--- /dev/null
+From 085ff2af11b004f122387d1e6d91f86b73b8b3cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 21 Jun 2025 01:36:14 -0400
+Subject: ALSA: hda/realtek - Enable mute LED on HP Pavilion Laptop 15-eg100
+
+From: Yasmin Fitzgerald <sunoflife1.git@gmail.com>
+
+[ Upstream commit 68cc9d3c8e44afe90e43cbbd2960da15c2f31e23 ]
+
+The HP Pavilion Laptop 15-eg100 has Realtek HDA codec ALC287.
+It needs the ALC287_FIXUP_HP_GPIO_LED quirk to enable the mute LED.
+
+Signed-off-by: Yasmin Fitzgerald <sunoflife1.git@gmail.com>
+Link: https://patch.msgid.link/20250621053832.52950-1-sunoflife1.git@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 13b3ec78010a0..f0c67b6af33ae 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9995,6 +9995,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x103c, 0x8975, "HP EliteBook x360 840 Aero G9", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x897d, "HP mt440 Mobile Thin Client U74", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8981, "HP Elite Dragonfly G3", ALC245_FIXUP_CS35L41_SPI_4),
++ SND_PCI_QUIRK(0x103c, 0x898a, "HP Pavilion 15-eg100", ALC287_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x898e, "HP EliteBook 835 G9", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x103c, 0x898f, "HP EliteBook 835 G9", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x103c, 0x8991, "HP EliteBook 845 G9", ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED),
+--
+2.39.5
+
--- /dev/null
+From 2a98fb64403d1bfa37ad53bc5cc613ba07af24ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 22 Jun 2025 22:58:00 +0000
+Subject: ASoC: amd: yc: add quirk for Acer Nitro ANV15-41 internal mic
+
+From: Yuzuru10 <yuzuru_10@proton.me>
+
+[ Upstream commit 7186b81807b4a08f8bf834b6bdc72d6ed8ba1587 ]
+
+This patch adds DMI-based quirk for the Acer Nitro ANV15-41,
+allowing the internal microphone to be detected correctly on
+machines with "RB" as board vendor.
+
+Signed-off-by: Yuzuru <yuzuru_10@proton.me>
+Link: https://patch.msgid.link/20250622225754.20856-1-yuzuru_10@proton.me
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c
+index ecf4f4c0e6967..1f4c43bf817e4 100644
+--- a/sound/soc/amd/yc/acp6x-mach.c
++++ b/sound/soc/amd/yc/acp6x-mach.c
+@@ -339,6 +339,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "83Q3"),
+ }
+ },
++ {
++ .driver_data = &acp6x_card,
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "RB"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Nitro ANV15-41"),
++ }
++ },
+ {
+ .driver_data = &acp6x_card,
+ .matches = {
+--
+2.39.5
+
--- /dev/null
+From 313392dfe6e2db02728e31a0b57400145577d19b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jun 2025 08:41:47 +0200
+Subject: atm: idt77252: Add missing `dma_map_error()`
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit c4890963350dcf4e9a909bae23665921fba4ad27 ]
+
+The DMA map functions can fail and should be tested for errors.
+
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250624064148.12815-3-fourier.thomas@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/atm/idt77252.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/atm/idt77252.c b/drivers/atm/idt77252.c
+index 7810f974b2ca9..d9ee20f0048fe 100644
+--- a/drivers/atm/idt77252.c
++++ b/drivers/atm/idt77252.c
+@@ -852,6 +852,8 @@ queue_skb(struct idt77252_dev *card, struct vc_map *vc,
+
+ IDT77252_PRV_PADDR(skb) = dma_map_single(&card->pcidev->dev, skb->data,
+ skb->len, DMA_TO_DEVICE);
++ if (dma_mapping_error(&card->pcidev->dev, IDT77252_PRV_PADDR(skb)))
++ return -ENOMEM;
+
+ error = -EINVAL;
+
+@@ -1857,6 +1859,8 @@ add_rx_skb(struct idt77252_dev *card, int queue,
+ paddr = dma_map_single(&card->pcidev->dev, skb->data,
+ skb_end_pointer(skb) - skb->data,
+ DMA_FROM_DEVICE);
++ if (dma_mapping_error(&card->pcidev->dev, paddr))
++ goto outpoolrm;
+ IDT77252_PRV_PADDR(skb) = paddr;
+
+ if (push_rx_skb(card, skb, queue)) {
+@@ -1871,6 +1875,7 @@ add_rx_skb(struct idt77252_dev *card, int queue,
+ dma_unmap_single(&card->pcidev->dev, IDT77252_PRV_PADDR(skb),
+ skb_end_pointer(skb) - skb->data, DMA_FROM_DEVICE);
+
++outpoolrm:
+ handle = IDT77252_PRV_POOL(skb);
+ card->sbpool[POOL_QUEUE(handle)].skb[POOL_INDEX(handle)] = NULL;
+
+--
+2.39.5
+
--- /dev/null
+From c77665e39ea95b5eced6ea1115c1e4351ea156fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 14:39:36 -0700
+Subject: bnxt_en: Fix DCB ETS validation
+
+From: Shravya KN <shravya.k-n@broadcom.com>
+
+[ Upstream commit b74c2a2e9cc471e847abd87e50a2354c07e02040 ]
+
+In bnxt_ets_validate(), the code incorrectly loops over all possible
+traffic classes to check and add the ETS settings. Fix it to loop
+over the configured traffic classes only.
+
+The unconfigured traffic classes will default to TSA_ETS with 0
+bandwidth. Looping over these unconfigured traffic classes may
+cause the validation to fail and trigger this error message:
+
+"rejecting ETS config starving a TC\n"
+
+The .ieee_setets() will then fail.
+
+Fixes: 7df4ae9fe855 ("bnxt_en: Implement DCBNL to support host-based DCBX.")
+Reviewed-by: Sreekanth Reddy <sreekanth.reddy@broadcom.com>
+Signed-off-by: Shravya KN <shravya.k-n@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Link: https://patch.msgid.link/20250710213938.1959625-2-michael.chan@broadcom.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c
+index 63e0670383852..1727e9bb1479d 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c
+@@ -487,7 +487,9 @@ static int bnxt_ets_validate(struct bnxt *bp, struct ieee_ets *ets, u8 *tc)
+
+ if ((ets->tc_tx_bw[i] || ets->tc_tsa[i]) && i > bp->max_tc)
+ return -EINVAL;
++ }
+
++ for (i = 0; i < max_tc; i++) {
+ switch (ets->tc_tsa[i]) {
+ case IEEE_8021QAZ_TSA_STRICT:
+ break;
+--
+2.39.5
+
--- /dev/null
+From 546f4d9807848d0432012294a2b068cf3ab6f2dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 14:39:38 -0700
+Subject: bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT
+
+From: Somnath Kotur <somnath.kotur@broadcom.com>
+
+[ Upstream commit 3cdf199d4755d477972ee87110b2aebc88b3cfad ]
+
+When transmitting an XDP_REDIRECT packet, call dma_unmap_len_set()
+with the proper length instead of 0. This bug triggers this warning
+on a system with IOMMU enabled:
+
+WARNING: CPU: 36 PID: 0 at drivers/iommu/dma-iommu.c:842 __iommu_dma_unmap+0x159/0x170
+RIP: 0010:__iommu_dma_unmap+0x159/0x170
+Code: a8 00 00 00 00 48 c7 45 b0 00 00 00 00 48 c7 45 c8 00 00 00 00 48 c7 45 a0 ff ff ff ff 4c 89 45
+b8 4c 89 45 c0 e9 77 ff ff ff <0f> 0b e9 60 ff ff ff e8 8b bf 6a 00 66 66 2e 0f 1f 84 00 00 00 00
+RSP: 0018:ff22d31181150c88 EFLAGS: 00010206
+RAX: 0000000000002000 RBX: 00000000e13a0000 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
+RBP: ff22d31181150cf0 R08: ff22d31181150ca8 R09: 0000000000000000
+R10: 0000000000000000 R11: ff22d311d36c9d80 R12: 0000000000001000
+R13: ff13544d10645010 R14: ff22d31181150c90 R15: ff13544d0b2bac00
+FS: 0000000000000000(0000) GS:ff13550908a00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00005be909dacff8 CR3: 0008000173408003 CR4: 0000000000f71ef0
+PKRU: 55555554
+Call Trace:
+<IRQ>
+? show_regs+0x6d/0x80
+? __warn+0x89/0x160
+? __iommu_dma_unmap+0x159/0x170
+? report_bug+0x17e/0x1b0
+? handle_bug+0x46/0x90
+? exc_invalid_op+0x18/0x80
+? asm_exc_invalid_op+0x1b/0x20
+? __iommu_dma_unmap+0x159/0x170
+? __iommu_dma_unmap+0xb3/0x170
+iommu_dma_unmap_page+0x4f/0x100
+dma_unmap_page_attrs+0x52/0x220
+? srso_alias_return_thunk+0x5/0xfbef5
+? xdp_return_frame+0x2e/0xd0
+bnxt_tx_int_xdp+0xdf/0x440 [bnxt_en]
+__bnxt_poll_work_done+0x81/0x1e0 [bnxt_en]
+bnxt_poll+0xd3/0x1e0 [bnxt_en]
+
+Fixes: f18c2b77b2e4 ("bnxt_en: optimized XDP_REDIRECT support")
+Signed-off-by: Somnath Kotur <somnath.kotur@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Link: https://patch.msgid.link/20250710213938.1959625-4-michael.chan@broadcom.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c
+index d9a7b85343a49..967a7fa291eae 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c
+@@ -122,7 +122,7 @@ static void __bnxt_xmit_xdp_redirect(struct bnxt *bp,
+ tx_buf->action = XDP_REDIRECT;
+ tx_buf->xdpf = xdpf;
+ dma_unmap_addr_set(tx_buf, mapping, mapping);
+- dma_unmap_len_set(tx_buf, len, 0);
++ dma_unmap_len_set(tx_buf, len, len);
+ }
+
+ void bnxt_tx_int_xdp(struct bnxt *bp, struct bnxt_napi *bnapi, int nr_pkts)
+--
+2.39.5
+
--- /dev/null
+From 4370a68d2a1ccffad267a1c50626ceb0106b6d12 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Jun 2025 20:51:03 +0100
+Subject: btrfs: fix assertion when building free space tree
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 1961d20f6fa8903266ed9bd77c691924c22c8f02 ]
+
+When building the free space tree with the block group tree feature
+enabled, we can hit an assertion failure like this:
+
+ BTRFS info (device loop0 state M): rebuilding free space tree
+ assertion failed: ret == 0, in fs/btrfs/free-space-tree.c:1102
+ ------------[ cut here ]------------
+ kernel BUG at fs/btrfs/free-space-tree.c:1102!
+ Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
+ Modules linked in:
+ CPU: 1 UID: 0 PID: 6592 Comm: syz-executor322 Not tainted 6.15.0-rc7-syzkaller-gd7fa1af5b33e #0 PREEMPT
+ Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
+ pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : populate_free_space_tree+0x514/0x518 fs/btrfs/free-space-tree.c:1102
+ lr : populate_free_space_tree+0x514/0x518 fs/btrfs/free-space-tree.c:1102
+ sp : ffff8000a4ce7600
+ x29: ffff8000a4ce76e0 x28: ffff0000c9bc6000 x27: ffff0000ddfff3d8
+ x26: ffff0000ddfff378 x25: dfff800000000000 x24: 0000000000000001
+ x23: ffff8000a4ce7660 x22: ffff70001499cecc x21: ffff0000e1d8c160
+ x20: ffff0000e1cb7800 x19: ffff0000e1d8c0b0 x18: 00000000ffffffff
+ x17: ffff800092f39000 x16: ffff80008ad27e48 x15: ffff700011e740c0
+ x14: 1ffff00011e740c0 x13: 0000000000000004 x12: ffffffffffffffff
+ x11: ffff700011e740c0 x10: 0000000000ff0100 x9 : 94ef24f55d2dbc00
+ x8 : 94ef24f55d2dbc00 x7 : 0000000000000001 x6 : 0000000000000001
+ x5 : ffff8000a4ce6f98 x4 : ffff80008f415ba0 x3 : ffff800080548ef0
+ x2 : 0000000000000000 x1 : 0000000100000000 x0 : 000000000000003e
+ Call trace:
+ populate_free_space_tree+0x514/0x518 fs/btrfs/free-space-tree.c:1102 (P)
+ btrfs_rebuild_free_space_tree+0x14c/0x54c fs/btrfs/free-space-tree.c:1337
+ btrfs_start_pre_rw_mount+0xa78/0xe10 fs/btrfs/disk-io.c:3074
+ btrfs_remount_rw fs/btrfs/super.c:1319 [inline]
+ btrfs_reconfigure+0x828/0x2418 fs/btrfs/super.c:1543
+ reconfigure_super+0x1d4/0x6f0 fs/super.c:1083
+ do_remount fs/namespace.c:3365 [inline]
+ path_mount+0xb34/0xde0 fs/namespace.c:4200
+ do_mount fs/namespace.c:4221 [inline]
+ __do_sys_mount fs/namespace.c:4432 [inline]
+ __se_sys_mount fs/namespace.c:4409 [inline]
+ __arm64_sys_mount+0x3e8/0x468 fs/namespace.c:4409
+ __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
+ invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
+ el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
+ do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
+ el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767
+ el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786
+ el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
+ Code: f0047182 91178042 528089c3 9771d47b (d4210000)
+ ---[ end trace 0000000000000000 ]---
+
+This happens because we are processing an empty block group, which has
+no extents allocated from it, there are no items for this block group,
+including the block group item since block group items are stored in a
+dedicated tree when using the block group tree feature. It also means
+this is the block group with the highest start offset, so there are no
+higher keys in the extent root, hence btrfs_search_slot_for_read()
+returns 1 (no higher key found).
+
+Fix this by asserting 'ret' is 0 only if the block group tree feature
+is not enabled, in which case we should find a block group item for
+the block group since it's stored in the extent root and block group
+item keys are greater than extent item keys (the value for
+BTRFS_BLOCK_GROUP_ITEM_KEY is 192 and for BTRFS_EXTENT_ITEM_KEY and
+BTRFS_METADATA_ITEM_KEY the values are 168 and 169 respectively).
+In case 'ret' is 1, we just need to add a record to the free space
+tree which spans the whole block group, and we can achieve this by
+making 'ret == 0' as the while loop's condition.
+
+Reported-by: syzbot+36fae25c35159a763a2a@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/linux-btrfs/6841dca8.a00a0220.d4325.0020.GAE@google.com/
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/free-space-tree.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/fs/btrfs/free-space-tree.c b/fs/btrfs/free-space-tree.c
+index 6a44733a95e1c..14bdb241ff6bb 100644
+--- a/fs/btrfs/free-space-tree.c
++++ b/fs/btrfs/free-space-tree.c
+@@ -1098,11 +1098,21 @@ static int populate_free_space_tree(struct btrfs_trans_handle *trans,
+ ret = btrfs_search_slot_for_read(extent_root, &key, path, 1, 0);
+ if (ret < 0)
+ goto out_locked;
+- ASSERT(ret == 0);
++ /*
++ * If ret is 1 (no key found), it means this is an empty block group,
++ * without any extents allocated from it and there's no block group
++ * item (key BTRFS_BLOCK_GROUP_ITEM_KEY) located in the extent tree
++ * because we are using the block group tree feature, so block group
++ * items are stored in the block group tree. It also means there are no
++ * extents allocated for block groups with a start offset beyond this
++ * block group's end offset (this is the last, highest, block group).
++ */
++ if (!btrfs_fs_compat_ro(trans->fs_info, BLOCK_GROUP_TREE))
++ ASSERT(ret == 0);
+
+ start = block_group->start;
+ end = block_group->start + block_group->length;
+- while (1) {
++ while (ret == 0) {
+ btrfs_item_key_to_cpu(path->nodes[0], &key, path->slots[0]);
+
+ if (key.type == BTRFS_EXTENT_ITEM_KEY ||
+@@ -1132,8 +1142,6 @@ static int populate_free_space_tree(struct btrfs_trans_handle *trans,
+ ret = btrfs_next_item(extent_root, path);
+ if (ret < 0)
+ goto out_locked;
+- if (ret)
+- break;
+ }
+ if (start < end) {
+ ret = __add_to_free_space_tree(trans, block_group, path2,
+--
+2.39.5
+
--- /dev/null
+From 5982508ed823e76ad348bd396ea07f1adbe05248 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Jul 2025 00:45:48 -0400
+Subject: btrfs: propagate last_unlink_trans earlier when doing a rmdir
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit c466e33e729a0ee017d10d919cba18f503853c60 ]
+
+In case the removed directory had a snapshot that was deleted, we are
+propagating its inode's last_unlink_trans to the parent directory after
+we removed the entry from the parent directory. This leaves a small race
+window where someone can log the parent directory after we removed the
+entry and before we updated last_unlink_trans, and as a result if we ever
+try to replay such a log tree, we will fail since we will attempt to
+remove a snapshot during log replay, which is currently not possible and
+results in the log replay (and mount) to fail. This is the type of failure
+described in commit 1ec9a1ae1e30 ("Btrfs: fix unreplayable log after
+snapshot delete + parent dir fsync").
+
+So fix this by propagating the last_unlink_trans to the parent directory
+before we remove the entry from it.
+
+Fixes: 44f714dae50a ("Btrfs: improve performance on fsync against new inode after rename/unlink")
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/inode.c | 28 +++++++++++++++++-----------
+ 1 file changed, 17 insertions(+), 11 deletions(-)
+
+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
+index 5ecc2f3dc3a99..469a622b440b6 100644
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -4881,6 +4881,23 @@ static int btrfs_rmdir(struct inode *dir, struct dentry *dentry)
+ goto out_notrans;
+ }
+
++ /*
++ * Propagate the last_unlink_trans value of the deleted dir to its
++ * parent directory. This is to prevent an unrecoverable log tree in the
++ * case we do something like this:
++ * 1) create dir foo
++ * 2) create snapshot under dir foo
++ * 3) delete the snapshot
++ * 4) rmdir foo
++ * 5) mkdir foo
++ * 6) fsync foo or some file inside foo
++ *
++ * This is because we can't unlink other roots when replaying the dir
++ * deletes for directory foo.
++ */
++ if (BTRFS_I(inode)->last_unlink_trans >= trans->transid)
++ BTRFS_I(dir)->last_unlink_trans = BTRFS_I(inode)->last_unlink_trans;
++
+ if (unlikely(btrfs_ino(BTRFS_I(inode)) == BTRFS_EMPTY_SUBVOL_DIR_OBJECTID)) {
+ err = btrfs_unlink_subvol(trans, dir, dentry);
+ goto out;
+@@ -4895,17 +4912,6 @@ static int btrfs_rmdir(struct inode *dir, struct dentry *dentry)
+ &fname.disk_name);
+ if (!err) {
+ btrfs_i_size_write(BTRFS_I(inode), 0);
+- /*
+- * Propagate the last_unlink_trans value of the deleted dir to
+- * its parent directory. This is to prevent an unrecoverable
+- * log tree in the case we do something like this:
+- * 1) create dir foo
+- * 2) create snapshot under dir foo
+- * 3) delete the snapshot
+- * 4) rmdir foo
+- * 5) mkdir foo
+- * 6) fsync foo or some file inside foo
+- */
+ if (BTRFS_I(inode)->last_unlink_trans >= trans->transid)
+ btrfs_record_snapshot_destroy(trans, BTRFS_I(dir));
+ }
+--
+2.39.5
+
--- /dev/null
+From 37f3d52ec375018ed970b379d6635dc52cbadb33 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jul 2025 12:12:02 +0200
+Subject: can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message
+ to debug level
+
+From: Sean Nyekjaer <sean@geanix.com>
+
+[ Upstream commit 58805e9cbc6f6a28f35d90e740956e983a0e036e ]
+
+Downgrade the "msg lost in rx" message to debug level, to prevent
+flooding the kernel log with error messages.
