--- /dev/null
+From stable+bounces-169403-greg=kroah.com@vger.kernel.org Wed Aug 13 16:14:10 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Aug 2025 10:10:27 -0400
+Subject: ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx()
+To: stable@vger.kernel.org
+Cc: "Geoffrey D. Bennett" <g@b4.vu>, Takashi Iwai <tiwai@suse.de>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250813141027.2043326-1-sashal@kernel.org>
+
+From: "Geoffrey D. Bennett" <g@b4.vu>
+
+[ Upstream commit 8a15ca0ca51399b652b1bbb23b590b220cf03d62 ]
+
+During communication with Focusrite Scarlett Gen 2/3/4 USB audio
+interfaces, -EPROTO is sometimes returned from scarlett2_usb_tx(),
+snd_usb_ctl_msg() which can cause initialisation and control
+operations to fail intermittently.
+
+This patch adds up to 5 retries in scarlett2_usb(), with a delay
+starting at 5ms and doubling each time. This follows the same approach
+as the fix for usb_set_interface() in endpoint.c (commit f406005e162b
+("ALSA: usb-audio: Add retry on -EPROTO from usb_set_interface()")),
+which resolved similar -EPROTO issues during device initialisation,
+and is the same approach as in fcp.c:fcp_usb().
+
+Fixes: 9e4d5c1be21f ("ALSA: usb-audio: Scarlett Gen 2 mixer interface")
+Closes: https://github.com/geoffreybennett/linux-fcp/issues/41
+Cc: stable@vger.kernel.org
+Signed-off-by: Geoffrey D. Bennett <g@b4.vu>
+Link: https://patch.msgid.link/aIdDO6ld50WQwNim@m.b4.vu
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+[ Applied patch to the older file name mixer_scarlett_gen2.c instead of mixer_scarlett2.c. ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/mixer_scarlett_gen2.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/sound/usb/mixer_scarlett_gen2.c
++++ b/sound/usb/mixer_scarlett_gen2.c
+@@ -125,6 +125,7 @@
+ #include <linux/slab.h>
+ #include <linux/usb.h>
+ #include <linux/moduleparam.h>
++#include <linux/delay.h>
+
+ #include <sound/control.h>
+ #include <sound/tlv.h>
+@@ -1064,6 +1065,8 @@ static int scarlett2_usb(
+ u16 req_buf_size = sizeof(struct scarlett2_usb_packet) + req_size;
+ u16 resp_buf_size = sizeof(struct scarlett2_usb_packet) + resp_size;
+ struct scarlett2_usb_packet *req, *resp = NULL;
++ int retries = 0;
++ const int max_retries = 5;
+ int err;
+
+ req = kmalloc(req_buf_size, GFP_KERNEL);
+@@ -1087,10 +1090,15 @@ static int scarlett2_usb(
+ if (req_size)
+ memcpy(req->data, req_data, req_size);
+
++retry:
+ err = scarlett2_usb_tx(dev, private->bInterfaceNumber,
+ req, req_buf_size);
+
+ if (err != req_buf_size) {
++ if (err == -EPROTO && ++retries <= max_retries) {
++ msleep(5 * (1 << (retries - 1)));
++ goto retry;
++ }
+ usb_audio_err(
+ mixer->chip,
+ "Scarlett Gen 2/3 USB request result cmd %x was %d\n",
--- /dev/null
+From stable+bounces-164978-greg=kroah.com@vger.kernel.org Mon Jul 28 16:55:51 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Jul 2025 10:55:37 -0400
+Subject: ARM: 9448/1: Use an absolute path to unified.h in KBUILD_AFLAGS
+To: stable@vger.kernel.org
+Cc: Nathan Chancellor <nathan@kernel.org>, KernelCI bot <bot@kernelci.org>, Masahiro Yamada <masahiroy@kernel.org>, Russell King <rmk+kernel@armlinux.org.uk>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250728145537.2340885-1-sashal@kernel.org>
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+[ Upstream commit 87c4e1459e80bf65066f864c762ef4dc932fad4b ]
+
+After commit d5c8d6e0fa61 ("kbuild: Update assembler calls to use proper
+flags and language target"), which updated as-instr to use the
+'assembler-with-cpp' language option, the Kbuild version of as-instr
+always fails internally for arch/arm with
+
+ <command-line>: fatal error: asm/unified.h: No such file or directory
+ compilation terminated.
+
+because '-include' flags are now taken into account by the compiler
+driver and as-instr does not have '$(LINUXINCLUDE)', so unified.h is not
+found.
+
+This went unnoticed at the time of the Kbuild change because the last
+use of as-instr in Kbuild that arch/arm could reach was removed in 5.7
+by commit 541ad0150ca4 ("arm: Remove 32bit KVM host support") but a
+stable backport of the Kbuild change to before that point exposed this
+potential issue if one were to be reintroduced.
+
+Follow the general pattern of '-include' paths throughout the tree and
+make unified.h absolute using '$(srctree)' to ensure KBUILD_AFLAGS can
+be used independently.
+
+Closes: https://lore.kernel.org/CACo-S-1qbCX4WAVFA63dWfHtrRHZBTyyr2js8Lx=Az03XHTTHg@mail.gmail.com/
+
+Cc: stable@vger.kernel.org
+Fixes: d5c8d6e0fa61 ("kbuild: Update assembler calls to use proper flags and language target")
+Reported-by: KernelCI bot <bot@kernelci.org>
+Reviewed-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+[ adapted to missing -Wa ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/Makefile
++++ b/arch/arm/Makefile
+@@ -126,7 +126,7 @@ endif
+
+ # Need -Uarm for gcc < 3.x
+ KBUILD_CFLAGS +=$(CFLAGS_ABI) $(CFLAGS_ISA) $(arch-y) $(tune-y) $(call cc-option,-mshort-load-bytes,$(call cc-option,-malignment-traps,)) -msoft-float -Uarm
+-KBUILD_AFLAGS +=$(CFLAGS_ABI) $(AFLAGS_ISA) $(arch-y) $(tune-y) -include asm/unified.h -msoft-float
++KBUILD_AFLAGS +=$(CFLAGS_ABI) $(AFLAGS_ISA) $(arch-y) $(tune-y) -include $(srctree)/arch/arm/include/asm/unified.h -msoft-float
+
+ CHECKFLAGS += -D__arm__
+
--- /dev/null
+From stable+bounces-165061-greg=kroah.com@vger.kernel.org Tue Jul 29 14:44:34 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Jul 2025 08:44:24 -0400
+Subject: arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack()
+To: stable@vger.kernel.org
+Cc: Ada Couprie Diaz <ada.coupriediaz@arm.com>, Cristian Prundeanu <cpru@amazon.com>, Will Deacon <will@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250729124424.2699860-1-sashal@kernel.org>
+
+From: Ada Couprie Diaz <ada.coupriediaz@arm.com>
+
+[ Upstream commit d42e6c20de6192f8e4ab4cf10be8c694ef27e8cb ]
+
+`cpu_switch_to()` and `call_on_irq_stack()` manipulate SP to change
+to different stacks along with the Shadow Call Stack if it is enabled.
+Those two stack changes cannot be done atomically and both functions
+can be interrupted by SErrors or Debug Exceptions which, though unlikely,
+is very much broken : if interrupted, we can end up with mismatched stacks
+and Shadow Call Stack leading to clobbered stacks.
+
+In `cpu_switch_to()`, it can happen when SP_EL0 points to the new task,
+but x18 stills points to the old task's SCS. When the interrupt handler
+tries to save the task's SCS pointer, it will save the old task
+SCS pointer (x18) into the new task struct (pointed to by SP_EL0),
+clobbering it.
+
+In `call_on_irq_stack()`, it can happen when switching from the task stack
+to the IRQ stack and when switching back. In both cases, we can be
+interrupted when the SCS pointer points to the IRQ SCS, but SP points to
+the task stack. The nested interrupt handler pushes its return addresses
+on the IRQ SCS. It then detects that SP points to the task stack,
+calls `call_on_irq_stack()` and clobbers the task SCS pointer with
+the IRQ SCS pointer, which it will also use !
+
+This leads to tasks returning to addresses on the wrong SCS,
+or even on the IRQ SCS, triggering kernel panics via CONFIG_VMAP_STACK
+or FPAC if enabled.
+
+This is possible on a default config, but unlikely.
+However, when enabling CONFIG_ARM64_PSEUDO_NMI, DAIF is unmasked and
+instead the GIC is responsible for filtering what interrupts the CPU
+should receive based on priority.
+Given the goal of emulating NMIs, pseudo-NMIs can be received by the CPU
+even in `cpu_switch_to()` and `call_on_irq_stack()`, possibly *very*
+frequently depending on the system configuration and workload, leading
+to unpredictable kernel panics.
+
+Completely mask DAIF in `cpu_switch_to()` and restore it when returning.
+Do the same in `call_on_irq_stack()`, but restore and mask around
+the branch.
+Mask DAIF even if CONFIG_SHADOW_CALL_STACK is not enabled for consistency
+of behaviour between all configurations.
+
+Introduce and use an assembly macro for saving and masking DAIF,
+as the existing one saves but only masks IF.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
+Reported-by: Cristian Prundeanu <cpru@amazon.com>
+Fixes: 59b37fe52f49 ("arm64: Stash shadow stack pointer in the task struct on interrupt")
+Tested-by: Cristian Prundeanu <cpru@amazon.com>
+Acked-by: Will Deacon <will@kernel.org>
+Link: https://lore.kernel.org/r/20250718142814.133329-1-ada.coupriediaz@arm.com
+Signed-off-by: Will Deacon <will@kernel.org>
+[ removed duplicate save_and_disable_daif macro ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/entry.S | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/arch/arm64/kernel/entry.S
++++ b/arch/arm64/kernel/entry.S
+@@ -833,6 +833,7 @@ SYM_CODE_END(__bp_harden_el1_vectors)
+ *
+ */
+ SYM_FUNC_START(cpu_switch_to)
++ save_and_disable_daif x11
+ mov x10, #THREAD_CPU_CONTEXT
+ add x8, x0, x10
+ mov x9, sp
+@@ -856,6 +857,7 @@ SYM_FUNC_START(cpu_switch_to)
+ ptrauth_keys_install_kernel x1, x8, x9, x10
+ scs_save x0
+ scs_load_current
++ restore_irq x11
+ ret
+ SYM_FUNC_END(cpu_switch_to)
+ NOKPROBE(cpu_switch_to)
+@@ -882,6 +884,7 @@ NOKPROBE(ret_from_fork)
+ * Calls func(regs) using this CPU's irq stack and shadow irq stack.
+ */
+ SYM_FUNC_START(call_on_irq_stack)
++ save_and_disable_daif x9
+ #ifdef CONFIG_SHADOW_CALL_STACK
+ get_current_task x16
+ scs_save x16
+@@ -896,8 +899,10 @@ SYM_FUNC_START(call_on_irq_stack)
+
+ /* Move to the new stack and call the function there */
+ add sp, x16, #IRQ_STACK_SIZE
++ restore_irq x9
+ blr x1
+
++ save_and_disable_daif x9
+ /*
+ * Restore the SP from the FP, and restore the FP and LR from the frame
+ * record.
+@@ -905,6 +910,7 @@ SYM_FUNC_START(call_on_irq_stack)
+ mov sp, x29
+ ldp x29, x30, [sp], #16
+ scs_load_current
++ restore_irq x9
+ ret
+ SYM_FUNC_END(call_on_irq_stack)
+ NOKPROBE(call_on_irq_stack)
--- /dev/null
+From stable+bounces-172210-greg=kroah.com@vger.kernel.org Thu Aug 21 20:09:07 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Aug 2025 14:08:59 -0400
+Subject: ata: Fix SATA_MOBILE_LPM_POLICY description in Kconfig
+To: stable@vger.kernel.org
+Cc: Damien Le Moal <dlemoal@kernel.org>, Hannes Reinecke <hare@suse.de>, Niklas Cassel <cassel@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250821180859.884176-1-sashal@kernel.org>
+
+From: Damien Le Moal <dlemoal@kernel.org>
+
+[ Upstream commit ed62a62a18bc144f73eadf866ae46842e8f6606e ]
+
+Improve the description of the possible default SATA link power
+management policies and add the missing description for policy 5.
