--- /dev/null
+From 44143967918a67334fe92585fce5bfda298588a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Apr 2025 20:25:00 +0530
+Subject: 8250: microchip: pci1xxxx: Add PCIe Hot reset disable support for Rev
+ C0 and later devices
+
+From: Rengarajan S <rengarajan.s@microchip.com>
+
+[ Upstream commit c40b91e38eb8d4489def095d62ab476d45871323 ]
+
+Systems that issue PCIe hot reset requests during a suspend/resume
+cycle cause PCI1XXXX device revisions prior to C0 to get its UART
+configuration registers reset to hardware default values. This results
+in device inaccessibility and data transfer failures. Starting with
+Revision C0, support was added in the device hardware (via the Hot
+Reset Disable Bit) to allow resetting only the PCIe interface and its
+associated logic, but preserving the UART configuration during a hot
+reset. This patch enables the hot reset disable feature during suspend/
+resume for C0 and later revisions of the device.
+
+Signed-off-by: Rengarajan S <rengarajan.s@microchip.com>
+Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
+Link: https://lore.kernel.org/r/20250425145500.29036-1-rengarajan.s@microchip.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/8250/8250_pci1xxxx.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/tty/serial/8250/8250_pci1xxxx.c b/drivers/tty/serial/8250/8250_pci1xxxx.c
+index e9c51d4e447dd..4c149db846925 100644
+--- a/drivers/tty/serial/8250/8250_pci1xxxx.c
++++ b/drivers/tty/serial/8250/8250_pci1xxxx.c
+@@ -115,6 +115,7 @@
+
+ #define UART_RESET_REG 0x94
+ #define UART_RESET_D3_RESET_DISABLE BIT(16)
++#define UART_RESET_HOT_RESET_DISABLE BIT(17)
+
+ #define UART_BURST_STATUS_REG 0x9C
+ #define UART_TX_BURST_FIFO 0xA0
+@@ -620,6 +621,10 @@ static int pci1xxxx_suspend(struct device *dev)
+ }
+
+ data = readl(p + UART_RESET_REG);
++
++ if (priv->dev_rev >= 0xC0)
++ data |= UART_RESET_HOT_RESET_DISABLE;
++
+ writel(data | UART_RESET_D3_RESET_DISABLE, p + UART_RESET_REG);
+
+ if (wakeup)
+@@ -647,7 +652,12 @@ static int pci1xxxx_resume(struct device *dev)
+ }
+
+ data = readl(p + UART_RESET_REG);
++
++ if (priv->dev_rev >= 0xC0)
++ data &= ~UART_RESET_HOT_RESET_DISABLE;
++
+ writel(data & ~UART_RESET_D3_RESET_DISABLE, p + UART_RESET_REG);
++
+ iounmap(p);
+
+ for (i = 0; i < priv->nr; i++) {
+--
+2.39.5
+
--- /dev/null
+From b8bb5bdaa801d6552858902c2b09624a2a5252fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 21:13:55 -0700
+Subject: af_unix: Don't leave consecutive consumed OOB skbs.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 32ca245464e1479bfea8592b9db227fdc1641705 ]
+
+Jann Horn reported a use-after-free in unix_stream_read_generic().
+
+The following sequences reproduce the issue:
+
+ $ python3
+ from socket import *
+ s1, s2 = socketpair(AF_UNIX, SOCK_STREAM)
+ s1.send(b'x', MSG_OOB)
+ s2.recv(1, MSG_OOB) # leave a consumed OOB skb
+ s1.send(b'y', MSG_OOB)
+ s2.recv(1, MSG_OOB) # leave a consumed OOB skb
+ s1.send(b'z', MSG_OOB)
+ s2.recv(1) # recv 'z' illegally
+ s2.recv(1, MSG_OOB) # access 'z' skb (use-after-free)
+
+Even though a user reads OOB data, the skb holding the data stays on
+the recv queue to mark the OOB boundary and break the next recv().
+
+After the last send() in the scenario above, the sk2's recv queue has
+2 leading consumed OOB skbs and 1 real OOB skb.
+
+Then, the following happens during the next recv() without MSG_OOB
+
+ 1. unix_stream_read_generic() peeks the first consumed OOB skb
+ 2. manage_oob() returns the next consumed OOB skb
+ 3. unix_stream_read_generic() fetches the next not-yet-consumed OOB skb
+ 4. unix_stream_read_generic() reads and frees the OOB skb
+
+, and the last recv(MSG_OOB) triggers KASAN splat.
+
+The 3. above occurs because of the SO_PEEK_OFF code, which does not
+expect unix_skb_len(skb) to be 0, but this is true for such consumed
+OOB skbs.
+
+ while (skip >= unix_skb_len(skb)) {
+ skip -= unix_skb_len(skb);
+ skb = skb_peek_next(skb, &sk->sk_receive_queue);
+ ...
+ }
+
+In addition to this use-after-free, there is another issue that
+ioctl(SIOCATMARK) does not function properly with consecutive consumed
+OOB skbs.
+
+So, nothing good comes out of such a situation.
+
+Instead of complicating manage_oob(), ioctl() handling, and the next
+ECONNRESET fix by introducing a loop for consecutive consumed OOB skbs,
+let's not leave such consecutive OOB unnecessarily.
+
+Now, while receiving an OOB skb in unix_stream_recv_urg(), if its
+previous skb is a consumed OOB skb, it is freed.
+
+[0]:
+BUG: KASAN: slab-use-after-free in unix_stream_read_actor (net/unix/af_unix.c:3027)
+Read of size 4 at addr ffff888106ef2904 by task python3/315
+
+CPU: 2 UID: 0 PID: 315 Comm: python3 Not tainted 6.16.0-rc1-00407-gec315832f6f9 #8 PREEMPT(voluntary)
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-4.fc42 04/01/2014
+Call Trace:
+ <TASK>
+ dump_stack_lvl (lib/dump_stack.c:122)
+ print_report (mm/kasan/report.c:409 mm/kasan/report.c:521)
+ kasan_report (mm/kasan/report.c:636)
+ unix_stream_read_actor (net/unix/af_unix.c:3027)
+ unix_stream_read_generic (net/unix/af_unix.c:2708 net/unix/af_unix.c:2847)
+ unix_stream_recvmsg (net/unix/af_unix.c:3048)
+ sock_recvmsg (net/socket.c:1063 (discriminator 20) net/socket.c:1085 (discriminator 20))
+ __sys_recvfrom (net/socket.c:2278)
+ __x64_sys_recvfrom (net/socket.c:2291 (discriminator 1) net/socket.c:2287 (discriminator 1) net/socket.c:2287 (discriminator 1))
+ do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
+ entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+RIP: 0033:0x7f8911fcea06
+Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08
+RSP: 002b:00007fffdb0dccb0 EFLAGS: 00000202 ORIG_RAX: 000000000000002d
+RAX: ffffffffffffffda RBX: 00007fffdb0dcdc8 RCX: 00007f8911fcea06
+RDX: 0000000000000001 RSI: 00007f8911a5e060 RDI: 0000000000000006
+RBP: 00007fffdb0dccd0 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000001 R11: 0000000000000202 R12: 00007f89119a7d20
+R13: ffffffffc4653600 R14: 0000000000000000 R15: 0000000000000000
+ </TASK>
+
+Allocated by task 315:
+ kasan_save_stack (mm/kasan/common.c:48)
+ kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1))
+ __kasan_slab_alloc (mm/kasan/common.c:348)
+ kmem_cache_alloc_node_noprof (./include/linux/kasan.h:250 mm/slub.c:4148 mm/slub.c:4197 mm/slub.c:4249)
+ __alloc_skb (net/core/skbuff.c:660 (discriminator 4))
+ alloc_skb_with_frags (./include/linux/skbuff.h:1336 net/core/skbuff.c:6668)
+ sock_alloc_send_pskb (net/core/sock.c:2993)
+ unix_stream_sendmsg (./include/net/sock.h:1847 net/unix/af_unix.c:2256 net/unix/af_unix.c:2418)
+ __sys_sendto (net/socket.c:712 (discriminator 20) net/socket.c:727 (discriminator 20) net/socket.c:2226 (discriminator 20))
+ __x64_sys_sendto (net/socket.c:2233 (discriminator 1) net/socket.c:2229 (discriminator 1) net/socket.c:2229 (discriminator 1))
+ do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
+ entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+
+Freed by task 315:
+ kasan_save_stack (mm/kasan/common.c:48)
+ kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1))
+ kasan_save_free_info (mm/kasan/generic.c:579 (discriminator 1))
+ __kasan_slab_free (mm/kasan/common.c:271)
+ kmem_cache_free (mm/slub.c:4643 (discriminator 3) mm/slub.c:4745 (discriminator 3))
+ unix_stream_read_generic (net/unix/af_unix.c:3010)
+ unix_stream_recvmsg (net/unix/af_unix.c:3048)
+ sock_recvmsg (net/socket.c:1063 (discriminator 20) net/socket.c:1085 (discriminator 20))
+ __sys_recvfrom (net/socket.c:2278)
+ __x64_sys_recvfrom (net/socket.c:2291 (discriminator 1) net/socket.c:2287 (discriminator 1) net/socket.c:2287 (discriminator 1))
+ do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
+ entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+
+The buggy address belongs to the object at ffff888106ef28c0
+ which belongs to the cache skbuff_head_cache of size 224
+The buggy address is located 68 bytes inside of
+ freed 224-byte region [ffff888106ef28c0, ffff888106ef29a0)
+
+The buggy address belongs to the physical page:
+page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888106ef3cc0 pfn:0x106ef2
+head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
+flags: 0x200000000000040(head|node=0|zone=2)
+page_type: f5(slab)
+raw: 0200000000000040 ffff8881001d28c0 ffffea000422fe00 0000000000000004
+raw: ffff888106ef3cc0 0000000080190010 00000000f5000000 0000000000000000
+head: 0200000000000040 ffff8881001d28c0 ffffea000422fe00 0000000000000004
+head: ffff888106ef3cc0 0000000080190010 00000000f5000000 0000000000000000
+head: 0200000000000001 ffffea00041bbc81 00000000ffffffff 00000000ffffffff
+head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff888106ef2800: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
+ ffff888106ef2880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
+>ffff888106ef2900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff888106ef2980: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff888106ef2a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+
+Fixes: 314001f0bf92 ("af_unix: Add OOB support")
+Reported-by: Jann Horn <jannh@google.com>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Jann Horn <jannh@google.com>
+Link: https://patch.msgid.link/20250619041457.1132791-2-kuni1840@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index f78a2492826f9..af003831f4c67 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -2597,11 +2597,11 @@ struct unix_stream_read_state {
+ #if IS_ENABLED(CONFIG_AF_UNIX_OOB)
+ static int unix_stream_recv_urg(struct unix_stream_read_state *state)
+ {
++ struct sk_buff *oob_skb, *read_skb = NULL;
+ struct socket *sock = state->socket;
+ struct sock *sk = sock->sk;
+ struct unix_sock *u = unix_sk(sk);
+ int chunk = 1;
+- struct sk_buff *oob_skb;
+
+ mutex_lock(&u->iolock);
+ unix_state_lock(sk);
+@@ -2616,9 +2616,16 @@ static int unix_stream_recv_urg(struct unix_stream_read_state *state)
+
+ oob_skb = u->oob_skb;
+
+- if (!(state->flags & MSG_PEEK))
++ if (!(state->flags & MSG_PEEK)) {
+ WRITE_ONCE(u->oob_skb, NULL);
+
++ if (oob_skb->prev != (struct sk_buff *)&sk->sk_receive_queue &&
++ !unix_skb_len(oob_skb->prev)) {
++ read_skb = oob_skb->prev;
++ __skb_unlink(read_skb, &sk->sk_receive_queue);
++ }
++ }
++
+ spin_unlock(&sk->sk_receive_queue.lock);
+ unix_state_unlock(sk);
+
+@@ -2629,6 +2636,8 @@ static int unix_stream_recv_urg(struct unix_stream_read_state *state)
+
+ mutex_unlock(&u->iolock);
+
++ consume_skb(read_skb);
++
+ if (chunk < 0)
+ return -EFAULT;
+
+--
+2.39.5
+
--- /dev/null
+From 8329e9e0ce962ce1ac132c4aca94a36a29f3341b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 May 2025 11:08:13 +0530
+Subject: ALSA: hda: Add new pci id for AMD GPU display HD audio controller
+
+From: Vijendar Mukunda <Vijendar.Mukunda@amd.com>
+
+[ Upstream commit ab72bfce7647522e01a181e3600c3d14ff5c143e ]
+
+Add new pci id for AMD GPU display HD audio controller(device id- 0xab40).
+
+Signed-off-by: Vijendar Mukunda <Vijendar.Mukunda@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Link: https://patch.msgid.link/20250529053838.2350071-1-Vijendar.Mukunda@amd.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/hda_intel.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
+index 77a2984c3741d..eb7ffa152b97b 100644
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -2717,6 +2717,9 @@ static const struct pci_device_id azx_ids[] = {
+ { PCI_VDEVICE(ATI, 0xab38),
+ .driver_data = AZX_DRIVER_ATIHDMI_NS | AZX_DCAPS_PRESET_ATI_HDMI_NS |
+ AZX_DCAPS_PM_RUNTIME },
++ { PCI_VDEVICE(ATI, 0xab40),
++ .driver_data = AZX_DRIVER_ATIHDMI_NS | AZX_DCAPS_PRESET_ATI_HDMI_NS |
++ AZX_DCAPS_PM_RUNTIME },
+ /* GLENFLY */
+ { PCI_DEVICE(PCI_VENDOR_ID_GLENFLY, PCI_ANY_ID),
+ .class = PCI_CLASS_MULTIMEDIA_HD_AUDIO << 8,
+--
+2.39.5
+
--- /dev/null
+From 69dc4a578ccb21e4ef19ec6ca7f51a19621ed7a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 May 2025 16:13:09 +0200
+Subject: ALSA: hda: Ignore unsol events for cards being shut down
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Cezary Rojewski <cezary.rojewski@intel.com>
+
+[ Upstream commit 3f100f524e75586537e337b34d18c8d604b398e7 ]
+
+For the classic snd_hda_intel driver, codec->card and bus->card point to
+the exact same thing. When snd_card_diconnect() fires, bus->shutdown is
+set thanks to azx_dev_disconnect(). card->shutdown is already set when
+that happens but both provide basically the same functionality.
+
+For the DSP snd_soc_avs driver where multiple codecs are located on
+multiple cards, bus->shutdown 'shortcut' is not sufficient. One codec
+card may be unregistered while other codecs are still operational.
+Proper check in form of card->shutdown must be used to verify whether
+the codec's card is being shut down.
+
+Reviewed-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
+Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Link: https://patch.msgid.link/20250530141309.2943404-1-cezary.rojewski@intel.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/hda_bind.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/pci/hda/hda_bind.c b/sound/pci/hda/hda_bind.c
+index 1fef350d821ef..df8f88beddd07 100644
+--- a/sound/pci/hda/hda_bind.c
++++ b/sound/pci/hda/hda_bind.c
+@@ -44,7 +44,7 @@ static void hda_codec_unsol_event(struct hdac_device *dev, unsigned int ev)
+ struct hda_codec *codec = container_of(dev, struct hda_codec, core);
+
+ /* ignore unsol events during shutdown */
+- if (codec->bus->shutdown)
++ if (codec->card->shutdown || codec->bus->shutdown)
+ return;
+
+ /* ignore unsol events during system suspend/resume */
+--
+2.39.5
+
--- /dev/null
+From 2534578b8406c98690ebe36d1eca29a478bd92c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 May 2025 12:26:56 -0500
+Subject: ALSA: usb-audio: Add a quirk for Lenovo Thinkpad Thunderbolt 3 dock
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit 4919353c7789b8047e06a9b2b943f775a8f72883 ]
+
+The audio controller in the Lenovo Thinkpad Thunderbolt 3 dock doesn't
+support reading the sampling rate.
+
+Add a quirk for it.
+
+Suggested-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Link: https://patch.msgid.link/20250527172657.1972565-1-superm1@kernel.org
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/quirks.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
+index dbbc9eb935a4b..f302bcebaa9d0 100644
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -2284,6 +2284,8 @@ static const struct usb_audio_quirk_flags_table quirk_flags_table[] = {
+ QUIRK_FLAG_DISABLE_AUTOSUSPEND),
+ DEVICE_FLG(0x17aa, 0x104d, /* Lenovo ThinkStation P620 Internal Speaker + Front Headset */
+ QUIRK_FLAG_DISABLE_AUTOSUSPEND),
++ DEVICE_FLG(0x17ef, 0x3083, /* Lenovo TBT3 dock */
++ QUIRK_FLAG_GET_SAMPLE_RATE),
+ DEVICE_FLG(0x1852, 0x5062, /* Luxman D-08u */
+ QUIRK_FLAG_ITF_USB_DSD_DAC | QUIRK_FLAG_CTL_MSG_DELAY),
+ DEVICE_FLG(0x1852, 0x5065, /* Luxman DA-06 */
+--
+2.39.5
+
--- /dev/null
+From ccd0b00c69e41ea1d0990d263edb22f63573d950 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 May 2025 18:06:28 +0800
+Subject: amd/amdkfd: fix a kfd_process ref leak
+
+From: Yifan Zhang <yifan1.zhang@amd.com>
+
+[ Upstream commit 90237b16ec1d7afa16e2173cc9a664377214cdd9 ]
+
+This patch is to fix a kfd_prcess ref leak.
+
+Signed-off-by: Yifan Zhang <yifan1.zhang@amd.com>
+Reviewed-by: Philip Yang <Philip.Yang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_events.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_events.c b/drivers/gpu/drm/amd/amdkfd/kfd_events.c
+index fecdb67940750..3a926eb82379b 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_events.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_events.c
+@@ -1331,6 +1331,7 @@ void kfd_signal_poison_consumed_event(struct kfd_node *dev, u32 pasid)
+ user_gpu_id = kfd_process_get_user_gpu_id(p, dev->id);
+ if (unlikely(user_gpu_id == -EINVAL)) {
+ WARN_ONCE(1, "Could not get user_gpu_id from dev->id:%x\n", dev->id);
++ kfd_unref_process(p);
+ return;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 189c66f56f29610cbe27504adf4b2ab4699466e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Mar 2025 19:51:29 +0800
+Subject: ASoC: codec: wcd9335: Convert to GPIO descriptors
+
+From: Peng Fan <peng.fan@nxp.com>
+
+[ Upstream commit d5099bc1b56417733f4cccf10c61ee74dadd5562 ]
+
+of_gpio.h is deprecated, update the driver to use GPIO descriptors.
+- Use dev_gpiod_get to get GPIO descriptor.
+- Use gpiod_set_value to configure output value.
+
+With legacy of_gpio API, the driver set gpio value 0 to assert reset,
+and 1 to deassert reset. And the reset-gpios use GPIO_ACTIVE_LOW flag in
+DTS, so set GPIOD_OUT_LOW when get GPIO descriptors, and set value 1 means
+output low, set value 0 means output high with gpiod API.
+
+The in-tree DTS files have the right polarity set up already so we can
+expect this to "just work"
+
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Link: https://patch.msgid.link/20250324-wcd-gpiod-v2-3-773f67ce3b56@nxp.com
+Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Stable-dep-of: 9079db287fc3 ("ASoC: codecs: wcd9335: Fix missing free of regulator supplies")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/wcd9335.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/sound/soc/codecs/wcd9335.c b/sound/soc/codecs/wcd9335.c
+index 7cef43bb2a880..8ee4360aff929 100644
+--- a/sound/soc/codecs/wcd9335.c
++++ b/sound/soc/codecs/wcd9335.c
+@@ -17,7 +17,7 @@
+ #include <sound/soc.h>
+ #include <sound/pcm_params.h>
+ #include <sound/soc-dapm.h>
+-#include <linux/of_gpio.h>
++#include <linux/gpio/consumer.h>
+ #include <linux/of.h>
+ #include <linux/of_irq.h>
+ #include <sound/tlv.h>
+@@ -331,7 +331,7 @@ struct wcd9335_codec {
+ int comp_enabled[COMPANDER_MAX];
+
+ int intr1;
+- int reset_gpio;
++ struct gpio_desc *reset_gpio;
+ struct regulator_bulk_data supplies[WCD9335_MAX_SUPPLY];
+
+ unsigned int rx_port_value[WCD9335_RX_MAX];
+@@ -4975,12 +4975,11 @@ static const struct regmap_irq_chip wcd9335_regmap_irq1_chip = {
+ static int wcd9335_parse_dt(struct wcd9335_codec *wcd)
+ {
+ struct device *dev = wcd->dev;
+- struct device_node *np = dev->of_node;
+ int ret;
+
+- wcd->reset_gpio = of_get_named_gpio(np, "reset-gpios", 0);
+- if (wcd->reset_gpio < 0)
+- return dev_err_probe(dev, wcd->reset_gpio, "Reset GPIO missing from DT\n");
++ wcd->reset_gpio = devm_gpiod_get(dev, "reset", GPIOD_OUT_LOW);
++ if (IS_ERR(wcd->reset_gpio))
++ return dev_err_probe(dev, PTR_ERR(wcd->reset_gpio), "Reset GPIO missing from DT\n");
+
+ wcd->mclk = devm_clk_get(dev, "mclk");
+ if (IS_ERR(wcd->mclk))
+@@ -5023,9 +5022,9 @@ static int wcd9335_power_on_reset(struct wcd9335_codec *wcd)
+ */
+ usleep_range(600, 650);
+
+- gpio_direction_output(wcd->reset_gpio, 0);
++ gpiod_set_value(wcd->reset_gpio, 1);
+ msleep(20);
+- gpio_set_value(wcd->reset_gpio, 1);
++ gpiod_set_value(wcd->reset_gpio, 0);
+ msleep(20);
+
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From f50aa7dc7a4c20faf77142437473855a755e5ba6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 May 2025 11:47:01 +0200
+Subject: ASoC: codecs: wcd9335: Fix missing free of regulator supplies
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 9079db287fc3e38e040b0edeb0a25770bb679c8e ]
+
+Driver gets and enables all regulator supplies in probe path
+(wcd9335_parse_dt() and wcd9335_power_on_reset()), but does not cleanup
+in final error paths and in unbind (missing remove() callback). This
+leads to leaked memory and unbalanced regulator enable count during
+probe errors or unbind.
+
+Fix this by converting entire code into devm_regulator_bulk_get_enable()
+which also greatly simplifies the code.
+
+Fixes: 20aedafdf492 ("ASoC: wcd9335: add support to wcd9335 codec")
+Cc: stable@vger.kernel.org
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://patch.msgid.link/20250526-b4-b4-asoc-wcd9395-vdd-px-fixes-v1-1-0b8a2993b7d3@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/wcd9335.c | 25 +++++++------------------
+ 1 file changed, 7 insertions(+), 18 deletions(-)
+
+diff --git a/sound/soc/codecs/wcd9335.c b/sound/soc/codecs/wcd9335.c
+index 8ee4360aff929..5e19e813748df 100644
+--- a/sound/soc/codecs/wcd9335.c
++++ b/sound/soc/codecs/wcd9335.c
+@@ -332,7 +332,6 @@ struct wcd9335_codec {
+
+ int intr1;
+ struct gpio_desc *reset_gpio;
+- struct regulator_bulk_data supplies[WCD9335_MAX_SUPPLY];
+
+ unsigned int rx_port_value[WCD9335_RX_MAX];
+ unsigned int tx_port_value[WCD9335_TX_MAX];
+@@ -355,6 +354,10 @@ struct wcd9335_irq {
+ char *name;
+ };
+
++static const char * const wcd9335_supplies[] = {
++ "vdd-buck", "vdd-buck-sido", "vdd-tx", "vdd-rx", "vdd-io",
++};
++
+ static const struct wcd9335_slim_ch wcd9335_tx_chs[WCD9335_TX_MAX] = {
+ WCD9335_SLIM_TX_CH(0),
+ WCD9335_SLIM_TX_CH(1),
+@@ -4989,30 +4992,16 @@ static int wcd9335_parse_dt(struct wcd9335_codec *wcd)
+ if (IS_ERR(wcd->native_clk))
+ return dev_err_probe(dev, PTR_ERR(wcd->native_clk), "slimbus clock not found\n");
+
+- wcd->supplies[0].supply = "vdd-buck";
+- wcd->supplies[1].supply = "vdd-buck-sido";
+- wcd->supplies[2].supply = "vdd-tx";
+- wcd->supplies[3].supply = "vdd-rx";
+- wcd->supplies[4].supply = "vdd-io";
+-
+- ret = regulator_bulk_get(dev, WCD9335_MAX_SUPPLY, wcd->supplies);
++ ret = devm_regulator_bulk_get_enable(dev, ARRAY_SIZE(wcd9335_supplies),
++ wcd9335_supplies);
+ if (ret)
+- return dev_err_probe(dev, ret, "Failed to get supplies\n");
++ return dev_err_probe(dev, ret, "Failed to get and enable supplies\n");
+
+ return 0;
+ }
+
+ static int wcd9335_power_on_reset(struct wcd9335_codec *wcd)
+ {
+- struct device *dev = wcd->dev;
+- int ret;
+-
+- ret = regulator_bulk_enable(WCD9335_MAX_SUPPLY, wcd->supplies);
+- if (ret) {
+- dev_err(dev, "Failed to get supplies: err = %d\n", ret);
+- return ret;
+- }
+-
+ /*
+ * For WCD9335, it takes about 600us for the Vout_A and
+ * Vout_D to be ready after BUCK_SIDO is powered up.
+--
+2.39.5
+
--- /dev/null
+From a0c02b07184b4fab72a63ae8bebf28aad168bfd1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Jun 2025 16:58:51 +0800
+Subject: ASoC: rt1320: fix speaker noise when volume bar is 100%
+
+From: Shuming Fan <shumingf@realtek.com>
+
+[ Upstream commit 9adf2de86611ac108d07e769a699556d87f052e2 ]
+
+This patch updates the settings to fix the speaker noise.
+
+Signed-off-by: Shuming Fan <shumingf@realtek.com>
+Link: https://patch.msgid.link/20250602085851.4081886-1-shumingf@realtek.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/rt1320-sdw.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/rt1320-sdw.c b/sound/soc/codecs/rt1320-sdw.c
+index f51ba345a16e6..015cc710e6dc0 100644
+--- a/sound/soc/codecs/rt1320-sdw.c
++++ b/sound/soc/codecs/rt1320-sdw.c
+@@ -204,7 +204,7 @@ static const struct reg_sequence rt1320_vc_blind_write[] = {
+ { 0x3fc2bfc0, 0x03 },
+ { 0x0000d486, 0x43 },
+ { SDW_SDCA_CTL(FUNC_NUM_AMP, RT1320_SDCA_ENT_PDE23, RT1320_SDCA_CTL_REQ_POWER_STATE, 0), 0x00 },
+- { 0x1000db00, 0x04 },
++ { 0x1000db00, 0x07 },
+ { 0x1000db01, 0x00 },
+ { 0x1000db02, 0x11 },
+ { 0x1000db03, 0x00 },
+@@ -225,6 +225,21 @@ static const struct reg_sequence rt1320_vc_blind_write[] = {
+ { 0x1000db12, 0x00 },
+ { 0x1000db13, 0x00 },
+ { 0x1000db14, 0x45 },
++ { 0x1000db15, 0x0d },
++ { 0x1000db16, 0x01 },
++ { 0x1000db17, 0x00 },
++ { 0x1000db18, 0x00 },
++ { 0x1000db19, 0xbf },
++ { 0x1000db1a, 0x13 },
++ { 0x1000db1b, 0x09 },
++ { 0x1000db1c, 0x00 },
++ { 0x1000db1d, 0x00 },
++ { 0x1000db1e, 0x00 },
++ { 0x1000db1f, 0x12 },
++ { 0x1000db20, 0x09 },
++ { 0x1000db21, 0x00 },
++ { 0x1000db22, 0x00 },
++ { 0x1000db23, 0x00 },
+ { 0x0000d540, 0x01 },
+ { 0x0000c081, 0xfc },
+ { 0x0000f01e, 0x80 },
+--
+2.39.5
+
--- /dev/null
+From 6455f0e829479bd131de63fe1358103050c75129 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 May 2025 13:15:59 +0800
+Subject: bcache: fix NULL pointer in cache_set_flush()
+
+From: Linggang Zeng <linggang.zeng@easystack.cn>
+
+[ Upstream commit 1e46ed947ec658f89f1a910d880cd05e42d3763e ]
+
+1. LINE#1794 - LINE#1887 is some codes about function of
+ bch_cache_set_alloc().
+2. LINE#2078 - LINE#2142 is some codes about function of
+ register_cache_set().
+3. register_cache_set() will call bch_cache_set_alloc() in LINE#2098.
+
+ 1794 struct cache_set *bch_cache_set_alloc(struct cache_sb *sb)
+ 1795 {
+ ...
+ 1860 if (!(c->devices = kcalloc(c->nr_uuids, sizeof(void *), GFP_KERNEL)) ||
+ 1861 mempool_init_slab_pool(&c->search, 32, bch_search_cache) ||
+ 1862 mempool_init_kmalloc_pool(&c->bio_meta, 2,
+ 1863 sizeof(struct bbio) + sizeof(struct bio_vec) *
+ 1864 bucket_pages(c)) ||
+ 1865 mempool_init_kmalloc_pool(&c->fill_iter, 1, iter_size) ||
+ 1866 bioset_init(&c->bio_split, 4, offsetof(struct bbio, bio),
+ 1867 BIOSET_NEED_BVECS|BIOSET_NEED_RESCUER) ||
+ 1868 !(c->uuids = alloc_bucket_pages(GFP_KERNEL, c)) ||
+ 1869 !(c->moving_gc_wq = alloc_workqueue("bcache_gc",
+ 1870 WQ_MEM_RECLAIM, 0)) ||
+ 1871 bch_journal_alloc(c) ||
+ 1872 bch_btree_cache_alloc(c) ||
+ 1873 bch_open_buckets_alloc(c) ||
+ 1874 bch_bset_sort_state_init(&c->sort, ilog2(c->btree_pages)))
+ 1875 goto err;
+ ^^^^^^^^
+ 1876
+ ...
+ 1883 return c;
+ 1884 err:
+ 1885 bch_cache_set_unregister(c);
+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^
+ 1886 return NULL;
+ 1887 }
+ ...
+ 2078 static const char *register_cache_set(struct cache *ca)
+ 2079 {
+ ...
+ 2098 c = bch_cache_set_alloc(&ca->sb);
+ 2099 if (!c)
+ 2100 return err;
+ ^^^^^^^^^^
+ ...
+ 2128 ca->set = c;
+ 2129 ca->set->cache[ca->sb.nr_this_dev] = ca;
+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+ ...
+ 2138 return NULL;
+ 2139 err:
+ 2140 bch_cache_set_unregister(c);
+ 2141 return err;
+ 2142 }
+
+(1) If LINE#1860 - LINE#1874 is true, then do 'goto err'(LINE#1875) and
+ call bch_cache_set_unregister()(LINE#1885).
+(2) As (1) return NULL(LINE#1886), LINE#2098 - LINE#2100 would return.
+(3) As (2) has returned, LINE#2128 - LINE#2129 would do *not* give the
+ value to c->cache[], it means that c->cache[] is NULL.
+
+LINE#1624 - LINE#1665 is some codes about function of cache_set_flush().
+As (1), in LINE#1885 call
+bch_cache_set_unregister()
+---> bch_cache_set_stop()
+ ---> closure_queue()
+ -.-> cache_set_flush() (as below LINE#1624)
+
+ 1624 static void cache_set_flush(struct closure *cl)
+ 1625 {
+ ...
+ 1654 for_each_cache(ca, c, i)
+ 1655 if (ca->alloc_thread)
+ ^^
+ 1656 kthread_stop(ca->alloc_thread);
+ ...
+ 1665 }
+
+(4) In LINE#1655 ca is NULL(see (3)) in cache_set_flush() then the
+ kernel crash occurred as below:
+[ 846.712887] bcache: register_cache() error drbd6: cannot allocate memory
+[ 846.713242] bcache: register_bcache() error : failed to register device
+[ 846.713336] bcache: cache_set_free() Cache set 2f84bdc1-498a-4f2f-98a7-01946bf54287 unregistered
+[ 846.713768] BUG: unable to handle kernel NULL pointer dereference at 00000000000009f8
+[ 846.714790] PGD 0 P4D 0
+[ 846.715129] Oops: 0000 [#1] SMP PTI
+[ 846.715472] CPU: 19 PID: 5057 Comm: kworker/19:16 Kdump: loaded Tainted: G OE --------- - - 4.18.0-147.5.1.el8_1.5es.3.x86_64 #1
+[ 846.716082] Hardware name: ESPAN GI-25212/X11DPL-i, BIOS 2.1 06/15/2018
+[ 846.716451] Workqueue: events cache_set_flush [bcache]
+[ 846.716808] RIP: 0010:cache_set_flush+0xc9/0x1b0 [bcache]
+[ 846.717155] Code: 00 4c 89 a5 b0 03 00 00 48 8b 85 68 f6 ff ff a8 08 0f 84 88 00 00 00 31 db 66 83 bd 3c f7 ff ff 00 48 8b 85 48 ff ff ff 74 28 <48> 8b b8 f8 09 00 00 48 85 ff 74 05 e8 b6 58 a2 e1 0f b7 95 3c f7
+[ 846.718026] RSP: 0018:ffffb56dcf85fe70 EFLAGS: 00010202
+[ 846.718372] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
+[ 846.718725] RDX: 0000000000000001 RSI: 0000000040000001 RDI: 0000000000000000
+[ 846.719076] RBP: ffffa0ccc0f20df8 R08: ffffa0ce1fedb118 R09: 000073746e657665
+[ 846.719428] R10: 8080808080808080 R11: 0000000000000000 R12: ffffa0ce1fee8700
+[ 846.719779] R13: ffffa0ccc0f211a8 R14: ffffa0cd1b902840 R15: ffffa0ccc0f20e00
+[ 846.720132] FS: 0000000000000000(0000) GS:ffffa0ce1fec0000(0000) knlGS:0000000000000000
+[ 846.720726] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 846.721073] CR2: 00000000000009f8 CR3: 00000008ba00a005 CR4: 00000000007606e0
+[ 846.721426] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 846.721778] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 846.722131] PKRU: 55555554
+[ 846.722467] Call Trace:
+[ 846.722814] process_one_work+0x1a7/0x3b0
+[ 846.723157] worker_thread+0x30/0x390
+[ 846.723501] ? create_worker+0x1a0/0x1a0
+[ 846.723844] kthread+0x112/0x130
+[ 846.724184] ? kthread_flush_work_fn+0x10/0x10
+[ 846.724535] ret_from_fork+0x35/0x40
+
+Now, check whether that ca is NULL in LINE#1655 to fix the issue.
+
+Signed-off-by: Linggang Zeng <linggang.zeng@easystack.cn>
+Signed-off-by: Mingzhe Zou <mingzhe.zou@easystack.cn>
+Signed-off-by: Coly Li <colyli@kernel.org>
+Link: https://lore.kernel.org/r/20250527051601.74407-2-colyli@kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/bcache/super.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
+index 813b38aec3e4e..37f5e31618c0a 100644
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1733,7 +1733,12 @@ static CLOSURE_CALLBACK(cache_set_flush)
+ mutex_unlock(&b->write_lock);
+ }
+
+- if (ca->alloc_thread)
++ /*
++ * If the register_cache_set() call to bch_cache_set_alloc() failed,
++ * ca has not been assigned a value and return error.
++ * So we need check ca is not NULL during bch_cache_set_unregister().
++ */
++ if (ca && ca->alloc_thread)
+ kthread_stop(ca->alloc_thread);
+
+ if (c->journal.cur) {
+--
+2.39.5
+
--- /dev/null
+From 4f682c23e4f9b4a6cc2489b82e21a9ecf1f00980 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 May 2025 13:05:36 +0100
+Subject: btrfs: fix qgroup reservation leak on failure to allocate ordered
+ extent
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 1f2889f5594a2bc4c6a52634c4a51b93e785def5 ]
+
+If we fail to allocate an ordered extent for a COW write we end up leaking
+a qgroup data reservation since we called btrfs_qgroup_release_data() but
+we didn't call btrfs_qgroup_free_refroot() (which would happen when
+running the respective data delayed ref created by ordered extent
+completion or when finishing the ordered extent in case an error happened).
+
+So make sure we call btrfs_qgroup_free_refroot() if we fail to allocate an
+ordered extent for a COW write.
+
+Fixes: 7dbeaad0af7d ("btrfs: change timing for qgroup reserved space for ordered extents to fix reserved space leak")
+CC: stable@vger.kernel.org # 6.1+
+Reviewed-by: Boris Burkov <boris@bur.io>
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/ordered-data.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/fs/btrfs/ordered-data.c b/fs/btrfs/ordered-data.c
+index f61b0bb1faccf..1d7ddd664c0d3 100644
+--- a/fs/btrfs/ordered-data.c
++++ b/fs/btrfs/ordered-data.c
+@@ -153,9 +153,10 @@ static struct btrfs_ordered_extent *alloc_ordered_extent(
+ struct btrfs_ordered_extent *entry;
+ int ret;
+ u64 qgroup_rsv = 0;
++ const bool is_nocow = (flags &
++ ((1U << BTRFS_ORDERED_NOCOW) | (1U << BTRFS_ORDERED_PREALLOC)));
+
+- if (flags &
+- ((1U << BTRFS_ORDERED_NOCOW) | (1U << BTRFS_ORDERED_PREALLOC))) {
++ if (is_nocow) {
+ /* For nocow write, we can release the qgroup rsv right now */
+ ret = btrfs_qgroup_free_data(inode, NULL, file_offset, num_bytes, &qgroup_rsv);
+ if (ret < 0)
+@@ -170,8 +171,13 @@ static struct btrfs_ordered_extent *alloc_ordered_extent(
+ return ERR_PTR(ret);
+ }
+ entry = kmem_cache_zalloc(btrfs_ordered_extent_cache, GFP_NOFS);
+- if (!entry)
++ if (!entry) {
++ if (!is_nocow)
++ btrfs_qgroup_free_refroot(inode->root->fs_info,
++ btrfs_root_id(inode->root),
++ qgroup_rsv, BTRFS_QGROUP_RSV_DATA);
+ return ERR_PTR(-ENOMEM);
++ }
+
+ entry->file_offset = file_offset;
+ entry->num_bytes = num_bytes;
+--
+2.39.5
+
--- /dev/null
+From acd59b3a901d32573c5ab3201519bbdf8d380958 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Jun 2025 16:54:44 +0100
+Subject: btrfs: fix race between async reclaim worker and close_ctree()
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit a26bf338cdad3643a6e7c3d78a172baadba15c1a ]
+
+Syzbot reported an assertion failure due to an attempt to add a delayed
+iput after we have set BTRFS_FS_STATE_NO_DELAYED_IPUT in the fs_info
+state:
+
+ WARNING: CPU: 0 PID: 65 at fs/btrfs/inode.c:3420 btrfs_add_delayed_iput+0x2f8/0x370 fs/btrfs/inode.c:3420
+ Modules linked in:
+ CPU: 0 UID: 0 PID: 65 Comm: kworker/u8:4 Not tainted 6.15.0-next-20250530-syzkaller #0 PREEMPT(full)
+ Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
+ Workqueue: btrfs-endio-write btrfs_work_helper
+ RIP: 0010:btrfs_add_delayed_iput+0x2f8/0x370 fs/btrfs/inode.c:3420
+ Code: 4e ad 5d (...)
