--- /dev/null
+From 847e04dbf47ed80f39c5c98f5ce21d311a354adf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Apr 2025 18:54:54 +0200
+Subject: ACPI: OSI: Stop advertising support for "3.0 _SCP Extensions"
+
+From: Armin Wolf <W_Armin@gmx.de>
+
+[ Upstream commit 8cf4fdac9bdead7bca15fc56fdecdf78d11c3ec6 ]
+
+As specified in section 5.7.2 of the ACPI specification the feature
+group string "3.0 _SCP Extensions" implies that the operating system
+evaluates the _SCP control method with additional parameters.
+
+However the ACPI thermal driver evaluates the _SCP control method
+without those additional parameters, conflicting with the above
+feature group string advertised to the firmware thru _OSI.
+
+Stop advertising support for this feature string to avoid confusing
+the ACPI firmware.
+
+Fixes: e5f660ebef68 ("ACPI / osi: Collect _OSI handling into one single file")
+Signed-off-by: Armin Wolf <W_Armin@gmx.de>
+Link: https://patch.msgid.link/20250410165456.4173-2-W_Armin@gmx.de
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/osi.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/acpi/osi.c b/drivers/acpi/osi.c
+index 9f68538091384..d93409f2b2a07 100644
+--- a/drivers/acpi/osi.c
++++ b/drivers/acpi/osi.c
+@@ -42,7 +42,6 @@ static struct acpi_osi_entry
+ osi_setup_entries[OSI_STRING_ENTRIES_MAX] __initdata = {
+ {"Module Device", true},
+ {"Processor Device", true},
+- {"3.0 _SCP Extensions", true},
+ {"Processor Aggregator Device", true},
+ /*
+ * Linux-Dell-Video is used by BIOS to disable RTD3 for NVidia graphics
+--
+2.39.5
+
--- /dev/null
+From ee9ad51e5be945037bc1f3ce85f360b076714d38 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Apr 2025 23:04:46 +0200
+Subject: ARM: dts: at91: at91sam9263: fix NAND chip selects
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit c72ede1c24be689733bcd2233a3a56f2478429c8 ]
+
+NAND did not work on my USB-A9263. I discovered that the offending
+commit converted the PIO bank for chip selects wrongly, so all A9263
+boards need to be fixed.
+
+Fixes: 1004a2977bdc ("ARM: dts: at91: Switch to the new NAND bindings")
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Reviewed-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Link: https://lore.kernel.org/r/20250402210446.5972-2-wsa+renesas@sang-engineering.com
+Signed-off-by: Claudiu Beznea <claudiu.beznea@tuxon.dev>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/at91sam9263ek.dts | 2 +-
+ arch/arm/boot/dts/tny_a9263.dts | 2 +-
+ arch/arm/boot/dts/usb_a9263.dts | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm/boot/dts/at91sam9263ek.dts b/arch/arm/boot/dts/at91sam9263ek.dts
+index 71f60576761a0..df206bdb67883 100644
+--- a/arch/arm/boot/dts/at91sam9263ek.dts
++++ b/arch/arm/boot/dts/at91sam9263ek.dts
+@@ -148,7 +148,7 @@
+ nand@3 {
+ reg = <0x3 0x0 0x800000>;
+ rb-gpios = <&pioA 22 GPIO_ACTIVE_HIGH>;
+- cs-gpios = <&pioA 15 GPIO_ACTIVE_HIGH>;
++ cs-gpios = <&pioD 15 GPIO_ACTIVE_HIGH>;
+ nand-bus-width = <8>;
+ nand-ecc-mode = "soft";
+ nand-on-flash-bbt;
+diff --git a/arch/arm/boot/dts/tny_a9263.dts b/arch/arm/boot/dts/tny_a9263.dts
+index 62b7d9f9a926c..c8b6318aaa838 100644
+--- a/arch/arm/boot/dts/tny_a9263.dts
++++ b/arch/arm/boot/dts/tny_a9263.dts
+@@ -64,7 +64,7 @@
+ nand@3 {
+ reg = <0x3 0x0 0x800000>;
+ rb-gpios = <&pioA 22 GPIO_ACTIVE_HIGH>;
+- cs-gpios = <&pioA 15 GPIO_ACTIVE_HIGH>;
++ cs-gpios = <&pioD 15 GPIO_ACTIVE_HIGH>;
+ nand-bus-width = <8>;
+ nand-ecc-mode = "soft";
+ nand-on-flash-bbt;
+diff --git a/arch/arm/boot/dts/usb_a9263.dts b/arch/arm/boot/dts/usb_a9263.dts
+index d1c07503ff76f..87a5f96014e01 100644
+--- a/arch/arm/boot/dts/usb_a9263.dts
++++ b/arch/arm/boot/dts/usb_a9263.dts
+@@ -84,7 +84,7 @@
+ nand@3 {
+ reg = <0x3 0x0 0x800000>;
+ rb-gpios = <&pioA 22 GPIO_ACTIVE_HIGH>;
+- cs-gpios = <&pioA 15 GPIO_ACTIVE_HIGH>;
++ cs-gpios = <&pioD 15 GPIO_ACTIVE_HIGH>;
+ nand-bus-width = <8>;
+ nand-ecc-mode = "soft";
+ nand-on-flash-bbt;
+--
+2.39.5
+
--- /dev/null
+From 0c4f9b5c3f63f531e8c401cb28171742d5457af5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Apr 2025 13:27:43 +0200
+Subject: ARM: dts: at91: usb_a9263: fix GPIO for Dataflash chip select
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit 67ba341e57ab158423818ed33bfa1c40eb0e5e7e ]
+
+Dataflash did not work on my board. After checking schematics and using
+the proper GPIO, it works now. Also, make it active low to avoid:
+
+flash@0 enforce active low on GPIO handle
+
+Fixes: 2432d201468d ("ARM: at91: dt: usb-a9263: add dataflash support")
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Link: https://lore.kernel.org/r/20250404112742.67416-2-wsa+renesas@sang-engineering.com
+Signed-off-by: Claudiu Beznea <claudiu.beznea@tuxon.dev>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/usb_a9263.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/usb_a9263.dts b/arch/arm/boot/dts/usb_a9263.dts
+index 8a0cfbfd0c452..d1c07503ff76f 100644
+--- a/arch/arm/boot/dts/usb_a9263.dts
++++ b/arch/arm/boot/dts/usb_a9263.dts
+@@ -58,7 +58,7 @@
+ };
+
+ spi0: spi@fffa4000 {
+- cs-gpios = <&pioB 15 GPIO_ACTIVE_HIGH>;
++ cs-gpios = <&pioA 5 GPIO_ACTIVE_LOW>;
+ status = "okay";
+ mtd_dataflash@0 {
+ compatible = "atmel,at45", "atmel,dataflash";
+--
+2.39.5
+
--- /dev/null
+From 1d768b80a8e8b604372e60c4ede91c05420d77bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Mar 2025 15:22:00 +0200
+Subject: ARM: dts: qcom: apq8064 merge hw splinlock into corresponding syscon
+ device
+
+From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+
+[ Upstream commit 325c6a441ae1f8fcb1db9bb945b8bdbd3142141e ]
+
+Follow up the expected way of describing the SFPB hwspinlock and merge
+hwspinlock node into corresponding syscon node, fixing several dt-schema
+warnings.
+
+Fixes: 24a9baf933dc ("ARM: dts: qcom: apq8064: Add hwmutex and SMEM nodes")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250318-fix-nexus-4-v2-7-bcedd1406790@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/qcom-apq8064.dtsi | 13 ++++---------
+ 1 file changed, 4 insertions(+), 9 deletions(-)
+
+diff --git a/arch/arm/boot/dts/qcom-apq8064.dtsi b/arch/arm/boot/dts/qcom-apq8064.dtsi
+index d70f071fd8304..50436197fff4a 100644
+--- a/arch/arm/boot/dts/qcom-apq8064.dtsi
++++ b/arch/arm/boot/dts/qcom-apq8064.dtsi
+@@ -211,12 +211,6 @@
+ };
+ };
+
+- sfpb_mutex: hwmutex {
+- compatible = "qcom,sfpb-mutex";
+- syscon = <&sfpb_wrapper_mutex 0x604 0x4>;
+- #hwlock-cells = <1>;
+- };
+-
+ smem {
+ compatible = "qcom,smem";
+ memory-region = <&smem_region>;
+@@ -360,9 +354,10 @@
+ pinctrl-0 = <&ps_hold>;
+ };
+
+- sfpb_wrapper_mutex: syscon@1200000 {
+- compatible = "syscon";
+- reg = <0x01200000 0x8000>;
++ sfpb_mutex: hwmutex@1200600 {
++ compatible = "qcom,sfpb-mutex";
++ reg = <0x01200600 0x100>;
++ #hwlock-cells = <1>;
+ };
+
+ intc: interrupt-controller@2000000 {
+--
+2.39.5
+
--- /dev/null
+From 5b6bb3af43ce2a0f6dd33af83ee52b389e00d848 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Apr 2025 20:01:27 -0500
+Subject: arm64: dts: imx8mm-beacon: Fix RTC capacitive load
+
+From: Adam Ford <aford173@gmail.com>
+
+[ Upstream commit 2e98d456666d63f897ba153210bcef9d78ba0f3a ]
+
+Although not noticeable when used every day, the RTC appears to drift when
+left to sit over time. This is due to the capacitive load not being
+properly set. Fix RTC drift by correcting the capacitive load setting
+from 7000 to 12500, which matches the actual hardware configuration.
+
+Fixes: 593816fa2f35 ("arm64: dts: imx: Add Beacon i.MX8m-Mini development kit")
+Signed-off-by: Adam Ford <aford173@gmail.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi
+index 40f5e7a3b0644..7ed267bf9b8f4 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi
+@@ -231,6 +231,7 @@
+ rtc: rtc@51 {
+ compatible = "nxp,pcf85263";
+ reg = <0x51>;
++ quartz-load-femtofarads = <12500>;
+ };
+ };
+
+--
+2.39.5
+
--- /dev/null
+From bbe4384c3451778e5bd2791e23988c768cccc73f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Apr 2025 20:01:28 -0500
+Subject: arm64: dts: imx8mn-beacon: Fix RTC capacitive load
+
+From: Adam Ford <aford173@gmail.com>
+
+[ Upstream commit c3f03bec30efd5082b55876846d57b5d17dae7b9 ]
+
+Although not noticeable when used every day, the RTC appears to drift when
+left to sit over time. This is due to the capacitive load not being
+properly set. Fix RTC drift by correcting the capacitive load setting
+from 7000 to 12500, which matches the actual hardware configuration.
+
+Fixes: 36ca3c8ccb53 ("arm64: dts: imx: Add Beacon i.MX8M Nano development kit")
+Signed-off-by: Adam Ford <aford173@gmail.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi
+index 3b2d627a03428..4c339b06c87e5 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi
+@@ -240,6 +240,7 @@
+ rtc: rtc@51 {
+ compatible = "nxp,pcf85263";
+ reg = <0x51>;
++ quartz-load-femtofarads = <12500>;
+ };
+ };
+
+--
+2.39.5
+
--- /dev/null
+From 787386e6ff2c3538a53904180862116e3e608dc7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Apr 2025 17:18:10 +0200
+Subject: arm64: dts: rockchip: disable unrouted USB controllers and PHY on
+ RK3399 Puma with Haikou
+
+From: Quentin Schulz <quentin.schulz@cherry.de>
+
+[ Upstream commit febd8c6ab52c683b447fe22fc740918c86feae43 ]
+
+The u2phy0_host port is the part of the USB PHY0 (namely the
+HOST0_DP/DM lanes) which routes directly to the USB2.0 HOST
+controller[1]. The other lanes of the PHY are routed to the USB3.0 OTG
+controller (dwc3), which we do use.
+
+The HOST0_DP/DM lanes aren't routed on RK3399 Puma so let's simply
+disable the USB2.0 controllers.
+
+USB3 OTG has been known to be unstable on RK3399 Puma Haikou for a
+while, one of the recurring issues being that only USB2 is detected and
+not USB3 in host mode. Reading the justification above and seeing that
+we are keeping u2phy0_host in the Haikou carrierboard DTS probably may
+have bothered you since it should be changed to u2phy0_otg. The issue is
+that if it's switched to that, USB OTG on Haikou is entirely broken. I
+have checked the routing in the Gerber file, the lanes are going to the
+expected ball pins (that is, NOT HOST0_DP/DM).
+u2phy0_host is for sure the wrong part of the PHY to use, but it's the
+only one that works at the moment for that board so keep it until we
+figure out what exactly is broken.
+
+No intended functional change.
+
+[1] https://rockchip.fr/Rockchip%20RK3399%20TRM%20V1.3%20Part2.pdf
+ Chapter 2 USB2.0 PHY
+
+Fixes: 2c66fc34e945 ("arm64: dts: rockchip: add RK3399-Q7 (Puma) SoM")
+Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
+Signed-off-by: Lukasz Czechowski <lukasz.czechowski@thaumatec.com>
+Link: https://lore.kernel.org/r/20250425-onboard_usb_dev-v2-5-4a76a474a010@thaumatec.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts | 8 --------
+ 1 file changed, 8 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts b/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts
+index f07f4b8231f91..f9f9ff5628ac6 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts
++++ b/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts
+@@ -251,14 +251,6 @@
+ status = "okay";
+ };
+
+-&usb_host0_ehci {
+- status = "okay";
+-};
+-
+-&usb_host0_ohci {
+- status = "okay";
+-};
+-
+ &vopb {
+ status = "okay";
+ };
+--
+2.39.5
+
--- /dev/null
+From 6b2458f8ef4de444f3e6144a0df4da2f5d955d45 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Apr 2025 17:16:47 +0800
+Subject: backlight: pm8941: Add NULL check in wled_configure()
+
+From: Henry Martin <bsdhenrymartin@gmail.com>
+
+[ Upstream commit e12d3e1624a02706cdd3628bbf5668827214fa33 ]
+
+devm_kasprintf() returns NULL when memory allocation fails. Currently,
+wled_configure() does not check for this case, which results in a NULL
+pointer dereference.
+
+Add NULL check after devm_kasprintf() to prevent this issue.
+
+Fixes: f86b77583d88 ("backlight: pm8941: Convert to using %pOFn instead of device_node.name")
+Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Reviewed-by: "Daniel Thompson (RISCstar)" <danielt@kernel.org>
+Link: https://lore.kernel.org/r/20250401091647.22784-1-bsdhenrymartin@gmail.com
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/backlight/qcom-wled.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/video/backlight/qcom-wled.c b/drivers/video/backlight/qcom-wled.c
+index f12c76d6e61de..21c1fba64ad5d 100644
+--- a/drivers/video/backlight/qcom-wled.c
++++ b/drivers/video/backlight/qcom-wled.c
+@@ -1404,9 +1404,11 @@ static int wled_configure(struct wled *wled)
+ wled->ctrl_addr = be32_to_cpu(*prop_addr);
+
+ rc = of_property_read_string(dev->of_node, "label", &wled->name);
+- if (rc)
++ if (rc) {
+ wled->name = devm_kasprintf(dev, GFP_KERNEL, "%pOFn", dev->of_node);
+-
++ if (!wled->name)
++ return -ENOMEM;
++ }
+ switch (wled->version) {
+ case 3:
+ u32_opts = wled3_opts;
+--
+2.39.5
+
--- /dev/null
+From 2695f379c036a09493b3513d7a47546d5a86541f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 May 2025 14:53:11 -0400
+Subject: Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 03dba9cea72f977e873e4e60e220fa596959dd8f ]
+
+Depending on the security set the response to L2CAP_LE_CONN_REQ shall be
+just L2CAP_CR_LE_ENCRYPTION if only encryption when BT_SECURITY_MEDIUM
+is selected since that means security mode 2 which doesn't require
+authentication which is something that is covered in the qualification
+test L2CAP/LE/CFC/BV-25-C.
+
+Link: https://github.com/bluez/bluez/issues/1270
+Fixes: 27e2d4c8d28b ("Bluetooth: Add basic LE L2CAP connect request receiving support")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 872a0249f53c8..89021b3b8f443 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -5859,7 +5859,8 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
+
+ if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
+ SMP_ALLOW_STK)) {
+- result = L2CAP_CR_LE_AUTHENTICATION;
++ result = pchan->sec_level == BT_SECURITY_MEDIUM ?
++ L2CAP_CR_LE_ENCRYPTION : L2CAP_CR_LE_AUTHENTICATION;
+ chan = NULL;
+ goto response_unlock;
+ }
+--
+2.39.5
+
--- /dev/null
+From 69d27445a998a77649ed8f0c6de623eccb31e923 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 May 2025 21:33:58 +0800
+Subject: bpf: Avoid __bpf_prog_ret0_warn when jit fails
+
+From: KaFai Wan <mannkafai@gmail.com>
+
+[ Upstream commit 86bc9c742426a16b52a10ef61f5b721aecca2344 ]
+
+syzkaller reported an issue:
+
+WARNING: CPU: 3 PID: 217 at kernel/bpf/core.c:2357 __bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357
+Modules linked in:
+CPU: 3 UID: 0 PID: 217 Comm: kworker/u32:6 Not tainted 6.15.0-rc4-syzkaller-00040-g8bac8898fe39
+RIP: 0010:__bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357
+Call Trace:
+ <TASK>
+ bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline]
+ __bpf_prog_run include/linux/filter.h:718 [inline]
+ bpf_prog_run include/linux/filter.h:725 [inline]
+ cls_bpf_classify+0x74a/0x1110 net/sched/cls_bpf.c:105
+ ...
+
+When creating bpf program, 'fp->jit_requested' depends on bpf_jit_enable.
+This issue is triggered because of CONFIG_BPF_JIT_ALWAYS_ON is not set
+and bpf_jit_enable is set to 1, causing the arch to attempt JIT the prog,
+but jit failed due to FAULT_INJECTION. As a result, incorrectly
+treats the program as valid, when the program runs it calls
+`__bpf_prog_ret0_warn` and triggers the WARN_ON_ONCE(1).
+
+Reported-by: syzbot+0903f6d7f285e41cdf10@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/bpf/6816e34e.a70a0220.254cdc.002c.GAE@google.com
+Fixes: fa9dd599b4da ("bpf: get rid of pure_initcall dependency to enable jits")
+Signed-off-by: KaFai Wan <mannkafai@gmail.com>
+Link: https://lore.kernel.org/r/20250526133358.2594176-1-mannkafai@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
+index d7dbca573df31..1ded3eb492b8e 100644
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -1909,7 +1909,7 @@ struct bpf_prog *bpf_prog_select_runtime(struct bpf_prog *fp, int *err)
+ /* In case of BPF to BPF calls, verifier did all the prep
+ * work with regards to JITing, etc.
+ */
+- bool jit_needed = false;
++ bool jit_needed = fp->jit_requested;
+
+ if (fp->bpf_func)
+ goto finalize;
+--
+2.39.5
+
--- /dev/null
+From 106940313d0efd5cae4a7fc7f0a319ed56dc6433 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 May 2025 19:30:31 +0000
+Subject: bpf: Fix uninitialized values in BPF_{CORE,PROBE}_READ
+
+From: Anton Protopopov <a.s.protopopov@gmail.com>
+
+[ Upstream commit 41d4ce6df3f4945341ec509a840cc002a413b6cc ]
+
+With the latest LLVM bpf selftests build will fail with
+the following error message:
+
+ progs/profiler.inc.h:710:31: error: default initialization of an object of type 'typeof ((parent_task)->real_cred->uid.val)' (aka 'const unsigned int') leaves the object uninitialized and is incompatible with C++ [-Werror,-Wdefault-const-init-unsafe]
+ 710 | proc_exec_data->parent_uid = BPF_CORE_READ(parent_task, real_cred, uid.val);
+ | ^
+ tools/testing/selftests/bpf/tools/include/bpf/bpf_core_read.h:520:35: note: expanded from macro 'BPF_CORE_READ'
+ 520 | ___type((src), a, ##__VA_ARGS__) __r; \
+ | ^
+
+This happens because BPF_CORE_READ (and other macro) declare the
+variable __r using the ___type macro which can inherit const modifier
+from intermediate types.
+
+Fix this by using __typeof_unqual__, when supported. (And when it
+is not supported, the problem shouldn't appear, as older compilers
+haven't complained.)
+
+Fixes: 792001f4f7aa ("libbpf: Add user-space variants of BPF_CORE_READ() family of macros")
+Fixes: a4b09a9ef945 ("libbpf: Add non-CO-RE variants of BPF_CORE_READ() macro family")
+Signed-off-by: Anton Protopopov <a.s.protopopov@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20250502193031.3522715-1-a.s.protopopov@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/bpf_core_read.h | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/tools/lib/bpf/bpf_core_read.h b/tools/lib/bpf/bpf_core_read.h
+index b8e68a17f3f1b..442551a501762 100644
+--- a/tools/lib/bpf/bpf_core_read.h
++++ b/tools/lib/bpf/bpf_core_read.h
+@@ -272,7 +272,13 @@ enum bpf_enum_value_kind {
+ #define ___arrow10(a, b, c, d, e, f, g, h, i, j) a->b->c->d->e->f->g->h->i->j
+ #define ___arrow(...) ___apply(___arrow, ___narg(__VA_ARGS__))(__VA_ARGS__)
+
++#if defined(__clang__) && (__clang_major__ >= 19)
++#define ___type(...) __typeof_unqual__(___arrow(__VA_ARGS__))
++#elif defined(__GNUC__) && (__GNUC__ >= 14)
++#define ___type(...) __typeof_unqual__(___arrow(__VA_ARGS__))
++#else
+ #define ___type(...) typeof(___arrow(__VA_ARGS__))
++#endif
+
+ #define ___read(read_fn, dst, src_type, src, accessor) \
+ read_fn((void *)(dst), sizeof(*(dst)), &((src_type)(src))->accessor)
+--
+2.39.5
+
--- /dev/null
+From 84af8cd3228f0425abb455e94a2de8cc51310bd6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 May 2025 12:27:47 +0800
+Subject: bpf: Fix WARN() in get_bpf_raw_tp_regs
+
+From: Tao Chen <chen.dylane@linux.dev>
+
+[ Upstream commit 3880cdbed1c4607e378f58fa924c5d6df900d1d3 ]
+
+syzkaller reported an issue:
+
+WARNING: CPU: 3 PID: 5971 at kernel/trace/bpf_trace.c:1861 get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861
+Modules linked in:
+CPU: 3 UID: 0 PID: 5971 Comm: syz-executor205 Not tainted 6.15.0-rc5-syzkaller-00038-g707df3375124 #0 PREEMPT(full)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+RIP: 0010:get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861
+RSP: 0018:ffffc90003636fa8 EFLAGS: 00010293
+RAX: 0000000000000000 RBX: 0000000000000003 RCX: ffffffff81c6bc4c
+RDX: ffff888032efc880 RSI: ffffffff81c6bc83 RDI: 0000000000000005
+RBP: ffff88806a730860 R08: 0000000000000005 R09: 0000000000000003
+R10: 0000000000000004 R11: 0000000000000000 R12: 0000000000000004
+R13: 0000000000000001 R14: ffffc90003637008 R15: 0000000000000900
+FS: 0000000000000000(0000) GS:ffff8880d6cdf000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f7baee09130 CR3: 0000000029f5a000 CR4: 0000000000352ef0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1934 [inline]
+ bpf_get_stack_raw_tp+0x24/0x160 kernel/trace/bpf_trace.c:1931
+ bpf_prog_ec3b2eefa702d8d3+0x43/0x47
+ bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline]
+ __bpf_prog_run include/linux/filter.h:718 [inline]
+ bpf_prog_run include/linux/filter.h:725 [inline]
+ __bpf_trace_run kernel/trace/bpf_trace.c:2363 [inline]
+ bpf_trace_run3+0x23f/0x5a0 kernel/trace/bpf_trace.c:2405
+ __bpf_trace_mmap_lock_acquire_returned+0xfc/0x140 include/trace/events/mmap_lock.h:47
+ __traceiter_mmap_lock_acquire_returned+0x79/0xc0 include/trace/events/mmap_lock.h:47
+ __do_trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline]
+ trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline]
+ __mmap_lock_do_trace_acquire_returned+0x138/0x1f0 mm/mmap_lock.c:35
+ __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline]
+ mmap_read_trylock include/linux/mmap_lock.h:204 [inline]
+ stack_map_get_build_id_offset+0x535/0x6f0 kernel/bpf/stackmap.c:157
+ __bpf_get_stack+0x307/0xa10 kernel/bpf/stackmap.c:483
+ ____bpf_get_stack kernel/bpf/stackmap.c:499 [inline]
+ bpf_get_stack+0x32/0x40 kernel/bpf/stackmap.c:496
+ ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1941 [inline]
+ bpf_get_stack_raw_tp+0x124/0x160 kernel/trace/bpf_trace.c:1931
+ bpf_prog_ec3b2eefa702d8d3+0x43/0x47
+
+Tracepoint like trace_mmap_lock_acquire_returned may cause nested call
+as the corner case show above, which will be resolved with more general
+method in the future. As a result, WARN_ON_ONCE will be triggered. As
+Alexei suggested, remove the WARN_ON_ONCE first.
+
+Fixes: 9594dc3c7e71 ("bpf: fix nested bpf tracepoints with per-cpu data")
+Reported-by: syzbot+45b0c89a0fc7ae8dbadc@syzkaller.appspotmail.com
+Suggested-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Tao Chen <chen.dylane@linux.dev>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20250513042747.757042-1-chen.dylane@linux.dev
+
+Closes: https://lore.kernel.org/bpf/8bc2554d-1052-4922-8832-e0078a033e1d@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/bpf_trace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
+index dba736defdfec..e08928f4a862f 100644
+--- a/kernel/trace/bpf_trace.c
++++ b/kernel/trace/bpf_trace.c
+@@ -1408,7 +1408,7 @@ static struct pt_regs *get_bpf_raw_tp_regs(void)
+ struct bpf_raw_tp_regs *tp_regs = this_cpu_ptr(&bpf_raw_tp_regs);
+ int nest_level = this_cpu_inc_return(bpf_raw_tp_nest_level);
+
+- if (WARN_ON_ONCE(nest_level > ARRAY_SIZE(tp_regs->regs))) {
++ if (nest_level > ARRAY_SIZE(tp_regs->regs)) {
+ this_cpu_dec(bpf_raw_tp_nest_level);
+ return ERR_PTR(-EBUSY);
+ }
+--
+2.39.5
+
--- /dev/null
+From 5d207427c56f48552df5ec5e11bf5b930f8c5cba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 May 2025 22:17:12 +0800
+Subject: bpf, sockmap: Avoid using sk_socket after free when sending
+
+From: Jiayuan Chen <jiayuan.chen@linux.dev>
+
+[ Upstream commit 8259eb0e06d8f64c700f5fbdb28a5c18e10de291 ]
+
+The sk->sk_socket is not locked or referenced in backlog thread, and
+during the call to skb_send_sock(), there is a race condition with
+the release of sk_socket. All types of sockets(tcp/udp/unix/vsock)
+will be affected.
+
+Race conditions:
+'''
+CPU0 CPU1
+
+backlog::skb_send_sock
+ sendmsg_unlocked
+ sock_sendmsg
+ sock_sendmsg_nosec
+ close(fd):
+ ...
+ ops->release() -> sock_map_close()
+ sk_socket->ops = NULL
+ free(socket)
+ sock->ops->sendmsg
+ ^
+ panic here
+'''
+
+The ref of psock become 0 after sock_map_close() executed.
+'''
+void sock_map_close()
+{
+ ...
+ if (likely(psock)) {
+ ...
+ // !! here we remove psock and the ref of psock become 0
+ sock_map_remove_links(sk, psock)
+ psock = sk_psock_get(sk);
+ if (unlikely(!psock))
+ goto no_psock; <=== Control jumps here via goto
+ ...
+ cancel_delayed_work_sync(&psock->work); <=== not executed
+ sk_psock_put(sk, psock);
+ ...
+}
+'''
+
+Based on the fact that we already wait for the workqueue to finish in
+sock_map_close() if psock is held, we simply increase the psock
+reference count to avoid race conditions.
+
+With this patch, if the backlog thread is running, sock_map_close() will
+wait for the backlog thread to complete and cancel all pending work.
+
+If no backlog running, any pending work that hasn't started by then will
+fail when invoked by sk_psock_get(), as the psock reference count have
+been zeroed, and sk_psock_drop() will cancel all jobs via
+cancel_delayed_work_sync().
+
+In summary, we require synchronization to coordinate the backlog thread
+and close() thread.
+
+The panic I catched:
+'''
+Workqueue: events sk_psock_backlog
+RIP: 0010:sock_sendmsg+0x21d/0x440
+RAX: 0000000000000000 RBX: ffffc9000521fad8 RCX: 0000000000000001
+...
+Call Trace:
+ <TASK>
+ ? die_addr+0x40/0xa0
+ ? exc_general_protection+0x14c/0x230
+ ? asm_exc_general_protection+0x26/0x30
+ ? sock_sendmsg+0x21d/0x440
+ ? sock_sendmsg+0x3e0/0x440
+ ? __pfx_sock_sendmsg+0x10/0x10
+ __skb_send_sock+0x543/0xb70
+ sk_psock_backlog+0x247/0xb80
+...
+'''
+
+Fixes: 4b4647add7d3 ("sock_map: avoid race between sock_map_close and sk_psock_put")
+Reported-by: Michal Luczaj <mhal@rbox.co>
+Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Reviewed-by: John Fastabend <john.fastabend@gmail.com>
+Link: https://lore.kernel.org/r/20250516141713.291150-1-jiayuan.chen@linux.dev
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/skmsg.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/net/core/skmsg.c b/net/core/skmsg.c
+index f4186d4980b92..8a0a23079d902 100644
+--- a/net/core/skmsg.c
++++ b/net/core/skmsg.c
+@@ -638,6 +638,13 @@ static void sk_psock_backlog(struct work_struct *work)
+ bool ingress;
+ int ret;
+
++ /* Increment the psock refcnt to synchronize with close(fd) path in
++ * sock_map_close(), ensuring we wait for backlog thread completion
++ * before sk_socket freed. If refcnt increment fails, it indicates
++ * sock_map_close() completed with sk_socket potentially already freed.
++ */
++ if (!sk_psock_get(psock->sk))
++ return;
+ mutex_lock(&psock->work_mutex);
+ while ((skb = skb_peek(&psock->ingress_skb))) {
+ len = skb->len;
+@@ -691,6 +698,7 @@ static void sk_psock_backlog(struct work_struct *work)
+ }
+ end:
+ mutex_unlock(&psock->work_mutex);
++ sk_psock_put(psock->sk, psock);
+ }
+
+ struct sk_psock *sk_psock_init(struct sock *sk, int node)
+--
+2.39.5
+
--- /dev/null
+From e1f649d69fbd5941accd2bdd22bea31731eb7ab8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Apr 2025 22:21:21 +0800
+Subject: bpf, sockmap: fix duplicated data transmission
+
+From: Jiayuan Chen <jiayuan.chen@linux.dev>
+
+[ Upstream commit 3b4f14b794287be137ea2c6158765d1ea1e018a4 ]
+
+In the !ingress path under sk_psock_handle_skb(), when sending data to the
+remote under snd_buf limitations, partial skb data might be transmitted.
+
+Although we preserved the partial transmission state (offset/length), the
+state wasn't properly consumed during retries. This caused the retry path
+to resend the entire skb data instead of continuing from the previous
+offset, resulting in data overlap at the receiver side.
+
+Fixes: 405df89dd52c ("bpf, sockmap: Improved check for empty queue")
+Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
+Link: https://lore.kernel.org/r/20250407142234.47591-3-jiayuan.chen@linux.dev
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/skmsg.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/net/core/skmsg.c b/net/core/skmsg.c
+index a5947aa559837..f4186d4980b92 100644
+--- a/net/core/skmsg.c
++++ b/net/core/skmsg.c
+@@ -639,11 +639,6 @@ static void sk_psock_backlog(struct work_struct *work)
+ int ret;
+
+ mutex_lock(&psock->work_mutex);
+- if (unlikely(state->len)) {
+- len = state->len;
+- off = state->off;
+- }
+-
+ while ((skb = skb_peek(&psock->ingress_skb))) {
+ len = skb->len;
+ off = 0;
+@@ -653,6 +648,13 @@ static void sk_psock_backlog(struct work_struct *work)
+ off = stm->offset;
+ len = stm->full_len;
+ }
++
++ /* Resume processing from previous partial state */
++ if (unlikely(state->len)) {
++ len = state->len;
++ off = state->off;
++ }
++
+ ingress = skb_bpf_ingress(skb);
+ skb_bpf_redirect_clear(skb);
+ do {
+@@ -680,6 +682,8 @@ static void sk_psock_backlog(struct work_struct *work)
+ len -= ret;
+ } while (len);
+
++ /* The entire skb sent, clear state */
++ sk_psock_skb_state(psock, state, 0, 0);
+ skb = skb_dequeue(&psock->ingress_skb);
+ if (!ingress) {
+ kfree_skb(skb);
+--
+2.39.5
+
--- /dev/null
+From 46b3666b486264c77a3e9a27b5f4342aa403355d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Apr 2025 13:58:09 +0300
+Subject: bus: fsl-mc: fix double-free on mc_dev
+
+From: Ioana Ciornei <ioana.ciornei@nxp.com>
+
+[ Upstream commit d694bf8a9acdbd061596f3e7549bc8cb70750a60 ]
+
+The blamed commit tried to simplify how the deallocations are done but,
+in the process, introduced a double-free on the mc_dev variable.
+
+In case the MC device is a DPRC, a new mc_bus is allocated and the
+mc_dev variable is just a reference to one of its fields. In this
+circumstance, on the error path only the mc_bus should be freed.
+
+This commit introduces back the following checkpatch warning which is a
+false-positive.
+
+WARNING: kfree(NULL) is safe and this check is probably not required
++ if (mc_bus)
++ kfree(mc_bus);
+
+Fixes: a042fbed0290 ("staging: fsl-mc: simplify couple of deallocations")
+Signed-off-by: Ioana Ciornei <ioana.ciornei@nxp.com>
+Link: https://lore.kernel.org/r/20250408105814.2837951-2-ioana.ciornei@nxp.com
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bus/fsl-mc/fsl-mc-bus.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/bus/fsl-mc/fsl-mc-bus.c b/drivers/bus/fsl-mc/fsl-mc-bus.c
+index 74593a1722fe0..108ff5658e26c 100644
+--- a/drivers/bus/fsl-mc/fsl-mc-bus.c
++++ b/drivers/bus/fsl-mc/fsl-mc-bus.c
+@@ -907,8 +907,10 @@ int fsl_mc_device_add(struct fsl_mc_obj_desc *obj_desc,
+
+ error_cleanup_dev:
+ kfree(mc_dev->regions);
+- kfree(mc_bus);
+- kfree(mc_dev);
++ if (mc_bus)
++ kfree(mc_bus);
++ else
++ kfree(mc_dev);
+
+ return error;
+ }
+--
+2.39.5
+
--- /dev/null
+From ceea482be862c621dcd15c86615c99870fed6b6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 May 2025 15:18:56 -0700
+Subject: calipso: Don't call calipso functions for AF_INET sk.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 6e9f2df1c550ead7cecb3e450af1105735020c92 ]
+
+syzkaller reported a null-ptr-deref in txopt_get(). [0]
+
+The offset 0x70 was of struct ipv6_txoptions in struct ipv6_pinfo,
+so struct ipv6_pinfo was NULL there.
+
+However, this never happens for IPv6 sockets as inet_sk(sk)->pinet6
+is always set in inet6_create(), meaning the socket was not IPv6 one.
+
+The root cause is missing validation in netlbl_conn_setattr().
+
+netlbl_conn_setattr() switches branches based on struct
+sockaddr.sa_family, which is passed from userspace. However,
+netlbl_conn_setattr() does not check if the address family matches
+the socket.
+
+The syzkaller must have called connect() for an IPv6 address on
+an IPv4 socket.
+
+We have a proper validation in tcp_v[46]_connect(), but
+security_socket_connect() is called in the earlier stage.
+
+Let's copy the validation to netlbl_conn_setattr().
+
+[0]:
+Oops: general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN NOPTI
+KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
+CPU: 2 UID: 0 PID: 12928 Comm: syz.9.1677 Not tainted 6.12.0 #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
+RIP: 0010:txopt_get include/net/ipv6.h:390 [inline]
+RIP: 0010:
+Code: 02 00 00 49 8b ac 24 f8 02 00 00 e8 84 69 2a fd e8 ff 00 16 fd 48 8d 7d 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 53 02 00 00 48 8b 6d 70 48 85 ed 0f 84 ab 01 00
+RSP: 0018:ffff88811b8afc48 EFLAGS: 00010212
+RAX: dffffc0000000000 RBX: 1ffff11023715f8a RCX: ffffffff841ab00c
+RDX: 000000000000000e RSI: ffffc90007d9e000 RDI: 0000000000000070
+RBP: 0000000000000000 R08: ffffed1023715f9d R09: ffffed1023715f9e
+R10: ffffed1023715f9d R11: 0000000000000003 R12: ffff888123075f00
+R13: ffff88810245bd80 R14: ffff888113646780 R15: ffff888100578a80
+FS: 00007f9019bd7640(0000) GS:ffff8882d2d00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f901b927bac CR3: 0000000104788003 CR4: 0000000000770ef0
+PKRU: 80000000
+Call Trace:
+ <TASK>
+ calipso_sock_setattr+0x56/0x80 net/netlabel/netlabel_calipso.c:557
+ netlbl_conn_setattr+0x10c/0x280 net/netlabel/netlabel_kapi.c:1177
+ selinux_netlbl_socket_connect_helper+0xd3/0x1b0 security/selinux/netlabel.c:569
+ selinux_netlbl_socket_connect_locked security/selinux/netlabel.c:597 [inline]
+ selinux_netlbl_socket_connect+0xb6/0x100 security/selinux/netlabel.c:615
+ selinux_socket_connect+0x5f/0x80 security/selinux/hooks.c:4931
+ security_socket_connect+0x50/0xa0 security/security.c:4598
+ __sys_connect_file+0xa4/0x190 net/socket.c:2067
+ __sys_connect+0x12c/0x170 net/socket.c:2088
+ __do_sys_connect net/socket.c:2098 [inline]
+ __se_sys_connect net/socket.c:2095 [inline]
+ __x64_sys_connect+0x73/0xb0 net/socket.c:2095
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xaa/0x1b0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f901b61a12d
+Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f9019bd6fa8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
+RAX: ffffffffffffffda RBX: 00007f901b925fa0 RCX: 00007f901b61a12d
+RDX: 000000000000001c RSI: 0000200000000140 RDI: 0000000000000003
+RBP: 00007f901b701505 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 0000000000000000 R14: 00007f901b5b62a0 R15: 00007f9019bb7000
+ </TASK>
+Modules linked in:
+
+Fixes: ceba1832b1b2 ("calipso: Set the calipso socket label to match the secattr.")
