--- /dev/null
+From 67d15c7aa0864dfd82325c7e7e7d8548b5224c7b Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@linaro.org>
+Date: Fri, 7 Mar 2025 11:41:48 +0300
+Subject: accel/qaic: Fix integer overflow in qaic_validate_req()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+commit 67d15c7aa0864dfd82325c7e7e7d8548b5224c7b upstream.
+
+These are u64 variables that come from the user via
+qaic_attach_slice_bo_ioctl(). Use check_add_overflow() to ensure that
+the math doesn't have an integer wrapping bug.
+
+Cc: stable@vger.kernel.org
+Fixes: ff13be830333 ("accel/qaic: Add datapath")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Jeff Hugo <jeff.hugo@oss.qualcomm.com>
+Signed-off-by: Jeff Hugo <jeff.hugo@oss.qualcomm.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/176388fa-40fe-4cb4-9aeb-2c91c22130bd@stanley.mountain
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/accel/qaic/qaic_data.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/accel/qaic/qaic_data.c
++++ b/drivers/accel/qaic/qaic_data.c
+@@ -550,6 +550,7 @@ static bool invalid_sem(struct qaic_sem
+ static int qaic_validate_req(struct qaic_device *qdev, struct qaic_attach_slice_entry *slice_ent,
+ u32 count, u64 total_size)
+ {
++ u64 total;
+ int i;
+
+ for (i = 0; i < count; i++) {
+@@ -559,7 +560,8 @@ static int qaic_validate_req(struct qaic
+ invalid_sem(&slice_ent[i].sem2) || invalid_sem(&slice_ent[i].sem3))
+ return -EINVAL;
+
+- if (slice_ent[i].offset + slice_ent[i].size > total_size)
++ if (check_add_overflow(slice_ent[i].offset, slice_ent[i].size, &total) ||
++ total > total_size)
+ return -EINVAL;
+ }
+
--- /dev/null
+From 83964a29379cb08929a39172780a4c2992bc7c93 Mon Sep 17 00:00:00 2001
+From: Stefan Eichenberger <stefan.eichenberger@toradex.com>
+Date: Fri, 10 Jan 2025 16:18:29 +0100
+Subject: ARM: dts: imx6qdl-apalis: Fix poweroff on Apalis iMX6
+
+From: Stefan Eichenberger <stefan.eichenberger@toradex.com>
+
+commit 83964a29379cb08929a39172780a4c2992bc7c93 upstream.
+
+The current solution for powering off the Apalis iMX6 is not functioning
+as intended. To resolve this, it is necessary to power off the
+vgen2_reg, which will also set the POWER_ENABLE_MOCI signal to a low
+state. This ensures the carrier board is properly informed to initiate
+its power-off sequence.
+
+The new solution uses the regulator-poweroff driver, which will power
+off the regulator during a system shutdown.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 4eb56e26f92e ("ARM: dts: imx6q-apalis: Command pmic to standby for poweroff")
+Signed-off-by: Stefan Eichenberger <stefan.eichenberger@toradex.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/nxp/imx/imx6qdl-apalis.dtsi | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/arch/arm/boot/dts/nxp/imx/imx6qdl-apalis.dtsi
++++ b/arch/arm/boot/dts/nxp/imx/imx6qdl-apalis.dtsi
+@@ -101,6 +101,11 @@
+ };
+ };
+
++ poweroff {
++ compatible = "regulator-poweroff";
++ cpu-supply = <&vgen2_reg>;
++ };
++
+ reg_module_3v3: regulator-module-3v3 {
+ compatible = "regulator-fixed";
+ regulator-always-on;
+@@ -220,10 +225,6 @@
+ status = "disabled";
+ };
+
+-&clks {
+- fsl,pmic-stby-poweroff;
+-};
+-
+ /* Apalis SPI1 */
+ &ecspi1 {
+ cs-gpios = <&gpio5 25 GPIO_ACTIVE_LOW>;
+@@ -511,7 +512,6 @@
+
+ pmic: pmic@8 {
+ compatible = "fsl,pfuze100";
+- fsl,pmic-stby-poweroff;
+ reg = <0x08>;
+
+ regulators {
--- /dev/null
+From 379c590113ce46f605439d4887996c60ab8820cc Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Mon, 10 Mar 2025 14:12:20 +0100
+Subject: ARM: shmobile: smp: Enforce shmobile_smp_* alignment
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+commit 379c590113ce46f605439d4887996c60ab8820cc upstream.
+
+When the addresses of the shmobile_smp_mpidr, shmobile_smp_fn, and
+shmobile_smp_arg variables are not multiples of 4 bytes, secondary CPU
+bring-up fails:
+
+ smp: Bringing up secondary CPUs ...
+ CPU1: failed to come online
+ CPU2: failed to come online
+ CPU3: failed to come online
+ smp: Brought up 1 node, 1 CPU
+
+Fix this by adding the missing alignment directive.
+
+Fixes: 4e960f52fce16a3b ("ARM: shmobile: Move shmobile_smp_{mpidr, fn, arg}[] from .text to .bss")
+Closes: https://lore.kernel.org/r/CAMuHMdU=QR-JLgEHKWpsr6SbaZRc-Hz9r91JfpP8c3n2G-OjqA@mail.gmail.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Tested-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Link: https://lore.kernel.org/c499234d559a0d95ad9472883e46077311051cd8.1741612208.git.geert+renesas@glider.be
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-shmobile/headsmp.S | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm/mach-shmobile/headsmp.S
++++ b/arch/arm/mach-shmobile/headsmp.S
+@@ -136,6 +136,7 @@ ENDPROC(shmobile_smp_sleep)
+ .long shmobile_smp_arg - 1b
+
+ .bss
++ .align 2
+ .globl shmobile_smp_mpidr
+ shmobile_smp_mpidr:
+ .space NR_CPUS * 4
--- /dev/null
+From 2c1092823eb03f8508d6769e2f38eef7e1fe62a0 Mon Sep 17 00:00:00 2001
+From: Stefan Eichenberger <stefan.eichenberger@toradex.com>
+Date: Mon, 17 Feb 2025 15:56:41 +0100
+Subject: arm64: dts: freescale: imx8mm-verdin-dahlia: add Microphone Jack to sound card
+
+From: Stefan Eichenberger <stefan.eichenberger@toradex.com>
+
+commit 2c1092823eb03f8508d6769e2f38eef7e1fe62a0 upstream.
+
+The simple-audio-card's microphone widget currently connects to the
+headphone jack. Routing the microphone input to the microphone jack
+allows for independent operation of the microphone and headphones.
+
+This resolves the following boot-time kernel log message, which
+indicated a conflict when the microphone and headphone functions were
+not separated:
+ debugfs: File 'Headphone Jack' in directory 'dapm' already present!
+
+Fixes: 6a57f224f734 ("arm64: dts: freescale: add initial support for verdin imx8m mini")
+Signed-off-by: Stefan Eichenberger <stefan.eichenberger@toradex.com>
+Reviewed-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mm-verdin-dahlia.dtsi | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/arm64/boot/dts/freescale/imx8mm-verdin-dahlia.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mm-verdin-dahlia.dtsi
+@@ -16,10 +16,10 @@
+ "Headphone Jack", "HPOUTR",
+ "IN2L", "Line In Jack",
+ "IN2R", "Line In Jack",
+- "Headphone Jack", "MICBIAS",
+- "IN1L", "Headphone Jack";
++ "Microphone Jack", "MICBIAS",
++ "IN1L", "Microphone Jack";
+ simple-audio-card,widgets =
+- "Microphone", "Headphone Jack",
++ "Microphone", "Microphone Jack",
+ "Headphone", "Headphone Jack",
+ "Line", "Line In Jack";
+
--- /dev/null
+From b0612fdba9afdce261bfb8684e0cece6f2e2b0bb Mon Sep 17 00:00:00 2001
+From: Stefan Eichenberger <stefan.eichenberger@toradex.com>
+Date: Mon, 17 Feb 2025 15:56:40 +0100
+Subject: arm64: dts: freescale: imx8mp-verdin-dahlia: add Microphone Jack to sound card
+
+From: Stefan Eichenberger <stefan.eichenberger@toradex.com>
+
+commit b0612fdba9afdce261bfb8684e0cece6f2e2b0bb upstream.
+
+The simple-audio-card's microphone widget currently connects to the
+headphone jack. Routing the microphone input to the microphone jack
+allows for independent operation of the microphone and headphones.
+
+This resolves the following boot-time kernel log message, which
+indicated a conflict when the microphone and headphone functions were
+not separated:
+ debugfs: File 'Headphone Jack' in directory 'dapm' already present!
+
+Fixes: 874958916844 ("arm64: dts: freescale: verdin-imx8mp: dahlia: add sound card")
+Signed-off-by: Stefan Eichenberger <stefan.eichenberger@toradex.com>
+Reviewed-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mp-verdin-dahlia.dtsi | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/arm64/boot/dts/freescale/imx8mp-verdin-dahlia.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mp-verdin-dahlia.dtsi
+@@ -16,10 +16,10 @@
+ "Headphone Jack", "HPOUTR",
+ "IN2L", "Line In Jack",
+ "IN2R", "Line In Jack",
+- "Headphone Jack", "MICBIAS",
+- "IN1L", "Headphone Jack";
++ "Microphone Jack", "MICBIAS",
++ "IN1L", "Microphone Jack";
+ simple-audio-card,widgets =
+- "Microphone", "Headphone Jack",
++ "Microphone", "Microphone Jack",
+ "Headphone", "Headphone Jack",
+ "Line", "Line In Jack";
+
--- /dev/null
+From ffcef3df680c437ca33ff434be18ec24d72907c2 Mon Sep 17 00:00:00 2001
+From: Dragan Simic <dsimic@manjaro.org>
+Date: Sun, 2 Mar 2025 19:48:04 +0100
+Subject: arm64: dts: rockchip: Add missing PCIe supplies to RockPro64 board dtsi
+
+From: Dragan Simic <dsimic@manjaro.org>
+
+commit ffcef3df680c437ca33ff434be18ec24d72907c2 upstream.
+
+Add missing "vpcie0v9-supply" and "vpcie1v8-supply" properties to the "pcie0"
+node in the Pine64 RockPro64 board dtsi file. This eliminates the following
+warnings from the kernel log:
+
+ rockchip-pcie f8000000.pcie: supply vpcie1v8 not found, using dummy regulator
+ rockchip-pcie f8000000.pcie: supply vpcie0v9 not found, using dummy regulator
+
+These additions improve the accuracy of hardware description of the RockPro64
+and, in theory, they should result in no functional changes to the way board
+works after the changes, because the "vcca_0v9" and "vcca_1v8" regulators are
+always enabled. [1][2] However, extended reliability testing, performed by
+Chris, [3] has proven that the age-old issues with some PCI Express cards,
+when used with a Pine64 RockPro64, are also resolved.
+
+Those issues were already mentioned in the commit 43853e843aa6 (arm64: dts:
+rockchip: Remove unsupported node from the Pinebook Pro dts, 2024-04-01),
+together with a brief description of the out-of-tree enumeration delay patch
+that reportedly resolves those issues. In a nutshell, booting a RockPro64
+with some PCI Express cards attached to it caused a kernel oops. [4]
+
+Symptomatically enough, to the commit author's best knowledge, only the Pine64
+RockPro64, out of all RK3399-based boards and devices supported upstream, has
+been reported to suffer from those PCI Express issues, and only the RockPro64
+had some of the PCI Express supplies missing in its DT. Thus, perhaps some
+weird timing issues exist that caused the "vcca_1v8" always-on regulator,
+which is part of the RK808 PMIC, to actually not be enabled before the PCI
+Express is initialized and enumerated on the RockPro64, causing oopses with
+some PCIe cards, and the aforementioned enumeration delay patch [4] probably
+acted as just a workaround for the underlying timing issue.
