--- /dev/null
+From 0c6b3c91a8810b2f279ef7d05566b2852c83eed9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Apr 2025 14:01:41 +0300
+Subject: Bluetooth: btrtl: Prevent potential NULL dereference
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 324dddea321078a6eeb535c2bff5257be74c9799 ]
+
+The btrtl_initialize() function checks that rtl_load_file() either
+had an error or it loaded a zero length file. However, if it loaded
+a zero length file then the error code is not set correctly. It
+results in an error pointer vs NULL bug, followed by a NULL pointer
+dereference. This was detected by Smatch:
+
+drivers/bluetooth/btrtl.c:592 btrtl_initialize() warn: passing zero to 'ERR_PTR'
+
+Fixes: 26503ad25de8 ("Bluetooth: btrtl: split the device initialization into smaller parts")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btrtl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/bluetooth/btrtl.c b/drivers/bluetooth/btrtl.c
+index 5671f0d9ab28c..1c122613e562c 100644
+--- a/drivers/bluetooth/btrtl.c
++++ b/drivers/bluetooth/btrtl.c
+@@ -817,6 +817,8 @@ struct btrtl_device_info *btrtl_initialize(struct hci_dev *hdev,
+ rtl_dev_err(hdev, "mandatory config file %s not found",
+ btrtl_dev->ic_info->cfg_name);
+ ret = btrtl_dev->cfg_len;
++ if (!ret)
++ ret = -EINVAL;
+ goto err_free;
+ }
+ }
+--
+2.39.5
+
--- /dev/null
+From 553eb8ad2378d3a978f19e2796df1cce568072b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Apr 2025 13:02:08 -0400
+Subject: Bluetooth: hci_event: Fix sending MGMT_EV_DEVICE_FOUND for invalid
+ address
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit eb73b5a9157221f405b4fe32751da84ee46b7a25 ]
+
+This fixes sending MGMT_EV_DEVICE_FOUND for invalid address
+(00:00:00:00:00:00) which is a regression introduced by
+a2ec905d1e16 ("Bluetooth: fix kernel oops in store_pending_adv_report")
+since in the attempt to skip storing data for extended advertisement it
+actually made the code to skip the entire if statement supposed to send
+MGMT_EV_DEVICE_FOUND without attempting to use the last_addr_adv which
+is garanteed to be invalid for extended advertisement since we never
+store anything on it.
+
+Link: https://github.com/bluez/bluez/issues/1157
+Link: https://github.com/bluez/bluez/issues/1149#issuecomment-2767215658
+Fixes: a2ec905d1e16 ("Bluetooth: fix kernel oops in store_pending_adv_report")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_event.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index 6cfd61628cd78..8667723d4e969 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -6248,11 +6248,12 @@ static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
+ * event or send an immediate device found event if the data
+ * should not be stored for later.
+ */
+- if (!ext_adv && !has_pending_adv_report(hdev)) {
++ if (!has_pending_adv_report(hdev)) {
+ /* If the report will trigger a SCAN_REQ store it for
+ * later merging.
+ */
+- if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
++ if (!ext_adv && (type == LE_ADV_IND ||
++ type == LE_ADV_SCAN_IND)) {
+ store_pending_adv_report(hdev, bdaddr, bdaddr_type,
+ rssi, flags, data, len);
+ return;
+--
+2.39.5
+
--- /dev/null
+From 3be48b489fcb60095ca0f617fc025a70863c1a88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Apr 2025 10:53:06 +0200
+Subject: Bluetooth: l2cap: Check encryption key size on incoming connection
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Frédéric Danis <frederic.danis@collabora.com>
+
+[ Upstream commit 522e9ed157e3c21b4dd623c79967f72c21e45b78 ]
+
+This is required for passing GAP/SEC/SEM/BI-04-C PTS test case:
+ Security Mode 4 Level 4, Responder - Invalid Encryption Key Size
+ - 128 bit
+
+This tests the security key with size from 1 to 15 bytes while the
+Security Mode 4 Level 4 requests 16 bytes key size.
+
+Currently PTS fails with the following logs:
+- expected:Connection Response:
+ Code: [3 (0x03)] Code
+ Identifier: (lt)WildCard: Exists(gt)
+ Length: [8 (0x0008)]
+ Destination CID: (lt)WildCard: Exists(gt)
+ Source CID: [64 (0x0040)]
+ Result: [3 (0x0003)] Connection refused - Security block
+ Status: (lt)WildCard: Exists(gt),
+but received:Connection Response:
+ Code: [3 (0x03)] Code
+ Identifier: [1 (0x01)]
+ Length: [8 (0x0008)]
+ Destination CID: [64 (0x0040)]
+ Source CID: [64 (0x0040)]
+ Result: [0 (0x0000)] Connection Successful
+ Status: [0 (0x0000)] No further information available
+
+And HCI logs:
+< HCI Command: Read Encrypti.. (0x05|0x0008) plen 2
+ Handle: 14 Address: 00:1B:DC:F2:24:10 (Vencer Co., Ltd.)
+> HCI Event: Command Complete (0x0e) plen 7
+ Read Encryption Key Size (0x05|0x0008) ncmd 1
+ Status: Success (0x00)
+ Handle: 14 Address: 00:1B:DC:F2:24:10 (Vencer Co., Ltd.)
+ Key size: 7
+> ACL Data RX: Handle 14 flags 0x02 dlen 12
+ L2CAP: Connection Request (0x02) ident 1 len 4
+ PSM: 4097 (0x1001)
+ Source CID: 64
+< ACL Data TX: Handle 14 flags 0x00 dlen 16
+ L2CAP: Connection Response (0x03) ident 1 len 8
+ Destination CID: 64
+ Source CID: 64
+ Result: Connection successful (0x0000)
+ Status: No further information available (0x0000)
+
+Fixes: 288c06973daa ("Bluetooth: Enforce key size of 16 bytes on FIPS level")
+Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 21a79ef7092d7..222105e24d2d8 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -4186,7 +4186,8 @@ static struct l2cap_chan *l2cap_connect(struct l2cap_conn *conn,
+
+ /* Check if the ACL is secure enough (if not SDP) */
+ if (psm != cpu_to_le16(L2CAP_PSM_SDP) &&
+- !hci_conn_check_link_mode(conn->hcon)) {
++ (!hci_conn_check_link_mode(conn->hcon) ||
++ !l2cap_check_enc_key_size(conn->hcon))) {
+ conn->disc_reason = HCI_ERROR_AUTH_FAILURE;
+ result = L2CAP_CR_SEC_BLOCK;
+ goto response;
+--
+2.39.5
+
--- /dev/null
+From fda932e07916a05f866ea6efc4028e109b82a0d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Apr 2025 11:58:08 +0200
+Subject: cpufreq/sched: Fix the usage of CPUFREQ_NEED_UPDATE_LIMITS
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit cfde542df7dd51d26cf667f4af497878ddffd85a ]
+
+Commit 8e461a1cb43d ("cpufreq: schedutil: Fix superfluous updates caused
+by need_freq_update") modified sugov_should_update_freq() to set the
+need_freq_update flag only for drivers with CPUFREQ_NEED_UPDATE_LIMITS
+set, but that flag generally needs to be set when the policy limits
+change because the driver callback may need to be invoked for the new
+limits to take effect.
+
+However, if the return value of cpufreq_driver_resolve_freq() after
+applying the new limits is still equal to the previously selected
+frequency, the driver callback needs to be invoked only in the case
+when CPUFREQ_NEED_UPDATE_LIMITS is set (which means that the driver
+specifically wants its callback to be invoked every time the policy
+limits change).
+
+Update the code accordingly to avoid missing policy limits changes for
+drivers without CPUFREQ_NEED_UPDATE_LIMITS.
+
+Fixes: 8e461a1cb43d ("cpufreq: schedutil: Fix superfluous updates caused by need_freq_update")
+Closes: https://lore.kernel.org/lkml/Z_Tlc6Qs-tYpxWYb@linaro.org/
+Reported-by: Stephan Gerhold <stephan.gerhold@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Christian Loehle <christian.loehle@arm.com>
+Link: https://patch.msgid.link/3010358.e9J7NaK4W3@rjwysocki.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/cpufreq_schedutil.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/sched/cpufreq_schedutil.c b/kernel/sched/cpufreq_schedutil.c
+index 542c0e82a9005..4dcb489733181 100644
+--- a/kernel/sched/cpufreq_schedutil.c
++++ b/kernel/sched/cpufreq_schedutil.c
+@@ -84,7 +84,7 @@ static bool sugov_should_update_freq(struct sugov_policy *sg_policy, u64 time)
+
+ if (unlikely(sg_policy->limits_changed)) {
+ sg_policy->limits_changed = false;
+- sg_policy->need_freq_update = cpufreq_driver_test_flags(CPUFREQ_NEED_UPDATE_LIMITS);
++ sg_policy->need_freq_update = true;
+ return true;
+ }
+
+@@ -96,10 +96,22 @@ static bool sugov_should_update_freq(struct sugov_policy *sg_policy, u64 time)
+ static bool sugov_update_next_freq(struct sugov_policy *sg_policy, u64 time,
+ unsigned int next_freq)
+ {
+- if (sg_policy->need_freq_update)
++ if (sg_policy->need_freq_update) {
+ sg_policy->need_freq_update = false;
+- else if (sg_policy->next_freq == next_freq)
++ /*
++ * The policy limits have changed, but if the return value of
++ * cpufreq_driver_resolve_freq() after applying the new limits
++ * is still equal to the previously selected frequency, the
++ * driver callback need not be invoked unless the driver
++ * specifically wants that to happen on every update of the
++ * policy limits.
++ */
++ if (sg_policy->next_freq == next_freq &&
++ !cpufreq_driver_test_flags(CPUFREQ_NEED_UPDATE_LIMITS))
++ return false;
++ } else if (sg_policy->next_freq == next_freq) {
+ return false;
++ }
+
+ sg_policy->next_freq = next_freq;
+ sg_policy->last_freq_update_time = time;
+--
+2.39.5
+
--- /dev/null
+From 01fbcf1934f3dd0599b5a19060d2b04d4c2329d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Apr 2025 22:36:46 +0530
+Subject: cxgb4: fix memory leak in cxgb4_init_ethtool_filters() error path
+
+From: Abdun Nihaal <abdun.nihaal@gmail.com>
+
+[ Upstream commit 00ffb3724ce743578163f5ade2884374554ca021 ]
+
+In the for loop used to allocate the loc_array and bmap for each port, a
+memory leak is possible when the allocation for loc_array succeeds,
+but the allocation for bmap fails. This is because when the control flow
+goes to the label free_eth_finfo, only the allocations starting from
+(i-1)th iteration are freed.
+
+Fix that by freeing the loc_array in the bmap allocation error path.
+
+Fixes: d915c299f1da ("cxgb4: add skeleton for ethtool n-tuple filters")
+Signed-off-by: Abdun Nihaal <abdun.nihaal@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://patch.msgid.link/20250414170649.89156-1-abdun.nihaal@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c
+index 8477a93cee6bd..b77897aa06c4f 100644
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c
+@@ -2273,6 +2273,7 @@ int cxgb4_init_ethtool_filters(struct adapter *adap)
+ eth_filter->port[i].bmap = bitmap_zalloc(nentries, GFP_KERNEL);
+ if (!eth_filter->port[i].bmap) {
+ ret = -ENOMEM;
++ kvfree(eth_filter->port[i].loc_array);
+ goto free_eth_finfo;
+ }
+ }
+--
+2.39.5
+
--- /dev/null
+From d3cb297aeb2d52d6d04e7f9912b46a6ae061c4c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Apr 2025 16:35:33 -0700
+Subject: igc: cleanup PTP module if probe fails
+
+From: Christopher S M Hall <christopher.s.hall@intel.com>
+
+[ Upstream commit 1f025759ba394dd53e434d2668cb0597886d9b69 ]
+
+Make sure that the PTP module is cleaned up if the igc_probe() fails by
+calling igc_ptp_stop() on exit.
