--- /dev/null
+From bdf4252f736cc1d2a8e3e633c70fe6c728f0756e Mon Sep 17 00:00:00 2001
+From: Emanuele Ghidoli <emanuele.ghidoli@toradex.com>
+Date: Wed, 28 May 2025 13:07:37 +0200
+Subject: arm64: dts: ti: k3-am62-verdin: Enable pull-ups on I2C buses
+
+From: Emanuele Ghidoli <emanuele.ghidoli@toradex.com>
+
+commit bdf4252f736cc1d2a8e3e633c70fe6c728f0756e upstream.
+
+Enable internal bias pull-ups on the SoC-side I2C buses that do not have
+external pull resistors populated on the SoM. This ensures proper
+default line levels.
+
+Cc: stable@vger.kernel.org
+Fixes: 316b80246b16 ("arm64: dts: ti: add verdin am62")
+Signed-off-by: Emanuele Ghidoli <emanuele.ghidoli@toradex.com>
+Reviewed-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Link: https://lore.kernel.org/r/20250528110741.262336-1-ghidoliemanuele@gmail.com
+Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/ti/k3-am62-verdin.dtsi | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/arch/arm64/boot/dts/ti/k3-am62-verdin.dtsi
++++ b/arch/arm64/boot/dts/ti/k3-am62-verdin.dtsi
+@@ -448,16 +448,16 @@
+ /* Verdin I2C_2_DSI */
+ pinctrl_i2c2: main-i2c2-default-pins {
+ pinctrl-single,pins = <
+- AM62X_IOPAD(0x00b0, PIN_INPUT, 1) /* (K22) GPMC0_CSn2.I2C2_SCL */ /* SODIMM 55 */
+- AM62X_IOPAD(0x00b4, PIN_INPUT, 1) /* (K24) GPMC0_CSn3.I2C2_SDA */ /* SODIMM 53 */
++ AM62X_IOPAD(0x00b0, PIN_INPUT_PULLUP, 1) /* (K22) GPMC0_CSn2.I2C2_SCL */ /* SODIMM 55 */
++ AM62X_IOPAD(0x00b4, PIN_INPUT_PULLUP, 1) /* (K24) GPMC0_CSn3.I2C2_SDA */ /* SODIMM 53 */
+ >;
+ };
+
+ /* Verdin I2C_4_CSI */
+ pinctrl_i2c3: main-i2c3-default-pins {
+ pinctrl-single,pins = <
+- AM62X_IOPAD(0x01d0, PIN_INPUT, 2) /* (A15) UART0_CTSn.I2C3_SCL */ /* SODIMM 95 */
+- AM62X_IOPAD(0x01d4, PIN_INPUT, 2) /* (B15) UART0_RTSn.I2C3_SDA */ /* SODIMM 93 */
++ AM62X_IOPAD(0x01d0, PIN_INPUT_PULLUP, 2) /* (A15) UART0_CTSn.I2C3_SCL */ /* SODIMM 95 */
++ AM62X_IOPAD(0x01d4, PIN_INPUT_PULLUP, 2) /* (B15) UART0_RTSn.I2C3_SDA */ /* SODIMM 93 */
+ >;
+ };
+
+@@ -729,8 +729,8 @@
+ /* Verdin I2C_3_HDMI */
+ pinctrl_mcu_i2c0: mcu-i2c0-default-pins {
+ pinctrl-single,pins = <
+- AM62X_MCU_IOPAD(0x0044, PIN_INPUT, 0) /* (A8) MCU_I2C0_SCL */ /* SODIMM 59 */
+- AM62X_MCU_IOPAD(0x0048, PIN_INPUT, 0) /* (D10) MCU_I2C0_SDA */ /* SODIMM 57 */
++ AM62X_MCU_IOPAD(0x0044, PIN_INPUT_PULLUP, 0) /* (A8) MCU_I2C0_SCL */ /* SODIMM 59 */
++ AM62X_MCU_IOPAD(0x0048, PIN_INPUT_PULLUP, 0) /* (D10) MCU_I2C0_SDA */ /* SODIMM 57 */
+ >;
+ };
+
--- /dev/null
+From 8e44ac61abaae56fc6eb537a04ed78b458c5b984 Mon Sep 17 00:00:00 2001
+From: Hong Guan <hguan@ti.com>
+Date: Mon, 7 Jul 2025 11:55:13 -0500
+Subject: arm64: dts: ti: k3-am62a7-sk: fix pinmux for main_uart1
+
+From: Hong Guan <hguan@ti.com>
+
+commit 8e44ac61abaae56fc6eb537a04ed78b458c5b984 upstream.
+
+main_uart1 reserved for TIFS firmware traces is routed to the
+onboard FT4232 via a FET switch which is connected to pin A21 and
+B21 of the SoC and not E17 and C17. Fix it.
+
+Fixes: cf39ff15cc01a ("arm64: dts: ti: k3-am62a7-sk: Describe main_uart1 and wkup_uart")
+Cc: stable@vger.kernel.org
+Signed-off-by: Hong Guan <hguan@ti.com>
+[bb@ti.com: expanded commit message]
+Signed-off-by: Bryan Brattlof <bb@ti.com>
+Link: https://lore.kernel.org/r/20250707-uart-fixes-v1-1-8164147218b0@ti.com
+Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/ti/k3-am62a7-sk.dts | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/boot/dts/ti/k3-am62a7-sk.dts
++++ b/arch/arm64/boot/dts/ti/k3-am62a7-sk.dts
+@@ -144,8 +144,8 @@
+
+ main_uart1_pins_default: main-uart1-default-pins {
+ pinctrl-single,pins = <
+- AM62AX_IOPAD(0x01e8, PIN_INPUT, 1) /* (C17) I2C1_SCL.UART1_RXD */
+- AM62AX_IOPAD(0x01ec, PIN_OUTPUT, 1) /* (E17) I2C1_SDA.UART1_TXD */
++ AM62AX_IOPAD(0x01ac, PIN_INPUT, 2) /* (B21) MCASP0_AFSR.UART1_RXD */
++ AM62AX_IOPAD(0x01b0, PIN_OUTPUT, 2) /* (A21) MCASP0_ACLKR.UART1_TXD */
+ AM62AX_IOPAD(0x0194, PIN_INPUT, 2) /* (C19) MCASP0_AXR3.UART1_CTSn */
+ AM62AX_IOPAD(0x0198, PIN_OUTPUT, 2) /* (B19) MCASP0_AXR2.UART1_RTSn */
+ >;
--- /dev/null
+From 5b272127884bded21576a6ddceca13725a351c63 Mon Sep 17 00:00:00 2001
+From: Alexander Sverdlin <alexander.sverdlin@siemens.com>
+Date: Tue, 1 Jul 2025 12:54:35 +0200
+Subject: arm64: dts: ti: k3-pinctrl: Enable Schmitt Trigger by default
+
+From: Alexander Sverdlin <alexander.sverdlin@siemens.com>
+
+commit 5b272127884bded21576a6ddceca13725a351c63 upstream.
+
+Switch Schmitt Trigger functions for PIN_INPUT* macros by default. This is
+HW PoR configuration, the slew rate requirements without ST enabled are
+pretty tough for these devices. We've noticed spurious GPIO interrupts even
+with noise-free edges but not meeting slew rate requirements (3.3E+6 V/s
+for 3.3v LVCMOS).
+
+It's not obvious why one might want to disable the PoR-enabled ST on any
+pin. Just enable it by default. As it's not possible to provide OR-able
+macros to disable the ST, shall anyone require it, provide a set of
+new macros with _NOST suffix.
