--- /dev/null
+From 2427182abf4d5865a725e47e44667edb49953a4e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Apr 2025 18:54:54 +0200
+Subject: ACPI: OSI: Stop advertising support for "3.0 _SCP Extensions"
+
+From: Armin Wolf <W_Armin@gmx.de>
+
+[ Upstream commit 8cf4fdac9bdead7bca15fc56fdecdf78d11c3ec6 ]
+
+As specified in section 5.7.2 of the ACPI specification the feature
+group string "3.0 _SCP Extensions" implies that the operating system
+evaluates the _SCP control method with additional parameters.
+
+However the ACPI thermal driver evaluates the _SCP control method
+without those additional parameters, conflicting with the above
+feature group string advertised to the firmware thru _OSI.
+
+Stop advertising support for this feature string to avoid confusing
+the ACPI firmware.
+
+Fixes: e5f660ebef68 ("ACPI / osi: Collect _OSI handling into one single file")
+Signed-off-by: Armin Wolf <W_Armin@gmx.de>
+Link: https://patch.msgid.link/20250410165456.4173-2-W_Armin@gmx.de
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/osi.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/acpi/osi.c b/drivers/acpi/osi.c
+index d4405e1ca9b97..ae9620757865b 100644
+--- a/drivers/acpi/osi.c
++++ b/drivers/acpi/osi.c
+@@ -42,7 +42,6 @@ static struct acpi_osi_entry
+ osi_setup_entries[OSI_STRING_ENTRIES_MAX] __initdata = {
+ {"Module Device", true},
+ {"Processor Device", true},
+- {"3.0 _SCP Extensions", true},
+ {"Processor Aggregator Device", true},
+ };
+
+--
+2.39.5
+
--- /dev/null
+From fa75ddbfa9dd5d1383ad1fdc000e13f701ce8593 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 May 2025 16:00:42 +0930
+Subject: ARM: aspeed: Don't select SRAM
+
+From: Joel Stanley <joel@jms.id.au>
+
+[ Upstream commit e4f59f873c3ffe2a0150e11115a83e2dfb671dbf ]
+
+The ASPEED devices have SRAM, but don't require it for basic function
+(or any function; there's no known users of the driver).
+
+Fixes: 8c2ed9bcfbeb ("arm: Add Aspeed machine")
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Link: https://patch.msgid.link/20250115103942.421429-1-joel@jms.id.au
+Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-aspeed/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/arm/mach-aspeed/Kconfig b/arch/arm/mach-aspeed/Kconfig
+index 080019aa6fcd8..fcf287edd0e5e 100644
+--- a/arch/arm/mach-aspeed/Kconfig
++++ b/arch/arm/mach-aspeed/Kconfig
+@@ -2,7 +2,6 @@
+ menuconfig ARCH_ASPEED
+ bool "Aspeed BMC architectures"
+ depends on (CPU_LITTLE_ENDIAN && ARCH_MULTI_V5) || ARCH_MULTI_V6 || ARCH_MULTI_V7
+- select SRAM
+ select WATCHDOG
+ select ASPEED_WATCHDOG
+ select MFD_SYSCON
+--
+2.39.5
+
--- /dev/null
+From 6057e0d599efc8cd5c99cc077a9203d8f9e23288 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Apr 2025 23:04:46 +0200
+Subject: ARM: dts: at91: at91sam9263: fix NAND chip selects
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit c72ede1c24be689733bcd2233a3a56f2478429c8 ]
+
+NAND did not work on my USB-A9263. I discovered that the offending
+commit converted the PIO bank for chip selects wrongly, so all A9263
+boards need to be fixed.
+
+Fixes: 1004a2977bdc ("ARM: dts: at91: Switch to the new NAND bindings")
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Reviewed-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Link: https://lore.kernel.org/r/20250402210446.5972-2-wsa+renesas@sang-engineering.com
+Signed-off-by: Claudiu Beznea <claudiu.beznea@tuxon.dev>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/at91sam9263ek.dts | 2 +-
+ arch/arm/boot/dts/tny_a9263.dts | 2 +-
+ arch/arm/boot/dts/usb_a9263.dts | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm/boot/dts/at91sam9263ek.dts b/arch/arm/boot/dts/at91sam9263ek.dts
+index ce8baff6a9f4e..e42e1a75a715d 100644
+--- a/arch/arm/boot/dts/at91sam9263ek.dts
++++ b/arch/arm/boot/dts/at91sam9263ek.dts
+@@ -152,7 +152,7 @@
+ nand@3 {
+ reg = <0x3 0x0 0x800000>;
+ rb-gpios = <&pioA 22 GPIO_ACTIVE_HIGH>;
+- cs-gpios = <&pioA 15 GPIO_ACTIVE_HIGH>;
++ cs-gpios = <&pioD 15 GPIO_ACTIVE_HIGH>;
+ nand-bus-width = <8>;
+ nand-ecc-mode = "soft";
+ nand-on-flash-bbt;
+diff --git a/arch/arm/boot/dts/tny_a9263.dts b/arch/arm/boot/dts/tny_a9263.dts
+index 62b7d9f9a926c..c8b6318aaa838 100644
+--- a/arch/arm/boot/dts/tny_a9263.dts
++++ b/arch/arm/boot/dts/tny_a9263.dts
+@@ -64,7 +64,7 @@
+ nand@3 {
+ reg = <0x3 0x0 0x800000>;
+ rb-gpios = <&pioA 22 GPIO_ACTIVE_HIGH>;
+- cs-gpios = <&pioA 15 GPIO_ACTIVE_HIGH>;
++ cs-gpios = <&pioD 15 GPIO_ACTIVE_HIGH>;
+ nand-bus-width = <8>;
+ nand-ecc-mode = "soft";
+ nand-on-flash-bbt;
+diff --git a/arch/arm/boot/dts/usb_a9263.dts b/arch/arm/boot/dts/usb_a9263.dts
+index c9d0058e90813..83d0b98dd287b 100644
+--- a/arch/arm/boot/dts/usb_a9263.dts
++++ b/arch/arm/boot/dts/usb_a9263.dts
+@@ -84,7 +84,7 @@
+ nand@3 {
+ reg = <0x3 0x0 0x800000>;
+ rb-gpios = <&pioA 22 GPIO_ACTIVE_HIGH>;
+- cs-gpios = <&pioA 15 GPIO_ACTIVE_HIGH>;
++ cs-gpios = <&pioD 15 GPIO_ACTIVE_HIGH>;
+ nand-bus-width = <8>;
+ nand-ecc-mode = "soft";
+ nand-on-flash-bbt;
+--
+2.39.5
+
--- /dev/null
+From 2e9a7e6afaa7efc8e23f7b0c4ac3553470ed0aa7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Apr 2025 13:27:43 +0200
+Subject: ARM: dts: at91: usb_a9263: fix GPIO for Dataflash chip select
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit 67ba341e57ab158423818ed33bfa1c40eb0e5e7e ]
+
+Dataflash did not work on my board. After checking schematics and using
+the proper GPIO, it works now. Also, make it active low to avoid:
+
+flash@0 enforce active low on GPIO handle
+
+Fixes: 2432d201468d ("ARM: at91: dt: usb-a9263: add dataflash support")
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Link: https://lore.kernel.org/r/20250404112742.67416-2-wsa+renesas@sang-engineering.com
+Signed-off-by: Claudiu Beznea <claudiu.beznea@tuxon.dev>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/usb_a9263.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/usb_a9263.dts b/arch/arm/boot/dts/usb_a9263.dts
+index b6cb9cdf81973..c9d0058e90813 100644
+--- a/arch/arm/boot/dts/usb_a9263.dts
++++ b/arch/arm/boot/dts/usb_a9263.dts
+@@ -58,7 +58,7 @@
+ };
+
+ spi0: spi@fffa4000 {
+- cs-gpios = <&pioB 15 GPIO_ACTIVE_HIGH>;
++ cs-gpios = <&pioA 5 GPIO_ACTIVE_LOW>;
+ status = "okay";
+ flash@0 {
+ compatible = "atmel,at45", "atmel,dataflash";
+--
+2.39.5
+
--- /dev/null
+From c9efc1d6d71889d72683625f5af79c8a1a59cdb9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Mar 2025 15:22:00 +0200
+Subject: ARM: dts: qcom: apq8064 merge hw splinlock into corresponding syscon
+ device
+
+From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+
+[ Upstream commit 325c6a441ae1f8fcb1db9bb945b8bdbd3142141e ]
+
+Follow up the expected way of describing the SFPB hwspinlock and merge
+hwspinlock node into corresponding syscon node, fixing several dt-schema
+warnings.
+
+Fixes: 24a9baf933dc ("ARM: dts: qcom: apq8064: Add hwmutex and SMEM nodes")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250318-fix-nexus-4-v2-7-bcedd1406790@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/qcom-apq8064.dtsi | 13 ++++---------
+ 1 file changed, 4 insertions(+), 9 deletions(-)
+
+diff --git a/arch/arm/boot/dts/qcom-apq8064.dtsi b/arch/arm/boot/dts/qcom-apq8064.dtsi
+index 2b3927a829b70..da7e780dc3351 100644
+--- a/arch/arm/boot/dts/qcom-apq8064.dtsi
++++ b/arch/arm/boot/dts/qcom-apq8064.dtsi
+@@ -212,12 +212,6 @@
+ };
+ };
+
+- sfpb_mutex: hwmutex {
+- compatible = "qcom,sfpb-mutex";
+- syscon = <&sfpb_wrapper_mutex 0x604 0x4>;
+- #hwlock-cells = <1>;
+- };
+-
+ smem {
+ compatible = "qcom,smem";
+ memory-region = <&smem_region>;
+@@ -361,9 +355,10 @@
+ pinctrl-0 = <&ps_hold>;
+ };
+
+- sfpb_wrapper_mutex: syscon@1200000 {
+- compatible = "syscon";
+- reg = <0x01200000 0x8000>;
++ sfpb_mutex: hwmutex@1200600 {
++ compatible = "qcom,sfpb-mutex";
++ reg = <0x01200600 0x100>;
++ #hwlock-cells = <1>;
+ };
+
+ intc: interrupt-controller@2000000 {
+--
+2.39.5
+
--- /dev/null
+From e9e76ca3a53a2ab669c7976ee0ee4fb5dc4fdd62 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 May 2025 18:49:24 +0530
+Subject: arm64: defconfig: mediatek: enable PHY drivers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Vignesh Raman <vignesh.raman@collabora.com>
+
+[ Upstream commit f52cd248d844f9451858992f924988ac413fdc7e ]
+
+The mediatek display driver fails to probe on mt8173-elm-hana and
+mt8183-kukui-jacuzzi-juniper-sku16 in v6.14-rc4 due to missing PHY
+configurations.
+
+Commit 924d66011f24 ("drm/mediatek: stop selecting foreign drivers")
+stopped selecting the MediaTek PHY drivers, requiring them to be
+explicitly enabled in defconfig.
+
+Enable the following PHY drivers for MediaTek platforms:
+CONFIG_PHY_MTK_HDMI=m for HDMI display
+CONFIG_PHY_MTK_MIPI_DSI=m for DSI display
+CONFIG_PHY_MTK_DP=m for DP display
+
+Fixes: 924d66011f24 ("drm/mediatek: stop selecting foreign drivers")
+Reviewed-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
+Signed-off-by: Vignesh Raman <vignesh.raman@collabora.com>
+Link: https://lore.kernel.org/r/20250512131933.1247830-1-vignesh.raman@collabora.com
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/configs/defconfig | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/arm64/configs/defconfig b/arch/arm64/configs/defconfig
+index 623e9f308f38a..4543b292b50b4 100644
+--- a/arch/arm64/configs/defconfig
++++ b/arch/arm64/configs/defconfig
+@@ -1230,6 +1230,9 @@ CONFIG_PHY_HISTB_COMBPHY=y
+ CONFIG_PHY_HISI_INNO_USB2=y
+ CONFIG_PHY_MVEBU_CP110_COMPHY=y
+ CONFIG_PHY_MTK_TPHY=y
++CONFIG_PHY_MTK_HDMI=m
++CONFIG_PHY_MTK_MIPI_DSI=m
++CONFIG_PHY_MTK_DP=m
+ CONFIG_PHY_QCOM_EDP=m
+ CONFIG_PHY_QCOM_PCIE2=m
+ CONFIG_PHY_QCOM_QMP=m
+--
+2.39.5
+
--- /dev/null
+From cdf52f6429f15c5dbae3584535b5ec01f6c4c564 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Apr 2025 20:01:27 -0500
+Subject: arm64: dts: imx8mm-beacon: Fix RTC capacitive load
+
+From: Adam Ford <aford173@gmail.com>
+
+[ Upstream commit 2e98d456666d63f897ba153210bcef9d78ba0f3a ]
+
+Although not noticeable when used every day, the RTC appears to drift when
+left to sit over time. This is due to the capacitive load not being
+properly set. Fix RTC drift by correcting the capacitive load setting
+from 7000 to 12500, which matches the actual hardware configuration.
+
+Fixes: 593816fa2f35 ("arm64: dts: imx: Add Beacon i.MX8m-Mini development kit")
+Signed-off-by: Adam Ford <aford173@gmail.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi
+index cf07987ccc10b..140e251094fa4 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi
+@@ -231,6 +231,7 @@
+ rtc: rtc@51 {
+ compatible = "nxp,pcf85263";
+ reg = <0x51>;
++ quartz-load-femtofarads = <12500>;
+ };
+ };
+
+--
+2.39.5
+
--- /dev/null
+From fa879707910c3d8105c73783ac867adbb70b4baf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Apr 2025 20:01:28 -0500
+Subject: arm64: dts: imx8mn-beacon: Fix RTC capacitive load
+
+From: Adam Ford <aford173@gmail.com>
+
+[ Upstream commit c3f03bec30efd5082b55876846d57b5d17dae7b9 ]
+
+Although not noticeable when used every day, the RTC appears to drift when
+left to sit over time. This is due to the capacitive load not being
+properly set. Fix RTC drift by correcting the capacitive load setting
+from 7000 to 12500, which matches the actual hardware configuration.
+
+Fixes: 36ca3c8ccb53 ("arm64: dts: imx: Add Beacon i.MX8M Nano development kit")
+Signed-off-by: Adam Ford <aford173@gmail.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi
+index 1133cded9be2f..c4b1c6029c9a9 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi
+@@ -240,6 +240,7 @@
+ rtc: rtc@51 {
+ compatible = "nxp,pcf85263";
+ reg = <0x51>;
++ quartz-load-femtofarads = <12500>;
+ };
+ };
+
+--
+2.39.5
+
--- /dev/null
+From 89d19e14aa08bec8062d8d810ede640fde8d97a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Apr 2025 11:06:15 +0200
+Subject: arm64: dts: mediatek: mt8195: Reparent vdec1/2 and venc1 power
+ domains
+
+From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+
+[ Upstream commit 394f29033324e2317bfd6a7ed99b9a60832b36a2 ]
+
+By hardware, the first and second core of the video decoder IP
+need the VDEC_SOC to be powered up in order to be able to be
+accessed (both internally, by firmware, and externally, by the
+kernel).
+Similarly, for the video encoder IP, the second core needs the
+first core to be powered up in order to be accessible.
+
+Fix that by reparenting the VDEC1/2 power domains to be children
+of VDEC0 (VDEC_SOC), and the VENC1 to be a child of VENC0.
+
+Fixes: 2b515194bf0c ("arm64: dts: mt8195: Add power domains controller")
+Reviewed-by: Chen-Yu Tsai <wenst@chromium.org>
+Link: https://lore.kernel.org/r/20250402090615.25871-3-angelogioacchino.delregno@collabora.com
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/mt8195.dtsi | 50 +++++++++++++-----------
+ 1 file changed, 27 insertions(+), 23 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt8195.dtsi b/arch/arm64/boot/dts/mediatek/mt8195.dtsi
+index 274edce5d5e6e..6f92451671355 100644
+--- a/arch/arm64/boot/dts/mediatek/mt8195.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt8195.dtsi
+@@ -461,22 +461,6 @@
+ #size-cells = <0>;
+ #power-domain-cells = <1>;
+
+- power-domain@MT8195_POWER_DOMAIN_VDEC1 {
+- reg = <MT8195_POWER_DOMAIN_VDEC1>;
+- clocks = <&vdecsys CLK_VDEC_LARB1>;
+- clock-names = "vdec1-0";
+- mediatek,infracfg = <&infracfg_ao>;
+- #power-domain-cells = <0>;
+- };
+-
+- power-domain@MT8195_POWER_DOMAIN_VENC_CORE1 {
+- reg = <MT8195_POWER_DOMAIN_VENC_CORE1>;
+- clocks = <&vencsys_core1 CLK_VENC_CORE1_LARB>;
+- clock-names = "venc1-larb";
+- mediatek,infracfg = <&infracfg_ao>;
+- #power-domain-cells = <0>;
+- };
+-
+ power-domain@MT8195_POWER_DOMAIN_VDOSYS0 {
+ reg = <MT8195_POWER_DOMAIN_VDOSYS0>;
+ clocks = <&topckgen CLK_TOP_CFG_VDO0>,
+@@ -522,15 +506,25 @@
+ clocks = <&vdecsys_soc CLK_VDEC_SOC_LARB1>;
+ clock-names = "vdec0-0";
+ mediatek,infracfg = <&infracfg_ao>;
++ #address-cells = <1>;
++ #size-cells = <0>;
+ #power-domain-cells = <0>;
+- };
+
+- power-domain@MT8195_POWER_DOMAIN_VDEC2 {
+- reg = <MT8195_POWER_DOMAIN_VDEC2>;
+- clocks = <&vdecsys_core1 CLK_VDEC_CORE1_LARB1>;
+- clock-names = "vdec2-0";
+- mediatek,infracfg = <&infracfg_ao>;
+- #power-domain-cells = <0>;
++ power-domain@MT8195_POWER_DOMAIN_VDEC1 {
++ reg = <MT8195_POWER_DOMAIN_VDEC1>;
++ clocks = <&vdecsys CLK_VDEC_LARB1>;
++ clock-names = "vdec1-0";
++ mediatek,infracfg = <&infracfg_ao>;
++ #power-domain-cells = <0>;
++ };
++
++ power-domain@MT8195_POWER_DOMAIN_VDEC2 {
++ reg = <MT8195_POWER_DOMAIN_VDEC2>;
++ clocks = <&vdecsys_core1 CLK_VDEC_CORE1_LARB1>;
++ clock-names = "vdec2-0";
++ mediatek,infracfg = <&infracfg_ao>;
++ #power-domain-cells = <0>;
++ };
+ };
+
+ power-domain@MT8195_POWER_DOMAIN_VENC {
+@@ -538,7 +532,17 @@
+ clocks = <&vencsys CLK_VENC_LARB>;
+ clock-names = "venc0-larb";
+ mediatek,infracfg = <&infracfg_ao>;
++ #address-cells = <1>;
++ #size-cells = <0>;
+ #power-domain-cells = <0>;
++
++ power-domain@MT8195_POWER_DOMAIN_VENC_CORE1 {
++ reg = <MT8195_POWER_DOMAIN_VENC_CORE1>;
++ clocks = <&vencsys_core1 CLK_VENC_CORE1_LARB>;
++ clock-names = "venc1-larb";
++ mediatek,infracfg = <&infracfg_ao>;
++ #power-domain-cells = <0>;
++ };
+ };
+
+ power-domain@MT8195_POWER_DOMAIN_VDOSYS1 {
+--
+2.39.5
+
--- /dev/null
+From 858e91d3a6c38a92781ad0ce14fc48d477c912f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 May 2025 15:23:39 +0200
+Subject: arm64: dts: mt6359: Add missing 'compatible' property to regulators
+ node
+
+From: Julien Massot <julien.massot@collabora.com>
+
+[ Upstream commit 1fe38d2a19950fa6dbc384ee8967c057aef9faf4 ]
+
+The 'compatible' property is required by the
+'mfd/mediatek,mt6397.yaml' binding. Add it to fix the following
+dtb-check error:
+mediatek/mt8395-radxa-nio-12l.dtb: pmic: regulators:
+'compatible' is a required property
+
+Fixes: 3b7d143be4b7 ("arm64: dts: mt6359: add PMIC MT6359 related nodes")
+Signed-off-by: Julien Massot <julien.massot@collabora.com>
+Link: https://lore.kernel.org/r/20250505-mt8395-dtb-errors-v1-3-9c4714dcdcdb@collabora.com
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/mt6359.dtsi | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt6359.dtsi b/arch/arm64/boot/dts/mediatek/mt6359.dtsi
+index df3e822232d34..ef6ab90b99f93 100644
+--- a/arch/arm64/boot/dts/mediatek/mt6359.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt6359.dtsi
+@@ -13,6 +13,8 @@
+ };
+
+ regulators {
++ compatible = "mediatek,mt6359-regulator";
++
+ mt6359_vs1_buck_reg: buck_vs1 {
+ regulator-name = "vs1";
+ regulator-min-microvolt = <800000>;
+--
+2.39.5
+
--- /dev/null
+From f65262c97838b206c9a5159e744a20574939467a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 May 2025 10:19:58 +0200
+Subject: arm64: dts: mt6359: Rename RTC node to match binding expectations
+
+From: Julien Massot <julien.massot@collabora.com>
+
+[ Upstream commit cfe035d8662cfbd6edff9bd89c4b516bbb34c350 ]
+
+Rename the node 'mt6359rtc' to 'rtc', as required by the binding.
+
+Fix the following dtb-check error:
+
+mediatek/mt8395-radxa-nio-12l.dtb: pmic: 'mt6359rtc' do not match
+any of the regexes: 'pinctrl-[0-9]+'
+
+Fixes: 3b7d143be4b7 ("arm64: dts: mt6359: add PMIC MT6359 related nodes")
+Signed-off-by: Julien Massot <julien.massot@collabora.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/20250514-mt8395-dtb-errors-v2-3-d67b9077c59a@collabora.com
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/mt6359.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt6359.dtsi b/arch/arm64/boot/dts/mediatek/mt6359.dtsi
+index ef6ab90b99f93..29e784bebb69e 100644
+--- a/arch/arm64/boot/dts/mediatek/mt6359.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt6359.dtsi
+@@ -293,7 +293,7 @@
+ };
+ };
+
+- mt6359rtc: mt6359rtc {
++ mt6359rtc: rtc {
+ compatible = "mediatek,mt6358-rtc";
+ };
+ };
+--
+2.39.5
+
--- /dev/null
+From edf85b902e598a5e1f2f33deb4ba4697c7762071 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 May 2025 14:51:20 +0300
+Subject: arm64: dts: qcom: sda660-ifc6560: Fix dt-validate warning
+
+From: Alexey Minnekhanov <alexeymin@postmarketos.org>
+
+[ Upstream commit f5110806b41eaa0eb0ab1bf2787876a580c6246c ]
+
+If you remove clocks property, you should remove clock-names, too.
+Fixes warning with dtbs check:
+
+ 'clocks' is a dependency of 'clock-names'
+
+Fixes: 34279d6e3f32c ("arm64: dts: qcom: sdm660: Add initial Inforce IFC6560 board support")
+Signed-off-by: Alexey Minnekhanov <alexeymin@postmarketos.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250504115120.1432282-4-alexeymin@postmarketos.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sda660-inforce-ifc6560.dts | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/qcom/sda660-inforce-ifc6560.dts b/arch/arm64/boot/dts/qcom/sda660-inforce-ifc6560.dts
+index 28050bc5f0813..502a3481ba284 100644
+--- a/arch/arm64/boot/dts/qcom/sda660-inforce-ifc6560.dts
++++ b/arch/arm64/boot/dts/qcom/sda660-inforce-ifc6560.dts
+@@ -155,6 +155,7 @@
+ * BAM DMA interconnects support is in place.
+ */
+ /delete-property/ clocks;
++ /delete-property/ clock-names;
+ };
+
+ &blsp1_uart2 {
+@@ -167,6 +168,7 @@
+ * BAM DMA interconnects support is in place.
+ */
+ /delete-property/ clocks;
++ /delete-property/ clock-names;
+ };
+
+ &blsp2_uart1 {
+--
+2.39.5
+
--- /dev/null
+From c0eee5307e41d8aeed65e027f60ace25dce56be8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 May 2025 14:51:19 +0300
+Subject: arm64: dts: qcom: sdm660-lavender: Add missing USB phy supply
+
+From: Alexey Minnekhanov <alexeymin@postmarketos.org>
+
+[ Upstream commit dbf62a117a1b7f605a98dd1fd1fd6c85ec324ea0 ]
+
+Fixes the following dtbs check error:
+
+ phy@c012000: 'vdda-pll-supply' is a required property
+
+Fixes: e5d3e752b050e ("arm64: dts: qcom: sdm660-xiaomi-lavender: Add USB")
+Signed-off-by: Alexey Minnekhanov <alexeymin@postmarketos.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250504115120.1432282-3-alexeymin@postmarketos.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts b/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts
+index 9612671dc5afa..6166099aa0c32 100644
+--- a/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts
++++ b/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts
+@@ -107,6 +107,7 @@
+ status = "okay";
+
+ vdd-supply = <&vreg_l1b_0p925>;
++ vdda-pll-supply = <&vreg_l10a_1p8>;
+ vdda-phy-dpdm-supply = <&vreg_l7b_3p125>;
+ };
+
+--
+2.39.5
+
--- /dev/null
+From b3c792de117865f8ff16247e10c1fe4a73330ffa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Apr 2025 16:01:01 +0300
+Subject: arm64: dts: qcom: sdm660-xiaomi-lavender: Add missing SD card detect
+ GPIO
+
+From: Alexey Minnekhanov <alexeymin@postmarketos.org>
+
+[ Upstream commit 2eca6af66709de0d1ba14cdf8b6d200a1337a3a2 ]
+
+During initial porting these cd-gpios were missed. Having card detect is
+beneficial because driver does not need to do polling every second and it
+can just use IRQ. SD card detection in U-Boot is also fixed by this.
+
+Fixes: cf85e9aee210 ("arm64: dts: qcom: sdm660-xiaomi-lavender: Add eMMC and SD")
+Signed-off-by: Alexey Minnekhanov <alexeymin@postmarketos.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250415130101.1429281-1-alexeymin@postmarketos.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts b/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts
+index a3559f6e34a5e..9612671dc5afa 100644
+--- a/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts
++++ b/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts
+@@ -402,6 +402,8 @@
+ &sdhc_2 {
+ status = "okay";
+
++ cd-gpios = <&tlmm 54 GPIO_ACTIVE_HIGH>;
++
+ vmmc-supply = <&vreg_l5b_2p95>;
+ vqmmc-supply = <&vreg_l2b_2p95>;
+ };
+--
+2.39.5
+
--- /dev/null
+From 2167c31246d0eb1327c60ca1b5d9bdb54f7dddb4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 8 Mar 2025 18:27:51 +0800
+Subject: arm64: dts: qcom: sm8250: Fix CPU7 opp table
+
+From: Xilin Wu <wuxilin123@gmail.com>
+
+[ Upstream commit 28f997b89967afdc0855d8aa7538b251fb44f654 ]
+
+There is a typo in cpu7_opp9. Fix it to get rid of the following
+errors.
+
+[ 0.198043] cpu cpu7: Voltage update failed freq=1747200
+[ 0.198052] cpu cpu7: failed to update OPP for freq=1747200
+
+Fixes: 8e0e8016cb79 ("arm64: dts: qcom: sm8250: Add CPU opp tables")
+Signed-off-by: Xilin Wu <wuxilin123@gmail.com>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250308-fix-sm8250-cpufreq-v1-1-8a0226721399@gmail.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sm8250.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sm8250.dtsi b/arch/arm64/boot/dts/qcom/sm8250.dtsi
+index eb500cb67c86c..72ab4ca129459 100644
+--- a/arch/arm64/boot/dts/qcom/sm8250.dtsi
++++ b/arch/arm64/boot/dts/qcom/sm8250.dtsi
+@@ -569,7 +569,7 @@
+ };
+
+ cpu7_opp9: opp-1747200000 {
+- opp-hz = /bits/ 64 <1708800000>;
++ opp-hz = /bits/ 64 <1747200000>;
+ opp-peak-kBps = <5412000 42393600>;
+ };
+
+--
+2.39.5
+
--- /dev/null
+From e0e8c0c86b0b58007a8deb33deedeb8cf36048c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Apr 2025 17:18:10 +0200
+Subject: arm64: dts: rockchip: disable unrouted USB controllers and PHY on
+ RK3399 Puma with Haikou
+
+From: Quentin Schulz <quentin.schulz@cherry.de>
+
+[ Upstream commit febd8c6ab52c683b447fe22fc740918c86feae43 ]
+
+The u2phy0_host port is the part of the USB PHY0 (namely the
+HOST0_DP/DM lanes) which routes directly to the USB2.0 HOST
+controller[1]. The other lanes of the PHY are routed to the USB3.0 OTG
+controller (dwc3), which we do use.
+
+The HOST0_DP/DM lanes aren't routed on RK3399 Puma so let's simply
+disable the USB2.0 controllers.
+
+USB3 OTG has been known to be unstable on RK3399 Puma Haikou for a
+while, one of the recurring issues being that only USB2 is detected and
+not USB3 in host mode. Reading the justification above and seeing that
+we are keeping u2phy0_host in the Haikou carrierboard DTS probably may
+have bothered you since it should be changed to u2phy0_otg. The issue is
+that if it's switched to that, USB OTG on Haikou is entirely broken. I
+have checked the routing in the Gerber file, the lanes are going to the
+expected ball pins (that is, NOT HOST0_DP/DM).
+u2phy0_host is for sure the wrong part of the PHY to use, but it's the
+only one that works at the moment for that board so keep it until we
+figure out what exactly is broken.
+
+No intended functional change.
+
+[1] https://rockchip.fr/Rockchip%20RK3399%20TRM%20V1.3%20Part2.pdf
+ Chapter 2 USB2.0 PHY
+
+Fixes: 2c66fc34e945 ("arm64: dts: rockchip: add RK3399-Q7 (Puma) SoM")
+Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
+Signed-off-by: Lukasz Czechowski <lukasz.czechowski@thaumatec.com>
+Link: https://lore.kernel.org/r/20250425-onboard_usb_dev-v2-5-4a76a474a010@thaumatec.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts | 8 --------
+ 1 file changed, 8 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts b/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts
+index 115c14c0a3c68..396a6636073b5 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts
++++ b/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts
+@@ -251,14 +251,6 @@
+ status = "okay";
+ };
+
+-&usb_host0_ehci {
+- status = "okay";
+-};
+-
+-&usb_host0_ohci {
+- status = "okay";
+-};
+-
+ &vopb {
+ status = "okay";
+ };
+--
+2.39.5
+
--- /dev/null
+From 59022304224e2b36e526c0c6f290fe127fd75c58 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Apr 2025 17:40:02 +0100
+Subject: arm64/fpsimd: Discard stale CPU state when handling SME traps
+
+From: Mark Brown <broonie@kernel.org>
+
+[ Upstream commit d3eaab3c70905c5467e5c4ea403053d67505adeb ]
+
+The logic for handling SME traps manipulates saved FPSIMD/SVE/SME state
+incorrectly, and a race with preemption can result in a task having
+TIF_SME set and TIF_FOREIGN_FPSTATE clear even though the live CPU state
+is stale (e.g. with SME traps enabled). This can result in warnings from
+do_sme_acc() where SME traps are not expected while TIF_SME is set:
+
+| /* With TIF_SME userspace shouldn't generate any traps */
+| if (test_and_set_thread_flag(TIF_SME))
+| WARN_ON(1);
+
+This is very similar to the SVE issue we fixed in commit:
+
+ 751ecf6afd6568ad ("arm64/sve: Discard stale CPU state when handling SVE traps")
+
+The race can occur when the SME trap handler is preempted before and
+after manipulating the saved FPSIMD/SVE/SME state, starting and ending on
+the same CPU, e.g.
+
+| void do_sme_acc(unsigned long esr, struct pt_regs *regs)
+| {
+| // Trap on CPU 0 with TIF_SME clear, SME traps enabled
+| // task->fpsimd_cpu is 0.
+| // per_cpu_ptr(&fpsimd_last_state, 0) is task.
+|
+| ...
+|
+| // Preempted; migrated from CPU 0 to CPU 1.
+| // TIF_FOREIGN_FPSTATE is set.
+|
+| get_cpu_fpsimd_context();
+|
+| /* With TIF_SME userspace shouldn't generate any traps */
+| if (test_and_set_thread_flag(TIF_SME))
+| WARN_ON(1);
+|
+| if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) {
+| unsigned long vq_minus_one =
+| sve_vq_from_vl(task_get_sme_vl(current)) - 1;
+| sme_set_vq(vq_minus_one);
+|
+| fpsimd_bind_task_to_cpu();
+| }
+|
+| put_cpu_fpsimd_context();
+|
+| // Preempted; migrated from CPU 1 to CPU 0.
+| // task->fpsimd_cpu is still 0
+| // If per_cpu_ptr(&fpsimd_last_state, 0) is still task then:
+| // - Stale HW state is reused (with SME traps enabled)
+| // - TIF_FOREIGN_FPSTATE is cleared
+| // - A return to userspace skips HW state restore
+| }
+
+Fix the case where the state is not live and TIF_FOREIGN_FPSTATE is set
+by calling fpsimd_flush_task_state() to detach from the saved CPU
+state. This ensures that a subsequent context switch will not reuse the
+stale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the
+new state to be reloaded from memory prior to a return to userspace.
+
+Note: this was originallly posted as [1].
+
+Fixes: 8bd7f91c03d8 ("arm64/sme: Implement traps and syscall handling for SME")
+Reported-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/linux-arm-kernel/20241204-arm64-sme-reenable-v2-1-bae87728251d@kernel.org/
+[ Rutland: rewrite commit message ]
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Cc: Marc Zyngier <maz@kernel.org>
+Cc: Will Deacon <will@kernel.org>
+Link: https://lore.kernel.org/r/20250409164010.3480271-6-mark.rutland@arm.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/fpsimd.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm64/kernel/fpsimd.c b/arch/arm64/kernel/fpsimd.c
+index b3e101a7d04f8..235131db8b8db 100644
+--- a/arch/arm64/kernel/fpsimd.c
++++ b/arch/arm64/kernel/fpsimd.c
+@@ -1504,6 +1504,8 @@ void do_sme_acc(unsigned long esr, struct pt_regs *regs)
+ sme_set_vq(vq_minus_one);
+
+ fpsimd_bind_task_to_cpu();
++ } else {
++ fpsimd_flush_task_state(current);
+ }
+
+ put_cpu_fpsimd_context();
+--
+2.39.5
+
--- /dev/null
+From d5e56fff82e61f16458e43b8ada8ccef1edc5696 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Apr 2025 17:40:06 +0100
+Subject: arm64/fpsimd: Fix merging of FPSIMD state during signal return
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+[ Upstream commit c94f2f326146a34066a0070ed90b8bc656b1842f ]
+
+For backwards compatibility reasons, when a signal return occurs which
+restores SVE state, the effective lower 128 bits of each of the SVE
+vector registers are restored from the corresponding FPSIMD vector
+register in the FPSIMD signal frame, overriding the values in the SVE
+signal frame. This is intended to be the case regardless of streaming
+mode.
+
+To make this happen, restore_sve_fpsimd_context() uses
+fpsimd_update_current_state() to merge the lower 128 bits from the
+FPSIMD signal frame into the SVE register state. Unfortunately,
+fpsimd_update_current_state() performs this merging dependent upon
+TIF_SVE, which is not always correct for streaming SVE register state:
+
+* When restoring non-streaming SVE register state there is no observable
+ problem, as the signal return code configures TIF_SVE and the saved
+ fp_type to match before calling fpsimd_update_current_state(), which
+ observes either:
+
+ - TIF_SVE set AND fp_type == FP_STATE_SVE
+ - TIF_SVE clear AND fp_type == FP_STATE_FPSIMD
+
+* On systems which have SME but not SVE, TIF_SVE cannot be set. Thus the
+ merging will never happen for the streaming SVE register state.
+
+* On systems which have SVE and SME, TIF_SVE can be set and cleared
+ independently of PSTATE.SM. Thus the merging may or may not happen for
+ streaming SVE register state.
+
+ As TIF_SVE can be cleared non-deterministically during syscalls
+ (including at the start of sigreturn()), the merging may occur
+ non-deterministically from the perspective of userspace.
+
+This logic has been broken since its introduction in commit:
+
+ 85ed24dad2904f7c ("arm64/sme: Implement streaming SVE signal handling")
+
+... at which point both fpsimd_signal_preserve_current_state() and
+fpsimd_update_current_state() only checked TIF SVE. When PSTATE.SM==1
+and TIF_SVE was clear, signal delivery would place stale FPSIMD state
+into the FPSIMD signal frame, and signal return would not merge this
+into the restored register state.
+
+Subsequently, signal delivery was fixed as part of commit:
+
+ 61da7c8e2a602f66 ("arm64/signal: Don't assume that TIF_SVE means we saved SVE state")
+
+... but signal restore was not given a corresponding fix, and when
+TIF_SVE was clear, signal restore would still fail to merge the FPSIMD
+state into the restored SVE register state. The 'Fixes' tag did not
+indicate that this had been broken since its introduction.
+
+Fix this by merging the FPSIMD state dependent upon the saved fp_type,
+matching what we (currently) do during signal delivery.
+
+As described above, when backporting this commit, it will also be
+necessary to backport commit:
+
+ 61da7c8e2a602f66 ("arm64/signal: Don't assume that TIF_SVE means we saved SVE state")
+
+... and prior to commit:
+
+ baa8515281b30861 ("arm64/fpsimd: Track the saved FPSIMD state type separately to TIF_SVE")
+
+... it will be necessary for fpsimd_signal_preserve_current_state() and
+fpsimd_update_current_state() to consider both TIF_SVE and
+thread_sm_enabled(¤t->thread), in place of the saved fp_type.
+
+Fixes: 85ed24dad290 ("arm64/sme: Implement streaming SVE signal handling")
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Cc: Marc Zyngier <maz@kernel.org>
+Cc: Mark Brown <broonie@kernel.org>
+Cc: Will Deacon <will@kernel.org>
+Reviewed-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20250409164010.3480271-10-mark.rutland@arm.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/fpsimd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/kernel/fpsimd.c b/arch/arm64/kernel/fpsimd.c
+index 235131db8b8db..837d1937300a5 100644
+--- a/arch/arm64/kernel/fpsimd.c
++++ b/arch/arm64/kernel/fpsimd.c
+@@ -1783,7 +1783,7 @@ void fpsimd_update_current_state(struct user_fpsimd_state const *state)
+ get_cpu_fpsimd_context();
+
+ current->thread.uw.fpsimd_state = *state;
+- if (test_thread_flag(TIF_SVE))
++ if (current->thread.fp_type == FP_STATE_SVE)
+ fpsimd_to_sve(current);
+
+ task_fpsimd_load();
+--
+2.39.5
+
--- /dev/null
+From 6452689bd17146154ad6ad3d0ecae343fc7aaabc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Apr 2025 11:47:54 +0000
+Subject: arm64: Support ARM64_VA_BITS=52 when setting ARCH_MMAP_RND_BITS_MAX
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kornel Dulęba <korneld@google.com>
+
+[ Upstream commit f101c56447717c595d803894ba0e215f56c6fba4 ]
+
+When the 52-bit virtual addressing was introduced the select like
+ARCH_MMAP_RND_BITS_MAX logic was never updated to account for it.
+Because of that the rnd max bits knob is set to the default value of 18
+when ARM64_VA_BITS=52.
+Fix this by setting ARCH_MMAP_RND_BITS_MAX to the same value that would
+be used if 48-bit addressing was used. Higher values can't used here
+because 52-bit addressing is used only if the caller provides a hint to
+mmap, with a fallback to 48-bit. The knob in question is an upper bound
+for what the user can set in /proc/sys/vm/mmap_rnd_bits, which in turn
+is used to determine how many random bits can be inserted into the base
+address used for mmap allocations. Since 48-bit allocations are legal
+with ARM64_VA_BITS=52, we need to make sure that the base address is
+small enough to facilitate this.
+
+Fixes: b6d00d47e81a ("arm64: mm: Introduce 52-bit Kernel VAs")
+Signed-off-by: Kornel Dulęba <korneld@google.com>
+Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
+Link: https://lore.kernel.org/r/20250417114754.3238273-1-korneld@google.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/Kconfig | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
+index 57b437ed09747..6bb23a041e328 100644
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -280,9 +280,9 @@ config ARCH_MMAP_RND_BITS_MAX
+ default 24 if ARM64_VA_BITS=39
+ default 27 if ARM64_VA_BITS=42
+ default 30 if ARM64_VA_BITS=47
+- default 29 if ARM64_VA_BITS=48 && ARM64_64K_PAGES
+- default 31 if ARM64_VA_BITS=48 && ARM64_16K_PAGES
+- default 33 if ARM64_VA_BITS=48
++ default 29 if (ARM64_VA_BITS=48 || ARM64_VA_BITS=52) && ARM64_64K_PAGES
++ default 31 if (ARM64_VA_BITS=48 || ARM64_VA_BITS=52) && ARM64_16K_PAGES
++ default 33 if (ARM64_VA_BITS=48 || ARM64_VA_BITS=52)
+ default 14 if ARM64_64K_PAGES
+ default 16 if ARM64_16K_PAGES
+ default 18
+--
+2.39.5
+
--- /dev/null
+From be7c0e274f241319128c94c3f8c4d2284cf8e685 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 May 2025 20:50:46 +1000
+Subject: ASoC: apple: mca: Constrain channels according to TDM mask
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Martin Povišer <povik+lin@cutebit.org>
+
+[ Upstream commit e717c661e2d1a660e96c40b0fe9933e23a1d7747 ]
+
+We don't (and can't) configure the hardware correctly if the number of
+channels exceeds the weight of the TDM mask. Report that constraint in
+startup of FE.
+
+Fixes: 3df5d0d97289 ("ASoC: apple: mca: Start new platform driver")
+Signed-off-by: Martin Povišer <povik+lin@cutebit.org>
+Signed-off-by: James Calligeros <jcalligeros99@gmail.com>
+Link: https://patch.msgid.link/20250518-mca-fixes-v1-1-ee1015a695f6@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/apple/mca.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+diff --git a/sound/soc/apple/mca.c b/sound/soc/apple/mca.c
+index 64750db9b9639..409b3a716ccbc 100644
+--- a/sound/soc/apple/mca.c
++++ b/sound/soc/apple/mca.c
+@@ -464,6 +464,28 @@ static int mca_configure_serdes(struct mca_cluster *cl, int serdes_unit,
+ return -EINVAL;
+ }
+
++static int mca_fe_startup(struct snd_pcm_substream *substream,
++ struct snd_soc_dai *dai)
++{
++ struct mca_cluster *cl = mca_dai_to_cluster(dai);
++ unsigned int mask, nchannels;
++
++ if (cl->tdm_slots) {
++ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
++ mask = cl->tdm_tx_mask;
++ else
++ mask = cl->tdm_rx_mask;
++
++ nchannels = hweight32(mask);
++ } else {
++ nchannels = 2;
++ }
++
++ return snd_pcm_hw_constraint_minmax(substream->runtime,
++ SNDRV_PCM_HW_PARAM_CHANNELS,
++ 1, nchannels);
++}
++
+ static int mca_fe_set_tdm_slot(struct snd_soc_dai *dai, unsigned int tx_mask,
+ unsigned int rx_mask, int slots, int slot_width)
+ {
+@@ -680,6 +702,7 @@ static int mca_fe_hw_params(struct snd_pcm_substream *substream,
+ }
+
+ static const struct snd_soc_dai_ops mca_fe_ops = {
++ .startup = mca_fe_startup,
+ .set_fmt = mca_fe_set_fmt,
+ .set_bclk_ratio = mca_set_bclk_ratio,
+ .set_tdm_slot = mca_fe_set_tdm_slot,
+--
+2.39.5
+
--- /dev/null
+From a657c7550be559ae49970fbf863ce059f091c1ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 May 2025 16:10:17 +0200
+Subject: ASoC: codecs: hda: Fix RPM usage count underflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Cezary Rojewski <cezary.rojewski@intel.com>
+
+[ Upstream commit ff0045de4ee0288dec683690f66f2f369b7d3466 ]
+
+RPM manipulation in hda_codec_probe_complete()'s error path is
+superfluous and leads to RPM usage count underflow if the
+build-controls operation fails.
+
+hda_codec_probe_complete() is called in:
+
+1) hda_codec_probe() for all non-HDMI codecs
+2) in card->late_probe() for HDMI codecs
+
+Error path for hda_codec_probe() takes care of bus' RPM already.
+For 2) if late_probe() fails, ASoC performs card cleanup what
+triggers hda_codec_remote() - same treatment is in 1).
+
+Fixes: b5df2a7dca1c ("ASoC: codecs: Add HD-Audio codec driver")
+Reviewed-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
+Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Link: https://patch.msgid.link/20250530141025.2942936-2-cezary.rojewski@intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/hda.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/hda.c b/sound/soc/codecs/hda.c
+index 61e8e9be6b8d7..bd81572a6775b 100644
+--- a/sound/soc/codecs/hda.c
++++ b/sound/soc/codecs/hda.c
+@@ -149,7 +149,7 @@ int hda_codec_probe_complete(struct hda_codec *codec)
+ ret = snd_hda_codec_build_controls(codec);
+ if (ret < 0) {
+ dev_err(&hdev->dev, "unable to create controls %d\n", ret);
+- goto out;
++ return ret;
+ }
+
+ /* Bus suspended codecs as it does not manage their pm */
+@@ -157,7 +157,7 @@ int hda_codec_probe_complete(struct hda_codec *codec)
+ /* rpm was forbidden in snd_hda_codec_device_new() */
+ snd_hda_codec_set_power_save(codec, 2000);
+ snd_hda_codec_register(codec);
+-out:
++
+ /* Complement pm_runtime_get_sync(bus) in probe */
+ pm_runtime_mark_last_busy(bus->dev);
+ pm_runtime_put_autosuspend(bus->dev);
+--
+2.39.5
+
--- /dev/null
+From 27c822220bdaebd19874afd1c689733a19fc7d0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 May 2025 16:10:18 +0200
+Subject: ASoC: Intel: avs: Fix deadlock when the failing IPC is SET_D0IX
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Cezary Rojewski <cezary.rojewski@intel.com>
+
+[ Upstream commit 9ad1f3cd0d60444c69948854c7e50d2a61b63755 ]
+
+The procedure handling IPC timeouts and EXCEPTION_CAUGHT notification
+shall cancel any D0IX work before proceeding with DSP recovery. If
+SET_D0IX called from delayed_work is the failing IPC the procedure will
+deadlock. Conditionally skip cancelling the work to fix that.
+
+Fixes: 335c4cbd201d ("ASoC: Intel: avs: D0ix power state support")
+Reviewed-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
+Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Link: https://patch.msgid.link/20250530141025.2942936-3-cezary.rojewski@intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/avs/ipc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/intel/avs/ipc.c b/sound/soc/intel/avs/ipc.c
+index 306f0dc4eaf58..2e76aba7338e8 100644
+--- a/sound/soc/intel/avs/ipc.c
++++ b/sound/soc/intel/avs/ipc.c
+@@ -169,7 +169,9 @@ static void avs_dsp_exception_caught(struct avs_dev *adev, union avs_notify_msg
+
+ dev_crit(adev->dev, "communication severed, rebooting dsp..\n");
+
+- cancel_delayed_work_sync(&ipc->d0ix_work);
++ /* Avoid deadlock as the exception may be the response to SET_D0IX. */
++ if (current_work() != &ipc->d0ix_work.work)
++ cancel_delayed_work_sync(&ipc->d0ix_work);
+ ipc->in_d0ix = false;
+ /* Re-enabled on recovery completion. */
+ pm_runtime_disable(adev->dev);
+--
+2.39.5
+
--- /dev/null
+From 1d036d490b5407d26c95eab7976b761f863f5bc6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Apr 2025 09:15:08 +1000
+Subject: ASoC: tas2764: Enable main IRQs
+
+From: Hector Martin <marcan@marcan.st>
+
+[ Upstream commit dd50f0e38563f15819059c923bf142200453e003 ]
+
+IRQ handling was added in commit dae191fb957f ("ASoC: tas2764: Add IRQ
+handling") however that same commit masks all interrupts coming from
+the chip. Unmask the "main" interrupts so that we can see and
+deal with a number of errors including clock, voltage, and current.
+
+Fixes: dae191fb957f ("ASoC: tas2764: Add IRQ handling")
+Reviewed-by: Neal Gompa <neal@gompa.dev>
+Signed-off-by: Hector Martin <marcan@marcan.st>
+Signed-off-by: James Calligeros <jcalligeros99@gmail.com>
+Link: https://patch.msgid.link/20250406-apple-codec-changes-v5-4-50a00ec850a3@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/tas2764.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/tas2764.c b/sound/soc/codecs/tas2764.c
+index 10f0f07b90ff2..8baf92abcf000 100644
+--- a/sound/soc/codecs/tas2764.c
++++ b/sound/soc/codecs/tas2764.c
+@@ -542,7 +542,7 @@ static int tas2764_codec_probe(struct snd_soc_component *component)
+ tas2764_reset(tas2764);
+
+ if (tas2764->irq) {
+- ret = snd_soc_component_write(tas2764->component, TAS2764_INT_MASK0, 0xff);
++ ret = snd_soc_component_write(tas2764->component, TAS2764_INT_MASK0, 0x00);
+ if (ret < 0)
+ return ret;
+
+--
+2.39.5
+
--- /dev/null
+From 12fbe0a94583e53999d7dce554c7647ab68b3bd0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Apr 2025 17:16:47 +0800
+Subject: backlight: pm8941: Add NULL check in wled_configure()
+
+From: Henry Martin <bsdhenrymartin@gmail.com>
+
+[ Upstream commit e12d3e1624a02706cdd3628bbf5668827214fa33 ]
+
+devm_kasprintf() returns NULL when memory allocation fails. Currently,
+wled_configure() does not check for this case, which results in a NULL
+pointer dereference.
+
+Add NULL check after devm_kasprintf() to prevent this issue.
+
+Fixes: f86b77583d88 ("backlight: pm8941: Convert to using %pOFn instead of device_node.name")
+Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Reviewed-by: "Daniel Thompson (RISCstar)" <danielt@kernel.org>
+Link: https://lore.kernel.org/r/20250401091647.22784-1-bsdhenrymartin@gmail.com
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/backlight/qcom-wled.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/video/backlight/qcom-wled.c b/drivers/video/backlight/qcom-wled.c
+index 527210e857959..434c6c499fdef 100644
+--- a/drivers/video/backlight/qcom-wled.c
++++ b/drivers/video/backlight/qcom-wled.c
+@@ -1406,9 +1406,11 @@ static int wled_configure(struct wled *wled)
+ wled->ctrl_addr = be32_to_cpu(*prop_addr);
+
+ rc = of_property_read_string(dev->of_node, "label", &wled->name);
+- if (rc)
++ if (rc) {
+ wled->name = devm_kasprintf(dev, GFP_KERNEL, "%pOFn", dev->of_node);
+-
++ if (!wled->name)
++ return -ENOMEM;
++ }
+ switch (wled->version) {
+ case 3:
+ u32_opts = wled3_opts;
+--
+2.39.5
+
--- /dev/null
+From 3c59dcacd331fa916fd3e360b2f70ba9297806fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 May 2025 14:53:11 -0400
+Subject: Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 03dba9cea72f977e873e4e60e220fa596959dd8f ]
+
+Depending on the security set the response to L2CAP_LE_CONN_REQ shall be
+just L2CAP_CR_LE_ENCRYPTION if only encryption when BT_SECURITY_MEDIUM
+is selected since that means security mode 2 which doesn't require
+authentication which is something that is covered in the qualification
+test L2CAP/LE/CFC/BV-25-C.
+
+Link: https://github.com/bluez/bluez/issues/1270
+Fixes: 27e2d4c8d28b ("Bluetooth: Add basic LE L2CAP connect request receiving support")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index cb9b1edfcea2a..550c3da6f3910 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -5883,7 +5883,8 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
+
+ if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
+ SMP_ALLOW_STK)) {
+- result = L2CAP_CR_LE_AUTHENTICATION;
++ result = pchan->sec_level == BT_SECURITY_MEDIUM ?
++ L2CAP_CR_LE_ENCRYPTION : L2CAP_CR_LE_AUTHENTICATION;
+ chan = NULL;
+ goto response_unlock;
+ }
+--
+2.39.5
+
--- /dev/null
+From d6bd6b1809da36f705a67abb5061807d11fe8d0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 May 2025 11:42:30 +0300
+Subject: Bluetooth: MGMT: iterate over mesh commands in mgmt_mesh_foreach()
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit 3bb88524b7d030160bb3c9b35f928b2778092111 ]
+
+In 'mgmt_mesh_foreach()', iterate over mesh commands
+rather than generic mgmt ones. Compile tested only.
+
+Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh")
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/mgmt_util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/mgmt_util.c b/net/bluetooth/mgmt_util.c
+index 0115f783bde80..17e32605d9b00 100644
+--- a/net/bluetooth/mgmt_util.c
++++ b/net/bluetooth/mgmt_util.c
+@@ -321,7 +321,7 @@ void mgmt_mesh_foreach(struct hci_dev *hdev,
+ {
+ struct mgmt_mesh_tx *mesh_tx, *tmp;
+
+- list_for_each_entry_safe(mesh_tx, tmp, &hdev->mgmt_pending, list) {
++ list_for_each_entry_safe(mesh_tx, tmp, &hdev->mesh_pending, list) {
+ if (!sk || mesh_tx->sk == sk)
+ cb(mesh_tx, data);
+ }
+--
+2.39.5
+
--- /dev/null
+From b7f7cab7e9aa03a34b171eabb4efc2aeeec126af Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 May 2025 21:33:58 +0800
+Subject: bpf: Avoid __bpf_prog_ret0_warn when jit fails
+
+From: KaFai Wan <mannkafai@gmail.com>
+
+[ Upstream commit 86bc9c742426a16b52a10ef61f5b721aecca2344 ]
+
+syzkaller reported an issue:
+
+WARNING: CPU: 3 PID: 217 at kernel/bpf/core.c:2357 __bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357
+Modules linked in:
+CPU: 3 UID: 0 PID: 217 Comm: kworker/u32:6 Not tainted 6.15.0-rc4-syzkaller-00040-g8bac8898fe39
+RIP: 0010:__bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357
+Call Trace:
+ <TASK>
+ bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline]
+ __bpf_prog_run include/linux/filter.h:718 [inline]
+ bpf_prog_run include/linux/filter.h:725 [inline]
+ cls_bpf_classify+0x74a/0x1110 net/sched/cls_bpf.c:105
+ ...
+
+When creating bpf program, 'fp->jit_requested' depends on bpf_jit_enable.
+This issue is triggered because of CONFIG_BPF_JIT_ALWAYS_ON is not set
+and bpf_jit_enable is set to 1, causing the arch to attempt JIT the prog,
+but jit failed due to FAULT_INJECTION. As a result, incorrectly
+treats the program as valid, when the program runs it calls
+`__bpf_prog_ret0_warn` and triggers the WARN_ON_ONCE(1).
+
+Reported-by: syzbot+0903f6d7f285e41cdf10@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/bpf/6816e34e.a70a0220.254cdc.002c.GAE@google.com
+Fixes: fa9dd599b4da ("bpf: get rid of pure_initcall dependency to enable jits")
+Signed-off-by: KaFai Wan <mannkafai@gmail.com>
+Link: https://lore.kernel.org/r/20250526133358.2594176-1-mannkafai@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
+index c281f5b8705e1..2ed1d00bede0b 100644
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -2209,7 +2209,7 @@ struct bpf_prog *bpf_prog_select_runtime(struct bpf_prog *fp, int *err)
+ /* In case of BPF to BPF calls, verifier did all the prep
+ * work with regards to JITing, etc.
+ */
+- bool jit_needed = false;
++ bool jit_needed = fp->jit_requested;
+
+ if (fp->bpf_func)
+ goto finalize;
+--
+2.39.5
+
--- /dev/null
+From 9d07e9a4cf14fe7d95270f818f0a60e77ac776df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Feb 2025 13:20:14 +0800
+Subject: bpf: fix ktls panic with sockmap
+
+From: Jiayuan Chen <jiayuan.chen@linux.dev>
+
+[ Upstream commit 54a3ecaeeeae8176da8badbd7d72af1017032c39 ]
+
+[ 2172.936997] ------------[ cut here ]------------
+[ 2172.936999] kernel BUG at lib/iov_iter.c:629!
+......
+[ 2172.944996] PKRU: 55555554
+[ 2172.945155] Call Trace:
+[ 2172.945299] <TASK>
+[ 2172.945428] ? die+0x36/0x90
+[ 2172.945601] ? do_trap+0xdd/0x100
+[ 2172.945795] ? iov_iter_revert+0x178/0x180
+[ 2172.946031] ? iov_iter_revert+0x178/0x180
+[ 2172.946267] ? do_error_trap+0x7d/0x110
+[ 2172.946499] ? iov_iter_revert+0x178/0x180
+[ 2172.946736] ? exc_invalid_op+0x50/0x70
+[ 2172.946961] ? iov_iter_revert+0x178/0x180
+[ 2172.947197] ? asm_exc_invalid_op+0x1a/0x20
+[ 2172.947446] ? iov_iter_revert+0x178/0x180
+[ 2172.947683] ? iov_iter_revert+0x5c/0x180
+[ 2172.947913] tls_sw_sendmsg_locked.isra.0+0x794/0x840
+[ 2172.948206] tls_sw_sendmsg+0x52/0x80
+[ 2172.948420] ? inet_sendmsg+0x1f/0x70
+[ 2172.948634] __sys_sendto+0x1cd/0x200
+[ 2172.948848] ? find_held_lock+0x2b/0x80
+[ 2172.949072] ? syscall_trace_enter+0x140/0x270
+[ 2172.949330] ? __lock_release.isra.0+0x5e/0x170
+[ 2172.949595] ? find_held_lock+0x2b/0x80
+[ 2172.949817] ? syscall_trace_enter+0x140/0x270
+[ 2172.950211] ? lockdep_hardirqs_on_prepare+0xda/0x190
+[ 2172.950632] ? ktime_get_coarse_real_ts64+0xc2/0xd0
+[ 2172.951036] __x64_sys_sendto+0x24/0x30
+[ 2172.951382] do_syscall_64+0x90/0x170
+......
+
+After calling bpf_exec_tx_verdict(), the size of msg_pl->sg may increase,
+e.g., when the BPF program executes bpf_msg_push_data().
+
+If the BPF program sets cork_bytes and sg.size is smaller than cork_bytes,
+it will return -ENOSPC and attempt to roll back to the non-zero copy
+logic. However, during rollback, msg->msg_iter is reset, but since
+msg_pl->sg.size has been increased, subsequent executions will exceed the
+actual size of msg_iter.
+'''
+iov_iter_revert(&msg->msg_iter, msg_pl->sg.size - orig_size);
+'''
+
+The changes in this commit are based on the following considerations:
+
+1. When cork_bytes is set, rolling back to non-zero copy logic is
+pointless and can directly go to zero-copy logic.
+
+2. We can not calculate the correct number of bytes to revert msg_iter.
+
+Assume the original data is "abcdefgh" (8 bytes), and after 3 pushes
+by the BPF program, it becomes 11-byte data: "abc?de?fgh?".
+Then, we set cork_bytes to 6, which means the first 6 bytes have been
+processed, and the remaining 5 bytes "?fgh?" will be cached until the
+length meets the cork_bytes requirement.
+
+However, some data in "?fgh?" is not within 'sg->msg_iter'
+(but in msg_pl instead), especially the data "?" we pushed.
+
+So it doesn't seem as simple as just reverting through an offset of
+msg_iter.
+
+3. For non-TLS sockets in tcp_bpf_sendmsg, when a "cork" situation occurs,
+the user-space send() doesn't return an error, and the returned length is
+the same as the input length parameter, even if some data is cached.
+
+Additionally, I saw that the current non-zero-copy logic for handling
+corking is written as:
+'''
+line 1177
+else if (ret != -EAGAIN) {
+ if (ret == -ENOSPC)
+ ret = 0;
+ goto send_end;
+'''
+
+So it's ok to just return 'copied' without error when a "cork" situation
+occurs.
+
+Fixes: fcb14cb1bdac ("new iov_iter flavour - ITER_UBUF")
+Fixes: d3b18ad31f93 ("tls: add bpf support to sk_msg handling")
+Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Link: https://lore.kernel.org/r/20250219052015.274405-2-jiayuan.chen@linux.dev
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tls/tls_sw.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
+index 5310441240e70..af820ae9b1a52 100644
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -1075,9 +1075,13 @@ int tls_sw_sendmsg(struct sock *sk, struct msghdr *msg, size_t size)
+ num_async++;
+ else if (ret == -ENOMEM)
+ goto wait_for_memory;
+- else if (ctx->open_rec && ret == -ENOSPC)
++ else if (ctx->open_rec && ret == -ENOSPC) {
++ if (msg_pl->cork_bytes) {
++ ret = 0;
++ goto send_end;
++ }
+ goto rollback_iter;
+- else if (ret != -EAGAIN)
++ } else if (ret != -EAGAIN)
+ goto send_end;
+ }
+ continue;
+--
+2.39.5
+
--- /dev/null
+From 49ad319bae9bf6630ef97b8ada146119f28fece4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 May 2025 19:30:31 +0000
+Subject: bpf: Fix uninitialized values in BPF_{CORE,PROBE}_READ
+
+From: Anton Protopopov <a.s.protopopov@gmail.com>
+
+[ Upstream commit 41d4ce6df3f4945341ec509a840cc002a413b6cc ]
+
+With the latest LLVM bpf selftests build will fail with
+the following error message:
+
+ progs/profiler.inc.h:710:31: error: default initialization of an object of type 'typeof ((parent_task)->real_cred->uid.val)' (aka 'const unsigned int') leaves the object uninitialized and is incompatible with C++ [-Werror,-Wdefault-const-init-unsafe]
+ 710 | proc_exec_data->parent_uid = BPF_CORE_READ(parent_task, real_cred, uid.val);
+ | ^
+ tools/testing/selftests/bpf/tools/include/bpf/bpf_core_read.h:520:35: note: expanded from macro 'BPF_CORE_READ'
+ 520 | ___type((src), a, ##__VA_ARGS__) __r; \
+ | ^
+
+This happens because BPF_CORE_READ (and other macro) declare the
+variable __r using the ___type macro which can inherit const modifier
+from intermediate types.
+
+Fix this by using __typeof_unqual__, when supported. (And when it
+is not supported, the problem shouldn't appear, as older compilers
+haven't complained.)
+
+Fixes: 792001f4f7aa ("libbpf: Add user-space variants of BPF_CORE_READ() family of macros")
+Fixes: a4b09a9ef945 ("libbpf: Add non-CO-RE variants of BPF_CORE_READ() macro family")
+Signed-off-by: Anton Protopopov <a.s.protopopov@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20250502193031.3522715-1-a.s.protopopov@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/bpf_core_read.h | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/tools/lib/bpf/bpf_core_read.h b/tools/lib/bpf/bpf_core_read.h
+index 41740ae8aad73..18c2ab57a9bff 100644
+--- a/tools/lib/bpf/bpf_core_read.h
++++ b/tools/lib/bpf/bpf_core_read.h
+@@ -312,7 +312,13 @@ enum bpf_enum_value_kind {
+ #define ___arrow10(a, b, c, d, e, f, g, h, i, j) a->b->c->d->e->f->g->h->i->j
+ #define ___arrow(...) ___apply(___arrow, ___narg(__VA_ARGS__))(__VA_ARGS__)
+
++#if defined(__clang__) && (__clang_major__ >= 19)
++#define ___type(...) __typeof_unqual__(___arrow(__VA_ARGS__))
++#elif defined(__GNUC__) && (__GNUC__ >= 14)
++#define ___type(...) __typeof_unqual__(___arrow(__VA_ARGS__))
++#else
+ #define ___type(...) typeof(___arrow(__VA_ARGS__))
++#endif
+
+ #define ___read(read_fn, dst, src_type, src, accessor) \
+ read_fn((void *)(dst), sizeof(*(dst)), &((src_type)(src))->accessor)
+--
+2.39.5
+
--- /dev/null
+From 6ad9cfe2dc691bc726a950da36f3a083d2970ffa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 May 2025 12:27:47 +0800
+Subject: bpf: Fix WARN() in get_bpf_raw_tp_regs
+
+From: Tao Chen <chen.dylane@linux.dev>
+
+[ Upstream commit 3880cdbed1c4607e378f58fa924c5d6df900d1d3 ]
+
+syzkaller reported an issue:
+
+WARNING: CPU: 3 PID: 5971 at kernel/trace/bpf_trace.c:1861 get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861
+Modules linked in:
+CPU: 3 UID: 0 PID: 5971 Comm: syz-executor205 Not tainted 6.15.0-rc5-syzkaller-00038-g707df3375124 #0 PREEMPT(full)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+RIP: 0010:get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861
+RSP: 0018:ffffc90003636fa8 EFLAGS: 00010293
+RAX: 0000000000000000 RBX: 0000000000000003 RCX: ffffffff81c6bc4c
+RDX: ffff888032efc880 RSI: ffffffff81c6bc83 RDI: 0000000000000005
+RBP: ffff88806a730860 R08: 0000000000000005 R09: 0000000000000003
+R10: 0000000000000004 R11: 0000000000000000 R12: 0000000000000004
+R13: 0000000000000001 R14: ffffc90003637008 R15: 0000000000000900
+FS: 0000000000000000(0000) GS:ffff8880d6cdf000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f7baee09130 CR3: 0000000029f5a000 CR4: 0000000000352ef0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1934 [inline]
+ bpf_get_stack_raw_tp+0x24/0x160 kernel/trace/bpf_trace.c:1931
+ bpf_prog_ec3b2eefa702d8d3+0x43/0x47
+ bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline]
+ __bpf_prog_run include/linux/filter.h:718 [inline]
+ bpf_prog_run include/linux/filter.h:725 [inline]
+ __bpf_trace_run kernel/trace/bpf_trace.c:2363 [inline]
+ bpf_trace_run3+0x23f/0x5a0 kernel/trace/bpf_trace.c:2405
+ __bpf_trace_mmap_lock_acquire_returned+0xfc/0x140 include/trace/events/mmap_lock.h:47
+ __traceiter_mmap_lock_acquire_returned+0x79/0xc0 include/trace/events/mmap_lock.h:47
+ __do_trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline]
+ trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline]
+ __mmap_lock_do_trace_acquire_returned+0x138/0x1f0 mm/mmap_lock.c:35
+ __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline]
+ mmap_read_trylock include/linux/mmap_lock.h:204 [inline]
+ stack_map_get_build_id_offset+0x535/0x6f0 kernel/bpf/stackmap.c:157
+ __bpf_get_stack+0x307/0xa10 kernel/bpf/stackmap.c:483
+ ____bpf_get_stack kernel/bpf/stackmap.c:499 [inline]
+ bpf_get_stack+0x32/0x40 kernel/bpf/stackmap.c:496
+ ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1941 [inline]
+ bpf_get_stack_raw_tp+0x124/0x160 kernel/trace/bpf_trace.c:1931
+ bpf_prog_ec3b2eefa702d8d3+0x43/0x47
+
+Tracepoint like trace_mmap_lock_acquire_returned may cause nested call
+as the corner case show above, which will be resolved with more general
+method in the future. As a result, WARN_ON_ONCE will be triggered. As
+Alexei suggested, remove the WARN_ON_ONCE first.