+
+Fixes: d89f88419f99 ("igc: Add skeletal frame for Intel(R) 2.5G Ethernet Controller support")
+Signed-off-by: Christopher S M Hall <christopher.s.hall@intel.com>
+Reviewed-by: Corinna Vinschen <vinschen@redhat.com>
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Tested-by: Mor Bar-Gabay <morx.bar.gabay@intel.com>
+Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index 6ae2d0b723c82..082f78beeb4ed 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -6725,6 +6725,7 @@ static int igc_probe(struct pci_dev *pdev,
+
+ err_register:
+ igc_release_hw_control(adapter);
++ igc_ptp_stop(adapter);
+ err_eeprom:
+ if (!igc_check_reset_block(hw))
+ igc_reset_phy(hw);
+--
+2.39.5
+
--- /dev/null
+From 01d3e9097fed7aa543ed5a0fa1005efccb4ea3a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Apr 2025 16:35:29 -0700
+Subject: igc: fix PTM cycle trigger logic
+
+From: Christopher S M Hall <christopher.s.hall@intel.com>
+
+[ Upstream commit 8e404ad95d2c10c261e2ef6992c7c12dde03df0e ]
+
+Writing to clear the PTM status 'valid' bit while the PTM cycle is
+triggered results in unreliable PTM operation. To fix this, clear the
+PTM 'trigger' and status after each PTM transaction.
+
+The issue can be reproduced with the following:
+
+$ sudo phc2sys -R 1000 -O 0 -i tsn0 -m
+
+Note: 1000 Hz (-R 1000) is unrealistically large, but provides a way to
+quickly reproduce the issue.
+
+PHC2SYS exits with:
+
+"ioctl PTP_OFFSET_PRECISE: Connection timed out" when the PTM transaction
+ fails
+
+This patch also fixes a hang in igc_probe() when loading the igc
+driver in the kdump kernel on systems supporting PTM.
+
+The igc driver running in the base kernel enables PTM trigger in
+igc_probe(). Therefore the driver is always in PTM trigger mode,
+except in brief periods when manually triggering a PTM cycle.
+
+When a crash occurs, the NIC is reset while PTM trigger is enabled.
+Due to a hardware problem, the NIC is subsequently in a bad busmaster
+state and doesn't handle register reads/writes. When running
+igc_probe() in the kdump kernel, the first register access to a NIC
+register hangs driver probing and ultimately breaks kdump.
+
+With this patch, igc has PTM trigger disabled most of the time,
+and the trigger is only enabled for very brief (10 - 100 us) periods
+when manually triggering a PTM cycle. Chances that a crash occurs
+during a PTM trigger are not 0, but extremely reduced.
+
+Fixes: a90ec8483732 ("igc: Add support for PTP getcrosststamp()")
+Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+Tested-by: Mor Bar-Gabay <morx.bar.gabay@intel.com>
+Tested-by: Avigail Dahan <avigailx.dahan@intel.com>
+Signed-off-by: Christopher S M Hall <christopher.s.hall@intel.com>
+Reviewed-by: Corinna Vinschen <vinschen@redhat.com>
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Tested-by: Corinna Vinschen <vinschen@redhat.com>
+Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_defines.h | 1 +
+ drivers/net/ethernet/intel/igc/igc_ptp.c | 70 ++++++++++++--------
+ 2 files changed, 42 insertions(+), 29 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_defines.h b/drivers/net/ethernet/intel/igc/igc_defines.h
+index 8187a658dcbd5..17a7e3c875ccb 100644
+--- a/drivers/net/ethernet/intel/igc/igc_defines.h
++++ b/drivers/net/ethernet/intel/igc/igc_defines.h
+@@ -574,6 +574,7 @@
+ #define IGC_PTM_STAT_T4M1_OVFL BIT(3) /* T4 minus T1 overflow */
+ #define IGC_PTM_STAT_ADJUST_1ST BIT(4) /* 1588 timer adjusted during 1st PTM cycle */
+ #define IGC_PTM_STAT_ADJUST_CYC BIT(5) /* 1588 timer adjusted during non-1st PTM cycle */
++#define IGC_PTM_STAT_ALL GENMASK(5, 0) /* Used to clear all status */
+
+ /* PCIe PTM Cycle Control */
+ #define IGC_PTM_CYCLE_CTRL_CYC_TIME(msec) ((msec) & 0x3ff) /* PTM Cycle Time (msec) */
+diff --git a/drivers/net/ethernet/intel/igc/igc_ptp.c b/drivers/net/ethernet/intel/igc/igc_ptp.c
+index 14cd7f995280d..b4720545191ff 100644
+--- a/drivers/net/ethernet/intel/igc/igc_ptp.c
++++ b/drivers/net/ethernet/intel/igc/igc_ptp.c
+@@ -844,13 +844,40 @@ static void igc_ptm_log_error(struct igc_adapter *adapter, u32 ptm_stat)
+ }
+ }
+
++static void igc_ptm_trigger(struct igc_hw *hw)
++{
++ u32 ctrl;
++
++ /* To "manually" start the PTM cycle we need to set the
++ * trigger (TRIG) bit
++ */
++ ctrl = rd32(IGC_PTM_CTRL);
++ ctrl |= IGC_PTM_CTRL_TRIG;
++ wr32(IGC_PTM_CTRL, ctrl);
++ /* Perform flush after write to CTRL register otherwise
++ * transaction may not start
++ */
++ wrfl();
++}
++
++static void igc_ptm_reset(struct igc_hw *hw)
++{
++ u32 ctrl;
++
++ ctrl = rd32(IGC_PTM_CTRL);
++ ctrl &= ~IGC_PTM_CTRL_TRIG;
++ wr32(IGC_PTM_CTRL, ctrl);
++ /* Write to clear all status */
++ wr32(IGC_PTM_STAT, IGC_PTM_STAT_ALL);
++}
++
+ static int igc_phc_get_syncdevicetime(ktime_t *device,
+ struct system_counterval_t *system,
+ void *ctx)
+ {
+- u32 stat, t2_curr_h, t2_curr_l, ctrl;
+ struct igc_adapter *adapter = ctx;
+ struct igc_hw *hw = &adapter->hw;
++ u32 stat, t2_curr_h, t2_curr_l;
+ int err, count = 100;
+ ktime_t t1, t2_curr;
+
+@@ -864,25 +891,13 @@ static int igc_phc_get_syncdevicetime(ktime_t *device,
+ * are transitory. Repeating the process returns valid
+ * data eventually.
+ */
+-
+- /* To "manually" start the PTM cycle we need to clear and
+- * then set again the TRIG bit.
+- */
+- ctrl = rd32(IGC_PTM_CTRL);
+- ctrl &= ~IGC_PTM_CTRL_TRIG;
+- wr32(IGC_PTM_CTRL, ctrl);
+- ctrl |= IGC_PTM_CTRL_TRIG;
+- wr32(IGC_PTM_CTRL, ctrl);
+-
+- /* The cycle only starts "for real" when software notifies
+- * that it has read the registers, this is done by setting
+- * VALID bit.
+- */
+- wr32(IGC_PTM_STAT, IGC_PTM_STAT_VALID);
++ igc_ptm_trigger(hw);
+
+ err = readx_poll_timeout(rd32, IGC_PTM_STAT, stat,
+ stat, IGC_PTM_STAT_SLEEP,
+ IGC_PTM_STAT_TIMEOUT);
++ igc_ptm_reset(hw);
++
+ if (err < 0) {
+ netdev_err(adapter->netdev, "Timeout reading IGC_PTM_STAT register\n");
+ return err;
+@@ -891,15 +906,7 @@ static int igc_phc_get_syncdevicetime(ktime_t *device,
+ if ((stat & IGC_PTM_STAT_VALID) == IGC_PTM_STAT_VALID)
+ break;
+
+- if (stat & ~IGC_PTM_STAT_VALID) {
+- /* An error occurred, log it. */
+- igc_ptm_log_error(adapter, stat);
+- /* The STAT register is write-1-to-clear (W1C),
+- * so write the previous error status to clear it.
+- */
+- wr32(IGC_PTM_STAT, stat);
+- continue;
+- }
++ igc_ptm_log_error(adapter, stat);
+ } while (--count);
+
+ if (!count) {
+@@ -1081,7 +1088,7 @@ void igc_ptp_stop(struct igc_adapter *adapter)
+ void igc_ptp_reset(struct igc_adapter *adapter)
+ {
+ struct igc_hw *hw = &adapter->hw;
+- u32 cycle_ctrl, ctrl;
++ u32 cycle_ctrl, ctrl, stat;
+ unsigned long flags;
+ u32 timadj;
+
+@@ -1116,14 +1123,19 @@ void igc_ptp_reset(struct igc_adapter *adapter)
+ ctrl = IGC_PTM_CTRL_EN |
+ IGC_PTM_CTRL_START_NOW |
+ IGC_PTM_CTRL_SHRT_CYC(IGC_PTM_SHORT_CYC_DEFAULT) |
+- IGC_PTM_CTRL_PTM_TO(IGC_PTM_TIMEOUT_DEFAULT) |
+- IGC_PTM_CTRL_TRIG;
++ IGC_PTM_CTRL_PTM_TO(IGC_PTM_TIMEOUT_DEFAULT);
+
+ wr32(IGC_PTM_CTRL, ctrl);
+
+ /* Force the first cycle to run. */
+- wr32(IGC_PTM_STAT, IGC_PTM_STAT_VALID);
++ igc_ptm_trigger(hw);
++
++ if (readx_poll_timeout_atomic(rd32, IGC_PTM_STAT, stat,
++ stat, IGC_PTM_STAT_SLEEP,
++ IGC_PTM_STAT_TIMEOUT))
++ netdev_err(adapter->netdev, "Timeout reading IGC_PTM_STAT register\n");
+
++ igc_ptm_reset(hw);
+ break;
+ default:
+ /* No work to do. */
+--
+2.39.5
+
--- /dev/null
+From 242f19f2e9a0a1f1d3d55650df1aee2f9f686a83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Apr 2025 16:35:32 -0700
+Subject: igc: handle the IGC_PTP_ENABLED flag correctly
+
+From: Christopher S M Hall <christopher.s.hall@intel.com>
+
+[ Upstream commit 26a3910afd111f7c1a96dace6dc02f3225063896 ]
+
+All functions in igc_ptp.c called from igc_main.c should check the
+IGC_PTP_ENABLED flag. Adding check for this flag to stop and reset
+functions.
+
+Fixes: 5f2958052c58 ("igc: Add basic skeleton for PTP")
+Signed-off-by: Christopher S M Hall <christopher.s.hall@intel.com>
+Reviewed-by: Corinna Vinschen <vinschen@redhat.com>
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Tested-by: Mor Bar-Gabay <morx.bar.gabay@intel.com>
+Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_ptp.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_ptp.c b/drivers/net/ethernet/intel/igc/igc_ptp.c
+index 5616b7f4e504f..8731e8f234946 100644
+--- a/drivers/net/ethernet/intel/igc/igc_ptp.c
++++ b/drivers/net/ethernet/intel/igc/igc_ptp.c
+@@ -1070,8 +1070,12 @@ void igc_ptp_suspend(struct igc_adapter *adapter)
+ **/
+ void igc_ptp_stop(struct igc_adapter *adapter)
+ {
++ if (!(adapter->ptp_flags & IGC_PTP_ENABLED))
++ return;
++
+ igc_ptp_suspend(adapter);
+
++ adapter->ptp_flags &= ~IGC_PTP_ENABLED;
+ if (adapter->ptp_clock) {
+ ptp_clock_unregister(adapter->ptp_clock);
+ netdev_info(adapter->netdev, "PHC removed\n");
+@@ -1092,6 +1096,9 @@ void igc_ptp_reset(struct igc_adapter *adapter)
+ unsigned long flags;
+ u32 timadj;
+
++ if (!(adapter->ptp_flags & IGC_PTP_ENABLED))
++ return;
++
+ /* reset the tstamp_config */
+ igc_ptp_set_timestamp_mode(adapter, &adapter->tstamp_config);
+
+--
+2.39.5
+
--- /dev/null
+From 2a035b8e55ed8be6b30f66cdb2c9f8af6a2fc99c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Apr 2025 16:35:31 -0700
+Subject: igc: move ktime snapshot into PTM retry loop
+
+From: Christopher S M Hall <christopher.s.hall@intel.com>
+
+[ Upstream commit cd7f7328d691937102732f39f97ead35b15bf803 ]
+
+Move ktime_get_snapshot() into the loop. If a retry does occur, a more
+recent snapshot will result in a more accurate cross-timestamp.