+
+Fixes: fe49f2d776f7 ("arm64: dts: ti: Use local header for pinctrl register values")
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
+Link: https://lore.kernel.org/r/20250701105437.3539924-1-alexander.sverdlin@siemens.com
+[vigneshr@ti.com: Add Fixes tag]
+Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/ti/k3-pinctrl.h | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/arch/arm64/boot/dts/ti/k3-pinctrl.h
++++ b/arch/arm64/boot/dts/ti/k3-pinctrl.h
+@@ -8,11 +8,16 @@
+ #ifndef DTS_ARM64_TI_K3_PINCTRL_H
+ #define DTS_ARM64_TI_K3_PINCTRL_H
+
++#define ST_EN_SHIFT (14)
+ #define PULLUDEN_SHIFT (16)
+ #define PULLTYPESEL_SHIFT (17)
+ #define RXACTIVE_SHIFT (18)
+ #define DEBOUNCE_SHIFT (11)
+
++/* Schmitt trigger configuration */
++#define ST_DISABLE (0 << ST_EN_SHIFT)
++#define ST_ENABLE (1 << ST_EN_SHIFT)
++
+ #define PULL_DISABLE (1 << PULLUDEN_SHIFT)
+ #define PULL_ENABLE (0 << PULLUDEN_SHIFT)
+
+@@ -26,9 +31,13 @@
+ #define PIN_OUTPUT (INPUT_DISABLE | PULL_DISABLE)
+ #define PIN_OUTPUT_PULLUP (INPUT_DISABLE | PULL_UP)
+ #define PIN_OUTPUT_PULLDOWN (INPUT_DISABLE | PULL_DOWN)
+-#define PIN_INPUT (INPUT_EN | PULL_DISABLE)
+-#define PIN_INPUT_PULLUP (INPUT_EN | PULL_UP)
+-#define PIN_INPUT_PULLDOWN (INPUT_EN | PULL_DOWN)
++#define PIN_INPUT (INPUT_EN | ST_ENABLE | PULL_DISABLE)
++#define PIN_INPUT_PULLUP (INPUT_EN | ST_ENABLE | PULL_UP)
++#define PIN_INPUT_PULLDOWN (INPUT_EN | ST_ENABLE | PULL_DOWN)
++/* Input configurations with Schmitt Trigger disabled */
++#define PIN_INPUT_NOST (INPUT_EN | PULL_DISABLE)
++#define PIN_INPUT_PULLUP_NOST (INPUT_EN | PULL_UP)
++#define PIN_INPUT_PULLDOWN_NOST (INPUT_EN | PULL_DOWN)
+
+ #define PIN_DEBOUNCE_DISABLE (0 << DEBOUNCE_SHIFT)
+ #define PIN_DEBOUNCE_CONF1 (1 << DEBOUNCE_SHIFT)
--- /dev/null
+From cf3fc037623c54de48d2ec1a1ee686e2d1de2d45 Mon Sep 17 00:00:00 2001
+From: Damien Le Moal <dlemoal@kernel.org>
+Date: Tue, 29 Jul 2025 18:28:07 +0900
+Subject: ata: libata-scsi: Fix ata_to_sense_error() status handling
+
+From: Damien Le Moal <dlemoal@kernel.org>
+
+commit cf3fc037623c54de48d2ec1a1ee686e2d1de2d45 upstream.
+
+Commit 8ae720449fca ("libata: whitespace fixes in ata_to_sense_error()")
+inadvertantly added the entry 0x40 (ATA_DRDY) to the stat_table array in
+the function ata_to_sense_error(). This entry ties a failed qc which has
+a status filed equal to ATA_DRDY to the sense key ILLEGAL REQUEST with
+the additional sense code UNALIGNED WRITE COMMAND. This entry will be
+used to generate a failed qc sense key and sense code when the qc is
+missing sense data and there is no match for the qc error field in the
+sense_table array of ata_to_sense_error().
+
+As a result, for a failed qc for which we failed to get sense data (e.g.
+read log 10h failed if qc is an NCQ command, or REQUEST SENSE EXT
+command failed for the non-ncq case, the user very often end up seeing
+the completely misleading "unaligned write command" error, even if qc
+was not a write command. E.g.:
+
+sd 0:0:0:0: [sda] tag#12 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_OK cmd_age=0s
+sd 0:0:0:0: [sda] tag#12 Sense Key : Illegal Request [current]
+sd 0:0:0:0: [sda] tag#12 Add. Sense: Unaligned write command
+sd 0:0:0:0: [sda] tag#12 CDB: Read(10) 28 00 00 00 10 00 00 00 08 00
+I/O error, dev sda, sector 4096 op 0x0:(READ) flags 0x80700 phys_seg 1 prio class 0
+
+Fix this by removing the ATA_DRDY entry from the stat_table array so
+that we default to always returning ABORTED COMMAND without any
+additional sense code, since we do not know any better. The entry 0x08
+(ATA_DRQ) is also removed since signaling ABORTED COMMAND with a parity
+error is also misleading (as a parity error would likely be signaled
+through a bus error). So for this case, also default to returning
+ABORTED COMMAND without any additional sense code. With this, the
+previous example error case becomes:
+
+sd 0:0:0:0: [sda] tag#17 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_OK cmd_age=0s
+sd 0:0:0:0: [sda] tag#17 Sense Key : Aborted Command [current]
+sd 0:0:0:0: [sda] tag#17 Add. Sense: No additional sense information
+sd 0:0:0:0: [sda] tag#17 CDB: Read(10) 28 00 00 00 10 00 00 00 08 00
+I/O error, dev sda, sector 4096 op 0x0:(READ) flags 0x80700 phys_seg 1 prio class 0
+
+Together with these fixes, refactor stat_table to make it more readable
+by putting the entries comments in front of the entries and using the
+defined status bits macros instead of hardcoded values.
+
+Reported-by: Lorenz Brun <lorenz@brun.one>
+Reported-by: Brandon Schwartz <Brandon.Schwartz@wdc.com>
+Fixes: 8ae720449fca ("libata: whitespace fixes in ata_to_sense_error()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libata-scsi.c | 20 ++++++++------------
+ 1 file changed, 8 insertions(+), 12 deletions(-)
+
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -856,18 +856,14 @@ static void ata_to_sense_error(unsigned
+ {0xFF, 0xFF, 0xFF, 0xFF}, // END mark
+ };
+ static const unsigned char stat_table[][4] = {
+- /* Must be first because BUSY means no other bits valid */
+- {0x80, ABORTED_COMMAND, 0x47, 0x00},
+- // Busy, fake parity for now
+- {0x40, ILLEGAL_REQUEST, 0x21, 0x04},
+- // Device ready, unaligned write command
+- {0x20, HARDWARE_ERROR, 0x44, 0x00},
+- // Device fault, internal target failure
+- {0x08, ABORTED_COMMAND, 0x47, 0x00},
+- // Timed out in xfer, fake parity for now
+- {0x04, RECOVERED_ERROR, 0x11, 0x00},
+- // Recovered ECC error Medium error, recovered
+- {0xFF, 0xFF, 0xFF, 0xFF}, // END mark
++ /* Busy: must be first because BUSY means no other bits valid */
++ { ATA_BUSY, ABORTED_COMMAND, 0x00, 0x00 },
++ /* Device fault: INTERNAL TARGET FAILURE */
++ { ATA_DF, HARDWARE_ERROR, 0x44, 0x00 },
++ /* Corrected data error */
++ { ATA_CORR, RECOVERED_ERROR, 0x00, 0x00 },
++
++ { 0xFF, 0xFF, 0xFF, 0xFF }, /* END mark */
+ };
+
+ /*
--- /dev/null
+From 58768b0563916ddcb73d8ed26ede664915f8df31 Mon Sep 17 00:00:00 2001
+From: Igor Pylypiv <ipylypiv@google.com>
+Date: Wed, 13 Aug 2025 19:22:56 -0700
+Subject: ata: libata-scsi: Fix CDL control
+
+From: Igor Pylypiv <ipylypiv@google.com>
+
+commit 58768b0563916ddcb73d8ed26ede664915f8df31 upstream.
+
+Delete extra checks for the ATA_DFLAG_CDL_ENABLED flag that prevent
+SET FEATURES command from being issued to a drive when NCQ commands
+are active.
+
+ata_mselect_control_ata_feature() sets / clears the ATA_DFLAG_CDL_ENABLED
+flag during the translation of MODE SELECT to SET FEATURES. If SET FEATURES
+gets deferred due to outstanding NCQ commands, the original MODE SELECT
+command will be re-queued. When the re-queued MODE SELECT goes through
+the ata_mselect_control_ata_feature() translation again, SET FEATURES
+will not be issued because ATA_DFLAG_CDL_ENABLED has been already set or
+cleared by the initial translation of MODE SELECT.
+
+The ATA_DFLAG_CDL_ENABLED checks in ata_mselect_control_ata_feature()
+are safe to remove because scsi_cdl_enable() implements a similar logic
+that avoids enabling CDL if it has been enabled already.
+
+Fixes: 17e897a45675 ("ata: libata-scsi: Improve CDL control")
+Cc: stable@vger.kernel.org
+Signed-off-by: Igor Pylypiv <ipylypiv@google.com>
+Reviewed-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libata-scsi.c | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -3782,21 +3782,16 @@ static int ata_mselect_control_ata_featu
+ /* Check cdl_ctrl */
+ switch (buf[0] & 0x03) {
+ case 0:
+- /* Disable CDL if it is enabled */
+- if (!(dev->flags & ATA_DFLAG_CDL_ENABLED))
+- return 0;
++ /* Disable CDL */
+ ata_dev_dbg(dev, "Disabling CDL\n");
+ cdl_action = 0;
+ dev->flags &= ~ATA_DFLAG_CDL_ENABLED;
+ break;
+ case 0x02:
+ /*
+- * Enable CDL if not already enabled. Since this is mutually
+- * exclusive with NCQ priority, allow this only if NCQ priority
+- * is disabled.
++ * Enable CDL. Since CDL is mutually exclusive with NCQ
++ * priority, allow this only if NCQ priority is disabled.