+
+Fixes: 9594dc3c7e71 ("bpf: fix nested bpf tracepoints with per-cpu data")
+Reported-by: syzbot+45b0c89a0fc7ae8dbadc@syzkaller.appspotmail.com
+Suggested-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Tao Chen <chen.dylane@linux.dev>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20250513042747.757042-1-chen.dylane@linux.dev
+
+Closes: https://lore.kernel.org/bpf/8bc2554d-1052-4922-8832-e0078a033e1d@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/bpf_trace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
+index 7254c808b27c1..243122ca56793 100644
+--- a/kernel/trace/bpf_trace.c
++++ b/kernel/trace/bpf_trace.c
+@@ -1797,7 +1797,7 @@ static struct pt_regs *get_bpf_raw_tp_regs(void)
+ struct bpf_raw_tp_regs *tp_regs = this_cpu_ptr(&bpf_raw_tp_regs);
+ int nest_level = this_cpu_inc_return(bpf_raw_tp_nest_level);
+
+- if (WARN_ON_ONCE(nest_level > ARRAY_SIZE(tp_regs->regs))) {
++ if (nest_level > ARRAY_SIZE(tp_regs->regs)) {
+ this_cpu_dec(bpf_raw_tp_nest_level);
+ return ERR_PTR(-EBUSY);
+ }
+--
+2.39.5
+
--- /dev/null
+From 18594c69c73441af90e7fffb2020c9efb1cbd65d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 May 2025 22:17:12 +0800
+Subject: bpf, sockmap: Avoid using sk_socket after free when sending
+
+From: Jiayuan Chen <jiayuan.chen@linux.dev>
+
+[ Upstream commit 8259eb0e06d8f64c700f5fbdb28a5c18e10de291 ]
+
+The sk->sk_socket is not locked or referenced in backlog thread, and
+during the call to skb_send_sock(), there is a race condition with
+the release of sk_socket. All types of sockets(tcp/udp/unix/vsock)
+will be affected.
+
+Race conditions:
+'''
+CPU0 CPU1
+
+backlog::skb_send_sock
+ sendmsg_unlocked
+ sock_sendmsg
+ sock_sendmsg_nosec
+ close(fd):
+ ...
+ ops->release() -> sock_map_close()
+ sk_socket->ops = NULL
+ free(socket)
+ sock->ops->sendmsg
+ ^
+ panic here
+'''
+
+The ref of psock become 0 after sock_map_close() executed.
+'''
+void sock_map_close()
+{
+ ...
+ if (likely(psock)) {
+ ...
+ // !! here we remove psock and the ref of psock become 0
+ sock_map_remove_links(sk, psock)
+ psock = sk_psock_get(sk);
+ if (unlikely(!psock))
+ goto no_psock; <=== Control jumps here via goto
+ ...
+ cancel_delayed_work_sync(&psock->work); <=== not executed
+ sk_psock_put(sk, psock);
+ ...
+}
+'''
+
+Based on the fact that we already wait for the workqueue to finish in
+sock_map_close() if psock is held, we simply increase the psock
+reference count to avoid race conditions.
+
+With this patch, if the backlog thread is running, sock_map_close() will
+wait for the backlog thread to complete and cancel all pending work.
+
+If no backlog running, any pending work that hasn't started by then will
+fail when invoked by sk_psock_get(), as the psock reference count have
+been zeroed, and sk_psock_drop() will cancel all jobs via
+cancel_delayed_work_sync().
+
+In summary, we require synchronization to coordinate the backlog thread
+and close() thread.
+
+The panic I catched:
+'''
+Workqueue: events sk_psock_backlog
+RIP: 0010:sock_sendmsg+0x21d/0x440
+RAX: 0000000000000000 RBX: ffffc9000521fad8 RCX: 0000000000000001
+...
+Call Trace:
+ <TASK>
+ ? die_addr+0x40/0xa0
+ ? exc_general_protection+0x14c/0x230
+ ? asm_exc_general_protection+0x26/0x30
+ ? sock_sendmsg+0x21d/0x440
+ ? sock_sendmsg+0x3e0/0x440
+ ? __pfx_sock_sendmsg+0x10/0x10
+ __skb_send_sock+0x543/0xb70
+ sk_psock_backlog+0x247/0xb80
+...
+'''
+
+Fixes: 4b4647add7d3 ("sock_map: avoid race between sock_map_close and sk_psock_put")
+Reported-by: Michal Luczaj <mhal@rbox.co>
+Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Reviewed-by: John Fastabend <john.fastabend@gmail.com>
+Link: https://lore.kernel.org/r/20250516141713.291150-1-jiayuan.chen@linux.dev
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/skmsg.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/net/core/skmsg.c b/net/core/skmsg.c
+index 0613f9a2543bb..e5ba57a5db126 100644
+--- a/net/core/skmsg.c
++++ b/net/core/skmsg.c
+@@ -654,6 +654,13 @@ static void sk_psock_backlog(struct work_struct *work)
+ bool ingress;
+ int ret;
+
++ /* Increment the psock refcnt to synchronize with close(fd) path in
++ * sock_map_close(), ensuring we wait for backlog thread completion
++ * before sk_socket freed. If refcnt increment fails, it indicates
++ * sock_map_close() completed with sk_socket potentially already freed.
++ */
++ if (!sk_psock_get(psock->sk))
++ return;
+ mutex_lock(&psock->work_mutex);
+ while ((skb = skb_peek(&psock->ingress_skb))) {
+ len = skb->len;
+@@ -705,6 +712,7 @@ static void sk_psock_backlog(struct work_struct *work)
+ }
+ end:
+ mutex_unlock(&psock->work_mutex);
++ sk_psock_put(psock->sk, psock);
+ }
+
+ struct sk_psock *sk_psock_init(struct sock *sk, int node)
+--
+2.39.5
+
--- /dev/null
+From bb1589f3f285f78ff099dea188ba964cb604f153 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Apr 2025 22:21:21 +0800
+Subject: bpf, sockmap: fix duplicated data transmission
+
+From: Jiayuan Chen <jiayuan.chen@linux.dev>
+
+[ Upstream commit 3b4f14b794287be137ea2c6158765d1ea1e018a4 ]
+
+In the !ingress path under sk_psock_handle_skb(), when sending data to the
+remote under snd_buf limitations, partial skb data might be transmitted.
+
+Although we preserved the partial transmission state (offset/length), the
+state wasn't properly consumed during retries. This caused the retry path
+to resend the entire skb data instead of continuing from the previous
+offset, resulting in data overlap at the receiver side.
+
+Fixes: 405df89dd52c ("bpf, sockmap: Improved check for empty queue")
+Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
+Link: https://lore.kernel.org/r/20250407142234.47591-3-jiayuan.chen@linux.dev
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/skmsg.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/net/core/skmsg.c b/net/core/skmsg.c
+index 5a790cd1121b1..72f4949cbb70f 100644
+--- a/net/core/skmsg.c
++++ b/net/core/skmsg.c
+@@ -654,11 +654,6 @@ static void sk_psock_backlog(struct work_struct *work)
+ int ret;
+
+ mutex_lock(&psock->work_mutex);
+- if (unlikely(state->len)) {
+- len = state->len;
+- off = state->off;
+- }
+-
+ while ((skb = skb_peek(&psock->ingress_skb))) {
+ len = skb->len;
+ off = 0;
+@@ -668,6 +663,13 @@ static void sk_psock_backlog(struct work_struct *work)
+ off = stm->offset;
+ len = stm->full_len;
+ }
++
++ /* Resume processing from previous partial state */
++ if (unlikely(state->len)) {
++ len = state->len;
++ off = state->off;
++ }
++
+ ingress = skb_bpf_ingress(skb);
+ skb_bpf_redirect_clear(skb);
+ do {
+@@ -695,6 +697,8 @@ static void sk_psock_backlog(struct work_struct *work)
+ len -= ret;
+ } while (len);
+
++ /* The entire skb sent, clear state */
++ sk_psock_skb_state(psock, state, 0, 0);
+ skb = skb_dequeue(&psock->ingress_skb);
+ kfree_skb(skb);
+ }
+--
+2.39.5
+
--- /dev/null
+From 5e808cc8ab1d3e2c76b98739a99718d3391d0902 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Apr 2025 22:21:22 +0800
+Subject: bpf, sockmap: Fix panic when calling skb_linearize
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jiayuan Chen <jiayuan.chen@linux.dev>
+
+[ Upstream commit 5ca2e29f6834c64c0e5a9ccf1278c21fb49b827e ]
+
+The panic can be reproduced by executing the command:
+./bench sockmap -c 2 -p 1 -a --rx-verdict-ingress --rx-strp 100000
+
+Then a kernel panic was captured:
+'''
+[ 657.460555] kernel BUG at net/core/skbuff.c:2178!
+[ 657.462680] Tainted: [W]=WARN
+[ 657.463287] Workqueue: events sk_psock_backlog
+...
+[ 657.469610] <TASK>
+[ 657.469738] ? die+0x36/0x90
+[ 657.469916] ? do_trap+0x1d0/0x270
+[ 657.470118] ? pskb_expand_head+0x612/0xf40
+[ 657.470376] ? pskb_expand_head+0x612/0xf40
+[ 657.470620] ? do_error_trap+0xa3/0x170
+[ 657.470846] ? pskb_expand_head+0x612/0xf40
+[ 657.471092] ? handle_invalid_op+0x2c/0x40
+[ 657.471335] ? pskb_expand_head+0x612/0xf40
+[ 657.471579] ? exc_invalid_op+0x2d/0x40
+[ 657.471805] ? asm_exc_invalid_op+0x1a/0x20
+[ 657.472052] ? pskb_expand_head+0xd1/0xf40
+[ 657.472292] ? pskb_expand_head+0x612/0xf40
+[ 657.472540] ? lock_acquire+0x18f/0x4e0
+[ 657.472766] ? find_held_lock+0x2d/0x110
+[ 657.472999] ? __pfx_pskb_expand_head+0x10/0x10
+[ 657.473263] ? __kmalloc_cache_noprof+0x5b/0x470
+[ 657.473537] ? __pfx___lock_release.isra.0+0x10/0x10
+[ 657.473826] __pskb_pull_tail+0xfd/0x1d20
+[ 657.474062] ? __kasan_slab_alloc+0x4e/0x90
+[ 657.474707] sk_psock_skb_ingress_enqueue+0x3bf/0x510
+[ 657.475392] ? __kasan_kmalloc+0xaa/0xb0
+[ 657.476010] sk_psock_backlog+0x5cf/0xd70
+[ 657.476637] process_one_work+0x858/0x1a20
+'''
+
+The panic originates from the assertion BUG_ON(skb_shared(skb)) in
+skb_linearize(). A previous commit(see Fixes tag) introduced skb_get()
+to avoid race conditions between skb operations in the backlog and skb
+release in the recvmsg path. However, this caused the panic to always
+occur when skb_linearize is executed.
+
+The "--rx-strp 100000" parameter forces the RX path to use the strparser
+module which aggregates data until it reaches 100KB before calling sockmap
+logic. The 100KB payload exceeds MAX_MSG_FRAGS, triggering skb_linearize.
+
+To fix this issue, just move skb_get into sk_psock_skb_ingress_enqueue.
+
+'''
+sk_psock_backlog:
+ sk_psock_handle_skb
+ skb_get(skb) <== we move it into 'sk_psock_skb_ingress_enqueue'
+ sk_psock_skb_ingress____________
+ ↓
+ |
+ | → sk_psock_skb_ingress_self
+ | sk_psock_skb_ingress_enqueue
+sk_psock_verdict_apply_________________↑ skb_linearize
+'''
+
+Note that for verdict_apply path, the skb_get operation is unnecessary so
+we add 'take_ref' param to control it's behavior.
+
+Fixes: a454d84ee20b ("bpf, sockmap: Fix skb refcnt race after locking changes")
+Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
+Link: https://lore.kernel.org/r/20250407142234.47591-4-jiayuan.chen@linux.dev
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/skmsg.c | 31 ++++++++++++++++---------------
+ 1 file changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/net/core/skmsg.c b/net/core/skmsg.c
+index 72f4949cbb70f..0613f9a2543bb 100644
+--- a/net/core/skmsg.c
++++ b/net/core/skmsg.c
+@@ -528,16 +528,22 @@ static int sk_psock_skb_ingress_enqueue(struct sk_buff *skb,
+ u32 off, u32 len,
+ struct sk_psock *psock,
+ struct sock *sk,
+- struct sk_msg *msg)
++ struct sk_msg *msg,
++ bool take_ref)
+ {
+ int num_sge, copied;
+
++ /* skb_to_sgvec will fail when the total number of fragments in
++ * frag_list and frags exceeds MAX_MSG_FRAGS. For example, the
++ * caller may aggregate multiple skbs.
++ */
+ num_sge = skb_to_sgvec(skb, msg->sg.data, off, len);
+ if (num_sge < 0) {
+ /* skb linearize may fail with ENOMEM, but lets simply try again
+ * later if this happens. Under memory pressure we don't want to
+ * drop the skb. We need to linearize the skb so that the mapping
+ * in skb_to_sgvec can not error.
++ * Note that skb_linearize requires the skb not to be shared.
+ */
+ if (skb_linearize(skb))
+ return -EAGAIN;
+@@ -554,7 +560,7 @@ static int sk_psock_skb_ingress_enqueue(struct sk_buff *skb,
+ msg->sg.start = 0;
+ msg->sg.size = copied;
+ msg->sg.end = num_sge;
+- msg->skb = skb;
++ msg->skb = take_ref ? skb_get(skb) : skb;
+
+ sk_psock_queue_msg(psock, msg);
+ sk_psock_data_ready(sk, psock);
+@@ -562,7 +568,7 @@ static int sk_psock_skb_ingress_enqueue(struct sk_buff *skb,
+ }
+
+ static int sk_psock_skb_ingress_self(struct sk_psock *psock, struct sk_buff *skb,
+- u32 off, u32 len);
++ u32 off, u32 len, bool take_ref);
+
+ static int sk_psock_skb_ingress(struct sk_psock *psock, struct sk_buff *skb,
+ u32 off, u32 len)
+@@ -576,7 +582,7 @@ static int sk_psock_skb_ingress(struct sk_psock *psock, struct sk_buff *skb,
+ * correctly.
+ */
+ if (unlikely(skb->sk == sk))
+- return sk_psock_skb_ingress_self(psock, skb, off, len);
++ return sk_psock_skb_ingress_self(psock, skb, off, len, true);
+ msg = sk_psock_create_ingress_msg(sk, skb);
+ if (!msg)
+ return -EAGAIN;
+@@ -588,7 +594,7 @@ static int sk_psock_skb_ingress(struct sk_psock *psock, struct sk_buff *skb,
+ * into user buffers.
+ */
+ skb_set_owner_r(skb, sk);
+- err = sk_psock_skb_ingress_enqueue(skb, off, len, psock, sk, msg);
++ err = sk_psock_skb_ingress_enqueue(skb, off, len, psock, sk, msg, true);
+ if (err < 0)
+ kfree(msg);
+ return err;
+@@ -599,7 +605,7 @@ static int sk_psock_skb_ingress(struct sk_psock *psock, struct sk_buff *skb,
+ * because the skb is already accounted for here.
+ */
+ static int sk_psock_skb_ingress_self(struct sk_psock *psock, struct sk_buff *skb,
+- u32 off, u32 len)
++ u32 off, u32 len, bool take_ref)
+ {
+ struct sk_msg *msg = alloc_sk_msg(GFP_ATOMIC);
+ struct sock *sk = psock->sk;
+@@ -608,7 +614,7 @@ static int sk_psock_skb_ingress_self(struct sk_psock *psock, struct sk_buff *skb
+ if (unlikely(!msg))
+ return -EAGAIN;
+ skb_set_owner_r(skb, sk);
+- err = sk_psock_skb_ingress_enqueue(skb, off, len, psock, sk, msg);
++ err = sk_psock_skb_ingress_enqueue(skb, off, len, psock, sk, msg, take_ref);
+ if (err < 0)
+ kfree(msg);
+ return err;
+@@ -617,18 +623,13 @@ static int sk_psock_skb_ingress_self(struct sk_psock *psock, struct sk_buff *skb
+ static int sk_psock_handle_skb(struct sk_psock *psock, struct sk_buff *skb,
+ u32 off, u32 len, bool ingress)
+ {
+- int err = 0;
+-
+ if (!ingress) {
+ if (!sock_writeable(psock->sk))
+ return -EAGAIN;
+ return skb_send_sock(psock->sk, skb, off, len);
+ }
+- skb_get(skb);
+- err = sk_psock_skb_ingress(psock, skb, off, len);
+- if (err < 0)
+- kfree_skb(skb);
+- return err;
++
++ return sk_psock_skb_ingress(psock, skb, off, len);
+ }
+
+ static void sk_psock_skb_state(struct sk_psock *psock,
+@@ -1016,7 +1017,7 @@ static int sk_psock_verdict_apply(struct sk_psock *psock, struct sk_buff *skb,
+ off = stm->offset;
+ len = stm->full_len;
+ }
+- err = sk_psock_skb_ingress_self(psock, skb, off, len);
++ err = sk_psock_skb_ingress_self(psock, skb, off, len, false);
+ }
+ if (err < 0) {
+ spin_lock_bh(&psock->ingress_lock);
+--
+2.39.5
+
--- /dev/null
+From 5ded99dc49b086207281276886a3eac804ba71e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Apr 2025 13:58:09 +0300
+Subject: bus: fsl-mc: fix double-free on mc_dev
+
+From: Ioana Ciornei <ioana.ciornei@nxp.com>
+
+[ Upstream commit d694bf8a9acdbd061596f3e7549bc8cb70750a60 ]
+
+The blamed commit tried to simplify how the deallocations are done but,
+in the process, introduced a double-free on the mc_dev variable.
+
+In case the MC device is a DPRC, a new mc_bus is allocated and the
+mc_dev variable is just a reference to one of its fields. In this
+circumstance, on the error path only the mc_bus should be freed.
+
+This commit introduces back the following checkpatch warning which is a
+false-positive.
+
+WARNING: kfree(NULL) is safe and this check is probably not required
++ if (mc_bus)
++ kfree(mc_bus);
+
+Fixes: a042fbed0290 ("staging: fsl-mc: simplify couple of deallocations")
+Signed-off-by: Ioana Ciornei <ioana.ciornei@nxp.com>
+Link: https://lore.kernel.org/r/20250408105814.2837951-2-ioana.ciornei@nxp.com
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bus/fsl-mc/fsl-mc-bus.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/bus/fsl-mc/fsl-mc-bus.c b/drivers/bus/fsl-mc/fsl-mc-bus.c
+index 6143dbf31f311..6e4556530df58 100644
+--- a/drivers/bus/fsl-mc/fsl-mc-bus.c
++++ b/drivers/bus/fsl-mc/fsl-mc-bus.c
+@@ -910,8 +910,10 @@ int fsl_mc_device_add(struct fsl_mc_obj_desc *obj_desc,
+
+ error_cleanup_dev:
+ kfree(mc_dev->regions);
+- kfree(mc_bus);
+- kfree(mc_dev);
++ if (mc_bus)
++ kfree(mc_bus);
++ else
++ kfree(mc_dev);
+
+ return error;
+ }
+--
+2.39.5
+
--- /dev/null
+From 0ed2fcb77a5272b90423b42b1a1747fe26d8c286 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 May 2025 15:18:56 -0700
+Subject: calipso: Don't call calipso functions for AF_INET sk.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 6e9f2df1c550ead7cecb3e450af1105735020c92 ]
+
+syzkaller reported a null-ptr-deref in txopt_get(). [0]
+
+The offset 0x70 was of struct ipv6_txoptions in struct ipv6_pinfo,
+so struct ipv6_pinfo was NULL there.
+
+However, this never happens for IPv6 sockets as inet_sk(sk)->pinet6
+is always set in inet6_create(), meaning the socket was not IPv6 one.
+
+The root cause is missing validation in netlbl_conn_setattr().
+
+netlbl_conn_setattr() switches branches based on struct
+sockaddr.sa_family, which is passed from userspace. However,
+netlbl_conn_setattr() does not check if the address family matches
+the socket.
+
+The syzkaller must have called connect() for an IPv6 address on
+an IPv4 socket.
+
+We have a proper validation in tcp_v[46]_connect(), but
+security_socket_connect() is called in the earlier stage.
+
+Let's copy the validation to netlbl_conn_setattr().
+
+[0]:
+Oops: general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN NOPTI
+KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
+CPU: 2 UID: 0 PID: 12928 Comm: syz.9.1677 Not tainted 6.12.0 #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
+RIP: 0010:txopt_get include/net/ipv6.h:390 [inline]
+RIP: 0010:
+Code: 02 00 00 49 8b ac 24 f8 02 00 00 e8 84 69 2a fd e8 ff 00 16 fd 48 8d 7d 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 53 02 00 00 48 8b 6d 70 48 85 ed 0f 84 ab 01 00
+RSP: 0018:ffff88811b8afc48 EFLAGS: 00010212
+RAX: dffffc0000000000 RBX: 1ffff11023715f8a RCX: ffffffff841ab00c
+RDX: 000000000000000e RSI: ffffc90007d9e000 RDI: 0000000000000070
+RBP: 0000000000000000 R08: ffffed1023715f9d R09: ffffed1023715f9e
+R10: ffffed1023715f9d R11: 0000000000000003 R12: ffff888123075f00
+R13: ffff88810245bd80 R14: ffff888113646780 R15: ffff888100578a80
+FS: 00007f9019bd7640(0000) GS:ffff8882d2d00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f901b927bac CR3: 0000000104788003 CR4: 0000000000770ef0
+PKRU: 80000000
+Call Trace:
+ <TASK>
+ calipso_sock_setattr+0x56/0x80 net/netlabel/netlabel_calipso.c:557
+ netlbl_conn_setattr+0x10c/0x280 net/netlabel/netlabel_kapi.c:1177
+ selinux_netlbl_socket_connect_helper+0xd3/0x1b0 security/selinux/netlabel.c:569
+ selinux_netlbl_socket_connect_locked security/selinux/netlabel.c:597 [inline]
+ selinux_netlbl_socket_connect+0xb6/0x100 security/selinux/netlabel.c:615
+ selinux_socket_connect+0x5f/0x80 security/selinux/hooks.c:4931
+ security_socket_connect+0x50/0xa0 security/security.c:4598
+ __sys_connect_file+0xa4/0x190 net/socket.c:2067
+ __sys_connect+0x12c/0x170 net/socket.c:2088
+ __do_sys_connect net/socket.c:2098 [inline]
+ __se_sys_connect net/socket.c:2095 [inline]
+ __x64_sys_connect+0x73/0xb0 net/socket.c:2095
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xaa/0x1b0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f901b61a12d
+Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f9019bd6fa8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
+RAX: ffffffffffffffda RBX: 00007f901b925fa0 RCX: 00007f901b61a12d
+RDX: 000000000000001c RSI: 0000200000000140 RDI: 0000000000000003
+RBP: 00007f901b701505 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 0000000000000000 R14: 00007f901b5b62a0 R15: 00007f9019bb7000
+ </TASK>
+Modules linked in:
+
+Fixes: ceba1832b1b2 ("calipso: Set the calipso socket label to match the secattr.")
+Reported-by: syzkaller <syzkaller@googlegroups.com>
+Reported-by: John Cheung <john.cs.hey@gmail.com>
+Closes: https://lore.kernel.org/netdev/CAP=Rh=M1LzunrcQB1fSGauMrJrhL6GGps5cPAKzHJXj6GQV+-g@mail.gmail.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Acked-by: Paul Moore <paul@paul-moore.com>
+Link: https://patch.msgid.link/20250522221858.91240-1-kuniyu@amazon.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netlabel/netlabel_kapi.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
+index 27511c90a26f4..75b645c1928db 100644
+--- a/net/netlabel/netlabel_kapi.c
++++ b/net/netlabel/netlabel_kapi.c
+@@ -1140,6 +1140,9 @@ int netlbl_conn_setattr(struct sock *sk,
+ break;
+ #if IS_ENABLED(CONFIG_IPV6)
+ case AF_INET6:
++ if (sk->sk_family != AF_INET6)
++ return -EAFNOSUPPORT;
++
+ addr6 = (struct sockaddr_in6 *)addr;
+ entry = netlbl_domhsh_getentry_af6(secattr->domain,
+ &addr6->sin6_addr);
+--
+2.39.5
+
--- /dev/null
+From c4562cb57d92ad4124817b8b84f023e8690c01c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Apr 2025 10:05:13 +0800
+Subject: clk: bcm: rpi: Add NULL check in raspberrypi_clk_register()
+
+From: Henry Martin <bsdhenrymartin@gmail.com>
+
+[ Upstream commit 73c46d9a93d071ca69858dea3f569111b03e549e ]
+
+devm_kasprintf() returns NULL when memory allocation fails. Currently,
+raspberrypi_clk_register() does not check for this case, which results
+in a NULL pointer dereference.
+
+Add NULL check after devm_kasprintf() to prevent this issue.
+
+Fixes: 93d2725affd6 ("clk: bcm: rpi: Discover the firmware clocks")
+Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
+Reviewed-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
+Link: https://lore.kernel.org/r/20250402020513.42628-1-bsdhenrymartin@gmail.com
+Reviewed-by: Stefan Wahren <wahrenst@gmx.net>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/bcm/clk-raspberrypi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/clk/bcm/clk-raspberrypi.c b/drivers/clk/bcm/clk-raspberrypi.c
+index 278f845572813..a7e18789839fe 100644
+--- a/drivers/clk/bcm/clk-raspberrypi.c
++++ b/drivers/clk/bcm/clk-raspberrypi.c
+@@ -290,6 +290,8 @@ static struct clk_hw *raspberrypi_clk_register(struct raspberrypi_clk *rpi,
+ init.name = devm_kasprintf(rpi->dev, GFP_KERNEL,
+ "fw-clk-%s",
+ rpi_firmware_clk_names[id]);
++ if (!init.name)
++ return ERR_PTR(-ENOMEM);
+ init.ops = &raspberrypi_firmware_clk_ops;
+ init.flags = CLK_GET_RATE_NOCACHE;
+
+--
+2.39.5
+
--- /dev/null
+From 8a0278dee8d1f8369947e79f2620fff288d1f26a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Apr 2025 14:12:56 +0200
+Subject: clk: qcom: dispcc-sm6350: Add *_wait_val values for GDSCs
+
+From: Luca Weiss <luca.weiss@fairphone.com>
+
+[ Upstream commit 673989d27123618afab56df1143a75454178b4ae ]
+
+Compared to the msm-4.19 driver the mainline GDSC driver always sets the
+bits for en_rest, en_few & clk_dis, and if those values are not set
+per-GDSC in the respective driver then the default value from the GDSC
+driver is used. The downstream driver only conditionally sets
+clk_dis_wait_val if qcom,clk-dis-wait-val is given in devicetree.
+
+Correct this situation by explicitly setting those values. For all GDSCs
+the reset value of those bits are used.
+
+Fixes: 837519775f1d ("clk: qcom: Add display clock controller driver for SM6350")
+Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
+Reviewed-by: Taniya Das <quic_tdas@quicinc.com>
+Link: https://lore.kernel.org/r/20250425-sm6350-gdsc-val-v1-2-1f252d9c5e4e@fairphone.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/dispcc-sm6350.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/clk/qcom/dispcc-sm6350.c b/drivers/clk/qcom/dispcc-sm6350.c
+index ddacb4f76eca5..ea98a63746f0f 100644
+--- a/drivers/clk/qcom/dispcc-sm6350.c
++++ b/drivers/clk/qcom/dispcc-sm6350.c
+@@ -680,6 +680,9 @@ static struct clk_branch disp_cc_xo_clk = {
+
+ static struct gdsc mdss_gdsc = {
+ .gdscr = 0x1004,
++ .en_rest_wait_val = 0x2,
++ .en_few_wait_val = 0x2,
++ .clk_dis_wait_val = 0xf,
+ .pd = {
+ .name = "mdss_gdsc",
+ },
+--
+2.39.5
+
--- /dev/null
+From ec8292632b4046cd403d0e7aee282b62b235e365 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Apr 2025 18:45:12 +0200
+Subject: clk: qcom: gcc-msm8939: Fix mclk0 & mclk1 for 24 MHz
+
+From: Vincent Knecht <vincent.knecht@mailoo.org>
+
+[ Upstream commit 9e7acf70cf6aa7b22f67d911f50a8cd510e8fb00 ]
+
+Fix mclk0 & mclk1 parent map to use correct GPLL6 configuration and
+freq_tbl to use GPLL6 instead of GPLL0 so that they tick at 24 MHz.
+
+Fixes: 1664014e4679 ("clk: qcom: gcc-msm8939: Add MSM8939 Generic Clock Controller")
+Suggested-by: Stephan Gerhold <stephan@gerhold.net>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Vincent Knecht <vincent.knecht@mailoo.org>
+Link: https://lore.kernel.org/r/20250414-gcc-msm8939-fixes-mclk-v2-resend2-v2-1-5ddcf572a6de@mailoo.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/gcc-msm8939.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/qcom/gcc-msm8939.c b/drivers/clk/qcom/gcc-msm8939.c
+index af608f1658967..ecf1c29a1f0e1 100644
+--- a/drivers/clk/qcom/gcc-msm8939.c
++++ b/drivers/clk/qcom/gcc-msm8939.c
+@@ -433,7 +433,7 @@ static const struct parent_map gcc_xo_gpll0_gpll1a_gpll6_sleep_map[] = {
+ { P_XO, 0 },
+ { P_GPLL0, 1 },
+ { P_GPLL1_AUX, 2 },
+- { P_GPLL6, 2 },
++ { P_GPLL6, 3 },
+ { P_SLEEP_CLK, 6 },
+ };
+
+@@ -1088,7 +1088,7 @@ static struct clk_rcg2 jpeg0_clk_src = {
+ };
+
+ static const struct freq_tbl ftbl_gcc_camss_mclk0_1_clk[] = {
+- F(24000000, P_GPLL0, 1, 1, 45),
++ F(24000000, P_GPLL6, 1, 1, 45),
+ F(66670000, P_GPLL0, 12, 0, 0),
+ { }
+ };
+--
+2.39.5
+
--- /dev/null
+From 3178bcd98ee45bf7b3286c7a592a7a7dce2c8a43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Apr 2025 14:12:57 +0200
+Subject: clk: qcom: gcc-sm6350: Add *_wait_val values for GDSCs
+
+From: Luca Weiss <luca.weiss@fairphone.com>
+
+[ Upstream commit afdfd829a99e467869e3ca1955fb6c6e337c340a ]
+
+Compared to the msm-4.19 driver the mainline GDSC driver always sets the
+bits for en_rest, en_few & clk_dis, and if those values are not set
+per-GDSC in the respective driver then the default value from the GDSC
+driver is used. The downstream driver only conditionally sets
+clk_dis_wait_val if qcom,clk-dis-wait-val is given in devicetree.
+
+Correct this situation by explicitly setting those values. For all GDSCs
+the reset value of those bits are used.
+
+Fixes: 131abae905df ("clk: qcom: Add SM6350 GCC driver")
+Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
+Reviewed-by: Taniya Das <quic_tdas@quicinc.com>
+Link: https://lore.kernel.org/r/20250425-sm6350-gdsc-val-v1-3-1f252d9c5e4e@fairphone.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/gcc-sm6350.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/clk/qcom/gcc-sm6350.c b/drivers/clk/qcom/gcc-sm6350.c
+index 428cd99dcdcbe..4031613c6236f 100644
+--- a/drivers/clk/qcom/gcc-sm6350.c
++++ b/drivers/clk/qcom/gcc-sm6350.c
+@@ -2320,6 +2320,9 @@ static struct clk_branch gcc_video_xo_clk = {
+
+ static struct gdsc usb30_prim_gdsc = {
+ .gdscr = 0x1a004,
++ .en_rest_wait_val = 0x2,
++ .en_few_wait_val = 0x2,
++ .clk_dis_wait_val = 0xf,
+ .pd = {
+ .name = "usb30_prim_gdsc",
+ },
+@@ -2328,6 +2331,9 @@ static struct gdsc usb30_prim_gdsc = {
+
+ static struct gdsc ufs_phy_gdsc = {
+ .gdscr = 0x3a004,
++ .en_rest_wait_val = 0x2,
++ .en_few_wait_val = 0x2,
++ .clk_dis_wait_val = 0xf,
+ .pd = {
+ .name = "ufs_phy_gdsc",
+ },
+--
+2.39.5
+
--- /dev/null
+From c5d21de8e387d76dcb4df8f050e022c4b6ef99d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Apr 2025 14:12:58 +0200
+Subject: clk: qcom: gpucc-sm6350: Add *_wait_val values for GDSCs
+
+From: Luca Weiss <luca.weiss@fairphone.com>
+
+[ Upstream commit d988b0b866c2aeb23aa74022b5bbd463165a7a33 ]
+
+Compared to the msm-4.19 driver the mainline GDSC driver always sets the
+bits for en_rest, en_few & clk_dis, and if those values are not set
+per-GDSC in the respective driver then the default value from the GDSC
+driver is used. The downstream driver only conditionally sets
+clk_dis_wait_val if qcom,clk-dis-wait-val is given in devicetree.
+
+Correct this situation by explicitly setting those values. For all GDSCs
+the reset value of those bits are used, with the exception of
+gpu_cx_gdsc which has an explicit value (qcom,clk-dis-wait-val = <8>).
+
+Fixes: 013804a727a0 ("clk: qcom: Add GPU clock controller driver for SM6350")
+Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
+Reviewed-by: Taniya Das <quic_tdas@quicinc.com>
+Link: https://lore.kernel.org/r/20250425-sm6350-gdsc-val-v1-4-1f252d9c5e4e@fairphone.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/gpucc-sm6350.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/clk/qcom/gpucc-sm6350.c b/drivers/clk/qcom/gpucc-sm6350.c
+index 0bcbba2a29436..86c8ad5b55bac 100644
+--- a/drivers/clk/qcom/gpucc-sm6350.c
++++ b/drivers/clk/qcom/gpucc-sm6350.c
+@@ -412,6 +412,9 @@ static struct clk_branch gpu_cc_gx_vsense_clk = {
+ static struct gdsc gpu_cx_gdsc = {
+ .gdscr = 0x106c,
+ .gds_hw_ctrl = 0x1540,
++ .en_rest_wait_val = 0x2,
++ .en_few_wait_val = 0x2,
++ .clk_dis_wait_val = 0x8,
+ .pd = {
+ .name = "gpu_cx_gdsc",
+ },
+@@ -422,6 +425,9 @@ static struct gdsc gpu_cx_gdsc = {
+ static struct gdsc gpu_gx_gdsc = {
+ .gdscr = 0x100c,
+ .clamp_io_ctrl = 0x1508,
++ .en_rest_wait_val = 0x2,
++ .en_few_wait_val = 0x2,
++ .clk_dis_wait_val = 0x2,
+ .pd = {
+ .name = "gpu_gx_gdsc",
+ .power_on = gdsc_gx_do_nothing_enable,
+--
+2.39.5
+
--- /dev/null
+From c5511a208c24a9fe68dbed861a024a42135bb385 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 May 2025 17:19:51 +0100
+Subject: coresight: prevent deactivate active config while enabling the config
+
+From: Yeoreum Yun <yeoreum.yun@arm.com>
+
+[ Upstream commit 408c97c4a5e0b634dcd15bf8b8808b382e888164 ]
+
+While enable active config via cscfg_csdev_enable_active_config(),
+active config could be deactivated via configfs' sysfs interface.
+This could make UAF issue in below scenario:
+
+CPU0 CPU1
+(sysfs enable) load module
+ cscfg_load_config_sets()
+ activate config. // sysfs
+ (sys_active_cnt == 1)
+...
+cscfg_csdev_enable_active_config()
+lock(csdev->cscfg_csdev_lock)
+// here load config activate by CPU1
+unlock(csdev->cscfg_csdev_lock)
+
+ deactivate config // sysfs
+ (sys_activec_cnt == 0)
+ cscfg_unload_config_sets()
+ unload module
+
+// access to config_desc which freed
+// while unloading module.
+cscfg_csdev_enable_config
+
+To address this, use cscfg_config_desc's active_cnt as a reference count
+ which will be holded when
+ - activate the config.
+ - enable the activated config.
+and put the module reference when config_active_cnt == 0.
+
+Fixes: f8cce2ff3c04 ("coresight: syscfg: Add API to activate and enable configurations")
+Suggested-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>
+Reviewed-by: Leo Yan <leo.yan@arm.com>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Link: https://lore.kernel.org/r/20250514161951.3427590-4-yeoreum.yun@arm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../hwtracing/coresight/coresight-config.h | 2 +-
+ .../hwtracing/coresight/coresight-syscfg.c | 49 +++++++++++++------
+ 2 files changed, 35 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/hwtracing/coresight/coresight-config.h b/drivers/hwtracing/coresight/coresight-config.h
+index 6ba0139757418..84cdde6f0e4db 100644
+--- a/drivers/hwtracing/coresight/coresight-config.h
++++ b/drivers/hwtracing/coresight/coresight-config.h
+@@ -228,7 +228,7 @@ struct cscfg_feature_csdev {
+ * @feats_csdev:references to the device features to enable.
+ */
+ struct cscfg_config_csdev {
+- const struct cscfg_config_desc *config_desc;
++ struct cscfg_config_desc *config_desc;
+ struct coresight_device *csdev;
+ bool enabled;
+ struct list_head node;
+diff --git a/drivers/hwtracing/coresight/coresight-syscfg.c b/drivers/hwtracing/coresight/coresight-syscfg.c
+index 11138a9762b01..30a561d874819 100644
+--- a/drivers/hwtracing/coresight/coresight-syscfg.c
++++ b/drivers/hwtracing/coresight/coresight-syscfg.c
+@@ -867,6 +867,25 @@ void cscfg_csdev_reset_feats(struct coresight_device *csdev)
+ }
+ EXPORT_SYMBOL_GPL(cscfg_csdev_reset_feats);
+
++static bool cscfg_config_desc_get(struct cscfg_config_desc *config_desc)
++{
++ if (!atomic_fetch_inc(&config_desc->active_cnt)) {
++ /* must ensure that config cannot be unloaded in use */
++ if (unlikely(cscfg_owner_get(config_desc->load_owner))) {
++ atomic_dec(&config_desc->active_cnt);
++ return false;
++ }
++ }
++
++ return true;
++}
++
++static void cscfg_config_desc_put(struct cscfg_config_desc *config_desc)
++{
++ if (!atomic_dec_return(&config_desc->active_cnt))
++ cscfg_owner_put(config_desc->load_owner);
++}
++
+ /*
+ * This activate configuration for either perf or sysfs. Perf can have multiple
+ * active configs, selected per event, sysfs is limited to one.
+@@ -890,22 +909,17 @@ static int _cscfg_activate_config(unsigned long cfg_hash)
+ if (config_desc->available == false)
+ return -EBUSY;
+
+- /* must ensure that config cannot be unloaded in use */
+- err = cscfg_owner_get(config_desc->load_owner);
+- if (err)
++ if (!cscfg_config_desc_get(config_desc)) {
++ err = -EINVAL;
+ break;
++ }
++
+ /*
+ * increment the global active count - control changes to
+ * active configurations
+ */
+ atomic_inc(&cscfg_mgr->sys_active_cnt);
+
+- /*
+- * mark the descriptor as active so enable config on a
+- * device instance will use it
+- */
+- atomic_inc(&config_desc->active_cnt);
+-
+ err = 0;
+ dev_dbg(cscfg_device(), "Activate config %s.\n", config_desc->name);
+ break;
+@@ -920,9 +934,8 @@ static void _cscfg_deactivate_config(unsigned long cfg_hash)
+
+ list_for_each_entry(config_desc, &cscfg_mgr->config_desc_list, item) {
+ if ((unsigned long)config_desc->event_ea->var == cfg_hash) {
+- atomic_dec(&config_desc->active_cnt);
+ atomic_dec(&cscfg_mgr->sys_active_cnt);
+- cscfg_owner_put(config_desc->load_owner);
++ cscfg_config_desc_put(config_desc);
+ dev_dbg(cscfg_device(), "Deactivate config %s.\n", config_desc->name);
+ break;
+ }
+@@ -1047,7 +1060,7 @@ int cscfg_csdev_enable_active_config(struct coresight_device *csdev,
+ unsigned long cfg_hash, int preset)
+ {
+ struct cscfg_config_csdev *config_csdev_active = NULL, *config_csdev_item;
+- const struct cscfg_config_desc *config_desc;
++ struct cscfg_config_desc *config_desc;
+ unsigned long flags;
+ int err = 0;
+
+@@ -1062,8 +1075,8 @@ int cscfg_csdev_enable_active_config(struct coresight_device *csdev,
+ spin_lock_irqsave(&csdev->cscfg_csdev_lock, flags);
+ list_for_each_entry(config_csdev_item, &csdev->config_csdev_list, node) {
+ config_desc = config_csdev_item->config_desc;
+- if ((atomic_read(&config_desc->active_cnt)) &&
+- ((unsigned long)config_desc->event_ea->var == cfg_hash)) {
++ if (((unsigned long)config_desc->event_ea->var == cfg_hash) &&
++ cscfg_config_desc_get(config_desc)) {
+ config_csdev_active = config_csdev_item;
+ csdev->active_cscfg_ctxt = (void *)config_csdev_active;
+ break;
+@@ -1097,7 +1110,11 @@ int cscfg_csdev_enable_active_config(struct coresight_device *csdev,
+ err = -EBUSY;
+ spin_unlock_irqrestore(&csdev->cscfg_csdev_lock, flags);
+ }
++
++ if (err)
++ cscfg_config_desc_put(config_desc);
+ }
++
+ return err;
+ }
+ EXPORT_SYMBOL_GPL(cscfg_csdev_enable_active_config);
+@@ -1136,8 +1153,10 @@ void cscfg_csdev_disable_active_config(struct coresight_device *csdev)
+ spin_unlock_irqrestore(&csdev->cscfg_csdev_lock, flags);
+
+ /* true if there was an enabled active config */
+- if (config_csdev)
++ if (config_csdev) {
+ cscfg_csdev_disable_config(config_csdev);
++ cscfg_config_desc_put(config_csdev->config_desc);
++ }
+ }
+ EXPORT_SYMBOL_GPL(cscfg_csdev_disable_active_config);
+
+--
+2.39.5
+
--- /dev/null
+From 15a5dcbb703f3a0fd90a7d09a9eb764fec587972 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 Mar 2025 18:36:40 +0200
+Subject: counter: interrupt-cnt: Protect enable/disable OPs with mutex
+
+From: Alexander Sverdlin <alexander.sverdlin@siemens.com>
+
+[ Upstream commit 7351312632e831e51383f48957d47712fae791ef ]
+
+Enable/disable seems to be racy on SMP, consider the following scenario:
+
+CPU0 CPU1
+
+interrupt_cnt_enable_write(true)
+{
+ if (priv->enabled == enable)
+ return 0;
+
+ if (enable) {
+ priv->enabled = true;
+ interrupt_cnt_enable_write(false)
+ {
+ if (priv->enabled == enable)
+ return 0;
+
+ if (enable) {
+ priv->enabled = true;
+ enable_irq(priv->irq);
+ } else {
+ disable_irq(priv->irq)
+ priv->enabled = false;
+ }
+ enable_irq(priv->irq);
+ } else {
+ disable_irq(priv->irq);
+ priv->enabled = false;
+ }
+
+The above would result in priv->enabled == false, but IRQ left enabled.
+Protect both write (above race) and read (to propagate the value on SMP)
+callbacks with a mutex.
+
+Signed-off-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
+Fixes: a55ebd47f21f ("counter: add IRQ or GPIO based counter")
+Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: https://lore.kernel.org/r/20250331163642.2382651-1-alexander.sverdlin@siemens.com
+Signed-off-by: William Breathitt Gray <wbg@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/counter/interrupt-cnt.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/counter/interrupt-cnt.c b/drivers/counter/interrupt-cnt.c
+index 229473855c5b3..bc762ba87a19b 100644
+--- a/drivers/counter/interrupt-cnt.c
++++ b/drivers/counter/interrupt-cnt.c
+@@ -3,12 +3,14 @@
+ * Copyright (c) 2021 Pengutronix, Oleksij Rempel <kernel@pengutronix.de>
+ */
+
++#include <linux/cleanup.h>
+ #include <linux/counter.h>
+ #include <linux/gpio/consumer.h>
+ #include <linux/interrupt.h>
+ #include <linux/irq.h>
+ #include <linux/mod_devicetable.h>
+ #include <linux/module.h>
++#include <linux/mutex.h>
+ #include <linux/platform_device.h>
+ #include <linux/types.h>
+
+@@ -19,6 +21,7 @@ struct interrupt_cnt_priv {
+ struct gpio_desc *gpio;
+ int irq;
+ bool enabled;
++ struct mutex lock;
+ struct counter_signal signals;
+ struct counter_synapse synapses;
+ struct counter_count cnts;
+@@ -41,6 +44,8 @@ static int interrupt_cnt_enable_read(struct counter_device *counter,
+ {
+ struct interrupt_cnt_priv *priv = counter_priv(counter);
+
++ guard(mutex)(&priv->lock);
++
+ *enable = priv->enabled;
+
+ return 0;
+@@ -51,6 +56,8 @@ static int interrupt_cnt_enable_write(struct counter_device *counter,
+ {
+ struct interrupt_cnt_priv *priv = counter_priv(counter);
+
++ guard(mutex)(&priv->lock);
++
+ if (priv->enabled == enable)
+ return 0;
+
+@@ -227,6 +234,8 @@ static int interrupt_cnt_probe(struct platform_device *pdev)
+ if (ret)
+ return ret;
+
++ mutex_init(&priv->lock);
++
+ ret = devm_counter_add(dev, counter);
+ if (ret < 0)
+ return dev_err_probe(dev, ret, "Failed to add counter\n");
+--
+2.39.5
+
--- /dev/null
+From 00a7f048f677765ee662e8250e8e1d62bc63923e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 May 2025 16:28:08 +0800
+Subject: crypto: lrw - Only add ecb if it is not already there
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 3d73909bddc2ebb3224a8bc2e5ce00e9df70c15d ]
+
+Only add ecb to the cipher name if it isn't already ecb.
+
+Also use memcmp instead of strncmp since these strings are all
+stored in an array of length CRYPTO_MAX_ALG_NAME.
+
+Fixes: 700cb3f5fe75 ("crypto: lrw - Convert to skcipher")
+Reported-by: kernel test robot <oliver.sang@intel.com>
+Closes: https://lore.kernel.org/oe-lkp/202505151503.d8a6cf10-lkp@intel.com
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/lrw.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/lrw.c b/crypto/lrw.c
+index fb8892ed179f5..99d9eb67e1827 100644
+--- a/crypto/lrw.c
++++ b/crypto/lrw.c
+@@ -322,7 +322,7 @@ static int lrw_create(struct crypto_template *tmpl, struct rtattr **tb)
+
+ err = crypto_grab_skcipher(spawn, skcipher_crypto_instance(inst),
+ cipher_name, 0, mask);
+- if (err == -ENOENT) {
++ if (err == -ENOENT && memcmp(cipher_name, "ecb(", 4)) {
+ err = -ENAMETOOLONG;
+ if (snprintf(ecb_name, CRYPTO_MAX_ALG_NAME, "ecb(%s)",
+ cipher_name) >= CRYPTO_MAX_ALG_NAME)
+@@ -356,7 +356,7 @@ static int lrw_create(struct crypto_template *tmpl, struct rtattr **tb)
+ /* Alas we screwed up the naming so we have to mangle the
+ * cipher name.
+ */
+- if (!strncmp(cipher_name, "ecb(", 4)) {
++ if (!memcmp(cipher_name, "ecb(", 4)) {
+ int len;
+
+ len = strscpy(ecb_name, cipher_name + 4, sizeof(ecb_name));
+--
+2.39.5
+
--- /dev/null
+From f9346a4c7cf783c4699477fc4a39007bc3f6385d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 May 2025 18:43:33 +0800
+Subject: crypto: marvell/cesa - Avoid empty transfer descriptor
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 1bafd82d9a40cf09c6c40f1c09cc35b7050b1a9f ]
+
+The user may set req->src even if req->nbytes == 0. If there
+is no data to hash from req->src, do not generate an empty TDMA
+descriptor.
+
+Fixes: db509a45339f ("crypto: marvell/cesa - add TDMA support")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/marvell/cesa/hash.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/marvell/cesa/hash.c b/drivers/crypto/marvell/cesa/hash.c
+index 84c1065092796..72b0f863dee07 100644
+--- a/drivers/crypto/marvell/cesa/hash.c
++++ b/drivers/crypto/marvell/cesa/hash.c
+@@ -663,7 +663,7 @@ static int mv_cesa_ahash_dma_req_init(struct ahash_request *req)
+ if (ret)
+ goto err_free_tdma;
+
+- if (iter.src.sg) {
++ if (iter.base.len > iter.src.op_offset) {
+ /*
+ * Add all the new data, inserting an operation block and
+ * launch command between each full SRAM block-worth of
+--
+2.39.5
+
--- /dev/null
+From 67bb926259e965dd859afcd5ae7f15fdd852fb22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 May 2025 18:41:31 +0800
+Subject: crypto: marvell/cesa - Handle zero-length skcipher requests
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 8a4e047c6cc07676f637608a9dd675349b5de0a7 ]
+
+Do not access random memory for zero-length skcipher requests.
+Just return 0.
+
+Fixes: f63601fd616a ("crypto: marvell/cesa - add a new driver for Marvell's CESA")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/marvell/cesa/cipher.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/crypto/marvell/cesa/cipher.c b/drivers/crypto/marvell/cesa/cipher.c
+index 0f37dfd42d850..3876e3ce822f4 100644
+--- a/drivers/crypto/marvell/cesa/cipher.c
++++ b/drivers/crypto/marvell/cesa/cipher.c
+@@ -459,6 +459,9 @@ static int mv_cesa_skcipher_queue_req(struct skcipher_request *req,
+ struct mv_cesa_skcipher_req *creq = skcipher_request_ctx(req);
+ struct mv_cesa_engine *engine;
+
++ if (!req->cryptlen)
++ return 0;
++
+ ret = mv_cesa_skcipher_req_init(req, tmpl);
+ if (ret)
+ return ret;
+--
+2.39.5
+
--- /dev/null
+From b691b4579b4c1dab0e7c181f0ba4b981d00ddfd8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Apr 2025 15:45:14 +0300
+Subject: crypto: sun8i-ce-cipher - fix error handling in
+ sun8i_ce_cipher_prepare()
+
+From: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
+
+[ Upstream commit f31adc3e356f7350d4a4d68c98d3f60f2f6e26b3 ]
+
+Fix two DMA cleanup issues on the error path in sun8i_ce_cipher_prepare():
+
+1] If dma_map_sg() fails for areq->dst, the device driver would try to free
+ DMA memory it has not allocated in the first place. To fix this, on the
+ "theend_sgs" error path, call dma unmap only if the corresponding dma
+ map was successful.
+
+2] If the dma_map_single() call for the IV fails, the device driver would
+ try to free an invalid DMA memory address on the "theend_iv" path:
+ ------------[ cut here ]------------
+ DMA-API: sun8i-ce 1904000.crypto: device driver tries to free an invalid DMA memory address
+ WARNING: CPU: 2 PID: 69 at kernel/dma/debug.c:968 check_unmap+0x123c/0x1b90
+ Modules linked in: skcipher_example(O+)
+ CPU: 2 UID: 0 PID: 69 Comm: 1904000.crypto- Tainted: G O 6.15.0-rc3+ #24 PREEMPT
+ Tainted: [O]=OOT_MODULE
+ Hardware name: OrangePi Zero2 (DT)
+ pc : check_unmap+0x123c/0x1b90
+ lr : check_unmap+0x123c/0x1b90
+ ...
+ Call trace:
+ check_unmap+0x123c/0x1b90 (P)
+ debug_dma_unmap_page+0xac/0xc0
+ dma_unmap_page_attrs+0x1f4/0x5fc
+ sun8i_ce_cipher_do_one+0x1bd4/0x1f40
+ crypto_pump_work+0x334/0x6e0
+ kthread_worker_fn+0x21c/0x438
+ kthread+0x374/0x664
+ ret_from_fork+0x10/0x20
+ ---[ end trace 0000000000000000 ]---
+
+To fix this, check for !dma_mapping_error() before calling
+dma_unmap_single() on the "theend_iv" path.
+
+Fixes: 06f751b61329 ("crypto: allwinner - Add sun8i-ce Crypto Engine")
+Signed-off-by: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c
+index 74b4e910a38d7..4c6afc7367235 100644
+--- a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c
++++ b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c
+@@ -270,13 +270,16 @@ static int sun8i_ce_cipher_prepare(struct crypto_engine *engine, void *async_req
+ } else {
+ if (nr_sgs > 0)
+ dma_unmap_sg(ce->dev, areq->src, ns, DMA_TO_DEVICE);
+- dma_unmap_sg(ce->dev, areq->dst, nd, DMA_FROM_DEVICE);
++
++ if (nr_sgd > 0)
++ dma_unmap_sg(ce->dev, areq->dst, nd, DMA_FROM_DEVICE);
+ }
+
+ theend_iv:
+ if (areq->iv && ivsize > 0) {
+- if (rctx->addr_iv)
++ if (!dma_mapping_error(ce->dev, rctx->addr_iv))
+ dma_unmap_single(ce->dev, rctx->addr_iv, rctx->ivlen, DMA_TO_DEVICE);
++
+ offset = areq->cryptlen - ivsize;
+ if (rctx->op_dir & CE_DECRYPTION) {
+ memcpy(areq->iv, chan->backup_iv, ivsize);
+--
+2.39.5
+
--- /dev/null
+From ade5461d4f39b74160c23f11a28dcc20957ddea6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 May 2025 15:06:56 +0300
+Subject: crypto: sun8i-ce - move fallback ahash_request to the end of the
+ struct
+
+From: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
+
+[ Upstream commit c822831b426307a6ca426621504d3c7f99765a39 ]
+
+'struct ahash_request' has a flexible array at the end, so it must be the
+last member in a struct, to avoid overwriting other struct members.
+
+Therefore, move 'fallback_req' to the end of the 'sun8i_ce_hash_reqctx'
+struct.
+
+Fixes: 56f6d5aee88d ("crypto: sun8i-ce - support hash algorithms")
+Signed-off-by: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h
+index 8177aaba44349..a1658722d886d 100644
+--- a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h
++++ b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h
+@@ -297,8 +297,8 @@ struct sun8i_ce_hash_tfm_ctx {
+ * @flow: the flow to use for this request
+ */
+ struct sun8i_ce_hash_reqctx {
+- struct ahash_request fallback_req;
+ int flow;
++ struct ahash_request fallback_req; // keep at the end
+ };
+
+ /*
+--
+2.39.5
+
--- /dev/null
+From 5bd0735cf24806903abae77bab65678d80f775ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 27 Apr 2025 13:12:36 +0200
+Subject: crypto: sun8i-ss - do not use sg_dma_len before calling DMA functions
+
+From: Corentin Labbe <clabbe.montjoie@gmail.com>
+
+[ Upstream commit 2dfc7cd74a5e062a5405560447517e7aab1c7341 ]
+
+When testing sun8i-ss with multi_v7_defconfig, all CBC algorithm fail crypto
+selftests.
+This is strange since on sunxi_defconfig, everything was ok.
+The problem was in the IV setup loop which never run because sg_dma_len
+was 0.
+
+Fixes: 359e893e8af4 ("crypto: sun8i-ss - rework handling of IV")
+Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c b/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c
+index e97fb203690ae..5a864a71efa11 100644
+--- a/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c
++++ b/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c
+@@ -136,7 +136,7 @@ static int sun8i_ss_setup_ivs(struct skcipher_request *areq)
+
+ /* we need to copy all IVs from source in case DMA is bi-directionnal */
+ while (sg && len) {
+- if (sg_dma_len(sg) == 0) {
++ if (sg->length == 0) {
+ sg = sg_next(sg);
+ continue;
+ }
+--
+2.39.5
+
--- /dev/null
+From 8238a306da49167e9453f2259d2e3e7371bfd93d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 May 2025 16:34:04 +0800
+Subject: crypto: xts - Only add ecb if it is not already there
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 270b6f13454cb7f2f7058c50df64df409c5dcf55 ]
+
+Only add ecb to the cipher name if it isn't already ecb.
+
+Also use memcmp instead of strncmp since these strings are all
+stored in an array of length CRYPTO_MAX_ALG_NAME.
+
+Fixes: f1c131b45410 ("crypto: xts - Convert to skcipher")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/xts.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/xts.c b/crypto/xts.c
+index b05020657cdc8..1972f40333f04 100644
+--- a/crypto/xts.c
++++ b/crypto/xts.c
+@@ -361,7 +361,7 @@ static int xts_create(struct crypto_template *tmpl, struct rtattr **tb)
+
+ err = crypto_grab_skcipher(&ctx->spawn, skcipher_crypto_instance(inst),
+ cipher_name, 0, mask);
+- if (err == -ENOENT) {
++ if (err == -ENOENT && memcmp(cipher_name, "ecb(", 4)) {
+ err = -ENAMETOOLONG;
+ if (snprintf(ctx->name, CRYPTO_MAX_ALG_NAME, "ecb(%s)",
+ cipher_name) >= CRYPTO_MAX_ALG_NAME)
+@@ -395,7 +395,7 @@ static int xts_create(struct crypto_template *tmpl, struct rtattr **tb)
+ /* Alas we screwed up the naming so we have to mangle the
+ * cipher name.
+ */
+- if (!strncmp(cipher_name, "ecb(", 4)) {
++ if (!memcmp(cipher_name, "ecb(", 4)) {
+ int len;
+
+ len = strscpy(ctx->name, cipher_name + 4, sizeof(ctx->name));
+--
+2.39.5
+
--- /dev/null
+From 00607c37e4feb0c273be694ea39832197fc7fde0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Apr 2025 15:49:38 -0400
+Subject: dm: don't change md if dm_table_set_restrictions() fails
+
+From: Benjamin Marzinski <bmarzins@redhat.com>
+
+[ Upstream commit 9eb7109a5bfc5b8226e9517e9f3cc6d414391884 ]
+
+__bind was changing the disk capacity, geometry and mempools of the
+mapped device before calling dm_table_set_restrictions() which could
+fail, forcing dm to drop the new table. Failing here would leave the
+device using the old table but with the wrong capacity and mempools.
+
+Move dm_table_set_restrictions() earlier in __bind(). Since it needs the
+capacity to be set, save the old version and restore it on failure.
+
+Fixes: bb37d77239af2 ("dm: introduce zone append emulation")
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Tested-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com>
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm.c | 22 ++++++++++++----------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/md/dm.c b/drivers/md/dm.c
+index 4767265793de7..2b8fe98c515ed 100644
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -2165,21 +2165,29 @@ static struct dm_table *__bind(struct mapped_device *md, struct dm_table *t,
+ struct queue_limits *limits)
+ {
+ struct dm_table *old_map;
+- sector_t size;
++ sector_t size, old_size;
+ int ret;
+
+ lockdep_assert_held(&md->suspend_lock);
+
+ size = dm_table_get_size(t);
+
++ old_size = dm_get_size(md);
++ set_capacity(md->disk, size);
++
++ ret = dm_table_set_restrictions(t, md->queue, limits);
++ if (ret) {
++ set_capacity(md->disk, old_size);
++ old_map = ERR_PTR(ret);
++ goto out;
++ }
++
+ /*
+ * Wipe any geometry if the size of the table changed.
+ */
+- if (size != dm_get_size(md))
++ if (size != old_size)
+ memset(&md->geometry, 0, sizeof(md->geometry));
+
+- set_capacity(md->disk, size);
+-
+ dm_table_event_callback(t, event_callback, md);
+
+ if (dm_table_request_based(t)) {
+@@ -2212,12 +2220,6 @@ static struct dm_table *__bind(struct mapped_device *md, struct dm_table *t,
+ t->mempools = NULL;
+ }
+
+- ret = dm_table_set_restrictions(t, md->queue, limits);
+- if (ret) {
+- old_map = ERR_PTR(ret);
+- goto out;
+- }
+-
+ old_map = rcu_dereference_protected(md->map, lockdep_is_held(&md->suspend_lock));
+ rcu_assign_pointer(md->map, (void *)t);
+ md->immutable_target_type = dm_table_get_immutable_target_type(t);
+--
+2.39.5
+
--- /dev/null
+From 6f4ee438ba31634a0a07b79b52be9f8dde6f9180 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Apr 2025 15:49:39 -0400
+Subject: dm: free table mempools if not used in __bind
+
+From: Benjamin Marzinski <bmarzins@redhat.com>
+
+[ Upstream commit e8819e7f03470c5b468720630d9e4e1d5b99159e ]
+
+With request-based dm, the mempools don't need reloading when switching
+tables, but the unused table mempools are not freed until the active
+table is finally freed. Free them immediately if they are not needed.
+
+Fixes: 29dec90a0f1d9 ("dm: fix bio_set allocation")
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Tested-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com>
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/md/dm.c b/drivers/md/dm.c
+index 2b8fe98c515ed..cf7520551b63b 100644
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -2205,10 +2205,10 @@ static struct dm_table *__bind(struct mapped_device *md, struct dm_table *t,
+ * requests in the queue may refer to bio from the old bioset,
+ * so you must walk through the queue to unprep.
+ */
+- if (!md->mempools) {
++ if (!md->mempools)
+ md->mempools = t->mempools;
+- t->mempools = NULL;
+- }
++ else
++ dm_free_md_mempools(t->mempools);
+ } else {
+ /*
+ * The md may already have mempools that need changing.
+@@ -2217,8 +2217,8 @@ static struct dm_table *__bind(struct mapped_device *md, struct dm_table *t,
+ */
+ dm_free_md_mempools(md->mempools);
+ md->mempools = t->mempools;
+- t->mempools = NULL;
+ }
++ t->mempools = NULL;
+
+ old_map = rcu_dereference_protected(md->map, lockdep_is_held(&md->suspend_lock));
+ rcu_assign_pointer(md->map, (void *)t);
+--
+2.39.5
+
--- /dev/null
+From 06cdf8861cc6b2a2700e6e9a2c818fdf6bdae81e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Apr 2025 10:39:00 +0800
+Subject: dmaengine: ti: Add NULL check in udma_probe()
+
+From: Henry Martin <bsdhenrymartin@gmail.com>
+
+[ Upstream commit fd447415e74bccd7362f760d4ea727f8e1ebfe91 ]
+
+devm_kasprintf() returns NULL when memory allocation fails. Currently,
+udma_probe() does not check for this case, which results in a NULL
+pointer dereference.
+
+Add NULL check after devm_kasprintf() to prevent this issue.
+
+Fixes: 25dcb5dd7b7c ("dmaengine: ti: New driver for K3 UDMA")
+Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
+Reviewed-by: Nathan Lynch <nathan.lynch@amd.com>
+Acked-by: Peter Ujfalusi <peter.ujfalusi@gmail.com>
+Link: https://lore.kernel.org/r/20250402023900.43440-1-bsdhenrymartin@gmail.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/ti/k3-udma.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/dma/ti/k3-udma.c b/drivers/dma/ti/k3-udma.c
+index edad538928dd7..1d12dc141070a 100644
+--- a/drivers/dma/ti/k3-udma.c
++++ b/drivers/dma/ti/k3-udma.c
+@@ -5490,7 +5490,8 @@ static int udma_probe(struct platform_device *pdev)
+ uc->config.dir = DMA_MEM_TO_MEM;
+ uc->name = devm_kasprintf(dev, GFP_KERNEL, "%s chan%d",
+ dev_name(dev), i);
+-
++ if (!uc->name)
++ return -ENOMEM;
+ vchan_init(&uc->vc, &ud->ddev);
+ /* Use custom vchan completion handling */
+ tasklet_setup(&uc->vc.task, udma_vchan_complete);
+--
+2.39.5
+
--- /dev/null
+From 0f51684694d37ba03ea09665d44787057ae3e861 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Jun 2025 12:27:08 -0400
+Subject: do_change_type(): refuse to operate on unmounted/not ours mounts
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit 12f147ddd6de7382dad54812e65f3f08d05809fc ]
+
+Ensure that propagation settings can only be changed for mounts located
+in the caller's mount namespace. This change aligns permission checking
+with the rest of mount(2).
+
+Reviewed-by: Christian Brauner <brauner@kernel.org>
+Fixes: 07b20889e305 ("beginning of the shared-subtree proper")
+Reported-by: "Orlando, Noah" <Noah.Orlando@deshaw.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/namespace.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/namespace.c b/fs/namespace.c
+index 65aa3495db6a1..aae1a77ac2d3f 100644
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -2371,6 +2371,10 @@ static int do_change_type(struct path *path, int ms_flags)
+ return -EINVAL;
+
+ namespace_lock();
++ if (!check_mnt(mnt)) {
++ err = -EINVAL;
++ goto out_unlock;
++ }
+ if (type == MS_SHARED) {
+ err = invent_group_ids(mnt, recurse);
+ if (err)
+--
+2.39.5
+
--- /dev/null
+From 163b7425e39e6e0f42c31a3871efc2a0dc555aa7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 May 2025 15:53:51 +0800
+Subject: driver: net: ethernet: mtk_star_emac: fix suspend/resume issue
+
+From: Yanqing Wang <ot_yanqing.wang@mediatek.com>
+
+[ Upstream commit ba99c627aac85bc746fb4a6e2d79edb3ad100326 ]
+
+Identify the cause of the suspend/resume hang: netif_carrier_off()
+is called during link state changes and becomes stuck while
+executing linkwatch_work().
+
+To resolve this issue, call netif_device_detach() during the Ethernet
+suspend process to temporarily detach the network device from the
+kernel and prevent the suspend/resume hang.
+
+Fixes: 8c7bd5a454ff ("net: ethernet: mtk-star-emac: new driver")
+Signed-off-by: Yanqing Wang <ot_yanqing.wang@mediatek.com>
+Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com>
+Signed-off-by: Biao Huang <biao.huang@mediatek.com>
+Link: https://patch.msgid.link/20250528075351.593068-1-macpaul.lin@mediatek.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mediatek/mtk_star_emac.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/mediatek/mtk_star_emac.c b/drivers/net/ethernet/mediatek/mtk_star_emac.c
+index c42e9f741f959..a631491a19da1 100644
+--- a/drivers/net/ethernet/mediatek/mtk_star_emac.c
++++ b/drivers/net/ethernet/mediatek/mtk_star_emac.c
+@@ -1475,6 +1475,8 @@ static __maybe_unused int mtk_star_suspend(struct device *dev)
+ if (netif_running(ndev))
+ mtk_star_disable(ndev);
+
++ netif_device_detach(ndev);
++
+ clk_bulk_disable_unprepare(MTK_STAR_NCLKS, priv->clks);
+
+ return 0;
+@@ -1499,6 +1501,8 @@ static __maybe_unused int mtk_star_resume(struct device *dev)
+ clk_bulk_disable_unprepare(MTK_STAR_NCLKS, priv->clks);
+ }
+
++ netif_device_attach(ndev);
++
+ return ret;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 865aafe682fe208b8de671a7c195ed6c6155a2ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Mar 2025 12:04:35 +0800
+Subject: drm/amd/pp: Fix potential NULL pointer dereference in
+ atomctrl_initialize_mc_reg_table
+
+From: Charles Han <hanchunchao@inspur.com>
+
+[ Upstream commit 820116a39f96bdc7d426c33a804b52f53700a919 ]
+
+The function atomctrl_initialize_mc_reg_table() and
+atomctrl_initialize_mc_reg_table_v2_2() does not check the return
+value of smu_atom_get_data_table(). If smu_atom_get_data_table()
+fails to retrieve vram_info, it returns NULL which is later
+dereferenced.
