--- /dev/null
+From stable+bounces-169408-greg=kroah.com@vger.kernel.org Wed Aug 13 16:49:18 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Aug 2025 10:44:47 -0400
+Subject: ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx()
+To: stable@vger.kernel.org
+Cc: "Geoffrey D. Bennett" <g@b4.vu>, Takashi Iwai <tiwai@suse.de>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250813144447.2048274-1-sashal@kernel.org>
+
+From: "Geoffrey D. Bennett" <g@b4.vu>
+
+[ Upstream commit 8a15ca0ca51399b652b1bbb23b590b220cf03d62 ]
+
+During communication with Focusrite Scarlett Gen 2/3/4 USB audio
+interfaces, -EPROTO is sometimes returned from scarlett2_usb_tx(),
+snd_usb_ctl_msg() which can cause initialisation and control
+operations to fail intermittently.
+
+This patch adds up to 5 retries in scarlett2_usb(), with a delay
+starting at 5ms and doubling each time. This follows the same approach
+as the fix for usb_set_interface() in endpoint.c (commit f406005e162b
+("ALSA: usb-audio: Add retry on -EPROTO from usb_set_interface()")),
+which resolved similar -EPROTO issues during device initialisation,
+and is the same approach as in fcp.c:fcp_usb().
+
+Fixes: 9e4d5c1be21f ("ALSA: usb-audio: Scarlett Gen 2 mixer interface")
+Closes: https://github.com/geoffreybennett/linux-fcp/issues/41
+Cc: stable@vger.kernel.org
+Signed-off-by: Geoffrey D. Bennett <g@b4.vu>
+Link: https://patch.msgid.link/aIdDO6ld50WQwNim@m.b4.vu
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+[ Applied retry logic around snd_usb_ctl_msg() instead of scarlett2_usb_tx() ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/mixer_scarlett_gen2.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/sound/usb/mixer_scarlett_gen2.c
++++ b/sound/usb/mixer_scarlett_gen2.c
+@@ -118,6 +118,8 @@
+ #define SCARLETT2_MIXER_MAX_VALUE \
+ ((SCARLETT2_MIXER_MAX_DB - SCARLETT2_MIXER_MIN_DB) * 2)
+
++#include <linux/delay.h>
++
+ /* map from (dB + 80) * 2 to mixer value
+ * for dB in 0 .. 172: int(8192 * pow(10, ((dB - 160) / 2 / 20)))
+ */
+@@ -591,6 +593,8 @@ static int scarlett2_usb(
+ u16 req_buf_size = sizeof(struct scarlett2_usb_packet) + req_size;
+ u16 resp_buf_size = sizeof(struct scarlett2_usb_packet) + resp_size;
+ struct scarlett2_usb_packet *req = NULL, *resp = NULL;
++ int retries = 0;
++ const int max_retries = 5;
+ int err = 0;
+
+ req = kmalloc(req_buf_size, GFP_KERNEL);
+@@ -614,6 +618,7 @@ static int scarlett2_usb(
+ if (req_size)
+ memcpy(req->data, req_data, req_size);
+
++retry:
+ err = snd_usb_ctl_msg(mixer->chip->dev,
+ usb_sndctrlpipe(mixer->chip->dev, 0),
+ SCARLETT2_USB_VENDOR_SPECIFIC_CMD_REQ,
+@@ -624,6 +629,10 @@ static int scarlett2_usb(
+ req_buf_size);
+
+ if (err != req_buf_size) {
++ if (err == -EPROTO && ++retries <= max_retries) {
++ msleep(5 * (1 << (retries - 1)));
++ goto retry;
++ }
+ usb_audio_err(
+ mixer->chip,
+ "Scarlett Gen 2 USB request result cmd %x was %d\n",
--- /dev/null
+From stable+bounces-172214-greg=kroah.com@vger.kernel.org Thu Aug 21 20:27:59 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Aug 2025 14:26:54 -0400
+Subject: ata: Fix SATA_MOBILE_LPM_POLICY description in Kconfig
+To: stable@vger.kernel.org
+Cc: Damien Le Moal <dlemoal@kernel.org>, Hannes Reinecke <hare@suse.de>, Niklas Cassel <cassel@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250821182654.891907-1-sashal@kernel.org>
+
+From: Damien Le Moal <dlemoal@kernel.org>
+
+[ Upstream commit ed62a62a18bc144f73eadf866ae46842e8f6606e ]
+
+Improve the description of the possible default SATA link power
+management policies and add the missing description for policy 5.
+No functional changes.
+
+Fixes: a5ec5a7bfd1f ("ata: ahci: Support state with min power but Partial low power state")
+Cc: stable@vger.kernel.org
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Reviewed-by: Niklas Cassel <cassel@kernel.org>
+[ Adjust context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/Kconfig | 33 +++++++++++++++++++++++++--------
+ 1 file changed, 25 insertions(+), 8 deletions(-)
+
+--- a/drivers/ata/Kconfig
++++ b/drivers/ata/Kconfig
+@@ -92,22 +92,39 @@ config SATA_AHCI
+
+ config SATA_MOBILE_LPM_POLICY
+ int "Default SATA Link Power Management policy for mobile chipsets"
+- range 0 4
++ range 0 5
+ default 0
+ depends on SATA_AHCI
+ help
+ Select the Default SATA Link Power Management (LPM) policy to use
+ for mobile / laptop variants of chipsets / "South Bridges".
+
+- The value set has the following meanings:
++ Each policy combines power saving states and features:
++ - Partial: The Phy logic is powered but is in a reduced power
++ state. The exit latency from this state is no longer than
++ 10us).
++ - Slumber: The Phy logic is powered but is in an even lower power
++ state. The exit latency from this state is potentially
++ longer, but no longer than 10ms.
++ - DevSleep: The Phy logic may be powered down. The exit latency from
++ this state is no longer than 20 ms, unless otherwise
++ specified by DETO in the device Identify Device Data log.
++ - HIPM: Host Initiated Power Management (host automatically
++ transitions to partial and slumber).
++ - DIPM: Device Initiated Power Management (device automatically
++ transitions to partial and slumber).
++
++ The possible values for the default SATA link power management
++ policies are:
+ 0 => Keep firmware settings
+- 1 => Maximum performance
+- 2 => Medium power
+- 3 => Medium power with Device Initiated PM enabled
+- 4 => Minimum power
++ 1 => No power savings (maximum performance)
++ 2 => HIPM (Partial)
++ 3 => HIPM (Partial) and DIPM (Partial and Slumber)
++ 4 => HIPM (Partial and DevSleep) and DIPM (Partial and Slumber)
++ 5 => HIPM (Slumber and DevSleep) and DIPM (Partial and Slumber)
+
+- Note "Minimum power" is known to cause issues, including disk
+- corruption, with some disks and should not be used.
++ Excluding the value 0, higher values represent policies with higher
++ power savings.
+
+ config SATA_AHCI_PLATFORM
+ tristate "Platform AHCI SATA support"
--- /dev/null
+From stable+bounces-171808-greg=kroah.com@vger.kernel.org Tue Aug 19 17:04:22 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Aug 2025 10:57:54 -0400
+Subject: btrfs: populate otime when logging an inode item
+To: stable@vger.kernel.org
+Cc: Qu Wenruo <wqu@suse.com>, Filipe Manana <fdmanana@suse.com>, David Sterba <dsterba@suse.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250819145754.527446-1-sashal@kernel.org>
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit 1ef94169db0958d6de39f9ea6e063ce887342e2d ]
+
+[TEST FAILURE WITH EXPERIMENTAL FEATURES]
+When running test case generic/508, the test case will fail with the new
+btrfs shutdown support:
+
+generic/508 - output mismatch (see /home/adam/xfstests/results//generic/508.out.bad)
+# --- tests/generic/508.out 2022-05-11 11:25:30.806666664 +0930
+# +++ /home/adam/xfstests/results//generic/508.out.bad 2025-07-02 14:53:22.401824212 +0930
+# @@ -1,2 +1,6 @@
+# QA output created by 508
+# Silence is golden
+# +Before:
+# +After : stat.btime = Thu Jan 1 09:30:00 1970
+# +Before:
+# +After : stat.btime = Wed Jul 2 14:53:22 2025
+# ...
+# (Run 'diff -u /home/adam/xfstests/tests/generic/508.out /home/adam/xfstests/results//generic/508.out.bad' to see the entire diff)
+Ran: generic/508
+Failures: generic/508
+Failed 1 of 1 tests
+
+Please note that the test case requires shutdown support, thus the test
+case will be skipped using the current upstream kernel, as it doesn't
+have shutdown ioctl support.
+
+[CAUSE]
+The direct cause the 0 time stamp in the log tree:
+
+leaf 30507008 items 2 free space 16057 generation 9 owner TREE_LOG
+leaf 30507008 flags 0x1(WRITTEN) backref revision 1
+checksum stored e522548d
+checksum calced e522548d
+fs uuid 57d45451-481e-43e4-aa93-289ad707a3a0
+chunk uuid d52bd3fd-5163-4337-98a7-7986993ad398
+ item 0 key (257 INODE_ITEM 0) itemoff 16123 itemsize 160
+ generation 9 transid 9 size 0 nbytes 0
+ block group 0 mode 100644 links 1 uid 0 gid 0 rdev 0
+ sequence 1 flags 0x0(none)
+ atime 1751432947.492000000 (2025-07-02 14:39:07)
+ ctime 1751432947.492000000 (2025-07-02 14:39:07)
+ mtime 1751432947.492000000 (2025-07-02 14:39:07)
+ otime 0.0 (1970-01-01 09:30:00) <<<
+
+But the old fs tree has all the correct time stamp:
+
+btrfs-progs v6.12
+fs tree key (FS_TREE ROOT_ITEM 0)
+leaf 30425088 items 2 free space 16061 generation 5 owner FS_TREE
+leaf 30425088 flags 0x1(WRITTEN) backref revision 1
+checksum stored 48f6c57e
+checksum calced 48f6c57e
+fs uuid 57d45451-481e-43e4-aa93-289ad707a3a0
+chunk uuid d52bd3fd-5163-4337-98a7-7986993ad398
+ item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160
+ generation 3 transid 0 size 0 nbytes 16384
+ block group 0 mode 40755 links 1 uid 0 gid 0 rdev 0
+ sequence 0 flags 0x0(none)
+ atime 1751432947.0 (2025-07-02 14:39:07)
+ ctime 1751432947.0 (2025-07-02 14:39:07)
+ mtime 1751432947.0 (2025-07-02 14:39:07)
+ otime 1751432947.0 (2025-07-02 14:39:07) <<<
+
+The root cause is that fill_inode_item() in tree-log.c is only
+populating a/c/m time, not the otime (or btime in statx output).
+
+Part of the reason is that, the vfs inode only has a/c/m time, no native
+btime support yet.
+
+[FIX]
+Thankfully btrfs has its otime stored in btrfs_inode::i_otime_sec and
+btrfs_inode::i_otime_nsec.
+
+So what we really need is just fill the otime time stamp in
+fill_inode_item() of tree-log.c
+
+There is another fill_inode_item() in inode.c, which is doing the proper
+otime population.
+
+Fixes: 94edf4ae43a5 ("Btrfs: don't bother committing delayed inode updates when fsyncing")
+CC: stable@vger.kernel.org
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+[ adapted token-based API and timespec64 field structure ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tree-log.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -3953,6 +3953,11 @@ static void fill_inode_item(struct btrfs
+ btrfs_set_token_timespec_nsec(leaf, &item->ctime,
+ inode->i_ctime.tv_nsec, &token);
+
++ btrfs_set_token_timespec_sec(leaf, &item->otime,
++ BTRFS_I(inode)->i_otime.tv_sec, &token);
++ btrfs_set_token_timespec_nsec(leaf, &item->otime,
++ BTRFS_I(inode)->i_otime.tv_nsec, &token);
++
+ btrfs_set_token_inode_nbytes(leaf, item, inode_get_bytes(inode),
+ &token);
+
--- /dev/null
+From stable+bounces-171675-greg=kroah.com@vger.kernel.org Tue Aug 19 01:14:07 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Aug 2025 19:13:58 -0400
+Subject: cdc-acm: fix race between initial clearing halt and open
+To: stable@vger.kernel.org
+Cc: Oliver Neukum <oneukum@suse.com>, stable <stable@kernel.org>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250818231358.138342-2-sashal@kernel.org>
+
+From: Oliver Neukum <oneukum@suse.com>
+
+[ Upstream commit 64690a90cd7c6db16d3af8616be1f4bf8d492850 ]
+
+On the devices that need their endpoints to get an
+initial clear_halt, this needs to be done before
+the devices can be opened. That means it needs to be
+before the devices are registered.
+
+Fixes: 15bf722e6f6c0 ("cdc-acm: Add support of ATOL FPrint fiscal printers")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Link: https://lore.kernel.org/r/20250717141259.2345605-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/class/cdc-acm.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1527,6 +1527,12 @@ skip_countries:
+ usb_driver_claim_interface(&acm_driver, data_interface, acm);
+ usb_set_intfdata(data_interface, acm);
+
++ if (quirks & CLEAR_HALT_CONDITIONS) {
++ /* errors intentionally ignored */
++ usb_clear_halt(usb_dev, acm->in);
++ usb_clear_halt(usb_dev, acm->out);
++ }
++
+ tty_dev = tty_port_register_device(&acm->port, acm_tty_driver, minor,
+ &control_interface->dev);
+ if (IS_ERR(tty_dev)) {
+@@ -1534,11 +1540,6 @@ skip_countries:
+ goto alloc_fail6;
+ }
+
+- if (quirks & CLEAR_HALT_CONDITIONS) {
+- usb_clear_halt(usb_dev, acm->in);
+- usb_clear_halt(usb_dev, acm->out);
+- }
+-
+ dev_info(&intf->dev, "ttyACM%d: USB ACM device\n", minor);
+
+ return 0;
--- /dev/null
+From stable+bounces-172609-greg=kroah.com@vger.kernel.org Sat Aug 23 16:46:09 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 Aug 2025 10:44:36 -0400
+Subject: drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS
+To: stable@vger.kernel.org
+Cc: "Imre Deak" <imre.deak@intel.com>, "Ville Syrjälä" <ville.syrjala@linux.intel.com>, "Jani Nikula" <jani.nikula@linux.intel.com>, "Jani Nikula" <jani.nikula@intel.com>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250823144436.2255063-1-sashal@kernel.org>
+
+From: Imre Deak <imre.deak@intel.com>
+
+[ Upstream commit a40c5d727b8111b5db424a1e43e14a1dcce1e77f ]
+
+Reading DPCD registers has side-effects in general. In particular
+accessing registers outside of the link training register range
+(0x102-0x106, 0x202-0x207, 0x200c-0x200f, 0x2216) is explicitly
+forbidden by the DP v2.1 Standard, see
+
+3.6.5.1 DPTX AUX Transaction Handling Mandates
+3.6.7.4 128b/132b DP Link Layer LTTPR Link Training Mandates
+
+Based on my tests, accessing the DPCD_REV register during the link
+training of an UHBR TBT DP tunnel sink leads to link training failures.
+
+Solve the above by using the DP_LANE0_1_STATUS (0x202) register for the
+DPCD register access quirk.
+
+Cc: <stable@vger.kernel.org>
+Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Cc: Jani Nikula <jani.nikula@linux.intel.com>
+Acked-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Imre Deak <imre.deak@intel.com>
+Link: https://lore.kernel.org/r/20250605082850.65136-2-imre.deak@intel.com
+[ Call to drm_dp_dpcd_access() instead of drm_dp_dpcd_probe() ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_dp_helper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_dp_helper.c
++++ b/drivers/gpu/drm/drm_dp_helper.c
+@@ -280,7 +280,7 @@ ssize_t drm_dp_dpcd_read(struct drm_dp_a
+ * We just have to do it before any DPCD access and hope that the
+ * monitor doesn't power down exactly after the throw away read.
+ */
+- ret = drm_dp_dpcd_access(aux, DP_AUX_NATIVE_READ, DP_DPCD_REV, buffer,
++ ret = drm_dp_dpcd_access(aux, DP_AUX_NATIVE_READ, DP_LANE0_1_STATUS, buffer,
+ 1);
+ if (ret != 1)
+ goto out;
--- /dev/null
+From stable+bounces-165106-greg=kroah.com@vger.kernel.org Tue Jul 29 19:15:19 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Jul 2025 13:14:55 -0400
+Subject: drm/sched: Remove optimization that causes hang when killing dependent jobs
+To: stable@vger.kernel.org
+Cc: "Lin.Cao" <lincao12@amd.com>, "Christian König" <christian.koenig@amd.com>, "Philipp Stanner" <phasta@kernel.org>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250729171455.2825719-1-sashal@kernel.org>
+
+From: "Lin.Cao" <lincao12@amd.com>
+
+[ Upstream commit 15f77764e90a713ee3916ca424757688e4f565b9 ]
+
+When application A submits jobs and application B submits a job with a
+dependency on A's fence, the normal flow wakes up the scheduler after
+processing each job. However, the optimization in
+drm_sched_entity_add_dependency_cb() uses a callback that only clears
+dependencies without waking up the scheduler.
+
+When application A is killed before its jobs can run, the callback gets
+triggered but only clears the dependency without waking up the scheduler,
+causing the scheduler to enter sleep state and application B to hang.
+
+Remove the optimization by deleting drm_sched_entity_clear_dep() and its
+usage, ensuring the scheduler is always woken up when dependencies are
+cleared.
