--- /dev/null
+From adfab6b39202481bb43286fff94def4953793fdb Mon Sep 17 00:00:00 2001
+From: Jeremy Linton <jeremy.linton@arm.com>
+Date: Wed, 7 May 2025 21:30:25 -0500
+Subject: ACPI: PPTT: Fix processor subtable walk
+
+From: Jeremy Linton <jeremy.linton@arm.com>
+
+commit adfab6b39202481bb43286fff94def4953793fdb upstream.
+
+The original PPTT code had a bug where the processor subtable length
+was not correctly validated when encountering a truncated
+acpi_pptt_processor node.
+
+Commit 7ab4f0e37a0f4 ("ACPI PPTT: Fix coding mistakes in a couple of
+sizeof() calls") attempted to fix this by validating the size is as
+large as the acpi_pptt_processor node structure. This introduced a
+regression where the last processor node in the PPTT table is ignored
+if it doesn't contain any private resources. That results errors like:
+
+ ACPI PPTT: PPTT table found, but unable to locate core XX (XX)
+ ACPI: SPE must be homogeneous
+
+Furthermore, it fails in a common case where the node length isn't
+equal to the acpi_pptt_processor structure size, leaving the original
+bug in a modified form.
+
+Correct the regression by adjusting the loop termination conditions as
+suggested by the bug reporters. An additional check performed after
+the subtable node type is detected, validates the acpi_pptt_processor
+node is fully contained in the PPTT table. Repeating the check in
+acpi_pptt_leaf_node() is largely redundant as the node is already
+known to be fully contained in the table.
+
+The case where a final truncated node's parent property is accepted,
+but the node itself is rejected should not be considered a bug.
+
+Fixes: 7ab4f0e37a0f4 ("ACPI PPTT: Fix coding mistakes in a couple of sizeof() calls")
+Reported-by: Maximilian Heyne <mheyne@amazon.de>
+Closes: https://lore.kernel.org/linux-acpi/20250506-draco-taped-15f475cd@mheyne-amazon/
+Reported-by: Yicong Yang <yangyicong@hisilicon.com>
+Closes: https://lore.kernel.org/linux-acpi/20250507035124.28071-1-yangyicong@huawei.com/
+Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>
+Tested-by: Yicong Yang <yangyicong@hisilicon.com>
+Reviewed-by: Sudeep Holla <sudeep.holla@arm.com>
+Tested-by: Maximilian Heyne <mheyne@amazon.de>
+Cc: All applicable <stable@vger.kernel.org> # 7ab4f0e37a0f4: ACPI PPTT: Fix coding mistakes ...
+Link: https://patch.msgid.link/20250508023025.1301030-1-jeremy.linton@arm.com
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/pptt.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/acpi/pptt.c
++++ b/drivers/acpi/pptt.c
+@@ -231,16 +231,18 @@ static int acpi_pptt_leaf_node(struct ac
+ sizeof(struct acpi_table_pptt));
+ proc_sz = sizeof(struct acpi_pptt_processor);
+
+- while ((unsigned long)entry + proc_sz < table_end) {
++ /* ignore subtable types that are smaller than a processor node */
++ while ((unsigned long)entry + proc_sz <= table_end) {
+ cpu_node = (struct acpi_pptt_processor *)entry;
++
+ if (entry->type == ACPI_PPTT_TYPE_PROCESSOR &&
+ cpu_node->parent == node_entry)
+ return 0;
+ if (entry->length == 0)
+ return 0;
++
+ entry = ACPI_ADD_PTR(struct acpi_subtable_header, entry,
+ entry->length);
+-
+ }
+ return 1;
+ }
+@@ -273,15 +275,18 @@ static struct acpi_pptt_processor *acpi_
+ proc_sz = sizeof(struct acpi_pptt_processor);
+
+ /* find the processor structure associated with this cpuid */
+- while ((unsigned long)entry + proc_sz < table_end) {
++ while ((unsigned long)entry + proc_sz <= table_end) {
+ cpu_node = (struct acpi_pptt_processor *)entry;
+
+ if (entry->length == 0) {
+ pr_warn("Invalid zero length subtable\n");
+ break;
+ }
++ /* entry->length may not equal proc_sz, revalidate the processor structure length */
+ if (entry->type == ACPI_PPTT_TYPE_PROCESSOR &&
+ acpi_cpu_id == cpu_node->acpi_processor_id &&
++ (unsigned long)entry + entry->length <= table_end &&
++ entry->length == proc_sz + cpu_node->number_of_priv_resources * sizeof(u32) &&
+ acpi_pptt_leaf_node(table_hdr, cpu_node)) {
+ return (struct acpi_pptt_processor *)entry;
+ }
--- /dev/null
+From 4ce2affc6ef9f84b4aebbf18bd5c57397b6024eb Mon Sep 17 00:00:00 2001
+From: Kyoji Ogasawara <sawara04.o@gmail.com>
+Date: Fri, 9 May 2025 19:26:31 +0900
+Subject: btrfs: add back warning for mount option commit values exceeding 300
+
+From: Kyoji Ogasawara <sawara04.o@gmail.com>
+
+commit 4ce2affc6ef9f84b4aebbf18bd5c57397b6024eb upstream.
+
+The Btrfs documentation states that if the commit value is greater than
+300 a warning should be issued. The warning was accidentally lost in the
+new mount API update.
+
+Fixes: 6941823cc878 ("btrfs: remove old mount API code")
+CC: stable@vger.kernel.org # 6.12+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: Kyoji Ogasawara <sawara04.o@gmail.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/fs.h | 1 +
+ fs/btrfs/super.c | 4 ++++
+ 2 files changed, 5 insertions(+)
+
+--- a/fs/btrfs/fs.h
++++ b/fs/btrfs/fs.h
+@@ -285,6 +285,7 @@ enum {
+ #define BTRFS_FEATURE_INCOMPAT_SAFE_CLEAR 0ULL
+
+ #define BTRFS_DEFAULT_COMMIT_INTERVAL (30)
++#define BTRFS_WARNING_COMMIT_INTERVAL (300)
+ #define BTRFS_DEFAULT_MAX_INLINE (2048)
+
+ struct btrfs_dev_replace {
+--- a/fs/btrfs/super.c
++++ b/fs/btrfs/super.c
+@@ -570,6 +570,10 @@ static int btrfs_parse_param(struct fs_c
+ break;
+ case Opt_commit_interval:
+ ctx->commit_interval = result.uint_32;
++ if (ctx->commit_interval > BTRFS_WARNING_COMMIT_INTERVAL) {
++ btrfs_warn(NULL, "excessive commit interval %u, use with care",
++ ctx->commit_interval);
++ }
+ if (ctx->commit_interval == 0)
+ ctx->commit_interval = BTRFS_DEFAULT_COMMIT_INTERVAL;
+ break;
--- /dev/null
+From 54db6d1bdd71fa90172a2a6aca3308bbf7fa7eb5 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Mon, 5 May 2025 16:03:16 +0100
+Subject: btrfs: fix discard worker infinite loop after disabling discard
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit 54db6d1bdd71fa90172a2a6aca3308bbf7fa7eb5 upstream.
+
+If the discard worker is running and there's currently only one block
+group, that block group is a data block group, it's in the unused block
+groups discard list and is being used (it got an extent allocated from it
+after becoming unused), the worker can end up in an infinite loop if a
+transaction abort happens or the async discard is disabled (during remount
+or unmount for example).
+
+This happens like this:
+
+1) Task A, the discard worker, is at peek_discard_list() and
+ find_next_block_group() returns block group X;
+
+2) Block group X is in the unused block groups discard list (its discard
+ index is BTRFS_DISCARD_INDEX_UNUSED) since at some point in the past
+ it become an unused block group and was added to that list, but then
+ later it got an extent allocated from it, so its ->used counter is not
+ zero anymore;
+
+3) The current transaction is aborted by task B and we end up at
+ __btrfs_handle_fs_error() in the transaction abort path, where we call
+ btrfs_discard_stop(), which clears BTRFS_FS_DISCARD_RUNNING from
+ fs_info, and then at __btrfs_handle_fs_error() we set the fs to RO mode
+ (setting SB_RDONLY in the super block's s_flags field);
+
+4) Task A calls __add_to_discard_list() with the goal of moving the block
+ group from the unused block groups discard list into another discard
+ list, but at __add_to_discard_list() we end up doing nothing because
+ btrfs_run_discard_work() returns false, since the super block has
+ SB_RDONLY set in its flags and BTRFS_FS_DISCARD_RUNNING is not set
+ anymore in fs_info->flags. So block group X remains in the unused block
+ groups discard list;
+
+5) Task A then does a goto into the 'again' label, calls
+ find_next_block_group() again we gets block group X again. Then it
+ repeats the previous steps over and over since there are not other
+ block groups in the discard lists and block group X is never moved
+ out of the unused block groups discard list since
+ btrfs_run_discard_work() keeps returning false and therefore
+ __add_to_discard_list() doesn't move block group X out of that discard
+ list.
