--- /dev/null
+From eed0e3d305530066b4fc5370107cff8ef1a0d229 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@kernel.org>
+Date: Sat, 9 Aug 2025 10:19:39 -0700
+Subject: KEYS: trusted_tpm1: Compare HMAC values in constant time
+
+From: Eric Biggers <ebiggers@kernel.org>
+
+commit eed0e3d305530066b4fc5370107cff8ef1a0d229 upstream.
+
+To prevent timing attacks, HMAC value comparison needs to be constant
+time. Replace the memcmp() with the correct function, crypto_memneq().
+
+[For the Fixes commit I used the commit that introduced the memcmp().
+It predates the introduction of crypto_memneq(), but it was still a bug
+at the time even though a helper function didn't exist yet.]
+
+Fixes: d00a1c72f7f4 ("keys: add new trusted key-type")
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers <ebiggers@kernel.org>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/keys/trusted-keys/trusted_tpm1.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/security/keys/trusted-keys/trusted_tpm1.c
++++ b/security/keys/trusted-keys/trusted_tpm1.c
+@@ -7,6 +7,7 @@
+ */
+
+ #include <crypto/hash_info.h>
++#include <crypto/algapi.h>
+ #include <linux/init.h>
+ #include <linux/slab.h>
+ #include <linux/parser.h>
+@@ -241,7 +242,7 @@ int TSS_checkhmac1(unsigned char *buffer
+ if (ret < 0)
+ goto out;
+
+- if (memcmp(testhmac, authdata, SHA1_DIGEST_SIZE))
++ if (crypto_memneq(testhmac, authdata, SHA1_DIGEST_SIZE))
+ ret = -EINVAL;
+ out:
+ kfree_sensitive(sdesc);
+@@ -334,7 +335,7 @@ static int TSS_checkhmac2(unsigned char
+ TPM_NONCE_SIZE, ononce, 1, continueflag1, 0, 0);
+ if (ret < 0)
+ goto out;
+- if (memcmp(testhmac1, authdata1, SHA1_DIGEST_SIZE)) {
++ if (crypto_memneq(testhmac1, authdata1, SHA1_DIGEST_SIZE)) {
+ ret = -EINVAL;
+ goto out;
+ }
+@@ -343,7 +344,7 @@ static int TSS_checkhmac2(unsigned char
+ TPM_NONCE_SIZE, ononce, 1, continueflag2, 0, 0);
+ if (ret < 0)
+ goto out;
+- if (memcmp(testhmac2, authdata2, SHA1_DIGEST_SIZE))
++ if (crypto_memneq(testhmac2, authdata2, SHA1_DIGEST_SIZE))
+ ret = -EINVAL;
+ out:
+ kfree_sensitive(sdesc);
--- /dev/null
+From 1260cbcffa608219fc9188a6cbe9c45a300ef8b5 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 24 Sep 2025 10:02:07 +0200
+Subject: lib/genalloc: fix device leak in of_gen_pool_get()
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 1260cbcffa608219fc9188a6cbe9c45a300ef8b5 upstream.
+
+Make sure to drop the reference taken when looking up the genpool platform
+device in of_gen_pool_get() before returning the pool.
+
+Note that holding a reference to a device does typically not prevent its
+devres managed resources from being released so there is no point in
+keeping the reference.
+
+Link: https://lkml.kernel.org/r/20250924080207.18006-1-johan@kernel.org
+Fixes: 9375db07adea ("genalloc: add devres support, allow to find a managed pool by device")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Cc: Philipp Zabel <p.zabel@pengutronix.de>
+Cc: Vladimir Zapolskiy <vz@mleia.com>
+Cc: <stable@vger.kernel.org> [3.10+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/genalloc.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/lib/genalloc.c
++++ b/lib/genalloc.c
+@@ -899,8 +899,11 @@ struct gen_pool *of_gen_pool_get(struct
+ if (!name)
+ name = np_pool->name;
+ }
+- if (pdev)
++ if (pdev) {
+ pool = gen_pool_get(&pdev->dev, name);
++ put_device(&pdev->dev);
++ }
++
+ of_node_put(np_pool);
+
+ return pool;
--- /dev/null
+From 6744085079e785dae5f7a2239456135407c58b25 Mon Sep 17 00:00:00 2001
+From: Zhen Ni <zhen.ni@easystack.cn>
+Date: Wed, 6 Aug 2025 10:55:38 +0800
+Subject: memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe
+
+From: Zhen Ni <zhen.ni@easystack.cn>
+
+commit 6744085079e785dae5f7a2239456135407c58b25 upstream.
+
+The of_platform_populate() call at the end of the function has a
+possible failure path, causing a resource leak.
+
+Replace of_iomap() with devm_platform_ioremap_resource() to ensure
+automatic cleanup of srom->reg_base.
+
+This issue was detected by smatch static analysis:
+drivers/memory/samsung/exynos-srom.c:155 exynos_srom_probe()warn:
+'srom->reg_base' from of_iomap() not released on lines: 155.
+
+Fixes: 8ac2266d8831 ("memory: samsung: exynos-srom: Add support for bank configuration")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zhen Ni <zhen.ni@easystack.cn>
+Link: https://lore.kernel.org/r/20250806025538.306593-1-zhen.ni@easystack.cn
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/memory/samsung/exynos-srom.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/drivers/memory/samsung/exynos-srom.c
++++ b/drivers/memory/samsung/exynos-srom.c
+@@ -121,20 +121,18 @@ static int exynos_srom_probe(struct plat
+ return -ENOMEM;
+
+ srom->dev = dev;
+- srom->reg_base = of_iomap(np, 0);
+- if (!srom->reg_base) {
++ srom->reg_base = devm_platform_ioremap_resource(pdev, 0);
++ if (IS_ERR(srom->reg_base)) {
+ dev_err(&pdev->dev, "iomap of exynos srom controller failed\n");
+- return -ENOMEM;
++ return PTR_ERR(srom->reg_base);
+ }
+
+ platform_set_drvdata(pdev, srom);
+
+ srom->reg_offset = exynos_srom_alloc_reg_dump(exynos_srom_offsets,
+ ARRAY_SIZE(exynos_srom_offsets));
+- if (!srom->reg_offset) {
+- iounmap(srom->reg_base);
++ if (!srom->reg_offset)
+ return -ENOMEM;
+- }
+
+ for_each_child_of_node(np, child) {
+ if (exynos_srom_configure_bank(srom, child)) {
--- /dev/null
+From fec40f44afdabcbc4a7748e4278f30737b54bb1a Mon Sep 17 00:00:00 2001
+From: Rex Chen <rex.chen_1@nxp.com>
+Date: Mon, 28 Jul 2025 17:22:29 +0900
+Subject: mmc: core: SPI mode remove cmd7
+
+From: Rex Chen <rex.chen_1@nxp.com>
+
+commit fec40f44afdabcbc4a7748e4278f30737b54bb1a upstream.
+
+SPI mode doesn't support cmd7, so remove it in mmc_sdio_alive() and
+confirm if sdio is active by checking CCCR register value is available
+or not.
+
+Signed-off-by: Rex Chen <rex.chen_1@nxp.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250728082230.1037917-2-rex.chen_1@nxp.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/sdio.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/core/sdio.c
++++ b/drivers/mmc/core/sdio.c
+@@ -945,7 +945,11 @@ static void mmc_sdio_remove(struct mmc_h
+ */
+ static int mmc_sdio_alive(struct mmc_host *host)
+ {
+- return mmc_select_card(host->card);
++ if (!mmc_host_is_spi(host))
++ return mmc_select_card(host->card);
++ else
++ return mmc_io_rw_direct(host->card, 0, 0, SDIO_CCCR_CCCR, 0,
++ NULL);
+ }
+
+ /*
--- /dev/null
+From b8df622cf7f6808c85764e681847150ed6d85f3d Mon Sep 17 00:00:00 2001
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Tue, 16 Sep 2025 18:07:37 +0200
+Subject: mtd: rawnand: fsmc: Default to autodetect buswidth
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+commit b8df622cf7f6808c85764e681847150ed6d85f3d upstream.
+
+If you don't specify buswidth 2 (16 bits) in the device
+tree, FSMC doesn't even probe anymore:
+
+fsmc-nand 10100000.flash: FSMC device partno 090,
+ manufacturer 80, revision 00, config 00
+nand: device found, Manufacturer ID: 0x20, Chip ID: 0xb1
+nand: ST Micro 10100000.flash
+nand: bus width 8 instead of 16 bits
+nand: No NAND device found
+fsmc-nand 10100000.flash: probe with driver fsmc-nand failed
+ with error -22
+
+With this patch to use autodetection unless buswidth is
+specified, the device is properly detected again:
+
+fsmc-nand 10100000.flash: FSMC device partno 090,
+ manufacturer 80, revision 00, config 00
+nand: device found, Manufacturer ID: 0x20, Chip ID: 0xb1
+nand: ST Micro NAND 128MiB 1,8V 16-bit
+nand: 128 MiB, SLC, erase size: 128 KiB, page size: 2048, OOB size: 64
+fsmc-nand 10100000.flash: Using 1-bit HW ECC scheme
+Scanning device for bad blocks
+
+I don't know where or how this happened, I think some change
+in the nand core.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/raw/fsmc_nand.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/mtd/nand/raw/fsmc_nand.c
++++ b/drivers/mtd/nand/raw/fsmc_nand.c
+@@ -876,10 +876,14 @@ static int fsmc_nand_probe_config_dt(str
+ if (!of_property_read_u32(np, "bank-width", &val)) {
+ if (val == 2) {
+ nand->options |= NAND_BUSWIDTH_16;
+- } else if (val != 1) {
++ } else if (val == 1) {
++ nand->options |= NAND_BUSWIDTH_AUTO;
++ } else {
+ dev_err(&pdev->dev, "invalid bank-width %u\n", val);
+ return -EINVAL;
+ }
++ } else {
++ nand->options |= NAND_BUSWIDTH_AUTO;
+ }
+
+ if (of_get_property(np, "nand-skip-bbtscan", NULL))
--- /dev/null
+From eeaed48980a7aeb0d3d8b438185d4b5a66154ff9 Mon Sep 17 00:00:00 2001
+From: Georg Gottleuber <ggo@tuxedocomputers.com>
+Date: Tue, 1 Jul 2025 22:55:49 +0200
+Subject: nvme-pci: Add TUXEDO IBS Gen8 to Samsung sleep quirk
+
+From: Georg Gottleuber <ggo@tuxedocomputers.com>
+
+commit eeaed48980a7aeb0d3d8b438185d4b5a66154ff9 upstream.
+
+On the TUXEDO InfinityBook S Gen8, a Samsung 990 Evo NVMe leads to
+a high power consumption in s2idle sleep (3.5 watts).
+
+This patch applies 'Force No Simple Suspend' quirk to achieve a sleep with
+a lower power consumption, typically around 1 watts.
+
+Signed-off-by: Georg Gottleuber <ggo@tuxedocomputers.com>
+Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/pci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -3109,10 +3109,12 @@ static unsigned long check_vendor_combin
+ * Exclude Samsung 990 Evo from NVME_QUIRK_SIMPLE_SUSPEND
+ * because of high power consumption (> 2 Watt) in s2idle
+ * sleep. Only some boards with Intel CPU are affected.
++ * (Note for testing: Samsung 990 Evo Plus has same PCI ID)
+ */
+ if (dmi_match(DMI_BOARD_NAME, "DN50Z-140HC-YD") ||
+ dmi_match(DMI_BOARD_NAME, "GMxPXxx") ||
+ dmi_match(DMI_BOARD_NAME, "GXxMRXx") ||
++ dmi_match(DMI_BOARD_NAME, "NS5X_NS7XAU") ||
+ dmi_match(DMI_BOARD_NAME, "PH4PG31") ||
+ dmi_match(DMI_BOARD_NAME, "PH4PRX1_PH6PRX1") ||
+ dmi_match(DMI_BOARD_NAME, "PH6PG01_PH6PG71"))
--- /dev/null
+From 042a60680de43175eb4df0977ff04a4eba9da082 Mon Sep 17 00:00:00 2001
+From: Askar Safin <safinaskar@zohomail.com>
+Date: Mon, 25 Aug 2025 18:12:33 +0000
+Subject: openat2: don't trigger automounts with RESOLVE_NO_XDEV
+
+From: Askar Safin <safinaskar@zohomail.com>
+
+commit 042a60680de43175eb4df0977ff04a4eba9da082 upstream.
