--- /dev/null
+From stable+bounces-172193-greg=kroah.com@vger.kernel.org Thu Aug 21 18:35:59 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Aug 2025 12:28:07 -0400
+Subject: ata: Fix SATA_MOBILE_LPM_POLICY description in Kconfig
+To: stable@vger.kernel.org
+Cc: Damien Le Moal <dlemoal@kernel.org>, Hannes Reinecke <hare@suse.de>, Niklas Cassel <cassel@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250821162807.792983-1-sashal@kernel.org>
+
+From: Damien Le Moal <dlemoal@kernel.org>
+
+[ Upstream commit ed62a62a18bc144f73eadf866ae46842e8f6606e ]
+
+Improve the description of the possible default SATA link power
+management policies and add the missing description for policy 5.
+No functional changes.
+
+Fixes: a5ec5a7bfd1f ("ata: ahci: Support state with min power but Partial low power state")
+Cc: stable@vger.kernel.org
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Reviewed-by: Niklas Cassel <cassel@kernel.org>
+[ Adjust context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/Kconfig | 33 +++++++++++++++++++++++++--------
+ 1 file changed, 25 insertions(+), 8 deletions(-)
+
+--- a/drivers/ata/Kconfig
++++ b/drivers/ata/Kconfig
+@@ -117,7 +117,7 @@ config SATA_AHCI
+
+ config SATA_MOBILE_LPM_POLICY
+ int "Default SATA Link Power Management policy for low power chipsets"
+- range 0 4
++ range 0 5
+ default 0
+ depends on SATA_AHCI
+ help
+@@ -126,15 +126,32 @@ config SATA_MOBILE_LPM_POLICY
+ chipsets are typically found on most laptops but desktops and
+ servers now also widely use chipsets supporting low power modes.
+
+- The value set has the following meanings:
++ Each policy combines power saving states and features:
++ - Partial: The Phy logic is powered but is in a reduced power
++ state. The exit latency from this state is no longer than
++ 10us).
++ - Slumber: The Phy logic is powered but is in an even lower power
++ state. The exit latency from this state is potentially
++ longer, but no longer than 10ms.
++ - DevSleep: The Phy logic may be powered down. The exit latency from
++ this state is no longer than 20 ms, unless otherwise
++ specified by DETO in the device Identify Device Data log.
++ - HIPM: Host Initiated Power Management (host automatically
++ transitions to partial and slumber).
++ - DIPM: Device Initiated Power Management (device automatically
++ transitions to partial and slumber).
++
++ The possible values for the default SATA link power management
++ policies are:
+ 0 => Keep firmware settings
+- 1 => Maximum performance
+- 2 => Medium power
+- 3 => Medium power with Device Initiated PM enabled
+- 4 => Minimum power
++ 1 => No power savings (maximum performance)
++ 2 => HIPM (Partial)
++ 3 => HIPM (Partial) and DIPM (Partial and Slumber)
++ 4 => HIPM (Partial and DevSleep) and DIPM (Partial and Slumber)
++ 5 => HIPM (Slumber and DevSleep) and DIPM (Partial and Slumber)
+
+- Note "Minimum power" is known to cause issues, including disk
+- corruption, with some disks and should not be used.
++ Excluding the value 0, higher values represent policies with higher
++ power savings.
+
+ config SATA_AHCI_PLATFORM
+ tristate "Platform AHCI SATA support"
--- /dev/null
+From stable+bounces-172241-greg=kroah.com@vger.kernel.org Fri Aug 22 04:53:41 2025
+From: Damien Le Moal <dlemoal@kernel.org>
+Date: Fri, 22 Aug 2025 11:50:39 +0900
+Subject: ata: libata-scsi: Return aborted command when missing sense and result TF
+To: stable@vger.kernel.org
+Message-ID: <20250822025039.244614-1-dlemoal@kernel.org>
+
+From: Damien Le Moal <dlemoal@kernel.org>
+
+Commit d2be9ea9a75550a35c5127a6c2633658bc38c76b upstream.
+
+ata_gen_ata_sense() is always called for a failed qc missing sense data
+so that a sense key, code and code qualifier can be generated using
+ata_to_sense_error() from the qc status and error fields of its result
+task file. However, if the qc does not have its result task file filled,
+ata_gen_ata_sense() returns early without setting a sense key.
+
+Improve this by defaulting to returning ABORTED COMMAND without any
+additional sense code, since we do not know the reason for the failure.
+The same fix is also applied in ata_gen_passthru_sense() with the
+additional check that the qc failed (qc->err_mask is set).