+
+Fixes: a90ec8483732 ("igc: Add support for PTP getcrosststamp()")
+Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+Tested-by: Mor Bar-Gabay <morx.bar.gabay@intel.com>
+Tested-by: Avigail Dahan <avigailx.dahan@intel.com>
+Signed-off-by: Christopher S M Hall <christopher.s.hall@intel.com>
+Reviewed-by: Corinna Vinschen <vinschen@redhat.com>
+Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
+Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_ptp.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_ptp.c b/drivers/net/ethernet/intel/igc/igc_ptp.c
+index b4720545191ff..5616b7f4e504f 100644
+--- a/drivers/net/ethernet/intel/igc/igc_ptp.c
++++ b/drivers/net/ethernet/intel/igc/igc_ptp.c
+@@ -881,16 +881,16 @@ static int igc_phc_get_syncdevicetime(ktime_t *device,
+ int err, count = 100;
+ ktime_t t1, t2_curr;
+
+- /* Get a snapshot of system clocks to use as historic value. */
+- ktime_get_snapshot(&adapter->snapshot);
+-
++ /* Doing this in a loop because in the event of a
++ * badly timed (ha!) system clock adjustment, we may
++ * get PTM errors from the PCI root, but these errors
++ * are transitory. Repeating the process returns valid
++ * data eventually.
++ */
+ do {
+- /* Doing this in a loop because in the event of a
+- * badly timed (ha!) system clock adjustment, we may
+- * get PTM errors from the PCI root, but these errors
+- * are transitory. Repeating the process returns valid
+- * data eventually.
+- */
++ /* Get a snapshot of system clocks to use as historic value. */
++ ktime_get_snapshot(&adapter->snapshot);
++
+ igc_ptm_trigger(hw);
+
+ err = readx_poll_timeout(rd32, IGC_PTM_STAT, stat,
+--
+2.39.5
+
--- /dev/null
+From 4fa154bcffc727f04e951f6112c01e74c6e19290 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Sep 2023 14:12:40 +0800
+Subject: md: factor out a helper from mddev_put()
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 3d8d32873c7b6d9cec5b40c2ddb8c7c55961694f ]
+
+There are no functional changes, prepare to simplify md_seq_ops in next
+patch.
+
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Signed-off-by: Song Liu <song@kernel.org>
+Link: https://lore.kernel.org/r/20230927061241.1552837-2-yukuai1@huaweicloud.com
+Stable-dep-of: 6ec1f0239485 ("md/md-bitmap: fix stats collection for external bitmaps")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md.c | 29 +++++++++++++++++------------
+ 1 file changed, 17 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index 0e101e74f0ba8..fda4bf9568572 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -667,23 +667,28 @@ static inline struct mddev *mddev_get(struct mddev *mddev)
+
+ static void mddev_delayed_delete(struct work_struct *ws);
+
++static void __mddev_put(struct mddev *mddev)
++{
++ if (mddev->raid_disks || !list_empty(&mddev->disks) ||
++ mddev->ctime || mddev->hold_active)
++ return;
++
++ /* Array is not configured at all, and not held active, so destroy it */
++ set_bit(MD_DELETED, &mddev->flags);
++
++ /*
++ * Call queue_work inside the spinlock so that flush_workqueue() after
++ * mddev_find will succeed in waiting for the work to be done.
++ */
++ queue_work(md_misc_wq, &mddev->del_work);
++}
++
+ void mddev_put(struct mddev *mddev)
+ {
+ if (!atomic_dec_and_lock(&mddev->active, &all_mddevs_lock))
+ return;
+- if (!mddev->raid_disks && list_empty(&mddev->disks) &&
+- mddev->ctime == 0 && !mddev->hold_active) {
+- /* Array is not configured at all, and not held active,
+- * so destroy it */
+- set_bit(MD_DELETED, &mddev->flags);
+
+- /*
+- * Call queue_work inside the spinlock so that
+- * flush_workqueue() after mddev_find will succeed in waiting
+- * for the work to be done.
+- */
+- queue_work(md_misc_wq, &mddev->del_work);
+- }
++ __mddev_put(mddev);
+ spin_unlock(&all_mddevs_lock);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From f54cf552535ed5e0160042bbbddb16e6ab559aab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Apr 2025 09:53:22 +0800
+Subject: md/md-bitmap: fix stats collection for external bitmaps
+
+From: Zheng Qixing <zhengqixing@huawei.com>
+
+[ Upstream commit 6ec1f0239485028445d213d91cfee5242f3211ba ]
+
+The bitmap_get_stats() function incorrectly returns -ENOENT for external
+bitmaps.
+
+Remove the external bitmap check as the statistics should be available
+regardless of bitmap storage location.
+
+Return -EINVAL only for invalid bitmap with no storage (neither in
+superblock nor in external file).
+
+Note: "bitmap_info.external" here refers to a bitmap stored in a separate
+file (bitmap_file), not to external metadata.
+
+Fixes: 8d28d0ddb986 ("md/md-bitmap: Synchronize bitmap_get_stats() with bitmap lifetime")
+Signed-off-by: Zheng Qixing <zhengqixing@huawei.com>
+Link: https://lore.kernel.org/linux-raid/20250403015322.2873369-1-zhengqixing@huaweicloud.com
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md-bitmap.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c
+index e18e21b24210d..02629516748e4 100644
+--- a/drivers/md/md-bitmap.c
++++ b/drivers/md/md-bitmap.c
+@@ -2029,9 +2029,8 @@ int md_bitmap_get_stats(struct bitmap *bitmap, struct md_bitmap_stats *stats)
+
+ if (!bitmap)
+ return -ENOENT;
+- if (bitmap->mddev->bitmap_info.external)
+- return -ENOENT;
+- if (!bitmap->storage.sb_page) /* no superblock */
++ if (!bitmap->mddev->bitmap_info.external &&
++ !bitmap->storage.sb_page)
+ return -EINVAL;
+ sb = kmap_local_page(bitmap->storage.sb_page);
+ stats->sync_size = le64_to_cpu(sb->sync_size);
+--
+2.39.5
+
--- /dev/null
+From 27bd70bf6fd9efe393e118f4abfe3cbd44b64e52 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Mar 2025 09:57:46 +0800
+Subject: md/raid10: fix missing discard IO accounting
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit d05af90d6218e9c8f1c2026990c3f53c1b41bfb0 ]
+
+md_account_bio() is not called from raid10_handle_discard(), now that we
+handle bitmap inside md_account_bio(), also fix missing
+bitmap_startwrite for discard.
+
+Test whole disk discard for 20G raid10:
+
+Before:
+Device d/s dMB/s drqm/s %drqm d_await dareq-sz
+md0 48.00 16.00 0.00 0.00 5.42 341.33
+
+After:
+Device d/s dMB/s drqm/s %drqm d_await dareq-sz
+md0 68.00 20462.00 0.00 0.00 2.65 308133.65
+
+Link: https://lore.kernel.org/linux-raid/20250325015746.3195035-1-yukuai1@huaweicloud.com
+Fixes: 528bc2cf2fcc ("md/raid10: enable io accounting")
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Acked-by: Coly Li <colyli@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/raid10.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
+index f608f30c7d6a6..24427eddf61bc 100644
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -1772,6 +1772,7 @@ static int raid10_handle_discard(struct mddev *mddev, struct bio *bio)
+ * The discard bio returns only first r10bio finishes
+ */
+ if (first_copy) {
++ md_account_bio(mddev, &bio);
+ r10_bio->master_bio = bio;
+ set_bit(R10BIO_Discard, &r10_bio->state);
+ first_copy = false;
+--
+2.39.5
+
--- /dev/null
+From 2bf8b80f534f60cdc014da6571a193747823236a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Aug 2023 11:16:16 +0800
+Subject: md: use separate work_struct for md_start_sync()
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit ac619781967bd5663c29606246b50dbebd8b3473 ]
+
+It's a little weird to borrow 'del_work' for md_start_sync(), declare
+a new work_struct 'sync_work' for md_start_sync().
+
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Reviewed-by: Xiao Ni <xni@redhat.com>
+Signed-off-by: Song Liu <song@kernel.org>
+Link: https://lore.kernel.org/r/20230825031622.1530464-2-yukuai1@huaweicloud.com
+Stable-dep-of: 6ec1f0239485 ("md/md-bitmap: fix stats collection for external bitmaps")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md.c | 10 ++++++----
+ drivers/md/md.h | 5 ++++-
+ 2 files changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index 5e2751d42f645..0e101e74f0ba8 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -682,13 +682,13 @@ void mddev_put(struct mddev *mddev)
+ * flush_workqueue() after mddev_find will succeed in waiting
+ * for the work to be done.
+ */
+- INIT_WORK(&mddev->del_work, mddev_delayed_delete);
+ queue_work(md_misc_wq, &mddev->del_work);
+ }
+ spin_unlock(&all_mddevs_lock);
+ }
+
+ static void md_safemode_timeout(struct timer_list *t);
++static void md_start_sync(struct work_struct *ws);
+
+ void mddev_init(struct mddev *mddev)
+ {
+@@ -710,6 +710,9 @@ void mddev_init(struct mddev *mddev)
+ mddev->resync_min = 0;
+ mddev->resync_max = MaxSector;
+ mddev->level = LEVEL_NONE;
++
++ INIT_WORK(&mddev->sync_work, md_start_sync);
++ INIT_WORK(&mddev->del_work, mddev_delayed_delete);
+ }
+ EXPORT_SYMBOL_GPL(mddev_init);
+
+@@ -9339,7 +9342,7 @@ static int remove_and_add_spares(struct mddev *mddev,
+
+ static void md_start_sync(struct work_struct *ws)
+ {
+- struct mddev *mddev = container_of(ws, struct mddev, del_work);
++ struct mddev *mddev = container_of(ws, struct mddev, sync_work);
+
+ mddev->sync_thread = md_register_thread(md_do_sync,
+ mddev,
+@@ -9547,8 +9550,7 @@ void md_check_recovery(struct mddev *mddev)
+ */
+ md_bitmap_write_all(mddev->bitmap);
+ }
+- INIT_WORK(&mddev->del_work, md_start_sync);
+- queue_work(md_misc_wq, &mddev->del_work);
++ queue_work(md_misc_wq, &mddev->sync_work);
+ goto unlock;
+ }
+ not_running:
+diff --git a/drivers/md/md.h b/drivers/md/md.h
+index 4f0b480974552..c1258c94216ac 100644
+--- a/drivers/md/md.h
++++ b/drivers/md/md.h
+@@ -452,7 +452,10 @@ struct mddev {
+ struct kernfs_node *sysfs_degraded; /*handle for 'degraded' */
+ struct kernfs_node *sysfs_level; /*handle for 'level' */
+
+- struct work_struct del_work; /* used for delayed sysfs removal */
++ /* used for delayed sysfs removal */
++ struct work_struct del_work;
++ /* used for register new sync thread */
++ struct work_struct sync_work;
+
+ /* "lock" protects:
+ * flush_bio transition from NULL to !NULL
+--
+2.39.5
+
--- /dev/null
+From 2162c1bcb7a40abfbbb9eb8157ca9c3081950b8b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Apr 2025 22:04:34 +0200
+Subject: net: b53: enable BPDU reception for management port
+
+From: Jonas Gorski <jonas.gorski@gmail.com>
+
+[ Upstream commit 36355ddfe8955f226a88a543ed354b9f6b84cd70 ]
+
+For STP to work, receiving BPDUs is essential, but the appropriate bit
+was never set. Without GC_RX_BPDU_EN, the switch chip will filter all
+BPDUs, even if an appropriate PVID VLAN was setup.
+
+Fixes: ff39c2d68679 ("net: dsa: b53: Add bridge support")
+Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
+Link: https://patch.msgid.link/20250414200434.194422-1-jonas.gorski@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/b53/b53_common.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
+index 463c6d84ae1b0..ea7d2c01e6726 100644
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -724,6 +724,15 @@ static void b53_enable_mib(struct b53_device *dev)
+ b53_write8(dev, B53_MGMT_PAGE, B53_GLOBAL_CONFIG, gc);
+ }
+
++static void b53_enable_stp(struct b53_device *dev)
++{
++ u8 gc;
++
++ b53_read8(dev, B53_MGMT_PAGE, B53_GLOBAL_CONFIG, &gc);
++ gc |= GC_RX_BPDU_EN;
++ b53_write8(dev, B53_MGMT_PAGE, B53_GLOBAL_CONFIG, gc);
++}
++
+ static u16 b53_default_pvid(struct b53_device *dev)
+ {
+ if (is5325(dev) || is5365(dev))
+@@ -863,6 +872,7 @@ static int b53_switch_reset(struct b53_device *dev)
+ }
+
+ b53_enable_mib(dev);
++ b53_enable_stp(dev);
+
+ return b53_flush_arl(dev, FAST_AGE_STATIC);
+ }
+--
+2.39.5
+
--- /dev/null
+From f3f7529256393aeb42e3fb43f32330d6453b5467 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Apr 2025 22:00:20 +0200
+Subject: net: bridge: switchdev: do not notify new brentries as changed
+
+From: Jonas Gorski <jonas.gorski@gmail.com>
+
+[ Upstream commit eb25de13bd9cf025413a04f25e715d0e99847e30 ]
+
+When adding a bridge vlan that is pvid or untagged after the vlan has
+already been added to any other switchdev backed port, the vlan change
+will be propagated as changed, since the flags change.