+
+Admittedly, the Pine64 RockPro64 is a bit specific board by having a standard
+PCI Express slot, allowing use of various standard cards, but pretty much
+standard PCI Express cards have been attached to other RK3399 boards as well,
+and the commit author is unaware ot such issues reported for them.
+
+It's quite hard to be sure that the PCI Express issues are fully resolved by
+these additions to the DT, without some really extensive and time-consuming
+testing. However, these additions to the DT can result in good things and
+improvements anyway, making them perfectly safe from the standpoint of being
+unable to do any harm or cause some unforeseen regressions.
+
+These changes apply to the both supported hardware revisions of the Pine64
+RockPro64, i.e. to the production-run revisions 2.0 and 2.1. [1][2]
+
+[1] https://files.pine64.org/doc/rockpro64/rockpro64_v21-SCH.pdf
+[2] https://files.pine64.org/doc/rockpro64/rockpro64_v20-SCH.pdf
+[3] https://z9.de/hedgedoc/s/nF4d5G7rg#reboot-tests-for-PCIe-improvements
+[4] https://lore.kernel.org/lkml/20230509153912.515218-1-vincenzopalazzodev@gmail.com/T/#u
+
+Fixes: bba821f5479e ("arm64: dts: rockchip: add PCIe nodes on rk3399-rockpro64")
+Cc: stable@vger.kernel.org
+Cc: Vincenzo Palazzo <vincenzopalazzodev@gmail.com>
+Cc: Peter Geis <pgwipeout@gmail.com>
+Cc: Bjorn Helgaas <helgaas@kernel.org>
+Reported-by: Diederik de Haas <didi.debian@cknow.org>
+Tested-by: Chris Vogel <chris@z9.de>
+Signed-off-by: Dragan Simic <dsimic@manjaro.org>
+Tested-by: Diederik de Haas <didi.debian@cknow.org>
+Link: https://lore.kernel.org/r/b39cfd7490d8194f053bf3971f13a43472d1769e.1740941097.git.dsimic@manjaro.org
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi
+@@ -661,6 +661,8 @@
+ num-lanes = <4>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&pcie_perst>;
++ vpcie0v9-supply = <&vcca_0v9>;
++ vpcie1v8-supply = <&vcca_1v8>;
+ vpcie12v-supply = <&vcc12v_dcin>;
+ vpcie3v3-supply = <&vcc3v3_pcie>;
+ status = "okay";
--- /dev/null
+From 2db7d29c7b1629ced3cbab3de242511eb3c22066 Mon Sep 17 00:00:00 2001
+From: Quentin Schulz <quentin.schulz@cherry.de>
+Date: Tue, 25 Feb 2025 12:53:29 +0100
+Subject: arm64: dts: rockchip: fix pinmux of UART0 for PX30 Ringneck on Haikou
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Quentin Schulz <quentin.schulz@cherry.de>
+
+commit 2db7d29c7b1629ced3cbab3de242511eb3c22066 upstream.
+
+UART0 pinmux by default configures GPIO0_B5 in its UART RTS function for
+UART0. However, by default on Haikou, it is used as GPIO as UART RTS for
+UART5.
+
+Therefore, let's update UART0 pinmux to not configure the pin in that
+mode, a later commit will make UART5 request the GPIO pinmux.
+
+Fixes: c484cf93f61b ("arm64: dts: rockchip: add PX30-µQ7 (Ringneck) SoM with Haikou baseboard")
+Cc: stable@vger.kernel.org
+Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
+Link: https://lore.kernel.org/r/20250225-ringneck-dtbos-v3-1-853a9a6dd597@cherry.de
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/rockchip/px30-ringneck-haikou.dts | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm64/boot/dts/rockchip/px30-ringneck-haikou.dts
++++ b/arch/arm64/boot/dts/rockchip/px30-ringneck-haikou.dts
+@@ -221,6 +221,8 @@
+ };
+
+ &uart0 {
++ pinctrl-names = "default";
++ pinctrl-0 = <&uart0_xfer>;
+ status = "okay";
+ };
+
--- /dev/null
+From 548b0c5de7619ef53bbde5590700693f2f6d2a56 Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sun, 2 Feb 2025 17:04:13 +0100
+Subject: batman-adv: Ignore own maximum aggregation size during RX
+
+From: Sven Eckelmann <sven@narfation.org>
+
+commit 548b0c5de7619ef53bbde5590700693f2f6d2a56 upstream.
+
+An OGMv1 and OGMv2 packet receive processing were not only limited by the
+number of bytes in the received packet but also by the nodes maximum
+aggregation packet size limit. But this limit is relevant for TX and not
+for RX. It must not be enforced by batadv_(i)v_ogm_aggr_packet to avoid
+loss of information in case of a different limit for sender and receiver.
+
+This has a minor side effect for B.A.T.M.A.N. IV because the
+batadv_iv_ogm_aggr_packet is also used for the preprocessing for the TX.
+But since the aggregation code itself will not allow more than
+BATADV_MAX_AGGREGATION_BYTES bytes, this check was never triggering (in
+this context) prior of removing it.
+
+Cc: stable@vger.kernel.org
+Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
+Fixes: 9323158ef9f4 ("batman-adv: OGMv2 - implement originators logic")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/bat_iv_ogm.c | 3 +--
+ net/batman-adv/bat_v_ogm.c | 3 +--
+ 2 files changed, 2 insertions(+), 4 deletions(-)
+
+--- a/net/batman-adv/bat_iv_ogm.c
++++ b/net/batman-adv/bat_iv_ogm.c
+@@ -324,8 +324,7 @@ batadv_iv_ogm_aggr_packet(int buff_pos,
+ /* check if there is enough space for the optional TVLV */
+ next_buff_pos += ntohs(ogm_packet->tvlv_len);
+
+- return (next_buff_pos <= packet_len) &&
+- (next_buff_pos <= BATADV_MAX_AGGREGATION_BYTES);
++ return next_buff_pos <= packet_len;
+ }
+
+ /* send a batman ogm to a given interface */
+--- a/net/batman-adv/bat_v_ogm.c
++++ b/net/batman-adv/bat_v_ogm.c
+@@ -839,8 +839,7 @@ batadv_v_ogm_aggr_packet(int buff_pos, i
+ /* check if there is enough space for the optional TVLV */
+ next_buff_pos += ntohs(ogm2_packet->tvlv_len);
+
+- return (next_buff_pos <= packet_len) &&
+- (next_buff_pos <= BATADV_MAX_AGGREGATION_BYTES);
++ return next_buff_pos <= packet_len;
+ }
+
+ /**
--- /dev/null
+From 5a19143124be42900b3fbc9ada3c919632eb45eb Mon Sep 17 00:00:00 2001
+From: Haibo Chen <haibo.chen@nxp.com>
+Date: Fri, 14 Mar 2025 19:01:45 +0800
+Subject: can: flexcan: disable transceiver during system PM
+
+From: Haibo Chen <haibo.chen@nxp.com>
+
+commit 5a19143124be42900b3fbc9ada3c919632eb45eb upstream.
+
+During system PM, if no wakeup requirement, disable transceiver to
+save power.
+
+Fixes: 4de349e786a3 ("can: flexcan: fix resume function")
+Cc: stable@vger.kernel.org
+Reviewed-by: Frank Li <frank.li@nxp.com>
+Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
+Link: https://patch.msgid.link/20250314110145.899179-2-haibo.chen@nxp.com
+[mkl: add newlines]
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/flexcan/flexcan-core.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/can/flexcan/flexcan-core.c
++++ b/drivers/net/can/flexcan/flexcan-core.c
+@@ -2245,6 +2245,10 @@ static int __maybe_unused flexcan_suspen
+
+ flexcan_chip_interrupts_disable(dev);
+
++ err = flexcan_transceiver_disable(priv);
++ if (err)
++ return err;
++
+ err = pinctrl_pm_select_sleep_state(device);
+ if (err)
+ return err;
+@@ -2277,10 +2281,16 @@ static int __maybe_unused flexcan_resume
+ if (err)
+ return err;
+
+- err = flexcan_chip_start(dev);
++ err = flexcan_transceiver_enable(priv);
+ if (err)
+ return err;
+
++ err = flexcan_chip_start(dev);
++ if (err) {
++ flexcan_transceiver_disable(priv);
++ return err;
++ }
++
+ flexcan_chip_interrupts_enable(dev);
+ }
+
--- /dev/null
+From fd99d6ed20234b83d65b9c5417794343577cf3e5 Mon Sep 17 00:00:00 2001
+From: Haibo Chen <haibo.chen@nxp.com>
+Date: Fri, 14 Mar 2025 19:01:44 +0800
+Subject: can: flexcan: only change CAN state when link up in system PM
+
+From: Haibo Chen <haibo.chen@nxp.com>
+
+commit fd99d6ed20234b83d65b9c5417794343577cf3e5 upstream.
+
+After a suspend/resume cycle on a down interface, it will come up as
+ERROR-ACTIVE.
+
+$ ip -details -s -s a s dev flexcan0
+3: flexcan0: <NOARP,ECHO> mtu 16 qdisc pfifo_fast state DOWN group default qlen 10
+ link/can promiscuity 0 allmulti 0 minmtu 0 maxmtu 0
+ can state STOPPED (berr-counter tx 0 rx 0) restart-ms 1000
+
+$ sudo systemctl suspend
+
+$ ip -details -s -s a s dev flexcan0
+3: flexcan0: <NOARP,ECHO> mtu 16 qdisc pfifo_fast state DOWN group default qlen 10
+ link/can promiscuity 0 allmulti 0 minmtu 0 maxmtu 0
+ can state ERROR-ACTIVE (berr-counter tx 0 rx 0) restart-ms 1000
+
+And only set CAN state to CAN_STATE_ERROR_ACTIVE when resume process
+has no issue, otherwise keep in CAN_STATE_SLEEPING as suspend did.
+
+Fixes: 4de349e786a3 ("can: flexcan: fix resume function")
+Cc: stable@vger.kernel.org
+Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
+Link: https://patch.msgid.link/20250314110145.899179-1-haibo.chen@nxp.com
+Reported-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Closes: https://lore.kernel.org/all/20250314-married-polar-elephant-b15594-mkl@pengutronix.de
+[mkl: add newlines]
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/flexcan/flexcan-core.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/can/flexcan/flexcan-core.c
++++ b/drivers/net/can/flexcan/flexcan-core.c
+@@ -2251,8 +2251,9 @@ static int __maybe_unused flexcan_suspen
+ }
+ netif_stop_queue(dev);
+ netif_device_detach(dev);
++
++ priv->can.state = CAN_STATE_SLEEPING;
+ }
+- priv->can.state = CAN_STATE_SLEEPING;
+
+ return 0;
+ }
+@@ -2263,7 +2264,6 @@ static int __maybe_unused flexcan_resume
+ struct flexcan_priv *priv = netdev_priv(dev);
+ int err;
+
+- priv->can.state = CAN_STATE_ERROR_ACTIVE;
+ if (netif_running(dev)) {
+ netif_device_attach(dev);
+ netif_start_queue(dev);
+@@ -2283,6 +2283,8 @@ static int __maybe_unused flexcan_resume
+
+ flexcan_chip_interrupts_enable(dev);
+ }
++
++ priv->can.state = CAN_STATE_ERROR_ACTIVE;
+ }
+
+ return 0;
--- /dev/null
+From 1dba0a37644ed3022558165bbb5cb9bda540eaf7 Mon Sep 17 00:00:00 2001
+From: Biju Das <biju.das.jz@bp.renesas.com>
+Date: Fri, 7 Mar 2025 17:03:27 +0000
+Subject: can: rcar_canfd: Fix page entries in the AFL list
+
+From: Biju Das <biju.das.jz@bp.renesas.com>
+
+commit 1dba0a37644ed3022558165bbb5cb9bda540eaf7 upstream.