+Reported-by: syzkaller <syzkaller@googlegroups.com>
+Reported-by: John Cheung <john.cs.hey@gmail.com>
+Closes: https://lore.kernel.org/netdev/CAP=Rh=M1LzunrcQB1fSGauMrJrhL6GGps5cPAKzHJXj6GQV+-g@mail.gmail.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Acked-by: Paul Moore <paul@paul-moore.com>
+Link: https://patch.msgid.link/20250522221858.91240-1-kuniyu@amazon.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netlabel/netlabel_kapi.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
+index 27511c90a26f4..75b645c1928db 100644
+--- a/net/netlabel/netlabel_kapi.c
++++ b/net/netlabel/netlabel_kapi.c
+@@ -1140,6 +1140,9 @@ int netlbl_conn_setattr(struct sock *sk,
+ break;
+ #if IS_ENABLED(CONFIG_IPV6)
+ case AF_INET6:
++ if (sk->sk_family != AF_INET6)
++ return -EAFNOSUPPORT;
++
+ addr6 = (struct sockaddr_in6 *)addr;
+ entry = netlbl_domhsh_getentry_af6(secattr->domain,
+ &addr6->sin6_addr);
+--
+2.39.5
+
--- /dev/null
+From b68894a00a2b87aa8ac42e36ab2b61fef8ac6453 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Apr 2025 10:05:13 +0800
+Subject: clk: bcm: rpi: Add NULL check in raspberrypi_clk_register()
+
+From: Henry Martin <bsdhenrymartin@gmail.com>
+
+[ Upstream commit 73c46d9a93d071ca69858dea3f569111b03e549e ]
+
+devm_kasprintf() returns NULL when memory allocation fails. Currently,
+raspberrypi_clk_register() does not check for this case, which results
+in a NULL pointer dereference.
+
+Add NULL check after devm_kasprintf() to prevent this issue.
+
+Fixes: 93d2725affd6 ("clk: bcm: rpi: Discover the firmware clocks")
+Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
+Reviewed-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
+Link: https://lore.kernel.org/r/20250402020513.42628-1-bsdhenrymartin@gmail.com
+Reviewed-by: Stefan Wahren <wahrenst@gmx.net>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/bcm/clk-raspberrypi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/clk/bcm/clk-raspberrypi.c b/drivers/clk/bcm/clk-raspberrypi.c
+index 56c5166f841ae..280fd7a5ac75d 100644
+--- a/drivers/clk/bcm/clk-raspberrypi.c
++++ b/drivers/clk/bcm/clk-raspberrypi.c
+@@ -199,6 +199,8 @@ static struct clk_hw *raspberrypi_clk_register(struct raspberrypi_clk *rpi,
+ init.name = devm_kasprintf(rpi->dev, GFP_KERNEL,
+ "fw-clk-%s",
+ rpi_firmware_clk_names[id]);
++ if (!init.name)
++ return ERR_PTR(-ENOMEM);
+ init.ops = &raspberrypi_firmware_clk_ops;
+ init.flags = CLK_GET_RATE_NOCACHE;
+
+--
+2.39.5
+
--- /dev/null
+From 4f0979b3d1bb9b55426cba7d91ccfc917a5ad71b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Apr 2025 18:45:12 +0200
+Subject: clk: qcom: gcc-msm8939: Fix mclk0 & mclk1 for 24 MHz
+
+From: Vincent Knecht <vincent.knecht@mailoo.org>
+
+[ Upstream commit 9e7acf70cf6aa7b22f67d911f50a8cd510e8fb00 ]
+
+Fix mclk0 & mclk1 parent map to use correct GPLL6 configuration and
+freq_tbl to use GPLL6 instead of GPLL0 so that they tick at 24 MHz.
+
+Fixes: 1664014e4679 ("clk: qcom: gcc-msm8939: Add MSM8939 Generic Clock Controller")
+Suggested-by: Stephan Gerhold <stephan@gerhold.net>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Vincent Knecht <vincent.knecht@mailoo.org>
+Link: https://lore.kernel.org/r/20250414-gcc-msm8939-fixes-mclk-v2-resend2-v2-1-5ddcf572a6de@mailoo.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/gcc-msm8939.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/qcom/gcc-msm8939.c b/drivers/clk/qcom/gcc-msm8939.c
+index de0022e5450de..81db8877acc2c 100644
+--- a/drivers/clk/qcom/gcc-msm8939.c
++++ b/drivers/clk/qcom/gcc-msm8939.c
+@@ -433,7 +433,7 @@ static const struct parent_map gcc_xo_gpll0_gpll1a_gpll6_sleep_map[] = {
+ { P_XO, 0 },
+ { P_GPLL0, 1 },
+ { P_GPLL1_AUX, 2 },
+- { P_GPLL6, 2 },
++ { P_GPLL6, 3 },
+ { P_SLEEP_CLK, 6 },
+ };
+
+@@ -1087,7 +1087,7 @@ static struct clk_rcg2 jpeg0_clk_src = {
+ };
+
+ static const struct freq_tbl ftbl_gcc_camss_mclk0_1_clk[] = {
+- F(24000000, P_GPLL0, 1, 1, 45),
++ F(24000000, P_GPLL6, 1, 1, 45),
+ F(66670000, P_GPLL0, 12, 0, 0),
+ { }
+ };
+--
+2.39.5
+
--- /dev/null
+From ef48d42a250979e7c1c6ba0420bd20cab9c3077b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Apr 2025 14:12:57 +0200
+Subject: clk: qcom: gcc-sm6350: Add *_wait_val values for GDSCs
+
+From: Luca Weiss <luca.weiss@fairphone.com>
+
+[ Upstream commit afdfd829a99e467869e3ca1955fb6c6e337c340a ]
+
+Compared to the msm-4.19 driver the mainline GDSC driver always sets the
+bits for en_rest, en_few & clk_dis, and if those values are not set
+per-GDSC in the respective driver then the default value from the GDSC
+driver is used. The downstream driver only conditionally sets
+clk_dis_wait_val if qcom,clk-dis-wait-val is given in devicetree.
+
+Correct this situation by explicitly setting those values. For all GDSCs
+the reset value of those bits are used.
+
+Fixes: 131abae905df ("clk: qcom: Add SM6350 GCC driver")
+Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
+Reviewed-by: Taniya Das <quic_tdas@quicinc.com>
+Link: https://lore.kernel.org/r/20250425-sm6350-gdsc-val-v1-3-1f252d9c5e4e@fairphone.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/gcc-sm6350.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/clk/qcom/gcc-sm6350.c b/drivers/clk/qcom/gcc-sm6350.c
+index 0860c6178b4d3..e31a25084b0a3 100644
+--- a/drivers/clk/qcom/gcc-sm6350.c
++++ b/drivers/clk/qcom/gcc-sm6350.c
+@@ -2319,6 +2319,9 @@ static struct clk_branch gcc_video_xo_clk = {
+
+ static struct gdsc usb30_prim_gdsc = {
+ .gdscr = 0x1a004,
++ .en_rest_wait_val = 0x2,
++ .en_few_wait_val = 0x2,
++ .clk_dis_wait_val = 0xf,
+ .pd = {
+ .name = "usb30_prim_gdsc",
+ },
+@@ -2327,6 +2330,9 @@ static struct gdsc usb30_prim_gdsc = {
+
+ static struct gdsc ufs_phy_gdsc = {
+ .gdscr = 0x3a004,
++ .en_rest_wait_val = 0x2,
++ .en_few_wait_val = 0x2,
++ .clk_dis_wait_val = 0xf,
+ .pd = {
+ .name = "ufs_phy_gdsc",
+ },
+--
+2.39.5
+
--- /dev/null
+From 213e1ab15765f0aa7e8e7b246755920a2493ca9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 May 2025 16:28:08 +0800
+Subject: crypto: lrw - Only add ecb if it is not already there
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 3d73909bddc2ebb3224a8bc2e5ce00e9df70c15d ]
+
+Only add ecb to the cipher name if it isn't already ecb.
+
+Also use memcmp instead of strncmp since these strings are all
+stored in an array of length CRYPTO_MAX_ALG_NAME.
+
+Fixes: 700cb3f5fe75 ("crypto: lrw - Convert to skcipher")
+Reported-by: kernel test robot <oliver.sang@intel.com>
+Closes: https://lore.kernel.org/oe-lkp/202505151503.d8a6cf10-lkp@intel.com
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/lrw.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/lrw.c b/crypto/lrw.c
+index 80d9076e42e0b..7adc105c12f71 100644
+--- a/crypto/lrw.c
++++ b/crypto/lrw.c
+@@ -322,7 +322,7 @@ static int lrw_create(struct crypto_template *tmpl, struct rtattr **tb)
+
+ err = crypto_grab_skcipher(spawn, skcipher_crypto_instance(inst),
+ cipher_name, 0, mask);
+- if (err == -ENOENT) {
++ if (err == -ENOENT && memcmp(cipher_name, "ecb(", 4)) {
+ err = -ENAMETOOLONG;
+ if (snprintf(ecb_name, CRYPTO_MAX_ALG_NAME, "ecb(%s)",
+ cipher_name) >= CRYPTO_MAX_ALG_NAME)
+@@ -356,7 +356,7 @@ static int lrw_create(struct crypto_template *tmpl, struct rtattr **tb)
+ /* Alas we screwed up the naming so we have to mangle the
+ * cipher name.
+ */
+- if (!strncmp(cipher_name, "ecb(", 4)) {
++ if (!memcmp(cipher_name, "ecb(", 4)) {
+ int len;
+
+ len = strscpy(ecb_name, cipher_name + 4, sizeof(ecb_name));
+--
+2.39.5
+
--- /dev/null
+From 8c53019dde52ac1516db0e703078fe82333cc8b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 May 2025 18:43:33 +0800
+Subject: crypto: marvell/cesa - Avoid empty transfer descriptor
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 1bafd82d9a40cf09c6c40f1c09cc35b7050b1a9f ]
+
+The user may set req->src even if req->nbytes == 0. If there
+is no data to hash from req->src, do not generate an empty TDMA
+descriptor.
+
+Fixes: db509a45339f ("crypto: marvell/cesa - add TDMA support")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/marvell/cesa/hash.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/marvell/cesa/hash.c b/drivers/crypto/marvell/cesa/hash.c
+index 84c1065092796..72b0f863dee07 100644
+--- a/drivers/crypto/marvell/cesa/hash.c
++++ b/drivers/crypto/marvell/cesa/hash.c
+@@ -663,7 +663,7 @@ static int mv_cesa_ahash_dma_req_init(struct ahash_request *req)
+ if (ret)
+ goto err_free_tdma;
+
+- if (iter.src.sg) {
++ if (iter.base.len > iter.src.op_offset) {
+ /*
+ * Add all the new data, inserting an operation block and
+ * launch command between each full SRAM block-worth of
+--
+2.39.5
+
--- /dev/null
+From 1db3311b95d5992093bd16a210bedeca85bea326 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 May 2025 18:41:31 +0800
+Subject: crypto: marvell/cesa - Handle zero-length skcipher requests
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 8a4e047c6cc07676f637608a9dd675349b5de0a7 ]
+
+Do not access random memory for zero-length skcipher requests.
+Just return 0.
+
+Fixes: f63601fd616a ("crypto: marvell/cesa - add a new driver for Marvell's CESA")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/marvell/cesa/cipher.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/crypto/marvell/cesa/cipher.c b/drivers/crypto/marvell/cesa/cipher.c
+index 0f37dfd42d850..3876e3ce822f4 100644
+--- a/drivers/crypto/marvell/cesa/cipher.c
++++ b/drivers/crypto/marvell/cesa/cipher.c
+@@ -459,6 +459,9 @@ static int mv_cesa_skcipher_queue_req(struct skcipher_request *req,
+ struct mv_cesa_skcipher_req *creq = skcipher_request_ctx(req);
+ struct mv_cesa_engine *engine;
+
++ if (!req->cryptlen)
++ return 0;
++
+ ret = mv_cesa_skcipher_req_init(req, tmpl);
+ if (ret)
+ return ret;
+--
+2.39.5
+
--- /dev/null
+From e0c89cfbe20117027f3c1bab6511a50edb6050cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 May 2025 15:06:56 +0300
+Subject: crypto: sun8i-ce - move fallback ahash_request to the end of the
+ struct
+
+From: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
+
+[ Upstream commit c822831b426307a6ca426621504d3c7f99765a39 ]
+
+'struct ahash_request' has a flexible array at the end, so it must be the
+last member in a struct, to avoid overwriting other struct members.
+
+Therefore, move 'fallback_req' to the end of the 'sun8i_ce_hash_reqctx'
+struct.
+
+Fixes: 56f6d5aee88d ("crypto: sun8i-ce - support hash algorithms")
+Signed-off-by: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h
+index cec781d5063c1..d87d482cf73ba 100644
+--- a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h
++++ b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h
+@@ -296,8 +296,8 @@ struct sun8i_ce_hash_tfm_ctx {
+ * @flow: the flow to use for this request
+ */
+ struct sun8i_ce_hash_reqctx {
+- struct ahash_request fallback_req;
+ int flow;
++ struct ahash_request fallback_req; // keep at the end
+ };
+
+ /*
+--
+2.39.5
+
--- /dev/null
+From 5bb9e833538f846cd1d6c62a2247c71d694510d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 27 Apr 2025 13:12:36 +0200
+Subject: crypto: sun8i-ss - do not use sg_dma_len before calling DMA functions
+
+From: Corentin Labbe <clabbe.montjoie@gmail.com>
+
+[ Upstream commit 2dfc7cd74a5e062a5405560447517e7aab1c7341 ]
+
+When testing sun8i-ss with multi_v7_defconfig, all CBC algorithm fail crypto
+selftests.
+This is strange since on sunxi_defconfig, everything was ok.
+The problem was in the IV setup loop which never run because sg_dma_len
+was 0.
+
+Fixes: 359e893e8af4 ("crypto: sun8i-ss - rework handling of IV")
+Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c b/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c
+index 0cc8cafdde27c..3bf56ac1132fd 100644
+--- a/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c
++++ b/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c
+@@ -117,7 +117,7 @@ static int sun8i_ss_setup_ivs(struct skcipher_request *areq)
+
+ /* we need to copy all IVs from source in case DMA is bi-directionnal */
+ while (sg && len) {
+- if (sg_dma_len(sg) == 0) {
++ if (sg->length == 0) {
+ sg = sg_next(sg);
+ continue;
+ }
+--
+2.39.5
+
--- /dev/null
+From c10b26c78c92d5bfe6f6cc632e5dde4f6d150dbc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 May 2025 16:34:04 +0800
+Subject: crypto: xts - Only add ecb if it is not already there
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 270b6f13454cb7f2f7058c50df64df409c5dcf55 ]
+
+Only add ecb to the cipher name if it isn't already ecb.
+
+Also use memcmp instead of strncmp since these strings are all
+stored in an array of length CRYPTO_MAX_ALG_NAME.
+
+Fixes: f1c131b45410 ("crypto: xts - Convert to skcipher")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/xts.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/xts.c b/crypto/xts.c
+index b05020657cdc8..1972f40333f04 100644
+--- a/crypto/xts.c
++++ b/crypto/xts.c
+@@ -361,7 +361,7 @@ static int xts_create(struct crypto_template *tmpl, struct rtattr **tb)
+
+ err = crypto_grab_skcipher(&ctx->spawn, skcipher_crypto_instance(inst),
+ cipher_name, 0, mask);
+- if (err == -ENOENT) {
++ if (err == -ENOENT && memcmp(cipher_name, "ecb(", 4)) {
+ err = -ENAMETOOLONG;
+ if (snprintf(ctx->name, CRYPTO_MAX_ALG_NAME, "ecb(%s)",
+ cipher_name) >= CRYPTO_MAX_ALG_NAME)
+@@ -395,7 +395,7 @@ static int xts_create(struct crypto_template *tmpl, struct rtattr **tb)
+ /* Alas we screwed up the naming so we have to mangle the
+ * cipher name.
+ */
+- if (!strncmp(cipher_name, "ecb(", 4)) {
++ if (!memcmp(cipher_name, "ecb(", 4)) {
+ int len;
+
+ len = strscpy(ctx->name, cipher_name + 4, sizeof(ctx->name));
+--
+2.39.5
+
--- /dev/null
+From 378d12469b7ddd279728fd85c634a102c1d70d09 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Apr 2025 10:39:00 +0800
+Subject: dmaengine: ti: Add NULL check in udma_probe()
+
+From: Henry Martin <bsdhenrymartin@gmail.com>
+
+[ Upstream commit fd447415e74bccd7362f760d4ea727f8e1ebfe91 ]
+
+devm_kasprintf() returns NULL when memory allocation fails. Currently,
+udma_probe() does not check for this case, which results in a NULL
+pointer dereference.
+
+Add NULL check after devm_kasprintf() to prevent this issue.
+
+Fixes: 25dcb5dd7b7c ("dmaengine: ti: New driver for K3 UDMA")
+Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
+Reviewed-by: Nathan Lynch <nathan.lynch@amd.com>
+Acked-by: Peter Ujfalusi <peter.ujfalusi@gmail.com>
+Link: https://lore.kernel.org/r/20250402023900.43440-1-bsdhenrymartin@gmail.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/ti/k3-udma.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/dma/ti/k3-udma.c b/drivers/dma/ti/k3-udma.c
+index 1ca552a324778..ce5875a00f28d 100644
+--- a/drivers/dma/ti/k3-udma.c
++++ b/drivers/dma/ti/k3-udma.c
+@@ -5425,7 +5425,8 @@ static int udma_probe(struct platform_device *pdev)
+ uc->config.dir = DMA_MEM_TO_MEM;
+ uc->name = devm_kasprintf(dev, GFP_KERNEL, "%s chan%d",
+ dev_name(dev), i);
+-
++ if (!uc->name)
++ return -ENOMEM;
+ vchan_init(&uc->vc, &ud->ddev);
+ /* Use custom vchan completion handling */
+ tasklet_setup(&uc->vc.task, udma_vchan_complete);
+--
+2.39.5
+
--- /dev/null
+From c2a782b2ebb5a89b699bfdbe3e706499a445c9ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Jun 2025 12:27:08 -0400
+Subject: do_change_type(): refuse to operate on unmounted/not ours mounts
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit 12f147ddd6de7382dad54812e65f3f08d05809fc ]
+
+Ensure that propagation settings can only be changed for mounts located
+in the caller's mount namespace. This change aligns permission checking
+with the rest of mount(2).
+
+Reviewed-by: Christian Brauner <brauner@kernel.org>
+Fixes: 07b20889e305 ("beginning of the shared-subtree proper")
+Reported-by: "Orlando, Noah" <Noah.Orlando@deshaw.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/namespace.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/namespace.c b/fs/namespace.c
+index 76a1cf75457be..900738eab33ff 100644
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -2327,6 +2327,10 @@ static int do_change_type(struct path *path, int ms_flags)
+ return -EINVAL;
+
+ namespace_lock();
++ if (!check_mnt(mnt)) {
++ err = -EINVAL;
++ goto out_unlock;
++ }
+ if (type == MS_SHARED) {
+ err = invent_group_ids(mnt, recurse);
+ if (err)
+--
+2.39.5
+
--- /dev/null
+From cee46cf8cc340ba8d4abc1b85f4670c27d691916 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 May 2025 15:53:51 +0800
+Subject: driver: net: ethernet: mtk_star_emac: fix suspend/resume issue
+
+From: Yanqing Wang <ot_yanqing.wang@mediatek.com>
+
+[ Upstream commit ba99c627aac85bc746fb4a6e2d79edb3ad100326 ]
+
+Identify the cause of the suspend/resume hang: netif_carrier_off()
+is called during link state changes and becomes stuck while
+executing linkwatch_work().
+
+To resolve this issue, call netif_device_detach() during the Ethernet
+suspend process to temporarily detach the network device from the
+kernel and prevent the suspend/resume hang.
+
+Fixes: 8c7bd5a454ff ("net: ethernet: mtk-star-emac: new driver")
+Signed-off-by: Yanqing Wang <ot_yanqing.wang@mediatek.com>
+Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com>
+Signed-off-by: Biao Huang <biao.huang@mediatek.com>
+Link: https://patch.msgid.link/20250528075351.593068-1-macpaul.lin@mediatek.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mediatek/mtk_star_emac.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/mediatek/mtk_star_emac.c b/drivers/net/ethernet/mediatek/mtk_star_emac.c
+index 639cf1c27dbd4..e336730ba1257 100644
+--- a/drivers/net/ethernet/mediatek/mtk_star_emac.c
++++ b/drivers/net/ethernet/mediatek/mtk_star_emac.c
+@@ -1464,6 +1464,8 @@ static __maybe_unused int mtk_star_suspend(struct device *dev)
+ if (netif_running(ndev))
+ mtk_star_disable(ndev);
+
++ netif_device_detach(ndev);
++
+ clk_bulk_disable_unprepare(MTK_STAR_NCLKS, priv->clks);
+
+ return 0;
+@@ -1488,6 +1490,8 @@ static __maybe_unused int mtk_star_resume(struct device *dev)
+ clk_bulk_disable_unprepare(MTK_STAR_NCLKS, priv->clks);
+ }
+
++ netif_device_attach(ndev);
++
+ return ret;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From d72813efde7ac34c0c67ad3d779c52a004d6484b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Mar 2025 12:04:35 +0800
+Subject: drm/amd/pp: Fix potential NULL pointer dereference in
+ atomctrl_initialize_mc_reg_table
+
+From: Charles Han <hanchunchao@inspur.com>
+
+[ Upstream commit 820116a39f96bdc7d426c33a804b52f53700a919 ]
+
+The function atomctrl_initialize_mc_reg_table() and
+atomctrl_initialize_mc_reg_table_v2_2() does not check the return
+value of smu_atom_get_data_table(). If smu_atom_get_data_table()
+fails to retrieve vram_info, it returns NULL which is later
+dereferenced.
+
+Fixes: b3892e2bb519 ("drm/amd/pp: Use atombios api directly in powerplay (v2)")
+Fixes: 5f92b48cf62c ("drm/amd/pm: add mc register table initialization")
+Signed-off-by: Charles Han <hanchunchao@inspur.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c
+index 1fbd23922082a..7e37354a03411 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c
+@@ -144,6 +144,10 @@ int atomctrl_initialize_mc_reg_table(
+ vram_info = (ATOM_VRAM_INFO_HEADER_V2_1 *)
+ smu_atom_get_data_table(hwmgr->adev,
+ GetIndexIntoMasterTable(DATA, VRAM_Info), &size, &frev, &crev);
++ if (!vram_info) {
++ pr_err("Could not retrieve the VramInfo table!");
++ return -EINVAL;
++ }
+
+ if (module_index >= vram_info->ucNumOfVRAMModule) {
+ pr_err("Invalid VramInfo table.");
+@@ -181,6 +185,10 @@ int atomctrl_initialize_mc_reg_table_v2_2(
+ vram_info = (ATOM_VRAM_INFO_HEADER_V2_2 *)
+ smu_atom_get_data_table(hwmgr->adev,
+ GetIndexIntoMasterTable(DATA, VRAM_Info), &size, &frev, &crev);
++ if (!vram_info) {
++ pr_err("Could not retrieve the VramInfo table!");
++ return -EINVAL;
++ }
+
+ if (module_index >= vram_info->ucNumOfVRAMModule) {
+ pr_err("Invalid VramInfo table.");
+--
+2.39.5
+
--- /dev/null
+From 97315278b31a3672da6ed0901f742ccc66f72d41 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Nov 2023 12:24:24 +0000
+Subject: drm: rcar-du: Fix memory leak in rcar_du_vsps_init()
+
+From: Biju Das <biju.das.jz@bp.renesas.com>
+
+[ Upstream commit 91e3bf09a90bb4340c0c3c51396e7531555efda4 ]
+
+The rcar_du_vsps_init() doesn't free the np allocated by
+of_parse_phandle_with_fixed_args() for the non-error case.
+
+Fix memory leak for the non-error case.
+
+While at it, replace the label 'error'->'done' as it applies to non-error
+case as well and update the error check condition for rcar_du_vsp_init()
+to avoid breakage in future, if it returns positive value.
+
+Fixes: 3e81374e2014 ("drm: rcar-du: Support multiple sources from the same VSP")
+Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Link: https://lore.kernel.org/r/20231116122424.80136-1-biju.das.jz@bp.renesas.com
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen+renesas@ideasonboard.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/rcar-du/rcar_du_kms.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/rcar-du/rcar_du_kms.c b/drivers/gpu/drm/rcar-du/rcar_du_kms.c
+index fdb8a0d127ad3..11dc0f44d2bd8 100644
+--- a/drivers/gpu/drm/rcar-du/rcar_du_kms.c
++++ b/drivers/gpu/drm/rcar-du/rcar_du_kms.c
+@@ -627,7 +627,7 @@ static int rcar_du_vsps_init(struct rcar_du_device *rcdu)
+ ret = of_parse_phandle_with_fixed_args(np, vsps_prop_name,
+ cells, i, &args);
+ if (ret < 0)
+- goto error;
++ goto done;
+
+ /*
+ * Add the VSP to the list or update the corresponding existing
+@@ -665,13 +665,11 @@ static int rcar_du_vsps_init(struct rcar_du_device *rcdu)
+ vsp->dev = rcdu;
+
+ ret = rcar_du_vsp_init(vsp, vsps[i].np, vsps[i].crtcs_mask);
+- if (ret < 0)
+- goto error;
++ if (ret)
++ goto done;
+ }
+
+- return 0;
+-
+-error:
++done:
+ for (i = 0; i < ARRAY_SIZE(vsps); ++i)
+ of_node_put(vsps[i].np);
+
+--
+2.39.5
+
--- /dev/null
+From 3303fbc75c2db95e09234555245b16a1e5a6f42d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Feb 2025 11:21:35 +0000
+Subject: drm/tegra: rgb: Fix the unbound reference count
+
+From: Biju Das <biju.das.jz@bp.renesas.com>
+
+[ Upstream commit 3c3642335065c3bde0742b0edc505b6ea8fdc2b3 ]
+
+The of_get_child_by_name() increments the refcount in tegra_dc_rgb_probe,
+but the driver does not decrement the refcount during unbind. Fix the
+unbound reference count using devm_add_action_or_reset() helper.
+
+Fixes: d8f4a9eda006 ("drm: Add NVIDIA Tegra20 support")
+Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Link: https://lore.kernel.org/r/20250205112137.36055-1-biju.das.jz@bp.renesas.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/tegra/rgb.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/tegra/rgb.c b/drivers/gpu/drm/tegra/rgb.c
+index 761cfd49c4876..fab24d77bb986 100644
+--- a/drivers/gpu/drm/tegra/rgb.c
++++ b/drivers/gpu/drm/tegra/rgb.c
+@@ -193,6 +193,11 @@ static const struct drm_encoder_helper_funcs tegra_rgb_encoder_helper_funcs = {
+ .atomic_check = tegra_rgb_encoder_atomic_check,
+ };
+
++static void tegra_dc_of_node_put(void *data)
++{
++ of_node_put(data);
++}
++
+ int tegra_dc_rgb_probe(struct tegra_dc *dc)
+ {
+ struct device_node *np;
+@@ -200,7 +205,14 @@ int tegra_dc_rgb_probe(struct tegra_dc *dc)
+ int err;
+
+ np = of_get_child_by_name(dc->dev->of_node, "rgb");
+- if (!np || !of_device_is_available(np))
++ if (!np)
++ return -ENODEV;
++
++ err = devm_add_action_or_reset(dc->dev, tegra_dc_of_node_put, np);
++ if (err < 0)
++ return err;
++
++ if (!of_device_is_available(np))
+ return -ENODEV;
+
+ rgb = devm_kzalloc(dc->dev, sizeof(*rgb), GFP_KERNEL);
+--
+2.39.5
+
--- /dev/null
+From d34bd9c6578327ca5659cae3cdbee3c8de60dfb1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Apr 2025 23:14:32 -0700
+Subject: drm/vkms: Adjust vkms_state->active_planes allocation type
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit 258aebf100540d36aba910f545d4d5ddf4ecaf0b ]
+
+In preparation for making the kmalloc family of allocators type aware,
+we need to make sure that the returned type from the allocation matches
+the type of the variable being assigned. (Before, the allocator would
+always return "void *", which can be implicitly cast to any pointer type.)
+
+The assigned type is "struct vkms_plane_state **", but the returned type
+will be "struct drm_plane **". These are the same size (pointer size), but
+the types don't match. Adjust the allocation type to match the assignment.
+
+Signed-off-by: Kees Cook <kees@kernel.org>
+Reviewed-by: Louis Chauvet <louis.chauvet@bootlin.com>
+Fixes: 8b1865873651 ("drm/vkms: totally reworked crc data tracking")
+Link: https://lore.kernel.org/r/20250426061431.work.304-kees@kernel.org
+Signed-off-by: Louis Chauvet <contact@louischauvet.fr>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vkms/vkms_crtc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/vkms/vkms_crtc.c b/drivers/gpu/drm/vkms/vkms_crtc.c
+index 57bbd32e9bebb..de8c2d5cc89c0 100644
+--- a/drivers/gpu/drm/vkms/vkms_crtc.c
++++ b/drivers/gpu/drm/vkms/vkms_crtc.c
+@@ -202,7 +202,7 @@ static int vkms_crtc_atomic_check(struct drm_crtc *crtc,
+ i++;
+ }
+
+- vkms_state->active_planes = kcalloc(i, sizeof(plane), GFP_KERNEL);
++ vkms_state->active_planes = kcalloc(i, sizeof(*vkms_state->active_planes), GFP_KERNEL);
+ if (!vkms_state->active_planes)
+ return -ENOMEM;
+ vkms_state->num_active_planes = i;
+--
+2.39.5
+
--- /dev/null
+From 457416bd809b30bbb22d71173521e8f1fe1c2638 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Feb 2025 14:06:33 -0600
+Subject: drm/vmwgfx: Add seqno waiter for sync_files
+
+From: Ian Forbes <ian.forbes@broadcom.com>
+
+[ Upstream commit 0039a3b35b10d9c15d3d26320532ab56cc566750 ]
+
+Because sync_files are passive waiters they do not participate in
+the processing of fences like the traditional vmw_fence_wait IOCTL.
+If userspace exclusively uses sync_files for synchronization then
+nothing in the kernel actually processes fence updates as interrupts
+for fences are masked and ignored if the kernel does not indicate to the
+SVGA device that there are active waiters.
+
+This oversight results in a bug where the entire GUI can freeze waiting
+on a sync_file that will never be signalled as we've masked the interrupts
+to signal its completion. This bug is incredibly racy as any process which
+interacts with the fencing code via the 3D stack can process the stuck
+fences on behalf of the stuck process causing it to run again. Even a
+simple app like eglinfo is enough to resume the stuck process. Usually
+this bug is seen at a login screen like GDM because there are no other
+3D apps running.
+
+By adding a seqno waiter we re-enable interrupt based processing of the
+dma_fences associated with the sync_file which is signalled as part of a
+dma_fence_callback.
+
+This has likely been broken since it was initially added to the kernel in
+2017 but has gone unnoticed until mutter recently started using sync_files
+heavily over the course of 2024 as part of their explicit sync support.
+
+Fixes: c906965dee22 ("drm/vmwgfx: Add export fence to file descriptor support")
+Signed-off-by: Ian Forbes <ian.forbes@broadcom.com>
+Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20250228200633.642417-1-ian.forbes@broadcom.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 26 +++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+index 21134c7f18382..d25d30078343b 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+@@ -4032,6 +4032,23 @@ static int vmw_execbuf_tie_context(struct vmw_private *dev_priv,
+ return 0;
+ }
+
++/*
++ * DMA fence callback to remove a seqno_waiter
++ */
++struct seqno_waiter_rm_context {
++ struct dma_fence_cb base;
++ struct vmw_private *dev_priv;
++};
++
++static void seqno_waiter_rm_cb(struct dma_fence *f, struct dma_fence_cb *cb)
++{
++ struct seqno_waiter_rm_context *ctx =
++ container_of(cb, struct seqno_waiter_rm_context, base);
++
++ vmw_seqno_waiter_remove(ctx->dev_priv);
++ kfree(ctx);
++}
++
+ int vmw_execbuf_process(struct drm_file *file_priv,
+ struct vmw_private *dev_priv,
+ void __user *user_commands, void *kernel_commands,
+@@ -4221,6 +4238,15 @@ int vmw_execbuf_process(struct drm_file *file_priv,
+ } else {
+ /* Link the fence with the FD created earlier */
+ fd_install(out_fence_fd, sync_file->file);
++ struct seqno_waiter_rm_context *ctx =
++ kmalloc(sizeof(*ctx), GFP_KERNEL);
++ ctx->dev_priv = dev_priv;
++ vmw_seqno_waiter_add(dev_priv);
++ if (dma_fence_add_callback(&fence->base, &ctx->base,
++ seqno_waiter_rm_cb) < 0) {
++ vmw_seqno_waiter_remove(dev_priv);
++ kfree(ctx);
++ }
+ }
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 995bd2c2fd9015879b4cdb5a2cc1cf902faca075 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Apr 2025 23:07:18 +0800
+Subject: EDAC/skx_common: Fix general protection fault
+
+From: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+
+[ Upstream commit 20d2d476b3ae18041be423671a8637ed5ffd6958 ]
+
+After loading i10nm_edac (which automatically loads skx_edac_common), if
+unload only i10nm_edac, then reload it and perform error injection testing,
+a general protection fault may occur:
+
+ mce: [Hardware Error]: Machine check events logged
+ Oops: general protection fault ...
+ ...
+ Workqueue: events mce_gen_pool_process
+ RIP: 0010:string+0x53/0xe0
+ ...
+ Call Trace:
+ <TASK>
+ ? die_addr+0x37/0x90
+ ? exc_general_protection+0x1e7/0x3f0
+ ? asm_exc_general_protection+0x26/0x30
+ ? string+0x53/0xe0
+ vsnprintf+0x23e/0x4c0
+ snprintf+0x4d/0x70
+ skx_adxl_decode+0x16a/0x330 [skx_edac_common]
+ skx_mce_check_error.part.0+0xf8/0x220 [skx_edac_common]
+ skx_mce_check_error+0x17/0x20 [skx_edac_common]
+ ...
+
+The issue arose was because the variable 'adxl_component_count' (inside
+skx_edac_common), which counts the ADXL components, was not reset. During
+the reloading of i10nm_edac, the count was incremented by the actual number
+of ADXL components again, resulting in a count that was double the real
+number of ADXL components. This led to an out-of-bounds reference to the
+ADXL component array, causing the general protection fault above.
+
+Fix this issue by resetting the 'adxl_component_count' in adxl_put(),
+which is called during the unloading of {skx,i10nm}_edac.
+
+Fixes: 123b15863550 ("EDAC, i10nm: make skx_common.o a separate module")
+Reported-by: Feng Xu <feng.f.xu@intel.com>
+Signed-off-by: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Tested-by: Feng Xu <feng.f.xu@intel.com>
+Link: https://lore.kernel.org/r/20250417150724.1170168-2-qiuxu.zhuo@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/skx_common.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/edac/skx_common.c b/drivers/edac/skx_common.c
+index 88c44d5359076..46eeaa142a610 100644
+--- a/drivers/edac/skx_common.c
++++ b/drivers/edac/skx_common.c
+@@ -112,6 +112,7 @@ EXPORT_SYMBOL_GPL(skx_adxl_get);
+
+ void skx_adxl_put(void)
+ {
++ adxl_component_count = 0;
+ kfree(adxl_values);
+ kfree(adxl_msg);
+ }
+--
+2.39.5
+
--- /dev/null
+From 6c1ec8036a1f7dc87769848ef068014acec0a76e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Apr 2025 18:52:36 +0800
+Subject: f2fs: clean up w/ fscrypt_is_bounce_page()
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 0c708e35cf26449ca317fcbfc274704660b6d269 ]
+
+Just cleanup, no logic changes.
+
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/data.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
+index 3f8dae229d422..b5bcfb8288a13 100644
+--- a/fs/f2fs/data.c
++++ b/fs/f2fs/data.c
+@@ -56,7 +56,7 @@ static bool __is_cp_guaranteed(struct page *page)
+ struct inode *inode;
+ struct f2fs_sb_info *sbi;
+
+- if (!mapping)
++ if (fscrypt_is_bounce_page(page))
+ return false;
+
+ inode = mapping->host;
+--
+2.39.5
+
--- /dev/null
+From 2e9b1576a76463376127f96ad6244891afa0fa8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 May 2025 16:45:49 +0800
+Subject: f2fs: fix to correct check conditions in f2fs_cross_rename
+
+From: Zhiguo Niu <zhiguo.niu@unisoc.com>
+
+[ Upstream commit 9883494c45a13dc88d27dde4f988c04823b42a2f ]
+
+Should be "old_dir" here.
+
+Fixes: 5c57132eaf52 ("f2fs: support project quota")
+Signed-off-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/namei.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c
+index 364731547f696..ecdcde93ade4c 100644
+--- a/fs/f2fs/namei.c
++++ b/fs/f2fs/namei.c
+@@ -1076,7 +1076,7 @@ static int f2fs_cross_rename(struct inode *old_dir, struct dentry *old_dentry,
+ if ((is_inode_flag_set(new_dir, FI_PROJ_INHERIT) &&
+ !projid_eq(F2FS_I(new_dir)->i_projid,
+ F2FS_I(old_inode)->i_projid)) ||
+- (is_inode_flag_set(new_dir, FI_PROJ_INHERIT) &&
++ (is_inode_flag_set(old_dir, FI_PROJ_INHERIT) &&
+ !projid_eq(F2FS_I(old_dir)->i_projid,
+ F2FS_I(new_inode)->i_projid)))
+ return -EXDEV;
+--
+2.39.5
+
--- /dev/null
+From 15a8b254aae8523f69fad78b17fdd0e0d6259d65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Apr 2025 18:52:37 +0800
+Subject: f2fs: fix to detect gcing page in f2fs_is_cp_guaranteed()
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit aa1be8dd64163eca4dde7fd2557eb19927a06a47 ]
+
+Jan Prusakowski reported a f2fs bug as below:
+
+f2fs/007 will hang kernel during testing w/ below configs:
+
+kernel 6.12.18 (from pixel-kernel/android16-6.12)
+export MKFS_OPTIONS="-O encrypt -O extra_attr -O project_quota -O quota"
+export F2FS_MOUNT_OPTIONS="test_dummy_encryption,discard,fsync_mode=nobarrier,reserve_root=32768,checkpoint_merge,atgc"
+
+cat /proc/<umount_proc_id>/stack
+f2fs_wait_on_all_pages+0xa3/0x130
+do_checkpoint+0x40c/0x5d0
+f2fs_write_checkpoint+0x258/0x550
+kill_f2fs_super+0x14f/0x190
+deactivate_locked_super+0x30/0xb0
+cleanup_mnt+0xba/0x150
+task_work_run+0x59/0xa0
+syscall_exit_to_user_mode+0x12d/0x130
+do_syscall_64+0x57/0x110
+entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+cat /sys/kernel/debug/f2fs/status
+
+ - IO_W (CP: -256, Data: 256, Flush: ( 0 0 1), Discard: ( 0 0)) cmd: 0 undiscard: 0
+
+CP IOs reference count becomes negative.