+
+Fixes: 777dbd458c89 ("drm/amdgpu: drop a dummy wakeup scheduler")
+Cc: stable@vger.kernel.org # v4.6+
+Signed-off-by: Lin.Cao <lincao12@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Philipp Stanner <phasta@kernel.org>
+Link: https://lore.kernel.org/r/20250717084453.921097-1-lincao12@amd.com
+[ adjusted context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/scheduler/sched_entity.c | 23 ++---------------------
+ 1 file changed, 2 insertions(+), 21 deletions(-)
+
+--- a/drivers/gpu/drm/scheduler/sched_entity.c
++++ b/drivers/gpu/drm/scheduler/sched_entity.c
+@@ -328,19 +328,6 @@ void drm_sched_entity_destroy(struct drm
+ EXPORT_SYMBOL(drm_sched_entity_destroy);
+
+ /**
+- * drm_sched_entity_clear_dep - callback to clear the entities dependency
+- */
+-static void drm_sched_entity_clear_dep(struct dma_fence *f,
+- struct dma_fence_cb *cb)
+-{
+- struct drm_sched_entity *entity =
+- container_of(cb, struct drm_sched_entity, cb);
+-
+- entity->dependency = NULL;
+- dma_fence_put(f);
+-}
+-
+-/**
+ * drm_sched_entity_clear_dep - callback to clear the entities dependency and
+ * wake up scheduler
+ */
+@@ -350,7 +337,8 @@ static void drm_sched_entity_wakeup(stru
+ struct drm_sched_entity *entity =
+ container_of(cb, struct drm_sched_entity, cb);
+
+- drm_sched_entity_clear_dep(f, cb);
++ entity->dependency = NULL;
++ dma_fence_put(f);
+ drm_sched_wakeup(entity->rq->sched);
+ }
+
+@@ -426,13 +414,6 @@ static bool drm_sched_entity_add_depende
+ fence = dma_fence_get(&s_fence->scheduled);
+ dma_fence_put(entity->dependency);
+ entity->dependency = fence;
+- if (!dma_fence_add_callback(fence, &entity->cb,
+- drm_sched_entity_clear_dep))
+- return true;
+-
+- /* Ignore it when it is already scheduled */
+- dma_fence_put(fence);
+- return false;
+ }
+
+ if (!dma_fence_add_callback(entity->dependency, &entity->cb,
--- /dev/null
+From stable+bounces-172554-greg=kroah.com@vger.kernel.org Sat Aug 23 06:23:21 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 Aug 2025 00:23:11 -0400
+Subject: f2fs: fix to avoid out-of-boundary access in dnode page
+To: stable@vger.kernel.org
+Cc: Chao Yu <chao@kernel.org>, stable@kernel.org, Jiaming Zhang <r772577952@gmail.com>, Jaegeuk Kim <jaegeuk@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250823042311.1849185-1-sashal@kernel.org>
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 77de19b6867f2740cdcb6c9c7e50d522b47847a4 ]
+
+As Jiaming Zhang reported:
+
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x1c1/0x2a0 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0x17e/0x800 mm/kasan/report.c:480
+ kasan_report+0x147/0x180 mm/kasan/report.c:593
+ data_blkaddr fs/f2fs/f2fs.h:3053 [inline]
+ f2fs_data_blkaddr fs/f2fs/f2fs.h:3058 [inline]
+ f2fs_get_dnode_of_data+0x1a09/0x1c40 fs/f2fs/node.c:855
+ f2fs_reserve_block+0x53/0x310 fs/f2fs/data.c:1195
+ prepare_write_begin fs/f2fs/data.c:3395 [inline]
+ f2fs_write_begin+0xf39/0x2190 fs/f2fs/data.c:3594
+ generic_perform_write+0x2c7/0x910 mm/filemap.c:4112
+ f2fs_buffered_write_iter fs/f2fs/file.c:4988 [inline]
+ f2fs_file_write_iter+0x1ec8/0x2410 fs/f2fs/file.c:5216
+ new_sync_write fs/read_write.c:593 [inline]
+ vfs_write+0x546/0xa90 fs/read_write.c:686
+ ksys_write+0x149/0x250 fs/read_write.c:738
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xf3/0x3d0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+The root cause is in the corrupted image, there is a dnode has the same
+node id w/ its inode, so during f2fs_get_dnode_of_data(), it tries to
+access block address in dnode at offset 934, however it parses the dnode
+as inode node, so that get_dnode_addr() returns 360, then it tries to
+access page address from 360 + 934 * 4 = 4096 w/ 4 bytes.
+
+To fix this issue, let's add sanity check for node id of all direct nodes
+during f2fs_get_dnode_of_data().
+
+Cc: stable@kernel.org
+Reported-by: Jiaming Zhang <r772577952@gmail.com>
+Closes: https://groups.google.com/g/syzkaller/c/-ZnaaOOfO3M
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+[ replaced f2fs_err_ratelimited() with f2fs_err() ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/node.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/fs/f2fs/node.c
++++ b/fs/f2fs/node.c
+@@ -764,6 +764,16 @@ int f2fs_get_dnode_of_data(struct dnode_
+ for (i = 1; i <= level; i++) {
+ bool done = false;
+
++ if (nids[i] && nids[i] == dn->inode->i_ino) {
++ err = -EFSCORRUPTED;
++ f2fs_err(sbi,
++ "inode mapping table is corrupted, run fsck to fix it, "
++ "ino:%lu, nid:%u, level:%d, offset:%d",
++ dn->inode->i_ino, nids[i], level, offset[level]);
++ set_sbi_flag(sbi, SBI_NEED_FSCK);
++ goto release_pages;
++ }
++
+ if (!nids[i] && mode == ALLOC_NODE) {
+ /* alloc new node */
+ if (!f2fs_alloc_nid(sbi, &(nids[i]))) {
--- /dev/null
+From stable+bounces-164653-greg=kroah.com@vger.kernel.org Thu Jul 24 19:51:02 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jul 2025 13:50:53 -0400
+Subject: f2fs: fix to do sanity check on ino and xnid
+To: stable@vger.kernel.org
+Cc: Chao Yu <chao@kernel.org>, syzbot+cc448dcdc7ae0b4e4ffa@syzkaller.appspotmail.com, Jaegeuk Kim <jaegeuk@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250724175053.1410867-1-sashal@kernel.org>
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 061cf3a84bde038708eb0f1d065b31b7c2456533 ]
+
+syzbot reported a f2fs bug as below:
+
+INFO: task syz-executor140:5308 blocked for more than 143 seconds.
+ Not tainted 6.14.0-rc7-syzkaller-00069-g81e4f8d68c66 #0
+"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+task:syz-executor140 state:D stack:24016 pid:5308 tgid:5308 ppid:5306 task_flags:0x400140 flags:0x00000006
+Call Trace:
+ <TASK>
+ context_switch kernel/sched/core.c:5378 [inline]
+ __schedule+0x190e/0x4c90 kernel/sched/core.c:6765
+ __schedule_loop kernel/sched/core.c:6842 [inline]
+ schedule+0x14b/0x320 kernel/sched/core.c:6857
+ io_schedule+0x8d/0x110 kernel/sched/core.c:7690
+ folio_wait_bit_common+0x839/0xee0 mm/filemap.c:1317
+ __folio_lock mm/filemap.c:1664 [inline]
+ folio_lock include/linux/pagemap.h:1163 [inline]
+ __filemap_get_folio+0x147/0xb40 mm/filemap.c:1917
+ pagecache_get_page+0x2c/0x130 mm/folio-compat.c:87
+ find_get_page_flags include/linux/pagemap.h:842 [inline]
+ f2fs_grab_cache_page+0x2b/0x320 fs/f2fs/f2fs.h:2776
+ __get_node_page+0x131/0x11b0 fs/f2fs/node.c:1463
+ read_xattr_block+0xfb/0x190 fs/f2fs/xattr.c:306
+ lookup_all_xattrs fs/f2fs/xattr.c:355 [inline]
+ f2fs_getxattr+0x676/0xf70 fs/f2fs/xattr.c:533
+ __f2fs_get_acl+0x52/0x870 fs/f2fs/acl.c:179
+ f2fs_acl_create fs/f2fs/acl.c:375 [inline]
+ f2fs_init_acl+0xd7/0x9b0 fs/f2fs/acl.c:418
+ f2fs_init_inode_metadata+0xa0f/0x1050 fs/f2fs/dir.c:539
+ f2fs_add_inline_entry+0x448/0x860 fs/f2fs/inline.c:666
+ f2fs_add_dentry+0xba/0x1e0 fs/f2fs/dir.c:765
+ f2fs_do_add_link+0x28c/0x3a0 fs/f2fs/dir.c:808
+ f2fs_add_link fs/f2fs/f2fs.h:3616 [inline]
+ f2fs_mknod+0x2e8/0x5b0 fs/f2fs/namei.c:766
+ vfs_mknod+0x36d/0x3b0 fs/namei.c:4191
+ unix_bind_bsd net/unix/af_unix.c:1286 [inline]
+ unix_bind+0x563/0xe30 net/unix/af_unix.c:1379
+ __sys_bind_socket net/socket.c:1817 [inline]
+ __sys_bind+0x1e4/0x290 net/socket.c:1848
+ __do_sys_bind net/socket.c:1853 [inline]
+ __se_sys_bind net/socket.c:1851 [inline]
+ __x64_sys_bind+0x7a/0x90 net/socket.c:1851
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Let's dump and check metadata of corrupted inode, it shows its xattr_nid
+is the same to its i_ino.
+
+dump.f2fs -i 3 chaseyu.img.raw
+i_xattr_nid [0x 3 : 3]
+
+So that, during mknod in the corrupted directory, it tries to get and
+lock inode page twice, result in deadlock.
+
+- f2fs_mknod
+ - f2fs_add_inline_entry
+ - f2fs_get_inode_page --- lock dir's inode page
+ - f2fs_init_acl
+ - f2fs_acl_create(dir,..)
+ - __f2fs_get_acl
+ - f2fs_getxattr
+ - lookup_all_xattrs
+ - __get_node_page --- try to lock dir's inode page
+
+In order to fix this, let's add sanity check on ino and xnid.
+
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+cc448dcdc7ae0b4e4ffa@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-f2fs-devel/67e06150.050a0220.21942d.0005.GAE@google.com
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+[ add set_sbi_flag(sbi, SBI_NEED_FSCK) to match error handling pattern ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/inode.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/f2fs/inode.c
++++ b/fs/f2fs/inode.c
+@@ -221,6 +221,13 @@ static bool sanity_check_inode(struct in
+ return false;
+ }
+
++ if (ino_of_node(node_page) == fi->i_xattr_nid) {
++ set_sbi_flag(sbi, SBI_NEED_FSCK);
++ f2fs_warn(sbi, "%s: corrupted inode i_ino=%lx, xnid=%x, run fsck to fix.",
++ __func__, inode->i_ino, fi->i_xattr_nid);
++ return false;
++ }
++
+ if (f2fs_sb_has_flexible_inline_xattr(sbi)
+ && !f2fs_has_extra_attr(inode)) {
+ set_sbi_flag(sbi, SBI_NEED_FSCK);
--- /dev/null
+From stable+bounces-165123-greg=kroah.com@vger.kernel.org Tue Jul 29 21:31:32 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Jul 2025 15:31:23 -0400
+Subject: ice: Fix a null pointer dereference in ice_copy_and_init_pkg()
+To: stable@vger.kernel.org
+Cc: Haoxiang Li <haoxiang_li2024@163.com>, Michal Swiatkowski <michal.swiatkowski@linux.intel.com>, Aleksandr Loktionov <aleksandr.loktionov@intel.com>, Simon Horman <horms@kernel.org>, Rinitha S <sx.rinitha@intel.com>, Tony Nguyen <anthony.l.nguyen@intel.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250729193123.2873807-1-sashal@kernel.org>
+
+From: Haoxiang Li <haoxiang_li2024@163.com>
+
+[ Upstream commit 4ff12d82dac119b4b99b5a78b5af3bf2474c0a36 ]
+
+Add check for the return value of devm_kmemdup()
+to prevent potential null pointer dereference.
+
+Fixes: c76488109616 ("ice: Implement Dynamic Device Personalization (DDP) download")
+Cc: stable@vger.kernel.org
+Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
+Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+[ applied the patch to ice_flex_pipe.c instead of ice_ddp.c ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/ice/ice_flex_pipe.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/intel/ice/ice_flex_pipe.c
++++ b/drivers/net/ethernet/intel/ice/ice_flex_pipe.c
+@@ -753,6 +753,8 @@ enum ice_status ice_copy_and_init_pkg(st
+ return ICE_ERR_PARAM;
+
+ buf_copy = devm_kmemdup(ice_hw_to_dev(hw), buf, len, GFP_KERNEL);
++ if (!buf_copy)
++ return ICE_ERR_NO_MEMORY;
+
+ status = ice_init_pkg(hw, buf_copy, len);
+ if (status) {
--- /dev/null
+From stable+bounces-164643-greg=kroah.com@vger.kernel.org Thu Jul 24 18:36:16 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jul 2025 12:33:27 -0400
+Subject: iio: hid-sensor-prox: Fix incorrect OFFSET calculation
+To: stable@vger.kernel.org
+Cc: Zhang Lixu <lixu.zhang@intel.com>, Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>, Jonathan Cameron <Jonathan.Cameron@huawei.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250724163327.1369882-1-sashal@kernel.org>
+
+From: Zhang Lixu <lixu.zhang@intel.com>
+
+[ Upstream commit 79dabbd505210e41c88060806c92c052496dd61c ]
+
+The OFFSET calculation in the prox_read_raw() was incorrectly using the
+unit exponent, which is intended for SCALE calculations.
+
+Remove the incorrect OFFSET calculation and set it to a fixed value of 0.
+
+Cc: stable@vger.kernel.org
+Fixes: 39a3a0138f61 ("iio: hid-sensors: Added Proximity Sensor Driver")
+Signed-off-by: Zhang Lixu <lixu.zhang@intel.com>
+Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Link: https://patch.msgid.link/20250331055022.1149736-4-lixu.zhang@intel.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+[ adapted prox_attr array access to single structure member access ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/light/hid-sensor-prox.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/iio/light/hid-sensor-prox.c
++++ b/drivers/iio/light/hid-sensor-prox.c
+@@ -103,8 +103,7 @@ static int prox_read_raw(struct iio_dev
+ ret_type = prox_state->scale_precision;
+ break;
+ case IIO_CHAN_INFO_OFFSET:
+- *val = hid_sensor_convert_exponent(
+- prox_state->prox_attr.unit_expo);
++ *val = 0;
+ ret_type = IIO_VAL_INT;
+ break;
+ case IIO_CHAN_INFO_SAMP_FREQ:
--- /dev/null
+From stable+bounces-172557-greg=kroah.com@vger.kernel.org Sat Aug 23 06:50:25 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 Aug 2025 00:50:18 -0400
+Subject: media: qcom: camss: cleanup media device allocated resource on error path
+To: stable@vger.kernel.org
+Cc: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>, Bryan O'Donoghue <bryan.odonoghue@linaro.org>, Bryan O'Donoghue <bod@kernel.org>, Hans Verkuil <hverkuil@xs4all.nl>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250823045018.1878034-1-sashal@kernel.org>
+
+From: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
+
+[ Upstream commit 69080ec3d0daba8a894025476c98ab16b5a505a4 ]
+
+A call to media_device_init() requires media_device_cleanup() counterpart
+to complete cleanup and release any allocated resources.
+
+This has been done in the driver .remove() right from the beginning, but
+error paths on .probe() shall also be fixed.
+
+Fixes: a1d7c116fcf7 ("media: camms: Add core files")
+Cc: stable@vger.kernel.org
+Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
+Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+[ err_genpd_cleanup => err_cleanup ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/camss/camss.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/platform/qcom/camss/camss.c
++++ b/drivers/media/platform/qcom/camss/camss.c
+@@ -888,7 +888,7 @@ static int camss_probe(struct platform_d
+ ret = v4l2_device_register(camss->dev, &camss->v4l2_dev);
+ if (ret < 0) {
+ dev_err(dev, "Failed to register V4L2 device: %d\n", ret);
+- goto err_cleanup;
++ goto err_media_device_cleanup;
+ }
+
+ ret = camss_register_entities(camss);
+@@ -945,6 +945,8 @@ err_register_subdevs:
+ camss_unregister_entities(camss);
+ err_register_entities:
+ v4l2_device_unregister(&camss->v4l2_dev);
++err_media_device_cleanup:
++ media_device_cleanup(&camss->media_dev);
+ err_cleanup:
+ v4l2_async_notifier_cleanup(&camss->notifier);
+ err_free:
--- /dev/null
+From stable+bounces-172533-greg=kroah.com@vger.kernel.org Sat Aug 23 03:45:26 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 21:45:18 -0400
+Subject: media: rainshadow-cec: fix TOCTOU race condition in rain_interrupt()
+To: stable@vger.kernel.org
+Cc: Gui-Dong Han <hanguidong02@gmail.com>, Hans Verkuil <hverkuil@xs4all.nl>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250823014519.1670171-1-sashal@kernel.org>
+
+From: Gui-Dong Han <hanguidong02@gmail.com>
+
+[ Upstream commit 7af160aea26c7dc9e6734d19306128cce156ec40 ]
+
+In the interrupt handler rain_interrupt(), the buffer full check on
+rain->buf_len is performed before acquiring rain->buf_lock. This
+creates a Time-of-Check to Time-of-Use (TOCTOU) race condition, as
+rain->buf_len is concurrently accessed and modified in the work
+handler rain_irq_work_handler() under the same lock.
+
+Multiple interrupt invocations can race, with each reading buf_len
+before it becomes full and then proceeding. This can lead to both
+interrupts attempting to write to the buffer, incrementing buf_len
+beyond its capacity (DATA_SIZE) and causing a buffer overflow.
+
+Fix this bug by moving the spin_lock() to before the buffer full
+check. This ensures that the check and the subsequent buffer modification
+are performed atomically, preventing the race condition. An corresponding
+spin_unlock() is added to the overflow path to correctly release the
+lock.
+
+This possible bug was found by an experimental static analysis tool
+developed by our team.
+
+Fixes: 0f314f6c2e77 ("[media] rainshadow-cec: new RainShadow Tech HDMI CEC driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+[ drivers/media/cec/usb/rainshadow/ => drivers/media/usb/rainshadow-cec/ ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/rainshadow-cec/rainshadow-cec.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/usb/rainshadow-cec/rainshadow-cec.c
++++ b/drivers/media/usb/rainshadow-cec/rainshadow-cec.c
+@@ -171,11 +171,12 @@ static irqreturn_t rain_interrupt(struct
+ {
+ struct rain *rain = serio_get_drvdata(serio);
+
++ spin_lock(&rain->buf_lock);
+ if (rain->buf_len == DATA_SIZE) {
++ spin_unlock(&rain->buf_lock);
+ dev_warn_once(rain->dev, "buffer overflow\n");
+ return IRQ_HANDLED;
+ }
+- spin_lock(&rain->buf_lock);
+ rain->buf_len++;
+ rain->buf[rain->buf_wr_idx] = data;
+ rain->buf_wr_idx = (rain->buf_wr_idx + 1) & 0xff;
--- /dev/null
+From stable+bounces-172536-greg=kroah.com@vger.kernel.org Sat Aug 23 03:59:20 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 21:59:11 -0400
+Subject: media: v4l2-ctrls: always copy the controls on completion
+To: stable@vger.kernel.org
+Cc: Hans Verkuil <hverkuil-cisco@xs4all.nl>, Mauro Carvalho Chehab <mchehab+huawei@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250823015912.1675214-1-sashal@kernel.org>
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit c3bf5129f33923c92bf3bddaf4359b7b25ecb4ba ]
+
+When v4l2_ctrl_request_complete() is called and there is no control
+handler object found in the request, then create such an object so
+that all controls at completion state can be stored and are available
+to userspace.
+
+Otherwise any attempt by userspace to read the completed request data
+will fail.
+
+If allocating the control handler object failed, then indicate that
+by returning ENOMEM when attempting to get the controls from the
+completed request instead of returning ENOENT.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Stable-dep-of: 5a0400aca5fa ("media: v4l2-ctrls: Don't reset handler's error in v4l2_ctrl_handler_free()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/v4l2-core/v4l2-ctrls.c | 36 +++++++++++++++++++++++++++++++----
+ 1 file changed, 32 insertions(+), 4 deletions(-)
+
+--- a/drivers/media/v4l2-core/v4l2-ctrls.c
++++ b/drivers/media/v4l2-core/v4l2-ctrls.c
+@@ -3529,8 +3529,19 @@ v4l2_ctrls_find_req_obj(struct v4l2_ctrl
+ obj = media_request_object_find(req, &req_ops, hdl);
+ if (obj)
+ return obj;
++ /*
++ * If there are no controls in this completed request,
++ * then that can only happen if:
++ *
++ * 1) no controls were present in the queued request, and
++ * 2) v4l2_ctrl_request_complete() could not allocate a
++ * control handler object to store the completed state in.