+
+There are a total of 96 AFL pages and each page has 16 entries with
+registers CFDGAFLIDr, CFDGAFLMr, CFDGAFLP0r, CFDGAFLP1r holding
+the rule entries (r = 0..15).
+
+Currently, RCANFD_GAFL* macros use a start variable to find AFL entries,
+which is incorrect as the testing on RZ/G3E shows ch1 and ch4
+gets a start value of 0 and the register contents are overwritten.
+
+Fix this issue by using rule_entry corresponding to the channel
+to find the page entries in the AFL list.
+
+Fixes: dd3bd23eb438 ("can: rcar_canfd: Add Renesas R-Car CAN FD driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
+Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://patch.msgid.link/20250307170330.173425-3-biju.das.jz@bp.renesas.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/rcar/rcar_canfd.c | 28 +++++++++++-----------------
+ 1 file changed, 11 insertions(+), 17 deletions(-)
+
+--- a/drivers/net/can/rcar/rcar_canfd.c
++++ b/drivers/net/can/rcar/rcar_canfd.c
+@@ -793,22 +793,14 @@ static void rcar_canfd_configure_control
+ }
+
+ static void rcar_canfd_configure_afl_rules(struct rcar_canfd_global *gpriv,
+- u32 ch)
++ u32 ch, u32 rule_entry)
+ {
+- u32 cfg;
+- int offset, start, page, num_rules = RCANFD_CHANNEL_NUMRULES;
++ int offset, page, num_rules = RCANFD_CHANNEL_NUMRULES;
++ u32 rule_entry_index = rule_entry % 16;
+ u32 ridx = ch + RCANFD_RFFIFO_IDX;
+
+- if (ch == 0) {
+- start = 0; /* Channel 0 always starts from 0th rule */
+- } else {
+- /* Get number of Channel 0 rules and adjust */
+- cfg = rcar_canfd_read(gpriv->base, RCANFD_GAFLCFG(ch));
+- start = RCANFD_GAFLCFG_GETRNC(gpriv, 0, cfg);
+- }
+-
+ /* Enable write access to entry */
+- page = RCANFD_GAFL_PAGENUM(start);
++ page = RCANFD_GAFL_PAGENUM(rule_entry);
+ rcar_canfd_set_bit(gpriv->base, RCANFD_GAFLECTR,
+ (RCANFD_GAFLECTR_AFLPN(gpriv, page) |
+ RCANFD_GAFLECTR_AFLDAE));
+@@ -824,13 +816,13 @@ static void rcar_canfd_configure_afl_rul
+ offset = RCANFD_C_GAFL_OFFSET;
+
+ /* Accept all IDs */
+- rcar_canfd_write(gpriv->base, RCANFD_GAFLID(offset, start), 0);
++ rcar_canfd_write(gpriv->base, RCANFD_GAFLID(offset, rule_entry_index), 0);
+ /* IDE or RTR is not considered for matching */
+- rcar_canfd_write(gpriv->base, RCANFD_GAFLM(offset, start), 0);
++ rcar_canfd_write(gpriv->base, RCANFD_GAFLM(offset, rule_entry_index), 0);
+ /* Any data length accepted */
+- rcar_canfd_write(gpriv->base, RCANFD_GAFLP0(offset, start), 0);
++ rcar_canfd_write(gpriv->base, RCANFD_GAFLP0(offset, rule_entry_index), 0);
+ /* Place the msg in corresponding Rx FIFO entry */
+- rcar_canfd_set_bit(gpriv->base, RCANFD_GAFLP1(offset, start),
++ rcar_canfd_set_bit(gpriv->base, RCANFD_GAFLP1(offset, rule_entry_index),
+ RCANFD_GAFLP1_GAFLFDP(ridx));
+
+ /* Disable write access to page */
+@@ -1857,6 +1849,7 @@ static int rcar_canfd_probe(struct platf
+ unsigned long channels_mask = 0;
+ int err, ch_irq, g_irq;
+ int g_err_irq, g_recc_irq;
++ u32 rule_entry = 0;
+ bool fdmode = true; /* CAN FD only mode - default */
+ char name[9] = "channelX";
+ int i;
+@@ -2033,7 +2026,8 @@ static int rcar_canfd_probe(struct platf
+ rcar_canfd_configure_tx(gpriv, ch);
+
+ /* Configure receive rules */
+- rcar_canfd_configure_afl_rules(gpriv, ch);
++ rcar_canfd_configure_afl_rules(gpriv, ch, rule_entry);
++ rule_entry += RCANFD_CHANNEL_NUMRULES;
+ }
+
+ /* Configure common interrupts */
--- /dev/null
+From 1d22a122ffb116c3cf78053e812b8b21f8852ee9 Mon Sep 17 00:00:00 2001
+From: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+Date: Tue, 18 Feb 2025 23:32:28 +0900
+Subject: can: ucan: fix out of bound read in strscpy() source
+
+From: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+
+commit 1d22a122ffb116c3cf78053e812b8b21f8852ee9 upstream.
+
+Commit 7fdaf8966aae ("can: ucan: use strscpy() to instead of strncpy()")
+unintentionally introduced a one byte out of bound read on strscpy()'s
+source argument (which is kind of ironic knowing that strscpy() is meant
+to be a more secure alternative :)).
+
+Let's consider below buffers:
+
+ dest[len + 1]; /* will be NUL terminated */
+ src[len]; /* may not be NUL terminated */
+
+When doing:
+
+ strncpy(dest, src, len);
+ dest[len] = '\0';
+
+strncpy() will read up to len bytes from src.
+
+On the other hand:
+
+ strscpy(dest, src, len + 1);
+
+will read up to len + 1 bytes from src, that is to say, an out of bound
+read of one byte will occur on src if it is not NUL terminated. Note
+that the src[len] byte is never copied, but strscpy() still needs to
+read it to check whether a truncation occurred or not.
+
+This exact pattern happened in ucan.
+
+The root cause is that the source is not NUL terminated. Instead of
+doing a copy in a local buffer, directly NUL terminate it as soon as
+usb_control_msg() returns. With this, the local firmware_str[] variable
+can be removed.
+
+On top of this do a couple refactors:
+
+ - ucan_ctl_payload->raw is only used for the firmware string, so
+ rename it to ucan_ctl_payload->fw_str and change its type from u8 to
+ char.
+
+ - ucan_device_request_in() is only used to retrieve the firmware
+ string, so rename it to ucan_get_fw_str() and refactor it to make it
+ directly handle all the string termination logic.
+
+Reported-by: syzbot+d7d8c418e8317899e88c@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-can/67b323a4.050a0220.173698.002b.GAE@google.com/
+Fixes: 7fdaf8966aae ("can: ucan: use strscpy() to instead of strncpy()")
+Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+Link: https://patch.msgid.link/20250218143515.627682-2-mailhol.vincent@wanadoo.fr
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/usb/ucan.c | 43 ++++++++++++++++++-------------------------
+ 1 file changed, 18 insertions(+), 25 deletions(-)
+
+--- a/drivers/net/can/usb/ucan.c
++++ b/drivers/net/can/usb/ucan.c
+@@ -186,7 +186,7 @@ union ucan_ctl_payload {
+ */
+ struct ucan_ctl_cmd_get_protocol_version cmd_get_protocol_version;
+
+- u8 raw[128];
++ u8 fw_str[128];
+ } __packed;
+
+ enum {
+@@ -424,18 +424,20 @@ static int ucan_ctrl_command_out(struct
+ UCAN_USB_CTL_PIPE_TIMEOUT);
+ }
+
+-static int ucan_device_request_in(struct ucan_priv *up,
+- u8 cmd, u16 subcmd, u16 datalen)
++static void ucan_get_fw_str(struct ucan_priv *up, char *fw_str, size_t size)
+ {
+- return usb_control_msg(up->udev,
+- usb_rcvctrlpipe(up->udev, 0),
+- cmd,
+- USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+- subcmd,
+- 0,
+- up->ctl_msg_buffer,
+- datalen,
+- UCAN_USB_CTL_PIPE_TIMEOUT);
++ int ret;
++
++ ret = usb_control_msg(up->udev, usb_rcvctrlpipe(up->udev, 0),
++ UCAN_DEVICE_GET_FW_STRING,
++ USB_DIR_IN | USB_TYPE_VENDOR |
++ USB_RECIP_DEVICE,
++ 0, 0, fw_str, size - 1,
++ UCAN_USB_CTL_PIPE_TIMEOUT);
++ if (ret > 0)
++ fw_str[ret] = '\0';
++ else
++ strscpy(fw_str, "unknown", size);
+ }
+
+ /* Parse the device information structure reported by the device and
+@@ -1314,7 +1316,6 @@ static int ucan_probe(struct usb_interfa
+ u8 in_ep_addr;
+ u8 out_ep_addr;
+ union ucan_ctl_payload *ctl_msg_buffer;
+- char firmware_str[sizeof(union ucan_ctl_payload) + 1];
+
+ udev = interface_to_usbdev(intf);
+
+@@ -1527,17 +1528,6 @@ static int ucan_probe(struct usb_interfa
+ */
+ ucan_parse_device_info(up, &ctl_msg_buffer->cmd_get_device_info);
+
+- /* just print some device information - if available */
+- ret = ucan_device_request_in(up, UCAN_DEVICE_GET_FW_STRING, 0,
+- sizeof(union ucan_ctl_payload));
+- if (ret > 0) {
+- /* copy string while ensuring zero termination */
+- strscpy(firmware_str, up->ctl_msg_buffer->raw,
+- sizeof(union ucan_ctl_payload) + 1);
+- } else {
+- strcpy(firmware_str, "unknown");
+- }
+-
+ /* device is compatible, reset it */
+ ret = ucan_ctrl_command_out(up, UCAN_COMMAND_RESET, 0, 0);
+ if (ret < 0)
+@@ -1555,7 +1545,10 @@ static int ucan_probe(struct usb_interfa
+
+ /* initialisation complete, log device info */
+ netdev_info(up->netdev, "registered device\n");
+- netdev_info(up->netdev, "firmware string: %s\n", firmware_str);
++ ucan_get_fw_str(up, up->ctl_msg_buffer->fw_str,
++ sizeof(up->ctl_msg_buffer->fw_str));
++ netdev_info(up->netdev, "firmware string: %s\n",
++ up->ctl_msg_buffer->fw_str);
+
+ /* success */
+ return 0;
--- /dev/null
+From bfeefe6ea5f18cabb8fda55364079573804623f9 Mon Sep 17 00:00:00 2001
+From: Martin Tsai <martin.tsai@amd.com>
+Date: Fri, 2 Feb 2024 14:39:29 +0800
+Subject: drm/amd/display: should support dmub hw lock on Replay
+
+From: Martin Tsai <martin.tsai@amd.com>
+
+commit bfeefe6ea5f18cabb8fda55364079573804623f9 upstream.
+
+[Why]
+Without acquiring DMCUB hw lock, a race condition is caused with
+Panel Replay feature, which will trigger a hang. Indicate that a
+lock is necessary to prevent this when replay feature is enabled.
+
+[How]
+To allow dmub hw lock on Replay.
+
+Reviewed-by: Robin Chen <robin.chen@amd.com>
+Acked-by: Aurabindo Pillai <aurabindo.pillai@amd.com>
+Signed-off-by: Martin Tsai <martin.tsai@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c
++++ b/drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c
+@@ -65,5 +65,9 @@ bool should_use_dmub_lock(struct dc_link
+ {
+ if (link->psr_settings.psr_version == DC_PSR_VERSION_SU_1)
+ return true;
++
++ if (link->replay_settings.replay_feature_enabled)
++ return true;
++
+ return false;
+ }
--- /dev/null
+From acbf16a6ae775b4db86f537448cc466288aa307e Mon Sep 17 00:00:00 2001
+From: Mario Limonciello <mario.limonciello@amd.com>
+Date: Fri, 7 Mar 2025 15:55:20 -0600
+Subject: drm/amd/display: Use HW lock mgr for PSR1 when only one eDP
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+commit acbf16a6ae775b4db86f537448cc466288aa307e upstream.