+No functional changes.
+
+Fixes: a5ec5a7bfd1f ("ata: ahci: Support state with min power but Partial low power state")
+Cc: stable@vger.kernel.org
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Reviewed-by: Niklas Cassel <cassel@kernel.org>
+[ Adjust context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/Kconfig | 33 +++++++++++++++++++++++++--------
+ 1 file changed, 25 insertions(+), 8 deletions(-)
+
+--- a/drivers/ata/Kconfig
++++ b/drivers/ata/Kconfig
+@@ -117,22 +117,39 @@ config SATA_AHCI
+
+ config SATA_MOBILE_LPM_POLICY
+ int "Default SATA Link Power Management policy for mobile chipsets"
+- range 0 4
++ range 0 5
+ default 0
+ depends on SATA_AHCI
+ help
+ Select the Default SATA Link Power Management (LPM) policy to use
+ for mobile / laptop variants of chipsets / "South Bridges".
+
+- The value set has the following meanings:
++ Each policy combines power saving states and features:
++ - Partial: The Phy logic is powered but is in a reduced power
++ state. The exit latency from this state is no longer than
++ 10us).
++ - Slumber: The Phy logic is powered but is in an even lower power
++ state. The exit latency from this state is potentially
++ longer, but no longer than 10ms.
++ - DevSleep: The Phy logic may be powered down. The exit latency from
++ this state is no longer than 20 ms, unless otherwise
++ specified by DETO in the device Identify Device Data log.
++ - HIPM: Host Initiated Power Management (host automatically
++ transitions to partial and slumber).
++ - DIPM: Device Initiated Power Management (device automatically
++ transitions to partial and slumber).
++
++ The possible values for the default SATA link power management
++ policies are:
+ 0 => Keep firmware settings
+- 1 => Maximum performance
+- 2 => Medium power
+- 3 => Medium power with Device Initiated PM enabled
+- 4 => Minimum power
++ 1 => No power savings (maximum performance)
++ 2 => HIPM (Partial)
++ 3 => HIPM (Partial) and DIPM (Partial and Slumber)
++ 4 => HIPM (Partial and DevSleep) and DIPM (Partial and Slumber)
++ 5 => HIPM (Slumber and DevSleep) and DIPM (Partial and Slumber)
+
+- Note "Minimum power" is known to cause issues, including disk
+- corruption, with some disks and should not be used.
++ Excluding the value 0, higher values represent policies with higher
++ power savings.
+
+ config SATA_AHCI_PLATFORM
+ tristate "Platform AHCI SATA support"
--- /dev/null
+From stable+bounces-169867-greg=kroah.com@vger.kernel.org Sat Aug 16 23:06:04 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 16 Aug 2025 17:05:52 -0400
+Subject: block: Make REQ_OP_ZONE_FINISH a write operation
+To: stable@vger.kernel.org
+Cc: Damien Le Moal <dlemoal@kernel.org>, Bart Van Assche <bvanassche@acm.org>, Johannes Thumshirn <johannes.thumshirn@wdc.com>, Christoph Hellwig <hch@lst.de>, Jens Axboe <axboe@kernel.dk>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250816210552.1246430-1-sashal@kernel.org>
+
+From: Damien Le Moal <dlemoal@kernel.org>
+
+[ Upstream commit 3f66ccbaaef3a0c5bd844eab04e3207b4061c546 ]
+
+REQ_OP_ZONE_FINISH is defined as "12", which makes
+op_is_write(REQ_OP_ZONE_FINISH) return false, despite the fact that a
+zone finish operation is an operation that modifies a zone (transition
+it to full) and so should be considered as a write operation (albeit
+one that does not transfer any data to the device).
+
+Fix this by redefining REQ_OP_ZONE_FINISH to be an odd number (13), and
+redefine REQ_OP_ZONE_RESET and REQ_OP_ZONE_RESET_ALL using sequential
+odd numbers from that new value.
+
+Fixes: 6c1b1da58f8c ("block: add zone open, close and finish operations")
+Cc: stable@vger.kernel.org
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20250625093327.548866-2-dlemoal@kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+[ More renumbering... ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/blk_types.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/include/linux/blk_types.h
++++ b/include/linux/blk_types.h
+@@ -341,13 +341,13 @@ enum req_opf {
+ /* Close a zone */
+ REQ_OP_ZONE_CLOSE = 11,
+ /* Transition a zone to full */
+- REQ_OP_ZONE_FINISH = 12,
++ REQ_OP_ZONE_FINISH = 13,
+ /* write data at the current zone write pointer */
+- REQ_OP_ZONE_APPEND = 13,
++ REQ_OP_ZONE_APPEND = 15,
+ /* reset a zone write pointer */
+- REQ_OP_ZONE_RESET = 15,
++ REQ_OP_ZONE_RESET = 17,
+ /* reset all the zone present on the device */
+- REQ_OP_ZONE_RESET_ALL = 17,
++ REQ_OP_ZONE_RESET_ALL = 19,
+
+ /* Driver private requests */
+ REQ_OP_DRV_IN = 34,
--- /dev/null
+From stable+bounces-171776-greg=kroah.com@vger.kernel.org Tue Aug 19 14:05:42 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Aug 2025 08:04:02 -0400
+Subject: btrfs: populate otime when logging an inode item
+To: stable@vger.kernel.org
+Cc: Qu Wenruo <wqu@suse.com>, Filipe Manana <fdmanana@suse.com>, David Sterba <dsterba@suse.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250819120402.453011-1-sashal@kernel.org>
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit 1ef94169db0958d6de39f9ea6e063ce887342e2d ]
+
+[TEST FAILURE WITH EXPERIMENTAL FEATURES]
+When running test case generic/508, the test case will fail with the new
+btrfs shutdown support:
+
+generic/508 - output mismatch (see /home/adam/xfstests/results//generic/508.out.bad)
+# --- tests/generic/508.out 2022-05-11 11:25:30.806666664 +0930
+# +++ /home/adam/xfstests/results//generic/508.out.bad 2025-07-02 14:53:22.401824212 +0930
+# @@ -1,2 +1,6 @@
+# QA output created by 508
+# Silence is golden
+# +Before:
+# +After : stat.btime = Thu Jan 1 09:30:00 1970
+# +Before:
+# +After : stat.btime = Wed Jul 2 14:53:22 2025
+# ...
+# (Run 'diff -u /home/adam/xfstests/tests/generic/508.out /home/adam/xfstests/results//generic/508.out.bad' to see the entire diff)
+Ran: generic/508
+Failures: generic/508
+Failed 1 of 1 tests
+
+Please note that the test case requires shutdown support, thus the test
+case will be skipped using the current upstream kernel, as it doesn't
+have shutdown ioctl support.
+
+[CAUSE]
+The direct cause the 0 time stamp in the log tree:
+
+leaf 30507008 items 2 free space 16057 generation 9 owner TREE_LOG
+leaf 30507008 flags 0x1(WRITTEN) backref revision 1
+checksum stored e522548d
+checksum calced e522548d
+fs uuid 57d45451-481e-43e4-aa93-289ad707a3a0
+chunk uuid d52bd3fd-5163-4337-98a7-7986993ad398
+ item 0 key (257 INODE_ITEM 0) itemoff 16123 itemsize 160
+ generation 9 transid 9 size 0 nbytes 0
+ block group 0 mode 100644 links 1 uid 0 gid 0 rdev 0
+ sequence 1 flags 0x0(none)
+ atime 1751432947.492000000 (2025-07-02 14:39:07)
+ ctime 1751432947.492000000 (2025-07-02 14:39:07)
+ mtime 1751432947.492000000 (2025-07-02 14:39:07)
+ otime 0.0 (1970-01-01 09:30:00) <<<
+
+But the old fs tree has all the correct time stamp:
+
+btrfs-progs v6.12
+fs tree key (FS_TREE ROOT_ITEM 0)
+leaf 30425088 items 2 free space 16061 generation 5 owner FS_TREE
+leaf 30425088 flags 0x1(WRITTEN) backref revision 1
+checksum stored 48f6c57e
+checksum calced 48f6c57e
+fs uuid 57d45451-481e-43e4-aa93-289ad707a3a0
+chunk uuid d52bd3fd-5163-4337-98a7-7986993ad398
+ item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160
+ generation 3 transid 0 size 0 nbytes 16384
+ block group 0 mode 40755 links 1 uid 0 gid 0 rdev 0
+ sequence 0 flags 0x0(none)
+ atime 1751432947.0 (2025-07-02 14:39:07)
+ ctime 1751432947.0 (2025-07-02 14:39:07)
+ mtime 1751432947.0 (2025-07-02 14:39:07)
+ otime 1751432947.0 (2025-07-02 14:39:07) <<<
+
+The root cause is that fill_inode_item() in tree-log.c is only
+populating a/c/m time, not the otime (or btime in statx output).
+
+Part of the reason is that, the vfs inode only has a/c/m time, no native
+btime support yet.
+
+[FIX]
+Thankfully btrfs has its otime stored in btrfs_inode::i_otime_sec and
+btrfs_inode::i_otime_nsec.
+
+So what we really need is just fill the otime time stamp in
+fill_inode_item() of tree-log.c
+
+There is another fill_inode_item() in inode.c, which is doing the proper
+otime population.
+
+Fixes: 94edf4ae43a5 ("Btrfs: don't bother committing delayed inode updates when fsyncing")
+CC: stable@vger.kernel.org
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+[ timespec changes in older tree ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tree-log.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -4000,6 +4000,11 @@ static void fill_inode_item(struct btrfs
+ btrfs_set_token_timespec_nsec(&token, &item->ctime,
+ inode->i_ctime.tv_nsec);
+
++ btrfs_set_token_timespec_sec(&token, &item->otime,
++ BTRFS_I(inode)->i_otime.tv_sec);
++ btrfs_set_token_timespec_nsec(&token, &item->otime,
++ BTRFS_I(inode)->i_otime.tv_nsec);
++
+ /*
+ * We do not need to set the nbytes field, in fact during a fast fsync
+ * its value may not even be correct, since a fast fsync does not wait
--- /dev/null
+From stable+bounces-172208-greg=kroah.com@vger.kernel.org Thu Aug 21 19:56:09 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Aug 2025 13:56:00 -0400
+Subject: bus: mhi: host: Detect events pointing to unexpected TREs
+To: stable@vger.kernel.org
+Cc: Youssef Samir <quic_yabdulra@quicinc.com>, Manivannan Sadhasivam <mani@kernel.org>, Jeff Hugo <jeff.hugo@oss.qualcomm.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250821175600.873291-1-sashal@kernel.org>
+
+From: Youssef Samir <quic_yabdulra@quicinc.com>
+
+[ Upstream commit 5bd398e20f0833ae8a1267d4f343591a2dd20185 ]
+
+When a remote device sends a completion event to the host, it contains a
+pointer to the consumed TRE. The host uses this pointer to process all of
+the TREs between it and the host's local copy of the ring's read pointer.
+This works when processing completion for chained transactions, but can
+lead to nasty results if the device sends an event for a single-element
+transaction with a read pointer that is multiple elements ahead of the
+host's read pointer.
+
+For instance, if the host accesses an event ring while the device is
+updating it, the pointer inside of the event might still point to an old
+TRE. If the host uses the channel's xfer_cb() to directly free the buffer
+pointed to by the TRE, the buffer will be double-freed.
+
+This behavior was observed on an ep that used upstream EP stack without
+'commit 6f18d174b73d ("bus: mhi: ep: Update read pointer only after buffer
+is written")'. Where the device updated the events ring pointer before
+updating the event contents, so it left a window where the host was able to
+access the stale data the event pointed to, before the device had the
+chance to update them. The usual pattern was that the host received an
+event pointing to a TRE that is not immediately after the last processed
+one, so it got treated as if it was a chained transaction, processing all
+of the TREs in between the two read pointers.
+
+This commit aims to harden the host by ensuring transactions where the
+event points to a TRE that isn't local_rp + 1 are chained.