++ *
++ * So return ENOMEM to indicate that there was an out-of-memory
++ * error.
++ */
+ if (!set)
+- return ERR_PTR(-ENOENT);
++ return ERR_PTR(-ENOMEM);
+
+ new_hdl = kzalloc(sizeof(*new_hdl), GFP_KERNEL);
+ if (!new_hdl)
+@@ -3541,8 +3552,8 @@ v4l2_ctrls_find_req_obj(struct v4l2_ctrl
+ if (!ret)
+ ret = v4l2_ctrl_request_bind(req, new_hdl, hdl);
+ if (ret) {
++ v4l2_ctrl_handler_free(new_hdl);
+ kfree(new_hdl);
+-
+ return ERR_PTR(ret);
+ }
+
+@@ -4113,8 +4124,25 @@ void v4l2_ctrl_request_complete(struct m
+ * wants to leave the controls unchanged.
+ */
+ obj = media_request_object_find(req, &req_ops, main_hdl);
+- if (!obj)
+- return;
++ if (!obj) {
++ int ret;
++
++ /* Create a new request so the driver can return controls */
++ hdl = kzalloc(sizeof(*hdl), GFP_KERNEL);
++ if (!hdl)
++ return;
++
++ ret = v4l2_ctrl_handler_init(hdl, (main_hdl->nr_of_buckets - 1) * 8);
++ if (!ret)
++ ret = v4l2_ctrl_request_bind(req, hdl, main_hdl);
++ if (ret) {
++ v4l2_ctrl_handler_free(hdl);
++ kfree(hdl);
++ return;
++ }
++ hdl->request_is_queued = true;
++ obj = media_request_object_find(req, &req_ops, main_hdl);
++ }
+ hdl = container_of(obj, struct v4l2_ctrl_handler, req_obj);
+
+ list_for_each_entry(ref, &hdl->ctrl_refs, node) {
--- /dev/null
+From stable+bounces-172537-greg=kroah.com@vger.kernel.org Sat Aug 23 03:59:21 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 21:59:12 -0400
+Subject: media: v4l2-ctrls: Don't reset handler's error in v4l2_ctrl_handler_free()
+To: stable@vger.kernel.org
+Cc: Sakari Ailus <sakari.ailus@linux.intel.com>, Hans Verkuil <hverkuil@xs4all.nl>, Laurent Pinchart <laurent.pinchart@ideasonboard.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250823015912.1675214-2-sashal@kernel.org>
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+[ Upstream commit 5a0400aca5fa7c6b8ba456c311a460e733571c88 ]
+
+It's a common pattern in drivers to free the control handler's resources
+and then return the handler's error code on drivers' error handling paths.
+Alas, the v4l2_ctrl_handler_free() function also zeroes the error field,
+effectively indicating successful return to the caller.
+
+There's no apparent need to touch the error field while releasing the
+control handler's resources and cleaning up stale pointers. Not touching
+the handler's error field is a more certain way to address this problem
+than changing all the users, in which case the pattern would be likely to
+re-emerge in new drivers.
+
+Do just that, don't touch the control handler's error field in
+v4l2_ctrl_handler_free().
+
+Fixes: 0996517cf8ea ("V4L/DVB: v4l2: Add new control handling framework")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Reviewed-by: Hans Verkuil <hverkuil@xs4all.nl>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+[ v4l2-ctrls.c => v4l2-ctrls-core.c ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/v4l2-core/v4l2-ctrls.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/media/v4l2-core/v4l2-ctrls.c
++++ b/drivers/media/v4l2-core/v4l2-ctrls.c
+@@ -2187,7 +2187,6 @@ void v4l2_ctrl_handler_free(struct v4l2_
+ kvfree(hdl->buckets);
+ hdl->buckets = NULL;
+ hdl->cached = NULL;
+- hdl->error = 0;
+ mutex_unlock(hdl->lock);
+ mutex_destroy(&hdl->_lock);
+ }
--- /dev/null
+From stable+bounces-172548-greg=kroah.com@vger.kernel.org Sat Aug 23 05:41:59 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 23:41:51 -0400
+Subject: media: venus: hfi: explicitly release IRQ during teardown
+To: stable@vger.kernel.org
+Cc: Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>, Dikshita Agarwal <quic_dikshita@quicinc.com>, Bryan O'Donoghue <bryan.odonoghue@linaro.org>, Bryan O'Donoghue <bod@kernel.org>, Hans Verkuil <hverkuil@xs4all.nl>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250823034151.1807520-1-sashal@kernel.org>
+
+From: Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>
+
+[ Upstream commit 640803003cd903cea73dc6a86bf6963e238e2b3f ]
+
+Ensure the IRQ is disabled - and all pending handlers completed - before
+dismantling the interrupt routing and clearing related pointers.
+
+This prevents any possibility of the interrupt triggering after the
+handler context has been invalidated.
+
+Fixes: d96d3f30c0f2 ("[media] media: venus: hfi: add Venus HFI files")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>
+Reviewed-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
+Tested-by: Dikshita Agarwal <quic_dikshita@quicinc.com> # RB5
+Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+[ Adjust context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/venus/hfi_venus.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/media/platform/qcom/venus/hfi_venus.c
++++ b/drivers/media/platform/qcom/venus/hfi_venus.c
+@@ -1608,6 +1608,7 @@ void venus_hfi_destroy(struct venus_core
+ mutex_destroy(&hdev->lock);
+ kfree(hdev);
+ core->priv = NULL;
++ disable_irq(core->irq);
+ core->ops = NULL;
+ }
+
--- /dev/null
+From stable+bounces-172556-greg=kroah.com@vger.kernel.org Sat Aug 23 06:50:22 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 Aug 2025 00:50:14 -0400
+Subject: media: venus: protect against spurious interrupts during probe
+To: stable@vger.kernel.org
+Cc: Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>, Bryan O'Donoghue <bryan.odonoghue@linaro.org>, Vikash Garodia <quic_vgarodia@quicinc.com>, Dikshita Agarwal <quic_dikshita@quicinc.com>, Bryan O'Donoghue <bod@kernel.org>, Hans Verkuil <hverkuil@xs4all.nl>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250823045015.1877984-1-sashal@kernel.org>
+
+From: Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>
+
+[ Upstream commit 3200144a2fa4209dc084a19941b9b203b43580f0 ]
+
+Make sure the interrupt handler is initialized before the interrupt is
+registered.
+
+If the IRQ is registered before hfi_create(), it's possible that an
+interrupt fires before the handler setup is complete, leading to a NULL
+dereference.
+
+This error condition has been observed during system boot on Rb3Gen2.
+
+Fixes: af2c3834c8ca ("[media] media: venus: adding core part and helper functions")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>
+Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Reviewed-by: Vikash Garodia <quic_vgarodia@quicinc.com>
+Reviewed-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
+Tested-by: Dikshita Agarwal <quic_dikshita@quicinc.com> # RB5
+Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+[ kept hfi_isr_thread instead of venus_isr_thread ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/venus/core.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/media/platform/qcom/venus/core.c
++++ b/drivers/media/platform/qcom/venus/core.c
+@@ -267,13 +267,13 @@ static int venus_probe(struct platform_d
+ mutex_init(&core->lock);
+ INIT_DELAYED_WORK(&core->work, venus_sys_error_handler);
+
+- ret = devm_request_threaded_irq(dev, core->irq, hfi_isr, hfi_isr_thread,
+- IRQF_TRIGGER_HIGH | IRQF_ONESHOT,
+- "venus", core);
++ ret = hfi_create(core, &venus_core_ops);
+ if (ret)
+ return ret;
+
+- ret = hfi_create(core, &venus_core_ops);
++ ret = devm_request_threaded_irq(dev, core->irq, hfi_isr, hfi_isr_thread,
++ IRQF_TRIGGER_HIGH | IRQF_ONESHOT,
++ "venus", core);
+ if (ret)
+ return ret;
+
--- /dev/null
+From stable+bounces-172584-greg=kroah.com@vger.kernel.org Sat Aug 23 14:55:02 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 Aug 2025 08:54:54 -0400
+Subject: media: venus: vdec: Clamp param smaller than 1fps and bigger than 240.
+To: stable@vger.kernel.org
+Cc: Ricardo Ribalda <ribalda@chromium.org>, Hans Verkuil <hverkuil@xs4all.nl>, Bryan O'Donoghue <bryan.odonoghue@linaro.org>, Bryan O'Donoghue <bod@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250823125454.2100689-1-sashal@kernel.org>
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+[ Upstream commit 377dc500d253f0b26732b2cb062e89668aef890a ]
+
+The driver uses "whole" fps in all its calculations (e.g. in
+load_per_instance()). Those calculation expect an fps bigger than 1, and
+not big enough to overflow.
+
+Clamp the value if the user provides a param that will result in an invalid
+fps.
+
+Reported-by: Hans Verkuil <hverkuil@xs4all.nl>
+Closes: https://lore.kernel.org/linux-media/f11653a7-bc49-48cd-9cdb-1659147453e4@xs4all.nl/T/#m91cd962ac942834654f94c92206e2f85ff7d97f0
+Fixes: 7472c1c69138 ("[media] media: venus: vdec: add video decoder files")
+Cc: stable@vger.kernel.org
+Tested-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> # qrb5615-rb5
+Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+[bod: Change "parm" to "param"]
+Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+[ Adjust context in header ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/venus/core.h | 2 ++
+ drivers/media/platform/qcom/venus/vdec.c | 5 ++---
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/platform/qcom/venus/core.h
++++ b/drivers/media/platform/qcom/venus/core.h
+@@ -16,6 +16,8 @@
+
+ #define VIDC_CLKS_NUM_MAX 4
+
++#define VENUS_MAX_FPS 240
++
+ struct freq_tbl {
+ unsigned int load;
+ unsigned long freq;
+--- a/drivers/media/platform/qcom/venus/vdec.c
++++ b/drivers/media/platform/qcom/venus/vdec.c
+@@ -418,11 +418,10 @@ static int vdec_s_parm(struct file *file
+ us_per_frame = timeperframe->numerator * (u64)USEC_PER_SEC;
+ do_div(us_per_frame, timeperframe->denominator);
+
+- if (!us_per_frame)
+- return -EINVAL;
+-
++ us_per_frame = clamp(us_per_frame, 1, USEC_PER_SEC);
+ fps = (u64)USEC_PER_SEC;
+ do_div(fps, us_per_frame);
++ fps = min(VENUS_MAX_FPS, fps);
+
+ inst->fps = fps;
+ inst->timeperframe = *timeperframe;
--- /dev/null
+From stable+bounces-169604-greg=kroah.com@vger.kernel.org Thu Aug 14 18:57:50 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Aug 2025 12:53:56 -0400
+Subject: mm/hmm: move pmd_to_hmm_pfn_flags() to the respective #ifdeffery
+To: stable@vger.kernel.org
+Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>, Leon Romanovsky <leonro@nvidia.com>, Alistair Popple <apopple@nvidia.com>, Bill Wendling <morbo@google.com>, Jerome Glisse <jglisse@redhat.com>, Justin Stitt <justinstitt@google.com>, Nathan Chancellor <nathan@kernel.org>, Andrew Morton <akpm@linux-foundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250814165356.2131524-1-sashal@kernel.org>
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 188cb385bbf04d486df3e52f28c47b3961f5f0c0 ]
+
+When pmd_to_hmm_pfn_flags() is unused, it prevents kernel builds with
+clang, `make W=1` and CONFIG_TRANSPARENT_HUGEPAGE=n:
+
+ mm/hmm.c:186:29: warning: unused function 'pmd_to_hmm_pfn_flags' [-Wunused-function]
+
+Fix this by moving the function to the respective existing ifdeffery
+for its the only user.
+
+See also:
+
+ 6863f5643dd7 ("kbuild: allow Clang to find unused static inline functions for W=1 build")
+
+Link: https://lkml.kernel.org/r/20250710082403.664093-1-andriy.shevchenko@linux.intel.com
+Fixes: 992de9a8b751 ("mm/hmm: allow to mirror vma of a file on a DAX backed filesystem")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Reviewed-by: Alistair Popple <apopple@nvidia.com>
+Cc: Andriy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Bill Wendling <morbo@google.com>
+Cc: Jerome Glisse <jglisse@redhat.com>
+Cc: Justin Stitt <justinstitt@google.com>
+Cc: Nathan Chancellor <nathan@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+[ Minor context adjustment ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/hmm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/hmm.c
++++ b/mm/hmm.c
+@@ -392,6 +392,7 @@ static int hmm_vma_walk_hole(unsigned lo
+ return hmm_vma_walk_hole_(addr, end, fault, write_fault, walk);
+ }
+
++#ifdef CONFIG_TRANSPARENT_HUGEPAGE
+ static inline uint64_t pmd_to_hmm_pfn_flags(struct hmm_range *range, pmd_t pmd)
+ {
+ if (pmd_protnone(pmd))
+@@ -401,7 +402,6 @@ static inline uint64_t pmd_to_hmm_pfn_fl
+ range->flags[HMM_PFN_VALID];
+ }
+
+-#ifdef CONFIG_TRANSPARENT_HUGEPAGE
+ static int hmm_vma_handle_pmd(struct mm_walk *walk, unsigned long addr,
+ unsigned long end, uint64_t *pfns, pmd_t pmd)
+ {
--- /dev/null
+From stable+bounces-171815-greg=kroah.com@vger.kernel.org Tue Aug 19 17:26:24 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Aug 2025 11:26:13 -0400
+Subject: mm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock
+To: stable@vger.kernel.org
+Cc: Breno Leitao <leitao@debian.org>, Jakub Kicinski <kuba@kernel.org>, Catalin Marinas <catalin.marinas@arm.com>, Andrew Morton <akpm@linux-foundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250819152613.541716-2-sashal@kernel.org>
+
+From: Breno Leitao <leitao@debian.org>
+
+[ Upstream commit 47b0f6d8f0d2be4d311a49e13d2fd5f152f492b2 ]
+
+When netpoll is enabled, calling pr_warn_once() while holding
+kmemleak_lock in mem_pool_alloc() can cause a deadlock due to lock
+inversion with the netconsole subsystem. This occurs because
+pr_warn_once() may trigger netpoll, which eventually leads to
+__alloc_skb() and back into kmemleak code, attempting to reacquire
+kmemleak_lock.
+
+This is the path for the deadlock.
+
+mem_pool_alloc()
+ -> raw_spin_lock_irqsave(&kmemleak_lock, flags);
+ -> pr_warn_once()
+ -> netconsole subsystem
+ -> netpoll
+ -> __alloc_skb
+ -> __create_object
+ -> raw_spin_lock_irqsave(&kmemleak_lock, flags);
+
+Fix this by setting a flag and issuing the pr_warn_once() after
+kmemleak_lock is released.
+
+Link: https://lkml.kernel.org/r/20250731-kmemleak_lock-v1-1-728fd470198f@debian.org
+Fixes: c5665868183f ("mm: kmemleak: use the memory pool for early allocations")
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Reported-by: Jakub Kicinski <kuba@kernel.org>
+Acked-by: Catalin Marinas <catalin.marinas@arm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/kmemleak.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/mm/kmemleak.c
++++ b/mm/kmemleak.c
+@@ -417,6 +417,7 @@ static struct kmemleak_object *mem_pool_
+ {
+ unsigned long flags;
+ struct kmemleak_object *object;
++ bool warn = false;
+
+ /* try the slab allocator first */
+ if (object_cache) {
+@@ -434,8 +435,10 @@ static struct kmemleak_object *mem_pool_
+ else if (mem_pool_free_count)
+ object = &mem_pool[--mem_pool_free_count];
+ else
+- pr_warn_once("Memory pool empty, consider increasing CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE\n");
++ warn = true;
+ raw_spin_unlock_irqrestore(&kmemleak_lock, flags);
++ if (warn)
++ pr_warn_once("Memory pool empty, consider increasing CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE\n");
+
+ return object;
+ }
--- /dev/null
+From stable+bounces-171814-greg=kroah.com@vger.kernel.org Tue Aug 19 17:26:21 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Aug 2025 11:26:12 -0400
+Subject: mm/kmemleak: turn kmemleak_lock and object->lock to raw_spinlock_t
+To: stable@vger.kernel.org
+Cc: He Zhe <zhe.he@windriver.com>, Liu Haitao <haitao.liu@windriver.com>, Yongxin Liu <yongxin.liu@windriver.com>, Sebastian Andrzej Siewior <bigeasy@linutronix.de>, Catalin Marinas <catalin.marinas@arm.com>, Andrew Morton <akpm@linux-foundation.org>, Linus Torvalds <torvalds@linux-foundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250819152613.541716-1-sashal@kernel.org>
+
+From: He Zhe <zhe.he@windriver.com>
+
+[ Upstream commit 8c96f1bc6fc49c724c4cdd22d3e99260263b7384 ]
+
+kmemleak_lock as a rwlock on RT can possibly be acquired in atomic
+context which does work.
+
+Since the kmemleak operation is performed in atomic context make it a
+raw_spinlock_t so it can also be acquired on RT. This is used for
+debugging and is not enabled by default in a production like environment
+(where performance/latency matters) so it makes sense to make it a
+raw_spinlock_t instead trying to get rid of the atomic context. Turn
+also the kmemleak_object->lock into raw_spinlock_t which is acquired
+(nested) while the kmemleak_lock is held.
+
+The time spent in "echo scan > kmemleak" slightly improved on 64core box
+with this patch applied after boot.
+
+[bigeasy@linutronix.de: redo the description, update comments. Merge the individual bits: He Zhe did the kmemleak_lock, Liu Haitao the ->lock and Yongxin Liu forwarded Liu's patch.]
+Link: http://lkml.kernel.org/r/20191219170834.4tah3prf2gdothz4@linutronix.de
+Link: https://lkml.kernel.org/r/20181218150744.GB20197@arrakis.emea.arm.com
+Link: https://lkml.kernel.org/r/1542877459-144382-1-git-send-email-zhe.he@windriver.com
+Link: https://lkml.kernel.org/r/20190927082230.34152-1-yongxin.liu@windriver.com
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+Signed-off-by: Liu Haitao <haitao.liu@windriver.com>
+Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Acked-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Stable-dep-of: 47b0f6d8f0d2 ("mm/kmemleak: avoid deadlock by moving pr_warn() outside kmemleak_lock")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/kmemleak.c | 112 +++++++++++++++++++++++++++++-----------------------------
+ 1 file changed, 56 insertions(+), 56 deletions(-)
+
+--- a/mm/kmemleak.c
++++ b/mm/kmemleak.c
+@@ -13,7 +13,7 @@
+ *
+ * The following locks and mutexes are used by kmemleak:
+ *
+- * - kmemleak_lock (rwlock): protects the object_list modifications and
++ * - kmemleak_lock (raw_spinlock_t): protects the object_list modifications and
+ * accesses to the object_tree_root. The object_list is the main list
+ * holding the metadata (struct kmemleak_object) for the allocated memory
+ * blocks. The object_tree_root is a red black tree used to look-up
+@@ -22,13 +22,13 @@
+ * object_tree_root in the create_object() function called from the
+ * kmemleak_alloc() callback and removed in delete_object() called from the
+ * kmemleak_free() callback
+- * - kmemleak_object.lock (spinlock): protects a kmemleak_object. Accesses to
+- * the metadata (e.g. count) are protected by this lock. Note that some
+- * members of this structure may be protected by other means (atomic or
+- * kmemleak_lock). This lock is also held when scanning the corresponding
+- * memory block to avoid the kernel freeing it via the kmemleak_free()
+- * callback. This is less heavyweight than holding a global lock like
+- * kmemleak_lock during scanning
++ * - kmemleak_object.lock (raw_spinlock_t): protects a kmemleak_object.
