--- /dev/null
+From 017f3d1153c7e571aee60f82fb953feb584790dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jul 2025 12:08:12 +0530
+Subject: arm64/mm: Drop wrong writes into TCR2_EL1
+
+From: Anshuman Khandual <anshuman.khandual@arm.com>
+
+[ Upstream commit 9dd1757493416310a5e71146a08bc228869f8dae ]
+
+Register X0 contains PIE_E1_ASM and should not be written into REG_TCR2_EL1
+which could have an adverse impact otherwise. This has remained undetected
+till now probably because current value for PIE_E1_ASM (0xcc880e0ac0800000)
+clears TCR2_EL1 which again gets set subsequently with 'tcr2' after testing
+for FEAT_TCR2.
+
+Drop this unwarranted 'msr' which is a stray change from an earlier commit.
+This line got re-introduced when rebasing on top of the commit 926b66e2ebc8
+("arm64: setup: name 'tcr2' register").
+
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Will Deacon <will@kernel.org>
+Cc: Ryan Roberts <ryan.roberts@arm.com>
+Cc: Marc Zyngier <maz@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: linux-kernel@vger.kernel.org
+Fixes: 7052e808c446 ("arm64/sysreg: Get rid of the TCR2_EL1x SysregFields")
+Acked-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Anshuman Khandual <anshuman.khandual@arm.com>
+Link: https://lore.kernel.org/r/20250704063812.298914-1-anshuman.khandual@arm.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/mm/proc.S | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/arm64/mm/proc.S b/arch/arm64/mm/proc.S
+index fb30c8804f87b..46a18af52980d 100644
+--- a/arch/arm64/mm/proc.S
++++ b/arch/arm64/mm/proc.S
+@@ -533,7 +533,6 @@ alternative_else_nop_endif
+ #undef PTE_MAYBE_SHARED
+
+ orr tcr2, tcr2, TCR2_EL1_PIE
+- msr REG_TCR2_EL1, x0
+
+ .Lskip_indirection:
+
+--
+2.39.5
+
--- /dev/null
+From 3391b5103a903220e93ac45cbec9deed3f312584 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Jun 2025 17:00:41 +0100
+Subject: arm64: poe: Handle spurious Overlay faults
+
+From: Kevin Brodsky <kevin.brodsky@arm.com>
+
+[ Upstream commit 22f3a4f6085951eff28bd1e44d3f388c1d9a5f44 ]
+
+We do not currently issue an ISB after updating POR_EL0 when
+context-switching it, for instance. The rationale is that if the old
+value of POR_EL0 is more restrictive and causes a fault during
+uaccess, the access will be retried [1]. In other words, we are
+trading an ISB on every context-switching for the (unlikely)
+possibility of a spurious fault. We may also miss faults if the new
+value of POR_EL0 is more restrictive, but that's considered
+acceptable.
+
+However, as things stand, a spurious Overlay fault results in
+uaccess failing right away since it causes fault_from_pkey() to
+return true. If an Overlay fault is reported, we therefore need to
+double check POR_EL0 against vma_pkey(vma) - this is what
+arch_vma_access_permitted() already does.
+
+As it turns out, we already perform that explicit check if no
+Overlay fault is reported, and we need to keep that check (see
+comment added in fault_from_pkey()). Net result: the Overlay ISS2
+bit isn't of much help to decide whether a pkey fault occurred.
+
+Remove the check for the Overlay bit from fault_from_pkey() and
+add a comment to try and explain the situation. While at it, also
+add a comment to permission_overlay_switch() in case anyone gets
+surprised by the lack of ISB.
+
+[1] https://lore.kernel.org/linux-arm-kernel/ZtYNGBrcE-j35fpw@arm.com/
+
+Fixes: 160a8e13de6c ("arm64: context switch POR_EL0 register")
+Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
+Link: https://lore.kernel.org/r/20250619160042.2499290-2-kevin.brodsky@arm.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/process.c | 5 +++++
+ arch/arm64/mm/fault.c | 30 +++++++++++++++++++++---------
+ 2 files changed, 26 insertions(+), 9 deletions(-)
+
+diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c
+index 42faebb7b7123..4bc70205312e4 100644
+--- a/arch/arm64/kernel/process.c
++++ b/arch/arm64/kernel/process.c
+@@ -638,6 +638,11 @@ static void permission_overlay_switch(struct task_struct *next)
+ current->thread.por_el0 = read_sysreg_s(SYS_POR_EL0);
+ if (current->thread.por_el0 != next->thread.por_el0) {
+ write_sysreg_s(next->thread.por_el0, SYS_POR_EL0);
++ /*
++ * No ISB required as we can tolerate spurious Overlay faults -
++ * the fault handler will check again based on the new value
++ * of POR_EL0.
++ */
+ }
+ }
+
+diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
+index ec0a337891ddf..11eb8d1adc841 100644
+--- a/arch/arm64/mm/fault.c
++++ b/arch/arm64/mm/fault.c
+@@ -487,17 +487,29 @@ static void do_bad_area(unsigned long far, unsigned long esr,
+ }
+ }
+
+-static bool fault_from_pkey(unsigned long esr, struct vm_area_struct *vma,
+- unsigned int mm_flags)
++static bool fault_from_pkey(struct vm_area_struct *vma, unsigned int mm_flags)
+ {
+- unsigned long iss2 = ESR_ELx_ISS2(esr);
+-
+ if (!system_supports_poe())
+ return false;
+
+- if (esr_fsc_is_permission_fault(esr) && (iss2 & ESR_ELx_Overlay))
+- return true;
+-
++ /*
++ * We do not check whether an Overlay fault has occurred because we
++ * cannot make a decision based solely on its value:
++ *
++ * - If Overlay is set, a fault did occur due to POE, but it may be
++ * spurious in those cases where we update POR_EL0 without ISB (e.g.
++ * on context-switch). We would then need to manually check POR_EL0
++ * against vma_pkey(vma), which is exactly what
++ * arch_vma_access_permitted() does.
++ *
++ * - If Overlay is not set, we may still need to report a pkey fault.
++ * This is the case if an access was made within a mapping but with no
++ * page mapped, and POR_EL0 forbids the access (according to
++ * vma_pkey()). Such access will result in a SIGSEGV regardless
++ * because core code checks arch_vma_access_permitted(), but in order
++ * to report the correct error code - SEGV_PKUERR - we must handle
++ * that case here.
++ */
+ return !arch_vma_access_permitted(vma,
+ mm_flags & FAULT_FLAG_WRITE,
+ mm_flags & FAULT_FLAG_INSTRUCTION,
+@@ -635,7 +647,7 @@ static int __kprobes do_page_fault(unsigned long far, unsigned long esr,
+ goto bad_area;
+ }
+
+- if (fault_from_pkey(esr, vma, mm_flags)) {
++ if (fault_from_pkey(vma, mm_flags)) {
+ pkey = vma_pkey(vma);
+ vma_end_read(vma);
+ fault = 0;
+@@ -679,7 +691,7 @@ static int __kprobes do_page_fault(unsigned long far, unsigned long esr,
+ goto bad_area;
+ }
+
+- if (fault_from_pkey(esr, vma, mm_flags)) {
++ if (fault_from_pkey(vma, mm_flags)) {
+ pkey = vma_pkey(vma);
+ mmap_read_unlock(mm);
+ fault = 0;
+--
+2.39.5
+
--- /dev/null
+From eab3f963bcafd84bec97c486b09aff826382fc0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 11:25:21 +0100
+Subject: ASoC: cs35l56: probe() should fail if the device ID is not recognized
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit 3b3312f28ee2d9c386602f8521e419cfc69f4823 ]
+
+Return an error from driver probe if the DEVID read from the chip is not
+one supported by this driver.
+
+In cs35l56_hw_init() there is a check for valid DEVID, but the invalid
+case was returning the value of ret. At this point in the code ret == 0
+so the caller would think that cs35l56_hw_init() was successful.
+
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Fixes: 84851aa055c8 ("ASoC: cs35l56: Move part of cs35l56_init() to shared library")
+Link: https://patch.msgid.link/20250703102521.54204-1-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs35l56-shared.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/cs35l56-shared.c b/sound/soc/codecs/cs35l56-shared.c
+index e28bfefa72f33..016a6248ab8f0 100644
+--- a/sound/soc/codecs/cs35l56-shared.c
++++ b/sound/soc/codecs/cs35l56-shared.c
+@@ -811,7 +811,7 @@ int cs35l56_hw_init(struct cs35l56_base *cs35l56_base)
+ break;
+ default:
+ dev_err(cs35l56_base->dev, "Unknown device %x\n", devid);
+- return ret;
++ return -ENODEV;
+ }
+
+ cs35l56_base->type = devid & 0xFF;
+--
+2.39.5
+
--- /dev/null
+From 276f9a6b933294c31285737ae9390d6282aee5ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jun 2025 10:05:04 +0800
+Subject: ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode
+
+From: Shengjiu Wang <shengjiu.wang@nxp.com>
+
+[ Upstream commit cbe876121633dadb2b0ce52711985328638e9aab ]
+
+When USRC=0, there is underrun issue for the non-ideal ratio mode;
+according to the reference mannual, the internal measured ratio can be
+used with USRC=1 and IDRC=0.
+
+Fixes: d0250cf4f2ab ("ASoC: fsl_asrc: Add an option to select internal ratio mode")
+Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
+Reviewed-by: Daniel Baluta <daniel.baluta@nxp.com>
+Link: https://patch.msgid.link/20250625020504.2728161-1-shengjiu.wang@nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/fsl_asrc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/fsl/fsl_asrc.c b/sound/soc/fsl/fsl_asrc.c
+index 677529916dc0e..745532ccbdba6 100644
+--- a/sound/soc/fsl/fsl_asrc.c
++++ b/sound/soc/fsl/fsl_asrc.c
+@@ -517,7 +517,8 @@ static int fsl_asrc_config_pair(struct fsl_asrc_pair *pair, bool use_ideal_rate)
+ regmap_update_bits(asrc->regmap, REG_ASRCTR,
+ ASRCTR_ATSi_MASK(index), ASRCTR_ATS(index));
+ regmap_update_bits(asrc->regmap, REG_ASRCTR,
+- ASRCTR_USRi_MASK(index), 0);
++ ASRCTR_IDRi_MASK(index) | ASRCTR_USRi_MASK(index),
++ ASRCTR_USR(index));
+
+ /* Set the input and output clock sources */
+ regmap_update_bits(asrc->regmap, REG_ASRCSR,
+--
+2.39.5
+
--- /dev/null
+From 0ef434798f6f8268002b1b1a780b66def53456c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Apr 2025 14:32:33 +0800
+Subject: ASoC: Intel: add sof_sdw_get_tplg_files ops
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Bard Liao <yung-chuan.liao@linux.intel.com>
+
+[ Upstream commit 2fbeff33381cf017facbf5f13d34693baa5a2296 ]
+
+Add sof_sdw_get_tplg_files ops to get sub-topology file names for the
+sof_sdw card.
+
+Signed-off-by: Bard Liao <yung-chuan.liao@linux.intel.com>
+Reviewed-by: Liam Girdwood <liam.r.girdwood@intel.com>
+Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Reviewed-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Link: https://patch.msgid.link/20250414063239.85200-6-yung-chuan.liao@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Stable-dep-of: a7528e9beadb ("ASoC: Intel: soc-acpi: arl: Correct order of cs42l43 matches")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/common/Makefile | 2 +-
+ .../intel/common/sof-function-topology-lib.c | 135 ++++++++++++++++++
+ .../intel/common/sof-function-topology-lib.h | 15 ++
+ 3 files changed, 151 insertions(+), 1 deletion(-)
+ create mode 100644 sound/soc/intel/common/sof-function-topology-lib.c
+ create mode 100644 sound/soc/intel/common/sof-function-topology-lib.h
+
+diff --git a/sound/soc/intel/common/Makefile b/sound/soc/intel/common/Makefile
+index 0afd114be9e5e..7822bcae6c69d 100644
+--- a/sound/soc/intel/common/Makefile
++++ b/sound/soc/intel/common/Makefile
+@@ -12,7 +12,7 @@ snd-soc-acpi-intel-match-y := soc-acpi-intel-byt-match.o soc-acpi-intel-cht-matc
+ soc-acpi-intel-lnl-match.o \
+ soc-acpi-intel-ptl-match.o \
+ soc-acpi-intel-hda-match.o \
+- soc-acpi-intel-sdw-mockup-match.o
++ soc-acpi-intel-sdw-mockup-match.o sof-function-topology-lib.o
+
+ snd-soc-acpi-intel-match-y += soc-acpi-intel-ssp-common.o
+
+diff --git a/sound/soc/intel/common/sof-function-topology-lib.c b/sound/soc/intel/common/sof-function-topology-lib.c
+new file mode 100644
+index 0000000000000..90fe7aa3df1cb
+--- /dev/null
++++ b/sound/soc/intel/common/sof-function-topology-lib.c
+@@ -0,0 +1,135 @@
++// SPDX-License-Identifier: (GPL-2.0-only OR BSD-3-Clause)
++//
++// This file is provided under a dual BSD/GPLv2 license. When using or
++// redistributing this file, you may do so under either license.
++//
++// Copyright(c) 2025 Intel Corporation.
++//
++
++#include <linux/device.h>
++#include <linux/errno.h>
++#include <linux/firmware.h>
++#include <sound/soc.h>
++#include <sound/soc-acpi.h>
++#include "sof-function-topology-lib.h"
++
++enum tplg_device_id {
++ TPLG_DEVICE_SDCA_JACK,
++ TPLG_DEVICE_SDCA_AMP,
++ TPLG_DEVICE_SDCA_MIC,
++ TPLG_DEVICE_INTEL_PCH_DMIC,
++ TPLG_DEVICE_HDMI,
++ TPLG_DEVICE_MAX
++};
++
++#define SDCA_DEVICE_MASK (BIT(TPLG_DEVICE_SDCA_JACK) | BIT(TPLG_DEVICE_SDCA_AMP) | \
++ BIT(TPLG_DEVICE_SDCA_MIC))
++
++#define SOF_INTEL_PLATFORM_NAME_MAX 4
++
++int sof_sdw_get_tplg_files(struct snd_soc_card *card, const struct snd_soc_acpi_mach *mach,
++ const char *prefix, const char ***tplg_files)
++{
++ struct snd_soc_acpi_mach_params mach_params = mach->mach_params;
++ struct snd_soc_dai_link *dai_link;
++ const struct firmware *fw;
++ char platform[SOF_INTEL_PLATFORM_NAME_MAX];
++ unsigned long tplg_mask = 0;
++ int tplg_num = 0;
++ int tplg_dev;
++ int ret;
++ int i;
++
++ ret = sscanf(mach->sof_tplg_filename, "sof-%3s-*.tplg", platform);
++ if (ret != 1) {
++ dev_err(card->dev, "Invalid platform name %s of tplg %s\n",
++ platform, mach->sof_tplg_filename);
++ return -EINVAL;
++ }
++
++ for_each_card_prelinks(card, i, dai_link) {
++ char *tplg_dev_name;
++
++ dev_dbg(card->dev, "dai_link %s id %d\n", dai_link->name, dai_link->id);
++ if (strstr(dai_link->name, "SimpleJack")) {
++ tplg_dev = TPLG_DEVICE_SDCA_JACK;
++ tplg_dev_name = "sdca-jack";
++ } else if (strstr(dai_link->name, "SmartAmp")) {
++ tplg_dev = TPLG_DEVICE_SDCA_AMP;
++ tplg_dev_name = devm_kasprintf(card->dev, GFP_KERNEL,
++ "sdca-%damp", dai_link->num_cpus);
++ if (!tplg_dev_name)
++ return -ENOMEM;
++ } else if (strstr(dai_link->name, "SmartMic")) {
++ tplg_dev = TPLG_DEVICE_SDCA_MIC;
++ tplg_dev_name = "sdca-mic";
++ } else if (strstr(dai_link->name, "dmic")) {
++ switch (mach_params.dmic_num) {
++ case 2:
++ tplg_dev_name = "dmic-2ch";
++ break;
++ case 4:
++ tplg_dev_name = "dmic-4ch";
++ break;
++ default:
++ dev_warn(card->dev,
++ "only -2ch and -4ch are supported for dmic\n");
++ continue;
++ }
++ tplg_dev = TPLG_DEVICE_INTEL_PCH_DMIC;
++ } else if (strstr(dai_link->name, "iDisp")) {
++ tplg_dev = TPLG_DEVICE_HDMI;
++ tplg_dev_name = "hdmi-pcm5";
++
++ } else {
++ /* The dai link is not supported by separated tplg yet */
++ dev_dbg(card->dev,
++ "dai_link %s is not supported by separated tplg yet\n",
++ dai_link->name);
++ return 0;
++ }
++ if (tplg_mask & BIT(tplg_dev))
++ continue;
++
++ tplg_mask |= BIT(tplg_dev);
++
++ /*
++ * The tplg file naming rule is sof-<platform>-<function>-id<BE id number>.tplg
++ * where <platform> is only required for the DMIC function as the nhlt blob
++ * is platform dependent.
++ */
++ switch (tplg_dev) {
++ case TPLG_DEVICE_INTEL_PCH_DMIC:
++ (*tplg_files)[tplg_num] = devm_kasprintf(card->dev, GFP_KERNEL,
++ "%s/sof-%s-%s-id%d.tplg",
++ prefix, platform,
++ tplg_dev_name, dai_link->id);
++ break;
++ default:
++ (*tplg_files)[tplg_num] = devm_kasprintf(card->dev, GFP_KERNEL,
++ "%s/sof-%s-id%d.tplg",
++ prefix, tplg_dev_name,
++ dai_link->id);
++ break;
++ }
++ if (!(*tplg_files)[tplg_num])
++ return -ENOMEM;
++ tplg_num++;
++ }
++
++ dev_dbg(card->dev, "tplg_mask %#lx tplg_num %d\n", tplg_mask, tplg_num);
++
++ /* Check presence of sub-topologies */
++ for (i = 0; i < tplg_num; i++) {
++ ret = firmware_request_nowarn(&fw, (*tplg_files)[i], card->dev);
++ if (!ret) {
++ release_firmware(fw);
++ } else {
++ dev_dbg(card->dev, "Failed to open topology file: %s\n", (*tplg_files)[i]);
++ return 0;
++ }
++ }
++
++ return tplg_num;
++}
++
+diff --git a/sound/soc/intel/common/sof-function-topology-lib.h b/sound/soc/intel/common/sof-function-topology-lib.h
+new file mode 100644
+index 0000000000000..e7d0c39d07883
+--- /dev/null
++++ b/sound/soc/intel/common/sof-function-topology-lib.h
+@@ -0,0 +1,15 @@
++/* SPDX-License-Identifier: GPL-2.0-only */
++/*
++ * soc-acpi-intel-get-tplg.h - get-tplg-files ops
++ *
++ * Copyright (c) 2025, Intel Corporation.
