--- /dev/null
+From 48fce74fe209ba9e9b416d7100ccee546edc9fc6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= <mic@digikod.net>
+Date: Tue, 18 Mar 2025 17:14:38 +0100
+Subject: landlock: Add erratum for TCP fix
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mickaël Salaün <mic@digikod.net>
+
+commit 48fce74fe209ba9e9b416d7100ccee546edc9fc6 upstream.
+
+Add erratum for the TCP socket identification fixed with commit
+854277e2cc8c ("landlock: Fix non-TCP sockets restriction").
+
+Fixes: 854277e2cc8c ("landlock: Fix non-TCP sockets restriction")
+Cc: Günther Noack <gnoack@google.com>
+Cc: Mikhail Ivanov <ivanov.mikhail1@huawei-partners.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250318161443.279194-4-mic@digikod.net
+Signed-off-by: Mickaël Salaün <mic@digikod.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/landlock/errata/abi-4.h | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+ create mode 100644 security/landlock/errata/abi-4.h
+
+--- /dev/null
++++ b/security/landlock/errata/abi-4.h
+@@ -0,0 +1,15 @@
++/* SPDX-License-Identifier: GPL-2.0-only */
++
++/**
++ * DOC: erratum_1
++ *
++ * Erratum 1: TCP socket identification
++ * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
++ *
++ * This fix addresses an issue where IPv4 and IPv6 stream sockets (e.g., SMC,
++ * MPTCP, or SCTP) were incorrectly restricted by TCP access rights during
++ * :manpage:`bind(2)` and :manpage:`connect(2)` operations. This change ensures
++ * that only TCP sockets are subject to TCP access rights, allowing other
++ * protocols to operate without unnecessary restrictions.
++ */
++LANDLOCK_ERRATUM(1)
--- /dev/null
+From 15383a0d63dbcd63dc7e8d9ec1bf3a0f7ebf64ac Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= <mic@digikod.net>
+Date: Tue, 18 Mar 2025 17:14:37 +0100
+Subject: landlock: Add the errata interface
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mickaël Salaün <mic@digikod.net>
+
+commit 15383a0d63dbcd63dc7e8d9ec1bf3a0f7ebf64ac upstream.
+
+Some fixes may require user space to check if they are applied on the
+running kernel before using a specific feature. For instance, this
+applies when a restriction was previously too restrictive and is now
+getting relaxed (e.g. for compatibility reasons). However, non-visible
+changes for legitimate use (e.g. security fixes) do not require an
+erratum.
+
+Because fixes are backported down to a specific Landlock ABI, we need a
+way to avoid cherry-pick conflicts. The solution is to only update a
+file related to the lower ABI impacted by this issue. All the ABI files
+are then used to create a bitmask of fixes.
+
+The new errata interface is similar to the one used to get the supported
+Landlock ABI version, but it returns a bitmask instead because the order
+of fixes may not match the order of versions, and not all fixes may
+apply to all versions.
+
+The actual errata will come with dedicated commits. The description is
+not actually used in the code but serves as documentation.
+
+Create the landlock_abi_version symbol and use its value to check errata
+consistency.
+
+Update test_base's create_ruleset_checks_ordering tests and add errata
+tests.
+
+This commit is backportable down to the first version of Landlock.
+
+Fixes: 3532b0b4352c ("landlock: Enable user space to infer supported features")
+Cc: Günther Noack <gnoack@google.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250318161443.279194-3-mic@digikod.net
+Signed-off-by: Mickaël Salaün <mic@digikod.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/uapi/linux/landlock.h | 2
+ security/landlock/errata.h | 87 +++++++++++++++++++++++++++
+ security/landlock/setup.c | 30 +++++++++
+ security/landlock/setup.h | 3
+ security/landlock/syscalls.c | 22 +++++-
+ tools/testing/selftests/landlock/base_test.c | 46 +++++++++++++-
+ 6 files changed, 185 insertions(+), 5 deletions(-)
+ create mode 100644 security/landlock/errata.h
+
+--- a/include/uapi/linux/landlock.h
++++ b/include/uapi/linux/landlock.h
+@@ -57,9 +57,11 @@ struct landlock_ruleset_attr {
+ *
+ * - %LANDLOCK_CREATE_RULESET_VERSION: Get the highest supported Landlock ABI
+ * version.
++ * - %LANDLOCK_CREATE_RULESET_ERRATA: Get a bitmask of fixed issues.
+ */
+ /* clang-format off */
+ #define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
++#define LANDLOCK_CREATE_RULESET_ERRATA (1U << 1)
+ /* clang-format on */
+
+ /**
+--- /dev/null
++++ b/security/landlock/errata.h
+@@ -0,0 +1,87 @@
++/* SPDX-License-Identifier: GPL-2.0-only */
++/*
++ * Landlock - Errata information
++ *
++ * Copyright © 2025 Microsoft Corporation
++ */
++
++#ifndef _SECURITY_LANDLOCK_ERRATA_H
++#define _SECURITY_LANDLOCK_ERRATA_H
++
++#include <linux/init.h>
++
++struct landlock_erratum {
++ const int abi;
++ const u8 number;
++};
++
++/* clang-format off */
++#define LANDLOCK_ERRATUM(NUMBER) \
++ { \
++ .abi = LANDLOCK_ERRATA_ABI, \
++ .number = NUMBER, \
++ },
++/* clang-format on */
++
++/*
++ * Some fixes may require user space to check if they are applied on the running
++ * kernel before using a specific feature. For instance, this applies when a
++ * restriction was previously too restrictive and is now getting relaxed (for
++ * compatibility or semantic reasons). However, non-visible changes for
++ * legitimate use (e.g. security fixes) do not require an erratum.
++ */
++static const struct landlock_erratum landlock_errata_init[] __initconst = {
++
++/*
++ * Only Sparse may not implement __has_include. If a compiler does not
++ * implement __has_include, a warning will be printed at boot time (see
++ * setup.c).
++ */
++#ifdef __has_include
++
++#define LANDLOCK_ERRATA_ABI 1
++#if __has_include("errata/abi-1.h")
++#include "errata/abi-1.h"
++#endif
++#undef LANDLOCK_ERRATA_ABI
++
++#define LANDLOCK_ERRATA_ABI 2
++#if __has_include("errata/abi-2.h")
++#include "errata/abi-2.h"
++#endif
++#undef LANDLOCK_ERRATA_ABI
++
++#define LANDLOCK_ERRATA_ABI 3
++#if __has_include("errata/abi-3.h")
++#include "errata/abi-3.h"
++#endif
++#undef LANDLOCK_ERRATA_ABI
++
++#define LANDLOCK_ERRATA_ABI 4
++#if __has_include("errata/abi-4.h")
++#include "errata/abi-4.h"
++#endif
++#undef LANDLOCK_ERRATA_ABI
++
++/*
++ * For each new erratum, we need to include all the ABI files up to the impacted
++ * ABI to make all potential future intermediate errata easy to backport.
++ *
++ * If such change involves more than one ABI addition, then it must be in a
++ * dedicated commit with the same Fixes tag as used for the actual fix.
++ *
++ * Each commit creating a new security/landlock/errata/abi-*.h file must have a
++ * Depends-on tag to reference the commit that previously added the line to
++ * include this new file, except if the original Fixes tag is enough.
++ *
++ * Each erratum must be documented in its related ABI file, and a dedicated
++ * commit must update Documentation/userspace-api/landlock.rst to include this
++ * erratum. This commit will not be backported.
++ */
++
++#endif
++
++ {}
++};
++
++#endif /* _SECURITY_LANDLOCK_ERRATA_H */
+--- a/security/landlock/setup.c
++++ b/security/landlock/setup.c
+@@ -6,12 +6,14 @@
+ * Copyright © 2018-2020 ANSSI
+ */
+
++#include <linux/bits.h>
+ #include <linux/init.h>
+ #include <linux/lsm_hooks.h>
+ #include <uapi/linux/lsm.h>
+
+ #include "common.h"
+ #include "cred.h"
++#include "errata.h"
+ #include "fs.h"
+ #include "net.h"
+ #include "setup.h"
+@@ -31,8 +33,36 @@ struct lsm_blob_sizes landlock_blob_size
+ .lbs_superblock = sizeof(struct landlock_superblock_security),
+ };
+
++int landlock_errata __ro_after_init;
++
++static void __init compute_errata(void)
++{
++ size_t i;
++
++#ifndef __has_include
++ /*
++ * This is a safeguard to make sure the compiler implements
++ * __has_include (see errata.h).
++ */
++ WARN_ON_ONCE(1);
++ return;
++#endif
++
++ for (i = 0; landlock_errata_init[i].number; i++) {
++ const int prev_errata = landlock_errata;
++
++ if (WARN_ON_ONCE(landlock_errata_init[i].abi >
++ landlock_abi_version))
++ continue;
++
++ landlock_errata |= BIT(landlock_errata_init[i].number - 1);
++ WARN_ON_ONCE(prev_errata == landlock_errata);
++ }
++}
++
+ static int __init landlock_init(void)
+ {
++ compute_errata();
+ landlock_add_cred_hooks();
+ landlock_add_task_hooks();
+ landlock_add_fs_hooks();
+--- a/security/landlock/setup.h
++++ b/security/landlock/setup.h
+@@ -11,7 +11,10 @@
+
+ #include <linux/lsm_hooks.h>
+
++extern const int landlock_abi_version;
++
+ extern bool landlock_initialized;
++extern int landlock_errata;
+
+ extern struct lsm_blob_sizes landlock_blob_sizes;
+ extern const struct lsm_id landlock_lsmid;
+--- a/security/landlock/syscalls.c
++++ b/security/landlock/syscalls.c
+@@ -159,7 +159,9 @@ static const struct file_operations rule
+ * the new ruleset.
+ * @size: Size of the pointed &struct landlock_ruleset_attr (needed for
+ * backward and forward compatibility).
+- * @flags: Supported value: %LANDLOCK_CREATE_RULESET_VERSION.
++ * @flags: Supported value:
++ * - %LANDLOCK_CREATE_RULESET_VERSION
++ * - %LANDLOCK_CREATE_RULESET_ERRATA
+ *
+ * This system call enables to create a new Landlock ruleset, and returns the
+ * related file descriptor on success.
+@@ -168,6 +170,10 @@ static const struct file_operations rule
+ * 0, then the returned value is the highest supported Landlock ABI version
+ * (starting at 1).
+ *
++ * If @flags is %LANDLOCK_CREATE_RULESET_ERRATA and @attr is NULL and @size is
++ * 0, then the returned value is a bitmask of fixed issues for the current
++ * Landlock ABI version.
++ *
+ * Possible returned errors are:
+ *
+ * - %EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time;
+@@ -191,9 +197,15 @@ SYSCALL_DEFINE3(landlock_create_ruleset,
+ return -EOPNOTSUPP;
+
+ if (flags) {
+- if ((flags == LANDLOCK_CREATE_RULESET_VERSION) && !attr &&
+- !size)
+- return LANDLOCK_ABI_VERSION;
++ if (attr || size)
++ return -EINVAL;
++
++ if (flags == LANDLOCK_CREATE_RULESET_VERSION)
++ return landlock_abi_version;
++
++ if (flags == LANDLOCK_CREATE_RULESET_ERRATA)
++ return landlock_errata;
++
+ return -EINVAL;
+ }
+
+@@ -234,6 +246,8 @@ SYSCALL_DEFINE3(landlock_create_ruleset,
+ return ruleset_fd;
+ }
+
++const int landlock_abi_version = LANDLOCK_ABI_VERSION;
++
+ /*
+ * Returns an owned ruleset from a FD. It is thus needed to call
+ * landlock_put_ruleset() on the return value.
+--- a/tools/testing/selftests/landlock/base_test.c
++++ b/tools/testing/selftests/landlock/base_test.c
+@@ -98,10 +98,54 @@ TEST(abi_version)
+ ASSERT_EQ(EINVAL, errno);
+ }
+
++/*
++ * Old source trees might not have the set of Kselftest fixes related to kernel
++ * UAPI headers.
++ */
++#ifndef LANDLOCK_CREATE_RULESET_ERRATA
++#define LANDLOCK_CREATE_RULESET_ERRATA (1U << 1)
++#endif
++
++TEST(errata)
++{
++ const struct landlock_ruleset_attr ruleset_attr = {
++ .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE,
++ };
++ int errata;
++
++ errata = landlock_create_ruleset(NULL, 0,
++ LANDLOCK_CREATE_RULESET_ERRATA);
++ /* The errata bitmask will not be backported to tests. */
++ ASSERT_LE(0, errata);
++ TH_LOG("errata: 0x%x", errata);
++
++ ASSERT_EQ(-1, landlock_create_ruleset(&ruleset_attr, 0,
++ LANDLOCK_CREATE_RULESET_ERRATA));
++ ASSERT_EQ(EINVAL, errno);
++
++ ASSERT_EQ(-1, landlock_create_ruleset(NULL, sizeof(ruleset_attr),
++ LANDLOCK_CREATE_RULESET_ERRATA));
++ ASSERT_EQ(EINVAL, errno);
++
++ ASSERT_EQ(-1,
++ landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr),
++ LANDLOCK_CREATE_RULESET_ERRATA));
++ ASSERT_EQ(EINVAL, errno);
++
++ ASSERT_EQ(-1, landlock_create_ruleset(
++ NULL, 0,
++ LANDLOCK_CREATE_RULESET_VERSION |
++ LANDLOCK_CREATE_RULESET_ERRATA));
++ ASSERT_EQ(-1, landlock_create_ruleset(NULL, 0,
++ LANDLOCK_CREATE_RULESET_ERRATA |
++ 1 << 31));
++ ASSERT_EQ(EINVAL, errno);
++}
++
+ /* Tests ordering of syscall argument checks. */
+ TEST(create_ruleset_checks_ordering)
+ {
+- const int last_flag = LANDLOCK_CREATE_RULESET_VERSION;
++ const int last_flag = LANDLOCK_CREATE_RULESET_ERRATA;
+ const int invalid_flag = last_flag << 1;
+ int ruleset_fd;
+ const struct landlock_ruleset_attr ruleset_attr = {
--- /dev/null
+From 18eb75f3af40be1f0fc2025d4ff821711222a2fd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= <mic@digikod.net>
+Date: Tue, 18 Mar 2025 17:14:40 +0100
+Subject: landlock: Always allow signals between threads of the same process
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mickaël Salaün <mic@digikod.net>
+
+commit 18eb75f3af40be1f0fc2025d4ff821711222a2fd upstream.
+
+Because Linux credentials are managed per thread, user space relies on
+some hack to synchronize credential update across threads from the same
+process. This is required by the Native POSIX Threads Library and
+implemented by set*id(2) wrappers and libcap(3) to use tgkill(2) to
+synchronize threads. See nptl(7) and libpsx(3). Furthermore, some
+runtimes like Go do not enable developers to have control over threads
+[1].
+
+To avoid potential issues, and because threads are not security
+boundaries, let's relax the Landlock (optional) signal scoping to always
+allow signals sent between threads of the same process. This exception
+is similar to the __ptrace_may_access() one.
+
+hook_file_set_fowner() now checks if the target task is part of the same
+process as the caller. If this is the case, then the related signal
+triggered by the socket will always be allowed.
+
+Scoping of abstract UNIX sockets is not changed because kernel objects
+(e.g. sockets) should be tied to their creator's domain at creation
+time.
+
+Note that creating one Landlock domain per thread puts each of these
+threads (and their future children) in their own scope, which is
+probably not what users expect, especially in Go where we do not control
+threads. However, being able to drop permissions on all threads should
+not be restricted by signal scoping. We are working on a way to make it
+possible to atomically restrict all threads of a process with the same
+domain [2].
+
+Add erratum for signal scoping.