+
+Fixes: e0d1f4816f2a ("can: m_can: add Bosch M_CAN controller support")
+Reviewed-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+Signed-off-by: Sean Nyekjaer <sean@geanix.com>
+Link: https://patch.msgid.link/20250711-mcan_ratelimit-v3-1-7413e8e21b84@geanix.com
+[mkl: enhance commit message]
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/m_can/m_can.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/m_can/m_can.c b/drivers/net/can/m_can/m_can.c
+index 56b0f49c81164..814f947e7f505 100644
+--- a/drivers/net/can/m_can/m_can.c
++++ b/drivers/net/can/m_can/m_can.c
+@@ -577,7 +577,7 @@ static int m_can_handle_lost_msg(struct net_device *dev)
+ struct can_frame *frame;
+ u32 timestamp = 0;
+
+- netdev_err(dev, "msg lost in rxf0\n");
++ netdev_dbg(dev, "msg lost in rxf0\n");
+
+ stats->rx_errors++;
+ stats->rx_over_errors++;
+--
+2.39.5
+
--- /dev/null
+From d8702800ba96698a330dd0d918846ab59649415c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 11:08:07 +0900
+Subject: drm/tegra: nvdec: Fix dma_alloc_coherent error check
+
+From: Mikko Perttunen <mperttunen@nvidia.com>
+
+[ Upstream commit 44306a684cd1699b8562a54945ddc43e2abc9eab ]
+
+Check for NULL return value with dma_alloc_coherent, in line with
+Robin's fix for vic.c in 'drm/tegra: vic: Fix DMA API misuse'.
+
+Fixes: 46f226c93d35 ("drm/tegra: Add NVDEC driver")
+Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Link: https://lore.kernel.org/r/20250702-nvdec-dma-error-check-v1-1-c388b402c53a@nvidia.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/tegra/nvdec.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/tegra/nvdec.c b/drivers/gpu/drm/tegra/nvdec.c
+index 276fe04727302..99ada87e25895 100644
+--- a/drivers/gpu/drm/tegra/nvdec.c
++++ b/drivers/gpu/drm/tegra/nvdec.c
+@@ -209,10 +209,8 @@ static int nvdec_load_firmware(struct nvdec *nvdec)
+
+ if (!client->group) {
+ virt = dma_alloc_coherent(nvdec->dev, size, &iova, GFP_KERNEL);
+-
+- err = dma_mapping_error(nvdec->dev, iova);
+- if (err < 0)
+- return err;
++ if (!virt)
++ return -ENOMEM;
+ } else {
+ virt = tegra_drm_alloc(tegra, size, &iova);
+ }
+--
+2.39.5
+
--- /dev/null
+From 3a6576a1868719d9829fcdceb8b44ae6cd62f45f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Aug 2023 16:39:42 +0800
+Subject: erofs: adapt folios for z_erofs_read_folio()
+
+From: Gao Xiang <hsiangkao@linux.alibaba.com>
+
+[ Upstream commit c33ad3b2b7100ac944aad38d3ebc89cb5f654e94 ]
+
+It's a straight-forward conversion and no logic changes (except that
+it renames the corresponding tracepoint.)
+
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20230817083942.103303-1-hsiangkao@linux.alibaba.com
+Stable-dep-of: 99f7619a77a0 ("erofs: fix to add missing tracepoint in erofs_read_folio()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/erofs/zdata.c | 9 ++++-----
+ include/trace/events/erofs.h | 16 ++++++++--------
+ 2 files changed, 12 insertions(+), 13 deletions(-)
+
+diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c
+index ac8c082798512..32ca6d3e373ab 100644
+--- a/fs/erofs/zdata.c
++++ b/fs/erofs/zdata.c
+@@ -1680,17 +1680,16 @@ static void z_erofs_pcluster_readmore(struct z_erofs_decompress_frontend *f,
+
+ static int z_erofs_read_folio(struct file *file, struct folio *folio)
+ {
+- struct page *page = &folio->page;
+- struct inode *const inode = page->mapping->host;
++ struct inode *const inode = folio->mapping->host;
+ struct erofs_sb_info *const sbi = EROFS_I_SB(inode);
+ struct z_erofs_decompress_frontend f = DECOMPRESS_FRONTEND_INIT(inode);
+ int err;
+
+- trace_erofs_readpage(page, false);
+- f.headoffset = (erofs_off_t)page->index << PAGE_SHIFT;
++ trace_erofs_read_folio(folio, false);
++ f.headoffset = (erofs_off_t)folio->index << PAGE_SHIFT;
+
+ z_erofs_pcluster_readmore(&f, NULL, true);
+- err = z_erofs_do_read_page(&f, page);
++ err = z_erofs_do_read_page(&f, &folio->page);
+ z_erofs_pcluster_readmore(&f, NULL, false);
+ (void)z_erofs_collector_end(&f);
+
+diff --git a/include/trace/events/erofs.h b/include/trace/events/erofs.h
+index a5e7f79ba557f..54a876f52e9b4 100644
+--- a/include/trace/events/erofs.h
++++ b/include/trace/events/erofs.h
+@@ -75,11 +75,11 @@ TRACE_EVENT(erofs_fill_inode,
+ __entry->blkaddr, __entry->ofs)
+ );
+
+-TRACE_EVENT(erofs_readpage,
++TRACE_EVENT(erofs_read_folio,
+
+- TP_PROTO(struct page *page, bool raw),
++ TP_PROTO(struct folio *folio, bool raw),
+
+- TP_ARGS(page, raw),
++ TP_ARGS(folio, raw),
+
+ TP_STRUCT__entry(
+ __field(dev_t, dev )
+@@ -91,11 +91,11 @@ TRACE_EVENT(erofs_readpage,
+ ),
+
+ TP_fast_assign(
+- __entry->dev = page->mapping->host->i_sb->s_dev;
+- __entry->nid = EROFS_I(page->mapping->host)->nid;
+- __entry->dir = S_ISDIR(page->mapping->host->i_mode);
+- __entry->index = page->index;
+- __entry->uptodate = PageUptodate(page);
++ __entry->dev = folio->mapping->host->i_sb->s_dev;
++ __entry->nid = EROFS_I(folio->mapping->host)->nid;
++ __entry->dir = S_ISDIR(folio->mapping->host->i_mode);
++ __entry->index = folio->index;
++ __entry->uptodate = folio_test_uptodate(folio);
+ __entry->raw = raw;
+ ),
+
+--
+2.39.5
+
--- /dev/null
+From d9770d0ac6cd3e76c460412b3b333dc20a59d912 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 May 2023 04:14:54 +0800
+Subject: erofs: allocate extra bvec pages directly instead of retrying
+
+From: Gao Xiang <hsiangkao@linux.alibaba.com>
+
+[ Upstream commit 05b63d2beb8b0f752d1f5cdd051c8bdbf532cedd ]
+
+If non-bootstrap bvecs cannot be kept in place (very rarely), an extra
+short-lived page is allocated.
+
+Let's just allocate it immediately rather than do unnecessary -EAGAIN
+return first and retry as a cleanup. Also it's unnecessary to use
+__GFP_NOFAIL here since we could gracefully fail out this case instead.
+
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Reviewed-by: Yue Hu <huyue2@coolpad.com>
+Link: https://lore.kernel.org/r/20230526201459.128169-2-hsiangkao@linux.alibaba.com
+Stable-dep-of: 99f7619a77a0 ("erofs: fix to add missing tracepoint in erofs_read_folio()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/erofs/zdata.c | 32 ++++++++++++--------------------
+ 1 file changed, 12 insertions(+), 20 deletions(-)
+
+diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c
+index 50dd104dbaabf..ff82610eb14c9 100644
+--- a/fs/erofs/zdata.c
++++ b/fs/erofs/zdata.c
+@@ -238,12 +238,17 @@ static int z_erofs_bvec_enqueue(struct z_erofs_bvec_iter *iter,
+ struct z_erofs_bvec *bvec,
+ struct page **candidate_bvpage)
+ {
+- if (iter->cur == iter->nr) {
+- if (!*candidate_bvpage)
+- return -EAGAIN;
+-
++ if (iter->cur >= iter->nr) {
++ struct page *nextpage = *candidate_bvpage;
++
++ if (!nextpage) {
++ nextpage = alloc_page(GFP_NOFS);
++ if (!nextpage)
++ return -ENOMEM;
++ set_page_private(nextpage, Z_EROFS_SHORTLIVED_PAGE);
++ }
+ DBG_BUGON(iter->bvset->nextpage);
+- iter->bvset->nextpage = *candidate_bvpage;
++ iter->bvset->nextpage = nextpage;
+ z_erofs_bvset_flip(iter);
+
+ iter->bvset->nextpage = NULL;
+@@ -744,10 +749,8 @@ static bool z_erofs_collector_end(struct z_erofs_decompress_frontend *fe)
+ z_erofs_bvec_iter_end(&fe->biter);
+ mutex_unlock(&pcl->lock);
+
+- if (fe->candidate_bvpage) {
+- DBG_BUGON(z_erofs_is_shortlived_page(fe->candidate_bvpage));
++ if (fe->candidate_bvpage)
+ fe->candidate_bvpage = NULL;
+- }
+
+ /*
+ * if all pending pages are added, don't hold its reference
+@@ -896,24 +899,13 @@ static int z_erofs_do_read_page(struct z_erofs_decompress_frontend *fe,
+ if (cur)
+ tight &= (fe->mode >= Z_EROFS_PCLUSTER_FOLLOWED);
+
+-retry:
+ err = z_erofs_attach_page(fe, &((struct z_erofs_bvec) {
+ .page = page,
+ .offset = offset - map->m_la,
+ .end = end,
+ }), exclusive);
+- /* should allocate an additional short-lived page for bvset */
+- if (err == -EAGAIN && !fe->candidate_bvpage) {
+- fe->candidate_bvpage = alloc_page(GFP_NOFS | __GFP_NOFAIL);
+- set_page_private(fe->candidate_bvpage,
+- Z_EROFS_SHORTLIVED_PAGE);
+- goto retry;
+- }
+-
+- if (err) {
+- DBG_BUGON(err == -EAGAIN && fe->candidate_bvpage);
++ if (err)
+ goto out;
+- }
+
+ z_erofs_onlinepage_split(page);
+ /* bump up the number of spiltted parts of a page */
+--
+2.39.5
+
--- /dev/null
+From bea6ae961c533f3117ba74b3d41a3aeca5d4437d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 May 2023 04:14:55 +0800
+Subject: erofs: avoid on-stack pagepool directly passed by arguments
+
+From: Gao Xiang <hsiangkao@linux.alibaba.com>
+
+[ Upstream commit 6ab5eed6002edc5a29b683285e90459a7df6ce2b ]
+
+On-stack pagepool is used so that short-lived temporary pages could be
+shared within a single I/O request (e.g. among multiple pclusters).
+
+Moving the remaining frontend-related uses into
+z_erofs_decompress_frontend to avoid too many arguments.
+
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Reviewed-by: Yue Hu <huyue2@coolpad.com>
+Link: https://lore.kernel.org/r/20230526201459.128169-3-hsiangkao@linux.alibaba.com
+Stable-dep-of: 99f7619a77a0 ("erofs: fix to add missing tracepoint in erofs_read_folio()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/erofs/zdata.c | 64 +++++++++++++++++++++++-------------------------
+ 1 file changed, 30 insertions(+), 34 deletions(-)
+
+diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c
+index ff82610eb14c9..ac8c082798512 100644
+--- a/fs/erofs/zdata.c
++++ b/fs/erofs/zdata.c
+@@ -236,13 +236,14 @@ static void z_erofs_bvec_iter_begin(struct z_erofs_bvec_iter *iter,
+
+ static int z_erofs_bvec_enqueue(struct z_erofs_bvec_iter *iter,
+ struct z_erofs_bvec *bvec,
+- struct page **candidate_bvpage)
++ struct page **candidate_bvpage,
++ struct page **pagepool)
+ {
+ if (iter->cur >= iter->nr) {
+ struct page *nextpage = *candidate_bvpage;
+
+ if (!nextpage) {
+- nextpage = alloc_page(GFP_NOFS);
++ nextpage = erofs_allocpage(pagepool, GFP_NOFS);
+ if (!nextpage)
+ return -ENOMEM;
+ set_page_private(nextpage, Z_EROFS_SHORTLIVED_PAGE);
+@@ -406,6 +407,7 @@ struct z_erofs_decompress_frontend {
+ struct erofs_map_blocks map;
+ struct z_erofs_bvec_iter biter;
+
++ struct page *pagepool;
+ struct page *candidate_bvpage;
+ struct z_erofs_pcluster *pcl;
+ z_erofs_next_pcluster_t owned_head;
+@@ -440,8 +442,7 @@ static bool z_erofs_should_alloc_cache(struct z_erofs_decompress_frontend *fe)
+ return false;
+ }
+
+-static void z_erofs_bind_cache(struct z_erofs_decompress_frontend *fe,
+- struct page **pagepool)
++static void z_erofs_bind_cache(struct z_erofs_decompress_frontend *fe)
+ {
+ struct address_space *mc = MNGD_MAPPING(EROFS_I_SB(fe->inode));
+ struct z_erofs_pcluster *pcl = fe->pcl;
+@@ -482,7 +483,7 @@ static void z_erofs_bind_cache(struct z_erofs_decompress_frontend *fe,
+ * succeeds or fallback to in-place I/O instead
+ * to avoid any direct reclaim.
+ */
+- newpage = erofs_allocpage(pagepool, gfp);
++ newpage = erofs_allocpage(&fe->pagepool, gfp);
+ if (!newpage)
+ continue;
+ set_page_private(newpage, Z_EROFS_PREALLOCATED_PAGE);
+@@ -495,7 +496,7 @@ static void z_erofs_bind_cache(struct z_erofs_decompress_frontend *fe,
+ if (page)
+ put_page(page);
+ else if (newpage)
+- erofs_pagepool_add(pagepool, newpage);
++ erofs_pagepool_add(&fe->pagepool, newpage);
+ }
+
+ /*
+@@ -593,7 +594,8 @@ static int z_erofs_attach_page(struct z_erofs_decompress_frontend *fe,
+ !fe->candidate_bvpage)
+ fe->candidate_bvpage = bvec->page;
+ }
+- ret = z_erofs_bvec_enqueue(&fe->biter, bvec, &fe->candidate_bvpage);
++ ret = z_erofs_bvec_enqueue(&fe->biter, bvec, &fe->candidate_bvpage,
++ &fe->pagepool);
+ fe->pcl->vcnt += (ret >= 0);
+ return ret;
+ }
+@@ -797,7 +799,7 @@ static int z_erofs_read_fragment(struct inode *inode, erofs_off_t pos,
+ }
+
+ static int z_erofs_do_read_page(struct z_erofs_decompress_frontend *fe,
+- struct page *page, struct page **pagepool)
++ struct page *page)
+ {
+ struct inode *const inode = fe->inode;
+ struct erofs_map_blocks *const map = &fe->map;
+@@ -858,7 +860,7 @@ static int z_erofs_do_read_page(struct z_erofs_decompress_frontend *fe,
+ fe->mode = Z_EROFS_PCLUSTER_FOLLOWED_NOINPLACE;
+ } else {
+ /* bind cache first when cached decompression is preferred */
+- z_erofs_bind_cache(fe, pagepool);
++ z_erofs_bind_cache(fe);
+ }
+ hitted:
+ /*
+@@ -1470,7 +1472,6 @@ static void z_erofs_decompressqueue_endio(struct bio *bio)
+ }
+
+ static void z_erofs_submit_queue(struct z_erofs_decompress_frontend *f,
+- struct page **pagepool,
+ struct z_erofs_decompressqueue *fgq,
+ bool *force_fg, bool readahead)
+ {
+@@ -1528,8 +1529,8 @@ static void z_erofs_submit_queue(struct z_erofs_decompress_frontend *f,
+ do {
+ struct page *page;
+
+- page = pickup_page_for_submission(pcl, i++, pagepool,
+- mc);
++ page = pickup_page_for_submission(pcl, i++,
++ &f->pagepool, mc);
+ if (!page)
+ continue;
+
+@@ -1594,16 +1595,16 @@ static void z_erofs_submit_queue(struct z_erofs_decompress_frontend *f,
+ }
+
+ static void z_erofs_runqueue(struct z_erofs_decompress_frontend *f,
+- struct page **pagepool, bool force_fg, bool ra)
++ bool force_fg, bool ra)
+ {
+ struct z_erofs_decompressqueue io[NR_JOBQUEUES];
+
+ if (f->owned_head == Z_EROFS_PCLUSTER_TAIL)
+ return;
+- z_erofs_submit_queue(f, pagepool, io, &force_fg, ra);
++ z_erofs_submit_queue(f, io, &force_fg, ra);
+
+ /* handle bypass queue (no i/o pclusters) immediately */
+- z_erofs_decompress_queue(&io[JQ_BYPASS], pagepool);
++ z_erofs_decompress_queue(&io[JQ_BYPASS], &f->pagepool);
+
+ if (!force_fg)
+ return;
+@@ -1612,7 +1613,7 @@ static void z_erofs_runqueue(struct z_erofs_decompress_frontend *f,
+ wait_for_completion_io(&io[JQ_SUBMIT].u.done);
+
+ /* handle synchronous decompress queue in the caller context */
+- z_erofs_decompress_queue(&io[JQ_SUBMIT], pagepool);
++ z_erofs_decompress_queue(&io[JQ_SUBMIT], &f->pagepool);
+ }
+
+ /*
+@@ -1620,8 +1621,7 @@ static void z_erofs_runqueue(struct z_erofs_decompress_frontend *f,
+ * approximate readmore strategies as a start.
+ */
+ static void z_erofs_pcluster_readmore(struct z_erofs_decompress_frontend *f,
+- struct readahead_control *rac,
+- struct page **pagepool, bool backmost)
++ struct readahead_control *rac, bool backmost)
+ {
+ struct inode *inode = f->inode;
+ struct erofs_map_blocks *map = &f->map;
+@@ -1663,7 +1663,7 @@ static void z_erofs_pcluster_readmore(struct z_erofs_decompress_frontend *f,
+ if (PageUptodate(page)) {
+ unlock_page(page);
+ } else {
+- err = z_erofs_do_read_page(f, page, pagepool);
++ err = z_erofs_do_read_page(f, page);
+ if (err)
+ erofs_err(inode->i_sb,
+ "readmore error at page %lu @ nid %llu",
+@@ -1684,27 +1684,24 @@ static int z_erofs_read_folio(struct file *file, struct folio *folio)
+ struct inode *const inode = page->mapping->host;
+ struct erofs_sb_info *const sbi = EROFS_I_SB(inode);
+ struct z_erofs_decompress_frontend f = DECOMPRESS_FRONTEND_INIT(inode);
+- struct page *pagepool = NULL;
+ int err;
+
+ trace_erofs_readpage(page, false);
+ f.headoffset = (erofs_off_t)page->index << PAGE_SHIFT;
+
+- z_erofs_pcluster_readmore(&f, NULL, &pagepool, true);
+- err = z_erofs_do_read_page(&f, page, &pagepool);
+- z_erofs_pcluster_readmore(&f, NULL, &pagepool, false);
+-
++ z_erofs_pcluster_readmore(&f, NULL, true);
++ err = z_erofs_do_read_page(&f, page);
++ z_erofs_pcluster_readmore(&f, NULL, false);
+ (void)z_erofs_collector_end(&f);
+
+ /* if some compressed cluster ready, need submit them anyway */
+- z_erofs_runqueue(&f, &pagepool, z_erofs_is_sync_decompress(sbi, 0),
+- false);
++ z_erofs_runqueue(&f, z_erofs_is_sync_decompress(sbi, 0), false);
+
+ if (err)
+ erofs_err(inode->i_sb, "failed to read, err [%d]", err);
+
+ erofs_put_metabuf(&f.map.buf);
+- erofs_release_pages(&pagepool);
++ erofs_release_pages(&f.pagepool);
+ return err;
+ }
+
+@@ -1713,12 +1710,12 @@ static void z_erofs_readahead(struct readahead_control *rac)
+ struct inode *const inode = rac->mapping->host;
+ struct erofs_sb_info *const sbi = EROFS_I_SB(inode);
+ struct z_erofs_decompress_frontend f = DECOMPRESS_FRONTEND_INIT(inode);
+- struct page *pagepool = NULL, *head = NULL, *page;
++ struct page *head = NULL, *page;
+ unsigned int nr_pages;
+
+ f.headoffset = readahead_pos(rac);
+
+- z_erofs_pcluster_readmore(&f, rac, &pagepool, true);
++ z_erofs_pcluster_readmore(&f, rac, true);
+ nr_pages = readahead_count(rac);
+ trace_erofs_readpages(inode, readahead_index(rac), nr_pages, false);
+
+@@ -1734,20 +1731,19 @@ static void z_erofs_readahead(struct readahead_control *rac)
+ /* traversal in reverse order */
+ head = (void *)page_private(page);
+
+- err = z_erofs_do_read_page(&f, page, &pagepool);
++ err = z_erofs_do_read_page(&f, page);
+ if (err)
+ erofs_err(inode->i_sb,
+ "readahead error at page %lu @ nid %llu",
+ page->index, EROFS_I(inode)->nid);
+ put_page(page);
+ }
+- z_erofs_pcluster_readmore(&f, rac, &pagepool, false);
++ z_erofs_pcluster_readmore(&f, rac, false);
+ (void)z_erofs_collector_end(&f);
+
+- z_erofs_runqueue(&f, &pagepool,
+- z_erofs_is_sync_decompress(sbi, nr_pages), true);
++ z_erofs_runqueue(&f, z_erofs_is_sync_decompress(sbi, nr_pages), true);
+ erofs_put_metabuf(&f.map.buf);
+- erofs_release_pages(&pagepool);
++ erofs_release_pages(&f.pagepool);
+ }
+
+ const struct address_space_operations z_erofs_aops = {
+--
+2.39.5
+
--- /dev/null
+From fe7e455a5a4f4c1fb5f92c9ef8d25856373c2e35 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 May 2023 15:26:05 +0800
+Subject: erofs: clean up z_erofs_pcluster_readmore()
+
+From: Yue Hu <huyue2@coolpad.com>
+
+[ Upstream commit 796e9149a2fcdba5543e247abd8d911a399bb9a6 ]
+
+`end` parameter is no needed since it's pointless for !backmost, we can
+handle it with backmost internally. And we only expand the trailing
+edge, so the newstart can be replaced with ->headoffset.