++ *
++ */
++
++#ifndef _SND_SOC_ACPI_INTEL_GET_TPLG_H
++#define _SND_SOC_ACPI_INTEL_GET_TPLG_H
++
++int sof_sdw_get_tplg_files(struct snd_soc_card *card, const struct snd_soc_acpi_mach *mach,
++ const char *prefix, const char ***tplg_files);
++
++#endif
+--
+2.39.5
+
--- /dev/null
+From 526c765f051fa7c3ca548560c7b61f328d9fd58a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jun 2025 14:44:20 +0800
+Subject: ASoC: Intel: SND_SOC_INTEL_SOF_BOARD_HELPERS select
+ SND_SOC_ACPI_INTEL_MATCH
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Bard Liao <yung-chuan.liao@linux.intel.com>
+
+[ Upstream commit 960aed31eedbaeb2e47b1bc485b462fd38a53311 ]
+
+The helpers that are provided by SND_SOC_ACPI_INTEL_MATCH
+(soc-acpi-intel-ssp-common) are used in SND_SOC_INTEL_SOF_BOARD_HELPERS
+(sof_board_helpers).
+SND_SOC_ACPI_INTEL_MATCH is selected by machine drivers. When
+skl_hda_dsp_generic uses the board helpers, it select
+SND_SOC_INTEL_SOF_BOARD_HELPERS only but not SND_SOC_ACPI_INTEL_MATCH
+which initroduce the undefined symbol errors. However, it makes more
+sense that SND_SOC_INTEL_SOF_BOARD_HELPERS select
+SND_SOC_ACPI_INTEL_MATCH itself.
+
+Fixes: b28b23dea314 ("ASoC: Intel: skl_hda_dsp_generic: use common module for DAI links")
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202506141543.dN0JJyZC-lkp@intel.com/
+Signed-off-by: Bard Liao <yung-chuan.liao@linux.intel.com>
+Reviewed-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Reviewed-by: Liam Girdwood <liam.r.girdwood@intel.com>
+Link: https://patch.msgid.link/20250626064420.450334-1-yung-chuan.liao@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/boards/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/soc/intel/boards/Kconfig b/sound/soc/intel/boards/Kconfig
+index 9b80b19bb8d06..4db7931ba561e 100644
+--- a/sound/soc/intel/boards/Kconfig
++++ b/sound/soc/intel/boards/Kconfig
+@@ -42,6 +42,7 @@ config SND_SOC_INTEL_SOF_NUVOTON_COMMON
+ tristate
+
+ config SND_SOC_INTEL_SOF_BOARD_HELPERS
++ select SND_SOC_ACPI_INTEL_MATCH
+ tristate
+
+ if SND_SOC_INTEL_CATPT
+--
+2.39.5
+
--- /dev/null
+From 211764a949f4372103b5b4ce3dd47c39172aae61 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jun 2025 15:18:41 +0100
+Subject: ASoC: Intel: soc-acpi: arl: Correct order of cs42l43 matches
+
+From: Charles Keepax <ckeepax@opensource.cirrus.com>
+
+[ Upstream commit a7528e9beadbddcec21b394ce5fa8dc4e5cdaa24 ]
+
+Matches should go from more specific to less specific, correct the
+ordering of two cs42l43 entries.
+
+Fixes: c0524067653d ("ASoC: Intel: soc-acpi: arl: Add match entries for new cs42l43 laptops")
+Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Link: https://patch.msgid.link/20250626141841.77780-1-ckeepax@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/common/soc-acpi-intel-arl-match.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/sound/soc/intel/common/soc-acpi-intel-arl-match.c b/sound/soc/intel/common/soc-acpi-intel-arl-match.c
+index 73e581e937554..1ad704ca2c5f2 100644
+--- a/sound/soc/intel/common/soc-acpi-intel-arl-match.c
++++ b/sound/soc/intel/common/soc-acpi-intel-arl-match.c
+@@ -468,17 +468,17 @@ struct snd_soc_acpi_mach snd_soc_acpi_intel_arl_sdw_machines[] = {
+ .get_function_tplg_files = sof_sdw_get_tplg_files,
+ },
+ {
+- .link_mask = BIT(2),
+- .links = arl_cs42l43_l2,
++ .link_mask = BIT(2) | BIT(3),
++ .links = arl_cs42l43_l2_cs35l56_l3,
+ .drv_name = "sof_sdw",
+- .sof_tplg_filename = "sof-arl-cs42l43-l2.tplg",
++ .sof_tplg_filename = "sof-arl-cs42l43-l2-cs35l56-l3.tplg",
+ .get_function_tplg_files = sof_sdw_get_tplg_files,
+ },
+ {
+- .link_mask = BIT(2) | BIT(3),
+- .links = arl_cs42l43_l2_cs35l56_l3,
++ .link_mask = BIT(2),
++ .links = arl_cs42l43_l2,
+ .drv_name = "sof_sdw",
+- .sof_tplg_filename = "sof-arl-cs42l43-l2-cs35l56-l3.tplg",
++ .sof_tplg_filename = "sof-arl-cs42l43-l2.tplg",
+ .get_function_tplg_files = sof_sdw_get_tplg_files,
+ },
+ {
+--
+2.39.5
+
--- /dev/null
+From 30e6baf79a15721ef2d1feb59f58185b7437cd57 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Apr 2025 14:32:35 +0800
+Subject: ASoC: Intel: soc-acpi-intel-arl-match: set get_function_tplg_files
+ ops
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Bard Liao <yung-chuan.liao@linux.intel.com>
+
+[ Upstream commit d348b4181cd15ed432c2ae7eb33ef1bb7dfd7527 ]
+
+The audio configs with multi-function SDCA codecs can use the
+sof_sdw_get_tplg_files ops to get function topologies dynamically.
+
+Signed-off-by: Bard Liao <yung-chuan.liao@linux.intel.com>
+Reviewed-by: Liam Girdwood <liam.r.girdwood@intel.com>
+Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Reviewed-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Link: https://patch.msgid.link/20250414063239.85200-8-yung-chuan.liao@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Stable-dep-of: a7528e9beadb ("ASoC: Intel: soc-acpi: arl: Correct order of cs42l43 matches")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/common/soc-acpi-intel-arl-match.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/sound/soc/intel/common/soc-acpi-intel-arl-match.c b/sound/soc/intel/common/soc-acpi-intel-arl-match.c
+index 32147dc9d2d66..73e581e937554 100644
+--- a/sound/soc/intel/common/soc-acpi-intel-arl-match.c
++++ b/sound/soc/intel/common/soc-acpi-intel-arl-match.c
+@@ -8,6 +8,7 @@
+ #include <sound/soc-acpi.h>
+ #include <sound/soc-acpi-intel-match.h>
+ #include <sound/soc-acpi-intel-ssp-common.h>
++#include "sof-function-topology-lib.h"
+
+ static const struct snd_soc_acpi_endpoint single_endpoint = {
+ .num = 0,
+@@ -436,42 +437,49 @@ struct snd_soc_acpi_mach snd_soc_acpi_intel_arl_sdw_machines[] = {
+ .links = arl_cs42l43_l0_cs35l56_l23,
+ .drv_name = "sof_sdw",
+ .sof_tplg_filename = "sof-arl-cs42l43-l0-cs35l56-l23.tplg",
++ .get_function_tplg_files = sof_sdw_get_tplg_files,
+ },
+ {
+ .link_mask = BIT(0) | BIT(2) | BIT(3),
+ .links = arl_cs42l43_l0_cs35l56_2_l23,
+ .drv_name = "sof_sdw",
+ .sof_tplg_filename = "sof-arl-cs42l43-l0-cs35l56-l23.tplg",
++ .get_function_tplg_files = sof_sdw_get_tplg_files,
+ },
+ {
+ .link_mask = BIT(0) | BIT(2) | BIT(3),
+ .links = arl_cs42l43_l0_cs35l56_3_l23,
+ .drv_name = "sof_sdw",
+ .sof_tplg_filename = "sof-arl-cs42l43-l0-cs35l56-l23.tplg",
++ .get_function_tplg_files = sof_sdw_get_tplg_files,
+ },
+ {
+ .link_mask = BIT(0) | BIT(2),
+ .links = arl_cs42l43_l0_cs35l56_l2,
+ .drv_name = "sof_sdw",
+ .sof_tplg_filename = "sof-arl-cs42l43-l0-cs35l56-l2.tplg",
++ .get_function_tplg_files = sof_sdw_get_tplg_files,
+ },
+ {
+ .link_mask = BIT(0),
+ .links = arl_cs42l43_l0,
+ .drv_name = "sof_sdw",
+ .sof_tplg_filename = "sof-arl-cs42l43-l0.tplg",
++ .get_function_tplg_files = sof_sdw_get_tplg_files,
+ },
+ {
+ .link_mask = BIT(2),
+ .links = arl_cs42l43_l2,
+ .drv_name = "sof_sdw",
+ .sof_tplg_filename = "sof-arl-cs42l43-l2.tplg",
++ .get_function_tplg_files = sof_sdw_get_tplg_files,
+ },
+ {
+ .link_mask = BIT(2) | BIT(3),
+ .links = arl_cs42l43_l2_cs35l56_l3,
+ .drv_name = "sof_sdw",
+ .sof_tplg_filename = "sof-arl-cs42l43-l2-cs35l56-l3.tplg",
++ .get_function_tplg_files = sof_sdw_get_tplg_files,
+ },
+ {
+ .link_mask = 0x1, /* link0 required */
+@@ -490,6 +498,7 @@ struct snd_soc_acpi_mach snd_soc_acpi_intel_arl_sdw_machines[] = {
+ .links = arl_rt722_l0_rt1320_l2,
+ .drv_name = "sof_sdw",
+ .sof_tplg_filename = "sof-arl-rt722-l0_rt1320-l2.tplg",
++ .get_function_tplg_files = sof_sdw_get_tplg_files,
+ },
+ {},
+ };
+--
+2.39.5
+
--- /dev/null
+From 7f197d1e2ccedf1333aaedfd331713f79b6d04e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Apr 2025 14:32:31 +0800
+Subject: ASoC: soc-acpi: add get_function_tplg_files ops
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Bard Liao <yung-chuan.liao@linux.intel.com>
+
+[ Upstream commit d1e70eed0b30bd2b15fc6c93b5701be564bbe353 ]
+
+We always use a single topology that contains all PCM devices belonging
+to a machine configuration.
+However, with SDCA, we want to be able to load function topologies based
+on the supported device functions. This change is in preparation for
+loading those function topologies.
+
+Signed-off-by: Bard Liao <yung-chuan.liao@linux.intel.com>
+Reviewed-by: Liam Girdwood <liam.r.girdwood@intel.com>
+Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Reviewed-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Link: https://patch.msgid.link/20250414063239.85200-4-yung-chuan.liao@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Stable-dep-of: a7528e9beadb ("ASoC: Intel: soc-acpi: arl: Correct order of cs42l43 matches")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/sound/soc-acpi.h | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/include/sound/soc-acpi.h b/include/sound/soc-acpi.h
+index 72e371a217676..b8af309c2683f 100644
+--- a/include/sound/soc-acpi.h
++++ b/include/sound/soc-acpi.h
+@@ -10,6 +10,7 @@
+ #include <linux/acpi.h>
+ #include <linux/mod_devicetable.h>
+ #include <linux/soundwire/sdw.h>
++#include <sound/soc.h>
+
+ struct snd_soc_acpi_package_context {
+ char *name; /* package name */
+@@ -193,6 +194,15 @@ struct snd_soc_acpi_link_adr {
+ * is not constant since this field may be updated at run-time
+ * @sof_tplg_filename: Sound Open Firmware topology file name, if enabled
+ * @tplg_quirk_mask: quirks to select different topology files dynamically
++ * @get_function_tplg_files: This is an optional callback, if specified then instead of
++ * the single sof_tplg_filename the callback will return the list of function topology
++ * files to be loaded.
++ * Return value: The number of the files or negative ERRNO. 0 means that the single topology
++ * file should be used, no function topology split can be used on the machine.
++ * @card: the pointer of the card
++ * @mach: the pointer of the machine driver
++ * @prefix: the prefix of the topology file name. Typically, it is the path.
++ * @tplg_files: the pointer of the array of the topology file names.
+ */
+ /* Descriptor for SST ASoC machine driver */
+ struct snd_soc_acpi_mach {
+@@ -212,6 +222,9 @@ struct snd_soc_acpi_mach {
+ struct snd_soc_acpi_mach_params mach_params;
+ const char *sof_tplg_filename;
+ const u32 tplg_quirk_mask;
++ int (*get_function_tplg_files)(struct snd_soc_card *card,
++ const struct snd_soc_acpi_mach *mach,
++ const char *prefix, const char ***tplg_files);
+ };
+
+ #define SND_SOC_ACPI_MAX_CODECS 3
+--
+2.39.5
+
--- /dev/null
+From 19530c9a5051d58e15a7162343c80e25a5249139 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jul 2025 06:23:53 +0000
+Subject: atm: clip: Fix infinite recursive call of clip_push().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit c489f3283dbfc0f3c00c312149cae90d27552c45 ]
+
+syzbot reported the splat below. [0]
+
+This happens if we call ioctl(ATMARP_MKIP) more than once.
+
+During the first call, clip_mkip() sets clip_push() to vcc->push(),
+and the second call copies it to clip_vcc->old_push().
+
+Later, when the socket is close()d, vcc_destroy_socket() passes
+NULL skb to clip_push(), which calls clip_vcc->old_push(),
+triggering the infinite recursion.
+
+Let's prevent the second ioctl(ATMARP_MKIP) by checking
+vcc->user_back, which is allocated by the first call as clip_vcc.
+
+Note also that we use lock_sock() to prevent racy calls.
+
+[0]:
+BUG: TASK stack guard page was hit at ffffc9000d66fff8 (stack is ffffc9000d670000..ffffc9000d678000)
+Oops: stack guard page: 0000 [#1] SMP KASAN NOPTI
+CPU: 0 UID: 0 PID: 5322 Comm: syz.0.0 Not tainted 6.16.0-rc4-syzkaller #0 PREEMPT(full)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+RIP: 0010:clip_push+0x5/0x720 net/atm/clip.c:191
+Code: e0 8f aa 8c e8 1c ad 5b fa eb ae 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 <41> 57 41 56 41 55 41 54 53 48 83 ec 20 48 89 f3 49 89 fd 48 bd 00
+RSP: 0018:ffffc9000d670000 EFLAGS: 00010246
+RAX: 1ffff1100235a4a5 RBX: ffff888011ad2508 RCX: ffff8880003c0000
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888037f01000
+RBP: dffffc0000000000 R08: ffffffff8fa104f7 R09: 1ffffffff1f4209e
+R10: dffffc0000000000 R11: ffffffff8a99b300 R12: ffffffff8a99b300
+R13: ffff888037f01000 R14: ffff888011ad2500 R15: ffff888037f01578
+FS: 000055557ab6d500(0000) GS:ffff88808d250000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffc9000d66fff8 CR3: 0000000043172000 CR4: 0000000000352ef0
+Call Trace:
+ <TASK>
+ clip_push+0x6dc/0x720 net/atm/clip.c:200
+ clip_push+0x6dc/0x720 net/atm/clip.c:200
+ clip_push+0x6dc/0x720 net/atm/clip.c:200
+...
+ clip_push+0x6dc/0x720 net/atm/clip.c:200
+ clip_push+0x6dc/0x720 net/atm/clip.c:200
+ clip_push+0x6dc/0x720 net/atm/clip.c:200
+ vcc_destroy_socket net/atm/common.c:183 [inline]
+ vcc_release+0x157/0x460 net/atm/common.c:205
+ __sock_release net/socket.c:647 [inline]
+ sock_close+0xc0/0x240 net/socket.c:1391
+ __fput+0x449/0xa70 fs/file_table.c:465
+ task_work_run+0x1d1/0x260 kernel/task_work.c:227
+ resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
+ exit_to_user_mode_loop+0xec/0x110 kernel/entry/common.c:114
+ exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline]
+ syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline]
+ syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline]
+ do_syscall_64+0x2bd/0x3b0 arch/x86/entry/syscall_64.c:100
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7ff31c98e929
+Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fffb5aa1f78 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
+RAX: 0000000000000000 RBX: 0000000000012747 RCX: 00007ff31c98e929
+RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
+RBP: 00007ff31cbb7ba0 R08: 0000000000000001 R09: 0000000db5aa226f
+R10: 00007ff31c7ff030 R11: 0000000000000246 R12: 00007ff31cbb608c
+R13: 00007ff31cbb6080 R14: ffffffffffffffff R15: 00007fffb5aa2090
+ </TASK>
+Modules linked in:
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot+0c77cccd6b7cd917b35a@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=2371d94d248d126c1eb1
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250704062416.1613927-4-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/atm/clip.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/atm/clip.c b/net/atm/clip.c
+index 9c9c6c3d98861..a30c5a2705455 100644
+--- a/net/atm/clip.c
++++ b/net/atm/clip.c
+@@ -429,6 +429,8 @@ static int clip_mkip(struct atm_vcc *vcc, int timeout)
+
+ if (!vcc->push)
+ return -EBADFD;
++ if (vcc->user_back)
++ return -EINVAL;
+ clip_vcc = kmalloc(sizeof(struct clip_vcc), GFP_KERNEL);
+ if (!clip_vcc)
+ return -ENOMEM;
+--
+2.39.5
+
--- /dev/null
+From e43a4738c8e3b95f25c800319de1d2b11bb62896 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jul 2025 06:23:52 +0000
+Subject: atm: clip: Fix memory leak of struct clip_vcc.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 62dba28275a9a3104d4e33595c7b3328d4032d8d ]
+
+ioctl(ATMARP_MKIP) allocates struct clip_vcc and set it to
+vcc->user_back.