+
+Closes: https://github.com/landlock-lsm/go-landlock/issues/36
+Fixes: 54a6e6bbf3be ("landlock: Add signal scoping")
+Fixes: c8994965013e ("selftests/landlock: Test signal scoping for threads")
+Depends-on: 26f204380a3c ("fs: Fix file_set_fowner LSM hook inconsistencies")
+Link: https://pkg.go.dev/kernel.org/pub/linux/libs/security/libcap/psx [1]
+Link: https://github.com/landlock-lsm/linux/issues/2 [2]
+Cc: Günther Noack <gnoack@google.com>
+Cc: Paul Moore <paul@paul-moore.com>
+Cc: Serge Hallyn <serge@hallyn.com>
+Cc: Tahera Fahimi <fahimitahera@gmail.com>
+Cc: stable@vger.kernel.org
+Acked-by: Christian Brauner <brauner@kernel.org>
+Link: https://lore.kernel.org/r/20250318161443.279194-6-mic@digikod.net
+[mic: Add extra pointer check and RCU guard, and ease backport]
+Signed-off-by: Mickaël Salaün <mic@digikod.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/landlock/errata/abi-6.h | 19 ++++++++
+ security/landlock/fs.c | 39 +++++++++++++++---
+ security/landlock/task.c | 12 +++++
+ tools/testing/selftests/landlock/scoped_signal_test.c | 2
+ 4 files changed, 65 insertions(+), 7 deletions(-)
+ create mode 100644 security/landlock/errata/abi-6.h
+
+--- /dev/null
++++ b/security/landlock/errata/abi-6.h
+@@ -0,0 +1,19 @@
++/* SPDX-License-Identifier: GPL-2.0-only */
++
++/**
++ * DOC: erratum_2
++ *
++ * Erratum 2: Scoped signal handling
++ * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
++ *
++ * This fix addresses an issue where signal scoping was overly restrictive,
++ * preventing sandboxed threads from signaling other threads within the same
++ * process if they belonged to different domains. Because threads are not
++ * security boundaries, user space might assume that any thread within the same
++ * process can send signals between themselves (see :manpage:`nptl(7)` and
++ * :manpage:`libpsx(3)`). Consistent with :manpage:`ptrace(2)` behavior, direct
++ * interaction between threads of the same process should always be allowed.
++ * This change ensures that any thread is allowed to send signals to any other
++ * thread within the same process, regardless of their domain.
++ */
++LANDLOCK_ERRATUM(2)
+--- a/security/landlock/fs.c
++++ b/security/landlock/fs.c
+@@ -27,7 +27,9 @@
+ #include <linux/mount.h>
+ #include <linux/namei.h>
+ #include <linux/path.h>
++#include <linux/pid.h>
+ #include <linux/rcupdate.h>
++#include <linux/sched/signal.h>
+ #include <linux/spinlock.h>
+ #include <linux/stat.h>
+ #include <linux/types.h>
+@@ -1623,21 +1625,46 @@ static int hook_file_ioctl_compat(struct
+ return -EACCES;
+ }
+
+-static void hook_file_set_fowner(struct file *file)
++/*
++ * Always allow sending signals between threads of the same process. This
++ * ensures consistency with hook_task_kill().
++ */
++static bool control_current_fowner(struct fown_struct *const fown)
+ {
+- struct landlock_ruleset *new_dom, *prev_dom;
++ struct task_struct *p;
+
+ /*
+ * Lock already held by __f_setown(), see commit 26f204380a3c ("fs: Fix
+ * file_set_fowner LSM hook inconsistencies").
+ */
+- lockdep_assert_held(&file_f_owner(file)->lock);
+- new_dom = landlock_get_current_domain();
+- landlock_get_ruleset(new_dom);
++ lockdep_assert_held(&fown->lock);
++
++ /*
++ * Some callers (e.g. fcntl_dirnotify) may not be in an RCU read-side
++ * critical section.
++ */
++ guard(rcu)();
++ p = pid_task(fown->pid, fown->pid_type);
++ if (!p)
++ return true;
++
++ return !same_thread_group(p, current);
++}
++
++static void hook_file_set_fowner(struct file *file)
++{
++ struct landlock_ruleset *prev_dom;
++ struct landlock_ruleset *new_dom = NULL;
++
++ if (control_current_fowner(file_f_owner(file))) {
++ new_dom = landlock_get_current_domain();
++ landlock_get_ruleset(new_dom);
++ }
++
+ prev_dom = landlock_file(file)->fown_domain;
+ landlock_file(file)->fown_domain = new_dom;
+
+- /* Called in an RCU read-side critical section. */
++ /* May be called in an RCU read-side critical section. */
+ landlock_put_ruleset_deferred(prev_dom);
+ }
+
+--- a/security/landlock/task.c
++++ b/security/landlock/task.c
+@@ -13,6 +13,7 @@
+ #include <linux/lsm_hooks.h>
+ #include <linux/rcupdate.h>
+ #include <linux/sched.h>
++#include <linux/sched/signal.h>
+ #include <net/af_unix.h>
+ #include <net/sock.h>
+
+@@ -264,6 +265,17 @@ static int hook_task_kill(struct task_st
+ /* Dealing with USB IO. */
+ dom = landlock_cred(cred)->domain;
+ } else {
++ /*
++ * Always allow sending signals between threads of the same process.
++ * This is required for process credential changes by the Native POSIX
++ * Threads Library and implemented by the set*id(2) wrappers and
++ * libcap(3) with tgkill(2). See nptl(7) and libpsx(3).
++ *
++ * This exception is similar to the __ptrace_may_access() one.
++ */
++ if (same_thread_group(p, current))
++ return 0;
++
+ dom = landlock_get_current_domain();
+ }
+ dom = landlock_get_applicable_domain(dom, signal_scope);
+--- a/tools/testing/selftests/landlock/scoped_signal_test.c
++++ b/tools/testing/selftests/landlock/scoped_signal_test.c
+@@ -281,7 +281,7 @@ TEST(signal_scoping_threads)
+ /* Restricts the domain after creating the first thread. */
+ create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL);
+
+- ASSERT_EQ(EPERM, pthread_kill(no_sandbox_thread, 0));
++ ASSERT_EQ(0, pthread_kill(no_sandbox_thread, 0));
+ ASSERT_EQ(1, write(thread_pipe[1], ".", 1));
+
+ ASSERT_EQ(0, pthread_create(&scoped_thread, NULL, thread_func, NULL));
--- /dev/null
+From 624f177d8f62032b4f3343c289120269645cec37 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= <mic@digikod.net>
+Date: Tue, 18 Mar 2025 17:14:36 +0100
+Subject: landlock: Move code to ease future backports
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mickaël Salaün <mic@digikod.net>
+
+commit 624f177d8f62032b4f3343c289120269645cec37 upstream.
+
+To ease backports in setup.c, let's group changes from
+__lsm_ro_after_init to __ro_after_init with commit f22f9aaf6c3d
+("selinux: remove the runtime disable functionality"), and the
+landlock_lsmid addition with commit f3b8788cde61 ("LSM: Identify modules
+by more than name").
+
+That will help to backport the following errata.
+
+Cc: Günther Noack <gnoack@google.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250318161443.279194-2-mic@digikod.net
+Fixes: f3b8788cde61 ("LSM: Identify modules by more than name")
+Signed-off-by: Mickaël Salaün <mic@digikod.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/landlock/setup.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/security/landlock/setup.c
++++ b/security/landlock/setup.c
+@@ -19,6 +19,11 @@
+
+ bool landlock_initialized __ro_after_init = false;
+
++const struct lsm_id landlock_lsmid = {
++ .name = LANDLOCK_NAME,
++ .id = LSM_ID_LANDLOCK,
++};
++
+ struct lsm_blob_sizes landlock_blob_sizes __ro_after_init = {
+ .lbs_cred = sizeof(struct landlock_cred_security),
+ .lbs_file = sizeof(struct landlock_file_security),
+@@ -26,11 +31,6 @@ struct lsm_blob_sizes landlock_blob_size
+ .lbs_superblock = sizeof(struct landlock_superblock_security),
+ };
+
+-const struct lsm_id landlock_lsmid = {
+- .name = LANDLOCK_NAME,
+- .id = LSM_ID_LANDLOCK,
+-};
+-
+ static int __init landlock_init(void)
+ {
+ landlock_add_cred_hooks();
--- /dev/null
+From 6d9ac5e4d70eba3e336f9809ba91ab2c49de6d87 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= <mic@digikod.net>
+Date: Tue, 18 Mar 2025 17:14:39 +0100
+Subject: landlock: Prepare to add second errata
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mickaël Salaün <mic@digikod.net>
+
+commit 6d9ac5e4d70eba3e336f9809ba91ab2c49de6d87 upstream.
+
+Potentially include errata for Landlock ABI v5 (Linux 6.10) and v6
+(Linux 6.12). That will be useful for the following signal scoping
+erratum.
+
+As explained in errata.h, this commit should be backportable without
+conflict down to ABI v5. It must then not include the errata/abi-6.h
+file.
+
+Fixes: 54a6e6bbf3be ("landlock: Add signal scoping")
+Cc: Günther Noack <gnoack@google.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250318161443.279194-5-mic@digikod.net
+Signed-off-by: Mickaël Salaün <mic@digikod.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/landlock/errata.h | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/security/landlock/errata.h
++++ b/security/landlock/errata.h
+@@ -63,6 +63,18 @@ static const struct landlock_erratum lan
+ #endif
+ #undef LANDLOCK_ERRATA_ABI
+
++#define LANDLOCK_ERRATA_ABI 5
++#if __has_include("errata/abi-5.h")
++#include "errata/abi-5.h"
++#endif
++#undef LANDLOCK_ERRATA_ABI
++
++#define LANDLOCK_ERRATA_ABI 6
++#if __has_include("errata/abi-6.h")
++#include "errata/abi-6.h"
++#endif
++#undef LANDLOCK_ERRATA_ABI
++
+ /*
+ * For each new erratum, we need to include all the ABI files up to the impacted
+ * ABI to make all potential future intermediate errata easy to backport.
--- /dev/null
+From 919d14603dab6a9cf03ebbeb2cfa556df48737c8 Mon Sep 17 00:00:00 2001
+From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+Date: Tue, 25 Feb 2025 20:02:49 +0900
+Subject: misc: pci_endpoint_test: Fix displaying 'irq_type' after 'request_irq' error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+
+commit 919d14603dab6a9cf03ebbeb2cfa556df48737c8 upstream.
+
+There are two variables that indicate the interrupt type to be used
+in the next test execution, global "irq_type" and "test->irq_type".
+
+The former is referenced from pci_endpoint_test_get_irq() to preserve
+the current type for ioctl(PCITEST_GET_IRQTYPE).
+
+In the pci_endpoint_test_request_irq(), since this global variable
+is referenced when an error occurs, the unintended error message is
+displayed.
+
+For example, after running "pcitest -i 2", the following message
+shows "MSI 3" even if the current IRQ type becomes "MSI-X":
+
+ pci-endpoint-test 0000:01:00.0: Failed to request IRQ 30 for MSI 3
+ SET IRQ TYPE TO MSI-X: NOT OKAY
+
+Fix this issue by using "test->irq_type" instead of global "irq_type".
+
+Cc: stable@vger.kernel.org
+Fixes: b2ba9225e031 ("misc: pci_endpoint_test: Avoid using module parameter to determine irqtype")
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+Link: https://lore.kernel.org/r/20250225110252.28866-4-hayashi.kunihiko@socionext.com
+[kwilczynski: commit log]
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/pci_endpoint_test.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/pci_endpoint_test.c
++++ b/drivers/misc/pci_endpoint_test.c
+@@ -234,7 +234,7 @@ static bool pci_endpoint_test_request_ir
+ return true;
+
+ fail:
+- switch (irq_type) {
++ switch (test->irq_type) {
+ case IRQ_TYPE_INTX:
+ dev_err(dev, "Failed to request IRQ %d for Legacy\n",
+ pci_irq_vector(pdev, i));
--- /dev/null
+From fa37a8849634db2dd3545116873da8cf4b1e67c6 Mon Sep 17 00:00:00 2001
+From: Haiyang Zhang <haiyangz@microsoft.com>
+Date: Tue, 25 Mar 2025 09:32:37 -0700
+Subject: net: mana: Switch to page pool for jumbo frames
+
+From: Haiyang Zhang <haiyangz@microsoft.com>
+
+commit fa37a8849634db2dd3545116873da8cf4b1e67c6 upstream.
+
+Frag allocators, such as netdev_alloc_frag(), were not designed to
+work for fragsz > PAGE_SIZE.
+
+So, switch to page pool for jumbo frames instead of using page frag
+allocators. This driver is using page pool for smaller MTUs already.
+
+Cc: stable@vger.kernel.org
+Fixes: 80f6215b450e ("net: mana: Add support for jumbo frame")
+Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
+Reviewed-by: Long Li <longli@microsoft.com>
+Reviewed-by: Shradha Gupta <shradhagupta@linux.microsoft.com>
+Link: https://patch.msgid.link/1742920357-27263-1-git-send-email-haiyangz@microsoft.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/microsoft/mana/mana_en.c | 46 +++++---------------------
+ 1 file changed, 9 insertions(+), 37 deletions(-)
+
+--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
++++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
+@@ -652,30 +652,16 @@ int mana_pre_alloc_rxbufs(struct mana_po
+ mpc->rxbpre_total = 0;
+
+ for (i = 0; i < num_rxb; i++) {
+- if (mpc->rxbpre_alloc_size > PAGE_SIZE) {
+- va = netdev_alloc_frag(mpc->rxbpre_alloc_size);
+- if (!va)
+- goto error;
+-
+- page = virt_to_head_page(va);
+- /* Check if the frag falls back to single page */
+- if (compound_order(page) <
+- get_order(mpc->rxbpre_alloc_size)) {
+- put_page(page);
+- goto error;
+- }
+- } else {
+- page = dev_alloc_page();
+- if (!page)
+- goto error;
++ page = dev_alloc_pages(get_order(mpc->rxbpre_alloc_size));
++ if (!page)
++ goto error;
+
+- va = page_to_virt(page);
+- }
++ va = page_to_virt(page);
+
+ da = dma_map_single(dev, va + mpc->rxbpre_headroom,
+ mpc->rxbpre_datasize, DMA_FROM_DEVICE);
+ if (dma_mapping_error(dev, da)) {
+- put_page(virt_to_head_page(va));
++ put_page(page);
+ goto error;
+ }
+
+@@ -1660,7 +1646,7 @@ drop:
+ }
+
+ static void *mana_get_rxfrag(struct mana_rxq *rxq, struct device *dev,
+- dma_addr_t *da, bool *from_pool, bool is_napi)
++ dma_addr_t *da, bool *from_pool)
+ {
+ struct page *page;
+ void *va;
+@@ -1671,21 +1657,6 @@ static void *mana_get_rxfrag(struct mana
+ if (rxq->xdp_save_va) {
+ va = rxq->xdp_save_va;
+ rxq->xdp_save_va = NULL;
+- } else if (rxq->alloc_size > PAGE_SIZE) {
+- if (is_napi)
+- va = napi_alloc_frag(rxq->alloc_size);
+- else
+- va = netdev_alloc_frag(rxq->alloc_size);
+-
+- if (!va)
+- return NULL;
+-
+- page = virt_to_head_page(va);
+- /* Check if the frag falls back to single page */
+- if (compound_order(page) < get_order(rxq->alloc_size)) {
+- put_page(page);
+- return NULL;
+- }
+ } else {
+ page = page_pool_dev_alloc_pages(rxq->page_pool);
+ if (!page)
+@@ -1718,7 +1689,7 @@ static void mana_refill_rx_oob(struct de
+ dma_addr_t da;
+ void *va;
+
+- va = mana_get_rxfrag(rxq, dev, &da, &from_pool, true);
++ va = mana_get_rxfrag(rxq, dev, &da, &from_pool);
+ if (!va)
+ return;
+
+@@ -2158,7 +2129,7 @@ static int mana_fill_rx_oob(struct mana_
+ if (mpc->rxbufs_pre)
+ va = mana_get_rxbuf_pre(rxq, &da);
+ else
+- va = mana_get_rxfrag(rxq, dev, &da, &from_pool, false);
++ va = mana_get_rxfrag(rxq, dev, &da, &from_pool);
+
+ if (!va)
+ return -ENOMEM;
+@@ -2244,6 +2215,7 @@ static int mana_create_page_pool(struct
+ pprm.nid = gc->numa_node;
+ pprm.napi = &rxq->rx_cq.napi;
+ pprm.netdev = rxq->ndev;
++ pprm.order = get_order(rxq->alloc_size);
+
+ rxq->page_pool = page_pool_create(&pprm);
+
--- /dev/null
+From fd5625fc86922f36bedee5846fefd647b7e72751 Mon Sep 17 00:00:00 2001
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+Date: Wed, 15 Jan 2025 21:28:17 +0300
+Subject: ntb: use 64-bit arithmetic for the MSI doorbell mask
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+commit fd5625fc86922f36bedee5846fefd647b7e72751 upstream.
+
+msi_db_mask is of type 'u64', still the standard 'int' arithmetic is
+performed to compute its value.
+
+While most of the ntb_hw drivers actually don't utilize the higher 32
+bits of the doorbell mask now, this may be the case for Switchtec - see
+switchtec_ntb_init_db().