+
+Fixes: 1d3173a3bae7 ("bus: mhi: core: Add support for processing events from client device")
+Signed-off-by: Youssef Samir <quic_yabdulra@quicinc.com>
+[mani: added stable tag and reworded commit message]
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Reviewed-by: Jeff Hugo <jeff.hugo@oss.qualcomm.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250714163039.3438985-1-quic_yabdulra@quicinc.com
+[ Replaced missing MHI_TRE_DATA_GET_CHAIN macro with direct bit 0 check on dword[1]. ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bus/mhi/host/main.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+--- a/drivers/bus/mhi/host/main.c
++++ b/drivers/bus/mhi/host/main.c
+@@ -594,7 +594,7 @@ static int parse_xfer_event(struct mhi_c
+ {
+ dma_addr_t ptr = MHI_TRE_GET_EV_PTR(event);
+ struct mhi_ring_element *local_rp, *ev_tre;
+- void *dev_rp;
++ void *dev_rp, *next_rp;
+ struct mhi_buf_info *buf_info;
+ u16 xfer_len;
+
+@@ -613,6 +613,19 @@ static int parse_xfer_event(struct mhi_c
+ result.dir = mhi_chan->dir;
+
+ local_rp = tre_ring->rp;
++
++ next_rp = local_rp + 1;
++ if (next_rp >= tre_ring->base + tre_ring->len)
++ next_rp = tre_ring->base;
++ /* Check if the event points to an unexpected TRE.
++ * Chain flag is bit 0 of dword[1] in the TRE.
++ */
++ if (dev_rp != next_rp && !(le32_to_cpu(local_rp->dword[1]) & 0x1)) {
++ dev_err(&mhi_cntrl->mhi_dev->dev,
++ "Event element points to an unexpected TRE\n");
++ break;
++ }
++
+ while (local_rp != dev_rp) {
+ buf_info = buf_ring->rp;
+ /* If it's the last TRE, get length from the event */
--- /dev/null
+From stable+bounces-165095-greg=kroah.com@vger.kernel.org Tue Jul 29 18:16:50 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Jul 2025 12:16:38 -0400
+Subject: drm/sched: Remove optimization that causes hang when killing dependent jobs
+To: stable@vger.kernel.org
+Cc: "Lin.Cao" <lincao12@amd.com>, "Christian König" <christian.koenig@amd.com>, "Philipp Stanner" <phasta@kernel.org>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250729161638.2745002-1-sashal@kernel.org>
+
+From: "Lin.Cao" <lincao12@amd.com>
+
+[ Upstream commit 15f77764e90a713ee3916ca424757688e4f565b9 ]
+
+When application A submits jobs and application B submits a job with a
+dependency on A's fence, the normal flow wakes up the scheduler after
+processing each job. However, the optimization in
+drm_sched_entity_add_dependency_cb() uses a callback that only clears
+dependencies without waking up the scheduler.
+
+When application A is killed before its jobs can run, the callback gets
+triggered but only clears the dependency without waking up the scheduler,
+causing the scheduler to enter sleep state and application B to hang.
+
+Remove the optimization by deleting drm_sched_entity_clear_dep() and its
+usage, ensuring the scheduler is always woken up when dependencies are
+cleared.
+
+Fixes: 777dbd458c89 ("drm/amdgpu: drop a dummy wakeup scheduler")
+Cc: stable@vger.kernel.org # v4.6+
+Signed-off-by: Lin.Cao <lincao12@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Philipp Stanner <phasta@kernel.org>
+Link: https://lore.kernel.org/r/20250717084453.921097-1-lincao12@amd.com
+[ Changed drm_sched_wakeup_if_can_queue() calls to drm_sched_wakeup() ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/scheduler/sched_entity.c | 27 ++++-----------------------
+ 1 file changed, 4 insertions(+), 23 deletions(-)
+
+--- a/drivers/gpu/drm/scheduler/sched_entity.c
++++ b/drivers/gpu/drm/scheduler/sched_entity.c
+@@ -317,21 +317,8 @@ void drm_sched_entity_destroy(struct drm
+ EXPORT_SYMBOL(drm_sched_entity_destroy);
+
+ /*
+- * drm_sched_entity_clear_dep - callback to clear the entities dependency
+- */
+-static void drm_sched_entity_clear_dep(struct dma_fence *f,
+- struct dma_fence_cb *cb)
+-{
+- struct drm_sched_entity *entity =
+- container_of(cb, struct drm_sched_entity, cb);
+-
+- entity->dependency = NULL;
+- dma_fence_put(f);
+-}
+-
+-/*
+- * drm_sched_entity_clear_dep - callback to clear the entities dependency and
+- * wake up scheduler
++ * drm_sched_entity_wakeup - callback to clear the entity's dependency and
++ * wake up the scheduler
+ */
+ static void drm_sched_entity_wakeup(struct dma_fence *f,
+ struct dma_fence_cb *cb)
+@@ -339,7 +326,8 @@ static void drm_sched_entity_wakeup(stru
+ struct drm_sched_entity *entity =
+ container_of(cb, struct drm_sched_entity, cb);
+
+- drm_sched_entity_clear_dep(f, cb);
++ entity->dependency = NULL;
++ dma_fence_put(f);
+ drm_sched_wakeup(entity->rq->sched);
+ }
+
+@@ -395,13 +383,6 @@ static bool drm_sched_entity_add_depende
+ fence = dma_fence_get(&s_fence->scheduled);
+ dma_fence_put(entity->dependency);
+ entity->dependency = fence;
+- if (!dma_fence_add_callback(fence, &entity->cb,
+- drm_sched_entity_clear_dep))
+- return true;
+-
+- /* Ignore it when it is already scheduled */
+- dma_fence_put(fence);
+- return false;
+ }
+
+ if (!dma_fence_add_callback(entity->dependency, &entity->cb,
--- /dev/null
+From stable+bounces-164651-greg=kroah.com@vger.kernel.org Thu Jul 24 19:44:07 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jul 2025 13:43:58 -0400
+Subject: f2fs: fix to do sanity check on ino and xnid
+To: stable@vger.kernel.org
+Cc: Chao Yu <chao@kernel.org>, syzbot+cc448dcdc7ae0b4e4ffa@syzkaller.appspotmail.com, Jaegeuk Kim <jaegeuk@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250724174358.1407937-1-sashal@kernel.org>
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 061cf3a84bde038708eb0f1d065b31b7c2456533 ]
+
+syzbot reported a f2fs bug as below:
+
+INFO: task syz-executor140:5308 blocked for more than 143 seconds.
+ Not tainted 6.14.0-rc7-syzkaller-00069-g81e4f8d68c66 #0
+"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+task:syz-executor140 state:D stack:24016 pid:5308 tgid:5308 ppid:5306 task_flags:0x400140 flags:0x00000006
+Call Trace:
+ <TASK>
+ context_switch kernel/sched/core.c:5378 [inline]
+ __schedule+0x190e/0x4c90 kernel/sched/core.c:6765
+ __schedule_loop kernel/sched/core.c:6842 [inline]
+ schedule+0x14b/0x320 kernel/sched/core.c:6857
+ io_schedule+0x8d/0x110 kernel/sched/core.c:7690
+ folio_wait_bit_common+0x839/0xee0 mm/filemap.c:1317
+ __folio_lock mm/filemap.c:1664 [inline]
+ folio_lock include/linux/pagemap.h:1163 [inline]
+ __filemap_get_folio+0x147/0xb40 mm/filemap.c:1917
+ pagecache_get_page+0x2c/0x130 mm/folio-compat.c:87
+ find_get_page_flags include/linux/pagemap.h:842 [inline]
+ f2fs_grab_cache_page+0x2b/0x320 fs/f2fs/f2fs.h:2776
+ __get_node_page+0x131/0x11b0 fs/f2fs/node.c:1463
+ read_xattr_block+0xfb/0x190 fs/f2fs/xattr.c:306
+ lookup_all_xattrs fs/f2fs/xattr.c:355 [inline]
+ f2fs_getxattr+0x676/0xf70 fs/f2fs/xattr.c:533
+ __f2fs_get_acl+0x52/0x870 fs/f2fs/acl.c:179
+ f2fs_acl_create fs/f2fs/acl.c:375 [inline]
+ f2fs_init_acl+0xd7/0x9b0 fs/f2fs/acl.c:418
+ f2fs_init_inode_metadata+0xa0f/0x1050 fs/f2fs/dir.c:539
+ f2fs_add_inline_entry+0x448/0x860 fs/f2fs/inline.c:666
+ f2fs_add_dentry+0xba/0x1e0 fs/f2fs/dir.c:765
+ f2fs_do_add_link+0x28c/0x3a0 fs/f2fs/dir.c:808
+ f2fs_add_link fs/f2fs/f2fs.h:3616 [inline]
+ f2fs_mknod+0x2e8/0x5b0 fs/f2fs/namei.c:766
+ vfs_mknod+0x36d/0x3b0 fs/namei.c:4191
+ unix_bind_bsd net/unix/af_unix.c:1286 [inline]
+ unix_bind+0x563/0xe30 net/unix/af_unix.c:1379
+ __sys_bind_socket net/socket.c:1817 [inline]
+ __sys_bind+0x1e4/0x290 net/socket.c:1848
+ __do_sys_bind net/socket.c:1853 [inline]
+ __se_sys_bind net/socket.c:1851 [inline]
+ __x64_sys_bind+0x7a/0x90 net/socket.c:1851
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Let's dump and check metadata of corrupted inode, it shows its xattr_nid
+is the same to its i_ino.
+
+dump.f2fs -i 3 chaseyu.img.raw
+i_xattr_nid [0x 3 : 3]
+
+So that, during mknod in the corrupted directory, it tries to get and
+lock inode page twice, result in deadlock.
+
+- f2fs_mknod
+ - f2fs_add_inline_entry
+ - f2fs_get_inode_page --- lock dir's inode page
+ - f2fs_init_acl
+ - f2fs_acl_create(dir,..)
+ - __f2fs_get_acl
+ - f2fs_getxattr
+ - lookup_all_xattrs
+ - __get_node_page --- try to lock dir's inode page
+
+In order to fix this, let's add sanity check on ino and xnid.
