--- /dev/null
+From stable+bounces-169432-greg=kroah.com@vger.kernel.org Wed Aug 13 18:04:13 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Aug 2025 11:55:06 -0400
+Subject: ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx()
+To: stable@vger.kernel.org
+Cc: "Geoffrey D. Bennett" <g@b4.vu>, Takashi Iwai <tiwai@suse.de>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250813155506.2051597-1-sashal@kernel.org>
+
+From: "Geoffrey D. Bennett" <g@b4.vu>
+
+[ Upstream commit 8a15ca0ca51399b652b1bbb23b590b220cf03d62 ]
+
+During communication with Focusrite Scarlett Gen 2/3/4 USB audio
+interfaces, -EPROTO is sometimes returned from scarlett2_usb_tx(),
+snd_usb_ctl_msg() which can cause initialisation and control
+operations to fail intermittently.
+
+This patch adds up to 5 retries in scarlett2_usb(), with a delay
+starting at 5ms and doubling each time. This follows the same approach
+as the fix for usb_set_interface() in endpoint.c (commit f406005e162b
+("ALSA: usb-audio: Add retry on -EPROTO from usb_set_interface()")),
+which resolved similar -EPROTO issues during device initialisation,
+and is the same approach as in fcp.c:fcp_usb().
+
+Fixes: 9e4d5c1be21f ("ALSA: usb-audio: Scarlett Gen 2 mixer interface")
+Closes: https://github.com/geoffreybennett/linux-fcp/issues/41
+Cc: stable@vger.kernel.org
+Signed-off-by: Geoffrey D. Bennett <g@b4.vu>
+Link: https://patch.msgid.link/aIdDO6ld50WQwNim@m.b4.vu
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+[ Applied retry logic directly in scarlett2_usb() instead of scarlett2_usb_tx() ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/mixer_scarlett_gen2.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/sound/usb/mixer_scarlett_gen2.c
++++ b/sound/usb/mixer_scarlett_gen2.c
+@@ -95,6 +95,7 @@
+ #include <linux/slab.h>
+ #include <linux/usb.h>
+ #include <linux/moduleparam.h>
++#include <linux/delay.h>
+
+ #include <sound/control.h>
+ #include <sound/tlv.h>
+@@ -591,6 +592,8 @@ static int scarlett2_usb(
+ u16 req_buf_size = sizeof(struct scarlett2_usb_packet) + req_size;
+ u16 resp_buf_size = sizeof(struct scarlett2_usb_packet) + resp_size;
+ struct scarlett2_usb_packet *req = NULL, *resp = NULL;
++ int retries = 0;
++ const int max_retries = 5;
+ int err = 0;
+
+ req = kmalloc(req_buf_size, GFP_KERNEL);
+@@ -614,6 +617,7 @@ static int scarlett2_usb(
+ if (req_size)
+ memcpy(req->data, req_data, req_size);
+
++retry:
+ err = snd_usb_ctl_msg(mixer->chip->dev,
+ usb_sndctrlpipe(mixer->chip->dev, 0),
+ SCARLETT2_USB_VENDOR_SPECIFIC_CMD_REQ,
+@@ -624,6 +628,10 @@ static int scarlett2_usb(
+ req_buf_size);
+
+ if (err != req_buf_size) {
++ if (err == -EPROTO && ++retries <= max_retries) {
++ msleep(5 * (1 << (retries - 1)));
++ goto retry;
++ }
+ usb_audio_err(
+ mixer->chip,
+ "Scarlett Gen 2 USB request result cmd %x was %d\n",
--- /dev/null
+From stable+bounces-169872-greg=kroah.com@vger.kernel.org Sun Aug 17 03:49:36 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 16 Aug 2025 21:49:28 -0400
+Subject: block: Make REQ_OP_ZONE_FINISH a write operation
+To: stable@vger.kernel.org
+Cc: Damien Le Moal <dlemoal@kernel.org>, Bart Van Assche <bvanassche@acm.org>, Johannes Thumshirn <johannes.thumshirn@wdc.com>, Christoph Hellwig <hch@lst.de>, Jens Axboe <axboe@kernel.dk>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250817014928.1329192-1-sashal@kernel.org>
+
+From: Damien Le Moal <dlemoal@kernel.org>
+
+[ Upstream commit 3f66ccbaaef3a0c5bd844eab04e3207b4061c546 ]
+
+REQ_OP_ZONE_FINISH is defined as "12", which makes
+op_is_write(REQ_OP_ZONE_FINISH) return false, despite the fact that a
+zone finish operation is an operation that modifies a zone (transition
+it to full) and so should be considered as a write operation (albeit
+one that does not transfer any data to the device).
+
+Fix this by redefining REQ_OP_ZONE_FINISH to be an odd number (13), and
+redefine REQ_OP_ZONE_RESET and REQ_OP_ZONE_RESET_ALL using sequential
+odd numbers from that new value.
+
+Fixes: 6c1b1da58f8c ("block: add zone open, close and finish operations")
+Cc: stable@vger.kernel.org
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20250625093327.548866-2-dlemoal@kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+[ Extra renames ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/blk_types.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/include/linux/blk_types.h
++++ b/include/linux/blk_types.h
+@@ -353,13 +353,13 @@ enum req_opf {
+ /* Close a zone */
+ REQ_OP_ZONE_CLOSE = 11,
+ /* Transition a zone to full */
+- REQ_OP_ZONE_FINISH = 12,
++ REQ_OP_ZONE_FINISH = 13,
+ /* write data at the current zone write pointer */
+- REQ_OP_ZONE_APPEND = 13,
++ REQ_OP_ZONE_APPEND = 15,
+ /* reset a zone write pointer */
+- REQ_OP_ZONE_RESET = 15,
++ REQ_OP_ZONE_RESET = 17,
+ /* reset all the zone present on the device */
+- REQ_OP_ZONE_RESET_ALL = 17,
++ REQ_OP_ZONE_RESET_ALL = 19,
+
+ /* SCSI passthrough using struct scsi_request */
+ REQ_OP_SCSI_IN = 32,
--- /dev/null
+From stable+bounces-171671-greg=kroah.com@vger.kernel.org Tue Aug 19 01:08:49 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Aug 2025 19:08:39 -0400
+Subject: cdc-acm: fix race between initial clearing halt and open
+To: stable@vger.kernel.org
+Cc: Oliver Neukum <oneukum@suse.com>, stable <stable@kernel.org>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250818230839.135733-2-sashal@kernel.org>
+
+From: Oliver Neukum <oneukum@suse.com>
+
+[ Upstream commit 64690a90cd7c6db16d3af8616be1f4bf8d492850 ]
+
+On the devices that need their endpoints to get an
+initial clear_halt, this needs to be done before
+the devices can be opened. That means it needs to be
+before the devices are registered.
+
+Fixes: 15bf722e6f6c0 ("cdc-acm: Add support of ATOL FPrint fiscal printers")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Link: https://lore.kernel.org/r/20250717141259.2345605-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/class/cdc-acm.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1517,6 +1517,12 @@ skip_countries:
+ usb_driver_claim_interface(&acm_driver, data_interface, acm);
+ usb_set_intfdata(data_interface, acm);
+
++ if (quirks & CLEAR_HALT_CONDITIONS) {
++ /* errors intentionally ignored */
++ usb_clear_halt(usb_dev, acm->in);
++ usb_clear_halt(usb_dev, acm->out);
++ }
++
+ tty_dev = tty_port_register_device(&acm->port, acm_tty_driver, minor,
+ &control_interface->dev);
+ if (IS_ERR(tty_dev)) {
+@@ -1524,11 +1530,6 @@ skip_countries:
+ goto alloc_fail6;
+ }
+
+- if (quirks & CLEAR_HALT_CONDITIONS) {
+- usb_clear_halt(usb_dev, acm->in);
+- usb_clear_halt(usb_dev, acm->out);
+- }
+-
+ dev_info(&intf->dev, "ttyACM%d: USB ACM device\n", minor);
+
+ return 0;
--- /dev/null
+From stable+bounces-165099-greg=kroah.com@vger.kernel.org Tue Jul 29 18:44:45 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Jul 2025 12:44:08 -0400
+Subject: drm/sched: Remove optimization that causes hang when killing dependent jobs
+To: stable@vger.kernel.org
+Cc: "Lin.Cao" <lincao12@amd.com>, "Christian König" <christian.koenig@amd.com>, "Philipp Stanner" <phasta@kernel.org>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250729164408.2790772-1-sashal@kernel.org>
+
+From: "Lin.Cao" <lincao12@amd.com>
+
+[ Upstream commit 15f77764e90a713ee3916ca424757688e4f565b9 ]
+
+When application A submits jobs and application B submits a job with a
+dependency on A's fence, the normal flow wakes up the scheduler after
+processing each job. However, the optimization in
+drm_sched_entity_add_dependency_cb() uses a callback that only clears
+dependencies without waking up the scheduler.
+
+When application A is killed before its jobs can run, the callback gets
+triggered but only clears the dependency without waking up the scheduler,
+causing the scheduler to enter sleep state and application B to hang.
+
+Remove the optimization by deleting drm_sched_entity_clear_dep() and its
+usage, ensuring the scheduler is always woken up when dependencies are
+cleared.