+ RSP: 0018:ffffc9000213f780 EFLAGS: 00010293
+ RAX: ffffffff83c635b7 RBX: ffff888058920000 RCX: ffff88801c769e00
+ RDX: 0000000000000000 RSI: 0000000000000100 RDI: 0000000000000000
+ RBP: 0000000000000001 R08: ffff888058921b67 R09: 1ffff1100b12436c
+ R10: dffffc0000000000 R11: ffffed100b12436d R12: 0000000000000001
+ R13: dffffc0000000000 R14: ffff88807d748000 R15: 0000000000000100
+ FS: 0000000000000000(0000) GS:ffff888125c53000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00002000000bd038 CR3: 000000006a142000 CR4: 00000000003526f0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ Call Trace:
+ <TASK>
+ btrfs_put_ordered_extent+0x19f/0x470 fs/btrfs/ordered-data.c:635
+ btrfs_finish_one_ordered+0x11d8/0x1b10 fs/btrfs/inode.c:3312
+ btrfs_work_helper+0x399/0xc20 fs/btrfs/async-thread.c:312
+ process_one_work kernel/workqueue.c:3238 [inline]
+ process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
+ worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
+ kthread+0x70e/0x8a0 kernel/kthread.c:464
+ ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
+ </TASK>
+
+This can happen due to a race with the async reclaim worker like this:
+
+1) The async metadata reclaim worker enters shrink_delalloc(), which calls
+ btrfs_start_delalloc_roots() with an nr_pages argument that has a value
+ less than LONG_MAX, and that in turn enters start_delalloc_inodes(),
+ which sets the local variable 'full_flush' to false because
+ wbc->nr_to_write is less than LONG_MAX;
+
+2) There it finds inode X in a root's delalloc list, grabs a reference for
+ inode X (with igrab()), and triggers writeback for it with
+ filemap_fdatawrite_wbc(), which creates an ordered extent for inode X;
+
+3) The unmount sequence starts from another task, we enter close_ctree()
+ and we flush the workqueue fs_info->endio_write_workers, which waits
+ for the ordered extent for inode X to complete and when dropping the
+ last reference of the ordered extent, with btrfs_put_ordered_extent(),
+ when we call btrfs_add_delayed_iput() we don't add the inode to the
+ list of delayed iputs because it has a refcount of 2, so we decrement
+ it to 1 and return;
+
+4) Shortly after at close_ctree() we call btrfs_run_delayed_iputs() which
+ runs all delayed iputs, and then we set BTRFS_FS_STATE_NO_DELAYED_IPUT
+ in the fs_info state;
+
+5) The async reclaim worker, after calling filemap_fdatawrite_wbc(), now
+ calls btrfs_add_delayed_iput() for inode X and there we trigger an
+ assertion failure since the fs_info state has the flag
+ BTRFS_FS_STATE_NO_DELAYED_IPUT set.
+
+Fix this by setting BTRFS_FS_STATE_NO_DELAYED_IPUT only after we wait for
+the async reclaim workers to finish, after we call cancel_work_sync() for
+them at close_ctree(), and by running delayed iputs after wait for the
+reclaim workers to finish and before setting the bit.
+
+This race was recently introduced by commit 19e60b2a95f5 ("btrfs: add
+extra warning if delayed iput is added when it's not allowed"). Without
+the new validation at btrfs_add_delayed_iput(), this described scenario
+was safe because close_ctree() later calls btrfs_commit_super(). That
+will run any final delayed iputs added by reclaim workers in the window
+between the btrfs_run_delayed_iputs() and the the reclaim workers being
+shut down.
+
+Reported-by: syzbot+0ed30ad435bf6f5b7a42@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/linux-btrfs/6840481c.a00a0220.d4325.000c.GAE@google.com/T/#u
+Fixes: 19e60b2a95f5 ("btrfs: add extra warning if delayed iput is added when it's not allowed")
+Reviewed-by: Boris Burkov <boris@bur.io>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/disk-io.c | 22 ++++++++++++++++++----
+ 1 file changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
+index aa58e0663a5d7..87501762d81fb 100644
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -4385,8 +4385,8 @@ void __cold close_ctree(struct btrfs_fs_info *fs_info)
+ *
+ * So wait for all ongoing ordered extents to complete and then run
+ * delayed iputs. This works because once we reach this point no one
+- * can either create new ordered extents nor create delayed iputs
+- * through some other means.
++ * can create new ordered extents, but delayed iputs can still be added
++ * by a reclaim worker (see comments further below).
+ *
+ * Also note that btrfs_wait_ordered_roots() is not safe here, because
+ * it waits for BTRFS_ORDERED_COMPLETE to be set on an ordered extent,
+@@ -4397,15 +4397,29 @@ void __cold close_ctree(struct btrfs_fs_info *fs_info)
+ btrfs_flush_workqueue(fs_info->endio_write_workers);
+ /* Ordered extents for free space inodes. */
+ btrfs_flush_workqueue(fs_info->endio_freespace_worker);
++ /*
++ * Run delayed iputs in case an async reclaim worker is waiting for them
++ * to be run as mentioned above.
++ */
+ btrfs_run_delayed_iputs(fs_info);
+- /* There should be no more workload to generate new delayed iputs. */
+- set_bit(BTRFS_FS_STATE_NO_DELAYED_IPUT, &fs_info->fs_state);
+
+ cancel_work_sync(&fs_info->async_reclaim_work);
+ cancel_work_sync(&fs_info->async_data_reclaim_work);
+ cancel_work_sync(&fs_info->preempt_reclaim_work);
+ cancel_work_sync(&fs_info->em_shrinker_work);
+
++ /*
++ * Run delayed iputs again because an async reclaim worker may have
++ * added new ones if it was flushing delalloc:
++ *
++ * shrink_delalloc() -> btrfs_start_delalloc_roots() ->
++ * start_delalloc_inodes() -> btrfs_add_delayed_iput()
++ */
++ btrfs_run_delayed_iputs(fs_info);
++
++ /* There should be no more workload to generate new delayed iputs. */
++ set_bit(BTRFS_FS_STATE_NO_DELAYED_IPUT, &fs_info->fs_state);
++
+ /* Cancel or finish ongoing discard work */
+ btrfs_discard_cleanup(fs_info);
+
+--
+2.39.5
+
--- /dev/null
+From 6e6a047d823181b2e10aa2e4e67d9d759f088831 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Jun 2025 09:18:43 +0930
+Subject: btrfs: handle csum tree error with rescue=ibadroots correctly
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit 547e836661554dcfa15c212a3821664e85b4191a ]
+
+[BUG]
+There is syzbot based reproducer that can crash the kernel, with the
+following call trace: (With some debug output added)
+
+ DEBUG: rescue=ibadroots parsed
+ BTRFS: device fsid 14d642db-7b15-43e4-81e6-4b8fac6a25f8 devid 1 transid 8 /dev/loop0 (7:0) scanned by repro (1010)
+ BTRFS info (device loop0): first mount of filesystem 14d642db-7b15-43e4-81e6-4b8fac6a25f8
+ BTRFS info (device loop0): using blake2b (blake2b-256-generic) checksum algorithm
+ BTRFS info (device loop0): using free-space-tree
+ BTRFS warning (device loop0): checksum verify failed on logical 5312512 mirror 1 wanted 0xb043382657aede36608fd3386d6b001692ff406164733d94e2d9a180412c6003 found 0x810ceb2bacb7f0f9eb2bf3b2b15c02af867cb35ad450898169f3b1f0bd818651 level 0
+ DEBUG: read tree root path failed for tree csum, ret=-5
+ BTRFS warning (device loop0): checksum verify failed on logical 5328896 mirror 1 wanted 0x51be4e8b303da58e6340226815b70e3a93592dac3f30dd510c7517454de8567a found 0x51be4e8b303da58e634022a315b70e3a93592dac3f30dd510c7517454de8567a level 0
+ BTRFS warning (device loop0): checksum verify failed on logical 5292032 mirror 1 wanted 0x1924ccd683be9efc2fa98582ef58760e3848e9043db8649ee382681e220cdee4 found 0x0cb6184f6e8799d9f8cb335dccd1d1832da1071d12290dab3b85b587ecacca6e level 0
+ process 'repro' launched './file2' with NULL argv: empty string added
+ DEBUG: no csum root, idatacsums=0 ibadroots=134217728
+ Oops: general protection fault, probably for non-canonical address 0xdffffc0000000041: 0000 [#1] SMP KASAN NOPTI
+ KASAN: null-ptr-deref in range [0x0000000000000208-0x000000000000020f]
+ CPU: 5 UID: 0 PID: 1010 Comm: repro Tainted: G OE 6.15.0-custom+ #249 PREEMPT(full)
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022
+ RIP: 0010:btrfs_lookup_csum+0x93/0x3d0 [btrfs]
+ Call Trace:
+ <TASK>
+ btrfs_lookup_bio_sums+0x47a/0xdf0 [btrfs]
+ btrfs_submit_bbio+0x43e/0x1a80 [btrfs]
+ submit_one_bio+0xde/0x160 [btrfs]
+ btrfs_readahead+0x498/0x6a0 [btrfs]
+ read_pages+0x1c3/0xb20
+ page_cache_ra_order+0x4b5/0xc20
+ filemap_get_pages+0x2d3/0x19e0
+ filemap_read+0x314/0xde0
+ __kernel_read+0x35b/0x900
+ bprm_execve+0x62e/0x1140
+ do_execveat_common.isra.0+0x3fc/0x520
+ __x64_sys_execveat+0xdc/0x130
+ do_syscall_64+0x54/0x1d0
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+ ---[ end trace 0000000000000000 ]---
+
+[CAUSE]
+Firstly the fs has a corrupted csum tree root, thus to mount the fs we
+have to go "ro,rescue=ibadroots" mount option.
+
+Normally with that mount option, a bad csum tree root should set
+BTRFS_FS_STATE_NO_DATA_CSUMS flag, so that any future data read will
+ignore csum search.
+
+But in this particular case, we have the following call trace that
+caused NULL csum root, but not setting BTRFS_FS_STATE_NO_DATA_CSUMS:
+
+load_global_roots_objectid():
+
+ ret = btrfs_search_slot();
+ /* Succeeded */
+ btrfs_item_key_to_cpu()
+ found = true;
+ /* We found the root item for csum tree. */
+ root = read_tree_root_path();
+ if (IS_ERR(root)) {
+ if (!btrfs_test_opt(fs_info, IGNOREBADROOTS))
+ /*
+ * Since we have rescue=ibadroots mount option,
+ * @ret is still 0.
+ */
+ break;
+ if (!found || ret) {
+ /* @found is true, @ret is 0, error handling for csum
+ * tree is skipped.
+ */
+ }
+
+This means we completely skipped to set BTRFS_FS_STATE_NO_DATA_CSUMS if
+the csum tree is corrupted, which results unexpected later csum lookup.
+
+[FIX]
+If read_tree_root_path() failed, always populate @ret to the error
+number.
+
+As at the end of the function, we need @ret to determine if we need to
+do the extra error handling for csum tree.
+
+Fixes: abed4aaae4f7 ("btrfs: track the csum, extent, and free space trees in a rb tree")
+Reported-by: Zhiyu Zhang <zhiyuzhang999@gmail.com>
+Reported-by: Longxing Li <coregee2000@gmail.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/disk-io.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
+index 87501762d81fb..321feb99c1797 100644
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -2164,8 +2164,7 @@ static int load_global_roots_objectid(struct btrfs_root *tree_root,
+ found = true;
+ root = read_tree_root_path(tree_root, path, &key);
+ if (IS_ERR(root)) {
+- if (!btrfs_test_opt(fs_info, IGNOREBADROOTS))
+- ret = PTR_ERR(root);
++ ret = PTR_ERR(root);
+ break;
+ }
+ set_bit(BTRFS_ROOT_TRACK_DIRTY, &root->state);
+--
+2.39.5
+
--- /dev/null
+From 9a57e7a7141c5ec088033ca13e65119a83356fc0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Apr 2025 17:55:41 +0200
+Subject: btrfs: use unsigned types for constants defined as bit shifts
+
+From: David Sterba <dsterba@suse.com>
+
+[ Upstream commit 05a6ec865d091fe8244657df8063f74e704d1711 ]
+
+The unsigned type is a recommended practice (CWE-190, CWE-194) for bit
+shifts to avoid problems with potential unwanted sign extensions.
+Although there are no such cases in btrfs codebase, follow the
+recommendation.
+
+Reviewed-by: Boris Burkov <boris@bur.io>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Stable-dep-of: 1f2889f5594a ("btrfs: fix qgroup reservation leak on failure to allocate ordered extent")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/backref.h | 4 ++--
+ fs/btrfs/direct-io.c | 4 ++--
+ fs/btrfs/extent_io.h | 2 +-
+ fs/btrfs/inode.c | 12 ++++++------
+ fs/btrfs/ordered-data.c | 4 ++--
+ fs/btrfs/raid56.c | 5 ++---
+ fs/btrfs/tests/extent-io-tests.c | 6 +++---
+ fs/btrfs/zstd.c | 2 +-
+ 8 files changed, 19 insertions(+), 20 deletions(-)
+
+diff --git a/fs/btrfs/backref.h b/fs/btrfs/backref.h
+index 74e6140312747..953637115956b 100644
+--- a/fs/btrfs/backref.h
++++ b/fs/btrfs/backref.h
+@@ -423,8 +423,8 @@ struct btrfs_backref_node *btrfs_backref_alloc_node(
+ struct btrfs_backref_edge *btrfs_backref_alloc_edge(
+ struct btrfs_backref_cache *cache);
+
+-#define LINK_LOWER (1 << 0)
+-#define LINK_UPPER (1 << 1)
++#define LINK_LOWER (1U << 0)
++#define LINK_UPPER (1U << 1)
+
+ void btrfs_backref_link_edge(struct btrfs_backref_edge *edge,
+ struct btrfs_backref_node *lower,
+diff --git a/fs/btrfs/direct-io.c b/fs/btrfs/direct-io.c
+index a374ce7a1813b..7900cba56225d 100644
+--- a/fs/btrfs/direct-io.c
++++ b/fs/btrfs/direct-io.c
+@@ -151,8 +151,8 @@ static struct extent_map *btrfs_create_dio_extent(struct btrfs_inode *inode,
+ }
+
+ ordered = btrfs_alloc_ordered_extent(inode, start, file_extent,
+- (1 << type) |
+- (1 << BTRFS_ORDERED_DIRECT));
++ (1U << type) |
++ (1U << BTRFS_ORDERED_DIRECT));
+ if (IS_ERR(ordered)) {
+ if (em) {
+ free_extent_map(em);
+diff --git a/fs/btrfs/extent_io.h b/fs/btrfs/extent_io.h
+index f5b28b5c4908b..91d9cb5ff401b 100644
+--- a/fs/btrfs/extent_io.h
++++ b/fs/btrfs/extent_io.h
+@@ -79,7 +79,7 @@ enum {
+ * single word in a bitmap may straddle two pages in the extent buffer.
+ */
+ #define BIT_BYTE(nr) ((nr) / BITS_PER_BYTE)
+-#define BYTE_MASK ((1 << BITS_PER_BYTE) - 1)
++#define BYTE_MASK ((1U << BITS_PER_BYTE) - 1)
+ #define BITMAP_FIRST_BYTE_MASK(start) \
+ ((BYTE_MASK << ((start) & (BITS_PER_BYTE - 1))) & BYTE_MASK)
+ #define BITMAP_LAST_BYTE_MASK(nbits) \
+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
+index 8a3f44302788c..867b438652ef7 100644
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -1171,7 +1171,7 @@ static void submit_one_async_extent(struct async_chunk *async_chunk,
+ free_extent_map(em);
+
+ ordered = btrfs_alloc_ordered_extent(inode, start, &file_extent,
+- 1 << BTRFS_ORDERED_COMPRESSED);
++ 1U << BTRFS_ORDERED_COMPRESSED);
+ if (IS_ERR(ordered)) {
+ btrfs_drop_extent_map_range(inode, start, end, false);
+ ret = PTR_ERR(ordered);
+@@ -1418,7 +1418,7 @@ static noinline int cow_file_range(struct btrfs_inode *inode,
+ free_extent_map(em);
+
+ ordered = btrfs_alloc_ordered_extent(inode, start, &file_extent,
+- 1 << BTRFS_ORDERED_REGULAR);
++ 1U << BTRFS_ORDERED_REGULAR);
+ if (IS_ERR(ordered)) {
+ unlock_extent(&inode->io_tree, start,
+ start + cur_alloc_size - 1, &cached);
+@@ -1999,8 +1999,8 @@ static int nocow_one_range(struct btrfs_inode *inode, struct folio *locked_folio
+
+ ordered = btrfs_alloc_ordered_extent(inode, file_pos, &nocow_args->file_extent,
+ is_prealloc
+- ? (1 << BTRFS_ORDERED_PREALLOC)
+- : (1 << BTRFS_ORDERED_NOCOW));
++ ? (1U << BTRFS_ORDERED_PREALLOC)
++ : (1U << BTRFS_ORDERED_NOCOW));
+ if (IS_ERR(ordered)) {
+ if (is_prealloc)
+ btrfs_drop_extent_map_range(inode, file_pos, end, false);
+@@ -9733,8 +9733,8 @@ ssize_t btrfs_do_encoded_write(struct kiocb *iocb, struct iov_iter *from,
+ free_extent_map(em);
+
+ ordered = btrfs_alloc_ordered_extent(inode, start, &file_extent,
+- (1 << BTRFS_ORDERED_ENCODED) |
+- (1 << BTRFS_ORDERED_COMPRESSED));
++ (1U << BTRFS_ORDERED_ENCODED) |
++ (1U << BTRFS_ORDERED_COMPRESSED));
+ if (IS_ERR(ordered)) {
+ btrfs_drop_extent_map_range(inode, start, end, false);
+ ret = PTR_ERR(ordered);
+diff --git a/fs/btrfs/ordered-data.c b/fs/btrfs/ordered-data.c
+index 03c945711003c..f61b0bb1faccf 100644
+--- a/fs/btrfs/ordered-data.c
++++ b/fs/btrfs/ordered-data.c
+@@ -155,7 +155,7 @@ static struct btrfs_ordered_extent *alloc_ordered_extent(
+ u64 qgroup_rsv = 0;
+
+ if (flags &
+- ((1 << BTRFS_ORDERED_NOCOW) | (1 << BTRFS_ORDERED_PREALLOC))) {
++ ((1U << BTRFS_ORDERED_NOCOW) | (1U << BTRFS_ORDERED_PREALLOC))) {
+ /* For nocow write, we can release the qgroup rsv right now */
+ ret = btrfs_qgroup_free_data(inode, NULL, file_offset, num_bytes, &qgroup_rsv);
+ if (ret < 0)
+@@ -253,7 +253,7 @@ static void insert_ordered_extent(struct btrfs_ordered_extent *entry)
+ * @disk_bytenr: Offset of extent on disk.
+ * @disk_num_bytes: Size of extent on disk.
+ * @offset: Offset into unencoded data where file data starts.
+- * @flags: Flags specifying type of extent (1 << BTRFS_ORDERED_*).
++ * @flags: Flags specifying type of extent (1U << BTRFS_ORDERED_*).
+ * @compress_type: Compression algorithm used for data.
+ *
+ * Most of these parameters correspond to &struct btrfs_file_extent_item. The
+diff --git a/fs/btrfs/raid56.c b/fs/btrfs/raid56.c
+index cdd373c277848..7285bf7926e3a 100644
+--- a/fs/btrfs/raid56.c
++++ b/fs/btrfs/raid56.c
+@@ -200,8 +200,7 @@ int btrfs_alloc_stripe_hash_table(struct btrfs_fs_info *info)
+ struct btrfs_stripe_hash_table *x;
+ struct btrfs_stripe_hash *cur;
+ struct btrfs_stripe_hash *h;
+- int num_entries = 1 << BTRFS_STRIPE_HASH_TABLE_BITS;
+- int i;
++ unsigned int num_entries = 1U << BTRFS_STRIPE_HASH_TABLE_BITS;
+
+ if (info->stripe_hash_table)
+ return 0;
+@@ -222,7 +221,7 @@ int btrfs_alloc_stripe_hash_table(struct btrfs_fs_info *info)
+
+ h = table->table;
+
+- for (i = 0; i < num_entries; i++) {
++ for (unsigned int i = 0; i < num_entries; i++) {
+ cur = h + i;
+ INIT_LIST_HEAD(&cur->hash_list);
+ spin_lock_init(&cur->lock);
+diff --git a/fs/btrfs/tests/extent-io-tests.c b/fs/btrfs/tests/extent-io-tests.c
+index 74aca7180a5a9..400574c6e82ec 100644
+--- a/fs/btrfs/tests/extent-io-tests.c
++++ b/fs/btrfs/tests/extent-io-tests.c
+@@ -14,9 +14,9 @@
+ #include "../disk-io.h"
+ #include "../btrfs_inode.h"
+
+-#define PROCESS_UNLOCK (1 << 0)
+-#define PROCESS_RELEASE (1 << 1)
+-#define PROCESS_TEST_LOCKED (1 << 2)
++#define PROCESS_UNLOCK (1U << 0)
++#define PROCESS_RELEASE (1U << 1)
++#define PROCESS_TEST_LOCKED (1U << 2)
+
+ static noinline int process_page_range(struct inode *inode, u64 start, u64 end,
+ unsigned long flags)
+diff --git a/fs/btrfs/zstd.c b/fs/btrfs/zstd.c
+index 3541efa765c73..94c19331823a9 100644
+--- a/fs/btrfs/zstd.c
++++ b/fs/btrfs/zstd.c
+@@ -24,7 +24,7 @@
+ #include "super.h"
+
+ #define ZSTD_BTRFS_MAX_WINDOWLOG 17
+-#define ZSTD_BTRFS_MAX_INPUT (1 << ZSTD_BTRFS_MAX_WINDOWLOG)
++#define ZSTD_BTRFS_MAX_INPUT (1U << ZSTD_BTRFS_MAX_WINDOWLOG)
+ #define ZSTD_BTRFS_DEFAULT_LEVEL 3
+ #define ZSTD_BTRFS_MIN_LEVEL -15
+ #define ZSTD_BTRFS_MAX_LEVEL 15
+--
+2.39.5
+
--- /dev/null
+From ed3c2a89782c03d03b0b16ee7aba874e5ce9bd0e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Apr 2025 11:34:58 +0200
+Subject: bus: mhi: host: pci_generic: Add Telit FN920C04 modem support
+
+From: Daniele Palmas <dnlplm@gmail.com>
+
+[ Upstream commit 6348f62ef7ecc5855b710a7d4ea682425c38bb80 ]
+
+Add SDX35 based modem Telit FN920C04.
+
+$ lspci -vv
+01:00.0 Unassigned class [ff00]: Qualcomm Device 011a
+ Subsystem: Device 1c5d:2020
+
+Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Link: https://patch.msgid.link/20250401093458.2953872-1-dnlplm@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bus/mhi/host/pci_generic.c | 39 ++++++++++++++++++++++++++++++
+ 1 file changed, 39 insertions(+)
+
+diff --git a/drivers/bus/mhi/host/pci_generic.c b/drivers/bus/mhi/host/pci_generic.c
+index 03aa887952098..059cfd77382f0 100644
+--- a/drivers/bus/mhi/host/pci_generic.c
++++ b/drivers/bus/mhi/host/pci_generic.c
+@@ -782,6 +782,42 @@ static const struct mhi_pci_dev_info mhi_telit_fe990a_info = {
+ .mru_default = 32768,
+ };
+
++static const struct mhi_channel_config mhi_telit_fn920c04_channels[] = {
++ MHI_CHANNEL_CONFIG_UL_SBL(2, "SAHARA", 32, 0),
++ MHI_CHANNEL_CONFIG_DL_SBL(3, "SAHARA", 32, 0),
++ MHI_CHANNEL_CONFIG_UL(4, "DIAG", 64, 1),
++ MHI_CHANNEL_CONFIG_DL(5, "DIAG", 64, 1),
++ MHI_CHANNEL_CONFIG_UL(14, "QMI", 32, 0),
++ MHI_CHANNEL_CONFIG_DL(15, "QMI", 32, 0),
++ MHI_CHANNEL_CONFIG_UL(32, "DUN", 32, 0),
++ MHI_CHANNEL_CONFIG_DL(33, "DUN", 32, 0),
++ MHI_CHANNEL_CONFIG_UL_FP(34, "FIREHOSE", 32, 0),
++ MHI_CHANNEL_CONFIG_DL_FP(35, "FIREHOSE", 32, 0),
++ MHI_CHANNEL_CONFIG_UL(92, "DUN2", 32, 1),
++ MHI_CHANNEL_CONFIG_DL(93, "DUN2", 32, 1),
++ MHI_CHANNEL_CONFIG_HW_UL(100, "IP_HW0", 128, 2),
++ MHI_CHANNEL_CONFIG_HW_DL(101, "IP_HW0", 128, 3),
++};
++
++static const struct mhi_controller_config modem_telit_fn920c04_config = {
++ .max_channels = 128,
++ .timeout_ms = 50000,
++ .num_channels = ARRAY_SIZE(mhi_telit_fn920c04_channels),
++ .ch_cfg = mhi_telit_fn920c04_channels,
++ .num_events = ARRAY_SIZE(mhi_telit_fn990_events),
++ .event_cfg = mhi_telit_fn990_events,
++};
++
++static const struct mhi_pci_dev_info mhi_telit_fn920c04_info = {
++ .name = "telit-fn920c04",
++ .config = &modem_telit_fn920c04_config,
++ .bar_num = MHI_PCI_DEFAULT_BAR_NUM,
++ .dma_data_width = 32,
++ .sideband_wake = false,
++ .mru_default = 32768,
++ .edl_trigger = true,
++};
++
+ static const struct mhi_pci_dev_info mhi_netprisma_lcur57_info = {
+ .name = "netprisma-lcur57",
+ .edl = "qcom/prog_firehose_sdx24.mbn",
+@@ -806,6 +842,9 @@ static const struct mhi_pci_dev_info mhi_netprisma_fcun69_info = {
+ static const struct pci_device_id mhi_pci_id_table[] = {
+ {PCI_DEVICE(PCI_VENDOR_ID_QCOM, 0x0116),
+ .driver_data = (kernel_ulong_t) &mhi_qcom_sa8775p_info },
++ /* Telit FN920C04 (sdx35) */
++ {PCI_DEVICE_SUB(PCI_VENDOR_ID_QCOM, 0x011a, 0x1c5d, 0x2020),
++ .driver_data = (kernel_ulong_t) &mhi_telit_fn920c04_info },
+ { PCI_DEVICE(PCI_VENDOR_ID_QCOM, 0x0304),
+ .driver_data = (kernel_ulong_t) &mhi_qcom_sdx24_info },
+ { PCI_DEVICE_SUB(PCI_VENDOR_ID_QCOM, 0x0306, PCI_VENDOR_ID_QCOM, 0x010c),
+--
+2.39.5
+
--- /dev/null
+From 8003c2e63910d4fd249f2356f8ced2e143f30b82 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Apr 2025 12:32:04 +0300
+Subject: ceph: fix possible integer overflow in ceph_zero_objects()
+
+From: Dmitry Kandybka <d.kandybka@gmail.com>
+
+[ Upstream commit 0abd87942e0c93964e93224836944712feba1d91 ]
+
+In 'ceph_zero_objects', promote 'object_size' to 'u64' to avoid possible
+integer overflow.
+
+Compile tested only.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Signed-off-by: Dmitry Kandybka <d.kandybka@gmail.com>
+Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ceph/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ceph/file.c b/fs/ceph/file.c
+index 851d70200c6b8..a7254cab44cc2 100644
+--- a/fs/ceph/file.c
++++ b/fs/ceph/file.c
+@@ -2616,7 +2616,7 @@ static int ceph_zero_objects(struct inode *inode, loff_t offset, loff_t length)
+ s32 stripe_unit = ci->i_layout.stripe_unit;
+ s32 stripe_count = ci->i_layout.stripe_count;
+ s32 object_size = ci->i_layout.object_size;
+- u64 object_set_size = object_size * stripe_count;
++ u64 object_set_size = (u64) object_size * stripe_count;
+ u64 nearly, t;
+
+ /* round offset up to next period boundary */
+--
+2.39.5
+
--- /dev/null
+From 26d2b524c2b9b2102922f2344b2a87911d1e629f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 2 Nov 2024 17:58:31 +0100
+Subject: cifs: Correctly set SMB1 SessionKey field in Session Setup Request
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit 89381c72d52094988e11d23ef24a00066a0fa458 ]
+
+[MS-CIFS] specification in section 2.2.4.53.1 where is described
+SMB_COM_SESSION_SETUP_ANDX Request, for SessionKey field says:
+
+ The client MUST set this field to be equal to the SessionKey field in
+ the SMB_COM_NEGOTIATE Response for this SMB connection.
+
+Linux SMB client currently set this field to zero. This is working fine
+against Windows NT SMB servers thanks to [MS-CIFS] product behavior <94>:
+
+ Windows NT Server ignores the client's SessionKey.
+
+For compatibility with [MS-CIFS], set this SessionKey field in Session
+Setup Request to value retrieved from Negotiate response.
+
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/cifsglob.h | 1 +
+ fs/smb/client/cifspdu.h | 6 +++---
+ fs/smb/client/cifssmb.c | 1 +
+ fs/smb/client/sess.c | 1 +
+ 4 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/fs/smb/client/cifsglob.h b/fs/smb/client/cifsglob.h
+index 0c80ca352f3fa..214e53acf72a8 100644
+--- a/fs/smb/client/cifsglob.h
++++ b/fs/smb/client/cifsglob.h
+@@ -773,6 +773,7 @@ struct TCP_Server_Info {
+ char workstation_RFC1001_name[RFC1001_NAME_LEN_WITH_NULL];
+ __u32 sequence_number; /* for signing, protected by srv_mutex */
+ __u32 reconnect_instance; /* incremented on each reconnect */
++ __le32 session_key_id; /* retrieved from negotiate response and send in session setup request */
+ struct session_key session_key;
+ unsigned long lstrp; /* when we got last response from this server */
+ struct cifs_secmech secmech; /* crypto sec mech functs, descriptors */
+diff --git a/fs/smb/client/cifspdu.h b/fs/smb/client/cifspdu.h
+index 1b79fe07476f6..d9cf7db0ac35e 100644
+--- a/fs/smb/client/cifspdu.h
++++ b/fs/smb/client/cifspdu.h
+@@ -597,7 +597,7 @@ typedef union smb_com_session_setup_andx {
+ __le16 MaxBufferSize;
+ __le16 MaxMpxCount;
+ __le16 VcNumber;
+- __u32 SessionKey;
++ __le32 SessionKey;
+ __le16 SecurityBlobLength;
+ __u32 Reserved;
+ __le32 Capabilities; /* see below */
+@@ -616,7 +616,7 @@ typedef union smb_com_session_setup_andx {
+ __le16 MaxBufferSize;
+ __le16 MaxMpxCount;
+ __le16 VcNumber;
+- __u32 SessionKey;
++ __le32 SessionKey;
+ __le16 CaseInsensitivePasswordLength; /* ASCII password len */
+ __le16 CaseSensitivePasswordLength; /* Unicode password length*/
+ __u32 Reserved; /* see below */
+@@ -654,7 +654,7 @@ typedef union smb_com_session_setup_andx {
+ __le16 MaxBufferSize;
+ __le16 MaxMpxCount;
+ __le16 VcNumber;
+- __u32 SessionKey;
++ __le32 SessionKey;
+ __le16 PasswordLength;
+ __u32 Reserved; /* encrypt key len and offset */
+ __le16 ByteCount;
+diff --git a/fs/smb/client/cifssmb.c b/fs/smb/client/cifssmb.c
+index a3ba3346ed313..7216fcec79e8b 100644
+--- a/fs/smb/client/cifssmb.c
++++ b/fs/smb/client/cifssmb.c
+@@ -498,6 +498,7 @@ CIFSSMBNegotiate(const unsigned int xid,
+ server->max_rw = le32_to_cpu(pSMBr->MaxRawSize);
+ cifs_dbg(NOISY, "Max buf = %d\n", ses->server->maxBuf);
+ server->capabilities = le32_to_cpu(pSMBr->Capabilities);
++ server->session_key_id = pSMBr->SessionKey;
+ server->timeAdj = (int)(__s16)le16_to_cpu(pSMBr->ServerTimeZone);
+ server->timeAdj *= 60;
+
+diff --git a/fs/smb/client/sess.c b/fs/smb/client/sess.c
+index 12c99fb4023dc..5a24b80dc146a 100644
+--- a/fs/smb/client/sess.c
++++ b/fs/smb/client/sess.c
+@@ -631,6 +631,7 @@ static __u32 cifs_ssetup_hdr(struct cifs_ses *ses,
+ USHRT_MAX));
+ pSMB->req.MaxMpxCount = cpu_to_le16(server->maxReq);
+ pSMB->req.VcNumber = cpu_to_le16(1);
++ pSMB->req.SessionKey = server->session_key_id;
+
+ /* Now no need to set SMBFLG_CASELESS or obsolete CANONICAL PATH */
+
+--
+2.39.5
+
--- /dev/null
+From 238201cb479cffde9e90ee65f5ec1f77d897fe66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 31 Dec 2024 16:06:22 +0100
+Subject: cifs: Fix cifs_query_path_info() for Windows NT servers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit a3e771afbb3bce91c8296828304903e7348003fe ]
+
+For TRANS2 QUERY_PATH_INFO request when the path does not exist, the
+Windows NT SMB server returns error response STATUS_OBJECT_NAME_NOT_FOUND
+or ERRDOS/ERRbadfile without the SMBFLG_RESPONSE flag set. Similarly it
+returns STATUS_DELETE_PENDING when the file is being deleted. And looks
+like that any error response from TRANS2 QUERY_PATH_INFO does not have
+SMBFLG_RESPONSE flag set.
+
+So relax check in check_smb_hdr() for detecting if the packet is response
+for this special case.
+
+This change fixes stat() operation against Windows NT SMB servers and also
+all operations which depends on -ENOENT result from stat like creat() or
+mkdir().
+
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/misc.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/fs/smb/client/misc.c b/fs/smb/client/misc.c
+index 7b6ed9b23e713..e77017f470845 100644
+--- a/fs/smb/client/misc.c
++++ b/fs/smb/client/misc.c
+@@ -326,6 +326,14 @@ check_smb_hdr(struct smb_hdr *smb)
+ if (smb->Command == SMB_COM_LOCKING_ANDX)
+ return 0;
+
++ /*
++ * Windows NT server returns error resposne (e.g. STATUS_DELETE_PENDING
++ * or STATUS_OBJECT_NAME_NOT_FOUND or ERRDOS/ERRbadfile or any other)
++ * for some TRANS2 requests without the RESPONSE flag set in header.
++ */
++ if (smb->Command == SMB_COM_TRANSACTION2 && smb->Status.CifsError != 0)
++ return 0;
++
+ cifs_dbg(VFS, "Server sent request, not response. mid=%u\n",
+ get_mid(smb));
+ return 1;
+--
+2.39.5
+
--- /dev/null
+From b2a240351e98ed9961357f45d0dc39fdffac5589 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Oct 2024 19:24:29 +0200
+Subject: cifs: Fix encoding of SMB1 Session Setup NTLMSSP Request in
+ non-UNICODE mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit 6510ef4230b68c960309e0c1d6eb3e32eb785142 ]
+
+SMB1 Session Setup NTLMSSP Request in non-UNICODE mode is similar to
+UNICODE mode, just strings are encoded in ASCII and not in UTF-16.
+
+With this change it is possible to setup SMB1 session with NTLM
+authentication in non-UNICODE mode with Windows SMB server.
+
+This change fixes mounting SMB1 servers with -o nounicode mount option
+together with -o sec=ntlmssp mount option (which is the default sec=).
+
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/sess.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/fs/smb/client/sess.c b/fs/smb/client/sess.c
+index 5a24b80dc146a..330bc3d25badd 100644
+--- a/fs/smb/client/sess.c
++++ b/fs/smb/client/sess.c
+@@ -1688,22 +1688,22 @@ _sess_auth_rawntlmssp_assemble_req(struct sess_data *sess_data)
+ pSMB = (SESSION_SETUP_ANDX *)sess_data->iov[0].iov_base;
+
+ capabilities = cifs_ssetup_hdr(ses, server, pSMB);
+- if ((pSMB->req.hdr.Flags2 & SMBFLG2_UNICODE) == 0) {
+- cifs_dbg(VFS, "NTLMSSP requires Unicode support\n");
+- return -ENOSYS;
+- }
+-
+ pSMB->req.hdr.Flags2 |= SMBFLG2_EXT_SEC;
+ capabilities |= CAP_EXTENDED_SECURITY;
+ pSMB->req.Capabilities |= cpu_to_le32(capabilities);
+
+ bcc_ptr = sess_data->iov[2].iov_base;
+- /* unicode strings must be word aligned */
+- if (!IS_ALIGNED(sess_data->iov[0].iov_len + sess_data->iov[1].iov_len, 2)) {
+- *bcc_ptr = 0;
+- bcc_ptr++;
++
++ if (pSMB->req.hdr.Flags2 & SMBFLG2_UNICODE) {
++ /* unicode strings must be word aligned */
++ if (!IS_ALIGNED(sess_data->iov[0].iov_len + sess_data->iov[1].iov_len, 2)) {
++ *bcc_ptr = 0;
++ bcc_ptr++;
++ }
++ unicode_oslm_strings(&bcc_ptr, sess_data->nls_cp);
++ } else {
++ ascii_oslm_strings(&bcc_ptr, sess_data->nls_cp);
+ }
+- unicode_oslm_strings(&bcc_ptr, sess_data->nls_cp);
+
+ sess_data->iov[2].iov_len = (long) bcc_ptr -
+ (long) sess_data->iov[2].iov_base;
+--
+2.39.5
+
--- /dev/null
+From 9b235838090e0384b991bf39ba99b8c54994dba0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Mar 2025 11:58:47 +0000
+Subject: coresight: Only check bottom two claim bits
+
+From: James Clark <james.clark@linaro.org>
+
+[ Upstream commit a4e65842e1142aa18ef36113fbd81d614eaefe5a ]
+
+The use of the whole register and == could break the claim mechanism if
+any of the other bits are used in the future. The referenced doc "PSCI -
+ARM DEN 0022D" also says to only read and clear the bottom two bits.