+
+Fixes: 816be86c7993 ("ata: libata-scsi: Check ATA_QCFLAG_RTF_FILLED before using result_tf")
+Cc: stable@vger.kernel.org
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libata-scsi.c | 27 +++++++++++++++------------
+ 1 file changed, 15 insertions(+), 12 deletions(-)
+
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -935,6 +935,8 @@ static void ata_gen_passthru_sense(struc
+ if (!(qc->flags & ATA_QCFLAG_RTF_FILLED)) {
+ ata_dev_dbg(dev,
+ "missing result TF: can't generate ATA PT sense data\n");
++ if (qc->err_mask)
++ ata_scsi_set_sense(dev, cmd, ABORTED_COMMAND, 0, 0);
+ return;
+ }
+
+@@ -992,8 +994,8 @@ static void ata_gen_ata_sense(struct ata
+
+ if (!(qc->flags & ATA_QCFLAG_RTF_FILLED)) {
+ ata_dev_dbg(dev,
+- "missing result TF: can't generate sense data\n");
+- return;
++ "Missing result TF: reporting aborted command\n");
++ goto aborted;
+ }
+
+ /* Use ata_to_sense_error() to map status register bits
+@@ -1004,19 +1006,20 @@ static void ata_gen_ata_sense(struct ata
+ ata_to_sense_error(qc->ap->print_id, tf->status, tf->error,
+ &sense_key, &asc, &ascq);
+ ata_scsi_set_sense(dev, cmd, sense_key, asc, ascq);
+- } else {
+- /* Could not decode error */
+- ata_dev_warn(dev, "could not decode error status 0x%x err_mask 0x%x\n",
+- tf->status, qc->err_mask);
+- ata_scsi_set_sense(dev, cmd, ABORTED_COMMAND, 0, 0);
+- return;
+- }
+
+- block = ata_tf_read_block(&qc->result_tf, dev);
+- if (block == U64_MAX)
++ block = ata_tf_read_block(&qc->result_tf, dev);
++ if (block != U64_MAX)
++ scsi_set_sense_information(sb, SCSI_SENSE_BUFFERSIZE,
++ block);
+ return;
++ }
+
+- scsi_set_sense_information(sb, SCSI_SENSE_BUFFERSIZE, block);
++ /* Could not decode error */
++ ata_dev_warn(dev,
++ "Could not decode error 0x%x, status 0x%x (err_mask=0x%x)\n",
++ tf->error, tf->status, qc->err_mask);
++aborted:
++ ata_scsi_set_sense(dev, cmd, ABORTED_COMMAND, 0, 0);
+ }
+
+ void ata_scsi_sdev_config(struct scsi_device *sdev)
--- /dev/null
+From stable+bounces-172216-greg=kroah.com@vger.kernel.org Thu Aug 21 20:30:56 2025
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Thu, 21 Aug 2025 11:29:49 -0700
+Subject: kbuild: userprogs: use correct linker when mixing clang and GNU ld
+To: gregkh@linuxfoundation.org, sashal@kernel.org
+Cc: stable@vger.kernel.org, nathan@kernel.org, thomas.weissschuh@linutronix.de
+Message-ID: <20250821182949.1216551-1-nathan@kernel.org>
+
+From: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
+
+commit 936599ca514973d44a766b7376c6bbdc96b6a8cc upstream.
+
+The userprogs infrastructure does not expect clang being used with GNU ld
+and in that case uses /usr/bin/ld for linking, not the configured $(LD).
+This fallback is problematic as it will break when cross-compiling.
+Mixing clang and GNU ld is used for example when building for SPARC64,
+as ld.lld is not sufficient; see Documentation/kbuild/llvm.rst.
+
+Relax the check around --ld-path so it gets used for all linkers.
+
+Fixes: dfc1b168a8c4 ("kbuild: userprogs: use correct lld when linking through clang")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
+Reviewed-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+[nathan: Work around wrapping '--ld-path' in cc-option in older stable
+ branches due to older minimum LLVM version]
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Makefile
++++ b/Makefile
+@@ -1061,7 +1061,7 @@ KBUILD_USERCFLAGS += $(filter -m32 -m64
+ KBUILD_USERLDFLAGS += $(filter -m32 -m64 --target=%, $(KBUILD_CPPFLAGS) $(KBUILD_CFLAGS))
+
+ # userspace programs are linked via the compiler, use the correct linker
+-ifeq ($(CONFIG_CC_IS_CLANG)$(CONFIG_LD_IS_LLD),yy)
++ifdef CONFIG_CC_IS_CLANG
+ KBUILD_USERLDFLAGS += $(call cc-option, --ld-path=$(LD))
+ endif
+
--- /dev/null
+From f1fb088d9cecde5c3066d8ff8846789667519b7d Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Fri, 4 Apr 2025 12:38:19 -0700
+Subject: KVM: x86: Take irqfds.lock when adding/deleting IRQ bypass producer
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit f1fb088d9cecde5c3066d8ff8846789667519b7d upstream.
+
+Take irqfds.lock when adding/deleting an IRQ bypass producer to ensure
+irqfd->producer isn't modified while kvm_irq_routing_update() is running.
+The only lock held when a producer is added/removed is irqbypass's mutex.