+
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+cc448dcdc7ae0b4e4ffa@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-f2fs-devel/67e06150.050a0220.21942d.0005.GAE@google.com
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+[ add set_sbi_flag(sbi, SBI_NEED_FSCK) to match error handling pattern ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/inode.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/f2fs/inode.c
++++ b/fs/f2fs/inode.c
+@@ -226,6 +226,13 @@ static bool sanity_check_inode(struct in
+ return false;
+ }
+
++ if (ino_of_node(node_page) == fi->i_xattr_nid) {
++ set_sbi_flag(sbi, SBI_NEED_FSCK);
++ f2fs_warn(sbi, "%s: corrupted inode i_ino=%lx, xnid=%x, run fsck to fix.",
++ __func__, inode->i_ino, fi->i_xattr_nid);
++ return false;
++ }
++
+ if (f2fs_sb_has_flexible_inline_xattr(sbi)
+ && !f2fs_has_extra_attr(inode)) {
+ set_sbi_flag(sbi, SBI_NEED_FSCK);
--- /dev/null
+From stable+bounces-171771-greg=kroah.com@vger.kernel.org Tue Aug 19 13:54:56 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Aug 2025 07:53:45 -0400
+Subject: hv_netvsc: Fix panic during namespace deletion with VF
+To: stable@vger.kernel.org
+Cc: Haiyang Zhang <haiyangz@microsoft.com>, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250819115346.448012-1-sashal@kernel.org>
+
+From: Haiyang Zhang <haiyangz@microsoft.com>
+
+[ Upstream commit 33caa208dba6fa639e8a92fd0c8320b652e5550c ]
+
+The existing code move the VF NIC to new namespace when NETDEV_REGISTER is
+received on netvsc NIC. During deletion of the namespace,
+default_device_exit_batch() >> default_device_exit_net() is called. When
+netvsc NIC is moved back and registered to the default namespace, it
+automatically brings VF NIC back to the default namespace. This will cause
+the default_device_exit_net() >> for_each_netdev_safe loop unable to detect
+the list end, and hit NULL ptr:
+
+[ 231.449420] mana 7870:00:00.0 enP30832s1: Moved VF to namespace with: eth0
+[ 231.449656] BUG: kernel NULL pointer dereference, address: 0000000000000010
+[ 231.450246] #PF: supervisor read access in kernel mode
+[ 231.450579] #PF: error_code(0x0000) - not-present page
+[ 231.450916] PGD 17b8a8067 P4D 0
+[ 231.451163] Oops: Oops: 0000 [#1] SMP NOPTI
+[ 231.451450] CPU: 82 UID: 0 PID: 1394 Comm: kworker/u768:1 Not tainted 6.16.0-rc4+ #3 VOLUNTARY
+[ 231.452042] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/21/2024
+[ 231.452692] Workqueue: netns cleanup_net
+[ 231.452947] RIP: 0010:default_device_exit_batch+0x16c/0x3f0
+[ 231.453326] Code: c0 0c f5 b3 e8 d5 db fe ff 48 85 c0 74 15 48 c7 c2 f8 fd ca b2 be 10 00 00 00 48 8d 7d c0 e8 7b 77 25 00 49 8b 86 28 01 00 00 <48> 8b 50 10 4c 8b 2a 4c 8d 62 f0 49 83 ed 10 4c 39 e0 0f 84 d6 00
+[ 231.454294] RSP: 0018:ff75fc7c9bf9fd00 EFLAGS: 00010246
+[ 231.454610] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 61c8864680b583eb
+[ 231.455094] RDX: ff1fa9f71462d800 RSI: ff75fc7c9bf9fd38 RDI: 0000000030766564
+[ 231.455686] RBP: ff75fc7c9bf9fd78 R08: 0000000000000000 R09: 0000000000000000
+[ 231.456126] R10: 0000000000000001 R11: 0000000000000004 R12: ff1fa9f70088e340
+[ 231.456621] R13: ff1fa9f70088e340 R14: ffffffffb3f50c20 R15: ff1fa9f7103e6340
+[ 231.457161] FS: 0000000000000000(0000) GS:ff1faa6783a08000(0000) knlGS:0000000000000000
+[ 231.457707] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 231.458031] CR2: 0000000000000010 CR3: 0000000179ab2006 CR4: 0000000000b73ef0
+[ 231.458434] Call Trace:
+[ 231.458600] <TASK>
+[ 231.458777] ops_undo_list+0x100/0x220
+[ 231.459015] cleanup_net+0x1b8/0x300
+[ 231.459285] process_one_work+0x184/0x340
+
+To fix it, move the ns change to a workqueue, and take rtnl_lock to avoid
+changing the netdev list when default_device_exit_net() is using it.
+
+Cc: stable@vger.kernel.org
+Fixes: 4c262801ea60 ("hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event")
+Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
+Link: https://patch.msgid.link/1754511711-11188-1-git-send-email-haiyangz@linux.microsoft.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/hyperv/hyperv_net.h | 3 +++
+ drivers/net/hyperv/netvsc_drv.c | 29 ++++++++++++++++++++++++++++-
+ 2 files changed, 31 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/hyperv/hyperv_net.h
++++ b/drivers/net/hyperv/hyperv_net.h
+@@ -1032,6 +1032,7 @@ struct net_device_context {
+ struct net_device __rcu *vf_netdev;
+ struct netvsc_vf_pcpu_stats __percpu *vf_stats;
+ struct delayed_work vf_takeover;
++ struct delayed_work vfns_work;
+
+ /* 1: allocated, serial number is valid. 0: not allocated */
+ u32 vf_alloc;
+@@ -1046,6 +1047,8 @@ struct net_device_context {
+ struct netvsc_device_info *saved_netvsc_dev_info;
+ };
+
++void netvsc_vfns_work(struct work_struct *w);
++
+ /* Per channel data */
+ struct netvsc_channel {
+ struct vmbus_channel *channel;
+--- a/drivers/net/hyperv/netvsc_drv.c
++++ b/drivers/net/hyperv/netvsc_drv.c
+@@ -2565,6 +2565,7 @@ static int netvsc_probe(struct hv_device
+ spin_lock_init(&net_device_ctx->lock);
+ INIT_LIST_HEAD(&net_device_ctx->reconfig_events);
+ INIT_DELAYED_WORK(&net_device_ctx->vf_takeover, netvsc_vf_setup);
++ INIT_DELAYED_WORK(&net_device_ctx->vfns_work, netvsc_vfns_work);
+
+ net_device_ctx->vf_stats
+ = netdev_alloc_pcpu_stats(struct netvsc_vf_pcpu_stats);
+@@ -2703,6 +2704,8 @@ static int netvsc_remove(struct hv_devic
+ cancel_delayed_work_sync(&ndev_ctx->dwork);
+
+ rtnl_lock();
++ cancel_delayed_work_sync(&ndev_ctx->vfns_work);
++
+ nvdev = rtnl_dereference(ndev_ctx->nvdev);
+ if (nvdev) {
+ cancel_work_sync(&nvdev->subchan_work);
+@@ -2745,6 +2748,7 @@ static int netvsc_suspend(struct hv_devi
+ cancel_delayed_work_sync(&ndev_ctx->dwork);
+
+ rtnl_lock();
++ cancel_delayed_work_sync(&ndev_ctx->vfns_work);
+
+ nvdev = rtnl_dereference(ndev_ctx->nvdev);
+ if (nvdev == NULL) {
+@@ -2838,6 +2842,27 @@ static void netvsc_event_set_vf_ns(struc
+ }
+ }
+
++void netvsc_vfns_work(struct work_struct *w)
++{
++ struct net_device_context *ndev_ctx =
++ container_of(w, struct net_device_context, vfns_work.work);
++ struct net_device *ndev;
++
++ if (!rtnl_trylock()) {
++ schedule_delayed_work(&ndev_ctx->vfns_work, 1);
++ return;
++ }
++
++ ndev = hv_get_drvdata(ndev_ctx->device_ctx);
++ if (!ndev)
++ goto out;
++
++ netvsc_event_set_vf_ns(ndev);
++
++out:
++ rtnl_unlock();
++}
++
+ /*
+ * On Hyper-V, every VF interface is matched with a corresponding
+ * synthetic interface. The synthetic interface is presented first
+@@ -2848,10 +2873,12 @@ static int netvsc_netdev_event(struct no
+ unsigned long event, void *ptr)
+ {
+ struct net_device *event_dev = netdev_notifier_info_to_dev(ptr);
++ struct net_device_context *ndev_ctx;
+ int ret = 0;
+
+ if (event_dev->netdev_ops == &device_ops && event == NETDEV_REGISTER) {
+- netvsc_event_set_vf_ns(event_dev);
++ ndev_ctx = netdev_priv(event_dev);
++ schedule_delayed_work(&ndev_ctx->vfns_work, 0);
+ return NOTIFY_DONE;
+ }
+
--- /dev/null
+From stable+bounces-165121-greg=kroah.com@vger.kernel.org Tue Jul 29 21:17:09 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Jul 2025 15:16:44 -0400
+Subject: ice: Fix a null pointer dereference in ice_copy_and_init_pkg()
+To: stable@vger.kernel.org
+Cc: Haoxiang Li <haoxiang_li2024@163.com>, Michal Swiatkowski <michal.swiatkowski@linux.intel.com>, Aleksandr Loktionov <aleksandr.loktionov@intel.com>, Simon Horman <horms@kernel.org>, Rinitha S <sx.rinitha@intel.com>, Tony Nguyen <anthony.l.nguyen@intel.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250729191644.2869910-1-sashal@kernel.org>
+
+From: Haoxiang Li <haoxiang_li2024@163.com>
+
+[ Upstream commit 4ff12d82dac119b4b99b5a78b5af3bf2474c0a36 ]
+
+Add check for the return value of devm_kmemdup()
+to prevent potential null pointer dereference.
+
+Fixes: c76488109616 ("ice: Implement Dynamic Device Personalization (DDP) download")
+Cc: stable@vger.kernel.org
+Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
+Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+[ applied the patch to ice_flex_pipe.c instead of ice_ddp.c ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/ice/ice_flex_pipe.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/intel/ice/ice_flex_pipe.c
++++ b/drivers/net/ethernet/intel/ice/ice_flex_pipe.c
+@@ -1448,6 +1448,8 @@ enum ice_status ice_copy_and_init_pkg(st
+ return ICE_ERR_PARAM;
+
+ buf_copy = devm_kmemdup(ice_hw_to_dev(hw), buf, len, GFP_KERNEL);
++ if (!buf_copy)
++ return ICE_ERR_NO_MEMORY;
+
+ status = ice_init_pkg(hw, buf_copy, len);
+ if (status) {
--- /dev/null
+From stable+bounces-164623-greg=kroah.com@vger.kernel.org Thu Jul 24 17:14:09 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jul 2025 11:14:00 -0400
+Subject: iio: hid-sensor-prox: Fix incorrect OFFSET calculation
+To: stable@vger.kernel.org
+Cc: Zhang Lixu <lixu.zhang@intel.com>, Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>, Jonathan Cameron <Jonathan.Cameron@huawei.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250724151400.1363747-1-sashal@kernel.org>
+
+From: Zhang Lixu <lixu.zhang@intel.com>
+
+[ Upstream commit 79dabbd505210e41c88060806c92c052496dd61c ]
+
+The OFFSET calculation in the prox_read_raw() was incorrectly using the
+unit exponent, which is intended for SCALE calculations.
+
+Remove the incorrect OFFSET calculation and set it to a fixed value of 0.
+
+Cc: stable@vger.kernel.org
+Fixes: 39a3a0138f61 ("iio: hid-sensors: Added Proximity Sensor Driver")
+Signed-off-by: Zhang Lixu <lixu.zhang@intel.com>
+Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Link: https://patch.msgid.link/20250331055022.1149736-4-lixu.zhang@intel.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+[ adapted prox_attr array access to single structure member access ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/light/hid-sensor-prox.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/iio/light/hid-sensor-prox.c
++++ b/drivers/iio/light/hid-sensor-prox.c
+@@ -103,8 +103,7 @@ static int prox_read_raw(struct iio_dev
+ ret_type = prox_state->scale_precision;
+ break;
+ case IIO_CHAN_INFO_OFFSET:
+- *val = hid_sensor_convert_exponent(
+- prox_state->prox_attr.unit_expo);
++ *val = 0;
+ ret_type = IIO_VAL_INT;
+ break;
+ case IIO_CHAN_INFO_SAMP_FREQ:
--- /dev/null
+From stable+bounces-164640-greg=kroah.com@vger.kernel.org Thu Jul 24 18:27:43 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jul 2025 12:27:03 -0400
+Subject: iio: hid-sensor-prox: Restore lost scale assignments
+To: stable@vger.kernel.org
+Cc: Zhang Lixu <lixu.zhang@intel.com>, Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>, Jonathan Cameron <Jonathan.Cameron@huawei.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250724162703.1368510-1-sashal@kernel.org>
+
+From: Zhang Lixu <lixu.zhang@intel.com>
+
+[ Upstream commit 83ded7cfaccccd2f4041769c313b58b4c9e265ad ]
+
+The variables `scale_pre_decml`, `scale_post_decml`, and `scale_precision`
+were assigned in commit d68c592e02f6 ("iio: hid-sensor-prox: Fix scale not
+correct issue"), but due to a merge conflict in
+commit 9c15db92a8e5 ("Merge tag 'iio-for-5.13a' of
+https://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-next"),
+these assignments were lost.
+
+Add back lost assignments and replace `st->prox_attr` with
+`st->prox_attr[0]` because commit 596ef5cf654b ("iio: hid-sensor-prox: Add
+support for more channels") changed `prox_attr` to an array.