+
+Also, remove linux/prefetch.h inclusion since that is not used anymore
+after commit 386292919c25 ("erofs: introduce readmore decompression
+strategy").
+
+Signed-off-by: Yue Hu <huyue2@coolpad.com>
+Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20230525072605.17857-1-zbestahu@gmail.com
+[ Gao Xiang: update commit description. ]
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Stable-dep-of: 99f7619a77a0 ("erofs: fix to add missing tracepoint in erofs_read_folio()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/erofs/zdata.c | 27 ++++++++++++---------------
+ 1 file changed, 12 insertions(+), 15 deletions(-)
+
+diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c
+index 8018f31d2dbca..50dd104dbaabf 100644
+--- a/fs/erofs/zdata.c
++++ b/fs/erofs/zdata.c
+@@ -5,7 +5,6 @@
+ * Copyright (C) 2022 Alibaba Cloud
+ */
+ #include "compress.h"
+-#include <linux/prefetch.h>
+ #include <linux/psi.h>
+
+ #include <trace/events/erofs.h>
+@@ -1630,28 +1629,28 @@ static void z_erofs_runqueue(struct z_erofs_decompress_frontend *f,
+ */
+ static void z_erofs_pcluster_readmore(struct z_erofs_decompress_frontend *f,
+ struct readahead_control *rac,
+- erofs_off_t end,
+- struct page **pagepool,
+- bool backmost)
++ struct page **pagepool, bool backmost)
+ {
+ struct inode *inode = f->inode;
+ struct erofs_map_blocks *map = &f->map;
+- erofs_off_t cur;
++ erofs_off_t cur, end, headoffset = f->headoffset;
+ int err;
+
+ if (backmost) {
++ if (rac)
++ end = headoffset + readahead_length(rac) - 1;
++ else
++ end = headoffset + PAGE_SIZE - 1;
+ map->m_la = end;
+ err = z_erofs_map_blocks_iter(inode, map,
+ EROFS_GET_BLOCKS_READMORE);
+ if (err)
+ return;
+
+- /* expend ra for the trailing edge if readahead */
++ /* expand ra for the trailing edge if readahead */
+ if (rac) {
+- loff_t newstart = readahead_pos(rac);
+-
+ cur = round_up(map->m_la + map->m_llen, PAGE_SIZE);
+- readahead_expand(rac, newstart, cur - newstart);
++ readahead_expand(rac, headoffset, cur - headoffset);
+ return;
+ }
+ end = round_up(end, PAGE_SIZE);
+@@ -1699,10 +1698,9 @@ static int z_erofs_read_folio(struct file *file, struct folio *folio)
+ trace_erofs_readpage(page, false);
+ f.headoffset = (erofs_off_t)page->index << PAGE_SHIFT;
+
+- z_erofs_pcluster_readmore(&f, NULL, f.headoffset + PAGE_SIZE - 1,
+- &pagepool, true);
++ z_erofs_pcluster_readmore(&f, NULL, &pagepool, true);
+ err = z_erofs_do_read_page(&f, page, &pagepool);
+- z_erofs_pcluster_readmore(&f, NULL, 0, &pagepool, false);
++ z_erofs_pcluster_readmore(&f, NULL, &pagepool, false);
+
+ (void)z_erofs_collector_end(&f);
+
+@@ -1728,8 +1726,7 @@ static void z_erofs_readahead(struct readahead_control *rac)
+
+ f.headoffset = readahead_pos(rac);
+
+- z_erofs_pcluster_readmore(&f, rac, f.headoffset +
+- readahead_length(rac) - 1, &pagepool, true);
++ z_erofs_pcluster_readmore(&f, rac, &pagepool, true);
+ nr_pages = readahead_count(rac);
+ trace_erofs_readpages(inode, readahead_index(rac), nr_pages, false);
+
+@@ -1752,7 +1749,7 @@ static void z_erofs_readahead(struct readahead_control *rac)
+ page->index, EROFS_I(inode)->nid);
+ put_page(page);
+ }
+- z_erofs_pcluster_readmore(&f, rac, 0, &pagepool, false);
++ z_erofs_pcluster_readmore(&f, rac, &pagepool, false);
+ (void)z_erofs_collector_end(&f);
+
+ z_erofs_runqueue(&f, &pagepool,
+--
+2.39.5
+
--- /dev/null
+From 80130e6271d318de85d8d7dc0caaee3dff387f4c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jul 2025 19:19:42 +0800
+Subject: erofs: fix to add missing tracepoint in erofs_read_folio()
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 99f7619a77a0a2e3e2bcae676d0f301769167754 ]
+
+Commit 771c994ea51f ("erofs: convert all uncompressed cases to iomap")
+converts to use iomap interface, it removed trace_erofs_readpage()
+tracepoint in the meantime, let's add it back.
+
+Fixes: 771c994ea51f ("erofs: convert all uncompressed cases to iomap")
+Signed-off-by: Chao Yu <chao@kernel.org>
+Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20250708111942.3120926-1-chao@kernel.org
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/erofs/data.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/erofs/data.c b/fs/erofs/data.c
+index 5c2e6fbb70a3e..7b648bec61fd0 100644
+--- a/fs/erofs/data.c
++++ b/fs/erofs/data.c
+@@ -354,6 +354,8 @@ int erofs_fiemap(struct inode *inode, struct fiemap_extent_info *fieinfo,
+ */
+ static int erofs_read_folio(struct file *file, struct folio *folio)
+ {
++ trace_erofs_read_folio(folio, true);
++
+ return iomap_read_folio(folio, &erofs_iomap_ops);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From a958a8a0055b5dc9635ecbda382b7bcb35238367 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 May 2023 14:39:44 +0800
+Subject: erofs: remove the member readahead from struct
+ z_erofs_decompress_frontend
+
+From: Yue Hu <huyue2@coolpad.com>
+
+[ Upstream commit ef4b4b46c6aaf8edeea9a79320627fe10993f153 ]
+
+The struct member is only used to add REQ_RAHEAD during I/O submission.
+So it is cleaner to pass it as a parameter than keep it in the struct.
+
+Also, rename function z_erofs_get_sync_decompress_policy() to
+z_erofs_is_sync_decompress() for better clarity and conciseness.
+
+Signed-off-by: Yue Hu <huyue2@coolpad.com>
+Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20230524063944.1655-1-zbestahu@gmail.com
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Stable-dep-of: 99f7619a77a0 ("erofs: fix to add missing tracepoint in erofs_read_folio()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/erofs/zdata.c | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c
+index 94e9e0bf3bbd1..8018f31d2dbca 100644
+--- a/fs/erofs/zdata.c
++++ b/fs/erofs/zdata.c
+@@ -407,7 +407,6 @@ struct z_erofs_decompress_frontend {
+ z_erofs_next_pcluster_t owned_head;
+ enum z_erofs_pclustermode mode;
+
+- bool readahead;
+ /* used for applying cache strategy on the fly */
+ bool backmost;
+ erofs_off_t headoffset;
+@@ -949,7 +948,7 @@ static int z_erofs_do_read_page(struct z_erofs_decompress_frontend *fe,
+ return err;
+ }
+
+-static bool z_erofs_get_sync_decompress_policy(struct erofs_sb_info *sbi,
++static bool z_erofs_is_sync_decompress(struct erofs_sb_info *sbi,
+ unsigned int readahead_pages)
+ {
+ /* auto: enable for read_folio, disable for readahead */
+@@ -1482,7 +1481,7 @@ static void z_erofs_decompressqueue_endio(struct bio *bio)
+ static void z_erofs_submit_queue(struct z_erofs_decompress_frontend *f,
+ struct page **pagepool,
+ struct z_erofs_decompressqueue *fgq,
+- bool *force_fg)
++ bool *force_fg, bool readahead)
+ {
+ struct super_block *sb = f->inode->i_sb;
+ struct address_space *mc = MNGD_MAPPING(EROFS_SB(sb));
+@@ -1568,7 +1567,7 @@ static void z_erofs_submit_queue(struct z_erofs_decompress_frontend *f,
+ bio->bi_iter.bi_sector = (sector_t)cur <<
+ (sb->s_blocksize_bits - 9);
+ bio->bi_private = q[JQ_SUBMIT];
+- if (f->readahead)
++ if (readahead)
+ bio->bi_opf |= REQ_RAHEAD;
+ ++nr_bios;
+ }
+@@ -1604,13 +1603,13 @@ static void z_erofs_submit_queue(struct z_erofs_decompress_frontend *f,
+ }
+
+ static void z_erofs_runqueue(struct z_erofs_decompress_frontend *f,
+- struct page **pagepool, bool force_fg)
++ struct page **pagepool, bool force_fg, bool ra)
+ {
+ struct z_erofs_decompressqueue io[NR_JOBQUEUES];
+
+ if (f->owned_head == Z_EROFS_PCLUSTER_TAIL)
+ return;
+- z_erofs_submit_queue(f, pagepool, io, &force_fg);
++ z_erofs_submit_queue(f, pagepool, io, &force_fg, ra);
+
+ /* handle bypass queue (no i/o pclusters) immediately */
+ z_erofs_decompress_queue(&io[JQ_BYPASS], pagepool);
+@@ -1708,8 +1707,8 @@ static int z_erofs_read_folio(struct file *file, struct folio *folio)
+ (void)z_erofs_collector_end(&f);
+
+ /* if some compressed cluster ready, need submit them anyway */
+- z_erofs_runqueue(&f, &pagepool,
+- z_erofs_get_sync_decompress_policy(sbi, 0));
++ z_erofs_runqueue(&f, &pagepool, z_erofs_is_sync_decompress(sbi, 0),
++ false);
+
+ if (err)
+ erofs_err(inode->i_sb, "failed to read, err [%d]", err);
+@@ -1727,7 +1726,6 @@ static void z_erofs_readahead(struct readahead_control *rac)
+ struct page *pagepool = NULL, *head = NULL, *page;
+ unsigned int nr_pages;
+
+- f.readahead = true;
+ f.headoffset = readahead_pos(rac);
+
+ z_erofs_pcluster_readmore(&f, rac, f.headoffset +
+@@ -1758,7 +1756,7 @@ static void z_erofs_readahead(struct readahead_control *rac)
+ (void)z_erofs_collector_end(&f);
+
+ z_erofs_runqueue(&f, &pagepool,
+- z_erofs_get_sync_decompress_policy(sbi, nr_pages));
++ z_erofs_is_sync_decompress(sbi, nr_pages), true);
+ erofs_put_metabuf(&f.map.buf);
+ erofs_release_pages(&pagepool);
+ }
+--
+2.39.5
+
--- /dev/null
+From 40772b31b446ec740b8206fb41b3c5d96df85f50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 07:03:30 +0000
+Subject: fs: export anon_inode_make_secure_inode() and fix secretmem LSM
+ bypass
+
+From: Shivank Garg <shivankg@amd.com>
+
+[ Upstream commit cbe4134ea4bc493239786220bd69cb8a13493190 ]
+
+Export anon_inode_make_secure_inode() to allow KVM guest_memfd to create
+anonymous inodes with proper security context. This replaces the current
+pattern of calling alloc_anon_inode() followed by
+inode_init_security_anon() for creating security context manually.
+
+This change also fixes a security regression in secretmem where the
+S_PRIVATE flag was not cleared after alloc_anon_inode(), causing
+LSM/SELinux checks to be bypassed for secretmem file descriptors.
+
+As guest_memfd currently resides in the KVM module, we need to export this
+symbol for use outside the core kernel. In the future, guest_memfd might be
+moved to core-mm, at which point the symbols no longer would have to be
+exported. When/if that happens is still unclear.
+
+Fixes: 2bfe15c52612 ("mm: create security context for memfd_secret inodes")
+Suggested-by: David Hildenbrand <david@redhat.com>
+Suggested-by: Mike Rapoport <rppt@kernel.org>
+Signed-off-by: Shivank Garg <shivankg@amd.com>
+Link: https://lore.kernel.org/20250620070328.803704-3-shivankg@amd.com
+Acked-by: "Mike Rapoport (Microsoft)" <rppt@kernel.org>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/anon_inodes.c | 23 ++++++++++++++++++-----
+ include/linux/fs.h | 2 ++
+ mm/secretmem.c | 11 +----------
+ 3 files changed, 21 insertions(+), 15 deletions(-)
+
+diff --git a/fs/anon_inodes.c b/fs/anon_inodes.c
+index 24192a7667edf..7a9b1ce9c98a1 100644
+--- a/fs/anon_inodes.c
++++ b/fs/anon_inodes.c
+@@ -55,15 +55,26 @@ static struct file_system_type anon_inode_fs_type = {
+ .kill_sb = kill_anon_super,
+ };
+
+-static struct inode *anon_inode_make_secure_inode(
+- const char *name,
+- const struct inode *context_inode)
++/**
++ * anon_inode_make_secure_inode - allocate an anonymous inode with security context
++ * @sb: [in] Superblock to allocate from
++ * @name: [in] Name of the class of the newfile (e.g., "secretmem")
++ * @context_inode:
++ * [in] Optional parent inode for security inheritance
++ *
++ * The function ensures proper security initialization through the LSM hook
++ * security_inode_init_security_anon().
++ *
++ * Return: Pointer to new inode on success, ERR_PTR on failure.
++ */
++struct inode *anon_inode_make_secure_inode(struct super_block *sb, const char *name,
++ const struct inode *context_inode)
+ {
+ struct inode *inode;
+ const struct qstr qname = QSTR_INIT(name, strlen(name));
+ int error;
+
+- inode = alloc_anon_inode(anon_inode_mnt->mnt_sb);
++ inode = alloc_anon_inode(sb);
+ if (IS_ERR(inode))
+ return inode;
+ inode->i_flags &= ~S_PRIVATE;
+@@ -74,6 +85,7 @@ static struct inode *anon_inode_make_secure_inode(
+ }
+ return inode;
+ }
++EXPORT_SYMBOL_GPL(anon_inode_make_secure_inode);
+
+ static struct file *__anon_inode_getfile(const char *name,
+ const struct file_operations *fops,
+@@ -88,7 +100,8 @@ static struct file *__anon_inode_getfile(const char *name,
+ return ERR_PTR(-ENOENT);
+
+ if (secure) {
+- inode = anon_inode_make_secure_inode(name, context_inode);
++ inode = anon_inode_make_secure_inode(anon_inode_mnt->mnt_sb,
++ name, context_inode);
+ if (IS_ERR(inode)) {
+ file = ERR_CAST(inode);
+ goto err;
+diff --git a/include/linux/fs.h b/include/linux/fs.h
+index 08fba309ddc78..1a619b681bccb 100644
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -3469,6 +3469,8 @@ extern int simple_write_begin(struct file *file, struct address_space *mapping,
+ extern const struct address_space_operations ram_aops;
+ extern int always_delete_dentry(const struct dentry *);
+ extern struct inode *alloc_anon_inode(struct super_block *);
++struct inode *anon_inode_make_secure_inode(struct super_block *sb, const char *name,
++ const struct inode *context_inode);
+ extern int simple_nosetlease(struct file *, long, struct file_lock **, void **);
+ extern const struct dentry_operations simple_dentry_operations;
+
+diff --git a/mm/secretmem.c b/mm/secretmem.c
+index c6006d765bbd2..18954eae995fc 100644
+--- a/mm/secretmem.c
++++ b/mm/secretmem.c
+@@ -193,19 +193,10 @@ static struct file *secretmem_file_create(unsigned long flags)
+ struct file *file = ERR_PTR(-ENOMEM);
+ struct inode *inode;
+ const char *anon_name = "[secretmem]";
+- const struct qstr qname = QSTR_INIT(anon_name, strlen(anon_name));
+- int err;
+
+- inode = alloc_anon_inode(secretmem_mnt->mnt_sb);
++ inode = anon_inode_make_secure_inode(secretmem_mnt->mnt_sb, anon_name, NULL);
+ if (IS_ERR(inode))
+ return ERR_CAST(inode);
+-
+- err = security_inode_init_security_anon(inode, &qname, NULL);
+- if (err) {
+- file = ERR_PTR(err);
+- goto err_free_inode;
+- }
+-
+ file = alloc_file_pseudo(inode, secretmem_mnt, "secretmem",
+ O_RDWR, &secretmem_fops);
+ if (IS_ERR(file))
+--
+2.39.5
+
--- /dev/null
+From 52ba45a2749c8f4f59bd8aedb62a67f0bd3b38a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Jun 2025 15:29:59 +0800
+Subject: HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY
+
+From: Zhang Heng <zhangheng@kylinos.cn>
+
+[ Upstream commit 1a8953f4f7746c6a515989774fe03047c522c613 ]
+
+MARTLINKTECHNOLOGY is a microphone device, when the HID interface in an
+audio device is requested to get specific report id, the following error
+may occur.
+
+[ 562.939373] usb 1-1.4.1.2: new full-speed USB device number 21 using xhci_hcd
+[ 563.104908] usb 1-1.4.1.2: New USB device found, idVendor=4c4a, idProduct=4155, bcdDevice= 1.00
+[ 563.104910] usb 1-1.4.1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
+[ 563.104911] usb 1-1.4.1.2: Product: USB Composite Device
+[ 563.104912] usb 1-1.4.1.2: Manufacturer: SmartlinkTechnology
+[ 563.104913] usb 1-1.4.1.2: SerialNumber: 20201111000001
+[ 563.229499] input: SmartlinkTechnology USB Composite Device as /devices/pci0000:00/0000:00:07.1/0000:04:00.3/usb1/1-1/1-1.4/1-1.4.1/1-1.4.1.2/1-1.4.1.2:1.2/0003:4C4A:4155.000F/input/input35
+[ 563.291505] hid-generic 0003:4C4A:4155.000F: input,hidraw2: USB HID v2.01 Keyboard [SmartlinkTechnology USB Composite Device] on usb-0000:04:00.3-1.4.1.2/input2
+[ 563.291557] usbhid 1-1.4.1.2:1.3: couldn't find an input interrupt endpoint
+[ 568.506654] usb 1-1.4.1.2: 1:1: usb_set_interface failed (-110)
+[ 573.626656] usb 1-1.4.1.2: 1:1: usb_set_interface failed (-110)
+[ 578.746657] usb 1-1.4.1.2: 1:1: usb_set_interface failed (-110)
+[ 583.866655] usb 1-1.4.1.2: 1:1: usb_set_interface failed (-110)
+[ 588.986657] usb 1-1.4.1.2: 1:1: usb_set_interface failed (-110)
+
+Ignore HID interface. The device is working properly.