+
+Fixes: 872768800652 ("KVM: x86: select IRQ_BYPASS_MANAGER")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-ID: <20250404193923.1413163-5-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+[sean: account for lack of kvm_x86_call()]
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/x86.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -13266,16 +13266,22 @@ int kvm_arch_irq_bypass_add_producer(str
+ {
+ struct kvm_kernel_irqfd *irqfd =
+ container_of(cons, struct kvm_kernel_irqfd, consumer);
++ struct kvm *kvm = irqfd->kvm;
+ int ret;
+
+- irqfd->producer = prod;
+ kvm_arch_start_assignment(irqfd->kvm);
++
++ spin_lock_irq(&kvm->irqfds.lock);
++ irqfd->producer = prod;
++
+ ret = static_call(kvm_x86_pi_update_irte)(irqfd->kvm,
+ prod->irq, irqfd->gsi, 1);
+-
+ if (ret)
+ kvm_arch_end_assignment(irqfd->kvm);
+
++ spin_unlock_irq(&kvm->irqfds.lock);
++
++
+ return ret;
+ }
+
+@@ -13285,9 +13291,9 @@ void kvm_arch_irq_bypass_del_producer(st
+ int ret;
+ struct kvm_kernel_irqfd *irqfd =
+ container_of(cons, struct kvm_kernel_irqfd, consumer);
++ struct kvm *kvm = irqfd->kvm;
+
+ WARN_ON(irqfd->producer != prod);
+- irqfd->producer = NULL;
+
+ /*
+ * When producer of consumer is unregistered, we change back to
+@@ -13295,11 +13301,17 @@ void kvm_arch_irq_bypass_del_producer(st
+ * when the irq is masked/disabled or the consumer side (KVM
+ * int this case doesn't want to receive the interrupts.
+ */
++ spin_lock_irq(&kvm->irqfds.lock);
++ irqfd->producer = NULL;
++
+ ret = static_call(kvm_x86_pi_update_irte)(irqfd->kvm, prod->irq, irqfd->gsi, 0);
+ if (ret)
+ printk(KERN_INFO "irq bypass consumer (token %p) unregistration"
+ " fails: %d\n", irqfd->consumer.token, ret);
+
++ spin_unlock_irq(&kvm->irqfds.lock);
++
++
+ kvm_arch_end_assignment(irqfd->kvm);
+ }
+
--- /dev/null
+From 59305202c67fea50378dcad0cc199dbc13a0e99a Mon Sep 17 00:00:00 2001
+From: Anshuman Khandual <anshuman.khandual@arm.com>
+Date: Fri, 20 Jun 2025 10:54:27 +0530
+Subject: mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd()
+
+From: Anshuman Khandual <anshuman.khandual@arm.com>
+
+commit 59305202c67fea50378dcad0cc199dbc13a0e99a upstream.
+
+Memory hot remove unmaps and tears down various kernel page table regions
+as required. The ptdump code can race with concurrent modifications of
+the kernel page tables. When leaf entries are modified concurrently, the
+dump code may log stale or inconsistent information for a VA range, but
+this is otherwise not harmful.
+
+But when intermediate levels of kernel page table are freed, the dump code
+will continue to use memory that has been freed and potentially
+reallocated for another purpose. In such cases, the ptdump code may
+dereference bogus addresses, leading to a number of potential problems.
+
+To avoid the above mentioned race condition, platforms such as arm64,
+riscv and s390 take memory hotplug lock, while dumping kernel page table
+via the sysfs interface /sys/kernel/debug/kernel_page_tables.
+
+Similar race condition exists while checking for pages that might have
+been marked W+X via /sys/kernel/debug/kernel_page_tables/check_wx_pages
+which in turn calls ptdump_check_wx(). Instead of solving this race
+condition again, let's just move the memory hotplug lock inside generic
+ptdump_check_wx() which will benefit both the scenarios.
+
+Drop get_online_mems() and put_online_mems() combination from all existing
+platform ptdump code paths.
+
+Link: https://lkml.kernel.org/r/20250620052427.2092093-1-anshuman.khandual@arm.com
+Fixes: bbd6ec605c0f ("arm64/mm: Enable memory hot remove")
+Signed-off-by: Anshuman Khandual <anshuman.khandual@arm.com>
+Acked-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Dev Jain <dev.jain@arm.com>
+Acked-by: Alexander Gordeev <agordeev@linux.ibm.com> [s390]
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Will Deacon <will@kernel.org>
+Cc: Ryan Roberts <ryan.roberts@arm.com>
+Cc: Paul Walmsley <paul.walmsley@sifive.com>
+Cc: Palmer Dabbelt <palmer@dabbelt.com>
+Cc: Alexander Gordeev <agordeev@linux.ibm.com>
+Cc: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
+Cc: Heiko Carstens <hca@linux.ibm.com>
+Cc: Vasily Gorbik <gor@linux.ibm.com>
+Cc: Christian Borntraeger <borntraeger@linux.ibm.com>
+Cc: Sven Schnelle <svens@linux.ibm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/mm/ptdump_debugfs.c | 3 ---
+ arch/s390/mm/dump_pagetables.c | 2 --
+ mm/ptdump.c | 2 ++
+ 3 files changed, 2 insertions(+), 5 deletions(-)
+
+--- a/arch/arm64/mm/ptdump_debugfs.c
++++ b/arch/arm64/mm/ptdump_debugfs.c
+@@ -1,6 +1,5 @@
+ // SPDX-License-Identifier: GPL-2.0
+ #include <linux/debugfs.h>
+-#include <linux/memory_hotplug.h>
+ #include <linux/seq_file.h>
+