+
+When this happens we can get a soft lockup report like this:
+
+ [71.957] watchdog: BUG: soft lockup - CPU#0 stuck for 27s! [kworker/u4:3:97]
+ [71.957] Modules linked in: xfs af_packet rfkill (...)
+ [71.957] CPU: 0 UID: 0 PID: 97 Comm: kworker/u4:3 Tainted: G W 6.14.2-1-default #1 openSUSE Tumbleweed 968795ef2b1407352128b466fe887416c33af6fa
+ [71.957] Tainted: [W]=WARN
+ [71.957] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
+ [71.957] Workqueue: btrfs_discard btrfs_discard_workfn [btrfs]
+ [71.957] RIP: 0010:btrfs_discard_workfn+0xc4/0x400 [btrfs]
+ [71.957] Code: c1 01 48 83 (...)
+ [71.957] RSP: 0018:ffffafaec03efe08 EFLAGS: 00000246
+ [71.957] RAX: ffff897045500000 RBX: ffff8970413ed8d0 RCX: 0000000000000000
+ [71.957] RDX: 0000000000000001 RSI: ffff8970413ed8d0 RDI: 0000000a8f1272ad
+ [71.957] RBP: 0000000a9d61c60e R08: ffff897045500140 R09: 8080808080808080
+ [71.957] R10: ffff897040276800 R11: fefefefefefefeff R12: ffff8970413ed860
+ [71.957] R13: ffff897045500000 R14: ffff8970413ed868 R15: 0000000000000000
+ [71.957] FS: 0000000000000000(0000) GS:ffff89707bc00000(0000) knlGS:0000000000000000
+ [71.957] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [71.957] CR2: 00005605bcc8d2f0 CR3: 000000010376a001 CR4: 0000000000770ef0
+ [71.957] PKRU: 55555554
+ [71.957] Call Trace:
+ [71.957] <TASK>
+ [71.957] process_one_work+0x17e/0x330
+ [71.957] worker_thread+0x2ce/0x3f0
+ [71.957] ? __pfx_worker_thread+0x10/0x10
+ [71.957] kthread+0xef/0x220
+ [71.957] ? __pfx_kthread+0x10/0x10
+ [71.957] ret_from_fork+0x34/0x50
+ [71.957] ? __pfx_kthread+0x10/0x10
+ [71.957] ret_from_fork_asm+0x1a/0x30
+ [71.957] </TASK>
+ [71.957] Kernel panic - not syncing: softlockup: hung tasks
+ [71.987] CPU: 0 UID: 0 PID: 97 Comm: kworker/u4:3 Tainted: G W L 6.14.2-1-default #1 openSUSE Tumbleweed 968795ef2b1407352128b466fe887416c33af6fa
+ [71.989] Tainted: [W]=WARN, [L]=SOFTLOCKUP
+ [71.989] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
+ [71.991] Workqueue: btrfs_discard btrfs_discard_workfn [btrfs]
+ [71.992] Call Trace:
+ [71.993] <IRQ>
+ [71.994] dump_stack_lvl+0x5a/0x80
+ [71.994] panic+0x10b/0x2da
+ [71.995] watchdog_timer_fn.cold+0x9a/0xa1
+ [71.996] ? __pfx_watchdog_timer_fn+0x10/0x10
+ [71.997] __hrtimer_run_queues+0x132/0x2a0
+ [71.997] hrtimer_interrupt+0xff/0x230
+ [71.998] __sysvec_apic_timer_interrupt+0x55/0x100
+ [71.999] sysvec_apic_timer_interrupt+0x6c/0x90
+ [72.000] </IRQ>
+ [72.000] <TASK>
+ [72.001] asm_sysvec_apic_timer_interrupt+0x1a/0x20
+ [72.002] RIP: 0010:btrfs_discard_workfn+0xc4/0x400 [btrfs]
+ [72.002] Code: c1 01 48 83 (...)
+ [72.005] RSP: 0018:ffffafaec03efe08 EFLAGS: 00000246
+ [72.006] RAX: ffff897045500000 RBX: ffff8970413ed8d0 RCX: 0000000000000000
+ [72.006] RDX: 0000000000000001 RSI: ffff8970413ed8d0 RDI: 0000000a8f1272ad
+ [72.007] RBP: 0000000a9d61c60e R08: ffff897045500140 R09: 8080808080808080
+ [72.008] R10: ffff897040276800 R11: fefefefefefefeff R12: ffff8970413ed860
+ [72.009] R13: ffff897045500000 R14: ffff8970413ed868 R15: 0000000000000000
+ [72.010] ? btrfs_discard_workfn+0x51/0x400 [btrfs 23b01089228eb964071fb7ca156eee8cd3bf996f]
+ [72.011] process_one_work+0x17e/0x330
+ [72.012] worker_thread+0x2ce/0x3f0
+ [72.013] ? __pfx_worker_thread+0x10/0x10
+ [72.014] kthread+0xef/0x220
+ [72.014] ? __pfx_kthread+0x10/0x10
+ [72.015] ret_from_fork+0x34/0x50
+ [72.015] ? __pfx_kthread+0x10/0x10
+ [72.016] ret_from_fork_asm+0x1a/0x30
+ [72.017] </TASK>
+ [72.017] Kernel Offset: 0x15000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
+ [72.019] Rebooting in 90 seconds..
+
+So fix this by making sure we move a block group out of the unused block
+groups discard list when calling __add_to_discard_list().
+
+Fixes: 2bee7eb8bb81 ("btrfs: discard one region at a time in async discard")
+Link: https://bugzilla.suse.com/show_bug.cgi?id=1242012
+CC: stable@vger.kernel.org # 5.10+
+Reviewed-by: Boris Burkov <boris@bur.io>
+Reviewed-by: Daniel Vacek <neelx@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/discard.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/discard.c
++++ b/fs/btrfs/discard.c
+@@ -94,8 +94,6 @@ static void __add_to_discard_list(struct
+ struct btrfs_block_group *block_group)
+ {
+ lockdep_assert_held(&discard_ctl->lock);
+- if (!btrfs_run_discard_work(discard_ctl))
+- return;
+
+ if (list_empty(&block_group->discard_list) ||
+ block_group->discard_index == BTRFS_DISCARD_INDEX_UNUSED) {
+@@ -118,6 +116,9 @@ static void add_to_discard_list(struct b
+ if (!btrfs_is_block_group_data_only(block_group))
+ return;
+
++ if (!btrfs_run_discard_work(discard_ctl))
++ return;
++
+ spin_lock(&discard_ctl->lock);
+ __add_to_discard_list(discard_ctl, block_group);
+ spin_unlock(&discard_ctl->lock);
+@@ -250,6 +251,18 @@ again:
+ block_group->used != 0) {
+ if (btrfs_is_block_group_data_only(block_group)) {
+ __add_to_discard_list(discard_ctl, block_group);
++ /*
++ * The block group must have been moved to other
++ * discard list even if discard was disabled in
++ * the meantime or a transaction abort happened,
++ * otherwise we can end up in an infinite loop,
++ * always jumping into the 'again' label and
++ * keep getting this block group over and over
++ * in case there are no other block groups in
++ * the discard lists.
++ */
++ ASSERT(block_group->discard_index !=
++ BTRFS_DISCARD_INDEX_UNUSED);
+ } else {
+ list_del_init(&block_group->discard_list);
+ btrfs_put_block_group(block_group);
--- /dev/null
+From a0fd1c6098633f9a95fc2f636383546c82b704c3 Mon Sep 17 00:00:00 2001
+From: Boris Burkov <boris@bur.io>
+Date: Wed, 7 May 2025 12:42:24 -0700
+Subject: btrfs: fix folio leak in submit_one_async_extent()
+
+From: Boris Burkov <boris@bur.io>
+
+commit a0fd1c6098633f9a95fc2f636383546c82b704c3 upstream.