+ */
+- if (dev->flags & ATA_DFLAG_CDL_ENABLED)
+- return 0;
+ if (dev->flags & ATA_DFLAG_NCQ_PRIO_ENABLED) {
+ ata_dev_err(dev,
+ "NCQ priority must be disabled to enable CDL\n");
--- /dev/null
+From 5c4b93f4c8e5c53574c1a48d66a27a2c68b414af Mon Sep 17 00:00:00 2001
+From: Naohiro Aota <naohiro.aota@wdc.com>
+Date: Wed, 16 Jul 2025 16:59:54 +0900
+Subject: btrfs: zoned: fix write time activation failure for metadata block group
+
+From: Naohiro Aota <naohiro.aota@wdc.com>
+
+commit 5c4b93f4c8e5c53574c1a48d66a27a2c68b414af upstream.
+
+Since commit 13bb483d32ab ("btrfs: zoned: activate metadata block group on
+write time"), we activate a metadata block group at the write time. If the
+zone capacity is small enough, we can allocate the entire region before the
+first write. Then, we hit the btrfs_zoned_bg_is_full() in
+btrfs_zone_activate() and the activation fails.
+
+For a data block group, we activate it at the allocation time and we should
+check the fullness condition in the caller side. Add, a WARN to check the
+fullness condition.
+
+For a metadata block group, we don't need the fullness check because we
+activate it at the write time. Instead, activating it once it is written
+should be invalid. Catch that with a WARN too.
+
+Fixes: 13bb483d32ab ("btrfs: zoned: activate metadata block group on write time")
+CC: stable@vger.kernel.org # 6.6+
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/zoned.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/fs/btrfs/zoned.c
++++ b/fs/btrfs/zoned.c
+@@ -1992,10 +1992,15 @@ bool btrfs_zone_activate(struct btrfs_bl
+ goto out_unlock;
+ }
+
+- /* No space left */
+- if (btrfs_zoned_bg_is_full(block_group)) {
+- ret = false;
+- goto out_unlock;
++ if (block_group->flags & BTRFS_BLOCK_GROUP_DATA) {
++ /* The caller should check if the block group is full. */
++ if (WARN_ON_ONCE(btrfs_zoned_bg_is_full(block_group))) {
++ ret = false;
++ goto out_unlock;
++ }
++ } else {
++ /* Since it is already written, it should have been active. */
++ WARN_ON_ONCE(block_group->meta_write_pointer != block_group->start);
+ }
+
+ for (i = 0; i < map->num_stripes; i++) {
--- /dev/null
+From 3d4df408ba9bad2b205c7fb8afc1836a6a4ca88a Mon Sep 17 00:00:00 2001
+From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Date: Fri, 11 Jul 2025 13:27:43 +0100
+Subject: crypto: qat - flush misc workqueue during device shutdown
+
+From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+
+commit 3d4df408ba9bad2b205c7fb8afc1836a6a4ca88a upstream.
+
+Repeated loading and unloading of a device specific QAT driver, for
+example qat_4xxx, in a tight loop can lead to a crash due to a
+use-after-free scenario. This occurs when a power management (PM)
+interrupt triggers just before the device-specific driver (e.g.,
+qat_4xxx.ko) is unloaded, while the core driver (intel_qat.ko) remains
+loaded.
+
+Since the driver uses a shared workqueue (`qat_misc_wq`) across all
+devices and owned by intel_qat.ko, a deferred routine from the
+device-specific driver may still be pending in the queue. If this
+routine executes after the driver is unloaded, it can dereference freed
+memory, resulting in a page fault and kernel crash like the following:
+
+ BUG: unable to handle page fault for address: ffa000002e50a01c
+ #PF: supervisor read access in kernel mode
+ RIP: 0010:pm_bh_handler+0x1d2/0x250 [intel_qat]
+ Call Trace:
+ pm_bh_handler+0x1d2/0x250 [intel_qat]
+ process_one_work+0x171/0x340
+ worker_thread+0x277/0x3a0
+ kthread+0xf0/0x120
+ ret_from_fork+0x2d/0x50
+
+To prevent this, flush the misc workqueue during device shutdown to
+ensure that all pending work items are completed before the driver is
+unloaded.
+
+Note: This approach may slightly increase shutdown latency if the
+workqueue contains jobs from other devices, but it ensures correctness
+and stability.
+
+Fixes: e5745f34113b ("crypto: qat - enable power management for QAT GEN4")
+Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Ahsan Atta <ahsan.atta@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/intel/qat/qat_common/adf_common_drv.h | 1 +
+ drivers/crypto/intel/qat/qat_common/adf_init.c | 1 +
+ drivers/crypto/intel/qat/qat_common/adf_isr.c | 5 +++++
+ 3 files changed, 7 insertions(+)
+
+--- a/drivers/crypto/intel/qat/qat_common/adf_common_drv.h
++++ b/drivers/crypto/intel/qat/qat_common/adf_common_drv.h
+@@ -193,6 +193,7 @@ void adf_exit_misc_wq(void);
+ bool adf_misc_wq_queue_work(struct work_struct *work);
+ bool adf_misc_wq_queue_delayed_work(struct delayed_work *work,
+ unsigned long delay);
++void adf_misc_wq_flush(void);
+ #if defined(CONFIG_PCI_IOV)
+ int adf_sriov_configure(struct pci_dev *pdev, int numvfs);
+ void adf_disable_sriov(struct adf_accel_dev *accel_dev);
+--- a/drivers/crypto/intel/qat/qat_common/adf_init.c
++++ b/drivers/crypto/intel/qat/qat_common/adf_init.c
+@@ -381,6 +381,7 @@ static void adf_dev_shutdown(struct adf_
+ hw_data->exit_admin_comms(accel_dev);
+
+ adf_cleanup_etr_data(accel_dev);
++ adf_misc_wq_flush();
+ adf_dev_restore(accel_dev);
+ }
+
+--- a/drivers/crypto/intel/qat/qat_common/adf_isr.c
++++ b/drivers/crypto/intel/qat/qat_common/adf_isr.c
+@@ -386,3 +386,8 @@ bool adf_misc_wq_queue_delayed_work(stru
+ {
+ return queue_delayed_work(adf_misc_wq, work, delay);
+ }
++
++void adf_misc_wq_flush(void)
++{
++ flush_workqueue(adf_misc_wq);
++}
--- /dev/null
+From 8024774190a5ef2af2c5846f60a50b23e0980a32 Mon Sep 17 00:00:00 2001
+From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Date: Fri, 13 Jun 2025 11:32:27 +0100
+Subject: crypto: qat - lower priority for skcipher and aead algorithms
+
+From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+
+commit 8024774190a5ef2af2c5846f60a50b23e0980a32 upstream.
+
+Most kernel applications utilizing the crypto API operate synchronously
+and on small buffer sizes, therefore do not benefit from QAT acceleration.
+
+Reduce the priority of QAT implementations for both skcipher and aead
+algorithms, allowing more suitable alternatives to be selected by default.
+
+Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Link: https://lore.kernel.org/all/20250613012357.GA3603104@google.com/
+Cc: stable@vger.kernel.org
+Acked-by: Eric Biggers <ebiggers@kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/intel/qat/qat_common/qat_algs.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/crypto/intel/qat/qat_common/qat_algs.c
++++ b/drivers/crypto/intel/qat/qat_common/qat_algs.c
+@@ -1277,7 +1277,7 @@ static struct aead_alg qat_aeads[] = { {
+ .base = {
+ .cra_name = "authenc(hmac(sha1),cbc(aes))",
+ .cra_driver_name = "qat_aes_cbc_hmac_sha1",
+- .cra_priority = 4001,
++ .cra_priority = 100,
+ .cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_ALLOCATES_MEMORY,
+ .cra_blocksize = AES_BLOCK_SIZE,
+ .cra_ctxsize = sizeof(struct qat_alg_aead_ctx),
+@@ -1294,7 +1294,7 @@ static struct aead_alg qat_aeads[] = { {
+ .base = {
+ .cra_name = "authenc(hmac(sha256),cbc(aes))",
+ .cra_driver_name = "qat_aes_cbc_hmac_sha256",
+- .cra_priority = 4001,
++ .cra_priority = 100,
+ .cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_ALLOCATES_MEMORY,
+ .cra_blocksize = AES_BLOCK_SIZE,
+ .cra_ctxsize = sizeof(struct qat_alg_aead_ctx),
+@@ -1311,7 +1311,7 @@ static struct aead_alg qat_aeads[] = { {
+ .base = {
+ .cra_name = "authenc(hmac(sha512),cbc(aes))",
+ .cra_driver_name = "qat_aes_cbc_hmac_sha512",
+- .cra_priority = 4001,
++ .cra_priority = 100,
+ .cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_ALLOCATES_MEMORY,
+ .cra_blocksize = AES_BLOCK_SIZE,
+ .cra_ctxsize = sizeof(struct qat_alg_aead_ctx),
+@@ -1329,7 +1329,7 @@ static struct aead_alg qat_aeads[] = { {
+ static struct skcipher_alg qat_skciphers[] = { {
+ .base.cra_name = "cbc(aes)",
+ .base.cra_driver_name = "qat_aes_cbc",
+- .base.cra_priority = 4001,
++ .base.cra_priority = 100,
+ .base.cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_ALLOCATES_MEMORY,
+ .base.cra_blocksize = AES_BLOCK_SIZE,
+ .base.cra_ctxsize = sizeof(struct qat_alg_skcipher_ctx),
+@@ -1347,7 +1347,7 @@ static struct skcipher_alg qat_skciphers
+ }, {
+ .base.cra_name = "ctr(aes)",
+ .base.cra_driver_name = "qat_aes_ctr",
+- .base.cra_priority = 4001,
++ .base.cra_priority = 100,
+ .base.cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_ALLOCATES_MEMORY,
+ .base.cra_blocksize = 1,
+ .base.cra_ctxsize = sizeof(struct qat_alg_skcipher_ctx),
+@@ -1365,7 +1365,7 @@ static struct skcipher_alg qat_skciphers
+ }, {
+ .base.cra_name = "xts(aes)",
+ .base.cra_driver_name = "qat_aes_xts",
+- .base.cra_priority = 4001,
++ .base.cra_priority = 100,
+ .base.cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_NEED_FALLBACK |
+ CRYPTO_ALG_ALLOCATES_MEMORY,
+ .base.cra_blocksize = AES_BLOCK_SIZE,
--- /dev/null
+From 934da599e694d476f493d3927a30414e98a81561 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Date: Sun, 20 Jul 2025 14:30:04 +0200
+Subject: dt-bindings: display: sprd,sharkl3-dpu: Fix missing clocks constraints
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+commit 934da599e694d476f493d3927a30414e98a81561 upstream.