+
+The root cause is:
+
+After 4961acdd65c9 ("f2fs: fix to tag gcing flag on page during block
+migration"), we will tag page w/ gcing flag for raw page of cluster
+during its migration.
+
+However, if the inode is both encrypted and compressed, during
+ioc_decompress(), it will tag page w/ gcing flag, and it increase
+F2FS_WB_DATA reference count:
+- f2fs_write_multi_page
+ - f2fs_write_raw_page
+ - f2fs_write_single_page
+ - do_write_page
+ - f2fs_submit_page_write
+ - WB_DATA_TYPE(bio_page, fio->compressed_page)
+ : bio_page is encrypted, so mapping is NULL, and fio->compressed_page
+ is NULL, it returns F2FS_WB_DATA
+ - inc_page_count(.., F2FS_WB_DATA)
+
+Then, during end_io(), it decrease F2FS_WB_CP_DATA reference count:
+- f2fs_write_end_io
+ - f2fs_compress_write_end_io
+ - fscrypt_pagecache_folio
+ : get raw page from encrypted page
+ - WB_DATA_TYPE(&folio->page, false)
+ : raw page has gcing flag, it returns F2FS_WB_CP_DATA
+ - dec_page_count(.., F2FS_WB_CP_DATA)
+
+In order to fix this issue, we need to detect gcing flag in raw page
+in f2fs_is_cp_guaranteed().
+
+Fixes: 4961acdd65c9 ("f2fs: fix to tag gcing flag on page during block migration")
+Reported-by: Jan Prusakowski <jprusakowski@google.com>
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/data.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
+index b5bcfb8288a13..8843f2bd613d5 100644
+--- a/fs/f2fs/data.c
++++ b/fs/f2fs/data.c
+@@ -57,7 +57,7 @@ static bool __is_cp_guaranteed(struct page *page)
+ struct f2fs_sb_info *sbi;
+
+ if (fscrypt_is_bounce_page(page))
+- return false;
++ return page_private_gcing(fscrypt_pagecache_page(page));
+
+ inode = mapping->host;
+ sbi = F2FS_I_SB(inode);
+--
+2.39.5
+
--- /dev/null
+From 1080867aa04c86aa6639f94fb86c1cc8881d20d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Apr 2025 20:22:08 +0800
+Subject: f2fs: fix to do sanity check on sbi->total_valid_block_count
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 05872a167c2cab80ef186ef23cc34a6776a1a30c ]
+
+syzbot reported a f2fs bug as below:
+
+------------[ cut here ]------------
+kernel BUG at fs/f2fs/f2fs.h:2521!
+RIP: 0010:dec_valid_block_count+0x3b2/0x3c0 fs/f2fs/f2fs.h:2521
+Call Trace:
+ f2fs_truncate_data_blocks_range+0xc8c/0x11a0 fs/f2fs/file.c:695
+ truncate_dnode+0x417/0x740 fs/f2fs/node.c:973
+ truncate_nodes+0x3ec/0xf50 fs/f2fs/node.c:1014
+ f2fs_truncate_inode_blocks+0x8e3/0x1370 fs/f2fs/node.c:1197
+ f2fs_do_truncate_blocks+0x840/0x12b0 fs/f2fs/file.c:810
+ f2fs_truncate_blocks+0x10d/0x300 fs/f2fs/file.c:838
+ f2fs_truncate+0x417/0x720 fs/f2fs/file.c:888
+ f2fs_setattr+0xc4f/0x12f0 fs/f2fs/file.c:1112
+ notify_change+0xbca/0xe90 fs/attr.c:552
+ do_truncate+0x222/0x310 fs/open.c:65
+ handle_truncate fs/namei.c:3466 [inline]
+ do_open fs/namei.c:3849 [inline]
+ path_openat+0x2e4f/0x35d0 fs/namei.c:4004
+ do_filp_open+0x284/0x4e0 fs/namei.c:4031
+ do_sys_openat2+0x12b/0x1d0 fs/open.c:1429
+ do_sys_open fs/open.c:1444 [inline]
+ __do_sys_creat fs/open.c:1522 [inline]
+ __se_sys_creat fs/open.c:1516 [inline]
+ __x64_sys_creat+0x124/0x170 fs/open.c:1516
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/syscall_64.c:94
+
+The reason is: in fuzzed image, sbi->total_valid_block_count is
+inconsistent w/ mapped blocks indexed by inode, so, we should
+not trigger panic for such case, instead, let's print log and
+set fsck flag.
+
+Fixes: 39a53e0ce0df ("f2fs: add superblock and major in-memory structure")
+Reported-by: syzbot+8b376a77b2f364097fbe@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-f2fs-devel/67f3c0b2.050a0220.396535.0547.GAE@google.com
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/f2fs.h | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
+index 8b04e43356909..28db323dd4005 100644
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -2260,8 +2260,14 @@ static inline void dec_valid_block_count(struct f2fs_sb_info *sbi,
+ blkcnt_t sectors = count << F2FS_LOG_SECTORS_PER_BLOCK;
+
+ spin_lock(&sbi->stat_lock);
+- f2fs_bug_on(sbi, sbi->total_valid_block_count < (block_t) count);
+- sbi->total_valid_block_count -= (block_t)count;
++ if (unlikely(sbi->total_valid_block_count < count)) {
++ f2fs_warn(sbi, "Inconsistent total_valid_block_count:%u, ino:%lu, count:%u",
++ sbi->total_valid_block_count, inode->i_ino, count);
++ sbi->total_valid_block_count = 0;
++ set_sbi_flag(sbi, SBI_NEED_FSCK);
++ } else {
++ sbi->total_valid_block_count -= count;
++ }
+ if (sbi->reserved_blocks &&
+ sbi->current_reserved_blocks < sbi->reserved_blocks)
+ sbi->current_reserved_blocks = min(sbi->reserved_blocks,
+--
+2.39.5
+
--- /dev/null
+From 7c52b2a566abade732c83fbf97210e62a79fed61 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 May 2025 16:45:48 +0800
+Subject: f2fs: use d_inode(dentry) cleanup dentry->d_inode
+
+From: Zhiguo Niu <zhiguo.niu@unisoc.com>
+
+[ Upstream commit a6c397a31f58a1d577c2c8d04b624e9baa31951c ]
+
+no logic changes.
+
+Signed-off-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/namei.c | 8 ++++----
+ fs/f2fs/super.c | 4 ++--
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c
+index b70ac99267728..364731547f696 100644
+--- a/fs/f2fs/namei.c
++++ b/fs/f2fs/namei.c
+@@ -406,7 +406,7 @@ static int f2fs_link(struct dentry *old_dentry, struct inode *dir,
+
+ if (is_inode_flag_set(dir, FI_PROJ_INHERIT) &&
+ (!projid_eq(F2FS_I(dir)->i_projid,
+- F2FS_I(old_dentry->d_inode)->i_projid)))
++ F2FS_I(inode)->i_projid)))
+ return -EXDEV;
+
+ err = f2fs_dquot_initialize(dir);
+@@ -885,7 +885,7 @@ static int f2fs_rename(struct inode *old_dir, struct dentry *old_dentry,
+
+ if (is_inode_flag_set(new_dir, FI_PROJ_INHERIT) &&
+ (!projid_eq(F2FS_I(new_dir)->i_projid,
+- F2FS_I(old_dentry->d_inode)->i_projid)))
++ F2FS_I(old_inode)->i_projid)))
+ return -EXDEV;
+
+ /*
+@@ -1075,10 +1075,10 @@ static int f2fs_cross_rename(struct inode *old_dir, struct dentry *old_dentry,
+
+ if ((is_inode_flag_set(new_dir, FI_PROJ_INHERIT) &&
+ !projid_eq(F2FS_I(new_dir)->i_projid,
+- F2FS_I(old_dentry->d_inode)->i_projid)) ||
++ F2FS_I(old_inode)->i_projid)) ||
+ (is_inode_flag_set(new_dir, FI_PROJ_INHERIT) &&
+ !projid_eq(F2FS_I(old_dir)->i_projid,
+- F2FS_I(new_dentry->d_inode)->i_projid)))
++ F2FS_I(new_inode)->i_projid)))
+ return -EXDEV;
+
+ err = f2fs_dquot_initialize(old_dir);
+diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
+index 0cf564ded140a..8d06b8b99d939 100644
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -1811,9 +1811,9 @@ static int f2fs_statfs(struct dentry *dentry, struct kstatfs *buf)
+ buf->f_fsid = u64_to_fsid(id);
+
+ #ifdef CONFIG_QUOTA
+- if (is_inode_flag_set(dentry->d_inode, FI_PROJ_INHERIT) &&
++ if (is_inode_flag_set(d_inode(dentry), FI_PROJ_INHERIT) &&
+ sb_has_quota_limits_enabled(sb, PRJQUOTA)) {
+- f2fs_statfs_project(sb, F2FS_I(dentry->d_inode)->i_projid, buf);
++ f2fs_statfs_project(sb, F2FS_I(d_inode(dentry))->i_projid, buf);
+ }
+ #endif
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From 24c25540fe5c7f9458838fbc8dd0fca27959768d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 May 2025 23:35:58 +0300
+Subject: fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod()
+
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+
+[ Upstream commit 3f6dae09fc8c306eb70fdfef70726e1f154e173a ]
+
+In fb_find_mode_cvt(), iff mode->refresh somehow happens to be 0x80000000,
+cvt.f_refresh will become 0 when multiplying it by 2 due to overflow. It's
+then passed to fb_cvt_hperiod(), where it's used as a divider -- division
+by 0 will result in kernel oops. Add a sanity check for cvt.f_refresh to
+avoid such overflow...
+
+Found by Linux Verification Center (linuxtesting.org) with the Svace static
+analysis tool.
+
+Fixes: 96fe6a2109db ("[PATCH] fbdev: Add VESA Coordinated Video Timings (CVT) support")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/core/fbcvt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/video/fbdev/core/fbcvt.c b/drivers/video/fbdev/core/fbcvt.c
+index 64843464c6613..cd3821bd82e56 100644
+--- a/drivers/video/fbdev/core/fbcvt.c
++++ b/drivers/video/fbdev/core/fbcvt.c
+@@ -312,7 +312,7 @@ int fb_find_mode_cvt(struct fb_videomode *mode, int margins, int rb)
+ cvt.f_refresh = cvt.refresh;
+ cvt.interlace = 1;
+
+- if (!cvt.xres || !cvt.yres || !cvt.refresh) {
++ if (!cvt.xres || !cvt.yres || !cvt.refresh || cvt.f_refresh > INT_MAX) {
+ printk(KERN_INFO "fbcvt: Invalid input parameters\n");
+ return 1;
+ }
+--
+2.39.5
+
--- /dev/null
+From dc212ed783ea9b4189a612cdbe260e1826e375aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Mar 2025 23:17:12 +0800
+Subject: firmware: psci: Fix refcount leak in psci_dt_init
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit 7ff37d29fd5c27617b9767e1b8946d115cf93a1e ]
+
+Fix a reference counter leak in psci_dt_init() where of_node_put(np) was
+missing after of_find_matching_node_and_match() when np is unavailable.
+
+Fixes: d09a0011ec0d ("drivers: psci: Allow PSCI node to be disabled")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Reviewed-by: Gavin Shan <gshan@redhat.com>
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Link: https://lore.kernel.org/r/20250318151712.28763-1-linmq006@gmail.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/psci/psci.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/firmware/psci/psci.c b/drivers/firmware/psci/psci.c
+index cfb448eabdaa2..ec888aba57ffd 100644
+--- a/drivers/firmware/psci/psci.c
++++ b/drivers/firmware/psci/psci.c
+@@ -619,8 +619,10 @@ int __init psci_dt_init(void)
+
+ np = of_find_matching_node_and_match(NULL, psci_of_match, &matched_np);
+
+- if (!np || !of_device_is_available(np))
++ if (!np || !of_device_is_available(np)) {
++ of_node_put(np);
+ return -ENODEV;
++ }
+
+ init_fn = (psci_initcall_t)matched_np->data;
+ ret = init_fn(np);
+--
+2.39.5
+
--- /dev/null
+From ff1ecadb9466b182985a9dbc347150789ff11108 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 May 2025 12:57:57 +0800
+Subject: firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES
+
+From: Huang Yiwei <quic_hyiwei@quicinc.com>
+
+[ Upstream commit 59529bbe642de4eb2191a541d9b4bae7eb73862e ]
+
+SDEI usually initialize with the ACPI table, but on platforms where
+ACPI is not used, the SDEI feature can still be used to handle
+specific firmware calls or other customized purposes. Therefore, it
+is not necessary for ARM_SDE_INTERFACE to depend on ACPI_APEI_GHES.
+
+In commit dc4e8c07e9e2 ("ACPI: APEI: explicit init of HEST and GHES
+in acpi_init()"), to make APEI ready earlier, sdei_init was moved
+into acpi_ghes_init instead of being a standalone initcall, adding
+ACPI_APEI_GHES dependency to ARM_SDE_INTERFACE. This restricts the
+flexibility and usability of SDEI.
+
+This patch corrects the dependency in Kconfig and splits sdei_init()
+into two separate functions: sdei_init() and acpi_sdei_init().
+sdei_init() will be called by arch_initcall and will only initialize
+the platform driver, while acpi_sdei_init() will initialize the
+device from acpi_ghes_init() when ACPI is ready. This allows the
+initialization of SDEI without ACPI_APEI_GHES enabled.
+
+Fixes: dc4e8c07e9e2 ("ACPI: APEI: explicit init of HEST and GHES in apci_init()")
+Cc: Shuai Xue <xueshuai@linux.alibaba.com>
+Signed-off-by: Huang Yiwei <quic_hyiwei@quicinc.com>
+Reviewed-by: Shuai Xue <xueshuai@linux.alibaba.com>
+Reviewed-by: Gavin Shan <gshan@redhat.com>
+Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Link: https://lore.kernel.org/r/20250507045757.2658795-1-quic_hyiwei@quicinc.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/apei/Kconfig | 1 +
+ drivers/acpi/apei/ghes.c | 2 +-
+ drivers/firmware/Kconfig | 1 -
+ drivers/firmware/arm_sdei.c | 11 ++++++++---
+ include/linux/arm_sdei.h | 4 ++--
+ 5 files changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/acpi/apei/Kconfig b/drivers/acpi/apei/Kconfig
+index 6b18f8bc7be35..71e0d64a7792e 100644
+--- a/drivers/acpi/apei/Kconfig
++++ b/drivers/acpi/apei/Kconfig
+@@ -23,6 +23,7 @@ config ACPI_APEI_GHES
+ select ACPI_HED
+ select IRQ_WORK
+ select GENERIC_ALLOCATOR
++ select ARM_SDE_INTERFACE if ARM64
+ help
+ Generic Hardware Error Source provides a way to report
+ platform hardware errors (such as that from chipset). It
+diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c
+index a6c8514110736..72087e05b5a5f 100644
+--- a/drivers/acpi/apei/ghes.c
++++ b/drivers/acpi/apei/ghes.c
+@@ -1478,7 +1478,7 @@ void __init ghes_init(void)
+ {
+ int rc;
+
+- sdei_init();
++ acpi_sdei_init();
+
+ if (acpi_disabled)
+ return;
+diff --git a/drivers/firmware/Kconfig b/drivers/firmware/Kconfig
+index b4d83c08acef8..059cb18f4bece 100644
+--- a/drivers/firmware/Kconfig
++++ b/drivers/firmware/Kconfig
+@@ -40,7 +40,6 @@ config ARM_SCPI_POWER_DOMAIN
+ config ARM_SDE_INTERFACE
+ bool "ARM Software Delegated Exception Interface (SDEI)"
+ depends on ARM64
+- depends on ACPI_APEI_GHES
+ help
+ The Software Delegated Exception Interface (SDEI) is an ARM
+ standard for registering callbacks from the platform firmware
+diff --git a/drivers/firmware/arm_sdei.c b/drivers/firmware/arm_sdei.c
+index 3e8051fe82965..71e2a9a89f6ad 100644
+--- a/drivers/firmware/arm_sdei.c
++++ b/drivers/firmware/arm_sdei.c
+@@ -1062,13 +1062,12 @@ static bool __init sdei_present_acpi(void)
+ return true;
+ }
+
+-void __init sdei_init(void)
++void __init acpi_sdei_init(void)
+ {
+ struct platform_device *pdev;
+ int ret;
+
+- ret = platform_driver_register(&sdei_driver);
+- if (ret || !sdei_present_acpi())
++ if (!sdei_present_acpi())
+ return;
+
+ pdev = platform_device_register_simple(sdei_driver.driver.name,
+@@ -1081,6 +1080,12 @@ void __init sdei_init(void)
+ }
+ }
+
++static int __init sdei_init(void)
++{
++ return platform_driver_register(&sdei_driver);
++}
++arch_initcall(sdei_init);
++
+ int sdei_event_handler(struct pt_regs *regs,
+ struct sdei_registered_event *arg)
+ {
+diff --git a/include/linux/arm_sdei.h b/include/linux/arm_sdei.h
+index 255701e1251b4..f652a5028b590 100644
+--- a/include/linux/arm_sdei.h
++++ b/include/linux/arm_sdei.h
+@@ -46,12 +46,12 @@ int sdei_unregister_ghes(struct ghes *ghes);
+ /* For use by arch code when CPU hotplug notifiers are not appropriate. */
+ int sdei_mask_local_cpu(void);
+ int sdei_unmask_local_cpu(void);
+-void __init sdei_init(void);
++void __init acpi_sdei_init(void);
+ void sdei_handler_abort(void);
+ #else
+ static inline int sdei_mask_local_cpu(void) { return 0; }
+ static inline int sdei_unmask_local_cpu(void) { return 0; }
+-static inline void sdei_init(void) { }
++static inline void acpi_sdei_init(void) { }
+ static inline void sdei_handler_abort(void) { }
+ #endif /* CONFIG_ARM_SDE_INTERFACE */
+
+--
+2.39.5
+
--- /dev/null
+From 891a00ba98b035d88db12aef6c8050898febe863 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Jun 2025 17:57:27 -0400
+Subject: fix propagation graph breakage by MOVE_MOUNT_SET_GROUP move_mount(2)
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit d8cc0362f918d020ca1340d7694f07062dc30f36 ]
+
+9ffb14ef61ba "move_mount: allow to add a mount into an existing group"
+breaks assertions on ->mnt_share/->mnt_slave. For once, the data structures
+in question are actually documented.
+
+Documentation/filesystem/sharedsubtree.rst:
+ All vfsmounts in a peer group have the same ->mnt_master. If it is
+ non-NULL, they form a contiguous (ordered) segment of slave list.
+
+do_set_group() puts a mount into the same place in propagation graph
+as the old one. As the result, if old mount gets events from somewhere
+and is not a pure event sink, new one needs to be placed next to the
+old one in the slave list the old one's on. If it is a pure event
+sink, we only need to make sure the new one doesn't end up in the
+middle of some peer group.
+
+"move_mount: allow to add a mount into an existing group" ends up putting
+the new one in the beginning of list; that's definitely not going to be
+in the middle of anything, so that's fine for case when old is not marked
+shared. In case when old one _is_ marked shared (i.e. is not a pure event
+sink), that breaks the assumptions of propagation graph iterators.
+
+Put the new mount next to the old one on the list - that does the right thing
+in "old is marked shared" case and is just as correct as the current behaviour
+if old is not marked shared (kudos to Pavel for pointing that out - my original
+suggested fix changed behaviour in the "nor marked" case, which complicated
+things for no good reason).
+
+Reviewed-by: Christian Brauner <brauner@kernel.org>
+Fixes: 9ffb14ef61ba ("move_mount: allow to add a mount into an existing group")
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/namespace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/namespace.c b/fs/namespace.c
+index a99a060e89316..76a1cf75457be 100644
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -2765,7 +2765,7 @@ static int do_set_group(struct path *from_path, struct path *to_path)
+ if (IS_MNT_SLAVE(from)) {
+ struct mount *m = from->mnt_master;
+
+- list_add(&to->mnt_slave, &m->mnt_slave_list);
++ list_add(&to->mnt_slave, &from->mnt_slave);
+ to->mnt_master = m;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From c878ebac6bcc13a7b169a6aa934120f1d5c08ab1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Mar 2025 13:42:18 +0000
+Subject: fs/ntfs3: handle hdr_first_de() return value
+
+From: Andrey Vatoropin <a.vatoropin@crpt.ru>
+
+[ Upstream commit af5cab0e5b6f8edb0be51a9f47f3f620e0b4fd70 ]
+
+The hdr_first_de() function returns a pointer to a struct NTFS_DE. This
+pointer may be NULL. To handle the NULL error effectively, it is important
+to implement an error handler. This will help manage potential errors
+consistently.
+
+Additionally, error handling for the return value already exists at other
+points where this function is called.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 82cae269cfa9 ("fs/ntfs3: Add initialization of super block")
+Signed-off-by: Andrey Vatoropin <a.vatoropin@crpt.ru>
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ntfs3/index.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c
+index cc2d29261859a..0fe1b5696e855 100644
+--- a/fs/ntfs3/index.c
++++ b/fs/ntfs3/index.c
+@@ -2173,6 +2173,10 @@ static int indx_get_entry_to_replace(struct ntfs_index *indx,
+
+ e = hdr_first_de(&n->index->ihdr);
+ fnd_push(fnd, n, e);
++ if (!e) {
++ err = -EINVAL;
++ goto out;
++ }
+
+ if (!de_is_last(e)) {
+ /*
+@@ -2194,6 +2198,10 @@ static int indx_get_entry_to_replace(struct ntfs_index *indx,
+
+ n = fnd->nodes[level];
+ te = hdr_first_de(&n->index->ihdr);
++ if (!te) {
++ err = -EINVAL;
++ goto out;
++ }
+ /* Copy the candidate entry into the replacement entry buffer. */
+ re = kmalloc(le16_to_cpu(te->size) + sizeof(u64), GFP_NOFS);
+ if (!re) {
+--
+2.39.5
+
--- /dev/null
+From 48da8c3be1cee26447c176a90d506e39abc1d768 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Apr 2025 16:40:58 +0200
+Subject: gfs2: gfs2_create_inode error handling fix
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+[ Upstream commit af4044fd0b77e915736527dd83011e46e6415f01 ]
+
+When gfs2_create_inode() finds a directory, make sure to return -EISDIR.
+
+Fixes: 571a4b57975a ("GFS2: bugger off early if O_CREAT open finds a directory")
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/gfs2/inode.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c
+index 763d8dccdfc13..a7af9904e3edb 100644
+--- a/fs/gfs2/inode.c
++++ b/fs/gfs2/inode.c
+@@ -640,7 +640,8 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
+ if (!IS_ERR(inode)) {
+ if (S_ISDIR(inode->i_mode)) {
+ iput(inode);
+- inode = ERR_PTR(-EISDIR);
++ inode = NULL;
++ error = -EISDIR;
+ goto fail_gunlock;
+ }
+ d_instantiate(dentry, inode);
+--
+2.39.5
+
--- /dev/null
+From f365d3376eb18c64c7c13ecdad92884cf3ecbe95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Jun 2025 03:34:29 -0700
+Subject: gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit 12c331b29c7397ac3b03584e12902990693bc248 ]
+
+gve_alloc_pending_packet() can return NULL, but gve_tx_add_skb_dqo()
+did not check for this case before dereferencing the returned pointer.
+
+Add a missing NULL check to prevent a potential NULL pointer
+dereference when allocation fails.
+
+This improves robustness in low-memory scenarios.
+
+Fixes: a57e5de476be ("gve: DQO: Add TX path")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Reviewed-by: Mina Almasry <almasrymina@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/google/gve/gve_tx_dqo.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/google/gve/gve_tx_dqo.c b/drivers/net/ethernet/google/gve/gve_tx_dqo.c
+index dfbb524bf7392..c6f1f4fddf8a7 100644
+--- a/drivers/net/ethernet/google/gve/gve_tx_dqo.c
++++ b/drivers/net/ethernet/google/gve/gve_tx_dqo.c
+@@ -462,6 +462,9 @@ static int gve_tx_add_skb_no_copy_dqo(struct gve_tx_ring *tx,
+ int i;
+
+ pkt = gve_alloc_pending_packet(tx);
++ if (!pkt)
++ return -ENOMEM;
++
+ pkt->skb = skb;
+ pkt->num_bufs = 0;
+ completion_tag = pkt - tx->dqo.pending_packets;
+--
+2.39.5
+
--- /dev/null
+From aebf7f05edf7d93af9cc734a30c9a840096613bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 May 2025 06:08:16 -0700
+Subject: gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit f41a94aade120dc60322865f363cee7865f2df01 ]
+
+Previously, the RX_BUFFERS_POSTED stat incorrectly reported the
+fill_cnt from RX queue 0 for all queues, resulting in inaccurate
+per-queue statistics.
+Fix this by correctly indexing priv->rx[idx].fill_cnt for each RX queue.
+
+Fixes: 24aeb56f2d38 ("gve: Add Gvnic stats AQ command and ethtool show/set-priv-flags.")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Link: https://patch.msgid.link/20250527130830.1812903-1-alok.a.tiwari@oracle.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/google/gve/gve_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/google/gve/gve_main.c b/drivers/net/ethernet/google/gve/gve_main.c
+index 2e2069e8130b2..f014b7230e256 100644
+--- a/drivers/net/ethernet/google/gve/gve_main.c
++++ b/drivers/net/ethernet/google/gve/gve_main.c
+@@ -1299,7 +1299,7 @@ void gve_handle_report_stats(struct gve_priv *priv)
+ };
+ stats[stats_idx++] = (struct stats) {
+ .stat_name = cpu_to_be32(RX_BUFFERS_POSTED),
+- .value = cpu_to_be64(priv->rx[0].fill_cnt),
++ .value = cpu_to_be64(priv->rx[idx].fill_cnt),
+ .queue_id = cpu_to_be32(idx),
+ };
+ }
+--
+2.39.5
+
--- /dev/null
+From 65cbc901de1532e6e1a1afd41da004593bc1dab4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Feb 2025 17:56:12 +0000
+Subject: IB/cm: use rwlock for MAD agent lock
+
+From: Jacob Moroni <jmoroni@google.com>
+
+[ Upstream commit 4dab26bed543584577b64b36aadb8b5b165bf44f ]
+
+In workloads where there are many processes establishing connections using
+RDMA CM in parallel (large scale MPI), there can be heavy contention for
+mad_agent_lock in cm_alloc_msg.
+
+This contention can occur while inside of a spin_lock_irq region, leading
+to interrupts being disabled for extended durations on many
+cores. Furthermore, it leads to the serialization of rdma_create_ah calls,
+which has negative performance impacts for NICs which are capable of
+processing multiple address handle creations in parallel.
+
+The end result is the machine becoming unresponsive, hung task warnings,
+netdev TX timeouts, etc.
+
+Since the lock appears to be only for protection from cm_remove_one, it
+can be changed to a rwlock to resolve these issues.
+
+Reproducer:
+
+Server:
+ for i in $(seq 1 512); do
+ ucmatose -c 32 -p $((i + 5000)) &
+ done
+
+Client:
+ for i in $(seq 1 512); do
+ ucmatose -c 32 -p $((i + 5000)) -s 10.2.0.52 &
+ done
+
+Fixes: 76039ac9095f ("IB/cm: Protect cm_dev, cm_ports and mad_agent with kref and lock")
+Link: https://patch.msgid.link/r/20250220175612.2763122-1-jmoroni@google.com
+Signed-off-by: Jacob Moroni <jmoroni@google.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
+Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/cm.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c
+index c8a7fe5fbc233..96e00e86ebbf6 100644
+--- a/drivers/infiniband/core/cm.c
++++ b/drivers/infiniband/core/cm.c
+@@ -166,7 +166,7 @@ struct cm_port {
+ struct cm_device {
+ struct kref kref;
+ struct list_head list;
+- spinlock_t mad_agent_lock;
++ rwlock_t mad_agent_lock;
+ struct ib_device *ib_device;
+ u8 ack_delay;
+ int going_down;
+@@ -283,7 +283,7 @@ static struct ib_mad_send_buf *cm_alloc_msg(struct cm_id_private *cm_id_priv)
+ if (!cm_id_priv->av.port)
+ return ERR_PTR(-EINVAL);
+
+- spin_lock(&cm_id_priv->av.port->cm_dev->mad_agent_lock);
++ read_lock(&cm_id_priv->av.port->cm_dev->mad_agent_lock);
+ mad_agent = cm_id_priv->av.port->mad_agent;
+ if (!mad_agent) {
+ m = ERR_PTR(-EINVAL);
+@@ -314,7 +314,7 @@ static struct ib_mad_send_buf *cm_alloc_msg(struct cm_id_private *cm_id_priv)
+ m->context[0] = cm_id_priv;
+
+ out:
+- spin_unlock(&cm_id_priv->av.port->cm_dev->mad_agent_lock);
++ read_unlock(&cm_id_priv->av.port->cm_dev->mad_agent_lock);
+ return m;
+ }
+
+@@ -1310,10 +1310,10 @@ static __be64 cm_form_tid(struct cm_id_private *cm_id_priv)
+ if (!cm_id_priv->av.port)
+ return cpu_to_be64(low_tid);
+
+- spin_lock(&cm_id_priv->av.port->cm_dev->mad_agent_lock);
++ read_lock(&cm_id_priv->av.port->cm_dev->mad_agent_lock);
+ if (cm_id_priv->av.port->mad_agent)
+ hi_tid = ((u64)cm_id_priv->av.port->mad_agent->hi_tid) << 32;
+- spin_unlock(&cm_id_priv->av.port->cm_dev->mad_agent_lock);
++ read_unlock(&cm_id_priv->av.port->cm_dev->mad_agent_lock);
+ return cpu_to_be64(hi_tid | low_tid);
+ }
+
+@@ -4365,7 +4365,7 @@ static int cm_add_one(struct ib_device *ib_device)
+ return -ENOMEM;
+
+ kref_init(&cm_dev->kref);
+- spin_lock_init(&cm_dev->mad_agent_lock);
++ rwlock_init(&cm_dev->mad_agent_lock);
+ cm_dev->ib_device = ib_device;
+ cm_dev->ack_delay = ib_device->attrs.local_ca_ack_delay;
+ cm_dev->going_down = 0;
+@@ -4481,9 +4481,9 @@ static void cm_remove_one(struct ib_device *ib_device, void *client_data)
+ * The above ensures no call paths from the work are running,
+ * the remaining paths all take the mad_agent_lock.
+ */
+- spin_lock(&cm_dev->mad_agent_lock);
++ write_lock(&cm_dev->mad_agent_lock);
+ port->mad_agent = NULL;
+- spin_unlock(&cm_dev->mad_agent_lock);
++ write_unlock(&cm_dev->mad_agent_lock);
+ ib_unregister_mad_agent(mad_agent);
+ ib_port_unregister_client_groups(ib_device, i,
+ cm_counter_groups);
+--
+2.39.5
+
--- /dev/null
+From 6ca4fb9e410aa8e30fcdca94b07704a9a8a85850 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 May 2025 12:55:28 +0200
+Subject: ice: create new Tx scheduler nodes for new queues only
+
+From: Michal Kubiak <michal.kubiak@intel.com>
+
+[ Upstream commit 6fa2942578472c9cab13a8fc1dae0d830193e0a1 ]
+
+The current implementation of the Tx scheduler tree attempts
+to create nodes for all Tx queues, ignoring the fact that some
+queues may already exist in the tree. For example, if the VSI
+already has 128 Tx queues and the user requests for 16 new queues,
+the Tx scheduler will compute the tree for 272 queues (128 existing
+queues + 144 new queues), instead of 144 queues (128 existing queues
+and 16 new queues).
+Fix that by modifying the node count calculation algorithm to skip
+the queues that already exist in the tree.
+
+Fixes: 5513b920a4f7 ("ice: Update Tx scheduler tree for VSI multi-Tx queue support")
+Reviewed-by: Dawid Osuchowski <dawid.osuchowski@linux.intel.com>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: Michal Kubiak <michal.kubiak@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Jesse Brandeburg <jbrandeburg@cloudflare.com>
+Tested-by: Saritha Sanigani <sarithax.sanigani@intel.com> (A Contingent Worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_sched.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_sched.c b/drivers/net/ethernet/intel/ice/ice_sched.c
+index 209e3a9d9b7ab..7446ef141410e 100644
+--- a/drivers/net/ethernet/intel/ice/ice_sched.c
++++ b/drivers/net/ethernet/intel/ice/ice_sched.c
+@@ -1576,16 +1576,16 @@ ice_sched_get_agg_node(struct ice_port_info *pi, struct ice_sched_node *tc_node,
+ /**
+ * ice_sched_calc_vsi_child_nodes - calculate number of VSI child nodes
+ * @hw: pointer to the HW struct
+- * @num_qs: number of queues
++ * @num_new_qs: number of new queues that will be added to the tree
+ * @num_nodes: num nodes array
+ *
+ * This function calculates the number of VSI child nodes based on the
+ * number of queues.
+ */
+ static void
+-ice_sched_calc_vsi_child_nodes(struct ice_hw *hw, u16 num_qs, u16 *num_nodes)
++ice_sched_calc_vsi_child_nodes(struct ice_hw *hw, u16 num_new_qs, u16 *num_nodes)
+ {
+- u16 num = num_qs;
++ u16 num = num_new_qs;
+ u8 i, qgl, vsil;
+
+ qgl = ice_sched_get_qgrp_layer(hw);
+@@ -1833,8 +1833,9 @@ ice_sched_update_vsi_child_nodes(struct ice_port_info *pi, u16 vsi_handle,
+ return status;
+ }
+
+- if (new_numqs)
+- ice_sched_calc_vsi_child_nodes(hw, new_numqs, new_num_nodes);
++ ice_sched_calc_vsi_child_nodes(hw, new_numqs - prev_numqs,
++ new_num_nodes);
++
+ /* Keep the max number of queue configuration all the time. Update the
+ * tree only if number of queues > previous number of queues. This may
+ * leave some extra nodes in the tree if number of queues < previous
+--
+2.39.5
+
--- /dev/null
+From fa1901b1f9d542918734409bf38acf78a375a170 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Mar 2025 12:52:47 +0100
+Subject: iio: adc: ad7124: Fix 3dB filter frequency reading
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
+
+[ Upstream commit 8712e4986e7ce42a14c762c4c350f290989986a5 ]
+
+The sinc4 filter has a factor 0.23 between Output Data Rate and f_{3dB}
+and for sinc3 the factor is 0.272 according to the data sheets for
+ad7124-4 (Rev. E.) and ad7124-8 (Rev. F).
+
+Fixes: cef2760954cf ("iio: adc: ad7124: add 3db filter")
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
+Reviewed-by: Marcelo Schmitt <marcelo.schmitt@analog.com>
+Link: https://patch.msgid.link/20250317115247.3735016-6-u.kleine-koenig@baylibre.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/ad7124.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/iio/adc/ad7124.c b/drivers/iio/adc/ad7124.c
+index 31c8cb3bf811b..c018437177ba6 100644
+--- a/drivers/iio/adc/ad7124.c
++++ b/drivers/iio/adc/ad7124.c
+@@ -297,9 +297,9 @@ static int ad7124_get_3db_filter_freq(struct ad7124_state *st,
+
+ switch (st->channels[channel].cfg.filter_type) {
+ case AD7124_SINC3_FILTER:
+- return DIV_ROUND_CLOSEST(fadc * 230, 1000);
++ return DIV_ROUND_CLOSEST(fadc * 272, 1000);
+ case AD7124_SINC4_FILTER:
+- return DIV_ROUND_CLOSEST(fadc * 262, 1000);
++ return DIV_ROUND_CLOSEST(fadc * 230, 1000);
+ default:
+ return -EINVAL;
+ }
+--
+2.39.5
+
--- /dev/null
+From 99c7b956027c69db98dd221a148e808fb5054a5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Apr 2025 10:08:37 -0300
+Subject: iommu: Protect against overflow in iommu_pgsize()
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+[ Upstream commit e586e22974d2b7acbef3c6c3e01b2d5ce69efe33 ]
+
+On a 32 bit system calling:
+ iommu_map(0, 0x40000000)
+
+When using the AMD V1 page table type with a domain->pgsize of 0xfffff000
+causes iommu_pgsize() to miscalculate a result of:
+ size=0x40000000 count=2
+
+count should be 1. This completely corrupts the mapping process.
+
+This is because the final test to adjust the pagesize malfunctions when
+the addition overflows. Use check_add_overflow() to prevent this.
+
+Fixes: b1d99dc5f983 ("iommu: Hook up '->unmap_pages' driver callback")
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com>
+Link: https://lore.kernel.org/r/0-v1-3ad28fc2e3a3+163327-iommu_overflow_pgsize_jgg@nvidia.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/iommu.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
+index d06dbf035c7c7..01e01ca760cf1 100644
+--- a/drivers/iommu/iommu.c
++++ b/drivers/iommu/iommu.c
+@@ -2411,6 +2411,7 @@ static size_t iommu_pgsize(struct iommu_domain *domain, unsigned long iova,
+ unsigned int pgsize_idx, pgsize_idx_next;
+ unsigned long pgsizes;
+ size_t offset, pgsize, pgsize_next;
++ size_t offset_end;
+ unsigned long addr_merge = paddr | iova;
+
+ /* Page sizes supported by the hardware and small enough for @size */
+@@ -2451,7 +2452,8 @@ static size_t iommu_pgsize(struct iommu_domain *domain, unsigned long iova,
+ * If size is big enough to accommodate the larger page, reduce
+ * the number of smaller pages.
+ */
+- if (offset + pgsize_next <= size)
++ if (!check_add_overflow(offset, pgsize_next, &offset_end) &&
++ offset_end <= size)
+ size = offset;
+
+ out_set_count:
+--
+2.39.5
+
--- /dev/null
+From cb6caa9bd9fd5ed4894caa383a6b78b8d3cb2f5b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Apr 2025 13:59:57 +0800
+Subject: ktls, sockmap: Fix missing uncharge operation
+
+From: Jiayuan Chen <jiayuan.chen@linux.dev>
+
+[ Upstream commit 79f0c39ae7d3dc628c01b02f23ca5d01f9875040 ]
+
+When we specify apply_bytes, we divide the msg into multiple segments,
+each with a length of 'send', and every time we send this part of the data
+using tcp_bpf_sendmsg_redir(), we use sk_msg_return_zero() to uncharge the
+memory of the specified 'send' size.
+
+However, if the first segment of data fails to send, for example, the
+peer's buffer is full, we need to release all of the msg. When releasing
+the msg, we haven't uncharged the memory of the subsequent segments.
+
+This modification does not make significant logical changes, but only
+fills in the missing uncharge places.