+
+openat2 had a bug: if we pass RESOLVE_NO_XDEV, then openat2
+doesn't traverse through automounts, but may still trigger them.
+(See the link for full bug report with reproducer.)
+
+This commit fixes this bug.
+
+Link: https://lore.kernel.org/linux-fsdevel/20250817075252.4137628-1-safinaskar@zohomail.com/
+Fixes: fddb5d430ad9fa91b49b1 ("open: introduce openat2(2) syscall")
+Reviewed-by: Aleksa Sarai <cyphar@cyphar.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Askar Safin <safinaskar@zohomail.com>
+Link: https://lore.kernel.org/20250825181233.2464822-5-safinaskar@zohomail.com
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/namei.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -1360,6 +1360,10 @@ static int follow_automount(struct path
+ dentry->d_inode)
+ return -EISDIR;
+
++ /* No need to trigger automounts if mountpoint crossing is disabled. */
++ if (lookup_flags & LOOKUP_NO_XDEV)
++ return -EXDEV;
++
+ if (count && (*count)++ >= MAXSYMLINKS)
+ return -ELOOP;
+
+@@ -1383,6 +1387,10 @@ static int __traverse_mounts(struct path
+ /* Allow the filesystem to manage the transit without i_mutex
+ * being held. */
+ if (flags & DCACHE_MANAGE_TRANSIT) {
++ if (lookup_flags & LOOKUP_NO_XDEV) {
++ ret = -EXDEV;
++ break;
++ }
+ ret = path->dentry->d_op->d_manage(path, false);
+ flags = smp_load_acquire(&path->dentry->d_flags);
+ if (ret < 0)
--- /dev/null
+From 8ec5a066f88f89bd52094ba18792b34c49dcd55a Mon Sep 17 00:00:00 2001
+From: Sam James <sam@gentoo.org>
+Date: Wed, 1 Oct 2025 23:58:40 +0100
+Subject: parisc: don't reference obsolete termio struct for TC* constants
+
+From: Sam James <sam@gentoo.org>
+
+commit 8ec5a066f88f89bd52094ba18792b34c49dcd55a upstream.
+
+Similar in nature to ab107276607af90b13a5994997e19b7b9731e251. glibc-2.42
+drops the legacy termio struct, but the ioctls.h header still defines some
+TC* constants in terms of termio (via sizeof). Hardcode the values instead.
+
+This fixes building Python for example, which falls over like:
+ ./Modules/termios.c:1119:16: error: invalid application of 'sizeof' to incomplete type 'struct termio'
+
+Link: https://bugs.gentoo.org/961769
+Link: https://bugs.gentoo.org/962600
+Co-authored-by: Stian Halseth <stian@itx.no>
+Cc: stable@vger.kernel.org
+Signed-off-by: Sam James <sam@gentoo.org>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/include/uapi/asm/ioctls.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/parisc/include/uapi/asm/ioctls.h
++++ b/arch/parisc/include/uapi/asm/ioctls.h
+@@ -10,10 +10,10 @@
+ #define TCSETS _IOW('T', 17, struct termios) /* TCSETATTR */
+ #define TCSETSW _IOW('T', 18, struct termios) /* TCSETATTRD */
+ #define TCSETSF _IOW('T', 19, struct termios) /* TCSETATTRF */
+-#define TCGETA _IOR('T', 1, struct termio)
+-#define TCSETA _IOW('T', 2, struct termio)
+-#define TCSETAW _IOW('T', 3, struct termio)
+-#define TCSETAF _IOW('T', 4, struct termio)
++#define TCGETA 0x40125401
++#define TCSETA 0x80125402
++#define TCSETAW 0x80125403
++#define TCSETAF 0x80125404
+ #define TCSBRK _IO('T', 5)
+ #define TCXONC _IO('T', 6)
+ #define TCFLSH _IO('T', 7)
--- /dev/null
+From 16794e524d310780163fdd49d0bf7fac30f8dbc8 Mon Sep 17 00:00:00 2001
+From: John David Anglin <dave.anglin@bell.net>
+Date: Tue, 5 Aug 2025 11:35:30 -0400
+Subject: parisc: Remove spurious if statement from raw_copy_from_user()
+
+From: John David Anglin <dave.anglin@bell.net>
+
+commit 16794e524d310780163fdd49d0bf7fac30f8dbc8 upstream.
+
+Accidently introduced in commit 91428ca9320e.
+
+Signed-off-by: John David Anglin <dave.anglin@bell.net>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Fixes: 91428ca9320e ("parisc: Check region is readable by user in raw_copy_from_user()")
+Cc: stable@vger.kernel.org # v5.12+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/lib/memcpy.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/arch/parisc/lib/memcpy.c
++++ b/arch/parisc/lib/memcpy.c
+@@ -41,7 +41,6 @@ unsigned long raw_copy_from_user(void *d
+ mtsp(get_kernel_space(), SR_TEMP2);
+
+ /* Check region is user accessible */
+- if (start)
+ while (start < end) {
+ if (!prober_user(SR_TEMP1, start)) {
+ newlen = (start - (unsigned long) src);
--- /dev/null
+From bbf7d0468d0da71d76cc6ec9bc8a224325d07b6b Mon Sep 17 00:00:00 2001
+From: Niklas Schnelle <schnelle@linux.ibm.com>
+Date: Thu, 7 Aug 2025 15:55:38 +0200
+Subject: PCI/AER: Fix missing uevent on recovery when a reset is requested
+
+From: Niklas Schnelle <schnelle@linux.ibm.com>
+
+commit bbf7d0468d0da71d76cc6ec9bc8a224325d07b6b upstream.
+
+Since commit 7b42d97e99d3 ("PCI/ERR: Always report current recovery
+status for udev") AER uses the result of error_detected() as parameter
+to pci_uevent_ers(). As pci_uevent_ers() however does not handle
+PCI_ERS_RESULT_NEED_RESET this results in a missing uevent for the
+beginning of recovery if drivers request a reset. Fix this by treating
+PCI_ERS_RESULT_NEED_RESET as beginning recovery.
+
+Fixes: 7b42d97e99d3 ("PCI/ERR: Always report current recovery status for udev")
+Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Lukas Wunner <lukas@wunner.de>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250807-add_err_uevents-v5-1-adf85b0620b0@linux.ibm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/pci-driver.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/pci/pci-driver.c
++++ b/drivers/pci/pci-driver.c
+@@ -1611,6 +1611,7 @@ void pci_uevent_ers(struct pci_dev *pdev
+ switch (err_type) {
+ case PCI_ERS_RESULT_NONE:
+ case PCI_ERS_RESULT_CAN_RECOVER:
++ case PCI_ERS_RESULT_NEED_RESET:
+ envp[idx++] = "ERROR_EVENT=BEGIN_RECOVERY";
+ envp[idx++] = "DEVICE_ONLINE=0";
+ break;
--- /dev/null
+From 6633875250b38b18b8638cf01e695de031c71f02 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Wed, 27 Aug 2025 15:41:09 +0200
+Subject: PCI/AER: Support errors introduced by PCIe r6.0
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit 6633875250b38b18b8638cf01e695de031c71f02 upstream.
+
+PCIe r6.0 defined five additional errors in the Uncorrectable Error
+Status, Mask and Severity Registers (PCIe r7.0 sec 7.8.4.2ff).
+
+lspci has been supporting them since commit 144b0911cc0b ("ls-ecaps:
+extend decode support for more fields for AER CE and UE status"):
+
+ https://git.kernel.org/pub/scm/utils/pciutils/pciutils.git/commit/?id=144b0911cc0b
+
+Amend the AER driver to recognize them as well, instead of logging them as
+"Unknown Error Bit".
+
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/21f1875b18d4078c99353378f37dcd6b994f6d4e.1756301211.git.lukas@wunner.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/pcie/aer.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/pci/pcie/aer.c
++++ b/drivers/pci/pcie/aer.c
+@@ -37,7 +37,7 @@
+ #define AER_ERROR_SOURCES_MAX 128
+
+ #define AER_MAX_TYPEOF_COR_ERRS 16 /* as per PCI_ERR_COR_STATUS */
+-#define AER_MAX_TYPEOF_UNCOR_ERRS 27 /* as per PCI_ERR_UNCOR_STATUS*/
++#define AER_MAX_TYPEOF_UNCOR_ERRS 32 /* as per PCI_ERR_UNCOR_STATUS*/
+
+ struct aer_err_source {
+ unsigned int status;
+@@ -518,11 +518,11 @@ static const char *aer_uncorrectable_err
+ "AtomicOpBlocked", /* Bit Position 24 */
+ "TLPBlockedErr", /* Bit Position 25 */
+ "PoisonTLPBlocked", /* Bit Position 26 */
+- NULL, /* Bit Position 27 */
+- NULL, /* Bit Position 28 */
+- NULL, /* Bit Position 29 */
+- NULL, /* Bit Position 30 */
+- NULL, /* Bit Position 31 */
++ "DMWrReqBlocked", /* Bit Position 27 */
++ "IDECheck", /* Bit Position 28 */
++ "MisIDETLP", /* Bit Position 29 */
++ "PCRC_CHECK", /* Bit Position 30 */
++ "TLPXlatBlocked", /* Bit Position 31 */
+ };
+
+ static const char *aer_agent_string[] = {
--- /dev/null
+From 1cbc5e25fb70e942a7a735a1f3d6dd391afc9b29 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Wed, 13 Aug 2025 07:11:02 +0200
+Subject: PCI/ERR: Fix uevent on failure to recover
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit 1cbc5e25fb70e942a7a735a1f3d6dd391afc9b29 upstream.
+
+Upon failure to recover from a PCIe error through AER, DPC or EDR, a
+uevent is sent to inform user space about disconnection of the bridge
+whose subordinate devices failed to recover.
+
+However the bridge itself is not disconnected. Instead, a uevent should
+be sent for each of the subordinate devices.
+
+Only if the "bridge" happens to be a Root Complex Event Collector or
+Integrated Endpoint does it make sense to send a uevent for it (because
+there are no subordinate devices).
+
+Right now if there is a mix of subordinate devices with and without
+pci_error_handlers, a BEGIN_RECOVERY event is sent for those with
+pci_error_handlers but no FAILED_RECOVERY event is ever sent for them
+afterwards. Fix it.
+
+Fixes: 856e1eb9bdd4 ("PCI/AER: Add uevents in AER and EEH error/resume")
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org # v4.16+
+Link: https://patch.msgid.link/68fc527a380821b5d861dd554d2ce42cb739591c.1755008151.git.lukas@wunner.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/pcie/err.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/pci/pcie/err.c
++++ b/drivers/pci/pcie/err.c
+@@ -108,6 +108,12 @@ static int report_normal_detected(struct
+ return report_error_detected(dev, pci_channel_io_normal, data);
+ }
+
++static int report_perm_failure_detected(struct pci_dev *dev, void *data)
++{
++ pci_uevent_ers(dev, PCI_ERS_RESULT_DISCONNECT);
++ return 0;
++}
++
+ static int report_mmio_enabled(struct pci_dev *dev, void *data)
+ {
+ struct pci_driver *pdrv;
+@@ -275,7 +281,7 @@ pci_ers_result_t pcie_do_recovery(struct
+ failed:
+ pci_walk_bridge(bridge, pci_pm_runtime_put, NULL);
+
+- pci_uevent_ers(bridge, PCI_ERS_RESULT_DISCONNECT);
++ pci_walk_bridge(bridge, report_perm_failure_detected, NULL);
+
+ /* TODO: Should kernel panic here? */
+ pci_info(bridge, "device recovery failed\n");
--- /dev/null
+From 05703271c3cdcc0f2a8cf6ebdc45892b8ca83520 Mon Sep 17 00:00:00 2001
+From: Niklas Schnelle <schnelle@linux.ibm.com>
+Date: Tue, 26 Aug 2025 10:52:08 +0200
+Subject: PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV
+
+From: Niklas Schnelle <schnelle@linux.ibm.com>
+
+commit 05703271c3cdcc0f2a8cf6ebdc45892b8ca83520 upstream.
+
+Before disabling SR-IOV via config space accesses to the parent PF,
+sriov_disable() first removes the PCI devices representing the VFs.
+
+Since commit 9d16947b7583 ("PCI: Add global pci_lock_rescan_remove()")
+such removal operations are serialized against concurrent remove and
+rescan using the pci_rescan_remove_lock. No such locking was ever added
+in sriov_disable() however. In particular when commit 18f9e9d150fc
+("PCI/IOV: Factor out sriov_add_vfs()") factored out the PCI device
+removal into sriov_del_vfs() there was still no locking around the
+pci_iov_remove_virtfn() calls.