+
+[WHY]
+DMUB locking is important to make sure that registers aren't accessed
+while in PSR. Previously it was enabled but caused a deadlock in
+situations with multiple eDP panels.
+
+[HOW]
+Detect if multiple eDP panels are in use to decide whether to use
+lock. Refactor the function so that the first check is for PSR-SU
+and then replay is in use to prevent having to look up number
+of eDP panels for those configurations.
+
+Fixes: f245b400a223 ("Revert "drm/amd/display: Use HW lock mgr for PSR1"")
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3965
+Reviewed-by: ChiaHsuan Chung <chiahsuan.chung@amd.com>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Alex Hung <alex.hung@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit ed569e1279a3045d6b974226c814e071fa0193a6)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c
++++ b/drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c
+@@ -69,5 +69,16 @@ bool should_use_dmub_lock(struct dc_link
+ if (link->replay_settings.replay_feature_enabled)
+ return true;
+
++ /* only use HW lock for PSR1 on single eDP */
++ if (link->psr_settings.psr_version == DC_PSR_VERSION_1) {
++ struct dc_link *edp_links[MAX_NUM_EDP];
++ int edp_num;
++
++ dc_get_edp_links(link->dc, edp_links, &edp_num);
++
++ if (edp_num == 1)
++ return true;
++ }
++
+ return false;
+ }
--- /dev/null
+From ec33964d9d88488fa954a03d476a8b811efc6e85 Mon Sep 17 00:00:00 2001
+From: David Rosca <david.rosca@amd.com>
+Date: Fri, 28 Feb 2025 13:34:49 +0100
+Subject: drm/amdgpu: Fix JPEG video caps max size for navi1x and raven
+
+From: David Rosca <david.rosca@amd.com>
+
+commit ec33964d9d88488fa954a03d476a8b811efc6e85 upstream.
+
+8192x8192 is the maximum supported resolution.
+
+Signed-off-by: David Rosca <david.rosca@amd.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 6e0d2fde3ae8fdb5b47e10389f23ed2cb4daec5d)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/nv.c | 2 +-
+ drivers/gpu/drm/amd/amdgpu/soc15.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/nv.c
++++ b/drivers/gpu/drm/amd/amdgpu/nv.c
+@@ -84,7 +84,7 @@ static const struct amdgpu_video_codec_i
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4_AVC, 4096, 4096, 52)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 1920, 1088, 4)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_HEVC, 8192, 4352, 186)},
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_JPEG, 4096, 4096, 0)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_JPEG, 8192, 8192, 0)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VP9, 8192, 4352, 0)},
+ };
+
+--- a/drivers/gpu/drm/amd/amdgpu/soc15.c
++++ b/drivers/gpu/drm/amd/amdgpu/soc15.c
+@@ -125,7 +125,7 @@ static const struct amdgpu_video_codec_i
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4_AVC, 4096, 4096, 52)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 1920, 1088, 4)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_HEVC, 4096, 4096, 186)},
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_JPEG, 4096, 4096, 0)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_JPEG, 8192, 8192, 0)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VP9, 4096, 4096, 0)},
+ };
+
--- /dev/null
+From f0105e173103c9d30a2bb959f7399437d536c848 Mon Sep 17 00:00:00 2001
+From: David Rosca <david.rosca@amd.com>
+Date: Fri, 28 Feb 2025 13:32:46 +0100
+Subject: drm/amdgpu: Fix MPEG2, MPEG4 and VC1 video caps max size
+
+From: David Rosca <david.rosca@amd.com>
+
+commit f0105e173103c9d30a2bb959f7399437d536c848 upstream.
+
+1920x1088 is the maximum supported resolution.
+
+Signed-off-by: David Rosca <david.rosca@amd.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 1a0807feb97082bff2b1342dbbe55a2a9a8bdb88)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/nv.c | 18 +++++++++---------
+ drivers/gpu/drm/amd/amdgpu/soc15.c | 18 +++++++++---------
+ drivers/gpu/drm/amd/amdgpu/vi.c | 36 ++++++++++++++++++------------------
+ 3 files changed, 36 insertions(+), 36 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/nv.c
++++ b/drivers/gpu/drm/amd/amdgpu/nv.c
+@@ -79,10 +79,10 @@ static const struct amdgpu_video_codecs
+
+ /* Navi1x */
+ static const struct amdgpu_video_codec_info nv_video_codecs_decode_array[] = {
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG2, 4096, 4096, 3)},
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4, 4096, 4096, 5)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG2, 1920, 1088, 3)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4, 1920, 1088, 5)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4_AVC, 4096, 4096, 52)},
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 4096, 4096, 4)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 1920, 1088, 4)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_HEVC, 8192, 4352, 186)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_JPEG, 4096, 4096, 0)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VP9, 8192, 4352, 0)},
+@@ -105,10 +105,10 @@ static const struct amdgpu_video_codecs
+ };
+
+ static const struct amdgpu_video_codec_info sc_video_codecs_decode_array_vcn0[] = {
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG2, 4096, 4096, 3)},
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4, 4096, 4096, 5)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG2, 1920, 1088, 3)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4, 1920, 1088, 5)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4_AVC, 4096, 4096, 52)},
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 4096, 4096, 4)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 1920, 1088, 4)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_HEVC, 8192, 4352, 186)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_JPEG, 4096, 4096, 0)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VP9, 8192, 4352, 0)},
+@@ -116,10 +116,10 @@ static const struct amdgpu_video_codec_i
+ };
+
+ static const struct amdgpu_video_codec_info sc_video_codecs_decode_array_vcn1[] = {
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG2, 4096, 4096, 3)},
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4, 4096, 4096, 5)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG2, 1920, 1088, 3)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4, 1920, 1088, 5)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4_AVC, 4096, 4096, 52)},
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 4096, 4096, 4)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 1920, 1088, 4)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_HEVC, 8192, 4352, 186)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_JPEG, 4096, 4096, 0)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VP9, 8192, 4352, 0)},
+--- a/drivers/gpu/drm/amd/amdgpu/soc15.c
++++ b/drivers/gpu/drm/amd/amdgpu/soc15.c
+@@ -103,10 +103,10 @@ static const struct amdgpu_video_codecs
+ /* Vega */
+ static const struct amdgpu_video_codec_info vega_video_codecs_decode_array[] =
+ {
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG2, 4096, 4096, 3)},
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4, 4096, 4096, 5)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG2, 1920, 1088, 3)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4, 1920, 1088, 5)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4_AVC, 4096, 4096, 52)},
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 4096, 4096, 4)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 1920, 1088, 4)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_HEVC, 4096, 4096, 186)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_JPEG, 4096, 4096, 0)},
+ };
+@@ -120,10 +120,10 @@ static const struct amdgpu_video_codecs
+ /* Raven */
+ static const struct amdgpu_video_codec_info rv_video_codecs_decode_array[] =
+ {
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG2, 4096, 4096, 3)},
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4, 4096, 4096, 5)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG2, 1920, 1088, 3)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4, 1920, 1088, 5)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4_AVC, 4096, 4096, 52)},
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 4096, 4096, 4)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 1920, 1088, 4)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_HEVC, 4096, 4096, 186)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_JPEG, 4096, 4096, 0)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VP9, 4096, 4096, 0)},
+@@ -138,10 +138,10 @@ static const struct amdgpu_video_codecs
+ /* Renoir, Arcturus */
+ static const struct amdgpu_video_codec_info rn_video_codecs_decode_array[] =
+ {
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG2, 4096, 4096, 3)},
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4, 4096, 4096, 5)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG2, 1920, 1088, 3)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4, 1920, 1088, 5)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4_AVC, 4096, 4096, 52)},
+- {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 4096, 4096, 4)},
++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1, 1920, 1088, 4)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_HEVC, 8192, 4352, 186)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_JPEG, 4096, 4096, 0)},
+ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VP9, 8192, 4352, 0)},
+--- a/drivers/gpu/drm/amd/amdgpu/vi.c
++++ b/drivers/gpu/drm/amd/amdgpu/vi.c
+@@ -167,16 +167,16 @@ static const struct amdgpu_video_codec_i
+ {
+ {
+ .codec_type = AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG2,
+- .max_width = 4096,
+- .max_height = 4096,
+- .max_pixels_per_frame = 4096 * 4096,
++ .max_width = 1920,
++ .max_height = 1088,
++ .max_pixels_per_frame = 1920 * 1088,
+ .max_level = 3,
+ },
+ {
+ .codec_type = AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4,
+- .max_width = 4096,
+- .max_height = 4096,
+- .max_pixels_per_frame = 4096 * 4096,
++ .max_width = 1920,
++ .max_height = 1088,
++ .max_pixels_per_frame = 1920 * 1088,
+ .max_level = 5,
+ },
+ {
+@@ -188,9 +188,9 @@ static const struct amdgpu_video_codec_i
+ },
+ {
+ .codec_type = AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1,
+- .max_width = 4096,
+- .max_height = 4096,
+- .max_pixels_per_frame = 4096 * 4096,
++ .max_width = 1920,
++ .max_height = 1088,
++ .max_pixels_per_frame = 1920 * 1088,
+ .max_level = 4,
+ },
+ };
+@@ -206,16 +206,16 @@ static const struct amdgpu_video_codec_i
+ {
+ {
+ .codec_type = AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG2,
+- .max_width = 4096,
+- .max_height = 4096,
+- .max_pixels_per_frame = 4096 * 4096,
++ .max_width = 1920,
++ .max_height = 1088,
++ .max_pixels_per_frame = 1920 * 1088,
+ .max_level = 3,
+ },
+ {
+ .codec_type = AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_MPEG4,
+- .max_width = 4096,
+- .max_height = 4096,
+- .max_pixels_per_frame = 4096 * 4096,
++ .max_width = 1920,
++ .max_height = 1088,
++ .max_pixels_per_frame = 1920 * 1088,
+ .max_level = 5,
+ },
+ {
+@@ -227,9 +227,9 @@ static const struct amdgpu_video_codec_i
+ },
+ {
+ .codec_type = AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VC1,
+- .max_width = 4096,
+- .max_height = 4096,
+- .max_pixels_per_frame = 4096 * 4096,
++ .max_width = 1920,
++ .max_height = 1088,
++ .max_pixels_per_frame = 1920 * 1088,
+ .max_level = 4,
+ },
+ {
--- /dev/null
+From dd8689b52a24807c2d5ce0a17cb26dc87f75235c Mon Sep 17 00:00:00 2001
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Date: Tue, 11 Mar 2025 14:14:59 +0300
+Subject: drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse()
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+commit dd8689b52a24807c2d5ce0a17cb26dc87f75235c upstream.
+
+On the off chance that command stream passed from userspace via
+ioctl() call to radeon_vce_cs_parse() is weirdly crafted and
+first command to execute is to encode (case 0x03000001), the function
+in question will attempt to call radeon_vce_cs_reloc() with size
+argument that has not been properly initialized. Specifically, 'size'
+will point to 'tmp' variable before the latter had a chance to be
+assigned any value.
+
+Play it safe and init 'tmp' with 0, thus ensuring that
+radeon_vce_cs_reloc() will catch an early error in cases like these.
+
+Found by Linux Verification Center (linuxtesting.org) with static
+analysis tool SVACE.