+
+This issue has existed all along, until it was exposed after we added the
+apply test in test_sockmap:
+commit 3448ad23b34e ("selftests/bpf: Add apply_bytes test to test_txmsg_redir_wait_sndmem in test_sockmap")
+
+Fixes: d3b18ad31f93 ("tls: add bpf support to sk_msg handling")
+Reported-by: Cong Wang <xiyou.wangcong@gmail.com>
+Closes: https://lore.kernel.org/bpf/aAmIi0vlycHtbXeb@pop-os.localdomain/T/#t
+Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
+Link: https://lore.kernel.org/r/20250425060015.6968-2-jiayuan.chen@linux.dev
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tls/tls_sw.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
+index 0f93b0ba72df1..6648008f5da73 100644
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -893,6 +893,13 @@ static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk,
+ &msg_redir, send, flags);
+ lock_sock(sk);
+ if (err < 0) {
++ /* Regardless of whether the data represented by
++ * msg_redir is sent successfully, we have already
++ * uncharged it via sk_msg_return_zero(). The
++ * msg->sg.size represents the remaining unprocessed
++ * data, which needs to be uncharged here.
++ */
++ sk_mem_uncharge(sk, msg->sg.size);
+ *copied -= sk_msg_free_nocharge(sk, &msg_redir);
+ msg->sg.size = 0;
+ }
+--
+2.39.5
+
--- /dev/null
+From 587a825e31720b36ca67f323d78676088f3f133b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Apr 2025 17:50:14 +0200
+Subject: libbpf: Fix buffer overflow in bpf_object__init_prog
+
+From: Viktor Malik <vmalik@redhat.com>
+
+[ Upstream commit ee684de5c1b0ac01821320826baec7da93f3615b ]
+
+As shown in [1], it is possible to corrupt a BPF ELF file such that
+arbitrary BPF instructions are loaded by libbpf. This can be done by
+setting a symbol (BPF program) section offset to a large (unsigned)
+number such that <section start + symbol offset> overflows and points
+before the section data in the memory.
+
+Consider the situation below where:
+- prog_start = sec_start + symbol_offset <-- size_t overflow here
+- prog_end = prog_start + prog_size
+
+ prog_start sec_start prog_end sec_end
+ | | | |
+ v v v v
+ .....................|################################|............
+
+The report in [1] also provides a corrupted BPF ELF which can be used as
+a reproducer:
+
+ $ readelf -S crash
+ Section Headers:
+ [Nr] Name Type Address Offset
+ Size EntSize Flags Link Info Align
+ ...
+ [ 2] uretprobe.mu[...] PROGBITS 0000000000000000 00000040
+ 0000000000000068 0000000000000000 AX 0 0 8
+
+ $ readelf -s crash
+ Symbol table '.symtab' contains 8 entries:
+ Num: Value Size Type Bind Vis Ndx Name
+ ...
+ 6: ffffffffffffffb8 104 FUNC GLOBAL DEFAULT 2 handle_tp
+
+Here, the handle_tp prog has section offset ffffffffffffffb8, i.e. will
+point before the actual memory where section 2 is allocated.
+
+This is also reported by AddressSanitizer:
+
+ =================================================================
+ ==1232==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7c7302fe0000 at pc 0x7fc3046e4b77 bp 0x7ffe64677cd0 sp 0x7ffe64677490
+ READ of size 104 at 0x7c7302fe0000 thread T0
+ #0 0x7fc3046e4b76 in memcpy (/lib64/libasan.so.8+0xe4b76)
+ #1 0x00000040df3e in bpf_object__init_prog /src/libbpf/src/libbpf.c:856
+ #2 0x00000040df3e in bpf_object__add_programs /src/libbpf/src/libbpf.c:928
+ #3 0x00000040df3e in bpf_object__elf_collect /src/libbpf/src/libbpf.c:3930
+ #4 0x00000040df3e in bpf_object_open /src/libbpf/src/libbpf.c:8067
+ #5 0x00000040f176 in bpf_object__open_file /src/libbpf/src/libbpf.c:8090
+ #6 0x000000400c16 in main /poc/poc.c:8
+ #7 0x7fc3043d25b4 in __libc_start_call_main (/lib64/libc.so.6+0x35b4)
+ #8 0x7fc3043d2667 in __libc_start_main@@GLIBC_2.34 (/lib64/libc.so.6+0x3667)
+ #9 0x000000400b34 in _start (/poc/poc+0x400b34)
+
+ 0x7c7302fe0000 is located 64 bytes before 104-byte region [0x7c7302fe0040,0x7c7302fe00a8)
+ allocated by thread T0 here:
+ #0 0x7fc3046e716b in malloc (/lib64/libasan.so.8+0xe716b)
+ #1 0x7fc3045ee600 in __libelf_set_rawdata_wrlock (/lib64/libelf.so.1+0xb600)
+ #2 0x7fc3045ef018 in __elf_getdata_rdlock (/lib64/libelf.so.1+0xc018)
+ #3 0x00000040642f in elf_sec_data /src/libbpf/src/libbpf.c:3740
+
+The problem here is that currently, libbpf only checks that the program
+end is within the section bounds. There used to be a check
+`while (sec_off < sec_sz)` in bpf_object__add_programs, however, it was
+removed by commit 6245947c1b3c ("libbpf: Allow gaps in BPF program
+sections to support overriden weak functions").
+
+Add a check for detecting the overflow of `sec_off + prog_sz` to
+bpf_object__init_prog to fix this issue.
+
+[1] https://github.com/lmarch2/poc/blob/main/libbpf/libbpf.md
+
+Fixes: 6245947c1b3c ("libbpf: Allow gaps in BPF program sections to support overriden weak functions")
+Reported-by: lmarch2 <2524158037@qq.com>
+Signed-off-by: Viktor Malik <vmalik@redhat.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Reviewed-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
+Link: https://github.com/lmarch2/poc/blob/main/libbpf/libbpf.md
+Link: https://lore.kernel.org/bpf/20250415155014.397603-1-vmalik@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/libbpf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
+index 40e0d84e3d8ed..13dea519e59f2 100644
+--- a/tools/lib/bpf/libbpf.c
++++ b/tools/lib/bpf/libbpf.c
+@@ -692,7 +692,7 @@ bpf_object__add_programs(struct bpf_object *obj, Elf_Data *sec_data,
+ return -LIBBPF_ERRNO__FORMAT;
+ }
+
+- if (sec_off + prog_sz > sec_sz) {
++ if (sec_off + prog_sz > sec_sz || sec_off + prog_sz < sec_off) {
+ pr_warn("sec '%s': program at offset %zu crosses section boundary\n",
+ sec_name, sec_off);
+ return -LIBBPF_ERRNO__FORMAT;
+--
+2.39.5
+
--- /dev/null
+From 4ee13ad6e3aed39c7b4855debd56a46199fb2b81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Apr 2025 12:08:20 +0000
+Subject: libbpf: Use proper errno value in linker
+
+From: Anton Protopopov <a.s.protopopov@gmail.com>
+
+[ Upstream commit 358b1c0f56ebb6996fcec7dcdcf6bae5dcbc8b6c ]
+
+Return values of the linker_append_sec_data() and the
+linker_append_elf_relos() functions are propagated all the
+way up to users of libbpf API. In some error cases these
+functions return -1 which will be seen as -EPERM from user's
+point of view. Instead, return a more reasonable -EINVAL.
+
+Fixes: faf6ed321cf6 ("libbpf: Add BPF static linker APIs")
+Signed-off-by: Anton Protopopov <a.s.protopopov@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20250430120820.2262053-1-a.s.protopopov@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/linker.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/lib/bpf/linker.c b/tools/lib/bpf/linker.c
+index fc91814a35e8e..3e06af5b5352e 100644
+--- a/tools/lib/bpf/linker.c
++++ b/tools/lib/bpf/linker.c
+@@ -1181,7 +1181,7 @@ static int linker_append_sec_data(struct bpf_linker *linker, struct src_obj *obj
+ } else {
+ if (!secs_match(dst_sec, src_sec)) {
+ pr_warn("ELF sections %s are incompatible\n", src_sec->sec_name);
+- return -1;
++ return -EINVAL;
+ }
+
+ /* "license" and "version" sections are deduped */
+@@ -2027,7 +2027,7 @@ static int linker_append_elf_relos(struct bpf_linker *linker, struct src_obj *ob
+ }
+ } else if (!secs_match(dst_sec, src_sec)) {
+ pr_warn("sections %s are not compatible\n", src_sec->sec_name);
+- return -1;
++ return -EINVAL;
+ }
+
+ /* add_dst_sec() above could have invalidated linker->secs */
+--
+2.39.5
+
--- /dev/null
+From dc5a56f9c5fe22e56dc0bee57c775aa2fba68e17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 May 2025 18:20:11 +0000
+Subject: libbpf: Use proper errno value in nlattr
+
+From: Anton Protopopov <a.s.protopopov@gmail.com>
+
+[ Upstream commit fd5fd538a1f4b34cee6823ba0ddda2f7a55aca96 ]
+
+Return value of the validate_nla() function can be propagated all the
+way up to users of libbpf API. In case of error this libbpf version
+of validate_nla returns -1 which will be seen as -EPERM from user's
+point of view. Instead, return a more reasonable -EINVAL.
+
+Fixes: bbf48c18ee0c ("libbpf: add error reporting in XDP")
+Suggested-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Anton Protopopov <a.s.protopopov@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20250510182011.2246631-1-a.s.protopopov@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/nlattr.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/tools/lib/bpf/nlattr.c b/tools/lib/bpf/nlattr.c
+index 2dbe7b99f28f1..0e6df58fedae3 100644
+--- a/tools/lib/bpf/nlattr.c
++++ b/tools/lib/bpf/nlattr.c
+@@ -63,16 +63,16 @@ static int validate_nla(struct nlattr *nla, int maxtype,
+ minlen = nla_attr_minlen[pt->type];
+
+ if (libbpf_nla_len(nla) < minlen)
+- return -1;
++ return -EINVAL;
+
+ if (pt->maxlen && libbpf_nla_len(nla) > pt->maxlen)
+- return -1;
++ return -EINVAL;
+
+ if (pt->type == LIBBPF_NLA_STRING) {
+ char *data = libbpf_nla_data(nla);
+
+ if (data[libbpf_nla_len(nla) - 1] != '\0')
+- return -1;
++ return -EINVAL;
+ }
+
+ return 0;
+@@ -118,19 +118,18 @@ int libbpf_nla_parse(struct nlattr *tb[], int maxtype, struct nlattr *head,
+ if (policy) {
+ err = validate_nla(nla, maxtype, policy);
+ if (err < 0)
+- goto errout;
++ return err;
+ }
+
+- if (tb[type])
++ if (tb[type]) {
+ pr_warn("Attribute of type %#x found multiple times in message, "
+ "previous attribute is being ignored.\n", type);
++ }
+
+ tb[type] = nla;
+ }
+
+- err = 0;
+-errout:
+- return err;
++ return 0;
+ }
+
+ /**
+--
+2.39.5
+
--- /dev/null
+From 6d3087b24ac8fc458ed7015831b2335af1da099d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Apr 2025 10:07:26 +1000
+Subject: m68k: mac: Fix macintosh_config for Mac II
+
+From: Finn Thain <fthain@linux-m68k.org>
+
+[ Upstream commit 52ae3f5da7e5adbe3d1319573b55dac470abb83c ]
+
+When booted on my Mac II, the kernel prints this:
+
+ Detected Macintosh model: 6
+ Apple Macintosh Unknown
+
+The catch-all entry ("Unknown") is mac_data_table[0] which is only needed
+in the unlikely event that the bootinfo model ID can't be matched.
+When model ID is 6, the search should begin and end at mac_data_table[1].
+Fix the off-by-one error that causes this problem.
+
+Cc: Joshua Thompson <funaho@jurai.org>
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Finn Thain <fthain@linux-m68k.org>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Link: https://lore.kernel.org/d0f30a551064ca4810b1c48d5a90954be80634a9.1745453246.git.fthain@linux-m68k.org
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/mac/config.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/m68k/mac/config.c b/arch/m68k/mac/config.c
+index 5d16f9b47aa90..75a5dd778d882 100644
+--- a/arch/m68k/mac/config.c
++++ b/arch/m68k/mac/config.c
+@@ -798,7 +798,7 @@ static void __init mac_identify(void)
+ }
+
+ macintosh_config = mac_data_table;
+- for (m = macintosh_config; m->ident != -1; m++) {
++ for (m = &mac_data_table[1]; m->ident != -1; m++) {
+ if (m->ident == model) {
+ macintosh_config = m;
+ break;
+--
+2.39.5
+
--- /dev/null
+From b5e2e574ef19630b1440eda7e7f24ea3efa207d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Feb 2025 10:40:33 +0100
+Subject: media: rkvdec: Fix frame size enumeration
+
+From: Jonas Karlman <jonas@kwiboo.se>
+
+[ Upstream commit f270005b99fa19fee9a6b4006e8dee37c10f1944 ]
+
+The VIDIOC_ENUM_FRAMESIZES ioctl should return all frame sizes (i.e.
+width and height in pixels) that the device supports for the given pixel
+format.
+
+It doesn't make a lot of sense to return the frame-sizes in a stepwise
+manner, which is used to enforce hardware alignments requirements for
+CAPTURE buffers, for coded formats.
+
+Instead, applications should receive an indication, about the maximum
+supported frame size for that hardware decoder, via a continuous
+frame-size enumeration.
+
+Fixes: cd33c830448b ("media: rkvdec: Add the rkvdec driver")
+Suggested-by: Alex Bee <knaerzche@gmail.com>
+Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
+Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/rkvdec/rkvdec.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/staging/media/rkvdec/rkvdec.c b/drivers/staging/media/rkvdec/rkvdec.c
+index 29b68a13674ee..9c85370fd81bc 100644
+--- a/drivers/staging/media/rkvdec/rkvdec.c
++++ b/drivers/staging/media/rkvdec/rkvdec.c
+@@ -188,8 +188,14 @@ static int rkvdec_enum_framesizes(struct file *file, void *priv,
+ if (!fmt)
+ return -EINVAL;
+
+- fsize->type = V4L2_FRMSIZE_TYPE_STEPWISE;
+- fsize->stepwise = fmt->frmsize;
++ fsize->type = V4L2_FRMSIZE_TYPE_CONTINUOUS;
++ fsize->stepwise.min_width = 1;
++ fsize->stepwise.max_width = fmt->frmsize.max_width;
++ fsize->stepwise.step_width = 1;
++ fsize->stepwise.min_height = 1;
++ fsize->stepwise.max_height = fmt->frmsize.max_height;
++ fsize->stepwise.step_height = 1;
++
+ return 0;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 3b31a144c3933f9eeb4b0f7f4c2dd583005fe54a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Apr 2025 17:00:34 +0200
+Subject: mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in
+ exynos_lpass_remove()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit b70b84556eeca5262d290e8619fe0af5b7664a52 ]
+
+exynos_lpass_disable() is called twice in the remove function. Remove
+one of these calls.
+
+Fixes: 90f447170c6f ("mfd: exynos-lpass: Add runtime PM support")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/74d69e8de10308c9855db6d54155a3de4b11abfd.1745247209.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/exynos-lpass.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/mfd/exynos-lpass.c b/drivers/mfd/exynos-lpass.c
+index 99bd0e73c19c3..ffda3445d1c0f 100644
+--- a/drivers/mfd/exynos-lpass.c
++++ b/drivers/mfd/exynos-lpass.c
+@@ -144,7 +144,6 @@ static int exynos_lpass_remove(struct platform_device *pdev)
+ {
+ struct exynos_lpass *lpass = platform_get_drvdata(pdev);
+
+- exynos_lpass_disable(lpass);
+ pm_runtime_disable(&pdev->dev);
+ if (!pm_runtime_status_suspended(&pdev->dev))
+ exynos_lpass_disable(lpass);
+--
+2.39.5
+
--- /dev/null
+From 1c9b5d24b3644bc7442eecb1e0ce636cbf0a291a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Apr 2025 18:16:32 +0200
+Subject: mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE
+
+From: Alexey Gladkov <legion@kernel.org>
+
+[ Upstream commit 59d60c16ed41475f3b5f7b605e75fbf8e3628720 ]
+
+The name used in the macro does not exist.
+
+drivers/mfd/stmpe-spi.c:132:26: error: use of undeclared identifier 'stmpe_id'
+ 132 | MODULE_DEVICE_TABLE(spi, stmpe_id);
+
+Fixes: e789995d5c61 ("mfd: Add support for STMPE SPI interface")
+Signed-off-by: Alexey Gladkov <legion@kernel.org>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/79d5a847303e45a46098f2d827d3d8a249a32be3.1745591072.git.legion@kernel.org
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/stmpe-spi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mfd/stmpe-spi.c b/drivers/mfd/stmpe-spi.c
+index 7351734f75938..07fa56e5337d1 100644
+--- a/drivers/mfd/stmpe-spi.c
++++ b/drivers/mfd/stmpe-spi.c
+@@ -129,7 +129,7 @@ static const struct spi_device_id stmpe_spi_id[] = {
+ { "stmpe2403", STMPE2403 },
+ { }
+ };
+-MODULE_DEVICE_TABLE(spi, stmpe_id);
++MODULE_DEVICE_TABLE(spi, stmpe_spi_id);
+
+ static struct spi_driver stmpe_spi_driver = {
+ .driver = {
+--
+2.39.5
+
--- /dev/null
+From 0981d52aa27f458cb4484f7a901a1065f8f2cd83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Apr 2025 11:45:48 +0800
+Subject: MIPS: Loongson64: Add missing '#interrupt-cells' for loongson64c_ls7a
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: WangYuli <wangyuli@uniontech.com>
+
+[ Upstream commit 6d223b8ffcd1593d032b71875def2daa71c53111 ]
+
+Similar to commit 98a9e2ac3755 ("MIPS: Loongson64: DTS: Fix msi node for ls7a").
+
+Fix follow warnings:
+ arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts:28.31-36.4: Warning (interrupt_provider): /bus@10000000/msi-controller@2ff00000: Missing '#interrupt-cells' in interrupt provider
+ arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dtb: Warning (interrupt_map): Failed prerequisite 'interrupt_provider'
+
+Fixes: 24af105962c8 ("MIPS: Loongson64: DeviceTree for LS7A PCH")
+Tested-by: WangYuli <wangyuli@uniontech.com>
+Signed-off-by: WangYuli <wangyuli@uniontech.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts b/arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts
+index c7ea4f1c0bb21..6c277ab83d4b9 100644
+--- a/arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts
++++ b/arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts
+@@ -29,6 +29,7 @@
+ compatible = "loongson,pch-msi-1.0";
+ reg = <0 0x2ff00000 0 0x8>;
+ interrupt-controller;
++ #interrupt-cells = <1>;
+ msi-controller;
+ loongson,msi-base-vec = <64>;
+ loongson,msi-num-vecs = <64>;
+--
+2.39.5
+
--- /dev/null
+From b12a25b746c748c8517805af517c4ebdf984a364 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 May 2025 14:44:06 +0200
+Subject: net: dsa: tag_brcm: legacy: fix pskb_may_pull length
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Álvaro Fernández Rojas <noltari@gmail.com>
+
+[ Upstream commit efdddc4484859082da6c7877ed144c8121c8ea55 ]
+
+BRCM_LEG_PORT_ID was incorrectly used for pskb_may_pull length.
+The correct check is BRCM_LEG_TAG_LEN + VLAN_HLEN, or 10 bytes.
+
+Fixes: 964dbf186eaa ("net: dsa: tag_brcm: add support for legacy tags")
+Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://patch.msgid.link/20250529124406.2513779-1-noltari@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/dsa/tag_brcm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/dsa/tag_brcm.c b/net/dsa/tag_brcm.c
+index ed5f68c4f1dad..3c681d174c58b 100644
+--- a/net/dsa/tag_brcm.c
++++ b/net/dsa/tag_brcm.c
+@@ -253,7 +253,7 @@ static struct sk_buff *brcm_leg_tag_rcv(struct sk_buff *skb,
+ int source_port;
+ u8 *brcm_tag;
+
+- if (unlikely(!pskb_may_pull(skb, BRCM_LEG_PORT_ID)))
++ if (unlikely(!pskb_may_pull(skb, BRCM_LEG_TAG_LEN + VLAN_HLEN)))
+ return NULL;
+
+ brcm_tag = dsa_etype_header_pos_rx(skb);
+--
+2.39.5
+
--- /dev/null
+From 6107f31ff0eac73b97c3612e4e0138be7f8a30ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 May 2025 11:00:47 +0530
+Subject: net: lan743x: rename lan743x_reset_phy to lan743x_hw_reset_phy
+
+From: Thangaraj Samynathan <thangaraj.s@microchip.com>
+
+[ Upstream commit 68927eb52d0af04863584930db06075d2610e194 ]
+
+rename the function to lan743x_hw_reset_phy to better describe it
+operation.
+
+Fixes: 23f0703c125be ("lan743x: Add main source files for new lan743x driver")
+Signed-off-by: Thangaraj Samynathan <thangaraj.s@microchip.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/20250526053048.287095-2-thangaraj.s@microchip.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/microchip/lan743x_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/microchip/lan743x_main.c b/drivers/net/ethernet/microchip/lan743x_main.c
+index fe919c1974505..49d40685136d4 100644
+--- a/drivers/net/ethernet/microchip/lan743x_main.c
++++ b/drivers/net/ethernet/microchip/lan743x_main.c
+@@ -910,7 +910,7 @@ static int lan743x_mac_set_mtu(struct lan743x_adapter *adapter, int new_mtu)
+ }
+
+ /* PHY */
+-static int lan743x_phy_reset(struct lan743x_adapter *adapter)
++static int lan743x_hw_reset_phy(struct lan743x_adapter *adapter)
+ {
+ u32 data;
+
+@@ -944,7 +944,7 @@ static void lan743x_phy_update_flowcontrol(struct lan743x_adapter *adapter,
+
+ static int lan743x_phy_init(struct lan743x_adapter *adapter)
+ {
+- return lan743x_phy_reset(adapter);
++ return lan743x_hw_reset_phy(adapter);
+ }
+
+ static void lan743x_phy_link_status_change(struct net_device *netdev)
+--
+2.39.5
+
--- /dev/null
+From b71f1bd37d0cf69047241d5cfeb2c143313fde7b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 May 2025 11:11:09 +0300
+Subject: net/mlx4_en: Prevent potential integer overflow calculating Hz
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 54d34165b4f786d7fea8412a18fb4a54c1eab623 ]
+
+The "freq" variable is in terms of MHz and "max_val_cycles" is in terms
+of Hz. The fact that "max_val_cycles" is a u64 suggests that support
+for high frequency is intended but the "freq_khz * 1000" would overflow
+the u32 type if we went above 4GHz. Use unsigned long long type for the
+mutliplication to prevent that.
+
+Fixes: 31c128b66e5b ("net/mlx4_en: Choose time-stamping shift value according to HW frequency")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/aDbFHe19juIJKjsb@stanley.mountain
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/en_clock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx4/en_clock.c b/drivers/net/ethernet/mellanox/mlx4/en_clock.c
+index 024788549c256..060698b0c65cc 100644
+--- a/drivers/net/ethernet/mellanox/mlx4/en_clock.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_clock.c
+@@ -251,7 +251,7 @@ static const struct ptp_clock_info mlx4_en_ptp_clock_info = {
+ static u32 freq_to_shift(u16 freq)
+ {
+ u32 freq_khz = freq * 1000;
+- u64 max_val_cycles = freq_khz * 1000 * MLX4_EN_WRAP_AROUND_SEC;
++ u64 max_val_cycles = freq_khz * 1000ULL * MLX4_EN_WRAP_AROUND_SEC;
+ u64 max_val_cycles_rounded = 1ULL << fls64(max_val_cycles - 1);
+ /* calculate max possible multiplier in order to fit in 64bit */
+ u64 max_mul = div64_u64(ULLONG_MAX, max_val_cycles_rounded);
+--
+2.39.5
+
--- /dev/null
+From b0488b409ab590007cc3a98f050f6d2208797924 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Apr 2025 18:23:08 -0700
+Subject: net: ncsi: Fix GCPS 64-bit member variables
+
+From: Hari Kalavakunta <kalavakunta.hari.prasad@gmail.com>
+
+[ Upstream commit e8a1bd8344054ce27bebf59f48e3f6bc10bc419b ]
+
+Correct Get Controller Packet Statistics (GCPS) 64-bit wide member
+variables, as per DSP0222 v1.0.0 and forward specs. The Driver currently
+collects these stats, but they are yet to be exposed to the user.
+Therefore, no user impact.
+
+Statistics fixes:
+Total Bytes Received (byte range 28..35)
+Total Bytes Transmitted (byte range 36..43)
+Total Unicast Packets Received (byte range 44..51)
+Total Multicast Packets Received (byte range 52..59)
+Total Broadcast Packets Received (byte range 60..67)
+Total Unicast Packets Transmitted (byte range 68..75)
+Total Multicast Packets Transmitted (byte range 76..83)
+Total Broadcast Packets Transmitted (byte range 84..91)
+Valid Bytes Received (byte range 204..11)
+
+Signed-off-by: Hari Kalavakunta <kalavakunta.hari.prasad@gmail.com>
+Reviewed-by: Paul Fertser <fercerpav@gmail.com>
+Link: https://patch.msgid.link/20250410012309.1343-1-kalavakunta.hari.prasad@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ncsi/internal.h | 21 ++++++++++-----------
+ net/ncsi/ncsi-pkt.h | 23 +++++++++++------------
+ net/ncsi/ncsi-rsp.c | 21 ++++++++++-----------
+ 3 files changed, 31 insertions(+), 34 deletions(-)
+
+diff --git a/net/ncsi/internal.h b/net/ncsi/internal.h
+index 4e0842df5234e..2c260f33b55cc 100644
+--- a/net/ncsi/internal.h
++++ b/net/ncsi/internal.h
+@@ -143,16 +143,15 @@ struct ncsi_channel_vlan_filter {
+ };
+
+ struct ncsi_channel_stats {
+- u32 hnc_cnt_hi; /* Counter cleared */
+- u32 hnc_cnt_lo; /* Counter cleared */
+- u32 hnc_rx_bytes; /* Rx bytes */
+- u32 hnc_tx_bytes; /* Tx bytes */
+- u32 hnc_rx_uc_pkts; /* Rx UC packets */
+- u32 hnc_rx_mc_pkts; /* Rx MC packets */
+- u32 hnc_rx_bc_pkts; /* Rx BC packets */
+- u32 hnc_tx_uc_pkts; /* Tx UC packets */
+- u32 hnc_tx_mc_pkts; /* Tx MC packets */
+- u32 hnc_tx_bc_pkts; /* Tx BC packets */
++ u64 hnc_cnt; /* Counter cleared */
++ u64 hnc_rx_bytes; /* Rx bytes */
++ u64 hnc_tx_bytes; /* Tx bytes */
++ u64 hnc_rx_uc_pkts; /* Rx UC packets */
++ u64 hnc_rx_mc_pkts; /* Rx MC packets */
++ u64 hnc_rx_bc_pkts; /* Rx BC packets */
++ u64 hnc_tx_uc_pkts; /* Tx UC packets */
++ u64 hnc_tx_mc_pkts; /* Tx MC packets */
++ u64 hnc_tx_bc_pkts; /* Tx BC packets */
+ u32 hnc_fcs_err; /* FCS errors */
+ u32 hnc_align_err; /* Alignment errors */
+ u32 hnc_false_carrier; /* False carrier detection */
+@@ -181,7 +180,7 @@ struct ncsi_channel_stats {
+ u32 hnc_tx_1023_frames; /* Tx 512-1023 bytes frames */
+ u32 hnc_tx_1522_frames; /* Tx 1024-1522 bytes frames */
+ u32 hnc_tx_9022_frames; /* Tx 1523-9022 bytes frames */
+- u32 hnc_rx_valid_bytes; /* Rx valid bytes */
++ u64 hnc_rx_valid_bytes; /* Rx valid bytes */
+ u32 hnc_rx_runt_pkts; /* Rx error runt packets */
+ u32 hnc_rx_jabber_pkts; /* Rx error jabber packets */
+ u32 ncsi_rx_cmds; /* Rx NCSI commands */
+diff --git a/net/ncsi/ncsi-pkt.h b/net/ncsi/ncsi-pkt.h
+index f2f3b5c1b9412..24edb27379724 100644
+--- a/net/ncsi/ncsi-pkt.h
++++ b/net/ncsi/ncsi-pkt.h
+@@ -252,16 +252,15 @@ struct ncsi_rsp_gp_pkt {
+ /* Get Controller Packet Statistics */
+ struct ncsi_rsp_gcps_pkt {
+ struct ncsi_rsp_pkt_hdr rsp; /* Response header */
+- __be32 cnt_hi; /* Counter cleared */
+- __be32 cnt_lo; /* Counter cleared */
+- __be32 rx_bytes; /* Rx bytes */
+- __be32 tx_bytes; /* Tx bytes */
+- __be32 rx_uc_pkts; /* Rx UC packets */
+- __be32 rx_mc_pkts; /* Rx MC packets */
+- __be32 rx_bc_pkts; /* Rx BC packets */
+- __be32 tx_uc_pkts; /* Tx UC packets */
+- __be32 tx_mc_pkts; /* Tx MC packets */
+- __be32 tx_bc_pkts; /* Tx BC packets */
++ __be64 cnt; /* Counter cleared */
++ __be64 rx_bytes; /* Rx bytes */
++ __be64 tx_bytes; /* Tx bytes */
++ __be64 rx_uc_pkts; /* Rx UC packets */
++ __be64 rx_mc_pkts; /* Rx MC packets */
++ __be64 rx_bc_pkts; /* Rx BC packets */
++ __be64 tx_uc_pkts; /* Tx UC packets */
++ __be64 tx_mc_pkts; /* Tx MC packets */
++ __be64 tx_bc_pkts; /* Tx BC packets */
+ __be32 fcs_err; /* FCS errors */
+ __be32 align_err; /* Alignment errors */
+ __be32 false_carrier; /* False carrier detection */
+@@ -290,11 +289,11 @@ struct ncsi_rsp_gcps_pkt {
+ __be32 tx_1023_frames; /* Tx 512-1023 bytes frames */
+ __be32 tx_1522_frames; /* Tx 1024-1522 bytes frames */
+ __be32 tx_9022_frames; /* Tx 1523-9022 bytes frames */
+- __be32 rx_valid_bytes; /* Rx valid bytes */
++ __be64 rx_valid_bytes; /* Rx valid bytes */
+ __be32 rx_runt_pkts; /* Rx error runt packets */
+ __be32 rx_jabber_pkts; /* Rx error jabber packets */
+ __be32 checksum; /* Checksum */
+-};
++} __packed __aligned(4);
+
+ /* Get NCSI Statistics */
+ struct ncsi_rsp_gns_pkt {
+diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c
+index 4a8ce2949faea..8668888c5a2f9 100644
+--- a/net/ncsi/ncsi-rsp.c
++++ b/net/ncsi/ncsi-rsp.c
+@@ -926,16 +926,15 @@ static int ncsi_rsp_handler_gcps(struct ncsi_request *nr)
+
+ /* Update HNC's statistics */
+ ncs = &nc->stats;
+- ncs->hnc_cnt_hi = ntohl(rsp->cnt_hi);
+- ncs->hnc_cnt_lo = ntohl(rsp->cnt_lo);
+- ncs->hnc_rx_bytes = ntohl(rsp->rx_bytes);
+- ncs->hnc_tx_bytes = ntohl(rsp->tx_bytes);
+- ncs->hnc_rx_uc_pkts = ntohl(rsp->rx_uc_pkts);
+- ncs->hnc_rx_mc_pkts = ntohl(rsp->rx_mc_pkts);
+- ncs->hnc_rx_bc_pkts = ntohl(rsp->rx_bc_pkts);
+- ncs->hnc_tx_uc_pkts = ntohl(rsp->tx_uc_pkts);
+- ncs->hnc_tx_mc_pkts = ntohl(rsp->tx_mc_pkts);
+- ncs->hnc_tx_bc_pkts = ntohl(rsp->tx_bc_pkts);
++ ncs->hnc_cnt = be64_to_cpu(rsp->cnt);
++ ncs->hnc_rx_bytes = be64_to_cpu(rsp->rx_bytes);
++ ncs->hnc_tx_bytes = be64_to_cpu(rsp->tx_bytes);
++ ncs->hnc_rx_uc_pkts = be64_to_cpu(rsp->rx_uc_pkts);
++ ncs->hnc_rx_mc_pkts = be64_to_cpu(rsp->rx_mc_pkts);
++ ncs->hnc_rx_bc_pkts = be64_to_cpu(rsp->rx_bc_pkts);
++ ncs->hnc_tx_uc_pkts = be64_to_cpu(rsp->tx_uc_pkts);
++ ncs->hnc_tx_mc_pkts = be64_to_cpu(rsp->tx_mc_pkts);
++ ncs->hnc_tx_bc_pkts = be64_to_cpu(rsp->tx_bc_pkts);
+ ncs->hnc_fcs_err = ntohl(rsp->fcs_err);
+ ncs->hnc_align_err = ntohl(rsp->align_err);
+ ncs->hnc_false_carrier = ntohl(rsp->false_carrier);
+@@ -964,7 +963,7 @@ static int ncsi_rsp_handler_gcps(struct ncsi_request *nr)
+ ncs->hnc_tx_1023_frames = ntohl(rsp->tx_1023_frames);
+ ncs->hnc_tx_1522_frames = ntohl(rsp->tx_1522_frames);
+ ncs->hnc_tx_9022_frames = ntohl(rsp->tx_9022_frames);
+- ncs->hnc_rx_valid_bytes = ntohl(rsp->rx_valid_bytes);
++ ncs->hnc_rx_valid_bytes = be64_to_cpu(rsp->rx_valid_bytes);
+ ncs->hnc_rx_runt_pkts = ntohl(rsp->rx_runt_pkts);
+ ncs->hnc_rx_jabber_pkts = ntohl(rsp->rx_jabber_pkts);
+
+--
+2.39.5
+
--- /dev/null
+From c373208ad2ac30194026c3240d7b1fddf3b8d1c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 May 2025 03:41:43 +0000
+Subject: net: openvswitch: Fix the dead loop of MPLS parse
+
+From: Faicker Mo <faicker.mo@zenlayer.com>
+
+[ Upstream commit 0bdc924bfb319fb10d1113cbf091fc26fb7b1f99 ]
+
+The unexpected MPLS packet may not end with the bottom label stack.
+When there are many stacks, The label count value has wrapped around.
+A dead loop occurs, soft lockup/CPU stuck finally.
+
+stack backtrace:
+UBSAN: array-index-out-of-bounds in /build/linux-0Pa0xK/linux-5.15.0/net/openvswitch/flow.c:662:26
+index -1 is out of range for type '__be32 [3]'
+CPU: 34 PID: 0 Comm: swapper/34 Kdump: loaded Tainted: G OE 5.15.0-121-generic #131-Ubuntu
+Hardware name: Dell Inc. PowerEdge C6420/0JP9TF, BIOS 2.12.2 07/14/2021
+Call Trace:
+ <IRQ>
+ show_stack+0x52/0x5c
+ dump_stack_lvl+0x4a/0x63
+ dump_stack+0x10/0x16
+ ubsan_epilogue+0x9/0x36
+ __ubsan_handle_out_of_bounds.cold+0x44/0x49
+ key_extract_l3l4+0x82a/0x840 [openvswitch]
+ ? kfree_skbmem+0x52/0xa0
+ key_extract+0x9c/0x2b0 [openvswitch]
+ ovs_flow_key_extract+0x124/0x350 [openvswitch]
+ ovs_vport_receive+0x61/0xd0 [openvswitch]
+ ? kernel_init_free_pages.part.0+0x4a/0x70
+ ? get_page_from_freelist+0x353/0x540
+ netdev_port_receive+0xc4/0x180 [openvswitch]
+ ? netdev_port_receive+0x180/0x180 [openvswitch]
+ netdev_frame_hook+0x1f/0x40 [openvswitch]
+ __netif_receive_skb_core.constprop.0+0x23a/0xf00
+ __netif_receive_skb_list_core+0xfa/0x240
+ netif_receive_skb_list_internal+0x18e/0x2a0
+ napi_complete_done+0x7a/0x1c0
+ bnxt_poll+0x155/0x1c0 [bnxt_en]
+ __napi_poll+0x30/0x180
+ net_rx_action+0x126/0x280
+ ? bnxt_msix+0x67/0x80 [bnxt_en]
+ handle_softirqs+0xda/0x2d0
+ irq_exit_rcu+0x96/0xc0
+ common_interrupt+0x8e/0xa0
+ </IRQ>
+
+Fixes: fbdcdd78da7c ("Change in Openvswitch to support MPLS label depth of 3 in ingress direction")
+Signed-off-by: Faicker Mo <faicker.mo@zenlayer.com>
+Acked-by: Ilya Maximets <i.maximets@ovn.org>
+Reviewed-by: Aaron Conole <aconole@redhat.com>
+Link: https://patch.msgid.link/259D3404-575D-4A6D-B263-1DF59A67CF89@zenlayer.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/openvswitch/flow.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c
+index 209b42cf5aeaf..52ba0e7721cd6 100644
+--- a/net/openvswitch/flow.c
++++ b/net/openvswitch/flow.c
+@@ -644,7 +644,7 @@ static int key_extract_l3l4(struct sk_buff *skb, struct sw_flow_key *key)
+ memset(&key->ipv4, 0, sizeof(key->ipv4));
+ }
+ } else if (eth_p_mpls(key->eth.type)) {
+- u8 label_count = 1;
++ size_t label_count = 1;
+
+ memset(&key->mpls, 0, sizeof(key->mpls));
+ skb_set_inner_network_header(skb, skb->mac_len);
+--
+2.39.5
+
--- /dev/null
+From 89dfa525b461b699a7dcd0278da560036c2ddf80 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 May 2025 10:27:16 +0200
+Subject: net: phy: mscc: Stop clearing the the UDPv4 checksum for L2 frames
+
+From: Horatiu Vultur <horatiu.vultur@microchip.com>
+
+[ Upstream commit 57a92d14659df3e7e7e0052358c8cc68bbbc3b5e ]
+
+We have noticed that when PHY timestamping is enabled, L2 frames seems
+to be modified by changing two 2 bytes with a value of 0. The place were
+these 2 bytes seems to be random(or I couldn't find a pattern). In most
+of the cases the userspace can ignore these frames but if for example
+those 2 bytes are in the correction field there is nothing to do. This
+seems to happen when configuring the HW for IPv4 even that the flow is
+not enabled.
+These 2 bytes correspond to the UDPv4 checksum and once we don't enable
+clearing the checksum when using L2 frames then the frame doesn't seem
+to be changed anymore.