+
+The code assumes that vcc_destroy_socket() passes NULL skb
+to vcc->push() when the socket is close()d, and then clip_push()
+frees clip_vcc.
+
+However, ioctl(ATMARPD_CTRL) sets NULL to vcc->push() in
+atm_init_atmarp(), resulting in memory leak.
+
+Let's serialise two ioctl() by lock_sock() and check vcc->push()
+in atm_init_atmarp() to prevent memleak.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250704062416.1613927-3-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/atm/clip.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/net/atm/clip.c b/net/atm/clip.c
+index f36f2c7d87146..9c9c6c3d98861 100644
+--- a/net/atm/clip.c
++++ b/net/atm/clip.c
+@@ -645,6 +645,9 @@ static struct atm_dev atmarpd_dev = {
+
+ static int atm_init_atmarp(struct atm_vcc *vcc)
+ {
++ if (vcc->push == clip_push)
++ return -EINVAL;
++
+ mutex_lock(&atmarpd_lock);
+ if (atmarpd) {
+ mutex_unlock(&atmarpd_lock);
+@@ -669,6 +672,7 @@ static int atm_init_atmarp(struct atm_vcc *vcc)
+ static int clip_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
+ {
+ struct atm_vcc *vcc = ATM_SD(sock);
++ struct sock *sk = sock->sk;
+ int err = 0;
+
+ switch (cmd) {
+@@ -689,14 +693,18 @@ static int clip_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
+ err = clip_create(arg);
+ break;
+ case ATMARPD_CTRL:
++ lock_sock(sk);
+ err = atm_init_atmarp(vcc);
+ if (!err) {
+ sock->state = SS_CONNECTED;
+ __module_get(THIS_MODULE);
+ }
++ release_sock(sk);
+ break;
+ case ATMARP_MKIP:
++ lock_sock(sk);
+ err = clip_mkip(vcc, arg);
++ release_sock(sk);
+ break;
+ case ATMARP_SETENTRY:
+ err = clip_setentry(vcc, (__force __be32)arg);
+--
+2.39.5
+
--- /dev/null
+From 5dad758018f0397af60949f40e31f35ae3251a40 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Jul 2025 16:52:28 +0800
+Subject: atm: clip: Fix NULL pointer dereference in vcc_sendmsg()
+
+From: Yue Haibing <yuehaibing@huawei.com>
+
+[ Upstream commit 22fc46cea91df3dce140a7dc6847c6fcf0354505 ]
+
+atmarpd_dev_ops does not implement the send method, which may cause crash
+as bellow.
+
+BUG: kernel NULL pointer dereference, address: 0000000000000000
+PGD 0 P4D 0
+Oops: Oops: 0010 [#1] SMP KASAN NOPTI
+CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted 6.15.0-rc6-syzkaller-00346-g5723cc3450bc #0 PREEMPT(full)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+RIP: 0010:0x0
+Code: Unable to access opcode bytes at 0xffffffffffffffd6.
+RSP: 0018:ffffc9000d3cf778 EFLAGS: 00010246
+RAX: 1ffffffff1910dd1 RBX: 00000000000000c0 RCX: dffffc0000000000
+RDX: ffffc9000dc82000 RSI: ffff88803e4c4640 RDI: ffff888052cd0000
+RBP: ffffc9000d3cf8d0 R08: ffff888052c9143f R09: 1ffff1100a592287
+R10: dffffc0000000000 R11: 0000000000000000 R12: 1ffff92001a79f00
+R13: ffff888052cd0000 R14: ffff88803e4c4640 R15: ffffffff8c886e88
+FS: 00007fbc762566c0(0000) GS:ffff88808d6c2000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffffffffffffd6 CR3: 0000000041f1b000 CR4: 0000000000352ef0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ vcc_sendmsg+0xa10/0xc50 net/atm/common.c:644
+ sock_sendmsg_nosec net/socket.c:712 [inline]
+ __sock_sendmsg+0x219/0x270 net/socket.c:727
+ ____sys_sendmsg+0x52d/0x830 net/socket.c:2566
+ ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2620
+ __sys_sendmmsg+0x227/0x430 net/socket.c:2709
+ __do_sys_sendmmsg net/socket.c:2736 [inline]
+ __se_sys_sendmmsg net/socket.c:2733 [inline]
+ __x64_sys_sendmmsg+0xa0/0xc0 net/socket.c:2733
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot+e34e5e6b5eddb0014def@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/682f82d5.a70a0220.1765ec.0143.GAE@google.com/T
+Signed-off-by: Yue Haibing <yuehaibing@huawei.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20250705085228.329202-1-yuehaibing@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/atm/clip.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/net/atm/clip.c b/net/atm/clip.c
+index a30c5a2705455..f7a5565e794ef 100644
+--- a/net/atm/clip.c
++++ b/net/atm/clip.c
+@@ -632,8 +632,16 @@ static void atmarpd_close(struct atm_vcc *vcc)
+ module_put(THIS_MODULE);
+ }
+
++static int atmarpd_send(struct atm_vcc *vcc, struct sk_buff *skb)
++{
++ atm_return_tx(vcc, skb);
++ dev_kfree_skb_any(skb);
++ return 0;
++}
++
+ static const struct atmdev_ops atmarpd_dev_ops = {
+- .close = atmarpd_close
++ .close = atmarpd_close,
++ .send = atmarpd_send
+ };
+
+
+--
+2.39.5
+
--- /dev/null
+From c965f2552577165d21d9bcf8787fb5fdbc93b699 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jul 2025 06:23:51 +0000
+Subject: atm: clip: Fix potential null-ptr-deref in to_atmarpd().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 706cc36477139c1616a9b2b96610a8bb520b7119 ]
+
+atmarpd is protected by RTNL since commit f3a0592b37b8 ("[ATM]: clip
+causes unregister hang").
+
+However, it is not enough because to_atmarpd() is called without RTNL,
+especially clip_neigh_solicit() / neigh_ops->solicit() is unsleepable.
+
+Also, there is no RTNL dependency around atmarpd.
+
+Let's use a private mutex and RCU to protect access to atmarpd in
+to_atmarpd().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250704062416.1613927-2-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/atm/clip.c | 44 +++++++++++++++++++++++++++++---------------
+ 1 file changed, 29 insertions(+), 15 deletions(-)
+
+diff --git a/net/atm/clip.c b/net/atm/clip.c
+index b234dc3bcb0d4..f36f2c7d87146 100644
+--- a/net/atm/clip.c
++++ b/net/atm/clip.c
+@@ -45,7 +45,8 @@
+ #include <net/atmclip.h>
+
+ static struct net_device *clip_devs;
+-static struct atm_vcc *atmarpd;
++static struct atm_vcc __rcu *atmarpd;
++static DEFINE_MUTEX(atmarpd_lock);
+ static struct timer_list idle_timer;
+ static const struct neigh_ops clip_neigh_ops;
+
+@@ -53,24 +54,35 @@ static int to_atmarpd(enum atmarp_ctrl_type type, int itf, __be32 ip)
+ {
+ struct sock *sk;
+ struct atmarp_ctrl *ctrl;
++ struct atm_vcc *vcc;
+ struct sk_buff *skb;
++ int err = 0;
+
+ pr_debug("(%d)\n", type);
+- if (!atmarpd)
+- return -EUNATCH;
++
++ rcu_read_lock();
++ vcc = rcu_dereference(atmarpd);
++ if (!vcc) {
++ err = -EUNATCH;
++ goto unlock;
++ }
+ skb = alloc_skb(sizeof(struct atmarp_ctrl), GFP_ATOMIC);
+- if (!skb)
+- return -ENOMEM;
++ if (!skb) {
++ err = -ENOMEM;
++ goto unlock;
++ }
+ ctrl = skb_put(skb, sizeof(struct atmarp_ctrl));
+ ctrl->type = type;
+ ctrl->itf_num = itf;
+ ctrl->ip = ip;
+- atm_force_charge(atmarpd, skb->truesize);
++ atm_force_charge(vcc, skb->truesize);
+
+- sk = sk_atm(atmarpd);
++ sk = sk_atm(vcc);
+ skb_queue_tail(&sk->sk_receive_queue, skb);
+ sk->sk_data_ready(sk);
+- return 0;
++unlock:
++ rcu_read_unlock();
++ return err;
+ }
+
+ static void link_vcc(struct clip_vcc *clip_vcc, struct atmarp_entry *entry)
+@@ -607,10 +619,12 @@ static void atmarpd_close(struct atm_vcc *vcc)
+ {
+ pr_debug("\n");
+
+- rtnl_lock();
+- atmarpd = NULL;
++ mutex_lock(&atmarpd_lock);
++ RCU_INIT_POINTER(atmarpd, NULL);
++ mutex_unlock(&atmarpd_lock);
++
++ synchronize_rcu();
+ skb_queue_purge(&sk_atm(vcc)->sk_receive_queue);
+- rtnl_unlock();
+
+ pr_debug("(done)\n");
+ module_put(THIS_MODULE);
+@@ -631,15 +645,15 @@ static struct atm_dev atmarpd_dev = {
+
+ static int atm_init_atmarp(struct atm_vcc *vcc)
+ {
+- rtnl_lock();
++ mutex_lock(&atmarpd_lock);
+ if (atmarpd) {
+- rtnl_unlock();
++ mutex_unlock(&atmarpd_lock);
+ return -EADDRINUSE;
+ }
+
+ mod_timer(&idle_timer, jiffies + CLIP_CHECK_INTERVAL * HZ);
+
+- atmarpd = vcc;
++ rcu_assign_pointer(atmarpd, vcc);
+ set_bit(ATM_VF_META, &vcc->flags);
+ set_bit(ATM_VF_READY, &vcc->flags);
+ /* allow replies and avoid getting closed if signaling dies */
+@@ -648,7 +662,7 @@ static int atm_init_atmarp(struct atm_vcc *vcc)
+ vcc->push = NULL;
+ vcc->pop = NULL; /* crash */
+ vcc->push_oam = NULL; /* crash */
+- rtnl_unlock();
++ mutex_unlock(&atmarpd_lock);
+ return 0;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From c5dc8d58169327a2fae09ba5ffb2941be342e0e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 15:37:46 -0400
+Subject: Bluetooth: hci_core: Remove check of BDADDR_ANY in
+ hci_conn_hash_lookup_big_state
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 59710a26a289ad4e7ef227d22063e964930928b0 ]
+
+The check for destination to be BDADDR_ANY is no longer necessary with
+the introduction of BIS_LINK.
+
+Fixes: 23205562ffc8 ("Bluetooth: separate CIS_LINK and BIS_LINK link types")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/bluetooth/hci_core.h | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
+index 6e9d2a856a6b0..1cf60ed7ac89b 100644
+--- a/include/net/bluetooth/hci_core.h
++++ b/include/net/bluetooth/hci_core.h
+@@ -1346,8 +1346,7 @@ hci_conn_hash_lookup_big_state(struct hci_dev *hdev, __u8 handle, __u16 state)
+ rcu_read_lock();
+
+ list_for_each_entry_rcu(c, &h->list, list) {
+- if (c->type != BIS_LINK || bacmp(&c->dst, BDADDR_ANY) ||
+- c->state != state)
++ if (c->type != BIS_LINK || c->state != state)
+ continue;
+
+ if (handle == c->iso_qos.bcast.big) {
+--
+2.39.5
+
--- /dev/null
+From bd7f70209a6e27cad923e6e95aa768826d38e2a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 11:19:02 -0400
+Subject: Bluetooth: hci_event: Fix not marking Broadcast Sink BIS as connected
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit c7349772c268ec3c91d83cbfbbcf63f1bd7c256c ]
+
+Upon receiving HCI_EVT_LE_BIG_SYNC_ESTABLISHED with status 0x00
+(success) the corresponding BIS hci_conn state shall be set to
+BT_CONNECTED otherwise they will be left with BT_OPEN which is invalid
+at that point, also create the debugfs and sysfs entries following the
+same logic as the likes of Broadcast Source BIS and CIS connections.
+
+Fixes: f777d8827817 ("Bluetooth: ISO: Notify user space about failed bis connections")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_event.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index 4d5ace9d245d9..992131f88a456 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -6966,7 +6966,10 @@ static void hci_le_big_sync_established_evt(struct hci_dev *hdev, void *data,
+ bis->iso_qos.bcast.in.sdu = le16_to_cpu(ev->max_pdu);
+
+ if (!ev->status) {
++ bis->state = BT_CONNECTED;
+ set_bit(HCI_CONN_BIG_SYNC, &bis->flags);
++ hci_debugfs_create_conn(bis);
++ hci_conn_add_sysfs(bis);
+ hci_iso_setup_path(bis);
+ }
+ }
+--
+2.39.5
+
--- /dev/null
+From e729f3997b7f67acdb1d5264c232e785f59aaef5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 09:45:08 -0400
+Subject: Bluetooth: hci_sync: Fix attempting to send HCI_Disconnect to BIS
+ handle
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 314d30b1508682e27c8a324096262c66f23455d9 ]
+
+BIS/PA connections do have their own cleanup proceedure which are
+performed by hci_conn_cleanup/bis_cleanup.
+
+Fixes: 23205562ffc8 ("Bluetooth: separate CIS_LINK and BIS_LINK link types")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_sync.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index f3897395ac129..3ac8d436e3e3a 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -5479,7 +5479,7 @@ static int hci_disconnect_sync(struct hci_dev *hdev, struct hci_conn *conn,
+ {
+ struct hci_cp_disconnect cp;
+
+- if (test_bit(HCI_CONN_BIG_CREATED, &conn->flags)) {
++ if (conn->type == BIS_LINK) {
+ /* This is a BIS connection, hci_conn_del will
+ * do the necessary cleanup.
+ */
+--
+2.39.5
+
--- /dev/null
+From 2ab89d3643c312b28511b9e40e5031078fbd3156 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 12:31:33 -0400
+Subject: Bluetooth: hci_sync: Fix not disabling advertising instance
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit ef9675b0ef030d135413e8638989f3a7d1f3217a ]
+
+As the code comments on hci_setup_ext_adv_instance_sync suggests the
+advertising instance needs to be disabled in order to update its
+parameters, but it was wrongly checking that !adv->pending.
+
+Fixes: cba6b758711c ("Bluetooth: hci_sync: Make use of hci_cmd_sync_queue set 2")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_sync.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index 9955d6cd7b76f..f3897395ac129 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -1345,7 +1345,7 @@ int hci_setup_ext_adv_instance_sync(struct hci_dev *hdev, u8 instance)
+ * Command Disallowed error, so we must first disable the
+ * instance if it is active.
+ */
+- if (adv && !adv->pending) {
++ if (adv) {
+ err = hci_disable_ext_adv_instance_sync(hdev, instance);
+ if (err)
+ return err;
+--
+2.39.5
+
--- /dev/null
+From 74f2113c4958166840195e2735eb0fe86ac3ad67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 14:48:22 +0800
+Subject: bnxt_en: eliminate the compile warning in bnxt_request_irq due to
+ CONFIG_RFS_ACCEL
+
+From: Jason Xing <kernelxing@tencent.com>
+
+[ Upstream commit b9fd9888a5654e59f6c6249337e36c53c1faa329 ]
+
+I received a kernel-test-bot report[1] that shows the
+[-Wunused-but-set-variable] warning. Since the previous commit I made, as
+the 'Fixes' tag shows, gives users an option to turn on and off the
+CONFIG_RFS_ACCEL, the issue then can be discovered and reproduced with
+GCC specifically.
+
+Like Simon and Jakub suggested, use fewer #ifdefs which leads to fewer
+bugs.
+
+[1]
+All warnings (new ones prefixed by >>):
+
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c: In function 'bnxt_request_irq':
+>> drivers/net/ethernet/broadcom/bnxt/bnxt.c:10703:9: warning: variable 'j' set but not used [-Wunused-but-set-variable]
+ 10703 | int i, j, rc = 0;
+ | ^
+
+Fixes: 9b6a30febddf ("net: allow rps/rfs related configs to be switched")
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202506282102.x1tXt0qz-lkp@intel.com/
+Signed-off-by: Jason Xing <kernelxing@tencent.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index 9de6eefad9791..d66519ce57af0 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -11565,11 +11565,9 @@ static void bnxt_free_irq(struct bnxt *bp)
+
+ static int bnxt_request_irq(struct bnxt *bp)
+ {
++ struct cpu_rmap *rmap = NULL;
+ int i, j, rc = 0;
+ unsigned long flags = 0;
+-#ifdef CONFIG_RFS_ACCEL
+- struct cpu_rmap *rmap;
+-#endif
+
+ rc = bnxt_setup_int_mode(bp);
+ if (rc) {
+@@ -11590,15 +11588,15 @@ static int bnxt_request_irq(struct bnxt *bp)
+ int map_idx = bnxt_cp_num_to_irq_num(bp, i);
+ struct bnxt_irq *irq = &bp->irq_tbl[map_idx];
+
+-#ifdef CONFIG_RFS_ACCEL
+- if (rmap && bp->bnapi[i]->rx_ring) {
++ if (IS_ENABLED(CONFIG_RFS_ACCEL) &&
++ rmap && bp->bnapi[i]->rx_ring) {
+ rc = irq_cpu_rmap_add(rmap, irq->vector);
+ if (rc)
+ netdev_warn(bp->dev, "failed adding irq rmap for ring %d\n",
+ j);
+ j++;
+ }
+-#endif
++
+ rc = request_irq(irq->vector, irq->handler, flags, irq->name,
+ bp->bnapi[i]);
+ if (rc)
+--
+2.39.5
+
--- /dev/null
+From 52eb2059c24141164f667574051a0942a8893579 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jun 2025 11:13:44 +0100
+Subject: EDAC: Initialize EDAC features sysfs attributes
+
+From: Shiju Jose <shiju.jose@huawei.com>
+
+[ Upstream commit 1e14ea901dc8d976d355ddc3e0de84ee86ef0596 ]
+
+Fix the lockdep splat caused by missing sysfs_attr_init() calls for the
+recently added EDAC feature's sysfs attributes.
+
+In lockdep_init_map_type(), the check for the lock-class key if
+(!static_obj(key) && !is_dynamic_key(key)) causes the splat.