+
+Fixes: b3892e2bb519 ("drm/amd/pp: Use atombios api directly in powerplay (v2)")
+Fixes: 5f92b48cf62c ("drm/amd/pm: add mc register table initialization")
+Signed-off-by: Charles Han <hanchunchao@inspur.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c
+index 1fbd23922082a..7e37354a03411 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c
+@@ -144,6 +144,10 @@ int atomctrl_initialize_mc_reg_table(
+ vram_info = (ATOM_VRAM_INFO_HEADER_V2_1 *)
+ smu_atom_get_data_table(hwmgr->adev,
+ GetIndexIntoMasterTable(DATA, VRAM_Info), &size, &frev, &crev);
++ if (!vram_info) {
++ pr_err("Could not retrieve the VramInfo table!");
++ return -EINVAL;
++ }
+
+ if (module_index >= vram_info->ucNumOfVRAMModule) {
+ pr_err("Invalid VramInfo table.");
+@@ -181,6 +185,10 @@ int atomctrl_initialize_mc_reg_table_v2_2(
+ vram_info = (ATOM_VRAM_INFO_HEADER_V2_2 *)
+ smu_atom_get_data_table(hwmgr->adev,
+ GetIndexIntoMasterTable(DATA, VRAM_Info), &size, &frev, &crev);
++ if (!vram_info) {
++ pr_err("Could not retrieve the VramInfo table!");
++ return -EINVAL;
++ }
+
+ if (module_index >= vram_info->ucNumOfVRAMModule) {
+ pr_err("Invalid VramInfo table.");
+--
+2.39.5
+
--- /dev/null
+From 256cd40e8a0eea682b75223a5cf53129bebef3d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Apr 2025 08:48:16 +0200
+Subject: drm/bridge: lt9611uxc: Fix an error handling path in
+ lt9611uxc_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit b848cd418aebdb313364b4843f41fae82281a823 ]
+
+If lt9611uxc_audio_init() fails, some resources still need to be released
+before returning the error code.
+
+Use the existing error handling path.
+
+Fixes: 0cbbd5b1a012 ("drm: bridge: add support for lontium LT9611UXC bridge")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/f167608e392c6b4d7d7f6e45e3c21878feb60cbd.1744958833.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/lontium-lt9611uxc.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/bridge/lontium-lt9611uxc.c b/drivers/gpu/drm/bridge/lontium-lt9611uxc.c
+index cb75da940b890..e9162125382f5 100644
+--- a/drivers/gpu/drm/bridge/lontium-lt9611uxc.c
++++ b/drivers/gpu/drm/bridge/lontium-lt9611uxc.c
+@@ -961,7 +961,11 @@ static int lt9611uxc_probe(struct i2c_client *client,
+ }
+ }
+
+- return lt9611uxc_audio_init(dev, lt9611uxc);
++ ret = lt9611uxc_audio_init(dev, lt9611uxc);
++ if (ret)
++ goto err_remove_bridge;
++
++ return 0;
+
+ err_remove_bridge:
+ free_irq(client->irq, lt9611uxc);
+--
+2.39.5
+
--- /dev/null
+From dcfce079b17685ee19fac5915c672d6283c196db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Nov 2023 12:24:24 +0000
+Subject: drm: rcar-du: Fix memory leak in rcar_du_vsps_init()
+
+From: Biju Das <biju.das.jz@bp.renesas.com>
+
+[ Upstream commit 91e3bf09a90bb4340c0c3c51396e7531555efda4 ]
+
+The rcar_du_vsps_init() doesn't free the np allocated by
+of_parse_phandle_with_fixed_args() for the non-error case.
+
+Fix memory leak for the non-error case.
+
+While at it, replace the label 'error'->'done' as it applies to non-error
+case as well and update the error check condition for rcar_du_vsp_init()
+to avoid breakage in future, if it returns positive value.
+
+Fixes: 3e81374e2014 ("drm: rcar-du: Support multiple sources from the same VSP")
+Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Link: https://lore.kernel.org/r/20231116122424.80136-1-biju.das.jz@bp.renesas.com
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen+renesas@ideasonboard.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/rcar-du/rcar_du_kms.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/rcar-du/rcar_du_kms.c b/drivers/gpu/drm/rcar-du/rcar_du_kms.c
+index 8c2719efda2a2..b64f62ad8dbd7 100644
+--- a/drivers/gpu/drm/rcar-du/rcar_du_kms.c
++++ b/drivers/gpu/drm/rcar-du/rcar_du_kms.c
+@@ -673,7 +673,7 @@ static int rcar_du_vsps_init(struct rcar_du_device *rcdu)
+ ret = of_parse_phandle_with_fixed_args(np, vsps_prop_name,
+ cells, i, &args);
+ if (ret < 0)
+- goto error;
++ goto done;
+
+ /*
+ * Add the VSP to the list or update the corresponding existing
+@@ -711,13 +711,11 @@ static int rcar_du_vsps_init(struct rcar_du_device *rcdu)
+ vsp->dev = rcdu;
+
+ ret = rcar_du_vsp_init(vsp, vsps[i].np, vsps[i].crtcs_mask);
+- if (ret < 0)
+- goto error;
++ if (ret)
++ goto done;
+ }
+
+- return 0;
+-
+-error:
++done:
+ for (i = 0; i < ARRAY_SIZE(vsps); ++i)
+ of_node_put(vsps[i].np);
+
+--
+2.39.5
+
--- /dev/null
+From 276083d8091b049f27bbce3e81b6f8f0e61eb7fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Feb 2025 11:21:35 +0000
+Subject: drm/tegra: rgb: Fix the unbound reference count
+
+From: Biju Das <biju.das.jz@bp.renesas.com>
+
+[ Upstream commit 3c3642335065c3bde0742b0edc505b6ea8fdc2b3 ]
+
+The of_get_child_by_name() increments the refcount in tegra_dc_rgb_probe,
+but the driver does not decrement the refcount during unbind. Fix the
+unbound reference count using devm_add_action_or_reset() helper.
+
+Fixes: d8f4a9eda006 ("drm: Add NVIDIA Tegra20 support")
+Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Link: https://lore.kernel.org/r/20250205112137.36055-1-biju.das.jz@bp.renesas.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/tegra/rgb.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/tegra/rgb.c b/drivers/gpu/drm/tegra/rgb.c
+index 86e55e5d12b39..20ac30673ed53 100644
+--- a/drivers/gpu/drm/tegra/rgb.c
++++ b/drivers/gpu/drm/tegra/rgb.c
+@@ -189,6 +189,11 @@ static const struct drm_encoder_helper_funcs tegra_rgb_encoder_helper_funcs = {
+ .atomic_check = tegra_rgb_encoder_atomic_check,
+ };
+
++static void tegra_dc_of_node_put(void *data)
++{
++ of_node_put(data);
++}
++
+ int tegra_dc_rgb_probe(struct tegra_dc *dc)
+ {
+ struct device_node *np;
+@@ -196,7 +201,14 @@ int tegra_dc_rgb_probe(struct tegra_dc *dc)
+ int err;
+
+ np = of_get_child_by_name(dc->dev->of_node, "rgb");
+- if (!np || !of_device_is_available(np))
++ if (!np)
++ return -ENODEV;
++
++ err = devm_add_action_or_reset(dc->dev, tegra_dc_of_node_put, np);
++ if (err < 0)
++ return err;
++
++ if (!of_device_is_available(np))
+ return -ENODEV;
+
+ rgb = devm_kzalloc(dc->dev, sizeof(*rgb), GFP_KERNEL);
+--
+2.39.5
+
--- /dev/null
+From b6429dbd9cb2ef449ebdcdf3b8115becc3c5e798 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Apr 2025 23:14:32 -0700
+Subject: drm/vkms: Adjust vkms_state->active_planes allocation type
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit 258aebf100540d36aba910f545d4d5ddf4ecaf0b ]
+
+In preparation for making the kmalloc family of allocators type aware,
+we need to make sure that the returned type from the allocation matches
+the type of the variable being assigned. (Before, the allocator would
+always return "void *", which can be implicitly cast to any pointer type.)
+
+The assigned type is "struct vkms_plane_state **", but the returned type
+will be "struct drm_plane **". These are the same size (pointer size), but
+the types don't match. Adjust the allocation type to match the assignment.
+
+Signed-off-by: Kees Cook <kees@kernel.org>
+Reviewed-by: Louis Chauvet <louis.chauvet@bootlin.com>
+Fixes: 8b1865873651 ("drm/vkms: totally reworked crc data tracking")
+Link: https://lore.kernel.org/r/20250426061431.work.304-kees@kernel.org
+Signed-off-by: Louis Chauvet <contact@louischauvet.fr>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vkms/vkms_crtc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/vkms/vkms_crtc.c b/drivers/gpu/drm/vkms/vkms_crtc.c
+index 57bbd32e9bebb..de8c2d5cc89c0 100644
+--- a/drivers/gpu/drm/vkms/vkms_crtc.c
++++ b/drivers/gpu/drm/vkms/vkms_crtc.c
+@@ -202,7 +202,7 @@ static int vkms_crtc_atomic_check(struct drm_crtc *crtc,
+ i++;
+ }
+
+- vkms_state->active_planes = kcalloc(i, sizeof(plane), GFP_KERNEL);
++ vkms_state->active_planes = kcalloc(i, sizeof(*vkms_state->active_planes), GFP_KERNEL);
+ if (!vkms_state->active_planes)
+ return -ENOMEM;
+ vkms_state->num_active_planes = i;
+--
+2.39.5
+
--- /dev/null
+From 0ea4cfda0bcf7584f6cde304b764981e4f05986b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Feb 2025 14:06:33 -0600
+Subject: drm/vmwgfx: Add seqno waiter for sync_files
+
+From: Ian Forbes <ian.forbes@broadcom.com>
+
+[ Upstream commit 0039a3b35b10d9c15d3d26320532ab56cc566750 ]
+
+Because sync_files are passive waiters they do not participate in
+the processing of fences like the traditional vmw_fence_wait IOCTL.
+If userspace exclusively uses sync_files for synchronization then
+nothing in the kernel actually processes fence updates as interrupts
+for fences are masked and ignored if the kernel does not indicate to the
+SVGA device that there are active waiters.
+
+This oversight results in a bug where the entire GUI can freeze waiting
+on a sync_file that will never be signalled as we've masked the interrupts
+to signal its completion. This bug is incredibly racy as any process which
+interacts with the fencing code via the 3D stack can process the stuck
+fences on behalf of the stuck process causing it to run again. Even a
+simple app like eglinfo is enough to resume the stuck process. Usually
+this bug is seen at a login screen like GDM because there are no other
+3D apps running.
+
+By adding a seqno waiter we re-enable interrupt based processing of the
+dma_fences associated with the sync_file which is signalled as part of a
+dma_fence_callback.
+
+This has likely been broken since it was initially added to the kernel in
+2017 but has gone unnoticed until mutter recently started using sync_files
+heavily over the course of 2024 as part of their explicit sync support.
+
+Fixes: c906965dee22 ("drm/vmwgfx: Add export fence to file descriptor support")
+Signed-off-by: Ian Forbes <ian.forbes@broadcom.com>
+Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20250228200633.642417-1-ian.forbes@broadcom.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 26 +++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+index 2f7ac91149fc0..0d12d6af67c09 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+@@ -4077,6 +4077,23 @@ static int vmw_execbuf_tie_context(struct vmw_private *dev_priv,
+ return 0;
+ }
+
++/*
++ * DMA fence callback to remove a seqno_waiter
++ */
++struct seqno_waiter_rm_context {
++ struct dma_fence_cb base;
++ struct vmw_private *dev_priv;
++};
++
++static void seqno_waiter_rm_cb(struct dma_fence *f, struct dma_fence_cb *cb)
++{
++ struct seqno_waiter_rm_context *ctx =
++ container_of(cb, struct seqno_waiter_rm_context, base);
++
++ vmw_seqno_waiter_remove(ctx->dev_priv);
++ kfree(ctx);
++}
++
+ int vmw_execbuf_process(struct drm_file *file_priv,
+ struct vmw_private *dev_priv,
+ void __user *user_commands, void *kernel_commands,
+@@ -4257,6 +4274,15 @@ int vmw_execbuf_process(struct drm_file *file_priv,
+ } else {
+ /* Link the fence with the FD created earlier */
+ fd_install(out_fence_fd, sync_file->file);
++ struct seqno_waiter_rm_context *ctx =
++ kmalloc(sizeof(*ctx), GFP_KERNEL);
++ ctx->dev_priv = dev_priv;
++ vmw_seqno_waiter_add(dev_priv);
++ if (dma_fence_add_callback(&fence->base, &ctx->base,
++ seqno_waiter_rm_cb) < 0) {
++ vmw_seqno_waiter_remove(dev_priv);
++ kfree(ctx);
++ }
+ }
+ }
+
+--
+2.39.5
+
--- /dev/null
+From d849bba706f4aba1ad3c2acc67b35c6bb9f0743e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 May 2025 17:47:27 +0100
+Subject: dt-bindings: vendor-prefixes: Add Liontron name
+
+From: Andre Przywara <andre.przywara@arm.com>
+
+[ Upstream commit 9baa27a2e9fc746143ab686b6dbe2d515284a4c5 ]
+
+Liontron is a company based in Shenzen, China, making industrial
+development boards and embedded computers, mostly using Rockchip and
+Allwinner SoCs.
+
+Add their name to the list of vendors.
+
+Signed-off-by: Andre Przywara <andre.przywara@arm.com>
+Acked-by: Rob Herring (Arm) <robh@kernel.org>
+Link: https://patch.msgid.link/20250505164729.18175-2-andre.przywara@arm.com
+Signed-off-by: Chen-Yu Tsai <wens@csie.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/devicetree/bindings/vendor-prefixes.yaml | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/Documentation/devicetree/bindings/vendor-prefixes.yaml b/Documentation/devicetree/bindings/vendor-prefixes.yaml
+index 77e9413cdee07..f955db429f55a 100644
+--- a/Documentation/devicetree/bindings/vendor-prefixes.yaml
++++ b/Documentation/devicetree/bindings/vendor-prefixes.yaml
+@@ -725,6 +725,8 @@ patternProperties:
+ description: Linux-specific binding
+ "^linx,.*":
+ description: Linx Technologies
++ "^liontron,.*":
++ description: Shenzhen Liontron Technology Co., Ltd
+ "^liteon,.*":
+ description: LITE-ON Technology Corp.
+ "^litex,.*":
+--
+2.39.5
+
--- /dev/null
+From d1db366b7a118b9817c1be28d9b2666ae2947036 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Apr 2025 23:07:18 +0800
+Subject: EDAC/skx_common: Fix general protection fault
+
+From: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+
+[ Upstream commit 20d2d476b3ae18041be423671a8637ed5ffd6958 ]
+
+After loading i10nm_edac (which automatically loads skx_edac_common), if
+unload only i10nm_edac, then reload it and perform error injection testing,
+a general protection fault may occur:
+
+ mce: [Hardware Error]: Machine check events logged
+ Oops: general protection fault ...
+ ...
+ Workqueue: events mce_gen_pool_process
+ RIP: 0010:string+0x53/0xe0
+ ...
+ Call Trace:
+ <TASK>
+ ? die_addr+0x37/0x90
+ ? exc_general_protection+0x1e7/0x3f0
+ ? asm_exc_general_protection+0x26/0x30
+ ? string+0x53/0xe0
+ vsnprintf+0x23e/0x4c0
+ snprintf+0x4d/0x70
+ skx_adxl_decode+0x16a/0x330 [skx_edac_common]
+ skx_mce_check_error.part.0+0xf8/0x220 [skx_edac_common]
+ skx_mce_check_error+0x17/0x20 [skx_edac_common]
+ ...
+
+The issue arose was because the variable 'adxl_component_count' (inside
+skx_edac_common), which counts the ADXL components, was not reset. During
+the reloading of i10nm_edac, the count was incremented by the actual number
+of ADXL components again, resulting in a count that was double the real
+number of ADXL components. This led to an out-of-bounds reference to the
+ADXL component array, causing the general protection fault above.
+
+Fix this issue by resetting the 'adxl_component_count' in adxl_put(),
+which is called during the unloading of {skx,i10nm}_edac.
+
+Fixes: 123b15863550 ("EDAC, i10nm: make skx_common.o a separate module")
+Reported-by: Feng Xu <feng.f.xu@intel.com>
+Signed-off-by: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Tested-by: Feng Xu <feng.f.xu@intel.com>
+Link: https://lore.kernel.org/r/20250417150724.1170168-2-qiuxu.zhuo@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/skx_common.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/edac/skx_common.c b/drivers/edac/skx_common.c
+index e218909f9f9e8..c11870ac1b3c7 100644
+--- a/drivers/edac/skx_common.c
++++ b/drivers/edac/skx_common.c
+@@ -114,6 +114,7 @@ EXPORT_SYMBOL_GPL(skx_adxl_get);
+
+ void skx_adxl_put(void)
+ {
++ adxl_component_count = 0;
+ kfree(adxl_values);
+ kfree(adxl_msg);
+ }
+--
+2.39.5
+
--- /dev/null
+From f828d41ebabf578d52cfb9026e83918af0ac19ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 May 2025 00:31:11 +0800
+Subject: efi/libstub: Describe missing 'out' parameter in efi_load_initrd
+
+From: Hans Zhang <18255117159@163.com>
+
+[ Upstream commit c8e1927e7f7d63721e32ec41d27ccb0eb1a1b0fc ]
+
+The function efi_load_initrd() had a documentation warning due to
+the missing description for the 'out' parameter. Add the parameter
+description to the kernel-doc comment to resolve the warning and
+improve API documentation.
+
+Fixes the following compiler warning:
+drivers/firmware/efi/libstub/efi-stub-helper.c:611: warning: Function parameter or struct member 'out' not described in 'efi_load_initrd'
+
+Fixes: f4dc7fffa987 ("efi: libstub: unify initrd loading between architectures")
+Signed-off-by: Hans Zhang <18255117159@163.com>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/libstub/efi-stub-helper.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/firmware/efi/libstub/efi-stub-helper.c b/drivers/firmware/efi/libstub/efi-stub-helper.c
+index 97744822dd951..587ba946ba9d8 100644
+--- a/drivers/firmware/efi/libstub/efi-stub-helper.c
++++ b/drivers/firmware/efi/libstub/efi-stub-helper.c
+@@ -697,6 +697,7 @@ efi_status_t efi_load_initrd_cmdline(efi_loaded_image_t *image,
+ * @image: EFI loaded image protocol
+ * @soft_limit: preferred address for loading the initrd
+ * @hard_limit: upper limit address for loading the initrd
++ * @out: pointer to store the address of the initrd table
+ *
+ * Return: status code
+ */
+--
+2.39.5
+
--- /dev/null
+From b68a2e34876597e12f15426a5cd8fc7bf256ddef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Apr 2025 18:52:36 +0800
+Subject: f2fs: clean up w/ fscrypt_is_bounce_page()
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 0c708e35cf26449ca317fcbfc274704660b6d269 ]
+
+Just cleanup, no logic changes.
+
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/data.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
+index 0b0e3d44e158e..2ae682f8d0c8e 100644
+--- a/fs/f2fs/data.c
++++ b/fs/f2fs/data.c
+@@ -56,7 +56,7 @@ bool f2fs_is_cp_guaranteed(struct page *page)
+ struct inode *inode;
+ struct f2fs_sb_info *sbi;
+
+- if (!mapping)
++ if (fscrypt_is_bounce_page(page))
+ return false;
+
+ inode = mapping->host;
+--
+2.39.5
+
--- /dev/null
+From e441f0e094c81ce8a651c6ebe5b29df46616802b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 May 2025 16:45:49 +0800
+Subject: f2fs: fix to correct check conditions in f2fs_cross_rename
+
+From: Zhiguo Niu <zhiguo.niu@unisoc.com>
+
+[ Upstream commit 9883494c45a13dc88d27dde4f988c04823b42a2f ]
+
+Should be "old_dir" here.
+
+Fixes: 5c57132eaf52 ("f2fs: support project quota")
+Signed-off-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/namei.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c
+index 77fa3c639ba38..7bfa3249d9cc1 100644
+--- a/fs/f2fs/namei.c
++++ b/fs/f2fs/namei.c
+@@ -1086,7 +1086,7 @@ static int f2fs_cross_rename(struct inode *old_dir, struct dentry *old_dentry,
+ if ((is_inode_flag_set(new_dir, FI_PROJ_INHERIT) &&
+ !projid_eq(F2FS_I(new_dir)->i_projid,
+ F2FS_I(old_inode)->i_projid)) ||
+- (is_inode_flag_set(new_dir, FI_PROJ_INHERIT) &&
++ (is_inode_flag_set(old_dir, FI_PROJ_INHERIT) &&
+ !projid_eq(F2FS_I(old_dir)->i_projid,
+ F2FS_I(new_inode)->i_projid)))
+ return -EXDEV;
+--
+2.39.5
+
--- /dev/null
+From 0591197ec0465bf6f81a8f570b028c5497166058 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Apr 2025 18:52:37 +0800
+Subject: f2fs: fix to detect gcing page in f2fs_is_cp_guaranteed()
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit aa1be8dd64163eca4dde7fd2557eb19927a06a47 ]
+
+Jan Prusakowski reported a f2fs bug as below:
+
+f2fs/007 will hang kernel during testing w/ below configs:
+
+kernel 6.12.18 (from pixel-kernel/android16-6.12)
+export MKFS_OPTIONS="-O encrypt -O extra_attr -O project_quota -O quota"
+export F2FS_MOUNT_OPTIONS="test_dummy_encryption,discard,fsync_mode=nobarrier,reserve_root=32768,checkpoint_merge,atgc"
+
+cat /proc/<umount_proc_id>/stack
+f2fs_wait_on_all_pages+0xa3/0x130
+do_checkpoint+0x40c/0x5d0
+f2fs_write_checkpoint+0x258/0x550
+kill_f2fs_super+0x14f/0x190
+deactivate_locked_super+0x30/0xb0
+cleanup_mnt+0xba/0x150
+task_work_run+0x59/0xa0
+syscall_exit_to_user_mode+0x12d/0x130
+do_syscall_64+0x57/0x110
+entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+cat /sys/kernel/debug/f2fs/status
+
+ - IO_W (CP: -256, Data: 256, Flush: ( 0 0 1), Discard: ( 0 0)) cmd: 0 undiscard: 0
+
+CP IOs reference count becomes negative.
+
+The root cause is:
+
+After 4961acdd65c9 ("f2fs: fix to tag gcing flag on page during block
+migration"), we will tag page w/ gcing flag for raw page of cluster
+during its migration.
+
+However, if the inode is both encrypted and compressed, during
+ioc_decompress(), it will tag page w/ gcing flag, and it increase
+F2FS_WB_DATA reference count:
+- f2fs_write_multi_page
+ - f2fs_write_raw_page
+ - f2fs_write_single_page
+ - do_write_page
+ - f2fs_submit_page_write
+ - WB_DATA_TYPE(bio_page, fio->compressed_page)
+ : bio_page is encrypted, so mapping is NULL, and fio->compressed_page
+ is NULL, it returns F2FS_WB_DATA
+ - inc_page_count(.., F2FS_WB_DATA)
+
+Then, during end_io(), it decrease F2FS_WB_CP_DATA reference count:
+- f2fs_write_end_io
+ - f2fs_compress_write_end_io
+ - fscrypt_pagecache_folio
+ : get raw page from encrypted page
+ - WB_DATA_TYPE(&folio->page, false)
+ : raw page has gcing flag, it returns F2FS_WB_CP_DATA
+ - dec_page_count(.., F2FS_WB_CP_DATA)
+
+In order to fix this issue, we need to detect gcing flag in raw page
+in f2fs_is_cp_guaranteed().
+
+Fixes: 4961acdd65c9 ("f2fs: fix to tag gcing flag on page during block migration")
+Reported-by: Jan Prusakowski <jprusakowski@google.com>
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/data.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
+index 2ae682f8d0c8e..7b65766d365f1 100644
+--- a/fs/f2fs/data.c
++++ b/fs/f2fs/data.c
+@@ -57,7 +57,7 @@ bool f2fs_is_cp_guaranteed(struct page *page)
+ struct f2fs_sb_info *sbi;
+
+ if (fscrypt_is_bounce_page(page))
+- return false;
++ return page_private_gcing(fscrypt_pagecache_page(page));
+
+ inode = mapping->host;
+ sbi = F2FS_I_SB(inode);
+--
+2.39.5
+
--- /dev/null
+From cf6186b70c2234f1776a7c7403fe4cbc52009a43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Apr 2025 20:22:08 +0800
+Subject: f2fs: fix to do sanity check on sbi->total_valid_block_count
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 05872a167c2cab80ef186ef23cc34a6776a1a30c ]
+
+syzbot reported a f2fs bug as below:
+
+------------[ cut here ]------------
+kernel BUG at fs/f2fs/f2fs.h:2521!
+RIP: 0010:dec_valid_block_count+0x3b2/0x3c0 fs/f2fs/f2fs.h:2521
+Call Trace:
+ f2fs_truncate_data_blocks_range+0xc8c/0x11a0 fs/f2fs/file.c:695
+ truncate_dnode+0x417/0x740 fs/f2fs/node.c:973
+ truncate_nodes+0x3ec/0xf50 fs/f2fs/node.c:1014
+ f2fs_truncate_inode_blocks+0x8e3/0x1370 fs/f2fs/node.c:1197
+ f2fs_do_truncate_blocks+0x840/0x12b0 fs/f2fs/file.c:810
+ f2fs_truncate_blocks+0x10d/0x300 fs/f2fs/file.c:838
+ f2fs_truncate+0x417/0x720 fs/f2fs/file.c:888
+ f2fs_setattr+0xc4f/0x12f0 fs/f2fs/file.c:1112
+ notify_change+0xbca/0xe90 fs/attr.c:552
+ do_truncate+0x222/0x310 fs/open.c:65
+ handle_truncate fs/namei.c:3466 [inline]
+ do_open fs/namei.c:3849 [inline]
+ path_openat+0x2e4f/0x35d0 fs/namei.c:4004
+ do_filp_open+0x284/0x4e0 fs/namei.c:4031
+ do_sys_openat2+0x12b/0x1d0 fs/open.c:1429
+ do_sys_open fs/open.c:1444 [inline]
+ __do_sys_creat fs/open.c:1522 [inline]
+ __se_sys_creat fs/open.c:1516 [inline]
+ __x64_sys_creat+0x124/0x170 fs/open.c:1516
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/syscall_64.c:94
+
+The reason is: in fuzzed image, sbi->total_valid_block_count is
+inconsistent w/ mapped blocks indexed by inode, so, we should
+not trigger panic for such case, instead, let's print log and
+set fsck flag.
+
+Fixes: 39a53e0ce0df ("f2fs: add superblock and major in-memory structure")
+Reported-by: syzbot+8b376a77b2f364097fbe@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-f2fs-devel/67f3c0b2.050a0220.396535.0547.GAE@google.com
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/f2fs.h | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
+index 840a458554517..ef9149bd398ae 100644
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -2387,8 +2387,14 @@ static inline void dec_valid_block_count(struct f2fs_sb_info *sbi,
+ blkcnt_t sectors = count << F2FS_LOG_SECTORS_PER_BLOCK;
+
+ spin_lock(&sbi->stat_lock);
+- f2fs_bug_on(sbi, sbi->total_valid_block_count < (block_t) count);
+- sbi->total_valid_block_count -= (block_t)count;
++ if (unlikely(sbi->total_valid_block_count < count)) {
++ f2fs_warn(sbi, "Inconsistent total_valid_block_count:%u, ino:%lu, count:%u",
++ sbi->total_valid_block_count, inode->i_ino, count);
++ sbi->total_valid_block_count = 0;
++ set_sbi_flag(sbi, SBI_NEED_FSCK);
++ } else {
++ sbi->total_valid_block_count -= count;
++ }
+ if (sbi->reserved_blocks &&
+ sbi->current_reserved_blocks < sbi->reserved_blocks)
+ sbi->current_reserved_blocks = min(sbi->reserved_blocks,
+--
+2.39.5
+
--- /dev/null
+From c3606485970d50cc71acb6c355431d107f29e491 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 May 2025 16:45:48 +0800
+Subject: f2fs: use d_inode(dentry) cleanup dentry->d_inode
+
+From: Zhiguo Niu <zhiguo.niu@unisoc.com>
+
+[ Upstream commit a6c397a31f58a1d577c2c8d04b624e9baa31951c ]
+
+no logic changes.
+
+Signed-off-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/namei.c | 8 ++++----
+ fs/f2fs/super.c | 4 ++--
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c
+index 9da104c0743c4..77fa3c639ba38 100644
+--- a/fs/f2fs/namei.c
++++ b/fs/f2fs/namei.c
+@@ -401,7 +401,7 @@ static int f2fs_link(struct dentry *old_dentry, struct inode *dir,
+
+ if (is_inode_flag_set(dir, FI_PROJ_INHERIT) &&
+ (!projid_eq(F2FS_I(dir)->i_projid,
+- F2FS_I(old_dentry->d_inode)->i_projid)))
++ F2FS_I(inode)->i_projid)))
+ return -EXDEV;
+
+ err = f2fs_dquot_initialize(dir);
+@@ -896,7 +896,7 @@ static int f2fs_rename(struct user_namespace *mnt_userns, struct inode *old_dir,
+
+ if (is_inode_flag_set(new_dir, FI_PROJ_INHERIT) &&
+ (!projid_eq(F2FS_I(new_dir)->i_projid,
+- F2FS_I(old_dentry->d_inode)->i_projid)))
++ F2FS_I(old_inode)->i_projid)))
+ return -EXDEV;
+
+ /*
+@@ -1085,10 +1085,10 @@ static int f2fs_cross_rename(struct inode *old_dir, struct dentry *old_dentry,
+
+ if ((is_inode_flag_set(new_dir, FI_PROJ_INHERIT) &&
+ !projid_eq(F2FS_I(new_dir)->i_projid,
+- F2FS_I(old_dentry->d_inode)->i_projid)) ||
++ F2FS_I(old_inode)->i_projid)) ||
+ (is_inode_flag_set(new_dir, FI_PROJ_INHERIT) &&
+ !projid_eq(F2FS_I(old_dir)->i_projid,
+- F2FS_I(new_dentry->d_inode)->i_projid)))
++ F2FS_I(new_inode)->i_projid)))
+ return -EXDEV;
+
+ err = f2fs_dquot_initialize(old_dir);
+diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
+index 72160b906f4b3..c1738820a8f0d 100644
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -1830,9 +1830,9 @@ static int f2fs_statfs(struct dentry *dentry, struct kstatfs *buf)
+ buf->f_fsid = u64_to_fsid(id);
+
+ #ifdef CONFIG_QUOTA
+- if (is_inode_flag_set(dentry->d_inode, FI_PROJ_INHERIT) &&
++ if (is_inode_flag_set(d_inode(dentry), FI_PROJ_INHERIT) &&
+ sb_has_quota_limits_enabled(sb, PRJQUOTA)) {
+- f2fs_statfs_project(sb, F2FS_I(dentry->d_inode)->i_projid, buf);
++ f2fs_statfs_project(sb, F2FS_I(d_inode(dentry))->i_projid, buf);
+ }
+ #endif
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From 11d64cb37ba823a846ce2f664bca4bb21c9f113c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 May 2025 23:35:58 +0300
+Subject: fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod()
+
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+
+[ Upstream commit 3f6dae09fc8c306eb70fdfef70726e1f154e173a ]
+
+In fb_find_mode_cvt(), iff mode->refresh somehow happens to be 0x80000000,
+cvt.f_refresh will become 0 when multiplying it by 2 due to overflow. It's
+then passed to fb_cvt_hperiod(), where it's used as a divider -- division
+by 0 will result in kernel oops. Add a sanity check for cvt.f_refresh to
+avoid such overflow...
+
+Found by Linux Verification Center (linuxtesting.org) with the Svace static
+analysis tool.
+
+Fixes: 96fe6a2109db ("[PATCH] fbdev: Add VESA Coordinated Video Timings (CVT) support")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/core/fbcvt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/video/fbdev/core/fbcvt.c b/drivers/video/fbdev/core/fbcvt.c
+index 64843464c6613..cd3821bd82e56 100644
+--- a/drivers/video/fbdev/core/fbcvt.c
++++ b/drivers/video/fbdev/core/fbcvt.c
+@@ -312,7 +312,7 @@ int fb_find_mode_cvt(struct fb_videomode *mode, int margins, int rb)
+ cvt.f_refresh = cvt.refresh;
+ cvt.interlace = 1;
+
+- if (!cvt.xres || !cvt.yres || !cvt.refresh) {
++ if (!cvt.xres || !cvt.yres || !cvt.refresh || cvt.f_refresh > INT_MAX) {
+ printk(KERN_INFO "fbcvt: Invalid input parameters\n");
+ return 1;
+ }
+--
+2.39.5
+
--- /dev/null
+From f0a5d76f59ada74f8f455079c6e5262890082449 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Mar 2025 23:17:12 +0800
+Subject: firmware: psci: Fix refcount leak in psci_dt_init
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit 7ff37d29fd5c27617b9767e1b8946d115cf93a1e ]
+
+Fix a reference counter leak in psci_dt_init() where of_node_put(np) was
+missing after of_find_matching_node_and_match() when np is unavailable.
+
+Fixes: d09a0011ec0d ("drivers: psci: Allow PSCI node to be disabled")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Reviewed-by: Gavin Shan <gshan@redhat.com>
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Link: https://lore.kernel.org/r/20250318151712.28763-1-linmq006@gmail.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/psci/psci.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/firmware/psci/psci.c b/drivers/firmware/psci/psci.c
+index a44ba09e49d9c..7eddf0912f96c 100644
+--- a/drivers/firmware/psci/psci.c
++++ b/drivers/firmware/psci/psci.c
+@@ -747,8 +747,10 @@ int __init psci_dt_init(void)
+
+ np = of_find_matching_node_and_match(NULL, psci_of_match, &matched_np);
+
+- if (!np || !of_device_is_available(np))
++ if (!np || !of_device_is_available(np)) {
++ of_node_put(np);
+ return -ENODEV;
++ }
+
+ init_fn = (psci_initcall_t)matched_np->data;
+ ret = init_fn(np);
+--
+2.39.5
+
--- /dev/null
+From e8d5044c65037f4454317726cd241cea6dcb3d43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 May 2025 12:57:57 +0800
+Subject: firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES
+
+From: Huang Yiwei <quic_hyiwei@quicinc.com>
+
+[ Upstream commit 59529bbe642de4eb2191a541d9b4bae7eb73862e ]
+
+SDEI usually initialize with the ACPI table, but on platforms where
+ACPI is not used, the SDEI feature can still be used to handle
+specific firmware calls or other customized purposes. Therefore, it
+is not necessary for ARM_SDE_INTERFACE to depend on ACPI_APEI_GHES.
+
+In commit dc4e8c07e9e2 ("ACPI: APEI: explicit init of HEST and GHES
+in acpi_init()"), to make APEI ready earlier, sdei_init was moved
+into acpi_ghes_init instead of being a standalone initcall, adding
+ACPI_APEI_GHES dependency to ARM_SDE_INTERFACE. This restricts the
+flexibility and usability of SDEI.
+
+This patch corrects the dependency in Kconfig and splits sdei_init()
+into two separate functions: sdei_init() and acpi_sdei_init().
+sdei_init() will be called by arch_initcall and will only initialize
+the platform driver, while acpi_sdei_init() will initialize the
+device from acpi_ghes_init() when ACPI is ready. This allows the
+initialization of SDEI without ACPI_APEI_GHES enabled.
+
+Fixes: dc4e8c07e9e2 ("ACPI: APEI: explicit init of HEST and GHES in apci_init()")
+Cc: Shuai Xue <xueshuai@linux.alibaba.com>
+Signed-off-by: Huang Yiwei <quic_hyiwei@quicinc.com>
+Reviewed-by: Shuai Xue <xueshuai@linux.alibaba.com>
+Reviewed-by: Gavin Shan <gshan@redhat.com>
+Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Link: https://lore.kernel.org/r/20250507045757.2658795-1-quic_hyiwei@quicinc.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/apei/Kconfig | 1 +
+ drivers/acpi/apei/ghes.c | 2 +-
+ drivers/firmware/Kconfig | 1 -
+ drivers/firmware/arm_sdei.c | 11 ++++++++---
+ include/linux/arm_sdei.h | 4 ++--
+ 5 files changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/acpi/apei/Kconfig b/drivers/acpi/apei/Kconfig
+index 6b18f8bc7be35..71e0d64a7792e 100644
+--- a/drivers/acpi/apei/Kconfig
++++ b/drivers/acpi/apei/Kconfig
+@@ -23,6 +23,7 @@ config ACPI_APEI_GHES
+ select ACPI_HED
+ select IRQ_WORK
+ select GENERIC_ALLOCATOR
++ select ARM_SDE_INTERFACE if ARM64
+ help
+ Generic Hardware Error Source provides a way to report
+ platform hardware errors (such as that from chipset). It
+diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c
+index 83a4b417b27b9..1f327ec4c30b3 100644
+--- a/drivers/acpi/apei/ghes.c
++++ b/drivers/acpi/apei/ghes.c
+@@ -1478,7 +1478,7 @@ void __init acpi_ghes_init(void)
+ {
+ int rc;
+
+- sdei_init();
++ acpi_sdei_init();
+
+ if (acpi_disabled)
+ return;
+diff --git a/drivers/firmware/Kconfig b/drivers/firmware/Kconfig
+index 5583ae61f214b..bffdf735ef781 100644
+--- a/drivers/firmware/Kconfig
++++ b/drivers/firmware/Kconfig
+@@ -40,7 +40,6 @@ config ARM_SCPI_POWER_DOMAIN
+ config ARM_SDE_INTERFACE
+ bool "ARM Software Delegated Exception Interface (SDEI)"
+ depends on ARM64
+- depends on ACPI_APEI_GHES
+ help
+ The Software Delegated Exception Interface (SDEI) is an ARM
+ standard for registering callbacks from the platform firmware
+diff --git a/drivers/firmware/arm_sdei.c b/drivers/firmware/arm_sdei.c
+index 3e8051fe82965..71e2a9a89f6ad 100644
+--- a/drivers/firmware/arm_sdei.c
++++ b/drivers/firmware/arm_sdei.c
+@@ -1062,13 +1062,12 @@ static bool __init sdei_present_acpi(void)
+ return true;
+ }
+
+-void __init sdei_init(void)
++void __init acpi_sdei_init(void)
+ {
+ struct platform_device *pdev;
+ int ret;
+
+- ret = platform_driver_register(&sdei_driver);
+- if (ret || !sdei_present_acpi())
++ if (!sdei_present_acpi())
+ return;
+
+ pdev = platform_device_register_simple(sdei_driver.driver.name,
+@@ -1081,6 +1080,12 @@ void __init sdei_init(void)
+ }
+ }
+
++static int __init sdei_init(void)
++{
++ return platform_driver_register(&sdei_driver);
++}
++arch_initcall(sdei_init);
++
+ int sdei_event_handler(struct pt_regs *regs,
+ struct sdei_registered_event *arg)
+ {
+diff --git a/include/linux/arm_sdei.h b/include/linux/arm_sdei.h
+index 255701e1251b4..f652a5028b590 100644
+--- a/include/linux/arm_sdei.h
++++ b/include/linux/arm_sdei.h
+@@ -46,12 +46,12 @@ int sdei_unregister_ghes(struct ghes *ghes);
+ /* For use by arch code when CPU hotplug notifiers are not appropriate. */
+ int sdei_mask_local_cpu(void);
+ int sdei_unmask_local_cpu(void);
+-void __init sdei_init(void);
++void __init acpi_sdei_init(void);
+ void sdei_handler_abort(void);
+ #else
+ static inline int sdei_mask_local_cpu(void) { return 0; }
+ static inline int sdei_unmask_local_cpu(void) { return 0; }
+-static inline void sdei_init(void) { }
++static inline void acpi_sdei_init(void) { }
+ static inline void sdei_handler_abort(void) { }
+ #endif /* CONFIG_ARM_SDE_INTERFACE */
+
+--
+2.39.5
+
--- /dev/null
+From f68719f7645c09659e32dca10f4d5e90a966ca48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Jun 2025 17:57:27 -0400
+Subject: fix propagation graph breakage by MOVE_MOUNT_SET_GROUP move_mount(2)
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit d8cc0362f918d020ca1340d7694f07062dc30f36 ]
+
+9ffb14ef61ba "move_mount: allow to add a mount into an existing group"
+breaks assertions on ->mnt_share/->mnt_slave. For once, the data structures
+in question are actually documented.
+
+Documentation/filesystem/sharedsubtree.rst:
+ All vfsmounts in a peer group have the same ->mnt_master. If it is
+ non-NULL, they form a contiguous (ordered) segment of slave list.
+
+do_set_group() puts a mount into the same place in propagation graph
+as the old one. As the result, if old mount gets events from somewhere
+and is not a pure event sink, new one needs to be placed next to the
+old one in the slave list the old one's on. If it is a pure event
+sink, we only need to make sure the new one doesn't end up in the
+middle of some peer group.
+
+"move_mount: allow to add a mount into an existing group" ends up putting
+the new one in the beginning of list; that's definitely not going to be
+in the middle of anything, so that's fine for case when old is not marked
+shared. In case when old one _is_ marked shared (i.e. is not a pure event
+sink), that breaks the assumptions of propagation graph iterators.
+
+Put the new mount next to the old one on the list - that does the right thing
+in "old is marked shared" case and is just as correct as the current behaviour
+if old is not marked shared (kudos to Pavel for pointing that out - my original
+suggested fix changed behaviour in the "nor marked" case, which complicated
+things for no good reason).
+
+Reviewed-by: Christian Brauner <brauner@kernel.org>
+Fixes: 9ffb14ef61ba ("move_mount: allow to add a mount into an existing group")
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/namespace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/namespace.c b/fs/namespace.c
+index 211a81240680d..65aa3495db6a1 100644
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -2809,7 +2809,7 @@ static int do_set_group(struct path *from_path, struct path *to_path)
+ if (IS_MNT_SLAVE(from)) {
+ struct mount *m = from->mnt_master;
+
+- list_add(&to->mnt_slave, &m->mnt_slave_list);
++ list_add(&to->mnt_slave, &from->mnt_slave);
+ to->mnt_master = m;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From b32f452568b16a5fd1bb54cd1081d242826f5015 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Mar 2025 13:42:18 +0000
+Subject: fs/ntfs3: handle hdr_first_de() return value
+
+From: Andrey Vatoropin <a.vatoropin@crpt.ru>
+
+[ Upstream commit af5cab0e5b6f8edb0be51a9f47f3f620e0b4fd70 ]
+
+The hdr_first_de() function returns a pointer to a struct NTFS_DE. This
+pointer may be NULL. To handle the NULL error effectively, it is important
+to implement an error handler. This will help manage potential errors
+consistently.
+
+Additionally, error handling for the return value already exists at other
+points where this function is called.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 82cae269cfa9 ("fs/ntfs3: Add initialization of super block")
+Signed-off-by: Andrey Vatoropin <a.vatoropin@crpt.ru>
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ntfs3/index.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c
+index 139bdaececd72..ee6de53d2ad12 100644
+--- a/fs/ntfs3/index.c
++++ b/fs/ntfs3/index.c
+@@ -2166,6 +2166,10 @@ static int indx_get_entry_to_replace(struct ntfs_index *indx,
+
+ e = hdr_first_de(&n->index->ihdr);
+ fnd_push(fnd, n, e);
++ if (!e) {
++ err = -EINVAL;
++ goto out;
++ }
+
+ if (!de_is_last(e)) {
+ /*
+@@ -2187,6 +2191,10 @@ static int indx_get_entry_to_replace(struct ntfs_index *indx,
+
+ n = fnd->nodes[level];
+ te = hdr_first_de(&n->index->ihdr);
++ if (!te) {
++ err = -EINVAL;
++ goto out;
++ }
+ /* Copy the candidate entry into the replacement entry buffer. */
+ re = kmalloc(le16_to_cpu(te->size) + sizeof(u64), GFP_NOFS);
+ if (!re) {
+--
+2.39.5
+
--- /dev/null
+From 47a2f972bb03e73ffa65879ec8e87ba400d1af93 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Apr 2025 16:40:58 +0200
+Subject: gfs2: gfs2_create_inode error handling fix
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+[ Upstream commit af4044fd0b77e915736527dd83011e46e6415f01 ]
+
+When gfs2_create_inode() finds a directory, make sure to return -EISDIR.
+
+Fixes: 571a4b57975a ("GFS2: bugger off early if O_CREAT open finds a directory")
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/gfs2/inode.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c
+index 04fc3e72a96e4..06629aeefbe6f 100644
+--- a/fs/gfs2/inode.c
++++ b/fs/gfs2/inode.c
+@@ -631,7 +631,8 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
+ if (!IS_ERR(inode)) {
+ if (S_ISDIR(inode->i_mode)) {
+ iput(inode);
+- inode = ERR_PTR(-EISDIR);
++ inode = NULL;
++ error = -EISDIR;
+ goto fail_gunlock;
+ }
+ d_instantiate(dentry, inode);
+--
+2.39.5
+
--- /dev/null
+From eec3ed64e819bc442c3233c2f07c71447b97f58e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Jun 2025 03:34:29 -0700
+Subject: gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit 12c331b29c7397ac3b03584e12902990693bc248 ]
+
+gve_alloc_pending_packet() can return NULL, but gve_tx_add_skb_dqo()
+did not check for this case before dereferencing the returned pointer.
+
+Add a missing NULL check to prevent a potential NULL pointer
+dereference when allocation fails.
+
+This improves robustness in low-memory scenarios.
+
+Fixes: a57e5de476be ("gve: DQO: Add TX path")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Reviewed-by: Mina Almasry <almasrymina@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/google/gve/gve_tx_dqo.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/google/gve/gve_tx_dqo.c b/drivers/net/ethernet/google/gve/gve_tx_dqo.c
+index eabed3deca763..e32d9967966bc 100644
+--- a/drivers/net/ethernet/google/gve/gve_tx_dqo.c
++++ b/drivers/net/ethernet/google/gve/gve_tx_dqo.c
+@@ -452,6 +452,9 @@ static int gve_tx_add_skb_no_copy_dqo(struct gve_tx_ring *tx,
+ int i;
+
+ pkt = gve_alloc_pending_packet(tx);
++ if (!pkt)
++ return -ENOMEM;
++
+ pkt->skb = skb;
+ pkt->num_bufs = 0;
+ completion_tag = pkt - tx->dqo.pending_packets;
+--
+2.39.5
+
--- /dev/null
+From 589cdbae6c9a34280ea0c7ca80f7ca06c61a5bf2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 May 2025 06:08:16 -0700
+Subject: gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit f41a94aade120dc60322865f363cee7865f2df01 ]
+
+Previously, the RX_BUFFERS_POSTED stat incorrectly reported the
+fill_cnt from RX queue 0 for all queues, resulting in inaccurate
+per-queue statistics.
+Fix this by correctly indexing priv->rx[idx].fill_cnt for each RX queue.
+
+Fixes: 24aeb56f2d38 ("gve: Add Gvnic stats AQ command and ethtool show/set-priv-flags.")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Link: https://patch.msgid.link/20250527130830.1812903-1-alok.a.tiwari@oracle.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/google/gve/gve_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/google/gve/gve_main.c b/drivers/net/ethernet/google/gve/gve_main.c
+index 8771ccfc69b42..7e7890334ff60 100644
+--- a/drivers/net/ethernet/google/gve/gve_main.c
++++ b/drivers/net/ethernet/google/gve/gve_main.c
+@@ -1312,7 +1312,7 @@ void gve_handle_report_stats(struct gve_priv *priv)
+ };
+ stats[stats_idx++] = (struct stats) {
+ .stat_name = cpu_to_be32(RX_BUFFERS_POSTED),
+- .value = cpu_to_be64(priv->rx[0].fill_cnt),
++ .value = cpu_to_be64(priv->rx[idx].fill_cnt),
+ .queue_id = cpu_to_be32(idx),
+ };
+ }
+--
+2.39.5
+
--- /dev/null
+From 86089891b298cb5f5f419cca30e385079b2778df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 May 2025 16:11:51 +0800
+Subject: hisi_acc_vfio_pci: add eq and aeq interruption restore
+
+From: Longfang Liu <liulongfang@huawei.com>
+
+[ Upstream commit 3495cec0787721ba7a9d5c19d0bbb66d182de584 ]
+
+In order to ensure that the task packets of the accelerator
+device are not lost during the migration process, it is necessary
+to send an EQ and AEQ command to the device after the live migration
+is completed and to update the completion position of the task queue.
+
+Let the device recheck the completed tasks data and if there are
+uncollected packets, device resend a task completion interrupt
+to the software.
+
+Fixes: b0eed085903e ("hisi_acc_vfio_pci: Add support for VFIO live migration")
+Signed-off-by: Longfang Liu <liulongfang@huawei.com>
+Reviewed-by: Shameer Kolothum <shameerali.kolothum.thodi@huawei.com>
+Link: https://lore.kernel.org/r/20250510081155.55840-3-liulongfang@huawei.com
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c
+index b5efb37712d5e..de3e1a148ddab 100644
+--- a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c
++++ b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c
+@@ -469,6 +469,19 @@ static int vf_qm_get_match_data(struct hisi_acc_vf_core_device *hisi_acc_vdev,
+ return 0;
+ }
+
++static void vf_qm_xeqc_save(struct hisi_qm *qm,
++ struct hisi_acc_vf_migration_file *migf)
++{
++ struct acc_vf_data *vf_data = &migf->vf_data;
++ u16 eq_head, aeq_head;
++
++ eq_head = vf_data->qm_eqc_dw[0] & 0xFFFF;
++ qm_db(qm, 0, QM_DOORBELL_CMD_EQ, eq_head, 0);
++
++ aeq_head = vf_data->qm_aeqc_dw[0] & 0xFFFF;
++ qm_db(qm, 0, QM_DOORBELL_CMD_AEQ, aeq_head, 0);
++}
++
+ static int vf_qm_load_data(struct hisi_acc_vf_core_device *hisi_acc_vdev,
+ struct hisi_acc_vf_migration_file *migf)
+ {
+@@ -569,6 +582,9 @@ static int vf_qm_state_save(struct hisi_acc_vf_core_device *hisi_acc_vdev,
+ }
+
+ migf->total_length = sizeof(struct acc_vf_data);
++ /* Save eqc and aeqc interrupt information */
++ vf_qm_xeqc_save(vf_qm, migf);
++
+ return 0;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From b32f0c6c7ee4ac0f6c5aa018aea0418bcccc79b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 May 2025 16:11:50 +0800
+Subject: hisi_acc_vfio_pci: fix XQE dma address error
+
+From: Longfang Liu <liulongfang@huawei.com>
+
+[ Upstream commit 8bb7170c5a055ea17c6857c256ee73c10ff872eb ]
+
+The dma addresses of EQE and AEQE are wrong after migration and
+results in guest kernel-mode encryption services failure.
+Comparing the definition of hardware registers, we found that
+there was an error when the data read from the register was
+combined into an address. Therefore, the address combination
+sequence needs to be corrected.
+
+Even after fixing the above problem, we still have an issue
+where the Guest from an old kernel can get migrated to
+new kernel and may result in wrong data.
+
+In order to ensure that the address is correct after migration,
+if an old magic number is detected, the dma address needs to be
+updated.
+
+Fixes: b0eed085903e ("hisi_acc_vfio_pci: Add support for VFIO live migration")
+Signed-off-by: Longfang Liu <liulongfang@huawei.com>
+Reviewed-by: Shameer Kolothum <shameerali.kolothum.thodi@huawei.com>
+Link: https://lore.kernel.org/r/20250510081155.55840-2-liulongfang@huawei.com
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../vfio/pci/hisilicon/hisi_acc_vfio_pci.c | 41 ++++++++++++++++---
+ .../vfio/pci/hisilicon/hisi_acc_vfio_pci.h | 14 ++++++-
+ 2 files changed, 47 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c
+index 39eeca18a0f7c..b5efb37712d5e 100644
+--- a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c
++++ b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c
+@@ -350,6 +350,32 @@ static int vf_qm_func_stop(struct hisi_qm *qm)
+ return hisi_qm_mb(qm, QM_MB_CMD_PAUSE_QM, 0, 0, 0);
+ }
+
++static int vf_qm_version_check(struct acc_vf_data *vf_data, struct device *dev)
++{
++ switch (vf_data->acc_magic) {
++ case ACC_DEV_MAGIC_V2:
++ if (vf_data->major_ver != ACC_DRV_MAJOR_VER) {
++ dev_info(dev, "migration driver version<%u.%u> not match!\n",
++ vf_data->major_ver, vf_data->minor_ver);
++ return -EINVAL;
++ }
++ break;
++ case ACC_DEV_MAGIC_V1:
++ /* Correct dma address */
++ vf_data->eqe_dma = vf_data->qm_eqc_dw[QM_XQC_ADDR_HIGH];
++ vf_data->eqe_dma <<= QM_XQC_ADDR_OFFSET;
++ vf_data->eqe_dma |= vf_data->qm_eqc_dw[QM_XQC_ADDR_LOW];
++ vf_data->aeqe_dma = vf_data->qm_aeqc_dw[QM_XQC_ADDR_HIGH];
++ vf_data->aeqe_dma <<= QM_XQC_ADDR_OFFSET;
++ vf_data->aeqe_dma |= vf_data->qm_aeqc_dw[QM_XQC_ADDR_LOW];
++ break;
++ default:
++ return -EINVAL;
++ }
++
++ return 0;
++}
++
+ static int vf_qm_check_match(struct hisi_acc_vf_core_device *hisi_acc_vdev,
+ struct hisi_acc_vf_migration_file *migf)
+ {
+@@ -363,7 +389,8 @@ static int vf_qm_check_match(struct hisi_acc_vf_core_device *hisi_acc_vdev,
+ if (migf->total_length < QM_MATCH_SIZE)
+ return -EINVAL;
+
+- if (vf_data->acc_magic != ACC_DEV_MAGIC) {
++ ret = vf_qm_version_check(vf_data, dev);
++ if (ret) {
+ dev_err(dev, "failed to match ACC_DEV_MAGIC\n");
+ return -EINVAL;
+ }
+@@ -417,7 +444,9 @@ static int vf_qm_get_match_data(struct hisi_acc_vf_core_device *hisi_acc_vdev,
+ int vf_id = hisi_acc_vdev->vf_id;
+ int ret;
+
+- vf_data->acc_magic = ACC_DEV_MAGIC;
++ vf_data->acc_magic = ACC_DEV_MAGIC_V2;
++ vf_data->major_ver = ACC_DRV_MAJOR_VER;
++ vf_data->minor_ver = ACC_DRV_MINOR_VER;
+ /* Save device id */
+ vf_data->dev_id = hisi_acc_vdev->vf_dev->device;
+
+@@ -519,12 +548,12 @@ static int vf_qm_state_save(struct hisi_acc_vf_core_device *hisi_acc_vdev,
+ return -EINVAL;
+
+ /* Every reg is 32 bit, the dma address is 64 bit. */
+- vf_data->eqe_dma = vf_data->qm_eqc_dw[1];
++ vf_data->eqe_dma = vf_data->qm_eqc_dw[QM_XQC_ADDR_HIGH];
+ vf_data->eqe_dma <<= QM_XQC_ADDR_OFFSET;
+- vf_data->eqe_dma |= vf_data->qm_eqc_dw[0];
+- vf_data->aeqe_dma = vf_data->qm_aeqc_dw[1];
++ vf_data->eqe_dma |= vf_data->qm_eqc_dw[QM_XQC_ADDR_LOW];
++ vf_data->aeqe_dma = vf_data->qm_aeqc_dw[QM_XQC_ADDR_HIGH];
+ vf_data->aeqe_dma <<= QM_XQC_ADDR_OFFSET;
+- vf_data->aeqe_dma |= vf_data->qm_aeqc_dw[0];
++ vf_data->aeqe_dma |= vf_data->qm_aeqc_dw[QM_XQC_ADDR_LOW];
+
+ /* Through SQC_BT/CQC_BT to get sqc and cqc address */
+ ret = qm_get_sqc(vf_qm, &vf_data->sqc_dma);
+diff --git a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.h b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.h
+index 67343325b3201..f62247d0adf9a 100644
+--- a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.h
++++ b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.h
+@@ -38,6 +38,9 @@
+ #define QM_REG_ADDR_OFFSET 0x0004
+
+ #define QM_XQC_ADDR_OFFSET 32U
++#define QM_XQC_ADDR_LOW 0x1
++#define QM_XQC_ADDR_HIGH 0x2
++
+ #define QM_VF_AEQ_INT_MASK 0x0004
+ #define QM_VF_EQ_INT_MASK 0x000c
+ #define QM_IFC_INT_SOURCE_V 0x0020
+@@ -49,10 +52,15 @@
+ #define QM_EQC_DW0 0X8000
+ #define QM_AEQC_DW0 0X8020
+
++#define ACC_DRV_MAJOR_VER 1
++#define ACC_DRV_MINOR_VER 0
++
++#define ACC_DEV_MAGIC_V1 0XCDCDCDCDFEEDAACC
++#define ACC_DEV_MAGIC_V2 0xAACCFEEDDECADEDE
++
+ struct acc_vf_data {
+ #define QM_MATCH_SIZE offsetofend(struct acc_vf_data, qm_rsv_state)
+ /* QM match information */
+-#define ACC_DEV_MAGIC 0XCDCDCDCDFEEDAACC
+ u64 acc_magic;
+ u32 qp_num;
+ u32 dev_id;
+@@ -60,7 +68,9 @@ struct acc_vf_data {
+ u32 qp_base;
+ u32 vf_qm_state;
+ /* QM reserved match information */
+- u32 qm_rsv_state[3];
++ u16 major_ver;
++ u16 minor_ver;
++ u32 qm_rsv_state[2];
+
+ /* QM RW regs */
+ u32 aeq_int_mask;
+--
+2.39.5
+
--- /dev/null
+From e74026e7fcd42e4c82b3b292cee2b76ab272fc69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Apr 2025 23:26:54 +0300
+Subject: hwmon: (asus-ec-sensors) check sensor index in read_string()
+
+From: Alexei Safin <a.safin@rosa.ru>
+
+[ Upstream commit 25be318324563c63cbd9cb53186203a08d2f83a1 ]
+
+Prevent a potential invalid memory access when the requested sensor
+is not found.
+
+find_ec_sensor_index() may return a negative value (e.g. -ENOENT),
+but its result was used without checking, which could lead to
+undefined behavior when passed to get_sensor_info().
+
+Add a proper check to return -EINVAL if sensor_index is negative.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: d0ddfd241e57 ("hwmon: (asus-ec-sensors) add driver for ASUS EC")
+Signed-off-by: Alexei Safin <a.safin@rosa.ru>
+Link: https://lore.kernel.org/r/20250424202654.5902-1-a.safin@rosa.ru
+[groeck: Return error code returned from find_ec_sensor_index]
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/asus-ec-sensors.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/hwmon/asus-ec-sensors.c b/drivers/hwmon/asus-ec-sensors.c
+index d893cfd1cb829..6f20b55f41f2e 100644
+--- a/drivers/hwmon/asus-ec-sensors.c
++++ b/drivers/hwmon/asus-ec-sensors.c
+@@ -839,6 +839,10 @@ static int asus_ec_hwmon_read_string(struct device *dev,
+ {
+ struct ec_sensors_data *state = dev_get_drvdata(dev);
+ int sensor_index = find_ec_sensor_index(state, type, channel);
++
++ if (sensor_index < 0)
++ return sensor_index;
++
+ *str = get_sensor_info(state, sensor_index)->label;
+
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From 1e9e059dd081c73d2119e3026a0600064afd5cce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Feb 2025 17:56:12 +0000
+Subject: IB/cm: use rwlock for MAD agent lock
+
+From: Jacob Moroni <jmoroni@google.com>
+
+[ Upstream commit 4dab26bed543584577b64b36aadb8b5b165bf44f ]
+
+In workloads where there are many processes establishing connections using
+RDMA CM in parallel (large scale MPI), there can be heavy contention for
+mad_agent_lock in cm_alloc_msg.
+
+This contention can occur while inside of a spin_lock_irq region, leading
+to interrupts being disabled for extended durations on many
+cores. Furthermore, it leads to the serialization of rdma_create_ah calls,
+which has negative performance impacts for NICs which are capable of
+processing multiple address handle creations in parallel.
+
+The end result is the machine becoming unresponsive, hung task warnings,
+netdev TX timeouts, etc.
+
+Since the lock appears to be only for protection from cm_remove_one, it
+can be changed to a rwlock to resolve these issues.
+
+Reproducer:
+
+Server:
+ for i in $(seq 1 512); do
+ ucmatose -c 32 -p $((i + 5000)) &
+ done
+
+Client:
+ for i in $(seq 1 512); do
+ ucmatose -c 32 -p $((i + 5000)) -s 10.2.0.52 &
+ done
+
+Fixes: 76039ac9095f ("IB/cm: Protect cm_dev, cm_ports and mad_agent with kref and lock")
+Link: https://patch.msgid.link/r/20250220175612.2763122-1-jmoroni@google.com
+Signed-off-by: Jacob Moroni <jmoroni@google.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
+Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/cm.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c
+index 950fe205995b7..0a113d0d6b08f 100644
+--- a/drivers/infiniband/core/cm.c
++++ b/drivers/infiniband/core/cm.c
+@@ -166,7 +166,7 @@ struct cm_port {
+ struct cm_device {
+ struct kref kref;
+ struct list_head list;
+- spinlock_t mad_agent_lock;
++ rwlock_t mad_agent_lock;
+ struct ib_device *ib_device;
+ u8 ack_delay;
+ int going_down;
+@@ -284,7 +284,7 @@ static struct ib_mad_send_buf *cm_alloc_msg(struct cm_id_private *cm_id_priv)
+ if (!cm_id_priv->av.port)
+ return ERR_PTR(-EINVAL);
+
+- spin_lock(&cm_id_priv->av.port->cm_dev->mad_agent_lock);
++ read_lock(&cm_id_priv->av.port->cm_dev->mad_agent_lock);
+ mad_agent = cm_id_priv->av.port->mad_agent;
+ if (!mad_agent) {
+ m = ERR_PTR(-EINVAL);
+@@ -315,7 +315,7 @@ static struct ib_mad_send_buf *cm_alloc_msg(struct cm_id_private *cm_id_priv)
+ m->context[0] = cm_id_priv;
+
+ out:
+- spin_unlock(&cm_id_priv->av.port->cm_dev->mad_agent_lock);
++ read_unlock(&cm_id_priv->av.port->cm_dev->mad_agent_lock);
+ return m;
+ }
+
+@@ -1294,10 +1294,10 @@ static __be64 cm_form_tid(struct cm_id_private *cm_id_priv)
+ if (!cm_id_priv->av.port)
+ return cpu_to_be64(low_tid);
+
+- spin_lock(&cm_id_priv->av.port->cm_dev->mad_agent_lock);
++ read_lock(&cm_id_priv->av.port->cm_dev->mad_agent_lock);
+ if (cm_id_priv->av.port->mad_agent)
+ hi_tid = ((u64)cm_id_priv->av.port->mad_agent->hi_tid) << 32;
+- spin_unlock(&cm_id_priv->av.port->cm_dev->mad_agent_lock);
++ read_unlock(&cm_id_priv->av.port->cm_dev->mad_agent_lock);
+ return cpu_to_be64(hi_tid | low_tid);
+ }
+
+@@ -4365,7 +4365,7 @@ static int cm_add_one(struct ib_device *ib_device)
+ return -ENOMEM;
+
+ kref_init(&cm_dev->kref);
+- spin_lock_init(&cm_dev->mad_agent_lock);
++ rwlock_init(&cm_dev->mad_agent_lock);
+ cm_dev->ib_device = ib_device;
+ cm_dev->ack_delay = ib_device->attrs.local_ca_ack_delay;
+ cm_dev->going_down = 0;
+@@ -4481,9 +4481,9 @@ static void cm_remove_one(struct ib_device *ib_device, void *client_data)
+ * The above ensures no call paths from the work are running,
+ * the remaining paths all take the mad_agent_lock.
+ */
+- spin_lock(&cm_dev->mad_agent_lock);
++ write_lock(&cm_dev->mad_agent_lock);
+ port->mad_agent = NULL;
+- spin_unlock(&cm_dev->mad_agent_lock);
++ write_unlock(&cm_dev->mad_agent_lock);
+ ib_unregister_mad_agent(mad_agent);
+ ib_port_unregister_client_groups(ib_device, i,
+ cm_counter_groups);
+--
+2.39.5
+
--- /dev/null
+From ea0e9c5d1f4a39729d50510928409d3d8e34720b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 May 2025 12:55:28 +0200
+Subject: ice: create new Tx scheduler nodes for new queues only
+
+From: Michal Kubiak <michal.kubiak@intel.com>
+
+[ Upstream commit 6fa2942578472c9cab13a8fc1dae0d830193e0a1 ]
+
+The current implementation of the Tx scheduler tree attempts
+to create nodes for all Tx queues, ignoring the fact that some
+queues may already exist in the tree. For example, if the VSI
+already has 128 Tx queues and the user requests for 16 new queues,
+the Tx scheduler will compute the tree for 272 queues (128 existing
+queues + 144 new queues), instead of 144 queues (128 existing queues
+and 16 new queues).
+Fix that by modifying the node count calculation algorithm to skip
+the queues that already exist in the tree.
+
+Fixes: 5513b920a4f7 ("ice: Update Tx scheduler tree for VSI multi-Tx queue support")
+Reviewed-by: Dawid Osuchowski <dawid.osuchowski@linux.intel.com>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: Michal Kubiak <michal.kubiak@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Jesse Brandeburg <jbrandeburg@cloudflare.com>
+Tested-by: Saritha Sanigani <sarithax.sanigani@intel.com> (A Contingent Worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_sched.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_sched.c b/drivers/net/ethernet/intel/ice/ice_sched.c
+index b07bd0c059f75..3baa9d161a0bf 100644
+--- a/drivers/net/ethernet/intel/ice/ice_sched.c
++++ b/drivers/net/ethernet/intel/ice/ice_sched.c
+@@ -1591,16 +1591,16 @@ ice_sched_get_agg_node(struct ice_port_info *pi, struct ice_sched_node *tc_node,
+ /**
+ * ice_sched_calc_vsi_child_nodes - calculate number of VSI child nodes
+ * @hw: pointer to the HW struct
+- * @num_qs: number of queues
++ * @num_new_qs: number of new queues that will be added to the tree
+ * @num_nodes: num nodes array
+ *
+ * This function calculates the number of VSI child nodes based on the
+ * number of queues.
+ */
+ static void
+-ice_sched_calc_vsi_child_nodes(struct ice_hw *hw, u16 num_qs, u16 *num_nodes)
++ice_sched_calc_vsi_child_nodes(struct ice_hw *hw, u16 num_new_qs, u16 *num_nodes)
+ {
+- u16 num = num_qs;
++ u16 num = num_new_qs;
+ u8 i, qgl, vsil;
+
+ qgl = ice_sched_get_qgrp_layer(hw);
+@@ -1848,8 +1848,9 @@ ice_sched_update_vsi_child_nodes(struct ice_port_info *pi, u16 vsi_handle,
+ return status;
+ }
+
+- if (new_numqs)
+- ice_sched_calc_vsi_child_nodes(hw, new_numqs, new_num_nodes);
++ ice_sched_calc_vsi_child_nodes(hw, new_numqs - prev_numqs,
++ new_num_nodes);
++
+ /* Keep the max number of queue configuration all the time. Update the
+ * tree only if number of queues > previous number of queues. This may
+ * leave some extra nodes in the tree if number of queues < previous
+--
+2.39.5
+
--- /dev/null
+From 48bea9dd5347e540f3e822fc91ce5f9bd222b90c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 May 2025 12:55:29 +0200
+Subject: ice: fix rebuilding the Tx scheduler tree for large queue counts
+
+From: Michal Kubiak <michal.kubiak@intel.com>
+
+[ Upstream commit 73145e6d81070d34a21431c9e0d7aaf2f29ca048 ]
+
+The current implementation of the Tx scheduler allows the tree to be
+rebuilt as the user adds more Tx queues to the VSI. In such a case,
+additional child nodes are added to the tree to support the new number
+of queues.
+Unfortunately, this algorithm does not take into account that the limit
+of the VSI support node may be exceeded, so an additional node in the
+VSI layer may be required to handle all the requested queues.
+
+Such a scenario occurs when adding XDP Tx queues on machines with many
+CPUs. Although the driver still respects the queue limit returned by
+the FW, the Tx scheduler was unable to add those queues to its tree
+and returned one of the errors below.