+
+Fixes: 7d272e63e0979d ("net: phy: mscc: timestamping and PHC support")
+Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
+Link: https://patch.msgid.link/20250523082716.2935895-1-horatiu.vultur@microchip.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/mscc/mscc_ptp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/mscc/mscc_ptp.c b/drivers/net/phy/mscc/mscc_ptp.c
+index edb951695b13e..7a3a8cce02d3d 100644
+--- a/drivers/net/phy/mscc/mscc_ptp.c
++++ b/drivers/net/phy/mscc/mscc_ptp.c
+@@ -943,7 +943,9 @@ static int vsc85xx_ip1_conf(struct phy_device *phydev, enum ts_blk blk,
+ /* UDP checksum offset in IPv4 packet
+ * according to: https://tools.ietf.org/html/rfc768
+ */
+- val |= IP1_NXT_PROT_UDP_CHKSUM_OFF(26) | IP1_NXT_PROT_UDP_CHKSUM_CLEAR;
++ val |= IP1_NXT_PROT_UDP_CHKSUM_OFF(26);
++ if (enable)
++ val |= IP1_NXT_PROT_UDP_CHKSUM_CLEAR;
+ vsc85xx_ts_write_csr(phydev, blk, MSCC_ANA_IP1_NXT_PROT_UDP_CHKSUM,
+ val);
+
+--
+2.39.5
+
--- /dev/null
+From 4c1f0ec41288c65c3948d6642bb0ad4174fa12bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 May 2025 13:56:23 +0200
+Subject: net: stmmac: platform: guarantee uniqueness of bus_id
+
+From: Quentin Schulz <quentin.schulz@cherry.de>
+
+[ Upstream commit eb7fd7aa35bfcc1e1fda4ecc42ccfcb526cdc780 ]
+
+bus_id is currently derived from the ethernetX alias. If one is missing
+for the device, 0 is used. If ethernet0 points to another stmmac device
+or if there are 2+ stmmac devices without an ethernet alias, then bus_id
+will be 0 for all of those.
+
+This is an issue because the bus_id is used to generate the mdio bus id
+(new_bus->id in drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c
+stmmac_mdio_register) and this needs to be unique.
+
+This allows to avoid needing to define ethernet aliases for devices with
+multiple stmmac controllers (such as the Rockchip RK3588) for multiple
+stmmac devices to probe properly.
+
+Obviously, the bus_id isn't guaranteed to be stable across reboots if no
+alias is set for the device but that is easily fixed by simply adding an
+alias if this is desired.
+
+Fixes: 25c83b5c2e82 ("dt:net:stmmac: Add support to dwmac version 3.610 and 3.710")
+Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
+Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Link: https://patch.msgid.link/20250527-stmmac-mdio-bus_id-v2-1-a5ca78454e3c@cherry.de
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
+index 36b013b9d99e6..d6327c8fd35c6 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
+@@ -417,6 +417,7 @@ stmmac_probe_config_dt(struct platform_device *pdev, u8 *mac)
+ struct device_node *np = pdev->dev.of_node;
+ struct plat_stmmacenet_data *plat;
+ struct stmmac_dma_cfg *dma_cfg;
++ static int bus_id = -ENODEV;
+ int phy_mode;
+ void *ret;
+ int rc;
+@@ -453,8 +454,14 @@ stmmac_probe_config_dt(struct platform_device *pdev, u8 *mac)
+ of_property_read_u32(np, "max-speed", &plat->max_speed);
+
+ plat->bus_id = of_alias_get_id(np, "ethernet");
+- if (plat->bus_id < 0)
+- plat->bus_id = 0;
++ if (plat->bus_id < 0) {
++ if (bus_id < 0)
++ bus_id = of_alias_get_highest_id("ethernet");
++ /* No ethernet alias found, init at -1 so first bus_id is 0 */
++ if (bus_id < 0)
++ bus_id = -1;
++ plat->bus_id = ++bus_id;
++ }
+
+ /* Default to phy auto-detection */
+ plat->phy_addr = -1;
+--
+2.39.5
+
--- /dev/null
+From d7148e20c674dfc2bef74b483789125246c84071 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 May 2025 16:35:44 +0000
+Subject: net: tipc: fix refcount warning in tipc_aead_encrypt
+
+From: Charalampos Mitrodimas <charmitro@posteo.net>
+
+[ Upstream commit f29ccaa07cf3d35990f4d25028cc55470d29372b ]
+
+syzbot reported a refcount warning [1] caused by calling get_net() on
+a network namespace that is being destroyed (refcount=0). This happens
+when a TIPC discovery timer fires during network namespace cleanup.
+
+The recently added get_net() call in commit e279024617134 ("net/tipc:
+fix slab-use-after-free Read in tipc_aead_encrypt_done") attempts to
+hold a reference to the network namespace. However, if the namespace
+is already being destroyed, its refcount might be zero, leading to the
+use-after-free warning.
+
+Replace get_net() with maybe_get_net(), which safely checks if the
+refcount is non-zero before incrementing it. If the namespace is being
+destroyed, return -ENODEV early, after releasing the bearer reference.
+
+[1]: https://lore.kernel.org/all/68342b55.a70a0220.253bc2.0091.GAE@google.com/T/#m12019cf9ae77e1954f666914640efa36d52704a2
+
+Reported-by: syzbot+f0c4a4aba757549ae26c@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/68342b55.a70a0220.253bc2.0091.GAE@google.com/T/#m12019cf9ae77e1954f666914640efa36d52704a2
+Fixes: e27902461713 ("net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done")
+Signed-off-by: Charalampos Mitrodimas <charmitro@posteo.net>
+Reviewed-by: Tung Nguyen <tung.quang.nguyen@est.tech>
+Link: https://patch.msgid.link/20250527-net-tipc-warning-v2-1-df3dc398a047@posteo.net
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/crypto.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c
+index 35e0ffa1bd84b..07f35c48bd3a2 100644
+--- a/net/tipc/crypto.c
++++ b/net/tipc/crypto.c
+@@ -829,7 +829,11 @@ static int tipc_aead_encrypt(struct tipc_aead *aead, struct sk_buff *skb,
+ }
+
+ /* Get net to avoid freed tipc_crypto when delete namespace */
+- get_net(aead->crypto->net);
++ if (!maybe_get_net(aead->crypto->net)) {
++ tipc_bearer_put(b);
++ rc = -ENODEV;
++ goto exit;
++ }
+
+ /* Now, do encrypt */
+ rc = crypto_aead_encrypt(req);
+--
+2.39.5
+
--- /dev/null
+From 85afb327a48db0dbc7cbe43fe6a5067842dba98a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 May 2025 14:32:39 +0300
+Subject: net: usb: aqc111: fix error handling of usbnet read calls
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+[ Upstream commit 405b0d610745fb5e84fc2961d9b960abb9f3d107 ]
+
+Syzkaller, courtesy of syzbot, identified an error (see report [1]) in
+aqc111 driver, caused by incomplete sanitation of usb read calls'
+results. This problem is quite similar to the one fixed in commit
+920a9fa27e78 ("net: asix: add proper error handling of usb read errors").
+
+For instance, usbnet_read_cmd() may read fewer than 'size' bytes,
+even if the caller expected the full amount, and aqc111_read_cmd()
+will not check its result properly. As [1] shows, this may lead
+to MAC address in aqc111_bind() being only partly initialized,
+triggering KMSAN warnings.
+
+Fix the issue by verifying that the number of bytes read is
+as expected and not less.
+
+[1] Partial syzbot report:
+BUG: KMSAN: uninit-value in is_valid_ether_addr include/linux/etherdevice.h:208 [inline]
+BUG: KMSAN: uninit-value in usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830
+ is_valid_ether_addr include/linux/etherdevice.h:208 [inline]
+ usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830
+ usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396
+ call_driver_probe drivers/base/dd.c:-1 [inline]
+ really_probe+0x4d1/0xd90 drivers/base/dd.c:658
+ __driver_probe_device+0x268/0x380 drivers/base/dd.c:800
+...
+
+Uninit was stored to memory at:
+ dev_addr_mod+0xb0/0x550 net/core/dev_addr_lists.c:582
+ __dev_addr_set include/linux/netdevice.h:4874 [inline]
+ eth_hw_addr_set include/linux/etherdevice.h:325 [inline]
+ aqc111_bind+0x35f/0x1150 drivers/net/usb/aqc111.c:717
+ usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772
+ usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396
+...
+
+Uninit was stored to memory at:
+ ether_addr_copy include/linux/etherdevice.h:305 [inline]
+ aqc111_read_perm_mac drivers/net/usb/aqc111.c:663 [inline]
+ aqc111_bind+0x794/0x1150 drivers/net/usb/aqc111.c:713
+ usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772
+ usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396
+ call_driver_probe drivers/base/dd.c:-1 [inline]
+...
+
+Local variable buf.i created at:
+ aqc111_read_perm_mac drivers/net/usb/aqc111.c:656 [inline]
+ aqc111_bind+0x221/0x1150 drivers/net/usb/aqc111.c:713
+ usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772
+
+Reported-by: syzbot+3b6b9ff7b80430020c7b@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=3b6b9ff7b80430020c7b
+Tested-by: syzbot+3b6b9ff7b80430020c7b@syzkaller.appspotmail.com
+Fixes: df2d59a2ab6c ("net: usb: aqc111: Add support for getting and setting of MAC address")
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Link: https://patch.msgid.link/20250520113240.2369438-1-n.zhandarovich@fintech.ru
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/aqc111.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/usb/aqc111.c b/drivers/net/usb/aqc111.c
+index 4b48a5c09bd49..a67960bea770b 100644
+--- a/drivers/net/usb/aqc111.c
++++ b/drivers/net/usb/aqc111.c
+@@ -30,10 +30,13 @@ static int aqc111_read_cmd_nopm(struct usbnet *dev, u8 cmd, u16 value,
+ ret = usbnet_read_cmd_nopm(dev, cmd, USB_DIR_IN | USB_TYPE_VENDOR |
+ USB_RECIP_DEVICE, value, index, data, size);
+
+- if (unlikely(ret < 0))
++ if (unlikely(ret < size)) {
++ ret = ret < 0 ? ret : -ENODATA;
++
+ netdev_warn(dev->net,
+ "Failed to read(0x%x) reg index 0x%04x: %d\n",
+ cmd, index, ret);
++ }
+
+ return ret;
+ }
+@@ -46,10 +49,13 @@ static int aqc111_read_cmd(struct usbnet *dev, u8 cmd, u16 value,
+ ret = usbnet_read_cmd(dev, cmd, USB_DIR_IN | USB_TYPE_VENDOR |
+ USB_RECIP_DEVICE, value, index, data, size);
+
+- if (unlikely(ret < 0))
++ if (unlikely(ret < size)) {
++ ret = ret < 0 ? ret : -ENODATA;
++
+ netdev_warn(dev->net,
+ "Failed to read(0x%x) reg index 0x%04x: %d\n",
+ cmd, index, ret);
++ }
+
+ return ret;
+ }
+--
+2.39.5
+
--- /dev/null
+From 5dbd7c5e243fd639c2b7a9e5f0f25c92ec49e31e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Apr 2025 17:29:53 +0800
+Subject: netfilter: bridge: Move specific fragmented packet to slow_path
+ instead of dropping it
+
+From: Huajian Yang <huajianyang@asrmicro.com>
+
+[ Upstream commit aa04c6f45b9224b949aa35d4fa5f8d0ba07b23d4 ]
+
+The config NF_CONNTRACK_BRIDGE will change the bridge forwarding for
+fragmented packets.
+
+The original bridge does not know that it is a fragmented packet and
+forwards it directly, after NF_CONNTRACK_BRIDGE is enabled, function
+nf_br_ip_fragment and br_ip6_fragment will check the headroom.
+
+In original br_forward, insufficient headroom of skb may indeed exist,
+but there's still a way to save the skb in the device driver after
+dev_queue_xmit.So droping the skb will change the original bridge
+forwarding in some cases.
+
+Fixes: 3c171f496ef5 ("netfilter: bridge: add connection tracking system")
+Signed-off-by: Huajian Yang <huajianyang@asrmicro.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/netfilter/nf_conntrack_bridge.c | 12 ++++++------
+ net/ipv6/netfilter.c | 12 ++++++------
+ 2 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/net/bridge/netfilter/nf_conntrack_bridge.c b/net/bridge/netfilter/nf_conntrack_bridge.c
+index fbdb1ad448c3a..c63ad63db25ed 100644
+--- a/net/bridge/netfilter/nf_conntrack_bridge.c
++++ b/net/bridge/netfilter/nf_conntrack_bridge.c
+@@ -59,19 +59,19 @@ static int nf_br_ip_fragment(struct net *net, struct sock *sk,
+ struct ip_fraglist_iter iter;
+ struct sk_buff *frag;
+
+- if (first_len - hlen > mtu ||
+- skb_headroom(skb) < ll_rs)
++ if (first_len - hlen > mtu)
+ goto blackhole;
+
+- if (skb_cloned(skb))
++ if (skb_cloned(skb) ||
++ skb_headroom(skb) < ll_rs)
+ goto slow_path;
+
+ skb_walk_frags(skb, frag) {
+- if (frag->len > mtu ||
+- skb_headroom(frag) < hlen + ll_rs)
++ if (frag->len > mtu)
+ goto blackhole;
+
+- if (skb_shared(frag))
++ if (skb_shared(frag) ||
++ skb_headroom(frag) < hlen + ll_rs)
+ goto slow_path;
+ }
+
+diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
+index 118e834e91902..064163b41cbf6 100644
+--- a/net/ipv6/netfilter.c
++++ b/net/ipv6/netfilter.c
+@@ -163,20 +163,20 @@ int br_ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
+ struct ip6_fraglist_iter iter;
+ struct sk_buff *frag2;
+
+- if (first_len - hlen > mtu ||
+- skb_headroom(skb) < (hroom + sizeof(struct frag_hdr)))
++ if (first_len - hlen > mtu)
+ goto blackhole;
+
+- if (skb_cloned(skb))
++ if (skb_cloned(skb) ||
++ skb_headroom(skb) < (hroom + sizeof(struct frag_hdr)))
+ goto slow_path;
+
+ skb_walk_frags(skb, frag2) {
+- if (frag2->len > mtu ||
+- skb_headroom(frag2) < (hlen + hroom + sizeof(struct frag_hdr)))
++ if (frag2->len > mtu)
+ goto blackhole;
+
+ /* Partially cloned skb? */
+- if (skb_shared(frag2))
++ if (skb_shared(frag2) ||
++ skb_headroom(frag2) < (hlen + hroom + sizeof(struct frag_hdr)))
+ goto slow_path;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From f5650bd0bc83300b536be45480f13af1685963e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 May 2025 14:20:44 +0200
+Subject: netfilter: nf_set_pipapo_avx2: fix initial map fill
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit ea77c397bff8b6d59f6d83dae1425b08f465e8b5 ]
+
+If the first field doesn't cover the entire start map, then we must zero
+out the remainder, else we leak those bits into the next match round map.
+
+The early fix was incomplete and did only fix up the generic C
+implementation.
+
+A followup patch adds a test case to nft_concat_range.sh.
+
+Fixes: 791a615b7ad2 ("netfilter: nf_set_pipapo: fix initial map fill")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_set_pipapo_avx2.c | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c
+index ecabe66368eab..cf5683afaf833 100644
+--- a/net/netfilter/nft_set_pipapo_avx2.c
++++ b/net/netfilter/nft_set_pipapo_avx2.c
+@@ -1115,6 +1115,25 @@ bool nft_pipapo_avx2_estimate(const struct nft_set_desc *desc, u32 features,
+ return true;
+ }
+
++/**
++ * pipapo_resmap_init_avx2() - Initialise result map before first use
++ * @m: Matching data, including mapping table
++ * @res_map: Result map
++ *
++ * Like pipapo_resmap_init() but do not set start map bits covered by the first field.
++ */
++static inline void pipapo_resmap_init_avx2(const struct nft_pipapo_match *m, unsigned long *res_map)
++{
++ const struct nft_pipapo_field *f = m->f;
++ int i;
++
++ /* Starting map doesn't need to be set to all-ones for this implementation,
++ * but we do need to zero the remaining bits, if any.
++ */
++ for (i = f->bsize; i < m->bsize_max; i++)
++ res_map[i] = 0ul;
++}
++
+ /**
+ * nft_pipapo_avx2_lookup() - Lookup function for AVX2 implementation
+ * @net: Network namespace
+@@ -1173,7 +1192,7 @@ bool nft_pipapo_avx2_lookup(const struct net *net, const struct nft_set *set,
+ res = scratch->map + (map_index ? m->bsize_max : 0);
+ fill = scratch->map + (map_index ? 0 : m->bsize_max);
+
+- /* Starting map doesn't need to be set for this implementation */
++ pipapo_resmap_init_avx2(m, res);
+
+ nft_pipapo_avx2_prepare();
+
+--
+2.39.5
+
--- /dev/null
+From 4990beacdc39cd0b23cb2394c243235934b3d979 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 May 2025 11:38:47 +0200
+Subject: netfilter: nf_tables: nft_fib_ipv6: fix VRF ipv4/ipv6 result
+ discrepancy
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 8b53f46eb430fe5b42d485873b85331d2de2c469 ]
+
+With a VRF, ipv4 and ipv6 FIB expression behave differently.
+
+ fib daddr . iif oif
+
+Will return the input interface name for ipv4, but the real device
+for ipv6. Example:
+
+If VRF device name is tvrf and real (incoming) device is veth0.
+First round is ok, both ipv4 and ipv6 will yield 'veth0'.
+
+But in the second round (incoming device will be set to "tvrf"), ipv4
+will yield "tvrf" whereas ipv6 returns "veth0" for the second round too.
+
+This makes ipv6 behave like ipv4.
+
+A followup patch will add a test case for this, without this change
+it will fail with:
+ get element inet t fibif6iif { tvrf . dead:1::99 . tvrf }
+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+ FAIL: did not find tvrf . dead:1::99 . tvrf in fibif6iif
+
+Alternatively we could either not do anything at all or change
+ipv4 to also return the lower/real device, however, nft (userspace)
+doc says "iif: if fib lookup provides a route then check its output
+interface is identical to the packets input interface." which is what
+the nft fib ipv4 behaviour is.
+
+Fixes: f6d0cbcf09c5 ("netfilter: nf_tables: add fib expression")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/netfilter/nft_fib_ipv6.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv6/netfilter/nft_fib_ipv6.c b/net/ipv6/netfilter/nft_fib_ipv6.c
+index 1a08b00aa3213..b7e543d4d57be 100644
+--- a/net/ipv6/netfilter/nft_fib_ipv6.c
++++ b/net/ipv6/netfilter/nft_fib_ipv6.c
+@@ -154,6 +154,7 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs,
+ {
+ const struct nft_fib *priv = nft_expr_priv(expr);
+ int noff = skb_network_offset(pkt->skb);
++ const struct net_device *found = NULL;
+ const struct net_device *oif = NULL;
+ u32 *dest = ®s->data[priv->dreg];
+ struct ipv6hdr *iph, _iph;
+@@ -198,11 +199,15 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs,
+ if (rt->rt6i_flags & (RTF_REJECT | RTF_ANYCAST | RTF_LOCAL))
+ goto put_rt_err;
+
+- if (oif && oif != rt->rt6i_idev->dev &&
+- l3mdev_master_ifindex_rcu(rt->rt6i_idev->dev) != oif->ifindex)
+- goto put_rt_err;
++ if (!oif) {
++ found = rt->rt6i_idev->dev;
++ } else {
++ if (oif == rt->rt6i_idev->dev ||
++ l3mdev_master_ifindex_rcu(rt->rt6i_idev->dev) == oif->ifindex)
++ found = oif;
++ }
+
+- nft_fib_store_result(dest, priv, rt->rt6i_idev->dev);
++ nft_fib_store_result(dest, priv, found);
+ put_rt_err:
+ ip6_rt_put(rt);
+ }
+--
+2.39.5
+
--- /dev/null
+From 96ef304dbaa59e331e59f4100c115f4b500aae4d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Apr 2025 15:49:30 +0000
+Subject: netfilter: nft_quota: match correctly when the quota just depleted
+
+From: Zhongqiu Duan <dzq.aishenghu0@gmail.com>
+
+[ Upstream commit bfe7cfb65c753952735c3eed703eba9a8b96a18d ]
+
+The xt_quota compares skb length with remaining quota, but the nft_quota
+compares it with consumed bytes.
+
+The xt_quota can match consumed bytes up to quota at maximum. But the
+nft_quota break match when consumed bytes equal to quota.
+
+i.e., nft_quota match consumed bytes in [0, quota - 1], not [0, quota].
+
+Fixes: 795595f68d6c ("netfilter: nft_quota: dump consumed quota")
+Signed-off-by: Zhongqiu Duan <dzq.aishenghu0@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_quota.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/net/netfilter/nft_quota.c b/net/netfilter/nft_quota.c
+index 586a6df645bcb..c2b5bcc7ac056 100644
+--- a/net/netfilter/nft_quota.c
++++ b/net/netfilter/nft_quota.c
+@@ -19,10 +19,16 @@ struct nft_quota {
+ };
+
+ static inline bool nft_overquota(struct nft_quota *priv,
+- const struct sk_buff *skb)
++ const struct sk_buff *skb,
++ bool *report)
+ {
+- return atomic64_add_return(skb->len, priv->consumed) >=
+- atomic64_read(&priv->quota);
++ u64 consumed = atomic64_add_return(skb->len, priv->consumed);
++ u64 quota = atomic64_read(&priv->quota);
++
++ if (report)
++ *report = consumed >= quota;
++
++ return consumed > quota;
+ }
+
+ static inline bool nft_quota_invert(struct nft_quota *priv)
+@@ -34,7 +40,7 @@ static inline void nft_quota_do_eval(struct nft_quota *priv,
+ struct nft_regs *regs,
+ const struct nft_pktinfo *pkt)
+ {
+- if (nft_overquota(priv, pkt->skb) ^ nft_quota_invert(priv))
++ if (nft_overquota(priv, pkt->skb, NULL) ^ nft_quota_invert(priv))
+ regs->verdict.code = NFT_BREAK;
+ }
+
+@@ -51,13 +57,13 @@ static void nft_quota_obj_eval(struct nft_object *obj,
+ const struct nft_pktinfo *pkt)
+ {
+ struct nft_quota *priv = nft_obj_data(obj);
+- bool overquota;
++ bool overquota, report;
+
+- overquota = nft_overquota(priv, pkt->skb);
++ overquota = nft_overquota(priv, pkt->skb, &report);
+ if (overquota ^ nft_quota_invert(priv))
+ regs->verdict.code = NFT_BREAK;
+
+- if (overquota &&
++ if (report &&
+ !test_and_set_bit(NFT_QUOTA_DEPLETED_BIT, &priv->flags))
+ nft_obj_notify(nft_net(pkt), obj->key.table, obj, 0, 0,
+ NFT_MSG_NEWOBJ, 0, nft_pf(pkt), 0, GFP_ATOMIC);
+--
+2.39.5
+
--- /dev/null
+From 14a5a1c4189e1a70f8abd38827d38d2b85e9bdfa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 May 2025 11:41:08 +0200
+Subject: netfilter: nft_tunnel: fix geneve_opt dump
+
+From: Fernando Fernandez Mancera <fmancera@suse.de>
+
+[ Upstream commit 22a9613de4c29d7d0770bfb8a5a9d73eb8df7dad ]
+
+When dumping a nft_tunnel with more than one geneve_opt configured the
+netlink attribute hierarchy should be as follow:
+
+ NFTA_TUNNEL_KEY_OPTS
+ |
+ |--NFTA_TUNNEL_KEY_OPTS_GENEVE
+ | |
+ | |--NFTA_TUNNEL_KEY_GENEVE_CLASS
+ | |--NFTA_TUNNEL_KEY_GENEVE_TYPE
+ | |--NFTA_TUNNEL_KEY_GENEVE_DATA
+ |
+ |--NFTA_TUNNEL_KEY_OPTS_GENEVE
+ | |
+ | |--NFTA_TUNNEL_KEY_GENEVE_CLASS
+ | |--NFTA_TUNNEL_KEY_GENEVE_TYPE
+ | |--NFTA_TUNNEL_KEY_GENEVE_DATA
+ |
+ |--NFTA_TUNNEL_KEY_OPTS_GENEVE
+ ...
+
+Otherwise, userspace tools won't be able to fetch the geneve options
+configured correctly.
+
+Fixes: 925d844696d9 ("netfilter: nft_tunnel: add support for geneve opts")
+Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_tunnel.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
+index cfe6cf1be4217..95f8230322289 100644
+--- a/net/netfilter/nft_tunnel.c
++++ b/net/netfilter/nft_tunnel.c
+@@ -588,10 +588,10 @@ static int nft_tunnel_opts_dump(struct sk_buff *skb,
+ struct geneve_opt *opt;
+ int offset = 0;
+
+- inner = nla_nest_start_noflag(skb, NFTA_TUNNEL_KEY_OPTS_GENEVE);
+- if (!inner)
+- goto failure;
+ while (opts->len > offset) {
++ inner = nla_nest_start_noflag(skb, NFTA_TUNNEL_KEY_OPTS_GENEVE);
++ if (!inner)
++ goto failure;
+ opt = (struct geneve_opt *)(opts->u.data + offset);
+ if (nla_put_be16(skb, NFTA_TUNNEL_KEY_GENEVE_CLASS,
+ opt->opt_class) ||
+@@ -601,8 +601,8 @@ static int nft_tunnel_opts_dump(struct sk_buff *skb,
+ opt->length * 4, opt->opt_data))
+ goto inner_failure;
+ offset += sizeof(*opt) + opt->length * 4;
++ nla_nest_end(skb, inner);
+ }
+- nla_nest_end(skb, inner);
+ }
+ nla_nest_end(skb, nest);
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From 85590bce7b09f3cbeb9db6b69aaf8170827ce9ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Mar 2025 21:05:32 +0800
+Subject: nfs: clear SB_RDONLY before getting superblock
+
+From: Li Lingfeng <lilingfeng3@huawei.com>
+
+[ Upstream commit 8cd9b785943c57a136536250da80ba1eb6f8eb18 ]
+
+As described in the link, commit 52cb7f8f1778 ("nfs: ignore SB_RDONLY when
+mounting nfs") removed the check for the ro flag when determining whether
+to share the superblock, which caused issues when mounting different
+subdirectories under the same export directory via NFSv3. However, this
+change did not affect NFSv4.
+
+For NFSv3:
+1) A single superblock is created for the initial mount.
+2) When mounted read-only, this superblock carries the SB_RDONLY flag.
+3) Before commit 52cb7f8f1778 ("nfs: ignore SB_RDONLY when mounting nfs"):
+Subsequent rw mounts would not share the existing ro superblock due to
+flag mismatch, creating a new superblock without SB_RDONLY.
+After the commit:
+ The SB_RDONLY flag is ignored during superblock comparison, and this leads
+ to sharing the existing superblock even for rw mounts.
+ Ultimately results in write operations being rejected at the VFS layer.
+
+For NFSv4:
+1) Multiple superblocks are created and the last one will be kept.
+2) The actually used superblock for ro mounts doesn't carry SB_RDONLY flag.
+Therefore, commit 52cb7f8f1778 doesn't affect NFSv4 mounts.
+
+Clear SB_RDONLY before getting superblock when NFS_MOUNT_UNSHARED is not
+set to fix it.
+
+Fixes: 52cb7f8f1778 ("nfs: ignore SB_RDONLY when mounting nfs")
+Closes: https://lore.kernel.org/all/12d7ea53-1202-4e21-a7ef-431c94758ce5@app.fastmail.com/T/
+Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
+Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/super.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/fs/nfs/super.c b/fs/nfs/super.c
+index f91cb1267b44e..aa11a6dcf6ce7 100644
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -1269,8 +1269,17 @@ int nfs_get_tree_common(struct fs_context *fc)
+ if (IS_ERR(server))
+ return PTR_ERR(server);
+
++ /*
++ * When NFS_MOUNT_UNSHARED is not set, NFS forces the sharing of a
++ * superblock among each filesystem that mounts sub-directories
++ * belonging to a single exported root path.
++ * To prevent interference between different filesystems, the
++ * SB_RDONLY flag should be removed from the superblock.
++ */
+ if (server->flags & NFS_MOUNT_UNSHARED)
+ compare_super = NULL;
++ else
++ fc->sb_flags &= ~SB_RDONLY;
+
+ /* -o noac implies -o sync */
+ if (server->flags & NFS_MOUNT_NOAC)
+--
+2.39.5
+
--- /dev/null
+From da5fa246ed99698417d89f558771c8717cfc6396 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Mar 2025 21:05:33 +0800
+Subject: nfs: ignore SB_RDONLY when remounting nfs
+
+From: Li Lingfeng <lilingfeng3@huawei.com>
+
+[ Upstream commit 80c4de6ab44c14e910117a02f2f8241ffc6ec54a ]
+
+In some scenarios, when mounting NFS, more than one superblock may be
+created. The final superblock used is the last one created, but only the
+first superblock carries the ro flag passed from user space. If a ro flag
+is added to the superblock via remount, it will trigger the issue
+described in Link[1].
+
+Link[2] attempted to address this by marking the superblock as ro during
+the initial mount. However, this introduced a new problem in scenarios
+where multiple mount points share the same superblock:
+[root@a ~]# mount /dev/sdb /mnt/sdb
+[root@a ~]# echo "/mnt/sdb *(rw,no_root_squash)" > /etc/exports
+[root@a ~]# echo "/mnt/sdb/test_dir2 *(ro,no_root_squash)" >> /etc/exports
+[root@a ~]# systemctl restart nfs-server
+[root@a ~]# mount -t nfs -o rw 127.0.0.1:/mnt/sdb/test_dir1 /mnt/test_mp1
+[root@a ~]# mount | grep nfs4
+127.0.0.1:/mnt/sdb/test_dir1 on /mnt/test_mp1 type nfs4 (rw,relatime,...
+[root@a ~]# mount -t nfs -o ro 127.0.0.1:/mnt/sdb/test_dir2 /mnt/test_mp2
+[root@a ~]# mount | grep nfs4
+127.0.0.1:/mnt/sdb/test_dir1 on /mnt/test_mp1 type nfs4 (ro,relatime,...
+127.0.0.1:/mnt/sdb/test_dir2 on /mnt/test_mp2 type nfs4 (ro,relatime,...
+[root@a ~]#
+
+When mounting the second NFS, the shared superblock is marked as ro,
+causing the previous NFS mount to become read-only.
+
+To resolve both issues, the ro flag is no longer applied to the superblock
+during remount. Instead, the ro flag on the mount is used to control
+whether the mount point is read-only.
+
+Fixes: 281cad46b34d ("NFS: Create a submount rpc_op")
+Link[1]: https://lore.kernel.org/all/20240604112636.236517-3-lilingfeng@huaweicloud.com/
+Link[2]: https://lore.kernel.org/all/20241130035818.1459775-1-lilingfeng3@huawei.com/
+Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
+Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/super.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/fs/nfs/super.c b/fs/nfs/super.c
+index aa11a6dcf6ce7..cc70800b9a4b2 100644
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -1017,6 +1017,16 @@ int nfs_reconfigure(struct fs_context *fc)
+
+ sync_filesystem(sb);
+
++ /*
++ * The SB_RDONLY flag has been removed from the superblock during
++ * mounts to prevent interference between different filesystems.
++ * Similarly, it is also necessary to ignore the SB_RDONLY flag
++ * during reconfiguration; otherwise, it may also result in the
++ * creation of redundant superblocks when mounting a directory with
++ * different rw and ro flags multiple times.
++ */
++ fc->sb_flags_mask &= ~SB_RDONLY;
++
+ /*
+ * Userspace mount programs that send binary options generally send
+ * them populated with default values. We have no way to know which
+--
+2.39.5
+
--- /dev/null
+From 1aeec5ca0cb1ade071d4b1c5b57e0e01e275405f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Apr 2025 02:37:07 +0900
+Subject: nilfs2: add pointer check for nilfs_direct_propagate()
+
+From: Wentao Liang <vulab@iscas.ac.cn>
+
+[ Upstream commit f43f02429295486059605997bc43803527d69791 ]
+
+Patch series "nilfs2: improve sanity checks in dirty state propagation".
+
+This fixes one missed check for block mapping anomalies and one improper
+return of an error code during a preparation step for log writing, thereby
+improving checking for filesystem corruption on writeback.
+
+This patch (of 2):
+
+In nilfs_direct_propagate(), the printer get from nilfs_direct_get_ptr()
+need to be checked to ensure it is not an invalid pointer.
+
+If the pointer value obtained by nilfs_direct_get_ptr() is
+NILFS_BMAP_INVALID_PTR, means that the metadata (in this case, i_bmap in
+the nilfs_inode_info struct) that should point to the data block at the
+buffer head of the argument is corrupted and the data block is orphaned,
+meaning that the file system has lost consistency.
+
+Add a value check and return -EINVAL when it is an invalid pointer.
+
+Link: https://lkml.kernel.org/r/20250428173808.6452-1-konishi.ryusuke@gmail.com
+Link: https://lkml.kernel.org/r/20250428173808.6452-2-konishi.ryusuke@gmail.com
+Fixes: 36a580eb489f ("nilfs2: direct block mapping")
+Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nilfs2/direct.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/nilfs2/direct.c b/fs/nilfs2/direct.c
+index 7faf8c285d6c9..a72371cd6b956 100644
+--- a/fs/nilfs2/direct.c
++++ b/fs/nilfs2/direct.c
+@@ -273,6 +273,9 @@ static int nilfs_direct_propagate(struct nilfs_bmap *bmap,
+ dat = nilfs_bmap_get_dat(bmap);
+ key = nilfs_bmap_data_get_key(bmap, bh);
+ ptr = nilfs_direct_get_ptr(bmap, key);
++ if (ptr == NILFS_BMAP_INVALID_PTR)
++ return -EINVAL;
++
+ if (!buffer_nilfs_volatile(bh)) {
+ oldreq.pr_entry_nr = ptr;
+ newreq.pr_entry_nr = ptr;
+--
+2.39.5
+
--- /dev/null
+From 23dff40879bf7382b6ba96cff91895ba6d7438ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Apr 2025 02:37:08 +0900
+Subject: nilfs2: do not propagate ENOENT error from nilfs_btree_propagate()
+
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+
+[ Upstream commit 8e39fbb1edbb4ec9d7c1124f403877fc167fcecd ]
+
+In preparation for writing logs, in nilfs_btree_propagate(), which makes
+parent and ancestor node blocks dirty starting from a modified data block
+or b-tree node block, if the starting block does not belong to the b-tree,
+i.e. is isolated, nilfs_btree_do_lookup() called within the function
+fails with -ENOENT.
+
+In this case, even though -ENOENT is an internal code, it is propagated to
+the log writer via nilfs_bmap_propagate() and may be erroneously returned
+to system calls such as fsync().
+
+Fix this issue by changing the error code to -EINVAL in this case, and
+having the bmap layer detect metadata corruption and convert the error
+code appropriately.
+
+Link: https://lkml.kernel.org/r/20250428173808.6452-3-konishi.ryusuke@gmail.com
+Fixes: 1f5abe7e7dbc ("nilfs2: replace BUG_ON and BUG calls triggerable from ioctl")
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Cc: Wentao Liang <vulab@iscas.ac.cn>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nilfs2/btree.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/nilfs2/btree.c b/fs/nilfs2/btree.c
+index 29f967fb7e9b6..b2abab4b28732 100644
+--- a/fs/nilfs2/btree.c
++++ b/fs/nilfs2/btree.c
+@@ -2096,11 +2096,13 @@ static int nilfs_btree_propagate(struct nilfs_bmap *btree,
+
+ ret = nilfs_btree_do_lookup(btree, path, key, NULL, level + 1, 0);
+ if (ret < 0) {
+- if (unlikely(ret == -ENOENT))
++ if (unlikely(ret == -ENOENT)) {
+ nilfs_crit(btree->b_inode->i_sb,
+ "writing node/leaf block does not appear in b-tree (ino=%lu) at key=%llu, level=%d",
+ btree->b_inode->i_ino,
+ (unsigned long long)key, level);
++ ret = -EINVAL;
++ }
+ goto out;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 1d4aa65f2201d44871d9c14045f28aac25c41e1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Apr 2025 09:56:27 +0300
+Subject: ocfs2: fix possible memory leak in ocfs2_finish_quota_recovery
+
+From: Murad Masimov <m.masimov@mt-integration.ru>
+
+[ Upstream commit cdc3ed3035d0fe934aa1d9b78ce256752fd3bb7d ]
+
+If ocfs2_finish_quota_recovery() exits due to an error before passing all
+rc_list elements to ocfs2_recover_local_quota_file() then it can lead to a
+memory leak as rc_list may still contain elements that have to be freed.
+
+Release all memory allocated by ocfs2_add_recovery_chunk() using
+ocfs2_free_quota_recovery() instead of kfree().
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Link: https://lkml.kernel.org/r/20250402065628.706359-2-m.masimov@mt-integration.ru
+Fixes: 2205363dce74 ("ocfs2: Implement quota recovery")
+Signed-off-by: Murad Masimov <m.masimov@mt-integration.ru>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/quota_local.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ocfs2/quota_local.c b/fs/ocfs2/quota_local.c
+index 1baa68c01c671..e199c54aeb0bc 100644
+--- a/fs/ocfs2/quota_local.c
++++ b/fs/ocfs2/quota_local.c
+@@ -671,7 +671,7 @@ int ocfs2_finish_quota_recovery(struct ocfs2_super *osb,
+ break;
+ }
+ out:
+- kfree(rec);
++ ocfs2_free_quota_recovery(rec);
+ return status;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 676b532e0f12d165c2c6695c19bbf46092468372 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Apr 2025 21:30:58 +0800
+Subject: PCI: cadence: Fix runtime atomic count underflow
+
+From: Hans Zhang <18255117159@163.com>
+
+[ Upstream commit 8805f32a96d3b97cef07999fa6f52112678f7e65 ]
+
+If the call to pci_host_probe() in cdns_pcie_host_setup() fails, PM
+runtime count is decremented in the error path using pm_runtime_put_sync().
+But the runtime count is not incremented by this driver, but only by the
+callers (cdns_plat_pcie_probe/j721e_pcie_probe). And the callers also
+decrement the runtime PM count in their error path. So this leads to the
+below warning from the PM core:
+
+ "runtime PM usage count underflow!"
+
+So fix it by getting rid of pm_runtime_put_sync() in the error path and
+directly return the errno.
+
+Fixes: 49e427e6bdd1 ("Merge branch 'pci/host-probe-refactor'")
+Signed-off-by: Hans Zhang <18255117159@163.com>
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Link: https://patch.msgid.link/20250419133058.162048-1-18255117159@163.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/cadence/pcie-cadence-host.c | 11 +----------
+ 1 file changed, 1 insertion(+), 10 deletions(-)
+
+diff --git a/drivers/pci/controller/cadence/pcie-cadence-host.c b/drivers/pci/controller/cadence/pcie-cadence-host.c
+index 4d8d15ac51ef4..c29176bdecd19 100644
+--- a/drivers/pci/controller/cadence/pcie-cadence-host.c
++++ b/drivers/pci/controller/cadence/pcie-cadence-host.c
+@@ -548,14 +548,5 @@ int cdns_pcie_host_setup(struct cdns_pcie_rc *rc)
+ if (!bridge->ops)
+ bridge->ops = &cdns_pcie_host_ops;
+
+- ret = pci_host_probe(bridge);
+- if (ret < 0)
+- goto err_init;
+-
+- return 0;
+-
+- err_init:
+- pm_runtime_put_sync(dev);
+-
+- return ret;
++ return pci_host_probe(bridge);
+ }
+--
+2.39.5
+
--- /dev/null
+From bb225433cdfa93a3201af85fdf10870804e4af12 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 May 2025 18:21:07 -0500
+Subject: PCI/DPC: Initialize aer_err_info before using it
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Bjorn Helgaas <bhelgaas@google.com>
+
+[ Upstream commit a424b598e6a6c1e69a2bb801d6fd16e805ab2c38 ]
+
+Previously the struct aer_err_info "info" was allocated on the stack
+without being initialized, so it contained junk except for the fields we
+explicitly set later.