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE static
+analysis tool.
+
+Fixes: 2b0569b3b7e6 ("NTB: Add MSI interrupt support to ntb_transport")
+Cc: stable@vger.kernel.org
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Jon Mason <jdmason@kudzu.us>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ntb/ntb_transport.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/ntb/ntb_transport.c
++++ b/drivers/ntb/ntb_transport.c
+@@ -1353,7 +1353,7 @@ static int ntb_transport_probe(struct nt
+ qp_count = ilog2(qp_bitmap);
+ if (nt->use_msi) {
+ qp_count -= 1;
+- nt->msi_db_mask = 1 << qp_count;
++ nt->msi_db_mask = BIT_ULL(qp_count);
+ ntb_db_clear_mask(ndev, nt->msi_db_mask);
+ }
+
--- /dev/null
+From 962a2805e47b933876ba0e4c488d9e89ced2dd29 Mon Sep 17 00:00:00 2001
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+Date: Sun, 9 Feb 2025 20:58:59 +0800
+Subject: of/irq: Fix device node refcount leakage in API irq_of_parse_and_map()
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+commit 962a2805e47b933876ba0e4c488d9e89ced2dd29 upstream.
+
+In irq_of_parse_and_map(), refcount of device node @oirq.np was got
+by successful of_irq_parse_one() invocation, but it does not put the
+refcount before return, so causes @oirq.np refcount leakage.
+
+Fix by putting @oirq.np refcount before return.
+
+Fixes: e3873444990d ("of/irq: Move irq_of_parse_and_map() to common code")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Link: https://lore.kernel.org/r/20250209-of_irq_fix-v2-6-93e3a2659aa7@quicinc.com
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/of/irq.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/of/irq.c
++++ b/drivers/of/irq.c
+@@ -39,11 +39,15 @@
+ unsigned int irq_of_parse_and_map(struct device_node *dev, int index)
+ {
+ struct of_phandle_args oirq;
++ unsigned int ret;
+
+ if (of_irq_parse_one(dev, index, &oirq))
+ return 0;
+
+- return irq_create_of_mapping(&oirq);
++ ret = irq_create_of_mapping(&oirq);
++ of_node_put(oirq.np);
++
++ return ret;
+ }
+ EXPORT_SYMBOL_GPL(irq_of_parse_and_map);
+
--- /dev/null
+From 0cb58d6c7b558a69957fabe159bfb184196e1e8d Mon Sep 17 00:00:00 2001
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+Date: Sun, 9 Feb 2025 20:58:55 +0800
+Subject: of/irq: Fix device node refcount leakage in API of_irq_parse_one()
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+commit 0cb58d6c7b558a69957fabe159bfb184196e1e8d upstream.
+
+of_irq_parse_one(@int_gen_dev, i, ...) will leak refcount of @i_th_phandle
+
+int_gen_dev {
+ ...
+ interrupts-extended = ..., <&i_th_phandle ...>, ...;
+ ...
+};
+
+Refcount of @i_th_phandle is increased by of_parse_phandle_with_args()
+but is not decreased by API of_irq_parse_one() before return, so causes
+refcount leakage.
+
+Rework the refcounting to use __free() cleanup and simplify the code to
+have a single call to of_irq_parse_raw().
+
+Also add comments about refcount of node @out_irq->np got by the API.
+
+Fixes: 79d9701559a9 ("of/irq: create interrupts-extended property")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Link: https://lore.kernel.org/r/20250209-of_irq_fix-v2-2-93e3a2659aa7@quicinc.com
+[robh: Use __free() to do puts]
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/of/irq.c | 59 +++++++++++++++++++++++++------------------------------
+ 1 file changed, 27 insertions(+), 32 deletions(-)
+
+--- a/drivers/of/irq.c
++++ b/drivers/of/irq.c
+@@ -16,6 +16,7 @@
+
+ #define pr_fmt(fmt) "OF: " fmt
+
++#include <linux/cleanup.h>
+ #include <linux/device.h>
+ #include <linux/errno.h>
+ #include <linux/list.h>
+@@ -339,10 +340,12 @@ EXPORT_SYMBOL_GPL(of_irq_parse_raw);
+ * This function resolves an interrupt for a node by walking the interrupt tree,
+ * finding which interrupt controller node it is attached to, and returning the
+ * interrupt specifier that can be used to retrieve a Linux IRQ number.
++ *
++ * Note: refcount of node @out_irq->np is increased by 1 on success.
+ */
+ int of_irq_parse_one(struct device_node *device, int index, struct of_phandle_args *out_irq)
+ {
+- struct device_node *p;
++ struct device_node __free(device_node) *p = NULL;
+ const __be32 *addr;
+ u32 intsize;
+ int i, res, addr_len;
+@@ -367,41 +370,33 @@ int of_irq_parse_one(struct device_node
+ /* Try the new-style interrupts-extended first */
+ res = of_parse_phandle_with_args(device, "interrupts-extended",
+ "#interrupt-cells", index, out_irq);
+- if (!res)
+- return of_irq_parse_raw(addr_buf, out_irq);
+-
+- /* Look for the interrupt parent. */
+- p = of_irq_find_parent(device);
+- if (p == NULL)
+- return -EINVAL;
+-
+- /* Get size of interrupt specifier */
+- if (of_property_read_u32(p, "#interrupt-cells", &intsize)) {
+- res = -EINVAL;
+- goto out;
+- }
+-
+- pr_debug(" parent=%pOF, intsize=%d\n", p, intsize);
++ if (!res) {
++ p = out_irq->np;
++ } else {
++ /* Look for the interrupt parent. */
++ p = of_irq_find_parent(device);
++ /* Get size of interrupt specifier */
++ if (!p || of_property_read_u32(p, "#interrupt-cells", &intsize))
++ return -EINVAL;
++
++ pr_debug(" parent=%pOF, intsize=%d\n", p, intsize);
++
++ /* Copy intspec into irq structure */
++ out_irq->np = p;
++ out_irq->args_count = intsize;
++ for (i = 0; i < intsize; i++) {
++ res = of_property_read_u32_index(device, "interrupts",
++ (index * intsize) + i,
++ out_irq->args + i);
++ if (res)
++ return res;
++ }
+
+- /* Copy intspec into irq structure */
+- out_irq->np = p;
+- out_irq->args_count = intsize;
+- for (i = 0; i < intsize; i++) {
+- res = of_property_read_u32_index(device, "interrupts",
+- (index * intsize) + i,
+- out_irq->args + i);
+- if (res)
+- goto out;
++ pr_debug(" intspec=%d\n", *out_irq->args);
+ }
+
+- pr_debug(" intspec=%d\n", *out_irq->args);
+-
+-
+ /* Check if there are any interrupt-map translations to process */
+- res = of_irq_parse_raw(addr_buf, out_irq);
+- out:
+- of_node_put(p);
+- return res;
++ return of_irq_parse_raw(addr_buf, out_irq);
+ }
+ EXPORT_SYMBOL_GPL(of_irq_parse_one);
+
--- /dev/null
+From ff93e7213d6cc8d9a7b0bc64f70ed26094e168f3 Mon Sep 17 00:00:00 2001
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+Date: Sun, 9 Feb 2025 20:58:57 +0800
+Subject: of/irq: Fix device node refcount leakage in API of_irq_parse_raw()
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+commit ff93e7213d6cc8d9a7b0bc64f70ed26094e168f3 upstream.
+
+if the node @out_irq->np got by of_irq_parse_raw() is a combo node which
+consists of both controller and nexus, namely, of_irq_parse_raw() returns
+due to condition (@ipar == @newpar), then the node's refcount was increased
+twice, hence causes refcount leakage.
+
+Fix by putting @out_irq->np refcount before returning due to the condition.
+Also add comments about refcount of node @out_irq->np got by the API.
+
+Fixes: 041284181226 ("of/irq: Allow matching of an interrupt-map local to an interrupt controller")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Link: https://lore.kernel.org/r/20250209-of_irq_fix-v2-4-93e3a2659aa7@quicinc.com
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/of/irq.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/of/irq.c
++++ b/drivers/of/irq.c
+@@ -166,6 +166,8 @@ const __be32 *of_irq_parse_imap_parent(c
+ * the specifier for each map, and then returns the translated map.
+ *
+ * Return: 0 on success and a negative number on error
++ *
++ * Note: refcount of node @out_irq->np is increased by 1 on success.
+ */
+ int of_irq_parse_raw(const __be32 *addr, struct of_phandle_args *out_irq)
+ {
+@@ -311,6 +313,12 @@ int of_irq_parse_raw(const __be32 *addr,
+ addrsize = (imap - match_array) - intsize;
+
+ if (ipar == newpar) {
++ /*
++ * We got @ipar's refcount, but the refcount was
++ * gotten again by of_irq_parse_imap_parent() via its
++ * alias @newpar.
++ */
++ of_node_put(ipar);
+ pr_debug("%pOF interrupt-map entry to self\n", ipar);
+ return 0;
+ }
--- /dev/null
+From bbf71f44aaf241d853759a71de7e7ebcdb89be3d Mon Sep 17 00:00:00 2001
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+Date: Sun, 9 Feb 2025 20:58:58 +0800
+Subject: of/irq: Fix device node refcount leakages in of_irq_count()
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+commit bbf71f44aaf241d853759a71de7e7ebcdb89be3d upstream.
+
+of_irq_count() invokes of_irq_parse_one() to count IRQs, and successful
+invocation of the later will get device node @irq.np refcount, but the
+former does not put the refcount before next iteration invocation, hence
+causes device node refcount leakages.
+
+Fix by putting @irq.np refcount before the next iteration invocation.
+
+Fixes: 3da5278727a8 ("of/irq: Rework of_irq_count()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Link: https://lore.kernel.org/r/20250209-of_irq_fix-v2-5-93e3a2659aa7@quicinc.com
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/of/irq.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/of/irq.c
++++ b/drivers/of/irq.c
+@@ -508,8 +508,10 @@ int of_irq_count(struct device_node *dev
+ struct of_phandle_args irq;
+ int nr = 0;
+
+- while (of_irq_parse_one(dev, nr, &irq) == 0)
++ while (of_irq_parse_one(dev, nr, &irq) == 0) {
++ of_node_put(irq.np);
+ nr++;
++ }
+
+ return nr;
+ }
--- /dev/null
+From 708124d9e6e7ac5ebf927830760679136b23fdf0 Mon Sep 17 00:00:00 2001
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+Date: Sun, 9 Feb 2025 20:59:00 +0800
+Subject: of/irq: Fix device node refcount leakages in of_irq_init()
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+commit 708124d9e6e7ac5ebf927830760679136b23fdf0 upstream.
+
+of_irq_init() will leak interrupt controller device node refcounts
+in two places as explained below:
+
+1) Leak refcounts of both @desc->dev and @desc->interrupt_parent when
+ suffers @desc->irq_init_cb() failure.
+2) Leak refcount of @desc->interrupt_parent when cleans up list
+ @intc_desc_list in the end.
+
+Refcounts of both @desc->dev and @desc->interrupt_parent were got in
+the first loop, but of_irq_init() does not put them before kfree(@desc)
+in places mentioned above, so causes refcount leakages.
+
+Fix by putting refcounts involved before kfree(@desc).
+
+Fixes: 8363ccb917c6 ("of/irq: add missing of_node_put")
+Fixes: c71a54b08201 ("of/irq: introduce of_irq_init")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Link: https://lore.kernel.org/r/20250209-of_irq_fix-v2-7-93e3a2659aa7@quicinc.com
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/of/irq.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/of/irq.c
++++ b/drivers/of/irq.c
+@@ -632,6 +632,8 @@ void __init of_irq_init(const struct of_
+ __func__, desc->dev, desc->dev,
+ desc->interrupt_parent);
+ of_node_clear_flag(desc->dev, OF_POPULATED);
++ of_node_put(desc->interrupt_parent);
++ of_node_put(desc->dev);
+ kfree(desc);
+ continue;
+ }
+@@ -662,6 +664,7 @@ void __init of_irq_init(const struct of_
+ err:
+ list_for_each_entry_safe(desc, temp_desc, &intc_desc_list, list) {
+ list_del(&desc->list);
++ of_node_put(desc->interrupt_parent);
+ of_node_put(desc->dev);
+ kfree(desc);
+ }
--- /dev/null
+From 2df181e1aea4628a8fd257f866026625d0519627 Mon Sep 17 00:00:00 2001
+From: Stanimir Varbanov <svarbanov@suse.de>
+Date: Thu, 23 Jan 2025 00:29:55 +0200
+Subject: PCI: brcmstb: Fix missing of_node_put() in brcm_pcie_probe()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Stanimir Varbanov <svarbanov@suse.de>
+
+commit 2df181e1aea4628a8fd257f866026625d0519627 upstream.
+
+A call to of_parse_phandle() is incrementing the refcount, and as such,
+the of_node_put() must be called when the reference is no longer needed.
+
+Thus, refactor the existing code and add a missing of_node_put() call
+following the check to ensure that "msi_np" matches "pcie->np" and after
+MSI initialization, but only if the MSI support is enabled system-wide.
+
+Cc: stable@vger.kernel.org # v5.10+
+Fixes: 40ca1bf580ef ("PCI: brcmstb: Add MSI support")
+Signed-off-by: Stanimir Varbanov <svarbanov@suse.de>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Link: https://lore.kernel.org/r/20250122222955.1752778-1-svarbanov@suse.de
+[kwilczynski: commit log]
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/controller/pcie-brcmstb.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/drivers/pci/controller/pcie-brcmstb.c
++++ b/drivers/pci/controller/pcie-brcmstb.c
+@@ -1786,7 +1786,7 @@ static struct pci_ops brcm7425_pcie_ops
+
+ static int brcm_pcie_probe(struct platform_device *pdev)
+ {
+- struct device_node *np = pdev->dev.of_node, *msi_np;
++ struct device_node *np = pdev->dev.of_node;
+ struct pci_host_bridge *bridge;
+ const struct pcie_cfg_data *data;
+ struct brcm_pcie *pcie;
+@@ -1890,9 +1890,14 @@ static int brcm_pcie_probe(struct platfo
+ goto fail;
+ }
+
+- msi_np = of_parse_phandle(pcie->np, "msi-parent", 0);
+- if (pci_msi_enabled() && msi_np == pcie->np) {
+- ret = brcm_pcie_enable_msi(pcie);
++ if (pci_msi_enabled()) {
++ struct device_node *msi_np = of_parse_phandle(pcie->np, "msi-parent", 0);
++
++ if (msi_np == pcie->np)
++ ret = brcm_pcie_enable_msi(pcie);
++
++ of_node_put(msi_np);
++
+ if (ret) {
+ dev_err(pcie->dev, "probe of internal MSI failed");
+ goto fail;
--- /dev/null
+From 1f2768b6a3ee77a295106e3a5d68458064923ede Mon Sep 17 00:00:00 2001
+From: Ma Ke <make24@iscas.ac.cn>
+Date: Sun, 2 Feb 2025 14:23:57 +0800
+Subject: PCI: Fix reference leak in pci_alloc_child_bus()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ma Ke <make24@iscas.ac.cn>
+
+commit 1f2768b6a3ee77a295106e3a5d68458064923ede upstream.
+
+If device_register(&child->dev) fails, call put_device() to explicitly
+release child->dev, per the comment at device_register().
+
+Found by code review.
+
+Link: https://lore.kernel.org/r/20250202062357.872971-1-make24@iscas.ac.cn
+Fixes: 4f535093cf8f ("PCI: Put pci_dev in device tree as early as possible")
+Signed-off-by: Ma Ke <make24@iscas.ac.cn>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/probe.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -1173,7 +1173,10 @@ static struct pci_bus *pci_alloc_child_b
+ add_dev:
+ pci_set_bus_msi_domain(child);
+ ret = device_register(&child->dev);
+- WARN_ON(ret < 0);
++ if (WARN_ON(ret < 0)) {
++ put_device(&child->dev);
++ return NULL;
++ }
+
+ pcibios_add_bus(child);
+
--- /dev/null
+From 804443c1f27883926de94c849d91f5b7d7d696e9 Mon Sep 17 00:00:00 2001
+From: Ma Ke <make24@iscas.ac.cn>
+Date: Tue, 25 Feb 2025 10:14:40 +0800
+Subject: PCI: Fix reference leak in pci_register_host_bridge()
+
+From: Ma Ke <make24@iscas.ac.cn>
+
+commit 804443c1f27883926de94c849d91f5b7d7d696e9 upstream.