+
+Such a scenario occurs when adding XDP Tx queues on machines with many
+CPUs (e.g. at least 321 CPUs, if there is already 128 Tx/Rx queue pairs).
+Although the driver still respects the queue limit returned by the FW,
+the Tx scheduler was unable to add those queues to its tree and returned
+the following errors:
+
+ Failed VSI LAN queue config for XDP, error: -5
+or:
+ Failed to set LAN Tx queue context, error: -22
+
+Fix this problem by extending the tree rebuild algorithm to check if the
+current VSI node can support the requested number of queues. If it
+cannot, create as many additional VSI support nodes as necessary to
+handle all the required Tx queues. Symmetrically, adjust the VSI node
+removal algorithm to remove all nodes associated with the given VSI.
+Also, make the search for the next free VSI node more restrictive. That is,
+add queue group nodes only to the VSI support nodes that have a matching
+VSI handle.
+Finally, fix the comment describing the tree update algorithm to better
+reflect the current scenario.
+
+Fixes: b0153fdd7e8a ("ice: update VSI config dynamically")
+Reviewed-by: Dawid Osuchowski <dawid.osuchowski@linux.intel.com>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Signed-off-by: Michal Kubiak <michal.kubiak@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Jesse Brandeburg <jbrandeburg@cloudflare.com>
+Tested-by: Saritha Sanigani <sarithax.sanigani@intel.com> (A Contingent Worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_sched.c | 170 +++++++++++++++++----
+ 1 file changed, 142 insertions(+), 28 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_sched.c b/drivers/net/ethernet/intel/ice/ice_sched.c
+index 3baa9d161a0bf..f8f2f657bf9b6 100644
+--- a/drivers/net/ethernet/intel/ice/ice_sched.c
++++ b/drivers/net/ethernet/intel/ice/ice_sched.c
+@@ -84,6 +84,27 @@ ice_sched_find_node_by_teid(struct ice_sched_node *start_node, u32 teid)
+ return NULL;
+ }
+
++/**
++ * ice_sched_find_next_vsi_node - find the next node for a given VSI
++ * @vsi_node: VSI support node to start search with
++ *
++ * Return: Next VSI support node, or NULL.
++ *
++ * The function returns a pointer to the next node from the VSI layer
++ * assigned to the given VSI, or NULL if there is no such a node.
++ */
++static struct ice_sched_node *
++ice_sched_find_next_vsi_node(struct ice_sched_node *vsi_node)
++{
++ unsigned int vsi_handle = vsi_node->vsi_handle;
++
++ while ((vsi_node = vsi_node->sibling) != NULL)
++ if (vsi_node->vsi_handle == vsi_handle)
++ break;
++
++ return vsi_node;
++}
++
+ /**
+ * ice_aqc_send_sched_elem_cmd - send scheduling elements cmd
+ * @hw: pointer to the HW struct
+@@ -1073,8 +1094,10 @@ ice_sched_add_nodes_to_layer(struct ice_port_info *pi,
+ if (parent->num_children < max_child_nodes) {
+ new_num_nodes = max_child_nodes - parent->num_children;
+ } else {
+- /* This parent is full, try the next sibling */
+- parent = parent->sibling;
++ /* This parent is full,
++ * try the next available sibling.
++ */
++ parent = ice_sched_find_next_vsi_node(parent);
+ /* Don't modify the first node TEID memory if the
+ * first node was added already in the above call.
+ * Instead send some temp memory for all other
+@@ -1515,12 +1538,23 @@ ice_sched_get_free_qparent(struct ice_port_info *pi, u16 vsi_handle, u8 tc,
+ /* get the first queue group node from VSI sub-tree */
+ qgrp_node = ice_sched_get_first_node(pi, vsi_node, qgrp_layer);
+ while (qgrp_node) {
++ struct ice_sched_node *next_vsi_node;
++
+ /* make sure the qgroup node is part of the VSI subtree */
+ if (ice_sched_find_node_in_subtree(pi->hw, vsi_node, qgrp_node))
+ if (qgrp_node->num_children < max_children &&
+ qgrp_node->owner == owner)
+ break;
+ qgrp_node = qgrp_node->sibling;
++ if (qgrp_node)
++ continue;
++
++ next_vsi_node = ice_sched_find_next_vsi_node(vsi_node);
++ if (!next_vsi_node)
++ break;
++
++ vsi_node = next_vsi_node;
++ qgrp_node = ice_sched_get_first_node(pi, vsi_node, qgrp_layer);
+ }
+
+ /* Select the best queue group */
+@@ -1764,7 +1798,11 @@ ice_sched_add_vsi_support_nodes(struct ice_port_info *pi, u16 vsi_handle,
+ if (!parent)
+ return -EIO;
+
+- if (i == vsil)
++ /* Do not modify the VSI handle for already existing VSI nodes,
++ * (if no new VSI node was added to the tree).
++ * Assign the VSI handle only to newly added VSI nodes.
++ */
++ if (i == vsil && num_added)
+ parent->vsi_handle = vsi_handle;
+ }
+
+@@ -1797,6 +1835,41 @@ ice_sched_add_vsi_to_topo(struct ice_port_info *pi, u16 vsi_handle, u8 tc)
+ num_nodes);
+ }
+
++/**
++ * ice_sched_recalc_vsi_support_nodes - recalculate VSI support nodes count
++ * @hw: pointer to the HW struct
++ * @vsi_node: pointer to the leftmost VSI node that needs to be extended
++ * @new_numqs: new number of queues that has to be handled by the VSI
++ * @new_num_nodes: pointer to nodes count table to modify the VSI layer entry
++ *
++ * This function recalculates the number of supported nodes that need to
++ * be added after adding more Tx queues for a given VSI.
++ * The number of new VSI support nodes that shall be added will be saved
++ * to the @new_num_nodes table for the VSI layer.
++ */
++static void
++ice_sched_recalc_vsi_support_nodes(struct ice_hw *hw,
++ struct ice_sched_node *vsi_node,
++ unsigned int new_numqs, u16 *new_num_nodes)
++{
++ u32 vsi_nodes_cnt = 1;
++ u32 max_queue_cnt = 1;
++ u32 qgl, vsil;
++
++ qgl = ice_sched_get_qgrp_layer(hw);
++ vsil = ice_sched_get_vsi_layer(hw);
++
++ for (u32 i = vsil; i <= qgl; i++)
++ max_queue_cnt *= hw->max_children[i];
++
++ while ((vsi_node = ice_sched_find_next_vsi_node(vsi_node)) != NULL)
++ vsi_nodes_cnt++;
++
++ if (new_numqs > (max_queue_cnt * vsi_nodes_cnt))
++ new_num_nodes[vsil] = DIV_ROUND_UP(new_numqs, max_queue_cnt) -
++ vsi_nodes_cnt;
++}
++
+ /**
+ * ice_sched_update_vsi_child_nodes - update VSI child nodes
+ * @pi: port information structure
+@@ -1848,16 +1921,25 @@ ice_sched_update_vsi_child_nodes(struct ice_port_info *pi, u16 vsi_handle,
+ return status;
+ }
+
++ ice_sched_recalc_vsi_support_nodes(hw, vsi_node,
++ new_numqs, new_num_nodes);
+ ice_sched_calc_vsi_child_nodes(hw, new_numqs - prev_numqs,
+ new_num_nodes);
+
+- /* Keep the max number of queue configuration all the time. Update the
+- * tree only if number of queues > previous number of queues. This may
++ /* Never decrease the number of queues in the tree. Update the tree
++ * only if number of queues > previous number of queues. This may
+ * leave some extra nodes in the tree if number of queues < previous
+ * number but that wouldn't harm anything. Removing those extra nodes
+ * may complicate the code if those nodes are part of SRL or
+ * individually rate limited.
++ * Also, add the required VSI support nodes if the existing ones cannot
++ * handle the requested new number of queues.
+ */
++ status = ice_sched_add_vsi_support_nodes(pi, vsi_handle, tc_node,
++ new_num_nodes);
++ if (status)
++ return status;
++
+ status = ice_sched_add_vsi_child_nodes(pi, vsi_handle, tc_node,
+ new_num_nodes, owner);
+ if (status)
+@@ -1998,6 +2080,58 @@ static bool ice_sched_is_leaf_node_present(struct ice_sched_node *node)
+ return (node->info.data.elem_type == ICE_AQC_ELEM_TYPE_LEAF);
+ }
+
++/**
++ * ice_sched_rm_vsi_subtree - remove all nodes assigned to a given VSI
++ * @pi: port information structure
++ * @vsi_node: pointer to the leftmost node of the VSI to be removed
++ * @owner: LAN or RDMA
++ * @tc: TC number
++ *
++ * Return: Zero in case of success, or -EBUSY if the VSI has leaf nodes in TC.
++ *
++ * This function removes all the VSI support nodes associated with a given VSI
++ * and its LAN or RDMA children nodes from the scheduler tree.
++ */
++static int
++ice_sched_rm_vsi_subtree(struct ice_port_info *pi,
++ struct ice_sched_node *vsi_node, u8 owner, u8 tc)
++{
++ u16 vsi_handle = vsi_node->vsi_handle;
++ bool all_vsi_nodes_removed = true;
++ int j = 0;
++
++ while (vsi_node) {
++ struct ice_sched_node *next_vsi_node;
++
++ if (ice_sched_is_leaf_node_present(vsi_node)) {
++ ice_debug(pi->hw, ICE_DBG_SCHED, "VSI has leaf nodes in TC %d\n", tc);
++ return -EBUSY;
++ }
++ while (j < vsi_node->num_children) {
++ if (vsi_node->children[j]->owner == owner)
++ ice_free_sched_node(pi, vsi_node->children[j]);
++ else
++ j++;
++ }
++
++ next_vsi_node = ice_sched_find_next_vsi_node(vsi_node);
++
++ /* remove the VSI if it has no children */
++ if (!vsi_node->num_children)
++ ice_free_sched_node(pi, vsi_node);
++ else
++ all_vsi_nodes_removed = false;
++
++ vsi_node = next_vsi_node;
++ }
++
++ /* clean up aggregator related VSI info if any */
++ if (all_vsi_nodes_removed)
++ ice_sched_rm_agg_vsi_info(pi, vsi_handle);
++
++ return 0;
++}
++
+ /**
+ * ice_sched_rm_vsi_cfg - remove the VSI and its children nodes
+ * @pi: port information structure
+@@ -2024,7 +2158,6 @@ ice_sched_rm_vsi_cfg(struct ice_port_info *pi, u16 vsi_handle, u8 owner)
+
+ ice_for_each_traffic_class(i) {
+ struct ice_sched_node *vsi_node, *tc_node;
+- u8 j = 0;
+
+ tc_node = ice_sched_get_tc_node(pi, i);
+ if (!tc_node)
+@@ -2034,31 +2167,12 @@ ice_sched_rm_vsi_cfg(struct ice_port_info *pi, u16 vsi_handle, u8 owner)
+ if (!vsi_node)
+ continue;
+
+- if (ice_sched_is_leaf_node_present(vsi_node)) {
+- ice_debug(pi->hw, ICE_DBG_SCHED, "VSI has leaf nodes in TC %d\n", i);
+- status = -EBUSY;
++ status = ice_sched_rm_vsi_subtree(pi, vsi_node, owner, i);
++ if (status)
+ goto exit_sched_rm_vsi_cfg;
+- }
+- while (j < vsi_node->num_children) {
+- if (vsi_node->children[j]->owner == owner) {
+- ice_free_sched_node(pi, vsi_node->children[j]);
+
+- /* reset the counter again since the num
+- * children will be updated after node removal
+- */
+- j = 0;
+- } else {
+- j++;
+- }
+- }
+- /* remove the VSI if it has no children */
+- if (!vsi_node->num_children) {
+- ice_free_sched_node(pi, vsi_node);
+- vsi_ctx->sched.vsi_node[i] = NULL;
++ vsi_ctx->sched.vsi_node[i] = NULL;
+
+- /* clean up aggregator related VSI info if any */
+- ice_sched_rm_agg_vsi_info(pi, vsi_handle);
+- }
+ if (owner == ICE_SCHED_NODE_OWNER_LAN)
+ vsi_ctx->sched.max_lanq[i] = 0;
+ else
+--
+2.39.5
+
--- /dev/null
+From 69768313091bccf473bcc3eeb39c89d1234e538c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Mar 2025 12:52:47 +0100
+Subject: iio: adc: ad7124: Fix 3dB filter frequency reading
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
+
+[ Upstream commit 8712e4986e7ce42a14c762c4c350f290989986a5 ]
+
+The sinc4 filter has a factor 0.23 between Output Data Rate and f_{3dB}
+and for sinc3 the factor is 0.272 according to the data sheets for
+ad7124-4 (Rev. E.) and ad7124-8 (Rev. F).
+
+Fixes: cef2760954cf ("iio: adc: ad7124: add 3db filter")
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
+Reviewed-by: Marcelo Schmitt <marcelo.schmitt@analog.com>
+Link: https://patch.msgid.link/20250317115247.3735016-6-u.kleine-koenig@baylibre.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/ad7124.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/iio/adc/ad7124.c b/drivers/iio/adc/ad7124.c
+index 307a607bf56c7..1e0af424f34f6 100644
+--- a/drivers/iio/adc/ad7124.c
++++ b/drivers/iio/adc/ad7124.c
+@@ -299,9 +299,9 @@ static int ad7124_get_3db_filter_freq(struct ad7124_state *st,
+
+ switch (st->channels[channel].cfg.filter_type) {
+ case AD7124_SINC3_FILTER:
+- return DIV_ROUND_CLOSEST(fadc * 230, 1000);
++ return DIV_ROUND_CLOSEST(fadc * 272, 1000);
+ case AD7124_SINC4_FILTER:
+- return DIV_ROUND_CLOSEST(fadc * 262, 1000);
++ return DIV_ROUND_CLOSEST(fadc * 230, 1000);
+ default:
+ return -EINVAL;
+ }
+--
+2.39.5
+
--- /dev/null
+From 8aed13500c5ef1963913bd07233538dade380de5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Mar 2025 13:48:27 -0400
+Subject: iio: filter: admv8818: fix band 4, state 15
+
+From: Sam Winchenbach <swinchenbach@arka.org>
+
+[ Upstream commit ef0ce24f590ac075d5eda11f2d6434b303333ed6 ]
+
+Corrects the upper range of LPF Band 4 from 18.5 GHz to 18.85 GHz per
+the ADMV8818 datasheet
+
+Fixes: f34fe888ad05 ("iio:filter:admv8818: add support for ADMV8818")
+Signed-off-by: Sam Winchenbach <swinchenbach@arka.org>
+Link: https://patch.msgid.link/20250328174831.227202-3-sam.winchenbach@framepointer.org
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/filter/admv8818.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iio/filter/admv8818.c b/drivers/iio/filter/admv8818.c
+index c7f5911f9040d..a50a8ea2f8dda 100644
+--- a/drivers/iio/filter/admv8818.c
++++ b/drivers/iio/filter/admv8818.c
+@@ -102,7 +102,7 @@ static const unsigned long long freq_range_lpf[4][2] = {
+ {2050000000ULL, 3850000000ULL},
+ {3350000000ULL, 7250000000ULL},
+ {7000000000, 13000000000},
+- {12550000000, 18500000000}
++ {12550000000, 18850000000}
+ };
+
+ static const struct regmap_config admv8818_regmap_config = {
+--
+2.39.5
+
--- /dev/null
+From 931d8bef48b46185529fb2d93feef85c8f1f27dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Mar 2025 13:48:28 -0400
+Subject: iio: filter: admv8818: fix integer overflow
+
+From: Sam Winchenbach <swinchenbach@arka.org>
+
+[ Upstream commit fb6009a28d77edec4eb548b5875dae8c79b88467 ]
+
+HZ_PER_MHZ is only unsigned long. This math overflows, leading to
+incorrect results.
+
+Fixes: f34fe888ad05 ("iio:filter:admv8818: add support for ADMV8818")
+Signed-off-by: Sam Winchenbach <swinchenbach@arka.org>
+Link: https://patch.msgid.link/20250328174831.227202-4-sam.winchenbach@framepointer.org
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/filter/admv8818.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iio/filter/admv8818.c b/drivers/iio/filter/admv8818.c
+index a50a8ea2f8dda..831427aa89d83 100644
+--- a/drivers/iio/filter/admv8818.c
++++ b/drivers/iio/filter/admv8818.c
+@@ -152,7 +152,7 @@ static int __admv8818_hpf_select(struct admv8818_state *st, u64 freq)
+ }
+
+ /* Close HPF frequency gap between 12 and 12.5 GHz */
+- if (freq >= 12000 * HZ_PER_MHZ && freq <= 12500 * HZ_PER_MHZ) {
++ if (freq >= 12000ULL * HZ_PER_MHZ && freq < 12500ULL * HZ_PER_MHZ) {
+ hpf_band = 3;
+ hpf_step = 15;
+ }
+--
+2.39.5
+
--- /dev/null
+From 7086109620c4afb4fcddc9e7438ce60391fcd2fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Mar 2025 13:48:29 -0400
+Subject: iio: filter: admv8818: fix range calculation
+
+From: Sam Winchenbach <swinchenbach@arka.org>
+
+[ Upstream commit d542db7095d322bfcdc8e306db6f8c48358c9619 ]
+
+Search for the minimum error while ensuring that the LPF corner
+frequency is greater than the target, and the HPF corner frequency
+is lower than the target
+
+This fixes issues where the range calculations were suboptimal.
+
+Add two new DTS properties to set the margin between the input frequency
+and the calculated corner frequency
+
+Below is a generated table of the differences between the old algorithm
+and the new. This is a sweep from 0 to 20 GHz in 10 MHz steps.
+=== HPF ===
+freq = 1750 MHz, 3db: bypass => 1750 MHz
+freq = 3400 MHz, 3db: 3310 => 3400 MHz
+freq = 3410 MHz, 3db: 3310 => 3400 MHz
+freq = 3420 MHz, 3db: 3310 => 3400 MHz
+freq = 3660 MHz, 3db: 3550 => 3656 MHz
+freq = 6600 MHz, 3db: 6479 => 6600 MHz
+freq = 6610 MHz, 3db: 6479 => 6600 MHz
+freq = 6620 MHz, 3db: 6479 => 6600 MHz
+freq = 6630 MHz, 3db: 6479 => 6600 MHz
+freq = 6640 MHz, 3db: 6479 => 6600 MHz
+freq = 6650 MHz, 3db: 6479 => 6600 MHz
+freq = 6660 MHz, 3db: 6479 => 6600 MHz
+freq = 6670 MHz, 3db: 6479 => 6600 MHz
+freq = 6680 MHz, 3db: 6479 => 6600 MHz
+freq = 6690 MHz, 3db: 6479 => 6600 MHz
+freq = 6700 MHz, 3db: 6479 => 6600 MHz
+freq = 6710 MHz, 3db: 6479 => 6600 MHz
+freq = 6720 MHz, 3db: 6479 => 6600 MHz
+freq = 6730 MHz, 3db: 6479 => 6600 MHz
+freq = 6960 MHz, 3db: 6736 => 6960 MHz
+freq = 6970 MHz, 3db: 6736 => 6960 MHz
+freq = 6980 MHz, 3db: 6736 => 6960 MHz
+freq = 6990 MHz, 3db: 6736 => 6960 MHz
+freq = 7320 MHz, 3db: 7249 => 7320 MHz
+freq = 7330 MHz, 3db: 7249 => 7320 MHz
+freq = 7340 MHz, 3db: 7249 => 7320 MHz
+freq = 7350 MHz, 3db: 7249 => 7320 MHz
+freq = 7360 MHz, 3db: 7249 => 7320 MHz
+freq = 7370 MHz, 3db: 7249 => 7320 MHz
+freq = 7380 MHz, 3db: 7249 => 7320 MHz
+freq = 7390 MHz, 3db: 7249 => 7320 MHz
+freq = 7400 MHz, 3db: 7249 => 7320 MHz
+freq = 7410 MHz, 3db: 7249 => 7320 MHz
+freq = 7420 MHz, 3db: 7249 => 7320 MHz
+freq = 7430 MHz, 3db: 7249 => 7320 MHz
+freq = 7440 MHz, 3db: 7249 => 7320 MHz
+freq = 7450 MHz, 3db: 7249 => 7320 MHz
+freq = 7460 MHz, 3db: 7249 => 7320 MHz
+freq = 7470 MHz, 3db: 7249 => 7320 MHz
+freq = 7480 MHz, 3db: 7249 => 7320 MHz
+freq = 7490 MHz, 3db: 7249 => 7320 MHz
+freq = 7500 MHz, 3db: 7249 => 7320 MHz
+freq = 12500 MHz, 3db: 12000 => 12500 MHz
+
+=== LPF ===
+freq = 2050 MHz, 3db: bypass => 2050 MHz
+freq = 2170 MHz, 3db: 2290 => 2170 MHz
+freq = 2290 MHz, 3db: 2410 => 2290 MHz
+freq = 2410 MHz, 3db: 2530 => 2410 MHz
+freq = 2530 MHz, 3db: 2650 => 2530 MHz
+freq = 2650 MHz, 3db: 2770 => 2650 MHz
+freq = 2770 MHz, 3db: 2890 => 2770 MHz
+freq = 2890 MHz, 3db: 3010 => 2890 MHz
+freq = 3010 MHz, 3db: 3130 => 3010 MHz
+freq = 3130 MHz, 3db: 3250 => 3130 MHz
+freq = 3250 MHz, 3db: 3370 => 3250 MHz
+freq = 3260 MHz, 3db: 3370 => 3350 MHz
+freq = 3270 MHz, 3db: 3370 => 3350 MHz
+freq = 3280 MHz, 3db: 3370 => 3350 MHz
+freq = 3290 MHz, 3db: 3370 => 3350 MHz
+freq = 3300 MHz, 3db: 3370 => 3350 MHz
+freq = 3310 MHz, 3db: 3370 => 3350 MHz
+freq = 3320 MHz, 3db: 3370 => 3350 MHz
+freq = 3330 MHz, 3db: 3370 => 3350 MHz
+freq = 3340 MHz, 3db: 3370 => 3350 MHz
+freq = 3350 MHz, 3db: 3370 => 3350 MHz
+freq = 3370 MHz, 3db: 3490 => 3370 MHz
+freq = 3490 MHz, 3db: 3610 => 3490 MHz
+freq = 3610 MHz, 3db: 3730 => 3610 MHz
+freq = 3730 MHz, 3db: 3850 => 3730 MHz
+freq = 3850 MHz, 3db: 3870 => 3850 MHz
+freq = 3870 MHz, 3db: 4130 => 3870 MHz
+freq = 4130 MHz, 3db: 4390 => 4130 MHz
+freq = 4390 MHz, 3db: 4650 => 4390 MHz
+freq = 4650 MHz, 3db: 4910 => 4650 MHz
+freq = 4910 MHz, 3db: 5170 => 4910 MHz
+freq = 5170 MHz, 3db: 5430 => 5170 MHz
+freq = 5430 MHz, 3db: 5690 => 5430 MHz
+freq = 5690 MHz, 3db: 5950 => 5690 MHz
+freq = 5950 MHz, 3db: 6210 => 5950 MHz
+freq = 6210 MHz, 3db: 6470 => 6210 MHz
+freq = 6470 MHz, 3db: 6730 => 6470 MHz
+freq = 6730 MHz, 3db: 6990 => 6730 MHz
+freq = 6990 MHz, 3db: 7250 => 6990 MHz
+freq = 7000 MHz, 3db: 7250 => 7000 MHz
+freq = 7250 MHz, 3db: 7400 => 7250 MHz
+freq = 7400 MHz, 3db: 7800 => 7400 MHz
+freq = 7800 MHz, 3db: 8200 => 7800 MHz
+freq = 8200 MHz, 3db: 8600 => 8200 MHz
+freq = 8600 MHz, 3db: 9000 => 8600 MHz
+freq = 9000 MHz, 3db: 9400 => 9000 MHz
+freq = 9400 MHz, 3db: 9800 => 9400 MHz
+freq = 9800 MHz, 3db: 10200 => 9800 MHz
+freq = 10200 MHz, 3db: 10600 => 10200 MHz
+freq = 10600 MHz, 3db: 11000 => 10600 MHz
+freq = 11000 MHz, 3db: 11400 => 11000 MHz
+freq = 11400 MHz, 3db: 11800 => 11400 MHz
+freq = 11800 MHz, 3db: 12200 => 11800 MHz
+freq = 12200 MHz, 3db: 12600 => 12200 MHz
+freq = 12210 MHz, 3db: 12600 => 12550 MHz
+freq = 12220 MHz, 3db: 12600 => 12550 MHz
+freq = 12230 MHz, 3db: 12600 => 12550 MHz
+freq = 12240 MHz, 3db: 12600 => 12550 MHz
+freq = 12250 MHz, 3db: 12600 => 12550 MHz
+freq = 12260 MHz, 3db: 12600 => 12550 MHz
+freq = 12270 MHz, 3db: 12600 => 12550 MHz
+freq = 12280 MHz, 3db: 12600 => 12550 MHz
+freq = 12290 MHz, 3db: 12600 => 12550 MHz
+freq = 12300 MHz, 3db: 12600 => 12550 MHz
+freq = 12310 MHz, 3db: 12600 => 12550 MHz
+freq = 12320 MHz, 3db: 12600 => 12550 MHz
+freq = 12330 MHz, 3db: 12600 => 12550 MHz
+freq = 12340 MHz, 3db: 12600 => 12550 MHz
+freq = 12350 MHz, 3db: 12600 => 12550 MHz
+freq = 12360 MHz, 3db: 12600 => 12550 MHz
+freq = 12370 MHz, 3db: 12600 => 12550 MHz
+freq = 12380 MHz, 3db: 12600 => 12550 MHz
+freq = 12390 MHz, 3db: 12600 => 12550 MHz
+freq = 12400 MHz, 3db: 12600 => 12550 MHz
+freq = 12410 MHz, 3db: 12600 => 12550 MHz
+freq = 12420 MHz, 3db: 12600 => 12550 MHz
+freq = 12430 MHz, 3db: 12600 => 12550 MHz
+freq = 12440 MHz, 3db: 12600 => 12550 MHz
+freq = 12450 MHz, 3db: 12600 => 12550 MHz
+freq = 12460 MHz, 3db: 12600 => 12550 MHz
+freq = 12470 MHz, 3db: 12600 => 12550 MHz
+freq = 12480 MHz, 3db: 12600 => 12550 MHz
+freq = 12490 MHz, 3db: 12600 => 12550 MHz
+freq = 12500 MHz, 3db: 12600 => 12550 MHz
+freq = 12510 MHz, 3db: 12600 => 12550 MHz
+freq = 12520 MHz, 3db: 12600 => 12550 MHz
+freq = 12530 MHz, 3db: 12600 => 12550 MHz
+freq = 12540 MHz, 3db: 12600 => 12550 MHz
+freq = 12550 MHz, 3db: 12600 => 12550 MHz
+freq = 12600 MHz, 3db: 13000 => 12600 MHz
+freq = 12610 MHz, 3db: 13000 => 12970 MHz
+freq = 12620 MHz, 3db: 13000 => 12970 MHz
+freq = 12630 MHz, 3db: 13000 => 12970 MHz
+freq = 12640 MHz, 3db: 13000 => 12970 MHz
+freq = 12650 MHz, 3db: 13000 => 12970 MHz
+freq = 12660 MHz, 3db: 13000 => 12970 MHz
+freq = 12670 MHz, 3db: 13000 => 12970 MHz
+freq = 12680 MHz, 3db: 13000 => 12970 MHz
+freq = 12690 MHz, 3db: 13000 => 12970 MHz
+freq = 12700 MHz, 3db: 13000 => 12970 MHz
+freq = 12710 MHz, 3db: 13000 => 12970 MHz
+freq = 12720 MHz, 3db: 13000 => 12970 MHz
+freq = 12730 MHz, 3db: 13000 => 12970 MHz
+freq = 12740 MHz, 3db: 13000 => 12970 MHz
+freq = 12750 MHz, 3db: 13000 => 12970 MHz
+freq = 12760 MHz, 3db: 13000 => 12970 MHz
+freq = 12770 MHz, 3db: 13000 => 12970 MHz
+freq = 12780 MHz, 3db: 13000 => 12970 MHz
+freq = 12790 MHz, 3db: 13000 => 12970 MHz
+freq = 12800 MHz, 3db: 13000 => 12970 MHz
+freq = 12810 MHz, 3db: 13000 => 12970 MHz
+freq = 12820 MHz, 3db: 13000 => 12970 MHz
+freq = 12830 MHz, 3db: 13000 => 12970 MHz
+freq = 12840 MHz, 3db: 13000 => 12970 MHz
+freq = 12850 MHz, 3db: 13000 => 12970 MHz
+freq = 12860 MHz, 3db: 13000 => 12970 MHz
+freq = 12870 MHz, 3db: 13000 => 12970 MHz
+freq = 12880 MHz, 3db: 13000 => 12970 MHz
+freq = 12890 MHz, 3db: 13000 => 12970 MHz
+freq = 12900 MHz, 3db: 13000 => 12970 MHz
+freq = 12910 MHz, 3db: 13000 => 12970 MHz
+freq = 12920 MHz, 3db: 13000 => 12970 MHz
+freq = 12930 MHz, 3db: 13000 => 12970 MHz
+freq = 12940 MHz, 3db: 13000 => 12970 MHz
+freq = 12950 MHz, 3db: 13000 => 12970 MHz
+freq = 12960 MHz, 3db: 13000 => 12970 MHz
+freq = 12970 MHz, 3db: 13000 => 12970 MHz
+freq = 13000 MHz, 3db: 13390 => 13000 MHz
+freq = 13390 MHz, 3db: 13810 => 13390 MHz
+freq = 13810 MHz, 3db: 14230 => 13810 MHz
+freq = 14230 MHz, 3db: 14650 => 14230 MHz
+freq = 14650 MHz, 3db: 15070 => 14650 MHz
+freq = 15070 MHz, 3db: 15490 => 15070 MHz
+freq = 15490 MHz, 3db: 15910 => 15490 MHz
+freq = 15910 MHz, 3db: 16330 => 15910 MHz
+freq = 16330 MHz, 3db: 16750 => 16330 MHz
+freq = 16750 MHz, 3db: 17170 => 16750 MHz
+freq = 17170 MHz, 3db: 17590 => 17170 MHz
+freq = 17590 MHz, 3db: 18010 => 17590 MHz
+freq = 18010 MHz, 3db: 18430 => 18010 MHz
+freq = 18430 MHz, 3db: 18850 => 18430 MHz
+freq = 18850 MHz, 3db: bypass => 18850 MHz
+
+Fixes: f34fe888ad05 ("iio:filter:admv8818: add support for ADMV8818")
+Signed-off-by: Sam Winchenbach <swinchenbach@arka.org>
+Link: https://patch.msgid.link/20250328174831.227202-5-sam.winchenbach@framepointer.org
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/filter/admv8818.c | 205 +++++++++++++++++++++++++---------
+ 1 file changed, 152 insertions(+), 53 deletions(-)
+
+diff --git a/drivers/iio/filter/admv8818.c b/drivers/iio/filter/admv8818.c
+index 831427aa89d83..2dfa92e052af8 100644
+--- a/drivers/iio/filter/admv8818.c
++++ b/drivers/iio/filter/admv8818.c
+@@ -14,6 +14,7 @@
+ #include <linux/mod_devicetable.h>
+ #include <linux/mutex.h>
+ #include <linux/notifier.h>
++#include <linux/property.h>
+ #include <linux/regmap.h>
+ #include <linux/spi/spi.h>
+ #include <linux/units.h>
+@@ -70,6 +71,16 @@
+ #define ADMV8818_HPF_WR0_MSK GENMASK(7, 4)
+ #define ADMV8818_LPF_WR0_MSK GENMASK(3, 0)
+
++#define ADMV8818_BAND_BYPASS 0
++#define ADMV8818_BAND_MIN 1
++#define ADMV8818_BAND_MAX 4
++#define ADMV8818_BAND_CORNER_LOW 0
++#define ADMV8818_BAND_CORNER_HIGH 1
++
++#define ADMV8818_STATE_MIN 0
++#define ADMV8818_STATE_MAX 15
++#define ADMV8818_NUM_STATES 16
++
+ enum {
+ ADMV8818_BW_FREQ,
+ ADMV8818_CENTER_FREQ
+@@ -89,16 +100,20 @@ struct admv8818_state {
+ struct mutex lock;
+ unsigned int filter_mode;
+ u64 cf_hz;
++ u64 lpf_margin_hz;
++ u64 hpf_margin_hz;
+ };
+
+-static const unsigned long long freq_range_hpf[4][2] = {
++static const unsigned long long freq_range_hpf[5][2] = {
++ {0ULL, 0ULL}, /* bypass */
+ {1750000000ULL, 3550000000ULL},
+ {3400000000ULL, 7250000000ULL},
+ {6600000000, 12000000000},
+ {12500000000, 19900000000}
+ };
+
+-static const unsigned long long freq_range_lpf[4][2] = {
++static const unsigned long long freq_range_lpf[5][2] = {
++ {U64_MAX, U64_MAX}, /* bypass */
+ {2050000000ULL, 3850000000ULL},
+ {3350000000ULL, 7250000000ULL},
+ {7000000000, 13000000000},
+@@ -119,44 +134,59 @@ static const char * const admv8818_modes[] = {
+
+ static int __admv8818_hpf_select(struct admv8818_state *st, u64 freq)
+ {
+- unsigned int hpf_step = 0, hpf_band = 0, i, j;
+- u64 freq_step;
+- int ret;
++ int band, state, ret;
++ unsigned int hpf_state = ADMV8818_STATE_MIN, hpf_band = ADMV8818_BAND_BYPASS;
++ u64 freq_error, min_freq_error, freq_corner, freq_step;
+
+- if (freq < freq_range_hpf[0][0])
++ if (freq < freq_range_hpf[ADMV8818_BAND_MIN][ADMV8818_BAND_CORNER_LOW])
+ goto hpf_write;
+
+- if (freq > freq_range_hpf[3][1]) {
+- hpf_step = 15;
+- hpf_band = 4;
+-
++ if (freq >= freq_range_hpf[ADMV8818_BAND_MAX][ADMV8818_BAND_CORNER_HIGH]) {
++ hpf_state = ADMV8818_STATE_MAX;
++ hpf_band = ADMV8818_BAND_MAX;
+ goto hpf_write;
+ }
+
+- for (i = 0; i < 4; i++) {
+- freq_step = div_u64((freq_range_hpf[i][1] -
+- freq_range_hpf[i][0]), 15);
++ /* Close HPF frequency gap between 12 and 12.5 GHz */
++ if (freq >= 12000ULL * HZ_PER_MHZ && freq < 12500ULL * HZ_PER_MHZ) {
++ hpf_state = ADMV8818_STATE_MAX;
++ hpf_band = 3;
++ goto hpf_write;
++ }
+
+- if (freq > freq_range_hpf[i][0] &&
+- (freq < freq_range_hpf[i][1] + freq_step)) {
+- hpf_band = i + 1;
++ min_freq_error = U64_MAX;
++ for (band = ADMV8818_BAND_MIN; band <= ADMV8818_BAND_MAX; band++) {
++ /*
++ * This (and therefore all other ranges) have a corner
++ * frequency higher than the target frequency.
++ */
++ if (freq_range_hpf[band][ADMV8818_BAND_CORNER_LOW] > freq)
++ break;
+
+- for (j = 1; j <= 16; j++) {
+- if (freq < (freq_range_hpf[i][0] + (freq_step * j))) {
+- hpf_step = j - 1;
+- break;
+- }
++ freq_step = freq_range_hpf[band][ADMV8818_BAND_CORNER_HIGH] -
++ freq_range_hpf[band][ADMV8818_BAND_CORNER_LOW];
++ freq_step = div_u64(freq_step, ADMV8818_NUM_STATES - 1);
++
++ for (state = ADMV8818_STATE_MIN; state <= ADMV8818_STATE_MAX; state++) {
++ freq_corner = freq_range_hpf[band][ADMV8818_BAND_CORNER_LOW] +
++ freq_step * state;
++
++ /*
++ * This (and therefore all other states) have a corner
++ * frequency higher than the target frequency.
++ */
++ if (freq_corner > freq)
++ break;
++
++ freq_error = freq - freq_corner;
++ if (freq_error < min_freq_error) {
++ min_freq_error = freq_error;
++ hpf_state = state;
++ hpf_band = band;
+ }
+- break;
+ }
+ }
+
+- /* Close HPF frequency gap between 12 and 12.5 GHz */
+- if (freq >= 12000ULL * HZ_PER_MHZ && freq < 12500ULL * HZ_PER_MHZ) {
+- hpf_band = 3;
+- hpf_step = 15;
+- }
+-
+ hpf_write:
+ ret = regmap_update_bits(st->regmap, ADMV8818_REG_WR0_SW,
+ ADMV8818_SW_IN_SET_WR0_MSK |
+@@ -168,7 +198,7 @@ static int __admv8818_hpf_select(struct admv8818_state *st, u64 freq)
+
+ return regmap_update_bits(st->regmap, ADMV8818_REG_WR0_FILTER,
+ ADMV8818_HPF_WR0_MSK,
+- FIELD_PREP(ADMV8818_HPF_WR0_MSK, hpf_step));
++ FIELD_PREP(ADMV8818_HPF_WR0_MSK, hpf_state));
+ }
+
+ static int admv8818_hpf_select(struct admv8818_state *st, u64 freq)
+@@ -184,31 +214,52 @@ static int admv8818_hpf_select(struct admv8818_state *st, u64 freq)
+
+ static int __admv8818_lpf_select(struct admv8818_state *st, u64 freq)
+ {
+- unsigned int lpf_step = 0, lpf_band = 0, i, j;
+- u64 freq_step;
+- int ret;
++ int band, state, ret;
++ unsigned int lpf_state = ADMV8818_STATE_MIN, lpf_band = ADMV8818_BAND_BYPASS;
++ u64 freq_error, min_freq_error, freq_corner, freq_step;
+
+- if (freq > freq_range_lpf[3][1])
++ if (freq > freq_range_lpf[ADMV8818_BAND_MAX][ADMV8818_BAND_CORNER_HIGH])
+ goto lpf_write;
+
+- if (freq < freq_range_lpf[0][0]) {
+- lpf_band = 1;
+-
++ if (freq < freq_range_lpf[ADMV8818_BAND_MIN][ADMV8818_BAND_CORNER_LOW]) {
++ lpf_state = ADMV8818_STATE_MIN;
++ lpf_band = ADMV8818_BAND_MIN;
+ goto lpf_write;
+ }
+
+- for (i = 0; i < 4; i++) {
+- if (freq > freq_range_lpf[i][0] && freq < freq_range_lpf[i][1]) {
+- lpf_band = i + 1;
+- freq_step = div_u64((freq_range_lpf[i][1] - freq_range_lpf[i][0]), 15);
++ min_freq_error = U64_MAX;
++ for (band = ADMV8818_BAND_MAX; band >= ADMV8818_BAND_MIN; --band) {
++ /*
++ * At this point the highest corner frequency of
++ * all remaining ranges is below the target.
++ * LPF corner should be >= the target.
++ */
++ if (freq > freq_range_lpf[band][ADMV8818_BAND_CORNER_HIGH])
++ break;
++
++ freq_step = freq_range_lpf[band][ADMV8818_BAND_CORNER_HIGH] -
++ freq_range_lpf[band][ADMV8818_BAND_CORNER_LOW];
++ freq_step = div_u64(freq_step, ADMV8818_NUM_STATES - 1);
++
++ for (state = ADMV8818_STATE_MAX; state >= ADMV8818_STATE_MIN; --state) {
+
+- for (j = 0; j <= 15; j++) {
+- if (freq < (freq_range_lpf[i][0] + (freq_step * j))) {
+- lpf_step = j;
+- break;
+- }
++ freq_corner = freq_range_lpf[band][ADMV8818_BAND_CORNER_LOW] +
++ state * freq_step;
++
++ /*
++ * At this point all other states in range will
++ * place the corner frequency below the target
++ * LPF corner should >= the target.
++ */
++ if (freq > freq_corner)
++ break;
++
++ freq_error = freq_corner - freq;
++ if (freq_error < min_freq_error) {
++ min_freq_error = freq_error;
++ lpf_state = state;
++ lpf_band = band;
+ }
+- break;
+ }
+ }
+
+@@ -223,7 +274,7 @@ static int __admv8818_lpf_select(struct admv8818_state *st, u64 freq)
+
+ return regmap_update_bits(st->regmap, ADMV8818_REG_WR0_FILTER,
+ ADMV8818_LPF_WR0_MSK,
+- FIELD_PREP(ADMV8818_LPF_WR0_MSK, lpf_step));
++ FIELD_PREP(ADMV8818_LPF_WR0_MSK, lpf_state));
+ }
+
+ static int admv8818_lpf_select(struct admv8818_state *st, u64 freq)
+@@ -240,16 +291,28 @@ static int admv8818_lpf_select(struct admv8818_state *st, u64 freq)
+ static int admv8818_rfin_band_select(struct admv8818_state *st)
+ {
+ int ret;
++ u64 hpf_corner_target, lpf_corner_target;
+
+ st->cf_hz = clk_get_rate(st->clkin);
+
++ /* Check for underflow */
++ if (st->cf_hz > st->hpf_margin_hz)
++ hpf_corner_target = st->cf_hz - st->hpf_margin_hz;
++ else
++ hpf_corner_target = 0;
++
++ /* Check for overflow */
++ lpf_corner_target = st->cf_hz + st->lpf_margin_hz;
++ if (lpf_corner_target < st->cf_hz)
++ lpf_corner_target = U64_MAX;
++
+ mutex_lock(&st->lock);
+
+- ret = __admv8818_hpf_select(st, st->cf_hz);
++ ret = __admv8818_hpf_select(st, hpf_corner_target);
+ if (ret)
+ goto exit;
+
+- ret = __admv8818_lpf_select(st, st->cf_hz);
++ ret = __admv8818_lpf_select(st, lpf_corner_target);
+ exit:
+ mutex_unlock(&st->lock);
+ return ret;
+@@ -276,8 +339,11 @@ static int __admv8818_read_hpf_freq(struct admv8818_state *st, u64 *hpf_freq)
+
+ hpf_state = FIELD_GET(ADMV8818_HPF_WR0_MSK, data);
+
+- *hpf_freq = div_u64(freq_range_hpf[hpf_band - 1][1] - freq_range_hpf[hpf_band - 1][0], 15);
+- *hpf_freq = freq_range_hpf[hpf_band - 1][0] + (*hpf_freq * hpf_state);
++ *hpf_freq = freq_range_hpf[hpf_band][ADMV8818_BAND_CORNER_HIGH] -
++ freq_range_hpf[hpf_band][ADMV8818_BAND_CORNER_LOW];
++ *hpf_freq = div_u64(*hpf_freq, ADMV8818_NUM_STATES - 1);
++ *hpf_freq = freq_range_hpf[hpf_band][ADMV8818_BAND_CORNER_LOW] +
++ (*hpf_freq * hpf_state);
+
+ return ret;
+ }
+@@ -314,8 +380,11 @@ static int __admv8818_read_lpf_freq(struct admv8818_state *st, u64 *lpf_freq)
+
+ lpf_state = FIELD_GET(ADMV8818_LPF_WR0_MSK, data);
+
+- *lpf_freq = div_u64(freq_range_lpf[lpf_band - 1][1] - freq_range_lpf[lpf_band - 1][0], 15);
+- *lpf_freq = freq_range_lpf[lpf_band - 1][0] + (*lpf_freq * lpf_state);
++ *lpf_freq = freq_range_lpf[lpf_band][ADMV8818_BAND_CORNER_HIGH] -
++ freq_range_lpf[lpf_band][ADMV8818_BAND_CORNER_LOW];
++ *lpf_freq = div_u64(*lpf_freq, ADMV8818_NUM_STATES - 1);
++ *lpf_freq = freq_range_lpf[lpf_band][ADMV8818_BAND_CORNER_LOW] +
++ (*lpf_freq * lpf_state);
+
+ return ret;
+ }
+@@ -594,6 +663,32 @@ static int admv8818_clk_setup(struct admv8818_state *st)
+ return devm_add_action_or_reset(&spi->dev, admv8818_clk_notifier_unreg, st);
+ }
+
++static int admv8818_read_properties(struct admv8818_state *st)
++{
++ struct spi_device *spi = st->spi;
++ u32 mhz;
++ int ret;
++
++ ret = device_property_read_u32(&spi->dev, "adi,lpf-margin-mhz", &mhz);
++ if (ret == 0)
++ st->lpf_margin_hz = (u64)mhz * HZ_PER_MHZ;
++ else if (ret == -EINVAL)
++ st->lpf_margin_hz = 0;
++ else
++ return ret;
++
++
++ ret = device_property_read_u32(&spi->dev, "adi,hpf-margin-mhz", &mhz);
++ if (ret == 0)
++ st->hpf_margin_hz = (u64)mhz * HZ_PER_MHZ;
++ else if (ret == -EINVAL)
++ st->hpf_margin_hz = 0;
++ else if (ret < 0)
++ return ret;
++
++ return 0;
++}
++
+ static int admv8818_probe(struct spi_device *spi)
+ {
+ struct iio_dev *indio_dev;
+@@ -625,6 +720,10 @@ static int admv8818_probe(struct spi_device *spi)
+
+ mutex_init(&st->lock);
+
++ ret = admv8818_read_properties(st);
++ if (ret)
++ return ret;
++
+ ret = admv8818_init(st);
+ if (ret)
+ return ret;
+--
+2.39.5
+
--- /dev/null
+From 8cc88e732571fbb8e1561c96fe127721a4867e35 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Mar 2025 13:48:31 -0400
+Subject: iio: filter: admv8818: Support frequencies >= 2^32
+
+From: Brian Pellegrino <bpellegrino@arka.org>
+
+[ Upstream commit 9016776f1301627de78a633bda7c898425a56572 ]
+
+This patch allows writing u64 values to the ADMV8818's high and low-pass
+filter frequencies. It includes the following changes:
+
+- Rejects negative frequencies in admv8818_write_raw.
+- Adds a write_raw_get_fmt function to admv8818's iio_info, returning
+ IIO_VAL_INT_64 for the high and low-pass filter 3dB frequency channels.
+
+Fixes: f34fe888ad05 ("iio:filter:admv8818: add support for ADMV8818")
+Signed-off-by: Brian Pellegrino <bpellegrino@arka.org>
+Signed-off-by: Sam Winchenbach <swinchenbach@arka.org>
+Link: https://patch.msgid.link/20250328174831.227202-7-sam.winchenbach@framepointer.org
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/filter/admv8818.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/drivers/iio/filter/admv8818.c b/drivers/iio/filter/admv8818.c
+index 2dfa92e052af8..b83d655274325 100644
+--- a/drivers/iio/filter/admv8818.c
++++ b/drivers/iio/filter/admv8818.c
+@@ -400,6 +400,19 @@ static int admv8818_read_lpf_freq(struct admv8818_state *st, u64 *lpf_freq)
+ return ret;
+ }
+
++static int admv8818_write_raw_get_fmt(struct iio_dev *indio_dev,
++ struct iio_chan_spec const *chan,
++ long mask)
++{
++ switch (mask) {
++ case IIO_CHAN_INFO_LOW_PASS_FILTER_3DB_FREQUENCY:
++ case IIO_CHAN_INFO_HIGH_PASS_FILTER_3DB_FREQUENCY:
++ return IIO_VAL_INT_64;
++ default:
++ return -EINVAL;
++ }
++}
++
+ static int admv8818_write_raw(struct iio_dev *indio_dev,
+ struct iio_chan_spec const *chan,
+ int val, int val2, long info)
+@@ -408,6 +421,9 @@ static int admv8818_write_raw(struct iio_dev *indio_dev,
+
+ u64 freq = ((u64)val2 << 32 | (u32)val);
+
++ if ((s64)freq < 0)
++ return -EINVAL;
++
+ switch (info) {
+ case IIO_CHAN_INFO_LOW_PASS_FILTER_3DB_FREQUENCY:
+ return admv8818_lpf_select(st, freq);
+@@ -524,6 +540,7 @@ static int admv8818_set_mode(struct iio_dev *indio_dev,
+
+ static const struct iio_info admv8818_info = {
+ .write_raw = admv8818_write_raw,
++ .write_raw_get_fmt = admv8818_write_raw_get_fmt,
+ .read_raw = admv8818_read_raw,
+ .debugfs_reg_access = &admv8818_reg_access,
+ };
+--
+2.39.5
+
--- /dev/null
+From 599c28ce4d80968e61b931734c5609a87e3a6b8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Apr 2025 10:08:37 -0300
+Subject: iommu: Protect against overflow in iommu_pgsize()
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+[ Upstream commit e586e22974d2b7acbef3c6c3e01b2d5ce69efe33 ]
+
+On a 32 bit system calling:
+ iommu_map(0, 0x40000000)
+
+When using the AMD V1 page table type with a domain->pgsize of 0xfffff000
+causes iommu_pgsize() to miscalculate a result of:
+ size=0x40000000 count=2
+
+count should be 1. This completely corrupts the mapping process.
+
+This is because the final test to adjust the pagesize malfunctions when
+the addition overflows. Use check_add_overflow() to prevent this.
+
+Fixes: b1d99dc5f983 ("iommu: Hook up '->unmap_pages' driver callback")
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com>
+Link: https://lore.kernel.org/r/0-v1-3ad28fc2e3a3+163327-iommu_overflow_pgsize_jgg@nvidia.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/iommu.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
+index 83736824f17d1..ae9ca0700ad22 100644
+--- a/drivers/iommu/iommu.c
++++ b/drivers/iommu/iommu.c
+@@ -2202,6 +2202,7 @@ static size_t iommu_pgsize(struct iommu_domain *domain, unsigned long iova,
+ unsigned int pgsize_idx, pgsize_idx_next;
+ unsigned long pgsizes;
+ size_t offset, pgsize, pgsize_next;
++ size_t offset_end;
+ unsigned long addr_merge = paddr | iova;
+
+ /* Page sizes supported by the hardware and small enough for @size */
+@@ -2242,7 +2243,8 @@ static size_t iommu_pgsize(struct iommu_domain *domain, unsigned long iova,
+ * If size is big enough to accommodate the larger page, reduce
+ * the number of smaller pages.
+ */
+- if (offset + pgsize_next <= size)
++ if (!check_add_overflow(offset, pgsize_next, &offset_end) &&
++ offset_end <= size)
+ size = offset;
+
+ out_set_count:
+--
+2.39.5
+
--- /dev/null
+From 484a356efb39b2013c78b8aa502bb63e9cac0cef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 May 2025 15:10:44 +0200
+Subject: iommu: remove duplicate selection of DMAR_TABLE
+
+From: Rolf Eike Beer <eb@emlix.com>
+
+[ Upstream commit 9548feff840a05d61783e6316d08ed37e115f3b1 ]
+
+This is already done in intel/Kconfig.
+
+Fixes: 70bad345e622 ("iommu: Fix compilation without CONFIG_IOMMU_INTEL")
+Signed-off-by: Rolf Eike Beer <eb@emlix.com>
+Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com>
+Link: https://lore.kernel.org/r/2232605.Mh6RI2rZIc@devpool92.emlix.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/iommu/Kconfig b/drivers/iommu/Kconfig
+index dc19e7fb07cfe..fad36f0a4d14b 100644
+--- a/drivers/iommu/Kconfig
++++ b/drivers/iommu/Kconfig
+@@ -192,7 +192,6 @@ source "drivers/iommu/intel/Kconfig"
+ config IRQ_REMAP
+ bool "Support for Interrupt Remapping"
+ depends on X86_64 && X86_IO_APIC && PCI_MSI && ACPI
+- select DMAR_TABLE if INTEL_IOMMU
+ help
+ Supports Interrupt remapping for IO-APIC and MSI devices.
+ To use x2apic mode in the CPU's which support x2APIC enhancements or
+--
+2.39.5
+
--- /dev/null
+From 803fa1577ff9d51a02e335d409c62b571867b2c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 May 2025 14:12:00 +0200
+Subject: kernfs: Relax constraint in draining guard
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michal Koutný <mkoutny@suse.com>
+
+[ Upstream commit 071d8e4c2a3b0999a9b822e2eb8854784a350f8a ]
+
+The active reference lifecycle provides the break/unbreak mechanism but
+the active reference is not truly active after unbreak -- callers don't
+use it afterwards but it's important for proper pairing of kn->active
+counting. Assuming this mechanism is in place, the WARN check in
+kernfs_should_drain_open_files() is too sensitive -- it may transiently
+catch those (rightful) callers between
+kernfs_unbreak_active_protection() and kernfs_put_active() as found out by Chen
+Ridong:
+
+ kernfs_remove_by_name_ns kernfs_get_active // active=1
+ __kernfs_remove // active=0x80000002
+ kernfs_drain ...
+ wait_event
+ //waiting (active == 0x80000001)
+ kernfs_break_active_protection
+ // active = 0x80000001
+ // continue
+ kernfs_unbreak_active_protection
+ // active = 0x80000002
+ ...
+ kernfs_should_drain_open_files
+ // warning occurs
+ kernfs_put_active
+
+To avoid the false positives (mind panic_on_warn) remove the check altogether.
+(This is meant as quick fix, I think active reference break/unbreak may be
+simplified with larger rework.)
+
+Fixes: bdb2fd7fc56e1 ("kernfs: Skip kernfs_drain_open_files() more aggressively")
+Link: https://lore.kernel.org/r/kmmrseckjctb4gxcx2rdminrjnq2b4ipf7562nvfd432ld5v5m@2byj5eedkb2o/
+
+Cc: Chen Ridong <chenridong@huawei.com>
+Signed-off-by: Michal Koutný <mkoutny@suse.com>
+Acked-by: Tejun Heo <tj@kernel.org>
+Link: https://lore.kernel.org/r/20250505121201.879823-1-mkoutny@suse.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/kernfs/dir.c | 5 +++--
+ fs/kernfs/file.c | 3 ++-
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c
+index 2c74b24fc22aa..a259fe3471a98 100644
+--- a/fs/kernfs/dir.c
++++ b/fs/kernfs/dir.c
+@@ -1532,8 +1532,9 @@ void kernfs_break_active_protection(struct kernfs_node *kn)
+ * invoked before finishing the kernfs operation. Note that while this
+ * function restores the active reference, it doesn't and can't actually
+ * restore the active protection - @kn may already or be in the process of
+- * being removed. Once kernfs_break_active_protection() is invoked, that
+- * protection is irreversibly gone for the kernfs operation instance.
++ * being drained and removed. Once kernfs_break_active_protection() is
++ * invoked, that protection is irreversibly gone for the kernfs operation
++ * instance.
+ *
+ * While this function may be called at any point after
+ * kernfs_break_active_protection() is invoked, its most useful location
+diff --git a/fs/kernfs/file.c b/fs/kernfs/file.c
+index adf3536cfec81..cf57b7cc3a430 100644
+--- a/fs/kernfs/file.c
++++ b/fs/kernfs/file.c
+@@ -820,8 +820,9 @@ bool kernfs_should_drain_open_files(struct kernfs_node *kn)
+ /*
+ * @kn being deactivated guarantees that @kn->attr.open can't change
+ * beneath us making the lockless test below safe.
++ * Callers post kernfs_unbreak_active_protection may be counted in
++ * kn->active by now, do not WARN_ON because of them.
+ */
+- WARN_ON_ONCE(atomic_read(&kn->active) != KN_DEACTIVATED_BIAS);
+
+ rcu_read_lock();
+ on = rcu_dereference(kn->attr.open);
+--
+2.39.5
+
--- /dev/null
+From 6bc5b4acf1a14236085b9d4e5ca3bb9944244e18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Apr 2025 13:59:57 +0800
+Subject: ktls, sockmap: Fix missing uncharge operation
+
+From: Jiayuan Chen <jiayuan.chen@linux.dev>
+
+[ Upstream commit 79f0c39ae7d3dc628c01b02f23ca5d01f9875040 ]
+
+When we specify apply_bytes, we divide the msg into multiple segments,
+each with a length of 'send', and every time we send this part of the data
+using tcp_bpf_sendmsg_redir(), we use sk_msg_return_zero() to uncharge the
+memory of the specified 'send' size.
+
+However, if the first segment of data fails to send, for example, the
+peer's buffer is full, we need to release all of the msg. When releasing
+the msg, we haven't uncharged the memory of the subsequent segments.
+
+This modification does not make significant logical changes, but only
+fills in the missing uncharge places.
+
+This issue has existed all along, until it was exposed after we added the
+apply test in test_sockmap:
+commit 3448ad23b34e ("selftests/bpf: Add apply_bytes test to test_txmsg_redir_wait_sndmem in test_sockmap")
+
+Fixes: d3b18ad31f93 ("tls: add bpf support to sk_msg handling")
+Reported-by: Cong Wang <xiyou.wangcong@gmail.com>
+Closes: https://lore.kernel.org/bpf/aAmIi0vlycHtbXeb@pop-os.localdomain/T/#t
+Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
+Link: https://lore.kernel.org/r/20250425060015.6968-2-jiayuan.chen@linux.dev
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tls/tls_sw.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
+index af820ae9b1a52..5f95f837dfc7f 100644
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -904,6 +904,13 @@ static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk,
+ &msg_redir, send, flags);
+ lock_sock(sk);
+ if (err < 0) {
++ /* Regardless of whether the data represented by
++ * msg_redir is sent successfully, we have already
++ * uncharged it via sk_msg_return_zero(). The
++ * msg->sg.size represents the remaining unprocessed
++ * data, which needs to be uncharged here.
++ */
++ sk_mem_uncharge(sk, msg->sg.size);
+ *copied -= sk_msg_free_nocharge(sk, &msg_redir);
+ msg->sg.size = 0;
+ }
+--
+2.39.5
+
--- /dev/null
+From 313ffe397745e6132e9c88e05f1f07c3e6cf6d51 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Apr 2025 17:50:14 +0200
+Subject: libbpf: Fix buffer overflow in bpf_object__init_prog
+
+From: Viktor Malik <vmalik@redhat.com>
+
+[ Upstream commit ee684de5c1b0ac01821320826baec7da93f3615b ]
+
+As shown in [1], it is possible to corrupt a BPF ELF file such that
+arbitrary BPF instructions are loaded by libbpf. This can be done by
+setting a symbol (BPF program) section offset to a large (unsigned)
+number such that <section start + symbol offset> overflows and points
+before the section data in the memory.
+
+Consider the situation below where:
+- prog_start = sec_start + symbol_offset <-- size_t overflow here
+- prog_end = prog_start + prog_size
+
+ prog_start sec_start prog_end sec_end
+ | | | |
+ v v v v
+ .....................|################################|............
+
+The report in [1] also provides a corrupted BPF ELF which can be used as
+a reproducer:
+
+ $ readelf -S crash
+ Section Headers:
+ [Nr] Name Type Address Offset
+ Size EntSize Flags Link Info Align
+ ...
+ [ 2] uretprobe.mu[...] PROGBITS 0000000000000000 00000040
+ 0000000000000068 0000000000000000 AX 0 0 8
+
+ $ readelf -s crash
+ Symbol table '.symtab' contains 8 entries:
+ Num: Value Size Type Bind Vis Ndx Name
+ ...
+ 6: ffffffffffffffb8 104 FUNC GLOBAL DEFAULT 2 handle_tp
+
+Here, the handle_tp prog has section offset ffffffffffffffb8, i.e. will
+point before the actual memory where section 2 is allocated.
+
+This is also reported by AddressSanitizer:
+
+ =================================================================
+ ==1232==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7c7302fe0000 at pc 0x7fc3046e4b77 bp 0x7ffe64677cd0 sp 0x7ffe64677490
+ READ of size 104 at 0x7c7302fe0000 thread T0
+ #0 0x7fc3046e4b76 in memcpy (/lib64/libasan.so.8+0xe4b76)
+ #1 0x00000040df3e in bpf_object__init_prog /src/libbpf/src/libbpf.c:856
+ #2 0x00000040df3e in bpf_object__add_programs /src/libbpf/src/libbpf.c:928
+ #3 0x00000040df3e in bpf_object__elf_collect /src/libbpf/src/libbpf.c:3930
+ #4 0x00000040df3e in bpf_object_open /src/libbpf/src/libbpf.c:8067
+ #5 0x00000040f176 in bpf_object__open_file /src/libbpf/src/libbpf.c:8090
+ #6 0x000000400c16 in main /poc/poc.c:8
+ #7 0x7fc3043d25b4 in __libc_start_call_main (/lib64/libc.so.6+0x35b4)
+ #8 0x7fc3043d2667 in __libc_start_main@@GLIBC_2.34 (/lib64/libc.so.6+0x3667)
+ #9 0x000000400b34 in _start (/poc/poc+0x400b34)
+
+ 0x7c7302fe0000 is located 64 bytes before 104-byte region [0x7c7302fe0040,0x7c7302fe00a8)
+ allocated by thread T0 here:
+ #0 0x7fc3046e716b in malloc (/lib64/libasan.so.8+0xe716b)
+ #1 0x7fc3045ee600 in __libelf_set_rawdata_wrlock (/lib64/libelf.so.1+0xb600)
+ #2 0x7fc3045ef018 in __elf_getdata_rdlock (/lib64/libelf.so.1+0xc018)
+ #3 0x00000040642f in elf_sec_data /src/libbpf/src/libbpf.c:3740
+
+The problem here is that currently, libbpf only checks that the program
+end is within the section bounds. There used to be a check
+`while (sec_off < sec_sz)` in bpf_object__add_programs, however, it was
+removed by commit 6245947c1b3c ("libbpf: Allow gaps in BPF program
+sections to support overriden weak functions").
+
+Add a check for detecting the overflow of `sec_off + prog_sz` to
+bpf_object__init_prog to fix this issue.
+
+[1] https://github.com/lmarch2/poc/blob/main/libbpf/libbpf.md
+
+Fixes: 6245947c1b3c ("libbpf: Allow gaps in BPF program sections to support overriden weak functions")
+Reported-by: lmarch2 <2524158037@qq.com>
+Signed-off-by: Viktor Malik <vmalik@redhat.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Reviewed-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
+Link: https://github.com/lmarch2/poc/blob/main/libbpf/libbpf.md
+Link: https://lore.kernel.org/bpf/20250415155014.397603-1-vmalik@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/libbpf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
+index 98d5e566e0582..2fb66ca0f50a5 100644
+--- a/tools/lib/bpf/libbpf.c
++++ b/tools/lib/bpf/libbpf.c
+@@ -818,7 +818,7 @@ bpf_object__add_programs(struct bpf_object *obj, Elf_Data *sec_data,
+ return -LIBBPF_ERRNO__FORMAT;
+ }
+
+- if (sec_off + prog_sz > sec_sz) {
++ if (sec_off + prog_sz > sec_sz || sec_off + prog_sz < sec_off) {
+ pr_warn("sec '%s': program at offset %zu crosses section boundary\n",
+ sec_name, sec_off);
+ return -LIBBPF_ERRNO__FORMAT;
+--
+2.39.5
+
--- /dev/null
+From e08672e88a999a48f2545313ec7b096a5b30d9b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Apr 2025 12:08:20 +0000
+Subject: libbpf: Use proper errno value in linker
+
+From: Anton Protopopov <a.s.protopopov@gmail.com>
+
+[ Upstream commit 358b1c0f56ebb6996fcec7dcdcf6bae5dcbc8b6c ]
+
+Return values of the linker_append_sec_data() and the
+linker_append_elf_relos() functions are propagated all the
+way up to users of libbpf API. In some error cases these
+functions return -1 which will be seen as -EPERM from user's
+point of view. Instead, return a more reasonable -EINVAL.
+
+Fixes: faf6ed321cf6 ("libbpf: Add BPF static linker APIs")
+Signed-off-by: Anton Protopopov <a.s.protopopov@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20250430120820.2262053-1-a.s.protopopov@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/linker.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/lib/bpf/linker.c b/tools/lib/bpf/linker.c
+index 752ef88c9fd97..0bee018a6a6c0 100644
+--- a/tools/lib/bpf/linker.c
++++ b/tools/lib/bpf/linker.c
+@@ -1175,7 +1175,7 @@ static int linker_append_sec_data(struct bpf_linker *linker, struct src_obj *obj
+ } else {
+ if (!secs_match(dst_sec, src_sec)) {
+ pr_warn("ELF sections %s are incompatible\n", src_sec->sec_name);
+- return -1;
++ return -EINVAL;
+ }
+
+ /* "license" and "version" sections are deduped */
+@@ -2023,7 +2023,7 @@ static int linker_append_elf_relos(struct bpf_linker *linker, struct src_obj *ob
+ }
+ } else if (!secs_match(dst_sec, src_sec)) {
+ pr_warn("sections %s are not compatible\n", src_sec->sec_name);
+- return -1;
++ return -EINVAL;
+ }
+
+ /* add_dst_sec() above could have invalidated linker->secs */
+--
+2.39.5
+
--- /dev/null
+From 7e1a6c7a4dc05b1794fa86ad35ace9fb2e58f999 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 May 2025 18:20:11 +0000
+Subject: libbpf: Use proper errno value in nlattr
+
+From: Anton Protopopov <a.s.protopopov@gmail.com>
+
+[ Upstream commit fd5fd538a1f4b34cee6823ba0ddda2f7a55aca96 ]
+
+Return value of the validate_nla() function can be propagated all the
+way up to users of libbpf API. In case of error this libbpf version
+of validate_nla returns -1 which will be seen as -EPERM from user's
+point of view. Instead, return a more reasonable -EINVAL.
+
+Fixes: bbf48c18ee0c ("libbpf: add error reporting in XDP")
+Suggested-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Anton Protopopov <a.s.protopopov@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20250510182011.2246631-1-a.s.protopopov@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/nlattr.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/tools/lib/bpf/nlattr.c b/tools/lib/bpf/nlattr.c
+index 975e265eab3bf..06663f9ea581f 100644
+--- a/tools/lib/bpf/nlattr.c
++++ b/tools/lib/bpf/nlattr.c
+@@ -63,16 +63,16 @@ static int validate_nla(struct nlattr *nla, int maxtype,
+ minlen = nla_attr_minlen[pt->type];
+
+ if (libbpf_nla_len(nla) < minlen)
+- return -1;
++ return -EINVAL;
+
+ if (pt->maxlen && libbpf_nla_len(nla) > pt->maxlen)
+- return -1;
++ return -EINVAL;
+
+ if (pt->type == LIBBPF_NLA_STRING) {
+ char *data = libbpf_nla_data(nla);
+
+ if (data[libbpf_nla_len(nla) - 1] != '\0')
+- return -1;
++ return -EINVAL;
+ }
+
+ return 0;
+@@ -118,19 +118,18 @@ int libbpf_nla_parse(struct nlattr *tb[], int maxtype, struct nlattr *head,
+ if (policy) {
+ err = validate_nla(nla, maxtype, policy);
+ if (err < 0)
+- goto errout;
++ return err;
+ }
+
+- if (tb[type])
++ if (tb[type]) {
+ pr_warn("Attribute of type %#x found multiple times in message, "
+ "previous attribute is being ignored.\n", type);
++ }
+
+ tb[type] = nla;
+ }
+
+- err = 0;
+-errout:
+- return err;
++ return 0;
+ }
+
+ /**
+--
+2.39.5
+
--- /dev/null
+From c6cf4613a96bda43b678619a3cbc2353680c5ee1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Apr 2025 10:07:26 +1000
+Subject: m68k: mac: Fix macintosh_config for Mac II
+
+From: Finn Thain <fthain@linux-m68k.org>
+
+[ Upstream commit 52ae3f5da7e5adbe3d1319573b55dac470abb83c ]
+
+When booted on my Mac II, the kernel prints this:
+
+ Detected Macintosh model: 6
+ Apple Macintosh Unknown
+
+The catch-all entry ("Unknown") is mac_data_table[0] which is only needed
+in the unlikely event that the bootinfo model ID can't be matched.
+When model ID is 6, the search should begin and end at mac_data_table[1].