+
+If btrfs_reserve_extent() fails while submitting an async_extent for a
+compressed write, then we fail to call free_async_extent_pages() on the
+async_extent and leak its folios. A likely cause for such a failure
+would be btrfs_reserve_extent() failing to find a large enough
+contiguous free extent for the compressed extent.
+
+I was able to reproduce this by:
+
+1. mount with compress-force=zstd:3
+2. fallocating most of a filesystem to a big file
+3. fragmenting the remaining free space
+4. trying to copy in a file which zstd would generate large compressed
+ extents for (vmlinux worked well for this)
+
+Step 4. hits the memory leak and can be repeated ad nauseam to
+eventually exhaust the system memory.
+
+Fix this by detecting the case where we fallback to uncompressed
+submission for a compressed async_extent and ensuring that we call
+free_async_extent_pages().
+
+Fixes: 131a821a243f ("btrfs: fallback if compressed IO fails for ENOSPC")
+CC: stable@vger.kernel.org # 6.1+
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Co-developed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Boris Burkov <boris@bur.io>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/inode.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -1187,6 +1187,7 @@ static void submit_one_async_extent(stru
+ struct extent_state *cached = NULL;
+ struct extent_map *em;
+ int ret = 0;
++ bool free_pages = false;
+ u64 start = async_extent->start;
+ u64 end = async_extent->start + async_extent->ram_size - 1;
+
+@@ -1207,7 +1208,10 @@ static void submit_one_async_extent(stru
+ }
+
+ if (async_extent->compress_type == BTRFS_COMPRESS_NONE) {
++ ASSERT(!async_extent->folios);
++ ASSERT(async_extent->nr_folios == 0);
+ submit_uncompressed_range(inode, async_extent, locked_folio);
++ free_pages = true;
+ goto done;
+ }
+
+@@ -1223,6 +1227,7 @@ static void submit_one_async_extent(stru
+ * fall back to uncompressed.
+ */
+ submit_uncompressed_range(inode, async_extent, locked_folio);
++ free_pages = true;
+ goto done;
+ }
+
+@@ -1264,6 +1269,8 @@ static void submit_one_async_extent(stru
+ done:
+ if (async_chunk->blkcg_css)
+ kthread_associate_blkcg(NULL);
++ if (free_pages)
++ free_async_extent_pages(async_extent);
+ kfree(async_extent);
+ return;
+
--- /dev/null
+From df180e65305f8c1e020d54bfc2132349fd693de1 Mon Sep 17 00:00:00 2001
+From: Nathan Lynch <nathan.lynch@amd.com>
+Date: Thu, 3 Apr 2025 11:24:19 -0500
+Subject: dmaengine: Revert "dmaengine: dmatest: Fix dmatest waiting less when interrupted"
+
+From: Nathan Lynch <nathan.lynch@amd.com>
+
+commit df180e65305f8c1e020d54bfc2132349fd693de1 upstream.
+
+Several issues with this change:
+
+* The analysis is flawed and it's unclear what problem is being
+ fixed. There is no difference between wait_event_freezable_timeout()
+ and wait_event_timeout() with respect to device interrupts. And of
+ course "the interrupt notifying the finish of an operation happens
+ during wait_event_freezable_timeout()" -- that's how it's supposed
+ to work.
+
+* The link at the "Closes:" tag appears to be an unrelated
+ use-after-free in idxd.
+
+* It introduces a regression: dmatest threads are meant to be
+ freezable and this change breaks that.
+
+See discussion here:
+https://lore.kernel.org/dmaengine/878qpa13fe.fsf@AUSNATLYNCH.amd.com/
+
+Fixes: e87ca16e9911 ("dmaengine: dmatest: Fix dmatest waiting less when interrupted")
+Signed-off-by: Nathan Lynch <nathan.lynch@amd.com>
+Link: https://lore.kernel.org/r/20250403-dmaengine-dmatest-revert-waiting-less-v1-1-8227c5a3d7c8@amd.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/dmatest.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/dma/dmatest.c
++++ b/drivers/dma/dmatest.c
+@@ -841,9 +841,9 @@ static int dmatest_func(void *data)
+ } else {
+ dma_async_issue_pending(chan);
+
+- wait_event_timeout(thread->done_wait,
+- done->done,
+- msecs_to_jiffies(params->timeout));
++ wait_event_freezable_timeout(thread->done_wait,
++ done->done,
++ msecs_to_jiffies(params->timeout));
+
+ status = dma_async_is_tx_complete(chan, cookie, NULL,
+ NULL);
--- /dev/null
+From d33724ffb743d3d2698bd969e29253ae0cff9739 Mon Sep 17 00:00:00 2001
+From: Wayne Lin <Wayne.Lin@amd.com>
+Date: Tue, 13 May 2025 11:20:24 +0800
+Subject: drm/amd/display: Avoid flooding unnecessary info messages
+
+From: Wayne Lin <Wayne.Lin@amd.com>
+
+commit d33724ffb743d3d2698bd969e29253ae0cff9739 upstream.
+
+It's expected that we'll encounter temporary exceptions
+during aux transactions. Adjust logging from drm_info to
+drm_dbg_dp to prevent flooding with unnecessary log messages.
+
+Fixes: 3637e457eb00 ("drm/amd/display: Fix wrong handling for AUX_DEFER case")
+Cc: Mario Limonciello <mario.limonciello@amd.com>
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Wayne Lin <Wayne.Lin@amd.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Link: https://lore.kernel.org/r/20250513032026.838036-1-Wayne.Lin@amd.com
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 9a9c3e1fe5256da14a0a307dff0478f90c55fc8c)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
+@@ -107,7 +107,7 @@ static ssize_t dm_dp_aux_transfer(struct
+ if (payload.write && result >= 0) {
+ if (result) {
+ /*one byte indicating partially written bytes*/
+- drm_info(adev_to_drm(adev), "amdgpu: AUX partially written\n");
++ drm_dbg_dp(adev_to_drm(adev), "amdgpu: AUX partially written\n");
+ result = payload.data[0];
+ } else if (!payload.reply[0])
+ /*I2C_ACK|AUX_ACK*/
+@@ -133,11 +133,11 @@ static ssize_t dm_dp_aux_transfer(struct
+ break;
+ }
+
+- drm_info(adev_to_drm(adev), "amdgpu: DP AUX transfer fail:%d\n", operation_result);
++ drm_dbg_dp(adev_to_drm(adev), "amdgpu: DP AUX transfer fail:%d\n", operation_result);
+ }
+
+ if (payload.reply[0])
+- drm_info(adev_to_drm(adev), "amdgpu: AUX reply command not ACK: 0x%02x.",
++ drm_dbg_dp(adev_to_drm(adev), "amdgpu: AUX reply command not ACK: 0x%02x.",
+ payload.reply[0]);
+
+ return result;
--- /dev/null
+From d433981385c62c72080e26f1c00a961d18b233be Mon Sep 17 00:00:00 2001
+From: Wayne Lin <Wayne.Lin@amd.com>
+Date: Fri, 25 Apr 2025 14:44:02 +0800
+Subject: drm/amd/display: Correct the reply value when AUX write incomplete
+
+From: Wayne Lin <Wayne.Lin@amd.com>
+
+commit d433981385c62c72080e26f1c00a961d18b233be upstream.
+
+[Why]
+Now forcing aux->transfer to return 0 when incomplete AUX write is
+inappropriate. It should return bytes have been transferred.
+
+[How]
+aux->transfer is asked not to change original msg except reply field of
+drm_dp_aux_msg structure. Copy the msg->buffer when it's write request,
+and overwrite the first byte when sink reply 1 byte indicating partially
+written byte number. Then we can return the correct value without
+changing the original msg.
