--- /dev/null
+From stable+bounces-196783-greg=kroah.com@vger.kernel.org Mon Nov 24 19:49:16 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Nov 2025 13:48:38 -0500
+Subject: ata: libata-scsi: Fix system suspend for a security locked drive
+To: stable@vger.kernel.org
+Cc: Niklas Cassel <cassel@kernel.org>, Ilia Baryshnikov <qwelias@gmail.com>, Hannes Reinecke <hare@suse.de>, "Martin K. Petersen" <martin.petersen@oracle.com>, Damien Le Moal <dlemoal@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251124184838.4189739-1-sashal@kernel.org>
+
+From: Niklas Cassel <cassel@kernel.org>
+
+[ Upstream commit b11890683380a36b8488229f818d5e76e8204587 ]
+
+Commit cf3fc037623c ("ata: libata-scsi: Fix ata_to_sense_error() status
+handling") fixed ata_to_sense_error() to properly generate sense key
+ABORTED COMMAND (without any additional sense code), instead of the
+previous bogus sense key ILLEGAL REQUEST with the additional sense code
+UNALIGNED WRITE COMMAND, for a failed command.
+
+However, this broke suspend for Security locked drives (drives that have
+Security enabled, and have not been Security unlocked by boot firmware).
+
+The reason for this is that the SCSI disk driver, for the Synchronize
+Cache command only, treats any sense data with sense key ILLEGAL REQUEST
+as a successful command (regardless of ASC / ASCQ).
+
+After commit cf3fc037623c ("ata: libata-scsi: Fix ata_to_sense_error()
+status handling") the code that treats any sense data with sense key
+ILLEGAL REQUEST as a successful command is no longer applicable, so the
+command fails, which causes the system suspend to be aborted:
+
+ sd 1:0:0:0: PM: dpm_run_callback(): scsi_bus_suspend returns -5
+ sd 1:0:0:0: PM: failed to suspend async: error -5
+ PM: Some devices failed to suspend, or early wake event detected
+
+To make suspend work once again, for a Security locked device only,
+return sense data LOGICAL UNIT ACCESS NOT AUTHORIZED, the actual sense
+data which a real SCSI device would have returned if locked.
+The SCSI disk driver treats this sense data as a successful command.
+
+Cc: stable@vger.kernel.org
+Reported-by: Ilia Baryshnikov <qwelias@gmail.com>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220704
+Fixes: cf3fc037623c ("ata: libata-scsi: Fix ata_to_sense_error() status handling")
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+[ Adjust context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libata-scsi.c | 8 ++++++++
+ include/linux/ata.h | 1 +
+ 2 files changed, 9 insertions(+)
+
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -968,6 +968,14 @@ static void ata_gen_ata_sense(struct ata
+ ata_scsi_set_sense(dev, cmd, NOT_READY, 0x04, 0x21);
+ return;
+ }
++
++ if (ata_id_is_locked(dev->id)) {
++ /* Security locked */
++ /* LOGICAL UNIT ACCESS NOT AUTHORIZED */
++ ata_scsi_set_sense(dev, cmd, DATA_PROTECT, 0x74, 0x71);
++ return;
++ }
++
+ /* Use ata_to_sense_error() to map status register bits
+ * onto sense key, asc & ascq.
+ */
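Review bot: The new `ata_id_is_locked(dev->id)` branch in ata_gen_ata_sense() returns DATA PROTECT / LOGICAL UNIT ACCESS NOT AUTHORIZED for every failed command that reaches this point on a locked drive, not only for the Synchronize Cache the commit message describes. It runs before the status register bits are mapped by ata_to_sense_error(). The decision is also taken from the cached IDENTIFY data in `dev->id`, so if the drive is unlocked later without that data being refreshed (not visible in this hunk), the same sense data would presumably keep being reported. The two stacked one-line comments could become one that records both facts, e.g. `/* Security locked per cached IDENTIFY data: report LOGICAL UNIT ACCESS NOT AUTHORIZED for any failed command */`. ata_gen_ata_sense() starts and ends outside the hunk.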
+--- a/include/linux/ata.h
++++ b/include/linux/ata.h
+@@ -557,6 +557,7 @@ struct ata_bmdma_prd {
+ #define ata_id_has_ncq(id) ((id)[ATA_ID_SATA_CAPABILITY] & (1 << 8))
+ #define ata_id_queue_depth(id) (((id)[ATA_ID_QUEUE_DEPTH] & 0x1f) + 1)
+ #define ata_id_removable(id) ((id)[ATA_ID_CONFIG] & (1 << 7))
++#define ata_id_is_locked(id) (((id)[ATA_ID_DLF] & 0x7) == 0x7)
+ #define ata_id_has_atapi_AN(id) \
+ ((((id)[ATA_ID_SATA_CAPABILITY] != 0x0000) && \
+ ((id)[ATA_ID_SATA_CAPABILITY] != 0xffff)) && \
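Review bot: `ata_id_is_locked()` tests `((id)[ATA_ID_DLF] & 0x7) == 0x7` without saying what the three bits are, so the header does not show why "locked" requires all of them to be set. A one-line comment above the macro would settle it, e.g. `/* Security status word: bit 0 supported, bit 1 enabled, bit 2 locked */` (bit meanings as I read the ATA IDENTIFY layout; please confirm against the spec). Named bit constants in place of the bare `0x7` would also let the caller added in libata-scsi.c be read without opening this header.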
--- /dev/null
+From 8a2b3da191e5a167bba9776e109b775b21cb4d85 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Tue, 31 Aug 2021 15:30:36 +0100
+Subject: btrfs: add helper to truncate inode items when logging inode
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit 8a2b3da191e5a167bba9776e109b775b21cb4d85 upstream.
+
+Move the call to btrfs_truncate_inode_items(), and the surrounding retry
+loop, into a local helper function. This avoids some repetition and avoids
+making the next change a bit awkward due to a bit of too much indentation.
+
+This patch is part of a patch set comprised of the following patches:
+
+ btrfs: check if a log tree exists at inode_logged()
+ btrfs: remove no longer needed checks for NULL log context
+ btrfs: do not log new dentries when logging that a new name exists
+ btrfs: always update the logged transaction when logging new names
+ btrfs: avoid expensive search when dropping inode items from log
+ btrfs: add helper to truncate inode items when logging inode
+ btrfs: avoid expensive search when truncating inode items from the log
+ btrfs: avoid search for logged i_size when logging inode if possible
+ btrfs: avoid attempt to drop extents when logging inode for the first time
+ btrfs: do not commit delayed inode when logging a file in full sync mode
+
+This is patch 6/10 and test results are listed in the change log of the
+last patch in the set.
+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Harshvardhan Jha <harshvardhan.j.jha@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tree-log.c | 32 +++++++++++++++++++-------------
+ 1 file changed, 19 insertions(+), 13 deletions(-)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -3955,6 +3955,21 @@ static int drop_objectid_items(struct bt
+ return ret;
+ }
+
++static int truncate_inode_items(struct btrfs_trans_handle *trans,
++ struct btrfs_root *log_root,
++ struct btrfs_inode *inode,
++ u64 new_size, u32 min_type)
++{
++ int ret;
++
++ do {
++ ret = btrfs_truncate_inode_items(trans, log_root, inode,
++ new_size, min_type, NULL);
++ } while (ret == -EAGAIN);
++
++ return ret;
++}
++
+ static void fill_inode_item(struct btrfs_trans_handle *trans,
+ struct extent_buffer *leaf,
+ struct btrfs_inode_item *item,
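Review bot: truncate_inode_items() has no comment, and its name differs from the function it wraps only by the missing `btrfs_` prefix, so the retry behaviour is easy to overlook at call sites. A short header such as `/* Call btrfs_truncate_inode_items() on the log root, retrying for as long as it returns -EAGAIN. */` would state the contract. It is also worth noting there that the loop has no upper bound and that the last argument is always NULL. fill_inode_item(), which follows the helper, continues outside the hunk.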
+@@ -4548,13 +4563,9 @@ static int btrfs_log_prealloc_extents(st
+ * Avoid logging extent items logged in past fsync calls
+ * and leading to duplicate keys in the log tree.
+ */
+- do {
+- ret = btrfs_truncate_inode_items(trans,
+- root->log_root,
+- inode, truncate_offset,
+- BTRFS_EXTENT_DATA_KEY,
+- NULL);
+- } while (ret == -EAGAIN);
++ ret = truncate_inode_items(trans, root->log_root, inode,
++ truncate_offset,
++ BTRFS_EXTENT_DATA_KEY);
+ if (ret)
+ goto out;
+ dropped_extents = true;
+@@ -5531,12 +5542,7 @@ static int btrfs_log_inode(struct btrfs_
+ &inode->runtime_flags);
+ clear_bit(BTRFS_INODE_COPY_EVERYTHING,
+ &inode->runtime_flags);
+- while(1) {
+- ret = btrfs_truncate_inode_items(trans,
+- log, inode, 0, 0, NULL);
+- if (ret != -EAGAIN)
+- break;
+- }
++ ret = truncate_inode_items(trans, log, inode, 0, 0);
+ }
+ } else if (test_and_clear_bit(BTRFS_INODE_COPY_EVERYTHING,
+ &inode->runtime_flags) ||
--- /dev/null
+From 9d274c19a71b3a276949933859610721a453946b Mon Sep 17 00:00:00 2001
+From: Omar Sandoval <osandov@fb.com>
+Date: Fri, 24 May 2024 13:58:11 -0700
+Subject: btrfs: fix crash on racing fsync and size-extending write into prealloc
+
+From: Omar Sandoval <osandov@fb.com>
+
+commit 9d274c19a71b3a276949933859610721a453946b upstream.
+
+We have been seeing crashes on duplicate keys in
+btrfs_set_item_key_safe():
+
+ BTRFS critical (device vdb): slot 4 key (450 108 8192) new key (450 108 8192)
+ ------------[ cut here ]------------
+ kernel BUG at fs/btrfs/ctree.c:2620!
+ invalid opcode: 0000 [#1] PREEMPT SMP PTI
+ CPU: 0 PID: 3139 Comm: xfs_io Kdump: loaded Not tainted 6.9.0 #6
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
+ RIP: 0010:btrfs_set_item_key_safe+0x11f/0x290 [btrfs]
+
+With the following stack trace:
+
+ #0 btrfs_set_item_key_safe (fs/btrfs/ctree.c:2620:4)
+ #1 btrfs_drop_extents (fs/btrfs/file.c:411:4)
+ #2 log_one_extent (fs/btrfs/tree-log.c:4732:9)
+ #3 btrfs_log_changed_extents (fs/btrfs/tree-log.c:4955:9)
+ #4 btrfs_log_inode (fs/btrfs/tree-log.c:6626:9)
+ #5 btrfs_log_inode_parent (fs/btrfs/tree-log.c:7070:8)
+ #6 btrfs_log_dentry_safe (fs/btrfs/tree-log.c:7171:8)
+ #7 btrfs_sync_file (fs/btrfs/file.c:1933:8)
+ #8 vfs_fsync_range (fs/sync.c:188:9)
+ #9 vfs_fsync (fs/sync.c:202:9)
+ #10 do_fsync (fs/sync.c:212:9)
+ #11 __do_sys_fdatasync (fs/sync.c:225:9)
+ #12 __se_sys_fdatasync (fs/sync.c:223:1)
+ #13 __x64_sys_fdatasync (fs/sync.c:223:1)
+ #14 do_syscall_x64 (arch/x86/entry/common.c:52:14)
+ #15 do_syscall_64 (arch/x86/entry/common.c:83:7)
+ #16 entry_SYSCALL_64+0xaf/0x14c (arch/x86/entry/entry_64.S:121)
+
+So we're logging a changed extent from fsync, which is splitting an
+extent in the log tree. But this split part already exists in the tree,
+triggering the BUG().
+
+This is the state of the log tree at the time of the crash, dumped with
+drgn (https://github.com/osandov/drgn/blob/main/contrib/btrfs_tree.py)
+to get more details than btrfs_print_leaf() gives us:
+
+ >>> print_extent_buffer(prog.crashed_thread().stack_trace()[0]["eb"])
+ leaf 33439744 level 0 items 72 generation 9 owner 18446744073709551610
+ leaf 33439744 flags 0x100000000000000
+ fs uuid e5bd3946-400c-4223-8923-190ef1f18677
+ chunk uuid d58cb17e-6d02-494a-829a-18b7d8a399da
+ item 0 key (450 INODE_ITEM 0) itemoff 16123 itemsize 160
+ generation 7 transid 9 size 8192 nbytes 8473563889606862198
+ block group 0 mode 100600 links 1 uid 0 gid 0 rdev 0
+ sequence 204 flags 0x10(PREALLOC)
+ atime 1716417703.220000000 (2024-05-22 15:41:43)
+ ctime 1716417704.983333333 (2024-05-22 15:41:44)
+ mtime 1716417704.983333333 (2024-05-22 15:41:44)
+ otime 17592186044416.000000000 (559444-03-08 01:40:16)
+ item 1 key (450 INODE_REF 256) itemoff 16110 itemsize 13
+ index 195 namelen 3 name: 193
+ item 2 key (450 XATTR_ITEM 1640047104) itemoff 16073 itemsize 37
+ location key (0 UNKNOWN.0 0) type XATTR
+ transid 7 data_len 1 name_len 6
+ name: user.a
+ data a
+ item 3 key (450 EXTENT_DATA 0) itemoff 16020 itemsize 53
+ generation 9 type 1 (regular)
+ extent data disk byte 303144960 nr 12288
+ extent data offset 0 nr 4096 ram 12288
+ extent compression 0 (none)
+ item 4 key (450 EXTENT_DATA 4096) itemoff 15967 itemsize 53
+ generation 9 type 2 (prealloc)
+ prealloc data disk byte 303144960 nr 12288
+ prealloc data offset 4096 nr 8192
+ item 5 key (450 EXTENT_DATA 8192) itemoff 15914 itemsize 53
+ generation 9 type 2 (prealloc)
+ prealloc data disk byte 303144960 nr 12288
+ prealloc data offset 8192 nr 4096
+ ...
+
+So the real problem happened earlier: notice that items 4 (4k-12k) and 5
+(8k-12k) overlap. Both are prealloc extents. Item 4 straddles i_size and
+item 5 starts at i_size.
+
+Here is the state of the filesystem tree at the time of the crash:
+
+ >>> root = prog.crashed_thread().stack_trace()[2]["inode"].root
+ >>> ret, nodes, slots = btrfs_search_slot(root, BtrfsKey(450, 0, 0))
+ >>> print_extent_buffer(nodes[0])
+ leaf 30425088 level 0 items 184 generation 9 owner 5
+ leaf 30425088 flags 0x100000000000000
+ fs uuid e5bd3946-400c-4223-8923-190ef1f18677
+ chunk uuid d58cb17e-6d02-494a-829a-18b7d8a399da
+ ...
+ item 179 key (450 INODE_ITEM 0) itemoff 4907 itemsize 160
+ generation 7 transid 7 size 4096 nbytes 12288
+ block group 0 mode 100600 links 1 uid 0 gid 0 rdev 0
+ sequence 6 flags 0x10(PREALLOC)
+ atime 1716417703.220000000 (2024-05-22 15:41:43)
+ ctime 1716417703.220000000 (2024-05-22 15:41:43)
+ mtime 1716417703.220000000 (2024-05-22 15:41:43)
+ otime 1716417703.220000000 (2024-05-22 15:41:43)
+ item 180 key (450 INODE_REF 256) itemoff 4894 itemsize 13
+ index 195 namelen 3 name: 193
+ item 181 key (450 XATTR_ITEM 1640047104) itemoff 4857 itemsize 37
+ location key (0 UNKNOWN.0 0) type XATTR
+ transid 7 data_len 1 name_len 6
+ name: user.a
+ data a
+ item 182 key (450 EXTENT_DATA 0) itemoff 4804 itemsize 53
+ generation 9 type 1 (regular)
+ extent data disk byte 303144960 nr 12288
+ extent data offset 0 nr 8192 ram 12288
+ extent compression 0 (none)
+ item 183 key (450 EXTENT_DATA 8192) itemoff 4751 itemsize 53
+ generation 9 type 2 (prealloc)
+ prealloc data disk byte 303144960 nr 12288
+ prealloc data offset 8192 nr 4096
+
+Item 5 in the log tree corresponds to item 183 in the filesystem tree,
+but nothing matches item 4. Furthermore, item 183 is the last item in
+the leaf.
+
+btrfs_log_prealloc_extents() is responsible for logging prealloc extents
+beyond i_size. It first truncates any previously logged prealloc extents
+that start beyond i_size. Then, it walks the filesystem tree and copies
+the prealloc extent items to the log tree.
+
+If it hits the end of a leaf, then it calls btrfs_next_leaf(), which
+unlocks the tree and does another search. However, while the filesystem
+tree is unlocked, an ordered extent completion may modify the tree. In
+particular, it may insert an extent item that overlaps with an extent
+item that was already copied to the log tree.
+
+This may manifest in several ways depending on the exact scenario,
+including an EEXIST error that is silently translated to a full sync,
+overlapping items in the log tree, or this crash. This particular crash
+is triggered by the following sequence of events:
+
+- Initially, the file has i_size=4k, a regular extent from 0-4k, and a
+ prealloc extent beyond i_size from 4k-12k. The prealloc extent item is
+ the last item in its B-tree leaf.
+- The file is fsync'd, which copies its inode item and both extent items
+ to the log tree.
+- An xattr is set on the file, which sets the
+ BTRFS_INODE_COPY_EVERYTHING flag.
+- The range 4k-8k in the file is written using direct I/O. i_size is
+ extended to 8k, but the ordered extent is still in flight.
+- The file is fsync'd. Since BTRFS_INODE_COPY_EVERYTHING is set, this
+ calls copy_inode_items_to_log(), which calls
+ btrfs_log_prealloc_extents().
+- btrfs_log_prealloc_extents() finds the 4k-12k prealloc extent in the
+ filesystem tree. Since it starts before i_size, it skips it. Since it
+ is the last item in its B-tree leaf, it calls btrfs_next_leaf().
+- btrfs_next_leaf() unlocks the path.
+- The ordered extent completion runs, which converts the 4k-8k part of
+ the prealloc extent to written and inserts the remaining prealloc part
+ from 8k-12k.
+- btrfs_next_leaf() does a search and finds the new prealloc extent
+ 8k-12k.
+- btrfs_log_prealloc_extents() copies the 8k-12k prealloc extent into
+ the log tree. Note that it overlaps with the 4k-12k prealloc extent
+ that was copied to the log tree by the first fsync.
+- fsync calls btrfs_log_changed_extents(), which tries to log the 4k-8k
+ extent that was written.
+- This tries to drop the range 4k-8k in the log tree, which requires
+ adjusting the start of the 4k-12k prealloc extent in the log tree to
+ 8k.
+- btrfs_set_item_key_safe() sees that there is already an extent
+ starting at 8k in the log tree and calls BUG().
+
+Fix this by detecting when we're about to insert an overlapping file
+extent item in the log tree and truncating the part that would overlap.
+
+CC: stable@vger.kernel.org # 6.1+
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Omar Sandoval <osandov@fb.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Harshvardhan Jha <harshvardhan.j.jha@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tree-log.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -4558,18 +4558,23 @@ static int btrfs_log_prealloc_extents(st
+ path->slots[0]++;
+ continue;
+ }
+- if (!dropped_extents) {
+- /*
+- * Avoid logging extent items logged in past fsync calls
+- * and leading to duplicate keys in the log tree.
+- */
++ /*
++ * Avoid overlapping items in the log tree. The first time we
++ * get here, get rid of everything from a past fsync. After
++ * that, if the current extent starts before the end of the last
++ * extent we copied, truncate the last one. This can happen if
++ * an ordered extent completion modifies the subvolume tree
++ * while btrfs_next_leaf() has the tree unlocked.
++ */
++ if (!dropped_extents || key.offset < truncate_offset) {
+ ret = truncate_inode_items(trans, root->log_root, inode,
+- truncate_offset,
++ min(key.offset, truncate_offset),
+ BTRFS_EXTENT_DATA_KEY);
+ if (ret)
+ goto out;
+ dropped_extents = true;
+ }
++ truncate_offset = btrfs_file_extent_end(path);
+ if (ins_nr == 0)
+ start_slot = slot;
+ ins_nr++;
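Review bot: After this change `truncate_offset` carries two meanings in btrfs_log_prealloc_extents(): first the offset from which items of a past fsync are dropped, and then, once `truncate_offset = btrfs_file_extent_end(path);` has run, the end of the last extent copied to the log. The block comment explains the condition but not the reassignment. A comment on that line, e.g. `/* From here on: end of the last extent we copied to the log. */`, or a separately named variable, would make the `key.offset < truncate_offset` test readable on its own. The function and its enclosing loop start and end outside the hunk.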
--- /dev/null
+From stable+bounces-196805-greg=kroah.com@vger.kernel.org Mon Nov 24 22:18:43 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Nov 2025 16:18:06 -0500
+Subject: dt-bindings: pinctrl: toshiba,visconti: Fix number of items in groups
+To: stable@vger.kernel.org
+Cc: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>, Conor Dooley <conor.dooley@microchip.com>, Linus Walleij <linus.walleij@linaro.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251124211806.34641-1-sashal@kernel.org>
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 316e361b5d2cdeb8d778983794a1c6eadcb26814 ]
+
+The "groups" property can hold multiple entries (e.g.
+toshiba/tmpv7708-rm-mbrc.dts file), so allow that by dropping incorrect
+type (pinmux-node.yaml schema already defines that as string-array) and
+adding constraints for items. This fixes dtbs_check warnings like:
+
+ toshiba/tmpv7708-rm-mbrc.dtb: pinctrl@24190000 (toshiba,tmpv7708-pinctrl):
+ pwm-pins:groups: ['pwm0_gpio16_grp', 'pwm1_gpio17_grp', 'pwm2_gpio18_grp', 'pwm3_gpio19_grp'] is too long
+
+Fixes: 1825c1fe0057 ("pinctrl: Add DT bindings for Toshiba Visconti TMPV7700 SoC")
+Cc: stable@vger.kernel.org
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Acked-by: Conor Dooley <conor.dooley@microchip.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+[ adjusted $ref context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/pinctrl/toshiba,visconti-pinctrl.yaml | 26 +++++-----
+ 1 file changed, 14 insertions(+), 12 deletions(-)
+
+--- a/Documentation/devicetree/bindings/pinctrl/toshiba,visconti-pinctrl.yaml
++++ b/Documentation/devicetree/bindings/pinctrl/toshiba,visconti-pinctrl.yaml
+@@ -46,18 +46,20 @@ patternProperties:
+ groups:
+ description:
+ Name of the pin group to use for the functions.
+- $ref: "/schemas/types.yaml#/definitions/string"
+- enum: [i2c0_grp, i2c1_grp, i2c2_grp, i2c3_grp, i2c4_grp,
+- i2c5_grp, i2c6_grp, i2c7_grp, i2c8_grp,
+- spi0_grp, spi0_cs0_grp, spi0_cs1_grp, spi0_cs2_grp,
+- spi1_grp, spi2_grp, spi3_grp, spi4_grp, spi5_grp, spi6_grp,
+- uart0_grp, uart1_grp, uart2_grp, uart3_grp,
+- pwm0_gpio4_grp, pwm0_gpio8_grp, pwm0_gpio12_grp,
+- pwm0_gpio16_grp, pwm1_gpio5_grp, pwm1_gpio9_grp,
+- pwm1_gpio13_grp, pwm1_gpio17_grp, pwm2_gpio6_grp,
+- pwm2_gpio10_grp, pwm2_gpio14_grp, pwm2_gpio18_grp,
+- pwm3_gpio7_grp, pwm3_gpio11_grp, pwm3_gpio15_grp,
+- pwm3_gpio19_grp, pcmif_out_grp, pcmif_in_grp]
++ items:
++ enum: [i2c0_grp, i2c1_grp, i2c2_grp, i2c3_grp, i2c4_grp,
++ i2c5_grp, i2c6_grp, i2c7_grp, i2c8_grp,
++ spi0_grp, spi0_cs0_grp, spi0_cs1_grp, spi0_cs2_grp,
++ spi1_grp, spi2_grp, spi3_grp, spi4_grp, spi5_grp, spi6_grp,
++ uart0_grp, uart1_grp, uart2_grp, uart3_grp,
++ pwm0_gpio4_grp, pwm0_gpio8_grp, pwm0_gpio12_grp,
++ pwm0_gpio16_grp, pwm1_gpio5_grp, pwm1_gpio9_grp,
++ pwm1_gpio13_grp, pwm1_gpio17_grp, pwm2_gpio6_grp,
++ pwm2_gpio10_grp, pwm2_gpio14_grp, pwm2_gpio18_grp,
++ pwm3_gpio7_grp, pwm3_gpio11_grp, pwm3_gpio15_grp,
++ pwm3_gpio19_grp, pcmif_out_grp, pcmif_in_grp]
++ minItems: 1
++ maxItems: 8
+
+ drive-strength:
+ enum: [2, 4, 6, 8, 16, 24, 32]
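Review bot: `maxItems: 8` on `groups` is given without a rationale, while the `items` enum lists many more group names than that and the commit message cites only a four-entry example. If 8 reflects a hardware or driver limit, a one-line `#` comment naming it next to the bound would help. If it is an arbitrary ceiling, saying so in the `description` would keep a later board file from failing dtbs_check for a reason nobody can trace.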
--- /dev/null
+From stable+bounces-196782-greg=kroah.com@vger.kernel.org Mon Nov 24 19:38:24 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Nov 2025 13:37:58 -0500
+Subject: Input: pegasus-notetaker - fix potential out-of-bounds access
+To: stable@vger.kernel.org
+Cc: Seungjin Bae <eeodqql09@gmail.com>, Dmitry Torokhov <dmitry.torokhov@gmail.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251124183758.4187087-3-sashal@kernel.org>
+
+From: Seungjin Bae <eeodqql09@gmail.com>
+
+[ Upstream commit 69aeb507312306f73495598a055293fa749d454e ]
+
+In the pegasus_notetaker driver, the pegasus_probe() function allocates
+the URB transfer buffer using the wMaxPacketSize value from
+the endpoint descriptor. An attacker can use a malicious USB descriptor
+to force the allocation of a very small buffer.
+
+Subsequently, if the device sends an interrupt packet with a specific
+pattern (e.g., where the first byte is 0x80 or 0x42),
+the pegasus_parse_packet() function parses the packet without checking
+the allocated buffer size. This leads to an out-of-bounds memory access.
+
+Fixes: 1afca2b66aac ("Input: add Pegasus Notetaker tablet driver")
+Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
+Link: https://lore.kernel.org/r/20251007214131.3737115-2-eeodqql09@gmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/tablet/pegasus_notetaker.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/input/tablet/pegasus_notetaker.c
++++ b/drivers/input/tablet/pegasus_notetaker.c
+@@ -63,6 +63,9 @@
+ #define BUTTON_PRESSED 0xb5
+ #define COMMAND_VERSION 0xa9
+
++/* 1 Status + 1 Color + 2 X + 2 Y = 6 bytes */
++#define NOTETAKER_PACKET_SIZE 6
++
+ /* in xy data packet */
+ #define BATTERY_NO_REPORT 0x40
+ #define BATTERY_LOW 0x41
+@@ -297,6 +300,12 @@ static int pegasus_probe(struct usb_inte
+
+ pipe = usb_rcvintpipe(dev, endpoint->bEndpointAddress);
+ pegasus->data_len = usb_maxpacket(dev, pipe);
++ if (pegasus->data_len < NOTETAKER_PACKET_SIZE) {
++ dev_err(&intf->dev, "packet size is too small (%d)\n",
++ pegasus->data_len);
++ error = -EINVAL;
++ goto err_free_mem;
++ }
+
+ pegasus->data = usb_alloc_coherent(dev, pegasus->data_len, GFP_KERNEL,
+ &pegasus->data_dma);
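Review bot: The added `data_len < NOTETAKER_PACKET_SIZE` check in pegasus_probe() bounds the size of the buffer that gets allocated, but not the number of bytes a given interrupt transfer actually delivered. pegasus_parse_packet() is outside this hunk, so whether it compares the URB's actual length with NOTETAKER_PACKET_SIZE before reading the X/Y bytes cannot be seen here and is worth confirming. If it does not, a short packet would be parsed together with bytes left in the buffer by an earlier transfer. A comment at the check, e.g. `/* wMaxPacketSize is device-supplied; pegasus_parse_packet() reads up to NOTETAKER_PACKET_SIZE bytes of this buffer */`, would record why the descriptor value is not trusted. pegasus_probe() starts and ends outside the hunk.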
--- /dev/null
+From stable+bounces-196781-greg=kroah.com@vger.kernel.org Mon Nov 24 19:38:23 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Nov 2025 13:37:57 -0500
+Subject: Input: remove third argument of usb_maxpacket()
+To: stable@vger.kernel.org
+Cc: Vincent Mailhol <mailhol.vincent@wanadoo.fr>, Ville Syrjala <syrjala@sci.fi>, Dmitry Torokhov <dmitry.torokhov@gmail.com>, Henk Vergonet <Henk.Vergonet@gmail.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251124183758.4187087-2-sashal@kernel.org>
+
+From: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+
+[ Upstream commit 948bf187694fc1f4c20cf972fa18b1a6fb3d7603 ]
+
+The third argument of usb_maxpacket(): in_out has been deprecated
+because it could be derived from the second argument (e.g. using
+usb_pipeout(pipe)).
+
+N.B. function usb_maxpacket() was made variadic to accommodate the
+transition from the old prototype with three arguments to the new one
+with only two arguments (so that no renaming is needed). The variadic
+argument is to be removed once all users of usb_maxpacket() get
+migrated.
+
+CC: Ville Syrjala <syrjala@sci.fi>
+CC: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+CC: Henk Vergonet <Henk.Vergonet@gmail.com>
+Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+Link: https://lore.kernel.org/r/20220317035514.6378-4-mailhol.vincent@wanadoo.fr
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: 69aeb5073123 ("Input: pegasus-notetaker - fix potential out-of-bounds access")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/misc/ati_remote2.c | 2 +-
+ drivers/input/misc/cm109.c | 2 +-
+ drivers/input/misc/powermate.c | 2 +-
+ drivers/input/misc/yealink.c | 2 +-
+ drivers/input/tablet/acecad.c | 2 +-
+ drivers/input/tablet/pegasus_notetaker.c | 2 +-
+ 6 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/input/misc/ati_remote2.c
++++ b/drivers/input/misc/ati_remote2.c
+@@ -639,7 +639,7 @@ static int ati_remote2_urb_init(struct a
+ return -ENOMEM;
+
+ pipe = usb_rcvintpipe(udev, ar2->ep[i]->bEndpointAddress);
+- maxp = usb_maxpacket(udev, pipe, usb_pipeout(pipe));
++ maxp = usb_maxpacket(udev, pipe);
+ maxp = maxp > 4 ? 4 : maxp;
+
+ usb_fill_int_urb(ar2->urb[i], udev, pipe, ar2->buf[i], maxp,
+--- a/drivers/input/misc/cm109.c
++++ b/drivers/input/misc/cm109.c
+@@ -745,7 +745,7 @@ static int cm109_usb_probe(struct usb_in
+
+ /* get a handle to the interrupt data pipe */
+ pipe = usb_rcvintpipe(udev, endpoint->bEndpointAddress);
+- ret = usb_maxpacket(udev, pipe, usb_pipeout(pipe));
++ ret = usb_maxpacket(udev, pipe);
+ if (ret != USB_PKT_LEN)
+ dev_err(&intf->dev, "invalid payload size %d, expected %d\n",
+ ret, USB_PKT_LEN);
+--- a/drivers/input/misc/powermate.c
++++ b/drivers/input/misc/powermate.c
+@@ -374,7 +374,7 @@ static int powermate_probe(struct usb_in
+
+ /* get a handle to the interrupt data pipe */
+ pipe = usb_rcvintpipe(udev, endpoint->bEndpointAddress);
+- maxp = usb_maxpacket(udev, pipe, usb_pipeout(pipe));
++ maxp = usb_maxpacket(udev, pipe);
+
+ if (maxp < POWERMATE_PAYLOAD_SIZE_MIN || maxp > POWERMATE_PAYLOAD_SIZE_MAX) {
+ printk(KERN_WARNING "powermate: Expected payload of %d--%d bytes, found %d bytes!\n",
+--- a/drivers/input/misc/yealink.c
++++ b/drivers/input/misc/yealink.c
+@@ -905,7 +905,7 @@ static int usb_probe(struct usb_interfac
+
+ /* get a handle to the interrupt data pipe */
+ pipe = usb_rcvintpipe(udev, endpoint->bEndpointAddress);
+- ret = usb_maxpacket(udev, pipe, usb_pipeout(pipe));
++ ret = usb_maxpacket(udev, pipe);
+ if (ret != USB_PKT_LEN)
+ dev_err(&intf->dev, "invalid payload size %d, expected %zd\n",
+ ret, USB_PKT_LEN);
+--- a/drivers/input/tablet/acecad.c
++++ b/drivers/input/tablet/acecad.c
+@@ -130,7 +130,7 @@ static int usb_acecad_probe(struct usb_i
+ return -ENODEV;
+
+ pipe = usb_rcvintpipe(dev, endpoint->bEndpointAddress);
+- maxp = usb_maxpacket(dev, pipe, usb_pipeout(pipe));
++ maxp = usb_maxpacket(dev, pipe);
+
+ acecad = kzalloc(sizeof(struct usb_acecad), GFP_KERNEL);
+ input_dev = input_allocate_device();
+--- a/drivers/input/tablet/pegasus_notetaker.c
++++ b/drivers/input/tablet/pegasus_notetaker.c
+@@ -296,7 +296,7 @@ static int pegasus_probe(struct usb_inte
+ pegasus->intf = intf;
+
+ pipe = usb_rcvintpipe(dev, endpoint->bEndpointAddress);
+- pegasus->data_len = usb_maxpacket(dev, pipe, usb_pipeout(pipe));
++ pegasus->data_len = usb_maxpacket(dev, pipe);
+
+ pegasus->data = usb_alloc_coherent(dev, pegasus->data_len, GFP_KERNEL,
+ &pegasus->data_dma);
--- /dev/null
+From 88b61e3bff93f99712718db785b4aa0c1165f35c Mon Sep 17 00:00:00 2001
+From: Nick Desaulniers <ndesaulniers@google.com>
+Date: Mon, 19 Sep 2022 10:08:28 -0700
+Subject: Makefile.compiler: replace cc-ifversion with compiler-specific macros
+
+From: Nick Desaulniers <ndesaulniers@google.com>
+
+commit 88b61e3bff93f99712718db785b4aa0c1165f35c upstream.
+
+cc-ifversion is GCC specific. Replace it with compiler specific
+variants. Update the users of cc-ifversion to use these new macros.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/350
+Link: https://lore.kernel.org/llvm/CAGG=3QWSAUakO42kubrCap8fp-gm1ERJJAYXTnP1iHk_wrH=BQ@mail.gmail.com/
+Suggested-by: Bill Wendling <morbo@google.com>
+Reviewed-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+[nathan: Backport to 5.15 and eliminate instances of cc-ifversion that
+ did not exist upstream when this change was original created]
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/kbuild/makefiles.rst | 29 ++++++++++++++-----------
+ Makefile | 6 +----
+ arch/mips/loongson64/Platform | 2 -
+ arch/s390/Makefile | 4 +--
+ drivers/gpu/drm/amd/display/dc/dcn20/Makefile | 2 -
+ drivers/gpu/drm/amd/display/dc/dcn21/Makefile | 2 -
+ drivers/gpu/drm/amd/display/dc/dcn30/Makefile | 2 -
+ drivers/gpu/drm/amd/display/dc/dcn301/Makefile | 2 -
+ drivers/gpu/drm/amd/display/dc/dcn302/Makefile | 2 -
+ drivers/gpu/drm/amd/display/dc/dcn303/Makefile | 2 -
+ drivers/gpu/drm/amd/display/dc/dcn31/Makefile | 2 -
+ drivers/gpu/drm/amd/display/dc/dml/Makefile | 2 -
+ scripts/Makefile.compiler | 10 ++++++--
+ 13 files changed, 37 insertions(+), 30 deletions(-)
+
+--- a/Documentation/kbuild/makefiles.rst
++++ b/Documentation/kbuild/makefiles.rst
+@@ -682,22 +682,27 @@ more details, with real examples.
+ In the above example, -Wno-unused-but-set-variable will be added to
+ KBUILD_CFLAGS only if gcc really accepts it.
+
+- cc-ifversion
+- cc-ifversion tests the version of $(CC) and equals the fourth parameter
+- if version expression is true, or the fifth (if given) if the version
+- expression is false.
++ gcc-min-version
++ gcc-min-version tests if the value of $(CONFIG_GCC_VERSION) is greater than
++ or equal to the provided value and evaluates to y if so.
+
+ Example::
+
+- #fs/reiserfs/Makefile
+- ccflags-y := $(call cc-ifversion, -lt, 0402, -O1)
++ cflags-$(call gcc-min-version, 70100) := -foo
+
+- In this example, ccflags-y will be assigned the value -O1 if the
+- $(CC) version is less than 4.2.
+- cc-ifversion takes all the shell operators:
+- -eq, -ne, -lt, -le, -gt, and -ge
+- The third parameter may be a text as in this example, but it may also
+- be an expanded variable or a macro.
++ In this example, cflags-y will be assigned the value -foo if $(CC) is gcc and
++ $(CONFIG_GCC_VERSION) is >= 7.1.
++
++ clang-min-version
++ clang-min-version tests if the value of $(CONFIG_CLANG_VERSION) is greater
++ than or equal to the provided value and evaluates to y if so.
++
++ Example::
++
++ cflags-$(call clang-min-version, 110000) := -foo
++
++ In this example, cflags-y will be assigned the value -foo if $(CC) is clang
++ and $(CONFIG_CLANG_VERSION) is >= 11.0.0.
+
+ cc-cross-prefix
+ cc-cross-prefix is used to check if there exists a $(CC) in path with
+--- a/Makefile
++++ b/Makefile
+@@ -804,7 +804,6 @@ stackp-flags-$(CONFIG_STACKPROTECTOR_STR
+ KBUILD_CFLAGS += $(stackp-flags-y)
+
+ KBUILD_CFLAGS-$(CONFIG_WERROR) += -Werror
+-KBUILD_CFLAGS += $(KBUILD_CFLAGS-y)
+
+ ifdef CONFIG_CC_IS_CLANG
+ KBUILD_CPPFLAGS += -Qunused-arguments
+@@ -1043,7 +1042,6 @@ ifdef CONFIG_CC_IS_GCC
+ KBUILD_CFLAGS += -Wno-maybe-uninitialized
+ endif
+
+-ifdef CONFIG_CC_IS_GCC
+ # The allocators already balk at large sizes, so silence the compiler
+ # warnings for bounds checks involving those possible values. While
+ # -Wno-alloc-size-larger-than would normally be used here, earlier versions
+@@ -1055,8 +1053,8 @@ ifdef CONFIG_CC_IS_GCC
+ # ignored, continuing to default to PTRDIFF_MAX. So, left with no other
+ # choice, we must perform a versioned check to disable this warning.
+ # https://lore.kernel.org/lkml/20210824115859.187f272f@canb.auug.org.au
+-KBUILD_CFLAGS += $(call cc-ifversion, -ge, 0901, -Wno-alloc-size-larger-than)
+-endif
++KBUILD_CFLAGS-$(call gcc-min-version, 90100) += -Wno-alloc-size-larger-than
++KBUILD_CFLAGS += $(KBUILD_CFLAGS-y)
+
+ # disable invalid "can't wrap" optimizations for signed / pointers
+ KBUILD_CFLAGS += -fno-strict-overflow
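Review bot: Moving `KBUILD_CFLAGS += $(KBUILD_CFLAGS-y)` down to follow the new `KBUILD_CFLAGS-$(call gcc-min-version, 90100) += -Wno-alloc-size-larger-than` line creates an ordering dependency that nothing in the file states. Any `KBUILD_CFLAGS-y +=` placed below this point would presumably never reach KBUILD_CFLAGS, and the `-Werror` entry collected earlier is now only folded in here. A one-line comment above the fold, e.g. `# Keep after the last KBUILD_CFLAGS-y / KBUILD_CFLAGS-$(...) assignment`, would protect it against later reordering.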
+--- a/arch/mips/loongson64/Platform
++++ b/arch/mips/loongson64/Platform
+@@ -12,7 +12,7 @@ cflags-$(CONFIG_CPU_LOONGSON64) += -Wa,-
+ # by GAS. The cc-option can't probe for this behaviour so -march=loongson3a
+ # can't easily be used safely within the kbuild framework.
+ #
+-ifeq ($(call cc-ifversion, -ge, 0409, y), y)
++ifeq ($(call gcc-min-version, 40900), y)
+ ifeq ($(call ld-ifversion, -ge, 22500, y), y)
+ cflags-$(CONFIG_CPU_LOONGSON64) += \
+ $(call cc-option,-march=loongson3a -U_MIPS_ISA -D_MIPS_ISA=_MIPS_ISA_MIPS64)
+--- a/arch/s390/Makefile
++++ b/arch/s390/Makefile
+@@ -35,8 +35,8 @@ KBUILD_CFLAGS_DECOMPRESSOR += $(if $(CON
+ KBUILD_CFLAGS_DECOMPRESSOR += $(if $(CONFIG_DEBUG_INFO_DWARF4), $(call cc-option, -gdwarf-4,))
+
+ ifdef CONFIG_CC_IS_GCC
+- ifeq ($(call cc-ifversion, -ge, 1200, y), y)
+- ifeq ($(call cc-ifversion, -lt, 1300, y), y)
++ ifeq ($(call gcc-min-version, 120000), y)
++ ifneq ($(call gcc-min-version, 130000), y)
+ KBUILD_CFLAGS += $(call cc-disable-warning, array-bounds)
+ KBUILD_CFLAGS_DECOMPRESSOR += $(call cc-disable-warning, array-bounds)
+ endif
+--- a/drivers/gpu/drm/amd/display/dc/dcn20/Makefile
++++ b/drivers/gpu/drm/amd/display/dc/dcn20/Makefile
+@@ -18,7 +18,7 @@ CFLAGS_$(AMDDALPATH)/dc/dcn20/dcn20_reso
+ endif
+
+ ifdef CONFIG_CC_IS_GCC
+-ifeq ($(call cc-ifversion, -lt, 0701, y), y)
++ifneq ($(call gcc-min-version, 70100), y)
+ IS_OLD_GCC = 1
+ endif
+ endif
+--- a/drivers/gpu/drm/amd/display/dc/dcn21/Makefile
++++ b/drivers/gpu/drm/amd/display/dc/dcn21/Makefile
+@@ -14,7 +14,7 @@ CFLAGS_$(AMDDALPATH)/dc/dcn21/dcn21_reso
+ endif
+
+ ifdef CONFIG_CC_IS_GCC
+-ifeq ($(call cc-ifversion, -lt, 0701, y), y)
++ifneq ($(call gcc-min-version, 70100), y)
+ IS_OLD_GCC = 1
+ endif
+ endif
+--- a/drivers/gpu/drm/amd/display/dc/dcn30/Makefile
++++ b/drivers/gpu/drm/amd/display/dc/dcn30/Makefile
+@@ -42,7 +42,7 @@ CFLAGS_$(AMDDALPATH)/dc/dcn30/dcn30_optc
+ endif
+
+ ifdef CONFIG_CC_IS_GCC
+-ifeq ($(call cc-ifversion, -lt, 0701, y), y)
++ifneq ($(call gcc-min-version, 70100), y)
+ IS_OLD_GCC = 1
+ endif
+ CFLAGS_$(AMDDALPATH)/dc/dcn30/dcn30_resource.o += -mhard-float
+--- a/drivers/gpu/drm/amd/display/dc/dcn301/Makefile
++++ b/drivers/gpu/drm/amd/display/dc/dcn301/Makefile
+@@ -22,7 +22,7 @@ CFLAGS_$(AMDDALPATH)/dc/dcn301/dcn301_re
+ endif
+
+ ifdef CONFIG_CC_IS_GCC
+-ifeq ($(call cc-ifversion, -lt, 0701, y), y)
++ifneq ($(call gcc-min-version, 70100), y)
+ IS_OLD_GCC = 1
+ endif
+ CFLAGS_$(AMDDALPATH)/dc/dcn301/dcn301_resource.o += -mhard-float
+--- a/drivers/gpu/drm/amd/display/dc/dcn302/Makefile
++++ b/drivers/gpu/drm/amd/display/dc/dcn302/Makefile
+@@ -21,7 +21,7 @@ CFLAGS_$(AMDDALPATH)/dc/dcn302/dcn302_re
+ endif
+
+ ifdef CONFIG_CC_IS_GCC
+-ifeq ($(call cc-ifversion, -lt, 0701, y), y)
++ifneq ($(call gcc-min-version, 70100), y)
+ IS_OLD_GCC = 1
+ endif
+ CFLAGS_$(AMDDALPATH)/dc/dcn302/dcn302_resource.o += -mhard-float
+--- a/drivers/gpu/drm/amd/display/dc/dcn303/Makefile
++++ b/drivers/gpu/drm/amd/display/dc/dcn303/Makefile
+@@ -17,7 +17,7 @@ CFLAGS_$(AMDDALPATH)/dc/dcn303/dcn303_re
+ endif
+
+ ifdef CONFIG_CC_IS_GCC
+-ifeq ($(call cc-ifversion, -lt, 0701, y), y)
++ifneq ($(call gcc-min-version, 70100), y)
+ IS_OLD_GCC = 1
+ endif
+ CFLAGS_$(AMDDALPATH)/dc/dcn303/dcn303_resource.o += -mhard-float
+--- a/drivers/gpu/drm/amd/display/dc/dcn31/Makefile
++++ b/drivers/gpu/drm/amd/display/dc/dcn31/Makefile
+@@ -22,7 +22,7 @@ CFLAGS_$(AMDDALPATH)/dc/dcn31/dcn31_reso
+ endif
+
+ ifdef CONFIG_CC_IS_GCC
+-ifeq ($(call cc-ifversion, -lt, 0701, y), y)
++ifneq ($(call gcc-min-version, 70100), y)
+ IS_OLD_GCC = 1
+ endif
+ CFLAGS_$(AMDDALPATH)/dc/dcn31/dcn31_resource.o += -mhard-float
+--- a/drivers/gpu/drm/amd/display/dc/dml/Makefile
++++ b/drivers/gpu/drm/amd/display/dc/dml/Makefile
+@@ -35,7 +35,7 @@ dml_ccflags := -mhard-float -maltivec
+ endif
+
+ ifdef CONFIG_CC_IS_GCC
+-ifeq ($(call cc-ifversion, -lt, 0701, y), y)
++ifneq ($(call gcc-min-version, 70100),y)
+ IS_OLD_GCC = 1
+ endif
+ endif
+--- a/scripts/Makefile.compiler
++++ b/scripts/Makefile.compiler
+@@ -61,9 +61,13 @@ cc-option-yn = $(call try-run,\
+ cc-disable-warning = $(call try-run,\
+ $(CC) -Werror $(KBUILD_CPPFLAGS) $(KBUILD_CFLAGS) -W$(strip $(1)) -c -x c /dev/null -o "$$TMP",-Wno-$(strip $(1)))
+
+-# cc-ifversion
+-# Usage: EXTRA_CFLAGS += $(call cc-ifversion, -lt, 0402, -O1)
+-cc-ifversion = $(shell [ $(CONFIG_GCC_VERSION)0 $(1) $(2)000 ] && echo $(3) || echo $(4))
++# gcc-min-version
++# Usage: cflags-$(call gcc-min-version, 70100) += -foo
++gcc-min-version = $(shell [ $(CONFIG_GCC_VERSION)0 -ge $(1)0 ] && echo y)
++
++# clang-min-version
++# Usage: cflags-$(call clang-min-version, 110000) += -foo
++clang-min-version = $(shell [ $(CONFIG_CLANG_VERSION)0 -ge $(1)0 ] && echo y)
+
+ # ld-option
+ # Usage: KBUILD_LDFLAGS += $(call ld-option, -X, -Y)
--- /dev/null
+From stable+bounces-196808-greg=kroah.com@vger.kernel.org Mon Nov 24 22:33:40 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Nov 2025 16:33:30 -0500
+Subject: mm/mempool: fix poisoning order>0 pages with HIGHMEM
+To: stable@vger.kernel.org
+Cc: Vlastimil Babka <vbabka@suse.cz>, kernel test robot <oliver.sang@intel.com>, Christoph Hellwig <hch@lst.de>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251124213330.39729-2-sashal@kernel.org>
+
+From: Vlastimil Babka <vbabka@suse.cz>
+
+[ Upstream commit ec33b59542d96830e3c89845ff833cf7b25ef172 ]
+
+The kernel test has reported:
+
+ BUG: unable to handle page fault for address: fffba000
+ #PF: supervisor write access in kernel mode
+ #PF: error_code(0x0002) - not-present page
+ *pde = 03171067 *pte = 00000000
+ Oops: Oops: 0002 [#1]
+ CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Tainted: G T 6.18.0-rc2-00031-gec7f31b2a2d3 #1 NONE a1d066dfe789f54bc7645c7989957d2bdee593ca
+ Tainted: [T]=RANDSTRUCT
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+ EIP: memset (arch/x86/include/asm/string_32.h:168 arch/x86/lib/memcpy_32.c:17)
+ Code: a5 8b 4d f4 83 e1 03 74 02 f3 a4 83 c4 04 5e 5f 5d 2e e9 73 41 01 00 90 90 90 3e 8d 74 26 00 55 89 e5 57 56 89 c6 89 d0 89 f7 <f3> aa 89 f0 5e 5f 5d 2e e9 53 41 01 00 cc cc cc 55 89 e5 53 57 56
+ EAX: 0000006b EBX: 00000015 ECX: 001fefff EDX: 0000006b
+ ESI: fffb9000 EDI: fffba000 EBP: c611fbf0 ESP: c611fbe8
+ DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068 EFLAGS: 00010287
+ CR0: 80050033 CR2: fffba000 CR3: 0316e000 CR4: 00040690
+ Call Trace:
+ poison_element (mm/mempool.c:83 mm/mempool.c:102)
+ mempool_init_node (mm/mempool.c:142 mm/mempool.c:226)
+ mempool_init_noprof (mm/mempool.c:250 (discriminator 1))
+ ? mempool_alloc_pages (mm/mempool.c:640)
+ bio_integrity_initfn (block/bio-integrity.c:483 (discriminator 8))
+ ? mempool_alloc_pages (mm/mempool.c:640)
+ do_one_initcall (init/main.c:1283)
+
+Christoph found out this is due to the poisoning code not dealing
+properly with CONFIG_HIGHMEM because only the first page is mapped but
+then the whole potentially high-order page is accessed.
+
+We could give up on HIGHMEM here, but it's straightforward to fix this
+with a loop that's mapping, poisoning or checking and unmapping
+individual pages.
+
+Reported-by: kernel test robot <oliver.sang@intel.com>
+Closes: https://lore.kernel.org/oe-lkp/202511111411.9ebfa1ba-lkp@intel.com
+Analyzed-by: Christoph Hellwig <hch@lst.de>
+Fixes: bdfedb76f4f5 ("mm, mempool: poison elements backed by slab allocator")
+Cc: stable@vger.kernel.org
+Tested-by: kernel test robot <oliver.sang@intel.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://patch.msgid.link/20251113-mempool-poison-v1-1-233b3ef984c3@suse.cz
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/mempool.c | 32 ++++++++++++++++++++++++++------
+ 1 file changed, 26 insertions(+), 6 deletions(-)
+
+--- a/mm/mempool.c
++++ b/mm/mempool.c
+@@ -63,10 +63,20 @@ static void check_element(mempool_t *poo
+ } else if (pool->free == mempool_free_pages) {
+ /* Mempools backed by page allocator */
+ int order = (int)(long)pool->pool_data;
+- void *addr = kmap_local_page((struct page *)element);
+
+- __check_element(pool, addr, 1UL << (PAGE_SHIFT + order));
+- kunmap_local(addr);
++#ifdef CONFIG_HIGHMEM
++ for (int i = 0; i < (1 << order); i++) {
++ struct page *page = (struct page *)element;
++ void *addr = kmap_local_page(page + i);
++
++ __check_element(pool, addr, PAGE_SIZE);
++ kunmap_local(addr);
++ }
++#else
++ void *addr = page_address((struct page *)element);
++
++ __check_element(pool, addr, PAGE_SIZE << order);
++#endif
+ }
+ }
+
+@@ -86,10 +96,20 @@ static void poison_element(mempool_t *po
+ } else if (pool->alloc == mempool_alloc_pages) {
+ /* Mempools backed by page allocator */
+ int order = (int)(long)pool->pool_data;
+- void *addr = kmap_local_page((struct page *)element);
+
+- __poison_element(addr, 1UL << (PAGE_SHIFT + order));
+- kunmap_local(addr);
++#ifdef CONFIG_HIGHMEM
++ for (int i = 0; i < (1 << order); i++) {
++ struct page *page = (struct page *)element;
++ void *addr = kmap_local_page(page + i);
++
++ __poison_element(addr, PAGE_SIZE);
++ kunmap_local(addr);
++ }
++#else
++ void *addr = page_address((struct page *)element);
++
++ __poison_element(addr, PAGE_SIZE << order);
++#endif
+ }
+ }
+ #else /* CONFIG_DEBUG_SLAB || CONFIG_SLUB_DEBUG_ON */
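Review bot: The `for (int i = 0; i < (1 << order); i++)` loops added under CONFIG_HIGHMEM in check_element() and poison_element() declare the counter in the loop header, which compiles only if this stable branch builds as C99 or later. The language standard in use is not visible on this page, so confirm it, or declare `int i;` at the top of the CONFIG_HIGHMEM branch. The cast `struct page *page = (struct page *)element;` is loop-invariant and can move above the loop. A short comment before each loop would record why the split exists, e.g. `/* kmap_local_page() maps a single page; handle each subpage of the element in turn */`. Both function bodies start outside their hunks.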
--- /dev/null
+From stable+bounces-196807-greg=kroah.com@vger.kernel.org Mon Nov 24 22:33:36 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Nov 2025 16:33:29 -0500
+Subject: mm/mempool: replace kmap_atomic() with kmap_local_page()
+To: stable@vger.kernel.org
+Cc: "Fabio M. De Francesco" <fabio.maria.de.francesco@linux.intel.com>, Ira Weiny <ira.weiny@intel.com>, Andrew Morton <akpm@linux-foundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251124213330.39729-1-sashal@kernel.org>
+
+From: "Fabio M. De Francesco" <fabio.maria.de.francesco@linux.intel.com>
+
+[ Upstream commit f2bcc99a5e901a13b754648d1dbab60f4adf9375 ]
+
+kmap_atomic() has been deprecated in favor of kmap_local_page().
+
+Therefore, replace kmap_atomic() with kmap_local_page().
+
+kmap_atomic() is implemented like a kmap_local_page() which also disables
+page-faults and preemption (the latter only in !PREEMPT_RT kernels). The
+kernel virtual addresses returned by these two API are only valid in the
+context of the callers (i.e., they cannot be handed to other threads).
+
+With kmap_local_page() the mappings are per thread and CPU local like in
+kmap_atomic(); however, they can handle page-faults and can be called from
+any context (including interrupts). The tasks that call kmap_local_page()
+can be preempted and, when they are scheduled to run again, the kernel
+virtual addresses are restored and are still valid.
+
+The code blocks between the mappings and un-mappings don't rely on the
+above-mentioned side effects of kmap_atomic(), so that mere replacements
+of the old API with the new one is all that they require (i.e., there is
+no need to explicitly call pagefault_disable() and/or preempt_disable()).
+
+Link: https://lkml.kernel.org/r/20231120142640.7077-1-fabio.maria.de.francesco@linux.intel.com
+Signed-off-by: Fabio M. De Francesco <fabio.maria.de.francesco@linux.intel.com>
+Cc: Ira Weiny <ira.weiny@intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Stable-dep-of: ec33b59542d9 ("mm/mempool: fix poisoning order>0 pages with HIGHMEM")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/mempool.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/mm/mempool.c
++++ b/mm/mempool.c
+@@ -63,10 +63,10 @@ static void check_element(mempool_t *poo
+ } else if (pool->free == mempool_free_pages) {
+ /* Mempools backed by page allocator */
+ int order = (int)(long)pool->pool_data;
+- void *addr = kmap_atomic((struct page *)element);
++ void *addr = kmap_local_page((struct page *)element);
+
+ __check_element(pool, addr, 1UL << (PAGE_SHIFT + order));
+- kunmap_atomic(addr);
++ kunmap_local(addr);
+ }
+ }
+
+@@ -86,10 +86,10 @@ static void poison_element(mempool_t *po
+ } else if (pool->alloc == mempool_alloc_pages) {
+ /* Mempools backed by page allocator */
+ int order = (int)(long)pool->pool_data;
+- void *addr = kmap_atomic((struct page *)element);
++ void *addr = kmap_local_page((struct page *)element);
+
+ __poison_element(addr, 1UL << (PAGE_SHIFT + order));
+- kunmap_atomic(addr);
++ kunmap_local(addr);
+ }
+ }
+ #else /* CONFIG_DEBUG_SLAB || CONFIG_SLUB_DEBUG_ON */
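Review bot: After this change check_element() and poison_element() still pass `1UL << (PAGE_SHIFT + order)` as the length while `kmap_local_page()` is given only the first page of the element, so for order > 0 the access still runs past the single mapping on a CONFIG_HIGHMEM build. The `Stable-dep-of:` trailer names ec33b59542d9 as the fix this patch prepares for, and the page fault quoted in that patch's description is this case. The two should be queued together and in this order, never this one alone. Both function bodies start outside the hunks.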
--- /dev/null
+From stable+bounces-195439-greg=kroah.com@vger.kernel.org Fri Nov 21 02:45:59 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Nov 2025 20:45:42 -0500
+Subject: mmc: sdhci-of-dwcmshc: Change DLL_STRBIN_TAPNUM_DEFAULT to 0x4
+To: stable@vger.kernel.org
+Cc: Shawn Lin <shawn.lin@rock-chips.com>, Alexey Charkov <alchark@gmail.com>, Hugh Cole-Baker <sigmaris@gmail.com>, Ulf Hansson <ulf.hansson@linaro.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251121014542.2332865-1-sashal@kernel.org>
+
+From: Shawn Lin <shawn.lin@rock-chips.com>
+
+[ Upstream commit a28352cf2d2f8380e7aca8cb61682396dca7a991 ]
+
+strbin signal delay under 0x8 configuration is not stable after massive
+test. The recommandation of it should be 0x4.
+
+Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
+Tested-by: Alexey Charkov <alchark@gmail.com>
+Tested-by: Hugh Cole-Baker <sigmaris@gmail.com>
+Fixes: 08f3dff799d4 ("mmc: sdhci-of-dwcmshc: add rockchip platform support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-of-dwcmshc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/sdhci-of-dwcmshc.c
++++ b/drivers/mmc/host/sdhci-of-dwcmshc.c
+@@ -49,7 +49,7 @@
+ #define DWCMSHC_EMMC_DLL_INC 8
+ #define DWCMSHC_EMMC_DLL_DLYENA BIT(27)
+ #define DLL_TXCLK_TAPNUM_DEFAULT 0x8
+-#define DLL_STRBIN_TAPNUM_DEFAULT 0x8
++#define DLL_STRBIN_TAPNUM_DEFAULT 0x4
+ #define DLL_TXCLK_TAPNUM_FROM_SW BIT(24)
+ #define DLL_RXCLK_NO_INVERTER 1
+ #define DLL_RXCLK_INVERTER 0
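Review bot: The new value of `DLL_STRBIN_TAPNUM_DEFAULT` carries no comment, so the reason it now differs from `DLL_TXCLK_TAPNUM_DEFAULT` on the line above lives only in the commit message. A one-line comment above the define would keep it with the code, for example `/* strbin delay: 0x8 was not stable under heavy testing, 0x4 is the recommended tap number */`.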
--- /dev/null
+From stable+bounces-196758-greg=kroah.com@vger.kernel.org Mon Nov 24 16:18:22 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Nov 2025 10:18:14 -0500
+Subject: mptcp: Disallow MPTCP subflows from sockmap
+To: stable@vger.kernel.org
+Cc: Jiayuan Chen <jiayuan.chen@linux.dev>, Martin KaFai Lau <martin.lau@kernel.org>, "Matthieu Baerts (NGI0)" <matttbe@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251124151814.4126349-1-sashal@kernel.org>
+
+From: Jiayuan Chen <jiayuan.chen@linux.dev>
+
+[ Upstream commit fbade4bd08ba52cbc74a71c4e86e736f059f99f7 ]
+
+The sockmap feature allows bpf syscall from userspace, or based on bpf
+sockops, replacing the sk_prot of sockets during protocol stack processing
+with sockmap's custom read/write interfaces.
+'''
+tcp_rcv_state_process()
+ subflow_syn_recv_sock()
+ tcp_init_transfer(BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB)
+ bpf_skops_established <== sockops
+ bpf_sock_map_update(sk) <== call bpf helper
+ tcp_bpf_update_proto() <== update sk_prot
+'''
+Consider two scenarios:
+
+1. When the server has MPTCP enabled and the client also requests MPTCP,
+ the sk passed to the BPF program is a subflow sk. Since subflows only
+ handle partial data, replacing their sk_prot is meaningless and will
+ cause traffic disruption.
+
+2. When the server has MPTCP enabled but the client sends a TCP SYN
+ without MPTCP, subflow_syn_recv_sock() performs a fallback on the
+ subflow, replacing the subflow sk's sk_prot with the native sk_prot.
+ '''
+ subflow_ulp_fallback()
+ subflow_drop_ctx()
+ mptcp_subflow_ops_undo_override()
+ '''
+ Subsequently, accept::mptcp_stream_accept::mptcp_fallback_tcp_ops()
+ converts the subflow to plain TCP.
+
+For the first case, we should prevent it from being combined with sockmap
+by setting sk_prot->psock_update_sk_prot to NULL, which will be blocked by
+sockmap's own flow.
+
+For the second case, since subflow_syn_recv_sock() has already restored
+sk_prot to native tcp_prot/tcpv6_prot, no further action is needed.
+
+Fixes: cec37a6e41aa ("mptcp: Handle MP_CAPABLE options for outgoing connections")
+Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20251111060307.194196-2-jiayuan.chen@linux.dev
+[ Adjust context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/subflow.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/mptcp/subflow.c
++++ b/net/mptcp/subflow.c
+@@ -1854,6 +1854,10 @@ void __init mptcp_subflow_init(void)
+
+ tcp_prot_override = tcp_prot;
+ tcp_prot_override.release_cb = tcp_release_cb_override;
++#ifdef CONFIG_BPF_SYSCALL
++ /* Disable sockmap processing for subflows */
++ tcp_prot_override.psock_update_sk_prot = NULL;
++#endif
+
+ #if IS_ENABLED(CONFIG_MPTCP_IPV6)
+ /* In struct mptcp_subflow_request_sock, we assume the TCP request sock
+@@ -1887,6 +1891,10 @@ void __init mptcp_subflow_init(void)
+
+ tcpv6_prot_override = tcpv6_prot;
+ tcpv6_prot_override.release_cb = tcp_release_cb_override;
++#ifdef CONFIG_BPF_SYSCALL
++ /* Disable sockmap processing for subflows */
++ tcpv6_prot_override.psock_update_sk_prot = NULL;
++#endif
+ #endif
+
+ mptcp_diag_subflow_init(&subflow_ulp_ops);
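Review bot: Setting `psock_update_sk_prot = NULL` in both `tcp_prot_override` and `tcpv6_prot_override` is only safe if every sockmap path tests the callback for NULL before calling it. The description says sockmap's own flow blocks such a socket, but that check is outside this diff, so confirm it exists in this stable branch; an unguarded call would dereference a NULL function pointer. The comment `/* Disable sockmap processing for subflows */` could also say how, e.g. `/* sockmap refuses sockets whose proto has no psock_update_sk_prot, so clearing it keeps subflows out of sockmap */`. mptcp_subflow_init() starts and ends outside the hunks.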
--- /dev/null
+From stable+bounces-196844-greg=kroah.com@vger.kernel.org Tue Nov 25 04:07:19 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Nov 2025 22:07:11 -0500
+Subject: mptcp: do not fallback when OoO is present
+To: stable@vger.kernel.org
+Cc: Paolo Abeni <pabeni@redhat.com>, "Matthieu Baerts (NGI0)" <matttbe@kernel.org>, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251125030711.325345-1-sashal@kernel.org>
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 1bba3f219c5e8c29e63afa3c1fc24f875ebec119 ]
+
+In case of DSS corruption, the MPTCP protocol tries to avoid the subflow
+reset if fallback is possible. Such corruptions happen in the receive
+path; to ensure fallback is possible the stack additionally needs to
+check for OoO data, otherwise the fallback will break the data stream.
+
+Fixes: e32d262c89e2 ("mptcp: handle consistently DSS corruption")
+Cc: stable@vger.kernel.org
+Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/598
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20251118-net-mptcp-misc-fixes-6-18-rc6-v1-4-806d3781c95f@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ patch mptcp_dss_corruption() ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/protocol.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -574,6 +574,15 @@ static bool mptcp_check_data_fin(struct
+ static void mptcp_dss_corruption(struct mptcp_sock *msk, struct sock *ssk)
+ {
+ if (READ_ONCE(msk->allow_infinite_fallback)) {
++ /* The caller possibly is not holding the msk socket lock, but
++ * in the fallback case only the current subflow is touching
++ * the OoO queue.
++ */
++ if (!RB_EMPTY_ROOT(&msk->out_of_order_queue)) {
++ MPTCP_INC_STATS(sock_net(ssk), MPTCP_MIB_DSSCORRUPTIONRESET);
++ mptcp_subflow_reset(ssk);
++ return;
++ }
+ MPTCP_INC_STATS(sock_net(ssk),
+ MPTCP_MIB_DSSCORRUPTIONFALLBACK);
+ mptcp_do_fallback(ssk);
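Review bot: The added block in mptcp_dss_corruption() opens a second reset path inside the `allow_infinite_fallback` branch. If the branch that follows outside the hunk performs the same `MPTCP_MIB_DSSCORRUPTIONRESET` increment and `mptcp_subflow_reset(ssk)` (not visible here), testing the queue in the outer condition would keep a single reset path: `if (READ_ONCE(msk->allow_infinite_fallback) && RB_EMPTY_ROOT(&msk->out_of_order_queue)) {`. The `RB_EMPTY_ROOT()` read is done without the msk socket lock and rests entirely on the invariant stated in the comment, that only the current subflow touches the OoO queue in the fallback case. Nothing in the hunk enforces that, so a later change that lets another context queue OoO data in this state would turn the check into a race. The function body continues past the end of the hunk.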
--- /dev/null
+From stable+bounces-196839-greg=kroah.com@vger.kernel.org Tue Nov 25 03:39:18 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Nov 2025 21:39:10 -0500
+Subject: mptcp: fix a race in mptcp_pm_del_add_timer()
+To: stable@vger.kernel.org
+Cc: Eric Dumazet <edumazet@google.com>, syzbot+2a6fbf0f0530375968df@syzkaller.appspotmail.com, Geliang Tang <geliang@kernel.org>, "Matthieu Baerts (NGI0)" <matttbe@kernel.org>, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251125023910.292706-1-sashal@kernel.org>
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 426358d9be7ce3518966422f87b96f1bad27295f ]
+
+mptcp_pm_del_add_timer() can call sk_stop_timer_sync(sk, &entry->add_timer)
+while another might have free entry already, as reported by syzbot.
+
+Add RCU protection to fix this issue.
+
+Also change confusing add_timer variable with stop_timer boolean.
+
+syzbot report:
+
+BUG: KASAN: slab-use-after-free in __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616
+Read of size 4 at addr ffff8880311e4150 by task kworker/1:1/44
+
+CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
+Workqueue: events mptcp_worker
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0xca/0x240 mm/kasan/report.c:482
+ kasan_report+0x118/0x150 mm/kasan/report.c:595
+ __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616
+ sk_stop_timer_sync+0x1b/0x90 net/core/sock.c:3631
+ mptcp_pm_del_add_timer+0x283/0x310 net/mptcp/pm.c:362
+ mptcp_incoming_options+0x1357/0x1f60 net/mptcp/options.c:1174
+ tcp_data_queue+0xca/0x6450 net/ipv4/tcp_input.c:5361
+ tcp_rcv_established+0x1335/0x2670 net/ipv4/tcp_input.c:6441
+ tcp_v4_do_rcv+0x98b/0xbf0 net/ipv4/tcp_ipv4.c:1931
+ tcp_v4_rcv+0x252a/0x2dc0 net/ipv4/tcp_ipv4.c:2374
+ ip_protocol_deliver_rcu+0x221/0x440 net/ipv4/ip_input.c:205
+ ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:239
+ NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
+ NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
+ __netif_receive_skb_one_core net/core/dev.c:6079 [inline]
+ __netif_receive_skb+0x143/0x380 net/core/dev.c:6192
+ process_backlog+0x31e/0x900 net/core/dev.c:6544
+ __napi_poll+0xb6/0x540 net/core/dev.c:7594
+ napi_poll net/core/dev.c:7657 [inline]
+ net_rx_action+0x5f7/0xda0 net/core/dev.c:7784
+ handle_softirqs+0x22f/0x710 kernel/softirq.c:622
+ __do_softirq kernel/softirq.c:656 [inline]
+ __local_bh_enable_ip+0x1a0/0x2e0 kernel/softirq.c:302
+ mptcp_pm_send_ack net/mptcp/pm.c:210 [inline]
+ mptcp_pm_addr_send_ack+0x41f/0x500 net/mptcp/pm.c:-1
+ mptcp_pm_worker+0x174/0x320 net/mptcp/pm.c:1002
+ mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762
+ process_one_work kernel/workqueue.c:3263 [inline]
+ process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346
+ worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
+ kthread+0x711/0x8a0 kernel/kthread.c:463
+ ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
+ </TASK>
+
+Allocated by task 44:
+ kasan_save_stack mm/kasan/common.c:56 [inline]
+ kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
+ poison_kmalloc_redzone mm/kasan/common.c:400 [inline]
+ __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:417
+ kasan_kmalloc include/linux/kasan.h:262 [inline]
+ __kmalloc_cache_noprof+0x1ef/0x6c0 mm/slub.c:5748
+ kmalloc_noprof include/linux/slab.h:957 [inline]
+ mptcp_pm_alloc_anno_list+0x104/0x460 net/mptcp/pm.c:385
+ mptcp_pm_create_subflow_or_signal_addr+0xf9d/0x1360 net/mptcp/pm_kernel.c:355
+ mptcp_pm_nl_fully_established net/mptcp/pm_kernel.c:409 [inline]
+ __mptcp_pm_kernel_worker+0x417/0x1ef0 net/mptcp/pm_kernel.c:1529
+ mptcp_pm_worker+0x1ee/0x320 net/mptcp/pm.c:1008
+ mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762
+ process_one_work kernel/workqueue.c:3263 [inline]
+ process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346
+ worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
+ kthread+0x711/0x8a0 kernel/kthread.c:463
+ ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
+
+Freed by task 6630:
+ kasan_save_stack mm/kasan/common.c:56 [inline]
+ kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
+ __kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:587
+ kasan_save_free_info mm/kasan/kasan.h:406 [inline]
+ poison_slab_object mm/kasan/common.c:252 [inline]
+ __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284
+ kasan_slab_free include/linux/kasan.h:234 [inline]
+ slab_free_hook mm/slub.c:2523 [inline]
+ slab_free mm/slub.c:6611 [inline]
+ kfree+0x197/0x950 mm/slub.c:6818
+ mptcp_remove_anno_list_by_saddr+0x2d/0x40 net/mptcp/pm.c:158
+ mptcp_pm_flush_addrs_and_subflows net/mptcp/pm_kernel.c:1209 [inline]
+ mptcp_nl_flush_addrs_list net/mptcp/pm_kernel.c:1240 [inline]
+ mptcp_pm_nl_flush_addrs_doit+0x593/0xbb0 net/mptcp/pm_kernel.c:1281
+ genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115
+ genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
+ genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210
+ netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552
+ genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
+ netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
+ netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346
+ netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
+ sock_sendmsg_nosec net/socket.c:727 [inline]
+ __sock_sendmsg+0x21c/0x270 net/socket.c:742
+ ____sys_sendmsg+0x508/0x820 net/socket.c:2630
+ ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2684
+ __sys_sendmsg net/socket.c:2716 [inline]
+ __do_sys_sendmsg net/socket.c:2721 [inline]
+ __se_sys_sendmsg net/socket.c:2719 [inline]
+ __x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2719
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Cc: stable@vger.kernel.org
+Fixes: 00cfd77b9063 ("mptcp: retransmit ADD_ADDR when timeout")
+Reported-by: syzbot+2a6fbf0f0530375968df@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/691ad3c3.a70a0220.f6df1.0004.GAE@google.com
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Geliang Tang <geliang@kernel.org>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20251117100745.1913963-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ applied changes to pm_netlink.c instead of pm.c ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/pm_netlink.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+--- a/net/mptcp/pm_netlink.c
++++ b/net/mptcp/pm_netlink.c
+@@ -36,6 +36,7 @@ struct mptcp_pm_add_entry {
+ struct timer_list add_timer;
+ struct mptcp_sock *sock;
+ u8 retrans_times;
++ struct rcu_head rcu;
+ };
+
+ /* max value of mptcp_addr_info.id */
+@@ -366,22 +367,27 @@ mptcp_pm_del_add_timer(struct mptcp_sock
+ {
+ struct mptcp_pm_add_entry *entry;
+ struct sock *sk = (struct sock *)msk;
+- struct timer_list *add_timer = NULL;
++ bool stop_timer = false;
++
++ rcu_read_lock();
+
+ spin_lock_bh(&msk->pm.lock);
+ entry = mptcp_lookup_anno_list_by_saddr(msk, addr);
+ if (entry && (!check_id || entry->addr.id == addr->id)) {
+ entry->retrans_times = ADD_ADDR_RETRANS_MAX;
+- add_timer = &entry->add_timer;
++ stop_timer = true;
+ }
+ if (!check_id && entry)
+ list_del(&entry->list);
+ spin_unlock_bh(&msk->pm.lock);
+
+- /* no lock, because sk_stop_timer_sync() is calling del_timer_sync() */
+- if (add_timer)
+- sk_stop_timer_sync(sk, add_timer);
++ /* Note: entry might have been removed by another thread.
++ * We hold rcu_read_lock() to ensure it is not freed under us.
++ */
++ if (stop_timer)
++ sk_stop_timer_sync(sk, &entry->add_timer);
+
++ rcu_read_unlock();
+ return entry;
+ }
+
+@@ -430,7 +436,7 @@ void mptcp_pm_free_anno_list(struct mptc
+
+ list_for_each_entry_safe(entry, tmp, &free_list, list) {
+ sk_stop_timer_sync(sk, &entry->add_timer);
+- kfree(entry);
++ kfree_rcu(entry, rcu);
+ }
+ }
+
+@@ -1425,7 +1431,7 @@ static bool remove_anno_list_by_saddr(st
+
+ entry = mptcp_pm_del_add_timer(msk, addr, false);
+ if (entry) {
+- kfree(entry);
++ kfree_rcu(entry, rcu);
+ return true;
+ }
+
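Review bot: mptcp_pm_del_add_timer() still returns `entry` after `rcu_read_unlock()`, so when `check_id` is true and the entry stays on the list, the caller receives a pointer that another thread may already have passed to `kfree_rcu()`. The callers are outside these hunks; if any of them dereferences the result rather than only testing it for NULL, the use-after-free moves from the timer call to the caller. A comment on the function would make the contract explicit, e.g. `/* the returned entry may be dereferenced only if this call unlinked it (check_id == false) */`. It is also worth checking that every other free of a `struct mptcp_pm_add_entry` that has been on the list uses `kfree_rcu()`, since only two sites are converted here.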
--- /dev/null
+From stable+bounces-196824-greg=kroah.com@vger.kernel.org Mon Nov 24 23:40:17 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Nov 2025 17:39:38 -0500
+Subject: mptcp: fix ack generation for fallback msk
+To: stable@vger.kernel.org
+Cc: Paolo Abeni <pabeni@redhat.com>, Geliang Tang <geliang@kernel.org>, "Matthieu Baerts (NGI0)" <matttbe@kernel.org>, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251124223938.74969-1-sashal@kernel.org>
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 5e15395f6d9ec07395866c5511f4b4ac566c0c9b ]
+
+mptcp_cleanup_rbuf() needs to know the last most recent, mptcp-level
+rcv_wnd sent, and such information is tracked into the msk->old_wspace
+field, updated at ack transmission time by mptcp_write_options().
+
+Fallback socket do not add any mptcp options, such helper is never
+invoked, and msk->old_wspace value remain stale. That in turn makes
+ack generation at recvmsg() time quite random.
+
+Address the issue ensuring mptcp_write_options() is invoked even for
+fallback sockets, and just update the needed info in such a case.
+
+The issue went unnoticed for a long time, as mptcp currently overshots
+the fallback socket receive buffer autotune significantly. It is going
+to change in the near future.
+
+Fixes: e3859603ba13 ("mptcp: better msk receive window updates")
+Cc: stable@vger.kernel.org
+Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/594
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Geliang Tang <geliang@kernel.org>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20251118-net-mptcp-misc-fixes-6-18-rc6-v1-1-806d3781c95f@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ Adjust context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/options.c | 25 ++++++++++++++++++++++++-
+ 1 file changed, 24 insertions(+), 1 deletion(-)
+
+--- a/net/mptcp/options.c
++++ b/net/mptcp/options.c
+@@ -810,8 +810,11 @@ bool mptcp_established_options(struct so
+
+ opts->suboptions = 0;
+
++ /* Force later mptcp_write_options(), but do not use any actual
++ * option space.
++ */
+ if (unlikely(__mptcp_check_fallback(msk)))
+- return false;
++ return true;
+
+ if (unlikely(skb && TCP_SKB_CB(skb)->tcp_flags & TCPHDR_RST)) {
+ if (mptcp_established_options_mp_fail(sk, &opt_size, remaining, opts)) {
+@@ -1222,6 +1225,20 @@ static void mptcp_set_rwin(const struct
+ WRITE_ONCE(msk->rcv_wnd_sent, ack_seq);
+ }
+
++static void mptcp_track_rwin(const struct tcp_sock *tp)
++{
++ const struct sock *ssk = (const struct sock *)tp;
++ struct mptcp_subflow_context *subflow;
++ struct mptcp_sock *msk;
++
++ if (!ssk)
++ return;
++
++ subflow = mptcp_subflow_ctx(ssk);
++ msk = mptcp_sk(subflow->conn);
++ WRITE_ONCE(msk->old_wspace, tp->rcv_wnd);
++}
++
+ __sum16 __mptcp_make_csum(u64 data_seq, u32 subflow_seq, u16 data_len, __wsum sum)
+ {
+ struct csum_pseudo_header header;
+@@ -1283,6 +1300,12 @@ void mptcp_write_options(__be32 *ptr, co
+ return;
+ }
+
++ /* Fallback to TCP */
++ if (unlikely(!opts->suboptions)) {
++ mptcp_track_rwin(tp);
++ return;
++ }
++
+ /* DSS, MPC, MPJ and ADD_ADDR are mutually exclusive, see
+ * mptcp_established_options*()
+ */
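Review bot: The early `return true` for fallback sockets in mptcp_established_options() leaves `*size` unwritten in the lines shown, while the caller is now told that an MPTCP option is present. The added comment promises that no option space is used, which holds only if the caller starts the size at 0 (the caller is not visible) or the function sets it. Writing `*size = 0;` before the return would make that independent of the caller. mptcp_established_options() and mptcp_write_options() both extend beyond their hunks.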
--- /dev/null
+From stable+bounces-196832-greg=kroah.com@vger.kernel.org Tue Nov 25 01:48:23 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Nov 2025 19:48:16 -0500
+Subject: mptcp: fix premature close in case of fallback
+To: stable@vger.kernel.org
+Cc: Paolo Abeni <pabeni@redhat.com>, "Matthieu Baerts (NGI0)" <matttbe@kernel.org>, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251125004816.192030-1-sashal@kernel.org>
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit 17393fa7b7086664be519e7230cb6ed7ec7d9462 ]
+
+I'm observing very frequent self-tests failures in case of fallback when
+running on a CONFIG_PREEMPT kernel.
+
+The root cause is that subflow_sched_work_if_closed() closes any subflow
+as soon as it is half-closed and has no incoming data pending.
+
+That works well for regular subflows - MPTCP needs bi-directional
+connectivity to operate on a given subflow - but for fallback socket is
+race prone.
+
+When TCP peer closes the connection before the MPTCP one,
+subflow_sched_work_if_closed() will schedule the MPTCP worker to
+gracefully close the subflow, and shortly after will do another schedule
+to inject and process a dummy incoming DATA_FIN.
+
+On CONFIG_PREEMPT kernel, the MPTCP worker can kick-in and close the
+fallback subflow before subflow_sched_work_if_closed() is able to create
+the dummy DATA_FIN, unexpectedly interrupting the transfer.
+
+Address the issue explicitly avoiding closing fallback subflows on when
+the peer is only half-closed.
+
+Note that, when the subflow is able to create the DATA_FIN before the
+worker invocation, the worker will change the msk state before trying to
+close the subflow and will skip the latter operation as the msk will not
+match anymore the precondition in __mptcp_close_subflow().
+
+Fixes: f09b0ad55a11 ("mptcp: close subflow when receiving TCP+FIN")
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20251118-net-mptcp-misc-fixes-6-18-rc6-v1-3-806d3781c95f@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ sk -> ssk ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/protocol.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -2412,7 +2412,8 @@ static void __mptcp_close_subflow(struct
+
+ if (ssk_state != TCP_CLOSE &&
+ (ssk_state != TCP_CLOSE_WAIT ||
+- inet_sk_state_load((struct sock *)ssk) != TCP_ESTABLISHED))
++ inet_sk_state_load((struct sock *)ssk) != TCP_ESTABLISHED ||
++ __mptcp_check_fallback(msk)))
+ continue;
+
+ /* 'subflow_data_ready' will re-sched once rx queue is empty */
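Review bot: The middle clause of the condition loads the state from `(struct sock *)ssk`, which is the same socket `ssk_state` appears to describe (its assignment is outside the hunk). The description, however, calls the precondition a check on the msk state. If that reading is right, a subflow in TCP_CLOSE_WAIT always fails `!= TCP_ESTABLISHED`, the loop always takes `continue`, and the new `__mptcp_check_fallback(msk)` clause never changes the outcome. The "[ sk -> ssk ]" adjustment probably needs to be `inet_sk_state_load((struct sock *)msk) != TCP_ESTABLISHED ||`. A short comment above the `if` saying that fallback subflows are deliberately left open while the peer is only half-closed would also make the three-way condition easier to audit.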
--- /dev/null
+From stable+bounces-196772-greg=kroah.com@vger.kernel.org Mon Nov 24 18:24:35 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Nov 2025 12:24:26 -0500
+Subject: mptcp: Fix proto fallback detection with BPF
+To: stable@vger.kernel.org
+Cc: Jiayuan Chen <jiayuan.chen@linux.dev>, Martin KaFai Lau <martin.lau@kernel.org>, Jakub Sitnicki <jakub@cloudflare.com>, "Matthieu Baerts (NGI0)" <matttbe@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251124172426.4160679-1-sashal@kernel.org>
+
+From: Jiayuan Chen <jiayuan.chen@linux.dev>
+
+[ Upstream commit c77b3b79a92e3345aa1ee296180d1af4e7031f8f ]
+
+The sockmap feature allows bpf syscall from userspace, or based
+on bpf sockops, replacing the sk_prot of sockets during protocol stack
+processing with sockmap's custom read/write interfaces.
+'''
+tcp_rcv_state_process()
+ syn_recv_sock()/subflow_syn_recv_sock()
+ tcp_init_transfer(BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB)
+ bpf_skops_established <== sockops
+ bpf_sock_map_update(sk) <== call bpf helper
+ tcp_bpf_update_proto() <== update sk_prot
+'''
+
+When the server has MPTCP enabled but the client sends a TCP SYN
+without MPTCP, subflow_syn_recv_sock() performs a fallback on the
+subflow, replacing the subflow sk's sk_prot with the native sk_prot.
+'''
+subflow_syn_recv_sock()
+ subflow_ulp_fallback()
+ subflow_drop_ctx()
+ mptcp_subflow_ops_undo_override()
+'''
+
+Then, this subflow can be normally used by sockmap, which replaces the
+native sk_prot with sockmap's custom sk_prot. The issue occurs when the
+user executes accept::mptcp_stream_accept::mptcp_fallback_tcp_ops().
+Here, it uses sk->sk_prot to compare with the native sk_prot, but this
+is incorrect when sockmap is used, as we may incorrectly set
+sk->sk_socket->ops.
+
+This fix uses the more generic sk_family for the comparison instead.
+
+Additionally, this also prevents a WARNING from occurring:
+
+result from ./scripts/decode_stacktrace.sh:
+------------[ cut here ]------------
+WARNING: CPU: 0 PID: 337 at net/mptcp/protocol.c:68 mptcp_stream_accept \
+(net/mptcp/protocol.c:4005)
+Modules linked in:
+...
+
+PKRU: 55555554
+Call Trace:
+<TASK>
+do_accept (net/socket.c:1989)
+__sys_accept4 (net/socket.c:2028 net/socket.c:2057)
+__x64_sys_accept (net/socket.c:2067)
+x64_sys_call (arch/x86/entry/syscall_64.c:41)
+do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
+entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+RIP: 0033:0x7f87ac92b83d
+
+---[ end trace 0000000000000000 ]---
+
+Fixes: 0b4f33def7bb ("mptcp: fix tcp fallback crash")
+Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20251111060307.194196-3-jiayuan.chen@linux.dev
+[ applied fix to mptcp_is_tcpsk() instead of mptcp_fallback_tcp_ops() ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/protocol.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -77,8 +77,9 @@ static u64 mptcp_wnd_end(const struct mp
+ static bool mptcp_is_tcpsk(struct sock *sk)
+ {
+ struct socket *sock = sk->sk_socket;
++ unsigned short family = READ_ONCE(sk->sk_family);
+
+- if (unlikely(sk->sk_prot == &tcp_prot)) {
++ if (unlikely(family == AF_INET)) {
+ /* we are being invoked after mptcp_accept() has
+ * accepted a non-mp-capable flow: sk is a tcp_sk,
+ * not an mptcp one.
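Review bot: `family == AF_INET` here, and `family == AF_INET6` in the next hunk, do not by themselves tell a plain TCP socket from an MPTCP one, because an MPTCP socket is created in the same address families. The old `sk->sk_prot == &tcp_prot` comparison was what made mptcp_is_tcpsk() a type test. The trailer notes the fix was applied here instead of mptcp_fallback_tcp_ops(), and the callers are outside the hunk. If any caller uses this helper to decide whether `sk` is an MPTCP socket, it will now return true for genuine MPTCP sockets and replace their `sock->ops` with the TCP ops. Keeping the sockmap fix while preserving the type test would mean also checking the protocol, e.g. `if (unlikely(sk->sk_protocol == IPPROTO_TCP && family == AF_INET)) {`, and likewise for the AF_INET6 branch.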
+@@ -89,7 +90,7 @@ static bool mptcp_is_tcpsk(struct sock *
+ sock->ops = &inet_stream_ops;
+ return true;
+ #if IS_ENABLED(CONFIG_MPTCP_IPV6)
+- } else if (unlikely(sk->sk_prot == &tcpv6_prot)) {
++ } else if (unlikely(family == AF_INET6)) {
+ sock->ops = &inet6_stream_ops;
+ return true;
+ #endif
--- /dev/null
+From stable+bounces-195440-greg=kroah.com@vger.kernel.org Fri Nov 21 02:52:25 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Nov 2025 20:52:15 -0500
+Subject: net: netpoll: fix incorrect refcount handling causing incorrect cleanup
+To: stable@vger.kernel.org
+Cc: Breno Leitao <leitao@debian.org>, Jay Vosburgh <jv@jvosburgh.net>, Simon Horman <horms@kernel.org>, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251121015215.2335584-1-sashal@kernel.org>
+
+From: Breno Leitao <leitao@debian.org>
+
+[ Upstream commit 49c8d2c1f94cc2f4d1a108530d7ba52614b874c2 ]
+
+commit efa95b01da18 ("netpoll: fix use after free") incorrectly
+ignored the refcount and prematurely set dev->npinfo to NULL during
+netpoll cleanup, leading to improper behavior and memory leaks.
+
+Scenario causing lack of proper cleanup:
+
+1) A netpoll is associated with a NIC (e.g., eth0) and netdev->npinfo is
+ allocated, and refcnt = 1
+ - Keep in mind that npinfo is shared among all netpoll instances. In
+ this case, there is just one.
+
+2) Another netpoll is also associated with the same NIC and
+ npinfo->refcnt += 1.
+ - Now dev->npinfo->refcnt = 2;
+ - There is just one npinfo associated to the netdev.
+
+3) When the first netpolls goes to clean up:
+ - The first cleanup succeeds and clears np->dev->npinfo, ignoring
+ refcnt.
+ - It basically calls `RCU_INIT_POINTER(np->dev->npinfo, NULL);`
+ - Set dev->npinfo = NULL, without proper cleanup
+ - No ->ndo_netpoll_cleanup() is either called
+
+4) Now the second target tries to clean up
+ - The second cleanup fails because np->dev->npinfo is already NULL.
+ * In this case, ops->ndo_netpoll_cleanup() was never called, and
+ the skb pool is not cleaned as well (for the second netpoll
+ instance)
+ - This leaks npinfo and skbpool skbs, which is clearly reported by
+ kmemleak.
+
+Revert commit efa95b01da18 ("netpoll: fix use after free") and adds
+clarifying comments emphasizing that npinfo cleanup should only happen
+once the refcount reaches zero, ensuring stable and correct netpoll
+behavior.
+
+Cc: <stable@vger.kernel.org> # 3.17.x
+Cc: Jay Vosburgh <jv@jvosburgh.net>
+Fixes: efa95b01da18 ("netpoll: fix use after free")
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20251107-netconsole_torture-v10-1-749227b55f63@debian.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ Adjust context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/netpoll.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/core/netpoll.c
++++ b/net/core/netpoll.c
+@@ -851,6 +851,10 @@ void __netpoll_cleanup(struct netpoll *n
+
+ synchronize_srcu(&netpoll_srcu);
+
++ /* At this point, there is a single npinfo instance per netdevice, and
++ * its refcnt tracks how many netpoll structures are linked to it. We
++ * only perform npinfo cleanup when the refcnt decrements to zero.
++ */
+ if (refcount_dec_and_test(&npinfo->refcnt)) {
+ const struct net_device_ops *ops;
+
+@@ -860,8 +864,7 @@ void __netpoll_cleanup(struct netpoll *n
+
+ RCU_INIT_POINTER(np->dev->npinfo, NULL);
+ call_rcu(&npinfo->rcu, rcu_cleanup_netpoll_info);
+- } else
+- RCU_INIT_POINTER(np->dev->npinfo, NULL);
++ }
+ }
+ EXPORT_SYMBOL_GPL(__netpoll_cleanup);
+
--- /dev/null
+From 6b3ab7f2cbfaeb6580709cd8ef4d72cfd01bfde4 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Wed, 7 May 2025 21:47:45 +0100
+Subject: net: qede: Initialize qede_ll_ops with designated initializer
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit 6b3ab7f2cbfaeb6580709cd8ef4d72cfd01bfde4 upstream.
+
+After a recent change [1] in clang's randstruct implementation to
+randomize structures that only contain function pointers, there is an
+error because qede_ll_ops get randomized but does not use a designated
+initializer for the first member:
+
+ drivers/net/ethernet/qlogic/qede/qede_main.c:206:2: error: a randomized struct can only be initialized with a designated initializer
+ 206 | {
+ | ^
+
+Explicitly initialize the common member using a designated initializer
+to fix the build.
+
+Cc: stable@vger.kernel.org
+Fixes: 035f7f87b729 ("randstruct: Enable Clang support")
+Link: https://github.com/llvm/llvm-project/commit/04364fb888eea6db9811510607bed4b200bcb082 [1]
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Link: https://patch.msgid.link/20250507-qede-fix-clang-randstruct-v1-1-5ccc15626fba@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qlogic/qede/qede_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/qlogic/qede/qede_main.c
++++ b/drivers/net/ethernet/qlogic/qede/qede_main.c
+@@ -194,7 +194,7 @@ static struct pci_driver qede_pci_driver
+ };
+
+ static struct qed_eth_cb_ops qede_ll_ops = {
+- {
++ .common = {
+ #ifdef CONFIG_RFS_ACCEL
+ .arfs_filter_op = qede_arfs_filter_op,
+ #endif
--- /dev/null
+From stable+bounces-196522-greg=kroah.com@vger.kernel.org Fri Nov 21 17:23:45 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Nov 2025 11:22:09 -0500
+Subject: pmdomain: arm: scmi: Fix genpd leak on provider registration failure
+To: stable@vger.kernel.org
+Cc: Sudeep Holla <sudeep.holla@arm.com>, Peng Fan <peng.fan@nxp.com>, Ulf Hansson <ulf.hansson@linaro.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251121162209.2595547-1-sashal@kernel.org>
+
+From: Sudeep Holla <sudeep.holla@arm.com>
+
+[ Upstream commit 7458f72cc28f9eb0de811effcb5376d0ec19094a ]
+
+If of_genpd_add_provider_onecell() fails during probe, the previously
+created generic power domains are not removed, leading to a memory leak
+and potential kernel crash later in genpd_debug_add().
+
+Add proper error handling to unwind the initialized domains before
+returning from probe to ensure all resources are correctly released on
+failure.
+
+Example crash trace observed without this fix:
+
+ | Unable to handle kernel paging request at virtual address fffffffffffffc70
+ | CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0-rc1 #405 PREEMPT
+ | Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform
+ | pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ | pc : genpd_debug_add+0x2c/0x160
+ | lr : genpd_debug_init+0x74/0x98
+ | Call trace:
+ | genpd_debug_add+0x2c/0x160 (P)
+ | genpd_debug_init+0x74/0x98
+ | do_one_initcall+0xd0/0x2d8
+ | do_initcall_level+0xa0/0x140
+ | do_initcalls+0x60/0xa8
+ | do_basic_setup+0x28/0x40
+ | kernel_init_freeable+0xe8/0x170
+ | kernel_init+0x2c/0x140
+ | ret_from_fork+0x10/0x20
+
+Fixes: 898216c97ed2 ("firmware: arm_scmi: add device power domain support using genpd")
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Reviewed-by: Peng Fan <peng.fan@nxp.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+[ drivers/pmdomain/arm/scmi_pm_domain.c -> drivers/firmware/arm_scmi/scmi_pm_domain.c ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/arm_scmi/scmi_pm_domain.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/firmware/arm_scmi/scmi_pm_domain.c
++++ b/drivers/firmware/arm_scmi/scmi_pm_domain.c
+@@ -54,7 +54,7 @@ static int scmi_pd_power_off(struct gene
+
+ static int scmi_pm_domain_probe(struct scmi_device *sdev)
+ {
+- int num_domains, i;
++ int num_domains, i, ret;
+ struct device *dev = &sdev->dev;
+ struct device_node *np = dev->of_node;
+ struct scmi_pm_domain *scmi_pd;
+@@ -112,9 +112,18 @@ static int scmi_pm_domain_probe(struct s
+ scmi_pd_data->domains = domains;
+ scmi_pd_data->num_domains = num_domains;
+
++ ret = of_genpd_add_provider_onecell(np, scmi_pd_data);
++ if (ret)
++ goto err_rm_genpds;
++
+ dev_set_drvdata(dev, scmi_pd_data);
+
+- return of_genpd_add_provider_onecell(np, scmi_pd_data);
++ return 0;
++err_rm_genpds:
++ for (i = num_domains - 1; i >= 0; i--)
++ pm_genpd_remove(domains[i]);
++
++ return ret;
+ }
+
+ static void scmi_pm_domain_remove(struct scmi_device *sdev)
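Review bot: The `err_rm_genpds` unwind calls `pm_genpd_remove(domains[i])` for every index and discards the result. The loop that fills `domains[]` is outside the hunk, so it is not visible whether it can skip an index and leave that slot unset. If it can, the unwind depends on pm_genpd_remove() tolerating a NULL argument. Making the skip explicit is safer: `if (domains[i]) pm_genpd_remove(domains[i]);`. A brief comment on the label saying it undoes the pm_genpd_init() calls made earlier in probe would document the pairing.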
--- /dev/null
+From stable+bounces-196521-greg=kroah.com@vger.kernel.org Fri Nov 21 17:23:43 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Nov 2025 11:22:06 -0500
+Subject: pmdomain: imx: Fix reference count leak in imx_gpc_remove
+To: stable@vger.kernel.org
+Cc: Miaoqian Lin <linmq006@gmail.com>, Ulf Hansson <ulf.hansson@linaro.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251121162206.2595501-1-sashal@kernel.org>
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit bbde14682eba21d86f5f3d6fe2d371b1f97f1e61 ]
+
+of_get_child_by_name() returns a node pointer with refcount incremented, we
+should use of_node_put() on it when not needed anymore. Add the missing
+of_node_put() to avoid refcount leak.
+
+Fixes: 721cabf6c660 ("soc: imx: move PGC handling to a new GPC driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+[ drivers/pmdomain/imx/gpc.c -> drivers/soc/imx/gpc.c ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/imx/gpc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/soc/imx/gpc.c
++++ b/drivers/soc/imx/gpc.c
+@@ -540,6 +540,8 @@ static int imx_gpc_remove(struct platfor
+ return ret;
+ }
+
++ of_node_put(pgc_node);
++
+ return 0;
+ }
+
--- /dev/null
+From stable+bounces-196543-greg=kroah.com@vger.kernel.org Fri Nov 21 18:21:36 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Nov 2025 12:16:26 -0500
+Subject: pmdomain: samsung: plug potential memleak during probe
+To: stable@vger.kernel.org
+Cc: "André Draszik" <andre.draszik@linaro.org>, "Peter Griffin" <peter.griffin@linaro.org>, "Krzysztof Kozlowski" <krzysztof.kozlowski@linaro.org>, "Marek Szyprowski" <m.szyprowski@samsung.com>, "Ulf Hansson" <ulf.hansson@linaro.org>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20251121171626.2611968-1-sashal@kernel.org>
+
+From: André Draszik <andre.draszik@linaro.org>
+
+[ Upstream commit 90c82941adf1986364e0f82c35cf59f2bf5f6a1d ]
+
+of_genpd_add_provider_simple() could fail, in which case this code
+leaks the domain name, pd->pd.name.
+
+Use devm_kstrdup_const() to plug this leak. As a side-effect, we can
+simplify existing error handling.
+
+Fixes: c09a3e6c97f0 ("soc: samsung: pm_domains: Convert to regular platform driver")
+Cc: stable@vger.kernel.org
+Reviewed-by: Peter Griffin <peter.griffin@linaro.org>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: André Draszik <andre.draszik@linaro.org>
+Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+[ drivers/pmdomain/samsung/exynos-pm-domains.c -> drivers/soc/samsung/pm_domains.c ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/samsung/pm_domains.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/drivers/soc/samsung/pm_domains.c
++++ b/drivers/soc/samsung/pm_domains.c
+@@ -92,13 +92,14 @@ static const struct of_device_id exynos_
+ { },
+ };
+
+-static const char *exynos_get_domain_name(struct device_node *node)
++static const char *exynos_get_domain_name(struct device *dev,
++ struct device_node *node)
+ {
+ const char *name;
+
+ if (of_property_read_string(node, "label", &name) < 0)
+ name = kbasename(node->full_name);
+- return kstrdup_const(name, GFP_KERNEL);
++ return devm_kstrdup_const(dev, name, GFP_KERNEL);
+ }
+
+ static int exynos_pd_probe(struct platform_device *pdev)
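Review bot: exynos_get_domain_name() now returns memory whose lifetime is tied to `dev`, but nothing at the definition says so. A later `kfree_const(pd->pd.name)` added on some error or remove path would free device-managed memory a second time. A header comment on the helper would record the contract: `/* Returned name is released together with @dev; callers must not kfree_const() it. */`. The second hunk removes the one explicit free visible here; any other frees of `pd->pd.name` in the file are outside the hunks and should be checked against the same rule.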
+@@ -115,15 +116,13 @@ static int exynos_pd_probe(struct platfo
+ if (!pd)
+ return -ENOMEM;
+
+- pd->pd.name = exynos_get_domain_name(np);
++ pd->pd.name = exynos_get_domain_name(dev, np);
+ if (!pd->pd.name)
+ return -ENOMEM;
+
+ pd->base = of_iomap(np, 0);
+- if (!pd->base) {
+- kfree_const(pd->pd.name);
++ if (!pd->base)
+ return -ENODEV;
+- }
+
+ pd->pd.power_off = exynos_pd_power_off;
+ pd->pd.power_on = exynos_pd_power_on;
--- /dev/null
+From stable+bounces-197047-greg=kroah.com@vger.kernel.org Wed Nov 26 18:54:34 2025
+From: Gulam Mohamed <gulam.mohamed@oracle.com>
+Date: Wed, 26 Nov 2025 17:54:15 +0000
+Subject: Revert "block: don't add or resize partition on the disk with GENHD_FL_NO_PART"
+To: linux-kernel@vger.kernel.org, hch@lst.de
+Cc: stable@vger.kernel.org, gulam.mohamed@oracle.com
+Message-ID: <20251126175415.259906-2-gulam.mohamed@oracle.com>
+
+From: Gulam Mohamed <gulam.mohamed@oracle.com>
+
+This reverts commit 1a721de8489fa559ff4471f73c58bb74ac5580d3.
+
+The commit 1a721de8489f ("block: don't add or resize partition on the disk
+with GENHD_FL_NO_PART") and the commit 7777f47f2ea6 ("block: Move checking
+GENHD_FL_NO_PART to bdev_add_partition()") used the flag GENHD_FL_NO_PART
+to prevent the add or resize of partitions in 5.15 stable kernels.But in
+these 5.15 kernels, this is giving an issue with the following error
+where the loop driver wants to create a partition when the partscan is
+disabled on the loop device:
+
+dd if=/dev/zero of=loopDisk.dsk bs=1M count=1 seek=10240;
+losetup -f loopDisk.dsk;parted -s /dev/loop0 -- mklabel gpt mkpart primary
+ 2048s 4096s
+1+0 records in
+1+0 records out
+1048576 bytes (1.0 MB, 1.0 MiB) copied, 0.0016293 s, 644 MB/s
+""
+Error: Partition(s) 1 on /dev/loop0 have been written, but we have been
+unable to inform the kernel of the change, probably because it/they are
+in use. As a result, the old partition(s) will remain in use. You should
+reboot now before making further changes.
+""
+If the partition scan is not enabled on the loop device, this flag
+GENHD_FL_NO_PART is getting set and when partition creation is tried,
+it returns an error EINVAL thereby preventing the creation of partitions.
+So, there is no such distinction between disabling of partition scan and
+partition creation.
+
+Later in 6.xxx kernels, the commit b9684a71fca7 ("block, loop: support
+partitions without scanning") a new flag GD_SUPPRESS_PART_SCAN was
+introduced that just disables the partition scan and uses GENHD_FL_NO_PART
+only to prevent creating partition scan. So, the partition creationg can
+proceed with even if partition scan is disabled.
+
+As the commit b9684a71fca7 ("block, loop: support partitions without
+scanning") is not available in 5.15 stable kernel, and since there is no
+distinction between disabling of "partition scan" and "partition
+creation", we need to revert the commits 1a721de8489f and 7777f47f2ea6
+from 5.15 stable kernel to allow partition creation when partscan is
+disabled.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gulam Mohamed <gulam.mohamed@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/ioctl.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/block/ioctl.c
++++ b/block/ioctl.c
+@@ -20,8 +20,6 @@ static int blkpg_do_ioctl(struct block_d
+ struct blkpg_partition p;
+ sector_t start, length;
+
+- if (disk->flags & GENHD_FL_NO_PART)
+- return -EINVAL;
+ if (!capable(CAP_SYS_ADMIN))
+ return -EACCES;
+ if (copy_from_user(&p, upart, sizeof(struct blkpg_partition)))
--- /dev/null
+From stable+bounces-197046-greg=kroah.com@vger.kernel.org Wed Nov 26 18:54:35 2025
+From: Gulam Mohamed <gulam.mohamed@oracle.com>
+Date: Wed, 26 Nov 2025 17:54:14 +0000
+Subject: Revert "block: Move checking GENHD_FL_NO_PART to bdev_add_partition()"
+To: linux-kernel@vger.kernel.org, hch@lst.de
+Cc: stable@vger.kernel.org, gulam.mohamed@oracle.com
+Message-ID: <20251126175415.259906-1-gulam.mohamed@oracle.com>
+
+From: Gulam Mohamed <gulam.mohamed@oracle.com>
+
+This reverts commit 7777f47f2ea64efd1016262e7b59fab34adfb869.
+
+The commit 1a721de8489f ("block: don't add or resize partition on the disk
+with GENHD_FL_NO_PART") and the commit 7777f47f2ea6 ("block: Move checking
+GENHD_FL_NO_PART to bdev_add_partition()") used the flag GENHD_FL_NO_PART
+to prevent the add or resize of partitions in 5.15 stable kernels.But in
+these 5.15 kernels, this is giving an issue with the following error
+where the loop driver wants to create a partition when the partscan is
+disabled on the loop device:
+
+dd if=/dev/zero of=loopDisk.dsk bs=1M count=1 seek=10240;
+losetup -f loopDisk.dsk;parted -s /dev/loop0 -- mklabel gpt mkpart primary
+ 2048s 4096s
+1+0 records in
+1+0 records out
+1048576 bytes (1.0 MB, 1.0 MiB) copied, 0.0016293 s, 644 MB/s
+""
+Error: Partition(s) 1 on /dev/loop0 have been written, but we have been
+unable to inform the kernel of the change, probably because it/they are
+in use. As a result, the old partition(s) will remain in use. You should
+reboot now before making further changes.
+""
+If the partition scan is not enabled on the loop device, this flag
+GENHD_FL_NO_PART is getting set and when partition creation is tried,
+it returns an error EINVAL thereby preventing the creation of partitions.
+So, there is no such distinction between disabling of partition scan and
+partition creation.
+
+Later in 6.xxx kernels, the commit b9684a71fca7 ("block, loop: support
+partitions without scanning") a new flag GD_SUPPRESS_PART_SCAN was
+introduced that just disables the partition scan and uses GENHD_FL_NO_PART
+only to prevent creating partition scan. So, the partition creationg can
+proceed with even if partition scan is disabled.
+
+As the commit b9684a71fca7 ("block, loop: support partitions without
+scanning") is not available in 5.15 stable kernel, and since there is no
+distinction between disabling of "partition scan" and "partition
+creation", we need to revert the commits 1a721de8489f and 7777f47f2ea6
+from 5.15 stable kernel to allow partition creation when partscan is
+disabled.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gulam Mohamed <gulam.mohamed@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/ioctl.c | 2 ++
+ block/partitions/core.c | 5 -----
+ 2 files changed, 2 insertions(+), 5 deletions(-)
+
+--- a/block/ioctl.c
++++ b/block/ioctl.c
+@@ -20,6 +20,8 @@ static int blkpg_do_ioctl(struct block_d
+ struct blkpg_partition p;
+ sector_t start, length;
+
++ if (disk->flags & GENHD_FL_NO_PART)
++ return -EINVAL;
+ if (!capable(CAP_SYS_ADMIN))
+ return -EACCES;
+ if (copy_from_user(&p, upart, sizeof(struct blkpg_partition)))
+--- a/block/partitions/core.c
++++ b/block/partitions/core.c
+@@ -463,11 +463,6 @@ int bdev_add_partition(struct gendisk *d
+ goto out;
+ }
+
+- if (disk->flags & GENHD_FL_NO_PART) {
+- ret = -EINVAL;
+- goto out;
+- }
+-
+ if (partition_overlaps(disk, start, length, -1)) {
+ ret = -EBUSY;
+ goto out;
--- /dev/null
+From stable+bounces-196551-greg=kroah.com@vger.kernel.org Fri Nov 21 19:14:02 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Nov 2025 13:10:34 -0500
+Subject: selftests: mptcp: connect: fix fallback note due to OoO
+To: stable@vger.kernel.org
+Cc: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>, Geliang Tang <geliang@kernel.org>, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251121181034.2640730-1-sashal@kernel.org>
+
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+
+[ Upstream commit 63c643aa7b7287fdbb0167063785f89ece3f000f ]
+
+The "fallback due to TCP OoO" was never printed because the stat_ooo_now
+variable was checked twice: once in the parent if-statement, and one in
+the child one. The second condition was then always true then, and the
+'else' branch was never taken.
+
+The idea is that when there are more ACK + MP_CAPABLE than expected, the
+test either fails if there was no out of order packets, or a notice is
+printed.
+
+Fixes: 69ca3d29a755 ("mptcp: update selftest for fallback due to OoO")
+Cc: stable@vger.kernel.org
+Reviewed-by: Geliang Tang <geliang@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20251110-net-mptcp-sft-join-unstable-v1-1-a4332c714e10@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ Different operators used ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/mptcp_connect.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_connect.sh
++++ b/tools/testing/selftests/net/mptcp/mptcp_connect.sh
+@@ -535,7 +535,7 @@ do_transfer()
+ "${stat_synrx_now_l}" "${expect_synrx}" 1>&2
+ retc=1
+ fi
+- if [ ${stat_ackrx_now_l} -lt ${expect_ackrx} -a ${stat_ooo_now} -eq 0 ]; then
++ if [ ${stat_ackrx_now_l} -lt ${expect_ackrx} ]; then
+ if [ ${stat_ooo_now} -eq 0 ]; then
+ printf "[ FAIL ] lower MPC ACK rx (%d) than expected (%d)\n" \
+ "${stat_ackrx_now_l}" "${expect_ackrx}" 1>&2
alsa-usb-audio-fix-uac2-clock-source-at-terminal-par.patch
net-ethernet-ti-netcp-standardize-knav_dma_open_chan.patch
tracing-tools-fix-incorrcet-short-option-in-usage-te.patch
+uio_hv_generic-set-event-for-all-channels-on-the-device.patch
+makefile.compiler-replace-cc-ifversion-with-compiler-specific-macros.patch
+btrfs-add-helper-to-truncate-inode-items-when-logging-inode.patch
+btrfs-fix-crash-on-racing-fsync-and-size-extending-write-into-prealloc.patch
+net-qede-initialize-qede_ll_ops-with-designated-initializer.patch
+mmc-sdhci-of-dwcmshc-change-dll_strbin_tapnum_default-to-0x4.patch
+net-netpoll-fix-incorrect-refcount-handling-causing-incorrect-cleanup.patch
+pmdomain-imx-fix-reference-count-leak-in-imx_gpc_remove.patch
+pmdomain-arm-scmi-fix-genpd-leak-on-provider-registration-failure.patch
+pmdomain-samsung-plug-potential-memleak-during-probe.patch
+selftests-mptcp-connect-fix-fallback-note-due-to-ooo.patch
+mptcp-disallow-mptcp-subflows-from-sockmap.patch
+mptcp-fix-proto-fallback-detection-with-bpf.patch
+usb-deprecate-the-third-argument-of-usb_maxpacket.patch
+input-remove-third-argument-of-usb_maxpacket.patch
+input-pegasus-notetaker-fix-potential-out-of-bounds-access.patch
+ata-libata-scsi-fix-system-suspend-for-a-security-locked-drive.patch
+dt-bindings-pinctrl-toshiba-visconti-fix-number-of-items-in-groups.patch
+mm-mempool-replace-kmap_atomic-with-kmap_local_page.patch
+mm-mempool-fix-poisoning-order-0-pages-with-highmem.patch
+mptcp-fix-ack-generation-for-fallback-msk.patch
+mptcp-fix-premature-close-in-case-of-fallback.patch
+mptcp-fix-a-race-in-mptcp_pm_del_add_timer.patch
+mptcp-do-not-fallback-when-ooo-is-present.patch
+revert-block-move-checking-genhd_fl_no_part-to-bdev_add_partition.patch
+revert-block-don-t-add-or-resize-partition-on-the-disk-with-genhd_fl_no_part.patch
--- /dev/null
+From d062463edf1770427dc2d637df4088df4835aa47 Mon Sep 17 00:00:00 2001
+From: Long Li <longli@microsoft.com>
+Date: Mon, 10 Mar 2025 15:12:01 -0700
+Subject: uio_hv_generic: Set event for all channels on the device
+
+From: Long Li <longli@microsoft.com>
+
+commit d062463edf1770427dc2d637df4088df4835aa47 upstream.
+
+Hyper-V may offer a non latency sensitive device with subchannels without
+monitor bit enabled. The decision is entirely on the Hyper-V host not
+configurable within guest.
+
+When a device has subchannels, also signal events for the subchannel
+if its monitor bit is disabled.
+
+This patch also removes the memory barrier when monitor bit is enabled
+as it is not necessary. The memory barrier is only needed between
+setting up interrupt mask and calling vmbus_set_event() when monitor
+bit is disabled.
+
+Signed-off-by: Long Li <longli@microsoft.com>
+Reviewed-by: Michael Kelley <mhklinux@outlook.com>
+Reviewed-by: Saurabh Sengar <ssengar@linux.microsoft.com>
+Link: https://lore.kernel.org/r/1741644721-20389-1-git-send-email-longli@linuxonhyperv.com
+Fixes: b15b7d2a1b09 ("uio_hv_generic: Let userspace take care of interrupt mask")
+Closes: https://bugs.debian.org/1120602
+Signed-off-by: Naman Jain <namjain@linux.microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/uio/uio_hv_generic.c | 21 +++++++++++++++++----
+ 1 file changed, 17 insertions(+), 4 deletions(-)
+
+--- a/drivers/uio/uio_hv_generic.c
++++ b/drivers/uio/uio_hv_generic.c
+@@ -80,9 +80,15 @@ hv_uio_irqcontrol(struct uio_info *info,
+ {
+ struct hv_uio_private_data *pdata = info->priv;
+ struct hv_device *dev = pdata->device;
++ struct vmbus_channel *primary, *sc;
+
+- dev->channel->inbound.ring_buffer->interrupt_mask = !irq_state;
+- virt_mb();
++ primary = dev->channel;
++ primary->inbound.ring_buffer->interrupt_mask = !irq_state;
++
++ mutex_lock(&vmbus_connection.channel_mutex);
++ list_for_each_entry(sc, &primary->sc_list, sc_list)
++ sc->inbound.ring_buffer->interrupt_mask = !irq_state;
++ mutex_unlock(&vmbus_connection.channel_mutex);
+
+ return 0;
+ }
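Review bot: The new `list_for_each_entry()` loop dereferences `sc->inbound.ring_buffer` for every entry on `primary->sc_list` without checking it. Nothing in this hunk shows that a subchannel is only added to the list after its ring buffer has been set up. hv_uio_irqcontrol() is the UIO irqcontrol hook, so if there is a window between the subchannel offer and its open, this would be a NULL dereference triggered by a userspace write to the device. Guarding the store closes that window: `if (sc->inbound.ring_buffer) sc->inbound.ring_buffer->interrupt_mask = !irq_state;`. The description ties the barrier to a following vmbus_set_event() call, which does not appear in this hunk, so a comment noting why no `virt_mb()` is needed after these stores would help the next reader.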
+@@ -93,11 +99,18 @@ hv_uio_irqcontrol(struct uio_info *info,
+ static void hv_uio_channel_cb(void *context)
+ {
+ struct vmbus_channel *chan = context;
+- struct hv_device *hv_dev = chan->device_obj;
+- struct hv_uio_private_data *pdata = hv_get_drvdata(hv_dev);
++ struct hv_device *hv_dev;
++ struct hv_uio_private_data *pdata;
+
+ virt_mb();
+
++ /*
++ * The callback may come from a subchannel, in which case look
++ * for the hv device in the primary channel
++ */
++ hv_dev = chan->primary_channel ?
++ chan->primary_channel->device_obj : chan->device_obj;
++ pdata = hv_get_drvdata(hv_dev);
+ uio_event_notify(&pdata->info);
+ }
+
--- /dev/null
+From stable+bounces-196780-greg=kroah.com@vger.kernel.org Mon Nov 24 19:38:15 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Nov 2025 13:37:56 -0500
+Subject: usb: deprecate the third argument of usb_maxpacket()
+To: stable@vger.kernel.org
+Cc: Vincent Mailhol <mailhol.vincent@wanadoo.fr>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251124183758.4187087-1-sashal@kernel.org>
+
+From: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+
+[ Upstream commit 0f08c2e7458e25c967d844170f8ad1aac3b57a02 ]
+
+This is a transitional patch with the ultimate goal of changing the
+prototype of usb_maxpacket() from:
+| static inline __u16
+| usb_maxpacket(struct usb_device *udev, int pipe, int is_out)
+
+into:
+| static inline u16 usb_maxpacket(struct usb_device *udev, int pipe)
+
+The third argument of usb_maxpacket(): is_out gets removed because it
+can be derived from its second argument: pipe using
+usb_pipeout(pipe). Furthermore, in the current version,
+ubs_pipeout(pipe) is called regardless in order to sanitize the is_out
+parameter.
+
+In order to make a smooth change, we first deprecate the is_out
+parameter by simply ignoring it (using a variadic function) and will
+remove it later, once all the callers get updated.
+
+The body of the function is reworked accordingly and is_out is
+replaced by usb_pipeout(pipe). The WARN_ON() calls become unnecessary
+and get removed.
+
+Finally, the return type is changed from __u16 to u16 because this is
+not a UAPI function.
+
+Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+Link: https://lore.kernel.org/r/20220317035514.6378-2-mailhol.vincent@wanadoo.fr
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: 69aeb5073123 ("Input: pegasus-notetaker - fix potential out-of-bounds access")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/usb.h | 16 +++++-----------
+ 1 file changed, 5 insertions(+), 11 deletions(-)
+
+--- a/include/linux/usb.h
++++ b/include/linux/usb.h
+@@ -1987,21 +1987,17 @@ usb_pipe_endpoint(struct usb_device *dev
+ return eps[usb_pipeendpoint(pipe)];
+ }
+
+-/*-------------------------------------------------------------------------*/
+-
+-static inline __u16
+-usb_maxpacket(struct usb_device *udev, int pipe, int is_out)
++static inline u16 usb_maxpacket(struct usb_device *udev, int pipe,
++ /* int is_out deprecated */ ...)
+ {
+ struct usb_host_endpoint *ep;
+ unsigned epnum = usb_pipeendpoint(pipe);
+
+- if (is_out) {
+- WARN_ON(usb_pipein(pipe));
++ if (usb_pipeout(pipe))
+ ep = udev->ep_out[epnum];
+- } else {
+- WARN_ON(usb_pipeout(pipe));
++ else
+ ep = udev->ep_in[epnum];
+- }
++
+ if (!ep)
+ return 0;
+
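Review bot: The reworked `usb_maxpacket()` has no documentation beyond `/* int is_out deprecated */`, although its contract changes. With `...` the compiler accepts any trailing arguments unchecked, and the `WARN_ON()` that flagged a direction mismatch is removed, so a caller passing a wrong `is_out` gets no diagnostic. I would add a short kernel-doc block above the signature stating that the direction comes from `pipe` alone, that extra arguments are ignored, and that the function returns 0 when the endpoint does not exist. It should also say that the value comes from the device's endpoint descriptor, so callers must range-check it before using it as a buffer size or divisor. The function body continues into the next hunk.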
+@@ -2009,8 +2005,6 @@ usb_maxpacket(struct usb_device *udev, i
+ return usb_endpoint_maxp(&ep->desc);
+ }
+
+-/* ----------------------------------------------------------------------- */
+-
+ /* translate USB error codes to codes user space understands */
+ static inline int usb_translate_errors(int error_code)
+ {