++ * Accesses to the metadata (e.g. count) are protected by this lock. Note
++ * that some members of this structure may be protected by other means
++ * (atomic or kmemleak_lock). This lock is also held when scanning the
++ * corresponding memory block to avoid the kernel freeing it via the
++ * kmemleak_free() callback. This is less heavyweight than holding a global
++ * lock like kmemleak_lock during scanning.
+ * - scan_mutex (mutex): ensures that only one thread may scan the memory for
+ * unreferenced objects at a time. The gray_list contains the objects which
+ * are already referenced or marked as false positives and need to be
+@@ -135,7 +135,7 @@ struct kmemleak_scan_area {
+ * (use_count) and freed using the RCU mechanism.
+ */
+ struct kmemleak_object {
+- spinlock_t lock;
++ raw_spinlock_t lock;
+ unsigned int flags; /* object status flags */
+ struct list_head object_list;
+ struct list_head gray_list;
+@@ -191,8 +191,8 @@ static int mem_pool_free_count = ARRAY_S
+ static LIST_HEAD(mem_pool_free_list);
+ /* search tree for object boundaries */
+ static struct rb_root object_tree_root = RB_ROOT;
+-/* rw_lock protecting the access to object_list and object_tree_root */
+-static DEFINE_RWLOCK(kmemleak_lock);
++/* protecting the access to object_list and object_tree_root */
++static DEFINE_RAW_SPINLOCK(kmemleak_lock);
+
+ /* allocation caches for kmemleak internal data */
+ static struct kmem_cache *object_cache;
+@@ -426,7 +426,7 @@ static struct kmemleak_object *mem_pool_
+ }
+
+ /* slab allocation failed, try the memory pool */
+- write_lock_irqsave(&kmemleak_lock, flags);
++ raw_spin_lock_irqsave(&kmemleak_lock, flags);
+ object = list_first_entry_or_null(&mem_pool_free_list,
+ typeof(*object), object_list);
+ if (object)
+@@ -435,7 +435,7 @@ static struct kmemleak_object *mem_pool_
+ object = &mem_pool[--mem_pool_free_count];
+ else
+ pr_warn_once("Memory pool empty, consider increasing CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE\n");
+- write_unlock_irqrestore(&kmemleak_lock, flags);
++ raw_spin_unlock_irqrestore(&kmemleak_lock, flags);
+
+ return object;
+ }
+@@ -453,9 +453,9 @@ static void mem_pool_free(struct kmemlea
+ }
+
+ /* add the object to the memory pool free list */
+- write_lock_irqsave(&kmemleak_lock, flags);
++ raw_spin_lock_irqsave(&kmemleak_lock, flags);
+ list_add(&object->object_list, &mem_pool_free_list);
+- write_unlock_irqrestore(&kmemleak_lock, flags);
++ raw_spin_unlock_irqrestore(&kmemleak_lock, flags);
+ }
+
+ /*
+@@ -514,9 +514,9 @@ static struct kmemleak_object *find_and_
+ struct kmemleak_object *object;
+
+ rcu_read_lock();
+- read_lock_irqsave(&kmemleak_lock, flags);
++ raw_spin_lock_irqsave(&kmemleak_lock, flags);
+ object = lookup_object(ptr, alias);
+- read_unlock_irqrestore(&kmemleak_lock, flags);
++ raw_spin_unlock_irqrestore(&kmemleak_lock, flags);
+
+ /* check whether the object is still available */
+ if (object && !get_object(object))
+@@ -546,11 +546,11 @@ static struct kmemleak_object *find_and_
+ unsigned long flags;
+ struct kmemleak_object *object;
+
+- write_lock_irqsave(&kmemleak_lock, flags);
++ raw_spin_lock_irqsave(&kmemleak_lock, flags);
+ object = lookup_object(ptr, alias);
+ if (object)
+ __remove_object(object);
+- write_unlock_irqrestore(&kmemleak_lock, flags);
++ raw_spin_unlock_irqrestore(&kmemleak_lock, flags);
+
+ return object;
+ }
+@@ -585,7 +585,7 @@ static struct kmemleak_object *create_ob
+ INIT_LIST_HEAD(&object->object_list);
+ INIT_LIST_HEAD(&object->gray_list);
+ INIT_HLIST_HEAD(&object->area_list);
+- spin_lock_init(&object->lock);
++ raw_spin_lock_init(&object->lock);
+ atomic_set(&object->use_count, 1);
+ object->flags = OBJECT_ALLOCATED;
+ object->pointer = ptr;
+@@ -617,7 +617,7 @@ static struct kmemleak_object *create_ob
+ /* kernel backtrace */
+ object->trace_len = __save_stack_trace(object->trace);
+
+- write_lock_irqsave(&kmemleak_lock, flags);
++ raw_spin_lock_irqsave(&kmemleak_lock, flags);
+
+ untagged_ptr = (unsigned long)kasan_reset_tag((void *)ptr);
+ min_addr = min(min_addr, untagged_ptr);
+@@ -649,7 +649,7 @@ static struct kmemleak_object *create_ob
+
+ list_add_tail_rcu(&object->object_list, &object_list);
+ out:
+- write_unlock_irqrestore(&kmemleak_lock, flags);
++ raw_spin_unlock_irqrestore(&kmemleak_lock, flags);
+ return object;
+ }
+
+@@ -667,9 +667,9 @@ static void __delete_object(struct kmeml
+ * Locking here also ensures that the corresponding memory block
+ * cannot be freed when it is being scanned.
+ */
+- spin_lock_irqsave(&object->lock, flags);
++ raw_spin_lock_irqsave(&object->lock, flags);
+ object->flags &= ~OBJECT_ALLOCATED;
+- spin_unlock_irqrestore(&object->lock, flags);
++ raw_spin_unlock_irqrestore(&object->lock, flags);
+ put_object(object);
+ }
+
+@@ -739,9 +739,9 @@ static void paint_it(struct kmemleak_obj
+ {
+ unsigned long flags;
+
+- spin_lock_irqsave(&object->lock, flags);
++ raw_spin_lock_irqsave(&object->lock, flags);
+ __paint_it(object, color);
+- spin_unlock_irqrestore(&object->lock, flags);
++ raw_spin_unlock_irqrestore(&object->lock, flags);
+ }
+
+ static void paint_ptr(unsigned long ptr, int color)
+@@ -803,7 +803,7 @@ static void add_scan_area(unsigned long
+ if (scan_area_cache)
+ area = kmem_cache_alloc(scan_area_cache, gfp_kmemleak_mask(gfp));
+
+- spin_lock_irqsave(&object->lock, flags);
++ raw_spin_lock_irqsave(&object->lock, flags);
+ if (!area) {
+ pr_warn_once("Cannot allocate a scan area, scanning the full object\n");
+ /* mark the object for full scan to avoid false positives */
+@@ -825,7 +825,7 @@ static void add_scan_area(unsigned long
+
+ hlist_add_head(&area->node, &object->area_list);
+ out_unlock:
+- spin_unlock_irqrestore(&object->lock, flags);
++ raw_spin_unlock_irqrestore(&object->lock, flags);
+ put_object(object);
+ }
+
+@@ -847,9 +847,9 @@ static void object_set_excess_ref(unsign
+ return;
+ }
+
+- spin_lock_irqsave(&object->lock, flags);
++ raw_spin_lock_irqsave(&object->lock, flags);
+ object->excess_ref = excess_ref;
+- spin_unlock_irqrestore(&object->lock, flags);
++ raw_spin_unlock_irqrestore(&object->lock, flags);
+ put_object(object);
+ }
+
+@@ -869,9 +869,9 @@ static void object_no_scan(unsigned long
+ return;
+ }
+
+- spin_lock_irqsave(&object->lock, flags);
++ raw_spin_lock_irqsave(&object->lock, flags);
+ object->flags |= OBJECT_NO_SCAN;
+- spin_unlock_irqrestore(&object->lock, flags);
++ raw_spin_unlock_irqrestore(&object->lock, flags);
+ put_object(object);
+ }
+
+@@ -1031,9 +1031,9 @@ void __ref kmemleak_update_trace(const v
+ return;
+ }
+
+- spin_lock_irqsave(&object->lock, flags);
++ raw_spin_lock_irqsave(&object->lock, flags);
+ object->trace_len = __save_stack_trace(object->trace);
+- spin_unlock_irqrestore(&object->lock, flags);
++ raw_spin_unlock_irqrestore(&object->lock, flags);
+
+ put_object(object);
+ }
+@@ -1238,7 +1238,7 @@ static void scan_block(void *_start, voi
+ unsigned long flags;
+ unsigned long untagged_ptr;
+
+- read_lock_irqsave(&kmemleak_lock, flags);
++ raw_spin_lock_irqsave(&kmemleak_lock, flags);
+ for (ptr = start; ptr < end; ptr++) {
+ struct kmemleak_object *object;
+ unsigned long pointer;
+@@ -1273,7 +1273,7 @@ static void scan_block(void *_start, voi
+ * previously acquired in scan_object(). These locks are
+ * enclosed by scan_mutex.
+ */
+- spin_lock_nested(&object->lock, SINGLE_DEPTH_NESTING);
++ raw_spin_lock_nested(&object->lock, SINGLE_DEPTH_NESTING);
+ /* only pass surplus references (object already gray) */
+ if (color_gray(object)) {
+ excess_ref = object->excess_ref;
+@@ -1282,7 +1282,7 @@ static void scan_block(void *_start, voi
+ excess_ref = 0;
+ update_refs(object);
+ }
+- spin_unlock(&object->lock);
++ raw_spin_unlock(&object->lock);
+
+ if (excess_ref) {
+ object = lookup_object(excess_ref, 0);
+@@ -1291,12 +1291,12 @@ static void scan_block(void *_start, voi
+ if (object == scanned)
+ /* circular reference, ignore */
+ continue;
+- spin_lock_nested(&object->lock, SINGLE_DEPTH_NESTING);
++ raw_spin_lock_nested(&object->lock, SINGLE_DEPTH_NESTING);
+ update_refs(object);
+- spin_unlock(&object->lock);
++ raw_spin_unlock(&object->lock);
+ }
+ }
+- read_unlock_irqrestore(&kmemleak_lock, flags);
++ raw_spin_unlock_irqrestore(&kmemleak_lock, flags);
+ }
+
+ /*
+@@ -1329,7 +1329,7 @@ static void scan_object(struct kmemleak_
+ * Once the object->lock is acquired, the corresponding memory block
+ * cannot be freed (the same lock is acquired in delete_object).
+ */
+- spin_lock_irqsave(&object->lock, flags);
++ raw_spin_lock_irqsave(&object->lock, flags);
+ if (object->flags & OBJECT_NO_SCAN)
+ goto out;
+ if (!(object->flags & OBJECT_ALLOCATED))
+@@ -1349,9 +1349,9 @@ static void scan_object(struct kmemleak_
+ if (start >= end)
+ break;
+
+- spin_unlock_irqrestore(&object->lock, flags);
++ raw_spin_unlock_irqrestore(&object->lock, flags);
+ cond_resched();
+- spin_lock_irqsave(&object->lock, flags);
++ raw_spin_lock_irqsave(&object->lock, flags);
+ } while (object->flags & OBJECT_ALLOCATED);
+ } else
+ hlist_for_each_entry(area, &object->area_list, node)
+@@ -1359,7 +1359,7 @@ static void scan_object(struct kmemleak_
+ (void *)(area->start + area->size),
+ object);
+ out:
+- spin_unlock_irqrestore(&object->lock, flags);
++ raw_spin_unlock_irqrestore(&object->lock, flags);
+ }
+
+ /*
+@@ -1413,7 +1413,7 @@ static void kmemleak_scan(void)
+ /* prepare the kmemleak_object's */
+ rcu_read_lock();
+ list_for_each_entry_rcu(object, &object_list, object_list) {
+- spin_lock_irqsave(&object->lock, flags);
++ raw_spin_lock_irqsave(&object->lock, flags);
+ #ifdef DEBUG
+ /*
+ * With a few exceptions there should be a maximum of
+@@ -1430,7 +1430,7 @@ static void kmemleak_scan(void)
+ if (color_gray(object) && get_object(object))
+ list_add_tail(&object->gray_list, &gray_list);
+
+- spin_unlock_irqrestore(&object->lock, flags);
++ raw_spin_unlock_irqrestore(&object->lock, flags);
+ }
+ rcu_read_unlock();
+
+@@ -1498,14 +1498,14 @@ static void kmemleak_scan(void)
+ */
+ rcu_read_lock();
+ list_for_each_entry_rcu(object, &object_list, object_list) {
+- spin_lock_irqsave(&object->lock, flags);
++ raw_spin_lock_irqsave(&object->lock, flags);
+ if (color_white(object) && (object->flags & OBJECT_ALLOCATED)
+ && update_checksum(object) && get_object(object)) {
+ /* color it gray temporarily */
+ object->count = object->min_count;
+ list_add_tail(&object->gray_list, &gray_list);
+ }
+- spin_unlock_irqrestore(&object->lock, flags);
++ raw_spin_unlock_irqrestore(&object->lock, flags);
+ }
+ rcu_read_unlock();
+
+@@ -1525,7 +1525,7 @@ static void kmemleak_scan(void)
+ */
+ rcu_read_lock();
+ list_for_each_entry_rcu(object, &object_list, object_list) {
+- spin_lock_irqsave(&object->lock, flags);
++ raw_spin_lock_irqsave(&object->lock, flags);
+ if (unreferenced_object(object) &&
+ !(object->flags & OBJECT_REPORTED)) {
+ object->flags |= OBJECT_REPORTED;
+@@ -1535,7 +1535,7 @@ static void kmemleak_scan(void)
+
+ new_leaks++;
+ }
+- spin_unlock_irqrestore(&object->lock, flags);
++ raw_spin_unlock_irqrestore(&object->lock, flags);
+ }
+ rcu_read_unlock();
+
+@@ -1687,10 +1687,10 @@ static int kmemleak_seq_show(struct seq_
+ struct kmemleak_object *object = v;
+ unsigned long flags;
+
+- spin_lock_irqsave(&object->lock, flags);
++ raw_spin_lock_irqsave(&object->lock, flags);
+ if ((object->flags & OBJECT_REPORTED) && unreferenced_object(object))
+ print_unreferenced(seq, object);
+- spin_unlock_irqrestore(&object->lock, flags);
++ raw_spin_unlock_irqrestore(&object->lock, flags);
+ return 0;
+ }
+
+@@ -1720,9 +1720,9 @@ static int dump_str_object_info(const ch
+ return -EINVAL;
+ }
+
+- spin_lock_irqsave(&object->lock, flags);
++ raw_spin_lock_irqsave(&object->lock, flags);
+ dump_object_info(object);
+- spin_unlock_irqrestore(&object->lock, flags);
++ raw_spin_unlock_irqrestore(&object->lock, flags);
+
+ put_object(object);
+ return 0;
+@@ -1741,11 +1741,11 @@ static void kmemleak_clear(void)
+
+ rcu_read_lock();
+ list_for_each_entry_rcu(object, &object_list, object_list) {
+- spin_lock_irqsave(&object->lock, flags);
++ raw_spin_lock_irqsave(&object->lock, flags);
+ if ((object->flags & OBJECT_REPORTED) &&
+ unreferenced_object(object))
+ __paint_it(object, KMEMLEAK_GREY);
+- spin_unlock_irqrestore(&object->lock, flags);
++ raw_spin_unlock_irqrestore(&object->lock, flags);
+ }
+ rcu_read_unlock();
+
--- /dev/null
+From stable+bounces-165090-greg=kroah.com@vger.kernel.org Tue Jul 29 17:13:39 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Jul 2025 11:13:26 -0400
+Subject: mm/zsmalloc: do not pass __GFP_MOVABLE if CONFIG_COMPACTION=n
+To: stable@vger.kernel.org
+Cc: Harry Yoo <harry.yoo@oracle.com>, David Hildenbrand <david@redhat.com>, Sergey Senozhatsky <senozhatsky@chromium.org>, Minchan Kim <minchan@kernel.org>, Andrew Morton <akpm@linux-foundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250729151326.2730116-2-sashal@kernel.org>
+
+From: Harry Yoo <harry.yoo@oracle.com>
+
+[ Upstream commit 694d6b99923eb05a8fd188be44e26077d19f0e21 ]
+
+Commit 48b4800a1c6a ("zsmalloc: page migration support") added support for
+migrating zsmalloc pages using the movable_operations migration framework.
+However, the commit did not take into account that zsmalloc supports
+migration only when CONFIG_COMPACTION is enabled. Tracing shows that
+zsmalloc was still passing the __GFP_MOVABLE flag even when compaction is
+not supported.
+
+This can result in unmovable pages being allocated from movable page
+blocks (even without stealing page blocks), ZONE_MOVABLE and CMA area.
+
+Possible user visible effects:
+- Some ZONE_MOVABLE memory can be not actually movable
+- CMA allocation can fail because of this
+- Increased memory fragmentation due to ignoring the page mobility
+ grouping feature
+I'm not really sure who uses kernels without compaction support, though :(
+
+To fix this, clear the __GFP_MOVABLE flag when
+!IS_ENABLED(CONFIG_COMPACTION).
+
+Link: https://lkml.kernel.org/r/20250704103053.6913-1-harry.yoo@oracle.com
+Fixes: 48b4800a1c6a ("zsmalloc: page migration support")
+Signed-off-by: Harry Yoo <harry.yoo@oracle.com>
+Acked-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Cc: Minchan Kim <minchan@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/zsmalloc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/mm/zsmalloc.c
++++ b/mm/zsmalloc.c
+@@ -1067,6 +1067,9 @@ static struct zspage *alloc_zspage(struc
+ if (!zspage)
+ return NULL;
+
++ if (!IS_ENABLED(CONFIG_COMPACTION))
++ gfp &= ~__GFP_MOVABLE;
++
+ zspage->magic = ZSPAGE_MAGIC;
+ migrate_lock_init(zspage);
+
--- /dev/null
+From stable+bounces-165089-greg=kroah.com@vger.kernel.org Tue Jul 29 17:13:38 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Jul 2025 11:13:25 -0400
+Subject: mm/zsmalloc.c: convert to use kmem_cache_zalloc in cache_alloc_zspage()
+To: stable@vger.kernel.org
+Cc: Miaohe Lin <linmiaohe@huawei.com>, Sergey Senozhatsky <sergey.senozhatsky@gmail.com>, Minchan Kim <minchan@kernel.org>, Andrew Morton <akpm@linux-foundation.org>, Linus Torvalds <torvalds@linux-foundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250729151326.2730116-1-sashal@kernel.org>
+
+From: Miaohe Lin <linmiaohe@huawei.com>
+
+[ Upstream commit f0231305acd53375c6cf736971bf5711105dd6bb ]
+
+We always memset the zspage allocated via cache_alloc_zspage. So it's
+more convenient to use kmem_cache_zalloc in cache_alloc_zspage than caller
+do it manually.