+
+Fixes: 3637e457eb00 ("drm/amd/display: Fix wrong handling for AUX_DEFER case")
+Cc: Mario Limonciello <mario.limonciello@amd.com>
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Reviewed-by: Ray Wu <ray.wu@amd.com>
+Signed-off-by: Wayne Lin <Wayne.Lin@amd.com>
+Signed-off-by: Ray Wu <ray.wu@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 7ac37f0dcd2e0b729fa7b5513908dc8ab802b540)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 ++-
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 10 ++++++++--
+ 2 files changed, 10 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -12546,7 +12546,8 @@ int amdgpu_dm_process_dmub_aux_transfer_
+ /* The reply is stored in the top nibble of the command. */
+ payload->reply[0] = (adev->dm.dmub_notify->aux_reply.command >> 4) & 0xF;
+
+- if (!payload->write && p_notify->aux_reply.length)
++ /*write req may receive a byte indicating partially written number as well*/
++ if (p_notify->aux_reply.length)
+ memcpy(payload->data, p_notify->aux_reply.data,
+ p_notify->aux_reply.length);
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
+@@ -62,6 +62,7 @@ static ssize_t dm_dp_aux_transfer(struct
+ enum aux_return_code_type operation_result;
+ struct amdgpu_device *adev;
+ struct ddc_service *ddc;
++ uint8_t copy[16];
+
+ if (WARN_ON(msg->size > 16))
+ return -E2BIG;
+@@ -77,6 +78,11 @@ static ssize_t dm_dp_aux_transfer(struct
+ (msg->request & DP_AUX_I2C_WRITE_STATUS_UPDATE) != 0;
+ payload.defer_delay = 0;
+
++ if (payload.write) {
++ memcpy(copy, msg->buffer, msg->size);
++ payload.data = copy;
++ }
++
+ result = dc_link_aux_transfer_raw(TO_DM_AUX(aux)->ddc_service, &payload,
+ &operation_result);
+
+@@ -100,9 +106,9 @@ static ssize_t dm_dp_aux_transfer(struct
+ */
+ if (payload.write && result >= 0) {
+ if (result) {
+- /*one byte indicating partially written bytes. Force 0 to retry*/
++ /*one byte indicating partially written bytes*/
+ drm_info(adev_to_drm(adev), "amdgpu: AUX partially written\n");
+- result = 0;
++ result = payload.data[0];
+ } else if (!payload.reply[0])
+ /*I2C_ACK|AUX_ACK*/
+ result = msg->size;
--- /dev/null
+From a0fa7873f2f869087b1e7793f7fac3713a1e3afe Mon Sep 17 00:00:00 2001
+From: Philip Yang <Philip.Yang@amd.com>
+Date: Wed, 7 May 2025 11:04:32 -0400
+Subject: drm/amdgpu: csa unmap use uninterruptible lock
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Philip Yang <Philip.Yang@amd.com>
+
+commit a0fa7873f2f869087b1e7793f7fac3713a1e3afe upstream.
+
+After process exit to unmap csa and free GPU vm, if signal is accepted
+and then waiting to take vm lock is interrupted and return, it causes
+memory leaking and below warning backtrace.
+
+Change to use uninterruptible wait lock fix the issue.
+
+WARNING: CPU: 69 PID: 167800 at amd/amdgpu/amdgpu_kms.c:1525
+ amdgpu_driver_postclose_kms+0x294/0x2a0 [amdgpu]
+ Call Trace:
+ <TASK>
+ drm_file_free.part.0+0x1da/0x230 [drm]
+ drm_close_helper.isra.0+0x65/0x70 [drm]
+ drm_release+0x6a/0x120 [drm]
+ amdgpu_drm_release+0x51/0x60 [amdgpu]
+ __fput+0x9f/0x280
+ ____fput+0xe/0x20
+ task_work_run+0x67/0xa0
+ do_exit+0x217/0x3c0
+ do_group_exit+0x3b/0xb0
+ get_signal+0x14a/0x8d0
+ arch_do_signal_or_restart+0xde/0x100
+ exit_to_user_mode_loop+0xc1/0x1a0
+ exit_to_user_mode_prepare+0xf4/0x100
+ syscall_exit_to_user_mode+0x17/0x40
+ do_syscall_64+0x69/0xc0
+
+Signed-off-by: Philip Yang <Philip.Yang@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 7dbbfb3c171a6f63b01165958629c9c26abf38ab)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c
+@@ -109,7 +109,7 @@ int amdgpu_unmap_static_csa(struct amdgp
+ struct drm_exec exec;
+ int r;
+
+- drm_exec_init(&exec, DRM_EXEC_INTERRUPTIBLE_WAIT, 0);
++ drm_exec_init(&exec, 0, 0);
+ drm_exec_until_all_locked(&exec) {
+ r = amdgpu_vm_lock_pd(vm, &exec, 0);
+ if (likely(!r))
--- /dev/null
+From 2d73b0845ab3963856e857b810600e5594bc29f4 Mon Sep 17 00:00:00 2001
+From: Tim Huang <tim.huang@amd.com>
+Date: Thu, 8 May 2025 13:37:35 +0800
+Subject: drm/amdgpu: fix incorrect MALL size for GFX1151
+
+From: Tim Huang <tim.huang@amd.com>
+
+commit 2d73b0845ab3963856e857b810600e5594bc29f4 upstream.
+
+On GFX1151, the reported MALL cache size reflects only
+half of its actual size; this adjustment corrects the discrepancy.
+
+Signed-off-by: Tim Huang <tim.huang@amd.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Reviewed-by: Yifan Zhang <yifan1.zhang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 0a5c060b593ad152318f89e5564bfdfcff8a6ac0)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/gmc_v11_0.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/gmc_v11_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v11_0.c
+@@ -747,6 +747,18 @@ static int gmc_v11_0_sw_init(void *handl
+ adev->gmc.vram_type = vram_type;
+ adev->gmc.vram_vendor = vram_vendor;
+
++ /* The mall_size is already calculated as mall_size_per_umc * num_umc.
++ * However, for gfx1151, which features a 2-to-1 UMC mapping,
++ * the result must be multiplied by 2 to determine the actual mall size.
++ */
++ switch (amdgpu_ip_version(adev, GC_HWIP, 0)) {
++ case IP_VERSION(11, 5, 1):
++ adev->gmc.mall_size *= 2;
++ break;
++ default:
++ break;
++ }
++
+ switch (amdgpu_ip_version(adev, GC_HWIP, 0)) {
+ case IP_VERSION(11, 0, 0):
+ case IP_VERSION(11, 0, 1):
--- /dev/null
+From ee7360fc27d6045510f8fe459b5649b2af27811a Mon Sep 17 00:00:00 2001
+From: "David (Ming Qiang) Wu" <David.Wu3@amd.com>
+Date: Mon, 12 May 2025 15:14:43 -0400
+Subject: drm/amdgpu: read back register after written for VCN v4.0.5
+
+From: David (Ming Qiang) Wu <David.Wu3@amd.com>
+
+commit ee7360fc27d6045510f8fe459b5649b2af27811a upstream.
+
+On VCN v4.0.5 there is a race condition where the WPTR is not
+updated after starting from idle when doorbell is used. Adding
+register read-back after written at function end is to ensure
+all register writes are done before they can be used.
+
+Closes: https://gitlab.freedesktop.org/mesa/mesa/-/issues/12528
+Signed-off-by: David (Ming Qiang) Wu <David.Wu3@amd.com>
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Tested-by: Mario Limonciello <mario.limonciello@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 07c9db090b86e5211188e1b351303fbc673378cf)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/vcn_v4_0_5.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0_5.c
++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0_5.c
+@@ -985,6 +985,10 @@ static int vcn_v4_0_5_start_dpg_mode(str
+ ring->doorbell_index << VCN_RB1_DB_CTRL__OFFSET__SHIFT |
+ VCN_RB1_DB_CTRL__EN_MASK);
+
++ /* Keeping one read-back to ensure all register writes are done, otherwise
++ * it may introduce race conditions */
++ RREG32_SOC15(VCN, inst_idx, regVCN_RB1_DB_CTRL);
++
+ return 0;
+ }
+
+@@ -1169,6 +1173,10 @@ static int vcn_v4_0_5_start(struct amdgp
+ fw_shared->sq.queue_mode &= ~(FW_QUEUE_RING_RESET | FW_QUEUE_DPG_HOLD_OFF);
+ }
+
++ /* Keeping one read-back to ensure all register writes are done, otherwise
++ * it may introduce race conditions */
++ RREG32_SOC15(VCN, i, regVCN_RB_ENABLE);
++
+ return 0;
+ }
+
--- /dev/null
+From 3e38f946062b4845961ab86b726651b4457b2af8 Mon Sep 17 00:00:00 2001
+From: Emanuele Ghidoli <emanuele.ghidoli@toradex.com>
+Date: Mon, 12 May 2025 11:54:41 +0200
+Subject: gpio: pca953x: fix IRQ storm on system wake up
+
+From: Emanuele Ghidoli <emanuele.ghidoli@toradex.com>
+
+commit 3e38f946062b4845961ab86b726651b4457b2af8 upstream.
+
+If an input changes state during wake-up and is used as an interrupt
+source, the IRQ handler reads the volatile input register to clear the
+interrupt mask and deassert the IRQ line. However, the IRQ handler is
+triggered before access to the register is granted, causing the read
+operation to fail.