+
+Fixes: 777dbd458c89 ("drm/amdgpu: drop a dummy wakeup scheduler")
+Cc: stable@vger.kernel.org # v4.6+
+Signed-off-by: Lin.Cao <lincao12@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Philipp Stanner <phasta@kernel.org>
+Link: https://lore.kernel.org/r/20250717084453.921097-1-lincao12@amd.com
+[ adjust context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/scheduler/sched_entity.c | 23 ++---------------------
+ 1 file changed, 2 insertions(+), 21 deletions(-)
+
+--- a/drivers/gpu/drm/scheduler/sched_entity.c
++++ b/drivers/gpu/drm/scheduler/sched_entity.c
+@@ -314,19 +314,6 @@ void drm_sched_entity_destroy(struct drm
+ EXPORT_SYMBOL(drm_sched_entity_destroy);
+
+ /**
+- * drm_sched_entity_clear_dep - callback to clear the entities dependency
+- */
+-static void drm_sched_entity_clear_dep(struct dma_fence *f,
+- struct dma_fence_cb *cb)
+-{
+- struct drm_sched_entity *entity =
+- container_of(cb, struct drm_sched_entity, cb);
+-
+- entity->dependency = NULL;
+- dma_fence_put(f);
+-}
+-
+-/**
+ * drm_sched_entity_clear_dep - callback to clear the entities dependency and
+ * wake up scheduler
+ */
+@@ -336,7 +323,8 @@ static void drm_sched_entity_wakeup(stru
+ struct drm_sched_entity *entity =
+ container_of(cb, struct drm_sched_entity, cb);
+
+- drm_sched_entity_clear_dep(f, cb);
++ entity->dependency = NULL;
++ dma_fence_put(f);
+ drm_sched_wakeup(entity->rq->sched);
+ }
+
+@@ -392,13 +380,6 @@ static bool drm_sched_entity_add_depende
+ fence = dma_fence_get(&s_fence->scheduled);
+ dma_fence_put(entity->dependency);
+ entity->dependency = fence;
+- if (!dma_fence_add_callback(fence, &entity->cb,
+- drm_sched_entity_clear_dep))
+- return true;
+-
+- /* Ignore it when it is already scheduled */
+- dma_fence_put(fence);
+- return false;
+ }
+
+ if (!dma_fence_add_callback(entity->dependency, &entity->cb,
--- /dev/null
+From stable+bounces-164652-greg=kroah.com@vger.kernel.org Thu Jul 24 19:47:29 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jul 2025 13:47:16 -0400
+Subject: f2fs: fix to do sanity check on ino and xnid
+To: stable@vger.kernel.org
+Cc: Chao Yu <chao@kernel.org>, syzbot+cc448dcdc7ae0b4e4ffa@syzkaller.appspotmail.com, Jaegeuk Kim <jaegeuk@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250724174716.1409709-1-sashal@kernel.org>
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 061cf3a84bde038708eb0f1d065b31b7c2456533 ]
+
+syzbot reported a f2fs bug as below:
+
+INFO: task syz-executor140:5308 blocked for more than 143 seconds.
+ Not tainted 6.14.0-rc7-syzkaller-00069-g81e4f8d68c66 #0
+"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+task:syz-executor140 state:D stack:24016 pid:5308 tgid:5308 ppid:5306 task_flags:0x400140 flags:0x00000006
+Call Trace:
+ <TASK>
+ context_switch kernel/sched/core.c:5378 [inline]
+ __schedule+0x190e/0x4c90 kernel/sched/core.c:6765
+ __schedule_loop kernel/sched/core.c:6842 [inline]
+ schedule+0x14b/0x320 kernel/sched/core.c:6857
+ io_schedule+0x8d/0x110 kernel/sched/core.c:7690
+ folio_wait_bit_common+0x839/0xee0 mm/filemap.c:1317
+ __folio_lock mm/filemap.c:1664 [inline]
+ folio_lock include/linux/pagemap.h:1163 [inline]
+ __filemap_get_folio+0x147/0xb40 mm/filemap.c:1917
+ pagecache_get_page+0x2c/0x130 mm/folio-compat.c:87
+ find_get_page_flags include/linux/pagemap.h:842 [inline]
+ f2fs_grab_cache_page+0x2b/0x320 fs/f2fs/f2fs.h:2776
+ __get_node_page+0x131/0x11b0 fs/f2fs/node.c:1463
+ read_xattr_block+0xfb/0x190 fs/f2fs/xattr.c:306
+ lookup_all_xattrs fs/f2fs/xattr.c:355 [inline]
+ f2fs_getxattr+0x676/0xf70 fs/f2fs/xattr.c:533
+ __f2fs_get_acl+0x52/0x870 fs/f2fs/acl.c:179
+ f2fs_acl_create fs/f2fs/acl.c:375 [inline]
+ f2fs_init_acl+0xd7/0x9b0 fs/f2fs/acl.c:418
+ f2fs_init_inode_metadata+0xa0f/0x1050 fs/f2fs/dir.c:539
+ f2fs_add_inline_entry+0x448/0x860 fs/f2fs/inline.c:666
+ f2fs_add_dentry+0xba/0x1e0 fs/f2fs/dir.c:765
+ f2fs_do_add_link+0x28c/0x3a0 fs/f2fs/dir.c:808
+ f2fs_add_link fs/f2fs/f2fs.h:3616 [inline]
+ f2fs_mknod+0x2e8/0x5b0 fs/f2fs/namei.c:766
+ vfs_mknod+0x36d/0x3b0 fs/namei.c:4191
+ unix_bind_bsd net/unix/af_unix.c:1286 [inline]
+ unix_bind+0x563/0xe30 net/unix/af_unix.c:1379
+ __sys_bind_socket net/socket.c:1817 [inline]
+ __sys_bind+0x1e4/0x290 net/socket.c:1848
+ __do_sys_bind net/socket.c:1853 [inline]
+ __se_sys_bind net/socket.c:1851 [inline]
+ __x64_sys_bind+0x7a/0x90 net/socket.c:1851
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Let's dump and check metadata of corrupted inode, it shows its xattr_nid
+is the same to its i_ino.
+
+dump.f2fs -i 3 chaseyu.img.raw
+i_xattr_nid [0x 3 : 3]
+
+So that, during mknod in the corrupted directory, it tries to get and
+lock inode page twice, result in deadlock.
+
+- f2fs_mknod
+ - f2fs_add_inline_entry
+ - f2fs_get_inode_page --- lock dir's inode page
+ - f2fs_init_acl
+ - f2fs_acl_create(dir,..)
+ - __f2fs_get_acl
+ - f2fs_getxattr
+ - lookup_all_xattrs
+ - __get_node_page --- try to lock dir's inode page
+
+In order to fix this, let's add sanity check on ino and xnid.
+
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+cc448dcdc7ae0b4e4ffa@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-f2fs-devel/67e06150.050a0220.21942d.0005.GAE@google.com
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+[ add set_sbi_flag(sbi, SBI_NEED_FSCK) to match error handling pattern ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/inode.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/f2fs/inode.c
++++ b/fs/f2fs/inode.c
+@@ -222,6 +222,13 @@ static bool sanity_check_inode(struct in
+ return false;
+ }
+
++ if (ino_of_node(node_page) == fi->i_xattr_nid) {
++ set_sbi_flag(sbi, SBI_NEED_FSCK);
++ f2fs_warn(sbi, "%s: corrupted inode i_ino=%lx, xnid=%x, run fsck to fix.",
++ __func__, inode->i_ino, fi->i_xattr_nid);
++ return false;
++ }
++
+ if (f2fs_sb_has_flexible_inline_xattr(sbi)
+ && !f2fs_has_extra_attr(inode)) {
+ set_sbi_flag(sbi, SBI_NEED_FSCK);
--- /dev/null
+From stable+bounces-171774-greg=kroah.com@vger.kernel.org Tue Aug 19 14:02:42 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Aug 2025 08:01:27 -0400
+Subject: hv_netvsc: Fix panic during namespace deletion with VF
+To: stable@vger.kernel.org
+Cc: Haiyang Zhang <haiyangz@microsoft.com>, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250819120127.451817-1-sashal@kernel.org>
+
+From: Haiyang Zhang <haiyangz@microsoft.com>
+
+[ Upstream commit 33caa208dba6fa639e8a92fd0c8320b652e5550c ]
+
+The existing code move the VF NIC to new namespace when NETDEV_REGISTER is
+received on netvsc NIC. During deletion of the namespace,
+default_device_exit_batch() >> default_device_exit_net() is called. When
+netvsc NIC is moved back and registered to the default namespace, it
+automatically brings VF NIC back to the default namespace. This will cause
+the default_device_exit_net() >> for_each_netdev_safe loop unable to detect
+the list end, and hit NULL ptr:
+
+[ 231.449420] mana 7870:00:00.0 enP30832s1: Moved VF to namespace with: eth0
+[ 231.449656] BUG: kernel NULL pointer dereference, address: 0000000000000010
+[ 231.450246] #PF: supervisor read access in kernel mode
+[ 231.450579] #PF: error_code(0x0000) - not-present page
+[ 231.450916] PGD 17b8a8067 P4D 0
+[ 231.451163] Oops: Oops: 0000 [#1] SMP NOPTI
+[ 231.451450] CPU: 82 UID: 0 PID: 1394 Comm: kworker/u768:1 Not tainted 6.16.0-rc4+ #3 VOLUNTARY
+[ 231.452042] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024
+[ 231.452692] Workqueue: netns cleanup_net
+[ 231.452947] RIP: 0010:default_device_exit_batch+0x16c/0x3f0
+[ 231.453326] Code: c0 0c f5 b3 e8 d5 db fe ff 48 85 c0 74 15 48 c7 c2 f8 fd ca b2 be 10 00 00 00 48 8d 7d c0 e8 7b 77 25 00 49 8b 86 28 01 00 00 <48> 8b 50 10 4c 8b 2a 4c 8d 62 f0 49 83 ed 10 4c 39 e0 0f 84 d6 00
+[ 231.454294] RSP: 0018:ff75fc7c9bf9fd00 EFLAGS: 00010246
+[ 231.454610] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 61c8864680b583eb
+[ 231.455094] RDX: ff1fa9f71462d800 RSI: ff75fc7c9bf9fd38 RDI: 0000000030766564
+[ 231.455686] RBP: ff75fc7c9bf9fd78 R08: 0000000000000000 R09: 0000000000000000
+[ 231.456126] R10: 0000000000000001 R11: 0000000000000004 R12: ff1fa9f70088e340
+[ 231.456621] R13: ff1fa9f70088e340 R14: ffffffffb3f50c20 R15: ff1fa9f7103e6340
+[ 231.457161] FS: 0000000000000000(0000) GS:ff1faa6783a08000(0000) knlGS:0000000000000000
+[ 231.457707] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 231.458031] CR2: 0000000000000010 CR3: 0000000179ab2006 CR4: 0000000000b73ef0
+[ 231.458434] Call Trace:
+[ 231.458600] <TASK>
+[ 231.458777] ops_undo_list+0x100/0x220
+[ 231.459015] cleanup_net+0x1b8/0x300
+[ 231.459285] process_one_work+0x184/0x340
+
+To fix it, move the ns change to a workqueue, and take rtnl_lock to avoid
+changing the netdev list when default_device_exit_net() is using it.