+
+Link: https://lkml.kernel.org/r/20210114120032.25885-1-linmiaohe@huawei.com
+Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
+Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Cc: Minchan Kim <minchan@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Stable-dep-of: 694d6b99923e ("mm/zsmalloc: do not pass __GFP_MOVABLE if CONFIG_COMPACTION=n")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/zsmalloc.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/mm/zsmalloc.c
++++ b/mm/zsmalloc.c
+@@ -357,7 +357,7 @@ static void cache_free_handle(struct zs_
+
+ static struct zspage *cache_alloc_zspage(struct zs_pool *pool, gfp_t flags)
+ {
+- return kmem_cache_alloc(pool->zspage_cachep,
++ return kmem_cache_zalloc(pool->zspage_cachep,
+ flags & ~(__GFP_HIGHMEM|__GFP_MOVABLE));
+ }
+
+@@ -1067,7 +1067,6 @@ static struct zspage *alloc_zspage(struc
+ if (!zspage)
+ return NULL;
+
+- memset(zspage, 0, sizeof(struct zspage));
+ zspage->magic = ZSPAGE_MAGIC;
+ migrate_lock_init(zspage);
+
--- /dev/null
+From 0d9cfc9b8cb17dbc29a98792d36ec39a1cf1395f Mon Sep 17 00:00:00 2001
+From: John Ernberg <john.ernberg@actia.se>
+Date: Wed, 23 Jul 2025 10:25:35 +0000
+Subject: net: usbnet: Avoid potential RCU stall on LINK_CHANGE event
+
+From: John Ernberg <john.ernberg@actia.se>
+
+commit 0d9cfc9b8cb17dbc29a98792d36ec39a1cf1395f upstream.
+
+The Gemalto Cinterion PLS83-W modem (cdc_ether) is emitting confusing link
+up and down events when the WWAN interface is activated on the modem-side.
+
+Interrupt URBs will in consecutive polls grab:
+* Link Connected
+* Link Disconnected
+* Link Connected
+
+Where the last Connected is then a stable link state.
+
+When the system is under load this may cause the unlink_urbs() work in
+__handle_link_change() to not complete before the next usbnet_link_change()
+call turns the carrier on again, allowing rx_submit() to queue new SKBs.
+
+In that event the URB queue is filled faster than it can drain, ending up
+in a RCU stall:
+
+ rcu: INFO: rcu_sched detected expedited stalls on CPUs/tasks: { 0-.... } 33108 jiffies s: 201 root: 0x1/.
+ rcu: blocking rcu_node structures (internal RCU debug):
+ Sending NMI from CPU 1 to CPUs 0:
+ NMI backtrace for cpu 0
+
+ Call trace:
+ arch_local_irq_enable+0x4/0x8
+ local_bh_enable+0x18/0x20
+ __netdev_alloc_skb+0x18c/0x1cc
+ rx_submit+0x68/0x1f8 [usbnet]
+ rx_alloc_submit+0x4c/0x74 [usbnet]
+ usbnet_bh+0x1d8/0x218 [usbnet]
+ usbnet_bh_tasklet+0x10/0x18 [usbnet]
+ tasklet_action_common+0xa8/0x110
+ tasklet_action+0x2c/0x34
+ handle_softirqs+0x2cc/0x3a0
+ __do_softirq+0x10/0x18
+ ____do_softirq+0xc/0x14
+ call_on_irq_stack+0x24/0x34
+ do_softirq_own_stack+0x18/0x20
+ __irq_exit_rcu+0xa8/0xb8
+ irq_exit_rcu+0xc/0x30
+ el1_interrupt+0x34/0x48
+ el1h_64_irq_handler+0x14/0x1c
+ el1h_64_irq+0x68/0x6c
+ _raw_spin_unlock_irqrestore+0x38/0x48
+ xhci_urb_dequeue+0x1ac/0x45c [xhci_hcd]
+ unlink1+0xd4/0xdc [usbcore]
+ usb_hcd_unlink_urb+0x70/0xb0 [usbcore]
+ usb_unlink_urb+0x24/0x44 [usbcore]
+ unlink_urbs.constprop.0.isra.0+0x64/0xa8 [usbnet]
+ __handle_link_change+0x34/0x70 [usbnet]
+ usbnet_deferred_kevent+0x1c0/0x320 [usbnet]
+ process_scheduled_works+0x2d0/0x48c
+ worker_thread+0x150/0x1dc
+ kthread+0xd8/0xe8
+ ret_from_fork+0x10/0x20
+
+Get around the problem by delaying the carrier on to the scheduled work.
+
+This needs a new flag to keep track of the necessary action.
+
+The carrier ok check cannot be removed as it remains required for the
+LINK_RESET event flow.
+
+Fixes: 4b49f58fff00 ("usbnet: handle link change")
+Cc: stable@vger.kernel.org
+Signed-off-by: John Ernberg <john.ernberg@actia.se>
+Link: https://patch.msgid.link/20250723102526.1305339-1-john.ernberg@actia.se
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ adjust context in header ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/usbnet.c | 11 ++++++++---
+ include/linux/usb/usbnet.h | 1 +
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1106,6 +1106,9 @@ static void __handle_link_change(struct
+ * tx queue is stopped by netcore after link becomes off
+ */
+ } else {
++ if (test_and_clear_bit(EVENT_LINK_CARRIER_ON, &dev->flags))
++ netif_carrier_on(dev->net);
++
+ /* submitting URBs for reading packets */
+ tasklet_schedule(&dev->bh);
+ }
+@@ -1978,10 +1981,12 @@ EXPORT_SYMBOL(usbnet_manage_power);
+ void usbnet_link_change(struct usbnet *dev, bool link, bool need_reset)
+ {
+ /* update link after link is reseted */
+- if (link && !need_reset)
+- netif_carrier_on(dev->net);
+- else
++ if (link && !need_reset) {
++ set_bit(EVENT_LINK_CARRIER_ON, &dev->flags);
++ } else {
++ clear_bit(EVENT_LINK_CARRIER_ON, &dev->flags);
+ netif_carrier_off(dev->net);
++ }
+
+ if (need_reset && link)
+ usbnet_defer_kevent(dev, EVENT_LINK_RESET);
+--- a/include/linux/usb/usbnet.h
++++ b/include/linux/usb/usbnet.h
+@@ -83,6 +83,7 @@ struct usbnet {
+ # define EVENT_LINK_CHANGE 11
+ # define EVENT_SET_RX_MODE 12
+ # define EVENT_NO_IP_ALIGN 13
++# define EVENT_LINK_CARRIER_ON 14
+ u32 rx_speed; /* in bps - NOT Mbps */
+ u32 tx_speed; /* in bps - NOT Mbps */
+ };
--- /dev/null
+From 8466d393700f9ccef68134d3349f4e0a087679b9 Mon Sep 17 00:00:00 2001
+From: Ammar Faizi <ammarfaizi2@gnuweeb.org>
+Date: Wed, 6 Aug 2025 07:31:05 +0700
+Subject: net: usbnet: Fix the wrong netif_carrier_on() call
+
+From: Ammar Faizi <ammarfaizi2@gnuweeb.org>
+
+commit 8466d393700f9ccef68134d3349f4e0a087679b9 upstream.
+
+The commit referenced in the Fixes tag causes usbnet to malfunction
+(identified via git bisect). Post-commit, my external RJ45 LAN cable
+fails to connect. Linus also reported the same issue after pulling that
+commit.
+
+The code has a logic error: netif_carrier_on() is only called when the
+link is already on. Fix this by moving the netif_carrier_on() call
+outside the if-statement entirely. This ensures it is always called
+when EVENT_LINK_CARRIER_ON is set and properly clears it regardless
+of the link state.
+
+Cc: stable@vger.kernel.org
+Cc: Armando Budianto <sprite@gnuweeb.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Link: https://lore.kernel.org/all/CAHk-=wjqL4uF0MG_c8+xHX1Vv8==sPYQrtzbdA3kzi96284nuQ@mail.gmail.com
+Closes: https://lore.kernel.org/netdev/CAHk-=wjKh8X4PT_mU1kD4GQrbjivMfPn-_hXa6han_BTDcXddw@mail.gmail.com
+Closes: https://lore.kernel.org/netdev/0752dee6-43d6-4e1f-81d2-4248142cccd2@gnuweeb.org
+Fixes: 0d9cfc9b8cb1 ("net: usbnet: Avoid potential RCU stall on LINK_CHANGE event")
+Signed-off-by: Ammar Faizi <ammarfaizi2@gnuweeb.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/usbnet.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1097,6 +1097,9 @@ static void __handle_link_change(struct
+ if (!test_bit(EVENT_DEV_OPEN, &dev->flags))
+ return;
+
++ if (test_and_clear_bit(EVENT_LINK_CARRIER_ON, &dev->flags))
++ netif_carrier_on(dev->net);
++
+ if (!netif_carrier_ok(dev->net)) {
+ /* kill URBs for reading packets to save bus bandwidth */
+ unlink_urbs(dev, &dev->rxq);
+@@ -1106,9 +1109,6 @@ static void __handle_link_change(struct
+ * tx queue is stopped by netcore after link becomes off
+ */
+ } else {
+- if (test_and_clear_bit(EVENT_LINK_CARRIER_ON, &dev->flags))
+- netif_carrier_on(dev->net);
+-
+ /* submitting URBs for reading packets */
+ tasklet_schedule(&dev->bh);
+ }
--- /dev/null
+From stable+bounces-169876-greg=kroah.com@vger.kernel.org Sun Aug 17 04:28:43 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 16 Aug 2025 22:28:12 -0400
+Subject: NFS: Fix the setting of capabilities when automounting a new filesystem
+To: stable@vger.kernel.org
+Cc: Trond Myklebust <trond.myklebust@hammerspace.com>, Benjamin Coddington <bcodding@redhat.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250817022812.1338100-3-sashal@kernel.org>
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit b01f21cacde9f2878492cf318fee61bf4ccad323 ]
+
+Capabilities cannot be inherited when we cross into a new filesystem.
+They need to be reset to the minimal defaults, and then probed for
+again.
+
+Fixes: 54ceac451598 ("NFS: Share NFS superblocks per-protocol per-server per-FSID")
+Cc: stable@vger.kernel.org
+Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+[ adapted to older fs_context-less API structures ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/client.c | 44 ++++++++++++++++++++++++++++++++++++++++----
+ fs/nfs/internal.h | 1 +
+ fs/nfs/nfs4client.c | 13 +------------
+ fs/nfs/nfs4proc.c | 2 ++
+ 4 files changed, 44 insertions(+), 16 deletions(-)
+
+--- a/fs/nfs/client.c
++++ b/fs/nfs/client.c
+@@ -646,6 +646,42 @@ struct nfs_client *nfs_init_client(struc
+ }
+ EXPORT_SYMBOL_GPL(nfs_init_client);
+
++static void nfs4_server_set_init_caps(struct nfs_server *server)
++{
++#if IS_ENABLED(CONFIG_NFS_V4)
++ /* Set the basic capabilities */
++ server->caps = server->nfs_client->cl_mvops->init_caps;
++ if (server->flags & NFS_MOUNT_NORDIRPLUS)
++ server->caps &= ~NFS_CAP_READDIRPLUS;
++
++ /*
++ * Don't use NFS uid/gid mapping if we're using AUTH_SYS or lower
++ * authentication.
++ */
++ if (nfs4_disable_idmapping &&
++ server->client->cl_auth->au_flavor == RPC_AUTH_UNIX)
++ server->caps |= NFS_CAP_UIDGID_NOMAP;
++#endif
++}
++
++void nfs_server_set_init_caps(struct nfs_server *server)
++{
++ switch (server->nfs_client->rpc_ops->version) {
++ case 2:
++ server->caps = NFS_CAP_HARDLINKS | NFS_CAP_SYMLINKS;
++ break;
++ case 3:
++ server->caps = NFS_CAP_HARDLINKS | NFS_CAP_SYMLINKS;
++ if (!(server->flags & NFS_MOUNT_NORDIRPLUS))
++ server->caps |= NFS_CAP_READDIRPLUS;
++ break;
++ default:
++ nfs4_server_set_init_caps(server);
++ break;
++ }
++}
++EXPORT_SYMBOL_GPL(nfs_server_set_init_caps);
++
+ /*
+ * Create a version 2 or 3 client
+ */
+@@ -683,9 +719,6 @@ static int nfs_init_server(struct nfs_se
+ /* Initialise the client representation from the mount data */
+ server->flags = data->flags;
+ server->options = data->options;
+- server->caps |= NFS_CAP_HARDLINKS|NFS_CAP_SYMLINKS|NFS_CAP_FILEID|
+- NFS_CAP_MODE|NFS_CAP_NLINK|NFS_CAP_OWNER|NFS_CAP_OWNER_GROUP|
+- NFS_CAP_ATIME|NFS_CAP_CTIME|NFS_CAP_MTIME;
+
+ if (data->rsize)
+ server->rsize = nfs_block_size(data->rsize, NULL);
+@@ -710,6 +743,8 @@ static int nfs_init_server(struct nfs_se
+ if (error < 0)
+ goto error;
+
++ nfs_server_set_init_caps(server);
++
+ /* Preserve the values of mount_server-related mount options */
+ if (data->mount_server.addrlen) {
+ memcpy(&server->mountd_address, &data->mount_server.address,
+@@ -834,7 +869,6 @@ void nfs_server_copy_userdata(struct nfs
+ target->acregmax = source->acregmax;
+ target->acdirmin = source->acdirmin;
+ target->acdirmax = source->acdirmax;
+- target->caps = source->caps;
+ target->options = source->options;
+ target->auth_info = source->auth_info;
+ target->port = source->port;
+@@ -1042,6 +1076,8 @@ struct nfs_server *nfs_clone_server(stru
+ if (error < 0)
+ goto out_free_server;
+
++ nfs_server_set_init_caps(server);
++
+ /* probe the filesystem info for this server filesystem */
+ error = nfs_probe_fsinfo(server, fh, fattr_fsinfo);
+ if (error < 0)
+--- a/fs/nfs/internal.h
++++ b/fs/nfs/internal.h
+@@ -172,6 +172,7 @@ nfs4_find_client_sessionid(struct net *,
+ struct nfs4_sessionid *, u32);
+ extern struct nfs_server *nfs_create_server(struct nfs_mount_info *,
+ struct nfs_subversion *);
++extern void nfs_server_set_init_caps(struct nfs_server *);
+ extern struct nfs_server *nfs4_create_server(
+ struct nfs_mount_info *,
+ struct nfs_subversion *);
+--- a/fs/nfs/nfs4client.c
++++ b/fs/nfs/nfs4client.c
+@@ -1011,18 +1011,7 @@ static int nfs4_server_common_setup(stru
+ if (error < 0)
+ goto out;
+
+- /* Set the basic capabilities */
+- server->caps |= server->nfs_client->cl_mvops->init_caps;
+- if (server->flags & NFS_MOUNT_NORDIRPLUS)
+- server->caps &= ~NFS_CAP_READDIRPLUS;
+- /*
+- * Don't use NFS uid/gid mapping if we're using AUTH_SYS or lower
+- * authentication.
+- */
+- if (nfs4_disable_idmapping &&
+- server->client->cl_auth->au_flavor == RPC_AUTH_UNIX)
+- server->caps |= NFS_CAP_UIDGID_NOMAP;
+-
++ nfs_server_set_init_caps(server);
+
+ /* Probe the root fh to retrieve its FSID and filehandle */
+ error = nfs4_get_rootfh(server, mntfh, auth_probe);
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -3884,6 +3884,8 @@ int nfs4_server_capabilities(struct nfs_
+ .interruptible = true,
+ };
+ int err;
++
++ nfs_server_set_init_caps(server);
+ do {
+ err = nfs4_handle_exception(server,
+ _nfs4_server_capabilities(server, fhandle),
--- /dev/null
+From stable+bounces-169875-greg=kroah.com@vger.kernel.org Sun Aug 17 04:28:21 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 16 Aug 2025 22:28:11 -0400
+Subject: NFS: Fix up handling of outstanding layoutcommit in nfs_update_inode()
+To: stable@vger.kernel.org
+Cc: Trond Myklebust <trond.myklebust@hammerspace.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250817022812.1338100-2-sashal@kernel.org>
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit 709fa5769914b377af87962bbe4ff81ffb019b2d ]
+
+If there is an outstanding layoutcommit, then the list of attributes
+whose values are expected to change is not the full set. So let's
+be explicit about the full list.
+
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Stable-dep-of: b01f21cacde9 ("NFS: Fix the setting of capabilities when automounting a new filesystem")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/inode.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/fs/nfs/inode.c
++++ b/fs/nfs/inode.c
+@@ -1869,7 +1869,11 @@ static int nfs_update_inode(struct inode
+ nfs_wcc_update_inode(inode, fattr);
+
+ if (pnfs_layoutcommit_outstanding(inode)) {
+- nfsi->cache_validity |= save_cache_validity & NFS_INO_INVALID_ATTR;
++ nfsi->cache_validity |=
++ save_cache_validity &
++ (NFS_INO_INVALID_CHANGE | NFS_INO_INVALID_CTIME |
++ NFS_INO_INVALID_MTIME | NFS_INO_INVALID_SIZE |
++ NFS_INO_REVAL_FORCED);
+ cache_revalidated = false;
+ }
+
--- /dev/null
+From stable+bounces-169820-greg=kroah.com@vger.kernel.org Fri Aug 15 22:27:54 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Aug 2025 16:27:45 -0400
+Subject: nfsd: handle get_client_locked() failure in nfsd4_setclientid_confirm()
+To: stable@vger.kernel.org
+Cc: Jeff Layton <jlayton@kernel.org>, lei lu <llfamsec@gmail.com>, Chuck Lever <chuck.lever@oracle.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250815202745.212176-1-sashal@kernel.org>
+
+From: Jeff Layton <jlayton@kernel.org>
+
+[ Upstream commit 908e4ead7f757504d8b345452730636e298cbf68 ]
+
+Lei Lu recently reported that nfsd4_setclientid_confirm() did not check
+the return value from get_client_locked(). a SETCLIENTID_CONFIRM could
+race with a confirmed client expiring and fail to get a reference. That
+could later lead to a UAF.
+
+Fix this by getting a reference early in the case where there is an
+extant confirmed client. If that fails then treat it as if there were no
+confirmed client found at all.
+
+In the case where the unconfirmed client is expiring, just fail and
+return the result from get_client_locked().