+
+Fixes: 2fc5703abda2 ("drm/radeon: check VCE relocation buffer range v3")
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 2d52de55f9ee7aaee0e09ac443f77855989c6b68)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/radeon/radeon_vce.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/radeon/radeon_vce.c
++++ b/drivers/gpu/drm/radeon/radeon_vce.c
+@@ -557,7 +557,7 @@ int radeon_vce_cs_parse(struct radeon_cs
+ {
+ int session_idx = -1;
+ bool destroyed = false, created = false, allocated = false;
+- uint32_t tmp, handle = 0;
++ uint32_t tmp = 0, handle = 0;
+ uint32_t *size = &tmp;
+ int i, r = 0;
+
--- /dev/null
+From a952f1ab696873be124e31ce5ef964d36bce817f Mon Sep 17 00:00:00 2001
+From: qianyi liu <liuqianyi125@gmail.com>
+Date: Tue, 11 Mar 2025 14:02:51 +0800
+Subject: drm/sched: Fix fence reference count leak
+
+From: qianyi liu <liuqianyi125@gmail.com>
+
+commit a952f1ab696873be124e31ce5ef964d36bce817f upstream.
+
+The last_scheduled fence leaks when an entity is being killed and adding
+the cleanup callback fails.
+
+Decrement the reference count of prev when dma_fence_add_callback()
+fails, ensuring proper balance.
+
+Cc: stable@vger.kernel.org # v6.2+
+[phasta: add git tag info for stable kernel]
+Fixes: 2fdb8a8f07c2 ("drm/scheduler: rework entity flush, kill and fini")
+Signed-off-by: qianyi liu <liuqianyi125@gmail.com>
+Signed-off-by: Philipp Stanner <phasta@kernel.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20250311060251.4041101-1-liuqianyi125@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/scheduler/sched_entity.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/scheduler/sched_entity.c
++++ b/drivers/gpu/drm/scheduler/sched_entity.c
+@@ -237,9 +237,16 @@ static void drm_sched_entity_kill(struct
+ struct drm_sched_fence *s_fence = job->s_fence;
+
+ dma_fence_get(&s_fence->finished);
+- if (!prev || dma_fence_add_callback(prev, &job->finish_cb,
+- drm_sched_entity_kill_jobs_cb))
++ if (!prev ||
++ dma_fence_add_callback(prev, &job->finish_cb,
++ drm_sched_entity_kill_jobs_cb)) {
++ /*
++ * Adding callback above failed.
++ * dma_fence_put() checks for NULL.
++ */
++ dma_fence_put(prev);
+ drm_sched_entity_kill_jobs_cb(NULL, &job->finish_cb);
++ }
+
+ prev = &s_fence->finished;
+ }
--- /dev/null
+From 80cbee810e4e13cdbd3ae9654e9ecddf17f3e828 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ma=C3=ADra=20Canal?= <mcanal@igalia.com>
+Date: Thu, 13 Mar 2025 11:43:26 -0300
+Subject: drm/v3d: Don't run jobs that have errors flagged in its fence
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: MaÃra Canal <mcanal@igalia.com>
+
+commit 80cbee810e4e13cdbd3ae9654e9ecddf17f3e828 upstream.
+
+The V3D driver still relies on `drm_sched_increase_karma()` and
+`drm_sched_resubmit_jobs()` for resubmissions when a timeout occurs.
+The function `drm_sched_increase_karma()` marks the job as guilty, while
+`drm_sched_resubmit_jobs()` sets an error (-ECANCELED) in the DMA fence of
+that guilty job.
+
+Because of this, we must check whether the job’s DMA fence has been
+flagged with an error before executing the job. Otherwise, the same guilty
+job may be resubmitted indefinitely, causing repeated GPU resets.
+
+This patch adds a check for an error on the job's fence to prevent running
+a guilty job that was previously flagged when the GPU timed out.
+
+Note that the CPU and CACHE_CLEAN queues do not require this check, as
+their jobs are executed synchronously once the DRM scheduler starts them.
+
+Cc: stable@vger.kernel.org
+Fixes: d223f98f0209 ("drm/v3d: Add support for compute shader dispatch.")
+Fixes: 1584f16ca96e ("drm/v3d: Add support for submitting jobs to the TFU.")
+Reviewed-by: Iago Toral Quiroga <itoral@igalia.com>
+Signed-off-by: MaÃra Canal <mcanal@igalia.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20250313-v3d-gpu-reset-fixes-v4-1-c1e780d8e096@igalia.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/v3d/v3d_sched.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/v3d/v3d_sched.c
++++ b/drivers/gpu/drm/v3d/v3d_sched.c
+@@ -179,11 +179,15 @@ v3d_tfu_job_run(struct drm_sched_job *sc
+ struct drm_device *dev = &v3d->drm;
+ struct dma_fence *fence;
+
++ if (unlikely(job->base.base.s_fence->finished.error))
++ return NULL;
++
++ v3d->tfu_job = job;
++
+ fence = v3d_fence_create(v3d, V3D_TFU);
+ if (IS_ERR(fence))
+ return NULL;
+
+- v3d->tfu_job = job;
+ if (job->base.irq_fence)
+ dma_fence_put(job->base.irq_fence);
+ job->base.irq_fence = dma_fence_get(fence);
+@@ -217,6 +221,9 @@ v3d_csd_job_run(struct drm_sched_job *sc
+ struct dma_fence *fence;
+ int i;
+
++ if (unlikely(job->base.base.s_fence->finished.error))
++ return NULL;
++
+ v3d->csd_job = job;
+
+ v3d_invalidate_caches(v3d);
--- /dev/null
+From cb16dfed0093217a68c0faa9394fa5823927e04c Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ardb@kernel.org>
+Date: Fri, 14 Mar 2025 12:03:33 +0100
+Subject: efi/libstub: Avoid physical address 0x0 when doing random allocation
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+commit cb16dfed0093217a68c0faa9394fa5823927e04c upstream.
+
+Ben reports spurious EFI zboot failures on a system where physical RAM
+starts at 0x0. When doing random memory allocation from the EFI stub on
+such a platform, a random seed of 0x0 (which means no entropy source is
+available) will result in the allocation to be placed at address 0x0 if
+sufficient space is available.
+
+When this allocation is subsequently passed on to the decompression
+code, the 0x0 address is mistaken for NULL and the code complains and
+gives up.
+
+So avoid address 0x0 when doing random allocation, and set the minimum
+address to the minimum alignment.
+
+Cc: <stable@vger.kernel.org>
+Reported-by: Ben Schneider <ben@bens.haus>
+Tested-by: Ben Schneider <ben@bens.haus>
+Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/efi/libstub/randomalloc.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/firmware/efi/libstub/randomalloc.c
++++ b/drivers/firmware/efi/libstub/randomalloc.c
+@@ -75,6 +75,10 @@ efi_status_t efi_random_alloc(unsigned l
+ if (align < EFI_ALLOC_ALIGN)
+ align = EFI_ALLOC_ALIGN;
+
++ /* Avoid address 0x0, as it can be mistaken for NULL */
++ if (alloc_min == 0)
++ alloc_min = align;
++
+ size = round_up(size, EFI_ALLOC_ALIGN);
+
+ /* count the suitable slots in each memory map entry */
--- /dev/null
+From 285df995f90e3d61d97f327d34b9659d92313314 Mon Sep 17 00:00:00 2001
+From: Andreas Kemnade <andreas@kemnade.info>
+Date: Fri, 28 Feb 2025 15:04:20 +0100
+Subject: i2c: omap: fix IRQ storms
+
+From: Andreas Kemnade <andreas@kemnade.info>
+
+commit 285df995f90e3d61d97f327d34b9659d92313314 upstream.
+
+On the GTA04A5 writing a reset command to the gyroscope causes IRQ
+storms because NACK IRQs are enabled and therefore triggered but not
+acked.
+
+Sending a reset command to the gyroscope by
+i2cset 1 0x69 0x14 0xb6
+with an additional debug print in the ISR (not the thread) itself
+causes
+
+[ 363.353515] i2c i2c-1: ioctl, cmd=0x720, arg=0xbe801b00
+[ 363.359039] omap_i2c 48072000.i2c: addr: 0x0069, len: 2, flags: 0x0, stop: 1
+[ 363.366180] omap_i2c 48072000.i2c: IRQ LL (ISR = 0x1110)
+[ 363.371673] omap_i2c 48072000.i2c: IRQ (ISR = 0x0010)
+[ 363.376892] omap_i2c 48072000.i2c: IRQ LL (ISR = 0x0102)
+[ 363.382263] omap_i2c 48072000.i2c: IRQ LL (ISR = 0x0102)
+[ 363.387664] omap_i2c 48072000.i2c: IRQ LL (ISR = 0x0102)
+repeating till infinity
+[...]
+(0x2 = NACK, 0x100 = Bus free, which is not enabled)
+Apparently no other IRQ bit gets set, so this stalls.
+
+Do not ignore enabled interrupts and make sure they are acked.
+If the NACK IRQ is not needed, it should simply not enabled, but
+according to the above log, caring about it is necessary unless
+the Bus free IRQ is enabled and handled. The assumption that is
+will always come with a ARDY IRQ, which was the idea behind
+ignoring it, proves wrong.
+It is true for simple reads from an unused address.
+
+To still avoid the i2cdetect trouble which is the reason for
+commit c770657bd261 ("i2c: omap: Fix standard mode false ACK readings"),
+avoid doing much about NACK in omap_i2c_xfer_data() which is used
+by both IRQ mode and polling mode, so also the false detection fix
+is extended to polling usage and IRQ storms are avoided.
+
+By changing this, the hardirq handler is not needed anymore to filter
+stuff.
+
+The mentioned gyro reset now just causes a -ETIMEDOUT instead of
+hanging the system.
+
+Fixes: c770657bd261 ("i2c: omap: Fix standard mode false ACK readings").
+CC: stable@kernel.org
+Signed-off-by: Andreas Kemnade <andreas@kemnade.info>
+Tested-by: Nishanth Menon <nm@ti.com>
+Reviewed-by: Aniket Limaye <a-limaye@ti.com>
+Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
+Link: https://lore.kernel.org/r/20250228140420.379498-1-andreas@kemnade.info
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-omap.c | 26 +++++++-------------------
+ 1 file changed, 7 insertions(+), 19 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-omap.c
++++ b/drivers/i2c/busses/i2c-omap.c
+@@ -1049,23 +1049,6 @@ static int omap_i2c_transmit_data(struct
+ return 0;
+ }
+
+-static irqreturn_t
+-omap_i2c_isr(int irq, void *dev_id)
+-{
+- struct omap_i2c_dev *omap = dev_id;
+- irqreturn_t ret = IRQ_HANDLED;
+- u16 mask;
+- u16 stat;
+-
+- stat = omap_i2c_read_reg(omap, OMAP_I2C_STAT_REG);
+- mask = omap_i2c_read_reg(omap, OMAP_I2C_IE_REG) & ~OMAP_I2C_STAT_NACK;
+-
+- if (stat & mask)
+- ret = IRQ_WAKE_THREAD;
+-
+- return ret;
+-}
+-
+ static int omap_i2c_xfer_data(struct omap_i2c_dev *omap)
+ {
+ u16 bits;
+@@ -1096,8 +1079,13 @@ static int omap_i2c_xfer_data(struct oma
+ }
+
+ if (stat & OMAP_I2C_STAT_NACK) {
+- err |= OMAP_I2C_STAT_NACK;
++ omap->cmd_err |= OMAP_I2C_STAT_NACK;
+ omap_i2c_ack_stat(omap, OMAP_I2C_STAT_NACK);
++
++ if (!(stat & ~OMAP_I2C_STAT_NACK)) {
++ err = -EAGAIN;
++ break;
++ }
+ }
+
+ if (stat & OMAP_I2C_STAT_AL) {
+@@ -1475,7 +1463,7 @@ omap_i2c_probe(struct platform_device *p
+ IRQF_NO_SUSPEND, pdev->name, omap);
+ else
+ r = devm_request_threaded_irq(&pdev->dev, omap->irq,
+- omap_i2c_isr, omap_i2c_isr_thread,
++ NULL, omap_i2c_isr_thread,
+ IRQF_NO_SUSPEND | IRQF_ONESHOT,
+ pdev->name, omap);
+
--- /dev/null
+From 9f01b4954490d4ccdbcc2b9be34a9921ceee9cbb Mon Sep 17 00:00:00 2001
+From: Shakeel Butt <shakeel.butt@linux.dev>
+Date: Mon, 10 Mar 2025 16:09:34 -0700
+Subject: memcg: drain obj stock on cpu hotplug teardown
+
+From: Shakeel Butt <shakeel.butt@linux.dev>
+
+commit 9f01b4954490d4ccdbcc2b9be34a9921ceee9cbb upstream.