+
+Signed-off-by: Zhang Heng <zhangheng@kylinos.cn>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-ids.h | 3 +++
+ drivers/hid/hid-quirks.c | 1 +
+ 2 files changed, 4 insertions(+)
+
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index 60e30cc9d6ff7..21e0660179ee9 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -1455,4 +1455,7 @@
+ #define USB_VENDOR_ID_SIGNOTEC 0x2133
+ #define USB_DEVICE_ID_SIGNOTEC_VIEWSONIC_PD1011 0x0018
+
++#define USB_VENDOR_ID_SMARTLINKTECHNOLOGY 0x4c4a
++#define USB_DEVICE_ID_SMARTLINKTECHNOLOGY_4155 0x4155
++
+ #endif
+diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c
+index d8c5c7d451efd..7fca632ceea79 100644
+--- a/drivers/hid/hid-quirks.c
++++ b/drivers/hid/hid-quirks.c
+@@ -885,6 +885,7 @@ static const struct hid_device_id hid_ignore_list[] = {
+ #endif
+ { HID_USB_DEVICE(USB_VENDOR_ID_YEALINK, USB_DEVICE_ID_YEALINK_P1K_P4K_B2K) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_QUANTA, USB_DEVICE_ID_QUANTA_HP_5MP_CAMERA_5473) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_SMARTLINKTECHNOLOGY, USB_DEVICE_ID_SMARTLINKTECHNOLOGY_4155) },
+ { }
+ };
+
+--
+2.39.5
+
--- /dev/null
+From 5db9b242bcfc88188f0fb84a8f68de59a4982bbf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jun 2025 13:34:38 +0900
+Subject: HID: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2
+
+From: Akira Inoue <niyarium@gmail.com>
+
+[ Upstream commit a8905238c3bbe13db90065ed74682418f23830c3 ]
+
+Add "Thinkpad X1 Tablet Gen 2 Keyboard" PID to hid-lenovo driver to fix trackpoint not working issue.
+
+Signed-off-by: Akira Inoue <niyarium@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-ids.h | 1 +
+ drivers/hid/hid-lenovo.c | 8 ++++++++
+ drivers/hid/hid-multitouch.c | 8 +++++++-
+ 3 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index e078d2ac92c87..60e30cc9d6ff7 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -790,6 +790,7 @@
+ #define USB_DEVICE_ID_LENOVO_TPPRODOCK 0x6067
+ #define USB_DEVICE_ID_LENOVO_X1_COVER 0x6085
+ #define USB_DEVICE_ID_LENOVO_X1_TAB 0x60a3
++#define USB_DEVICE_ID_LENOVO_X1_TAB2 0x60a4
+ #define USB_DEVICE_ID_LENOVO_X1_TAB3 0x60b5
+ #define USB_DEVICE_ID_LENOVO_X12_TAB 0x60fe
+ #define USB_DEVICE_ID_LENOVO_X12_TAB2 0x61ae
+diff --git a/drivers/hid/hid-lenovo.c b/drivers/hid/hid-lenovo.c
+index ee65da98c7d5b..32cb2e75228c4 100644
+--- a/drivers/hid/hid-lenovo.c
++++ b/drivers/hid/hid-lenovo.c
+@@ -473,6 +473,7 @@ static int lenovo_input_mapping(struct hid_device *hdev,
+ return lenovo_input_mapping_tp10_ultrabook_kbd(hdev, hi, field,
+ usage, bit, max);
+ case USB_DEVICE_ID_LENOVO_X1_TAB:
++ case USB_DEVICE_ID_LENOVO_X1_TAB2:
+ case USB_DEVICE_ID_LENOVO_X1_TAB3:
+ return lenovo_input_mapping_x1_tab_kbd(hdev, hi, field, usage, bit, max);
+ default:
+@@ -587,6 +588,7 @@ static ssize_t attr_fn_lock_store(struct device *dev,
+ break;
+ case USB_DEVICE_ID_LENOVO_TP10UBKBD:
+ case USB_DEVICE_ID_LENOVO_X1_TAB:
++ case USB_DEVICE_ID_LENOVO_X1_TAB2:
+ case USB_DEVICE_ID_LENOVO_X1_TAB3:
+ ret = lenovo_led_set_tp10ubkbd(hdev, TP10UBKBD_FN_LOCK_LED, value);
+ if (ret)
+@@ -782,6 +784,7 @@ static int lenovo_event(struct hid_device *hdev, struct hid_field *field,
+ return lenovo_event_cptkbd(hdev, field, usage, value);
+ case USB_DEVICE_ID_LENOVO_TP10UBKBD:
+ case USB_DEVICE_ID_LENOVO_X1_TAB:
++ case USB_DEVICE_ID_LENOVO_X1_TAB2:
+ case USB_DEVICE_ID_LENOVO_X1_TAB3:
+ return lenovo_event_tp10ubkbd(hdev, field, usage, value);
+ default:
+@@ -1065,6 +1068,7 @@ static int lenovo_led_brightness_set(struct led_classdev *led_cdev,
+ break;
+ case USB_DEVICE_ID_LENOVO_TP10UBKBD:
+ case USB_DEVICE_ID_LENOVO_X1_TAB:
++ case USB_DEVICE_ID_LENOVO_X1_TAB2:
+ case USB_DEVICE_ID_LENOVO_X1_TAB3:
+ ret = lenovo_led_set_tp10ubkbd(hdev, tp10ubkbd_led[led_nr], value);
+ break;
+@@ -1296,6 +1300,7 @@ static int lenovo_probe(struct hid_device *hdev,
+ break;
+ case USB_DEVICE_ID_LENOVO_TP10UBKBD:
+ case USB_DEVICE_ID_LENOVO_X1_TAB:
++ case USB_DEVICE_ID_LENOVO_X1_TAB2:
+ case USB_DEVICE_ID_LENOVO_X1_TAB3:
+ ret = lenovo_probe_tp10ubkbd(hdev);
+ break;
+@@ -1383,6 +1388,7 @@ static void lenovo_remove(struct hid_device *hdev)
+ break;
+ case USB_DEVICE_ID_LENOVO_TP10UBKBD:
+ case USB_DEVICE_ID_LENOVO_X1_TAB:
++ case USB_DEVICE_ID_LENOVO_X1_TAB2:
+ case USB_DEVICE_ID_LENOVO_X1_TAB3:
+ lenovo_remove_tp10ubkbd(hdev);
+ break;
+@@ -1433,6 +1439,8 @@ static const struct hid_device_id lenovo_devices[] = {
+ */
+ { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC,
+ USB_VENDOR_ID_LENOVO, USB_DEVICE_ID_LENOVO_X1_TAB) },
++ { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC,
++ USB_VENDOR_ID_LENOVO, USB_DEVICE_ID_LENOVO_X1_TAB2) },
+ { HID_DEVICE(BUS_USB, HID_GROUP_GENERIC,
+ USB_VENDOR_ID_LENOVO, USB_DEVICE_ID_LENOVO_X1_TAB3) },
+ { }
+diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
+index 6386043aab0bb..becd4c1ccf93c 100644
+--- a/drivers/hid/hid-multitouch.c
++++ b/drivers/hid/hid-multitouch.c
+@@ -2110,12 +2110,18 @@ static const struct hid_device_id mt_devices[] = {
+ HID_DEVICE(BUS_I2C, HID_GROUP_GENERIC,
+ USB_VENDOR_ID_LG, I2C_DEVICE_ID_LG_7010) },
+
+- /* Lenovo X1 TAB Gen 2 */
++ /* Lenovo X1 TAB Gen 1 */
+ { .driver_data = MT_CLS_WIN_8_FORCE_MULTI_INPUT,
+ HID_DEVICE(BUS_USB, HID_GROUP_MULTITOUCH_WIN_8,
+ USB_VENDOR_ID_LENOVO,
+ USB_DEVICE_ID_LENOVO_X1_TAB) },
+
++ /* Lenovo X1 TAB Gen 2 */
++ { .driver_data = MT_CLS_WIN_8_FORCE_MULTI_INPUT,
++ HID_DEVICE(BUS_USB, HID_GROUP_MULTITOUCH_WIN_8,
++ USB_VENDOR_ID_LENOVO,
++ USB_DEVICE_ID_LENOVO_X1_TAB2) },
++
+ /* Lenovo X1 TAB Gen 3 */
+ { .driver_data = MT_CLS_WIN_8_FORCE_MULTI_INPUT,
+ HID_DEVICE(BUS_USB, HID_GROUP_MULTITOUCH_WIN_8,
+--
+2.39.5
+
--- /dev/null
+From 42d51e11440c972b4929e1efb8ce965d5bc0eac2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 May 2025 13:50:15 +0800
+Subject: HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras
+
+From: Chia-Lin Kao (AceLan) <acelan.kao@canonical.com>
+
+[ Upstream commit 54bae4c17c11688339eb73a04fd24203bb6e7494 ]
+
+The Chicony Electronics HP 5MP Cameras (USB ID 04F2:B824 & 04F2:B82C)
+report a HID sensor interface that is not actually implemented.
+Attempting to access this non-functional sensor via iio_info causes
+system hangs as runtime PM tries to wake up an unresponsive sensor.
+
+Add these 2 devices to the HID ignore list since the sensor interface is
+non-functional by design and should not be exposed to userspace.
+
+Signed-off-by: Chia-Lin Kao (AceLan) <acelan.kao@canonical.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-ids.h | 2 ++
+ drivers/hid/hid-quirks.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index 21e0660179ee9..0bbba80d6c51c 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -297,6 +297,8 @@
+ #define USB_DEVICE_ID_ASUS_AK1D 0x1125
+ #define USB_DEVICE_ID_CHICONY_TOSHIBA_WT10A 0x1408
+ #define USB_DEVICE_ID_CHICONY_ACER_SWITCH12 0x1421
++#define USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA 0xb824
++#define USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA2 0xb82c
+
+ #define USB_VENDOR_ID_CHUNGHWAT 0x2247
+ #define USB_DEVICE_ID_CHUNGHWAT_MULTITOUCH 0x0001
+diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c
+index 7fca632ceea79..b37927f909412 100644
+--- a/drivers/hid/hid-quirks.c
++++ b/drivers/hid/hid-quirks.c
+@@ -738,6 +738,8 @@ static const struct hid_device_id hid_ignore_list[] = {
+ { HID_USB_DEVICE(USB_VENDOR_ID_AVERMEDIA, USB_DEVICE_ID_AVER_FM_MR800) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_AXENTIA, USB_DEVICE_ID_AXENTIA_FM_RADIO) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_BERKSHIRE, USB_DEVICE_ID_BERKSHIRE_PCWD) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA) },
++ { HID_USB_DEVICE(USB_VENDOR_ID_CHICONY, USB_DEVICE_ID_CHICONY_HP_5MP_CAMERA2) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_CIDC, 0x0103) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_CYGNAL, USB_DEVICE_ID_CYGNAL_RADIO_SI470X) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_CYGNAL, USB_DEVICE_ID_CYGNAL_RADIO_SI4713) },
+--
+2.39.5
+
--- /dev/null
+From 954fe82ee458848b45e2a42d8ca6552e5469642c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jul 2025 08:33:32 -0700
+Subject: ibmvnic: Fix hardcoded NUM_RX_STATS/NUM_TX_STATS with dynamic sizeof
+
+From: Mingming Cao <mmc@linux.ibm.com>
+
+[ Upstream commit 01b8114b432d7baaa5e51ab229c12c4f36b8e2c6 ]
+
+The previous hardcoded definitions of NUM_RX_STATS and
+NUM_TX_STATS were not updated when new fields were added
+to the ibmvnic_{rx,tx}_queue_stats structures. Specifically,
+commit 2ee73c54a615 ("ibmvnic: Add stat for tx direct vs tx
+batched") added a fourth TX stat, but NUM_TX_STATS remained 3,
+leading to a mismatch.
+
+This patch replaces the static defines with dynamic sizeof-based
+calculations to ensure the stat arrays are correctly sized.
+This fixes incorrect indexing and prevents incomplete stat
+reporting in tools like ethtool.
+
+Fixes: 2ee73c54a615 ("ibmvnic: Add stat for tx direct vs tx batched")
+Signed-off-by: Mingming Cao <mmc@linux.ibm.com>
+Reviewed-by: Dave Marquardt <davemarq@linux.ibm.com>
+Reviewed-by: Haren Myneni <haren@linux.ibm.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250709153332.73892-1-mmc@linux.ibm.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ibm/ibmvnic.h | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/ibm/ibmvnic.h b/drivers/net/ethernet/ibm/ibmvnic.h
+index f923cdab03f57..91291b5e8a2a2 100644
+--- a/drivers/net/ethernet/ibm/ibmvnic.h
++++ b/drivers/net/ethernet/ibm/ibmvnic.h
+@@ -211,7 +211,6 @@ struct ibmvnic_statistics {
+ u8 reserved[72];
+ } __packed __aligned(8);
+
+-#define NUM_TX_STATS 3
+ struct ibmvnic_tx_queue_stats {
+ u64 batched_packets;
+ u64 direct_packets;
+@@ -219,13 +218,18 @@ struct ibmvnic_tx_queue_stats {
+ u64 dropped_packets;
+ };
+
+-#define NUM_RX_STATS 3
++#define NUM_TX_STATS \
++ (sizeof(struct ibmvnic_tx_queue_stats) / sizeof(u64))
++
+ struct ibmvnic_rx_queue_stats {
+ u64 packets;
+ u64 bytes;
+ u64 interrupts;
+ };
+
++#define NUM_RX_STATS \
++ (sizeof(struct ibmvnic_rx_queue_stats) / sizeof(u64))
++
+ struct ibmvnic_acl_buffer {
+ __be32 len;
+ __be32 version;
+--
+2.39.5
+
--- /dev/null
+From abc382354f37454e72edd3dec86018850c7dac68 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 16:29:40 -0700
+Subject: Input: xpad - support Acer NGR 200 Controller
+
+From: Nilton Perim Neto <niltonperimneto@gmail.com>
+
+[ Upstream commit 22c69d786ef8fb789c61ca75492a272774221324 ]
+
+Add the NGR 200 Xbox 360 to the list of recognized controllers.
+
+Signed-off-by: Nilton Perim Neto <niltonperimneto@gmail.com>
+Link: https://lore.kernel.org/r/20250608060517.14967-1-niltonperimneto@gmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/joystick/xpad.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c
+index 872381221e754..7c11d9a1de0e5 100644
+--- a/drivers/input/joystick/xpad.c
++++ b/drivers/input/joystick/xpad.c
+@@ -167,6 +167,7 @@ static const struct xpad_device {
+ { 0x05fd, 0x107a, "InterAct 'PowerPad Pro' X-Box pad (Germany)", 0, XTYPE_XBOX },
+ { 0x05fe, 0x3030, "Chic Controller", 0, XTYPE_XBOX },
+ { 0x05fe, 0x3031, "Chic Controller", 0, XTYPE_XBOX },
++ { 0x0502, 0x1305, "Acer NGR200", 0, XTYPE_XBOX },
+ { 0x062a, 0x0020, "Logic3 Xbox GamePad", 0, XTYPE_XBOX },
+ { 0x062a, 0x0033, "Competition Pro Steering Wheel", 0, XTYPE_XBOX },
+ { 0x06a3, 0x0200, "Saitek Racing Wheel", 0, XTYPE_XBOX },
+@@ -468,6 +469,7 @@ static const struct usb_device_id xpad_table[] = {
+ XPAD_XBOX360_VENDOR(0x045e), /* Microsoft X-Box 360 controllers */
+ XPAD_XBOXONE_VENDOR(0x045e), /* Microsoft X-Box One controllers */
+ XPAD_XBOX360_VENDOR(0x046d), /* Logitech X-Box 360 style controllers */
++ XPAD_XBOX360_VENDOR(0x0502), /* Acer Inc. X-Box 360 style controllers */
+ XPAD_XBOX360_VENDOR(0x056e), /* Elecom JC-U3613M */
+ XPAD_XBOX360_VENDOR(0x06a3), /* Saitek P3600 */
+ XPAD_XBOX360_VENDOR(0x0738), /* Mad Catz X-Box 360 controllers */
+--
+2.39.5
+
--- /dev/null
+From f66d8d1ac6c3edcd1e575d3b0ab73e3e838082f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jun 2025 19:28:40 +0800
+Subject: md/raid1: Fix stack memory use after return in raid1_reshape
+
+From: Wang Jinchao <wangjinchao600@gmail.com>
+
+[ Upstream commit d67ed2ccd2d1dcfda9292c0ea8697a9d0f2f0d98 ]
+
+In the raid1_reshape function, newpool is
+allocated on the stack and assigned to conf->r1bio_pool.
+This results in conf->r1bio_pool.wait.head pointing
+to a stack address.
+Accessing this address later can lead to a kernel panic.
+
+Example access path:
+
+raid1_reshape()
+{
+ // newpool is on the stack
+ mempool_t newpool, oldpool;
+ // initialize newpool.wait.head to stack address
+ mempool_init(&newpool, ...);
+ conf->r1bio_pool = newpool;
+}
+
+raid1_read_request() or raid1_write_request()
+{
+ alloc_r1bio()
+ {
+ mempool_alloc()
+ {
+ // if pool->alloc fails
+ remove_element()
+ {
+ --pool->curr_nr;
+ }
+ }
+ }
+}
+
+mempool_free()
+{
+ if (pool->curr_nr < pool->min_nr) {
+ // pool->wait.head is a stack address
+ // wake_up() will try to access this invalid address
+ // which leads to a kernel panic
+ return;
+ wake_up(&pool->wait);
+ }
+}
+
+Fix:
+reinit conf->r1bio_pool.wait after assigning newpool.
+
+Fixes: afeee514ce7f ("md: convert to bioset_init()/mempool_init()")
+Signed-off-by: Wang Jinchao <wangjinchao600@gmail.com>
+Reviewed-by: Yu Kuai <yukuai3@huawei.com>
+Link: https://lore.kernel.org/linux-raid/20250612112901.3023950-1-wangjinchao600@gmail.com
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/raid1.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
+index 38e77a4b6b338..ebff40a3423ae 100644
+--- a/drivers/md/raid1.c
++++ b/drivers/md/raid1.c
+@@ -3306,6 +3306,7 @@ static int raid1_reshape(struct mddev *mddev)
+ /* ok, everything is stopped */
+ oldpool = conf->r1bio_pool;
+ conf->r1bio_pool = newpool;
++ init_waitqueue_head(&conf->r1bio_pool.wait);
+
+ for (d = d2 = 0; d < conf->raid_disks; d++) {
+ struct md_rdev *rdev = conf->mirrors[d].rdev;
+--
+2.39.5
+
--- /dev/null
+From b04860927f3f8dcfcad4f8353cfca71ba51d4075 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jun 2025 21:24:05 +0800
+Subject: nbd: fix uaf in nbd_genl_connect() error path
+
+From: Zheng Qixing <zhengqixing@huawei.com>
+
+[ Upstream commit aa9552438ebf015fc5f9f890dbfe39f0c53cf37e ]
+
+There is a use-after-free issue in nbd:
+
+block nbd6: Receive control failed (result -104)
+block nbd6: shutting down sockets
+==================================================================
+BUG: KASAN: slab-use-after-free in recv_work+0x694/0xa80 drivers/block/nbd.c:1022
+Write of size 4 at addr ffff8880295de478 by task kworker/u33:0/67
+
+CPU: 2 UID: 0 PID: 67 Comm: kworker/u33:0 Not tainted 6.15.0-rc5-syzkaller-00123-g2c89c1b655c0 #0 PREEMPT(full)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+Workqueue: nbd6-recv recv_work
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:408 [inline]
+ print_report+0xc3/0x670 mm/kasan/report.c:521
+ kasan_report+0xe0/0x110 mm/kasan/report.c:634
+ check_region_inline mm/kasan/generic.c:183 [inline]
+ kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189
+ instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
+ atomic_dec include/linux/atomic/atomic-instrumented.h:592 [inline]
+ recv_work+0x694/0xa80 drivers/block/nbd.c:1022
+ process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238
+ process_scheduled_works kernel/workqueue.c:3319 [inline]
+ worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
+ kthread+0x3c2/0x780 kernel/kthread.c:464
+ ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
+ </TASK>
+
+nbd_genl_connect() does not properly stop the device on certain
+error paths after nbd_start_device() has been called. This causes
+the error path to put nbd->config while recv_work continue to use
+the config after putting it, leading to use-after-free in recv_work.