+
+Use FIELD_GET() to extract only the relevant part.
+
+Reviewed-by: Leo Yan <leo.yan@arm.com>
+Reviewed-by: Yeoreum Yun <yeoreum.yun@arm.com>
+Signed-off-by: James Clark <james.clark@linaro.org>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Link: https://lore.kernel.org/r/20250325-james-coresight-claim-tags-v4-2-dfbd3822b2e5@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwtracing/coresight/coresight-core.c | 3 ++-
+ drivers/hwtracing/coresight/coresight-priv.h | 1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hwtracing/coresight/coresight-core.c b/drivers/hwtracing/coresight/coresight-core.c
+index d3523f0262af8..dfcb30da2e20b 100644
+--- a/drivers/hwtracing/coresight/coresight-core.c
++++ b/drivers/hwtracing/coresight/coresight-core.c
+@@ -131,7 +131,8 @@ coresight_find_out_connection(struct coresight_device *csdev,
+
+ static inline u32 coresight_read_claim_tags(struct coresight_device *csdev)
+ {
+- return csdev_access_relaxed_read32(&csdev->access, CORESIGHT_CLAIMCLR);
++ return FIELD_GET(CORESIGHT_CLAIM_MASK,
++ csdev_access_relaxed_read32(&csdev->access, CORESIGHT_CLAIMCLR));
+ }
+
+ static inline bool coresight_is_claimed_self_hosted(struct coresight_device *csdev)
+diff --git a/drivers/hwtracing/coresight/coresight-priv.h b/drivers/hwtracing/coresight/coresight-priv.h
+index 82644aff8d2b7..38bb4e8b50ef6 100644
+--- a/drivers/hwtracing/coresight/coresight-priv.h
++++ b/drivers/hwtracing/coresight/coresight-priv.h
+@@ -35,6 +35,7 @@ extern const struct device_type coresight_dev_type[];
+ * Coresight device CLAIM protocol.
+ * See PSCI - ARM DEN 0022D, Section: 6.8.1 Debug and Trace save and restore.
+ */
++#define CORESIGHT_CLAIM_MASK GENMASK(1, 0)
+ #define CORESIGHT_CLAIM_SELF_HOSTED BIT(1)
+
+ #define TIMEOUT_US 100
+--
+2.39.5
+
--- /dev/null
+From 9860320750b44be81d241a83757b3374e9acde00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Apr 2025 19:25:52 -0400
+Subject: cxl: core/region - ignore interleave granularity when ways=1
+
+From: Gregory Price <gourry@gourry.net>
+
+[ Upstream commit ce32b0c9c522e5a69ef9c62a56d6ca08fb036d67 ]
+
+When validating decoder IW/IG when setting up regions, the granularity
+is irrelevant when iw=1 - all accesses will always route to the only
+target anyway - so all ig values are "correct". Loosen the requirement
+that `ig = (parent_iw * parent_ig)` when iw=1.
+
+On some Zen5 platforms, the platform BIOS specifies a 256-byte
+interleave granularity window for host bridges when there is only
+one target downstream. This leads to Linux rejecting the configuration
+of a region with a x2 root with two x1 hostbridges.
+
+Decoder Programming:
+ root - iw:2 ig:256
+ hb1 - iw:1 ig:256 (Linux expects 512)
+ hb2 - iw:1 ig:256 (Linux expects 512)
+ ep1 - iw:2 ig:256
+ ep2 - iw:2 ig:256
+
+This change allows all decoders downstream of a passthrough decoder to
+also be configured as passthrough (iw:1 ig:X), but still disallows
+downstream decoders from applying subsequent interleaves.
+
+e.g. in the above example if there was another decoder south of hb1
+attempting to interleave 2 endpoints - Linux would enforce hb1.ig=512
+because the southern decoder would have iw:2 and require ig=pig*piw.
+
+[DJ: Fixed up against 6.15-rc1]
+
+Signed-off-by: Gregory Price <gourry@gourry.net>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Tested-by: Li Zhijian <lizhijian@fujitsu.com>
+Reviewed-by: Davidlohr Bueso <dave@stgolabs.net>
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reviewed-by: Dan Williams <dan.j.williams@intel.com>
+Link: https://patch.msgid.link/20250402232552.999634-1-gourry@gourry.net
+Signed-off-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cxl/core/region.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/cxl/core/region.c b/drivers/cxl/core/region.c
+index 24b161c7749f9..7585f0302f3a2 100644
+--- a/drivers/cxl/core/region.c
++++ b/drivers/cxl/core/region.c
+@@ -1446,7 +1446,7 @@ static int cxl_port_setup_targets(struct cxl_port *port,
+
+ if (test_bit(CXL_REGION_F_AUTO, &cxlr->flags)) {
+ if (cxld->interleave_ways != iw ||
+- cxld->interleave_granularity != ig ||
++ (iw > 1 && cxld->interleave_granularity != ig) ||
+ !region_res_match_cxl_range(p, &cxld->hpa_range) ||
+ ((cxld->flags & CXL_DECODER_F_ENABLE) == 0)) {
+ dev_err(&cxlr->dev,
+--
+2.39.5
+
--- /dev/null
+From 18d19aaa2002d6a6fe492bd4d1ff626c0e6a3e61 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 May 2025 17:06:58 +0200
+Subject: cxl/region: Add a dev_err() on missing target list entries
+
+From: Robert Richter <rrichter@amd.com>
+
+[ Upstream commit d90acdf49e18029cfe4194475c45ef143657737a ]
+
+Broken target lists are hard to discover as the driver fails at a
+later initialization stage. Add an error message for this.
+
+Example log messages:
+
+ cxl_mem mem1: failed to find endpoint6:0000:e0:01.3 in target list of decoder1.1
+ cxl_port endpoint6: failed to register decoder6.0: -6
+ cxl_port endpoint6: probe: 0
+
+Signed-off-by: Robert Richter <rrichter@amd.com>
+Reviewed-by: Gregory Price <gourry@gourry.net>
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Reviewed-by: Dan Williams <dan.j.williams@intel.com>
+Reviewed-by: Alison Schofield <alison.schofield@intel.com>
+Reviewed-by: "Fabio M. De Francesco" <fabio.m.de.francesco@linux.intel.com>
+Tested-by: Gregory Price <gourry@gourry.net>
+Acked-by: Dan Williams <dan.j.williams@intel.com>
+Link: https://patch.msgid.link/20250509150700.2817697-14-rrichter@amd.com
+Signed-off-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cxl/core/region.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/cxl/core/region.c b/drivers/cxl/core/region.c
+index c3f4dc244df77..24b161c7749f9 100644
+--- a/drivers/cxl/core/region.c
++++ b/drivers/cxl/core/region.c
+@@ -1805,6 +1805,13 @@ static int find_pos_and_ways(struct cxl_port *port, struct range *range,
+ }
+ put_device(dev);
+
++ if (rc)
++ dev_err(port->uport_dev,
++ "failed to find %s:%s in target list of %s\n",
++ dev_name(&port->dev),
++ dev_name(port->parent_dport->dport_dev),
++ dev_name(&cxlsd->cxld.dev));
++
+ return rc;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From ef50052315c22690f5c7eb630c3e3c06a3657c3d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 May 2025 21:10:10 -0400
+Subject: dm vdo indexer: don't read request structure after enqueuing
+
+From: Matthew Sakai <msakai@redhat.com>
+
+[ Upstream commit 3da732687d72078e52cc7f334a482383e84ca156 ]
+
+The function get_volume_page_protected may place a request on
+a queue for another thread to process asynchronously. When this
+happens, the volume should not read the request from the original
+thread. This can not currently cause problems, due to the way
+request processing is handled, but it is not safe in general.
+
+Reviewed-by: Ken Raeburn <raeburn@redhat.com>
+Signed-off-by: Matthew Sakai <msakai@redhat.com>
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm-vdo/indexer/volume.c | 24 +++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/md/dm-vdo/indexer/volume.c b/drivers/md/dm-vdo/indexer/volume.c
+index 655453bb276be..425b3a74f4dba 100644
+--- a/drivers/md/dm-vdo/indexer/volume.c
++++ b/drivers/md/dm-vdo/indexer/volume.c
+@@ -754,10 +754,11 @@ static int get_volume_page_protected(struct volume *volume, struct uds_request *
+ u32 physical_page, struct cached_page **page_ptr)
+ {
+ struct cached_page *page;
++ unsigned int zone_number = request->zone_number;
+
+ get_page_from_cache(&volume->page_cache, physical_page, &page);
+ if (page != NULL) {
+- if (request->zone_number == 0) {
++ if (zone_number == 0) {
+ /* Only one zone is allowed to update the LRU. */
+ make_page_most_recent(&volume->page_cache, page);
+ }
+@@ -767,7 +768,7 @@ static int get_volume_page_protected(struct volume *volume, struct uds_request *
+ }
+
+ /* Prepare to enqueue a read for the page. */
+- end_pending_search(&volume->page_cache, request->zone_number);
++ end_pending_search(&volume->page_cache, zone_number);
+ mutex_lock(&volume->read_threads_mutex);
+
+ /*
+@@ -787,8 +788,7 @@ static int get_volume_page_protected(struct volume *volume, struct uds_request *
+ * the order does not matter for correctness as it does below.
+ */
+ mutex_unlock(&volume->read_threads_mutex);
+- begin_pending_search(&volume->page_cache, physical_page,
+- request->zone_number);
++ begin_pending_search(&volume->page_cache, physical_page, zone_number);
+ return UDS_QUEUED;
+ }
+
+@@ -797,7 +797,7 @@ static int get_volume_page_protected(struct volume *volume, struct uds_request *
+ * "search pending" state in careful order so no other thread can mess with the data before
+ * the caller gets to look at it.
+ */
+- begin_pending_search(&volume->page_cache, physical_page, request->zone_number);
++ begin_pending_search(&volume->page_cache, physical_page, zone_number);
+ mutex_unlock(&volume->read_threads_mutex);
+ *page_ptr = page;
+ return UDS_SUCCESS;
+@@ -849,6 +849,7 @@ static int search_cached_index_page(struct volume *volume, struct uds_request *r
+ {
+ int result;
+ struct cached_page *page = NULL;
++ unsigned int zone_number = request->zone_number;
+ u32 physical_page = map_to_physical_page(volume->geometry, chapter,
+ index_page_number);
+
+@@ -858,18 +859,18 @@ static int search_cached_index_page(struct volume *volume, struct uds_request *r
+ * invalidation by the reader thread, before the reader thread has noticed that the
+ * invalidate_counter has been incremented.
+ */
+- begin_pending_search(&volume->page_cache, physical_page, request->zone_number);
++ begin_pending_search(&volume->page_cache, physical_page, zone_number);
+
+ result = get_volume_page_protected(volume, request, physical_page, &page);
+ if (result != UDS_SUCCESS) {
+- end_pending_search(&volume->page_cache, request->zone_number);
++ end_pending_search(&volume->page_cache, zone_number);
+ return result;
+ }
+
+ result = uds_search_chapter_index_page(&page->index_page, volume->geometry,
+ &request->record_name,
+ record_page_number);
+- end_pending_search(&volume->page_cache, request->zone_number);
++ end_pending_search(&volume->page_cache, zone_number);
+ return result;
+ }
+
+@@ -882,6 +883,7 @@ int uds_search_cached_record_page(struct volume *volume, struct uds_request *req
+ {
+ struct cached_page *record_page;
+ struct index_geometry *geometry = volume->geometry;
++ unsigned int zone_number = request->zone_number;
+ int result;
+ u32 physical_page, page_number;
+
+@@ -905,11 +907,11 @@ int uds_search_cached_record_page(struct volume *volume, struct uds_request *req
+ * invalidation by the reader thread, before the reader thread has noticed that the
+ * invalidate_counter has been incremented.
+ */
+- begin_pending_search(&volume->page_cache, physical_page, request->zone_number);
++ begin_pending_search(&volume->page_cache, physical_page, zone_number);
+
+ result = get_volume_page_protected(volume, request, physical_page, &record_page);
+ if (result != UDS_SUCCESS) {
+- end_pending_search(&volume->page_cache, request->zone_number);
++ end_pending_search(&volume->page_cache, zone_number);
+ return result;
+ }
+
+@@ -917,7 +919,7 @@ int uds_search_cached_record_page(struct volume *volume, struct uds_request *req
+ &request->record_name, geometry, &request->old_metadata))
+ *found = true;
+
+- end_pending_search(&volume->page_cache, request->zone_number);
++ end_pending_search(&volume->page_cache, zone_number);
+ return UDS_SUCCESS;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 1f84dfaacf959eff8eb9e251d91311c2ac6d23b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 May 2025 08:03:04 +0800
+Subject: dmaengine: idxd: Check availability of workqueue allocated by idxd wq
+ driver before using
+
+From: Yi Sun <yi.sun@intel.com>
+
+[ Upstream commit 17502e7d7b7113346296f6758324798d536c31fd ]
+
+Running IDXD workloads in a container with the /dev directory mounted can
+trigger a call trace or even a kernel panic when the parent process of the
+container is terminated.
+
+This issue occurs because, under certain configurations, Docker does not
+properly propagate the mount replica back to the original mount point.
+
+In this case, when the user driver detaches, the WQ is destroyed but it
+still calls destroy_workqueue() attempting to completes all pending work.
+It's necessary to check wq->wq and skip the drain if it no longer exists.
+
+Signed-off-by: Yi Sun <yi.sun@intel.com>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Reviewed-by: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
+
+Link: https://lore.kernel.org/r/20250509000304.1402863-1-yi.sun@intel.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/idxd/cdev.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/dma/idxd/cdev.c b/drivers/dma/idxd/cdev.c
+index 6d12033649f81..bc934bc249df1 100644
+--- a/drivers/dma/idxd/cdev.c
++++ b/drivers/dma/idxd/cdev.c
+@@ -349,7 +349,9 @@ static void idxd_cdev_evl_drain_pasid(struct idxd_wq *wq, u32 pasid)
+ set_bit(h, evl->bmap);
+ h = (h + 1) % size;
+ }
+- drain_workqueue(wq->wq);
++ if (wq->wq)
++ drain_workqueue(wq->wq);
++
+ mutex_unlock(&evl->lock);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From e2f8733290c715e961ba49fd8d42efe7b9001c2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 May 2025 20:21:01 +0200
+Subject: dmaengine: xilinx_dma: Set dma_device directions
+
+From: Thomas Gessler <thomas.gessler@brueckmann-gmbh.de>
+
+[ Upstream commit 7e01511443c30a55a5ae78d3debd46d4d872517e ]
+
+Coalesce the direction bits from the enabled TX and/or RX channels into
+the directions bit mask of dma_device. Without this mask set,
+dma_get_slave_caps() in the DMAEngine fails, which prevents the driver
+from being used with an IIO DMAEngine buffer.
+
+Signed-off-by: Thomas Gessler <thomas.gessler@brueckmann-gmbh.de>
+Reviewed-by: Suraj Gupta <suraj.gupta2@amd.com>
+Tested-by: Folker Schwesinger <dev@folker-schwesinger.de>
+Link: https://lore.kernel.org/r/20250507182101.909010-1-thomas.gessler@brueckmann-gmbh.de
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/xilinx/xilinx_dma.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c
+index 3ad44afd0e74e..8f26b6eff3f3e 100644
+--- a/drivers/dma/xilinx/xilinx_dma.c
++++ b/drivers/dma/xilinx/xilinx_dma.c
+@@ -2909,6 +2909,8 @@ static int xilinx_dma_chan_probe(struct xilinx_dma_device *xdev,
+ return -EINVAL;
+ }
+
++ xdev->common.directions |= chan->direction;
++
+ /* Request the interrupt */
+ chan->irq = of_irq_get(node, chan->tdest);
+ if (chan->irq < 0)
+--
+2.39.5
+
--- /dev/null
+From 659b6da5ca4bc3f06532fb24c7a7beb73d905965 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 May 2025 11:13:52 -0400
+Subject: drm/amdgpu: seq64 memory unmap uses uninterruptible lock
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Philip Yang <Philip.Yang@amd.com>
+
+[ Upstream commit a359288ccb4dd8edb086e7de8fdf6e36f544c922 ]
+
+To unmap and free seq64 memory when drm node close to free vm, if there
+is signal accepted, then taking vm lock failed and leaking seq64 va
+mapping, and then dmesg has error log "still active bo inside vm".
+
+Change to use uninterruptible lock fix the mapping leaking and no dmesg
+error log.
+
+Signed-off-by: Philip Yang <Philip.Yang@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_seq64.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_seq64.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_seq64.c
+index e22cb2b5cd926..dba8051b8c14b 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_seq64.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_seq64.c
+@@ -133,7 +133,7 @@ void amdgpu_seq64_unmap(struct amdgpu_device *adev, struct amdgpu_fpriv *fpriv)
+
+ vm = &fpriv->vm;
+
+- drm_exec_init(&exec, DRM_EXEC_INTERRUPTIBLE_WAIT, 0);
++ drm_exec_init(&exec, 0, 0);
+ drm_exec_until_all_locked(&exec) {
+ r = amdgpu_vm_lock_pd(vm, &exec, 0);
+ if (likely(!r))
+--
+2.39.5
+
--- /dev/null
+From 8522d10ab9db1e41585387320af75de8ce957c13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 May 2025 18:54:01 -0400
+Subject: drm/amdgpu/vcn2.5: read back register after written
+
+From: David (Ming Qiang) Wu <David.Wu3@amd.com>
+
+[ Upstream commit d9e688b9148bb23629d32017344888dd67ec2ab1 ]
+
+The addition of register read-back in VCN v2.5 is intended to prevent
+potential race conditions.
+
+Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>
+Signed-off-by: David (Ming Qiang) Wu <David.Wu3@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c b/drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c
+index 3eec1b8feaeea..58b527a6b795f 100644
+--- a/drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c
++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c
+@@ -1158,6 +1158,11 @@ static int vcn_v2_5_start_dpg_mode(struct amdgpu_vcn_inst *vinst, bool indirect)
+ WREG32_P(SOC15_REG_OFFSET(VCN, inst_idx, mmUVD_POWER_STATUS),
+ 0, ~UVD_POWER_STATUS__STALL_DPG_POWER_UP_MASK);
+
++ /* Keeping one read-back to ensure all register writes are done,
++ * otherwise it may introduce race conditions.
++ */
++ RREG32_SOC15(VCN, inst_idx, mmUVD_STATUS);
++
+ return 0;
+ }
+
+@@ -1343,6 +1348,11 @@ static int vcn_v2_5_start(struct amdgpu_vcn_inst *vinst)
+ WREG32_SOC15(VCN, i, mmUVD_RB_SIZE2, ring->ring_size / 4);
+ fw_shared->multi_queue.encode_lowlatency_queue_mode &= ~FW_QUEUE_RING_RESET;
+
++ /* Keeping one read-back to ensure all register writes are done,
++ * otherwise it may introduce race conditions.
++ */
++ RREG32_SOC15(VCN, i, mmUVD_STATUS);
++
+ return 0;
+ }
+
+@@ -1569,6 +1579,11 @@ static int vcn_v2_5_stop_dpg_mode(struct amdgpu_vcn_inst *vinst)
+ WREG32_P(SOC15_REG_OFFSET(VCN, inst_idx, mmUVD_POWER_STATUS), 0,
+ ~UVD_POWER_STATUS__UVD_PG_MODE_MASK);
+
++ /* Keeping one read-back to ensure all register writes are done,
++ * otherwise it may introduce race conditions.
++ */
++ RREG32_SOC15(VCN, inst_idx, mmUVD_STATUS);
++
+ return 0;
+ }
+
+@@ -1635,6 +1650,10 @@ static int vcn_v2_5_stop(struct amdgpu_vcn_inst *vinst)
+ UVD_POWER_STATUS__UVD_POWER_STATUS_MASK,
+ ~UVD_POWER_STATUS__UVD_POWER_STATUS_MASK);
+
++ /* Keeping one read-back to ensure all register writes are done,
++ * otherwise it may introduce race conditions.
++ */
++ RREG32_SOC15(VCN, i, mmUVD_STATUS);
+ done:
+ if (adev->pm.dpm_enabled)
+ amdgpu_dpm_enable_vcn(adev, false, i);
+--
+2.39.5
+
--- /dev/null
+From 59a1a655521843da8844c282f500c1d60bb053fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 May 2025 18:54:39 -0400
+Subject: drm/amdgpu/vcn3: read back register after written
+
+From: David (Ming Qiang) Wu <David.Wu3@amd.com>
+
+[ Upstream commit b7a4842a917e3a251b5a6aa1a21a5daf6d396ef3 ]
+
+The addition of register read-back in VCN v3.0 is intended to prevent
+potential race conditions.
+
+Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>
+Signed-off-by: David (Ming Qiang) Wu <David.Wu3@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c b/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c
+index 0b19f0ab4480d..9fb0d53805892 100644
+--- a/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c
+@@ -1173,6 +1173,11 @@ static int vcn_v3_0_start_dpg_mode(struct amdgpu_vcn_inst *vinst, bool indirect)
+ WREG32_P(SOC15_REG_OFFSET(VCN, inst_idx, mmUVD_POWER_STATUS),
+ 0, ~UVD_POWER_STATUS__STALL_DPG_POWER_UP_MASK);
+
++ /* Keeping one read-back to ensure all register writes are done,
++ * otherwise it may introduce race conditions.
++ */
++ RREG32_SOC15(VCN, inst_idx, mmUVD_STATUS);
++
+ return 0;
+ }
+
+@@ -1360,6 +1365,11 @@ static int vcn_v3_0_start(struct amdgpu_vcn_inst *vinst)
+ fw_shared->multi_queue.encode_lowlatency_queue_mode &= cpu_to_le32(~FW_QUEUE_RING_RESET);
+ }
+
++ /* Keeping one read-back to ensure all register writes are done,
++ * otherwise it may introduce race conditions.
++ */
++ RREG32_SOC15(VCN, i, mmUVD_STATUS);
++
+ return 0;
+ }
+
+@@ -1602,6 +1612,11 @@ static int vcn_v3_0_stop_dpg_mode(struct amdgpu_vcn_inst *vinst)
+ WREG32_P(SOC15_REG_OFFSET(VCN, inst_idx, mmUVD_POWER_STATUS), 0,
+ ~UVD_POWER_STATUS__UVD_PG_MODE_MASK);
+
++ /* Keeping one read-back to ensure all register writes are done,
++ * otherwise it may introduce race conditions.
++ */
++ RREG32_SOC15(VCN, inst_idx, mmUVD_STATUS);
++
+ return 0;
+ }
+
+@@ -1674,6 +1689,11 @@ static int vcn_v3_0_stop(struct amdgpu_vcn_inst *vinst)
+ /* enable VCN power gating */
+ vcn_v3_0_enable_static_power_gating(vinst);
+
++ /* Keeping one read-back to ensure all register writes are done,
++ * otherwise it may introduce race conditions.
++ */
++ RREG32_SOC15(VCN, i, mmUVD_STATUS);
++
+ done:
+ if (adev->pm.dpm_enabled)
+ amdgpu_dpm_enable_vcn(adev, false, i);
+--
+2.39.5
+
--- /dev/null
+From 57c2f4e28684b6b498a93233a3fbc2deda675563 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 May 2025 18:55:27 -0400
+Subject: drm/amdgpu/vcn4: read back register after written
+
+From: David (Ming Qiang) Wu <David.Wu3@amd.com>
+
+[ Upstream commit a3810a5e37c58329aa2c7992f3172a423f4ae194 ]
+
+The addition of register read-back in VCN v4.0.0 is intended to prevent
+potential race conditions.
+
+Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>
+Signed-off-by: David (Ming Qiang) Wu <David.Wu3@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
+index 1f777c125b00d..4a88a4d37aeeb 100644
+--- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
+@@ -1122,6 +1122,11 @@ static int vcn_v4_0_start_dpg_mode(struct amdgpu_vcn_inst *vinst, bool indirect)
+ ring->doorbell_index << VCN_RB1_DB_CTRL__OFFSET__SHIFT |
+ VCN_RB1_DB_CTRL__EN_MASK);
+
++ /* Keeping one read-back to ensure all register writes are done,
++ * otherwise it may introduce race conditions.
++ */
++ RREG32_SOC15(VCN, inst_idx, regUVD_STATUS);
++
+ return 0;
+ }
+
+@@ -1303,6 +1308,11 @@ static int vcn_v4_0_start(struct amdgpu_vcn_inst *vinst)
+ WREG32_SOC15(VCN, i, regVCN_RB_ENABLE, tmp);
+ fw_shared->sq.queue_mode &= ~(FW_QUEUE_RING_RESET | FW_QUEUE_DPG_HOLD_OFF);
+
++ /* Keeping one read-back to ensure all register writes are done,
++ * otherwise it may introduce race conditions.
++ */
++ RREG32_SOC15(VCN, i, regUVD_STATUS);
++
+ return 0;
+ }
+
+@@ -1583,6 +1593,11 @@ static void vcn_v4_0_stop_dpg_mode(struct amdgpu_vcn_inst *vinst)
+ /* disable dynamic power gating mode */
+ WREG32_P(SOC15_REG_OFFSET(VCN, inst_idx, regUVD_POWER_STATUS), 0,
+ ~UVD_POWER_STATUS__UVD_PG_MODE_MASK);
++
++ /* Keeping one read-back to ensure all register writes are done,
++ * otherwise it may introduce race conditions.
++ */
++ RREG32_SOC15(VCN, inst_idx, regUVD_STATUS);
+ }
+
+ /**
+@@ -1666,6 +1681,11 @@ static int vcn_v4_0_stop(struct amdgpu_vcn_inst *vinst)
+ /* enable VCN power gating */
+ vcn_v4_0_enable_static_power_gating(vinst);
+
++ /* Keeping one read-back to ensure all register writes are done,
++ * otherwise it may introduce race conditions.
++ */
++ RREG32_SOC15(VCN, i, regUVD_STATUS);
++
+ done:
+ if (adev->pm.dpm_enabled)
+ amdgpu_dpm_enable_vcn(adev, false, i);
+--
+2.39.5
+
--- /dev/null
+From dbc495d7a38a59a6b45c526bac067673ccc2b7c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 May 2025 18:59:11 -0400
+Subject: drm/amdgpu/vcn5.0.1: read back register after written
+
+From: David (Ming Qiang) Wu <David.Wu3@amd.com>
+
+[ Upstream commit bf394d28548c3c0a01e113fdef20ddb6cd2df106 ]
+
+The addition of register read-back in VCN v5.0.1 is intended to prevent
+potential race conditions.
+
+Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>
+Signed-off-by: David (Ming Qiang) Wu <David.Wu3@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/vcn_v5_0_1.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_1.c b/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_1.c
+index e0e84ef7f5686..9a142a21aaea8 100644
+--- a/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_1.c
++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v5_0_1.c
+@@ -809,6 +809,11 @@ static int vcn_v5_0_1_start(struct amdgpu_vcn_inst *vinst)
+ WREG32_SOC15(VCN, vcn_inst, regVCN_RB_ENABLE, tmp);
+ fw_shared->sq.queue_mode &= ~(FW_QUEUE_RING_RESET | FW_QUEUE_DPG_HOLD_OFF);
+
++ /* Keeping one read-back to ensure all register writes are done,
++ * otherwise it may introduce race conditions.
++ */
++ RREG32_SOC15(VCN, vcn_inst, regUVD_STATUS);
++
+ return 0;
+ }
+
+@@ -843,6 +848,11 @@ static void vcn_v5_0_1_stop_dpg_mode(struct amdgpu_vcn_inst *vinst)
+ /* disable dynamic power gating mode */
+ WREG32_P(SOC15_REG_OFFSET(VCN, vcn_inst, regUVD_POWER_STATUS), 0,
+ ~UVD_POWER_STATUS__UVD_PG_MODE_MASK);
++
++ /* Keeping one read-back to ensure all register writes are done,
++ * otherwise it may introduce race conditions.
++ */
++ RREG32_SOC15(VCN, vcn_inst, regUVD_STATUS);
+ }
+
+ /**
+@@ -918,6 +928,11 @@ static int vcn_v5_0_1_stop(struct amdgpu_vcn_inst *vinst)
+ /* clear status */
+ WREG32_SOC15(VCN, vcn_inst, regUVD_STATUS, 0);
+
++ /* Keeping one read-back to ensure all register writes are done,
++ * otherwise it may introduce race conditions.
++ */
++ RREG32_SOC15(VCN, vcn_inst, regUVD_STATUS);
++
+ return 0;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From be7d4aae9d9d5d03209ccc8de784143814449e1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 May 2025 15:16:54 +0300
+Subject: drm/i915/display: Add check for alloc_ordered_workqueue() and
+ alloc_workqueue()
+
+From: Haoxiang Li <haoxiang_li2024@163.com>
+
+[ Upstream commit f4c7baa0699b69edb6887a992283b389761e0e81 ]
+
+Add check for the return value of alloc_ordered_workqueue()
+and alloc_workqueue(). Furthermore, if some allocations fail,
+cleanup works are added to avoid potential memory leak problem.
+
+Fixes: 40053823baad ("drm/i915/display: move modeset probe/remove functions to intel_display_driver.c")
+Cc: stable@vger.kernel.org
+Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
+Reviewed-by: Matthew Auld <matthew.auld@intel.com>
+Link: https://lore.kernel.org/r/20d3d096c6a4907636f8a1389b3b4dd753ca356e.1747397638.git.jani.nikula@intel.com
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+(cherry picked from commit dcab7a228f4ea9cda3f5b0a1f0679e046d23d7f7)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../drm/i915/display/intel_display_driver.c | 30 +++++++++++++++----
+ 1 file changed, 25 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/display/intel_display_driver.c b/drivers/gpu/drm/i915/display/intel_display_driver.c
+index 31740a677dd80..14c8b3259bbf5 100644
+--- a/drivers/gpu/drm/i915/display/intel_display_driver.c
++++ b/drivers/gpu/drm/i915/display/intel_display_driver.c
+@@ -241,31 +241,45 @@ int intel_display_driver_probe_noirq(struct intel_display *display)
+ intel_dmc_init(display);
+
+ display->wq.modeset = alloc_ordered_workqueue("i915_modeset", 0);
++ if (!display->wq.modeset) {
++ ret = -ENOMEM;
++ goto cleanup_vga_client_pw_domain_dmc;
++ }
++
+ display->wq.flip = alloc_workqueue("i915_flip", WQ_HIGHPRI |
+ WQ_UNBOUND, WQ_UNBOUND_MAX_ACTIVE);
++ if (!display->wq.flip) {
++ ret = -ENOMEM;
++ goto cleanup_wq_modeset;
++ }
++
+ display->wq.cleanup = alloc_workqueue("i915_cleanup", WQ_HIGHPRI, 0);
++ if (!display->wq.cleanup) {
++ ret = -ENOMEM;
++ goto cleanup_wq_flip;
++ }
+
+ intel_mode_config_init(display);
+
+ ret = intel_cdclk_init(display);
+ if (ret)
+- goto cleanup_vga_client_pw_domain_dmc;
++ goto cleanup_wq_cleanup;
+
+ ret = intel_color_init(display);
+ if (ret)
+- goto cleanup_vga_client_pw_domain_dmc;
++ goto cleanup_wq_cleanup;
+
+ ret = intel_dbuf_init(i915);
+ if (ret)
+- goto cleanup_vga_client_pw_domain_dmc;
++ goto cleanup_wq_cleanup;
+
+ ret = intel_bw_init(i915);
+ if (ret)
+- goto cleanup_vga_client_pw_domain_dmc;
++ goto cleanup_wq_cleanup;
+
+ ret = intel_pmdemand_init(display);
+ if (ret)
+- goto cleanup_vga_client_pw_domain_dmc;
++ goto cleanup_wq_cleanup;
+
+ intel_init_quirks(display);
+
+@@ -273,6 +287,12 @@ int intel_display_driver_probe_noirq(struct intel_display *display)
+
+ return 0;
+
++cleanup_wq_cleanup:
++ destroy_workqueue(display->wq.cleanup);
++cleanup_wq_flip:
++ destroy_workqueue(display->wq.flip);
++cleanup_wq_modeset:
++ destroy_workqueue(display->wq.modeset);
+ cleanup_vga_client_pw_domain_dmc:
+ intel_dmc_fini(display);
+ intel_power_domains_driver_remove(display);
+--
+2.39.5
+
--- /dev/null
+From 9abc670c831b689d5f1ad1af6f45df79795a280f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 May 2025 21:22:15 +0200
+Subject: drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+[ Upstream commit 25eeba495b2fc16037647c1a51bcdf6fc157af5c ]
+
+The intel-media-driver is currently broken on DG1 because
+it uses EXEC_CAPTURE with recovarable contexts. Relax the
+check to allow that.
+
+I've also submitted a fix for the intel-media-driver:
+https://github.com/intel/media-driver/pull/1920
+
+Cc: stable@vger.kernel.org # v6.0+
+Cc: Matthew Auld <matthew.auld@intel.com>
+Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Testcase: igt/gem_exec_capture/capture-invisible
+Fixes: 71b1669ea9bd ("drm/i915/uapi: tweak error capture on recoverable contexts")
+Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
+Link: https://lore.kernel.org/r/20250411144313.11660-2-ville.syrjala@linux.intel.com
+(cherry picked from commit d6e020819612a4a06207af858e0978be4d3e3140)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Stable-dep-of: ed5915cfce2a ("Revert "drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on DG1"")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c
+index 7796c4119ef5e..1974a300b24a1 100644
+--- a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c
++++ b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c
+@@ -2014,7 +2014,7 @@ static int eb_capture_stage(struct i915_execbuffer *eb)
+ continue;
+
+ if (i915_gem_context_is_recoverable(eb->gem_context) &&
+- (IS_DGFX(eb->i915) || GRAPHICS_VER_FULL(eb->i915) > IP_VER(12, 0)))
++ GRAPHICS_VER_FULL(eb->i915) > IP_VER(12, 10))
+ return -EINVAL;
+
+ for_each_batch_create_order(eb, j) {
+--
+2.39.5
+
--- /dev/null
+From 1488db9c5db8e6d5663a026bf141178735c5f1f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 May 2025 10:07:13 +0800
+Subject: drm/scheduler: signal scheduled fence when kill job
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lin.Cao <lincao12@amd.com>
+
+[ Upstream commit 471db2c2d4f80ee94225a1ef246e4f5011733e50 ]
+
+When an entity from application B is killed, drm_sched_entity_kill()
+removes all jobs belonging to that entity through
+drm_sched_entity_kill_jobs_work(). If application A's job depends on a
+scheduled fence from application B's job, and that fence is not properly
+signaled during the killing process, application A's dependency cannot be
+cleared.
+
+This leads to application A hanging indefinitely while waiting for a
+dependency that will never be resolved. Fix this issue by ensuring that
+scheduled fences are properly signaled when an entity is killed, allowing
+dependent applications to continue execution.
+
+Signed-off-by: Lin.Cao <lincao12@amd.com>
+Reviewed-by: Philipp Stanner <phasta@kernel.org>
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Link: https://lore.kernel.org/r/20250515020713.1110476-1-lincao12@amd.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/scheduler/sched_entity.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/scheduler/sched_entity.c b/drivers/gpu/drm/scheduler/sched_entity.c
+index bd39db7bb2408..e671aa2417206 100644
+--- a/drivers/gpu/drm/scheduler/sched_entity.c
++++ b/drivers/gpu/drm/scheduler/sched_entity.c
+@@ -176,6 +176,7 @@ static void drm_sched_entity_kill_jobs_work(struct work_struct *wrk)
+ {
+ struct drm_sched_job *job = container_of(wrk, typeof(*job), work);
+
++ drm_sched_fence_scheduled(job->s_fence, NULL);
+ drm_sched_fence_finished(job->s_fence, -ESRCH);
+ WARN_ON(job->s_fence->parent);
+ job->sched->ops->free_job(job);
+--
+2.39.5
+
--- /dev/null
+From 81b113d948a44c1edda719cd1d870e8bfdc5bd07 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 May 2025 19:25:38 +0800
+Subject: f2fs: don't over-report free space or inodes in statvfs
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit a9201960623287927bf5776de3f70fb2fbde7e02 ]
+
+This fixes an analogus bug that was fixed in modern filesystems:
+a) xfs in commit 4b8d867ca6e2 ("xfs: don't over-report free space or
+inodes in statvfs")
+b) ext4 in commit f87d3af74193 ("ext4: don't over-report free space
+or inodes in statvfs")
+where statfs can report misleading / incorrect information where
+project quota is enabled, and the free space is less than the
+remaining quota.
+
+This commit will resolve a test failure in generic/762 which tests
+for this bug.
+
+generic/762 - output mismatch (see /share/git/fstests/results//generic/762.out.bad)
+ --- tests/generic/762.out 2025-04-15 10:21:53.371067071 +0800
+ +++ /share/git/fstests/results//generic/762.out.bad 2025-05-13 16:13:37.000000000 +0800
+ @@ -6,8 +6,10 @@
+ root blocks2 is in range
+ dir blocks2 is in range
+ root bavail2 is in range
+ -dir bavail2 is in range
+ +dir bavail2 has value of 1539066
+ +dir bavail2 is NOT in range 304734.87 .. 310891.13
+ root blocks3 is in range
+ ...