+
+Currently on cpu hotplug teardown, only memcg stock is drained but we
+need to drain the obj stock as well otherwise we will miss the stats
+accumulated on the target cpu as well as the nr_bytes cached. The stats
+include MEMCG_KMEM, NR_SLAB_RECLAIMABLE_B & NR_SLAB_UNRECLAIMABLE_B. In
+addition we are leaking reference to struct obj_cgroup object.
+
+Link: https://lkml.kernel.org/r/20250310230934.2913113-1-shakeel.butt@linux.dev
+Fixes: bf4f059954dc ("mm: memcg/slab: obj_cgroup API")
+Signed-off-by: Shakeel Butt <shakeel.butt@linux.dev>
+Reviewed-by: Roman Gushchin <roman.gushchin@linux.dev>
+Acked-by: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: Muchun Song <muchun.song@linux.dev>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/memcontrol.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -2378,9 +2378,18 @@ static void drain_all_stock(struct mem_c
+ static int memcg_hotplug_cpu_dead(unsigned int cpu)
+ {
+ struct memcg_stock_pcp *stock;
++ struct obj_cgroup *old;
++ unsigned long flags;
+
+ stock = &per_cpu(memcg_stock, cpu);
++
++ /* drain_obj_stock requires stock_lock */
++ local_lock_irqsave(&memcg_stock.stock_lock, flags);
++ old = drain_obj_stock(stock);
++ local_unlock_irqrestore(&memcg_stock.stock_lock, flags);
++
+ drain_stock(stock);
++ obj_cgroup_put(old);
+
+ return 0;
+ }
--- /dev/null
+From 182db972c9568dc530b2f586a2f82dfd039d9f2a Mon Sep 17 00:00:00 2001
+From: "Raphael S. Carvalho" <raphaelsc@scylladb.com>
+Date: Mon, 24 Feb 2025 11:37:00 -0300
+Subject: mm: fix error handling in __filemap_get_folio() with FGP_NOWAIT
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Raphael S. Carvalho <raphaelsc@scylladb.com>
+
+commit 182db972c9568dc530b2f586a2f82dfd039d9f2a upstream.
+
+original report:
+https://lore.kernel.org/all/CAKhLTr1UL3ePTpYjXOx2AJfNk8Ku2EdcEfu+CH1sf3Asr=B-Dw@mail.gmail.com/T/
+
+When doing buffered writes with FGP_NOWAIT, under memory pressure, the
+system returned ENOMEM despite there being plenty of available memory, to
+be reclaimed from page cache. The user space used io_uring interface,
+which in turn submits I/O with FGP_NOWAIT (the fast path).
+
+retsnoop pointed to iomap_get_folio:
+
+00:34:16.180612 -> 00:34:16.180651 TID/PID 253786/253721
+(reactor-1/combined_tests):
+
+ entry_SYSCALL_64_after_hwframe+0x76
+ do_syscall_64+0x82
+ __do_sys_io_uring_enter+0x265
+ io_submit_sqes+0x209
+ io_issue_sqe+0x5b
+ io_write+0xdd
+ xfs_file_buffered_write+0x84
+ iomap_file_buffered_write+0x1a6
+ 32us [-ENOMEM] iomap_write_begin+0x408
+iter=&{.inode=0xffff8c67aa031138,.len=4096,.flags=33,.iomap={.addr=0xffffffffffffffff,.length=4096,.type=1,.flags=3,.bdev=0x…
+pos=0 len=4096 foliop=0xffffb32c296b7b80
+! 4us [-ENOMEM] iomap_get_folio
+iter=&{.inode=0xffff8c67aa031138,.len=4096,.flags=33,.iomap={.addr=0xffffffffffffffff,.length=4096,.type=1,.flags=3,.bdev=0x…
+pos=0 len=4096
+
+This is likely a regression caused by 66dabbb65d67 ("mm: return an ERR_PTR
+from __filemap_get_folio"), which moved error handling from
+io_map_get_folio() to __filemap_get_folio(), but broke FGP_NOWAIT
+handling, so ENOMEM is being escaped to user space. Had it correctly
+returned -EAGAIN with NOWAIT, either io_uring or user space itself would
+be able to retry the request.
+
+It's not enough to patch io_uring since the iomap interface is the one
+responsible for it, and pwritev2(RWF_NOWAIT) and AIO interfaces must
+return the proper error too.
+
+The patch was tested with scylladb test suite (its original reproducer),
+and the tests all pass now when memory is pressured.
+
+Link: https://lkml.kernel.org/r/20250224143700.23035-1-raphaelsc@scylladb.com
+Fixes: 66dabbb65d67 ("mm: return an ERR_PTR from __filemap_get_folio")
+Signed-off-by: Raphael S. Carvalho <raphaelsc@scylladb.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Dave Chinner <dchinner@redhat.com>
+Cc: "Darrick J. Wong" <djwong@kernel.org>
+Cc: Matthew Wilcow (Oracle) <willy@infradead.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/filemap.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/mm/filemap.c
++++ b/mm/filemap.c
+@@ -1976,8 +1976,19 @@ no_page:
+
+ if (err == -EEXIST)
+ goto repeat;
+- if (err)
++ if (err) {
++ /*
++ * When NOWAIT I/O fails to allocate folios this could
++ * be due to a nonblocking memory allocation and not
++ * because the system actually is out of memory.
++ * Return -EAGAIN so that there caller retries in a
++ * blocking fashion instead of propagating -ENOMEM
++ * to the application.
++ */
++ if ((fgp_flags & FGP_NOWAIT) && err == -ENOMEM)
++ err = -EAGAIN;
+ return ERR_PTR(err);
++ }
+ /*
+ * filemap_add_folio locks the page, and for mmap
+ * we expect an unlocked page.
--- /dev/null
+From 60cf233b585cdf1f3c5e52d1225606b86acd08b0 Mon Sep 17 00:00:00 2001
+From: Zi Yan <ziy@nvidia.com>
+Date: Wed, 5 Mar 2025 15:04:03 -0500
+Subject: mm/migrate: fix shmem xarray update during migration
+
+From: Zi Yan <ziy@nvidia.com>
+
+commit 60cf233b585cdf1f3c5e52d1225606b86acd08b0 upstream.
+
+A shmem folio can be either in page cache or in swap cache, but not at the
+same time. Namely, once it is in swap cache, folio->mapping should be
+NULL, and the folio is no longer in a shmem mapping.
+
+In __folio_migrate_mapping(), to determine the number of xarray entries to
+update, folio_test_swapbacked() is used, but that conflates shmem in page
+cache case and shmem in swap cache case. It leads to xarray multi-index
+entry corruption, since it turns a sibling entry to a normal entry during
+xas_store() (see [1] for a userspace reproduction). Fix it by only using
+folio_test_swapcache() to determine whether xarray is storing swap cache
+entries or not to choose the right number of xarray entries to update.
+
+[1] https://lore.kernel.org/linux-mm/Z8idPCkaJW1IChjT@casper.infradead.org/
+
+Note:
+In __split_huge_page(), folio_test_anon() && folio_test_swapcache() is
+used to get swap_cache address space, but that ignores the shmem folio in
+swap cache case. It could lead to NULL pointer dereferencing when a
+in-swap-cache shmem folio is split at __xa_store(), since
+!folio_test_anon() is true and folio->mapping is NULL. But fortunately,
+its caller split_huge_page_to_list_to_order() bails out early with EBUSY
+when folio->mapping is NULL. So no need to take care of it here.
+
+Link: https://lkml.kernel.org/r/20250305200403.2822855-1-ziy@nvidia.com
+Fixes: fc346d0a70a1 ("mm: migrate high-order folios in swap cache correctly")
+Signed-off-by: Zi Yan <ziy@nvidia.com>
+Reported-by: Liu Shixin <liushixin2@huawei.com>
+Closes: https://lore.kernel.org/all/28546fb4-5210-bf75-16d6-43e1f8646080@huawei.com/
+Suggested-by: Hugh Dickins <hughd@google.com>
+Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
+Cc: Barry Song <baohua@kernel.org>
+Cc: Charan Teja Kalla <quic_charante@quicinc.com>
+Cc: David Hildenbrand <david@redhat.com>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
+Cc: Lance Yang <ioworker0@gmail.com>
+Cc: Ryan Roberts <ryan.roberts@arm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/migrate.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/mm/migrate.c
++++ b/mm/migrate.c
+@@ -437,15 +437,13 @@ int folio_migrate_mapping(struct address
+ newfolio->index = folio->index;
+ newfolio->mapping = folio->mapping;
+ folio_ref_add(newfolio, nr); /* add cache reference */
+- if (folio_test_swapbacked(folio)) {
++ if (folio_test_swapbacked(folio))
+ __folio_set_swapbacked(newfolio);
+- if (folio_test_swapcache(folio)) {
+- folio_set_swapcache(newfolio);
+- newfolio->private = folio_get_private(folio);
+- }
++ if (folio_test_swapcache(folio)) {
++ folio_set_swapcache(newfolio);
++ newfolio->private = folio_get_private(folio);
+ entries = nr;
+ } else {
+- VM_BUG_ON_FOLIO(folio_test_swapcache(folio), folio);
+ entries = 1;
+ }
+
--- /dev/null
+From e51a349d2dcf1df8422dabb90b2f691dc7df6f92 Mon Sep 17 00:00:00 2001
+From: Gu Bowen <gubowen5@huawei.com>
+Date: Tue, 25 Feb 2025 10:28:56 +0800
+Subject: mmc: atmel-mci: Add missing clk_disable_unprepare()
+
+From: Gu Bowen <gubowen5@huawei.com>
+
+commit e51a349d2dcf1df8422dabb90b2f691dc7df6f92 upstream.
+
+The error path when atmci_configure_dma() set dma fails in atmci driver
+does not correctly disable the clock.
+Add the missing clk_disable_unprepare() to the error path for pair with
+clk_prepare_enable().
+
+Fixes: 467e081d23e6 ("mmc: atmel-mci: use probe deferring if dma controller is not ready yet")
+Signed-off-by: Gu Bowen <gubowen5@huawei.com>
+Acked-by: Aubin Constans <aubin.constans@microchip.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250225022856.3452240-1-gubowen5@huawei.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/atmel-mci.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/atmel-mci.c
++++ b/drivers/mmc/host/atmel-mci.c
+@@ -2536,8 +2536,10 @@ static int atmci_probe(struct platform_d
+ /* Get MCI capabilities and set operations according to it */
+ atmci_get_cap(host);
+ ret = atmci_configure_dma(host);
+- if (ret == -EPROBE_DEFER)
++ if (ret == -EPROBE_DEFER) {
++ clk_disable_unprepare(host->mck);
+ goto err_dma_probe_defer;
++ }
+ if (ret == 0) {
+ host->prepare_data = &atmci_prepare_data_dma;
+ host->submit_data = &atmci_submit_data_dma;
--- /dev/null
+From 723ef0e20dbb2aa1b5406d2bb75374fc48187daa Mon Sep 17 00:00:00 2001
+From: Kamal Dasu <kamal.dasu@broadcom.com>
+Date: Tue, 11 Mar 2025 12:59:35 -0400
+Subject: mmc: sdhci-brcmstb: add cqhci suspend/resume to PM ops
+
+From: Kamal Dasu <kamal.dasu@broadcom.com>
+
+commit 723ef0e20dbb2aa1b5406d2bb75374fc48187daa upstream.