+
+'minItems' alone does not impose upper bound, unlike 'maxItems' which
+implies lower bound. Add missing clock constraint so the list will have
+exact number of items (clocks).
+
+Fixes: 8cae15c60cf0 ("dt-bindings: display: add Unisoc's dpu bindings")
+Cc: stable@vger.kernel.org
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20250720123003.37662-3-krzysztof.kozlowski@linaro.org
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/display/sprd/sprd,sharkl3-dpu.yaml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Documentation/devicetree/bindings/display/sprd/sprd,sharkl3-dpu.yaml
++++ b/Documentation/devicetree/bindings/display/sprd/sprd,sharkl3-dpu.yaml
+@@ -25,7 +25,7 @@ properties:
+ maxItems: 1
+
+ clocks:
+- minItems: 2
++ maxItems: 2
+
+ clock-names:
+ items:
--- /dev/null
+From 2558df8c13ae3bd6c303b28f240ceb0189519c91 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Date: Sun, 20 Jul 2025 14:30:05 +0200
+Subject: dt-bindings: display: sprd,sharkl3-dsi-host: Fix missing clocks constraints
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+commit 2558df8c13ae3bd6c303b28f240ceb0189519c91 upstream.
+
+'minItems' alone does not impose upper bound, unlike 'maxItems' which
+implies lower bound. Add missing clock constraint so the list will have
+exact number of items (clocks).
+
+Fixes: 2295bbd35edb ("dt-bindings: display: add Unisoc's mipi dsi controller bindings")
+Cc: stable@vger.kernel.org
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20250720123003.37662-4-krzysztof.kozlowski@linaro.org
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/display/sprd/sprd,sharkl3-dsi-host.yaml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Documentation/devicetree/bindings/display/sprd/sprd,sharkl3-dsi-host.yaml
++++ b/Documentation/devicetree/bindings/display/sprd/sprd,sharkl3-dsi-host.yaml
+@@ -20,7 +20,7 @@ properties:
+ maxItems: 2
+
+ clocks:
+- minItems: 1
++ maxItems: 1
+
+ clock-names:
+ items:
--- /dev/null
+From b4cc4a4077268522e3d0d34de4b2dc144e2330fa Mon Sep 17 00:00:00 2001
+From: Andreas Dilger <adilger@dilger.ca>
+Date: Wed, 16 Jul 2025 19:36:42 -0600
+Subject: ext4: check fast symlink for ea_inode correctly
+
+From: Andreas Dilger <adilger@dilger.ca>
+
+commit b4cc4a4077268522e3d0d34de4b2dc144e2330fa upstream.
+
+The check for a fast symlink in the presence of only an
+external xattr inode is incorrect. If a fast symlink does
+not have an xattr block (i_file_acl == 0), but does have
+an external xattr inode that increases inode i_blocks, then
+the check for a fast symlink will incorrectly fail and
+__ext4_iget()->ext4_ind_check_inode() will report the inode
+is corrupt when it "validates" i_data[] on the next read:
+
+ # ln -s foo /mnt/tmp/bar
+ # setfattr -h -n trusted.test \
+ -v "$(yes | head -n 4000)" /mnt/tmp/bar
+ # umount /mnt/tmp
+ # mount /mnt/tmp
+ # ls -l /mnt/tmp
+ ls: cannot access '/mnt/tmp/bar': Structure needs cleaning
+ total 4
+ ? l?????????? ? ? ? ? ? bar
+ # dmesg | tail -1
+ EXT4-fs error (device dm-8): __ext4_iget:5098:
+ inode #24578: block 7303014: comm ls: invalid block
+
+(note that "block 7303014" = 0x6f6f66 = "foo" in LE order).
+
+ext4_inode_is_fast_symlink() should check the superblock
+EXT4_FEATURE_INCOMPAT_EA_INODE feature flag, not the inode
+EXT4_EA_INODE_FL, since the latter is only set on the xattr
+inode itself, and not on the inode that uses this xattr.
+
+Cc: stable@vger.kernel.org
+Fixes: fc82228a5e38 ("ext4: support fast symlinks from ext3 file systems")
+Signed-off-by: Andreas Dilger <adilger@whamcloud.com>
+Reviewed-by: Li Dongyang <dongyangli@ddn.com>
+Reviewed-by: Alex Zhuravlev <bzzz@whamcloud.com>
+Reviewed-by: Oleg Drokin <green@whamcloud.com>
+Reviewed-on: https://review.whamcloud.com/59879
+Lustre-bug-id: https://jira.whamcloud.com/browse/LU-19121
+Link: https://patch.msgid.link/20250717063709.757077-1-adilger@dilger.ca
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -146,7 +146,7 @@ static int ext4_meta_trans_blocks(struct
+ */
+ int ext4_inode_is_fast_symlink(struct inode *inode)
+ {
+- if (!(EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL)) {
++ if (!ext4_has_feature_ea_inode(inode->i_sb)) {
+ int ea_blocks = EXT4_I(inode)->i_file_acl ?
+ EXT4_CLUSTER_SIZE(inode->i_sb) >> 9 : 0;
+
--- /dev/null
+From c5e104a91e7b6fa12c1dc2d8bf84abb7ef9b89ad Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Thu, 7 Aug 2025 09:35:20 -0400
+Subject: ext4: don't try to clear the orphan_present feature block device is r/o
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit c5e104a91e7b6fa12c1dc2d8bf84abb7ef9b89ad upstream.
+
+When the file system is frozen in preparation for taking an LVM
+snapshot, the journal is checkpointed and if the orphan_file feature
+is enabled, and the orphan file is empty, we clear the orphan_present
+feature flag. But if there are pending inodes that need to be removed
+the orphan_present feature flag can't be cleared.
+
+The problem comes if the block device is read-only. In that case, we
+can't process the orphan inode list, so it is skipped in
+ext4_orphan_cleanup(). But then in ext4_mark_recovery_complete(),
+this results in the ext4 error "Orphan file not empty on read-only fs"
+firing and the file system mount is aborted.
+
+Fix this by clearing the needs_recovery flag in the block device is
+read-only. We do this after the call to ext4_load_and_init-journal()
+since there are some error checks need to be done in case the journal
+needs to be replayed and the block device is read-only, or if the
+block device containing the externa journal is read-only, etc.
+
+Cc: stable@kernel.org
+Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108271
+Cc: stable@vger.kernel.org
+Fixes: 02f310fcf47f ("ext4: Speedup ext4 orphan inode handling")
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/super.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -5398,6 +5398,8 @@ static int __ext4_fill_super(struct fs_c
+ err = ext4_load_and_init_journal(sb, es, ctx);
+ if (err)
+ goto failed_mount3a;
++ if (bdev_read_only(sb->s_bdev))
++ needs_recovery = 0;
+ } else if (test_opt(sb, NOLOAD) && !sb_rdonly(sb) &&
+ ext4_has_feature_journal_needs_recovery(sb)) {
+ ext4_msg(sb, KERN_ERR, "required journal recovery "
--- /dev/null
+From bae76c035bf0852844151e68098c9b7cd63ef238 Mon Sep 17 00:00:00 2001
+From: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+Date: Tue, 5 Aug 2025 14:00:30 +0530
+Subject: ext4: fix fsmap end of range reporting with bigalloc
+
+From: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+
+commit bae76c035bf0852844151e68098c9b7cd63ef238 upstream.
+
+With bigalloc enabled, the logic to report last extent has a bug since
+we try to use cluster units instead of block units. This can cause an
+issue where extra incorrect entries might be returned back to the
+user. This was flagged by generic/365 with 64k bs and -O bigalloc.
+
+** Details of issue **
+
+The issue was noticed on 5G 64k blocksize FS with -O bigalloc which has
+only 1 bg.