+
+As a result, the IRQ handler enters a loop, repeatedly printing the
+"failed reading register" message, until `pca953x_resume()` is eventually
+called, which restores the driver context and enables access to
+registers.
+
+Fix by disabling the IRQ line before entering suspend mode, and
+re-enabling it after the driver context is restored in `pca953x_resume()`.
+
+An IRQ can be disabled with disable_irq() and still wake the system as
+long as the IRQ has wake enabled, so the wake-up functionality is
+preserved.
+
+Fixes: b76574300504 ("gpio: pca953x: Restore registers after suspend/resume cycle")
+Cc: stable@vger.kernel.org
+Signed-off-by: Emanuele Ghidoli <emanuele.ghidoli@toradex.com>
+Signed-off-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/r/20250512095441.31645-1-francesco@dolcini.it
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-pca953x.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/gpio/gpio-pca953x.c
++++ b/drivers/gpio/gpio-pca953x.c
+@@ -1203,6 +1203,8 @@ static int pca953x_restore_context(struc
+
+ guard(mutex)(&chip->i2c_lock);
+
++ if (chip->client->irq > 0)
++ enable_irq(chip->client->irq);
+ regcache_cache_only(chip->regmap, false);
+ regcache_mark_dirty(chip->regmap);
+ ret = pca953x_regcache_sync(chip);
+@@ -1215,6 +1217,10 @@ static int pca953x_restore_context(struc
+ static void pca953x_save_context(struct pca953x_chip *chip)
+ {
+ guard(mutex)(&chip->i2c_lock);
++
++ /* Disable IRQ to prevent early triggering while regmap "cache only" is on */
++ if (chip->client->irq > 0)
++ disable_irq(chip->client->irq);
+ regcache_cache_only(chip->regmap, true);
+ }
+
--- /dev/null
+From 578e1b96fad7402ff7e9c7648c8f1ad0225147c8 Mon Sep 17 00:00:00 2001
+From: Rong Zhang <i@rong.moe>
+Date: Mon, 12 May 2025 23:24:19 +0800
+Subject: HID: bpf: abort dispatch if device destroyed
+
+From: Rong Zhang <i@rong.moe>
+
+commit 578e1b96fad7402ff7e9c7648c8f1ad0225147c8 upstream.
+
+The current HID bpf implementation assumes no output report/request will
+go through it after hid_bpf_destroy_device() has been called. This leads
+to a bug that unplugging certain types of HID devices causes a cleaned-
+up SRCU to be accessed. The bug was previously a hidden failure until a
+recent x86 percpu change [1] made it access not-present pages.
+
+The bug will be triggered if the conditions below are met:
+
+A) a device under the driver has some LEDs on
+B) hid_ll_driver->request() is uninplemented (e.g., logitech-djreceiver)
+
+If condition A is met, hidinput_led_worker() is always scheduled *after*
+hid_bpf_destroy_device().
+
+hid_destroy_device
+` hid_bpf_destroy_device
+ ` cleanup_srcu_struct(&hdev->bpf.srcu)
+` hid_remove_device
+ ` ...
+ ` led_classdev_unregister
+ ` led_trigger_set(led_cdev, NULL)
+ ` led_set_brightness(led_cdev, LED_OFF)
+ ` ...
+ ` input_inject_event
+ ` input_event_dispose
+ ` hidinput_input_event
+ ` schedule_work(&hid->led_work) [hidinput_led_worker]
+
+This is fine when condition B is not met, where hidinput_led_worker()
+calls hid_ll_driver->request(). This is the case for most HID drivers,
+which implement it or use the generic one from usbhid. The driver itself
+or an underlying driver will then abort processing the request.
+
+Otherwise, hidinput_led_worker() tries hid_hw_output_report() and leads
+to the bug.
+
+hidinput_led_worker
+` hid_hw_output_report
+ ` dispatch_hid_bpf_output_report
+ ` srcu_read_lock(&hdev->bpf.srcu)
+ ` srcu_read_unlock(&hdev->bpf.srcu, idx)
+
+The bug has existed since the introduction [2] of
+dispatch_hid_bpf_output_report(). However, the same bug also exists in
+dispatch_hid_bpf_raw_requests(), and I've reproduced (no visible effect
+because of the lack of [1], but confirmed bpf.destroyed == 1) the bug
+against the commit (i.e., the Fixes:) introducing the function. This is
+because hidinput_led_worker() falls back to hid_hw_raw_request() when
+hid_ll_driver->output_report() is uninplemented (e.g., logitech-
+djreceiver).
+
+hidinput_led_worker
+` hid_hw_output_report: -ENOSYS
+` hid_hw_raw_request
+ ` dispatch_hid_bpf_raw_requests
+ ` srcu_read_lock(&hdev->bpf.srcu)
+ ` srcu_read_unlock(&hdev->bpf.srcu, idx)
+
+Fix the issue by returning early in the two mentioned functions if
+hid_bpf has been marked as destroyed. Though
+dispatch_hid_bpf_device_event() handles input events, and there is no
+evidence that it may be called after the destruction, the same check, as
+a safety net, is also added to it to maintain the consistency among all
+dispatch functions.
+
+The impact of the bug on other architectures is unclear. Even if it acts
+as a hidden failure, this is still dangerous because it corrupts
+whatever is on the address calculated by SRCU. Thus, CC'ing the stable
+list.
+
+[1]: commit 9d7de2aa8b41 ("x86/percpu/64: Use relative percpu offsets")
+[2]: commit 9286675a2aed ("HID: bpf: add HID-BPF hooks for
+hid_hw_output_report")
+
+Closes: https://lore.kernel.org/all/20250506145548.GGaBoi9Jzp3aeJizTR@fat_crate.local/
+Fixes: 8bd0488b5ea5 ("HID: bpf: add HID-BPF hooks for hid_hw_raw_requests")
+Cc: stable@vger.kernel.org
+Signed-off-by: Rong Zhang <i@rong.moe>
+Tested-by: Petr Tesarik <petr@tesarici.cz>
+Link: https://patch.msgid.link/20250512152420.87441-1-i@rong.moe
+Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/bpf/hid_bpf_dispatch.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/hid/bpf/hid_bpf_dispatch.c
++++ b/drivers/hid/bpf/hid_bpf_dispatch.c
+@@ -38,6 +38,9 @@ dispatch_hid_bpf_device_event(struct hid
+ struct hid_bpf_ops *e;
+ int ret;
+
++ if (unlikely(hdev->bpf.destroyed))
++ return ERR_PTR(-ENODEV);
++
+ if (type >= HID_REPORT_TYPES)
+ return ERR_PTR(-EINVAL);
+
+@@ -93,6 +96,9 @@ int dispatch_hid_bpf_raw_requests(struct
+ struct hid_bpf_ops *e;
+ int ret, idx;
+
++ if (unlikely(hdev->bpf.destroyed))
++ return -ENODEV;
++
+ if (rtype >= HID_REPORT_TYPES)
+ return -EINVAL;
+
+@@ -130,6 +136,9 @@ int dispatch_hid_bpf_output_report(struc
+ struct hid_bpf_ops *e;
+ int ret, idx;
+
++ if (unlikely(hdev->bpf.destroyed))
++ return -ENODEV;
++
+ idx = srcu_read_lock(&hdev->bpf.srcu);
+ list_for_each_entry_srcu(e, &hdev->bpf.prog_list, list,
+ srcu_read_lock_held(&hdev->bpf.srcu)) {
--- /dev/null
+From 90436d234230e9a950ccd87831108b688b27a234 Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhuacai@loongson.cn>
+Date: Wed, 14 May 2025 22:17:43 +0800
+Subject: LoongArch: Fix MAX_REG_OFFSET calculation
+
+From: Huacai Chen <chenhuacai@loongson.cn>
+
+commit 90436d234230e9a950ccd87831108b688b27a234 upstream.
+
+Fix MAX_REG_OFFSET calculation, make it point to the last register
+in 'struct pt_regs' and not to the marker itself, which could allow
+regs_get_register() to return an invalid offset.