+
+cqhci timeouts observed on brcmstb platforms during suspend:
+ ...
+ [ 164.832853] mmc0: cqhci: timeout for tag 18
+ ...
+
+Adding cqhci_suspend()/resume() calls to disable cqe
+in sdhci_brcmstb_suspend()/resume() respectively to fix
+CQE timeouts seen on PM suspend.
+
+Fixes: d46ba2d17f90 ("mmc: sdhci-brcmstb: Add support for Command Queuing (CQE)")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kamal Dasu <kamal.dasu@broadcom.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://lore.kernel.org/r/20250311165946.28190-1-kamal.dasu@broadcom.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-brcmstb.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/mmc/host/sdhci-brcmstb.c
++++ b/drivers/mmc/host/sdhci-brcmstb.c
+@@ -384,8 +384,15 @@ static int sdhci_brcmstb_suspend(struct
+ struct sdhci_host *host = dev_get_drvdata(dev);
+ struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
+ struct sdhci_brcmstb_priv *priv = sdhci_pltfm_priv(pltfm_host);
++ int ret;
+
+ clk_disable_unprepare(priv->base_clk);
++ if (host->mmc->caps2 & MMC_CAP2_CQE) {
++ ret = cqhci_suspend(host->mmc);
++ if (ret)
++ return ret;
++ }
++
+ return sdhci_pltfm_suspend(dev);
+ }
+
+@@ -410,6 +417,9 @@ static int sdhci_brcmstb_resume(struct d
+ ret = clk_set_rate(priv->base_clk, priv->base_freq_hz);
+ }
+
++ if (host->mmc->caps2 & MMC_CAP2_CQE)
++ ret = cqhci_resume(host->mmc);
++
+ return ret;
+ }
+ #endif
--- /dev/null
+From 654b33ada4ab5e926cd9c570196fefa7bec7c1df Mon Sep 17 00:00:00 2001
+From: Ye Bin <yebin10@huawei.com>
+Date: Sat, 1 Mar 2025 15:06:24 +0300
+Subject: proc: fix UAF in proc_get_inode()
+
+From: Ye Bin <yebin10@huawei.com>
+
+commit 654b33ada4ab5e926cd9c570196fefa7bec7c1df upstream.
+
+Fix race between rmmod and /proc/XXX's inode instantiation.
+
+The bug is that pde->proc_ops don't belong to /proc, it belongs to a
+module, therefore dereferencing it after /proc entry has been registered
+is a bug unless use_pde/unuse_pde() pair has been used.
+
+use_pde/unuse_pde can be avoided (2 atomic ops!) because pde->proc_ops
+never changes so information necessary for inode instantiation can be
+saved _before_ proc_register() in PDE itself and used later, avoiding
+pde->proc_ops->... dereference.
+
+ rmmod lookup
+sys_delete_module
+ proc_lookup_de
+ pde_get(de);
+ proc_get_inode(dir->i_sb, de);
+ mod->exit()
+ proc_remove
+ remove_proc_subtree
+ proc_entry_rundown(de);
+ free_module(mod);
+
+ if (S_ISREG(inode->i_mode))
+ if (de->proc_ops->proc_read_iter)
+ --> As module is already freed, will trigger UAF
+
+BUG: unable to handle page fault for address: fffffbfff80a702b
+PGD 817fc4067 P4D 817fc4067 PUD 817fc0067 PMD 102ef4067 PTE 0
+Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI
+CPU: 26 UID: 0 PID: 2667 Comm: ls Tainted: G
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
+RIP: 0010:proc_get_inode+0x302/0x6e0
+RSP: 0018:ffff88811c837998 EFLAGS: 00010a06
+RAX: dffffc0000000000 RBX: ffffffffc0538140 RCX: 0000000000000007
+RDX: 1ffffffff80a702b RSI: 0000000000000001 RDI: ffffffffc0538158
+RBP: ffff8881299a6000 R08: 0000000067bbe1e5 R09: 1ffff11023906f20
+R10: ffffffffb560ca07 R11: ffffffffb2b43a58 R12: ffff888105bb78f0
+R13: ffff888100518048 R14: ffff8881299a6004 R15: 0000000000000001
+FS: 00007f95b9686840(0000) GS:ffff8883af100000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: fffffbfff80a702b CR3: 0000000117dd2000 CR4: 00000000000006f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ proc_lookup_de+0x11f/0x2e0
+ __lookup_slow+0x188/0x350
+ walk_component+0x2ab/0x4f0
+ path_lookupat+0x120/0x660
+ filename_lookup+0x1ce/0x560
+ vfs_statx+0xac/0x150
+ __do_sys_newstat+0x96/0x110
+ do_syscall_64+0x5f/0x170
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+[adobriyan@gmail.com: don't do 2 atomic ops on the common path]
+Link: https://lkml.kernel.org/r/3d25ded0-1739-447e-812b-e34da7990dcf@p183
+Fixes: 778f3dd5a13c ("Fix procfs compat_ioctl regression")
+Signed-off-by: Ye Bin <yebin10@huawei.com>
+Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/proc/generic.c | 10 +++++++++-
+ fs/proc/inode.c | 6 +++---
+ fs/proc/internal.h | 14 ++++++++++++++
+ include/linux/proc_fs.h | 7 +++++--
+ 4 files changed, 31 insertions(+), 6 deletions(-)
+
+--- a/fs/proc/generic.c
++++ b/fs/proc/generic.c
+@@ -557,10 +557,16 @@ struct proc_dir_entry *proc_create_reg(c
+ return p;
+ }
+
+-static inline void pde_set_flags(struct proc_dir_entry *pde)
++static void pde_set_flags(struct proc_dir_entry *pde)
+ {
+ if (pde->proc_ops->proc_flags & PROC_ENTRY_PERMANENT)
+ pde->flags |= PROC_ENTRY_PERMANENT;
++ if (pde->proc_ops->proc_read_iter)
++ pde->flags |= PROC_ENTRY_proc_read_iter;
++#ifdef CONFIG_COMPAT
++ if (pde->proc_ops->proc_compat_ioctl)
++ pde->flags |= PROC_ENTRY_proc_compat_ioctl;
++#endif
+ }
+
+ struct proc_dir_entry *proc_create_data(const char *name, umode_t mode,
+@@ -624,6 +630,7 @@ struct proc_dir_entry *proc_create_seq_p
+ p->proc_ops = &proc_seq_ops;
+ p->seq_ops = ops;
+ p->state_size = state_size;
++ pde_set_flags(p);
+ return proc_register(parent, p);
+ }
+ EXPORT_SYMBOL(proc_create_seq_private);
+@@ -654,6 +661,7 @@ struct proc_dir_entry *proc_create_singl
+ return NULL;
+ p->proc_ops = &proc_single_ops;
+ p->single_show = show;
++ pde_set_flags(p);
+ return proc_register(parent, p);
+ }
+ EXPORT_SYMBOL(proc_create_single_data);
+--- a/fs/proc/inode.c
++++ b/fs/proc/inode.c
+@@ -679,13 +679,13 @@ struct inode *proc_get_inode(struct supe
+
+ if (S_ISREG(inode->i_mode)) {
+ inode->i_op = de->proc_iops;
+- if (de->proc_ops->proc_read_iter)
++ if (pde_has_proc_read_iter(de))
+ inode->i_fop = &proc_iter_file_ops;
+ else
+ inode->i_fop = &proc_reg_file_ops;
+ #ifdef CONFIG_COMPAT
+- if (de->proc_ops->proc_compat_ioctl) {
+- if (de->proc_ops->proc_read_iter)
++ if (pde_has_proc_compat_ioctl(de)) {
++ if (pde_has_proc_read_iter(de))
+ inode->i_fop = &proc_iter_file_ops_compat;
+ else
+ inode->i_fop = &proc_reg_file_ops_compat;
+--- a/fs/proc/internal.h
++++ b/fs/proc/internal.h
+@@ -84,6 +84,20 @@ static inline void pde_make_permanent(st
+ pde->flags |= PROC_ENTRY_PERMANENT;
+ }
+
++static inline bool pde_has_proc_read_iter(const struct proc_dir_entry *pde)
++{
++ return pde->flags & PROC_ENTRY_proc_read_iter;
++}
++
++static inline bool pde_has_proc_compat_ioctl(const struct proc_dir_entry *pde)
++{
++#ifdef CONFIG_COMPAT
++ return pde->flags & PROC_ENTRY_proc_compat_ioctl;
++#else
++ return false;
++#endif
++}
++
+ extern struct kmem_cache *proc_dir_entry_cache;
+ void pde_free(struct proc_dir_entry *pde);
+
+--- a/include/linux/proc_fs.h
++++ b/include/linux/proc_fs.h
+@@ -20,10 +20,13 @@ enum {
+ * If in doubt, ignore this flag.
+ */
+ #ifdef MODULE
+- PROC_ENTRY_PERMANENT = 0U,
++ PROC_ENTRY_PERMANENT = 0U,
+ #else
+- PROC_ENTRY_PERMANENT = 1U << 0,
++ PROC_ENTRY_PERMANENT = 1U << 0,
+ #endif
++
++ PROC_ENTRY_proc_read_iter = 1U << 1,
++ PROC_ENTRY_proc_compat_ioctl = 1U << 2,
+ };
+
+ struct proc_ops {
--- /dev/null
+From 2c7a50bec4958f1d1c84d19cde518d0e96a676fd Mon Sep 17 00:00:00 2001
+From: Christian Eggers <ceggers@arri.de>
+Date: Thu, 13 Mar 2025 11:27:39 +0100
+Subject: regulator: check that dummy regulator has been probed before using it
+
+From: Christian Eggers <ceggers@arri.de>
+
+commit 2c7a50bec4958f1d1c84d19cde518d0e96a676fd upstream.
+
+Due to asynchronous driver probing there is a chance that the dummy
+regulator hasn't already been probed when first accessing it.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Christian Eggers <ceggers@arri.de>
+Link: https://patch.msgid.link/20250313103051.32430-3-ceggers@arri.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/regulator/core.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -2084,6 +2084,10 @@ static int regulator_resolve_supply(stru
+
+ if (have_full_constraints()) {
+ r = dummy_regulator_rdev;
++ if (!r) {
++ ret = -EPROBE_DEFER;
++ goto out;
++ }
+ get_device(&r->dev);
+ } else {
+ dev_err(dev, "Failed to resolve %s-supply for %s\n",
+@@ -2101,6 +2105,10 @@ static int regulator_resolve_supply(stru
+ goto out;
+ }
+ r = dummy_regulator_rdev;
++ if (!r) {
++ ret = -EPROBE_DEFER;
++ goto out;
++ }
+ get_device(&r->dev);
+ }
+
+@@ -2209,8 +2217,10 @@ struct regulator *_regulator_get(struct
+ * enabled, even if it isn't hooked up, and just
+ * provide a dummy.
+ */
+- dev_warn(dev, "supply %s not found, using dummy regulator\n", id);
+ rdev = dummy_regulator_rdev;
++ if (!rdev)
++ return ERR_PTR(-EPROBE_DEFER);
++ dev_warn(dev, "supply %s not found, using dummy regulator\n", id);
+ get_device(&rdev->dev);
+ break;
+
--- /dev/null
+From 8619909b38eeebd3e60910158d7d68441fc954e9 Mon Sep 17 00:00:00 2001
+From: Christian Eggers <ceggers@arri.de>
+Date: Tue, 11 Mar 2025 10:18:02 +0100
+Subject: regulator: dummy: force synchronous probing
+
+From: Christian Eggers <ceggers@arri.de>
+
+commit 8619909b38eeebd3e60910158d7d68441fc954e9 upstream.