+
+$ xfs_io -c "fsmap -d" /mnt/scratch
+
+ 0: 253:48 [0..127]: static fs metadata 128 /* sb */
+ 1: 253:48 [128..255]: special 102:1 128 /* gdt */
+ 3: 253:48 [256..383]: special 102:3 128 /* block bitmap */
+ 4: 253:48 [384..2303]: unknown 1920 /* flex bg empty space */
+ 5: 253:48 [2304..2431]: special 102:4 128 /* inode bitmap */
+ 6: 253:48 [2432..4351]: unknown 1920 /* flex bg empty space */
+ 7: 253:48 [4352..6911]: inodes 2560
+ 8: 253:48 [6912..538623]: unknown 531712
+ 9: 253:48 [538624..10485759]: free space 9947136
+
+The issue can be seen with:
+
+$ xfs_io -c "fsmap -d 0 3" /mnt/scratch
+
+ 0: 253:48 [0..127]: static fs metadata 128
+ 1: 253:48 [384..2047]: unknown 1664
+
+Only the first entry was expected to be returned but we get 2. This is
+because:
+
+ext4_getfsmap_datadev()
+ first_cluster, last_cluster = 0
+ ...
+ info->gfi_last = true;
+ ext4_getfsmap_datadev_helper(sb, end_ag, last_cluster + 1, 0, info);
+ fsb = C2B(1) = 16
+ fslen = 0
+ ...
+ /* Merge in any relevant extents from the meta_list */
+ list_for_each_entry_safe(p, tmp, &info->gfi_meta_list, fmr_list) {
+ ...
+ // since fsb = 16, considers all metadata which starts before 16 blockno
+ iter 1: error = ext4_getfsmap_helper(sb, info, p); // p = sb (0,1), nop
+ info->gfi_next_fsblk = 1
+ iter 2: error = ext4_getfsmap_helper(sb, info, p); // p = gdt (1,2), nop
+ info->gfi_next_fsblk = 2
+ iter 3: error = ext4_getfsmap_helper(sb, info, p); // p = blk bitmap (2,3), nop
+ info->gfi_next_fsblk = 3
+ iter 4: error = ext4_getfsmap_helper(sb, info, p); // p = ino bitmap (18,19)
+ if (rec_blk > info->gfi_next_fsblk) { // (18 > 3)
+ // emits an extra entry ** BUG **
+ }
+ }
+
+Fix this by directly calling ext4_getfsmap_datadev() with a dummy
+record that has fmr_physical set to (end_fsb + 1) instead of
+last_cluster + 1. By using the block instead of cluster we get the
+correct behavior.
+
+Replacing ext4_getfsmap_datadev_helper() with ext4_getfsmap_helper()
+is okay since the gfi_lastfree and metadata checks in
+ext4_getfsmap_datadev_helper() are anyways redundant when we only want
+to emit the last allocated block of the range, as we have already
+taken care of emitting metadata and any last free blocks.
+
+Cc: stable@kernel.org
+Reported-by: Disha Goel <disgoel@linux.ibm.com>
+Fixes: 4a622e4d477b ("ext4: fix FS_IOC_GETFSMAP handling")
+Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+Reviewed-by: Darrick J. Wong <djwong@kernel.org>
+Link: https://patch.msgid.link/e7472c8535c9c5ec10f425f495366864ea12c9da.1754377641.git.ojaswin@linux.ibm.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/fsmap.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/fs/ext4/fsmap.c
++++ b/fs/ext4/fsmap.c
+@@ -526,6 +526,7 @@ static int ext4_getfsmap_datadev(struct
+ ext4_group_t end_ag;
+ ext4_grpblk_t first_cluster;
+ ext4_grpblk_t last_cluster;
++ struct ext4_fsmap irec;
+ int error = 0;
+
+ bofs = le32_to_cpu(sbi->s_es->s_first_data_block);
+@@ -609,10 +610,18 @@ static int ext4_getfsmap_datadev(struct
+ goto err;
+ }
+
+- /* Report any gaps at the end of the bg */
++ /*
++ * The dummy record below will cause ext4_getfsmap_helper() to report
++ * any allocated blocks at the end of the range.
++ */
++ irec.fmr_device = 0;
++ irec.fmr_physical = end_fsb + 1;
++ irec.fmr_length = 0;
++ irec.fmr_owner = EXT4_FMR_OWN_FREE;
++ irec.fmr_flags = 0;
++
+ info->gfi_last = true;
+- error = ext4_getfsmap_datadev_helper(sb, end_ag, last_cluster + 1,
+- 0, info);
++ error = ext4_getfsmap_helper(sb, info, &irec);
+ if (error)
+ goto err;
+
--- /dev/null
+From 02c7f7219ac0e2277b3379a3a0e9841ef464b6d4 Mon Sep 17 00:00:00 2001
+From: Zhang Yi <yi.zhang@huawei.com>
+Date: Mon, 11 Aug 2025 14:45:32 +0800
+Subject: ext4: fix hole length calculation overflow in non-extent inodes
+
+From: Zhang Yi <yi.zhang@huawei.com>
+
+commit 02c7f7219ac0e2277b3379a3a0e9841ef464b6d4 upstream.
+
+In a filesystem with a block size larger than 4KB, the hole length
+calculation for a non-extent inode in ext4_ind_map_blocks() can easily
+exceed INT_MAX. Then it could return a zero length hole and trigger the
+following waring and infinite in the iomap infrastructure.
+
+ ------------[ cut here ]------------
+ WARNING: CPU: 3 PID: 434101 at fs/iomap/iter.c:34 iomap_iter_done+0x148/0x190
+ CPU: 3 UID: 0 PID: 434101 Comm: fsstress Not tainted 6.16.0-rc7+ #128 PREEMPT(voluntary)
+ Hardware name: QEMU KVM Virtual Machine, BIOS unknown 2/2/2022
+ pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : iomap_iter_done+0x148/0x190
+ lr : iomap_iter+0x174/0x230
+ sp : ffff8000880af740
+ x29: ffff8000880af740 x28: ffff0000db8e6840 x27: 0000000000000000
+ x26: 0000000000000000 x25: ffff8000880af830 x24: 0000004000000000
+ x23: 0000000000000002 x22: 000001bfdbfa8000 x21: ffffa6a41c002e48
+ x20: 0000000000000001 x19: ffff8000880af808 x18: 0000000000000000
+ x17: 0000000000000000 x16: ffffa6a495ee6cd0 x15: 0000000000000000
+ x14: 00000000000003d4 x13: 00000000fa83b2da x12: 0000b236fc95f18c
+ x11: ffffa6a4978b9c08 x10: 0000000000001da0 x9 : ffffa6a41c1a2a44
+ x8 : ffff8000880af5c8 x7 : 0000000001000000 x6 : 0000000000000000
+ x5 : 0000000000000004 x4 : 000001bfdbfa8000 x3 : 0000000000000000
+ x2 : 0000000000000000 x1 : 0000004004030000 x0 : 0000000000000000
+ Call trace:
+ iomap_iter_done+0x148/0x190 (P)
+ iomap_iter+0x174/0x230
+ iomap_fiemap+0x154/0x1d8
+ ext4_fiemap+0x110/0x140 [ext4]
+ do_vfs_ioctl+0x4b8/0xbc0
+ __arm64_sys_ioctl+0x8c/0x120
+ invoke_syscall+0x6c/0x100
+ el0_svc_common.constprop.0+0x48/0xf0
+ do_el0_svc+0x24/0x38
+ el0_svc+0x38/0x120
+ el0t_64_sync_handler+0x10c/0x138
+ el0t_64_sync+0x198/0x1a0
+ ---[ end trace 0000000000000000 ]---
+
+Cc: stable@kernel.org
+Fixes: facab4d9711e ("ext4: return hole from ext4_map_blocks()")
+Reported-by: Qu Wenruo <wqu@suse.com>
+Closes: https://lore.kernel.org/linux-ext4/9b650a52-9672-4604-a765-bb6be55d1e4a@gmx.com/
+Tested-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
+Link: https://patch.msgid.link/20250811064532.1788289-1-yi.zhang@huaweicloud.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/indirect.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/indirect.c
++++ b/fs/ext4/indirect.c
+@@ -539,7 +539,7 @@ int ext4_ind_map_blocks(handle_t *handle
+ int indirect_blks;
+ int blocks_to_boundary = 0;
+ int depth;
+- int count = 0;
++ u64 count = 0;
+ ext4_fsblk_t first_block = 0;
+
+ trace_ext4_ind_map_blocks_enter(inode, map->m_lblk, map->m_len, flags);
+@@ -588,7 +588,7 @@ int ext4_ind_map_blocks(handle_t *handle
+ count++;
+ /* Fill in size of a hole we found */
+ map->m_pblk = 0;
+- map->m_len = min_t(unsigned int, map->m_len, count);
++ map->m_len = umin(map->m_len, count);
+ goto cleanup;
+ }
+
--- /dev/null
+From 3ffbdd1f1165f1b2d6a94d1b1aabef57120deaf7 Mon Sep 17 00:00:00 2001
+From: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+Date: Tue, 5 Aug 2025 14:00:31 +0530
+Subject: ext4: fix reserved gdt blocks handling in fsmap
+
+From: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+
+commit 3ffbdd1f1165f1b2d6a94d1b1aabef57120deaf7 upstream.