+
+Cc: stable@vger.kernel.org
+Fixes: 4c262801ea60 ("hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event")
+Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
+Link: https://patch.msgid.link/1754511711-11188-1-git-send-email-haiyangz@linux.microsoft.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/hyperv/hyperv_net.h | 3 +++
+ drivers/net/hyperv/netvsc_drv.c | 29 ++++++++++++++++++++++++++++-
+ 2 files changed, 31 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/hyperv/hyperv_net.h
++++ b/drivers/net/hyperv/hyperv_net.h
+@@ -985,6 +985,7 @@ struct net_device_context {
+ struct net_device __rcu *vf_netdev;
+ struct netvsc_vf_pcpu_stats __percpu *vf_stats;
+ struct delayed_work vf_takeover;
++ struct delayed_work vfns_work;
+
+ /* 1: allocated, serial number is valid. 0: not allocated */
+ u32 vf_alloc;
+@@ -999,6 +1000,8 @@ struct net_device_context {
+ struct netvsc_device_info *saved_netvsc_dev_info;
+ };
+
++void netvsc_vfns_work(struct work_struct *w);
++
+ /* Per channel data */
+ struct netvsc_channel {
+ struct vmbus_channel *channel;
+--- a/drivers/net/hyperv/netvsc_drv.c
++++ b/drivers/net/hyperv/netvsc_drv.c
+@@ -2541,6 +2541,7 @@ static int netvsc_probe(struct hv_device
+ spin_lock_init(&net_device_ctx->lock);
+ INIT_LIST_HEAD(&net_device_ctx->reconfig_events);
+ INIT_DELAYED_WORK(&net_device_ctx->vf_takeover, netvsc_vf_setup);
++ INIT_DELAYED_WORK(&net_device_ctx->vfns_work, netvsc_vfns_work);
+
+ net_device_ctx->vf_stats
+ = netdev_alloc_pcpu_stats(struct netvsc_vf_pcpu_stats);
+@@ -2679,6 +2680,8 @@ static int netvsc_remove(struct hv_devic
+ cancel_delayed_work_sync(&ndev_ctx->dwork);
+
+ rtnl_lock();
++ cancel_delayed_work_sync(&ndev_ctx->vfns_work);
++
+ nvdev = rtnl_dereference(ndev_ctx->nvdev);
+ if (nvdev) {
+ cancel_work_sync(&nvdev->subchan_work);
+@@ -2721,6 +2724,7 @@ static int netvsc_suspend(struct hv_devi
+ cancel_delayed_work_sync(&ndev_ctx->dwork);
+
+ rtnl_lock();
++ cancel_delayed_work_sync(&ndev_ctx->vfns_work);
+
+ nvdev = rtnl_dereference(ndev_ctx->nvdev);
+ if (nvdev == NULL) {
+@@ -2814,6 +2818,27 @@ static void netvsc_event_set_vf_ns(struc
+ }
+ }
+
++void netvsc_vfns_work(struct work_struct *w)
++{
++ struct net_device_context *ndev_ctx =
++ container_of(w, struct net_device_context, vfns_work.work);
++ struct net_device *ndev;
++
++ if (!rtnl_trylock()) {
++ schedule_delayed_work(&ndev_ctx->vfns_work, 1);
++ return;
++ }
++
++ ndev = hv_get_drvdata(ndev_ctx->device_ctx);
++ if (!ndev)
++ goto out;
++
++ netvsc_event_set_vf_ns(ndev);
++
++out:
++ rtnl_unlock();
++}
++
+ /*
+ * On Hyper-V, every VF interface is matched with a corresponding
+ * synthetic interface. The synthetic interface is presented first
+@@ -2824,10 +2849,12 @@ static int netvsc_netdev_event(struct no
+ unsigned long event, void *ptr)
+ {
+ struct net_device *event_dev = netdev_notifier_info_to_dev(ptr);
++ struct net_device_context *ndev_ctx;
+ int ret = 0;
+
+ if (event_dev->netdev_ops == &device_ops && event == NETDEV_REGISTER) {
+- netvsc_event_set_vf_ns(event_dev);
++ ndev_ctx = netdev_priv(event_dev);
++ schedule_delayed_work(&ndev_ctx->vfns_work, 0);
+ return NOTIFY_DONE;
+ }
+
--- /dev/null
+From stable+bounces-165122-greg=kroah.com@vger.kernel.org Tue Jul 29 21:25:38 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Jul 2025 15:25:14 -0400
+Subject: ice: Fix a null pointer dereference in ice_copy_and_init_pkg()
+To: stable@vger.kernel.org
+Cc: Haoxiang Li <haoxiang_li2024@163.com>, Michal Swiatkowski <michal.swiatkowski@linux.intel.com>, Aleksandr Loktionov <aleksandr.loktionov@intel.com>, Simon Horman <horms@kernel.org>, Rinitha S <sx.rinitha@intel.com>, Tony Nguyen <anthony.l.nguyen@intel.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250729192514.2872668-1-sashal@kernel.org>
+
+From: Haoxiang Li <haoxiang_li2024@163.com>
+
+[ Upstream commit 4ff12d82dac119b4b99b5a78b5af3bf2474c0a36 ]
+
+Add check for the return value of devm_kmemdup()
+to prevent potential null pointer dereference.
+
+Fixes: c76488109616 ("ice: Implement Dynamic Device Personalization (DDP) download")
+Cc: stable@vger.kernel.org
+Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
+Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+[ applied the patch to ice_flex_pipe.c instead of ice_ddp.c ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/ice/ice_flex_pipe.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/intel/ice/ice_flex_pipe.c
++++ b/drivers/net/ethernet/intel/ice/ice_flex_pipe.c
+@@ -1449,6 +1449,8 @@ enum ice_status ice_copy_and_init_pkg(st
+ return ICE_ERR_PARAM;
+
+ buf_copy = devm_kmemdup(ice_hw_to_dev(hw), buf, len, GFP_KERNEL);
++ if (!buf_copy)
++ return ICE_ERR_NO_MEMORY;
+
+ status = ice_init_pkg(hw, buf_copy, len);
+ if (status) {
--- /dev/null
+From stable+bounces-164644-greg=kroah.com@vger.kernel.org Thu Jul 24 18:40:11 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jul 2025 12:39:37 -0400
+Subject: iio: hid-sensor-prox: Fix incorrect OFFSET calculation
+To: stable@vger.kernel.org
+Cc: Zhang Lixu <lixu.zhang@intel.com>, Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>, Jonathan Cameron <Jonathan.Cameron@huawei.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250724163937.1390174-1-sashal@kernel.org>
+
+From: Zhang Lixu <lixu.zhang@intel.com>
+
+[ Upstream commit 79dabbd505210e41c88060806c92c052496dd61c ]
+
+The OFFSET calculation in the prox_read_raw() was incorrectly using the
+unit exponent, which is intended for SCALE calculations.
+
+Remove the incorrect OFFSET calculation and set it to a fixed value of 0.
+
+Cc: stable@vger.kernel.org
+Fixes: 39a3a0138f61 ("iio: hid-sensors: Added Proximity Sensor Driver")
+Signed-off-by: Zhang Lixu <lixu.zhang@intel.com>
+Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Link: https://patch.msgid.link/20250331055022.1149736-4-lixu.zhang@intel.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+[ adapted prox_attr array access to single structure member access ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/light/hid-sensor-prox.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/iio/light/hid-sensor-prox.c
++++ b/drivers/iio/light/hid-sensor-prox.c
+@@ -101,8 +101,7 @@ static int prox_read_raw(struct iio_dev
+ ret_type = prox_state->scale_precision;
+ break;
+ case IIO_CHAN_INFO_OFFSET:
+- *val = hid_sensor_convert_exponent(
+- prox_state->prox_attr.unit_expo);
++ *val = 0;
+ ret_type = IIO_VAL_INT;
+ break;
+ case IIO_CHAN_INFO_SAMP_FREQ:
--- /dev/null
+From stable+bounces-165088-greg=kroah.com@vger.kernel.org Tue Jul 29 17:09:42 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Jul 2025 11:09:29 -0400
+Subject: mm/zsmalloc: do not pass __GFP_MOVABLE if CONFIG_COMPACTION=n
+To: stable@vger.kernel.org
+Cc: Harry Yoo <harry.yoo@oracle.com>, David Hildenbrand <david@redhat.com>, Sergey Senozhatsky <senozhatsky@chromium.org>, Minchan Kim <minchan@kernel.org>, Andrew Morton <akpm@linux-foundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250729150929.2729341-2-sashal@kernel.org>
+
+From: Harry Yoo <harry.yoo@oracle.com>
+
+[ Upstream commit 694d6b99923eb05a8fd188be44e26077d19f0e21 ]
+
+Commit 48b4800a1c6a ("zsmalloc: page migration support") added support for
+migrating zsmalloc pages using the movable_operations migration framework.
