--- /dev/null
+From 910206a58e90d7eeb781308ba0816e28bea9a159 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 08:39:51 -0700
+Subject: ACPI: APEI: GHES: add TAINT_MACHINE_CHECK on GHES panic path
+
+From: Breno Leitao <leitao@debian.org>
+
+[ Upstream commit 4734c8b46b901cff2feda8b82abc710b65dc31c1 ]
+
+When a GHES (Generic Hardware Error Source) triggers a panic, add the
+TAINT_MACHINE_CHECK taint flag to the kernel. This explicitly marks the
+kernel as tainted due to a machine check event, improving diagnostics
+and post-mortem analysis. The taint is set with LOCKDEP_STILL_OK to
+indicate lockdep remains valid.
+
+At large scale deployment, this helps to quickly determine panics that
+are coming due to hardware failures.
+
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Reviewed-by: Tony Luck <tony.luck@intel.com>
+Link: https://patch.msgid.link/20250702-add_tain-v1-1-9187b10914b9@debian.org
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/apei/ghes.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c
+index 72087e05b5a5..250ea9ec5f0c 100644
+--- a/drivers/acpi/apei/ghes.c
++++ b/drivers/acpi/apei/ghes.c
+@@ -860,6 +860,8 @@ static void __ghes_panic(struct ghes *ghes,
+
+ __ghes_print_estatus(KERN_EMERG, ghes->generic, estatus);
+
++ add_taint(TAINT_MACHINE_CHECK, LOCKDEP_STILL_OK);
++
+ ghes_clear_estatus(ghes, estatus, buf_paddr, fixmap_idx);
+
+ if (!panic_timeout)
+--
+2.39.5
+
--- /dev/null
+From 37297d74b560b53bcfc4e64eabcf56ccb5e0cc7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jul 2025 01:41:04 +0000
+Subject: ACPI: PRM: Reduce unnecessary printing to avoid user confusion
+
+From: Zhu Qiyu <qiyuzhu2@amd.com>
+
+[ Upstream commit 3db5648c4d608b5483470efc1da9780b081242dd ]
+
+Commit 088984c8d54c ("ACPI: PRM: Find EFI_MEMORY_RUNTIME block for PRM
+handler and context") introduced non-essential printing "Failed to find
+VA for GUID: xxxx, PA: 0x0" which may confuse users to think that
+something wrong is going on while it is not the case.
+
+According to the PRM Spec Section 4.1.2 [1], both static data buffer
+address and ACPI parameter buffer address may be NULL if they are not
+needed, so there is no need to print out the "Failed to find VA ... "
+in those cases.
+
+Link: https://uefi.org/sites/default/files/resources/Platform%20Runtime%20Mechanism%20-%20with%20legal%20notice.pdf # [1]
+Signed-off-by: Zhu Qiyu <qiyuzhu2@amd.com>
+Link: https://patch.msgid.link/20250704014104.82524-1-qiyuzhu2@amd.com
+[ rjw: Edits in new comments, subject and changelog ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/prmt.c | 26 ++++++++++++++++++++++++--
+ 1 file changed, 24 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/acpi/prmt.c b/drivers/acpi/prmt.c
+index 890c74c52beb..6290ed84c595 100644
+--- a/drivers/acpi/prmt.c
++++ b/drivers/acpi/prmt.c
+@@ -85,8 +85,6 @@ static u64 efi_pa_va_lookup(efi_guid_t *guid, u64 pa)
+ }
+ }
+
+- pr_warn("Failed to find VA for GUID: %pUL, PA: 0x%llx", guid, pa);
+-
+ return 0;
+ }
+
+@@ -142,13 +140,37 @@ acpi_parse_prmt(union acpi_subtable_headers *header, const unsigned long end)
+ guid_copy(&th->guid, (guid_t *)handler_info->handler_guid);
+ th->handler_addr =
+ (void *)efi_pa_va_lookup(&th->guid, handler_info->handler_address);
++ /*
++ * Print a warning message if handler_addr is zero which is not expected to
++ * ever happen.
++ */
++ if (unlikely(!th->handler_addr))
++ pr_warn("Failed to find VA of handler for GUID: %pUL, PA: 0x%llx",
++ &th->guid, handler_info->handler_address);
+
+ th->static_data_buffer_addr =
+ efi_pa_va_lookup(&th->guid, handler_info->static_data_buffer_address);
++ /*
++ * According to the PRM specification, static_data_buffer_address can be zero,
++ * so avoid printing a warning message in that case. Otherwise, if the
++ * return value of efi_pa_va_lookup() is zero, print the message.
++ */
++ if (unlikely(!th->static_data_buffer_addr && handler_info->static_data_buffer_address))
++ pr_warn("Failed to find VA of static data buffer for GUID: %pUL, PA: 0x%llx",
++ &th->guid, handler_info->static_data_buffer_address);
+
+ th->acpi_param_buffer_addr =
+ efi_pa_va_lookup(&th->guid, handler_info->acpi_param_buffer_address);
+
++ /*
++ * According to the PRM specification, acpi_param_buffer_address can be zero,
++ * so avoid printing a warning message in that case. Otherwise, if the
++ * return value of efi_pa_va_lookup() is zero, print the message.
++ */
++ if (unlikely(!th->acpi_param_buffer_addr && handler_info->acpi_param_buffer_address))
++ pr_warn("Failed to find VA of acpi param buffer for GUID: %pUL, PA: 0x%llx",
++ &th->guid, handler_info->acpi_param_buffer_address);
++
+ } while (++cur_handler < tm->handler_count && (handler_info = get_next_handler(handler_info)));
+
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From 177240c87c5b53743958dc1428e0846349bc5456 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 14:42:15 +0200
+Subject: ACPI: processor: fix acpi_object initialization
+
+From: Sebastian Ott <sebott@redhat.com>
+
+[ Upstream commit 13edf7539211d8f7d0068ce3ed143005f1da3547 ]
+
+Initialization of the local acpi_object in acpi_processor_get_info()
+only sets the first 4 bytes to zero and is thus incomplete. This is
+indicated by messages like:
+ acpi ACPI0007:be: Invalid PBLK length [166288104]
+
+Fix this by initializing all 16 bytes of the processor member of that
+union.
+
+Signed-off-by: Sebastian Ott <sebott@redhat.com>
+Link: https://patch.msgid.link/20250703124215.12522-1-sebott@redhat.com
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpi_processor.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/acpi_processor.c b/drivers/acpi/acpi_processor.c
+index 8bd5c4fa91f2..cfa75b14caa2 100644
+--- a/drivers/acpi/acpi_processor.c
++++ b/drivers/acpi/acpi_processor.c
+@@ -216,7 +216,7 @@ static inline int acpi_processor_hotadd_init(struct acpi_processor *pr)
+
+ static int acpi_processor_get_info(struct acpi_device *device)
+ {
+- union acpi_object object = { 0 };
++ union acpi_object object = { .processor = { 0 } };
+ struct acpi_buffer buffer = { sizeof(union acpi_object), &object };
+ struct acpi_processor *pr = acpi_driver_data(device);
+ int device_declaration = 0;
+--
+2.39.5
+
--- /dev/null
+From 89e418365274a083ef588686e17b5c42f628a1fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 19:50:12 +0200
+Subject: ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control
+
+From: Lucy Thrun <lucy.thrun@digital-rabbithole.de>
+
+[ Upstream commit a409c60111e6bb98fcabab2aeaa069daa9434ca0 ]
+
+The 'sprintf' call in 'add_tuning_control' may exceed the 44-byte
+buffer if either string argument is too long. This triggers a compiler
+warning.
+Replaced 'sprintf' with 'snprintf' to limit string lengths to prevent
+overflow.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202506100642.95jpuMY1-lkp@intel.com/
+Signed-off-by: Lucy Thrun <lucy.thrun@digital-rabbithole.de>
+Link: https://patch.msgid.link/20250610175012.918-3-lucy.thrun@digital-rabbithole.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_ca0132.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c
+index a922c5079880..57c51dc985d9 100644
+--- a/sound/pci/hda/patch_ca0132.c
++++ b/sound/pci/hda/patch_ca0132.c
+@@ -4402,7 +4402,7 @@ static int add_tuning_control(struct hda_codec *codec,
+ }
+ knew.private_value =
+ HDA_COMPOSE_AMP_VAL(nid, 1, 0, type);
+- sprintf(namestr, "%s %s Volume", name, dirstr[dir]);
++ snprintf(namestr, sizeof(namestr), "%s %s Volume", name, dirstr[dir]);
+ return snd_hda_ctl_add(codec, nid, snd_ctl_new1(&knew, codec));
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 53f2f425b5af0c070be66bcec031d78bb8aa89d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 21 Jun 2025 11:52:24 -0700
+Subject: ALSA: intel8x0: Fix incorrect codec index usage in mixer for ICH4
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit 87aafc8580acf87fcaf1a7e30ed858d8c8d37d81 ]
+
+code mistakenly used a hardcoded index (codec[1]) instead of
+iterating, over the codec array using the loop variable i.
+Use codec[i] instead of codec[1] to match the loop iteration.
+
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Link: https://patch.msgid.link/20250621185233.4081094-1-alok.a.tiwari@oracle.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/intel8x0.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/pci/intel8x0.c b/sound/pci/intel8x0.c
+index ae285c0a629c..f3df6fe2b7f1 100644
+--- a/sound/pci/intel8x0.c
++++ b/sound/pci/intel8x0.c
+@@ -2252,7 +2252,7 @@ static int snd_intel8x0_mixer(struct intel8x0 *chip, int ac97_clock,
+ tmp |= chip->ac97_sdin[0] << ICH_DI1L_SHIFT;
+ for (i = 1; i < 4; i++) {
+ if (pcm->r[0].codec[i]) {
+- tmp |= chip->ac97_sdin[pcm->r[0].codec[1]->num] << ICH_DI2L_SHIFT;
++ tmp |= chip->ac97_sdin[pcm->r[0].codec[i]->num] << ICH_DI2L_SHIFT;
+ break;
+ }
+ }
+--
+2.39.5
+
--- /dev/null
+From cabf46cdf2c387131e7c9fb1c5c0c9e57b7b66d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Jun 2025 11:44:02 +0200
+Subject: ALSA: pcm: Rewrite recalculate_boundary() to avoid costly loop
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit 92f59aeb13252265c20e7aef1379a8080c57e0a2 ]
+
+At the time being recalculate_boundary() is implemented with a
+loop which shows up as costly in a perf profile, as depicted by
+the annotate below:
+
+ 0.00 : c057e934: 3d 40 7f ff lis r10,32767
+ 0.03 : c057e938: 61 4a ff ff ori r10,r10,65535
+ 0.21 : c057e93c: 7d 49 50 50 subf r10,r9,r10
+ 5.39 : c057e940: 7d 3c 4b 78 mr r28,r9
+ 2.11 : c057e944: 55 29 08 3c slwi r9,r9,1
+ 3.04 : c057e948: 7c 09 50 40 cmplw r9,r10
+ 2.47 : c057e94c: 40 81 ff f4 ble c057e940 <snd_pcm_ioctl+0xee0>
+
+Total: 13.2% on that simple loop.
+
+But what the loop does is to multiply the boundary by 2 until it is
+over the wanted border. This can be avoided by using fls() to get the
+boundary value order and shift it by the appropriate number of bits at
+once.
+
+This change provides the following profile:
+
+ 0.04 : c057f6e8: 3d 20 7f ff lis r9,32767
+ 0.02 : c057f6ec: 61 29 ff ff ori r9,r9,65535
+ 0.34 : c057f6f0: 7d 5a 48 50 subf r10,r26,r9
+ 0.23 : c057f6f4: 7c 1a 50 40 cmplw r26,r10
+ 0.02 : c057f6f8: 41 81 00 20 bgt c057f718 <snd_pcm_ioctl+0xf08>
+ 0.26 : c057f6fc: 7f 47 00 34 cntlzw r7,r26
+ 0.09 : c057f700: 7d 48 00 34 cntlzw r8,r10
+ 0.22 : c057f704: 7d 08 38 50 subf r8,r8,r7
+ 0.04 : c057f708: 7f 5a 40 30 slw r26,r26,r8
+ 0.35 : c057f70c: 7c 0a d0 40 cmplw r10,r26
+ 0.13 : c057f710: 40 80 05 f8 bge c057fd08 <snd_pcm_ioctl+0x14f8>
+ 0.00 : c057f714: 57 5a f8 7e srwi r26,r26,1
+
+Total: 1.7% with that loopless alternative.
+
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Link: https://patch.msgid.link/4836e2cde653eebaf2709ebe30eec736bb8c67fd.1749202237.git.christophe.leroy@csgroup.eu
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/pcm_native.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
+index d6169fee5ea0..fdd3f293c439 100644
+--- a/sound/core/pcm_native.c
++++ b/sound/core/pcm_native.c
+@@ -24,6 +24,7 @@
+ #include <sound/minors.h>
+ #include <linux/uio.h>
+ #include <linux/delay.h>
++#include <linux/bitops.h>
+
+ #include "pcm_local.h"
+
+@@ -3114,13 +3115,23 @@ struct snd_pcm_sync_ptr32 {
+ static snd_pcm_uframes_t recalculate_boundary(struct snd_pcm_runtime *runtime)
+ {
+ snd_pcm_uframes_t boundary;
++ snd_pcm_uframes_t border;
++ int order;
+
+ if (! runtime->buffer_size)
+ return 0;
+- boundary = runtime->buffer_size;
+- while (boundary * 2 <= 0x7fffffffUL - runtime->buffer_size)
+- boundary *= 2;
+- return boundary;
++
++ border = 0x7fffffffUL - runtime->buffer_size;
++ if (runtime->buffer_size > border)
++ return runtime->buffer_size;
++
++ order = __fls(border) - __fls(runtime->buffer_size);
++ boundary = runtime->buffer_size << order;
++
++ if (boundary <= border)
++ return boundary;
++ else
++ return boundary / 2;
+ }
+
+ static int snd_pcm_ioctl_sync_ptr_compat(struct snd_pcm_substream *substream,
+--
+2.39.5
+
--- /dev/null
+From 2688ac53662c02e09dcf42698e32b9893ceebe06 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 May 2025 17:07:42 +0300
+Subject: ALSA: usb-audio: Avoid precedence issues in mixer_quirks macros
+
+From: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
+
+[ Upstream commit fd3ab72e42e9871a9902b945a2bf8bb87b49c718 ]
+
+Fix all macro related issues identified by checkpatch.pl:
+
+ CHECK: Macro argument 'x' may be better as '(x)' to avoid precedence issues
+
+Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: https://patch.msgid.link/20250526-dualsense-alsa-jack-v1-3-1a821463b632@collabora.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/mixer_quirks.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c
+index 5eccc8af839f..03cba220fff1 100644
+--- a/sound/usb/mixer_quirks.c
++++ b/sound/usb/mixer_quirks.c
+@@ -2132,15 +2132,15 @@ static int dell_dock_mixer_init(struct usb_mixer_interface *mixer)
+ #define SND_RME_CLK_FREQMUL_SHIFT 18
+ #define SND_RME_CLK_FREQMUL_MASK 0x7
+ #define SND_RME_CLK_SYSTEM(x) \
+- ((x >> SND_RME_CLK_SYSTEM_SHIFT) & SND_RME_CLK_SYSTEM_MASK)
++ (((x) >> SND_RME_CLK_SYSTEM_SHIFT) & SND_RME_CLK_SYSTEM_MASK)
+ #define SND_RME_CLK_AES(x) \
+- ((x >> SND_RME_CLK_AES_SHIFT) & SND_RME_CLK_AES_SPDIF_MASK)
++ (((x) >> SND_RME_CLK_AES_SHIFT) & SND_RME_CLK_AES_SPDIF_MASK)
+ #define SND_RME_CLK_SPDIF(x) \
+- ((x >> SND_RME_CLK_SPDIF_SHIFT) & SND_RME_CLK_AES_SPDIF_MASK)
++ (((x) >> SND_RME_CLK_SPDIF_SHIFT) & SND_RME_CLK_AES_SPDIF_MASK)
+ #define SND_RME_CLK_SYNC(x) \
+- ((x >> SND_RME_CLK_SYNC_SHIFT) & SND_RME_CLK_SYNC_MASK)
++ (((x) >> SND_RME_CLK_SYNC_SHIFT) & SND_RME_CLK_SYNC_MASK)
+ #define SND_RME_CLK_FREQMUL(x) \
+- ((x >> SND_RME_CLK_FREQMUL_SHIFT) & SND_RME_CLK_FREQMUL_MASK)
++ (((x) >> SND_RME_CLK_FREQMUL_SHIFT) & SND_RME_CLK_FREQMUL_MASK)
+ #define SND_RME_CLK_AES_LOCK 0x1
+ #define SND_RME_CLK_AES_SYNC 0x4
+ #define SND_RME_CLK_SPDIF_LOCK 0x2
+@@ -2149,9 +2149,9 @@ static int dell_dock_mixer_init(struct usb_mixer_interface *mixer)
+ #define SND_RME_SPDIF_FORMAT_SHIFT 5
+ #define SND_RME_BINARY_MASK 0x1
+ #define SND_RME_SPDIF_IF(x) \
+- ((x >> SND_RME_SPDIF_IF_SHIFT) & SND_RME_BINARY_MASK)
++ (((x) >> SND_RME_SPDIF_IF_SHIFT) & SND_RME_BINARY_MASK)
+ #define SND_RME_SPDIF_FORMAT(x) \
+- ((x >> SND_RME_SPDIF_FORMAT_SHIFT) & SND_RME_BINARY_MASK)
++ (((x) >> SND_RME_SPDIF_FORMAT_SHIFT) & SND_RME_BINARY_MASK)
+
+ static const u32 snd_rme_rate_table[] = {
+ 32000, 44100, 48000, 50000,
+--
+2.39.5
+
--- /dev/null
+From 85eb841905ae48521156a8c4597941c3c7d71fa0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 17:04:53 +0300
+Subject: ARM: rockchip: fix kernel hang during smp initialization
+
+From: Alexander Kochetkov <al.kochet@gmail.com>
+
+[ Upstream commit 7cdb433bb44cdc87dc5260cdf15bf03cc1cd1814 ]
+
+In order to bring up secondary CPUs main CPU write trampoline
+code to SRAM. The trampoline code is written while secondary
+CPUs are powered on (at least that true for RK3188 CPU).
+Sometimes that leads to kernel hang. Probably because secondary
+CPU execute trampoline code while kernel doesn't expect.
+
+The patch moves SRAM initialization step to the point where all
+secondary CPUs are powered down.
+
+That fixes rarely hangs on RK3188:
+[ 0.091568] CPU0: thread -1, cpu 0, socket 0, mpidr 80000000
+[ 0.091996] rockchip_smp_prepare_cpus: ncores 4
+
+Signed-off-by: Alexander Kochetkov <al.kochet@gmail.com>
+Link: https://lore.kernel.org/r/20250703140453.1273027-1-al.kochet@gmail.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-rockchip/platsmp.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/arch/arm/mach-rockchip/platsmp.c b/arch/arm/mach-rockchip/platsmp.c
+index d60856898d97..17aee4701e81 100644
+--- a/arch/arm/mach-rockchip/platsmp.c
++++ b/arch/arm/mach-rockchip/platsmp.c
+@@ -279,11 +279,6 @@ static void __init rockchip_smp_prepare_cpus(unsigned int max_cpus)
+ }
+
+ if (read_cpuid_part() == ARM_CPU_PART_CORTEX_A9) {
+- if (rockchip_smp_prepare_sram(node)) {
+- of_node_put(node);
+- return;
+- }
+-
+ /* enable the SCU power domain */
+ pmu_set_power_domain(PMU_PWRDN_SCU, true);
+
+@@ -316,11 +311,19 @@ static void __init rockchip_smp_prepare_cpus(unsigned int max_cpus)
+ asm ("mrc p15, 1, %0, c9, c0, 2\n" : "=r" (l2ctlr));
+ ncores = ((l2ctlr >> 24) & 0x3) + 1;
+ }
+- of_node_put(node);
+
+ /* Make sure that all cores except the first are really off */
+ for (i = 1; i < ncores; i++)
+ pmu_set_power_domain(0 + i, false);
++
++ if (read_cpuid_part() == ARM_CPU_PART_CORTEX_A9) {
++ if (rockchip_smp_prepare_sram(node)) {
++ of_node_put(node);
++ return;
++ }
++ }
++
++ of_node_put(node);
+ }
+
+ static void __init rk3036_smp_prepare_cpus(unsigned int max_cpus)
+--
+2.39.5
+
--- /dev/null
+From b6659af51dc8ba8fcb2bf4ef51799d873fd55d72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 May 2025 11:11:24 -0500
+Subject: ARM: tegra: Use I/O memcpy to write to IRAM
+
+From: Aaron Kling <webgeek1234@gmail.com>
+
+[ Upstream commit 398e67e0f5ae04b29bcc9cbf342e339fe9d3f6f1 ]
+
+Kasan crashes the kernel trying to check boundaries when using the
+normal memcpy.
+
+Signed-off-by: Aaron Kling <webgeek1234@gmail.com>
+Link: https://lore.kernel.org/r/20250522-mach-tegra-kasan-v1-1-419041b8addb@gmail.com
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-tegra/reset.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-tegra/reset.c b/arch/arm/mach-tegra/reset.c
+index d5c805adf7a8..ea706fac6358 100644
+--- a/arch/arm/mach-tegra/reset.c
++++ b/arch/arm/mach-tegra/reset.c
+@@ -63,7 +63,7 @@ static void __init tegra_cpu_reset_handler_enable(void)
+ BUG_ON(is_enabled);
+ BUG_ON(tegra_cpu_reset_handler_size > TEGRA_IRAM_RESET_HANDLER_SIZE);
+
+- memcpy(iram_base, (void *)__tegra_cpu_reset_handler_start,
++ memcpy_toio(iram_base, (void *)__tegra_cpu_reset_handler_start,
+ tegra_cpu_reset_handler_size);
+
+ err = call_firmware_op(set_cpu_boot_addr, 0, reset_address);
+--
+2.39.5
+
--- /dev/null
+From 1204ee6c8b6148339d438090593c1b4252f5a48b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jul 2025 22:50:25 -0700
+Subject: arm64: Handle KCOV __init vs inline mismatches
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit 65c430906efffee9bd7551d474f01a6b1197df90 ]
+
+GCC appears to have kind of fragile inlining heuristics, in the
+sense that it can change whether or not it inlines something based on
+optimizations. It looks like the kcov instrumentation being added (or in
+this case, removed) from a function changes the optimization results,
+and some functions marked "inline" are _not_ inlined. In that case,
+we end up with __init code calling a function not marked __init, and we
+get the build warnings I'm trying to eliminate in the coming patch that
+adds __no_sanitize_coverage to __init functions:
+
+WARNING: modpost: vmlinux: section mismatch in reference: acpi_get_enable_method+0x1c (section: .text.unlikely) -> acpi_psci_present (section: .init.text)
+
+This problem is somewhat fragile (though using either __always_inline
+or __init will deterministically solve it), but we've tripped over
+this before with GCC and the solution has usually been to just use
+__always_inline and move on.
+
+For arm64 this requires forcing one ACPI function to be inlined with
+__always_inline.
+
+Link: https://lore.kernel.org/r/20250724055029.3623499-1-kees@kernel.org
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/acpi.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/include/asm/acpi.h b/arch/arm64/include/asm/acpi.h
+index 702587fda70c..8cbbd08cc8c5 100644
+--- a/arch/arm64/include/asm/acpi.h
++++ b/arch/arm64/include/asm/acpi.h
+@@ -128,7 +128,7 @@ acpi_set_mailbox_entry(int cpu, struct acpi_madt_generic_interrupt *processor)
+ {}
+ #endif
+
+-static inline const char *acpi_get_enable_method(int cpu)
++static __always_inline const char *acpi_get_enable_method(int cpu)
+ {
+ if (acpi_psci_present())
+ return "psci";
+--
+2.39.5
+
--- /dev/null
+From 12409a95180ab835e434e395bae7e59c3fd37483 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jul 2025 02:42:01 -0700
+Subject: arm64: Mark kernel as tainted on SAE and SError panic
+
+From: Breno Leitao <leitao@debian.org>
+
+[ Upstream commit d7ce7e3a84642aadf7c4787f7ec4f58eb163d129 ]
+
+Set TAINT_MACHINE_CHECK when SError or Synchronous External Abort (SEA)
+interrupts trigger a panic to flag potential hardware faults. This
+tainting mechanism aids in debugging and enables correlation of
+hardware-related crashes in large-scale deployments.
+
+This change aligns with similar patches[1] that mark machine check
+events when the system crashes due to hardware errors.
+
+Link: https://lore.kernel.org/all/20250702-add_tain-v1-1-9187b10914b9@debian.org/ [1]
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Link: https://lore.kernel.org/r/20250716-vmcore_hw_error-v2-1-f187f7d62aba@debian.org
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/traps.c | 1 +
+ arch/arm64/mm/fault.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/arch/arm64/kernel/traps.c b/arch/arm64/kernel/traps.c
+index c71074cb2bef..6debe95f8a62 100644
+--- a/arch/arm64/kernel/traps.c
++++ b/arch/arm64/kernel/traps.c
+@@ -883,6 +883,7 @@ void panic_bad_stack(struct pt_regs *regs, unsigned long esr, unsigned long far)
+
+ void __noreturn arm64_serror_panic(struct pt_regs *regs, unsigned long esr)
+ {
++ add_taint(TAINT_MACHINE_CHECK, LOCKDEP_STILL_OK);
+ console_verbose();
+
+ pr_crit("SError Interrupt on CPU%d, code 0x%016lx -- %s\n",
+diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
+index 632762039714..d293aac8c554 100644
+--- a/arch/arm64/mm/fault.c
++++ b/arch/arm64/mm/fault.c
+@@ -726,6 +726,7 @@ static int do_sea(unsigned long far, unsigned long esr, struct pt_regs *regs)
+ */
+ siaddr = untagged_addr(far);
+ }
++ add_taint(TAINT_MACHINE_CHECK, LOCKDEP_STILL_OK);
+ arm64_notify_die(inf->name, regs, inf->sig, inf->code, siaddr, esr);
+
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From 26746030ab4df8d4c4c673ac2d78e303534ce727 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 May 2025 16:21:19 +0200
+Subject: ASoC: codecs: rt5640: Retry DEVICE_ID verification
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Xinxin Wan <xinxin.wan@intel.com>
+
+[ Upstream commit 19f971057b2d7b99c80530ec1052b45de236a8da ]
+
+To be more resilient to codec-detection failures when the hardware
+powers on slowly, add retry mechanism to the device verification check.
+Similar pattern is found throughout a number of Realtek codecs. Our
+tests show that 60ms delay is sufficient to address readiness issues on
+rt5640 chip.
+
+Reviewed-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
+Reviewed-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Signed-off-by: Xinxin Wan <xinxin.wan@intel.com>
+Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Link: https://patch.msgid.link/20250530142120.2944095-3-cezary.rojewski@intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/rt5640.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/sound/soc/codecs/rt5640.c b/sound/soc/codecs/rt5640.c
+index cd1db5caabad..9998bdb954ba 100644
+--- a/sound/soc/codecs/rt5640.c
++++ b/sound/soc/codecs/rt5640.c
+@@ -2837,6 +2837,11 @@ static int rt5640_i2c_probe(struct i2c_client *i2c,
+ }
+
+ regmap_read(rt5640->regmap, RT5640_VENDOR_ID2, &val);
++ if (val != RT5640_DEVICE_ID) {
++ usleep_range(60000, 100000);
++ regmap_read(rt5640->regmap, RT5640_VENDOR_ID2, &val);
++ }
++
+ if (val != RT5640_DEVICE_ID) {
+ dev_err(&i2c->dev,
+ "Device with ID register %#x is not rt5640/39\n", val);
+--
+2.39.5
+
--- /dev/null
+From b181d6ac5867e87e63c61b30b3475eee7f400e6e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Jun 2025 11:42:20 +0300
+Subject: ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime()
+
+From: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+
+[ Upstream commit 2d91cb261cac6d885954b8f5da28b5c176c18131 ]
+
+snd_soc_remove_pcm_runtime() might be called with rtd == NULL which will
+leads to null pointer dereference.
+This was reproduced with topology loading and marking a link as ignore
+due to missing hardware component on the system.
+On module removal the soc_tplg_remove_link() would call
+snd_soc_remove_pcm_runtime() with rtd == NULL since the link was ignored,
+no runtime was created.
+
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
+Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Reviewed-by: Liam Girdwood <liam.r.girdwood@intel.com>
+Reviewed-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+Link: https://patch.msgid.link/20250619084222.559-3-peter.ujfalusi@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
+index 1c4d8b96f77b..d28261ef1d4c 100644
+--- a/sound/soc/soc-core.c
++++ b/sound/soc/soc-core.c
+@@ -959,6 +959,9 @@ static int soc_dai_link_sanity_check(struct snd_soc_card *card,
+ void snd_soc_remove_pcm_runtime(struct snd_soc_card *card,
+ struct snd_soc_pcm_runtime *rtd)
+ {
++ if (!rtd)
++ return;
++
+ lockdep_assert_held(&client_mutex);
+
+ /* release machine specific resources */
+--
+2.39.5
+
--- /dev/null
+From 43d7e15513818a34e361d20b8a956e3f5801b1fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Jun 2025 17:41:04 +0100
+Subject: ASoC: hdac_hdmi: Rate limit logging on connection and disconnection
+
+From: Mark Brown <broonie@kernel.org>
+
+[ Upstream commit c4ca928a6db1593802cd945f075a7e21dd0430c1 ]
+
+We currently log parse failures for ELD data and some disconnection events
+as errors without rate limiting. These log messages can be triggered very
+frequently in some situations, especially ELD parsing when there is nothing
+connected to a HDMI port which will generate:
+
+hdmi-audio-codec hdmi-audio-codec.1.auto: HDMI: Unknown ELD version 0
+
+While there's doubtless work that could be done on reducing the number of
+connection notification callbacks it's possible these may be legitimately
+generated by poor quality physical connections so let's use rate limiting
+to mitigate the log spam for the parse errors and lower the severity for
+disconnect logging to debug level.
+
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Link: https://patch.msgid.link/20250613-asoc-hdmi-eld-logging-v1-1-76d64154d969@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/hdac_hdmi.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/sound/soc/codecs/hdac_hdmi.c b/sound/soc/codecs/hdac_hdmi.c
+index 1acd82f81ba0..bafdaedbee86 100644
+--- a/sound/soc/codecs/hdac_hdmi.c
++++ b/sound/soc/codecs/hdac_hdmi.c
+@@ -1230,7 +1230,8 @@ static int hdac_hdmi_parse_eld(struct hdac_device *hdev,
+ >> DRM_ELD_VER_SHIFT;
+
+ if (ver != ELD_VER_CEA_861D && ver != ELD_VER_PARTIAL) {
+- dev_err(&hdev->dev, "HDMI: Unknown ELD version %d\n", ver);
++ dev_err_ratelimited(&hdev->dev,
++ "HDMI: Unknown ELD version %d\n", ver);
+ return -EINVAL;
+ }
+
+@@ -1238,7 +1239,8 @@ static int hdac_hdmi_parse_eld(struct hdac_device *hdev,
+ DRM_ELD_MNL_MASK) >> DRM_ELD_MNL_SHIFT;
+
+ if (mnl > ELD_MAX_MNL) {
+- dev_err(&hdev->dev, "HDMI: MNL Invalid %d\n", mnl);
++ dev_err_ratelimited(&hdev->dev,
++ "HDMI: MNL Invalid %d\n", mnl);
+ return -EINVAL;
+ }
+
+@@ -1297,8 +1299,8 @@ static void hdac_hdmi_present_sense(struct hdac_hdmi_pin *pin,
+
+ if (!port->eld.monitor_present || !port->eld.eld_valid) {
+
+- dev_err(&hdev->dev, "%s: disconnect for pin:port %d:%d\n",
+- __func__, pin->nid, port->id);
++ dev_dbg(&hdev->dev, "%s: disconnect for pin:port %d:%d\n",
++ __func__, pin->nid, port->id);
+
+ /*
+ * PCMs are not registered during device probe, so don't
+--
+2.39.5
+
--- /dev/null
+From dee27e3d11bffe26880fe6e1f84d2887ba077107 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jul 2025 02:26:39 +0000
+Subject: ASoC: soc-dapm: set bias_level if snd_soc_dapm_set_bias_level() was
+ successed
+
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+
+[ Upstream commit f40ecc2743652c0b0f19935f81baf57c601eb7f0 ]
+
+ASoC has 2 functions to set bias level.
+ (A) snd_soc_dapm_force_bias_level()
+ (B) snd_soc_dapm_set_bias_level()
+
+snd_soc_dapm_force_bias_level() (A) will set dapm->bias_level (a) if
+successed.
+
+(A) int snd_soc_dapm_force_bias_level(...)
+ {
+ ...
+ if (ret == 0)
+(a) dapm->bias_level = level;
+ ...
+ }
+
+snd_soc_dapm_set_bias_level() (B) is also a function that sets bias_level.
+It will call snd_soc_dapm_force_bias_level() (A) inside, but doesn't
+set dapm->bias_level by itself. One note is that (A) might not be called.
+
+(B) static int snd_soc_dapm_set_bias_level(...)
+ {
+ ...
+ ret = snd_soc_card_set_bias_level(...);
+ ...
+ if (dapm != &card->dapm)
+(A) ret = snd_soc_dapm_force_bias_level(...);
+ ...
+ ret = snd_soc_card_set_bias_level_post(...);
+ ...
+ }
+
+dapm->bias_level will be set if (A) was called, but might not be set
+if (B) was called, even though it calles set_bias_level() function.
+
+We should set dapm->bias_level if we calls
+snd_soc_dapm_set_bias_level() (B), too.
+
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Link: https://patch.msgid.link/87qzyn4g4h.wl-kuninori.morimoto.gx@renesas.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-dapm.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c
+index 538d84f1c29f..469ffc31068e 100644
+--- a/sound/soc/soc-dapm.c
++++ b/sound/soc/soc-dapm.c
+@@ -742,6 +742,10 @@ static int snd_soc_dapm_set_bias_level(struct snd_soc_dapm_context *dapm,
+ out:
+ trace_snd_soc_bias_level_done(card, level);
+
++ /* success */
++ if (ret == 0)
++ snd_soc_dapm_init_bias_level(dapm, level);
++
+ return ret;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 07185dc045e471f700d45f0428612c262065bac4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 21:53:16 +0900
+Subject: ata: libata-sata: Disallow changing LPM state if not supported
+
+From: Damien Le Moal <dlemoal@kernel.org>
+
+[ Upstream commit 413e800cadbf67550d76c77c230b2ecd96bce83a ]
+
+Modify ata_scsi_lpm_store() to return an error if a user attempts to set
+a link power management policy for a port that does not support LPM,
+that is, ports flagged with ATA_FLAG_NO_LPM.
+
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Niklas Cassel <cassel@kernel.org>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Link: https://lore.kernel.org/r/20250701125321.69496-6-dlemoal@kernel.org
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-sata.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/ata/libata-sata.c b/drivers/ata/libata-sata.c
+index 04bdd53abf20..7cacb2bfc360 100644
+--- a/drivers/ata/libata-sata.c
++++ b/drivers/ata/libata-sata.c
+@@ -815,6 +815,11 @@ static ssize_t ata_scsi_lpm_store(struct device *device,
+
+ spin_lock_irqsave(ap->lock, flags);
+
++ if (ap->flags & ATA_FLAG_NO_LPM) {
++ count = -EOPNOTSUPP;
++ goto out_unlock;
++ }
++
+ ata_for_each_link(link, ap, EDGE) {
+ ata_for_each_dev(dev, &ap->link, ENABLED) {
+ if (dev->horkage & ATA_HORKAGE_NOLPM) {
+--
+2.39.5
+
--- /dev/null
+From db01ac024c0c2bebce8b23548a46d4bdc78829ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 12:35:47 -0700
+Subject: be2net: Use correct byte order and format string for TCP seq and
+ ack_seq
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit 4701ee5044fb3992f1c910630a9673c2dc600ce5 ]
+
+The TCP header fields seq and ack_seq are 32-bit values in network
+byte order as (__be32). these fields were earlier printed using
+ntohs(), which converts only 16-bit values and produces incorrect
+results for 32-bit fields. This patch is changeing the conversion
+to ntohl(), ensuring correct interpretation of these sequence numbers.
+
+Notably, the format specifier is updated from %d to %u to reflect the
+unsigned nature of these fields.
+
+improves the accuracy of debug log messages for TCP sequence and
+acknowledgment numbers during TX timeouts.
+
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250717193552.3648791-1-alok.a.tiwari@oracle.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/emulex/benet/be_main.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c
+index c61dc7d05bcb..69284efbd517 100644
+--- a/drivers/net/ethernet/emulex/benet/be_main.c
++++ b/drivers/net/ethernet/emulex/benet/be_main.c
+@@ -1466,10 +1466,10 @@ static void be_tx_timeout(struct net_device *netdev, unsigned int txqueue)
+ ntohs(tcphdr->source));
+ dev_info(dev, "TCP dest port %d\n",
+ ntohs(tcphdr->dest));
+- dev_info(dev, "TCP sequence num %d\n",
+- ntohs(tcphdr->seq));
+- dev_info(dev, "TCP ack_seq %d\n",
+- ntohs(tcphdr->ack_seq));
++ dev_info(dev, "TCP sequence num %u\n",
++ ntohl(tcphdr->seq));
++ dev_info(dev, "TCP ack_seq %u\n",
++ ntohl(tcphdr->ack_seq));
+ } else if (ip_hdr(skb)->protocol ==
+ IPPROTO_UDP) {
+ udphdr = udp_hdr(skb);
+--
+2.39.5
+
--- /dev/null
+From bd5d5550c243d5d1cfec2682c92127c525729740 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 22:30:32 -0400
+Subject: better lockdep annotations for simple_recursive_removal()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit 2a8061ee5e41034eb14170ec4517b5583dbeff9f ]
+
+We want a class that nests outside of I_MUTEX_NORMAL (for the sake of
+callbacks that might want to lock the victim) and inside I_MUTEX_PARENT
+(so that a variant of that could be used with parent of the victim
+held locked by the caller).
+
+In reality, simple_recursive_removal()
+ * never holds two locks at once
+ * holds the lock on parent of dentry passed to callback
+ * is used only on the trees with fixed topology, so the depths
+are not changing.
+
+So the locking order is actually fine.
+
+AFAICS, the best solution is to assign I_MUTEX_CHILD to the locks
+grabbed by that thing.
+
+Reported-by: syzbot+169de184e9defe7fe709@syzkaller.appspotmail.com
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/libfs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/libfs.c b/fs/libfs.c
+index 7bb5d90319cc..eaf96297449e 100644
+--- a/fs/libfs.c
++++ b/fs/libfs.c
+@@ -273,7 +273,7 @@ void simple_recursive_removal(struct dentry *dentry,
+ struct dentry *victim = NULL, *child;
+ struct inode *inode = this->d_inode;
+
+- inode_lock(inode);
++ inode_lock_nested(inode, I_MUTEX_CHILD);
+ if (d_is_dir(this))
+ inode->i_flags |= S_DEAD;
+ while ((child = find_next_child(this, victim)) == NULL) {
+@@ -285,7 +285,7 @@ void simple_recursive_removal(struct dentry *dentry,
+ victim = this;
+ this = this->d_parent;
+ inode = this->d_inode;
+- inode_lock(inode);
++ inode_lock_nested(inode, I_MUTEX_CHILD);
+ if (simple_positive(victim)) {
+ d_invalidate(victim); // avoid lost mounts
+ if (d_is_dir(victim))
+--
+2.39.5
+
--- /dev/null
+From bb9422862bca1c7f245431c78a4f68953bbb588f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Jul 2025 09:14:47 +0000
+Subject: block: avoid possible overflow for chunk_sectors check in
+ blk_stack_limits()
+
+From: John Garry <john.g.garry@oracle.com>
+
+[ Upstream commit 448dfecc7ff807822ecd47a5c052acedca7d09e8 ]
+
+In blk_stack_limits(), we check that the t->chunk_sectors value is a
+multiple of the t->physical_block_size value.
+
+However, by finding the chunk_sectors value in bytes, we may overflow
+the unsigned int which holds chunk_sectors, so change the check to be
+based on sectors.
+
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: John Garry <john.g.garry@oracle.com>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Link: https://lore.kernel.org/r/20250729091448.1691334-2-john.g.garry@oracle.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-settings.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/blk-settings.c b/block/blk-settings.c
+index 1b92e6624951..d501084bab4a 100644
+--- a/block/blk-settings.c
++++ b/block/blk-settings.c
+@@ -596,7 +596,7 @@ int blk_stack_limits(struct queue_limits *t, struct queue_limits *b,
+ }
+
+ /* chunk_sectors a multiple of the physical block size? */
+- if ((t->chunk_sectors << 9) & (t->physical_block_size - 1)) {
++ if (t->chunk_sectors % (t->physical_block_size >> SECTOR_SHIFT)) {
+ t->chunk_sectors = 0;
+ t->misaligned = 1;
+ ret = -1;
+--
+2.39.5
+
--- /dev/null
+From 08824275fc5d0f95fad8b2a731390263ef8b77b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jul 2025 20:28:11 +0900
+Subject: can: ti_hecc: fix -Woverflow compiler warning
+
+From: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+
+[ Upstream commit 7cae4d04717b002cffe41169da3f239c845a0723 ]
+
+Fix below default (W=0) warning:
+
+ drivers/net/can/ti_hecc.c: In function 'ti_hecc_start':
+ drivers/net/can/ti_hecc.c:386:20: warning: conversion from 'long unsigned int' to 'u32' {aka 'unsigned int'} changes value from '18446744073709551599' to '4294967279' [-Woverflow]
+ 386 | mbx_mask = ~BIT(HECC_RX_LAST_MBOX);
+ | ^
+
+Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+Link: https://patch.msgid.link/20250715-can-compile-test-v2-1-f7fd566db86f@wanadoo.fr
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/ti_hecc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/ti_hecc.c b/drivers/net/can/ti_hecc.c
+index 353062ead98f..a589b659f892 100644
+--- a/drivers/net/can/ti_hecc.c
++++ b/drivers/net/can/ti_hecc.c
+@@ -393,7 +393,7 @@ static void ti_hecc_start(struct net_device *ndev)
+ * overflows instead of the hardware silently dropping the
+ * messages.
+ */
+- mbx_mask = ~BIT(HECC_RX_LAST_MBOX);
++ mbx_mask = ~BIT_U32(HECC_RX_LAST_MBOX);
+ hecc_write(priv, HECC_CANOPC, mbx_mask);
+
+ /* Enable interrupts */
+--
+2.39.5
+
--- /dev/null
+From 9fd8695a7dac8cbc5328d714b93085e6a3039112 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Dec 2024 20:54:11 +0100
+Subject: cifs: Fix calling CIFSFindFirst() for root path without msearch
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit b460249b9a1dab7a9f58483e5349d045ad6d585c ]
+
+To query root path (without msearch wildcard) it is needed to
+send pattern '\' instead of '' (empty string).
+
+This allows to use CIFSFindFirst() to query information about root path
+which is being used in followup changes.
+
+This change fixes the stat() syscall called on the root path on the mount.
+It is because stat() syscall uses the cifs_query_path_info() function and
+it can fallback to the CIFSFindFirst() usage with msearch=false.
+
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/cifssmb.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
+index 6ca08e473a7e..e6541bd5c63d 100644
+--- a/fs/cifs/cifssmb.c
++++ b/fs/cifs/cifssmb.c
+@@ -4362,6 +4362,12 @@ CIFSFindFirst(const unsigned int xid, struct cifs_tcon *tcon,
+ pSMB->FileName[name_len] = 0;
+ pSMB->FileName[name_len+1] = 0;
+ name_len += 2;
++ } else if (!searchName[0]) {
++ pSMB->FileName[0] = CIFS_DIR_SEP(cifs_sb);
++ pSMB->FileName[1] = 0;
++ pSMB->FileName[2] = 0;
++ pSMB->FileName[3] = 0;
++ name_len = 4;
+ }
+ } else {
+ name_len = copy_path_name(pSMB->FileName, searchName);
+@@ -4373,6 +4379,10 @@ CIFSFindFirst(const unsigned int xid, struct cifs_tcon *tcon,
+ pSMB->FileName[name_len] = '*';
+ pSMB->FileName[name_len+1] = 0;
+ name_len += 2;
++ } else if (!searchName[0]) {
++ pSMB->FileName[0] = CIFS_DIR_SEP(cifs_sb);
++ pSMB->FileName[1] = 0;
++ name_len = 2;
+ }
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 1ce4f107efb143aa9452010d30cc42edc5837669 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Jul 2025 05:55:40 +0000
+Subject: cpufreq: CPPC: Mark driver with NEED_UPDATE_LIMITS flag
+
+From: Prashant Malani <pmalani@google.com>
+
+[ Upstream commit 0a1416a49e63c320f6e6c1c8d07e1b58c0d4a3f3 ]
+
+AMU counters on certain CPPC-based platforms tend to yield inaccurate
+delivered performance measurements on systems that are idle/mostly idle.
+This results in an inaccurate frequency being stored by cpufreq in its
+policy structure when the CPU is brought online. [1]
+
+Consequently, if the userspace governor tries to set the frequency to a
+new value, there is a possibility that it would be the erroneous value
+stored earlier. In such a scenario, cpufreq would assume that the
+requested frequency has already been set and return early, resulting in
+the correct/new frequency request never making it to the hardware.
+
+Since the operating frequency is liable to this sort of inconsistency,
+mark the CPPC driver with CPUFREQ_NEED_UPDATE_LIMITS so that it is always
+invoked when a target frequency update is requested.
+
+Link: https://lore.kernel.org/linux-pm/20250619000925.415528-3-pmalani@google.com/ [1]
+Suggested-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Prashant Malani <pmalani@google.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Link: https://patch.msgid.link/20250722055611.130574-2-pmalani@google.com
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/cppc_cpufreq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/cpufreq/cppc_cpufreq.c b/drivers/cpufreq/cppc_cpufreq.c
+index c5a4aa0c2c9a..b7294531816b 100644
+--- a/drivers/cpufreq/cppc_cpufreq.c
++++ b/drivers/cpufreq/cppc_cpufreq.c
+@@ -682,7 +682,7 @@ static struct freq_attr *cppc_cpufreq_attr[] = {
+ };
+
+ static struct cpufreq_driver cppc_cpufreq_driver = {
+- .flags = CPUFREQ_CONST_LOOPS,
++ .flags = CPUFREQ_CONST_LOOPS | CPUFREQ_NEED_UPDATE_LIMITS,
+ .verify = cppc_verify_policy,
+ .target = cppc_cpufreq_set_target,
+ .get = cppc_cpufreq_get_rate,
+--
+2.39.5
+
--- /dev/null
+From f713ca30070bd1184d1ad2ef4d56b2bffcfa467d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jul 2025 18:41:45 +0800
+Subject: cpufreq: Exit governor when failed to start old governor
+
+From: Lifeng Zheng <zhenglifeng1@huawei.com>
+
+[ Upstream commit 0ae204405095abfbc2d694ee0fbb49bcbbe55c57 ]
+
+Detect the result of starting old governor in cpufreq_set_policy(). If it
+fails, exit the governor and clear policy->governor.
+
+Signed-off-by: Lifeng Zheng <zhenglifeng1@huawei.com>
+Link: https://patch.msgid.link/20250709104145.2348017-5-zhenglifeng1@huawei.com
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/cpufreq.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
+index 33c080e08623..addd20bf6be0 100644
+--- a/drivers/cpufreq/cpufreq.c
++++ b/drivers/cpufreq/cpufreq.c
+@@ -2606,10 +2606,12 @@ static int cpufreq_set_policy(struct cpufreq_policy *policy,
+ pr_debug("starting governor %s failed\n", policy->governor->name);
+ if (old_gov) {
+ policy->governor = old_gov;
+- if (cpufreq_init_governor(policy))
++ if (cpufreq_init_governor(policy)) {
+ policy->governor = NULL;
+- else
+- cpufreq_start_governor(policy);
++ } else if (cpufreq_start_governor(policy)) {
++ cpufreq_exit_governor(policy);
++ policy->governor = NULL;
++ }
+ }
+
+ return ret;
+--
+2.39.5
+
--- /dev/null
+From d84364989f80baea70903058bb2d57e187065b8c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jul 2025 18:05:01 +0800
+Subject: crypto: hisilicon/hpre - fix dma unmap sequence
+
+From: Zhiqi Song <songzhiqi1@huawei.com>
+
+[ Upstream commit 982fd1a74de63c388c060e4fa6f7fbd088d6d02e ]
+
+Perform DMA unmapping operations before processing data.
+Otherwise, there may be unsynchronized data accessed by
+the CPU when the SWIOTLB is enabled.
+
+Signed-off-by: Zhiqi Song <songzhiqi1@huawei.com>
+Signed-off-by: Chenghai Huang <huangchenghai2@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/hisilicon/hpre/hpre_crypto.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/hisilicon/hpre/hpre_crypto.c b/drivers/crypto/hisilicon/hpre/hpre_crypto.c
+index 4062251fd1b6..14e2f2042a55 100644
+--- a/drivers/crypto/hisilicon/hpre/hpre_crypto.c
++++ b/drivers/crypto/hisilicon/hpre/hpre_crypto.c
+@@ -1458,11 +1458,13 @@ static void hpre_ecdh_cb(struct hpre_ctx *ctx, void *resp)
+ if (overtime_thrhld && hpre_is_bd_timeout(req, overtime_thrhld))
+ atomic64_inc(&dfx[HPRE_OVER_THRHLD_CNT].value);
+
++ /* Do unmap before data processing */
++ hpre_ecdh_hw_data_clr_all(ctx, req, areq->dst, areq->src);
++
+ p = sg_virt(areq->dst);
+ memmove(p, p + ctx->key_sz - curve_sz, curve_sz);
+ memmove(p + curve_sz, p + areq->dst_len - curve_sz, curve_sz);
+
+- hpre_ecdh_hw_data_clr_all(ctx, req, areq->dst, areq->src);
+ kpp_request_complete(areq, ret);
+
+ atomic64_inc(&dfx[HPRE_RECV_CNT].value);
+@@ -1766,9 +1768,11 @@ static void hpre_curve25519_cb(struct hpre_ctx *ctx, void *resp)
+ if (overtime_thrhld && hpre_is_bd_timeout(req, overtime_thrhld))
+ atomic64_inc(&dfx[HPRE_OVER_THRHLD_CNT].value);
+
++ /* Do unmap before data processing */
++ hpre_curve25519_hw_data_clr_all(ctx, req, areq->dst, areq->src);
++
+ hpre_key_to_big_end(sg_virt(areq->dst), CURVE25519_KEY_SIZE);
+
+- hpre_curve25519_hw_data_clr_all(ctx, req, areq->dst, areq->src);
+ kpp_request_complete(areq, ret);
+
+ atomic64_inc(&dfx[HPRE_RECV_CNT].value);
+--
+2.39.5
+
--- /dev/null
+From d51475b26afb26553568c2a81c960ae6ea0555f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 May 2025 15:36:24 +0530
+Subject: crypto: octeontx2 - add timeout for load_fvc completion poll
+
+From: Bharat Bhushan <bbhushan2@marvell.com>
+
+[ Upstream commit 2157e50f65d2030f07ea27ef7ac4cfba772e98ac ]
+
+Adds timeout to exit from possible infinite loop, which polls
+on CPT instruction(load_fvc) completion.