+
+This patch moves nbd_start_device() after the backend file creation.
+
+Reported-by: syzbot+48240bab47e705c53126@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/68227a04.050a0220.f2294.00b5.GAE@google.com/T/
+Fixes: 6497ef8df568 ("nbd: provide a way for userspace processes to identify device backends")
+Signed-off-by: Zheng Qixing <zhengqixing@huawei.com>
+Reviewed-by: Yu Kuai <yukuai3@huawei.com>
+Link: https://lore.kernel.org/r/20250612132405.364904-1-zhengqixing@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/nbd.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
+index 7f6ef0a2b4a5c..120b75ee703d1 100644
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -2089,9 +2089,7 @@ static int nbd_genl_connect(struct sk_buff *skb, struct genl_info *info)
+ goto out;
+ }
+ }
+- ret = nbd_start_device(nbd);
+- if (ret)
+- goto out;
++
+ if (info->attrs[NBD_ATTR_BACKEND_IDENTIFIER]) {
+ nbd->backend = nla_strdup(info->attrs[NBD_ATTR_BACKEND_IDENTIFIER],
+ GFP_KERNEL);
+@@ -2107,6 +2105,8 @@ static int nbd_genl_connect(struct sk_buff *skb, struct genl_info *info)
+ goto out;
+ }
+ set_bit(NBD_RT_HAS_BACKEND_FILE, &config->runtime_flags);
++
++ ret = nbd_start_device(nbd);
+ out:
+ mutex_unlock(&nbd->config_lock);
+ if (!ret) {
+--
+2.39.5
+
--- /dev/null
+From 5e204bc54481c03b4de073d8ada7e24caa5468bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jul 2025 03:52:51 +0000
+Subject: net: appletalk: Fix device refcount leak in atrtr_create()
+
+From: Kito Xu <veritas501@foxmail.com>
+
+[ Upstream commit 711c80f7d8b163d3ecd463cd96f07230f488e750 ]
+
+When updating an existing route entry in atrtr_create(), the old device
+reference was not being released before assigning the new device,
+leading to a device refcount leak. Fix this by calling dev_put() to
+release the old device reference before holding the new one.
+
+Fixes: c7f905f0f6d4 ("[ATALK]: Add missing dev_hold() to atrtr_create().")
+Signed-off-by: Kito Xu <veritas501@foxmail.com>
+Link: https://patch.msgid.link/tencent_E1A26771CDAB389A0396D1681A90A49E5D09@qq.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/appletalk/ddp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c
+index f67f14db16334..5c9a9652449d8 100644
+--- a/net/appletalk/ddp.c
++++ b/net/appletalk/ddp.c
+@@ -563,6 +563,7 @@ static int atrtr_create(struct rtentry *r, struct net_device *devhint)
+
+ /* Fill in the routing entry */
+ rt->target = ta->sat_addr;
++ dev_put(rt->dev); /* Release old device */
+ dev_hold(devhint);
+ rt->dev = devhint;
+ rt->flags = r->rt_flags;
+--
+2.39.5
+
--- /dev/null
+From 7e158323704ec1823117e758d6e03cd7a6b1c185 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 11:06:17 -0700
+Subject: net: ll_temac: Fix missing tx_pending check in
+ ethtools_set_ringparam()
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit e81750b4e3826fedce7362dad839cb40384d60ae ]
+
+The function ll_temac_ethtools_set_ringparam() incorrectly checked
+rx_pending twice, once correctly for RX and once mistakenly in place
+of tx_pending. This caused tx_pending to be left unchecked against
+TX_BD_NUM_MAX.
+As a result, invalid TX ring sizes may have been accepted or valid
+ones wrongly rejected based on the RX limit, leading to potential
+misconfiguration or unexpected results.
+
+This patch corrects the condition to properly validate tx_pending.
+
+Fixes: f7b261bfc35e ("net: ll_temac: Make RX/TX ring sizes configurable")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Link: https://patch.msgid.link/20250710180621.2383000-1-alok.a.tiwari@oracle.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/xilinx/ll_temac_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/xilinx/ll_temac_main.c b/drivers/net/ethernet/xilinx/ll_temac_main.c
+index 08c45756b2181..d9b5c1c6ceaa2 100644
+--- a/drivers/net/ethernet/xilinx/ll_temac_main.c
++++ b/drivers/net/ethernet/xilinx/ll_temac_main.c
+@@ -1311,7 +1311,7 @@ ll_temac_ethtools_set_ringparam(struct net_device *ndev,
+ if (ering->rx_pending > RX_BD_NUM_MAX ||
+ ering->rx_mini_pending ||
+ ering->rx_jumbo_pending ||
+- ering->rx_pending > TX_BD_NUM_MAX)
++ ering->tx_pending > TX_BD_NUM_MAX)
+ return -EINVAL;
+
+ if (netif_running(ndev))
+--
+2.39.5
+
--- /dev/null
+From 5d0b0dce4f06cc1305f18295ea263d0728cda23d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jul 2025 15:07:53 +0200
+Subject: net: phy: microchip: limit 100M workaround to link-down events on
+ LAN88xx
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+[ Upstream commit dd4360c0e8504f2f7639c7f5d07c93cfd6a98333 ]
+
+Restrict the 100Mbit forced-mode workaround to link-down transitions
+only, to prevent repeated link reset cycles in certain configurations.
+
+The workaround was originally introduced to improve signal reliability
+when switching cables between long and short distances. It temporarily
+forces the PHY into 10 Mbps before returning to 100 Mbps.
+
+However, when used with autonegotiating link partners (e.g., Intel i350),
+executing this workaround on every link change can confuse the partner
+and cause constant renegotiation loops. This results in repeated link
+down/up transitions and the PHY never reaching a stable state.
+
+Limit the workaround to only run during the PHY_NOLINK state. This ensures
+it is triggered only once per link drop, avoiding disruptive toggling
+while still preserving its intended effect.
+
+Note: I am not able to reproduce the original issue that this workaround
+addresses. I can only confirm that 100 Mbit mode works correctly in my
+test setup. Based on code inspection, I assume the workaround aims to
+reset some internal state machine or signal block by toggling speeds.
+However, a PHY reset is already performed earlier in the function via
+phy_init_hw(), which may achieve a similar effect. Without a reproducer,
+I conservatively keep the workaround but restrict its conditions.
+
+Fixes: e57cf3639c32 ("net: lan78xx: fix accessing the LAN7800's internal phy specific registers from the MAC driver")
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/20250709130753.3994461-3-o.rempel@pengutronix.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/microchip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/microchip.c b/drivers/net/phy/microchip.c
+index 0b88635f4fbca..3750f8778c65c 100644
+--- a/drivers/net/phy/microchip.c
++++ b/drivers/net/phy/microchip.c
+@@ -351,7 +351,7 @@ static void lan88xx_link_change_notify(struct phy_device *phydev)
+ * As workaround, set to 10 before setting to 100
+ * at forced 100 F/H mode.
+ */
+- if (!phydev->autoneg && phydev->speed == 100) {
++ if (phydev->state == PHY_NOLINK && !phydev->autoneg && phydev->speed == 100) {
+ /* disable phy interrupt */
+ temp = phy_read(phydev, LAN88XX_INT_MASK);
+ temp &= ~LAN88XX_INT_MASK_MDINTPIN_EN_;
+--
+2.39.5
+
--- /dev/null
+From 2a86f28f62daf7c96e83283920b9b8f59d541533 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 10:27:02 +0800
+Subject: net: usb: qmi_wwan: add SIMCom 8230C composition
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Xiaowei Li <xiaowei.li@simcom.com>
+
+[ Upstream commit 0b39b055b5b48cbbdf5746a1ca6e3f6b0221e537 ]
+
+Add support for SIMCom 8230C which is based on Qualcomm SDX35 chip.
+0x9071: tty (DM) + tty (NMEA) + tty (AT) + rmnet
+T: Bus=01 Lev=01 Prnt=01 Port=05 Cnt=02 Dev#= 8 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=1e0e ProdID=9071 Rev= 5.15
+S: Manufacturer=SIMCOM
+S: Product=SDXBAAGHA-IDP _SN:D744C4C5
+S: SerialNumber=0123456789ABCDEF
+C:* #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
+I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
+E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
+E: Ad=86(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
+E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=none
+E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+
+Signed-off-by: Xiaowei Li <xiaowei.li@simcom.com>
+Acked-by: Bjørn Mork <bjorn@mork.no>
+Link: https://patch.msgid.link/tencent_21D781FAA4969FEACA6ABB460362B52C9409@qq.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
+index b4c0413c6522a..96656e56e809f 100644
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -1431,6 +1431,7 @@ static const struct usb_device_id products[] = {
+ {QMI_QUIRK_SET_DTR(0x22de, 0x9051, 2)}, /* Hucom Wireless HM-211S/K */
+ {QMI_FIXED_INTF(0x22de, 0x9061, 3)}, /* WeTelecom WPD-600N */
+ {QMI_QUIRK_SET_DTR(0x1e0e, 0x9001, 5)}, /* SIMCom 7100E, 7230E, 7600E ++ */
++ {QMI_QUIRK_SET_DTR(0x1e0e, 0x9071, 3)}, /* SIMCom 8230C ++ */
+ {QMI_QUIRK_SET_DTR(0x2c7c, 0x0121, 4)}, /* Quectel EC21 Mini PCIe */
+ {QMI_QUIRK_SET_DTR(0x2c7c, 0x0191, 4)}, /* Quectel EG91 */
+ {QMI_QUIRK_SET_DTR(0x2c7c, 0x0195, 4)}, /* Quectel EG95 */
+--
+2.39.5
+
--- /dev/null
+From 31a5be1ae8fdb50967bbb6f5bd040a1eb1fdb812 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jul 2025 12:45:17 +0000
+Subject: netfilter: flowtable: account for Ethernet header in
+ nf_flow_pppoe_proto()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 18cdb3d982da8976b28d57691eb256ec5688fad2 ]
+
+syzbot found a potential access to uninit-value in nf_flow_pppoe_proto()
+
+Blamed commit forgot the Ethernet header.
+
+BUG: KMSAN: uninit-value in nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27
+ nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27
+ nf_hook_entry_hookfn include/linux/netfilter.h:157 [inline]
+ nf_hook_slow+0xe1/0x3d0 net/netfilter/core.c:623
+ nf_hook_ingress include/linux/netfilter_netdev.h:34 [inline]
+ nf_ingress net/core/dev.c:5742 [inline]
+ __netif_receive_skb_core+0x4aff/0x70c0 net/core/dev.c:5837
+ __netif_receive_skb_one_core net/core/dev.c:5975 [inline]
+ __netif_receive_skb+0xcc/0xac0 net/core/dev.c:6090
+ netif_receive_skb_internal net/core/dev.c:6176 [inline]
+ netif_receive_skb+0x57/0x630 net/core/dev.c:6235
+ tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485
+ tun_get_user+0x4ee0/0x6b40 drivers/net/tun.c:1938
+ tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1984
+ new_sync_write fs/read_write.c:593 [inline]
+ vfs_write+0xb4b/0x1580 fs/read_write.c:686
+ ksys_write fs/read_write.c:738 [inline]
+ __do_sys_write fs/read_write.c:749 [inline]
+
+Reported-by: syzbot+bf6ed459397e307c3ad2@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/686bc073.a00a0220.c7b3.0086.GAE@google.com/T/#u
+Fixes: 87b3593bed18 ("netfilter: flowtable: validate pppoe header")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Link: https://patch.msgid.link/20250707124517.614489-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/netfilter/nf_flow_table.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h
+index df7775afb92b9..0097791e1eede 100644
+--- a/include/net/netfilter/nf_flow_table.h
++++ b/include/net/netfilter/nf_flow_table.h
+@@ -353,7 +353,7 @@ static inline __be16 __nf_flow_pppoe_proto(const struct sk_buff *skb)
+
+ static inline bool nf_flow_pppoe_proto(struct sk_buff *skb, __be16 *inner_proto)
+ {
+- if (!pskb_may_pull(skb, PPPOE_SES_HLEN))
++ if (!pskb_may_pull(skb, ETH_HLEN + PPPOE_SES_HLEN))
+ return false;
+
+ *inner_proto = __nf_flow_pppoe_proto(skb);
+--
+2.39.5
+
--- /dev/null
+From b0e2afd8b3bee745e8e375df02f976f9f8ffd690 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Jul 2025 03:36:43 -0400
+Subject: platform/x86: think-lmi: Fix sysfs group cleanup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Zhang Rui <rui.zhang@intel.com>
+
+[ Upstream commit 4f30f946f27b7f044cf8f3f1f353dee1dcd3517a ]
+
+Many error paths in tlmi_sysfs_init() lead to sysfs groups being removed
+when they were not even created.
+
+Fix this by letting the kobject core manage these groups through their
+kobj_type's defult_groups.
+
+Fixes: a40cd7ef22fb ("platform/x86: think-lmi: Add WMI interface support on Lenovo platforms")
+Cc: stable@vger.kernel.org
+Reviewed-by: Mark Pearson <mpearson-lenovo@squebb.ca>
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Kurt Borja <kuurtb@gmail.com>
+Link: https://lore.kernel.org/r/20250630-lmi-fix-v3-3-ce4f81c9c481@gmail.com
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/powercap/intel_rapl_common.c | 22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/powercap/intel_rapl_common.c b/drivers/powercap/intel_rapl_common.c
+index 26d00b1853b42..02787682b395e 100644
+--- a/drivers/powercap/intel_rapl_common.c
++++ b/drivers/powercap/intel_rapl_common.c
+@@ -21,6 +21,7 @@
+ #include <linux/intel_rapl.h>
+ #include <linux/processor.h>
+ #include <linux/platform_device.h>
++#include <linux/string_helpers.h>
+
+ #include <asm/iosf_mbi.h>
+ #include <asm/cpu_device_id.h>
+@@ -227,17 +228,34 @@ static int find_nr_power_limit(struct rapl_domain *rd)
+ static int set_domain_enable(struct powercap_zone *power_zone, bool mode)
+ {
+ struct rapl_domain *rd = power_zone_to_rapl_domain(power_zone);
++ u64 val;
++ int ret;
+
+ if (rd->state & DOMAIN_STATE_BIOS_LOCKED)
+ return -EACCES;
+
+ cpus_read_lock();
+- rapl_write_data_raw(rd, PL1_ENABLE, mode);
++ ret = rapl_write_data_raw(rd, PL1_ENABLE, mode);
++ if (ret)
++ goto end;
++
++ ret = rapl_read_data_raw(rd, PL1_ENABLE, true, &val);
++ if (ret)
++ goto end;
++
++ if (mode != val) {
++ pr_debug("%s cannot be %s\n", power_zone->name,
++ str_enabled_disabled(mode));
++ goto end;
++ }
++
+ if (rapl_defaults->set_floor_freq)
+ rapl_defaults->set_floor_freq(rd, mode);
++
++end:
+ cpus_read_unlock();
+
+- return 0;
++ return ret;
+ }
+
+ static int get_domain_enable(struct powercap_zone *power_zone, bool *mode)
+--
+2.39.5
+
--- /dev/null
+From a2364b1b1d2b50971c6538b300d874a926c9a611 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 11:23:04 -0400
+Subject: raid10: cleanup memleak at raid10_make_request
+
+From: Nigel Croxon <ncroxon@redhat.com>
+
+[ Upstream commit 43806c3d5b9bb7d74ba4e33a6a8a41ac988bde24 ]
+
+If raid10_read_request or raid10_write_request registers a new
+request and the REQ_NOWAIT flag is set, the code does not
+free the malloc from the mempool.
+
+unreferenced object 0xffff8884802c3200 (size 192):
+ comm "fio", pid 9197, jiffies 4298078271
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 88 41 02 00 00 00 00 00 .........A......
+ 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace (crc c1a049a2):
+ __kmalloc+0x2bb/0x450
+ mempool_alloc+0x11b/0x320
+ raid10_make_request+0x19e/0x650 [raid10]
+ md_handle_request+0x3b3/0x9e0
+ __submit_bio+0x394/0x560
+ __submit_bio_noacct+0x145/0x530
+ submit_bio_noacct_nocheck+0x682/0x830
+ __blkdev_direct_IO_async+0x4dc/0x6b0
+ blkdev_read_iter+0x1e5/0x3b0
+ __io_read+0x230/0x1110
+ io_read+0x13/0x30
+ io_issue_sqe+0x134/0x1180
+ io_submit_sqes+0x48c/0xe90
+ __do_sys_io_uring_enter+0x574/0x8b0
+ do_syscall_64+0x5c/0xe0
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+V4: changing backing tree to see if CKI tests will pass.
+The patch code has not changed between any versions.
+
+Fixes: c9aa889b035f ("md: raid10 add nowait support")
+Signed-off-by: Nigel Croxon <ncroxon@redhat.com>
+Link: https://lore.kernel.org/linux-raid/c0787379-9caa-42f3-b5fc-369aed784400@redhat.com
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/raid10.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
+index 24427eddf61bc..2ae68b7b79598 100644
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -1210,8 +1210,11 @@ static void raid10_read_request(struct mddev *mddev, struct bio *bio,
+ rcu_read_unlock();
+ }
+
+- if (!regular_request_wait(mddev, conf, bio, r10_bio->sectors))
++ if (!regular_request_wait(mddev, conf, bio, r10_bio->sectors)) {
++ raid_end_bio_io(r10_bio);
+ return;
++ }
++
+ rdev = read_balance(conf, r10_bio, &max_sectors);
+ if (!rdev) {
+ if (err_rdev) {
+@@ -1432,8 +1435,11 @@ static void raid10_write_request(struct mddev *mddev, struct bio *bio,
+ }
+
+ sectors = r10_bio->sectors;
+- if (!regular_request_wait(mddev, conf, bio, sectors))
++ if (!regular_request_wait(mddev, conf, bio, sectors)) {
++ raid_end_bio_io(r10_bio);
+ return;
++ }
++
+ if (test_bit(MD_RECOVERY_RESHAPE, &mddev->recovery) &&
+ (mddev->reshape_backwards
+ ? (bio->bi_iter.bi_sector < conf->reshape_safe &&
+--
+2.39.5
+
ksmbd-fix-a-mount-write-count-leak-in-ksmbd_vfs_kern_path_locked.patch
netlink-fix-rmem-check-in-netlink_broadcast_deliver.patch
netlink-make-sure-we-allow-at-least-one-dump-skb.patch
+fs-export-anon_inode_make_secure_inode-and-fix-secre.patch
+btrfs-propagate-last_unlink_trans-earlier-when-doing.patch
+xhci-allow-rpm-on-the-usb-controller-1022-43f7-by-de.patch
+usb-xhci-quirk-for-data-loss-in-isoc-transfers.patch
+input-xpad-support-acer-ngr-200-controller.patch
+usb-cdnsp-remove-trb_flush_endpoint-command.patch
+usb-cdnsp-replace-snprintf-with-the-safer-scnprintf-.patch
+usb-cdnsp-fix-issue-with-cv-bad-descriptor-test.patch
+usb-dwc3-abort-suspend-on-soft-disconnect-failure.patch
+platform-x86-think-lmi-fix-sysfs-group-cleanup.patch
+wifi-zd1211rw-fix-potential-null-pointer-dereference.patch
+drm-tegra-nvdec-fix-dma_alloc_coherent-error-check.patch
+md-raid1-fix-stack-memory-use-after-return-in-raid1_.patch
+raid10-cleanup-memleak-at-raid10_make_request.patch
+nbd-fix-uaf-in-nbd_genl_connect-error-path.patch
+erofs-remove-the-member-readahead-from-struct-z_erof.patch
+erofs-clean-up-z_erofs_pcluster_readmore.patch
+erofs-allocate-extra-bvec-pages-directly-instead-of-.patch
+erofs-avoid-on-stack-pagepool-directly-passed-by-arg.patch
+erofs-adapt-folios-for-z_erofs_read_folio.patch
+erofs-fix-to-add-missing-tracepoint-in-erofs_read_fo.patch
+netfilter-flowtable-account-for-ethernet-header-in-n.patch
+net-appletalk-fix-device-refcount-leak-in-atrtr_crea.patch
+ibmvnic-fix-hardcoded-num_rx_stats-num_tx_stats-with.patch
+net-phy-microchip-limit-100m-workaround-to-link-down.patch
+can-m_can-m_can_handle_lost_msg-downgrade-msg-lost-i.patch
+net-ll_temac-fix-missing-tx_pending-check-in-ethtool.patch
+bnxt_en-fix-dcb-ets-validation.patch
+bnxt_en-set-dma-unmap-len-correctly-for-xdp_redirect.patch
+atm-idt77252-add-missing-dma_map_error.patch
+um-vector-reduce-stack-usage-in-vector_eth_configure.patch
+asoc-amd-yc-add-quirk-for-acer-nitro-anv15-41-intern.patch
+alsa-hda-realtek-enable-mute-led-on-hp-pavilion-lapt.patch
+net-usb-qmi_wwan-add-simcom-8230c-composition.patch
+hid-lenovo-add-support-for-thinkpad-x1-tablet-thin-k.patch
+btrfs-fix-assertion-when-building-free-space-tree.patch
+vt-add-missing-notification-when-switching-back-to-t.patch
+hid-add-ignore-quirk-for-smartlinktechnology.patch
+hid-quirks-add-quirk-for-2-chicony-electronics-hp-5m.patch
--- /dev/null
+From c4843d36f1c74852441bb10459c6056e6c9c7c26 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Jun 2025 19:08:29 +0800
+Subject: um: vector: Reduce stack usage in vector_eth_configure()
+
+From: Tiwei Bie <tiwei.btw@antgroup.com>
+
+[ Upstream commit 2d65fc13be85c336c56af7077f08ccd3a3a15a4a ]
+
+When compiling with clang (19.1.7), initializing *vp using a compound
+literal may result in excessive stack usage. Fix it by initializing the
+required fields of *vp individually.