+Fix the off-by-one error that causes this problem.
+
+Cc: Joshua Thompson <funaho@jurai.org>
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Finn Thain <fthain@linux-m68k.org>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Link: https://lore.kernel.org/d0f30a551064ca4810b1c48d5a90954be80634a9.1745453246.git.fthain@linux-m68k.org
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/mac/config.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/m68k/mac/config.c b/arch/m68k/mac/config.c
+index 382f656c29eae..9f5603e01a688 100644
+--- a/arch/m68k/mac/config.c
++++ b/arch/m68k/mac/config.c
+@@ -801,7 +801,7 @@ static void __init mac_identify(void)
+ }
+
+ macintosh_config = mac_data_table;
+- for (m = macintosh_config; m->ident != -1; m++) {
++ for (m = &mac_data_table[1]; m->ident != -1; m++) {
+ if (m->ident == model) {
+ macintosh_config = m;
+ break;
+--
+2.39.5
+
--- /dev/null
+From dba8e0698db0b777377765be1d3104096e5fdb37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Feb 2025 10:40:33 +0100
+Subject: media: rkvdec: Fix frame size enumeration
+
+From: Jonas Karlman <jonas@kwiboo.se>
+
+[ Upstream commit f270005b99fa19fee9a6b4006e8dee37c10f1944 ]
+
+The VIDIOC_ENUM_FRAMESIZES ioctl should return all frame sizes (i.e.
+width and height in pixels) that the device supports for the given pixel
+format.
+
+It doesn't make a lot of sense to return the frame-sizes in a stepwise
+manner, which is used to enforce hardware alignments requirements for
+CAPTURE buffers, for coded formats.
+
+Instead, applications should receive an indication, about the maximum
+supported frame size for that hardware decoder, via a continuous
+frame-size enumeration.
+
+Fixes: cd33c830448b ("media: rkvdec: Add the rkvdec driver")
+Suggested-by: Alex Bee <knaerzche@gmail.com>
+Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
+Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/rkvdec/rkvdec.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/staging/media/rkvdec/rkvdec.c b/drivers/staging/media/rkvdec/rkvdec.c
+index d16cf4115d03a..b5847259f4541 100644
+--- a/drivers/staging/media/rkvdec/rkvdec.c
++++ b/drivers/staging/media/rkvdec/rkvdec.c
+@@ -213,8 +213,14 @@ static int rkvdec_enum_framesizes(struct file *file, void *priv,
+ if (!fmt)
+ return -EINVAL;
+
+- fsize->type = V4L2_FRMSIZE_TYPE_STEPWISE;
+- fsize->stepwise = fmt->frmsize;
++ fsize->type = V4L2_FRMSIZE_TYPE_CONTINUOUS;
++ fsize->stepwise.min_width = 1;
++ fsize->stepwise.max_width = fmt->frmsize.max_width;
++ fsize->stepwise.step_width = 1;
++ fsize->stepwise.min_height = 1;
++ fsize->stepwise.max_height = fmt->frmsize.max_height;
++ fsize->stepwise.step_height = 1;
++
+ return 0;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From a2211a14aa833342de9800c7de2df79796aef285 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Apr 2025 17:00:34 +0200
+Subject: mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in
+ exynos_lpass_remove()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit b70b84556eeca5262d290e8619fe0af5b7664a52 ]
+
+exynos_lpass_disable() is called twice in the remove function. Remove
+one of these calls.
+
+Fixes: 90f447170c6f ("mfd: exynos-lpass: Add runtime PM support")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/74d69e8de10308c9855db6d54155a3de4b11abfd.1745247209.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/exynos-lpass.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/mfd/exynos-lpass.c b/drivers/mfd/exynos-lpass.c
+index 166cd21088cdd..5ee00f86e39c7 100644
+--- a/drivers/mfd/exynos-lpass.c
++++ b/drivers/mfd/exynos-lpass.c
+@@ -143,7 +143,6 @@ static int exynos_lpass_remove(struct platform_device *pdev)
+ {
+ struct exynos_lpass *lpass = platform_get_drvdata(pdev);
+
+- exynos_lpass_disable(lpass);
+ pm_runtime_disable(&pdev->dev);
+ if (!pm_runtime_status_suspended(&pdev->dev))
+ exynos_lpass_disable(lpass);
+--
+2.39.5
+
--- /dev/null
+From 90b18a1ed623c641a770d18bb992b8e4c3cc7bf4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Apr 2025 18:16:32 +0200
+Subject: mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE
+
+From: Alexey Gladkov <legion@kernel.org>
+
+[ Upstream commit 59d60c16ed41475f3b5f7b605e75fbf8e3628720 ]
+
+The name used in the macro does not exist.
+
+drivers/mfd/stmpe-spi.c:132:26: error: use of undeclared identifier 'stmpe_id'
+ 132 | MODULE_DEVICE_TABLE(spi, stmpe_id);
+
+Fixes: e789995d5c61 ("mfd: Add support for STMPE SPI interface")
+Signed-off-by: Alexey Gladkov <legion@kernel.org>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/79d5a847303e45a46098f2d827d3d8a249a32be3.1745591072.git.legion@kernel.org
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/stmpe-spi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mfd/stmpe-spi.c b/drivers/mfd/stmpe-spi.c
+index ad8055a0e2869..6791a53689777 100644
+--- a/drivers/mfd/stmpe-spi.c
++++ b/drivers/mfd/stmpe-spi.c
+@@ -129,7 +129,7 @@ static const struct spi_device_id stmpe_spi_id[] = {
+ { "stmpe2403", STMPE2403 },
+ { }
+ };
+-MODULE_DEVICE_TABLE(spi, stmpe_id);
++MODULE_DEVICE_TABLE(spi, stmpe_spi_id);
+
+ static struct spi_driver stmpe_spi_driver = {
+ .driver = {
+--
+2.39.5
+
--- /dev/null
+From bde34f05a3339dfc234ae23ce40ec0f9412aa66b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Apr 2025 11:45:48 +0800
+Subject: MIPS: Loongson64: Add missing '#interrupt-cells' for loongson64c_ls7a
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: WangYuli <wangyuli@uniontech.com>
+
+[ Upstream commit 6d223b8ffcd1593d032b71875def2daa71c53111 ]
+
+Similar to commit 98a9e2ac3755 ("MIPS: Loongson64: DTS: Fix msi node for ls7a").
+
+Fix follow warnings:
+ arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts:28.31-36.4: Warning (interrupt_provider): /bus@10000000/msi-controller@2ff00000: Missing '#interrupt-cells' in interrupt provider
+ arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dtb: Warning (interrupt_map): Failed prerequisite 'interrupt_provider'
+
+Fixes: 24af105962c8 ("MIPS: Loongson64: DeviceTree for LS7A PCH")
+Tested-by: WangYuli <wangyuli@uniontech.com>
+Signed-off-by: WangYuli <wangyuli@uniontech.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts b/arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts
+index c7ea4f1c0bb21..6c277ab83d4b9 100644
+--- a/arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts
++++ b/arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts
+@@ -29,6 +29,7 @@
+ compatible = "loongson,pch-msi-1.0";
+ reg = <0 0x2ff00000 0 0x8>;
+ interrupt-controller;
++ #interrupt-cells = <1>;
+ msi-controller;
+ loongson,msi-base-vec = <64>;
+ loongson,msi-num-vecs = <64>;
+--
+2.39.5
+
--- /dev/null
+From 4cb81dc276b39745fd3865955d141870b6faade2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Apr 2025 00:39:06 +0300
+Subject: mtd: nand: ecc-mxic: Fix use of uninitialized variable ret
+
+From: Mikhail Arkhipov <m.arhipov@rosa.ru>
+
+[ Upstream commit d95846350aac72303036a70c4cdc69ae314aa26d ]
+
+If ctx->steps is zero, the loop processing ECC steps is skipped,
+and the variable ret remains uninitialized. It is later checked
+and returned, which leads to undefined behavior and may cause
+unpredictable results in user space or kernel crashes.
+
+This scenario can be triggered in edge cases such as misconfigured
+geometry, ECC engine misuse, or if ctx->steps is not validated
+after initialization.
+
+Initialize ret to zero before the loop to ensure correct and safe
+behavior regardless of the ctx->steps value.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 48e6633a9fa2 ("mtd: nand: mxic-ecc: Add Macronix external ECC engine support")
+Signed-off-by: Mikhail Arkhipov <m.arhipov@rosa.ru>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/ecc-mxic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/nand/ecc-mxic.c b/drivers/mtd/nand/ecc-mxic.c
+index 6b487ffe2f2dc..e8bbe009c04e8 100644
+--- a/drivers/mtd/nand/ecc-mxic.c
++++ b/drivers/mtd/nand/ecc-mxic.c
+@@ -614,7 +614,7 @@ static int mxic_ecc_finish_io_req_external(struct nand_device *nand,
+ {
+ struct mxic_ecc_engine *mxic = nand_to_mxic(nand);
+ struct mxic_ecc_ctx *ctx = nand_to_ecc_ctx(nand);
+- int nents, step, ret;
++ int nents, step, ret = 0;
+
+ if (req->mode == MTD_OPS_RAW)
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From c3877156c696623b1cb7fec4aedec25ee6f09c20 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 May 2025 14:44:06 +0200
+Subject: net: dsa: tag_brcm: legacy: fix pskb_may_pull length
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Álvaro Fernández Rojas <noltari@gmail.com>
+
+[ Upstream commit efdddc4484859082da6c7877ed144c8121c8ea55 ]
+
+BRCM_LEG_PORT_ID was incorrectly used for pskb_may_pull length.
+The correct check is BRCM_LEG_TAG_LEN + VLAN_HLEN, or 10 bytes.
+
+Fixes: 964dbf186eaa ("net: dsa: tag_brcm: add support for legacy tags")
+Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://patch.msgid.link/20250529124406.2513779-1-noltari@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/dsa/tag_brcm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/dsa/tag_brcm.c b/net/dsa/tag_brcm.c
+index a65d62fb90094..04b57534fe4de 100644
+--- a/net/dsa/tag_brcm.c
++++ b/net/dsa/tag_brcm.c
+@@ -253,7 +253,7 @@ static struct sk_buff *brcm_leg_tag_rcv(struct sk_buff *skb,
+ int source_port;
+ u8 *brcm_tag;
+
+- if (unlikely(!pskb_may_pull(skb, BRCM_LEG_PORT_ID)))
++ if (unlikely(!pskb_may_pull(skb, BRCM_LEG_TAG_LEN + VLAN_HLEN)))
+ return NULL;
+
+ brcm_tag = dsa_etype_header_pos_rx(skb);
+--
+2.39.5
+
--- /dev/null
+From 67586a97ed89a18cf0032c2ea9fa094760422662 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 May 2025 12:28:05 +0200
+Subject: net: Fix checksum update for ILA adj-transport
+
+From: Paul Chaignon <paul.chaignon@gmail.com>
+
+[ Upstream commit 6043b794c7668c19dabc4a93c75b924a19474d59 ]
+
+During ILA address translations, the L4 checksums can be handled in
+different ways. One of them, adj-transport, consist in parsing the
+transport layer and updating any found checksum. This logic relies on
+inet_proto_csum_replace_by_diff and produces an incorrect skb->csum when
+in state CHECKSUM_COMPLETE.
+
+This bug can be reproduced with a simple ILA to SIR mapping, assuming
+packets are received with CHECKSUM_COMPLETE:
+
+ $ ip a show dev eth0
+ 14: eth0@if15: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
+ link/ether 62:ae:35:9e:0f:8d brd ff:ff:ff:ff:ff:ff link-netnsid 0
+ inet6 3333:0:0:1::c078/64 scope global
+ valid_lft forever preferred_lft forever
+ inet6 fd00:10:244:1::c078/128 scope global nodad
+ valid_lft forever preferred_lft forever
+ inet6 fe80::60ae:35ff:fe9e:f8d/64 scope link proto kernel_ll
+ valid_lft forever preferred_lft forever
+ $ ip ila add loc_match fd00:10:244:1 loc 3333:0:0:1 \
+ csum-mode adj-transport ident-type luid dev eth0
+
+Then I hit [fd00:10:244:1::c078]:8000 with a server listening only on
+[3333:0:0:1::c078]:8000. With the bug, the SYN packet is dropped with
+SKB_DROP_REASON_TCP_CSUM after inet_proto_csum_replace_by_diff changed
+skb->csum. The translation and drop are visible on pwru [1] traces:
+
+ IFACE TUPLE FUNC
+ eth0:9 [fd00:10:244:3::3d8]:51420->[fd00:10:244:1::c078]:8000(tcp) ipv6_rcv
+ eth0:9 [fd00:10:244:3::3d8]:51420->[fd00:10:244:1::c078]:8000(tcp) ip6_rcv_core
+ eth0:9 [fd00:10:244:3::3d8]:51420->[fd00:10:244:1::c078]:8000(tcp) nf_hook_slow
+ eth0:9 [fd00:10:244:3::3d8]:51420->[fd00:10:244:1::c078]:8000(tcp) inet_proto_csum_replace_by_diff
+ eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) tcp_v6_early_demux
+ eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) ip6_route_input
+ eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) ip6_input
+ eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) ip6_input_finish
+ eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) ip6_protocol_deliver_rcu
+ eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) raw6_local_deliver
+ eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) ipv6_raw_deliver
+ eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) tcp_v6_rcv
+ eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) __skb_checksum_complete
+ eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) kfree_skb_reason(SKB_DROP_REASON_TCP_CSUM)
+ eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) skb_release_head_state
+ eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) skb_release_data
+ eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) skb_free_head
+ eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) kfree_skbmem
+
+This is happening because inet_proto_csum_replace_by_diff is updating
+skb->csum when it shouldn't. The L4 checksum is updated such that it
+"cancels" the IPv6 address change in terms of checksum computation, so
+the impact on skb->csum is null.
+
+Note this would be different for an IPv4 packet since three fields
+would be updated: the IPv4 address, the IP checksum, and the L4
+checksum. Two would cancel each other and skb->csum would still need
+to be updated to take the L4 checksum change into account.
+
+This patch fixes it by passing an ipv6 flag to
+inet_proto_csum_replace_by_diff, to skip the skb->csum update if we're
+in the IPv6 case. Note the behavior of the only other user of
+inet_proto_csum_replace_by_diff, the BPF subsystem, is left as is in
+this patch and fixed in the subsequent patch.
+
+With the fix, using the reproduction from above, I can confirm
+skb->csum is not touched by inet_proto_csum_replace_by_diff and the TCP
+SYN proceeds to the application after the ILA translation.
+
+Link: https://github.com/cilium/pwru [1]
+Fixes: 65d7ab8de582 ("net: Identifier Locator Addressing module")
+Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
+Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://patch.msgid.link/b5539869e3550d46068504feb02d37653d939c0b.1748509484.git.paul.chaignon@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/checksum.h | 2 +-
+ net/core/filter.c | 2 +-
+ net/core/utils.c | 4 ++--
+ net/ipv6/ila/ila_common.c | 6 +++---
+ 4 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/include/net/checksum.h b/include/net/checksum.h
+index 6bc783b7a06c2..a3d1bde322c98 100644
+--- a/include/net/checksum.h
++++ b/include/net/checksum.h
+@@ -156,7 +156,7 @@ void inet_proto_csum_replace16(__sum16 *sum, struct sk_buff *skb,
+ const __be32 *from, const __be32 *to,
+ bool pseudohdr);
+ void inet_proto_csum_replace_by_diff(__sum16 *sum, struct sk_buff *skb,
+- __wsum diff, bool pseudohdr);
++ __wsum diff, bool pseudohdr, bool ipv6);
+
+ static __always_inline
+ void inet_proto_csum_replace2(__sum16 *sum, struct sk_buff *skb,
+diff --git a/net/core/filter.c b/net/core/filter.c
+index 497b41ac399da..e58cd1dfa6b19 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -1977,7 +1977,7 @@ BPF_CALL_5(bpf_l4_csum_replace, struct sk_buff *, skb, u32, offset,
+ if (unlikely(from != 0))
+ return -EINVAL;
+
+- inet_proto_csum_replace_by_diff(ptr, skb, to, is_pseudo);
++ inet_proto_csum_replace_by_diff(ptr, skb, to, is_pseudo, false);
+ break;
+ case 2:
+ inet_proto_csum_replace2(ptr, skb, from, to, is_pseudo);
+diff --git a/net/core/utils.c b/net/core/utils.c
+index 938495bc1d348..1eeb9131e2cf7 100644
+--- a/net/core/utils.c
++++ b/net/core/utils.c
+@@ -473,11 +473,11 @@ void inet_proto_csum_replace16(__sum16 *sum, struct sk_buff *skb,
+ EXPORT_SYMBOL(inet_proto_csum_replace16);
+
+ void inet_proto_csum_replace_by_diff(__sum16 *sum, struct sk_buff *skb,
+- __wsum diff, bool pseudohdr)
++ __wsum diff, bool pseudohdr, bool ipv6)
+ {
+ if (skb->ip_summed != CHECKSUM_PARTIAL) {
+ csum_replace_by_diff(sum, diff);
+- if (skb->ip_summed == CHECKSUM_COMPLETE && pseudohdr)
++ if (skb->ip_summed == CHECKSUM_COMPLETE && pseudohdr && !ipv6)
+ skb->csum = ~csum_sub(diff, skb->csum);
+ } else if (pseudohdr) {
+ *sum = ~csum_fold(csum_add(diff, csum_unfold(*sum)));
+diff --git a/net/ipv6/ila/ila_common.c b/net/ipv6/ila/ila_common.c
+index 95e9146918cc6..b8d43ed4689db 100644
+--- a/net/ipv6/ila/ila_common.c
++++ b/net/ipv6/ila/ila_common.c
+@@ -86,7 +86,7 @@ static void ila_csum_adjust_transport(struct sk_buff *skb,
+
+ diff = get_csum_diff(ip6h, p);
+ inet_proto_csum_replace_by_diff(&th->check, skb,
+- diff, true);
++ diff, true, true);
+ }
+ break;
+ case NEXTHDR_UDP:
+@@ -97,7 +97,7 @@ static void ila_csum_adjust_transport(struct sk_buff *skb,
+ if (uh->check || skb->ip_summed == CHECKSUM_PARTIAL) {
+ diff = get_csum_diff(ip6h, p);
+ inet_proto_csum_replace_by_diff(&uh->check, skb,
+- diff, true);
++ diff, true, true);
+ if (!uh->check)
+ uh->check = CSUM_MANGLED_0;
+ }
+@@ -111,7 +111,7 @@ static void ila_csum_adjust_transport(struct sk_buff *skb,
+
+ diff = get_csum_diff(ip6h, p);
+ inet_proto_csum_replace_by_diff(&ih->icmp6_cksum, skb,
+- diff, true);
++ diff, true, true);
+ }
+ break;
+ }
+--
+2.39.5
+
--- /dev/null
+From 87254b44bfab1f3b06717110207ad6bae0284566 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 May 2025 09:26:08 +0800
+Subject: net: fix udp gso skb_segment after pull from frag_list
+
+From: Shiming Cheng <shiming.cheng@mediatek.com>
+
+[ Upstream commit 3382a1ed7f778db841063f5d7e317ac55f9e7f72 ]
+
+Commit a1e40ac5b5e9 ("net: gso: fix udp gso fraglist segmentation after
+pull from frag_list") detected invalid geometry in frag_list skbs and
+redirects them from skb_segment_list to more robust skb_segment. But some
+packets with modified geometry can also hit bugs in that code. We don't
+know how many such cases exist. Addressing each one by one also requires
+touching the complex skb_segment code, which risks introducing bugs for
+other types of skbs. Instead, linearize all these packets that fail the
+basic invariants on gso fraglist skbs. That is more robust.
+
+If only part of the fraglist payload is pulled into head_skb, it will
+always cause exception when splitting skbs by skb_segment. For detailed
+call stack information, see below.
+
+Valid SKB_GSO_FRAGLIST skbs
+- consist of two or more segments
+- the head_skb holds the protocol headers plus first gso_size
+- one or more frag_list skbs hold exactly one segment
+- all but the last must be gso_size
+
+Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can
+modify fraglist skbs, breaking these invariants.
+
+In extreme cases they pull one part of data into skb linear. For UDP,
+this causes three payloads with lengths of (11,11,10) bytes were
+pulled tail to become (12,10,10) bytes.
+
+The skbs no longer meets the above SKB_GSO_FRAGLIST conditions because
+payload was pulled into head_skb, it needs to be linearized before pass
+to regular skb_segment.
+
+ skb_segment+0xcd0/0xd14
+ __udp_gso_segment+0x334/0x5f4
+ udp4_ufo_fragment+0x118/0x15c
+ inet_gso_segment+0x164/0x338
+ skb_mac_gso_segment+0xc4/0x13c
+ __skb_gso_segment+0xc4/0x124
+ validate_xmit_skb+0x9c/0x2c0
+ validate_xmit_skb_list+0x4c/0x80
+ sch_direct_xmit+0x70/0x404
+ __dev_queue_xmit+0x64c/0xe5c
+ neigh_resolve_output+0x178/0x1c4
+ ip_finish_output2+0x37c/0x47c
+ __ip_finish_output+0x194/0x240
+ ip_finish_output+0x20/0xf4
+ ip_output+0x100/0x1a0
+ NF_HOOK+0xc4/0x16c
+ ip_forward+0x314/0x32c
+ ip_rcv+0x90/0x118
+ __netif_receive_skb+0x74/0x124
+ process_backlog+0xe8/0x1a4
+ __napi_poll+0x5c/0x1f8
+ net_rx_action+0x154/0x314
+ handle_softirqs+0x154/0x4b8
+
+ [118.376811] [C201134] rxq0_pus: [name:bug&]kernel BUG at net/core/skbuff.c:4278!
+ [118.376829] [C201134] rxq0_pus: [name:traps&]Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
+ [118.470774] [C201134] rxq0_pus: [name:mrdump&]Kernel Offset: 0x178cc00000 from 0xffffffc008000000
+ [118.470810] [C201134] rxq0_pus: [name:mrdump&]PHYS_OFFSET: 0x40000000
+ [118.470827] [C201134] rxq0_pus: [name:mrdump&]pstate: 60400005 (nZCv daif +PAN -UAO)
+ [118.470848] [C201134] rxq0_pus: [name:mrdump&]pc : [0xffffffd79598aefc] skb_segment+0xcd0/0xd14
+ [118.470900] [C201134] rxq0_pus: [name:mrdump&]lr : [0xffffffd79598a5e8] skb_segment+0x3bc/0xd14
+ [118.470928] [C201134] rxq0_pus: [name:mrdump&]sp : ffffffc008013770
+
+Fixes: a1e40ac5b5e9 ("gso: fix udp gso fraglist segmentation after pull from frag_list")
+Signed-off-by: Shiming Cheng <shiming.cheng@mediatek.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/udp_offload.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c
+index d415b4fb2f1f4..1a51c4b44c006 100644
+--- a/net/ipv4/udp_offload.c
++++ b/net/ipv4/udp_offload.c
+@@ -331,6 +331,7 @@ struct sk_buff *__udp_gso_segment(struct sk_buff *gso_skb,
+ bool copy_dtor;
+ __sum16 check;
+ __be16 newlen;
++ int ret = 0;
+
+ mss = skb_shinfo(gso_skb)->gso_size;
+ if (gso_skb->len <= sizeof(*uh) + mss)
+@@ -353,6 +354,10 @@ struct sk_buff *__udp_gso_segment(struct sk_buff *gso_skb,
+ if (skb_pagelen(gso_skb) - sizeof(*uh) == skb_shinfo(gso_skb)->gso_size)
+ return __udp_gso_segment_list(gso_skb, features, is_ipv6);
+
++ ret = __skb_linearize(gso_skb);
++ if (ret)
++ return ERR_PTR(ret);
++
+ /* Setup csum, as fraglist skips this in udp4_gro_receive. */
+ gso_skb->csum_start = skb_transport_header(gso_skb) - gso_skb->head;
+ gso_skb->csum_offset = offsetof(struct udphdr, check);
+--
+2.39.5
+
--- /dev/null
+From cb8f197a349ef98574c65e75af39ad6daa7d640a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 May 2025 11:00:47 +0530
+Subject: net: lan743x: rename lan743x_reset_phy to lan743x_hw_reset_phy
+
+From: Thangaraj Samynathan <thangaraj.s@microchip.com>
+
+[ Upstream commit 68927eb52d0af04863584930db06075d2610e194 ]
+
+rename the function to lan743x_hw_reset_phy to better describe it
+operation.
+
+Fixes: 23f0703c125be ("lan743x: Add main source files for new lan743x driver")
+Signed-off-by: Thangaraj Samynathan <thangaraj.s@microchip.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/20250526053048.287095-2-thangaraj.s@microchip.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/microchip/lan743x_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/microchip/lan743x_main.c b/drivers/net/ethernet/microchip/lan743x_main.c
+index fd35554191793..0f456d389e53a 100644
+--- a/drivers/net/ethernet/microchip/lan743x_main.c
++++ b/drivers/net/ethernet/microchip/lan743x_main.c
+@@ -1389,7 +1389,7 @@ static int lan743x_mac_set_mtu(struct lan743x_adapter *adapter, int new_mtu)
+ }
+
+ /* PHY */
+-static int lan743x_phy_reset(struct lan743x_adapter *adapter)
++static int lan743x_hw_reset_phy(struct lan743x_adapter *adapter)
+ {
+ u32 data;
+
+@@ -1423,7 +1423,7 @@ static void lan743x_phy_update_flowcontrol(struct lan743x_adapter *adapter,
+
+ static int lan743x_phy_init(struct lan743x_adapter *adapter)
+ {
+- return lan743x_phy_reset(adapter);
++ return lan743x_hw_reset_phy(adapter);
+ }
+
+ static void lan743x_phy_link_status_change(struct net_device *netdev)
+--
+2.39.5
+
--- /dev/null
+From 90cb02311a07f81c79417f813221f59004369d6d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 May 2025 11:36:19 +0200
+Subject: net: lan966x: Make sure to insert the vlan tags also in host mode
+
+From: Horatiu Vultur <horatiu.vultur@microchip.com>
+
+[ Upstream commit 27eab4c644236a9324084a70fe79e511cbd07393 ]
+
+When running these commands on DUT (and similar at the other end)
+ip link set dev eth0 up
+ip link add link eth0 name eth0.10 type vlan id 10
+ip addr add 10.0.0.1/24 dev eth0.10
+ip link set dev eth0.10 up
+ping 10.0.0.2
+
+The ping will fail.
+
+The reason why is failing is because, the network interfaces for lan966x
+have a flag saying that the HW can insert the vlan tags into the
+frames(NETIF_F_HW_VLAN_CTAG_TX). Meaning that the frames that are
+transmitted don't have the vlan tag inside the skb data, but they have
+it inside the skb. We already get that vlan tag and put it in the IFH
+but the problem is that we don't configure the HW to rewrite the frame
+when the interface is in host mode.
+The fix consists in actually configuring the HW to insert the vlan tag
+if it is different than 0.
+
+Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Fixes: 6d2c186afa5d ("net: lan966x: Add vlan support.")
+Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
+Link: https://patch.msgid.link/20250528093619.3738998-1-horatiu.vultur@microchip.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/microchip/lan966x/lan966x_main.c | 1 +
+ .../ethernet/microchip/lan966x/lan966x_main.h | 1 +
+ .../microchip/lan966x/lan966x_switchdev.c | 1 +
+ .../ethernet/microchip/lan966x/lan966x_vlan.c | 21 +++++++++++++++++++
+ 4 files changed, 24 insertions(+)
+
+diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_main.c b/drivers/net/ethernet/microchip/lan966x/lan966x_main.c
+index 9ce46588aaf03..8c048ffde23d6 100644
+--- a/drivers/net/ethernet/microchip/lan966x/lan966x_main.c
++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_main.c
+@@ -811,6 +811,7 @@ static int lan966x_probe_port(struct lan966x *lan966x, u32 p,
+ lan966x_vlan_port_set_vlan_aware(port, 0);
+ lan966x_vlan_port_set_vid(port, HOST_PVID, false, false);
+ lan966x_vlan_port_apply(port);
++ lan966x_vlan_port_rew_host(port);
+
+ return 0;
+ }
+diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_main.h b/drivers/net/ethernet/microchip/lan966x/lan966x_main.h
+index 4ec33999e4df6..ff5736d2c7a6b 100644
+--- a/drivers/net/ethernet/microchip/lan966x/lan966x_main.h
++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_main.h
+@@ -388,6 +388,7 @@ void lan966x_vlan_port_apply(struct lan966x_port *port);
+ bool lan966x_vlan_cpu_member_cpu_vlan_mask(struct lan966x *lan966x, u16 vid);
+ void lan966x_vlan_port_set_vlan_aware(struct lan966x_port *port,
+ bool vlan_aware);
++void lan966x_vlan_port_rew_host(struct lan966x_port *port);
+ int lan966x_vlan_port_set_vid(struct lan966x_port *port,
+ u16 vid,
+ bool pvid,
+diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_switchdev.c b/drivers/net/ethernet/microchip/lan966x/lan966x_switchdev.c
+index 1c88120eb291a..bcb4db76b75cd 100644
+--- a/drivers/net/ethernet/microchip/lan966x/lan966x_switchdev.c
++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_switchdev.c
+@@ -297,6 +297,7 @@ static void lan966x_port_bridge_leave(struct lan966x_port *port,
+ lan966x_vlan_port_set_vlan_aware(port, false);
+ lan966x_vlan_port_set_vid(port, HOST_PVID, false, false);
+ lan966x_vlan_port_apply(port);
++ lan966x_vlan_port_rew_host(port);
+ }
+
+ int lan966x_port_changeupper(struct net_device *dev,
+diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_vlan.c b/drivers/net/ethernet/microchip/lan966x/lan966x_vlan.c
+index 3c44660128dae..ffb245fb7d678 100644
+--- a/drivers/net/ethernet/microchip/lan966x/lan966x_vlan.c
++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_vlan.c
+@@ -149,6 +149,27 @@ void lan966x_vlan_port_set_vlan_aware(struct lan966x_port *port,
+ port->vlan_aware = vlan_aware;
+ }
+
++/* When the interface is in host mode, the interface should not be vlan aware
++ * but it should insert all the tags that it gets from the network stack.
++ * The tags are not in the data of the frame but actually in the skb and the ifh
++ * is configured already to get this tag. So what we need to do is to update the
++ * rewriter to insert the vlan tag for all frames which have a vlan tag
++ * different than 0.
++ */
++void lan966x_vlan_port_rew_host(struct lan966x_port *port)
++{
++ struct lan966x *lan966x = port->lan966x;
++ u32 val;
++
++ /* Tag all frames except when VID=0*/
++ val = REW_TAG_CFG_TAG_CFG_SET(2);
++
++ /* Update only some bits in the register */
++ lan_rmw(val,
++ REW_TAG_CFG_TAG_CFG,
++ lan966x, REW_TAG_CFG(port->chip_port));
++}
++
+ void lan966x_vlan_port_apply(struct lan966x_port *port)
+ {
+ struct lan966x *lan966x = port->lan966x;
+--
+2.39.5
+
--- /dev/null
+From 9623be6343ff2b89eb69f1b72ee7ec1602a56992 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 May 2025 11:11:09 +0300
+Subject: net/mlx4_en: Prevent potential integer overflow calculating Hz
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 54d34165b4f786d7fea8412a18fb4a54c1eab623 ]
+
+The "freq" variable is in terms of MHz and "max_val_cycles" is in terms
+of Hz. The fact that "max_val_cycles" is a u64 suggests that support
+for high frequency is intended but the "freq_khz * 1000" would overflow
+the u32 type if we went above 4GHz. Use unsigned long long type for the
+mutliplication to prevent that.
+
+Fixes: 31c128b66e5b ("net/mlx4_en: Choose time-stamping shift value according to HW frequency")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/aDbFHe19juIJKjsb@stanley.mountain
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/en_clock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx4/en_clock.c b/drivers/net/ethernet/mellanox/mlx4/en_clock.c
+index 024788549c256..060698b0c65cc 100644
+--- a/drivers/net/ethernet/mellanox/mlx4/en_clock.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_clock.c
+@@ -251,7 +251,7 @@ static const struct ptp_clock_info mlx4_en_ptp_clock_info = {
+ static u32 freq_to_shift(u16 freq)
+ {
+ u32 freq_khz = freq * 1000;
+- u64 max_val_cycles = freq_khz * 1000 * MLX4_EN_WRAP_AROUND_SEC;
++ u64 max_val_cycles = freq_khz * 1000ULL * MLX4_EN_WRAP_AROUND_SEC;
+ u64 max_val_cycles_rounded = 1ULL << fls64(max_val_cycles - 1);
+ /* calculate max possible multiplier in order to fit in 64bit */
+ u64 max_mul = div64_u64(ULLONG_MAX, max_val_cycles_rounded);
+--
+2.39.5
+
--- /dev/null
+From 096555c48de38fe978b8ac030fc4309a6eb6bfc8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Apr 2025 18:23:08 -0700
+Subject: net: ncsi: Fix GCPS 64-bit member variables
+
+From: Hari Kalavakunta <kalavakunta.hari.prasad@gmail.com>
+
+[ Upstream commit e8a1bd8344054ce27bebf59f48e3f6bc10bc419b ]
+
+Correct Get Controller Packet Statistics (GCPS) 64-bit wide member
+variables, as per DSP0222 v1.0.0 and forward specs. The Driver currently
+collects these stats, but they are yet to be exposed to the user.
+Therefore, no user impact.
+
+Statistics fixes:
+Total Bytes Received (byte range 28..35)
+Total Bytes Transmitted (byte range 36..43)
+Total Unicast Packets Received (byte range 44..51)
+Total Multicast Packets Received (byte range 52..59)
+Total Broadcast Packets Received (byte range 60..67)
+Total Unicast Packets Transmitted (byte range 68..75)
+Total Multicast Packets Transmitted (byte range 76..83)
+Total Broadcast Packets Transmitted (byte range 84..91)
+Valid Bytes Received (byte range 204..11)
+
+Signed-off-by: Hari Kalavakunta <kalavakunta.hari.prasad@gmail.com>
+Reviewed-by: Paul Fertser <fercerpav@gmail.com>
+Link: https://patch.msgid.link/20250410012309.1343-1-kalavakunta.hari.prasad@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ncsi/internal.h | 21 ++++++++++-----------
+ net/ncsi/ncsi-pkt.h | 23 +++++++++++------------
+ net/ncsi/ncsi-rsp.c | 21 ++++++++++-----------
+ 3 files changed, 31 insertions(+), 34 deletions(-)
+
+diff --git a/net/ncsi/internal.h b/net/ncsi/internal.h
+index 4e0842df5234e..2c260f33b55cc 100644
+--- a/net/ncsi/internal.h
++++ b/net/ncsi/internal.h
+@@ -143,16 +143,15 @@ struct ncsi_channel_vlan_filter {
+ };
+
+ struct ncsi_channel_stats {
+- u32 hnc_cnt_hi; /* Counter cleared */
+- u32 hnc_cnt_lo; /* Counter cleared */
+- u32 hnc_rx_bytes; /* Rx bytes */
+- u32 hnc_tx_bytes; /* Tx bytes */
+- u32 hnc_rx_uc_pkts; /* Rx UC packets */
+- u32 hnc_rx_mc_pkts; /* Rx MC packets */
+- u32 hnc_rx_bc_pkts; /* Rx BC packets */
+- u32 hnc_tx_uc_pkts; /* Tx UC packets */
+- u32 hnc_tx_mc_pkts; /* Tx MC packets */
+- u32 hnc_tx_bc_pkts; /* Tx BC packets */
++ u64 hnc_cnt; /* Counter cleared */
++ u64 hnc_rx_bytes; /* Rx bytes */
++ u64 hnc_tx_bytes; /* Tx bytes */
++ u64 hnc_rx_uc_pkts; /* Rx UC packets */
++ u64 hnc_rx_mc_pkts; /* Rx MC packets */
++ u64 hnc_rx_bc_pkts; /* Rx BC packets */
++ u64 hnc_tx_uc_pkts; /* Tx UC packets */
++ u64 hnc_tx_mc_pkts; /* Tx MC packets */
++ u64 hnc_tx_bc_pkts; /* Tx BC packets */
+ u32 hnc_fcs_err; /* FCS errors */
+ u32 hnc_align_err; /* Alignment errors */
+ u32 hnc_false_carrier; /* False carrier detection */
+@@ -181,7 +180,7 @@ struct ncsi_channel_stats {
+ u32 hnc_tx_1023_frames; /* Tx 512-1023 bytes frames */
+ u32 hnc_tx_1522_frames; /* Tx 1024-1522 bytes frames */
+ u32 hnc_tx_9022_frames; /* Tx 1523-9022 bytes frames */
+- u32 hnc_rx_valid_bytes; /* Rx valid bytes */
++ u64 hnc_rx_valid_bytes; /* Rx valid bytes */
+ u32 hnc_rx_runt_pkts; /* Rx error runt packets */
+ u32 hnc_rx_jabber_pkts; /* Rx error jabber packets */
+ u32 ncsi_rx_cmds; /* Rx NCSI commands */
+diff --git a/net/ncsi/ncsi-pkt.h b/net/ncsi/ncsi-pkt.h
+index f2f3b5c1b9412..24edb27379724 100644
+--- a/net/ncsi/ncsi-pkt.h
++++ b/net/ncsi/ncsi-pkt.h
+@@ -252,16 +252,15 @@ struct ncsi_rsp_gp_pkt {
+ /* Get Controller Packet Statistics */
+ struct ncsi_rsp_gcps_pkt {
+ struct ncsi_rsp_pkt_hdr rsp; /* Response header */
+- __be32 cnt_hi; /* Counter cleared */
+- __be32 cnt_lo; /* Counter cleared */
+- __be32 rx_bytes; /* Rx bytes */
+- __be32 tx_bytes; /* Tx bytes */
+- __be32 rx_uc_pkts; /* Rx UC packets */
+- __be32 rx_mc_pkts; /* Rx MC packets */
+- __be32 rx_bc_pkts; /* Rx BC packets */
+- __be32 tx_uc_pkts; /* Tx UC packets */
+- __be32 tx_mc_pkts; /* Tx MC packets */
+- __be32 tx_bc_pkts; /* Tx BC packets */
++ __be64 cnt; /* Counter cleared */
++ __be64 rx_bytes; /* Rx bytes */
++ __be64 tx_bytes; /* Tx bytes */
++ __be64 rx_uc_pkts; /* Rx UC packets */
++ __be64 rx_mc_pkts; /* Rx MC packets */
++ __be64 rx_bc_pkts; /* Rx BC packets */
++ __be64 tx_uc_pkts; /* Tx UC packets */
++ __be64 tx_mc_pkts; /* Tx MC packets */
++ __be64 tx_bc_pkts; /* Tx BC packets */
+ __be32 fcs_err; /* FCS errors */
+ __be32 align_err; /* Alignment errors */
+ __be32 false_carrier; /* False carrier detection */
+@@ -290,11 +289,11 @@ struct ncsi_rsp_gcps_pkt {
+ __be32 tx_1023_frames; /* Tx 512-1023 bytes frames */
+ __be32 tx_1522_frames; /* Tx 1024-1522 bytes frames */
+ __be32 tx_9022_frames; /* Tx 1523-9022 bytes frames */
+- __be32 rx_valid_bytes; /* Rx valid bytes */
++ __be64 rx_valid_bytes; /* Rx valid bytes */
+ __be32 rx_runt_pkts; /* Rx error runt packets */
+ __be32 rx_jabber_pkts; /* Rx error jabber packets */
+ __be32 checksum; /* Checksum */
+-};
++} __packed __aligned(4);
+
+ /* Get NCSI Statistics */
+ struct ncsi_rsp_gns_pkt {
+diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c
+index 4a8ce2949faea..8668888c5a2f9 100644
+--- a/net/ncsi/ncsi-rsp.c
++++ b/net/ncsi/ncsi-rsp.c
+@@ -926,16 +926,15 @@ static int ncsi_rsp_handler_gcps(struct ncsi_request *nr)
+
+ /* Update HNC's statistics */
+ ncs = &nc->stats;
+- ncs->hnc_cnt_hi = ntohl(rsp->cnt_hi);
+- ncs->hnc_cnt_lo = ntohl(rsp->cnt_lo);
+- ncs->hnc_rx_bytes = ntohl(rsp->rx_bytes);
+- ncs->hnc_tx_bytes = ntohl(rsp->tx_bytes);
+- ncs->hnc_rx_uc_pkts = ntohl(rsp->rx_uc_pkts);
+- ncs->hnc_rx_mc_pkts = ntohl(rsp->rx_mc_pkts);
+- ncs->hnc_rx_bc_pkts = ntohl(rsp->rx_bc_pkts);
+- ncs->hnc_tx_uc_pkts = ntohl(rsp->tx_uc_pkts);
+- ncs->hnc_tx_mc_pkts = ntohl(rsp->tx_mc_pkts);
+- ncs->hnc_tx_bc_pkts = ntohl(rsp->tx_bc_pkts);
++ ncs->hnc_cnt = be64_to_cpu(rsp->cnt);
++ ncs->hnc_rx_bytes = be64_to_cpu(rsp->rx_bytes);
++ ncs->hnc_tx_bytes = be64_to_cpu(rsp->tx_bytes);
++ ncs->hnc_rx_uc_pkts = be64_to_cpu(rsp->rx_uc_pkts);
++ ncs->hnc_rx_mc_pkts = be64_to_cpu(rsp->rx_mc_pkts);
++ ncs->hnc_rx_bc_pkts = be64_to_cpu(rsp->rx_bc_pkts);
++ ncs->hnc_tx_uc_pkts = be64_to_cpu(rsp->tx_uc_pkts);
++ ncs->hnc_tx_mc_pkts = be64_to_cpu(rsp->tx_mc_pkts);
++ ncs->hnc_tx_bc_pkts = be64_to_cpu(rsp->tx_bc_pkts);
+ ncs->hnc_fcs_err = ntohl(rsp->fcs_err);
+ ncs->hnc_align_err = ntohl(rsp->align_err);
+ ncs->hnc_false_carrier = ntohl(rsp->false_carrier);
+@@ -964,7 +963,7 @@ static int ncsi_rsp_handler_gcps(struct ncsi_request *nr)
+ ncs->hnc_tx_1023_frames = ntohl(rsp->tx_1023_frames);
+ ncs->hnc_tx_1522_frames = ntohl(rsp->tx_1522_frames);
+ ncs->hnc_tx_9022_frames = ntohl(rsp->tx_9022_frames);
+- ncs->hnc_rx_valid_bytes = ntohl(rsp->rx_valid_bytes);
++ ncs->hnc_rx_valid_bytes = be64_to_cpu(rsp->rx_valid_bytes);
+ ncs->hnc_rx_runt_pkts = ntohl(rsp->rx_runt_pkts);
+ ncs->hnc_rx_jabber_pkts = ntohl(rsp->rx_jabber_pkts);
+
+--
+2.39.5
+
--- /dev/null
+From a45568cafdd14618a36fb359fe2c7de4660d3587 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 May 2025 03:41:43 +0000
+Subject: net: openvswitch: Fix the dead loop of MPLS parse
+
+From: Faicker Mo <faicker.mo@zenlayer.com>
+
+[ Upstream commit 0bdc924bfb319fb10d1113cbf091fc26fb7b1f99 ]
+
+The unexpected MPLS packet may not end with the bottom label stack.
+When there are many stacks, The label count value has wrapped around.
+A dead loop occurs, soft lockup/CPU stuck finally.
+
+stack backtrace:
+UBSAN: array-index-out-of-bounds in /build/linux-0Pa0xK/linux-5.15.0/net/openvswitch/flow.c:662:26
+index -1 is out of range for type '__be32 [3]'
+CPU: 34 PID: 0 Comm: swapper/34 Kdump: loaded Tainted: G OE 5.15.0-121-generic #131-Ubuntu
+Hardware name: Dell Inc. PowerEdge C6420/0JP9TF, BIOS 2.12.2 07/14/2021
+Call Trace:
+ <IRQ>
+ show_stack+0x52/0x5c
+ dump_stack_lvl+0x4a/0x63
+ dump_stack+0x10/0x16
+ ubsan_epilogue+0x9/0x36
+ __ubsan_handle_out_of_bounds.cold+0x44/0x49
+ key_extract_l3l4+0x82a/0x840 [openvswitch]
+ ? kfree_skbmem+0x52/0xa0
+ key_extract+0x9c/0x2b0 [openvswitch]
+ ovs_flow_key_extract+0x124/0x350 [openvswitch]
+ ovs_vport_receive+0x61/0xd0 [openvswitch]
+ ? kernel_init_free_pages.part.0+0x4a/0x70
+ ? get_page_from_freelist+0x353/0x540
+ netdev_port_receive+0xc4/0x180 [openvswitch]
+ ? netdev_port_receive+0x180/0x180 [openvswitch]
+ netdev_frame_hook+0x1f/0x40 [openvswitch]
+ __netif_receive_skb_core.constprop.0+0x23a/0xf00
+ __netif_receive_skb_list_core+0xfa/0x240
+ netif_receive_skb_list_internal+0x18e/0x2a0
+ napi_complete_done+0x7a/0x1c0
+ bnxt_poll+0x155/0x1c0 [bnxt_en]
+ __napi_poll+0x30/0x180
+ net_rx_action+0x126/0x280
+ ? bnxt_msix+0x67/0x80 [bnxt_en]
+ handle_softirqs+0xda/0x2d0
+ irq_exit_rcu+0x96/0xc0
+ common_interrupt+0x8e/0xa0
+ </IRQ>
+
+Fixes: fbdcdd78da7c ("Change in Openvswitch to support MPLS label depth of 3 in ingress direction")
+Signed-off-by: Faicker Mo <faicker.mo@zenlayer.com>
+Acked-by: Ilya Maximets <i.maximets@ovn.org>
+Reviewed-by: Aaron Conole <aconole@redhat.com>
+Link: https://patch.msgid.link/259D3404-575D-4A6D-B263-1DF59A67CF89@zenlayer.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/openvswitch/flow.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c
+index 78960a8a38925..60ebc42a20e7e 100644
+--- a/net/openvswitch/flow.c
++++ b/net/openvswitch/flow.c
+@@ -785,7 +785,7 @@ static int key_extract_l3l4(struct sk_buff *skb, struct sw_flow_key *key)
+ memset(&key->ipv4, 0, sizeof(key->ipv4));
+ }
+ } else if (eth_p_mpls(key->eth.type)) {
+- u8 label_count = 1;
++ size_t label_count = 1;
+
+ memset(&key->mpls, 0, sizeof(key->mpls));
+ skb_set_inner_network_header(skb, skb->mac_len);
+--
+2.39.5
+
--- /dev/null
+From 1f885134454d6a5462eee080d23642c0335f0574 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 May 2025 13:57:22 +0200
+Subject: net: phy: mscc: Fix memory leak when using one step timestamping
+
+From: Horatiu Vultur <horatiu.vultur@microchip.com>
+
+[ Upstream commit 846992645b25ec4253167e3f931e4597eb84af56 ]
+
+Fix memory leak when running one-step timestamping. When running
+one-step sync timestamping, the HW is configured to insert the TX time
+into the frame, so there is no reason to keep the skb anymore. As in
+this case the HW will never generate an interrupt to say that the frame
+was timestamped, then the frame will never released.
+Fix this by freeing the frame in case of one-step timestamping.
+
+Fixes: 7d272e63e0979d ("net: phy: mscc: timestamping and PHC support")
+Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
+Link: https://patch.msgid.link/20250522115722.2827199-1-horatiu.vultur@microchip.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/mscc/mscc_ptp.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/phy/mscc/mscc_ptp.c b/drivers/net/phy/mscc/mscc_ptp.c
+index cf728bfd83e22..af44b01f3d383 100644
+--- a/drivers/net/phy/mscc/mscc_ptp.c
++++ b/drivers/net/phy/mscc/mscc_ptp.c
+@@ -1165,18 +1165,24 @@ static void vsc85xx_txtstamp(struct mii_timestamper *mii_ts,
+ container_of(mii_ts, struct vsc8531_private, mii_ts);
+
+ if (!vsc8531->ptp->configured)
+- return;
++ goto out;
+
+- if (vsc8531->ptp->tx_type == HWTSTAMP_TX_OFF) {
+- kfree_skb(skb);
+- return;
+- }
++ if (vsc8531->ptp->tx_type == HWTSTAMP_TX_OFF)
++ goto out;
++
++ if (vsc8531->ptp->tx_type == HWTSTAMP_TX_ONESTEP_SYNC)
++ if (ptp_msg_is_sync(skb, type))
++ goto out;
+
+ skb_shinfo(skb)->tx_flags |= SKBTX_IN_PROGRESS;
+
+ mutex_lock(&vsc8531->ts_lock);
+ __skb_queue_tail(&vsc8531->ptp->tx_queue, skb);
+ mutex_unlock(&vsc8531->ts_lock);
++ return;
++
++out:
++ kfree_skb(skb);
+ }
+
+ static bool vsc85xx_rxtstamp(struct mii_timestamper *mii_ts,
+--
+2.39.5
+
--- /dev/null
+From 0a996ea25114008869b6e4b67881631a2cb94843 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 May 2025 10:27:16 +0200
+Subject: net: phy: mscc: Stop clearing the the UDPv4 checksum for L2 frames
+
+From: Horatiu Vultur <horatiu.vultur@microchip.com>
+
+[ Upstream commit 57a92d14659df3e7e7e0052358c8cc68bbbc3b5e ]
+
+We have noticed that when PHY timestamping is enabled, L2 frames seems
+to be modified by changing two 2 bytes with a value of 0. The place were
+these 2 bytes seems to be random(or I couldn't find a pattern). In most
+of the cases the userspace can ignore these frames but if for example
+those 2 bytes are in the correction field there is nothing to do. This
+seems to happen when configuring the HW for IPv4 even that the flow is
+not enabled.
+These 2 bytes correspond to the UDPv4 checksum and once we don't enable
+clearing the checksum when using L2 frames then the frame doesn't seem
+to be changed anymore.
+
+Fixes: 7d272e63e0979d ("net: phy: mscc: timestamping and PHC support")
+Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
+Link: https://patch.msgid.link/20250523082716.2935895-1-horatiu.vultur@microchip.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/mscc/mscc_ptp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/mscc/mscc_ptp.c b/drivers/net/phy/mscc/mscc_ptp.c
+index af44b01f3d383..7e7ce79eadffb 100644
+--- a/drivers/net/phy/mscc/mscc_ptp.c
++++ b/drivers/net/phy/mscc/mscc_ptp.c
+@@ -943,7 +943,9 @@ static int vsc85xx_ip1_conf(struct phy_device *phydev, enum ts_blk blk,
+ /* UDP checksum offset in IPv4 packet
+ * according to: https://tools.ietf.org/html/rfc768
+ */
+- val |= IP1_NXT_PROT_UDP_CHKSUM_OFF(26) | IP1_NXT_PROT_UDP_CHKSUM_CLEAR;
++ val |= IP1_NXT_PROT_UDP_CHKSUM_OFF(26);
++ if (enable)
++ val |= IP1_NXT_PROT_UDP_CHKSUM_CLEAR;
+ vsc85xx_ts_write_csr(phydev, blk, MSCC_ANA_IP1_NXT_PROT_UDP_CHKSUM,
+ val);
+
+--
+2.39.5
+
--- /dev/null
+From 3b4346047e1f2f7e3d7a5f16cd548bbfc303f9ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 May 2025 11:07:23 +0200
+Subject: net: stmmac: make sure that ptp_rate is not 0 before configuring
+ timestamping
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alexis Lothoré <alexis.lothore@bootlin.com>
+
+[ Upstream commit 030ce919e114a111e83b7976ecb3597cefd33f26 ]
+
+The stmmac platform drivers that do not open-code the clk_ptp_rate value
+after having retrieved the default one from the device-tree can end up
+with 0 in clk_ptp_rate (as clk_get_rate can return 0). It will
+eventually propagate up to PTP initialization when bringing up the
+interface, leading to a divide by 0:
+
+ Division by zero in kernel.
+ CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.30-00001-g48313bd5768a #22
+ Hardware name: STM32 (Device Tree Support)
+ Call trace:
+ unwind_backtrace from show_stack+0x18/0x1c
+ show_stack from dump_stack_lvl+0x6c/0x8c
+ dump_stack_lvl from Ldiv0_64+0x8/0x18
+ Ldiv0_64 from stmmac_init_tstamp_counter+0x190/0x1a4
+ stmmac_init_tstamp_counter from stmmac_hw_setup+0xc1c/0x111c
+ stmmac_hw_setup from __stmmac_open+0x18c/0x434
+ __stmmac_open from stmmac_open+0x3c/0xbc
+ stmmac_open from __dev_open+0xf4/0x1ac
+ __dev_open from __dev_change_flags+0x1cc/0x224
+ __dev_change_flags from dev_change_flags+0x24/0x60
+ dev_change_flags from ip_auto_config+0x2e8/0x11a0
+ ip_auto_config from do_one_initcall+0x84/0x33c
+ do_one_initcall from kernel_init_freeable+0x1b8/0x214
+ kernel_init_freeable from kernel_init+0x24/0x140
+ kernel_init from ret_from_fork+0x14/0x28
+ Exception stack(0xe0815fb0 to 0xe0815ff8)
+
+Prevent this division by 0 by adding an explicit check and error log
+about the actual issue. While at it, remove the same check from
+stmmac_ptp_register, which then becomes duplicate
+
+Fixes: 19d857c9038e ("stmmac: Fix calculations for ptp counters when clock input = 50Mhz.")
+Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
+Reviewed-by: Yanteng Si <si.yanteng@linux.dev>
+Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Link: https://patch.msgid.link/20250529-stmmac_tstamp_div-v4-1-d73340a794d5@bootlin.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 5 +++++
+ drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c | 2 +-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index 14e5b94b0b5ab..948e35c405a84 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -841,6 +841,11 @@ int stmmac_init_tstamp_counter(struct stmmac_priv *priv, u32 systime_flags)
+ if (!(priv->dma_cap.time_stamp || priv->dma_cap.atime_stamp))
+ return -EOPNOTSUPP;
+
++ if (!priv->plat->clk_ptp_rate) {
++ netdev_err(priv->dev, "Invalid PTP clock rate");
++ return -EINVAL;
++ }
++
+ stmmac_config_hw_tstamping(priv, priv->ptpaddr, systime_flags);
+ priv->systime_flags = systime_flags;
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c
+index 9c91a3dc8e385..cc223fe086484 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c
+@@ -301,7 +301,7 @@ void stmmac_ptp_register(struct stmmac_priv *priv)
+
+ /* Calculate the clock domain crossing (CDC) error if necessary */
+ priv->plat->cdc_error_adj = 0;
+- if (priv->plat->has_gmac4 && priv->plat->clk_ptp_rate)
++ if (priv->plat->has_gmac4)
+ priv->plat->cdc_error_adj = (2 * NSEC_PER_SEC) / priv->plat->clk_ptp_rate;
+
+ stmmac_ptp_clock_ops.n_per_out = priv->dma_cap.pps_out_num;
+--
+2.39.5
+
--- /dev/null
+From bd60175b341ba01fabd25e4455ed21ea4f0175c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 May 2025 13:56:23 +0200
+Subject: net: stmmac: platform: guarantee uniqueness of bus_id
+
+From: Quentin Schulz <quentin.schulz@cherry.de>
+
+[ Upstream commit eb7fd7aa35bfcc1e1fda4ecc42ccfcb526cdc780 ]
+
+bus_id is currently derived from the ethernetX alias. If one is missing
+for the device, 0 is used. If ethernet0 points to another stmmac device
+or if there are 2+ stmmac devices without an ethernet alias, then bus_id
+will be 0 for all of those.
+
+This is an issue because the bus_id is used to generate the mdio bus id
+(new_bus->id in drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c
+stmmac_mdio_register) and this needs to be unique.
+
+This allows to avoid needing to define ethernet aliases for devices with
+multiple stmmac controllers (such as the Rockchip RK3588) for multiple
+stmmac devices to probe properly.
+
+Obviously, the bus_id isn't guaranteed to be stable across reboots if no
+alias is set for the device but that is easily fixed by simply adding an
+alias if this is desired.
+
+Fixes: 25c83b5c2e82 ("dt:net:stmmac: Add support to dwmac version 3.610 and 3.710")
+Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
+Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Link: https://patch.msgid.link/20250527-stmmac-mdio-bus_id-v2-1-a5ca78454e3c@cherry.de
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
+index c368ef3cd9cb4..e81f54a4ac9b1 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
+@@ -417,6 +417,7 @@ stmmac_probe_config_dt(struct platform_device *pdev, u8 *mac)
+ struct device_node *np = pdev->dev.of_node;
+ struct plat_stmmacenet_data *plat;
+ struct stmmac_dma_cfg *dma_cfg;
++ static int bus_id = -ENODEV;
+ int phy_mode;
+ void *ret;
+ int rc;
+@@ -453,8 +454,14 @@ stmmac_probe_config_dt(struct platform_device *pdev, u8 *mac)
+ of_property_read_u32(np, "max-speed", &plat->max_speed);
+
+ plat->bus_id = of_alias_get_id(np, "ethernet");
+- if (plat->bus_id < 0)
+- plat->bus_id = 0;
++ if (plat->bus_id < 0) {
++ if (bus_id < 0)
++ bus_id = of_alias_get_highest_id("ethernet");
++ /* No ethernet alias found, init at -1 so first bus_id is 0 */
++ if (bus_id < 0)
++ bus_id = -1;
++ plat->bus_id = ++bus_id;
++ }
+
+ /* Default to phy auto-detection */
+ plat->phy_addr = -1;
+--
+2.39.5
+
--- /dev/null
+From 144d058b6895fc438d441dfead275da6d76e44ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 May 2025 16:35:44 +0000
+Subject: net: tipc: fix refcount warning in tipc_aead_encrypt
+
+From: Charalampos Mitrodimas <charmitro@posteo.net>
+
+[ Upstream commit f29ccaa07cf3d35990f4d25028cc55470d29372b ]
+
+syzbot reported a refcount warning [1] caused by calling get_net() on
+a network namespace that is being destroyed (refcount=0). This happens
+when a TIPC discovery timer fires during network namespace cleanup.
+
+The recently added get_net() call in commit e279024617134 ("net/tipc:
+fix slab-use-after-free Read in tipc_aead_encrypt_done") attempts to
+hold a reference to the network namespace. However, if the namespace
+is already being destroyed, its refcount might be zero, leading to the
+use-after-free warning.
+
+Replace get_net() with maybe_get_net(), which safely checks if the
+refcount is non-zero before incrementing it. If the namespace is being
+destroyed, return -ENODEV early, after releasing the bearer reference.
+
+[1]: https://lore.kernel.org/all/68342b55.a70a0220.253bc2.0091.GAE@google.com/T/#m12019cf9ae77e1954f666914640efa36d52704a2
+
+Reported-by: syzbot+f0c4a4aba757549ae26c@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/68342b55.a70a0220.253bc2.0091.GAE@google.com/T/#m12019cf9ae77e1954f666914640efa36d52704a2
+Fixes: e27902461713 ("net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done")
+Signed-off-by: Charalampos Mitrodimas <charmitro@posteo.net>
+Reviewed-by: Tung Nguyen <tung.quang.nguyen@est.tech>
+Link: https://patch.msgid.link/20250527-net-tipc-warning-v2-1-df3dc398a047@posteo.net
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/crypto.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c
+index a9c02fac039b5..17e2b09002853 100644
+--- a/net/tipc/crypto.c
++++ b/net/tipc/crypto.c
+@@ -818,7 +818,11 @@ static int tipc_aead_encrypt(struct tipc_aead *aead, struct sk_buff *skb,
+ }
+
+ /* Get net to avoid freed tipc_crypto when delete namespace */
+- get_net(aead->crypto->net);
++ if (!maybe_get_net(aead->crypto->net)) {
++ tipc_bearer_put(b);
++ rc = -ENODEV;
++ goto exit;
++ }
+
+ /* Now, do encrypt */
+ rc = crypto_aead_encrypt(req);
+--
+2.39.5
+
--- /dev/null
+From 87afcd63895e6bd84e76fc8eaa1231eb8c0bec50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 May 2025 14:32:39 +0300
+Subject: net: usb: aqc111: fix error handling of usbnet read calls
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+[ Upstream commit 405b0d610745fb5e84fc2961d9b960abb9f3d107 ]
+
+Syzkaller, courtesy of syzbot, identified an error (see report [1]) in
+aqc111 driver, caused by incomplete sanitation of usb read calls'
+results. This problem is quite similar to the one fixed in commit
+920a9fa27e78 ("net: asix: add proper error handling of usb read errors").
+
+For instance, usbnet_read_cmd() may read fewer than 'size' bytes,
+even if the caller expected the full amount, and aqc111_read_cmd()
+will not check its result properly. As [1] shows, this may lead
+to MAC address in aqc111_bind() being only partly initialized,
+triggering KMSAN warnings.
+
+Fix the issue by verifying that the number of bytes read is
+as expected and not less.
+
+[1] Partial syzbot report:
+BUG: KMSAN: uninit-value in is_valid_ether_addr include/linux/etherdevice.h:208 [inline]
+BUG: KMSAN: uninit-value in usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830
+ is_valid_ether_addr include/linux/etherdevice.h:208 [inline]
+ usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830
+ usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396
+ call_driver_probe drivers/base/dd.c:-1 [inline]
+ really_probe+0x4d1/0xd90 drivers/base/dd.c:658
+ __driver_probe_device+0x268/0x380 drivers/base/dd.c:800
+...
+
+Uninit was stored to memory at:
+ dev_addr_mod+0xb0/0x550 net/core/dev_addr_lists.c:582
+ __dev_addr_set include/linux/netdevice.h:4874 [inline]
+ eth_hw_addr_set include/linux/etherdevice.h:325 [inline]
+ aqc111_bind+0x35f/0x1150 drivers/net/usb/aqc111.c:717
+ usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772
+ usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396
+...
+
+Uninit was stored to memory at:
+ ether_addr_copy include/linux/etherdevice.h:305 [inline]
+ aqc111_read_perm_mac drivers/net/usb/aqc111.c:663 [inline]
+ aqc111_bind+0x794/0x1150 drivers/net/usb/aqc111.c:713
+ usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772
+ usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396
+ call_driver_probe drivers/base/dd.c:-1 [inline]
+...
+
+Local variable buf.i created at:
+ aqc111_read_perm_mac drivers/net/usb/aqc111.c:656 [inline]
+ aqc111_bind+0x221/0x1150 drivers/net/usb/aqc111.c:713
+ usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772
+
+Reported-by: syzbot+3b6b9ff7b80430020c7b@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=3b6b9ff7b80430020c7b
+Tested-by: syzbot+3b6b9ff7b80430020c7b@syzkaller.appspotmail.com
+Fixes: df2d59a2ab6c ("net: usb: aqc111: Add support for getting and setting of MAC address")
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Link: https://patch.msgid.link/20250520113240.2369438-1-n.zhandarovich@fintech.ru
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/aqc111.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/usb/aqc111.c b/drivers/net/usb/aqc111.c
+index 284375f662f1e..04d5573123bec 100644
+--- a/drivers/net/usb/aqc111.c
++++ b/drivers/net/usb/aqc111.c
+@@ -30,10 +30,13 @@ static int aqc111_read_cmd_nopm(struct usbnet *dev, u8 cmd, u16 value,
+ ret = usbnet_read_cmd_nopm(dev, cmd, USB_DIR_IN | USB_TYPE_VENDOR |
+ USB_RECIP_DEVICE, value, index, data, size);
+
+- if (unlikely(ret < 0))
++ if (unlikely(ret < size)) {
++ ret = ret < 0 ? ret : -ENODATA;
++
+ netdev_warn(dev->net,
+ "Failed to read(0x%x) reg index 0x%04x: %d\n",
+ cmd, index, ret);
++ }
+
+ return ret;
+ }
+@@ -46,10 +49,13 @@ static int aqc111_read_cmd(struct usbnet *dev, u8 cmd, u16 value,
+ ret = usbnet_read_cmd(dev, cmd, USB_DIR_IN | USB_TYPE_VENDOR |
+ USB_RECIP_DEVICE, value, index, data, size);
+
+- if (unlikely(ret < 0))
++ if (unlikely(ret < size)) {
++ ret = ret < 0 ? ret : -ENODATA;
++
+ netdev_warn(dev->net,
+ "Failed to read(0x%x) reg index 0x%04x: %d\n",
+ cmd, index, ret);
++ }
+
+ return ret;
+ }
+--
+2.39.5
+
--- /dev/null
+From 30ec1477e36b3b66b3f9ddd9573c946ebff4221b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Apr 2025 17:29:53 +0800
+Subject: netfilter: bridge: Move specific fragmented packet to slow_path
+ instead of dropping it
+
+From: Huajian Yang <huajianyang@asrmicro.com>
+
+[ Upstream commit aa04c6f45b9224b949aa35d4fa5f8d0ba07b23d4 ]
+
+The config NF_CONNTRACK_BRIDGE will change the bridge forwarding for
+fragmented packets.
+
+The original bridge does not know that it is a fragmented packet and
+forwards it directly, after NF_CONNTRACK_BRIDGE is enabled, function
+nf_br_ip_fragment and br_ip6_fragment will check the headroom.
+
+In original br_forward, insufficient headroom of skb may indeed exist,
+but there's still a way to save the skb in the device driver after
+dev_queue_xmit.So droping the skb will change the original bridge
+forwarding in some cases.
+
+Fixes: 3c171f496ef5 ("netfilter: bridge: add connection tracking system")
+Signed-off-by: Huajian Yang <huajianyang@asrmicro.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/netfilter/nf_conntrack_bridge.c | 12 ++++++------
+ net/ipv6/netfilter.c | 12 ++++++------
+ 2 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/net/bridge/netfilter/nf_conntrack_bridge.c b/net/bridge/netfilter/nf_conntrack_bridge.c
+index e60c38670f220..e7df2911d2be7 100644
+--- a/net/bridge/netfilter/nf_conntrack_bridge.c
++++ b/net/bridge/netfilter/nf_conntrack_bridge.c
+@@ -60,19 +60,19 @@ static int nf_br_ip_fragment(struct net *net, struct sock *sk,
+ struct ip_fraglist_iter iter;
+ struct sk_buff *frag;
+
+- if (first_len - hlen > mtu ||
+- skb_headroom(skb) < ll_rs)
++ if (first_len - hlen > mtu)
+ goto blackhole;
+
+- if (skb_cloned(skb))
++ if (skb_cloned(skb) ||
++ skb_headroom(skb) < ll_rs)
+ goto slow_path;
+
+ skb_walk_frags(skb, frag) {
+- if (frag->len > mtu ||
+- skb_headroom(frag) < hlen + ll_rs)
++ if (frag->len > mtu)
+ goto blackhole;
+
+- if (skb_shared(frag))
++ if (skb_shared(frag) ||
++ skb_headroom(frag) < hlen + ll_rs)
+ goto slow_path;
+ }
+
+diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
+index 857713d7a38a5..d873658fc821f 100644
+--- a/net/ipv6/netfilter.c
++++ b/net/ipv6/netfilter.c
+@@ -163,20 +163,20 @@ int br_ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
+ struct ip6_fraglist_iter iter;
+ struct sk_buff *frag2;
+
+- if (first_len - hlen > mtu ||
+- skb_headroom(skb) < (hroom + sizeof(struct frag_hdr)))
++ if (first_len - hlen > mtu)
+ goto blackhole;
+
+- if (skb_cloned(skb))
++ if (skb_cloned(skb) ||
++ skb_headroom(skb) < (hroom + sizeof(struct frag_hdr)))
+ goto slow_path;
+
+ skb_walk_frags(skb, frag2) {
+- if (frag2->len > mtu ||
+- skb_headroom(frag2) < (hlen + hroom + sizeof(struct frag_hdr)))
++ if (frag2->len > mtu)
+ goto blackhole;
+
+ /* Partially cloned skb? */
+- if (skb_shared(frag2))
++ if (skb_shared(frag2) ||
++ skb_headroom(frag2) < (hlen + hroom + sizeof(struct frag_hdr)))
+ goto slow_path;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 5a3fe89278140952d35f068dd2148877a336ba78 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 May 2025 14:20:44 +0200
+Subject: netfilter: nf_set_pipapo_avx2: fix initial map fill
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit ea77c397bff8b6d59f6d83dae1425b08f465e8b5 ]
+
+If the first field doesn't cover the entire start map, then we must zero
+out the remainder, else we leak those bits into the next match round map.