+ (Run 'diff -u /share/git/fstests/tests/generic/762.out /share/git/fstests/results//generic/762.out.bad' to see the entire diff)
+
+HINT: You _MAY_ be missing kernel fix:
+ XXXXXXXXXXXXXX xfs: don't over-report free space or inodes in statvfs
+
+Cc: stable@kernel.org
+Fixes: ddc34e328d06 ("f2fs: introduce f2fs_statfs_project")
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/super.c | 30 ++++++++++++++++++------------
+ 1 file changed, 18 insertions(+), 12 deletions(-)
+
+diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
+index bc510c91f3eba..86dd30eb50b1d 100644
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -1806,26 +1806,32 @@ static int f2fs_statfs_project(struct super_block *sb,
+
+ limit = min_not_zero(dquot->dq_dqb.dqb_bsoftlimit,
+ dquot->dq_dqb.dqb_bhardlimit);
+- if (limit)
+- limit >>= sb->s_blocksize_bits;
++ limit >>= sb->s_blocksize_bits;
++
++ if (limit) {
++ uint64_t remaining = 0;
+
+- if (limit && buf->f_blocks > limit) {
+ curblock = (dquot->dq_dqb.dqb_curspace +
+ dquot->dq_dqb.dqb_rsvspace) >> sb->s_blocksize_bits;
+- buf->f_blocks = limit;
+- buf->f_bfree = buf->f_bavail =
+- (buf->f_blocks > curblock) ?
+- (buf->f_blocks - curblock) : 0;
++ if (limit > curblock)
++ remaining = limit - curblock;
++
++ buf->f_blocks = min(buf->f_blocks, limit);
++ buf->f_bfree = min(buf->f_bfree, remaining);
++ buf->f_bavail = min(buf->f_bavail, remaining);
+ }
+
+ limit = min_not_zero(dquot->dq_dqb.dqb_isoftlimit,
+ dquot->dq_dqb.dqb_ihardlimit);
+
+- if (limit && buf->f_files > limit) {
+- buf->f_files = limit;
+- buf->f_ffree =
+- (buf->f_files > dquot->dq_dqb.dqb_curinodes) ?
+- (buf->f_files - dquot->dq_dqb.dqb_curinodes) : 0;
++ if (limit) {
++ uint64_t remaining = 0;
++
++ if (limit > dquot->dq_dqb.dqb_curinodes)
++ remaining = limit - dquot->dq_dqb.dqb_curinodes;
++
++ buf->f_files = min(buf->f_files, limit);
++ buf->f_ffree = min(buf->f_ffree, remaining);
+ }
+
+ spin_unlock(&dquot->dq_dqb_lock);
+--
+2.39.5
+
--- /dev/null
+From 51f707dabe335e675b05edcc20a1a0616175222a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 May 2025 04:04:21 +0000
+Subject: fuse: fix race between concurrent setattrs from multiple nodes
+
+From: Guang Yuan Wu <gwu@ddn.com>
+
+[ Upstream commit 69efbff69f89c9b2b72c4d82ad8b59706add768a ]
+
+When mounting a user-space filesystem on multiple clients, after
+concurrent ->setattr() calls from different node, stale inode
+attributes may be cached in some node.
+
+This is caused by fuse_setattr() racing with
+fuse_reverse_inval_inode().
+
+When filesystem server receives setattr request, the client node
+with valid iattr cached will be required to update the fuse_inode's
+attr_version and invalidate the cache by fuse_reverse_inval_inode(),
+and at the next call to ->getattr() they will be fetched from user
+space.
+
+The race scenario is:
+1. client-1 sends setattr (iattr-1) request to server
+2. client-1 receives the reply from server
+3. before client-1 updates iattr-1 to the cached attributes by
+ fuse_change_attributes_common(), server receives another setattr
+ (iattr-2) request from client-2
+4. server requests client-1 to update the inode attr_version and
+ invalidate the cached iattr, and iattr-1 becomes staled
+5. client-2 receives the reply from server, and caches iattr-2
+6. continue with step 2, client-1 invokes
+ fuse_change_attributes_common(), and caches iattr-1
+
+The issue has been observed from concurrent of chmod, chown, or
+truncate, which all invoke ->setattr() call.
+
+The solution is to use fuse_inode's attr_version to check whether
+the attributes have been modified during the setattr request's
+lifetime. If so, mark the attributes as invalid in the function
+fuse_change_attributes_common().
+
+Signed-off-by: Guang Yuan Wu <gwu@ddn.com>
+Reviewed-by: Bernd Schubert <bschubert@ddn.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/fuse/dir.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
+index 83ac192e7fdd1..fa90309030e21 100644
+--- a/fs/fuse/dir.c
++++ b/fs/fuse/dir.c
+@@ -1946,6 +1946,7 @@ int fuse_do_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
+ int err;
+ bool trust_local_cmtime = is_wb;
+ bool fault_blocked = false;
++ u64 attr_version;
+
+ if (!fc->default_permissions)
+ attr->ia_valid |= ATTR_FORCE;
+@@ -2030,6 +2031,8 @@ int fuse_do_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
+ if (fc->handle_killpriv_v2 && !capable(CAP_FSETID))
+ inarg.valid |= FATTR_KILL_SUIDGID;
+ }
++
++ attr_version = fuse_get_attr_version(fm->fc);
+ fuse_setattr_fill(fc, &args, inode, &inarg, &outarg);
+ err = fuse_simple_request(fm, &args);
+ if (err) {
+@@ -2055,6 +2058,14 @@ int fuse_do_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
+ /* FIXME: clear I_DIRTY_SYNC? */
+ }
+
++ if (fi->attr_version > attr_version) {
++ /*
++ * Apply attributes, for example for fsnotify_change(), but set
++ * attribute timeout to zero.
++ */
++ outarg.attr_valid = outarg.attr_valid_nsec = 0;
++ }
++
+ fuse_change_attributes_common(inode, &outarg.attr, NULL,
+ ATTR_TIMEOUT(&outarg),
+ fuse_get_cache_mask(inode), 0);
+--
+2.39.5
+
--- /dev/null
+From d520e9108f4180c94d2b333d8dc8e8726cb0507e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 May 2025 16:40:51 +0800
+Subject: hwmon: (isl28022) Fix current reading calculation
+
+From: Yikai Tsai <yikai.tsai.wiwynn@gmail.com>
+
+[ Upstream commit b2446a16dbf2347a07af0cf994ca36576d94df77 ]
+
+According to the ISL28022 datasheet, bit15 of the current register is
+representing -32768. Fix the calculation to properly handle this bit,
+ensuring correct measurements for negative values.
+
+Signed-off-by: Yikai Tsai <yikai.tsai.wiwynn@gmail.com>
+Link: https://lore.kernel.org/r/20250519084055.3787-2-yikai.tsai.wiwynn@gmail.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/isl28022.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwmon/isl28022.c b/drivers/hwmon/isl28022.c
+index 1fb9864635db9..1b4fb0824d6c0 100644
+--- a/drivers/hwmon/isl28022.c
++++ b/drivers/hwmon/isl28022.c
+@@ -154,6 +154,7 @@ static int isl28022_read_current(struct device *dev, u32 attr, long *val)
+ struct isl28022_data *data = dev_get_drvdata(dev);
+ unsigned int regval;
+ int err;
++ u16 sign_bit;
+
+ switch (attr) {
+ case hwmon_curr_input:
+@@ -161,8 +162,9 @@ static int isl28022_read_current(struct device *dev, u32 attr, long *val)
+ ISL28022_REG_CURRENT, ®val);
+ if (err < 0)
+ return err;
+- *val = ((long)regval * 1250L * (long)data->gain) /
+- (long)data->shunt;
++ sign_bit = (regval >> 15) & 0x01;
++ *val = (((long)(((u16)regval) & 0x7FFF) - (sign_bit * 32768)) *
++ 1250L * (long)data->gain) / (long)data->shunt;
+ break;
+ default:
+ return -EOPNOTSUPP;
+--
+2.39.5
+
--- /dev/null
+From 2f23389a15b91a1cb9e9bd6a66c88e64d26067a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Apr 2025 11:47:24 +0800
+Subject: hwmon: (pmbus/max34440) Fix support for max34451
+
+From: Alexis Czezar Torreno <alexisczezar.torreno@analog.com>
+
+[ Upstream commit 19932f844f3f51646f762f3eac4744ec3a405064 ]
+
+The max344** family has an issue with some PMBUS address being switched.
+This includes max34451 however version MAX34451-NA6 and later has this
+issue fixed and this commit supports that update.
+
+Signed-off-by: Alexis Czezar Torreno <alexisczezar.torreno@analog.com>
+Link: https://lore.kernel.org/r/20250407-dev_adpm12160-v3-1-9cd3095445c8@analog.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/pmbus/max34440.c | 48 +++++++++++++++++++++++++++++++---
+ 1 file changed, 44 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/hwmon/pmbus/max34440.c b/drivers/hwmon/pmbus/max34440.c
+index c9dda33831ff2..d6d556b013853 100644
+--- a/drivers/hwmon/pmbus/max34440.c
++++ b/drivers/hwmon/pmbus/max34440.c
+@@ -34,16 +34,21 @@ enum chips { max34440, max34441, max34446, max34451, max34460, max34461 };
+ /*
+ * The whole max344* family have IOUT_OC_WARN_LIMIT and IOUT_OC_FAULT_LIMIT
+ * swapped from the standard pmbus spec addresses.
++ * For max34451, version MAX34451ETNA6+ and later has this issue fixed.
+ */
+ #define MAX34440_IOUT_OC_WARN_LIMIT 0x46
+ #define MAX34440_IOUT_OC_FAULT_LIMIT 0x4A
+
++#define MAX34451ETNA6_MFR_REV 0x0012
++
+ #define MAX34451_MFR_CHANNEL_CONFIG 0xe4
+ #define MAX34451_MFR_CHANNEL_CONFIG_SEL_MASK 0x3f
+
+ struct max34440_data {
+ int id;
+ struct pmbus_driver_info info;
++ u8 iout_oc_warn_limit;
++ u8 iout_oc_fault_limit;
+ };
+
+ #define to_max34440_data(x) container_of(x, struct max34440_data, info)
+@@ -60,11 +65,11 @@ static int max34440_read_word_data(struct i2c_client *client, int page,
+ switch (reg) {
+ case PMBUS_IOUT_OC_FAULT_LIMIT:
+ ret = pmbus_read_word_data(client, page, phase,
+- MAX34440_IOUT_OC_FAULT_LIMIT);
++ data->iout_oc_fault_limit);
+ break;
+ case PMBUS_IOUT_OC_WARN_LIMIT:
+ ret = pmbus_read_word_data(client, page, phase,
+- MAX34440_IOUT_OC_WARN_LIMIT);
++ data->iout_oc_warn_limit);
+ break;
+ case PMBUS_VIRT_READ_VOUT_MIN:
+ ret = pmbus_read_word_data(client, page, phase,
+@@ -133,11 +138,11 @@ static int max34440_write_word_data(struct i2c_client *client, int page,
+
+ switch (reg) {
+ case PMBUS_IOUT_OC_FAULT_LIMIT:
+- ret = pmbus_write_word_data(client, page, MAX34440_IOUT_OC_FAULT_LIMIT,
++ ret = pmbus_write_word_data(client, page, data->iout_oc_fault_limit,
+ word);
+ break;
+ case PMBUS_IOUT_OC_WARN_LIMIT:
+- ret = pmbus_write_word_data(client, page, MAX34440_IOUT_OC_WARN_LIMIT,
++ ret = pmbus_write_word_data(client, page, data->iout_oc_warn_limit,
+ word);
+ break;
+ case PMBUS_VIRT_RESET_POUT_HISTORY:
+@@ -235,6 +240,25 @@ static int max34451_set_supported_funcs(struct i2c_client *client,
+ */
+
+ int page, rv;
++ bool max34451_na6 = false;
++
++ rv = i2c_smbus_read_word_data(client, PMBUS_MFR_REVISION);
++ if (rv < 0)
++ return rv;
++
++ if (rv >= MAX34451ETNA6_MFR_REV) {
++ max34451_na6 = true;
++ data->info.format[PSC_VOLTAGE_IN] = direct;
++ data->info.format[PSC_CURRENT_IN] = direct;
++ data->info.m[PSC_VOLTAGE_IN] = 1;
++ data->info.b[PSC_VOLTAGE_IN] = 0;
++ data->info.R[PSC_VOLTAGE_IN] = 3;
++ data->info.m[PSC_CURRENT_IN] = 1;
++ data->info.b[PSC_CURRENT_IN] = 0;
++ data->info.R[PSC_CURRENT_IN] = 2;
++ data->iout_oc_fault_limit = PMBUS_IOUT_OC_FAULT_LIMIT;
++ data->iout_oc_warn_limit = PMBUS_IOUT_OC_WARN_LIMIT;
++ }
+
+ for (page = 0; page < 16; page++) {
+ rv = i2c_smbus_write_byte_data(client, PMBUS_PAGE, page);
+@@ -251,16 +275,30 @@ static int max34451_set_supported_funcs(struct i2c_client *client,
+ case 0x20:
+ data->info.func[page] = PMBUS_HAVE_VOUT |
+ PMBUS_HAVE_STATUS_VOUT;
++
++ if (max34451_na6)
++ data->info.func[page] |= PMBUS_HAVE_VIN |
++ PMBUS_HAVE_STATUS_INPUT;
+ break;
+ case 0x21:
+ data->info.func[page] = PMBUS_HAVE_VOUT;
++
++ if (max34451_na6)
++ data->info.func[page] |= PMBUS_HAVE_VIN;
+ break;
+ case 0x22:
+ data->info.func[page] = PMBUS_HAVE_IOUT |
+ PMBUS_HAVE_STATUS_IOUT;
++
++ if (max34451_na6)
++ data->info.func[page] |= PMBUS_HAVE_IIN |
++ PMBUS_HAVE_STATUS_INPUT;
+ break;
+ case 0x23:
+ data->info.func[page] = PMBUS_HAVE_IOUT;
++
++ if (max34451_na6)
++ data->info.func[page] |= PMBUS_HAVE_IIN;
+ break;
+ default:
+ break;
+@@ -494,6 +532,8 @@ static int max34440_probe(struct i2c_client *client)
+ return -ENOMEM;
+ data->id = i2c_match_id(max34440_id, client)->driver_data;
+ data->info = max34440_info[data->id];
++ data->iout_oc_fault_limit = MAX34440_IOUT_OC_FAULT_LIMIT;
++ data->iout_oc_warn_limit = MAX34440_IOUT_OC_WARN_LIMIT;
+
+ if (data->id == max34451) {
+ rv = max34451_set_supported_funcs(client, data);
+--
+2.39.5
+
--- /dev/null
+From 686f464e2f0822c17ccffb41f0919f47d1d29a8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Mar 2025 17:52:10 -0500
+Subject: iio: adc: ad7606_spi: check error in ad7606B_sw_mode_config()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: David Lechner <dlechner@baylibre.com>
+
+[ Upstream commit 4d71bf6021818a039a534c5954acefdfc4d6962c ]
+
+Add missing error check in ad7606B_sw_mode_config().
+
+Reviewed-by: Nuno Sá <nuno.sa@analog.com>
+Signed-off-by: David Lechner <dlechner@baylibre.com>
+Link: https://patch.msgid.link/20250318-iio-adc-ad7606-improvements-v2-2-4b605427774c@baylibre.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/ad7606_spi.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/iio/adc/ad7606_spi.c b/drivers/iio/adc/ad7606_spi.c
+index b37458ce3c708..5553a44ff83bc 100644
+--- a/drivers/iio/adc/ad7606_spi.c
++++ b/drivers/iio/adc/ad7606_spi.c
+@@ -174,11 +174,13 @@ static int ad7616_sw_mode_config(struct iio_dev *indio_dev)
+ static int ad7606B_sw_mode_config(struct iio_dev *indio_dev)
+ {
+ struct ad7606_state *st = iio_priv(indio_dev);
++ int ret;
+
+ /* Configure device spi to output on a single channel */
+- st->bops->reg_write(st,
+- AD7606_CONFIGURATION_REGISTER,
+- AD7606_SINGLE_DOUT);
++ ret = st->bops->reg_write(st, AD7606_CONFIGURATION_REGISTER,
++ AD7606_SINGLE_DOUT);
++ if (ret)
++ return ret;
+
+ /*
+ * Scale can be configured individually for each channel
+--
+2.39.5
+
--- /dev/null
+From 6ed74dad3cd71cba939d5c1f0fa405267ffee216 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Apr 2025 22:34:08 +0530
+Subject: iio: adc: ad_sigma_delta: Fix use of uninitialized status_pos
+
+From: Purva Yeshi <purvayeshi550@gmail.com>
+
+[ Upstream commit e5cdb098a3cb165d52282ffc3a6448642953ea13 ]
+
+Fix Smatch-detected issue:
+drivers/iio/adc/ad_sigma_delta.c:604 ad_sd_trigger_handler() error:
+uninitialized symbol 'status_pos'.
+
+The variable `status_pos` was only initialized in specific switch cases
+(1, 2, 3, 4), which could leave it uninitialized if `reg_size` had an
+unexpected value.
+
+Fix by adding a default case to the switch block to catch unexpected
+values of `reg_size`. Use `dev_err_ratelimited()` for error logging and
+`goto irq_handled` instead of returning early.
+
+Signed-off-by: Purva Yeshi <purvayeshi550@gmail.com>
+Link: https://patch.msgid.link/20250410170408.8585-1-purvayeshi550@gmail.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/ad_sigma_delta.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/iio/adc/ad_sigma_delta.c b/drivers/iio/adc/ad_sigma_delta.c
+index 6c37f8e21120b..4c5f8d29a559f 100644
+--- a/drivers/iio/adc/ad_sigma_delta.c
++++ b/drivers/iio/adc/ad_sigma_delta.c
+@@ -587,6 +587,10 @@ static irqreturn_t ad_sd_trigger_handler(int irq, void *p)
+ * byte set to zero. */
+ ad_sd_read_reg_raw(sigma_delta, data_reg, transfer_size, &data[1]);
+ break;
++
++ default:
++ dev_err_ratelimited(&indio_dev->dev, "Unsupported reg_size: %u\n", reg_size);
++ goto irq_handled;
+ }
+
+ /*
+--
+2.39.5
+
--- /dev/null
+From 7526149d2e7f0003f772ce070609ee2fe194d398 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Apr 2025 20:36:28 +0200
+Subject: iio: dac: adi-axi-dac: add cntrl chan check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Angelo Dureghello <adureghello@baylibre.com>
+
+[ Upstream commit 029035636de37395124a602c830152ef39a35fab ]
+
+Add validity check on CNTRL_X channels (valid as 0 to 15).
+
+Reviewed-by: Nuno Sá <nuno.sa@analog.com>
+Signed-off-by: Angelo Dureghello <adureghello@baylibre.com>
+Link: https://patch.msgid.link/20250409-wip-bl-ad3552r-fixes-v5-1-fb429c3a6515@baylibre.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/dac/adi-axi-dac.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/drivers/iio/dac/adi-axi-dac.c b/drivers/iio/dac/adi-axi-dac.c
+index 05b374e137d35..fd93ed3132835 100644
+--- a/drivers/iio/dac/adi-axi-dac.c
++++ b/drivers/iio/dac/adi-axi-dac.c
+@@ -84,6 +84,7 @@
+ #define AXI_DAC_CHAN_CNTRL_7_REG(c) (0x0418 + (c) * 0x40)
+ #define AXI_DAC_CHAN_CNTRL_7_DATA_SEL GENMASK(3, 0)
+
++#define AXI_DAC_CHAN_CNTRL_MAX 15
+ #define AXI_DAC_RD_ADDR(x) (BIT(7) | (x))
+
+ /* 360 degrees in rad */
+@@ -186,6 +187,9 @@ static int __axi_dac_frequency_get(struct axi_dac_state *st, unsigned int chan,
+ u32 reg, raw;
+ int ret;
+
++ if (chan > AXI_DAC_CHAN_CNTRL_MAX)
++ return -EINVAL;
++
+ if (!st->dac_clk) {
+ dev_err(st->dev, "Sampling rate is 0...\n");
+ return -EINVAL;
+@@ -230,6 +234,9 @@ static int axi_dac_scale_get(struct axi_dac_state *st,
+ int ret, vals[2];
+ u32 reg, raw;
+
++ if (chan->channel > AXI_DAC_CHAN_CNTRL_MAX)
++ return -EINVAL;
++
+ if (tone_2)
+ reg = AXI_DAC_CHAN_CNTRL_3_REG(chan->channel);
+ else
+@@ -264,6 +271,9 @@ static int axi_dac_phase_get(struct axi_dac_state *st,
+ u32 reg, raw, phase;
+ int ret, vals[2];
+
++ if (chan->channel > AXI_DAC_CHAN_CNTRL_MAX)
++ return -EINVAL;
++
+ if (tone_2)
+ reg = AXI_DAC_CHAN_CNTRL_4_REG(chan->channel);
+ else
+@@ -291,6 +301,9 @@ static int __axi_dac_frequency_set(struct axi_dac_state *st, unsigned int chan,
+ u16 raw;
+ int ret;
+
++ if (chan > AXI_DAC_CHAN_CNTRL_MAX)
++ return -EINVAL;
++
+ if (!sample_rate || freq > sample_rate / 2) {
+ dev_err(st->dev, "Invalid frequency(%u) dac_clk(%llu)\n",
+ freq, sample_rate);
+@@ -342,6 +355,9 @@ static int axi_dac_scale_set(struct axi_dac_state *st,
+ u32 raw = 0, reg;
+ int ret;
+
++ if (chan->channel > AXI_DAC_CHAN_CNTRL_MAX)
++ return -EINVAL;
++
+ ret = iio_str_to_fixpoint(buf, 100000, &integer, &frac);
+ if (ret)
+ return ret;
+@@ -385,6 +401,9 @@ static int axi_dac_phase_set(struct axi_dac_state *st,
+ u32 raw, reg;
+ int ret;
+
++ if (chan->channel > AXI_DAC_CHAN_CNTRL_MAX)
++ return -EINVAL;
++
+ ret = iio_str_to_fixpoint(buf, 100000, &integer, &frac);
+ if (ret)
+ return ret;
+@@ -493,6 +512,9 @@ static int axi_dac_data_source_set(struct iio_backend *back, unsigned int chan,
+ {
+ struct axi_dac_state *st = iio_backend_get_priv(back);
+
++ if (chan > AXI_DAC_CHAN_CNTRL_MAX)
++ return -EINVAL;
++
+ switch (data) {
+ case IIO_BACKEND_INTERNAL_CONTINUOUS_WAVE:
+ return regmap_update_bits(st->regmap,
+@@ -521,6 +543,8 @@ static int axi_dac_set_sample_rate(struct iio_backend *back, unsigned int chan,
+ unsigned int freq;
+ int ret, tone;
+
++ if (chan > AXI_DAC_CHAN_CNTRL_MAX)
++ return -EINVAL;
+ if (!sample_rate)
+ return -EINVAL;
+ if (st->reg_config & AXI_DAC_CONFIG_DDS_DISABLE)
+--
+2.39.5
+
--- /dev/null
+From 42c9f481c58e7fcc41639f0b05abeb5ef2d4c7f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Mar 2025 09:36:34 +0800
+Subject: iio: hid-sensor-prox: Add support for 16-bit report size
+
+From: Zhang Lixu <lixu.zhang@intel.com>
+
+[ Upstream commit ad02ca57e44e9936fca5095840fad9d4b47c5559 ]
+
+On Intel platforms, the HID_USAGE_SENSOR_HUMAN_PROXIMITY report size is 16
+bits. This patch adds support for handling 16-bit report sizes for the
+HID_USAGE_SENSOR_HUMAN_PROXIMITY usage in the HID sensor proximity driver.
+
+Previously, the driver only supported 8-bit and 32-bit report sizes. With
+this change, the driver can now correctly process 16-bit proximity data,
+ensuring accurate human presence detection on platforms where this report
+size is used.
+
+Signed-off-by: Zhang Lixu <lixu.zhang@intel.com>
+Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Link: https://patch.msgid.link/20250317013634.4117399-1-lixu.zhang@intel.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/light/hid-sensor-prox.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/iio/light/hid-sensor-prox.c b/drivers/iio/light/hid-sensor-prox.c
+index 4c65b32d34ce4..46f788b0bc3e2 100644
+--- a/drivers/iio/light/hid-sensor-prox.c
++++ b/drivers/iio/light/hid-sensor-prox.c
+@@ -215,6 +215,9 @@ static int prox_capture_sample(struct hid_sensor_hub_device *hsdev,
+ case 1:
+ prox_state->human_presence[chan] = *(u8 *)raw_data * multiplier;
+ return 0;
++ case 2:
++ prox_state->human_presence[chan] = *(u16 *)raw_data * multiplier;
++ return 0;
+ case 4:
+ prox_state->human_presence[chan] = *(u32 *)raw_data * multiplier;
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From e29de0a9ccacac93dd09a4eb370748a1c34ad187 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Apr 2025 21:33:25 +0200
+Subject: iio: light: al3000a: Fix an error handling path in al3000a_probe()
+
+From: David Heidelberg <david@ixit.cz>
+
+[ Upstream commit c0461f8e842495041c18b2c67647501d55c17441 ]
+
+If regmap_write() fails in al3000a_init(), al3000a_set_pwr_off is
+not called.
+
+In order to avoid such a situation, move the devm_add_action_or_reset()
+which calls al3000a_set_pwr_off right after a successful
+al3000a_set_pwr_on.
+
+Signed-off-by: David Heidelberg <david@ixit.cz>
+Link: https://patch.msgid.link/20250402-al3010-iio-regmap-v4-2-d189bea87261@ixit.cz
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/light/al3000a.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/iio/light/al3000a.c b/drivers/iio/light/al3000a.c
+index e2fbb1270040f..6d5115b2a06c5 100644
+--- a/drivers/iio/light/al3000a.c
++++ b/drivers/iio/light/al3000a.c
+@@ -85,12 +85,17 @@ static void al3000a_set_pwr_off(void *_data)
+
+ static int al3000a_init(struct al3000a_data *data)
+ {
++ struct device *dev = regmap_get_device(data->regmap);
+ int ret;
+
+ ret = al3000a_set_pwr_on(data);
+ if (ret)
+ return ret;
+
++ ret = devm_add_action_or_reset(dev, al3000a_set_pwr_off, data);
++ if (ret)
++ return dev_err_probe(dev, ret, "failed to add action\n");
++
+ ret = regmap_write(data->regmap, AL3000A_REG_SYSTEM, AL3000A_CONFIG_RESET);
+ if (ret)
+ return ret;
+@@ -157,10 +162,6 @@ static int al3000a_probe(struct i2c_client *client)
+ if (ret)
+ return dev_err_probe(dev, ret, "failed to init ALS\n");
+
+- ret = devm_add_action_or_reset(dev, al3000a_set_pwr_off, data);
+- if (ret)
+- return dev_err_probe(dev, ret, "failed to add action\n");
+-
+ return devm_iio_device_register(dev, indio_dev);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 575a270ba739e7ec07d0b939574fcbd2ed6f244e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Apr 2025 11:34:41 +0100
+Subject: iio: pressure: zpa2326: Use aligned_s64 for the timestamp
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit 886a446b76afddfad307488e95e87f23a08ffd51 ]
+
+On x86_32 s64 fields are only 32-bit aligned. Hence force the alignment of
+the field and padding in the structure by using aligned_s64 instead.
+
+Reviewed-by: David Lechner <dlechner@baylibre.com>
+Link: https://patch.msgid.link/20250413103443.2420727-19-jic23@kernel.org
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/pressure/zpa2326.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iio/pressure/zpa2326.c b/drivers/iio/pressure/zpa2326.c
+index 9db1c94dfc188..b2e04368532a0 100644
+--- a/drivers/iio/pressure/zpa2326.c
++++ b/drivers/iio/pressure/zpa2326.c
+@@ -582,7 +582,7 @@ static int zpa2326_fill_sample_buffer(struct iio_dev *indio_dev,
+ struct {
+ u32 pressure;
+ u16 temperature;
+- u64 timestamp;
++ aligned_s64 timestamp;
+ } sample;
+ int err;
+
+--
+2.39.5
+
--- /dev/null
+From 60da997053295181d2200bced7eb0182d1f5ffcc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 May 2025 18:07:33 +0100
+Subject: io_uring/zcrx: fix area release on registration failure
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+[ Upstream commit 0ec33c81d9c7342f03864101ddb2e717a0cce03e ]
+
+On area registration failure there might be no ifq set and it's not safe
+to access area->ifq in the release path without checking it first.
+
+Cc: stable@vger.kernel.org
+Fixes: f12ecf5e1c5ec ("io_uring/zcrx: fix late dma unmap for a dead dev")
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://lore.kernel.org/r/bc02878678a5fec28bc77d33355cdba735418484.1748365640.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ io_uring/zcrx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/io_uring/zcrx.c b/io_uring/zcrx.c
+index 7214236c14882..a53058dd6b7a1 100644
+--- a/io_uring/zcrx.c
++++ b/io_uring/zcrx.c
+@@ -222,7 +222,8 @@ static void io_free_rbuf_ring(struct io_zcrx_ifq *ifq)
+
+ static void io_zcrx_free_area(struct io_zcrx_area *area)
+ {
+- io_zcrx_unmap_area(area->ifq, area);
++ if (area->ifq)
++ io_zcrx_unmap_area(area->ifq, area);
+ io_release_area_mem(&area->mem);
+
+ kvfree(area->freelist);
+--
+2.39.5
+
--- /dev/null
+From 01bf24ba051bc30dd3e31caa00c32e6a2d074b32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 May 2025 13:17:14 +0100
+Subject: io_uring/zcrx: improve area validation
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+[ Upstream commit d760d3f59f0d8d0df2895db30d36cf23106d6b05 ]
+
+dmabuf backed area will be taking an offset instead of addresses, and
+io_buffer_validate() is not flexible enough to facilitate it. It also
+takes an iovec, which may truncate the u64 length zcrx takes. Add a new
+helper function for validation.
+
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://lore.kernel.org/r/0b3b735391a0a8f8971bf0121c19765131fddd3b.1746097431.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Stable-dep-of: 0ec33c81d9c7 ("io_uring/zcrx: fix area release on registration failure")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ io_uring/rsrc.c | 27 +++++++++++++++------------
+ io_uring/rsrc.h | 2 +-
+ io_uring/zcrx.c | 7 +++----
+ 3 files changed, 19 insertions(+), 17 deletions(-)
+
+diff --git a/io_uring/rsrc.c b/io_uring/rsrc.c
+index 794d4ae6f0bc8..6d61683223870 100644
+--- a/io_uring/rsrc.c
++++ b/io_uring/rsrc.c
+@@ -80,10 +80,21 @@ static int io_account_mem(struct io_ring_ctx *ctx, unsigned long nr_pages)
+ return 0;
+ }
+
+-int io_buffer_validate(struct iovec *iov)
++int io_validate_user_buf_range(u64 uaddr, u64 ulen)
+ {
+- unsigned long tmp, acct_len = iov->iov_len + (PAGE_SIZE - 1);
++ unsigned long tmp, base = (unsigned long)uaddr;
++ unsigned long acct_len = (unsigned long)PAGE_ALIGN(ulen);
+
++ /* arbitrary limit, but we need something */
++ if (ulen > SZ_1G || !ulen)
++ return -EFAULT;
++ if (check_add_overflow(base, acct_len, &tmp))
++ return -EOVERFLOW;
++ return 0;
++}
++
++static int io_buffer_validate(struct iovec *iov)
++{
+ /*
+ * Don't impose further limits on the size and buffer
+ * constraints here, we'll -EINVAL later when IO is
+@@ -91,17 +102,9 @@ int io_buffer_validate(struct iovec *iov)
+ */
+ if (!iov->iov_base)
+ return iov->iov_len ? -EFAULT : 0;
+- if (!iov->iov_len)
+- return -EFAULT;
+-
+- /* arbitrary limit, but we need something */
+- if (iov->iov_len > SZ_1G)
+- return -EFAULT;
+
+- if (check_add_overflow((unsigned long)iov->iov_base, acct_len, &tmp))
+- return -EOVERFLOW;
+-
+- return 0;
++ return io_validate_user_buf_range((unsigned long)iov->iov_base,
++ iov->iov_len);
+ }
+
+ static void io_release_ubuf(void *priv)
+diff --git a/io_uring/rsrc.h b/io_uring/rsrc.h
+index b52242852ff34..4373524f993c7 100644
+--- a/io_uring/rsrc.h
++++ b/io_uring/rsrc.h
+@@ -83,7 +83,7 @@ int io_register_rsrc_update(struct io_ring_ctx *ctx, void __user *arg,
+ unsigned size, unsigned type);
+ int io_register_rsrc(struct io_ring_ctx *ctx, void __user *arg,
+ unsigned int size, unsigned int type);
+-int io_buffer_validate(struct iovec *iov);
++int io_validate_user_buf_range(u64 uaddr, u64 ulen);
+
+ bool io_check_coalesce_buffer(struct page **page_array, int nr_pages,
+ struct io_imu_folio_data *data);
+diff --git a/io_uring/zcrx.c b/io_uring/zcrx.c
+index ecb59182d9b2c..0771a57d81a5b 100644
+--- a/io_uring/zcrx.c
++++ b/io_uring/zcrx.c
+@@ -205,7 +205,6 @@ static int io_zcrx_create_area(struct io_zcrx_ifq *ifq,
+ {
+ struct io_zcrx_area *area;
+ int i, ret, nr_pages, nr_iovs;
+- struct iovec iov;
+
+ if (area_reg->flags || area_reg->rq_area_token)
+ return -EINVAL;
+@@ -214,11 +213,11 @@ static int io_zcrx_create_area(struct io_zcrx_ifq *ifq,
+ if (area_reg->addr & ~PAGE_MASK || area_reg->len & ~PAGE_MASK)
+ return -EINVAL;
+
+- iov.iov_base = u64_to_user_ptr(area_reg->addr);
+- iov.iov_len = area_reg->len;
+- ret = io_buffer_validate(&iov);
++ ret = io_validate_user_buf_range(area_reg->addr, area_reg->len);
+ if (ret)
+ return ret;
++ if (!area_reg->addr)
++ return -EFAULT;
+
+ ret = -ENOMEM;
+ area = kzalloc(sizeof(*area), GFP_KERNEL);
+--
+2.39.5
+
--- /dev/null
+From 24b25ba877fdfc1b7ff5a1cbcd23a076c27332d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 20 Apr 2025 10:31:16 +0100
+Subject: io_uring/zcrx: move io_zcrx_iov_page
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+[ Upstream commit a79154ae5df9e21dbacb1eb77fad984fd4c45cca ]
+
+We'll need io_zcrx_iov_page at the top to keep offset calculations
+closer together, move it there.
+
+Reviewed-by: David Wei <dw@davidwei.uk>
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://lore.kernel.org/r/575617033a8b84a5985c7eb760b7121efdbe7e56.1745141261.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Stable-dep-of: 0ec33c81d9c7 ("io_uring/zcrx: fix area release on registration failure")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ io_uring/zcrx.c | 28 ++++++++++++++--------------
+ 1 file changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/io_uring/zcrx.c b/io_uring/zcrx.c
+index fe86606b9f304..ecb59182d9b2c 100644
+--- a/io_uring/zcrx.c
++++ b/io_uring/zcrx.c
+@@ -31,6 +31,20 @@ static inline struct io_zcrx_ifq *io_pp_to_ifq(struct page_pool *pp)
+ return pp->mp_priv;
+ }
+
++static inline struct io_zcrx_area *io_zcrx_iov_to_area(const struct net_iov *niov)
++{
++ struct net_iov_area *owner = net_iov_owner(niov);
++
++ return container_of(owner, struct io_zcrx_area, nia);
++}
++
++static inline struct page *io_zcrx_iov_page(const struct net_iov *niov)
++{
++ struct io_zcrx_area *area = io_zcrx_iov_to_area(niov);
++
++ return area->pages[net_iov_idx(niov)];
++}
++
+ #define IO_DMA_ATTR (DMA_ATTR_SKIP_CPU_SYNC | DMA_ATTR_WEAK_ORDERING)
+
+ static void __io_zcrx_unmap_area(struct io_zcrx_ifq *ifq,
+@@ -118,13 +132,6 @@ struct io_zcrx_args {
+
+ static const struct memory_provider_ops io_uring_pp_zc_ops;
+
+-static inline struct io_zcrx_area *io_zcrx_iov_to_area(const struct net_iov *niov)
+-{
+- struct net_iov_area *owner = net_iov_owner(niov);
+-
+- return container_of(owner, struct io_zcrx_area, nia);
+-}
+-
+ static inline atomic_t *io_get_user_counter(struct net_iov *niov)
+ {
+ struct io_zcrx_area *area = io_zcrx_iov_to_area(niov);
+@@ -147,13 +154,6 @@ static void io_zcrx_get_niov_uref(struct net_iov *niov)
+ atomic_inc(io_get_user_counter(niov));
+ }
+
+-static inline struct page *io_zcrx_iov_page(const struct net_iov *niov)
+-{
+- struct io_zcrx_area *area = io_zcrx_iov_to_area(niov);
+-
+- return area->pages[net_iov_idx(niov)];
+-}
+-
+ static int io_allocate_rbuf_ring(struct io_zcrx_ifq *ifq,
+ struct io_uring_zcrx_ifq_reg *reg,
+ struct io_uring_region_desc *rd)
+--
+2.39.5
+
--- /dev/null
+From 0a1ec2cbc56734baff8c0d8b68fee11aa7a729e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 May 2025 13:17:16 +0100
+Subject: io_uring/zcrx: split out memory holders from area
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+[ Upstream commit 782dfa329ac9d1b5ca7b6df56a7696bac58cb829 ]
+
+In the data path users of struct io_zcrx_area don't need to know what
+kind of memory it's backed by. Only keep there generic bits in there and
+and split out memory type dependent fields into a new structure. It also
+logically separates the step that actually imports the memory, e.g.
+pinning user pages, from the generic area initialisation.
