--- /dev/null
+From a9dec0963187d05725369156a5e0e14cd3487bfb Mon Sep 17 00:00:00 2001
+From: Edip Hazuri <edip@medip.dev>
+Date: Tue, 29 Jul 2025 21:18:50 +0300
+Subject: ALSA: hda/realtek - Fix mute LED for HP Victus 16-d1xxx (MB 8A26)
+
+From: Edip Hazuri <edip@medip.dev>
+
+commit a9dec0963187d05725369156a5e0e14cd3487bfb upstream.
+
+My friend have Victus 16-d1xxx with board ID 8A26, the existing quirk
+for Victus 16-d1xxx wasn't working because of different board ID
+
+Tested on Victus 16-d1015nt Laptop. The LED behaviour works
+as intended.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Edip Hazuri <edip@medip.dev>
+Link: https://patch.msgid.link/20250729181848.24432-4-edip@medip.dev
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10678,6 +10678,7 @@ static const struct hda_quirk alc269_fix
+ SND_PCI_QUIRK(0x103c, 0x8a0f, "HP Pavilion 14-ec1xxx", ALC287_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8a20, "HP Laptop 15s-fq5xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2),
+ SND_PCI_QUIRK(0x103c, 0x8a25, "HP Victus 16-d1xxx (MB 8A25)", ALC245_FIXUP_HP_MUTE_LED_COEFBIT),
++ SND_PCI_QUIRK(0x103c, 0x8a26, "HP Victus 16-d1xxx (MB 8A26)", ALC245_FIXUP_HP_MUTE_LED_COEFBIT),
+ SND_PCI_QUIRK(0x103c, 0x8a28, "HP Envy 13", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x103c, 0x8a29, "HP Envy 15", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x103c, 0x8a2a, "HP Envy 15", ALC287_FIXUP_CS35L41_I2C_2),
--- /dev/null
+From bd7814a4c0fd883894bdf9fe5eda24c9df826e4c Mon Sep 17 00:00:00 2001
+From: Edip Hazuri <edip@medip.dev>
+Date: Fri, 25 Jul 2025 18:14:37 +0300
+Subject: ALSA: hda/realtek - Fix mute LED for HP Victus 16-r1xxx
+
+From: Edip Hazuri <edip@medip.dev>
+
+commit bd7814a4c0fd883894bdf9fe5eda24c9df826e4c upstream.
+
+The mute led on this laptop is using ALC245 but requires a quirk to work
+This patch enables the existing quirk for the device.
+
+Tested on Victus 16-r1xxx Laptop. The LED behaviour works
+as intended.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Edip Hazuri <edip@medip.dev>
+Link: https://patch.msgid.link/20250725151436.51543-2-edip@medip.dev
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10788,6 +10788,7 @@ static const struct hda_quirk alc269_fix
+ SND_PCI_QUIRK(0x103c, 0x8c91, "HP EliteBook 660", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8c96, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
+ SND_PCI_QUIRK(0x103c, 0x8c97, "HP ZBook", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
++ SND_PCI_QUIRK(0x103c, 0x8c99, "HP Victus 16-r1xxx (MB 8C99)", ALC245_FIXUP_HP_MUTE_LED_COEFBIT),
+ SND_PCI_QUIRK(0x103c, 0x8c9c, "HP Victus 16-s1xxx (MB 8C9C)", ALC245_FIXUP_HP_MUTE_LED_COEFBIT),
+ SND_PCI_QUIRK(0x103c, 0x8ca1, "HP ZBook Power", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8ca2, "HP ZBook Power", ALC236_FIXUP_HP_GPIO_LED),
--- /dev/null
+From 956048a3cd9d2575032e2c7ca62803677357ae18 Mon Sep 17 00:00:00 2001
+From: Edip Hazuri <edip@medip.dev>
+Date: Tue, 29 Jul 2025 21:18:48 +0300
+Subject: ALSA: hda/realtek - Fix mute LED for HP Victus 16-s0xxx
+
+From: Edip Hazuri <edip@medip.dev>
+
+commit 956048a3cd9d2575032e2c7ca62803677357ae18 upstream.
+
+The mute led on this laptop is using ALC245 but requires a quirk to work
+This patch enables the existing quirk for the device.
+
+Tested on Victus 16-S0063NT Laptop. The LED behaviour works
+as intended.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Edip Hazuri <edip@medip.dev>
+Link: https://patch.msgid.link/20250729181848.24432-2-edip@medip.dev
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10736,6 +10736,7 @@ static const struct hda_quirk alc269_fix
+ SND_PCI_QUIRK(0x103c, 0x8bbe, "HP Victus 16-r0xxx (MB 8BBE)", ALC245_FIXUP_HP_MUTE_LED_COEFBIT),
+ SND_PCI_QUIRK(0x103c, 0x8bc8, "HP Victus 15-fa1xxx", ALC245_FIXUP_HP_MUTE_LED_COEFBIT),
+ SND_PCI_QUIRK(0x103c, 0x8bcd, "HP Omen 16-xd0xxx", ALC245_FIXUP_HP_MUTE_LED_V1_COEFBIT),
++ SND_PCI_QUIRK(0x103c, 0x8bd4, "HP Victus 16-s0xxx (MB 8BD4)", ALC245_FIXUP_HP_MUTE_LED_COEFBIT),
+ SND_PCI_QUIRK(0x103c, 0x8bdd, "HP Envy 17", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x103c, 0x8bde, "HP Envy 17", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x103c, 0x8bdf, "HP Envy 15", ALC287_FIXUP_CS35L41_I2C_2),
--- /dev/null
+From 8cbe564974248ee980562be02f2b1912769562c7 Mon Sep 17 00:00:00 2001
+From: Thorsten Blum <thorsten.blum@linux.dev>
+Date: Wed, 6 Aug 2025 01:41:53 +0200
+Subject: ALSA: intel_hdmi: Fix off-by-one error in __hdmi_lpe_audio_probe()
+
+From: Thorsten Blum <thorsten.blum@linux.dev>
+
+commit 8cbe564974248ee980562be02f2b1912769562c7 upstream.
+
+In __hdmi_lpe_audio_probe(), strscpy() is incorrectly called with the
+length of the source string (excluding the NUL terminator) rather than
+the size of the destination buffer. This results in one character less
+being copied from 'card->shortname' to 'pcm->name'.
+
+Use the destination buffer size instead to ensure the card name is
+copied correctly.
+
+Cc: stable@vger.kernel.org
+Fixes: 75b1a8f9d62e ("ALSA: Convert strlcpy to strscpy when return value is unused")
+Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
+Link: https://patch.msgid.link/20250805234156.60294-1-thorsten.blum@linux.dev
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/x86/intel_hdmi_audio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/x86/intel_hdmi_audio.c
++++ b/sound/x86/intel_hdmi_audio.c
+@@ -1767,7 +1767,7 @@ static int __hdmi_lpe_audio_probe(struct
+ /* setup private data which can be retrieved when required */
+ pcm->private_data = ctx;
+ pcm->info_flags = 0;
+- strscpy(pcm->name, card->shortname, strlen(card->shortname));
++ strscpy(pcm->name, card->shortname, sizeof(pcm->name));
+ /* setup the ops for playback */
+ snd_pcm_set_ops(pcm, SNDRV_PCM_STREAM_PLAYBACK, &had_pcm_ops);
+
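Review bot: The corrected `strscpy()` call still spells the bound out by hand, which is how the original length-of-source mistake got in: a bound taken from the source says nothing about the destination's capacity. Where the target tree provides the two-argument form of `strscpy()` (older stable branches may not), `strscpy(pcm->name, card->shortname);` takes the size from the destination array itself and cannot drift. The return value is ignored, so a truncated name would be silent; that looks acceptable for a display name. `__hdmi_lpe_audio_probe()` starts and ends outside the hunk.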
--- /dev/null
+From 8a15ca0ca51399b652b1bbb23b590b220cf03d62 Mon Sep 17 00:00:00 2001
+From: "Geoffrey D. Bennett" <g@b4.vu>
+Date: Mon, 28 Jul 2025 19:00:35 +0930
+Subject: ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx()
+
+From: Geoffrey D. Bennett <g@b4.vu>
+
+commit 8a15ca0ca51399b652b1bbb23b590b220cf03d62 upstream.
+
+During communication with Focusrite Scarlett Gen 2/3/4 USB audio
+interfaces, -EPROTO is sometimes returned from scarlett2_usb_tx(),
+snd_usb_ctl_msg() which can cause initialisation and control
+operations to fail intermittently.
+
+This patch adds up to 5 retries in scarlett2_usb(), with a delay
+starting at 5ms and doubling each time. This follows the same approach
+as the fix for usb_set_interface() in endpoint.c (commit f406005e162b
+("ALSA: usb-audio: Add retry on -EPROTO from usb_set_interface()")),
+which resolved similar -EPROTO issues during device initialisation,
+and is the same approach as in fcp.c:fcp_usb().
+
+Fixes: 9e4d5c1be21f ("ALSA: usb-audio: Scarlett Gen 2 mixer interface")
+Closes: https://github.com/geoffreybennett/linux-fcp/issues/41
+Cc: stable@vger.kernel.org
+Signed-off-by: Geoffrey D. Bennett <g@b4.vu>
+Link: https://patch.msgid.link/aIdDO6ld50WQwNim@m.b4.vu
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/mixer_scarlett2.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/sound/usb/mixer_scarlett2.c
++++ b/sound/usb/mixer_scarlett2.c
+@@ -2329,6 +2329,8 @@ static int scarlett2_usb(
+ struct scarlett2_usb_packet *req, *resp = NULL;
+ size_t req_buf_size = struct_size(req, data, req_size);
+ size_t resp_buf_size = struct_size(resp, data, resp_size);
++ int retries = 0;
++ const int max_retries = 5;
+ int err;
+
+ req = kmalloc(req_buf_size, GFP_KERNEL);
+@@ -2352,10 +2354,15 @@ static int scarlett2_usb(
+ if (req_size)
+ memcpy(req->data, req_data, req_size);
+
++retry:
+ err = scarlett2_usb_tx(dev, private->bInterfaceNumber,
+ req, req_buf_size);
+
+ if (err != req_buf_size) {
++ if (err == -EPROTO && ++retries <= max_retries) {
++ msleep(5 * (1 << (retries - 1)));
++ goto retry;
++ }
+ usb_audio_err(
+ mixer->chip,
+ "%s USB request result cmd %x was %d\n",
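Review bot: The retry added around `scarlett2_usb_tx()` is undocumented and silent: nothing in the hunk says why only -EPROTO is retried or what the delay schedule is, and a device that needs retries on every request leaves no trace in the log unless all five fail. A comment above the `retry:` label such as `/* -EPROTO is transient on these devices: retry up to max_retries times, sleeping 5, 10, 20, 40, 80 ms */` would cover the first part, and a rate-limited debug message inside the retry branch would cover the second. The worst case adds about 155 ms of sleep per request, so it is worth confirming what locks the callers hold across `scarlett2_usb()`; the callers and the rest of the function, including the receive step, are outside the hunk.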
--- /dev/null
+From 1bb3363da862e0464ec050eea2fb5472a36ad86b Mon Sep 17 00:00:00 2001
+From: Qasim Ijaz <qasdev00@gmail.com>
+Date: Mon, 14 Jul 2025 00:30:08 +0100
+Subject: HID: apple: validate feature-report field count to prevent NULL pointer dereference
+
+From: Qasim Ijaz <qasdev00@gmail.com>
+
+commit 1bb3363da862e0464ec050eea2fb5472a36ad86b upstream.
+
+A malicious HID device with quirk APPLE_MAGIC_BACKLIGHT can trigger a NULL
+pointer dereference whilst the power feature-report is toggled and sent to
+the device in apple_magic_backlight_report_set(). The power feature-report
+is expected to have two data fields, but if the descriptor declares one
+field then accessing field[1] and dereferencing it in
+apple_magic_backlight_report_set() becomes invalid
+since field[1] will be NULL.
+
+An example of a minimal descriptor which can cause the crash is something
+like the following where the report with ID 3 (power report) only
+references a single 1-byte field. When hid core parses the descriptor it
+will encounter the final feature tag, allocate a hid_report (all members
+of field[] will be zeroed out), create field structure and populate it,
+increasing the maxfield to 1. The subsequent field[1] access and
+dereference causes the crash.
+
+ Usage Page (Vendor Defined 0xFF00)
+ Usage (0x0F)
+ Collection (Application)
+ Report ID (1)
+ Usage (0x01)
+ Logical Minimum (0)
+ Logical Maximum (255)
+ Report Size (8)
+ Report Count (1)
+ Feature (Data,Var,Abs)
+
+ Usage (0x02)
+ Logical Maximum (32767)
+ Report Size (16)
+ Report Count (1)
+ Feature (Data,Var,Abs)
+
+ Report ID (3)
+ Usage (0x03)
+ Logical Minimum (0)
+ Logical Maximum (1)
+ Report Size (8)
+ Report Count (1)
+ Feature (Data,Var,Abs)
+ End Collection
+
+Here we see the KASAN splat when the kernel dereferences the
+NULL pointer and crashes:
+
+ [ 15.164723] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN NOPTI
+ [ 15.165691] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
+ [ 15.165691] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0 #31 PREEMPT(voluntary)
+ [ 15.165691] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
+ [ 15.165691] RIP: 0010:apple_magic_backlight_report_set+0xbf/0x210
+ [ 15.165691] Call Trace:
+ [ 15.165691] <TASK>
+ [ 15.165691] apple_probe+0x571/0xa20
+ [ 15.165691] hid_device_probe+0x2e2/0x6f0
+ [ 15.165691] really_probe+0x1ca/0x5c0
+ [ 15.165691] __driver_probe_device+0x24f/0x310
+ [ 15.165691] driver_probe_device+0x4a/0xd0
+ [ 15.165691] __device_attach_driver+0x169/0x220
+ [ 15.165691] bus_for_each_drv+0x118/0x1b0
+ [ 15.165691] __device_attach+0x1d5/0x380
+ [ 15.165691] device_initial_probe+0x12/0x20
+ [ 15.165691] bus_probe_device+0x13d/0x180
+ [ 15.165691] device_add+0xd87/0x1510
+ [...]
+
+To fix this issue we should validate the number of fields that the
+backlight and power reports have and if they do not have the required
+number of fields then bail.
+
+Fixes: 394ba612f941 ("HID: apple: Add support for magic keyboard backlight on T2 Macs")
+Cc: stable@vger.kernel.org
+Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
+Reviewed-by: Orlando Chamberlain <orlandoch.dev@gmail.com>
+Tested-by: Aditya Garg <gargaditya08@live.com>
+Link: https://patch.msgid.link/20250713233008.15131-1-qasdev00@gmail.com
+Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-apple.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/hid-apple.c
++++ b/drivers/hid/hid-apple.c
+@@ -890,7 +890,8 @@ static int apple_magic_backlight_init(st
+ backlight->brightness = report_enum->report_id_hash[APPLE_MAGIC_REPORT_ID_BRIGHTNESS];
+ backlight->power = report_enum->report_id_hash[APPLE_MAGIC_REPORT_ID_POWER];
+
+- if (!backlight->brightness || !backlight->power)
++ if (!backlight->brightness || backlight->brightness->maxfield < 2 ||
++ !backlight->power || backlight->power->maxfield < 2)
+ return -ENODEV;
+
+ backlight->cdev.name = ":white:" LED_FUNCTION_KBD_BACKLIGHT;
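Review bot: The bare `2` in the new `maxfield < 2` checks is unexplained in the code; the reason lives only in the commit message, which says the power report is used through `field[0]` and `field[1]`. A comment above the condition, for example `/* Reports are accessed via field[0] and field[1]; the descriptor comes from the device and may declare fewer */`, keeps the invariant next to the check. The check guarantees that the two field pointers exist but says nothing about each field's `report_count`; if the code that fills the reports (outside this hunk) ever indexes `value[]` beyond element 0, `hid_validate_values()` would validate the field index and the count together. `apple_magic_backlight_init()` starts and ends outside the hunk.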
--- /dev/null
+From 17ec2f965344ee3fd6620bef7ef68792f4ac3af0 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Tue, 10 Jun 2025 16:20:06 -0700
+Subject: KVM: VMX: Allow guest to set DEBUGCTL.RTM_DEBUG if RTM is supported
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit 17ec2f965344ee3fd6620bef7ef68792f4ac3af0 upstream.
+
+Let the guest set DEBUGCTL.RTM_DEBUG if RTM is supported according to the
+guest CPUID model, as debug support is supposed to be available if RTM is
+supported, and there are no known downsides to letting the guest debug RTM
+aborts.
+
+Note, there are no known bug reports related to RTM_DEBUG, the primary
+motivation is to reduce the probability of breaking existing guests when a
+future change adds a missing consistency check on vmcs12.GUEST_DEBUGCTL
+(KVM currently lets L2 run with whatever hardware supports; whoops).
+
+Note #2, KVM already emulates DR6.RTM, and doesn't restrict access to
+DR7.RTM.
+
+Fixes: 83c529151ab0 ("KVM: x86: expose Intel cpu new features (HLE, RTM) to guest")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250610232010.162191-5-seanjc@google.com
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/msr-index.h | 1 +
+ arch/x86/kvm/vmx/vmx.c | 4 ++++
+ 2 files changed, 5 insertions(+)
+
+--- a/arch/x86/include/asm/msr-index.h
++++ b/arch/x86/include/asm/msr-index.h
+@@ -417,6 +417,7 @@
+ #define DEBUGCTLMSR_FREEZE_PERFMON_ON_PMI (1UL << 12)
+ #define DEBUGCTLMSR_FREEZE_IN_SMM_BIT 14
+ #define DEBUGCTLMSR_FREEZE_IN_SMM (1UL << DEBUGCTLMSR_FREEZE_IN_SMM_BIT)
++#define DEBUGCTLMSR_RTM_DEBUG BIT(15)
+
+ #define MSR_PEBS_FRONTEND 0x000003f7
+
+--- a/arch/x86/kvm/vmx/vmx.c
++++ b/arch/x86/kvm/vmx/vmx.c
+@@ -2185,6 +2185,10 @@ static u64 vmx_get_supported_debugctl(st
+ (host_initiated || intel_pmu_lbr_is_enabled(vcpu)))
+ debugctl |= DEBUGCTLMSR_LBR | DEBUGCTLMSR_FREEZE_LBRS_ON_PMI;
+
++ if (boot_cpu_has(X86_FEATURE_RTM) &&
++ (host_initiated || guest_cpu_cap_has(vcpu, X86_FEATURE_RTM)))
++ debugctl |= DEBUGCTLMSR_RTM_DEBUG;
++
+ return debugctl;
+ }
+
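Review bot: The new RTM_DEBUG branch carries no comment, and its one non-obvious part is that `host_initiated` bypasses the guest CPUID check. The LBR branch just above has the same shape, so the code is consistent, but a short comment such as `/* Host-initiated writes depend only on host support; guest writes also require RTM in guest CPUID */` would record the rule where the bit is granted. The define added in msr-index.h uses `BIT(15)` while the neighbouring DEBUGCTLMSR_* lines visible in that hunk use `(1UL << n)`; matching the local form would be tidier. `vmx_get_supported_debugctl()` begins outside the hunk.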
--- /dev/null
+From ae42c6fe531425ef2f47e82f96851427d24bbf6b Mon Sep 17 00:00:00 2001
+From: Julien Massot <julien.massot@collabora.com>
+Date: Mon, 30 Jun 2025 12:46:43 +0200
+Subject: media: ti: j721e-csi2rx: fix list_del corruption
+
+From: Julien Massot <julien.massot@collabora.com>
+
+commit ae42c6fe531425ef2f47e82f96851427d24bbf6b upstream.
+
+If ti_csi2rx_start_dma() fails in ti_csi2rx_dma_callback(), the buffer is
+marked done with VB2_BUF_STATE_ERROR but is not removed from the DMA queue.
+This causes the same buffer to be retried in the next iteration, resulting
+in a double list_del() and eventual list corruption.
+
+Fix this by removing the buffer from the queue before calling
+vb2_buffer_done() on error.
+
+This resolves a crash due to list_del corruption:
+[ 37.811243] j721e-csi2rx 30102000.ticsi2rx: Failed to queue the next buffer for DMA
+[ 37.832187] slab kmalloc-2k start ffff00000255b000 pointer offset 1064 size 2048
+[ 37.839761] list_del corruption. next->prev should be ffff00000255bc28, but was ffff00000255d428. (next=ffff00000255b428)
+[ 37.850799] ------------[ cut here ]------------
+[ 37.855424] kernel BUG at lib/list_debug.c:65!
+[ 37.859876] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
+[ 37.866061] Modules linked in: i2c_dev usb_f_rndis u_ether libcomposite dwc3 udc_core usb_common aes_ce_blk aes_ce_cipher ghash_ce gf128mul sha1_ce cpufreq_dt dwc3_am62 phy_gmii_sel sa2ul
+[ 37.882830] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.16.0-rc3+ #28 VOLUNTARY
+[ 37.890851] Hardware name: Bosch STLA-GSRV2-B0 (DT)
+[ 37.895737] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[ 37.902703] pc : __list_del_entry_valid_or_report+0xdc/0x114
+[ 37.908390] lr : __list_del_entry_valid_or_report+0xdc/0x114
+[ 37.914059] sp : ffff800080003db0
+[ 37.917375] x29: ffff800080003db0 x28: 0000000000000007 x27: ffff800080e50000
+[ 37.924521] x26: 0000000000000000 x25: ffff0000016abb50 x24: dead000000000122
+[ 37.931666] x23: ffff0000016abb78 x22: ffff0000016ab080 x21: ffff800080003de0
+[ 37.938810] x20: ffff00000255bc00 x19: ffff00000255b800 x18: 000000000000000a
+[ 37.945956] x17: 20747562202c3832 x16: 6362353532303030 x15: 0720072007200720
+[ 37.953101] x14: 0720072007200720 x13: 0720072007200720 x12: 00000000ffffffea
+[ 37.960248] x11: ffff800080003b18 x10: 00000000ffffefff x9 : ffff800080f5b568
+[ 37.967396] x8 : ffff800080f5b5c0 x7 : 0000000000017fe8 x6 : c0000000ffffefff
+[ 37.974542] x5 : ffff00000fea6688 x4 : 0000000000000000 x3 : 0000000000000000
+[ 37.981686] x2 : 0000000000000000 x1 : ffff800080ef2b40 x0 : 000000000000006d
+[ 37.988832] Call trace:
+[ 37.991281] __list_del_entry_valid_or_report+0xdc/0x114 (P)
+[ 37.996959] ti_csi2rx_dma_callback+0x84/0x1c4
+[ 38.001419] udma_vchan_complete+0x1e0/0x344
+[ 38.005705] tasklet_action_common+0x118/0x310
+[ 38.010163] tasklet_action+0x30/0x3c
+[ 38.013832] handle_softirqs+0x10c/0x2e0
+[ 38.017761] __do_softirq+0x14/0x20
+[ 38.021256] ____do_softirq+0x10/0x20
+[ 38.024931] call_on_irq_stack+0x24/0x60
+[ 38.028873] do_softirq_own_stack+0x1c/0x40
+[ 38.033064] __irq_exit_rcu+0x130/0x15c
+[ 38.036909] irq_exit_rcu+0x10/0x20
+[ 38.040403] el1_interrupt+0x38/0x60
+[ 38.043987] el1h_64_irq_handler+0x18/0x24
+[ 38.048091] el1h_64_irq+0x6c/0x70
+[ 38.051501] default_idle_call+0x34/0xe0 (P)
+[ 38.055783] do_idle+0x1f8/0x250
+[ 38.059021] cpu_startup_entry+0x34/0x3c
+[ 38.062951] rest_init+0xb4/0xc0
+[ 38.066186] console_on_rootfs+0x0/0x6c
+[ 38.070031] __primary_switched+0x88/0x90
+[ 38.074059] Code: b00037e0 91378000 f9400462 97e9bf49 (d4210000)
+[ 38.080168] ---[ end trace 0000000000000000 ]---
+[ 38.084795] Kernel panic - not syncing: Oops - BUG: Fatal exception in interrupt
+[ 38.092197] SMP: stopping secondary CPUs
+[ 38.096139] Kernel Offset: disabled
+[ 38.099631] CPU features: 0x0000,00002000,02000801,0400420b
+[ 38.105202] Memory Limit: none
+[ 38.108260] ---[ end Kernel panic - not syncing: Oops - BUG: Fatal exception in interrupt ]---
+
+Fixes: b4a3d877dc92 ("media: ti: Add CSI2RX support for J721E")
+Cc: stable@vger.kernel.org
+Suggested-by: Sjoerd Simons <sjoerd@collabora.com>
+Signed-off-by: Sjoerd Simons <sjoerd@collabora.com>
+Signed-off-by: Julien Massot <julien.massot@collabora.com>
+Reviewed-by: Jai Luthra <jai.luthra@linux.dev>
+Tested-by: Dirk Behme <dirk.behme@de.bosch.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/ti/j721e-csi2rx/j721e-csi2rx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/media/platform/ti/j721e-csi2rx/j721e-csi2rx.c
++++ b/drivers/media/platform/ti/j721e-csi2rx/j721e-csi2rx.c
+@@ -619,6 +619,7 @@ static void ti_csi2rx_dma_callback(void
+
+ if (ti_csi2rx_start_dma(csi, buf)) {
+ dev_err(csi->dev, "Failed to queue the next buffer for DMA\n");
++ list_del(&buf->list);
+ vb2_buffer_done(&buf->vb.vb2_buf, VB2_BUF_STATE_ERROR);
+ } else {
+ list_move_tail(&buf->list, &dma->submitted);
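Review bot: The added `list_del(&buf->list)` has no comment saying why the entry must leave the list before `vb2_buffer_done()`, and that ordering is the whole fix. Something like `/* Unlink first: once handed back to vb2 the buffer must not be found on the DMA queue again */` above the call would keep a later cleanup from reordering or dropping it. The list manipulation presumably relies on a lock taken earlier in `ti_csi2rx_dma_callback()`; that part of the function and the enclosing loop are outside the hunk, so it cannot be confirmed here.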
--- /dev/null
+From 35ad7e181541aa5757f9f316768d3e64403ec843 Mon Sep 17 00:00:00 2001
+From: Jiaxun Yang <jiaxun.yang@flygoat.com>
+Date: Sat, 7 Jun 2025 13:43:56 +0100
+Subject: MIPS: mm: tlb-r4k: Uniquify TLB entries on init
+
+From: Jiaxun Yang <jiaxun.yang@flygoat.com>
+
+commit 35ad7e181541aa5757f9f316768d3e64403ec843 upstream.
+
+Hardware or bootloader will initialize TLB entries to any value, which
+may collide with kernel's UNIQUE_ENTRYHI value. On MIPS microAptiv/M5150
+family of cores this will trigger machine check exception and cause boot
+failure. On M5150 simulation this could happen 7 times out of 1000 boots.
+
+Replace local_flush_tlb_all() with r4k_tlb_uniquify() which probes each
+TLB ENTRIHI unique value for collisions before it's written, and in case
+of collision try a different ASID.
+
+Cc: stable@kernel.org
+Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/mm/tlb-r4k.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 55 insertions(+), 1 deletion(-)
+
+--- a/arch/mips/mm/tlb-r4k.c
++++ b/arch/mips/mm/tlb-r4k.c
+@@ -508,6 +508,60 @@ static int __init set_ntlb(char *str)
+
+ __setup("ntlb=", set_ntlb);
+
++/* Initialise all TLB entries with unique values */
++static void r4k_tlb_uniquify(void)
++{
++ int entry = num_wired_entries();
++
++ htw_stop();
++ write_c0_entrylo0(0);
++ write_c0_entrylo1(0);
++
++ while (entry < current_cpu_data.tlbsize) {
++ unsigned long asid_mask = cpu_asid_mask(¤t_cpu_data);
++ unsigned long asid = 0;
++ int idx;
++
++ /* Skip wired MMID to make ginvt_mmid work */
++ if (cpu_has_mmid)
++ asid = MMID_KERNEL_WIRED + 1;
++
++ /* Check for match before using UNIQUE_ENTRYHI */
++ do {
++ if (cpu_has_mmid) {
++ write_c0_memorymapid(asid);
++ write_c0_entryhi(UNIQUE_ENTRYHI(entry));
++ } else {
++ write_c0_entryhi(UNIQUE_ENTRYHI(entry) | asid);
++ }
++ mtc0_tlbw_hazard();
++ tlb_probe();
++ tlb_probe_hazard();
++ idx = read_c0_index();
++ /* No match or match is on current entry */
++ if (idx < 0 || idx == entry)
++ break;
++ /*
++ * If we hit a match, we need to try again with
++ * a different ASID.
++ */
++ asid++;
++ } while (asid < asid_mask);
++
++ if (idx >= 0 && idx != entry)
++ panic("Unable to uniquify TLB entry %d", idx);
++
++ write_c0_index(entry);
++ mtc0_tlbw_hazard();
++ tlb_write_indexed();
++ entry++;
++ }
++
++ tlbw_use_hazard();
++ htw_start();
++ flush_micro_tlb();
++}
++
+ /*
+ * Configure TLB (for init or after a CPU has been powered off).
+ */
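Review bot: In `r4k_tlb_uniquify()` the failure path reports the wrong slot: `panic("Unable to uniquify TLB entry %d", idx)` prints the index that collided, not the `entry` being initialised; `panic("Unable to uniquify TLB entry %d (collides with index %d)", entry, idx);` gives both. The `do … while (asid < asid_mask)` loop also stops before trying the value `asid_mask` itself, so the last ASID is never probed. Within the visible lines the function neither saves and restores EntryHi / MemoryMapID nor disables interrupts, and the comment at the call site says `r4k_tlb_configure()` also runs after a CPU has been powered off, so it is worth confirming that nothing on that path depends on the previous register contents.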
+@@ -547,7 +601,7 @@ static void r4k_tlb_configure(void)
+ temp_tlb_entry = current_cpu_data.tlbsize - 1;
+
+ /* From this point on the ARC firmware is dead. */
+- local_flush_tlb_all();
++ r4k_tlb_uniquify();
+
+ /* Did I tell you that ARC SUCKS? */
+ }
--- /dev/null
+From 188cb385bbf04d486df3e52f28c47b3961f5f0c0 Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Thu, 10 Jul 2025 11:23:53 +0300
+Subject: mm/hmm: move pmd_to_hmm_pfn_flags() to the respective #ifdeffery
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+commit 188cb385bbf04d486df3e52f28c47b3961f5f0c0 upstream.
+
+When pmd_to_hmm_pfn_flags() is unused, it prevents kernel builds with
+clang, `make W=1` and CONFIG_TRANSPARENT_HUGEPAGE=n:
+
+ mm/hmm.c:186:29: warning: unused function 'pmd_to_hmm_pfn_flags' [-Wunused-function]
+
+Fix this by moving the function to the respective existing ifdeffery
+for its the only user.
+
+See also:
+
+ 6863f5643dd7 ("kbuild: allow Clang to find unused static inline functions for W=1 build")
+
+Link: https://lkml.kernel.org/r/20250710082403.664093-1-andriy.shevchenko@linux.intel.com
+Fixes: 992de9a8b751 ("mm/hmm: allow to mirror vma of a file on a DAX backed filesystem")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Reviewed-by: Alistair Popple <apopple@nvidia.com>
+Cc: Andriy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Bill Wendling <morbo@google.com>
+Cc: Jerome Glisse <jglisse@redhat.com>
+Cc: Justin Stitt <justinstitt@google.com>
+Cc: Nathan Chancellor <nathan@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/hmm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/hmm.c
++++ b/mm/hmm.c
+@@ -173,6 +173,7 @@ static inline unsigned long hmm_pfn_flag
+ return order << HMM_PFN_ORDER_SHIFT;
+ }
+
++#ifdef CONFIG_TRANSPARENT_HUGEPAGE
+ static inline unsigned long pmd_to_hmm_pfn_flags(struct hmm_range *range,
+ pmd_t pmd)
+ {
+@@ -183,7 +184,6 @@ static inline unsigned long pmd_to_hmm_p
+ hmm_pfn_flags_order(PMD_SHIFT - PAGE_SHIFT);
+ }
+
+-#ifdef CONFIG_TRANSPARENT_HUGEPAGE
+ static int hmm_vma_handle_pmd(struct mm_walk *walk, unsigned long addr,
+ unsigned long end, unsigned long hmm_pfns[],
+ pmd_t pmd)
--- /dev/null
+From 255116c5b0fa2145ede28c2f7b248df5e73834d1 Mon Sep 17 00:00:00 2001
+From: Kemeng Shi <shikemeng@huaweicloud.com>
+Date: Thu, 22 May 2025 20:25:52 +0800
+Subject: mm: swap: correctly use maxpages in swapon syscall to avoid potential deadloop
+
+From: Kemeng Shi <shikemeng@huaweicloud.com>
+
+commit 255116c5b0fa2145ede28c2f7b248df5e73834d1 upstream.
+
+We use maxpages from read_swap_header() to initialize swap_info_struct,
+however the maxpages might be reduced in setup_swap_extents() and the
+si->max is assigned with the reduced maxpages from the
+setup_swap_extents().
+
+Obviously, this could lead to memory waste as we allocated memory based on
+larger maxpages, besides, this could lead to a potential deadloop as
+following:
+
+1) When calling setup_clusters() with larger maxpages, unavailable
+ pages within range [si->max, larger maxpages) are not accounted with
+ inc_cluster_info_page(). As a result, these pages are assumed
+ available but can not be allocated. The cluster contains these pages
+ can be moved to frag_clusters list after it's all available pages were
+ allocated.
+
+2) When the cluster mentioned in 1) is the only cluster in
+ frag_clusters list, cluster_alloc_swap_entry() assume order 0
+ allocation will never failed and will enter a deadloop by keep trying
+ to allocate page from the only cluster in frag_clusters which contains
+ no actually available page.
+
+Call setup_swap_extents() to get the final maxpages before
+swap_info_struct initialization to fix the issue.
+
+After this change, span will include badblocks and will become large
+value which I think is correct value:
+In summary, there are two kinds of swapfile_activate operations.
+
+1. Filesystem style: Treat all blocks logical continuity and find
+ usable physical extents in logical range. In this way, si->pages will
+ be actual usable physical blocks and span will be "1 + highest_block -
+ lowest_block".
+
+2. Block device style: Treat all blocks physically continue and only
+ one single extent is added. In this way, si->pages will be si->max and
+ span will be "si->pages - 1". Actually, si->pages and si->max is only
+ used in block device style and span value is set with si->pages. As a
+ result, span value in block device style will become a larger value as
+ you mentioned.
+
+I think larger value is correct based on:
+
+1. Span value in filesystem style is "1 + highest_block -
+ lowest_block" which is the range cover all possible phisical blocks
+ including the badblocks.
+
+2. For block device style, si->pages is the actual usable block number
+ and is already in pr_info. The original span value before this patch
+ is also refer to usable block number which is redundant in pr_info.
+
+[shikemeng@huaweicloud.com: ensure si->pages == si->max - 1 after setup_swap_extents()]
+ Link: https://lkml.kernel.org/r/20250522122554.12209-3-shikemeng@huaweicloud.com
+ Link: https://lkml.kernel.org/r/20250718065139.61989-1-shikemeng@huaweicloud.com
+Link: https://lkml.kernel.org/r/20250522122554.12209-3-shikemeng@huaweicloud.com
+Fixes: 661383c6111a ("mm: swap: relaim the cached parts that got scanned")
+Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com>
+Reviewed-by: Baoquan He <bhe@redhat.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Kairui Song <kasong@tencent.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/swapfile.c | 53 ++++++++++++++++++++++++++---------------------------
+ 1 file changed, 26 insertions(+), 27 deletions(-)
+
+--- a/mm/swapfile.c
++++ b/mm/swapfile.c
+@@ -3237,43 +3237,30 @@ static unsigned long read_swap_header(st
+ #define SWAP_CLUSTER_COLS \
+ max_t(unsigned int, SWAP_CLUSTER_INFO_COLS, SWAP_CLUSTER_SPACE_COLS)
+
+-static int setup_swap_map_and_extents(struct swap_info_struct *si,
+- union swap_header *swap_header,
+- unsigned char *swap_map,
+- unsigned long maxpages,
+- sector_t *span)
++static int setup_swap_map(struct swap_info_struct *si,
++ union swap_header *swap_header,
++ unsigned char *swap_map,
++ unsigned long maxpages)
+ {
+- unsigned int nr_good_pages;
+ unsigned long i;
+- int nr_extents;
+-
+- nr_good_pages = maxpages - 1; /* omit header page */
+
++ swap_map[0] = SWAP_MAP_BAD; /* omit header page */
+ for (i = 0; i < swap_header->info.nr_badpages; i++) {
+ unsigned int page_nr = swap_header->info.badpages[i];
+ if (page_nr == 0 || page_nr > swap_header->info.last_page)
+ return -EINVAL;
+ if (page_nr < maxpages) {
+ swap_map[page_nr] = SWAP_MAP_BAD;
+- nr_good_pages--;
++ si->pages--;
+ }
+ }
+
+- if (nr_good_pages) {
+- swap_map[0] = SWAP_MAP_BAD;
+- si->max = maxpages;
+- si->pages = nr_good_pages;
+- nr_extents = setup_swap_extents(si, span);
+- if (nr_extents < 0)
+- return nr_extents;
+- nr_good_pages = si->pages;
+- }
+- if (!nr_good_pages) {
++ if (!si->pages) {
+ pr_warn("Empty swap-file\n");
+ return -EINVAL;
+ }
+
+- return nr_extents;
++ return 0;
+ }
+
+ static struct swap_cluster_info *setup_clusters(struct swap_info_struct *si,
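Review bot: The bad-page loop in `setup_swap_map()` decrements `si->pages` once per list entry, not once per distinct page, so a swap header that lists the same in-range page twice lowers the count twice. The header is read from the swap device and should be treated as untrusted input; guarding the decrement with `if (page_nr < maxpages && swap_map[page_nr] != SWAP_MAP_BAD) {` keeps `si->pages` equal to the number of usable slots. The removed code behaved the same way with `nr_good_pages--`, so this is not a regression introduced here. The bad-page loop in `setup_clusters()`, touched by the later swapfile patch on this page, walks the same list and may count a repeated entry twice as well; `inc_cluster_info_page()` is not visible, so that part is unconfirmed.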
+@@ -3318,7 +3305,7 @@ static struct swap_cluster_info *setup_c
+ * Mark unusable pages as unavailable. The clusters aren't
+ * marked free yet, so no list operations are involved yet.
+ *
+- * See setup_swap_map_and_extents(): header page, bad pages,
++ * See setup_swap_map(): header page, bad pages,
+ * and the EOF part of the last cluster.
+ */
+ inc_cluster_info_page(si, cluster_info, 0);
+@@ -3456,6 +3443,21 @@ SYSCALL_DEFINE2(swapon, const char __use
+ goto bad_swap_unlock_inode;
+ }
+
++ si->max = maxpages;
++ si->pages = maxpages - 1;
++ nr_extents = setup_swap_extents(si, &span);
++ if (nr_extents < 0) {
++ error = nr_extents;
++ goto bad_swap_unlock_inode;
++ }
++ if (si->pages != si->max - 1) {
++ pr_err("swap:%u != (max:%u - 1)\n", si->pages, si->max);
++ error = -EINVAL;
++ goto bad_swap_unlock_inode;
++ }
++
++ maxpages = si->max;
++
+ /* OK, set up the swap map and apply the bad block list */
+ swap_map = vzalloc(maxpages);
+ if (!swap_map) {
+@@ -3467,12 +3469,9 @@ SYSCALL_DEFINE2(swapon, const char __use
+ if (error)
+ goto bad_swap_unlock_inode;
+
+- nr_extents = setup_swap_map_and_extents(si, swap_header, swap_map,
+- maxpages, &span);
+- if (unlikely(nr_extents < 0)) {
+- error = nr_extents;
++ error = setup_swap_map(si, swap_header, swap_map, maxpages);
++ if (error)
+ goto bad_swap_unlock_inode;
+- }
+
+ /*
+ * Use kvmalloc_array instead of bitmap_zalloc as the allocation order might
--- /dev/null
+From 152c1339dc13ad46f1b136e8693de15980750835 Mon Sep 17 00:00:00 2001
+From: Kemeng Shi <shikemeng@huaweicloud.com>
+Date: Thu, 22 May 2025 20:25:53 +0800
+Subject: mm: swap: fix potential buffer overflow in setup_clusters()
+
+From: Kemeng Shi <shikemeng@huaweicloud.com>
+
+commit 152c1339dc13ad46f1b136e8693de15980750835 upstream.
+
+In setup_swap_map(), we only ensure badpages are in range (0, last_page].
+As maxpages might be < last_page, setup_clusters() will encounter a buffer
+overflow when a badpage is >= maxpages.
+
+Only call inc_cluster_info_page() for badpage which is < maxpages to fix
+the issue.
+
+Link: https://lkml.kernel.org/r/20250522122554.12209-4-shikemeng@huaweicloud.com
+Fixes: b843786b0bd0 ("mm: swapfile: fix SSD detection with swapfile on btrfs")
+Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com>
+Reviewed-by: Baoquan He <bhe@redhat.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Kairui Song <kasong@tencent.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/swapfile.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/mm/swapfile.c
++++ b/mm/swapfile.c
+@@ -3309,9 +3309,13 @@ static struct swap_cluster_info *setup_c
+ * and the EOF part of the last cluster.
+ */
+ inc_cluster_info_page(si, cluster_info, 0);
+- for (i = 0; i < swap_header->info.nr_badpages; i++)
+- inc_cluster_info_page(si, cluster_info,
+- swap_header->info.badpages[i]);
++ for (i = 0; i < swap_header->info.nr_badpages; i++) {
++ unsigned int page_nr = swap_header->info.badpages[i];
++
++ if (page_nr >= maxpages)
++ continue;
++ inc_cluster_info_page(si, cluster_info, page_nr);
++ }
+ for (i = maxpages; i < round_up(maxpages, SWAPFILE_CLUSTER); i++)
+ inc_cluster_info_page(si, cluster_info, i);
+
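Review bot: The new `continue` skips out-of-range bad-page entries without a comment, so the reason lives only in the commit message. `badpages[]` comes from the swap header, and per the commit message setup_swap_map() only bounds entries to (0, last_page], which can exceed `maxpages`. A comment above the check, such as `/* badpages[] is only validated against last_page; skip entries >= maxpages so cluster_info is not indexed out of bounds */`, would keep a later cleanup from dropping the guard. setup_clusters() begins and ends outside this hunk, so how cluster_info is sized is not visible here.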
--- /dev/null
+From c872d7c837382517c51a76dfdcf550332cfab231 Mon Sep 17 00:00:00 2001
+From: Robin Murphy <robin.murphy@arm.com>
+Date: Tue, 13 May 2025 16:38:58 +0100
+Subject: perf/arm-ni: Set initial IRQ affinity
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+commit c872d7c837382517c51a76dfdcf550332cfab231 upstream.
+
+While we do request our IRQs with the right flags to stop their affinity
+changing unexpectedly, we forgot to actually set it to start with. Oops.
+
+Cc: stable@vger.kernel.org
+Fixes: 4d5a7680f2b4 ("perf: Add driver for Arm NI-700 interconnect PMU")
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Tested-by: Shouping Wang <allen.wang@hj-micro.com>
+Link: https://lore.kernel.org/r/614ced9149ee8324e58930862bd82cbf46228d27.1747149165.git.robin.murphy@arm.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/perf/arm-ni.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/perf/arm-ni.c
++++ b/drivers/perf/arm-ni.c
+@@ -545,6 +545,8 @@ static int arm_ni_init_cd(struct arm_ni
+ return err;
+
+ cd->cpu = cpumask_local_spread(0, dev_to_node(ni->dev));
++ irq_set_affinity(cd->irq, cpumask_of(cd->cpu));
++
+ cd->pmu = (struct pmu) {
+ .module = THIS_MODULE,
+ .parent = ni->dev,
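Review bot: The return value of `irq_set_affinity()` is discarded on the added line, so a failure would leave `cd->cpu` recorded as the owning CPU while the interrupt may still be delivered elsewhere. Consider checking it, e.g. `err = irq_set_affinity(cd->irq, cpumask_of(cd->cpu));` followed by `if (err) return err;`, or at least a `dev_warn()` if probing should continue. Whether an early return needs extra cleanup depends on how the IRQ was requested, which is above this hunk.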
--- /dev/null
+From 54d5cd4719c5e87f33d271c9ac2e393147d934f8 Mon Sep 17 00:00:00 2001
+From: "Michael J. Ruhl" <michael.j.ruhl@intel.com>
+Date: Sun, 13 Jul 2025 13:29:31 -0400
+Subject: platform/x86/intel/pmt: fix a crashlog NULL pointer access
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michael J. Ruhl <michael.j.ruhl@intel.com>
+
+commit 54d5cd4719c5e87f33d271c9ac2e393147d934f8 upstream.
+
+Usage of the intel_pmt_read() for binary sysfs, requires a pcidev. The
+current use of the endpoint value is only valid for telemetry endpoint
+usage.
+
+Without the ep, the crashlog usage causes the following NULL pointer
+exception:
+
+BUG: kernel NULL pointer dereference, address: 0000000000000000
+Oops: Oops: 0000 [#1] SMP NOPTI
+RIP: 0010:intel_pmt_read+0x3b/0x70 [pmt_class]
+Code:
+Call Trace:
+ <TASK>
+ ? sysfs_kf_bin_read+0xc0/0xe0
+ kernfs_fop_read_iter+0xac/0x1a0
+ vfs_read+0x26d/0x350
+ ksys_read+0x6b/0xe0
+ __x64_sys_read+0x1d/0x30
+ x64_sys_call+0x1bc8/0x1d70
+ do_syscall_64+0x6d/0x110
+
+Augment struct intel_pmt_entry with a pointer to the pcidev to avoid
+the NULL pointer exception.
+
+Fixes: 045a513040cc ("platform/x86/intel/pmt: Use PMT callbacks")
+Cc: stable@vger.kernel.org
+Reviewed-by: David E. Box <david.e.box@linux.intel.com>
+Reviewed-by: Tejas Upadhyay <tejas.upadhyay@intel.com>
+Signed-off-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
+Link: https://lore.kernel.org/r/20250713172943.7335-2-michael.j.ruhl@intel.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/intel/pmt/class.c | 3 ++-
+ drivers/platform/x86/intel/pmt/class.h | 1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/platform/x86/intel/pmt/class.c
++++ b/drivers/platform/x86/intel/pmt/class.c
+@@ -97,7 +97,7 @@ intel_pmt_read(struct file *filp, struct
+ if (count > entry->size - off)
+ count = entry->size - off;
+
+- count = pmt_telem_read_mmio(entry->ep->pcidev, entry->cb, entry->header.guid, buf,
++ count = pmt_telem_read_mmio(entry->pcidev, entry->cb, entry->header.guid, buf,
+ entry->base, off, count);
+
+ return count;
+@@ -252,6 +252,7 @@ static int intel_pmt_populate_entry(stru
+ return -EINVAL;
+ }
+
++ entry->pcidev = pci_dev;
+ entry->guid = header->guid;
+ entry->size = header->size;
+ entry->cb = ivdev->priv_data;
+--- a/drivers/platform/x86/intel/pmt/class.h
++++ b/drivers/platform/x86/intel/pmt/class.h
+@@ -39,6 +39,7 @@ struct intel_pmt_header {
+
+ struct intel_pmt_entry {
+ struct telem_endpoint *ep;
++ struct pci_dev *pcidev;
+ struct intel_pmt_header header;
+ struct bin_attribute pmt_bin_attr;
+ struct kobject *kobj;
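Review bot: `struct intel_pmt_entry` now carries both `ep` and `pcidev` with nothing saying which is valid when. Going by the commit message, `ep` is only meaningful for telemetry endpoints, while `pcidev` is what intel_pmt_read() needs for every entry. Field comments such as `/* telemetry entries only; may be NULL otherwise */` on `ep` and `/* set in intel_pmt_populate_entry(); used by intel_pmt_read() */` on `pcidev` would help keep the same NULL dereference from being reintroduced. The class.c hunk stores the pointer without taking a reference, so it may also be worth stating that an entry is expected not to outlive its PCI device (not verifiable from these hunks). The struct definition continues past this hunk.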
--- /dev/null
+From 5647f61ad9171e8f025558ed6dc5702c56a33ba3 Mon Sep 17 00:00:00 2001
+From: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
+Date: Wed, 9 Jul 2025 20:34:30 +0200
+Subject: s390/mm: Remove possible false-positive warning in pte_free_defer()
+
+From: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
+
+commit 5647f61ad9171e8f025558ed6dc5702c56a33ba3 upstream.
+
+Commit 8211dad627981 ("s390: add pte_free_defer() for pgtables sharing
+page") added a warning to pte_free_defer(), on our request. It was meant
+to warn if this would ever be reached for KVM guest mappings, because
+the page table would be freed w/o a gmap_unlink(). THP mappings are not
+allowed for KVM guests on s390, so this should never happen.
+
+However, it is possible that the warning is triggered in a valid case as
+false-positive.
+
+s390_enable_sie() takes the mmap_lock, marks all VMAs as VM_NOHUGEPAGE and
+splits possibly existing THP guest mappings. mm->context.has_pgste is set
+to 1 before that, to prevent races with the mm_has_pgste() check in
+MADV_HUGEPAGE.
+
+khugepaged drops the mmap_lock for file mappings and might run in parallel,
+before a vma is marked VM_NOHUGEPAGE, but after mm->context.has_pgste was
+set to 1. If it finds file mappings to collapse, it will eventually call
+pte_free_defer(). This will trigger the warning, but it is a valid case
+because gmap is not yet set up, and the THP mappings will be split again.
+
+Therefore, remove the warning and the comment.
+
+Fixes: 8211dad627981 ("s390: add pte_free_defer() for pgtables sharing page")
+Cc: <stable@vger.kernel.org> # 6.6+
+Reviewed-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
+Signed-off-by: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/mm/pgalloc.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/arch/s390/mm/pgalloc.c
++++ b/arch/s390/mm/pgalloc.c
+@@ -219,11 +219,6 @@ void pte_free_defer(struct mm_struct *mm
+ struct ptdesc *ptdesc = virt_to_ptdesc(pgtable);
+
+ call_rcu(&ptdesc->pt_rcu_head, pte_free_now);
+- /*
+- * THPs are not allowed for KVM guests. Warn if pgste ever reaches here.
+- * Turn to the generic pte_free_defer() version once gmap is removed.
+- */
+- WARN_ON_ONCE(mm_has_pgste(mm));
+ }
+ #endif /* CONFIG_TRANSPARENT_HUGEPAGE */
+
bluetooth-btusb-add-usb-id-3625-010b-for-tp-link-archer-tx10ub-nano.patch
net-usbnet-avoid-potential-rcu-stall-on-link_change-event.patch
net-usbnet-fix-the-wrong-netif_carrier_on-call.patch
+x86-sev-evict-cache-lines-during-snp-memory-validation.patch
+alsa-intel_hdmi-fix-off-by-one-error-in-__hdmi_lpe_audio_probe.patch
+alsa-scarlett2-add-retry-on-eproto-from-scarlett2_usb_tx.patch
+alsa-hda-realtek-fix-mute-led-for-hp-victus-16-r1xxx.patch
+alsa-hda-realtek-fix-mute-led-for-hp-victus-16-s0xxx.patch
+alsa-hda-realtek-fix-mute-led-for-hp-victus-16-d1xxx-mb-8a26.patch
+platform-x86-intel-pmt-fix-a-crashlog-null-pointer-access.patch
+x86-fpu-delay-instruction-pointer-fixup-until-after-warning.patch
+kvm-vmx-allow-guest-to-set-debugctl.rtm_debug-if-rtm-is-supported.patch
+s390-mm-remove-possible-false-positive-warning-in-pte_free_defer.patch
+mips-mm-tlb-r4k-uniquify-tlb-entries-on-init.patch
+mm-hmm-move-pmd_to_hmm_pfn_flags-to-the-respective-ifdeffery.patch
+mm-swap-correctly-use-maxpages-in-swapon-syscall-to-avoid-potential-deadloop.patch
+mm-swap-fix-potential-buffer-overflow-in-setup_clusters.patch
+perf-arm-ni-set-initial-irq-affinity.patch
+media-ti-j721e-csi2rx-fix-list_del-corruption.patch
+hid-apple-validate-feature-report-field-count-to-prevent-null-pointer-dereference.patch
+usb-gadget-f_hid-fix-memory-leak-in-hidg_bind-error-path.patch
+usb-gadget-fix-use-after-free-in-composite_dev_cleanup.patch
--- /dev/null
+From 62783c30d78aecf9810dae46fd4d11420ad38b74 Mon Sep 17 00:00:00 2001
+From: Yuhao Jiang <danisjiang@gmail.com>
+Date: Mon, 23 Jun 2025 17:48:44 +0800
+Subject: USB: gadget: f_hid: Fix memory leak in hidg_bind error path
+
+From: Yuhao Jiang <danisjiang@gmail.com>
+
+commit 62783c30d78aecf9810dae46fd4d11420ad38b74 upstream.
+
+In hidg_bind(), if alloc_workqueue() fails after usb_assign_descriptors()
+has successfully allocated the USB descriptors, the current error handling
+does not call usb_free_all_descriptors() to free the allocated descriptors,
+resulting in a memory leak.
+
+Restructure the error handling by adding proper cleanup labels:
+- fail_free_all: cleans up workqueue and descriptors
+- fail_free_descs: cleans up descriptors only
+- fail: original cleanup for earlier failures
+
+This ensures that allocated resources are properly freed in reverse order
+of their allocation, preventing the memory leak when alloc_workqueue() fails.
+
+Fixes: a139c98f760ef ("USB: gadget: f_hid: Add GET_REPORT via userspace IOCTL")
+Cc: stable@vger.kernel.org
+Signed-off-by: Yuhao Jiang <danisjiang@gmail.com>
+Link: https://lore.kernel.org/r/20250623094844.244977-1-danisjiang@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_hid.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_hid.c
++++ b/drivers/usb/gadget/function/f_hid.c
+@@ -1275,18 +1275,19 @@ static int hidg_bind(struct usb_configur
+
+ if (!hidg->workqueue) {
+ status = -ENOMEM;
+- goto fail;
++ goto fail_free_descs;
+ }
+
+ /* create char device */
+ cdev_init(&hidg->cdev, &f_hidg_fops);
+ status = cdev_device_add(&hidg->cdev, &hidg->dev);
+ if (status)
+- goto fail_free_descs;
++ goto fail_free_all;
+
+ return 0;
+-fail_free_descs:
++fail_free_all:
+ destroy_workqueue(hidg->workqueue);
++fail_free_descs:
+ usb_free_all_descriptors(f);
+ fail:
+ ERROR(f->config->cdev, "hidg_bind FAILED\n");
--- /dev/null
+From 151c0aa896c47a4459e07fee7d4843f44c1bb18e Mon Sep 17 00:00:00 2001
+From: Tao Xue <xuetao09@huawei.com>
+Date: Mon, 21 Jul 2025 17:39:08 +0800
+Subject: usb: gadget : fix use-after-free in composite_dev_cleanup()
+
+From: Tao Xue <xuetao09@huawei.com>
+
+commit 151c0aa896c47a4459e07fee7d4843f44c1bb18e upstream.
+
+1. In func configfs_composite_bind() -> composite_os_desc_req_prepare():
+if kmalloc fails, the pointer cdev->os_desc_req will be freed but not
+set to NULL. Then it will return a failure to the upper-level function.
+2. In func configfs_composite_bind() -> composite_dev_cleanup():
+it will check whether cdev->os_desc_req is NULL. If it is not NULL, it
+will attempt to use it. This will lead to a use-after-free issue.
+
+BUG: KASAN: use-after-free in composite_dev_cleanup+0xf4/0x2c0
+Read of size 8 at addr 0000004827837a00 by task init/1
+
+CPU: 10 PID: 1 Comm: init Tainted: G O 5.10.97-oh #1
+ kasan_report+0x188/0x1cc
+ __asan_load8+0xb4/0xbc
+ composite_dev_cleanup+0xf4/0x2c0
+ configfs_composite_bind+0x210/0x7ac
+ udc_bind_to_driver+0xb4/0x1ec
+ usb_gadget_probe_driver+0xec/0x21c
+ gadget_dev_desc_UDC_store+0x264/0x27c
+
+Fixes: 37a3a533429e ("usb: gadget: OS Feature Descriptors support")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Tao Xue <xuetao09@huawei.com>
+Link: https://lore.kernel.org/r/20250721093908.14967-1-xuetao09@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/composite.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -2489,6 +2489,11 @@ int composite_os_desc_req_prepare(struct
+ if (!cdev->os_desc_req->buf) {
+ ret = -ENOMEM;
+ usb_ep_free_request(ep0, cdev->os_desc_req);
++ /*
++ * Set os_desc_req to NULL so that composite_dev_cleanup()
++ * will not try to free it again.
++ */
++ cdev->os_desc_req = NULL;
+ goto end;
+ }
+ cdev->os_desc_req->context = cdev;
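Review bot: The added comment says the pointer is cleared so that composite_dev_cleanup() "will not try to free it again", but the KASAN report in the commit message is a read of the freed request, so the cleanup path dereferences it as well. Wording such as `/* ep0 request was just freed; clear it so composite_dev_cleanup() neither dereferences nor frees it */` describes the hazard more precisely. composite_os_desc_req_prepare() starts and ends outside this hunk.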
--- /dev/null
+From 1cec9ac2d071cfd2da562241aab0ef701355762a Mon Sep 17 00:00:00 2001
+From: Dave Hansen <dave.hansen@linux.intel.com>
+Date: Tue, 24 Jun 2025 14:01:48 -0700
+Subject: x86/fpu: Delay instruction pointer fixup until after warning
+
+From: Dave Hansen <dave.hansen@linux.intel.com>
+
+commit 1cec9ac2d071cfd2da562241aab0ef701355762a upstream.
+
+Right now, if XRSTOR fails, a console message like this is printed:
+
+ Bad FPU state detected at restore_fpregs_from_fpstate+0x9a/0x170, reinitializing FPU registers.
+
+However, the text location (...+0x9a in this case) is the instruction
+*AFTER* the XRSTOR. The highlighted instruction in the "Code:" dump
+also points one instruction late.
+
+The reason is that the "fixup" moves RIP up to pass the bad XRSTOR and
+keep on running after returning from the #GP handler. But it does this
+fixup before warning.
+
+The resulting warning output is nonsensical because it looks like the
+non-FPU-related instruction is #GP'ing.
+
+Do not fix up RIP until after printing the warning. Do this by using
+the more generic and standard ex_handler_default().
+
+Fixes: d5c8028b4788 ("x86/fpu: Reinitialize FPU registers if restoring FPU state fails")
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Reviewed-by: Chao Gao <chao.gao@intel.com>
+Acked-by: Alison Schofield <alison.schofield@intel.com>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc:stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20250624210148.97126F9E%40davehans-spike.ostc.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/mm/extable.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/mm/extable.c
++++ b/arch/x86/mm/extable.c
+@@ -122,13 +122,12 @@ static bool ex_handler_sgx(const struct
+ static bool ex_handler_fprestore(const struct exception_table_entry *fixup,
+ struct pt_regs *regs)
+ {
+- regs->ip = ex_fixup_addr(fixup);
+-
+ WARN_ONCE(1, "Bad FPU state detected at %pB, reinitializing FPU registers.",
+ (void *)instruction_pointer(regs));
+
+ fpu_reset_from_exception_fixup();
+- return true;
++
++ return ex_handler_default(fixup, regs);
+ }
+
+ /*
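Review bot: With the RIP fixup moved after the warning, `instruction_pointer(regs)` is now the faulting XRSTOR itself rather than an address following it, yet the format still uses `%pB`, which is meant for return addresses in backtraces. `%pS` may be the better fit, e.g. `WARN_ONCE(1, "Bad FPU state detected at %pS, reinitializing FPU registers.", ...)`. The two should differ only when the instruction sits at the very start of a symbol, so this is a minor point to confirm against the printk format documentation. A one-line comment above the `return`, such as `/* ex_handler_default() does the RIP fixup; keep it after the WARN so the report names the faulting instruction */`, would also protect the ordering.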
--- /dev/null
+From a436a0238803ed3ee2c590e9fa53c8f7dcd1139f Mon Sep 17 00:00:00 2001
+From: Tom Lendacky <thomas.lendacky@amd.com>
+Date: Wed, 30 Jul 2025 09:17:48 -0500
+Subject: x86/sev: Evict cache lines during SNP memory validation
+
+From: Tom Lendacky <thomas.lendacky@amd.com>
+
+Commit 7b306dfa326f70114312b320d083b21fa9481e1e upstream.
+
+An SNP cache coherency vulnerability requires a cache line eviction
+mitigation when validating memory after a page state change to private.
+The specific mitigation is to touch the first and last byte of each 4K
+page that is being validated. There is no need to perform the mitigation
+when performing a page state change to shared and rescinding validation.
+
+CPUID bit Fn8000001F_EBX[31] defines the COHERENCY_SFW_NO CPUID bit that,
+when set, indicates that the software mitigation for this vulnerability is
+not needed.
+
+Implement the mitigation and invoke it when validating memory (making it
+private) and the COHERENCY_SFW_NO bit is not set, indicating the SNP guest
+is vulnerable.
+
+Co-developed-by: Michael Roth <michael.roth@amd.com>
+Signed-off-by: Michael Roth <michael.roth@amd.com>
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Acked-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/boot/cpuflags.c | 13 ++++++++++
+ arch/x86/coco/sev/shared.c | 46 +++++++++++++++++++++++++++++++++++++
+ arch/x86/include/asm/cpufeatures.h | 1
+ arch/x86/kernel/cpu/scattered.c | 1
+ 4 files changed, 61 insertions(+)
+
+--- a/arch/x86/boot/cpuflags.c
++++ b/arch/x86/boot/cpuflags.c
+@@ -115,5 +115,18 @@ void get_cpuflags(void)
+ cpuid(0x80000001, &ignored, &ignored, &cpu.flags[6],
+ &cpu.flags[1]);
+ }
++
++ if (max_amd_level >= 0x8000001f) {
++ u32 ebx;
++
++ /*
++ * The X86_FEATURE_COHERENCY_SFW_NO feature bit is in
++ * the virtualization flags entry (word 8) and set by
++ * scattered.c, so the bit needs to be explicitly set.
++ */
++ cpuid(0x8000001f, &ignored, &ebx, &ignored, &ignored);
++ if (ebx & BIT(31))
++ set_bit(X86_FEATURE_COHERENCY_SFW_NO, cpu.flags);
++ }
+ }
+ }
+--- a/arch/x86/coco/sev/shared.c
++++ b/arch/x86/coco/sev/shared.c
+@@ -1243,6 +1243,24 @@ static void svsm_pval_terminate(struct s
+ __pval_terminate(pfn, action, page_size, ret, svsm_ret);
+ }
+
++static inline void sev_evict_cache(void *va, int npages)
++{
++ volatile u8 val __always_unused;
++ u8 *bytes = va;
++ int page_idx;
++
++ /*
++ * For SEV guests, a read from the first/last cache-lines of a 4K page
++ * using the guest key is sufficient to cause a flush of all cache-lines
++ * associated with that 4K page without incurring all the overhead of a
++ * full CLFLUSH sequence.
++ */
++ for (page_idx = 0; page_idx < npages; page_idx++) {
++ val = bytes[page_idx * PAGE_SIZE];
++ val = bytes[page_idx * PAGE_SIZE + PAGE_SIZE - 1];
++ }
++}
++
+ static void svsm_pval_4k_page(unsigned long paddr, bool validate)
+ {
+ struct svsm_pvalidate_call *pc;
+@@ -1295,6 +1313,13 @@ static void pvalidate_4k_page(unsigned l
+ if (ret)
+ __pval_terminate(PHYS_PFN(paddr), validate, RMP_PG_SIZE_4K, ret, 0);
+ }
++
++ /*
++ * If validating memory (making it private) and affected by the
++ * cache-coherency vulnerability, perform the cache eviction mitigation.
++ */
++ if (validate && !has_cpuflag(X86_FEATURE_COHERENCY_SFW_NO))
++ sev_evict_cache((void *)vaddr, 1);
+ }
+
+ static void pval_pages(struct snp_psc_desc *desc)
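Review bot: This site tests the feature with `has_cpuflag()` while the pvalidate_pages() hunk below uses `cpu_feature_enabled()` for the same bit, and neither comment explains the difference. Presumably pvalidate_4k_page() can run from early boot code where only the boot cpuflags (filled in by the cpuflags.c hunk) are available. If so, the comment should say it, e.g. `/* may run before the kernel's CPU feature bits are set up, so use the boot cpuflags */`. Without that, the two checks read as an inconsistency that a later cleanup could unify, which might skip the mitigation on one of the paths. pvalidate_4k_page() begins outside this hunk.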
+@@ -1479,10 +1504,31 @@ static void svsm_pval_pages(struct snp_p
+
+ static void pvalidate_pages(struct snp_psc_desc *desc)
+ {
++ struct psc_entry *e;
++ unsigned int i;
++
+ if (snp_vmpl)
+ svsm_pval_pages(desc);
+ else
+ pval_pages(desc);
++
++ /*
++ * If not affected by the cache-coherency vulnerability there is no need
++ * to perform the cache eviction mitigation.
++ */
++ if (cpu_feature_enabled(X86_FEATURE_COHERENCY_SFW_NO))
++ return;
++
++ for (i = 0; i <= desc->hdr.end_entry; i++) {
++ e = &desc->entries[i];
++
++ /*
++ * If validating memory (making it private) perform the cache
++ * eviction mitigation.
++ */
++ if (e->operation == SNP_PAGE_STATE_PRIVATE)
++ sev_evict_cache(pfn_to_kaddr(e->gfn), e->pagesize ? 512 : 1);
++ }
+ }
+
+ static int vmgexit_psc(struct ghcb *ghcb, struct snp_psc_desc *desc)
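Review bot: `e->pagesize ? 512 : 1` hard-codes the number of 4K pages in a 2M entry and treats any non-zero pagesize as 2M. Writing it as `e->pagesize == RMP_PG_SIZE_2M ? PTRS_PER_PMD : 1` would tie the count to named constants; RMP_PG_SIZE_4K is already used in the pvalidate_4k_page() path. The helper added in the earlier hunk, `sev_evict_cache()`, takes `int npages` and multiplies the index by PAGE_SIZE, so an unsigned count would match how it is called here.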
+--- a/arch/x86/include/asm/cpufeatures.h
++++ b/arch/x86/include/asm/cpufeatures.h
+@@ -227,6 +227,7 @@
+ #define X86_FEATURE_FLEXPRIORITY ( 8*32+ 1) /* "flexpriority" Intel FlexPriority */
+ #define X86_FEATURE_EPT ( 8*32+ 2) /* "ept" Intel Extended Page Table */
+ #define X86_FEATURE_VPID ( 8*32+ 3) /* "vpid" Intel Virtual Processor ID */
++#define X86_FEATURE_COHERENCY_SFW_NO ( 8*32+ 4) /* SNP cache coherency software work around not needed */
+
+ #define X86_FEATURE_VMMCALL ( 8*32+15) /* "vmmcall" Prefer VMMCALL to VMCALL */
+ #define X86_FEATURE_XENPV ( 8*32+16) /* Xen paravirtual guest */
+--- a/arch/x86/kernel/cpu/scattered.c
++++ b/arch/x86/kernel/cpu/scattered.c
+@@ -47,6 +47,7 @@ static const struct cpuid_bit cpuid_bits
+ { X86_FEATURE_PROC_FEEDBACK, CPUID_EDX, 11, 0x80000007, 0 },
+ { X86_FEATURE_FAST_CPPC, CPUID_EDX, 15, 0x80000007, 0 },
+ { X86_FEATURE_MBA, CPUID_EBX, 6, 0x80000008, 0 },
++ { X86_FEATURE_COHERENCY_SFW_NO, CPUID_EBX, 31, 0x8000001f, 0 },
+ { X86_FEATURE_SMBA, CPUID_EBX, 2, 0x80000020, 0 },
+ { X86_FEATURE_BMEC, CPUID_EBX, 3, 0x80000020, 0 },
+ { X86_FEATURE_TSA_SQ_NO, CPUID_ECX, 1, 0x80000021, 0 },