5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 24 Aug 2025 08:06:20 +0000 (10:06 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 24 Aug 2025 08:06:20 +0000 (10:06 +0200)
added patches:
ata-fix-sata_mobile_lpm_policy-description-in-kconfig.patch
btrfs-populate-otime-when-logging-an-inode-item.patch
drm-amdgpu-handle-the-case-of-pci_channel_io_frozen-only-in-amdgpu_pci_resume.patch
iio-adc-ad_sigma_delta-change-to-buffer-predisable.patch
mm-ptdump-take-the-memory-hotplug-lock-inside-ptdump_walk_pgd.patch
net-sched-ets-use-old-nbands-while-purging-unused-classes.patch
net-sched-sch_ets-properly-init-all-active-drr-list-handles.patch
net_sched-sch_ets-implement-lockless-ets_dump.patch
nfs-create-an-nfs4_server_set_init_caps-function.patch
nfs-don-t-set-nfs_ino_reval_pagecache-in-the-inode-cache-validity.patch
nfs-fix-the-setting-of-capabilities-when-automounting-a-new-filesystem.patch
nfsv4-fix-nfs4_bitmap_copy_adjust.patch
rdma-rxe-return-cqe-error-if-invalid-lkey-was-supplied.patch
scsi-lpfc-fix-link-down-processing-to-address-null-pointer-dereference.patch
scsi-pm80xx-fix-memory-leak-during-rmmod.patch
scsi-ufs-exynos-fix-programming-of-hci_utrl_nexus_type.patch
soc-qcom-mdt_loader-ensure-we-don-t-read-past-the-elf-header.patch
usb-musb-omap2430-convert-to-platform-remove-callback-returning-void.patch
usb-musb-omap2430-fix-device-leak-at-unbind.patch

20 files changed:
queue-5.10/ata-fix-sata_mobile_lpm_policy-description-in-kconfig.patch [new file with mode: 0644]
queue-5.10/btrfs-populate-otime-when-logging-an-inode-item.patch [new file with mode: 0644]
queue-5.10/drm-amdgpu-handle-the-case-of-pci_channel_io_frozen-only-in-amdgpu_pci_resume.patch [new file with mode: 0644]
queue-5.10/iio-adc-ad_sigma_delta-change-to-buffer-predisable.patch [new file with mode: 0644]
queue-5.10/mm-ptdump-take-the-memory-hotplug-lock-inside-ptdump_walk_pgd.patch [new file with mode: 0644]
queue-5.10/net-sched-ets-use-old-nbands-while-purging-unused-classes.patch [new file with mode: 0644]
queue-5.10/net-sched-sch_ets-properly-init-all-active-drr-list-handles.patch [new file with mode: 0644]
queue-5.10/net_sched-sch_ets-implement-lockless-ets_dump.patch [new file with mode: 0644]
queue-5.10/nfs-create-an-nfs4_server_set_init_caps-function.patch [new file with mode: 0644]
queue-5.10/nfs-don-t-set-nfs_ino_reval_pagecache-in-the-inode-cache-validity.patch [new file with mode: 0644]
queue-5.10/nfs-fix-the-setting-of-capabilities-when-automounting-a-new-filesystem.patch [new file with mode: 0644]
queue-5.10/nfsv4-fix-nfs4_bitmap_copy_adjust.patch [new file with mode: 0644]
queue-5.10/rdma-rxe-return-cqe-error-if-invalid-lkey-was-supplied.patch [new file with mode: 0644]
queue-5.10/scsi-lpfc-fix-link-down-processing-to-address-null-pointer-dereference.patch [new file with mode: 0644]
queue-5.10/scsi-pm80xx-fix-memory-leak-during-rmmod.patch [new file with mode: 0644]
queue-5.10/scsi-ufs-exynos-fix-programming-of-hci_utrl_nexus_type.patch [new file with mode: 0644]
queue-5.10/series
queue-5.10/soc-qcom-mdt_loader-ensure-we-don-t-read-past-the-elf-header.patch [new file with mode: 0644]
queue-5.10/usb-musb-omap2430-convert-to-platform-remove-callback-returning-void.patch [new file with mode: 0644]
queue-5.10/usb-musb-omap2430-fix-device-leak-at-unbind.patch [new file with mode: 0644]

diff --git a/queue-5.10/ata-fix-sata_mobile_lpm_policy-description-in-kconfig.patch b/queue-5.10/ata-fix-sata_mobile_lpm_policy-description-in-kconfig.patch
new file mode 100644 (file)
index 0000000..0e63c05
--- /dev/null
@@ -0,0 +1,78 @@
+From stable+bounces-172213-greg=kroah.com@vger.kernel.org Thu Aug 21 20:18:26 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Aug 2025 14:18:16 -0400
+Subject: ata: Fix SATA_MOBILE_LPM_POLICY description in Kconfig
+To: stable@vger.kernel.org
+Cc: Damien Le Moal <dlemoal@kernel.org>, Hannes Reinecke <hare@suse.de>, Niklas Cassel <cassel@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250821181816.887742-1-sashal@kernel.org>
+
+From: Damien Le Moal <dlemoal@kernel.org>
+
+[ Upstream commit ed62a62a18bc144f73eadf866ae46842e8f6606e ]
+
+Improve the description of the possible default SATA link power
+management policies and add the missing description for policy 5.
+No functional changes.
+
+Fixes: a5ec5a7bfd1f ("ata: ahci: Support state with min power but Partial low power state")
+Cc: stable@vger.kernel.org
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Reviewed-by: Niklas Cassel <cassel@kernel.org>
+[ Adjust context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/Kconfig |   33 +++++++++++++++++++++++++--------
+ 1 file changed, 25 insertions(+), 8 deletions(-)
+
+--- a/drivers/ata/Kconfig
++++ b/drivers/ata/Kconfig
+@@ -117,22 +117,39 @@ config SATA_AHCI
+ config SATA_MOBILE_LPM_POLICY
+       int "Default SATA Link Power Management policy for mobile chipsets"
+-      range 0 4
++      range 0 5
+       default 0
+       depends on SATA_AHCI
+       help
+         Select the Default SATA Link Power Management (LPM) policy to use
+         for mobile / laptop variants of chipsets / "South Bridges".
+-        The value set has the following meanings:
++        Each policy combines power saving states and features:
++         - Partial: The Phy logic is powered but is in a reduced power
++                      state. The exit latency from this state is no longer than
++                      10us).
++         - Slumber: The Phy logic is powered but is in an even lower power
++                      state. The exit latency from this state is potentially
++                    longer, but no longer than 10ms.
++         - DevSleep: The Phy logic may be powered down. The exit latency from
++                     this state is no longer than 20 ms, unless otherwise
++                     specified by DETO in the device Identify Device Data log.
++         - HIPM: Host Initiated Power Management (host automatically
++                 transitions to partial and slumber).
++         - DIPM: Device Initiated Power Management (device automatically
++                 transitions to partial and slumber).
++
++        The possible values for the default SATA link power management
++        policies are:
+               0 => Keep firmware settings
+-              1 => Maximum performance
+-              2 => Medium power
+-              3 => Medium power with Device Initiated PM enabled
+-              4 => Minimum power
++              1 => No power savings (maximum performance)
++              2 => HIPM (Partial)
++              3 => HIPM (Partial) and DIPM (Partial and Slumber)
++              4 => HIPM (Partial and DevSleep) and DIPM (Partial and Slumber)
++              5 => HIPM (Slumber and DevSleep) and DIPM (Partial and Slumber)
+-        Note "Minimum power" is known to cause issues, including disk
+-        corruption, with some disks and should not be used.
++        Excluding the value 0, higher values represent policies with higher
++        power savings.
+ config SATA_AHCI_PLATFORM
+       tristate "Platform AHCI SATA support"
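Review bot: The patch description says "No functional changes", yet the Kconfig hunk widens `range 0 4` to `range 0 5`, so a build can now select policy 5 by default. The same hunk drops the note that minimum power "is known to cause issues, including disk corruption, with some disks"; whether that caveat still applies to the 5.10 drivers is not visible here, and if it does, a caution reworded to the new value names should stay next to the value list. The Partial entry also ends with an unbalanced parenthesis, `10us).`, which should read `10us.`.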
diff --git a/queue-5.10/btrfs-populate-otime-when-logging-an-inode-item.patch b/queue-5.10/btrfs-populate-otime-when-logging-an-inode-item.patch
new file mode 100644 (file)
index 0000000..f299dbf
--- /dev/null
@@ -0,0 +1,116 @@
+From stable+bounces-171803-greg=kroah.com@vger.kernel.org Tue Aug 19 16:33:36 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Aug 2025 10:33:27 -0400
+Subject: btrfs: populate otime when logging an inode item
+To: stable@vger.kernel.org
+Cc: Qu Wenruo <wqu@suse.com>, Filipe Manana <fdmanana@suse.com>, David Sterba <dsterba@suse.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250819143327.512986-1-sashal@kernel.org>
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit 1ef94169db0958d6de39f9ea6e063ce887342e2d ]
+
+[TEST FAILURE WITH EXPERIMENTAL FEATURES]
+When running test case generic/508, the test case will fail with the new
+btrfs shutdown support:
+
+generic/508       - output mismatch (see /home/adam/xfstests/results//generic/508.out.bad)
+#    --- tests/generic/508.out 2022-05-11 11:25:30.806666664 +0930
+#    +++ /home/adam/xfstests/results//generic/508.out.bad      2025-07-02 14:53:22.401824212 +0930
+#    @@ -1,2 +1,6 @@
+#     QA output created by 508
+#     Silence is golden
+#    +Before:
+#    +After : stat.btime = Thu Jan  1 09:30:00 1970
+#    +Before:
+#    +After : stat.btime = Wed Jul  2 14:53:22 2025
+#    ...
+#    (Run 'diff -u /home/adam/xfstests/tests/generic/508.out /home/adam/xfstests/results//generic/508.out.bad'  to see the entire diff)
+Ran: generic/508
+Failures: generic/508
+Failed 1 of 1 tests
+
+Please note that the test case requires shutdown support, thus the test
+case will be skipped using the current upstream kernel, as it doesn't
+have shutdown ioctl support.
+
+[CAUSE]
+The direct cause the 0 time stamp in the log tree:
+
+leaf 30507008 items 2 free space 16057 generation 9 owner TREE_LOG
+leaf 30507008 flags 0x1(WRITTEN) backref revision 1
+checksum stored e522548d
+checksum calced e522548d
+fs uuid 57d45451-481e-43e4-aa93-289ad707a3a0
+chunk uuid d52bd3fd-5163-4337-98a7-7986993ad398
+       item 0 key (257 INODE_ITEM 0) itemoff 16123 itemsize 160
+               generation 9 transid 9 size 0 nbytes 0
+               block group 0 mode 100644 links 1 uid 0 gid 0 rdev 0
+               sequence 1 flags 0x0(none)
+               atime 1751432947.492000000 (2025-07-02 14:39:07)
+               ctime 1751432947.492000000 (2025-07-02 14:39:07)
+               mtime 1751432947.492000000 (2025-07-02 14:39:07)
+               otime 0.0 (1970-01-01 09:30:00) <<<
+
+But the old fs tree has all the correct time stamp:
+
+btrfs-progs v6.12
+fs tree key (FS_TREE ROOT_ITEM 0)
+leaf 30425088 items 2 free space 16061 generation 5 owner FS_TREE
+leaf 30425088 flags 0x1(WRITTEN) backref revision 1
+checksum stored 48f6c57e
+checksum calced 48f6c57e
+fs uuid 57d45451-481e-43e4-aa93-289ad707a3a0
+chunk uuid d52bd3fd-5163-4337-98a7-7986993ad398
+       item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160
+               generation 3 transid 0 size 0 nbytes 16384
+               block group 0 mode 40755 links 1 uid 0 gid 0 rdev 0
+               sequence 0 flags 0x0(none)
+               atime 1751432947.0 (2025-07-02 14:39:07)
+               ctime 1751432947.0 (2025-07-02 14:39:07)
+               mtime 1751432947.0 (2025-07-02 14:39:07)
+               otime 1751432947.0 (2025-07-02 14:39:07) <<<
+
+The root cause is that fill_inode_item() in tree-log.c is only
+populating a/c/m time, not the otime (or btime in statx output).
+
+Part of the reason is that, the vfs inode only has a/c/m time, no native
+btime support yet.
+
+[FIX]
+Thankfully btrfs has its otime stored in btrfs_inode::i_otime_sec and
+btrfs_inode::i_otime_nsec.
+
+So what we really need is just fill the otime time stamp in
+fill_inode_item() of tree-log.c
+
+There is another fill_inode_item() in inode.c, which is doing the proper
+otime population.
+
+Fixes: 94edf4ae43a5 ("Btrfs: don't bother committing delayed inode updates when fsyncing")
+CC: stable@vger.kernel.org
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+[ Adapted token-based API calls ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tree-log.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -3921,6 +3921,11 @@ static void fill_inode_item(struct btrfs
+       btrfs_set_token_timespec_nsec(&token, &item->ctime,
+                                     inode->i_ctime.tv_nsec);
++      btrfs_set_token_timespec_sec(&token, &item->otime,
++                                   BTRFS_I(inode)->i_otime.tv_sec);
++      btrfs_set_token_timespec_nsec(&token, &item->otime,
++                                    BTRFS_I(inode)->i_otime.tv_nsec);
++
+       btrfs_set_token_inode_nbytes(&token, item, inode_get_bytes(inode));
+       btrfs_set_token_inode_sequence(&token, item, inode_peek_iversion(inode));
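Review bot: The two added otime stores in fill_inode_item() carry no comment, and the reason they read from BTRFS_I(inode) rather than from the VFS inode like the a/c/m stores above them is given only in the commit message. A one-line comment above them would keep that visible, for example `/* otime is kept in btrfs_inode; the VFS inode only has a/c/m time */`. Since a zero otime in the log tree surfaced as an epoch birth time after replay, a short note here also helps anyone later comparing this function with the fill_inode_item() in inode.c. The function body starts and ends outside the hunk.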
diff --git a/queue-5.10/drm-amdgpu-handle-the-case-of-pci_channel_io_frozen-only-in-amdgpu_pci_resume.patch b/queue-5.10/drm-amdgpu-handle-the-case-of-pci_channel_io_frozen-only-in-amdgpu_pci_resume.patch
new file mode 100644 (file)
index 0000000..c429452
--- /dev/null
@@ -0,0 +1,70 @@
+From stable+bounces-167102-greg=kroah.com@vger.kernel.org Tue Aug 12 08:37:31 2025
+From: Shivani Agarwal <shivani.agarwal@broadcom.com>
+Date: Mon, 11 Aug 2025 23:23:49 -0700
+Subject: drm/amdgpu: handle the case of pci_channel_io_frozen only in amdgpu_pci_resume
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org
+Cc: bcm-kernel-feedback-list@broadcom.com, linux-kernel@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, tapas.kundu@broadcom.com, alexander.deucher@amd.com, christian.koenig@amd.com, airlied@gmail.com, simona@ffwll.ch, lijo.lazar@amd.com, mario.limonciello@amd.com, sunil.khatri@amd.com, srinivasan.shanmugam@amd.com, siqueira@igalia.com, cesun102@amd.com, linux@treblig.org, zhangzekun11@huawei.com, andrey.grodzovsky@amd.com, amd-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org, Guchun Chen <guchun.chen@amd.com>, Sasha Levin <sashal@kernel.org>, Shivani Agarwal <shivani.agarwal@broadcom.com>
+Message-ID: <20250812062349.149549-1-shivani.agarwal@broadcom.com>
+
+From: Guchun Chen <guchun.chen@amd.com>
+
+[ Upstream commit 248b061689a40f4fed05252ee2c89f87cf26d7d8 ]
+
+In current code, when a PCI error state pci_channel_io_normal is detectd,
+it will report PCI_ERS_RESULT_CAN_RECOVER status to PCI driver, and PCI
+driver will continue the execution of PCI resume callback report_resume by
+pci_walk_bridge, and the callback will go into amdgpu_pci_resume
+finally, where write lock is releasd unconditionally without acquiring
+such lock first. In this case, a deadlock will happen when other threads
+start to acquire the read lock.
+
+To fix this, add a member in amdgpu_device strucutre to cache
+pci_channel_state, and only continue the execution in amdgpu_pci_resume
+when it's pci_channel_io_frozen.
+
+Fixes: c9a6b82f45e2 ("drm/amdgpu: Implement DPC recovery")
+Suggested-by: Andrey Grodzovsky <andrey.grodzovsky@amd.com>
+Signed-off-by: Guchun Chen <guchun.chen@amd.com>
+Reviewed-by: Andrey Grodzovsky <andrey.grodzovsky@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+[Shivani: Modified to apply on 5.10.y]
+Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu.h        |    1 +
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c |    6 ++++++
+ 2 files changed, 7 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu.h
+@@ -997,6 +997,7 @@ struct amdgpu_device {
+       bool                            in_pci_err_recovery;
+       struct pci_saved_state          *pci_state;
++      pci_channel_state_t             pci_channel_state;
+ };
+ static inline struct amdgpu_device *drm_to_adev(struct drm_device *ddev)
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -4944,6 +4944,8 @@ pci_ers_result_t amdgpu_pci_error_detect
+               return PCI_ERS_RESULT_DISCONNECT;
+       }
++      adev->pci_channel_state = state;
++
+       switch (state) {
+       case pci_channel_io_normal:
+               return PCI_ERS_RESULT_CAN_RECOVER;
+@@ -5079,6 +5081,10 @@ void amdgpu_pci_resume(struct pci_dev *p
+       DRM_INFO("PCI error: resume callback!!\n");
++      /* Only continue execution for the case of pci_channel_io_frozen */
++      if (adev->pci_channel_state != pci_channel_io_frozen)
++              return;
++
+       for (i = 0; i < AMDGPU_MAX_RINGS; ++i) {
+               struct amdgpu_ring *ring = adev->rings[i];
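Review bot: The comment added in amdgpu_pci_resume(), "Only continue execution for the case of pci_channel_io_frozen", restates the check without giving the reason, which per the commit message is that the write lock is released later in this function and was never taken for the other channel states. Something like `/* the lock released below is only taken for pci_channel_io_frozen; return early otherwise */` would record that, and the new `pci_channel_state` member in struct amdgpu_device deserves a short comment saying it caches the state seen by the error_detected callback. Separately, `adev->pci_channel_state = state;` sits after the early `return PCI_ERS_RESULT_DISCONNECT;`, so on that path the field keeps its previous value; this looks harmless if resume never follows a disconnect, but the hunk does not show that. Both function bodies continue outside the hunk.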
diff --git a/queue-5.10/iio-adc-ad_sigma_delta-change-to-buffer-predisable.patch b/queue-5.10/iio-adc-ad_sigma_delta-change-to-buffer-predisable.patch
new file mode 100644 (file)
index 0000000..13ee43c
--- /dev/null
@@ -0,0 +1,51 @@
+From stable+bounces-172484-greg=kroah.com@vger.kernel.org Fri Aug 22 19:55:45 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 13:55:16 -0400
+Subject: iio: adc: ad_sigma_delta: change to buffer predisable
+To: stable@vger.kernel.org
+Cc: "David Lechner" <dlechner@baylibre.com>, "Nuno Sá" <nuno.sa@analog.com>, "Jonathan Cameron" <Jonathan.Cameron@huawei.com>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250822175516.1349300-1-sashal@kernel.org>
+
+From: David Lechner <dlechner@baylibre.com>
+
+[ Upstream commit 66d4374d97f85516b5a22418c5e798aed2606dec ]
+
+Change the buffer disable callback from postdisable to predisable.
+This balances the existing posteanble callback. Using postdisable
+with posteanble can be problematic, for example, if update_scan_mode
+fails, it would call postdisable without ever having called posteanble,
+so the drivers using this would be in an unexpected state when
+postdisable was called.
+
+Fixes: af3008485ea0 ("iio:adc: Add common code for ADI Sigma Delta devices")
+Signed-off-by: David Lechner <dlechner@baylibre.com>
+Reviewed-by: Nuno Sá <nuno.sa@analog.com>
+Link: https://patch.msgid.link/20250703-iio-adc-ad_sigma_delta-buffer-predisable-v1-1-f2ab85138f1f@baylibre.com
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/ad_sigma_delta.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/adc/ad_sigma_delta.c
++++ b/drivers/iio/adc/ad_sigma_delta.c
+@@ -371,7 +371,7 @@ err_unlock:
+       return ret;
+ }
+-static int ad_sd_buffer_postdisable(struct iio_dev *indio_dev)
++static int ad_sd_buffer_predisable(struct iio_dev *indio_dev)
+ {
+       struct ad_sigma_delta *sigma_delta = iio_device_get_drvdata(indio_dev);
+@@ -432,7 +432,7 @@ static irqreturn_t ad_sd_trigger_handler
+ static const struct iio_buffer_setup_ops ad_sd_buffer_setup_ops = {
+       .postenable = &ad_sd_buffer_postenable,
+-      .postdisable = &ad_sd_buffer_postdisable,
++      .predisable = &ad_sd_buffer_predisable,
+       .validate_scan_mask = &iio_validate_scan_mask_onehot,
+ };
diff --git a/queue-5.10/mm-ptdump-take-the-memory-hotplug-lock-inside-ptdump_walk_pgd.patch b/queue-5.10/mm-ptdump-take-the-memory-hotplug-lock-inside-ptdump_walk_pgd.patch
new file mode 100644 (file)
index 0000000..5734886
--- /dev/null
@@ -0,0 +1,114 @@
+From stable+bounces-171811-greg=kroah.com@vger.kernel.org Tue Aug 19 17:11:09 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Aug 2025 11:09:21 -0400
+Subject: mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd()
+To: stable@vger.kernel.org
+Cc: Anshuman Khandual <anshuman.khandual@arm.com>, David Hildenbrand <david@redhat.com>, Dev Jain <dev.jain@arm.com>, Alexander Gordeev <agordeev@linux.ibm.com>, Catalin Marinas <catalin.marinas@arm.com>, Will Deacon <will@kernel.org>, Ryan Roberts <ryan.roberts@arm.com>, Paul Walmsley <paul.walmsley@sifive.com>, Palmer Dabbelt <palmer@dabbelt.com>, Gerald Schaefer <gerald.schaefer@linux.ibm.com>, Heiko Carstens <hca@linux.ibm.com>, Vasily Gorbik <gor@linux.ibm.com>, Christian Borntraeger <borntraeger@linux.ibm.com>, Sven Schnelle <svens@linux.ibm.com>, Andrew Morton <akpm@linux-foundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250819150921.531532-1-sashal@kernel.org>
+
+From: Anshuman Khandual <anshuman.khandual@arm.com>
+
+[ Upstream commit 59305202c67fea50378dcad0cc199dbc13a0e99a ]
+
+Memory hot remove unmaps and tears down various kernel page table regions
+as required.  The ptdump code can race with concurrent modifications of
+the kernel page tables.  When leaf entries are modified concurrently, the
+dump code may log stale or inconsistent information for a VA range, but
+this is otherwise not harmful.
+
+But when intermediate levels of kernel page table are freed, the dump code
+will continue to use memory that has been freed and potentially
+reallocated for another purpose.  In such cases, the ptdump code may
+dereference bogus addresses, leading to a number of potential problems.
+
+To avoid the above mentioned race condition, platforms such as arm64,
+riscv and s390 take memory hotplug lock, while dumping kernel page table
+via the sysfs interface /sys/kernel/debug/kernel_page_tables.
+
+Similar race condition exists while checking for pages that might have
+been marked W+X via /sys/kernel/debug/kernel_page_tables/check_wx_pages
+which in turn calls ptdump_check_wx().  Instead of solving this race
+condition again, let's just move the memory hotplug lock inside generic
+ptdump_check_wx() which will benefit both the scenarios.
+
+Drop get_online_mems() and put_online_mems() combination from all existing
+platform ptdump code paths.
+
+Link: https://lkml.kernel.org/r/20250620052427.2092093-1-anshuman.khandual@arm.com
+Fixes: bbd6ec605c0f ("arm64/mm: Enable memory hot remove")
+Signed-off-by: Anshuman Khandual <anshuman.khandual@arm.com>
+Acked-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Dev Jain <dev.jain@arm.com>
+Acked-by: Alexander Gordeev <agordeev@linux.ibm.com>   [s390]
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Will Deacon <will@kernel.org>
+Cc: Ryan Roberts <ryan.roberts@arm.com>
+Cc: Paul Walmsley <paul.walmsley@sifive.com>
+Cc: Palmer Dabbelt <palmer@dabbelt.com>
+Cc: Alexander Gordeev <agordeev@linux.ibm.com>
+Cc: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
+Cc: Heiko Carstens <hca@linux.ibm.com>
+Cc: Vasily Gorbik <gor@linux.ibm.com>
+Cc: Christian Borntraeger <borntraeger@linux.ibm.com>
+Cc: Sven Schnelle <svens@linux.ibm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/mm/ptdump_debugfs.c |    3 ---
+ arch/s390/mm/dump_pagetables.c |    2 --
+ mm/ptdump.c                    |    2 ++
+ 3 files changed, 2 insertions(+), 5 deletions(-)
+
+--- a/arch/arm64/mm/ptdump_debugfs.c
++++ b/arch/arm64/mm/ptdump_debugfs.c
+@@ -1,6 +1,5 @@
+ // SPDX-License-Identifier: GPL-2.0
+ #include <linux/debugfs.h>
+-#include <linux/memory_hotplug.h>
+ #include <linux/seq_file.h>
+ #include <asm/ptdump.h>
+@@ -9,9 +8,7 @@ static int ptdump_show(struct seq_file *
+ {
+       struct ptdump_info *info = m->private;
+-      get_online_mems();
+       ptdump_walk(m, info);
+-      put_online_mems();
+       return 0;
+ }
+ DEFINE_SHOW_ATTRIBUTE(ptdump);
+--- a/arch/s390/mm/dump_pagetables.c
++++ b/arch/s390/mm/dump_pagetables.c
+@@ -218,11 +218,9 @@ static int ptdump_show(struct seq_file *
+               .marker = address_markers,
+       };
+-      get_online_mems();
+       mutex_lock(&cpa_mutex);
+       ptdump_walk_pgd(&st.ptdump, &init_mm, NULL);
+       mutex_unlock(&cpa_mutex);
+-      put_online_mems();
+       return 0;
+ }
+ DEFINE_SHOW_ATTRIBUTE(ptdump);
+--- a/mm/ptdump.c
++++ b/mm/ptdump.c
+@@ -141,6 +141,7 @@ void ptdump_walk_pgd(struct ptdump_state
+ {
+       const struct ptdump_range *range = st->range;
++      get_online_mems();
+       mmap_write_lock(mm);
+       while (range->start != range->end) {
+               walk_page_range_novma(mm, range->start, range->end,
+@@ -148,6 +149,7 @@ void ptdump_walk_pgd(struct ptdump_state
+               range++;
+       }
+       mmap_write_unlock(mm);
++      put_online_mems();
+       /* Flush out the last page */
+       st->note_page(st, 0, -1, 0);
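Review bot: On s390 the lock nesting changes: ptdump_show() used to call get_online_mems() before `mutex_lock(&cpa_mutex)`, and now the hotplug lock is taken inside ptdump_walk_pgd(), that is, while cpa_mutex is already held. Whether any other path takes cpa_mutex under the memory hotplug lock is not visible here, so the new order should be checked against those users for this 5.10 backport. The mm/ptdump.c section adds the get_online_mems()/put_online_mems() calls without a visible `#include <linux/memory_hotplug.h>`, while the arm64 file drops its include; the header may arrive transitively, but that is worth confirming with a build. A short comment at the call, such as `/* block memory hot-remove so page tables are not freed during the walk */`, would record why the lock is held.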
diff --git a/queue-5.10/net-sched-ets-use-old-nbands-while-purging-unused-classes.patch b/queue-5.10/net-sched-ets-use-old-nbands-while-purging-unused-classes.patch
new file mode 100644 (file)
index 0000000..2c0aa96
--- /dev/null
@@ -0,0 +1,119 @@
+From stable+bounces-171802-greg=kroah.com@vger.kernel.org Tue Aug 19 16:37:20 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Aug 2025 10:32:53 -0400
+Subject: net/sched: ets: use old 'nbands' while purging unused classes
+To: stable@vger.kernel.org
+Cc: Davide Caratti <dcaratti@redhat.com>, Li Shuang <shuali@redhat.com>, Petr Machata <petrm@nvidia.com>, Ivan Vecera <ivecera@redhat.com>, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250819143253.512050-3-sashal@kernel.org>
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+[ Upstream commit 87c6efc5ce9c126ae4a781bc04504b83780e3650 ]
+
+Shuang reported sch_ets test-case [1] crashing in ets_class_qlen_notify()
+after recent changes from Lion [2]. The problem is: in ets_qdisc_change()
+we purge unused DWRR queues; the value of 'q->nbands' is the new one, and
+the cleanup should be done with the old one. The problem is here since my
+first attempts to fix ets_qdisc_change(), but it surfaced again after the
+recent qdisc len accounting fixes. Fix it purging idle DWRR queues before
+assigning a new value of 'q->nbands', so that all purge operations find a
+consistent configuration:
+
+ - old 'q->nbands' because it's needed by ets_class_find()
+ - old 'q->nstrict' because it's needed by ets_class_is_strict()
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000000
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: Oops: 0000 [#1] SMP NOPTI
+ CPU: 62 UID: 0 PID: 39457 Comm: tc Kdump: loaded Not tainted 6.12.0-116.el10.x86_64 #1 PREEMPT(voluntary)
+ Hardware name: Dell Inc. PowerEdge R640/06DKY5, BIOS 2.12.2 07/09/2021
+ RIP: 0010:__list_del_entry_valid_or_report+0x4/0x80
+ Code: ff 4c 39 c7 0f 84 39 19 8e ff b8 01 00 00 00 c3 cc cc cc cc 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <48> 8b 17 48 8b 4f 08 48 85 d2 0f 84 56 19 8e ff 48 85 c9 0f 84 ab
+ RSP: 0018:ffffba186009f400 EFLAGS: 00010202
+ RAX: 00000000000000d6 RBX: 0000000000000000 RCX: 0000000000000004
+ RDX: ffff9f0fa29b69c0 RSI: 0000000000000000 RDI: 0000000000000000
+ RBP: ffffffffc12c2400 R08: 0000000000000008 R09: 0000000000000004
+ R10: ffffffffffffffff R11: 0000000000000004 R12: 0000000000000000
+ R13: ffff9f0f8cfe0000 R14: 0000000000100005 R15: 0000000000000000
+ FS:  00007f2154f37480(0000) GS:ffff9f269c1c0000(0000) knlGS:0000000000000000
+ CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000000 CR3: 00000001530be001 CR4: 00000000007726f0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ PKRU: 55555554
+ Call Trace:
+  <TASK>
+  ets_class_qlen_notify+0x65/0x90 [sch_ets]
+  qdisc_tree_reduce_backlog+0x74/0x110
+  ets_qdisc_change+0x630/0xa40 [sch_ets]
+  __tc_modify_qdisc.constprop.0+0x216/0x7f0
+  tc_modify_qdisc+0x7c/0x120
+  rtnetlink_rcv_msg+0x145/0x3f0
+  netlink_rcv_skb+0x53/0x100
+  netlink_unicast+0x245/0x390
+  netlink_sendmsg+0x21b/0x470
+  ____sys_sendmsg+0x39d/0x3d0
+  ___sys_sendmsg+0x9a/0xe0
+  __sys_sendmsg+0x7a/0xd0
+  do_syscall_64+0x7d/0x160
+  entry_SYSCALL_64_after_hwframe+0x76/0x7e
+ RIP: 0033:0x7f2155114084
+ Code: 89 02 b8 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 80 3d 25 f0 0c 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89
+ RSP: 002b:00007fff1fd7a988 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
+ RAX: ffffffffffffffda RBX: 0000560ec063e5e0 RCX: 00007f2155114084
+ RDX: 0000000000000000 RSI: 00007fff1fd7a9f0 RDI: 0000000000000003
+ RBP: 00007fff1fd7aa60 R08: 0000000000000010 R09: 000000000000003f
+ R10: 0000560ee9b3a010 R11: 0000000000000202 R12: 00007fff1fd7aae0
+ R13: 000000006891ccde R14: 0000560ec063e5e0 R15: 00007fff1fd7aad0
+  </TASK>
+
+ [1] https://lore.kernel.org/netdev/e08c7f4a6882f260011909a868311c6e9b54f3e4.1639153474.git.dcaratti@redhat.com/
+ [2] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/
+
+Cc: stable@vger.kernel.org
+Fixes: 103406b38c60 ("net/sched: Always pass notifications when child class becomes empty")
+Fixes: c062f2a0b04d ("net/sched: sch_ets: don't remove idle classes from the round-robin list")
+Fixes: dcc68b4d8084 ("net: sch_ets: Add a new Qdisc")
+Reported-by: Li Shuang <shuali@redhat.com>
+Closes: https://issues.redhat.com/browse/RHEL-108026
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Co-developed-by: Ivan Vecera <ivecera@redhat.com>
+Signed-off-by: Ivan Vecera <ivecera@redhat.com>
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Link: https://patch.msgid.link/7928ff6d17db47a2ae7cc205c44777b1f1950545.1755016081.git.dcaratti@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_ets.c |   11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/net/sched/sch_ets.c
++++ b/net/sched/sch_ets.c
+@@ -664,6 +664,12 @@ static int ets_qdisc_change(struct Qdisc
+       sch_tree_lock(sch);
++      for (i = nbands; i < oldbands; i++) {
++              if (i >= q->nstrict && q->classes[i].qdisc->q.qlen)
++                      list_del_init(&q->classes[i].alist);
++              qdisc_purge_queue(q->classes[i].qdisc);
++      }
++
+       WRITE_ONCE(q->nbands, nbands);
+       for (i = nstrict; i < q->nstrict; i++) {
+               if (q->classes[i].qdisc->q.qlen) {
+@@ -671,11 +677,6 @@ static int ets_qdisc_change(struct Qdisc
+                       q->classes[i].deficit = quanta[i];
+               }
+       }
+-      for (i = q->nbands; i < oldbands; i++) {
+-              if (i >= q->nstrict && q->classes[i].qdisc->q.qlen)
+-                      list_del_init(&q->classes[i].alist);
+-              qdisc_purge_queue(q->classes[i].qdisc);
+-      }
+       WRITE_ONCE(q->nstrict, nstrict);
+       memcpy(q->prio2band, priomap, sizeof(priomap));
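Review bot: The relocated purge loop in ets_qdisc_change() is only correct because it runs before `WRITE_ONCE(q->nbands, nbands)` and `WRITE_ONCE(q->nstrict, nstrict)`, but nothing in the code says so, and a later reordering would reintroduce the NULL dereference shown in the commit message. A comment above the loop would pin the constraint, for example `/* purge while q->nbands and q->nstrict still hold the old values: ets_class_find() and ets_class_is_strict() rely on them */`. The function body starts and ends outside the hunk.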
diff --git a/queue-5.10/net-sched-sch_ets-properly-init-all-active-drr-list-handles.patch b/queue-5.10/net-sched-sch_ets-properly-init-all-active-drr-list-handles.patch
new file mode 100644 (file)
index 0000000..70ccb4d
--- /dev/null
@@ -0,0 +1,75 @@
+From stable+bounces-171800-greg=kroah.com@vger.kernel.org Tue Aug 19 16:33:13 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Aug 2025 10:32:51 -0400
+Subject: net/sched: sch_ets: properly init all active DRR list handles
+To: stable@vger.kernel.org
+Cc: Davide Caratti <dcaratti@redhat.com>, Cong Wang <cong.wang@bytedance.com>, "David S. Miller" <davem@davemloft.net>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250819143253.512050-1-sashal@kernel.org>
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+[ Upstream commit 454d3e1ae057a1e09a15905b06b860f60d6c14d0 ]
+
+leaf classes of ETS qdiscs are served in strict priority or deficit round
+robin (DRR), depending on the value of 'nstrict'. Since this value can be
+changed while traffic is running, we need to be sure that the active list
+of DRR classes can be updated at any time, so:
+
+1) call INIT_LIST_HEAD(&alist) on all leaf classes in .init(), before the
+   first packet hits any of them.
+2) ensure that 'alist' is not overwritten with zeros when a leaf class is
+   no more strict priority nor DRR (i.e. array elements beyond 'nbands').
+
+Link: https://lore.kernel.org/netdev/YS%2FoZ+f0Nr8eQkzH@dcaratti.users.ipa.redhat.com
+Suggested-by: Cong Wang <cong.wang@bytedance.com>
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 87c6efc5ce9c ("net/sched: ets: use old 'nbands' while purging unused classes")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_ets.c |   12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/net/sched/sch_ets.c
++++ b/net/sched/sch_ets.c
+@@ -666,7 +666,6 @@ static int ets_qdisc_change(struct Qdisc
+       q->nbands = nbands;
+       for (i = nstrict; i < q->nstrict; i++) {
+-              INIT_LIST_HEAD(&q->classes[i].alist);
+               if (q->classes[i].qdisc->q.qlen) {
+                       list_add_tail(&q->classes[i].alist, &q->active);
+                       q->classes[i].deficit = quanta[i];
+@@ -694,7 +693,11 @@ static int ets_qdisc_change(struct Qdisc
+       ets_offload_change(sch);
+       for (i = q->nbands; i < oldbands; i++) {
+               qdisc_put(q->classes[i].qdisc);
+-              memset(&q->classes[i], 0, sizeof(q->classes[i]));
++              q->classes[i].qdisc = NULL;
++              q->classes[i].quantum = 0;
++              q->classes[i].deficit = 0;
++              memset(&q->classes[i].bstats, 0, sizeof(q->classes[i].bstats));
++              memset(&q->classes[i].qstats, 0, sizeof(q->classes[i].qstats));
+       }
+       return 0;
+ }
+@@ -703,7 +706,7 @@ static int ets_qdisc_init(struct Qdisc *
+                         struct netlink_ext_ack *extack)
+ {
+       struct ets_sched *q = qdisc_priv(sch);
+-      int err;
++      int err, i;
+       if (!opt)
+               return -EINVAL;
+@@ -713,6 +716,9 @@ static int ets_qdisc_init(struct Qdisc *
+               return err;
+       INIT_LIST_HEAD(&q->active);
++      for (i = 0; i < TCQ_ETS_MAX_BANDS; i++)
++              INIT_LIST_HEAD(&q->classes[i].alist);
++
+       return ets_qdisc_change(sch, opt, extack);
+ }
diff --git a/queue-5.10/net_sched-sch_ets-implement-lockless-ets_dump.patch b/queue-5.10/net_sched-sch_ets-implement-lockless-ets_dump.patch
new file mode 100644 (file)
index 0000000..fcd63f8
--- /dev/null
@@ -0,0 +1,106 @@
+From stable+bounces-171801-greg=kroah.com@vger.kernel.org Tue Aug 19 16:37:13 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Aug 2025 10:32:52 -0400
+Subject: net_sched: sch_ets: implement lockless ets_dump()
+To: stable@vger.kernel.org
+Cc: Eric Dumazet <edumazet@google.com>, Simon Horman <horms@kernel.org>, "David S. Miller" <davem@davemloft.net>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250819143253.512050-2-sashal@kernel.org>
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit c5f1dde7f731e7bf2e7c169ca42cb4989fc2f8b9 ]
+
+Instead of relying on RTNL, ets_dump() can use READ_ONCE()
+annotations, paired with WRITE_ONCE() ones in ets_change().
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 87c6efc5ce9c ("net/sched: ets: use old 'nbands' while purging unused classes")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_ets.c |   25 ++++++++++++++-----------
+ 1 file changed, 14 insertions(+), 11 deletions(-)
+
+--- a/net/sched/sch_ets.c
++++ b/net/sched/sch_ets.c
+@@ -664,7 +664,7 @@ static int ets_qdisc_change(struct Qdisc
+       sch_tree_lock(sch);
+-      q->nbands = nbands;
++      WRITE_ONCE(q->nbands, nbands);
+       for (i = nstrict; i < q->nstrict; i++) {
+               if (q->classes[i].qdisc->q.qlen) {
+                       list_add_tail(&q->classes[i].alist, &q->active);
+@@ -676,11 +676,11 @@ static int ets_qdisc_change(struct Qdisc
+                       list_del_init(&q->classes[i].alist);
+               qdisc_purge_queue(q->classes[i].qdisc);
+       }
+-      q->nstrict = nstrict;
++      WRITE_ONCE(q->nstrict, nstrict);
+       memcpy(q->prio2band, priomap, sizeof(priomap));
+       for (i = 0; i < q->nbands; i++)
+-              q->classes[i].quantum = quanta[i];
++              WRITE_ONCE(q->classes[i].quantum, quanta[i]);
+       for (i = oldbands; i < q->nbands; i++) {
+               q->classes[i].qdisc = queues[i];
+@@ -694,7 +694,7 @@ static int ets_qdisc_change(struct Qdisc
+       for (i = q->nbands; i < oldbands; i++) {
+               qdisc_put(q->classes[i].qdisc);
+               q->classes[i].qdisc = NULL;
+-              q->classes[i].quantum = 0;
++              WRITE_ONCE(q->classes[i].quantum, 0);
+               q->classes[i].deficit = 0;
+               memset(&q->classes[i].bstats, 0, sizeof(q->classes[i].bstats));
+               memset(&q->classes[i].qstats, 0, sizeof(q->classes[i].qstats));
+@@ -751,6 +751,7 @@ static int ets_qdisc_dump(struct Qdisc *
+       struct ets_sched *q = qdisc_priv(sch);
+       struct nlattr *opts;
+       struct nlattr *nest;
++      u8 nbands, nstrict;
+       int band;
+       int prio;
+       int err;
+@@ -763,21 +764,22 @@ static int ets_qdisc_dump(struct Qdisc *
+       if (!opts)
+               goto nla_err;
+-      if (nla_put_u8(skb, TCA_ETS_NBANDS, q->nbands))
++      nbands = READ_ONCE(q->nbands);
++      if (nla_put_u8(skb, TCA_ETS_NBANDS, nbands))
+               goto nla_err;
+-      if (q->nstrict &&
+-          nla_put_u8(skb, TCA_ETS_NSTRICT, q->nstrict))
++      nstrict = READ_ONCE(q->nstrict);
++      if (nstrict && nla_put_u8(skb, TCA_ETS_NSTRICT, nstrict))
+               goto nla_err;
+-      if (q->nbands > q->nstrict) {
++      if (nbands > nstrict) {
+               nest = nla_nest_start(skb, TCA_ETS_QUANTA);
+               if (!nest)
+                       goto nla_err;
+-              for (band = q->nstrict; band < q->nbands; band++) {
++              for (band = nstrict; band < nbands; band++) {
+                       if (nla_put_u32(skb, TCA_ETS_QUANTA_BAND,
+-                                      q->classes[band].quantum))
++                                      READ_ONCE(q->classes[band].quantum)))
+                               goto nla_err;
+               }
+@@ -789,7 +791,8 @@ static int ets_qdisc_dump(struct Qdisc *
+               goto nla_err;
+       for (prio = 0; prio <= TC_PRIO_MAX; prio++) {
+-              if (nla_put_u8(skb, TCA_ETS_PRIOMAP_BAND, q->prio2band[prio]))
++              if (nla_put_u8(skb, TCA_ETS_PRIOMAP_BAND,
++                             READ_ONCE(q->prio2band[prio])))
+                       goto nla_err;
+       }
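Review bot: The dump side now reads `READ_ONCE(q->prio2band[prio])`, but the writer shown as context in ets_qdisc_change() is still the plain `memcpy(q->prio2band, priomap, sizeof(priomap));`, so this one field has no matching WRITE_ONCE() even though the description says the annotations are paired. The elements are written with nla_put_u8, so tearing of a single entry is unlikely to matter, but the unannotated store is what a data-race checker would presumably flag. An annotated copy would be `for (i = 0; i <= TC_PRIO_MAX; i++)` followed by `WRITE_ONCE(q->prio2band[i], priomap[i]);`, assuming priomap has TC_PRIO_MAX + 1 entries as the dump loop suggests. The enclosing function continues outside the hunk.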
diff --git a/queue-5.10/nfs-create-an-nfs4_server_set_init_caps-function.patch b/queue-5.10/nfs-create-an-nfs4_server_set_init_caps-function.patch
new file mode 100644 (file)
index 0000000..f9c7b07
--- /dev/null
@@ -0,0 +1,96 @@
+From stable+bounces-169823-greg=kroah.com@vger.kernel.org Fri Aug 15 22:47:43 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Aug 2025 16:47:30 -0400
+Subject: NFS: Create an nfs4_server_set_init_caps() function
+To: stable@vger.kernel.org
+Cc: Anna Schumaker <Anna.Schumaker@Netapp.com>, Trond Myklebust <trond.myklebust@hammerspace.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250815204731.220441-3-sashal@kernel.org>
+
+From: Anna Schumaker <Anna.Schumaker@Netapp.com>
+
+[ Upstream commit 01dde76e471229e3437a2686c572f4980b2c483e ]
+
+And call it before doing an FSINFO probe to reset to the baseline
+capabilities before probing.
+
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Stable-dep-of: b01f21cacde9 ("NFS: Fix the setting of capabilities when automounting a new filesystem")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/internal.h   |    1 +
+ fs/nfs/nfs4client.c |   33 +++++++++++++++++++--------------
+ fs/nfs/nfs4proc.c   |    2 ++
+ 3 files changed, 22 insertions(+), 14 deletions(-)
+
+--- a/fs/nfs/internal.h
++++ b/fs/nfs/internal.h
+@@ -222,6 +222,7 @@ extern struct nfs_client *
+ nfs4_find_client_sessionid(struct net *, const struct sockaddr *,
+                               struct nfs4_sessionid *, u32);
+ extern struct nfs_server *nfs_create_server(struct fs_context *);
++extern void nfs4_server_set_init_caps(struct nfs_server *);
+ extern struct nfs_server *nfs4_create_server(struct fs_context *);
+ extern struct nfs_server *nfs4_create_referral_server(struct fs_context *);
+ extern int nfs4_update_server(struct nfs_server *server, const char *hostname,
+--- a/fs/nfs/nfs4client.c
++++ b/fs/nfs/nfs4client.c
+@@ -1025,6 +1025,24 @@ static void nfs4_session_limit_xasize(st
+ #endif
+ }
++void nfs4_server_set_init_caps(struct nfs_server *server)
++{
++      /* Set the basic capabilities */
++      server->caps |= server->nfs_client->cl_mvops->init_caps;
++      if (server->flags & NFS_MOUNT_NORDIRPLUS)
++                      server->caps &= ~NFS_CAP_READDIRPLUS;
++      if (server->nfs_client->cl_proto == XPRT_TRANSPORT_RDMA)
++              server->caps &= ~NFS_CAP_READ_PLUS;
++
++      /*
++       * Don't use NFS uid/gid mapping if we're using AUTH_SYS or lower
++       * authentication.
++       */
++      if (nfs4_disable_idmapping &&
++                      server->client->cl_auth->au_flavor == RPC_AUTH_UNIX)
++              server->caps |= NFS_CAP_UIDGID_NOMAP;
++}
++
+ static int nfs4_server_common_setup(struct nfs_server *server,
+               struct nfs_fh *mntfh, bool auth_probe)
+ {
+@@ -1044,20 +1062,7 @@ static int nfs4_server_common_setup(stru
+       if (error < 0)
+               goto out;
+-      /* Set the basic capabilities */
+-      server->caps |= server->nfs_client->cl_mvops->init_caps;
+-      if (server->flags & NFS_MOUNT_NORDIRPLUS)
+-                      server->caps &= ~NFS_CAP_READDIRPLUS;
+-      if (server->nfs_client->cl_proto == XPRT_TRANSPORT_RDMA)
+-              server->caps &= ~NFS_CAP_READ_PLUS;
+-      /*
+-       * Don't use NFS uid/gid mapping if we're using AUTH_SYS or lower
+-       * authentication.
+-       */
+-      if (nfs4_disable_idmapping &&
+-                      server->client->cl_auth->au_flavor == RPC_AUTH_UNIX)
+-              server->caps |= NFS_CAP_UIDGID_NOMAP;
+-
++      nfs4_server_set_init_caps(server);
+       /* Probe the root fh to retrieve its FSID and filehandle */
+       error = nfs4_get_rootfh(server, mntfh, auth_probe);
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -3934,6 +3934,8 @@ int nfs4_server_capabilities(struct nfs_
+               .interruptible = true,
+       };
+       int err;
++
++      nfs4_server_set_init_caps(server);
+       do {
+               err = nfs4_handle_exception(server,
+                               _nfs4_server_capabilities(server, fhandle),
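Review bot: nfs4_server_set_init_caps() is described as resetting to the baseline capabilities before probing, but its first statement is `server->caps |= server->nfs_client->cl_mvops->init_caps;`, which only adds bits. Called from nfs4_server_capabilities(), it therefore leaves in place whatever an earlier probe set, including `NFS_CAP_UIDGID_NOMAP`. A reset needs a plain assignment, `server->caps = server->nfs_client->cl_mvops->init_caps;`, which is the form the later automount fix in this queue uses. Until that patch is applied, the helper does not do what its description says, which matters for bisection. The `server->caps &= ~NFS_CAP_READDIRPLUS;` line also carries one tab too many.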
diff --git a/queue-5.10/nfs-don-t-set-nfs_ino_reval_pagecache-in-the-inode-cache-validity.patch b/queue-5.10/nfs-don-t-set-nfs_ino_reval_pagecache-in-the-inode-cache-validity.patch
new file mode 100644 (file)
index 0000000..a289469
--- /dev/null
@@ -0,0 +1,73 @@
+From stable+bounces-169821-greg=kroah.com@vger.kernel.org Fri Aug 15 22:47:41 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Aug 2025 16:47:28 -0400
+Subject: NFS: Don't set NFS_INO_REVAL_PAGECACHE in the inode cache validity
+To: stable@vger.kernel.org
+Cc: Trond Myklebust <trond.myklebust@hammerspace.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250815204731.220441-1-sashal@kernel.org>
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit 36a9346c225270262d9f34e66c91aa1723fa903f ]
+
+It is no longer necessary to preserve the NFS_INO_REVAL_PAGECACHE flag.
+
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Stable-dep-of: b01f21cacde9 ("NFS: Fix the setting of capabilities when automounting a new filesystem")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/inode.c    |    6 ++----
+ fs/nfs/nfs4proc.c |    1 -
+ 2 files changed, 2 insertions(+), 5 deletions(-)
+
+--- a/fs/nfs/inode.c
++++ b/fs/nfs/inode.c
+@@ -217,11 +217,12 @@ static void nfs_set_cache_invalid(struct
+                       flags &= ~NFS_INO_INVALID_OTHER;
+               flags &= ~(NFS_INO_INVALID_CHANGE
+                               | NFS_INO_INVALID_SIZE
+-                              | NFS_INO_REVAL_PAGECACHE
+                               | NFS_INO_INVALID_XATTR);
+       } else if (flags & NFS_INO_REVAL_PAGECACHE)
+               flags |= NFS_INO_INVALID_CHANGE | NFS_INO_INVALID_SIZE;
++      flags &= ~NFS_INO_REVAL_PAGECACHE;
++
+       if (!nfs_has_xattr_cache(nfsi))
+               flags &= ~NFS_INO_INVALID_XATTR;
+       if (inode->i_mapping->nrpages == 0)
+@@ -1900,7 +1901,6 @@ static int nfs_update_inode(struct inode
+       nfsi->cache_validity &= ~(NFS_INO_INVALID_ATTR
+                       | NFS_INO_INVALID_ATIME
+                       | NFS_INO_REVAL_FORCED
+-                      | NFS_INO_REVAL_PAGECACHE
+                       | NFS_INO_INVALID_BLOCKS);
+       /* Do atomic weak cache consistency updates */
+@@ -1942,7 +1942,6 @@ static int nfs_update_inode(struct inode
+       } else {
+               nfsi->cache_validity |= save_cache_validity &
+                               (NFS_INO_INVALID_CHANGE
+-                              | NFS_INO_REVAL_PAGECACHE
+                               | NFS_INO_REVAL_FORCED);
+               cache_revalidated = false;
+       }
+@@ -1988,7 +1987,6 @@ static int nfs_update_inode(struct inode
+       } else {
+               nfsi->cache_validity |= save_cache_validity &
+                               (NFS_INO_INVALID_SIZE
+-                              | NFS_INO_REVAL_PAGECACHE
+                               | NFS_INO_REVAL_FORCED);
+               cache_revalidated = false;
+       }
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -1213,7 +1213,6 @@ nfs4_update_changeattr_locked(struct ino
+               | cache_validity;
+       if (cinfo->atomic && cinfo->before == inode_peek_iversion_raw(inode)) {
+-              nfsi->cache_validity &= ~NFS_INO_REVAL_PAGECACHE;
+               nfsi->attrtimeo_timestamp = jiffies;
+       } else {
+               if (S_ISDIR(inode->i_mode)) {
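Review bot: The new unconditional `flags &= ~NFS_INO_REVAL_PAGECACHE;` in nfs_set_cache_invalid() is unexplained in the code, and the one-line commit message does not say why the bit no longer needs to be kept. From the hunk, the bit is treated as a request that the `else if` just above turns into `NFS_INO_INVALID_CHANGE | NFS_INO_INVALID_SIZE`, and it is then never stored. A comment such as `/* REVAL_PAGECACHE is a request only; it was translated above and is never kept in cache_validity */` would record that. Since nfs_update_inode() also stops carrying the bit over from save_cache_validity, any code in the 5.10 tree that still tests it in `nfsi->cache_validity` would presumably never see it set, so that is worth checking against the backport target. All four functions touched here extend beyond their hunks.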
diff --git a/queue-5.10/nfs-fix-the-setting-of-capabilities-when-automounting-a-new-filesystem.patch b/queue-5.10/nfs-fix-the-setting-of-capabilities-when-automounting-a-new-filesystem.patch
new file mode 100644 (file)
index 0000000..45580f0
--- /dev/null
@@ -0,0 +1,171 @@
+From stable+bounces-169824-greg=kroah.com@vger.kernel.org Fri Aug 15 22:49:40 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Aug 2025 16:47:31 -0400
+Subject: NFS: Fix the setting of capabilities when automounting a new filesystem
+To: stable@vger.kernel.org
+Cc: Trond Myklebust <trond.myklebust@hammerspace.com>, Benjamin Coddington <bcodding@redhat.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250815204731.220441-4-sashal@kernel.org>
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit b01f21cacde9f2878492cf318fee61bf4ccad323 ]
+
+Capabilities cannot be inherited when we cross into a new filesystem.
+They need to be reset to the minimal defaults, and then probed for
+again.
+
+Fixes: 54ceac451598 ("NFS: Share NFS superblocks per-protocol per-server per-FSID")
+Cc: stable@vger.kernel.org
+Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+[ Removed extended capability flags that don't exist in older trees ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/client.c     |   46 ++++++++++++++++++++++++++++++++++++++++++----
+ fs/nfs/internal.h   |    2 +-
+ fs/nfs/nfs4client.c |   20 +-------------------
+ fs/nfs/nfs4proc.c   |    2 +-
+ 4 files changed, 45 insertions(+), 25 deletions(-)
+
+--- a/fs/nfs/client.c
++++ b/fs/nfs/client.c
+@@ -661,6 +661,44 @@ struct nfs_client *nfs_init_client(struc
+ }
+ EXPORT_SYMBOL_GPL(nfs_init_client);
++static void nfs4_server_set_init_caps(struct nfs_server *server)
++{
++#if IS_ENABLED(CONFIG_NFS_V4)
++      /* Set the basic capabilities */
++      server->caps = server->nfs_client->cl_mvops->init_caps;
++      if (server->flags & NFS_MOUNT_NORDIRPLUS)
++              server->caps &= ~NFS_CAP_READDIRPLUS;
++      if (server->nfs_client->cl_proto == XPRT_TRANSPORT_RDMA)
++              server->caps &= ~NFS_CAP_READ_PLUS;
++
++      /*
++       * Don't use NFS uid/gid mapping if we're using AUTH_SYS or lower
++       * authentication.
++       */
++      if (nfs4_disable_idmapping &&
++          server->client->cl_auth->au_flavor == RPC_AUTH_UNIX)
++              server->caps |= NFS_CAP_UIDGID_NOMAP;
++#endif
++}
++
++void nfs_server_set_init_caps(struct nfs_server *server)
++{
++      switch (server->nfs_client->rpc_ops->version) {
++      case 2:
++              server->caps = NFS_CAP_HARDLINKS | NFS_CAP_SYMLINKS;
++              break;
++      case 3:
++              server->caps = NFS_CAP_HARDLINKS | NFS_CAP_SYMLINKS;
++              if (!(server->flags & NFS_MOUNT_NORDIRPLUS))
++                      server->caps |= NFS_CAP_READDIRPLUS;
++              break;
++      default:
++              nfs4_server_set_init_caps(server);
++              break;
++      }
++}
++EXPORT_SYMBOL_GPL(nfs_server_set_init_caps);
++
+ /*
+  * Create a version 2 or 3 client
+  */
+@@ -699,9 +737,6 @@ static int nfs_init_server(struct nfs_se
+       /* Initialise the client representation from the mount data */
+       server->flags = ctx->flags;
+       server->options = ctx->options;
+-      server->caps |= NFS_CAP_HARDLINKS|NFS_CAP_SYMLINKS|NFS_CAP_FILEID|
+-              NFS_CAP_MODE|NFS_CAP_NLINK|NFS_CAP_OWNER|NFS_CAP_OWNER_GROUP|
+-              NFS_CAP_ATIME|NFS_CAP_CTIME|NFS_CAP_MTIME;
+       if (ctx->rsize)
+               server->rsize = nfs_block_size(ctx->rsize, NULL);
+@@ -726,6 +761,8 @@ static int nfs_init_server(struct nfs_se
+       if (error < 0)
+               goto error;
++      nfs_server_set_init_caps(server);
++
+       /* Preserve the values of mount_server-related mount options */
+       if (ctx->mount_server.addrlen) {
+               memcpy(&server->mountd_address, &ctx->mount_server.address,
+@@ -867,7 +904,6 @@ void nfs_server_copy_userdata(struct nfs
+       target->acregmax = source->acregmax;
+       target->acdirmin = source->acdirmin;
+       target->acdirmax = source->acdirmax;
+-      target->caps = source->caps;
+       target->options = source->options;
+       target->auth_info = source->auth_info;
+       target->port = source->port;
+@@ -1076,6 +1112,8 @@ struct nfs_server *nfs_clone_server(stru
+       if (error < 0)
+               goto out_free_server;
++      nfs_server_set_init_caps(server);
++
+       /* probe the filesystem info for this server filesystem */
+       error = nfs_probe_fsinfo(server, fh, fattr_fsinfo);
+       if (error < 0)
+--- a/fs/nfs/internal.h
++++ b/fs/nfs/internal.h
+@@ -222,7 +222,7 @@ extern struct nfs_client *
+ nfs4_find_client_sessionid(struct net *, const struct sockaddr *,
+                               struct nfs4_sessionid *, u32);
+ extern struct nfs_server *nfs_create_server(struct fs_context *);
+-extern void nfs4_server_set_init_caps(struct nfs_server *);
++extern void nfs_server_set_init_caps(struct nfs_server *);
+ extern struct nfs_server *nfs4_create_server(struct fs_context *);
+ extern struct nfs_server *nfs4_create_referral_server(struct fs_context *);
+ extern int nfs4_update_server(struct nfs_server *server, const char *hostname,
+--- a/fs/nfs/nfs4client.c
++++ b/fs/nfs/nfs4client.c
+@@ -1025,24 +1025,6 @@ static void nfs4_session_limit_xasize(st
+ #endif
+ }
+-void nfs4_server_set_init_caps(struct nfs_server *server)
+-{
+-      /* Set the basic capabilities */
+-      server->caps |= server->nfs_client->cl_mvops->init_caps;
+-      if (server->flags & NFS_MOUNT_NORDIRPLUS)
+-                      server->caps &= ~NFS_CAP_READDIRPLUS;
+-      if (server->nfs_client->cl_proto == XPRT_TRANSPORT_RDMA)
+-              server->caps &= ~NFS_CAP_READ_PLUS;
+-
+-      /*
+-       * Don't use NFS uid/gid mapping if we're using AUTH_SYS or lower
+-       * authentication.
+-       */
+-      if (nfs4_disable_idmapping &&
+-                      server->client->cl_auth->au_flavor == RPC_AUTH_UNIX)
+-              server->caps |= NFS_CAP_UIDGID_NOMAP;
+-}
+-
+ static int nfs4_server_common_setup(struct nfs_server *server,
+               struct nfs_fh *mntfh, bool auth_probe)
+ {
+@@ -1062,7 +1044,7 @@ static int nfs4_server_common_setup(stru
+       if (error < 0)
+               goto out;
+-      nfs4_server_set_init_caps(server);
++      nfs_server_set_init_caps(server);
+       /* Probe the root fh to retrieve its FSID and filehandle */
+       error = nfs4_get_rootfh(server, mntfh, auth_probe);
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -3935,7 +3935,7 @@ int nfs4_server_capabilities(struct nfs_
+       };
+       int err;
+-      nfs4_server_set_init_caps(server);
++      nfs_server_set_init_caps(server);
+       do {
+               err = nfs4_handle_exception(server,
+                               _nfs4_server_capabilities(server, fhandle),
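Review bot: In nfs_server_set_init_caps(), `case 2` and `case 3` assign only `NFS_CAP_HARDLINKS | NFS_CAP_SYMLINKS` (plus READDIRPLUS for v3). The line removed from nfs_init_server() also set NFS_CAP_FILEID, MODE, NLINK, OWNER, OWNER_GROUP, ATIME, CTIME and MTIME. The backport note says flags missing from older trees were dropped, but these eight clearly exist in 5.10 because the removed lines name them. If 5.10 still consults them when an attribute is absent from a reply, v2 and v3 mounts lose that baseline and may stop marking such attributes invalid. I would keep them in both cases, for example by OR-ing the removed set into the `server->caps =` assignment, unless the 5.10 tree is confirmed not to read them. Separately, with CONFIG_NFS_V4 disabled the `default:` branch leaves `server->caps` unassigned now that `target->caps = source->caps` is gone.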
diff --git a/queue-5.10/nfsv4-fix-nfs4_bitmap_copy_adjust.patch b/queue-5.10/nfsv4-fix-nfs4_bitmap_copy_adjust.patch
new file mode 100644 (file)
index 0000000..b3946fa
--- /dev/null
@@ -0,0 +1,104 @@
+From stable+bounces-169822-greg=kroah.com@vger.kernel.org Fri Aug 15 22:47:43 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Aug 2025 16:47:29 -0400
+Subject: NFSv4: Fix nfs4_bitmap_copy_adjust()
+To: stable@vger.kernel.org
+Cc: Trond Myklebust <trond.myklebust@hammerspace.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250815204731.220441-2-sashal@kernel.org>
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit a71029b86752e8d40301af235a6bbf4896cc1402 ]
+
+Don't remove flags from the set retrieved from the cache_validity.
+We do want to retrieve all attributes that are listed as being
+invalid, whether or not there is a delegation set.
+
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Stable-dep-of: b01f21cacde9 ("NFS: Fix the setting of capabilities when automounting a new filesystem")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/nfs4proc.c |   33 ++++++++++++++++-----------------
+ 1 file changed, 16 insertions(+), 17 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -292,7 +292,7 @@ const u32 nfs4_fs_locations_bitmap[3] =
+ };
+ static void nfs4_bitmap_copy_adjust(__u32 *dst, const __u32 *src,
+-              struct inode *inode)
++                                  struct inode *inode, unsigned long flags)
+ {
+       unsigned long cache_validity;
+@@ -300,22 +300,19 @@ static void nfs4_bitmap_copy_adjust(__u3
+       if (!inode || !nfs4_have_delegation(inode, FMODE_READ))
+               return;
+-      cache_validity = READ_ONCE(NFS_I(inode)->cache_validity);
+-      if (!(cache_validity & NFS_INO_REVAL_FORCED))
+-              cache_validity &= ~(NFS_INO_INVALID_CHANGE
+-                              | NFS_INO_INVALID_SIZE);
++      cache_validity = READ_ONCE(NFS_I(inode)->cache_validity) | flags;
++      /* Remove the attributes over which we have full control */
++      dst[1] &= ~FATTR4_WORD1_RAWDEV;
+       if (!(cache_validity & NFS_INO_INVALID_SIZE))
+               dst[0] &= ~FATTR4_WORD0_SIZE;
+       if (!(cache_validity & NFS_INO_INVALID_CHANGE))
+               dst[0] &= ~FATTR4_WORD0_CHANGE;
+-}
+-static void nfs4_bitmap_copy_adjust_setattr(__u32 *dst,
+-              const __u32 *src, struct inode *inode)
+-{
+-      nfs4_bitmap_copy_adjust(dst, src, inode);
++      if (!(cache_validity & NFS_INO_INVALID_OTHER))
++              dst[1] &= ~(FATTR4_WORD1_MODE | FATTR4_WORD1_OWNER |
++                          FATTR4_WORD1_OWNER_GROUP);
+ }
+ static void nfs4_setup_readdir(u64 cookie, __be32 *verifier, struct dentry *dentry,
+@@ -3379,12 +3376,15 @@ static int nfs4_do_setattr(struct inode
+               .inode = inode,
+               .stateid = &arg.stateid,
+       };
++      unsigned long adjust_flags = NFS_INO_INVALID_CHANGE;
+       int err;
++      if (sattr->ia_valid & (ATTR_MODE|ATTR_UID|ATTR_GID))
++              adjust_flags |= NFS_INO_INVALID_OTHER;
++
+       do {
+-              nfs4_bitmap_copy_adjust_setattr(bitmask,
+-                              nfs4_bitmask(server, olabel),
+-                              inode);
++              nfs4_bitmap_copy_adjust(bitmask, nfs4_bitmask(server, olabel),
++                                      inode, adjust_flags);
+               err = _nfs4_do_setattr(inode, &arg, &res, cred, ctx);
+               switch (err) {
+@@ -4192,8 +4192,7 @@ static int _nfs4_proc_getattr(struct nfs
+       if (inode && (server->flags & NFS_MOUNT_SOFTREVAL))
+               task_flags |= RPC_TASK_TIMEOUT;
+-      nfs4_bitmap_copy_adjust(bitmask, nfs4_bitmask(server, label), inode);
+-
++      nfs4_bitmap_copy_adjust(bitmask, nfs4_bitmask(server, label), inode, 0);
+       nfs_fattr_init(fattr);
+       nfs4_init_sequence(&args.seq_args, &res.seq_res, 0, 0);
+       return nfs4_do_call_sync(server->client, server, &msg,
+@@ -4795,8 +4794,8 @@ static int _nfs4_proc_link(struct inode
+       }
+       nfs4_inode_make_writeable(inode);
+-      nfs4_bitmap_copy_adjust_setattr(bitmask, nfs4_bitmask(server, res.label), inode);
+-
++      nfs4_bitmap_copy_adjust(bitmask, nfs4_bitmask(server, res.label), inode,
++                              NFS_INO_INVALID_CHANGE);
+       status = nfs4_call_sync(server->client, server, &msg, &arg.seq_args, &res.seq_res, 1);
+       if (!status) {
+               nfs4_update_changeattr(dir, &res.cinfo, res.fattr->time_start,
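Review bot: The new `unsigned long flags` parameter of nfs4_bitmap_copy_adjust() is undocumented, and its name does not say that it holds NFS_INO_INVALID_* bits OR-ed into the cached validity. The three call sites pass `0`, `NFS_INO_INVALID_CHANGE` and `adjust_flags`, so a reader has to work out from the body that a set bit forces the matching attribute to stay in the request bitmap even under a read delegation. I would add a short header comment saying that `flags` is a set of NFS_INO_INVALID_* bits the caller knows are about to become stale, and that under a delegation only attributes marked invalid there or in `cache_validity` are kept in `dst`. It is also worth noting that `dst[1] &= ~FATTR4_WORD1_RAWDEV;` applies only after the early return for the no-delegation case. Part of the function body lies between the two hunks and is not shown.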
diff --git a/queue-5.10/rdma-rxe-return-cqe-error-if-invalid-lkey-was-supplied.patch b/queue-5.10/rdma-rxe-return-cqe-error-if-invalid-lkey-was-supplied.patch
new file mode 100644 (file)
index 0000000..f2ae72a
--- /dev/null
@@ -0,0 +1,103 @@
+From stable+bounces-167100-greg=kroah.com@vger.kernel.org Tue Aug 12 08:26:13 2025
+From: Shivani Agarwal <shivani.agarwal@broadcom.com>
+Date: Mon, 11 Aug 2025 23:12:31 -0700
+Subject: RDMA/rxe: Return CQE error if invalid lkey was supplied
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org
+Cc: bcm-kernel-feedback-list@broadcom.com, linux-kernel@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, tapas.kundu@broadcom.com, zyjzyj2000@gmail.com, jgg@ziepe.ca, leon@kernel.org, richardcochran@gmail.com, monis@mellanox.com, kamalh@mellanox.com, haggaie@mellanox.com, amirv@mellanox.com, dledford@redhat.com, linux-rdma@vger.kernel.org, netdev@vger.kernel.org, Leon Romanovsky <leonro@nvidia.com>, Jason Gunthorpe <jgg@nvidia.com>, Sasha Levin <sashal@kernel.org>, Shivani Agarwal <shivani.agarwal@broadcom.com>
+Message-ID: <20250812061231.149309-1-shivani.agarwal@broadcom.com>
+
+From: Leon Romanovsky <leonro@nvidia.com>
+
+[ Upstream commit dc07628bd2bbc1da768e265192c28ebd301f509d ]
+
+RXE is missing update of WQE status in LOCAL_WRITE failures.  This caused
+the following kernel panic if someone sent an atomic operation with an
+explicitly wrong lkey.
+
+[leonro@vm ~]$ mkt test
+test_atomic_invalid_lkey (tests.test_atomic.AtomicTest) ...
+ WARNING: CPU: 5 PID: 263 at drivers/infiniband/sw/rxe/rxe_comp.c:740 rxe_completer+0x1a6d/0x2e30 [rdma_rxe]
+ Modules linked in: crc32_generic rdma_rxe ip6_udp_tunnel udp_tunnel rdma_ucm rdma_cm ib_umad ib_ipoib iw_cm ib_cm mlx5_ib ib_uverbs ib_core mlx5_core ptp pps_core
+ CPU: 5 PID: 263 Comm: python3 Not tainted 5.13.0-rc1+ #2936
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
+ RIP: 0010:rxe_completer+0x1a6d/0x2e30 [rdma_rxe]
+ Code: 03 0f 8e 65 0e 00 00 3b 93 10 06 00 00 0f 84 82 0a 00 00 4c 89 ff 4c 89 44 24 38 e8 2d 74 a9 e1 4c 8b 44 24 38 e9 1c f5 ff ff <0f> 0b e9 0c e8 ff ff b8 05 00 00 00 41 bf 05 00 00 00 e9 ab e7 ff
+ RSP: 0018:ffff8880158af090 EFLAGS: 00010246
+ RAX: 0000000000000000 RBX: ffff888016a78000 RCX: ffffffffa0cf1652
+ RDX: 1ffff9200004b442 RSI: 0000000000000004 RDI: ffffc9000025a210
+ RBP: dffffc0000000000 R08: 00000000ffffffea R09: ffff88801617740b
+ R10: ffffed1002c2ee81 R11: 0000000000000007 R12: ffff88800f3b63e8
+ R13: ffff888016a78008 R14: ffffc9000025a180 R15: 000000000000000c
+ FS:  00007f88b622a740(0000) GS:ffff88806d540000(0000) knlGS:0000000000000000
+ CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007f88b5a1fa10 CR3: 000000000d848004 CR4: 0000000000370ea0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ Call Trace:
+  rxe_do_task+0x130/0x230 [rdma_rxe]
+  rxe_rcv+0xb11/0x1df0 [rdma_rxe]
+  rxe_loopback+0x157/0x1e0 [rdma_rxe]
+  rxe_responder+0x5532/0x7620 [rdma_rxe]
+  rxe_do_task+0x130/0x230 [rdma_rxe]
+  rxe_rcv+0x9c8/0x1df0 [rdma_rxe]
+  rxe_loopback+0x157/0x1e0 [rdma_rxe]
+  rxe_requester+0x1efd/0x58c0 [rdma_rxe]
+  rxe_do_task+0x130/0x230 [rdma_rxe]
+  rxe_post_send+0x998/0x1860 [rdma_rxe]
+  ib_uverbs_post_send+0xd5f/0x1220 [ib_uverbs]
+  ib_uverbs_write+0x847/0xc80 [ib_uverbs]
+  vfs_write+0x1c5/0x840
+  ksys_write+0x176/0x1d0
+  do_syscall_64+0x3f/0x80
+  entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Fixes: 8700e3e7c485 ("Soft RoCE driver")
+Link: https://lore.kernel.org/r/11e7b553f3a6f5371c6bb3f57c494bb52b88af99.1620711734.git.leonro@nvidia.com
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Acked-by: Zhu Yanjun <zyjzyj2000@gmail.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+[Shivani: Modified to apply on 5.10.y]
+Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/sw/rxe/rxe_comp.c |   16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+--- a/drivers/infiniband/sw/rxe/rxe_comp.c
++++ b/drivers/infiniband/sw/rxe/rxe_comp.c
+@@ -346,13 +346,15 @@ static inline enum comp_state do_read(st
+       ret = copy_data(qp->pd, IB_ACCESS_LOCAL_WRITE,
+                       &wqe->dma, payload_addr(pkt),
+                       payload_size(pkt), to_mem_obj, NULL);
+-      if (ret)
++      if (ret) {
++              wqe->status = IB_WC_LOC_PROT_ERR;
+               return COMPST_ERROR;
++      }
+       if (wqe->dma.resid == 0 && (pkt->mask & RXE_END_MASK))
+               return COMPST_COMP_ACK;
+-      else
+-              return COMPST_UPDATE_COMP;
++
++      return COMPST_UPDATE_COMP;
+ }
+ static inline enum comp_state do_atomic(struct rxe_qp *qp,
+@@ -366,10 +368,12 @@ static inline enum comp_state do_atomic(
+       ret = copy_data(qp->pd, IB_ACCESS_LOCAL_WRITE,
+                       &wqe->dma, &atomic_orig,
+                       sizeof(u64), to_mem_obj, NULL);
+-      if (ret)
++      if (ret) {
++              wqe->status = IB_WC_LOC_PROT_ERR;
+               return COMPST_ERROR;
+-      else
+-              return COMPST_COMP_ACK;
++      }
++
++      return COMPST_COMP_ACK;
+ }
+ static void make_send_cqe(struct rxe_qp *qp, struct rxe_send_wqe *wqe,
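Review bot: Both do_read() and do_atomic() now set `wqe->status = IB_WC_LOC_PROT_ERR;` for any non-zero return from copy_data(), so the completion reports a protection error whatever actually failed. copy_data() is not shown here; if it can also fail on a length or range problem rather than a bad lkey, that status would mislead whoever reads the CQE. A comment at both sites, such as `/* copy_data() fails here only when the local MR check or bounds check rejects the WQE's sge */`, would pin the assumption, or the status could be chosen from `ret`. The call trace in the description reaches this path from ib_uverbs_post_send, so the state is reachable from an unprivileged verbs user. Keeping the quoted test_atomic_invalid_lkey case as a regression test for the 5.10 backport would confirm that the WARN in rxe_completer() no longer fires.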
diff --git a/queue-5.10/scsi-lpfc-fix-link-down-processing-to-address-null-pointer-dereference.patch b/queue-5.10/scsi-lpfc-fix-link-down-processing-to-address-null-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..e0a3bb4
--- /dev/null
@@ -0,0 +1,59 @@
+From stable+bounces-167099-greg=kroah.com@vger.kernel.org Tue Aug 12 08:22:10 2025
+From: Shivani Agarwal <shivani.agarwal@broadcom.com>
+Date: Mon, 11 Aug 2025 23:08:22 -0700
+Subject: scsi: lpfc: Fix link down processing to address NULL pointer  dereference
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org
+Cc: bcm-kernel-feedback-list@broadcom.com, linux-kernel@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, tapas.kundu@broadcom.com, james.smart@broadcom.com, dick.kennedy@broadcom.com, James.Bottomley@HansenPartnership.com, martin.petersen@oracle.com, linux-scsi@vger.kernel.org, James Smart <jsmart2021@gmail.com>, Justin Tee <justin.tee@broadcom.com>, Sasha Levin <sashal@kernel.org>, Shivani Agarwal <shivani.agarwal@broadcom.com>
+Message-ID: <20250812060822.149216-1-shivani.agarwal@broadcom.com>
+
+From: James Smart <jsmart2021@gmail.com>
+
+[ Upstream commit 1854f53ccd88ad4e7568ddfafafffe71f1ceb0a6 ]
+
+If an FC link down transition while PLOGIs are outstanding to fabric well
+known addresses, outstanding ABTS requests may result in a NULL pointer
+dereference. Driver unload requests may hang with repeated "2878" log
+messages.
+
+The Link down processing results in ABTS requests for outstanding ELS
+requests. The Abort WQEs are sent for the ELSs before the driver had set
+the link state to down. Thus the driver is sending the Abort with the
+expectation that an ABTS will be sent on the wire. The Abort request is
+stalled waiting for the link to come up. In some conditions the driver may
+auto-complete the ELSs thus if the link does come up, the Abort completions
+may reference an invalid structure.
+
+Fix by ensuring that Abort set the flag to avoid link traffic if issued due
+to conditions where the link failed.
+
+Link: https://lore.kernel.org/r/20211020211417.88754-7-jsmart2021@gmail.com
+Co-developed-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: James Smart <jsmart2021@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+[Shivani: Modified to apply on 5.10.y]
+Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/lpfc/lpfc_sli.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -11432,10 +11432,12 @@ lpfc_sli_abort_iotag_issue(struct lpfc_h
+       if (cmdiocb->iocb_flag & LPFC_IO_FOF)
+               abtsiocbp->iocb_flag |= LPFC_IO_FOF;
+-      if (phba->link_state >= LPFC_LINK_UP)
+-              iabt->ulpCommand = CMD_ABORT_XRI_CN;
+-      else
++      if (phba->link_state < LPFC_LINK_UP ||
++          (phba->sli_rev == LPFC_SLI_REV4 &&
++           phba->sli4_hba.link_state.status == LPFC_FC_LA_TYPE_LINK_DOWN))
+               iabt->ulpCommand = CMD_CLOSE_XRI_CN;
++      else
++              iabt->ulpCommand = CMD_ABORT_XRI_CN;
+       abtsiocbp->iocb_cmpl = lpfc_sli_abort_els_cmpl;
+       abtsiocbp->vport = vport;
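Review bot: The new three-part condition in lpfc_sli_abort_iotag_issue has no comment saying why a second link indicator is consulted, and the reason is not obvious from the code. Per the commit description, the abort can be issued before `phba->link_state` has been set to down, so the SLI4 `link_state.status` is checked as well to avoid an ABTS that would stall waiting for the link. I would add above the `if` something like `/* Link down or failing: use CLOSE_XRI so no ABTS goes on the wire and the abort cannot stall until link up */`. The function starts and ends outside this hunk, so how the two link-state fields are synchronised cannot be judged from here.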
diff --git a/queue-5.10/scsi-pm80xx-fix-memory-leak-during-rmmod.patch b/queue-5.10/scsi-pm80xx-fix-memory-leak-during-rmmod.patch
new file mode 100644 (file)
index 0000000..b9a82c9
--- /dev/null
@@ -0,0 +1,68 @@
+From stable+bounces-166983-greg=kroah.com@vger.kernel.org Mon Aug 11 07:34:08 2025
+From: Shivani Agarwal <shivani.agarwal@broadcom.com>
+Date: Sun, 10 Aug 2025 22:20:35 -0700
+Subject: scsi: pm80xx: Fix memory leak during rmmod
+To: stable@vger.kernel.org, gregkh@linuxfoundation.org
+Cc: bcm-kernel-feedback-list@broadcom.com, linux-kernel@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, tapas.kundu@broadcom.com, James.Bottomley@HansenPartnership.com, jinpu.wang@cloud.ionos.com, martin.petersen@oracle.com, linux-scsi@vger.kernel.org, Ajish Koshy <Ajish.Koshy@microchip.com>, Jack Wang <jinpu.wang@ionos.com>, Viswas G <Viswas.G@microchip.com>, Sasha Levin <sashal@kernel.org>, Shivani Agarwal <shivani.agarwal@broadcom.com>
+Message-ID: <20250811052035.145021-1-shivani.agarwal@broadcom.com>
+
+From: Ajish Koshy <Ajish.Koshy@microchip.com>
+
+[ Upstream commit 51e6ed83bb4ade7c360551fa4ae55c4eacea354b ]
+
+Driver failed to release all memory allocated. This would lead to memory
+leak during driver removal.
+
+Properly free memory when the module is removed.
+
+Link: https://lore.kernel.org/r/20210906170404.5682-5-Ajish.Koshy@microchip.com
+Acked-by: Jack Wang <jinpu.wang@ionos.com>
+Signed-off-by: Ajish Koshy <Ajish.Koshy@microchip.com>
+Signed-off-by: Viswas G <Viswas.G@microchip.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+[Shivani: Modified to apply on 5.10.y]
+Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/pm8001/pm8001_init.c |   11 +++++++++++
+ drivers/scsi/pm8001/pm8001_sas.h  |    1 +
+ 2 files changed, 12 insertions(+)
+
+--- a/drivers/scsi/pm8001/pm8001_init.c
++++ b/drivers/scsi/pm8001/pm8001_init.c
+@@ -1166,6 +1166,7 @@ pm8001_init_ccb_tag(struct pm8001_hba_in
+               goto err_out;
+       /* Memory region for ccb_info*/
++      pm8001_ha->ccb_count = ccb_count;
+       pm8001_ha->ccb_info = (struct pm8001_ccb_info *)
+               kcalloc(ccb_count, sizeof(struct pm8001_ccb_info), GFP_KERNEL);
+       if (!pm8001_ha->ccb_info) {
+@@ -1226,6 +1227,16 @@ static void pm8001_pci_remove(struct pci
+                       tasklet_kill(&pm8001_ha->tasklet[j]);
+ #endif
+       scsi_host_put(pm8001_ha->shost);
++
++      for (i = 0; i < pm8001_ha->ccb_count; i++) {
++              dma_free_coherent(&pm8001_ha->pdev->dev,
++                      sizeof(struct pm8001_prd) * PM8001_MAX_DMA_SG,
++                      pm8001_ha->ccb_info[i].buf_prd,
++                      pm8001_ha->ccb_info[i].ccb_dma_handle);
++      }
++      kfree(pm8001_ha->ccb_info);
++      kfree(pm8001_ha->devices);
++
+       pm8001_free(pm8001_ha);
+       kfree(sha->sas_phy);
+       kfree(sha->sas_port);
+--- a/drivers/scsi/pm8001/pm8001_sas.h
++++ b/drivers/scsi/pm8001/pm8001_sas.h
+@@ -515,6 +515,7 @@ struct pm8001_hba_info {
+       u32                     iomb_size; /* SPC and SPCV IOMB size */
+       struct pm8001_device    *devices;
+       struct pm8001_ccb_info  *ccb_info;
++      u32                     ccb_count;
+ #ifdef PM8001_USE_MSIX
+       int                     number_of_intr;/*will be used in remove()*/
+       char                    intr_drvname[PM8001_MAX_MSIX_VEC]
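Review bot: In the pm8001_init_ccb_tag hunk, `pm8001_ha->ccb_count = ccb_count;` is stored before the kcalloc() result is checked, so a failed allocation leaves a non-zero count next to a NULL `ccb_info`. The new loop in pm8001_pci_remove indexes `pm8001_ha->ccb_info[i]` and hands `buf_prd` to dma_free_coherent() without any guard, so it relies on every entry having been fully allocated; whether remove can run after a partial init is not visible here. I would move the assignment below the `if (!pm8001_ha->ccb_info)` check, or guard the loop with `if (pm8001_ha->ccb_info)`. The free size `sizeof(struct pm8001_prd) * PM8001_MAX_DMA_SG` must also match the allocation size, which lies outside these hunks, as do the starts of both functions.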
diff --git a/queue-5.10/scsi-ufs-exynos-fix-programming-of-hci_utrl_nexus_type.patch b/queue-5.10/scsi-ufs-exynos-fix-programming-of-hci_utrl_nexus_type.patch
new file mode 100644 (file)
index 0000000..b06d69b
--- /dev/null
@@ -0,0 +1,58 @@
+From stable+bounces-172482-greg=kroah.com@vger.kernel.org Fri Aug 22 19:44:22 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 13:43:47 -0400
+Subject: scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE
+To: stable@vger.kernel.org
+Cc: "André Draszik" <andre.draszik@linaro.org>, "Bart Van Assche" <bvanassche@acm.org>, "Peter Griffin" <peter.griffin@linaro.org>, "Martin K. Petersen" <martin.petersen@oracle.com>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250822174347.1341004-1-sashal@kernel.org>
+
+From: André Draszik <andre.draszik@linaro.org>
+
+[ Upstream commit 01aad16c2257ab8ff33b152b972c9f2e1af47912 ]
+
+On Google gs101, the number of UTP transfer request slots (nutrs) is 32,
+and in this case the driver ends up programming the UTRL_NEXUS_TYPE
+incorrectly as 0.
+
+This is because the left hand side of the shift is 1, which is of type
+int, i.e. 31 bits wide. Shifting by more than that width results in
+undefined behaviour.
+
+Fix this by switching to the BIT() macro, which applies correct type
+casting as required. This ensures the correct value is written to
+UTRL_NEXUS_TYPE (0xffffffff on gs101), and it also fixes a UBSAN shift
+warning:
+
+    UBSAN: shift-out-of-bounds in drivers/ufs/host/ufs-exynos.c:1113:21
+    shift exponent 32 is too large for 32-bit type 'int'
+
+For consistency, apply the same change to the nutmrs / UTMRL_NEXUS_TYPE
+write.
+
+Fixes: 55f4b1f73631 ("scsi: ufs: ufs-exynos: Add UFS host support for Exynos SoCs")
+Cc: stable@vger.kernel.org
+Signed-off-by: André Draszik <andre.draszik@linaro.org>
+Link: https://lore.kernel.org/r/20250707-ufs-exynos-shift-v1-1-1418e161ae40@linaro.org
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Peter Griffin <peter.griffin@linaro.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+[ Adjusted path from drivers/ufs/host to drivers/scsi/ufs ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/ufs/ufs-exynos.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/ufs/ufs-exynos.c
++++ b/drivers/scsi/ufs/ufs-exynos.c
+@@ -850,8 +850,8 @@ static int exynos_ufs_post_link(struct u
+       hci_writel(ufs, 0xa, HCI_DATA_REORDER);
+       hci_writel(ufs, PRDT_SET_SIZE(12), HCI_TXPRDT_ENTRY_SIZE);
+       hci_writel(ufs, PRDT_SET_SIZE(12), HCI_RXPRDT_ENTRY_SIZE);
+-      hci_writel(ufs, (1 << hba->nutrs) - 1, HCI_UTRL_NEXUS_TYPE);
+-      hci_writel(ufs, (1 << hba->nutmrs) - 1, HCI_UTMRL_NEXUS_TYPE);
++      hci_writel(ufs, BIT(hba->nutrs) - 1, HCI_UTRL_NEXUS_TYPE);
++      hci_writel(ufs, BIT(hba->nutmrs) - 1, HCI_UTMRL_NEXUS_TYPE);
+       hci_writel(ufs, 0xf, HCI_AXIDMA_RWDATA_BURST_LEN);
+       if (ufs->opts & EXYNOS_UFS_OPT_SKIP_CONNECTION_ESTAB)
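Review bot: `BIT(hba->nutrs) - 1` is only well defined for nutrs == 32 where unsigned long is 64 bits wide, because BIT() shifts an unsigned long; on a 32-bit build the shift count would still equal the type width. If this driver can be built for a 32-bit target (not visible in this hunk), `BIT_ULL(hba->nutrs) - 1` would yield 0xffffffff regardless of word size, and the same applies to the `nutmrs` line. A short comment such as `/* nutrs may be 32: the mask has to be computed in a 64-bit type */` would record why a plain shift is not used. exynos_ufs_post_link starts and ends outside the hunk.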
index 781c9a38897302d6f81067dd7199601f1ad6aef9..b0275b3be52ee009d36e3fcebe4d7816d261db74 100644 (file)
@@ -448,3 +448,22 @@ mm-update-memfd-seal-write-check-to-include-f_seal_write.patch
 mm-reinstate-ability-to-map-write-sealed-memfd-mappings-read-only.patch
 selftests-memfd-add-test-for-mapping-write-sealed-memfd-read-only.patch
 dma-buf-insert-memory-barrier-before-updating-num_fences.patch
+drm-amdgpu-handle-the-case-of-pci_channel_io_frozen-only-in-amdgpu_pci_resume.patch
+rdma-rxe-return-cqe-error-if-invalid-lkey-was-supplied.patch
+scsi-lpfc-fix-link-down-processing-to-address-null-pointer-dereference.patch
+scsi-pm80xx-fix-memory-leak-during-rmmod.patch
+nfs-don-t-set-nfs_ino_reval_pagecache-in-the-inode-cache-validity.patch
+nfsv4-fix-nfs4_bitmap_copy_adjust.patch
+nfs-create-an-nfs4_server_set_init_caps-function.patch
+nfs-fix-the-setting-of-capabilities-when-automounting-a-new-filesystem.patch
+net-sched-sch_ets-properly-init-all-active-drr-list-handles.patch
+net_sched-sch_ets-implement-lockless-ets_dump.patch
+net-sched-ets-use-old-nbands-while-purging-unused-classes.patch
+mm-ptdump-take-the-memory-hotplug-lock-inside-ptdump_walk_pgd.patch
+ata-fix-sata_mobile_lpm_policy-description-in-kconfig.patch
+scsi-ufs-exynos-fix-programming-of-hci_utrl_nexus_type.patch
+iio-adc-ad_sigma_delta-change-to-buffer-predisable.patch
+soc-qcom-mdt_loader-ensure-we-don-t-read-past-the-elf-header.patch
+usb-musb-omap2430-convert-to-platform-remove-callback-returning-void.patch
+usb-musb-omap2430-fix-device-leak-at-unbind.patch
+btrfs-populate-otime-when-logging-an-inode-item.patch
diff --git a/queue-5.10/soc-qcom-mdt_loader-ensure-we-don-t-read-past-the-elf-header.patch b/queue-5.10/soc-qcom-mdt_loader-ensure-we-don-t-read-past-the-elf-header.patch
new file mode 100644 (file)
index 0000000..3b48a55
--- /dev/null
@@ -0,0 +1,109 @@
+From stable+bounces-172489-greg=kroah.com@vger.kernel.org Fri Aug 22 20:18:26 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 14:18:15 -0400
+Subject: soc: qcom: mdt_loader: Ensure we don't read past the ELF header
+To: stable@vger.kernel.org
+Cc: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>, Doug Anderson <dianders@chromium.org>, Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>, Bjorn Andersson <andersson@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250822181815.1360340-1-sashal@kernel.org>
+
+From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+
+[ Upstream commit 9f9967fed9d066ed3dae9372b45ffa4f6fccfeef ]
+
+When the MDT loader is used in remoteproc, the ELF header is sanitized
+beforehand, but that's not necessary the case for other clients.
+
+Validate the size of the firmware buffer to ensure that we don't read
+past the end as we iterate over the header. e_phentsize and e_shentsize
+are validated as well, to ensure that the assumptions about step size in
+the traversal are valid.
+
+Fixes: 2aad40d911ee ("remoteproc: Move qcom_mdt_loader into drivers/soc/qcom")
+Cc: stable@vger.kernel.org
+Reported-by: Doug Anderson <dianders@chromium.org>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250610-mdt-loader-validation-and-fixes-v2-1-f7073e9ab899@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/qcom/mdt_loader.c |   41 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 41 insertions(+)
+
+--- a/drivers/soc/qcom/mdt_loader.c
++++ b/drivers/soc/qcom/mdt_loader.c
+@@ -12,11 +12,43 @@
+ #include <linux/firmware.h>
+ #include <linux/kernel.h>
+ #include <linux/module.h>
++#include <linux/overflow.h>
+ #include <linux/qcom_scm.h>
+ #include <linux/sizes.h>
+ #include <linux/slab.h>
+ #include <linux/soc/qcom/mdt_loader.h>
++static bool mdt_header_valid(const struct firmware *fw)
++{
++      const struct elf32_hdr *ehdr;
++      size_t phend;
++      size_t shend;
++
++      if (fw->size < sizeof(*ehdr))
++              return false;
++
++      ehdr = (struct elf32_hdr *)fw->data;
++
++      if (memcmp(ehdr->e_ident, ELFMAG, SELFMAG))
++              return false;
++
++      if (ehdr->e_phentsize != sizeof(struct elf32_phdr))
++              return false;
++
++      phend = size_add(size_mul(sizeof(struct elf32_phdr), ehdr->e_phnum), ehdr->e_phoff);
++      if (phend > fw->size)
++              return false;
++
++      if (ehdr->e_shentsize != sizeof(struct elf32_shdr))
++              return false;
++
++      shend = size_add(size_mul(sizeof(struct elf32_shdr), ehdr->e_shnum), ehdr->e_shoff);
++      if (shend > fw->size)
++              return false;
++
++      return true;
++}
++
+ static bool mdt_phdr_valid(const struct elf32_phdr *phdr)
+ {
+       if (phdr->p_type != PT_LOAD)
+@@ -46,6 +78,9 @@ ssize_t qcom_mdt_get_size(const struct f
+       phys_addr_t max_addr = 0;
+       int i;
++      if (!mdt_header_valid(fw))
++              return -EINVAL;
++
+       ehdr = (struct elf32_hdr *)fw->data;
+       phdrs = (struct elf32_phdr *)(ehdr + 1);
+@@ -92,6 +127,9 @@ void *qcom_mdt_read_metadata(const struc
+       size_t ehdr_size;
+       void *data;
++      if (!mdt_header_valid(fw))
++              return ERR_PTR(-EINVAL);
++
+       ehdr = (struct elf32_hdr *)fw->data;
+       phdrs = (struct elf32_phdr *)(ehdr + 1);
+@@ -151,6 +189,9 @@ static int __qcom_mdt_load(struct device
+       if (!fw || !mem_region || !mem_phys || !mem_size)
+               return -EINVAL;
++      if (!mdt_header_valid(fw))
++              return -EINVAL;
++
+       ehdr = (struct elf32_hdr *)fw->data;
+       phdrs = (struct elf32_phdr *)(ehdr + 1);
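Review bot: mdt_header_valid() bounds the program header table at `ehdr->e_phoff`, but all three callers shown here still read it from `(struct elf32_phdr *)(ehdr + 1)`, so the range that is validated is not necessarily the range that is walked. A firmware image whose `e_phoff` differs from `sizeof(*ehdr)` can pass the check while `e_phnum` entries counted from `ehdr + 1` extend past `fw->size`. Unless that is handled elsewhere in the series, I would either reject such images in the validator with `if (ehdr->e_phoff != sizeof(*ehdr)) return false;` or have the callers derive `phdrs` from `fw->data + ehdr->e_phoff`. The caller bodies continue outside these hunks, so the loops that consume `phdrs` are not visible.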
diff --git a/queue-5.10/usb-musb-omap2430-convert-to-platform-remove-callback-returning-void.patch b/queue-5.10/usb-musb-omap2430-convert-to-platform-remove-callback-returning-void.patch
new file mode 100644 (file)
index 0000000..f46134c
--- /dev/null
@@ -0,0 +1,60 @@
+From sashal@kernel.org Thu Aug 21 18:14:17 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Aug 2025 12:14:12 -0400
+Subject: usb: musb: omap2430: Convert to platform remove callback returning void
+To: stable@vger.kernel.org
+Cc: "Uwe Kleine-König" <u.kleine-koenig@pengutronix.de>, "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250821161413.775044-1-sashal@kernel.org>
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit cb020bf52253327fe382e10bcae02a4f1da33c04 ]
+
+The .remove() callback for a platform driver returns an int which makes
+many driver authors wrongly assume it's possible to do error handling by
+returning an error code. However the value returned is (mostly) ignored
+and this typically results in resource leaks. To improve here there is a
+quest to make the remove callback return void. In the first step of this
+quest all drivers are converted to .remove_new() which already returns
+void.
+
+Trivially convert this driver from always returning zero in the remove
+callback to the void returning variant.
+
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Link: https://lore.kernel.org/r/20230405141009.3400693-8-u.kleine-koenig@pengutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: 1473e9e7679b ("usb: musb: omap2430: fix device leak at unbind")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/musb/omap2430.c |    6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/musb/omap2430.c
++++ b/drivers/usb/musb/omap2430.c
+@@ -432,14 +432,12 @@ err0:
+       return ret;
+ }
+-static int omap2430_remove(struct platform_device *pdev)
++static void omap2430_remove(struct platform_device *pdev)
+ {
+       struct omap2430_glue *glue = platform_get_drvdata(pdev);
+       platform_device_unregister(glue->musb);
+       pm_runtime_disable(glue->dev);
+-
+-      return 0;
+ }
+ #ifdef CONFIG_PM
+@@ -509,7 +507,7 @@ MODULE_DEVICE_TABLE(of, omap2430_id_tabl
+ static struct platform_driver omap2430_driver = {
+       .probe          = omap2430_probe,
+-      .remove         = omap2430_remove,
++      .remove_new     = omap2430_remove,
+       .driver         = {
+               .name   = "musb-omap2430",
+               .pm     = DEV_PM_OPS,
diff --git a/queue-5.10/usb-musb-omap2430-fix-device-leak-at-unbind.patch b/queue-5.10/usb-musb-omap2430-fix-device-leak-at-unbind.patch
new file mode 100644 (file)
index 0000000..170f6d1
--- /dev/null
@@ -0,0 +1,66 @@
+From sashal@kernel.org Thu Aug 21 18:14:17 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Aug 2025 12:14:13 -0400
+Subject: usb: musb: omap2430: fix device leak at unbind
+To: stable@vger.kernel.org
+Cc: Johan Hovold <johan@kernel.org>, Roger Quadros <rogerq@kernel.org>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250821161413.775044-2-sashal@kernel.org>
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit 1473e9e7679bd4f5a62d1abccae894fb86de280f ]
+
+Make sure to drop the reference to the control device taken by
+of_find_device_by_node() during probe when the driver is unbound.
+
+Fixes: 8934d3e4d0e7 ("usb: musb: omap2430: Don't use omap_get_control_dev()")
+Cc: stable@vger.kernel.org     # 3.13
+Cc: Roger Quadros <rogerq@kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20250724091910.21092-5-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[ Removed populate_irqs-related goto changes ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/musb/omap2430.c |   10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/musb/omap2430.c
++++ b/drivers/usb/musb/omap2430.c
+@@ -403,13 +403,13 @@ static int omap2430_probe(struct platfor
+                       ARRAY_SIZE(musb_resources));
+       if (ret) {
+               dev_err(&pdev->dev, "failed to add resources\n");
+-              goto err2;
++              goto err_put_control_otghs;
+       }
+       ret = platform_device_add_data(musb, pdata, sizeof(*pdata));
+       if (ret) {
+               dev_err(&pdev->dev, "failed to add platform_data\n");
+-              goto err2;
++              goto err_put_control_otghs;
+       }
+       pm_runtime_enable(glue->dev);
+@@ -424,7 +424,9 @@ static int omap2430_probe(struct platfor
+ err3:
+       pm_runtime_disable(glue->dev);
+-
++err_put_control_otghs:
++      if (!IS_ERR(glue->control_otghs))
++              put_device(glue->control_otghs);
+ err2:
+       platform_device_put(musb);
+@@ -438,6 +440,8 @@ static void omap2430_remove(struct platf
+       platform_device_unregister(glue->musb);
+       pm_runtime_disable(glue->dev);
++      if (!IS_ERR(glue->control_otghs))
++              put_device(glue->control_otghs);
+ }
+ #ifdef CONFIG_PM