+
+On s390 the lack of serialization in sriov_disable() may cause double
+remove and list corruption with the below (amended) trace being observed:
+
+ PSW: 0704c00180000000 0000000c914e4b38 (klist_put+56)
+ GPRS: 000003800313fb48 0000000000000000 0000000100000001 0000000000000001
+ 00000000f9b520a8 0000000000000000 0000000000002fbd 00000000f4cc9480
+ 0000000000000001 0000000000000000 0000000000000000 0000000180692828
+ 00000000818e8000 000003800313fe2c 000003800313fb20 000003800313fad8
+ #0 [3800313fb20] device_del at c9158ad5c
+ #1 [3800313fb88] pci_remove_bus_device at c915105ba
+ #2 [3800313fbd0] pci_iov_remove_virtfn at c9152f198
+ #3 [3800313fc28] zpci_iov_remove_virtfn at c90fb67c0
+ #4 [3800313fc60] zpci_bus_remove_device at c90fb6104
+ #5 [3800313fca0] __zpci_event_availability at c90fb3dca
+ #6 [3800313fd08] chsc_process_sei_nt0 at c918fe4a2
+ #7 [3800313fd60] crw_collect_info at c91905822
+ #8 [3800313fe10] kthread at c90feb390
+ #9 [3800313fe68] __ret_from_fork at c90f6aa64
+ #10 [3800313fe98] ret_from_fork at c9194f3f2.
+
+This is because in addition to sriov_disable() removing the VFs, the
+platform also generates hot-unplug events for the VFs. This being the
+reverse operation to the hotplug events generated by sriov_enable() and
+handled via pdev->no_vf_scan. And while the event processing takes
+pci_rescan_remove_lock and checks whether the struct pci_dev still exists,
+the lack of synchronization makes this checking racy.
+
+Other races may also be possible of course though given that this lack of
+locking persisted so long observable races seem very rare. Even on s390 the
+list corruption was only observed with certain devices since the platform
+events are only triggered by config accesses after the removal, so as long
+as the removal finished synchronously they would not race. Either way the
+locking is missing so fix this by adding it to the sriov_del_vfs() helper.
+
+Just like PCI rescan-remove, locking is also missing in sriov_add_vfs()
+including for the error case where pci_stop_and_remove_bus_device() is
+called without the PCI rescan-remove lock being held. Even in the non-error
+case, adding new PCI devices and buses should be serialized via the PCI
+rescan-remove lock. Add the necessary locking.
+
+Fixes: 18f9e9d150fc ("PCI/IOV: Factor out sriov_add_vfs()")
+Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
+Reviewed-by: Farhan Ali <alifm@linux.ibm.com>
+Reviewed-by: Julian Ruess <julianr@linux.ibm.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250826-pci_fix_sriov_disable-v1-1-2d0bc938f2a3@linux.ibm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/iov.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/pci/iov.c
++++ b/drivers/pci/iov.c
+@@ -582,15 +582,18 @@ static int sriov_add_vfs(struct pci_dev
+ if (dev->no_vf_scan)
+ return 0;
+
++ pci_lock_rescan_remove();
+ for (i = 0; i < num_vfs; i++) {
+ rc = pci_iov_add_virtfn(dev, i);
+ if (rc)
+ goto failed;
+ }
++ pci_unlock_rescan_remove();
+ return 0;
+ failed:
+ while (i--)
+ pci_iov_remove_virtfn(dev, i);
++ pci_unlock_rescan_remove();
+
+ return rc;
+ }
+@@ -710,8 +713,10 @@ static void sriov_del_vfs(struct pci_dev
+ struct pci_sriov *iov = dev->sriov;
+ int i;
+
++ pci_lock_rescan_remove();
+ for (i = 0; i < iov->num_VFs; i++)
+ pci_iov_remove_virtfn(dev, i);
++ pci_unlock_rescan_remove();
+ }
+
+ static void sriov_disable(struct pci_dev *dev)
--- /dev/null
+From e51d05f523e43ce5d2bad957943a2b14f68078cd Mon Sep 17 00:00:00 2001
+From: Siddharth Vadapalli <s-vadapalli@ti.com>
+Date: Fri, 12 Sep 2025 15:37:58 +0530
+Subject: PCI: keystone: Use devm_request_irq() to free "ks-pcie-error-irq" on exit
+
+From: Siddharth Vadapalli <s-vadapalli@ti.com>
+
+commit e51d05f523e43ce5d2bad957943a2b14f68078cd upstream.
+
+Commit under Fixes introduced the IRQ handler for "ks-pcie-error-irq".
+The interrupt is acquired using "request_irq()" but is never freed if
+the driver exits due to an error. Although the section in the driver that
+invokes "request_irq()" has moved around over time, the issue hasn't been
+addressed until now.
+
+Fix this by using "devm_request_irq()" which automatically frees the
+interrupt if the driver exits.
+
+Fixes: 025dd3daeda7 ("PCI: keystone: Add error IRQ handler")
+Reported-by: Jiri Slaby <jirislaby@kernel.org>
+Closes: https://lore.kernel.org/r/3d3a4b52-e343-42f3-9d69-94c259812143@kernel.org
+Signed-off-by: Siddharth Vadapalli <s-vadapalli@ti.com>
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250912100802.3136121-2-s-vadapalli@ti.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/controller/dwc/pci-keystone.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/pci/controller/dwc/pci-keystone.c
++++ b/drivers/pci/controller/dwc/pci-keystone.c
+@@ -1214,8 +1214,8 @@ static int ks_pcie_probe(struct platform
+ if (irq < 0)
+ return irq;
+
+- ret = request_irq(irq, ks_pcie_err_irq_handler, IRQF_SHARED,
+- "ks-pcie-error-irq", ks_pcie);
++ ret = devm_request_irq(dev, irq, ks_pcie_err_irq_handler, IRQF_SHARED,
++ "ks-pcie-error-irq", ks_pcie);
+ if (ret < 0) {
+ dev_err(dev, "failed to request error IRQ %d\n",
+ irq);
--- /dev/null
+From 5ed35b4d490d8735021cce9b715b62a418310864 Mon Sep 17 00:00:00 2001
+From: Marek Vasut <marek.vasut+renesas@mailbox.org>
+Date: Tue, 9 Sep 2025 18:26:25 +0200
+Subject: PCI: rcar-host: Convert struct rcar_msi mask_lock into raw spinlock
+
+From: Marek Vasut <marek.vasut+renesas@mailbox.org>
+
+commit 5ed35b4d490d8735021cce9b715b62a418310864 upstream.
+
+The rcar_msi_irq_unmask() function may be called from a PCI driver
+request_threaded_irq() function. This triggers kernel/irq/manage.c
+__setup_irq() which locks raw spinlock &desc->lock descriptor lock
+and with that descriptor lock held, calls rcar_msi_irq_unmask().
+
+Since the &desc->lock descriptor lock is a raw spinlock, and the rcar_msi
+.mask_lock is not a raw spinlock, this setup triggers 'BUG: Invalid wait
+context' with CONFIG_PROVE_RAW_LOCK_NESTING=y.
+
+Use scoped_guard() to simplify the locking.
+
+Fixes: 83ed8d4fa656 ("PCI: rcar: Convert to MSI domains")
+Reported-by: Duy Nguyen <duy.nguyen.rh@renesas.com>
+Reported-by: Thuan Nguyen <thuan.nguyen-hong@banvien.com.vn>
+Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Acked-by: Marc Zyngier <maz@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250909162707.13927-2-marek.vasut+renesas@mailbox.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/controller/pcie-rcar-host.c | 27 +++++++++++++--------------
+ 1 file changed, 13 insertions(+), 14 deletions(-)
+
+--- a/drivers/pci/controller/pcie-rcar-host.c
++++ b/drivers/pci/controller/pcie-rcar-host.c
+@@ -12,6 +12,7 @@
+ */
+
+ #include <linux/bitops.h>
++#include <linux/cleanup.h>
+ #include <linux/clk.h>
+ #include <linux/clk-provider.h>
+ #include <linux/delay.h>
+@@ -36,7 +37,7 @@ struct rcar_msi {
+ DECLARE_BITMAP(used, INT_PCI_MSI_NR);
+ struct irq_domain *domain;
+ struct mutex map_lock;
+- spinlock_t mask_lock;
++ raw_spinlock_t mask_lock;
+ int irq1;
+ int irq2;
+ };
+@@ -639,28 +640,26 @@ static void rcar_msi_irq_mask(struct irq
+ {
+ struct rcar_msi *msi = irq_data_get_irq_chip_data(d);
+ struct rcar_pcie *pcie = &msi_to_host(msi)->pcie;
+- unsigned long flags;
+ u32 value;
+
+- spin_lock_irqsave(&msi->mask_lock, flags);
+- value = rcar_pci_read_reg(pcie, PCIEMSIIER);
+- value &= ~BIT(d->hwirq);
+- rcar_pci_write_reg(pcie, value, PCIEMSIIER);
+- spin_unlock_irqrestore(&msi->mask_lock, flags);
++ scoped_guard(raw_spinlock_irqsave, &msi->mask_lock) {
++ value = rcar_pci_read_reg(pcie, PCIEMSIIER);
++ value &= ~BIT(d->hwirq);
++ rcar_pci_write_reg(pcie, value, PCIEMSIIER);
++ }
+ }
+
+ static void rcar_msi_irq_unmask(struct irq_data *d)
+ {
+ struct rcar_msi *msi = irq_data_get_irq_chip_data(d);
+ struct rcar_pcie *pcie = &msi_to_host(msi)->pcie;
+- unsigned long flags;
+ u32 value;
+
+- spin_lock_irqsave(&msi->mask_lock, flags);
+- value = rcar_pci_read_reg(pcie, PCIEMSIIER);
+- value |= BIT(d->hwirq);
+- rcar_pci_write_reg(pcie, value, PCIEMSIIER);
+- spin_unlock_irqrestore(&msi->mask_lock, flags);
++ scoped_guard(raw_spinlock_irqsave, &msi->mask_lock) {
++ value = rcar_pci_read_reg(pcie, PCIEMSIIER);
++ value |= BIT(d->hwirq);
++ rcar_pci_write_reg(pcie, value, PCIEMSIIER);
++ }
+ }
+
+ static int rcar_msi_set_affinity(struct irq_data *d, const struct cpumask *mask, bool force)
+@@ -776,7 +775,7 @@ static int rcar_pcie_enable_msi(struct r
+ int err;
+
+ mutex_init(&msi->map_lock);
+- spin_lock_init(&msi->mask_lock);
++ raw_spin_lock_init(&msi->mask_lock);
+
+ err = of_address_to_resource(dev->of_node, 0, &res);
+ if (err)
--- /dev/null
+From 0a8f173d9dad13930d5888505dc4c4fd6a1d4262 Mon Sep 17 00:00:00 2001
+From: Marek Vasut <marek.vasut+renesas@mailbox.org>
+Date: Tue, 9 Sep 2025 18:26:24 +0200
+Subject: PCI: rcar-host: Drop PMSR spinlock
+
+From: Marek Vasut <marek.vasut+renesas@mailbox.org>
+
+commit 0a8f173d9dad13930d5888505dc4c4fd6a1d4262 upstream.
+
+The pmsr_lock spinlock used to be necessary to synchronize access to the
+PMSR register, because that access could have been triggered from either
+config space access in rcar_pcie_config_access() or an exception handler
+rcar_pcie_aarch32_abort_handler().
+
+The rcar_pcie_aarch32_abort_handler() case is no longer applicable since
+commit 6e36203bc14c ("PCI: rcar: Use PCI_SET_ERROR_RESPONSE after read
+which triggered an exception"), which performs more accurate, controlled
+invocation of the exception, and a fixup.
+
+This leaves rcar_pcie_config_access() as the only call site from which
+rcar_pcie_wakeup() is called. The rcar_pcie_config_access() can only be
+called from the controller struct pci_ops .read and .write callbacks,
+and those are serialized in drivers/pci/access.c using raw spinlock
+'pci_lock' . It should be noted that CONFIG_PCI_LOCKLESS_CONFIG is never
+set on this platform.
+
+Since the 'pci_lock' is a raw spinlock , and the 'pmsr_lock' is not a
+raw spinlock, this constellation triggers 'BUG: Invalid wait context'
+with CONFIG_PROVE_RAW_LOCK_NESTING=y .
+
+Remove the pmsr_lock to fix the locking.