+
+The early fix was incomplete and did only fix up the generic C
+implementation.
+
+A followup patch adds a test case to nft_concat_range.sh.
+
+Fixes: 791a615b7ad2 ("netfilter: nf_set_pipapo: fix initial map fill")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_set_pipapo_avx2.c | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c
+index c15db28c5ebc4..be7c16c79f711 100644
+--- a/net/netfilter/nft_set_pipapo_avx2.c
++++ b/net/netfilter/nft_set_pipapo_avx2.c
+@@ -1113,6 +1113,25 @@ bool nft_pipapo_avx2_estimate(const struct nft_set_desc *desc, u32 features,
+ return true;
+ }
+
++/**
++ * pipapo_resmap_init_avx2() - Initialise result map before first use
++ * @m: Matching data, including mapping table
++ * @res_map: Result map
++ *
++ * Like pipapo_resmap_init() but do not set start map bits covered by the first field.
++ */
++static inline void pipapo_resmap_init_avx2(const struct nft_pipapo_match *m, unsigned long *res_map)
++{
++ const struct nft_pipapo_field *f = m->f;
++ int i;
++
++ /* Starting map doesn't need to be set to all-ones for this implementation,
++ * but we do need to zero the remaining bits, if any.
++ */
++ for (i = f->bsize; i < m->bsize_max; i++)
++ res_map[i] = 0ul;
++}
++
+ /**
+ * nft_pipapo_avx2_lookup() - Lookup function for AVX2 implementation
+ * @net: Network namespace
+@@ -1171,7 +1190,7 @@ bool nft_pipapo_avx2_lookup(const struct net *net, const struct nft_set *set,
+ res = scratch->map + (map_index ? m->bsize_max : 0);
+ fill = scratch->map + (map_index ? 0 : m->bsize_max);
+
+- /* Starting map doesn't need to be set for this implementation */
++ pipapo_resmap_init_avx2(m, res);
+
+ nft_pipapo_avx2_prepare();
+
+--
+2.39.5
+
--- /dev/null
+From 92c641d2b8f03eea29f947e60e37d68f8ca0ee9f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 May 2025 11:38:47 +0200
+Subject: netfilter: nf_tables: nft_fib_ipv6: fix VRF ipv4/ipv6 result
+ discrepancy
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 8b53f46eb430fe5b42d485873b85331d2de2c469 ]
+
+With a VRF, ipv4 and ipv6 FIB expression behave differently.
+
+ fib daddr . iif oif
+
+Will return the input interface name for ipv4, but the real device
+for ipv6. Example:
+
+If VRF device name is tvrf and real (incoming) device is veth0.
+First round is ok, both ipv4 and ipv6 will yield 'veth0'.
+
+But in the second round (incoming device will be set to "tvrf"), ipv4
+will yield "tvrf" whereas ipv6 returns "veth0" for the second round too.
+
+This makes ipv6 behave like ipv4.
+
+A followup patch will add a test case for this, without this change
+it will fail with:
+ get element inet t fibif6iif { tvrf . dead:1::99 . tvrf }
+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+ FAIL: did not find tvrf . dead:1::99 . tvrf in fibif6iif
+
+Alternatively we could either not do anything at all or change
+ipv4 to also return the lower/real device, however, nft (userspace)
+doc says "iif: if fib lookup provides a route then check its output
+interface is identical to the packets input interface." which is what
+the nft fib ipv4 behaviour is.
+
+Fixes: f6d0cbcf09c5 ("netfilter: nf_tables: add fib expression")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/netfilter/nft_fib_ipv6.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv6/netfilter/nft_fib_ipv6.c b/net/ipv6/netfilter/nft_fib_ipv6.c
+index c9f1634b3838a..a89ce0fbfe4b1 100644
+--- a/net/ipv6/netfilter/nft_fib_ipv6.c
++++ b/net/ipv6/netfilter/nft_fib_ipv6.c
+@@ -158,6 +158,7 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs,
+ {
+ const struct nft_fib *priv = nft_expr_priv(expr);
+ int noff = skb_network_offset(pkt->skb);
++ const struct net_device *found = NULL;
+ const struct net_device *oif = NULL;
+ u32 *dest = ®s->data[priv->dreg];
+ struct ipv6hdr *iph, _iph;
+@@ -202,11 +203,15 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs,
+ if (rt->rt6i_flags & (RTF_REJECT | RTF_ANYCAST | RTF_LOCAL))
+ goto put_rt_err;
+
+- if (oif && oif != rt->rt6i_idev->dev &&
+- l3mdev_master_ifindex_rcu(rt->rt6i_idev->dev) != oif->ifindex)
+- goto put_rt_err;
++ if (!oif) {
++ found = rt->rt6i_idev->dev;
++ } else {
++ if (oif == rt->rt6i_idev->dev ||
++ l3mdev_master_ifindex_rcu(rt->rt6i_idev->dev) == oif->ifindex)
++ found = oif;
++ }
+
+- nft_fib_store_result(dest, priv, rt->rt6i_idev->dev);
++ nft_fib_store_result(dest, priv, found);
+ put_rt_err:
+ ip6_rt_put(rt);
+ }
+--
+2.39.5
+
--- /dev/null
+From 8a419237c16aab7057a215b7c3e3a3f94c3621d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Apr 2025 15:49:30 +0000
+Subject: netfilter: nft_quota: match correctly when the quota just depleted
+
+From: Zhongqiu Duan <dzq.aishenghu0@gmail.com>
+
+[ Upstream commit bfe7cfb65c753952735c3eed703eba9a8b96a18d ]
+
+The xt_quota compares skb length with remaining quota, but the nft_quota
+compares it with consumed bytes.
+
+The xt_quota can match consumed bytes up to quota at maximum. But the
+nft_quota break match when consumed bytes equal to quota.
+
+i.e., nft_quota match consumed bytes in [0, quota - 1], not [0, quota].
+
+Fixes: 795595f68d6c ("netfilter: nft_quota: dump consumed quota")
+Signed-off-by: Zhongqiu Duan <dzq.aishenghu0@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_quota.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/net/netfilter/nft_quota.c b/net/netfilter/nft_quota.c
+index ef8e7cdbd0e6a..60e6d0c5f04ec 100644
+--- a/net/netfilter/nft_quota.c
++++ b/net/netfilter/nft_quota.c
+@@ -19,10 +19,16 @@ struct nft_quota {
+ };
+
+ static inline bool nft_overquota(struct nft_quota *priv,
+- const struct sk_buff *skb)
++ const struct sk_buff *skb,
++ bool *report)
+ {
+- return atomic64_add_return(skb->len, priv->consumed) >=
+- atomic64_read(&priv->quota);
++ u64 consumed = atomic64_add_return(skb->len, priv->consumed);
++ u64 quota = atomic64_read(&priv->quota);
++
++ if (report)
++ *report = consumed >= quota;
++
++ return consumed > quota;
+ }
+
+ static inline bool nft_quota_invert(struct nft_quota *priv)
+@@ -34,7 +40,7 @@ static inline void nft_quota_do_eval(struct nft_quota *priv,
+ struct nft_regs *regs,
+ const struct nft_pktinfo *pkt)
+ {
+- if (nft_overquota(priv, pkt->skb) ^ nft_quota_invert(priv))
++ if (nft_overquota(priv, pkt->skb, NULL) ^ nft_quota_invert(priv))
+ regs->verdict.code = NFT_BREAK;
+ }
+
+@@ -51,13 +57,13 @@ static void nft_quota_obj_eval(struct nft_object *obj,
+ const struct nft_pktinfo *pkt)
+ {
+ struct nft_quota *priv = nft_obj_data(obj);
+- bool overquota;
++ bool overquota, report;
+
+- overquota = nft_overquota(priv, pkt->skb);
++ overquota = nft_overquota(priv, pkt->skb, &report);
+ if (overquota ^ nft_quota_invert(priv))
+ regs->verdict.code = NFT_BREAK;
+
+- if (overquota &&
++ if (report &&
+ !test_and_set_bit(NFT_QUOTA_DEPLETED_BIT, &priv->flags))
+ nft_obj_notify(nft_net(pkt), obj->key.table, obj, 0, 0,
+ NFT_MSG_NEWOBJ, 0, nft_pf(pkt), 0, GFP_ATOMIC);
+--
+2.39.5
+
--- /dev/null
+From a887de237e05f947d65dece2e1b09cb4f87e106a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 May 2025 11:41:08 +0200
+Subject: netfilter: nft_tunnel: fix geneve_opt dump
+
+From: Fernando Fernandez Mancera <fmancera@suse.de>
+
+[ Upstream commit 22a9613de4c29d7d0770bfb8a5a9d73eb8df7dad ]
+
+When dumping a nft_tunnel with more than one geneve_opt configured the
+netlink attribute hierarchy should be as follow:
+
+ NFTA_TUNNEL_KEY_OPTS
+ |
+ |--NFTA_TUNNEL_KEY_OPTS_GENEVE
+ | |
+ | |--NFTA_TUNNEL_KEY_GENEVE_CLASS
+ | |--NFTA_TUNNEL_KEY_GENEVE_TYPE
+ | |--NFTA_TUNNEL_KEY_GENEVE_DATA
+ |
+ |--NFTA_TUNNEL_KEY_OPTS_GENEVE
+ | |
+ | |--NFTA_TUNNEL_KEY_GENEVE_CLASS
+ | |--NFTA_TUNNEL_KEY_GENEVE_TYPE
+ | |--NFTA_TUNNEL_KEY_GENEVE_DATA
+ |
+ |--NFTA_TUNNEL_KEY_OPTS_GENEVE
+ ...
+
+Otherwise, userspace tools won't be able to fetch the geneve options
+configured correctly.
+
+Fixes: 925d844696d9 ("netfilter: nft_tunnel: add support for geneve opts")
+Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_tunnel.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
+index d026982a00fc4..be741db50ffae 100644
+--- a/net/netfilter/nft_tunnel.c
++++ b/net/netfilter/nft_tunnel.c
+@@ -617,10 +617,10 @@ static int nft_tunnel_opts_dump(struct sk_buff *skb,
+ struct geneve_opt *opt;
+ int offset = 0;
+
+- inner = nla_nest_start_noflag(skb, NFTA_TUNNEL_KEY_OPTS_GENEVE);
+- if (!inner)
+- goto failure;
+ while (opts->len > offset) {
++ inner = nla_nest_start_noflag(skb, NFTA_TUNNEL_KEY_OPTS_GENEVE);
++ if (!inner)
++ goto failure;
+ opt = (struct geneve_opt *)(opts->u.data + offset);
+ if (nla_put_be16(skb, NFTA_TUNNEL_KEY_GENEVE_CLASS,
+ opt->opt_class) ||
+@@ -630,8 +630,8 @@ static int nft_tunnel_opts_dump(struct sk_buff *skb,
+ opt->length * 4, opt->opt_data))
+ goto inner_failure;
+ offset += sizeof(*opt) + opt->length * 4;
++ nla_nest_end(skb, inner);
+ }
+- nla_nest_end(skb, inner);
+ }
+ nla_nest_end(skb, nest);
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From b1bd8b0ad821d0987d27e8f1470f4e408e6eabc2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Mar 2025 21:05:32 +0800
+Subject: nfs: clear SB_RDONLY before getting superblock
+
+From: Li Lingfeng <lilingfeng3@huawei.com>
+
+[ Upstream commit 8cd9b785943c57a136536250da80ba1eb6f8eb18 ]
+
+As described in the link, commit 52cb7f8f1778 ("nfs: ignore SB_RDONLY when
+mounting nfs") removed the check for the ro flag when determining whether
+to share the superblock, which caused issues when mounting different
+subdirectories under the same export directory via NFSv3. However, this
+change did not affect NFSv4.
+
+For NFSv3:
+1) A single superblock is created for the initial mount.
+2) When mounted read-only, this superblock carries the SB_RDONLY flag.
+3) Before commit 52cb7f8f1778 ("nfs: ignore SB_RDONLY when mounting nfs"):
+Subsequent rw mounts would not share the existing ro superblock due to
+flag mismatch, creating a new superblock without SB_RDONLY.
+After the commit:
+ The SB_RDONLY flag is ignored during superblock comparison, and this leads
+ to sharing the existing superblock even for rw mounts.
+ Ultimately results in write operations being rejected at the VFS layer.
+
+For NFSv4:
+1) Multiple superblocks are created and the last one will be kept.
+2) The actually used superblock for ro mounts doesn't carry SB_RDONLY flag.
+Therefore, commit 52cb7f8f1778 doesn't affect NFSv4 mounts.
+
+Clear SB_RDONLY before getting superblock when NFS_MOUNT_UNSHARED is not
+set to fix it.
+
+Fixes: 52cb7f8f1778 ("nfs: ignore SB_RDONLY when mounting nfs")
+Closes: https://lore.kernel.org/all/12d7ea53-1202-4e21-a7ef-431c94758ce5@app.fastmail.com/T/
+Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
+Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/super.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/fs/nfs/super.c b/fs/nfs/super.c
+index 3dffeb1d17b9c..a4679cd75f70a 100644
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -1273,8 +1273,17 @@ int nfs_get_tree_common(struct fs_context *fc)
+ if (IS_ERR(server))
+ return PTR_ERR(server);
+
++ /*
++ * When NFS_MOUNT_UNSHARED is not set, NFS forces the sharing of a
++ * superblock among each filesystem that mounts sub-directories
++ * belonging to a single exported root path.
++ * To prevent interference between different filesystems, the
++ * SB_RDONLY flag should be removed from the superblock.
++ */
+ if (server->flags & NFS_MOUNT_UNSHARED)
+ compare_super = NULL;
++ else
++ fc->sb_flags &= ~SB_RDONLY;
+
+ /* -o noac implies -o sync */
+ if (server->flags & NFS_MOUNT_NOAC)
+--
+2.39.5
+
--- /dev/null
+From 59c25e20012be97e2e2b2a18fd76a628b78e316b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Mar 2025 21:05:33 +0800
+Subject: nfs: ignore SB_RDONLY when remounting nfs
+
+From: Li Lingfeng <lilingfeng3@huawei.com>
+
+[ Upstream commit 80c4de6ab44c14e910117a02f2f8241ffc6ec54a ]
+
+In some scenarios, when mounting NFS, more than one superblock may be
+created. The final superblock used is the last one created, but only the
+first superblock carries the ro flag passed from user space. If a ro flag
+is added to the superblock via remount, it will trigger the issue
+described in Link[1].
+
+Link[2] attempted to address this by marking the superblock as ro during
+the initial mount. However, this introduced a new problem in scenarios
+where multiple mount points share the same superblock:
+[root@a ~]# mount /dev/sdb /mnt/sdb
+[root@a ~]# echo "/mnt/sdb *(rw,no_root_squash)" > /etc/exports
+[root@a ~]# echo "/mnt/sdb/test_dir2 *(ro,no_root_squash)" >> /etc/exports
+[root@a ~]# systemctl restart nfs-server
+[root@a ~]# mount -t nfs -o rw 127.0.0.1:/mnt/sdb/test_dir1 /mnt/test_mp1
+[root@a ~]# mount | grep nfs4
+127.0.0.1:/mnt/sdb/test_dir1 on /mnt/test_mp1 type nfs4 (rw,relatime,...
+[root@a ~]# mount -t nfs -o ro 127.0.0.1:/mnt/sdb/test_dir2 /mnt/test_mp2
+[root@a ~]# mount | grep nfs4
+127.0.0.1:/mnt/sdb/test_dir1 on /mnt/test_mp1 type nfs4 (ro,relatime,...
+127.0.0.1:/mnt/sdb/test_dir2 on /mnt/test_mp2 type nfs4 (ro,relatime,...
+[root@a ~]#
+
+When mounting the second NFS, the shared superblock is marked as ro,
+causing the previous NFS mount to become read-only.
+
+To resolve both issues, the ro flag is no longer applied to the superblock
+during remount. Instead, the ro flag on the mount is used to control
+whether the mount point is read-only.
+
+Fixes: 281cad46b34d ("NFS: Create a submount rpc_op")
+Link[1]: https://lore.kernel.org/all/20240604112636.236517-3-lilingfeng@huaweicloud.com/
+Link[2]: https://lore.kernel.org/all/20241130035818.1459775-1-lilingfeng3@huawei.com/
+Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
+Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/super.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/fs/nfs/super.c b/fs/nfs/super.c
+index a4679cd75f70a..2dca011da034e 100644
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -1017,6 +1017,16 @@ int nfs_reconfigure(struct fs_context *fc)
+
+ sync_filesystem(sb);
+
++ /*
++ * The SB_RDONLY flag has been removed from the superblock during
++ * mounts to prevent interference between different filesystems.
++ * Similarly, it is also necessary to ignore the SB_RDONLY flag
++ * during reconfiguration; otherwise, it may also result in the
++ * creation of redundant superblocks when mounting a directory with
++ * different rw and ro flags multiple times.
++ */
++ fc->sb_flags_mask &= ~SB_RDONLY;
++
+ /*
+ * Userspace mount programs that send binary options generally send
+ * them populated with default values. We have no way to know which
+--
+2.39.5
+
--- /dev/null
+From e814aec211a7d87059b669138962f6dde17c9dca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Apr 2025 02:37:07 +0900
+Subject: nilfs2: add pointer check for nilfs_direct_propagate()
+
+From: Wentao Liang <vulab@iscas.ac.cn>
+
+[ Upstream commit f43f02429295486059605997bc43803527d69791 ]
+
+Patch series "nilfs2: improve sanity checks in dirty state propagation".
+
+This fixes one missed check for block mapping anomalies and one improper
+return of an error code during a preparation step for log writing, thereby
+improving checking for filesystem corruption on writeback.
+
+This patch (of 2):
+
+In nilfs_direct_propagate(), the printer get from nilfs_direct_get_ptr()
+need to be checked to ensure it is not an invalid pointer.
+
+If the pointer value obtained by nilfs_direct_get_ptr() is
+NILFS_BMAP_INVALID_PTR, means that the metadata (in this case, i_bmap in
+the nilfs_inode_info struct) that should point to the data block at the
+buffer head of the argument is corrupted and the data block is orphaned,
+meaning that the file system has lost consistency.
+
+Add a value check and return -EINVAL when it is an invalid pointer.
+
+Link: https://lkml.kernel.org/r/20250428173808.6452-1-konishi.ryusuke@gmail.com
+Link: https://lkml.kernel.org/r/20250428173808.6452-2-konishi.ryusuke@gmail.com
+Fixes: 36a580eb489f ("nilfs2: direct block mapping")
+Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nilfs2/direct.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/nilfs2/direct.c b/fs/nilfs2/direct.c
+index 893ab36824cc2..2d8dc6b35b547 100644
+--- a/fs/nilfs2/direct.c
++++ b/fs/nilfs2/direct.c
+@@ -273,6 +273,9 @@ static int nilfs_direct_propagate(struct nilfs_bmap *bmap,
+ dat = nilfs_bmap_get_dat(bmap);
+ key = nilfs_bmap_data_get_key(bmap, bh);
+ ptr = nilfs_direct_get_ptr(bmap, key);
++ if (ptr == NILFS_BMAP_INVALID_PTR)
++ return -EINVAL;
++
+ if (!buffer_nilfs_volatile(bh)) {
+ oldreq.pr_entry_nr = ptr;
+ newreq.pr_entry_nr = ptr;
+--
+2.39.5
+
--- /dev/null
+From 048b83ff9a143781eebb0bd2a7c78c58c9e0f588 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Apr 2025 02:37:08 +0900
+Subject: nilfs2: do not propagate ENOENT error from nilfs_btree_propagate()
+
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+
+[ Upstream commit 8e39fbb1edbb4ec9d7c1124f403877fc167fcecd ]
+
+In preparation for writing logs, in nilfs_btree_propagate(), which makes
+parent and ancestor node blocks dirty starting from a modified data block
+or b-tree node block, if the starting block does not belong to the b-tree,
+i.e. is isolated, nilfs_btree_do_lookup() called within the function
+fails with -ENOENT.
+
+In this case, even though -ENOENT is an internal code, it is propagated to
+the log writer via nilfs_bmap_propagate() and may be erroneously returned
+to system calls such as fsync().
+
+Fix this issue by changing the error code to -EINVAL in this case, and
+having the bmap layer detect metadata corruption and convert the error
+code appropriately.
+
+Link: https://lkml.kernel.org/r/20250428173808.6452-3-konishi.ryusuke@gmail.com
+Fixes: 1f5abe7e7dbc ("nilfs2: replace BUG_ON and BUG calls triggerable from ioctl")
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Cc: Wentao Liang <vulab@iscas.ac.cn>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nilfs2/btree.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/nilfs2/btree.c b/fs/nilfs2/btree.c
+index 3139a1863751b..29cb1236e1a9b 100644
+--- a/fs/nilfs2/btree.c
++++ b/fs/nilfs2/btree.c
+@@ -2094,11 +2094,13 @@ static int nilfs_btree_propagate(struct nilfs_bmap *btree,
+
+ ret = nilfs_btree_do_lookup(btree, path, key, NULL, level + 1, 0);
+ if (ret < 0) {
+- if (unlikely(ret == -ENOENT))
++ if (unlikely(ret == -ENOENT)) {
+ nilfs_crit(btree->b_inode->i_sb,
+ "writing node/leaf block does not appear in b-tree (ino=%lu) at key=%llu, level=%d",
+ btree->b_inode->i_ino,
+ (unsigned long long)key, level);
++ ret = -EINVAL;
++ }
+ goto out;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 10003f872f26d8b55226a7a9f5b4d4b7aa6321ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Apr 2025 09:56:27 +0300
+Subject: ocfs2: fix possible memory leak in ocfs2_finish_quota_recovery
+
+From: Murad Masimov <m.masimov@mt-integration.ru>
+
+[ Upstream commit cdc3ed3035d0fe934aa1d9b78ce256752fd3bb7d ]
+
+If ocfs2_finish_quota_recovery() exits due to an error before passing all
+rc_list elements to ocfs2_recover_local_quota_file() then it can lead to a
+memory leak as rc_list may still contain elements that have to be freed.
+
+Release all memory allocated by ocfs2_add_recovery_chunk() using
+ocfs2_free_quota_recovery() instead of kfree().
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Link: https://lkml.kernel.org/r/20250402065628.706359-2-m.masimov@mt-integration.ru
+Fixes: 2205363dce74 ("ocfs2: Implement quota recovery")
+Signed-off-by: Murad Masimov <m.masimov@mt-integration.ru>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/quota_local.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ocfs2/quota_local.c b/fs/ocfs2/quota_local.c
+index 0ca8975a1df47..c7bda48b5fb21 100644
+--- a/fs/ocfs2/quota_local.c
++++ b/fs/ocfs2/quota_local.c
+@@ -671,7 +671,7 @@ int ocfs2_finish_quota_recovery(struct ocfs2_super *osb,
+ break;
+ }
+ out:
+- kfree(rec);
++ ocfs2_free_quota_recovery(rec);
+ return status;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 7649c4c3b3327888b99a6d27ec0080c8753a2d81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Apr 2025 10:17:11 +0100
+Subject: PCI: apple: Use gpiod_set_value_cansleep in probe flow
+
+From: Hector Martin <marcan@marcan.st>
+
+[ Upstream commit 7334364f9de79a9a236dd0243ba574b8d2876e89 ]
+
+We're allowed to sleep here, so tell the GPIO core by using
+gpiod_set_value_cansleep instead of gpiod_set_value.
+
+Fixes: 1e33888fbe44 ("PCI: apple: Add initial hardware bring-up")
+Signed-off-by: Hector Martin <marcan@marcan.st>
+Signed-off-by: Alyssa Rosenzweig <alyssa@rosenzweig.io>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Tested-by: Janne Grunau <j@jannau.net>
+Reviewed-by: Rob Herring (Arm) <robh@kernel.org>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Acked-by: Alyssa Rosenzweig <alyssa@rosenzweig.io>
+Link: https://patch.msgid.link/20250401091713.2765724-12-maz@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pcie-apple.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pci/controller/pcie-apple.c b/drivers/pci/controller/pcie-apple.c
+index 2340dab6cd5bd..487d01f6b4f56 100644
+--- a/drivers/pci/controller/pcie-apple.c
++++ b/drivers/pci/controller/pcie-apple.c
+@@ -541,7 +541,7 @@ static int apple_pcie_setup_port(struct apple_pcie *pcie,
+ rmw_set(PORT_APPCLK_EN, port->base + PORT_APPCLK);
+
+ /* Assert PERST# before setting up the clock */
+- gpiod_set_value(reset, 1);
++ gpiod_set_value_cansleep(reset, 1);
+
+ ret = apple_pcie_setup_refclk(pcie, port);
+ if (ret < 0)
+@@ -552,7 +552,7 @@ static int apple_pcie_setup_port(struct apple_pcie *pcie,
+
+ /* Deassert PERST# */
+ rmw_set(PORT_PERST_OFF, port->base + PORT_PERST);
+- gpiod_set_value(reset, 0);
++ gpiod_set_value_cansleep(reset, 0);
+
+ /* Wait for 100ms after PERST# deassertion (PCIe r5.0, 6.6.1) */
+ msleep(100);
+--
+2.39.5
+
--- /dev/null
+From 2280f7335557662cca769904089b770b20fd797c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Apr 2025 21:30:58 +0800
+Subject: PCI: cadence: Fix runtime atomic count underflow
+
+From: Hans Zhang <18255117159@163.com>
+
+[ Upstream commit 8805f32a96d3b97cef07999fa6f52112678f7e65 ]
+
+If the call to pci_host_probe() in cdns_pcie_host_setup() fails, PM
+runtime count is decremented in the error path using pm_runtime_put_sync().
+But the runtime count is not incremented by this driver, but only by the
+callers (cdns_plat_pcie_probe/j721e_pcie_probe). And the callers also
+decrement the runtime PM count in their error path. So this leads to the
+below warning from the PM core:
+
+ "runtime PM usage count underflow!"
+
+So fix it by getting rid of pm_runtime_put_sync() in the error path and
+directly return the errno.
+
+Fixes: 49e427e6bdd1 ("Merge branch 'pci/host-probe-refactor'")
+Signed-off-by: Hans Zhang <18255117159@163.com>
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Link: https://patch.msgid.link/20250419133058.162048-1-18255117159@163.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/cadence/pcie-cadence-host.c | 11 +----------
+ 1 file changed, 1 insertion(+), 10 deletions(-)
+
+diff --git a/drivers/pci/controller/cadence/pcie-cadence-host.c b/drivers/pci/controller/cadence/pcie-cadence-host.c
+index 5b14f7ee3c798..0a1b11d41a38a 100644
+--- a/drivers/pci/controller/cadence/pcie-cadence-host.c
++++ b/drivers/pci/controller/cadence/pcie-cadence-host.c
+@@ -558,14 +558,5 @@ int cdns_pcie_host_setup(struct cdns_pcie_rc *rc)
+ if (!bridge->ops)
+ bridge->ops = &cdns_pcie_host_ops;
+
+- ret = pci_host_probe(bridge);
+- if (ret < 0)
+- goto err_init;
+-
+- return 0;
+-
+- err_init:
+- pm_runtime_put_sync(dev);
+-
+- return ret;
++ return pci_host_probe(bridge);
+ }
+--
+2.39.5
+
--- /dev/null
+From bf7c216639230adab93b0d2237de2a150fd239cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 May 2025 18:21:07 -0500
+Subject: PCI/DPC: Initialize aer_err_info before using it
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Bjorn Helgaas <bhelgaas@google.com>
+
+[ Upstream commit a424b598e6a6c1e69a2bb801d6fd16e805ab2c38 ]
+
+Previously the struct aer_err_info "info" was allocated on the stack
+without being initialized, so it contained junk except for the fields we
+explicitly set later.
+
+Initialize "info" at declaration so it starts as all zeros.
+
+Fixes: 8aefa9b0d910 ("PCI/DPC: Print AER status in DPC event handling")
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Tested-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Link: https://patch.msgid.link/20250522232339.1525671-2-helgaas@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pcie/dpc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pci/pcie/dpc.c b/drivers/pci/pcie/dpc.c
+index a5cec2a4e057d..3c3ecb9cf57af 100644
+--- a/drivers/pci/pcie/dpc.c
++++ b/drivers/pci/pcie/dpc.c
+@@ -263,7 +263,7 @@ static int dpc_get_aer_uncorrect_severity(struct pci_dev *dev,
+ void dpc_process_error(struct pci_dev *pdev)
+ {
+ u16 cap = pdev->dpc_cap, status, source, reason, ext_reason;
+- struct aer_err_info info;
++ struct aer_err_info info = {};
+
+ pci_read_config_word(pdev, cap + PCI_EXP_DPC_STATUS, &status);
+ pci_read_config_word(pdev, cap + PCI_EXP_DPC_SOURCE_ID, &source);
+--
+2.39.5
+
--- /dev/null
+From ba579d1bb72e6271cf354970db53b9f20d2f1ae7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Apr 2025 23:31:32 -0500
+Subject: PCI: Explicitly put devices into D0 when initializing
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit 4d4c10f763d7808fbade28d83d237411603bca05 ]
+
+AMD BIOS team has root caused an issue that NVMe storage failed to come
+back from suspend to a lack of a call to _REG when NVMe device was probed.
+
+112a7f9c8edbf ("PCI/ACPI: Call _REG when transitioning D-states") added
+support for calling _REG when transitioning D-states, but this only works
+if the device actually "transitions" D-states.
+
+967577b062417 ("PCI/PM: Keep runtime PM enabled for unbound PCI devices")
+added support for runtime PM on PCI devices, but never actually
+'explicitly' sets the device to D0.
+
+To make sure that devices are in D0 and that platform methods such as
+_REG are called, explicitly set all devices into D0 during initialization.
+
+Fixes: 967577b062417 ("PCI/PM: Keep runtime PM enabled for unbound PCI devices")
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Tested-by: Denis Benato <benato.denis96@gmail.com>
+Tested-By: Yijun Shen <Yijun_Shen@Dell.com>
+Tested-By: David Perry <david.perry@amd.com>
+Reviewed-by: Rafael J. Wysocki <rafael@kernel.org>
+Link: https://patch.msgid.link/20250424043232.1848107-1-superm1@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pci-driver.c | 6 ------
+ drivers/pci/pci.c | 13 ++++++++++---
+ drivers/pci/pci.h | 1 +
+ 3 files changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c
+index 18e973a91a979..2b04d2d6c116a 100644
+--- a/drivers/pci/pci-driver.c
++++ b/drivers/pci/pci-driver.c
+@@ -564,12 +564,6 @@ static void pci_pm_default_resume(struct pci_dev *pci_dev)
+ pci_enable_wake(pci_dev, PCI_D0, false);
+ }
+
+-static void pci_pm_power_up_and_verify_state(struct pci_dev *pci_dev)
+-{
+- pci_power_up(pci_dev);
+- pci_update_current_state(pci_dev, PCI_D0);
+-}
+-
+ static void pci_pm_default_resume_early(struct pci_dev *pci_dev)
+ {
+ pci_pm_power_up_and_verify_state(pci_dev);
+diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
+index 10436a193b3b6..19c9214acfb81 100644
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -3181,6 +3181,12 @@ void pci_d3cold_disable(struct pci_dev *dev)
+ }
+ EXPORT_SYMBOL_GPL(pci_d3cold_disable);
+
++void pci_pm_power_up_and_verify_state(struct pci_dev *pci_dev)
++{
++ pci_power_up(pci_dev);
++ pci_update_current_state(pci_dev, PCI_D0);
++}
++
+ /**
+ * pci_pm_init - Initialize PM functions of given PCI device
+ * @dev: PCI device to handle.
+@@ -3191,9 +3197,6 @@ void pci_pm_init(struct pci_dev *dev)
+ u16 status;
+ u16 pmc;
+
+- pm_runtime_forbid(&dev->dev);
+- pm_runtime_set_active(&dev->dev);
+- pm_runtime_enable(&dev->dev);
+ device_enable_async_suspend(&dev->dev);
+ dev->wakeup_prepared = false;
+
+@@ -3255,6 +3258,10 @@ void pci_pm_init(struct pci_dev *dev)
+ pci_read_config_word(dev, PCI_STATUS, &status);
+ if (status & PCI_STATUS_IMM_READY)
+ dev->imm_ready = 1;
++ pci_pm_power_up_and_verify_state(dev);
++ pm_runtime_forbid(&dev->dev);
++ pm_runtime_set_active(&dev->dev);
++ pm_runtime_enable(&dev->dev);
+ }
+
+ static unsigned long pci_ea_flags(struct pci_dev *dev, u8 prop)
+diff --git a/drivers/pci/pci.h b/drivers/pci/pci.h
+index 38ad75ce52c32..70b7fd7a0fc7c 100644
+--- a/drivers/pci/pci.h
++++ b/drivers/pci/pci.h
+@@ -87,6 +87,7 @@ void pci_dev_adjust_pme(struct pci_dev *dev);
+ void pci_dev_complete_resume(struct pci_dev *pci_dev);
+ void pci_config_pm_runtime_get(struct pci_dev *dev);
+ void pci_config_pm_runtime_put(struct pci_dev *dev);
++void pci_pm_power_up_and_verify_state(struct pci_dev *pci_dev);
+ void pci_pm_init(struct pci_dev *dev);
+ void pci_ea_init(struct pci_dev *dev);
+ void pci_msi_init(struct pci_dev *dev);
+--
+2.39.5
+
--- /dev/null
+From 49b378c0fdfb416eacbac1025bb5b02d5e97d424 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Apr 2025 11:37:20 -0300
+Subject: perf build: Warn when libdebuginfod devel files are not available
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit 4fce4b91fd1aabb326c46e237eb4b19ab72598f8 ]
+
+While working on 'perf version --build-options' I noticed that:
+
+ $ perf version --build-options
+ perf version 6.15.rc1.g312a07a00d31
+ aio: [ on ] # HAVE_AIO_SUPPORT
+ bpf: [ on ] # HAVE_LIBBPF_SUPPORT
+ bpf_skeletons: [ on ] # HAVE_BPF_SKEL
+ debuginfod: [ OFF ] # HAVE_DEBUGINFOD_SUPPORT
+ <SNIP>
+
+And looking at tools/perf/Makefile.config I also noticed that it is not
+opt-in, meaning we will attempt to build with it in all normal cases.
+
+So add the usual warning at build time to let the user know that
+something recommended is missing, now we see:
+
+ Makefile.config:563: No elfutils/debuginfod.h found, no debuginfo server support, please install elfutils-debuginfod-client-devel or equivalent
+
+And after following the recommendation:
+
+ $ perf check feature debuginfod
+ debuginfod: [ on ] # HAVE_DEBUGINFOD_SUPPORT
+ $ ldd ~/bin/perf | grep debuginfo
+ libdebuginfod.so.1 => /lib64/libdebuginfod.so.1 (0x00007fee5cf5f000)
+ $
+
+With this feature on several perf tools will fetch what is needed and
+not require all the contents of the debuginfo packages, for instance:
+
+ # rpm -qa | grep kernel-debuginfo
+ # pahole --running_kernel_vmlinux
+ pahole: couldn't find a vmlinux that matches the running kernel
+ HINT: Maybe you're inside a container or missing a debuginfo package?
+ #
+ # perf trace -e open* perf probe --vars icmp_rcv
+ 0.000 ( 0.005 ms): perf/97391 openat(dfd: CWD, filename: "/etc/ld.so.cache", flags: RDONLY|CLOEXEC) = 3
+ 0.014 ( 0.004 ms): perf/97391 openat(dfd: CWD, filename: "/lib64/libm.so.6", flags: RDONLY|CLOEXEC) = 3
+ <SNIP>
+ 32130.100 ( 0.008 ms): perf/97391 openat(dfd: CWD, filename: "/root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo") = 3
+ <SNIP>
+ Available variables at icmp_rcv
+ @<icmp_rcv+0>
+ struct sk_buff* skb
+ <SNIP>
+ #
+ # pahole --running_kernel_vmlinux
+ /root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo
+ # file /root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo
+ /root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=aa3c82b4a13f9c0e0301bebb20fe958c4db6f362, with debug_info, not stripped
+ # ls -la /root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo
+ -r--------. 1 root root 475401512 Mar 27 21:00 /root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo
+ #
+
+Then, cached:
+
+ # perf stat --null perf probe --vars icmp_rcv
+ Available variables at icmp_rcv
+ @<icmp_rcv+0>
+ struct sk_buff* skb
+
+ Performance counter stats for 'perf probe --vars icmp_rcv':
+
+ 0.671389041 seconds time elapsed
+
+ 0.519176000 seconds user
+ 0.150860000 seconds sys
+
+Fixes: c7a14fdcb3fa7736 ("perf build-ids: Fall back to debuginfod query if debuginfo not found")
+Tested-by: Ingo Molnar <mingo@kernel.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Dmitriy Vyukov <dvyukov@google.com>
+Cc: Howard Chu <howardchu95@gmail.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Frank Ch. Eigler <fche@redhat.com>
+Link: https://lore.kernel.org/r/Z_dkNDj9EPFwPqq1@gmail.com
+[ Folded patch from Ingo to have the debian/ubuntu devel package added build warning message ]
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/Makefile.config | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/perf/Makefile.config b/tools/perf/Makefile.config
+index fac6ba07eacdb..249f3d8415634 100644
+--- a/tools/perf/Makefile.config
++++ b/tools/perf/Makefile.config
+@@ -545,6 +545,8 @@ ifndef NO_LIBELF
+ ifeq ($(feature-libdebuginfod), 1)
+ CFLAGS += -DHAVE_DEBUGINFOD_SUPPORT
+ EXTLIBS += -ldebuginfod
++ else
++ $(warning No elfutils/debuginfod.h found, no debuginfo server support, please install libdebuginfod-dev/elfutils-debuginfod-client-devel or equivalent)
+ endif
+ endif
+
+--
+2.39.5
+
--- /dev/null
+From e198704d2b433465662705f45ac3c7c759873da3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Apr 2025 22:16:35 +0800
+Subject: perf/core: Fix broken throttling when max_samples_per_tick=1
+
+From: Qing Wang <wangqing7171@gmail.com>
+
+[ Upstream commit f51972e6f8b9a737b2b3eb588069acb538fa72de ]
+
+According to the throttling mechanism, the pmu interrupts number can not
+exceed the max_samples_per_tick in one tick. But this mechanism is
+ineffective when max_samples_per_tick=1, because the throttling check is
+skipped during the first interrupt and only performed when the second
+interrupt arrives.
+
+Perhaps this bug may cause little influence in one tick, but if in a
+larger time scale, the problem can not be underestimated.
+
+When max_samples_per_tick = 1:
+Allowed-interrupts-per-second max-samples-per-second default-HZ ARCH
+200 100 100 X86
+500 250 250 ARM64
+...
+Obviously, the pmu interrupt number far exceed the user's expect.
+
+Fixes: e050e3f0a71b ("perf: Fix broken interrupt rate throttling")
+Signed-off-by: Qing Wang <wangqing7171@gmail.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/20250405141635.243786-3-wangqing7171@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/events/core.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index 552bb00bfceb0..3544f26b58060 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -9359,14 +9359,14 @@ __perf_event_account_interrupt(struct perf_event *event, int throttle)
+ hwc->interrupts = 1;
+ } else {
+ hwc->interrupts++;
+- if (unlikely(throttle &&
+- hwc->interrupts > max_samples_per_tick)) {
+- __this_cpu_inc(perf_throttled_count);
+- tick_dep_set_cpu(smp_processor_id(), TICK_DEP_BIT_PERF_EVENTS);
+- hwc->interrupts = MAX_INTERRUPTS;
+- perf_log_throttle(event, 0);
+- ret = 1;
+- }
++ }
++
++ if (unlikely(throttle && hwc->interrupts >= max_samples_per_tick)) {
++ __this_cpu_inc(perf_throttled_count);
++ tick_dep_set_cpu(smp_processor_id(), TICK_DEP_BIT_PERF_EVENTS);
++ hwc->interrupts = MAX_INTERRUPTS;
++ perf_log_throttle(event, 0);
++ ret = 1;
+ }
+
+ if (event->attr.freq) {
+--
+2.39.5
+
--- /dev/null
+From 5741a39aa45a67661f2f49bccc921cf4afde4b0a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 May 2025 12:39:30 +0300
+Subject: perf intel-pt: Fix PEBS-via-PT data_src
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+[ Upstream commit e00eac6b5b6d956f38d8880c44bf7fd9954063c3 ]
+
+The Fixes commit did not add support for decoding PEBS-via-PT data_src.
+Fix by adding support.
+
+PEBS-via-PT is a feature of some E-core processors, starting with
+processors based on Tremont microarchitecture. Because the kernel only
+supports Intel PT features that are on all processors, there is no support
+for PEBS-via-PT on hybrids.
+
+Currently that leaves processors based on Tremont, Gracemont and Crestmont,
+however there are no events on Tremont that produce data_src information,
+and for Gracemont and Crestmont there are only:
+
+ mem-loads event=0xd0,umask=0x5,ldlat=3
+ mem-stores event=0xd0,umask=0x6
+
+Affected processors include Alder Lake N (Gracemont), Sierra Forest
+(Crestmont) and Grand Ridge (Crestmont).
+
+Example:
+
+ # perf record -d -e intel_pt/branch=0/ -e mem-loads/aux-output/pp uname
+
+ Before:
+
+ # perf.before script --itrace=o -Fdata_src
+ 0 |OP No|LVL N/A|SNP N/A|TLB N/A|LCK No|BLK N/A
+ 0 |OP No|LVL N/A|SNP N/A|TLB N/A|LCK No|BLK N/A
+
+ After:
+
+ # perf script --itrace=o -Fdata_src
+ 10268100142 |OP LOAD|LVL L1 hit|SNP None|TLB L1 or L2 hit|LCK No|BLK N/A
+ 10450100442 |OP LOAD|LVL L2 hit|SNP None|TLB L2 miss|LCK No|BLK N/A
+
+Fixes: 975846eddf907297 ("perf intel-pt: Add memory information to synthesized PEBS sample")
+Reviewed-by: Kan Liang <kan.liang@linux.intel.com>
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: https://lore.kernel.org/r/20250512093932.79854-2-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/intel-pt.c | 205 ++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 202 insertions(+), 3 deletions(-)
+
+diff --git a/tools/perf/util/intel-pt.c b/tools/perf/util/intel-pt.c
+index bd09af447eb0d..018eaddd4e6af 100644
+--- a/tools/perf/util/intel-pt.c
++++ b/tools/perf/util/intel-pt.c
+@@ -122,6 +122,7 @@ struct intel_pt {
+
+ bool single_pebs;
+ bool sample_pebs;
++ int pebs_data_src_fmt;
+ struct evsel *pebs_evsel;
+
+ u64 evt_sample_type;
+@@ -170,6 +171,7 @@ enum switch_state {
+ struct intel_pt_pebs_event {
+ struct evsel *evsel;
+ u64 id;
++ int data_src_fmt;
+ };
+
+ struct intel_pt_queue {
+@@ -2176,7 +2178,146 @@ static void intel_pt_add_lbrs(struct branch_stack *br_stack,
+ }
+ }
+
+-static int intel_pt_do_synth_pebs_sample(struct intel_pt_queue *ptq, struct evsel *evsel, u64 id)
++#define P(a, b) PERF_MEM_S(a, b)
++#define OP_LH (P(OP, LOAD) | P(LVL, HIT))
++#define LEVEL(x) P(LVLNUM, x)
++#define REM P(REMOTE, REMOTE)
++#define SNOOP_NONE_MISS (P(SNOOP, NONE) | P(SNOOP, MISS))
++
++#define PERF_PEBS_DATA_SOURCE_GRT_MAX 0x10
++#define PERF_PEBS_DATA_SOURCE_GRT_MASK (PERF_PEBS_DATA_SOURCE_GRT_MAX - 1)
++
++/* Based on kernel __intel_pmu_pebs_data_source_grt() and pebs_data_source */
++static const u64 pebs_data_source_grt[PERF_PEBS_DATA_SOURCE_GRT_MAX] = {
++ P(OP, LOAD) | P(LVL, MISS) | LEVEL(L3) | P(SNOOP, NA), /* L3 miss|SNP N/A */
++ OP_LH | P(LVL, L1) | LEVEL(L1) | P(SNOOP, NONE), /* L1 hit|SNP None */
++ OP_LH | P(LVL, LFB) | LEVEL(LFB) | P(SNOOP, NONE), /* LFB/MAB hit|SNP None */
++ OP_LH | P(LVL, L2) | LEVEL(L2) | P(SNOOP, NONE), /* L2 hit|SNP None */
++ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, NONE), /* L3 hit|SNP None */
++ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, HIT), /* L3 hit|SNP Hit */
++ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, HITM), /* L3 hit|SNP HitM */
++ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, HITM), /* L3 hit|SNP HitM */
++ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOPX, FWD), /* L3 hit|SNP Fwd */
++ OP_LH | P(LVL, REM_CCE1) | REM | LEVEL(L3) | P(SNOOP, HITM), /* Remote L3 hit|SNP HitM */
++ OP_LH | P(LVL, LOC_RAM) | LEVEL(RAM) | P(SNOOP, HIT), /* RAM hit|SNP Hit */
++ OP_LH | P(LVL, REM_RAM1) | REM | LEVEL(L3) | P(SNOOP, HIT), /* Remote L3 hit|SNP Hit */
++ OP_LH | P(LVL, LOC_RAM) | LEVEL(RAM) | SNOOP_NONE_MISS, /* RAM hit|SNP None or Miss */
++ OP_LH | P(LVL, REM_RAM1) | LEVEL(RAM) | REM | SNOOP_NONE_MISS, /* Remote RAM hit|SNP None or Miss */
++ OP_LH | P(LVL, IO) | LEVEL(NA) | P(SNOOP, NONE), /* I/O hit|SNP None */
++ OP_LH | P(LVL, UNC) | LEVEL(NA) | P(SNOOP, NONE), /* Uncached hit|SNP None */
++};
++
++/* Based on kernel __intel_pmu_pebs_data_source_cmt() and pebs_data_source */
++static const u64 pebs_data_source_cmt[PERF_PEBS_DATA_SOURCE_GRT_MAX] = {
++ P(OP, LOAD) | P(LVL, MISS) | LEVEL(L3) | P(SNOOP, NA), /* L3 miss|SNP N/A */
++ OP_LH | P(LVL, L1) | LEVEL(L1) | P(SNOOP, NONE), /* L1 hit|SNP None */
++ OP_LH | P(LVL, LFB) | LEVEL(LFB) | P(SNOOP, NONE), /* LFB/MAB hit|SNP None */
++ OP_LH | P(LVL, L2) | LEVEL(L2) | P(SNOOP, NONE), /* L2 hit|SNP None */
++ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, NONE), /* L3 hit|SNP None */
++ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, MISS), /* L3 hit|SNP Hit */
++ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, HIT), /* L3 hit|SNP HitM */
++ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOPX, FWD), /* L3 hit|SNP HitM */
++ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, HITM), /* L3 hit|SNP Fwd */
++ OP_LH | P(LVL, REM_CCE1) | REM | LEVEL(L3) | P(SNOOP, HITM), /* Remote L3 hit|SNP HitM */
++ OP_LH | P(LVL, LOC_RAM) | LEVEL(RAM) | P(SNOOP, NONE), /* RAM hit|SNP Hit */
++ OP_LH | LEVEL(RAM) | REM | P(SNOOP, NONE), /* Remote L3 hit|SNP Hit */
++ OP_LH | LEVEL(RAM) | REM | P(SNOOPX, FWD), /* RAM hit|SNP None or Miss */
++ OP_LH | LEVEL(RAM) | REM | P(SNOOP, HITM), /* Remote RAM hit|SNP None or Miss */
++ OP_LH | P(LVL, IO) | LEVEL(NA) | P(SNOOP, NONE), /* I/O hit|SNP None */
++ OP_LH | P(LVL, UNC) | LEVEL(NA) | P(SNOOP, NONE), /* Uncached hit|SNP None */
++};
++
++/* Based on kernel pebs_set_tlb_lock() */
++static inline void pebs_set_tlb_lock(u64 *val, bool tlb, bool lock)
++{
++ /*
++ * TLB access
++ * 0 = did not miss 2nd level TLB
++ * 1 = missed 2nd level TLB
++ */
++ if (tlb)
++ *val |= P(TLB, MISS) | P(TLB, L2);
++ else
++ *val |= P(TLB, HIT) | P(TLB, L1) | P(TLB, L2);
++
++ /* locked prefix */
++ if (lock)
++ *val |= P(LOCK, LOCKED);
++}
++
++/* Based on kernel __grt_latency_data() */
++static u64 intel_pt_grt_latency_data(u8 dse, bool tlb, bool lock, bool blk,
++ const u64 *pebs_data_source)
++{
++ u64 val;
++
++ dse &= PERF_PEBS_DATA_SOURCE_GRT_MASK;
++ val = pebs_data_source[dse];
++
++ pebs_set_tlb_lock(&val, tlb, lock);
++
++ if (blk)
++ val |= P(BLK, DATA);
++ else
++ val |= P(BLK, NA);
++
++ return val;
++}
++
++/* Default value for data source */
++#define PERF_MEM_NA (PERF_MEM_S(OP, NA) |\
++ PERF_MEM_S(LVL, NA) |\
++ PERF_MEM_S(SNOOP, NA) |\
++ PERF_MEM_S(LOCK, NA) |\
++ PERF_MEM_S(TLB, NA) |\
++ PERF_MEM_S(LVLNUM, NA))
++
++enum DATA_SRC_FORMAT {
++ DATA_SRC_FORMAT_ERR = -1,
++ DATA_SRC_FORMAT_NA = 0,
++ DATA_SRC_FORMAT_GRT = 1,
++ DATA_SRC_FORMAT_CMT = 2,
++};
++
++/* Based on kernel grt_latency_data() and cmt_latency_data */
++static u64 intel_pt_get_data_src(u64 mem_aux_info, int data_src_fmt)
++{
++ switch (data_src_fmt) {
++ case DATA_SRC_FORMAT_GRT: {
++ union {
++ u64 val;
++ struct {
++ unsigned int dse:4;
++ unsigned int locked:1;
++ unsigned int stlb_miss:1;
++ unsigned int fwd_blk:1;
++ unsigned int reserved:25;
++ };
++ } x = {.val = mem_aux_info};
++ return intel_pt_grt_latency_data(x.dse, x.stlb_miss, x.locked, x.fwd_blk,
++ pebs_data_source_grt);
++ }
++ case DATA_SRC_FORMAT_CMT: {
++ union {
++ u64 val;
++ struct {
++ unsigned int dse:5;
++ unsigned int locked:1;
++ unsigned int stlb_miss:1;
++ unsigned int fwd_blk:1;
++ unsigned int reserved:24;
++ };
++ } x = {.val = mem_aux_info};
++ return intel_pt_grt_latency_data(x.dse, x.stlb_miss, x.locked, x.fwd_blk,
++ pebs_data_source_cmt);
++ }
++ default:
++ return PERF_MEM_NA;
++ }
++}
++
++static int intel_pt_do_synth_pebs_sample(struct intel_pt_queue *ptq, struct evsel *evsel,
++ u64 id, int data_src_fmt)
+ {
+ const struct intel_pt_blk_items *items = &ptq->state->items;
+ struct perf_sample sample = { .ip = 0, };
+@@ -2294,6 +2435,18 @@ static int intel_pt_do_synth_pebs_sample(struct intel_pt_queue *ptq, struct evse
+ }
+ }
+
++ if (sample_type & PERF_SAMPLE_DATA_SRC) {
++ if (items->has_mem_aux_info && data_src_fmt) {
++ if (data_src_fmt < 0) {
++ pr_err("Intel PT missing data_src info\n");
++ return -1;
++ }
++ sample.data_src = intel_pt_get_data_src(items->mem_aux_info, data_src_fmt);
++ } else {
++ sample.data_src = PERF_MEM_NA;
++ }
++ }
++
+ if (sample_type & PERF_SAMPLE_TRANSACTION && items->has_tsx_aux_info) {
+ u64 ax = items->has_rax ? items->rax : 0;
+ /* Refer kernel's intel_hsw_transaction() */
+@@ -2312,9 +2465,10 @@ static int intel_pt_synth_single_pebs_sample(struct intel_pt_queue *ptq)
+ {
+ struct intel_pt *pt = ptq->pt;
+ struct evsel *evsel = pt->pebs_evsel;
++ int data_src_fmt = pt->pebs_data_src_fmt;
+ u64 id = evsel->core.id[0];
+
+- return intel_pt_do_synth_pebs_sample(ptq, evsel, id);
++ return intel_pt_do_synth_pebs_sample(ptq, evsel, id, data_src_fmt);
+ }
+
+ static int intel_pt_synth_pebs_sample(struct intel_pt_queue *ptq)
+@@ -2339,7 +2493,7 @@ static int intel_pt_synth_pebs_sample(struct intel_pt_queue *ptq)
+ hw_id);
+ return intel_pt_synth_single_pebs_sample(ptq);
+ }
+- err = intel_pt_do_synth_pebs_sample(ptq, pe->evsel, pe->id);
++ err = intel_pt_do_synth_pebs_sample(ptq, pe->evsel, pe->id, pe->data_src_fmt);
+ if (err)
+ return err;
+ }
+@@ -3290,6 +3444,49 @@ static int intel_pt_process_itrace_start(struct intel_pt *pt,
+ event->itrace_start.tid);
+ }
+
++/*
++ * Events with data_src are identified by L1_Hit_Indication
++ * refer https://github.com/intel/perfmon
++ */
++static int intel_pt_data_src_fmt(struct intel_pt *pt, struct evsel *evsel)
++{
++ struct perf_env *env = pt->machine->env;
++ int fmt = DATA_SRC_FORMAT_NA;
++
++ if (!env->cpuid)
++ return DATA_SRC_FORMAT_ERR;
++
++ /*
++ * PEBS-via-PT is only supported on E-core non-hybrid. Of those only
++ * Gracemont and Crestmont have data_src. Check for:
++ * Alderlake N (Gracemont)
++ * Sierra Forest (Crestmont)
++ * Grand Ridge (Crestmont)
++ */
++
++ if (!strncmp(env->cpuid, "GenuineIntel,6,190,", 19))
++ fmt = DATA_SRC_FORMAT_GRT;
++
++ if (!strncmp(env->cpuid, "GenuineIntel,6,175,", 19) ||
++ !strncmp(env->cpuid, "GenuineIntel,6,182,", 19))
++ fmt = DATA_SRC_FORMAT_CMT;
++
++ if (fmt == DATA_SRC_FORMAT_NA)
++ return fmt;
++
++ /*
++ * Only data_src events are:
++ * mem-loads event=0xd0,umask=0x5
++ * mem-stores event=0xd0,umask=0x6
++ */
++ if (evsel->core.attr.type == PERF_TYPE_RAW &&
++ ((evsel->core.attr.config & 0xffff) == 0x5d0 ||
++ (evsel->core.attr.config & 0xffff) == 0x6d0))
++ return fmt;
++
++ return DATA_SRC_FORMAT_NA;
++}
++
+ static int intel_pt_process_aux_output_hw_id(struct intel_pt *pt,
+ union perf_event *event,
+ struct perf_sample *sample)
+@@ -3310,6 +3507,7 @@ static int intel_pt_process_aux_output_hw_id(struct intel_pt *pt,
+
+ ptq->pebs[hw_id].evsel = evsel;
+ ptq->pebs[hw_id].id = sample->id;
++ ptq->pebs[hw_id].data_src_fmt = intel_pt_data_src_fmt(pt, evsel);
+
+ return 0;
+ }
+@@ -3855,6 +4053,7 @@ static void intel_pt_setup_pebs_events(struct intel_pt *pt)
+ }
+ pt->single_pebs = true;
+ pt->sample_pebs = true;
++ pt->pebs_data_src_fmt = intel_pt_data_src_fmt(pt, evsel);
+ pt->pebs_evsel = evsel;
+ }
+ }
+--
+2.39.5
+
--- /dev/null
+From 78fb0050d76ba9ccb3ae5524dfc0e585201627b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Apr 2025 06:08:10 +0000
+Subject: perf record: Fix incorrect --user-regs comments
+
+From: Dapeng Mi <dapeng1.mi@linux.intel.com>
+
+[ Upstream commit a4a859eb6704a8aa46aa1cec5396c8d41383a26b ]
+
+The comment of "--user-regs" option is not correct, fix it.
+
+"on interrupt," -> "in user space,"
+
+Fixes: 84c417422798c897 ("perf record: Support direct --user-regs arguments")
+Reviewed-by: Ian Rogers <irogers@google.com>
+Signed-off-by: Dapeng Mi <dapeng1.mi@linux.intel.com>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20250403060810.196028-1-dapeng1.mi@linux.intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-record.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/builtin-record.c b/tools/perf/builtin-record.c
+index ee3a5c4b8251e..a257a30a42efd 100644
+--- a/tools/perf/builtin-record.c
++++ b/tools/perf/builtin-record.c
+@@ -3438,7 +3438,7 @@ static struct option __record_options[] = {
+ "sample selected machine registers on interrupt,"
+ " use '-I?' to list register names", parse_intr_regs),
+ OPT_CALLBACK_OPTARG(0, "user-regs", &record.opts.sample_user_regs, NULL, "any register",
+- "sample selected machine registers on interrupt,"
++ "sample selected machine registers in user space,"
+ " use '--user-regs=?' to list register names", parse_user_regs),
+ OPT_BOOLEAN(0, "running-time", &record.opts.running_time,
+ "Record running/enabled time of read (:S) events"),
+--
+2.39.5
+
--- /dev/null
+From 1b1554bb33211f9c729f5b4ddb2a300318866026 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 May 2025 12:39:32 +0300
+Subject: perf scripts python: exported-sql-viewer.py: Fix pattern matching
+ with Python 3
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+[ Upstream commit 17e548405a81665fd14cee960db7d093d1396400 ]
+
+The script allows the user to enter patterns to find symbols.
+
+The pattern matching characters are converted for use in SQL.
+
+For PostgreSQL the conversion involves using the Python maketrans()
+method which is slightly different in Python 3 compared with Python 2.
+
+Fix to work in Python 3.
+
+Fixes: beda0e725e5f06ac ("perf script python: Add Python3 support to exported-sql-viewer.py")
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Tony Jones <tonyj@suse.de>
+Link: https://lore.kernel.org/r/20250512093932.79854-4-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/scripts/python/exported-sql-viewer.py | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/scripts/python/exported-sql-viewer.py b/tools/perf/scripts/python/exported-sql-viewer.py
+index 13f2d8a816109..99742013676b3 100755
+--- a/tools/perf/scripts/python/exported-sql-viewer.py
++++ b/tools/perf/scripts/python/exported-sql-viewer.py
+@@ -680,7 +680,10 @@ class CallGraphModelBase(TreeModel):
+ s = value.replace("%", "\%")
+ s = s.replace("_", "\_")
+ # Translate * and ? into SQL LIKE pattern characters % and _
+- trans = string.maketrans("*?", "%_")
++ if sys.version_info[0] == 3:
++ trans = str.maketrans("*?", "%_")
++ else:
++ trans = string.maketrans("*?", "%_")
+ match = " LIKE '" + str(s).translate(trans) + "'"
+ else:
+ match = " GLOB '" + str(value) + "'"
+--
+2.39.5
+
--- /dev/null
+From aada34959608d9493d54ab15296eacf00a8b782f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 Mar 2025 18:27:59 +0100
+Subject: perf tests switch-tracking: Fix timestamp comparison
+
+From: Leo Yan <leo.yan@arm.com>
+
+[ Upstream commit 628e124404b3db5e10e17228e680a2999018ab33 ]
+
+The test might fail on the Arm64 platform with the error:
+
+ # perf test -vvv "Track with sched_switch"
+ Missing sched_switch events
+ #
+
+The issue is caused by incorrect handling of timestamp comparisons. The
+comparison result, a signed 64-bit value, was being directly cast to an
+int, leading to incorrect sorting for sched events.
+
+The case does not fail everytime, usually I can trigger the failure
+after run 20 ~ 30 times:
+
+ # while true; do perf test "Track with sched_switch"; done
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : FAILED!
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : FAILED!
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+
+I used cross compiler to build Perf tool on my host machine and tested on
+Debian / Juno board. Generally, I think this issue is not very specific
+to GCC versions. As both internal CI and my local env can reproduce the
+issue.
+
+My Host Build compiler:
+
+ # aarch64-linux-gnu-gcc --version
+ aarch64-linux-gnu-gcc (Ubuntu 13.3.0-6ubuntu2~24.04) 13.3.0
+
+Juno Board:
+
+ # lsb_release -a
+ No LSB modules are available.
+ Distributor ID: Debian
+ Description: Debian GNU/Linux 12 (bookworm)
+ Release: 12
+ Codename: bookworm
+
+Fix this by explicitly returning 0, 1, or -1 based on whether the result
+is zero, positive, or negative.
+
+Fixes: d44bc558297222d9 ("perf tests: Add a test for tracking with sched_switch")
+Reviewed-by: Ian Rogers <irogers@google.com>
+Signed-off-by: Leo Yan <leo.yan@arm.com>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: James Clark <james.clark@linaro.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: https://lore.kernel.org/r/20250331172759.115604-1-leo.yan@arm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/tests/switch-tracking.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/tests/switch-tracking.c b/tools/perf/tests/switch-tracking.c
+index 87f565c7f650d..db6c61424badf 100644
+--- a/tools/perf/tests/switch-tracking.c
++++ b/tools/perf/tests/switch-tracking.c
+@@ -257,7 +257,7 @@ static int compar(const void *a, const void *b)
+ const struct event_node *nodeb = b;
+ s64 cmp = nodea->event_time - nodeb->event_time;
+
+- return cmp;
++ return cmp < 0 ? -1 : (cmp > 0 ? 1 : 0);
+ }
+
+ static int process_events(struct evlist *evlist,
+--
+2.39.5
+
--- /dev/null
+From 08bb21bfd931b13b377cbb2d5fde18c7d69bf0a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Apr 2025 21:58:19 -0300
+Subject: perf ui browser hists: Set actions->thread before calling
+ do_zoom_thread()
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit 1741189d843a1d5ef38538bc52a3760e2e46cb2e ]
+
+In 7cecb7fe8388d5c3 ("perf hists: Move sort__has_comm into struct
+perf_hpp_list") it assumes that act->thread is set prior to calling
+do_zoom_thread().
+
+This doesn't happen when we use ESC or the Left arrow key to Zoom out of
+a specific thread, making this operation not to work and we get stuck
+into the thread zoom.
+
+In 6422184b087ff435 ("perf hists browser: Simplify zooming code using
+pstack_peek()") it says no need to set actions->thread, and at that
+point that was true, but in 7cecb7fe8388d5c3 a actions->thread == NULL
+check was added before the zoom out of thread could kick in.
+
+We can zoom out using the alternative 't' thread zoom toggle hotkey to
+finally set actions->thread before calling do_zoom_thread() and zoom
+out, but lets also fix the ESC/Zoom out of thread case.
+
+Fixes: 7cecb7fe8388d5c3 ("perf hists: Move sort__has_comm into struct perf_hpp_list")
+Reported-by: Ingo Molnar <mingo@kernel.org>
+Tested-by: Ingo Molnar <mingo@kernel.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: James Clark <james.clark@linaro.org>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: https://lore.kernel.org/r/Z_TYux5fUg2pW-pF@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/ui/browsers/hists.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/ui/browsers/hists.c b/tools/perf/ui/browsers/hists.c
+index fd3e67d2c6bdd..a68d3ee1769d6 100644
+--- a/tools/perf/ui/browsers/hists.c
++++ b/tools/perf/ui/browsers/hists.c
+@@ -3238,10 +3238,10 @@ static int evsel__hists_browse(struct evsel *evsel, int nr_events, const char *h
+ /*
+ * No need to set actions->dso here since
+ * it's just to remove the current filter.
+- * Ditto for thread below.
+ */
+ do_zoom_dso(browser, actions);
+ } else if (top == &browser->hists->thread_filter) {
++ actions->thread = thread;
+ do_zoom_thread(browser, actions);
+ } else if (top == &browser->hists->socket_filter) {
+ do_zoom_socket(browser, actions);
+--
+2.39.5
+
--- /dev/null
+From 264435c1ed9375b812224150b618149f2b178ae6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Apr 2025 07:50:50 -0500
+Subject: phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug
+
+From: Chenyuan Yang <chenyuan0y@gmail.com>
+
+[ Upstream commit d14402a38c2d868cacb1facaf9be908ca6558e59 ]
+
+The qmp_usb_iomap() helper function currently returns the raw result of
+devm_ioremap() for non-exclusive mappings. Since devm_ioremap() may return
+a NULL pointer and the caller only checks error pointers with IS_ERR(),
+NULL could bypass the check and lead to an invalid dereference.
+
+Fix the issue by checking if devm_ioremap() returns NULL. When it does,
+qmp_usb_iomap() now returns an error pointer via IOMEM_ERR_PTR(-ENOMEM),
+ensuring safe and consistent error handling.
+
+Signed-off-by: Chenyuan Yang <chenyuan0y@gmail.com>
+Fixes: a5d6b1ac56cb ("phy: qcom-qmp-usb: fix memleak on probe deferral")
+CC: Johan Hovold <johan@kernel.org>
+CC: Krzysztof Kozlowski <krzk@kernel.org>
+Reviewed-by: Johan Hovold <johan+linaro@kernel.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250414125050.2118619-1-chenyuan0y@gmail.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/qualcomm/phy-qcom-qmp-usb.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/phy/qualcomm/phy-qcom-qmp-usb.c b/drivers/phy/qualcomm/phy-qcom-qmp-usb.c
+index 605591314f256..a85bb0e1cd8c8 100644
+--- a/drivers/phy/qualcomm/phy-qcom-qmp-usb.c
++++ b/drivers/phy/qualcomm/phy-qcom-qmp-usb.c
+@@ -2428,12 +2428,16 @@ static void __iomem *qmp_usb_iomap(struct device *dev, struct device_node *np,
+ int index, bool exclusive)
+ {
+ struct resource res;
++ void __iomem *mem;
+
+ if (!exclusive) {
+ if (of_address_to_resource(np, index, &res))
+ return IOMEM_ERR_PTR(-EINVAL);
+
+- return devm_ioremap(dev, res.start, resource_size(&res));
++ mem = devm_ioremap(dev, res.start, resource_size(&res));
++ if (!mem)
++ return IOMEM_ERR_PTR(-ENOMEM);
++ return mem;
+ }
+
+ return devm_of_iomap(dev, np, index, NULL);
+--
+2.39.5
+
--- /dev/null
+From 5cdc5d434aebcbb69fe07bdccc24ea833c8fd95a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 May 2025 23:08:07 +0300
+Subject: pinctrl: at91: Fix possible out-of-boundary access
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 762ef7d1e6eefad9896560bfcb9bcf7f1b6df9c1 ]
+
+at91_gpio_probe() doesn't check that given OF alias is not available or
+something went wrong when trying to get it. This might have consequences
+when accessing gpio_chips array with that value as an index. Note, that
+BUG() can be compiled out and hence won't actually perform the required
+checks.