+However, the commit did not take into account that zsmalloc supports
+migration only when CONFIG_COMPACTION is enabled. Tracing shows that
+zsmalloc was still passing the __GFP_MOVABLE flag even when compaction is
+not supported.
+
+This can result in unmovable pages being allocated from movable page
+blocks (even without stealing page blocks), ZONE_MOVABLE and CMA area.
+
+Possible user visible effects:
+- Some ZONE_MOVABLE memory can be not actually movable
+- CMA allocation can fail because of this
+- Increased memory fragmentation due to ignoring the page mobility
+ grouping feature
+I'm not really sure who uses kernels without compaction support, though :(
+
+To fix this, clear the __GFP_MOVABLE flag when
+!IS_ENABLED(CONFIG_COMPACTION).
+
+Link: https://lkml.kernel.org/r/20250704103053.6913-1-harry.yoo@oracle.com
+Fixes: 48b4800a1c6a ("zsmalloc: page migration support")
+Signed-off-by: Harry Yoo <harry.yoo@oracle.com>
+Acked-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Cc: Minchan Kim <minchan@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/zsmalloc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/mm/zsmalloc.c
++++ b/mm/zsmalloc.c
+@@ -1067,6 +1067,9 @@ static struct zspage *alloc_zspage(struc
+ if (!zspage)
+ return NULL;
+
++ if (!IS_ENABLED(CONFIG_COMPACTION))
++ gfp &= ~__GFP_MOVABLE;
++
+ zspage->magic = ZSPAGE_MAGIC;
+ migrate_lock_init(zspage);
+
--- /dev/null
+From stable+bounces-165087-greg=kroah.com@vger.kernel.org Tue Jul 29 17:09:40 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Jul 2025 11:09:28 -0400
+Subject: mm/zsmalloc.c: convert to use kmem_cache_zalloc in cache_alloc_zspage()
+To: stable@vger.kernel.org
+Cc: Miaohe Lin <linmiaohe@huawei.com>, Sergey Senozhatsky <sergey.senozhatsky@gmail.com>, Minchan Kim <minchan@kernel.org>, Andrew Morton <akpm@linux-foundation.org>, Linus Torvalds <torvalds@linux-foundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250729150929.2729341-1-sashal@kernel.org>
+
+From: Miaohe Lin <linmiaohe@huawei.com>
+
+[ Upstream commit f0231305acd53375c6cf736971bf5711105dd6bb ]
+
+We always memset the zspage allocated via cache_alloc_zspage. So it's
+more convenient to use kmem_cache_zalloc in cache_alloc_zspage than caller
+do it manually.
+
+Link: https://lkml.kernel.org/r/20210114120032.25885-1-linmiaohe@huawei.com
+Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
+Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Cc: Minchan Kim <minchan@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Stable-dep-of: 694d6b99923e ("mm/zsmalloc: do not pass __GFP_MOVABLE if CONFIG_COMPACTION=n")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/zsmalloc.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/mm/zsmalloc.c
++++ b/mm/zsmalloc.c
+@@ -357,7 +357,7 @@ static void cache_free_handle(struct zs_
+
+ static struct zspage *cache_alloc_zspage(struct zs_pool *pool, gfp_t flags)
+ {
+- return kmem_cache_alloc(pool->zspage_cachep,
++ return kmem_cache_zalloc(pool->zspage_cachep,
+ flags & ~(__GFP_HIGHMEM|__GFP_MOVABLE));
+ }
+
+@@ -1067,7 +1067,6 @@ static struct zspage *alloc_zspage(struc
+ if (!zspage)
+ return NULL;
+
+- memset(zspage, 0, sizeof(struct zspage));
+ zspage->magic = ZSPAGE_MAGIC;
+ migrate_lock_init(zspage);
+
--- /dev/null
+From stable+bounces-169394-greg=kroah.com@vger.kernel.org Wed Aug 13 15:48:18 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Aug 2025 09:44:55 -0400
+Subject: net: usbnet: Avoid potential RCU stall on LINK_CHANGE event
+To: stable@vger.kernel.org
+Cc: John Ernberg <john.ernberg@actia.se>, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250813134455.2037227-1-sashal@kernel.org>
+
+From: John Ernberg <john.ernberg@actia.se>
+
+[ Upstream commit 0d9cfc9b8cb17dbc29a98792d36ec39a1cf1395f ]
+
+The Gemalto Cinterion PLS83-W modem (cdc_ether) is emitting confusing link
+up and down events when the WWAN interface is activated on the modem-side.
+
+Interrupt URBs will in consecutive polls grab:
+* Link Connected
+* Link Disconnected
+* Link Connected
+
+Where the last Connected is then a stable link state.
+
+When the system is under load this may cause the unlink_urbs() work in
+__handle_link_change() to not complete before the next usbnet_link_change()
+call turns the carrier on again, allowing rx_submit() to queue new SKBs.
+
+In that event the URB queue is filled faster than it can drain, ending up
+in a RCU stall:
+
+ rcu: INFO: rcu_sched detected expedited stalls on CPUs/tasks: { 0-.... } 33108 jiffies s: 201 root: 0x1/.
+ rcu: blocking rcu_node structures (internal RCU debug):
+ Sending NMI from CPU 1 to CPUs 0:
+ NMI backtrace for cpu 0
+
+ Call trace:
+ arch_local_irq_enable+0x4/0x8
+ local_bh_enable+0x18/0x20
+ __netdev_alloc_skb+0x18c/0x1cc
+ rx_submit+0x68/0x1f8 [usbnet]
+ rx_alloc_submit+0x4c/0x74 [usbnet]
+ usbnet_bh+0x1d8/0x218 [usbnet]
+ usbnet_bh_tasklet+0x10/0x18 [usbnet]
+ tasklet_action_common+0xa8/0x110
+ tasklet_action+0x2c/0x34
+ handle_softirqs+0x2cc/0x3a0
+ __do_softirq+0x10/0x18
+ ____do_softirq+0xc/0x14
+ call_on_irq_stack+0x24/0x34
+ do_softirq_own_stack+0x18/0x20
+ __irq_exit_rcu+0xa8/0xb8
+ irq_exit_rcu+0xc/0x30
+ el1_interrupt+0x34/0x48
+ el1h_64_irq_handler+0x14/0x1c
+ el1h_64_irq+0x68/0x6c
+ _raw_spin_unlock_irqrestore+0x38/0x48
+ xhci_urb_dequeue+0x1ac/0x45c [xhci_hcd]
+ unlink1+0xd4/0xdc [usbcore]
+ usb_hcd_unlink_urb+0x70/0xb0 [usbcore]
+ usb_unlink_urb+0x24/0x44 [usbcore]
+ unlink_urbs.constprop.0.isra.0+0x64/0xa8 [usbnet]
+ __handle_link_change+0x34/0x70 [usbnet]
+ usbnet_deferred_kevent+0x1c0/0x320 [usbnet]
+ process_scheduled_works+0x2d0/0x48c
+ worker_thread+0x150/0x1dc
+ kthread+0xd8/0xe8
+ ret_from_fork+0x10/0x20
+
+Get around the problem by delaying the carrier on to the scheduled work.
+
+This needs a new flag to keep track of the necessary action.
+
+The carrier ok check cannot be removed as it remains required for the
+LINK_RESET event flow.
+
+Fixes: 4b49f58fff00 ("usbnet: handle link change")
+Cc: stable@vger.kernel.org
+Signed-off-by: John Ernberg <john.ernberg@actia.se>
+Link: https://patch.msgid.link/20250723102526.1305339-1-john.ernberg@actia.se
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ adjust context in header ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/usbnet.c | 11 ++++++++---
+ include/linux/usb/usbnet.h | 1 +
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1080,6 +1080,9 @@ static void __handle_link_change(struct
+ * tx queue is stopped by netcore after link becomes off
+ */
+ } else {
++ if (test_and_clear_bit(EVENT_LINK_CARRIER_ON, &dev->flags))
++ netif_carrier_on(dev->net);
++
+ /* submitting URBs for reading packets */
+ tasklet_schedule(&dev->bh);
+ }
+@@ -1960,10 +1963,12 @@ EXPORT_SYMBOL(usbnet_manage_power);
+ void usbnet_link_change(struct usbnet *dev, bool link, bool need_reset)
+ {
+ /* update link after link is reseted */
+- if (link && !need_reset)
+- netif_carrier_on(dev->net);
+- else
++ if (link && !need_reset) {
++ set_bit(EVENT_LINK_CARRIER_ON, &dev->flags);
++ } else {
++ clear_bit(EVENT_LINK_CARRIER_ON, &dev->flags);
+ netif_carrier_off(dev->net);
++ }
+
+ if (need_reset && link)
+ usbnet_defer_kevent(dev, EVENT_LINK_RESET);
+--- a/include/linux/usb/usbnet.h
++++ b/include/linux/usb/usbnet.h
+@@ -83,6 +83,7 @@ struct usbnet {
+ # define EVENT_LINK_CHANGE 11
+ # define EVENT_SET_RX_MODE 12
+ # define EVENT_NO_IP_ALIGN 13
++# define EVENT_LINK_CARRIER_ON 14
+ u32 rx_speed; /* in bps - NOT Mbps */
+ u32 tx_speed; /* in bps - NOT Mbps */
+ };
--- /dev/null
+From stable+bounces-169886-greg=kroah.com@vger.kernel.org Sun Aug 17 15:18:53 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 17 Aug 2025 09:18:01 -0400
+Subject: PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports
+To: stable@vger.kernel.org
+Cc: Lukas Wunner <lukas@wunner.de>, Laurent Bigonville <bigon@bigon.be>, Mario Limonciello <mario.limonciello@amd.com>, Bjorn Helgaas <bhelgaas@google.com>, "Rafael J. Wysocki" <rafael@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250817131801.1432444-1-sashal@kernel.org>
+
+From: Lukas Wunner <lukas@wunner.de>
+
+[ Upstream commit 6cff20ce3b92ffbf2fc5eb9e5a030b3672aa414a ]
+
+pci_bridge_d3_possible() is called from both pcie_portdrv_probe() and
+pcie_portdrv_remove() to determine whether runtime power management shall
+be enabled (on probe) or disabled (on remove) on a PCIe port.