+
+This causes the vlan to not be added to the hardware for DSA switches,
+since the DSA handler ignores any vlans for the CPU or DSA ports that
+are changed.
+
+E.g. the following order of operations would work:
+
+$ ip link add swbridge type bridge vlan_filtering 1 vlan_default_pvid 0
+$ ip link set lan1 master swbridge
+$ bridge vlan add dev swbridge vid 1 pvid untagged self
+$ bridge vlan add dev lan1 vid 1 pvid untagged
+
+but this order would break:
+
+$ ip link add swbridge type bridge vlan_filtering 1 vlan_default_pvid 0
+$ ip link set lan1 master swbridge
+$ bridge vlan add dev lan1 vid 1 pvid untagged
+$ bridge vlan add dev swbridge vid 1 pvid untagged self
+
+Additionally, the vlan on the bridge itself would become undeletable:
+
+$ bridge vlan
+port vlan-id
+lan1 1 PVID Egress Untagged
+swbridge 1 PVID Egress Untagged
+$ bridge vlan del dev swbridge vid 1 self
+$ bridge vlan
+port vlan-id
+lan1 1 PVID Egress Untagged
+swbridge 1 Egress Untagged
+
+since the vlan was never added to DSA's vlan list, so deleting it will
+cause an error, causing the bridge code to not remove it.
+
+Fix this by checking if flags changed only for vlans that are already
+brentry and pass changed as false for those that become brentries, as
+these are a new vlan (member) from the switchdev point of view.
+
+Since *changed is set to true for becomes_brentry = true regardless of
+would_change's value, this will not change any rtnetlink notification
+delivery, just the value passed on to switchdev in vlan->changed.
+
+Fixes: 8d23a54f5bee ("net: bridge: switchdev: differentiate new VLANs from changed ones")
+Reviewed-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Link: https://patch.msgid.link/20250414200020.192715-1-jonas.gorski@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_vlan.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c
+index 9ffd40b8270c1..23a82567fe624 100644
+--- a/net/bridge/br_vlan.c
++++ b/net/bridge/br_vlan.c
+@@ -715,8 +715,8 @@ static int br_vlan_add_existing(struct net_bridge *br,
+ u16 flags, bool *changed,
+ struct netlink_ext_ack *extack)
+ {
+- bool would_change = __vlan_flags_would_change(vlan, flags);
+ bool becomes_brentry = false;
++ bool would_change = false;
+ int err;
+
+ if (!br_vlan_is_brentry(vlan)) {
+@@ -725,6 +725,8 @@ static int br_vlan_add_existing(struct net_bridge *br,
+ return -EINVAL;
+
+ becomes_brentry = true;
++ } else {
++ would_change = __vlan_flags_would_change(vlan, flags);
+ }
+
+ /* Master VLANs that aren't brentries weren't notified before,
+--
+2.39.5
+
--- /dev/null
+From c6d8eef9c6edb05d90a5ea8a2f5811637b943e95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Apr 2025 00:30:20 +0300
+Subject: net: dsa: avoid refcount warnings when ds->ops->tag_8021q_vlan_del()
+ fails
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 514eff7b0aa1c5eb645ddbb8676ef3e2d88a8b99 ]
+
+This is very similar to the problem and solution from commit
+232deb3f9567 ("net: dsa: avoid refcount warnings when
+->port_{fdb,mdb}_del returns error"), except for the
+dsa_port_do_tag_8021q_vlan_del() operation.
+
+Fixes: c64b9c05045a ("net: dsa: tag_8021q: add proper cross-chip notifier support")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Link: https://patch.msgid.link/20250414213020.2959021-1-vladimir.oltean@nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/dsa/tag_8021q.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/dsa/tag_8021q.c b/net/dsa/tag_8021q.c
+index 89371b16416e2..6a33f35a0f748 100644
+--- a/net/dsa/tag_8021q.c
++++ b/net/dsa/tag_8021q.c
+@@ -180,7 +180,7 @@ static int dsa_port_do_tag_8021q_vlan_del(struct dsa_port *dp, u16 vid)
+
+ err = ds->ops->tag_8021q_vlan_del(ds, port, vid);
+ if (err) {
+- refcount_inc(&v->refcount);
++ refcount_set(&v->refcount, 1);
+ return err;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 1c0f1e7e6065f47e4cba9769cd65d29e4b003e18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Apr 2025 00:28:50 +0300
+Subject: net: dsa: mv88e6xxx: avoid unregistering devlink regions which were
+ never registered
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit c84f6ce918a9e6f4996597cbc62536bbf2247c96 ]
+
+Russell King reports that a system with mv88e6xxx dereferences a NULL
+pointer when unbinding this driver:
+https://lore.kernel.org/netdev/Z_lRkMlTJ1KQ0kVX@shell.armlinux.org.uk/
+
+The crash seems to be in devlink_region_destroy(), which is not NULL
+tolerant but is given a NULL devlink global region pointer.
+
+At least on some chips, some devlink regions are conditionally registered
+since the blamed commit, see mv88e6xxx_setup_devlink_regions_global():
+
+ if (cond && !cond(chip))
+ continue;
+
+These are MV88E6XXX_REGION_STU and MV88E6XXX_REGION_PVT. If the chip
+does not have an STU or PVT, it should crash like this.
+
+To fix the issue, avoid unregistering those regions which are NULL, i.e.
+were skipped at mv88e6xxx_setup_devlink_regions_global() time.
+
+Fixes: 836021a2d0e0 ("net: dsa: mv88e6xxx: Export cross-chip PVT as devlink region")
+Tested-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Link: https://patch.msgid.link/20250414212850.2953957-1-vladimir.oltean@nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mv88e6xxx/devlink.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/dsa/mv88e6xxx/devlink.c b/drivers/net/dsa/mv88e6xxx/devlink.c
+index 1266eabee0863..2ab2eb2cb47be 100644
+--- a/drivers/net/dsa/mv88e6xxx/devlink.c
++++ b/drivers/net/dsa/mv88e6xxx/devlink.c
+@@ -743,7 +743,8 @@ void mv88e6xxx_teardown_devlink_regions_global(struct dsa_switch *ds)
+ int i;
+
+ for (i = 0; i < ARRAY_SIZE(mv88e6xxx_regions); i++)
+- dsa_devlink_region_destroy(chip->regions[i]);
++ if (chip->regions[i])
++ dsa_devlink_region_destroy(chip->regions[i]);
+ }
+
+ void mv88e6xxx_teardown_devlink_regions_port(struct dsa_switch *ds, int port)
+--
+2.39.5
+
--- /dev/null
+From fa01d376c4cdb54a46547c8699ae933baf660c6e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Apr 2025 00:29:13 +0300
+Subject: net: dsa: mv88e6xxx: fix -ENOENT when deleting VLANs and MST is
+ unsupported
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit ea08dfc35f83cfc73493c52f63ae4f2e29edfe8d ]
+
+Russell King reports that on the ZII dev rev B, deleting a bridge VLAN
+from a user port fails with -ENOENT:
+https://lore.kernel.org/netdev/Z_lQXNP0s5-IiJzd@shell.armlinux.org.uk/
+
+This comes from mv88e6xxx_port_vlan_leave() -> mv88e6xxx_mst_put(),
+which tries to find an MST entry in &chip->msts associated with the SID,
+but fails and returns -ENOENT as such.
+
+But we know that this chip does not support MST at all, so that is not
+surprising. The question is why does the guard in mv88e6xxx_mst_put()
+not exit early:
+
+ if (!sid)
+ return 0;
+
+And the answer seems to be simple: the sid comes from vlan.sid which
+supposedly was previously populated by mv88e6xxx_vtu_get().
+But some chip->info->ops->vtu_getnext() implementations do not populate
+vlan.sid, for example see mv88e6185_g1_vtu_getnext(). In that case,
+later in mv88e6xxx_port_vlan_leave() we are using a garbage sid which is
+just residual stack memory.
+
+Testing for sid == 0 covers all cases of a non-bridge VLAN or a bridge
+VLAN mapped to the default MSTI. For some chips, SID 0 is valid and
+installed by mv88e6xxx_stu_setup(). A chip which does not support the
+STU would implicitly only support mapping all VLANs to the default MSTI,
+so although SID 0 is not valid, it would be sufficient, if we were to
+zero-initialize the vlan structure, to fix the bug, due to the
+coincidence that a test for vlan.sid == 0 already exists and leads to
+the same (correct) behavior.
+
+Another option which would be sufficient would be to add a test for
+mv88e6xxx_has_stu() inside mv88e6xxx_mst_put(), symmetric to the one
+which already exists in mv88e6xxx_mst_get(). But that placement means
+the caller will have to dereference vlan.sid, which means it will access
+uninitialized memory, which is not nice even if it ignores it later.
+
+So we end up making both modifications, in order to not rely just on the
+sid == 0 coincidence, but also to avoid having uninitialized structure
+fields which might get temporarily accessed.
+
+Fixes: acaf4d2e36b3 ("net: dsa: mv88e6xxx: MST Offloading")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Link: https://patch.msgid.link/20250414212913.2955253-1-vladimir.oltean@nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mv88e6xxx/chip.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c
+index d348078ec033c..4c60f79ce2697 100644
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -1724,6 +1724,8 @@ static int mv88e6xxx_vtu_get(struct mv88e6xxx_chip *chip, u16 vid,
+ if (!chip->info->ops->vtu_getnext)
+ return -EOPNOTSUPP;
+
++ memset(entry, 0, sizeof(*entry));
++
+ entry->vid = vid ? vid - 1 : mv88e6xxx_max_vid(chip);
+ entry->valid = false;
+
+@@ -1859,7 +1861,16 @@ static int mv88e6xxx_mst_put(struct mv88e6xxx_chip *chip, u8 sid)
+ struct mv88e6xxx_mst *mst, *tmp;
+ int err;
+
+- if (!sid)
++ /* If the SID is zero, it is for a VLAN mapped to the default MSTI,
++ * and mv88e6xxx_stu_setup() made sure it is always present, and thus,
++ * should not be removed here.
++ *
++ * If the chip lacks STU support, numerically the "sid" variable will
++ * happen to also be zero, but we don't want to rely on that fact, so
++ * we explicitly test that first. In that case, there is also nothing
++ * to do here.
++ */
++ if (!mv88e6xxx_has_stu(chip) || !sid)
+ return 0;
+
+ list_for_each_entry_safe(mst, tmp, &chip->msts, node) {
+--
+2.39.5
+
--- /dev/null
+From a9a33c68ce4ff5cd8801abd17ba7591cd2a0c8ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Apr 2025 11:53:19 +0800
+Subject: net: mctp: Set SOCK_RCU_FREE
+
+From: Matt Johnston <matt@codeconstruct.com.au>
+
+[ Upstream commit 52024cd6ec71a6ca934d0cc12452bd8d49850679 ]
+
+Bind lookup runs under RCU, so ensure that a socket doesn't go away in
+the middle of a lookup.
+
+Fixes: 833ef3b91de6 ("mctp: Populate socket implementation")
+Signed-off-by: Matt Johnston <matt@codeconstruct.com.au>
+Link: https://patch.msgid.link/20250410-mctp-rcu-sock-v1-1-872de9fdc877@codeconstruct.com.au
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mctp/af_mctp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/mctp/af_mctp.c b/net/mctp/af_mctp.c
+index 2316e7772b785..6a963eac1cc2f 100644
+--- a/net/mctp/af_mctp.c
++++ b/net/mctp/af_mctp.c
+@@ -551,6 +551,9 @@ static int mctp_sk_hash(struct sock *sk)
+ {
+ struct net *net = sock_net(sk);
+
++ /* Bind lookup runs under RCU, remain live during that. */
++ sock_set_flag(sk, SOCK_RCU_FREE);
++
+ mutex_lock(&net->mctp.bind_lock);
+ sk_add_node_rcu(sk, &net->mctp.binds);
+ mutex_unlock(&net->mctp.bind_lock);
+--
+2.39.5
+
--- /dev/null
+From 86805e14a4cad689ef67c4ab9a88b1cb31d6a06c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Apr 2025 12:40:18 +0200
+Subject: net: openvswitch: fix nested key length validation in the set()
+ action
+
+From: Ilya Maximets <i.maximets@ovn.org>
+
+[ Upstream commit 65d91192aa66f05710cfddf6a14b5a25ee554dba ]
+
+It's not safe to access nla_len(ovs_key) if the data is smaller than
+the netlink header. Check that the attribute is OK first.