+ #include <asm/ptdump.h>
+@@ -9,9 +8,7 @@ static int ptdump_show(struct seq_file *
+ {
+ struct ptdump_info *info = m->private;
+
+- get_online_mems();
+ ptdump_walk(m, info);
+- put_online_mems();
+ return 0;
+ }
+ DEFINE_SHOW_ATTRIBUTE(ptdump);
+--- a/arch/s390/mm/dump_pagetables.c
++++ b/arch/s390/mm/dump_pagetables.c
+@@ -249,11 +249,9 @@ static int ptdump_show(struct seq_file *
+ .marker = address_markers,
+ };
+
+- get_online_mems();
+ mutex_lock(&cpa_mutex);
+ ptdump_walk_pgd(&st.ptdump, &init_mm, NULL);
+ mutex_unlock(&cpa_mutex);
+- put_online_mems();
+ return 0;
+ }
+ DEFINE_SHOW_ATTRIBUTE(ptdump);
+--- a/mm/ptdump.c
++++ b/mm/ptdump.c
+@@ -152,6 +152,7 @@ void ptdump_walk_pgd(struct ptdump_state
+ {
+ const struct ptdump_range *range = st->range;
+
++ get_online_mems();
+ mmap_write_lock(mm);
+ while (range->start != range->end) {
+ walk_page_range_novma(mm, range->start, range->end,
+@@ -159,6 +160,7 @@ void ptdump_walk_pgd(struct ptdump_state
+ range++;
+ }
+ mmap_write_unlock(mm);
++ put_online_mems();
+
+ /* Flush out the last page */
+ st->note_page(st, 0, -1, 0);
--- /dev/null
+From stable+bounces-172195-greg=kroah.com@vger.kernel.org Thu Aug 21 18:36:03 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Aug 2025 12:28:32 -0400
+Subject: PM: runtime: Simplify pm_runtime_get_if_active() usage
+To: stable@vger.kernel.org
+Cc: Sakari Ailus <sakari.ailus@linux.intel.com>, Alex Elder <elder@linaro.org>, Laurent Pinchart <laurent.pinchart@ideasonboard.com>, Takashi Iwai <tiwai@suse.de>, Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>, Rodrigo Vivi <rodrigo.vivi@intel.com>, Bjorn Helgaas <bhelgaas@google.com>, "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250821162833.814231-1-sashal@kernel.org>
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+[ Upstream commit c0ef3df8dbaef51ee4cfd58a471adf2eaee6f6b3 ]
+
+There are two ways to opportunistically increment a device's runtime PM
+usage count, calling either pm_runtime_get_if_active() or
+pm_runtime_get_if_in_use(). The former has an argument to tell whether to
+ignore the usage count or not, and the latter simply calls the former with
+ign_usage_count set to false. The other users that want to ignore the
+usage_count will have to explicitly set that argument to true which is a
+bit cumbersome.
+
+To make this function more practical to use, remove the ign_usage_count
+argument from the function. The main implementation is in a static
+function called pm_runtime_get_conditional() and implementations of
+pm_runtime_get_if_active() and pm_runtime_get_if_in_use() are moved to
+runtime.c.
+
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Reviewed-by: Alex Elder <elder@linaro.org>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Acked-by: Takashi Iwai <tiwai@suse.de> # sound/
+Reviewed-by: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com> # drivers/accel/ivpu/
+Acked-by: Rodrigo Vivi <rodrigo.vivi@intel.com> # drivers/gpu/drm/i915/
+Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Acked-by: Bjorn Helgaas <bhelgaas@google.com> # drivers/pci/
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+[ Removed changes to code that didn't exist in older trees ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/power/runtime_pm.rst | 5 +---
+ drivers/base/power/runtime.c | 35 ++++++++++++++++++++++++++++++--
+ drivers/gpu/drm/i915/intel_runtime_pm.c | 5 +++-
+ drivers/media/i2c/ccs/ccs-core.c | 2 -
+ drivers/net/ipa/ipa_smp2p.c | 2 -
+ drivers/pci/pci.c | 2 -
+ drivers/ufs/core/ufshcd-priv.h | 2 -
+ include/linux/pm_runtime.h | 18 ++--------------
+ sound/hda/hdac_device.c | 2 -
+ 9 files changed, 47 insertions(+), 26 deletions(-)
+
+--- a/Documentation/power/runtime_pm.rst
++++ b/Documentation/power/runtime_pm.rst
+@@ -398,10 +398,9 @@ drivers/base/power/runtime.c and include
+ nonzero, increment the counter and return 1; otherwise return 0 without
+ changing the counter
+
+- `int pm_runtime_get_if_active(struct device *dev, bool ign_usage_count);`
++ `int pm_runtime_get_if_active(struct device *dev);`
+ - return -EINVAL if 'power.disable_depth' is nonzero; otherwise, if the
+- runtime PM status is RPM_ACTIVE, and either ign_usage_count is true
+- or the device's usage_count is non-zero, increment the counter and
++ runtime PM status is RPM_ACTIVE, increment the counter and
+ return 1; otherwise return 0 without changing the counter
+
+ `void pm_runtime_put_noidle(struct device *dev);`
+--- a/drivers/base/power/runtime.c
++++ b/drivers/base/power/runtime.c
+@@ -1175,7 +1175,7 @@ int __pm_runtime_resume(struct device *d
+ EXPORT_SYMBOL_GPL(__pm_runtime_resume);
+
+ /**
+- * pm_runtime_get_if_active - Conditionally bump up device usage counter.