+
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://lore.kernel.org/r/b60fc09c76921bf69e77eb17e07eb4decedb3bf4.1746097431.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Stable-dep-of: 0ec33c81d9c7 ("io_uring/zcrx: fix area release on registration failure")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ io_uring/zcrx.c | 71 ++++++++++++++++++++++++++++++++-----------------
+ io_uring/zcrx.h | 11 ++++++--
+ 2 files changed, 56 insertions(+), 26 deletions(-)
+
+diff --git a/io_uring/zcrx.c b/io_uring/zcrx.c
+index 0771a57d81a5b..7214236c14882 100644
+--- a/io_uring/zcrx.c
++++ b/io_uring/zcrx.c
+@@ -26,6 +26,8 @@
+ #include "zcrx.h"
+ #include "rsrc.h"
+
++#define IO_DMA_ATTR (DMA_ATTR_SKIP_CPU_SYNC | DMA_ATTR_WEAK_ORDERING)
++
+ static inline struct io_zcrx_ifq *io_pp_to_ifq(struct page_pool *pp)
+ {
+ return pp->mp_priv;
+@@ -42,10 +44,43 @@ static inline struct page *io_zcrx_iov_page(const struct net_iov *niov)
+ {
+ struct io_zcrx_area *area = io_zcrx_iov_to_area(niov);
+
+- return area->pages[net_iov_idx(niov)];
++ return area->mem.pages[net_iov_idx(niov)];
+ }
+
+-#define IO_DMA_ATTR (DMA_ATTR_SKIP_CPU_SYNC | DMA_ATTR_WEAK_ORDERING)
++static void io_release_area_mem(struct io_zcrx_mem *mem)
++{
++ if (mem->pages) {
++ unpin_user_pages(mem->pages, mem->nr_folios);
++ kvfree(mem->pages);
++ }
++}
++
++static int io_import_area(struct io_zcrx_ifq *ifq,
++ struct io_zcrx_mem *mem,
++ struct io_uring_zcrx_area_reg *area_reg)
++{
++ struct page **pages;
++ int nr_pages;
++ int ret;
++
++ ret = io_validate_user_buf_range(area_reg->addr, area_reg->len);
++ if (ret)
++ return ret;
++ if (!area_reg->addr)
++ return -EFAULT;
++ if (area_reg->addr & ~PAGE_MASK || area_reg->len & ~PAGE_MASK)
++ return -EINVAL;
++
++ pages = io_pin_pages((unsigned long)area_reg->addr, area_reg->len,
++ &nr_pages);
++ if (IS_ERR(pages))
++ return PTR_ERR(pages);
++
++ mem->pages = pages;
++ mem->nr_folios = nr_pages;
++ mem->size = area_reg->len;
++ return 0;
++}
+
+ static void __io_zcrx_unmap_area(struct io_zcrx_ifq *ifq,
+ struct io_zcrx_area *area, int nr_mapped)
+@@ -84,8 +119,8 @@ static int io_zcrx_map_area(struct io_zcrx_ifq *ifq, struct io_zcrx_area *area)
+ struct net_iov *niov = &area->nia.niovs[i];
+ dma_addr_t dma;
+
+- dma = dma_map_page_attrs(ifq->dev, area->pages[i], 0, PAGE_SIZE,
+- DMA_FROM_DEVICE, IO_DMA_ATTR);
++ dma = dma_map_page_attrs(ifq->dev, area->mem.pages[i], 0,
++ PAGE_SIZE, DMA_FROM_DEVICE, IO_DMA_ATTR);
+ if (dma_mapping_error(ifq->dev, dma))
+ break;
+ if (net_mp_niov_set_dma_addr(niov, dma)) {
+@@ -188,14 +223,11 @@ static void io_free_rbuf_ring(struct io_zcrx_ifq *ifq)
+ static void io_zcrx_free_area(struct io_zcrx_area *area)
+ {
+ io_zcrx_unmap_area(area->ifq, area);
++ io_release_area_mem(&area->mem);
+
+ kvfree(area->freelist);
+ kvfree(area->nia.niovs);
+ kvfree(area->user_refs);
+- if (area->pages) {
+- unpin_user_pages(area->pages, area->nr_folios);
+- kvfree(area->pages);
+- }
+ kfree(area);
+ }
+
+@@ -204,36 +236,27 @@ static int io_zcrx_create_area(struct io_zcrx_ifq *ifq,
+ struct io_uring_zcrx_area_reg *area_reg)
+ {
+ struct io_zcrx_area *area;
+- int i, ret, nr_pages, nr_iovs;
++ unsigned nr_iovs;
++ int i, ret;
+
+ if (area_reg->flags || area_reg->rq_area_token)
+ return -EINVAL;
+ if (area_reg->__resv1 || area_reg->__resv2[0] || area_reg->__resv2[1])
+ return -EINVAL;
+- if (area_reg->addr & ~PAGE_MASK || area_reg->len & ~PAGE_MASK)
+- return -EINVAL;
+-
+- ret = io_validate_user_buf_range(area_reg->addr, area_reg->len);
+- if (ret)
+- return ret;
+- if (!area_reg->addr)
+- return -EFAULT;
+
+ ret = -ENOMEM;
+ area = kzalloc(sizeof(*area), GFP_KERNEL);
+ if (!area)
+ goto err;
+
+- area->pages = io_pin_pages((unsigned long)area_reg->addr, area_reg->len,
+- &nr_pages);
+- if (IS_ERR(area->pages)) {
+- ret = PTR_ERR(area->pages);
+- area->pages = NULL;
++ ret = io_import_area(ifq, &area->mem, area_reg);
++ if (ret)
+ goto err;
+- }
+- area->nr_folios = nr_iovs = nr_pages;
++
++ nr_iovs = area->mem.size >> PAGE_SHIFT;
+ area->nia.num_niovs = nr_iovs;
+
++ ret = -ENOMEM;
+ area->nia.niovs = kvmalloc_array(nr_iovs, sizeof(area->nia.niovs[0]),
+ GFP_KERNEL | __GFP_ZERO);
+ if (!area->nia.niovs)
+diff --git a/io_uring/zcrx.h b/io_uring/zcrx.h
+index f2bc811f022c6..64796c90851e1 100644
+--- a/io_uring/zcrx.h
++++ b/io_uring/zcrx.h
+@@ -7,6 +7,13 @@
+ #include <net/page_pool/types.h>
+ #include <net/net_trackers.h>
+
++struct io_zcrx_mem {
++ unsigned long size;
++
++ struct page **pages;
++ unsigned long nr_folios;
++};
++
+ struct io_zcrx_area {
+ struct net_iov_area nia;
+ struct io_zcrx_ifq *ifq;
+@@ -14,13 +21,13 @@ struct io_zcrx_area {
+
+ bool is_mapped;
+ u16 area_id;
+- struct page **pages;
+- unsigned long nr_folios;
+
+ /* freelist */
+ spinlock_t freelist_lock ____cacheline_aligned_in_smp;
+ u32 free_count;
+ u32 *freelist;
++
++ struct io_zcrx_mem mem;
+ };
+
+ struct io_zcrx_ifq {
+--
+2.39.5
+
--- /dev/null
+From bf5ceb52c04fb1f399674afe9a9c047471ad41b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 May 2025 11:23:01 +0900
+Subject: ksmbd: allow a filename to contain special characters on SMB3.1.1
+ posix extension
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+[ Upstream commit dc3e0f17f74558e8a2fce00608855f050de10230 ]
+
+If client send SMB2_CREATE_POSIX_CONTEXT to ksmbd, Allow a filename
+to contain special characters.
+
+Reported-by: Philipp Kerling <pkerling@casix.org>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/server/smb2pdu.c | 53 +++++++++++++++++++++--------------------
+ 1 file changed, 27 insertions(+), 26 deletions(-)
+
+diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
+index c6b990c93bfa7..a9f9426e91acb 100644
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -2875,7 +2875,7 @@ int smb2_open(struct ksmbd_work *work)
+ int req_op_level = 0, open_flags = 0, may_flags = 0, file_info = 0;
+ int rc = 0;
+ int contxt_cnt = 0, query_disk_id = 0;
+- int maximal_access_ctxt = 0, posix_ctxt = 0;
++ bool maximal_access_ctxt = false, posix_ctxt = false;
+ int s_type = 0;
+ int next_off = 0;
+ char *name = NULL;
+@@ -2904,6 +2904,27 @@ int smb2_open(struct ksmbd_work *work)
+ return create_smb2_pipe(work);
+ }
+
++ if (req->CreateContextsOffset && tcon->posix_extensions) {
++ context = smb2_find_context_vals(req, SMB2_CREATE_TAG_POSIX, 16);
++ if (IS_ERR(context)) {
++ rc = PTR_ERR(context);
++ goto err_out2;
++ } else if (context) {
++ struct create_posix *posix = (struct create_posix *)context;
++
++ if (le16_to_cpu(context->DataOffset) +
++ le32_to_cpu(context->DataLength) <
++ sizeof(struct create_posix) - 4) {
++ rc = -EINVAL;
++ goto err_out2;
++ }
++ ksmbd_debug(SMB, "get posix context\n");
++
++ posix_mode = le32_to_cpu(posix->Mode);
++ posix_ctxt = true;
++ }
++ }
++
+ if (req->NameLength) {
+ name = smb2_get_name((char *)req + le16_to_cpu(req->NameOffset),
+ le16_to_cpu(req->NameLength),
+@@ -2926,9 +2947,11 @@ int smb2_open(struct ksmbd_work *work)
+ goto err_out2;
+ }
+
+- rc = ksmbd_validate_filename(name);
+- if (rc < 0)
+- goto err_out2;
++ if (posix_ctxt == false) {
++ rc = ksmbd_validate_filename(name);
++ if (rc < 0)
++ goto err_out2;
++ }
+
+ if (ksmbd_share_veto_filename(share, name)) {
+ rc = -ENOENT;
+@@ -3086,28 +3109,6 @@ int smb2_open(struct ksmbd_work *work)
+ rc = -EBADF;
+ goto err_out2;
+ }
+-
+- if (tcon->posix_extensions) {
+- context = smb2_find_context_vals(req,
+- SMB2_CREATE_TAG_POSIX, 16);
+- if (IS_ERR(context)) {
+- rc = PTR_ERR(context);
+- goto err_out2;
+- } else if (context) {
+- struct create_posix *posix =
+- (struct create_posix *)context;
+- if (le16_to_cpu(context->DataOffset) +
+- le32_to_cpu(context->DataLength) <
+- sizeof(struct create_posix) - 4) {
+- rc = -EINVAL;
+- goto err_out2;
+- }
+- ksmbd_debug(SMB, "get posix context\n");
+-
+- posix_mode = le32_to_cpu(posix->Mode);
+- posix_ctxt = 1;
+- }
+- }
+ }
+
+ if (ksmbd_override_fsids(work)) {
+--
+2.39.5
+
--- /dev/null
+From 1c9892193ce02e4d561c972c481a9c08fe48c352 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 May 2025 09:02:29 +0900
+Subject: ksmbd: provide zero as a unique ID to the Mac client
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+[ Upstream commit 571781eb7ffefa65b0e922c8031e42b4411a40d4 ]
+
+The Mac SMB client code seems to expect the on-disk file identifier
+to have the semantics of HFS+ Catalog Node Identifier (CNID).
+ksmbd provides the inode number as a unique ID to the client,
+but in the case of subvolumes of btrfs, there are cases where different
+files have the same inode number, so the mac smb client treats it
+as an error. There is a report that a similar problem occurs
+when the share is ZFS.
+Returning UniqueId of zero will make the Mac client to stop using and
+trusting the file id returned from the server.
+
+Reported-by: Justin Turner Arthur <justinarthur@gmail.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/server/connection.h | 1 +
+ fs/smb/server/smb2pdu.c | 19 +++++++++++++++++--
+ fs/smb/server/smb2pdu.h | 3 +++
+ 3 files changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/fs/smb/server/connection.h b/fs/smb/server/connection.h
+index 572102098c108..dd3e0e3f7bf04 100644
+--- a/fs/smb/server/connection.h
++++ b/fs/smb/server/connection.h
+@@ -108,6 +108,7 @@ struct ksmbd_conn {
+ __le16 signing_algorithm;
+ bool binding;
+ atomic_t refcnt;
++ bool is_aapl;
+ };
+
+ struct ksmbd_conn_ops {
+diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
+index a9f9426e91acb..ad2b15ec3b561 100644
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -3541,6 +3541,15 @@ int smb2_open(struct ksmbd_work *work)
+ ksmbd_debug(SMB, "get query on disk id context\n");
+ query_disk_id = 1;
+ }
++
++ if (conn->is_aapl == false) {
++ context = smb2_find_context_vals(req, SMB2_CREATE_AAPL, 4);
++ if (IS_ERR(context)) {
++ rc = PTR_ERR(context);
++ goto err_out1;
++ } else if (context)
++ conn->is_aapl = true;
++ }
+ }
+
+ rc = ksmbd_vfs_getattr(&path, &stat);
+@@ -3980,7 +3989,10 @@ static int smb2_populate_readdir_entry(struct ksmbd_conn *conn, int info_level,
+ if (dinfo->EaSize)
+ dinfo->ExtFileAttributes = FILE_ATTRIBUTE_REPARSE_POINT_LE;
+ dinfo->Reserved = 0;
+- dinfo->UniqueId = cpu_to_le64(ksmbd_kstat->kstat->ino);
++ if (conn->is_aapl)
++ dinfo->UniqueId = 0;
++ else
++ dinfo->UniqueId = cpu_to_le64(ksmbd_kstat->kstat->ino);
+ if (d_info->hide_dot_file && d_info->name[0] == '.')
+ dinfo->ExtFileAttributes |= FILE_ATTRIBUTE_HIDDEN_LE;
+ memcpy(dinfo->FileName, conv_name, conv_len);
+@@ -3997,7 +4009,10 @@ static int smb2_populate_readdir_entry(struct ksmbd_conn *conn, int info_level,
+ smb2_get_reparse_tag_special_file(ksmbd_kstat->kstat->mode);
+ if (fibdinfo->EaSize)
+ fibdinfo->ExtFileAttributes = FILE_ATTRIBUTE_REPARSE_POINT_LE;
+- fibdinfo->UniqueId = cpu_to_le64(ksmbd_kstat->kstat->ino);
++ if (conn->is_aapl)
++ fibdinfo->UniqueId = 0;
++ else
++ fibdinfo->UniqueId = cpu_to_le64(ksmbd_kstat->kstat->ino);
+ fibdinfo->ShortNameLength = 0;
+ fibdinfo->Reserved = 0;
+ fibdinfo->Reserved2 = cpu_to_le16(0);
+diff --git a/fs/smb/server/smb2pdu.h b/fs/smb/server/smb2pdu.h
+index 17a0b18a8406b..16ae8a10490be 100644
+--- a/fs/smb/server/smb2pdu.h
++++ b/fs/smb/server/smb2pdu.h
+@@ -63,6 +63,9 @@ struct preauth_integrity_info {
+
+ #define SMB2_SESSION_TIMEOUT (10 * HZ)
+
++/* Apple Defined Contexts */
++#define SMB2_CREATE_AAPL "AAPL"
++
+ struct create_durable_req_v2 {
+ struct create_context_hdr ccontext;
+ __u8 Name[8];
+--
+2.39.5
+
--- /dev/null
+From 06744561b276e091b99daa9aae024f7ccd42a129 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Apr 2025 20:40:36 +0200
+Subject: leds: multicolor: Fix intensity setting while SW blinking
+
+From: Sven Schwermer <sven.schwermer@disruptive-technologies.com>
+
+[ Upstream commit e35ca991a777ef513040cbb36bc8245a031a2633 ]
+
+When writing to the multi_intensity file, don't unconditionally call
+led_set_brightness. By only doing this if blinking is inactive we
+prevent blinking from stopping if the blinking is in its off phase while
+the file is written.
+
+Instead, if blinking is active, the changed intensity values are applied
+upon the next blink. This is consistent with changing the brightness on
+monochrome LEDs with active blinking.
+
+Suggested-by: Jacek Anaszewski <jacek.anaszewski@gmail.com>
+Acked-by: Jacek Anaszewski <jacek.anaszewski@gmail.com>
+Acked-by: Pavel Machek <pavel@ucw.cz>
+Reviewed-by: Tobias Deiminger <tobias.deiminger@linutronix.de>
+Tested-by: Sven Schuchmann <schuchmann@schleissheimer.de>
+Signed-off-by: Sven Schwermer <sven.schwermer@disruptive-technologies.com>
+Link: https://lore.kernel.org/r/20250404184043.227116-1-sven@svenschwermer.de
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/leds/led-class-multicolor.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/leds/led-class-multicolor.c b/drivers/leds/led-class-multicolor.c
+index b2a87c9948165..fd66d2bdeace8 100644
+--- a/drivers/leds/led-class-multicolor.c
++++ b/drivers/leds/led-class-multicolor.c
+@@ -59,7 +59,8 @@ static ssize_t multi_intensity_store(struct device *dev,
+ for (i = 0; i < mcled_cdev->num_colors; i++)
+ mcled_cdev->subled_info[i].intensity = intensity_value[i];
+
+- led_set_brightness(led_cdev, led_cdev->brightness);
++ if (!test_bit(LED_BLINK_SW, &led_cdev->work_flags))
++ led_set_brightness(led_cdev, led_cdev->brightness);
+ ret = size;
+ err_out:
+ mutex_unlock(&led_cdev->led_access);
+--
+2.39.5
+
--- /dev/null
+From a72ccda91d04b14a3eb0b21942321bfd7238bff8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Apr 2025 21:14:10 +0800
+Subject: mailbox: Not protect module_put with spin_lock_irqsave
+
+From: Peng Fan <peng.fan@nxp.com>
+
+[ Upstream commit dddbd233e67e792bb0a3f9694a4707e6be29b2c6 ]
+
+&chan->lock is not supposed to protect 'chan->mbox'.
+And in __mbox_bind_client, try_module_get is also not protected
+by &chan->lock. So move module_put out of the lock protected
+region.
+
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mailbox/mailbox.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mailbox/mailbox.c b/drivers/mailbox/mailbox.c
+index 0593b4d036859..aea0e690b63ee 100644
+--- a/drivers/mailbox/mailbox.c
++++ b/drivers/mailbox/mailbox.c
+@@ -486,8 +486,8 @@ void mbox_free_channel(struct mbox_chan *chan)
+ if (chan->txdone_method == TXDONE_BY_ACK)
+ chan->txdone_method = TXDONE_BY_POLL;
+
+- module_put(chan->mbox->dev->driver->owner);
+ spin_unlock_irqrestore(&chan->lock, flags);
++ module_put(chan->mbox->dev->driver->owner);
+ }
+ EXPORT_SYMBOL_GPL(mbox_free_channel);
+
+--
+2.39.5
+
--- /dev/null
+From df9d43b0008e510b6783ac6edfc94d319c479ad0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 24 May 2025 14:13:10 +0800
+Subject: md/md-bitmap: fix dm-raid max_write_behind setting
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 2afe17794cfed5f80295b1b9facd66e6f65e5002 ]
+
+It's supposed to be COUNTER_MAX / 2, not COUNTER_MAX.
+
+Link: https://lore.kernel.org/linux-raid/20250524061320.370630-14-yukuai1@huaweicloud.com
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md-bitmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c
+index 37b08f26c62f5..45dd3d9f01a8e 100644
+--- a/drivers/md/md-bitmap.c
++++ b/drivers/md/md-bitmap.c
+@@ -789,7 +789,7 @@ static int md_bitmap_new_disk_sb(struct bitmap *bitmap)
+ * is a good choice? We choose COUNTER_MAX / 2 arbitrarily.
+ */
+ write_behind = bitmap->mddev->bitmap_info.max_write_behind;
+- if (write_behind > COUNTER_MAX)
++ if (write_behind > COUNTER_MAX / 2)
+ write_behind = COUNTER_MAX / 2;
+ sb->write_behind = cpu_to_le32(write_behind);
+ bitmap->mddev->bitmap_info.max_write_behind = write_behind;
+--
+2.39.5
+
--- /dev/null
+From 5f9d6b4e4f05df03dffbbbf9a1d08438abd219de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Mar 2025 21:05:28 +0000
+Subject: media: uvcvideo: Create uvc_pm_(get|put) functions
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+[ Upstream commit 2f101572c0a3ae4630f2a57c8033b78ee84ac5a6 ]
+
+Most of the times that we have to call uvc_status_(get|put) we need to
+call the usb_autopm_ functions.
+
+Create a new pair of functions that automate this for us. This
+simplifies the current code and future PM changes in the driver.
+
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Message-ID: <20250327-uvc-granpower-ng-v6-2-35a2357ff348@chromium.org>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Stable-dep-of: a70705d3c020 ("media: uvcvideo: Rollback non processed entities on error")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/uvc/uvc_v4l2.c | 36 +++++++++++++++++++++-----------
+ drivers/media/usb/uvc/uvcvideo.h | 4 ++++
+ 2 files changed, 28 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c
+index 22886b47d81c2..1d5be045d04ec 100644
+--- a/drivers/media/usb/uvc/uvc_v4l2.c
++++ b/drivers/media/usb/uvc/uvc_v4l2.c
+@@ -26,6 +26,27 @@
+
+ #include "uvcvideo.h"
+
++int uvc_pm_get(struct uvc_device *dev)
++{
++ int ret;
++
++ ret = usb_autopm_get_interface(dev->intf);
++ if (ret)
++ return ret;
++
++ ret = uvc_status_get(dev);
++ if (ret)
++ usb_autopm_put_interface(dev->intf);
++
++ return ret;
++}
++
++void uvc_pm_put(struct uvc_device *dev)
++{
++ uvc_status_put(dev);
++ usb_autopm_put_interface(dev->intf);
++}
++
+ static int uvc_acquire_privileges(struct uvc_fh *handle);
+
+ static int uvc_control_add_xu_mapping(struct uvc_video_chain *chain,
+@@ -642,20 +663,13 @@ static int uvc_v4l2_open(struct file *file)
+ stream = video_drvdata(file);
+ uvc_dbg(stream->dev, CALLS, "%s\n", __func__);
+
+- ret = usb_autopm_get_interface(stream->dev->intf);
+- if (ret < 0)
+- return ret;
+-
+ /* Create the device handle. */
+ handle = kzalloc(sizeof(*handle), GFP_KERNEL);
+- if (handle == NULL) {
+- usb_autopm_put_interface(stream->dev->intf);
++ if (!handle)
+ return -ENOMEM;
+- }
+
+- ret = uvc_status_get(stream->dev);
++ ret = uvc_pm_get(stream->dev);
+ if (ret) {
+- usb_autopm_put_interface(stream->dev->intf);
+ kfree(handle);
+ return ret;
+ }
+@@ -690,9 +704,7 @@ static int uvc_v4l2_release(struct file *file)
+ kfree(handle);
+ file->private_data = NULL;
+
+- uvc_status_put(stream->dev);
+-
+- usb_autopm_put_interface(stream->dev->intf);
++ uvc_pm_put(stream->dev);
+ return 0;
+ }
+
+diff --git a/drivers/media/usb/uvc/uvcvideo.h b/drivers/media/usb/uvc/uvcvideo.h
+index 5ceb01e7831a8..b9f8eb62ba1d8 100644
+--- a/drivers/media/usb/uvc/uvcvideo.h
++++ b/drivers/media/usb/uvc/uvcvideo.h
+@@ -768,6 +768,10 @@ void uvc_status_suspend(struct uvc_device *dev);
+ int uvc_status_get(struct uvc_device *dev);
+ void uvc_status_put(struct uvc_device *dev);
+
++/* PM */
++int uvc_pm_get(struct uvc_device *dev);
++void uvc_pm_put(struct uvc_device *dev);
++
+ /* Controls */
+ extern const struct v4l2_subscribed_event_ops uvc_ctrl_sub_ev_ops;
+
+--
+2.39.5
+
--- /dev/null
+From c0b04b3084198c842813f08d4c68085705ecf750 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Mar 2025 21:05:29 +0000
+Subject: media: uvcvideo: Increase/decrease the PM counter per IOCTL
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+[ Upstream commit 10acb9101355484c3e4f2625003cd1b6c203cfe4 ]
+
+Now we call uvc_pm_get/put from the device open/close. This low
+level of granularity might leave the camera powered on in situations
+where it is not needed.
+
+Increase the granularity by increasing and decreasing the Power
+Management counter per ioctl. There are two special cases where the
+power management outlives the ioctl: async controls and streamon. Handle
+those cases as well.
+
+In a future patch, we will remove the uvc_pm_get/put from open/close.
+
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Message-ID: <20250327-uvc-granpower-ng-v6-3-35a2357ff348@chromium.org>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Stable-dep-of: a70705d3c020 ("media: uvcvideo: Rollback non processed entities on error")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/uvc/uvc_ctrl.c | 38 ++++++++++++++++++++++---------
+ drivers/media/usb/uvc/uvc_v4l2.c | 39 ++++++++++++++++++++++++++++++--
+ 2 files changed, 64 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c
+index bc7e2005fc6c7..636ce1eb2a6bf 100644
+--- a/drivers/media/usb/uvc/uvc_ctrl.c
++++ b/drivers/media/usb/uvc/uvc_ctrl.c
+@@ -1812,38 +1812,49 @@ static void uvc_ctrl_send_slave_event(struct uvc_video_chain *chain,
+ uvc_ctrl_send_event(chain, handle, ctrl, mapping, val, changes);
+ }
+
+-static void uvc_ctrl_set_handle(struct uvc_fh *handle, struct uvc_control *ctrl,
+- struct uvc_fh *new_handle)
++static int uvc_ctrl_set_handle(struct uvc_fh *handle, struct uvc_control *ctrl,
++ struct uvc_fh *new_handle)
+ {
+ lockdep_assert_held(&handle->chain->ctrl_mutex);
+
+ if (new_handle) {
++ int ret;
++
+ if (ctrl->handle)
+ dev_warn_ratelimited(&handle->stream->dev->udev->dev,
+ "UVC non compliance: Setting an async control with a pending operation.");
+
+ if (new_handle == ctrl->handle)
+- return;
++ return 0;
+
+ if (ctrl->handle) {
+ WARN_ON(!ctrl->handle->pending_async_ctrls);
+ if (ctrl->handle->pending_async_ctrls)
+ ctrl->handle->pending_async_ctrls--;
++ ctrl->handle = new_handle;
++ handle->pending_async_ctrls++;
++ return 0;
+ }
+
++ ret = uvc_pm_get(handle->chain->dev);
++ if (ret)
++ return ret;
++
+ ctrl->handle = new_handle;
+ handle->pending_async_ctrls++;
+- return;
++ return 0;
+ }
+
+ /* Cannot clear the handle for a control not owned by us.*/
+ if (WARN_ON(ctrl->handle != handle))
+- return;
++ return -EINVAL;
+
+ ctrl->handle = NULL;
+ if (WARN_ON(!handle->pending_async_ctrls))
+- return;
++ return -EINVAL;
+ handle->pending_async_ctrls--;
++ uvc_pm_put(handle->chain->dev);
++ return 0;
+ }
+
+ void uvc_ctrl_status_event(struct uvc_video_chain *chain,
+@@ -2150,15 +2161,15 @@ static int uvc_ctrl_commit_entity(struct uvc_device *dev,
+
+ ctrl->dirty = 0;
+
++ if (!rollback && handle && !ret &&
++ ctrl->info.flags & UVC_CTRL_FLAG_ASYNCHRONOUS)
++ ret = uvc_ctrl_set_handle(handle, ctrl, handle);
++
+ if (ret < 0) {
+ if (err_ctrl)
+ *err_ctrl = ctrl;
+ return ret;
+ }
+-
+- if (!rollback && handle &&
+- ctrl->info.flags & UVC_CTRL_FLAG_ASYNCHRONOUS)
+- uvc_ctrl_set_handle(handle, ctrl, handle);
+ }
+
+ return processed_ctrls;
+@@ -3237,6 +3248,7 @@ int uvc_ctrl_init_device(struct uvc_device *dev)
+ void uvc_ctrl_cleanup_fh(struct uvc_fh *handle)
+ {
+ struct uvc_entity *entity;
++ int i;
+
+ guard(mutex)(&handle->chain->ctrl_mutex);
+
+@@ -3251,7 +3263,11 @@ void uvc_ctrl_cleanup_fh(struct uvc_fh *handle)
+ }
+ }
+
+- WARN_ON(handle->pending_async_ctrls);
++ if (!WARN_ON(handle->pending_async_ctrls))
++ return;
++
++ for (i = 0; i < handle->pending_async_ctrls; i++)
++ uvc_pm_put(handle->stream->dev);
+ }
+
+ /*
+diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c
+index 1d5be045d04ec..8bccf7e17528b 100644
+--- a/drivers/media/usb/uvc/uvc_v4l2.c
++++ b/drivers/media/usb/uvc/uvc_v4l2.c
+@@ -697,6 +697,9 @@ static int uvc_v4l2_release(struct file *file)
+ if (uvc_has_privileges(handle))
+ uvc_queue_release(&stream->queue);
+
++ if (handle->is_streaming)
++ uvc_pm_put(stream->dev);
++
+ /* Release the file handle. */
+ uvc_dismiss_privileges(handle);
+ v4l2_fh_del(&handle->vfh);
+@@ -862,6 +865,11 @@ static int uvc_ioctl_streamon(struct file *file, void *fh,
+ if (ret)
+ return ret;
+
++ ret = uvc_pm_get(stream->dev);
++ if (ret) {
++ uvc_queue_streamoff(&stream->queue, type);
++ return ret;
++ }
+ handle->is_streaming = true;
+
+ return 0;
+@@ -879,7 +887,10 @@ static int uvc_ioctl_streamoff(struct file *file, void *fh,
+ guard(mutex)(&stream->mutex);
+
+ uvc_queue_streamoff(&stream->queue, type);
+- handle->is_streaming = false;
++ if (handle->is_streaming) {
++ handle->is_streaming = false;
++ uvc_pm_put(stream->dev);
++ }
+
+ return 0;
+ }
+@@ -1378,9 +1389,11 @@ static int uvc_v4l2_put_xu_query(const struct uvc_xu_control_query *kp,
+ #define UVCIOC_CTRL_MAP32 _IOWR('u', 0x20, struct uvc_xu_control_mapping32)
+ #define UVCIOC_CTRL_QUERY32 _IOWR('u', 0x21, struct uvc_xu_control_query32)
+
++DEFINE_FREE(uvc_pm_put, struct uvc_device *, if (_T) uvc_pm_put(_T))
+ static long uvc_v4l2_compat_ioctl32(struct file *file,
+ unsigned int cmd, unsigned long arg)
+ {
++ struct uvc_device *uvc_device __free(uvc_pm_put) = NULL;
+ struct uvc_fh *handle = file->private_data;
+ union {
+ struct uvc_xu_control_mapping xmap;
+@@ -1389,6 +1402,12 @@ static long uvc_v4l2_compat_ioctl32(struct file *file,
+ void __user *up = compat_ptr(arg);
+ long ret;
+
++ ret = uvc_pm_get(handle->stream->dev);
++ if (ret)
++ return ret;
++
++ uvc_device = handle->stream->dev;
++
+ switch (cmd) {
+ case UVCIOC_CTRL_MAP32:
+ ret = uvc_v4l2_get_xu_mapping(&karg.xmap, up);
+@@ -1423,6 +1442,22 @@ static long uvc_v4l2_compat_ioctl32(struct file *file,
+ }
+ #endif
+
++static long uvc_v4l2_unlocked_ioctl(struct file *file,
++ unsigned int cmd, unsigned long arg)
++{
++ struct uvc_fh *handle = file->private_data;
++ int ret;
++
++ ret = uvc_pm_get(handle->stream->dev);
++ if (ret)
++ return ret;
++
++ ret = video_ioctl2(file, cmd, arg);
++
++ uvc_pm_put(handle->stream->dev);
++ return ret;
++}
++
+ static ssize_t uvc_v4l2_read(struct file *file, char __user *data,
+ size_t count, loff_t *ppos)
+ {
+@@ -1507,7 +1542,7 @@ const struct v4l2_file_operations uvc_fops = {
+ .owner = THIS_MODULE,
+ .open = uvc_v4l2_open,
+ .release = uvc_v4l2_release,
+- .unlocked_ioctl = video_ioctl2,
++ .unlocked_ioctl = uvc_v4l2_unlocked_ioctl,
+ #ifdef CONFIG_COMPAT
+ .compat_ioctl32 = uvc_v4l2_compat_ioctl32,
+ #endif
+--
+2.39.5
+
--- /dev/null
+From df56336a215a0781bf901647283d47c1e5b88245 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Mar 2025 21:05:27 +0000
+Subject: media: uvcvideo: Keep streaming state in the file handle
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+[ Upstream commit 14f6e205e5599c2217b68c05b903ce162e7c1e27 ]
+
+Add a variable in the file handle state to figure out if a camera is in
+the streaming state or not. This variable will be used in the future for
+power management policies.
+
+Now that we are at it, make use of guards to simplify the code.
+
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Message-ID: <20250327-uvc-granpower-ng-v6-1-35a2357ff348@chromium.org>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Stable-dep-of: a70705d3c020 ("media: uvcvideo: Rollback non processed entities on error")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/uvc/uvc_v4l2.c | 18 +++++++++++++-----
+ drivers/media/usb/uvc/uvcvideo.h | 1 +
+ 2 files changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c
+index 39065db44e864..22886b47d81c2 100644
+--- a/drivers/media/usb/uvc/uvc_v4l2.c
++++ b/drivers/media/usb/uvc/uvc_v4l2.c
+@@ -841,11 +841,18 @@ static int uvc_ioctl_streamon(struct file *file, void *fh,
+ if (!uvc_has_privileges(handle))
+ return -EBUSY;
+
+- mutex_lock(&stream->mutex);
++ guard(mutex)(&stream->mutex);
++
++ if (handle->is_streaming)
++ return 0;
++
+ ret = uvc_queue_streamon(&stream->queue, type);
+- mutex_unlock(&stream->mutex);
++ if (ret)
++ return ret;
+
+- return ret;
++ handle->is_streaming = true;
++
++ return 0;
+ }
+
+ static int uvc_ioctl_streamoff(struct file *file, void *fh,
+@@ -857,9 +864,10 @@ static int uvc_ioctl_streamoff(struct file *file, void *fh,
+ if (!uvc_has_privileges(handle))
+ return -EBUSY;
+
+- mutex_lock(&stream->mutex);
++ guard(mutex)(&stream->mutex);
++
+ uvc_queue_streamoff(&stream->queue, type);
+- mutex_unlock(&stream->mutex);
++ handle->is_streaming = false;
+
+ return 0;
+ }
+diff --git a/drivers/media/usb/uvc/uvcvideo.h b/drivers/media/usb/uvc/uvcvideo.h
+index b4ee701835fc0..5ceb01e7831a8 100644
+--- a/drivers/media/usb/uvc/uvcvideo.h
++++ b/drivers/media/usb/uvc/uvcvideo.h
+@@ -630,6 +630,7 @@ struct uvc_fh {
+ struct uvc_streaming *stream;
+ enum uvc_handle_state state;
+ unsigned int pending_async_ctrls;
++ bool is_streaming;
+ };
+
+ /* ------------------------------------------------------------------------
+--
+2.39.5
+
--- /dev/null
+From 7d8d2893044cfca43319dfef46b5a4f31a78ddb7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Feb 2025 10:34:55 +0000
+Subject: media: uvcvideo: Rollback non processed entities on error
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+[ Upstream commit a70705d3c020d0d5c3ab6a5cc93e011ac35e7d48 ]
+
+If we fail to commit an entity, we need to restore the
+UVC_CTRL_DATA_BACKUP for the other uncommitted entities. Otherwise the
+control cache and the device would be out of sync.
+
+Cc: stable@kernel.org
+Fixes: b4012002f3a3 ("[media] uvcvideo: Add support for control events")
+Reported-by: Hans de Goede <hdegoede@redhat.com>
+Closes: https://lore.kernel.org/linux-media/fe845e04-9fde-46ee-9763-a6f00867929a@redhat.com/
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Message-ID: <20250224-uvc-data-backup-v2-3-de993ed9823b@chromium.org>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/uvc/uvc_ctrl.c | 32 ++++++++++++++++++++++----------
+ 1 file changed, 22 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c
+index 636ce1eb2a6bf..44b6513c52642 100644
+--- a/drivers/media/usb/uvc/uvc_ctrl.c
++++ b/drivers/media/usb/uvc/uvc_ctrl.c
+@@ -2119,7 +2119,7 @@ static int uvc_ctrl_commit_entity(struct uvc_device *dev,
+ unsigned int processed_ctrls = 0;
+ struct uvc_control *ctrl;
+ unsigned int i;
+- int ret;
++ int ret = 0;
+
+ if (entity == NULL)
+ return 0;
+@@ -2148,8 +2148,6 @@ static int uvc_ctrl_commit_entity(struct uvc_device *dev,
+ dev->intfnum, ctrl->info.selector,
+ uvc_ctrl_data(ctrl, UVC_CTRL_DATA_CURRENT),
+ ctrl->info.size);
+- else
+- ret = 0;
+
+ if (!ret)
+ processed_ctrls++;
+@@ -2165,13 +2163,20 @@ static int uvc_ctrl_commit_entity(struct uvc_device *dev,
+ ctrl->info.flags & UVC_CTRL_FLAG_ASYNCHRONOUS)
+ ret = uvc_ctrl_set_handle(handle, ctrl, handle);
+
+- if (ret < 0) {
++ if (ret < 0 && !rollback) {
+ if (err_ctrl)
+ *err_ctrl = ctrl;
+- return ret;
++ /*
++ * If we fail to set a control, we need to rollback
++ * the next ones.
++ */
++ rollback = 1;
+ }
+ }
+
++ if (ret)
++ return ret;
++
+ return processed_ctrls;
+ }
+
+@@ -2202,7 +2207,8 @@ int __uvc_ctrl_commit(struct uvc_fh *handle, int rollback,
+ struct uvc_video_chain *chain = handle->chain;
+ struct uvc_control *err_ctrl;
+ struct uvc_entity *entity;
+- int ret = 0;
++ int ret_out = 0;
++ int ret;
+
+ /* Find the control. */
+ list_for_each_entry(entity, &chain->entities, chain) {
+@@ -2213,17 +2219,23 @@ int __uvc_ctrl_commit(struct uvc_fh *handle, int rollback,
+ ctrls->error_idx =
+ uvc_ctrl_find_ctrl_idx(entity, ctrls,
+ err_ctrl);
+- goto done;
++ /*
++ * When we fail to commit an entity, we need to
++ * restore the UVC_CTRL_DATA_BACKUP for all the
++ * controls in the other entities, otherwise our cache
++ * and the hardware will be out of sync.
++ */
++ rollback = 1;
++
++ ret_out = ret;
+ } else if (ret > 0 && !rollback) {
+ uvc_ctrl_send_events(handle, entity,
+ ctrls->controls, ctrls->count);
+ }
+ }
+
+- ret = 0;
+-done:
+ mutex_unlock(&chain->ctrl_mutex);
+- return ret;
++ return ret_out;
+ }
+
+ static int uvc_mapping_get_xctrl_compound(struct uvc_video_chain *chain,
+--
+2.39.5
+
--- /dev/null
+From dd06d3843e66b372fef9b9d44bd3dc5885615509 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Apr 2025 21:50:09 +0200
+Subject: mfd: 88pm886: Fix wakeup source leaks on device unbind
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 6d0b2398b2638208d68ba06601f776cd5d983b75 ]
+
+Device can be unbound, so driver must also release memory for the wakeup
+source.