+
+Reported-by: lei lu <llfamsec@gmail.com>
+Closes: https://lore.kernel.org/linux-nfs/CAEBF3_b=UvqzNKdnfD_52L05Mqrqui9vZ2eFamgAbV0WG+FNWQ@mail.gmail.com/
+Fixes: d20c11d86d8f ("nfsd: Protect session creation and client confirm using client_lock")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+[ Adjust context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4state.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -3956,10 +3956,16 @@ nfsd4_setclientid_confirm(struct svc_rqs
+ }
+ status = nfs_ok;
+ if (conf) { /* case 1: callback update */
+- old = unconf;
+- unhash_client_locked(old);
+- nfsd4_change_callback(conf, &unconf->cl_cb_conn);
+- } else { /* case 3: normal case; new or rebooted client */
++ if (get_client_locked(conf) == nfs_ok) {
++ old = unconf;
++ unhash_client_locked(old);
++ nfsd4_change_callback(conf, &unconf->cl_cb_conn);
++ } else {
++ conf = NULL;
++ }
++ }
++
++ if (!conf) { /* case 3: normal case; new or rebooted client */
+ old = find_confirmed_client_by_name(&unconf->cl_name, nn);
+ if (old) {
+ status = nfserr_clid_inuse;
+@@ -3975,10 +3981,14 @@ nfsd4_setclientid_confirm(struct svc_rqs
+ goto out;
+ }
+ }
++ status = get_client_locked(unconf);
++ if (status != nfs_ok) {
++ old = NULL;
++ goto out;
++ }
+ move_to_confirmed(unconf);
+ conf = unconf;
+ }
+- get_client_locked(conf);
+ spin_unlock(&nn->client_lock);
+ nfsd4_probe_callback(conf);
+ spin_lock(&nn->client_lock);
--- /dev/null
+From stable+bounces-169874-greg=kroah.com@vger.kernel.org Sun Aug 17 04:28:27 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 16 Aug 2025 22:28:10 -0400
+Subject: NFSv4: Fix nfs4_bitmap_copy_adjust()
+To: stable@vger.kernel.org
+Cc: Trond Myklebust <trond.myklebust@hammerspace.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250817022812.1338100-1-sashal@kernel.org>
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit a71029b86752e8d40301af235a6bbf4896cc1402 ]
+
+Don't remove flags from the set retrieved from the cache_validity.
+We do want to retrieve all attributes that are listed as being
+invalid, whether or not there is a delegation set.
+
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Stable-dep-of: b01f21cacde9 ("NFS: Fix the setting of capabilities when automounting a new filesystem")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/nfs4proc.c | 33 ++++++++++++++++-----------------
+ 1 file changed, 16 insertions(+), 17 deletions(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -282,7 +282,7 @@ const u32 nfs4_fs_locations_bitmap[3] =
+ };
+
+ static void nfs4_bitmap_copy_adjust(__u32 *dst, const __u32 *src,
+- struct inode *inode)
++ struct inode *inode, unsigned long flags)
+ {
+ unsigned long cache_validity;
+
+@@ -290,22 +290,19 @@ static void nfs4_bitmap_copy_adjust(__u3
+ if (!inode || !nfs4_have_delegation(inode, FMODE_READ))
+ return;
+
+- cache_validity = READ_ONCE(NFS_I(inode)->cache_validity);
+- if (!(cache_validity & NFS_INO_REVAL_FORCED))
+- cache_validity &= ~(NFS_INO_INVALID_CHANGE
+- | NFS_INO_INVALID_SIZE);
++ cache_validity = READ_ONCE(NFS_I(inode)->cache_validity) | flags;
+
++ /* Remove the attributes over which we have full control */
++ dst[1] &= ~FATTR4_WORD1_RAWDEV;
+ if (!(cache_validity & NFS_INO_INVALID_SIZE))
+ dst[0] &= ~FATTR4_WORD0_SIZE;
+
+ if (!(cache_validity & NFS_INO_INVALID_CHANGE))
+ dst[0] &= ~FATTR4_WORD0_CHANGE;
+-}
+
+-static void nfs4_bitmap_copy_adjust_setattr(__u32 *dst,
+- const __u32 *src, struct inode *inode)
+-{
+- nfs4_bitmap_copy_adjust(dst, src, inode);
++ if (!(cache_validity & NFS_INO_INVALID_OTHER))
++ dst[1] &= ~(FATTR4_WORD1_MODE | FATTR4_WORD1_OWNER |
++ FATTR4_WORD1_OWNER_GROUP);
+ }
+
+ static void nfs4_setup_readdir(u64 cookie, __be32 *verifier, struct dentry *dentry,
+@@ -3333,12 +3330,15 @@ static int nfs4_do_setattr(struct inode
+ .inode = inode,
+ .stateid = &arg.stateid,
+ };
++ unsigned long adjust_flags = NFS_INO_INVALID_CHANGE;
+ int err;
+
++ if (sattr->ia_valid & (ATTR_MODE|ATTR_UID|ATTR_GID))
++ adjust_flags |= NFS_INO_INVALID_OTHER;
++
+ do {
+- nfs4_bitmap_copy_adjust_setattr(bitmask,
+- nfs4_bitmask(server, olabel),
+- inode);
++ nfs4_bitmap_copy_adjust(bitmask, nfs4_bitmask(server, olabel),
++ inode, adjust_flags);
+
+ err = _nfs4_do_setattr(inode, &arg, &res, cred, ctx);
+ switch (err) {
+@@ -4143,8 +4143,7 @@ static int _nfs4_proc_getattr(struct nfs
+ .rpc_resp = &res,
+ };
+
+- nfs4_bitmap_copy_adjust(bitmask, nfs4_bitmask(server, label), inode);
+-
++ nfs4_bitmap_copy_adjust(bitmask, nfs4_bitmask(server, label), inode, 0);
+ nfs_fattr_init(fattr);
+ return nfs4_call_sync(server->client, server, &msg, &args.seq_args, &res.seq_res, 0);
+ }
+@@ -4732,8 +4731,8 @@ static int _nfs4_proc_link(struct inode
+ }
+
+ nfs4_inode_make_writeable(inode);
+- nfs4_bitmap_copy_adjust_setattr(bitmask, nfs4_bitmask(server, res.label), inode);
+-
++ nfs4_bitmap_copy_adjust(bitmask, nfs4_bitmask(server, res.label), inode,
++ NFS_INO_INVALID_CHANGE);
+ status = nfs4_call_sync(server->client, server, &msg, &arg.seq_args, &res.seq_res, 1);
+ if (!status) {
+ update_changeattr(dir, &res.cinfo, res.fattr->time_start, 0);
--- /dev/null
+From stable+bounces-163758-greg=kroah.com@vger.kernel.org Tue Jul 22 15:48:43 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Jul 2025 09:48:27 -0400
+Subject: pmdomain: governor: Consider CPU latency tolerance from pm_domain_cpu_gov
+To: stable@vger.kernel.org
+Cc: Maulik Shah <maulik.shah@oss.qualcomm.com>, Ulf Hansson <ulf.hansson@linaro.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250722134827.947709-1-sashal@kernel.org>
+
+From: Maulik Shah <maulik.shah@oss.qualcomm.com>
+
+[ Upstream commit 500ba33284416255b9a5b50ace24470b6fe77ea5 ]
+
+pm_domain_cpu_gov is selecting a cluster idle state but does not consider
+latency tolerance of child CPUs. This results in deeper cluster idle state
+whose latency does not meet latency tolerance requirement.
+
+Select deeper idle state only if global and device latency tolerance of all
+child CPUs meet.
+
+Test results on SM8750 with 300 usec PM-QoS on CPU0 which is less than
+domain idle state entry (2150) + exit (1983) usec latency mentioned in
+devicetree, demonstrate the issue.
+
+ # echo 300 > /sys/devices/system/cpu/cpu0/power/pm_qos_resume_latency_us
+
+Before: (Usage is incrementing)
+======
+ # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states
+ State Time Spent(ms) Usage Rejected Above Below
+ S0 29817 537 8 270 0
+
+ # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states
+ State Time Spent(ms) Usage Rejected Above Below
+ S0 30348 542 8 271 0
+
+After: (Usage is not incrementing due to latency tolerance)
+======
+ # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states
+ State Time Spent(ms) Usage Rejected Above Below
+ S0 39319 626 14 307 0
+
+ # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states
+ State Time Spent(ms) Usage Rejected Above Below
+ S0 39319 626 14 307 0
+
+Signed-off-by: Maulik Shah <maulik.shah@oss.qualcomm.com>
+Fixes: e94999688e3a ("PM / Domains: Add genpd governor for CPUs")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250709-pmdomain_qos-v2-1-976b12257899@oss.qualcomm.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+[ replaced cpu_latency_qos_limit() with pm_qos_request(PM_QOS_CPU_DMA_LATENCY) ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/power/domain_governor.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+--- a/drivers/base/power/domain_governor.c
++++ b/drivers/base/power/domain_governor.c
+@@ -8,6 +8,7 @@
+ #include <linux/pm_domain.h>
+ #include <linux/pm_qos.h>
+ #include <linux/hrtimer.h>
++#include <linux/cpu.h>
+ #include <linux/cpuidle.h>
+ #include <linux/cpumask.h>
+ #include <linux/ktime.h>
+@@ -254,6 +255,8 @@ static bool cpu_power_down_ok(struct dev
+ struct generic_pm_domain *genpd = pd_to_genpd(pd);
+ struct cpuidle_device *dev;
+ ktime_t domain_wakeup, next_hrtimer;
++ struct device *cpu_dev;
++ s64 cpu_constraint, global_constraint;
+ s64 idle_duration_ns;
+ int cpu, i;
+
+@@ -264,6 +267,7 @@ static bool cpu_power_down_ok(struct dev
+ if (!(genpd->flags & GENPD_FLAG_CPU_DOMAIN))
+ return true;
+
++ global_constraint = pm_qos_request(PM_QOS_CPU_DMA_LATENCY);
+ /*
+ * Find the next wakeup for any of the online CPUs within the PM domain
+ * and its subdomains. Note, we only need the genpd->cpus, as it already
+@@ -277,8 +281,16 @@ static bool cpu_power_down_ok(struct dev
+ if (ktime_before(next_hrtimer, domain_wakeup))
+ domain_wakeup = next_hrtimer;
+ }
++
++ cpu_dev = get_cpu_device(cpu);
++ if (cpu_dev) {
++ cpu_constraint = dev_pm_qos_raw_resume_latency(cpu_dev);
++ if (cpu_constraint < global_constraint)
++ global_constraint = cpu_constraint;
++ }
+ }
+
++ global_constraint *= NSEC_PER_USEC;
+ /* The minimum idle duration is from now - until the next wakeup. */
+ idle_duration_ns = ktime_to_ns(ktime_sub(domain_wakeup, ktime_get()));
+ if (idle_duration_ns <= 0)
+@@ -291,8 +303,10 @@ static bool cpu_power_down_ok(struct dev
+ */
+ i = genpd->state_idx;
+ do {
+- if (idle_duration_ns >= (genpd->states[i].residency_ns +
+- genpd->states[i].power_off_latency_ns)) {
++ if ((idle_duration_ns >= (genpd->states[i].residency_ns +
++ genpd->states[i].power_off_latency_ns)) &&
++ (global_constraint >= (genpd->states[i].power_on_latency_ns +
++ genpd->states[i].power_off_latency_ns))) {
+ genpd->state_idx = i;
+ return true;
+ }
--- /dev/null
+From stable+bounces-172501-greg=kroah.com@vger.kernel.org Fri Aug 22 21:05:59 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 15:05:27 -0400
+Subject: pwm: mediatek: Fix duty and period setting
+To: stable@vger.kernel.org
+Cc: "Uwe Kleine-König" <u.kleine-koenig@baylibre.com>, "AngeloGioacchino Del Regno" <angelogioacchino.delregno@collabora.com>, "Uwe Kleine-König" <ukleinek@kernel.org>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250822190527.1408882-3-sashal@kernel.org>
+
+From: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
+
+[ Upstream commit f21d136caf8171f94159d975ea4620c164431bd9 ]
+
+The period generated by the hardware is
+
+ (PWMDWIDTH + 1) << CLKDIV) / freq
+
+according to my tests with a signal analyser and also the documentation.
+
+The current algorithm doesn't consider the `+ 1` part and so configures
+slightly too high periods. The same issue exists for the duty cycle
+setting. So subtract 1 from both the register values for period and
+duty cycle. If period is 0, bail out, if duty_cycle is 0, just disable
+the PWM which results in a constant low output.
+
+Fixes: caf065f8fd58 ("pwm: Add MediaTek PWM support")
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/6d1fa87a76f8020bfe3171529b8e19baffceab10.1753717973.git.u.kleine-koenig@baylibre.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pwm/pwm-mediatek.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+--- a/drivers/pwm/pwm-mediatek.c
++++ b/drivers/pwm/pwm-mediatek.c
+@@ -168,7 +168,10 @@ static int pwm_mediatek_config(struct pw
+ do_div(resolution, clk_rate);
+
+ cnt_period = DIV_ROUND_CLOSEST_ULL((u64)period_ns * 1000, resolution);
+- while (cnt_period > 8191) {
++ if (!cnt_period)
++ return -EINVAL;
++
++ while (cnt_period > 8192) {
+ resolution *= 2;
+ clkdiv++;
+ cnt_period = DIV_ROUND_CLOSEST_ULL((u64)period_ns * 1000,
+@@ -191,9 +194,16 @@ static int pwm_mediatek_config(struct pw
+ }
+
+ cnt_duty = DIV_ROUND_CLOSEST_ULL((u64)duty_ns * 1000, resolution);
++
+ pwm_mediatek_writel(pc, pwm->hwpwm, PWMCON, BIT(15) | clkdiv);
+- pwm_mediatek_writel(pc, pwm->hwpwm, reg_width, cnt_period);
+- pwm_mediatek_writel(pc, pwm->hwpwm, reg_thres, cnt_duty);
++ pwm_mediatek_writel(pc, pwm->hwpwm, reg_width, cnt_period - 1);
++
++ if (cnt_duty) {
++ pwm_mediatek_writel(pc, pwm->hwpwm, reg_thres, cnt_duty - 1);
++ pwm_mediatek_enable(chip, pwm);
++ } else {
++ pwm_mediatek_disable(chip, pwm);
++ }
+
+ out:
+ pwm_mediatek_clk_disable(chip, pwm);
+@@ -222,11 +232,8 @@ static int pwm_mediatek_apply(struct pwm
+ if (err)
+ return err;
+
+- if (!pwm->state.enabled) {
++ if (!pwm->state.enabled)
+ err = pwm_mediatek_clk_enable(chip, pwm);
+- if (!err)
+- pwm_mediatek_enable(chip, pwm);
+- }
+
+ return err;
+ }
--- /dev/null
+From stable+bounces-172500-greg=kroah.com@vger.kernel.org Fri Aug 22 21:05:36 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 15:05:26 -0400
+Subject: pwm: mediatek: Handle hardware enable and clock enable separately
+To: stable@vger.kernel.org
+Cc: "Uwe Kleine-König" <u.kleine-koenig@baylibre.com>, "AngeloGioacchino Del Regno" <angelogioacchino.delregno@collabora.com>, "Uwe Kleine-König" <ukleinek@kernel.org>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250822190527.1408882-2-sashal@kernel.org>
+
+From: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
+
+[ Upstream commit 704d918341c378c5f9505dfdf32d315e256d3846 ]
+
+Stop handling the clocks in pwm_mediatek_enable() and
+pwm_mediatek_disable(). This is a preparing change for the next commit
+that requires that clocks and the enable bit are handled separately.
+
+Also move these two functions a bit further up in the source file to
+make them usable in pwm_mediatek_config(), which is needed in the next
+commit, too.
+
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/55c94fe2917ece152ee1e998f4675642a7716f13.1753717973.git.u.kleine-koenig@baylibre.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
+Stable-dep-of: f21d136caf81 ("pwm: mediatek: Fix duty and period setting")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pwm/pwm-mediatek.c | 60 +++++++++++++++++++++------------------------
+ 1 file changed, 28 insertions(+), 32 deletions(-)
+
+--- a/drivers/pwm/pwm-mediatek.c
++++ b/drivers/pwm/pwm-mediatek.c
+@@ -119,6 +119,26 @@ static inline void pwm_mediatek_writel(s
+ writel(value, chip->regs + pwm_mediatek_reg_offset[num] + offset);
+ }
+
++static void pwm_mediatek_enable(struct pwm_chip *chip, struct pwm_device *pwm)
++{
++ struct pwm_mediatek_chip *pc = to_pwm_mediatek_chip(chip);
++ u32 value;
++
++ value = readl(pc->regs);
++ value |= BIT(pwm->hwpwm);
++ writel(value, pc->regs);
++}
++
++static void pwm_mediatek_disable(struct pwm_chip *chip, struct pwm_device *pwm)
++{
++ struct pwm_mediatek_chip *pc = to_pwm_mediatek_chip(chip);
++ u32 value;
++
++ value = readl(pc->regs);
++ value &= ~BIT(pwm->hwpwm);
++ writel(value, pc->regs);
++}
++
+ static int pwm_mediatek_config(struct pwm_chip *chip, struct pwm_device *pwm,
+ int duty_ns, int period_ns)
+ {
+@@ -181,35 +201,6 @@ out:
+ return ret;
+ }
+
+-static int pwm_mediatek_enable(struct pwm_chip *chip, struct pwm_device *pwm)
+-{
+- struct pwm_mediatek_chip *pc = to_pwm_mediatek_chip(chip);
+- u32 value;
+- int ret;
+-
+- ret = pwm_mediatek_clk_enable(chip, pwm);
+- if (ret < 0)
+- return ret;
+-
+- value = readl(pc->regs);
+- value |= BIT(pwm->hwpwm);
+- writel(value, pc->regs);
+-
+- return 0;
+-}
+-
+-static void pwm_mediatek_disable(struct pwm_chip *chip, struct pwm_device *pwm)
+-{
+- struct pwm_mediatek_chip *pc = to_pwm_mediatek_chip(chip);
+- u32 value;
+-
+- value = readl(pc->regs);
+- value &= ~BIT(pwm->hwpwm);
+- writel(value, pc->regs);
+-
+- pwm_mediatek_clk_disable(chip, pwm);
+-}
+-
+ static int pwm_mediatek_apply(struct pwm_chip *chip, struct pwm_device *pwm,
+ const struct pwm_state *state)
+ {
+@@ -219,8 +210,10 @@ static int pwm_mediatek_apply(struct pwm
+ return -EINVAL;
+
+ if (!state->enabled) {
+- if (pwm->state.enabled)
++ if (pwm->state.enabled) {
+ pwm_mediatek_disable(chip, pwm);
++ pwm_mediatek_clk_disable(chip, pwm);
++ }
+
+ return 0;
+ }
+@@ -229,8 +222,11 @@ static int pwm_mediatek_apply(struct pwm
+ if (err)
+ return err;
+
+- if (!pwm->state.enabled)
+- err = pwm_mediatek_enable(chip, pwm);
++ if (!pwm->state.enabled) {
++ err = pwm_mediatek_clk_enable(chip, pwm);
++ if (!err)
++ pwm_mediatek_enable(chip, pwm);
++ }
+
+ return err;
+ }
--- /dev/null
+From stable+bounces-172499-greg=kroah.com@vger.kernel.org Fri Aug 22 21:06:18 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 15:05:25 -0400
+Subject: pwm: mediatek: Implement .apply() callback
+To: stable@vger.kernel.org
+Cc: "Uwe Kleine-König" <u.kleine-koenig@pengutronix.de>, "AngeloGioacchino Del Regno" <angelogioacchino.delregno@collabora.com>, "Thierry Reding" <thierry.reding@gmail.com>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250822190527.1408882-1-sashal@kernel.org>
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit 758de66f4bd2cac2b1d71db917c65c3d611d4e74 ]
+
+To eventually get rid of all legacy drivers convert this driver to the
+modern world implementing .apply().