++ * pm_runtime_get_conditional - Conditionally bump up device usage counter.
+ * @dev: Device to handle.
+ * @ign_usage_count: Whether or not to look at the current usage counter value.
+ *
+@@ -1196,7 +1196,7 @@ EXPORT_SYMBOL_GPL(__pm_runtime_resume);
+ * The caller is responsible for decrementing the runtime PM usage counter of
+ * @dev after this function has returned a positive value for it.
+ */
+-int pm_runtime_get_if_active(struct device *dev, bool ign_usage_count)
++static int pm_runtime_get_conditional(struct device *dev, bool ign_usage_count)
+ {
+ unsigned long flags;
+ int retval;
+@@ -1217,9 +1217,40 @@ int pm_runtime_get_if_active(struct devi
+
+ return retval;
+ }
++
++/**
++ * pm_runtime_get_if_active - Bump up runtime PM usage counter if the device is
++ * in active state
++ * @dev: Target device.
++ *
++ * Increment the runtime PM usage counter of @dev if its runtime PM status is
++ * %RPM_ACTIVE, in which case it returns 1. If the device is in a different
++ * state, 0 is returned. -EINVAL is returned if runtime PM is disabled for the
++ * device, in which case also the usage_count will remain unmodified.
++ */
++int pm_runtime_get_if_active(struct device *dev)
++{
++ return pm_runtime_get_conditional(dev, true);
++}
+ EXPORT_SYMBOL_GPL(pm_runtime_get_if_active);
+
+ /**
++ * pm_runtime_get_if_in_use - Conditionally bump up runtime PM usage counter.
++ * @dev: Target device.
++ *
++ * Increment the runtime PM usage counter of @dev if its runtime PM status is
++ * %RPM_ACTIVE and its runtime PM usage counter is greater than 0, in which case
++ * it returns 1. If the device is in a different state or its usage_count is 0,
++ * 0 is returned. -EINVAL is returned if runtime PM is disabled for the device,
++ * in which case also the usage_count will remain unmodified.
++ */
++int pm_runtime_get_if_in_use(struct device *dev)
++{
++ return pm_runtime_get_conditional(dev, false);
++}
++EXPORT_SYMBOL_GPL(pm_runtime_get_if_in_use);
++
++/**
+ * __pm_runtime_set_status - Set runtime PM status of a device.
+ * @dev: Device to handle.
+ * @status: New runtime PM status of the device.
+--- a/drivers/gpu/drm/i915/intel_runtime_pm.c
++++ b/drivers/gpu/drm/i915/intel_runtime_pm.c
+@@ -434,7 +434,10 @@ static intel_wakeref_t __intel_runtime_p
+ * function, since the power state is undefined. This applies
+ * atm to the late/early system suspend/resume handlers.
+ */
+- if (pm_runtime_get_if_active(rpm->kdev, ignore_usecount) <= 0)
++ if ((ignore_usecount &&
++ pm_runtime_get_if_active(rpm->kdev) <= 0) ||
++ (!ignore_usecount &&
++ pm_runtime_get_if_in_use(rpm->kdev) <= 0))
+ return 0;
+ }
+
+--- a/drivers/media/i2c/ccs/ccs-core.c
++++ b/drivers/media/i2c/ccs/ccs-core.c
+@@ -665,7 +665,7 @@ static int ccs_set_ctrl(struct v4l2_ctrl
+ break;
+ }
+
+- pm_status = pm_runtime_get_if_active(&client->dev, true);
++ pm_status = pm_runtime_get_if_active(&client->dev);
+ if (!pm_status)
+ return 0;
+
+--- a/drivers/net/ipa/ipa_smp2p.c
++++ b/drivers/net/ipa/ipa_smp2p.c
+@@ -92,7 +92,7 @@ static void ipa_smp2p_notify(struct ipa_
+ return;
+
+ dev = &smp2p->ipa->pdev->dev;
+- smp2p->power_on = pm_runtime_get_if_active(dev, true) > 0;
++ smp2p->power_on = pm_runtime_get_if_active(dev) > 0;
+
+ /* Signal whether the IPA power is enabled */
+ mask = BIT(smp2p->enabled_bit);
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -2475,7 +2475,7 @@ static void pci_pme_list_scan(struct wor
+ * course of the call.
