6.1-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 12 Aug 2025 16:37:49 +0000 (18:37 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 12 Aug 2025 16:37:49 +0000 (18:37 +0200)
added patches:
alsa-intel_hdmi-fix-off-by-one-error-in-__hdmi_lpe_audio_probe.patch
alsa-scarlett2-add-retry-on-eproto-from-scarlett2_usb_tx.patch
kvm-vmx-allow-guest-to-set-debugctl.rtm_debug-if-rtm-is-supported.patch
mips-mm-tlb-r4k-uniquify-tlb-entries-on-init.patch
mm-hmm-move-pmd_to_hmm_pfn_flags-to-the-respective-ifdeffery.patch
usb-gadget-fix-use-after-free-in-composite_dev_cleanup.patch
x86-fpu-delay-instruction-pointer-fixup-until-after-warning.patch
x86-sev-evict-cache-lines-during-snp-memory-validation.patch

queue-6.1/alsa-intel_hdmi-fix-off-by-one-error-in-__hdmi_lpe_audio_probe.patch [new file with mode: 0644]
queue-6.1/alsa-scarlett2-add-retry-on-eproto-from-scarlett2_usb_tx.patch [new file with mode: 0644]
queue-6.1/bluetooth-btusb-add-usb-id-3625-010b-for-tp-link-archer-tx10ub-nano.patch [deleted file]
queue-6.1/kvm-vmx-allow-guest-to-set-debugctl.rtm_debug-if-rtm-is-supported.patch [new file with mode: 0644]
queue-6.1/mips-mm-tlb-r4k-uniquify-tlb-entries-on-init.patch [new file with mode: 0644]
queue-6.1/mm-hmm-move-pmd_to_hmm_pfn_flags-to-the-respective-ifdeffery.patch [new file with mode: 0644]
queue-6.1/series
queue-6.1/usb-gadget-fix-use-after-free-in-composite_dev_cleanup.patch [new file with mode: 0644]
queue-6.1/x86-fpu-delay-instruction-pointer-fixup-until-after-warning.patch [new file with mode: 0644]
queue-6.1/x86-sev-evict-cache-lines-during-snp-memory-validation.patch [new file with mode: 0644]

diff --git a/queue-6.1/alsa-intel_hdmi-fix-off-by-one-error-in-__hdmi_lpe_audio_probe.patch b/queue-6.1/alsa-intel_hdmi-fix-off-by-one-error-in-__hdmi_lpe_audio_probe.patch
new file mode 100644 (file)
index 0000000..c0d6b70
--- /dev/null
@@ -0,0 +1,38 @@
+From 8cbe564974248ee980562be02f2b1912769562c7 Mon Sep 17 00:00:00 2001
+From: Thorsten Blum <thorsten.blum@linux.dev>
+Date: Wed, 6 Aug 2025 01:41:53 +0200
+Subject: ALSA: intel_hdmi: Fix off-by-one error in __hdmi_lpe_audio_probe()
+
+From: Thorsten Blum <thorsten.blum@linux.dev>
+
+commit 8cbe564974248ee980562be02f2b1912769562c7 upstream.
+
+In __hdmi_lpe_audio_probe(), strscpy() is incorrectly called with the
+length of the source string (excluding the NUL terminator) rather than
+the size of the destination buffer. This results in one character less
+being copied from 'card->shortname' to 'pcm->name'.
+
+Use the destination buffer size instead to ensure the card name is
+copied correctly.
+
+Cc: stable@vger.kernel.org
+Fixes: 75b1a8f9d62e ("ALSA: Convert strlcpy to strscpy when return value is unused")
+Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
+Link: https://patch.msgid.link/20250805234156.60294-1-thorsten.blum@linux.dev
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/x86/intel_hdmi_audio.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/x86/intel_hdmi_audio.c
++++ b/sound/x86/intel_hdmi_audio.c
+@@ -1766,7 +1766,7 @@ static int __hdmi_lpe_audio_probe(struct
+               /* setup private data which can be retrieved when required */
+               pcm->private_data = ctx;
+               pcm->info_flags = 0;
+-              strscpy(pcm->name, card->shortname, strlen(card->shortname));
++              strscpy(pcm->name, card->shortname, sizeof(pcm->name));
+               /* setup the ops for playback */
+               snd_pcm_set_ops(pcm, SNDRV_PCM_STREAM_PLAYBACK, &had_pcm_ops);
diff --git a/queue-6.1/alsa-scarlett2-add-retry-on-eproto-from-scarlett2_usb_tx.patch b/queue-6.1/alsa-scarlett2-add-retry-on-eproto-from-scarlett2_usb_tx.patch
new file mode 100644 (file)
index 0000000..79db6d2
--- /dev/null
@@ -0,0 +1,59 @@
+From 8a15ca0ca51399b652b1bbb23b590b220cf03d62 Mon Sep 17 00:00:00 2001
+From: "Geoffrey D. Bennett" <g@b4.vu>
+Date: Mon, 28 Jul 2025 19:00:35 +0930
+Subject: ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx()
+
+From: Geoffrey D. Bennett <g@b4.vu>
+
+commit 8a15ca0ca51399b652b1bbb23b590b220cf03d62 upstream.
+
+During communication with Focusrite Scarlett Gen 2/3/4 USB audio
+interfaces, -EPROTO is sometimes returned from scarlett2_usb_tx(),
+snd_usb_ctl_msg() which can cause initialisation and control
+operations to fail intermittently.
+
+This patch adds up to 5 retries in scarlett2_usb(), with a delay
+starting at 5ms and doubling each time. This follows the same approach
+as the fix for usb_set_interface() in endpoint.c (commit f406005e162b
+("ALSA: usb-audio: Add retry on -EPROTO from usb_set_interface()")),
+which resolved similar -EPROTO issues during device initialisation,
+and is the same approach as in fcp.c:fcp_usb().
+
+Fixes: 9e4d5c1be21f ("ALSA: usb-audio: Scarlett Gen 2 mixer interface")
+Closes: https://github.com/geoffreybennett/linux-fcp/issues/41
+Cc: stable@vger.kernel.org
+Signed-off-by: Geoffrey D. Bennett <g@b4.vu>
+Link: https://patch.msgid.link/aIdDO6ld50WQwNim@m.b4.vu
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/mixer_scarlett2.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/sound/usb/mixer_scarlett2.c
++++ b/sound/usb/mixer_scarlett2.c
+@@ -1279,6 +1279,8 @@ static int scarlett2_usb(
+       struct scarlett2_usb_packet *req, *resp = NULL;
+       size_t req_buf_size = struct_size(req, data, req_size);
+       size_t resp_buf_size = struct_size(resp, data, resp_size);
++      int retries = 0;
++      const int max_retries = 5;
+       int err;
+       req = kmalloc(req_buf_size, GFP_KERNEL);
+@@ -1302,10 +1304,15 @@ static int scarlett2_usb(
+       if (req_size)
+               memcpy(req->data, req_data, req_size);
++retry:
+       err = scarlett2_usb_tx(dev, private->bInterfaceNumber,
+                              req, req_buf_size);
+       if (err != req_buf_size) {
++              if (err == -EPROTO && ++retries <= max_retries) {
++                      msleep(5 * (1 << (retries - 1)));
++                      goto retry;
++              }
+               usb_audio_err(
+                       mixer->chip,
+                       "%s USB request result cmd %x was %d\n",
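Review bot: The retry block added after `scarlett2_usb_tx()` has no comment stating how long it can sleep, and the bound only follows from working out `5 * (1 << (retries - 1))` against `max_retries`. A comment above `retry:` would record it, for example `/* -EPROTO is treated as transient: up to max_retries resends, sleeping 5, 10, 20, 40, 80 ms (155 ms worst case) */`. The body of scarlett2_usb() starts and ends outside the hunks, so whether a lock is held across the `msleep()` cannot be seen here and is worth confirming. A retry that eventually succeeds also leaves no trace, because `usb_audio_err()` is reached only after the last attempt, so a marginal device or cable stays invisible in the log.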
diff --git a/queue-6.1/bluetooth-btusb-add-usb-id-3625-010b-for-tp-link-archer-tx10ub-nano.patch b/queue-6.1/bluetooth-btusb-add-usb-id-3625-010b-for-tp-link-archer-tx10ub-nano.patch
deleted file mode 100644 (file)
index 0dac162..0000000
+++ /dev/null
@@ -1,79 +0,0 @@
-From d9da920233ec85af8b9c87154f2721a7dc4623f5 Mon Sep 17 00:00:00 2001
-From: Zenm Chen <zenmchen@gmail.com>
-Date: Wed, 21 May 2025 09:30:20 +0800
-Subject: Bluetooth: btusb: Add USB ID 3625:010b for TP-LINK Archer TX10UB Nano
-
-From: Zenm Chen <zenmchen@gmail.com>
-
-commit d9da920233ec85af8b9c87154f2721a7dc4623f5 upstream.
-
-Add USB ID 3625:010b for TP-LINK Archer TX10UB Nano which is based on
-a Realtek RTL8851BU chip.
-
-The information in /sys/kernel/debug/usb/devices about the Bluetooth
-device is listed as the below:
-
-T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 9 Spd=480 MxCh= 0
-D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
-P: Vendor=3625 ProdID=010b Rev= 0.00
-S: Manufacturer=Realtek
-S: Product=802.11ax WLAN Adapter
-S: SerialNumber=00e04c000001
-C:* #Ifs= 3 Cfg#= 1 Atr=e0 MxPwr=500mA
-A: FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=01
-I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
-E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
-E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
-E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
-I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
-E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
-E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
-I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
-E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
-E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
-I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
-E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
-E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
-I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
-E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
-E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
-I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
-E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
-E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
-I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
-E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
-E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
-I: If#= 1 Alt= 6 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
-E: Ad=03(O) Atr=01(Isoc) MxPS= 63 Ivl=1ms
-E: Ad=83(I) Atr=01(Isoc) MxPS= 63 Ivl=1ms
-I:* If#= 2 Alt= 0 #EPs= 8 Cls=ff(vend.) Sub=ff Prot=ff Driver=rtl8851bu
-E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
-E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
-E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
-E: Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
-E: Ad=09(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
-E: Ad=0a(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
-E: Ad=0b(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
-E: Ad=0c(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Zenm Chen <zenmchen@gmail.com>
-Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/bluetooth/btusb.c |    4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/drivers/bluetooth/btusb.c
-+++ b/drivers/bluetooth/btusb.c
-@@ -502,6 +502,10 @@ static const struct usb_device_id blackl
-       { USB_DEVICE(0x0bda, 0xc822), .driver_info = BTUSB_REALTEK |
-                                                    BTUSB_WIDEBAND_SPEECH },
-+      /* Realtek 8851BU Bluetooth devices */
-+      { USB_DEVICE(0x3625, 0x010b), .driver_info = BTUSB_REALTEK |
-+                                                   BTUSB_WIDEBAND_SPEECH },
-+
-       /* Realtek 8852AE Bluetooth devices */
-       { USB_DEVICE(0x0bda, 0x2852), .driver_info = BTUSB_REALTEK |
-                                                    BTUSB_WIDEBAND_SPEECH },
diff --git a/queue-6.1/kvm-vmx-allow-guest-to-set-debugctl.rtm_debug-if-rtm-is-supported.patch b/queue-6.1/kvm-vmx-allow-guest-to-set-debugctl.rtm_debug-if-rtm-is-supported.patch
new file mode 100644 (file)
index 0000000..d72c9f0
--- /dev/null
@@ -0,0 +1,55 @@
+From 17ec2f965344ee3fd6620bef7ef68792f4ac3af0 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Tue, 10 Jun 2025 16:20:06 -0700
+Subject: KVM: VMX: Allow guest to set DEBUGCTL.RTM_DEBUG if RTM is supported
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit 17ec2f965344ee3fd6620bef7ef68792f4ac3af0 upstream.
+
+Let the guest set DEBUGCTL.RTM_DEBUG if RTM is supported according to the
+guest CPUID model, as debug support is supposed to be available if RTM is
+supported, and there are no known downsides to letting the guest debug RTM
+aborts.
+
+Note, there are no known bug reports related to RTM_DEBUG, the primary
+motivation is to reduce the probability of breaking existing guests when a
+future change adds a missing consistency check on vmcs12.GUEST_DEBUGCTL
+(KVM currently lets L2 run with whatever hardware supports; whoops).
+
+Note #2, KVM already emulates DR6.RTM, and doesn't restrict access to
+DR7.RTM.
+
+Fixes: 83c529151ab0 ("KVM: x86: expose Intel cpu new features (HLE, RTM) to guest")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250610232010.162191-5-seanjc@google.com
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/msr-index.h |    1 +
+ arch/x86/kvm/vmx/vmx.c           |    4 ++++
+ 2 files changed, 5 insertions(+)
+
+--- a/arch/x86/include/asm/msr-index.h
++++ b/arch/x86/include/asm/msr-index.h
+@@ -379,6 +379,7 @@
+ #define DEBUGCTLMSR_FREEZE_PERFMON_ON_PMI     (1UL << 12)
+ #define DEBUGCTLMSR_FREEZE_IN_SMM_BIT 14
+ #define DEBUGCTLMSR_FREEZE_IN_SMM     (1UL << DEBUGCTLMSR_FREEZE_IN_SMM_BIT)
++#define DEBUGCTLMSR_RTM_DEBUG         BIT(15)
+ #define MSR_PEBS_FRONTEND             0x000003f7
+--- a/arch/x86/kvm/vmx/vmx.c
++++ b/arch/x86/kvm/vmx/vmx.c
+@@ -2068,6 +2068,10 @@ static u64 vmx_get_supported_debugctl(st
+           (host_initiated || intel_pmu_lbr_is_enabled(vcpu)))
+               debugctl |= DEBUGCTLMSR_LBR | DEBUGCTLMSR_FREEZE_LBRS_ON_PMI;
++      if (boot_cpu_has(X86_FEATURE_RTM) &&
++          (host_initiated || guest_cpu_cap_has(vcpu, X86_FEATURE_RTM)))
++              debugctl |= DEBUGCTLMSR_RTM_DEBUG;
++
+       return debugctl;
+ }
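Review bot: The added condition in vmx_get_supported_debugctl() calls `guest_cpu_cap_has(vcpu, X86_FEATURE_RTM)`, and as far as I know that helper was introduced upstream well after 6.1, where the guest-CPUID query is spelled `guest_cpuid_has()`. If the 6.1 tree has no earlier backport providing it, this queue entry will not build, and the line would need to read `(host_initiated || guest_cpuid_has(vcpu, X86_FEATURE_RTM)))`. This should be confirmed with a build of arch/x86/kvm against the 6.1 base before release. The start of the function is outside the hunk.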
diff --git a/queue-6.1/mips-mm-tlb-r4k-uniquify-tlb-entries-on-init.patch b/queue-6.1/mips-mm-tlb-r4k-uniquify-tlb-entries-on-init.patch
new file mode 100644 (file)
index 0000000..b1e42e6
--- /dev/null
@@ -0,0 +1,98 @@
+From 35ad7e181541aa5757f9f316768d3e64403ec843 Mon Sep 17 00:00:00 2001
+From: Jiaxun Yang <jiaxun.yang@flygoat.com>
+Date: Sat, 7 Jun 2025 13:43:56 +0100
+Subject: MIPS: mm: tlb-r4k: Uniquify TLB entries on init
+
+From: Jiaxun Yang <jiaxun.yang@flygoat.com>
+
+commit 35ad7e181541aa5757f9f316768d3e64403ec843 upstream.
+
+Hardware or bootloader will initialize TLB entries to any value, which
+may collide with kernel's UNIQUE_ENTRYHI value. On MIPS microAptiv/M5150
+family of cores this will trigger machine check exception and cause boot
+failure. On M5150 simulation this could happen 7 times out of 1000 boots.
+
+Replace local_flush_tlb_all() with r4k_tlb_uniquify() which probes each
+TLB ENTRIHI unique value for collisions before it's written, and in case
+of collision try a different ASID.
+
+Cc: stable@kernel.org
+Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/mm/tlb-r4k.c |   56 ++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 55 insertions(+), 1 deletion(-)
+
+--- a/arch/mips/mm/tlb-r4k.c
++++ b/arch/mips/mm/tlb-r4k.c
+@@ -498,6 +498,60 @@ static int __init set_ntlb(char *str)
+ __setup("ntlb=", set_ntlb);
++/* Initialise all TLB entries with unique values */
++static void r4k_tlb_uniquify(void)
++{
++      int entry = num_wired_entries();
++
++      htw_stop();
++      write_c0_entrylo0(0);
++      write_c0_entrylo1(0);
++
++      while (entry < current_cpu_data.tlbsize) {
++              unsigned long asid_mask = cpu_asid_mask(&current_cpu_data);
++              unsigned long asid = 0;
++              int idx;
++
++              /* Skip wired MMID to make ginvt_mmid work */
++              if (cpu_has_mmid)
++                      asid = MMID_KERNEL_WIRED + 1;
++
++              /* Check for match before using UNIQUE_ENTRYHI */
++              do {
++                      if (cpu_has_mmid) {
++                              write_c0_memorymapid(asid);
++                              write_c0_entryhi(UNIQUE_ENTRYHI(entry));
++                      } else {
++                              write_c0_entryhi(UNIQUE_ENTRYHI(entry) | asid);
++                      }
++                      mtc0_tlbw_hazard();
++                      tlb_probe();
++                      tlb_probe_hazard();
++                      idx = read_c0_index();
++                      /* No match or match is on current entry */
++                      if (idx < 0 || idx == entry)
++                              break;
++                      /*
++                       * If we hit a match, we need to try again with
++                       * a different ASID.
++                       */
++                      asid++;
++              } while (asid < asid_mask);
++
++              if (idx >= 0 && idx != entry)
++                      panic("Unable to uniquify TLB entry %d", idx);
++
++              write_c0_index(entry);
++              mtc0_tlbw_hazard();
++              tlb_write_indexed();
++              entry++;
++      }
++
++      tlbw_use_hazard();
++      htw_start();
++      flush_micro_tlb();
++}
++
+ /*
+  * Configure TLB (for init or after a CPU has been powered off).
+  */
+@@ -537,7 +591,7 @@ static void r4k_tlb_configure(void)
+       temp_tlb_entry = current_cpu_data.tlbsize - 1;
+       /* From this point on the ARC firmware is dead.  */
+-      local_flush_tlb_all();
++      r4k_tlb_uniquify();
+       /* Did I tell you that ARC SUCKS?  */
+ }
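Review bot: The panic in r4k_tlb_uniquify() prints `idx`, which at that point is the index of the entry that collided, while the message text reads as if it names the entry being initialised (`entry`). Reporting both removes the ambiguity for anyone reading a boot failure log: `panic("Unable to uniquify TLB entry %d (collides with index %d)", entry, idx);`. The one-line comment above the function could also say that it panics when every ASID below `asid_mask` collides.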
diff --git a/queue-6.1/mm-hmm-move-pmd_to_hmm_pfn_flags-to-the-respective-ifdeffery.patch b/queue-6.1/mm-hmm-move-pmd_to_hmm_pfn_flags-to-the-respective-ifdeffery.patch
new file mode 100644 (file)
index 0000000..03fba9d
--- /dev/null
@@ -0,0 +1,56 @@
+From 188cb385bbf04d486df3e52f28c47b3961f5f0c0 Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Thu, 10 Jul 2025 11:23:53 +0300
+Subject: mm/hmm: move pmd_to_hmm_pfn_flags() to the respective #ifdeffery
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+commit 188cb385bbf04d486df3e52f28c47b3961f5f0c0 upstream.
+
+When pmd_to_hmm_pfn_flags() is unused, it prevents kernel builds with
+clang, `make W=1` and CONFIG_TRANSPARENT_HUGEPAGE=n:
+
+  mm/hmm.c:186:29: warning: unused function 'pmd_to_hmm_pfn_flags' [-Wunused-function]
+
+Fix this by moving the function to the respective existing ifdeffery
+for its the only user.
+
+See also:
+
+  6863f5643dd7 ("kbuild: allow Clang to find unused static inline functions for W=1 build")
+
+Link: https://lkml.kernel.org/r/20250710082403.664093-1-andriy.shevchenko@linux.intel.com
+Fixes: 992de9a8b751 ("mm/hmm: allow to mirror vma of a file on a DAX backed filesystem")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Reviewed-by: Alistair Popple <apopple@nvidia.com>
+Cc: Andriy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Bill Wendling <morbo@google.com>
+Cc: Jerome Glisse <jglisse@redhat.com>
+Cc: Justin Stitt <justinstitt@google.com>
+Cc: Nathan Chancellor <nathan@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/hmm.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/hmm.c
++++ b/mm/hmm.c
+@@ -173,6 +173,7 @@ static inline unsigned long hmm_pfn_flag
+       return order << HMM_PFN_ORDER_SHIFT;
+ }
++#ifdef CONFIG_TRANSPARENT_HUGEPAGE
+ static inline unsigned long pmd_to_hmm_pfn_flags(struct hmm_range *range,
+                                                pmd_t pmd)
+ {
+@@ -183,7 +184,6 @@ static inline unsigned long pmd_to_hmm_p
+              hmm_pfn_flags_order(PMD_SHIFT - PAGE_SHIFT);
+ }
+-#ifdef CONFIG_TRANSPARENT_HUGEPAGE
+ static int hmm_vma_handle_pmd(struct mm_walk *walk, unsigned long addr,
+                             unsigned long end, unsigned long hmm_pfns[],
+                             pmd_t pmd)
index 70deb19686af92b710c45bd6c8ab6ebe618b4e44..eea4737a5773a4cf2f2219d09fcb7331a53e0e1b 100644 (file)
@@ -242,6 +242,13 @@ ksmbd-fix-corrupted-mtime-and-ctime-in-smb2_open.patch
 ksmbd-limit-repeated-connections-from-clients-with-the-same-ip.patch
 smb-server-fix-extension-string-in-ksmbd_extract_shortname.patch
 usb-serial-option-add-foxconn-t99w709.patch
-bluetooth-btusb-add-usb-id-3625-010b-for-tp-link-archer-tx10ub-nano.patch
 net-usbnet-avoid-potential-rcu-stall-on-link_change-event.patch
 net-usbnet-fix-the-wrong-netif_carrier_on-call.patch
+x86-sev-evict-cache-lines-during-snp-memory-validation.patch
+alsa-intel_hdmi-fix-off-by-one-error-in-__hdmi_lpe_audio_probe.patch
+alsa-scarlett2-add-retry-on-eproto-from-scarlett2_usb_tx.patch
+x86-fpu-delay-instruction-pointer-fixup-until-after-warning.patch
+kvm-vmx-allow-guest-to-set-debugctl.rtm_debug-if-rtm-is-supported.patch
+mips-mm-tlb-r4k-uniquify-tlb-entries-on-init.patch
+mm-hmm-move-pmd_to_hmm_pfn_flags-to-the-respective-ifdeffery.patch
+usb-gadget-fix-use-after-free-in-composite_dev_cleanup.patch
diff --git a/queue-6.1/usb-gadget-fix-use-after-free-in-composite_dev_cleanup.patch b/queue-6.1/usb-gadget-fix-use-after-free-in-composite_dev_cleanup.patch
new file mode 100644 (file)
index 0000000..4d02986
--- /dev/null
@@ -0,0 +1,51 @@
+From 151c0aa896c47a4459e07fee7d4843f44c1bb18e Mon Sep 17 00:00:00 2001
+From: Tao Xue <xuetao09@huawei.com>
+Date: Mon, 21 Jul 2025 17:39:08 +0800
+Subject: usb: gadget : fix use-after-free in composite_dev_cleanup()
+
+From: Tao Xue <xuetao09@huawei.com>
+
+commit 151c0aa896c47a4459e07fee7d4843f44c1bb18e upstream.
+
+1. In func configfs_composite_bind() -> composite_os_desc_req_prepare():
+if kmalloc fails, the pointer cdev->os_desc_req will be freed but not
+set to NULL. Then it will return a failure to the upper-level function.
+2. in func configfs_composite_bind() -> composite_dev_cleanup():
+it will checks whether cdev->os_desc_req is NULL. If it is not NULL, it
+will attempt to use it.This will lead to a use-after-free issue.
+
+BUG: KASAN: use-after-free in composite_dev_cleanup+0xf4/0x2c0
+Read of size 8 at addr 0000004827837a00 by task init/1
+
+CPU: 10 PID: 1 Comm: init Tainted: G           O      5.10.97-oh #1
+ kasan_report+0x188/0x1cc
+ __asan_load8+0xb4/0xbc
+ composite_dev_cleanup+0xf4/0x2c0
+ configfs_composite_bind+0x210/0x7ac
+ udc_bind_to_driver+0xb4/0x1ec
+ usb_gadget_probe_driver+0xec/0x21c
+ gadget_dev_desc_UDC_store+0x264/0x27c
+
+Fixes: 37a3a533429e ("usb: gadget: OS Feature Descriptors support")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Tao Xue <xuetao09@huawei.com>
+Link: https://lore.kernel.org/r/20250721093908.14967-1-xuetao09@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/composite.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -2366,6 +2366,11 @@ int composite_os_desc_req_prepare(struct
+       if (!cdev->os_desc_req->buf) {
+               ret = -ENOMEM;
+               usb_ep_free_request(ep0, cdev->os_desc_req);
++              /*
++               * Set os_desc_req to NULL so that composite_dev_cleanup()
++               * will not try to free it again.
++               */
++              cdev->os_desc_req = NULL;
+               goto end;
+       }
+       cdev->os_desc_req->context = cdev;
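Review bot: The comment added in composite_os_desc_req_prepare() describes only a second free, but the KASAN report in the commit message is a read in composite_dev_cleanup(), so the stale pointer is dereferenced as well as freed. Wording that matches the report would be `/* Clear the stale pointer so composite_dev_cleanup() neither dereferences nor frees the already released request. */`. The function starts and ends outside the hunk, so any other error path that releases `cdev->os_desc_req` cannot be checked from here.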
diff --git a/queue-6.1/x86-fpu-delay-instruction-pointer-fixup-until-after-warning.patch b/queue-6.1/x86-fpu-delay-instruction-pointer-fixup-until-after-warning.patch
new file mode 100644 (file)
index 0000000..7e6843e
--- /dev/null
@@ -0,0 +1,57 @@
+From 1cec9ac2d071cfd2da562241aab0ef701355762a Mon Sep 17 00:00:00 2001
+From: Dave Hansen <dave.hansen@linux.intel.com>
+Date: Tue, 24 Jun 2025 14:01:48 -0700
+Subject: x86/fpu: Delay instruction pointer fixup until after warning
+
+From: Dave Hansen <dave.hansen@linux.intel.com>
+
+commit 1cec9ac2d071cfd2da562241aab0ef701355762a upstream.
+
+Right now, if XRSTOR fails a console message like this is be printed:
+
+       Bad FPU state detected at restore_fpregs_from_fpstate+0x9a/0x170, reinitializing FPU registers.
+
+However, the text location (...+0x9a in this case) is the instruction
+*AFTER* the XRSTOR. The highlighted instruction in the "Code:" dump
+also points one instruction late.
+
+The reason is that the "fixup" moves RIP up to pass the bad XRSTOR and
+keep on running after returning from the #GP handler. But it does this
+fixup before warning.
+
+The resulting warning output is nonsensical because it looks like the
+non-FPU-related instruction is #GP'ing.
+
+Do not fix up RIP until after printing the warning. Do this by using
+the more generic and standard ex_handler_default().
+
+Fixes: d5c8028b4788 ("x86/fpu: Reinitialize FPU registers if restoring FPU state fails")
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Reviewed-by: Chao Gao <chao.gao@intel.com>
+Acked-by: Alison Schofield <alison.schofield@intel.com>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc:stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20250624210148.97126F9E%40davehans-spike.ostc.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/mm/extable.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/mm/extable.c
++++ b/arch/x86/mm/extable.c
+@@ -121,13 +121,12 @@ static bool ex_handler_sgx(const struct
+ static bool ex_handler_fprestore(const struct exception_table_entry *fixup,
+                                struct pt_regs *regs)
+ {
+-      regs->ip = ex_fixup_addr(fixup);
+-
+       WARN_ONCE(1, "Bad FPU state detected at %pB, reinitializing FPU registers.",
+                 (void *)instruction_pointer(regs));
+       fpu_reset_from_exception_fixup();
+-      return true;
++
++      return ex_handler_default(fixup, regs);
+ }
+ static bool ex_handler_uaccess(const struct exception_table_entry *fixup,
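Review bot: Nothing in ex_handler_fprestore() records that the RIP fixup must now come after `WARN_ONCE()`, so a later cleanup could move it back and the warning would again point one instruction late. A comment above the return would pin the ordering: `/* Fix up RIP last so that %pB above reports the faulting XRSTOR. */`. ex_handler_default() is defined outside this hunk, so it is worth confirming against the 6.1 tree that it does nothing beyond the `regs->ip` update for these fixup entries.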
diff --git a/queue-6.1/x86-sev-evict-cache-lines-during-snp-memory-validation.patch b/queue-6.1/x86-sev-evict-cache-lines-during-snp-memory-validation.patch
new file mode 100644 (file)
index 0000000..f6d5a38
--- /dev/null
@@ -0,0 +1,149 @@
+From ab3038454906d633499df4e0da2d44a9493f3a88 Mon Sep 17 00:00:00 2001
+From: Tom Lendacky <thomas.lendacky@amd.com>
+Date: Wed, 30 Jul 2025 09:57:45 -0500
+Subject: x86/sev: Evict cache lines during SNP memory validation
+
+From: Tom Lendacky <thomas.lendacky@amd.com>
+
+Commit 7b306dfa326f70114312b320d083b21fa9481e1e upstream.
+
+An SNP cache coherency vulnerability requires a cache line eviction
+mitigation when validating memory after a page state change to private.
+The specific mitigation is to touch the first and last byte of each 4K
+page that is being validated. There is no need to perform the mitigation
+when performing a page state change to shared and rescinding validation.
+
+CPUID bit Fn8000001F_EBX[31] defines the COHERENCY_SFW_NO CPUID bit that,
+when set, indicates that the software mitigation for this vulnerability is
+not needed.
+
+Implement the mitigation and invoke it when validating memory (making it
+private) and the COHERENCY_SFW_NO bit is not set, indicating the SNP guest
+is vulnerable.
+
+Co-developed-by: Michael Roth <michael.roth@amd.com>
+Signed-off-by: Michael Roth <michael.roth@amd.com>
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Acked-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/boot/compressed/sev.c     |    7 +++++++
+ arch/x86/boot/cpuflags.c           |   13 +++++++++++++
+ arch/x86/include/asm/cpufeatures.h |    1 +
+ arch/x86/kernel/cpu/scattered.c    |    1 +
+ arch/x86/kernel/sev-shared.c       |   18 ++++++++++++++++++
+ arch/x86/kernel/sev.c              |   11 ++++++++++-
+ 6 files changed, 50 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/boot/compressed/sev.c
++++ b/arch/x86/boot/compressed/sev.c
+@@ -164,6 +164,13 @@ static void __page_state_change(unsigned
+        */
+       if (op == SNP_PAGE_STATE_PRIVATE && pvalidate(paddr, RMP_PG_SIZE_4K, 1))
+               sev_es_terminate(SEV_TERM_SET_LINUX, GHCB_TERM_PVALIDATE);
++
++      /*
++       * If validating memory (making it private) and affected by the
++       * cache-coherency vulnerability, perform the cache eviction mitigation.
++       */
++      if (op == SNP_PAGE_STATE_PRIVATE && !has_cpuflag(X86_FEATURE_COHERENCY_SFW_NO))
++              sev_evict_cache((void *)paddr, 1);
+ }
+ void snp_set_page_private(unsigned long paddr)
+--- a/arch/x86/boot/cpuflags.c
++++ b/arch/x86/boot/cpuflags.c
+@@ -124,5 +124,18 @@ void get_cpuflags(void)
+                       cpuid(0x80000001, &ignored, &ignored, &cpu.flags[6],
+                             &cpu.flags[1]);
+               }
++
++              if (max_amd_level >= 0x8000001f) {
++                      u32 ebx;
++
++                      /*
++                       * The X86_FEATURE_COHERENCY_SFW_NO feature bit is in
++                       * the virtualization flags entry (word 8) and set by
++                       * scattered.c, so the bit needs to be explicitly set.
++                       */
++                      cpuid(0x8000001f, &ignored, &ebx, &ignored, &ignored);
++                      if (ebx & BIT(31))
++                              set_bit(X86_FEATURE_COHERENCY_SFW_NO, cpu.flags);
++              }
+       }
+ }
+--- a/arch/x86/include/asm/cpufeatures.h
++++ b/arch/x86/include/asm/cpufeatures.h
+@@ -230,6 +230,7 @@
+ #define X86_FEATURE_FLEXPRIORITY      ( 8*32+ 2) /* Intel FlexPriority */
+ #define X86_FEATURE_EPT                       ( 8*32+ 3) /* Intel Extended Page Table */
+ #define X86_FEATURE_VPID              ( 8*32+ 4) /* Intel Virtual Processor ID */
++#define X86_FEATURE_COHERENCY_SFW_NO  ( 8*32+ 5) /* "" SNP cache coherency software work around not needed */
+ #define X86_FEATURE_VMMCALL           ( 8*32+15) /* Prefer VMMCALL to VMCALL */
+ #define X86_FEATURE_XENPV             ( 8*32+16) /* "" Xen paravirtual guest */
+--- a/arch/x86/kernel/cpu/scattered.c
++++ b/arch/x86/kernel/cpu/scattered.c
+@@ -45,6 +45,7 @@ static const struct cpuid_bit cpuid_bits
+       { X86_FEATURE_CPB,              CPUID_EDX,  9, 0x80000007, 0 },
+       { X86_FEATURE_PROC_FEEDBACK,    CPUID_EDX, 11, 0x80000007, 0 },
+       { X86_FEATURE_MBA,              CPUID_EBX,  6, 0x80000008, 0 },
++      { X86_FEATURE_COHERENCY_SFW_NO, CPUID_EBX, 31, 0x8000001f, 0 },
+       { X86_FEATURE_TSA_SQ_NO,        CPUID_ECX,  1, 0x80000021, 0 },
+       { X86_FEATURE_TSA_L1_NO,        CPUID_ECX,  2, 0x80000021, 0 },
+       { X86_FEATURE_PERFMON_V2,       CPUID_EAX,  0, 0x80000022, 0 },
+--- a/arch/x86/kernel/sev-shared.c
++++ b/arch/x86/kernel/sev-shared.c
+@@ -1064,3 +1064,21 @@ static void __head setup_cpuid_table(con
+                       RIP_REL_REF(cpuid_ext_range_max) = fn->eax;
+       }
+ }
++
++static inline void sev_evict_cache(void *va, int npages)
++{
++      volatile u8 val __always_unused;
++      u8 *bytes = va;
++      int page_idx;
++
++      /*
++       * For SEV guests, a read from the first/last cache-lines of a 4K page
++       * using the guest key is sufficient to cause a flush of all cache-lines
++       * associated with that 4K page without incurring all the overhead of a
++       * full CLFLUSH sequence.
++       */
++      for (page_idx = 0; page_idx < npages; page_idx++) {
++              val = bytes[page_idx * PAGE_SIZE];
++              val = bytes[page_idx * PAGE_SIZE + PAGE_SIZE - 1];
++      }
++}
+--- a/arch/x86/kernel/sev.c
++++ b/arch/x86/kernel/sev.c
+@@ -676,10 +676,12 @@ static u64 __init get_jump_table_addr(vo
+ static void pvalidate_pages(unsigned long vaddr, unsigned long npages, bool validate)
+ {
+-      unsigned long vaddr_end;
++      unsigned long vaddr_begin, vaddr_end;
+       int rc;
+       vaddr = vaddr & PAGE_MASK;
++
++      vaddr_begin = vaddr;
+       vaddr_end = vaddr + (npages << PAGE_SHIFT);
+       while (vaddr < vaddr_end) {
+@@ -689,6 +691,13 @@ static void pvalidate_pages(unsigned lon
+               vaddr = vaddr + PAGE_SIZE;
+       }
++
++      /*
++       * If validating memory (making it private) and affected by the
++       * cache-coherency vulnerability, perform the cache eviction mitigation.
++       */
++      if (validate && !cpu_feature_enabled(X86_FEATURE_COHERENCY_SFW_NO))
++              sev_evict_cache((void *)vaddr_begin, npages);
+ }
+ static void __head early_set_pages_state(unsigned long paddr, unsigned long npages, enum psc_op op)
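Review bot: sev_evict_cache() takes `int npages`, while pvalidate_pages() passes its `unsigned long npages`, so a sufficiently large range would be narrowed and the mitigation would silently touch fewer pages than were validated. That is unlikely in practice, but for a security mitigation the page count and loop index are better kept at the caller's width: `static inline void sev_evict_cache(void *va, unsigned long npages)` with `unsigned long page_idx;`. In the decompressor hunk, `sev_evict_cache((void *)paddr, 1)` uses a physical address as a pointer, which presumably relies on the identity mapping there. A short comment at that call would make the assumption explicit.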