+
+Cc: stable@vger.kernel.org
+Fixes: 803b0fc5c3f2baa6e5 ("LoongArch: Add process management")
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/include/asm/ptrace.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/loongarch/include/asm/ptrace.h
++++ b/arch/loongarch/include/asm/ptrace.h
+@@ -55,7 +55,7 @@ static inline void instruction_pointer_s
+
+ /* Query offset/name of register from its name/offset */
+ extern int regs_query_register_offset(const char *name);
+-#define MAX_REG_OFFSET (offsetof(struct pt_regs, __last))
++#define MAX_REG_OFFSET (offsetof(struct pt_regs, __last) - sizeof(unsigned long))
+
+ /**
+ * regs_get_register() - get register value from its offset
--- /dev/null
+From 3e245b7b74c3a2ead5fa4bad27cc275284c75189 Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhuacai@loongson.cn>
+Date: Wed, 14 May 2025 22:17:52 +0800
+Subject: LoongArch: Move __arch_cpu_idle() to .cpuidle.text section
+
+From: Huacai Chen <chenhuacai@loongson.cn>
+
+commit 3e245b7b74c3a2ead5fa4bad27cc275284c75189 upstream.
+
+Now arch_cpu_idle() is annotated with __cpuidle which means it is in
+the .cpuidle.text section, but __arch_cpu_idle() isn't. Thus, fix the
+missing .cpuidle.text section assignment for __arch_cpu_idle() in order
+to correct backtracing with nmi_backtrace().
+
+The principle is similar to the commit 97c8580e85cf81c ("MIPS: Annotate
+cpu_wait implementations with __cpuidle")
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/kernel/genex.S | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/arch/loongarch/kernel/genex.S
++++ b/arch/loongarch/kernel/genex.S
+@@ -16,6 +16,7 @@
+ #include <asm/stackframe.h>
+ #include <asm/thread_info.h>
+
++ .section .cpuidle.text, "ax"
+ .align 5
+ SYM_FUNC_START(__arch_cpu_idle)
+ /* start of idle interrupt region */
+@@ -31,14 +32,16 @@ SYM_FUNC_START(__arch_cpu_idle)
+ */
+ idle 0
+ /* end of idle interrupt region */
+-1: jr ra
++idle_exit:
++ jr ra
+ SYM_FUNC_END(__arch_cpu_idle)
++ .previous
+
+ SYM_CODE_START(handle_vint)
+ UNWIND_HINT_UNDEFINED
+ BACKUP_T0T1
+ SAVE_ALL
+- la_abs t1, 1b
++ la_abs t1, idle_exit
+ LONG_L t0, sp, PT_ERA
+ /* 3 instructions idle interrupt region */
+ ori t0, t0, 0b1100
--- /dev/null
+From 2468b0e3d5659dfde77f081f266e1111a981efb8 Mon Sep 17 00:00:00 2001
+From: Tianyang Zhang <zhangtianyang@loongson.cn>
+Date: Wed, 14 May 2025 22:17:43 +0800
+Subject: LoongArch: Prevent cond_resched() occurring within kernel-fpu
+
+From: Tianyang Zhang <zhangtianyang@loongson.cn>
+
+commit 2468b0e3d5659dfde77f081f266e1111a981efb8 upstream.
+
+When CONFIG_PREEMPT_COUNT is not configured (i.e. CONFIG_PREEMPT_NONE/
+CONFIG_PREEMPT_VOLUNTARY), preempt_disable() / preempt_enable() merely
+acts as a barrier(). However, in these cases cond_resched() can still
+trigger a context switch and modify the CSR.EUEN, resulting in do_fpu()
+exception being activated within the kernel-fpu critical sections, as
+demonstrated in the following path:
+
+dcn32_calculate_wm_and_dlg()
+ DC_FP_START()
+ dcn32_calculate_wm_and_dlg_fpu()
+ dcn32_find_dummy_latency_index_for_fw_based_mclk_switch()
+ dcn32_internal_validate_bw()
+ dcn32_enable_phantom_stream()
+ dc_create_stream_for_sink()
+ kzalloc(GFP_KERNEL)
+ __kmem_cache_alloc_node()
+ __cond_resched()
+ DC_FP_END()
+
+This patch is similar to commit d02198550423a0b (x86/fpu: Improve crypto
+performance by making kernel-mode FPU reliably usable in softirqs). It
+uses local_bh_disable() instead of preempt_disable() for non-RT kernels
+so it can avoid the cond_resched() issue, and also extend the kernel-fpu
+application scenarios to the softirq context.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Tianyang Zhang <zhangtianyang@loongson.cn>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/kernel/kfpu.c | 22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+--- a/arch/loongarch/kernel/kfpu.c
++++ b/arch/loongarch/kernel/kfpu.c
+@@ -18,11 +18,28 @@ static unsigned int euen_mask = CSR_EUEN
+ static DEFINE_PER_CPU(bool, in_kernel_fpu);
+ static DEFINE_PER_CPU(unsigned int, euen_current);
+
++static inline void fpregs_lock(void)
++{
++ if (IS_ENABLED(CONFIG_PREEMPT_RT))
++ preempt_disable();
++ else
++ local_bh_disable();
++}
++
++static inline void fpregs_unlock(void)
++{
++ if (IS_ENABLED(CONFIG_PREEMPT_RT))
++ preempt_enable();
++ else
++ local_bh_enable();
++}
++
+ void kernel_fpu_begin(void)
+ {
+ unsigned int *euen_curr;
+
+- preempt_disable();
++ if (!irqs_disabled())
++ fpregs_lock();
+
+ WARN_ON(this_cpu_read(in_kernel_fpu));
+
+@@ -73,7 +90,8 @@ void kernel_fpu_end(void)
+
+ this_cpu_write(in_kernel_fpu, false);
+
+- preempt_enable();
++ if (!irqs_disabled())
++ fpregs_unlock();
+ }
+ EXPORT_SYMBOL_GPL(kernel_fpu_end);
+
--- /dev/null
+From ceb9155d058a11242aa0572875c44e9713b1a2be Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhuacai@loongson.cn>
+Date: Wed, 14 May 2025 22:17:52 +0800
+Subject: LoongArch: Save and restore CSR.CNTC for hibernation
+
+From: Huacai Chen <chenhuacai@loongson.cn>
+
+commit ceb9155d058a11242aa0572875c44e9713b1a2be upstream.
+
+Save and restore CSR.CNTC for hibernation which is similar to suspend.
+
+For host this is unnecessary because sched clock is ensured continuous,
+but for kvm guest sched clock isn't enough because rdtime.d should also
+be continuous.
+
+Host::rdtime.d = Host::CSR.CNTC + counter
+Guest::rdtime.d = Host::CSR.CNTC + Host::CSR.GCNTC + Guest::CSR.CNTC + counter
+
+so,
+
+Guest::rdtime.d = Host::rdtime.d + Host::CSR.GCNTC + Guest::CSR.CNTC
+
+To ensure Guest::rdtime.d continuous, Host::rdtime.d should be at first
+continuous, while Host::CSR.GCNTC / Guest::CSR.CNTC is maintained by KVM.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Xianglai Li <lixianglai@loongson.cn>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/kernel/time.c | 2 +-
+ arch/loongarch/power/hibernate.c | 3 +++
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/loongarch/kernel/time.c
++++ b/arch/loongarch/kernel/time.c
+@@ -111,7 +111,7 @@ static unsigned long __init get_loops_pe
+ return lpj;
+ }
+
+-static long init_offset __nosavedata;
++static long init_offset;
+
+ void save_counter(void)
+ {
+--- a/arch/loongarch/power/hibernate.c
++++ b/arch/loongarch/power/hibernate.c
+@@ -2,6 +2,7 @@
+ #include <asm/fpu.h>
+ #include <asm/loongson.h>
+ #include <asm/sections.h>
++#include <asm/time.h>
+ #include <asm/tlbflush.h>
+ #include <linux/suspend.h>
+
+@@ -14,6 +15,7 @@ struct pt_regs saved_regs;
+
+ void save_processor_state(void)
+ {
++ save_counter();
+ saved_crmd = csr_read32(LOONGARCH_CSR_CRMD);
+ saved_prmd = csr_read32(LOONGARCH_CSR_PRMD);
+ saved_euen = csr_read32(LOONGARCH_CSR_EUEN);
+@@ -26,6 +28,7 @@ void save_processor_state(void)
+
+ void restore_processor_state(void)
+ {
++ sync_counter();
+ csr_write32(saved_crmd, LOONGARCH_CSR_CRMD);
+ csr_write32(saved_prmd, LOONGARCH_CSR_PRMD);
+ csr_write32(saved_euen, LOONGARCH_CSR_EUEN);
--- /dev/null
+From 12614f794274f63fbdfe76771b2b332077d63848 Mon Sep 17 00:00:00 2001
+From: Tiezhu Yang <yangtiezhu@loongson.cn>
+Date: Wed, 14 May 2025 22:18:10 +0800
+Subject: LoongArch: uprobes: Remove redundant code about resume_era
+
+From: Tiezhu Yang <yangtiezhu@loongson.cn>
+
+commit 12614f794274f63fbdfe76771b2b332077d63848 upstream.