+
+Signed-off-by: Srujana Challa <schalla@marvell.com>
+Signed-off-by: Bharat Bhushan <bbhushan2@marvell.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../crypto/marvell/octeontx2/otx2_cptpf_ucode.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c b/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c
+index 7c1b92aaab39..6bee19394857 100644
+--- a/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c
++++ b/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c
+@@ -1419,6 +1419,7 @@ int otx2_cpt_discover_eng_capabilities(struct otx2_cptpf_dev *cptpf)
+ dma_addr_t rptr_baddr;
+ struct pci_dev *pdev;
+ u32 len, compl_rlen;
++ int timeout = 10000;
+ int ret, etype;
+ void *rptr;
+
+@@ -1483,16 +1484,27 @@ int otx2_cpt_discover_eng_capabilities(struct otx2_cptpf_dev *cptpf)
+ etype);
+ otx2_cpt_fill_inst(&inst, &iq_cmd, rptr_baddr);
+ lfs->ops->send_cmd(&inst, 1, &cptpf->lfs.lf[0]);
++ timeout = 10000;
+
+ while (lfs->ops->cpt_get_compcode(result) ==
+- OTX2_CPT_COMPLETION_CODE_INIT)
++ OTX2_CPT_COMPLETION_CODE_INIT) {
+ cpu_relax();
++ udelay(1);
++ timeout--;
++ if (!timeout) {
++ ret = -ENODEV;
++ cptpf->is_eng_caps_discovered = false;
++ dev_warn(&pdev->dev, "Timeout on CPT load_fvc completion poll\n");
++ goto error_no_response;
++ }
++ }
+
+ cptpf->eng_caps[etype].u = be64_to_cpup(rptr);
+ }
+- dma_unmap_single(&pdev->dev, rptr_baddr, len, DMA_BIDIRECTIONAL);
+ cptpf->is_eng_caps_discovered = true;
+
++error_no_response:
++ dma_unmap_single(&pdev->dev, rptr_baddr, len, DMA_BIDIRECTIONAL);
+ free_result:
+ kfree(result);
+ lf_cleanup:
+--
+2.39.5
+
--- /dev/null
+From 65565f4a54d0db025286f3d56cb95b425b0e1dc7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 15:24:22 +0200
+Subject: dm-mpath: don't print the "loaded" message if registering fails
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+[ Upstream commit 6e11952a6abc4641dc8ae63f01b318b31b44e8db ]
+
+If dm_register_path_selector, don't print the "version X loaded" message.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm-ps-historical-service-time.c | 4 +++-
+ drivers/md/dm-ps-queue-length.c | 4 +++-
+ drivers/md/dm-ps-round-robin.c | 4 +++-
+ drivers/md/dm-ps-service-time.c | 4 +++-
+ 4 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/md/dm-ps-historical-service-time.c b/drivers/md/dm-ps-historical-service-time.c
+index 82f2a06153dc..683ac2e03079 100644
+--- a/drivers/md/dm-ps-historical-service-time.c
++++ b/drivers/md/dm-ps-historical-service-time.c
+@@ -540,8 +540,10 @@ static int __init dm_hst_init(void)
+ {
+ int r = dm_register_path_selector(&hst_ps);
+
+- if (r < 0)
++ if (r < 0) {
+ DMERR("register failed %d", r);
++ return r;
++ }
+
+ DMINFO("version " HST_VERSION " loaded");
+
+diff --git a/drivers/md/dm-ps-queue-length.c b/drivers/md/dm-ps-queue-length.c
+index cef70657bbbc..cc5eff8853ab 100644
+--- a/drivers/md/dm-ps-queue-length.c
++++ b/drivers/md/dm-ps-queue-length.c
+@@ -259,8 +259,10 @@ static int __init dm_ql_init(void)
+ {
+ int r = dm_register_path_selector(&ql_ps);
+
+- if (r < 0)
++ if (r < 0) {
+ DMERR("register failed %d", r);
++ return r;
++ }
+
+ DMINFO("version " QL_VERSION " loaded");
+
+diff --git a/drivers/md/dm-ps-round-robin.c b/drivers/md/dm-ps-round-robin.c
+index 27f44c5fa04e..6f10c4f879ec 100644
+--- a/drivers/md/dm-ps-round-robin.c
++++ b/drivers/md/dm-ps-round-robin.c
+@@ -216,8 +216,10 @@ static int __init dm_rr_init(void)
+ {
+ int r = dm_register_path_selector(&rr_ps);
+
+- if (r < 0)
++ if (r < 0) {
+ DMERR("register failed %d", r);
++ return r;
++ }
+
+ DMINFO("version " RR_VERSION " loaded");
+
+diff --git a/drivers/md/dm-ps-service-time.c b/drivers/md/dm-ps-service-time.c
+index 3ec9c33265c5..eea15af86e69 100644
+--- a/drivers/md/dm-ps-service-time.c
++++ b/drivers/md/dm-ps-service-time.c
+@@ -341,8 +341,10 @@ static int __init dm_st_init(void)
+ {
+ int r = dm_register_path_selector(&st_ps);
+
+- if (r < 0)
++ if (r < 0) {
+ DMERR("register failed %d", r);
++ return r;
++ }
+
+ DMINFO("version " ST_VERSION " loaded");
+
+--
+2.39.5
+
--- /dev/null
+From 1157ad4ca733ece99f2f5467acb1148ffb4a7a8a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Jun 2025 23:24:05 +0200
+Subject: dpaa_eth: don't use fixed_phy_change_carrier
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit d8155c1df5c8b717052567b188455d41fa7a8908 ]
+
+This effectively reverts 6e8b0ff1ba4c ("dpaa_eth: Add change_carrier()
+for Fixed PHYs"). Usage of fixed_phy_change_carrier() requires that
+fixed_phy_register() has been called before, directly or indirectly.
+And that's not the case in this driver.
+
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://patch.msgid.link/7eb189b3-d5fd-4be6-8517-a66671a4e4e3@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c b/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
+index 6fbf4efa0786..c2fe8827346f 100644
+--- a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
++++ b/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
+@@ -52,7 +52,6 @@
+ #include <linux/percpu.h>
+ #include <linux/dma-mapping.h>
+ #include <linux/sort.h>
+-#include <linux/phy_fixed.h>
+ #include <linux/bpf.h>
+ #include <linux/bpf_trace.h>
+ #include <soc/fsl/bman.h>
+@@ -3168,7 +3167,6 @@ static const struct net_device_ops dpaa_ops = {
+ .ndo_stop = dpaa_eth_stop,
+ .ndo_tx_timeout = dpaa_tx_timeout,
+ .ndo_get_stats64 = dpaa_get_stats64,
+- .ndo_change_carrier = fixed_phy_change_carrier,
+ .ndo_set_mac_address = dpaa_set_mac_address,
+ .ndo_validate_addr = eth_validate_addr,
+ .ndo_set_rx_mode = dpaa_set_rx_mode,
+--
+2.39.5
+
--- /dev/null
+From b0124e32c7233865ac5c265d3d6098c296fde4e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 11:57:28 +0200
+Subject: drbd: add missing kref_get in handle_write_conflicts
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sarah Newman <srn@prgmr.com>
+
+[ Upstream commit 00c9c9628b49e368d140cfa61d7df9b8922ec2a8 ]
+
+With `two-primaries` enabled, DRBD tries to detect "concurrent" writes
+and handle write conflicts, so that even if you write to the same sector
+simultaneously on both nodes, they end up with the identical data once
+the writes are completed.
+
+In handling "superseeded" writes, we forgot a kref_get,
+resulting in a premature drbd_destroy_device and use after free,
+and further to kernel crashes with symptoms.
+
+Relevance: No one should use DRBD as a random data generator, and apparently
+all users of "two-primaries" handle concurrent writes correctly on layer up.
+That is cluster file systems use some distributed lock manager,
+and live migration in virtualization environments stops writes on one node
+before starting writes on the other node.
+
+Which means that other than for "test cases",
+this code path is never taken in real life.
+
+FYI, in DRBD 9, things are handled differently nowadays. We still detect
+"write conflicts", but no longer try to be smart about them.
+We decided to disconnect hard instead: upper layers must not submit concurrent
+writes. If they do, that's their fault.
+
+Signed-off-by: Sarah Newman <srn@prgmr.com>
+Signed-off-by: Lars Ellenberg <lars@linbit.com>
+Signed-off-by: Christoph Böhmwalder <christoph.boehmwalder@linbit.com>
+Link: https://lore.kernel.org/r/20250627095728.800688-1-christoph.boehmwalder@linbit.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/drbd/drbd_receiver.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c
+index 0104e101b0d7..ea38dd43c6b0 100644
+--- a/drivers/block/drbd/drbd_receiver.c
++++ b/drivers/block/drbd/drbd_receiver.c
+@@ -2532,7 +2532,11 @@ static int handle_write_conflicts(struct drbd_device *device,
+ peer_req->w.cb = superseded ? e_send_superseded :
+ e_send_retry_write;
+ list_add_tail(&peer_req->w.list, &device->done_ee);
+- queue_work(connection->ack_sender, &peer_req->peer_device->send_acks_work);
++ /* put is in drbd_send_acks_wf() */
++ kref_get(&device->kref);
++ if (!queue_work(connection->ack_sender,
++ &peer_req->peer_device->send_acks_work))
++ kref_put(&device->kref, drbd_destroy_device);
+
+ err = -ENOENT;
+ goto out;
+--
+2.39.5
+
--- /dev/null
+From 6bf9869cbb915c34932495eff604601c7855c870 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Jun 2025 22:12:26 -0500
+Subject: drm/amd: Allow printing VanGogh OD SCLK levels without setting dpm to
+ manual
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit 2d1ec1e955414e8e8358178011c35afca1a1c0b1 ]
+
+Several other ASICs allow printing OD SCLK levels without setting DPM
+control to manual. When OD is disabled it will show the range the
+hardware supports. When OD is enabled it will show what values have
+been programmed. Adjust VanGogh to work the same.
+
+Cc: Pierre-Loup A. Griffais <pgriffais@valvesoftware.com>
+Reported-by: Vicki Pfau <vi@endrift.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Link: https://lore.kernel.org/r/20250609031227.479079-1-superm1@kernel.org
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c | 37 ++++++++-----------
+ 1 file changed, 15 insertions(+), 22 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c
+index 5a9b47133db1..d64a0a0d5b19 100644
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c
+@@ -680,7 +680,6 @@ static int vangogh_print_clk_levels(struct smu_context *smu,
+ {
+ DpmClocks_t *clk_table = smu->smu_table.clocks_table;
+ SmuMetrics_t metrics;
+- struct smu_dpm_context *smu_dpm_ctx = &(smu->smu_dpm);
+ int i, idx, size = 0, ret = 0;
+ uint32_t cur_value = 0, value = 0, count = 0;
+ bool cur_value_match_level = false;
+@@ -695,31 +694,25 @@ static int vangogh_print_clk_levels(struct smu_context *smu,
+
+ switch (clk_type) {
+ case SMU_OD_SCLK:
+- if (smu_dpm_ctx->dpm_level == AMD_DPM_FORCED_LEVEL_MANUAL) {
+- size += sysfs_emit_at(buf, size, "%s:\n", "OD_SCLK");
+- size += sysfs_emit_at(buf, size, "0: %10uMhz\n",
+- (smu->gfx_actual_hard_min_freq > 0) ? smu->gfx_actual_hard_min_freq : smu->gfx_default_hard_min_freq);
+- size += sysfs_emit_at(buf, size, "1: %10uMhz\n",
+- (smu->gfx_actual_soft_max_freq > 0) ? smu->gfx_actual_soft_max_freq : smu->gfx_default_soft_max_freq);
+- }
++ size += sysfs_emit_at(buf, size, "%s:\n", "OD_SCLK");
++ size += sysfs_emit_at(buf, size, "0: %10uMhz\n",
++ (smu->gfx_actual_hard_min_freq > 0) ? smu->gfx_actual_hard_min_freq : smu->gfx_default_hard_min_freq);
++ size += sysfs_emit_at(buf, size, "1: %10uMhz\n",
++ (smu->gfx_actual_soft_max_freq > 0) ? smu->gfx_actual_soft_max_freq : smu->gfx_default_soft_max_freq);
+ break;
+ case SMU_OD_CCLK:
+- if (smu_dpm_ctx->dpm_level == AMD_DPM_FORCED_LEVEL_MANUAL) {
+- size += sysfs_emit_at(buf, size, "CCLK_RANGE in Core%d:\n", smu->cpu_core_id_select);
+- size += sysfs_emit_at(buf, size, "0: %10uMhz\n",
+- (smu->cpu_actual_soft_min_freq > 0) ? smu->cpu_actual_soft_min_freq : smu->cpu_default_soft_min_freq);
+- size += sysfs_emit_at(buf, size, "1: %10uMhz\n",
+- (smu->cpu_actual_soft_max_freq > 0) ? smu->cpu_actual_soft_max_freq : smu->cpu_default_soft_max_freq);
+- }
++ size += sysfs_emit_at(buf, size, "CCLK_RANGE in Core%d:\n", smu->cpu_core_id_select);
++ size += sysfs_emit_at(buf, size, "0: %10uMhz\n",
++ (smu->cpu_actual_soft_min_freq > 0) ? smu->cpu_actual_soft_min_freq : smu->cpu_default_soft_min_freq);
++ size += sysfs_emit_at(buf, size, "1: %10uMhz\n",
++ (smu->cpu_actual_soft_max_freq > 0) ? smu->cpu_actual_soft_max_freq : smu->cpu_default_soft_max_freq);
+ break;
+ case SMU_OD_RANGE:
+- if (smu_dpm_ctx->dpm_level == AMD_DPM_FORCED_LEVEL_MANUAL) {
+- size += sysfs_emit_at(buf, size, "%s:\n", "OD_RANGE");
+- size += sysfs_emit_at(buf, size, "SCLK: %7uMhz %10uMhz\n",
+- smu->gfx_default_hard_min_freq, smu->gfx_default_soft_max_freq);
+- size += sysfs_emit_at(buf, size, "CCLK: %7uMhz %10uMhz\n",
+- smu->cpu_default_soft_min_freq, smu->cpu_default_soft_max_freq);
+- }
++ size += sysfs_emit_at(buf, size, "%s:\n", "OD_RANGE");
++ size += sysfs_emit_at(buf, size, "SCLK: %7uMhz %10uMhz\n",
++ smu->gfx_default_hard_min_freq, smu->gfx_default_soft_max_freq);
++ size += sysfs_emit_at(buf, size, "CCLK: %7uMhz %10uMhz\n",
++ smu->cpu_default_soft_min_freq, smu->cpu_default_soft_max_freq);
+ break;
+ case SMU_SOCCLK:
+ /* the level 3 ~ 6 of socclk use the same frequency for vangogh */
+--
+2.39.5
+
--- /dev/null
+From 4add22b9356bb7fd26dbd696d8550674686a8e6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Jun 2025 16:37:08 -0400
+Subject: drm/amd/display: Fix 'failed to blank crtc!'
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wen Chen <Wen.Chen3@amd.com>
+
+[ Upstream commit 01f60348d8fb6b3fbcdfc7bdde5d669f95b009a4 ]
+
+[why]
+DCN35 is having “DC: failed to blank crtc!” when running HPO
+test cases. It's caused by not having sufficient udelay time.
+
+[how]
+Replace the old wait_for_blank_complete function with fsleep function to
+sleep just until the next frame should come up. This way it doesn't poll
+in case the pixel clock or other clock was bugged or until vactive and
+the vblank are hit again.
+
+Reviewed-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
+Signed-off-by: Wen Chen <Wen.Chen3@amd.com>
+Signed-off-by: Fangzhi Zuo <jerry.zuo@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
+index 59d16c553800..3935c8b32a2b 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
+@@ -729,7 +729,7 @@ enum dc_status dcn20_enable_stream_timing(
+ return DC_ERROR_UNEXPECTED;
+ }
+
+- hws->funcs.wait_for_blank_complete(pipe_ctx->stream_res.opp);
++ fsleep(stream->timing.v_total * (stream->timing.h_total * 10000u / stream->timing.pix_clk_100hz));
+
+ params.vertical_total_min = stream->adjust.v_total_min;
+ params.vertical_total_max = stream->adjust.v_total_max;
+--
+2.39.5
+
--- /dev/null
+From b97a71f8342105dbaf9dca7af67e57233eee7971 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 13:07:14 -0400
+Subject: drm/amd/display: Separate set_gsl from set_gsl_source_select
+
+From: Ilya Bakoulin <Ilya.Bakoulin@amd.com>
+
+[ Upstream commit 660a467a5e7366cd6642de61f1aaeaf0d253ee68 ]
+
+[Why/How]
+Separate the checks for set_gsl and set_gsl_source_select, since
+source_select may not be implemented/necessary.
+
+Reviewed-by: Nevenko Stupar <nevenko.stupar@amd.com>
+Signed-off-by: Ilya Bakoulin <Ilya.Bakoulin@amd.com>
+Signed-off-by: Ray Wu <ray.wu@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
+index bf2a8f53694b..59d16c553800 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
+@@ -160,14 +160,13 @@ static void dcn20_setup_gsl_group_as_lock(
+ }
+
+ /* at this point we want to program whether it's to enable or disable */
+- if (pipe_ctx->stream_res.tg->funcs->set_gsl != NULL &&
+- pipe_ctx->stream_res.tg->funcs->set_gsl_source_select != NULL) {
++ if (pipe_ctx->stream_res.tg->funcs->set_gsl != NULL) {
+ pipe_ctx->stream_res.tg->funcs->set_gsl(
+ pipe_ctx->stream_res.tg,
+ &gsl);
+-
+- pipe_ctx->stream_res.tg->funcs->set_gsl_source_select(
+- pipe_ctx->stream_res.tg, group_idx, enable ? 4 : 0);
++ if (pipe_ctx->stream_res.tg->funcs->set_gsl_source_select != NULL)
++ pipe_ctx->stream_res.tg->funcs->set_gsl_source_select(
++ pipe_ctx->stream_res.tg, group_idx, enable ? 4 : 0);
+ } else
+ BREAK_TO_DEBUGGER();
+ }
+--
+2.39.5
+
--- /dev/null
+From 5985e25d188097e23be640008ed06080fd06865a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 29 Jun 2025 13:13:22 -0700
+Subject: drm/msm: use trylock for debugfs
+
+From: Rob Clark <robdclark@chromium.org>
+
+[ Upstream commit 0a1ff88ec5b60b41ba830c5bf08b6cd8f45ab411 ]
+
+This resolves a potential deadlock vs msm_gem_vm_close(). Otherwise for
+_NO_SHARE buffers msm_gem_describe() could be trying to acquire the
+shared vm resv, while already holding priv->obj_lock. But _vm_close()
+might drop the last reference to a GEM obj while already holding the vm
+resv, and msm_gem_free_object() needs to grab priv->obj_lock, a locking
+inversion.
+
+OTOH this is only for debugfs and it isn't critical if we undercount by
+skipping a locked obj. So just use trylock() and move along if we can't
+get the lock.
+
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
+Tested-by: Antonino Maniscalco <antomani103@gmail.com>
+Reviewed-by: Antonino Maniscalco <antomani103@gmail.com>
+Patchwork: https://patchwork.freedesktop.org/patch/661525/
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/msm_gem.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/msm_gem.c b/drivers/gpu/drm/msm/msm_gem.c
+index d280dd64744d..36ced8f83434 100644
+--- a/drivers/gpu/drm/msm/msm_gem.c
++++ b/drivers/gpu/drm/msm/msm_gem.c
+@@ -886,7 +886,8 @@ void msm_gem_describe(struct drm_gem_object *obj, struct seq_file *m,
+ uint64_t off = drm_vma_node_start(&obj->vma_node);
+ const char *madv;
+
+- msm_gem_lock(obj);
++ if (!msm_gem_trylock(obj))
++ return;
+
+ stats->all.count++;
+ stats->all.size += obj->size;
+--
+2.39.5
+
--- /dev/null
+From cb1587ce49023a81f95cecd8da0ec20cd9cba73d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Jun 2025 12:27:49 +0100
+Subject: drm/ttm: Respect the shrinker core free target
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
+
+[ Upstream commit eac21f8ebeb4f84d703cf41dc3f81d16fa9dc00a ]
+
+Currently the TTM shrinker aborts shrinking as soon as it frees pages from
+any of the page order pools and by doing so it can fail to respect the
+freeing target which was configured by the shrinker core.
+
+We use the wording "can fail" because the number of freed pages will
+depend on the presence of pages in the pools and the order of the pools on
+the LRU list. For example if there are no free pages in the high order
+pools the shrinker core may require multiple passes over the TTM shrinker
+before it will free the default target of 128 pages (assuming there are
+free pages in the low order pools). This inefficiency can be compounded by
+the pool LRU where multiple further calls into the TTM shrinker are
+required to end up looking at the pool with pages.
+
+Improve this by never freeing less than the shrinker core has requested.
+
+At the same time we start reporting the number of scanned pages (freed in
+this case), which prevents the core shrinker from giving up on the TTM
+shrinker too soon and moving on.
+
+v2:
+ * Simplify loop logic. (Christian)
+ * Improve commit message.
+
+Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
+Cc: Christian König <christian.koenig@amd.com>
+Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
+Link: https://lore.kernel.org/r/20250603112750.34997-2-tvrtko.ursulin@igalia.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/ttm/ttm_pool.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/ttm/ttm_pool.c b/drivers/gpu/drm/ttm/ttm_pool.c
+index 346db24719f9..69968b3cb73d 100644
+--- a/drivers/gpu/drm/ttm/ttm_pool.c
++++ b/drivers/gpu/drm/ttm/ttm_pool.c
+@@ -588,7 +588,6 @@ void ttm_pool_fini(struct ttm_pool *pool)
+ }
+ }
+
+-/* As long as pages are available make sure to release at least one */
+ static unsigned long ttm_pool_shrinker_scan(struct shrinker *shrink,
+ struct shrink_control *sc)
+ {
+@@ -596,9 +595,12 @@ static unsigned long ttm_pool_shrinker_scan(struct shrinker *shrink,
+
+ do
+ num_freed += ttm_pool_shrink();
+- while (!num_freed && atomic_long_read(&allocated_pages));
++ while (num_freed < sc->nr_to_scan &&
++ atomic_long_read(&allocated_pages));
+
+- return num_freed;
++ sc->nr_scanned = num_freed;
++
++ return num_freed ?: SHRINK_STOP;
+ }
+
+ /* Return the number of pages available or SHRINK_EMPTY if we have none */
+--
+2.39.5
+
--- /dev/null
+From f50052210ad08411788bd33a693baef0392ab23a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Jun 2025 17:11:54 +0800
+Subject: drm/ttm: Should to return the evict error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Emily Deng <Emily.Deng@amd.com>
+
+[ Upstream commit 4e16a9a00239db5d819197b9a00f70665951bf50 ]
+
+For the evict fail case, the evict error should be returned.
+
+v2: Consider ENOENT case.
+
+v3: Abort directly when the eviction failed for some reason (except for -ENOENT)
+ and not wait for the move to finish
+
+Signed-off-by: Emily Deng <Emily.Deng@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Link: https://lore.kernel.org/r/20250603091154.3472646-1-Emily.Deng@amd.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/ttm/ttm_resource.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpu/drm/ttm/ttm_resource.c b/drivers/gpu/drm/ttm/ttm_resource.c
+index 2c590b4c46cb..9a8f565aa6ad 100644
+--- a/drivers/gpu/drm/ttm/ttm_resource.c
++++ b/drivers/gpu/drm/ttm/ttm_resource.c
+@@ -150,6 +150,9 @@ int ttm_resource_manager_evict_all(struct ttm_device *bdev,
+ }
+ spin_unlock(&bdev->lru_lock);
+
++ if (ret && ret != -ENOENT)
++ return ret;
++
+ spin_lock(&man->move_lock);
+ fence = dma_fence_get(man->move);
+ spin_unlock(&man->move_lock);
+--
+2.39.5
+
--- /dev/null
+From 36136b6bcd61373e15b7ead50a439dc3f5f10ae5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Jul 2025 10:37:53 +0530
+Subject: EDAC/synopsys: Clear the ECC counters on init
+
+From: Shubhrajyoti Datta <shubhrajyoti.datta@amd.com>
+
+[ Upstream commit b1dc7f097b78eb8d25b071ead2384b07a549692b ]
+
+Clear the ECC error and counter registers during initialization/probe to avoid
+reporting stale errors that may have occurred before EDAC registration.
+
+For that, unify the Zynq and ZynqMP ECC state reading paths and simplify the
+code.
+
+ [ bp: Massage commit message.
+ Fix an -Wsometimes-uninitialized warning as reported by
+ Reported-by: kernel test robot <lkp@intel.com>
+ Closes: https://lore.kernel.org/oe-kbuild-all/202507141048.obUv3ZUm-lkp@intel.com ]
+
+Signed-off-by: Shubhrajyoti Datta <shubhrajyoti.datta@amd.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Link: https://lore.kernel.org/20250713050753.7042-1-shubhrajyoti.datta@amd.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/synopsys_edac.c | 97 +++++++++++++++++-------------------
+ 1 file changed, 46 insertions(+), 51 deletions(-)
+
+diff --git a/drivers/edac/synopsys_edac.c b/drivers/edac/synopsys_edac.c
+index e8ddb029f10d..cbc40f57b27b 100644
+--- a/drivers/edac/synopsys_edac.c
++++ b/drivers/edac/synopsys_edac.c
+@@ -346,20 +346,26 @@ struct synps_edac_priv {
+ #endif
+ };
+
++enum synps_platform_type {
++ ZYNQ,
++ ZYNQMP,
++ SYNPS,
++};
++
+ /**
+ * struct synps_platform_data - synps platform data structure.
++ * @platform: Identifies the target hardware platform
+ * @get_error_info: Get EDAC error info.
+ * @get_mtype: Get mtype.
+ * @get_dtype: Get dtype.
+- * @get_ecc_state: Get ECC state.
+ * @get_mem_info: Get EDAC memory info
+ * @quirks: To differentiate IPs.
+ */
+ struct synps_platform_data {
++ enum synps_platform_type platform;
+ int (*get_error_info)(struct synps_edac_priv *priv);
+ enum mem_type (*get_mtype)(const void __iomem *base);
+ enum dev_type (*get_dtype)(const void __iomem *base);
+- bool (*get_ecc_state)(void __iomem *base);
+ #ifdef CONFIG_EDAC_DEBUG
+ u64 (*get_mem_info)(struct synps_edac_priv *priv);
+ #endif
+@@ -734,51 +740,38 @@ static enum dev_type zynqmp_get_dtype(const void __iomem *base)
+ return dt;
+ }
+
+-/**
+- * zynq_get_ecc_state - Return the controller ECC enable/disable status.
+- * @base: DDR memory controller base address.
+- *
+- * Get the ECC enable/disable status of the controller.
+- *
+- * Return: true if enabled, otherwise false.
+- */
+-static bool zynq_get_ecc_state(void __iomem *base)
++static bool get_ecc_state(struct synps_edac_priv *priv)
+ {
++ u32 ecctype, clearval;
+ enum dev_type dt;
+- u32 ecctype;
+-
+- dt = zynq_get_dtype(base);
+- if (dt == DEV_UNKNOWN)
+- return false;
+
+- ecctype = readl(base + SCRUB_OFST) & SCRUB_MODE_MASK;
+- if ((ecctype == SCRUB_MODE_SECDED) && (dt == DEV_X2))
+- return true;
+-
+- return false;
+-}
+-
+-/**
+- * zynqmp_get_ecc_state - Return the controller ECC enable/disable status.
+- * @base: DDR memory controller base address.
+- *
+- * Get the ECC enable/disable status for the controller.
+- *
+- * Return: a ECC status boolean i.e true/false - enabled/disabled.
+- */
+-static bool zynqmp_get_ecc_state(void __iomem *base)
+-{
+- enum dev_type dt;
+- u32 ecctype;
+-
+- dt = zynqmp_get_dtype(base);
+- if (dt == DEV_UNKNOWN)
+- return false;
+-
+- ecctype = readl(base + ECC_CFG0_OFST) & SCRUB_MODE_MASK;
+- if ((ecctype == SCRUB_MODE_SECDED) &&
+- ((dt == DEV_X2) || (dt == DEV_X4) || (dt == DEV_X8)))
+- return true;
++ if (priv->p_data->platform == ZYNQ) {
++ dt = zynq_get_dtype(priv->baseaddr);
++ if (dt == DEV_UNKNOWN)
++ return false;
++
++ ecctype = readl(priv->baseaddr + SCRUB_OFST) & SCRUB_MODE_MASK;
++ if (ecctype == SCRUB_MODE_SECDED && dt == DEV_X2) {
++ clearval = ECC_CTRL_CLR_CE_ERR | ECC_CTRL_CLR_UE_ERR;
++ writel(clearval, priv->baseaddr + ECC_CTRL_OFST);
++ writel(0x0, priv->baseaddr + ECC_CTRL_OFST);
++ return true;
++ }
++ } else {
++ dt = zynqmp_get_dtype(priv->baseaddr);
++ if (dt == DEV_UNKNOWN)
++ return false;
++
++ ecctype = readl(priv->baseaddr + ECC_CFG0_OFST) & SCRUB_MODE_MASK;
++ if (ecctype == SCRUB_MODE_SECDED &&
++ (dt == DEV_X2 || dt == DEV_X4 || dt == DEV_X8)) {
++ clearval = readl(priv->baseaddr + ECC_CLR_OFST) |
++ ECC_CTRL_CLR_CE_ERR | ECC_CTRL_CLR_CE_ERRCNT |
++ ECC_CTRL_CLR_UE_ERR | ECC_CTRL_CLR_UE_ERRCNT;
++ writel(clearval, priv->baseaddr + ECC_CLR_OFST);
++ return true;
++ }
++ }
+
+ return false;
+ }
+@@ -948,18 +941,18 @@ static int setup_irq(struct mem_ctl_info *mci,
+ }
+
+ static const struct synps_platform_data zynq_edac_def = {
++ .platform = ZYNQ,
+ .get_error_info = zynq_get_error_info,
+ .get_mtype = zynq_get_mtype,
+ .get_dtype = zynq_get_dtype,
+- .get_ecc_state = zynq_get_ecc_state,
+ .quirks = 0,
+ };
+
+ static const struct synps_platform_data zynqmp_edac_def = {
++ .platform = ZYNQMP,
+ .get_error_info = zynqmp_get_error_info,
+ .get_mtype = zynqmp_get_mtype,
+ .get_dtype = zynqmp_get_dtype,
+- .get_ecc_state = zynqmp_get_ecc_state,
+ #ifdef CONFIG_EDAC_DEBUG
+ .get_mem_info = zynqmp_get_mem_info,
+ #endif
+@@ -971,10 +964,10 @@ static const struct synps_platform_data zynqmp_edac_def = {
+ };
+
+ static const struct synps_platform_data synopsys_edac_def = {
++ .platform = SYNPS,
+ .get_error_info = zynqmp_get_error_info,
+ .get_mtype = zynqmp_get_mtype,
+ .get_dtype = zynqmp_get_dtype,
+- .get_ecc_state = zynqmp_get_ecc_state,
+ .quirks = (DDR_ECC_INTR_SUPPORT | DDR_ECC_INTR_SELF_CLEAR
+ #ifdef CONFIG_EDAC_DEBUG
+ | DDR_ECC_DATA_POISON_SUPPORT
+@@ -1406,10 +1399,6 @@ static int mc_probe(struct platform_device *pdev)
+ if (!p_data)
+ return -ENODEV;
+
+- if (!p_data->get_ecc_state(baseaddr)) {
+- edac_printk(KERN_INFO, EDAC_MC, "ECC not enabled\n");
+- return -ENXIO;
+- }
+
+ layers[0].type = EDAC_MC_LAYER_CHIP_SELECT;
+ layers[0].size = SYNPS_EDAC_NR_CSROWS;
+@@ -1429,6 +1418,12 @@ static int mc_probe(struct platform_device *pdev)
+ priv = mci->pvt_info;
+ priv->baseaddr = baseaddr;
+ priv->p_data = p_data;
++ if (!get_ecc_state(priv)) {
++ edac_printk(KERN_INFO, EDAC_MC, "ECC not enabled\n");
++ rc = -ENODEV;
++ goto free_edac_mc;
++ }
++
+ spin_lock_init(&priv->reglock);
+
+ mc_init(mci, pdev);
+--
+2.39.5
+
--- /dev/null
+From 364eab9409e1294dde14fde6ea73468f254d4d05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jul 2025 11:47:30 +0200
+Subject: et131x: Add missing check after DMA map
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit d61f6cb6f6ef3c70d2ccc0d9c85c508cb8017da9 ]
+
+The DMA map functions can fail and should be tested for errors.
+If the mapping fails, unmap and return an error.
+
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Acked-by: Mark Einon <mark.einon@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250716094733.28734-2-fourier.thomas@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/agere/et131x.c | 36 +++++++++++++++++++++++++++++
+ 1 file changed, 36 insertions(+)
+
+diff --git a/drivers/net/ethernet/agere/et131x.c b/drivers/net/ethernet/agere/et131x.c
+index f4edc616388c..1869c0635e56 100644
+--- a/drivers/net/ethernet/agere/et131x.c
++++ b/drivers/net/ethernet/agere/et131x.c
+@@ -2460,6 +2460,10 @@ static int nic_send_packet(struct et131x_adapter *adapter, struct tcb *tcb)
+ skb->data,
+ skb_headlen(skb),
+ DMA_TO_DEVICE);
++ if (dma_mapping_error(&adapter->pdev->dev,
++ dma_addr))
++ return -ENOMEM;
++
+ desc[frag].addr_lo = lower_32_bits(dma_addr);
+ desc[frag].addr_hi = upper_32_bits(dma_addr);
+ frag++;
+@@ -2469,6 +2473,10 @@ static int nic_send_packet(struct et131x_adapter *adapter, struct tcb *tcb)
+ skb->data,
+ skb_headlen(skb) / 2,
+ DMA_TO_DEVICE);
++ if (dma_mapping_error(&adapter->pdev->dev,
++ dma_addr))
++ return -ENOMEM;
++
+ desc[frag].addr_lo = lower_32_bits(dma_addr);
+ desc[frag].addr_hi = upper_32_bits(dma_addr);
+ frag++;
+@@ -2479,6 +2487,10 @@ static int nic_send_packet(struct et131x_adapter *adapter, struct tcb *tcb)
+ skb_headlen(skb) / 2,
+ skb_headlen(skb) / 2,
+ DMA_TO_DEVICE);
++ if (dma_mapping_error(&adapter->pdev->dev,
++ dma_addr))
++ goto unmap_first_out;
++
+ desc[frag].addr_lo = lower_32_bits(dma_addr);
+ desc[frag].addr_hi = upper_32_bits(dma_addr);
+ frag++;
+@@ -2490,6 +2502,9 @@ static int nic_send_packet(struct et131x_adapter *adapter, struct tcb *tcb)
+ 0,
+ desc[frag].len_vlan,
+ DMA_TO_DEVICE);
++ if (dma_mapping_error(&adapter->pdev->dev, dma_addr))
++ goto unmap_out;
++
+ desc[frag].addr_lo = lower_32_bits(dma_addr);
+ desc[frag].addr_hi = upper_32_bits(dma_addr);
+ frag++;
+@@ -2579,6 +2594,27 @@ static int nic_send_packet(struct et131x_adapter *adapter, struct tcb *tcb)
+ &adapter->regs->global.watchdog_timer);
+ }
+ return 0;
++
++unmap_out:
++ // Unmap the body of the packet with map_page
++ while (--i) {
++ frag--;
++ dma_addr = desc[frag].addr_lo;
++ dma_addr |= (u64)desc[frag].addr_hi << 32;
++ dma_unmap_page(&adapter->pdev->dev, dma_addr,
++ desc[frag].len_vlan, DMA_TO_DEVICE);
++ }
++
++unmap_first_out:
++ // Unmap the header with map_single
++ while (frag--) {
++ dma_addr = desc[frag].addr_lo;
++ dma_addr |= (u64)desc[frag].addr_hi << 32;
++ dma_unmap_single(&adapter->pdev->dev, dma_addr,
++ desc[frag].len_vlan, DMA_TO_DEVICE);
++ }
++
++ return -ENOMEM;
+ }
+
+ static int send_packet(struct sk_buff *skb, struct et131x_adapter *adapter)
+--
+2.39.5
+
--- /dev/null
+From 673e95d0ccc9a306f9da5e01e46e13ee119dc92d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Jun 2025 11:18:38 -0400
+Subject: ext2: Handle fiemap on empty files to prevent EINVAL
+
+From: Wei Gao <wegao@suse.com>
+
+[ Upstream commit a099b09a3342a0b28ea330e405501b5b4d0424b4 ]
+
+Previously, ext2_fiemap would unconditionally apply "len = min_t(u64, len,
+i_size_read(inode));", When inode->i_size was 0 (for an empty file), this
+would reduce the requested len to 0. Passing len = 0 to iomap_fiemap could
+then result in an -EINVAL error, even for valid queries on empty files.
+
+Link: https://github.com/linux-test-project/ltp/issues/1246
+Signed-off-by: Wei Gao <wegao@suse.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Link: https://patch.msgid.link/20250613152402.3432135-1-wegao@suse.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext2/inode.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ext2/inode.c b/fs/ext2/inode.c
+index 333fa62661d5..85b6a76378ee 100644
+--- a/fs/ext2/inode.c
++++ b/fs/ext2/inode.c
+@@ -856,9 +856,19 @@ int ext2_fiemap(struct inode *inode, struct fiemap_extent_info *fieinfo,
+ u64 start, u64 len)
+ {
+ int ret;
++ loff_t i_size;
+
+ inode_lock(inode);
+- len = min_t(u64, len, i_size_read(inode));
++ i_size = i_size_read(inode);
++ /*
++ * iomap_fiemap() returns EINVAL for 0 length. Make sure we don't trim
++ * length to 0 but still trim the range as much as possible since
++ * ext2_get_blocks() iterates unmapped space block by block which is
++ * slow.
++ */
++ if (i_size == 0)
++ i_size = 1;
++ len = min_t(u64, len, i_size);
+ ret = iomap_fiemap(inode, fieinfo, start, len, &ext2_iomap_ops);
+ inode_unlock(inode);
+
+--
+2.39.5
+
--- /dev/null
+From d931e1099c7b2bc4f7e6b7d9e4e9d29873e55dbc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 10:54:34 -0400
+Subject: ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+[ Upstream commit 099b847ccc6c1ad2f805d13cfbcc83f5b6d4bc42 ]
+
+A syzbot fuzzed image triggered a BUG_ON in ext4_update_inline_data()
+when an inode had the INLINE_DATA_FL flag set but was missing the
+system.data extended attribute.
+
+Since this can happen due to a maiciouly fuzzed file system, we
+shouldn't BUG, but rather, report it as a corrupted file system.
+
+Add similar replacements of BUG_ON with EXT4_ERROR_INODE() ii
+ext4_create_inline_data() and ext4_inline_data_truncate().
+
+Reported-by: syzbot+544248a761451c0df72f@syzkaller.appspotmail.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/inline.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
+index a1cc14156ced..d2cdb151a9c1 100644
+--- a/fs/ext4/inline.c
++++ b/fs/ext4/inline.c
+@@ -298,7 +298,11 @@ static int ext4_create_inline_data(handle_t *handle,
+ if (error)
+ goto out;
+
+- BUG_ON(!is.s.not_found);
++ if (!is.s.not_found) {
++ EXT4_ERROR_INODE(inode, "unexpected inline data xattr");
++ error = -EFSCORRUPTED;
++ goto out;
++ }
+
+ error = ext4_xattr_ibody_set(handle, inode, &i, &is);
+ if (error) {
+@@ -349,7 +353,11 @@ static int ext4_update_inline_data(handle_t *handle, struct inode *inode,
+ if (error)
+ goto out;
+
+- BUG_ON(is.s.not_found);
++ if (is.s.not_found) {
++ EXT4_ERROR_INODE(inode, "missing inline data xattr");
++ error = -EFSCORRUPTED;
++ goto out;
++ }
+
+ len -= EXT4_MIN_INLINE_DATA_SIZE;
+ value = kzalloc(len, GFP_NOFS);
+@@ -1981,7 +1989,12 @@ int ext4_inline_data_truncate(struct inode *inode, int *has_inline)
+ if ((err = ext4_xattr_ibody_find(inode, &i, &is)) != 0)
+ goto out_error;
+
+- BUG_ON(is.s.not_found);
++ if (is.s.not_found) {
++ EXT4_ERROR_INODE(inode,
++ "missing inline data xattr");
++ err = -EFSCORRUPTED;
++ goto out_error;
++ }
+
+ value_len = le32_to_cpu(is.s.here->e_value_size);
+ value = kmalloc(value_len, GFP_NOFS);
+--
+2.39.5
+
--- /dev/null
+From 7a91ac3c50bf9aba30095049989f87b8716123d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Jun 2025 13:16:16 +0800
+Subject: fs/ntfs3: Add sanity check for file name
+
+From: Lizhi Xu <lizhi.xu@windriver.com>
+
+[ Upstream commit e841ecb139339602bc1853f5f09daa5d1ea920a2 ]
+
+The length of the file name should be smaller than the directory entry size.
+
+Reported-by: syzbot+598057afa0f49e62bd23@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=598057afa0f49e62bd23
+Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ntfs3/dir.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/ntfs3/dir.c b/fs/ntfs3/dir.c
+index a4ab0164d150..c49e64ebbd0a 100644
+--- a/fs/ntfs3/dir.c
++++ b/fs/ntfs3/dir.c
+@@ -304,6 +304,9 @@ static inline bool ntfs_dir_emit(struct ntfs_sb_info *sbi,
+ if (sbi->options->nohidden && (fname->dup.fa & FILE_ATTRIBUTE_HIDDEN))
+ return true;
+
++ if (fname->name_len + sizeof(struct NTFS_DE) > le16_to_cpu(e->size))
++ return true;
++
+ name_len = ntfs_utf16_to_nls(sbi, fname->name, fname->name_len, name,
+ PATH_MAX);
+ if (name_len <= 0) {
+--
+2.39.5
+
--- /dev/null
+From ffc418bb6da41b2006088f7c241e9918184c3354 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 May 2025 15:35:34 +0800
+Subject: fs/ntfs3: correctly create symlink for relative path
+
+From: Rong Zhang <ulin0208@gmail.com>
+
+[ Upstream commit b1e9d89408f402858c00103f9831b25ffa0994d3 ]
+
+After applying this patch, could correctly create symlink:
+
+ln -s "relative/path/to/file" symlink
+
+Signed-off-by: Rong Zhang <ulin0208@gmail.com>
+[almaz.alexandrovich@paragon-software.com: added cpu_to_le32 macro to
+rs->Flags assignment]
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ntfs3/inode.c | 31 ++++++++++++++++++-------------
+ 1 file changed, 18 insertions(+), 13 deletions(-)
+
+diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c
+index 7adfa19a2f06..edd7c89ba1a1 100644
+--- a/fs/ntfs3/inode.c
++++ b/fs/ntfs3/inode.c
+@@ -1118,10 +1118,10 @@ int inode_write_data(struct inode *inode, const void *data, size_t bytes)
+ * Number of bytes for REPARSE_DATA_BUFFER(IO_REPARSE_TAG_SYMLINK)
+ * for unicode string of @uni_len length.
+ */
+-static inline u32 ntfs_reparse_bytes(u32 uni_len)
++static inline u32 ntfs_reparse_bytes(u32 uni_len, bool is_absolute)
+ {
+ /* Header + unicode string + decorated unicode string. */
+- return sizeof(short) * (2 * uni_len + 4) +
++ return sizeof(short) * (2 * uni_len + (is_absolute ? 4 : 0)) +
+ offsetof(struct REPARSE_DATA_BUFFER,
+ SymbolicLinkReparseBuffer.PathBuffer);
+ }
+@@ -1134,8 +1134,11 @@ ntfs_create_reparse_buffer(struct ntfs_sb_info *sbi, const char *symname,
+ struct REPARSE_DATA_BUFFER *rp;
+ __le16 *rp_name;
+ typeof(rp->SymbolicLinkReparseBuffer) *rs;
++ bool is_absolute;
+
+- rp = kzalloc(ntfs_reparse_bytes(2 * size + 2), GFP_NOFS);
++ is_absolute = (strlen(symname) > 1 && symname[1] == ':');
++
++ rp = kzalloc(ntfs_reparse_bytes(2 * size + 2, is_absolute), GFP_NOFS);
+ if (!rp)
+ return ERR_PTR(-ENOMEM);
+
+@@ -1150,7 +1153,7 @@ ntfs_create_reparse_buffer(struct ntfs_sb_info *sbi, const char *symname,
+ goto out;
+
+ /* err = the length of unicode name of symlink. */
+- *nsize = ntfs_reparse_bytes(err);
++ *nsize = ntfs_reparse_bytes(err, is_absolute);
+
+ if (*nsize > sbi->reparse.max_size) {
+ err = -EFBIG;
+@@ -1170,7 +1173,7 @@ ntfs_create_reparse_buffer(struct ntfs_sb_info *sbi, const char *symname,
+
+ /* PrintName + SubstituteName. */
+ rs->SubstituteNameOffset = cpu_to_le16(sizeof(short) * err);
+- rs->SubstituteNameLength = cpu_to_le16(sizeof(short) * err + 8);
++ rs->SubstituteNameLength = cpu_to_le16(sizeof(short) * err + (is_absolute ? 8 : 0));
+ rs->PrintNameLength = rs->SubstituteNameOffset;
+
+ /*
+@@ -1178,16 +1181,18 @@ ntfs_create_reparse_buffer(struct ntfs_sb_info *sbi, const char *symname,
+ * parse this path.
+ * 0-absolute path 1- relative path (SYMLINK_FLAG_RELATIVE).
+ */
+- rs->Flags = 0;
++ rs->Flags = cpu_to_le32(is_absolute ? 0 : SYMLINK_FLAG_RELATIVE);
+
+- memmove(rp_name + err + 4, rp_name, sizeof(short) * err);
++ memmove(rp_name + err + (is_absolute ? 4 : 0), rp_name, sizeof(short) * err);
+
+- /* Decorate SubstituteName. */
+- rp_name += err;
+- rp_name[0] = cpu_to_le16('\\');
+- rp_name[1] = cpu_to_le16('?');
+- rp_name[2] = cpu_to_le16('?');
+- rp_name[3] = cpu_to_le16('\\');
++ if (is_absolute) {
++ /* Decorate SubstituteName. */
++ rp_name += err;
++ rp_name[0] = cpu_to_le16('\\');
++ rp_name[1] = cpu_to_le16('?');
++ rp_name[2] = cpu_to_le16('?');
++ rp_name[3] = cpu_to_le16('\\');
++ }
+
+ return rp;
+ out:
+--
+2.39.5
+
--- /dev/null
+From 8052173ab679836e8aa92b0c2af4042d0c896363 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Jun 2025 20:05:59 +0330
+Subject: fs/orangefs: use snprintf() instead of sprintf()
+
+From: Amir Mohammad Jahangirzad <a.jahangirzad@gmail.com>
+
+[ Upstream commit cdfa1304657d6f23be8fd2bb0516380a3c89034e ]
+
+sprintf() is discouraged for use with bounded destination buffers
+as it does not prevent buffer overflows when the formatted output
+exceeds the destination buffer size. snprintf() is a safer
+alternative as it limits the number of bytes written and ensures
+NUL-termination.
+
+Replace sprintf() with snprintf() for copying the debug string
+into a temporary buffer, using ORANGEFS_MAX_DEBUG_STRING_LEN as
+the maximum size to ensure safe formatting and prevent memory
+corruption in edge cases.
+
+EDIT: After this patch sat on linux-next for a few days, Dan
+Carpenter saw it and suggested that I use scnprintf instead of
+snprintf. I made the change and retested.
+
+Signed-off-by: Amir Mohammad Jahangirzad <a.jahangirzad@gmail.com>
+Signed-off-by: Mike Marshall <hubcap@omnibond.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/orangefs/orangefs-debugfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/orangefs/orangefs-debugfs.c b/fs/orangefs/orangefs-debugfs.c
+index b57140ebfad0..cd4bfd92ebd6 100644
+--- a/fs/orangefs/orangefs-debugfs.c
++++ b/fs/orangefs/orangefs-debugfs.c
+@@ -354,7 +354,7 @@ static ssize_t orangefs_debug_read(struct file *file,
+ goto out;
+
+ mutex_lock(&orangefs_debug_lock);
+- sprintf_ret = sprintf(buf, "%s", (char *)file->private_data);
++ sprintf_ret = scnprintf(buf, ORANGEFS_MAX_DEBUG_STRING_LEN, "%s", (char *)file->private_data);
+ mutex_unlock(&orangefs_debug_lock);
+
+ read_ret = simple_read_from_buffer(ubuf, count, ppos, buf, sprintf_ret);
+--
+2.39.5
+
--- /dev/null
+From 1a6580cae1c8ed4ac6ce22aced1b8892e8a32482 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jul 2025 09:50:15 +0200
+Subject: gpio: tps65912: check the return value of regmap_update_bits()
+
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+
+[ Upstream commit a0b2a6bbff8c26aafdecd320f38f52c341d5cafa ]
+
+regmap_update_bits() can fail, check its return value like we do
+elsewhere in the driver.
+
+Link: https://lore.kernel.org/r/20250707-gpiochip-set-rv-gpio-round4-v1-2-35668aaaf6d2@linaro.org
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-tps65912.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpio/gpio-tps65912.c b/drivers/gpio/gpio-tps65912.c
+index fab771cb6a87..bac757c191c2 100644
+--- a/drivers/gpio/gpio-tps65912.c
++++ b/drivers/gpio/gpio-tps65912.c
+@@ -49,10 +49,13 @@ static int tps65912_gpio_direction_output(struct gpio_chip *gc,
+ unsigned offset, int value)
+ {
+ struct tps65912_gpio *gpio = gpiochip_get_data(gc);
++ int ret;
+
+ /* Set the initial value */
+- regmap_update_bits(gpio->tps->regmap, TPS65912_GPIO1 + offset,
+- GPIO_SET_MASK, value ? GPIO_SET_MASK : 0);
++ ret = regmap_update_bits(gpio->tps->regmap, TPS65912_GPIO1 + offset,
++ GPIO_SET_MASK, value ? GPIO_SET_MASK : 0);
++ if (ret)
++ return ret;
+
+ return regmap_update_bits(gpio->tps->regmap, TPS65912_GPIO1 + offset,
+ GPIO_CFG_MASK, GPIO_CFG_MASK);
+--
+2.39.5
+
--- /dev/null
+From b08e712dad205f1464fe2ff87ac21633917c6240 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jul 2025 08:41:39 +0200
+Subject: gpio: wcd934x: check the return value of regmap_update_bits()
+
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+
+[ Upstream commit ff0f0d7c6587e38c308be9905e36f86e98fb9c1f ]
+
+regmap_update_bits() can fail so check its return value in
+wcd_gpio_direction_output() for consistency with the rest of the code
+and propagate any errors.
+
+Link: https://lore.kernel.org/r/20250709-gpiochip-set-rv-gpio-remaining-v1-2-b8950f69618d@linaro.org
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-wcd934x.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpio/gpio-wcd934x.c b/drivers/gpio/gpio-wcd934x.c
+index 97e6caedf1f3..c00968ce7a56 100644
+--- a/drivers/gpio/gpio-wcd934x.c
++++ b/drivers/gpio/gpio-wcd934x.c
+@@ -45,9 +45,12 @@ static int wcd_gpio_direction_output(struct gpio_chip *chip, unsigned int pin,
+ int val)
+ {
+ struct wcd_gpio_data *data = gpiochip_get_data(chip);
++ int ret;
+
+- regmap_update_bits(data->map, WCD_REG_DIR_CTL_OFFSET,
+- WCD_PIN_MASK(pin), WCD_PIN_MASK(pin));
++ ret = regmap_update_bits(data->map, WCD_REG_DIR_CTL_OFFSET,
++ WCD_PIN_MASK(pin), WCD_PIN_MASK(pin));
++ if (ret)
++ return ret;
+
+ return regmap_update_bits(data->map, WCD_REG_VAL_CTL_OFFSET,
+ WCD_PIN_MASK(pin),
+--
+2.39.5
+
--- /dev/null
+From 84845b6b0c1be6736c3d2dfb4780b7a421b20a6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Jun 2025 22:45:01 -0700
+Subject: gve: Return error for unknown admin queue command
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit b11344f63fdd9e8c5121148a6965b41079071dd2 ]
+
+In gve_adminq_issue_cmd(), return -EINVAL instead of 0 when an unknown
+admin queue command opcode is encountered.