+
+ Backtrace:
+ RIP: 0010:lockdep_init_map_type
+ Call Trace:
+ __kernfs_create_file
+ sysfs_add_file_mode_ns
+ internal_create_group
+ internal_create_groups
+ device_add
+ ? __init_waitqueue_head
+ edac_dev_register
+ devm_cxl_memdev_edac_register
+ ? lock_acquire
+ ? find_held_lock
+ ? cxl_mem_probe
+ ? cxl_mem_probe
+ ? lockdep_hardirqs_on
+ ? cxl_mem_probe
+ cxl_mem_probe
+
+ [ bp: Massage. ]
+
+Fixes: f90b738166fe ("EDAC: Add scrub control feature")
+Fixes: bcbd069b11b0 ("EDAC: Add a Error Check Scrub control feature")
+Fixes: 699ea5219c4b ("EDAC: Add a memory repair control feature")
+Reported-by: Dave Jiang <dave.jiang@intel.com>
+Suggested-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Shiju Jose <shiju.jose@huawei.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
+Link: https://lore.kernel.org/20250626101344.1726-1-shiju.jose@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/ecs.c | 4 +++-
+ drivers/edac/mem_repair.c | 1 +
+ drivers/edac/scrub.c | 1 +
+ 3 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/edac/ecs.c b/drivers/edac/ecs.c
+index 1d51838a60c11..51c451c7f0f0b 100755
+--- a/drivers/edac/ecs.c
++++ b/drivers/edac/ecs.c
+@@ -170,8 +170,10 @@ static int ecs_create_desc(struct device *ecs_dev, const struct attribute_group
+ fru_ctx->dev_attr[ECS_RESET] = EDAC_ECS_ATTR_WO(reset, fru);
+ fru_ctx->dev_attr[ECS_THRESHOLD] = EDAC_ECS_ATTR_RW(threshold, fru);
+
+- for (i = 0; i < ECS_MAX_ATTRS; i++)
++ for (i = 0; i < ECS_MAX_ATTRS; i++) {
++ sysfs_attr_init(&fru_ctx->dev_attr[i].dev_attr.attr);
+ fru_ctx->ecs_attrs[i] = &fru_ctx->dev_attr[i].dev_attr.attr;
++ }
+
+ sprintf(fru_ctx->name, "%s%d", EDAC_ECS_FRU_NAME, fru);
+ group->name = fru_ctx->name;
+diff --git a/drivers/edac/mem_repair.c b/drivers/edac/mem_repair.c
+index 3b1a845457b08..1df8957a8459a 100755
+--- a/drivers/edac/mem_repair.c
++++ b/drivers/edac/mem_repair.c
+@@ -324,6 +324,7 @@ static int mem_repair_create_desc(struct device *dev,
+ for (i = 0; i < MR_MAX_ATTRS; i++) {
+ memcpy(&ctx->mem_repair_dev_attr[i],
+ &dev_attr[i], sizeof(dev_attr[i]));
++ sysfs_attr_init(&ctx->mem_repair_dev_attr[i].dev_attr.attr);
+ ctx->mem_repair_attrs[i] =
+ &ctx->mem_repair_dev_attr[i].dev_attr.attr;
+ }
+diff --git a/drivers/edac/scrub.c b/drivers/edac/scrub.c
+index e421d3ebd959f..f9d02af2fc3a2 100755
+--- a/drivers/edac/scrub.c
++++ b/drivers/edac/scrub.c
+@@ -176,6 +176,7 @@ static int scrub_create_desc(struct device *scrub_dev,
+ group = &scrub_ctx->group;
+ for (i = 0; i < SCRUB_MAX_ATTRS; i++) {
+ memcpy(&scrub_ctx->scrub_dev_attr[i], &dev_attr[i], sizeof(dev_attr[i]));
++ sysfs_attr_init(&scrub_ctx->scrub_dev_attr[i].dev_attr.attr);
+ scrub_ctx->scrub_attrs[i] = &scrub_ctx->scrub_dev_attr[i].dev_attr.attr;
+ }
+ sprintf(scrub_ctx->name, "%s%d", "scrub", instance);
+--
+2.39.5
+
--- /dev/null
+From 5b55b7e4c0896a944ea12b77993b4920e27b8c56 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 02:52:13 -0400
+Subject: fix proc_sys_compare() handling of in-lookup dentries
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit b969f9614885c20f903e1d1f9445611daf161d6d ]
+
+There's one case where ->d_compare() can be called for an in-lookup
+dentry; usually that's nothing special from ->d_compare() point of
+view, but... proc_sys_compare() is weird.
+
+The thing is, /proc/sys subdirectories can look differently for
+different processes. Up to and including having the same name
+resolve to different dentries - all of them hashed.
+
+The way it's done is ->d_compare() refusing to admit a match unless
+this dentry is supposed to be visible to this caller. The information
+needed to discriminate between them is stored in inode; it is set
+during proc_sys_lookup() and until it's done d_splice_alias() we really
+can't tell who should that dentry be visible for.
+
+Normally there's no negative dentries in /proc/sys; we can run into
+a dying dentry in RCU dcache lookup, but those can be safely rejected.
+
+However, ->d_compare() is also called for in-lookup dentries, before
+they get positive - or hashed, for that matter. In case of match
+we will wait until dentry leaves in-lookup state and repeat ->d_compare()
+afterwards. In other words, the right behaviour is to treat the
+name match as sufficient for in-lookup dentries; if dentry is not
+for us, we'll see that when we recheck once proc_sys_lookup() is
+done with it.
+
+While we are at it, fix the misspelled READ_ONCE and WRITE_ONCE there.
+
+Fixes: d9171b934526 ("parallel lookups machinery, part 4 (and last)")
+Reported-by: NeilBrown <neilb@brown.name>
+Reviewed-by: Christian Brauner <brauner@kernel.org>
+Reviewed-by: NeilBrown <neil@brown.name>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/proc/inode.c | 2 +-
+ fs/proc/proc_sysctl.c | 18 +++++++++++-------
+ 2 files changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/fs/proc/inode.c b/fs/proc/inode.c
+index a3eb3b740f766..3604b616311c2 100644
+--- a/fs/proc/inode.c
++++ b/fs/proc/inode.c
+@@ -42,7 +42,7 @@ static void proc_evict_inode(struct inode *inode)
+
+ head = ei->sysctl;
+ if (head) {
+- RCU_INIT_POINTER(ei->sysctl, NULL);
++ WRITE_ONCE(ei->sysctl, NULL);
+ proc_sys_evict_inode(inode, head);
+ }
+ }
+diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
+index cc9d74a06ff03..08b78150cdde1 100644
+--- a/fs/proc/proc_sysctl.c
++++ b/fs/proc/proc_sysctl.c
+@@ -918,17 +918,21 @@ static int proc_sys_compare(const struct dentry *dentry,
+ struct ctl_table_header *head;
+ struct inode *inode;
+
+- /* Although proc doesn't have negative dentries, rcu-walk means
+- * that inode here can be NULL */
+- /* AV: can it, indeed? */
+- inode = d_inode_rcu(dentry);
+- if (!inode)
+- return 1;
+ if (name->len != len)
+ return 1;
+ if (memcmp(name->name, str, len))
+ return 1;
+- head = rcu_dereference(PROC_I(inode)->sysctl);
++
++ // false positive is fine here - we'll recheck anyway
++ if (d_in_lookup(dentry))
++ return 0;
++
++ inode = d_inode_rcu(dentry);
++ // we just might have run into dentry in the middle of __dentry_kill()
++ if (!inode)
++ return 1;
++
++ head = READ_ONCE(PROC_I(inode)->sysctl);
+ return !head || !sysctl_is_seen(head);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 109c630921dd5ff4a84f021253a1cd6d04d8432e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 12:26:14 +0200
+Subject: irqchip/irq-msi-lib: Select CONFIG_GENERIC_MSI_IRQ
+
+From: Nam Cao <namcao@linutronix.de>
+
+[ Upstream commit eb2c93e7028b4c9fe4761734d65ee40712d1c242 ]
+
+irq-msi-lib directly uses struct msi_domain_info and more things which are
+only available when CONFIG_GENERIC_MSI_IRQ=y.
+
+However, there is no dependency specified and CONFIG_IRQ_MSI_LIB can be
+enabled without CONFIG_GENERIC_MSI_IRQ, which causes the kernel build fail.
+
+Make IRQ_MSI_LIB select GENEREIC_MSI_IRQ to prevent that.
+
+Fixes: 72e257c6f058 ("irqchip: Provide irq-msi-lib")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Nam Cao <namcao@linutronix.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lore.kernel.org/all/b0c44007f3b7e062228349a2395f8d850050db33.1751277765.git.namcao@linutronix.de
+Closes: https://lore.kernel.org/oe-kbuild-all/202506282256.cHlEHrdc-lkp@intel.com/
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/irqchip/Kconfig b/drivers/irqchip/Kconfig
+index 08bb3b031f230..6539869759b9e 100644
+--- a/drivers/irqchip/Kconfig
++++ b/drivers/irqchip/Kconfig
+@@ -74,6 +74,7 @@ config ARM_VIC_NR
+
+ config IRQ_MSI_LIB
+ bool
++ select GENERIC_MSI_IRQ
+
+ config ARMADA_370_XP_IRQ
+ bool
+--
+2.39.5
+
--- /dev/null
+From 4ee5fe6eee8ab045303c68fab9176b15d1367fc9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 14:26:26 +0200
+Subject: module: Fix memory deallocation on error path in move_module()
+
+From: Petr Pavlu <petr.pavlu@suse.com>
+
+[ Upstream commit ca3881f6fd8e9b6eb2d51e8718d07d3b8029d886 ]
+
+The function move_module() uses the variable t to track how many memory
+types it has allocated and consequently how many should be freed if an
+error occurs.
+
+The variable is initially set to 0 and is updated when a call to
+module_memory_alloc() fails. However, move_module() can fail for other
+reasons as well, in which case t remains set to 0 and no memory is freed.
+
+Fix the problem by initializing t to MOD_MEM_NUM_TYPES. Additionally, make
+the deallocation loop more robust by not relying on the mod_mem_type_t enum
+having a signed integer as its underlying type.
+
+Fixes: c7ee8aebf6c0 ("module: add stop-grap sanity check on module memcpy()")
+Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
+Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
+Reviewed-by: Daniel Gomez <da.gomez@samsung.com>
+Link: https://lore.kernel.org/r/20250618122730.51324-2-petr.pavlu@suse.com
+Signed-off-by: Daniel Gomez <da.gomez@samsung.com>
+Message-ID: <20250618122730.51324-2-petr.pavlu@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/module/main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/module/main.c b/kernel/module/main.c
+index 9861c2ac5fd50..9d8a845d94665 100644
+--- a/kernel/module/main.c
++++ b/kernel/module/main.c
+@@ -2615,7 +2615,7 @@ static int find_module_sections(struct module *mod, struct load_info *info)
+ static int move_module(struct module *mod, struct load_info *info)
+ {
+ int i;
+- enum mod_mem_type t = 0;
++ enum mod_mem_type t = MOD_MEM_NUM_TYPES;
+ int ret = -ENOMEM;
+ bool codetag_section_found = false;
+
+@@ -2694,7 +2694,7 @@ static int move_module(struct module *mod, struct load_info *info)
+ return 0;
+ out_err:
+ module_memory_restore_rox(mod);
+- for (t--; t >= 0; t--)
++ while (t--)
+ module_memory_free(mod, t);
+ if (codetag_section_found)
+ codetag_free_module_sections(mod);
+--
+2.39.5
+
--- /dev/null
+From 92dd8aaf610a1cd255a81be375a8654791dc552b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Jul 2025 10:34:32 +0200
+Subject: net: airoha: Fix an error handling path in airoha_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 3ef07434c7dbfba302df477bb6c70e082965f232 ]
+
+If an error occurs after a successful airoha_hw_init() call,
+airoha_ppe_deinit() needs to be called as already done in the remove
+function.
+
+Fixes: 00a7678310fe ("net: airoha: Introduce flowtable offload support")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Link: https://patch.msgid.link/1c940851b4fa3c3ed2a142910c821493a136f121.1746715755.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/airoha/airoha_eth.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/airoha/airoha_eth.c b/drivers/net/ethernet/airoha/airoha_eth.c
+index af28a9300a15c..9e70cf14c8c70 100644
+--- a/drivers/net/ethernet/airoha/airoha_eth.c
++++ b/drivers/net/ethernet/airoha/airoha_eth.c
+@@ -2628,6 +2628,7 @@ static int airoha_probe(struct platform_device *pdev)
+ error_napi_stop:
+ for (i = 0; i < ARRAY_SIZE(eth->qdma); i++)
+ airoha_qdma_stop_napi(ð->qdma[i]);
++ airoha_ppe_deinit(eth);
+ error_hw_cleanup:
+ for (i = 0; i < ARRAY_SIZE(eth->qdma); i++)
+ airoha_hw_cleanup(ð->qdma[i]);
+--
+2.39.5
+
--- /dev/null
+From 9d74410fa40d042ba96931573dd4e1665d40fe34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jul 2025 14:22:01 +0530
+Subject: net: ethernet: ti: am65-cpsw-nuss: Fix skb size by accounting for
+ skb_shared_info
+
+From: Chintan Vankar <c-vankar@ti.com>
+
+[ Upstream commit 02c4d6c26f1f662da8885b299c224ca6628ad232 ]
+
+While transitioning from netdev_alloc_ip_align() to build_skb(), memory
+for the "skb_shared_info" member of an "skb" was not allocated. Fix this
+by allocating "PAGE_SIZE" as the skb length, accounting for the packet
+length, headroom and tailroom, thereby including the required memory space
+for skb_shared_info.
+
+Fixes: 8acacc40f733 ("net: ethernet: ti: am65-cpsw: Add minimal XDP support")
+Reviewed-by: Siddharth Vadapalli <s-vadapalli@ti.com>
+Signed-off-by: Chintan Vankar <c-vankar@ti.com>
+Link: https://patch.msgid.link/20250707085201.1898818-1-c-vankar@ti.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ti/am65-cpsw-nuss.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/ti/am65-cpsw-nuss.c b/drivers/net/ethernet/ti/am65-cpsw-nuss.c
+index 4cec05e0e3d9b..10e8a8309a034 100644
+--- a/drivers/net/ethernet/ti/am65-cpsw-nuss.c
++++ b/drivers/net/ethernet/ti/am65-cpsw-nuss.c
+@@ -856,8 +856,6 @@ static struct sk_buff *am65_cpsw_build_skb(void *page_addr,
+ {
+ struct sk_buff *skb;
+
+- len += AM65_CPSW_HEADROOM;
+-
+ skb = build_skb(page_addr, len);
+ if (unlikely(!skb))
+ return NULL;
+@@ -1344,7 +1342,7 @@ static int am65_cpsw_nuss_rx_packets(struct am65_cpsw_rx_flow *flow,
+ }
+
+ skb = am65_cpsw_build_skb(page_addr, ndev,
+- AM65_CPSW_MAX_PACKET_SIZE, headroom);
++ PAGE_SIZE, headroom);
+ if (unlikely(!skb)) {
+ new_page = page;
+ goto requeue;
+--
+2.39.5
+
--- /dev/null
+From 7b59f4e8b91815f2abad3f6a021110275048b071 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jul 2025 13:31:13 +0800
+Subject: net: phy: qcom: move the WoL function to shared library
+
+From: Luo Jie <quic_luoj@quicinc.com>
+
+[ Upstream commit e31cf3cce2102af984656fed6e2254cbdd46da02 ]
+
+Move the WoL (Wake-on-LAN) functionality to a shared library to enable
+its reuse by the QCA808X PHY driver, incorporating support for WoL
+functionality similar to the implementation in at8031_set_wol().