+
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Karel Balej <balejk@matfyz.cz>
+Link: https://lore.kernel.org/r/20250406-mfd-device-wakekup-leak-v1-1-318e14bdba0a@linaro.org
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/88pm886.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mfd/88pm886.c b/drivers/mfd/88pm886.c
+index 891fdce5d8c12..177878aa32f86 100644
+--- a/drivers/mfd/88pm886.c
++++ b/drivers/mfd/88pm886.c
+@@ -124,7 +124,11 @@ static int pm886_probe(struct i2c_client *client)
+ if (err)
+ return dev_err_probe(dev, err, "Failed to register power off handler\n");
+
+- device_init_wakeup(dev, device_property_read_bool(dev, "wakeup-source"));
++ if (device_property_read_bool(dev, "wakeup-source")) {
++ err = devm_device_init_wakeup(dev);
++ if (err)
++ return dev_err_probe(dev, err, "Failed to init wakeup\n");
++ }
+
+ return 0;
+ }
+--
+2.39.5
+
--- /dev/null
+From d1f5166072d14417186c3e4923107b7250900ab6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Apr 2025 21:50:11 +0200
+Subject: mfd: max14577: Fix wakeup source leaks on device unbind
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit d905d06e64b0eb3da43af6186c132f5282197998 ]
+
+Device can be unbound, so driver must also release memory for the wakeup
+source.
+
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20250406-mfd-device-wakekup-leak-v1-3-318e14bdba0a@linaro.org
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/max14577.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/mfd/max14577.c b/drivers/mfd/max14577.c
+index 6fce79ec2dc64..7e7e8af9af224 100644
+--- a/drivers/mfd/max14577.c
++++ b/drivers/mfd/max14577.c
+@@ -456,6 +456,7 @@ static void max14577_i2c_remove(struct i2c_client *i2c)
+ {
+ struct max14577 *max14577 = i2c_get_clientdata(i2c);
+
++ device_init_wakeup(max14577->dev, false);
+ mfd_remove_devices(max14577->dev);
+ regmap_del_irq_chip(max14577->irq, max14577->irq_data);
+ if (max14577->dev_type == MAXIM_DEVICE_TYPE_MAX77836)
+--
+2.39.5
+
--- /dev/null
+From df87a218e46e4f8989cc465b67fc6bb4d244813d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Apr 2025 21:50:12 +0200
+Subject: mfd: max77541: Fix wakeup source leaks on device unbind
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 6c7115cdf6440e1e2f15e21efe92e2b757940627 ]
+
+Device can be unbound, so driver must also release memory for the wakeup
+source.
+
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20250406-mfd-device-wakekup-leak-v1-4-318e14bdba0a@linaro.org
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/max77541.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mfd/max77541.c b/drivers/mfd/max77541.c
+index d77c31c86e435..f91b4f5373ce9 100644
+--- a/drivers/mfd/max77541.c
++++ b/drivers/mfd/max77541.c
+@@ -152,7 +152,7 @@ static int max77541_pmic_setup(struct device *dev)
+ if (ret)
+ return dev_err_probe(dev, ret, "Failed to initialize IRQ\n");
+
+- ret = device_init_wakeup(dev, true);
++ ret = devm_device_init_wakeup(dev);
+ if (ret)
+ return dev_err_probe(dev, ret, "Unable to init wakeup\n");
+
+--
+2.39.5
+
--- /dev/null
+From 2a2045257fcc2b92e6be1969de2511ed71b47534 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Apr 2025 21:50:13 +0200
+Subject: mfd: max77705: Fix wakeup source leaks on device unbind
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit a59a56cc4fb1f7d101f7ce1f5396ceaa2e304b71 ]
+
+Device can be unbound, so driver must also release memory for the wakeup
+source.
+
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20250406-mfd-device-wakekup-leak-v1-5-318e14bdba0a@linaro.org
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/max77705.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mfd/max77705.c b/drivers/mfd/max77705.c
+index 60c457c21d952..6b263bacb8c28 100644
+--- a/drivers/mfd/max77705.c
++++ b/drivers/mfd/max77705.c
+@@ -131,7 +131,9 @@ static int max77705_i2c_probe(struct i2c_client *i2c)
+ if (ret)
+ return dev_err_probe(dev, ret, "Failed to register child devices\n");
+
+- device_init_wakeup(dev, true);
++ ret = devm_device_init_wakeup(dev);
++ if (ret)
++ return dev_err_probe(dev, ret, "Failed to init wakeup\n");
+
+ return 0;
+ }
+--
+2.39.5
+
--- /dev/null
+From 0b1865eb891b2b2e39079d0f0543491d5734734c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Apr 2025 21:50:16 +0200
+Subject: mfd: sprd-sc27xx: Fix wakeup source leaks on device unbind
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 37ef4aa4039c42f4b15dc7e40d3e437b7f031522 ]
+
+Device can be unbound, so driver must also release memory for the wakeup
+source.
+
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20250406-mfd-device-wakekup-leak-v1-8-318e14bdba0a@linaro.org
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/sprd-sc27xx-spi.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mfd/sprd-sc27xx-spi.c b/drivers/mfd/sprd-sc27xx-spi.c
+index 7186e2108108f..d6b4350779e6a 100644
+--- a/drivers/mfd/sprd-sc27xx-spi.c
++++ b/drivers/mfd/sprd-sc27xx-spi.c
+@@ -210,7 +210,10 @@ static int sprd_pmic_probe(struct spi_device *spi)
+ return ret;
+ }
+
+- device_init_wakeup(&spi->dev, true);
++ ret = devm_device_init_wakeup(&spi->dev);
++ if (ret)
++ return dev_err_probe(&spi->dev, ret, "Failed to init wakeup\n");
++
+ return 0;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From d0d5783e7c1484bc82bf747edfcbecdd26c2fe77 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Mar 2025 20:05:11 -0500
+Subject: misc: tps6594-pfsm: Add NULL pointer check in tps6594_pfsm_probe()
+
+From: Chenyuan Yang <chenyuan0y@gmail.com>
+
+[ Upstream commit a99b598d836c9c6411110c70a2da134c78d96e67 ]
+
+The returned value, pfsm->miscdev.name, from devm_kasprintf()
+could be NULL.
+A pointer check is added to prevent potential NULL pointer dereference.
+This is similar to the fix in commit 3027e7b15b02
+("ice: Fix some null pointer dereference issues in ice_ptp.c").
+
+This issue is found by our static analysis tool.
+
+Signed-off-by: Chenyuan Yang <chenyuan0y@gmail.com>
+Link: https://lore.kernel.org/r/20250311010511.1028269-1-chenyuan0y@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/tps6594-pfsm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/misc/tps6594-pfsm.c b/drivers/misc/tps6594-pfsm.c
+index 0a24ce44cc37c..6db1c9d48f8fc 100644
+--- a/drivers/misc/tps6594-pfsm.c
++++ b/drivers/misc/tps6594-pfsm.c
+@@ -281,6 +281,9 @@ static int tps6594_pfsm_probe(struct platform_device *pdev)
+ pfsm->miscdev.minor = MISC_DYNAMIC_MINOR;
+ pfsm->miscdev.name = devm_kasprintf(dev, GFP_KERNEL, "pfsm-%ld-0x%02x",
+ tps->chip_id, tps->reg);
++ if (!pfsm->miscdev.name)
++ return -ENOMEM;
++
+ pfsm->miscdev.fops = &tps6594_pfsm_fops;
+ pfsm->miscdev.parent = dev->parent;
+ pfsm->chip_id = tps->chip_id;
+--
+2.39.5
+
--- /dev/null
+From 0e93b854dea45bd77b421d0f62115872216632e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 May 2025 20:57:04 +0800
+Subject: NFSv4: Always set NLINK even if the server doesn't support it
+
+From: Han Young <hanyang.tony@bytedance.com>
+
+[ Upstream commit 3a3065352f73381d3a1aa0ccab44aec3a5a9b365 ]
+
+fattr4_numlinks is a recommended attribute, so the client should emulate
+it even if the server doesn't support it. In decode_attr_nlink function
+in nfs4xdr.c, nlink is initialized to 1. However, this default value
+isn't set to the inode due to the check in nfs_fhget.
+
+So if the server doesn't support numlinks, inode's nlink will be zero,
+the mount will fail with error "Stale file handle". Set the nlink to 1
+if the server doesn't support it.
+
+Signed-off-by: Han Young <hanyang.tony@bytedance.com>
+Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/inode.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
+index 119e447758b99..4695292378bbe 100644
+--- a/fs/nfs/inode.c
++++ b/fs/nfs/inode.c
+@@ -557,6 +557,8 @@ nfs_fhget(struct super_block *sb, struct nfs_fh *fh, struct nfs_fattr *fattr)
+ set_nlink(inode, fattr->nlink);
+ else if (fattr_supported & NFS_ATTR_FATTR_NLINK)
+ nfs_set_cache_invalid(inode, NFS_INO_INVALID_NLINK);
++ else
++ set_nlink(inode, 1);
+ if (fattr->valid & NFS_ATTR_FATTR_OWNER)
+ inode->i_uid = fattr->uid;
+ else if (fattr_supported & NFS_ATTR_FATTR_OWNER)
+--
+2.39.5
+
--- /dev/null
+From b11eef736fa346084f9c59c74a63ffb7ba1095a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Apr 2025 11:23:38 -0400
+Subject: NFSv4: xattr handlers should check for absent nfs filehandles
+
+From: Scott Mayhew <smayhew@redhat.com>
+
+[ Upstream commit 6e9a2f8dbe93c8004c2af2c0158888628b7ca034 ]
+
+The nfs inodes for referral anchors that have not yet been followed have
+their filehandles zeroed out.
+
+Attempting to call getxattr() on one of these will cause the nfs client
+to send a GETATTR to the nfs server with the preceding PUTFH sans
+filehandle. The server will reply NFS4ERR_NOFILEHANDLE, leading to -EIO
+being returned to the application.
+
+For example:
+
+$ strace -e trace=getxattr getfattr -n system.nfs4_acl /mnt/t/ref
+getxattr("/mnt/t/ref", "system.nfs4_acl", NULL, 0) = -1 EIO (Input/output error)
+/mnt/t/ref: system.nfs4_acl: Input/output error
++++ exited with 1 +++
+
+Have the xattr handlers return -ENODATA instead.
+
+Signed-off-by: Scott Mayhew <smayhew@redhat.com>
+Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs4proc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index 6c3896a9b9d0f..2f5a6aa3fd48e 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -6220,6 +6220,8 @@ static ssize_t nfs4_proc_get_acl(struct inode *inode, void *buf, size_t buflen,
+ struct nfs_server *server = NFS_SERVER(inode);
+ int ret;
+
++ if (unlikely(NFS_FH(inode)->size == 0))
++ return -ENODATA;
+ if (!nfs4_server_supports_acls(server, type))
+ return -EOPNOTSUPP;
+ ret = nfs_revalidate_inode(inode, NFS_INO_INVALID_CHANGE);
+@@ -6294,6 +6296,9 @@ static int nfs4_proc_set_acl(struct inode *inode, const void *buf,
+ {
+ struct nfs4_exception exception = { };
+ int err;
++
++ if (unlikely(NFS_FH(inode)->size == 0))
++ return -ENODATA;
+ do {
+ err = __nfs4_proc_set_acl(inode, buf, buflen, type);
+ trace_nfs4_set_acl(inode, err);
+--
+2.39.5
+
--- /dev/null
+From 3f3d1db4af58c3b4679646285b4bf71ef8eef4d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Apr 2025 14:09:21 -0400
+Subject: NFSv4.2: fix listxattr to return selinux security label
+
+From: Olga Kornievskaia <okorniev@redhat.com>
+
+[ Upstream commit 243fea134633ba3d64aceb4c16129c59541ea2c6 ]
+
+Currently, when NFS is queried for all the labels present on the
+file via a command example "getfattr -d -m . /mnt/testfile", it
+does not return the security label. Yet when asked specifically for
+the label (getfattr -n security.selinux) it will be returned.
+Include the security label when all attributes are queried.
+
+Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
+Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs4proc.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index 9db317e7dea17..56f41ec327397 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -10861,7 +10861,7 @@ const struct nfs4_minor_version_ops *nfs_v4_minor_ops[] = {
+
+ static ssize_t nfs4_listxattr(struct dentry *dentry, char *list, size_t size)
+ {
+- ssize_t error, error2, error3;
++ ssize_t error, error2, error3, error4;
+ size_t left = size;
+
+ error = generic_listxattr(dentry, list, left);
+@@ -10884,8 +10884,16 @@ static ssize_t nfs4_listxattr(struct dentry *dentry, char *list, size_t size)
+ error3 = nfs4_listxattr_nfs4_user(d_inode(dentry), list, left);
+ if (error3 < 0)
+ return error3;
++ if (list) {
++ list += error3;
++ left -= error3;
++ }
++
++ error4 = security_inode_listsecurity(d_inode(dentry), list, left);
++ if (error4 < 0)
++ return error4;
+
+- error += error2 + error3;
++ error += error2 + error3 + error4;
+ if (size && error > size)
+ return -ERANGE;
+ return error;
+--
+2.39.5
+
--- /dev/null
+From c79a2b3b14391311b369c0cbaadd95c11b306caf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Apr 2025 15:49:19 +0300
+Subject: NFSv4.2: fix setattr caching of TIME_[MODIFY|ACCESS]_SET when
+ timestamps are delegated
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+[ Upstream commit aba41e90aadeca8d4656f90639aa5f91ce564f1c ]
+
+nfs_setattr will flush all pending writes before updating a file time
+attributes. However when the client holds delegated timestamps, it can
+update its timestamps locally as it is the authority for the file
+times attributes. The client will later set the file attributes by
+adding a setattr to the delegreturn compound updating the server time
+attributes.
+
+Fix nfs_setattr to avoid flushing pending writes when the file time
+attributes are delegated and the mtime/atime are set to a fixed
+timestamp (ATTR_[MODIFY|ACCESS]_SET. Also, when sending the setattr
+procedure over the wire, we need to clear the correct attribute bits
+from the bitmask.
+
+I was able to measure a noticable speedup when measuring untar performance.
+Test: $ time tar xzf ~/dir.tgz
+Baseline: 1m13.072s
+Patched: 0m49.038s
+
+Which is more than 30% latency improvement.
+
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/inode.c | 49 +++++++++++++++++++++++++++++++++++++++++++----
+ fs/nfs/nfs4proc.c | 8 ++++----
+ 2 files changed, 49 insertions(+), 8 deletions(-)
+
+diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
+index 4695292378bbe..8ab7868807a7d 100644
+--- a/fs/nfs/inode.c
++++ b/fs/nfs/inode.c
+@@ -635,6 +635,34 @@ nfs_fattr_fixup_delegated(struct inode *inode, struct nfs_fattr *fattr)
+ }
+ }
+
++static void nfs_set_timestamps_to_ts(struct inode *inode, struct iattr *attr)
++{
++ unsigned int cache_flags = 0;
++
++ if (attr->ia_valid & ATTR_MTIME_SET) {
++ struct timespec64 ctime = inode_get_ctime(inode);
++ struct timespec64 mtime = inode_get_mtime(inode);
++ struct timespec64 now;
++ int updated = 0;
++
++ now = inode_set_ctime_current(inode);
++ if (!timespec64_equal(&now, &ctime))
++ updated |= S_CTIME;
++
++ inode_set_mtime_to_ts(inode, attr->ia_mtime);
++ if (!timespec64_equal(&now, &mtime))
++ updated |= S_MTIME;
++
++ inode_maybe_inc_iversion(inode, updated);
++ cache_flags |= NFS_INO_INVALID_CTIME | NFS_INO_INVALID_MTIME;
++ }
++ if (attr->ia_valid & ATTR_ATIME_SET) {
++ inode_set_atime_to_ts(inode, attr->ia_atime);
++ cache_flags |= NFS_INO_INVALID_ATIME;
++ }
++ NFS_I(inode)->cache_validity &= ~cache_flags;
++}
++
+ static void nfs_update_timestamps(struct inode *inode, unsigned int ia_valid)
+ {
+ enum file_time_flags time_flags = 0;
+@@ -703,14 +731,27 @@ nfs_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
+
+ if (nfs_have_delegated_mtime(inode) && attr->ia_valid & ATTR_MTIME) {
+ spin_lock(&inode->i_lock);
+- nfs_update_timestamps(inode, attr->ia_valid);
++ if (attr->ia_valid & ATTR_MTIME_SET) {
++ nfs_set_timestamps_to_ts(inode, attr);
++ attr->ia_valid &= ~(ATTR_MTIME|ATTR_MTIME_SET|
++ ATTR_ATIME|ATTR_ATIME_SET);
++ } else {
++ nfs_update_timestamps(inode, attr->ia_valid);
++ attr->ia_valid &= ~(ATTR_MTIME|ATTR_ATIME);
++ }
+ spin_unlock(&inode->i_lock);
+- attr->ia_valid &= ~(ATTR_MTIME | ATTR_ATIME);
+ } else if (nfs_have_delegated_atime(inode) &&
+ attr->ia_valid & ATTR_ATIME &&
+ !(attr->ia_valid & ATTR_MTIME)) {
+- nfs_update_delegated_atime(inode);
+- attr->ia_valid &= ~ATTR_ATIME;
++ if (attr->ia_valid & ATTR_ATIME_SET) {
++ spin_lock(&inode->i_lock);
++ nfs_set_timestamps_to_ts(inode, attr);
++ spin_unlock(&inode->i_lock);
++ attr->ia_valid &= ~(ATTR_ATIME|ATTR_ATIME_SET);
++ } else {
++ nfs_update_delegated_atime(inode);
++ attr->ia_valid &= ~ATTR_ATIME;
++ }
+ }
+
+ /* Optimization: if the end result is no change, don't RPC */
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index 56f41ec327397..6c3896a9b9d0f 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -325,14 +325,14 @@ static void nfs4_bitmap_copy_adjust(__u32 *dst, const __u32 *src,
+
+ if (nfs_have_delegated_mtime(inode)) {
+ if (!(cache_validity & NFS_INO_INVALID_ATIME))
+- dst[1] &= ~FATTR4_WORD1_TIME_ACCESS;
++ dst[1] &= ~(FATTR4_WORD1_TIME_ACCESS|FATTR4_WORD1_TIME_ACCESS_SET);
+ if (!(cache_validity & NFS_INO_INVALID_MTIME))
+- dst[1] &= ~FATTR4_WORD1_TIME_MODIFY;
++ dst[1] &= ~(FATTR4_WORD1_TIME_MODIFY|FATTR4_WORD1_TIME_MODIFY_SET);
+ if (!(cache_validity & NFS_INO_INVALID_CTIME))
+- dst[1] &= ~FATTR4_WORD1_TIME_METADATA;
++ dst[1] &= ~(FATTR4_WORD1_TIME_METADATA|FATTR4_WORD1_TIME_MODIFY_SET);
+ } else if (nfs_have_delegated_atime(inode)) {
+ if (!(cache_validity & NFS_INO_INVALID_ATIME))
+- dst[1] &= ~FATTR4_WORD1_TIME_ACCESS;
++ dst[1] &= ~(FATTR4_WORD1_TIME_ACCESS|FATTR4_WORD1_TIME_ACCESS_SET);
+ }
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 67fd157ea429bb81bf89f0d5272992272f758a88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 May 2025 08:45:34 +0200
+Subject: nvme-tcp: fix I/O stalls on congested sockets
+
+From: Hannes Reinecke <hare@kernel.org>
+
+[ Upstream commit f42d4796ee100fade86086d1cf98537fb4d326c8 ]
+
+When the socket is busy processing nvme_tcp_try_recv() might return
+-EAGAIN, but this doesn't automatically imply that the sending side is
+blocked, too. So check if there are pending requests once
+nvme_tcp_try_recv() returns -EAGAIN and continue with the sending loop
+to avoid I/O stalls.
+
+Signed-off-by: Hannes Reinecke <hare@kernel.org>
+Acked-by: Chris Leech <cleech@redhat.com>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/tcp.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c
+index 947fac9128b30..9f4f6464dee04 100644
+--- a/drivers/nvme/host/tcp.c
++++ b/drivers/nvme/host/tcp.c
+@@ -1348,7 +1348,7 @@ static int nvme_tcp_try_recv(struct nvme_tcp_queue *queue)
+ queue->nr_cqe = 0;
+ consumed = sock->ops->read_sock(sk, &rd_desc, nvme_tcp_recv_skb);
+ release_sock(sk);
+- return consumed;
++ return consumed == -EAGAIN ? 0 : consumed;
+ }
+
+ static void nvme_tcp_io_work(struct work_struct *w)
+@@ -1376,6 +1376,11 @@ static void nvme_tcp_io_work(struct work_struct *w)
+ else if (unlikely(result < 0))
+ return;
+
++ /* did we get some space after spending time in recv? */
++ if (nvme_tcp_queue_has_pending(queue) &&
++ sk_stream_is_writeable(queue->sock->sk))
++ pending = true;
++
+ if (!pending || !queue->rd_enabled)
+ return;
+
+--
+2.39.5
+
--- /dev/null
+From a296677c6ceac5a597bde22d017a56a4b912ca9d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 May 2025 08:45:33 +0200
+Subject: nvme-tcp: sanitize request list handling
+
+From: Hannes Reinecke <hare@kernel.org>
+
+[ Upstream commit 0bf04c874fcb1ae46a863034296e4b33d8fbd66c ]
+
+Validate the request in nvme_tcp_handle_r2t() to ensure it's not part of
+any list, otherwise a malicious R2T PDU might inject a loop in request
+list processing.
+
+Signed-off-by: Hannes Reinecke <hare@kernel.org>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/tcp.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c
+index 9f4f6464dee04..b882ee6ef40f6 100644
+--- a/drivers/nvme/host/tcp.c
++++ b/drivers/nvme/host/tcp.c
+@@ -452,7 +452,8 @@ nvme_tcp_fetch_request(struct nvme_tcp_queue *queue)
+ return NULL;
+ }
+
+- list_del(&req->entry);
++ list_del_init(&req->entry);
++ init_llist_node(&req->lentry);
+ return req;
+ }
+
+@@ -560,6 +561,8 @@ static int nvme_tcp_init_request(struct blk_mq_tag_set *set,
+ req->queue = queue;
+ nvme_req(rq)->ctrl = &ctrl->ctrl;
+ nvme_req(rq)->cmd = &pdu->cmd;
++ init_llist_node(&req->lentry);
++ INIT_LIST_HEAD(&req->entry);
+
+ return 0;
+ }
+@@ -764,6 +767,14 @@ static int nvme_tcp_handle_r2t(struct nvme_tcp_queue *queue,
+ return -EPROTO;
+ }
+
++ if (llist_on_list(&req->lentry) ||
++ !list_empty(&req->entry)) {
++ dev_err(queue->ctrl->ctrl.device,
++ "req %d unexpected r2t while processing request\n",
++ rq->tag);
++ return -EPROTO;
++ }
++
+ req->pdu_len = 0;
+ req->h2cdata_left = r2t_length;
+ req->h2cdata_offset = r2t_offset;
+@@ -2641,6 +2652,8 @@ static void nvme_tcp_submit_async_event(struct nvme_ctrl *arg)
+ ctrl->async_req.offset = 0;
+ ctrl->async_req.curr_bio = NULL;
+ ctrl->async_req.data_len = 0;
++ init_llist_node(&ctrl->async_req.lentry);
++ INIT_LIST_HEAD(&ctrl->async_req.entry);
+
+ nvme_tcp_queue_request(&ctrl->async_req, true, true);
+ }
+--
+2.39.5
+
--- /dev/null
+From 463e25f99ba1eb0545cf7262184fc0896f427d88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Apr 2025 16:15:19 -0700
+Subject: ovl: Check for NULL d_inode() in ovl_dentry_upper()
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit 8a39f1c870e9d6fbac5638f3a42a6a6363829c49 ]
+
+In ovl_path_type() and ovl_is_metacopy_dentry() GCC notices that it is
+possible for OVL_E() to return NULL (which implies that d_inode(dentry)
+may be NULL). This would result in out of bounds reads via container_of(),
+seen with GCC 15's -Warray-bounds -fdiagnostics-details. For example:
+
+In file included from arch/x86/include/generated/asm/rwonce.h:1,
+ from include/linux/compiler.h:339,
+ from include/linux/export.h:5,
+ from include/linux/linkage.h:7,
+ from include/linux/fs.h:5,
+ from fs/overlayfs/util.c:7:
+In function 'ovl_upperdentry_dereference',
+ inlined from 'ovl_dentry_upper' at ../fs/overlayfs/util.c:305:9,
+ inlined from 'ovl_path_type' at ../fs/overlayfs/util.c:216:6:
+include/asm-generic/rwonce.h:44:26: error: array subscript 0 is outside array bounds of 'struct inode[7486503276667837]' [-Werror=array-bounds=]
+ 44 | #define __READ_ONCE(x) (*(const volatile __unqual_scalar_typeof(x) *)&(x))
+ | ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+include/asm-generic/rwonce.h:50:9: note: in expansion of macro '__READ_ONCE'
+ 50 | __READ_ONCE(x); \
+ | ^~~~~~~~~~~
+fs/overlayfs/ovl_entry.h:195:16: note: in expansion of macro 'READ_ONCE'
+ 195 | return READ_ONCE(oi->__upperdentry);
+ | ^~~~~~~~~
+ 'ovl_path_type': event 1
+ 185 | return inode ? OVL_I(inode)->oe : NULL;
+ 'ovl_path_type': event 2
+
+Avoid this by allowing ovl_dentry_upper() to return NULL if d_inode() is
+NULL, as that means the problematic dereferencing can never be reached.
+Note that this fixes the over-eager compiler warning in an effort to
+being able to enable -Warray-bounds globally. There is no known
+behavioral bug here.
+
+Suggested-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/overlayfs/util.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/overlayfs/util.c b/fs/overlayfs/util.c
+index 0819c739cc2ff..5d6b60d56c275 100644
+--- a/fs/overlayfs/util.c
++++ b/fs/overlayfs/util.c
+@@ -305,7 +305,9 @@ enum ovl_path_type ovl_path_realdata(struct dentry *dentry, struct path *path)
+
+ struct dentry *ovl_dentry_upper(struct dentry *dentry)
+ {
+- return ovl_upperdentry_dereference(OVL_I(d_inode(dentry)));
++ struct inode *inode = d_inode(dentry);
++
++ return inode ? ovl_upperdentry_dereference(OVL_I(inode)) : NULL;
+ }
+
+ struct dentry *ovl_dentry_lower(struct dentry *dentry)
+--
+2.39.5
+
--- /dev/null
+From ed859a9d26cbadf6d6dcde62048ce14c5f9191ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Apr 2025 10:17:08 +0100
+Subject: PCI: apple: Fix missing OF node reference in apple_pcie_setup_port
+
+From: Hector Martin <marcan@marcan.st>
+
+[ Upstream commit 7fa9fbf39116b061f8a41cd84f1884c545f322c4 ]
+
+In the success path, we hang onto a reference to the node, so make sure
+to grab one. The caller iterator puts our borrowed reference when we
+return.
+
+Signed-off-by: Hector Martin <marcan@marcan.st>
+Signed-off-by: Alyssa Rosenzweig <alyssa@rosenzweig.io>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Tested-by: Janne Grunau <j@jannau.net>
+Reviewed-by: Rob Herring (Arm) <robh@kernel.org>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Acked-by: Alyssa Rosenzweig <alyssa@rosenzweig.io>
+Link: https://patch.msgid.link/20250401091713.2765724-9-maz@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pcie-apple.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/pci/controller/pcie-apple.c b/drivers/pci/controller/pcie-apple.c
+index 32f57b8a6ecbd..8f7fc9161760c 100644
+--- a/drivers/pci/controller/pcie-apple.c
++++ b/drivers/pci/controller/pcie-apple.c
+@@ -584,6 +584,9 @@ static int apple_pcie_setup_port(struct apple_pcie *pcie,
+ list_add_tail(&port->entry, &pcie->ports);
+ init_completion(&pcie->event);
+
++ /* In the success path, we keep a reference to np around */
++ of_node_get(np);
++
+ ret = apple_pcie_port_register_irqs(port);
+ WARN_ON(ret);
+
+--
+2.39.5
+
--- /dev/null
+From 18cfae82a0e1f9a25144ce9cb0ae788d1a17bc55 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Apr 2025 18:36:23 +0800
+Subject: PCI: dwc: Make link training more robust by setting
+ PORT_LOGIC_LINK_WIDTH to one lane
+
+From: Wenbin Yao <quic_wenbyao@quicinc.com>
+
+[ Upstream commit af3c6eacce0c464f28fe0e3d365b3860aba07931 ]
+
+As per DWC PCIe registers description 4.30a, section 1.13.43, NUM_OF_LANES
+named as PORT_LOGIC_LINK_WIDTH in PCIe DWC driver, is referred to as the
+"Predetermined Number of Lanes" in PCIe r6.0, sec 4.2.7.2.1, which explains
+the conditions required to enter Polling.Configuration:
+
+ Next state is Polling.Configuration after at least 1024 TS1 Ordered Sets
+ were transmitted, and all Lanes that detected a Receiver during Detect
+ receive eight consecutive training sequences ...
+
+ Otherwise, after a 24 ms timeout the next state is:
+
+ Polling.Configuration if,
+
+ (i) Any Lane, which detected a Receiver during Detect, received eight
+ consecutive training sequences ... and a minimum of 1024 TS1 Ordered
+ Sets are transmitted after receiving one TS1 or TS2 Ordered Set.
+
+ And
+
+ (ii) At least a predetermined set of Lanes that detected a Receiver
+ during Detect have detected an exit from Electrical Idle at least
+ once since entering Polling.Active.
+
+ Note: This may prevent one or more bad Receivers or Transmitters
+ from holding up a valid Link from being configured, and allow for
+ additional training in Polling.Configuration. The exact set of
+ predetermined Lanes is implementation specific.
+
+ Note: Any Lane that receives eight consecutive TS1 or TS2 Ordered
+ Sets should have detected an exit from Electrical Idle at least
+ once since entering Polling.Active.
+
+In a PCIe link supporting multiple lanes, if PORT_LOGIC_LINK_WIDTH is set
+to lane width the hardware supports, all lanes that detect a receiver
+during the Detect phase must receive eight consecutive training sequences.
+Otherwise, LTSSM will not enter Polling.Configuration and link training
+will fail.
+
+Therefore, always set PORT_LOGIC_LINK_WIDTH to 1, regardless of the number
+of lanes the port actually supports, to make link up more robust. This
+setting will not affect the intended link width if all lanes are
+functional. Additionally, the link can still be established with at least
+one lane if other lanes are faulty.
+
+Co-developed-by: Qiang Yu <quic_qianyu@quicinc.com>
+Signed-off-by: Qiang Yu <quic_qianyu@quicinc.com>
+Signed-off-by: Wenbin Yao <quic_wenbyao@quicinc.com>
+[mani: subject change]
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+[bhelgaas: update PCIe spec citation, format quote]
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Tested-by: Niklas Cassel <cassel@kernel.org>
+Link: https://patch.msgid.link/20250422103623.462277-1-quic_wenbyao@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/dwc/pcie-designware.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/pci/controller/dwc/pcie-designware.c b/drivers/pci/controller/dwc/pcie-designware.c
+index 97d76d3dc066e..be348b341e3cf 100644
+--- a/drivers/pci/controller/dwc/pcie-designware.c
++++ b/drivers/pci/controller/dwc/pcie-designware.c
+@@ -797,22 +797,19 @@ static void dw_pcie_link_set_max_link_width(struct dw_pcie *pci, u32 num_lanes)
+ /* Set link width speed control register */
+ lwsc = dw_pcie_readl_dbi(pci, PCIE_LINK_WIDTH_SPEED_CONTROL);
+ lwsc &= ~PORT_LOGIC_LINK_WIDTH_MASK;
++ lwsc |= PORT_LOGIC_LINK_WIDTH_1_LANES;
+ switch (num_lanes) {
+ case 1:
+ plc |= PORT_LINK_MODE_1_LANES;
+- lwsc |= PORT_LOGIC_LINK_WIDTH_1_LANES;
+ break;
+ case 2:
+ plc |= PORT_LINK_MODE_2_LANES;
+- lwsc |= PORT_LOGIC_LINK_WIDTH_2_LANES;
+ break;
+ case 4:
+ plc |= PORT_LINK_MODE_4_LANES;
+- lwsc |= PORT_LOGIC_LINK_WIDTH_4_LANES;
+ break;
+ case 8:
+ plc |= PORT_LINK_MODE_8_LANES;
+- lwsc |= PORT_LOGIC_LINK_WIDTH_8_LANES;
+ break;
+ default:
+ dev_err(pci->dev, "num-lanes %u: invalid value\n", num_lanes);
+--
+2.39.5
+
--- /dev/null
+From 82bae92628b84df89d1b7172f2a4d3ccfe4e3d36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Apr 2025 16:13:11 +0800
+Subject: PCI: imx6: Add workaround for errata ERR051624
+
+From: Richard Zhu <hongxing.zhu@nxp.com>
+
+[ Upstream commit ce0c43e855c7f652b6351110aaaabf9b521debd7 ]
+
+ERR051624: The Controller Without Vaux Cannot Exit L23 Ready Through Beacon
+or PERST# De-assertion
+
+When the auxiliary power is not available, the controller cannot exit from
+L23 Ready with beacon or PERST# de-assertion when main power is not
+removed. So the workaround is to set SS_RW_REG_1[SYS_AUX_PWR_DET] to 1.
+
+This workaround is required irrespective of whether Vaux is supplied to the
+link partner or not.
+
+Signed-off-by: Richard Zhu <hongxing.zhu@nxp.com>
+[mani: subject and description rewording]
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Link: https://patch.msgid.link/20250416081314.3929794-5-hongxing.zhu@nxp.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/dwc/pci-imx6.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/drivers/pci/controller/dwc/pci-imx6.c b/drivers/pci/controller/dwc/pci-imx6.c
+index ea5c06371171f..1b6fbf507166f 100644
+--- a/drivers/pci/controller/dwc/pci-imx6.c
++++ b/drivers/pci/controller/dwc/pci-imx6.c
+@@ -48,6 +48,8 @@
+ #define IMX95_PCIE_SS_RW_REG_0 0xf0
+ #define IMX95_PCIE_REF_CLKEN BIT(23)
+ #define IMX95_PCIE_PHY_CR_PARA_SEL BIT(9)
++#define IMX95_PCIE_SS_RW_REG_1 0xf4
++#define IMX95_PCIE_SYS_AUX_PWR_DET BIT(31)
+
+ #define IMX95_PE0_GEN_CTRL_1 0x1050
+ #define IMX95_PCIE_DEVICE_TYPE GENMASK(3, 0)
+@@ -231,6 +233,19 @@ static unsigned int imx_pcie_grp_offset(const struct imx_pcie *imx_pcie)
+
+ static int imx95_pcie_init_phy(struct imx_pcie *imx_pcie)
+ {
++ /*
++ * ERR051624: The Controller Without Vaux Cannot Exit L23 Ready
++ * Through Beacon or PERST# De-assertion
++ *
++ * When the auxiliary power is not available, the controller
++ * cannot exit from L23 Ready with beacon or PERST# de-assertion
++ * when main power is not removed.
++ *
++ * Workaround: Set SS_RW_REG_1[SYS_AUX_PWR_DET] to 1.
++ */
++ regmap_set_bits(imx_pcie->iomuxc_gpr, IMX95_PCIE_SS_RW_REG_1,
++ IMX95_PCIE_SYS_AUX_PWR_DET);
++
+ regmap_update_bits(imx_pcie->iomuxc_gpr,
+ IMX95_PCIE_SS_RW_REG_0,
+ IMX95_PCIE_PHY_CR_PARA_SEL,
+--
+2.39.5
+
--- /dev/null
+From c551d280d7c000cec6c0e71fe088d172d6d4c513 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 May 2025 09:41:27 +0300
+Subject: Revert "drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on
+ DG1"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+
+[ Upstream commit ed5915cfce2abb9a553c3737badebd4a11d6c9c7 ]
+
+This reverts commit d6e020819612a4a06207af858e0978be4d3e3140.
+
+The IS_DGFX check was put in place because error capture of buffer
+objects is expected to be broken on devices with VRAM.
+
+Userspace fix[1] to the impacted media driver has been submitted, merged
+and a new driver release is out as 25.2.3 where the capture flag is
+dropped on DG1 thus unblocking the usage of media driver on DG1.
+
+[1] https://github.com/intel/media-driver/commit/93c07d9b4b96a78bab21f6acd4eb863f4313ea4a
+
+Cc: stable@vger.kernel.org # v6.0+
+Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Cc: Andi Shyti <andi.shyti@linux.intel.com>
+Cc: Matthew Auld <matthew.auld@intel.com>
+Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Cc: Tvrtko Ursulin <tursulin@ursulin.net>
+Acked-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
+Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
+Link: https://lore.kernel.org/r/20250522064127.24293-1-joonas.lahtinen@linux.intel.com
+[Joonas: Update message to point out the merged userspace fix]
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+(cherry picked from commit d2dc30e0aa252830f908c8e793d3139d51321370)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c
+index 1974a300b24a1..7796c4119ef5e 100644
+--- a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c
++++ b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c
+@@ -2014,7 +2014,7 @@ static int eb_capture_stage(struct i915_execbuffer *eb)
+ continue;
+
+ if (i915_gem_context_is_recoverable(eb->gem_context) &&
+- GRAPHICS_VER_FULL(eb->i915) > IP_VER(12, 10))
++ (IS_DGFX(eb->i915) || GRAPHICS_VER_FULL(eb->i915) > IP_VER(12, 0)))
+ return -EINVAL;
+
+ for_each_batch_create_order(eb, j) {
+--
+2.39.5
+
--- /dev/null
+From dc9201183da1397962428249e42c7f7233afbfba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Apr 2025 11:24:21 +0200
+Subject: Revert "iommu/amd: Prevent binding other PCI drivers to IOMMU PCI
+ devices"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lukas Wunner <lukas@wunner.de>
+
+[ Upstream commit 3be5fa236649da6404f1bca1491bf02d4b0d5cce ]
+
+Commit 991de2e59090 ("PCI, x86: Implement pcibios_alloc_irq() and
+pcibios_free_irq()") changed IRQ handling on PCI driver probing.