+
+In some cases like small FSes with no meta_bg and where the resize
+doesn't need extra gdt blocks as it can fit in the current one,
+s_reserved_gdt_blocks is set as 0, which causes fsmap to emit a 0
+length entry, which is incorrect.
+
+ $ mkfs.ext4 -b 65536 -O bigalloc /dev/sda 5G
+ $ mount /dev/sda /mnt/scratch
+ $ xfs_io -c "fsmap -d" /mnt/scartch
+
+ 0: 253:48 [0..127]: static fs metadata 128
+ 1: 253:48 [128..255]: special 102:1 128
+ 2: 253:48 [256..255]: special 102:2 0 <---- 0 len entry
+ 3: 253:48 [256..383]: special 102:3 128
+
+Fix this by adding a check for this case.
+
+Cc: stable@kernel.org
+Fixes: 0c9ec4beecac ("ext4: support GETFSMAP ioctls")
+Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+Reviewed-by: Darrick J. Wong <djwong@kernel.org>
+Link: https://patch.msgid.link/08781b796453a5770112aa96ad14c864fbf31935.1754377641.git.ojaswin@linux.ibm.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/fsmap.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/ext4/fsmap.c
++++ b/fs/ext4/fsmap.c
+@@ -393,6 +393,14 @@ static unsigned int ext4_getfsmap_find_s
+ /* Reserved GDT blocks */
+ if (!ext4_has_feature_meta_bg(sb) || metagroup < first_meta_bg) {
+ len = le16_to_cpu(sbi->s_es->s_reserved_gdt_blocks);
++
++ /*
++ * mkfs.ext4 can set s_reserved_gdt_blocks as 0 in some cases,
++ * check for that.
++ */
++ if (!len)
++ return 0;
++
+ error = ext4_getfsmap_fill(meta_list, fsb, len,
+ EXT4_FMR_OWN_RESV_GDT);
+ if (error)
--- /dev/null
+From 76dba1fe277f6befd6ef650e1946f626c547387a Mon Sep 17 00:00:00 2001
+From: Liao Yuanhong <liaoyuanhong@vivo.com>
+Date: Mon, 11 Aug 2025 20:58:16 +0800
+Subject: ext4: use kmalloc_array() for array space allocation
+
+From: Liao Yuanhong <liaoyuanhong@vivo.com>
+
+commit 76dba1fe277f6befd6ef650e1946f626c547387a upstream.
+
+Replace kmalloc(size * sizeof) with kmalloc_array() for safer memory
+allocation and overflow prevention.
+
+Cc: stable@kernel.org
+Signed-off-by: Liao Yuanhong <liaoyuanhong@vivo.com>
+Link: https://patch.msgid.link/20250811125816.570142-1-liaoyuanhong@vivo.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/orphan.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/ext4/orphan.c
++++ b/fs/ext4/orphan.c
+@@ -590,8 +590,9 @@ int ext4_init_orphan_info(struct super_b
+ }
+ oi->of_blocks = inode->i_size >> sb->s_blocksize_bits;
+ oi->of_csum_seed = EXT4_I(inode)->i_csum_seed;
+- oi->of_binfo = kmalloc(oi->of_blocks*sizeof(struct ext4_orphan_block),
+- GFP_KERNEL);
++ oi->of_binfo = kmalloc_array(oi->of_blocks,
++ sizeof(struct ext4_orphan_block),
++ GFP_KERNEL);
+ if (!oi->of_binfo) {
+ ret = -ENOMEM;
+ goto out_put;
--- /dev/null
+From c0d41112f1a5828c194b59cca953114bc3776ef2 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Sun, 17 Aug 2025 09:48:40 +0900
+Subject: ksmbd: extend the connection limiting mechanism to support IPv6
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit c0d41112f1a5828c194b59cca953114bc3776ef2 upstream.
+
+Update the connection tracking logic to handle both IPv4 and IPv6
+address families.
+
+Cc: stable@vger.kernel.org
+Fixes: e6bb91939740 ("ksmbd: limit repeated connections from clients with the same IP")
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/connection.h | 7 ++++++-
+ fs/smb/server/transport_tcp.c | 26 +++++++++++++++++++++++---
+ 2 files changed, 29 insertions(+), 4 deletions(-)
+
+--- a/fs/smb/server/connection.h
++++ b/fs/smb/server/connection.h
+@@ -45,7 +45,12 @@ struct ksmbd_conn {
+ struct mutex srv_mutex;
+ int status;
+ unsigned int cli_cap;
+- __be32 inet_addr;
++ union {
++ __be32 inet_addr;
++#if IS_ENABLED(CONFIG_IPV6)
++ u8 inet6_addr[16];
++#endif
++ };
+ char *request_buf;
+ struct ksmbd_transport *transport;
+ struct nls_table *local_nls;
+--- a/fs/smb/server/transport_tcp.c
++++ b/fs/smb/server/transport_tcp.c
+@@ -87,7 +87,14 @@ static struct tcp_transport *alloc_trans
+ return NULL;
+ }
+
++#if IS_ENABLED(CONFIG_IPV6)
++ if (client_sk->sk->sk_family == AF_INET6)
++ memcpy(&conn->inet6_addr, &client_sk->sk->sk_v6_daddr, 16);
++ else
++ conn->inet_addr = inet_sk(client_sk->sk)->inet_daddr;
++#else
+ conn->inet_addr = inet_sk(client_sk->sk)->inet_daddr;
++#endif
+ conn->transport = KSMBD_TRANS(t);
+ KSMBD_TRANS(t)->conn = conn;
+ KSMBD_TRANS(t)->ops = &ksmbd_tcp_transport_ops;
+@@ -231,7 +238,6 @@ static int ksmbd_kthread_fn(void *p)
+ {
+ struct socket *client_sk = NULL;
+ struct interface *iface = (struct interface *)p;
+- struct inet_sock *csk_inet;
+ struct ksmbd_conn *conn;
+ int ret;
+
+@@ -254,13 +260,27 @@ static int ksmbd_kthread_fn(void *p)
+ /*
+ * Limits repeated connections from clients with the same IP.
+ */
+- csk_inet = inet_sk(client_sk->sk);
+ down_read(&conn_list_lock);
+ list_for_each_entry(conn, &conn_list, conns_list)
+- if (csk_inet->inet_daddr == conn->inet_addr) {
++#if IS_ENABLED(CONFIG_IPV6)
++ if (client_sk->sk->sk_family == AF_INET6) {
++ if (memcmp(&client_sk->sk->sk_v6_daddr,
++ &conn->inet6_addr, 16) == 0) {
++ ret = -EAGAIN;
++ break;
++ }
++ } else if (inet_sk(client_sk->sk)->inet_daddr ==
++ conn->inet_addr) {
+ ret = -EAGAIN;
+ break;
+ }
++#else
++ if (inet_sk(client_sk->sk)->inet_daddr ==
++ conn->inet_addr) {
++ ret = -EAGAIN;
++ break;
++ }
++#endif
+ up_read(&conn_list_lock);
+ if (ret == -EAGAIN)
+ continue;
--- /dev/null
+From 89bb430f621124af39bb31763c4a8b504c9651e2 Mon Sep 17 00:00:00 2001
+From: Ziyan Xu <ziyan@securitygossip.com>
+Date: Sat, 16 Aug 2025 10:20:05 +0900
+Subject: ksmbd: fix refcount leak causing resource not released
+
+From: Ziyan Xu <ziyan@securitygossip.com>
+
+commit 89bb430f621124af39bb31763c4a8b504c9651e2 upstream.
+
+When ksmbd_conn_releasing(opinfo->conn) returns true,the refcount was not
+decremented properly, causing a refcount leak that prevents the count from
+reaching zero and the memory from being released.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Ziyan Xu <ziyan@securitygossip.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/oplock.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/fs/smb/server/oplock.c
++++ b/fs/smb/server/oplock.c
+@@ -1102,8 +1102,10 @@ void smb_send_parent_lease_break_noti(st
+ if (!atomic_inc_not_zero(&opinfo->refcount))
+ continue;
+
+- if (ksmbd_conn_releasing(opinfo->conn))
++ if (ksmbd_conn_releasing(opinfo->conn)) {
++ opinfo_put(opinfo);
+ continue;
++ }
+
+ oplock_break(opinfo, SMB2_OPLOCK_LEVEL_NONE, NULL);
+ opinfo_put(opinfo);
+@@ -1139,8 +1141,11 @@ void smb_lazy_parent_lease_break_close(s
+ if (!atomic_inc_not_zero(&opinfo->refcount))
+ continue;
+
+- if (ksmbd_conn_releasing(opinfo->conn))
++ if (ksmbd_conn_releasing(opinfo->conn)) {
++ opinfo_put(opinfo);
+ continue;
++ }
++
+ oplock_break(opinfo, SMB2_OPLOCK_LEVEL_NONE, NULL);
+ opinfo_put(opinfo);
+ }
+@@ -1343,8 +1348,10 @@ void smb_break_all_levII_oplock(struct k
+ if (!atomic_inc_not_zero(&brk_op->refcount))
+ continue;
+
+- if (ksmbd_conn_releasing(brk_op->conn))
++ if (ksmbd_conn_releasing(brk_op->conn)) {
++ opinfo_put(brk_op);
+ continue;
++ }
+
+ if (brk_op->is_lease && (brk_op->o_lease->state &
+ (~(SMB2_LEASE_READ_CACHING_LE |
--- /dev/null
+From 22375adaa0d9fbba9646c8e2b099c6e87c97bfae Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@kernel.org>
+Date: Thu, 19 Jun 2025 15:55:35 -0700
+Subject: lib/crypto: mips/chacha: Fix clang build and remove unneeded byteswap
+
+From: Eric Biggers <ebiggers@kernel.org>
+
+commit 22375adaa0d9fbba9646c8e2b099c6e87c97bfae upstream.