+
+Without this patch:
+
+$ objdump -d arch/um/drivers/vector_kern.o | ./scripts/checkstack.pl x86_64 0
+...
+0x0000000000000540 vector_eth_configure [vector_kern.o]:1472
+...
+
+With this patch:
+
+$ objdump -d arch/um/drivers/vector_kern.o | ./scripts/checkstack.pl x86_64 0
+...
+0x0000000000000540 vector_eth_configure [vector_kern.o]:208
+...
+
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202506221017.WtB7Usua-lkp@intel.com/
+Signed-off-by: Tiwei Bie <tiwei.btw@antgroup.com>
+Link: https://patch.msgid.link/20250623110829.314864-1-tiwei.btw@antgroup.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/um/drivers/vector_kern.c | 42 +++++++++++------------------------
+ 1 file changed, 13 insertions(+), 29 deletions(-)
+
+diff --git a/arch/um/drivers/vector_kern.c b/arch/um/drivers/vector_kern.c
+index 2baa8d4a33ed3..1a068859a4185 100644
+--- a/arch/um/drivers/vector_kern.c
++++ b/arch/um/drivers/vector_kern.c
+@@ -1600,35 +1600,19 @@ static void vector_eth_configure(
+
+ device->dev = dev;
+
+- *vp = ((struct vector_private)
+- {
+- .list = LIST_HEAD_INIT(vp->list),
+- .dev = dev,
+- .unit = n,
+- .options = get_transport_options(def),
+- .rx_irq = 0,
+- .tx_irq = 0,
+- .parsed = def,
+- .max_packet = get_mtu(def) + ETH_HEADER_OTHER,
+- /* TODO - we need to calculate headroom so that ip header
+- * is 16 byte aligned all the time
+- */
+- .headroom = get_headroom(def),
+- .form_header = NULL,
+- .verify_header = NULL,
+- .header_rxbuffer = NULL,
+- .header_txbuffer = NULL,
+- .header_size = 0,
+- .rx_header_size = 0,
+- .rexmit_scheduled = false,
+- .opened = false,
+- .transport_data = NULL,
+- .in_write_poll = false,
+- .coalesce = 2,
+- .req_size = get_req_size(def),
+- .in_error = false,
+- .bpf = NULL
+- });
++ INIT_LIST_HEAD(&vp->list);
++ vp->dev = dev;
++ vp->unit = n;
++ vp->options = get_transport_options(def);
++ vp->parsed = def;
++ vp->max_packet = get_mtu(def) + ETH_HEADER_OTHER;
++ /*
++ * TODO - we need to calculate headroom so that ip header
++ * is 16 byte aligned all the time
++ */
++ vp->headroom = get_headroom(def);
++ vp->coalesce = 2;
++ vp->req_size = get_req_size(def);
+
+ dev->features = dev->hw_features = (NETIF_F_SG | NETIF_F_FRAGLIST);
+ INIT_WORK(&vp->reset_tx, vector_reset_tx);
+--
+2.39.5
+
--- /dev/null
+From c7eaca543e5c05684a93f356e25abdf308a2250b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 08:23:12 +0000
+Subject: usb: cdnsp: Fix issue with CV Bad Descriptor test
+
+From: Pawel Laszczak <pawell@cadence.com>
+
+[ Upstream commit 2831a81077f5162f104ba5a97a7d886eb371c21c ]
+
+The SSP2 controller has extra endpoint state preserve bit (ESP) which
+setting causes that endpoint state will be preserved during
+Halt Endpoint command. It is used only for EP0.
+Without this bit the Command Verifier "TD 9.10 Bad Descriptor Test"
+failed.
+Setting this bit doesn't have any impact for SSP controller.
+
+Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Pawel Laszczak <pawell@cadence.com>
+Acked-by: Peter Chen <peter.chen@kernel.org>
+Link: https://lore.kernel.org/r/PH7PR07MB95382CCD50549DABAEFD6156DD7CA@PH7PR07MB9538.namprd07.prod.outlook.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/cdns3/cdnsp-debug.h | 5 +++--
+ drivers/usb/cdns3/cdnsp-ep0.c | 18 +++++++++++++++---
+ drivers/usb/cdns3/cdnsp-gadget.h | 6 ++++++
+ drivers/usb/cdns3/cdnsp-ring.c | 3 ++-
+ 4 files changed, 26 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/usb/cdns3/cdnsp-debug.h b/drivers/usb/cdns3/cdnsp-debug.h
+index cd138acdcce16..86860686d8363 100644
+--- a/drivers/usb/cdns3/cdnsp-debug.h
++++ b/drivers/usb/cdns3/cdnsp-debug.h
+@@ -327,12 +327,13 @@ static inline const char *cdnsp_decode_trb(char *str, size_t size, u32 field0,
+ case TRB_RESET_EP:
+ case TRB_HALT_ENDPOINT:
+ ret = scnprintf(str, size,
+- "%s: ep%d%s(%d) ctx %08x%08x slot %ld flags %c",
++ "%s: ep%d%s(%d) ctx %08x%08x slot %ld flags %c %c",
+ cdnsp_trb_type_string(type),
+ ep_num, ep_id % 2 ? "out" : "in",
+ TRB_TO_EP_INDEX(field3), field1, field0,
+ TRB_TO_SLOT_ID(field3),
+- field3 & TRB_CYCLE ? 'C' : 'c');
++ field3 & TRB_CYCLE ? 'C' : 'c',
++ field3 & TRB_ESP ? 'P' : 'p');
+ break;
+ case TRB_STOP_RING:
+ ret = scnprintf(str, size,
+diff --git a/drivers/usb/cdns3/cdnsp-ep0.c b/drivers/usb/cdns3/cdnsp-ep0.c
+index f317d3c847810..5cd9b898ce971 100644
+--- a/drivers/usb/cdns3/cdnsp-ep0.c
++++ b/drivers/usb/cdns3/cdnsp-ep0.c
+@@ -414,6 +414,7 @@ static int cdnsp_ep0_std_request(struct cdnsp_device *pdev,
+ void cdnsp_setup_analyze(struct cdnsp_device *pdev)
+ {
+ struct usb_ctrlrequest *ctrl = &pdev->setup;
++ struct cdnsp_ep *pep;
+ int ret = -EINVAL;
+ u16 len;
+
+@@ -427,10 +428,21 @@ void cdnsp_setup_analyze(struct cdnsp_device *pdev)
+ goto out;
+ }
+
++ pep = &pdev->eps[0];
++
+ /* Restore the ep0 to Stopped/Running state. */
+- if (pdev->eps[0].ep_state & EP_HALTED) {
+- trace_cdnsp_ep0_halted("Restore to normal state");
+- cdnsp_halt_endpoint(pdev, &pdev->eps[0], 0);
++ if (pep->ep_state & EP_HALTED) {
++ if (GET_EP_CTX_STATE(pep->out_ctx) == EP_STATE_HALTED)
++ cdnsp_halt_endpoint(pdev, pep, 0);
++
++ /*
++ * Halt Endpoint Command for SSP2 for ep0 preserve current
++ * endpoint state and driver has to synchronize the
++ * software endpoint state with endpoint output context
++ * state.
++ */
++ pep->ep_state &= ~EP_HALTED;
++ pep->ep_state |= EP_STOPPED;
+ }
+
+ /*
+diff --git a/drivers/usb/cdns3/cdnsp-gadget.h b/drivers/usb/cdns3/cdnsp-gadget.h
+index 48336e121ed6f..155fd770a8cd9 100644
+--- a/drivers/usb/cdns3/cdnsp-gadget.h
++++ b/drivers/usb/cdns3/cdnsp-gadget.h
+@@ -987,6 +987,12 @@ enum cdnsp_setup_dev {
+ #define STREAM_ID_FOR_TRB(p) ((((p)) << 16) & GENMASK(31, 16))
+ #define SCT_FOR_TRB(p) (((p) << 1) & 0x7)
+
++/*
++ * Halt Endpoint Command TRB field.
++ * The ESP bit only exists in the SSP2 controller.
++ */
++#define TRB_ESP BIT(9)
++
+ /* Link TRB specific fields. */
+ #define TRB_TC BIT(1)
+
+diff --git a/drivers/usb/cdns3/cdnsp-ring.c b/drivers/usb/cdns3/cdnsp-ring.c
+index 795668435c77e..42db256978bcc 100644
+--- a/drivers/usb/cdns3/cdnsp-ring.c
++++ b/drivers/usb/cdns3/cdnsp-ring.c
+@@ -2475,7 +2475,8 @@ void cdnsp_queue_halt_endpoint(struct cdnsp_device *pdev, unsigned int ep_index)
+ {
+ cdnsp_queue_command(pdev, 0, 0, 0, TRB_TYPE(TRB_HALT_ENDPOINT) |
+ SLOT_ID_FOR_TRB(pdev->slot_id) |
+- EP_ID_FOR_TRB(ep_index));
++ EP_ID_FOR_TRB(ep_index) |
++ (!ep_index ? TRB_ESP : 0));
+ }
+
+ void cdnsp_force_header_wakeup(struct cdnsp_device *pdev, int intf_num)
+--
+2.39.5
+
--- /dev/null
+From 3dd3391968caff1a1b66a8d7b29fd107546ed35b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Oct 2023 09:37:37 +0200
+Subject: usb:cdnsp: remove TRB_FLUSH_ENDPOINT command
+
+From: Pawel Laszczak <pawell@cadence.com>
+
+[ Upstream commit 2998874736bca1031ca84b0a3235a2cd09dfa426 ]
+
+Patch removes TRB_FLUSH_ENDPOINT command from driver.
+This command is not supported by controller and
+USBSSP returns TRB Error completion code for it.
+
+Signed-off-by: Pawel Laszczak <pawell@cadence.com>
+Acked-by: Peter Chen <peter.chen@kernel.org>
+Link: https://lore.kernel.org/r/20231026073737.165450-1-pawell@cadence.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: 2831a81077f5 ("usb: cdnsp: Fix issue with CV Bad Descriptor test")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/cdns3/cdnsp-debug.h | 3 ---
+ drivers/usb/cdns3/cdnsp-gadget.c | 6 +-----
+ drivers/usb/cdns3/cdnsp-gadget.h | 5 -----
+ drivers/usb/cdns3/cdnsp-ring.c | 24 ------------------------
+ 4 files changed, 1 insertion(+), 37 deletions(-)
+
+diff --git a/drivers/usb/cdns3/cdnsp-debug.h b/drivers/usb/cdns3/cdnsp-debug.h
+index f0ca865cce2a0..ad617b7455b9c 100644
+--- a/drivers/usb/cdns3/cdnsp-debug.h
++++ b/drivers/usb/cdns3/cdnsp-debug.h
+@@ -131,8 +131,6 @@ static inline const char *cdnsp_trb_type_string(u8 type)
+ return "Endpoint Not ready";
+ case TRB_HALT_ENDPOINT:
+ return "Halt Endpoint";
+- case TRB_FLUSH_ENDPOINT:
+- return "FLush Endpoint";
+ default:
+ return "UNKNOWN";
+ }
+@@ -328,7 +326,6 @@ static inline const char *cdnsp_decode_trb(char *str, size_t size, u32 field0,
+ break;
+ case TRB_RESET_EP:
+ case TRB_HALT_ENDPOINT:
+- case TRB_FLUSH_ENDPOINT:
+ ret = snprintf(str, size,
+ "%s: ep%d%s(%d) ctx %08x%08x slot %ld flags %c",
+ cdnsp_trb_type_string(type),
+diff --git a/drivers/usb/cdns3/cdnsp-gadget.c b/drivers/usb/cdns3/cdnsp-gadget.c
+index bc63c039d3ac9..ccd02f6be78ae 100644
+--- a/drivers/usb/cdns3/cdnsp-gadget.c
++++ b/drivers/usb/cdns3/cdnsp-gadget.c
+@@ -1061,10 +1061,8 @@ static int cdnsp_gadget_ep_disable(struct usb_ep *ep)
+ pep->ep_state |= EP_DIS_IN_RROGRESS;
+
+ /* Endpoint was unconfigured by Reset Device command. */
+- if (!(pep->ep_state & EP_UNCONFIGURED)) {
++ if (!(pep->ep_state & EP_UNCONFIGURED))
+ cdnsp_cmd_stop_ep(pdev, pep);
+- cdnsp_cmd_flush_ep(pdev, pep);
+- }
+
+ /* Remove all queued USB requests. */
+ while (!list_empty(&pep->pending_list)) {
+@@ -1461,8 +1459,6 @@ static void cdnsp_stop(struct cdnsp_device *pdev)
+ {
+ u32 temp;
+
+- cdnsp_cmd_flush_ep(pdev, &pdev->eps[0]);
+-
+ /* Remove internally queued request for ep0. */
+ if (!list_empty(&pdev->eps[0].pending_list)) {
+ struct cdnsp_request *req;
+diff --git a/drivers/usb/cdns3/cdnsp-gadget.h b/drivers/usb/cdns3/cdnsp-gadget.h
+index 2998548177aba..48336e121ed6f 100644
+--- a/drivers/usb/cdns3/cdnsp-gadget.h
++++ b/drivers/usb/cdns3/cdnsp-gadget.h
+@@ -1138,8 +1138,6 @@ union cdnsp_trb {
+ #define TRB_HALT_ENDPOINT 54
+ /* Doorbell Overflow Event. */
+ #define TRB_DRB_OVERFLOW 57
+-/* Flush Endpoint Command. */
+-#define TRB_FLUSH_ENDPOINT 58
+
+ #define TRB_TYPE_LINK(x) (((x) & TRB_TYPE_BITMASK) == TRB_TYPE(TRB_LINK))
+ #define TRB_TYPE_LINK_LE32(x) (((x) & cpu_to_le32(TRB_TYPE_BITMASK)) == \
+@@ -1552,8 +1550,6 @@ void cdnsp_queue_configure_endpoint(struct cdnsp_device *pdev,
+ void cdnsp_queue_reset_ep(struct cdnsp_device *pdev, unsigned int ep_index);
+ void cdnsp_queue_halt_endpoint(struct cdnsp_device *pdev,
+ unsigned int ep_index);
+-void cdnsp_queue_flush_endpoint(struct cdnsp_device *pdev,
+- unsigned int ep_index);
+ void cdnsp_force_header_wakeup(struct cdnsp_device *pdev, int intf_num);
+ void cdnsp_queue_reset_device(struct cdnsp_device *pdev);
+ void cdnsp_queue_new_dequeue_state(struct cdnsp_device *pdev,
+@@ -1587,7 +1583,6 @@ void cdnsp_irq_reset(struct cdnsp_device *pdev);
+ int cdnsp_halt_endpoint(struct cdnsp_device *pdev,
+ struct cdnsp_ep *pep, int value);
+ int cdnsp_cmd_stop_ep(struct cdnsp_device *pdev, struct cdnsp_ep *pep);
+-int cdnsp_cmd_flush_ep(struct cdnsp_device *pdev, struct cdnsp_ep *pep);
+ void cdnsp_setup_analyze(struct cdnsp_device *pdev);
+ int cdnsp_status_stage(struct cdnsp_device *pdev);
+ int cdnsp_reset_device(struct cdnsp_device *pdev);
+diff --git a/drivers/usb/cdns3/cdnsp-ring.c b/drivers/usb/cdns3/cdnsp-ring.c
+index c9ad4280f4ba2..795668435c77e 100644
+--- a/drivers/usb/cdns3/cdnsp-ring.c
++++ b/drivers/usb/cdns3/cdnsp-ring.c
+@@ -2157,19 +2157,6 @@ int cdnsp_cmd_stop_ep(struct cdnsp_device *pdev, struct cdnsp_ep *pep)
+ return ret;
+ }
+
+-int cdnsp_cmd_flush_ep(struct cdnsp_device *pdev, struct cdnsp_ep *pep)
+-{
+- int ret;
+-
+- cdnsp_queue_flush_endpoint(pdev, pep->idx);
+- cdnsp_ring_cmd_db(pdev);
+- ret = cdnsp_wait_for_cmd_compl(pdev);
+-
+- trace_cdnsp_handle_cmd_flush_ep(pep->out_ctx);
+-
+- return ret;
+-}
+-
+ /*
+ * The transfer burst count field of the isochronous TRB defines the number of
+ * bursts that are required to move all packets in this TD. Only SuperSpeed
+@@ -2491,17 +2478,6 @@ void cdnsp_queue_halt_endpoint(struct cdnsp_device *pdev, unsigned int ep_index)
+ EP_ID_FOR_TRB(ep_index));
+ }
+
+-/*
+- * Queue a flush endpoint request on the command ring.
+- */
+-void cdnsp_queue_flush_endpoint(struct cdnsp_device *pdev,
+- unsigned int ep_index)
+-{
+- cdnsp_queue_command(pdev, 0, 0, 0, TRB_TYPE(TRB_FLUSH_ENDPOINT) |
+- SLOT_ID_FOR_TRB(pdev->slot_id) |
+- EP_ID_FOR_TRB(ep_index));
+-}
+-
+ void cdnsp_force_header_wakeup(struct cdnsp_device *pdev, int intf_num)
+ {
+ u32 lo, mid;
+--
+2.39.5
+
--- /dev/null
+From a090b3d75f26cbc904a4d7b75084c4aa1d215d64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Nov 2023 10:54:36 +0000
+Subject: usb: cdnsp: Replace snprintf() with the safer scnprintf() variant
+
+From: Lee Jones <lee@kernel.org>
+
+[ Upstream commit b385ef088c7aab20a2c0dc20d390d69a6620f0f3 ]
+
+There is a general misunderstanding amongst engineers that {v}snprintf()
+returns the length of the data *actually* encoded into the destination
+array. However, as per the C99 standard {v}snprintf() really returns
+the length of the data that *would have been* written if there were
+enough space for it. This misunderstanding has led to buffer-overruns
+in the past. It's generally considered safer to use the {v}scnprintf()
+variants in their place (or even sprintf() in simple cases). So let's
+do that.