+
+The underlying assumption is that pci_bridge_d3_possible() always returns
+the same value, else a runtime PM reference imbalance would occur. That
+assumption is not given if the PCIe port is inaccessible on remove due to
+hot-unplug: pci_bridge_d3_possible() calls pciehp_is_native(), which
+accesses Config Space to determine whether the port is Hot-Plug Capable.
+An inaccessible port returns "all ones", which is converted to "all
+zeroes" by pcie_capability_read_dword(). Hence the port no longer seems
+Hot-Plug Capable on remove even though it was on probe.
+
+The resulting runtime PM ref imbalance causes warning messages such as:
+
+ pcieport 0000:02:04.0: Runtime PM usage count underflow!
+
+Avoid the Config Space access (and thus the runtime PM ref imbalance) by
+caching the Hot-Plug Capable bit in struct pci_dev.
+
+The struct already contains an "is_hotplug_bridge" flag, which however is
+not only set on Hot-Plug Capable PCIe ports, but also Conventional PCI
+Hot-Plug bridges and ACPI slots. The flag identifies bridges which are
+allocated additional MMIO and bus number resources to allow for hierarchy
+expansion.
+
+The kernel is somewhat sloppily using "is_hotplug_bridge" in a number of
+places to identify Hot-Plug Capable PCIe ports, even though the flag
+encompasses other devices. Subsequent commits replace these occurrences
+with the new flag to clearly delineate Hot-Plug Capable PCIe ports from
+other kinds of hotplug bridges.
+
+Document the existing "is_hotplug_bridge" and the new "is_pciehp" flag
+and document the (non-obvious) requirement that pci_bridge_d3_possible()
+always returns the same value across the entire lifetime of a bridge,
+including its hot-removal.
+
+Fixes: 5352a44a561d ("PCI: pciehp: Make pciehp_is_native() stricter")
+Reported-by: Laurent Bigonville <bigon@bigon.be>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220216
+Reported-by: Mario Limonciello <mario.limonciello@amd.com>
+Closes: https://lore.kernel.org/r/20250609020223.269407-3-superm1@kernel.org/
+Link: https://lore.kernel.org/all/20250620025535.3425049-3-superm1@kernel.org/T/#u
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Acked-by: Rafael J. Wysocki <rafael@kernel.org>
+Cc: stable@vger.kernel.org # v4.18+
+Link: https://patch.msgid.link/fe5dcc3b2e62ee1df7905d746bde161eb1b3291c.1752390101.git.lukas@wunner.de
+[ Adjust surrounding documentation changes ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/pci-acpi.c | 4 +---
+ drivers/pci/pci.c | 8 ++++++--
+ drivers/pci/probe.c | 2 +-
+ include/linux/pci.h | 1 +
+ 4 files changed, 9 insertions(+), 6 deletions(-)
+
+--- a/drivers/pci/pci-acpi.c
++++ b/drivers/pci/pci-acpi.c
+@@ -791,13 +791,11 @@ int pci_acpi_program_hp_params(struct pc
+ bool pciehp_is_native(struct pci_dev *bridge)
+ {
+ const struct pci_host_bridge *host;
+- u32 slot_cap;
+
+ if (!IS_ENABLED(CONFIG_HOTPLUG_PCI_PCIE))
+ return false;
+
+- pcie_capability_read_dword(bridge, PCI_EXP_SLTCAP, &slot_cap);
+- if (!(slot_cap & PCI_EXP_SLTCAP_HPC))
++ if (!bridge->is_pciehp)
+ return false;
+
+ if (pcie_ports_native)
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -2860,8 +2860,12 @@ static const struct dmi_system_id bridge
+ * pci_bridge_d3_possible - Is it possible to put the bridge into D3
+ * @bridge: Bridge to check
+ *
+- * This function checks if it is possible to move the bridge to D3.
+- * Currently we only allow D3 for recent enough PCIe ports and Thunderbolt.
++ * Currently we only allow D3 for some PCIe ports and for Thunderbolt.
++ *
++ * Return: Whether it is possible to move the bridge to D3.
++ *
++ * The return value is guaranteed to be constant across the entire lifetime
++ * of the bridge, including its hot-removal.
+ */
+ bool pci_bridge_d3_possible(struct pci_dev *bridge)
+ {
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -1582,7 +1582,7 @@ void set_pcie_hotplug_bridge(struct pci_
+
+ pcie_capability_read_dword(pdev, PCI_EXP_SLTCAP, ®32);
+ if (reg32 & PCI_EXP_SLTCAP_HPC)
+- pdev->is_hotplug_bridge = 1;
++ pdev->is_hotplug_bridge = pdev->is_pciehp = 1;
+ }
+
+ static void set_pcie_thunderbolt(struct pci_dev *dev)
+--- a/include/linux/pci.h
++++ b/include/linux/pci.h
+@@ -439,6 +439,7 @@ struct pci_dev {
+ unsigned int is_virtfn:1;
+ unsigned int reset_fn:1;
+ unsigned int is_hotplug_bridge:1;
++ unsigned int is_pciehp:1;
+ unsigned int shpc_managed:1; /* SHPC owned by shpchp */
+ unsigned int is_thunderbolt:1; /* Thunderbolt controller */
+ /*
--- /dev/null
+From stable+bounces-163717-greg=kroah.com@vger.kernel.org Tue Jul 22 15:44:41 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Jul 2025 09:44:28 -0400
+Subject: pmdomain: governor: Consider CPU latency tolerance from pm_domain_cpu_gov
+To: stable@vger.kernel.org
+Cc: Maulik Shah <maulik.shah@oss.qualcomm.com>, Ulf Hansson <ulf.hansson@linaro.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250722134428.946158-1-sashal@kernel.org>
+
+From: Maulik Shah <maulik.shah@oss.qualcomm.com>
+
+[ Upstream commit 500ba33284416255b9a5b50ace24470b6fe77ea5 ]
+
+pm_domain_cpu_gov is selecting a cluster idle state but does not consider
+latency tolerance of child CPUs. This results in deeper cluster idle state
+whose latency does not meet latency tolerance requirement.
+
+Select deeper idle state only if global and device latency tolerance of all
+child CPUs meet.
+
+Test results on SM8750 with 300 usec PM-QoS on CPU0 which is less than
+domain idle state entry (2150) + exit (1983) usec latency mentioned in
+devicetree, demonstrate the issue.