+
+Cc: stable@vger.kernel.org # 5.13+
+Fixes: 9c15db92a8e5 ("Merge tag 'iio-for-5.13a' of https://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-next")
+Signed-off-by: Zhang Lixu <lixu.zhang@intel.com>
+Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Link: https://patch.msgid.link/20250331055022.1149736-2-lixu.zhang@intel.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+[ changed st->prox_attr[0] array access to st->prox_attr single struct member ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/light/hid-sensor-prox.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/iio/light/hid-sensor-prox.c
++++ b/drivers/iio/light/hid-sensor-prox.c
+@@ -222,6 +222,11 @@ static int prox_parse_report(struct plat
+ dev_dbg(&pdev->dev, "prox %x:%x\n", st->prox_attr.index,
+ st->prox_attr.report_id);
+
++ st->scale_precision = hid_sensor_format_scale(hsdev->usage,
++ &st->prox_attr,
++ &st->scale_pre_decml,
++ &st->scale_post_decml);
++
+ return ret;
+ }
+
--- /dev/null
+From stable+bounces-164655-greg=kroah.com@vger.kernel.org Thu Jul 24 20:11:44 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jul 2025 14:11:34 -0400
+Subject: KVM: VMX: Flush shadow VMCS on emergency reboot
+To: stable@vger.kernel.org
+Cc: Chao Gao <chao.gao@intel.com>, Kai Huang <kai.huang@intel.com>, Sean Christopherson <seanjc@google.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250724181134.1457856-1-sashal@kernel.org>
+
+From: Chao Gao <chao.gao@intel.com>
+
+[ Upstream commit a0ee1d5faff135e28810f29e0f06328c66f89852 ]
+
+Ensure the shadow VMCS cache is evicted during an emergency reboot to
+prevent potential memory corruption if the cache is evicted after reboot.
+
+This issue was identified through code inspection, as __loaded_vmcs_clear()
+flushes both the normal VMCS and the shadow VMCS.
+
+Avoid checking the "launched" state during an emergency reboot, unlike the
+behavior in __loaded_vmcs_clear(). This is important because reboot NMIs
+can interfere with operations like copy_shadow_to_vmcs12(), where shadow
+VMCSes are loaded directly using VMPTRLD. In such cases, if NMIs occur
+right after the VMCS load, the shadow VMCSes will be active but the
+"launched" state may not be set.
+
+Fixes: 16f5b9034b69 ("KVM: nVMX: Copy processor-specific shadow-vmcs to VMCS12")
+Cc: stable@vger.kernel.org
+Signed-off-by: Chao Gao <chao.gao@intel.com>
+Reviewed-by: Kai Huang <kai.huang@intel.com>
+Link: https://lore.kernel.org/r/20250324140849.2099723-1-chao.gao@intel.com
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+[ adjusted context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/vmx/vmx.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/vmx/vmx.c
++++ b/arch/x86/kvm/vmx/vmx.c
+@@ -681,8 +681,11 @@ static void crash_vmclear_local_loaded_v
+ struct loaded_vmcs *v;
+
+ list_for_each_entry(v, &per_cpu(loaded_vmcss_on_cpu, cpu),
+- loaded_vmcss_on_cpu_link)
++ loaded_vmcss_on_cpu_link) {
+ vmcs_clear(v->vmcs);
++ if (v->shadow_vmcs)
++ vmcs_clear(v->shadow_vmcs);
++ }
+ }
+ #endif /* CONFIG_KEXEC_CORE */
+
--- /dev/null
+From stable+bounces-171809-greg=kroah.com@vger.kernel.org Tue Aug 19 17:06:04 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Aug 2025 11:00:30 -0400
+Subject: mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd()
+To: stable@vger.kernel.org
+Cc: Anshuman Khandual <anshuman.khandual@arm.com>, David Hildenbrand <david@redhat.com>, Dev Jain <dev.jain@arm.com>, Alexander Gordeev <agordeev@linux.ibm.com>, Catalin Marinas <catalin.marinas@arm.com>, Will Deacon <will@kernel.org>, Ryan Roberts <ryan.roberts@arm.com>, Paul Walmsley <paul.walmsley@sifive.com>, Palmer Dabbelt <palmer@dabbelt.com>, Gerald Schaefer <gerald.schaefer@linux.ibm.com>, Heiko Carstens <hca@linux.ibm.com>, Vasily Gorbik <gor@linux.ibm.com>, Christian Borntraeger <borntraeger@linux.ibm.com>, Sven Schnelle <svens@linux.ibm.com>, Andrew Morton <akpm@linux-foundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250819150030.528447-1-sashal@kernel.org>
+
+From: Anshuman Khandual <anshuman.khandual@arm.com>
+
+[ Upstream commit 59305202c67fea50378dcad0cc199dbc13a0e99a ]
+
+Memory hot remove unmaps and tears down various kernel page table regions
+as required. The ptdump code can race with concurrent modifications of
+the kernel page tables. When leaf entries are modified concurrently, the
+dump code may log stale or inconsistent information for a VA range, but
+this is otherwise not harmful.
+
+But when intermediate levels of kernel page table are freed, the dump code
+will continue to use memory that has been freed and potentially
+reallocated for another purpose. In such cases, the ptdump code may
+dereference bogus addresses, leading to a number of potential problems.
+
+To avoid the above mentioned race condition, platforms such as arm64,
+riscv and s390 take memory hotplug lock, while dumping kernel page table
+via the sysfs interface /sys/kernel/debug/kernel_page_tables.
+
+Similar race condition exists while checking for pages that might have
+been marked W+X via /sys/kernel/debug/kernel_page_tables/check_wx_pages
+which in turn calls ptdump_check_wx(). Instead of solving this race
+condition again, let's just move the memory hotplug lock inside generic
+ptdump_check_wx() which will benefit both the scenarios.
+
+Drop get_online_mems() and put_online_mems() combination from all existing
+platform ptdump code paths.
+
+Link: https://lkml.kernel.org/r/20250620052427.2092093-1-anshuman.khandual@arm.com
+Fixes: bbd6ec605c0f ("arm64/mm: Enable memory hot remove")
+Signed-off-by: Anshuman Khandual <anshuman.khandual@arm.com>
+Acked-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Dev Jain <dev.jain@arm.com>
+Acked-by: Alexander Gordeev <agordeev@linux.ibm.com> [s390]
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Will Deacon <will@kernel.org>
+Cc: Ryan Roberts <ryan.roberts@arm.com>
+Cc: Paul Walmsley <paul.walmsley@sifive.com>
+Cc: Palmer Dabbelt <palmer@dabbelt.com>
+Cc: Alexander Gordeev <agordeev@linux.ibm.com>
+Cc: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
+Cc: Heiko Carstens <hca@linux.ibm.com>
+Cc: Vasily Gorbik <gor@linux.ibm.com>
+Cc: Christian Borntraeger <borntraeger@linux.ibm.com>
+Cc: Sven Schnelle <svens@linux.ibm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/mm/ptdump_debugfs.c | 3 ---
+ arch/s390/mm/dump_pagetables.c | 2 --
+ mm/ptdump.c | 2 ++
+ 3 files changed, 2 insertions(+), 5 deletions(-)
+
+--- a/arch/arm64/mm/ptdump_debugfs.c
++++ b/arch/arm64/mm/ptdump_debugfs.c
+@@ -1,6 +1,5 @@
+ // SPDX-License-Identifier: GPL-2.0
+ #include <linux/debugfs.h>
+-#include <linux/memory_hotplug.h>
+ #include <linux/seq_file.h>
+
+ #include <asm/ptdump.h>
+@@ -9,9 +8,7 @@ static int ptdump_show(struct seq_file *
+ {
+ struct ptdump_info *info = m->private;
+
+- get_online_mems();
+ ptdump_walk(m, info);
+- put_online_mems();
+ return 0;
+ }
+ DEFINE_SHOW_ATTRIBUTE(ptdump);
+--- a/arch/s390/mm/dump_pagetables.c
++++ b/arch/s390/mm/dump_pagetables.c
+@@ -227,11 +227,9 @@ static int ptdump_show(struct seq_file *
+ .marker = address_markers,
+ };
+
+- get_online_mems();
+ mutex_lock(&cpa_mutex);
+ ptdump_walk_pgd(&st.ptdump, &init_mm, NULL);
+ mutex_unlock(&cpa_mutex);
+- put_online_mems();
+ return 0;
+ }
+ DEFINE_SHOW_ATTRIBUTE(ptdump);
+--- a/mm/ptdump.c
++++ b/mm/ptdump.c
+@@ -144,6 +144,7 @@ void ptdump_walk_pgd(struct ptdump_state
+ {
+ const struct ptdump_range *range = st->range;
+
++ get_online_mems();
+ mmap_write_lock(mm);
+ while (range->start != range->end) {
+ walk_page_range_novma(mm, range->start, range->end,
+@@ -151,6 +152,7 @@ void ptdump_walk_pgd(struct ptdump_state
+ range++;
+ }
+ mmap_write_unlock(mm);
++ put_online_mems();
+
+ /* Flush out the last page */
+ st->note_page(st, 0, -1, 0);
--- /dev/null
+From stable+bounces-169819-greg=kroah.com@vger.kernel.org Fri Aug 15 22:04:58 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Aug 2025 16:03:37 -0400
+Subject: net: enetc: fix device and OF node leak at probe
+To: stable@vger.kernel.org
+Cc: Johan Hovold <johan@kernel.org>, Vladimir Oltean <vladimir.oltean@nxp.com>, Simon Horman <horms@kernel.org>, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250815200337.201844-1-sashal@kernel.org>
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit 70458f8a6b44daf3ad39f0d9b6d1097c8a7780ed ]
+
+Make sure to drop the references to the IERB OF node and platform device
+taken by of_parse_phandle() and of_find_device_by_node() during probe.