+
+If device_register() fails, call put_device() to give up the reference to
+avoid a memory leak, per the comment at device_register().
+
+Found by code review.
+
+Link: https://lore.kernel.org/r/20250225021440.3130264-1-make24@iscas.ac.cn
+Fixes: 37d6a0a6f470 ("PCI: Add pci_register_host_bridge() interface")
+Signed-off-by: Ma Ke <make24@iscas.ac.cn>
+[bhelgaas: squash Dan Carpenter's double free fix from
+https://lore.kernel.org/r/db806a6c-a91b-4e5a-a84b-6b7e01bdac85@stanley.mountain]
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/probe.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -910,6 +910,7 @@ static int pci_register_host_bridge(stru
+ resource_size_t offset, next_offset;
+ LIST_HEAD(resources);
+ struct resource *res, *next_res;
++ bool bus_registered = false;
+ char addr[64], *fmt;
+ const char *name;
+ int err;
+@@ -973,6 +974,7 @@ static int pci_register_host_bridge(stru
+ name = dev_name(&bus->dev);
+
+ err = device_register(&bus->dev);
++ bus_registered = true;
+ if (err)
+ goto unregister;
+
+@@ -1059,12 +1061,15 @@ static int pci_register_host_bridge(stru
+ unregister:
+ put_device(&bridge->dev);
+ device_del(&bridge->dev);
+-
+ free:
+ #ifdef CONFIG_PCI_DOMAINS_GENERIC
+ pci_bus_release_domain_nr(parent, bus->domain_nr);
+ #endif
+- kfree(bus);
++ if (bus_registered)
++ put_device(&bus->dev);
++ else
++ kfree(bus);
++
+ return err;
+ }
+
--- /dev/null
+From f09d3937d400433080d17982bd1a540da53a156d Mon Sep 17 00:00:00 2001
+From: Philipp Stanner <phasta@kernel.org>
+Date: Wed, 12 Mar 2025 09:06:34 +0100
+Subject: PCI: Fix wrong length of devres array
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Philipp Stanner <phasta@kernel.org>
+
+commit f09d3937d400433080d17982bd1a540da53a156d upstream.
+
+The array for the iomapping cookie addresses has a length of
+PCI_STD_NUM_BARS. This constant, however, only describes standard BARs;
+while PCI can allow for additional, special BARs.
+
+The total number of PCI resources is described by constant
+PCI_NUM_RESOURCES, which is also used in, e.g., pci_select_bars().
+
+Thus, the devres array has so far been too small.
+
+Change the length of the devres array to PCI_NUM_RESOURCES.
+
+Link: https://lore.kernel.org/r/20250312080634.13731-3-phasta@kernel.org
+Fixes: bbaff68bf4a4 ("PCI: Add managed partial-BAR request and map infrastructure")
+Signed-off-by: Philipp Stanner <phasta@kernel.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Cc: stable@vger.kernel.org # v6.11+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/devres.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pci/devres.c
++++ b/drivers/pci/devres.c
+@@ -40,7 +40,7 @@
+ * Legacy struct storing addresses to whole mapped BARs.
+ */
+ struct pcim_iomap_devres {
+- void __iomem *table[PCI_STD_NUM_BARS];
++ void __iomem *table[PCI_NUM_RESOURCES];
+ };
+
+ /* Used to restore the old INTx state on driver detach. */
--- /dev/null
+From d66b5b336245b91681c2042e7eedf63ef7c2f6db Mon Sep 17 00:00:00 2001
+From: Siddharth Vadapalli <s-vadapalli@ti.com>
+Date: Wed, 5 Mar 2025 18:50:18 +0530
+Subject: PCI: j721e: Fix the value of .linkdown_irq_regfield for J784S4
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Siddharth Vadapalli <s-vadapalli@ti.com>
+
+commit d66b5b336245b91681c2042e7eedf63ef7c2f6db upstream.
+
+Commit e49ad667815d ("PCI: j721e: Add TI J784S4 PCIe configuration")
+assigned the value of .linkdown_irq_regfield for the J784S4 SoC as the
+"LINK_DOWN" macro corresponding to BIT(1), and as a result, the Link
+Down interrupts on J784S4 SoC are missed.
+
+According to the Technical Reference Manual and Register Documentation
+for the J784S4 SoC[1], BIT(1) corresponds to "ENABLE_SYS_EN_PCIE_DPA_1",
+which is not the correct field for the link-state interrupt. Instead, it
+is BIT(10) of the "PCIE_INTD_ENABLE_REG_SYS_2" register that corresponds
+to the link-state field named as "ENABLE_SYS_EN_PCIE_LINK_STATE".
+
+Thus, set .linkdown_irq_regfield to the macro "J7200_LINK_DOWN", which
+expands to BIT(10) and was first defined for the J7200 SoC. Other SoCs
+already reuse this macro since it accurately represents the "link-state"
+field in their respective "PCIE_INTD_ENABLE_REG_SYS_2" register.
+
+1: https://www.ti.com/lit/zip/spruj52
+
+Fixes: e49ad667815d ("PCI: j721e: Add TI J784S4 PCIe configuration")
+Cc: stable@vger.kernel.org
+Signed-off-by: Siddharth Vadapalli <s-vadapalli@ti.com>
+[kwilczynski: commit log, add a missing .linkdown_irq_regfield member
+set to the J7200_LINK_DOWN macro to struct j7200_pcie_ep_data]
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Link: https://lore.kernel.org/r/20250305132018.2260771-1-s-vadapalli@ti.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/controller/cadence/pci-j721e.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/pci/controller/cadence/pci-j721e.c
++++ b/drivers/pci/controller/cadence/pci-j721e.c
+@@ -355,6 +355,7 @@ static const struct j721e_pcie_data j720
+ static const struct j721e_pcie_data j7200_pcie_ep_data = {
+ .mode = PCI_MODE_EP,
+ .quirk_detect_quiet_flag = true,
++ .linkdown_irq_regfield = J7200_LINK_DOWN,
+ .quirk_disable_flr = true,
+ .max_lanes = 2,
+ };
+@@ -376,13 +377,13 @@ static const struct j721e_pcie_data j784
+ .mode = PCI_MODE_RC,
+ .quirk_retrain_flag = true,
+ .byte_access_allowed = false,
+- .linkdown_irq_regfield = LINK_DOWN,
++ .linkdown_irq_regfield = J7200_LINK_DOWN,
+ .max_lanes = 4,
+ };
+
+ static const struct j721e_pcie_data j784s4_pcie_ep_data = {
+ .mode = PCI_MODE_EP,
+- .linkdown_irq_regfield = LINK_DOWN,
++ .linkdown_irq_regfield = J7200_LINK_DOWN,
+ .max_lanes = 4,
+ };
+
--- /dev/null
+From e3260237aaadc9799107ccb940c6688195c4518d Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Tue, 11 Mar 2025 07:27:32 +0100
+Subject: PCI: pciehp: Avoid unnecessary device replacement check
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit e3260237aaadc9799107ccb940c6688195c4518d upstream.
+
+Hot-removal of nested PCI hotplug ports suffers from a long-standing race
+condition which can lead to a deadlock: A parent hotplug port acquires
+pci_lock_rescan_remove(), then waits for pciehp to unbind from a child
+hotplug port. Meanwhile that child hotplug port tries to acquire
+pci_lock_rescan_remove() as well in order to remove its own children.
+
+The deadlock only occurs if the parent acquires pci_lock_rescan_remove()
+first, not if the child happens to acquire it first.
+
+Several workarounds to avoid the issue have been proposed and discarded
+over the years, e.g.:
+
+https://lore.kernel.org/r/4c882e25194ba8282b78fe963fec8faae7cf23eb.1529173804.git.lukas@wunner.de/
+
+A proper fix is being worked on, but needs more time as it is nontrivial
+and necessarily intrusive.
+
+Recent commit 9d573d19547b ("PCI: pciehp: Detect device replacement during
+system sleep") provokes more frequent occurrence of the deadlock when
+removing more than one Thunderbolt device during system sleep. The commit
+sought to detect device replacement, but also triggered on device removal.
+Differentiating reliably between replacement and removal is impossible
+because pci_get_dsn() returns 0 both if the device was removed, as well as
+if it was replaced with one lacking a Device Serial Number.
+
+Avoid the more frequent occurrence of the deadlock by checking whether the
+hotplug port itself was hot-removed. If so, there's no sense in checking
+whether its child device was replaced.
+
+This works because the ->resume_noirq() callback is invoked in top-down
+order for the entire hierarchy: A parent hotplug port detecting device
+replacement (or removal) marks all children as removed using
+pci_dev_set_disconnected() and a child hotplug port can then reliably
+detect being removed.
+
+Link: https://lore.kernel.org/r/02f166e24c87d6cde4085865cce9adfdfd969688.1741674172.git.lukas@wunner.de
+Fixes: 9d573d19547b ("PCI: pciehp: Detect device replacement during system sleep")
+Reported-by: Kenneth Crudup <kenny@panix.com>
+Closes: https://lore.kernel.org/r/83d9302a-f743-43e4-9de2-2dd66d91ab5b@panix.com/
+Reported-by: Chia-Lin Kao (AceLan) <acelan.kao@canonical.com>
+Closes: https://lore.kernel.org/r/20240926125909.2362244-1-acelan.kao@canonical.com/
+Tested-by: Kenneth Crudup <kenny@panix.com>
+Tested-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
+Cc: stable@vger.kernel.org # v6.11+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/hotplug/pciehp_core.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/pci/hotplug/pciehp_core.c
++++ b/drivers/pci/hotplug/pciehp_core.c
+@@ -286,9 +286,12 @@ static int pciehp_suspend(struct pcie_de
+
+ static bool pciehp_device_replaced(struct controller *ctrl)
+ {
+- struct pci_dev *pdev __free(pci_dev_put);
++ struct pci_dev *pdev __free(pci_dev_put) = NULL;
+ u32 reg;
+
++ if (pci_dev_is_disconnected(ctrl->pcie->port))
++ return false;
++
+ pdev = pci_get_slot(ctrl->pcie->port->subordinate, PCI_DEVFN(0, 0));
+ if (!pdev)
+ return true;
--- /dev/null
+From aecb63e88c5e5fb9afb782a1577264c76f179af9 Mon Sep 17 00:00:00 2001
+From: Stefan Eichenberger <stefan.eichenberger@toradex.com>
+Date: Wed, 5 Mar 2025 15:43:16 +0100
+Subject: phy: freescale: imx8m-pcie: assert phy reset and perst in power off
+
+From: Stefan Eichenberger <stefan.eichenberger@toradex.com>
+
+commit aecb63e88c5e5fb9afb782a1577264c76f179af9 upstream.
+
+Ensure the PHY reset and perst is asserted during power-off to
+guarantee it is in a reset state upon repeated power-on calls. This
+resolves an issue where the PHY may not properly initialize during
+subsequent power-on cycles. Power-on will deassert the reset at the
+appropriate time after tuning the PHY parameters.
+
+During suspend/resume cycles, we observed that the PHY PLL failed to
+lock during resume when the CPU temperature increased from 65C to 75C.
+The observed errors were:
+ phy phy-32f00000.pcie-phy.3: phy poweron failed --> -110
+ imx6q-pcie 33800000.pcie: waiting for PHY ready timeout!
+ imx6q-pcie 33800000.pcie: PM: dpm_run_callback(): genpd_resume_noirq+0x0/0x80 returns -110
+ imx6q-pcie 33800000.pcie: PM: failed to resume noirq: error -110
+
+This resulted in a complete CPU freeze, which is resolved by ensuring
+the PHY is in reset during power-on, thus preventing PHY PLL failures.
+
+Cc: stable@vger.kernel.org
+Fixes: 1aa97b002258 ("phy: freescale: pcie: Initialize the imx8 pcie standalone phy driver")
+Signed-off-by: Stefan Eichenberger <stefan.eichenberger@toradex.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Link: https://lore.kernel.org/r/20250305144355.20364-3-eichest@gmail.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/phy/freescale/phy-fsl-imx8m-pcie.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/phy/freescale/phy-fsl-imx8m-pcie.c
++++ b/drivers/phy/freescale/phy-fsl-imx8m-pcie.c
+@@ -162,6 +162,16 @@ static int imx8_pcie_phy_power_on(struct
+ return ret;
+ }
+
++static int imx8_pcie_phy_power_off(struct phy *phy)
++{
++ struct imx8_pcie_phy *imx8_phy = phy_get_drvdata(phy);
++
++ reset_control_assert(imx8_phy->reset);
++ reset_control_assert(imx8_phy->perst);
++
++ return 0;
++}
++
+ static int imx8_pcie_phy_init(struct phy *phy)
+ {
+ struct imx8_pcie_phy *imx8_phy = phy_get_drvdata(phy);
+@@ -182,6 +192,7 @@ static const struct phy_ops imx8_pcie_ph
+ .init = imx8_pcie_phy_init,
+ .exit = imx8_pcie_phy_exit,
+ .power_on = imx8_pcie_phy_power_on,
++ .power_off = imx8_pcie_phy_power_off,
+ .owner = THIS_MODULE,
+ };
+
--- /dev/null
+From e225128c3f8be879e7d4eb71a25949e188b420ae Mon Sep 17 00:00:00 2001
+From: Stephan Gerhold <stephan.gerhold@linaro.org>
+Date: Wed, 12 Mar 2025 14:19:27 +0100
+Subject: pinctrl: qcom: Clear latched interrupt status when changing IRQ type
+
+From: Stephan Gerhold <stephan.gerhold@linaro.org>
+
+commit e225128c3f8be879e7d4eb71a25949e188b420ae upstream.
+
+When submitting the TLMM test driver, Bjorn reported that some of the test
+cases are failing for GPIOs that not are backed by PDC (i.e. "non-wakeup"
+GPIOs that are handled directly in pinctrl-msm). Basically, lingering
+latched interrupt state is still being delivered at IRQ request time, e.g.:
+
+ ok 1 tlmm_test_silent_rising
+ tlmm_test_silent_falling: ASSERTION FAILED at drivers/pinctrl/qcom/tlmm-test.c:178
+ Expected atomic_read(&priv->intr_count) == 0, but
+ atomic_read(&priv->intr_count) == 1 (0x1)
+ not ok 2 tlmm_test_silent_falling
+ tlmm_test_silent_low: ASSERTION FAILED at drivers/pinctrl/qcom/tlmm-test.c:178
+ Expected atomic_read(&priv->intr_count) == 0, but
+ atomic_read(&priv->intr_count) == 1 (0x1)
+ not ok 3 tlmm_test_silent_low
+ ok 4 tlmm_test_silent_high
+
+Whether to report interrupts that came in while the IRQ was unclaimed
+doesn't seem to be well-defined in the Linux IRQ API. However, looking
+closer at these specific cases, we're actually reporting events that do not
+match the interrupt type requested by the driver:
+
+ 1. After "ok 1 tlmm_test_silent_rising", the GPIO is in low state and
+ configured for IRQF_TRIGGER_RISING.
+
+ 2. (a) In preparation for "tlmm_test_silent_falling", the GPIO is switched
+ to high state. The rising interrupt gets latched.
+ (b) The GPIO is re-configured for IRQF_TRIGGER_FALLING, but the latched
+ interrupt isn't cleared.
+ (c) The IRQ handler is called for the latched interrupt, but there
+ wasn't any falling edge.
+
+ 3. (a) For "tlmm_test_silent_low", the GPIO remains in high state.
+ (b) The GPIO is re-configured for IRQF_TRIGGER_LOW. This seems to
+ result in a phantom interrupt that gets latched.
+ (c) The IRQ handler is called for the latched interrupt, but the GPIO
+ isn't in low state.
+
+ 4. (a) For "tlmm_test_silent_high", the GPIO is switched to low state.
+ (b) This doesn't result in a latched interrupt, because RAW_STATUS_EN
+ was cleared when masking the level-triggered interrupt.
+
+Fix this by clearing the interrupt state whenever making any changes to the
+interrupt configuration. This includes previously disabled interrupts, but
+also any changes to interrupt polarity or detection type.
+
+With this change, all 16 test cases are now passing for the non-wakeup
+GPIOs in the TLMM.