+
+ # echo 300 > /sys/devices/system/cpu/cpu0/power/pm_qos_resume_latency_us
+
+Before: (Usage is incrementing)
+======
+ # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states
+ State Time Spent(ms) Usage Rejected Above Below
+ S0 29817 537 8 270 0
+
+ # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states
+ State Time Spent(ms) Usage Rejected Above Below
+ S0 30348 542 8 271 0
+
+After: (Usage is not incrementing due to latency tolerance)
+======
+ # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states
+ State Time Spent(ms) Usage Rejected Above Below
+ S0 39319 626 14 307 0
+
+ # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states
+ State Time Spent(ms) Usage Rejected Above Below
+ S0 39319 626 14 307 0
+
+Signed-off-by: Maulik Shah <maulik.shah@oss.qualcomm.com>
+Fixes: e94999688e3a ("PM / Domains: Add genpd governor for CPUs")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250709-pmdomain_qos-v2-1-976b12257899@oss.qualcomm.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+[ adapted file path from drivers/pmdomain/governor.c to drivers/base/power/domain_governor.c ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/power/domain_governor.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+--- a/drivers/base/power/domain_governor.c
++++ b/drivers/base/power/domain_governor.c
+@@ -8,6 +8,7 @@
+ #include <linux/pm_domain.h>
+ #include <linux/pm_qos.h>
+ #include <linux/hrtimer.h>
++#include <linux/cpu.h>
+ #include <linux/cpuidle.h>
+ #include <linux/cpumask.h>
+ #include <linux/ktime.h>
+@@ -254,6 +255,8 @@ static bool cpu_power_down_ok(struct dev
+ struct generic_pm_domain *genpd = pd_to_genpd(pd);
+ struct cpuidle_device *dev;
+ ktime_t domain_wakeup, next_hrtimer;
++ struct device *cpu_dev;
++ s64 cpu_constraint, global_constraint;
+ s64 idle_duration_ns;
+ int cpu, i;
+
+@@ -264,6 +267,7 @@ static bool cpu_power_down_ok(struct dev
+ if (!(genpd->flags & GENPD_FLAG_CPU_DOMAIN))
+ return true;
+
++ global_constraint = cpu_latency_qos_limit();
+ /*
+ * Find the next wakeup for any of the online CPUs within the PM domain
+ * and its subdomains. Note, we only need the genpd->cpus, as it already
+@@ -277,8 +281,16 @@ static bool cpu_power_down_ok(struct dev
+ if (ktime_before(next_hrtimer, domain_wakeup))
+ domain_wakeup = next_hrtimer;
+ }
++
++ cpu_dev = get_cpu_device(cpu);
++ if (cpu_dev) {
++ cpu_constraint = dev_pm_qos_raw_resume_latency(cpu_dev);
++ if (cpu_constraint < global_constraint)
++ global_constraint = cpu_constraint;
++ }
+ }
+
++ global_constraint *= NSEC_PER_USEC;
+ /* The minimum idle duration is from now - until the next wakeup. */
+ idle_duration_ns = ktime_to_ns(ktime_sub(domain_wakeup, ktime_get()));
+ if (idle_duration_ns <= 0)
+@@ -291,8 +303,10 @@ static bool cpu_power_down_ok(struct dev
+ */
+ i = genpd->state_idx;
+ do {
+- if (idle_duration_ns >= (genpd->states[i].residency_ns +
+- genpd->states[i].power_off_latency_ns)) {
++ if ((idle_duration_ns >= (genpd->states[i].residency_ns +
++ genpd->states[i].power_off_latency_ns)) &&
++ (global_constraint >= (genpd->states[i].power_on_latency_ns +
++ genpd->states[i].power_off_latency_ns))) {
+ genpd->state_idx = i;
+ return true;
+ }
usb-storage-ignore-driver-cd-mode-for-realtek-multi-mode-wi-fi-dongles.patch
usb-dwc3-ignore-late-xfernotready-event-to-prevent-halt-timeout.patch
kbuild-userprogs-use-correct-linker-when-mixing-clang-and-gnu-ld.patch
+f2fs-fix-to-do-sanity-check-on-ino-and-xnid.patch
+iio-hid-sensor-prox-fix-incorrect-offset-calculation.patch
+x86-mce-amd-add-default-names-for-mca-banks-and-blocks.patch
+usb-hub-avoid-warm-port-reset-during-usb3-disconnect.patch
+usb-hub-don-t-try-to-recover-devices-lost-during-warm-reset.patch
+smb-client-fix-use-after-free-in-crypt_message-when-using-async-crypto.patch
+tracing-add-down_write-trace_event_sem-when-adding-trace-event.patch
+pmdomain-governor-consider-cpu-latency-tolerance-from-pm_domain_cpu_gov.patch
+ice-fix-a-null-pointer-dereference-in-ice_copy_and_init_pkg.patch
+drm-sched-remove-optimization-that-causes-hang-when-killing-dependent-jobs.patch
+mm-zsmalloc.c-convert-to-use-kmem_cache_zalloc-in-cache_alloc_zspage.patch
+mm-zsmalloc-do-not-pass-__gfp_movable-if-config_compaction-n.patch
+x86-fpu-delay-instruction-pointer-fixup-until-after-warning.patch
+alsa-scarlett2-add-retry-on-eproto-from-scarlett2_usb_tx.patch
+net-usbnet-avoid-potential-rcu-stall-on-link_change-event.patch
+usb-typec-fusb302-cache-pd-rx-state.patch
+pci-acpi-fix-runtime-pm-ref-imbalance-on-hot-plug-capable-ports.patch
+block-make-req_op_zone_finish-a-write-operation.patch
+hv_netvsc-fix-panic-during-namespace-deletion-with-vf.patch
+usb-cdc-acm-do-not-log-successful-probe-on-later-errors.patch
+cdc-acm-fix-race-between-initial-clearing-halt-and-open.patch
--- /dev/null
+From stable+bounces-164307-greg=kroah.com@vger.kernel.org Wed Jul 23 00:00:40 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Jul 2025 17:59:01 -0400
+Subject: smb: client: fix use-after-free in crypt_message when using async crypto
+To: stable@vger.kernel.org
+Cc: Wang Zhaolong <wangzhaolong@huaweicloud.com>, Paulo Alcantara <pc@manguebit.org>, Steve French <stfrench@microsoft.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250722215901.981691-1-sashal@kernel.org>
+
+From: Wang Zhaolong <wangzhaolong@huaweicloud.com>
+
+[ Upstream commit b220bed63330c0e1733dc06ea8e75d5b9962b6b6 ]
+
+The CVE-2024-50047 fix removed asynchronous crypto handling from
+crypt_message(), assuming all crypto operations are synchronous.
+However, when hardware crypto accelerators are used, this can cause
+use-after-free crashes:
+
+ crypt_message()
+ // Allocate the creq buffer containing the req
+ creq = smb2_get_aead_req(..., &req);
+
+ // Async encryption returns -EINPROGRESS immediately
+ rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req);
+
+ // Free creq while async operation is still in progress
+ kvfree_sensitive(creq, ...);
+
+Hardware crypto modules often implement async AEAD operations for
+performance. When crypto_aead_encrypt/decrypt() returns -EINPROGRESS,
+the operation completes asynchronously. Without crypto_wait_req(),
+the function immediately frees the request buffer, leading to crashes
+when the driver later accesses the freed memory.
+
+This results in a use-after-free condition when the hardware crypto
+driver later accesses the freed request structure, leading to kernel
+crashes with NULL pointer dereferences.
+
+The issue occurs because crypto_alloc_aead() with mask=0 doesn't
+guarantee synchronous operation. Even without CRYPTO_ALG_ASYNC in
+the mask, async implementations can be selected.
+
+Fix by restoring the async crypto handling:
+- DECLARE_CRYPTO_WAIT(wait) for completion tracking
+- aead_request_set_callback() for async completion notification
+- crypto_wait_req() to wait for operation completion
+
+This ensures the request buffer isn't freed until the crypto operation
+completes, whether synchronous or asynchronous, while preserving the
+CVE-2024-50047 fix.
+
+Fixes: b0abcd65ec54 ("smb: client: fix UAF in async decryption")
+Link: https://lore.kernel.org/all/8b784a13-87b0-4131-9ff9-7a8993538749@huaweicloud.com/
+Cc: stable@vger.kernel.org
+Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Signed-off-by: Wang Zhaolong <wangzhaolong@huaweicloud.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/smb2ops.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -4302,6 +4302,7 @@ crypt_message(struct TCP_Server_Info *se
+ u8 key[SMB3_ENC_DEC_KEY_SIZE];
+ struct aead_request *req;
+ u8 *iv;
++ DECLARE_CRYPTO_WAIT(wait);
+ unsigned int crypt_len = le32_to_cpu(tr_hdr->OriginalMessageSize);
+ void *creq;
+
+@@ -4350,7 +4351,11 @@ crypt_message(struct TCP_Server_Info *se
+ aead_request_set_crypt(req, sg, sg, crypt_len, iv);
+ aead_request_set_ad(req, assoc_data_len);
+
+- rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req);
++ aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
++ crypto_req_done, &wait);
++
++ rc = crypto_wait_req(enc ? crypto_aead_encrypt(req)
++ : crypto_aead_decrypt(req), &wait);
+
+ if (!rc && enc)
+ memcpy(&tr_hdr->Signature, sign, SMB2_SIGNATURE_SIZE);
--- /dev/null
+From stable+bounces-164083-greg=kroah.com@vger.kernel.org Tue Jul 22 16:09:52 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Jul 2025 10:06:16 -0400
+Subject: tracing: Add down_write(trace_event_sem) when adding trace event
+To: stable@vger.kernel.org
+Cc: Steven Rostedt <rostedt@goodmis.org>, Mathieu Desnoyers <mathieu.desnoyers@efficios.com>, Masami Hiramatsu <mhiramat@kernel.org>, Fusheng Huang <Fusheng.Huang@luxshare-ict.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250722140616.951726-1-sashal@kernel.org>
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+[ Upstream commit b5e8acc14dcb314a9b61ff19dcd9fdd0d88f70df ]
+
+When a module is loaded, it adds trace events defined by the module. It
+may also need to modify the modules trace printk formats to replace enum
+names with their values.
+
+If two modules are loaded at the same time, the adding of the event to the
+ftrace_events list can corrupt the walking of the list in the code that is
+modifying the printk format strings and crash the kernel.
+
+The addition of the event should take the trace_event_sem for write while
+it adds the new event.
+
+Also add a lockdep_assert_held() on that semaphore in
+__trace_add_event_dirs() as it iterates the list.
+
+Cc: stable@vger.kernel.org
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Link: https://lore.kernel.org/20250718223158.799bfc0c@batman.local.home
+Reported-by: Fusheng Huang(黄富生) <Fusheng.Huang@luxshare-ict.com>
+Closes: https://lore.kernel.org/all/20250717105007.46ccd18f@batman.local.home/
+Fixes: 110bf2b764eb6 ("tracing: add protection around module events unload")
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_events.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/kernel/trace/trace_events.c
++++ b/kernel/trace/trace_events.c
+@@ -2324,7 +2324,10 @@ __register_event(struct trace_event_call
+ if (ret < 0)
+ return ret;
+
++ down_write(&trace_event_sem);
+ list_add(&call->list, &ftrace_events);
++ up_write(&trace_event_sem);
++
+ call->mod = mod;
+
+ return 0;
+@@ -2710,6 +2713,8 @@ __trace_add_event_dirs(struct trace_arra
+ struct trace_event_call *call;
+ int ret;
+
++ lockdep_assert_held(&trace_event_sem);
++
+ list_for_each_entry(call, &ftrace_events, list) {
+ ret = __trace_add_new_event(call, tr);
+ if (ret < 0)
--- /dev/null
+From stable+bounces-171670-greg=kroah.com@vger.kernel.org Tue Aug 19 01:08:47 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Aug 2025 19:08:38 -0400
+Subject: USB: cdc-acm: do not log successful probe on later errors
+To: stable@vger.kernel.org
+Cc: Johan Hovold <johan@kernel.org>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250818230839.135733-1-sashal@kernel.org>
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit 79579411826647fd573dbe301c4d933bc90e4be7 ]
+
+Do not log the successful-probe message until the tty device has been
+registered.