+
+The uses in this file all seem to assume that data *has been* written!
+
+Link: https://lwn.net/Articles/69419/
+Link: https://github.com/KSPP/linux/issues/105
+Cc: Pawel Laszczak <pawell@cadence.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: linux-usb@vger.kernel.org
+Signed-off-by: Lee Jones <lee@kernel.org>
+Link: https://lore.kernel.org/r/20231130105459.3208986-3-lee@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: 2831a81077f5 ("usb: cdnsp: Fix issue with CV Bad Descriptor test")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/cdns3/cdnsp-debug.h | 354 ++++++++++++++++----------------
+ 1 file changed, 177 insertions(+), 177 deletions(-)
+
+diff --git a/drivers/usb/cdns3/cdnsp-debug.h b/drivers/usb/cdns3/cdnsp-debug.h
+index ad617b7455b9c..cd138acdcce16 100644
+--- a/drivers/usb/cdns3/cdnsp-debug.h
++++ b/drivers/usb/cdns3/cdnsp-debug.h
+@@ -187,202 +187,202 @@ static inline const char *cdnsp_decode_trb(char *str, size_t size, u32 field0,
+
+ switch (type) {
+ case TRB_LINK:
+- ret = snprintf(str, size,
+- "LINK %08x%08x intr %ld type '%s' flags %c:%c:%c:%c",
+- field1, field0, GET_INTR_TARGET(field2),
+- cdnsp_trb_type_string(type),
+- field3 & TRB_IOC ? 'I' : 'i',
+- field3 & TRB_CHAIN ? 'C' : 'c',
+- field3 & TRB_TC ? 'T' : 't',
+- field3 & TRB_CYCLE ? 'C' : 'c');
++ ret = scnprintf(str, size,
++ "LINK %08x%08x intr %ld type '%s' flags %c:%c:%c:%c",
++ field1, field0, GET_INTR_TARGET(field2),
++ cdnsp_trb_type_string(type),
++ field3 & TRB_IOC ? 'I' : 'i',
++ field3 & TRB_CHAIN ? 'C' : 'c',
++ field3 & TRB_TC ? 'T' : 't',
++ field3 & TRB_CYCLE ? 'C' : 'c');
+ break;
+ case TRB_TRANSFER:
+ case TRB_COMPLETION:
+ case TRB_PORT_STATUS:
+ case TRB_HC_EVENT:
+- ret = snprintf(str, size,
+- "ep%d%s(%d) type '%s' TRB %08x%08x status '%s'"
+- " len %ld slot %ld flags %c:%c",
+- ep_num, ep_id % 2 ? "out" : "in",
+- TRB_TO_EP_INDEX(field3),
+- cdnsp_trb_type_string(type), field1, field0,
+- cdnsp_trb_comp_code_string(GET_COMP_CODE(field2)),
+- EVENT_TRB_LEN(field2), TRB_TO_SLOT_ID(field3),
+- field3 & EVENT_DATA ? 'E' : 'e',
+- field3 & TRB_CYCLE ? 'C' : 'c');
++ ret = scnprintf(str, size,
++ "ep%d%s(%d) type '%s' TRB %08x%08x status '%s'"
++ " len %ld slot %ld flags %c:%c",
++ ep_num, ep_id % 2 ? "out" : "in",
++ TRB_TO_EP_INDEX(field3),
++ cdnsp_trb_type_string(type), field1, field0,
++ cdnsp_trb_comp_code_string(GET_COMP_CODE(field2)),
++ EVENT_TRB_LEN(field2), TRB_TO_SLOT_ID(field3),
++ field3 & EVENT_DATA ? 'E' : 'e',
++ field3 & TRB_CYCLE ? 'C' : 'c');
+ break;
+ case TRB_MFINDEX_WRAP:
+- ret = snprintf(str, size, "%s: flags %c",
+- cdnsp_trb_type_string(type),
+- field3 & TRB_CYCLE ? 'C' : 'c');
++ ret = scnprintf(str, size, "%s: flags %c",
++ cdnsp_trb_type_string(type),
++ field3 & TRB_CYCLE ? 'C' : 'c');
+ break;
+ case TRB_SETUP:
+- ret = snprintf(str, size,
+- "type '%s' bRequestType %02x bRequest %02x "
+- "wValue %02x%02x wIndex %02x%02x wLength %d "
+- "length %ld TD size %ld intr %ld Setup ID %ld "
+- "flags %c:%c:%c",
+- cdnsp_trb_type_string(type),
+- field0 & 0xff,
+- (field0 & 0xff00) >> 8,
+- (field0 & 0xff000000) >> 24,
+- (field0 & 0xff0000) >> 16,
+- (field1 & 0xff00) >> 8,
+- field1 & 0xff,
+- (field1 & 0xff000000) >> 16 |
+- (field1 & 0xff0000) >> 16,
+- TRB_LEN(field2), GET_TD_SIZE(field2),
+- GET_INTR_TARGET(field2),
+- TRB_SETUPID_TO_TYPE(field3),
+- field3 & TRB_IDT ? 'D' : 'd',
+- field3 & TRB_IOC ? 'I' : 'i',
+- field3 & TRB_CYCLE ? 'C' : 'c');
++ ret = scnprintf(str, size,
++ "type '%s' bRequestType %02x bRequest %02x "
++ "wValue %02x%02x wIndex %02x%02x wLength %d "
++ "length %ld TD size %ld intr %ld Setup ID %ld "
++ "flags %c:%c:%c",
++ cdnsp_trb_type_string(type),
++ field0 & 0xff,
++ (field0 & 0xff00) >> 8,
++ (field0 & 0xff000000) >> 24,
++ (field0 & 0xff0000) >> 16,
++ (field1 & 0xff00) >> 8,
++ field1 & 0xff,
++ (field1 & 0xff000000) >> 16 |
++ (field1 & 0xff0000) >> 16,
++ TRB_LEN(field2), GET_TD_SIZE(field2),
++ GET_INTR_TARGET(field2),
++ TRB_SETUPID_TO_TYPE(field3),
++ field3 & TRB_IDT ? 'D' : 'd',
++ field3 & TRB_IOC ? 'I' : 'i',
++ field3 & TRB_CYCLE ? 'C' : 'c');
+ break;
+ case TRB_DATA:
+- ret = snprintf(str, size,
+- "type '%s' Buffer %08x%08x length %ld TD size %ld "
+- "intr %ld flags %c:%c:%c:%c:%c:%c:%c",
+- cdnsp_trb_type_string(type),
+- field1, field0, TRB_LEN(field2),
+- GET_TD_SIZE(field2),
+- GET_INTR_TARGET(field2),
+- field3 & TRB_IDT ? 'D' : 'i',
+- field3 & TRB_IOC ? 'I' : 'i',
+- field3 & TRB_CHAIN ? 'C' : 'c',
+- field3 & TRB_NO_SNOOP ? 'S' : 's',
+- field3 & TRB_ISP ? 'I' : 'i',
+- field3 & TRB_ENT ? 'E' : 'e',
+- field3 & TRB_CYCLE ? 'C' : 'c');
++ ret = scnprintf(str, size,
++ "type '%s' Buffer %08x%08x length %ld TD size %ld "
++ "intr %ld flags %c:%c:%c:%c:%c:%c:%c",
++ cdnsp_trb_type_string(type),
++ field1, field0, TRB_LEN(field2),
++ GET_TD_SIZE(field2),
++ GET_INTR_TARGET(field2),
++ field3 & TRB_IDT ? 'D' : 'i',
++ field3 & TRB_IOC ? 'I' : 'i',
++ field3 & TRB_CHAIN ? 'C' : 'c',
++ field3 & TRB_NO_SNOOP ? 'S' : 's',
++ field3 & TRB_ISP ? 'I' : 'i',
++ field3 & TRB_ENT ? 'E' : 'e',
++ field3 & TRB_CYCLE ? 'C' : 'c');
+ break;
+ case TRB_STATUS:
+- ret = snprintf(str, size,
+- "Buffer %08x%08x length %ld TD size %ld intr"
+- "%ld type '%s' flags %c:%c:%c:%c",
+- field1, field0, TRB_LEN(field2),
+- GET_TD_SIZE(field2),
+- GET_INTR_TARGET(field2),
+- cdnsp_trb_type_string(type),
+- field3 & TRB_IOC ? 'I' : 'i',
+- field3 & TRB_CHAIN ? 'C' : 'c',
+- field3 & TRB_ENT ? 'E' : 'e',
+- field3 & TRB_CYCLE ? 'C' : 'c');
++ ret = scnprintf(str, size,
++ "Buffer %08x%08x length %ld TD size %ld intr"
++ "%ld type '%s' flags %c:%c:%c:%c",
++ field1, field0, TRB_LEN(field2),
++ GET_TD_SIZE(field2),
++ GET_INTR_TARGET(field2),
++ cdnsp_trb_type_string(type),
++ field3 & TRB_IOC ? 'I' : 'i',
++ field3 & TRB_CHAIN ? 'C' : 'c',
++ field3 & TRB_ENT ? 'E' : 'e',
++ field3 & TRB_CYCLE ? 'C' : 'c');
+ break;
+ case TRB_NORMAL:
+ case TRB_ISOC:
+ case TRB_EVENT_DATA:
+ case TRB_TR_NOOP:
+- ret = snprintf(str, size,
+- "type '%s' Buffer %08x%08x length %ld "
+- "TD size %ld intr %ld "
+- "flags %c:%c:%c:%c:%c:%c:%c:%c:%c",
+- cdnsp_trb_type_string(type),
+- field1, field0, TRB_LEN(field2),
+- GET_TD_SIZE(field2),
+- GET_INTR_TARGET(field2),
+- field3 & TRB_BEI ? 'B' : 'b',
+- field3 & TRB_IDT ? 'T' : 't',
+- field3 & TRB_IOC ? 'I' : 'i',
+- field3 & TRB_CHAIN ? 'C' : 'c',
+- field3 & TRB_NO_SNOOP ? 'S' : 's',
+- field3 & TRB_ISP ? 'I' : 'i',
+- field3 & TRB_ENT ? 'E' : 'e',
+- field3 & TRB_CYCLE ? 'C' : 'c',
+- !(field3 & TRB_EVENT_INVALIDATE) ? 'V' : 'v');
++ ret = scnprintf(str, size,
++ "type '%s' Buffer %08x%08x length %ld "
++ "TD size %ld intr %ld "
++ "flags %c:%c:%c:%c:%c:%c:%c:%c:%c",
++ cdnsp_trb_type_string(type),
++ field1, field0, TRB_LEN(field2),
++ GET_TD_SIZE(field2),
++ GET_INTR_TARGET(field2),
++ field3 & TRB_BEI ? 'B' : 'b',
++ field3 & TRB_IDT ? 'T' : 't',
++ field3 & TRB_IOC ? 'I' : 'i',
++ field3 & TRB_CHAIN ? 'C' : 'c',
++ field3 & TRB_NO_SNOOP ? 'S' : 's',
++ field3 & TRB_ISP ? 'I' : 'i',
++ field3 & TRB_ENT ? 'E' : 'e',
++ field3 & TRB_CYCLE ? 'C' : 'c',
++ !(field3 & TRB_EVENT_INVALIDATE) ? 'V' : 'v');
+ break;
+ case TRB_CMD_NOOP:
+ case TRB_ENABLE_SLOT:
+- ret = snprintf(str, size, "%s: flags %c",
+- cdnsp_trb_type_string(type),
+- field3 & TRB_CYCLE ? 'C' : 'c');
++ ret = scnprintf(str, size, "%s: flags %c",
++ cdnsp_trb_type_string(type),
++ field3 & TRB_CYCLE ? 'C' : 'c');
+ break;
+ case TRB_DISABLE_SLOT:
+- ret = snprintf(str, size, "%s: slot %ld flags %c",
+- cdnsp_trb_type_string(type),
+- TRB_TO_SLOT_ID(field3),
+- field3 & TRB_CYCLE ? 'C' : 'c');
++ ret = scnprintf(str, size, "%s: slot %ld flags %c",
++ cdnsp_trb_type_string(type),
++ TRB_TO_SLOT_ID(field3),
++ field3 & TRB_CYCLE ? 'C' : 'c');
+ break;
+ case TRB_ADDR_DEV:
+- ret = snprintf(str, size,
+- "%s: ctx %08x%08x slot %ld flags %c:%c",
+- cdnsp_trb_type_string(type), field1, field0,
+- TRB_TO_SLOT_ID(field3),
+- field3 & TRB_BSR ? 'B' : 'b',
+- field3 & TRB_CYCLE ? 'C' : 'c');
++ ret = scnprintf(str, size,
++ "%s: ctx %08x%08x slot %ld flags %c:%c",
++ cdnsp_trb_type_string(type), field1, field0,
++ TRB_TO_SLOT_ID(field3),
++ field3 & TRB_BSR ? 'B' : 'b',
++ field3 & TRB_CYCLE ? 'C' : 'c');
+ break;
+ case TRB_CONFIG_EP:
+- ret = snprintf(str, size,
+- "%s: ctx %08x%08x slot %ld flags %c:%c",
+- cdnsp_trb_type_string(type), field1, field0,
+- TRB_TO_SLOT_ID(field3),
+- field3 & TRB_DC ? 'D' : 'd',
+- field3 & TRB_CYCLE ? 'C' : 'c');
++ ret = scnprintf(str, size,
++ "%s: ctx %08x%08x slot %ld flags %c:%c",
++ cdnsp_trb_type_string(type), field1, field0,
++ TRB_TO_SLOT_ID(field3),
++ field3 & TRB_DC ? 'D' : 'd',
++ field3 & TRB_CYCLE ? 'C' : 'c');
+ break;
+ case TRB_EVAL_CONTEXT:
+- ret = snprintf(str, size,
+- "%s: ctx %08x%08x slot %ld flags %c",
+- cdnsp_trb_type_string(type), field1, field0,
+- TRB_TO_SLOT_ID(field3),
+- field3 & TRB_CYCLE ? 'C' : 'c');
++ ret = scnprintf(str, size,
++ "%s: ctx %08x%08x slot %ld flags %c",
++ cdnsp_trb_type_string(type), field1, field0,
++ TRB_TO_SLOT_ID(field3),
++ field3 & TRB_CYCLE ? 'C' : 'c');
+ break;
+ case TRB_RESET_EP:
+ case TRB_HALT_ENDPOINT:
+- ret = snprintf(str, size,
+- "%s: ep%d%s(%d) ctx %08x%08x slot %ld flags %c",
+- cdnsp_trb_type_string(type),
+- ep_num, ep_id % 2 ? "out" : "in",
+- TRB_TO_EP_INDEX(field3), field1, field0,
+- TRB_TO_SLOT_ID(field3),
+- field3 & TRB_CYCLE ? 'C' : 'c');
++ ret = scnprintf(str, size,
++ "%s: ep%d%s(%d) ctx %08x%08x slot %ld flags %c",
++ cdnsp_trb_type_string(type),
++ ep_num, ep_id % 2 ? "out" : "in",
++ TRB_TO_EP_INDEX(field3), field1, field0,
++ TRB_TO_SLOT_ID(field3),
++ field3 & TRB_CYCLE ? 'C' : 'c');
+ break;
+ case TRB_STOP_RING:
+- ret = snprintf(str, size,
+- "%s: ep%d%s(%d) slot %ld sp %d flags %c",
+- cdnsp_trb_type_string(type),
+- ep_num, ep_id % 2 ? "out" : "in",
+- TRB_TO_EP_INDEX(field3),
+- TRB_TO_SLOT_ID(field3),
+- TRB_TO_SUSPEND_PORT(field3),
+- field3 & TRB_CYCLE ? 'C' : 'c');
++ ret = scnprintf(str, size,
++ "%s: ep%d%s(%d) slot %ld sp %d flags %c",
++ cdnsp_trb_type_string(type),
++ ep_num, ep_id % 2 ? "out" : "in",
++ TRB_TO_EP_INDEX(field3),
++ TRB_TO_SLOT_ID(field3),
++ TRB_TO_SUSPEND_PORT(field3),
++ field3 & TRB_CYCLE ? 'C' : 'c');
+ break;
+ case TRB_SET_DEQ:
+- ret = snprintf(str, size,
+- "%s: ep%d%s(%d) deq %08x%08x stream %ld slot %ld flags %c",
+- cdnsp_trb_type_string(type),
+- ep_num, ep_id % 2 ? "out" : "in",
+- TRB_TO_EP_INDEX(field3), field1, field0,
+- TRB_TO_STREAM_ID(field2),
+- TRB_TO_SLOT_ID(field3),
+- field3 & TRB_CYCLE ? 'C' : 'c');
++ ret = scnprintf(str, size,
++ "%s: ep%d%s(%d) deq %08x%08x stream %ld slot %ld flags %c",
++ cdnsp_trb_type_string(type),
++ ep_num, ep_id % 2 ? "out" : "in",
++ TRB_TO_EP_INDEX(field3), field1, field0,
++ TRB_TO_STREAM_ID(field2),
++ TRB_TO_SLOT_ID(field3),
++ field3 & TRB_CYCLE ? 'C' : 'c');
+ break;
+ case TRB_RESET_DEV:
+- ret = snprintf(str, size, "%s: slot %ld flags %c",
+- cdnsp_trb_type_string(type),
+- TRB_TO_SLOT_ID(field3),
+- field3 & TRB_CYCLE ? 'C' : 'c');
++ ret = scnprintf(str, size, "%s: slot %ld flags %c",
++ cdnsp_trb_type_string(type),
++ TRB_TO_SLOT_ID(field3),
++ field3 & TRB_CYCLE ? 'C' : 'c');
+ break;
+ case TRB_ENDPOINT_NRDY:
+ temp = TRB_TO_HOST_STREAM(field2);
+
+- ret = snprintf(str, size,
+- "%s: ep%d%s(%d) H_SID %x%s%s D_SID %lx flags %c:%c",
+- cdnsp_trb_type_string(type),
+- ep_num, ep_id % 2 ? "out" : "in",
+- TRB_TO_EP_INDEX(field3), temp,
+- temp == STREAM_PRIME_ACK ? "(PRIME)" : "",
+- temp == STREAM_REJECTED ? "(REJECTED)" : "",
+- TRB_TO_DEV_STREAM(field0),
+- field3 & TRB_STAT ? 'S' : 's',
+- field3 & TRB_CYCLE ? 'C' : 'c');
++ ret = scnprintf(str, size,
++ "%s: ep%d%s(%d) H_SID %x%s%s D_SID %lx flags %c:%c",
++ cdnsp_trb_type_string(type),
++ ep_num, ep_id % 2 ? "out" : "in",
++ TRB_TO_EP_INDEX(field3), temp,
++ temp == STREAM_PRIME_ACK ? "(PRIME)" : "",
++ temp == STREAM_REJECTED ? "(REJECTED)" : "",
++ TRB_TO_DEV_STREAM(field0),
++ field3 & TRB_STAT ? 'S' : 's',
++ field3 & TRB_CYCLE ? 'C' : 'c');
+ break;
+ default:
+- ret = snprintf(str, size,
+- "type '%s' -> raw %08x %08x %08x %08x",
+- cdnsp_trb_type_string(type),
+- field0, field1, field2, field3);
++ ret = scnprintf(str, size,
++ "type '%s' -> raw %08x %08x %08x %08x",
++ cdnsp_trb_type_string(type),
++ field0, field1, field2, field3);
+ }
+
+- if (ret >= size)
+- pr_info("CDNSP: buffer overflowed.\n");
++ if (ret == size - 1)
++ pr_info("CDNSP: buffer may be truncated.\n");
+
+ return str;
+ }
+@@ -465,32 +465,32 @@ static inline const char *cdnsp_decode_portsc(char *str, size_t size,
+ {
+ int ret;
+
+- ret = snprintf(str, size, "%s %s %s Link:%s PortSpeed:%d ",
+- portsc & PORT_POWER ? "Powered" : "Powered-off",
+- portsc & PORT_CONNECT ? "Connected" : "Not-connected",
+- portsc & PORT_PED ? "Enabled" : "Disabled",
+- cdnsp_portsc_link_state_string(portsc),
+- DEV_PORT_SPEED(portsc));
++ ret = scnprintf(str, size, "%s %s %s Link:%s PortSpeed:%d ",
++ portsc & PORT_POWER ? "Powered" : "Powered-off",
++ portsc & PORT_CONNECT ? "Connected" : "Not-connected",
++ portsc & PORT_PED ? "Enabled" : "Disabled",
++ cdnsp_portsc_link_state_string(portsc),
++ DEV_PORT_SPEED(portsc));
+
+ if (portsc & PORT_RESET)
+- ret += snprintf(str + ret, size - ret, "In-Reset ");
++ ret += scnprintf(str + ret, size - ret, "In-Reset ");
+
+- ret += snprintf(str + ret, size - ret, "Change: ");
++ ret += scnprintf(str + ret, size - ret, "Change: ");
+ if (portsc & PORT_CSC)
+- ret += snprintf(str + ret, size - ret, "CSC ");
++ ret += scnprintf(str + ret, size - ret, "CSC ");
+ if (portsc & PORT_WRC)
+- ret += snprintf(str + ret, size - ret, "WRC ");
++ ret += scnprintf(str + ret, size - ret, "WRC ");
+ if (portsc & PORT_RC)
+- ret += snprintf(str + ret, size - ret, "PRC ");
++ ret += scnprintf(str + ret, size - ret, "PRC ");
+ if (portsc & PORT_PLC)
+- ret += snprintf(str + ret, size - ret, "PLC ");
++ ret += scnprintf(str + ret, size - ret, "PLC ");
+ if (portsc & PORT_CEC)
+- ret += snprintf(str + ret, size - ret, "CEC ");
+- ret += snprintf(str + ret, size - ret, "Wake: ");
++ ret += scnprintf(str + ret, size - ret, "CEC ");
++ ret += scnprintf(str + ret, size - ret, "Wake: ");
+ if (portsc & PORT_WKCONN_E)
+- ret += snprintf(str + ret, size - ret, "WCE ");
++ ret += scnprintf(str + ret, size - ret, "WCE ");
+ if (portsc & PORT_WKDISC_E)
+- ret += snprintf(str + ret, size - ret, "WDE ");
++ ret += scnprintf(str + ret, size - ret, "WDE ");
+
+ return str;
+ }
+@@ -562,20 +562,20 @@ static inline const char *cdnsp_decode_ep_context(char *str, size_t size,
+
+ avg = EP_AVG_TRB_LENGTH(tx_info);
+
+- ret = snprintf(str, size, "State %s mult %d max P. Streams %d %s",
+- cdnsp_ep_state_string(ep_state), mult,
+- max_pstr, lsa ? "LSA " : "");
++ ret = scnprintf(str, size, "State %s mult %d max P. Streams %d %s",
++ cdnsp_ep_state_string(ep_state), mult,
++ max_pstr, lsa ? "LSA " : "");
+
+- ret += snprintf(str + ret, size - ret,
+- "interval %d us max ESIT payload %d CErr %d ",
+- (1 << interval) * 125, esit, cerr);
++ ret += scnprintf(str + ret, size - ret,
++ "interval %d us max ESIT payload %d CErr %d ",
++ (1 << interval) * 125, esit, cerr);
+
+- ret += snprintf(str + ret, size - ret,
+- "Type %s %sburst %d maxp %d deq %016llx ",
+- cdnsp_ep_type_string(ep_type), hid ? "HID" : "",
+- burst, maxp, deq);
++ ret += scnprintf(str + ret, size - ret,
++ "Type %s %sburst %d maxp %d deq %016llx ",
++ cdnsp_ep_type_string(ep_type), hid ? "HID" : "",
++ burst, maxp, deq);
+
+- ret += snprintf(str + ret, size - ret, "avg trb len %d", avg);
++ ret += scnprintf(str + ret, size - ret, "avg trb len %d", avg);
+
+ return str;
+ }
+--
+2.39.5
+
--- /dev/null
+From 9fc0963c9faae8c5c6ba0d2a29b48d882a365a6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 May 2025 18:03:11 +0800
+Subject: usb: dwc3: Abort suspend on soft disconnect failure
+
+From: Kuen-Han Tsai <khtsai@google.com>
+
+[ Upstream commit 630a1dec3b0eba2a695b9063f1c205d585cbfec9 ]
+
+When dwc3_gadget_soft_disconnect() fails, dwc3_suspend_common() keeps
+going with the suspend, resulting in a period where the power domain is
+off, but the gadget driver remains connected. Within this time frame,
+invoking vbus_event_work() will cause an error as it attempts to access
+DWC3 registers for endpoint disabling after the power domain has been
+completely shut down.