+
+Cc: stable@vger.kernel.org
+Fixes: cf9d052aa600 ("pinctrl: qcom: Don't clear pending interrupts when enabling")
+Reported-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+Closes: https://lore.kernel.org/r/20250227-tlmm-test-v1-1-d18877b4a5db@oss.qualcomm.com/
+Signed-off-by: Stephan Gerhold <stephan.gerhold@linaro.org>
+Tested-by: Bjorn Andersson <andersson@kernel.org>
+Reviewed-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/20250312-pinctrl-msm-type-latch-v1-1-ce87c561d3d7@linaro.org
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/qcom/pinctrl-msm.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/pinctrl/qcom/pinctrl-msm.c
++++ b/drivers/pinctrl/qcom/pinctrl-msm.c
+@@ -1044,8 +1044,7 @@ static int msm_gpio_irq_set_type(struct
+ const struct msm_pingroup *g;
+ u32 intr_target_mask = GENMASK(2, 0);
+ unsigned long flags;
+- bool was_enabled;
+- u32 val;
++ u32 val, oldval;
+
+ if (msm_gpio_needs_dual_edge_parent_workaround(d, type)) {
+ set_bit(d->hwirq, pctrl->dual_edge_irqs);
+@@ -1107,8 +1106,7 @@ static int msm_gpio_irq_set_type(struct
+ * internal circuitry of TLMM, toggling the RAW_STATUS
+ * could cause the INTR_STATUS to be set for EDGE interrupts.
+ */
+- val = msm_readl_intr_cfg(pctrl, g);
+- was_enabled = val & BIT(g->intr_raw_status_bit);
++ val = oldval = msm_readl_intr_cfg(pctrl, g);
+ val |= BIT(g->intr_raw_status_bit);
+ if (g->intr_detection_width == 2) {
+ val &= ~(3 << g->intr_detection_bit);
+@@ -1161,9 +1159,11 @@ static int msm_gpio_irq_set_type(struct
+ /*
+ * The first time we set RAW_STATUS_EN it could trigger an interrupt.
+ * Clear the interrupt. This is safe because we have
+- * IRQCHIP_SET_TYPE_MASKED.
++ * IRQCHIP_SET_TYPE_MASKED. When changing the interrupt type, we could
++ * also still have a non-matching interrupt latched, so clear whenever
++ * making changes to the interrupt configuration.
+ */
+- if (!was_enabled)
++ if (val != oldval)
+ msm_ack_intr_status(pctrl, g);
+
+ if (test_bit(d->hwirq, pctrl->dual_edge_irqs))
--- /dev/null
+From 701d0e910955627734917c3587258aa7e73068bb Mon Sep 17 00:00:00 2001
+From: Peter Griffin <peter.griffin@linaro.org>
+Date: Fri, 7 Mar 2025 10:29:05 +0000
+Subject: pinctrl: samsung: add support for eint_fltcon_offset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Peter Griffin <peter.griffin@linaro.org>
+
+commit 701d0e910955627734917c3587258aa7e73068bb upstream.
+
+On gs101 SoC the fltcon0 (filter configuration 0) offset isn't at a
+fixed offset like previous SoCs as the fltcon1 register only exists when
+there are more than 4 pins in the bank.
+
+Add a eint_fltcon_offset and new GS101_PIN_BANK_EINT* macros that take
+an additional fltcon_offs variable.
+
+This can then be used in suspend/resume callbacks to save and restore
+the fltcon0 and fltcon1 registers.
+
+Fixes: 4a8be01a1a7a ("pinctrl: samsung: Add gs101 SoC pinctrl configuration")
+Cc: stable@vger.kernel.org
+Reviewed-by: André Draszik <andre.draszik@linaro.org>
+Signed-off-by: Peter Griffin <peter.griffin@linaro.org>
+Link: https://lore.kernel.org/r/20250307-pinctrl-fltcon-suspend-v4-1-2d775e486036@linaro.org
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/samsung/pinctrl-exynos-arm64.c | 98 ++++++++++++-------------
+ drivers/pinctrl/samsung/pinctrl-exynos.h | 22 +++++
+ drivers/pinctrl/samsung/pinctrl-samsung.c | 1
+ drivers/pinctrl/samsung/pinctrl-samsung.h | 4 +
+ 4 files changed, 76 insertions(+), 49 deletions(-)
+
+--- a/drivers/pinctrl/samsung/pinctrl-exynos-arm64.c
++++ b/drivers/pinctrl/samsung/pinctrl-exynos-arm64.c
+@@ -1370,83 +1370,83 @@ const struct samsung_pinctrl_of_match_da
+
+ /* pin banks of gs101 pin-controller (ALIVE) */
+ static const struct samsung_pin_bank_data gs101_pin_alive[] = {
+- EXYNOS850_PIN_BANK_EINTW(8, 0x0, "gpa0", 0x00),
+- EXYNOS850_PIN_BANK_EINTW(7, 0x20, "gpa1", 0x04),
+- EXYNOS850_PIN_BANK_EINTW(5, 0x40, "gpa2", 0x08),
+- EXYNOS850_PIN_BANK_EINTW(4, 0x60, "gpa3", 0x0c),
+- EXYNOS850_PIN_BANK_EINTW(4, 0x80, "gpa4", 0x10),
+- EXYNOS850_PIN_BANK_EINTW(7, 0xa0, "gpa5", 0x14),
+- EXYNOS850_PIN_BANK_EINTW(8, 0xc0, "gpa9", 0x18),
+- EXYNOS850_PIN_BANK_EINTW(2, 0xe0, "gpa10", 0x1c),
++ GS101_PIN_BANK_EINTW(8, 0x0, "gpa0", 0x00, 0x00),
++ GS101_PIN_BANK_EINTW(7, 0x20, "gpa1", 0x04, 0x08),
++ GS101_PIN_BANK_EINTW(5, 0x40, "gpa2", 0x08, 0x10),
++ GS101_PIN_BANK_EINTW(4, 0x60, "gpa3", 0x0c, 0x18),
++ GS101_PIN_BANK_EINTW(4, 0x80, "gpa4", 0x10, 0x1c),
++ GS101_PIN_BANK_EINTW(7, 0xa0, "gpa5", 0x14, 0x20),
++ GS101_PIN_BANK_EINTW(8, 0xc0, "gpa9", 0x18, 0x28),
++ GS101_PIN_BANK_EINTW(2, 0xe0, "gpa10", 0x1c, 0x30),
+ };
+
+ /* pin banks of gs101 pin-controller (FAR_ALIVE) */
+ static const struct samsung_pin_bank_data gs101_pin_far_alive[] = {
+- EXYNOS850_PIN_BANK_EINTW(8, 0x0, "gpa6", 0x00),
+- EXYNOS850_PIN_BANK_EINTW(4, 0x20, "gpa7", 0x04),
+- EXYNOS850_PIN_BANK_EINTW(8, 0x40, "gpa8", 0x08),
+- EXYNOS850_PIN_BANK_EINTW(2, 0x60, "gpa11", 0x0c),
++ GS101_PIN_BANK_EINTW(8, 0x0, "gpa6", 0x00, 0x00),
++ GS101_PIN_BANK_EINTW(4, 0x20, "gpa7", 0x04, 0x08),
++ GS101_PIN_BANK_EINTW(8, 0x40, "gpa8", 0x08, 0x0c),
++ GS101_PIN_BANK_EINTW(2, 0x60, "gpa11", 0x0c, 0x14),
+ };
+
+ /* pin banks of gs101 pin-controller (GSACORE) */
+ static const struct samsung_pin_bank_data gs101_pin_gsacore[] = {
+- EXYNOS850_PIN_BANK_EINTG(2, 0x0, "gps0", 0x00),
+- EXYNOS850_PIN_BANK_EINTG(8, 0x20, "gps1", 0x04),
+- EXYNOS850_PIN_BANK_EINTG(3, 0x40, "gps2", 0x08),
++ GS101_PIN_BANK_EINTG(2, 0x0, "gps0", 0x00, 0x00),
++ GS101_PIN_BANK_EINTG(8, 0x20, "gps1", 0x04, 0x04),
++ GS101_PIN_BANK_EINTG(3, 0x40, "gps2", 0x08, 0x0c),
+ };
+
+ /* pin banks of gs101 pin-controller (GSACTRL) */
+ static const struct samsung_pin_bank_data gs101_pin_gsactrl[] = {
+- EXYNOS850_PIN_BANK_EINTW(6, 0x0, "gps3", 0x00),
++ GS101_PIN_BANK_EINTW(6, 0x0, "gps3", 0x00, 0x00),
+ };
+
+ /* pin banks of gs101 pin-controller (PERIC0) */
+ static const struct samsung_pin_bank_data gs101_pin_peric0[] = {
+- EXYNOS850_PIN_BANK_EINTG(5, 0x0, "gpp0", 0x00),
+- EXYNOS850_PIN_BANK_EINTG(4, 0x20, "gpp1", 0x04),
+- EXYNOS850_PIN_BANK_EINTG(4, 0x40, "gpp2", 0x08),
+- EXYNOS850_PIN_BANK_EINTG(2, 0x60, "gpp3", 0x0c),
+- EXYNOS850_PIN_BANK_EINTG(4, 0x80, "gpp4", 0x10),
+- EXYNOS850_PIN_BANK_EINTG(2, 0xa0, "gpp5", 0x14),
+- EXYNOS850_PIN_BANK_EINTG(4, 0xc0, "gpp6", 0x18),
+- EXYNOS850_PIN_BANK_EINTG(2, 0xe0, "gpp7", 0x1c),
+- EXYNOS850_PIN_BANK_EINTG(4, 0x100, "gpp8", 0x20),
+- EXYNOS850_PIN_BANK_EINTG(2, 0x120, "gpp9", 0x24),
+- EXYNOS850_PIN_BANK_EINTG(4, 0x140, "gpp10", 0x28),
+- EXYNOS850_PIN_BANK_EINTG(2, 0x160, "gpp11", 0x2c),
+- EXYNOS850_PIN_BANK_EINTG(4, 0x180, "gpp12", 0x30),
+- EXYNOS850_PIN_BANK_EINTG(2, 0x1a0, "gpp13", 0x34),
+- EXYNOS850_PIN_BANK_EINTG(4, 0x1c0, "gpp14", 0x38),
+- EXYNOS850_PIN_BANK_EINTG(2, 0x1e0, "gpp15", 0x3c),
+- EXYNOS850_PIN_BANK_EINTG(4, 0x200, "gpp16", 0x40),
+- EXYNOS850_PIN_BANK_EINTG(2, 0x220, "gpp17", 0x44),
+- EXYNOS850_PIN_BANK_EINTG(4, 0x240, "gpp18", 0x48),
+- EXYNOS850_PIN_BANK_EINTG(4, 0x260, "gpp19", 0x4c),
++ GS101_PIN_BANK_EINTG(5, 0x0, "gpp0", 0x00, 0x00),
++ GS101_PIN_BANK_EINTG(4, 0x20, "gpp1", 0x04, 0x08),
++ GS101_PIN_BANK_EINTG(4, 0x40, "gpp2", 0x08, 0x0c),
++ GS101_PIN_BANK_EINTG(2, 0x60, "gpp3", 0x0c, 0x10),
++ GS101_PIN_BANK_EINTG(4, 0x80, "gpp4", 0x10, 0x14),
++ GS101_PIN_BANK_EINTG(2, 0xa0, "gpp5", 0x14, 0x18),
++ GS101_PIN_BANK_EINTG(4, 0xc0, "gpp6", 0x18, 0x1c),
++ GS101_PIN_BANK_EINTG(2, 0xe0, "gpp7", 0x1c, 0x20),
++ GS101_PIN_BANK_EINTG(4, 0x100, "gpp8", 0x20, 0x24),
++ GS101_PIN_BANK_EINTG(2, 0x120, "gpp9", 0x24, 0x28),
++ GS101_PIN_BANK_EINTG(4, 0x140, "gpp10", 0x28, 0x2c),
++ GS101_PIN_BANK_EINTG(2, 0x160, "gpp11", 0x2c, 0x30),
++ GS101_PIN_BANK_EINTG(4, 0x180, "gpp12", 0x30, 0x34),
++ GS101_PIN_BANK_EINTG(2, 0x1a0, "gpp13", 0x34, 0x38),
++ GS101_PIN_BANK_EINTG(4, 0x1c0, "gpp14", 0x38, 0x3c),
++ GS101_PIN_BANK_EINTG(2, 0x1e0, "gpp15", 0x3c, 0x40),
++ GS101_PIN_BANK_EINTG(4, 0x200, "gpp16", 0x40, 0x44),
++ GS101_PIN_BANK_EINTG(2, 0x220, "gpp17", 0x44, 0x48),
++ GS101_PIN_BANK_EINTG(4, 0x240, "gpp18", 0x48, 0x4c),
++ GS101_PIN_BANK_EINTG(4, 0x260, "gpp19", 0x4c, 0x50),
+ };
+
+ /* pin banks of gs101 pin-controller (PERIC1) */
+ static const struct samsung_pin_bank_data gs101_pin_peric1[] = {
+- EXYNOS850_PIN_BANK_EINTG(8, 0x0, "gpp20", 0x00),
+- EXYNOS850_PIN_BANK_EINTG(4, 0x20, "gpp21", 0x04),
+- EXYNOS850_PIN_BANK_EINTG(2, 0x40, "gpp22", 0x08),
+- EXYNOS850_PIN_BANK_EINTG(8, 0x60, "gpp23", 0x0c),
+- EXYNOS850_PIN_BANK_EINTG(4, 0x80, "gpp24", 0x10),
+- EXYNOS850_PIN_BANK_EINTG(4, 0xa0, "gpp25", 0x14),
+- EXYNOS850_PIN_BANK_EINTG(5, 0xc0, "gpp26", 0x18),
+- EXYNOS850_PIN_BANK_EINTG(4, 0xe0, "gpp27", 0x1c),
++ GS101_PIN_BANK_EINTG(8, 0x0, "gpp20", 0x00, 0x00),
++ GS101_PIN_BANK_EINTG(4, 0x20, "gpp21", 0x04, 0x08),
++ GS101_PIN_BANK_EINTG(2, 0x40, "gpp22", 0x08, 0x0c),
++ GS101_PIN_BANK_EINTG(8, 0x60, "gpp23", 0x0c, 0x10),
++ GS101_PIN_BANK_EINTG(4, 0x80, "gpp24", 0x10, 0x18),
++ GS101_PIN_BANK_EINTG(4, 0xa0, "gpp25", 0x14, 0x1c),
++ GS101_PIN_BANK_EINTG(5, 0xc0, "gpp26", 0x18, 0x20),
++ GS101_PIN_BANK_EINTG(4, 0xe0, "gpp27", 0x1c, 0x28),
+ };
+
+ /* pin banks of gs101 pin-controller (HSI1) */
+ static const struct samsung_pin_bank_data gs101_pin_hsi1[] = {
+- EXYNOS850_PIN_BANK_EINTG(6, 0x0, "gph0", 0x00),
+- EXYNOS850_PIN_BANK_EINTG(7, 0x20, "gph1", 0x04),
++ GS101_PIN_BANK_EINTG(6, 0x0, "gph0", 0x00, 0x00),
++ GS101_PIN_BANK_EINTG(7, 0x20, "gph1", 0x04, 0x08),
+ };
+
+ /* pin banks of gs101 pin-controller (HSI2) */
+ static const struct samsung_pin_bank_data gs101_pin_hsi2[] = {
+- EXYNOS850_PIN_BANK_EINTG(6, 0x0, "gph2", 0x00),
+- EXYNOS850_PIN_BANK_EINTG(2, 0x20, "gph3", 0x04),
+- EXYNOS850_PIN_BANK_EINTG(6, 0x40, "gph4", 0x08),
++ GS101_PIN_BANK_EINTG(6, 0x0, "gph2", 0x00, 0x00),
++ GS101_PIN_BANK_EINTG(2, 0x20, "gph3", 0x04, 0x08),
++ GS101_PIN_BANK_EINTG(6, 0x40, "gph4", 0x08, 0x0c),
+ };
+
+ static const struct samsung_pin_ctrl gs101_pin_ctrl[] __initconst = {
+--- a/drivers/pinctrl/samsung/pinctrl-exynos.h
++++ b/drivers/pinctrl/samsung/pinctrl-exynos.h
+@@ -175,6 +175,28 @@
+ .name = id \
+ }
+
++#define GS101_PIN_BANK_EINTG(pins, reg, id, offs, fltcon_offs) \
++ { \
++ .type = &exynos850_bank_type_off, \
++ .pctl_offset = reg, \
++ .nr_pins = pins, \
++ .eint_type = EINT_TYPE_GPIO, \
++ .eint_offset = offs, \
++ .eint_fltcon_offset = fltcon_offs, \
++ .name = id \
++ }
++
++#define GS101_PIN_BANK_EINTW(pins, reg, id, offs, fltcon_offs) \
++ { \
++ .type = &exynos850_bank_type_alive, \
++ .pctl_offset = reg, \
++ .nr_pins = pins, \
++ .eint_type = EINT_TYPE_WKUP, \
++ .eint_offset = offs, \
++ .eint_fltcon_offset = fltcon_offs, \
++ .name = id \
++ }
++
+ /**
+ * struct exynos_weint_data: irq specific data for all the wakeup interrupts
+ * generated by the external wakeup interrupt controller.