+
+The MIPS32r2 ChaCha code has never been buildable with the clang
+assembler. First, clang doesn't support the 'rotl' pseudo-instruction:
+
+ error: unknown instruction, did you mean: rol, rotr?
+
+Second, clang requires that both operands of the 'wsbh' instruction be
+explicitly given:
+
+ error: too few operands for instruction
+
+To fix this, align the code with the real instruction set by (1) using
+the real instruction 'rotr' instead of the nonstandard pseudo-
+instruction 'rotl', and (2) explicitly giving both operands to 'wsbh'.
+
+To make removing the use of 'rotl' a bit easier, also remove the
+unnecessary special-casing for big endian CPUs at
+.Lchacha_mips_xor_bytes. The tail handling is actually
+endian-independent since it processes one byte at a time. On big endian
+CPUs the old code byte-swapped SAVED_X, then iterated through it in
+reverse order. But the byteswap and reverse iteration canceled out.
+
+Tested with chacha20poly1305-selftest in QEMU using "-M malta" with both
+little endian and big endian mips32r2 kernels.
+
+Fixes: 49aa7c00eddf ("crypto: mips/chacha - import 32r2 ChaCha code from Zinc")
+Cc: stable@vger.kernel.org
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202505080409.EujEBwA0-lkp@intel.com/
+Link: https://lore.kernel.org/r/20250619225535.679301-1-ebiggers@kernel.org
+Signed-off-by: Eric Biggers <ebiggers@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/crypto/chacha-core.S | 20 +++++++-------------
+ 1 file changed, 7 insertions(+), 13 deletions(-)
+
+--- a/arch/mips/crypto/chacha-core.S
++++ b/arch/mips/crypto/chacha-core.S
+@@ -55,17 +55,13 @@
+ #if __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+ #define MSB 0
+ #define LSB 3
+-#define ROTx rotl
+-#define ROTR(n) rotr n, 24
+ #define CPU_TO_LE32(n) \
+- wsbh n; \
++ wsbh n, n; \
+ rotr n, 16;
+ #else
+ #define MSB 3
+ #define LSB 0
+-#define ROTx rotr
+ #define CPU_TO_LE32(n)
+-#define ROTR(n)
+ #endif
+
+ #define FOR_EACH_WORD(x) \
+@@ -192,10 +188,10 @@ CONCAT3(.Lchacha_mips_xor_aligned_, PLUS
+ xor X(W), X(B); \
+ xor X(Y), X(C); \
+ xor X(Z), X(D); \
+- rotl X(V), S; \
+- rotl X(W), S; \
+- rotl X(Y), S; \
+- rotl X(Z), S;
++ rotr X(V), 32 - S; \
++ rotr X(W), 32 - S; \
++ rotr X(Y), 32 - S; \
++ rotr X(Z), 32 - S;
+
+ .text
+ .set reorder
+@@ -372,21 +368,19 @@ chacha_crypt_arch:
+ /* First byte */
+ lbu T1, 0(IN)
+ addiu $at, BYTES, 1
+- CPU_TO_LE32(SAVED_X)
+- ROTR(SAVED_X)
+ xor T1, SAVED_X
+ sb T1, 0(OUT)
+ beqz $at, .Lchacha_mips_xor_done
+ /* Second byte */
+ lbu T1, 1(IN)
+ addiu $at, BYTES, 2
+- ROTx SAVED_X, 8
++ rotr SAVED_X, 8
+ xor T1, SAVED_X
+ sb T1, 1(OUT)
+ beqz $at, .Lchacha_mips_xor_done
+ /* Third byte */
+ lbu T1, 2(IN)
+- ROTx SAVED_X, 8
++ rotr SAVED_X, 8
+ xor T1, SAVED_X
+ sb T1, 2(OUT)
+ b .Lchacha_mips_xor_done
--- /dev/null
+From e4fc307d8e24f122402907ebf585248cad52841d Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Sat, 2 Aug 2025 21:34:37 +0200
+Subject: Revert "vgacon: Add check for vc_origin address range in vgacon_scroll()"
+
+From: Helge Deller <deller@gmx.de>
+
+commit e4fc307d8e24f122402907ebf585248cad52841d upstream.
+
+This reverts commit 864f9963ec6b4b76d104d595ba28110b87158003.
+
+The patch is wrong as it checks vc_origin against vc_screenbuf,
+while in text mode it should compare against vga_vram_base.
+
+As such it broke VGA text scrolling, which can be reproduced like this:
+(1) boot a kernel that is configured to use text mode VGA-console
+(2) type commands: ls -l /usr/bin | less -S
+(3) scroll up/down with cursor-down/up keys
+
+Reported-by: Jari Ruusu <jariruusu@protonmail.com>
+Cc: stable@vger.kernel.org
+Cc: Yi Yang <yiyang13@huawei.com>
+Cc: GONG Ruiqi <gongruiqi1@huawei.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/console/vgacon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/video/console/vgacon.c
++++ b/drivers/video/console/vgacon.c
+@@ -1139,7 +1139,7 @@ static bool vgacon_scroll(struct vc_data
+ c->vc_screenbuf_size - delta);
+ c->vc_origin = vga_vram_end - c->vc_screenbuf_size;
+ vga_rolled_over = 0;
+- } else if (oldo - delta >= (unsigned long)c->vc_screenbuf)
++ } else
+ c->vc_origin -= delta;
+ c->vc_scr_end = c->vc_origin + c->vc_screenbuf_size;
+ scr_memsetw((u16 *) (c->vc_origin), c->vc_video_erase_char,
--- /dev/null
+From e6327c4acf925bb6d6d387d76fc3bd94471e10d8 Mon Sep 17 00:00:00 2001
+From: Ranjan Kumar <ranjan.kumar@broadcom.com>
+Date: Sat, 28 Jun 2025 01:15:36 +0530
+Subject: scsi: mpi3mr: Fix race between config read submit and interrupt completion
+
+From: Ranjan Kumar <ranjan.kumar@broadcom.com>
+
+commit e6327c4acf925bb6d6d387d76fc3bd94471e10d8 upstream.
+
+The "is_waiting" flag was updated after calling complete(), which could
+lead to a race where the waiting thread wakes up before the flag is
+cleared. This may cause a missed wakeup or stale state check.
+
+Reorder the operations to update "is_waiting" before signaling completion
+to ensure consistent state.
+
+Fixes: 824a156633df ("scsi: mpi3mr: Base driver code")
+Cc: stable@vger.kernel.org
+Co-developed-by: Chandrakanth Patil <chandrakanth.patil@broadcom.com>
+Signed-off-by: Chandrakanth Patil <chandrakanth.patil@broadcom.com>
+Signed-off-by: Ranjan Kumar <ranjan.kumar@broadcom.com>
+Link: https://lore.kernel.org/r/20250627194539.48851-2-ranjan.kumar@broadcom.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/mpi3mr/mpi3mr_fw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/mpi3mr/mpi3mr_fw.c
++++ b/drivers/scsi/mpi3mr/mpi3mr_fw.c
+@@ -411,8 +411,8 @@ static void mpi3mr_process_admin_reply_d
+ MPI3MR_SENSE_BUF_SZ);
+ }
+ if (cmdptr->is_waiting) {
+- complete(&cmdptr->done);
+ cmdptr->is_waiting = 0;
++ complete(&cmdptr->done);
+ } else if (cmdptr->callback)
+ cmdptr->callback(mrioc, cmdptr);
+ }
--- /dev/null
+From 6de7435e6b81fe52c0ab4c7e181f6b5decd18eb1 Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Wed, 23 Jul 2025 19:58:50 +0300
+Subject: scsi: ufs: ufs-pci: Fix default runtime and system PM levels
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit 6de7435e6b81fe52c0ab4c7e181f6b5decd18eb1 upstream.