+
+Fixes: e7d48e5fbf30 ("net: enetc: add a mini driver for the Integrated Endpoint Register Block")
+Cc: stable@vger.kernel.org # 5.13
+Cc: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250725171213.880-3-johan@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/enetc/enetc_pf.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/freescale/enetc/enetc_pf.c
++++ b/drivers/net/ethernet/freescale/enetc/enetc_pf.c
+@@ -1206,6 +1206,7 @@ static int enetc_pf_register_with_ierb(s
+ struct device_node *node = pdev->dev.of_node;
+ struct platform_device *ierb_pdev;
+ struct device_node *ierb_node;
++ int ret;
+
+ /* Don't register with the IERB if the PF itself is disabled */
+ if (!node || !of_device_is_available(node))
+@@ -1213,16 +1214,25 @@ static int enetc_pf_register_with_ierb(s
+
+ ierb_node = of_find_compatible_node(NULL, NULL,
+ "fsl,ls1028a-enetc-ierb");
+- if (!ierb_node || !of_device_is_available(ierb_node))
++ if (!ierb_node)
+ return -ENODEV;
+
++ if (!of_device_is_available(ierb_node)) {
++ of_node_put(ierb_node);
++ return -ENODEV;
++ }
++
+ ierb_pdev = of_find_device_by_node(ierb_node);
+ of_node_put(ierb_node);
+
+ if (!ierb_pdev)
+ return -EPROBE_DEFER;
+
+- return enetc_ierb_register_pf(ierb_pdev, pdev);
++ ret = enetc_ierb_register_pf(ierb_pdev, pdev);
++
++ put_device(&ierb_pdev->dev);
++
++ return ret;
+ }
+
+ static int enetc_pf_probe(struct pci_dev *pdev,
--- /dev/null
+From stable+bounces-171781-greg=kroah.com@vger.kernel.org Tue Aug 19 14:15:39 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Aug 2025 08:15:30 -0400
+Subject: net/sched: ets: use old 'nbands' while purging unused classes
+To: stable@vger.kernel.org
+Cc: Davide Caratti <dcaratti@redhat.com>, Li Shuang <shuali@redhat.com>, Petr Machata <petrm@nvidia.com>, Ivan Vecera <ivecera@redhat.com>, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250819121530.461591-3-sashal@kernel.org>
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+[ Upstream commit 87c6efc5ce9c126ae4a781bc04504b83780e3650 ]
+
+Shuang reported sch_ets test-case [1] crashing in ets_class_qlen_notify()
+after recent changes from Lion [2]. The problem is: in ets_qdisc_change()
+we purge unused DWRR queues; the value of 'q->nbands' is the new one, and
+the cleanup should be done with the old one. The problem is here since my
+first attempts to fix ets_qdisc_change(), but it surfaced again after the
+recent qdisc len accounting fixes. Fix it purging idle DWRR queues before
+assigning a new value of 'q->nbands', so that all purge operations find a
+consistent configuration:
+
+ - old 'q->nbands' because it's needed by ets_class_find()
+ - old 'q->nstrict' because it's needed by ets_class_is_strict()
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000000
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: Oops: 0000 [#1] SMP NOPTI
+ CPU: 62 UID: 0 PID: 39457 Comm: tc Kdump: loaded Not tainted 6.12.0-116.el10.x86_64 #1 PREEMPT(voluntary)
+ Hardware name: Dell Inc. PowerEdge R640/06DKY5, BIOS 2.12.2 07/09/2021
+ RIP: 0010:__list_del_entry_valid_or_report+0x4/0x80
+ Code: ff 4c 39 c7 0f 84 39 19 8e ff b8 01 00 00 00 c3 cc cc cc cc 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <48> 8b 17 48 8b 4f 08 48 85 d2 0f 84 56 19 8e ff 48 85 c9 0f 84 ab
+ RSP: 0018:ffffba186009f400 EFLAGS: 00010202
+ RAX: 00000000000000d6 RBX: 0000000000000000 RCX: 0000000000000004
+ RDX: ffff9f0fa29b69c0 RSI: 0000000000000000 RDI: 0000000000000000
+ RBP: ffffffffc12c2400 R08: 0000000000000008 R09: 0000000000000004
+ R10: ffffffffffffffff R11: 0000000000000004 R12: 0000000000000000
+ R13: ffff9f0f8cfe0000 R14: 0000000000100005 R15: 0000000000000000
+ FS: 00007f2154f37480(0000) GS:ffff9f269c1c0000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000000 CR3: 00000001530be001 CR4: 00000000007726f0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ PKRU: 55555554
+ Call Trace:
+ <TASK>
+ ets_class_qlen_notify+0x65/0x90 [sch_ets]
+ qdisc_tree_reduce_backlog+0x74/0x110
+ ets_qdisc_change+0x630/0xa40 [sch_ets]
+ __tc_modify_qdisc.constprop.0+0x216/0x7f0
+ tc_modify_qdisc+0x7c/0x120
+ rtnetlink_rcv_msg+0x145/0x3f0
+ netlink_rcv_skb+0x53/0x100
+ netlink_unicast+0x245/0x390
+ netlink_sendmsg+0x21b/0x470
+ ____sys_sendmsg+0x39d/0x3d0
+ ___sys_sendmsg+0x9a/0xe0
+ __sys_sendmsg+0x7a/0xd0
+ do_syscall_64+0x7d/0x160
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+ RIP: 0033:0x7f2155114084
+ Code: 89 02 b8 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 80 3d 25 f0 0c 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89
+ RSP: 002b:00007fff1fd7a988 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
+ RAX: ffffffffffffffda RBX: 0000560ec063e5e0 RCX: 00007f2155114084
+ RDX: 0000000000000000 RSI: 00007fff1fd7a9f0 RDI: 0000000000000003
+ RBP: 00007fff1fd7aa60 R08: 0000000000000010 R09: 000000000000003f
+ R10: 0000560ee9b3a010 R11: 0000000000000202 R12: 00007fff1fd7aae0
+ R13: 000000006891ccde R14: 0000560ec063e5e0 R15: 00007fff1fd7aad0
+ </TASK>
+
+ [1] https://lore.kernel.org/netdev/e08c7f4a6882f260011909a868311c6e9b54f3e4.1639153474.git.dcaratti@redhat.com/
+ [2] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/
+
+Cc: stable@vger.kernel.org
+Fixes: 103406b38c60 ("net/sched: Always pass notifications when child class becomes empty")
+Fixes: c062f2a0b04d ("net/sched: sch_ets: don't remove idle classes from the round-robin list")
+Fixes: dcc68b4d8084 ("net: sch_ets: Add a new Qdisc")
+Reported-by: Li Shuang <shuali@redhat.com>
+Closes: https://issues.redhat.com/browse/RHEL-108026
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Co-developed-by: Ivan Vecera <ivecera@redhat.com>
+Signed-off-by: Ivan Vecera <ivecera@redhat.com>
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Link: https://patch.msgid.link/7928ff6d17db47a2ae7cc205c44777b1f1950545.1755016081.git.dcaratti@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_ets.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/net/sched/sch_ets.c
++++ b/net/sched/sch_ets.c
+@@ -664,6 +664,12 @@ static int ets_qdisc_change(struct Qdisc
+
+ sch_tree_lock(sch);
+
++ for (i = nbands; i < oldbands; i++) {
++ if (i >= q->nstrict && q->classes[i].qdisc->q.qlen)
++ list_del_init(&q->classes[i].alist);
++ qdisc_purge_queue(q->classes[i].qdisc);
++ }
++
+ WRITE_ONCE(q->nbands, nbands);
+ for (i = nstrict; i < q->nstrict; i++) {
+ if (q->classes[i].qdisc->q.qlen) {
+@@ -671,11 +677,6 @@ static int ets_qdisc_change(struct Qdisc
+ q->classes[i].deficit = quanta[i];
+ }
+ }
+- for (i = q->nbands; i < oldbands; i++) {
+- if (i >= q->nstrict && q->classes[i].qdisc->q.qlen)
+- list_del_init(&q->classes[i].alist);
+- qdisc_purge_queue(q->classes[i].qdisc);
+- }
+ WRITE_ONCE(q->nstrict, nstrict);
+ memcpy(q->prio2band, priomap, sizeof(priomap));
+
--- /dev/null
+From stable+bounces-171779-greg=kroah.com@vger.kernel.org Tue Aug 19 14:15:36 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Aug 2025 08:15:28 -0400
+Subject: net/sched: sch_ets: properly init all active DRR list handles
+To: stable@vger.kernel.org
+Cc: Davide Caratti <dcaratti@redhat.com>, Cong Wang <cong.wang@bytedance.com>, "David S. Miller" <davem@davemloft.net>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250819121530.461591-1-sashal@kernel.org>
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+[ Upstream commit 454d3e1ae057a1e09a15905b06b860f60d6c14d0 ]
+
+leaf classes of ETS qdiscs are served in strict priority or deficit round
+robin (DRR), depending on the value of 'nstrict'. Since this value can be
+changed while traffic is running, we need to be sure that the active list
+of DRR classes can be updated at any time, so:
+
+1) call INIT_LIST_HEAD(&alist) on all leaf classes in .init(), before the
+ first packet hits any of them.
+2) ensure that 'alist' is not overwritten with zeros when a leaf class is
+ no more strict priority nor DRR (i.e. array elements beyond 'nbands').
+
+Link: https://lore.kernel.org/netdev/YS%2FoZ+f0Nr8eQkzH@dcaratti.users.ipa.redhat.com
+Suggested-by: Cong Wang <cong.wang@bytedance.com>
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 87c6efc5ce9c ("net/sched: ets: use old 'nbands' while purging unused classes")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_ets.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/net/sched/sch_ets.c
++++ b/net/sched/sch_ets.c
+@@ -666,7 +666,6 @@ static int ets_qdisc_change(struct Qdisc
+
+ q->nbands = nbands;
+ for (i = nstrict; i < q->nstrict; i++) {
+- INIT_LIST_HEAD(&q->classes[i].alist);
+ if (q->classes[i].qdisc->q.qlen) {
+ list_add_tail(&q->classes[i].alist, &q->active);
+ q->classes[i].deficit = quanta[i];
+@@ -694,7 +693,11 @@ static int ets_qdisc_change(struct Qdisc
+ ets_offload_change(sch);
+ for (i = q->nbands; i < oldbands; i++) {
+ qdisc_put(q->classes[i].qdisc);
+- memset(&q->classes[i], 0, sizeof(q->classes[i]));
++ q->classes[i].qdisc = NULL;
++ q->classes[i].quantum = 0;
++ q->classes[i].deficit = 0;
++ memset(&q->classes[i].bstats, 0, sizeof(q->classes[i].bstats));
++ memset(&q->classes[i].qstats, 0, sizeof(q->classes[i].qstats));
+ }
+ return 0;
+ }
+@@ -703,7 +706,7 @@ static int ets_qdisc_init(struct Qdisc *
+ struct netlink_ext_ack *extack)
+ {
+ struct ets_sched *q = qdisc_priv(sch);
+- int err;
++ int err, i;
+
+ if (!opt)
+ return -EINVAL;
+@@ -713,6 +716,9 @@ static int ets_qdisc_init(struct Qdisc *
+ return err;
+
+ INIT_LIST_HEAD(&q->active);
++ for (i = 0; i < TCQ_ETS_MAX_BANDS; i++)
++ INIT_LIST_HEAD(&q->classes[i].alist);
++
+ return ets_qdisc_change(sch, opt, extack);
+ }
+
--- /dev/null
+From stable+bounces-171780-greg=kroah.com@vger.kernel.org Tue Aug 19 14:15:38 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Aug 2025 08:15:29 -0400
+Subject: net_sched: sch_ets: implement lockless ets_dump()
+To: stable@vger.kernel.org
+Cc: Eric Dumazet <edumazet@google.com>, Simon Horman <horms@kernel.org>, "David S. Miller" <davem@davemloft.net>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250819121530.461591-2-sashal@kernel.org>
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit c5f1dde7f731e7bf2e7c169ca42cb4989fc2f8b9 ]
+
+Instead of relying on RTNL, ets_dump() can use READ_ONCE()
+annotations, paired with WRITE_ONCE() ones in ets_change().
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 87c6efc5ce9c ("net/sched: ets: use old 'nbands' while purging unused classes")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_ets.c | 25 ++++++++++++++-----------
+ 1 file changed, 14 insertions(+), 11 deletions(-)
+
+--- a/net/sched/sch_ets.c
++++ b/net/sched/sch_ets.c
+@@ -664,7 +664,7 @@ static int ets_qdisc_change(struct Qdisc
+
+ sch_tree_lock(sch);
+
+- q->nbands = nbands;
++ WRITE_ONCE(q->nbands, nbands);
+ for (i = nstrict; i < q->nstrict; i++) {
+ if (q->classes[i].qdisc->q.qlen) {
+ list_add_tail(&q->classes[i].alist, &q->active);
+@@ -676,11 +676,11 @@ static int ets_qdisc_change(struct Qdisc
+ list_del_init(&q->classes[i].alist);
+ qdisc_purge_queue(q->classes[i].qdisc);
+ }
+- q->nstrict = nstrict;
++ WRITE_ONCE(q->nstrict, nstrict);
+ memcpy(q->prio2band, priomap, sizeof(priomap));
+
+ for (i = 0; i < q->nbands; i++)
+- q->classes[i].quantum = quanta[i];
++ WRITE_ONCE(q->classes[i].quantum, quanta[i]);
+
+ for (i = oldbands; i < q->nbands; i++) {
+ q->classes[i].qdisc = queues[i];
+@@ -694,7 +694,7 @@ static int ets_qdisc_change(struct Qdisc
+ for (i = q->nbands; i < oldbands; i++) {
+ qdisc_put(q->classes[i].qdisc);
+ q->classes[i].qdisc = NULL;
+- q->classes[i].quantum = 0;
++ WRITE_ONCE(q->classes[i].quantum, 0);
+ q->classes[i].deficit = 0;
+ memset(&q->classes[i].bstats, 0, sizeof(q->classes[i].bstats));
+ memset(&q->classes[i].qstats, 0, sizeof(q->classes[i].qstats));
+@@ -751,6 +751,7 @@ static int ets_qdisc_dump(struct Qdisc *
+ struct ets_sched *q = qdisc_priv(sch);
+ struct nlattr *opts;
+ struct nlattr *nest;
++ u8 nbands, nstrict;
+ int band;
+ int prio;
+ int err;
+@@ -763,21 +764,22 @@ static int ets_qdisc_dump(struct Qdisc *
+ if (!opts)
+ goto nla_err;
+
+- if (nla_put_u8(skb, TCA_ETS_NBANDS, q->nbands))
++ nbands = READ_ONCE(q->nbands);
++ if (nla_put_u8(skb, TCA_ETS_NBANDS, nbands))
+ goto nla_err;
+
+- if (q->nstrict &&
+- nla_put_u8(skb, TCA_ETS_NSTRICT, q->nstrict))
++ nstrict = READ_ONCE(q->nstrict);
++ if (nstrict && nla_put_u8(skb, TCA_ETS_NSTRICT, nstrict))
+ goto nla_err;
+
+- if (q->nbands > q->nstrict) {
++ if (nbands > nstrict) {
+ nest = nla_nest_start(skb, TCA_ETS_QUANTA);
+ if (!nest)
+ goto nla_err;
+
+- for (band = q->nstrict; band < q->nbands; band++) {
++ for (band = nstrict; band < nbands; band++) {
+ if (nla_put_u32(skb, TCA_ETS_QUANTA_BAND,
+- q->classes[band].quantum))
++ READ_ONCE(q->classes[band].quantum)))
+ goto nla_err;
+ }
+
+@@ -789,7 +791,8 @@ static int ets_qdisc_dump(struct Qdisc *
+ goto nla_err;
+
+ for (prio = 0; prio <= TC_PRIO_MAX; prio++) {
+- if (nla_put_u8(skb, TCA_ETS_PRIOMAP_BAND, q->prio2band[prio]))
++ if (nla_put_u8(skb, TCA_ETS_PRIOMAP_BAND,
++ READ_ONCE(q->prio2band[prio])))
+ goto nla_err;
+ }
+
--- /dev/null
+From stable+bounces-169817-greg=kroah.com@vger.kernel.org Fri Aug 15 22:04:08 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Aug 2025 16:03:29 -0400
+Subject: NFS: Create an nfs4_server_set_init_caps() function
+To: stable@vger.kernel.org
+Cc: Anna Schumaker <Anna.Schumaker@Netapp.com>, Trond Myklebust <trond.myklebust@hammerspace.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250815200330.201734-1-sashal@kernel.org>
+
+From: Anna Schumaker <Anna.Schumaker@Netapp.com>
+
+[ Upstream commit 01dde76e471229e3437a2686c572f4980b2c483e ]
+
+And call it before doing an FSINFO probe to reset to the baseline
+capabilities before probing.