+--- a/drivers/pinctrl/samsung/pinctrl-samsung.c
++++ b/drivers/pinctrl/samsung/pinctrl-samsung.c
+@@ -1230,6 +1230,7 @@ samsung_pinctrl_get_soc_data(struct sams
+ bank->eint_con_offset = bdata->eint_con_offset;
+ bank->eint_mask_offset = bdata->eint_mask_offset;
+ bank->eint_pend_offset = bdata->eint_pend_offset;
++ bank->eint_fltcon_offset = bdata->eint_fltcon_offset;
+ bank->name = bdata->name;
+
+ raw_spin_lock_init(&bank->slock);
+--- a/drivers/pinctrl/samsung/pinctrl-samsung.h
++++ b/drivers/pinctrl/samsung/pinctrl-samsung.h
+@@ -144,6 +144,7 @@ struct samsung_pin_bank_type {
+ * @eint_con_offset: ExynosAuto SoC-specific EINT control register offset of bank.
+ * @eint_mask_offset: ExynosAuto SoC-specific EINT mask register offset of bank.
+ * @eint_pend_offset: ExynosAuto SoC-specific EINT pend register offset of bank.
++ * @eint_fltcon_offset: GS101 SoC-specific EINT filter config register offset.
+ * @name: name to be prefixed for each pin in this pin bank.
+ */
+ struct samsung_pin_bank_data {
+@@ -158,6 +159,7 @@ struct samsung_pin_bank_data {
+ u32 eint_con_offset;
+ u32 eint_mask_offset;
+ u32 eint_pend_offset;
++ u32 eint_fltcon_offset;
+ const char *name;
+ };
+
+@@ -175,6 +177,7 @@ struct samsung_pin_bank_data {
+ * @eint_con_offset: ExynosAuto SoC-specific EINT register or interrupt offset of bank.
+ * @eint_mask_offset: ExynosAuto SoC-specific EINT mask register offset of bank.
+ * @eint_pend_offset: ExynosAuto SoC-specific EINT pend register offset of bank.
++ * @eint_fltcon_offset: GS101 SoC-specific EINT filter config register offset.
+ * @name: name to be prefixed for each pin in this pin bank.
+ * @id: id of the bank, propagated to the pin range.
+ * @pin_base: starting pin number of the bank.
+@@ -201,6 +204,7 @@ struct samsung_pin_bank {
+ u32 eint_con_offset;
+ u32 eint_mask_offset;
+ u32 eint_pend_offset;
++ u32 eint_fltcon_offset;
+ const char *name;
+ u32 id;
+
--- /dev/null
+From e4d4b8670c44cdd22212cab3c576e2d317efa67c Mon Sep 17 00:00:00 2001
+From: Steven Rostedt <rostedt@goodmis.org>
+Date: Wed, 2 Apr 2025 10:49:07 -0400
+Subject: ring-buffer: Use flush_kernel_vmap_range() over flush_dcache_folio()
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+commit e4d4b8670c44cdd22212cab3c576e2d317efa67c upstream.
+
+Some architectures do not have data cache coherency between user and
+kernel space. For these architectures, the cache needs to be flushed on
+both the kernel and user addresses so that user space can see the updates
+the kernel has made.
+
+Instead of using flush_dcache_folio() and playing with virt_to_folio()
+within the call to that function, use flush_kernel_vmap_range() which
+takes the virtual address and does the work for those architectures that
+need it.
+
+This also fixes a bug where the flush of the reader page only flushed one
+page. If the sub-buffer order is 1 or more, where the sub-buffer size
+would be greater than a page, it would miss the rest of the sub-buffer
+content, as the "reader page" is not just a page, but the size of a
+sub-buffer.
+
+Link: https://lore.kernel.org/all/CAG48ez3w0my4Rwttbc5tEbNsme6tc0mrSN95thjXUFaJ3aQ6SA@mail.gmail.com/
+
+Cc: stable@vger.kernel.org
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Vincent Donnefort <vdonnefort@google.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: Mike Rapoport <rppt@kernel.org>
+Link: https://lore.kernel.org/20250402144953.920792197@goodmis.org
+Fixes: 117c39200d9d7 ("ring-buffer: Introducing ring-buffer mapping functions");
+Suggested-by: Jann Horn <jannh@google.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/ring_buffer.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -5994,7 +5994,7 @@ static void rb_update_meta_page(struct r
+ meta->read = cpu_buffer->read;
+
+ /* Some archs do not have data cache coherency between kernel and user-space */
+- flush_dcache_folio(virt_to_folio(cpu_buffer->meta_page));
++ flush_kernel_vmap_range(cpu_buffer->meta_page, PAGE_SIZE);
+ }
+
+ static void
+@@ -7309,7 +7309,8 @@ consume:
+
+ out:
+ /* Some archs do not have data cache coherency between kernel and user-space */
+- flush_dcache_folio(virt_to_folio(cpu_buffer->reader_page->page));
++ flush_kernel_vmap_range(cpu_buffer->reader_page->page,
++ buffer->subbuf_size + BUF_PAGE_HDR_SIZE);
+
+ rb_update_meta_page(cpu_buffer);
+
--- /dev/null
+From 991a20173a1fbafd9fc0df0c7e17bb62d44a4deb Mon Sep 17 00:00:00 2001
+From: Sumanth Korikkar <sumanthk@linux.ibm.com>
+Date: Tue, 25 Mar 2025 19:02:45 +0100
+Subject: s390: Fix linker error when -no-pie option is unavailable
+
+From: Sumanth Korikkar <sumanthk@linux.ibm.com>
+
+commit 991a20173a1fbafd9fc0df0c7e17bb62d44a4deb upstream.
+
+The kernel build may fail if the linker does not support -no-pie option,
+as it always included in LDFLAGS_vmlinux.
+
+Error log:
+s390-linux-ld: unable to disambiguate: -no-pie (did you mean --no-pie ?)
+
+Although the GNU linker defaults to -no-pie, the ability to explicitly
+specify this option was introduced in binutils 2.36.
+
+Hence, fix it by adding -no-pie to LDFLAGS_vmlinux only when it is
+available.
+
+Cc: stable@vger.kernel.org
+Fixes: 00cda11d3b2e ("s390: Compile kernel with -fPIC and link with -no-pie")
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202503220342.T3fElO9L-lkp@intel.com/
+Suggested-by: Jens Remus <jremus@linux.ibm.com>
+Reviewed-by: Jens Remus <jremus@linux.ibm.com>
+Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/s390/Makefile
++++ b/arch/s390/Makefile
+@@ -15,7 +15,7 @@ KBUILD_CFLAGS_MODULE += -fPIC
+ KBUILD_AFLAGS += -m64
+ KBUILD_CFLAGS += -m64
+ KBUILD_CFLAGS += -fPIC
+-LDFLAGS_vmlinux := -no-pie --emit-relocs --discard-none
++LDFLAGS_vmlinux := $(call ld-option,-no-pie) --emit-relocs --discard-none
+ extra_tools := relocs
+ aflags_dwarf := -Wa,-gdwarf-2
+ KBUILD_AFLAGS_DECOMPRESSOR := $(CLANG_FLAGS) -m64 -D__ASSEMBLY__
--- /dev/null
+From 8691abd3afaadd816a298503ec1a759df1305d2e Mon Sep 17 00:00:00 2001
+From: Niklas Schnelle <schnelle@linux.ibm.com>
+Date: Thu, 20 Mar 2025 17:26:12 +0100
+Subject: s390/pci: Fix zpci_bus_is_isolated_vf() for non-VFs
+
+From: Niklas Schnelle <schnelle@linux.ibm.com>
+
+commit 8691abd3afaadd816a298503ec1a759df1305d2e upstream.
+
+For non-VFs, zpci_bus_is_isolated_vf() should return false because they
+aren't VFs. While zpci_iov_find_parent_pf() specifically checks if
+a function is a VF, it then simply returns that there is no parent. The
+simplistic check for a parent then leads to these functions being
+confused with isolated VFs and isolating them on their own domain even
+if sibling PFs should share the domain.
+
+Fix this by explicitly checking if a function is not a VF. Note also
+that at this point the case where RIDs are ignored is already handled
+and in this case all PCI functions get isolated by being detected in
+zpci_bus_is_multifunction_root().
+
+Cc: stable@vger.kernel.org
+Fixes: 2844ddbd540f ("s390/pci: Fix handling of isolated VFs")
+Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com>
+Reviewed-by: Halil Pasic <pasic@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/pci/pci_bus.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/s390/pci/pci_bus.c
++++ b/arch/s390/pci/pci_bus.c
+@@ -335,6 +335,9 @@ static bool zpci_bus_is_isolated_vf(stru
+ {
+ struct pci_dev *pdev;
+
++ if (!zdev->vfn)
++ return false;
++
+ pdev = zpci_iov_find_parent_pf(zbus, zdev);
+ if (!pdev)
+ return true;
--- /dev/null
+From 2ccd42b959aaf490333dbd3b9b102eaf295c036a Mon Sep 17 00:00:00 2001
+From: David Hildenbrand <david@redhat.com>
+Date: Wed, 2 Apr 2025 22:36:21 +0200
+Subject: s390/virtio_ccw: Don't allocate/assign airqs for non-existing queues
+
+From: David Hildenbrand <david@redhat.com>
+
+commit 2ccd42b959aaf490333dbd3b9b102eaf295c036a upstream.
+
+If we finds a vq without a name in our input array in
+virtio_ccw_find_vqs(), we treat it as "non-existing" and set the vq pointer
+to NULL; we will not call virtio_ccw_setup_vq() to allocate/setup a vq.
+
+Consequently, we create only a queue if it actually exists (name != NULL)
+and assign an incremental queue index to each such existing queue.
+
+However, in virtio_ccw_register_adapter_ind()->get_airq_indicator() we
+will not ignore these "non-existing queues", but instead assign an airq
+indicator to them.
+
+Besides never releasing them in virtio_ccw_drop_indicators() (because
+there is no virtqueue), the bigger issue seems to be that there will be a
+disagreement between the device and the Linux guest about the airq
+indicator to be used for notifying a queue, because the indicator bit
+for adapter I/O interrupt is derived from the queue index.
+
+The virtio spec states under "Setting Up Two-Stage Queue Indicators":
+
+ ... indicator contains the guest address of an area wherein the
+ indicators for the devices are contained, starting at bit_nr, one
+ bit per virtqueue of the device.
+
+And further in "Notification via Adapter I/O Interrupts":
+
+ For notifying the driver of virtqueue buffers, the device sets the
+ bit in the guest-provided indicator area at the corresponding
+ offset.
+
+For example, QEMU uses in virtio_ccw_notify() the queue index (passed as
+"vector") to select the relevant indicator bit. If a queue does not exist,
+it does not have a corresponding indicator bit assigned, because it
+effectively doesn't have a queue index.
+
+Using a virtio-balloon-ccw device under QEMU with free-page-hinting
+disabled ("free-page-hint=off") but free-page-reporting enabled
+("free-page-reporting=on") will result in free page reporting
+not working as expected: in the virtio_balloon driver, we'll be stuck
+forever in virtballoon_free_page_report()->wait_event(), because the
+waitqueue will not be woken up as the notification from the device is
+lost: it would use the wrong indicator bit.
+
+Free page reporting stops working and we get splats (when configured to
+detect hung wqs) like:
+
+ INFO: task kworker/1:3:463 blocked for more than 61 seconds.
+ Not tainted 6.14.0 #4
+ "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+ task:kworker/1:3 [...]
+ Workqueue: events page_reporting_process
+ Call Trace:
+ [<000002f404e6dfb2>] __schedule+0x402/0x1640
+ [<000002f404e6f22e>] schedule+0x3e/0xe0
+ [<000002f3846a88fa>] virtballoon_free_page_report+0xaa/0x110 [virtio_balloon]
+ [<000002f40435c8a4>] page_reporting_process+0x2e4/0x740
+ [<000002f403fd3ee2>] process_one_work+0x1c2/0x400
+ [<000002f403fd4b96>] worker_thread+0x296/0x420
+ [<000002f403fe10b4>] kthread+0x124/0x290
+ [<000002f403f4e0dc>] __ret_from_fork+0x3c/0x60
+ [<000002f404e77272>] ret_from_fork+0xa/0x38
+
+There was recently a discussion [1] whether the "holes" should be
+treated differently again, effectively assigning also non-existing
+queues a queue index: that should also fix the issue, but requires other
+workarounds to not break existing setups.
+
+Let's fix it without affecting existing setups for now by properly ignoring
+the non-existing queues, so the indicator bits will match the queue
+indexes.
+
+[1] https://lore.kernel.org/all/cover.1720611677.git.mst@redhat.com/
+
+Fixes: a229989d975e ("virtio: don't allocate vqs when names[i] = NULL")
+Reported-by: Chandra Merla <cmerla@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: David Hildenbrand <david@redhat.com>
+Tested-by: Thomas Huth <thuth@redhat.com>
+Reviewed-by: Thomas Huth <thuth@redhat.com>
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Acked-by: Christian Borntraeger <borntraeger@linux.ibm.com>
+Link: https://lore.kernel.org/r/20250402203621.940090-1-david@redhat.com
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/virtio/virtio_ccw.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/s390/virtio/virtio_ccw.c
++++ b/drivers/s390/virtio/virtio_ccw.c
+@@ -302,11 +302,17 @@ static struct airq_info *new_airq_info(i
+ static unsigned long *get_airq_indicator(struct virtqueue *vqs[], int nvqs,
+ u64 *first, void **airq_info)
+ {
+- int i, j;
++ int i, j, queue_idx, highest_queue_idx = -1;
+ struct airq_info *info;
+ unsigned long *indicator_addr = NULL;
+ unsigned long bit, flags;
+
++ /* Array entries without an actual queue pointer must be ignored. */
++ for (i = 0; i < nvqs; i++) {
++ if (vqs[i])
++ highest_queue_idx++;
++ }
++
+ for (i = 0; i < MAX_AIRQ_AREAS && !indicator_addr; i++) {
+ mutex_lock(&airq_areas_lock);
+ if (!airq_areas[i])
+@@ -316,7 +322,7 @@ static unsigned long *get_airq_indicator
+ if (!info)
+ return NULL;
+ write_lock_irqsave(&info->lock, flags);
+- bit = airq_iv_alloc(info->aiv, nvqs);
++ bit = airq_iv_alloc(info->aiv, highest_queue_idx + 1);
+ if (bit == -1UL) {
+ /* Not enough vacancies. */
+ write_unlock_irqrestore(&info->lock, flags);
+@@ -325,8 +331,10 @@ static unsigned long *get_airq_indicator
+ *first = bit;
+ *airq_info = info;
+ indicator_addr = info->aiv->vector;
+- for (j = 0; j < nvqs; j++) {
+- airq_iv_set_ptr(info->aiv, bit + j,
++ for (j = 0, queue_idx = 0; j < nvqs; j++) {
++ if (!vqs[j])
++ continue;
++ airq_iv_set_ptr(info->aiv, bit + queue_idx++,
+ (unsigned long)vqs[j]);
+ }
+ write_unlock_irqrestore(&info->lock, flags);
--- /dev/null
+From a8897ed8523d4c9d782e282b18005a3779c92714 Mon Sep 17 00:00:00 2001
+From: Jake Hillion <jake@hillion.co.uk>
+Date: Tue, 25 Mar 2025 22:41:52 +0000
+Subject: sched_ext: create_dsq: Return -EEXIST on duplicate request
+
+From: Jake Hillion <jake@hillion.co.uk>
+
+commit a8897ed8523d4c9d782e282b18005a3779c92714 upstream.
+
+create_dsq and therefore the scx_bpf_create_dsq kfunc currently silently
+ignore duplicate entries. As a sched_ext scheduler is creating each DSQ
+for a different purpose this is surprising behaviour.
+
+Replace rhashtable_insert_fast which ignores duplicates with
+rhashtable_lookup_insert_fast that reports duplicates (though doesn't
+return their value). The rest of the code is structured correctly and
+this now returns -EEXIST.