+
+Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Signed-off-by: Luo Jie <quic_luoj@quicinc.com>
+Link: https://patch.msgid.link/20250704-qcom_phy_wol_support-v1-1-053342b1538d@quicinc.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 4ab9ada765b7 ("net: phy: qcom: qca808x: Fix WoL issue by utilizing at8031_set_wol()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/qcom/at803x.c | 27 ---------------------------
+ drivers/net/phy/qcom/qcom-phy-lib.c | 25 +++++++++++++++++++++++++
+ drivers/net/phy/qcom/qcom.h | 5 +++++
+ 3 files changed, 30 insertions(+), 27 deletions(-)
+
+diff --git a/drivers/net/phy/qcom/at803x.c b/drivers/net/phy/qcom/at803x.c
+index 26350b962890b..8f26e395e39f9 100644
+--- a/drivers/net/phy/qcom/at803x.c
++++ b/drivers/net/phy/qcom/at803x.c
+@@ -26,9 +26,6 @@
+
+ #define AT803X_LED_CONTROL 0x18
+
+-#define AT803X_PHY_MMD3_WOL_CTRL 0x8012
+-#define AT803X_WOL_EN BIT(5)
+-
+ #define AT803X_REG_CHIP_CONFIG 0x1f
+ #define AT803X_BT_BX_REG_SEL 0x8000
+
+@@ -866,30 +863,6 @@ static int at8031_config_init(struct phy_device *phydev)
+ return at803x_config_init(phydev);
+ }
+
+-static int at8031_set_wol(struct phy_device *phydev,
+- struct ethtool_wolinfo *wol)
+-{
+- int ret;
+-
+- /* First setup MAC address and enable WOL interrupt */
+- ret = at803x_set_wol(phydev, wol);
+- if (ret)
+- return ret;
+-
+- if (wol->wolopts & WAKE_MAGIC)
+- /* Enable WOL function for 1588 */
+- ret = phy_modify_mmd(phydev, MDIO_MMD_PCS,
+- AT803X_PHY_MMD3_WOL_CTRL,
+- 0, AT803X_WOL_EN);
+- else
+- /* Disable WoL function for 1588 */
+- ret = phy_modify_mmd(phydev, MDIO_MMD_PCS,
+- AT803X_PHY_MMD3_WOL_CTRL,
+- AT803X_WOL_EN, 0);
+-
+- return ret;
+-}
+-
+ static int at8031_config_intr(struct phy_device *phydev)
+ {
+ struct at803x_priv *priv = phydev->priv;
+diff --git a/drivers/net/phy/qcom/qcom-phy-lib.c b/drivers/net/phy/qcom/qcom-phy-lib.c
+index d28815ef56bbf..af7d0d8e81be5 100644
+--- a/drivers/net/phy/qcom/qcom-phy-lib.c
++++ b/drivers/net/phy/qcom/qcom-phy-lib.c
+@@ -115,6 +115,31 @@ int at803x_set_wol(struct phy_device *phydev,
+ }
+ EXPORT_SYMBOL_GPL(at803x_set_wol);
+
++int at8031_set_wol(struct phy_device *phydev,
++ struct ethtool_wolinfo *wol)
++{
++ int ret;
++
++ /* First setup MAC address and enable WOL interrupt */
++ ret = at803x_set_wol(phydev, wol);
++ if (ret)
++ return ret;
++
++ if (wol->wolopts & WAKE_MAGIC)
++ /* Enable WOL function for 1588 */
++ ret = phy_modify_mmd(phydev, MDIO_MMD_PCS,
++ AT803X_PHY_MMD3_WOL_CTRL,
++ 0, AT803X_WOL_EN);
++ else
++ /* Disable WoL function for 1588 */
++ ret = phy_modify_mmd(phydev, MDIO_MMD_PCS,
++ AT803X_PHY_MMD3_WOL_CTRL,
++ AT803X_WOL_EN, 0);
++
++ return ret;
++}
++EXPORT_SYMBOL_GPL(at8031_set_wol);
++
+ void at803x_get_wol(struct phy_device *phydev,
+ struct ethtool_wolinfo *wol)
+ {
+diff --git a/drivers/net/phy/qcom/qcom.h b/drivers/net/phy/qcom/qcom.h
+index 4bb541728846d..7f7151c8bacaa 100644
+--- a/drivers/net/phy/qcom/qcom.h
++++ b/drivers/net/phy/qcom/qcom.h
+@@ -172,6 +172,9 @@
+ #define AT803X_LOC_MAC_ADDR_16_31_OFFSET 0x804B
+ #define AT803X_LOC_MAC_ADDR_32_47_OFFSET 0x804A
+
++#define AT803X_PHY_MMD3_WOL_CTRL 0x8012
++#define AT803X_WOL_EN BIT(5)
++
+ #define AT803X_DEBUG_ADDR 0x1D
+ #define AT803X_DEBUG_DATA 0x1E
+
+@@ -215,6 +218,8 @@ int at803x_debug_reg_mask(struct phy_device *phydev, u16 reg,
+ int at803x_debug_reg_write(struct phy_device *phydev, u16 reg, u16 data);
+ int at803x_set_wol(struct phy_device *phydev,
+ struct ethtool_wolinfo *wol);
++int at8031_set_wol(struct phy_device *phydev,
++ struct ethtool_wolinfo *wol);
+ void at803x_get_wol(struct phy_device *phydev,
+ struct ethtool_wolinfo *wol);
+ int at803x_ack_interrupt(struct phy_device *phydev);
+--
+2.39.5
+
--- /dev/null
+From a1018c4692b5601fc89acee6f920d41527bc1114 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jul 2025 13:31:14 +0800
+Subject: net: phy: qcom: qca808x: Fix WoL issue by utilizing at8031_set_wol()
+
+From: Luo Jie <quic_luoj@quicinc.com>
+
+[ Upstream commit 4ab9ada765b7acb5cd02fe27632ec2586b7868ee ]
+
+The previous commit unintentionally removed the code responsible for
+enabling WoL via MMD3 register 0x8012 BIT5. As a result, Wake-on-LAN
+(WoL) support for the QCA808X PHY is no longer functional.
+
+The WoL (Wake-on-LAN) feature for the QCA808X PHY is enabled via MMD3
+register 0x8012, BIT5. This implementation is aligned with the approach
+used in at8031_set_wol().
+
+Fixes: e58f30246c35 ("net: phy: at803x: fix the wol setting functions")
+Signed-off-by: Luo Jie <quic_luoj@quicinc.com>
+Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Link: https://patch.msgid.link/20250704-qcom_phy_wol_support-v1-2-053342b1538d@quicinc.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/qcom/qca808x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/qcom/qca808x.c b/drivers/net/phy/qcom/qca808x.c
+index 71498c518f0fe..6de16c0eaa089 100644
+--- a/drivers/net/phy/qcom/qca808x.c
++++ b/drivers/net/phy/qcom/qca808x.c
+@@ -633,7 +633,7 @@ static struct phy_driver qca808x_driver[] = {
+ .handle_interrupt = at803x_handle_interrupt,
+ .get_tunable = at803x_get_tunable,
+ .set_tunable = at803x_set_tunable,
+- .set_wol = at803x_set_wol,
++ .set_wol = at8031_set_wol,
+ .get_wol = at803x_get_wol,
+ .get_features = qca808x_get_features,
+ .config_aneg = qca808x_config_aneg,
+--
+2.39.5
+
--- /dev/null
+From 2280a63405eea8d720000b9d7c6162bfd7a9002c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 13:49:39 +0200
+Subject: net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+[ Upstream commit a141af8eb2272ab0f677a7f2653874840bc9b214 ]
+
+Correct the Auto-MDIX configuration to ensure userspace settings are
+respected when the feature is disabled by the AUTOMDIX_EN hardware strap.
+
+The LAN9500 PHY allows its default MDI-X mode to be configured via a
+hardware strap. If this strap sets the default to "MDI-X off", the
+driver was previously unable to enable Auto-MDIX from userspace.
+
+When handling the ETH_TP_MDI_AUTO case, the driver would set the
+SPECIAL_CTRL_STS_AMDIX_ENABLE_ bit but neglected to set the required
+SPECIAL_CTRL_STS_OVRRD_AMDIX_ bit. Without the override flag, the PHY
+falls back to its hardware strap default, ignoring the software request.
+
+This patch corrects the behavior by also setting the override bit when
+enabling Auto-MDIX. This ensures that the userspace configuration takes
+precedence over the hardware strap, allowing Auto-MDIX to be enabled
+correctly in all scenarios.
+
+Fixes: 05b35e7eb9a1 ("smsc95xx: add phylib support")
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Cc: Andre Edich <andre.edich@microchip.com>
+Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Link: https://patch.msgid.link/20250703114941.3243890-2-o.rempel@pengutronix.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/smsc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/smsc.c b/drivers/net/phy/smsc.c
+index 31463b9e5697f..adf12d7108b5c 100644
+--- a/drivers/net/phy/smsc.c
++++ b/drivers/net/phy/smsc.c
+@@ -167,7 +167,8 @@ static int lan87xx_config_aneg(struct phy_device *phydev)
+ SPECIAL_CTRL_STS_AMDIX_STATE_;
+ break;
+ case ETH_TP_MDI_AUTO:
+- val = SPECIAL_CTRL_STS_AMDIX_ENABLE_;
++ val = SPECIAL_CTRL_STS_OVRRD_AMDIX_ |
++ SPECIAL_CTRL_STS_AMDIX_ENABLE_;
+ break;
+ default:
+ return genphy_config_aneg(phydev);
+--
+2.39.5
+
--- /dev/null
+From cb7309b834c6c7dc483bb4c184ba7fd1423ee993 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 13:49:41 +0200
+Subject: net: phy: smsc: Fix link failure in forced mode with Auto-MDIX
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+[ Upstream commit 9dfe110cc0f6ef42af8e81ce52aef34a647d0b8a ]
+
+Force a fixed MDI-X mode when auto-negotiation is disabled to prevent
+link instability.
+
+When forcing the link speed and duplex on a LAN9500 PHY (e.g., with
+`ethtool -s eth0 autoneg off ...`) while leaving MDI-X control in auto
+mode, the PHY fails to establish a stable link. This occurs because the
+PHY's Auto-MDIX algorithm is not designed to operate when
+auto-negotiation is disabled. In this state, the PHY continuously
+toggles the TX/RX signal pairs, which prevents the link partner from
+synchronizing.
+
+This patch resolves the issue by detecting when auto-negotiation is
+disabled. If the MDI-X control mode is set to 'auto', the driver now
+forces a specific, stable mode (ETH_TP_MDI) to prevent the pair
+toggling. This choice of a fixed MDI mode mirrors the behavior the
+hardware would exhibit if the AUTOMDIX_EN strap were configured for a
+fixed MDI connection.
+
+Fixes: 05b35e7eb9a1 ("smsc95xx: add phylib support")
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Cc: Andre Edich <andre.edich@microchip.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/20250703114941.3243890-4-o.rempel@pengutronix.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/smsc.c | 25 ++++++++++++++++++++++---
+ 1 file changed, 22 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/phy/smsc.c b/drivers/net/phy/smsc.c
+index ad9a3d91bb8ae..b6489da5cfcdf 100644
+--- a/drivers/net/phy/smsc.c
++++ b/drivers/net/phy/smsc.c
+@@ -155,10 +155,29 @@ static int smsc_phy_reset(struct phy_device *phydev)
+
+ static int lan87xx_config_aneg(struct phy_device *phydev)
+ {
+- int rc;
++ u8 mdix_ctrl;
+ int val;
++ int rc;
++
++ /* When auto-negotiation is disabled (forced mode), the PHY's
++ * Auto-MDIX will continue toggling the TX/RX pairs.
++ *
++ * To establish a stable link, we must select a fixed MDI mode.
++ * If the user has not specified a fixed MDI mode (i.e., mdix_ctrl is
++ * 'auto'), we default to ETH_TP_MDI. This choice of a ETH_TP_MDI mode
++ * mirrors the behavior the hardware would exhibit if the AUTOMDIX_EN
++ * strap were configured for a fixed MDI connection.
++ */
++ if (phydev->autoneg == AUTONEG_DISABLE) {
++ if (phydev->mdix_ctrl == ETH_TP_MDI_AUTO)
++ mdix_ctrl = ETH_TP_MDI;
++ else
++ mdix_ctrl = phydev->mdix_ctrl;
++ } else {
++ mdix_ctrl = phydev->mdix_ctrl;
++ }
+
+- switch (phydev->mdix_ctrl) {
++ switch (mdix_ctrl) {
+ case ETH_TP_MDI:
+ val = SPECIAL_CTRL_STS_OVRRD_AMDIX_;
+ break;
+@@ -184,7 +203,7 @@ static int lan87xx_config_aneg(struct phy_device *phydev)
+ rc |= val;
+ phy_write(phydev, SPECIAL_CTRL_STS, rc);
+
+- phydev->mdix = phydev->mdix_ctrl;
++ phydev->mdix = mdix_ctrl;
+ return genphy_config_aneg(phydev);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 5fb6f3dd62bd7c6129f161c81017aa21a0c5f234 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 13:49:40 +0200
+Subject: net: phy: smsc: Force predictable MDI-X state on LAN87xx
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+[ Upstream commit 0713e55533c88a20edb53eea6517dc56786a0078 ]
+
+Override the hardware strap configuration for MDI-X mode to ensure a
+predictable initial state for the driver. The initial mode of the LAN87xx
+PHY is determined by the AUTOMDIX_EN strap pin, but the driver has no
+documented way to read its latched status.
+
+This unpredictability means the driver cannot know if the PHY has
+initialized with Auto-MDIX enabled or disabled, preventing it from
+providing a reliable interface to the user.
+
+This patch introduces a `config_init` hook that forces the PHY into a
+known state by explicitly enabling Auto-MDIX.
+
+Fixes: 05b35e7eb9a1 ("smsc95xx: add phylib support")
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Cc: Andre Edich <andre.edich@microchip.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/20250703114941.3243890-3-o.rempel@pengutronix.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/smsc.c | 29 ++++++++++++++++++++++++++++-
+ 1 file changed, 28 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/smsc.c b/drivers/net/phy/smsc.c
+index adf12d7108b5c..ad9a3d91bb8ae 100644
+--- a/drivers/net/phy/smsc.c
++++ b/drivers/net/phy/smsc.c
+@@ -262,6 +262,33 @@ int lan87xx_read_status(struct phy_device *phydev)
+ }
+ EXPORT_SYMBOL_GPL(lan87xx_read_status);
+
++static int lan87xx_phy_config_init(struct phy_device *phydev)
++{
++ int rc;
++
++ /* The LAN87xx PHY's initial MDI-X mode is determined by the AUTOMDIX_EN
++ * hardware strap, but the driver cannot read the strap's status. This
++ * creates an unpredictable initial state.
++ *
++ * To ensure consistent and reliable behavior across all boards,
++ * override the strap configuration on initialization and force the PHY
++ * into a known state with Auto-MDIX enabled, which is the expected
++ * default for modern hardware.
++ */
++ rc = phy_modify(phydev, SPECIAL_CTRL_STS,
++ SPECIAL_CTRL_STS_OVRRD_AMDIX_ |
++ SPECIAL_CTRL_STS_AMDIX_ENABLE_ |
++ SPECIAL_CTRL_STS_AMDIX_STATE_,
++ SPECIAL_CTRL_STS_OVRRD_AMDIX_ |
++ SPECIAL_CTRL_STS_AMDIX_ENABLE_);
++ if (rc < 0)
++ return rc;
++
++ phydev->mdix_ctrl = ETH_TP_MDI_AUTO;
++
++ return smsc_phy_config_init(phydev);
++}
++
+ static int lan874x_phy_config_init(struct phy_device *phydev)
+ {
+ u16 val;
+@@ -696,7 +723,7 @@ static struct phy_driver smsc_phy_driver[] = {
+
+ /* basic functions */
+ .read_status = lan87xx_read_status,
+- .config_init = smsc_phy_config_init,
++ .config_init = lan87xx_phy_config_init,
+ .soft_reset = smsc_phy_reset,
+ .config_aneg = lan87xx_config_aneg,
+
+--
+2.39.5
+
--- /dev/null
+From 5930a583997cde10f97ec0ad16ac26ef0e9a2e2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jul 2025 18:08:01 -0300
+Subject: net/sched: Abort __tc_modify_qdisc if parent class does not exist
+
+From: Victor Nogueira <victor@mojatatu.com>
+
+[ Upstream commit ffdde7bf5a439aaa1955ebd581f5c64ab1533963 ]
+
+Lion's patch [1] revealed an ancient bug in the qdisc API.
+Whenever a user creates/modifies a qdisc specifying as a parent another
+qdisc, the qdisc API will, during grafting, detect that the user is
+not trying to attach to a class and reject. However grafting is
+performed after qdisc_create (and thus the qdiscs' init callback) is
+executed. In qdiscs that eventually call qdisc_tree_reduce_backlog
+during init or change (such as fq, hhf, choke, etc), an issue
+arises. For example, executing the following commands:
+
+sudo tc qdisc add dev lo root handle a: htb default 2
+sudo tc qdisc add dev lo parent a: handle beef fq
+
+Qdiscs such as fq, hhf, choke, etc unconditionally invoke
+qdisc_tree_reduce_backlog() in their control path init() or change() which
+then causes a failure to find the child class; however, that does not stop
+the unconditional invocation of the assumed child qdisc's qlen_notify with
+a null class. All these qdiscs make the assumption that class is non-null.
+
+The solution is ensure that qdisc_leaf() which looks up the parent
+class, and is invoked prior to qdisc_create(), should return failure on
+not finding the class.
+In this patch, we leverage qdisc_leaf to return ERR_PTRs whenever the
+parentid doesn't correspond to a class, so that we can detect it
+earlier on and abort before qdisc_create is called.
+
+[1] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/
+
+Fixes: 5e50da01d0ce ("[NET_SCHED]: Fix endless loops (part 2): "simple" qdiscs")
+Reported-by: syzbot+d8b58d7b0ad89a678a16@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/68663c93.a70a0220.5d25f.0857.GAE@google.com/
+Reported-by: syzbot+5eccb463fa89309d8bdc@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/68663c94.a70a0220.5d25f.0858.GAE@google.com/
+Reported-by: syzbot+1261670bbdefc5485a06@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/686764a5.a00a0220.c7b3.0013.GAE@google.com/
+Reported-by: syzbot+15b96fc3aac35468fe77@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/686764a5.a00a0220.c7b3.0014.GAE@google.com/
+Reported-by: syzbot+4dadc5aecf80324d5a51@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/68679e81.a70a0220.29cf51.0016.GAE@google.com/
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: Victor Nogueira <victor@mojatatu.com>
+Link: https://patch.msgid.link/20250707210801.372995-1-victor@mojatatu.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_api.c | 23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
+index d58921ffcf35e..a96f9f74777bc 100644
+--- a/net/sched/sch_api.c
++++ b/net/sched/sch_api.c
+@@ -335,17 +335,22 @@ struct Qdisc *qdisc_lookup_rcu(struct net_device *dev, u32 handle)
+ return q;
+ }
+
+-static struct Qdisc *qdisc_leaf(struct Qdisc *p, u32 classid)
++static struct Qdisc *qdisc_leaf(struct Qdisc *p, u32 classid,
++ struct netlink_ext_ack *extack)
+ {
+ unsigned long cl;
+ const struct Qdisc_class_ops *cops = p->ops->cl_ops;
+
+- if (cops == NULL)
+- return NULL;
++ if (cops == NULL) {
++ NL_SET_ERR_MSG(extack, "Parent qdisc is not classful");
++ return ERR_PTR(-EOPNOTSUPP);
++ }
+ cl = cops->find(p, classid);
+
+- if (cl == 0)
+- return NULL;
++ if (cl == 0) {
++ NL_SET_ERR_MSG(extack, "Specified class not found");
++ return ERR_PTR(-ENOENT);
++ }
+ return cops->leaf(p, cl);
+ }
+
+@@ -1489,7 +1494,7 @@ static int __tc_get_qdisc(struct sk_buff *skb, struct nlmsghdr *n,
+ NL_SET_ERR_MSG(extack, "Failed to find qdisc with specified classid");
+ return -ENOENT;
+ }
+- q = qdisc_leaf(p, clid);
++ q = qdisc_leaf(p, clid, extack);
+ } else if (dev_ingress_queue(dev)) {
+ q = rtnl_dereference(dev_ingress_queue(dev)->qdisc_sleeping);
+ }
+@@ -1500,6 +1505,8 @@ static int __tc_get_qdisc(struct sk_buff *skb, struct nlmsghdr *n,
+ NL_SET_ERR_MSG(extack, "Cannot find specified qdisc on specified device");
+ return -ENOENT;
+ }
++ if (IS_ERR(q))
++ return PTR_ERR(q);
+
+ if (tcm->tcm_handle && q->handle != tcm->tcm_handle) {
+ NL_SET_ERR_MSG(extack, "Invalid handle");
+@@ -1601,7 +1608,9 @@ static int __tc_modify_qdisc(struct sk_buff *skb, struct nlmsghdr *n,
+ NL_SET_ERR_MSG(extack, "Failed to find specified qdisc");
+ return -ENOENT;
+ }
+- q = qdisc_leaf(p, clid);
++ q = qdisc_leaf(p, clid, extack);
++ if (IS_ERR(q))
++ return PTR_ERR(q);
+ } else if (dev_ingress_queue_create(dev)) {
+ q = rtnl_dereference(dev_ingress_queue(dev)->qdisc_sleeping);
+ }
+--
+2.39.5
+
--- /dev/null
+From 1e5930731b33add41dba7b0949054e9838f6bb29 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 10:04:49 +0800
+Subject: net: stmmac: Fix interrupt handling for level-triggered mode in
+ DWC_XGMAC2
+
+From: EricChan <chenchuangyu@xiaomi.com>
+
+[ Upstream commit 78b7920a03351a8402de2f81914c1d2e2bdf24b7 ]
+
+According to the Synopsys Controller IP XGMAC-10G Ethernet MAC Databook
+v3.30a (section 2.7.2), when the INTM bit in the DMA_Mode register is set
+to 2, the sbd_perch_tx_intr_o[] and sbd_perch_rx_intr_o[] signals operate
+in level-triggered mode. However, in this configuration, the DMA does not
+assert the XGMAC_NIS status bit for Rx or Tx interrupt events.