+
+Sometimes I get a NULL pointer dereference at boot time in kobject_get()
+with the following call stack:
+
+anatop_regulator_probe()
+ devm_regulator_register()
+ regulator_register()
+ regulator_resolve_supply()
+ kobject_get()
+
+By placing some extra BUG_ON() statements I could verify that this is
+raised because probing of the 'dummy' regulator driver is not completed
+('dummy_regulator_rdev' is still NULL).
+
+In the JTAG debugger I can see that dummy_regulator_probe() and
+anatop_regulator_probe() can be run by different kernel threads
+(kworker/u4:*). I haven't further investigated whether this can be
+changed or if there are other possibilities to force synchronization
+between these two probe routines. On the other hand I don't expect much
+boot time penalty by probing the 'dummy' regulator synchronously.
+
+Cc: stable@vger.kernel.org
+Fixes: 259b93b21a9f ("regulator: Set PROBE_PREFER_ASYNCHRONOUS for drivers that existed in 4.14")
+Signed-off-by: Christian Eggers <ceggers@arri.de>
+Link: https://patch.msgid.link/20250311091803.31026-1-ceggers@arri.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/regulator/dummy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/regulator/dummy.c b/drivers/regulator/dummy.c
+index 5b9b9e4e762d..9f59889129ab 100644
+--- a/drivers/regulator/dummy.c
++++ b/drivers/regulator/dummy.c
+@@ -60,7 +60,7 @@ static struct platform_driver dummy_regulator_driver = {
+ .probe = dummy_regulator_probe,
+ .driver = {
+ .name = "reg-dummy",
+- .probe_type = PROBE_PREFER_ASYNCHRONOUS,
++ .probe_type = PROBE_FORCE_SYNCHRONOUS,
+ },
+ };
+
+--
+2.49.0
+
--- /dev/null
+From 1b133129ad6b28186214259af3bd5fc651a85509 Mon Sep 17 00:00:00 2001
+From: E Shattow <e@freeshell.de>
+Date: Mon, 9 Dec 2024 20:19:56 -0800
+Subject: riscv: dts: starfive: Fix a typo in StarFive JH7110 pin function definitions
+
+From: E Shattow <e@freeshell.de>
+
+commit 1b133129ad6b28186214259af3bd5fc651a85509 upstream.
+
+Fix a typo in StarFive JH7110 pin function definitions for GPOUT_SYS_SDIO1_DATA4
+
+Fixes: e22f09e598d12 ("riscv: dts: starfive: Add StarFive JH7110 pin function definitions")
+Signed-off-by: E Shattow <e@freeshell.de>
+Acked-by: Hal Feng <hal.feng@starfivetech.com>
+CC: stable@vger.kernel.org
+Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/boot/dts/starfive/jh7110-pinfunc.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/riscv/boot/dts/starfive/jh7110-pinfunc.h b/arch/riscv/boot/dts/starfive/jh7110-pinfunc.h
+index 256de17f5261..ae49c908e7fb 100644
+--- a/arch/riscv/boot/dts/starfive/jh7110-pinfunc.h
++++ b/arch/riscv/boot/dts/starfive/jh7110-pinfunc.h
+@@ -89,7 +89,7 @@
+ #define GPOUT_SYS_SDIO1_DATA1 59
+ #define GPOUT_SYS_SDIO1_DATA2 60
+ #define GPOUT_SYS_SDIO1_DATA3 61
+-#define GPOUT_SYS_SDIO1_DATA4 63
++#define GPOUT_SYS_SDIO1_DATA4 62
+ #define GPOUT_SYS_SDIO1_DATA5 63
+ #define GPOUT_SYS_SDIO1_DATA6 64
+ #define GPOUT_SYS_SDIO1_DATA7 65
+--
+2.49.0
+
net-lwtunnel-fix-recursion-loops.patch
net-neighbor-add-missing-policy-for-ndtpa_queue_lenb.patch
revert-gre-fix-ipv6-link-local-address-generation.patch
+i2c-omap-fix-irq-storms.patch
+can-rcar_canfd-fix-page-entries-in-the-afl-list.patch
+can-ucan-fix-out-of-bound-read-in-strscpy-source.patch
+can-flexcan-only-change-can-state-when-link-up-in-system-pm.patch
+can-flexcan-disable-transceiver-during-system-pm.patch
+drm-v3d-don-t-run-jobs-that-have-errors-flagged-in-its-fence.patch
+riscv-dts-starfive-fix-a-typo-in-starfive-jh7110-pin-function-definitions.patch
+regulator-dummy-force-synchronous-probing.patch
+regulator-check-that-dummy-regulator-has-been-probed-before-using-it.patch
+accel-qaic-fix-integer-overflow-in-qaic_validate_req.patch
+arm64-dts-freescale-imx8mp-verdin-dahlia-add-microphone-jack-to-sound-card.patch
+arm64-dts-freescale-imx8mm-verdin-dahlia-add-microphone-jack-to-sound-card.patch
+arm64-dts-rockchip-fix-pinmux-of-uart0-for-px30-ringneck-on-haikou.patch
+arm64-dts-rockchip-add-missing-pcie-supplies-to-rockpro64-board-dtsi.patch
+mmc-sdhci-brcmstb-add-cqhci-suspend-resume-to-pm-ops.patch
+mmc-atmel-mci-add-missing-clk_disable_unprepare.patch
+mm-fix-error-handling-in-__filemap_get_folio-with-fgp_nowait.patch
+mm-migrate-fix-shmem-xarray-update-during-migration.patch
+proc-fix-uaf-in-proc_get_inode.patch
+memcg-drain-obj-stock-on-cpu-hotplug-teardown.patch
+arm-dts-imx6qdl-apalis-fix-poweroff-on-apalis-imx6.patch
+arm-shmobile-smp-enforce-shmobile_smp_-alignment.patch
+efi-libstub-avoid-physical-address-0x0-when-doing-random-allocation.patch
+xsk-fix-an-integer-overflow-in-xp_create_and_assign_umem.patch
+batman-adv-ignore-own-maximum-aggregation-size-during-rx.patch
+soc-qcom-pdr-fix-the-potential-deadlock.patch
+drm-radeon-fix-uninitialized-size-issue-in-radeon_vce_cs_parse.patch
+drm-sched-fix-fence-reference-count-leak.patch
+drm-amdgpu-fix-mpeg2-mpeg4-and-vc1-video-caps-max-size.patch
+drm-amdgpu-fix-jpeg-video-caps-max-size-for-navi1x-and-raven.patch
+drm-amd-display-should-support-dmub-hw-lock-on-replay.patch
+drm-amd-display-use-hw-lock-mgr-for-psr1-when-only-one-edp.patch
--- /dev/null
+From 2eeb03ad9f42dfece63051be2400af487ddb96d2 Mon Sep 17 00:00:00 2001
+From: Saranya R <quic_sarar@quicinc.com>
+Date: Wed, 12 Feb 2025 22:07:20 +0530
+Subject: soc: qcom: pdr: Fix the potential deadlock
+
+From: Saranya R <quic_sarar@quicinc.com>
+
+commit 2eeb03ad9f42dfece63051be2400af487ddb96d2 upstream.
+
+When some client process A call pdr_add_lookup() to add the look up for
+the service and does schedule locator work, later a process B got a new
+server packet indicating locator is up and call pdr_locator_new_server()
+which eventually sets pdr->locator_init_complete to true which process A
+sees and takes list lock and queries domain list but it will timeout due
+to deadlock as the response will queued to the same qmi->wq and it is
+ordered workqueue and process B is not able to complete new server
+request work due to deadlock on list lock.
+
+Fix it by removing the unnecessary list iteration as the list iteration
+is already being done inside locator work, so avoid it here and just
+call schedule_work() here.
+
+ Process A Process B
+
+ process_scheduled_works()
+pdr_add_lookup() qmi_data_ready_work()
+ process_scheduled_works() pdr_locator_new_server()
+ pdr->locator_init_complete=true;
+ pdr_locator_work()
+ mutex_lock(&pdr->list_lock);
+
+ pdr_locate_service() mutex_lock(&pdr->list_lock);
+
+ pdr_get_domain_list()
+ pr_err("PDR: %s get domain list
+ txn wait failed: %d\n",
+ req->service_name,
+ ret);
+
+Timeout error log due to deadlock:
+
+"
+ PDR: tms/servreg get domain list txn wait failed: -110
+ PDR: service lookup for msm/adsp/sensor_pd:tms/servreg failed: -110
+"
+
+Thanks to Bjorn and Johan for letting me know that this commit also fixes
+an audio regression when using the in-kernel pd-mapper as that makes it
+easier to hit this race. [1]
+
+Link: https://lore.kernel.org/lkml/Zqet8iInnDhnxkT9@hovoldconsulting.com/ # [1]
+Fixes: fbe639b44a82 ("soc: qcom: Introduce Protection Domain Restart helpers")
+CC: stable@vger.kernel.org
+Reviewed-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+Tested-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+Tested-by: Johan Hovold <johan+linaro@kernel.org>
+Signed-off-by: Saranya R <quic_sarar@quicinc.com>
+Co-developed-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
+Signed-off-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250212163720.1577876-1-mukesh.ojha@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/qcom/pdr_interface.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+--- a/drivers/soc/qcom/pdr_interface.c
++++ b/drivers/soc/qcom/pdr_interface.c
+@@ -74,7 +74,6 @@ static int pdr_locator_new_server(struct
+ {
+ struct pdr_handle *pdr = container_of(qmi, struct pdr_handle,
+ locator_hdl);
+- struct pdr_service *pds;
+
+ mutex_lock(&pdr->lock);
+ /* Create a local client port for QMI communication */
+@@ -86,12 +85,7 @@ static int pdr_locator_new_server(struct
+ mutex_unlock(&pdr->lock);
+
+ /* Service pending lookup requests */
+- mutex_lock(&pdr->list_lock);
+- list_for_each_entry(pds, &pdr->lookups, node) {
+- if (pds->need_locator_lookup)
+- schedule_work(&pdr->locator_work);
+- }
+- mutex_unlock(&pdr->list_lock);
++ schedule_work(&pdr->locator_work);
+
+ return 0;
+ }
--- /dev/null
+From 559847f56769037e5b2e0474d3dbff985b98083d Mon Sep 17 00:00:00 2001
+From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+Date: Thu, 13 Mar 2025 08:50:08 +0000
+Subject: xsk: fix an integer overflow in xp_create_and_assign_umem()
+
+From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+
+commit 559847f56769037e5b2e0474d3dbff985b98083d upstream.
+
+Since the i and pool->chunk_size variables are of type 'u32',
+their product can wrap around and then be cast to 'u64'.
+This can lead to two different XDP buffers pointing to the same
+memory area.
+
+Found by InfoTeCS on behalf of Linux Verification Center
+(linuxtesting.org) with SVACE.
+
+Fixes: 94033cd8e73b ("xsk: Optimize for aligned case")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ilia Gavrilov <Ilia.Gavrilov@infotecs.ru>
+Link: https://patch.msgid.link/20250313085007.3116044-1-Ilia.Gavrilov@infotecs.ru
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/xdp/xsk_buff_pool.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/xdp/xsk_buff_pool.c
++++ b/net/xdp/xsk_buff_pool.c
+@@ -104,7 +104,7 @@ struct xsk_buff_pool *xp_create_and_assi
+ if (pool->unaligned)
+ pool->free_heads[i] = xskb;
+ else
+- xp_init_xskb_addr(xskb, pool, i * pool->chunk_size);
++ xp_init_xskb_addr(xskb, pool, (u64)i * pool->chunk_size);
+ }
+
+ return pool;
projects / thirdparty / kernel / stable-queue.git / commitdiff