+
+Fixes: a115b1bd3af0 ("PCI: rcar: Add L1 link state fix into data abort hook")
+Reported-by: Duy Nguyen <duy.nguyen.rh@renesas.com>
+Reported-by: Thuan Nguyen <thuan.nguyen-hong@banvien.com.vn>
+Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250909162707.13927-1-marek.vasut+renesas@mailbox.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/controller/pcie-rcar-host.c | 13 ++-----------
+ 1 file changed, 2 insertions(+), 11 deletions(-)
+
+--- a/drivers/pci/controller/pcie-rcar-host.c
++++ b/drivers/pci/controller/pcie-rcar-host.c
+@@ -65,20 +65,13 @@ struct rcar_pcie_host {
+ int (*phy_init_fn)(struct rcar_pcie_host *host);
+ };
+
+-static DEFINE_SPINLOCK(pmsr_lock);
+-
+ static int rcar_pcie_wakeup(struct device *pcie_dev, void __iomem *pcie_base)
+ {
+- unsigned long flags;
+ u32 pmsr, val;
+ int ret = 0;
+
+- spin_lock_irqsave(&pmsr_lock, flags);
+-
+- if (!pcie_base || pm_runtime_suspended(pcie_dev)) {
+- ret = -EINVAL;
+- goto unlock_exit;
+- }
++ if (!pcie_base || pm_runtime_suspended(pcie_dev))
++ return -EINVAL;
+
+ pmsr = readl(pcie_base + PMSR);
+
+@@ -100,8 +93,6 @@ static int rcar_pcie_wakeup(struct devic
+ writel(L1FAEG | PMEL1RX, pcie_base + PMSR);
+ }
+
+-unlock_exit:
+- spin_unlock_irqrestore(&pmsr_lock, flags);
+ return ret;
+ }
+
--- /dev/null
+From 48991e4935078b05f80616c75d1ee2ea3ae18e58 Mon Sep 17 00:00:00 2001
+From: Brian Norris <briannorris@google.com>
+Date: Wed, 24 Sep 2025 09:57:11 -0700
+Subject: PCI/sysfs: Ensure devices are powered for config reads
+
+From: Brian Norris <briannorris@google.com>
+
+commit 48991e4935078b05f80616c75d1ee2ea3ae18e58 upstream.
+
+The "max_link_width", "current_link_speed", "current_link_width",
+"secondary_bus_number", and "subordinate_bus_number" sysfs files all access
+config registers, but they don't check the runtime PM state. If the device
+is in D3cold or a parent bridge is suspended, we may see -EINVAL, bogus
+values, or worse, depending on implementation details.
+
+Wrap these access in pci_config_pm_runtime_{get,put}() like most of the
+rest of the similar sysfs attributes.
+
+Notably, "max_link_speed" does not access config registers; it returns a
+cached value since d2bd39c0456b ("PCI: Store all PCIe Supported Link
+Speeds").
+
+Fixes: 56c1af4606f0 ("PCI: Add sysfs max_link_speed/width, current_link_speed/width, etc")
+Signed-off-by: Brian Norris <briannorris@google.com>
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250924095711.v2.1.Ibb5b6ca1e2c059e04ec53140cd98a44f2684c668@changeid
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/pci-sysfs.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+--- a/drivers/pci/pci-sysfs.c
++++ b/drivers/pci/pci-sysfs.c
+@@ -196,8 +196,14 @@ static ssize_t max_link_width_show(struc
+ struct device_attribute *attr, char *buf)
+ {
+ struct pci_dev *pdev = to_pci_dev(dev);
++ ssize_t ret;
+
+- return sysfs_emit(buf, "%u\n", pcie_get_width_cap(pdev));
++ /* We read PCI_EXP_LNKCAP, so we need the device to be accessible. */
++ pci_config_pm_runtime_get(pdev);
++ ret = sysfs_emit(buf, "%u\n", pcie_get_width_cap(pdev));
++ pci_config_pm_runtime_put(pdev);
++
++ return ret;
+ }
+ static DEVICE_ATTR_RO(max_link_width);
+
+@@ -209,7 +215,10 @@ static ssize_t current_link_speed_show(s
+ int err;
+ enum pci_bus_speed speed;
+
++ pci_config_pm_runtime_get(pci_dev);
+ err = pcie_capability_read_word(pci_dev, PCI_EXP_LNKSTA, &linkstat);
++ pci_config_pm_runtime_put(pci_dev);
++
+ if (err)
+ return -EINVAL;
+
+@@ -226,7 +235,10 @@ static ssize_t current_link_width_show(s
+ u16 linkstat;
+ int err;
+
++ pci_config_pm_runtime_get(pci_dev);
+ err = pcie_capability_read_word(pci_dev, PCI_EXP_LNKSTA, &linkstat);
++ pci_config_pm_runtime_put(pci_dev);
++
+ if (err)
+ return -EINVAL;
+
+@@ -242,7 +254,10 @@ static ssize_t secondary_bus_number_show
+ u8 sec_bus;
+ int err;
+
++ pci_config_pm_runtime_get(pci_dev);
+ err = pci_read_config_byte(pci_dev, PCI_SECONDARY_BUS, &sec_bus);
++ pci_config_pm_runtime_put(pci_dev);
++
+ if (err)
+ return -EINVAL;
+
+@@ -258,7 +273,10 @@ static ssize_t subordinate_bus_number_sh
+ u8 sub_bus;
+ int err;
+
++ pci_config_pm_runtime_get(pci_dev);
+ err = pci_read_config_byte(pci_dev, PCI_SUBORDINATE_BUS, &sub_bus);
++ pci_config_pm_runtime_put(pci_dev);
++
+ if (err)
+ return -EINVAL;
+
--- /dev/null
+From 26fda92d3b56bf44a02bcb4001c5a5548e0ae8ee Mon Sep 17 00:00:00 2001
+From: Marek Vasut <marek.vasut+renesas@mailbox.org>
+Date: Mon, 22 Sep 2025 17:07:48 +0200
+Subject: PCI: tegra: Convert struct tegra_msi mask_lock into raw spinlock
+
+From: Marek Vasut <marek.vasut+renesas@mailbox.org>
+
+commit 26fda92d3b56bf44a02bcb4001c5a5548e0ae8ee upstream.
+
+The tegra_msi_irq_unmask() function may be called from a PCI driver
+request_threaded_irq() function. This triggers kernel/irq/manage.c
+__setup_irq() which locks raw spinlock &desc->lock descriptor lock
+and with that descriptor lock held, calls tegra_msi_irq_unmask().
+
+Since the &desc->lock descriptor lock is a raw spinlock, and the tegra_msi
+.mask_lock is not a raw spinlock, this setup triggers 'BUG: Invalid wait
+context' with CONFIG_PROVE_RAW_LOCK_NESTING=y.
+
+Use scoped_guard() to simplify the locking.
+
+Fixes: 2c99e55f7955 ("PCI: tegra: Convert to MSI domains")
+Reported-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Closes: https://patchwork.kernel.org/project/linux-pci/patch/20250909162707.13927-2-marek.vasut+renesas@mailbox.org/#26574451
+Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250922150811.88450-1-marek.vasut+renesas@mailbox.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/controller/pci-tegra.c | 27 +++++++++++++--------------
+ 1 file changed, 13 insertions(+), 14 deletions(-)
+
+--- a/drivers/pci/controller/pci-tegra.c
++++ b/drivers/pci/controller/pci-tegra.c
+@@ -14,6 +14,7 @@
+ */
+
+ #include <linux/clk.h>
++#include <linux/cleanup.h>
+ #include <linux/debugfs.h>
+ #include <linux/delay.h>
+ #include <linux/export.h>
+@@ -269,7 +270,7 @@ struct tegra_msi {
+ DECLARE_BITMAP(used, INT_PCI_MSI_NR);
+ struct irq_domain *domain;
+ struct mutex map_lock;
+- spinlock_t mask_lock;
++ raw_spinlock_t mask_lock;
+ void *virt;
+ dma_addr_t phys;
+ int irq;
+@@ -1607,14 +1608,13 @@ static void tegra_msi_irq_mask(struct ir
+ struct tegra_msi *msi = irq_data_get_irq_chip_data(d);
+ struct tegra_pcie *pcie = msi_to_pcie(msi);
+ unsigned int index = d->hwirq / 32;
+- unsigned long flags;
+ u32 value;
+
+- spin_lock_irqsave(&msi->mask_lock, flags);
+- value = afi_readl(pcie, AFI_MSI_EN_VEC(index));
+- value &= ~BIT(d->hwirq % 32);
+- afi_writel(pcie, value, AFI_MSI_EN_VEC(index));
+- spin_unlock_irqrestore(&msi->mask_lock, flags);
++ scoped_guard(raw_spinlock_irqsave, &msi->mask_lock) {
++ value = afi_readl(pcie, AFI_MSI_EN_VEC(index));
++ value &= ~BIT(d->hwirq % 32);
++ afi_writel(pcie, value, AFI_MSI_EN_VEC(index));
++ }
+ }
+
+ static void tegra_msi_irq_unmask(struct irq_data *d)
+@@ -1622,14 +1622,13 @@ static void tegra_msi_irq_unmask(struct
+ struct tegra_msi *msi = irq_data_get_irq_chip_data(d);
+ struct tegra_pcie *pcie = msi_to_pcie(msi);
+ unsigned int index = d->hwirq / 32;
+- unsigned long flags;
+ u32 value;
+
+- spin_lock_irqsave(&msi->mask_lock, flags);
+- value = afi_readl(pcie, AFI_MSI_EN_VEC(index));
+- value |= BIT(d->hwirq % 32);
+- afi_writel(pcie, value, AFI_MSI_EN_VEC(index));
+- spin_unlock_irqrestore(&msi->mask_lock, flags);
++ scoped_guard(raw_spinlock_irqsave, &msi->mask_lock) {
++ value = afi_readl(pcie, AFI_MSI_EN_VEC(index));
++ value |= BIT(d->hwirq % 32);
++ afi_writel(pcie, value, AFI_MSI_EN_VEC(index));
++ }
+ }
+
+ static int tegra_msi_set_affinity(struct irq_data *d, const struct cpumask *mask, bool force)
+@@ -1745,7 +1744,7 @@ static int tegra_pcie_msi_setup(struct t
+ int err;
+
+ mutex_init(&msi->map_lock);
+- spin_lock_init(&msi->mask_lock);
++ raw_spin_lock_init(&msi->mask_lock);
+
+ if (IS_ENABLED(CONFIG_PCI_MSI)) {
+ err = tegra_allocate_domains(msi);
--- /dev/null
+From b640d42a6ac9ba01abe65ec34f7c73aaf6758ab8 Mon Sep 17 00:00:00 2001
+From: Niklas Cassel <cassel@kernel.org>
+Date: Mon, 22 Sep 2025 16:08:24 +0200
+Subject: PCI: tegra194: Fix broken tegra_pcie_ep_raise_msi_irq()
+
+From: Niklas Cassel <cassel@kernel.org>
+
+commit b640d42a6ac9ba01abe65ec34f7c73aaf6758ab8 upstream.
+
+The pci_epc_raise_irq() supplies a MSI or MSI-X interrupt number in range
+(1-N), as per the pci_epc_raise_irq() kdoc, where N is 32 for MSI.
+
+But tegra_pcie_ep_raise_msi_irq() incorrectly uses the interrupt number as
+the MSI vector. This causes wrong MSI vector to be triggered, leading to
+the failure of PCI endpoint Kselftest MSI_TEST test case.
+
+To fix this issue, convert the interrupt number to MSI vector.
+
+Fixes: c57247f940e8 ("PCI: tegra: Add support for PCIe endpoint mode in Tegra194")
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250922140822.519796-6-cassel@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/controller/dwc/pcie-tegra194.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/pci/controller/dwc/pcie-tegra194.c
++++ b/drivers/pci/controller/dwc/pcie-tegra194.c
+@@ -1949,10 +1949,10 @@ static int tegra_pcie_ep_raise_legacy_ir
+
+ static int tegra_pcie_ep_raise_msi_irq(struct tegra_pcie_dw *pcie, u16 irq)
+ {
+- if (unlikely(irq > 31))
++ if (unlikely(irq > 32))
+ return -EINVAL;
+
+- appl_writel(pcie, BIT(irq), APPL_MSI_CTRL_1);
++ appl_writel(pcie, BIT(irq - 1), APPL_MSI_CTRL_1);
+
+ return 0;
+ }
--- /dev/null
+From f8c9ad46b00453a8c075453f3745f8d263f44834 Mon Sep 17 00:00:00 2001
+From: Vidya Sagar <vidyas@nvidia.com>
+Date: Mon, 22 Sep 2025 16:08:26 +0200
+Subject: PCI: tegra194: Handle errors in BPMP response
+
+From: Vidya Sagar <vidyas@nvidia.com>
+
+commit f8c9ad46b00453a8c075453f3745f8d263f44834 upstream.