+
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Stable-dep-of: b01f21cacde9 ("NFS: Fix the setting of capabilities when automounting a new filesystem")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/internal.h | 1 +
+ fs/nfs/nfs4client.c | 33 +++++++++++++++++++--------------
+ fs/nfs/nfs4proc.c | 2 ++
+ 3 files changed, 22 insertions(+), 14 deletions(-)
+
+--- a/fs/nfs/internal.h
++++ b/fs/nfs/internal.h
+@@ -219,6 +219,7 @@ extern struct nfs_client *
+ nfs4_find_client_sessionid(struct net *, const struct sockaddr *,
+ struct nfs4_sessionid *, u32);
+ extern struct nfs_server *nfs_create_server(struct fs_context *);
++extern void nfs4_server_set_init_caps(struct nfs_server *);
+ extern struct nfs_server *nfs4_create_server(struct fs_context *);
+ extern struct nfs_server *nfs4_create_referral_server(struct fs_context *);
+ extern int nfs4_update_server(struct nfs_server *server, const char *hostname,
+--- a/fs/nfs/nfs4client.c
++++ b/fs/nfs/nfs4client.c
+@@ -1065,6 +1065,24 @@ static void nfs4_session_limit_xasize(st
+ #endif
+ }
+
++void nfs4_server_set_init_caps(struct nfs_server *server)
++{
++ /* Set the basic capabilities */
++ server->caps |= server->nfs_client->cl_mvops->init_caps;
++ if (server->flags & NFS_MOUNT_NORDIRPLUS)
++ server->caps &= ~NFS_CAP_READDIRPLUS;
++ if (server->nfs_client->cl_proto == XPRT_TRANSPORT_RDMA)
++ server->caps &= ~NFS_CAP_READ_PLUS;
++
++ /*
++ * Don't use NFS uid/gid mapping if we're using AUTH_SYS or lower
++ * authentication.
++ */
++ if (nfs4_disable_idmapping &&
++ server->client->cl_auth->au_flavor == RPC_AUTH_UNIX)
++ server->caps |= NFS_CAP_UIDGID_NOMAP;
++}
++
+ static int nfs4_server_common_setup(struct nfs_server *server,
+ struct nfs_fh *mntfh, bool auth_probe)
+ {
+@@ -1084,20 +1102,7 @@ static int nfs4_server_common_setup(stru
+ if (error < 0)
+ goto out;
+
+- /* Set the basic capabilities */
+- server->caps |= server->nfs_client->cl_mvops->init_caps;
+- if (server->flags & NFS_MOUNT_NORDIRPLUS)
+- server->caps &= ~NFS_CAP_READDIRPLUS;
+- if (server->nfs_client->cl_proto == XPRT_TRANSPORT_RDMA)
+- server->caps &= ~NFS_CAP_READ_PLUS;
+- /*
+- * Don't use NFS uid/gid mapping if we're using AUTH_SYS or lower
+- * authentication.
+- */
+- if (nfs4_disable_idmapping &&
+- server->client->cl_auth->au_flavor == RPC_AUTH_UNIX)
+- server->caps |= NFS_CAP_UIDGID_NOMAP;
+-
++ nfs4_server_set_init_caps(server);
+
+ /* Probe the root fh to retrieve its FSID and filehandle */
+ error = nfs4_get_rootfh(server, mntfh, auth_probe);
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -3968,6 +3968,8 @@ int nfs4_server_capabilities(struct nfs_
+ .interruptible = true,
+ };
+ int err;
++
++ nfs4_server_set_init_caps(server);
+ do {
+ err = nfs4_handle_exception(server,
+ _nfs4_server_capabilities(server, fhandle),
--- /dev/null
+From stable+bounces-169818-greg=kroah.com@vger.kernel.org Fri Aug 15 22:04:09 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Aug 2025 16:03:30 -0400
+Subject: NFS: Fix the setting of capabilities when automounting a new filesystem
+To: stable@vger.kernel.org
+Cc: Trond Myklebust <trond.myklebust@hammerspace.com>, Benjamin Coddington <bcodding@redhat.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250815200330.201734-2-sashal@kernel.org>
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit b01f21cacde9f2878492cf318fee61bf4ccad323 ]
+
+Capabilities cannot be inherited when we cross into a new filesystem.
+They need to be reset to the minimal defaults, and then probed for
+again.
+
+Fixes: 54ceac451598 ("NFS: Share NFS superblocks per-protocol per-server per-FSID")
+Cc: stable@vger.kernel.org
+Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/client.c | 44 ++++++++++++++++++++++++++++++++++++++++++--
+ fs/nfs/internal.h | 2 +-
+ fs/nfs/nfs4client.c | 20 +-------------------
+ fs/nfs/nfs4proc.c | 2 +-
+ 4 files changed, 45 insertions(+), 23 deletions(-)
+
+--- a/fs/nfs/client.c
++++ b/fs/nfs/client.c
+@@ -661,6 +661,44 @@ struct nfs_client *nfs_init_client(struc
+ }
+ EXPORT_SYMBOL_GPL(nfs_init_client);
+
++static void nfs4_server_set_init_caps(struct nfs_server *server)
++{
++#if IS_ENABLED(CONFIG_NFS_V4)
++ /* Set the basic capabilities */
++ server->caps = server->nfs_client->cl_mvops->init_caps;
++ if (server->flags & NFS_MOUNT_NORDIRPLUS)
++ server->caps &= ~NFS_CAP_READDIRPLUS;
++ if (server->nfs_client->cl_proto == XPRT_TRANSPORT_RDMA)
++ server->caps &= ~NFS_CAP_READ_PLUS;
++
++ /*
++ * Don't use NFS uid/gid mapping if we're using AUTH_SYS or lower
++ * authentication.
++ */
++ if (nfs4_disable_idmapping &&
++ server->client->cl_auth->au_flavor == RPC_AUTH_UNIX)
++ server->caps |= NFS_CAP_UIDGID_NOMAP;
++#endif
++}
++
++void nfs_server_set_init_caps(struct nfs_server *server)
++{
++ switch (server->nfs_client->rpc_ops->version) {
++ case 2:
++ server->caps = NFS_CAP_HARDLINKS | NFS_CAP_SYMLINKS;
++ break;
++ case 3:
++ server->caps = NFS_CAP_HARDLINKS | NFS_CAP_SYMLINKS;
++ if (!(server->flags & NFS_MOUNT_NORDIRPLUS))
++ server->caps |= NFS_CAP_READDIRPLUS;
++ break;
++ default:
++ nfs4_server_set_init_caps(server);
++ break;
++ }
++}
++EXPORT_SYMBOL_GPL(nfs_server_set_init_caps);
++
+ /*
+ * Create a version 2 or 3 client
+ */
+@@ -699,7 +737,6 @@ static int nfs_init_server(struct nfs_se
+ /* Initialise the client representation from the mount data */
+ server->flags = ctx->flags;
+ server->options = ctx->options;
+- server->caps |= NFS_CAP_HARDLINKS | NFS_CAP_SYMLINKS;
+
+ switch (clp->rpc_ops->version) {
+ case 2:
+@@ -735,6 +772,8 @@ static int nfs_init_server(struct nfs_se
+ if (error < 0)
+ goto error;
+
++ nfs_server_set_init_caps(server);
++
+ /* Preserve the values of mount_server-related mount options */
+ if (ctx->mount_server.addrlen) {
+ memcpy(&server->mountd_address, &ctx->mount_server.address,
+@@ -884,7 +923,6 @@ void nfs_server_copy_userdata(struct nfs
+ target->acregmax = source->acregmax;
+ target->acdirmin = source->acdirmin;
+ target->acdirmax = source->acdirmax;
+- target->caps = source->caps;
+ target->options = source->options;
+ target->auth_info = source->auth_info;
+ target->port = source->port;
+@@ -1095,6 +1133,8 @@ struct nfs_server *nfs_clone_server(stru
+ if (error < 0)
+ goto out_free_server;
+
++ nfs_server_set_init_caps(server);
++
+ /* probe the filesystem info for this server filesystem */
+ error = nfs_probe_fsinfo(server, fh, fattr_fsinfo);
+ if (error < 0)
+--- a/fs/nfs/internal.h
++++ b/fs/nfs/internal.h
+@@ -219,7 +219,7 @@ extern struct nfs_client *
+ nfs4_find_client_sessionid(struct net *, const struct sockaddr *,
+ struct nfs4_sessionid *, u32);
+ extern struct nfs_server *nfs_create_server(struct fs_context *);
+-extern void nfs4_server_set_init_caps(struct nfs_server *);
++extern void nfs_server_set_init_caps(struct nfs_server *);
+ extern struct nfs_server *nfs4_create_server(struct fs_context *);
+ extern struct nfs_server *nfs4_create_referral_server(struct fs_context *);
+ extern int nfs4_update_server(struct nfs_server *server, const char *hostname,
+--- a/fs/nfs/nfs4client.c
++++ b/fs/nfs/nfs4client.c
+@@ -1065,24 +1065,6 @@ static void nfs4_session_limit_xasize(st
+ #endif
+ }
+
+-void nfs4_server_set_init_caps(struct nfs_server *server)
+-{
+- /* Set the basic capabilities */
+- server->caps |= server->nfs_client->cl_mvops->init_caps;
+- if (server->flags & NFS_MOUNT_NORDIRPLUS)
+- server->caps &= ~NFS_CAP_READDIRPLUS;
+- if (server->nfs_client->cl_proto == XPRT_TRANSPORT_RDMA)
+- server->caps &= ~NFS_CAP_READ_PLUS;
+-
+- /*
+- * Don't use NFS uid/gid mapping if we're using AUTH_SYS or lower
+- * authentication.
+- */
+- if (nfs4_disable_idmapping &&
+- server->client->cl_auth->au_flavor == RPC_AUTH_UNIX)
+- server->caps |= NFS_CAP_UIDGID_NOMAP;
+-}
+-
+ static int nfs4_server_common_setup(struct nfs_server *server,
+ struct nfs_fh *mntfh, bool auth_probe)
+ {
+@@ -1102,7 +1084,7 @@ static int nfs4_server_common_setup(stru
+ if (error < 0)
+ goto out;
+
+- nfs4_server_set_init_caps(server);
++ nfs_server_set_init_caps(server);
+
+ /* Probe the root fh to retrieve its FSID and filehandle */
+ error = nfs4_get_rootfh(server, mntfh, auth_probe);
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -3969,7 +3969,7 @@ int nfs4_server_capabilities(struct nfs_
+ };
+ int err;
+
+- nfs4_server_set_init_caps(server);
++ nfs_server_set_init_caps(server);
+ do {
+ err = nfs4_handle_exception(server,
+ _nfs4_server_capabilities(server, fhandle),
--- /dev/null
+From stable+bounces-169873-greg=kroah.com@vger.kernel.org Sun Aug 17 04:26:02 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 16 Aug 2025 22:25:53 -0400
+Subject: PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports
+To: stable@vger.kernel.org
+Cc: Lukas Wunner <lukas@wunner.de>, Laurent Bigonville <bigon@bigon.be>, Mario Limonciello <mario.limonciello@amd.com>, Bjorn Helgaas <bhelgaas@google.com>, "Rafael J. Wysocki" <rafael@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250817022553.1336244-1-sashal@kernel.org>
+
+From: Lukas Wunner <lukas@wunner.de>
+
+[ Upstream commit 6cff20ce3b92ffbf2fc5eb9e5a030b3672aa414a ]
+
+pci_bridge_d3_possible() is called from both pcie_portdrv_probe() and
+pcie_portdrv_remove() to determine whether runtime power management shall
+be enabled (on probe) or disabled (on remove) on a PCIe port.