+
+This prevents the function from silently succeeding on invalid input
+and prevents undefined behavior by ensuring the function fails gracefully
+when an unrecognized opcode is provided.
+
+These changes improve error handling.
+
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Link: https://patch.msgid.link/20250616054504.1644770-2-alok.a.tiwari@oracle.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/google/gve/gve_adminq.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/google/gve/gve_adminq.c b/drivers/net/ethernet/google/gve/gve_adminq.c
+index 54d649e5ee65..872b169b920c 100644
+--- a/drivers/net/ethernet/google/gve/gve_adminq.c
++++ b/drivers/net/ethernet/google/gve/gve_adminq.c
+@@ -389,6 +389,7 @@ static int gve_adminq_issue_cmd(struct gve_priv *priv,
+ break;
+ default:
+ dev_err(&priv->pdev->dev, "unknown AQ command opcode %d\n", opcode);
++ return -EINVAL;
+ }
+
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From 7f650a910f380ab517becde2337f55d85235e54f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Apr 2025 17:12:11 -0700
+Subject: hfs: fix not erasing deleted b-tree node issue
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit d3ed6d6981f4756f145766753c872482bc3b28d3 ]
+
+The generic/001 test of xfstests suite fails and corrupts
+the HFS volume:
+
+sudo ./check generic/001
+FSTYP -- hfs
+PLATFORM -- Linux/x86_64 hfsplus-testing-0001 6.15.0-rc2+ #3 SMP PREEMPT_DYNAMIC Fri Apr 25 17:13:00 PDT 2>
+MKFS_OPTIONS -- /dev/loop51
+MOUNT_OPTIONS -- /dev/loop51 /mnt/scratch
+
+generic/001 32s ... _check_generic_filesystem: filesystem on /dev/loop50 is inconsistent
+(see /home/slavad/XFSTESTS-2/xfstests-dev/results//generic/001.full for details)
+
+Ran: generic/001
+Failures: generic/001
+Failed 1 of 1 tests
+
+fsck.hfs -d -n ./test-image.bin
+** ./test-image.bin (NO WRITE)
+ Using cacheBlockSize=32K cacheTotalBlock=1024 cacheSize=32768K.
+ Executing fsck_hfs (version 540.1-Linux).
+** Checking HFS volume.
+ The volume name is untitled
+** Checking extents overflow file.
+** Checking catalog file.
+ Unused node is not erased (node = 2)
+ Unused node is not erased (node = 4)
+<skipped>
+ Unused node is not erased (node = 253)
+ Unused node is not erased (node = 254)
+ Unused node is not erased (node = 255)
+ Unused node is not erased (node = 256)
+** Checking catalog hierarchy.
+** Checking volume bitmap.
+** Checking volume information.
+ Verify Status: VIStat = 0x0000, ABTStat = 0x0000 EBTStat = 0x0000
+ CBTStat = 0x0004 CatStat = 0x00000000
+** The volume untitled was found corrupt and needs to be repaired.
+ volume type is HFS
+ primary MDB is at block 2 0x02
+ alternate MDB is at block 20971518 0x13ffffe
+ primary VHB is at block 0 0x00
+ alternate VHB is at block 0 0x00
+ sector size = 512 0x200
+ VolumeObject flags = 0x19
+ total sectors for volume = 20971520 0x1400000
+ total sectors for embedded volume = 0 0x00
+
+This patch adds logic of clearing the deleted b-tree node.
+
+sudo ./check generic/001
+FSTYP -- hfs
+PLATFORM -- Linux/x86_64 hfsplus-testing-0001 6.15.0-rc2+ #3 SMP PREEMPT_DYNAMIC Fri Apr 25 17:13:00 PDT 2025
+MKFS_OPTIONS -- /dev/loop51
+MOUNT_OPTIONS -- /dev/loop51 /mnt/scratch
+
+generic/001 9s ... 32s
+Ran: generic/001
+Passed all 1 tests
+
+fsck.hfs -d -n ./test-image.bin
+** ./test-image.bin (NO WRITE)
+ Using cacheBlockSize=32K cacheTotalBlock=1024 cacheSize=32768K.
+ Executing fsck_hfs (version 540.1-Linux).
+** Checking HFS volume.
+ The volume name is untitled
+** Checking extents overflow file.
+** Checking catalog file.
+** Checking catalog hierarchy.
+** Checking volume bitmap.
+** Checking volume information.
+** The volume untitled appears to be OK.
+
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Link: https://lore.kernel.org/r/20250430001211.1912533-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/bnode.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/hfs/bnode.c b/fs/hfs/bnode.c
+index 2039cb6d5f66..219e3b8fd6a8 100644
+--- a/fs/hfs/bnode.c
++++ b/fs/hfs/bnode.c
+@@ -586,6 +586,7 @@ void hfs_bnode_put(struct hfs_bnode *node)
+ if (test_bit(HFS_BNODE_DELETED, &node->flags)) {
+ hfs_bnode_unhash(node);
+ spin_unlock(&tree->hash_lock);
++ hfs_bnode_clear(node, 0, tree->node_size);
+ hfs_bmap_free(node);
+ hfs_bnode_free(node);
+ return;
+--
+2.39.5
+
--- /dev/null
+From 0103c7b34dabf8d58d3780e5c43dad4023d0b2fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 14:49:12 -0700
+Subject: hfs: fix slab-out-of-bounds in hfs_bnode_read()
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit a431930c9bac518bf99d6b1da526a7f37ddee8d8 ]
+
+This patch introduces is_bnode_offset_valid() method that checks
+the requested offset value. Also, it introduces
+check_and_correct_requested_length() method that checks and
+correct the requested length (if it is necessary). These methods
+are used in hfs_bnode_read(), hfs_bnode_write(), hfs_bnode_clear(),
+hfs_bnode_copy(), and hfs_bnode_move() with the goal to prevent
+the access out of allocated memory and triggering the crash.
+
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Link: https://lore.kernel.org/r/20250703214912.244138-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/bnode.c | 92 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 92 insertions(+)
+
+diff --git a/fs/hfs/bnode.c b/fs/hfs/bnode.c
+index 2251286cd83f..2039cb6d5f66 100644
+--- a/fs/hfs/bnode.c
++++ b/fs/hfs/bnode.c
+@@ -15,6 +15,48 @@
+
+ #include "btree.h"
+
++static inline
++bool is_bnode_offset_valid(struct hfs_bnode *node, int off)
++{
++ bool is_valid = off < node->tree->node_size;
++
++ if (!is_valid) {
++ pr_err("requested invalid offset: "
++ "NODE: id %u, type %#x, height %u, "
++ "node_size %u, offset %d\n",
++ node->this, node->type, node->height,
++ node->tree->node_size, off);
++ }
++
++ return is_valid;
++}
++
++static inline
++int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len)
++{
++ unsigned int node_size;
++
++ if (!is_bnode_offset_valid(node, off))
++ return 0;
++
++ node_size = node->tree->node_size;
++
++ if ((off + len) > node_size) {
++ int new_len = (int)node_size - off;
++
++ pr_err("requested length has been corrected: "
++ "NODE: id %u, type %#x, height %u, "
++ "node_size %u, offset %d, "
++ "requested_len %d, corrected_len %d\n",
++ node->this, node->type, node->height,
++ node->tree->node_size, off, len, new_len);
++
++ return new_len;
++ }
++
++ return len;
++}
++
+ void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len)
+ {
+ struct page *page;
+@@ -23,6 +65,20 @@ void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len)
+ int bytes_to_read;
+ void *vaddr;
+
++ if (!is_bnode_offset_valid(node, off))
++ return;
++
++ if (len == 0) {
++ pr_err("requested zero length: "
++ "NODE: id %u, type %#x, height %u, "
++ "node_size %u, offset %d, len %d\n",
++ node->this, node->type, node->height,
++ node->tree->node_size, off, len);
++ return;
++ }
++
++ len = check_and_correct_requested_length(node, off, len);
++
+ off += node->page_offset;
+ pagenum = off >> PAGE_SHIFT;
+ off &= ~PAGE_MASK; /* compute page offset for the first page */
+@@ -83,6 +139,20 @@ void hfs_bnode_write(struct hfs_bnode *node, void *buf, int off, int len)
+ {
+ struct page *page;
+
++ if (!is_bnode_offset_valid(node, off))
++ return;
++
++ if (len == 0) {
++ pr_err("requested zero length: "
++ "NODE: id %u, type %#x, height %u, "
++ "node_size %u, offset %d, len %d\n",
++ node->this, node->type, node->height,
++ node->tree->node_size, off, len);
++ return;
++ }
++
++ len = check_and_correct_requested_length(node, off, len);
++
+ off += node->page_offset;
+ page = node->page[0];
+
+@@ -108,6 +178,20 @@ void hfs_bnode_clear(struct hfs_bnode *node, int off, int len)
+ {
+ struct page *page;
+
++ if (!is_bnode_offset_valid(node, off))
++ return;
++
++ if (len == 0) {
++ pr_err("requested zero length: "
++ "NODE: id %u, type %#x, height %u, "
++ "node_size %u, offset %d, len %d\n",
++ node->this, node->type, node->height,
++ node->tree->node_size, off, len);
++ return;
++ }
++
++ len = check_and_correct_requested_length(node, off, len);
++
+ off += node->page_offset;
+ page = node->page[0];
+
+@@ -124,6 +208,10 @@ void hfs_bnode_copy(struct hfs_bnode *dst_node, int dst,
+ hfs_dbg(BNODE_MOD, "copybytes: %u,%u,%u\n", dst, src, len);
+ if (!len)
+ return;
++
++ len = check_and_correct_requested_length(src_node, src, len);
++ len = check_and_correct_requested_length(dst_node, dst, len);
++
+ src += src_node->page_offset;
+ dst += dst_node->page_offset;
+ src_page = src_node->page[0];
+@@ -143,6 +231,10 @@ void hfs_bnode_move(struct hfs_bnode *node, int dst, int src, int len)
+ hfs_dbg(BNODE_MOD, "movebytes: %u,%u,%u\n", dst, src, len);
+ if (!len)
+ return;
++
++ len = check_and_correct_requested_length(node, src, len);
++ len = check_and_correct_requested_length(node, dst, len);
++
+ src += node->page_offset;
+ dst += node->page_offset;
+ page = node->page[0];
+--
+2.39.5
+
--- /dev/null
+From e32116b8842f22336dd0e58775467a0e60266e75 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jul 2025 14:17:56 +0900
+Subject: hfsplus: don't use BUG_ON() in hfsplus_create_attributes_file()
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+[ Upstream commit c7c6363ca186747ebc2df10c8a1a51e66e0e32d9 ]
+
+When the volume header contains erroneous values that do not reflect
+the actual state of the filesystem, hfsplus_fill_super() assumes that
+the attributes file is not yet created, which later results in hitting
+BUG_ON() when hfsplus_create_attributes_file() is called. Replace this
+BUG_ON() with -EIO error with a message to suggest running fsck tool.
+
+Reported-by: syzbot <syzbot+1107451c16b9eb9d29e6@syzkaller.appspotmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=1107451c16b9eb9d29e6
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Link: https://lore.kernel.org/r/7b587d24-c8a1-4413-9b9a-00a33fbd849f@I-love.SAKURA.ne.jp
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/xattr.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/fs/hfsplus/xattr.c b/fs/hfsplus/xattr.c
+index 71fb2f8e9117..7ad3071debd6 100644
+--- a/fs/hfsplus/xattr.c
++++ b/fs/hfsplus/xattr.c
+@@ -172,7 +172,11 @@ static int hfsplus_create_attributes_file(struct super_block *sb)
+ return PTR_ERR(attr_file);
+ }
+
+- BUG_ON(i_size_read(attr_file) != 0);
++ if (i_size_read(attr_file) != 0) {
++ err = -EIO;
++ pr_err("detected inconsistent attributes file, running fsck.hfsplus is recommended.\n");
++ goto end_attr_file_creation;
++ }
+
+ hip = HFSPLUS_I(attr_file);
+
+--
+2.39.5
+
--- /dev/null
+From 65d7337d147df43ec2a28ba59ea1fc0313b316ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 14:48:04 -0700
+Subject: hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read()
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit c80aa2aaaa5e69d5219c6af8ef7e754114bd08d2 ]
+
+The hfsplus_bnode_read() method can trigger the issue:
+
+[ 174.852007][ T9784] ==================================================================
+[ 174.852709][ T9784] BUG: KASAN: slab-out-of-bounds in hfsplus_bnode_read+0x2f4/0x360
+[ 174.853412][ T9784] Read of size 8 at addr ffff88810b5fc6c0 by task repro/9784
+[ 174.854059][ T9784]
+[ 174.854272][ T9784] CPU: 1 UID: 0 PID: 9784 Comm: repro Not tainted 6.16.0-rc3 #7 PREEMPT(full)
+[ 174.854281][ T9784] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 174.854286][ T9784] Call Trace:
+[ 174.854289][ T9784] <TASK>
+[ 174.854292][ T9784] dump_stack_lvl+0x10e/0x1f0
+[ 174.854305][ T9784] print_report+0xd0/0x660
+[ 174.854315][ T9784] ? __virt_addr_valid+0x81/0x610
+[ 174.854323][ T9784] ? __phys_addr+0xe8/0x180
+[ 174.854330][ T9784] ? hfsplus_bnode_read+0x2f4/0x360
+[ 174.854337][ T9784] kasan_report+0xc6/0x100
+[ 174.854346][ T9784] ? hfsplus_bnode_read+0x2f4/0x360
+[ 174.854354][ T9784] hfsplus_bnode_read+0x2f4/0x360
+[ 174.854362][ T9784] hfsplus_bnode_dump+0x2ec/0x380
+[ 174.854370][ T9784] ? __pfx_hfsplus_bnode_dump+0x10/0x10
+[ 174.854377][ T9784] ? hfsplus_bnode_write_u16+0x83/0xb0
+[ 174.854385][ T9784] ? srcu_gp_start+0xd0/0x310
+[ 174.854393][ T9784] ? __mark_inode_dirty+0x29e/0xe40
+[ 174.854402][ T9784] hfsplus_brec_remove+0x3d2/0x4e0
+[ 174.854411][ T9784] __hfsplus_delete_attr+0x290/0x3a0
+[ 174.854419][ T9784] ? __pfx_hfs_find_1st_rec_by_cnid+0x10/0x10
+[ 174.854427][ T9784] ? __pfx___hfsplus_delete_attr+0x10/0x10
+[ 174.854436][ T9784] ? __asan_memset+0x23/0x50
+[ 174.854450][ T9784] hfsplus_delete_all_attrs+0x262/0x320
+[ 174.854459][ T9784] ? __pfx_hfsplus_delete_all_attrs+0x10/0x10
+[ 174.854469][ T9784] ? rcu_is_watching+0x12/0xc0
+[ 174.854476][ T9784] ? __mark_inode_dirty+0x29e/0xe40
+[ 174.854483][ T9784] hfsplus_delete_cat+0x845/0xde0
+[ 174.854493][ T9784] ? __pfx_hfsplus_delete_cat+0x10/0x10
+[ 174.854507][ T9784] hfsplus_unlink+0x1ca/0x7c0
+[ 174.854516][ T9784] ? __pfx_hfsplus_unlink+0x10/0x10
+[ 174.854525][ T9784] ? down_write+0x148/0x200
+[ 174.854532][ T9784] ? __pfx_down_write+0x10/0x10
+[ 174.854540][ T9784] vfs_unlink+0x2fe/0x9b0
+[ 174.854549][ T9784] do_unlinkat+0x490/0x670
+[ 174.854557][ T9784] ? __pfx_do_unlinkat+0x10/0x10
+[ 174.854565][ T9784] ? __might_fault+0xbc/0x130
+[ 174.854576][ T9784] ? getname_flags.part.0+0x1c5/0x550
+[ 174.854584][ T9784] __x64_sys_unlink+0xc5/0x110
+[ 174.854592][ T9784] do_syscall_64+0xc9/0x480
+[ 174.854600][ T9784] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 174.854608][ T9784] RIP: 0033:0x7f6fdf4c3167
+[ 174.854614][ T9784] Code: f0 ff ff 73 01 c3 48 8b 0d 26 0d 0e 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 08
+[ 174.854622][ T9784] RSP: 002b:00007ffcb948bca8 EFLAGS: 00000206 ORIG_RAX: 0000000000000057
+[ 174.854630][ T9784] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f6fdf4c3167
+[ 174.854636][ T9784] RDX: 00007ffcb948bcc0 RSI: 00007ffcb948bcc0 RDI: 00007ffcb948bd50
+[ 174.854641][ T9784] RBP: 00007ffcb948cd90 R08: 0000000000000001 R09: 00007ffcb948bb40
+[ 174.854645][ T9784] R10: 00007f6fdf564fc0 R11: 0000000000000206 R12: 0000561e1bc9c2d0
+[ 174.854650][ T9784] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+[ 174.854658][ T9784] </TASK>
+[ 174.854661][ T9784]
+[ 174.879281][ T9784] Allocated by task 9784:
+[ 174.879664][ T9784] kasan_save_stack+0x20/0x40
+[ 174.880082][ T9784] kasan_save_track+0x14/0x30
+[ 174.880500][ T9784] __kasan_kmalloc+0xaa/0xb0
+[ 174.880908][ T9784] __kmalloc_noprof+0x205/0x550
+[ 174.881337][ T9784] __hfs_bnode_create+0x107/0x890
+[ 174.881779][ T9784] hfsplus_bnode_find+0x2d0/0xd10
+[ 174.882222][ T9784] hfsplus_brec_find+0x2b0/0x520
+[ 174.882659][ T9784] hfsplus_delete_all_attrs+0x23b/0x320
+[ 174.883144][ T9784] hfsplus_delete_cat+0x845/0xde0
+[ 174.883595][ T9784] hfsplus_rmdir+0x106/0x1b0
+[ 174.884004][ T9784] vfs_rmdir+0x206/0x690
+[ 174.884379][ T9784] do_rmdir+0x2b7/0x390
+[ 174.884751][ T9784] __x64_sys_rmdir+0xc5/0x110
+[ 174.885167][ T9784] do_syscall_64+0xc9/0x480
+[ 174.885568][ T9784] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 174.886083][ T9784]
+[ 174.886293][ T9784] The buggy address belongs to the object at ffff88810b5fc600
+[ 174.886293][ T9784] which belongs to the cache kmalloc-192 of size 192
+[ 174.887507][ T9784] The buggy address is located 40 bytes to the right of
+[ 174.887507][ T9784] allocated 152-byte region [ffff88810b5fc600, ffff88810b5fc698)
+[ 174.888766][ T9784]
+[ 174.888976][ T9784] The buggy address belongs to the physical page:
+[ 174.889533][ T9784] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10b5fc
+[ 174.890295][ T9784] flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff)
+[ 174.890927][ T9784] page_type: f5(slab)
+[ 174.891284][ T9784] raw: 057ff00000000000 ffff88801b4423c0 ffffea000426dc80 dead000000000002
+[ 174.892032][ T9784] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
+[ 174.892774][ T9784] page dumped because: kasan: bad access detected
+[ 174.893327][ T9784] page_owner tracks the page as allocated
+[ 174.893825][ T9784] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52c00(GFP_NOIO|__GFP_NOWARN|__GFP_NO1
+[ 174.895373][ T9784] post_alloc_hook+0x1c0/0x230
+[ 174.895801][ T9784] get_page_from_freelist+0xdeb/0x3b30
+[ 174.896284][ T9784] __alloc_frozen_pages_noprof+0x25c/0x2460
+[ 174.896810][ T9784] alloc_pages_mpol+0x1fb/0x550
+[ 174.897242][ T9784] new_slab+0x23b/0x340
+[ 174.897614][ T9784] ___slab_alloc+0xd81/0x1960
+[ 174.898028][ T9784] __slab_alloc.isra.0+0x56/0xb0
+[ 174.898468][ T9784] __kmalloc_noprof+0x2b0/0x550
+[ 174.898896][ T9784] usb_alloc_urb+0x73/0xa0
+[ 174.899289][ T9784] usb_control_msg+0x1cb/0x4a0
+[ 174.899718][ T9784] usb_get_string+0xab/0x1a0
+[ 174.900133][ T9784] usb_string_sub+0x107/0x3c0
+[ 174.900549][ T9784] usb_string+0x307/0x670
+[ 174.900933][ T9784] usb_cache_string+0x80/0x150
+[ 174.901355][ T9784] usb_new_device+0x1d0/0x19d0
+[ 174.901786][ T9784] register_root_hub+0x299/0x730
+[ 174.902231][ T9784] page last free pid 10 tgid 10 stack trace:
+[ 174.902757][ T9784] __free_frozen_pages+0x80c/0x1250
+[ 174.903217][ T9784] vfree.part.0+0x12b/0xab0
+[ 174.903645][ T9784] delayed_vfree_work+0x93/0xd0
+[ 174.904073][ T9784] process_one_work+0x9b5/0x1b80
+[ 174.904519][ T9784] worker_thread+0x630/0xe60
+[ 174.904927][ T9784] kthread+0x3a8/0x770
+[ 174.905291][ T9784] ret_from_fork+0x517/0x6e0
+[ 174.905709][ T9784] ret_from_fork_asm+0x1a/0x30
+[ 174.906128][ T9784]
+[ 174.906338][ T9784] Memory state around the buggy address:
+[ 174.906828][ T9784] ffff88810b5fc580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+[ 174.907528][ T9784] ffff88810b5fc600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 174.908222][ T9784] >ffff88810b5fc680: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 174.908917][ T9784] ^
+[ 174.909481][ T9784] ffff88810b5fc700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 174.910432][ T9784] ffff88810b5fc780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+[ 174.911401][ T9784] ==================================================================
+
+The reason of the issue that code doesn't check the correctness
+of the requested offset and length. As a result, incorrect value
+of offset or/and length could result in access out of allocated
+memory.
+
+This patch introduces is_bnode_offset_valid() method that checks
+the requested offset value. Also, it introduces
+check_and_correct_requested_length() method that checks and
+correct the requested length (if it is necessary). These methods
+are used in hfsplus_bnode_read(), hfsplus_bnode_write(),
+hfsplus_bnode_clear(), hfsplus_bnode_copy(), and hfsplus_bnode_move()
+with the goal to prevent the access out of allocated memory
+and triggering the crash.
+
+Reported-by: Kun Hu <huk23@m.fudan.edu.cn>
+Reported-by: Jiaji Qin <jjtan24@m.fudan.edu.cn>
+Reported-by: Shuoran Bai <baishuoran@hrbeu.edu.cn>
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Link: https://lore.kernel.org/r/20250703214804.244077-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/bnode.c | 92 ++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 92 insertions(+)
+
+diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c
+index cf6e5de7b9da..c9c38fddf505 100644
+--- a/fs/hfsplus/bnode.c
++++ b/fs/hfsplus/bnode.c
+@@ -18,12 +18,68 @@
+ #include "hfsplus_fs.h"
+ #include "hfsplus_raw.h"
+
++static inline
++bool is_bnode_offset_valid(struct hfs_bnode *node, int off)
++{
++ bool is_valid = off < node->tree->node_size;
++
++ if (!is_valid) {
++ pr_err("requested invalid offset: "
++ "NODE: id %u, type %#x, height %u, "
++ "node_size %u, offset %d\n",
++ node->this, node->type, node->height,
++ node->tree->node_size, off);
++ }
++
++ return is_valid;
++}
++
++static inline
++int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len)
++{
++ unsigned int node_size;
++
++ if (!is_bnode_offset_valid(node, off))
++ return 0;
++
++ node_size = node->tree->node_size;
++
++ if ((off + len) > node_size) {
++ int new_len = (int)node_size - off;
++
++ pr_err("requested length has been corrected: "
++ "NODE: id %u, type %#x, height %u, "
++ "node_size %u, offset %d, "
++ "requested_len %d, corrected_len %d\n",
++ node->this, node->type, node->height,
++ node->tree->node_size, off, len, new_len);
++
++ return new_len;
++ }
++
++ return len;
++}
++
+ /* Copy a specified range of bytes from the raw data of a node */
+ void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len)
+ {
+ struct page **pagep;
+ int l;
+
++ if (!is_bnode_offset_valid(node, off))
++ return;
++
++ if (len == 0) {
++ pr_err("requested zero length: "
++ "NODE: id %u, type %#x, height %u, "
++ "node_size %u, offset %d, len %d\n",
++ node->this, node->type, node->height,
++ node->tree->node_size, off, len);
++ return;
++ }
++
++ len = check_and_correct_requested_length(node, off, len);
++
+ off += node->page_offset;
+ pagep = node->page + (off >> PAGE_SHIFT);
+ off &= ~PAGE_MASK;
+@@ -83,6 +139,20 @@ void hfs_bnode_write(struct hfs_bnode *node, void *buf, int off, int len)
+ struct page **pagep;
+ int l;
+
++ if (!is_bnode_offset_valid(node, off))
++ return;
++
++ if (len == 0) {
++ pr_err("requested zero length: "
++ "NODE: id %u, type %#x, height %u, "
++ "node_size %u, offset %d, len %d\n",
++ node->this, node->type, node->height,
++ node->tree->node_size, off, len);
++ return;
++ }
++
++ len = check_and_correct_requested_length(node, off, len);
++
+ off += node->page_offset;
+ pagep = node->page + (off >> PAGE_SHIFT);
+ off &= ~PAGE_MASK;
+@@ -113,6 +183,20 @@ void hfs_bnode_clear(struct hfs_bnode *node, int off, int len)
+ struct page **pagep;
+ int l;
+
++ if (!is_bnode_offset_valid(node, off))
++ return;
++
++ if (len == 0) {
++ pr_err("requested zero length: "
++ "NODE: id %u, type %#x, height %u, "
++ "node_size %u, offset %d, len %d\n",
++ node->this, node->type, node->height,
++ node->tree->node_size, off, len);
++ return;
++ }
++
++ len = check_and_correct_requested_length(node, off, len);
++
+ off += node->page_offset;
+ pagep = node->page + (off >> PAGE_SHIFT);
+ off &= ~PAGE_MASK;
+@@ -139,6 +223,10 @@ void hfs_bnode_copy(struct hfs_bnode *dst_node, int dst,
+ hfs_dbg(BNODE_MOD, "copybytes: %u,%u,%u\n", dst, src, len);
+ if (!len)
+ return;
++
++ len = check_and_correct_requested_length(src_node, src, len);
++ len = check_and_correct_requested_length(dst_node, dst, len);
++
+ src += src_node->page_offset;
+ dst += dst_node->page_offset;
+ src_page = src_node->page + (src >> PAGE_SHIFT);
+@@ -196,6 +284,10 @@ void hfs_bnode_move(struct hfs_bnode *node, int dst, int src, int len)
+ hfs_dbg(BNODE_MOD, "movebytes: %u,%u,%u\n", dst, src, len);
+ if (!len)
+ return;
++
++ len = check_and_correct_requested_length(node, src, len);
++ len = check_and_correct_requested_length(node, dst, len);
++
+ src += node->page_offset;
+ dst += node->page_offset;
+ if (dst > src) {
+--
+2.39.5
+
--- /dev/null
+From 800a97e0495f9fa9388963ca49d88819bd5584b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 16:08:30 -0700
+Subject: hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit 94458781aee6045bd3d0ad4b80b02886b9e2219b ]
+
+The hfsplus_readdir() method is capable to crash by calling
+hfsplus_uni2asc():
+
+[ 667.121659][ T9805] ==================================================================
+[ 667.122651][ T9805] BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x902/0xa10
+[ 667.123627][ T9805] Read of size 2 at addr ffff88802592f40c by task repro/9805
+[ 667.124578][ T9805]
+[ 667.124876][ T9805] CPU: 3 UID: 0 PID: 9805 Comm: repro Not tainted 6.16.0-rc3 #1 PREEMPT(full)
+[ 667.124886][ T9805] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 667.124890][ T9805] Call Trace:
+[ 667.124893][ T9805] <TASK>
+[ 667.124896][ T9805] dump_stack_lvl+0x10e/0x1f0
+[ 667.124911][ T9805] print_report+0xd0/0x660
+[ 667.124920][ T9805] ? __virt_addr_valid+0x81/0x610
+[ 667.124928][ T9805] ? __phys_addr+0xe8/0x180
+[ 667.124934][ T9805] ? hfsplus_uni2asc+0x902/0xa10
+[ 667.124942][ T9805] kasan_report+0xc6/0x100
+[ 667.124950][ T9805] ? hfsplus_uni2asc+0x902/0xa10
+[ 667.124959][ T9805] hfsplus_uni2asc+0x902/0xa10
+[ 667.124966][ T9805] ? hfsplus_bnode_read+0x14b/0x360
+[ 667.124974][ T9805] hfsplus_readdir+0x845/0xfc0
+[ 667.124984][ T9805] ? __pfx_hfsplus_readdir+0x10/0x10
+[ 667.124994][ T9805] ? stack_trace_save+0x8e/0xc0
+[ 667.125008][ T9805] ? iterate_dir+0x18b/0xb20
+[ 667.125015][ T9805] ? trace_lock_acquire+0x85/0xd0
+[ 667.125022][ T9805] ? lock_acquire+0x30/0x80
+[ 667.125029][ T9805] ? iterate_dir+0x18b/0xb20
+[ 667.125037][ T9805] ? down_read_killable+0x1ed/0x4c0
+[ 667.125044][ T9805] ? putname+0x154/0x1a0
+[ 667.125051][ T9805] ? __pfx_down_read_killable+0x10/0x10
+[ 667.125058][ T9805] ? apparmor_file_permission+0x239/0x3e0
+[ 667.125069][ T9805] iterate_dir+0x296/0xb20
+[ 667.125076][ T9805] __x64_sys_getdents64+0x13c/0x2c0
+[ 667.125084][ T9805] ? __pfx___x64_sys_getdents64+0x10/0x10
+[ 667.125091][ T9805] ? __x64_sys_openat+0x141/0x200
+[ 667.125126][ T9805] ? __pfx_filldir64+0x10/0x10
+[ 667.125134][ T9805] ? do_user_addr_fault+0x7fe/0x12f0
+[ 667.125143][ T9805] do_syscall_64+0xc9/0x480
+[ 667.125151][ T9805] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 667.125158][ T9805] RIP: 0033:0x7fa8753b2fc9
+[ 667.125164][ T9805] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48
+[ 667.125172][ T9805] RSP: 002b:00007ffe96f8e0f8 EFLAGS: 00000217 ORIG_RAX: 00000000000000d9
+[ 667.125181][ T9805] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa8753b2fc9
+[ 667.125185][ T9805] RDX: 0000000000000400 RSI: 00002000000063c0 RDI: 0000000000000004
+[ 667.125190][ T9805] RBP: 00007ffe96f8e110 R08: 00007ffe96f8e110 R09: 00007ffe96f8e110
+[ 667.125195][ T9805] R10: 0000000000000000 R11: 0000000000000217 R12: 0000556b1e3b4260
+[ 667.125199][ T9805] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+[ 667.125207][ T9805] </TASK>
+[ 667.125210][ T9805]
+[ 667.145632][ T9805] Allocated by task 9805:
+[ 667.145991][ T9805] kasan_save_stack+0x20/0x40
+[ 667.146352][ T9805] kasan_save_track+0x14/0x30
+[ 667.146717][ T9805] __kasan_kmalloc+0xaa/0xb0
+[ 667.147065][ T9805] __kmalloc_noprof+0x205/0x550
+[ 667.147448][ T9805] hfsplus_find_init+0x95/0x1f0
+[ 667.147813][ T9805] hfsplus_readdir+0x220/0xfc0
+[ 667.148174][ T9805] iterate_dir+0x296/0xb20
+[ 667.148549][ T9805] __x64_sys_getdents64+0x13c/0x2c0
+[ 667.148937][ T9805] do_syscall_64+0xc9/0x480
+[ 667.149291][ T9805] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 667.149809][ T9805]
+[ 667.150030][ T9805] The buggy address belongs to the object at ffff88802592f000
+[ 667.150030][ T9805] which belongs to the cache kmalloc-2k of size 2048
+[ 667.151282][ T9805] The buggy address is located 0 bytes to the right of
+[ 667.151282][ T9805] allocated 1036-byte region [ffff88802592f000, ffff88802592f40c)
+[ 667.152580][ T9805]
+[ 667.152798][ T9805] The buggy address belongs to the physical page:
+[ 667.153373][ T9805] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x25928
+[ 667.154157][ T9805] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
+[ 667.154916][ T9805] anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
+[ 667.155631][ T9805] page_type: f5(slab)
+[ 667.155997][ T9805] raw: 00fff00000000040 ffff88801b442f00 0000000000000000 dead000000000001
+[ 667.156770][ T9805] raw: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000
+[ 667.157536][ T9805] head: 00fff00000000040 ffff88801b442f00 0000000000000000 dead000000000001
+[ 667.158317][ T9805] head: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000
+[ 667.159088][ T9805] head: 00fff00000000003 ffffea0000964a01 00000000ffffffff 00000000ffffffff
+[ 667.159865][ T9805] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
+[ 667.160643][ T9805] page dumped because: kasan: bad access detected
+[ 667.161216][ T9805] page_owner tracks the page as allocated
+[ 667.161732][ T9805] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN9
+[ 667.163566][ T9805] post_alloc_hook+0x1c0/0x230
+[ 667.164003][ T9805] get_page_from_freelist+0xdeb/0x3b30
+[ 667.164503][ T9805] __alloc_frozen_pages_noprof+0x25c/0x2460
+[ 667.165040][ T9805] alloc_pages_mpol+0x1fb/0x550
+[ 667.165489][ T9805] new_slab+0x23b/0x340
+[ 667.165872][ T9805] ___slab_alloc+0xd81/0x1960
+[ 667.166313][ T9805] __slab_alloc.isra.0+0x56/0xb0
+[ 667.166767][ T9805] __kmalloc_cache_noprof+0x255/0x3e0
+[ 667.167255][ T9805] psi_cgroup_alloc+0x52/0x2d0
+[ 667.167693][ T9805] cgroup_mkdir+0x694/0x1210
+[ 667.168118][ T9805] kernfs_iop_mkdir+0x111/0x190
+[ 667.168568][ T9805] vfs_mkdir+0x59b/0x8d0
+[ 667.168956][ T9805] do_mkdirat+0x2ed/0x3d0
+[ 667.169353][ T9805] __x64_sys_mkdir+0xef/0x140
+[ 667.169784][ T9805] do_syscall_64+0xc9/0x480
+[ 667.170195][ T9805] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 667.170730][ T9805] page last free pid 1257 tgid 1257 stack trace:
+[ 667.171304][ T9805] __free_frozen_pages+0x80c/0x1250
+[ 667.171770][ T9805] vfree.part.0+0x12b/0xab0
+[ 667.172182][ T9805] delayed_vfree_work+0x93/0xd0
+[ 667.172612][ T9805] process_one_work+0x9b5/0x1b80
+[ 667.173067][ T9805] worker_thread+0x630/0xe60
+[ 667.173486][ T9805] kthread+0x3a8/0x770
+[ 667.173857][ T9805] ret_from_fork+0x517/0x6e0
+[ 667.174278][ T9805] ret_from_fork_asm+0x1a/0x30
+[ 667.174703][ T9805]
+[ 667.174917][ T9805] Memory state around the buggy address:
+[ 667.175411][ T9805] ffff88802592f300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 667.176114][ T9805] ffff88802592f380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 667.176830][ T9805] >ffff88802592f400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 667.177547][ T9805] ^
+[ 667.177933][ T9805] ffff88802592f480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 667.178640][ T9805] ffff88802592f500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 667.179350][ T9805] ==================================================================
+
+The hfsplus_uni2asc() method operates by struct hfsplus_unistr:
+
+struct hfsplus_unistr {
+ __be16 length;
+ hfsplus_unichr unicode[HFSPLUS_MAX_STRLEN];
+} __packed;
+
+where HFSPLUS_MAX_STRLEN is 255 bytes. The issue happens if length
+of the structure instance has value bigger than 255 (for example,
+65283). In such case, pointer on unicode buffer is going beyond of
+the allocated memory.
+
+The patch fixes the issue by checking the length value of
+hfsplus_unistr instance and using 255 value in the case if length
+value is bigger than HFSPLUS_MAX_STRLEN. Potential reason of such
+situation could be a corruption of Catalog File b-tree's node.
+
+Reported-by: Wenzhi Wang <wenzhi.wang@uwaterloo.ca>
+Signed-off-by: Liu Shixin <liushixin2@huawei.com>
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+cc: Yangtao Li <frank.li@vivo.com>
+cc: linux-fsdevel@vger.kernel.org
+Reviewed-by: Yangtao Li <frank.li@vivo.com>
+Link: https://lore.kernel.org/r/20250710230830.110500-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/unicode.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/fs/hfsplus/unicode.c b/fs/hfsplus/unicode.c
+index 73342c925a4b..36b6cf2a3abb 100644
+--- a/fs/hfsplus/unicode.c
++++ b/fs/hfsplus/unicode.c
+@@ -132,7 +132,14 @@ int hfsplus_uni2asc(struct super_block *sb,
+
+ op = astr;
+ ip = ustr->unicode;
++
+ ustrlen = be16_to_cpu(ustr->length);
++ if (ustrlen > HFSPLUS_MAX_STRLEN) {
++ ustrlen = HFSPLUS_MAX_STRLEN;
++ pr_err("invalid length %u has been corrected to %d\n",
++ be16_to_cpu(ustr->length), ustrlen);
++ }
++
+ len = *len_p;
+ ce1 = NULL;
+ compose = !test_bit(HFSPLUS_SB_NODECOMPOSE, &HFSPLUS_SB(sb)->flags);
+--
+2.39.5
+
--- /dev/null
+From 8847fa69e0d9f751d44362fccc1b16221d16b9f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 3 Aug 2025 07:15:54 +0800
+Subject: i2c: Force DLL0945 touchpad i2c freq to 100khz
+
+From: fangzhong.zhou <myth5@myth5.com>
+
+[ Upstream commit 0b7c9528facdb5a73ad78fea86d2e95a6c48dbc4 ]
+
+This patch fixes an issue where the touchpad cursor movement becomes
+slow on the Dell Precision 5560. Force the touchpad freq to 100khz
+as a workaround.
+
+Tested on Dell Precision 5560 with 6.14 to 6.14.6. Cursor movement
+is now smooth and responsive.
+
+Signed-off-by: fangzhong.zhou <myth5@myth5.com>
+[wsa: kept sorting and removed unnecessary parts from commit msg]
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/i2c-core-acpi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/i2c/i2c-core-acpi.c b/drivers/i2c/i2c-core-acpi.c
+index 8b06f5d4a4c3..3fabf4b1f6fd 100644
+--- a/drivers/i2c/i2c-core-acpi.c
++++ b/drivers/i2c/i2c-core-acpi.c
+@@ -342,6 +342,7 @@ static const struct acpi_device_id i2c_acpi_force_100khz_device_ids[] = {
+ * the device works without issues on Windows at what is expected to be
+ * a 400KHz frequency. The root cause of the issue is not known.
+ */
++ { "DLL0945", 0 },
+ { "ELAN06FA", 0 },
+ {}
+ };
+--
+2.39.5
+
--- /dev/null
+From fbc02f2b086d57a61106e47a2488275877120b1a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 14:00:47 +0200
+Subject: i3c: add missing include to internal header
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit 3b661ca549b9e5bb11d0bc97ada6110aac3282d2 ]
+
+LKP found a random config which failed to build because IO accessors
+were not defined:
+
+ In file included from drivers/i3c/master.c:21:
+ drivers/i3c/internals.h: In function 'i3c_writel_fifo':
+>> drivers/i3c/internals.h:35:9: error: implicit declaration of function 'writesl' [-Werror=implicit-function-declaration]
+
+Add the proper header to where the IO accessors are used.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202507150208.BZDzzJ5E-lkp@intel.com/
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Link: https://lore.kernel.org/r/20250717120046.9022-2-wsa+renesas@sang-engineering.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i3c/internals.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/i3c/internals.h b/drivers/i3c/internals.h
+index 86b7b44cfca2..1906c711f38a 100644
+--- a/drivers/i3c/internals.h
++++ b/drivers/i3c/internals.h
+@@ -9,6 +9,7 @@
+ #define I3C_INTERNALS_H
+
+ #include <linux/i3c/master.h>
++#include <linux/io.h>
+
+ extern struct bus_type i3c_bus_type;
+
+--
+2.39.5
+
--- /dev/null
+From c1630d3d8facdf9443a3632a1ece1d3776a57211 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jul 2025 22:44:32 +0200
+Subject: i3c: don't fail if GETHDRCAP is unsupported
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit 447270cdb41b1c8c3621bb14b93a6749f942556e ]
+
+'I3C_BCR_HDR_CAP' is still spec v1.0 and has been renamed to 'advanced
+capabilities' in v1.1 onwards. The ST pressure sensor LPS22DF does not
+have HDR, but has the 'advanced cap' bit set. The core still wants to
+get additional information using the CCC 'GETHDRCAP' (or GETCAPS in v1.1
+onwards). Not all controllers support this CCC and will notify the upper
+layers about it. For instantiating the device, we can ignore this
+unsupported CCC as standard communication will work. Without this patch,
+the device will not be instantiated at all.
+
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Link: https://lore.kernel.org/r/20250704204524.6124-1-wsa+renesas@sang-engineering.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i3c/master.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c
+index ea6556f91302..717b337f9e22 100644
+--- a/drivers/i3c/master.c
++++ b/drivers/i3c/master.c
+@@ -1262,7 +1262,7 @@ static int i3c_master_retrieve_dev_info(struct i3c_dev_desc *dev)
+
+ if (dev->info.bcr & I3C_BCR_HDR_CAP) {
+ ret = i3c_master_gethdrcap_locked(master, &dev->info);
+- if (ret)
++ if (ret && ret != -ENOTSUPP)
+ return ret;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 70b93508a34833f398cbfb8cd491f57ac4720ecf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Jun 2025 16:35:21 -0300
+Subject: iio: adc: ad7768-1: Ensure SYNC_IN pulse minimum timing requirement
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonathan Santos <Jonathan.Santos@analog.com>
+
+[ Upstream commit 7e54d932873d91a55d1b89b7389876d78aeeab32 ]
+
+The SYNC_IN pulse width must be at least 1.5 x Tmclk, corresponding to
+~2.5 µs at the lowest supported MCLK frequency. Add a 3 µs delay to
+ensure reliable synchronization timing even for the worst-case scenario.
+
+Signed-off-by: Jonathan Santos <Jonathan.Santos@analog.com>
+Reviewed-by: David Lechner <dlechner@baylibre.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://patch.msgid.link/d3ee92a533cd1207cf5c5cc4d7bdbb5c6c267f68.1749063024.git.Jonathan.Santos@analog.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/ad7768-1.c | 23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/iio/adc/ad7768-1.c b/drivers/iio/adc/ad7768-1.c
+index e240fac8b6b3..c518aeb35c70 100644
+--- a/drivers/iio/adc/ad7768-1.c
++++ b/drivers/iio/adc/ad7768-1.c
+@@ -203,6 +203,24 @@ static int ad7768_spi_reg_write(struct ad7768_state *st,
+ return spi_write(st->spi, st->data.d8, 2);
+ }
+
++static int ad7768_send_sync_pulse(struct ad7768_state *st)
++{
++ /*
++ * The datasheet specifies a minimum SYNC_IN pulse width of 1.5 × Tmclk,
++ * where Tmclk is the MCLK period. The supported MCLK frequencies range
++ * from 0.6 MHz to 17 MHz, which corresponds to a minimum SYNC_IN pulse
++ * width of approximately 2.5 µs in the worst-case scenario (0.6 MHz).
++ *
++ * Add a delay to ensure the pulse width is always sufficient to
++ * trigger synchronization.
++ */
++ gpiod_set_value_cansleep(st->gpio_sync_in, 1);
++ fsleep(3);
++ gpiod_set_value_cansleep(st->gpio_sync_in, 0);
++
++ return 0;
++}
++
+ static int ad7768_set_mode(struct ad7768_state *st,
+ enum ad7768_conv_mode mode)
+ {
+@@ -288,10 +306,7 @@ static int ad7768_set_dig_fil(struct ad7768_state *st,
+ return ret;
+
+ /* A sync-in pulse is required every time the filter dec rate changes */
+- gpiod_set_value(st->gpio_sync_in, 1);
+- gpiod_set_value(st->gpio_sync_in, 0);
+-
+- return 0;
++ return ad7768_send_sync_pulse(st);
+ }
+
+ static int ad7768_set_freq(struct ad7768_state *st,
+--
+2.39.5
+
--- /dev/null
+From 84cecfa32db51f94e9ac3c0bd58bf854dcb002b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Jun 2025 19:06:26 -0500
+Subject: ipmi: Fix strcpy source and destination the same
+
+From: Corey Minyard <corey@minyard.net>
+
+[ Upstream commit 8ffcb7560b4a15faf821df95e3ab532b2b020f8c ]
+
+The source and destination of some strcpy operations was the same.
+Split out the part of the operations that needed to be done for those
+particular calls so the unnecessary copy wasn't done.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202506140756.EFXXvIP4-lkp@intel.com/
+Signed-off-by: Corey Minyard <corey@minyard.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/ipmi/ipmi_watchdog.c | 59 ++++++++++++++++++++++---------
+ 1 file changed, 42 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/char/ipmi/ipmi_watchdog.c b/drivers/char/ipmi/ipmi_watchdog.c
+index 883b4a341012..56be20f7485b 100644
+--- a/drivers/char/ipmi/ipmi_watchdog.c
++++ b/drivers/char/ipmi/ipmi_watchdog.c
+@@ -1198,14 +1198,8 @@ static struct ipmi_smi_watcher smi_watcher = {
+ .smi_gone = ipmi_smi_gone
+ };
+
+-static int action_op(const char *inval, char *outval)
++static int action_op_set_val(const char *inval)
+ {
+- if (outval)
+- strcpy(outval, action);
+-
+- if (!inval)
+- return 0;
+-
+ if (strcmp(inval, "reset") == 0)
+ action_val = WDOG_TIMEOUT_RESET;
+ else if (strcmp(inval, "none") == 0)
+@@ -1216,18 +1210,26 @@ static int action_op(const char *inval, char *outval)
+ action_val = WDOG_TIMEOUT_POWER_DOWN;
+ else
+ return -EINVAL;
+- strcpy(action, inval);
+ return 0;
+ }
+
+-static int preaction_op(const char *inval, char *outval)
++static int action_op(const char *inval, char *outval)
+ {
++ int rv;
++
+ if (outval)
+- strcpy(outval, preaction);
++ strcpy(outval, action);
+
+ if (!inval)
+ return 0;
++ rv = action_op_set_val(inval);
++ if (!rv)
++ strcpy(action, inval);
++ return rv;
++}
+
++static int preaction_op_set_val(const char *inval)
++{
+ if (strcmp(inval, "pre_none") == 0)
+ preaction_val = WDOG_PRETIMEOUT_NONE;
+ else if (strcmp(inval, "pre_smi") == 0)
+@@ -1240,18 +1242,26 @@ static int preaction_op(const char *inval, char *outval)
+ preaction_val = WDOG_PRETIMEOUT_MSG_INT;
+ else
+ return -EINVAL;
+- strcpy(preaction, inval);
+ return 0;
+ }
+
+-static int preop_op(const char *inval, char *outval)
++static int preaction_op(const char *inval, char *outval)
+ {
++ int rv;
++
+ if (outval)
+- strcpy(outval, preop);
++ strcpy(outval, preaction);
+
+ if (!inval)
+ return 0;
++ rv = preaction_op_set_val(inval);
++ if (!rv)
++ strcpy(preaction, inval);
++ return 0;
++}
+
++static int preop_op_set_val(const char *inval)
++{
+ if (strcmp(inval, "preop_none") == 0)
+ preop_val = WDOG_PREOP_NONE;
+ else if (strcmp(inval, "preop_panic") == 0)
+@@ -1260,7 +1270,22 @@ static int preop_op(const char *inval, char *outval)
+ preop_val = WDOG_PREOP_GIVE_DATA;
+ else
+ return -EINVAL;
+- strcpy(preop, inval);
++ return 0;
++}
++
++static int preop_op(const char *inval, char *outval)
++{
++ int rv;
++
++ if (outval)
++ strcpy(outval, preop);
++
++ if (!inval)
++ return 0;
++
++ rv = preop_op_set_val(inval);
++ if (!rv)
++ strcpy(preop, inval);
+ return 0;
+ }
+
+@@ -1297,18 +1322,18 @@ static int __init ipmi_wdog_init(void)
+ {
+ int rv;
+
+- if (action_op(action, NULL)) {
++ if (action_op_set_val(action)) {
+ action_op("reset", NULL);
+ pr_info("Unknown action '%s', defaulting to reset\n", action);
+ }
+
+- if (preaction_op(preaction, NULL)) {
++ if (preaction_op_set_val(preaction)) {
+ preaction_op("pre_none", NULL);
+ pr_info("Unknown preaction '%s', defaulting to none\n",
+ preaction);
+ }
+
+- if (preop_op(preop, NULL)) {
++ if (preop_op_set_val(preop)) {
+ preop_op("preop_none", NULL);
+ pr_info("Unknown preop '%s', defaulting to none\n", preop);
+ }
+--
+2.39.5
+
--- /dev/null
+From 1a8efc7d287866594d1306d981f1c6f994fc04fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 05:57:26 -0700
+Subject: ipmi: Use dev_warn_ratelimited() for incorrect message warnings
+
+From: Breno Leitao <leitao@debian.org>
+
+[ Upstream commit ec50ec378e3fd83bde9b3d622ceac3509a60b6b5 ]
+
+During BMC firmware upgrades on live systems, the ipmi_msghandler
+generates excessive "BMC returned incorrect response" warnings
+while the BMC is temporarily offline. This can flood system logs
+in large deployments.
+
+Replace dev_warn() with dev_warn_ratelimited() to throttle these
+warnings and prevent log spam during BMC maintenance operations.
+
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Message-ID: <20250710-ipmi_ratelimit-v1-1-6d417015ebe9@debian.org>
+Signed-off-by: Corey Minyard <corey@minyard.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/ipmi/ipmi_msghandler.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c
+index 15c211c5d6f4..af563ee827aa 100644
+--- a/drivers/char/ipmi/ipmi_msghandler.c
++++ b/drivers/char/ipmi/ipmi_msghandler.c
+@@ -4294,10 +4294,10 @@ static int handle_one_recv_msg(struct ipmi_smi *intf,
+ * The NetFN and Command in the response is not even
+ * marginally correct.
+ */
+- dev_warn(intf->si_dev,
+- "BMC returned incorrect response, expected netfn %x cmd %x, got netfn %x cmd %x\n",
+- (msg->data[0] >> 2) | 1, msg->data[1],
+- msg->rsp[0] >> 2, msg->rsp[1]);
++ dev_warn_ratelimited(intf->si_dev,
++ "BMC returned incorrect response, expected netfn %x cmd %x, got netfn %x cmd %x\n",
++ (msg->data[0] >> 2) | 1, msg->data[1],
++ msg->rsp[0] >> 2, msg->rsp[1]);
+
+ /* Generate an error response for the message. */
+ msg->rsp[0] = msg->data[0] | (1 << 2);
+--
+2.39.5
+
--- /dev/null
+From 97d5e3ce41d9dd82265e97c6192d97e3a5fed331 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 16:01:20 -0700
+Subject: ipv6: mcast: Check inet6_dev->dead under idev->mc_lock in
+ __ipv6_dev_mc_inc().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit dbd40f318cf2f59759bd170c401adc20ba360a3e ]
+
+Since commit 63ed8de4be81 ("mld: add mc_lock for protecting
+per-interface mld data"), every multicast resource is protected
+by inet6_dev->mc_lock.
+
+RTNL is unnecessary in terms of protection but still needed for
+synchronisation between addrconf_ifdown() and __ipv6_dev_mc_inc().
+
+Once we removed RTNL, there would be a race below, where we could
+add a multicast address to a dead inet6_dev.