+ */
+ if (bdev) {
+- bref = pm_runtime_get_if_active(bdev, true);
++ bref = pm_runtime_get_if_active(bdev);
+ if (!bref)
+ continue;
+
+--- a/drivers/ufs/core/ufshcd-priv.h
++++ b/drivers/ufs/core/ufshcd-priv.h
+@@ -326,7 +326,7 @@ static inline int ufshcd_rpm_get_sync(st
+
+ static inline int ufshcd_rpm_get_if_active(struct ufs_hba *hba)
+ {
+- return pm_runtime_get_if_active(&hba->ufs_device_wlun->sdev_gendev, true);
++ return pm_runtime_get_if_active(&hba->ufs_device_wlun->sdev_gendev);
+ }
+
+ static inline int ufshcd_rpm_put_sync(struct ufs_hba *hba)
+--- a/include/linux/pm_runtime.h
++++ b/include/linux/pm_runtime.h
+@@ -73,7 +73,8 @@ extern int pm_runtime_force_resume(struc
+ extern int __pm_runtime_idle(struct device *dev, int rpmflags);
+ extern int __pm_runtime_suspend(struct device *dev, int rpmflags);
+ extern int __pm_runtime_resume(struct device *dev, int rpmflags);
+-extern int pm_runtime_get_if_active(struct device *dev, bool ign_usage_count);
++extern int pm_runtime_get_if_active(struct device *dev);
++extern int pm_runtime_get_if_in_use(struct device *dev);
+ extern int pm_schedule_suspend(struct device *dev, unsigned int delay);
+ extern int __pm_runtime_set_status(struct device *dev, unsigned int status);
+ extern int pm_runtime_barrier(struct device *dev);
+@@ -96,18 +97,6 @@ extern void pm_runtime_release_supplier(
+ extern int devm_pm_runtime_enable(struct device *dev);
+
+ /**
+- * pm_runtime_get_if_in_use - Conditionally bump up runtime PM usage counter.
+- * @dev: Target device.
+- *
+- * Increment the runtime PM usage counter of @dev if its runtime PM status is
+- * %RPM_ACTIVE and its runtime PM usage counter is greater than 0.
+- */
+-static inline int pm_runtime_get_if_in_use(struct device *dev)
+-{
+- return pm_runtime_get_if_active(dev, false);
+-}
+-
+-/**
+ * pm_suspend_ignore_children - Set runtime PM behavior regarding children.
+ * @dev: Target device.
+ * @enable: Whether or not to ignore possible dependencies on children.
+@@ -277,8 +266,7 @@ static inline int pm_runtime_get_if_in_u
+ {
+ return -EINVAL;
+ }
+-static inline int pm_runtime_get_if_active(struct device *dev,
+- bool ign_usage_count)
++static inline int pm_runtime_get_if_active(struct device *dev)
+ {
+ return -EINVAL;
+ }
+--- a/sound/hda/hdac_device.c
++++ b/sound/hda/hdac_device.c
+@@ -611,7 +611,7 @@ EXPORT_SYMBOL_GPL(snd_hdac_power_up_pm);
+ int snd_hdac_keep_power_up(struct hdac_device *codec)
+ {
+ if (!atomic_inc_not_zero(&codec->in_pm)) {
+- int ret = pm_runtime_get_if_active(&codec->dev, true);
++ int ret = pm_runtime_get_if_active(&codec->dev);
+ if (!ret)
+ return -1;
+ if (ret < 0)
--- /dev/null
+From stable+bounces-172196-greg=kroah.com@vger.kernel.org Thu Aug 21 18:36:05 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Aug 2025 12:28:33 -0400
+Subject: PM: runtime: Take active children into account in pm_runtime_get_if_in_use()
+To: stable@vger.kernel.org
+Cc: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>, Ulf Hansson <ulf.hansson@linaro.org>, Sakari Ailus <sakari.ailus@linux.intel.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250821162833.814231-2-sashal@kernel.org>
+
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 51888393cc64dd0462d0b96c13ab94873abbc030 ]
+
+For all practical purposes, there is no difference between the situation
+in which a given device is not ignoring children and its active child
+count is nonzero and the situation in which its runtime PM usage counter
+is nonzero. However, pm_runtime_get_if_in_use() will only increment the
+device's usage counter and return 1 in the latter case.
+
+For consistency, make it do so in the former case either by adjusting
+pm_runtime_get_conditional() and update the related kerneldoc comments
+accordingly.
+
+Fixes: c111566bea7c ("PM: runtime: Add pm_runtime_get_if_active()")
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
+Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Cc: 5.10+ <stable@vger.kernel.org> # 5.10+: c0ef3df8dbae: PM: runtime: Simplify pm_runtime_get_if_active() usage
+Cc: 5.10+ <stable@vger.kernel.org> # 5.10+
+Link: https://patch.msgid.link/12700973.O9o76ZdvQC@rjwysocki.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/power/runtime.c | 27 ++++++++++++++++++---------
+ 1 file changed, 18 insertions(+), 9 deletions(-)
+
+--- a/drivers/base/power/runtime.c
++++ b/drivers/base/power/runtime.c
+@@ -1181,10 +1181,12 @@ EXPORT_SYMBOL_GPL(__pm_runtime_resume);
+ *
+ * Return -EINVAL if runtime PM is disabled for @dev.
+ *
+- * Otherwise, if the runtime PM status of @dev is %RPM_ACTIVE and either
+- * @ign_usage_count is %true or the runtime PM usage counter of @dev is not
+- * zero, increment the usage counter of @dev and return 1. Otherwise, return 0
+- * without changing the usage counter.