+
+arch_uprobe_skip_sstep() returns true if instruction was emulated, that
+is to say, there is no need to single step for the emulated instructions.
+regs->csr_era will point to the destination address directly after the
+exception, so the resume_era related code is redundant, just remove them.
+
+Cc: stable@vger.kernel.org
+Fixes: 19bc6cb64092 ("LoongArch: Add uprobes support")
+Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/include/asm/uprobes.h | 1 -
+ arch/loongarch/kernel/uprobes.c | 7 +------
+ 2 files changed, 1 insertion(+), 7 deletions(-)
+
+--- a/arch/loongarch/include/asm/uprobes.h
++++ b/arch/loongarch/include/asm/uprobes.h
+@@ -15,7 +15,6 @@ typedef u32 uprobe_opcode_t;
+ #define UPROBE_XOLBP_INSN __emit_break(BRK_UPROBE_XOLBP)
+
+ struct arch_uprobe {
+- unsigned long resume_era;
+ u32 insn[2];
+ u32 ixol[2];
+ bool simulate;
+--- a/arch/loongarch/kernel/uprobes.c
++++ b/arch/loongarch/kernel/uprobes.c
+@@ -52,11 +52,7 @@ int arch_uprobe_post_xol(struct arch_upr
+
+ WARN_ON_ONCE(current->thread.trap_nr != UPROBE_TRAP_NR);
+ current->thread.trap_nr = utask->autask.saved_trap_nr;
+-
+- if (auprobe->simulate)
+- instruction_pointer_set(regs, auprobe->resume_era);
+- else
+- instruction_pointer_set(regs, utask->vaddr + LOONGARCH_INSN_SIZE);
++ instruction_pointer_set(regs, utask->vaddr + LOONGARCH_INSN_SIZE);
+
+ return 0;
+ }
+@@ -86,7 +82,6 @@ bool arch_uprobe_skip_sstep(struct arch_
+
+ insn.word = auprobe->insn[0];
+ arch_simulate_insn(insn, regs);
+- auprobe->resume_era = regs->csr_era;
+
+ return true;
+ }
--- /dev/null
+From 0b326b2371f94e798137cc1a3c5c2eef2bc69061 Mon Sep 17 00:00:00 2001
+From: Tiezhu Yang <yangtiezhu@loongson.cn>
+Date: Wed, 14 May 2025 22:18:10 +0800
+Subject: LoongArch: uprobes: Remove user_{en,dis}able_single_step()
+
+From: Tiezhu Yang <yangtiezhu@loongson.cn>
+
+commit 0b326b2371f94e798137cc1a3c5c2eef2bc69061 upstream.
+
+When executing the "perf probe" and "perf stat" test cases about some
+cryptographic algorithm, the output shows that "Trace/breakpoint trap".
+This is because it uses the software singlestep breakpoint for uprobes
+on LoongArch, and no need to use the hardware singlestep. So just remove
+the related function call to user_{en,dis}able_single_step() for uprobes
+on LoongArch.
+
+How to reproduce:
+
+Please make sure CONFIG_UPROBE_EVENTS is set and openssl supports sm2
+algorithm, then execute the following command.
+
+cd tools/perf && make
+./perf probe -x /usr/lib64/libcrypto.so BN_mod_mul_montgomery
+./perf stat -e probe_libcrypto:BN_mod_mul_montgomery openssl speed sm2
+
+Cc: stable@vger.kernel.org
+Fixes: 19bc6cb64092 ("LoongArch: Add uprobes support")
+Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/kernel/uprobes.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/arch/loongarch/kernel/uprobes.c
++++ b/arch/loongarch/kernel/uprobes.c
+@@ -42,7 +42,6 @@ int arch_uprobe_pre_xol(struct arch_upro
+ utask->autask.saved_trap_nr = current->thread.trap_nr;
+ current->thread.trap_nr = UPROBE_TRAP_NR;
+ instruction_pointer_set(regs, utask->xol_vaddr);
+- user_enable_single_step(current);
+
+ return 0;
+ }
+@@ -59,8 +58,6 @@ int arch_uprobe_post_xol(struct arch_upr
+ else
+ instruction_pointer_set(regs, utask->vaddr + LOONGARCH_INSN_SIZE);
+
+- user_disable_single_step(current);
+-
+ return 0;
+ }
+
+@@ -70,7 +67,6 @@ void arch_uprobe_abort_xol(struct arch_u
+
+ current->thread.trap_nr = utask->autask.saved_trap_nr;
+ instruction_pointer_set(regs, utask->vaddr);
+- user_disable_single_step(current);
+ }
+
+ bool arch_uprobe_xol_was_trapped(struct task_struct *t)
--- /dev/null
+From 386cd3dcfd63491619b4034b818737fc0219e128 Mon Sep 17 00:00:00 2001
+From: Alexey Makhalov <alexey.makhalov@broadcom.com>
+Date: Tue, 18 Mar 2025 00:40:31 +0000
+Subject: MAINTAINERS: Update Alexey Makhalov's email address
+
+From: Alexey Makhalov <alexey.makhalov@broadcom.com>
+
+commit 386cd3dcfd63491619b4034b818737fc0219e128 upstream.
+
+Fix a typo in an email address.
+
+Closes: https://lore.kernel.org/all/20240925-rational-succinct-vulture-cca9fb@lemur/T/
+Reported-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
+Reported-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Alexey Makhalov <alexey.makhalov@broadcom.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/20250318004031.2703923-1-alexey.makhalov@broadcom.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ MAINTAINERS | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/MAINTAINERS
++++ b/MAINTAINERS
+@@ -17503,7 +17503,7 @@ F: include/uapi/linux/ppdev.h
+ PARAVIRT_OPS INTERFACE
+ M: Juergen Gross <jgross@suse.com>
+ R: Ajay Kaher <ajay.kaher@broadcom.com>
+-R: Alexey Makhalov <alexey.amakhalov@broadcom.com>
++R: Alexey Makhalov <alexey.makhalov@broadcom.com>
+ R: Broadcom internal kernel review list <bcm-kernel-feedback-list@broadcom.com>
+ L: virtualization@lists.linux.dev
+ L: x86@kernel.org
+@@ -24729,7 +24729,7 @@ F: drivers/misc/vmw_balloon.c
+
+ VMWARE HYPERVISOR INTERFACE
+ M: Ajay Kaher <ajay.kaher@broadcom.com>
+-M: Alexey Makhalov <alexey.amakhalov@broadcom.com>
++M: Alexey Makhalov <alexey.makhalov@broadcom.com>
+ R: Broadcom internal kernel review list <bcm-kernel-feedback-list@broadcom.com>
+ L: virtualization@lists.linux.dev
+ L: x86@kernel.org
+@@ -24757,7 +24757,7 @@ F: drivers/scsi/vmw_pvscsi.h
+ VMWARE VIRTUAL PTP CLOCK DRIVER
+ M: Nick Shi <nick.shi@broadcom.com>
+ R: Ajay Kaher <ajay.kaher@broadcom.com>
+-R: Alexey Makhalov <alexey.amakhalov@broadcom.com>
++R: Alexey Makhalov <alexey.makhalov@broadcom.com>
+ R: Broadcom internal kernel review list <bcm-kernel-feedback-list@broadcom.com>
+ L: netdev@vger.kernel.org
+ S: Supported
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- fs/nfs/pnfs.c | 9 +++++++++
+ fs/nfs/pnfs.c | 9 +++++++++
1 file changed, 9 insertions(+)
-diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
-index 5f582713bf05e..683e09be25adf 100644
--- a/fs/nfs/pnfs.c
+++ b/fs/nfs/pnfs.c
-@@ -745,6 +745,14 @@ pnfs_mark_matching_lsegs_invalid(struct pnfs_layout_hdr *lo,
+@@ -745,6 +745,14 @@ pnfs_mark_matching_lsegs_invalid(struct
return remaining;
}
static void
pnfs_free_returned_lsegs(struct pnfs_layout_hdr *lo,
struct list_head *free_me,
-@@ -1292,6 +1300,7 @@ void pnfs_layoutreturn_free_lsegs(struct pnfs_layout_hdr *lo,
+@@ -1292,6 +1300,7 @@ void pnfs_layoutreturn_free_lsegs(struct
pnfs_mark_matching_lsegs_invalid(lo, &freeme, range, seq);
pnfs_free_returned_lsegs(lo, &freeme, range, seq);
pnfs_set_layout_stateid(lo, stateid, NULL, true);
} else
pnfs_mark_layout_stateid_invalid(lo, &freeme);
out_unlock:
---
-2.39.5
-
--- /dev/null
+From fe14c0f096f58d2569e587e9f4b05d772272bbb4 Mon Sep 17 00:00:00 2001
+From: Melissa Wen <mwen@igalia.com>
+Date: Tue, 22 Apr 2025 11:58:11 -0300
+Subject: Revert "drm/amd/display: Hardware cursor changes color when switched to software cursor"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Melissa Wen <mwen@igalia.com>
+
+commit fe14c0f096f58d2569e587e9f4b05d772272bbb4 upstream.