+
+Initialize "info" at declaration so it starts as all zeros.
+
+Fixes: 8aefa9b0d910 ("PCI/DPC: Print AER status in DPC event handling")
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Tested-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Link: https://patch.msgid.link/20250522232339.1525671-2-helgaas@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pcie/dpc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pci/pcie/dpc.c b/drivers/pci/pcie/dpc.c
+index ab83f78f3eb1d..cabbaacdb6e61 100644
+--- a/drivers/pci/pcie/dpc.c
++++ b/drivers/pci/pcie/dpc.c
+@@ -263,7 +263,7 @@ static int dpc_get_aer_uncorrect_severity(struct pci_dev *dev,
+ void dpc_process_error(struct pci_dev *pdev)
+ {
+ u16 cap = pdev->dpc_cap, status, source, reason, ext_reason;
+- struct aer_err_info info;
++ struct aer_err_info info = {};
+
+ pci_read_config_word(pdev, cap + PCI_EXP_DPC_STATUS, &status);
+ pci_read_config_word(pdev, cap + PCI_EXP_DPC_SOURCE_ID, &source);
+--
+2.39.5
+
--- /dev/null
+From 87386898a90e73e16d6a597df2f02e3785cace67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Apr 2025 11:37:20 -0300
+Subject: perf build: Warn when libdebuginfod devel files are not available
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit 4fce4b91fd1aabb326c46e237eb4b19ab72598f8 ]
+
+While working on 'perf version --build-options' I noticed that:
+
+ $ perf version --build-options
+ perf version 6.15.rc1.g312a07a00d31
+ aio: [ on ] # HAVE_AIO_SUPPORT
+ bpf: [ on ] # HAVE_LIBBPF_SUPPORT
+ bpf_skeletons: [ on ] # HAVE_BPF_SKEL
+ debuginfod: [ OFF ] # HAVE_DEBUGINFOD_SUPPORT
+ <SNIP>
+
+And looking at tools/perf/Makefile.config I also noticed that it is not
+opt-in, meaning we will attempt to build with it in all normal cases.
+
+So add the usual warning at build time to let the user know that
+something recommended is missing, now we see:
+
+ Makefile.config:563: No elfutils/debuginfod.h found, no debuginfo server support, please install elfutils-debuginfod-client-devel or equivalent
+
+And after following the recommendation:
+
+ $ perf check feature debuginfod
+ debuginfod: [ on ] # HAVE_DEBUGINFOD_SUPPORT
+ $ ldd ~/bin/perf | grep debuginfo
+ libdebuginfod.so.1 => /lib64/libdebuginfod.so.1 (0x00007fee5cf5f000)
+ $
+
+With this feature on several perf tools will fetch what is needed and
+not require all the contents of the debuginfo packages, for instance:
+
+ # rpm -qa | grep kernel-debuginfo
+ # pahole --running_kernel_vmlinux
+ pahole: couldn't find a vmlinux that matches the running kernel
+ HINT: Maybe you're inside a container or missing a debuginfo package?
+ #
+ # perf trace -e open* perf probe --vars icmp_rcv
+ 0.000 ( 0.005 ms): perf/97391 openat(dfd: CWD, filename: "/etc/ld.so.cache", flags: RDONLY|CLOEXEC) = 3
+ 0.014 ( 0.004 ms): perf/97391 openat(dfd: CWD, filename: "/lib64/libm.so.6", flags: RDONLY|CLOEXEC) = 3
+ <SNIP>
+ 32130.100 ( 0.008 ms): perf/97391 openat(dfd: CWD, filename: "/root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo") = 3
+ <SNIP>
+ Available variables at icmp_rcv
+ @<icmp_rcv+0>
+ struct sk_buff* skb
+ <SNIP>
+ #
+ # pahole --running_kernel_vmlinux
+ /root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo
+ # file /root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo
+ /root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=aa3c82b4a13f9c0e0301bebb20fe958c4db6f362, with debug_info, not stripped
+ # ls -la /root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo
+ -r--------. 1 root root 475401512 Mar 27 21:00 /root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo
+ #
+
+Then, cached:
+
+ # perf stat --null perf probe --vars icmp_rcv
+ Available variables at icmp_rcv
+ @<icmp_rcv+0>
+ struct sk_buff* skb
+
+ Performance counter stats for 'perf probe --vars icmp_rcv':
+
+ 0.671389041 seconds time elapsed
+
+ 0.519176000 seconds user
+ 0.150860000 seconds sys
+
+Fixes: c7a14fdcb3fa7736 ("perf build-ids: Fall back to debuginfod query if debuginfo not found")
+Tested-by: Ingo Molnar <mingo@kernel.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Dmitriy Vyukov <dvyukov@google.com>
+Cc: Howard Chu <howardchu95@gmail.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Frank Ch. Eigler <fche@redhat.com>
+Link: https://lore.kernel.org/r/Z_dkNDj9EPFwPqq1@gmail.com
+[ Folded patch from Ingo to have the debian/ubuntu devel package added build warning message ]
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/Makefile.config | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/perf/Makefile.config b/tools/perf/Makefile.config
+index 973c0d5ed8d8b..90cbbe2e90f9b 100644
+--- a/tools/perf/Makefile.config
++++ b/tools/perf/Makefile.config
+@@ -538,6 +538,8 @@ ifndef NO_LIBELF
+ ifeq ($(feature-libdebuginfod), 1)
+ CFLAGS += -DHAVE_DEBUGINFOD_SUPPORT
+ EXTLIBS += -ldebuginfod
++ else
++ $(warning No elfutils/debuginfod.h found, no debuginfo server support, please install libdebuginfod-dev/elfutils-debuginfod-client-devel or equivalent)
+ endif
+ endif
+
+--
+2.39.5
+
--- /dev/null
+From 15129bfe2b451fb4a04cd0955cab013f2a5750cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Apr 2025 22:16:35 +0800
+Subject: perf/core: Fix broken throttling when max_samples_per_tick=1
+
+From: Qing Wang <wangqing7171@gmail.com>
+
+[ Upstream commit f51972e6f8b9a737b2b3eb588069acb538fa72de ]
+
+According to the throttling mechanism, the pmu interrupts number can not
+exceed the max_samples_per_tick in one tick. But this mechanism is
+ineffective when max_samples_per_tick=1, because the throttling check is
+skipped during the first interrupt and only performed when the second
+interrupt arrives.
+
+Perhaps this bug may cause little influence in one tick, but if in a
+larger time scale, the problem can not be underestimated.
+
+When max_samples_per_tick = 1:
+Allowed-interrupts-per-second max-samples-per-second default-HZ ARCH
+200 100 100 X86
+500 250 250 ARM64
+...
+Obviously, the pmu interrupt number far exceed the user's expect.
+
+Fixes: e050e3f0a71b ("perf: Fix broken interrupt rate throttling")
+Signed-off-by: Qing Wang <wangqing7171@gmail.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/20250405141635.243786-3-wangqing7171@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/events/core.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index 520a890a2a6f7..cb0c8aa71c98b 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -9401,14 +9401,14 @@ __perf_event_account_interrupt(struct perf_event *event, int throttle)
+ hwc->interrupts = 1;
+ } else {
+ hwc->interrupts++;
+- if (unlikely(throttle &&
+- hwc->interrupts > max_samples_per_tick)) {
+- __this_cpu_inc(perf_throttled_count);
+- tick_dep_set_cpu(smp_processor_id(), TICK_DEP_BIT_PERF_EVENTS);
+- hwc->interrupts = MAX_INTERRUPTS;
+- perf_log_throttle(event, 0);
+- ret = 1;
+- }
++ }
++
++ if (unlikely(throttle && hwc->interrupts >= max_samples_per_tick)) {
++ __this_cpu_inc(perf_throttled_count);
++ tick_dep_set_cpu(smp_processor_id(), TICK_DEP_BIT_PERF_EVENTS);
++ hwc->interrupts = MAX_INTERRUPTS;
++ perf_log_throttle(event, 0);
++ ret = 1;
+ }
+
+ if (event->attr.freq) {
+--
+2.39.5
+
--- /dev/null
+From d84841402c81cf355c3ab88b2286e0a89a24c0a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Apr 2025 06:08:10 +0000
+Subject: perf record: Fix incorrect --user-regs comments
+
+From: Dapeng Mi <dapeng1.mi@linux.intel.com>
+
+[ Upstream commit a4a859eb6704a8aa46aa1cec5396c8d41383a26b ]
+
+The comment of "--user-regs" option is not correct, fix it.
+
+"on interrupt," -> "in user space,"
+
+Fixes: 84c417422798c897 ("perf record: Support direct --user-regs arguments")
+Reviewed-by: Ian Rogers <irogers@google.com>
+Signed-off-by: Dapeng Mi <dapeng1.mi@linux.intel.com>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20250403060810.196028-1-dapeng1.mi@linux.intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-record.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/builtin-record.c b/tools/perf/builtin-record.c
+index b92c26f6aa1d7..701592342d150 100644
+--- a/tools/perf/builtin-record.c
++++ b/tools/perf/builtin-record.c
+@@ -2547,7 +2547,7 @@ static struct option __record_options[] = {
+ "sample selected machine registers on interrupt,"
+ " use '-I?' to list register names", parse_intr_regs),
+ OPT_CALLBACK_OPTARG(0, "user-regs", &record.opts.sample_user_regs, NULL, "any register",
+- "sample selected machine registers on interrupt,"
++ "sample selected machine registers in user space,"
+ " use '--user-regs=?' to list register names", parse_user_regs),
+ OPT_BOOLEAN(0, "running-time", &record.opts.running_time,
+ "Record running/enabled time of read (:S) events"),
+--
+2.39.5
+
--- /dev/null
+From 9a98252b2c36d29d5b10527f5d85ba6934a4556e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 May 2025 12:39:32 +0300
+Subject: perf scripts python: exported-sql-viewer.py: Fix pattern matching
+ with Python 3
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+[ Upstream commit 17e548405a81665fd14cee960db7d093d1396400 ]
+
+The script allows the user to enter patterns to find symbols.
+
+The pattern matching characters are converted for use in SQL.
+
+For PostgreSQL the conversion involves using the Python maketrans()
+method which is slightly different in Python 3 compared with Python 2.
+
+Fix to work in Python 3.
+
+Fixes: beda0e725e5f06ac ("perf script python: Add Python3 support to exported-sql-viewer.py")
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Tony Jones <tonyj@suse.de>
+Link: https://lore.kernel.org/r/20250512093932.79854-4-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/scripts/python/exported-sql-viewer.py | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/scripts/python/exported-sql-viewer.py b/tools/perf/scripts/python/exported-sql-viewer.py
+index 13f2d8a816109..99742013676b3 100755
+--- a/tools/perf/scripts/python/exported-sql-viewer.py
++++ b/tools/perf/scripts/python/exported-sql-viewer.py
+@@ -680,7 +680,10 @@ class CallGraphModelBase(TreeModel):
+ s = value.replace("%", "\%")
+ s = s.replace("_", "\_")
+ # Translate * and ? into SQL LIKE pattern characters % and _
+- trans = string.maketrans("*?", "%_")
++ if sys.version_info[0] == 3:
++ trans = str.maketrans("*?", "%_")
++ else:
++ trans = string.maketrans("*?", "%_")
+ match = " LIKE '" + str(s).translate(trans) + "'"
+ else:
+ match = " GLOB '" + str(value) + "'"
+--
+2.39.5
+
--- /dev/null
+From 4543f1f5320f10617925e151130a4f57251829b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 Mar 2025 18:27:59 +0100
+Subject: perf tests switch-tracking: Fix timestamp comparison
+
+From: Leo Yan <leo.yan@arm.com>
+
+[ Upstream commit 628e124404b3db5e10e17228e680a2999018ab33 ]
+
+The test might fail on the Arm64 platform with the error:
+
+ # perf test -vvv "Track with sched_switch"
+ Missing sched_switch events
+ #
+
+The issue is caused by incorrect handling of timestamp comparisons. The
+comparison result, a signed 64-bit value, was being directly cast to an
+int, leading to incorrect sorting for sched events.
+
+The case does not fail everytime, usually I can trigger the failure
+after run 20 ~ 30 times:
+
+ # while true; do perf test "Track with sched_switch"; done
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : FAILED!
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : FAILED!
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+
+I used cross compiler to build Perf tool on my host machine and tested on
+Debian / Juno board. Generally, I think this issue is not very specific
+to GCC versions. As both internal CI and my local env can reproduce the
+issue.
+
+My Host Build compiler:
+
+ # aarch64-linux-gnu-gcc --version
+ aarch64-linux-gnu-gcc (Ubuntu 13.3.0-6ubuntu2~24.04) 13.3.0
+
+Juno Board:
+
+ # lsb_release -a
+ No LSB modules are available.
+ Distributor ID: Debian
+ Description: Debian GNU/Linux 12 (bookworm)
+ Release: 12
+ Codename: bookworm
+
+Fix this by explicitly returning 0, 1, or -1 based on whether the result
+is zero, positive, or negative.
+
+Fixes: d44bc558297222d9 ("perf tests: Add a test for tracking with sched_switch")
+Reviewed-by: Ian Rogers <irogers@google.com>
+Signed-off-by: Leo Yan <leo.yan@arm.com>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: James Clark <james.clark@linaro.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: https://lore.kernel.org/r/20250331172759.115604-1-leo.yan@arm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/tests/switch-tracking.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/tests/switch-tracking.c b/tools/perf/tests/switch-tracking.c
+index 72abf5d86f712..e6a4efc20fd61 100644
+--- a/tools/perf/tests/switch-tracking.c
++++ b/tools/perf/tests/switch-tracking.c
+@@ -256,7 +256,7 @@ static int compar(const void *a, const void *b)
+ const struct event_node *nodeb = b;
+ s64 cmp = nodea->event_time - nodeb->event_time;
+
+- return cmp;
++ return cmp < 0 ? -1 : (cmp > 0 ? 1 : 0);
+ }
+
+ static int process_events(struct evlist *evlist,
+--
+2.39.5
+
--- /dev/null
+From e50443887baab559d48589dd4b3cb9f583b906f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Apr 2025 21:58:19 -0300
+Subject: perf ui browser hists: Set actions->thread before calling
+ do_zoom_thread()
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit 1741189d843a1d5ef38538bc52a3760e2e46cb2e ]
+
+In 7cecb7fe8388d5c3 ("perf hists: Move sort__has_comm into struct
+perf_hpp_list") it assumes that act->thread is set prior to calling
+do_zoom_thread().
+
+This doesn't happen when we use ESC or the Left arrow key to Zoom out of
+a specific thread, making this operation not to work and we get stuck
+into the thread zoom.
+
+In 6422184b087ff435 ("perf hists browser: Simplify zooming code using
+pstack_peek()") it says no need to set actions->thread, and at that
+point that was true, but in 7cecb7fe8388d5c3 a actions->thread == NULL
+check was added before the zoom out of thread could kick in.
+
+We can zoom out using the alternative 't' thread zoom toggle hotkey to
+finally set actions->thread before calling do_zoom_thread() and zoom
+out, but lets also fix the ESC/Zoom out of thread case.
+
+Fixes: 7cecb7fe8388d5c3 ("perf hists: Move sort__has_comm into struct perf_hpp_list")
+Reported-by: Ingo Molnar <mingo@kernel.org>
+Tested-by: Ingo Molnar <mingo@kernel.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: James Clark <james.clark@linaro.org>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: https://lore.kernel.org/r/Z_TYux5fUg2pW-pF@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/ui/browsers/hists.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/ui/browsers/hists.c b/tools/perf/ui/browsers/hists.c
+index fd3e67d2c6bdd..a68d3ee1769d6 100644
+--- a/tools/perf/ui/browsers/hists.c
++++ b/tools/perf/ui/browsers/hists.c
+@@ -3238,10 +3238,10 @@ static int evsel__hists_browse(struct evsel *evsel, int nr_events, const char *h
+ /*
+ * No need to set actions->dso here since
+ * it's just to remove the current filter.
+- * Ditto for thread below.
+ */
+ do_zoom_dso(browser, actions);
+ } else if (top == &browser->hists->thread_filter) {
++ actions->thread = thread;
+ do_zoom_thread(browser, actions);
+ } else if (top == &browser->hists->socket_filter) {
+ do_zoom_socket(browser, actions);
+--
+2.39.5
+
--- /dev/null
+From 7afce5cd3b7ec036e019858e1981e5fa51b1fa46 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 May 2025 23:08:07 +0300
+Subject: pinctrl: at91: Fix possible out-of-boundary access
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 762ef7d1e6eefad9896560bfcb9bcf7f1b6df9c1 ]
+
+at91_gpio_probe() doesn't check that given OF alias is not available or
+something went wrong when trying to get it. This might have consequences
+when accessing gpio_chips array with that value as an index. Note, that
+BUG() can be compiled out and hence won't actually perform the required
+checks.
+
+Fixes: 6732ae5cb47c ("ARM: at91: add pinctrl support")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Closes: https://lore.kernel.org/r/202505052343.UHF1Zo93-lkp@intel.com/
+Link: https://lore.kernel.org/20250508200807.1384558-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-at91.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/pinctrl-at91.c b/drivers/pinctrl/pinctrl-at91.c
+index 9c92838428b8f..40080b0ad020a 100644
+--- a/drivers/pinctrl/pinctrl-at91.c
++++ b/drivers/pinctrl/pinctrl-at91.c
+@@ -1820,12 +1820,16 @@ static int at91_gpio_probe(struct platform_device *pdev)
+ struct at91_gpio_chip *at91_chip = NULL;
+ struct gpio_chip *chip;
+ struct pinctrl_gpio_range *range;
++ int alias_idx;
+ int ret = 0;
+ int irq, i;
+- int alias_idx = of_alias_get_id(np, "gpio");
+ uint32_t ngpio;
+ char **names;
+
++ alias_idx = of_alias_get_id(np, "gpio");
++ if (alias_idx < 0)
++ return alias_idx;
++
+ BUG_ON(alias_idx >= ARRAY_SIZE(gpio_chips));
+ if (gpio_chips[alias_idx]) {
+ ret = -EBUSY;
+--
+2.39.5
+
--- /dev/null
+From 4cf5286abdb8244ac4a53d02d2460910508de40a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Jun 2025 18:19:27 +0200
+Subject: PM: sleep: Fix power.is_suspended cleanup for direct-complete devices
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit d46c4c839c20a599a0eb8d73708ce401f9c7d06d ]
+
+Commit 03f1444016b7 ("PM: sleep: Fix handling devices with direct_complete
+set on errors") caused power.is_suspended to be set for devices with
+power.direct_complete set, but it forgot to ensure the clearing of that
+flag for them in device_resume(), so power.is_suspended is still set for
+them during the next system suspend-resume cycle.
+
+If that cycle is aborted in dpm_suspend(), the subsequent invocation of
+dpm_resume() will trigger a device_resume() call for every device and
+because power.is_suspended is set for the devices in question, they will
+not be skipped by device_resume() as expected which causes scary error
+messages to be logged (as appropriate).
+
+To address this issue, move the clearing of power.is_suspended in
+device_resume() immediately after the power.is_suspended check so it
+will be always cleared for all devices processed by that function.
+
+Fixes: 03f1444016b7 ("PM: sleep: Fix handling devices with direct_complete set on errors")
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4280
+Reported-and-tested-by: Chris Bainbridge <chris.bainbridge@gmail.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Link: https://patch.msgid.link/4990586.GXAFRqVoOG@rjwysocki.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/power/main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c
+index d77ab224b861a..c784de10b494e 100644
+--- a/drivers/base/power/main.c
++++ b/drivers/base/power/main.c
+@@ -900,6 +900,8 @@ static void __device_resume(struct device *dev, pm_message_t state, bool async)
+ if (!dev->power.is_suspended)
+ goto Complete;
+
++ dev->power.is_suspended = false;
++
+ if (dev->power.direct_complete) {
+ /* Match the pm_runtime_disable() in __device_suspend(). */
+ pm_runtime_enable(dev);
+@@ -955,7 +957,6 @@ static void __device_resume(struct device *dev, pm_message_t state, bool async)
+
+ End:
+ error = dpm_run_callback(callback, dev, state, info);
+- dev->power.is_suspended = false;
+
+ device_unlock(dev);
+ dpm_watchdog_clear(&wd);
+--
+2.39.5
+
--- /dev/null
+From 0eadcbc6f416889eaaac2020d227bfc29c538451 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 May 2025 17:26:51 +0800
+Subject: PM: wakeup: Delete space in the end of string shown by
+ pm_show_wakelocks()
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+[ Upstream commit f0050a3e214aa941b78ad4caf122a735a24d81a6 ]
+
+pm_show_wakelocks() is called to generate a string when showing
+attributes /sys/power/wake_(lock|unlock), but the string ends
+with an unwanted space that was added back by mistake by commit
+c9d967b2ce40 ("PM: wakeup: simplify the output logic of
+pm_show_wakelocks()").
+
+Remove the unwanted space.
+
+Fixes: c9d967b2ce40 ("PM: wakeup: simplify the output logic of pm_show_wakelocks()")
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Link: https://patch.msgid.link/20250505-fix_power-v1-1-0f7f2c2f338c@quicinc.com
+[ rjw: Changelog edits ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/power/wakelock.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/kernel/power/wakelock.c b/kernel/power/wakelock.c
+index 52571dcad768b..4e941999a53ba 100644
+--- a/kernel/power/wakelock.c
++++ b/kernel/power/wakelock.c
+@@ -49,6 +49,9 @@ ssize_t pm_show_wakelocks(char *buf, bool show_active)
+ len += sysfs_emit_at(buf, len, "%s ", wl->name);
+ }
+
++ if (len > 0)
++ --len;
++
+ len += sysfs_emit_at(buf, len, "\n");
+
+ mutex_unlock(&wakelocks_lock);
+--
+2.39.5
+
--- /dev/null
+From 3dac7c170210e166ee2739d1555192153fe3e606 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Mar 2025 08:38:09 +0300
+Subject: power: reset: at91-reset: Optimize at91_reset()
+
+From: Alexander Shiyan <eagle.alexander923@gmail.com>
+
+[ Upstream commit 62d48983f215bf1dd48665913318101fa3414dcf ]
+
+This patch adds a small optimization to the low-level at91_reset()
+function, which includes:
+- Removes the extra branch, since the following store operations
+ already have proper condition checks.
+- Removes the definition of the clobber register r4, since it is
+ no longer used in the code.
+
+Fixes: fcd0532fac2a ("power: reset: at91-reset: make at91sam9g45_restart() generic")
+Signed-off-by: Alexander Shiyan <eagle.alexander923@gmail.com>
+Reviewed-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Link: https://lore.kernel.org/r/20250307053809.20245-1-eagle.alexander923@gmail.com
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/reset/at91-reset.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/power/reset/at91-reset.c b/drivers/power/reset/at91-reset.c
+index 64def79d557a8..e6743a3d7877a 100644
+--- a/drivers/power/reset/at91-reset.c
++++ b/drivers/power/reset/at91-reset.c
+@@ -81,12 +81,11 @@ static int at91_reset(struct notifier_block *this, unsigned long mode,
+ " str %4, [%0, %6]\n\t"
+ /* Disable SDRAM1 accesses */
+ "1: tst %1, #0\n\t"
+- " beq 2f\n\t"
+ " strne %3, [%1, #" __stringify(AT91_DDRSDRC_RTR) "]\n\t"
+ /* Power down SDRAM1 */
+ " strne %4, [%1, %6]\n\t"
+ /* Reset CPU */
+- "2: str %5, [%2, #" __stringify(AT91_RSTC_CR) "]\n\t"
++ " str %5, [%2, #" __stringify(AT91_RSTC_CR) "]\n\t"
+
+ " b .\n\t"
+ :
+@@ -97,7 +96,7 @@ static int at91_reset(struct notifier_block *this, unsigned long mode,
+ "r" cpu_to_le32(AT91_DDRSDRC_LPCB_POWER_DOWN),
+ "r" (reset->args),
+ "r" (reset->ramc_lpr)
+- : "r4");
++ );
+
+ return NOTIFY_DONE;
+ }
+--
+2.39.5
+
--- /dev/null
+From c7e8694ef8e1ea400494159e6e179d8f18f4efe6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 May 2025 15:18:28 -0700
+Subject: randstruct: gcc-plugin: Fix attribute addition
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit f39f18f3c3531aa802b58a20d39d96e82eb96c14 ]
+
+Based on changes in the 2021 public version of the randstruct
+out-of-tree GCC plugin[1], more carefully update the attributes on
+resulting decls, to avoid tripping checks in GCC 15's
+comptypes_check_enum_int() when it has been configured with
+"--enable-checking=misc":
+
+arch/arm64/kernel/kexec_image.c:132:14: internal compiler error: in comptypes_check_enum_int, at c/c-typeck.cc:1519
+ 132 | const struct kexec_file_ops kexec_image_ops = {
+ | ^~~~~~~~~~~~~~
+ internal_error(char const*, ...), at gcc/gcc/diagnostic-global-context.cc:517
+ fancy_abort(char const*, int, char const*), at gcc/gcc/diagnostic.cc:1803
+ comptypes_check_enum_int(tree_node*, tree_node*, bool*), at gcc/gcc/c/c-typeck.cc:1519
+ ...
+
+Link: https://archive.org/download/grsecurity/grsecurity-3.1-5.10.41-202105280954.patch.gz [1]
+Reported-by: Thiago Jung Bauermann <thiago.bauermann@linaro.org>
+Closes: https://github.com/KSPP/linux/issues/367
+Closes: https://lore.kernel.org/lkml/20250530000646.104457-1-thiago.bauermann@linaro.org/
+Reported-by: Ingo Saitz <ingo@hannover.ccc.de>
+Closes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104745
+Fixes: 313dd1b62921 ("gcc-plugins: Add the randstruct plugin")
+Tested-by: Thiago Jung Bauermann <thiago.bauermann@linaro.org>
+Link: https://lore.kernel.org/r/20250530221824.work.623-kees@kernel.org
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/gcc-plugins/gcc-common.h | 32 +++++++++++++++++++
+ scripts/gcc-plugins/randomize_layout_plugin.c | 22 ++++++-------
+ 2 files changed, 43 insertions(+), 11 deletions(-)
+
+diff --git a/scripts/gcc-plugins/gcc-common.h b/scripts/gcc-plugins/gcc-common.h
+index cba1440993450..8658e9d220b69 100644
+--- a/scripts/gcc-plugins/gcc-common.h
++++ b/scripts/gcc-plugins/gcc-common.h
+@@ -137,6 +137,38 @@ static inline tree build_const_char_string(int len, const char *str)
+ return cstr;
+ }
+
++static inline void __add_type_attr(tree type, const char *attr, tree args)
++{
++ tree oldattr;
++
++ if (type == NULL_TREE)
++ return;
++ oldattr = lookup_attribute(attr, TYPE_ATTRIBUTES(type));
++ if (oldattr != NULL_TREE) {
++ gcc_assert(TREE_VALUE(oldattr) == args || TREE_VALUE(TREE_VALUE(oldattr)) == TREE_VALUE(args));
++ return;
++ }
++
++ TYPE_ATTRIBUTES(type) = copy_list(TYPE_ATTRIBUTES(type));
++ TYPE_ATTRIBUTES(type) = tree_cons(get_identifier(attr), args, TYPE_ATTRIBUTES(type));
++}
++
++static inline void add_type_attr(tree type, const char *attr, tree args)
++{
++ tree main_variant = TYPE_MAIN_VARIANT(type);
++
++ __add_type_attr(TYPE_CANONICAL(type), attr, args);
++ __add_type_attr(TYPE_CANONICAL(main_variant), attr, args);
++ __add_type_attr(main_variant, attr, args);
++
++ for (type = TYPE_NEXT_VARIANT(main_variant); type; type = TYPE_NEXT_VARIANT(type)) {
++ if (!lookup_attribute(attr, TYPE_ATTRIBUTES(type)))
++ TYPE_ATTRIBUTES(type) = TYPE_ATTRIBUTES(main_variant);
++
++ __add_type_attr(TYPE_CANONICAL(type), attr, args);
++ }
++}
++
+ #define PASS_INFO(NAME, REF, ID, POS) \
+ struct register_pass_info NAME##_pass_info = { \
+ .pass = make_##NAME##_pass(), \
+diff --git a/scripts/gcc-plugins/randomize_layout_plugin.c b/scripts/gcc-plugins/randomize_layout_plugin.c
+index a8595df5fb6e8..24155ce812664 100644
+--- a/scripts/gcc-plugins/randomize_layout_plugin.c
++++ b/scripts/gcc-plugins/randomize_layout_plugin.c
+@@ -95,6 +95,9 @@ static tree handle_randomize_layout_attr(tree *node, tree name, tree args, int f
+
+ if (TYPE_P(*node)) {
+ type = *node;
++ } else if (TREE_CODE(*node) == FIELD_DECL) {
++ *no_add_attrs = false;
++ return NULL_TREE;
+ } else {
+ gcc_assert(TREE_CODE(*node) == TYPE_DECL);
+ type = TREE_TYPE(*node);
+@@ -381,15 +384,14 @@ static int relayout_struct(tree type)
+ TREE_CHAIN(newtree[i]) = newtree[i+1];
+ TREE_CHAIN(newtree[num_fields - 1]) = NULL_TREE;
+
++ add_type_attr(type, "randomize_performed", NULL_TREE);
++ add_type_attr(type, "designated_init", NULL_TREE);
++ if (has_flexarray)
++ add_type_attr(type, "has_flexarray", NULL_TREE);
++
+ main_variant = TYPE_MAIN_VARIANT(type);
+- for (variant = main_variant; variant; variant = TYPE_NEXT_VARIANT(variant)) {
++ for (variant = main_variant; variant; variant = TYPE_NEXT_VARIANT(variant))
+ TYPE_FIELDS(variant) = newtree[0];
+- TYPE_ATTRIBUTES(variant) = copy_list(TYPE_ATTRIBUTES(variant));
+- TYPE_ATTRIBUTES(variant) = tree_cons(get_identifier("randomize_performed"), NULL_TREE, TYPE_ATTRIBUTES(variant));
+- TYPE_ATTRIBUTES(variant) = tree_cons(get_identifier("designated_init"), NULL_TREE, TYPE_ATTRIBUTES(variant));
+- if (has_flexarray)
+- TYPE_ATTRIBUTES(type) = tree_cons(get_identifier("has_flexarray"), NULL_TREE, TYPE_ATTRIBUTES(type));
+- }
+
+ /*
+ * force a re-layout of the main variant
+@@ -457,10 +459,8 @@ static void randomize_type(tree type)
+ if (lookup_attribute("randomize_layout", TYPE_ATTRIBUTES(TYPE_MAIN_VARIANT(type))) || is_pure_ops_struct(type))
+ relayout_struct(type);
+
+- for (variant = TYPE_MAIN_VARIANT(type); variant; variant = TYPE_NEXT_VARIANT(variant)) {
+- TYPE_ATTRIBUTES(type) = copy_list(TYPE_ATTRIBUTES(type));
+- TYPE_ATTRIBUTES(type) = tree_cons(get_identifier("randomize_considered"), NULL_TREE, TYPE_ATTRIBUTES(type));
+- }
++ add_type_attr(type, "randomize_considered", NULL_TREE);
++
+ #ifdef __DEBUG_PLUGIN
+ fprintf(stderr, "Marking randomize_considered on struct %s\n", ORIG_TYPE_NAME(type));
+ #ifdef __DEBUG_VERBOSE
+--
+2.39.5
+
--- /dev/null
+From a5303ea968e5db62968b511eebfa0d4d558e501b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Apr 2025 00:37:52 -0700
+Subject: randstruct: gcc-plugin: Remove bogus void member
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit e136a4062174a9a8d1c1447ca040ea81accfa6a8 ]
+
+When building the randomized replacement tree of struct members, the
+randstruct GCC plugin would insert, as the first member, a 0-sized void
+member. This appears as though it was done to catch non-designated
+("unnamed") static initializers, which wouldn't be stable since they
+depend on the original struct layout order.
+
+This was accomplished by having the side-effect of the "void member"
+tripping an assert in GCC internals (count_type_elements) if the member
+list ever needed to be counted (e.g. for figuring out the order of members
+during a non-designated initialization), which would catch impossible type
+(void) in the struct:
+
+security/landlock/fs.c: In function ‘hook_file_ioctl_common’:
+security/landlock/fs.c:1745:61: internal compiler error: in count_type_elements, at expr.cc:7075
+ 1745 | .u.op = &(struct lsm_ioctlop_audit) {
+ | ^
+
+static HOST_WIDE_INT
+count_type_elements (const_tree type, bool for_ctor_p)
+{
+ switch (TREE_CODE (type))
+...
+ case VOID_TYPE:
+ default:
+ gcc_unreachable ();
+ }
+}
+
+However this is a redundant safety measure since randstruct uses the
+__designated_initializer attribute both internally and within the
+__randomized_layout attribute macro so that this would be enforced
+by the compiler directly even when randstruct was not enabled (via
+-Wdesignated-init).
+
+A recent change in Landlock ended up tripping the same member counting
+routine when using a full-struct copy initializer as part of an anonymous
+initializer. This, however, is a false positive as the initializer is
+copying between identical structs (and hence identical layouts). The
+"path" member is "struct path", a randomized struct, and is being copied
+to from another "struct path", the "f_path" member:
+
+ landlock_log_denial(landlock_cred(file->f_cred), &(struct landlock_request) {
+ .type = LANDLOCK_REQUEST_FS_ACCESS,
+ .audit = {
+ .type = LSM_AUDIT_DATA_IOCTL_OP,
+ .u.op = &(struct lsm_ioctlop_audit) {
+ .path = file->f_path,
+ .cmd = cmd,
+ },
+ },
+ ...
+
+As can be seen with the coming randstruct KUnit test, there appears to
+be no behavioral problems with this kind of initialization when the void
+member is removed from the randstruct GCC plugin, so remove it.
+
+Reported-by: "Dr. David Alan Gilbert" <linux@treblig.org>
+Closes: https://lore.kernel.org/lkml/Z_PRaKx7q70MKgCA@gallifrey/
+Reported-by: Mark Brown <broonie@kernel.org>
+Closes: https://lore.kernel.org/lkml/20250407-kbuild-disable-gcc-plugins-v1-1-5d46ae583f5e@kernel.org/
+Reported-by: WangYuli <wangyuli@uniontech.com>
+Closes: https://lore.kernel.org/lkml/337D5D4887277B27+3c677db3-a8b9-47f0-93a4-7809355f1381@uniontech.com/
+Fixes: 313dd1b62921 ("gcc-plugins: Add the randstruct plugin")
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/gcc-plugins/randomize_layout_plugin.c | 18 +-----------------
+ 1 file changed, 1 insertion(+), 17 deletions(-)
+
+diff --git a/scripts/gcc-plugins/randomize_layout_plugin.c b/scripts/gcc-plugins/randomize_layout_plugin.c
+index 60e9359a71a50..a8595df5fb6e8 100644
+--- a/scripts/gcc-plugins/randomize_layout_plugin.c
++++ b/scripts/gcc-plugins/randomize_layout_plugin.c
+@@ -377,29 +377,13 @@ static int relayout_struct(tree type)
+
+ shuffle(type, (tree *)newtree, shuffle_length);
+
+- /*
+- * set up a bogus anonymous struct field designed to error out on unnamed struct initializers
+- * as gcc provides no other way to detect such code
+- */
+- list = make_node(FIELD_DECL);
+- TREE_CHAIN(list) = newtree[0];
+- TREE_TYPE(list) = void_type_node;
+- DECL_SIZE(list) = bitsize_zero_node;
+- DECL_NONADDRESSABLE_P(list) = 1;
+- DECL_FIELD_BIT_OFFSET(list) = bitsize_zero_node;
+- DECL_SIZE_UNIT(list) = size_zero_node;
+- DECL_FIELD_OFFSET(list) = size_zero_node;
+- DECL_CONTEXT(list) = type;
+- // to satisfy the constify plugin
+- TREE_READONLY(list) = 1;
+-
+ for (i = 0; i < num_fields - 1; i++)
+ TREE_CHAIN(newtree[i]) = newtree[i+1];
+ TREE_CHAIN(newtree[num_fields - 1]) = NULL_TREE;
+
+ main_variant = TYPE_MAIN_VARIANT(type);
+ for (variant = main_variant; variant; variant = TYPE_NEXT_VARIANT(variant)) {
+- TYPE_FIELDS(variant) = list;
++ TYPE_FIELDS(variant) = newtree[0];
+ TYPE_ATTRIBUTES(variant) = copy_list(TYPE_ATTRIBUTES(variant));
+ TYPE_ATTRIBUTES(variant) = tree_cons(get_identifier("randomize_performed"), NULL_TREE, TYPE_ATTRIBUTES(variant));
+ TYPE_ATTRIBUTES(variant) = tree_cons(get_identifier("designated_init"), NULL_TREE, TYPE_ATTRIBUTES(variant));
+--
+2.39.5
+
--- /dev/null
+From 36a8e2612cf6c10b502e36075f899a7aea531363 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Apr 2025 21:27:49 +0800
+Subject: RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h
+
+From: Junxian Huang <huangjunxian6@hisilicon.com>
+
+[ Upstream commit 2b11d33de23262cb20d1dcb24b586dbb8f54d463 ]
+
+hns_roce_hw_v2.h has a direct dependency on hnae3.h due to the
+inline function hns_roce_write64(), but it doesn't include this
+header currently. This leads to that files including
+hns_roce_hw_v2.h must also include hnae3.h to avoid compilation
+errors, even if they themselves don't really rely on hnae3.h.
+This doesn't make sense, hns_roce_hw_v2.h should include hnae3.h
+directly.