+
+This creates a functional regression where the condition
+if (likely(intr_status & XGMAC_NIS)) in dwxgmac2_dma_interrupt() will
+never evaluate to true, preventing proper interrupt handling for
+level-triggered mode. The hardware specification explicitly states that
+"The DMA does not assert the NIS status bit for the Rx or Tx interrupt
+events" (Synopsys DWC_XGMAC2 Databook v3.30a, sec. 2.7.2).
+
+The fix ensures correct handling of both edge and level-triggered
+interrupts while maintaining backward compatibility with existing
+configurations. It has been tested on the hardware device (not publicly
+available), and it can properly trigger the RX and TX interrupt handling
+in both the INTM=0 and INTM=2 configurations.
+
+Fixes: d6ddfacd95c7 ("net: stmmac: Add DMA related callbacks for XGMAC2")
+Tested-by: EricChan <chenchuangyu@xiaomi.com>
+Signed-off-by: EricChan <chenchuangyu@xiaomi.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250703020449.105730-1-chenchuangyu@xiaomi.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/stmicro/stmmac/dwxgmac2_dma.c | 24 +++++++++----------
+ 1 file changed, 11 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c
+index 7840bc403788e..5dcc95bc0ad28 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c
++++ b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_dma.c
+@@ -364,19 +364,17 @@ static int dwxgmac2_dma_interrupt(struct stmmac_priv *priv,
+ }
+
+ /* TX/RX NORMAL interrupts */
+- if (likely(intr_status & XGMAC_NIS)) {
+- if (likely(intr_status & XGMAC_RI)) {
+- u64_stats_update_begin(&stats->syncp);
+- u64_stats_inc(&stats->rx_normal_irq_n[chan]);
+- u64_stats_update_end(&stats->syncp);
+- ret |= handle_rx;
+- }
+- if (likely(intr_status & (XGMAC_TI | XGMAC_TBU))) {
+- u64_stats_update_begin(&stats->syncp);
+- u64_stats_inc(&stats->tx_normal_irq_n[chan]);
+- u64_stats_update_end(&stats->syncp);
+- ret |= handle_tx;
+- }
++ if (likely(intr_status & XGMAC_RI)) {
++ u64_stats_update_begin(&stats->syncp);
++ u64_stats_inc(&stats->rx_normal_irq_n[chan]);
++ u64_stats_update_end(&stats->syncp);
++ ret |= handle_rx;
++ }
++ if (likely(intr_status & (XGMAC_TI | XGMAC_TBU))) {
++ u64_stats_update_begin(&stats->syncp);
++ u64_stats_inc(&stats->tx_normal_irq_n[chan]);
++ u64_stats_update_end(&stats->syncp);
++ ret |= handle_tx;
+ }
+
+ /* Clear interrupts */
+--
+2.39.5
+
--- /dev/null
+From e4d0a205d2bc933cf70856be4380d84f61752b7d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jul 2025 05:48:18 +0000
+Subject: netlink: Fix wraparounds of sk->sk_rmem_alloc.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit ae8f160e7eb24240a2a79fc4c815c6a0d4ee16cc ]
+
+Netlink has this pattern in some places
+
+ if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf)
+ atomic_add(skb->truesize, &sk->sk_rmem_alloc);
+
+, which has the same problem fixed by commit 5a465a0da13e ("udp:
+Fix multiple wraparounds of sk->sk_rmem_alloc.").
+
+For example, if we set INT_MAX to SO_RCVBUFFORCE, the condition
+is always false as the two operands are of int.
+
+Then, a single socket can eat as many skb as possible until OOM
+happens, and we can see multiple wraparounds of sk->sk_rmem_alloc.
+
+Let's fix it by using atomic_add_return() and comparing the two
+variables as unsigned int.
+
+Before:
+ [root@fedora ~]# ss -f netlink
+ Recv-Q Send-Q Local Address:Port Peer Address:Port
+ -1668710080 0 rtnl:nl_wraparound/293 *
+
+After:
+ [root@fedora ~]# ss -f netlink
+ Recv-Q Send-Q Local Address:Port Peer Address:Port
+ 2147483072 0 rtnl:nl_wraparound/290 *
+ ^
+ `--- INT_MAX - 576
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Jason Baron <jbaron@akamai.com>
+Closes: https://lore.kernel.org/netdev/cover.1750285100.git.jbaron@akamai.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20250704054824.1580222-1-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netlink/af_netlink.c | 81 ++++++++++++++++++++++++----------------
+ 1 file changed, 49 insertions(+), 32 deletions(-)
+
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index e8972a857e51e..79fbaf7333ce2 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -387,7 +387,6 @@ static void netlink_skb_set_owner_r(struct sk_buff *skb, struct sock *sk)
+ WARN_ON(skb->sk != NULL);
+ skb->sk = sk;
+ skb->destructor = netlink_skb_destructor;
+- atomic_add(skb->truesize, &sk->sk_rmem_alloc);
+ sk_mem_charge(sk, skb->truesize);
+ }
+
+@@ -1212,41 +1211,48 @@ struct sk_buff *netlink_alloc_large_skb(unsigned int size, int broadcast)
+ int netlink_attachskb(struct sock *sk, struct sk_buff *skb,
+ long *timeo, struct sock *ssk)
+ {
++ DECLARE_WAITQUEUE(wait, current);
+ struct netlink_sock *nlk;
++ unsigned int rmem;
+
+ nlk = nlk_sk(sk);
++ rmem = atomic_add_return(skb->truesize, &sk->sk_rmem_alloc);
+
+- if ((atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf ||
+- test_bit(NETLINK_S_CONGESTED, &nlk->state))) {
+- DECLARE_WAITQUEUE(wait, current);
+- if (!*timeo) {
+- if (!ssk || netlink_is_kernel(ssk))
+- netlink_overrun(sk);
+- sock_put(sk);
+- kfree_skb(skb);
+- return -EAGAIN;
+- }
+-
+- __set_current_state(TASK_INTERRUPTIBLE);
+- add_wait_queue(&nlk->wait, &wait);
++ if ((rmem == skb->truesize || rmem < READ_ONCE(sk->sk_rcvbuf)) &&
++ !test_bit(NETLINK_S_CONGESTED, &nlk->state)) {
++ netlink_skb_set_owner_r(skb, sk);
++ return 0;
++ }
+
+- if ((atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf ||
+- test_bit(NETLINK_S_CONGESTED, &nlk->state)) &&
+- !sock_flag(sk, SOCK_DEAD))
+- *timeo = schedule_timeout(*timeo);
++ atomic_sub(skb->truesize, &sk->sk_rmem_alloc);
+
+- __set_current_state(TASK_RUNNING);
+- remove_wait_queue(&nlk->wait, &wait);
++ if (!*timeo) {
++ if (!ssk || netlink_is_kernel(ssk))
++ netlink_overrun(sk);
+ sock_put(sk);
++ kfree_skb(skb);
++ return -EAGAIN;
++ }
+
+- if (signal_pending(current)) {
+- kfree_skb(skb);
+- return sock_intr_errno(*timeo);
+- }
+- return 1;
++ __set_current_state(TASK_INTERRUPTIBLE);
++ add_wait_queue(&nlk->wait, &wait);
++ rmem = atomic_read(&sk->sk_rmem_alloc);
++
++ if (((rmem && rmem + skb->truesize > READ_ONCE(sk->sk_rcvbuf)) ||
++ test_bit(NETLINK_S_CONGESTED, &nlk->state)) &&
++ !sock_flag(sk, SOCK_DEAD))
++ *timeo = schedule_timeout(*timeo);
++
++ __set_current_state(TASK_RUNNING);
++ remove_wait_queue(&nlk->wait, &wait);
++ sock_put(sk);
++
++ if (signal_pending(current)) {
++ kfree_skb(skb);
++ return sock_intr_errno(*timeo);
+ }
+- netlink_skb_set_owner_r(skb, sk);
+- return 0;
++
++ return 1;
+ }
+
+ static int __netlink_sendskb(struct sock *sk, struct sk_buff *skb)
+@@ -1307,6 +1313,7 @@ static int netlink_unicast_kernel(struct sock *sk, struct sk_buff *skb,
+ ret = -ECONNREFUSED;
+ if (nlk->netlink_rcv != NULL) {
+ ret = skb->len;
++ atomic_add(skb->truesize, &sk->sk_rmem_alloc);
+ netlink_skb_set_owner_r(skb, sk);
+ NETLINK_CB(skb).sk = ssk;
+ netlink_deliver_tap_kernel(sk, ssk, skb);
+@@ -1383,13 +1390,19 @@ EXPORT_SYMBOL_GPL(netlink_strict_get_check);
+ static int netlink_broadcast_deliver(struct sock *sk, struct sk_buff *skb)
+ {
+ struct netlink_sock *nlk = nlk_sk(sk);
++ unsigned int rmem, rcvbuf;
+
+- if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf &&
++ rmem = atomic_add_return(skb->truesize, &sk->sk_rmem_alloc);
++ rcvbuf = READ_ONCE(sk->sk_rcvbuf);
++
++ if ((rmem != skb->truesize || rmem <= rcvbuf) &&
+ !test_bit(NETLINK_S_CONGESTED, &nlk->state)) {
+ netlink_skb_set_owner_r(skb, sk);
+ __netlink_sendskb(sk, skb);
+- return atomic_read(&sk->sk_rmem_alloc) > (sk->sk_rcvbuf >> 1);
++ return rmem > (rcvbuf >> 1);
+ }
++
++ atomic_sub(skb->truesize, &sk->sk_rmem_alloc);
+ return -1;
+ }
+
+@@ -2249,6 +2262,7 @@ static int netlink_dump(struct sock *sk, bool lock_taken)
+ struct module *module;
+ int err = -ENOBUFS;
+ int alloc_min_size;
++ unsigned int rmem;
+ int alloc_size;
+
+ if (!lock_taken)
+@@ -2258,9 +2272,6 @@ static int netlink_dump(struct sock *sk, bool lock_taken)
+ goto errout_skb;
+ }
+
+- if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf)
+- goto errout_skb;
+-
+ /* NLMSG_GOODSIZE is small to avoid high order allocations being
+ * required, but it makes sense to _attempt_ a 32KiB allocation
+ * to reduce number of system calls on dump operations, if user
+@@ -2283,6 +2294,12 @@ static int netlink_dump(struct sock *sk, bool lock_taken)
+ if (!skb)
+ goto errout_skb;
+
++ rmem = atomic_add_return(skb->truesize, &sk->sk_rmem_alloc);
++ if (rmem >= READ_ONCE(sk->sk_rcvbuf)) {
++ atomic_sub(skb->truesize, &sk->sk_rmem_alloc);
++ goto errout_skb;
++ }
++
+ /* Trim skb to allocated size. User is expected to provide buffer as
+ * large as max(min_dump_alloc, 32KiB (max_recvmsg_len capped at
+ * netlink_recvmsg())). dump will pack as many smaller messages as
+--
+2.39.5
+
--- /dev/null
+From 15f4f5ee25893a0fbc0d26730256eaa89cb434a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 15:12:30 +0200
+Subject: objtool: Add missing endian conversion to read_annotate()
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+[ Upstream commit ccdd09e0fc0d5ce6dfc8360f0c88da9a5045b6ea ]
+
+Trying to compile an x86 kernel on big endian results in this error:
+
+net/ipv4/netfilter/iptable_nat.o: warning: objtool: iptable_nat_table_init+0x150: Unknown annotation type: 50331648
+make[5]: *** [scripts/Makefile.build:287: net/ipv4/netfilter/iptable_nat.o] Error 255
+
+Reason is a missing endian conversion in read_annotate().
+Add the missing conversion to fix this.
+
+Fixes: 2116b349e29a ("objtool: Generic annotation infrastructure")
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/20250630131230.4130185-1-hca@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/objtool/check.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/objtool/check.c b/tools/objtool/check.c
+index f23bdda737aaa..d967ac001498b 100644
+--- a/tools/objtool/check.c
++++ b/tools/objtool/check.c
+@@ -2318,6 +2318,7 @@ static int read_annotate(struct objtool_file *file,
+
+ for_each_reloc(sec->rsec, reloc) {
+ type = *(u32 *)(sec->data->d_buf + (reloc_idx(reloc) * sec->sh.sh_entsize) + 4);
++ type = bswap_if_needed(file->elf, type);
+
+ offset = reloc->sym->offset + reloc_addend(reloc);
+ insn = find_insn(file, reloc->sym->sec, offset);
+--
+2.39.5
+
--- /dev/null
+From 816479cca3f9d9d4533b1c342b065687087335e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jun 2025 13:54:03 +0000
+Subject: perf/core: Fix the WARN_ON_ONCE is out of lock protected region
+
+From: Luo Gengkun <luogengkun@huaweicloud.com>
+
+[ Upstream commit 7b4c5a37544ba22c6ebe72c0d4ea56c953459fa5 ]
+
+commit 3172fb986666 ("perf/core: Fix WARN in perf_cgroup_switch()") try to
+fix a concurrency problem between perf_cgroup_switch and
+perf_cgroup_event_disable. But it does not to move the WARN_ON_ONCE into
+lock-protected region, so the warning is still be triggered.
+
+Fixes: 3172fb986666 ("perf/core: Fix WARN in perf_cgroup_switch()")
+Signed-off-by: Luo Gengkun <luogengkun@huaweicloud.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/20250626135403.2454105-1-luogengkun@huaweicloud.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/events/core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index 2d1131e2cfc02..53d2457f5c08a 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -951,8 +951,6 @@ static void perf_cgroup_switch(struct task_struct *task)
+ if (READ_ONCE(cpuctx->cgrp) == NULL)
+ return;
+
+- WARN_ON_ONCE(cpuctx->ctx.nr_cgroups == 0);
+-
+ cgrp = perf_cgroup_from_task(task, NULL);
+ if (READ_ONCE(cpuctx->cgrp) == cgrp)
+ return;
+@@ -964,6 +962,8 @@ static void perf_cgroup_switch(struct task_struct *task)
+ if (READ_ONCE(cpuctx->cgrp) == NULL)
+ return;
+
++ WARN_ON_ONCE(cpuctx->ctx.nr_cgroups == 0);
++
+ perf_ctx_disable(&cpuctx->ctx, true);
+
+ ctx_sched_out(&cpuctx->ctx, NULL, EVENT_ALL|EVENT_CGROUP);
+--
+2.39.5
+
--- /dev/null
+From 519ad1760e979524495c6c30127e0e5fe2b07f75 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 18:21:44 +0200
+Subject: perf: Revert to requiring CAP_SYS_ADMIN for uprobes
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit ba677dbe77af5ffe6204e0f3f547f3ba059c6302 ]
+
+Jann reports that uprobes can be used destructively when used in the
+middle of an instruction. The kernel only verifies there is a valid
+instruction at the requested offset, but due to variable instruction
+length cannot determine if this is an instruction as seen by the
+intended execution stream.
+
+Additionally, Mark Rutland notes that on architectures that mix data
+in the text segment (like arm64), a similar things can be done if the
+data word is 'mistaken' for an instruction.
+
+As such, require CAP_SYS_ADMIN for uprobes.
+
+Fixes: c9e0924e5c2b ("perf/core: open access to probes for CAP_PERFMON privileged process")
+Reported-by: Jann Horn <jannh@google.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/CAG48ez1n4520sq0XrWYDHKiKxE_+WCfAK+qt9qkY4ZiBGmL-5g@mail.gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/events/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index 53d2457f5c08a..5a2ed3344392f 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -11050,7 +11050,7 @@ static int perf_uprobe_event_init(struct perf_event *event)
+ if (event->attr.type != perf_uprobe.type)
+ return -ENOENT;
+
+- if (!perfmon_capable())
++ if (!capable(CAP_SYS_ADMIN))
+ return -EACCES;
+
+ /*
+--
+2.39.5
+
--- /dev/null
+From de8313f9af23118d92d9d54b4c0bc79847b45607 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 10:01:46 -0500
+Subject: pinctrl: amd: Clear GPIO debounce for suspend
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit 8ff4fb276e2384a87ae7f65f3c28e1e139dbb3fe ]
+
+soc-button-array hardcodes a debounce value by means of gpio_keys
+which uses pinctrl-amd as a backend to program debounce for a GPIO.
+
+This hardcoded value doesn't match what the firmware intended to be
+programmed in _AEI. The hardcoded debounce leads to problems waking
+from suspend. There isn't appetite to conditionalize the behavior in
+soc-button-array or gpio-keys so clear it when the system suspends to
+avoid problems with being able to resume.