++ * Otherwise, if its runtime PM status is %RPM_ACTIVE and (1) @ign_usage_count
++ * is set, or (2) @dev is not ignoring children and its active child count is
++ * nonero, or (3) the runtime PM usage counter of @dev is not zero, increment
++ * the usage counter of @dev and return 1.
++ *
++ * Otherwise, return 0 without changing the usage counter.
+ *
+ * If @ign_usage_count is %true, this function can be used to prevent suspending
+ * the device when its runtime PM status is %RPM_ACTIVE.
+@@ -1206,7 +1208,8 @@ static int pm_runtime_get_conditional(st
+ retval = -EINVAL;
+ } else if (dev->power.runtime_status != RPM_ACTIVE) {
+ retval = 0;
+- } else if (ign_usage_count) {
++ } else if (ign_usage_count || (!dev->power.ignore_children &&
++ atomic_read(&dev->power.child_count) > 0)) {
+ retval = 1;
+ atomic_inc(&dev->power.usage_count);
+ } else {
+@@ -1239,10 +1242,16 @@ EXPORT_SYMBOL_GPL(pm_runtime_get_if_acti
+ * @dev: Target device.
+ *
+ * Increment the runtime PM usage counter of @dev if its runtime PM status is
+- * %RPM_ACTIVE and its runtime PM usage counter is greater than 0, in which case
+- * it returns 1. If the device is in a different state or its usage_count is 0,
+- * 0 is returned. -EINVAL is returned if runtime PM is disabled for the device,
+- * in which case also the usage_count will remain unmodified.
++ * %RPM_ACTIVE and its runtime PM usage counter is greater than 0 or it is not
++ * ignoring children and its active child count is nonzero. 1 is returned in
++ * this case.
++ *
++ * If @dev is in a different state or it is not in use (that is, its usage
++ * counter is 0, or it is ignoring children, or its active child count is 0),
++ * 0 is returned.
++ *
++ * -EINVAL is returned if runtime PM is disabled for the device, in which case
++ * also the usage counter of @dev is not updated.
+ */
+ int pm_runtime_get_if_in_use(struct device *dev)
+ {
--- /dev/null
+From 5647f61ad9171e8f025558ed6dc5702c56a33ba3 Mon Sep 17 00:00:00 2001
+From: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
+Date: Wed, 9 Jul 2025 20:34:30 +0200
+Subject: s390/mm: Remove possible false-positive warning in pte_free_defer()
+
+From: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
+
+commit 5647f61ad9171e8f025558ed6dc5702c56a33ba3 upstream.
+
+Commit 8211dad627981 ("s390: add pte_free_defer() for pgtables sharing
+page") added a warning to pte_free_defer(), on our request. It was meant
+to warn if this would ever be reached for KVM guest mappings, because
+the page table would be freed w/o a gmap_unlink(). THP mappings are not
+allowed for KVM guests on s390, so this should never happen.
+
+However, it is possible that the warning is triggered in a valid case as
+false-positive.
+
+s390_enable_sie() takes the mmap_lock, marks all VMAs as VM_NOHUGEPAGE and
+splits possibly existing THP guest mappings. mm->context.has_pgste is set
+to 1 before that, to prevent races with the mm_has_pgste() check in
+MADV_HUGEPAGE.
+
+khugepaged drops the mmap_lock for file mappings and might run in parallel,
+before a vma is marked VM_NOHUGEPAGE, but after mm->context.has_pgste was
+set to 1. If it finds file mappings to collapse, it will eventually call
+pte_free_defer(). This will trigger the warning, but it is a valid case
+because gmap is not yet set up, and the THP mappings will be split again.
+
+Therefore, remove the warning and the comment.
+
+Fixes: 8211dad627981 ("s390: add pte_free_defer() for pgtables sharing page")
+Cc: <stable@vger.kernel.org> # 6.6+
+Reviewed-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
+Signed-off-by: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/mm/pgalloc.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/arch/s390/mm/pgalloc.c
++++ b/arch/s390/mm/pgalloc.c
+@@ -456,11 +456,6 @@ void pte_free_defer(struct mm_struct *mm
+ page = virt_to_page(pgtable);
+ SetPageActive(page);
+ page_table_free(mm, (unsigned long *)pgtable);
+- /*
+- * page_table_free() does not do the pgste gmap_unlink() which
+- * page_table_free_rcu() does: warn us if pgste ever reaches here.