+
+ CPU1 CPU2
+ ==== ====
+ addrconf_ifdown() __ipv6_dev_mc_inc()
+ if (idev->dead) <-- false
+ dead = true return -ENODEV;
+ ipv6_mc_destroy_dev() / ipv6_mc_down()
+ mutex_lock(&idev->mc_lock)
+ ...
+ mutex_unlock(&idev->mc_lock)
+ mutex_lock(&idev->mc_lock)
+ ...
+ mutex_unlock(&idev->mc_lock)
+
+The race window can be easily closed by checking inet6_dev->dead
+under inet6_dev->mc_lock in __ipv6_dev_mc_inc() as addrconf_ifdown()
+will acquire it after marking inet6_dev dead.
+
+Let's check inet6_dev->dead under mc_lock in __ipv6_dev_mc_inc().
+
+Note that now __ipv6_dev_mc_inc() no longer depends on RTNL and
+we can remove ASSERT_RTNL() there and the RTNL comment above
+addrconf_join_solict().
+
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20250702230210.3115355-4-kuni1840@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/addrconf.c | 7 +++----
+ net/ipv6/mcast.c | 11 +++++------
+ 2 files changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
+index bb0e385992fc..43df9ad96e39 100644
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -2189,13 +2189,12 @@ void addrconf_dad_failure(struct sk_buff *skb, struct inet6_ifaddr *ifp)
+ in6_ifa_put(ifp);
+ }
+
+-/* Join to solicited addr multicast group.
+- * caller must hold RTNL */
++/* Join to solicited addr multicast group. */
+ void addrconf_join_solict(struct net_device *dev, const struct in6_addr *addr)
+ {
+ struct in6_addr maddr;
+
+- if (dev->flags&(IFF_LOOPBACK|IFF_NOARP))
++ if (READ_ONCE(dev->flags) & (IFF_LOOPBACK | IFF_NOARP))
+ return;
+
+ addrconf_addr_solict_mult(addr, &maddr);
+@@ -3784,7 +3783,7 @@ static int addrconf_ifdown(struct net_device *dev, bool unregister)
+ * Do not dev_put!
+ */
+ if (unregister) {
+- idev->dead = 1;
++ WRITE_ONCE(idev->dead, 1);
+
+ /* protected by rtnl_lock */
+ RCU_INIT_POINTER(dev->ip6_ptr, NULL);
+diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
+index 574a30d7f930..77a9f17c816b 100644
+--- a/net/ipv6/mcast.c
++++ b/net/ipv6/mcast.c
+@@ -906,23 +906,22 @@ static struct ifmcaddr6 *mca_alloc(struct inet6_dev *idev,
+ static int __ipv6_dev_mc_inc(struct net_device *dev,
+ const struct in6_addr *addr, unsigned int mode)
+ {
+- struct ifmcaddr6 *mc;
+ struct inet6_dev *idev;
+-
+- ASSERT_RTNL();
++ struct ifmcaddr6 *mc;
+
+ /* we need to take a reference on idev */
+ idev = in6_dev_get(dev);
+-
+ if (!idev)
+ return -EINVAL;
+
+- if (idev->dead) {
++ mutex_lock(&idev->mc_lock);
++
++ if (READ_ONCE(idev->dead)) {
++ mutex_unlock(&idev->mc_lock);
+ in6_dev_put(idev);
+ return -ENODEV;
+ }
+
+- mutex_lock(&idev->mc_lock);
+ for_each_mc_mclock(idev, mc) {
+ if (ipv6_addr_equal(&mc->mca_addr, addr)) {
+ mc->mca_users++;
+--
+2.39.5
+
--- /dev/null
+From d51922515cd59bdd53b4fbe6f7d22b60a6d30282 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Jun 2025 14:48:43 +0800
+Subject: jfs: Regular file corruption check
+
+From: Edward Adam Davis <eadavis@qq.com>
+
+[ Upstream commit 2d04df8116426b6c7b9f8b9b371250f666a2a2fb ]
+
+The reproducer builds a corrupted file on disk with a negative i_size value.
+Add a check when opening this file to avoid subsequent operation failures.
+
+Reported-by: syzbot+630f6d40b3ccabc8e96e@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=630f6d40b3ccabc8e96e
+Tested-by: syzbot+630f6d40b3ccabc8e96e@syzkaller.appspotmail.com
+Signed-off-by: Edward Adam Davis <eadavis@qq.com>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jfs/file.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/jfs/file.c b/fs/jfs/file.c
+index 1d732fd223d4..5c28883eee4e 100644
+--- a/fs/jfs/file.c
++++ b/fs/jfs/file.c
+@@ -44,6 +44,9 @@ static int jfs_open(struct inode *inode, struct file *file)
+ {
+ int rc;
+
++ if (S_ISREG(inode->i_mode) && inode->i_size < 0)
++ return -EIO;
++
+ if ((rc = dquot_file_open(inode, file)))
+ return rc;
+
+--
+2.39.5
+
--- /dev/null
+From 464b8bebccebeaa7046ae30d43cd5838cf427591 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Jun 2025 11:05:34 +0800
+Subject: jfs: truncate good inode pages when hard link is 0
+
+From: Lizhi Xu <lizhi.xu@windriver.com>
+
+[ Upstream commit 2d91b3765cd05016335cd5df5e5c6a29708ec058 ]
+
+The fileset value of the inode copy from the disk by the reproducer is
+AGGR_RESERVED_I. When executing evict, its hard link number is 0, so its
+inode pages are not truncated. This causes the bugon to be triggered when
+executing clear_inode() because nrpages is greater than 0.
+
+Reported-by: syzbot+6e516bb515d93230bc7b@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=6e516bb515d93230bc7b
+Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jfs/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/jfs/inode.c b/fs/jfs/inode.c
+index 072821b50ab9..e132dafa1b6c 100644
+--- a/fs/jfs/inode.c
++++ b/fs/jfs/inode.c
+@@ -145,9 +145,9 @@ void jfs_evict_inode(struct inode *inode)
+ if (!inode->i_nlink && !is_bad_inode(inode)) {
+ dquot_initialize(inode);
+
++ truncate_inode_pages_final(&inode->i_data);
+ if (JFS_IP(inode)->fileset == FILESYSTEM_I) {
+ struct inode *ipimap = JFS_SBI(inode->i_sb)->ipimap;
+- truncate_inode_pages_final(&inode->i_data);
+
+ if (test_cflag(COMMIT_Freewmap, inode))
+ jfs_free_zero_link(inode);
+--
+2.39.5
+
--- /dev/null
+From deb01ee6e5533b5194ba1a288db22ce403ce8d45 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Apr 2025 00:13:51 +0200
+Subject: jfs: upper bound check of tree index in dbAllocAG
+
+From: Arnaud Lecomte <contact@arnaud-lcm.com>
+
+[ Upstream commit c214006856ff52a8ff17ed8da52d50601d54f9ce ]
+
+When computing the tree index in dbAllocAG, we never check if we are
+out of bounds realative to the size of the stree.
+This could happen in a scenario where the filesystem metadata are
+corrupted.
+
+Reported-by: syzbot+cffd18309153948f3c3e@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=cffd18309153948f3c3e
+Tested-by: syzbot+cffd18309153948f3c3e@syzkaller.appspotmail.com
+Signed-off-by: Arnaud Lecomte <contact@arnaud-lcm.com>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jfs/jfs_dmap.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
+index c2d4349cd959..f4f4c5ec38c6 100644
+--- a/fs/jfs/jfs_dmap.c
++++ b/fs/jfs/jfs_dmap.c
+@@ -1457,6 +1457,12 @@ dbAllocAG(struct bmap * bmp, int agno, s64 nblocks, int l2nb, s64 * results)
+ (1 << (L2LPERCTL - (bmp->db_agheight << 1))) / bmp->db_agwidth;
+ ti = bmp->db_agstart + bmp->db_agwidth * (agno & (agperlev - 1));
+
++ if (ti < 0 || ti >= le32_to_cpu(dcp->nleafs)) {
++ jfs_error(bmp->db_ipbmap->i_sb, "Corrupt dmapctl page\n");
++ release_metapage(mp);
++ return -EIO;
++ }
++
+ /* dmap control page trees fan-out by 4 and a single allocation
+ * group may be described by 1 or 2 subtrees within the ag level
+ * dmap control page, depending upon the ag size. examine the ag's
+--
+2.39.5
+
--- /dev/null
+From 460002247cf0c858988c795f009a2570eff6d2f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jun 2025 00:05:20 +0900
+Subject: kconfig: gconf: avoid hardcoding model2 in
+ on_treeview2_cursor_changed()
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+[ Upstream commit cae9cdbcd9af044810bcceeb43a87accca47c71d ]
+
+The on_treeview2_cursor_changed() handler is connected to both the left
+and right tree views, but it hardcodes model2 (the GtkTreeModel of the
+right tree view). This is incorrect. Get the associated model from the
+view.
+
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/gconf.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/scripts/kconfig/gconf.c b/scripts/kconfig/gconf.c
+index 5d1404178e48..87f8a4db5bc6 100644
+--- a/scripts/kconfig/gconf.c
++++ b/scripts/kconfig/gconf.c
+@@ -977,13 +977,14 @@ on_treeview2_key_press_event(GtkWidget * widget,
+ void
+ on_treeview2_cursor_changed(GtkTreeView * treeview, gpointer user_data)
+ {
++ GtkTreeModel *model = gtk_tree_view_get_model(treeview);
+ GtkTreeSelection *selection;
+ GtkTreeIter iter;
+ struct menu *menu;
+
+ selection = gtk_tree_view_get_selection(treeview);
+- if (gtk_tree_selection_get_selected(selection, &model2, &iter)) {
+- gtk_tree_model_get(model2, &iter, COL_MENU, &menu, -1);
++ if (gtk_tree_selection_get_selected(selection, &model, &iter)) {
++ gtk_tree_model_get(model, &iter, COL_MENU, &menu, -1);
+ text_insert_help(menu);
+ }
+ }
+--
+2.39.5
+
--- /dev/null
+From 093a2d8f8b3b596acdb4a7eefcdb345cbb533941 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jun 2025 00:04:55 +0900
+Subject: kconfig: gconf: fix potential memory leak in renderer_edited()
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+[ Upstream commit f72ed4c6a375e52a3f4b75615e4a89d29d8acea7 ]
+
+If gtk_tree_model_get_iter() fails, gtk_tree_path_free() is not called.
+
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Acked-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/gconf.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/scripts/kconfig/gconf.c b/scripts/kconfig/gconf.c
+index 87f8a4db5bc6..3c726ead8f7e 100644
+--- a/scripts/kconfig/gconf.c
++++ b/scripts/kconfig/gconf.c
+@@ -783,7 +783,7 @@ static void renderer_edited(GtkCellRendererText * cell,
+ struct symbol *sym;
+
+ if (!gtk_tree_model_get_iter(model2, &iter, path))
+- return;
++ goto free;
+
+ gtk_tree_model_get(model2, &iter, COL_MENU, &menu, -1);
+ sym = menu->sym;
+@@ -795,6 +795,7 @@ static void renderer_edited(GtkCellRendererText * cell,
+
+ update_tree(&rootmenu, NULL);
+
++free:
+ gtk_tree_path_free(path);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From bf48961040b3f3cdbcb388db76b26e0b68a2081b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Nov 2013 00:53:32 +0100
+Subject: kconfig: lxdialog: fix 'space' to (de)select options
+
+From: Yann E. MORIN <yann.morin.1998@free.fr>
+
+[ Upstream commit 694174f94ebeeb5ec5cc0e9de9b40c82057e1d95 ]
+
+In case a menu has comment without letters/numbers (eg. characters
+matching the regexp '^[^[:alpha:][:digit:]]+$', for example - or *),
+hitting space will cycle through those comments, rather than
+selecting/deselecting the currently-highlighted option.
+
+This is the behaviour of hitting any letter/digit: jump to the next
+option which prompt starts with that letter. The only letters that
+do not behave as such are 'y' 'm' and 'n'. Prompts that start with
+one of those three letters are instead matched on the first letter
+that is not 'y', 'm' or 'n'.
+
+Fix that by treating 'space' as we treat y/m/n, ie. as an action key,
+not as shortcut to jump to prompt.
+
+Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+Signed-off-by: Cherniaev Andrei <dungeonlords789@naver.com>
+[masahiro: took from Buildroot, adjusted the commit subject]
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/lxdialog/menubox.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/kconfig/lxdialog/menubox.c b/scripts/kconfig/lxdialog/menubox.c
+index 58c2f8afe59b..7e10e919fbdc 100644
+--- a/scripts/kconfig/lxdialog/menubox.c
++++ b/scripts/kconfig/lxdialog/menubox.c
+@@ -272,7 +272,7 @@ int dialog_menu(const char *title, const char *prompt,
+ if (key < 256 && isalpha(key))
+ key = tolower(key);
+
+- if (strchr("ynmh", key))
++ if (strchr("ynmh ", key))
+ i = max_choice;
+ else {
+ for (i = choice + 1; i < max_choice; i++) {
+--
+2.39.5
+
--- /dev/null
+From 9f25322c1799da972e8873f8934610ea9ecd371d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 27 Jul 2025 22:14:33 +0530
+Subject: kconfig: lxdialog: replace strcpy() with strncpy() in inputbox.c
+
+From: Suchit Karunakaran <suchitkarunakaran@gmail.com>
+
+[ Upstream commit 5ac726653a1029a2eccba93bbe59e01fc9725828 ]
+
+strcpy() performs no bounds checking and can lead to buffer overflows if
+the input string exceeds the destination buffer size. This patch replaces
+it with strncpy(), and null terminates the input string.
+
+Signed-off-by: Suchit Karunakaran <suchitkarunakaran@gmail.com>
+Reviewed-by: Nicolas Schier <nicolas.schier@linux.dev>
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/lxdialog/inputbox.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/scripts/kconfig/lxdialog/inputbox.c b/scripts/kconfig/lxdialog/inputbox.c
+index 1dcfb288ee63..327b60cdb8da 100644
+--- a/scripts/kconfig/lxdialog/inputbox.c
++++ b/scripts/kconfig/lxdialog/inputbox.c
+@@ -39,8 +39,10 @@ int dialog_inputbox(const char *title, const char *prompt, int height, int width
+
+ if (!init)
+ instr[0] = '\0';
+- else
+- strcpy(instr, init);
++ else {
++ strncpy(instr, init, sizeof(dialog_input_result) - 1);
++ instr[sizeof(dialog_input_result) - 1] = '\0';
++ }
+
+ do_resize:
+ if (getmaxy(stdscr) <= (height - INPUTBOX_HEIGTH_MIN))
+--
+2.39.5
+
--- /dev/null
+From 7ee0e88f228fa42b9556a3ffbb5c33a800ef0c45 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jun 2025 00:36:54 +0530
+Subject: kconfig: nconf: Ensure null termination where strncpy is used
+
+From: Shankari Anand <shankari.ak0208@gmail.com>
+
+[ Upstream commit f468992936894c9ce3b1659cf38c230d33b77a16 ]
+
+strncpy() does not guarantee null-termination if the source string is
+longer than the destination buffer.
+
+Ensure the buffer is explicitly null-terminated to prevent potential
+string overflows or undefined behavior.
+
+Signed-off-by: Shankari Anand <shankari.ak0208@gmail.com>
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Acked-by: Randy Dunlap <rdunlap@infradead.org>
+Tested-by: Randy Dunlap <rdunlap@infradead.org>
+Tested-by: Nicolas Schier <n.schier@avm.de>
+Acked-by: Nicolas Schier <n.schier@avm.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/nconf.c | 2 ++
+ scripts/kconfig/nconf.gui.c | 1 +
+ 2 files changed, 3 insertions(+)
+
+diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c
+index 7b371bd7fb36..8b166ccb0447 100644
+--- a/scripts/kconfig/nconf.c
++++ b/scripts/kconfig/nconf.c
+@@ -585,6 +585,8 @@ static void item_add_str(const char *fmt, ...)
+ tmp_str,
+ sizeof(k_menu_items[index].str));
+
++ k_menu_items[index].str[sizeof(k_menu_items[index].str) - 1] = '\0';
++
+ free_item(curses_menu_items[index]);
+ curses_menu_items[index] = new_item(
+ k_menu_items[index].str,
+diff --git a/scripts/kconfig/nconf.gui.c b/scripts/kconfig/nconf.gui.c
+index 9aedf40f1dc0..da06ea2afe08 100644
+--- a/scripts/kconfig/nconf.gui.c
++++ b/scripts/kconfig/nconf.gui.c
+@@ -349,6 +349,7 @@ int dialog_inputbox(WINDOW *main_window,
+ x = (columns-win_cols)/2;
+
+ strncpy(result, init, *result_len);
++ result[*result_len - 1] = '\0';
+
+ /* create the windows */
+ win = newwin(win_lines, win_cols, y, x);
+--
+2.39.5
+
--- /dev/null
+From 6edf7f3b3345ca4bca0b78dc8cc14fff7802136f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jul 2025 16:18:44 -0400
+Subject: ktest.pl: Prevent recursion of default variable options
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+[ Upstream commit 61f7e318e99d3b398670518dd3f4f8510d1800fc ]
+
+If a default variable contains itself, do not recurse on it.
+
+For example:
+
+ ADD_CONFIG := ${CONFIG_DIR}/temp_config
+ DEFAULTS
+ ADD_CONFIG = ${CONFIG_DIR}/default_config ${ADD_CONFIG}
+
+The above works because the temp variable ADD_CONFIG (is a temp because it
+is created with ":=") is already defined, it will be substituted in the
+variable option. But if it gets commented out:
+
+ # ADD_CONFIG := ${CONFIG_DIR}/temp_config
+ DEFAULTS
+ ADD_CONFIG = ${CONFIG_DIR}/default_config ${ADD_CONFIG}
+
+Then the above will go into a recursive loop where ${ADD_CONFIG} will
+get replaced with the current definition of ADD_CONFIG which contains the
+${ADD_CONFIG} and that will also try to get converted. ktest.pl will error
+after 100 attempts of recursion and fail.
+
+When replacing a variable with the default variable, if the default
+variable contains itself, do not replace it.
+
+Cc: "John Warthog9 Hawley" <warthog9@kernel.org>
+Cc: Dhaval Giani <dhaval.giani@gmail.com>
+Cc: Greg KH <gregkh@linuxfoundation.org>
+Link: https://lore.kernel.org/20250718202053.732189428@kernel.org
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/ktest/ktest.pl | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/ktest/ktest.pl b/tools/testing/ktest/ktest.pl
+index 2109bd42c144..26544bba3f8f 100755
+--- a/tools/testing/ktest/ktest.pl
++++ b/tools/testing/ktest/ktest.pl
+@@ -1351,7 +1351,10 @@ sub __eval_option {
+ # If a variable contains itself, use the default var
+ if (($var eq $name) && defined($opt{$var})) {
+ $o = $opt{$var};
+- $retval = "$retval$o";
++ # Only append if the default doesn't contain itself
++ if ($o !~ m/\$\{$var\}/) {
++ $retval = "$retval$o";
++ }
+ } elsif (defined($opt{$o})) {
+ $o = $opt{$o};
+ $retval = "$retval$o";
+--
+2.39.5
+
--- /dev/null
+From 028b2e5c2e47d92991d748b1fc0374e7a00ff376 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jun 2025 12:23:54 +0200
+Subject: leds: leds-lp50xx: Handle reg to get correct multi_index
+
+From: Johan Adolfsson <johan.adolfsson@axis.com>
+
+[ Upstream commit 2e84a5e5374232e6f356ce5c079a5658d7e4af2c ]
+
+mc_subled used for multi_index needs well defined array indexes,
+to guarantee the desired result, use reg for that.
+
+If devicetree child nodes is processed in random or reverse order
+you may end up with multi_index "blue green red" instead of the expected
+"red green blue".
+If user space apps uses multi_index to deduce how to control the leds
+they would most likely be broken without this patch if devicetree
+processing is reversed (which it appears to be).
+
+arch/arm/boot/dts/aspeed/aspeed-bmc-facebook-fuji.dts has reg set
+but I don't see how it can have worked without this change.
+
+If reg is not set, an error is returned,
+If reg is out of range, an error is returned.
+reg within led child nodes starts with 0, to map to the iout in each bank.
+
+Signed-off-by: Johan Adolfsson <johan.adolfsson@axis.com>
+Reviewed-by: Jacek Anaszewski <jacek.anaszewski@gmail.com>
+Link: https://lore.kernel.org/r/20250617-led-fix-v7-1-cdbe8efc88fa@axis.com
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/leds/leds-lp50xx.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/leds/leds-lp50xx.c b/drivers/leds/leds-lp50xx.c
+index 401df1e2e05d..a2748e467451 100644
+--- a/drivers/leds/leds-lp50xx.c
++++ b/drivers/leds/leds-lp50xx.c
+@@ -487,6 +487,7 @@ static int lp50xx_probe_dt(struct lp50xx *priv)
+ }
+
+ fwnode_for_each_child_node(child, led_node) {
++ int multi_index;
+ ret = fwnode_property_read_u32(led_node, "color",
+ &color_id);
+ if (ret) {
+@@ -494,8 +495,16 @@ static int lp50xx_probe_dt(struct lp50xx *priv)
+ dev_err(priv->dev, "Cannot read color\n");
+ goto child_out;
+ }
++ ret = fwnode_property_read_u32(led_node, "reg", &multi_index);
++ if (ret != 0) {
++ dev_err(priv->dev, "reg must be set\n");
++ return -EINVAL;
++ } else if (multi_index >= LP50XX_LEDS_PER_MODULE) {
++ dev_err(priv->dev, "reg %i out of range\n", multi_index);
++ return -EINVAL;
++ }
+
+- mc_led_info[num_colors].color_index = color_id;
++ mc_led_info[multi_index].color_index = color_id;
+ num_colors++;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From a0b934a56c110ccb749147aa28ac9ffe5310677f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 13:11:57 +0530
+Subject: md: dm-zoned-target: Initialize return variable r to avoid
+ uninitialized use
+
+From: Purva Yeshi <purvayeshi550@gmail.com>
+
+[ Upstream commit 487767bff572d46f7c37ad846c4078f6d6c9cc55 ]
+
+Fix Smatch-detected error:
+drivers/md/dm-zoned-target.c:1073 dmz_iterate_devices()
+error: uninitialized symbol 'r'.
+
+Smatch detects a possible use of the uninitialized variable 'r' in
+dmz_iterate_devices() because if dmz->nr_ddevs is zero, the loop is
+skipped and 'r' is returned without being set, leading to undefined
+behavior.
+
+Initialize 'r' to 0 before the loop. This ensures that if there are no
+devices to iterate over, the function still returns a defined value.
+
+Signed-off-by: Purva Yeshi <purvayeshi550@gmail.com>
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm-zoned-target.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/md/dm-zoned-target.c b/drivers/md/dm-zoned-target.c
+index 48b56d6434f7..98c3c8be3bcc 100644
+--- a/drivers/md/dm-zoned-target.c
++++ b/drivers/md/dm-zoned-target.c
+@@ -1066,7 +1066,7 @@ static int dmz_iterate_devices(struct dm_target *ti,
+ struct dmz_target *dmz = ti->private;
+ unsigned int zone_nr_sectors = dmz_zone_nr_sectors(dmz->metadata);
+ sector_t capacity;
+- int i, r;
++ int i, r = 0;
+
+ for (i = 0; i < dmz->nr_ddevs; i++) {
+ capacity = dmz->dev[i].capacity & ~(zone_nr_sectors - 1);
+--
+2.39.5
+
--- /dev/null
+From 4d9b2ffe387b8999c52efb24eead52455e516424 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Jun 2025 21:32:31 -0400
+Subject: media: dvb-frontends: dib7090p: fix null-ptr-deref in
+ dib7090p_rw_on_apb()
+
+From: Alex Guo <alexguo1023@gmail.com>
+
+[ Upstream commit ce5cac69b2edac3e3246fee03e8f4c2a1075238b ]
+
+In dib7090p_rw_on_apb, msg is controlled by user. When msg[0].buf is null and
+msg[0].len is zero, former checks on msg[0].buf would be passed. If accessing
+msg[0].buf[2] without sanity check, null pointer deref would happen. We add
+check on msg[0].len to prevent crash. Similar issue occurs when access
+msg[1].buf[0] and msg[1].buf[1].
+
+Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")
+
+Signed-off-by: Alex Guo <alexguo1023@gmail.com>
+Link: https://lore.kernel.org/r/20250616013231.730221-1-alexguo1023@gmail.com
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-frontends/dib7000p.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/media/dvb-frontends/dib7000p.c b/drivers/media/dvb-frontends/dib7000p.c
+index 8c426baf76ee..a4d060fb1bab 100644
+--- a/drivers/media/dvb-frontends/dib7000p.c
++++ b/drivers/media/dvb-frontends/dib7000p.c
+@@ -2261,8 +2261,12 @@ static int dib7090p_rw_on_apb(struct i2c_adapter *i2c_adap,
+ u16 word;
+
+ if (num == 1) { /* write */
++ if (msg[0].len < 3)
++ return -EOPNOTSUPP;
+ dib7000p_write_word(state, apb_address, ((msg[0].buf[1] << 8) | (msg[0].buf[2])));
+ } else {
++ if (msg[1].len < 2)
++ return -EOPNOTSUPP;
+ word = dib7000p_read_word(state, apb_address);
+ msg[1].buf[0] = (word >> 8) & 0xff;
+ msg[1].buf[1] = (word) & 0xff;
+--
+2.39.5
+
--- /dev/null
+From 0c03d43c13d7d866c0220cfa1f61d7b7b4141972 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Jun 2025 21:33:53 -0400
+Subject: media: dvb-frontends: w7090p: fix null-ptr-deref in
+ w7090p_tuner_write_serpar and w7090p_tuner_read_serpar
+
+From: Alex Guo <alexguo1023@gmail.com>
+
+[ Upstream commit ed0234c8458b3149f15e496b48a1c9874dd24a1b ]
+
+In w7090p_tuner_write_serpar, msg is controlled by user. When msg[0].buf is null and msg[0].len is zero, former checks on msg[0].buf would be passed. If accessing msg[0].buf[2] without sanity check, null pointer deref would happen. We add
+check on msg[0].len to prevent crash.
+
+Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")
+
+Signed-off-by: Alex Guo <alexguo1023@gmail.com>
+Link: https://lore.kernel.org/r/20250616013353.738790-1-alexguo1023@gmail.com
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-frontends/dib7000p.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/media/dvb-frontends/dib7000p.c b/drivers/media/dvb-frontends/dib7000p.c
+index a4d060fb1bab..08b3ac8ff108 100644
+--- a/drivers/media/dvb-frontends/dib7000p.c
++++ b/drivers/media/dvb-frontends/dib7000p.c
+@@ -2198,6 +2198,8 @@ static int w7090p_tuner_write_serpar(struct i2c_adapter *i2c_adap, struct i2c_ms
+ struct dib7000p_state *state = i2c_get_adapdata(i2c_adap);
+ u8 n_overflow = 1;
+ u16 i = 1000;
++ if (msg[0].len < 3)
++ return -EOPNOTSUPP;
+ u16 serpar_num = msg[0].buf[0];
+
+ while (n_overflow == 1 && i) {
+@@ -2217,6 +2219,8 @@ static int w7090p_tuner_read_serpar(struct i2c_adapter *i2c_adap, struct i2c_msg
+ struct dib7000p_state *state = i2c_get_adapdata(i2c_adap);
+ u8 n_overflow = 1, n_empty = 1;
+ u16 i = 1000;
++ if (msg[0].len < 1 || msg[1].len < 2)
++ return -EOPNOTSUPP;
+ u16 serpar_num = msg[0].buf[0];
+ u16 read_word;
+
+--
+2.39.5
+
--- /dev/null
+From c8df2c43325bd82c92ecc2b82e4eb843ed762723 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 19:37:15 +0100
+Subject: media: tc358743: Check I2C succeeded during probe
+
+From: Dave Stevenson <dave.stevenson@raspberrypi.com>
+
+[ Upstream commit 303d81635e1d9c949b370215cc94526ed81f2e3d ]
+
+The probe for the TC358743 reads the CHIPID register from
+the device and compares it to the expected value of 0.
+If the I2C request fails then that also returns 0, so
+the driver loads thinking that the device is there.
+
+Generally I2C communications are reliable so there is
+limited need to check the return value on every transfer,
+therefore only amend the one read during probe to check
+for I2C errors.
+
+Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/tc358743.c | 27 +++++++++++++++++++++++----
+ 1 file changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c
+index 87feada1f602..fe53823ba6f7 100644
+--- a/drivers/media/i2c/tc358743.c
++++ b/drivers/media/i2c/tc358743.c
+@@ -110,7 +110,7 @@ static inline struct tc358743_state *to_state(struct v4l2_subdev *sd)
+
+ /* --------------- I2C --------------- */
+
+-static void i2c_rd(struct v4l2_subdev *sd, u16 reg, u8 *values, u32 n)
++static int i2c_rd(struct v4l2_subdev *sd, u16 reg, u8 *values, u32 n)
+ {
+ struct tc358743_state *state = to_state(sd);
+ struct i2c_client *client = state->i2c_client;
+@@ -136,6 +136,7 @@ static void i2c_rd(struct v4l2_subdev *sd, u16 reg, u8 *values, u32 n)
+ v4l2_err(sd, "%s: reading register 0x%x from 0x%x failed\n",
+ __func__, reg, client->addr);
+ }
++ return err != ARRAY_SIZE(msgs);
+ }
+
+ static void i2c_wr(struct v4l2_subdev *sd, u16 reg, u8 *values, u32 n)
+@@ -192,15 +193,24 @@ static void i2c_wr(struct v4l2_subdev *sd, u16 reg, u8 *values, u32 n)
+ }
+ }
+
+-static noinline u32 i2c_rdreg(struct v4l2_subdev *sd, u16 reg, u32 n)
++static noinline u32 i2c_rdreg_err(struct v4l2_subdev *sd, u16 reg, u32 n,
++ int *err)
+ {
++ int error;
+ __le32 val = 0;
+
+- i2c_rd(sd, reg, (u8 __force *)&val, n);
++ error = i2c_rd(sd, reg, (u8 __force *)&val, n);
++ if (err)
++ *err = error;
+
+ return le32_to_cpu(val);
+ }
+
++static inline u32 i2c_rdreg(struct v4l2_subdev *sd, u16 reg, u32 n)
++{
++ return i2c_rdreg_err(sd, reg, n, NULL);
++}
++
+ static noinline void i2c_wrreg(struct v4l2_subdev *sd, u16 reg, u32 val, u32 n)
+ {
+ __le32 raw = cpu_to_le32(val);
+@@ -229,6 +239,13 @@ static u16 i2c_rd16(struct v4l2_subdev *sd, u16 reg)
+ return i2c_rdreg(sd, reg, 2);
+ }
+
++static int i2c_rd16_err(struct v4l2_subdev *sd, u16 reg, u16 *value)
++{
++ int err;
++ *value = i2c_rdreg_err(sd, reg, 2, &err);
++ return err;
++}
++
+ static void i2c_wr16(struct v4l2_subdev *sd, u16 reg, u16 val)
+ {
+ i2c_wrreg(sd, reg, val, 2);
+@@ -2042,6 +2059,7 @@ static int tc358743_probe(struct i2c_client *client)
+ struct tc358743_platform_data *pdata = client->dev.platform_data;
+ struct v4l2_subdev *sd;
+ u16 irq_mask = MASK_HDMI_MSK | MASK_CSI_MSK;
++ u16 chipid;
+ int err;
+
+ if (!i2c_check_functionality(client->adapter, I2C_FUNC_SMBUS_BYTE_DATA))
+@@ -2073,7 +2091,8 @@ static int tc358743_probe(struct i2c_client *client)
+ sd->flags |= V4L2_SUBDEV_FL_HAS_DEVNODE | V4L2_SUBDEV_FL_HAS_EVENTS;
+
+ /* i2c access */
+- if ((i2c_rd16(sd, CHIPID) & MASK_CHIPID) != 0) {
++ if (i2c_rd16_err(sd, CHIPID, &chipid) ||
++ (chipid & MASK_CHIPID) != 0) {
+ v4l2_info(sd, "not a TC358743 on address 0x%x\n",
+ client->addr << 1);
+ return -ENODEV;
+--
+2.39.5
+
--- /dev/null
+From e2dfbfa5c72a93db27eba996bb358be5c42ad36d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 19:37:14 +0100
+Subject: media: tc358743: Increase FIFO trigger level to 374
+
+From: Dave Stevenson <dave.stevenson@raspberrypi.com>
+
+[ Upstream commit 86addd25314a1e77dbdcfddfeed0bab2f27da0e2 ]
+
+The existing fixed value of 16 worked for UYVY 720P60 over
+2 lanes at 594MHz, or UYVY 1080P60 over 4 lanes. (RGB888
+1080P60 needs 6 lanes at 594MHz).
+It doesn't allow for lower resolutions to work as the FIFO
+underflows.
+
+374 is required for 1080P24 or 1080P30 UYVY over 2 lanes @
+972Mbit/s, but >374 means that the FIFO underflows on 1080P50
+UYVY over 2 lanes @ 972Mbit/s.
+
+Whilst it would be nice to compute it, the required information
+isn't published by Toshiba.
+
+Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/tc358743.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c
+index a389e2d58d3d..3167beca4056 100644
+--- a/drivers/media/i2c/tc358743.c
++++ b/drivers/media/i2c/tc358743.c
+@@ -1960,8 +1960,19 @@ static int tc358743_probe_of(struct tc358743_state *state)
+ state->pdata.refclk_hz = clk_get_rate(refclk);
+ state->pdata.ddc5v_delay = DDC5V_DELAY_100_MS;
+ state->pdata.enable_hdcp = false;
+- /* A FIFO level of 16 should be enough for 2-lane 720p60 at 594 MHz. */
+- state->pdata.fifo_level = 16;
++ /*
++ * Ideally the FIFO trigger level should be set based on the input and
++ * output data rates, but the calculations required are buried in
++ * Toshiba's register settings spreadsheet.
++ * A value of 16 works with a 594Mbps data rate for 720p60 (using 2
++ * lanes) and 1080p60 (using 4 lanes), but fails when the data rate
++ * is increased, or a lower pixel clock is used that result in CSI
++ * reading out faster than the data is arriving.
++ *
++ * A value of 374 works with both those modes at 594Mbps, and with most
++ * modes on 972Mbps.
++ */
++ state->pdata.fifo_level = 374;
+ /*
+ * The PLL input clock is obtained by dividing refclk by pll_prd.
+ * It must be between 6 MHz and 40 MHz, lower frequency is better.
+--
+2.39.5
+
--- /dev/null
+From 658bfd0fa8fce9b2315429f3d975fe4e5557ee35 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 19:37:16 +0100
+Subject: media: tc358743: Return an appropriate colorspace from
+ tc358743_set_fmt
+
+From: Dave Stevenson <dave.stevenson@raspberrypi.com>
+
+[ Upstream commit 377cc006a364dfdab2f3f221cfad63a9265200b8 ]
+
+When calling tc358743_set_fmt, the code was calling tc358743_get_fmt
+to choose a valid format. However that sets the colorspace
+based on information read back from the chip, not the colour
+format requested.
+
+The result was that if you called try or set format for UYVY
+when the current format was RGB3 then you would get told SRGB,
+and try RGB3 when current was UYVY and you would get told
+SMPTE170M.
+
+The value programmed in the VI_REP register for the colorspace
+is always set by this driver, therefore there is no need to read
+back the value, and never set to REC709.
+Return the colorspace based on the format set/tried instead.
+
+Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/tc358743.c | 44 ++++++++++++++----------------------
+ 1 file changed, 17 insertions(+), 27 deletions(-)
+
+diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c
+index fe53823ba6f7..a389e2d58d3d 100644
+--- a/drivers/media/i2c/tc358743.c
++++ b/drivers/media/i2c/tc358743.c
+@@ -1686,12 +1686,23 @@ static int tc358743_enum_mbus_code(struct v4l2_subdev *sd,
+ return 0;
+ }
+
++static u32 tc358743_g_colorspace(u32 code)
++{
++ switch (code) {
++ case MEDIA_BUS_FMT_RGB888_1X24:
++ return V4L2_COLORSPACE_SRGB;
++ case MEDIA_BUS_FMT_UYVY8_1X16:
++ return V4L2_COLORSPACE_SMPTE170M;
++ default:
++ return 0;
++ }
++}
++
+ static int tc358743_get_fmt(struct v4l2_subdev *sd,
+ struct v4l2_subdev_state *sd_state,
+ struct v4l2_subdev_format *format)
+ {
+ struct tc358743_state *state = to_state(sd);
+- u8 vi_rep = i2c_rd8(sd, VI_REP);
+
+ if (format->pad != 0)
+ return -EINVAL;
+@@ -1701,23 +1712,7 @@ static int tc358743_get_fmt(struct v4l2_subdev *sd,
+ format->format.height = state->timings.bt.height;
+ format->format.field = V4L2_FIELD_NONE;
+
+- switch (vi_rep & MASK_VOUT_COLOR_SEL) {
+- case MASK_VOUT_COLOR_RGB_FULL:
+- case MASK_VOUT_COLOR_RGB_LIMITED:
+- format->format.colorspace = V4L2_COLORSPACE_SRGB;
+- break;
+- case MASK_VOUT_COLOR_601_YCBCR_LIMITED:
+- case MASK_VOUT_COLOR_601_YCBCR_FULL:
+- format->format.colorspace = V4L2_COLORSPACE_SMPTE170M;
+- break;
+- case MASK_VOUT_COLOR_709_YCBCR_FULL:
+- case MASK_VOUT_COLOR_709_YCBCR_LIMITED:
+- format->format.colorspace = V4L2_COLORSPACE_REC709;
+- break;
+- default:
+- format->format.colorspace = 0;
+- break;
+- }
++ format->format.colorspace = tc358743_g_colorspace(format->format.code);
+
+ return 0;
+ }
+@@ -1731,19 +1726,14 @@ static int tc358743_set_fmt(struct v4l2_subdev *sd,
+ u32 code = format->format.code; /* is overwritten by get_fmt */
+ int ret = tc358743_get_fmt(sd, sd_state, format);
+
+- format->format.code = code;
++ if (code == MEDIA_BUS_FMT_RGB888_1X24 ||
++ code == MEDIA_BUS_FMT_UYVY8_1X16)
++ format->format.code = code;
++ format->format.colorspace = tc358743_g_colorspace(format->format.code);
+
+ if (ret)
+ return ret;
+
+- switch (code) {
+- case MEDIA_BUS_FMT_RGB888_1X24:
+- case MEDIA_BUS_FMT_UYVY8_1X16:
+- break;
+- default:
+- return -EINVAL;
+- }
+-
+ if (format->which == V4L2_SUBDEV_FORMAT_TRY)
+ return 0;
+
+--
+2.39.5
+
--- /dev/null
+From 7ce0301a2289f32fb6984c8e8f427d10e4799644 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 May 2025 10:09:54 +0200
+Subject: media: usb: hdpvr: disable zero-length read messages
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit b5ae5a79825ba8037b0be3ef677a24de8c063abf ]
+
+This driver passes the length of an i2c_msg directly to
+usb_control_msg(). If the message is now a read and of length 0, it
+violates the USB protocol and a warning will be printed. Enable the
+I2C_AQ_NO_ZERO_LEN_READ quirk for this adapter thus forbidding 0-length
+read messages altogether.
+
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/hdpvr/hdpvr-i2c.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/media/usb/hdpvr/hdpvr-i2c.c b/drivers/media/usb/hdpvr/hdpvr-i2c.c
+index 070559b01b01..54956a8ff15e 100644
+--- a/drivers/media/usb/hdpvr/hdpvr-i2c.c
++++ b/drivers/media/usb/hdpvr/hdpvr-i2c.c
+@@ -165,10 +165,16 @@ static const struct i2c_algorithm hdpvr_algo = {
+ .functionality = hdpvr_functionality,
+ };
+
++/* prevent invalid 0-length usb_control_msg */
++static const struct i2c_adapter_quirks hdpvr_quirks = {
++ .flags = I2C_AQ_NO_ZERO_LEN_READ,
++};
++
+ static const struct i2c_adapter hdpvr_i2c_adapter_template = {
+ .name = "Hauppauge HD PVR I2C",
+ .owner = THIS_MODULE,
+ .algo = &hdpvr_algo,
++ .quirks = &hdpvr_quirks,
+ };
+
+ static int hdpvr_activate_ir(struct hdpvr_device *dev)
+--
+2.39.5
+
--- /dev/null
+From 844ca06b862f54c7409f0d6cd387a5e88df172f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 May 2025 14:18:03 +0800
+Subject: media: uvcvideo: Fix bandwidth issue for Alcor camera
+
+From: chenchangcheng <chenchangcheng@kylinos.cn>
+
+[ Upstream commit 9764401bf6f8a20eb11c2e78470f20fee91a9ea7 ]
+
+Some broken device return wrong dwMaxPayloadTransferSize fields as
+follows:
+
+[ 218.632537] uvcvideo: Device requested 2752512 B/frame bandwidth.
+[ 218.632598] uvcvideo: No fast enough alt setting for requested bandwidth.
+
+When dwMaxPayloadTransferSize is greater than maxpsize, it will prevent
+the camera from starting. So use the bandwidth of maxpsize.
+
+Signed-off-by: chenchangcheng <chenchangcheng@kylinos.cn>
+Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Link: https://lore.kernel.org/r/20250510061803.811433-1-ccc194101@163.com
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/uvc/uvc_video.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c
+index 446fe67e07c4..89a43c0558ed 100644
+--- a/drivers/media/usb/uvc/uvc_video.c
++++ b/drivers/media/usb/uvc/uvc_video.c
+@@ -231,6 +231,15 @@ static void uvc_fixup_video_ctrl(struct uvc_streaming *stream,
+
+ ctrl->dwMaxPayloadTransferSize = bandwidth;
+ }
++
++ if (stream->intf->num_altsetting > 1 &&
++ ctrl->dwMaxPayloadTransferSize > stream->maxpsize) {
++ dev_warn_ratelimited(&stream->intf->dev,
++ "UVC non compliance: the max payload transmission size (%u) exceeds the size of the ep max packet (%u). Using the max size.\n",
++ ctrl->dwMaxPayloadTransferSize,
++ stream->maxpsize);
++ ctrl->dwMaxPayloadTransferSize = stream->maxpsize;
++ }
+ }
+
+ static size_t uvc_video_ctrl_size(struct uvc_streaming *stream)
+--
+2.39.5
+
--- /dev/null
+From ca76926751a6c5aed2cf57bf4329f5bde421531c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 May 2025 10:37:45 +0200
+Subject: media: v4l2-common: Reduce warnings about missing V4L2_CID_LINK_FREQ
+ control
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+
+[ Upstream commit 5a0abb8909b9dcf347fce1d201ac6686ac33fd64 ]
+
+When operating a pipeline with a missing V4L2_CID_LINK_FREQ control this
+two line warning is printed each time the pipeline is started. Reduce
+this excessive logging by only warning once for the missing control.
+
+Signed-off-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/v4l2-core/v4l2-common.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/v4l2-core/v4l2-common.c b/drivers/media/v4l2-core/v4l2-common.c
+index 04af03285a20..90f76a7ff447 100644
+--- a/drivers/media/v4l2-core/v4l2-common.c
++++ b/drivers/media/v4l2-core/v4l2-common.c
+@@ -470,10 +470,10 @@ s64 v4l2_get_link_freq(struct v4l2_ctrl_handler *handler, unsigned int mul,
+
+ freq = div_u64(v4l2_ctrl_g_ctrl_int64(ctrl) * mul, div);
+
+- pr_warn("%s: Link frequency estimated using pixel rate: result might be inaccurate\n",
+- __func__);
+- pr_warn("%s: Consider implementing support for V4L2_CID_LINK_FREQ in the transmitter driver\n",
+- __func__);
++ pr_warn_once("%s: Link frequency estimated using pixel rate: result might be inaccurate\n",
++ __func__);
++ pr_warn_once("%s: Consider implementing support for V4L2_CID_LINK_FREQ in the transmitter driver\n",
++ __func__);
+ }
+
+ return freq > 0 ? freq : -EINVAL;
+--
+2.39.5
+
--- /dev/null
+From 357ac70e13f8fd38aee87eac44def6267a679ac3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 13:28:26 +0200
+Subject: MIPS: Don't crash in stack_top() for tasks without ABI or vDSO
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
+
+[ Upstream commit e9f4a6b3421e936c3ee9d74710243897d74dbaa2 ]
+
+Not all tasks have an ABI associated or vDSO mapped,
+for example kthreads never do.
+If such a task ever ends up calling stack_top(), it will derefence the
+NULL ABI pointer and crash.
+
+This can for example happen when using kunit:
+
+ mips_stack_top+0x28/0xc0
+ arch_pick_mmap_layout+0x190/0x220
+ kunit_vm_mmap_init+0xf8/0x138
+ __kunit_add_resource+0x40/0xa8
+ kunit_vm_mmap+0x88/0xd8
+ usercopy_test_init+0xb8/0x240
+ kunit_try_run_case+0x5c/0x1a8
+ kunit_generic_run_threadfn_adapter+0x28/0x50
+ kthread+0x118/0x240
+ ret_from_kernel_thread+0x14/0x1c
+
+Only dereference the ABI point if it is set.
+
+The GIC page is also included as it is specific to the vDSO.
+Also move the randomization adjustment into the same conditional.
+
+Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
+Reviewed-by: David Gow <davidgow@google.com>
+Reviewed-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/kernel/process.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c
+index cbff1b974f88..b9ef72ab967f 100644
+--- a/arch/mips/kernel/process.c
++++ b/arch/mips/kernel/process.c
+@@ -688,18 +688,20 @@ unsigned long mips_stack_top(void)
+ }
+
+ /* Space for the VDSO, data page & GIC user page */
+- top -= PAGE_ALIGN(current->thread.abi->vdso->size);
+- top -= PAGE_SIZE;
+- top -= mips_gic_present() ? PAGE_SIZE : 0;
++ if (current->thread.abi) {
++ top -= PAGE_ALIGN(current->thread.abi->vdso->size);
++ top -= PAGE_SIZE;
++ top -= mips_gic_present() ? PAGE_SIZE : 0;
++
++ /* Space to randomize the VDSO base */
++ if (current->flags & PF_RANDOMIZE)
++ top -= VDSO_RANDOMIZE_SIZE;
++ }
+
+ /* Space for cache colour alignment */
+ if (cpu_has_dc_aliases)
+ top -= shm_align_mask + 1;
+
+- /* Space to randomize the VDSO base */
+- if (current->flags & PF_RANDOMIZE)
+- top -= VDSO_RANDOMIZE_SIZE;
+-
+ return top;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 3d5aee964feea436f9dac3162a1dec436ed43d65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 21:06:32 +0800
+Subject: MIPS: vpe-mt: add missing prototypes for vpe_{alloc,start,stop,free}
+
+From: Shiji Yang <yangshiji66@outlook.com>
+
+[ Upstream commit 844615dd0f2d95c018ec66b943e08af22b62aff3 ]
+
+These functions are exported but their prototypes are not defined.
+This patch adds the missing function prototypes to fix the following
+compilation warnings:
+
+arch/mips/kernel/vpe-mt.c:180:7: error: no previous prototype for 'vpe_alloc' [-Werror=missing-prototypes]
+ 180 | void *vpe_alloc(void)
+ | ^~~~~~~~~
+arch/mips/kernel/vpe-mt.c:198:5: error: no previous prototype for 'vpe_start' [-Werror=missing-prototypes]
+ 198 | int vpe_start(void *vpe, unsigned long start)
+ | ^~~~~~~~~
+arch/mips/kernel/vpe-mt.c:208:5: error: no previous prototype for 'vpe_stop' [-Werror=missing-prototypes]
+ 208 | int vpe_stop(void *vpe)
+ | ^~~~~~~~
+arch/mips/kernel/vpe-mt.c:229:5: error: no previous prototype for 'vpe_free' [-Werror=missing-prototypes]
+ 229 | int vpe_free(void *vpe)
+ | ^~~~~~~~
+
+Signed-off-by: Shiji Yang <yangshiji66@outlook.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/include/asm/vpe.h | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/arch/mips/include/asm/vpe.h b/arch/mips/include/asm/vpe.h
+index ef7e07829607..0094709b617d 100644
+--- a/arch/mips/include/asm/vpe.h
++++ b/arch/mips/include/asm/vpe.h
+@@ -123,4 +123,12 @@ void cleanup_tc(struct tc *tc);
+
+ int __init vpe_module_init(void);
+ void __exit vpe_module_exit(void);
++
++#ifdef CONFIG_MIPS_VPE_LOADER_MT
++void *vpe_alloc(void);
++int vpe_start(void *vpe, unsigned long start);
++int vpe_stop(void *vpe);
++int vpe_free(void *vpe);
++#endif /* CONFIG_MIPS_VPE_LOADER_MT */
++
+ #endif /* _ASM_VPE_H */
+--
+2.39.5
+
--- /dev/null
+From a5df201bacdd8518c2b7d378578b0facf2e303b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 13:16:23 +0200
+Subject: mmc: rtsx_usb_sdmmc: Fix error-path in sd_set_power_mode()
+
+From: Ulf Hansson <ulf.hansson@linaro.org>
+
+[ Upstream commit 47a255f7d2eabee06cfbf5b1c2379749442fd01d ]
+
+In the error path of sd_set_power_mode() we don't update host->power_mode,
+which could lead to an imbalance of the runtime PM usage count. Fix this by
+always updating host->power_mode.
+
+Reviewed-by: Avri Altman <avri.altman@sandisk.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Acked-by: Ricky Wu <ricky_wu@realtek.com>
+Link: https://lore.kernel.org/r/20250610111633.504366-2-ulf.hansson@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/rtsx_usb_sdmmc.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/mmc/host/rtsx_usb_sdmmc.c b/drivers/mmc/host/rtsx_usb_sdmmc.c
+index 1be3a355f10d..ab7023d956eb 100644
+--- a/drivers/mmc/host/rtsx_usb_sdmmc.c
++++ b/drivers/mmc/host/rtsx_usb_sdmmc.c
+@@ -1032,9 +1032,7 @@ static int sd_set_power_mode(struct rtsx_usb_sdmmc *host,
+ err = sd_power_on(host);
+ }
+
+- if (!err)
+- host->power_mode = power_mode;
+-
++ host->power_mode = power_mode;
+ return err;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From ccd187c38e4b3eaa40adbc7687a8ea4f2bbca027 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 15:36:59 +0530
+Subject: mmc: sdhci-msm: Ensure SD card power isn't ON when card removed
+
+From: Sarthak Garg <quic_sartgarg@quicinc.com>
+
+[ Upstream commit db58532188ebf51d52b1d7693d9e94c76b926e9f ]
+
+Many mobile phones feature multi-card tray designs, where the same
+tray is used for both SD and SIM cards. If the SD card is placed
+at the outermost location in the tray, the SIM card may come in
+contact with SD card power-supply while removing the tray, possibly
+resulting in SIM damage.
+
+To prevent that, make sure the SD card is really inserted by reading
+the Card Detect pin state. If it's not, turn off the power in
+sdhci_msm_check_power_status() and also set the BUS_FAIL power state
+on the controller as part of pwr_irq handling for BUS_ON request.