+
+Intel MTL-like host controllers support auto-hibernate. Using
+auto-hibernate with manual (driver initiated) hibernate produces more
+complex operation. For example, the host controller will have to exit
+auto-hibernate simply to allow the driver to enter hibernate state
+manually. That is not recommended.
+
+The default rpm_lvl and spm_lvl is 3, which includes manual hibernate.
+
+Change the default values to 2, which does not.
+
+Note, to be simpler to backport to stable kernels, utilize the UFS PCI
+driver's ->late_init() call back. Recent commits have made it possible
+to set up a controller-specific default in the regular ->init() call
+back, but not all stable kernels have those changes.
+
+Fixes: 4049f7acef3e ("scsi: ufs: ufs-pci: Add support for Intel MTL")
+Cc: stable@vger.kernel.org
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Link: https://lore.kernel.org/r/20250723165856.145750-3-adrian.hunter@intel.com
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ufs/host/ufshcd-pci.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+--- a/drivers/ufs/host/ufshcd-pci.c
++++ b/drivers/ufs/host/ufshcd-pci.c
+@@ -465,10 +465,23 @@ static int ufs_intel_adl_init(struct ufs
+ return ufs_intel_common_init(hba);
+ }
+
++static void ufs_intel_mtl_late_init(struct ufs_hba *hba)
++{
++ hba->rpm_lvl = UFS_PM_LVL_2;
++ hba->spm_lvl = UFS_PM_LVL_2;
++}
++
+ static int ufs_intel_mtl_init(struct ufs_hba *hba)
+ {
++ struct ufs_host *ufs_host;
++ int err;
++
+ hba->caps |= UFSHCD_CAP_CRYPTO | UFSHCD_CAP_WB_EN;
+- return ufs_intel_common_init(hba);
++ err = ufs_intel_common_init(hba);
++ /* Get variant after it is set in ufs_intel_common_init() */
++ ufs_host = ufshcd_get_variant(hba);
++ ufs_host->late_init = ufs_intel_mtl_late_init;
++ return err;
+ }
+
+ static struct ufs_hba_variant_ops ufs_intel_cnl_hba_vops = {
--- /dev/null
+From 4428ddea832cfdb63e476eb2e5c8feb5d36057fe Mon Sep 17 00:00:00 2001
+From: Archana Patni <archana.patni@intel.com>
+Date: Wed, 23 Jul 2025 19:58:49 +0300
+Subject: scsi: ufs: ufs-pci: Fix hibernate state transition for Intel MTL-like host controllers
+
+From: Archana Patni <archana.patni@intel.com>
+
+commit 4428ddea832cfdb63e476eb2e5c8feb5d36057fe upstream.
+
+UFSHCD core disables the UIC completion interrupt when issuing UIC
+hibernation commands, and re-enables it afterwards if it was enabled to
+start with, refer ufshcd_uic_pwr_ctrl(). For Intel MTL-like host
+controllers, accessing the register to re-enable the interrupt disrupts
+the state transition.
+
+Use hibern8_notify variant operation to disable the interrupt during the
+entire hibernation, thereby preventing the disruption.
+
+Fixes: 4049f7acef3e ("scsi: ufs: ufs-pci: Add support for Intel MTL")
+Cc: stable@vger.kernel.org
+Signed-off-by: Archana Patni <archana.patni@intel.com>
+Link: https://lore.kernel.org/r/20250723165856.145750-2-adrian.hunter@intel.com
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ufs/host/ufshcd-pci.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+--- a/drivers/ufs/host/ufshcd-pci.c
++++ b/drivers/ufs/host/ufshcd-pci.c
+@@ -213,6 +213,32 @@ out:
+ return ret;
+ }
+
++static void ufs_intel_ctrl_uic_compl(struct ufs_hba *hba, bool enable)
++{
++ u32 set = ufshcd_readl(hba, REG_INTERRUPT_ENABLE);
++
++ if (enable)
++ set |= UIC_COMMAND_COMPL;
++ else
++ set &= ~UIC_COMMAND_COMPL;
++ ufshcd_writel(hba, set, REG_INTERRUPT_ENABLE);
++}
++
++static void ufs_intel_mtl_h8_notify(struct ufs_hba *hba,
++ enum uic_cmd_dme cmd,
++ enum ufs_notify_change_status status)
++{
++ /*
++ * Disable UIC COMPL INTR to prevent access to UFSHCI after
++ * checking HCS.UPMCRS
++ */
++ if (status == PRE_CHANGE && cmd == UIC_CMD_DME_HIBER_ENTER)
++ ufs_intel_ctrl_uic_compl(hba, false);
++
++ if (status == POST_CHANGE && cmd == UIC_CMD_DME_HIBER_EXIT)
++ ufs_intel_ctrl_uic_compl(hba, true);
++}
++
+ #define INTEL_ACTIVELTR 0x804
+ #define INTEL_IDLELTR 0x808
+
+@@ -487,6 +513,7 @@ static struct ufs_hba_variant_ops ufs_in
+ .init = ufs_intel_mtl_init,
+ .exit = ufs_intel_common_exit,
+ .hce_enable_notify = ufs_intel_hce_enable_notify,
++ .hibern8_notify = ufs_intel_mtl_h8_notify,
+ .link_startup_notify = ufs_intel_link_startup_notify,
+ .resume = ufs_intel_resume,
+ .device_reset = ufs_intel_device_reset,
bus-mhi-host-detect-events-pointing-to-unexpected-tres.patch
vt-keyboard-don-t-process-unicode-characters-in-k_off-mode.patch
vt-defkeymap-map-keycodes-above-127-to-k_hole.patch
+lib-crypto-mips-chacha-fix-clang-build-and-remove-unneeded-byteswap.patch
+crypto-qat-lower-priority-for-skcipher-and-aead-algorithms.patch
+crypto-qat-flush-misc-workqueue-during-device-shutdown.patch
+revert-vgacon-add-check-for-vc_origin-address-range-in-vgacon_scroll.patch
+ksmbd-fix-refcount-leak-causing-resource-not-released.patch
+ksmbd-extend-the-connection-limiting-mechanism-to-support-ipv6.patch
+tracing-fprobe-event-sanitize-wildcard-for-fprobe-event-name.patch
+ext4-check-fast-symlink-for-ea_inode-correctly.patch
+ext4-fix-fsmap-end-of-range-reporting-with-bigalloc.patch
+ext4-fix-reserved-gdt-blocks-handling-in-fsmap.patch
+ext4-don-t-try-to-clear-the-orphan_present-feature-block-device-is-r-o.patch
+ext4-use-kmalloc_array-for-array-space-allocation.patch
+ext4-fix-hole-length-calculation-overflow-in-non-extent-inodes.patch
+btrfs-zoned-fix-write-time-activation-failure-for-metadata-block-group.patch
+arm64-dts-ti-k3-pinctrl-enable-schmitt-trigger-by-default.patch
+arm64-dts-ti-k3-am62a7-sk-fix-pinmux-for-main_uart1.patch
+arm64-dts-ti-k3-am62-verdin-enable-pull-ups-on-i2c-buses.patch
+dt-bindings-display-sprd-sharkl3-dpu-fix-missing-clocks-constraints.patch
+dt-bindings-display-sprd-sharkl3-dsi-host-fix-missing-clocks-constraints.patch
+scsi-mpi3mr-fix-race-between-config-read-submit-and-interrupt-completion.patch
+ata-libata-scsi-fix-ata_to_sense_error-status-handling.patch
+scsi-ufs-ufs-pci-fix-hibernate-state-transition-for-intel-mtl-like-host-controllers.patch
+scsi-ufs-ufs-pci-fix-default-runtime-and-system-pm-levels.patch
+ata-libata-scsi-fix-cdl-control.patch
--- /dev/null
+From ec879e1a0be8007aa232ffedcf6a6445dfc1a3d7 Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
+Date: Sat, 16 Aug 2025 23:10:51 +0900
+Subject: tracing: fprobe-event: Sanitize wildcard for fprobe event name
+
+From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+
+commit ec879e1a0be8007aa232ffedcf6a6445dfc1a3d7 upstream.
+
+Fprobe event accepts wildcards for the target functions, but unless user
+specifies its event name, it makes an event with the wildcards.
+
+ /sys/kernel/tracing # echo 'f mutex*' >> dynamic_events
+ /sys/kernel/tracing # cat dynamic_events
+ f:fprobes/mutex*__entry mutex*
+ /sys/kernel/tracing # ls events/fprobes/
+ enable filter mutex*__entry
+
+To fix this, replace the wildcard ('*') with an underscore.
+
+Link: https://lore.kernel.org/all/175535345114.282990.12294108192847938710.stgit@devnote2/
+
+Fixes: 334e5519c375 ("tracing/probes: Add fprobe events for tracing function entry and exit.")
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/trace/trace.h
++++ b/kernel/trace/trace.h
+@@ -2053,7 +2053,7 @@ static inline bool is_good_system_name(c
+ static inline void sanitize_event_name(char *name)
+ {
+ while (*name++ != '\0')
+- if (*name == ':' || *name == '.')
++ if (*name == ':' || *name == '.' || *name == '*')
+ *name = '_';
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