+
+Fixes: ccb1352e76cf ("net: Add Open vSwitch kernel components.")
+Reported-by: syzbot+b07a9da40df1576b8048@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=b07a9da40df1576b8048
+Tested-by: syzbot+b07a9da40df1576b8048@syzkaller.appspotmail.com
+Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
+Reviewed-by: Eelco Chaudron <echaudro@redhat.com>
+Acked-by: Aaron Conole <aconole@redhat.com>
+Link: https://patch.msgid.link/20250412104052.2073688-1-i.maximets@ovn.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/openvswitch/flow_netlink.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
+index 5ebbec656895e..0ed3953dbe529 100644
+--- a/net/openvswitch/flow_netlink.c
++++ b/net/openvswitch/flow_netlink.c
+@@ -2860,7 +2860,8 @@ static int validate_set(const struct nlattr *a,
+ size_t key_len;
+
+ /* There can be only one key in a action */
+- if (nla_total_size(nla_len(ovs_key)) != nla_len(a))
++ if (!nla_ok(ovs_key, nla_len(a)) ||
++ nla_total_size(nla_len(ovs_key)) != nla_len(a))
+ return -EINVAL;
+
+ key_len = nla_len(ovs_key);
+--
+2.39.5
+
--- /dev/null
+From f3ea0386b21ae970302c4f5e37e346aab8192a01 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Apr 2025 08:31:31 +0300
+Subject: ptp: ocp: fix start time alignment in ptp_ocp_signal_set
+
+From: Sagi Maimon <maimon.sagi@gmail.com>
+
+[ Upstream commit 2a5970d5aaff8f3e33ce3bfaa403ae88c40de40d ]
+
+In ptp_ocp_signal_set, the start time for periodic signals is not
+aligned to the next period boundary. The current code rounds up the
+start time and divides by the period but fails to multiply back by
+the period, causing misaligned signal starts. Fix this by multiplying
+the rounded-up value by the period to ensure the start time is the
+closest next period.
+
+Fixes: 4bd46bb037f8e ("ptp: ocp: Use DIV64_U64_ROUND_UP for rounding.")
+Signed-off-by: Sagi Maimon <maimon.sagi@gmail.com>
+Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
+Link: https://patch.msgid.link/20250415053131.129413-1-maimon.sagi@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ptp/ptp_ocp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/ptp/ptp_ocp.c b/drivers/ptp/ptp_ocp.c
+index 87b960e941bae..b6f66a9886ce2 100644
+--- a/drivers/ptp/ptp_ocp.c
++++ b/drivers/ptp/ptp_ocp.c
+@@ -1654,6 +1654,7 @@ ptp_ocp_signal_set(struct ptp_ocp *bp, int gen, struct ptp_ocp_signal *s)
+ if (!s->start) {
+ /* roundup() does not work on 32-bit systems */
+ s->start = DIV64_U64_ROUND_UP(start_ns, s->period);
++ s->start *= s->period;
+ s->start = ktime_add(s->start, s->phase);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 29e0b1703f97c014dc1139ed60209db719f427ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Mar 2025 14:42:21 +0200
+Subject: RDMA/core: Silence oversized kvmalloc() warning
+
+From: Shay Drory <shayd@nvidia.com>
+
+[ Upstream commit 9a0e6f15029e1a8a21e40f06fd05aa52b7f063de ]
+
+syzkaller triggered an oversized kvmalloc() warning.
+Silence it by adding __GFP_NOWARN.
+
+syzkaller log:
+ WARNING: CPU: 7 PID: 518 at mm/util.c:665 __kvmalloc_node_noprof+0x175/0x180
+ CPU: 7 UID: 0 PID: 518 Comm: c_repro Not tainted 6.11.0-rc6+ #6
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
+ RIP: 0010:__kvmalloc_node_noprof+0x175/0x180
+ RSP: 0018:ffffc90001e67c10 EFLAGS: 00010246
+ RAX: 0000000000000100 RBX: 0000000000000400 RCX: ffffffff8149d46b
+ RDX: 0000000000000000 RSI: ffff8881030fae80 RDI: 0000000000000002
+ RBP: 000000712c800000 R08: 0000000000000100 R09: 0000000000000000
+ R10: ffffc90001e67c10 R11: 0030ae0601000000 R12: 0000000000000000
+ R13: 0000000000000000 R14: 00000000ffffffff R15: 0000000000000000
+ FS: 00007fde79159740(0000) GS:ffff88813bdc0000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000020000180 CR3: 0000000105eb4005 CR4: 00000000003706b0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ Call Trace:
+ <TASK>
+ ib_umem_odp_get+0x1f6/0x390
+ mlx5_ib_reg_user_mr+0x1e8/0x450
+ ib_uverbs_reg_mr+0x28b/0x440
+ ib_uverbs_write+0x7d3/0xa30
+ vfs_write+0x1ac/0x6c0
+ ksys_write+0x134/0x170
+ ? __sanitizer_cov_trace_pc+0x1c/0x50
+ do_syscall_64+0x50/0x110
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+Fixes: 37824952dc8f ("RDMA/odp: Use kvcalloc for the dma_list and page_list")
+Signed-off-by: Shay Drory <shayd@nvidia.com>
+Link: https://patch.msgid.link/c6cb92379de668be94894f49c2cfa40e73f94d56.1742388096.git.leonro@nvidia.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/umem_odp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/core/umem_odp.c b/drivers/infiniband/core/umem_odp.c
+index e9fa22d31c233..c48ef60830205 100644
+--- a/drivers/infiniband/core/umem_odp.c
++++ b/drivers/infiniband/core/umem_odp.c
+@@ -76,12 +76,14 @@ static inline int ib_init_umem_odp(struct ib_umem_odp *umem_odp,
+
+ npfns = (end - start) >> PAGE_SHIFT;
+ umem_odp->pfn_list = kvcalloc(
+- npfns, sizeof(*umem_odp->pfn_list), GFP_KERNEL);
++ npfns, sizeof(*umem_odp->pfn_list),
++ GFP_KERNEL | __GFP_NOWARN);
+ if (!umem_odp->pfn_list)
+ return -ENOMEM;
+
+ umem_odp->dma_list = kvcalloc(
+- ndmas, sizeof(*umem_odp->dma_list), GFP_KERNEL);
++ ndmas, sizeof(*umem_odp->dma_list),
++ GFP_KERNEL | __GFP_NOWARN);
+ if (!umem_odp->dma_list) {
+ ret = -ENOMEM;
+ goto out_pfn_list;
+--
+2.39.5
+
--- /dev/null
+From ea07c28921bbf6a379d3d4d6e186e285ecba243a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Mar 2025 19:47:24 +0800
+Subject: RDMA/hns: Fix wrong maximum DMA segment size
+
+From: Chengchang Tang <tangchengchang@huawei.com>
+
+[ Upstream commit 9beb2c91fb86e0be70a5833c6730441fa3c9efa8 ]
+
+Set maximum DMA segment size to 2G instead of UINT_MAX due to HW limit.
+
+Fixes: e0477b34d9d1 ("RDMA: Explicitly pass in the dma_device to ib_register_device")
+Link: https://patch.msgid.link/r/20250327114724.3454268-3-huangjunxian6@hisilicon.com
+Signed-off-by: Chengchang Tang <tangchengchang@huawei.com>
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_main.c b/drivers/infiniband/hw/hns/hns_roce_main.c
+index 5106b3ce89f08..eae22ac42e05d 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_main.c
++++ b/drivers/infiniband/hw/hns/hns_roce_main.c
+@@ -642,7 +642,7 @@ static int hns_roce_register_device(struct hns_roce_dev *hr_dev)
+ if (ret)
+ return ret;
+ }
+- dma_set_max_seg_size(dev, UINT_MAX);
++ dma_set_max_seg_size(dev, SZ_2G);
+ ret = ib_register_device(ib_dev, "hns_%d", dev);
+ if (ret) {
+ dev_err(dev, "ib_register_device failed!\n");
+--
+2.39.5
+
--- /dev/null
+From 11379ac0a08bcb469bf7c42c8bcb3361641384ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Mar 2025 20:31:32 +0800
+Subject: RDMA/usnic: Fix passing zero to PTR_ERR in usnic_ib_pci_probe()
+
+From: Yue Haibing <yuehaibing@huawei.com>
+
+[ Upstream commit 95ba3850fed03e01b422ab5d7943aeba130c9723 ]
+
+drivers/infiniband/hw/usnic/usnic_ib_main.c:590
+ usnic_ib_pci_probe() warn: passing zero to 'PTR_ERR'
+
+Make usnic_ib_device_add() return NULL on fail path, also remove
+useless NULL check for usnic_ib_discover_pf()
+
+Fixes: e3cf00d0a87f ("IB/usnic: Add Cisco VIC low-level hardware driver")
+Link: https://patch.msgid.link/r/20250324123132.2392077-1-yuehaibing@huawei.com
+Signed-off-by: Yue Haibing <yuehaibing@huawei.com>
+Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
+Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/usnic/usnic_ib_main.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/infiniband/hw/usnic/usnic_ib_main.c b/drivers/infiniband/hw/usnic/usnic_ib_main.c
+index 46653ad56f5a1..ec2d8f78c898b 100644
+--- a/drivers/infiniband/hw/usnic/usnic_ib_main.c
++++ b/drivers/infiniband/hw/usnic/usnic_ib_main.c
+@@ -380,7 +380,7 @@ static void *usnic_ib_device_add(struct pci_dev *dev)
+ if (!us_ibdev) {
+ usnic_err("Device %s context alloc failed\n",
+ netdev_name(pci_get_drvdata(dev)));
+- return ERR_PTR(-EFAULT);
++ return NULL;
+ }
+
+ us_ibdev->ufdev = usnic_fwd_dev_alloc(dev);
+@@ -500,8 +500,8 @@ static struct usnic_ib_dev *usnic_ib_discover_pf(struct usnic_vnic *vnic)
+ }
+
+ us_ibdev = usnic_ib_device_add(parent_pci);
+- if (IS_ERR_OR_NULL(us_ibdev)) {
+- us_ibdev = us_ibdev ? us_ibdev : ERR_PTR(-EFAULT);
++ if (!us_ibdev) {
++ us_ibdev = ERR_PTR(-EFAULT);
+ goto out;
+ }
+
+@@ -569,10 +569,10 @@ static int usnic_ib_pci_probe(struct pci_dev *pdev,
+ }
+
+ pf = usnic_ib_discover_pf(vf->vnic);
+- if (IS_ERR_OR_NULL(pf)) {
+- usnic_err("Failed to discover pf of vnic %s with err%ld\n",
+- pci_name(pdev), PTR_ERR(pf));
+- err = pf ? PTR_ERR(pf) : -EFAULT;
++ if (IS_ERR(pf)) {
++ err = PTR_ERR(pf);
++ usnic_err("Failed to discover pf of vnic %s with err%d\n",
++ pci_name(pdev), err);
+ goto out_clean_vnic;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From a4e951c23e2dae4c1c07a3fa455368d50ff36db1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Apr 2025 16:13:34 +0200
+Subject: Revert "wifi: mac80211: Update skb's control block key in
+ ieee80211_tx_dequeue()"
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 0937cb5f345c79d702b4d0d744e2a2529b551cb2 ]
+
+This reverts commit a104042e2bf6528199adb6ca901efe7b60c2c27f.
+
+Since the original bug seems to have been around for years,
+but a new issue was report with the fix, revert the fix for
+now. We have a couple of weeks to figure it out for this
+release, if needed.
+
+Reported-by: Bert Karwatzki <spasswolf@web.de>
+Closes: https://lore.kernel.org/linux-wireless/20250410215527.3001-1-spasswolf@web.de
+Fixes: a104042e2bf6 ("wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/tx.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
+index 7c1e81e15865c..62b2817df2ba9 100644
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -3800,7 +3800,6 @@ struct sk_buff *ieee80211_tx_dequeue(struct ieee80211_hw *hw,
+ * The key can be removed while the packet was queued, so need to call
+ * this here to get the current key.