+
+Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Cc: Hans de Goede <hansg@kernel.org>
+Fixes: 5c4fa2a6da7fb ("Input: soc_button_array - debounce the buttons")
+Link: https://lore.kernel.org/linux-input/mkgtrb5gt7miyg6kvqdlbu4nj3elym6ijudobpdi26gp4xxay5@rsa6ytrjvj2q/
+Link: https://lore.kernel.org/linux-input/20250625215813.3477840-1-superm1@kernel.org/
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Reviewed-by: Hans de Goede <hansg@kernel.org>
+Link: https://lore.kernel.org/20250627150155.3311574-1-superm1@kernel.org
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-amd.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/drivers/pinctrl/pinctrl-amd.c b/drivers/pinctrl/pinctrl-amd.c
+index 1d7fdcdec4c85..bf55d1b4db67b 100644
+--- a/drivers/pinctrl/pinctrl-amd.c
++++ b/drivers/pinctrl/pinctrl-amd.c
+@@ -934,6 +934,17 @@ static int amd_gpio_suspend_hibernate_common(struct device *dev, bool is_suspend
+ pin, is_suspend ? "suspend" : "hibernate");
+ }
+
++ /*
++ * debounce enabled over suspend has shown issues with a GPIO
++ * being unable to wake the system, as we're only interested in
++ * the actual wakeup event, clear it.
++ */
++ if (gpio_dev->saved_regs[i] & (DB_CNTRl_MASK << DB_CNTRL_OFF)) {
++ amd_gpio_set_debounce(gpio_dev, pin, 0);
++ pm_pr_dbg("Clearing debounce for GPIO #%d during %s.\n",
++ pin, is_suspend ? "suspend" : "hibernate");
++ }
++
+ raw_spin_unlock_irqrestore(&gpio_dev->lock, flags);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From da2d5372783c0f9708a5998269bc1018f05ad18d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jul 2025 22:15:03 +0100
+Subject: rxrpc: Fix bug due to prealloc collision
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 69e4186773c6445b258fb45b6e1df18df831ec45 ]
+
+When userspace is using AF_RXRPC to provide a server, it has to preallocate
+incoming calls and assign to them call IDs that will be used to thread
+related recvmsg() and sendmsg() together. The preallocated call IDs will
+automatically be attached to calls as they come in until the pool is empty.
+
+To the kernel, the call IDs are just arbitrary numbers, but userspace can
+use the call ID to hold a pointer to prepared structs. In any case, the
+user isn't permitted to create two calls with the same call ID (call IDs
+become available again when the call ends) and EBADSLT should result from
+sendmsg() if an attempt is made to preallocate a call with an in-use call
+ID.
+
+However, the cleanup in the error handling will trigger both assertions in
+rxrpc_cleanup_call() because the call isn't marked complete and isn't
+marked as having been released.
+
+Fix this by setting the call state in rxrpc_service_prealloc_one() and then
+marking it as being released before calling the cleanup function.
+
+Fixes: 00e907127e6f ("rxrpc: Preallocate peers, conns and calls for incoming service requests")
+Reported-by: Junvyyang, Tencent Zhuque Lab <zhuque@tencent.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: LePremierHomme <kwqcheii@proton.me>
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: Simon Horman <horms@kernel.org>
+cc: linux-afs@lists.infradead.org
+Link: https://patch.msgid.link/20250708211506.2699012-2-dhowells@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rxrpc/call_accept.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/rxrpc/call_accept.c b/net/rxrpc/call_accept.c
+index e685034ce4f7c..e862990c5b37c 100644
+--- a/net/rxrpc/call_accept.c
++++ b/net/rxrpc/call_accept.c
+@@ -149,6 +149,7 @@ static int rxrpc_service_prealloc_one(struct rxrpc_sock *rx,
+
+ id_in_use:
+ write_unlock(&rx->call_lock);
++ rxrpc_prefail_call(call, RXRPC_CALL_LOCAL_ERROR, -EBADSLT);
+ rxrpc_cleanup_call(call);
+ _leave(" = -EBADSLT");
+ return -EBADSLT;
+--
+2.39.5
+
--- /dev/null
+From de8906fb9a1166ba22a3985ad7348b7a82a1293a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Jun 2025 12:00:09 +0200
+Subject: sched/core: Fix migrate_swap() vs. hotplug
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit 009836b4fa52f92cba33618e773b1094affa8cd2 ]
+
+On Mon, Jun 02, 2025 at 03:22:13PM +0800, Kuyo Chang wrote:
+
+> So, the potential race scenario is:
+>
+> CPU0 CPU1
+> // doing migrate_swap(cpu0/cpu1)
+> stop_two_cpus()
+> ...
+> // doing _cpu_down()
+> sched_cpu_deactivate()
+> set_cpu_active(cpu, false);
+> balance_push_set(cpu, true);
+> cpu_stop_queue_two_works
+> __cpu_stop_queue_work(stopper1,...);
+> __cpu_stop_queue_work(stopper2,..);
+> stop_cpus_in_progress -> true
+> preempt_enable();
+> ...
+> 1st balance_push
+> stop_one_cpu_nowait
+> cpu_stop_queue_work
+> __cpu_stop_queue_work
+> list_add_tail -> 1st add push_work
+> wake_up_q(&wakeq); -> "wakeq is empty.
+> This implies that the stopper is at wakeq@migrate_swap."
+> preempt_disable
+> wake_up_q(&wakeq);
+> wake_up_process // wakeup migrate/0
+> try_to_wake_up
+> ttwu_queue
+> ttwu_queue_cond ->meet below case
+> if (cpu == smp_processor_id())
+> return false;
+> ttwu_do_activate
+> //migrate/0 wakeup done
+> wake_up_process // wakeup migrate/1
+> try_to_wake_up
+> ttwu_queue
+> ttwu_queue_cond
+> ttwu_queue_wakelist
+> __ttwu_queue_wakelist
+> __smp_call_single_queue
+> preempt_enable();
+>
+> 2nd balance_push
+> stop_one_cpu_nowait
+> cpu_stop_queue_work
+> __cpu_stop_queue_work
+> list_add_tail -> 2nd add push_work, so the double list add is detected
+> ...
+> ...
+> cpu1 get ipi, do sched_ttwu_pending, wakeup migrate/1
+>
+
+So this balance_push() is part of schedule(), and schedule() is supposed
+to switch to stopper task, but because of this race condition, stopper
+task is stuck in WAKING state and not actually visible to be picked.
+
+Therefore CPU1 can do another schedule() and end up doing another
+balance_push() even though the last one hasn't been done yet.
+
+This is a confluence of fail, where both wake_q and ttwu_wakelist can
+cause crucial wakeups to be delayed, resulting in the malfunction of
+balance_push.
+
+Since there is only a single stopper thread to be woken, the wake_q
+doesn't really add anything here, and can be removed in favour of
+direct wakeups of the stopper thread.
+
+Then add a clause to ttwu_queue_cond() to ensure the stopper threads
+are never queued / delayed.
+
+Of all 3 moving parts, the last addition was the balance_push()
+machinery, so pick that as the point the bug was introduced.
+
+Fixes: 2558aacff858 ("sched/hotplug: Ensure only per-cpu kthreads run during hotplug")
+Reported-by: Kuyo Chang <kuyo.chang@mediatek.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Tested-by: Kuyo Chang <kuyo.chang@mediatek.com>
+Link: https://lkml.kernel.org/r/20250605100009.GO39944@noisy.programming.kicks-ass.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/core.c | 5 +++++
+ kernel/stop_machine.c | 20 ++++++++++----------
+ 2 files changed, 15 insertions(+), 10 deletions(-)
+
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index 39fac649aa142..566fbf0c1b0b2 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -3935,6 +3935,11 @@ static inline bool ttwu_queue_cond(struct task_struct *p, int cpu)
+ if (!scx_allow_ttwu_queue(p))
+ return false;
+
++#ifdef CONFIG_SMP
++ if (p->sched_class == &stop_sched_class)
++ return false;
++#endif
++
+ /*
+ * Do not complicate things with the async wake_list while the CPU is
+ * in hotplug state.
+diff --git a/kernel/stop_machine.c b/kernel/stop_machine.c
+index 5d2d0562115b3..3fe6b0c99f3d8 100644
+--- a/kernel/stop_machine.c
++++ b/kernel/stop_machine.c
+@@ -82,18 +82,15 @@ static void cpu_stop_signal_done(struct cpu_stop_done *done)
+ }
+
+ static void __cpu_stop_queue_work(struct cpu_stopper *stopper,
+- struct cpu_stop_work *work,
+- struct wake_q_head *wakeq)
++ struct cpu_stop_work *work)
+ {
+ list_add_tail(&work->list, &stopper->works);
+- wake_q_add(wakeq, stopper->thread);
+ }
+
+ /* queue @work to @stopper. if offline, @work is completed immediately */
+ static bool cpu_stop_queue_work(unsigned int cpu, struct cpu_stop_work *work)
+ {
+ struct cpu_stopper *stopper = &per_cpu(cpu_stopper, cpu);
+- DEFINE_WAKE_Q(wakeq);
+ unsigned long flags;
+ bool enabled;
+
+@@ -101,12 +98,13 @@ static bool cpu_stop_queue_work(unsigned int cpu, struct cpu_stop_work *work)
+ raw_spin_lock_irqsave(&stopper->lock, flags);
+ enabled = stopper->enabled;
+ if (enabled)
+- __cpu_stop_queue_work(stopper, work, &wakeq);
++ __cpu_stop_queue_work(stopper, work);
+ else if (work->done)
+ cpu_stop_signal_done(work->done);
+ raw_spin_unlock_irqrestore(&stopper->lock, flags);
+
+- wake_up_q(&wakeq);
++ if (enabled)
++ wake_up_process(stopper->thread);
+ preempt_enable();
+
+ return enabled;
+@@ -264,7 +262,6 @@ static int cpu_stop_queue_two_works(int cpu1, struct cpu_stop_work *work1,
+ {
+ struct cpu_stopper *stopper1 = per_cpu_ptr(&cpu_stopper, cpu1);
+ struct cpu_stopper *stopper2 = per_cpu_ptr(&cpu_stopper, cpu2);
+- DEFINE_WAKE_Q(wakeq);
+ int err;
+
+ retry:
+@@ -300,8 +297,8 @@ static int cpu_stop_queue_two_works(int cpu1, struct cpu_stop_work *work1,
+ }
+
+ err = 0;
+- __cpu_stop_queue_work(stopper1, work1, &wakeq);
+- __cpu_stop_queue_work(stopper2, work2, &wakeq);
++ __cpu_stop_queue_work(stopper1, work1);
++ __cpu_stop_queue_work(stopper2, work2);
+
+ unlock:
+ raw_spin_unlock(&stopper2->lock);
+@@ -316,7 +313,10 @@ static int cpu_stop_queue_two_works(int cpu1, struct cpu_stop_work *work1,
+ goto retry;
+ }
+
+- wake_up_q(&wakeq);
++ if (!err) {
++ wake_up_process(stopper1->thread);
++ wake_up_process(stopper2->thread);
++ }
+ preempt_enable();
+
+ return err;
+--
+2.39.5
+
--- /dev/null
+From 3cccd970ebd7bf910be486dedc9b96bdf1c9dd52 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 10:12:25 +0800
+Subject: sched/deadline: Fix dl_server runtime calculation formula
+
+From: kuyo chang <kuyo.chang@mediatek.com>
+
+[ Upstream commit fc975cfb36393db1db517fbbe366e550bcdcff14 ]
+
+In our testing with 6.12 based kernel on a big.LITTLE system, we were
+seeing instances of RT tasks being blocked from running on the LITTLE
+cpus for multiple seconds of time, apparently by the dl_server. This
+far exceeds the default configured 50ms per second runtime.
+
+This is due to the fair dl_server runtime calculation being scaled
+for frequency & capacity of the cpu.
+
+Consider the following case under a Big.LITTLE architecture:
+Assume the runtime is: 50,000,000 ns, and Frequency/capacity
+scale-invariance defined as below:
+Frequency scale-invariance: 100
+Capacity scale-invariance: 50
+First by Frequency scale-invariance,
+the runtime is scaled to 50,000,000 * 100 >> 10 = 4,882,812
+Then by capacity scale-invariance,
+it is further scaled to 4,882,812 * 50 >> 10 = 238,418.
+So it will scaled to 238,418 ns.
+
+This smaller "accounted runtime" value is what ends up being
+subtracted against the fair-server's runtime for the current period.
+Thus after 50ms of real time, we've only accounted ~238us against the
+fair servers runtime. This 209:1 ratio in this example means that on
+the smaller cpu the fair server is allowed to continue running,
+blocking RT tasks, for over 10 seconds before it exhausts its supposed
+50ms of runtime. And on other hardware configurations it can be even
+worse.
+
+For the fair deadline_server, to prevent realtime tasks from being
+unexpectedly delayed, we really do want to use fixed time, and not
+scaled time for smaller capacity/frequency cpus. So remove the scaling
+from the fair server's accounting to fix this.
+
+Fixes: a110a81c52a9 ("sched/deadline: Deferrable dl server")
+Suggested-by: Peter Zijlstra <peterz@infradead.org>
+Suggested-by: John Stultz <jstultz@google.com>
+Signed-off-by: kuyo chang <kuyo.chang@mediatek.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Juri Lelli <juri.lelli@redhat.com>
+Acked-by: John Stultz <jstultz@google.com>
+Tested-by: John Stultz <jstultz@google.com>
+Link: https://lore.kernel.org/r/20250702021440.2594736-1-kuyo.chang@mediatek.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/deadline.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c
+index ad45a8fea245e..89019a1408264 100644
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -1504,7 +1504,9 @@ static void update_curr_dl_se(struct rq *rq, struct sched_dl_entity *dl_se, s64
+ if (dl_entity_is_special(dl_se))
+ return;
+
+- scaled_delta_exec = dl_scaled_delta_exec(rq, dl_se, delta_exec);
++ scaled_delta_exec = delta_exec;
++ if (!dl_server(dl_se))
++ scaled_delta_exec = dl_scaled_delta_exec(rq, dl_se, delta_exec);
+
+ dl_se->runtime -= scaled_delta_exec;
+
+@@ -1611,7 +1613,7 @@ static void update_curr_dl_se(struct rq *rq, struct sched_dl_entity *dl_se, s64
+ */
+ void dl_server_update_idle_time(struct rq *rq, struct task_struct *p)
+ {
+- s64 delta_exec, scaled_delta_exec;
++ s64 delta_exec;
+
+ if (!rq->fair_server.dl_defer)
+ return;
+@@ -1624,9 +1626,7 @@ void dl_server_update_idle_time(struct rq *rq, struct task_struct *p)
+ if (delta_exec < 0)
+ return;
+
+- scaled_delta_exec = dl_scaled_delta_exec(rq, &rq->fair_server, delta_exec);
+-
+- rq->fair_server.runtime -= scaled_delta_exec;
++ rq->fair_server.runtime -= delta_exec;
+
+ if (rq->fair_server.runtime < 0) {
+ rq->fair_server.dl_defer_running = 0;
+--
+2.39.5
+
eventpoll-don-t-decrement-ep-refcount-while-still-holding-the-ep-mutex.patch
drm-exynos-exynos7_drm_decon-add-vblank-check-in-irq-handling.patch
+asoc-fsl_asrc-use-internal-measured-ratio-for-non-id.patch
+asoc-intel-snd_soc_intel_sof_board_helpers-select-sn.patch
+asoc-soc-acpi-add-get_function_tplg_files-ops.patch
+asoc-intel-add-sof_sdw_get_tplg_files-ops.patch
+asoc-intel-soc-acpi-intel-arl-match-set-get_function.patch
+asoc-intel-soc-acpi-arl-correct-order-of-cs42l43-mat.patch
+perf-core-fix-the-warn_on_once-is-out-of-lock-protec.patch
+edac-initialize-edac-features-sysfs-attributes.patch
+irqchip-irq-msi-lib-select-config_generic_msi_irq.patch
+sched-core-fix-migrate_swap-vs.-hotplug.patch
+objtool-add-missing-endian-conversion-to-read_annota.patch
+perf-revert-to-requiring-cap_sys_admin-for-uprobes.patch
+asoc-cs35l56-probe-should-fail-if-the-device-id-is-n.patch
+bluetooth-hci_sync-fix-not-disabling-advertising-ins.patch
+bluetooth-hci_core-remove-check-of-bdaddr_any-in-hci.patch
+bluetooth-hci_sync-fix-attempting-to-send-hci_discon.patch
+bluetooth-hci_event-fix-not-marking-broadcast-sink-b.patch
+pinctrl-amd-clear-gpio-debounce-for-suspend.patch
+fix-proc_sys_compare-handling-of-in-lookup-dentries.patch
+sched-deadline-fix-dl_server-runtime-calculation-for.patch
+bnxt_en-eliminate-the-compile-warning-in-bnxt_reques.patch
+arm64-poe-handle-spurious-overlay-faults.patch
+arm64-mm-drop-wrong-writes-into-tcr2_el1.patch
+net-phy-qcom-move-the-wol-function-to-shared-library.patch
+net-phy-qcom-qca808x-fix-wol-issue-by-utilizing-at80.patch
+netlink-fix-wraparounds-of-sk-sk_rmem_alloc.patch
+vsock-fix-vsock_proto-declaration.patch
+tipc-fix-use-after-free-in-tipc_conn_close.patch
+tcp-correct-signedness-in-skb-remaining-space-calcul.patch
+vsock-fix-transport_-g2h-h2g-toctou.patch
+vsock-fix-transport_-toctou.patch
+vsock-fix-ioctl_vm_sockets_get_local_cid-to-check-al.patch
+net-airoha-fix-an-error-handling-path-in-airoha_prob.patch
+module-fix-memory-deallocation-on-error-path-in-move.patch
+net-stmmac-fix-interrupt-handling-for-level-triggere.patch
+net-phy-smsc-fix-auto-mdix-configuration-when-disabl.patch
+net-phy-smsc-force-predictable-mdi-x-state-on-lan87x.patch
+net-phy-smsc-fix-link-failure-in-forced-mode-with-au.patch
+atm-clip-fix-potential-null-ptr-deref-in-to_atmarpd.patch
+atm-clip-fix-memory-leak-of-struct-clip_vcc.patch
+atm-clip-fix-infinite-recursive-call-of-clip_push.patch
+atm-clip-fix-null-pointer-dereference-in-vcc_sendmsg.patch
+net-ethernet-ti-am65-cpsw-nuss-fix-skb-size-by-accou.patch
+net-sched-abort-__tc_modify_qdisc-if-parent-class-do.patch
+rxrpc-fix-bug-due-to-prealloc-collision.patch
--- /dev/null
+From c963ec6f2c1984865e2f69badaba5e7010b0a9f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jul 2025 13:41:11 +0800
+Subject: tcp: Correct signedness in skb remaining space calculation
+
+From: Jiayuan Chen <jiayuan.chen@linux.dev>
+
+[ Upstream commit d3a5f2871adc0c61c61869f37f3e697d97f03d8c ]
+
+Syzkaller reported a bug [1] where sk->sk_forward_alloc can overflow.