+This just pushed a variant of pwm_apply_legacy() into the driver that was
+slightly simplified because the driver doesn't provide a .set_polarity()
+callback.
+
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Stable-dep-of: f21d136caf81 ("pwm: mediatek: Fix duty and period setting")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pwm/pwm-mediatek.c | 29 ++++++++++++++++++++++++++---
+ 1 file changed, 26 insertions(+), 3 deletions(-)
+
+--- a/drivers/pwm/pwm-mediatek.c
++++ b/drivers/pwm/pwm-mediatek.c
+@@ -210,10 +210,33 @@ static void pwm_mediatek_disable(struct
+ pwm_mediatek_clk_disable(chip, pwm);
+ }
+
++static int pwm_mediatek_apply(struct pwm_chip *chip, struct pwm_device *pwm,
++ const struct pwm_state *state)
++{
++ int err;
++
++ if (state->polarity != PWM_POLARITY_NORMAL)
++ return -EINVAL;
++
++ if (!state->enabled) {
++ if (pwm->state.enabled)
++ pwm_mediatek_disable(chip, pwm);
++
++ return 0;
++ }
++
++ err = pwm_mediatek_config(pwm->chip, pwm, state->duty_cycle, state->period);
++ if (err)
++ return err;
++
++ if (!pwm->state.enabled)
++ err = pwm_mediatek_enable(chip, pwm);
++
++ return err;
++}
++
+ static const struct pwm_ops pwm_mediatek_ops = {
+- .config = pwm_mediatek_config,
+- .enable = pwm_mediatek_enable,
+- .disable = pwm_mediatek_disable,
++ .apply = pwm_mediatek_apply,
+ .owner = THIS_MODULE,
+ };
+
--- /dev/null
+From stable-commits+bounces-96325-greg=kroah.com@vger.kernel.org Thu Aug 21 01:07:02 2025
+From: Meagan Lloyd <meaganlloyd@linux.microsoft.com>
+Date: Wed, 20 Aug 2025 16:06:04 -0700
+Subject: rtc: ds1307: handle oscillator stop flag (OSF) for ds1341
+To: sashal@kernel.org
+Cc: alexandre.belloni@bootlin.com, meaganlloyd@linux.microsoft.com, stable-commits@vger.kernel.org, stable@vger.kernel.org
+Message-ID: <1755731164-17255-1-git-send-email-meaganlloyd@linux.microsoft.com>
+
+From: Meagan Lloyd <meaganlloyd@linux.microsoft.com>
+
+[ Upstream commit 523923cfd5d622b8f4ba893fdaf29fa6adeb8c3e ]
+
+In using CONFIG_RTC_HCTOSYS, rtc_hctosys() will sync the RTC time to the
+kernel time as long as rtc_read_time() succeeds. In some power loss
+situations, our supercapacitor-backed DS1342 RTC comes up with either an
+unpredictable future time or the default 01/01/00 from the datasheet.
+The oscillator stop flag (OSF) is set in these scenarios due to the
+power loss and can be used to determine the validity of the RTC data.
+
+This change expands the oscillator stop flag (OSF) handling that has
+already been implemented for some chips to the ds1341 chip (DS1341 and
+DS1342 share a datasheet). This handling manages the validity of the RTC
+data in .read_time and .set_time based on the OSF.
+
+Signed-off-by: Meagan Lloyd <meaganlloyd@linux.microsoft.com>
+Reviewed-by: Tyler Hicks <code@tyhicks.com>
+Acked-by: Rodolfo Giometti <giometti@enneenne.com>
+Link: https://lore.kernel.org/r/1749665656-30108-3-git-send-email-meaganlloyd@linux.microsoft.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+
+[ Git was trying to insert the code above the ds_1388 case statement block (in
+each respective function) which don't exist in the v5.4.296 rtc-ds1307 driver,
+thus a manual fixup was required. ]
+Signed-off-by: Meagan Lloyd <meaganlloyd@linux.microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+Here's the backport of patch 2/2 of the series for v5.4.
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-ds1307.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/rtc/rtc-ds1307.c
++++ b/drivers/rtc/rtc-ds1307.c
+@@ -252,6 +252,13 @@ static int ds1307_get_time(struct device
+ if (tmp & DS1340_BIT_OSF)
+ return -EINVAL;
+ break;
++ case ds_1341:
++ ret = regmap_read(ds1307->regmap, DS1337_REG_STATUS, &tmp);
++ if (ret)
++ return ret;
++ if (tmp & DS1337_BIT_OSF)
++ return -EINVAL;
++ break;
+ case mcp794xx:
+ if (!(tmp & MCP794XX_BIT_ST))
+ return -EINVAL;
+@@ -343,6 +350,10 @@ static int ds1307_set_time(struct device
+ regmap_update_bits(ds1307->regmap, DS1340_REG_FLAG,
+ DS1340_BIT_OSF, 0);
+ break;
++ case ds_1341:
++ regmap_update_bits(ds1307->regmap, DS1337_REG_STATUS,
++ DS1337_BIT_OSF, 0);
++ break;
+ case mcp794xx:
+ /*
+ * these bits were cleared when preparing the date/time
comedi-fail-comedi_insnlist-ioctl-if-n_insns-is-too-large.patch
acpi-processor-idle-check-acpi_fetch_acpi_dev-return-value.patch
pci-acpi-fix-runtime-pm-ref-imbalance-on-hot-plug-capable-ports.patch
+net-usbnet-avoid-potential-rcu-stall-on-link_change-event.patch
+net-usbnet-fix-the-wrong-netif_carrier_on-call.patch
+ice-fix-a-null-pointer-dereference-in-ice_copy_and_init_pkg.patch
+drm-sched-remove-optimization-that-causes-hang-when-killing-dependent-jobs.patch
+mm-zsmalloc.c-convert-to-use-kmem_cache_zalloc-in-cache_alloc_zspage.patch
+mm-zsmalloc-do-not-pass-__gfp_movable-if-config_compaction-n.patch
+f2fs-fix-to-do-sanity-check-on-ino-and-xnid.patch
+iio-hid-sensor-prox-fix-incorrect-offset-calculation.patch
+x86-mce-amd-add-default-names-for-mca-banks-and-blocks.patch
+usb-hub-avoid-warm-port-reset-during-usb3-disconnect.patch
+usb-hub-don-t-try-to-recover-devices-lost-during-warm-reset.patch
+tracing-add-down_write-trace_event_sem-when-adding-trace-event.patch
+pmdomain-governor-consider-cpu-latency-tolerance-from-pm_domain_cpu_gov.patch
+nfsd-handle-get_client_locked-failure-in-nfsd4_setclientid_confirm.patch
+mm-hmm-move-pmd_to_hmm_pfn_flags-to-the-respective-ifdeffery.patch
+x86-fpu-delay-instruction-pointer-fixup-until-after-warning.patch
+alsa-scarlett2-add-retry-on-eproto-from-scarlett2_usb_tx.patch
+mm-kmemleak-turn-kmemleak_lock-and-object-lock-to-raw_spinlock_t.patch
+mm-kmemleak-avoid-deadlock-by-moving-pr_warn-outside-kmemleak_lock.patch
+usb-cdc-acm-do-not-log-successful-probe-on-later-errors.patch
+cdc-acm-fix-race-between-initial-clearing-halt-and-open.patch
+usb-typec-fusb302-cache-pd-rx-state.patch
+nfsv4-fix-nfs4_bitmap_copy_adjust.patch
+nfs-fix-up-handling-of-outstanding-layoutcommit-in-nfs_update_inode.patch
+nfs-fix-the-setting-of-capabilities-when-automounting-a-new-filesystem.patch
+usb-musb-omap2430-convert-to-platform-remove-callback-returning-void.patch
+usb-musb-omap2430-fix-device-leak-at-unbind.patch
+rtc-ds1307-handle-oscillator-stop-flag-osf-for-ds1341.patch
+soc-qcom-mdt_loader-ensure-we-don-t-read-past-the-elf-header.patch
+ata-fix-sata_mobile_lpm_policy-description-in-kconfig.patch
+media-v4l2-ctrls-always-copy-the-controls-on-completion.patch
+media-v4l2-ctrls-don-t-reset-handler-s-error-in-v4l2_ctrl_handler_free.patch
+media-rainshadow-cec-fix-toctou-race-condition-in-rain_interrupt.patch
+pwm-mediatek-implement-.apply-callback.patch
+pwm-mediatek-handle-hardware-enable-and-clock-enable-separately.patch
+pwm-mediatek-fix-duty-and-period-setting.patch
+drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch
+media-venus-vdec-clamp-param-smaller-than-1fps-and-bigger-than-240.patch
+media-qcom-camss-cleanup-media-device-allocated-resource-on-error-path.patch
+media-venus-protect-against-spurious-interrupts-during-probe.patch
+f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch
+media-venus-hfi-explicitly-release-irq-during-teardown.patch
+btrfs-populate-otime-when-logging-an-inode-item.patch
--- /dev/null
+From stable+bounces-172492-greg=kroah.com@vger.kernel.org Fri Aug 22 20:49:48 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 14:49:39 -0400
+Subject: soc: qcom: mdt_loader: Ensure we don't read past the ELF header
+To: stable@vger.kernel.org
+Cc: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>, Doug Anderson <dianders@chromium.org>, Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>, Bjorn Andersson <andersson@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250822184939.1400692-1-sashal@kernel.org>
+
+From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+
+[ Upstream commit 9f9967fed9d066ed3dae9372b45ffa4f6fccfeef ]
+
+When the MDT loader is used in remoteproc, the ELF header is sanitized
+beforehand, but that's not necessary the case for other clients.
+
+Validate the size of the firmware buffer to ensure that we don't read
+past the end as we iterate over the header. e_phentsize and e_shentsize
+are validated as well, to ensure that the assumptions about step size in
+the traversal are valid.
+
+Fixes: 2aad40d911ee ("remoteproc: Move qcom_mdt_loader into drivers/soc/qcom")
+Cc: stable@vger.kernel.org
+Reported-by: Doug Anderson <dianders@chromium.org>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250610-mdt-loader-validation-and-fixes-v2-1-f7073e9ab899@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/qcom/mdt_loader.c | 41 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 41 insertions(+)
+
+--- a/drivers/soc/qcom/mdt_loader.c
++++ b/drivers/soc/qcom/mdt_loader.c
+@@ -12,11 +12,43 @@
+ #include <linux/firmware.h>
+ #include <linux/kernel.h>
+ #include <linux/module.h>
++#include <linux/overflow.h>
+ #include <linux/qcom_scm.h>
+ #include <linux/sizes.h>
+ #include <linux/slab.h>
+ #include <linux/soc/qcom/mdt_loader.h>
+
++static bool mdt_header_valid(const struct firmware *fw)
++{
++ const struct elf32_hdr *ehdr;
++ size_t phend;
++ size_t shend;
++
++ if (fw->size < sizeof(*ehdr))
++ return false;
++
++ ehdr = (struct elf32_hdr *)fw->data;
++
++ if (memcmp(ehdr->e_ident, ELFMAG, SELFMAG))
++ return false;
++
++ if (ehdr->e_phentsize != sizeof(struct elf32_phdr))
++ return false;
++
++ phend = size_add(size_mul(sizeof(struct elf32_phdr), ehdr->e_phnum), ehdr->e_phoff);
++ if (phend > fw->size)
++ return false;
++
++ if (ehdr->e_shentsize != sizeof(struct elf32_shdr))
++ return false;
++
++ shend = size_add(size_mul(sizeof(struct elf32_shdr), ehdr->e_shnum), ehdr->e_shoff);
++ if (shend > fw->size)
++ return false;
++
++ return true;
++}
++
+ static bool mdt_phdr_valid(const struct elf32_phdr *phdr)
+ {
+ if (phdr->p_type != PT_LOAD)
+@@ -46,6 +78,9 @@ ssize_t qcom_mdt_get_size(const struct f
+ phys_addr_t max_addr = 0;
+ int i;
+
++ if (!mdt_header_valid(fw))
++ return -EINVAL;
++
+ ehdr = (struct elf32_hdr *)fw->data;
+ phdrs = (struct elf32_phdr *)(ehdr + 1);
+
+@@ -92,6 +127,9 @@ void *qcom_mdt_read_metadata(const struc
+ size_t ehdr_size;
+ void *data;
+
++ if (!mdt_header_valid(fw))
++ return ERR_PTR(-EINVAL);
++
+ ehdr = (struct elf32_hdr *)fw->data;
+ phdrs = (struct elf32_phdr *)(ehdr + 1);
+
+@@ -151,6 +189,9 @@ static int __qcom_mdt_load(struct device
+ if (!fw || !mem_region || !mem_phys || !mem_size)
+ return -EINVAL;
+
++ if (!mdt_header_valid(fw))
++ return -EINVAL;
++
+ ehdr = (struct elf32_hdr *)fw->data;
+ phdrs = (struct elf32_phdr *)(ehdr + 1);
+
--- /dev/null
+From stable+bounces-164210-greg=kroah.com@vger.kernel.org Tue Jul 22 16:25:44 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Jul 2025 10:13:20 -0400
+Subject: tracing: Add down_write(trace_event_sem) when adding trace event
+To: stable@vger.kernel.org
+Cc: Steven Rostedt <rostedt@goodmis.org>, Mathieu Desnoyers <mathieu.desnoyers@efficios.com>, Masami Hiramatsu <mhiramat@kernel.org>, Fusheng Huang <Fusheng.Huang@luxshare-ict.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250722141320.952515-1-sashal@kernel.org>
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+[ Upstream commit b5e8acc14dcb314a9b61ff19dcd9fdd0d88f70df ]
+
+When a module is loaded, it adds trace events defined by the module. It
+may also need to modify the modules trace printk formats to replace enum
+names with their values.
+
+If two modules are loaded at the same time, the adding of the event to the
+ftrace_events list can corrupt the walking of the list in the code that is
+modifying the printk format strings and crash the kernel.
+
+The addition of the event should take the trace_event_sem for write while
+it adds the new event.
+
+Also add a lockdep_assert_held() on that semaphore in
+__trace_add_event_dirs() as it iterates the list.
+
+Cc: stable@vger.kernel.org
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Link: https://lore.kernel.org/20250718223158.799bfc0c@batman.local.home
+Reported-by: Fusheng Huang(黄富生) <Fusheng.Huang@luxshare-ict.com>
+Closes: https://lore.kernel.org/all/20250717105007.46ccd18f@batman.local.home/
+Fixes: 110bf2b764eb6 ("tracing: add protection around module events unload")
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_events.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/kernel/trace/trace_events.c
++++ b/kernel/trace/trace_events.c
+@@ -2109,7 +2109,10 @@ __register_event(struct trace_event_call
+ if (ret < 0)
+ return ret;
+
++ down_write(&trace_event_sem);
+ list_add(&call->list, &ftrace_events);
++ up_write(&trace_event_sem);
++
+ call->mod = mod;
+
+ return 0;
+@@ -2489,6 +2492,8 @@ __trace_add_event_dirs(struct trace_arra
+ struct trace_event_call *call;
+ int ret;
+
++ lockdep_assert_held(&trace_event_sem);
++
+ list_for_each_entry(call, &ftrace_events, list) {
+ ret = __trace_add_new_event(call, tr);
+ if (ret < 0)
--- /dev/null
+From stable+bounces-171674-greg=kroah.com@vger.kernel.org Tue Aug 19 01:14:05 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Aug 2025 19:13:57 -0400
+Subject: USB: cdc-acm: do not log successful probe on later errors
+To: stable@vger.kernel.org
+Cc: Johan Hovold <johan@kernel.org>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250818231358.138342-1-sashal@kernel.org>
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit 79579411826647fd573dbe301c4d933bc90e4be7 ]
+
+Do not log the successful-probe message until the tty device has been
+registered.
+
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20210322155318.9837-9-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: 64690a90cd7c ("cdc-acm: fix race between initial clearing halt and open")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/class/cdc-acm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1520,8 +1520,6 @@ skip_countries:
+ acm->nb_index = 0;
+ acm->nb_size = 0;
+
+- dev_info(&intf->dev, "ttyACM%d: USB ACM device\n", minor);
+-
+ acm->line.dwDTERate = cpu_to_le32(9600);
+ acm->line.bDataBits = 8;
+ acm_set_line(acm, &acm->line);
+@@ -1541,6 +1539,8 @@ skip_countries:
+ usb_clear_halt(usb_dev, acm->out);
+ }
+
++ dev_info(&intf->dev, "ttyACM%d: USB ACM device\n", minor);
++
+ return 0;
+ alloc_fail6:
+ if (!acm->combined_interfaces) {
--- /dev/null
+From stable+bounces-164314-greg=kroah.com@vger.kernel.org Wed Jul 23 00:58:53 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Jul 2025 18:58:38 -0400
+Subject: usb: hub: avoid warm port reset during USB3 disconnect
+To: stable@vger.kernel.org
+Cc: Mathias Nyman <mathias.nyman@linux.intel.com>, Mark Pearson <markpearson@lenovo.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250722225839.999383-1-sashal@kernel.org>
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+[ Upstream commit f59f93cd1d720809466c7fd5aa16a236156c672b ]
+
+During disconnect USB-3 ports often go via SS.Inactive link error state
+before the missing terminations are noticed, and link finally goes to
+RxDetect state
+
+Avoid immediately warm-resetting ports in SS.Inactive state.
+Let ports settle for a while and re-read the link status a few times 20ms
+apart to see if the ports transitions out of SS.Inactive.
+
+According to USB 3.x spec 7.5.2, a port in SS.Inactive should
+automatically check for missing far-end receiver termination every
+12 ms (SSInactiveQuietTimeout)
+
+The futile multiple warm reset retries of a disconnected device takes
+a lot of time, also the resetting of a removed devices has caused cases
+where the reset bit got stuck for a long time on xHCI roothub.
+This lead to issues in detecting new devices connected to the same port
+shortly after.
+
+Tested-by: Mark Pearson <markpearson@lenovo.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20211210111653.1378381-1-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: 2521106fc732 ("usb: hub: Don't try to recover devices lost during warm reset.")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/core/hub.c | 26 ++++++++++++++++++++------
+ 1 file changed, 20 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -2788,6 +2788,8 @@ static unsigned hub_is_wusb(struct usb_h
+ #define SET_CONFIG_TRIES (2 * (use_both_schemes + 1))
+ #define USE_NEW_SCHEME(i, scheme) ((i) / 2 == (int)(scheme))
+
++#define DETECT_DISCONNECT_TRIES 5
++
+ #define HUB_ROOT_RESET_TIME 60 /* times are in msec */
+ #define HUB_SHORT_RESET_TIME 10
+ #define HUB_BH_RESET_TIME 50
+@@ -5422,6 +5424,7 @@ static void port_event(struct usb_hub *h
+ struct usb_device *udev = port_dev->child;
+ struct usb_device *hdev = hub->hdev;
+ u16 portstatus, portchange;
++ int i = 0;
+
+ connect_change = test_bit(port1, hub->change_bits);
+ clear_bit(port1, hub->event_bits);
+@@ -5498,17 +5501,27 @@ static void port_event(struct usb_hub *h
+ connect_change = 1;
+
+ /*
+- * Warm reset a USB3 protocol port if it's in
+- * SS.Inactive state.