+ */
+- info->control.hw_key = NULL;
+ r = ieee80211_tx_h_select_key(&tx);
+ if (r != TX_CONTINUE) {
+ ieee80211_free_txskb(&local->hw, skb);
+--
+2.39.5
+
--- /dev/null
+From 8f6a249cbe2d7e2721b98b5467c08b4e002bff21 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Apr 2025 15:32:21 +0800
+Subject: riscv: KGDB: Do not inline arch_kgdb_breakpoint()
+
+From: WangYuli <wangyuli@uniontech.com>
+
+[ Upstream commit 3af4bec9c1db3f003be4d5ae09b6a737e4be1612 ]
+
+The arch_kgdb_breakpoint() function defines the kgdb_compiled_break
+symbol using inline assembly.
+
+There's a potential issue where the compiler might inline
+arch_kgdb_breakpoint(), which would then define the kgdb_compiled_break
+symbol multiple times, leading to fail to link vmlinux.o.
+
+This isn't merely a potential compilation problem. The intent here
+is to determine the global symbol address of kgdb_compiled_break,
+and if this function is inlined multiple times, it would logically
+be a grave error.
+
+Link: https://lore.kernel.org/all/4b4187c1-77e5-44b7-885f-d6826723dd9a@sifive.com/
+Link: https://lore.kernel.org/all/5b0adf9b-2b22-43fe-ab74-68df94115b9a@ghiti.fr/
+Link: https://lore.kernel.org/all/23693e7f-4fff-40f3-a437-e06d827278a5@ghiti.fr/
+Fixes: fe89bd2be866 ("riscv: Add KGDB support")
+Co-developed-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: WangYuli <wangyuli@uniontech.com>
+Link: https://lore.kernel.org/r/F22359AFB6FF9FD8+20250411073222.56820-1-wangyuli@uniontech.com
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/include/asm/kgdb.h | 9 +--------
+ arch/riscv/kernel/kgdb.c | 8 ++++++++
+ 2 files changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/arch/riscv/include/asm/kgdb.h b/arch/riscv/include/asm/kgdb.h
+index 46677daf708bd..cc11c4544cffd 100644
+--- a/arch/riscv/include/asm/kgdb.h
++++ b/arch/riscv/include/asm/kgdb.h
+@@ -19,16 +19,9 @@
+
+ #ifndef __ASSEMBLY__
+
++void arch_kgdb_breakpoint(void);
+ extern unsigned long kgdb_compiled_break;
+
+-static inline void arch_kgdb_breakpoint(void)
+-{
+- asm(".global kgdb_compiled_break\n"
+- ".option norvc\n"
+- "kgdb_compiled_break: ebreak\n"
+- ".option rvc\n");
+-}
+-
+ #endif /* !__ASSEMBLY__ */
+
+ #define DBG_REG_ZERO "zero"
+diff --git a/arch/riscv/kernel/kgdb.c b/arch/riscv/kernel/kgdb.c
+index 963ed7edcff26..b0db3350d243b 100644
+--- a/arch/riscv/kernel/kgdb.c
++++ b/arch/riscv/kernel/kgdb.c
+@@ -273,6 +273,14 @@ void kgdb_arch_set_pc(struct pt_regs *regs, unsigned long pc)
+ regs->epc = pc;
+ }
+
++noinline void arch_kgdb_breakpoint(void)
++{
++ asm(".global kgdb_compiled_break\n"
++ ".option norvc\n"
++ "kgdb_compiled_break: ebreak\n"
++ ".option rvc\n");
++}
++
+ void kgdb_arch_handle_qxfer_pkt(char *remcom_in_buffer,
+ char *remcom_out_buffer)
+ {
+--
+2.39.5
+
--- /dev/null
+From 35da1ce9232900f9878993fb1950fb758446055c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Apr 2025 15:32:22 +0800
+Subject: riscv: KGDB: Remove ".option norvc/.option rvc" for
+ kgdb_compiled_break
+
+From: WangYuli <wangyuli@uniontech.com>
+
+[ Upstream commit 550c2aa787d1b06efcb11de1877354502a1237f2 ]
+
+[ Quoting Samuel Holland: ]
+
+ This is a separate issue, but using ".option rvc" here is a bug.
+ It will unconditionally enable the C extension for the rest of
+ the file, even if the kernel is being built with CONFIG_RISCV_ISA_C=n.
+
+[ Quoting Palmer Dabbelt: ]
+
+ We're just looking at the address of kgdb_compiled_break, so it's
+ fine if it ends up as a c.ebreak.
+
+[ Quoting Alexandre Ghiti: ]
+
+ .option norvc is used to prevent the assembler from using compressed
+ instructions, but it's generally used when we need to ensure the
+ size of the instructions that are used, which is not the case here
+ as noted by Palmer since we only care about the address. So yes
+ it will work fine with C enabled :)
+
+So let's just remove them all.
+
+Link: https://lore.kernel.org/all/4b4187c1-77e5-44b7-885f-d6826723dd9a@sifive.com/
+Link: https://lore.kernel.org/all/mhng-69513841-5068-441d-be8f-2aeebdc56a08@palmer-ri-x1c9a/
+Link: https://lore.kernel.org/all/23693e7f-4fff-40f3-a437-e06d827278a5@ghiti.fr/
+Fixes: fe89bd2be866 ("riscv: Add KGDB support")
+Cc: Samuel Holland <samuel.holland@sifive.com>
+Cc: Palmer Dabbelt <palmer@dabbelt.com>
+Cc: Alexandre Ghiti <alex@ghiti.fr>
+Signed-off-by: WangYuli <wangyuli@uniontech.com>
+Link: https://lore.kernel.org/r/8B431C6A4626225C+20250411073222.56820-2-wangyuli@uniontech.com
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/kernel/kgdb.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/arch/riscv/kernel/kgdb.c b/arch/riscv/kernel/kgdb.c
+index b0db3350d243b..1d83b36967212 100644
+--- a/arch/riscv/kernel/kgdb.c
++++ b/arch/riscv/kernel/kgdb.c
+@@ -276,9 +276,7 @@ void kgdb_arch_set_pc(struct pt_regs *regs, unsigned long pc)
+ noinline void arch_kgdb_breakpoint(void)
+ {
+ asm(".global kgdb_compiled_break\n"
+- ".option norvc\n"
+- "kgdb_compiled_break: ebreak\n"
+- ".option rvc\n");
++ "kgdb_compiled_break: ebreak\n");
+ }
+
+ void kgdb_arch_handle_qxfer_pkt(char *remcom_in_buffer,
+--
+2.39.5
+
--- /dev/null
+From b88483440a6fbdb65289e574cacc27a9aa142291 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Apr 2025 20:21:27 +0200
+Subject: riscv: Properly export reserved regions in /proc/iomem
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Björn Töpel <bjorn@rivosinc.com>
+
+[ Upstream commit e94eb7ea6f206e229791761a5fdf9389f8dbd183 ]
+
+The /proc/iomem represents the kernel's memory map. Regions marked
+with "Reserved" tells the user that the range should not be tampered
+with. Kexec-tools, when using the older kexec_load syscall relies on
+the "Reserved" regions to build the memory segments, that will be the
+target of the new kexec'd kernel.
+
+The RISC-V port tries to expose all reserved regions to userland, but
+some regions were not properly exposed: Regions that resided in both
+the "regular" and reserved memory block, e.g. the EFI Memory Map. A
+missing entry could result in reserved memory being overwritten.
+
+It turns out, that arm64, and loongarch had a similar issue a while
+back:
+
+ commit d91680e687f4 ("arm64: Fix /proc/iomem for reserved but not memory regions")
+ commit 50d7ba36b916 ("arm64: export memblock_reserve()d regions via /proc/iomem")
+
+Similar to the other ports, resolve the issue by splitting the regions
+in an arch initcall, since we need a working allocator.
+
+Fixes: ffe0e5261268 ("RISC-V: Improve init_resources()")
+Signed-off-by: Björn Töpel <bjorn@rivosinc.com>
+Reviewed-by: Alexandre Ghiti <alexghiti@rivosinc.com>
+Link: https://lore.kernel.org/r/20250409182129.634415-1-bjorn@kernel.org
+Signed-off-by: Alexandre Ghiti <alexghiti@rivosinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/kernel/setup.c | 36 +++++++++++++++++++++++++++++++++++-
+ 1 file changed, 35 insertions(+), 1 deletion(-)
+
+diff --git a/arch/riscv/kernel/setup.c b/arch/riscv/kernel/setup.c
+index 2acf51c235673..f4c3252abce41 100644
+--- a/arch/riscv/kernel/setup.c
++++ b/arch/riscv/kernel/setup.c
+@@ -76,6 +76,9 @@ static struct resource bss_res = { .name = "Kernel bss", };
+ static struct resource elfcorehdr_res = { .name = "ELF Core hdr", };
+ #endif
+
++static int num_standard_resources;
++static struct resource *standard_resources;
++
+ static int __init add_resource(struct resource *parent,
+ struct resource *res)
+ {
+@@ -149,7 +152,7 @@ static void __init init_resources(void)
+ struct resource *res = NULL;
+ struct resource *mem_res = NULL;
+ size_t mem_res_sz = 0;
+- int num_resources = 0, res_idx = 0;
++ int num_resources = 0, res_idx = 0, non_resv_res = 0;
+ int ret = 0;
+
+ /* + 1 as memblock_alloc() might increase memblock.reserved.cnt */
+@@ -213,6 +216,7 @@ static void __init init_resources(void)
+ /* Add /memory regions to the resource tree */
+ for_each_mem_region(region) {
+ res = &mem_res[res_idx--];
++ non_resv_res++;
+
+ if (unlikely(memblock_is_nomap(region))) {
+ res->name = "Reserved";
+@@ -230,6 +234,9 @@ static void __init init_resources(void)
+ goto error;
+ }
+
++ num_standard_resources = non_resv_res;
++ standard_resources = &mem_res[res_idx + 1];
++
+ /* Clean-up any unused pre-allocated resources */
+ if (res_idx >= 0)
+ memblock_free(mem_res, (res_idx + 1) * sizeof(*mem_res));
+@@ -241,6 +248,33 @@ static void __init init_resources(void)
+ memblock_free(mem_res, mem_res_sz);
+ }
+
++static int __init reserve_memblock_reserved_regions(void)
++{
++ u64 i, j;
++
++ for (i = 0; i < num_standard_resources; i++) {
++ struct resource *mem = &standard_resources[i];
++ phys_addr_t r_start, r_end, mem_size = resource_size(mem);
++
++ if (!memblock_is_region_reserved(mem->start, mem_size))
++ continue;
++
++ for_each_reserved_mem_range(j, &r_start, &r_end) {
++ resource_size_t start, end;
++
++ start = max(PFN_PHYS(PFN_DOWN(r_start)), mem->start);
++ end = min(PFN_PHYS(PFN_UP(r_end)) - 1, mem->end);
++
++ if (start > mem->end || end < mem->start)
++ continue;
++
++ reserve_region_with_split(mem, start, end, "Reserved");
++ }
++ }
++
++ return 0;
++}
++arch_initcall(reserve_memblock_reserved_regions);
+
+ static void __init parse_dtb(void)
+ {
+--
+2.39.5
+
--- /dev/null
+From d7a3256ba20e787089dfe400285572063d3e6909 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Mar 2025 17:51:34 +0800
+Subject: scsi: hisi_sas: Enable force phy when SATA disk directly connected
+
+From: Xingui Yang <yangxingui@huawei.com>
+
+[ Upstream commit 8aa580cd92843b60d4d6331f3b0a9e8409bb70eb ]
+
+when a SATA disk is directly connected the SAS controller determines the
+disk to which I/Os are delivered based on the port ID in the DQ entry.
+
+When many phys are disconnected and reconnect, the port ID of phys were
+changed and used by other link, resulting in I/O being sent to incorrect
+disk. Data inconsistency on the SATA disk may occur during I/O retries
+using the old port ID. So enable force phy, then force the command to be
+executed in a certain phy, and if the actual phy ID of the port does not
+match the phy configured in the command, the chip will stop delivering the
+I/O to disk.