+
+This reverts commit 272e6aab14bbf98d7a06b2b1cd6308a02d4a10a1.
+
+Applying degamma curve to the cursor by default breaks Linux userspace
+expectation.
+
+On Linux, AMD display manager enables cursor degamma ROM just for
+implict sRGB on HW versions where degamma is split into two blocks:
+degamma ROM for pre-defined TFs and `gamma correction` for user/custom
+curves, and degamma ROM settings doesn't apply to cursor plane.
+
+Link: https://gitlab.freedesktop.org/drm/amd/-/issues/1513
+Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2803
+Reported-by: Michel Dänzer <michel.daenzer@mailbox.org>
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4144
+Signed-off-by: Melissa Wen <mwen@igalia.com>
+Reviewed-by: Alex Hung <alex.hung@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit f6a305d4748801a6c799ae9375b2ecff3aed094b)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/dc/dpp/dcn401/dcn401_dpp_cm.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dpp/dcn401/dcn401_dpp_cm.c b/drivers/gpu/drm/amd/display/dc/dpp/dcn401/dcn401_dpp_cm.c
+index 1236e0f9a256..712aff7e17f7 100644
+--- a/drivers/gpu/drm/amd/display/dc/dpp/dcn401/dcn401_dpp_cm.c
++++ b/drivers/gpu/drm/amd/display/dc/dpp/dcn401/dcn401_dpp_cm.c
+@@ -120,10 +120,11 @@ void dpp401_set_cursor_attributes(
+ enum dc_cursor_color_format color_format = cursor_attributes->color_format;
+ int cur_rom_en = 0;
+
+- // DCN4 should always do Cursor degamma for Cursor Color modes
+ if (color_format == CURSOR_MODE_COLOR_PRE_MULTIPLIED_ALPHA ||
+ color_format == CURSOR_MODE_COLOR_UN_PRE_MULTIPLIED_ALPHA) {
+- cur_rom_en = 1;
++ if (cursor_attributes->attribute_flags.bits.ENABLE_CURSOR_DEGAMMA) {
++ cur_rom_en = 1;
++ }
+ }
+
+ REG_UPDATE_3(CURSOR0_CONTROL,
+--
+2.49.0
+
--- /dev/null
+From 428dc9fc0873989d73918d4a9cc22745b7bbc799 Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Mon, 5 May 2025 11:30:39 -1000
+Subject: sched_ext: bpf_iter_scx_dsq_new() should always initialize iterator
+
+From: Tejun Heo <tj@kernel.org>
+
+commit 428dc9fc0873989d73918d4a9cc22745b7bbc799 upstream.
+
+BPF programs may call next() and destroy() on BPF iterators even after new()
+returns an error value (e.g. bpf_for_each() macro ignores error returns from
+new()). bpf_iter_scx_dsq_new() could leave the iterator in an uninitialized
+state after an error return causing bpf_iter_scx_dsq_next() to dereference
+garbage data. Make bpf_iter_scx_dsq_new() always clear $kit->dsq so that
+next() and destroy() become noops.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Fixes: 650ba21b131e ("sched_ext: Implement DSQ iterator")
+Cc: stable@vger.kernel.org # v6.12+
+Acked-by: Andrea Righi <arighi@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/ext.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/kernel/sched/ext.c
++++ b/kernel/sched/ext.c
+@@ -6731,6 +6731,12 @@ __bpf_kfunc int bpf_iter_scx_dsq_new(str
+ BUILD_BUG_ON(__alignof__(struct bpf_iter_scx_dsq_kern) !=
+ __alignof__(struct bpf_iter_scx_dsq));
+
++ /*
++ * next() and destroy() will be called regardless of the return value.
++ * Always clear $kit->dsq.
++ */
++ kit->dsq = NULL;
++
+ if (flags & ~__SCX_DSQ_ITER_USER_FLAGS)
+ return -EINVAL;
+
net-tls-fix-kernel-panic-when-alloc_page-failed.patch
tsnep-fix-timestamping-with-a-stacked-dsa-driver.patch
nfsv4-pnfs-reset-the-layout-state-after-a-layoutretu.patch
+dmaengine-revert-dmaengine-dmatest-fix-dmatest-waiting-less-when-interrupted.patch
+sched_ext-bpf_iter_scx_dsq_new-should-always-initialize-iterator.patch
+udf-make-sure-i_lenextents-is-uptodate-on-inode-eviction.patch
+hid-bpf-abort-dispatch-if-device-destroyed.patch
+loongarch-prevent-cond_resched-occurring-within-kernel-fpu.patch
+loongarch-move-__arch_cpu_idle-to-.cpuidle.text-section.patch
+loongarch-save-and-restore-csr.cntc-for-hibernation.patch
+loongarch-fix-max_reg_offset-calculation.patch
+loongarch-uprobes-remove-user_-en-dis-able_single_step.patch
+loongarch-uprobes-remove-redundant-code-about-resume_era.patch
+btrfs-fix-discard-worker-infinite-loop-after-disabling-discard.patch
+btrfs-fix-folio-leak-in-submit_one_async_extent.patch
+btrfs-add-back-warning-for-mount-option-commit-values-exceeding-300.patch
+revert-drm-amd-display-hardware-cursor-changes-color-when-switched-to-software-cursor.patch
+drm-amdgpu-read-back-register-after-written-for-vcn-v4.0.5.patch
+drm-amdgpu-fix-incorrect-mall-size-for-gfx1151.patch
+drm-amdgpu-csa-unmap-use-uninterruptible-lock.patch
+drm-amd-display-correct-the-reply-value-when-aux-write-incomplete.patch
+drm-amd-display-avoid-flooding-unnecessary-info-messages.patch
+maintainers-update-alexey-makhalov-s-email-address.patch
+gpio-pca953x-fix-irq-storm-on-system-wake-up.patch
+acpi-pptt-fix-processor-subtable-walk.patch
--- /dev/null
+From 55dd5b4db3bf04cf077a8d1712f6295d4517c337 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Wed, 7 May 2025 11:49:41 +0200
+Subject: udf: Make sure i_lenExtents is uptodate on inode eviction
+
+From: Jan Kara <jack@suse.cz>
+
+commit 55dd5b4db3bf04cf077a8d1712f6295d4517c337 upstream.
+
+UDF maintains total length of all extents in i_lenExtents. Generally we
+keep extent lengths (and thus i_lenExtents) block aligned because it
+makes the file appending logic simpler. However the standard mandates
+that the inode size must match the length of all extents and thus we
+trim the last extent when closing the file. To catch possible bugs we
+also verify that i_lenExtents matches i_size when evicting inode from
+memory. Commit b405c1e58b73 ("udf: refactor udf_next_aext() to handle
+error") however broke the code updating i_lenExtents and thus
+udf_evict_inode() ended up spewing lots of errors about incorrectly
+sized extents although the extents were actually sized properly. Fix the
+updating of i_lenExtents to silence the errors.
+
+Fixes: b405c1e58b73 ("udf: refactor udf_next_aext() to handle error")
+CC: stable@vger.kernel.org
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/udf/truncate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/udf/truncate.c
++++ b/fs/udf/truncate.c
+@@ -115,7 +115,7 @@ void udf_truncate_tail_extent(struct ino
+ }
+ /* This inode entry is in-memory only and thus we don't have to mark
+ * the inode dirty */
+- if (ret == 0)
++ if (ret >= 0)
+ iinfo->i_lenExtents = inode->i_size;
+ brelse(epos.bh);
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