+
+Signed-off-by: Sarthak Garg <quic_sartgarg@quicinc.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Link: https://lore.kernel.org/r/20250701100659.3310386-1-quic_sartgarg@quicinc.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/sdhci-msm.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/mmc/host/sdhci-msm.c b/drivers/mmc/host/sdhci-msm.c
+index 4b727754d8e3..8fb2ba20e221 100644
+--- a/drivers/mmc/host/sdhci-msm.c
++++ b/drivers/mmc/host/sdhci-msm.c
+@@ -1560,6 +1560,7 @@ static void sdhci_msm_check_power_status(struct sdhci_host *host, u32 req_type)
+ {
+ struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
+ struct sdhci_msm_host *msm_host = sdhci_pltfm_priv(pltfm_host);
++ struct mmc_host *mmc = host->mmc;
+ bool done = false;
+ u32 val = SWITCHABLE_SIGNALING_VOLTAGE;
+ const struct sdhci_msm_offset *msm_offset =
+@@ -1617,6 +1618,12 @@ static void sdhci_msm_check_power_status(struct sdhci_host *host, u32 req_type)
+ "%s: pwr_irq for req: (%d) timed out\n",
+ mmc_hostname(host->mmc), req_type);
+ }
++
++ if ((req_type & REQ_BUS_ON) && mmc->card && !mmc->ops->get_cd(mmc)) {
++ sdhci_writeb(host, 0, SDHCI_POWER_CONTROL);
++ host->pwr = 0;
++ }
++
+ pr_debug("%s: %s: request %d done\n", mmc_hostname(host->mmc),
+ __func__, req_type);
+ }
+@@ -1675,6 +1682,13 @@ static void sdhci_msm_handle_pwr_irq(struct sdhci_host *host, int irq)
+ udelay(10);
+ }
+
++ if ((irq_status & CORE_PWRCTL_BUS_ON) && mmc->card &&
++ !mmc->ops->get_cd(mmc)) {
++ msm_host_writel(msm_host, CORE_PWRCTL_BUS_FAIL, host,
++ msm_offset->core_pwrctl_ctl);
++ return;
++ }
++
+ /* Handle BUS ON/OFF*/
+ if (irq_status & CORE_PWRCTL_BUS_ON) {
+ pwr_state = REQ_BUS_ON;
+--
+2.39.5
+
--- /dev/null
+From 01fc6d65c3886e64988e9efbeecd8073ecff5ebe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jul 2025 11:57:25 +0200
+Subject: net: ag71xx: Add missing check after DMA map
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 96a1e15e60216b52da0e6da5336b6d7f5b0188b0 ]
+
+The DMA map functions can fail and should be tested for errors.
+
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250716095733.37452-3-fourier.thomas@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/atheros/ag71xx.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/net/ethernet/atheros/ag71xx.c b/drivers/net/ethernet/atheros/ag71xx.c
+index 9d8b214c129d..d5be9ca4d4fe 100644
+--- a/drivers/net/ethernet/atheros/ag71xx.c
++++ b/drivers/net/ethernet/atheros/ag71xx.c
+@@ -1287,6 +1287,11 @@ static bool ag71xx_fill_rx_buf(struct ag71xx *ag, struct ag71xx_buf *buf,
+ buf->rx.rx_buf = data;
+ buf->rx.dma_addr = dma_map_single(&ag->pdev->dev, data, ag->rx_buf_size,
+ DMA_FROM_DEVICE);
++ if (dma_mapping_error(&ag->pdev->dev, buf->rx.dma_addr)) {
++ skb_free_frag(data);
++ buf->rx.rx_buf = NULL;
++ return false;
++ }
+ desc->data = (u32)buf->rx.dma_addr + offset;
+ return true;
+ }
+@@ -1585,6 +1590,10 @@ static netdev_tx_t ag71xx_hard_start_xmit(struct sk_buff *skb,
+
+ dma_addr = dma_map_single(&ag->pdev->dev, skb->data, skb->len,
+ DMA_TO_DEVICE);
++ if (dma_mapping_error(&ag->pdev->dev, dma_addr)) {
++ netif_dbg(ag, tx_err, ndev, "DMA mapping error\n");
++ goto err_drop;
++ }
+
+ i = ring->curr & ring_mask;
+ desc = ag71xx_ring_desc(ring, i);
+--
+2.39.5
+
--- /dev/null
+From 3f9d6c0319774034e049f9bf3ce8a998e53da67a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 28 Jun 2025 22:15:28 -0700
+Subject: net: atlantic: add set_power to fw_ops for atl2 to fix wol
+
+From: Eric Work <work.eric@gmail.com>
+
+[ Upstream commit fad9cf216597a71936ac87143d1618fbbcf97cbe ]
+
+Aquantia AQC113(C) using ATL2FW doesn't properly prepare the NIC for
+enabling wake-on-lan. The FW operation `set_power` was only implemented
+for `hw_atl` and not `hw_atl2`. Implement the `set_power` functionality
+for `hw_atl2`.
+
+Tested with both AQC113 and AQC113C devices. Confirmed you can shutdown
+the system and wake from S5 using magic packets. NIC was previously
+powered off when entering S5. If the NIC was configured for WOL by the
+Windows driver, loading the atlantic driver would disable WOL.
+
+Partially cherry-picks changes from commit,
+https://github.com/Aquantia/AQtion/commit/37bd5cc
+
+Attributing original authors from Marvell for the referenced commit.
+
+Closes: https://github.com/Aquantia/AQtion/issues/70
+Co-developed-by: Igor Russkikh <irusskikh@marvell.com>
+Co-developed-by: Mark Starovoitov <mstarovoitov@marvell.com>
+Co-developed-by: Dmitry Bogdanov <dbogdanov@marvell.com>
+Co-developed-by: Pavel Belous <pbelous@marvell.com>
+Co-developed-by: Nikita Danilov <ndanilov@marvell.com>
+Signed-off-by: Eric Work <work.eric@gmail.com>
+Reviewed-by: Igor Russkikh <irusskikh@marvell.com>
+Link: https://patch.msgid.link/20250629051535.5172-1-work.eric@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/aquantia/atlantic/aq_hw.h | 2 +
+ .../atlantic/hw_atl2/hw_atl2_utils_fw.c | 39 +++++++++++++++++++
+ 2 files changed, 41 insertions(+)
+
+diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_hw.h b/drivers/net/ethernet/aquantia/atlantic/aq_hw.h
+index dbd284660135..7f616abd3db2 100644
+--- a/drivers/net/ethernet/aquantia/atlantic/aq_hw.h
++++ b/drivers/net/ethernet/aquantia/atlantic/aq_hw.h
+@@ -113,6 +113,8 @@ struct aq_stats_s {
+ #define AQ_HW_POWER_STATE_D0 0U
+ #define AQ_HW_POWER_STATE_D3 3U
+
++#define AQ_FW_WAKE_ON_LINK_RTPM BIT(10)
++
+ #define AQ_HW_FLAG_STARTED 0x00000004U
+ #define AQ_HW_FLAG_STOPPING 0x00000008U
+ #define AQ_HW_FLAG_RESETTING 0x00000010U
+diff --git a/drivers/net/ethernet/aquantia/atlantic/hw_atl2/hw_atl2_utils_fw.c b/drivers/net/ethernet/aquantia/atlantic/hw_atl2/hw_atl2_utils_fw.c
+index 58d426dda3ed..1c5c27a9f30d 100644
+--- a/drivers/net/ethernet/aquantia/atlantic/hw_atl2/hw_atl2_utils_fw.c
++++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl2/hw_atl2_utils_fw.c
+@@ -462,6 +462,44 @@ static int aq_a2_fw_get_mac_temp(struct aq_hw_s *self, int *temp)
+ return aq_a2_fw_get_phy_temp(self, temp);
+ }
+
++static int aq_a2_fw_set_wol_params(struct aq_hw_s *self, const u8 *mac, u32 wol)
++{
++ struct mac_address_aligned_s mac_address;
++ struct link_control_s link_control;
++ struct wake_on_lan_s wake_on_lan;
++
++ memcpy(mac_address.aligned.mac_address, mac, ETH_ALEN);
++ hw_atl2_shared_buffer_write(self, mac_address, mac_address);
++
++ memset(&wake_on_lan, 0, sizeof(wake_on_lan));
++
++ if (wol & WAKE_MAGIC)
++ wake_on_lan.wake_on_magic_packet = 1U;
++
++ if (wol & (WAKE_PHY | AQ_FW_WAKE_ON_LINK_RTPM))
++ wake_on_lan.wake_on_link_up = 1U;
++
++ hw_atl2_shared_buffer_write(self, sleep_proxy, wake_on_lan);
++
++ hw_atl2_shared_buffer_get(self, link_control, link_control);
++ link_control.mode = AQ_HOST_MODE_SLEEP_PROXY;
++ hw_atl2_shared_buffer_write(self, link_control, link_control);
++
++ return hw_atl2_shared_buffer_finish_ack(self);
++}
++
++static int aq_a2_fw_set_power(struct aq_hw_s *self, unsigned int power_state,
++ const u8 *mac)
++{
++ u32 wol = self->aq_nic_cfg->wol;
++ int err = 0;
++
++ if (wol)
++ err = aq_a2_fw_set_wol_params(self, mac, wol);
++
++ return err;
++}
++
+ static int aq_a2_fw_set_eee_rate(struct aq_hw_s *self, u32 speed)
+ {
+ struct link_options_s link_options;
+@@ -605,6 +643,7 @@ const struct aq_fw_ops aq_a2_fw_ops = {
+ .set_state = aq_a2_fw_set_state,
+ .update_link_status = aq_a2_fw_update_link_status,
+ .update_stats = aq_a2_fw_update_stats,
++ .set_power = aq_a2_fw_set_power,
+ .get_mac_temp = aq_a2_fw_get_mac_temp,
+ .get_phy_temp = aq_a2_fw_get_phy_temp,
+ .set_eee_rate = aq_a2_fw_set_eee_rate,
+--
+2.39.5
+
--- /dev/null
+From 7b4f5386ca8dd9d4d621b47af89dfdfb13b81366 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 Jun 2025 09:59:59 +0200
+Subject: net: dsa: b53: fix b53_imp_vlan_setup for BCM5325
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Álvaro Fernández Rojas <noltari@gmail.com>
+
+[ Upstream commit c00df1018791185ea398f78af415a2a0aaa0c79c ]
+
+CPU port should be B53_CPU_PORT instead of B53_CPU_PORT_25 for
+B53_PVLAN_PORT_MASK register.
+
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
+Link: https://patch.msgid.link/20250614080000.1884236-14-noltari@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/b53/b53_common.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
+index 3bd0d1632b65..091ca9ca49aa 100644
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -507,6 +507,10 @@ void b53_imp_vlan_setup(struct dsa_switch *ds, int cpu_port)
+ unsigned int i;
+ u16 pvlan;
+
++ /* BCM5325 CPU port is at 8 */
++ if ((is5325(dev) || is5365(dev)) && cpu_port == B53_CPU_PORT_25)
++ cpu_port = B53_CPU_PORT;
++
+ /* Enable the IMP port to be in the same VLAN as the other ports
+ * on a per-port basis such that we only have Port i and IMP in
+ * the same VLAN.
+--
+2.39.5
+
--- /dev/null
+From d4c535ae41a708798d74103b929f1caf3337c540 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 Jun 2025 09:59:54 +0200
+Subject: net: dsa: b53: fix IP_MULTICAST_CTRL on BCM5325
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Álvaro Fernández Rojas <noltari@gmail.com>
+
+[ Upstream commit 044d5ce2788b165798bfd173548e61bf7b6baf4d ]
+
+BCM5325 doesn't implement B53_UC_FWD_EN, B53_MC_FWD_EN or B53_IPMC_FWD_EN.
+
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
+Link: https://patch.msgid.link/20250614080000.1884236-9-noltari@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/b53/b53_common.c | 18 +++++++++++-------
+ drivers/net/dsa/b53/b53_regs.h | 1 +
+ 2 files changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
+index 2de7a3254455..42fd1b4ed56e 100644
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -344,14 +344,18 @@ static void b53_set_forwarding(struct b53_device *dev, int enable)
+ b53_read8(dev, B53_CTRL_PAGE, B53_SWITCH_CTRL, &mgmt);
+ mgmt |= B53_MII_DUMB_FWDG_EN;
+ b53_write8(dev, B53_CTRL_PAGE, B53_SWITCH_CTRL, mgmt);
+- }
+
+- /* Look at B53_UC_FWD_EN and B53_MC_FWD_EN to decide whether
+- * frames should be flooded or not.
+- */
+- b53_read8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, &mgmt);
+- mgmt |= B53_UC_FWD_EN | B53_MC_FWD_EN | B53_IPMC_FWD_EN;
+- b53_write8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, mgmt);
++ /* Look at B53_UC_FWD_EN and B53_MC_FWD_EN to decide whether
++ * frames should be flooded or not.
++ */
++ b53_read8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, &mgmt);
++ mgmt |= B53_UC_FWD_EN | B53_MC_FWD_EN | B53_IPMC_FWD_EN;
++ b53_write8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, mgmt);
++ } else {
++ b53_read8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, &mgmt);
++ mgmt |= B53_IP_MCAST_25;
++ b53_write8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, mgmt);
++ }
+ }
+
+ static void b53_enable_vlan(struct b53_device *dev, int port, bool enable,
+diff --git a/drivers/net/dsa/b53/b53_regs.h b/drivers/net/dsa/b53/b53_regs.h
+index e5776545a8a0..77fb7ae660b8 100644
+--- a/drivers/net/dsa/b53/b53_regs.h
++++ b/drivers/net/dsa/b53/b53_regs.h
+@@ -104,6 +104,7 @@
+
+ /* IP Multicast control (8 bit) */
+ #define B53_IP_MULTICAST_CTRL 0x21
++#define B53_IP_MCAST_25 BIT(0)
+ #define B53_IPMC_FWD_EN BIT(1)
+ #define B53_UC_FWD_EN BIT(6)
+ #define B53_MC_FWD_EN BIT(7)
+--
+2.39.5
+
--- /dev/null
+From 0d26632291ab93d593e1858036a5e38dbca88acf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 Jun 2025 09:59:55 +0200
+Subject: net: dsa: b53: prevent DIS_LEARNING access on BCM5325
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Álvaro Fernández Rojas <noltari@gmail.com>
+
+[ Upstream commit 800728abd9f83bda4de62a30ce62a8b41c242020 ]
+
+BCM5325 doesn't implement DIS_LEARNING register so we should avoid reading
+or writing it.
+
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
+Link: https://patch.msgid.link/20250614080000.1884236-10-noltari@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/b53/b53_common.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
+index 2def9ed34beb..ef6191d753e8 100644
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -561,6 +561,9 @@ static void b53_port_set_learning(struct b53_device *dev, int port,
+ {
+ u16 reg;
+
++ if (is5325(dev))
++ return;
++
+ b53_read16(dev, B53_CTRL_PAGE, B53_DIS_LEARNING, ®);
+ if (learning)
+ reg &= ~BIT(port);
+@@ -2034,7 +2037,13 @@ int b53_br_flags_pre(struct dsa_switch *ds, int port,
+ struct switchdev_brport_flags flags,
+ struct netlink_ext_ack *extack)
+ {
+- if (flags.mask & ~(BR_FLOOD | BR_MCAST_FLOOD | BR_LEARNING))
++ struct b53_device *dev = ds->priv;
++ unsigned long mask = (BR_FLOOD | BR_MCAST_FLOOD);
++
++ if (!is5325(dev))
++ mask |= BR_LEARNING;
++
++ if (flags.mask & ~mask)
+ return -EINVAL;
+
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From fb21058e932aa7d9a418761ad89b5f6d00c04f9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 Jun 2025 09:59:57 +0200
+Subject: net: dsa: b53: prevent GMII_PORT_OVERRIDE_CTRL access on BCM5325
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Álvaro Fernández Rojas <noltari@gmail.com>
+
+[ Upstream commit 37883bbc45a8555d6eca88d3a9730504d2dac86c ]
+
+BCM5325 doesn't implement GMII_PORT_OVERRIDE_CTRL register so we should
+avoid reading or writing it.
+PORT_OVERRIDE_RX_FLOW and PORT_OVERRIDE_TX_FLOW aren't defined on BCM5325
+and we should use PORT_OVERRIDE_LP_FLOW_25 instead.
+
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
+Link: https://patch.msgid.link/20250614080000.1884236-12-noltari@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/b53/b53_common.c | 21 +++++++++++++++++----
+ drivers/net/dsa/b53/b53_regs.h | 1 +
+ 2 files changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
+index 091ca9ca49aa..2def9ed34beb 100644
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -1167,6 +1167,8 @@ static void b53_force_link(struct b53_device *dev, int port, int link)
+ if (port == dev->imp_port) {
+ off = B53_PORT_OVERRIDE_CTRL;
+ val = PORT_OVERRIDE_EN;
++ } else if (is5325(dev)) {
++ return;
+ } else {
+ off = B53_GMII_PORT_OVERRIDE_CTRL(port);
+ val = GMII_PO_EN;
+@@ -1191,6 +1193,8 @@ static void b53_force_port_config(struct b53_device *dev, int port,
+ if (port == dev->imp_port) {
+ off = B53_PORT_OVERRIDE_CTRL;
+ val = PORT_OVERRIDE_EN;
++ } else if (is5325(dev)) {
++ return;
+ } else {
+ off = B53_GMII_PORT_OVERRIDE_CTRL(port);
+ val = GMII_PO_EN;
+@@ -1221,10 +1225,19 @@ static void b53_force_port_config(struct b53_device *dev, int port,
+ return;
+ }
+
+- if (rx_pause)
+- reg |= PORT_OVERRIDE_RX_FLOW;
+- if (tx_pause)
+- reg |= PORT_OVERRIDE_TX_FLOW;
++ if (rx_pause) {
++ if (is5325(dev))
++ reg |= PORT_OVERRIDE_LP_FLOW_25;
++ else
++ reg |= PORT_OVERRIDE_RX_FLOW;
++ }
++
++ if (tx_pause) {
++ if (is5325(dev))
++ reg |= PORT_OVERRIDE_LP_FLOW_25;
++ else
++ reg |= PORT_OVERRIDE_TX_FLOW;
++ }
+
+ b53_write8(dev, B53_CTRL_PAGE, off, reg);
+ }
+diff --git a/drivers/net/dsa/b53/b53_regs.h b/drivers/net/dsa/b53/b53_regs.h
+index b2c539a42154..e5776545a8a0 100644
+--- a/drivers/net/dsa/b53/b53_regs.h
++++ b/drivers/net/dsa/b53/b53_regs.h
+@@ -92,6 +92,7 @@
+ #define PORT_OVERRIDE_SPEED_10M (0 << PORT_OVERRIDE_SPEED_S)
+ #define PORT_OVERRIDE_SPEED_100M (1 << PORT_OVERRIDE_SPEED_S)
+ #define PORT_OVERRIDE_SPEED_1000M (2 << PORT_OVERRIDE_SPEED_S)
++#define PORT_OVERRIDE_LP_FLOW_25 BIT(3) /* BCM5325 only */
+ #define PORT_OVERRIDE_RV_MII_25 BIT(4) /* BCM5325 only */
+ #define PORT_OVERRIDE_RX_FLOW BIT(4)
+ #define PORT_OVERRIDE_TX_FLOW BIT(5)
+--
+2.39.5
+
--- /dev/null
+From f40d4ed166ea54727b009dfb6ee4cba0efc79192 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 Jun 2025 09:59:53 +0200
+Subject: net: dsa: b53: prevent SWITCH_CTRL access on BCM5325
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Álvaro Fernández Rojas <noltari@gmail.com>
+
+[ Upstream commit 22ccaaca43440e90a3b68d2183045b42247dc4be ]
+
+BCM5325 doesn't implement SWITCH_CTRL register so we should avoid reading
+or writing it.
+
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
+Link: https://patch.msgid.link/20250614080000.1884236-8-noltari@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/b53/b53_common.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
+index ef6191d753e8..2de7a3254455 100644
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -339,11 +339,12 @@ static void b53_set_forwarding(struct b53_device *dev, int enable)
+
+ b53_write8(dev, B53_CTRL_PAGE, B53_SWITCH_MODE, mgmt);
+
+- /* Include IMP port in dumb forwarding mode
+- */
+- b53_read8(dev, B53_CTRL_PAGE, B53_SWITCH_CTRL, &mgmt);
+- mgmt |= B53_MII_DUMB_FWDG_EN;
+- b53_write8(dev, B53_CTRL_PAGE, B53_SWITCH_CTRL, mgmt);
++ if (!is5325(dev)) {
++ /* Include IMP port in dumb forwarding mode */
++ b53_read8(dev, B53_CTRL_PAGE, B53_SWITCH_CTRL, &mgmt);
++ mgmt |= B53_MII_DUMB_FWDG_EN;
++ b53_write8(dev, B53_CTRL_PAGE, B53_SWITCH_CTRL, mgmt);
++ }
+
+ /* Look at B53_UC_FWD_EN and B53_MC_FWD_EN to decide whether
+ * frames should be flooded or not.
+--
+2.39.5
+
--- /dev/null
+From d3097d77b0b62eeeb7aa1f9dc4677022fbcc2111 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jun 2025 15:44:02 +0200
+Subject: net: fec: allow disable coalescing
+
+From: Jonas Rebmann <jre@pengutronix.de>
+
+[ Upstream commit b7ad21258f9e9a7f58b19595d5ceed2cde3bed68 ]
+
+In the current implementation, IP coalescing is always enabled and
+cannot be disabled.
+
+As setting maximum frames to 0 or 1, or setting delay to zero implies
+immediate delivery of single packets/IRQs, disable coalescing in
+hardware in these cases.
+
+This also guarantees that coalescing is never enabled with ICFT or ICTT
+set to zero, a configuration that could lead to unpredictable behaviour
+according to i.MX8MP reference manual.
+
+Signed-off-by: Jonas Rebmann <jre@pengutronix.de>
+Reviewed-by: Wei Fang <wei.fang@nxp.com>
+Link: https://patch.msgid.link/20250626-fec_deactivate_coalescing-v2-1-0b217f2e80da@pengutronix.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fec_main.c | 34 +++++++++++------------
+ 1 file changed, 16 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
+index 5c860eef0300..437e72110ab5 100644
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -2727,27 +2727,25 @@ static int fec_enet_us_to_itr_clock(struct net_device *ndev, int us)
+ static void fec_enet_itr_coal_set(struct net_device *ndev)
+ {
+ struct fec_enet_private *fep = netdev_priv(ndev);
+- int rx_itr, tx_itr;
++ u32 rx_itr = 0, tx_itr = 0;
++ int rx_ictt, tx_ictt;
+
+- /* Must be greater than zero to avoid unpredictable behavior */
+- if (!fep->rx_time_itr || !fep->rx_pkts_itr ||
+- !fep->tx_time_itr || !fep->tx_pkts_itr)
+- return;
+-
+- /* Select enet system clock as Interrupt Coalescing
+- * timer Clock Source
+- */
+- rx_itr = FEC_ITR_CLK_SEL;
+- tx_itr = FEC_ITR_CLK_SEL;
++ rx_ictt = fec_enet_us_to_itr_clock(ndev, fep->rx_time_itr);
++ tx_ictt = fec_enet_us_to_itr_clock(ndev, fep->tx_time_itr);
+
+- /* set ICFT and ICTT */
+- rx_itr |= FEC_ITR_ICFT(fep->rx_pkts_itr);
+- rx_itr |= FEC_ITR_ICTT(fec_enet_us_to_itr_clock(ndev, fep->rx_time_itr));
+- tx_itr |= FEC_ITR_ICFT(fep->tx_pkts_itr);
+- tx_itr |= FEC_ITR_ICTT(fec_enet_us_to_itr_clock(ndev, fep->tx_time_itr));
++ if (rx_ictt > 0 && fep->rx_pkts_itr > 1) {
++ /* Enable with enet system clock as Interrupt Coalescing timer Clock Source */
++ rx_itr = FEC_ITR_EN | FEC_ITR_CLK_SEL;
++ rx_itr |= FEC_ITR_ICFT(fep->rx_pkts_itr);
++ rx_itr |= FEC_ITR_ICTT(rx_ictt);
++ }
+
+- rx_itr |= FEC_ITR_EN;
+- tx_itr |= FEC_ITR_EN;
++ if (tx_ictt > 0 && fep->tx_pkts_itr > 1) {
++ /* Enable with enet system clock as Interrupt Coalescing timer Clock Source */
++ tx_itr = FEC_ITR_EN | FEC_ITR_CLK_SEL;
++ tx_itr |= FEC_ITR_ICFT(fep->tx_pkts_itr);
++ tx_itr |= FEC_ITR_ICTT(tx_ictt);
++ }
+
+ writel(tx_itr, fep->hwp + FEC_TXIC0);
+ writel(rx_itr, fep->hwp + FEC_RXIC0);
+--
+2.39.5
+
--- /dev/null
+From be9d91e7ad8e3886f954794647accdf61a7b74ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 16:27:13 +0200
+Subject: net: ipv4: fix incorrect MTU in broadcast routes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Oscar Maes <oscmaes92@gmail.com>
+
+[ Upstream commit 9e30ecf23b1b8f091f7d08b27968dea83aae7908 ]
+
+Currently, __mkroute_output overrules the MTU value configured for
+broadcast routes.
+
+This buggy behaviour can be reproduced with:
+
+ip link set dev eth1 mtu 9000
+ip route del broadcast 192.168.0.255 dev eth1 proto kernel scope link src 192.168.0.2
+ip route add broadcast 192.168.0.255 dev eth1 proto kernel scope link src 192.168.0.2 mtu 1500
+
+The maximum packet size should be 1500, but it is actually 8000:
+
+ping -b 192.168.0.255 -s 8000
+
+Fix __mkroute_output to allow MTU values to be configured for
+for broadcast routes (to support a mixed-MTU local-area-network).
+
+Signed-off-by: Oscar Maes <oscmaes92@gmail.com>
+Link: https://patch.msgid.link/20250710142714.12986-1-oscmaes92@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/route.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index cbc584c386e9..df4cbf9ba288 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -2565,7 +2565,6 @@ static struct rtable *__mkroute_output(const struct fib_result *res,
+ do_cache = true;
+ if (type == RTN_BROADCAST) {
+ flags |= RTCF_BROADCAST | RTCF_LOCAL;
+- fi = NULL;
+ } else if (type == RTN_MULTICAST) {
+ flags |= RTCF_MULTICAST | RTCF_LOCAL;
+ if (!ip_check_mc_rcu(in_dev, fl4->daddr, fl4->saddr,
+--
+2.39.5
+
--- /dev/null
+From ae22f1bd8d175b60aca36c2dbb2e927892d0f54b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 16:55:55 +0800
+Subject: net: mctp: Prevent duplicate binds
+
+From: Matt Johnston <matt@codeconstruct.com.au>
+
+[ Upstream commit 3954502377ec05a1b37e2dc9bef0bacd4bbd71b2 ]
+
+Disallow bind() calls that have the same arguments as existing bound
+sockets. Previously multiple sockets could bind() to the same
+type/local address, with an arbitrary socket receiving matched messages.
+
+This is only a partial fix, a future commit will define precedence order
+for MCTP_ADDR_ANY versus specific EID bind(), which are allowed to exist
+together.
+
+Signed-off-by: Matt Johnston <matt@codeconstruct.com.au>
+Link: https://patch.msgid.link/20250710-mctp-bind-v4-2-8ec2f6460c56@codeconstruct.com.au
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mctp/af_mctp.c | 26 +++++++++++++++++++++++---
+ 1 file changed, 23 insertions(+), 3 deletions(-)
+
+diff --git a/net/mctp/af_mctp.c b/net/mctp/af_mctp.c
+index 53b3a294b042..61476eb6aac7 100644
+--- a/net/mctp/af_mctp.c
++++ b/net/mctp/af_mctp.c
+@@ -60,7 +60,6 @@ static int mctp_bind(struct socket *sock, struct sockaddr *addr, int addrlen)
+
+ lock_sock(sk);
+
+- /* TODO: allow rebind */
+ if (sk_hashed(sk)) {
+ rc = -EADDRINUSE;
+ goto out_release;
+@@ -252,15 +251,36 @@ static void mctp_sk_close(struct sock *sk, long timeout)
+ static int mctp_sk_hash(struct sock *sk)
+ {
+ struct net *net = sock_net(sk);
++ struct sock *existing;
++ struct mctp_sock *msk;
++ int rc;
++
++ msk = container_of(sk, struct mctp_sock, sk);
+
+ /* Bind lookup runs under RCU, remain live during that. */
+ sock_set_flag(sk, SOCK_RCU_FREE);
+
+ mutex_lock(&net->mctp.bind_lock);
++
++ /* Prevent duplicate binds. */
++ sk_for_each(existing, &net->mctp.binds) {
++ struct mctp_sock *mex =
++ container_of(existing, struct mctp_sock, sk);
++
++ if (mex->bind_type == msk->bind_type &&
++ mex->bind_addr == msk->bind_addr &&
++ mex->bind_net == msk->bind_net) {
++ rc = -EADDRINUSE;
++ goto out;
++ }
++ }
++
+ sk_add_node_rcu(sk, &net->mctp.binds);
+- mutex_unlock(&net->mctp.bind_lock);
++ rc = 0;
+
+- return 0;
++out:
++ mutex_unlock(&net->mctp.bind_lock);
++ return rc;
+ }
+
+ static void mctp_sk_unhash(struct sock *sk)
+--
+2.39.5
+
--- /dev/null
+From cccc530a1e1402a696a4b936cc1ac06ae6cb39e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jul 2025 17:17:49 +0300
+Subject: net/mlx5e: Properly access RCU protected qdisc_sleeping variable
+
+From: Leon Romanovsky <leonro@nvidia.com>
+
+[ Upstream commit 2a601b2d35623065d31ebaf697b07502d54878c9 ]
+
+qdisc_sleeping variable is declared as "struct Qdisc __rcu" and
+as such needs proper annotation while accessing it.
+
+Without rtnl_dereference(), the following error is generated by sparse:
+
+drivers/net/ethernet/mellanox/mlx5/core/en/qos.c:377:40: warning:
+ incorrect type in initializer (different address spaces)
+drivers/net/ethernet/mellanox/mlx5/core/en/qos.c:377:40: expected
+ struct Qdisc *qdisc
+drivers/net/ethernet/mellanox/mlx5/core/en/qos.c:377:40: got struct
+ Qdisc [noderef] __rcu *qdisc_sleeping
+
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+Link: https://patch.msgid.link/1752675472-201445-4-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en/qos.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/qos.c b/drivers/net/ethernet/mellanox/mlx5/core/en/qos.c
+index 965838893432..7291ccabecba 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/qos.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/qos.c
+@@ -724,7 +724,7 @@ static void mlx5e_reactivate_qos_sq(struct mlx5e_priv *priv, u16 qid, struct net
+ static void mlx5e_reset_qdisc(struct net_device *dev, u16 qid)
+ {
+ struct netdev_queue *dev_queue = netdev_get_tx_queue(dev, qid);
+- struct Qdisc *qdisc = dev_queue->qdisc_sleeping;
++ struct Qdisc *qdisc = rtnl_dereference(dev_queue->qdisc_sleeping);
+
+ if (!qdisc)
+ return;
+--
+2.39.5
+
--- /dev/null
+From 7ab6e09df0a8dab1cacabb7e66432a911a179441 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 12:33:38 -0700
+Subject: net: ncsi: Fix buffer overflow in fetching version id
+
+From: Hari Kalavakunta <kalavakunta.hari.prasad@gmail.com>
+
+[ Upstream commit 8e16170ae972c7fed132bc928914a2ffb94690fc ]
+
+In NC-SI spec v1.2 section 8.4.44.2, the firmware name doesn't
+need to be null terminated while its size occupies the full size
+of the field. Fix the buffer overflow issue by adding one
+additional byte for null terminator.
+
+Signed-off-by: Hari Kalavakunta <kalavakunta.hari.prasad@gmail.com>
+Reviewed-by: Paul Fertser <fercerpav@gmail.com>
+Link: https://patch.msgid.link/20250610193338.1368-1-kalavakunta.hari.prasad@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ncsi/internal.h | 2 +-
+ net/ncsi/ncsi-rsp.c | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/ncsi/internal.h b/net/ncsi/internal.h
+index 2c260f33b55c..ad1f671ffc37 100644
+--- a/net/ncsi/internal.h
++++ b/net/ncsi/internal.h
+@@ -110,7 +110,7 @@ struct ncsi_channel_version {
+ u8 update; /* NCSI version update */
+ char alpha1; /* NCSI version alpha1 */
+ char alpha2; /* NCSI version alpha2 */
+- u8 fw_name[12]; /* Firmware name string */
++ u8 fw_name[12 + 1]; /* Firmware name string */
+ u32 fw_version; /* Firmware version */
+ u16 pci_ids[4]; /* PCI identification */
+ u32 mf_id; /* Manufacture ID */
+diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c
+index 8668888c5a2f..d5ed80731e89 100644
+--- a/net/ncsi/ncsi-rsp.c
++++ b/net/ncsi/ncsi-rsp.c
+@@ -775,6 +775,7 @@ static int ncsi_rsp_handler_gvi(struct ncsi_request *nr)
+ ncv->alpha1 = rsp->alpha1;
+ ncv->alpha2 = rsp->alpha2;
+ memcpy(ncv->fw_name, rsp->fw_name, 12);
++ ncv->fw_name[12] = '\0';
+ ncv->fw_version = ntohl(rsp->fw_version);
+ for (i = 0; i < ARRAY_SIZE(ncv->pci_ids); i++)
+ ncv->pci_ids[i] = ntohs(rsp->pci_ids[i]);
+--
+2.39.5
+
--- /dev/null
+From 6b82a39d93888948654337edcf89dce2c9023d54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Jul 2025 17:29:16 +0200
+Subject: net: phy: smsc: add proper reset flags for LAN8710A
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Buday Csaba <buday.csaba@prolan.hu>
+
+[ Upstream commit 57ec5a8735dc5dccd1ee68afdb1114956a3fce0d ]
+
+According to the LAN8710A datasheet (Rev. B, section 3.8.5.1), a hardware
+reset is required after power-on, and the reference clock (REF_CLK) must be
+established before asserting reset.
+
+Signed-off-by: Buday Csaba <buday.csaba@prolan.hu>
+Cc: Csókás Bence <csokas.bence@prolan.hu>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/20250728152916.46249-2-csokas.bence@prolan.hu
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/smsc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/phy/smsc.c b/drivers/net/phy/smsc.c
+index 5c3ebb66fceb..4175df632de2 100644
+--- a/drivers/net/phy/smsc.c
++++ b/drivers/net/phy/smsc.c
+@@ -452,6 +452,7 @@ static struct phy_driver smsc_phy_driver[] = {
+
+ /* PHY_BASIC_FEATURES */
+
++ .flags = PHY_RST_AFTER_CLK_EN,
+ .probe = smsc_phy_probe,
+ .remove = smsc_phy_remove,
+
+--
+2.39.5
+
--- /dev/null
+From 82dcc3657c5b05e65e02d8c04983a9d950b1e84b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 28 Jun 2025 17:49:20 +0800
+Subject: net: thunderbolt: Fix the parameter passing of
+ tb_xdomain_enable_paths()/tb_xdomain_disable_paths()
+
+From: zhangjianrong <zhangjianrong5@huawei.com>
+
+[ Upstream commit 8ec31cb17cd355cea25cdb8496d9b3fbf1321647 ]
+
+According to the description of tb_xdomain_enable_paths(), the third
+parameter represents the transmit ring and the fifth parameter represents
+the receive ring. tb_xdomain_disable_paths() is the same case.
+
+[Jakub] Mika says: it works now because both rings ->hop is the same
+
+Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Link: https://lore.kernel.org/20250625051149.GD2824380@black.fi.intel.com
+Signed-off-by: zhangjianrong <zhangjianrong5@huawei.com>
+Link: https://patch.msgid.link/20250628094920.656658-1-zhangjianrong5@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/thunderbolt.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/thunderbolt.c b/drivers/net/thunderbolt.c
+index 470852f7a64d..ba9f7062f5a7 100644
+--- a/drivers/net/thunderbolt.c
++++ b/drivers/net/thunderbolt.c
+@@ -380,9 +380,9 @@ static void tbnet_tear_down(struct tbnet *net, bool send_logout)
+
+ ret = tb_xdomain_disable_paths(net->xd,
+ net->local_transmit_path,
+- net->rx_ring.ring->hop,
++ net->tx_ring.ring->hop,
+ net->remote_transmit_path,
+- net->tx_ring.ring->hop);
++ net->rx_ring.ring->hop);
+ if (ret)
+ netdev_warn(net->dev, "failed to disable DMA paths\n");
+
+@@ -631,9 +631,9 @@ static void tbnet_connected_work(struct work_struct *work)
+ goto err_free_rx_buffers;
+
+ ret = tb_xdomain_enable_paths(net->xd, net->local_transmit_path,
+- net->rx_ring.ring->hop,
++ net->tx_ring.ring->hop,
+ net->remote_transmit_path,
+- net->tx_ring.ring->hop);
++ net->rx_ring.ring->hop);
+ if (ret) {
+ netdev_err(net->dev, "failed to enable DMA paths\n");
+ goto err_free_tx_buffers;
+--
+2.39.5
+
--- /dev/null
+From 410af60888f793834309b939f7e71c6429ef370c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jul 2025 07:05:30 -0700
+Subject: net: thunderx: Fix format-truncation warning in bgx_acpi_match_id()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit 53d20606c40678d425cc03f0978c614dca51f25e ]
+
+The buffer bgx_sel used in snprintf() was too small to safely hold
+the formatted string "BGX%d" for all valid bgx_id values. This caused
+a -Wformat-truncation warning with `Werror` enabled during build.
+
+Increase the buffer size from 5 to 7 and use `sizeof(bgx_sel)` in
+snprintf() to ensure safety and suppress the warning.
+
+Build warning:
+ CC drivers/net/ethernet/cavium/thunder/thunder_bgx.o
+ drivers/net/ethernet/cavium/thunder/thunder_bgx.c: In function
+‘bgx_acpi_match_id’:
+ drivers/net/ethernet/cavium/thunder/thunder_bgx.c:1434:27: error: ‘%d’
+directive output may be truncated writing between 1 and 3 bytes into a
+region of size 2 [-Werror=format-truncation=]
+ snprintf(bgx_sel, 5, "BGX%d", bgx->bgx_id);
+ ^~
+ drivers/net/ethernet/cavium/thunder/thunder_bgx.c:1434:23: note:
+directive argument in the range [0, 255]
+ snprintf(bgx_sel, 5, "BGX%d", bgx->bgx_id);
+ ^~~~~~~
+ drivers/net/ethernet/cavium/thunder/thunder_bgx.c:1434:2: note:
+‘snprintf’ output between 5 and 7 bytes into a destination of size 5
+ snprintf(bgx_sel, 5, "BGX%d", bgx->bgx_id);
+
+compiler warning due to insufficient snprintf buffer size.
+
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250711140532.2463602-1-alok.a.tiwari@oracle.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+index daaffae1a89f..1831066c7647 100644
+--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
++++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+@@ -1427,9 +1427,9 @@ static acpi_status bgx_acpi_match_id(acpi_handle handle, u32 lvl,
+ {
+ struct acpi_buffer string = { ACPI_ALLOCATE_BUFFER, NULL };
+ struct bgx *bgx = context;
+- char bgx_sel[5];
++ char bgx_sel[7];
+
+- snprintf(bgx_sel, 5, "BGX%d", bgx->bgx_id);
++ snprintf(bgx_sel, sizeof(bgx_sel), "BGX%d", bgx->bgx_id);
+ if (ACPI_FAILURE(acpi_get_name(handle, ACPI_SINGLE_NAME, &string))) {
+ pr_warn("Invalid link device\n");
+ return AE_OK;
+--
+2.39.5
+
--- /dev/null
+From 2ee1076fedf64f15290cf86f793cfcbbb69d5c90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Jun 2025 16:26:25 +0300
+Subject: net: vlan: Replace BUG() with WARN_ON_ONCE() in vlan_dev_* stubs
+
+From: Gal Pressman <gal@nvidia.com>
+
+[ Upstream commit 60a8b1a5d0824afda869f18dc0ecfe72f8dfda42 ]
+
+When CONFIG_VLAN_8021Q=n, a set of stub helpers are used, three of these
+helpers use BUG() unconditionally.
+
+This code should not be reached, as callers of these functions should
+always check for is_vlan_dev() first, but the usage of BUG() is not
+recommended, replace it with WARN_ON() instead.
+
+Reviewed-by: Alex Lazar <alazar@nvidia.com>
+Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
+Signed-off-by: Gal Pressman <gal@nvidia.com>
+Link: https://patch.msgid.link/20250616132626.1749331-3-gal@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/if_vlan.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/if_vlan.h b/include/linux/if_vlan.h
+index 64cfe7cd292c..3728e3978f83 100644
+--- a/include/linux/if_vlan.h
++++ b/include/linux/if_vlan.h
+@@ -248,19 +248,19 @@ vlan_for_each(struct net_device *dev,
+
+ static inline struct net_device *vlan_dev_real_dev(const struct net_device *dev)
+ {
+- BUG();
++ WARN_ON_ONCE(1);
+ return NULL;
+ }
+
+ static inline u16 vlan_dev_vlan_id(const struct net_device *dev)
+ {
+- BUG();
++ WARN_ON_ONCE(1);
+ return 0;
+ }
+
+ static inline __be16 vlan_dev_vlan_proto(const struct net_device *dev)
+ {
+- BUG();
++ WARN_ON_ONCE(1);
+ return 0;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From b7576a851859e2957a1113fc9be6199c55531731 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Jun 2025 17:52:38 +0000
+Subject: netmem: fix skb_frag_address_safe with unreadable skbs
+
+From: Mina Almasry <almasrymina@google.com>
+
+[ Upstream commit 4672aec56d2e8edabcb74c3e2320301d106a377e ]
+
+skb_frag_address_safe() needs a check that the
+skb_frag_page exists check similar to skb_frag_address().
+
+Cc: ap420073@gmail.com
+
+Signed-off-by: Mina Almasry <almasrymina@google.com>
+Acked-by: Stanislav Fomichev <sdf@fomichev.me>
+Link: https://patch.msgid.link/20250619175239.3039329-1-almasrymina@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/skbuff.h | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
+index 9155d0d7f706..a8d6e976507e 100644
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -3287,7 +3287,13 @@ static inline void *skb_frag_address(const skb_frag_t *frag)
+ */
+ static inline void *skb_frag_address_safe(const skb_frag_t *frag)
+ {
+- void *ptr = page_address(skb_frag_page(frag));
++ struct page *page = skb_frag_page(frag);
++ void *ptr;
++
++ if (!page)
++ return NULL;
++
++ ptr = page_address(page);
+ if (unlikely(!ptr))
+ return NULL;
+
+--
+2.39.5
+
--- /dev/null
+From 3a03dea5f71ee4c18c9e6ae657bde06c4c47689b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 16:30:39 +0200
+Subject: pinctrl: stm32: Manage irq affinity settings
+
+From: Cheick Traore <cheick.traore@foss.st.com>
+
+[ Upstream commit 4c5cc2f65386e22166ce006efe515c667aa075e4 ]
+
+Trying to set the affinity of the interrupts associated to stm32
+pinctrl results in a write error.
+
+Fill struct irq_chip::irq_set_affinity to use the default helper
+function.
+
+Signed-off-by: Cheick Traore <cheick.traore@foss.st.com>
+Signed-off-by: Antonio Borneo <antonio.borneo@foss.st.com>
+Link: https://lore.kernel.org/20250610143042.295376-3-antonio.borneo@foss.st.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/stm32/pinctrl-stm32.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pinctrl/stm32/pinctrl-stm32.c b/drivers/pinctrl/stm32/pinctrl-stm32.c
+index abb12a5c3c32..821ec5a97551 100644
+--- a/drivers/pinctrl/stm32/pinctrl-stm32.c
++++ b/drivers/pinctrl/stm32/pinctrl-stm32.c
+@@ -412,6 +412,7 @@ static struct irq_chip stm32_gpio_irq_chip = {
+ .irq_set_wake = irq_chip_set_wake_parent,
+ .irq_request_resources = stm32_gpio_irq_request_resources,
+ .irq_release_resources = stm32_gpio_irq_release_resources,
++ .irq_set_affinity = IS_ENABLED(CONFIG_SMP) ? irq_chip_set_affinity_parent : NULL,
+ };
+
+ static int stm32_gpio_domain_translate(struct irq_domain *d,
+--
+2.39.5
+
--- /dev/null
+From 257bcefc362b4db94c8ab8d4fd8ea5b559fbd0e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 17:37:47 +0200
+Subject: platform/chrome: cros_ec_typec: Defer probe on missing EC parent
+
+From: Tomasz Michalec <tmichalec@google.com>
+
+[ Upstream commit 8866f4e557eba43e991f99711515217a95f62d2e ]
+
+If cros_typec_probe is called before EC device is registered,
+cros_typec_probe will fail. It may happen when cros-ec-typec.ko is
+loaded before EC bus layer module (e.g. cros_ec_lpcs.ko,
+cros_ec_spi.ko).
+
+Return -EPROBE_DEFER when cros_typec_probe doesn't get EC device, so
+the probe function can be called again after EC device is registered.
+
+Signed-off-by: Tomasz Michalec <tmichalec@google.com>
+Reviewed-by: Abhishek Pandit-Subedi <abhishekpandit@chromium.org>
+Link: https://lore.kernel.org/r/20250610153748.1858519-1-tmichalec@google.com
+Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/chrome/cros_ec_typec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/platform/chrome/cros_ec_typec.c b/drivers/platform/chrome/cros_ec_typec.c
+index c065963b9a42..6f3fdd38c393 100644
+--- a/drivers/platform/chrome/cros_ec_typec.c
++++ b/drivers/platform/chrome/cros_ec_typec.c
+@@ -1110,8 +1110,8 @@ static int cros_typec_probe(struct platform_device *pdev)
+
+ typec->ec = dev_get_drvdata(pdev->dev.parent);
+ if (!typec->ec) {
+- dev_err(dev, "couldn't find parent EC device\n");
+- return -ENODEV;
++ dev_warn(dev, "couldn't find parent EC device\n");
++ return -EPROBE_DEFER;
+ }
+
+ platform_set_drvdata(pdev, typec);
+--
+2.39.5
+
--- /dev/null
+From 09d949926f5188c69ddfc7dcd2aaed6406158dc0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 May 2025 11:18:37 -0700
+Subject: platform/x86: thinkpad_acpi: Handle KCOV __init vs inline mismatches
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit 6418a8504187dc7f5b6f9d0649c03e362cb0664b ]
+
+When KCOV is enabled all functions get instrumented, unless the
+__no_sanitize_coverage attribute is used. To prepare for
+__no_sanitize_coverage being applied to __init functions[1], we have
+to handle differences in how GCC's inline optimizations get resolved.
+For thinkpad_acpi routines, this means forcing two functions to be
+inline with __always_inline.
+
+Link: https://lore.kernel.org/lkml/20250523043935.2009972-11-kees@kernel.org/ [1]
+Signed-off-by: Kees Cook <kees@kernel.org>
+Link: https://lore.kernel.org/r/20250529181831.work.439-kees@kernel.org
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/thinkpad_acpi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c
+index 9b700a3ad7b2..89a8e074c16d 100644
+--- a/drivers/platform/x86/thinkpad_acpi.c
++++ b/drivers/platform/x86/thinkpad_acpi.c
+@@ -523,12 +523,12 @@ static unsigned long __init tpacpi_check_quirks(
+ return 0;
+ }
+
+-static inline bool __pure __init tpacpi_is_lenovo(void)
++static __always_inline bool __pure __init tpacpi_is_lenovo(void)
+ {
+ return thinkpad_id.vendor == PCI_VENDOR_ID_LENOVO;
+ }
+
+-static inline bool __pure __init tpacpi_is_ibm(void)
++static __always_inline bool __pure __init tpacpi_is_ibm(void)
+ {
+ return thinkpad_id.vendor == PCI_VENDOR_ID_IBM;
+ }
+--
+2.39.5
+
--- /dev/null
+From 368bbecab45dc723199d5011ce81c348b340bdb3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jun 2025 17:53:54 +0530
+Subject: pm: cpupower: Fix the snapshot-order of tsc,mperf, clock in
+ mperf_stop()
+
+From: Gautham R. Shenoy <gautham.shenoy@amd.com>
+
+[ Upstream commit cda7ac8ce7de84cf32a3871ba5f318aa3b79381e ]
+
+In the function mperf_start(), mperf_monitor snapshots the time, tsc
+and finally the aperf,mperf MSRs. However, this order of snapshotting
+in is reversed in mperf_stop(). As a result, the C0 residency (which
+is computed as delta_mperf * 100 / delta_tsc) is under-reported on
+CPUs that is 100% busy.
+
+Fix this by snapshotting time, tsc and then aperf,mperf in
+mperf_stop() in the same order as in mperf_start().
+
+Link: https://lore.kernel.org/r/20250612122355.19629-2-gautham.shenoy@amd.com
+Signed-off-by: Gautham R. Shenoy <gautham.shenoy@amd.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/power/cpupower/utils/idle_monitor/mperf_monitor.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c b/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c
+index 08a399b0be28..6ab9139f16af 100644
+--- a/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c
++++ b/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c
+@@ -240,9 +240,9 @@ static int mperf_stop(void)
+ int cpu;
+
+ for (cpu = 0; cpu < cpu_count; cpu++) {
+- mperf_measure_stats(cpu);
+- mperf_get_tsc(&tsc_at_measure_end[cpu]);
+ clock_gettime(CLOCK_REALTIME, &time_end[cpu]);
++ mperf_get_tsc(&tsc_at_measure_end[cpu]);
++ mperf_measure_stats(cpu);
+ }
+
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From a173d881d15dd03ba2aa123c8c100613f4e2e59b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Apr 2025 11:00:17 +0800
+Subject: PM / devfreq: governor: Replace sscanf() with kstrtoul() in
+ set_freq_store()
+
+From: Lifeng Zheng <zhenglifeng1@huawei.com>
+
+[ Upstream commit 914cc799b28f17d369d5b4db3b941957d18157e8 ]
+
+Replace sscanf() with kstrtoul() in set_freq_store() and check the result
+to avoid invalid input.
+
+Signed-off-by: Lifeng Zheng <zhenglifeng1@huawei.com>
+Link: https://lore.kernel.org/lkml/20250421030020.3108405-2-zhenglifeng1@huawei.com/
+Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/devfreq/governor_userspace.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/devfreq/governor_userspace.c b/drivers/devfreq/governor_userspace.c
+index d69672ccacc4..8d057cea09d5 100644
+--- a/drivers/devfreq/governor_userspace.c
++++ b/drivers/devfreq/governor_userspace.c
+@@ -9,6 +9,7 @@
+ #include <linux/slab.h>
+ #include <linux/device.h>
+ #include <linux/devfreq.h>
++#include <linux/kstrtox.h>
+ #include <linux/pm.h>
+ #include <linux/mutex.h>
+ #include <linux/module.h>
+@@ -39,10 +40,13 @@ static ssize_t set_freq_store(struct device *dev, struct device_attribute *attr,
+ unsigned long wanted;
+ int err = 0;
+
++ err = kstrtoul(buf, 0, &wanted);
++ if (err)
++ return err;
++
+ mutex_lock(&devfreq->lock);
+ data = devfreq->governor_data;
+
+- sscanf(buf, "%lu", &wanted);
+ data->user_frequency = wanted;
+ data->valid = true;
+ err = update_devfreq(devfreq);
+--
+2.39.5
+
--- /dev/null
+From 73c864f0aecdee808c10642621dc131998d710c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 21:16:05 +0200
+Subject: PM: runtime: Clear power.needs_force_resume in pm_runtime_reinit()
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 89d9cec3b1e9c49bae9375a2db6dc49bc7468af0 ]
+
+Clear power.needs_force_resume in pm_runtime_reinit() in case it has
+been set by pm_runtime_force_suspend() invoked from a driver remove
+callback.
+
+Suggested-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
+Link: https://patch.msgid.link/9495163.CDJkKcVGEf@rjwysocki.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/power/runtime.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c
+index 35e1a090ef90..26ea7f5c8d42 100644
+--- a/drivers/base/power/runtime.c
++++ b/drivers/base/power/runtime.c
+@@ -1714,6 +1714,11 @@ void pm_runtime_reinit(struct device *dev)
+ pm_runtime_put(dev->parent);
+ }
+ }
++ /*
++ * Clear power.needs_force_resume in case it has been set by
++ * pm_runtime_force_suspend() invoked from a driver remove callback.