+
+Fixes: 6732ae5cb47c ("ARM: at91: add pinctrl support")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Closes: https://lore.kernel.org/r/202505052343.UHF1Zo93-lkp@intel.com/
+Link: https://lore.kernel.org/20250508200807.1384558-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-at91.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/pinctrl-at91.c b/drivers/pinctrl/pinctrl-at91.c
+index 333f9d70c7f48..b82368ec59f4c 100644
+--- a/drivers/pinctrl/pinctrl-at91.c
++++ b/drivers/pinctrl/pinctrl-at91.c
+@@ -1812,12 +1812,16 @@ static int at91_gpio_probe(struct platform_device *pdev)
+ struct at91_gpio_chip *at91_chip = NULL;
+ struct gpio_chip *chip;
+ struct pinctrl_gpio_range *range;
++ int alias_idx;
+ int ret = 0;
+ int irq, i;
+- int alias_idx = of_alias_get_id(np, "gpio");
+ uint32_t ngpio;
+ char **names;
+
++ alias_idx = of_alias_get_id(np, "gpio");
++ if (alias_idx < 0)
++ return alias_idx;
++
+ BUG_ON(alias_idx >= ARRAY_SIZE(gpio_chips));
+ if (gpio_chips[alias_idx]) {
+ ret = -EBUSY;
+--
+2.39.5
+
--- /dev/null
+From ab9669a23472145a621bb6bacfbe47a0ab0762fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Jun 2025 18:19:27 +0200
+Subject: PM: sleep: Fix power.is_suspended cleanup for direct-complete devices
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit d46c4c839c20a599a0eb8d73708ce401f9c7d06d ]
+
+Commit 03f1444016b7 ("PM: sleep: Fix handling devices with direct_complete
+set on errors") caused power.is_suspended to be set for devices with
+power.direct_complete set, but it forgot to ensure the clearing of that
+flag for them in device_resume(), so power.is_suspended is still set for
+them during the next system suspend-resume cycle.
+
+If that cycle is aborted in dpm_suspend(), the subsequent invocation of
+dpm_resume() will trigger a device_resume() call for every device and
+because power.is_suspended is set for the devices in question, they will
+not be skipped by device_resume() as expected which causes scary error
+messages to be logged (as appropriate).
+
+To address this issue, move the clearing of power.is_suspended in
+device_resume() immediately after the power.is_suspended check so it
+will be always cleared for all devices processed by that function.
+
+Fixes: 03f1444016b7 ("PM: sleep: Fix handling devices with direct_complete set on errors")
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4280
+Reported-and-tested-by: Chris Bainbridge <chris.bainbridge@gmail.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Link: https://patch.msgid.link/4990586.GXAFRqVoOG@rjwysocki.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/power/main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c
+index 343d3c966e7a7..baa31194cf20d 100644
+--- a/drivers/base/power/main.c
++++ b/drivers/base/power/main.c
+@@ -897,6 +897,8 @@ static void __device_resume(struct device *dev, pm_message_t state, bool async)
+ if (!dev->power.is_suspended)
+ goto Complete;
+
++ dev->power.is_suspended = false;
++
+ if (dev->power.direct_complete) {
+ /* Match the pm_runtime_disable() in __device_suspend(). */
+ pm_runtime_enable(dev);
+@@ -952,7 +954,6 @@ static void __device_resume(struct device *dev, pm_message_t state, bool async)
+
+ End:
+ error = dpm_run_callback(callback, dev, state, info);
+- dev->power.is_suspended = false;
+
+ device_unlock(dev);
+ dpm_watchdog_clear(&wd);
+--
+2.39.5
+
--- /dev/null
+From b45d7d0873f8ae9fd61ebb8f04cf23fad3b062e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 May 2025 17:26:51 +0800
+Subject: PM: wakeup: Delete space in the end of string shown by
+ pm_show_wakelocks()
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+[ Upstream commit f0050a3e214aa941b78ad4caf122a735a24d81a6 ]
+
+pm_show_wakelocks() is called to generate a string when showing
+attributes /sys/power/wake_(lock|unlock), but the string ends
+with an unwanted space that was added back by mistake by commit
+c9d967b2ce40 ("PM: wakeup: simplify the output logic of
+pm_show_wakelocks()").
+
+Remove the unwanted space.
+
+Fixes: c9d967b2ce40 ("PM: wakeup: simplify the output logic of pm_show_wakelocks()")
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Link: https://patch.msgid.link/20250505-fix_power-v1-1-0f7f2c2f338c@quicinc.com
+[ rjw: Changelog edits ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/power/wakelock.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/kernel/power/wakelock.c b/kernel/power/wakelock.c
+index 52571dcad768b..4e941999a53ba 100644
+--- a/kernel/power/wakelock.c
++++ b/kernel/power/wakelock.c
+@@ -49,6 +49,9 @@ ssize_t pm_show_wakelocks(char *buf, bool show_active)
+ len += sysfs_emit_at(buf, len, "%s ", wl->name);
+ }
+
++ if (len > 0)
++ --len;
++
+ len += sysfs_emit_at(buf, len, "\n");
+
+ mutex_unlock(&wakelocks_lock);
+--
+2.39.5
+
--- /dev/null
+From 8d13e4ae4adeb6aefa19111e28b44c8b12b08111 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Mar 2025 08:38:09 +0300
+Subject: power: reset: at91-reset: Optimize at91_reset()
+
+From: Alexander Shiyan <eagle.alexander923@gmail.com>
+
+[ Upstream commit 62d48983f215bf1dd48665913318101fa3414dcf ]
+
+This patch adds a small optimization to the low-level at91_reset()
+function, which includes:
+- Removes the extra branch, since the following store operations
+ already have proper condition checks.
+- Removes the definition of the clobber register r4, since it is
+ no longer used in the code.
+
+Fixes: fcd0532fac2a ("power: reset: at91-reset: make at91sam9g45_restart() generic")
+Signed-off-by: Alexander Shiyan <eagle.alexander923@gmail.com>
+Reviewed-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Link: https://lore.kernel.org/r/20250307053809.20245-1-eagle.alexander923@gmail.com
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/reset/at91-reset.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/power/reset/at91-reset.c b/drivers/power/reset/at91-reset.c
+index 741e44a017c3f..f47346a0f099f 100644
+--- a/drivers/power/reset/at91-reset.c
++++ b/drivers/power/reset/at91-reset.c
+@@ -128,12 +128,11 @@ static int at91_reset(struct notifier_block *this, unsigned long mode,
+ " str %4, [%0, %6]\n\t"
+ /* Disable SDRAM1 accesses */
+ "1: tst %1, #0\n\t"
+- " beq 2f\n\t"
+ " strne %3, [%1, #" __stringify(AT91_DDRSDRC_RTR) "]\n\t"
+ /* Power down SDRAM1 */
+ " strne %4, [%1, %6]\n\t"
+ /* Reset CPU */
+- "2: str %5, [%2, #" __stringify(AT91_RSTC_CR) "]\n\t"
++ " str %5, [%2, #" __stringify(AT91_RSTC_CR) "]\n\t"
+
+ " b .\n\t"
+ :
+@@ -144,7 +143,7 @@ static int at91_reset(struct notifier_block *this, unsigned long mode,
+ "r" cpu_to_le32(AT91_DDRSDRC_LPCB_POWER_DOWN),
+ "r" (reset->data->reset_args),
+ "r" (reset->ramc_lpr)
+- : "r4");
++ );
+
+ return NOTIFY_DONE;
+ }
+--
+2.39.5
+
--- /dev/null
+From a64b900de15ea2a0746a95875b18366c9c471fb0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Feb 2025 10:20:54 -0600
+Subject: powerpc/crash: Fix non-smp kexec preparation
+
+From: Eddie James <eajames@linux.ibm.com>
+
+[ Upstream commit 882b25af265de8e05c66f72b9a29f6047102958f ]
+
+In non-smp configurations, crash_kexec_prepare is never called in
+the crash shutdown path. One result of this is that the crashing_cpu
+variable is never set, preventing crash_save_cpu from storing the
+NT_PRSTATUS elf note in the core dump.
+
+Fixes: c7255058b543 ("powerpc/crash: save cpu register data in crash_smp_send_stop()")
+Signed-off-by: Eddie James <eajames@linux.ibm.com>
+Reviewed-by: Hari Bathini <hbathini@linux.ibm.com>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/20250211162054.857762-1-eajames@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kexec/crash.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/kexec/crash.c b/arch/powerpc/kexec/crash.c
+index 252724ed666a3..14abe7046cd74 100644
+--- a/arch/powerpc/kexec/crash.c
++++ b/arch/powerpc/kexec/crash.c
+@@ -356,7 +356,10 @@ void default_machine_crash_shutdown(struct pt_regs *regs)
+ if (TRAP(regs) == INTERRUPT_SYSTEM_RESET)
+ is_via_system_reset = 1;
+
+- crash_smp_send_stop();
++ if (IS_ENABLED(CONFIG_SMP))
++ crash_smp_send_stop();
++ else
++ crash_kexec_prepare();
+
+ crash_save_cpu(regs, crashing_cpu);
+
+--
+2.39.5
+
--- /dev/null
+From 29feced5e1e91c349718f36fe610142522263b61 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 May 2025 15:18:28 -0700
+Subject: randstruct: gcc-plugin: Fix attribute addition
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit f39f18f3c3531aa802b58a20d39d96e82eb96c14 ]
+
+Based on changes in the 2021 public version of the randstruct
+out-of-tree GCC plugin[1], more carefully update the attributes on
+resulting decls, to avoid tripping checks in GCC 15's
+comptypes_check_enum_int() when it has been configured with
+"--enable-checking=misc":
+
+arch/arm64/kernel/kexec_image.c:132:14: internal compiler error: in comptypes_check_enum_int, at c/c-typeck.cc:1519
+ 132 | const struct kexec_file_ops kexec_image_ops = {
+ | ^~~~~~~~~~~~~~
+ internal_error(char const*, ...), at gcc/gcc/diagnostic-global-context.cc:517
+ fancy_abort(char const*, int, char const*), at gcc/gcc/diagnostic.cc:1803
+ comptypes_check_enum_int(tree_node*, tree_node*, bool*), at gcc/gcc/c/c-typeck.cc:1519
+ ...
+
+Link: https://archive.org/download/grsecurity/grsecurity-3.1-5.10.41-202105280954.patch.gz [1]
+Reported-by: Thiago Jung Bauermann <thiago.bauermann@linaro.org>
+Closes: https://github.com/KSPP/linux/issues/367
+Closes: https://lore.kernel.org/lkml/20250530000646.104457-1-thiago.bauermann@linaro.org/
+Reported-by: Ingo Saitz <ingo@hannover.ccc.de>
+Closes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104745
+Fixes: 313dd1b62921 ("gcc-plugins: Add the randstruct plugin")
+Tested-by: Thiago Jung Bauermann <thiago.bauermann@linaro.org>
+Link: https://lore.kernel.org/r/20250530221824.work.623-kees@kernel.org
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/gcc-plugins/gcc-common.h | 32 +++++++++++++++++++
+ scripts/gcc-plugins/randomize_layout_plugin.c | 22 ++++++-------
+ 2 files changed, 43 insertions(+), 11 deletions(-)
+
+diff --git a/scripts/gcc-plugins/gcc-common.h b/scripts/gcc-plugins/gcc-common.h
+index 1ae39b9f4a95e..90e83d62adb54 100644
+--- a/scripts/gcc-plugins/gcc-common.h
++++ b/scripts/gcc-plugins/gcc-common.h
+@@ -128,6 +128,38 @@ static inline tree build_const_char_string(int len, const char *str)
+ return cstr;
+ }
+
++static inline void __add_type_attr(tree type, const char *attr, tree args)
++{
++ tree oldattr;
++
++ if (type == NULL_TREE)
++ return;
++ oldattr = lookup_attribute(attr, TYPE_ATTRIBUTES(type));
++ if (oldattr != NULL_TREE) {
++ gcc_assert(TREE_VALUE(oldattr) == args || TREE_VALUE(TREE_VALUE(oldattr)) == TREE_VALUE(args));
++ return;
++ }
++
++ TYPE_ATTRIBUTES(type) = copy_list(TYPE_ATTRIBUTES(type));
++ TYPE_ATTRIBUTES(type) = tree_cons(get_identifier(attr), args, TYPE_ATTRIBUTES(type));
++}
++
++static inline void add_type_attr(tree type, const char *attr, tree args)
++{
++ tree main_variant = TYPE_MAIN_VARIANT(type);
++
++ __add_type_attr(TYPE_CANONICAL(type), attr, args);
++ __add_type_attr(TYPE_CANONICAL(main_variant), attr, args);
++ __add_type_attr(main_variant, attr, args);
++
++ for (type = TYPE_NEXT_VARIANT(main_variant); type; type = TYPE_NEXT_VARIANT(type)) {
++ if (!lookup_attribute(attr, TYPE_ATTRIBUTES(type)))
++ TYPE_ATTRIBUTES(type) = TYPE_ATTRIBUTES(main_variant);
++
++ __add_type_attr(TYPE_CANONICAL(type), attr, args);
++ }
++}
++
+ #define PASS_INFO(NAME, REF, ID, POS) \
+ struct register_pass_info NAME##_pass_info = { \
+ .pass = make_##NAME##_pass(), \
+diff --git a/scripts/gcc-plugins/randomize_layout_plugin.c b/scripts/gcc-plugins/randomize_layout_plugin.c
+index 2b93dd14bd7b6..b00681ad3e383 100644
+--- a/scripts/gcc-plugins/randomize_layout_plugin.c
++++ b/scripts/gcc-plugins/randomize_layout_plugin.c
+@@ -77,6 +77,9 @@ static tree handle_randomize_layout_attr(tree *node, tree name, tree args, int f
+
+ if (TYPE_P(*node)) {
+ type = *node;
++ } else if (TREE_CODE(*node) == FIELD_DECL) {
++ *no_add_attrs = false;
++ return NULL_TREE;
+ } else {
+ gcc_assert(TREE_CODE(*node) == TYPE_DECL);
+ type = TREE_TYPE(*node);
+@@ -363,15 +366,14 @@ static int relayout_struct(tree type)
+ TREE_CHAIN(newtree[i]) = newtree[i+1];
+ TREE_CHAIN(newtree[num_fields - 1]) = NULL_TREE;
+
++ add_type_attr(type, "randomize_performed", NULL_TREE);
++ add_type_attr(type, "designated_init", NULL_TREE);
++ if (has_flexarray)
++ add_type_attr(type, "has_flexarray", NULL_TREE);
++
+ main_variant = TYPE_MAIN_VARIANT(type);
+- for (variant = main_variant; variant; variant = TYPE_NEXT_VARIANT(variant)) {
++ for (variant = main_variant; variant; variant = TYPE_NEXT_VARIANT(variant))
+ TYPE_FIELDS(variant) = newtree[0];
+- TYPE_ATTRIBUTES(variant) = copy_list(TYPE_ATTRIBUTES(variant));
+- TYPE_ATTRIBUTES(variant) = tree_cons(get_identifier("randomize_performed"), NULL_TREE, TYPE_ATTRIBUTES(variant));
+- TYPE_ATTRIBUTES(variant) = tree_cons(get_identifier("designated_init"), NULL_TREE, TYPE_ATTRIBUTES(variant));
+- if (has_flexarray)
+- TYPE_ATTRIBUTES(type) = tree_cons(get_identifier("has_flexarray"), NULL_TREE, TYPE_ATTRIBUTES(type));
+- }
+
+ /*
+ * force a re-layout of the main variant
+@@ -439,10 +441,8 @@ static void randomize_type(tree type)
+ if (lookup_attribute("randomize_layout", TYPE_ATTRIBUTES(TYPE_MAIN_VARIANT(type))) || is_pure_ops_struct(type))
+ relayout_struct(type);
+
+- for (variant = TYPE_MAIN_VARIANT(type); variant; variant = TYPE_NEXT_VARIANT(variant)) {
+- TYPE_ATTRIBUTES(type) = copy_list(TYPE_ATTRIBUTES(type));
+- TYPE_ATTRIBUTES(type) = tree_cons(get_identifier("randomize_considered"), NULL_TREE, TYPE_ATTRIBUTES(type));
+- }
++ add_type_attr(type, "randomize_considered", NULL_TREE);
++
+ #ifdef __DEBUG_PLUGIN
+ fprintf(stderr, "Marking randomize_considered on struct %s\n", ORIG_TYPE_NAME(type));
+ #ifdef __DEBUG_VERBOSE
+--
+2.39.5
+
--- /dev/null
+From eb4c767332af414238f66120f0e46db0568e6de5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Apr 2025 00:37:52 -0700
+Subject: randstruct: gcc-plugin: Remove bogus void member
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit e136a4062174a9a8d1c1447ca040ea81accfa6a8 ]
+
+When building the randomized replacement tree of struct members, the
+randstruct GCC plugin would insert, as the first member, a 0-sized void
+member. This appears as though it was done to catch non-designated
+("unnamed") static initializers, which wouldn't be stable since they
+depend on the original struct layout order.
+
+This was accomplished by having the side-effect of the "void member"
+tripping an assert in GCC internals (count_type_elements) if the member
+list ever needed to be counted (e.g. for figuring out the order of members
+during a non-designated initialization), which would catch impossible type
+(void) in the struct:
+
+security/landlock/fs.c: In function ‘hook_file_ioctl_common’:
+security/landlock/fs.c:1745:61: internal compiler error: in count_type_elements, at expr.cc:7075
+ 1745 | .u.op = &(struct lsm_ioctlop_audit) {
+ | ^
+
+static HOST_WIDE_INT
+count_type_elements (const_tree type, bool for_ctor_p)
+{
+ switch (TREE_CODE (type))
+...
+ case VOID_TYPE:
+ default:
+ gcc_unreachable ();
+ }
+}
+
+However this is a redundant safety measure since randstruct uses the
+__designated_initializer attribute both internally and within the
+__randomized_layout attribute macro so that this would be enforced
+by the compiler directly even when randstruct was not enabled (via
+-Wdesignated-init).
+
+A recent change in Landlock ended up tripping the same member counting
+routine when using a full-struct copy initializer as part of an anonymous
+initializer. This, however, is a false positive as the initializer is
+copying between identical structs (and hence identical layouts). The
+"path" member is "struct path", a randomized struct, and is being copied
+to from another "struct path", the "f_path" member:
+
+ landlock_log_denial(landlock_cred(file->f_cred), &(struct landlock_request) {
+ .type = LANDLOCK_REQUEST_FS_ACCESS,
+ .audit = {
+ .type = LSM_AUDIT_DATA_IOCTL_OP,
+ .u.op = &(struct lsm_ioctlop_audit) {
+ .path = file->f_path,
+ .cmd = cmd,
+ },
+ },
+ ...
+
+As can be seen with the coming randstruct KUnit test, there appears to
+be no behavioral problems with this kind of initialization when the void
+member is removed from the randstruct GCC plugin, so remove it.
+
+Reported-by: "Dr. David Alan Gilbert" <linux@treblig.org>
+Closes: https://lore.kernel.org/lkml/Z_PRaKx7q70MKgCA@gallifrey/
+Reported-by: Mark Brown <broonie@kernel.org>
+Closes: https://lore.kernel.org/lkml/20250407-kbuild-disable-gcc-plugins-v1-1-5d46ae583f5e@kernel.org/
+Reported-by: WangYuli <wangyuli@uniontech.com>
+Closes: https://lore.kernel.org/lkml/337D5D4887277B27+3c677db3-a8b9-47f0-93a4-7809355f1381@uniontech.com/
+Fixes: 313dd1b62921 ("gcc-plugins: Add the randstruct plugin")
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/gcc-plugins/randomize_layout_plugin.c | 18 +-----------------
+ 1 file changed, 1 insertion(+), 17 deletions(-)
+
+diff --git a/scripts/gcc-plugins/randomize_layout_plugin.c b/scripts/gcc-plugins/randomize_layout_plugin.c
+index 366395cab490d..2b93dd14bd7b6 100644
+--- a/scripts/gcc-plugins/randomize_layout_plugin.c
++++ b/scripts/gcc-plugins/randomize_layout_plugin.c
+@@ -359,29 +359,13 @@ static int relayout_struct(tree type)
+
+ shuffle(type, (tree *)newtree, shuffle_length);
+
+- /*
+- * set up a bogus anonymous struct field designed to error out on unnamed struct initializers
+- * as gcc provides no other way to detect such code
+- */
+- list = make_node(FIELD_DECL);
+- TREE_CHAIN(list) = newtree[0];
+- TREE_TYPE(list) = void_type_node;
+- DECL_SIZE(list) = bitsize_zero_node;
+- DECL_NONADDRESSABLE_P(list) = 1;
+- DECL_FIELD_BIT_OFFSET(list) = bitsize_zero_node;
+- DECL_SIZE_UNIT(list) = size_zero_node;
+- DECL_FIELD_OFFSET(list) = size_zero_node;
+- DECL_CONTEXT(list) = type;
+- // to satisfy the constify plugin
+- TREE_READONLY(list) = 1;
+-
+ for (i = 0; i < num_fields - 1; i++)
+ TREE_CHAIN(newtree[i]) = newtree[i+1];
+ TREE_CHAIN(newtree[num_fields - 1]) = NULL_TREE;
+
+ main_variant = TYPE_MAIN_VARIANT(type);
+ for (variant = main_variant; variant; variant = TYPE_NEXT_VARIANT(variant)) {
+- TYPE_FIELDS(variant) = list;
++ TYPE_FIELDS(variant) = newtree[0];
+ TYPE_ATTRIBUTES(variant) = copy_list(TYPE_ATTRIBUTES(variant));
+ TYPE_ATTRIBUTES(variant) = tree_cons(get_identifier("randomize_performed"), NULL_TREE, TYPE_ATTRIBUTES(variant));
+ TYPE_ATTRIBUTES(variant) = tree_cons(get_identifier("designated_init"), NULL_TREE, TYPE_ATTRIBUTES(variant));
+--
+2.39.5
+
--- /dev/null
+From 16d7b39b4d0860621c68c1f45821deaae3d9a416 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 May 2025 14:36:02 +0300
+Subject: RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work
+
+From: Jack Morgenstein <jackm@nvidia.com>
+
+[ Upstream commit 92a251c3df8ea1991cd9fe00f1ab0cfce18d7711 ]
+
+The cited commit fixed a crash when cma_netevent_callback was called for
+a cma_id while work on that id from a previous call had not yet started.
+The work item was re-initialized in the second call, which corrupted the
+work item currently in the work queue.
+
+However, it left a problem when queue_work fails (because the item is
+still pending in the work queue from a previous call). In this case,
+cma_id_put (which is called in the work handler) is therefore not
+called. This results in a userspace process hang (zombie process).
+
+Fix this by calling cma_id_put() if queue_work fails.
+
+Fixes: 45f5dcdd0497 ("RDMA/cma: Fix workqueue crash in cma_netevent_work_handler")
+Link: https://patch.msgid.link/r/4f3640b501e48d0166f312a64fdadf72b059bd04.1747827103.git.leon@kernel.org
+Signed-off-by: Jack Morgenstein <jackm@nvidia.com>
+Signed-off-by: Feng Liu <feliu@nvidia.com>
+Reviewed-by: Vlad Dumitrescu <vdumitrescu@nvidia.com>
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Reviewed-by: Sharath Srinivasan <sharath.srinivasan@oracle.com>
+Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/cma.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
+index bb3c361bd8d45..0b2cb31d0f999 100644
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -5190,7 +5190,8 @@ static int cma_netevent_callback(struct notifier_block *self,
+ neigh->ha, ETH_ALEN))
+ continue;
+ cma_id_get(current_id);
+- queue_work(cma_wq, ¤t_id->id.net_work);
++ if (!queue_work(cma_wq, ¤t_id->id.net_work))
++ cma_id_put(current_id);
+ }
+ out:
+ spin_unlock_irqrestore(&id_table_lock, flags);
+--
+2.39.5
+
--- /dev/null
+From b0b02c74eebb1e49e9d9670b184b26adbf4c569a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Apr 2025 21:27:49 +0800
+Subject: RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h
+
+From: Junxian Huang <huangjunxian6@hisilicon.com>
+
+[ Upstream commit 2b11d33de23262cb20d1dcb24b586dbb8f54d463 ]
+
+hns_roce_hw_v2.h has a direct dependency on hnae3.h due to the
+inline function hns_roce_write64(), but it doesn't include this
+header currently. This leads to that files including
+hns_roce_hw_v2.h must also include hnae3.h to avoid compilation
+errors, even if they themselves don't really rely on hnae3.h.
+This doesn't make sense, hns_roce_hw_v2.h should include hnae3.h
+directly.
+
+Fixes: d3743fa94ccd ("RDMA/hns: Fix the chip hanging caused by sending doorbell during reset")
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Link: https://patch.msgid.link/20250421132750.1363348-6-huangjunxian6@hisilicon.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_ah.c | 1 -
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 1 -
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 1 +
+ drivers/infiniband/hw/hns/hns_roce_main.c | 1 -
+ drivers/infiniband/hw/hns/hns_roce_restrack.c | 1 -
+ 5 files changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_ah.c b/drivers/infiniband/hw/hns/hns_roce_ah.c
+index 103a7787b3712..3a6a1f2430571 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_ah.c
++++ b/drivers/infiniband/hw/hns/hns_roce_ah.c
+@@ -33,7 +33,6 @@
+ #include <linux/pci.h>
+ #include <rdma/ib_addr.h>
+ #include <rdma/ib_cache.h>
+-#include "hnae3.h"
+ #include "hns_roce_device.h"
+ #include "hns_roce_hw_v2.h"
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+index ab0dca9d199ab..be5d7a8ab4d43 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -42,7 +42,6 @@
+ #include <rdma/ib_umem.h>
+ #include <rdma/uverbs_ioctl.h>
+
+-#include "hnae3.h"
+ #include "hns_roce_common.h"
+ #include "hns_roce_device.h"
+ #include "hns_roce_cmd.h"
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
+index a9eff72f10c62..e032db5e3dbf3 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
+@@ -34,6 +34,7 @@
+ #define _HNS_ROCE_HW_V2_H
+
+ #include <linux/bitops.h>
++#include "hnae3.h"
+
+ #define HNS_ROCE_V2_MAX_QP_NUM 0x1000
+ #define HNS_ROCE_V2_MAX_WQE_NUM 0x8000
+diff --git a/drivers/infiniband/hw/hns/hns_roce_main.c b/drivers/infiniband/hw/hns/hns_roce_main.c
+index eae22ac42e05d..3a35f1fb84db9 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_main.c
++++ b/drivers/infiniband/hw/hns/hns_roce_main.c
+@@ -37,7 +37,6 @@
+ #include <rdma/ib_smi.h>
+ #include <rdma/ib_user_verbs.h>
+ #include <rdma/ib_cache.h>
+-#include "hnae3.h"
+ #include "hns_roce_common.h"
+ #include "hns_roce_device.h"
+ #include "hns_roce_hem.h"
+diff --git a/drivers/infiniband/hw/hns/hns_roce_restrack.c b/drivers/infiniband/hw/hns/hns_roce_restrack.c
+index 989a2af2e9382..6ba064899bf14 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_restrack.c
++++ b/drivers/infiniband/hw/hns/hns_roce_restrack.c
+@@ -4,7 +4,6 @@
+ #include <rdma/rdma_cm.h>
+ #include <rdma/restrack.h>
+ #include <uapi/rdma/rdma_netlink.h>
+-#include "hnae3.h"
+ #include "hns_roce_common.h"
+ #include "hns_roce_device.h"
+ #include "hns_roce_hw_v2.h"
+--
+2.39.5
+
--- /dev/null
+From 77343cf97e915a58ce9a7cb75c9faed83dd08ba8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Apr 2025 14:34:07 +0300
+Subject: RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction
+
+From: Patrisious Haddad <phaddad@nvidia.com>
+
+[ Upstream commit 5d2ea5aebbb2f3ebde4403f9c55b2b057e5dd2d6 ]
+
+Upon RQ destruction if the firmware command fails which is the
+last resource to be destroyed some SW resources were already cleaned
+regardless of the failure.
+
+Now properly rollback the object to its original state upon such failure.
+
+In order to avoid a use-after free in case someone tries to destroy the
+object again, which results in the following kernel trace:
+refcount_t: underflow; use-after-free.
+WARNING: CPU: 0 PID: 37589 at lib/refcount.c:28 refcount_warn_saturate+0xf4/0x148
+Modules linked in: rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) rfkill mlx5_core(OE) mlxdevm(OE) ib_uverbs(OE) ib_core(OE) psample mlxfw(OE) mlx_compat(OE) macsec tls pci_hyperv_intf sunrpc vfat fat virtio_net net_failover failover fuse loop nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs crct10dif_ce ghash_ce sha2_ce sha256_arm64 sha1_ce virtio_console virtio_gpu virtio_blk virtio_dma_buf virtio_mmio dm_mirror dm_region_hash dm_log dm_mod xpmem(OE)
+CPU: 0 UID: 0 PID: 37589 Comm: python3 Kdump: loaded Tainted: G OE ------- --- 6.12.0-54.el10.aarch64 #1
+Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
+Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
+pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : refcount_warn_saturate+0xf4/0x148
+lr : refcount_warn_saturate+0xf4/0x148
+sp : ffff80008b81b7e0
+x29: ffff80008b81b7e0 x28: ffff000133d51600 x27: 0000000000000001
+x26: 0000000000000000 x25: 00000000ffffffea x24: ffff00010ae80f00
+x23: ffff00010ae80f80 x22: ffff0000c66e5d08 x21: 0000000000000000
+x20: ffff0000c66e0000 x19: ffff00010ae80340 x18: 0000000000000006
+x17: 0000000000000000 x16: 0000000000000020 x15: ffff80008b81b37f
+x14: 0000000000000000 x13: 2e656572662d7265 x12: ffff80008283ef78
+x11: ffff80008257efd0 x10: ffff80008283efd0 x9 : ffff80008021ed90
+x8 : 0000000000000001 x7 : 00000000000bffe8 x6 : c0000000ffff7fff
+x5 : ffff0001fb8e3408 x4 : 0000000000000000 x3 : ffff800179993000
+x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000133d51600
+Call trace:
+ refcount_warn_saturate+0xf4/0x148
+ mlx5_core_put_rsc+0x88/0xa0 [mlx5_ib]
+ mlx5_core_destroy_rq_tracked+0x64/0x98 [mlx5_ib]
+ mlx5_ib_destroy_wq+0x34/0x80 [mlx5_ib]
+ ib_destroy_wq_user+0x30/0xc0 [ib_core]
+ uverbs_free_wq+0x28/0x58 [ib_uverbs]
+ destroy_hw_idr_uobject+0x34/0x78 [ib_uverbs]
+ uverbs_destroy_uobject+0x48/0x240 [ib_uverbs]
+ __uverbs_cleanup_ufile+0xd4/0x1a8 [ib_uverbs]
+ uverbs_destroy_ufile_hw+0x48/0x120 [ib_uverbs]
+ ib_uverbs_close+0x2c/0x100 [ib_uverbs]
+ __fput+0xd8/0x2f0
+ __fput_sync+0x50/0x70
+ __arm64_sys_close+0x40/0x90
+ invoke_syscall.constprop.0+0x74/0xd0
+ do_el0_svc+0x48/0xe8
+ el0_svc+0x44/0x1d0
+ el0t_64_sync_handler+0x120/0x130
+ el0t_64_sync+0x1a4/0x1a8
+
+Fixes: e2013b212f9f ("net/mlx5_core: Add RQ and SQ event handling")
+Signed-off-by: Patrisious Haddad <phaddad@nvidia.com>
+Link: https://patch.msgid.link/3181433ccdd695c63560eeeb3f0c990961732101.1745839855.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/qpc.c | 30 ++++++++++++++++++++++++++++--
+ include/linux/mlx5/driver.h | 1 +
+ 2 files changed, 29 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/qpc.c b/drivers/infiniband/hw/mlx5/qpc.c
+index d4e7864c56f18..d75ec5e57c5fd 100644
+--- a/drivers/infiniband/hw/mlx5/qpc.c
++++ b/drivers/infiniband/hw/mlx5/qpc.c
+@@ -21,8 +21,10 @@ mlx5_get_rsc(struct mlx5_qp_table *table, u32 rsn)
+ spin_lock_irqsave(&table->lock, flags);
+
+ common = radix_tree_lookup(&table->tree, rsn);
+- if (common)
++ if (common && !common->invalid)
+ refcount_inc(&common->refcount);
++ else
++ common = NULL;
+
+ spin_unlock_irqrestore(&table->lock, flags);
+
+@@ -172,6 +174,18 @@ static int create_resource_common(struct mlx5_ib_dev *dev,
+ return 0;
+ }
+
++static void modify_resource_common_state(struct mlx5_ib_dev *dev,
++ struct mlx5_core_qp *qp,
++ bool invalid)
++{
++ struct mlx5_qp_table *table = &dev->qp_table;
++ unsigned long flags;
++
++ spin_lock_irqsave(&table->lock, flags);
++ qp->common.invalid = invalid;
++ spin_unlock_irqrestore(&table->lock, flags);
++}
++
+ static void destroy_resource_common(struct mlx5_ib_dev *dev,
+ struct mlx5_core_qp *qp)
+ {
+@@ -584,8 +598,20 @@ int mlx5_core_create_rq_tracked(struct mlx5_ib_dev *dev, u32 *in, int inlen,
+ int mlx5_core_destroy_rq_tracked(struct mlx5_ib_dev *dev,
+ struct mlx5_core_qp *rq)
+ {
++ int ret;
++
++ /* The rq destruction can be called again in case it fails, hence we
++ * mark the common resource as invalid and only once FW destruction
++ * is completed successfully we actually destroy the resources.
++ */
++ modify_resource_common_state(dev, rq, true);
++ ret = destroy_rq_tracked(dev, rq->qpn, rq->uid);
++ if (ret) {
++ modify_resource_common_state(dev, rq, false);
++ return ret;
++ }
+ destroy_resource_common(dev, rq);
+- return destroy_rq_tracked(dev, rq->qpn, rq->uid);
++ return 0;
+ }
+
+ static void destroy_sq_tracked(struct mlx5_ib_dev *dev, u32 sqn, u16 uid)
+diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h
+index 3c3e0f26c2446..b05f69a8306c9 100644
+--- a/include/linux/mlx5/driver.h
++++ b/include/linux/mlx5/driver.h
+@@ -385,6 +385,7 @@ struct mlx5_core_rsc_common {
+ enum mlx5_res_type res;
+ refcount_t refcount;
+ struct completion free;
++ bool invalid;
+ };
+
+ struct mlx5_uars_page {
+--
+2.39.5
+
--- /dev/null
+From ea913e1f35f6d4d08b00e06f1bf27cb63e0d7103 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 May 2025 11:14:35 +0530
+Subject: remoteproc: k3-r5: Drop check performed in
+ k3_r5_rproc_{mbox_callback/kick}
+
+From: Siddharth Vadapalli <s-vadapalli@ti.com>
+
+[ Upstream commit 9995dbfc2235efabdb3759606d522e1a7ec3bdcb ]
+
+Commit f3f11cfe8907 ("remoteproc: k3-r5: Acquire mailbox handle during
+probe routine") introduced a check in the "k3_r5_rproc_mbox_callback()"
+and "k3_r5_rproc_kick()" callbacks, causing them to exit if the remote
+core's state is "RPROC_DETACHED". However, the "__rproc_attach()"
+function that is responsible for attaching to a remote core, updates
+the state of the remote core to "RPROC_ATTACHED" only after invoking
+"rproc_start_subdevices()".
+
+The "rproc_start_subdevices()" function triggers the probe of the Virtio
+RPMsg devices associated with the remote core, which require that the
+"k3_r5_rproc_kick()" and "k3_r5_rproc_mbox_callback()" callbacks are
+functional. Hence, drop the check in the callbacks.
+
+Fixes: f3f11cfe8907 ("remoteproc: k3-r5: Acquire mailbox handle during probe routine")
+Signed-off-by: Siddharth Vadapalli <s-vadapalli@ti.com>
+Signed-off-by: Beleswar Padhi <b-padhi@ti.com>
+Tested-by: Judith Mendez <jm@ti.com>
+Reviewed-by: Andrew Davis <afd@ti.com>
+Link: https://lore.kernel.org/r/20250513054510.3439842-2-b-padhi@ti.com
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/remoteproc/ti_k3_r5_remoteproc.c | 8 --------
+ 1 file changed, 8 deletions(-)
+
+diff --git a/drivers/remoteproc/ti_k3_r5_remoteproc.c b/drivers/remoteproc/ti_k3_r5_remoteproc.c
+index 580f86de654f2..75f0b8c99e0b1 100644
+--- a/drivers/remoteproc/ti_k3_r5_remoteproc.c
++++ b/drivers/remoteproc/ti_k3_r5_remoteproc.c
+@@ -189,10 +189,6 @@ static void k3_r5_rproc_mbox_callback(struct mbox_client *client, void *data)
+ const char *name = kproc->rproc->name;
+ u32 msg = omap_mbox_message(data);
+
+- /* Do not forward message from a detached core */
+- if (kproc->rproc->state == RPROC_DETACHED)
+- return;
+-
+ dev_dbg(dev, "mbox msg: 0x%x\n", msg);
+
+ switch (msg) {
+@@ -228,10 +224,6 @@ static void k3_r5_rproc_kick(struct rproc *rproc, int vqid)
+ mbox_msg_t msg = (mbox_msg_t)vqid;
+ int ret;
+
+- /* Do not forward message to a detached core */
+- if (kproc->rproc->state == RPROC_DETACHED)
+- return;
+-
+ /* send the index of the triggered virtqueue in the mailbox payload */
+ ret = mbox_send_message(kproc->mbox, (void *)msg);
+ if (ret < 0)
+--
+2.39.5
+
--- /dev/null
+From 4f0008e6081b0e0a2c2c1c5267fdc59a8ea5bda3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Apr 2025 13:59:51 +0300
+Subject: remoteproc: qcom_wcnss_iris: Add missing put_device() on error in
+ probe
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 0cb4b1b97041d8a1f773425208ded253c1cb5869 ]
+
+The device_del() call matches with the device_add() but we also need
+to call put_device() to trigger the qcom_iris_release().
+
+Fixes: 1fcef985c8bd ("remoteproc: qcom: wcnss: Fix race with iris probe")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/4604f7e0-3217-4095-b28a-3ff8b5afad3a@stanley.mountain
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/remoteproc/qcom_wcnss_iris.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/remoteproc/qcom_wcnss_iris.c b/drivers/remoteproc/qcom_wcnss_iris.c
+index 09720ddddc857..7c7b688eda1d9 100644
+--- a/drivers/remoteproc/qcom_wcnss_iris.c
++++ b/drivers/remoteproc/qcom_wcnss_iris.c
+@@ -196,6 +196,7 @@ struct qcom_iris *qcom_iris_probe(struct device *parent, bool *use_48mhz_xo)
+
+ err_device_del:
+ device_del(&iris->dev);
++ put_device(&iris->dev);
+
+ return ERR_PTR(ret);
+ }
+@@ -203,4 +204,5 @@ struct qcom_iris *qcom_iris_probe(struct device *parent, bool *use_48mhz_xo)
+ void qcom_iris_remove(struct qcom_iris *iris)
+ {
+ device_del(&iris->dev);
++ put_device(&iris->dev);
+ }
+--
+2.39.5
+
--- /dev/null
+From ca6ce682e90f4e779b239720b352baa7c62867cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Apr 2025 20:22:05 +0300
+Subject: rpmsg: qcom_smd: Fix uninitialized return variable in
+ __qcom_smd_send()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 5de775df3362090a6e90046d1f2d83fe62489aa0 ]
+
+The "ret" variable isn't initialized if we don't enter the loop. For
+example, if "channel->state" is not SMD_CHANNEL_OPENED.
+
+Fixes: 33e3820dda88 ("rpmsg: smd: Use spinlock in tx path")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/r/aAkhvV0nSbrsef1P@stanley.mountain
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rpmsg/qcom_smd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/rpmsg/qcom_smd.c b/drivers/rpmsg/qcom_smd.c
+index 1044cf03c5422..eb2e66f5ca7b5 100644
+--- a/drivers/rpmsg/qcom_smd.c
++++ b/drivers/rpmsg/qcom_smd.c
+@@ -746,7 +746,7 @@ static int __qcom_smd_send(struct qcom_smd_channel *channel, const void *data,
+ __le32 hdr[5] = { cpu_to_le32(len), };
+ int tlen = sizeof(hdr) + len;
+ unsigned long flags;
+- int ret;
++ int ret = 0;
+
+ /* Word aligned channels only accept word size aligned data */
+ if (channel->info_word && len % 4)
+--
+2.39.5
+
--- /dev/null
+From 99b11bb7cd73be467b9137b22d87deaf86718556 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Feb 2025 14:42:56 +0100
+Subject: rtc: sh: assign correct interrupts with DT
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit 8f2efdbc303fe7baa83843d3290dd6ea5ba3276c ]
+
+The DT bindings for this driver define the interrupts in the order as
+they are numbered in the interrupt controller. The old platform_data,
+however, listed them in a different order. So, for DT based platforms,
+they are mixed up. Assign them specifically for DT, so we can keep the
+bindings stable. After the fix, 'rtctest' passes again on the Renesas
+Genmai board (RZ-A1 / R7S72100).
+
+Fixes: dab5aec64bf5 ("rtc: sh: add support for rza series")
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Link: https://lore.kernel.org/r/20250227134256.9167-11-wsa+renesas@sang-engineering.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-sh.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/rtc/rtc-sh.c b/drivers/rtc/rtc-sh.c
+index cd146b5741431..341b1b776e1a3 100644
+--- a/drivers/rtc/rtc-sh.c
++++ b/drivers/rtc/rtc-sh.c
+@@ -485,9 +485,15 @@ static int __init sh_rtc_probe(struct platform_device *pdev)
+ return -ENOENT;
+ }
+
+- rtc->periodic_irq = ret;
+- rtc->carry_irq = platform_get_irq(pdev, 1);
+- rtc->alarm_irq = platform_get_irq(pdev, 2);
++ if (!pdev->dev.of_node) {
++ rtc->periodic_irq = ret;
++ rtc->carry_irq = platform_get_irq(pdev, 1);
++ rtc->alarm_irq = platform_get_irq(pdev, 2);
++ } else {
++ rtc->alarm_irq = ret;
++ rtc->periodic_irq = platform_get_irq(pdev, 1);
++ rtc->carry_irq = platform_get_irq(pdev, 2);
++ }
+
+ res = platform_get_resource(pdev, IORESOURCE_IO, 0);
+ if (!res)
+--
+2.39.5
+
--- /dev/null
+From c0735192d208aeffa31f84090ff39a7c9a016b99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 May 2025 14:26:15 +0200
+Subject: s390/bpf: Store backchain even for leaf progs
+
+From: Ilya Leoshkevich <iii@linux.ibm.com>
+
+[ Upstream commit 5f55f2168432298f5a55294831ab6a76a10cb3c3 ]
+
+Currently a crash in a leaf prog (caused by a bug) produces the
+following call trace:
+
+ [<000003ff600ebf00>] bpf_prog_6df0139e1fbf2789_fentry+0x20/0x78
+ [<0000000000000000>] 0x0
+
+This is because leaf progs do not store backchain. Fix by making all
+progs do it. This is what GCC and Clang-generated code does as well.
+Now the call trace looks like this:
+
+ [<000003ff600eb0f2>] bpf_prog_6df0139e1fbf2789_fentry+0x2a/0x80
+ [<000003ff600ed096>] bpf_trampoline_201863462940+0x96/0xf4
+ [<000003ff600e3a40>] bpf_prog_05f379658fdd72f2_classifier_0+0x58/0xc0
+ [<000003ffe0aef070>] bpf_test_run+0x210/0x390
+ [<000003ffe0af0dc2>] bpf_prog_test_run_skb+0x25a/0x668
+ [<000003ffe038a90e>] __sys_bpf+0xa46/0xdb0
+ [<000003ffe038ad0c>] __s390x_sys_bpf+0x44/0x50
+ [<000003ffe0defea8>] __do_syscall+0x150/0x280
+ [<000003ffe0e01d5c>] system_call+0x74/0x98
+
+Fixes: 054623105728 ("s390/bpf: Add s390x eBPF JIT compiler backend")
+Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Link: https://lore.kernel.org/r/20250512122717.54878-1-iii@linux.ibm.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/net/bpf_jit_comp.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
+index 8623863935576..a9dbf74752586 100644
+--- a/arch/s390/net/bpf_jit_comp.c
++++ b/arch/s390/net/bpf_jit_comp.c
+@@ -543,17 +543,15 @@ static void bpf_jit_prologue(struct bpf_jit *jit, u32 stack_depth)
+ }
+ /* Setup stack and backchain */
+ if (is_first_pass(jit) || (jit->seen & SEEN_STACK)) {
+- if (is_first_pass(jit) || (jit->seen & SEEN_FUNC))
+- /* lgr %w1,%r15 (backchain) */
+- EMIT4(0xb9040000, REG_W1, REG_15);
++ /* lgr %w1,%r15 (backchain) */
++ EMIT4(0xb9040000, REG_W1, REG_15);
+ /* la %bfp,STK_160_UNUSED(%r15) (BPF frame pointer) */
+ EMIT4_DISP(0x41000000, BPF_REG_FP, REG_15, STK_160_UNUSED);
+ /* aghi %r15,-STK_OFF */
+ EMIT4_IMM(0xa70b0000, REG_15, -(STK_OFF + stack_depth));
+- if (is_first_pass(jit) || (jit->seen & SEEN_FUNC))
+- /* stg %w1,152(%r15) (backchain) */
+- EMIT6_DISP_LH(0xe3000000, 0x0024, REG_W1, REG_0,
+- REG_15, 152);
++ /* stg %w1,152(%r15) (backchain) */
++ EMIT6_DISP_LH(0xe3000000, 0x0024, REG_W1, REG_0,
++ REG_15, 152);
+ }
+ }
+
+--
+2.39.5
+
--- /dev/null
+From c92625ca5f05da7e6227ac33b64ab78702bf4725 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Apr 2025 16:08:44 +0800
+Subject: scsi: hisi_sas: Call I_T_nexus after soft reset for SATA disk
+
+From: Yihang Li <liyihang9@huawei.com>
+
+[ Upstream commit e4d953ca557e02edd3aed7390043e1b8ad1c9723 ]
+
+In commit 21c7e972475e ("scsi: hisi_sas: Disable SATA disk phy for severe
+I_T nexus reset failure"), if the softreset fails upon certain
+conditions, the PHY connected to the disk is disabled directly. Manual
+recovery is required, which is inconvenient for users in actual use.
+
+In addition, SATA disks do not support simultaneous connection of multiple
+hosts. Therefore, when multiple controllers are connected to a SATA disk
+at the same time, the controller which is connected later failed to issue
+an ATA softreset to the SATA disk. As a result, the PHY associated with
+the disk is disabled and cannot be automatically recovered.
+
+Now that, we will not focus on the execution result of softreset. No
+matter whether the execution is successful or not, we will directly carry
+out I_T_nexus_reset.
+
+Fixes: 21c7e972475e ("scsi: hisi_sas: Disable SATA disk phy for severe I_T nexus reset failure")
+Signed-off-by: Yihang Li <liyihang9@huawei.com>
+Link: https://lore.kernel.org/r/20250414080845.1220997-4-liyihang9@huawei.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/hisi_sas/hisi_sas_main.c | 29 +++++----------------------
+ 1 file changed, 5 insertions(+), 24 deletions(-)
+
+diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c
+index 02855164bf28d..360f2799f2a13 100644
+--- a/drivers/scsi/hisi_sas/hisi_sas_main.c
++++ b/drivers/scsi/hisi_sas/hisi_sas_main.c
+@@ -1758,33 +1758,14 @@ static int hisi_sas_I_T_nexus_reset(struct domain_device *device)
+ }
+ hisi_sas_dereg_device(hisi_hba, device);
+
+- rc = hisi_sas_debug_I_T_nexus_reset(device);
+- if (rc == TMF_RESP_FUNC_COMPLETE && dev_is_sata(device)) {
+- struct sas_phy *local_phy;
+-
++ if (dev_is_sata(device)) {
+ rc = hisi_sas_softreset_ata_disk(device);
+- switch (rc) {
+- case -ECOMM:
+- rc = -ENODEV;
+- break;
+- case TMF_RESP_FUNC_FAILED:
+- case -EMSGSIZE:
+- case -EIO:
+- local_phy = sas_get_local_phy(device);
+- rc = sas_phy_enable(local_phy, 0);
+- if (!rc) {
+- local_phy->enabled = 0;
+- dev_err(dev, "Disabled local phy of ATA disk %016llx due to softreset fail (%d)\n",
+- SAS_ADDR(device->sas_addr), rc);
+- rc = -ENODEV;
+- }
+- sas_put_local_phy(local_phy);
+- break;
+- default:
+- break;
+- }
++ if (rc == TMF_RESP_FUNC_FAILED)
++ dev_err(dev, "ata disk %016llx reset (%d)\n",
++ SAS_ADDR(device->sas_addr), rc);
+ }
+
++ rc = hisi_sas_debug_I_T_nexus_reset(device);
+ if ((rc == TMF_RESP_FUNC_COMPLETE) || (rc == -ENODEV))
+ hisi_sas_release_task(hisi_hba, device);
+
+--
+2.39.5
+
--- /dev/null
+From ffdc6c9dd7b47a87dd665082e4e932a388ea63c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 May 2025 15:41:57 -0700
+Subject: scsi: qedf: Use designated initializer for struct qed_fcoe_cb_ops
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit d8720235d5b5cad86c1f07f65117ef2a96f8bec7 ]
+
+Recent fixes to the randstruct GCC plugin allowed it to notice
+that this structure is entirely function pointers and is therefore
+subject to randomization, but doing so requires that it always use
+designated initializers. Explicitly specify the "common" member as being
+initialized. Silences:
+
+drivers/scsi/qedf/qedf_main.c:702:9: error: positional initialization of field in 'struct' declared with 'designated_init' attribute [-Werror=designated-init]
+ 702 | {
+ | ^
+
+Fixes: 035f7f87b729 ("randstruct: Enable Clang support")
+Link: https://lore.kernel.org/r/20250502224156.work.617-kees@kernel.org
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qedf/qedf_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c
+index 288c96e7bc39f..a6f53cfff9383 100644
+--- a/drivers/scsi/qedf/qedf_main.c
++++ b/drivers/scsi/qedf/qedf_main.c
+@@ -699,7 +699,7 @@ static u32 qedf_get_login_failures(void *cookie)
+ }
+
+ static struct qed_fcoe_cb_ops qedf_cb_ops = {
+- {
++ .common = {
+ .link_update = qedf_link_update,
+ .bw_update = qedf_bw_update,
+ .schedule_recovery_handler = qedf_schedule_recovery_handler,
+--
+2.39.5
+
--- /dev/null
+From 818c39ec5b2f799a29b27ba031215eb20c697409 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Jun 2025 14:32:52 +0300
+Subject: seg6: Fix validation of nexthop addresses
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit 7632fedb266d93ed0ed9f487133e6c6314a9b2d1 ]
+
+The kernel currently validates that the length of the provided nexthop
+address does not exceed the specified length. This can lead to the
+kernel reading uninitialized memory if user space provided a shorter
+length than the specified one.
+
+Fix by validating that the provided length exactly matches the specified
+one.
+
+Fixes: d1df6fd8a1d2 ("ipv6: sr: define core operations for seg6local lightweight tunnel")
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://patch.msgid.link/20250604113252.371528-1-idosch@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/seg6_local.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv6/seg6_local.c b/net/ipv6/seg6_local.c
+index 33cb0381b5749..b7d9a68a265d7 100644
+--- a/net/ipv6/seg6_local.c
++++ b/net/ipv6/seg6_local.c
+@@ -1250,10 +1250,8 @@ static const struct nla_policy seg6_local_policy[SEG6_LOCAL_MAX + 1] = {
+ [SEG6_LOCAL_SRH] = { .type = NLA_BINARY },
+ [SEG6_LOCAL_TABLE] = { .type = NLA_U32 },
+ [SEG6_LOCAL_VRFTABLE] = { .type = NLA_U32 },
+- [SEG6_LOCAL_NH4] = { .type = NLA_BINARY,
+- .len = sizeof(struct in_addr) },
+- [SEG6_LOCAL_NH6] = { .type = NLA_BINARY,
+- .len = sizeof(struct in6_addr) },
++ [SEG6_LOCAL_NH4] = NLA_POLICY_EXACT_LEN(sizeof(struct in_addr)),
++ [SEG6_LOCAL_NH6] = NLA_POLICY_EXACT_LEN(sizeof(struct in6_addr)),
+ [SEG6_LOCAL_IIF] = { .type = NLA_U32 },
+ [SEG6_LOCAL_OIF] = { .type = NLA_U32 },
+ [SEG6_LOCAL_BPF] = { .type = NLA_NESTED },
+--
+2.39.5
+
--- /dev/null
+From dd0a267e20664ecfad75ada336a5def11cd02636 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 27 Apr 2025 09:40:58 +0000
+Subject: selftests/seccomp: fix syscall_restart test for arm compat
+
+From: Neill Kapron <nkapron@google.com>
+
+[ Upstream commit 797002deed03491215a352ace891749b39741b69 ]
+
+The inconsistencies in the systcall ABI between arm and arm-compat can
+can cause a failure in the syscall_restart test due to the logic
+attempting to work around the differences. The 'machine' field for an
+ARM64 device running in compat mode can report 'armv8l' or 'armv8b'
+which matches with the string 'arm' when only examining the first three
+characters of the string.
+
+This change adds additional validation to the workaround logic to make
+sure we only take the arm path when running natively, not in arm-compat.
+
+Fixes: 256d0afb11d6 ("selftests/seccomp: build and pass on arm64")
+Signed-off-by: Neill Kapron <nkapron@google.com>
+Link: https://lore.kernel.org/r/20250427094103.3488304-2-nkapron@google.com
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/seccomp/seccomp_bpf.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
+index 4ae6c89913074..b300e87404d8e 100644
+--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
++++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
+@@ -3136,12 +3136,15 @@ TEST(syscall_restart)
+ ret = get_syscall(_metadata, child_pid);
+ #if defined(__arm__)
+ /*
+- * FIXME:
+ * - native ARM registers do NOT expose true syscall.
+ * - compat ARM registers on ARM64 DO expose true syscall.
++ * - values of utsbuf.machine include 'armv8l' or 'armb8b'
++ * for ARM64 running in compat mode.
+ */
+ ASSERT_EQ(0, uname(&utsbuf));
+- if (strncmp(utsbuf.machine, "arm", 3) == 0) {
++ if ((strncmp(utsbuf.machine, "arm", 3) == 0) &&
++ (strncmp(utsbuf.machine, "armv8l", 6) != 0) &&
++ (strncmp(utsbuf.machine, "armv8b", 6) != 0)) {
+ EXPECT_EQ(__NR_nanosleep, ret);
+ } else
+ #endif
+--
+2.39.5
+
--- /dev/null
+From 26db8566908fdb673c967114290b3ba06b86e135 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Apr 2025 15:03:39 +0800
+Subject: serial: Fix potential null-ptr-deref in mlb_usio_probe()
+
+From: Henry Martin <bsdhenrymartin@gmail.com>
+
+[ Upstream commit 86bcae88c9209e334b2f8c252f4cc66beb261886 ]
+
+devm_ioremap() can return NULL on error. Currently, mlb_usio_probe()
+does not check for this case, which could result in a NULL pointer
+dereference.
+
+Add NULL check after devm_ioremap() to prevent this issue.
+
+Fixes: ba44dc043004 ("serial: Add Milbeaut serial control")
+Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
+Link: https://lore.kernel.org/r/20250403070339.64990-1-bsdhenrymartin@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/milbeaut_usio.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/milbeaut_usio.c b/drivers/tty/serial/milbeaut_usio.c
+index c15e0d84dc7e3..c604c21e7fa33 100644
+--- a/drivers/tty/serial/milbeaut_usio.c
++++ b/drivers/tty/serial/milbeaut_usio.c
+@@ -524,7 +524,10 @@ static int mlb_usio_probe(struct platform_device *pdev)
+ }
+ port->membase = devm_ioremap(&pdev->dev, res->start,
+ resource_size(res));
+-
++ if (!port->membase) {
++ ret = -ENOMEM;
++ goto failed;
++ }
+ ret = platform_get_irq_byname(pdev, "rx");
+ mlb_usio_irq[index][RX] = ret;
+
+--
+2.39.5
+
bluetooth-hci_qca-move-the-soc-type-check-to-the-right-place.patch
usb-usbtmc-fix-timeout-value-in-get_stb.patch
thunderbolt-do-not-double-dequeue-a-configuration-request.patch
+gfs2-gfs2_create_inode-error-handling-fix.patch
+perf-core-fix-broken-throttling-when-max_samples_per.patch
+crypto-sun8i-ce-cipher-fix-error-handling-in-sun8i_c.patch
+crypto-sun8i-ss-do-not-use-sg_dma_len-before-calling.patch
+powerpc-crash-fix-non-smp-kexec-preparation.patch
+x86-cpu-sanitize-cpuid-0x80000000-output.patch
+crypto-marvell-cesa-handle-zero-length-skcipher-requ.patch
+crypto-marvell-cesa-avoid-empty-transfer-descriptor.patch
+crypto-lrw-only-add-ecb-if-it-is-not-already-there.patch
+crypto-xts-only-add-ecb-if-it-is-not-already-there.patch
+crypto-sun8i-ce-move-fallback-ahash_request-to-the-e.patch
+tools-nolibc-types.h-fix-mismatched-parenthesis-in-m.patch
+asoc-tas2764-enable-main-irqs.patch
+edac-skx_common-fix-general-protection-fault.patch
+tools-nolibc-fix-integer-overflow-in-i-64-toa_r-and.patch
+spi-tegra210-quad-fix-x1_x2_x4-encoding-and-support-.patch
+spi-tegra210-quad-remove-redundant-error-handling-co.patch
+spi-tegra210-quad-modify-chip-select-cs-deactivation.patch
+power-reset-at91-reset-optimize-at91_reset.patch
+pm-wakeup-delete-space-in-the-end-of-string-shown-by.patch
+x86-mtrr-check-if-fixed-range-mtrrs-exist-in-mtrr_sa.patch
+acpi-osi-stop-advertising-support-for-3.0-_scp-exten.patch
+spi-sh-msiof-fix-maximum-dma-transfer-size.patch
+asoc-apple-mca-constrain-channels-according-to-tdm-m.patch
+drm-vmwgfx-add-seqno-waiter-for-sync_files.patch
+drm-amd-pp-fix-potential-null-pointer-dereference-in.patch
+media-rkvdec-fix-frame-size-enumeration.patch
+arm64-fpsimd-discard-stale-cpu-state-when-handling-s.patch
+arm64-fpsimd-fix-merging-of-fpsimd-state-during-sign.patch
+drm-bridge-lt9611uxc-fix-an-error-handling-path-in-l.patch
+fs-ntfs3-handle-hdr_first_de-return-value.patch
+watchdog-exar-shorten-identity-name-to-fit-correctly.patch
+m68k-mac-fix-macintosh_config-for-mac-ii.patch
+firmware-psci-fix-refcount-leak-in-psci_dt_init.patch
+arm64-support-arm64_va_bits-52-when-setting-arch_mma.patch
+selftests-seccomp-fix-syscall_restart-test-for-arm-c.patch
+drm-rcar-du-fix-memory-leak-in-rcar_du_vsps_init.patch
+drm-vkms-adjust-vkms_state-active_planes-allocation-.patch
+drm-tegra-rgb-fix-the-unbound-reference-count.patch
+firmware-sdei-allow-sdei-initialization-without-acpi.patch
+scsi-qedf-use-designated-initializer-for-struct-qed_.patch
+wifi-ath11k-fix-node-corruption-in-ar-arvifs-list.patch
+ib-cm-use-rwlock-for-mad-agent-lock.patch
+bpf-fix-ktls-panic-with-sockmap.patch
+bpf-sockmap-fix-duplicated-data-transmission.patch
+bpf-sockmap-fix-panic-when-calling-skb_linearize.patch
+f2fs-fix-to-do-sanity-check-on-sbi-total_valid_block.patch
+net-ncsi-fix-gcps-64-bit-member-variables.patch
+libbpf-fix-buffer-overflow-in-bpf_object__init_prog.patch
+wifi-rtw88-do-not-ignore-hardware-read-error-during-.patch
+rdma-hns-include-hnae3.h-in-hns_roce_hw_v2.h.patch
+scsi-hisi_sas-call-i_t_nexus-after-soft-reset-for-sa.patch
+iommu-protect-against-overflow-in-iommu_pgsize.patch
+f2fs-clean-up-w-fscrypt_is_bounce_page.patch
+f2fs-fix-to-detect-gcing-page-in-f2fs_is_cp_guarante.patch
+libbpf-use-proper-errno-value-in-linker.patch
+netfilter-bridge-move-specific-fragmented-packet-to-.patch
+netfilter-nft_quota-match-correctly-when-the-quota-j.patch
+rdma-mlx5-fix-error-flow-upon-firmware-failure-for-r.patch
+bpf-fix-uninitialized-values-in-bpf_-core-probe-_rea.patch
+clk-qcom-dispcc-sm6350-add-_wait_val-values-for-gdsc.patch
+clk-qcom-gcc-sm6350-add-_wait_val-values-for-gdscs.patch
+clk-qcom-gpucc-sm6350-add-_wait_val-values-for-gdscs.patch
+clk-bcm-rpi-add-null-check-in-raspberrypi_clk_regist.patch
+efi-libstub-describe-missing-out-parameter-in-efi_lo.patch
+tracing-rename-event_trigger_alloc-to-trigger_data_a.patch
+tracing-fix-error-handling-in-event_trigger_parse.patch
+ktls-sockmap-fix-missing-uncharge-operation.patch
+libbpf-use-proper-errno-value-in-nlattr.patch
+pinctrl-at91-fix-possible-out-of-boundary-access.patch
+bpf-fix-warn-in-get_bpf_raw_tp_regs.patch
+clk-qcom-gcc-msm8939-fix-mclk0-mclk1-for-24-mhz.patch
+s390-bpf-store-backchain-even-for-leaf-progs.patch
+wifi-rtw88-fix-the-para-buffer-size-to-avoid-reading.patch
+iommu-remove-duplicate-selection-of-dmar_table.patch
+hisi_acc_vfio_pci-fix-xqe-dma-address-error.patch
+hisi_acc_vfio_pci-add-eq-and-aeq-interruption-restor.patch
+wifi-ath9k_htc-abort-software-beacon-handling-if-dis.patch
+kernfs-relax-constraint-in-draining-guard.patch
+netfilter-nf_tables-nft_fib_ipv6-fix-vrf-ipv4-ipv6-r.patch
+vfio-type1-fix-error-unwind-in-migration-dirty-bitma.patch
+bluetooth-mgmt-iterate-over-mesh-commands-in-mgmt_me.patch
+bpf-sockmap-avoid-using-sk_socket-after-free-when-se.patch
+netfilter-nft_tunnel-fix-geneve_opt-dump.patch
+net-usb-aqc111-fix-error-handling-of-usbnet-read-cal.patch
+rdma-cma-fix-hang-when-cma_netevent_callback-fails-t.patch
+bpf-avoid-__bpf_prog_ret0_warn-when-jit-fails.patch
+net-lan743x-rename-lan743x_reset_phy-to-lan743x_hw_r.patch
+net-phy-mscc-fix-memory-leak-when-using-one-step-tim.patch
+calipso-don-t-call-calipso-functions-for-af_inet-sk.patch
+net-openvswitch-fix-the-dead-loop-of-mpls-parse.patch
+net-phy-mscc-stop-clearing-the-the-udpv4-checksum-fo.patch
+f2fs-use-d_inode-dentry-cleanup-dentry-d_inode.patch
+f2fs-fix-to-correct-check-conditions-in-f2fs_cross_r.patch
+arm64-dts-qcom-sm8250-fix-cpu7-opp-table.patch
+arm-dts-at91-usb_a9263-fix-gpio-for-dataflash-chip-s.patch
+arm-dts-at91-at91sam9263-fix-nand-chip-selects.patch
+arm64-dts-mediatek-mt8195-reparent-vdec1-2-and-venc1.patch
+arm64-dts-qcom-sdm660-xiaomi-lavender-add-missing-sd.patch
+arm64-dts-imx8mm-beacon-fix-rtc-capacitive-load.patch
+arm64-dts-imx8mn-beacon-fix-rtc-capacitive-load.patch
+arm64-dts-mt6359-add-missing-compatible-property-to-.patch
+arm64-dts-qcom-sdm660-lavender-add-missing-usb-phy-s.patch
+arm64-dts-qcom-sda660-ifc6560-fix-dt-validate-warnin.patch
+squashfs-check-return-result-of-sb_min_blocksize.patch
+ocfs2-fix-possible-memory-leak-in-ocfs2_finish_quota.patch
+nilfs2-add-pointer-check-for-nilfs_direct_propagate.patch
+nilfs2-do-not-propagate-enoent-error-from-nilfs_btre.patch
+bus-fsl-mc-fix-double-free-on-mc_dev.patch
+dt-bindings-vendor-prefixes-add-liontron-name.patch
+arm-dts-qcom-apq8064-merge-hw-splinlock-into-corresp.patch
+arm64-defconfig-mediatek-enable-phy-drivers.patch
+arm64-dts-rockchip-disable-unrouted-usb-controllers-.patch
+arm64-dts-mt6359-rename-rtc-node-to-match-binding-ex.patch
+arm-aspeed-don-t-select-sram.patch
+soc-aspeed-lpc-fix-impossible-judgment-condition.patch
+soc-aspeed-add-null-check-in-aspeed_lpc_enable_snoop.patch
+fbdev-core-fbcvt-avoid-division-by-0-in-fb_cvt_hperi.patch
+randstruct-gcc-plugin-remove-bogus-void-member.patch
+randstruct-gcc-plugin-fix-attribute-addition.patch
+perf-build-warn-when-libdebuginfod-devel-files-are-n.patch
+perf-ui-browser-hists-set-actions-thread-before-call.patch
+dm-don-t-change-md-if-dm_table_set_restrictions-fail.patch
+dm-free-table-mempools-if-not-used-in-__bind.patch
+backlight-pm8941-add-null-check-in-wled_configure.patch
+mtd-nand-ecc-mxic-fix-use-of-uninitialized-variable-.patch
+hwmon-asus-ec-sensors-check-sensor-index-in-read_str.patch
+perf-intel-pt-fix-pebs-via-pt-data_src.patch
+perf-scripts-python-exported-sql-viewer.py-fix-patte.patch
+remoteproc-qcom_wcnss_iris-add-missing-put_device-on.patch
+remoteproc-k3-r5-drop-check-performed-in-k3_r5_rproc.patch
+rpmsg-qcom_smd-fix-uninitialized-return-variable-in-.patch
+mfd-exynos-lpass-avoid-calling-exynos_lpass_disable-.patch
+mfd-stmpe-spi-correct-the-name-used-in-module_device.patch
+perf-tests-switch-tracking-fix-timestamp-comparison.patch
+perf-record-fix-incorrect-user-regs-comments.patch
+nfs-clear-sb_rdonly-before-getting-superblock.patch
+nfs-ignore-sb_rdonly-when-remounting-nfs.patch
+rtc-sh-assign-correct-interrupts-with-dt.patch
+pci-cadence-fix-runtime-atomic-count-underflow.patch
+pci-apple-use-gpiod_set_value_cansleep-in-probe-flow.patch
+pci-explicitly-put-devices-into-d0-when-initializing.patch
+phy-qcom-qmp-usb-fix-an-null-vs-is_err-bug.patch
+dmaengine-ti-add-null-check-in-udma_probe.patch
+pci-dpc-initialize-aer_err_info-before-using-it.patch
+usb-renesas_usbhs-reorder-clock-handling-and-power-m.patch
+serial-fix-potential-null-ptr-deref-in-mlb_usio_prob.patch
+iio-filter-admv8818-fix-band-4-state-15.patch
+iio-filter-admv8818-fix-integer-overflow.patch
+iio-filter-admv8818-fix-range-calculation.patch
+iio-filter-admv8818-support-frequencies-2-32.patch
+iio-adc-ad7124-fix-3db-filter-frequency-reading.patch
+mips-loongson64-add-missing-interrupt-cells-for-loon.patch
+counter-interrupt-cnt-protect-enable-disable-ops-wit.patch
+coresight-prevent-deactivate-active-config-while-ena.patch
+vt-remove-vt_resize-and-vt_resizex-from-vt_compat_io.patch
+net-stmmac-platform-guarantee-uniqueness-of-bus_id.patch
+gve-fix-rx_buffers_posted-stat-to-report-per-queue-f.patch
+net-tipc-fix-refcount-warning-in-tipc_aead_encrypt.patch
+driver-net-ethernet-mtk_star_emac-fix-suspend-resume.patch
+net-mlx4_en-prevent-potential-integer-overflow-calcu.patch
+net-lan966x-make-sure-to-insert-the-vlan-tags-also-i.patch
+spi-bcm63xx-spi-fix-shared-reset.patch
+spi-bcm63xx-hsspi-fix-shared-reset.patch
+bluetooth-l2cap-fix-not-responding-with-l2cap_cr_le_.patch
+ice-create-new-tx-scheduler-nodes-for-new-queues-onl.patch
+ice-fix-rebuilding-the-tx-scheduler-tree-for-large-q.patch
+net-dsa-tag_brcm-legacy-fix-pskb_may_pull-length.patch
+net-stmmac-make-sure-that-ptp_rate-is-not-0-before-c.patch
+net-fix-checksum-update-for-ila-adj-transport.patch
+net-fix-udp-gso-skb_segment-after-pull-from-frag_lis.patch
+vmxnet3-correctly-report-gso-type-for-udp-tunnels.patch
+pm-sleep-fix-power.is_suspended-cleanup-for-direct-c.patch
+gve-add-missing-null-check-for-gve_alloc_pending_pac.patch
+netfilter-nf_set_pipapo_avx2-fix-initial-map-fill.patch
+wireguard-device-enable-threaded-napi.patch
+seg6-fix-validation-of-nexthop-addresses.patch
+asoc-codecs-hda-fix-rpm-usage-count-underflow.patch
+asoc-intel-avs-fix-deadlock-when-the-failing-ipc-is-.patch
+fix-propagation-graph-breakage-by-move_mount_set_gro.patch
+do_change_type-refuse-to-operate-on-unmounted-not-ou.patch
--- /dev/null
+From 254c575986f27ac5e25fbbeab00511aada06b57d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 May 2025 16:00:44 +0930
+Subject: soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop()
+
+From: Henry Martin <bsdhenrymartin@gmail.com>
+
+[ Upstream commit f1706e0e1a74b095cbc60375b9b1e6205f5f4c98 ]
+
+devm_kasprintf() returns NULL when memory allocation fails. Currently,
+aspeed_lpc_enable_snoop() does not check for this case, which results in a
+NULL pointer dereference.