+
+Fixes: ce60689e12dd ("scsi: hisi_sas: add v3 code to send ATA frame")
+Signed-off-by: Xingui Yang <yangxingui@huawei.com>
+Link: https://lore.kernel.org/r/20250312095135.3048379-2-yangxingui@huawei.com
+Reviewed-by: Yihang Li <liyihang9@huawei.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/hisi_sas/hisi_sas_v2_hw.c | 9 +++++++--
+ drivers/scsi/hisi_sas/hisi_sas_v3_hw.c | 14 ++++++++++++--
+ 2 files changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c
+index 50697672146ad..ae39f6b5dc9a8 100644
+--- a/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c
++++ b/drivers/scsi/hisi_sas/hisi_sas_v2_hw.c
+@@ -2502,6 +2502,7 @@ static void prep_ata_v2_hw(struct hisi_hba *hisi_hba,
+ struct hisi_sas_port *port = to_hisi_sas_port(sas_port);
+ struct sas_ata_task *ata_task = &task->ata_task;
+ struct sas_tmf_task *tmf = slot->tmf;
++ int phy_id;
+ u8 *buf_cmd;
+ int has_data = 0, hdr_tag = 0;
+ u32 dw0, dw1 = 0, dw2 = 0;
+@@ -2509,10 +2510,14 @@ static void prep_ata_v2_hw(struct hisi_hba *hisi_hba,
+ /* create header */
+ /* dw0 */
+ dw0 = port->id << CMD_HDR_PORT_OFF;
+- if (parent_dev && dev_is_expander(parent_dev->dev_type))
++ if (parent_dev && dev_is_expander(parent_dev->dev_type)) {
+ dw0 |= 3 << CMD_HDR_CMD_OFF;
+- else
++ } else {
++ phy_id = device->phy->identify.phy_identifier;
++ dw0 |= (1U << phy_id) << CMD_HDR_PHY_ID_OFF;
++ dw0 |= CMD_HDR_FORCE_PHY_MSK;
+ dw0 |= 4 << CMD_HDR_CMD_OFF;
++ }
+
+ if (tmf && ata_task->force_phy) {
+ dw0 |= CMD_HDR_FORCE_PHY_MSK;
+diff --git a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
+index 05dcd925a3fab..20b4d76e07149 100644
+--- a/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
++++ b/drivers/scsi/hisi_sas/hisi_sas_v3_hw.c
+@@ -357,6 +357,10 @@
+ #define CMD_HDR_RESP_REPORT_MSK (0x1 << CMD_HDR_RESP_REPORT_OFF)
+ #define CMD_HDR_TLR_CTRL_OFF 6
+ #define CMD_HDR_TLR_CTRL_MSK (0x3 << CMD_HDR_TLR_CTRL_OFF)
++#define CMD_HDR_PHY_ID_OFF 8
++#define CMD_HDR_PHY_ID_MSK (0x1ff << CMD_HDR_PHY_ID_OFF)
++#define CMD_HDR_FORCE_PHY_OFF 17
++#define CMD_HDR_FORCE_PHY_MSK (0x1U << CMD_HDR_FORCE_PHY_OFF)
+ #define CMD_HDR_PORT_OFF 18
+ #define CMD_HDR_PORT_MSK (0xf << CMD_HDR_PORT_OFF)
+ #define CMD_HDR_PRIORITY_OFF 27
+@@ -1385,15 +1389,21 @@ static void prep_ata_v3_hw(struct hisi_hba *hisi_hba,
+ struct hisi_sas_cmd_hdr *hdr = slot->cmd_hdr;
+ struct asd_sas_port *sas_port = device->port;
+ struct hisi_sas_port *port = to_hisi_sas_port(sas_port);
++ int phy_id;
+ u8 *buf_cmd;
+ int has_data = 0, hdr_tag = 0;
+ u32 dw1 = 0, dw2 = 0;
+
+ hdr->dw0 = cpu_to_le32(port->id << CMD_HDR_PORT_OFF);
+- if (parent_dev && dev_is_expander(parent_dev->dev_type))
++ if (parent_dev && dev_is_expander(parent_dev->dev_type)) {
+ hdr->dw0 |= cpu_to_le32(3 << CMD_HDR_CMD_OFF);
+- else
++ } else {
++ phy_id = device->phy->identify.phy_identifier;
++ hdr->dw0 |= cpu_to_le32((1U << phy_id)
++ << CMD_HDR_PHY_ID_OFF);
++ hdr->dw0 |= CMD_HDR_FORCE_PHY_MSK;
+ hdr->dw0 |= cpu_to_le32(4U << CMD_HDR_CMD_OFF);
++ }
+
+ switch (task->data_dir) {
+ case DMA_TO_DEVICE:
+--
+2.39.5
+
--- /dev/null
+From d6f116c6f2402b317eeb4ef1cdc44e4ae3faa91d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Mar 2025 17:43:43 +0800
+Subject: scsi: iscsi: Fix missing scsi_host_put() in error path
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit 72eea84a1092b50a10eeecfeba4b28ac9f1312ab ]
+
+Add goto to ensure scsi_host_put() is called in all error paths of
+iscsi_set_host_param() function. This fixes a potential memory leak when
+strlen() check fails.
+
+Fixes: ce51c8170084 ("scsi: iscsi: Add strlen() check in iscsi_if_set{_host}_param()")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Link: https://lore.kernel.org/r/20250318094344.91776-1-linmq006@gmail.com
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_transport_iscsi.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
+index 687487ea4fd3b..7f0fd03dd03bc 100644
+--- a/drivers/scsi/scsi_transport_iscsi.c
++++ b/drivers/scsi/scsi_transport_iscsi.c
+@@ -3207,11 +3207,14 @@ iscsi_set_host_param(struct iscsi_transport *transport,
+ }
+
+ /* see similar check in iscsi_if_set_param() */
+- if (strlen(data) > ev->u.set_host_param.len)
+- return -EINVAL;
++ if (strlen(data) > ev->u.set_host_param.len) {
++ err = -EINVAL;
++ goto out;
++ }
+
+ err = transport->set_host_param(shost, ev->u.set_host_param.param,
+ data, ev->u.set_host_param.len);
++out:
+ scsi_host_put(shost);
+ return err;
+ }
+--
+2.39.5
+
x86-e820-fix-handling-of-subpage-regions-when-calculating-nosave-ranges-in-e820__register_nosave_regions.patch
bluetooth-hci_uart-fix-another-race-during-initialization.patch
hsi-ssi_protocol-fix-use-after-free-vulnerability-in-ssi_protocol-driver-due-to-race-condition.patch
+scsi-hisi_sas-enable-force-phy-when-sata-disk-direct.patch
+wifi-at76c50x-fix-use-after-free-access-in-at76_disc.patch
+wifi-mac80211-update-skb-s-control-block-key-in-ieee.patch
+wifi-mac80211-purge-vif-txq-in-ieee80211_do_stop.patch
+wifi-wl1251-fix-memory-leak-in-wl1251_tx_work.patch
+scsi-iscsi-fix-missing-scsi_host_put-in-error-path.patch
+md-raid10-fix-missing-discard-io-accounting.patch
+md-use-separate-work_struct-for-md_start_sync.patch
+md-factor-out-a-helper-from-mddev_put.patch
+md-md-bitmap-fix-stats-collection-for-external-bitma.patch
+rdma-usnic-fix-passing-zero-to-ptr_err-in-usnic_ib_p.patch
+rdma-hns-fix-wrong-maximum-dma-segment-size.patch
+rdma-core-silence-oversized-kvmalloc-warning.patch
+bluetooth-hci_event-fix-sending-mgmt_ev_device_found.patch
+bluetooth-btrtl-prevent-potential-null-dereference.patch
+bluetooth-l2cap-check-encryption-key-size-on-incomin.patch
+revert-wifi-mac80211-update-skb-s-control-block-key-.patch
+igc-fix-ptm-cycle-trigger-logic.patch
+igc-move-ktime-snapshot-into-ptm-retry-loop.patch
+igc-handle-the-igc_ptp_enabled-flag-correctly.patch
+igc-cleanup-ptp-module-if-probe-fails.patch
+test-suite-use-zu-to-print-size_t.patch
+net-mctp-set-sock_rcu_free.patch
+net-openvswitch-fix-nested-key-length-validation-in-.patch
+cxgb4-fix-memory-leak-in-cxgb4_init_ethtool_filters-.patch
+net-b53-enable-bpdu-reception-for-management-port.patch
+net-bridge-switchdev-do-not-notify-new-brentries-as-.patch
+net-dsa-mv88e6xxx-avoid-unregistering-devlink-region.patch
+net-dsa-mv88e6xxx-fix-enoent-when-deleting-vlans-and.patch
+net-dsa-avoid-refcount-warnings-when-ds-ops-tag_8021.patch
+ptp-ocp-fix-start-time-alignment-in-ptp_ocp_signal_s.patch
+riscv-properly-export-reserved-regions-in-proc-iomem.patch
+riscv-kgdb-do-not-inline-arch_kgdb_breakpoint.patch
+riscv-kgdb-remove-.option-norvc-.option-rvc-for-kgdb.patch
+cpufreq-sched-fix-the-usage-of-cpufreq_need_update_l.patch
--- /dev/null
+From b6235683332ede0867032fdbf44a7b5d15c91b2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Apr 2025 20:33:11 -0400
+Subject: test suite: use %zu to print size_t
+
+From: Matthew Wilcox (Oracle) <willy@infradead.org>
+
+[ Upstream commit a30951d09c33c899f0e4aca80eb87fad5f10ecfa ]
+
+On 32-bit, we can't use %lu to print a size_t variable and gcc warns us
+about it. Shame it doesn't warn about it on 64-bit.
+
+Link: https://lkml.kernel.org/r/20250403003311.359917-1-Liam.Howlett@oracle.com
+Fixes: cc86e0c2f306 ("radix tree test suite: add support for slab bulk APIs")
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Signed-off-by: Liam R. Howlett <Liam.Howlett@oracle.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/radix-tree/linux.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/radix-tree/linux.c b/tools/testing/radix-tree/linux.c
+index d587a558997f8..11149bd12a1f7 100644
+--- a/tools/testing/radix-tree/linux.c
++++ b/tools/testing/radix-tree/linux.c
+@@ -121,7 +121,7 @@ void kmem_cache_free(struct kmem_cache *cachep, void *objp)
+ void kmem_cache_free_bulk(struct kmem_cache *cachep, size_t size, void **list)
+ {
+ if (kmalloc_verbose)
+- pr_debug("Bulk free %p[0-%lu]\n", list, size - 1);
++ pr_debug("Bulk free %p[0-%zu]\n", list, size - 1);
+
+ pthread_mutex_lock(&cachep->lock);
+ for (int i = 0; i < size; i++)
+@@ -139,7 +139,7 @@ int kmem_cache_alloc_bulk(struct kmem_cache *cachep, gfp_t gfp, size_t size,
+ size_t i;
+
+ if (kmalloc_verbose)
+- pr_debug("Bulk alloc %lu\n", size);
++ pr_debug("Bulk alloc %zu\n", size);
+
+ if (!(gfp & __GFP_DIRECT_RECLAIM)) {
+ if (cachep->non_kernel < size)
+--
+2.39.5
+
--- /dev/null
+From bb7b1324a617e75b3d02810debd6b572839508e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 30 Mar 2025 16:01:10 +0530
+Subject: wifi: at76c50x: fix use after free access in at76_disconnect
+
+From: Abdun Nihaal <abdun.nihaal@gmail.com>
+
+[ Upstream commit 27c7e63b3cb1a20bb78ed4a36c561ea4579fd7da ]
+
+The memory pointed to by priv is freed at the end of at76_delete_device
+function (using ieee80211_free_hw). But the code then accesses the udev
+field of the freed object to put the USB device. This may also lead to a
+memory leak of the usb device. Fix this by using udev from interface.
+
+Fixes: 29e20aa6c6af ("at76c50x-usb: fix use after free on failure path in at76_probe()")
+Signed-off-by: Abdun Nihaal <abdun.nihaal@gmail.com>
+Link: https://patch.msgid.link/20250330103110.44080-1-abdun.nihaal@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/atmel/at76c50x-usb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/atmel/at76c50x-usb.c b/drivers/net/wireless/atmel/at76c50x-usb.c
+index 24e609c1f5231..4a15c22cf348d 100644
+--- a/drivers/net/wireless/atmel/at76c50x-usb.c
++++ b/drivers/net/wireless/atmel/at76c50x-usb.c
+@@ -2553,7 +2553,7 @@ static void at76_disconnect(struct usb_interface *interface)
+
+ wiphy_info(priv->hw->wiphy, "disconnecting\n");
+ at76_delete_device(priv);
+- usb_put_dev(priv->udev);
++ usb_put_dev(interface_to_usbdev(interface));
+ dev_info(&interface->dev, "disconnected\n");
+ }
+
+--
+2.39.5
+
--- /dev/null
+From fd11cd5e03528ae86f86a35d0fcc3f000c210005 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Mar 2025 17:28:21 +0100
+Subject: wifi: mac80211: Purge vif txq in ieee80211_do_stop()
+
+From: Remi Pommarel <repk@triplefau.lt>
+
+[ Upstream commit 378677eb8f44621ecc9ce659f7af61e5baa94d81 ]
+
+After ieee80211_do_stop() SKB from vif's txq could still be processed.