+- */
+- if (hub_port_warm_reset_required(hub, port1, portstatus)) {
+- dev_dbg(&port_dev->dev, "do warm reset\n");
+- if (!udev || !(portstatus & USB_PORT_STAT_CONNECTION)
++ * Avoid trying to recover a USB3 SS.Inactive port with a warm reset if
++ * the device was disconnected. A 12ms disconnect detect timer in
++ * SS.Inactive state transitions the port to RxDetect automatically.
++ * SS.Inactive link error state is common during device disconnect.
++ */
++ while (hub_port_warm_reset_required(hub, port1, portstatus)) {
++ if ((i++ < DETECT_DISCONNECT_TRIES) && udev) {
++ u16 unused;
++
++ msleep(20);
++ hub_port_status(hub, port1, &portstatus, &unused);
++ dev_dbg(&port_dev->dev, "Wait for inactive link disconnect detect\n");
++ continue;
++ } else if (!udev || !(portstatus & USB_PORT_STAT_CONNECTION)
+ || udev->state == USB_STATE_NOTATTACHED) {
++ dev_dbg(&port_dev->dev, "do warm reset, port only\n");
+ if (hub_port_reset(hub, port1, NULL,
+ HUB_BH_RESET_TIME, true) < 0)
+ hub_port_disable(hub, port1, 1);
+ } else {
++ dev_dbg(&port_dev->dev, "do warm reset, full device\n");
+ usb_unlock_port(port_dev);
+ usb_lock_device(udev);
+ usb_reset_device(udev);
+@@ -5516,6 +5529,7 @@ static void port_event(struct usb_hub *h
+ usb_lock_port(port_dev);
+ connect_change = 0;
+ }
++ break;
+ }
+
+ if (connect_change)
--- /dev/null
+From stable+bounces-164315-greg=kroah.com@vger.kernel.org Wed Jul 23 00:58:54 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Jul 2025 18:58:39 -0400
+Subject: usb: hub: Don't try to recover devices lost during warm reset.
+To: stable@vger.kernel.org
+Cc: "Mathias Nyman" <mathias.nyman@linux.intel.com>, "Łukasz Bartosik" <ukaszb@chromium.org>, "Alan Stern" <stern@rowland.harvard.edu>, "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250722225839.999383-2-sashal@kernel.org>
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+[ Upstream commit 2521106fc732b0b75fd3555c689b1ed1d29d273c ]
+
+Hub driver warm-resets ports in SS.Inactive or Compliance mode to
+recover a possible connected device. The port reset code correctly
+detects if a connection is lost during reset, but hub driver
+port_event() fails to take this into account in some cases.
+port_event() ends up using stale values and assumes there is a
+connected device, and will try all means to recover it, including
+power-cycling the port.
+
+Details:
+This case was triggered when xHC host was suspended with DbC (Debug
+Capability) enabled and connected. DbC turns one xHC port into a simple
+usb debug device, allowing debugging a system with an A-to-A USB debug
+cable.
+
+xhci DbC code disables DbC when xHC is system suspended to D3, and
+enables it back during resume.
+We essentially end up with two hosts connected to each other during
+suspend, and, for a short while during resume, until DbC is enabled back.
+The suspended xHC host notices some activity on the roothub port, but
+can't train the link due to being suspended, so xHC hardware sets a CAS
+(Cold Attach Status) flag for this port to inform xhci host driver that
+the port needs to be warm reset once xHC resumes.
+
+CAS is xHCI specific, and not part of USB specification, so xhci driver
+tells usb core that the port has a connection and link is in compliance
+mode. Recovery from complinace mode is similar to CAS recovery.
+
+xhci CAS driver support that fakes a compliance mode connection was added
+in commit 8bea2bd37df0 ("usb: Add support for root hub port status CAS")
+
+Once xHCI resumes and DbC is enabled back, all activity on the xHC
+roothub host side port disappears. The hub driver will anyway think
+port has a connection and link is in compliance mode, and hub driver
+will try to recover it.
+
+The port power-cycle during recovery seems to cause issues to the active
+DbC connection.
+
+Fix this by clearing connect_change flag if hub_port_reset() returns
+-ENOTCONN, thus avoiding the whole unnecessary port recovery and
+initialization attempt.
+
+Cc: stable@vger.kernel.org
+Fixes: 8bea2bd37df0 ("usb: Add support for root hub port status CAS")
+Tested-by: Łukasz Bartosik <ukaszb@chromium.org>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/r/20250623133947.3144608-1-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/core/hub.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -5425,6 +5425,7 @@ static void port_event(struct usb_hub *h
+ struct usb_device *hdev = hub->hdev;
+ u16 portstatus, portchange;
+ int i = 0;
++ int err;
+
+ connect_change = test_bit(port1, hub->change_bits);
+ clear_bit(port1, hub->event_bits);
+@@ -5517,8 +5518,11 @@ static void port_event(struct usb_hub *h
+ } else if (!udev || !(portstatus & USB_PORT_STAT_CONNECTION)
+ || udev->state == USB_STATE_NOTATTACHED) {
+ dev_dbg(&port_dev->dev, "do warm reset, port only\n");
+- if (hub_port_reset(hub, port1, NULL,
+- HUB_BH_RESET_TIME, true) < 0)
++ err = hub_port_reset(hub, port1, NULL,
++ HUB_BH_RESET_TIME, true);
++ if (!udev && err == -ENOTCONN)
++ connect_change = 0;
++ else if (err < 0)
+ hub_port_disable(hub, port1, 1);
+ } else {
+ dev_dbg(&port_dev->dev, "do warm reset, full device\n");
--- /dev/null
+From sashal@kernel.org Thu Aug 21 18:20:28 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Aug 2025 12:20:24 -0400
+Subject: usb: musb: omap2430: Convert to platform remove callback returning void
+To: stable@vger.kernel.org
+Cc: "Uwe Kleine-König" <u.kleine-koenig@pengutronix.de>, "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250821162025.780036-1-sashal@kernel.org>
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit cb020bf52253327fe382e10bcae02a4f1da33c04 ]
+
+The .remove() callback for a platform driver returns an int which makes
+many driver authors wrongly assume it's possible to do error handling by
+returning an error code. However the value returned is (mostly) ignored
+and this typically results in resource leaks. To improve here there is a
+quest to make the remove callback return void. In the first step of this
+quest all drivers are converted to .remove_new() which already returns
+void.
+
+Trivially convert this driver from always returning zero in the remove
+callback to the void returning variant.
+
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Link: https://lore.kernel.org/r/20230405141009.3400693-8-u.kleine-koenig@pengutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: 1473e9e7679b ("usb: musb: omap2430: fix device leak at unbind")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/musb/omap2430.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/musb/omap2430.c
++++ b/drivers/usb/musb/omap2430.c
+@@ -505,14 +505,12 @@ err0:
+ return ret;
+ }
+
+-static int omap2430_remove(struct platform_device *pdev)
++static void omap2430_remove(struct platform_device *pdev)
+ {
+ struct omap2430_glue *glue = platform_get_drvdata(pdev);
+
+ platform_device_unregister(glue->musb);
+ pm_runtime_disable(glue->dev);
+-
+- return 0;
+ }
+
+ #ifdef CONFIG_PM
+@@ -579,7 +577,7 @@ MODULE_DEVICE_TABLE(of, omap2430_id_tabl
+
+ static struct platform_driver omap2430_driver = {
+ .probe = omap2430_probe,
+- .remove = omap2430_remove,
++ .remove_new = omap2430_remove,
+ .driver = {
+ .name = "musb-omap2430",
+ .pm = DEV_PM_OPS,
--- /dev/null
+From sashal@kernel.org Thu Aug 21 18:20:28 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Aug 2025 12:20:25 -0400
+Subject: usb: musb: omap2430: fix device leak at unbind
+To: stable@vger.kernel.org
+Cc: Johan Hovold <johan@kernel.org>, Roger Quadros <rogerq@kernel.org>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250821162025.780036-2-sashal@kernel.org>
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit 1473e9e7679bd4f5a62d1abccae894fb86de280f ]
+
+Make sure to drop the reference to the control device taken by
+of_find_device_by_node() during probe when the driver is unbound.
+
+Fixes: 8934d3e4d0e7 ("usb: musb: omap2430: Don't use omap_get_control_dev()")
+Cc: stable@vger.kernel.org # 3.13
+Cc: Roger Quadros <rogerq@kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20250724091910.21092-5-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[ Removed populate_irqs-related goto changes ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/musb/omap2430.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/musb/omap2430.c
++++ b/drivers/usb/musb/omap2430.c
+@@ -476,13 +476,13 @@ static int omap2430_probe(struct platfor
+ ARRAY_SIZE(musb_resources));
+ if (ret) {
+ dev_err(&pdev->dev, "failed to add resources\n");
+- goto err2;
++ goto err_put_control_otghs;
+ }
+
+ ret = platform_device_add_data(musb, pdata, sizeof(*pdata));
+ if (ret) {
+ dev_err(&pdev->dev, "failed to add platform_data\n");
+- goto err2;
++ goto err_put_control_otghs;
+ }
+
+ pm_runtime_enable(glue->dev);
+@@ -497,7 +497,9 @@ static int omap2430_probe(struct platfor
+
+ err3:
+ pm_runtime_disable(glue->dev);
+-
++err_put_control_otghs:
++ if (!IS_ERR(glue->control_otghs))
++ put_device(glue->control_otghs);
+ err2:
+ platform_device_put(musb);
+
+@@ -511,6 +513,8 @@ static void omap2430_remove(struct platf
+
+ platform_device_unregister(glue->musb);
+ pm_runtime_disable(glue->dev);
++ if (!IS_ERR(glue->control_otghs))
++ put_device(glue->control_otghs);
+ }
+
+ #ifdef CONFIG_PM
--- /dev/null
+From stable+bounces-171672-greg=kroah.com@vger.kernel.org Tue Aug 19 01:08:51 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Aug 2025 19:08:42 -0400
+Subject: usb: typec: fusb302: cache PD RX state
+To: stable@vger.kernel.org
+Cc: Sebastian Reichel <sebastian.reichel@collabora.com>, stable <stable@kernel.org>, Heikki Krogerus <heikki.krogerus@linux.intel.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250818230842.135812-1-sashal@kernel.org>
+
+From: Sebastian Reichel <sebastian.reichel@collabora.com>
+
+[ Upstream commit 1e61f6ab08786d66a11cfc51e13d6f08a6b06c56 ]
+
+This patch fixes a race condition communication error, which ends up in
+PD hard resets when losing the race. Some systems, like the Radxa ROCK
+5B are powered through USB-C without any backup power source and use a
+FUSB302 chip to do the PD negotiation. This means it is quite important
+to avoid hard resets, since that effectively kills the system's
+power-supply.
+
+I've found the following race condition while debugging unplanned power
+loss during booting the board every now and then:
+
+1. lots of TCPM/FUSB302/PD initialization stuff
+2. TCPM ends up in SNK_WAIT_CAPABILITIES (tcpm_set_pd_rx is enabled here)
+3. the remote PD source does not send anything, so TCPM does a SOFT RESET
+4. TCPM ends up in SNK_WAIT_CAPABILITIES for the second time
+ (tcpm_set_pd_rx is enabled again, even though it is still on)
+
+At this point I've seen broken CRC good messages being send by the
+FUSB302 with a logic analyzer sniffing the CC lines. Also it looks like
+messages are being lost and things generally going haywire with one of
+the two sides doing a hard reset once a broken CRC good message was send
+to the bus.
+
+I think the system is running into a race condition, that the FIFOs are
+being cleared and/or the automatic good CRC message generation flag is
+being updated while a message is already arriving.
+
+Let's avoid this by caching the PD RX enabled state, as we have already
+processed anything in the FIFOs and are in a good state. As a side
+effect that this also optimizes I2C bus usage :)
+
+As far as I can tell the problem theoretically also exists when TCPM
+enters SNK_WAIT_CAPABILITIES the first time, but I believe this is less
+critical for the following reason:
+
+On devices like the ROCK 5B, which are powered through a TCPM backed
+USB-C port, the bootloader must have done some prior PD communication
+(initial communication must happen within 5 seconds after plugging the
+USB-C plug). This means the first time the kernel TCPM state machine
+reaches SNK_WAIT_CAPABILITIES, the remote side is not sending messages
+actively. On other devices a hard reset simply adds some extra delay and
+things should be good afterwards.
+
+Fixes: c034a43e72dda ("staging: typec: Fairchild FUSB302 Type-c chip driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20250704-fusb302-race-condition-fix-v1-1-239012c0e27a@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[ replaced str_on_off(on) with ternary operator ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/tcpm/fusb302.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/usb/typec/tcpm/fusb302.c
++++ b/drivers/usb/typec/tcpm/fusb302.c
+@@ -104,6 +104,7 @@ struct fusb302_chip {
+ bool vconn_on;
+ bool vbus_on;
+ bool charge_on;
++ bool pd_rx_on;
+ bool vbus_present;
+ enum typec_cc_polarity cc_polarity;
+ enum typec_cc_status cc1;
+@@ -841,6 +842,11 @@ static int tcpm_set_pd_rx(struct tcpc_de
+ int ret = 0;
+
+ mutex_lock(&chip->lock);
++ if (chip->pd_rx_on == on) {
++ fusb302_log(chip, "pd is already %s", on ? "on" : "off");
++ goto done;
++ }
++
+ ret = fusb302_pd_rx_flush(chip);
+ if (ret < 0) {
+ fusb302_log(chip, "cannot flush pd rx buffer, ret=%d", ret);
+@@ -863,6 +869,8 @@ static int tcpm_set_pd_rx(struct tcpc_de
+ on ? "on" : "off", ret);
+ goto done;
+ }
++
++ chip->pd_rx_on = on;
+ fusb302_log(chip, "pd := %s", on ? "on" : "off");
+ done:
+ mutex_unlock(&chip->lock);
--- /dev/null
+From stable+bounces-169440-greg=kroah.com@vger.kernel.org Wed Aug 13 18:47:21 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Aug 2025 12:42:19 -0400
+Subject: x86/fpu: Delay instruction pointer fixup until after warning
+To: stable@vger.kernel.org
+Cc: Dave Hansen <dave.hansen@linux.intel.com>, Chao Gao <chao.gao@intel.com>, Alison Schofield <alison.schofield@intel.com>, Peter Zijlstra <peterz@infradead.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250813164219.2063341-1-sashal@kernel.org>
+
+From: Dave Hansen <dave.hansen@linux.intel.com>
+
+[ Upstream commit 1cec9ac2d071cfd2da562241aab0ef701355762a ]
+
+Right now, if XRSTOR fails a console message like this is be printed:
+
+ Bad FPU state detected at restore_fpregs_from_fpstate+0x9a/0x170, reinitializing FPU registers.
+
+However, the text location (...+0x9a in this case) is the instruction
+*AFTER* the XRSTOR. The highlighted instruction in the "Code:" dump
+also points one instruction late.
+
+The reason is that the "fixup" moves RIP up to pass the bad XRSTOR and
+keep on running after returning from the #GP handler. But it does this
+fixup before warning.
+
+The resulting warning output is nonsensical because it looks like the
+non-FPU-related instruction is #GP'ing.
+
+Do not fix up RIP until after printing the warning. Do this by using
+the more generic and standard ex_handler_default().
+
+Fixes: d5c8028b4788 ("x86/fpu: Reinitialize FPU registers if restoring FPU state fails")
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Reviewed-by: Chao Gao <chao.gao@intel.com>
+Acked-by: Alison Schofield <alison.schofield@intel.com>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc:stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20250624210148.97126F9E%40davehans-spike.ostc.intel.com
+[ adapted ex_handler_default() call ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/mm/extable.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/mm/extable.c
++++ b/arch/x86/mm/extable.c
+@@ -59,13 +59,12 @@ __visible bool ex_handler_fprestore(cons
+ unsigned long error_code,
+ unsigned long fault_addr)
+ {
+- regs->ip = ex_fixup_addr(fixup);
+-
+ WARN_ONCE(1, "Bad FPU state detected at %pB, reinitializing FPU registers.",
+ (void *)instruction_pointer(regs));
+
+ __copy_kernel_to_fpregs(&init_fpstate, -1);
+- return true;
++
++ return ex_handler_default(fixup, regs, trapnr, error_code, fault_addr);
+ }
+ EXPORT_SYMBOL_GPL(ex_handler_fprestore);
+
--- /dev/null
+From stable+bounces-164366-greg=kroah.com@vger.kernel.org Wed Jul 23 06:25:01 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jul 2025 00:24:51 -0400
+Subject: x86/mce/amd: Add default names for MCA banks and blocks
+To: stable@vger.kernel.org
+Cc: Yazen Ghannam <yazen.ghannam@amd.com>, Borislav Petkov <bp@alien8.de>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250723042451.1048106-1-sashal@kernel.org>
+
+From: Yazen Ghannam <yazen.ghannam@amd.com>
+
+[ Upstream commit d66e1e90b16055d2f0ee76e5384e3f119c3c2773 ]
+
+Ensure that sysfs init doesn't fail for new/unrecognized bank types or if
+a bank has additional blocks available.
+
+Most MCA banks have a single thresholding block, so the block takes the same
+name as the bank.
+
+Unified Memory Controllers (UMCs) are a special case where there are two
+blocks and each has a unique name.
+
+However, the microarchitecture allows for five blocks. Any new MCA bank types
+with more than one block will be missing names for the extra blocks. The MCE
+sysfs will fail to initialize in this case.
+
+Fixes: 87a6d4091bd7 ("x86/mce/AMD: Update sysfs bank names for SMCA systems")
+Signed-off-by: Yazen Ghannam <yazen.ghannam@amd.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/20250624-wip-mca-updates-v4-3-236dd74f645f@amd.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/cpu/mce/amd.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/cpu/mce/amd.c
++++ b/arch/x86/kernel/cpu/mce/amd.c
+@@ -1180,13 +1180,20 @@ static const char *get_name(unsigned int
+ }
+
+ bank_type = smca_get_bank_type(bank);
+- if (bank_type >= N_SMCA_BANK_TYPES)
+- return NULL;
+
+ if (b && bank_type == SMCA_UMC) {
+ if (b->block < ARRAY_SIZE(smca_umc_block_names))
+ return smca_umc_block_names[b->block];
+- return NULL;
++ }
++
++ if (b && b->block) {
++ snprintf(buf_mcatype, MAX_MCATYPE_NAME_LEN, "th_block_%u", b->block);
++ return buf_mcatype;
++ }
++
++ if (bank_type >= N_SMCA_BANK_TYPES) {
++ snprintf(buf_mcatype, MAX_MCATYPE_NAME_LEN, "th_bank_%u", bank);
++ return buf_mcatype;
+ }
+
+ if (smca_banks[bank].hwid->count == 1)
projects / thirdparty / kernel / stable-queue.git / commitdiff