+
+Fixes: d3743fa94ccd ("RDMA/hns: Fix the chip hanging caused by sending doorbell during reset")
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Link: https://patch.msgid.link/20250421132750.1363348-6-huangjunxian6@hisilicon.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 1 -
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 1 +
+ drivers/infiniband/hw/hns/hns_roce_main.c | 1 -
+ drivers/infiniband/hw/hns/hns_roce_restrack.c | 1 -
+ 4 files changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+index 4f2e8f9d228bd..e10fe47d45c1d 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -42,7 +42,6 @@
+ #include <rdma/ib_umem.h>
+ #include <rdma/uverbs_ioctl.h>
+
+-#include "hnae3.h"
+ #include "hns_roce_common.h"
+ #include "hns_roce_device.h"
+ #include "hns_roce_cmd.h"
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
+index a03dfde796ca4..07ea5fe4a59bb 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
+@@ -34,6 +34,7 @@
+ #define _HNS_ROCE_HW_V2_H
+
+ #include <linux/bitops.h>
++#include "hnae3.h"
+
+ #define HNS_ROCE_VF_QPC_BT_NUM 256
+ #define HNS_ROCE_VF_SCCC_BT_NUM 64
+diff --git a/drivers/infiniband/hw/hns/hns_roce_main.c b/drivers/infiniband/hw/hns/hns_roce_main.c
+index 4fc8e0c8b7ab0..5bafd451ca8da 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_main.c
++++ b/drivers/infiniband/hw/hns/hns_roce_main.c
+@@ -38,7 +38,6 @@
+ #include <rdma/ib_smi.h>
+ #include <rdma/ib_user_verbs.h>
+ #include <rdma/ib_cache.h>
+-#include "hnae3.h"
+ #include "hns_roce_common.h"
+ #include "hns_roce_device.h"
+ #include "hns_roce_hem.h"
+diff --git a/drivers/infiniband/hw/hns/hns_roce_restrack.c b/drivers/infiniband/hw/hns/hns_roce_restrack.c
+index 259444c0a6301..8acab99f7ea6a 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_restrack.c
++++ b/drivers/infiniband/hw/hns/hns_roce_restrack.c
+@@ -4,7 +4,6 @@
+ #include <rdma/rdma_cm.h>
+ #include <rdma/restrack.h>
+ #include <uapi/rdma/rdma_netlink.h>
+-#include "hnae3.h"
+ #include "hns_roce_common.h"
+ #include "hns_roce_device.h"
+ #include "hns_roce_hw_v2.h"
+--
+2.39.5
+
--- /dev/null
+From ae0cd59031a47e6b20710e60c3829193bfedcda7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Apr 2025 14:34:07 +0300
+Subject: RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction
+
+From: Patrisious Haddad <phaddad@nvidia.com>
+
+[ Upstream commit 5d2ea5aebbb2f3ebde4403f9c55b2b057e5dd2d6 ]
+
+Upon RQ destruction if the firmware command fails which is the
+last resource to be destroyed some SW resources were already cleaned
+regardless of the failure.
+
+Now properly rollback the object to its original state upon such failure.
+
+In order to avoid a use-after free in case someone tries to destroy the
+object again, which results in the following kernel trace:
+refcount_t: underflow; use-after-free.
+WARNING: CPU: 0 PID: 37589 at lib/refcount.c:28 refcount_warn_saturate+0xf4/0x148
+Modules linked in: rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) rfkill mlx5_core(OE) mlxdevm(OE) ib_uverbs(OE) ib_core(OE) psample mlxfw(OE) mlx_compat(OE) macsec tls pci_hyperv_intf sunrpc vfat fat virtio_net net_failover failover fuse loop nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs crct10dif_ce ghash_ce sha2_ce sha256_arm64 sha1_ce virtio_console virtio_gpu virtio_blk virtio_dma_buf virtio_mmio dm_mirror dm_region_hash dm_log dm_mod xpmem(OE)
+CPU: 0 UID: 0 PID: 37589 Comm: python3 Kdump: loaded Tainted: G OE ------- --- 6.12.0-54.el10.aarch64 #1
+Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
+Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
+pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : refcount_warn_saturate+0xf4/0x148
+lr : refcount_warn_saturate+0xf4/0x148
+sp : ffff80008b81b7e0
+x29: ffff80008b81b7e0 x28: ffff000133d51600 x27: 0000000000000001
+x26: 0000000000000000 x25: 00000000ffffffea x24: ffff00010ae80f00
+x23: ffff00010ae80f80 x22: ffff0000c66e5d08 x21: 0000000000000000
+x20: ffff0000c66e0000 x19: ffff00010ae80340 x18: 0000000000000006
+x17: 0000000000000000 x16: 0000000000000020 x15: ffff80008b81b37f
+x14: 0000000000000000 x13: 2e656572662d7265 x12: ffff80008283ef78
+x11: ffff80008257efd0 x10: ffff80008283efd0 x9 : ffff80008021ed90
+x8 : 0000000000000001 x7 : 00000000000bffe8 x6 : c0000000ffff7fff
+x5 : ffff0001fb8e3408 x4 : 0000000000000000 x3 : ffff800179993000
+x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000133d51600
+Call trace:
+ refcount_warn_saturate+0xf4/0x148
+ mlx5_core_put_rsc+0x88/0xa0 [mlx5_ib]
+ mlx5_core_destroy_rq_tracked+0x64/0x98 [mlx5_ib]
+ mlx5_ib_destroy_wq+0x34/0x80 [mlx5_ib]
+ ib_destroy_wq_user+0x30/0xc0 [ib_core]
+ uverbs_free_wq+0x28/0x58 [ib_uverbs]
+ destroy_hw_idr_uobject+0x34/0x78 [ib_uverbs]
+ uverbs_destroy_uobject+0x48/0x240 [ib_uverbs]
+ __uverbs_cleanup_ufile+0xd4/0x1a8 [ib_uverbs]
+ uverbs_destroy_ufile_hw+0x48/0x120 [ib_uverbs]
+ ib_uverbs_close+0x2c/0x100 [ib_uverbs]
+ __fput+0xd8/0x2f0
+ __fput_sync+0x50/0x70
+ __arm64_sys_close+0x40/0x90
+ invoke_syscall.constprop.0+0x74/0xd0
+ do_el0_svc+0x48/0xe8
+ el0_svc+0x44/0x1d0
+ el0t_64_sync_handler+0x120/0x130
+ el0t_64_sync+0x1a4/0x1a8
+
+Fixes: e2013b212f9f ("net/mlx5_core: Add RQ and SQ event handling")
+Signed-off-by: Patrisious Haddad <phaddad@nvidia.com>
+Link: https://patch.msgid.link/3181433ccdd695c63560eeeb3f0c990961732101.1745839855.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/qpc.c | 30 ++++++++++++++++++++++++++++--
+ include/linux/mlx5/driver.h | 1 +
+ 2 files changed, 29 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/qpc.c b/drivers/infiniband/hw/mlx5/qpc.c
+index e508c0753dd37..2d56c94d0af7c 100644
+--- a/drivers/infiniband/hw/mlx5/qpc.c
++++ b/drivers/infiniband/hw/mlx5/qpc.c
+@@ -21,8 +21,10 @@ mlx5_get_rsc(struct mlx5_qp_table *table, u32 rsn)
+ spin_lock_irqsave(&table->lock, flags);
+
+ common = radix_tree_lookup(&table->tree, rsn);
+- if (common)
++ if (common && !common->invalid)
+ refcount_inc(&common->refcount);
++ else
++ common = NULL;
+
+ spin_unlock_irqrestore(&table->lock, flags);
+
+@@ -172,6 +174,18 @@ static int create_resource_common(struct mlx5_ib_dev *dev,
+ return 0;
+ }
+
++static void modify_resource_common_state(struct mlx5_ib_dev *dev,
++ struct mlx5_core_qp *qp,
++ bool invalid)
++{
++ struct mlx5_qp_table *table = &dev->qp_table;
++ unsigned long flags;
++
++ spin_lock_irqsave(&table->lock, flags);
++ qp->common.invalid = invalid;
++ spin_unlock_irqrestore(&table->lock, flags);
++}
++
+ static void destroy_resource_common(struct mlx5_ib_dev *dev,
+ struct mlx5_core_qp *qp)
+ {
+@@ -584,8 +598,20 @@ int mlx5_core_create_rq_tracked(struct mlx5_ib_dev *dev, u32 *in, int inlen,
+ int mlx5_core_destroy_rq_tracked(struct mlx5_ib_dev *dev,
+ struct mlx5_core_qp *rq)
+ {
++ int ret;
++
++ /* The rq destruction can be called again in case it fails, hence we
++ * mark the common resource as invalid and only once FW destruction
++ * is completed successfully we actually destroy the resources.
++ */
++ modify_resource_common_state(dev, rq, true);
++ ret = destroy_rq_tracked(dev, rq->qpn, rq->uid);
++ if (ret) {
++ modify_resource_common_state(dev, rq, false);
++ return ret;
++ }
+ destroy_resource_common(dev, rq);
+- return destroy_rq_tracked(dev, rq->qpn, rq->uid);
++ return 0;
+ }
+
+ static void destroy_sq_tracked(struct mlx5_ib_dev *dev, u32 sqn, u16 uid)
+diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h
+index ff47cff408aad..9ed1b3cb9823c 100644
+--- a/include/linux/mlx5/driver.h
++++ b/include/linux/mlx5/driver.h
+@@ -388,6 +388,7 @@ struct mlx5_core_rsc_common {
+ enum mlx5_res_type res;
+ refcount_t refcount;
+ struct completion free;
++ bool invalid;
+ };
+
+ struct mlx5_uars_page {
+--
+2.39.5
+
--- /dev/null
+From d2b2126a7e41d3689a887632606aad39c5c8d4bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Apr 2025 13:59:51 +0300
+Subject: remoteproc: qcom_wcnss_iris: Add missing put_device() on error in
+ probe
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 0cb4b1b97041d8a1f773425208ded253c1cb5869 ]
+
+The device_del() call matches with the device_add() but we also need
+to call put_device() to trigger the qcom_iris_release().
+
+Fixes: 1fcef985c8bd ("remoteproc: qcom: wcnss: Fix race with iris probe")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/4604f7e0-3217-4095-b28a-3ff8b5afad3a@stanley.mountain
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/remoteproc/qcom_wcnss_iris.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/remoteproc/qcom_wcnss_iris.c b/drivers/remoteproc/qcom_wcnss_iris.c
+index 09720ddddc857..7c7b688eda1d9 100644
+--- a/drivers/remoteproc/qcom_wcnss_iris.c
++++ b/drivers/remoteproc/qcom_wcnss_iris.c
+@@ -196,6 +196,7 @@ struct qcom_iris *qcom_iris_probe(struct device *parent, bool *use_48mhz_xo)
+
+ err_device_del:
+ device_del(&iris->dev);
++ put_device(&iris->dev);
+
+ return ERR_PTR(ret);
+ }
+@@ -203,4 +204,5 @@ struct qcom_iris *qcom_iris_probe(struct device *parent, bool *use_48mhz_xo)
+ void qcom_iris_remove(struct qcom_iris *iris)
+ {
+ device_del(&iris->dev);
++ put_device(&iris->dev);
+ }
+--
+2.39.5
+
--- /dev/null
+From a97e84a2003097de1cff970433216359a0e3cc53 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Apr 2025 20:22:05 +0300
+Subject: rpmsg: qcom_smd: Fix uninitialized return variable in
+ __qcom_smd_send()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 5de775df3362090a6e90046d1f2d83fe62489aa0 ]
+
+The "ret" variable isn't initialized if we don't enter the loop. For
+example, if "channel->state" is not SMD_CHANNEL_OPENED.
+
+Fixes: 33e3820dda88 ("rpmsg: smd: Use spinlock in tx path")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/r/aAkhvV0nSbrsef1P@stanley.mountain
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rpmsg/qcom_smd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/rpmsg/qcom_smd.c b/drivers/rpmsg/qcom_smd.c
+index 56bc622de25e5..74546b5f18817 100644
+--- a/drivers/rpmsg/qcom_smd.c
++++ b/drivers/rpmsg/qcom_smd.c
+@@ -746,7 +746,7 @@ static int __qcom_smd_send(struct qcom_smd_channel *channel, const void *data,
+ __le32 hdr[5] = { cpu_to_le32(len), };
+ int tlen = sizeof(hdr) + len;
+ unsigned long flags;
+- int ret;
++ int ret = 0;
+
+ /* Word aligned channels only accept word size aligned data */
+ if (channel->info_word && len % 4)
+--
+2.39.5
+
--- /dev/null
+From 0ddf0f11e0dd07f1bac1cfa5eeed802c26c2a813 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Feb 2025 14:42:56 +0100
+Subject: rtc: sh: assign correct interrupts with DT
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit 8f2efdbc303fe7baa83843d3290dd6ea5ba3276c ]
+
+The DT bindings for this driver define the interrupts in the order as
+they are numbered in the interrupt controller. The old platform_data,
+however, listed them in a different order. So, for DT based platforms,
+they are mixed up. Assign them specifically for DT, so we can keep the
+bindings stable. After the fix, 'rtctest' passes again on the Renesas
+Genmai board (RZ-A1 / R7S72100).
+
+Fixes: dab5aec64bf5 ("rtc: sh: add support for rza series")
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Link: https://lore.kernel.org/r/20250227134256.9167-11-wsa+renesas@sang-engineering.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-sh.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/rtc/rtc-sh.c b/drivers/rtc/rtc-sh.c
+index cd146b5741431..341b1b776e1a3 100644
+--- a/drivers/rtc/rtc-sh.c
++++ b/drivers/rtc/rtc-sh.c
+@@ -485,9 +485,15 @@ static int __init sh_rtc_probe(struct platform_device *pdev)
+ return -ENOENT;
+ }
+
+- rtc->periodic_irq = ret;
+- rtc->carry_irq = platform_get_irq(pdev, 1);
+- rtc->alarm_irq = platform_get_irq(pdev, 2);
++ if (!pdev->dev.of_node) {
++ rtc->periodic_irq = ret;
++ rtc->carry_irq = platform_get_irq(pdev, 1);
++ rtc->alarm_irq = platform_get_irq(pdev, 2);
++ } else {
++ rtc->alarm_irq = ret;
++ rtc->periodic_irq = platform_get_irq(pdev, 1);
++ rtc->carry_irq = platform_get_irq(pdev, 2);
++ }
+
+ res = platform_get_resource(pdev, IORESOURCE_IO, 0);
+ if (!res)
+--
+2.39.5
+
--- /dev/null
+From 12d325ca27bba90fe6d400e4ad98cb621d5d9b0b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 May 2025 14:26:15 +0200
+Subject: s390/bpf: Store backchain even for leaf progs
+
+From: Ilya Leoshkevich <iii@linux.ibm.com>
+
+[ Upstream commit 5f55f2168432298f5a55294831ab6a76a10cb3c3 ]
+
+Currently a crash in a leaf prog (caused by a bug) produces the
+following call trace:
+
+ [<000003ff600ebf00>] bpf_prog_6df0139e1fbf2789_fentry+0x20/0x78
+ [<0000000000000000>] 0x0
+
+This is because leaf progs do not store backchain. Fix by making all
+progs do it. This is what GCC and Clang-generated code does as well.
+Now the call trace looks like this:
+
+ [<000003ff600eb0f2>] bpf_prog_6df0139e1fbf2789_fentry+0x2a/0x80
+ [<000003ff600ed096>] bpf_trampoline_201863462940+0x96/0xf4
+ [<000003ff600e3a40>] bpf_prog_05f379658fdd72f2_classifier_0+0x58/0xc0
+ [<000003ffe0aef070>] bpf_test_run+0x210/0x390
+ [<000003ffe0af0dc2>] bpf_prog_test_run_skb+0x25a/0x668
+ [<000003ffe038a90e>] __sys_bpf+0xa46/0xdb0
+ [<000003ffe038ad0c>] __s390x_sys_bpf+0x44/0x50
+ [<000003ffe0defea8>] __do_syscall+0x150/0x280
+ [<000003ffe0e01d5c>] system_call+0x74/0x98
+
+Fixes: 054623105728 ("s390/bpf: Add s390x eBPF JIT compiler backend")
+Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Link: https://lore.kernel.org/r/20250512122717.54878-1-iii@linux.ibm.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/net/bpf_jit_comp.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
+index 88020b4ddbab6..0c7f4c1ff3479 100644
+--- a/arch/s390/net/bpf_jit_comp.c
++++ b/arch/s390/net/bpf_jit_comp.c
+@@ -543,17 +543,15 @@ static void bpf_jit_prologue(struct bpf_jit *jit, u32 stack_depth)
+ }
+ /* Setup stack and backchain */
+ if (is_first_pass(jit) || (jit->seen & SEEN_STACK)) {
+- if (is_first_pass(jit) || (jit->seen & SEEN_FUNC))
+- /* lgr %w1,%r15 (backchain) */
+- EMIT4(0xb9040000, REG_W1, REG_15);
++ /* lgr %w1,%r15 (backchain) */
++ EMIT4(0xb9040000, REG_W1, REG_15);
+ /* la %bfp,STK_160_UNUSED(%r15) (BPF frame pointer) */
+ EMIT4_DISP(0x41000000, BPF_REG_FP, REG_15, STK_160_UNUSED);
+ /* aghi %r15,-STK_OFF */
+ EMIT4_IMM(0xa70b0000, REG_15, -(STK_OFF + stack_depth));
+- if (is_first_pass(jit) || (jit->seen & SEEN_FUNC))
+- /* stg %w1,152(%r15) (backchain) */
+- EMIT6_DISP_LH(0xe3000000, 0x0024, REG_W1, REG_0,
+- REG_15, 152);
++ /* stg %w1,152(%r15) (backchain) */
++ EMIT6_DISP_LH(0xe3000000, 0x0024, REG_W1, REG_0,
++ REG_15, 152);
+ }
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 87e23d6bf2de1aa4439ef19c2f3f60a6577e1694 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Jun 2025 14:32:52 +0300
+Subject: seg6: Fix validation of nexthop addresses
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit 7632fedb266d93ed0ed9f487133e6c6314a9b2d1 ]
+
+The kernel currently validates that the length of the provided nexthop
+address does not exceed the specified length. This can lead to the
+kernel reading uninitialized memory if user space provided a shorter
+length than the specified one.
+
+Fix by validating that the provided length exactly matches the specified
+one.
+
+Fixes: d1df6fd8a1d2 ("ipv6: sr: define core operations for seg6local lightweight tunnel")
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://patch.msgid.link/20250604113252.371528-1-idosch@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/seg6_local.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv6/seg6_local.c b/net/ipv6/seg6_local.c
+index 0b64cf5b0f267..98af48b3fcce6 100644
+--- a/net/ipv6/seg6_local.c
++++ b/net/ipv6/seg6_local.c
+@@ -1123,10 +1123,8 @@ static const struct nla_policy seg6_local_policy[SEG6_LOCAL_MAX + 1] = {
+ [SEG6_LOCAL_SRH] = { .type = NLA_BINARY },
+ [SEG6_LOCAL_TABLE] = { .type = NLA_U32 },
+ [SEG6_LOCAL_VRFTABLE] = { .type = NLA_U32 },
+- [SEG6_LOCAL_NH4] = { .type = NLA_BINARY,
+- .len = sizeof(struct in_addr) },
+- [SEG6_LOCAL_NH6] = { .type = NLA_BINARY,
+- .len = sizeof(struct in6_addr) },
++ [SEG6_LOCAL_NH4] = NLA_POLICY_EXACT_LEN(sizeof(struct in_addr)),
++ [SEG6_LOCAL_NH6] = NLA_POLICY_EXACT_LEN(sizeof(struct in6_addr)),
+ [SEG6_LOCAL_IIF] = { .type = NLA_U32 },
+ [SEG6_LOCAL_OIF] = { .type = NLA_U32 },
+ [SEG6_LOCAL_BPF] = { .type = NLA_NESTED },
+--
+2.39.5
+
--- /dev/null
+From 2a2fd688bd20dd736a0bdcbe316c8286d5cd5c9f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 27 Apr 2025 09:40:58 +0000
+Subject: selftests/seccomp: fix syscall_restart test for arm compat
+
+From: Neill Kapron <nkapron@google.com>
+
+[ Upstream commit 797002deed03491215a352ace891749b39741b69 ]
+
+The inconsistencies in the systcall ABI between arm and arm-compat can
+can cause a failure in the syscall_restart test due to the logic
+attempting to work around the differences. The 'machine' field for an
+ARM64 device running in compat mode can report 'armv8l' or 'armv8b'
+which matches with the string 'arm' when only examining the first three
+characters of the string.
+
+This change adds additional validation to the workaround logic to make
+sure we only take the arm path when running natively, not in arm-compat.
+
+Fixes: 256d0afb11d6 ("selftests/seccomp: build and pass on arm64")
+Signed-off-by: Neill Kapron <nkapron@google.com>
+Link: https://lore.kernel.org/r/20250427094103.3488304-2-nkapron@google.com
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/seccomp/seccomp_bpf.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
+index ac340a9c09187..c1da445ab4db9 100644
+--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
++++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
+@@ -3085,12 +3085,15 @@ TEST(syscall_restart)
+ ret = get_syscall(_metadata, child_pid);
+ #if defined(__arm__)
+ /*
+- * FIXME:
+ * - native ARM registers do NOT expose true syscall.
+ * - compat ARM registers on ARM64 DO expose true syscall.
++ * - values of utsbuf.machine include 'armv8l' or 'armb8b'
++ * for ARM64 running in compat mode.
+ */
+ ASSERT_EQ(0, uname(&utsbuf));
+- if (strncmp(utsbuf.machine, "arm", 3) == 0) {
++ if ((strncmp(utsbuf.machine, "arm", 3) == 0) &&
++ (strncmp(utsbuf.machine, "armv8l", 6) != 0) &&
++ (strncmp(utsbuf.machine, "armv8b", 6) != 0)) {
+ EXPECT_EQ(__NR_nanosleep, ret);
+ } else
+ #endif
+--
+2.39.5
+
--- /dev/null
+From 249b97fca257465839d5f80aa6cd0559bad26d02 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Apr 2025 15:03:39 +0800
+Subject: serial: Fix potential null-ptr-deref in mlb_usio_probe()
+
+From: Henry Martin <bsdhenrymartin@gmail.com>
+
+[ Upstream commit 86bcae88c9209e334b2f8c252f4cc66beb261886 ]
+
+devm_ioremap() can return NULL on error. Currently, mlb_usio_probe()
+does not check for this case, which could result in a NULL pointer
+dereference.
+
+Add NULL check after devm_ioremap() to prevent this issue.
+
+Fixes: ba44dc043004 ("serial: Add Milbeaut serial control")
+Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
+Link: https://lore.kernel.org/r/20250403070339.64990-1-bsdhenrymartin@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/milbeaut_usio.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/milbeaut_usio.c b/drivers/tty/serial/milbeaut_usio.c
+index 8f2cab7f66ad3..d9f094514945b 100644
+--- a/drivers/tty/serial/milbeaut_usio.c
++++ b/drivers/tty/serial/milbeaut_usio.c
+@@ -523,7 +523,10 @@ static int mlb_usio_probe(struct platform_device *pdev)
+ }
+ port->membase = devm_ioremap(&pdev->dev, res->start,
+ resource_size(res));
+-
++ if (!port->membase) {
++ ret = -ENOMEM;
++ goto failed;
++ }
+ ret = platform_get_irq_byname(pdev, "rx");
+ mlb_usio_irq[index][RX] = ret;
+
+--
+2.39.5
+
usb-serial-pl2303-add-new-chip-pl2303gc-q20-and-pl2303gt-2ab.patch
usb-usbtmc-fix-timeout-value-in-get_stb.patch
thunderbolt-do-not-double-dequeue-a-configuration-request.patch
+gfs2-gfs2_create_inode-error-handling-fix.patch
+perf-core-fix-broken-throttling-when-max_samples_per.patch
+crypto-sun8i-ss-do-not-use-sg_dma_len-before-calling.patch
+x86-cpu-sanitize-cpuid-0x80000000-output.patch
+crypto-marvell-cesa-handle-zero-length-skcipher-requ.patch
+crypto-marvell-cesa-avoid-empty-transfer-descriptor.patch
+crypto-lrw-only-add-ecb-if-it-is-not-already-there.patch
+crypto-xts-only-add-ecb-if-it-is-not-already-there.patch
+crypto-sun8i-ce-move-fallback-ahash_request-to-the-e.patch
+edac-skx_common-fix-general-protection-fault.patch
+power-reset-at91-reset-optimize-at91_reset.patch
+pm-wakeup-delete-space-in-the-end-of-string-shown-by.patch
+x86-mtrr-check-if-fixed-range-mtrrs-exist-in-mtrr_sa.patch
+acpi-osi-stop-advertising-support-for-3.0-_scp-exten.patch
+spi-sh-msiof-fix-maximum-dma-transfer-size.patch
+drm-vmwgfx-add-seqno-waiter-for-sync_files.patch
+drm-amd-pp-fix-potential-null-pointer-dereference-in.patch
+media-rkvdec-fix-frame-size-enumeration.patch
+fs-ntfs3-handle-hdr_first_de-return-value.patch
+m68k-mac-fix-macintosh_config-for-mac-ii.patch
+firmware-psci-fix-refcount-leak-in-psci_dt_init.patch
+selftests-seccomp-fix-syscall_restart-test-for-arm-c.patch
+drm-rcar-du-fix-memory-leak-in-rcar_du_vsps_init.patch
+drm-vkms-adjust-vkms_state-active_planes-allocation-.patch
+drm-tegra-rgb-fix-the-unbound-reference-count.patch
+firmware-sdei-allow-sdei-initialization-without-acpi.patch
+wifi-ath11k-fix-node-corruption-in-ar-arvifs-list.patch
+ib-cm-use-rwlock-for-mad-agent-lock.patch
+bpf-sockmap-fix-duplicated-data-transmission.patch
+f2fs-fix-to-do-sanity-check-on-sbi-total_valid_block.patch
+net-ncsi-fix-gcps-64-bit-member-variables.patch
+libbpf-fix-buffer-overflow-in-bpf_object__init_prog.patch
+wifi-rtw88-do-not-ignore-hardware-read-error-during-.patch
+rdma-hns-include-hnae3.h-in-hns_roce_hw_v2.h.patch
+iommu-protect-against-overflow-in-iommu_pgsize.patch
+f2fs-clean-up-w-fscrypt_is_bounce_page.patch
+f2fs-fix-to-detect-gcing-page-in-f2fs_is_cp_guarante.patch
+libbpf-use-proper-errno-value-in-linker.patch
+netfilter-bridge-move-specific-fragmented-packet-to-.patch
+netfilter-nft_quota-match-correctly-when-the-quota-j.patch
+rdma-mlx5-fix-error-flow-upon-firmware-failure-for-r.patch
+bpf-fix-uninitialized-values-in-bpf_-core-probe-_rea.patch
+clk-qcom-gcc-sm6350-add-_wait_val-values-for-gdscs.patch
+clk-bcm-rpi-add-null-check-in-raspberrypi_clk_regist.patch
+ktls-sockmap-fix-missing-uncharge-operation.patch
+libbpf-use-proper-errno-value-in-nlattr.patch
+pinctrl-at91-fix-possible-out-of-boundary-access.patch
+bpf-fix-warn-in-get_bpf_raw_tp_regs.patch
+clk-qcom-gcc-msm8939-fix-mclk0-mclk1-for-24-mhz.patch
+s390-bpf-store-backchain-even-for-leaf-progs.patch
+wifi-rtw88-fix-the-para-buffer-size-to-avoid-reading.patch
+wifi-ath9k_htc-abort-software-beacon-handling-if-dis.patch
+netfilter-nf_tables-nft_fib_ipv6-fix-vrf-ipv4-ipv6-r.patch
+vfio-type1-fix-error-unwind-in-migration-dirty-bitma.patch
+bpf-sockmap-avoid-using-sk_socket-after-free-when-se.patch
+netfilter-nft_tunnel-fix-geneve_opt-dump.patch
+net-usb-aqc111-fix-error-handling-of-usbnet-read-cal.patch
+bpf-avoid-__bpf_prog_ret0_warn-when-jit-fails.patch
+net-lan743x-rename-lan743x_reset_phy-to-lan743x_hw_r.patch
+calipso-don-t-call-calipso-functions-for-af_inet-sk.patch
+net-openvswitch-fix-the-dead-loop-of-mpls-parse.patch
+net-phy-mscc-stop-clearing-the-the-udpv4-checksum-fo.patch
+f2fs-use-d_inode-dentry-cleanup-dentry-d_inode.patch
+f2fs-fix-to-correct-check-conditions-in-f2fs_cross_r.patch
+arm-dts-at91-usb_a9263-fix-gpio-for-dataflash-chip-s.patch
+arm-dts-at91-at91sam9263-fix-nand-chip-selects.patch
+arm64-dts-imx8mm-beacon-fix-rtc-capacitive-load.patch
+arm64-dts-imx8mn-beacon-fix-rtc-capacitive-load.patch
+squashfs-check-return-result-of-sb_min_blocksize.patch
+ocfs2-fix-possible-memory-leak-in-ocfs2_finish_quota.patch
+nilfs2-add-pointer-check-for-nilfs_direct_propagate.patch
+nilfs2-do-not-propagate-enoent-error-from-nilfs_btre.patch
+bus-fsl-mc-fix-double-free-on-mc_dev.patch
+arm-dts-qcom-apq8064-merge-hw-splinlock-into-corresp.patch
+arm64-dts-rockchip-disable-unrouted-usb-controllers-.patch
+soc-aspeed-lpc-fix-impossible-judgment-condition.patch
+soc-aspeed-add-null-check-in-aspeed_lpc_enable_snoop.patch
+fbdev-core-fbcvt-avoid-division-by-0-in-fb_cvt_hperi.patch
+randstruct-gcc-plugin-remove-bogus-void-member.patch
+randstruct-gcc-plugin-fix-attribute-addition.patch
+perf-build-warn-when-libdebuginfod-devel-files-are-n.patch
+perf-ui-browser-hists-set-actions-thread-before-call.patch
+backlight-pm8941-add-null-check-in-wled_configure.patch
+perf-scripts-python-exported-sql-viewer.py-fix-patte.patch
+remoteproc-qcom_wcnss_iris-add-missing-put_device-on.patch
+rpmsg-qcom_smd-fix-uninitialized-return-variable-in-.patch
+mfd-exynos-lpass-avoid-calling-exynos_lpass_disable-.patch
+mfd-stmpe-spi-correct-the-name-used-in-module_device.patch
+perf-tests-switch-tracking-fix-timestamp-comparison.patch
+perf-record-fix-incorrect-user-regs-comments.patch
+nfs-clear-sb_rdonly-before-getting-superblock.patch
+nfs-ignore-sb_rdonly-when-remounting-nfs.patch
+rtc-sh-assign-correct-interrupts-with-dt.patch
+pci-cadence-fix-runtime-atomic-count-underflow.patch
+dmaengine-ti-add-null-check-in-udma_probe.patch
+pci-dpc-initialize-aer_err_info-before-using-it.patch
+usb-renesas_usbhs-reorder-clock-handling-and-power-m.patch
+serial-fix-potential-null-ptr-deref-in-mlb_usio_prob.patch
+iio-adc-ad7124-fix-3db-filter-frequency-reading.patch
+mips-loongson64-add-missing-interrupt-cells-for-loon.patch
+vt-remove-vt_resize-and-vt_resizex-from-vt_compat_io.patch
+net-stmmac-platform-guarantee-uniqueness-of-bus_id.patch
+gve-fix-rx_buffers_posted-stat-to-report-per-queue-f.patch
+net-tipc-fix-refcount-warning-in-tipc_aead_encrypt.patch
+driver-net-ethernet-mtk_star_emac-fix-suspend-resume.patch
+net-mlx4_en-prevent-potential-integer-overflow-calcu.patch
+spi-bcm63xx-spi-fix-shared-reset.patch
+spi-bcm63xx-hsspi-fix-shared-reset.patch
+bluetooth-l2cap-fix-not-responding-with-l2cap_cr_le_.patch
+ice-create-new-tx-scheduler-nodes-for-new-queues-onl.patch
+net-dsa-tag_brcm-legacy-fix-pskb_may_pull-length.patch
+vmxnet3-correctly-report-gso-type-for-udp-tunnels.patch
+pm-sleep-fix-power.is_suspended-cleanup-for-direct-c.patch
+gve-add-missing-null-check-for-gve_alloc_pending_pac.patch
+netfilter-nf_set_pipapo_avx2-fix-initial-map-fill.patch
+wireguard-device-enable-threaded-napi.patch
+seg6-fix-validation-of-nexthop-addresses.patch
+fix-propagation-graph-breakage-by-move_mount_set_gro.patch
+do_change_type-refuse-to-operate-on-unmounted-not-ou.patch
--- /dev/null
+From 29cded7b3d778cc92d54593161ca013f7cc20cf5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 May 2025 16:00:44 +0930
+Subject: soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop()
+
+From: Henry Martin <bsdhenrymartin@gmail.com>
+
+[ Upstream commit f1706e0e1a74b095cbc60375b9b1e6205f5f4c98 ]
+
+devm_kasprintf() returns NULL when memory allocation fails. Currently,
+aspeed_lpc_enable_snoop() does not check for this case, which results in a
+NULL pointer dereference.
+
+Add NULL check after devm_kasprintf() to prevent this issue.
+
+Fixes: 3772e5da4454 ("drivers/misc: Aspeed LPC snoop output using misc chardev")
+Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
+Link: https://patch.msgid.link/20250401074647.21300-1-bsdhenrymartin@gmail.com
+[arj: Fix Fixes: tag to use subject from 3772e5da4454]
+Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/aspeed/aspeed-lpc-snoop.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/soc/aspeed/aspeed-lpc-snoop.c b/drivers/soc/aspeed/aspeed-lpc-snoop.c
+index d9bdc2e084086..22619b853f449 100644
+--- a/drivers/soc/aspeed/aspeed-lpc-snoop.c
++++ b/drivers/soc/aspeed/aspeed-lpc-snoop.c
+@@ -201,11 +201,15 @@ static int aspeed_lpc_enable_snoop(struct aspeed_lpc_snoop *lpc_snoop,
+ lpc_snoop->chan[channel].miscdev.minor = MISC_DYNAMIC_MINOR;
+ lpc_snoop->chan[channel].miscdev.name =
+ devm_kasprintf(dev, GFP_KERNEL, "%s%d", DEVICE_NAME, channel);
++ if (!lpc_snoop->chan[channel].miscdev.name) {
++ rc = -ENOMEM;
++ goto err_free_fifo;
++ }
+ lpc_snoop->chan[channel].miscdev.fops = &snoop_fops;
+ lpc_snoop->chan[channel].miscdev.parent = dev;
+ rc = misc_register(&lpc_snoop->chan[channel].miscdev);
+ if (rc)
+- return rc;
++ goto err_free_fifo;
+
+ /* Enable LPC snoop channel at requested port */
+ switch (channel) {
+@@ -222,7 +226,8 @@ static int aspeed_lpc_enable_snoop(struct aspeed_lpc_snoop *lpc_snoop,
+ hicrb_en = HICRB_ENSNP1D;
+ break;
+ default:
+- return -EINVAL;
++ rc = -EINVAL;
++ goto err_misc_deregister;
+ }
+
+ regmap_update_bits(lpc_snoop->regmap, HICR5, hicr5_en, hicr5_en);
+@@ -232,6 +237,12 @@ static int aspeed_lpc_enable_snoop(struct aspeed_lpc_snoop *lpc_snoop,
+ regmap_update_bits(lpc_snoop->regmap, HICRB,
+ hicrb_en, hicrb_en);
+
++ return 0;
++
++err_misc_deregister:
++ misc_deregister(&lpc_snoop->chan[channel].miscdev);
++err_free_fifo:
++ kfifo_free(&lpc_snoop->chan[channel].fifo);
+ return rc;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From c0c3b02e5b17537b9777205b02172fabef8cb120 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 May 2025 16:00:43 +0930
+Subject: soc: aspeed: lpc: Fix impossible judgment condition
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Su Hui <suhui@nfschina.com>
+
+[ Upstream commit d9f0a97e859bdcef51f9c187b1eb712eb13fd3ff ]
+
+smatch error:
+drivers/soc/aspeed/aspeed-lpc-snoop.c:169
+aspeed_lpc_snoop_config_irq() warn: platform_get_irq() does not return zero
+
+platform_get_irq() return non-zero IRQ number or negative error code,
+change '!lpc_snoop->irq' to 'lpc_snoop->irq < 0' to fix this.
+
+Fixes: 9f4f9ae81d0a ("drivers/misc: add Aspeed LPC snoop driver")
+Signed-off-by: Su Hui <suhui@nfschina.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/r/20231027020703.1231875-1-suhui@nfschina.com
+Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/aspeed/aspeed-lpc-snoop.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/soc/aspeed/aspeed-lpc-snoop.c b/drivers/soc/aspeed/aspeed-lpc-snoop.c
+index eceeaf8dfbeba..d9bdc2e084086 100644
+--- a/drivers/soc/aspeed/aspeed-lpc-snoop.c
++++ b/drivers/soc/aspeed/aspeed-lpc-snoop.c
+@@ -167,7 +167,7 @@ static int aspeed_lpc_snoop_config_irq(struct aspeed_lpc_snoop *lpc_snoop,
+ int rc;
+
+ lpc_snoop->irq = platform_get_irq(pdev, 0);
+- if (!lpc_snoop->irq)
++ if (lpc_snoop->irq < 0)
+ return -ENODEV;
+
+ rc = devm_request_irq(dev, lpc_snoop->irq,
+--
+2.39.5
+
--- /dev/null
+From c04911cd5067a02163ee20365ea0c5c47cb9c47b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 May 2025 15:09:15 +0200
+Subject: spi: bcm63xx-hsspi: fix shared reset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Álvaro Fernández Rojas <noltari@gmail.com>
+
+[ Upstream commit 3d6d84c8f2f66d3fd6a43a1e2ce8e6b54c573960 ]
+
+Some bmips SoCs (bcm6362, bcm63268) share the same SPI reset for both SPI
+and HSSPI controllers, so reset shouldn't be exclusive.
+
+Fixes: 0eeadddbf09a ("spi: bcm63xx-hsspi: add reset support")
+Reported-by: Jonas Gorski <jonas.gorski@gmail.com>
+Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://patch.msgid.link/20250529130915.2519590-3-noltari@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-bcm63xx-hsspi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-bcm63xx-hsspi.c b/drivers/spi/spi-bcm63xx-hsspi.c
+index 02f56fc001b47..7d8e5c66f6d17 100644
+--- a/drivers/spi/spi-bcm63xx-hsspi.c
++++ b/drivers/spi/spi-bcm63xx-hsspi.c
+@@ -357,7 +357,7 @@ static int bcm63xx_hsspi_probe(struct platform_device *pdev)
+ if (IS_ERR(clk))
+ return PTR_ERR(clk);
+
+- reset = devm_reset_control_get_optional_exclusive(dev, NULL);
++ reset = devm_reset_control_get_optional_shared(dev, NULL);
+ if (IS_ERR(reset))
+ return PTR_ERR(reset);
+
+--
+2.39.5
+
--- /dev/null
+From 7f8bc53596f327a81ea32700b5bdd76e04fe511d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 May 2025 15:09:14 +0200
+Subject: spi: bcm63xx-spi: fix shared reset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Álvaro Fernández Rojas <noltari@gmail.com>
+
+[ Upstream commit 5ad20e3d8cfe3b2e42bbddc7e0ebaa74479bb589 ]
+
+Some bmips SoCs (bcm6362, bcm63268) share the same SPI reset for both SPI
+and HSSPI controllers, so reset shouldn't be exclusive.