+
+The return value from tegra_bpmp_transfer() indicates the success or
+failure of the IPC transaction with BPMP. If the transaction succeeded, we
+also need to check the actual command's result code.
+
+If we don't have error handling for tegra_bpmp_transfer(), we will set the
+pcie->ep_state to EP_STATE_ENABLED even when the tegra_bpmp_transfer()
+command fails. Thus, the pcie->ep_state will get out of sync with reality,
+and any further PERST# assert + deassert will be a no-op and will not
+trigger the hardware initialization sequence.
+
+This is because pex_ep_event_pex_rst_deassert() checks the current
+pcie->ep_state, and does nothing if the current state is already
+EP_STATE_ENABLED.
+
+Thus, it is important to have error handling for tegra_bpmp_transfer(),
+such that the pcie->ep_state can not get out of sync with reality, so that
+we will try to initialize the hardware not only during the first PERST#
+assert + deassert, but also during any succeeding PERST# assert + deassert.
+
+One example where this fix is needed is when using a rock5b as host.
+During the initial PERST# assert + deassert (triggered by the bootloader on
+the rock5b) pex_ep_event_pex_rst_deassert() will get called, but for some
+unknown reason, the tegra_bpmp_transfer() call to initialize the PHY fails.
+Once Linux has been loaded on the rock5b, the PCIe driver will once again
+assert + deassert PERST#. However, without tegra_bpmp_transfer() error
+handling, this second PERST# assert + deassert will not trigger the
+hardware initialization sequence.
+
+With tegra_bpmp_transfer() error handling, the second PERST# assert +
+deassert will once again trigger the hardware to be initialized and this
+time the tegra_bpmp_transfer() succeeds.
+
+Fixes: c57247f940e8 ("PCI: tegra: Add support for PCIe endpoint mode in Tegra194")
+Signed-off-by: Vidya Sagar <vidyas@nvidia.com>
+[cassel: improve commit log]
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
+Acked-by: Thierry Reding <treding@nvidia.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250922140822.519796-8-cassel@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/controller/dwc/pcie-tegra194.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+--- a/drivers/pci/controller/dwc/pcie-tegra194.c
++++ b/drivers/pci/controller/dwc/pcie-tegra194.c
+@@ -1204,6 +1204,7 @@ static int tegra_pcie_bpmp_set_ctrl_stat
+ struct mrq_uphy_response resp;
+ struct tegra_bpmp_message msg;
+ struct mrq_uphy_request req;
++ int err;
+
+ /*
+ * Controller-5 doesn't need to have its state set by BPMP-FW in
+@@ -1226,7 +1227,13 @@ static int tegra_pcie_bpmp_set_ctrl_stat
+ msg.rx.data = &resp;
+ msg.rx.size = sizeof(resp);
+
+- return tegra_bpmp_transfer(pcie->bpmp, &msg);
++ err = tegra_bpmp_transfer(pcie->bpmp, &msg);
++ if (err)
++ return err;
++ if (msg.rx.ret)
++ return -EINVAL;
++
++ return 0;
+ }
+
+ static int tegra_pcie_bpmp_set_pll_state(struct tegra_pcie_dw *pcie,
+@@ -1235,6 +1242,7 @@ static int tegra_pcie_bpmp_set_pll_state
+ struct mrq_uphy_response resp;
+ struct tegra_bpmp_message msg;
+ struct mrq_uphy_request req;
++ int err;
+
+ memset(&req, 0, sizeof(req));
+ memset(&resp, 0, sizeof(resp));
+@@ -1254,7 +1262,13 @@ static int tegra_pcie_bpmp_set_pll_state
+ msg.rx.data = &resp;
+ msg.rx.size = sizeof(resp);
+
+- return tegra_bpmp_transfer(pcie->bpmp, &msg);
++ err = tegra_bpmp_transfer(pcie->bpmp, &msg);
++ if (err)
++ return err;
++ if (msg.rx.ret)
++ return -EINVAL;
++
++ return 0;
+ }
+
+ static void tegra_pcie_downstream_dev_to_D0(struct tegra_pcie_dw *pcie)
--- /dev/null
+From ee6cd8f3e28ee5a929c3b67c01a350f550f9b73a Mon Sep 17 00:00:00 2001
+From: Dzmitry Sankouski <dsankouski@gmail.com>
+Date: Thu, 18 Sep 2025 20:06:45 +0300
+Subject: power: supply: max77976_charger: fix constant current reporting
+
+From: Dzmitry Sankouski <dsankouski@gmail.com>
+
+commit ee6cd8f3e28ee5a929c3b67c01a350f550f9b73a upstream.
+
+CHARGE_CONTROL_LIMIT is a wrong property to report charge current limit,
+because `CHARGE_*` attributes represents capacity, not current. The
+correct attribute to report and set charge current limit is
+CONSTANT_CHARGE_CURRENT.
+
+Rename CHARGE_CONTROL_LIMIT to CONSTANT_CHARGE_CURRENT.
+
+Cc: stable@vger.kernel.org
+Fixes: 715ecbc10d6a ("power: supply: max77976: add Maxim MAX77976 charger driver")
+Signed-off-by: Dzmitry Sankouski <dsankouski@gmail.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/power/supply/max77976_charger.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/power/supply/max77976_charger.c
++++ b/drivers/power/supply/max77976_charger.c
+@@ -292,10 +292,10 @@ static int max77976_get_property(struct
+ case POWER_SUPPLY_PROP_ONLINE:
+ err = max77976_get_online(chg, &val->intval);
+ break;
+- case POWER_SUPPLY_PROP_CHARGE_CONTROL_LIMIT_MAX:
++ case POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT_MAX:
+ val->intval = MAX77976_CHG_CC_MAX;
+ break;
+- case POWER_SUPPLY_PROP_CHARGE_CONTROL_LIMIT:
++ case POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT:
+ err = max77976_get_integer(chg, CHG_CC,
+ MAX77976_CHG_CC_MIN,
+ MAX77976_CHG_CC_MAX,
+@@ -330,7 +330,7 @@ static int max77976_set_property(struct
+ int err = 0;
+
+ switch (psp) {
+- case POWER_SUPPLY_PROP_CHARGE_CONTROL_LIMIT:
++ case POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT:
+ err = max77976_set_integer(chg, CHG_CC,
+ MAX77976_CHG_CC_MIN,
+ MAX77976_CHG_CC_MAX,
+@@ -355,7 +355,7 @@ static int max77976_property_is_writeabl
+ enum power_supply_property psp)
+ {
+ switch (psp) {
+- case POWER_SUPPLY_PROP_CHARGE_CONTROL_LIMIT:
++ case POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT:
+ case POWER_SUPPLY_PROP_INPUT_CURRENT_LIMIT:
+ return true;
+ default:
+@@ -368,8 +368,8 @@ static enum power_supply_property max779
+ POWER_SUPPLY_PROP_CHARGE_TYPE,
+ POWER_SUPPLY_PROP_HEALTH,
+ POWER_SUPPLY_PROP_ONLINE,
+- POWER_SUPPLY_PROP_CHARGE_CONTROL_LIMIT,
+- POWER_SUPPLY_PROP_CHARGE_CONTROL_LIMIT_MAX,
++ POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT,
++ POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT_MAX,
+ POWER_SUPPLY_PROP_INPUT_CURRENT_LIMIT,
+ POWER_SUPPLY_PROP_MODEL_NAME,
+ POWER_SUPPLY_PROP_MANUFACTURER,
--- /dev/null
+From a39087905af9ffecaa237a918a2c03a04e479934 Mon Sep 17 00:00:00 2001
+From: Nam Cao <namcao@linutronix.de>
+Date: Mon, 4 Aug 2025 12:07:28 +0200
+Subject: powerpc/powernv/pci: Fix underflow and leak issue
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nam Cao <namcao@linutronix.de>
+
+commit a39087905af9ffecaa237a918a2c03a04e479934 upstream.
+
+pnv_irq_domain_alloc() allocates interrupts at parent's interrupt
+domain. If it fails in the progress, all allocated interrupts are
+freed.
+
+The number of successfully allocated interrupts so far is stored
+"i". However, "i - 1" interrupts are freed. This is broken:
+
+ - One interrupt is not be freed
+
+ - If "i" is zero, "i - 1" wraps around
+
+Correct the number of freed interrupts to "i".
+
+Fixes: 0fcfe2247e75 ("powerpc/powernv/pci: Add MSI domains")
+Signed-off-by: Nam Cao <namcao@linutronix.de>
+Cc: stable@vger.kernel.org
+Reviewed-by: Cédric Le Goater <clg@redhat.com>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/70f8debe8688e0b467367db769b71c20146a836d.1754300646.git.namcao@linutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/platforms/powernv/pci-ioda.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/platforms/powernv/pci-ioda.c
++++ b/arch/powerpc/platforms/powernv/pci-ioda.c
+@@ -2234,7 +2234,7 @@ static int pnv_irq_domain_alloc(struct i
+ return 0;
+
+ out:
+- irq_domain_free_irqs_parent(domain, virq, i - 1);
++ irq_domain_free_irqs_parent(domain, virq, i);
+ msi_bitmap_free_hwirqs(&phb->msi_bmp, hwirq, nr_irqs);
+ return ret;
+ }
--- /dev/null
+From 3443ff3be6e59b80d74036bb39f5b6409eb23cc9 Mon Sep 17 00:00:00 2001
+From: Nam Cao <namcao@linutronix.de>
+Date: Mon, 4 Aug 2025 12:07:27 +0200
+Subject: powerpc/pseries/msi: Fix potential underflow and leak issue
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nam Cao <namcao@linutronix.de>
+
+commit 3443ff3be6e59b80d74036bb39f5b6409eb23cc9 upstream.
+
+pseries_irq_domain_alloc() allocates interrupts at parent's interrupt
+domain. If it fails in the progress, all allocated interrupts are
+freed.
+
+The number of successfully allocated interrupts so far is stored
+"i". However, "i - 1" interrupts are freed. This is broken:
+
+ - One interrupt is not be freed
+
+ - If "i" is zero, "i - 1" wraps around
+
+Correct the number of freed interrupts to 'i'.
+
+Fixes: a5f3d2c17b07 ("powerpc/pseries/pci: Add MSI domains")
+Signed-off-by: Nam Cao <namcao@linutronix.de>
+Cc: stable@vger.kernel.org
+Reviewed-by: Cédric Le Goater <clg@redhat.com>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/a980067f2b256bf716b4cd713bc1095966eed8cd.1754300646.git.namcao@linutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/platforms/pseries/msi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/platforms/pseries/msi.c
++++ b/arch/powerpc/platforms/pseries/msi.c
+@@ -590,7 +590,7 @@ static int pseries_irq_domain_alloc(stru
+
+ out:
+ /* TODO: handle RTAS cleanup in ->msi_finish() ? */
+- irq_domain_free_irqs_parent(domain, virq, i - 1);
++ irq_domain_free_irqs_parent(domain, virq, i);
+ return ret;
+ }
+
--- /dev/null
+From 3a4b9d027e4061766f618292df91760ea64a1fcc Mon Sep 17 00:00:00 2001
+From: Jisheng Zhang <jszhang@kernel.org>
+Date: Tue, 19 Aug 2025 19:42:24 +0800
+Subject: pwm: berlin: Fix wrong register in suspend/resume
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jisheng Zhang <jszhang@kernel.org>
+
+commit 3a4b9d027e4061766f618292df91760ea64a1fcc upstream.
+
+The 'enable' register should be BERLIN_PWM_EN rather than
+BERLIN_PWM_ENABLE, otherwise, the driver accesses wrong address, there
+will be cpu exception then kernel panic during suspend/resume.