+
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20210322155318.9837-9-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: 64690a90cd7c ("cdc-acm: fix race between initial clearing halt and open")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/class/cdc-acm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1510,8 +1510,6 @@ skip_countries:
+ acm->nb_index = 0;
+ acm->nb_size = 0;
+
+- dev_info(&intf->dev, "ttyACM%d: USB ACM device\n", minor);
+-
+ acm->line.dwDTERate = cpu_to_le32(9600);
+ acm->line.bDataBits = 8;
+ acm_set_line(acm, &acm->line);
+@@ -1531,6 +1529,8 @@ skip_countries:
+ usb_clear_halt(usb_dev, acm->out);
+ }
+
++ dev_info(&intf->dev, "ttyACM%d: USB ACM device\n", minor);
++
+ return 0;
+ alloc_fail6:
+ if (!acm->combined_interfaces) {
--- /dev/null
+From stable+bounces-164312-greg=kroah.com@vger.kernel.org Wed Jul 23 00:51:01 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Jul 2025 18:50:49 -0400
+Subject: usb: hub: avoid warm port reset during USB3 disconnect
+To: stable@vger.kernel.org
+Cc: Mathias Nyman <mathias.nyman@linux.intel.com>, Mark Pearson <markpearson@lenovo.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250722225050.997941-1-sashal@kernel.org>
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+[ Upstream commit f59f93cd1d720809466c7fd5aa16a236156c672b ]
+
+During disconnect USB-3 ports often go via SS.Inactive link error state
+before the missing terminations are noticed, and link finally goes to
+RxDetect state
+
+Avoid immediately warm-resetting ports in SS.Inactive state.
+Let ports settle for a while and re-read the link status a few times 20ms
+apart to see if the ports transitions out of SS.Inactive.
+
+According to USB 3.x spec 7.5.2, a port in SS.Inactive should
+automatically check for missing far-end receiver termination every
+12 ms (SSInactiveQuietTimeout)
+
+The futile multiple warm reset retries of a disconnected device takes
+a lot of time, also the resetting of a removed devices has caused cases
+where the reset bit got stuck for a long time on xHCI roothub.
+This lead to issues in detecting new devices connected to the same port
+shortly after.
+
+Tested-by: Mark Pearson <markpearson@lenovo.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20211210111653.1378381-1-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: 2521106fc732 ("usb: hub: Don't try to recover devices lost during warm reset.")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/core/hub.c | 26 ++++++++++++++++++++------
+ 1 file changed, 20 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -2884,6 +2884,8 @@ static unsigned hub_is_wusb(struct usb_h
+ #define PORT_INIT_TRIES 4
+ #endif /* CONFIG_USB_FEW_INIT_RETRIES */
+
++#define DETECT_DISCONNECT_TRIES 5
++
+ #define HUB_ROOT_RESET_TIME 60 /* times are in msec */
+ #define HUB_SHORT_RESET_TIME 10
+ #define HUB_BH_RESET_TIME 50
+@@ -5685,6 +5687,7 @@ static void port_event(struct usb_hub *h
+ struct usb_device *udev = port_dev->child;
+ struct usb_device *hdev = hub->hdev;
+ u16 portstatus, portchange;
++ int i = 0;
+
+ connect_change = test_bit(port1, hub->change_bits);
+ clear_bit(port1, hub->event_bits);
+@@ -5761,17 +5764,27 @@ static void port_event(struct usb_hub *h
+ connect_change = 1;
+
+ /*
+- * Warm reset a USB3 protocol port if it's in
+- * SS.Inactive state.
+- */
+- if (hub_port_warm_reset_required(hub, port1, portstatus)) {
+- dev_dbg(&port_dev->dev, "do warm reset\n");
+- if (!udev || !(portstatus & USB_PORT_STAT_CONNECTION)
++ * Avoid trying to recover a USB3 SS.Inactive port with a warm reset if
++ * the device was disconnected. A 12ms disconnect detect timer in
++ * SS.Inactive state transitions the port to RxDetect automatically.
++ * SS.Inactive link error state is common during device disconnect.
++ */
++ while (hub_port_warm_reset_required(hub, port1, portstatus)) {
++ if ((i++ < DETECT_DISCONNECT_TRIES) && udev) {
++ u16 unused;
++
++ msleep(20);
++ hub_port_status(hub, port1, &portstatus, &unused);
++ dev_dbg(&port_dev->dev, "Wait for inactive link disconnect detect\n");
++ continue;
++ } else if (!udev || !(portstatus & USB_PORT_STAT_CONNECTION)
+ || udev->state == USB_STATE_NOTATTACHED) {
++ dev_dbg(&port_dev->dev, "do warm reset, port only\n");
+ if (hub_port_reset(hub, port1, NULL,
+ HUB_BH_RESET_TIME, true) < 0)
+ hub_port_disable(hub, port1, 1);
+ } else {
++ dev_dbg(&port_dev->dev, "do warm reset, full device\n");
+ usb_unlock_port(port_dev);
+ usb_lock_device(udev);
+ usb_reset_device(udev);
+@@ -5779,6 +5792,7 @@ static void port_event(struct usb_hub *h
+ usb_lock_port(port_dev);
+ connect_change = 0;
+ }
++ break;
+ }
+
+ if (connect_change)
--- /dev/null
+From stable+bounces-164313-greg=kroah.com@vger.kernel.org Wed Jul 23 00:51:03 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Jul 2025 18:50:50 -0400
+Subject: usb: hub: Don't try to recover devices lost during warm reset.
+To: stable@vger.kernel.org
+Cc: "Mathias Nyman" <mathias.nyman@linux.intel.com>, "Łukasz Bartosik" <ukaszb@chromium.org>, "Alan Stern" <stern@rowland.harvard.edu>, "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250722225050.997941-2-sashal@kernel.org>
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+[ Upstream commit 2521106fc732b0b75fd3555c689b1ed1d29d273c ]
+
+Hub driver warm-resets ports in SS.Inactive or Compliance mode to
+recover a possible connected device. The port reset code correctly
+detects if a connection is lost during reset, but hub driver
+port_event() fails to take this into account in some cases.
+port_event() ends up using stale values and assumes there is a
+connected device, and will try all means to recover it, including
+power-cycling the port.
+
+Details:
+This case was triggered when xHC host was suspended with DbC (Debug
+Capability) enabled and connected. DbC turns one xHC port into a simple
+usb debug device, allowing debugging a system with an A-to-A USB debug
+cable.
+
+xhci DbC code disables DbC when xHC is system suspended to D3, and
+enables it back during resume.
+We essentially end up with two hosts connected to each other during
+suspend, and, for a short while during resume, until DbC is enabled back.
+The suspended xHC host notices some activity on the roothub port, but
+can't train the link due to being suspended, so xHC hardware sets a CAS
+(Cold Attach Status) flag for this port to inform xhci host driver that
+the port needs to be warm reset once xHC resumes.
+
+CAS is xHCI specific, and not part of USB specification, so xhci driver
+tells usb core that the port has a connection and link is in compliance
+mode. Recovery from complinace mode is similar to CAS recovery.
+
+xhci CAS driver support that fakes a compliance mode connection was added
+in commit 8bea2bd37df0 ("usb: Add support for root hub port status CAS")
+
+Once xHCI resumes and DbC is enabled back, all activity on the xHC
+roothub host side port disappears. The hub driver will anyway think
+port has a connection and link is in compliance mode, and hub driver
+will try to recover it.
+
+The port power-cycle during recovery seems to cause issues to the active
+DbC connection.
+
+Fix this by clearing connect_change flag if hub_port_reset() returns
+-ENOTCONN, thus avoiding the whole unnecessary port recovery and
+initialization attempt.