+It inadvertently broke resume from system sleep on AMD platforms:
+
+ https://lore.kernel.org/r/20150926164651.GA3640@pd.tnic/
+
+This was fixed by two independent commits:
+
+* 8affb487d4a4 ("x86/PCI: Don't alloc pcibios-irq when MSI is enabled")
+* cbbc00be2ce3 ("iommu/amd: Prevent binding other PCI drivers to IOMMU PCI devices")
+
+The breaking change and one of these two fixes were subsequently reverted:
+
+* fe25d078874f ("Revert "x86/PCI: Don't alloc pcibios-irq when MSI is enabled"")
+* 6c777e8799a9 ("Revert "PCI, x86: Implement pcibios_alloc_irq() and pcibios_free_irq()"")
+
+This rendered the second fix unnecessary, so revert it as well. It used
+the match_driver flag in struct pci_dev, which is internal to the PCI core
+and not supposed to be touched by arbitrary drivers.
+
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Acked-by: Joerg Roedel <jroedel@suse.de>
+Link: https://patch.msgid.link/9a3ddff5cc49512044f963ba0904347bd404094d.1745572340.git.lukas@wunner.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/amd/init.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/iommu/amd/init.c b/drivers/iommu/amd/init.c
+index 14aa0d77df26d..f9037dad53f31 100644
+--- a/drivers/iommu/amd/init.c
++++ b/drivers/iommu/amd/init.c
+@@ -2030,9 +2030,6 @@ static int __init iommu_init_pci(struct amd_iommu *iommu)
+ if (!iommu->dev)
+ return -ENODEV;
+
+- /* Prevent binding other PCI device drivers to IOMMU devices */
+- iommu->dev->match_driver = false;
+-
+ /* ACPI _PRT won't have an IRQ for IOMMU */
+ iommu->dev->irq_managed = 1;
+
+--
+2.39.5
+
--- /dev/null
+From 5aa894bff3828a8432bfd017152f5b2fd11e9b39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Apr 2025 02:08:32 +0800
+Subject: riscv: add a data fence for CMODX in the kernel mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andy Chiu <andybnac@gmail.com>
+
+[ Upstream commit ca358692de41b273468e625f96926fa53e13bd8c ]
+
+RISC-V spec explicitly calls out that a local fence.i is not enough for
+the code modification to be visble from a remote hart. In fact, it
+states:
+
+To make a store to instruction memory visible to all RISC-V harts, the
+writing hart also has to execute a data FENCE before requesting that all
+remote RISC-V harts execute a FENCE.I.
+
+Although current riscv drivers for IPI use ordered MMIO when sending IPIs
+in order to synchronize the action between previous csd writes, riscv
+does not restrict itself to any particular flavor of IPI. Any driver or
+firmware implementation that does not order data writes before the IPI
+may pose a risk for code-modifying race.
+
+Thus, add a fence here to order data writes before making the IPI.
+
+Signed-off-by: Andy Chiu <andybnac@gmail.com>
+Reviewed-by: Björn Töpel <bjorn@rivosinc.com>
+Link: https://lore.kernel.org/r/20250407180838.42877-8-andybnac@gmail.com
+Signed-off-by: Alexandre Ghiti <alexghiti@rivosinc.com>
+Signed-off-by: Palmer Dabbelt <palmer@dabbelt.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/mm/cacheflush.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/arch/riscv/mm/cacheflush.c b/arch/riscv/mm/cacheflush.c
+index b816727298872..b2e4b81763f88 100644
+--- a/arch/riscv/mm/cacheflush.c
++++ b/arch/riscv/mm/cacheflush.c
+@@ -24,7 +24,20 @@ void flush_icache_all(void)
+
+ if (num_online_cpus() < 2)
+ return;
+- else if (riscv_use_sbi_for_rfence())
++
++ /*
++ * Make sure all previous writes to the D$ are ordered before making
++ * the IPI. The RISC-V spec states that a hart must execute a data fence
++ * before triggering a remote fence.i in order to make the modification
++ * visable for remote harts.
++ *
++ * IPIs on RISC-V are triggered by MMIO writes to either CLINT or
++ * S-IMSIC, so the fence ensures previous data writes "happen before"
++ * the MMIO.
++ */
++ RISCV_FENCE(w, o);
++
++ if (riscv_use_sbi_for_rfence())
+ sbi_remote_fence_i(NULL);
+ else
+ on_each_cpu(ipi_remote_fence_i, NULL, 1);
+--
+2.39.5
+
--- /dev/null
+From a0684b34376892feebb2f5b5af75943d9e1d6673 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 May 2025 12:19:25 +0200
+Subject: riscv: misaligned: declare misaligned_access_speed under
+ CONFIG_RISCV_MISALIGNED
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Clément Léger <cleger@rivosinc.com>
+
+[ Upstream commit 1317045a7d6f397904d105f6d40dc9787876a34b ]
+
+While misaligned_access_speed was defined in a file compile with
+CONFIG_RISCV_MISALIGNED, its definition was under
+CONFIG_RISCV_SCALAR_MISALIGNED. This resulted in compilation problems
+when using it in a file compiled with CONFIG_RISCV_MISALIGNED.
+
+Move the declaration under CONFIG_RISCV_MISALIGNED so that it can be
+used unconditionnally when compiled with that config and remove the check
+for that variable in traps_misaligned.c.
+
+Signed-off-by: Clément Léger <cleger@rivosinc.com>
+Reviewed-by: Charlie Jenkins <charlie@rivosinc.com>
+Tested-by: Charlie Jenkins <charlie@rivosinc.com>
+Reviewed-by: Andrew Jones <ajones@ventanamicro.com>
+Link: https://lore.kernel.org/r/20250523101932.1594077-9-cleger@rivosinc.com
+Signed-off-by: Palmer Dabbelt <palmer@dabbelt.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/include/asm/cpufeature.h | 5 ++++-
+ arch/riscv/kernel/traps_misaligned.c | 2 --
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/arch/riscv/include/asm/cpufeature.h b/arch/riscv/include/asm/cpufeature.h
+index f56b409361fbe..7201da46694f7 100644
+--- a/arch/riscv/include/asm/cpufeature.h
++++ b/arch/riscv/include/asm/cpufeature.h
+@@ -71,7 +71,6 @@ bool __init check_unaligned_access_emulated_all_cpus(void);
+ void check_unaligned_access_emulated(struct work_struct *work __always_unused);
+ void unaligned_emulation_finish(void);
+ bool unaligned_ctl_available(void);
+-DECLARE_PER_CPU(long, misaligned_access_speed);
+ #else
+ static inline bool unaligned_ctl_available(void)
+ {
+@@ -79,6 +78,10 @@ static inline bool unaligned_ctl_available(void)
+ }
+ #endif
+
++#if defined(CONFIG_RISCV_MISALIGNED)
++DECLARE_PER_CPU(long, misaligned_access_speed);
++#endif
++
+ bool __init check_vector_unaligned_access_emulated_all_cpus(void);
+ #if defined(CONFIG_RISCV_VECTOR_MISALIGNED)
+ void check_vector_unaligned_access_emulated(struct work_struct *work __always_unused);
+diff --git a/arch/riscv/kernel/traps_misaligned.c b/arch/riscv/kernel/traps_misaligned.c
+index 56f06a27d45fb..a6b6047693105 100644
+--- a/arch/riscv/kernel/traps_misaligned.c
++++ b/arch/riscv/kernel/traps_misaligned.c
+@@ -368,9 +368,7 @@ static int handle_scalar_misaligned_load(struct pt_regs *regs)
+
+ perf_sw_event(PERF_COUNT_SW_ALIGNMENT_FAULTS, 1, regs, addr);
+
+-#ifdef CONFIG_RISCV_PROBE_UNALIGNED_ACCESS
+ *this_cpu_ptr(&misaligned_access_speed) = RISCV_HWPROBE_MISALIGNED_SCALAR_EMULATED;
+-#endif
+
+ if (!unaligned_enabled)
+ return -1;
+--
+2.39.5
+
--- /dev/null
+From 3391661043bc6c8f8ac874589b1f9395ac104434 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Apr 2025 07:05:22 +0000
+Subject: riscv: save the SR_SUM status over switches
+
+From: Ben Dooks <ben.dooks@codethink.co.uk>
+
+[ Upstream commit 788aa64c01f1262310b4c1fb827a36df170d86ea ]
+
+When threads/tasks are switched we need to ensure the old execution's
+SR_SUM state is saved and the new thread has the old SR_SUM state
+restored.
+
+The issue was seen under heavy load especially with the syz-stress tool
+running, with crashes as follows in schedule_tail:
+
+Unable to handle kernel access to user memory without uaccess routines
+at virtual address 000000002749f0d0
+Oops [#1]
+Modules linked in:
+CPU: 1 PID: 4875 Comm: syz-executor.0 Not tainted
+5.12.0-rc2-syzkaller-00467-g0d7588ab9ef9 #0
+Hardware name: riscv-virtio,qemu (DT)
+epc : schedule_tail+0x72/0xb2 kernel/sched/core.c:4264
+ ra : task_pid_vnr include/linux/sched.h:1421 [inline]
+ ra : schedule_tail+0x70/0xb2 kernel/sched/core.c:4264
+epc : ffffffe00008c8b0 ra : ffffffe00008c8ae sp : ffffffe025d17ec0
+ gp : ffffffe005d25378 tp : ffffffe00f0d0000 t0 : 0000000000000000
+ t1 : 0000000000000001 t2 : 00000000000f4240 s0 : ffffffe025d17ee0
+ s1 : 000000002749f0d0 a0 : 000000000000002a a1 : 0000000000000003
+ a2 : 1ffffffc0cfac500 a3 : ffffffe0000c80cc a4 : 5ae9db91c19bbe00
+ a5 : 0000000000000000 a6 : 0000000000f00000 a7 : ffffffe000082eba
+ s2 : 0000000000040000 s3 : ffffffe00eef96c0 s4 : ffffffe022c77fe0
+ s5 : 0000000000004000 s6 : ffffffe067d74e00 s7 : ffffffe067d74850
+ s8 : ffffffe067d73e18 s9 : ffffffe067d74e00 s10: ffffffe00eef96e8
+ s11: 000000ae6cdf8368 t3 : 5ae9db91c19bbe00 t4 : ffffffc4043cafb2
+ t5 : ffffffc4043cafba t6 : 0000000000040000
+status: 0000000000000120 badaddr: 000000002749f0d0 cause:
+000000000000000f
+Call Trace:
+[<ffffffe00008c8b0>] schedule_tail+0x72/0xb2 kernel/sched/core.c:4264
+[<ffffffe000005570>] ret_from_exception+0x0/0x14
+Dumping ftrace buffer:
+ (ftrace buffer empty)
+---[ end trace b5f8f9231dc87dda ]---
+
+The issue comes from the put_user() in schedule_tail
+(kernel/sched/core.c) doing the following:
+
+asmlinkage __visible void schedule_tail(struct task_struct *prev)
+{
+...
+ if (current->set_child_tid)
+ put_user(task_pid_vnr(current), current->set_child_tid);
+...
+}
+
+the put_user() macro causes the code sequence to come out as follows:
+
+1: __enable_user_access()
+2: reg = task_pid_vnr(current);
+3: *current->set_child_tid = reg;
+4: __disable_user_access()
+
+The problem is that we may have a sleeping function as argument which
+could clear SR_SUM causing the panic above. This was fixed by
+evaluating the argument of the put_user() macro outside the user-enabled
+section in commit 285a76bb2cf5 ("riscv: evaluate put_user() arg before
+enabling user access")"
+
+In order for riscv to take advantage of unsafe_get/put_XXX() macros and
+to avoid the same issue we had with put_user() and sleeping functions we
+must ensure code flow can go through switch_to() from within a region of
+code with SR_SUM enabled and come back with SR_SUM still enabled. This
+patch addresses the problem allowing future work to enable full use of
+unsafe_get/put_XXX() macros without needing to take a CSR bit flip cost
+on every access. Make switch_to() save and restore SR_SUM.
+
+Reported-by: syzbot+e74b94fe601ab9552d69@syzkaller.appspotmail.com
+Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk>
+Signed-off-by: Cyril Bur <cyrilbur@tenstorrent.com>
+Reviewed-by: Alexandre Ghiti <alexghiti@rivosinc.com>
+Reviewed-by: Deepak Gupta <debug@rivosinc.com>
+Link: https://lore.kernel.org/r/20250410070526.3160847-2-cyrilbur@tenstorrent.com
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/include/asm/processor.h | 1 +
+ arch/riscv/kernel/asm-offsets.c | 5 +++++
+ arch/riscv/kernel/entry.S | 8 ++++++++
+ 3 files changed, 14 insertions(+)
+
+diff --git a/arch/riscv/include/asm/processor.h b/arch/riscv/include/asm/processor.h
+index 5f56eb9d114a9..58fd11c89fe9f 100644
+--- a/arch/riscv/include/asm/processor.h
++++ b/arch/riscv/include/asm/processor.h
+@@ -103,6 +103,7 @@ struct thread_struct {
+ struct __riscv_d_ext_state fstate;
+ unsigned long bad_cause;
+ unsigned long envcfg;
++ unsigned long status;
+ u32 riscv_v_flags;
+ u32 vstate_ctrl;
+ struct __riscv_v_ext_state vstate;
+diff --git a/arch/riscv/kernel/asm-offsets.c b/arch/riscv/kernel/asm-offsets.c
+index 16490755304e0..969c65b1fe41d 100644
+--- a/arch/riscv/kernel/asm-offsets.c
++++ b/arch/riscv/kernel/asm-offsets.c
+@@ -34,6 +34,7 @@ void asm_offsets(void)
+ OFFSET(TASK_THREAD_S9, task_struct, thread.s[9]);
+ OFFSET(TASK_THREAD_S10, task_struct, thread.s[10]);
+ OFFSET(TASK_THREAD_S11, task_struct, thread.s[11]);
++ OFFSET(TASK_THREAD_STATUS, task_struct, thread.status);
+
+ OFFSET(TASK_TI_CPU, task_struct, thread_info.cpu);
+ OFFSET(TASK_TI_PREEMPT_COUNT, task_struct, thread_info.preempt_count);
+@@ -346,6 +347,10 @@ void asm_offsets(void)
+ offsetof(struct task_struct, thread.s[11])
+ - offsetof(struct task_struct, thread.ra)
+ );
++ DEFINE(TASK_THREAD_STATUS_RA,
++ offsetof(struct task_struct, thread.status)
++ - offsetof(struct task_struct, thread.ra)
++ );
+
+ DEFINE(TASK_THREAD_F0_F0,
+ offsetof(struct task_struct, thread.fstate.f[0])
+diff --git a/arch/riscv/kernel/entry.S b/arch/riscv/kernel/entry.S
+index 33a5a9f2a0d4e..00bd0de9faa28 100644
+--- a/arch/riscv/kernel/entry.S
++++ b/arch/riscv/kernel/entry.S
+@@ -397,9 +397,17 @@ SYM_FUNC_START(__switch_to)
+ REG_S s9, TASK_THREAD_S9_RA(a3)
+ REG_S s10, TASK_THREAD_S10_RA(a3)
+ REG_S s11, TASK_THREAD_S11_RA(a3)
++
++ /* save the user space access flag */
++ li s0, SR_SUM
++ csrr s1, CSR_STATUS
++ REG_S s1, TASK_THREAD_STATUS_RA(a3)
++
+ /* Save the kernel shadow call stack pointer */
+ scs_save_current
+ /* Restore context from next->thread */
++ REG_L s0, TASK_THREAD_STATUS_RA(a4)
++ csrs CSR_STATUS, s0
+ REG_L ra, TASK_THREAD_RA_RA(a4)
+ REG_L sp, TASK_THREAD_SP_RA(a4)
+ REG_L s0, TASK_THREAD_S0_RA(a4)
+--
+2.39.5
+
--- /dev/null
+From 1880157f9b459a1c1e5cd0c8cbb5c03b8fb780da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 May 2025 05:02:31 -0700
+Subject: rust: arm: fix unknown (to Clang) argument '-mno-fdpic'
+
+From: Rudraksha Gupta <guptarud@gmail.com>
+
+[ Upstream commit 977c4308ee4270cf46e2c66b37de8e04670daa0c ]
+
+Currently rust on arm fails to compile due to '-mno-fdpic'. This flag
+disables a GCC feature that we don't want for kernel builds, so let's
+skip it as it doesn't apply to Clang.
+
+ UPD include/generated/asm-offsets.h
+ CALL scripts/checksyscalls.sh
+ RUSTC L rust/core.o
+ BINDGEN rust/bindings/bindings_generated.rs
+ BINDGEN rust/bindings/bindings_helpers_generated.rs
+ CC rust/helpers/helpers.o
+ Unable to generate bindings: clang diagnosed error: error: unknown argument: '-mno-fdpic'
+ make[2]: *** [rust/Makefile:369: rust/bindings/bindings_helpers_generated.rs] Error 1
+ make[2]: *** Deleting file 'rust/bindings/bindings_helpers_generated.rs'
+ make[2]: *** Waiting for unfinished jobs....
+ Unable to generate bindings: clang diagnosed error: error: unknown argument: '-mno-fdpic'
+ make[2]: *** [rust/Makefile:349: rust/bindings/bindings_generated.rs] Error 1
+ make[2]: *** Deleting file 'rust/bindings/bindings_generated.rs'
+ make[1]: *** [/home/pmos/build/src/linux-next-next-20250521/Makefile:1285: prepare] Error 2
+ make: *** [Makefile:248: __sub-make] Error 2
+
+[ Naresh provided the draft diff [1].
+
+ Ben explained [2]:
+
+ FDPIC is only relevant with no-MMU targets, and then only for userspace.
+ When configured for the arm-*-uclinuxfdpiceabi target, GCC enables FDPIC
+ by default to facilitate compiling userspace programs. FDPIC is never
+ used for the kernel, and we pass -mno-fdpic when building the kernel to
+ override the default and make sure FDPIC is disabled.
+
+ and [3]:
+
+ -mno-fdpic disables a GCC feature that we don't want for kernel builds.
+ clang does not support this feature, so it always behaves as though
+ -mno-fdpic is passed. Therefore, it should be fine to mix the two, at
+ least as far as FDPIC is concerned.
+
+ [1] https://lore.kernel.org/rust-for-linux/CA+G9fYt4otQK4pHv8pJBW9e28yHSGCDncKquwuJiJ_1ou0pq0w@mail.gmail.com/
+ [2] https://lore.kernel.org/rust-for-linux/aAKrq2InExQk7f_k@dell-precision-5540/
+ [3] https://lore.kernel.org/rust-for-linux/aAo_F_UP1Gd4jHlZ@dell-precision-5540/
+
+ - Miguel ]
+
+Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
+Closes: https://lore.kernel.org/all/CA+G9fYvOanQBYXKSg7C6EU30k8sTRC0JRPJXYu7wWK51w38QUQ@mail.gmail.com/
+Suggested-by: Miguel Ojeda <ojeda@kernel.org>
+Acked-by: Naresh Kamboju <naresh.kamboju@linaro.org>
+Signed-off-by: Rudraksha Gupta <guptarud@gmail.com>
+Link: https://lore.kernel.org/r/20250522-rust-mno-fdpic-arm-fix-v2-1-a6f691d9c198@gmail.com
+[ Reworded title. - Miguel ]
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ rust/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rust/Makefile b/rust/Makefile
+index 313a200112ce1..d62b58d0a55cc 100644
+--- a/rust/Makefile
++++ b/rust/Makefile
+@@ -275,7 +275,7 @@ bindgen_skip_c_flags := -mno-fp-ret-in-387 -mpreferred-stack-boundary=% \
+ -fzero-call-used-regs=% -fno-stack-clash-protection \
+ -fno-inline-functions-called-once -fsanitize=bounds-strict \
+ -fstrict-flex-arrays=% -fmin-function-alignment=% \
+- -fzero-init-padding-bits=% \
++ -fzero-init-padding-bits=% -mno-fdpic \
+ --param=% --param asan-%
+
+ # Derived from `scripts/Makefile.clang`.
+--
+2.39.5
+
--- /dev/null
+From 07ad1cfcd0f5724025927a8b7cf6855af0e2b47b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 8 Mar 2025 13:45:06 +0900
+Subject: rust: module: place cleanup_module() in .exit.text section
+
+From: FUJITA Tomonori <fujita.tomonori@gmail.com>
+
+[ Upstream commit 249c3a0e53acefc2b06d3b3e1fc28fb2081f878d ]
+
+Place cleanup_module() in .exit.text section. Currently,
+cleanup_module() is likely placed in the .text section. It's
+inconsistent with the layout of C modules, where cleanup_module() is
+placed in .exit.text.
+
+[ Boqun asked for an example of how the section changed to be
+ put in the log. Tomonori provided the following examples:
+
+ C module:
+
+ $ objdump -t ~/build/x86/drivers/block/loop.o|grep clean
+ 0000000000000000 l O .exit.data 0000000000000008 __UNIQUE_ID___addressable_cleanup_module412
+ 0000000000000000 g F .exit.text 000000000000009c cleanup_module
+
+ Rust module without this patch:
+
+ $ objdump -t ~/build/x86/samples/rust/rust_minimal.o|grep clean
+ 00000000000002b0 g F .text 00000000000000c6 cleanup_module
+ 0000000000000000 g O .exit.data 0000000000000008 _R...___UNIQUE_ID___addressable_cleanup_module
+
+ Rust module with this patch:
+
+ $ objdump -t ~/build/x86/samples/rust/rust_minimal.o|grep clean
+ 0000000000000000 g F .exit.text 00000000000000c6 cleanup_module
+ 0000000000000000 g O .exit.data 0000000000000008 _R...___UNIQUE_ID___addressable_cleanup_module
+
+ - Miguel ]
+
+Signed-off-by: FUJITA Tomonori <fujita.tomonori@gmail.com>
+Acked-by: Jarkko Sakkinen <jarkko@kernel.org>
+Link: https://lore.kernel.org/r/20250308044506.14458-1-fujita.tomonori@gmail.com
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ rust/macros/module.rs | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/rust/macros/module.rs b/rust/macros/module.rs
+index 2f66107847f78..44e5cb108cea7 100644
+--- a/rust/macros/module.rs
++++ b/rust/macros/module.rs
+@@ -278,6 +278,7 @@ pub(crate) fn module(ts: TokenStream) -> TokenStream {
+ #[cfg(MODULE)]
+ #[doc(hidden)]
+ #[no_mangle]
++ #[link_section = \".exit.text\"]
+ pub extern \"C\" fn cleanup_module() {{
+ // SAFETY:
+ // - This function is inaccessible to the outside due to the double
+--
+2.39.5
+
--- /dev/null
+From 4661c4b1972ab71ee9e402e688029308091e08f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Jun 2025 15:49:36 +0200
+Subject: s390/mm: Fix in_atomic() handling in do_secure_storage_access()
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+[ Upstream commit 11709abccf93b08adde95ef313c300b0d4bc28f1 ]
+
+Kernel user spaces accesses to not exported pages in atomic context
+incorrectly try to resolve the page fault.
+With debug options enabled call traces like this can be seen:
+
+BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1523
+in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 419074, name: qemu-system-s39
+preempt_count: 1, expected: 0
+RCU nest depth: 0, expected: 0
+INFO: lockdep is turned off.
+Preemption disabled at:
+[<00000383ea47cfa2>] copy_page_from_iter_atomic+0xa2/0x8a0
+CPU: 12 UID: 0 PID: 419074 Comm: qemu-system-s39
+Tainted: G W 6.16.0-20250531.rc0.git0.69b3a602feac.63.fc42.s390x+debug #1 PREEMPT
+Tainted: [W]=WARN
+Hardware name: IBM 3931 A01 703 (LPAR)
+Call Trace:
+ [<00000383e990d282>] dump_stack_lvl+0xa2/0xe8
+ [<00000383e99bf152>] __might_resched+0x292/0x2d0
+ [<00000383eaa7c374>] down_read+0x34/0x2d0
+ [<00000383e99432f8>] do_secure_storage_access+0x108/0x360
+ [<00000383eaa724b0>] __do_pgm_check+0x130/0x220
+ [<00000383eaa842e4>] pgm_check_handler+0x114/0x160
+ [<00000383ea47d028>] copy_page_from_iter_atomic+0x128/0x8a0
+([<00000383ea47d016>] copy_page_from_iter_atomic+0x116/0x8a0)
+ [<00000383e9c45eae>] generic_perform_write+0x16e/0x310
+ [<00000383e9eb87f4>] ext4_buffered_write_iter+0x84/0x160
+ [<00000383e9da0de4>] vfs_write+0x1c4/0x460
+ [<00000383e9da123c>] ksys_write+0x7c/0x100
+ [<00000383eaa7284e>] __do_syscall+0x15e/0x280
+ [<00000383eaa8417e>] system_call+0x6e/0x90
+INFO: lockdep is turned off.
+
+It is not allowed to take the mmap_lock while in atomic context. Therefore
+handle such a secure storage access fault as if the accessed page is not
+mapped: the uaccess function will return -EFAULT, and the caller has to
+deal with this. Usually this means that the access is retried in process
+context, which allows to resolve the page fault (or in this case export the
+page).
+
+Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
+Acked-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Acked-by: Christian Borntraeger <borntraeger@linux.ibm.com>
+Link: https://lore.kernel.org/r/20250603134936.1314139-1-hca@linux.ibm.com
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/mm/fault.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/s390/mm/fault.c b/arch/s390/mm/fault.c
+index da84ff6770dec..8b3f6dd00eab2 100644
+--- a/arch/s390/mm/fault.c
++++ b/arch/s390/mm/fault.c
+@@ -442,6 +442,8 @@ void do_secure_storage_access(struct pt_regs *regs)
+ if (rc)
+ BUG();
+ } else {
++ if (faulthandler_disabled())
++ return handle_fault_error_nolock(regs, 0);
+ mm = current->mm;
+ mmap_read_lock(mm);
+ vma = find_vma(mm, addr);
+--
+2.39.5
+
--- /dev/null
+From 60a206ed6d2f0c7cca3226fc2137585a6683bae9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 May 2025 16:12:28 +0800
+Subject: scsi: ufs: core: Don't perform UFS clkscaling during host async scan
+
+From: Ziqi Chen <quic_ziqichen@quicinc.com>
+
+[ Upstream commit e97633492f5a3eca7b3ff03b4ef6f993017f7955 ]
+
+When preparing for UFS clock scaling, the UFS driver will quiesce all
+sdevs queues in the UFS SCSI host tagset list and then unquiesce them in
+ufshcd_clock_scaling_unprepare(). If the UFS SCSI host async scan is in
+progress at this time, some LUs may be added to the tagset list between
+UFS clkscale prepare and unprepare. This can cause two issues:
+
+1. During clock scaling, there may be I/O requests issued through new
+added queues that have not been quiesced, leading to task abort issue.
+
+2. These new added queues that have not been quiesced will be unquiesced
+as well when UFS clkscale is unprepared, resulting in warning prints.
+
+Therefore, use the mutex lock scan_mutex in
+ufshcd_clock_scaling_prepare() and ufshcd_clock_scaling_unprepare() to
+protect it.
+
+Co-developed-by: Can Guo <quic_cang@quicinc.com>
+Signed-off-by: Can Guo <quic_cang@quicinc.com>
+Signed-off-by: Ziqi Chen <quic_ziqichen@quicinc.com>
+Link: https://lore.kernel.org/r/20250522081233.2358565-1-quic_ziqichen@quicinc.com
+Suggested-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ufs/core/ufshcd.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
+index 04f769d907a44..ea24080c26e89 100644
+--- a/drivers/ufs/core/ufshcd.c
++++ b/drivers/ufs/core/ufshcd.c
+@@ -1379,6 +1379,7 @@ static int ufshcd_clock_scaling_prepare(struct ufs_hba *hba, u64 timeout_us)
+ * make sure that there are no outstanding requests when
+ * clock scaling is in progress
+ */
++ mutex_lock(&hba->host->scan_mutex);
+ blk_mq_quiesce_tagset(&hba->host->tag_set);
+ mutex_lock(&hba->wb_mutex);
+ down_write(&hba->clk_scaling_lock);
+@@ -1389,6 +1390,7 @@ static int ufshcd_clock_scaling_prepare(struct ufs_hba *hba, u64 timeout_us)
+ up_write(&hba->clk_scaling_lock);
+ mutex_unlock(&hba->wb_mutex);
+ blk_mq_unquiesce_tagset(&hba->host->tag_set);
++ mutex_unlock(&hba->host->scan_mutex);
+ goto out;
+ }
+
+@@ -1410,6 +1412,7 @@ static void ufshcd_clock_scaling_unprepare(struct ufs_hba *hba, int err)
+ mutex_unlock(&hba->wb_mutex);
+
+ blk_mq_unquiesce_tagset(&hba->host->tag_set);
++ mutex_unlock(&hba->host->scan_mutex);
+ ufshcd_release(hba);
+ }
+
+--
+2.39.5
+
--- /dev/null
+cifs-correctly-set-smb1-sessionkey-field-in-session-.patch
+cifs-fix-cifs_query_path_info-for-windows-nt-servers.patch
+cifs-fix-encoding-of-smb1-session-setup-ntlmssp-requ.patch
+nfsv4-always-set-nlink-even-if-the-server-doesn-t-su.patch
+nfsv4.2-fix-listxattr-to-return-selinux-security-lab.patch
+nfsv4.2-fix-setattr-caching-of-time_-modify-access-_.patch
+mailbox-not-protect-module_put-with-spin_lock_irqsav.patch
+mfd-max77541-fix-wakeup-source-leaks-on-device-unbin.patch
+mfd-max14577-fix-wakeup-source-leaks-on-device-unbin.patch
+mfd-max77705-fix-wakeup-source-leaks-on-device-unbin.patch
+mfd-88pm886-fix-wakeup-source-leaks-on-device-unbind.patch
+mfd-sprd-sc27xx-fix-wakeup-source-leaks-on-device-un.patch
+sunrpc-don-t-immediately-retransmit-on-seqno-miss.patch
+hwmon-isl28022-fix-current-reading-calculation.patch
+dm-vdo-indexer-don-t-read-request-structure-after-en.patch
+leds-multicolor-fix-intensity-setting-while-sw-blink.patch
+fuse-fix-race-between-concurrent-setattrs-from-multi.patch
+cxl-region-add-a-dev_err-on-missing-target-list-entr.patch
+cxl-core-region-ignore-interleave-granularity-when-w.patch
+nfsv4-xattr-handlers-should-check-for-absent-nfs-fil.patch
+hwmon-pmbus-max34440-fix-support-for-max34451.patch
+ksmbd-allow-a-filename-to-contain-special-characters.patch
+ksmbd-provide-zero-as-a-unique-id-to-the-mac-client.patch
+rust-module-place-cleanup_module-in-.exit.text-secti.patch
+rust-arm-fix-unknown-to-clang-argument-mno-fdpic.patch
+revert-iommu-amd-prevent-binding-other-pci-drivers-t.patch
+dmaengine-idxd-check-availability-of-workqueue-alloc.patch
+dmaengine-xilinx_dma-set-dma_device-directions.patch
+pci-dwc-make-link-training-more-robust-by-setting-po.patch
+pci-apple-fix-missing-of-node-reference-in-apple_pci.patch
+pci-imx6-add-workaround-for-errata-err051624.patch
+wifi-iwlwifi-mld-move-regulatory-domain-initializati.patch
+nvme-tcp-fix-i-o-stalls-on-congested-sockets.patch
+nvme-tcp-sanitize-request-list-handling.patch
+md-md-bitmap-fix-dm-raid-max_write_behind-setting.patch
+amd-amdkfd-fix-a-kfd_process-ref-leak.patch
+drm-amdgpu-vcn5.0.1-read-back-register-after-written.patch
+drm-amdgpu-vcn4-read-back-register-after-written.patch
+drm-amdgpu-vcn3-read-back-register-after-written.patch
+drm-amdgpu-vcn2.5-read-back-register-after-written.patch
+bcache-fix-null-pointer-in-cache_set_flush.patch
+drm-amdgpu-seq64-memory-unmap-uses-uninterruptible-l.patch
+drm-scheduler-signal-scheduled-fence-when-kill-job.patch
+iio-pressure-zpa2326-use-aligned_s64-for-the-timesta.patch
+bus-mhi-host-pci_generic-add-telit-fn920c04-modem-su.patch
+um-add-cmpxchg8b_emu-and-checksum-functions-to-asm-p.patch
+um-use-proper-care-when-taking-mmap-lock-during-segf.patch
+8250-microchip-pci1xxxx-add-pcie-hot-reset-disable-s.patch
+coresight-only-check-bottom-two-claim-bits.patch
+usb-dwc2-also-exit-clock_gating-when-stopping-udc-wh.patch
+iio-adc-ad_sigma_delta-fix-use-of-uninitialized-stat.patch
+iio-dac-adi-axi-dac-add-cntrl-chan-check.patch
+iio-light-al3000a-fix-an-error-handling-path-in-al30.patch
+iio-adc-ad7606_spi-check-error-in-ad7606b_sw_mode_co.patch
+iio-hid-sensor-prox-add-support-for-16-bit-report-si.patch
+misc-tps6594-pfsm-add-null-pointer-check-in-tps6594_.patch
+usb-potential-integer-overflow-in-usbg_make_tpg.patch
+tty-serial-uartlite-register-uart-driver-in-init.patch
+usb-common-usb-conn-gpio-use-a-unique-name-for-usb-c.patch
+usb-add-checks-for-snprintf-calls-in-usb_alloc_dev.patch
+usb-cdc-wdm-avoid-setting-wdm_read-for-zlp-s.patch
+usb-gadget-f_hid-wake-up-readers-on-disable-unbind.patch
+usb-typec-displayport-receive-dp-status-update-nak-r.patch
+usb-typec-tcpci-fix-wakeup-source-leaks-on-device-un.patch
+usb-typec-tipd-fix-wakeup-source-leaks-on-device-unb.patch
+usb-typec-mux-do-not-return-on-eopnotsupp-in-mux-swi.patch
+riscv-add-a-data-fence-for-cmodx-in-the-kernel-mode.patch
+s390-mm-fix-in_atomic-handling-in-do_secure_storage_.patch
+riscv-misaligned-declare-misaligned_access_speed-und.patch
+alsa-hda-ignore-unsol-events-for-cards-being-shut-do.patch
+alsa-hda-add-new-pci-id-for-amd-gpu-display-hd-audio.patch
+alsa-usb-audio-add-a-quirk-for-lenovo-thinkpad-thund.patch
+asoc-rt1320-fix-speaker-noise-when-volume-bar-is-100.patch
+ceph-fix-possible-integer-overflow-in-ceph_zero_obje.patch
+scsi-ufs-core-don-t-perform-ufs-clkscaling-during-ho.patch
+riscv-save-the-sr_sum-status-over-switches.patch
+ovl-check-for-null-d_inode-in-ovl_dentry_upper.patch
+btrfs-fix-race-between-async-reclaim-worker-and-clos.patch
+btrfs-handle-csum-tree-error-with-rescue-ibadroots-c.patch
+drm-i915-gem-allow-exec_capture-on-recoverable-conte.patch
+revert-drm-i915-gem-allow-exec_capture-on-recoverabl.patch
+btrfs-use-unsigned-types-for-constants-defined-as-bi.patch
+btrfs-fix-qgroup-reservation-leak-on-failure-to-allo.patch
+media-uvcvideo-keep-streaming-state-in-the-file-hand.patch
+media-uvcvideo-create-uvc_pm_-get-put-functions.patch
+media-uvcvideo-increase-decrease-the-pm-counter-per-.patch
+media-uvcvideo-rollback-non-processed-entities-on-er.patch
+asoc-codec-wcd9335-convert-to-gpio-descriptors.patch
+asoc-codecs-wcd9335-fix-missing-free-of-regulator-su.patch
+f2fs-don-t-over-report-free-space-or-inodes-in-statv.patch
+io_uring-zcrx-move-io_zcrx_iov_page.patch
+io_uring-zcrx-improve-area-validation.patch
+io_uring-zcrx-split-out-memory-holders-from-area.patch
+io_uring-zcrx-fix-area-release-on-registration-failu.patch
+drm-i915-display-add-check-for-alloc_ordered_workque.patch
+af_unix-don-t-leave-consecutive-consumed-oob-skbs.patch
--- /dev/null
+From c5d2cdd40776aff74d6f2f5d0cced3c6520f7492 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Mar 2025 13:02:40 -0400
+Subject: sunrpc: don't immediately retransmit on seqno miss
+
+From: Nikhil Jha <njha@janestreet.com>
+
+[ Upstream commit fadc0f3bb2de8c570ced6d9c1f97222213d93140 ]
+
+RFC2203 requires that retransmitted messages use a new gss sequence
+number, but the same XID. This means that if the server is just slow
+(e.x. overloaded), the client might receive a response using an older
+seqno than the one it has recorded.
+
+Currently, Linux's client immediately retransmits in this case. However,
+this leads to a lot of wasted retransmits until the server eventually
+responds faster than the client can resend.
+
+Client -> SEQ 1 -> Server
+Client -> SEQ 2 -> Server
+Client <- SEQ 1 <- Server (misses, expecting seqno = 2)
+Client -> SEQ 3 -> Server (immediate retransmission on miss)
+Client <- SEQ 2 <- Server (misses, expecting seqno = 3)
+Client -> SEQ 4 -> Server (immediate retransmission on miss)
+... and so on ...
+
+This commit makes it so that we ignore messages with bad checksums
+due to seqnum mismatch, and rely on the usual timeout behavior for
+retransmission instead of doing so immediately.
+
+Signed-off-by: Nikhil Jha <njha@janestreet.com>
+Acked-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sunrpc/clnt.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
+index 6f75862d97820..21426c3049d35 100644
+--- a/net/sunrpc/clnt.c
++++ b/net/sunrpc/clnt.c
+@@ -2771,8 +2771,13 @@ rpc_decode_header(struct rpc_task *task, struct xdr_stream *xdr)
+ case -EPROTONOSUPPORT:
+ goto out_err;
+ case -EACCES:
+- /* Re-encode with a fresh cred */
+- fallthrough;
++ /* possible RPCSEC_GSS out-of-sequence event (RFC2203),
++ * reset recv state and keep waiting, don't retransmit
++ */
++ task->tk_rqstp->rq_reply_bytes_recvd = 0;
++ task->tk_status = xprt_request_enqueue_receive(task);
++ task->tk_action = call_transmit_status;
++ return -EBADMSG;
+ default:
+ goto out_garbage;
+ }
+--
+2.39.5
+
--- /dev/null
+From bd82a5cb249caa635ed17a086b4a731169a53c75 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 Mar 2025 18:06:19 +0200
+Subject: tty: serial: uartlite: register uart driver in init
+
+From: Jakub Lewalski <jakub.lewalski@nokia.com>
+
+[ Upstream commit 6bd697b5fc39fd24e2aa418c7b7d14469f550a93 ]
+
+When two instances of uart devices are probing, a concurrency race can
+occur. If one thread calls uart_register_driver function, which first
+allocates and assigns memory to 'uart_state' member of uart_driver
+structure, the other instance can bypass uart driver registration and
+call ulite_assign. This calls uart_add_one_port, which expects the uart
+driver to be fully initialized. This leads to a kernel panic due to a
+null pointer dereference:
+
+[ 8.143581] BUG: kernel NULL pointer dereference, address: 00000000000002b8
+[ 8.156982] #PF: supervisor write access in kernel mode
+[ 8.156984] #PF: error_code(0x0002) - not-present page
+[ 8.156986] PGD 0 P4D 0
+...