+
+Fixes: bbf0722c1c66 ("pwm: berlin: Add suspend/resume support")
+Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
+Link: https://lore.kernel.org/r/20250819114224.31825-1-jszhang@kernel.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pwm/pwm-berlin.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/pwm/pwm-berlin.c
++++ b/drivers/pwm/pwm-berlin.c
+@@ -274,7 +274,7 @@ static int berlin_pwm_suspend(struct dev
+ if (!channel)
+ continue;
+
+- channel->enable = berlin_pwm_readl(bpc, i, BERLIN_PWM_ENABLE);
++ channel->enable = berlin_pwm_readl(bpc, i, BERLIN_PWM_EN);
+ channel->ctrl = berlin_pwm_readl(bpc, i, BERLIN_PWM_CONTROL);
+ channel->duty = berlin_pwm_readl(bpc, i, BERLIN_PWM_DUTY);
+ channel->tcnt = berlin_pwm_readl(bpc, i, BERLIN_PWM_TCNT);
+@@ -305,7 +305,7 @@ static int berlin_pwm_resume(struct devi
+ berlin_pwm_writel(bpc, i, channel->ctrl, BERLIN_PWM_CONTROL);
+ berlin_pwm_writel(bpc, i, channel->duty, BERLIN_PWM_DUTY);
+ berlin_pwm_writel(bpc, i, channel->tcnt, BERLIN_PWM_TCNT);
+- berlin_pwm_writel(bpc, i, channel->enable, BERLIN_PWM_ENABLE);
++ berlin_pwm_writel(bpc, i, channel->enable, BERLIN_PWM_EN);
+ }
+
+ return 0;
--- /dev/null
+From a001cd248ab244633c5fabe4f7c707e13fc1d1cc Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Tue, 19 Aug 2025 15:29:44 -0700
+Subject: rseq/selftests: Use weak symbol reference, not definition, to link with glibc
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit a001cd248ab244633c5fabe4f7c707e13fc1d1cc upstream.
+
+Add "extern" to the glibc-defined weak rseq symbols to convert the rseq
+selftest's usage from weak symbol definitions to weak symbol _references_.
+Effectively re-defining the glibc symbols wreaks havoc when building with
+-fno-common, e.g. generates segfaults when running multi-threaded programs,
+as dynamically linked applications end up with multiple versions of the
+symbols.
+
+Building with -fcommon, which until recently has the been the default for
+GCC and clang, papers over the bug by allowing the linker to resolve the
+weak/tentative definition to glibc's "real" definition.
+
+Note, the symbol itself (or rather its address), not the value of the
+symbol, is set to 0/NULL for unresolved weak symbol references, as the
+symbol doesn't exist and thus can't have a value. Check for a NULL rseq
+size pointer to handle the scenario where the test is statically linked
+against a libc that doesn't support rseq in any capacity.
+
+Fixes: 3bcbc20942db ("selftests/rseq: Play nice with binaries statically linked against glibc 2.35+")
+Reported-by: Thomas Gleixner <tglx@linutronix.de>
+Suggested-by: Florian Weimer <fweimer@redhat.com>
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: stable@vger.kernel.org
+Closes: https://lore.kernel.org/all/87frdoybk4.ffs@tglx
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/rseq/rseq.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/tools/testing/selftests/rseq/rseq.c
++++ b/tools/testing/selftests/rseq/rseq.c
+@@ -38,9 +38,9 @@
+ * Define weak versions to play nice with binaries that are statically linked
+ * against a libc that doesn't support registering its own rseq.
+ */
+-__weak ptrdiff_t __rseq_offset;
+-__weak unsigned int __rseq_size;
+-__weak unsigned int __rseq_flags;
++extern __weak ptrdiff_t __rseq_offset;
++extern __weak unsigned int __rseq_size;
++extern __weak unsigned int __rseq_flags;
+
+ static const ptrdiff_t *libc_rseq_offset_p = &__rseq_offset;
+ static const unsigned int *libc_rseq_size_p = &__rseq_size;
+@@ -124,7 +124,7 @@ void rseq_init(void)
+ * libc not having registered a restartable sequence. Try to find the
+ * symbols if that's the case.
+ */
+- if (!*libc_rseq_size_p) {
++ if (!libc_rseq_size_p || !*libc_rseq_size_p) {
+ libc_rseq_offset_p = dlsym(RTLD_NEXT, "__rseq_offset");
+ libc_rseq_size_p = dlsym(RTLD_NEXT, "__rseq_size");
+ libc_rseq_flags_p = dlsym(RTLD_NEXT, "__rseq_flags");
--- /dev/null
+From 9db26d5855d0374d4652487bfb5aacf40821c469 Mon Sep 17 00:00:00 2001
+From: Esben Haabendal <esben@geanix.com>
+Date: Fri, 16 May 2025 09:23:39 +0200
+Subject: rtc: interface: Ensure alarm irq is enabled when UIE is enabled
+
+From: Esben Haabendal <esben@geanix.com>
+
+commit 9db26d5855d0374d4652487bfb5aacf40821c469 upstream.
+
+When setting a normal alarm, user-space is responsible for using
+RTC_AIE_ON/RTC_AIE_OFF to control if alarm irq should be enabled.
+
+But when RTC_UIE_ON is used, interrupts must be enabled so that the
+requested irq events are generated.
+When RTC_UIE_OFF is used, alarm irq is disabled if there are no other
+alarms queued, so this commit brings symmetry to that.
+
+Signed-off-by: Esben Haabendal <esben@geanix.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250516-rtc-uie-irq-fixes-v2-5-3de8e530a39e@geanix.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/interface.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/rtc/interface.c
++++ b/drivers/rtc/interface.c
+@@ -594,6 +594,10 @@ int rtc_update_irq_enable(struct rtc_dev
+ rtc->uie_rtctimer.node.expires = ktime_add(now, onesec);
+ rtc->uie_rtctimer.period = ktime_set(1, 0);
+ err = rtc_timer_enqueue(rtc, &rtc->uie_rtctimer);
++ if (!err && rtc->ops && rtc->ops->alarm_irq_enable)
++ err = rtc->ops->alarm_irq_enable(rtc->dev.parent, 1);
++ if (err)
++ goto out;
+ } else {
+ rtc_timer_remove(rtc, &rtc->uie_rtctimer);
+ }
--- /dev/null
+From 795cda8338eab036013314dbc0b04aae728880ab Mon Sep 17 00:00:00 2001
+From: Esben Haabendal <esben@geanix.com>
+Date: Fri, 16 May 2025 09:23:35 +0200
+Subject: rtc: interface: Fix long-standing race when setting alarm
+
+From: Esben Haabendal <esben@geanix.com>
+
+commit 795cda8338eab036013314dbc0b04aae728880ab upstream.
+
+As described in the old comment dating back to
+commit 6610e0893b8b ("RTC: Rework RTC code to use timerqueue for events")
+from 2010, we have been living with a race window when setting alarm
+with an expiry in the near future (i.e. next second).
+With 1 second resolution, it can happen that the second ticks after the
+check for the timer having expired, but before the alarm is actually set.
+When this happen, no alarm IRQ is generated, at least not with some RTC
+chips (isl12022 is an example of this).
+
+With UIE RTC timer being implemented on top of alarm irq, being re-armed
+every second, UIE will occasionally fail to work, as an alarm irq lost
+due to this race will stop the re-arming loop.
+
+For now, I have limited the additional expiry check to only be done for
+alarms set to next seconds. I expect it should be good enough, although I
+don't know if we can now for sure that systems with loads could end up
+causing the same problems for alarms set 2 seconds or even longer in the
+future.
+
+I haven't been able to reproduce the problem with this check in place.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Esben Haabendal <esben@geanix.com>
+Link: https://lore.kernel.org/r/20250516-rtc-uie-irq-fixes-v2-1-3de8e530a39e@geanix.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/interface.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+--- a/drivers/rtc/interface.c
++++ b/drivers/rtc/interface.c
+@@ -443,6 +443,29 @@ static int __rtc_set_alarm(struct rtc_de
+ else
+ err = rtc->ops->set_alarm(rtc->dev.parent, alarm);
+
++ /*
++ * Check for potential race described above. If the waiting for next
++ * second, and the second just ticked since the check above, either
++ *
++ * 1) It ticked after the alarm was set, and an alarm irq should be
++ * generated.
++ *
++ * 2) It ticked before the alarm was set, and alarm irq most likely will
++ * not be generated.
++ *
++ * While we cannot easily check for which of these two scenarios we
++ * are in, we can return -ETIME to signal that the timer has already
++ * expired, which is true in both cases.
++ */
++ if ((scheduled - now) <= 1) {
++ err = __rtc_read_time(rtc, &tm);
++ if (err)
++ return err;
++ now = rtc_tm_to_time64(&tm);
++ if (scheduled <= now)
++ return -ETIME;
++ }
++
+ trace_rtc_set_alarm(rtc_tm_to_time64(&alarm->time), err);
+ return err;
+ }
--- /dev/null
+From 8fd5485fb4f3d9da3977fd783fcb8e5452463420 Mon Sep 17 00:00:00 2001
+From: Harshit Agarwal <harshit@nutanix.com>
+Date: Tue, 8 Apr 2025 04:50:21 +0000
+Subject: sched/deadline: Fix race in push_dl_task()
+
+From: Harshit Agarwal <harshit@nutanix.com>
+
+commit 8fd5485fb4f3d9da3977fd783fcb8e5452463420 upstream.
+
+When a CPU chooses to call push_dl_task and picks a task to push to
+another CPU's runqueue then it will call find_lock_later_rq method
+which would take a double lock on both CPUs' runqueues. If one of the
+locks aren't readily available, it may lead to dropping the current
+runqueue lock and reacquiring both the locks at once. During this window
+it is possible that the task is already migrated and is running on some
+other CPU. These cases are already handled. However, if the task is
+migrated and has already been executed and another CPU is now trying to
+wake it up (ttwu) such that it is queued again on the runqeue
+(on_rq is 1) and also if the task was run by the same CPU, then the
+current checks will pass even though the task was migrated out and is no
+longer in the pushable tasks list.
+Please go through the original rt change for more details on the issue.
+
+To fix this, after the lock is obtained inside the find_lock_later_rq,
+it ensures that the task is still at the head of pushable tasks list.
+Also removed some checks that are no longer needed with the addition of
+this new check.
+However, the new check of pushable tasks list only applies when
+find_lock_later_rq is called by push_dl_task. For the other caller i.e.
+dl_task_offline_migration, existing checks are used.
+
+Signed-off-by: Harshit Agarwal <harshit@nutanix.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Juri Lelli <juri.lelli@redhat.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250408045021.3283624-1-harshit@nutanix.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/deadline.c | 73 ++++++++++++++++++++++++++++++++----------------
+ 1 file changed, 49 insertions(+), 24 deletions(-)
+
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -2217,6 +2217,25 @@ static int find_later_rq(struct task_str
+ return -1;
+ }
+
++static struct task_struct *pick_next_pushable_dl_task(struct rq *rq)
++{
++ struct task_struct *p;
++
++ if (!has_pushable_dl_tasks(rq))
++ return NULL;
++
++ p = __node_2_pdl(rb_first_cached(&rq->dl.pushable_dl_tasks_root));
++
++ WARN_ON_ONCE(rq->cpu != task_cpu(p));
++ WARN_ON_ONCE(task_current(rq, p));
++ WARN_ON_ONCE(p->nr_cpus_allowed <= 1);
++
++ WARN_ON_ONCE(!task_on_rq_queued(p));
++ WARN_ON_ONCE(!dl_task(p));
++
++ return p;
++}
++
+ /* Locks the rq it finds */
+ static struct rq *find_lock_later_rq(struct task_struct *task, struct rq *rq)
+ {
+@@ -2244,12 +2263,37 @@ static struct rq *find_lock_later_rq(str
+
+ /* Retry if something changed. */
+ if (double_lock_balance(rq, later_rq)) {
+- if (unlikely(task_rq(task) != rq ||
++ /*
++ * double_lock_balance had to release rq->lock, in the
++ * meantime, task may no longer be fit to be migrated.
++ * Check the following to ensure that the task is
++ * still suitable for migration:
++ * 1. It is possible the task was scheduled,
++ * migrate_disabled was set and then got preempted,
++ * so we must check the task migration disable
++ * flag.
++ * 2. The CPU picked is in the task's affinity.
++ * 3. For throttled task (dl_task_offline_migration),
++ * check the following:
++ * - the task is not on the rq anymore (it was
++ * migrated)
++ * - the task is not on CPU anymore
++ * - the task is still a dl task
++ * - the task is not queued on the rq anymore
++ * 4. For the non-throttled task (push_dl_task), the
++ * check to ensure that this task is still at the
++ * head of the pushable tasks list is enough.