++ */
++ dev->power.needs_force_resume = false;
+ }
+
+ /**
+--
+2.39.5
+
--- /dev/null
+From 046e4f8a5ff034c8d0061e00020b4eef30667c3e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 11:23:45 +0800
+Subject: PM: sleep: console: Fix the black screen issue
+
+From: tuhaowen <tuhaowen@uniontech.com>
+
+[ Upstream commit 4266e8fa56d3d982bf451d382a410b9db432015c ]
+
+When the computer enters sleep status without a monitor
+connected, the system switches the console to the virtual
+terminal tty63(SUSPEND_CONSOLE).
+
+If a monitor is subsequently connected before waking up,
+the system skips the required VT restoration process
+during wake-up, leaving the console on tty63 instead of
+switching back to tty1.
+
+To fix this issue, a global flag vt_switch_done is introduced
+to record whether the system has successfully switched to
+the suspend console via vt_move_to_console() during suspend.
+
+If the switch was completed, vt_switch_done is set to 1.
+Later during resume, this flag is checked to ensure that
+the original console is restored properly by calling
+vt_move_to_console(orig_fgconsole, 0).
+
+This prevents scenarios where the resume logic skips console
+restoration due to incorrect detection of the console state,
+especially when a monitor is reconnected before waking up.
+
+Signed-off-by: tuhaowen <tuhaowen@uniontech.com>
+Link: https://patch.msgid.link/20250611032345.29962-1-tuhaowen@uniontech.com
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/power/console.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/power/console.c b/kernel/power/console.c
+index fcdf0e14a47d..19c48aa5355d 100644
+--- a/kernel/power/console.c
++++ b/kernel/power/console.c
+@@ -16,6 +16,7 @@
+ #define SUSPEND_CONSOLE (MAX_NR_CONSOLES-1)
+
+ static int orig_fgconsole, orig_kmsg;
++static bool vt_switch_done;
+
+ static DEFINE_MUTEX(vt_switch_mutex);
+
+@@ -136,17 +137,21 @@ void pm_prepare_console(void)
+ if (orig_fgconsole < 0)
+ return;
+
++ vt_switch_done = true;
++
+ orig_kmsg = vt_kmsg_redirect(SUSPEND_CONSOLE);
+ return;
+ }
+
+ void pm_restore_console(void)
+ {
+- if (!pm_vt_switch())
++ if (!pm_vt_switch() && !vt_switch_done)
+ return;
+
+ if (orig_fgconsole >= 0) {
+ vt_move_to_console(orig_fgconsole, 0);
+ vt_kmsg_redirect(orig_kmsg);
+ }
++
++ vt_switch_done = false;
+ }
+--
+2.39.5
+
--- /dev/null
+From 1bf495c8b052df64baf4e6d1bada9a104ddc2b84 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 16:32:21 +0300
+Subject: pNFS: Fix disk addr range check in block/scsi layout
+
+From: Sergey Bashirov <sergeybashirov@gmail.com>
+
+[ Upstream commit 7db6e66663681abda54f81d5916db3a3b8b1a13d ]
+
+At the end of the isect translation, disc_addr represents the physical
+disk offset. Thus, end calculated from disk_addr is also a physical disk
+offset. Therefore, range checking should be done using map->disk_offset,
+not map->start.
+
+Signed-off-by: Sergey Bashirov <sergeybashirov@gmail.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20250702133226.212537-1-sergeybashirov@gmail.com
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/blocklayout/blocklayout.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/nfs/blocklayout/blocklayout.c b/fs/nfs/blocklayout/blocklayout.c
+index dc657b12822d..76423557f5b3 100644
+--- a/fs/nfs/blocklayout/blocklayout.c
++++ b/fs/nfs/blocklayout/blocklayout.c
+@@ -166,8 +166,8 @@ do_add_page_to_bio(struct bio *bio, int npg, int rw, sector_t isect,
+
+ /* limit length to what the device mapping allows */
+ end = disk_addr + *len;
+- if (end >= map->start + map->len)
+- *len = map->start + map->len - disk_addr;
++ if (end >= map->disk_offset + map->len)
++ *len = map->disk_offset + map->len - disk_addr;
+
+ retry:
+ if (!bio) {
+--
+2.39.5
+
--- /dev/null
+From 138a3bb6a590138f85ba94e9191c7026c35c5585 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 15:21:48 +0300
+Subject: pNFS: Fix stripe mapping in block/scsi layout
+
+From: Sergey Bashirov <sergeybashirov@gmail.com>
+
+[ Upstream commit 81438498a285759f31e843ac4800f82a5ce6521f ]
+
+Because of integer division, we need to carefully calculate the
+disk offset. Consider the example below for a stripe of 6 volumes,
+a chunk size of 4096, and an offset of 70000.
+
+chunk = div_u64(offset, dev->chunk_size) = 70000 / 4096 = 17
+offset = chunk * dev->chunk_size = 17 * 4096 = 69632
+disk_offset_wrong = div_u64(offset, dev->nr_children) = 69632 / 6 = 11605
+disk_chunk = div_u64(chunk, dev->nr_children) = 17 / 6 = 2
+disk_offset = disk_chunk * dev->chunk_size = 2 * 4096 = 8192
+
+Signed-off-by: Sergey Bashirov <sergeybashirov@gmail.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20250701122341.199112-1-sergeybashirov@gmail.com
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/blocklayout/dev.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/fs/nfs/blocklayout/dev.c b/fs/nfs/blocklayout/dev.c
+index 16412d6636e8..4e176d7d704d 100644
+--- a/fs/nfs/blocklayout/dev.c
++++ b/fs/nfs/blocklayout/dev.c
+@@ -199,10 +199,11 @@ static bool bl_map_stripe(struct pnfs_block_dev *dev, u64 offset,
+ struct pnfs_block_dev *child;
+ u64 chunk;
+ u32 chunk_idx;
++ u64 disk_chunk;
+ u64 disk_offset;
+
+ chunk = div_u64(offset, dev->chunk_size);
+- div_u64_rem(chunk, dev->nr_children, &chunk_idx);
++ disk_chunk = div_u64_rem(chunk, dev->nr_children, &chunk_idx);
+
+ if (chunk_idx >= dev->nr_children) {
+ dprintk("%s: invalid chunk idx %d (%lld/%lld)\n",
+@@ -215,7 +216,7 @@ static bool bl_map_stripe(struct pnfs_block_dev *dev, u64 offset,
+ offset = chunk * dev->chunk_size;
+
+ /* disk offset of the stripe */
+- disk_offset = div_u64(offset, dev->nr_children);
++ disk_offset = disk_chunk * dev->chunk_size;
+
+ child = &dev->children[chunk_idx];
+ child->map(child, disk_offset, map);
+--
+2.39.5
+
--- /dev/null
+From 14ea7db4870b9f0890770e87bd172f2808bf30dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 21:35:26 +0300
+Subject: pNFS: Fix uninited ptr deref in block/scsi layout
+
+From: Sergey Bashirov <sergeybashirov@gmail.com>
+
+[ Upstream commit 9768797c219326699778fba9cd3b607b2f1e7950 ]
+
+The error occurs on the third attempt to encode extents. When function
+ext_tree_prepare_commit() reallocates a larger buffer to retry encoding
+extents, the "layoutupdate_pages" page array is initialized only after the
+retry loop. But ext_tree_free_commitdata() is called on every iteration
+and tries to put pages in the array, thus dereferencing uninitialized
+pointers.
+
+An additional problem is that there is no limit on the maximum possible
+buffer_size. When there are too many extents, the client may create a
+layoutcommit that is larger than the maximum possible RPC size accepted
+by the server.
+
+During testing, we observed two typical scenarios. First, one memory page
+for extents is enough when we work with small files, append data to the
+end of the file, or preallocate extents before writing. But when we fill
+a new large file without preallocating, the number of extents can be huge,
+and counting the number of written extents in ext_tree_encode_commit()
+does not help much. Since this number increases even more between
+unlocking and locking of ext_tree, the reallocated buffer may not be
+large enough again and again.
+
+Co-developed-by: Konstantin Evtushenko <koevtushenko@yandex.com>
+Signed-off-by: Konstantin Evtushenko <koevtushenko@yandex.com>
+Signed-off-by: Sergey Bashirov <sergeybashirov@gmail.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20250630183537.196479-2-sergeybashirov@gmail.com
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/blocklayout/extent_tree.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/fs/nfs/blocklayout/extent_tree.c b/fs/nfs/blocklayout/extent_tree.c
+index 8f7cff7a4293..0add0f329816 100644
+--- a/fs/nfs/blocklayout/extent_tree.c
++++ b/fs/nfs/blocklayout/extent_tree.c
+@@ -552,6 +552,15 @@ static int ext_tree_encode_commit(struct pnfs_block_layout *bl, __be32 *p,
+ return ret;
+ }
+
++/**
++ * ext_tree_prepare_commit - encode extents that need to be committed
++ * @arg: layout commit data
++ *
++ * Return values:
++ * %0: Success, all required extents are encoded
++ * %-ENOSPC: Some extents are encoded, but not all, due to RPC size limit
++ * %-ENOMEM: Out of memory, extents not encoded
++ */
+ int
+ ext_tree_prepare_commit(struct nfs4_layoutcommit_args *arg)
+ {
+@@ -568,12 +577,12 @@ ext_tree_prepare_commit(struct nfs4_layoutcommit_args *arg)
+ start_p = page_address(arg->layoutupdate_page);
+ arg->layoutupdate_pages = &arg->layoutupdate_page;
+
+-retry:
+- ret = ext_tree_encode_commit(bl, start_p + 1, buffer_size, &count, &arg->lastbytewritten);
++ ret = ext_tree_encode_commit(bl, start_p + 1, buffer_size,
++ &count, &arg->lastbytewritten);
+ if (unlikely(ret)) {
+ ext_tree_free_commitdata(arg, buffer_size);
+
+- buffer_size = ext_tree_layoutupdate_size(bl, count);
++ buffer_size = NFS_SERVER(arg->inode)->wsize;
+ count = 0;
+
+ arg->layoutupdate_pages =
+@@ -588,7 +597,8 @@ ext_tree_prepare_commit(struct nfs4_layoutcommit_args *arg)
+ return -ENOMEM;
+ }
+
+- goto retry;
++ ret = ext_tree_encode_commit(bl, start_p + 1, buffer_size,
++ &count, &arg->lastbytewritten);
+ }
+
+ *start_p = cpu_to_be32(count);
+@@ -608,7 +618,7 @@ ext_tree_prepare_commit(struct nfs4_layoutcommit_args *arg)
+ }
+
+ dprintk("%s found %zu ranges\n", __func__, count);
+- return 0;
++ return ret;
+ }
+
+ void
+--
+2.39.5
+
--- /dev/null
+From 4aced47e6fd53fd391979f58b77d94488c73ad85 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 21:35:29 +0300
+Subject: pNFS: Handle RPC size limit for layoutcommits
+
+From: Sergey Bashirov <sergeybashirov@gmail.com>
+
+[ Upstream commit d897d81671bc4615c80f4f3bd5e6b218f59df50c ]
+
+When there are too many block extents for a layoutcommit, they may not
+all fit into the maximum-sized RPC. This patch allows the generic pnfs
+code to properly handle -ENOSPC returned by the block/scsi layout driver
+and trigger additional layoutcommits if necessary.
+
+Co-developed-by: Konstantin Evtushenko <koevtushenko@yandex.com>
+Signed-off-by: Konstantin Evtushenko <koevtushenko@yandex.com>
+Signed-off-by: Sergey Bashirov <sergeybashirov@gmail.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20250630183537.196479-5-sergeybashirov@gmail.com
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/pnfs.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
+index b41c6fced75a..ef273b71f019 100644
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -3216,6 +3216,7 @@ pnfs_layoutcommit_inode(struct inode *inode, bool sync)
+ struct nfs_inode *nfsi = NFS_I(inode);
+ loff_t end_pos;
+ int status;
++ bool mark_as_dirty = false;
+
+ if (!pnfs_layoutcommit_outstanding(inode))
+ return 0;
+@@ -3267,19 +3268,23 @@ pnfs_layoutcommit_inode(struct inode *inode, bool sync)
+ if (ld->prepare_layoutcommit) {
+ status = ld->prepare_layoutcommit(&data->args);
+ if (status) {
+- put_cred(data->cred);
++ if (status != -ENOSPC)
++ put_cred(data->cred);
+ spin_lock(&inode->i_lock);
+ set_bit(NFS_INO_LAYOUTCOMMIT, &nfsi->flags);
+ if (end_pos > nfsi->layout->plh_lwb)
+ nfsi->layout->plh_lwb = end_pos;
+- goto out_unlock;
++ if (status != -ENOSPC)
++ goto out_unlock;
++ spin_unlock(&inode->i_lock);
++ mark_as_dirty = true;
+ }
+ }
+
+
+ status = nfs4_proc_layoutcommit(data, sync);
+ out:
+- if (status)
++ if (status || mark_as_dirty)
+ mark_inode_dirty_sync(inode);
+ dprintk("<-- %s status %d\n", __func__, status);
+ return status;
+--
+2.39.5
+
--- /dev/null
+From 8f7ff405af6accabc6acfff5f23da255fd91183e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 16:29:11 +0200
+Subject: (powerpc/512) Fix possible `dma_unmap_single()` on uninitialized
+ pointer
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 760b9b4f6de9a33ca56a05f950cabe82138d25bd ]
+
+If the device configuration fails (if `dma_dev->device_config()`),
+`sg_dma_address(&sg)` is not initialized and the jump to `err_dma_prep`
+leads to calling `dma_unmap_single()` on `sg_dma_address(&sg)`.
+
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/20250610142918.169540-2-fourier.thomas@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/512x/mpc512x_lpbfifo.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/arch/powerpc/platforms/512x/mpc512x_lpbfifo.c b/arch/powerpc/platforms/512x/mpc512x_lpbfifo.c
+index 04bf6ecf7d55..85e0fa7d902b 100644
+--- a/arch/powerpc/platforms/512x/mpc512x_lpbfifo.c
++++ b/arch/powerpc/platforms/512x/mpc512x_lpbfifo.c
+@@ -240,10 +240,8 @@ static int mpc512x_lpbfifo_kick(void)
+ dma_conf.src_addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES;
+
+ /* Make DMA channel work with LPB FIFO data register */
+- if (dma_dev->device_config(lpbfifo.chan, &dma_conf)) {
+- ret = -EINVAL;
+- goto err_dma_prep;
+- }
++ if (dma_dev->device_config(lpbfifo.chan, &dma_conf))
++ return -EINVAL;
+
+ sg_init_table(&sg, 1);
+
+--
+2.39.5
+
--- /dev/null
+From 8853843ec38fd16aee122c80c62b7d976904e6c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 May 2025 05:33:55 +0000
+Subject: pps: clients: gpio: fix interrupt handling order in remove path
+
+From: Eliav Farber <farbere@amazon.com>
+
+[ Upstream commit 6bca1e955830808dc90e0506b2951b4256b81bbb ]
+
+The interrupt handler in pps_gpio_probe() is registered after calling
+pps_register_source() using devm_request_irq(). However, in the
+corresponding remove function, pps_unregister_source() is called before
+the IRQ is freed, since devm-managed resources are released after the
+remove function completes.
+
+This creates a potential race condition where an interrupt may occur
+after the PPS source is unregistered but before the handler is removed,
+possibly leading to a kernel panic.
+
+To prevent this, switch from devm-managed IRQ registration to manual
+management by using request_irq() and calling free_irq() explicitly in
+the remove path before unregistering the PPS source. This ensures the
+interrupt handler is safely removed before deactivating the PPS source.
+
+Signed-off-by: Eliav Farber <farbere@amazon.com>
+Link: https://lore.kernel.org/r/20250527053355.37185-1-farbere@amazon.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pps/clients/pps-gpio.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pps/clients/pps-gpio.c b/drivers/pps/clients/pps-gpio.c
+index bf3b6f1aa984..41e1fdbcda16 100644
+--- a/drivers/pps/clients/pps-gpio.c
++++ b/drivers/pps/clients/pps-gpio.c
+@@ -206,8 +206,8 @@ static int pps_gpio_probe(struct platform_device *pdev)
+ }
+
+ /* register IRQ interrupt handler */
+- ret = devm_request_irq(dev, data->irq, pps_gpio_irq_handler,
+- get_irqf_trigger_flags(data), data->info.name, data);
++ ret = request_irq(data->irq, pps_gpio_irq_handler,
++ get_irqf_trigger_flags(data), data->info.name, data);
+ if (ret) {
+ pps_unregister_source(data->pps);
+ dev_err(dev, "failed to acquire IRQ %d\n", data->irq);
+@@ -224,6 +224,7 @@ static int pps_gpio_remove(struct platform_device *pdev)
+ {
+ struct pps_gpio_device_data *data = platform_get_drvdata(pdev);
+
++ free_irq(data->irq, data);
+ pps_unregister_source(data->pps);
+ del_timer_sync(&data->echo_timer);
+ /* reset echo pin in any case */
+--
+2.39.5
+
--- /dev/null
+From 6d2e03e26c6cbf2ab85c2a6319930652a552363e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Apr 2025 16:49:53 -0700
+Subject: rcu: Protect ->defer_qs_iw_pending from data race
+
+From: Paul E. McKenney <paulmck@kernel.org>
+
+[ Upstream commit 90c09d57caeca94e6f3f87c49e96a91edd40cbfd ]
+
+On kernels built with CONFIG_IRQ_WORK=y, when rcu_read_unlock() is
+invoked within an interrupts-disabled region of code [1], it will invoke
+rcu_read_unlock_special(), which uses an irq-work handler to force the
+system to notice when the RCU read-side critical section actually ends.
+That end won't happen until interrupts are enabled at the soonest.
+
+In some kernels, such as those booted with rcutree.use_softirq=y, the
+irq-work handler is used unconditionally.
+
+The per-CPU rcu_data structure's ->defer_qs_iw_pending field is
+updated by the irq-work handler and is both read and updated by
+rcu_read_unlock_special(). This resulted in the following KCSAN splat:
+
+------------------------------------------------------------------------
+
+BUG: KCSAN: data-race in rcu_preempt_deferred_qs_handler / rcu_read_unlock_special
+
+read to 0xffff96b95f42d8d8 of 1 bytes by task 90 on cpu 8:
+ rcu_read_unlock_special+0x175/0x260
+ __rcu_read_unlock+0x92/0xa0
+ rt_spin_unlock+0x9b/0xc0
+ __local_bh_enable+0x10d/0x170
+ __local_bh_enable_ip+0xfb/0x150
+ rcu_do_batch+0x595/0xc40
+ rcu_cpu_kthread+0x4e9/0x830
+ smpboot_thread_fn+0x24d/0x3b0
+ kthread+0x3bd/0x410
+ ret_from_fork+0x35/0x40
+ ret_from_fork_asm+0x1a/0x30
+
+write to 0xffff96b95f42d8d8 of 1 bytes by task 88 on cpu 8:
+ rcu_preempt_deferred_qs_handler+0x1e/0x30
+ irq_work_single+0xaf/0x160
+ run_irq_workd+0x91/0xc0
+ smpboot_thread_fn+0x24d/0x3b0
+ kthread+0x3bd/0x410
+ ret_from_fork+0x35/0x40
+ ret_from_fork_asm+0x1a/0x30
+
+no locks held by irq_work/8/88.
+irq event stamp: 200272
+hardirqs last enabled at (200272): [<ffffffffb0f56121>] finish_task_switch+0x131/0x320
+hardirqs last disabled at (200271): [<ffffffffb25c7859>] __schedule+0x129/0xd70
+softirqs last enabled at (0): [<ffffffffb0ee093f>] copy_process+0x4df/0x1cc0
+softirqs last disabled at (0): [<0000000000000000>] 0x0
+
+------------------------------------------------------------------------
+
+The problem is that irq-work handlers run with interrupts enabled, which
+means that rcu_preempt_deferred_qs_handler() could be interrupted,
+and that interrupt handler might contain an RCU read-side critical
+section, which might invoke rcu_read_unlock_special(). In the strict
+KCSAN mode of operation used by RCU, this constitutes a data race on
+the ->defer_qs_iw_pending field.
+
+This commit therefore disables interrupts across the portion of the
+rcu_preempt_deferred_qs_handler() that updates the ->defer_qs_iw_pending
+field. This suffices because this handler is not a fast path.
+
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Reviewed-by: Frederic Weisbecker <frederic@kernel.org>
+Signed-off-by: Neeraj Upadhyay (AMD) <neeraj.upadhyay@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/rcu/tree_plugin.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/kernel/rcu/tree_plugin.h b/kernel/rcu/tree_plugin.h
+index 9e84d603e882..73483f0fcf6b 100644
+--- a/kernel/rcu/tree_plugin.h
++++ b/kernel/rcu/tree_plugin.h
+@@ -607,10 +607,13 @@ static notrace void rcu_preempt_deferred_qs(struct task_struct *t)
+ */
+ static void rcu_preempt_deferred_qs_handler(struct irq_work *iwp)
+ {
++ unsigned long flags;
+ struct rcu_data *rdp;
+
+ rdp = container_of(iwp, struct rcu_data, defer_qs_iw);
++ local_irq_save(flags);
+ rdp->defer_qs_iw_pending = false;
++ local_irq_restore(flags);
+ }
+
+ /*
+--
+2.39.5
+
--- /dev/null
+From 3c2b8f0ff0798150fc254a3d566d49886ae5c67d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 13:33:26 +0200
+Subject: RDMA/core: reduce stack using in nldev_stat_get_doit()
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 43163f4c30f94d2103c948a247cdf2cda5068ca7 ]
+
+In the s390 defconfig, gcc-10 and earlier end up inlining three functions
+into nldev_stat_get_doit(), and each of them uses some 600 bytes of stack.
+
+The result is a function with an overly large stack frame and a warning:
+
+drivers/infiniband/core/nldev.c:2466:1: error: the frame size of 1720 bytes is larger than 1280 bytes [-Werror=frame-larger-than=]
+
+Mark the three functions noinline_for_stack to prevent this, ensuring
+that only one copy of the nlattr array is on the stack of each function.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://patch.msgid.link/20250620113335.3776965-1-arnd@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/nldev.c | 22 ++++++++++++----------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/infiniband/core/nldev.c b/drivers/infiniband/core/nldev.c
+index 050bafc7c52d..1bfa957b8775 100644
+--- a/drivers/infiniband/core/nldev.c
++++ b/drivers/infiniband/core/nldev.c
+@@ -1391,10 +1391,11 @@ static const struct nldev_fill_res_entry fill_entries[RDMA_RESTRACK_MAX] = {
+
+ };
+
+-static int res_get_common_doit(struct sk_buff *skb, struct nlmsghdr *nlh,
+- struct netlink_ext_ack *extack,
+- enum rdma_restrack_type res_type,
+- res_fill_func_t fill_func)
++static noinline_for_stack int
++res_get_common_doit(struct sk_buff *skb, struct nlmsghdr *nlh,
++ struct netlink_ext_ack *extack,
++ enum rdma_restrack_type res_type,
++ res_fill_func_t fill_func)
+ {
+ const struct nldev_fill_res_entry *fe = &fill_entries[res_type];
+ struct nlattr *tb[RDMA_NLDEV_ATTR_MAX];
+@@ -2041,10 +2042,10 @@ static int nldev_stat_del_doit(struct sk_buff *skb, struct nlmsghdr *nlh,
+ return ret;
+ }
+
+-static int stat_get_doit_default_counter(struct sk_buff *skb,
+- struct nlmsghdr *nlh,
+- struct netlink_ext_ack *extack,
+- struct nlattr *tb[])
++static noinline_for_stack int
++stat_get_doit_default_counter(struct sk_buff *skb, struct nlmsghdr *nlh,
++ struct netlink_ext_ack *extack,
++ struct nlattr *tb[])
+ {
+ struct rdma_hw_stats *stats;
+ struct nlattr *table_attr;
+@@ -2130,8 +2131,9 @@ static int stat_get_doit_default_counter(struct sk_buff *skb,
+ return ret;
+ }
+
+-static int stat_get_doit_qp(struct sk_buff *skb, struct nlmsghdr *nlh,
+- struct netlink_ext_ack *extack, struct nlattr *tb[])
++static noinline_for_stack int
++stat_get_doit_qp(struct sk_buff *skb, struct nlmsghdr *nlh,
++ struct netlink_ext_ack *extack, struct nlattr *tb[])
+
+ {
+ static enum rdma_nl_counter_mode mode;
+--
+2.39.5
+
--- /dev/null
+From 9df4d1a833cf65edd34045d314499c16a637375f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Jun 2025 15:39:38 -0400
+Subject: RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask()
+
+From: Yury Norov [NVIDIA] <yury.norov@gmail.com>
+
+[ Upstream commit 59f7d2138591ef8f0e4e4ab5f1ab674e8181ad3a ]
+
+The function divides number of online CPUs by num_core_siblings, and
+later checks the divider by zero. This implies a possibility to get
+and divide-by-zero runtime error. Fix it by moving the check prior to
+division. This also helps to save one indentation level.
+
+Signed-off-by: Yury Norov [NVIDIA] <yury.norov@gmail.com>
+Link: https://patch.msgid.link/20250604193947.11834-3-yury.norov@gmail.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hfi1/affinity.c | 44 +++++++++++++++------------
+ 1 file changed, 24 insertions(+), 20 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hfi1/affinity.c b/drivers/infiniband/hw/hfi1/affinity.c
+index 4c403d9e90cb..2b17acbb3569 100644
+--- a/drivers/infiniband/hw/hfi1/affinity.c
++++ b/drivers/infiniband/hw/hfi1/affinity.c
+@@ -967,31 +967,35 @@ static void find_hw_thread_mask(uint hw_thread_no, cpumask_var_t hw_thread_mask,
+ struct hfi1_affinity_node_list *affinity)
+ {
+ int possible, curr_cpu, i;
+- uint num_cores_per_socket = node_affinity.num_online_cpus /
++ uint num_cores_per_socket;
++
++ cpumask_copy(hw_thread_mask, &affinity->proc.mask);
++
++ if (affinity->num_core_siblings == 0)
++ return;
++
++ num_cores_per_socket = node_affinity.num_online_cpus /
+ affinity->num_core_siblings /
+ node_affinity.num_online_nodes;
+
+- cpumask_copy(hw_thread_mask, &affinity->proc.mask);
+- if (affinity->num_core_siblings > 0) {
+- /* Removing other siblings not needed for now */
+- possible = cpumask_weight(hw_thread_mask);
+- curr_cpu = cpumask_first(hw_thread_mask);
+- for (i = 0;
+- i < num_cores_per_socket * node_affinity.num_online_nodes;
+- i++)
+- curr_cpu = cpumask_next(curr_cpu, hw_thread_mask);
+-
+- for (; i < possible; i++) {
+- cpumask_clear_cpu(curr_cpu, hw_thread_mask);
+- curr_cpu = cpumask_next(curr_cpu, hw_thread_mask);
+- }
++ /* Removing other siblings not needed for now */
++ possible = cpumask_weight(hw_thread_mask);
++ curr_cpu = cpumask_first(hw_thread_mask);
++ for (i = 0;
++ i < num_cores_per_socket * node_affinity.num_online_nodes;
++ i++)
++ curr_cpu = cpumask_next(curr_cpu, hw_thread_mask);
+
+- /* Identifying correct HW threads within physical cores */
+- cpumask_shift_left(hw_thread_mask, hw_thread_mask,
+- num_cores_per_socket *
+- node_affinity.num_online_nodes *
+- hw_thread_no);
++ for (; i < possible; i++) {
++ cpumask_clear_cpu(curr_cpu, hw_thread_mask);
++ curr_cpu = cpumask_next(curr_cpu, hw_thread_mask);
+ }
++
++ /* Identifying correct HW threads within physical cores */
++ cpumask_shift_left(hw_thread_mask, hw_thread_mask,
++ num_cores_per_socket *
++ node_affinity.num_online_nodes *
++ hw_thread_no);
+ }
+
+ int hfi1_get_proc_affinity(int node)
+--
+2.39.5
+
--- /dev/null
+From 3cb17b0018862a6902b6a65e93f2d638a6a2cec2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 18:52:58 +0100
+Subject: reset: brcmstb: Enable reset drivers for ARCH_BCM2835
+
+From: Peter Robinson <pbrobinson@gmail.com>
+
+[ Upstream commit 1d99f92f71b6b4b2eee776562c991428490f71ef ]
+
+The BRCMSTB and BRCMSTB_RESCAL reset drivers are also
+used in the BCM2712, AKA the RPi5. The RPi platforms
+have typically used the ARCH_BCM2835, and the PCIe
+support for this SoC can use this config which depends
+on these drivers so enable building them when just that
+arch option is enabled to ensure the platform works as
+expected.
+
+Signed-off-by: Peter Robinson <pbrobinson@gmail.com>
+Acked-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://lore.kernel.org/r/20250630175301.846082-1-pbrobinson@gmail.com
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/reset/Kconfig | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/reset/Kconfig b/drivers/reset/Kconfig
+index b0056ae5d463..d1bc691b2900 100644
+--- a/drivers/reset/Kconfig
++++ b/drivers/reset/Kconfig
+@@ -51,8 +51,8 @@ config RESET_BERLIN
+
+ config RESET_BRCMSTB
+ tristate "Broadcom STB reset controller"
+- depends on ARCH_BRCMSTB || COMPILE_TEST
+- default ARCH_BRCMSTB
++ depends on ARCH_BRCMSTB || ARCH_BCM2835 || COMPILE_TEST
++ default ARCH_BRCMSTB || ARCH_BCM2835
+ help
+ This enables the reset controller driver for Broadcom STB SoCs using
+ a SUN_TOP_CTRL_SW_INIT style controller.
+@@ -60,11 +60,11 @@ config RESET_BRCMSTB
+ config RESET_BRCMSTB_RESCAL
+ bool "Broadcom STB RESCAL reset controller"
+ depends on HAS_IOMEM
+- depends on ARCH_BRCMSTB || COMPILE_TEST
+- default ARCH_BRCMSTB
++ depends on ARCH_BRCMSTB || ARCH_BCM2835 || COMPILE_TEST
++ default ARCH_BRCMSTB || ARCH_BCM2835
+ help
+ This enables the RESCAL reset controller for SATA, PCIe0, or PCIe1 on
+- BCM7216.
++ BCM7216 or the BCM2712.
+
+ config RESET_HSDK
+ bool "Synopsys HSDK Reset Driver"
+--
+2.39.5
+
--- /dev/null
+From c18542fc013d2ac49506850f71319a28b0c92d2b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 11:14:16 -0700
+Subject: rtc: ds1307: handle oscillator stop flag (OSF) for ds1341
+
+From: Meagan Lloyd <meaganlloyd@linux.microsoft.com>
+
+[ Upstream commit 523923cfd5d622b8f4ba893fdaf29fa6adeb8c3e ]
+
+In using CONFIG_RTC_HCTOSYS, rtc_hctosys() will sync the RTC time to the
+kernel time as long as rtc_read_time() succeeds. In some power loss
+situations, our supercapacitor-backed DS1342 RTC comes up with either an
+unpredictable future time or the default 01/01/00 from the datasheet.
+The oscillator stop flag (OSF) is set in these scenarios due to the
+power loss and can be used to determine the validity of the RTC data.
+
+This change expands the oscillator stop flag (OSF) handling that has
+already been implemented for some chips to the ds1341 chip (DS1341 and
+DS1342 share a datasheet). This handling manages the validity of the RTC
+data in .read_time and .set_time based on the OSF.
+
+Signed-off-by: Meagan Lloyd <meaganlloyd@linux.microsoft.com>
+Reviewed-by: Tyler Hicks <code@tyhicks.com>
+Acked-by: Rodolfo Giometti <giometti@enneenne.com>
+Link: https://lore.kernel.org/r/1749665656-30108-3-git-send-email-meaganlloyd@linux.microsoft.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-ds1307.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/drivers/rtc/rtc-ds1307.c b/drivers/rtc/rtc-ds1307.c
+index 1e621080f666..f8e32f5c37e3 100644
+--- a/drivers/rtc/rtc-ds1307.c
++++ b/drivers/rtc/rtc-ds1307.c
+@@ -273,6 +273,13 @@ static int ds1307_get_time(struct device *dev, struct rtc_time *t)
+ if (tmp & DS1340_BIT_OSF)
+ return -EINVAL;
+ break;
++ case ds_1341:
++ ret = regmap_read(ds1307->regmap, DS1337_REG_STATUS, &tmp);
++ if (ret)
++ return ret;
++ if (tmp & DS1337_BIT_OSF)
++ return -EINVAL;
++ break;
+ case ds_1388:
+ ret = regmap_read(ds1307->regmap, DS1388_REG_FLAG, &tmp);
+ if (ret)
+@@ -371,6 +378,10 @@ static int ds1307_set_time(struct device *dev, struct rtc_time *t)
+ regmap_update_bits(ds1307->regmap, DS1340_REG_FLAG,
+ DS1340_BIT_OSF, 0);
+ break;
++ case ds_1341:
++ regmap_update_bits(ds1307->regmap, DS1337_REG_STATUS,
++ DS1337_BIT_OSF, 0);
++ break;
+ case ds_1388:
+ regmap_update_bits(ds1307->regmap, DS1388_REG_FLAG,
+ DS1388_BIT_OSF, 0);
+--
+2.39.5
+
--- /dev/null
+From f3f432f0ac66b5cc22e1970091e5fa4807150a76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 11:14:15 -0700
+Subject: rtc: ds1307: remove clear of oscillator stop flag (OSF) in probe
+
+From: Meagan Lloyd <meaganlloyd@linux.microsoft.com>
+
+[ Upstream commit 48458654659c9c2e149c211d86637f1592470da5 ]
+
+In using CONFIG_RTC_HCTOSYS, rtc_hctosys() will sync the RTC time to the
+kernel time as long as rtc_read_time() succeeds. In some power loss
+situations, our supercapacitor-backed DS1342 RTC comes up with either an
+unpredictable future time or the default 01/01/00 from the datasheet.
+The oscillator stop flag (OSF) is set in these scenarios due to the
+power loss and can be used to determine the validity of the RTC data.
+
+Some chip types in the ds1307 driver already have OSF handling to
+determine whether .read_time provides valid RTC data or returns -EINVAL.
+
+This change removes the clear of the OSF in .probe as the OSF needs to
+be preserved to expand the OSF handling to the ds1341 chip type (note
+that DS1341 and DS1342 share a datasheet).
+
+Signed-off-by: Meagan Lloyd <meaganlloyd@linux.microsoft.com>
+Reviewed-by: Tyler Hicks <code@tyhicks.com>
+Acked-by: Rodolfo Giometti <giometti@enneenne.com>
+Link: https://lore.kernel.org/r/1749665656-30108-2-git-send-email-meaganlloyd@linux.microsoft.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-ds1307.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/rtc/rtc-ds1307.c b/drivers/rtc/rtc-ds1307.c
+index f8e32f5c37e3..e02bc2a2e77f 100644
+--- a/drivers/rtc/rtc-ds1307.c
++++ b/drivers/rtc/rtc-ds1307.c
+@@ -1819,10 +1819,8 @@ static int ds1307_probe(struct i2c_client *client,
+ regmap_write(ds1307->regmap, DS1337_REG_CONTROL,
+ regs[0]);
+
+- /* oscillator fault? clear flag, and warn */
++ /* oscillator fault? warn */
+ if (regs[1] & DS1337_BIT_OSF) {
+- regmap_write(ds1307->regmap, DS1337_REG_STATUS,
+- regs[1] & ~DS1337_BIT_OSF);
+ dev_warn(ds1307->dev, "SET TIME!\n");
+ }
+ break;
+--
+2.39.5
+
--- /dev/null
+From 288bf70582d41206e1741d2ca74b041212c07f9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 13:50:27 +0200
+Subject: s390/stp: Remove udelay from stp_sync_clock()
+
+From: Sven Schnelle <svens@linux.ibm.com>
+
+[ Upstream commit b367017cdac21781a74eff4e208d3d38e1f38d3f ]
+
+When an stp sync check is handled on a system with multiple
+cpus each cpu gets a machine check but only the first one
+actually handles the sync operation. All other CPUs spin
+waiting for the first one to finish with a short udelay().
+But udelay can't be used here as the first CPU modifies tod_clock_base
+before performing the sync op. During this timeframe
+get_tod_clock_monotonic() might return a non-monotonic time.
+
+The time spent waiting should be very short and udelay is a busy loop
+anyways, therefore simply remove the udelay.
+
+Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Sven Schnelle <svens@linux.ibm.com>
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/time.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/s390/kernel/time.c b/arch/s390/kernel/time.c
+index f0a1484ee00b..58cdd4119f45 100644
+--- a/arch/s390/kernel/time.c
++++ b/arch/s390/kernel/time.c
+@@ -576,7 +576,7 @@ static int stp_sync_clock(void *data)
+ atomic_dec(&sync->cpus);
+ /* Wait for in_sync to be set. */
+ while (READ_ONCE(sync->in_sync) == 0)
+- __udelay(1);
++ ;
+ }
+ if (sync->in_sync != 1)
+ /* Didn't work. Clear per-cpu in sync bit again. */
+--
+2.39.5
+
--- /dev/null
+From 27c99d05b84f660e48d9fed8d57a4fb39fd41f9f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 09:42:29 +0200
+Subject: s390/time: Use monotonic clock in get_cycles()
+
+From: Sven Schnelle <svens@linux.ibm.com>
+
+[ Upstream commit 09e7e29d2b49ba84bcefb3dc1657726d2de5bb24 ]
+
+Otherwise the code might not work correctly when the clock
+is changed.
+
+Signed-off-by: Sven Schnelle <svens@linux.ibm.com>
+Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/include/asm/timex.h | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/arch/s390/include/asm/timex.h b/arch/s390/include/asm/timex.h
+index bc50ee0e91ff..a046a4d13816 100644
+--- a/arch/s390/include/asm/timex.h
++++ b/arch/s390/include/asm/timex.h
+@@ -196,13 +196,6 @@ static inline unsigned long get_tod_clock_fast(void)
+ return get_tod_clock();
+ #endif
+ }
+-
+-static inline cycles_t get_cycles(void)
+-{
+- return (cycles_t) get_tod_clock() >> 2;
+-}
+-#define get_cycles get_cycles
+-
+ int get_phys_clock(unsigned long *clock);
+ void init_cpu_timer(void);
+
+@@ -225,6 +218,12 @@ static inline unsigned long get_tod_clock_monotonic(void)
+ return tod;
+ }
+
++static inline cycles_t get_cycles(void)
++{
++ return (cycles_t)get_tod_clock_monotonic() >> 2;
++}
++#define get_cycles get_cycles
++
+ /**
+ * tod_to_ns - convert a TOD format value to nanoseconds
+ * @todval: to be converted TOD format value
+--
+2.39.5
+
--- /dev/null
+From 7d1c67c9b9e3fbba4530fa4547fce1159eb97bb0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 13:51:16 +0200
+Subject: sched/deadline: Fix accounting after global limits change
+
+From: Juri Lelli <juri.lelli@redhat.com>
+
+[ Upstream commit 440989c10f4e32620e9e2717ca52c3ed7ae11048 ]
+
+A global limits change (sched_rt_handler() logic) currently leaves stale
+and/or incorrect values in variables related to accounting (e.g.
+extra_bw).
+
+Properly clean up per runqueue variables before implementing the change
+and rebuild scheduling domains (so that accounting is also properly
+restored) after such a change is complete.
+
+Reported-by: Marcel Ziswiler <marcel.ziswiler@codethink.co.uk>
+Signed-off-by: Juri Lelli <juri.lelli@redhat.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Tested-by: Marcel Ziswiler <marcel.ziswiler@codethink.co.uk> # nuc & rock5b
+Link: https://lore.kernel.org/r/20250627115118.438797-4-juri.lelli@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/deadline.c | 4 +++-
+ kernel/sched/rt.c | 6 ++++++
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c
+index 66eb68c59f0b..708c3960bd06 100644
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -2661,6 +2661,9 @@ void sched_dl_do_global(void)
+ if (global_rt_runtime() != RUNTIME_INF)
+ new_bw = to_ratio(global_rt_period(), global_rt_runtime());
+
++ for_each_possible_cpu(cpu)
++ init_dl_rq_bw_ratio(&cpu_rq(cpu)->dl);
++
+ for_each_possible_cpu(cpu) {
+ rcu_read_lock_sched();
+
+@@ -2676,7 +2679,6 @@ void sched_dl_do_global(void)
+ raw_spin_unlock_irqrestore(&dl_b->lock, flags);
+
+ rcu_read_unlock_sched();
+- init_dl_rq_bw_ratio(&cpu_rq(cpu)->dl);
+ }
+ }
+
+diff --git a/kernel/sched/rt.c b/kernel/sched/rt.c
+index 5fc99dce5145..9720b3c19ab9 100644
+--- a/kernel/sched/rt.c
++++ b/kernel/sched/rt.c
+@@ -2861,6 +2861,12 @@ int sched_rt_handler(struct ctl_table *table, int write, void *buffer,
+ }
+ mutex_unlock(&mutex);
+
++ /*
++ * After changing maximum available bandwidth for DEADLINE, we need to
++ * recompute per root domain and per cpus variables accordingly.
++ */
++ rebuild_sched_domains();
++
+ return ret;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 5a96ced6a6caafe370ebdd1a19baccad4cdae069 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jul 2025 11:15:35 +0000
+Subject: scsi: aacraid: Stop using PCI_IRQ_AFFINITY
+
+From: John Garry <john.g.garry@oracle.com>
+
+[ Upstream commit dafeaf2c03e71255438ffe5a341d94d180e6c88e ]
+
+When PCI_IRQ_AFFINITY is set for calling pci_alloc_irq_vectors(), it
+means interrupts are spread around the available CPUs. It also means that
+the interrupts become managed, which means that an interrupt is shutdown
+when all the CPUs in the interrupt affinity mask go offline.
+
+Using managed interrupts in this way means that we should ensure that
+completions should not occur on HW queues where the associated interrupt
+is shutdown. This is typically achieved by ensuring only CPUs which are
+online can generate IO completion traffic to the HW queue which they are
+mapped to (so that they can also serve completion interrupts for that HW
+queue).
+
+The problem in the driver is that a CPU can generate completions to a HW
+queue whose interrupt may be shutdown, as the CPUs in the HW queue
+interrupt affinity mask may be offline. This can cause IOs to never
+complete and hang the system. The driver maintains its own CPU <-> HW
+queue mapping for submissions, see aac_fib_vector_assign(), but this does
+not reflect the CPU <-> HW queue interrupt affinity mapping.
+
+Commit 9dc704dcc09e ("scsi: aacraid: Reply queue mapping to CPUs based on
+IRQ affinity") tried to remedy this issue may mapping CPUs properly to HW
+queue interrupts. However this was later reverted in commit c5becf57dd56
+("Revert "scsi: aacraid: Reply queue mapping to CPUs based on IRQ
+affinity") - it seems that there were other reports of hangs. I guess
+that this was due to some implementation issue in the original commit or
+maybe a HW issue.
+
+Fix the very original hang by just not using managed interrupts by not
+setting PCI_IRQ_AFFINITY. In this way, all CPUs will be in each HW queue
+affinity mask, so should not create completion problems if any CPUs go
+offline.
+
+Signed-off-by: John Garry <john.g.garry@oracle.com>
+Link: https://lore.kernel.org/r/20250715111535.499853-1-john.g.garry@oracle.com
+Closes: https://lore.kernel.org/linux-scsi/20250618192427.3845724-1-jmeneghi@redhat.com/
+Reviewed-by: John Meneghini <jmeneghi@redhat.com>
+Tested-by: John Meneghini <jmeneghi@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/aacraid/comminit.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/aacraid/comminit.c b/drivers/scsi/aacraid/comminit.c
+index 34e45c87cae0..7b520e824c29 100644
+--- a/drivers/scsi/aacraid/comminit.c
++++ b/drivers/scsi/aacraid/comminit.c
+@@ -481,8 +481,7 @@ void aac_define_int_mode(struct aac_dev *dev)
+ pci_find_capability(dev->pdev, PCI_CAP_ID_MSIX)) {
+ min_msix = 2;
+ i = pci_alloc_irq_vectors(dev->pdev,
+- min_msix, msi_count,
+- PCI_IRQ_MSIX | PCI_IRQ_AFFINITY);
++ min_msix, msi_count, PCI_IRQ_MSIX);
+ if (i > 0) {
+ dev->msi_enabled = 1;
+ msi_count = i;
+--
+2.39.5
+
--- /dev/null
+From aa1dcf12f7d6800c4ffb6d707aba7765807429e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jun 2025 19:58:24 +0800
+Subject: scsi: bfa: Double-free fix
+
+From: jackysliu <1972843537@qq.com>
+
+[ Upstream commit add4c4850363d7c1b72e8fce9ccb21fdd2cf5dc9 ]
+
+When the bfad_im_probe() function fails during initialization, the memory
+pointed to by bfad->im is freed without setting bfad->im to NULL.
+
+Subsequently, during driver uninstallation, when the state machine enters
+the bfad_sm_stopping state and calls the bfad_im_probe_undo() function,
+it attempts to free the memory pointed to by bfad->im again, thereby
+triggering a double-free vulnerability.
+
+Set bfad->im to NULL if probing fails.
+
+Signed-off-by: jackysliu <1972843537@qq.com>
+Link: https://lore.kernel.org/r/tencent_3BB950D6D2D470976F55FC879206DE0B9A09@qq.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/bfa/bfad_im.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/bfa/bfad_im.c b/drivers/scsi/bfa/bfad_im.c
+index 6b5841b1c06e..38292bc43d91 100644
+--- a/drivers/scsi/bfa/bfad_im.c
++++ b/drivers/scsi/bfa/bfad_im.c
+@@ -707,6 +707,7 @@ bfad_im_probe(struct bfad_s *bfad)
+
+ if (bfad_thread_workq(bfad) != BFA_STATUS_OK) {
+ kfree(im);
++ bfad->im = NULL;
+ return BFA_STATUS_FAILED;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From b985adfbb9896982abf0c1a0c99f2c1c08537987 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jun 2025 11:46:49 +0530
+Subject: scsi: Fix sas_user_scan() to handle wildcard and multi-channel scans
+
+From: Ranjan Kumar <ranjan.kumar@broadcom.com>
+
+[ Upstream commit 37c4e72b0651e7697eb338cd1fb09feef472cc1a ]
+
+sas_user_scan() did not fully process wildcard channel scans
+(SCAN_WILD_CARD) when a transport-specific user_scan() callback was
+present. Only channel 0 would be scanned via user_scan(), while the
+remaining channels were skipped, potentially missing devices.
+
+user_scan() invokes updated sas_user_scan() for channel 0, and if
+successful, iteratively scans remaining channels (1 to
+shost->max_channel) via scsi_scan_host_selected(). This ensures complete
+wildcard scanning without affecting transport-specific scanning behavior.
+
+Signed-off-by: Ranjan Kumar <ranjan.kumar@broadcom.com>
+Link: https://lore.kernel.org/r/20250624061649.17990-1-ranjan.kumar@broadcom.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_scan.c | 2 +-
+ drivers/scsi/scsi_transport_sas.c | 60 ++++++++++++++++++++++++-------
+ 2 files changed, 49 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c
+index f00b4624e46b..e39648762896 100644
+--- a/drivers/scsi/scsi_scan.c
++++ b/drivers/scsi/scsi_scan.c
+@@ -1762,7 +1762,7 @@ int scsi_scan_host_selected(struct Scsi_Host *shost, unsigned int channel,
+
+ return 0;
+ }
+-
++EXPORT_SYMBOL(scsi_scan_host_selected);
+ static void scsi_sysfs_add_devices(struct Scsi_Host *shost)
+ {
+ struct scsi_device *sdev;
+diff --git a/drivers/scsi/scsi_transport_sas.c b/drivers/scsi/scsi_transport_sas.c
+index 8649608faec2..87c5ed56e47b 100644
+--- a/drivers/scsi/scsi_transport_sas.c
++++ b/drivers/scsi/scsi_transport_sas.c
+@@ -41,6 +41,8 @@
+ #include <scsi/scsi_transport_sas.h>
+
+ #include "scsi_sas_internal.h"
++#include "scsi_priv.h"
++
+ struct sas_host_attrs {
+ struct list_head rphy_list;
+ struct mutex lock;
+@@ -1681,32 +1683,66 @@ int scsi_is_sas_rphy(const struct device *dev)
+ }
+ EXPORT_SYMBOL(scsi_is_sas_rphy);
+
+-
+-/*
+- * SCSI scan helper
+- */
+-
+-static int sas_user_scan(struct Scsi_Host *shost, uint channel,
+- uint id, u64 lun)
++static void scan_channel_zero(struct Scsi_Host *shost, uint id, u64 lun)
+ {
+ struct sas_host_attrs *sas_host = to_sas_host_attrs(shost);
+ struct sas_rphy *rphy;
+
+- mutex_lock(&sas_host->lock);
+ list_for_each_entry(rphy, &sas_host->rphy_list, list) {
+ if (rphy->identify.device_type != SAS_END_DEVICE ||
+ rphy->scsi_target_id == -1)
+ continue;
+
+- if ((channel == SCAN_WILD_CARD || channel == 0) &&
+- (id == SCAN_WILD_CARD || id == rphy->scsi_target_id)) {
++ if (id == SCAN_WILD_CARD || id == rphy->scsi_target_id) {
+ scsi_scan_target(&rphy->dev, 0, rphy->scsi_target_id,
+ lun, SCSI_SCAN_MANUAL);
+ }
+ }
+- mutex_unlock(&sas_host->lock);
++}
+
+- return 0;
++/*
++ * SCSI scan helper
++ */
++
++static int sas_user_scan(struct Scsi_Host *shost, uint channel,
++ uint id, u64 lun)
++{
++ struct sas_host_attrs *sas_host = to_sas_host_attrs(shost);
++ int res = 0;
++ int i;
++
++ switch (channel) {
++ case 0:
++ mutex_lock(&sas_host->lock);
++ scan_channel_zero(shost, id, lun);
++ mutex_unlock(&sas_host->lock);
++ break;
++
++ case SCAN_WILD_CARD:
++ mutex_lock(&sas_host->lock);
++ scan_channel_zero(shost, id, lun);
++ mutex_unlock(&sas_host->lock);
++
++ for (i = 1; i <= shost->max_channel; i++) {
++ res = scsi_scan_host_selected(shost, i, id, lun,
++ SCSI_SCAN_MANUAL);
++ if (res)
++ goto exit_scan;
++ }
++ break;
++
++ default:
++ if (channel < shost->max_channel) {
++ res = scsi_scan_host_selected(shost, channel, id, lun,
++ SCSI_SCAN_MANUAL);
++ } else {
++ res = -EINVAL;
++ }
++ break;
++ }
++
++exit_scan:
++ return res;
+ }
+
+
+--
+2.39.5
+
--- /dev/null
+From fdbb1aaaf002e8d87eeed08736067809d7886bb6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 16:53:29 +0530
+Subject: scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is
+ allocated
+
+From: Showrya M N <showrya@chelsio.com>
+
+[ Upstream commit 3ea3a256ed81f95ab0f3281a0e234b01a9cae605 ]
+
+In case of an ib_fast_reg_mr allocation failure during iSER setup, the
+machine hits a panic because iscsi_conn->dd_data is initialized
+unconditionally, even when no memory is allocated (dd_size == 0). This
+leads invalid pointer dereference during connection teardown.
+
+Fix by setting iscsi_conn->dd_data only if memory is actually allocated.