+Indeed another concurrent vif schedule_and_wake_txq call could cause
+those packets to be dequeued (see ieee80211_handle_wake_tx_queue())
+without checking the sdata current state.
+
+Because vif.drv_priv is now cleared in this function, this could lead to
+driver crash.
+
+For example in ath12k, ahvif is store in vif.drv_priv. Thus if
+ath12k_mac_op_tx() is called after ieee80211_do_stop(), ahvif->ah can be
+NULL, leading the ath12k_warn(ahvif->ah,...) call in this function to
+trigger the NULL deref below.
+
+ Unable to handle kernel paging request at virtual address dfffffc000000001
+ KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
+ batman_adv: bat0: Interface deactivated: brbh1337
+ Mem abort info:
+ ESR = 0x0000000096000004
+ EC = 0x25: DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ FSC = 0x04: level 0 translation fault
+ Data abort info:
+ ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
+ CM = 0, WnR = 0, TnD = 0, TagAccess = 0
+ GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
+ [dfffffc000000001] address between user and kernel address ranges
+ Internal error: Oops: 0000000096000004 [#1] SMP
+ CPU: 1 UID: 0 PID: 978 Comm: lbd Not tainted 6.13.0-g633f875b8f1e #114
+ Hardware name: HW (DT)
+ pstate: 10000005 (nzcV daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : ath12k_mac_op_tx+0x6cc/0x29b8 [ath12k]
+ lr : ath12k_mac_op_tx+0x174/0x29b8 [ath12k]
+ sp : ffffffc086ace450
+ x29: ffffffc086ace450 x28: 0000000000000000 x27: 1ffffff810d59ca4
+ x26: ffffff801d05f7c0 x25: 0000000000000000 x24: 000000004000001e
+ x23: ffffff8009ce4926 x22: ffffff801f9c0800 x21: ffffff801d05f7f0
+ x20: ffffff8034a19f40 x19: 0000000000000000 x18: ffffff801f9c0958
+ x17: ffffff800bc0a504 x16: dfffffc000000000 x15: ffffffc086ace4f8
+ x14: ffffff801d05f83c x13: 0000000000000000 x12: ffffffb003a0bf03
+ x11: 0000000000000000 x10: ffffffb003a0bf02 x9 : ffffff8034a19f40
+ x8 : ffffff801d05f818 x7 : 1ffffff0069433dc x6 : ffffff8034a19ee0
+ x5 : ffffff801d05f7f0 x4 : 0000000000000000 x3 : 0000000000000001
+ x2 : 0000000000000000 x1 : dfffffc000000000 x0 : 0000000000000008
+ Call trace:
+ ath12k_mac_op_tx+0x6cc/0x29b8 [ath12k] (P)
+ ieee80211_handle_wake_tx_queue+0x16c/0x260
+ ieee80211_queue_skb+0xeec/0x1d20
+ ieee80211_tx+0x200/0x2c8
+ ieee80211_xmit+0x22c/0x338
+ __ieee80211_subif_start_xmit+0x7e8/0xc60
+ ieee80211_subif_start_xmit+0xc4/0xee0
+ __ieee80211_subif_start_xmit_8023.isra.0+0x854/0x17a0
+ ieee80211_subif_start_xmit_8023+0x124/0x488
+ dev_hard_start_xmit+0x160/0x5a8
+ __dev_queue_xmit+0x6f8/0x3120
+ br_dev_queue_push_xmit+0x120/0x4a8
+ __br_forward+0xe4/0x2b0
+ deliver_clone+0x5c/0xd0
+ br_flood+0x398/0x580
+ br_dev_xmit+0x454/0x9f8
+ dev_hard_start_xmit+0x160/0x5a8
+ __dev_queue_xmit+0x6f8/0x3120
+ ip6_finish_output2+0xc28/0x1b60
+ __ip6_finish_output+0x38c/0x638
+ ip6_output+0x1b4/0x338
+ ip6_local_out+0x7c/0xa8
+ ip6_send_skb+0x7c/0x1b0
+ ip6_push_pending_frames+0x94/0xd0
+ rawv6_sendmsg+0x1a98/0x2898
+ inet_sendmsg+0x94/0xe0
+ __sys_sendto+0x1e4/0x308
+ __arm64_sys_sendto+0xc4/0x140
+ do_el0_svc+0x110/0x280
+ el0_svc+0x20/0x60
+ el0t_64_sync_handler+0x104/0x138
+ el0t_64_sync+0x154/0x158
+
+To avoid that, empty vif's txq at ieee80211_do_stop() so no packet could
+be dequeued after ieee80211_do_stop() (new packets cannot be queued
+because SDATA_STATE_RUNNING is cleared at this point).
+
+Fixes: ba8c3d6f16a1 ("mac80211: add an intermediate software queue implementation")
+Signed-off-by: Remi Pommarel <repk@triplefau.lt>
+Link: https://patch.msgid.link/ff7849e268562456274213c0476e09481a48f489.1742833382.git.repk@triplefau.lt
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/iface.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
+index 8861f63e2cfb9..fc60e80088a38 100644
+--- a/net/mac80211/iface.c
++++ b/net/mac80211/iface.c
+@@ -688,6 +688,9 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata, bool going_do
+ if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
+ ieee80211_txq_remove_vlan(local, sdata);
+
++ if (sdata->vif.txq)
++ ieee80211_txq_purge(sdata->local, to_txq_info(sdata->vif.txq));
++
+ sdata->bss = NULL;
+
+ if (local->open_count == 0)
+--
+2.39.5
+
--- /dev/null
+From e5b3a0200df5afb0869c156a17fbf26277ef6e5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Mar 2025 17:28:20 +0100
+Subject: wifi: mac80211: Update skb's control block key in
+ ieee80211_tx_dequeue()
+
+From: Remi Pommarel <repk@triplefau.lt>
+
+[ Upstream commit a104042e2bf6528199adb6ca901efe7b60c2c27f ]
+
+The ieee80211 skb control block key (set when skb was queued) could have
+been removed before ieee80211_tx_dequeue() call. ieee80211_tx_dequeue()
+already called ieee80211_tx_h_select_key() to get the current key, but
+the latter do not update the key in skb control block in case it is
+NULL. Because some drivers actually use this key in their TX callbacks
+(e.g. ath1{1,2}k_mac_op_tx()) this could lead to the use after free
+below:
+
+ BUG: KASAN: slab-use-after-free in ath11k_mac_op_tx+0x590/0x61c
+ Read of size 4 at addr ffffff803083c248 by task kworker/u16:4/1440
+
+ CPU: 3 UID: 0 PID: 1440 Comm: kworker/u16:4 Not tainted 6.13.0-ge128f627f404 #2
+ Hardware name: HW (DT)
+ Workqueue: bat_events batadv_send_outstanding_bcast_packet
+ Call trace:
+ show_stack+0x14/0x1c (C)
+ dump_stack_lvl+0x58/0x74
+ print_report+0x164/0x4c0
+ kasan_report+0xac/0xe8
+ __asan_report_load4_noabort+0x1c/0x24
+ ath11k_mac_op_tx+0x590/0x61c
+ ieee80211_handle_wake_tx_queue+0x12c/0x1c8
+ ieee80211_queue_skb+0xdcc/0x1b4c
+ ieee80211_tx+0x1ec/0x2bc
+ ieee80211_xmit+0x224/0x324
+ __ieee80211_subif_start_xmit+0x85c/0xcf8
+ ieee80211_subif_start_xmit+0xc0/0xec4
+ dev_hard_start_xmit+0xf4/0x28c
+ __dev_queue_xmit+0x6ac/0x318c
+ batadv_send_skb_packet+0x38c/0x4b0
+ batadv_send_outstanding_bcast_packet+0x110/0x328
+ process_one_work+0x578/0xc10
+ worker_thread+0x4bc/0xc7c
+ kthread+0x2f8/0x380
+ ret_from_fork+0x10/0x20
+
+ Allocated by task 1906:
+ kasan_save_stack+0x28/0x4c
+ kasan_save_track+0x1c/0x40
+ kasan_save_alloc_info+0x3c/0x4c
+ __kasan_kmalloc+0xac/0xb0
+ __kmalloc_noprof+0x1b4/0x380
+ ieee80211_key_alloc+0x3c/0xb64
+ ieee80211_add_key+0x1b4/0x71c
+ nl80211_new_key+0x2b4/0x5d8
+ genl_family_rcv_msg_doit+0x198/0x240
+ <...>
+
+ Freed by task 1494:
+ kasan_save_stack+0x28/0x4c
+ kasan_save_track+0x1c/0x40
+ kasan_save_free_info+0x48/0x94
+ __kasan_slab_free+0x48/0x60
+ kfree+0xc8/0x31c
+ kfree_sensitive+0x70/0x80
+ ieee80211_key_free_common+0x10c/0x174
+ ieee80211_free_keys+0x188/0x46c
+ ieee80211_stop_mesh+0x70/0x2cc
+ ieee80211_leave_mesh+0x1c/0x60
+ cfg80211_leave_mesh+0xe0/0x280
+ cfg80211_leave+0x1e0/0x244
+ <...>
+
+Reset SKB control block key before calling ieee80211_tx_h_select_key()
+to avoid that.
+
+Fixes: bb42f2d13ffc ("mac80211: Move reorder-sensitive TX handlers to after TXQ dequeue")
+Signed-off-by: Remi Pommarel <repk@triplefau.lt>
+Link: https://patch.msgid.link/06aa507b853ca385ceded81c18b0a6dd0f081bc8.1742833382.git.repk@triplefau.lt
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/tx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
+index 62b2817df2ba9..7c1e81e15865c 100644
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -3800,6 +3800,7 @@ struct sk_buff *ieee80211_tx_dequeue(struct ieee80211_hw *hw,
+ * The key can be removed while the packet was queued, so need to call
+ * this here to get the current key.
+ */
++ info->control.hw_key = NULL;
+ r = ieee80211_tx_h_select_key(&tx);
+ if (r != TX_CONTINUE) {
+ ieee80211_free_txskb(&local->hw, skb);
+--
+2.39.5
+
--- /dev/null
+From 048872636fb829f838013670af5b99512090ed49 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 30 Mar 2025 16:15:32 +0530
+Subject: wifi: wl1251: fix memory leak in wl1251_tx_work
+
+From: Abdun Nihaal <abdun.nihaal@gmail.com>
+
+[ Upstream commit a0f0dc96de03ffeefc2a177b7f8acde565cb77f4 ]
+
+The skb dequeued from tx_queue is lost when wl1251_ps_elp_wakeup fails
+with a -ETIMEDOUT error. Fix that by queueing the skb back to tx_queue.
+
+Fixes: c5483b719363 ("wl12xx: check if elp wakeup failed")
+Signed-off-by: Abdun Nihaal <abdun.nihaal@gmail.com>
+Reviewed-by: Michael Nemanov <michael.nemanov@ti.com>
+Link: https://patch.msgid.link/20250330104532.44935-1-abdun.nihaal@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ti/wl1251/tx.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ti/wl1251/tx.c b/drivers/net/wireless/ti/wl1251/tx.c
+index e9dc3c72bb110..06dc74cc6cb52 100644
+--- a/drivers/net/wireless/ti/wl1251/tx.c
++++ b/drivers/net/wireless/ti/wl1251/tx.c
+@@ -342,8 +342,10 @@ void wl1251_tx_work(struct work_struct *work)
+ while ((skb = skb_dequeue(&wl->tx_queue))) {
+ if (!woken_up) {
+ ret = wl1251_ps_elp_wakeup(wl);
+- if (ret < 0)
++ if (ret < 0) {
++ skb_queue_head(&wl->tx_queue, skb);
+ goto out;
++ }
+ woken_up = true;
+ }
+
+--
+2.39.5
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