++ */
++ if (unlikely(is_migration_disabled(task) ||
+ !cpumask_test_cpu(later_rq->cpu, &task->cpus_mask) ||
+- task_on_cpu(rq, task) ||
+- !dl_task(task) ||
+- is_migration_disabled(task) ||
+- !task_on_rq_queued(task))) {
++ (task->dl.dl_throttled &&
++ (task_rq(task) != rq ||
++ task_on_cpu(rq, task) ||
++ !dl_task(task) ||
++ !task_on_rq_queued(task))) ||
++ (!task->dl.dl_throttled &&
++ task != pick_next_pushable_dl_task(rq)))) {
++
+ double_unlock_balance(rq, later_rq);
+ later_rq = NULL;
+ break;
+@@ -2272,25 +2316,6 @@ static struct rq *find_lock_later_rq(str
+ return later_rq;
+ }
+
+-static struct task_struct *pick_next_pushable_dl_task(struct rq *rq)
+-{
+- struct task_struct *p;
+-
+- if (!has_pushable_dl_tasks(rq))
+- return NULL;
+-
+- p = __node_2_pdl(rb_first_cached(&rq->dl.pushable_dl_tasks_root));
+-
+- WARN_ON_ONCE(rq->cpu != task_cpu(p));
+- WARN_ON_ONCE(task_current(rq, p));
+- WARN_ON_ONCE(p->nr_cpus_allowed <= 1);
+-
+- WARN_ON_ONCE(!task_on_rq_queued(p));
+- WARN_ON_ONCE(!dl_task(p));
+-
+- return p;
+-}
+-
+ /*
+ * See if the non running -deadline tasks on this rq
+ * can be sent to some other CPU where they can preempt
--- /dev/null
+From b81296591c567b12d3873b05a37b975707959b94 Mon Sep 17 00:00:00 2001
+From: Thorsten Blum <thorsten.blum@linux.dev>
+Date: Fri, 19 Sep 2025 11:26:37 +0200
+Subject: scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl()
+
+From: Thorsten Blum <thorsten.blum@linux.dev>
+
+commit b81296591c567b12d3873b05a37b975707959b94 upstream.
+
+Replace kmalloc() followed by copy_from_user() with memdup_user() to fix
+a memory leak that occurs when copy_from_user(buff[sg_used],,) fails and
+the 'cleanup1:' path does not free the memory for 'buff[sg_used]'. Using
+memdup_user() avoids this by freeing the memory internally.
+
+Since memdup_user() already allocates memory, use kzalloc() in the else
+branch instead of manually zeroing 'buff[sg_used]' using memset(0).
+
+Cc: stable@vger.kernel.org
+Fixes: edd163687ea5 ("[SCSI] hpsa: add driver for HP Smart Array controllers.")
+Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
+Acked-by: Don Brace <don.brace@microchip.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/hpsa.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -6528,18 +6528,21 @@ static int hpsa_big_passthru_ioctl(struc
+ while (left) {
+ sz = (left > ioc->malloc_size) ? ioc->malloc_size : left;
+ buff_size[sg_used] = sz;
+- buff[sg_used] = kmalloc(sz, GFP_KERNEL);
+- if (buff[sg_used] == NULL) {
+- status = -ENOMEM;
+- goto cleanup1;
+- }
++
+ if (ioc->Request.Type.Direction & XFER_WRITE) {
+- if (copy_from_user(buff[sg_used], data_ptr, sz)) {
+- status = -EFAULT;
++ buff[sg_used] = memdup_user(data_ptr, sz);
++ if (IS_ERR(buff[sg_used])) {
++ status = PTR_ERR(buff[sg_used]);
++ goto cleanup1;
++ }
++ } else {
++ buff[sg_used] = kzalloc(sz, GFP_KERNEL);
++ if (!buff[sg_used]) {
++ status = -ENOMEM;
+ goto cleanup1;
+ }
+- } else
+- memset(buff[sg_used], 0, sz);
++ }
++
+ left -= sz;
+ data_ptr += sz;
+ sg_used++;
--- /dev/null
+From dd91c79e4f58fbe2898dac84858033700e0e99fb Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@kernel.org>
+Date: Mon, 18 Aug 2025 13:54:23 -0700
+Subject: sctp: Fix MAC comparison to be constant-time
+
+From: Eric Biggers <ebiggers@kernel.org>
+
+commit dd91c79e4f58fbe2898dac84858033700e0e99fb upstream.
+
+To prevent timing attacks, MACs need to be compared in constant time.
+Use the appropriate helper function for this.
+
+Fixes: bbd0d59809f9 ("[SCTP]: Implement the receive and verification of AUTH chunk")
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers <ebiggers@kernel.org>
+Link: https://patch.msgid.link/20250818205426.30222-3-ebiggers@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/sm_make_chunk.c | 3 ++-
+ net/sctp/sm_statefuns.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/sctp/sm_make_chunk.c
++++ b/net/sctp/sm_make_chunk.c
+@@ -31,6 +31,7 @@
+ #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
+ #include <crypto/hash.h>
++#include <crypto/algapi.h>
+ #include <linux/types.h>
+ #include <linux/kernel.h>
+ #include <linux/ip.h>
+@@ -1796,7 +1797,7 @@ struct sctp_association *sctp_unpack_coo
+ }
+ }
+
+- if (memcmp(digest, cookie->signature, SCTP_SIGNATURE_SIZE)) {
++ if (crypto_memneq(digest, cookie->signature, SCTP_SIGNATURE_SIZE)) {
+ *error = -SCTP_IERROR_BAD_SIG;
+ goto fail;
+ }
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -30,6 +30,7 @@
+
+ #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
++#include <crypto/algapi.h>
+ #include <linux/types.h>
+ #include <linux/kernel.h>
+ #include <linux/ip.h>
+@@ -4418,7 +4419,7 @@ static enum sctp_ierror sctp_sf_authenti
+ sh_key, GFP_ATOMIC);
+
+ /* Discard the packet if the digests do not match */
+- if (memcmp(save_digest, digest, sig_len)) {
++ if (crypto_memneq(save_digest, digest, sig_len)) {
+ kfree(save_digest);
+ return SCTP_IERROR_BAD_SIG;
+ }
iio-imu-inv_icm42600-drop-redundant-pm_runtime-reinitialization-in-resume.patch
iommu-vt-d-prs-isn-t-usable-if-pds-isn-t-supported.patch
kernel-sys.c-fix-the-racy-usage-of-task_lock-tsk-group_leader-in-sys_prlimit64-paths.patch
+keys-trusted_tpm1-compare-hmac-values-in-constant-time.patch
+lib-genalloc-fix-device-leak-in-of_gen_pool_get.patch
+openat2-don-t-trigger-automounts-with-resolve_no_xdev.patch
+parisc-don-t-reference-obsolete-termio-struct-for-tc-constants.patch
+parisc-remove-spurious-if-statement-from-raw_copy_from_user.patch
+nvme-pci-add-tuxedo-ibs-gen8-to-samsung-sleep-quirk.patch
+power-supply-max77976_charger-fix-constant-current-reporting.patch
+powerpc-powernv-pci-fix-underflow-and-leak-issue.patch
+powerpc-pseries-msi-fix-potential-underflow-and-leak-issue.patch
+pwm-berlin-fix-wrong-register-in-suspend-resume.patch
+sched-deadline-fix-race-in-push_dl_task.patch
+scsi-hpsa-fix-potential-memory-leak-in-hpsa_big_passthru_ioctl.patch
+sctp-fix-mac-comparison-to-be-constant-time.patch
+sparc64-fix-hugetlb-for-sun4u.patch
+sparc-fix-error-handling-in-scan_one_device.patch
+xtensa-simdisk-add-input-size-check-in-proc_write_simdisk.patch
+mtd-rawnand-fsmc-default-to-autodetect-buswidth.patch
+mmc-core-spi-mode-remove-cmd7.patch
+memory-samsung-exynos-srom-fix-of_iomap-leak-in-exynos_srom_probe.patch
+rtc-interface-ensure-alarm-irq-is-enabled-when-uie-is-enabled.patch
+rtc-interface-fix-long-standing-race-when-setting-alarm.patch
+rseq-selftests-use-weak-symbol-reference-not-definition-to-link-with-glibc.patch
+pci-tegra-convert-struct-tegra_msi-mask_lock-into-raw-spinlock.patch
+pci-sysfs-ensure-devices-are-powered-for-config-reads.patch
+pci-iov-add-pci-rescan-remove-locking-when-enabling-disabling-sr-iov.patch
+pci-err-fix-uevent-on-failure-to-recover.patch
+pci-aer-fix-missing-uevent-on-recovery-when-a-reset-is-requested.patch
+pci-aer-support-errors-introduced-by-pcie-r6.0.patch
+pci-keystone-use-devm_request_irq-to-free-ks-pcie-error-irq-on-exit.patch
+pci-rcar-host-drop-pmsr-spinlock.patch
+pci-rcar-host-convert-struct-rcar_msi-mask_lock-into-raw-spinlock.patch
+pci-tegra194-fix-broken-tegra_pcie_ep_raise_msi_irq.patch
+pci-tegra194-handle-errors-in-bpmp-response.patch
+spi-cadence-quadspi-flush-posted-register-writes-before-indac-access.patch
+spi-cadence-quadspi-flush-posted-register-writes-before-dac-access.patch
+x86-umip-check-that-the-instruction-opcode-is-at-least-two-bytes.patch
+x86-umip-fix-decoding-of-register-forms-of-0f-01-sgdt-and-sidt-aliases.patch
--- /dev/null
+From 302c04110f0ce70d25add2496b521132548cd408 Mon Sep 17 00:00:00 2001
+From: Ma Ke <make24@iscas.ac.cn>
+Date: Sat, 20 Sep 2025 20:53:12 +0800
+Subject: sparc: fix error handling in scan_one_device()
+
+From: Ma Ke <make24@iscas.ac.cn>
+
+commit 302c04110f0ce70d25add2496b521132548cd408 upstream.
+
+Once of_device_register() failed, we should call put_device() to
+decrement reference count for cleanup. Or it could cause memory leak.
+So fix this by calling put_device(), then the name can be freed in
+kobject_cleanup().
+
+Calling path: of_device_register() -> of_device_add() -> device_add().
+As comment of device_add() says, 'if device_add() succeeds, you should
+call device_del() when you want to get rid of it. If device_add() has
+not succeeded, use only put_device() to drop the reference count'.
+
+Found by code review.
+
+Cc: stable@vger.kernel.org
+Fixes: cf44bbc26cf1 ("[SPARC]: Beginnings of generic of_device framework.")
+Signed-off-by: Ma Ke <make24@iscas.ac.cn>
+Reviewed-by: Andreas Larsson <andreas@gaisler.com>
+Signed-off-by: Andreas Larsson <andreas@gaisler.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/sparc/kernel/of_device_32.c | 1 +
+ arch/sparc/kernel/of_device_64.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/arch/sparc/kernel/of_device_32.c
++++ b/arch/sparc/kernel/of_device_32.c
+@@ -387,6 +387,7 @@ static struct platform_device * __init s
+
+ if (of_device_register(op)) {
+ printk("%pOF: Could not register of device.\n", dp);
++ put_device(&op->dev);
+ kfree(op);
+ op = NULL;
+ }
+--- a/arch/sparc/kernel/of_device_64.c
++++ b/arch/sparc/kernel/of_device_64.c
+@@ -680,6 +680,7 @@ static struct platform_device * __init s
+
+ if (of_device_register(op)) {
+ printk("%pOF: Could not register of device.\n", dp);
++ put_device(&op->dev);
+ kfree(op);
+ op = NULL;
+ }
--- /dev/null
+From 6fd44a481b3c6111e4801cec964627791d0f3ec5 Mon Sep 17 00:00:00 2001
+From: Anthony Yznaga <anthony.yznaga@oracle.com>
+Date: Tue, 15 Jul 2025 18:24:46 -0700
+Subject: sparc64: fix hugetlb for sun4u
+
+From: Anthony Yznaga <anthony.yznaga@oracle.com>
+
+commit 6fd44a481b3c6111e4801cec964627791d0f3ec5 upstream.
+
+An attempt to exercise sparc hugetlb code in a sun4u-based guest
+running under qemu results in the guest hanging due to being stuck
+in a trap loop. This is due to invalid hugetlb TTEs being installed
+that do not have the expected _PAGE_PMD_HUGE and page size bits set.
+Although the breakage has gone apparently unnoticed for several years,
+fix it now so there is the option to exercise sparc hugetlb code under
+qemu. This can be useful because sun4v support in qemu does not support
+linux guests currently and sun4v-based hardware resources may not be
+readily available.