+
+Panic trace:
+------------
+ iser: iser_create_fastreg_desc: Failed to allocate ib_fast_reg_mr err=-12
+ iser: iser_alloc_rx_descriptors: failed allocating rx descriptors / data buffers
+ BUG: unable to handle page fault for address: fffffffffffffff8
+ RIP: 0010:swake_up_locked.part.5+0xa/0x40
+ Call Trace:
+ complete+0x31/0x40
+ iscsi_iser_conn_stop+0x88/0xb0 [ib_iser]
+ iscsi_stop_conn+0x66/0xc0 [scsi_transport_iscsi]
+ iscsi_if_stop_conn+0x14a/0x150 [scsi_transport_iscsi]
+ iscsi_if_rx+0x1135/0x1834 [scsi_transport_iscsi]
+ ? netlink_lookup+0x12f/0x1b0
+ ? netlink_deliver_tap+0x2c/0x200
+ netlink_unicast+0x1ab/0x280
+ netlink_sendmsg+0x257/0x4f0
+ ? _copy_from_user+0x29/0x60
+ sock_sendmsg+0x5f/0x70
+
+Signed-off-by: Showrya M N <showrya@chelsio.com>
+Signed-off-by: Potnuri Bharat Teja <bharat@chelsio.com>
+Link: https://lore.kernel.org/r/20250627112329.19763-1-showrya@chelsio.com
+Reviewed-by: Chris Leech <cleech@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/libiscsi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c
+index d422e8fd7137..225aa8279960 100644
+--- a/drivers/scsi/libiscsi.c
++++ b/drivers/scsi/libiscsi.c
+@@ -3104,7 +3104,8 @@ iscsi_conn_setup(struct iscsi_cls_session *cls_session, int dd_size,
+ conn = cls_conn->dd_data;
+ memset(conn, 0, sizeof(*conn) + dd_size);
+
+- conn->dd_data = cls_conn->dd_data + sizeof(*conn);
++ if (dd_size)
++ conn->dd_data = cls_conn->dd_data + sizeof(*conn);
+ conn->session = session;
+ conn->cls_conn = cls_conn;
+ conn->c_stage = ISCSI_CONN_INITIAL_STAGE;
+--
+2.39.5
+
--- /dev/null
+From f82995592d69b4cc1bcf165d85881d0c798242ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 12:21:28 -0700
+Subject: scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport
+ structure
+
+From: Justin Tee <justin.tee@broadcom.com>
+
+[ Upstream commit 6698796282e828733cde3329c887b4ae9e5545e9 ]
+
+If a call to lpfc_sli4_read_rev() from lpfc_sli4_hba_setup() fails, the
+resultant cleanup routine lpfc_sli4_vport_delete_fcp_xri_aborted() may
+occur before sli4_hba.hdwqs are allocated. This may result in a null
+pointer dereference when attempting to take the abts_io_buf_list_lock for
+the first hardware queue. Fix by adding a null ptr check on
+phba->sli4_hba.hdwq and early return because this situation means there
+must have been an error during port initialization.
+
+Signed-off-by: Justin Tee <justin.tee@broadcom.com>
+Link: https://lore.kernel.org/r/20250618192138.124116-4-justintee8345@gmail.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_scsi.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c
+index d9fb5e09fb53..520491a8b56e 100644
+--- a/drivers/scsi/lpfc/lpfc_scsi.c
++++ b/drivers/scsi/lpfc/lpfc_scsi.c
+@@ -454,6 +454,10 @@ lpfc_sli4_vport_delete_fcp_xri_aborted(struct lpfc_vport *vport)
+ if (!(vport->cfg_enable_fc4_type & LPFC_ENABLE_FCP))
+ return;
+
++ /* may be called before queues established if hba_setup fails */
++ if (!phba->sli4_hba.hdwq)
++ return;
++
+ spin_lock_irqsave(&phba->hbalock, iflag);
+ for (idx = 0; idx < phba->cfg_hdw_queue; idx++) {
+ qp = &phba->sli4_hba.hdwq[idx];
+--
+2.39.5
+
--- /dev/null
+From b7f2dc955dab761d3225e4e73fcdfcae66c0ac21 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Jun 2025 14:27:47 +0900
+Subject: scsi: mpt3sas: Correctly handle ATA device errors
+
+From: Damien Le Moal <dlemoal@kernel.org>
+
+[ Upstream commit 15592a11d5a5c8411ac8494ec49736b658f6fbff ]
+
+With the ATA error model, an NCQ command failure always triggers an abort
+(termination) of all NCQ commands queued on the device. In such case, the
+SAT or the host must handle the failed command according to the command
+sense data and immediately retry all other NCQ commands that were aborted
+due to the failed NCQ command.
+
+For SAS HBAs controlled by the mpt3sas driver, NCQ command aborts are not
+handled by the HBA SAT and sent back to the host, with an ioc log
+information equal to 0x31080000 (IOC_LOGINFO_PREFIX_PL with the PL code
+PL_LOGINFO_CODE_SATA_NCQ_FAIL_ALL_CMDS_AFTR_ERR). The function
+_scsih_io_done() always forces a retry of commands terminated with the
+status MPI2_IOCSTATUS_SCSI_IOC_TERMINATED using the SCSI result
+DID_SOFT_ERROR, regardless of the log_info for the command. This
+correctly forces the retry of collateral NCQ abort commands, but with the
+retry counter for the command being incremented. If a command to an ATA
+device is subject to too many retries due to other NCQ commands failing
+(e.g. read commands trying to access unreadable sectors), the collateral
+NCQ abort commands may be terminated with an error as they run out of
+retries. This violates the SAT specification and causes hard-to-debug
+command errors.
+
+Solve this issue by modifying the handling of the
+MPI2_IOCSTATUS_SCSI_IOC_TERMINATED status to check if a command is for an
+ATA device and if the command loginfo indicates an NCQ collateral
+abort. If that is the case, force the command retry using the SCSI result
+DID_IMM_RETRY to avoid incrementing the command retry count.
+
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Link: https://lore.kernel.org/r/20250606052747.742998-3-dlemoal@kernel.org
+Tested-by: Yafang Shao <laoar.shao@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/mpt3sas/mpt3sas_scsih.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+index 055929021818..0066a99587d9 100644
+--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+@@ -197,6 +197,14 @@ struct sense_info {
+ #define MPT3SAS_PORT_ENABLE_COMPLETE (0xFFFD)
+ #define MPT3SAS_ABRT_TASK_SET (0xFFFE)
+ #define MPT3SAS_REMOVE_UNRESPONDING_DEVICES (0xFFFF)
++
++/*
++ * SAS Log info code for a NCQ collateral abort after an NCQ error:
++ * IOC_LOGINFO_PREFIX_PL | PL_LOGINFO_CODE_SATA_NCQ_FAIL_ALL_CMDS_AFTR_ERR
++ * See: drivers/message/fusion/lsi/mpi_log_sas.h
++ */
++#define IOC_LOGINFO_SATA_NCQ_FAIL_AFTER_ERR 0x31080000
++
+ /**
+ * struct fw_event_work - firmware event struct
+ * @list: link list framework
+@@ -5812,6 +5820,17 @@ _scsih_io_done(struct MPT3SAS_ADAPTER *ioc, u16 smid, u8 msix_index, u32 reply)
+ scmd->result = DID_TRANSPORT_DISRUPTED << 16;
+ goto out;
+ }
++ if (log_info == IOC_LOGINFO_SATA_NCQ_FAIL_AFTER_ERR) {
++ /*
++ * This is a ATA NCQ command aborted due to another NCQ
++ * command failure. We must retry this command
++ * immediately but without incrementing its retry
++ * counter.
++ */
++ WARN_ON_ONCE(xfer_cnt != 0);
++ scmd->result = DID_IMM_RETRY << 16;
++ break;
++ }
+ if (log_info == 0x31110630) {
+ if (scmd->retries > 2) {
+ scmd->result = DID_NO_CONNECT << 16;
+--
+2.39.5
+
--- /dev/null
+From c28db7dfd823f69d83797b72831ccc29feb7c588 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Jul 2025 15:37:38 +0200
+Subject: scsi: target: core: Generate correct identifiers for PR OUT transport
+ IDs
+
+From: Maurizio Lombardi <mlombard@redhat.com>
+
+[ Upstream commit 6e0f6aa44b68335df404a2df955055f416b5f2aa ]
+
+Fix target_parse_pr_out_transport_id() to return a string representing
+the transport ID in a human-readable format (e.g., naa.xxxxxxxx...) for
+various SCSI protocol types (SAS, FCP, SRP, SBP).
+
+Previously, the function returned a pointer to the raw binary buffer,
+which was incorrectly compared against human-readable strings, causing
+comparisons to fail. Now, the function writes a properly formatted
+string into a buffer provided by the caller. The output format depends
+on the transport protocol:
+
+* SAS: 64-bit identifier, "naa." prefix.
+* FCP: 64-bit identifier, colon separated values.
+* SBP: 64-bit identifier, no prefix.
+* SRP: 128-bit identifier, "0x" prefix.
+* iSCSI: IQN string.
+
+Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
+Link: https://lore.kernel.org/r/20250714133738.11054-1-mlombard@redhat.com
+Reviewed-by: Dmitry Bogdanov <d.bogdanov@yadro.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/target_core_fabric_lib.c | 63 +++++++++++++++++++------
+ drivers/target/target_core_internal.h | 4 +-
+ drivers/target/target_core_pr.c | 18 +++----
+ 3 files changed, 60 insertions(+), 25 deletions(-)
+
+diff --git a/drivers/target/target_core_fabric_lib.c b/drivers/target/target_core_fabric_lib.c
+index 6600ae44f29d..d3ab251ba049 100644
+--- a/drivers/target/target_core_fabric_lib.c
++++ b/drivers/target/target_core_fabric_lib.c
+@@ -257,11 +257,41 @@ static int iscsi_get_pr_transport_id_len(
+ return len;
+ }
+
+-static char *iscsi_parse_pr_out_transport_id(
++static void sas_parse_pr_out_transport_id(char *buf, char *i_str)
++{
++ char hex[17] = {};
++
++ bin2hex(hex, buf + 4, 8);
++ snprintf(i_str, TRANSPORT_IQN_LEN, "naa.%s", hex);
++}
++
++static void srp_parse_pr_out_transport_id(char *buf, char *i_str)
++{
++ char hex[33] = {};
++
++ bin2hex(hex, buf + 8, 16);
++ snprintf(i_str, TRANSPORT_IQN_LEN, "0x%s", hex);
++}
++
++static void fcp_parse_pr_out_transport_id(char *buf, char *i_str)
++{
++ snprintf(i_str, TRANSPORT_IQN_LEN, "%8phC", buf + 8);
++}
++
++static void sbp_parse_pr_out_transport_id(char *buf, char *i_str)
++{
++ char hex[17] = {};
++
++ bin2hex(hex, buf + 8, 8);
++ snprintf(i_str, TRANSPORT_IQN_LEN, "%s", hex);
++}
++
++static bool iscsi_parse_pr_out_transport_id(
+ struct se_portal_group *se_tpg,
+ char *buf,
+ u32 *out_tid_len,
+- char **port_nexus_ptr)
++ char **port_nexus_ptr,
++ char *i_str)
+ {
+ char *p;
+ int i;
+@@ -282,7 +312,7 @@ static char *iscsi_parse_pr_out_transport_id(
+ if ((format_code != 0x00) && (format_code != 0x40)) {
+ pr_err("Illegal format code: 0x%02x for iSCSI"
+ " Initiator Transport ID\n", format_code);
+- return NULL;
++ return false;
+ }
+ /*
+ * If the caller wants the TransportID Length, we set that value for the
+@@ -306,7 +336,7 @@ static char *iscsi_parse_pr_out_transport_id(
+ pr_err("Unable to locate \",i,0x\" separator"
+ " for Initiator port identifier: %s\n",
+ &buf[4]);
+- return NULL;
++ return false;
+ }
+ *p = '\0'; /* Terminate iSCSI Name */
+ p += 5; /* Skip over ",i,0x" separator */
+@@ -339,7 +369,8 @@ static char *iscsi_parse_pr_out_transport_id(
+ } else
+ *port_nexus_ptr = NULL;
+
+- return &buf[4];
++ strscpy(i_str, &buf[4], TRANSPORT_IQN_LEN);
++ return true;
+ }
+
+ int target_get_pr_transport_id_len(struct se_node_acl *nacl,
+@@ -387,33 +418,35 @@ int target_get_pr_transport_id(struct se_node_acl *nacl,
+ }
+ }
+
+-const char *target_parse_pr_out_transport_id(struct se_portal_group *tpg,
+- char *buf, u32 *out_tid_len, char **port_nexus_ptr)
++bool target_parse_pr_out_transport_id(struct se_portal_group *tpg,
++ char *buf, u32 *out_tid_len, char **port_nexus_ptr, char *i_str)
+ {
+- u32 offset;
+-
+ switch (tpg->proto_id) {
+ case SCSI_PROTOCOL_SAS:
+ /*
+ * Assume the FORMAT CODE 00b from spc4r17, 7.5.4.7 TransportID
+ * for initiator ports using SCSI over SAS Serial SCSI Protocol.
+ */
+- offset = 4;
++ sas_parse_pr_out_transport_id(buf, i_str);
+ break;
+- case SCSI_PROTOCOL_SBP:
+ case SCSI_PROTOCOL_SRP:
++ srp_parse_pr_out_transport_id(buf, i_str);
++ break;
+ case SCSI_PROTOCOL_FCP:
+- offset = 8;
++ fcp_parse_pr_out_transport_id(buf, i_str);
++ break;
++ case SCSI_PROTOCOL_SBP:
++ sbp_parse_pr_out_transport_id(buf, i_str);
+ break;
+ case SCSI_PROTOCOL_ISCSI:
+ return iscsi_parse_pr_out_transport_id(tpg, buf, out_tid_len,
+- port_nexus_ptr);
++ port_nexus_ptr, i_str);
+ default:
+ pr_err("Unknown proto_id: 0x%02x\n", tpg->proto_id);
+- return NULL;
++ return false;
+ }
+
+ *port_nexus_ptr = NULL;
+ *out_tid_len = 24;
+- return buf + offset;
++ return true;
+ }
+diff --git a/drivers/target/target_core_internal.h b/drivers/target/target_core_internal.h
+index a889a6237d9c..1e8dbfcc4323 100644
+--- a/drivers/target/target_core_internal.h
++++ b/drivers/target/target_core_internal.h
+@@ -103,8 +103,8 @@ int target_get_pr_transport_id_len(struct se_node_acl *nacl,
+ int target_get_pr_transport_id(struct se_node_acl *nacl,
+ struct t10_pr_registration *pr_reg, int *format_code,
+ unsigned char *buf);
+-const char *target_parse_pr_out_transport_id(struct se_portal_group *tpg,
+- char *buf, u32 *out_tid_len, char **port_nexus_ptr);
++bool target_parse_pr_out_transport_id(struct se_portal_group *tpg,
++ char *buf, u32 *out_tid_len, char **port_nexus_ptr, char *i_str);
+
+ /* target_core_hba.c */
+ struct se_hba *core_alloc_hba(const char *, u32, u32);
+diff --git a/drivers/target/target_core_pr.c b/drivers/target/target_core_pr.c
+index f4a797d3c573..28ba6a3109f2 100644
+--- a/drivers/target/target_core_pr.c
++++ b/drivers/target/target_core_pr.c
+@@ -1487,11 +1487,12 @@ core_scsi3_decode_spec_i_port(
+ LIST_HEAD(tid_dest_list);
+ struct pr_transport_id_holder *tidh_new, *tidh, *tidh_tmp;
+ unsigned char *buf, *ptr, proto_ident;
+- const unsigned char *i_str = NULL;
++ unsigned char i_str[TRANSPORT_IQN_LEN];
+ char *iport_ptr = NULL, i_buf[PR_REG_ISID_ID_LEN];
+ sense_reason_t ret;
+ u32 tpdl, tid_len = 0;
+ u32 dest_rtpi = 0;
++ bool tid_found;
+
+ /*
+ * Allocate a struct pr_transport_id_holder and setup the
+@@ -1580,9 +1581,9 @@ core_scsi3_decode_spec_i_port(
+ dest_rtpi = tmp_lun->lun_rtpi;
+
+ iport_ptr = NULL;
+- i_str = target_parse_pr_out_transport_id(tmp_tpg,
+- ptr, &tid_len, &iport_ptr);
+- if (!i_str)
++ tid_found = target_parse_pr_out_transport_id(tmp_tpg,
++ ptr, &tid_len, &iport_ptr, i_str);
++ if (!tid_found)
+ continue;
+ /*
+ * Determine if this SCSI device server requires that
+@@ -3148,13 +3149,14 @@ core_scsi3_emulate_pro_register_and_move(struct se_cmd *cmd, u64 res_key,
+ struct t10_pr_registration *pr_reg, *pr_res_holder, *dest_pr_reg;
+ struct t10_reservation *pr_tmpl = &dev->t10_pr;
+ unsigned char *buf;
+- const unsigned char *initiator_str;
++ unsigned char initiator_str[TRANSPORT_IQN_LEN];
+ char *iport_ptr = NULL, i_buf[PR_REG_ISID_ID_LEN] = { };
+ u32 tid_len, tmp_tid_len;
+ int new_reg = 0, type, scope, matching_iname;
+ sense_reason_t ret;
+ unsigned short rtpi;
+ unsigned char proto_ident;
++ bool tid_found;
+
+ if (!se_sess || !se_lun) {
+ pr_err("SPC-3 PR: se_sess || struct se_lun is NULL!\n");
+@@ -3273,9 +3275,9 @@ core_scsi3_emulate_pro_register_and_move(struct se_cmd *cmd, u64 res_key,
+ ret = TCM_INVALID_PARAMETER_LIST;
+ goto out;
+ }
+- initiator_str = target_parse_pr_out_transport_id(dest_se_tpg,
+- &buf[24], &tmp_tid_len, &iport_ptr);
+- if (!initiator_str) {
++ tid_found = target_parse_pr_out_transport_id(dest_se_tpg,
++ &buf[24], &tmp_tid_len, &iport_ptr, initiator_str);
++ if (!tid_found) {
+ pr_err("SPC-3 PR REGISTER_AND_MOVE: Unable to locate"
+ " initiator_str from Transport ID\n");
+ ret = TCM_INVALID_PARAMETER_LIST;
+--
+2.39.5
+
--- /dev/null
+From 0765231947d354c04b9793b01e2c2ecf6a238f5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 May 2025 23:38:01 -0400
+Subject: securityfs: don't pin dentries twice, once is enough...
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit 27cd1bf1240d482e4f02ca4f9812e748f3106e4f ]
+
+incidentally, securityfs_recursive_remove() is broken without that -
+it leaks dentries, since simple_recursive_removal() does not expect
+anything of that sort. It could be worked around by dput() in
+remove_one() callback, but it's easier to just drop that double-get
+stuff.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/inode.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/security/inode.c b/security/inode.c
+index 6c326939750d..e6e07787eec9 100644
+--- a/security/inode.c
++++ b/security/inode.c
+@@ -159,7 +159,6 @@ static struct dentry *securityfs_create_dentry(const char *name, umode_t mode,
+ inode->i_fop = fops;
+ }
+ d_instantiate(dentry, inode);
+- dget(dentry);
+ inode_unlock(dir);
+ return dentry;
+
+@@ -306,7 +305,6 @@ void securityfs_remove(struct dentry *dentry)
+ simple_rmdir(dir, dentry);
+ else
+ simple_unlink(dir, dentry);
+- dput(dentry);
+ }
+ inode_unlock(dir);
+ simple_release_fs(&mount, &mount_count);
+--
+2.39.5
+
--- /dev/null
+From a78cf58471eb71c35cb85e552f0c560107c8fc8c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 18:36:30 +0800
+Subject: selftests/futex: Define SYS_futex on 32-bit architectures with 64-bit
+ time_t
+
+From: Cynthia Huang <cynthia@andestech.com>
+
+[ Upstream commit 04850819c65c8242072818655d4341e70ae998b5 ]
+
+The kernel does not provide sys_futex() on 32-bit architectures that do not
+support 32-bit time representations, such as riscv32.
+
+As a result, glibc cannot define SYS_futex, causing compilation failures in
+tests that rely on this syscall. Define SYS_futex as SYS_futex_time64 in
+such cases to ensure successful compilation and compatibility.
+
+Signed-off-by: Cynthia Huang <cynthia@andestech.com>
+Signed-off-by: Ben Zong-You Xie <ben717@andestech.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
+Link: https://lore.kernel.org/all/20250710103630.3156130-1-ben717@andestech.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/futex/include/futextest.h | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/tools/testing/selftests/futex/include/futextest.h b/tools/testing/selftests/futex/include/futextest.h
+index ddbcfc9b7bac..7a5fd1d5355e 100644
+--- a/tools/testing/selftests/futex/include/futextest.h
++++ b/tools/testing/selftests/futex/include/futextest.h
+@@ -47,6 +47,17 @@ typedef volatile u_int32_t futex_t;
+ FUTEX_PRIVATE_FLAG)
+ #endif
+
++/*
++ * SYS_futex is expected from system C library, in glibc some 32-bit
++ * architectures (e.g. RV32) are using 64-bit time_t, therefore it doesn't have
++ * SYS_futex defined but just SYS_futex_time64. Define SYS_futex as
++ * SYS_futex_time64 in this situation to ensure the compilation and the
++ * compatibility.
++ */
++#if !defined(SYS_futex) && defined(SYS_futex_time64)
++#define SYS_futex SYS_futex_time64
++#endif
++
+ /**
+ * futex() - SYS_futex syscall wrapper
+ * @uaddr: address of first futex
+--
+2.39.5
+
--- /dev/null
+From 3be369b1f01082bd9a6debe22055409109c52ee7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 13:26:43 +0900
+Subject: selftests: tracing: Use mutex_unlock for testing glob filter
+
+From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+
+[ Upstream commit a089bb2822a49b0c5777a8936f82c1f8629231fb ]
+
+Since commit c5b6ababd21a ("locking/mutex: implement
+mutex_trylock_nested") makes mutex_trylock() as an inlined
+function if CONFIG_DEBUG_LOCK_ALLOC=y, we can not use
+mutex_trylock() for testing the glob filter of ftrace.
+
+Use mutex_unlock instead.
+
+Link: https://lore.kernel.org/r/175151680309.2149615.9795104805153538717.stgit@mhiramat.tok.corp.google.com
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Acked-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc b/tools/testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc
+index 4b994b6df5ac..ed81eaf2afd6 100644
+--- a/tools/testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc
++++ b/tools/testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc
+@@ -29,7 +29,7 @@ ftrace_filter_check 'schedule*' '^schedule.*$'
+ ftrace_filter_check '*pin*lock' '.*pin.*lock$'
+
+ # filter by start*mid*
+-ftrace_filter_check 'mutex*try*' '^mutex.*try.*'
++ftrace_filter_check 'mutex*unl*' '^mutex.*unl.*'
+
+ # Advanced full-glob matching feature is recently supported.
+ # Skip the tests if we are sure the kernel does not support it.
+--
+2.39.5
+
intel_idle-allow-loading-acpi-tables-for-any-family.patch
cpuidle-governors-menu-avoid-using-invalid-recent-in.patch
ptp-prevent-possible-abba-deadlock-in-ptp_clock_free.patch
+hfs-fix-slab-out-of-bounds-in-hfs_bnode_read.patch
+hfsplus-fix-slab-out-of-bounds-in-hfsplus_bnode_read.patch
+hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_uni2a.patch
+hfsplus-don-t-use-bug_on-in-hfsplus_create_attribute.patch
+arm64-handle-kcov-__init-vs-inline-mismatches.patch
+smb-server-avoid-deadlock-when-linking-with-replacei.patch
+udf-verify-partition-map-count.patch
+drbd-add-missing-kref_get-in-handle_write_conflicts.patch
+hfs-fix-not-erasing-deleted-b-tree-node-issue.patch
+better-lockdep-annotations-for-simple_recursive_remo.patch
+ata-libata-sata-disallow-changing-lpm-state-if-not-s.patch
+fs-ntfs3-add-sanity-check-for-file-name.patch
+fs-ntfs3-correctly-create-symlink-for-relative-path.patch
+ext2-handle-fiemap-on-empty-files-to-prevent-einval.patch
+securityfs-don-t-pin-dentries-twice-once-is-enough.patch
+usb-xhci-print-xhci-xhc_state-when-queue_command-fai.patch
+cpufreq-cppc-mark-driver-with-need_update_limits-fla.patch
+selftests-futex-define-sys_futex-on-32-bit-architect.patch
+usb-typec-ucsi-psy-set-current-max-to-100ma-for-bc-1.patch
+usb-xhci-avoid-showing-warnings-for-dying-controller.patch
+usb-xhci-set-avg_trb_len-8-for-ep0-during-address-de.patch
+usb-xhci-avoid-showing-errors-during-surprise-remova.patch
+gpio-wcd934x-check-the-return-value-of-regmap_update.patch
+cpufreq-exit-governor-when-failed-to-start-old-gover.patch
+arm-rockchip-fix-kernel-hang-during-smp-initializati.patch
+pm-devfreq-governor-replace-sscanf-with-kstrtoul-in-.patch
+edac-synopsys-clear-the-ecc-counters-on-init.patch
+asoc-soc-dapm-set-bias_level-if-snd_soc_dapm_set_bia.patch
+thermal-drivers-qcom-spmi-temp-alarm-enable-stage-2-.patch
+tools-nolibc-define-time_t-in-terms-of-__kernel_old_.patch
+gpio-tps65912-check-the-return-value-of-regmap_updat.patch
+arm-tegra-use-i-o-memcpy-to-write-to-iram.patch
+selftests-tracing-use-mutex_unlock-for-testing-glob-.patch
+acpi-prm-reduce-unnecessary-printing-to-avoid-user-c.patch
+pm-runtime-clear-power.needs_force_resume-in-pm_runt.patch
+thermal-sysfs-return-enodata-instead-of-eagain-for-r.patch
+pm-sleep-console-fix-the-black-screen-issue.patch
+acpi-processor-fix-acpi_object-initialization.patch
+mmc-sdhci-msm-ensure-sd-card-power-isn-t-on-when-car.patch
+acpi-apei-ghes-add-taint_machine_check-on-ghes-panic.patch
+pps-clients-gpio-fix-interrupt-handling-order-in-rem.patch
+reset-brcmstb-enable-reset-drivers-for-arch_bcm2835.patch
+mmc-rtsx_usb_sdmmc-fix-error-path-in-sd_set_power_mo.patch
+x86-bugs-avoid-warning-when-overriding-return-thunk.patch
+asoc-hdac_hdmi-rate-limit-logging-on-connection-and-.patch
+alsa-intel8x0-fix-incorrect-codec-index-usage-in-mix.patch
+asoc-core-check-for-rtd-null-in-snd_soc_remove_pcm_r.patch
+usb-typec-intel_pmc_mux-defer-probe-if-scu-ipc-isn-t.patch
+usb-core-usb_submit_urb-downgrade-type-check.patch
+pm-cpupower-fix-the-snapshot-order-of-tsc-mperf-cloc.patch
+platform-x86-thinkpad_acpi-handle-kcov-__init-vs-inl.patch
+platform-chrome-cros_ec_typec-defer-probe-on-missing.patch
+alsa-hda-ca0132-fix-buffer-overflow-in-add_tuning_co.patch
+alsa-pcm-rewrite-recalculate_boundary-to-avoid-costl.patch
+alsa-usb-audio-avoid-precedence-issues-in-mixer_quir.patch
+iio-adc-ad7768-1-ensure-sync_in-pulse-minimum-timing.patch
+asoc-codecs-rt5640-retry-device_id-verification.patch
+xen-netfront-fix-tx-response-spurious-interrupts.patch
+ktest.pl-prevent-recursion-of-default-variable-optio.patch
+wifi-cfg80211-reject-htc-bit-for-management-frames.patch
+s390-time-use-monotonic-clock-in-get_cycles.patch
+be2net-use-correct-byte-order-and-format-string-for-.patch
+et131x-add-missing-check-after-dma-map.patch
+net-ag71xx-add-missing-check-after-dma-map.patch
+net-mlx5e-properly-access-rcu-protected-qdisc_sleepi.patch
+arm64-mark-kernel-as-tainted-on-sae-and-serror-panic.patch
+rcu-protect-defer_qs_iw_pending-from-data-race.patch
+can-ti_hecc-fix-woverflow-compiler-warning.patch
+net-mctp-prevent-duplicate-binds.patch
+wifi-cfg80211-fix-interface-type-validation.patch
+net-ipv4-fix-incorrect-mtu-in-broadcast-routes.patch
+net-thunderx-fix-format-truncation-warning-in-bgx_ac.patch
+sched-deadline-fix-accounting-after-global-limits-ch.patch
+wifi-iwlwifi-mvm-fix-scan-request-validation.patch
+s390-stp-remove-udelay-from-stp_sync_clock.patch
+wifi-mac80211-don-t-complete-management-tx-on-sae-co.patch
+powerpc-512-fix-possible-dma_unmap_single-on-uniniti.patch
+ipv6-mcast-check-inet6_dev-dead-under-idev-mc_lock-i.patch
+drm-msm-use-trylock-for-debugfs.patch
+net-thunderbolt-fix-the-parameter-passing-of-tb_xdom.patch
+net-atlantic-add-set_power-to-fw_ops-for-atl2-to-fix.patch
+net-fec-allow-disable-coalescing.patch
+drm-amd-display-separate-set_gsl-from-set_gsl_source.patch
+wifi-iwlwifi-dvm-fix-potential-overflow-in-rs_fill_l.patch
+wifi-iwlwifi-fw-fix-possible-memory-leak-in-iwl_fw_d.patch
+drm-amd-display-fix-failed-to-blank-crtc.patch
+wifi-rtlwifi-fix-possible-skb-memory-leak-in-_rtl_pc.patch
+netmem-fix-skb_frag_address_safe-with-unreadable-skb.patch
+wifi-iwlegacy-check-rate_idx-range-after-addition.patch
+dpaa_eth-don-t-use-fixed_phy_change_carrier.patch
+drm-amd-allow-printing-vangogh-od-sclk-levels-withou.patch
+net-vlan-replace-bug-with-warn_on_once-in-vlan_dev_-.patch
+gve-return-error-for-unknown-admin-queue-command.patch
+net-dsa-b53-fix-b53_imp_vlan_setup-for-bcm5325.patch
+net-dsa-b53-prevent-gmii_port_override_ctrl-access-o.patch
+net-dsa-b53-prevent-dis_learning-access-on-bcm5325.patch
+net-dsa-b53-prevent-switch_ctrl-access-on-bcm5325.patch
+wifi-rtlwifi-fix-possible-skb-memory-leak-in-_rtl_pc.patch-4064
+net-ncsi-fix-buffer-overflow-in-fetching-version-id.patch
+drm-ttm-should-to-return-the-evict-error.patch
+uapi-in6-restore-visibility-of-most-ipv6-socket-opti.patch
+drm-ttm-respect-the-shrinker-core-free-target.patch
+net-dsa-b53-fix-ip_multicast_ctrl-on-bcm5325.patch
+vhost-fail-early-when-__vhost_add_used-fails.patch
+watchdog-sbsa-adjust-keepalive-timeout-to-avoid-medi.patch
+cifs-fix-calling-cifsfindfirst-for-root-path-without.patch
+crypto-hisilicon-hpre-fix-dma-unmap-sequence.patch
+ext4-do-not-bug-when-inline_data_fl-lacks-system.dat.patch
+scsi-libiscsi-initialize-iscsi_conn-dd_data-only-if-.patch
+fs-orangefs-use-snprintf-instead-of-sprintf.patch
+watchdog-dw_wdt-fix-default-timeout.patch
+mips-vpe-mt-add-missing-prototypes-for-vpe_-alloc-st.patch
+watchdog-itco_wdt-report-error-if-timeout-configurat.patch
+scsi-bfa-double-free-fix.patch
+jfs-truncate-good-inode-pages-when-hard-link-is-0.patch
+jfs-regular-file-corruption-check.patch
+jfs-upper-bound-check-of-tree-index-in-dballocag.patch
+mips-don-t-crash-in-stack_top-for-tasks-without-abi-.patch
+media-v4l2-common-reduce-warnings-about-missing-v4l2.patch
+leds-leds-lp50xx-handle-reg-to-get-correct-multi_ind.patch
+rdma-hfi1-fix-possible-divide-by-zero-in-find_hw_thr.patch
+rdma-core-reduce-stack-using-in-nldev_stat_get_doit.patch
+scsi-lpfc-check-for-hdwq-null-ptr-when-cleaning-up-l.patch
+scsi-mpt3sas-correctly-handle-ata-device-errors.patch
+pinctrl-stm32-manage-irq-affinity-settings.patch
+media-tc358743-check-i2c-succeeded-during-probe.patch
+media-tc358743-return-an-appropriate-colorspace-from.patch
+media-tc358743-increase-fifo-trigger-level-to-374.patch
+media-usb-hdpvr-disable-zero-length-read-messages.patch
+media-dvb-frontends-dib7090p-fix-null-ptr-deref-in-d.patch
+media-dvb-frontends-w7090p-fix-null-ptr-deref-in-w70.patch
+media-uvcvideo-fix-bandwidth-issue-for-alcor-camera.patch
+crypto-octeontx2-add-timeout-for-load_fvc-completion.patch
+md-dm-zoned-target-initialize-return-variable-r-to-a.patch
+i3c-add-missing-include-to-internal-header.patch
+rtc-ds1307-handle-oscillator-stop-flag-osf-for-ds134.patch
+i3c-don-t-fail-if-gethdrcap-is-unsupported.patch
+dm-mpath-don-t-print-the-loaded-message-if-registeri.patch
+i2c-force-dll0945-touchpad-i2c-freq-to-100khz.patch
+kconfig-lxdialog-replace-strcpy-with-strncpy-in-inpu.patch
+vfio-type1-conditional-rescheduling-while-pinning.patch
+kconfig-nconf-ensure-null-termination-where-strncpy-.patch
+scsi-fix-sas_user_scan-to-handle-wildcard-and-multi-.patch
+scsi-target-core-generate-correct-identifiers-for-pr.patch
+scsi-aacraid-stop-using-pci_irq_affinity.patch
+ipmi-use-dev_warn_ratelimited-for-incorrect-message-.patch
+kconfig-gconf-avoid-hardcoding-model2-in-on_treeview.patch
+kconfig-gconf-fix-potential-memory-leak-in-renderer_.patch
+kconfig-lxdialog-fix-space-to-de-select-options.patch
+ipmi-fix-strcpy-source-and-destination-the-same.patch
+net-phy-smsc-add-proper-reset-flags-for-lan8710a.patch
+block-avoid-possible-overflow-for-chunk_sectors-chec.patch
+pnfs-fix-stripe-mapping-in-block-scsi-layout.patch
+pnfs-fix-disk-addr-range-check-in-block-scsi-layout.patch
+pnfs-handle-rpc-size-limit-for-layoutcommits.patch
+pnfs-fix-uninited-ptr-deref-in-block-scsi-layout.patch
+rtc-ds1307-remove-clear-of-oscillator-stop-flag-osf-.patch
--- /dev/null
+From ba97283cb038ae7fe68e849ebd4341d2925b1a41 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jun 2025 09:35:09 +1000
+Subject: smb/server: avoid deadlock when linking with ReplaceIfExists
+
+From: NeilBrown <neil@brown.name>
+
+[ Upstream commit d5fc1400a34b4ea5e8f2ce296ea12bf8c8421694 ]
+
+If smb2_create_link() is called with ReplaceIfExists set and the name
+does exist then a deadlock will happen.
+
+ksmbd_vfs_kern_path_locked() will return with success and the parent
+directory will be locked. ksmbd_vfs_remove_file() will then remove the
+file. ksmbd_vfs_link() will then be called while the parent is still
+locked. It will try to lock the same parent and will deadlock.
+
+This patch moves the ksmbd_vfs_kern_path_unlock() call to *before*
+ksmbd_vfs_link() and then simplifies the code, removing the file_present
+flag variable.
+
+Signed-off-by: NeilBrown <neil@brown.name>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ksmbd/smb2pdu.c | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/fs/ksmbd/smb2pdu.c b/fs/ksmbd/smb2pdu.c
+index 76334a983cd2..3439dbad9389 100644
+--- a/fs/ksmbd/smb2pdu.c
++++ b/fs/ksmbd/smb2pdu.c
+@@ -5612,7 +5612,6 @@ static int smb2_create_link(struct ksmbd_work *work,
+ {
+ char *link_name = NULL, *target_name = NULL, *pathname = NULL;
+ struct path path, parent_path;
+- bool file_present = false;
+ int rc;
+
+ if (buf_len < (u64)sizeof(struct smb2_file_link_info) +
+@@ -5645,11 +5644,8 @@ static int smb2_create_link(struct ksmbd_work *work,
+ if (rc) {
+ if (rc != -ENOENT)
+ goto out;
+- } else
+- file_present = true;
+-
+- if (file_info->ReplaceIfExists) {
+- if (file_present) {
++ } else {
++ if (file_info->ReplaceIfExists) {
+ rc = ksmbd_vfs_remove_file(work, &path);
+ if (rc) {
+ rc = -EINVAL;
+@@ -5657,21 +5653,17 @@ static int smb2_create_link(struct ksmbd_work *work,
+ link_name);
+ goto out;
+ }
+- }
+- } else {
+- if (file_present) {
++ } else {
+ rc = -EEXIST;
+ ksmbd_debug(SMB, "link already exists\n");
+ goto out;
+ }
++ ksmbd_vfs_kern_path_unlock(&parent_path, &path);
+ }
+-
+ rc = ksmbd_vfs_link(work, target_name, link_name);
+ if (rc)
+ rc = -EINVAL;
+ out:
+- if (file_present)
+- ksmbd_vfs_kern_path_unlock(&parent_path, &path);
+
+ if (!IS_ERR(link_name))
+ kfree(link_name);
+--
+2.39.5
+
--- /dev/null
+From 9e2e5c7d2ee2f4bbef9dee1afae6543e61db3135 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 15:45:51 -0700
+Subject: thermal/drivers/qcom-spmi-temp-alarm: Enable stage 2 shutdown when
+ required
+
+From: David Collins <david.collins@oss.qualcomm.com>
+
+[ Upstream commit f8e157ff2df46ddabd930815d196895976227831 ]
+
+Certain TEMP_ALARM GEN2 PMIC peripherals need over-temperature stage 2
+automatic PMIC partial shutdown. This will ensure that in the event of
+reaching the hotter stage 3 over-temperature threshold, repeated faults
+will be avoided during the automatic PMIC hardware full shutdown.
+Modify the stage 2 shutdown control logic to ensure that stage 2
+shutdown is enabled on all affected PMICs. Read the digital major
+and minor revision registers to identify these PMICs.
+
+Signed-off-by: David Collins <david.collins@oss.qualcomm.com>
+Signed-off-by: Anjelique Melendez <anjelique.melendez@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250710224555.3047790-2-anjelique.melendez@oss.qualcomm.com
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/qcom/qcom-spmi-temp-alarm.c | 43 ++++++++++++++++-----
+ 1 file changed, 34 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/thermal/qcom/qcom-spmi-temp-alarm.c b/drivers/thermal/qcom/qcom-spmi-temp-alarm.c
+index 1037de19873a..f466bbfa128d 100644
+--- a/drivers/thermal/qcom/qcom-spmi-temp-alarm.c
++++ b/drivers/thermal/qcom/qcom-spmi-temp-alarm.c
+@@ -1,6 +1,7 @@
+ // SPDX-License-Identifier: GPL-2.0-only
+ /*
+ * Copyright (c) 2011-2015, 2017, 2020, The Linux Foundation. All rights reserved.
++ * Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries.
+ */
+
+ #include <linux/bitops.h>
+@@ -17,6 +18,7 @@
+
+ #include "../thermal_core.h"
+
++#define QPNP_TM_REG_DIG_MINOR 0x00
+ #define QPNP_TM_REG_DIG_MAJOR 0x01
+ #define QPNP_TM_REG_TYPE 0x04
+ #define QPNP_TM_REG_SUBTYPE 0x05
+@@ -32,7 +34,7 @@
+ #define STATUS_GEN2_STATE_MASK GENMASK(6, 4)
+ #define STATUS_GEN2_STATE_SHIFT 4
+
+-#define SHUTDOWN_CTRL1_OVERRIDE_S2 BIT(6)
++#define SHUTDOWN_CTRL1_OVERRIDE_STAGE2 BIT(6)
+ #define SHUTDOWN_CTRL1_THRESHOLD_MASK GENMASK(1, 0)
+
+ #define SHUTDOWN_CTRL1_RATE_25HZ BIT(3)
+@@ -80,6 +82,7 @@ struct qpnp_tm_chip {
+ /* protects .thresh, .stage and chip registers */
+ struct mutex lock;
+ bool initialized;
++ bool require_stage2_shutdown;
+
+ struct iio_channel *adc;
+ const long (*temp_map)[THRESH_COUNT][STAGE_COUNT];
+@@ -222,13 +225,13 @@ static int qpnp_tm_update_critical_trip_temp(struct qpnp_tm_chip *chip,
+ {
+ long stage2_threshold_min = (*chip->temp_map)[THRESH_MIN][1];
+ long stage2_threshold_max = (*chip->temp_map)[THRESH_MAX][1];
+- bool disable_s2_shutdown = false;
++ bool disable_stage2_shutdown = false;
+ u8 reg;
+
+ WARN_ON(!mutex_is_locked(&chip->lock));
+
+ /*
+- * Default: S2 and S3 shutdown enabled, thresholds at
++ * Default: Stage 2 and Stage 3 shutdown enabled, thresholds at
+ * lowest threshold set, monitoring at 25Hz
+ */
+ reg = SHUTDOWN_CTRL1_RATE_25HZ;
+@@ -243,12 +246,12 @@ static int qpnp_tm_update_critical_trip_temp(struct qpnp_tm_chip *chip,
+ chip->thresh = THRESH_MAX -
+ ((stage2_threshold_max - temp) /
+ TEMP_THRESH_STEP);
+- disable_s2_shutdown = true;
++ disable_stage2_shutdown = true;
+ } else {
+ chip->thresh = THRESH_MAX;
+
+ if (chip->adc)
+- disable_s2_shutdown = true;
++ disable_stage2_shutdown = true;
+ else
+ dev_warn(chip->dev,
+ "No ADC is configured and critical temperature %d mC is above the maximum stage 2 threshold of %ld mC! Configuring stage 2 shutdown at %ld mC.\n",
+@@ -257,8 +260,8 @@ static int qpnp_tm_update_critical_trip_temp(struct qpnp_tm_chip *chip,
+
+ skip:
+ reg |= chip->thresh;
+- if (disable_s2_shutdown)
+- reg |= SHUTDOWN_CTRL1_OVERRIDE_S2;
++ if (disable_stage2_shutdown && !chip->require_stage2_shutdown)
++ reg |= SHUTDOWN_CTRL1_OVERRIDE_STAGE2;
+
+ return qpnp_tm_write(chip, QPNP_TM_REG_SHUTDOWN_CTRL1, reg);
+ }
+@@ -372,8 +375,8 @@ static int qpnp_tm_probe(struct platform_device *pdev)
+ {
+ struct qpnp_tm_chip *chip;
+ struct device_node *node;
+- u8 type, subtype, dig_major;
+- u32 res;
++ u8 type, subtype, dig_major, dig_minor;
++ u32 res, dig_revision;
+ int ret, irq;
+
+ node = pdev->dev.of_node;
+@@ -428,6 +431,11 @@ static int qpnp_tm_probe(struct platform_device *pdev)
+ return ret;
+ }
+
++ ret = qpnp_tm_read(chip, QPNP_TM_REG_DIG_MINOR, &dig_minor);
++ if (ret < 0)
++ return dev_err_probe(&pdev->dev, ret,
++ "could not read dig_minor\n");
++
+ if (type != QPNP_TM_TYPE || (subtype != QPNP_TM_SUBTYPE_GEN1
+ && subtype != QPNP_TM_SUBTYPE_GEN2)) {
+ dev_err(&pdev->dev, "invalid type 0x%02x or subtype 0x%02x\n",
+@@ -441,6 +449,23 @@ static int qpnp_tm_probe(struct platform_device *pdev)
+ else
+ chip->temp_map = &temp_map_gen1;
+
++ if (chip->subtype == QPNP_TM_SUBTYPE_GEN2) {
++ dig_revision = (dig_major << 8) | dig_minor;
++ /*
++ * Check if stage 2 automatic partial shutdown must remain
++ * enabled to avoid potential repeated faults upon reaching
++ * over-temperature stage 3.
++ */
++ switch (dig_revision) {
++ case 0x0001:
++ case 0x0002:
++ case 0x0100:
++ case 0x0101:
++ chip->require_stage2_shutdown = true;
++ break;
++ }
++ }
++
+ /*
+ * Register the sensor before initializing the hardware to be able to
+ * read the trip points. get_temp() returns the default temperature
+--
+2.39.5
+
--- /dev/null
+From 24bcc1deb570b73124ff5e31ddcef5954a60e4b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 10:41:43 +0000
+Subject: thermal: sysfs: Return ENODATA instead of EAGAIN for reads
+
+From: Hsin-Te Yuan <yuanhsinte@chromium.org>
+
+[ Upstream commit 1a4aabc27e95674837f2e25f4ef340c0469e6203 ]
+
+According to POSIX spec, EAGAIN returned by read with O_NONBLOCK set
+means the read would block. Hence, the common implementation in
+nonblocking model will poll the file when the nonblocking read returns
+EAGAIN. However, when the target file is thermal zone, this mechanism
+will totally malfunction because thermal zone doesn't implement sysfs
+notification and thus the poll will never return.
+
+For example, the read in Golang implemnts such method and sometimes
+hangs at reading some thermal zones via sysfs.
+
+Change to return -ENODATA instead of -EAGAIN to userspace.
+
+Signed-off-by: Hsin-Te Yuan <yuanhsinte@chromium.org>
+Link: https://patch.msgid.link/20250620-temp-v3-1-6becc6aeb66c@chromium.org
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/thermal_sysfs.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/thermal/thermal_sysfs.c b/drivers/thermal/thermal_sysfs.c
+index de7cdec3db90..a21af02f6347 100644
+--- a/drivers/thermal/thermal_sysfs.c
++++ b/drivers/thermal/thermal_sysfs.c
+@@ -39,10 +39,13 @@ temp_show(struct device *dev, struct device_attribute *attr, char *buf)
+
+ ret = thermal_zone_get_temp(tz, &temperature);
+
+- if (ret)
+- return ret;
++ if (!ret)
++ return sprintf(buf, "%d\n", temperature);
+
+- return sprintf(buf, "%d\n", temperature);
++ if (ret == -EAGAIN)
++ return -ENODATA;
++
++ return ret;
+ }
+
+ static ssize_t
+--
+2.39.5
+
--- /dev/null
+From 5299f9a7db908e67e3834b86ca622abea6a60168 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Jul 2025 11:00:55 +0200
+Subject: tools/nolibc: define time_t in terms of __kernel_old_time_t
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <linux@weissschuh.net>
+
+[ Upstream commit d5094bcb5bfdfea2cf0de8aaf77cc65db56cbdb5 ]
+
+Nolibc assumes that the kernel ABI is using a time values that are as
+large as a long integer. For most ABIs this holds true.
+But for x32 this is not correct, as it uses 32bit longs but 64bit times.
+
+Also the 'struct stat' implementation of nolibc relies on timespec::tv_sec
+and time_t being the same type. While timespec::tv_sec comes from the
+kernel and is of type __kernel_old_time_t, time_t is defined within nolibc.
+
+Switch to the __kernel_old_time_t to always get the correct type.
+
+Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
+Link: https://lore.kernel.org/r/20250712-nolibc-x32-v1-1-6d81cb798710@weissschuh.net
+Acked-by: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/include/nolibc/std.h | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tools/include/nolibc/std.h b/tools/include/nolibc/std.h
+index 1747ae125392..a0ea830e1ba1 100644
+--- a/tools/include/nolibc/std.h
++++ b/tools/include/nolibc/std.h
+@@ -33,6 +33,8 @@ typedef unsigned long uintptr_t;
+ typedef signed long intptr_t;
+ typedef signed long ptrdiff_t;
+
++#include <linux/types.h>
++
+ /* those are commonly provided by sys/types.h */
+ typedef unsigned int dev_t;
+ typedef unsigned long ino_t;
+@@ -44,6 +46,6 @@ typedef unsigned long nlink_t;
+ typedef signed long off_t;
+ typedef signed long blksize_t;
+ typedef signed long blkcnt_t;
+-typedef signed long time_t;
++typedef __kernel_old_time_t time_t;
+
+ #endif /* _NOLIBC_STD_H */
+--
+2.39.5
+
--- /dev/null
+From bf3f5fffee04a386d64998facd1bcda2ce4d0f9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jun 2025 07:39:33 -0700
+Subject: uapi: in6: restore visibility of most IPv6 socket options
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 31557b3487b349464daf42bc4366153743c1e727 ]
+
+A decade ago commit 6d08acd2d32e ("in6: fix conflict with glibc")
+hid the definitions of IPV6 options, because GCC was complaining
+about duplicates. The commit did not list the warnings seen, but
+trying to recreate them now I think they are (building iproute2):
+
+In file included from ./include/uapi/rdma/rdma_user_cm.h:39,
+ from rdma.h:16,
+ from res.h:9,
+ from res-ctx.c:7:
+../include/uapi/linux/in6.h:171:9: warning: ‘IPV6_ADD_MEMBERSHIP’ redefined
+ 171 | #define IPV6_ADD_MEMBERSHIP 20
+ | ^~~~~~~~~~~~~~~~~~~
+In file included from /usr/include/netinet/in.h:37,
+ from rdma.h:13:
+/usr/include/bits/in.h:233:10: note: this is the location of the previous definition
+ 233 | # define IPV6_ADD_MEMBERSHIP IPV6_JOIN_GROUP
+ | ^~~~~~~~~~~~~~~~~~~
+../include/uapi/linux/in6.h:172:9: warning: ‘IPV6_DROP_MEMBERSHIP’ redefined
+ 172 | #define IPV6_DROP_MEMBERSHIP 21
+ | ^~~~~~~~~~~~~~~~~~~~
+/usr/include/bits/in.h:234:10: note: this is the location of the previous definition
+ 234 | # define IPV6_DROP_MEMBERSHIP IPV6_LEAVE_GROUP
+ | ^~~~~~~~~~~~~~~~~~~~
+
+Compilers don't complain about redefinition if the defines
+are identical, but here we have the kernel using the literal
+value, and glibc using an indirection (defining to a name
+of another define, with the same numerical value).
+
+Problem is, the commit in question hid all the IPV6 socket
+options, and glibc has a pretty sparse list. For instance
+it lacks Flow Label related options. Willem called this out
+in commit 3fb321fde22d ("selftests/net: ipv6 flowlabel"):
+
+ /* uapi/glibc weirdness may leave this undefined */
+ #ifndef IPV6_FLOWINFO
+ #define IPV6_FLOWINFO 11
+ #endif
+
+More interestingly some applications (socat) use
+a #ifdef IPV6_FLOWINFO to gate compilation of thier
+rudimentary flow label support. (For added confusion
+socat misspells it as IPV4_FLOWINFO in some places.)
+
+Hide only the two defines we know glibc has a problem
+with. If we discover more warnings we can hide more
+but we should avoid covering the entire block of
+defines for "IPV6 socket options".
+
+Link: https://patch.msgid.link/20250609143933.1654417-1-kuba@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/in6.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/uapi/linux/in6.h b/include/uapi/linux/in6.h
+index ff8d21f9e95b..5a47339ef7d7 100644
+--- a/include/uapi/linux/in6.h
++++ b/include/uapi/linux/in6.h
+@@ -152,7 +152,6 @@ struct in6_flowlabel_req {
+ /*
+ * IPV6 socket options
+ */
+-#if __UAPI_DEF_IPV6_OPTIONS
+ #define IPV6_ADDRFORM 1
+ #define IPV6_2292PKTINFO 2
+ #define IPV6_2292HOPOPTS 3
+@@ -169,8 +168,10 @@ struct in6_flowlabel_req {
+ #define IPV6_MULTICAST_IF 17
+ #define IPV6_MULTICAST_HOPS 18
+ #define IPV6_MULTICAST_LOOP 19
++#if __UAPI_DEF_IPV6_OPTIONS
+ #define IPV6_ADD_MEMBERSHIP 20
+ #define IPV6_DROP_MEMBERSHIP 21
++#endif
+ #define IPV6_ROUTER_ALERT 22
+ #define IPV6_MTU_DISCOVER 23
+ #define IPV6_MTU 24
+@@ -203,7 +204,6 @@ struct in6_flowlabel_req {
+ #define IPV6_IPSEC_POLICY 34
+ #define IPV6_XFRM_POLICY 35
+ #define IPV6_HDRINCL 36
+-#endif
+
+ /*
+ * Multicast:
+--
+2.39.5
+
--- /dev/null
+From 72211be40d5ecce7806dd524713b5a5f3ca167ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jul 2025 19:01:20 +0200
+Subject: udf: Verify partition map count
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit 1a11201668e8635602577dcf06f2e96c591d8819 ]
+
+Verify that number of partition maps isn't insanely high which can lead
+to large allocation in udf_sb_alloc_partition_maps(). All partition maps
+have to fit in the LVD which is in a single block.