+
+Fixes: 38807adeaf1e ("spi: bcm63xx-spi: add reset support")
+Reported-by: Jonas Gorski <jonas.gorski@gmail.com>
+Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://patch.msgid.link/20250529130915.2519590-2-noltari@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-bcm63xx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-bcm63xx.c b/drivers/spi/spi-bcm63xx.c
+index 695ac74571286..2f2a130464651 100644
+--- a/drivers/spi/spi-bcm63xx.c
++++ b/drivers/spi/spi-bcm63xx.c
+@@ -533,7 +533,7 @@ static int bcm63xx_spi_probe(struct platform_device *pdev)
+ return PTR_ERR(clk);
+ }
+
+- reset = devm_reset_control_get_optional_exclusive(dev, NULL);
++ reset = devm_reset_control_get_optional_shared(dev, NULL);
+ if (IS_ERR(reset))
+ return PTR_ERR(reset);
+
+--
+2.39.5
+
--- /dev/null
+From 2a05df65339719fea6a5dc67bbf61f760f4fd7b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 May 2025 15:32:06 +0200
+Subject: spi: sh-msiof: Fix maximum DMA transfer size
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 0941d5166629cb766000530945e54b4e49680c68 ]
+
+The maximum amount of data to transfer in a single DMA request is
+calculated from the FIFO sizes (which is technically not 100% correct,
+but a simplification, as it is limited by the maximum word count values
+in the Transmit and Control Data Registers). However, in case there is
+both data to transmit and to receive, the transmit limit is overwritten
+by the receive limit.
+
+Fix this by using the minimum applicable FIFO size instead. Move the
+calculation outside the loop, so it is not repeated for each individual
+DMA transfer.
+
+As currently tx_fifo_size is always equal to rx_fifo_size, this bug had
+no real impact.
+
+Fixes: fe78d0b7691c0274 ("spi: sh-msiof: Fix FIFO size to 64 word from 256 word")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://patch.msgid.link/d9961767a97758b2614f2ee8afe1bd56dc900a60.1747401908.git.geert+renesas@glider.be
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-sh-msiof.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/spi/spi-sh-msiof.c b/drivers/spi/spi-sh-msiof.c
+index b7b3ec76e2cbd..f118dff626d0b 100644
+--- a/drivers/spi/spi-sh-msiof.c
++++ b/drivers/spi/spi-sh-msiof.c
+@@ -919,6 +919,7 @@ static int sh_msiof_transfer_one(struct spi_controller *ctlr,
+ void *rx_buf = t->rx_buf;
+ unsigned int len = t->len;
+ unsigned int bits = t->bits_per_word;
++ unsigned int max_wdlen = 256;
+ unsigned int bytes_per_word;
+ unsigned int words;
+ int n;
+@@ -932,17 +933,17 @@ static int sh_msiof_transfer_one(struct spi_controller *ctlr,
+ if (!spi_controller_is_slave(p->ctlr))
+ sh_msiof_spi_set_clk_regs(p, t);
+
++ if (tx_buf)
++ max_wdlen = min(max_wdlen, p->tx_fifo_size);
++ if (rx_buf)
++ max_wdlen = min(max_wdlen, p->rx_fifo_size);
++
+ while (ctlr->dma_tx && len > 15) {
+ /*
+ * DMA supports 32-bit words only, hence pack 8-bit and 16-bit
+ * words, with byte resp. word swapping.
+ */
+- unsigned int l = 0;
+-
+- if (tx_buf)
+- l = min(round_down(len, 4), p->tx_fifo_size * 4);
+- if (rx_buf)
+- l = min(round_down(len, 4), p->rx_fifo_size * 4);
++ unsigned int l = min(round_down(len, 4), max_wdlen * 4);
+
+ if (bits <= 8) {
+ copy32 = copy_bswap32;
+--
+2.39.5
+
--- /dev/null
+From 0390e06dad66ff4d7273c895639d8379d51ce2a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Apr 2025 03:47:47 +0100
+Subject: Squashfs: check return result of sb_min_blocksize
+
+From: Phillip Lougher <phillip@squashfs.org.uk>
+
+[ Upstream commit 734aa85390ea693bb7eaf2240623d41b03705c84 ]
+
+Syzkaller reports an "UBSAN: shift-out-of-bounds in squashfs_bio_read" bug.
+
+Syzkaller forks multiple processes which after mounting the Squashfs
+filesystem, issues an ioctl("/dev/loop0", LOOP_SET_BLOCK_SIZE, 0x8000).
+Now if this ioctl occurs at the same time another process is in the
+process of mounting a Squashfs filesystem on /dev/loop0, the failure
+occurs. When this happens the following code in squashfs_fill_super()
+fails.
+
+----
+msblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE);
+msblk->devblksize_log2 = ffz(~msblk->devblksize);
+----
+
+sb_min_blocksize() returns 0, which means msblk->devblksize is set to 0.
+
+As a result, ffz(~msblk->devblksize) returns 64, and msblk->devblksize_log2
+is set to 64.
+
+This subsequently causes the
+
+UBSAN: shift-out-of-bounds in fs/squashfs/block.c:195:36
+shift exponent 64 is too large for 64-bit type 'u64' (aka
+'unsigned long long')
+
+This commit adds a check for a 0 return by sb_min_blocksize().
+
+Link: https://lkml.kernel.org/r/20250409024747.876480-1-phillip@squashfs.org.uk
+Fixes: 0aa666190509 ("Squashfs: super block operations")
+Reported-by: syzbot+65761fc25a137b9c8c6e@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/67f0dd7a.050a0220.0a13.0230.GAE@google.com/
+Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/squashfs/super.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/fs/squashfs/super.c b/fs/squashfs/super.c
+index 60d6951915f44..5108740f9653c 100644
+--- a/fs/squashfs/super.c
++++ b/fs/squashfs/super.c
+@@ -136,6 +136,11 @@ static int squashfs_fill_super(struct super_block *sb, struct fs_context *fc)
+ msblk->panic_on_errors = (opts->errors == Opt_errors_panic);
+
+ msblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE);
++ if (!msblk->devblksize) {
++ errorf(fc, "squashfs: unable to set blocksize\n");
++ return -EINVAL;
++ }
++
+ msblk->devblksize_log2 = ffz(~msblk->devblksize);
+
+ mutex_init(&msblk->meta_index_mutex);
+--
+2.39.5
+
--- /dev/null
+From 76db24c55291950b3f279c78740e8e900eb08e01 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Apr 2025 11:50:02 +0100
+Subject: usb: renesas_usbhs: Reorder clock handling and power management in
+ probe
+
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+
+[ Upstream commit ffb34a60ce86656ba12d46e91f1ccc71dd221251 ]
+
+Reorder the initialization sequence in `usbhs_probe()` to enable runtime
+PM before accessing registers, preventing potential crashes due to
+uninitialized clocks.
+
+Currently, in the probe path, registers are accessed before enabling the
+clocks, leading to a synchronous external abort on the RZ/V2H SoC.
+The problematic call flow is as follows:
+
+ usbhs_probe()
+ usbhs_sys_clock_ctrl()
+ usbhs_bset()
+ usbhs_write()
+ iowrite16() <-- Register access before enabling clocks
+
+Since `iowrite16()` is performed without ensuring the required clocks are
+enabled, this can lead to access errors. To fix this, enable PM runtime
+early in the probe function and ensure clocks are acquired before register
+access, preventing crashes like the following on RZ/V2H:
+
+[13.272640] Internal error: synchronous external abort: 0000000096000010 [#1] PREEMPT SMP
+[13.280814] Modules linked in: cec renesas_usbhs(+) drm_kms_helper fuse drm backlight ipv6
+[13.289088] CPU: 1 UID: 0 PID: 195 Comm: (udev-worker) Not tainted 6.14.0-rc7+ #98
+[13.296640] Hardware name: Renesas RZ/V2H EVK Board based on r9a09g057h44 (DT)
+[13.303834] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[13.310770] pc : usbhs_bset+0x14/0x4c [renesas_usbhs]
+[13.315831] lr : usbhs_probe+0x2e4/0x5ac [renesas_usbhs]
+[13.321138] sp : ffff8000827e3850
+[13.324438] x29: ffff8000827e3860 x28: 0000000000000000 x27: ffff8000827e3ca0
+[13.331554] x26: ffff8000827e3ba0 x25: ffff800081729668 x24: 0000000000000025
+[13.338670] x23: ffff0000c0f08000 x22: 0000000000000000 x21: ffff0000c0f08010
+[13.345783] x20: 0000000000000000 x19: ffff0000c3b52080 x18: 00000000ffffffff
+[13.352895] x17: 0000000000000000 x16: 0000000000000000 x15: ffff8000827e36ce
+[13.360009] x14: 00000000000003d7 x13: 00000000000003d7 x12: 0000000000000000
+[13.367122] x11: 0000000000000000 x10: 0000000000000aa0 x9 : ffff8000827e3750
+[13.374235] x8 : ffff0000c1850b00 x7 : 0000000003826060 x6 : 000000000000001c
+[13.381347] x5 : 000000030d5fcc00 x4 : ffff8000825c0000 x3 : 0000000000000000
+[13.388459] x2 : 0000000000000400 x1 : 0000000000000000 x0 : ffff0000c3b52080
+[13.395574] Call trace:
+[13.398013] usbhs_bset+0x14/0x4c [renesas_usbhs] (P)
+[13.403076] platform_probe+0x68/0xdc
+[13.406738] really_probe+0xbc/0x2c0
+[13.410306] __driver_probe_device+0x78/0x120
+[13.414653] driver_probe_device+0x3c/0x154
+[13.418825] __driver_attach+0x90/0x1a0
+[13.422647] bus_for_each_dev+0x7c/0xe0
+[13.426470] driver_attach+0x24/0x30
+[13.430032] bus_add_driver+0xe4/0x208
+[13.433766] driver_register+0x68/0x130
+[13.437587] __platform_driver_register+0x24/0x30
+[13.442273] renesas_usbhs_driver_init+0x20/0x1000 [renesas_usbhs]
+[13.448450] do_one_initcall+0x60/0x1d4
+[13.452276] do_init_module+0x54/0x1f8
+[13.456014] load_module+0x1754/0x1c98
+[13.459750] init_module_from_file+0x88/0xcc
+[13.464004] __arm64_sys_finit_module+0x1c4/0x328
+[13.468689] invoke_syscall+0x48/0x104
+[13.472426] el0_svc_common.constprop.0+0xc0/0xe0
+[13.477113] do_el0_svc+0x1c/0x28
+[13.480415] el0_svc+0x30/0xcc
+[13.483460] el0t_64_sync_handler+0x10c/0x138
+[13.487800] el0t_64_sync+0x198/0x19c
+[13.491453] Code: 2a0103e1 12003c42 12003c63 8b010084 (79400084)
+[13.497522] ---[ end trace 0000000000000000 ]---
+
+Fixes: f1407d5c66240 ("usb: renesas_usbhs: Add Renesas USBHS common code")
+Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Tested-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Link: https://lore.kernel.org/r/20250407105002.107181-4-prabhakar.mahadev-lad.rj@bp.renesas.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/renesas_usbhs/common.c | 50 +++++++++++++++++++++++-------
+ 1 file changed, 38 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/usb/renesas_usbhs/common.c b/drivers/usb/renesas_usbhs/common.c
+index df679908b8d21..23d160ef4cd22 100644
+--- a/drivers/usb/renesas_usbhs/common.c
++++ b/drivers/usb/renesas_usbhs/common.c
+@@ -678,10 +678,29 @@ static int usbhs_probe(struct platform_device *pdev)
+ INIT_DELAYED_WORK(&priv->notify_hotplug_work, usbhsc_notify_hotplug);
+ spin_lock_init(usbhs_priv_to_lock(priv));
+
++ /*
++ * Acquire clocks and enable power management (PM) early in the
++ * probe process, as the driver accesses registers during
++ * initialization. Ensure the device is active before proceeding.
++ */
++ pm_runtime_enable(dev);
++
++ ret = usbhsc_clk_get(dev, priv);
++ if (ret)
++ goto probe_pm_disable;
++
++ ret = pm_runtime_resume_and_get(dev);
++ if (ret)
++ goto probe_clk_put;
++
++ ret = usbhsc_clk_prepare_enable(priv);
++ if (ret)
++ goto probe_pm_put;
++
+ /* call pipe and module init */
+ ret = usbhs_pipe_probe(priv);
+ if (ret < 0)
+- return ret;
++ goto probe_clk_dis_unprepare;
+
+ ret = usbhs_fifo_probe(priv);
+ if (ret < 0)
+@@ -698,10 +717,6 @@ static int usbhs_probe(struct platform_device *pdev)
+ if (ret)
+ goto probe_fail_rst;
+
+- ret = usbhsc_clk_get(dev, priv);
+- if (ret)
+- goto probe_fail_clks;
+-
+ /*
+ * deviece reset here because
+ * USB device might be used in boot loader.
+@@ -714,7 +729,7 @@ static int usbhs_probe(struct platform_device *pdev)
+ if (ret) {
+ dev_warn(dev, "USB function not selected (GPIO)\n");
+ ret = -ENOTSUPP;
+- goto probe_end_mod_exit;
++ goto probe_assert_rest;
+ }
+ }
+
+@@ -728,14 +743,19 @@ static int usbhs_probe(struct platform_device *pdev)
+ ret = usbhs_platform_call(priv, hardware_init, pdev);
+ if (ret < 0) {
+ dev_err(dev, "platform init failed.\n");
+- goto probe_end_mod_exit;
++ goto probe_assert_rest;
+ }
+
+ /* reset phy for connection */
+ usbhs_platform_call(priv, phy_reset, pdev);
+
+- /* power control */
+- pm_runtime_enable(dev);
++ /*
++ * Disable the clocks that were enabled earlier in the probe path,
++ * and let the driver handle the clocks beyond this point.
++ */
++ usbhsc_clk_disable_unprepare(priv);
++ pm_runtime_put(dev);
++
+ if (!usbhs_get_dparam(priv, runtime_pwctrl)) {
+ usbhsc_power_ctrl(priv, 1);
+ usbhs_mod_autonomy_mode(priv);
+@@ -752,9 +772,7 @@ static int usbhs_probe(struct platform_device *pdev)
+
+ return ret;
+
+-probe_end_mod_exit:
+- usbhsc_clk_put(priv);
+-probe_fail_clks:
++probe_assert_rest:
+ reset_control_assert(priv->rsts);
+ probe_fail_rst:
+ usbhs_mod_remove(priv);
+@@ -762,6 +780,14 @@ static int usbhs_probe(struct platform_device *pdev)
+ usbhs_fifo_remove(priv);
+ probe_end_pipe_exit:
+ usbhs_pipe_remove(priv);
++probe_clk_dis_unprepare:
++ usbhsc_clk_disable_unprepare(priv);
++probe_pm_put:
++ pm_runtime_put(dev);
++probe_clk_put:
++ usbhsc_clk_put(priv);
++probe_pm_disable:
++ pm_runtime_disable(dev);
+
+ dev_info(dev, "probe failed (%d)\n", ret);
+
+--
+2.39.5
+
--- /dev/null
+From 48b6c86f64dd489e17be15c9fb9ea2da0106da5f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 May 2025 11:46:47 +0800
+Subject: vfio/type1: Fix error unwind in migration dirty bitmap allocation
+
+From: Li RongQing <lirongqing@baidu.com>
+
+[ Upstream commit 4518e5a60c7fbf0cdff393c2681db39d77b4f87e ]
+
+When setting up dirty page tracking at the vfio IOMMU backend for
+device migration, if an error is encountered allocating a tracking
+bitmap, the unwind loop fails to free previously allocated tracking
+bitmaps. This occurs because the wrong loop index is used to
+generate the tracking object. This results in unintended memory
+usage for the life of the current DMA mappings where bitmaps were
+successfully allocated.
+
+Use the correct loop index to derive the tracking object for
+freeing during unwind.
+
+Fixes: d6a4c185660c ("vfio iommu: Implementation of ioctl for dirty pages tracking")
+Signed-off-by: Li RongQing <lirongqing@baidu.com>
+Link: https://lore.kernel.org/r/20250521034647.2877-1-lirongqing@baidu.com
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/vfio_iommu_type1.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
+index 66bbb125d7615..6a89bbec738f6 100644
+--- a/drivers/vfio/vfio_iommu_type1.c
++++ b/drivers/vfio/vfio_iommu_type1.c
+@@ -303,7 +303,7 @@ static int vfio_dma_bitmap_alloc_all(struct vfio_iommu *iommu, size_t pgsize)
+ struct rb_node *p;
+
+ for (p = rb_prev(n); p; p = rb_prev(p)) {
+- struct vfio_dma *dma = rb_entry(n,
++ struct vfio_dma *dma = rb_entry(p,
+ struct vfio_dma, node);
+
+ vfio_dma_bitmap_free(dma);
+--
+2.39.5
+
--- /dev/null
+From 3a67010e9675a9331ec725de8fef1aa0f978a478 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 May 2025 15:27:00 +0000
+Subject: vmxnet3: correctly report gso type for UDP tunnels
+
+From: Ronak Doshi <ronak.doshi@broadcom.com>
+
+[ Upstream commit 982d30c30eaa2ec723df42e3bf526c014c1dbb88 ]
+
+Commit 3d010c8031e3 ("udp: do not accept non-tunnel GSO skbs landing
+in a tunnel") added checks in linux stack to not accept non-tunnel
+GRO packets landing in a tunnel. This exposed an issue in vmxnet3
+which was not correctly reporting GRO packets for tunnel packets.
+
+This patch fixes this issue by setting correct GSO type for the
+tunnel packets.
+
+Currently, vmxnet3 does not support reporting inner fields for LRO
+tunnel packets. The issue is not seen for egress drivers that do not
+use skb inner fields. The workaround is to enable tnl-segmentation
+offload on the egress interfaces if the driver supports it. This
+problem pre-exists this patch fix and can be addressed as a separate
+future patch.
+
+Fixes: dacce2be3312 ("vmxnet3: add geneve and vxlan tunnel offload support")
+Signed-off-by: Ronak Doshi <ronak.doshi@broadcom.com>
+Acked-by: Guolin Yang <guolin.yang@broadcom.com>
+Link: https://patch.msgid.link/20250530152701.70354-1-ronak.doshi@broadcom.com
+[pabeni@redhat.com: dropped the changelog]
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vmxnet3/vmxnet3_drv.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c
+index b88092a6bc851..78d8c04b00a7f 100644
+--- a/drivers/net/vmxnet3/vmxnet3_drv.c
++++ b/drivers/net/vmxnet3/vmxnet3_drv.c
+@@ -1361,6 +1361,30 @@ vmxnet3_get_hdr_len(struct vmxnet3_adapter *adapter, struct sk_buff *skb,
+ return (hlen + (hdr.tcp->doff << 2));
+ }
+
++static void
++vmxnet3_lro_tunnel(struct sk_buff *skb, __be16 ip_proto)
++{
++ struct udphdr *uh = NULL;
++
++ if (ip_proto == htons(ETH_P_IP)) {
++ struct iphdr *iph = (struct iphdr *)skb->data;
++
++ if (iph->protocol == IPPROTO_UDP)
++ uh = (struct udphdr *)(iph + 1);
++ } else {
++ struct ipv6hdr *iph = (struct ipv6hdr *)skb->data;
++
++ if (iph->nexthdr == IPPROTO_UDP)
++ uh = (struct udphdr *)(iph + 1);
++ }
++ if (uh) {
++ if (uh->check)
++ skb_shinfo(skb)->gso_type |= SKB_GSO_UDP_TUNNEL_CSUM;
++ else
++ skb_shinfo(skb)->gso_type |= SKB_GSO_UDP_TUNNEL;
++ }
++}
++
+ static int
+ vmxnet3_rq_rx_complete(struct vmxnet3_rx_queue *rq,
+ struct vmxnet3_adapter *adapter, int quota)
+@@ -1615,6 +1639,8 @@ vmxnet3_rq_rx_complete(struct vmxnet3_rx_queue *rq,
+ if (segCnt != 0 && mss != 0) {
+ skb_shinfo(skb)->gso_type = rcd->v4 ?
+ SKB_GSO_TCPV4 : SKB_GSO_TCPV6;
++ if (encap_lro)
++ vmxnet3_lro_tunnel(skb, skb->protocol);
+ skb_shinfo(skb)->gso_size = mss;
+ skb_shinfo(skb)->gso_segs = segCnt;
+ } else if ((segCnt != 0 || skb->len > mtu) && !encap_lro) {
+--
+2.39.5
+
--- /dev/null
+From 8b03179dface9ac532bac1a91aaa25c4c1b7de4c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 May 2025 11:30:52 -0400
+Subject: vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl()
+
+From: Nicolas Pitre <npitre@baylibre.com>
+
+[ Upstream commit c4c7ead7b86c1e7f11c64915b7e5bb6d2e242691 ]
+
+They are listed amon those cmd values that "treat 'arg' as an integer"
+which is wrong. They should instead fall into the default case. Probably
+nobody ever relied on that code since 2009 but still.
+
+Fixes: e92166517e3c ("tty: handle VT specific compat ioctls in vt driver")
+Signed-off-by: Nicolas Pitre <npitre@baylibre.com>
+Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
+Link: https://lore.kernel.org/r/pr214s15-36r8-6732-2pop-159nq85o48r7@syhkavp.arg
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/vt/vt_ioctl.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/tty/vt/vt_ioctl.c b/drivers/tty/vt/vt_ioctl.c
+index 58013698635f0..fadecf3485862 100644
+--- a/drivers/tty/vt/vt_ioctl.c
++++ b/drivers/tty/vt/vt_ioctl.c
+@@ -1103,8 +1103,6 @@ long vt_compat_ioctl(struct tty_struct *tty,
+ case VT_WAITACTIVE:
+ case VT_RELDISP:
+ case VT_DISALLOCATE:
+- case VT_RESIZE:
+- case VT_RESIZEX:
+ return vt_ioctl(tty, cmd, arg);
+
+ /*
+--
+2.39.5
+
--- /dev/null
+From baa2c9ac0b70c0c13e7054753bd1cf8b0388c6d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Mar 2025 13:31:45 +0800
+Subject: wifi: ath11k: fix node corruption in ar->arvifs list
+
+From: Stone Zhang <quic_stonez@quicinc.com>
+
+[ Upstream commit 31e98e277ae47f56632e4d663b1d4fd12ba33ea8 ]
+
+In current WLAN recovery code flow, ath11k_core_halt() only
+reinitializes the "arvifs" list head. This will cause the
+list node immediately following the list head to become an
+invalid list node. Because the prev of that node still points
+to the list head "arvifs", but the next of the list head "arvifs"
+no longer points to that list node.
+
+When a WLAN recovery occurs during the execution of a vif
+removal, and it happens before the spin_lock_bh(&ar->data_lock)
+in ath11k_mac_op_remove_interface(), list_del() will detect the
+previously mentioned situation, thereby triggering a kernel panic.
+
+The fix is to remove and reinitialize all vif list nodes from the
+list head "arvifs" during WLAN halt. The reinitialization is to make
+the list nodes valid, ensuring that the list_del() in
+ath11k_mac_op_remove_interface() can execute normally.
+
+Call trace:
+__list_del_entry_valid_or_report+0xb8/0xd0
+ath11k_mac_op_remove_interface+0xb0/0x27c [ath11k]
+drv_remove_interface+0x48/0x194 [mac80211]
+ieee80211_do_stop+0x6e0/0x844 [mac80211]
+ieee80211_stop+0x44/0x17c [mac80211]
+__dev_close_many+0xac/0x150
+__dev_change_flags+0x194/0x234
+dev_change_flags+0x24/0x6c
+devinet_ioctl+0x3a0/0x670
+inet_ioctl+0x200/0x248
+sock_do_ioctl+0x60/0x118
+sock_ioctl+0x274/0x35c
+__arm64_sys_ioctl+0xac/0xf0
+invoke_syscall+0x48/0x114
+...
+
+Tested-on: QCA6698AQ hw2.1 PCI WLAN.HSP.1.1-04591-QCAHSPSWPL_V1_V2_SILICONZ_IOE-1
+
+Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
+Signed-off-by: Stone Zhang <quic_stonez@quicinc.com>
+Link: https://patch.msgid.link/20250320053145.3445187-1-quic_stonez@quicinc.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/core.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c
+index 48a449fbd2bcc..e86ecdf433de5 100644
+--- a/drivers/net/wireless/ath/ath11k/core.c
++++ b/drivers/net/wireless/ath/ath11k/core.c
+@@ -968,6 +968,7 @@ static int ath11k_core_reconfigure_on_crash(struct ath11k_base *ab)
+ void ath11k_core_halt(struct ath11k *ar)
+ {
+ struct ath11k_base *ab = ar->ab;
++ struct list_head *pos, *n;
+
+ lockdep_assert_held(&ar->conf_mutex);
+
+@@ -981,7 +982,12 @@ void ath11k_core_halt(struct ath11k *ar)
+
+ rcu_assign_pointer(ab->pdevs_active[ar->pdev_idx], NULL);
+ synchronize_rcu();
+- INIT_LIST_HEAD(&ar->arvifs);
++
++ spin_lock_bh(&ar->data_lock);
++ list_for_each_safe(pos, n, &ar->arvifs)
++ list_del_init(pos);
++ spin_unlock_bh(&ar->data_lock);
++
+ idr_init(&ar->txmgmt_idr);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 1f819e83618563c1adcc5f5ec2d79458159beba7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Apr 2025 13:22:16 +0200
+Subject: wifi: ath9k_htc: Abort software beacon handling if disabled
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Toke Høiland-Jørgensen <toke@toke.dk>
+
+[ Upstream commit ac4e317a95a1092b5da5b9918b7118759342641c ]
+
+A malicious USB device can send a WMI_SWBA_EVENTID event from an
+ath9k_htc-managed device before beaconing has been enabled. This causes
+a device-by-zero error in the driver, leading to either a crash or an
+out of bounds read.
+
+Prevent this by aborting the handling in ath9k_htc_swba() if beacons are
+not enabled.
+
+Reported-by: Robert Morris <rtm@csail.mit.edu>
+Closes: https://lore.kernel.org/r/88967.1743099372@localhost
+Fixes: 832f6a18fc2a ("ath9k_htc: Add beacon slots")
+Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Link: https://patch.msgid.link/20250402112217.58533-1-toke@toke.dk
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/htc_drv_beacon.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c b/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c
+index c745897aa3d6c..259a36b4c7cb0 100644
+--- a/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c
++++ b/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c
+@@ -290,6 +290,9 @@ void ath9k_htc_swba(struct ath9k_htc_priv *priv,
+ struct ath_common *common = ath9k_hw_common(priv->ah);
+ int slot;
+
++ if (!priv->cur_beacon_conf.enable_beacon)
++ return;
++
+ if (swba->beacon_pending != 0) {
+ priv->beacon.bmisscnt++;
+ if (priv->beacon.bmisscnt > BSTUCK_THRESHOLD) {
+--
+2.39.5
+
--- /dev/null
+From ea3fd39dcad92358dc515206d4eb76b6d933d57f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Apr 2025 12:07:20 +0300
+Subject: wifi: rtw88: do not ignore hardware read error during DPK
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit 20d3c19bd8f9b498173c198eadf54580c8caa336 ]
+
+In 'rtw8822c_dpk_cal_coef1()', do not ignore error returned
+by 'check_hw_ready()' but issue a warning to denote possible
+DPK issue. Compile tested only.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 5227c2ee453d ("rtw88: 8822c: add SW DPK support")
+Suggested-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20250415090720.194048-1-dmantipov@yandex.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw88/rtw8822c.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtw88/rtw8822c.c b/drivers/net/wireless/realtek/rtw88/rtw8822c.c
+index b799655d08e15..96b7f2efeaaa9 100644
+--- a/drivers/net/wireless/realtek/rtw88/rtw8822c.c
++++ b/drivers/net/wireless/realtek/rtw88/rtw8822c.c
+@@ -3946,7 +3946,8 @@ static void rtw8822c_dpk_cal_coef1(struct rtw_dev *rtwdev)
+ rtw_write32(rtwdev, REG_NCTL0, 0x00001148);
+ rtw_write32(rtwdev, REG_NCTL0, 0x00001149);
+
+- check_hw_ready(rtwdev, 0x2d9c, MASKBYTE0, 0x55);
++ if (!check_hw_ready(rtwdev, 0x2d9c, MASKBYTE0, 0x55))
++ rtw_warn(rtwdev, "DPK stuck, performance may be suboptimal");
+
+ rtw_write8(rtwdev, 0x1b10, 0x0);
+ rtw_write32_mask(rtwdev, REG_NCTL0, BIT_SUBPAGE, 0x0000000c);
+--
+2.39.5
+
--- /dev/null
+From 0f66f613f9e5dc5ffd4304e7bb6a71b7e801bd76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 May 2025 12:13:04 +0000
+Subject: wifi: rtw88: fix the 'para' buffer size to avoid reading out of
+ bounds
+
+From: Alexey Kodanev <aleksei.kodanev@bell-sw.com>
+
+[ Upstream commit 4c2c372de2e108319236203cce6de44d70ae15cd ]
+
+Set the size to 6 instead of 2, since 'para' array is passed to
+'rtw_fw_bt_wifi_control(rtwdev, para[0], ¶[1])', which reads
+5 bytes:
+
+void rtw_fw_bt_wifi_control(struct rtw_dev *rtwdev, u8 op_code, u8 *data)
+{
+ ...
+ SET_BT_WIFI_CONTROL_DATA1(h2c_pkt, *data);
+ SET_BT_WIFI_CONTROL_DATA2(h2c_pkt, *(data + 1));
+ ...
+ SET_BT_WIFI_CONTROL_DATA5(h2c_pkt, *(data + 4));
+
+Detected using the static analysis tool - Svace.
+Fixes: 4136214f7c46 ("rtw88: add BT co-existence support")
+Signed-off-by: Alexey Kodanev <aleksei.kodanev@bell-sw.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20250513121304.124141-1-aleksei.kodanev@bell-sw.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw88/coex.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtw88/coex.c b/drivers/net/wireless/realtek/rtw88/coex.c
+index 347fc36068edb..a37c963146a26 100644
+--- a/drivers/net/wireless/realtek/rtw88/coex.c
++++ b/drivers/net/wireless/realtek/rtw88/coex.c
+@@ -305,7 +305,7 @@ static void rtw_coex_tdma_timer_base(struct rtw_dev *rtwdev, u8 type)
+ {
+ struct rtw_coex *coex = &rtwdev->coex;
+ struct rtw_coex_stat *coex_stat = &coex->stat;
+- u8 para[2] = {0};
++ u8 para[6] = {};
+ u8 times;
+ u16 tbtt_interval = coex_stat->wl_beacon_interval;
+
+--
+2.39.5
+
--- /dev/null
+From d9bfa61e54bf937c167f3a5c255bbd8ac08c2b6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Jun 2025 14:06:16 +0200
+Subject: wireguard: device: enable threaded NAPI
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mirco Barone <mirco.barone@polito.it>
+
+[ Upstream commit db9ae3b6b43c79b1ba87eea849fd65efa05b4b2e ]
+
+Enable threaded NAPI by default for WireGuard devices in response to low
+performance behavior that we observed when multiple tunnels (and thus
+multiple wg devices) are deployed on a single host. This affects any
+kind of multi-tunnel deployment, regardless of whether the tunnels share
+the same endpoints or not (i.e., a VPN concentrator type of gateway
+would also be affected).
+
+The problem is caused by the fact that, in case of a traffic surge that
+involves multiple tunnels at the same time, the polling of the NAPI
+instance of all these wg devices tends to converge onto the same core,
+causing underutilization of the CPU and bottlenecking performance.
+
+This happens because NAPI polling is hosted by default in softirq
+context, but the WireGuard driver only raises this softirq after the rx
+peer queue has been drained, which doesn't happen during high traffic.
+In this case, the softirq already active on a core is reused instead of
+raising a new one.
+
+As a result, once two or more tunnel softirqs have been scheduled on
+the same core, they remain pinned there until the surge ends.
+
+In our experiments, this almost always leads to all tunnel NAPIs being
+handled on a single core shortly after a surge begins, limiting
+scalability to less than 3× the performance of a single tunnel, despite
+plenty of unused CPU cores being available.
+
+The proposed mitigation is to enable threaded NAPI for all WireGuard
+devices. This moves the NAPI polling context to a dedicated per-device
+kernel thread, allowing the scheduler to balance the load across all
+available cores.
+
+On our 32-core gateways, enabling threaded NAPI yields a ~4× performance
+improvement with 16 tunnels, increasing throughput from ~13 Gbps to
+~48 Gbps. Meanwhile, CPU usage on the receiver (which is the bottleneck)
+jumps from 20% to 100%.
+
+We have found no performance regressions in any scenario we tested.
+Single-tunnel throughput remains unchanged.
+
+More details are available in our Netdev paper.
+
+Link: https://netdevconf.info/0x18/docs/netdev-0x18-paper23-talk-paper.pdf
+Signed-off-by: Mirco Barone <mirco.barone@polito.it>
+Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Link: https://patch.msgid.link/20250605120616.2808744-1-Jason@zx2c4.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireguard/device.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireguard/device.c b/drivers/net/wireguard/device.c
+index e5e344af34237..7bf1ec4ccaa98 100644
+--- a/drivers/net/wireguard/device.c
++++ b/drivers/net/wireguard/device.c
+@@ -352,6 +352,7 @@ static int wg_newlink(struct net *src_net, struct net_device *dev,
+ if (ret < 0)
+ goto err_free_handshake_queue;
+
++ dev_set_threaded(dev, true);
+ ret = register_netdevice(dev);
+ if (ret < 0)
+ goto err_uninit_ratelimiter;
+--
+2.39.5
+
--- /dev/null
+From 164637338e9db1ae3f1f6b61e6c583ea710064dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 May 2025 07:04:13 +0200
+Subject: x86/cpu: Sanitize CPUID(0x80000000) output
+
+From: Ahmed S. Darwish <darwi@linutronix.de>
+
+[ Upstream commit cc663ba3fe383a628a812f893cc98aafff39ab04 ]
+
+CPUID(0x80000000).EAX returns the max extended CPUID leaf available. On
+x86-32 machines without an extended CPUID range, a CPUID(0x80000000)
+query will just repeat the output of the last valid standard CPUID leaf
+on the CPU; i.e., a garbage values. Current tip:x86/cpu code protects against
+this by doing:
+
+ eax = cpuid_eax(0x80000000);
+ c->extended_cpuid_level = eax;
+
+ if ((eax & 0xffff0000) == 0x80000000) {
+ // CPU has an extended CPUID range. Check for 0x80000001
+ if (eax >= 0x80000001) {
+ cpuid(0x80000001, ...);
+ }
+ }
+
+This is correct so far. Afterwards though, the same possibly broken EAX
+value is used to check the availability of other extended CPUID leaves:
+
+ if (c->extended_cpuid_level >= 0x80000007)
+ ...
+ if (c->extended_cpuid_level >= 0x80000008)
+ ...
+ if (c->extended_cpuid_level >= 0x8000000a)
+ ...
+ if (c->extended_cpuid_level >= 0x8000001f)
+ ...
+
+which is invalid. Fix this by immediately setting the CPU's max extended
+CPUID leaf to zero if CPUID(0x80000000).EAX doesn't indicate a valid
+CPUID extended range.
+
+While at it, add a comment, similar to kernel/head_32.S, clarifying the
+CPUID(0x80000000) sanity check.
+
+References: 8a50e5135af0 ("x86-32: Use symbolic constants, safer CPUID when enabling EFER.NX")
+Fixes: 3da99c977637 ("x86: make (early)_identify_cpu more the same between 32bit and 64 bit")
+Signed-off-by: Ahmed S. Darwish <darwi@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Andrew Cooper <andrew.cooper3@citrix.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: John Ogness <john.ogness@linutronix.de>
+Cc: x86-cpuid@lists.linux.dev
+Link: https://lore.kernel.org/r/20250506050437.10264-3-darwi@linutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/common.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
+index dc15568e14d93..8db11483e1e15 100644
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -937,17 +937,18 @@ void get_cpu_cap(struct cpuinfo_x86 *c)
+ c->x86_capability[CPUID_D_1_EAX] = eax;
+ }
+
+- /* AMD-defined flags: level 0x80000001 */
++ /*
++ * Check if extended CPUID leaves are implemented: Max extended
++ * CPUID leaf must be in the 0x80000001-0x8000ffff range.
++ */
+ eax = cpuid_eax(0x80000000);
+- c->extended_cpuid_level = eax;
++ c->extended_cpuid_level = ((eax & 0xffff0000) == 0x80000000) ? eax : 0;
+
+- if ((eax & 0xffff0000) == 0x80000000) {
+- if (eax >= 0x80000001) {
+- cpuid(0x80000001, &eax, &ebx, &ecx, &edx);
++ if (c->extended_cpuid_level >= 0x80000001) {
++ cpuid(0x80000001, &eax, &ebx, &ecx, &edx);
+
+- c->x86_capability[CPUID_8000_0001_ECX] = ecx;
+- c->x86_capability[CPUID_8000_0001_EDX] = edx;
+- }
++ c->x86_capability[CPUID_8000_0001_ECX] = ecx;
++ c->x86_capability[CPUID_8000_0001_EDX] = edx;
+ }
+
+ if (c->extended_cpuid_level >= 0x80000007) {
+--
+2.39.5
+
--- /dev/null
+From 6cba417c667f0b2da790307573debbc94e6c6ab8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 May 2025 17:06:33 +0000
+Subject: x86/mtrr: Check if fixed-range MTRRs exist in
+ mtrr_save_fixed_ranges()
+
+From: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
+
+[ Upstream commit 824c6384e8d9275d4ec7204f3f79a4ac6bc10379 ]
+
+When suspending, save_processor_state() calls mtrr_save_fixed_ranges()
+to save fixed-range MTRRs.
+
+On platforms without fixed-range MTRRs like the ACRN hypervisor which
+has removed fixed-range MTRR emulation, accessing these MSRs will
+trigger an unchecked MSR access error. Make sure fixed-range MTRRs are
+supported before access to prevent such error.
+
+Since mtrr_state.have_fixed is only set when MTRRs are present and
+enabled, checking the CPU feature flag in mtrr_save_fixed_ranges() is
+unnecessary.
+
+Fixes: 3ebad5905609 ("[PATCH] x86: Save and restore the fixed-range MTRRs of the BSP when suspending")
+Signed-off-by: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Link: https://lore.kernel.org/20250509170633.3411169-2-jiaqing.zhao@linux.intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/mtrr/generic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/mtrr/generic.c b/arch/x86/kernel/cpu/mtrr/generic.c
+index 558108296f3cf..31549e7f6b7c6 100644
+--- a/arch/x86/kernel/cpu/mtrr/generic.c
++++ b/arch/x86/kernel/cpu/mtrr/generic.c
+@@ -349,7 +349,7 @@ static void get_fixed_ranges(mtrr_type *frs)
+
+ void mtrr_save_fixed_ranges(void *info)
+ {
+- if (boot_cpu_has(X86_FEATURE_MTRR))
++ if (mtrr_state.have_fixed)
+ get_fixed_ranges(mtrr_state.fixed_ranges);
+ }
+
+--
+2.39.5
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