+
+Fix tested with a 6.15.2 and 6.16-rc6 kernels by running libhugetlbfs
+tests on a qemu guest running Debian 13.
+
+Fixes: c7d9f77d33a7 ("sparc64: Multi-page size support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Anthony Yznaga <anthony.yznaga@oracle.com>
+Tested-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Reviewed-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Reviewed-by: Andreas Larsson <andreas@gaisler.com>
+Link: https://lore.kernel.org/r/20250716012446.10357-1-anthony.yznaga@oracle.com
+Signed-off-by: Andreas Larsson <andreas@gaisler.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/sparc/mm/hugetlbpage.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+--- a/arch/sparc/mm/hugetlbpage.c
++++ b/arch/sparc/mm/hugetlbpage.c
+@@ -133,6 +133,26 @@ hugetlb_get_unmapped_area(struct file *f
+
+ static pte_t sun4u_hugepage_shift_to_tte(pte_t entry, unsigned int shift)
+ {
++ unsigned long hugepage_size = _PAGE_SZ4MB_4U;
++
++ pte_val(entry) = pte_val(entry) & ~_PAGE_SZALL_4U;
++
++ switch (shift) {
++ case HPAGE_256MB_SHIFT:
++ hugepage_size = _PAGE_SZ256MB_4U;
++ pte_val(entry) |= _PAGE_PMD_HUGE;
++ break;
++ case HPAGE_SHIFT:
++ pte_val(entry) |= _PAGE_PMD_HUGE;
++ break;
++ case HPAGE_64K_SHIFT:
++ hugepage_size = _PAGE_SZ64K_4U;
++ break;
++ default:
++ WARN_ONCE(1, "unsupported hugepage shift=%u\n", shift);
++ }
++
++ pte_val(entry) = pte_val(entry) | hugepage_size;
+ return entry;
+ }
+
--- /dev/null
+From 1ad55767e77a853c98752ed1e33b68049a243bd7 Mon Sep 17 00:00:00 2001
+From: Pratyush Yadav <pratyush@kernel.org>
+Date: Sat, 6 Sep 2025 00:29:56 +0530
+Subject: spi: cadence-quadspi: Flush posted register writes before DAC access
+
+From: Pratyush Yadav <pratyush@kernel.org>
+
+commit 1ad55767e77a853c98752ed1e33b68049a243bd7 upstream.
+
+cqspi_read_setup() and cqspi_write_setup() program the address width as
+the last step in the setup. This is likely to be immediately followed by
+a DAC region read/write. On TI K3 SoCs the DAC region is on a different
+endpoint from the register region. This means that the order of the two
+operations is not guaranteed, and they might be reordered at the
+interconnect level. It is possible that the DAC read/write goes through
+before the address width update goes through. In this situation if the
+previous command used a different address width the OSPI command is sent
+with the wrong number of address bytes, resulting in an invalid command
+and undefined behavior.
+
+Read back the size register to make sure the write gets flushed before
+accessing the DAC region.
+
+Fixes: 140623410536 ("mtd: spi-nor: Add driver for Cadence Quad SPI Flash Controller")
+CC: stable@vger.kernel.org
+Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
+Signed-off-by: Pratyush Yadav <pratyush@kernel.org>
+Signed-off-by: Santhosh Kumar K <s-k6@ti.com>
+Message-ID: <20250905185958.3575037-3-s-k6@ti.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-cadence-quadspi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/spi/spi-cadence-quadspi.c
++++ b/drivers/spi/spi-cadence-quadspi.c
+@@ -655,6 +655,7 @@ static int cqspi_read_setup(struct cqspi
+ reg &= ~CQSPI_REG_SIZE_ADDRESS_MASK;
+ reg |= (op->addr.nbytes - 1);
+ writel(reg, reg_base + CQSPI_REG_SIZE);
++ readl(reg_base + CQSPI_REG_SIZE); /* Flush posted write. */
+ return 0;
+ }
+
+@@ -944,6 +945,7 @@ static int cqspi_write_setup(struct cqsp
+ reg &= ~CQSPI_REG_SIZE_ADDRESS_MASK;
+ reg |= (op->addr.nbytes - 1);
+ writel(reg, reg_base + CQSPI_REG_SIZE);
++ readl(reg_base + CQSPI_REG_SIZE); /* Flush posted write. */
+ return 0;
+ }
+
--- /dev/null
+From 29e0b471ccbd674d20d4bbddea1a51e7105212c5 Mon Sep 17 00:00:00 2001
+From: Pratyush Yadav <pratyush@kernel.org>
+Date: Sat, 6 Sep 2025 00:29:55 +0530
+Subject: spi: cadence-quadspi: Flush posted register writes before INDAC access
+
+From: Pratyush Yadav <pratyush@kernel.org>
+
+commit 29e0b471ccbd674d20d4bbddea1a51e7105212c5 upstream.
+
+cqspi_indirect_read_execute() and cqspi_indirect_write_execute() first
+set the enable bit on APB region and then start reading/writing to the
+AHB region. On TI K3 SoCs these regions lie on different endpoints. This
+means that the order of the two operations is not guaranteed, and they
+might be reordered at the interconnect level.
+
+It is possible for the AHB write to be executed before the APB write to
+enable the indirect controller, causing the transaction to be invalid
+and the write erroring out. Read back the APB region write before
+accessing the AHB region to make sure the write got flushed and the race
+condition is eliminated.
+
+Fixes: 140623410536 ("mtd: spi-nor: Add driver for Cadence Quad SPI Flash Controller")
+CC: stable@vger.kernel.org
+Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
+Signed-off-by: Pratyush Yadav <pratyush@kernel.org>
+Signed-off-by: Santhosh Kumar K <s-k6@ti.com>
+Message-ID: <20250905185958.3575037-2-s-k6@ti.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-cadence-quadspi.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/spi/spi-cadence-quadspi.c
++++ b/drivers/spi/spi-cadence-quadspi.c
+@@ -694,6 +694,7 @@ static int cqspi_indirect_read_execute(s
+ reinit_completion(&cqspi->transfer_complete);
+ writel(CQSPI_REG_INDIRECTRD_START_MASK,
+ reg_base + CQSPI_REG_INDIRECTRD);
++ readl(reg_base + CQSPI_REG_INDIRECTRD); /* Flush posted write. */
+
+ while (remaining > 0) {
+ if (!wait_for_completion_timeout(&cqspi->transfer_complete,
+@@ -968,6 +969,8 @@ static int cqspi_indirect_write_execute(
+ reinit_completion(&cqspi->transfer_complete);
+ writel(CQSPI_REG_INDIRECTWR_START_MASK,
+ reg_base + CQSPI_REG_INDIRECTWR);
++ readl(reg_base + CQSPI_REG_INDIRECTWR); /* Flush posted write. */
++
+ /*
+ * As per 66AK2G02 TRM SPRUHY8F section 11.15.5.3 Indirect Access
+ * Controller programming sequence, couple of cycles of
--- /dev/null
+From 32278c677947ae2f042c9535674a7fff9a245dd3 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Fri, 8 Aug 2025 10:23:56 -0700
+Subject: x86/umip: Check that the instruction opcode is at least two bytes
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit 32278c677947ae2f042c9535674a7fff9a245dd3 upstream.
+
+When checking for a potential UMIP violation on #GP, verify the decoder found
+at least two opcode bytes to avoid false positives when the kernel encounters
+an unknown instruction that starts with 0f. Because the array of opcode.bytes
+is zero-initialized by insn_init(), peeking at bytes[1] will misinterpret
+garbage as a potential SLDT or STR instruction, and can incorrectly trigger
+emulation.
+
+E.g. if a VPALIGNR instruction
+
+ 62 83 c5 05 0f 08 ff vpalignr xmm17{k5},xmm23,XMMWORD PTR [r8],0xff
+
+hits a #GP, the kernel emulates it as STR and squashes the #GP (and corrupts
+the userspace code stream).
+
+Arguably the check should look for exactly two bytes, but no three byte
+opcodes use '0f 00 xx' or '0f 01 xx' as an escape, i.e. it should be
+impossible to get a false positive if the first two opcode bytes match '0f 00'
+or '0f 01'. Go with a more conservative check with respect to the existing
+code to minimize the chances of breaking userspace, e.g. due to decoder
+weirdness.
+
+Analyzed by Nick Bray <ncbray@google.com>.
+
+Fixes: 1e5db223696a ("x86/umip: Add emulation code for UMIP instructions")
+Reported-by: Dan Snyder <dansnyder@google.com>
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/umip.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/umip.c
++++ b/arch/x86/kernel/umip.c
+@@ -156,8 +156,8 @@ static int identify_insn(struct insn *in
+ if (!insn->modrm.nbytes)
+ return -EINVAL;
+
+- /* All the instructions of interest start with 0x0f. */
+- if (insn->opcode.bytes[0] != 0xf)
++ /* The instructions of interest have 2-byte opcodes: 0F 00 or 0F 01. */
++ if (insn->opcode.nbytes < 2 || insn->opcode.bytes[0] != 0xf)
+ return -EINVAL;
+
+ if (insn->opcode.bytes[1] == 0x1) {
--- /dev/null
+From 27b1fd62012dfe9d3eb8ecde344d7aa673695ecf Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Fri, 8 Aug 2025 10:23:57 -0700
+Subject: x86/umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT aliases)
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit 27b1fd62012dfe9d3eb8ecde344d7aa673695ecf upstream.
+
+Filter out the register forms of 0F 01 when determining whether or not to
+emulate in response to a potential UMIP violation #GP, as SGDT and SIDT only
+accept memory operands. The register variants of 0F 01 are used to encode
+instructions for things like VMX and SGX, i.e. not checking the Mod field
+would cause the kernel to incorrectly emulate on #GP, e.g. due to a CPL
+violation on VMLAUNCH.
+
+Fixes: 1e5db223696a ("x86/umip: Add emulation code for UMIP instructions")
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/umip.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/arch/x86/kernel/umip.c
++++ b/arch/x86/kernel/umip.c
+@@ -163,8 +163,19 @@ static int identify_insn(struct insn *in
+ if (insn->opcode.bytes[1] == 0x1) {
+ switch (X86_MODRM_REG(insn->modrm.value)) {
+ case 0:
++ /* The reg form of 0F 01 /0 encodes VMX instructions. */
++ if (X86_MODRM_MOD(insn->modrm.value) == 3)
++ return -EINVAL;
++
+ return UMIP_INST_SGDT;
+ case 1:
++ /*
++ * The reg form of 0F 01 /1 encodes MONITOR/MWAIT,
++ * STAC/CLAC, and ENCLS.
++ */
++ if (X86_MODRM_MOD(insn->modrm.value) == 3)
++ return -EINVAL;
++
+ return UMIP_INST_SIDT;
+ case 4:
+ return UMIP_INST_SMSW;
--- /dev/null
+From 5d5f08fd0cd970184376bee07d59f635c8403f63 Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin <linmq006@gmail.com>
+Date: Fri, 29 Aug 2025 16:30:15 +0800
+Subject: xtensa: simdisk: add input size check in proc_write_simdisk
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+commit 5d5f08fd0cd970184376bee07d59f635c8403f63 upstream.
+
+A malicious user could pass an arbitrarily bad value
+to memdup_user_nul(), potentially causing kernel crash.
+
+This follows the same pattern as commit ee76746387f6
+("netdevsim: prevent bad user input in nsim_dev_health_break_write()")
+
+Fixes: b6c7e873daf7 ("xtensa: ISS: add host file-based simulated disk")
+Fixes: 16e5c1fc3604 ("convert a bunch of open-coded instances of memdup_user_nul()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Message-Id: <20250829083015.1992751-1-linmq006@gmail.com>
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/xtensa/platforms/iss/simdisk.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/xtensa/platforms/iss/simdisk.c
++++ b/arch/xtensa/platforms/iss/simdisk.c
+@@ -230,10 +230,14 @@ static ssize_t proc_read_simdisk(struct
+ static ssize_t proc_write_simdisk(struct file *file, const char __user *buf,
+ size_t count, loff_t *ppos)
+ {
+- char *tmp = memdup_user_nul(buf, count);
++ char *tmp;
+ struct simdisk *dev = pde_data(file_inode(file));
+ int err;
+
++ if (count == 0 || count > PAGE_SIZE)
++ return -EINVAL;
++
++ tmp = memdup_user_nul(buf, count);
+ if (IS_ERR(tmp))
+ return PTR_ERR(tmp);
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