+
+Add NULL check after devm_kasprintf() to prevent this issue.
+
+Fixes: 3772e5da4454 ("drivers/misc: Aspeed LPC snoop output using misc chardev")
+Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
+Link: https://patch.msgid.link/20250401074647.21300-1-bsdhenrymartin@gmail.com
+[arj: Fix Fixes: tag to use subject from 3772e5da4454]
+Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/aspeed/aspeed-lpc-snoop.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/soc/aspeed/aspeed-lpc-snoop.c b/drivers/soc/aspeed/aspeed-lpc-snoop.c
+index d9bdc2e084086..22619b853f449 100644
+--- a/drivers/soc/aspeed/aspeed-lpc-snoop.c
++++ b/drivers/soc/aspeed/aspeed-lpc-snoop.c
+@@ -201,11 +201,15 @@ static int aspeed_lpc_enable_snoop(struct aspeed_lpc_snoop *lpc_snoop,
+ lpc_snoop->chan[channel].miscdev.minor = MISC_DYNAMIC_MINOR;
+ lpc_snoop->chan[channel].miscdev.name =
+ devm_kasprintf(dev, GFP_KERNEL, "%s%d", DEVICE_NAME, channel);
++ if (!lpc_snoop->chan[channel].miscdev.name) {
++ rc = -ENOMEM;
++ goto err_free_fifo;
++ }
+ lpc_snoop->chan[channel].miscdev.fops = &snoop_fops;
+ lpc_snoop->chan[channel].miscdev.parent = dev;
+ rc = misc_register(&lpc_snoop->chan[channel].miscdev);
+ if (rc)
+- return rc;
++ goto err_free_fifo;
+
+ /* Enable LPC snoop channel at requested port */
+ switch (channel) {
+@@ -222,7 +226,8 @@ static int aspeed_lpc_enable_snoop(struct aspeed_lpc_snoop *lpc_snoop,
+ hicrb_en = HICRB_ENSNP1D;
+ break;
+ default:
+- return -EINVAL;
++ rc = -EINVAL;
++ goto err_misc_deregister;
+ }
+
+ regmap_update_bits(lpc_snoop->regmap, HICR5, hicr5_en, hicr5_en);
+@@ -232,6 +237,12 @@ static int aspeed_lpc_enable_snoop(struct aspeed_lpc_snoop *lpc_snoop,
+ regmap_update_bits(lpc_snoop->regmap, HICRB,
+ hicrb_en, hicrb_en);
+
++ return 0;
++
++err_misc_deregister:
++ misc_deregister(&lpc_snoop->chan[channel].miscdev);
++err_free_fifo:
++ kfifo_free(&lpc_snoop->chan[channel].fifo);
+ return rc;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 072b30af5835a85a645c18d77e11cb121f60efda Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 May 2025 16:00:43 +0930
+Subject: soc: aspeed: lpc: Fix impossible judgment condition
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Su Hui <suhui@nfschina.com>
+
+[ Upstream commit d9f0a97e859bdcef51f9c187b1eb712eb13fd3ff ]
+
+smatch error:
+drivers/soc/aspeed/aspeed-lpc-snoop.c:169
+aspeed_lpc_snoop_config_irq() warn: platform_get_irq() does not return zero
+
+platform_get_irq() return non-zero IRQ number or negative error code,
+change '!lpc_snoop->irq' to 'lpc_snoop->irq < 0' to fix this.
+
+Fixes: 9f4f9ae81d0a ("drivers/misc: add Aspeed LPC snoop driver")
+Signed-off-by: Su Hui <suhui@nfschina.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/r/20231027020703.1231875-1-suhui@nfschina.com
+Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/aspeed/aspeed-lpc-snoop.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/soc/aspeed/aspeed-lpc-snoop.c b/drivers/soc/aspeed/aspeed-lpc-snoop.c
+index eceeaf8dfbeba..d9bdc2e084086 100644
+--- a/drivers/soc/aspeed/aspeed-lpc-snoop.c
++++ b/drivers/soc/aspeed/aspeed-lpc-snoop.c
+@@ -167,7 +167,7 @@ static int aspeed_lpc_snoop_config_irq(struct aspeed_lpc_snoop *lpc_snoop,
+ int rc;
+
+ lpc_snoop->irq = platform_get_irq(pdev, 0);
+- if (!lpc_snoop->irq)
++ if (lpc_snoop->irq < 0)
+ return -ENODEV;
+
+ rc = devm_request_irq(dev, lpc_snoop->irq,
+--
+2.39.5
+
--- /dev/null
+From 0a426938f3d19932eb3f5732a70d1b8c231c2892 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 May 2025 15:09:15 +0200
+Subject: spi: bcm63xx-hsspi: fix shared reset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Álvaro Fernández Rojas <noltari@gmail.com>
+
+[ Upstream commit 3d6d84c8f2f66d3fd6a43a1e2ce8e6b54c573960 ]
+
+Some bmips SoCs (bcm6362, bcm63268) share the same SPI reset for both SPI
+and HSSPI controllers, so reset shouldn't be exclusive.
+
+Fixes: 0eeadddbf09a ("spi: bcm63xx-hsspi: add reset support")
+Reported-by: Jonas Gorski <jonas.gorski@gmail.com>
+Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://patch.msgid.link/20250529130915.2519590-3-noltari@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-bcm63xx-hsspi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-bcm63xx-hsspi.c b/drivers/spi/spi-bcm63xx-hsspi.c
+index 02f56fc001b47..7d8e5c66f6d17 100644
+--- a/drivers/spi/spi-bcm63xx-hsspi.c
++++ b/drivers/spi/spi-bcm63xx-hsspi.c
+@@ -357,7 +357,7 @@ static int bcm63xx_hsspi_probe(struct platform_device *pdev)
+ if (IS_ERR(clk))
+ return PTR_ERR(clk);
+
+- reset = devm_reset_control_get_optional_exclusive(dev, NULL);
++ reset = devm_reset_control_get_optional_shared(dev, NULL);
+ if (IS_ERR(reset))
+ return PTR_ERR(reset);
+
+--
+2.39.5
+
--- /dev/null
+From ac2ae8f581858361d3027d6e49712f0b552867e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 May 2025 15:09:14 +0200
+Subject: spi: bcm63xx-spi: fix shared reset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Álvaro Fernández Rojas <noltari@gmail.com>
+
+[ Upstream commit 5ad20e3d8cfe3b2e42bbddc7e0ebaa74479bb589 ]
+
+Some bmips SoCs (bcm6362, bcm63268) share the same SPI reset for both SPI
+and HSSPI controllers, so reset shouldn't be exclusive.
+
+Fixes: 38807adeaf1e ("spi: bcm63xx-spi: add reset support")
+Reported-by: Jonas Gorski <jonas.gorski@gmail.com>
+Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://patch.msgid.link/20250529130915.2519590-2-noltari@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-bcm63xx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-bcm63xx.c b/drivers/spi/spi-bcm63xx.c
+index 695ac74571286..2f2a130464651 100644
+--- a/drivers/spi/spi-bcm63xx.c
++++ b/drivers/spi/spi-bcm63xx.c
+@@ -533,7 +533,7 @@ static int bcm63xx_spi_probe(struct platform_device *pdev)
+ return PTR_ERR(clk);
+ }
+
+- reset = devm_reset_control_get_optional_exclusive(dev, NULL);
++ reset = devm_reset_control_get_optional_shared(dev, NULL);
+ if (IS_ERR(reset))
+ return PTR_ERR(reset);
+
+--
+2.39.5
+
--- /dev/null
+From a7e5996353c3ce56f5d9f2351dbeee0940364cda Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 May 2025 15:32:06 +0200
+Subject: spi: sh-msiof: Fix maximum DMA transfer size
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 0941d5166629cb766000530945e54b4e49680c68 ]
+
+The maximum amount of data to transfer in a single DMA request is
+calculated from the FIFO sizes (which is technically not 100% correct,
+but a simplification, as it is limited by the maximum word count values
+in the Transmit and Control Data Registers). However, in case there is
+both data to transmit and to receive, the transmit limit is overwritten
+by the receive limit.
+
+Fix this by using the minimum applicable FIFO size instead. Move the
+calculation outside the loop, so it is not repeated for each individual
+DMA transfer.
+
+As currently tx_fifo_size is always equal to rx_fifo_size, this bug had
+no real impact.
+
+Fixes: fe78d0b7691c0274 ("spi: sh-msiof: Fix FIFO size to 64 word from 256 word")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://patch.msgid.link/d9961767a97758b2614f2ee8afe1bd56dc900a60.1747401908.git.geert+renesas@glider.be
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-sh-msiof.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/spi/spi-sh-msiof.c b/drivers/spi/spi-sh-msiof.c
+index ec3a4939ee984..374697b2d6061 100644
+--- a/drivers/spi/spi-sh-msiof.c
++++ b/drivers/spi/spi-sh-msiof.c
+@@ -919,6 +919,7 @@ static int sh_msiof_transfer_one(struct spi_controller *ctlr,
+ void *rx_buf = t->rx_buf;
+ unsigned int len = t->len;
+ unsigned int bits = t->bits_per_word;
++ unsigned int max_wdlen = 256;
+ unsigned int bytes_per_word;
+ unsigned int words;
+ int n;
+@@ -932,17 +933,17 @@ static int sh_msiof_transfer_one(struct spi_controller *ctlr,
+ if (!spi_controller_is_slave(p->ctlr))
+ sh_msiof_spi_set_clk_regs(p, t);
+
++ if (tx_buf)
++ max_wdlen = min(max_wdlen, p->tx_fifo_size);
++ if (rx_buf)
++ max_wdlen = min(max_wdlen, p->rx_fifo_size);
++
+ while (ctlr->dma_tx && len > 15) {
+ /*
+ * DMA supports 32-bit words only, hence pack 8-bit and 16-bit
+ * words, with byte resp. word swapping.
+ */
+- unsigned int l = 0;
+-
+- if (tx_buf)
+- l = min(round_down(len, 4), p->tx_fifo_size * 4);
+- if (rx_buf)
+- l = min(round_down(len, 4), p->rx_fifo_size * 4);
++ unsigned int l = min(round_down(len, 4), max_wdlen * 4);
+
+ if (bits <= 8) {
+ copy32 = copy_bswap32;
+--
+2.39.5
+
--- /dev/null
+From 8b80135d2804e5a0680dae0e9cd781cf78401e0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Apr 2025 11:06:01 +0000
+Subject: spi: tegra210-quad: Fix X1_X2_X4 encoding and support x4 transfers
+
+From: Vishwaroop A <va@nvidia.com>
+
+[ Upstream commit dcb06c638a1174008a985849fa30fc0da7d08904 ]
+
+This patch corrects the QSPI_COMMAND_X1_X2_X4 and QSPI_ADDRESS_X1_X2_X4
+macros to properly encode the bus width for x1, x2, and x4 transfers.
+Although these macros were previously incorrect, they were not being
+used in the driver, so no functionality was affected.
+
+The patch updates tegra_qspi_cmd_config() and tegra_qspi_addr_config()
+function calls to use the actual bus width from the transfer, instead of
+hardcoding it to 0 (which implied x1 mode). This change enables proper
+support for x1, x2, and x4 data transfers by correctly configuring the
+interface width for commands and addresses.
+
+These modifications improve the QSPI driver's flexibility and prepare it
+for future use cases that may require different bus widths for commands
+and addresses.
+
+Fixes: 1b8342cc4a38 ("spi: tegra210-quad: combined sequence mode")
+Signed-off-by: Vishwaroop A <va@nvidia.com>
+Link: https://patch.msgid.link/20250416110606.2737315-2-va@nvidia.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-tegra210-quad.c | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/spi/spi-tegra210-quad.c b/drivers/spi/spi-tegra210-quad.c
+index 442d42130ec87..b84dc830c4333 100644
+--- a/drivers/spi/spi-tegra210-quad.c
++++ b/drivers/spi/spi-tegra210-quad.c
+@@ -135,7 +135,7 @@
+ #define QSPI_COMMAND_VALUE_SET(X) (((x) & 0xFF) << 0)
+
+ #define QSPI_CMB_SEQ_CMD_CFG 0x1a0
+-#define QSPI_COMMAND_X1_X2_X4(x) (((x) & 0x3) << 13)
++#define QSPI_COMMAND_X1_X2_X4(x) ((((x) >> 1) & 0x3) << 13)
+ #define QSPI_COMMAND_X1_X2_X4_MASK (0x03 << 13)
+ #define QSPI_COMMAND_SDR_DDR BIT(12)
+ #define QSPI_COMMAND_SIZE_SET(x) (((x) & 0xFF) << 0)
+@@ -147,7 +147,7 @@
+ #define QSPI_ADDRESS_VALUE_SET(X) (((x) & 0xFFFF) << 0)
+
+ #define QSPI_CMB_SEQ_ADDR_CFG 0x1ac
+-#define QSPI_ADDRESS_X1_X2_X4(x) (((x) & 0x3) << 13)
++#define QSPI_ADDRESS_X1_X2_X4(x) ((((x) >> 1) & 0x3) << 13)
+ #define QSPI_ADDRESS_X1_X2_X4_MASK (0x03 << 13)
+ #define QSPI_ADDRESS_SDR_DDR BIT(12)
+ #define QSPI_ADDRESS_SIZE_SET(x) (((x) & 0xFF) << 0)
+@@ -1035,10 +1035,6 @@ static u32 tegra_qspi_addr_config(bool is_ddr, u8 bus_width, u8 len)
+ {
+ u32 addr_config = 0;
+
+- /* Extract Address configuration and value */
+- is_ddr = 0; //Only SDR mode supported
+- bus_width = 0; //X1 mode
+-
+ if (is_ddr)
+ addr_config |= QSPI_ADDRESS_SDR_DDR;
+ else
+@@ -1072,13 +1068,13 @@ static int tegra_qspi_combined_seq_xfer(struct tegra_qspi *tqspi,
+ switch (transfer_phase) {
+ case CMD_TRANSFER:
+ /* X1 SDR mode */
+- cmd_config = tegra_qspi_cmd_config(false, 0,
++ cmd_config = tegra_qspi_cmd_config(false, xfer->tx_nbits,
+ xfer->len);
+ cmd_value = *((const u8 *)(xfer->tx_buf));
+ break;
+ case ADDR_TRANSFER:
+ /* X1 SDR mode */
+- addr_config = tegra_qspi_addr_config(false, 0,
++ addr_config = tegra_qspi_addr_config(false, xfer->tx_nbits,
+ xfer->len);
+ address_value = *((const u32 *)(xfer->tx_buf));
+ break;
+--
+2.39.5
+
--- /dev/null
+From bea255193e6e93cf7e7162fc9aa191c5740250d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Apr 2025 11:06:03 +0000
+Subject: spi: tegra210-quad: modify chip select (CS) deactivation
+
+From: Vishwaroop A <va@nvidia.com>
+
+[ Upstream commit d8966b65413390d1b5b706886987caac05fbe024 ]
+
+Modify the chip select (CS) deactivation and inter-transfer delay
+execution only during the DATA_TRANSFER phase when the cs_change
+flag is not set. This ensures proper CS handling and timing between
+transfers while eliminating redundant operations.
+
+Fixes: 1b8342cc4a38 ("spi: tegra210-quad: combined sequence mode")
+Signed-off-by: Vishwaroop A <va@nvidia.com>
+Link: https://patch.msgid.link/20250416110606.2737315-4-va@nvidia.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-tegra210-quad.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/spi/spi-tegra210-quad.c b/drivers/spi/spi-tegra210-quad.c
+index d09e0b9ac18c4..f2a4743efcb47 100644
+--- a/drivers/spi/spi-tegra210-quad.c
++++ b/drivers/spi/spi-tegra210-quad.c
+@@ -1152,16 +1152,16 @@ static int tegra_qspi_combined_seq_xfer(struct tegra_qspi *tqspi,
+ ret = -EIO;
+ goto exit;
+ }
+- if (!xfer->cs_change) {
+- tegra_qspi_transfer_end(spi);
+- spi_transfer_delay_exec(xfer);
+- }
+ break;
+ default:
+ ret = -EINVAL;
+ goto exit;
+ }
+ msg->actual_length += xfer->len;
++ if (!xfer->cs_change && transfer_phase == DATA_TRANSFER) {
++ tegra_qspi_transfer_end(spi);
++ spi_transfer_delay_exec(xfer);
++ }
+ transfer_phase++;
+ }
+ ret = 0;
+--
+2.39.5
+
--- /dev/null
+From 025d70ae3f8f78a5d2813e6dcefd964b1a0c8c30 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Apr 2025 11:06:02 +0000
+Subject: spi: tegra210-quad: remove redundant error handling code
+
+From: Vishwaroop A <va@nvidia.com>
+
+[ Upstream commit 400d9f1a27cc2fceabdb1ed93eaf0b89b6d32ba5 ]
+
+Remove unnecessary error handling code that terminated transfers and
+executed delay on errors. This code was redundant as error handling is
+already done at a higher level in the SPI core.
+
+Fixes: 1b8342cc4a38 ("spi: tegra210-quad: combined sequence mode")
+Signed-off-by: Vishwaroop A <va@nvidia.com>
+Link: https://patch.msgid.link/20250416110606.2737315-3-va@nvidia.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-tegra210-quad.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/spi/spi-tegra210-quad.c b/drivers/spi/spi-tegra210-quad.c
+index b84dc830c4333..d09e0b9ac18c4 100644
+--- a/drivers/spi/spi-tegra210-quad.c
++++ b/drivers/spi/spi-tegra210-quad.c
+@@ -1168,10 +1168,6 @@ static int tegra_qspi_combined_seq_xfer(struct tegra_qspi *tqspi,
+
+ exit:
+ msg->status = ret;
+- if (ret < 0) {
+- tegra_qspi_transfer_end(spi);
+- spi_transfer_delay_exec(xfer);
+- }
+
+ return ret;
+ }
+--
+2.39.5
+
--- /dev/null
+From 86b67752a4a4b742e6fbaf1a76e667abd8059d6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Apr 2025 03:47:47 +0100
+Subject: Squashfs: check return result of sb_min_blocksize
+
+From: Phillip Lougher <phillip@squashfs.org.uk>
+
+[ Upstream commit 734aa85390ea693bb7eaf2240623d41b03705c84 ]
+
+Syzkaller reports an "UBSAN: shift-out-of-bounds in squashfs_bio_read" bug.
+
+Syzkaller forks multiple processes which after mounting the Squashfs
+filesystem, issues an ioctl("/dev/loop0", LOOP_SET_BLOCK_SIZE, 0x8000).
+Now if this ioctl occurs at the same time another process is in the
+process of mounting a Squashfs filesystem on /dev/loop0, the failure
+occurs. When this happens the following code in squashfs_fill_super()
+fails.
+
+----
+msblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE);
+msblk->devblksize_log2 = ffz(~msblk->devblksize);
+----
+
+sb_min_blocksize() returns 0, which means msblk->devblksize is set to 0.
+
+As a result, ffz(~msblk->devblksize) returns 64, and msblk->devblksize_log2
+is set to 64.
+
+This subsequently causes the
+
+UBSAN: shift-out-of-bounds in fs/squashfs/block.c:195:36
+shift exponent 64 is too large for 64-bit type 'u64' (aka
+'unsigned long long')
+
+This commit adds a check for a 0 return by sb_min_blocksize().
+
+Link: https://lkml.kernel.org/r/20250409024747.876480-1-phillip@squashfs.org.uk
+Fixes: 0aa666190509 ("Squashfs: super block operations")
+Reported-by: syzbot+65761fc25a137b9c8c6e@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/67f0dd7a.050a0220.0a13.0230.GAE@google.com/
+Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/squashfs/super.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/fs/squashfs/super.c b/fs/squashfs/super.c
+index 32565dafa7f3b..37579c07f6fde 100644
+--- a/fs/squashfs/super.c
++++ b/fs/squashfs/super.c
+@@ -137,6 +137,11 @@ static int squashfs_fill_super(struct super_block *sb, struct fs_context *fc)
+ msblk->panic_on_errors = (opts->errors == Opt_errors_panic);
+
+ msblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE);
++ if (!msblk->devblksize) {
++ errorf(fc, "squashfs: unable to set blocksize\n");
++ return -EINVAL;
++ }
++
+ msblk->devblksize_log2 = ffz(~msblk->devblksize);
+
+ mutex_init(&msblk->meta_index_mutex);
+--
+2.39.5
+
--- /dev/null
+From 5ad3e4c516aec9ef9a33a5d9ef804102a667a473 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Apr 2025 12:46:22 +0200
+Subject: tools/nolibc: fix integer overflow in i{64,}toa_r() and
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <linux@weissschuh.net>
+
+[ Upstream commit 4d231a7df1a85c7572b67a4666cb73adb977fbf6 ]
+
+In twos complement the most negative number can not be negated.
+
+Fixes: b1c21e7d99cd ("tools/nolibc/stdlib: add i64toa() and u64toa()")
+Fixes: 66c397c4d2e1 ("tools/nolibc/stdlib: replace the ltoa() function with more efficient ones")
+Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
+Acked-by: Willy Tarreau <w@1wt.eu>
+Link: https://lore.kernel.org/r/20250419-nolibc-ubsan-v2-5-060b8a016917@weissschuh.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/include/nolibc/stdlib.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/include/nolibc/stdlib.h b/tools/include/nolibc/stdlib.h
+index c0c3854b3f35b..cbed8a12d99e9 100644
+--- a/tools/include/nolibc/stdlib.h
++++ b/tools/include/nolibc/stdlib.h
+@@ -255,7 +255,7 @@ int itoa_r(long in, char *buffer)
+ int len = 0;
+
+ if (in < 0) {
+- in = -in;
++ in = -(unsigned long)in;
+ *(ptr++) = '-';
+ len++;
+ }
+@@ -391,7 +391,7 @@ int i64toa_r(int64_t in, char *buffer)
+ int len = 0;
+
+ if (in < 0) {
+- in = -in;
++ in = -(uint64_t)in;
+ *(ptr++) = '-';
+ len++;
+ }
+--
+2.39.5
+
--- /dev/null
+From cc506448cb52cfc994a0a184b6540a4890b06ee7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Apr 2025 15:36:24 +0800
+Subject: tools/nolibc/types.h: fix mismatched parenthesis in minor()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jemmy Wong <jemmywong512@gmail.com>
+
+[ Upstream commit 9c138ac9392228835b520fd4dbb07e636b34a867 ]
+
+Fix an imbalance where opening parentheses exceed closing ones.
+
+Fixes: eba6d00d38e7c ("tools/nolibc/types: move makedev to types.h and make it a macro")
+Signed-off-by: Jemmy Wong <jemmywong512@gmail.com>
+Acked-by: Willy Tarreau <w@1wt.eu>
+Link: https://lore.kernel.org/r/20250411073624.22153-1-jemmywong512@gmail.com
+Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/include/nolibc/types.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/include/nolibc/types.h b/tools/include/nolibc/types.h
+index fbbc0e68c001b..598d1ef811859 100644
+--- a/tools/include/nolibc/types.h
++++ b/tools/include/nolibc/types.h
+@@ -196,7 +196,7 @@ struct stat {
+ /* WARNING, it only deals with the 4096 first majors and 256 first minors */
+ #define makedev(major, minor) ((dev_t)((((major) & 0xfff) << 8) | ((minor) & 0xff)))
+ #define major(dev) ((unsigned int)(((dev) >> 8) & 0xfff))
+-#define minor(dev) ((unsigned int)(((dev) & 0xff))
++#define minor(dev) ((unsigned int)((dev) & 0xff))
+
+ #ifndef offsetof
+ #define offsetof(TYPE, FIELD) ((size_t) &((TYPE *)0)->FIELD)
+--
+2.39.5
+
--- /dev/null
+From 9c464a08281caabc410174ef9ca3cc762ba0a133 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 May 2025 10:53:07 -0400
+Subject: tracing: Fix error handling in event_trigger_parse()
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit c5dd28e7fb4f63475b50df4f58311df92939d011 ]
+
+According to trigger_data_alloc() doc, trigger_data_free() should be
+used to free an event_trigger_data object. This fixes a mismatch introduced
+when kzalloc was replaced with trigger_data_alloc without updating
+the corresponding deallocation calls.
+
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: Tom Zanussi <zanussi@kernel.org>
+Link: https://lore.kernel.org/20250507145455.944453325@goodmis.org
+Link: https://lore.kernel.org/20250318112737.4174-1-linmq006@gmail.com
+Fixes: e1f187d09e11 ("tracing: Have existing event_command.parse() implementations use helpers")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+[ SDR: Changed event_trigger_alloc/free() to trigger_data_alloc/free() ]
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace_events_trigger.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/trace/trace_events_trigger.c b/kernel/trace/trace_events_trigger.c
+index 22bee3eae7cc3..782ccb2433bb4 100644
+--- a/kernel/trace/trace_events_trigger.c
++++ b/kernel/trace/trace_events_trigger.c
+@@ -998,7 +998,7 @@ event_trigger_parse(struct event_command *cmd_ops,
+
+ if (remove) {
+ event_trigger_unregister(cmd_ops, file, glob+1, trigger_data);
+- kfree(trigger_data);
++ trigger_data_free(trigger_data);
+ ret = 0;
+ goto out;
+ }
+@@ -1025,7 +1025,7 @@ event_trigger_parse(struct event_command *cmd_ops,
+
+ out_free:
+ event_trigger_reset_filter(cmd_ops, trigger_data);
+- kfree(trigger_data);
++ trigger_data_free(trigger_data);
+ goto out;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 35748b49c05bf05bdcaf31a8f8cc1525978a03fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 May 2025 10:53:06 -0400
+Subject: tracing: Rename event_trigger_alloc() to trigger_data_alloc()
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+[ Upstream commit f2947c4b7d0f235621c5daf78aecfbd6e22c05e5 ]
+
+The function event_trigger_alloc() creates an event_trigger_data
+descriptor and states that it needs to be freed via event_trigger_free().
+This is incorrect, it needs to be freed by trigger_data_free() as
+event_trigger_free() adds ref counting.
+
+Rename event_trigger_alloc() to trigger_data_alloc() and state that it
+needs to be freed via trigger_data_free(). This naming convention
+was introducing bugs.
+
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Tom Zanussi <zanussi@kernel.org>
+Link: https://lore.kernel.org/20250507145455.776436410@goodmis.org
+Fixes: 86599dbe2c527 ("tracing: Add helper functions to simplify event_command.parse() callback handling")
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace.h | 8 +++-----
+ kernel/trace/trace_events_hist.c | 2 +-
+ kernel/trace/trace_events_trigger.c | 16 ++++++++--------
+ 3 files changed, 12 insertions(+), 14 deletions(-)
+
+diff --git a/kernel/trace/trace.h b/kernel/trace/trace.h
+index 49b297ca7fc72..950782b0ab1cb 100644
+--- a/kernel/trace/trace.h
++++ b/kernel/trace/trace.h
+@@ -1586,6 +1586,9 @@ extern int event_enable_register_trigger(char *glob,
+ extern void event_enable_unregister_trigger(char *glob,
+ struct event_trigger_data *test,
+ struct trace_event_file *file);
++extern struct event_trigger_data *
++trigger_data_alloc(struct event_command *cmd_ops, char *cmd, char *param,
++ void *private_data);
+ extern void trigger_data_free(struct event_trigger_data *data);
+ extern int event_trigger_init(struct event_trigger_data *data);
+ extern int trace_event_trigger_enable_disable(struct trace_event_file *file,
+@@ -1612,11 +1615,6 @@ extern bool event_trigger_check_remove(const char *glob);
+ extern bool event_trigger_empty_param(const char *param);
+ extern int event_trigger_separate_filter(char *param_and_filter, char **param,
+ char **filter, bool param_required);
+-extern struct event_trigger_data *
+-event_trigger_alloc(struct event_command *cmd_ops,
+- char *cmd,
+- char *param,
+- void *private_data);
+ extern int event_trigger_parse_num(char *trigger,
+ struct event_trigger_data *trigger_data);
+ extern int event_trigger_set_filter(struct event_command *cmd_ops,
+diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c
+index a11392596a365..c53be68bcd111 100644
+--- a/kernel/trace/trace_events_hist.c
++++ b/kernel/trace/trace_events_hist.c
+@@ -6520,7 +6520,7 @@ static int event_hist_trigger_parse(struct event_command *cmd_ops,
+ return PTR_ERR(hist_data);
+ }
+
+- trigger_data = event_trigger_alloc(cmd_ops, cmd, param, hist_data);
++ trigger_data = trigger_data_alloc(cmd_ops, cmd, param, hist_data);
+ if (!trigger_data) {
+ ret = -ENOMEM;
+ goto out_free;
+diff --git a/kernel/trace/trace_events_trigger.c b/kernel/trace/trace_events_trigger.c
+index afdbad16d00a6..22bee3eae7cc3 100644
+--- a/kernel/trace/trace_events_trigger.c
++++ b/kernel/trace/trace_events_trigger.c
+@@ -807,7 +807,7 @@ int event_trigger_separate_filter(char *param_and_filter, char **param,
+ }
+
+ /**
+- * event_trigger_alloc - allocate and init event_trigger_data for a trigger
++ * trigger_data_alloc - allocate and init event_trigger_data for a trigger
+ * @cmd_ops: The event_command operations for the trigger
+ * @cmd: The cmd string
+ * @param: The param string
+@@ -818,14 +818,14 @@ int event_trigger_separate_filter(char *param_and_filter, char **param,
+ * trigger_ops to assign to the event_trigger_data. @private_data can
+ * also be passed in and associated with the event_trigger_data.
+ *
+- * Use event_trigger_free() to free an event_trigger_data object.
++ * Use trigger_data_free() to free an event_trigger_data object.
+ *
+ * Return: The trigger_data object success, NULL otherwise
+ */
+-struct event_trigger_data *event_trigger_alloc(struct event_command *cmd_ops,
+- char *cmd,
+- char *param,
+- void *private_data)
++struct event_trigger_data *trigger_data_alloc(struct event_command *cmd_ops,
++ char *cmd,
++ char *param,
++ void *private_data)
+ {
+ struct event_trigger_data *trigger_data;
+ struct event_trigger_ops *trigger_ops;
+@@ -992,7 +992,7 @@ event_trigger_parse(struct event_command *cmd_ops,
+ return ret;
+
+ ret = -ENOMEM;
+- trigger_data = event_trigger_alloc(cmd_ops, cmd, param, file);
++ trigger_data = trigger_data_alloc(cmd_ops, cmd, param, file);
+ if (!trigger_data)
+ goto out;
+
+@@ -1772,7 +1772,7 @@ int event_enable_trigger_parse(struct event_command *cmd_ops,
+ enable_data->enable = enable;
+ enable_data->file = event_enable_file;
+
+- trigger_data = event_trigger_alloc(cmd_ops, cmd, param, enable_data);
++ trigger_data = trigger_data_alloc(cmd_ops, cmd, param, enable_data);
+ if (!trigger_data) {
+ kfree(enable_data);
+ goto out;
+--
+2.39.5
+
--- /dev/null
+From 05f19bb4cf6873679ba8ad635cf8b371b23f821d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Apr 2025 11:50:02 +0100
+Subject: usb: renesas_usbhs: Reorder clock handling and power management in
+ probe
+
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+
+[ Upstream commit ffb34a60ce86656ba12d46e91f1ccc71dd221251 ]
+
+Reorder the initialization sequence in `usbhs_probe()` to enable runtime
+PM before accessing registers, preventing potential crashes due to
+uninitialized clocks.
+
+Currently, in the probe path, registers are accessed before enabling the
+clocks, leading to a synchronous external abort on the RZ/V2H SoC.
+The problematic call flow is as follows:
+
+ usbhs_probe()
+ usbhs_sys_clock_ctrl()
+ usbhs_bset()
+ usbhs_write()
+ iowrite16() <-- Register access before enabling clocks
+
+Since `iowrite16()` is performed without ensuring the required clocks are
+enabled, this can lead to access errors. To fix this, enable PM runtime
+early in the probe function and ensure clocks are acquired before register
+access, preventing crashes like the following on RZ/V2H:
+
+[13.272640] Internal error: synchronous external abort: 0000000096000010 [#1] PREEMPT SMP
+[13.280814] Modules linked in: cec renesas_usbhs(+) drm_kms_helper fuse drm backlight ipv6
+[13.289088] CPU: 1 UID: 0 PID: 195 Comm: (udev-worker) Not tainted 6.14.0-rc7+ #98
+[13.296640] Hardware name: Renesas RZ/V2H EVK Board based on r9a09g057h44 (DT)
+[13.303834] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[13.310770] pc : usbhs_bset+0x14/0x4c [renesas_usbhs]
+[13.315831] lr : usbhs_probe+0x2e4/0x5ac [renesas_usbhs]
+[13.321138] sp : ffff8000827e3850
+[13.324438] x29: ffff8000827e3860 x28: 0000000000000000 x27: ffff8000827e3ca0
+[13.331554] x26: ffff8000827e3ba0 x25: ffff800081729668 x24: 0000000000000025
+[13.338670] x23: ffff0000c0f08000 x22: 0000000000000000 x21: ffff0000c0f08010
+[13.345783] x20: 0000000000000000 x19: ffff0000c3b52080 x18: 00000000ffffffff
+[13.352895] x17: 0000000000000000 x16: 0000000000000000 x15: ffff8000827e36ce
+[13.360009] x14: 00000000000003d7 x13: 00000000000003d7 x12: 0000000000000000
+[13.367122] x11: 0000000000000000 x10: 0000000000000aa0 x9 : ffff8000827e3750
+[13.374235] x8 : ffff0000c1850b00 x7 : 0000000003826060 x6 : 000000000000001c
+[13.381347] x5 : 000000030d5fcc00 x4 : ffff8000825c0000 x3 : 0000000000000000
+[13.388459] x2 : 0000000000000400 x1 : 0000000000000000 x0 : ffff0000c3b52080
+[13.395574] Call trace:
+[13.398013] usbhs_bset+0x14/0x4c [renesas_usbhs] (P)
+[13.403076] platform_probe+0x68/0xdc
+[13.406738] really_probe+0xbc/0x2c0
+[13.410306] __driver_probe_device+0x78/0x120
+[13.414653] driver_probe_device+0x3c/0x154
+[13.418825] __driver_attach+0x90/0x1a0
+[13.422647] bus_for_each_dev+0x7c/0xe0
+[13.426470] driver_attach+0x24/0x30
+[13.430032] bus_add_driver+0xe4/0x208
+[13.433766] driver_register+0x68/0x130
+[13.437587] __platform_driver_register+0x24/0x30
+[13.442273] renesas_usbhs_driver_init+0x20/0x1000 [renesas_usbhs]
+[13.448450] do_one_initcall+0x60/0x1d4
+[13.452276] do_init_module+0x54/0x1f8
+[13.456014] load_module+0x1754/0x1c98
+[13.459750] init_module_from_file+0x88/0xcc
+[13.464004] __arm64_sys_finit_module+0x1c4/0x328
+[13.468689] invoke_syscall+0x48/0x104
+[13.472426] el0_svc_common.constprop.0+0xc0/0xe0
+[13.477113] do_el0_svc+0x1c/0x28
+[13.480415] el0_svc+0x30/0xcc
+[13.483460] el0t_64_sync_handler+0x10c/0x138
+[13.487800] el0t_64_sync+0x198/0x19c
+[13.491453] Code: 2a0103e1 12003c42 12003c63 8b010084 (79400084)
+[13.497522] ---[ end trace 0000000000000000 ]---
+
+Fixes: f1407d5c66240 ("usb: renesas_usbhs: Add Renesas USBHS common code")
+Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Tested-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Link: https://lore.kernel.org/r/20250407105002.107181-4-prabhakar.mahadev-lad.rj@bp.renesas.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/renesas_usbhs/common.c | 50 +++++++++++++++++++++++-------
+ 1 file changed, 38 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/usb/renesas_usbhs/common.c b/drivers/usb/renesas_usbhs/common.c
+index 9af61f17dfc75..6343ef4e184b5 100644
+--- a/drivers/usb/renesas_usbhs/common.c
++++ b/drivers/usb/renesas_usbhs/common.c
+@@ -674,10 +674,29 @@ static int usbhs_probe(struct platform_device *pdev)
+ INIT_DELAYED_WORK(&priv->notify_hotplug_work, usbhsc_notify_hotplug);
+ spin_lock_init(usbhs_priv_to_lock(priv));
+
++ /*
++ * Acquire clocks and enable power management (PM) early in the
++ * probe process, as the driver accesses registers during
++ * initialization. Ensure the device is active before proceeding.
++ */
++ pm_runtime_enable(dev);
++
++ ret = usbhsc_clk_get(dev, priv);
++ if (ret)
++ goto probe_pm_disable;
++
++ ret = pm_runtime_resume_and_get(dev);
++ if (ret)
++ goto probe_clk_put;
++
++ ret = usbhsc_clk_prepare_enable(priv);
++ if (ret)
++ goto probe_pm_put;
++
+ /* call pipe and module init */
+ ret = usbhs_pipe_probe(priv);
+ if (ret < 0)
+- return ret;
++ goto probe_clk_dis_unprepare;
+
+ ret = usbhs_fifo_probe(priv);
+ if (ret < 0)
+@@ -694,10 +713,6 @@ static int usbhs_probe(struct platform_device *pdev)
+ if (ret)
+ goto probe_fail_rst;
+
+- ret = usbhsc_clk_get(dev, priv);
+- if (ret)
+- goto probe_fail_clks;
+-
+ /*
+ * deviece reset here because
+ * USB device might be used in boot loader.
+@@ -710,7 +725,7 @@ static int usbhs_probe(struct platform_device *pdev)
+ if (ret) {
+ dev_warn(dev, "USB function not selected (GPIO)\n");
+ ret = -ENOTSUPP;
+- goto probe_end_mod_exit;
++ goto probe_assert_rest;
+ }
+ }
+
+@@ -724,14 +739,19 @@ static int usbhs_probe(struct platform_device *pdev)
+ ret = usbhs_platform_call(priv, hardware_init, pdev);
+ if (ret < 0) {
+ dev_err(dev, "platform init failed.\n");
+- goto probe_end_mod_exit;
++ goto probe_assert_rest;
+ }
+
+ /* reset phy for connection */
+ usbhs_platform_call(priv, phy_reset, pdev);
+
+- /* power control */
+- pm_runtime_enable(dev);
++ /*
++ * Disable the clocks that were enabled earlier in the probe path,
++ * and let the driver handle the clocks beyond this point.
++ */
++ usbhsc_clk_disable_unprepare(priv);
++ pm_runtime_put(dev);
++
+ if (!usbhs_get_dparam(priv, runtime_pwctrl)) {
+ usbhsc_power_ctrl(priv, 1);
+ usbhs_mod_autonomy_mode(priv);
+@@ -748,9 +768,7 @@ static int usbhs_probe(struct platform_device *pdev)
+
+ return ret;
+
+-probe_end_mod_exit:
+- usbhsc_clk_put(priv);
+-probe_fail_clks:
++probe_assert_rest:
+ reset_control_assert(priv->rsts);
+ probe_fail_rst:
+ usbhs_mod_remove(priv);
+@@ -758,6 +776,14 @@ static int usbhs_probe(struct platform_device *pdev)
+ usbhs_fifo_remove(priv);
+ probe_end_pipe_exit:
+ usbhs_pipe_remove(priv);
++probe_clk_dis_unprepare:
++ usbhsc_clk_disable_unprepare(priv);
++probe_pm_put:
++ pm_runtime_put(dev);
++probe_clk_put:
++ usbhsc_clk_put(priv);
++probe_pm_disable:
++ pm_runtime_disable(dev);
+
+ dev_info(dev, "probe failed (%d)\n", ret);
+
+--
+2.39.5
+
--- /dev/null
+From a40ed3185e4ba59bc6e22c91ffe8791652d9c0d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 May 2025 11:46:47 +0800
+Subject: vfio/type1: Fix error unwind in migration dirty bitmap allocation
+
+From: Li RongQing <lirongqing@baidu.com>
+
+[ Upstream commit 4518e5a60c7fbf0cdff393c2681db39d77b4f87e ]
+
+When setting up dirty page tracking at the vfio IOMMU backend for
+device migration, if an error is encountered allocating a tracking
+bitmap, the unwind loop fails to free previously allocated tracking
+bitmaps. This occurs because the wrong loop index is used to
+generate the tracking object. This results in unintended memory
+usage for the life of the current DMA mappings where bitmaps were
+successfully allocated.
+
+Use the correct loop index to derive the tracking object for
+freeing during unwind.
+
+Fixes: d6a4c185660c ("vfio iommu: Implementation of ioctl for dirty pages tracking")
+Signed-off-by: Li RongQing <lirongqing@baidu.com>
+Link: https://lore.kernel.org/r/20250521034647.2877-1-lirongqing@baidu.com
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/vfio_iommu_type1.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
+index 18a2dbbc77799..26fac124231f5 100644
+--- a/drivers/vfio/vfio_iommu_type1.c
++++ b/drivers/vfio/vfio_iommu_type1.c
+@@ -299,7 +299,7 @@ static int vfio_dma_bitmap_alloc_all(struct vfio_iommu *iommu, size_t pgsize)
+ struct rb_node *p;
+
+ for (p = rb_prev(n); p; p = rb_prev(p)) {
+- struct vfio_dma *dma = rb_entry(n,
++ struct vfio_dma *dma = rb_entry(p,
+ struct vfio_dma, node);
+
+ vfio_dma_bitmap_free(dma);
+--
+2.39.5
+
--- /dev/null
+From 9f6c6532d34c84ffd098f2de80d572b976a0c2b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 May 2025 15:27:00 +0000
+Subject: vmxnet3: correctly report gso type for UDP tunnels
+
+From: Ronak Doshi <ronak.doshi@broadcom.com>
+
+[ Upstream commit 982d30c30eaa2ec723df42e3bf526c014c1dbb88 ]
+
+Commit 3d010c8031e3 ("udp: do not accept non-tunnel GSO skbs landing
+in a tunnel") added checks in linux stack to not accept non-tunnel
+GRO packets landing in a tunnel. This exposed an issue in vmxnet3
+which was not correctly reporting GRO packets for tunnel packets.
+
+This patch fixes this issue by setting correct GSO type for the
+tunnel packets.
+
+Currently, vmxnet3 does not support reporting inner fields for LRO
+tunnel packets. The issue is not seen for egress drivers that do not
+use skb inner fields. The workaround is to enable tnl-segmentation
+offload on the egress interfaces if the driver supports it. This
+problem pre-exists this patch fix and can be addressed as a separate
+future patch.
+
+Fixes: dacce2be3312 ("vmxnet3: add geneve and vxlan tunnel offload support")
+Signed-off-by: Ronak Doshi <ronak.doshi@broadcom.com>
+Acked-by: Guolin Yang <guolin.yang@broadcom.com>
+Link: https://patch.msgid.link/20250530152701.70354-1-ronak.doshi@broadcom.com
+[pabeni@redhat.com: dropped the changelog]
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vmxnet3/vmxnet3_drv.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c
+index da488cbb05428..8714e49004842 100644
+--- a/drivers/net/vmxnet3/vmxnet3_drv.c
++++ b/drivers/net/vmxnet3/vmxnet3_drv.c
+@@ -1407,6 +1407,30 @@ vmxnet3_get_hdr_len(struct vmxnet3_adapter *adapter, struct sk_buff *skb,
+ return (hlen + (hdr.tcp->doff << 2));
+ }
+
++static void
++vmxnet3_lro_tunnel(struct sk_buff *skb, __be16 ip_proto)
++{
++ struct udphdr *uh = NULL;
++
++ if (ip_proto == htons(ETH_P_IP)) {
++ struct iphdr *iph = (struct iphdr *)skb->data;
++
++ if (iph->protocol == IPPROTO_UDP)
++ uh = (struct udphdr *)(iph + 1);
++ } else {
++ struct ipv6hdr *iph = (struct ipv6hdr *)skb->data;
++
++ if (iph->nexthdr == IPPROTO_UDP)
++ uh = (struct udphdr *)(iph + 1);
++ }
++ if (uh) {
++ if (uh->check)
++ skb_shinfo(skb)->gso_type |= SKB_GSO_UDP_TUNNEL_CSUM;
++ else
++ skb_shinfo(skb)->gso_type |= SKB_GSO_UDP_TUNNEL;
++ }
++}
++
+ static int
+ vmxnet3_rq_rx_complete(struct vmxnet3_rx_queue *rq,
+ struct vmxnet3_adapter *adapter, int quota)
+@@ -1663,6 +1687,8 @@ vmxnet3_rq_rx_complete(struct vmxnet3_rx_queue *rq,
+ if (segCnt != 0 && mss != 0) {
+ skb_shinfo(skb)->gso_type = rcd->v4 ?
+ SKB_GSO_TCPV4 : SKB_GSO_TCPV6;
++ if (encap_lro)
++ vmxnet3_lro_tunnel(skb, skb->protocol);
+ skb_shinfo(skb)->gso_size = mss;
+ skb_shinfo(skb)->gso_segs = segCnt;
+ } else if ((segCnt != 0 || skb->len > mtu) && !encap_lro) {
+--
+2.39.5
+
--- /dev/null
+From aaa09baec9d38eb599cff5704c947d10cd9314b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 May 2025 11:30:52 -0400
+Subject: vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl()
+
+From: Nicolas Pitre <npitre@baylibre.com>
+
+[ Upstream commit c4c7ead7b86c1e7f11c64915b7e5bb6d2e242691 ]
+
+They are listed amon those cmd values that "treat 'arg' as an integer"
+which is wrong. They should instead fall into the default case. Probably
+nobody ever relied on that code since 2009 but still.
+
+Fixes: e92166517e3c ("tty: handle VT specific compat ioctls in vt driver")
+Signed-off-by: Nicolas Pitre <npitre@baylibre.com>
+Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
+Link: https://lore.kernel.org/r/pr214s15-36r8-6732-2pop-159nq85o48r7@syhkavp.arg
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/vt/vt_ioctl.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/tty/vt/vt_ioctl.c b/drivers/tty/vt/vt_ioctl.c
+index 8c685b5014044..5b21b60547da1 100644
+--- a/drivers/tty/vt/vt_ioctl.c
++++ b/drivers/tty/vt/vt_ioctl.c
+@@ -1105,8 +1105,6 @@ long vt_compat_ioctl(struct tty_struct *tty,
+ case VT_WAITACTIVE:
+ case VT_RELDISP:
+ case VT_DISALLOCATE:
+- case VT_RESIZE:
+- case VT_RESIZEX:
+ return vt_ioctl(tty, cmd, arg);
+
+ /*
+--
+2.39.5
+
--- /dev/null
+From cf371abc33e8ca9ccaf755ba2cd1c42e7c44b7c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Apr 2025 15:52:49 -0700
+Subject: watchdog: exar: Shorten identity name to fit correctly
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit 8e28276a569addb8a2324439ae473848ee52b056 ]
+
+The static initializer for struct watchdog_info::identity is too long
+and gets initialized without a trailing NUL byte. Since the length
+of "identity" is part of UAPI and tied to ioctls, just shorten
+the name of the device. Avoids the warning seen with GCC 15's
+-Wunterminated-string-initialization option:
+
+drivers/watchdog/exar_wdt.c:224:27: warning: initializer-string for array of 'unsigned char' truncates NUL terminator but destination lacks 'nonstring' attribute (33 chars into 32 available) [-Wunterminated-string-initialization]
+ 224 | .identity = "Exar/MaxLinear XR28V38x Watchdog",
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Fixes: 81126222bd3a ("watchdog: Exar/MaxLinear XR28V38x driver")
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20250415225246.work.458-kees@kernel.org
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/watchdog/exar_wdt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/watchdog/exar_wdt.c b/drivers/watchdog/exar_wdt.c
+index 7c61ff3432711..c2e3bb08df899 100644
+--- a/drivers/watchdog/exar_wdt.c
++++ b/drivers/watchdog/exar_wdt.c
+@@ -221,7 +221,7 @@ static const struct watchdog_info exar_wdt_info = {
+ .options = WDIOF_KEEPALIVEPING |
+ WDIOF_SETTIMEOUT |
+ WDIOF_MAGICCLOSE,
+- .identity = "Exar/MaxLinear XR28V38x Watchdog",
++ .identity = "Exar XR28V38x Watchdog",
+ };
+
+ static const struct watchdog_ops exar_wdt_ops = {
+--
+2.39.5
+
--- /dev/null
+From 9acd9dd04df1eea60306352d32e544b34dce5e95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Mar 2025 13:31:45 +0800
+Subject: wifi: ath11k: fix node corruption in ar->arvifs list
+
+From: Stone Zhang <quic_stonez@quicinc.com>
+
+[ Upstream commit 31e98e277ae47f56632e4d663b1d4fd12ba33ea8 ]
+
+In current WLAN recovery code flow, ath11k_core_halt() only
+reinitializes the "arvifs" list head. This will cause the
+list node immediately following the list head to become an
+invalid list node. Because the prev of that node still points
+to the list head "arvifs", but the next of the list head "arvifs"
+no longer points to that list node.
+
+When a WLAN recovery occurs during the execution of a vif
+removal, and it happens before the spin_lock_bh(&ar->data_lock)
+in ath11k_mac_op_remove_interface(), list_del() will detect the
+previously mentioned situation, thereby triggering a kernel panic.
+
+The fix is to remove and reinitialize all vif list nodes from the
+list head "arvifs" during WLAN halt. The reinitialization is to make
+the list nodes valid, ensuring that the list_del() in
+ath11k_mac_op_remove_interface() can execute normally.
+
+Call trace:
+__list_del_entry_valid_or_report+0xb8/0xd0
+ath11k_mac_op_remove_interface+0xb0/0x27c [ath11k]
+drv_remove_interface+0x48/0x194 [mac80211]
+ieee80211_do_stop+0x6e0/0x844 [mac80211]
+ieee80211_stop+0x44/0x17c [mac80211]
+__dev_close_many+0xac/0x150
+__dev_change_flags+0x194/0x234
+dev_change_flags+0x24/0x6c
+devinet_ioctl+0x3a0/0x670
+inet_ioctl+0x200/0x248
+sock_do_ioctl+0x60/0x118
+sock_ioctl+0x274/0x35c
+__arm64_sys_ioctl+0xac/0xf0
+invoke_syscall+0x48/0x114
+...
+
+Tested-on: QCA6698AQ hw2.1 PCI WLAN.HSP.1.1-04591-QCAHSPSWPL_V1_V2_SILICONZ_IOE-1
+
+Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
+Signed-off-by: Stone Zhang <quic_stonez@quicinc.com>
+Link: https://patch.msgid.link/20250320053145.3445187-1-quic_stonez@quicinc.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/core.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c
+index 893fefadbba96..ef269244fe495 100644
+--- a/drivers/net/wireless/ath/ath11k/core.c
++++ b/drivers/net/wireless/ath/ath11k/core.c
+@@ -1621,6 +1621,7 @@ static int ath11k_core_reconfigure_on_crash(struct ath11k_base *ab)
+ void ath11k_core_halt(struct ath11k *ar)
+ {
+ struct ath11k_base *ab = ar->ab;
++ struct list_head *pos, *n;
+
+ lockdep_assert_held(&ar->conf_mutex);
+
+@@ -1635,7 +1636,12 @@ void ath11k_core_halt(struct ath11k *ar)
+
+ rcu_assign_pointer(ab->pdevs_active[ar->pdev_idx], NULL);
+ synchronize_rcu();
+- INIT_LIST_HEAD(&ar->arvifs);
++
++ spin_lock_bh(&ar->data_lock);
++ list_for_each_safe(pos, n, &ar->arvifs)
++ list_del_init(pos);
++ spin_unlock_bh(&ar->data_lock);
++
+ idr_init(&ar->txmgmt_idr);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From b1fcdd2a0a014d1eb3e379dfb8be85647dc0f7b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Apr 2025 13:22:16 +0200
+Subject: wifi: ath9k_htc: Abort software beacon handling if disabled
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Toke Høiland-Jørgensen <toke@toke.dk>
+
+[ Upstream commit ac4e317a95a1092b5da5b9918b7118759342641c ]
+
+A malicious USB device can send a WMI_SWBA_EVENTID event from an
+ath9k_htc-managed device before beaconing has been enabled. This causes
+a device-by-zero error in the driver, leading to either a crash or an
+out of bounds read.
+
+Prevent this by aborting the handling in ath9k_htc_swba() if beacons are
+not enabled.
+
+Reported-by: Robert Morris <rtm@csail.mit.edu>
+Closes: https://lore.kernel.org/r/88967.1743099372@localhost
+Fixes: 832f6a18fc2a ("ath9k_htc: Add beacon slots")
+Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Link: https://patch.msgid.link/20250402112217.58533-1-toke@toke.dk
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/htc_drv_beacon.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c b/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c
+index 533471e694007..18c7654bc539d 100644
+--- a/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c
++++ b/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c
+@@ -290,6 +290,9 @@ void ath9k_htc_swba(struct ath9k_htc_priv *priv,
+ struct ath_common *common = ath9k_hw_common(priv->ah);
+ int slot;
+
++ if (!priv->cur_beacon_conf.enable_beacon)
++ return;
++
+ if (swba->beacon_pending != 0) {
+ priv->beacon.bmisscnt++;
+ if (priv->beacon.bmisscnt > BSTUCK_THRESHOLD) {
+--
+2.39.5
+
--- /dev/null
+From db0c31649c0386d82e53ec570c6879e47a980f1d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Apr 2025 12:07:20 +0300
+Subject: wifi: rtw88: do not ignore hardware read error during DPK
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit 20d3c19bd8f9b498173c198eadf54580c8caa336 ]
+
+In 'rtw8822c_dpk_cal_coef1()', do not ignore error returned
+by 'check_hw_ready()' but issue a warning to denote possible
+DPK issue. Compile tested only.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 5227c2ee453d ("rtw88: 8822c: add SW DPK support")
+Suggested-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20250415090720.194048-1-dmantipov@yandex.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw88/rtw8822c.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtw88/rtw8822c.c b/drivers/net/wireless/realtek/rtw88/rtw8822c.c
+index c6dacfde92005..d1b9031536496 100644
+--- a/drivers/net/wireless/realtek/rtw88/rtw8822c.c
++++ b/drivers/net/wireless/realtek/rtw88/rtw8822c.c
+@@ -3973,7 +3973,8 @@ static void rtw8822c_dpk_cal_coef1(struct rtw_dev *rtwdev)
+ rtw_write32(rtwdev, REG_NCTL0, 0x00001148);
+ rtw_write32(rtwdev, REG_NCTL0, 0x00001149);
+
+- check_hw_ready(rtwdev, 0x2d9c, MASKBYTE0, 0x55);
++ if (!check_hw_ready(rtwdev, 0x2d9c, MASKBYTE0, 0x55))
++ rtw_warn(rtwdev, "DPK stuck, performance may be suboptimal");
+
+ rtw_write8(rtwdev, 0x1b10, 0x0);
+ rtw_write32_mask(rtwdev, REG_NCTL0, BIT_SUBPAGE, 0x0000000c);
+--
+2.39.5
+
--- /dev/null
+From 83903ae59986a9b094b5d2f05aecd3dd022debb4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 May 2025 12:13:04 +0000
+Subject: wifi: rtw88: fix the 'para' buffer size to avoid reading out of
+ bounds
+
+From: Alexey Kodanev <aleksei.kodanev@bell-sw.com>
+
+[ Upstream commit 4c2c372de2e108319236203cce6de44d70ae15cd ]
+
+Set the size to 6 instead of 2, since 'para' array is passed to
+'rtw_fw_bt_wifi_control(rtwdev, para[0], ¶[1])', which reads
+5 bytes:
+
+void rtw_fw_bt_wifi_control(struct rtw_dev *rtwdev, u8 op_code, u8 *data)
+{
+ ...
+ SET_BT_WIFI_CONTROL_DATA1(h2c_pkt, *data);
+ SET_BT_WIFI_CONTROL_DATA2(h2c_pkt, *(data + 1));
+ ...
+ SET_BT_WIFI_CONTROL_DATA5(h2c_pkt, *(data + 4));
+
+Detected using the static analysis tool - Svace.
+Fixes: 4136214f7c46 ("rtw88: add BT co-existence support")
+Signed-off-by: Alexey Kodanev <aleksei.kodanev@bell-sw.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20250513121304.124141-1-aleksei.kodanev@bell-sw.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw88/coex.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtw88/coex.c b/drivers/net/wireless/realtek/rtw88/coex.c
+index 8627ab0ce3bdf..1a9336c595c12 100644
+--- a/drivers/net/wireless/realtek/rtw88/coex.c
++++ b/drivers/net/wireless/realtek/rtw88/coex.c
+@@ -309,7 +309,7 @@ static void rtw_coex_tdma_timer_base(struct rtw_dev *rtwdev, u8 type)
+ {
+ struct rtw_coex *coex = &rtwdev->coex;
+ struct rtw_coex_stat *coex_stat = &coex->stat;
+- u8 para[2] = {0};
++ u8 para[6] = {};
+ u8 times;
+ u16 tbtt_interval = coex_stat->wl_beacon_interval;
+
+--
+2.39.5
+
--- /dev/null
+From cde9c494aae2de55cf49268984c56bd62fe81a8c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Jun 2025 14:06:16 +0200
+Subject: wireguard: device: enable threaded NAPI
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mirco Barone <mirco.barone@polito.it>
+
+[ Upstream commit db9ae3b6b43c79b1ba87eea849fd65efa05b4b2e ]
+
+Enable threaded NAPI by default for WireGuard devices in response to low
+performance behavior that we observed when multiple tunnels (and thus
+multiple wg devices) are deployed on a single host. This affects any
+kind of multi-tunnel deployment, regardless of whether the tunnels share
+the same endpoints or not (i.e., a VPN concentrator type of gateway
+would also be affected).
+
+The problem is caused by the fact that, in case of a traffic surge that
+involves multiple tunnels at the same time, the polling of the NAPI
+instance of all these wg devices tends to converge onto the same core,
+causing underutilization of the CPU and bottlenecking performance.
+
+This happens because NAPI polling is hosted by default in softirq
+context, but the WireGuard driver only raises this softirq after the rx
+peer queue has been drained, which doesn't happen during high traffic.
+In this case, the softirq already active on a core is reused instead of
+raising a new one.
+
+As a result, once two or more tunnel softirqs have been scheduled on
+the same core, they remain pinned there until the surge ends.
+
+In our experiments, this almost always leads to all tunnel NAPIs being
+handled on a single core shortly after a surge begins, limiting
+scalability to less than 3× the performance of a single tunnel, despite
+plenty of unused CPU cores being available.
+
+The proposed mitigation is to enable threaded NAPI for all WireGuard
+devices. This moves the NAPI polling context to a dedicated per-device
+kernel thread, allowing the scheduler to balance the load across all
+available cores.
+
+On our 32-core gateways, enabling threaded NAPI yields a ~4× performance
+improvement with 16 tunnels, increasing throughput from ~13 Gbps to
+~48 Gbps. Meanwhile, CPU usage on the receiver (which is the bottleneck)
+jumps from 20% to 100%.
+
+We have found no performance regressions in any scenario we tested.
+Single-tunnel throughput remains unchanged.
+
+More details are available in our Netdev paper.
+
+Link: https://netdevconf.info/0x18/docs/netdev-0x18-paper23-talk-paper.pdf
+Signed-off-by: Mirco Barone <mirco.barone@polito.it>
+Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Link: https://patch.msgid.link/20250605120616.2808744-1-Jason@zx2c4.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireguard/device.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireguard/device.c b/drivers/net/wireguard/device.c
+index 895a621c9e267..531332e169df8 100644
+--- a/drivers/net/wireguard/device.c
++++ b/drivers/net/wireguard/device.c
+@@ -368,6 +368,7 @@ static int wg_newlink(struct net *src_net, struct net_device *dev,
+ if (ret < 0)
+ goto err_free_handshake_queue;
+
++ dev_set_threaded(dev, true);
+ ret = register_netdevice(dev);
+ if (ret < 0)
+ goto err_uninit_ratelimiter;
+--
+2.39.5
+
--- /dev/null
+From edeab20c4cf1ab27b25a930e1908f55a0a78cffa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 May 2025 07:04:13 +0200
+Subject: x86/cpu: Sanitize CPUID(0x80000000) output
+
+From: Ahmed S. Darwish <darwi@linutronix.de>
+
+[ Upstream commit cc663ba3fe383a628a812f893cc98aafff39ab04 ]
+
+CPUID(0x80000000).EAX returns the max extended CPUID leaf available. On
+x86-32 machines without an extended CPUID range, a CPUID(0x80000000)
+query will just repeat the output of the last valid standard CPUID leaf
+on the CPU; i.e., a garbage values. Current tip:x86/cpu code protects against
+this by doing:
+
+ eax = cpuid_eax(0x80000000);
+ c->extended_cpuid_level = eax;
+
+ if ((eax & 0xffff0000) == 0x80000000) {
+ // CPU has an extended CPUID range. Check for 0x80000001
+ if (eax >= 0x80000001) {
+ cpuid(0x80000001, ...);
+ }
+ }
+
+This is correct so far. Afterwards though, the same possibly broken EAX
+value is used to check the availability of other extended CPUID leaves:
+
+ if (c->extended_cpuid_level >= 0x80000007)
+ ...
+ if (c->extended_cpuid_level >= 0x80000008)
+ ...
+ if (c->extended_cpuid_level >= 0x8000000a)
+ ...
+ if (c->extended_cpuid_level >= 0x8000001f)
+ ...
+
+which is invalid. Fix this by immediately setting the CPU's max extended
+CPUID leaf to zero if CPUID(0x80000000).EAX doesn't indicate a valid
+CPUID extended range.
+
+While at it, add a comment, similar to kernel/head_32.S, clarifying the
+CPUID(0x80000000) sanity check.
+
+References: 8a50e5135af0 ("x86-32: Use symbolic constants, safer CPUID when enabling EFER.NX")
+Fixes: 3da99c977637 ("x86: make (early)_identify_cpu more the same between 32bit and 64 bit")
+Signed-off-by: Ahmed S. Darwish <darwi@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Andrew Cooper <andrew.cooper3@citrix.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: John Ogness <john.ogness@linutronix.de>
+Cc: x86-cpuid@lists.linux.dev
+Link: https://lore.kernel.org/r/20250506050437.10264-3-darwi@linutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/common.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
+index 48cc1612df49f..722eac51beae6 100644
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -1045,17 +1045,18 @@ void get_cpu_cap(struct cpuinfo_x86 *c)
+ c->x86_capability[CPUID_D_1_EAX] = eax;
+ }
+
+- /* AMD-defined flags: level 0x80000001 */
++ /*
++ * Check if extended CPUID leaves are implemented: Max extended
++ * CPUID leaf must be in the 0x80000001-0x8000ffff range.
++ */
+ eax = cpuid_eax(0x80000000);
+- c->extended_cpuid_level = eax;
++ c->extended_cpuid_level = ((eax & 0xffff0000) == 0x80000000) ? eax : 0;
+
+- if ((eax & 0xffff0000) == 0x80000000) {
+- if (eax >= 0x80000001) {
+- cpuid(0x80000001, &eax, &ebx, &ecx, &edx);
++ if (c->extended_cpuid_level >= 0x80000001) {
++ cpuid(0x80000001, &eax, &ebx, &ecx, &edx);
+
+- c->x86_capability[CPUID_8000_0001_ECX] = ecx;
+- c->x86_capability[CPUID_8000_0001_EDX] = edx;
+- }
++ c->x86_capability[CPUID_8000_0001_ECX] = ecx;
++ c->x86_capability[CPUID_8000_0001_EDX] = edx;
+ }
+
+ if (c->extended_cpuid_level >= 0x80000007) {
+--
+2.39.5
+
--- /dev/null
+From f7ecb9d2b22dd56d878043f4b455015bdb576286 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 May 2025 17:06:33 +0000
+Subject: x86/mtrr: Check if fixed-range MTRRs exist in
+ mtrr_save_fixed_ranges()
+
+From: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
+
+[ Upstream commit 824c6384e8d9275d4ec7204f3f79a4ac6bc10379 ]
+
+When suspending, save_processor_state() calls mtrr_save_fixed_ranges()
+to save fixed-range MTRRs.
+
+On platforms without fixed-range MTRRs like the ACRN hypervisor which
+has removed fixed-range MTRR emulation, accessing these MSRs will
+trigger an unchecked MSR access error. Make sure fixed-range MTRRs are
+supported before access to prevent such error.
+
+Since mtrr_state.have_fixed is only set when MTRRs are present and
+enabled, checking the CPU feature flag in mtrr_save_fixed_ranges() is
+unnecessary.
+
+Fixes: 3ebad5905609 ("[PATCH] x86: Save and restore the fixed-range MTRRs of the BSP when suspending")
+Signed-off-by: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Link: https://lore.kernel.org/20250509170633.3411169-2-jiaqing.zhao@linux.intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/mtrr/generic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/mtrr/generic.c b/arch/x86/kernel/cpu/mtrr/generic.c
+index 558108296f3cf..31549e7f6b7c6 100644
+--- a/arch/x86/kernel/cpu/mtrr/generic.c
++++ b/arch/x86/kernel/cpu/mtrr/generic.c
+@@ -349,7 +349,7 @@ static void get_fixed_ranges(mtrr_type *frs)
+
+ void mtrr_save_fixed_ranges(void *info)
+ {
+- if (boot_cpu_has(X86_FEATURE_MTRR))
++ if (mtrr_state.have_fixed)
+ get_fixed_ranges(mtrr_state.fixed_ranges);
+ }
+
+--
+2.39.5
+