+
+When we send data, if an skb exists at the tail of the write queue, the
+kernel will attempt to append the new data to that skb. However, the code
+that checks for available space in the skb is flawed:
+'''
+copy = size_goal - skb->len
+'''
+
+The types of the variables involved are:
+'''
+copy: ssize_t (s64 on 64-bit systems)
+size_goal: int
+skb->len: unsigned int
+'''
+
+Due to C's type promotion rules, the signed size_goal is converted to an
+unsigned int to match skb->len before the subtraction. The result is an
+unsigned int.
+
+When this unsigned int result is then assigned to the s64 copy variable,
+it is zero-extended, preserving its non-negative value. Consequently, copy
+is always >= 0.
+
+Assume we are sending 2GB of data and size_goal has been adjusted to a
+value smaller than skb->len. The subtraction will result in copy holding a
+very large positive integer. In the subsequent logic, this large value is
+used to update sk->sk_forward_alloc, which can easily cause it to overflow.
+
+The syzkaller reproducer uses TCP_REPAIR to reliably create this
+condition. However, this can also occur in real-world scenarios. The
+tcp_bound_to_half_wnd() function can also reduce size_goal to a small
+value. This would cause the subsequent tcp_wmem_schedule() to set
+sk->sk_forward_alloc to a value close to INT_MAX. Further memory
+allocation requests would then cause sk_forward_alloc to wrap around and
+become negative.
+
+[1]: https://syzkaller.appspot.com/bug?extid=de6565462ab540f50e47
+
+Reported-by: syzbot+de6565462ab540f50e47@syzkaller.appspotmail.com
+Fixes: 270a1c3de47e ("tcp: Support MSG_SPLICE_PAGES")
+Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: David Howells <dhowells@redhat.com>
+Link: https://patch.msgid.link/20250707054112.101081-1-jiayuan.chen@linux.dev
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 6edc441b37023..905cf7635f77f 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -1154,7 +1154,7 @@ int tcp_sendmsg_locked(struct sock *sk, struct msghdr *msg, size_t size)
+ goto do_error;
+
+ while (msg_data_left(msg)) {
+- ssize_t copy = 0;
++ int copy = 0;
+
+ skb = tcp_write_queue_tail(sk);
+ if (skb)
+--
+2.39.5
+
--- /dev/null
+From a698f6f6376f09b725e0f61c02723a740c2d46b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 01:43:40 +0000
+Subject: tipc: Fix use-after-free in tipc_conn_close().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 667eeab4999e981c96b447a4df5f20bdf5c26f13 ]
+
+syzbot reported a null-ptr-deref in tipc_conn_close() during netns
+dismantle. [0]
+
+tipc_topsrv_stop() iterates tipc_net(net)->topsrv->conn_idr and calls
+tipc_conn_close() for each tipc_conn.
+
+The problem is that tipc_conn_close() is called after releasing the
+IDR lock.
+
+At the same time, there might be tipc_conn_recv_work() running and it
+could call tipc_conn_close() for the same tipc_conn and release its
+last ->kref.
+
+Once we release the IDR lock in tipc_topsrv_stop(), there is no
+guarantee that the tipc_conn is alive.
+
+Let's hold the ref before releasing the lock and put the ref after
+tipc_conn_close() in tipc_topsrv_stop().
+
+[0]:
+BUG: KASAN: use-after-free in tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165
+Read of size 8 at addr ffff888099305a08 by task kworker/u4:3/435
+
+CPU: 0 PID: 435 Comm: kworker/u4:3 Not tainted 4.19.204-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Workqueue: netns cleanup_net
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
+ print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
+ kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
+ kasan_report mm/kasan/report.c:412 [inline]
+ __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
+ tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165
+ tipc_topsrv_stop net/tipc/topsrv.c:701 [inline]
+ tipc_topsrv_exit_net+0x27b/0x5c0 net/tipc/topsrv.c:722
+ ops_exit_list+0xa5/0x150 net/core/net_namespace.c:153
+ cleanup_net+0x3b4/0x8b0 net/core/net_namespace.c:553
+ process_one_work+0x864/0x1570 kernel/workqueue.c:2153
+ worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
+ kthread+0x33f/0x460 kernel/kthread.c:259
+ ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
+
+Allocated by task 23:
+ kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625
+ kmalloc include/linux/slab.h:515 [inline]
+ kzalloc include/linux/slab.h:709 [inline]
+ tipc_conn_alloc+0x43/0x4f0 net/tipc/topsrv.c:192
+ tipc_topsrv_accept+0x1b5/0x280 net/tipc/topsrv.c:470
+ process_one_work+0x864/0x1570 kernel/workqueue.c:2153
+ worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
+ kthread+0x33f/0x460 kernel/kthread.c:259
+ ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
+
+Freed by task 23:
+ __cache_free mm/slab.c:3503 [inline]
+ kfree+0xcc/0x210 mm/slab.c:3822
+ tipc_conn_kref_release net/tipc/topsrv.c:150 [inline]
+ kref_put include/linux/kref.h:70 [inline]
+ conn_put+0x2cd/0x3a0 net/tipc/topsrv.c:155
+ process_one_work+0x864/0x1570 kernel/workqueue.c:2153
+ worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
+ kthread+0x33f/0x460 kernel/kthread.c:259
+ ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
+
+The buggy address belongs to the object at ffff888099305a00
+ which belongs to the cache kmalloc-512 of size 512
+The buggy address is located 8 bytes inside of
+ 512-byte region [ffff888099305a00, ffff888099305c00)
+The buggy address belongs to the page:
+page:ffffea000264c140 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0
+flags: 0xfff00000000100(slab)
+raw: 00fff00000000100 ffffea00028b6b88 ffffea0002cd2b08 ffff88813bff0940
+raw: 0000000000000000 ffff888099305000 0000000100000006 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff888099305900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff888099305980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+>ffff888099305a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff888099305a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff888099305b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+
+Fixes: c5fa7b3cf3cb ("tipc: introduce new TIPC server infrastructure")
+Reported-by: syzbot+d333febcf8f4bc5f6110@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=27169a847a70550d17be
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Tung Nguyen <tung.quang.nguyen@est.tech>
+Link: https://patch.msgid.link/20250702014350.692213-1-kuniyu@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/topsrv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/tipc/topsrv.c b/net/tipc/topsrv.c
+index 8ee0c07d00e9b..ffe577bf6b515 100644
+--- a/net/tipc/topsrv.c
++++ b/net/tipc/topsrv.c
+@@ -704,8 +704,10 @@ static void tipc_topsrv_stop(struct net *net)
+ for (id = 0; srv->idr_in_use; id++) {
+ con = idr_find(&srv->conn_idr, id);
+ if (con) {
++ conn_get(con);
+ spin_unlock_bh(&srv->idr_lock);
+ tipc_conn_close(con);
++ conn_put(con);
+ spin_lock_bh(&srv->idr_lock);
+ }
+ }
+--
+2.39.5
+
--- /dev/null
+From 7ee3d2f773e8256da795ea1e43391fb252401186 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 17:18:20 +0200
+Subject: vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also
+ `transport_local`
+
+From: Michal Luczaj <mhal@rbox.co>
+
+[ Upstream commit 1e7d9df379a04ccd0c2f82f39fbb69d482e864cc ]
+
+Support returning VMADDR_CID_LOCAL in case no other vsock transport is
+available.
+
+Fixes: 0e12190578d0 ("vsock: add local transport support in the vsock core")
+Suggested-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Michal Luczaj <mhal@rbox.co>
+Link: https://patch.msgid.link/20250703-vsock-transports-toctou-v4-3-98f0eb530747@rbox.co
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/af_vsock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
+index f947ab8787899..c50184eddb445 100644
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -2548,6 +2548,8 @@ static long vsock_dev_do_ioctl(struct file *filp,
+ cid = vsock_registered_transport_cid(&transport_g2h);
+ if (cid == VMADDR_CID_ANY)
+ cid = vsock_registered_transport_cid(&transport_h2g);
++ if (cid == VMADDR_CID_ANY)
++ cid = vsock_registered_transport_cid(&transport_local);
+
+ if (put_user(cid, p) != 0)
+ retval = -EFAULT;
+--
+2.39.5
+
--- /dev/null
+From b88f643120e2a8fe3d683febc741987feb3d8689 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 17:18:18 +0200
+Subject: vsock: Fix transport_{g2h,h2g} TOCTOU
+
+From: Michal Luczaj <mhal@rbox.co>
+
+[ Upstream commit 209fd720838aaf1420416494c5505096478156b4 ]
+
+vsock_find_cid() and vsock_dev_do_ioctl() may race with module unload.
+transport_{g2h,h2g} may become NULL after the NULL check.
+
+Introduce vsock_transport_local_cid() to protect from a potential
+null-ptr-deref.
+
+KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f]
+RIP: 0010:vsock_find_cid+0x47/0x90
+Call Trace:
+ __vsock_bind+0x4b2/0x720
+ vsock_bind+0x90/0xe0
+ __sys_bind+0x14d/0x1e0
+ __x64_sys_bind+0x6e/0xc0
+ do_syscall_64+0x92/0x1c0
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f]
+RIP: 0010:vsock_dev_do_ioctl.isra.0+0x58/0xf0
+Call Trace:
+ __x64_sys_ioctl+0x12d/0x190
+ do_syscall_64+0x92/0x1c0
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+Fixes: c0cfa2d8a788 ("vsock: add multi-transports support")
+Suggested-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Michal Luczaj <mhal@rbox.co>
+Link: https://patch.msgid.link/20250703-vsock-transports-toctou-v4-1-98f0eb530747@rbox.co
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/af_vsock.c | 27 +++++++++++++++++++++------
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
+index fc6afbc8d6806..43be340233dae 100644
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -531,9 +531,25 @@ int vsock_assign_transport(struct vsock_sock *vsk, struct vsock_sock *psk)
+ }
+ EXPORT_SYMBOL_GPL(vsock_assign_transport);
+
++/*
++ * Provide safe access to static transport_{h2g,g2h,dgram,local} callbacks.
++ * Otherwise we may race with module removal. Do not use on `vsk->transport`.
++ */
++static u32 vsock_registered_transport_cid(const struct vsock_transport **transport)
++{
++ u32 cid = VMADDR_CID_ANY;
++
++ mutex_lock(&vsock_register_mutex);
++ if (*transport)
++ cid = (*transport)->get_local_cid();
++ mutex_unlock(&vsock_register_mutex);
++
++ return cid;
++}
++
+ bool vsock_find_cid(unsigned int cid)
+ {
+- if (transport_g2h && cid == transport_g2h->get_local_cid())
++ if (cid == vsock_registered_transport_cid(&transport_g2h))
+ return true;
+
+ if (transport_h2g && cid == VMADDR_CID_HOST)
+@@ -2503,18 +2519,17 @@ static long vsock_dev_do_ioctl(struct file *filp,
+ unsigned int cmd, void __user *ptr)
+ {
+ u32 __user *p = ptr;
+- u32 cid = VMADDR_CID_ANY;
+ int retval = 0;
++ u32 cid;
+
+ switch (cmd) {
+ case IOCTL_VM_SOCKETS_GET_LOCAL_CID:
+ /* To be compatible with the VMCI behavior, we prioritize the
+ * guest CID instead of well-know host CID (VMADDR_CID_HOST).
+ */
+- if (transport_g2h)
+- cid = transport_g2h->get_local_cid();
+- else if (transport_h2g)
+- cid = transport_h2g->get_local_cid();
++ cid = vsock_registered_transport_cid(&transport_g2h);
++ if (cid == VMADDR_CID_ANY)
++ cid = vsock_registered_transport_cid(&transport_h2g);
+
+ if (put_user(cid, p) != 0)
+ retval = -EFAULT;
+--
+2.39.5
+
--- /dev/null
+From 7b33eed02f98a2e60340188a4650125bc03431db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 17:18:19 +0200
+Subject: vsock: Fix transport_* TOCTOU
+
+From: Michal Luczaj <mhal@rbox.co>
+
+[ Upstream commit 687aa0c5581b8d4aa87fd92973e4ee576b550cdf ]
+
+Transport assignment may race with module unload. Protect new_transport
+from becoming a stale pointer.
+
+This also takes care of an insecure call in vsock_use_local_transport();
+add a lockdep assert.
+
+BUG: unable to handle page fault for address: fffffbfff8056000
+Oops: Oops: 0000 [#1] SMP KASAN
+RIP: 0010:vsock_assign_transport+0x366/0x600
+Call Trace:
+ vsock_connect+0x59c/0xc40
+ __sys_connect+0xe8/0x100
+ __x64_sys_connect+0x6e/0xc0
+ do_syscall_64+0x92/0x1c0
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+Fixes: c0cfa2d8a788 ("vsock: add multi-transports support")
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Michal Luczaj <mhal@rbox.co>
+Link: https://patch.msgid.link/20250703-vsock-transports-toctou-v4-2-98f0eb530747@rbox.co
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/af_vsock.c | 28 +++++++++++++++++++++++-----
+ 1 file changed, 23 insertions(+), 5 deletions(-)
+
+diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
+index 43be340233dae..f947ab8787899 100644
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -407,6 +407,8 @@ EXPORT_SYMBOL_GPL(vsock_enqueue_accept);
+
+ static bool vsock_use_local_transport(unsigned int remote_cid)
+ {
++ lockdep_assert_held(&vsock_register_mutex);
++
+ if (!transport_local)
+ return false;
+
+@@ -464,6 +466,8 @@ int vsock_assign_transport(struct vsock_sock *vsk, struct vsock_sock *psk)
+
+ remote_flags = vsk->remote_addr.svm_flags;
+
++ mutex_lock(&vsock_register_mutex);
++
+ switch (sk->sk_type) {
+ case SOCK_DGRAM:
+ new_transport = transport_dgram;
+@@ -479,12 +483,15 @@ int vsock_assign_transport(struct vsock_sock *vsk, struct vsock_sock *psk)
+ new_transport = transport_h2g;
+ break;
+ default:
+- return -ESOCKTNOSUPPORT;
++ ret = -ESOCKTNOSUPPORT;
++ goto err;
+ }
+
+ if (vsk->transport) {
+- if (vsk->transport == new_transport)
+- return 0;
++ if (vsk->transport == new_transport) {
++ ret = 0;
++ goto err;
++ }
+
+ /* transport->release() must be called with sock lock acquired.
+ * This path can only be taken during vsock_connect(), where we
+@@ -508,8 +515,16 @@ int vsock_assign_transport(struct vsock_sock *vsk, struct vsock_sock *psk)
+ /* We increase the module refcnt to prevent the transport unloading
+ * while there are open sockets assigned to it.
+ */
+- if (!new_transport || !try_module_get(new_transport->module))
+- return -ENODEV;
++ if (!new_transport || !try_module_get(new_transport->module)) {
++ ret = -ENODEV;
++ goto err;
++ }
++
++ /* It's safe to release the mutex after a successful try_module_get().
++ * Whichever transport `new_transport` points at, it won't go away until
++ * the last module_put() below or in vsock_deassign_transport().
++ */
++ mutex_unlock(&vsock_register_mutex);
+
+ if (sk->sk_type == SOCK_SEQPACKET) {
+ if (!new_transport->seqpacket_allow ||
+@@ -528,6 +543,9 @@ int vsock_assign_transport(struct vsock_sock *vsk, struct vsock_sock *psk)
+ vsk->transport = new_transport;
+
+ return 0;
++err:
++ mutex_unlock(&vsock_register_mutex);
++ return ret;
+ }
+ EXPORT_SYMBOL_GPL(vsock_assign_transport);
+
+--
+2.39.5
+
--- /dev/null
+From 409add6eca103e9a9fa2e7cff5719e05f3589349 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 13:23:29 +0200
+Subject: vsock: fix `vsock_proto` declaration
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+[ Upstream commit 1e3b66e326015f77bc4b36976bebeedc2ac0f588 ]
+
+From commit 634f1a7110b4 ("vsock: support sockmap"), `struct proto
+vsock_proto`, defined in af_vsock.c, is not static anymore, since it's
+used by vsock_bpf.c.
+
+If CONFIG_BPF_SYSCALL is not defined, `make C=2` will print a warning:
+ $ make O=build C=2 W=1 net/vmw_vsock/
+ ...
+ CC [M] net/vmw_vsock/af_vsock.o
+ CHECK ../net/vmw_vsock/af_vsock.c
+ ../net/vmw_vsock/af_vsock.c:123:14: warning: symbol 'vsock_proto' was not declared. Should it be static?
+
+Declare `vsock_proto` regardless of CONFIG_BPF_SYSCALL, since it's defined
+in af_vsock.c, which is built regardless of CONFIG_BPF_SYSCALL.
+
+Fixes: 634f1a7110b4 ("vsock: support sockmap")
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Link: https://patch.msgid.link/20250703112329.28365-1-sgarzare@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/af_vsock.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/af_vsock.h b/include/net/af_vsock.h
+index 9e85424c83435..70302c92d329f 100644
+--- a/include/net/af_vsock.h
++++ b/include/net/af_vsock.h
+@@ -242,8 +242,8 @@ int __vsock_dgram_recvmsg(struct socket *sock, struct msghdr *msg,
+ int vsock_dgram_recvmsg(struct socket *sock, struct msghdr *msg,
+ size_t len, int flags);
+
+-#ifdef CONFIG_BPF_SYSCALL
+ extern struct proto vsock_proto;
++#ifdef CONFIG_BPF_SYSCALL
+ int vsock_bpf_update_proto(struct sock *sk, struct sk_psock *psock, bool restore);
+ void __init vsock_bpf_build_proto(void);
+ #else
+--
+2.39.5
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