+- */
+- WARN_ON_ONCE(mm_has_pgste(mm));
+ }
+ #endif /* CONFIG_TRANSPARENT_HUGEPAGE */
+
btrfs-send-avoid-path-allocation-for-the-current-inode-when-issuing-commands.patch
btrfs-send-use-fallocate-for-hole-punching-with-send-stream-v2.patch
btrfs-send-make-fs_path_len-inline-and-constify-its-argument.patch
+s390-mm-remove-possible-false-positive-warning-in-pte_free_defer.patch
+kvm-x86-take-irqfds.lock-when-adding-deleting-irq-bypass-producer.patch
+wifi-mac80211-check-basic-rates-validity-in-sta_link_apply_parameters.patch
+mm-ptdump-take-the-memory-hotplug-lock-inside-ptdump_walk_pgd.patch
+usb-dwc3-imx8mp-fix-device-leak-at-unbind.patch
+ata-fix-sata_mobile_lpm_policy-description-in-kconfig.patch
+pm-runtime-simplify-pm_runtime_get_if_active-usage.patch
+pm-runtime-take-active-children-into-account-in-pm_runtime_get_if_in_use.patch
+ata-libata-scsi-return-aborted-command-when-missing-sense-and-result-tf.patch
+kbuild-userprogs-use-correct-linker-when-mixing-clang-and-gnu-ld.patch
--- /dev/null
+From sashal@kernel.org Thu Aug 21 18:28:25 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Aug 2025 12:28:22 -0400
+Subject: usb: dwc3: imx8mp: fix device leak at unbind
+To: stable@vger.kernel.org
+Cc: Johan Hovold <johan@kernel.org>, Li Jun <jun.li@nxp.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250821162822.805636-1-sashal@kernel.org>
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit 086a0e516f7b3844e6328a5c69e2708b66b0ce18 ]
+
+Make sure to drop the reference to the dwc3 device taken by
+of_find_device_by_node() on probe errors and on driver unbind.
+
+Fixes: 6dd2565989b4 ("usb: dwc3: add imx8mp dwc3 glue layer driver")
+Cc: stable@vger.kernel.org # 5.12
+Cc: Li Jun <jun.li@nxp.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20250724091910.21092-2-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/dwc3-imx8mp.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc3/dwc3-imx8mp.c
++++ b/drivers/usb/dwc3/dwc3-imx8mp.c
+@@ -244,7 +244,7 @@ static int dwc3_imx8mp_probe(struct plat
+ IRQF_ONESHOT, dev_name(dev), dwc3_imx);
+ if (err) {
+ dev_err(dev, "failed to request IRQ #%d --> %d\n", irq, err);
+- goto depopulate;
++ goto put_dwc3;
+ }
+
+ device_set_wakeup_capable(dev, true);
+@@ -252,6 +252,8 @@ static int dwc3_imx8mp_probe(struct plat
+
+ return 0;
+
++put_dwc3:
++ put_device(&dwc3_imx->dwc3->dev);
+ depopulate:
+ of_platform_depopulate(dev);
+ err_node_put:
+@@ -272,6 +274,8 @@ static void dwc3_imx8mp_remove(struct pl
+ struct dwc3_imx8mp *dwc3_imx = platform_get_drvdata(pdev);
+ struct device *dev = &pdev->dev;
+
++ put_device(&dwc3_imx->dwc3->dev);
++
+ pm_runtime_get_sync(dev);
+ of_platform_depopulate(dev);
+
--- /dev/null
+From 16ee3ea8faef8ff042acc15867a6c458c573de61 Mon Sep 17 00:00:00 2001
+From: Mikhail Lobanov <m.lobanov@rosa.ru>
+Date: Mon, 17 Mar 2025 13:31:37 +0300
+Subject: wifi: mac80211: check basic rates validity in sta_link_apply_parameters
+
+From: Mikhail Lobanov <m.lobanov@rosa.ru>
+
+commit 16ee3ea8faef8ff042acc15867a6c458c573de61 upstream.
+
+When userspace sets supported rates for a new station via
+NL80211_CMD_NEW_STATION, it might send a list that's empty
+or contains only invalid values. Currently, we process these
+values in sta_link_apply_parameters() without checking the result of
+ieee80211_parse_bitrates(), which can lead to an empty rates bitmap.
+
+A similar issue was addressed for NL80211_CMD_SET_BSS in commit
+ce04abc3fcc6 ("wifi: mac80211: check basic rates validity").
+This patch applies the same approach in sta_link_apply_parameters()
+for NL80211_CMD_NEW_STATION, ensuring there is at least one valid
+rate by inspecting the result of ieee80211_parse_bitrates().
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: b95eb7f0eee4 ("wifi: cfg80211/mac80211: separate link params from station params")
+Signed-off-by: Mikhail Lobanov <m.lobanov@rosa.ru>
+Link: https://patch.msgid.link/20250317103139.17625-1-m.lobanov@rosa.ru
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: "Hanne-Lotta Mäenpää" <hannelotta@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/cfg.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1847,12 +1847,12 @@ static int sta_link_apply_parameters(str
+ }
+
+ if (params->supported_rates &&
+- params->supported_rates_len) {
+- ieee80211_parse_bitrates(link->conf->chandef.width,
+- sband, params->supported_rates,
+- params->supported_rates_len,
+- &link_sta->pub->supp_rates[sband->band]);
+- }
++ params->supported_rates_len &&
++ !ieee80211_parse_bitrates(link->conf->chandef.width,
++ sband, params->supported_rates,
++ params->supported_rates_len,
++ &link_sta->pub->supp_rates[sband->band]))
++ return -EINVAL;
+
+ if (params->ht_capa)
+ ieee80211_ht_cap_ie_to_sta_ht_cap(sdata, sband,
projects / thirdparty / kernel / stable-queue.git / commitdiff