+
+Cc: stable@vger.kernel.org
+Fixes: 8bea2bd37df0 ("usb: Add support for root hub port status CAS")
+Tested-by: Łukasz Bartosik <ukaszb@chromium.org>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/r/20250623133947.3144608-1-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/core/hub.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -5688,6 +5688,7 @@ static void port_event(struct usb_hub *h
+ struct usb_device *hdev = hub->hdev;
+ u16 portstatus, portchange;
+ int i = 0;
++ int err;
+
+ connect_change = test_bit(port1, hub->change_bits);
+ clear_bit(port1, hub->event_bits);
+@@ -5780,8 +5781,11 @@ static void port_event(struct usb_hub *h
+ } else if (!udev || !(portstatus & USB_PORT_STAT_CONNECTION)
+ || udev->state == USB_STATE_NOTATTACHED) {
+ dev_dbg(&port_dev->dev, "do warm reset, port only\n");
+- if (hub_port_reset(hub, port1, NULL,
+- HUB_BH_RESET_TIME, true) < 0)
++ err = hub_port_reset(hub, port1, NULL,
++ HUB_BH_RESET_TIME, true);
++ if (!udev && err == -ENOTCONN)
++ connect_change = 0;
++ else if (err < 0)
+ hub_port_disable(hub, port1, 1);
+ } else {
+ dev_dbg(&port_dev->dev, "do warm reset, full device\n");
--- /dev/null
+From stable+bounces-171668-greg=kroah.com@vger.kernel.org Tue Aug 19 00:54:38 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Aug 2025 18:54:25 -0400
+Subject: usb: typec: fusb302: cache PD RX state
+To: stable@vger.kernel.org
+Cc: Sebastian Reichel <sebastian.reichel@collabora.com>, stable <stable@kernel.org>, Heikki Krogerus <heikki.krogerus@linux.intel.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250818225425.129459-1-sashal@kernel.org>
+
+From: Sebastian Reichel <sebastian.reichel@collabora.com>
+
+[ Upstream commit 1e61f6ab08786d66a11cfc51e13d6f08a6b06c56 ]
+
+This patch fixes a race condition communication error, which ends up in
+PD hard resets when losing the race. Some systems, like the Radxa ROCK
+5B are powered through USB-C without any backup power source and use a
+FUSB302 chip to do the PD negotiation. This means it is quite important
+to avoid hard resets, since that effectively kills the system's
+power-supply.
+
+I've found the following race condition while debugging unplanned power
+loss during booting the board every now and then:
+
+1. lots of TCPM/FUSB302/PD initialization stuff
+2. TCPM ends up in SNK_WAIT_CAPABILITIES (tcpm_set_pd_rx is enabled here)
+3. the remote PD source does not send anything, so TCPM does a SOFT RESET
+4. TCPM ends up in SNK_WAIT_CAPABILITIES for the second time
+ (tcpm_set_pd_rx is enabled again, even though it is still on)
+
+At this point I've seen broken CRC good messages being send by the
+FUSB302 with a logic analyzer sniffing the CC lines. Also it looks like
+messages are being lost and things generally going haywire with one of
+the two sides doing a hard reset once a broken CRC good message was send
+to the bus.
+
+I think the system is running into a race condition, that the FIFOs are
+being cleared and/or the automatic good CRC message generation flag is
+being updated while a message is already arriving.
+
+Let's avoid this by caching the PD RX enabled state, as we have already
+processed anything in the FIFOs and are in a good state. As a side
+effect that this also optimizes I2C bus usage :)
+
+As far as I can tell the problem theoretically also exists when TCPM
+enters SNK_WAIT_CAPABILITIES the first time, but I believe this is less
+critical for the following reason:
+
+On devices like the ROCK 5B, which are powered through a TCPM backed
+USB-C port, the bootloader must have done some prior PD communication
+(initial communication must happen within 5 seconds after plugging the
+USB-C plug). This means the first time the kernel TCPM state machine
+reaches SNK_WAIT_CAPABILITIES, the remote side is not sending messages
+actively. On other devices a hard reset simply adds some extra delay and
+things should be good afterwards.
+
+Fixes: c034a43e72dda ("staging: typec: Fairchild FUSB302 Type-c chip driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20250704-fusb302-race-condition-fix-v1-1-239012c0e27a@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[ replaced str_on_off(on) with ternary operator ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/tcpm/fusb302.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/usb/typec/tcpm/fusb302.c
++++ b/drivers/usb/typec/tcpm/fusb302.c
+@@ -103,6 +103,7 @@ struct fusb302_chip {
+ bool vconn_on;
+ bool vbus_on;
+ bool charge_on;
++ bool pd_rx_on;
+ bool vbus_present;
+ enum typec_cc_polarity cc_polarity;
+ enum typec_cc_status cc1;
+@@ -841,6 +842,11 @@ static int tcpm_set_pd_rx(struct tcpc_de
+ int ret = 0;
+
+ mutex_lock(&chip->lock);
++ if (chip->pd_rx_on == on) {
++ fusb302_log(chip, "pd is already %s", on ? "on" : "off");
++ goto done;
++ }
++
+ ret = fusb302_pd_rx_flush(chip);
+ if (ret < 0) {
+ fusb302_log(chip, "cannot flush pd rx buffer, ret=%d", ret);
+@@ -863,6 +869,8 @@ static int tcpm_set_pd_rx(struct tcpc_de
+ on ? "on" : "off", ret);
+ goto done;
+ }
++
++ chip->pd_rx_on = on;
+ fusb302_log(chip, "pd := %s", on ? "on" : "off");
+ done:
+ mutex_unlock(&chip->lock);
--- /dev/null
+From stable+bounces-169438-greg=kroah.com@vger.kernel.org Wed Aug 13 18:29:55 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Aug 2025 12:24:25 -0400
+Subject: x86/fpu: Delay instruction pointer fixup until after warning
+To: stable@vger.kernel.org
+Cc: Dave Hansen <dave.hansen@linux.intel.com>, Chao Gao <chao.gao@intel.com>, Alison Schofield <alison.schofield@intel.com>, Peter Zijlstra <peterz@infradead.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250813162425.2060269-1-sashal@kernel.org>
+
+From: Dave Hansen <dave.hansen@linux.intel.com>
+
+[ Upstream commit 1cec9ac2d071cfd2da562241aab0ef701355762a ]
+
+Right now, if XRSTOR fails a console message like this is be printed:
+
+ Bad FPU state detected at restore_fpregs_from_fpstate+0x9a/0x170, reinitializing FPU registers.
+
+However, the text location (...+0x9a in this case) is the instruction
+*AFTER* the XRSTOR. The highlighted instruction in the "Code:" dump
+also points one instruction late.
+
+The reason is that the "fixup" moves RIP up to pass the bad XRSTOR and
+keep on running after returning from the #GP handler. But it does this
+fixup before warning.
+
+The resulting warning output is nonsensical because it looks like the
+non-FPU-related instruction is #GP'ing.
+
+Do not fix up RIP until after printing the warning. Do this by using
+the more generic and standard ex_handler_default().
+
+Fixes: d5c8028b4788 ("x86/fpu: Reinitialize FPU registers if restoring FPU state fails")
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Reviewed-by: Chao Gao <chao.gao@intel.com>
+Acked-by: Alison Schofield <alison.schofield@intel.com>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc:stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20250624210148.97126F9E%40davehans-spike.ostc.intel.com
+[ Adapted ex_handler_default() call ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/mm/extable.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/mm/extable.c
++++ b/arch/x86/mm/extable.c
+@@ -60,13 +60,12 @@ __visible bool ex_handler_fprestore(cons
+ unsigned long error_code,
+ unsigned long fault_addr)
+ {
+- regs->ip = ex_fixup_addr(fixup);
+-
+ WARN_ONCE(1, "Bad FPU state detected at %pB, reinitializing FPU registers.",
+ (void *)instruction_pointer(regs));
+
+ __copy_kernel_to_fpregs(&init_fpstate, -1);
+- return true;
++
++ return ex_handler_default(fixup, regs, trapnr, error_code, fault_addr);
+ }
+ EXPORT_SYMBOL_GPL(ex_handler_fprestore);
+
--- /dev/null
+From stable+bounces-164363-greg=kroah.com@vger.kernel.org Wed Jul 23 06:04:47 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jul 2025 00:04:37 -0400
+Subject: x86/mce/amd: Add default names for MCA banks and blocks
+To: stable@vger.kernel.org
+Cc: Yazen Ghannam <yazen.ghannam@amd.com>, Borislav Petkov <bp@alien8.de>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250723040437.1045199-1-sashal@kernel.org>
+
+From: Yazen Ghannam <yazen.ghannam@amd.com>
+
+[ Upstream commit d66e1e90b16055d2f0ee76e5384e3f119c3c2773 ]
+
+Ensure that sysfs init doesn't fail for new/unrecognized bank types or if
+a bank has additional blocks available.
+
+Most MCA banks have a single thresholding block, so the block takes the same
+name as the bank.
+
+Unified Memory Controllers (UMCs) are a special case where there are two
+blocks and each has a unique name.
+
+However, the microarchitecture allows for five blocks. Any new MCA bank types
+with more than one block will be missing names for the extra blocks. The MCE
+sysfs will fail to initialize in this case.
+
+Fixes: 87a6d4091bd7 ("x86/mce/AMD: Update sysfs bank names for SMCA systems")
+Signed-off-by: Yazen Ghannam <yazen.ghannam@amd.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/20250624-wip-mca-updates-v4-3-236dd74f645f@amd.com
+[ adapted get_name() function signature ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/cpu/mce/amd.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/cpu/mce/amd.c
++++ b/arch/x86/kernel/cpu/mce/amd.c
+@@ -1215,13 +1215,20 @@ static const char *get_name(unsigned int
+ }
+
+ bank_type = smca_get_bank_type(bank);
+- if (bank_type >= N_SMCA_BANK_TYPES)
+- return NULL;
+
+ if (b && bank_type == SMCA_UMC) {
+ if (b->block < ARRAY_SIZE(smca_umc_block_names))
+ return smca_umc_block_names[b->block];
+- return NULL;
++ }
++
++ if (b && b->block) {
++ snprintf(buf_mcatype, MAX_MCATYPE_NAME_LEN, "th_block_%u", b->block);
++ return buf_mcatype;
++ }
++
++ if (bank_type >= N_SMCA_BANK_TYPES) {
++ snprintf(buf_mcatype, MAX_MCATYPE_NAME_LEN, "th_bank_%u", bank);
++ return buf_mcatype;
+ }
+
+ if (smca_banks[bank].hwid->count == 1)
projects / thirdparty / kernel / stable-queue.git / commitdiff