+
+Reported-by: syzbot+478f2c1a6f0f447a46bb@syzkaller.appspotmail.com
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/udf/super.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/fs/udf/super.c b/fs/udf/super.c
+index 4275d2bc0c36..69e4f00ce791 100644
+--- a/fs/udf/super.c
++++ b/fs/udf/super.c
+@@ -1411,7 +1411,7 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block,
+ struct genericPartitionMap *gpm;
+ uint16_t ident;
+ struct buffer_head *bh;
+- unsigned int table_len;
++ unsigned int table_len, part_map_count;
+ int ret;
+
+ bh = udf_read_tagged(sb, block, block, &ident);
+@@ -1432,7 +1432,16 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block,
+ "logical volume");
+ if (ret)
+ goto out_bh;
+- ret = udf_sb_alloc_partition_maps(sb, le32_to_cpu(lvd->numPartitionMaps));
++
++ part_map_count = le32_to_cpu(lvd->numPartitionMaps);
++ if (part_map_count > table_len / sizeof(struct genericPartitionMap1)) {
++ udf_err(sb, "error loading logical volume descriptor: "
++ "Too many partition maps (%u > %u)\n", part_map_count,
++ table_len / (unsigned)sizeof(struct genericPartitionMap1));
++ ret = -EIO;
++ goto out_bh;
++ }
++ ret = udf_sb_alloc_partition_maps(sb, part_map_count);
+ if (ret)
+ goto out_bh;
+
+--
+2.39.5
+
--- /dev/null
+From 482008d6661d74c474fb9eb5cd8aa507f82f02f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jun 2025 14:20:25 +0200
+Subject: usb: core: usb_submit_urb: downgrade type check
+
+From: Oliver Neukum <oneukum@suse.com>
+
+[ Upstream commit 503bbde34cc3dd2acd231f277ba70c3f9ed22e59 ]
+
+Checking for the endpoint type is no reason for a WARN, as that can
+cause a reboot. A driver not checking the endpoint type must not cause a
+reboot, as there is just no point in this. We cannot prevent a device
+from doing something incorrect as a reaction to a transfer. Hence
+warning for a mere assumption being wrong is not sensible.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/r/20250612122149.2559724-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/core/urb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/core/urb.c b/drivers/usb/core/urb.c
+index 33d62d7e3929..201f8519d9d6 100644
+--- a/drivers/usb/core/urb.c
++++ b/drivers/usb/core/urb.c
+@@ -499,7 +499,7 @@ int usb_submit_urb(struct urb *urb, gfp_t mem_flags)
+
+ /* Check that the pipe's type matches the endpoint's type */
+ if (usb_pipe_type_check(urb->dev, urb->pipe))
+- dev_WARN(&dev->dev, "BOGUS urb xfer, pipe %x != type %x\n",
++ dev_warn_once(&dev->dev, "BOGUS urb xfer, pipe %x != type %x\n",
+ usb_pipetype(urb->pipe), pipetypes[xfertype]);
+
+ /* Check against a simple/standard policy */
+--
+2.39.5
+
--- /dev/null
+From 5e8705fbb795ffa796e3151600ed12ab18d86117 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 17:40:58 +0200
+Subject: usb: typec: intel_pmc_mux: Defer probe if SCU IPC isn't present
+
+From: Tomasz Michalec <tmichalec@google.com>
+
+[ Upstream commit df9a825f330e76c72d1985bc9bdc4b8981e3d15f ]
+
+If pmc_usb_probe is called before SCU IPC is registered, pmc_usb_probe
+will fail.
+
+Return -EPROBE_DEFER when pmc_usb_probe doesn't get SCU IPC device, so
+the probe function can be called again after SCU IPC is initialized.
+
+Signed-off-by: Tomasz Michalec <tmichalec@google.com>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20250610154058.1859812-1-tmichalec@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/typec/mux/intel_pmc_mux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/typec/mux/intel_pmc_mux.c b/drivers/usb/typec/mux/intel_pmc_mux.c
+index a7313c2d9f0f..806ffeacdecb 100644
+--- a/drivers/usb/typec/mux/intel_pmc_mux.c
++++ b/drivers/usb/typec/mux/intel_pmc_mux.c
+@@ -650,7 +650,7 @@ static int pmc_usb_probe(struct platform_device *pdev)
+
+ pmc->ipc = devm_intel_scu_ipc_dev_get(&pdev->dev);
+ if (!pmc->ipc)
+- return -ENODEV;
++ return -EPROBE_DEFER;
+
+ pmc->dev = &pdev->dev;
+
+--
+2.39.5
+
--- /dev/null
+From 82d472796df3de318fb94ddfdba5d1fd671c558c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 20:08:05 +0000
+Subject: usb: typec: ucsi: psy: Set current max to 100mA for BC 1.2 and
+ Default
+
+From: Benson Leung <bleung@chromium.org>
+
+[ Upstream commit af833e7f7db3cf4c82f063668e1b52297a30ec18 ]
+
+ucsi_psy_get_current_max would return 0mA as the maximum current if
+UCSI detected a BC or a Default USB Power sporce.
+
+The comment in this function is true that we can't tell the difference
+between DCP/CDP or SDP chargers, but we can guarantee that at least 1-unit
+of USB 1.1/2.0 power is available, which is 100mA, which is a better
+fallback value than 0, which causes some userspaces, including the ChromeOS
+power manager, to regard this as a power source that is not providing
+any power.
+
+In reality, 100mA is guaranteed from all sources in these classes.
+
+Signed-off-by: Benson Leung <bleung@chromium.org>
+Reviewed-by: Jameson Thies <jthies@google.com>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Link: https://lore.kernel.org/r/20250717200805.3710473-1-bleung@chromium.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/typec/ucsi/psy.c | 2 +-
+ drivers/usb/typec/ucsi/ucsi.h | 7 ++++---
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/usb/typec/ucsi/psy.c b/drivers/usb/typec/ucsi/psy.c
+index 56bf56517f75..b7d16ad38c44 100644
+--- a/drivers/usb/typec/ucsi/psy.c
++++ b/drivers/usb/typec/ucsi/psy.c
+@@ -142,7 +142,7 @@ static int ucsi_psy_get_current_max(struct ucsi_connector *con,
+ case UCSI_CONSTAT_PWR_OPMODE_DEFAULT:
+ /* UCSI can't tell b/w DCP/CDP or USB2/3x1/3x2 SDP chargers */
+ default:
+- val->intval = 0;
++ val->intval = UCSI_TYPEC_DEFAULT_CURRENT * 1000;
+ break;
+ }
+ return 0;
+diff --git a/drivers/usb/typec/ucsi/ucsi.h b/drivers/usb/typec/ucsi/ucsi.h
+index 87b1a54d68e8..44c788b4a8b3 100644
+--- a/drivers/usb/typec/ucsi/ucsi.h
++++ b/drivers/usb/typec/ucsi/ucsi.h
+@@ -309,9 +309,10 @@ struct ucsi {
+ #define UCSI_MAX_SVID 5
+ #define UCSI_MAX_ALTMODES (UCSI_MAX_SVID * 6)
+
+-#define UCSI_TYPEC_VSAFE5V 5000
+-#define UCSI_TYPEC_1_5_CURRENT 1500
+-#define UCSI_TYPEC_3_0_CURRENT 3000
++#define UCSI_TYPEC_VSAFE5V 5000
++#define UCSI_TYPEC_DEFAULT_CURRENT 100
++#define UCSI_TYPEC_1_5_CURRENT 1500
++#define UCSI_TYPEC_3_0_CURRENT 3000
+
+ struct ucsi_connector {
+ int num;
+--
+2.39.5
+
--- /dev/null
+From 00eb8a7bd6be295ee56ced088931f545ea80ff36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 10:31:05 +0300
+Subject: usb: xhci: Avoid showing errors during surprise removal
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit 4b9c60e440525b729ac5f071e00bcee12e0a7e84 ]
+
+When a USB4 dock is unplugged from a system it won't respond to ring
+events. The PCI core handles the surprise removal event and notifies
+all PCI drivers. The XHCI PCI driver sets a flag that the device is
+being removed as well.
+
+When that flag is set don't show messages in the cleanup path for
+marking the controller dead.
+
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20250717073107.488599-2-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci-ring.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
+index 626f02605192..d56740af8160 100644
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -1297,12 +1297,15 @@ static void xhci_kill_endpoint_urbs(struct xhci_hcd *xhci,
+ */
+ void xhci_hc_died(struct xhci_hcd *xhci)
+ {
++ bool notify;
+ int i, j;
+
+ if (xhci->xhc_state & XHCI_STATE_DYING)
+ return;
+
+- xhci_err(xhci, "xHCI host controller not responding, assume dead\n");
++ notify = !(xhci->xhc_state & XHCI_STATE_REMOVING);
++ if (notify)
++ xhci_err(xhci, "xHCI host controller not responding, assume dead\n");
+ xhci->xhc_state |= XHCI_STATE_DYING;
+
+ xhci_cleanup_command_queue(xhci);
+@@ -1316,7 +1319,7 @@ void xhci_hc_died(struct xhci_hcd *xhci)
+ }
+
+ /* inform usb core hc died if PCI remove isn't already handling it */
+- if (!(xhci->xhc_state & XHCI_STATE_REMOVING))
++ if (notify)
+ usb_hc_died(xhci_to_hcd(xhci));
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 5cea7d149808f3e0ed477b3f58246050d752a772 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 10:31:06 +0300
+Subject: usb: xhci: Avoid showing warnings for dying controller
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit 65fc0fc137b5da3ee1f4ca4f61050fcb203d7582 ]
+
+When a USB4 dock is unplugged from a system it won't respond to ring
+events. The PCI core handles the surprise removal event and notifies
+all PCI drivers. The XHCI PCI driver sets a flag that the device is
+being removed, and when the device stops responding a flag is also
+added to indicate it's dying.
+
+When that flag is set don't bother to show warnings about a missing
+controller.
+
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20250717073107.488599-3-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
+index e9ebb6c7954f..2d8ca3356ff3 100644
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -118,7 +118,8 @@ int xhci_halt(struct xhci_hcd *xhci)
+ ret = xhci_handshake(&xhci->op_regs->status,
+ STS_HALT, STS_HALT, XHCI_MAX_HALT_USEC);
+ if (ret) {
+- xhci_warn(xhci, "Host halt failed, %d\n", ret);
++ if (!(xhci->xhc_state & XHCI_STATE_DYING))
++ xhci_warn(xhci, "Host halt failed, %d\n", ret);
+ return ret;
+ }
+ xhci->xhc_state |= XHCI_STATE_HALTED;
+@@ -175,7 +176,8 @@ int xhci_reset(struct xhci_hcd *xhci, u64 timeout_us)
+ state = readl(&xhci->op_regs->status);
+
+ if (state == ~(u32)0) {
+- xhci_warn(xhci, "Host not accessible, reset failed.\n");
++ if (!(xhci->xhc_state & XHCI_STATE_DYING))
++ xhci_warn(xhci, "Host not accessible, reset failed.\n");
+ return -ENODEV;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 436369cd9b388f9d0e3cb39c14c32f823b3a53d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Jul 2025 14:01:18 +0800
+Subject: usb: xhci: print xhci->xhc_state when queue_command failed
+
+From: Su Hui <suhui@nfschina.com>
+
+[ Upstream commit 7919407eca2ef562fa6c98c41cfdf6f6cdd69d92 ]
+
+When encounters some errors like these:
+xhci_hcd 0000:4a:00.2: xHCI dying or halted, can't queue_command
+xhci_hcd 0000:4a:00.2: FIXME: allocate a command ring segment
+usb usb5-port6: couldn't allocate usb_device
+
+It's hard to know whether xhc_state is dying or halted. So it's better
+to print xhc_state's value which can help locate the resaon of the bug.
+
+Signed-off-by: Su Hui <suhui@nfschina.com>
+Link: https://lore.kernel.org/r/20250725060117.1773770-1-suhui@nfschina.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci-ring.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
+index cd94b0a4e021..626f02605192 100644
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -4486,7 +4486,8 @@ static int queue_command(struct xhci_hcd *xhci, struct xhci_command *cmd,
+
+ if ((xhci->xhc_state & XHCI_STATE_DYING) ||
+ (xhci->xhc_state & XHCI_STATE_HALTED)) {
+- xhci_dbg(xhci, "xHCI dying or halted, can't queue_command\n");
++ xhci_dbg(xhci, "xHCI dying or halted, can't queue_command. state: 0x%x\n",
++ xhci->xhc_state);
+ return -ESHUTDOWN;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 20ea5a225c0dce5a3f9c266d3cb936c2608ad42a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 10:31:07 +0300
+Subject: usb: xhci: Set avg_trb_len = 8 for EP0 during Address Device Command
+
+From: Jay Chen <shawn2000100@gmail.com>
+
+[ Upstream commit f72b9aa821a2bfe4b6dfec4be19f264d0673b008 ]
+
+There is a subtle contradiction between sections of the xHCI 1.2 spec
+regarding the initialization of Input Endpoint Context fields. Section
+4.8.2 ("Endpoint Context Initialization") states that all fields should
+be initialized to 0. However, Section 6.2.3 ("Endpoint Context", p.453)
+specifies that the Average TRB Length (avg_trb_len) field shall be
+greater than 0, and explicitly notes (p.454): "Software shall set
+Average TRB Length to '8' for control endpoints."
+
+Strictly setting all fields to 0 during initialization conflicts with
+the specific recommendation for control endpoints. In practice, setting
+avg_trb_len = 0 is not meaningful for the hardware/firmware, as the
+value is used for bandwidth calculation.
+
+Motivation: Our company is developing a custom Virtual xHC hardware
+platform that strictly follows the xHCI spec and its recommendations.
+During validation, we observed that enumeration fails and a parameter
+error (TRB Completion Code = 5) is reported if avg_trb_len for EP0 is
+not set to 8 as recommended by Section 6.2.3. This demonstrates the
+importance of assigning a meaningful, non-zero value to avg_trb_len,
+even in virtualized or emulated environments.
+
+This patch explicitly sets avg_trb_len to 8 for EP0 in
+xhci_setup_addressable_virt_dev(), as recommended in Section 6.2.3, to
+prevent potential issues with xHCI host controllers that enforce the
+spec strictly.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=220033
+Signed-off-by: Jay Chen <shawn2000100@gmail.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20250717073107.488599-4-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci-mem.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
+index 149128b89100..43cbaadf933d 100644
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -1209,6 +1209,8 @@ int xhci_setup_addressable_virt_dev(struct xhci_hcd *xhci, struct usb_device *ud
+ ep0_ctx->deq = cpu_to_le64(dev->eps[0].ring->first_seg->dma |
+ dev->eps[0].ring->cycle_state);
+
++ ep0_ctx->tx_info = cpu_to_le32(EP_AVG_TRB_LENGTH(8));
++
+ trace_xhci_setup_addressable_virt_device(dev);
+
+ /* Steps 7 and 8 were done in xhci_alloc_virt_device() */
+--
+2.39.5
+
--- /dev/null
+From 5064002ccd542e4b0a1228293768b0afdbd1a979 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jul 2025 11:46:22 -0700
+Subject: vfio/type1: conditional rescheduling while pinning
+
+From: Keith Busch <kbusch@kernel.org>
+
+[ Upstream commit b1779e4f209c7ff7e32f3c79d69bca4e3a3a68b6 ]
+
+A large DMA mapping request can loop through dma address pinning for
+many pages. In cases where THP can not be used, the repeated vmf_insert_pfn can
+be costly, so let the task reschedule as need to prevent CPU stalls. Failure to
+do so has potential harmful side effects, like increased memory pressure
+as unrelated rcu tasks are unable to make their reclaim callbacks and
+result in OOM conditions.
+
+ rcu: INFO: rcu_sched self-detected stall on CPU
+ rcu: 36-....: (20999 ticks this GP) idle=b01c/1/0x4000000000000000 softirq=35839/35839 fqs=3538
+ rcu: hardirqs softirqs csw/system
+ rcu: number: 0 107 0
+ rcu: cputime: 50 0 10446 ==> 10556(ms)
+ rcu: (t=21075 jiffies g=377761 q=204059 ncpus=384)
+...
+ <TASK>
+ ? asm_sysvec_apic_timer_interrupt+0x16/0x20
+ ? walk_system_ram_range+0x63/0x120
+ ? walk_system_ram_range+0x46/0x120
+ ? pgprot_writethrough+0x20/0x20
+ lookup_memtype+0x67/0xf0
+ track_pfn_insert+0x20/0x40
+ vmf_insert_pfn_prot+0x88/0x140
+ vfio_pci_mmap_huge_fault+0xf9/0x1b0 [vfio_pci_core]
+ __do_fault+0x28/0x1b0
+ handle_mm_fault+0xef1/0x2560
+ fixup_user_fault+0xf5/0x270
+ vaddr_get_pfns+0x169/0x2f0 [vfio_iommu_type1]
+ vfio_pin_pages_remote+0x162/0x8e0 [vfio_iommu_type1]
+ vfio_iommu_type1_ioctl+0x1121/0x1810 [vfio_iommu_type1]
+ ? futex_wake+0x1c1/0x260
+ x64_sys_call+0x234/0x17a0
+ do_syscall_64+0x63/0x130
+ ? exc_page_fault+0x63/0x130
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Reviewed-by: Paul E. McKenney <paulmck@kernel.org>
+Link: https://lore.kernel.org/r/20250715184622.3561598-1-kbusch@meta.com
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/vfio_iommu_type1.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
+index 6a89bbec738f..03f4274bdbb7 100644
+--- a/drivers/vfio/vfio_iommu_type1.c
++++ b/drivers/vfio/vfio_iommu_type1.c
+@@ -696,6 +696,13 @@ static long vfio_pin_pages_remote(struct vfio_dma *dma, unsigned long vaddr,
+
+ while (npage) {
+ if (!batch->size) {
++ /*
++ * Large mappings may take a while to repeatedly refill
++ * the batch, so conditionally relinquish the CPU when
++ * needed to avoid stalls.
++ */
++ cond_resched();
++
+ /* Empty batch, so refill it. */
+ long req_pages = min_t(long, npage, batch->capacity);
+
+--
+2.39.5
+
--- /dev/null
+From 6793be909125287effabcdad3759cd0058c34f65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Jul 2025 16:47:53 +0800
+Subject: vhost: fail early when __vhost_add_used() fails
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jason Wang <jasowang@redhat.com>
+
+[ Upstream commit b4ba1207d45adaafa2982c035898b36af2d3e518 ]
+
+This patch fails vhost_add_used_n() early when __vhost_add_used()
+fails to make sure used idx is not updated with stale used ring
+information.
+
+Reported-by: Eugenio Pérez <eperezma@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Message-Id: <20250714084755.11921-2-jasowang@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Tested-by: Lei Yang <leiyang@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vhost/vhost.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
+index 061af5dc92e6..973e079025a9 100644
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -2421,6 +2421,9 @@ int vhost_add_used_n(struct vhost_virtqueue *vq, struct vring_used_elem *heads,
+ }
+ r = __vhost_add_used_n(vq, heads, count);
+
++ if (r < 0)
++ return r;
++
+ /* Make sure buffer is written before we update index. */
+ smp_wmb();
+ if (vhost_put_used_idx(vq)) {
+--
+2.39.5
+
--- /dev/null
+From 714e67fc8b7c1c4f5b11cbade7f9e575d71a549c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 18:55:02 +0200
+Subject: watchdog: dw_wdt: Fix default timeout
+
+From: Sebastian Reichel <sebastian.reichel@collabora.com>
+
+[ Upstream commit ac3dbb91e0167d017f44701dd51c1efe30d0c256 ]
+
+The Synopsys Watchdog driver sets the default timeout to 30 seconds,
+but on some devices this is not a valid timeout. E.g. on RK3588 the
+actual timeout being used is 44 seconds instead.
+
+Once the watchdog is started the value is updated accordingly, but
+it would be better to expose a sensible timeout to userspace without
+the need to first start the watchdog.
+
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20250717-dw-wdt-fix-initial-timeout-v1-1-86dc864d48dd@kernel.org
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/watchdog/dw_wdt.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/watchdog/dw_wdt.c b/drivers/watchdog/dw_wdt.c
+index 498c1c403fc9..7571fc2df541 100644
+--- a/drivers/watchdog/dw_wdt.c
++++ b/drivers/watchdog/dw_wdt.c
+@@ -660,6 +660,8 @@ static int dw_wdt_drv_probe(struct platform_device *pdev)
+ } else {
+ wdd->timeout = DW_WDT_DEFAULT_SECONDS;
+ watchdog_init_timeout(wdd, 0, dev);
++ /* Limit timeout value to hardware constraints. */
++ dw_wdt_set_timeout(wdd, wdd->timeout);
+ }
+
+ platform_set_drvdata(pdev, dw_wdt);
+--
+2.39.5
+
--- /dev/null
+From b2f72df6c4c967e5ea9dbfd509ef57d70637c3dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jul 2025 15:35:18 +0800
+Subject: watchdog: iTCO_wdt: Report error if timeout configuration fails
+
+From: Ziyan Fu <fuzy5@lenovo.com>
+
+[ Upstream commit 40efc43eb7ffb5a4e2f998c13b8cfb555e671b92 ]
+
+The driver probes with the invalid timeout value when
+'iTCO_wdt_set_timeout()' fails, as its return value is not checked. In
+this case, when executing "wdctl", we may get:
+
+Device: /dev/watchdog0
+Timeout: 30 seconds
+Timeleft: 613 seconds
+
+The timeout value is the value of "heartbeat" or "WATCHDOG_TIMEOUT", and
+the timeleft value is calculated from the register value we actually read
+(0xffff) by masking with 0x3ff and converting ticks to seconds (* 6 / 10).
+
+Add error handling to return the failure code if 'iTCO_wdt_set_timeout()'
+fails, ensuring the driver probe fails and prevents invalid operation.
+
+Signed-off-by: Ziyan Fu <fuzy5@lenovo.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20250704073518.7838-1-13281011316@163.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/watchdog/iTCO_wdt.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/watchdog/iTCO_wdt.c b/drivers/watchdog/iTCO_wdt.c
+index 3cebb83b3e67..02bcbfe8f8c9 100644
+--- a/drivers/watchdog/iTCO_wdt.c
++++ b/drivers/watchdog/iTCO_wdt.c
+@@ -605,7 +605,11 @@ static int iTCO_wdt_probe(struct platform_device *pdev)
+ /* Check that the heartbeat value is within it's range;
+ if not reset to the default */
+ if (iTCO_wdt_set_timeout(&p->wddev, heartbeat)) {
+- iTCO_wdt_set_timeout(&p->wddev, WATCHDOG_TIMEOUT);
++ ret = iTCO_wdt_set_timeout(&p->wddev, WATCHDOG_TIMEOUT);
++ if (ret != 0) {
++ dev_err(dev, "Failed to set watchdog timeout (%d)\n", WATCHDOG_TIMEOUT);
++ return ret;
++ }
+ dev_info(dev, "timeout value out of range, using %d\n",
+ WATCHDOG_TIMEOUT);
+ }
+--
+2.39.5
+
--- /dev/null
+From c8c758c6a1339599d5c76acadab5ecbe3c5b34e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jul 2025 16:06:39 -0700
+Subject: watchdog: sbsa: Adjust keepalive timeout to avoid MediaTek WS0 race
+ condition
+
+From: Aaron Plattner <aplattner@nvidia.com>
+
+[ Upstream commit 48defdf6b083f74a44e1f742db284960d3444aec ]
+
+The MediaTek implementation of the sbsa_gwdt watchdog has a race
+condition where a write to SBSA_GWDT_WRR is ignored if it occurs while
+the hardware is processing a timeout refresh that asserts WS0.
+
+Detect this based on the hardware implementer and adjust
+wdd->min_hw_heartbeat_ms to avoid the race by forcing the keepalive ping
+to be one second later.
+
+Signed-off-by: Aaron Plattner <aplattner@nvidia.com>
+Acked-by: Timur Tabi <ttabi@nvidia.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20250721230640.2244915-1-aplattner@nvidia.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/watchdog/sbsa_gwdt.c | 50 +++++++++++++++++++++++++++++++++---
+ 1 file changed, 47 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/watchdog/sbsa_gwdt.c b/drivers/watchdog/sbsa_gwdt.c
+index 7bf28545b47a..f07ffc7b8312 100644
+--- a/drivers/watchdog/sbsa_gwdt.c
++++ b/drivers/watchdog/sbsa_gwdt.c
+@@ -76,11 +76,17 @@
+ #define SBSA_GWDT_VERSION_MASK 0xF
+ #define SBSA_GWDT_VERSION_SHIFT 16
+
++#define SBSA_GWDT_IMPL_MASK 0x7FF
++#define SBSA_GWDT_IMPL_SHIFT 0
++#define SBSA_GWDT_IMPL_MEDIATEK 0x426
++
+ /**
+ * struct sbsa_gwdt - Internal representation of the SBSA GWDT
+ * @wdd: kernel watchdog_device structure
+ * @clk: store the System Counter clock frequency, in Hz.
+ * @version: store the architecture version
++ * @need_ws0_race_workaround:
++ * indicate whether to adjust wdd->timeout to avoid a race with WS0
+ * @refresh_base: Virtual address of the watchdog refresh frame
+ * @control_base: Virtual address of the watchdog control frame
+ */
+@@ -88,6 +94,7 @@ struct sbsa_gwdt {
+ struct watchdog_device wdd;
+ u32 clk;
+ int version;
++ bool need_ws0_race_workaround;
+ void __iomem *refresh_base;
+ void __iomem *control_base;
+ };
+@@ -162,6 +169,31 @@ static int sbsa_gwdt_set_timeout(struct watchdog_device *wdd,
+ */
+ sbsa_gwdt_reg_write(((u64)gwdt->clk / 2) * timeout, gwdt);
+
++ /*
++ * Some watchdog hardware has a race condition where it will ignore
++ * sbsa_gwdt_keepalive() if it is called at the exact moment that a
++ * timeout occurs and WS0 is being asserted. Unfortunately, the default
++ * behavior of the watchdog core is very likely to trigger this race
++ * when action=0 because it programs WOR to be half of the desired
++ * timeout, and watchdog_next_keepalive() chooses the exact same time to
++ * send keepalive pings.
++ *
++ * This triggers a race where sbsa_gwdt_keepalive() can be called right
++ * as WS0 is being asserted, and affected hardware will ignore that
++ * write and continue to assert WS0. After another (timeout / 2)
++ * seconds, the same race happens again. If the driver wins then the
++ * explicit refresh will reset WS0 to false but if the hardware wins,
++ * then WS1 is asserted and the system resets.
++ *
++ * Avoid the problem by scheduling keepalive heartbeats one second later
++ * than the WOR timeout.
++ *
++ * This workaround might not be needed in a future revision of the
++ * hardware.
++ */
++ if (gwdt->need_ws0_race_workaround)
++ wdd->min_hw_heartbeat_ms = timeout * 500 + 1000;
++
+ return 0;
+ }
+
+@@ -203,12 +235,15 @@ static int sbsa_gwdt_keepalive(struct watchdog_device *wdd)
+ static void sbsa_gwdt_get_version(struct watchdog_device *wdd)
+ {
+ struct sbsa_gwdt *gwdt = watchdog_get_drvdata(wdd);
+- int ver;
++ int iidr, ver, impl;
+
+- ver = readl(gwdt->control_base + SBSA_GWDT_W_IIDR);
+- ver = (ver >> SBSA_GWDT_VERSION_SHIFT) & SBSA_GWDT_VERSION_MASK;
++ iidr = readl(gwdt->control_base + SBSA_GWDT_W_IIDR);
++ ver = (iidr >> SBSA_GWDT_VERSION_SHIFT) & SBSA_GWDT_VERSION_MASK;
++ impl = (iidr >> SBSA_GWDT_IMPL_SHIFT) & SBSA_GWDT_IMPL_MASK;
+
+ gwdt->version = ver;
++ gwdt->need_ws0_race_workaround =
++ !action && (impl == SBSA_GWDT_IMPL_MEDIATEK);
+ }
+
+ static int sbsa_gwdt_start(struct watchdog_device *wdd)
+@@ -300,6 +335,15 @@ static int sbsa_gwdt_probe(struct platform_device *pdev)
+ else
+ wdd->max_hw_heartbeat_ms = GENMASK_ULL(47, 0) / gwdt->clk * 1000;
+
++ if (gwdt->need_ws0_race_workaround) {
++ /*
++ * A timeout of 3 seconds means that WOR will be set to 1.5
++ * seconds and the heartbeat will be scheduled every 2.5
++ * seconds.
++ */
++ wdd->min_timeout = 3;
++ }
++
+ status = readl(cf_base + SBSA_GWDT_WCS);
+ if (status & SBSA_GWDT_WCS_WS1) {
+ dev_warn(dev, "System reset by WDT.\n");
+--
+2.39.5
+
--- /dev/null
+From f17377eba583f2771847fc276311c5e7af7ecdfb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jul 2025 23:37:55 +0300
+Subject: wifi: cfg80211: Fix interface type validation
+
+From: Ilan Peer <ilan.peer@intel.com>
+
+[ Upstream commit 14450be2332a49445106403492a367412b8c23f4 ]
+
+Fix a condition that verified valid values of interface types.
+
+Signed-off-by: Ilan Peer <ilan.peer@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20250709233537.7ad199ca5939.I0ac1ff74798bf59a87a57f2e18f2153c308b119b@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/cfg80211.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
+index 963a810ed70d..66a75723f559 100644
+--- a/include/net/cfg80211.h
++++ b/include/net/cfg80211.h
+@@ -507,7 +507,7 @@ ieee80211_get_sband_iftype_data(const struct ieee80211_supported_band *sband,
+ {
+ int i;
+
+- if (WARN_ON(iftype >= NL80211_IFTYPE_MAX))
++ if (WARN_ON(iftype >= NUM_NL80211_IFTYPES))
+ return NULL;
+
+ if (iftype == NL80211_IFTYPE_AP_VLAN)
+--
+2.39.5
+
--- /dev/null
+From 4e0dfcb9213819077272a623f85a463225f27cda Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jul 2025 20:23:06 +0200
+Subject: wifi: cfg80211: reject HTC bit for management frames
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit be06a8c7313943109fa870715356503c4c709cbc ]
+
+Management frames sent by userspace should never have the
+order/HTC bit set, reject that. It could also cause some
+confusion with the length of the buffer and the header so
+the validation might end up wrong.
+
+Link: https://patch.msgid.link/20250718202307.97a0455f0f35.I1805355c7e331352df16611839bc8198c855a33f@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/mlme.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/wireless/mlme.c b/net/wireless/mlme.c
+index 783acd2c4211..5c805a2bda62 100644
+--- a/net/wireless/mlme.c
++++ b/net/wireless/mlme.c
+@@ -661,7 +661,8 @@ int cfg80211_mlme_mgmt_tx(struct cfg80211_registered_device *rdev,
+
+ mgmt = (const struct ieee80211_mgmt *)params->buf;
+
+- if (!ieee80211_is_mgmt(mgmt->frame_control))
++ if (!ieee80211_is_mgmt(mgmt->frame_control) ||
++ ieee80211_has_order(mgmt->frame_control))
+ return -EINVAL;
+
+ stype = le16_to_cpu(mgmt->frame_control) & IEEE80211_FCTL_STYPE;
+--
+2.39.5
+
--- /dev/null
+From ac654087809482dc91614d27d188d7b698f812a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 25 May 2025 16:45:24 +0200
+Subject: wifi: iwlegacy: Check rate_idx range after addition
+
+From: Stanislaw Gruszka <stf_xl@wp.pl>
+
+[ Upstream commit 0de19d5ae0b2c5b18b88c5c7f0442f707a207409 ]
+
+Limit rate_idx to IL_LAST_OFDM_RATE for 5GHz band for thinkable case
+the index is incorrect.
+
+Reported-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Reported-by: Alexei Safin <a.safin@rosa.ru>
+Signed-off-by: Stanislaw Gruszka <stf_xl@wp.pl>
+Reviewed-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Link: https://patch.msgid.link/20250525144524.GA172583@wp.pl
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlegacy/4965-mac.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlegacy/4965-mac.c b/drivers/net/wireless/intel/iwlegacy/4965-mac.c
+index ceab7704897d..df9d139a008e 100644
+--- a/drivers/net/wireless/intel/iwlegacy/4965-mac.c
++++ b/drivers/net/wireless/intel/iwlegacy/4965-mac.c
+@@ -1575,8 +1575,11 @@ il4965_tx_cmd_build_rate(struct il_priv *il,
+ || rate_idx > RATE_COUNT_LEGACY)
+ rate_idx = rate_lowest_index(&il->bands[info->band], sta);
+ /* For 5 GHZ band, remap mac80211 rate indices into driver indices */
+- if (info->band == NL80211_BAND_5GHZ)
++ if (info->band == NL80211_BAND_5GHZ) {
+ rate_idx += IL_FIRST_OFDM_RATE;
++ if (rate_idx > IL_LAST_OFDM_RATE)
++ rate_idx = IL_LAST_OFDM_RATE;
++ }
+ /* Get PLCP rate for tx_cmd->rate_n_flags */
+ rate_plcp = il_rates[rate_idx].plcp;
+ /* Zero out flags for this packet */
+--
+2.39.5
+
--- /dev/null
+From 52168175ba9e8ec1e2b50ff1671d2188ba5a655f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Mar 2024 13:17:55 +0300
+Subject: wifi: iwlwifi: dvm: fix potential overflow in rs_fill_link_cmd()
+
+From: Rand Deeb <rand.sec96@gmail.com>
+
+[ Upstream commit e3ad987e9dc7d1e12e3f2f1e623f0e174cd0ca78 ]
+
+The 'index' variable in the rs_fill_link_cmd() function can reach
+LINK_QUAL_MAX_RETRY_NUM during the execution of the inner loop. This
+variable is used as an index for the lq_cmd->rs_table array, which has a
+size of LINK_QUAL_MAX_RETRY_NUM, without proper validation.
+
+Modify the condition of the inner loop to ensure that the 'index' variable
+does not exceed LINK_QUAL_MAX_RETRY_NUM - 1, thereby preventing any
+potential overflow issues.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Signed-off-by: Rand Deeb <rand.sec96@gmail.com>
+Link: https://patch.msgid.link/20240313101755.269209-1-rand.sec96@gmail.com
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/dvm/rs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/rs.c b/drivers/net/wireless/intel/iwlwifi/dvm/rs.c
+index 958bfc38d390..f44448a13172 100644
+--- a/drivers/net/wireless/intel/iwlwifi/dvm/rs.c
++++ b/drivers/net/wireless/intel/iwlwifi/dvm/rs.c
+@@ -2926,7 +2926,7 @@ static void rs_fill_link_cmd(struct iwl_priv *priv,
+ /* Repeat initial/next rate.
+ * For legacy IWL_NUMBER_TRY == 1, this loop will not execute.
+ * For HT IWL_HT_NUMBER_TRY == 3, this executes twice. */
+- while (repeat_rate > 0 && (index < LINK_QUAL_MAX_RETRY_NUM)) {
++ while (repeat_rate > 0 && index < (LINK_QUAL_MAX_RETRY_NUM - 1)) {
+ if (is_legacy(tbl_type.lq_type)) {
+ if (ant_toggle_cnt < NUM_TRY_BEFORE_ANT_TOGGLE)
+ ant_toggle_cnt++;
+--
+2.39.5
+
--- /dev/null
+From 76995f54851dc5c9867a50a7e9ed1bad20b04ebf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 22:26:23 +0300
+Subject: wifi: iwlwifi: fw: Fix possible memory leak in iwl_fw_dbg_collect
+
+From: Pagadala Yesu Anjaneyulu <pagadala.yesu.anjaneyulu@intel.com>
+
+[ Upstream commit cc8d9cbf269dab363c768bfa9312265bc807fca5 ]
+
+Ensure descriptor is freed on error to avoid memory leak.
+
+Signed-off-by: Pagadala Yesu Anjaneyulu <pagadala.yesu.anjaneyulu@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20250611222325.8158d15ec866.Ifa3e422c302397111f20a16da7509e6574bc19e3@changeid
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/fw/dbg.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
+index f1d07ddb3f83..2c5358fc05b1 100644
+--- a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
++++ b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
+@@ -2561,6 +2561,7 @@ int iwl_fw_dbg_collect(struct iwl_fw_runtime *fwrt,
+ struct iwl_fw_dump_desc *desc;
+ unsigned int delay = 0;
+ bool monitor_only = false;
++ int ret;
+
+ if (trigger) {
+ u16 occurrences = le16_to_cpu(trigger->occurrences) - 1;
+@@ -2591,7 +2592,11 @@ int iwl_fw_dbg_collect(struct iwl_fw_runtime *fwrt,
+ desc->trig_desc.type = cpu_to_le32(trig);
+ memcpy(desc->trig_desc.data, str, len);
+
+- return iwl_fw_dbg_collect_desc(fwrt, desc, monitor_only, delay);
++ ret = iwl_fw_dbg_collect_desc(fwrt, desc, monitor_only, delay);
++ if (ret)
++ kfree(desc);
++
++ return ret;
+ }
+ IWL_EXPORT_SYMBOL(iwl_fw_dbg_collect);
+
+--
+2.39.5
+
--- /dev/null
+From d4822cf1f006dade7330ad55b16071be4d5302b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jul 2025 23:05:43 +0300
+Subject: wifi: iwlwifi: mvm: fix scan request validation
+
+From: Avraham Stern <avraham.stern@intel.com>
+
+[ Upstream commit 7c2f3ec7707188d8d5269ae2dce97d7be3e9f261 ]
+
+The scan request validation function uses bitwise and instead
+of logical and. Fix it.
+
+Signed-off-by: Avraham Stern <avraham.stern@intel.com>
+Reviewed-by: Ilan Peer <ilan.peer@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20250709230308.3fbc1f27871b.I7a8ee91f463c1a2d9d8561c8232e196885d02c43@changeid
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
+index 16818dcdae22..3d0396b8afaa 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
+@@ -832,7 +832,7 @@ static inline bool iwl_mvm_scan_fits(struct iwl_mvm *mvm, int n_ssids,
+ int n_channels)
+ {
+ return ((n_ssids <= PROBE_OPTION_MAX) &&
+- (n_channels <= mvm->fw->ucode_capa.n_scan_channels) &
++ (n_channels <= mvm->fw->ucode_capa.n_scan_channels) &&
+ (ies->common_ie_len +
+ ies->len[NL80211_BAND_2GHZ] + ies->len[NL80211_BAND_5GHZ] +
+ ies->len[NL80211_BAND_6GHZ] <=
+--
+2.39.5
+
--- /dev/null
+From 5c409f0f1b7c62501c8a32917de4c54525b3ed8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jun 2025 21:35:27 +0300
+Subject: wifi: mac80211: don't complete management TX on SAE commit
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 6b04716cdcac37bdbacde34def08bc6fdb5fc4e2 ]
+
+When SAE commit is sent and received in response, there's no
+ordering for the SAE confirm messages. As such, don't call
+drivers to stop listening on the channel when the confirm
+message is still expected.
+
+This fixes an issue if the local confirm is transmitted later
+than the AP's confirm, for iwlwifi (and possibly mt76) the
+AP's confirm would then get lost since the device isn't on
+the channel at the time the AP transmit the confirm.
+
+For iwlwifi at least, this also improves the overall timing
+of the authentication handshake (by about 15ms according to
+the report), likely since the session protection won't be
+aborted and rescheduled.
+
+Note that even before this, mgd_complete_tx() wasn't always
+called for each call to mgd_prepare_tx() (e.g. in the case
+of WEP key shared authentication), and the current drivers
+that have the complete callback don't seem to mind. Document
+this as well though.
+
+Reported-by: Jan Hendrik Farr <kernel@jfarr.cc>
+Closes: https://lore.kernel.org/all/aB30Ea2kRG24LINR@archlinux/
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20250609213232.12691580e140.I3f1d3127acabcd58348a110ab11044213cf147d3@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/mac80211.h | 2 ++
+ net/mac80211/mlme.c | 9 ++++++++-
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/include/net/mac80211.h b/include/net/mac80211.h
+index c713edfbe2b6..f101ef4a1fd6 100644
+--- a/include/net/mac80211.h
++++ b/include/net/mac80211.h
+@@ -3787,6 +3787,8 @@ struct ieee80211_prep_tx_info {
+ * @mgd_complete_tx: Notify the driver that the response frame for a previously
+ * transmitted frame announced with @mgd_prepare_tx was received, the data
+ * is filled similarly to @mgd_prepare_tx though the duration is not used.
++ * Note that this isn't always called for each mgd_prepare_tx() call, for
++ * example for SAE the 'confirm' messages can be on the air in any order.
+ *
+ * @mgd_protect_tdls_discover: Protect a TDLS discovery session. After sending
+ * a TDLS discovery-request, we expect a reply to arrive on the AP's
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index ae379bd9dccc..6e86a23c647d 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -2960,6 +2960,7 @@ static void ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata,
+ struct ieee80211_prep_tx_info info = {
+ .subtype = IEEE80211_STYPE_AUTH,
+ };
++ bool sae_need_confirm = false;
+
+ sdata_assert_lock(sdata);
+
+@@ -3005,6 +3006,8 @@ static void ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata,
+ jiffies + IEEE80211_AUTH_WAIT_SAE_RETRY;
+ ifmgd->auth_data->timeout_started = true;
+ run_again(sdata, ifmgd->auth_data->timeout);
++ if (auth_transaction == 1)
++ sae_need_confirm = true;
+ goto notify_driver;
+ }
+
+@@ -3047,6 +3050,9 @@ static void ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata,
+ ifmgd->auth_data->expected_transaction == 2)) {
+ if (!ieee80211_mark_sta_auth(sdata, bssid))
+ return; /* ignore frame -- wait for timeout */
++ } else if (ifmgd->auth_data->algorithm == WLAN_AUTH_SAE &&
++ auth_transaction == 1) {
++ sae_need_confirm = true;
+ } else if (ifmgd->auth_data->algorithm == WLAN_AUTH_SAE &&
+ auth_transaction == 2) {
+ sdata_info(sdata, "SAE peer confirmed\n");
+@@ -3055,7 +3061,8 @@ static void ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata,
+
+ cfg80211_rx_mlme_mgmt(sdata->dev, (u8 *)mgmt, len);
+ notify_driver:
+- drv_mgd_complete_tx(sdata->local, sdata, &info);
++ if (!sae_need_confirm)
++ drv_mgd_complete_tx(sdata->local, sdata, &info);
+ }
+
+ #define case_WLAN(type) \
+--
+2.39.5
+
--- /dev/null
+From e4186a236de99a34b867fea32ce36a9642847a77 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Jun 2025 12:56:30 +0200
+Subject: wifi: rtlwifi: fix possible skb memory leak in
+ `_rtl_pci_rx_interrupt()`.
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 44c0e191004f0e3aa1bdee3be248be14dbe5b020 ]
+
+The function `_rtl_pci_init_one_rxdesc()` can fail even when the new
+`skb` is passed because of a DMA mapping error. If it fails, the `skb`
+is not saved in the rx ringbuffer and thus lost.
+
+Compile tested only
+
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Acked-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20250616105631.444309-4-fourier.thomas@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/pci.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c
+index f024533d34a9..bccb959d8210 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
+@@ -803,13 +803,19 @@ static void _rtl_pci_rx_interrupt(struct ieee80211_hw *hw)
+ skb = new_skb;
+ no_new:
+ if (rtlpriv->use_new_trx_flow) {
+- _rtl_pci_init_one_rxdesc(hw, skb, (u8 *)buffer_desc,
+- rxring_idx,
+- rtlpci->rx_ring[rxring_idx].idx);
++ if (!_rtl_pci_init_one_rxdesc(hw, skb, (u8 *)buffer_desc,
++ rxring_idx,
++ rtlpci->rx_ring[rxring_idx].idx)) {
++ if (new_skb)
++ dev_kfree_skb_any(skb);
++ }
+ } else {
+- _rtl_pci_init_one_rxdesc(hw, skb, (u8 *)pdesc,
+- rxring_idx,
+- rtlpci->rx_ring[rxring_idx].idx);
++ if (!_rtl_pci_init_one_rxdesc(hw, skb, (u8 *)pdesc,
++ rxring_idx,
++ rtlpci->rx_ring[rxring_idx].idx)) {
++ if (new_skb)
++ dev_kfree_skb_any(skb);
++ }
+ if (rtlpci->rx_ring[rxring_idx].idx ==
+ rtlpci->rxringcount - 1)
+ rtlpriv->cfg->ops->set_desc(hw, (u8 *)pdesc,
+--
+2.39.5
+
--- /dev/null
+From c2cd84176b0bcea20cf31b15722578e8af695375 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Jun 2025 09:38:36 +0200
+Subject: wifi: rtlwifi: fix possible skb memory leak in
+ _rtl_pci_init_one_rxdesc()
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 76b3e5078d76f0eeadb7aacf9845399f8473da0d ]
+
+When `dma_mapping_error()` is true, if a new `skb` has been allocated,
+then it must be de-allocated.
+
+Compile tested only
+
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20250613074014.69856-2-fourier.thomas@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/pci.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c
+index bccb959d8210..02821588673e 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
+@@ -573,8 +573,11 @@ static int _rtl_pci_init_one_rxdesc(struct ieee80211_hw *hw,
+ dma_map_single(&rtlpci->pdev->dev, skb_tail_pointer(skb),
+ rtlpci->rxbuffersize, DMA_FROM_DEVICE);
+ bufferaddress = *((dma_addr_t *)skb->cb);
+- if (dma_mapping_error(&rtlpci->pdev->dev, bufferaddress))
++ if (dma_mapping_error(&rtlpci->pdev->dev, bufferaddress)) {
++ if (!new_skb)
++ kfree_skb(skb);
+ return 0;
++ }
+ rtlpci->rx_ring[rxring_idx].rx_buf[desc_idx] = skb;
+ if (rtlpriv->use_new_trx_flow) {
+ /* skb->cb may be 64 bit address */
+--
+2.39.5
+
--- /dev/null
+From 9b37cee75ffaef23216e7c868d0c921d5c8adff2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 10:29:31 -0700
+Subject: x86/bugs: Avoid warning when overriding return thunk
+
+From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+
+[ Upstream commit 9f85fdb9fc5a1bd308a10a0a7d7e34f2712ba58b ]
+
+The purpose of the warning is to prevent an unexpected change to the return
+thunk mitigation. However, there are legitimate cases where the return
+thunk is intentionally set more than once. For example, ITS and SRSO both
+can set the return thunk after retbleed has set it. In both the cases
+retbleed is still mitigated.
+
+Replace the warning with an info about the active return thunk.
+
+Suggested-by: Borislav Petkov <bp@alien8.de>
+Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Link: https://lore.kernel.org/20250611-eibrs-fix-v4-3-5ff86cac6c61@linux.intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/bugs.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
+index 261aa716971d..9e313ee9ba66 100644
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -70,10 +70,9 @@ void (*x86_return_thunk)(void) __ro_after_init = &__x86_return_thunk;
+
+ static void __init set_return_thunk(void *thunk)
+ {
+- if (x86_return_thunk != __x86_return_thunk)
+- pr_warn("x86/bugs: return thunk changed\n");
+-
+ x86_return_thunk = thunk;
++
++ pr_info("active return thunk: %ps\n", thunk);
+ }
+
+ /* Update SPEC_CTRL MSR and its cached copy unconditionally */
+--
+2.39.5
+
--- /dev/null
+From 96fc490836cebccbe623dd867bb20048a41f1d14 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jul 2025 09:34:54 +0000
+Subject: xen/netfront: Fix TX response spurious interrupts
+
+From: Anthoine Bourgeois <anthoine.bourgeois@vates.tech>
+
+[ Upstream commit 114a2de6fa86d99ed9546cc9113a3cad58beef79 ]
+
+We found at Vates that there are lot of spurious interrupts when
+benchmarking the xen-net PV driver frontend. This issue appeared with a
+patch that addresses security issue XSA-391 (b27d47950e48 "xen/netfront:
+harden netfront against event channel storms"). On an iperf benchmark,
+spurious interrupts can represent up to 50% of the interrupts.
+
+Spurious interrupts are interrupts that are rised for nothing, there is
+no work to do. This appends because the function that handles the
+interrupts ("xennet_tx_buf_gc") is also called at the end of the request
+path to garbage collect the responses received during the transmission
+load.
+
+The request path is doing the work that the interrupt handler should
+have done otherwise. This is particurary true when there is more than
+one vcpu and get worse linearly with the number of vcpu/queue.
+
+Moreover, this problem is amplifyed by the penalty imposed by a spurious
+interrupt. When an interrupt is found spurious the interrupt chip will
+delay the EOI to slowdown the backend. This delay will allow more
+responses to be handled by the request path and then there will be more
+chance the next interrupt will not find any work to do, creating a new
+spurious interrupt.
+
+This causes performance issue. The solution here is to remove the calls
+from the request path and let the interrupt handler do the processing of
+the responses. This approch removes most of the spurious interrupts
+(<0.05%) and also has the benefit of freeing up cycles in the request
+path, allowing it to process more work, which improves performance
+compared to masking the spurious interrupt one way or another.
+
+This optimization changes a part of the code that is present since the
+net frontend driver was upstreamed. There is no similar pattern in the
+other xen PV drivers. Since the first commit of xen-netfront is a blob
+that doesn't explain all the design choices I can only guess why this
+specific mecanism was here. This could have been introduce to compensate
+a slow backend at the time (maybe the backend was fixed or optimize
+later) or a small queue. In 18 years, both frontend and backend gain lot
+of features and optimizations that could have obsolete the feature of
+reaping completions from the TX path.
+
+Some vif throughput performance figures from a 8 vCPUs, 4GB of RAM HVM
+guest(s):
+
+Without this patch on the :
+vm -> dom0: 4.5Gb/s
+vm -> vm: 7.0Gb/s
+
+Without XSA-391 patch (revert of b27d47950e48):
+vm -> dom0: 8.3Gb/s
+vm -> vm: 8.7Gb/s
+
+With XSA-391 and this patch:
+vm -> dom0: 11.5Gb/s
+vm -> vm: 12.6Gb/s
+
+v2:
+- add revewed and tested by tags
+- resend with the maintainers in the recipients list
+
+v3:
+- remove Fixes tag but keep the commit ref in the explanation
+- add a paragraph on why this code was here
+
+Signed-off-by: Anthoine Bourgeois <anthoine.bourgeois@vates.tech>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Tested-by: Elliott Mitchell <ehem+xen@m5p.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Message-ID: <20250721093316.23560-1-anthoine.bourgeois@vates.tech>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/xen-netfront.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
+index 0add51f1b7e4..4b19d54fa2e2 100644
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -639,8 +639,6 @@ static int xennet_xdp_xmit_one(struct net_device *dev,
+ tx_stats->packets++;
+ u64_stats_update_end(&tx_stats->syncp);
+
+- xennet_tx_buf_gc(queue);
+-
+ return 0;
+ }
+
+@@ -850,9 +848,6 @@ static netdev_tx_t xennet_start_xmit(struct sk_buff *skb, struct net_device *dev
+ tx_stats->packets++;
+ u64_stats_update_end(&tx_stats->syncp);
+
+- /* Note: It is not safe to access skb after xennet_tx_buf_gc()! */
+- xennet_tx_buf_gc(queue);
+-
+ if (!netfront_tx_slot_available(queue))
+ netif_tx_stop_queue(netdev_get_tx_queue(dev, queue->id));
+
+--
+2.39.5
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