+
+Tested by adding an extra scx_bpf_create_dsq to scx_simple. Previously
+this was ignored, now init fails with a -17 code. Also ran scx_lavd
+which continued to work well.
+
+Signed-off-by: Jake Hillion <jake@hillion.co.uk>
+Acked-by: Andrea Righi <arighi@nvidia.com>
+Fixes: f0e1a0643a59 ("sched_ext: Implement BPF extensible scheduler class")
+Cc: stable@vger.kernel.org # v6.12+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/ext.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/sched/ext.c
++++ b/kernel/sched/ext.c
+@@ -4501,8 +4501,8 @@ static struct scx_dispatch_q *create_dsq
+
+ init_dsq(dsq, dsq_id);
+
+- ret = rhashtable_insert_fast(&dsq_hash, &dsq->hash_node,
+- dsq_hash_params);
++ ret = rhashtable_lookup_insert_fast(&dsq_hash, &dsq->hash_node,
++ dsq_hash_params);
+ if (ret) {
+ kfree(dsq);
+ return ERR_PTR(ret);
--- /dev/null
+From c5efa393d82cf68812e0ae4d93e339873eabe9fe Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= <mic@digikod.net>
+Date: Tue, 18 Mar 2025 17:14:42 +0100
+Subject: selftests/landlock: Add a new test for setuid()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mickaël Salaün <mic@digikod.net>
+
+commit c5efa393d82cf68812e0ae4d93e339873eabe9fe upstream.
+
+The new signal_scoping_thread_setuid tests check that the libc's
+setuid() function works as expected even when a thread is sandboxed with
+scoped signal restrictions.
+
+Before the signal scoping fix, this test would have failed with the
+setuid() call:
+
+ [pid 65] getpid() = 65
+ [pid 65] tgkill(65, 66, SIGRT_1) = -1 EPERM (Operation not permitted)
+ [pid 65] futex(0x40a66cdc, FUTEX_WAKE_PRIVATE, 1) = 0
+ [pid 65] setuid(1001) = 0
+
+After the fix, tgkill(2) is successfully leveraged to synchronize
+credentials update across threads:
+
+ [pid 65] getpid() = 65
+ [pid 65] tgkill(65, 66, SIGRT_1) = 0
+ [pid 66] <... read resumed>0x40a65eb7, 1) = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
+ [pid 66] --- SIGRT_1 {si_signo=SIGRT_1, si_code=SI_TKILL, si_pid=65, si_uid=1000} ---
+ [pid 66] getpid() = 65
+ [pid 66] setuid(1001) = 0
+ [pid 66] futex(0x40a66cdc, FUTEX_WAKE_PRIVATE, 1) = 0
+ [pid 66] rt_sigreturn({mask=[]}) = 0
+ [pid 66] read(3, <unfinished ...>
+ [pid 65] setuid(1001) = 0
+
+Test coverage for security/landlock is 92.9% of 1137 lines according to
+gcc/gcov-14.
+
+Fixes: c8994965013e ("selftests/landlock: Test signal scoping for threads")
+Cc: Günther Noack <gnoack@google.com>
+Cc: Tahera Fahimi <fahimitahera@gmail.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250318161443.279194-8-mic@digikod.net
+[mic: Update test coverage]
+Signed-off-by: Mickaël Salaün <mic@digikod.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/landlock/common.h | 1
+ tools/testing/selftests/landlock/scoped_signal_test.c | 59 ++++++++++++++++++
+ 2 files changed, 60 insertions(+)
+
+--- a/tools/testing/selftests/landlock/common.h
++++ b/tools/testing/selftests/landlock/common.h
+@@ -68,6 +68,7 @@ static void _init_caps(struct __test_met
+ CAP_MKNOD,
+ CAP_NET_ADMIN,
+ CAP_NET_BIND_SERVICE,
++ CAP_SETUID,
+ CAP_SYS_ADMIN,
+ CAP_SYS_CHROOT,
+ /* clang-format on */
+--- a/tools/testing/selftests/landlock/scoped_signal_test.c
++++ b/tools/testing/selftests/landlock/scoped_signal_test.c
+@@ -253,6 +253,7 @@ enum thread_return {
+ THREAD_INVALID = 0,
+ THREAD_SUCCESS = 1,
+ THREAD_ERROR = 2,
++ THREAD_TEST_FAILED = 3,
+ };
+
+ static void *thread_sync(void *arg)
+@@ -316,6 +317,64 @@ TEST(signal_scoping_thread_after)
+ EXPECT_EQ(0, close(thread_pipe[1]));
+ }
+
++struct thread_setuid_args {
++ int pipe_read, new_uid;
++};
++
++void *thread_setuid(void *ptr)
++{
++ const struct thread_setuid_args *arg = ptr;
++ char buf;
++
++ if (read(arg->pipe_read, &buf, 1) != 1)
++ return (void *)THREAD_ERROR;
++
++ /* libc's setuid() should update all thread's credentials. */
++ if (getuid() != arg->new_uid)
++ return (void *)THREAD_TEST_FAILED;
++
++ return (void *)THREAD_SUCCESS;
++}
++
++TEST(signal_scoping_thread_setuid)
++{
++ struct thread_setuid_args arg;
++ pthread_t no_sandbox_thread;
++ enum thread_return ret = THREAD_INVALID;
++ int pipe_parent[2];
++ int prev_uid;
++
++ disable_caps(_metadata);
++
++ /* This test does not need to be run as root. */
++ prev_uid = getuid();
++ arg.new_uid = prev_uid + 1;
++ EXPECT_LT(0, arg.new_uid);
++
++ ASSERT_EQ(0, pipe2(pipe_parent, O_CLOEXEC));
++ arg.pipe_read = pipe_parent[0];
++
++ /* Capabilities must be set before creating a new thread. */
++ set_cap(_metadata, CAP_SETUID);
++ ASSERT_EQ(0, pthread_create(&no_sandbox_thread, NULL, thread_setuid,
++ &arg));
++
++ /* Enforces restriction after creating the thread. */
++ create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL);
++
++ EXPECT_NE(arg.new_uid, getuid());
++ EXPECT_EQ(0, setuid(arg.new_uid));
++ EXPECT_EQ(arg.new_uid, getuid());
++ EXPECT_EQ(1, write(pipe_parent[1], ".", 1));
++
++ EXPECT_EQ(0, pthread_join(no_sandbox_thread, (void **)&ret));
++ EXPECT_EQ(THREAD_SUCCESS, ret);
++
++ clear_cap(_metadata, CAP_SETUID);
++ EXPECT_EQ(0, close(pipe_parent[0]));
++ EXPECT_EQ(0, close(pipe_parent[1]));
++}
++
+ const short backlog = 10;
+
+ static volatile sig_atomic_t signal_received;
--- /dev/null
+From bbe72274035a83159c8fff7d553b4a0b3c473690 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= <mic@digikod.net>
+Date: Tue, 18 Mar 2025 17:14:41 +0100
+Subject: selftests/landlock: Split signal_scoping_threads tests
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mickaël Salaün <mic@digikod.net>
+
+commit bbe72274035a83159c8fff7d553b4a0b3c473690 upstream.
+
+Split signal_scoping_threads tests into signal_scoping_thread_before
+and signal_scoping_thread_after.
+
+Use local variables for thread synchronization. Fix exported function.
+Replace some asserts with expects.
+
+Fixes: c8994965013e ("selftests/landlock: Test signal scoping for threads")
+Cc: Günther Noack <gnoack@google.com>
+Cc: Tahera Fahimi <fahimitahera@gmail.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250318161443.279194-7-mic@digikod.net
+Signed-off-by: Mickaël Salaün <mic@digikod.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/landlock/scoped_signal_test.c | 49 ++++++++++++------
+ 1 file changed, 34 insertions(+), 15 deletions(-)
+
+--- a/tools/testing/selftests/landlock/scoped_signal_test.c
++++ b/tools/testing/selftests/landlock/scoped_signal_test.c
+@@ -249,47 +249,66 @@ TEST_F(scoped_domains, check_access_sign
+ _metadata->exit_code = KSFT_FAIL;
+ }
+
+-static int thread_pipe[2];
+-
+ enum thread_return {
+ THREAD_INVALID = 0,
+ THREAD_SUCCESS = 1,
+ THREAD_ERROR = 2,
+ };
+
+-void *thread_func(void *arg)
++static void *thread_sync(void *arg)
+ {
++ const int pipe_read = *(int *)arg;
+ char buf;
+
+- if (read(thread_pipe[0], &buf, 1) != 1)
++ if (read(pipe_read, &buf, 1) != 1)
+ return (void *)THREAD_ERROR;
+
+ return (void *)THREAD_SUCCESS;
+ }
+
+-TEST(signal_scoping_threads)
++TEST(signal_scoping_thread_before)
+ {
+- pthread_t no_sandbox_thread, scoped_thread;
++ pthread_t no_sandbox_thread;
+ enum thread_return ret = THREAD_INVALID;
++ int thread_pipe[2];
+
+ drop_caps(_metadata);
+ ASSERT_EQ(0, pipe2(thread_pipe, O_CLOEXEC));
+
+- ASSERT_EQ(0,
+- pthread_create(&no_sandbox_thread, NULL, thread_func, NULL));
++ ASSERT_EQ(0, pthread_create(&no_sandbox_thread, NULL, thread_sync,
++ &thread_pipe[0]));
+
+- /* Restricts the domain after creating the first thread. */
++ /* Enforces restriction after creating the thread. */
+ create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL);
+
+- ASSERT_EQ(0, pthread_kill(no_sandbox_thread, 0));
+- ASSERT_EQ(1, write(thread_pipe[1], ".", 1));
+-
+- ASSERT_EQ(0, pthread_create(&scoped_thread, NULL, thread_func, NULL));
+- ASSERT_EQ(0, pthread_kill(scoped_thread, 0));
+- ASSERT_EQ(1, write(thread_pipe[1], ".", 1));
++ EXPECT_EQ(0, pthread_kill(no_sandbox_thread, 0));
++ EXPECT_EQ(1, write(thread_pipe[1], ".", 1));
+
+ EXPECT_EQ(0, pthread_join(no_sandbox_thread, (void **)&ret));
+ EXPECT_EQ(THREAD_SUCCESS, ret);
++
++ EXPECT_EQ(0, close(thread_pipe[0]));
++ EXPECT_EQ(0, close(thread_pipe[1]));
++}
++
++TEST(signal_scoping_thread_after)
++{
++ pthread_t scoped_thread;
++ enum thread_return ret = THREAD_INVALID;
++ int thread_pipe[2];
++
++ drop_caps(_metadata);
++ ASSERT_EQ(0, pipe2(thread_pipe, O_CLOEXEC));
++
++ /* Enforces restriction before creating the thread. */
++ create_scoped_domain(_metadata, LANDLOCK_SCOPE_SIGNAL);
++
++ ASSERT_EQ(0, pthread_create(&scoped_thread, NULL, thread_sync,
++ &thread_pipe[0]));
++
++ EXPECT_EQ(0, pthread_kill(scoped_thread, 0));
++ EXPECT_EQ(1, write(thread_pipe[1], ".", 1));
++
+ EXPECT_EQ(0, pthread_join(scoped_thread, (void **)&ret));
+ EXPECT_EQ(THREAD_SUCCESS, ret);
+
--- /dev/null
+From c183165f87a486d5879f782c05a23c179c3794ab Mon Sep 17 00:00:00 2001
+From: Geliang Tang <tanggeliang@kylinos.cn>
+Date: Fri, 28 Mar 2025 15:27:18 +0100
+Subject: selftests: mptcp: close fd_in before returning in main_loop
+
+From: Geliang Tang <tanggeliang@kylinos.cn>
+
+commit c183165f87a486d5879f782c05a23c179c3794ab upstream.
+
+The file descriptor 'fd_in' is opened when cfg_input is configured, but
+not closed in main_loop(), this patch fixes it.
+
+Fixes: 05be5e273c84 ("selftests: mptcp: add disconnect tests")
+Cc: stable@vger.kernel.org
+Co-developed-by: Cong Liu <liucong2@kylinos.cn>
+Signed-off-by: Cong Liu <liucong2@kylinos.cn>
+Signed-off-by: Geliang Tang <tanggeliang@kylinos.cn>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20250328-net-mptcp-misc-fixes-6-15-v1-3-34161a482a7f@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/mptcp_connect.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_connect.c
++++ b/tools/testing/selftests/net/mptcp/mptcp_connect.c
+@@ -1299,7 +1299,7 @@ again:
+
+ ret = copyfd_io(fd_in, fd, 1, 0, &winfo);
+ if (ret)
+- return ret;
++ goto out;
+
+ if (cfg_truncate > 0) {
+ shutdown(fd, SHUT_WR);
+@@ -1320,7 +1320,10 @@ again:
+ close(fd);
+ }
+
+- return 0;
++out:
++ if (cfg_input)
++ close(fd_in);
++ return ret;
+ }
+
+ int parse_proto(const char *proto)
--- /dev/null
+From 7335d4ac812917c16e04958775826d12d481c92d Mon Sep 17 00:00:00 2001
+From: Cong Liu <liucong2@kylinos.cn>
+Date: Fri, 28 Mar 2025 15:27:17 +0100
+Subject: selftests: mptcp: fix incorrect fd checks in main_loop
+
+From: Cong Liu <liucong2@kylinos.cn>
+
+commit 7335d4ac812917c16e04958775826d12d481c92d upstream.
+
+Fix a bug where the code was checking the wrong file descriptors
+when opening the input files. The code was checking 'fd' instead
+of 'fd_in', which could lead to incorrect error handling.
+
+Fixes: 05be5e273c84 ("selftests: mptcp: add disconnect tests")
+Cc: stable@vger.kernel.org
+Fixes: ca7ae8916043 ("selftests: mptcp: mptfo Initiator/Listener")
+Co-developed-by: Geliang Tang <geliang@kernel.org>
+Signed-off-by: Geliang Tang <geliang@kernel.org>
+Signed-off-by: Cong Liu <liucong2@kylinos.cn>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20250328-net-mptcp-misc-fixes-6-15-v1-2-34161a482a7f@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/mptcp_connect.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_connect.c
++++ b/tools/testing/selftests/net/mptcp/mptcp_connect.c
+@@ -1270,7 +1270,7 @@ int main_loop(void)
+
+ if (cfg_input && cfg_sockopt_types.mptfo) {
+ fd_in = open(cfg_input, O_RDONLY);
+- if (fd < 0)
++ if (fd_in < 0)
+ xerror("can't open %s:%d", cfg_input, errno);
+ }
+
+@@ -1293,7 +1293,7 @@ again:
+
+ if (cfg_input && !cfg_sockopt_types.mptfo) {
+ fd_in = open(cfg_input, O_RDONLY);
+- if (fd < 0)
++ if (fd_in < 0)
+ xerror("can't open %s:%d", cfg_input, errno);
+ }
+
kvm-x86-explicitly-zero-initialize-on-stack-cpuid-unions.patch
kvm-x86-acquire-srcu-in-kvm_get_mp_state-to-protect-guest-memory-accesses.patch
scsi-ufs-qcom-fix-dev-reference-leaked-through-of_qcom_ice_get.patch
+landlock-move-code-to-ease-future-backports.patch
+landlock-add-the-errata-interface.patch
+landlock-add-erratum-for-tcp-fix.patch
+landlock-always-allow-signals-between-threads-of-the-same-process.patch
+landlock-prepare-to-add-second-errata.patch
+selftests-landlock-split-signal_scoping_threads-tests.patch
+selftests-landlock-add-a-new-test-for-setuid.patch
+misc-pci_endpoint_test-fix-displaying-irq_type-after-request_irq-error.patch
+net-mana-switch-to-page-pool-for-jumbo-frames.patch
+ntb-use-64-bit-arithmetic-for-the-msi-doorbell-mask.patch
+of-irq-fix-device-node-refcount-leakage-in-api-of_irq_parse_one.patch
+of-irq-fix-device-node-refcount-leakage-in-api-of_irq_parse_raw.patch
+of-irq-fix-device-node-refcount-leakages-in-of_irq_count.patch
+of-irq-fix-device-node-refcount-leakage-in-api-irq_of_parse_and_map.patch
+of-irq-fix-device-node-refcount-leakages-in-of_irq_init.patch
+pci-brcmstb-fix-missing-of_node_put-in-brcm_pcie_probe.patch
+pci-j721e-fix-the-value-of-.linkdown_irq_regfield-for-j784s4.patch
+pci-pciehp-avoid-unnecessary-device-replacement-check.patch
+pci-fix-reference-leak-in-pci_alloc_child_bus.patch
+pci-fix-reference-leak-in-pci_register_host_bridge.patch
+pci-fix-wrong-length-of-devres-array.patch
+phy-freescale-imx8m-pcie-assert-phy-reset-and-perst-in-power-off.patch
+pinctrl-qcom-clear-latched-interrupt-status-when-changing-irq-type.patch
+pinctrl-samsung-add-support-for-eint_fltcon_offset.patch
+ring-buffer-use-flush_kernel_vmap_range-over-flush_dcache_folio.patch
+s390-pci-fix-zpci_bus_is_isolated_vf-for-non-vfs.patch
+s390-virtio_ccw-don-t-allocate-assign-airqs-for-non-existing-queues.patch
+s390-fix-linker-error-when-no-pie-option-is-unavailable.patch
+sched_ext-create_dsq-return-eexist-on-duplicate-request.patch
+selftests-mptcp-close-fd_in-before-returning-in-main_loop.patch
+selftests-mptcp-fix-incorrect-fd-checks-in-main_loop.patch
+spi-fsl-qspi-use-devm-function-instead-of-driver-remove.patch
+spi-fsl-qspi-fix-double-cleanup-in-probe-error-path.patch
+thermal-drivers-mediatek-lvts-disable-monitor-mode-during-suspend.patch
+thermal-drivers-mediatek-lvts-disable-stage-3-thermal-threshold.patch
--- /dev/null
+From 5d07ab2a7fa1305e429d9221716582f290b58078 Mon Sep 17 00:00:00 2001
+From: Kevin Hao <haokexin@gmail.com>
+Date: Thu, 10 Apr 2025 14:56:09 +0800
+Subject: spi: fsl-qspi: Fix double cleanup in probe error path
+
+From: Kevin Hao <haokexin@gmail.com>
+
+commit 5d07ab2a7fa1305e429d9221716582f290b58078 upstream.