+[ 8.180668] RIP: 0010:mutex_lock+0x19/0x30
+[ 8.188624] Call Trace:
+[ 8.188629] ? __die_body.cold+0x1a/0x1f
+[ 8.195260] ? page_fault_oops+0x15c/0x290
+[ 8.209183] ? __irq_resolve_mapping+0x47/0x80
+[ 8.209187] ? exc_page_fault+0x64/0x140
+[ 8.209190] ? asm_exc_page_fault+0x22/0x30
+[ 8.209196] ? mutex_lock+0x19/0x30
+[ 8.223116] uart_add_one_port+0x60/0x440
+[ 8.223122] ? proc_tty_register_driver+0x43/0x50
+[ 8.223126] ? tty_register_driver+0x1ca/0x1e0
+[ 8.246250] ulite_probe+0x357/0x4b0 [uartlite]
+
+To prevent it, move uart driver registration in to init function. This
+will ensure that uart_driver is always registered when probe function
+is called.
+
+Signed-off-by: Jakub Lewalski <jakub.lewalski@nokia.com>
+Signed-off-by: Elodie Decerle <elodie.decerle@nokia.com>
+Link: https://lore.kernel.org/r/20250331160732.2042-1-elodie.decerle@nokia.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/uartlite.c | 25 ++++++++++++-------------
+ 1 file changed, 12 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/tty/serial/uartlite.c b/drivers/tty/serial/uartlite.c
+index a41e7fc373b7c..39c1fd1ff9ced 100644
+--- a/drivers/tty/serial/uartlite.c
++++ b/drivers/tty/serial/uartlite.c
+@@ -880,16 +880,6 @@ static int ulite_probe(struct platform_device *pdev)
+ pm_runtime_set_active(&pdev->dev);
+ pm_runtime_enable(&pdev->dev);
+
+- if (!ulite_uart_driver.state) {
+- dev_dbg(&pdev->dev, "uartlite: calling uart_register_driver()\n");
+- ret = uart_register_driver(&ulite_uart_driver);
+- if (ret < 0) {
+- dev_err(&pdev->dev, "Failed to register driver\n");
+- clk_disable_unprepare(pdata->clk);
+- return ret;
+- }
+- }
+-
+ ret = ulite_assign(&pdev->dev, id, res->start, irq, pdata);
+
+ pm_runtime_mark_last_busy(&pdev->dev);
+@@ -929,16 +919,25 @@ static struct platform_driver ulite_platform_driver = {
+
+ static int __init ulite_init(void)
+ {
++ int ret;
++
++ pr_debug("uartlite: calling uart_register_driver()\n");
++ ret = uart_register_driver(&ulite_uart_driver);
++ if (ret)
++ return ret;
+
+ pr_debug("uartlite: calling platform_driver_register()\n");
+- return platform_driver_register(&ulite_platform_driver);
++ ret = platform_driver_register(&ulite_platform_driver);
++ if (ret)
++ uart_unregister_driver(&ulite_uart_driver);
++
++ return ret;
+ }
+
+ static void __exit ulite_exit(void)
+ {
+ platform_driver_unregister(&ulite_platform_driver);
+- if (ulite_uart_driver.state)
+- uart_unregister_driver(&ulite_uart_driver);
++ uart_unregister_driver(&ulite_uart_driver);
+ }
+
+ module_init(ulite_init);
+--
+2.39.5
+
--- /dev/null
+From e11d9f5feb2ce90f1d8f733bb93765f521e0aa67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Mar 2025 19:05:00 +0000
+Subject: um: Add cmpxchg8b_emu and checksum functions to asm-prototypes.h
+
+From: Sami Tolvanen <samitolvanen@google.com>
+
+[ Upstream commit 674d03f6bd6b0f8327f1a4920ff5893557facfbd ]
+
+With CONFIG_GENDWARFKSYMS, um builds fail due to missing prototypes
+in asm/asm-prototypes.h. Add declarations for cmpxchg8b_emu and the
+exported checksum functions, including csum_partial_copy_generic as
+it's also exported.
+
+Cc: Masahiro Yamada <masahiroy@kernel.org>
+Cc: linux-kbuild@vger.kernel.org
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202503251216.lE4t9Ikj-lkp@intel.com/
+Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
+Link: https://patch.msgid.link/20250326190500.847236-2-samitolvanen@google.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/um/include/asm/asm-prototypes.h | 5 +++++
+ arch/x86/um/asm/checksum.h | 3 +++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/arch/um/include/asm/asm-prototypes.h b/arch/um/include/asm/asm-prototypes.h
+index 5898a26daa0dd..408b31d591279 100644
+--- a/arch/um/include/asm/asm-prototypes.h
++++ b/arch/um/include/asm/asm-prototypes.h
+@@ -1 +1,6 @@
+ #include <asm-generic/asm-prototypes.h>
++#include <asm/checksum.h>
++
++#ifdef CONFIG_UML_X86
++extern void cmpxchg8b_emu(void);
++#endif
+diff --git a/arch/x86/um/asm/checksum.h b/arch/x86/um/asm/checksum.h
+index b07824500363f..ddc144657efad 100644
+--- a/arch/x86/um/asm/checksum.h
++++ b/arch/x86/um/asm/checksum.h
+@@ -20,6 +20,9 @@
+ */
+ extern __wsum csum_partial(const void *buff, int len, __wsum sum);
+
++/* Do not call this directly. Declared for export type visibility. */
++extern __visible __wsum csum_partial_copy_generic(const void *src, void *dst, int len);
++
+ /**
+ * csum_fold - Fold and invert a 32bit checksum.
+ * sum: 32bit unfolded sum
+--
+2.39.5
+
--- /dev/null
+From 9eff0c92d4691ddfd230aa1885af31edb157dfb5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Apr 2025 09:45:24 +0200
+Subject: um: use proper care when taking mmap lock during segfault
+
+From: Benjamin Berg <benjamin.berg@intel.com>
+
+[ Upstream commit 6767e8784cd2e8b386a62330ea6864949d983a3e ]
+
+Segfaults can occur at times where the mmap lock cannot be taken. If
+that happens the segfault handler may not be able to take the mmap lock.
+
+Fix the code to use the same approach as most other architectures.
+Unfortunately, this requires copying code from mm/memory.c and modifying
+it slightly as UML does not have exception tables.
+
+Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
+Link: https://patch.msgid.link/20250408074524.300153-2-benjamin@sipsolutions.net
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/um/kernel/trap.c | 129 ++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 117 insertions(+), 12 deletions(-)
+
+diff --git a/arch/um/kernel/trap.c b/arch/um/kernel/trap.c
+index ef2272e92a432..8a2e68d07de61 100644
+--- a/arch/um/kernel/trap.c
++++ b/arch/um/kernel/trap.c
+@@ -18,6 +18,122 @@
+ #include <skas.h>
+ #include <arch.h>
+
++/*
++ * NOTE: UML does not have exception tables. As such, this is almost a copy
++ * of the code in mm/memory.c, only adjusting the logic to simply check whether
++ * we are coming from the kernel instead of doing an additional lookup in the
++ * exception table.
++ * We can do this simplification because we never get here if the exception was
++ * fixable.
++ */
++static inline bool get_mmap_lock_carefully(struct mm_struct *mm, bool is_user)
++{
++ if (likely(mmap_read_trylock(mm)))
++ return true;
++
++ if (!is_user)
++ return false;
++
++ return !mmap_read_lock_killable(mm);
++}
++
++static inline bool mmap_upgrade_trylock(struct mm_struct *mm)
++{
++ /*
++ * We don't have this operation yet.
++ *
++ * It should be easy enough to do: it's basically a
++ * atomic_long_try_cmpxchg_acquire()
++ * from RWSEM_READER_BIAS -> RWSEM_WRITER_LOCKED, but
++ * it also needs the proper lockdep magic etc.
++ */
++ return false;
++}
++
++static inline bool upgrade_mmap_lock_carefully(struct mm_struct *mm, bool is_user)
++{
++ mmap_read_unlock(mm);
++ if (!is_user)
++ return false;
++
++ return !mmap_write_lock_killable(mm);
++}
++
++/*
++ * Helper for page fault handling.
++ *
++ * This is kind of equivalend to "mmap_read_lock()" followed
++ * by "find_extend_vma()", except it's a lot more careful about
++ * the locking (and will drop the lock on failure).
++ *
++ * For example, if we have a kernel bug that causes a page
++ * fault, we don't want to just use mmap_read_lock() to get
++ * the mm lock, because that would deadlock if the bug were
++ * to happen while we're holding the mm lock for writing.
++ *
++ * So this checks the exception tables on kernel faults in
++ * order to only do this all for instructions that are actually
++ * expected to fault.
++ *
++ * We can also actually take the mm lock for writing if we
++ * need to extend the vma, which helps the VM layer a lot.
++ */
++static struct vm_area_struct *
++um_lock_mm_and_find_vma(struct mm_struct *mm,
++ unsigned long addr, bool is_user)
++{
++ struct vm_area_struct *vma;
++
++ if (!get_mmap_lock_carefully(mm, is_user))
++ return NULL;
++
++ vma = find_vma(mm, addr);
++ if (likely(vma && (vma->vm_start <= addr)))
++ return vma;
++
++ /*
++ * Well, dang. We might still be successful, but only
++ * if we can extend a vma to do so.
++ */
++ if (!vma || !(vma->vm_flags & VM_GROWSDOWN)) {
++ mmap_read_unlock(mm);
++ return NULL;
++ }
++
++ /*
++ * We can try to upgrade the mmap lock atomically,
++ * in which case we can continue to use the vma
++ * we already looked up.
++ *
++ * Otherwise we'll have to drop the mmap lock and
++ * re-take it, and also look up the vma again,
++ * re-checking it.
++ */
++ if (!mmap_upgrade_trylock(mm)) {
++ if (!upgrade_mmap_lock_carefully(mm, is_user))
++ return NULL;
++
++ vma = find_vma(mm, addr);
++ if (!vma)
++ goto fail;
++ if (vma->vm_start <= addr)
++ goto success;
++ if (!(vma->vm_flags & VM_GROWSDOWN))
++ goto fail;
++ }
++
++ if (expand_stack_locked(vma, addr))
++ goto fail;
++
++success:
++ mmap_write_downgrade(mm);
++ return vma;
++
++fail:
++ mmap_write_unlock(mm);
++ return NULL;
++}
++
+ /*
+ * Note this is constrained to return 0, -EFAULT, -EACCES, -ENOMEM by
+ * segv().
+@@ -44,21 +160,10 @@ int handle_page_fault(unsigned long address, unsigned long ip,
+ if (is_user)
+ flags |= FAULT_FLAG_USER;
+ retry:
+- mmap_read_lock(mm);
+- vma = find_vma(mm, address);
+- if (!vma)
+- goto out;
+- if (vma->vm_start <= address)
+- goto good_area;
+- if (!(vma->vm_flags & VM_GROWSDOWN))
+- goto out;
+- if (is_user && !ARCH_IS_STACKGROW(address))
+- goto out;
+- vma = expand_stack(mm, address);
++ vma = um_lock_mm_and_find_vma(mm, address, is_user);
+ if (!vma)
+ goto out_nosemaphore;
+
+-good_area:
+ *code_out = SEGV_ACCERR;
+ if (is_write) {
+ if (!(vma->vm_flags & VM_WRITE))
+--
+2.39.5
+
--- /dev/null
+From 531e645edb7f800994fbe5f21a86c2c7157cbba0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Mar 2025 18:49:49 +0200
+Subject: usb: Add checks for snprintf() calls in usb_alloc_dev()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 82fe5107fa3d21d6c3fba091c9dbc50495588630 ]
+
+When creating a device path in the driver the snprintf() takes
+up to 16 characters long argument along with the additional up to
+12 characters for the signed integer (as it can't see the actual limits)
+and tries to pack this into 16 bytes array. GCC complains about that
+when build with `make W=1`:
+
+ drivers/usb/core/usb.c:705:25: note: ‘snprintf’ output between 3 and 28 bytes into a destination of size 16
+
+Since everything works until now, let's just check for the potential
+buffer overflow and bail out. It is most likely a never happen situation,
+but at least it makes GCC happy.
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20250321164949.423957-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/core/usb.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c
+index 0b4685aad2d50..118fa4c93a795 100644
+--- a/drivers/usb/core/usb.c
++++ b/drivers/usb/core/usb.c
+@@ -695,15 +695,16 @@ struct usb_device *usb_alloc_dev(struct usb_device *parent,
+ device_set_of_node_from_dev(&dev->dev, bus->sysdev);
+ dev_set_name(&dev->dev, "usb%d", bus->busnum);
+ } else {
++ int n;
++
+ /* match any labeling on the hubs; it's one-based */
+ if (parent->devpath[0] == '0') {
+- snprintf(dev->devpath, sizeof dev->devpath,
+- "%d", port1);
++ n = snprintf(dev->devpath, sizeof(dev->devpath), "%d", port1);
+ /* Root ports are not counted in route string */
+ dev->route = 0;
+ } else {
+- snprintf(dev->devpath, sizeof dev->devpath,
+- "%s.%d", parent->devpath, port1);
++ n = snprintf(dev->devpath, sizeof(dev->devpath), "%s.%d",
++ parent->devpath, port1);
+ /* Route string assumes hubs have less than 16 ports */
+ if (port1 < 15)
+ dev->route = parent->route +
+@@ -712,6 +713,11 @@ struct usb_device *usb_alloc_dev(struct usb_device *parent,
+ dev->route = parent->route +
+ (15 << ((parent->level - 1)*4));
+ }
++ if (n >= sizeof(dev->devpath)) {
++ usb_put_hcd(bus_to_hcd(bus));
++ usb_put_dev(dev);
++ return NULL;
++ }
+
+ dev->dev.parent = &parent->dev;
+ dev_set_name(&dev->dev, "%d-%s", bus->busnum, dev->devpath);
+--
+2.39.5
+
--- /dev/null
+From 07a6b2ee44f771d78f284c19353812daa967e720 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Apr 2025 16:40:04 +0200
+Subject: usb: cdc-wdm: avoid setting WDM_READ for ZLP-s
+
+From: Robert Hodaszi <robert.hodaszi@digi.com>
+
+[ Upstream commit 387602d8a75574fafb451b7a8215e78dfd67ee63 ]
+
+Don't set WDM_READ flag in wdm_in_callback() for ZLP-s, otherwise when
+userspace tries to poll for available data, it might - incorrectly -
+believe there is something available, and when it tries to non-blocking
+read it, it might get stuck in the read loop.
+
+For example this is what glib does for non-blocking read (briefly):
+
+ 1. poll()
+ 2. if poll returns with non-zero, starts a read data loop:
+ a. loop on poll() (EINTR disabled)
+ b. if revents was set, reads data
+ I. if read returns with EINTR or EAGAIN, goto 2.a.
+ II. otherwise return with data
+
+So if ZLP sets WDM_READ (#1), we expect data, and try to read it (#2).
+But as that was a ZLP, and we are doing non-blocking read, wdm_read()
+returns with EAGAIN (#2.b.I), so loop again, and try to read again
+(#2.a.).
+
+With glib, we might stuck in this loop forever, as EINTR is disabled
+(#2.a).
+
+Signed-off-by: Robert Hodaszi <robert.hodaszi@digi.com>
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Link: https://lore.kernel.org/r/20250403144004.3889125-1-robert.hodaszi@digi.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/class/cdc-wdm.c | 23 +++++++++--------------
+ 1 file changed, 9 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c
+index 16e7fa4d488d3..ecd6d1f39e498 100644
+--- a/drivers/usb/class/cdc-wdm.c
++++ b/drivers/usb/class/cdc-wdm.c
+@@ -92,7 +92,6 @@ struct wdm_device {
+ u16 wMaxCommand;
+ u16 wMaxPacketSize;
+ __le16 inum;
+- int reslength;
+ int length;
+ int read;
+ int count;
+@@ -214,6 +213,11 @@ static void wdm_in_callback(struct urb *urb)
+ if (desc->rerr == 0 && status != -EPIPE)
+ desc->rerr = status;
+
++ if (length == 0) {
++ dev_dbg(&desc->intf->dev, "received ZLP\n");
++ goto skip_zlp;
++ }
++
+ if (length + desc->length > desc->wMaxCommand) {
+ /* The buffer would overflow */
+ set_bit(WDM_OVERFLOW, &desc->flags);
+@@ -222,18 +226,18 @@ static void wdm_in_callback(struct urb *urb)
+ if (!test_bit(WDM_OVERFLOW, &desc->flags)) {
+ memmove(desc->ubuf + desc->length, desc->inbuf, length);
+ desc->length += length;
+- desc->reslength = length;
+ }
+ }
+ skip_error:
+
+ if (desc->rerr) {
+ /*
+- * Since there was an error, userspace may decide to not read
+- * any data after poll'ing.
++ * If there was a ZLP or an error, userspace may decide to not
++ * read any data after poll'ing.
+ * We should respond to further attempts from the device to send
+ * data, so that we can get unstuck.
+ */
++skip_zlp:
+ schedule_work(&desc->service_outs_intr);
+ } else {
+ set_bit(WDM_READ, &desc->flags);
+@@ -585,15 +589,6 @@ static ssize_t wdm_read
+ goto retry;
+ }
+
+- if (!desc->reslength) { /* zero length read */
+- dev_dbg(&desc->intf->dev, "zero length - clearing WDM_READ\n");
+- clear_bit(WDM_READ, &desc->flags);
+- rv = service_outstanding_interrupt(desc);
+- spin_unlock_irq(&desc->iuspin);
+- if (rv < 0)
+- goto err;
+- goto retry;
+- }
+ cntr = desc->length;
+ spin_unlock_irq(&desc->iuspin);
+ }
+@@ -1016,7 +1011,7 @@ static void service_interrupt_work(struct work_struct *work)
+
+ spin_lock_irq(&desc->iuspin);
+ service_outstanding_interrupt(desc);
+- if (!desc->resp_count) {
++ if (!desc->resp_count && (desc->length || desc->rerr)) {
+ set_bit(WDM_READ, &desc->flags);
+ wake_up(&desc->wait);
+ }
+--
+2.39.5
+
--- /dev/null
+From 7c21a071d7791e6807f746438825d5fc6bb5569b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Apr 2025 16:33:26 +0800
+Subject: usb: common: usb-conn-gpio: use a unique name for usb connector
+ device
+
+From: Chance Yang <chance.yang@kneron.us>
+
+[ Upstream commit d4e5b10c55627e2f3fc9e5b337a28b4e2f02a55e ]
+
+The current implementation of the usb-conn-gpio driver uses a fixed
+"usb-charger" name for all USB connector devices. This causes conflicts
+in the power supply subsystem when multiple USB connectors are present,
+as duplicate names are not allowed.
+
+Use IDA to manage unique IDs for naming usb connectors (e.g.,
+usb-charger-0, usb-charger-1).
+
+Signed-off-by: Chance Yang <chance.yang@kneron.us>
+Link: https://lore.kernel.org/r/20250411-work-next-v3-1-7cd9aa80190c@kneron.us
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/common/usb-conn-gpio.c | 25 ++++++++++++++++++++++---
+ 1 file changed, 22 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/usb/common/usb-conn-gpio.c b/drivers/usb/common/usb-conn-gpio.c
+index 1e36be2a28fd5..421c3af38e069 100644
+--- a/drivers/usb/common/usb-conn-gpio.c
++++ b/drivers/usb/common/usb-conn-gpio.c
+@@ -21,6 +21,9 @@
+ #include <linux/regulator/consumer.h>
+ #include <linux/string_choices.h>
+ #include <linux/usb/role.h>
++#include <linux/idr.h>
++
++static DEFINE_IDA(usb_conn_ida);
+
+ #define USB_GPIO_DEB_MS 20 /* ms */
+ #define USB_GPIO_DEB_US ((USB_GPIO_DEB_MS) * 1000) /* us */
+@@ -30,6 +33,7 @@
+
+ struct usb_conn_info {
+ struct device *dev;
++ int conn_id; /* store the IDA-allocated ID */
+ struct usb_role_switch *role_sw;
+ enum usb_role last_role;
+ struct regulator *vbus;
+@@ -161,7 +165,17 @@ static int usb_conn_psy_register(struct usb_conn_info *info)
+ .fwnode = dev_fwnode(dev),
+ };
+
+- desc->name = "usb-charger";
++ info->conn_id = ida_alloc(&usb_conn_ida, GFP_KERNEL);
++ if (info->conn_id < 0)
++ return info->conn_id;
++
++ desc->name = devm_kasprintf(dev, GFP_KERNEL, "usb-charger-%d",
++ info->conn_id);
++ if (!desc->name) {
++ ida_free(&usb_conn_ida, info->conn_id);
++ return -ENOMEM;
++ }
++
+ desc->properties = usb_charger_properties;
+ desc->num_properties = ARRAY_SIZE(usb_charger_properties);
+ desc->get_property = usb_charger_get_property;
+@@ -169,8 +183,10 @@ static int usb_conn_psy_register(struct usb_conn_info *info)
+ cfg.drv_data = info;
+
+ info->charger = devm_power_supply_register(dev, desc, &cfg);
+- if (IS_ERR(info->charger))
+- dev_err(dev, "Unable to register charger\n");
++ if (IS_ERR(info->charger)) {
++ dev_err(dev, "Unable to register charger %d\n", info->conn_id);
++ ida_free(&usb_conn_ida, info->conn_id);
++ }
+
+ return PTR_ERR_OR_ZERO(info->charger);
+ }
+@@ -278,6 +294,9 @@ static void usb_conn_remove(struct platform_device *pdev)
+
+ cancel_delayed_work_sync(&info->dw_det);
+
++ if (info->charger)
++ ida_free(&usb_conn_ida, info->conn_id);
++
+ if (info->last_role == USB_ROLE_HOST && info->vbus)
+ regulator_disable(info->vbus);
+
+--
+2.39.5
+
--- /dev/null
+From 8377ba08200e23981b5cbc77c2b9a5f7e80b0c63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Apr 2025 19:40:17 +0200
+Subject: usb: dwc2: also exit clock_gating when stopping udc while suspended
+
+From: Michael Grzeschik <m.grzeschik@pengutronix.de>
+
+[ Upstream commit af076a41f8a28faf9ceb9dd2d88aef2c202ef39a ]
+
+It is possible that the gadget will be disabled, while the udc is
+suspended. When enabling the udc in that case, the clock gating
+will not be enabled again. Leaving the phy unclocked. Even when the
+udc is not enabled, connecting this powered but not clocked phy leads
+to enumeration errors on the host side.
+
+To ensure that the clock gating will be in an valid state, we ensure
+that the clock gating will be enabled before stopping the udc.
+
+Signed-off-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
+Acked-by: Minas Harutyunyan <hminas@synopsys.com>
+Link: https://lore.kernel.org/r/20250417-dwc2_clock_gating-v1-1-8ea7c4d53d73@pengutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc2/gadget.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/usb/dwc2/gadget.c b/drivers/usb/dwc2/gadget.c
+index 300ea4969f0cf..f323fb5597b32 100644
+--- a/drivers/usb/dwc2/gadget.c
++++ b/drivers/usb/dwc2/gadget.c
+@@ -4604,6 +4604,12 @@ static int dwc2_hsotg_udc_stop(struct usb_gadget *gadget)
+ if (!hsotg)
+ return -ENODEV;
+
++ /* Exit clock gating when driver is stopped. */
++ if (hsotg->params.power_down == DWC2_POWER_DOWN_PARAM_NONE &&
++ hsotg->bus_suspended && !hsotg->params.no_clock_gating) {
++ dwc2_gadget_exit_clock_gating(hsotg, 0);
++ }
++
+ /* all endpoints should be shutdown */
+ for (ep = 1; ep < hsotg->num_of_eps; ep++) {
+ if (hsotg->eps_in[ep])
+--
+2.39.5
+
--- /dev/null
+From c62f3425adbe036bdf520cb54eb97aa404a3762f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Mar 2025 16:22:07 +0100
+Subject: usb: gadget: f_hid: wake up readers on disable/unbind
+
+From: Peter Korsgaard <peter@korsgaard.com>
+
+[ Upstream commit 937a8a3a8d46a3377b4195cd8f2aa656666ebc8b ]
+
+Similar to how it is done in the write path.
+
+Add a disabled flag to track the function state and use it to exit the read
+loops to ensure no readers get stuck when the function is disabled/unbound,
+protecting against corruption when the waitq and spinlocks are reinitialized
+in hidg_bind().
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+Link: https://lore.kernel.org/r/20250318152207.330997-1-peter@korsgaard.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_hid.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/gadget/function/f_hid.c b/drivers/usb/gadget/function/f_hid.c
+index c7a05f842745b..d8bd2d82e9ec6 100644
+--- a/drivers/usb/gadget/function/f_hid.c
++++ b/drivers/usb/gadget/function/f_hid.c
+@@ -75,6 +75,7 @@ struct f_hidg {
+ /* recv report */
+ spinlock_t read_spinlock;
+ wait_queue_head_t read_queue;
++ bool disabled;
+ /* recv report - interrupt out only (use_out_ep == 1) */
+ struct list_head completed_out_req;
+ unsigned int qlen;
+@@ -329,7 +330,7 @@ static ssize_t f_hidg_intout_read(struct file *file, char __user *buffer,
+
+ spin_lock_irqsave(&hidg->read_spinlock, flags);
+
+-#define READ_COND_INTOUT (!list_empty(&hidg->completed_out_req))
++#define READ_COND_INTOUT (!list_empty(&hidg->completed_out_req) || hidg->disabled)
+
+ /* wait for at least one buffer to complete */
+ while (!READ_COND_INTOUT) {
+@@ -343,6 +344,11 @@ static ssize_t f_hidg_intout_read(struct file *file, char __user *buffer,
+ spin_lock_irqsave(&hidg->read_spinlock, flags);
+ }
+
++ if (hidg->disabled) {
++ spin_unlock_irqrestore(&hidg->read_spinlock, flags);
++ return -ESHUTDOWN;
++ }
++
+ /* pick the first one */
+ list = list_first_entry(&hidg->completed_out_req,
+ struct f_hidg_req_list, list);
+@@ -387,7 +393,7 @@ static ssize_t f_hidg_intout_read(struct file *file, char __user *buffer,
+ return count;
+ }
+
+-#define READ_COND_SSREPORT (hidg->set_report_buf != NULL)
++#define READ_COND_SSREPORT (hidg->set_report_buf != NULL || hidg->disabled)
+
+ static ssize_t f_hidg_ssreport_read(struct file *file, char __user *buffer,
+ size_t count, loff_t *ptr)
+@@ -1012,6 +1018,11 @@ static void hidg_disable(struct usb_function *f)
+ }
+ spin_unlock_irqrestore(&hidg->get_report_spinlock, flags);
+
++ spin_lock_irqsave(&hidg->read_spinlock, flags);
++ hidg->disabled = true;
++ spin_unlock_irqrestore(&hidg->read_spinlock, flags);
++ wake_up(&hidg->read_queue);
++
+ spin_lock_irqsave(&hidg->write_spinlock, flags);
+ if (!hidg->write_pending) {
+ free_ep_req(hidg->in_ep, hidg->req);
+@@ -1097,6 +1108,10 @@ static int hidg_set_alt(struct usb_function *f, unsigned intf, unsigned alt)
+ }
+ }
+
++ spin_lock_irqsave(&hidg->read_spinlock, flags);
++ hidg->disabled = false;
++ spin_unlock_irqrestore(&hidg->read_spinlock, flags);
++
+ if (hidg->in_ep != NULL) {
+ spin_lock_irqsave(&hidg->write_spinlock, flags);
+ hidg->req = req_in;
+--
+2.39.5
+
--- /dev/null
+From 293ebf0879e12188f3887b9226ee91e5b388ce19 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Apr 2025 14:58:57 +0800
+Subject: usb: potential integer overflow in usbg_make_tpg()
+
+From: Chen Yufeng <chenyufeng@iie.ac.cn>
+
+[ Upstream commit 153874010354d050f62f8ae25cbb960c17633dc5 ]
+
+The variable tpgt in usbg_make_tpg() is defined as unsigned long and is
+assigned to tpgt->tport_tpgt, which is defined as u16. This may cause an
+integer overflow when tpgt is greater than USHRT_MAX (65535). I
+haven't tried to trigger it myself, but it is possible to trigger it
+by calling usbg_make_tpg() with a large value for tpgt.
+
+I modified the type of tpgt to match tpgt->tport_tpgt and adjusted the
+relevant code accordingly.
+
+This patch is similar to commit 59c816c1f24d ("vhost/scsi: potential
+memory corruption").
+
+Signed-off-by: Chen Yufeng <chenyufeng@iie.ac.cn>
+Link: https://lore.kernel.org/r/20250415065857.1619-1-chenyufeng@iie.ac.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_tcm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/gadget/function/f_tcm.c b/drivers/usb/gadget/function/f_tcm.c
+index 5a2e1237f85c3..6e8804f04baa7 100644
+--- a/drivers/usb/gadget/function/f_tcm.c
++++ b/drivers/usb/gadget/function/f_tcm.c
+@@ -1641,14 +1641,14 @@ static struct se_portal_group *usbg_make_tpg(struct se_wwn *wwn,
+ struct usbg_tport *tport = container_of(wwn, struct usbg_tport,
+ tport_wwn);
+ struct usbg_tpg *tpg;
+- unsigned long tpgt;
++ u16 tpgt;
+ int ret;
+ struct f_tcm_opts *opts;
+ unsigned i;
+
+ if (strstr(name, "tpgt_") != name)
+ return ERR_PTR(-EINVAL);
+- if (kstrtoul(name + 5, 0, &tpgt) || tpgt > UINT_MAX)
++ if (kstrtou16(name + 5, 0, &tpgt))
+ return ERR_PTR(-EINVAL);
+ ret = -ENODEV;
+ mutex_lock(&tpg_instances_lock);
+--
+2.39.5
+
--- /dev/null
+From 215953657ac0650d7515d183f29843f477b612ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 9 Feb 2025 15:19:26 +0800
+Subject: usb: typec: displayport: Receive DP Status Update NAK request exit dp
+ altmode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jos Wang <joswang@lenovo.com>
+
+[ Upstream commit b4b38ffb38c91afd4dc387608db26f6fc34ed40b ]
+
+Although some Type-C DRD devices that do not support the DP Sink
+function (such as Huawei Mate 40Pro), the Source Port initiates
+Enter Mode CMD, but the device responds to Enter Mode ACK, the
+Source port then initiates DP Status Update CMD, and the device
+responds to DP Status Update NAK.
+
+As PD2.0 spec ("6.4.4.3.4 Enter Mode Command"),A DR_Swap Message
+Shall Not be sent during Modal Operation between the Port Partners.
+At this time, the source port initiates DR_Swap message through the
+"echo device > /sys/class/typec/port0/data_role" command to switch
+the data role from host to device. The device will initiate a Hard
+Reset for recovery, resulting in the failure of data role swap.
+
+Therefore, when DP Status Update NAK is received, Exit Mode CMD is
+initiated to exit the currently entered DP altmode.
+
+Signed-off-by: Jos Wang <joswang@lenovo.com>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20250209071926.69625-1-joswang1221@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/typec/altmodes/displayport.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/usb/typec/altmodes/displayport.c b/drivers/usb/typec/altmodes/displayport.c
+index ac84a6d64c2fb..b09b58d7311de 100644
+--- a/drivers/usb/typec/altmodes/displayport.c
++++ b/drivers/usb/typec/altmodes/displayport.c
+@@ -393,6 +393,10 @@ static int dp_altmode_vdm(struct typec_altmode *alt,
+ break;
+ case CMDT_RSP_NAK:
+ switch (cmd) {
++ case DP_CMD_STATUS_UPDATE:
++ if (typec_altmode_exit(alt))
++ dev_err(&dp->alt->dev, "Exit Mode Failed!\n");
++ break;
+ case DP_CMD_CONFIGURE:
+ dp->data.conf = 0;
+ ret = dp_altmode_configured(dp);
+--
+2.39.5
+
--- /dev/null
+From 40ac93bae9a05db360ae5057b355fd5a9d1971d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Apr 2025 00:21:01 +0200
+Subject: usb: typec: mux: do not return on EOPNOTSUPP in {mux, switch}_set
+
+From: Michael Grzeschik <m.grzeschik@pengutronix.de>
+
+[ Upstream commit 0f7bbef1794dc87141897f804e5871a293aa174b ]
+
+Since the typec connectors can have many muxes or switches for different
+lanes (sbu, usb2, usb3) going into different modal states (usb2, usb3,
+audio, debug) all of them will be called on typec_switch_set and
+typec_mux_set. But not all of them will be handling the expected mode.
+
+If one of the mux or switch will come back with EOPTNOSUPP this is no
+reason to stop running through the next ones. Therefor we skip this
+particular error value and continue calling the next.
+
+Signed-off-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20250404-ml-topic-typec-mux-v1-1-22c0526381ba@pengutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/typec/mux.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/typec/mux.c b/drivers/usb/typec/mux.c
+index 49926d6e72c71..182c902c42f61 100644
+--- a/drivers/usb/typec/mux.c
++++ b/drivers/usb/typec/mux.c
+@@ -214,7 +214,7 @@ int typec_switch_set(struct typec_switch *sw,
+ sw_dev = sw->sw_devs[i];
+
+ ret = sw_dev->set(sw_dev, orientation);
+- if (ret)
++ if (ret && ret != -EOPNOTSUPP)
+ return ret;
+ }
+
+@@ -378,7 +378,7 @@ int typec_mux_set(struct typec_mux *mux, struct typec_mux_state *state)
+ mux_dev = mux->mux_devs[i];
+
+ ret = mux_dev->set(mux_dev, state);
+- if (ret)
++ if (ret && ret != -EOPNOTSUPP)
+ return ret;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 14bcca59cf99aa8e40b0200c902048a4e225639e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Apr 2025 22:40:50 +0200
+Subject: usb: typec: tcpci: Fix wakeup source leaks on device unbind
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 9fc5986fbcd7e1e63afb04be94cd4e8a536a4b04 ]
+
+Device can be unbound, so driver must also release memory for the wakeup
+source.
+
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20250406204051.63446-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/typec/tcpm/tcpci_maxim_core.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/typec/tcpm/tcpci_maxim_core.c b/drivers/usb/typec/tcpm/tcpci_maxim_core.c
+index 648311f5e3cf1..b5a5ed40faea9 100644
+--- a/drivers/usb/typec/tcpm/tcpci_maxim_core.c
++++ b/drivers/usb/typec/tcpm/tcpci_maxim_core.c
+@@ -537,7 +537,10 @@ static int max_tcpci_probe(struct i2c_client *client)
+ return dev_err_probe(&client->dev, ret,
+ "IRQ initialization failed\n");
+
+- device_init_wakeup(chip->dev, true);
++ ret = devm_device_init_wakeup(chip->dev);
++ if (ret)
++ return dev_err_probe(chip->dev, ret, "Failed to init wakeup\n");
++
+ return 0;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 5a72cbd3001a54a1bb8e83ec7f99b08780cc36f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Apr 2025 22:40:51 +0200
+Subject: usb: typec: tipd: Fix wakeup source leaks on device unbind
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit aaa8f2e959341fd4a3ccf111500eb1e6176678e0 ]
+
+Device can be unbound, so driver must also release memory for the wakeup
+source.
+
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20250406204051.63446-2-krzysztof.kozlowski@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/typec/tipd/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/typec/tipd/core.c b/drivers/usb/typec/tipd/core.c
+index 7ee721a877c12..dcf141ada0781 100644
+--- a/drivers/usb/typec/tipd/core.c
++++ b/drivers/usb/typec/tipd/core.c
+@@ -1431,7 +1431,7 @@ static int tps6598x_probe(struct i2c_client *client)
+
+ tps->wakeup = device_property_read_bool(tps->dev, "wakeup-source");
+ if (tps->wakeup && client->irq) {
+- device_init_wakeup(&client->dev, true);
++ devm_device_init_wakeup(&client->dev);
+ enable_irq_wake(client->irq);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From eea2f7a996b2cad992f7a2d7866850633991c9d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Jun 2025 06:13:21 +0300
+Subject: wifi: iwlwifi: mld: Move regulatory domain initialization
+
+From: Ilan Peer <ilan.peer@intel.com>
+
+[ Upstream commit f81aa834bfa91c827f290b62a245e23c5ad2813c ]
+
+The regulatory domain information was initialized every time the
+FW was loaded and the device was restarted. This was unnecessary
+and useless as at this stage the wiphy channels information was
+not setup yet so while the regulatory domain was set to the wiphy,
+the channel information was not updated.
+
+In case that a specific MCC was configured during FW initialization
+then following updates with this MCC are ignored, and thus the
+wiphy channels information is left with information not matching
+the regulatory domain.
+
+This commit moves the regulatory domain initialization to after the
+operational firmware is started, i.e., after the wiphy channels were
+configured and the regulatory information is needed.
+
+Signed-off-by: Ilan Peer <ilan.peer@intel.com>
+Reviewed-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20250604061200.f138a7382093.I2fd8b3e99be13c2687da483e2cb1311ffb4fbfce@changeid
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mld/fw.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mld/fw.c b/drivers/net/wireless/intel/iwlwifi/mld/fw.c
+index 4b083d447ee2f..6be9366bd4b14 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mld/fw.c
++++ b/drivers/net/wireless/intel/iwlwifi/mld/fw.c
+@@ -339,10 +339,6 @@ int iwl_mld_load_fw(struct iwl_mld *mld)
+ if (ret)
+ goto err;
+
+- ret = iwl_mld_init_mcc(mld);
+- if (ret)
+- goto err;
+-
+ mld->fw_status.running = true;
+
+ return 0;
+@@ -535,6 +531,10 @@ int iwl_mld_start_fw(struct iwl_mld *mld)
+ if (ret)
+ goto error;
+
++ ret = iwl_mld_init_mcc(mld);
++ if (ret)
++ goto error;
++
+ return 0;
+
+ error:
+--
+2.39.5
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