+
+Abort the suspend sequence when dwc3_gadget_suspend() cannot halt the
+controller and proceeds with a soft connect.
+
+Fixes: 9f8a67b65a49 ("usb: dwc3: gadget: fix gadget suspend/resume")
+Cc: stable <stable@kernel.org>
+Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Signed-off-by: Kuen-Han Tsai <khtsai@google.com>
+Link: https://lore.kernel.org/r/20250528100315.2162699-1-khtsai@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/core.c | 9 +++++++--
+ drivers/usb/dwc3/gadget.c | 22 +++++++++-------------
+ 2 files changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c
+index 324d7673e3c3d..70ae3246d8d5a 100644
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -2153,6 +2153,7 @@ static int dwc3_core_init_for_resume(struct dwc3 *dwc)
+ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg)
+ {
+ u32 reg;
++ int ret;
+
+ if (!pm_runtime_suspended(dwc->dev) && !PMSG_IS_AUTO(msg)) {
+ dwc->susphy_state = (dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0)) &
+@@ -2171,7 +2172,9 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg)
+ case DWC3_GCTL_PRTCAP_DEVICE:
+ if (pm_runtime_suspended(dwc->dev))
+ break;
+- dwc3_gadget_suspend(dwc);
++ ret = dwc3_gadget_suspend(dwc);
++ if (ret)
++ return ret;
+ synchronize_irq(dwc->irq_gadget);
+ dwc3_core_exit(dwc);
+ break;
+@@ -2202,7 +2205,9 @@ static int dwc3_suspend_common(struct dwc3 *dwc, pm_message_t msg)
+ break;
+
+ if (dwc->current_otg_role == DWC3_OTG_ROLE_DEVICE) {
+- dwc3_gadget_suspend(dwc);
++ ret = dwc3_gadget_suspend(dwc);
++ if (ret)
++ return ret;
+ synchronize_irq(dwc->irq_gadget);
+ }
+
+diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
+index 3360a59c3d331..53a2675505208 100644
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -4641,26 +4641,22 @@ int dwc3_gadget_suspend(struct dwc3 *dwc)
+ int ret;
+
+ ret = dwc3_gadget_soft_disconnect(dwc);
+- if (ret)
+- goto err;
+-
+- spin_lock_irqsave(&dwc->lock, flags);
+- if (dwc->gadget_driver)
+- dwc3_disconnect_gadget(dwc);
+- spin_unlock_irqrestore(&dwc->lock, flags);
+-
+- return 0;
+-
+-err:
+ /*
+ * Attempt to reset the controller's state. Likely no
+ * communication can be established until the host
+ * performs a port reset.
+ */
+- if (dwc->softconnect)
++ if (ret && dwc->softconnect) {
+ dwc3_gadget_soft_connect(dwc);
++ return -EAGAIN;
++ }
+
+- return ret;
++ spin_lock_irqsave(&dwc->lock, flags);
++ if (dwc->gadget_driver)
++ dwc3_disconnect_gadget(dwc);
++ spin_unlock_irqrestore(&dwc->lock, flags);
++
++ return 0;
+ }
+
+ int dwc3_gadget_resume(struct dwc3 *dwc)
+--
+2.39.5
+
--- /dev/null
+From f01f4192eecfa26be8b0bc8ca7d045bc3035fd90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 17:41:19 +0300
+Subject: usb: xhci: quirk for data loss in ISOC transfers
+
+From: Raju Rangoju <Raju.Rangoju@amd.com>
+
+[ Upstream commit cbc889ab0122366f6cdbe3c28d477c683ebcebc2 ]
+
+During the High-Speed Isochronous Audio transfers, xHCI
+controller on certain AMD platforms experiences momentary data
+loss. This results in Missed Service Errors (MSE) being
+generated by the xHCI.
+
+The root cause of the MSE is attributed to the ISOC OUT endpoint
+being omitted from scheduling. This can happen when an IN
+endpoint with a 64ms service interval either is pre-scheduled
+prior to the ISOC OUT endpoint or the interval of the ISOC OUT
+endpoint is shorter than that of the IN endpoint. Consequently,
+the OUT service is neglected when an IN endpoint with a service
+interval exceeding 32ms is scheduled concurrently (every 64ms in
+this scenario).
+
+This issue is particularly seen on certain older AMD platforms.
+To mitigate this problem, it is recommended to adjust the service
+interval of the IN endpoint to not exceed 32ms (interval 8). This
+adjustment ensures that the OUT endpoint will not be bypassed,
+even if a smaller interval value is utilized.
+
+Cc: stable <stable@kernel.org>
+Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20250627144127.3889714-2-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci-mem.c | 4 ++++
+ drivers/usb/host/xhci-pci.c | 25 +++++++++++++++++++++++++
+ drivers/usb/host/xhci.h | 1 +
+ 3 files changed, 30 insertions(+)
+
+diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
+index 09e7eabdb73f4..537a0bc0f5e1c 100644
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -1453,6 +1453,10 @@ int xhci_endpoint_init(struct xhci_hcd *xhci,
+ /* Periodic endpoint bInterval limit quirk */
+ if (usb_endpoint_xfer_int(&ep->desc) ||
+ usb_endpoint_xfer_isoc(&ep->desc)) {
++ if ((xhci->quirks & XHCI_LIMIT_ENDPOINT_INTERVAL_9) &&
++ interval >= 9) {
++ interval = 8;
++ }
+ if ((xhci->quirks & XHCI_LIMIT_ENDPOINT_INTERVAL_7) &&
+ udev->speed >= USB_SPEED_HIGH &&
+ interval >= 7) {
+diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c
+index 30b2188a3cf8a..7ad6d13d65ee9 100644
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -65,12 +65,22 @@
+ #define PCI_DEVICE_ID_INTEL_ALDER_LAKE_PCH_XHCI 0x51ed
+ #define PCI_DEVICE_ID_INTEL_ALDER_LAKE_N_PCH_XHCI 0x54ed
+
++#define PCI_DEVICE_ID_AMD_ARIEL_TYPEC_XHCI 0x13ed
++#define PCI_DEVICE_ID_AMD_ARIEL_TYPEA_XHCI 0x13ee
++#define PCI_DEVICE_ID_AMD_STARSHIP_XHCI 0x148c
++#define PCI_DEVICE_ID_AMD_FIREFLIGHT_15D4_XHCI 0x15d4
++#define PCI_DEVICE_ID_AMD_FIREFLIGHT_15D5_XHCI 0x15d5
++#define PCI_DEVICE_ID_AMD_RAVEN_15E0_XHCI 0x15e0
++#define PCI_DEVICE_ID_AMD_RAVEN_15E1_XHCI 0x15e1
++#define PCI_DEVICE_ID_AMD_RAVEN2_XHCI 0x15e5
+ #define PCI_DEVICE_ID_AMD_RENOIR_XHCI 0x1639
+ #define PCI_DEVICE_ID_AMD_PROMONTORYA_4 0x43b9
+ #define PCI_DEVICE_ID_AMD_PROMONTORYA_3 0x43ba
+ #define PCI_DEVICE_ID_AMD_PROMONTORYA_2 0x43bb
+ #define PCI_DEVICE_ID_AMD_PROMONTORYA_1 0x43bc
+
++#define PCI_DEVICE_ID_ATI_NAVI10_7316_XHCI 0x7316
++
+ #define PCI_DEVICE_ID_ASMEDIA_1042_XHCI 0x1042
+ #define PCI_DEVICE_ID_ASMEDIA_1042A_XHCI 0x1142
+ #define PCI_DEVICE_ID_ASMEDIA_1142_XHCI 0x1242
+@@ -167,6 +177,21 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci)
+ if (pdev->vendor == PCI_VENDOR_ID_NEC)
+ xhci->quirks |= XHCI_NEC_HOST;
+
++ if (pdev->vendor == PCI_VENDOR_ID_AMD &&
++ (pdev->device == PCI_DEVICE_ID_AMD_ARIEL_TYPEC_XHCI ||
++ pdev->device == PCI_DEVICE_ID_AMD_ARIEL_TYPEA_XHCI ||
++ pdev->device == PCI_DEVICE_ID_AMD_STARSHIP_XHCI ||
++ pdev->device == PCI_DEVICE_ID_AMD_FIREFLIGHT_15D4_XHCI ||
++ pdev->device == PCI_DEVICE_ID_AMD_FIREFLIGHT_15D5_XHCI ||
++ pdev->device == PCI_DEVICE_ID_AMD_RAVEN_15E0_XHCI ||
++ pdev->device == PCI_DEVICE_ID_AMD_RAVEN_15E1_XHCI ||
++ pdev->device == PCI_DEVICE_ID_AMD_RAVEN2_XHCI))
++ xhci->quirks |= XHCI_LIMIT_ENDPOINT_INTERVAL_9;
++
++ if (pdev->vendor == PCI_VENDOR_ID_ATI &&
++ pdev->device == PCI_DEVICE_ID_ATI_NAVI10_7316_XHCI)
++ xhci->quirks |= XHCI_LIMIT_ENDPOINT_INTERVAL_9;
++
+ if (pdev->vendor == PCI_VENDOR_ID_AMD && xhci->hci_version == 0x96)
+ xhci->quirks |= XHCI_AMD_0x96_HOST;
+
+diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h
+index 542a4b7fd7ce4..fd095ff9fc8b9 100644
+--- a/drivers/usb/host/xhci.h
++++ b/drivers/usb/host/xhci.h
+@@ -1663,6 +1663,7 @@ struct xhci_hcd {
+ #define XHCI_ZHAOXIN_HOST BIT_ULL(46)
+ #define XHCI_WRITE_64_HI_LO BIT_ULL(47)
+ #define XHCI_CDNS_SCTX_QUIRK BIT_ULL(48)
++#define XHCI_LIMIT_ENDPOINT_INTERVAL_9 BIT_ULL(49)
+
+ unsigned int num_active_eps;
+ unsigned int limit_active_eps;
+--
+2.39.5
+
--- /dev/null
+From f0c6af2cb2a329270cfe49d8783fd28b0d242a27 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 21:41:44 -0400
+Subject: vt: add missing notification when switching back to text mode
+
+From: Nicolas Pitre <npitre@baylibre.com>
+
+[ Upstream commit ff78538e07fa284ce08cbbcb0730daa91ed16722 ]
+
+Programs using poll() on /dev/vcsa to be notified when VT changes occur
+were missing one case: the switch from gfx to text mode.
+
+Signed-off-by: Nicolas Pitre <npitre@baylibre.com>
+Link: https://lore.kernel.org/r/9o5ro928-0pp4-05rq-70p4-ro385n21n723@onlyvoer.pbz
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/vt/vt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
+index ccfd9d93c10c5..f6457263354ba 100644
+--- a/drivers/tty/vt/vt.c
++++ b/drivers/tty/vt/vt.c
+@@ -4452,6 +4452,7 @@ void do_unblank_screen(int leaving_gfx)
+ set_palette(vc);
+ set_cursor(vc);
+ vt_event_post(VT_EVENT_UNBLANK, vc->vc_num, vc->vc_num);
++ notify_update(vc);
+ }
+ EXPORT_SYMBOL(do_unblank_screen);
+
+--
+2.39.5
+
--- /dev/null
+From 735a77a8aa0341ae165b0237aa7e8dbb304b38eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jun 2025 14:46:19 +0300
+Subject: wifi: zd1211rw: Fix potential NULL pointer dereference in
+ zd_mac_tx_to_dev()
+
+From: Daniil Dulov <d.dulov@aladdin.ru>
+
+[ Upstream commit 74b1ec9f5d627d2bdd5e5b6f3f81c23317657023 ]
+
+There is a potential NULL pointer dereference in zd_mac_tx_to_dev(). For
+example, the following is possible:
+
+ T0 T1
+zd_mac_tx_to_dev()
+ /* len == skb_queue_len(q) */
+ while (len > ZD_MAC_MAX_ACK_WAITERS) {
+
+ filter_ack()
+ spin_lock_irqsave(&q->lock, flags);
+ /* position == skb_queue_len(q) */
+ for (i=1; i<position; i++)
+ skb = __skb_dequeue(q)
+
+ if (mac->type == NL80211_IFTYPE_AP)
+ skb = __skb_dequeue(q);
+ spin_unlock_irqrestore(&q->lock, flags);
+
+ skb_dequeue() -> NULL
+
+Since there is a small gap between checking skb queue length and skb being
+unconditionally dequeued in zd_mac_tx_to_dev(), skb_dequeue() can return NULL.
+Then the pointer is passed to zd_mac_tx_status() where it is dereferenced.
+
+In order to avoid potential NULL pointer dereference due to situations like
+above, check if skb is not NULL before passing it to zd_mac_tx_status().
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 459c51ad6e1f ("zd1211rw: port to mac80211")
+Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru>
+Link: https://patch.msgid.link/20250626114619.172631-1-d.dulov@aladdin.ru
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/zydas/zd1211rw/zd_mac.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/zydas/zd1211rw/zd_mac.c b/drivers/net/wireless/zydas/zd1211rw/zd_mac.c
+index 80b905d499542..57269c317ce22 100644
+--- a/drivers/net/wireless/zydas/zd1211rw/zd_mac.c
++++ b/drivers/net/wireless/zydas/zd1211rw/zd_mac.c
+@@ -583,7 +583,11 @@ void zd_mac_tx_to_dev(struct sk_buff *skb, int error)
+
+ skb_queue_tail(q, skb);
+ while (skb_queue_len(q) > ZD_MAC_MAX_ACK_WAITERS) {
+- zd_mac_tx_status(hw, skb_dequeue(q),
++ skb = skb_dequeue(q);
++ if (!skb)
++ break;
++
++ zd_mac_tx_status(hw, skb,
+ mac->ack_pending ? mac->ack_signal : 0,
+ NULL);
+ mac->ack_pending = 0;
+--
+2.39.5
+
--- /dev/null
+From 37c4e0c14754e9afb6465236ba44f12c5742b88d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Mar 2024 11:13:27 +0530
+Subject: xhci: Allow RPM on the USB controller (1022:43f7) by default
+
+From: Basavaraj Natikar <Basavaraj.Natikar@amd.com>
+
+[ Upstream commit 28cbed496059fe1868203b76e9e0ef285733524d ]
+
+Enable runtime PM by default for older AMD 1022:43f7 xHCI 1.1 host as it
+is proven to work.
+Driver enables runtime PM by default for newer xHCI 1.2 host.
+
+Link: https://lore.kernel.org/all/12335218.O9o76ZdvQC@natalenko.name/
+Cc: Mario Limonciello <mario.limonciello@amd.com>
+Tested-by: Oleksandr Natalenko <oleksandr@natalenko.name>
+Signed-off-by: Basavaraj Natikar <Basavaraj.Natikar@amd.com>
+Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20240304054327.2564500-1-Basavaraj.Natikar@amd.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: cbc889ab0122 ("usb: xhci: quirk for data loss in ISOC transfers")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci-pci.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c
+index ca27bc15209c2..30b2188a3cf8a 100644
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -190,8 +190,11 @@ static void xhci_pci_quirks(struct device *dev, struct xhci_hcd *xhci)
+ xhci->quirks |= XHCI_RESET_ON_RESUME;
+ }
+
+- if (pdev->vendor == PCI_VENDOR_ID_AMD)
++ if (pdev->vendor == PCI_VENDOR_ID_AMD) {
+ xhci->quirks |= XHCI_TRUST_TX_LENGTH;
++ if (pdev->device == 0x43f7)
++ xhci->quirks |= XHCI_DEFAULT_PM_RUNTIME_ALLOW;
++ }
+
+ if ((pdev->vendor == PCI_VENDOR_ID_AMD) &&
+ ((pdev->device == PCI_DEVICE_ID_AMD_PROMONTORYA_4) ||
+--
+2.39.5
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