+
+Commit 40369bfe717e ("spi: fsl-qspi: use devm function instead of driver
+remove") introduced managed cleanup via fsl_qspi_cleanup(), but
+incorrectly retain manual cleanup in two scenarios:
+
+- On devm_add_action_or_reset() failure, the function automatically call
+ fsl_qspi_cleanup(). However, the current code still jumps to
+ err_destroy_mutex, repeating cleanup.
+
+- After the fsl_qspi_cleanup() action is added successfully, there is no
+ need to manually perform the cleanup in the subsequent error path.
+ However, the current code still jumps to err_destroy_mutex on spi
+ controller failure, repeating cleanup.
+
+Skip redundant manual cleanup calls to fix these issues.
+
+Cc: stable@vger.kernel.org
+Fixes: 40369bfe717e ("spi: fsl-qspi: use devm function instead of driver remove")
+Signed-off-by: Kevin Hao <haokexin@gmail.com>
+Link: https://patch.msgid.link/20250410-spi-v1-1-56e867cc19cf@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-fsl-qspi.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/drivers/spi/spi-fsl-qspi.c
++++ b/drivers/spi/spi-fsl-qspi.c
+@@ -943,17 +943,14 @@ static int fsl_qspi_probe(struct platfor
+
+ ret = devm_add_action_or_reset(dev, fsl_qspi_cleanup, q);
+ if (ret)
+- goto err_destroy_mutex;
++ goto err_put_ctrl;
+
+ ret = devm_spi_register_controller(dev, ctlr);
+ if (ret)
+- goto err_destroy_mutex;
++ goto err_put_ctrl;
+
+ return 0;
+
+-err_destroy_mutex:
+- mutex_destroy(&q->lock);
+-
+ err_disable_clk:
+ fsl_qspi_clk_disable_unprep(q);
+
--- /dev/null
+From 40369bfe717e96e26650eeecfa5a6363563df6e4 Mon Sep 17 00:00:00 2001
+From: Han Xu <han.xu@nxp.com>
+Date: Wed, 26 Mar 2025 17:41:51 -0500
+Subject: spi: fsl-qspi: use devm function instead of driver remove
+
+From: Han Xu <han.xu@nxp.com>
+
+commit 40369bfe717e96e26650eeecfa5a6363563df6e4 upstream.
+
+Driver use devm APIs to manage clk/irq/resources and register the spi
+controller, but the legacy remove function will be called first during
+device detach and trigger kernel panic. Drop the remove function and use
+devm_add_action_or_reset() for driver cleanup to ensure the release
+sequence.
+
+Trigger kernel panic on i.MX8MQ by
+echo 30bb0000.spi >/sys/bus/platform/drivers/fsl-quadspi/unbind
+
+Cc: stable@vger.kernel.org
+Fixes: 8fcb830a00f0 ("spi: spi-fsl-qspi: use devm_spi_register_controller")
+Reported-by: Kevin Hao <haokexin@gmail.com>
+Signed-off-by: Han Xu <han.xu@nxp.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Link: https://patch.msgid.link/20250326224152.2147099-1-han.xu@nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-fsl-qspi.c | 31 +++++++++++++++++--------------
+ 1 file changed, 17 insertions(+), 14 deletions(-)
+
+--- a/drivers/spi/spi-fsl-qspi.c
++++ b/drivers/spi/spi-fsl-qspi.c
+@@ -839,6 +839,19 @@ static const struct spi_controller_mem_o
+ .get_name = fsl_qspi_get_name,
+ };
+
++static void fsl_qspi_cleanup(void *data)
++{
++ struct fsl_qspi *q = data;
++
++ /* disable the hardware */
++ qspi_writel(q, QUADSPI_MCR_MDIS_MASK, q->iobase + QUADSPI_MCR);
++ qspi_writel(q, 0x0, q->iobase + QUADSPI_RSER);
++
++ fsl_qspi_clk_disable_unprep(q);
++
++ mutex_destroy(&q->lock);
++}
++
+ static int fsl_qspi_probe(struct platform_device *pdev)
+ {
+ struct spi_controller *ctlr;
+@@ -928,6 +941,10 @@ static int fsl_qspi_probe(struct platfor
+
+ ctlr->dev.of_node = np;
+
++ ret = devm_add_action_or_reset(dev, fsl_qspi_cleanup, q);
++ if (ret)
++ goto err_destroy_mutex;
++
+ ret = devm_spi_register_controller(dev, ctlr);
+ if (ret)
+ goto err_destroy_mutex;
+@@ -947,19 +964,6 @@ err_put_ctrl:
+ return ret;
+ }
+
+-static void fsl_qspi_remove(struct platform_device *pdev)
+-{
+- struct fsl_qspi *q = platform_get_drvdata(pdev);
+-
+- /* disable the hardware */
+- qspi_writel(q, QUADSPI_MCR_MDIS_MASK, q->iobase + QUADSPI_MCR);
+- qspi_writel(q, 0x0, q->iobase + QUADSPI_RSER);
+-
+- fsl_qspi_clk_disable_unprep(q);
+-
+- mutex_destroy(&q->lock);
+-}
+-
+ static int fsl_qspi_suspend(struct device *dev)
+ {
+ return 0;
+@@ -997,7 +1001,6 @@ static struct platform_driver fsl_qspi_d
+ .pm = &fsl_qspi_pm_ops,
+ },
+ .probe = fsl_qspi_probe,
+- .remove = fsl_qspi_remove,
+ };
+ module_platform_driver(fsl_qspi_driver);
+
--- /dev/null
+From 65594b3745024857f812145a58db3601d733676c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?N=C3=ADcolas=20F=2E=20R=2E=20A=2E=20Prado?=
+ <nfraprado@collabora.com>
+Date: Mon, 13 Jan 2025 10:27:12 -0300
+Subject: thermal/drivers/mediatek/lvts: Disable monitor mode during suspend
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nícolas F. R. A. Prado <nfraprado@collabora.com>
+
+commit 65594b3745024857f812145a58db3601d733676c upstream.
+
+When configured in filtered mode, the LVTS thermal controller will
+monitor the temperature from the sensors and trigger an interrupt once a
+thermal threshold is crossed.
+
+Currently this is true even during suspend and resume. The problem with
+that is that when enabling the internal clock of the LVTS controller in
+lvts_ctrl_set_enable() during resume, the temperature reading can glitch
+and appear much higher than the real one, resulting in a spurious
+interrupt getting generated.
+
+Disable the temperature monitoring and give some time for the signals to
+stabilize during suspend in order to prevent such spurious interrupts.
+
+Cc: stable@vger.kernel.org
+Reported-by: Hsin-Te Yuan <yuanhsinte@chromium.org>
+Closes: https://lore.kernel.org/all/20241108-lvts-v1-1-eee339c6ca20@chromium.org/
+Fixes: 8137bb90600d ("thermal/drivers/mediatek/lvts_thermal: Add suspend and resume")
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
+Link: https://lore.kernel.org/r/20250113-mt8192-lvts-filtered-suspend-fix-v2-1-07a25200c7c6@collabora.com
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thermal/mediatek/lvts_thermal.c | 36 ++++++++++++++++++++++++++++++--
+ 1 file changed, 34 insertions(+), 2 deletions(-)
+
+--- a/drivers/thermal/mediatek/lvts_thermal.c
++++ b/drivers/thermal/mediatek/lvts_thermal.c
+@@ -860,6 +860,32 @@ static int lvts_ctrl_init(struct device
+ return 0;
+ }
+
++static void lvts_ctrl_monitor_enable(struct device *dev, struct lvts_ctrl *lvts_ctrl, bool enable)
++{
++ /*
++ * Bitmaps to enable each sensor on filtered mode in the MONCTL0
++ * register.
++ */
++ static const u8 sensor_filt_bitmap[] = { BIT(0), BIT(1), BIT(2), BIT(3) };
++ u32 sensor_map = 0;
++ int i;
++
++ if (lvts_ctrl->mode != LVTS_MSR_FILTERED_MODE)
++ return;
++
++ if (enable) {
++ lvts_for_each_valid_sensor(i, lvts_ctrl)
++ sensor_map |= sensor_filt_bitmap[i];
++ }
++
++ /*
++ * Bits:
++ * 9: Single point access flow
++ * 0-3: Enable sensing point 0-3
++ */
++ writel(sensor_map | BIT(9), LVTS_MONCTL0(lvts_ctrl->base));
++}
++
+ /*
+ * At this point the configuration register is the only place in the
+ * driver where we write multiple values. Per hardware constraint,
+@@ -1381,8 +1407,11 @@ static int lvts_suspend(struct device *d
+
+ lvts_td = dev_get_drvdata(dev);
+
+- for (i = 0; i < lvts_td->num_lvts_ctrl; i++)
++ for (i = 0; i < lvts_td->num_lvts_ctrl; i++) {
++ lvts_ctrl_monitor_enable(dev, &lvts_td->lvts_ctrl[i], false);
++ usleep_range(100, 200);
+ lvts_ctrl_set_enable(&lvts_td->lvts_ctrl[i], false);
++ }
+
+ clk_disable_unprepare(lvts_td->clk);
+
+@@ -1400,8 +1429,11 @@ static int lvts_resume(struct device *de
+ if (ret)
+ return ret;
+
+- for (i = 0; i < lvts_td->num_lvts_ctrl; i++)
++ for (i = 0; i < lvts_td->num_lvts_ctrl; i++) {
+ lvts_ctrl_set_enable(&lvts_td->lvts_ctrl[i], true);
++ usleep_range(100, 200);
++ lvts_ctrl_monitor_enable(dev, &lvts_td->lvts_ctrl[i], true);
++ }
+
+ return 0;
+ }
--- /dev/null
+From c612cbcdf603aefb3358b2e3964dcd5aa3f827a0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?N=C3=ADcolas=20F=2E=20R=2E=20A=2E=20Prado?=
+ <nfraprado@collabora.com>
+Date: Mon, 13 Jan 2025 10:27:13 -0300
+Subject: thermal/drivers/mediatek/lvts: Disable Stage 3 thermal threshold
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nícolas F. R. A. Prado <nfraprado@collabora.com>
+
+commit c612cbcdf603aefb3358b2e3964dcd5aa3f827a0 upstream.
+
+The Stage 3 thermal threshold is currently configured during
+the controller initialization to 105 Celsius. From the kernel
+perspective, this configuration is harmful because:
+* The stage 3 interrupt that gets triggered when the threshold is
+ crossed is not handled in any way by the IRQ handler, it just gets
+ cleared. Besides, the temperature used for stage 3 comes from the
+ sensors, and the critical thermal trip points described in the
+ Devicetree will already cause a shutdown when crossed (at a lower
+ temperature, of 100 Celsius, for all SoCs currently using this
+ driver).
+* The only effect of crossing the stage 3 threshold that has been
+ observed is that it causes the machine to no longer be able to enter
+ suspend. Even if that was a result of a momentary glitch in the
+ temperature reading of a sensor (as has been observed on the
+ MT8192-based Chromebooks).
+
+For those reasons, disable the Stage 3 thermal threshold configuration.
+
+Cc: stable@vger.kernel.org
+Reported-by: Hsin-Te Yuan <yuanhsinte@chromium.org>
+Closes: https://lore.kernel.org/all/20241108-lvts-v1-1-eee339c6ca20@chromium.org/
+Fixes: f5f633b18234 ("thermal/drivers/mediatek: Add the Low Voltage Thermal Sensor driver")
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
+Link: https://lore.kernel.org/r/20250113-mt8192-lvts-filtered-suspend-fix-v2-2-07a25200c7c6@collabora.com
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thermal/mediatek/lvts_thermal.c | 16 ++--------------
+ 1 file changed, 2 insertions(+), 14 deletions(-)
+
+--- a/drivers/thermal/mediatek/lvts_thermal.c
++++ b/drivers/thermal/mediatek/lvts_thermal.c
+@@ -65,7 +65,7 @@
+ #define LVTS_HW_FILTER 0x0
+ #define LVTS_TSSEL_CONF 0x13121110
+ #define LVTS_CALSCALE_CONF 0x300
+-#define LVTS_MONINT_CONF 0x8300318C
++#define LVTS_MONINT_CONF 0x0300318C
+
+ #define LVTS_MONINT_OFFSET_SENSOR0 0xC
+ #define LVTS_MONINT_OFFSET_SENSOR1 0x180
+@@ -91,8 +91,6 @@
+ #define LVTS_MSR_READ_TIMEOUT_US 400
+ #define LVTS_MSR_READ_WAIT_US (LVTS_MSR_READ_TIMEOUT_US / 2)
+
+-#define LVTS_HW_TSHUT_TEMP 105000
+-
+ #define LVTS_MINIMUM_THRESHOLD 20000
+
+ static int golden_temp = LVTS_GOLDEN_TEMP_DEFAULT;
+@@ -145,7 +143,6 @@ struct lvts_ctrl {
+ struct lvts_sensor sensors[LVTS_SENSOR_MAX];
+ const struct lvts_data *lvts_data;
+ u32 calibration[LVTS_SENSOR_MAX];
+- u32 hw_tshut_raw_temp;
+ u8 valid_sensor_mask;
+ int mode;
+ void __iomem *base;
+@@ -837,14 +834,6 @@ static int lvts_ctrl_init(struct device
+ */
+ lvts_ctrl[i].mode = lvts_data->lvts_ctrl[i].mode;
+
+- /*
+- * The temperature to raw temperature must be done
+- * after initializing the calibration.
+- */
+- lvts_ctrl[i].hw_tshut_raw_temp =
+- lvts_temp_to_raw(LVTS_HW_TSHUT_TEMP,
+- lvts_data->temp_factor);
+-
+ lvts_ctrl[i].low_thresh = INT_MIN;
+ lvts_ctrl[i].high_thresh = INT_MIN;
+ }
+@@ -919,7 +908,6 @@ static int lvts_irq_init(struct lvts_ctr
+ * 10 : Selected sensor with bits 19-18
+ * 11 : Reserved
+ */
+- writel(BIT(16), LVTS_PROTCTL(lvts_ctrl->base));
+
+ /*
+ * LVTS_PROTTA : Stage 1 temperature threshold
+@@ -932,8 +920,8 @@ static int lvts_irq_init(struct lvts_ctr
+ *
+ * writel(0x0, LVTS_PROTTA(lvts_ctrl->base));
+ * writel(0x0, LVTS_PROTTB(lvts_ctrl->base));
++ * writel(0x0, LVTS_PROTTC(lvts_ctrl->base));
+ */
+- writel(lvts_ctrl->hw_tshut_raw_temp, LVTS_PROTTC(lvts_ctrl->base));
+
+ /*
+ * LVTS_MONINT : Interrupt configuration register
projects / thirdparty / kernel / stable-queue.git / commitdiff