+
+The underlying assumption is that pci_bridge_d3_possible() always returns
+the same value, else a runtime PM reference imbalance would occur. That
+assumption is not given if the PCIe port is inaccessible on remove due to
+hot-unplug: pci_bridge_d3_possible() calls pciehp_is_native(), which
+accesses Config Space to determine whether the port is Hot-Plug Capable.
+An inaccessible port returns "all ones", which is converted to "all
+zeroes" by pcie_capability_read_dword(). Hence the port no longer seems
+Hot-Plug Capable on remove even though it was on probe.
+
+The resulting runtime PM ref imbalance causes warning messages such as:
+
+ pcieport 0000:02:04.0: Runtime PM usage count underflow!
+
+Avoid the Config Space access (and thus the runtime PM ref imbalance) by
+caching the Hot-Plug Capable bit in struct pci_dev.
+
+The struct already contains an "is_hotplug_bridge" flag, which however is
+not only set on Hot-Plug Capable PCIe ports, but also Conventional PCI
+Hot-Plug bridges and ACPI slots. The flag identifies bridges which are
+allocated additional MMIO and bus number resources to allow for hierarchy
+expansion.
+
+The kernel is somewhat sloppily using "is_hotplug_bridge" in a number of
+places to identify Hot-Plug Capable PCIe ports, even though the flag
+encompasses other devices. Subsequent commits replace these occurrences
+with the new flag to clearly delineate Hot-Plug Capable PCIe ports from
+other kinds of hotplug bridges.
+
+Document the existing "is_hotplug_bridge" and the new "is_pciehp" flag
+and document the (non-obvious) requirement that pci_bridge_d3_possible()
+always returns the same value across the entire lifetime of a bridge,
+including its hot-removal.
+
+Fixes: 5352a44a561d ("PCI: pciehp: Make pciehp_is_native() stricter")
+Reported-by: Laurent Bigonville <bigon@bigon.be>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220216
+Reported-by: Mario Limonciello <mario.limonciello@amd.com>
+Closes: https://lore.kernel.org/r/20250609020223.269407-3-superm1@kernel.org/
+Link: https://lore.kernel.org/all/20250620025535.3425049-3-superm1@kernel.org/T/#u
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Acked-by: Rafael J. Wysocki <rafael@kernel.org>
+Cc: stable@vger.kernel.org # v4.18+
+Link: https://patch.msgid.link/fe5dcc3b2e62ee1df7905d746bde161eb1b3291c.1752390101.git.lukas@wunner.de
+[ changed "recent enough PCIe ports" comment to "some PCIe ports" ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/pci-acpi.c | 4 +---
+ drivers/pci/pci.c | 8 ++++++--
+ drivers/pci/probe.c | 2 +-
+ include/linux/pci.h | 10 +++++++++-
+ 4 files changed, 17 insertions(+), 7 deletions(-)
+
+--- a/drivers/pci/pci-acpi.c
++++ b/drivers/pci/pci-acpi.c
+@@ -792,13 +792,11 @@ int pci_acpi_program_hp_params(struct pc
+ bool pciehp_is_native(struct pci_dev *bridge)
+ {
+ const struct pci_host_bridge *host;
+- u32 slot_cap;
+
+ if (!IS_ENABLED(CONFIG_HOTPLUG_PCI_PCIE))
+ return false;
+
+- pcie_capability_read_dword(bridge, PCI_EXP_SLTCAP, &slot_cap);
+- if (!(slot_cap & PCI_EXP_SLTCAP_HPC))
++ if (!bridge->is_pciehp)
+ return false;
+
+ if (pcie_ports_native)
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -2921,8 +2921,12 @@ static const struct dmi_system_id bridge
+ * pci_bridge_d3_possible - Is it possible to put the bridge into D3
+ * @bridge: Bridge to check
+ *
+- * This function checks if it is possible to move the bridge to D3.
+- * Currently we only allow D3 for recent enough PCIe ports and Thunderbolt.
++ * Currently we only allow D3 for some PCIe ports and for Thunderbolt.
++ *
++ * Return: Whether it is possible to move the bridge to D3.
++ *
++ * The return value is guaranteed to be constant across the entire lifetime
++ * of the bridge, including its hot-removal.
+ */
+ bool pci_bridge_d3_possible(struct pci_dev *bridge)
+ {
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -1590,7 +1590,7 @@ void set_pcie_hotplug_bridge(struct pci_
+
+ pcie_capability_read_dword(pdev, PCI_EXP_SLTCAP, ®32);
+ if (reg32 & PCI_EXP_SLTCAP_HPC)
+- pdev->is_hotplug_bridge = 1;
++ pdev->is_hotplug_bridge = pdev->is_pciehp = 1;
+ }
+
+ static void set_pcie_thunderbolt(struct pci_dev *dev)
+--- a/include/linux/pci.h
++++ b/include/linux/pci.h
+@@ -317,7 +317,14 @@ struct pci_sriov;
+ struct pci_p2pdma;
+ struct rcec_ea;
+
+-/* The pci_dev structure describes PCI devices */
++/* struct pci_dev - describes a PCI device
++ *
++ * @is_hotplug_bridge: Hotplug bridge of any kind (e.g. PCIe Hot-Plug Capable,
++ * Conventional PCI Hot-Plug, ACPI slot).
++ * Such bridges are allocated additional MMIO and bus
++ * number resources to allow for hierarchy expansion.
++ * @is_pciehp: PCIe Hot-Plug Capable bridge.
++ */
+ struct pci_dev {
+ struct list_head bus_list; /* Node in per-bus list */
+ struct pci_bus *bus; /* Bus this device is on */
+@@ -440,6 +447,7 @@ struct pci_dev {
+ unsigned int is_physfn:1;
+ unsigned int is_virtfn:1;
+ unsigned int is_hotplug_bridge:1;
++ unsigned int is_pciehp:1;
+ unsigned int shpc_managed:1; /* SHPC owned by shpchp */
+ unsigned int is_thunderbolt:1; /* Thunderbolt controller */
+ /*
--- /dev/null
+From stable+bounces-172164-greg=kroah.com@vger.kernel.org Thu Aug 21 17:14:19 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Aug 2025 11:08:41 -0400
+Subject: platform/chrome: cros_ec: Make cros_ec_unregister() return void
+To: stable@vger.kernel.org
+Cc: "Uwe Kleine-König" <u.kleine-koenig@pengutronix.de>, "Guenter Roeck" <groeck@chromium.org>, "Lee Jones" <lee.jones@linaro.org>, "Mark Brown" <broonie@kernel.org>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250821150844.754065-1-sashal@kernel.org>
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit afb0a80e63d67e957b5d0eb4ade301aff6e13c8c ]
+
+Up to now cros_ec_unregister() returns zero unconditionally. Make it
+return void instead which makes it easier to see in the callers that
+there is no error to handle.
+
+Also the return value of i2c, platform and spi remove callbacks is
+ignored anyway.
+
+Reviewed-by: Guenter Roeck <groeck@chromium.org>
+Link: https://lore.kernel.org/r/20211020071753.wltjslmimb6wtlp5@pengutronix.de
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Acked-by: Lee Jones <lee.jones@linaro.org>
+Link: https://lore.kernel.org/r/20220123175201.34839-5-u.kleine-koenig@pengutronix.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Stable-dep-of: e23749534619 ("platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/chrome/cros_ec.c | 4 +---
+ drivers/platform/chrome/cros_ec.h | 2 +-
+ drivers/platform/chrome/cros_ec_i2c.c | 4 +++-
+ drivers/platform/chrome/cros_ec_lpc.c | 4 +++-
+ drivers/platform/chrome/cros_ec_spi.c | 4 +++-
+ 5 files changed, 11 insertions(+), 7 deletions(-)
+
+--- a/drivers/platform/chrome/cros_ec.c
++++ b/drivers/platform/chrome/cros_ec.c
+@@ -306,13 +306,11 @@ EXPORT_SYMBOL(cros_ec_register);
+ *
+ * Return: 0 on success or negative error code.
+ */
+-int cros_ec_unregister(struct cros_ec_device *ec_dev)
++void cros_ec_unregister(struct cros_ec_device *ec_dev)
+ {
+ if (ec_dev->pd)
+ platform_device_unregister(ec_dev->pd);
+ platform_device_unregister(ec_dev->ec);
+-
+- return 0;
+ }
+ EXPORT_SYMBOL(cros_ec_unregister);
+
+--- a/drivers/platform/chrome/cros_ec.h
++++ b/drivers/platform/chrome/cros_ec.h
+@@ -11,7 +11,7 @@
+ #include <linux/interrupt.h>
+
+ int cros_ec_register(struct cros_ec_device *ec_dev);
+-int cros_ec_unregister(struct cros_ec_device *ec_dev);
++void cros_ec_unregister(struct cros_ec_device *ec_dev);
+
+ int cros_ec_suspend(struct cros_ec_device *ec_dev);
+ int cros_ec_resume(struct cros_ec_device *ec_dev);
+--- a/drivers/platform/chrome/cros_ec_i2c.c
++++ b/drivers/platform/chrome/cros_ec_i2c.c
+@@ -313,7 +313,9 @@ static int cros_ec_i2c_remove(struct i2c
+ {
+ struct cros_ec_device *ec_dev = i2c_get_clientdata(client);
+
+- return cros_ec_unregister(ec_dev);
++ cros_ec_unregister(ec_dev);
++
++ return 0;
+ }
+
+ #ifdef CONFIG_PM_SLEEP
+--- a/drivers/platform/chrome/cros_ec_lpc.c
++++ b/drivers/platform/chrome/cros_ec_lpc.c
+@@ -439,7 +439,9 @@ static int cros_ec_lpc_remove(struct pla
+ acpi_remove_notify_handler(adev->handle, ACPI_ALL_NOTIFY,
+ cros_ec_lpc_acpi_notify);
+
+- return cros_ec_unregister(ec_dev);
++ cros_ec_unregister(ec_dev);
++
++ return 0;
+ }
+
+ static const struct acpi_device_id cros_ec_lpc_acpi_device_ids[] = {
+--- a/drivers/platform/chrome/cros_ec_spi.c
++++ b/drivers/platform/chrome/cros_ec_spi.c
+@@ -790,7 +790,9 @@ static int cros_ec_spi_remove(struct spi
+ {
+ struct cros_ec_device *ec_dev = spi_get_drvdata(spi);
+
+- return cros_ec_unregister(ec_dev);
++ cros_ec_unregister(ec_dev);
++
++ return 0;
+ }
+
+ #ifdef CONFIG_PM_SLEEP
--- /dev/null
+From stable+bounces-172166-greg=kroah.com@vger.kernel.org Thu Aug 21 17:14:23 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Aug 2025 11:08:43 -0400
+Subject: platform/chrome: cros_ec: remove unneeded label and if-condition
+To: stable@vger.kernel.org
+Cc: Tzung-Bi Shih <tzungbi@kernel.org>, Guenter Roeck <groeck@chromium.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250821150844.754065-3-sashal@kernel.org>
+
+From: Tzung-Bi Shih <tzungbi@kernel.org>
+
+[ Upstream commit 554ec02c97254962bbb0a8776c3160d294fc7e51 ]
+
+Both `ec_dev->ec` and `ec_dev->pd` are initialized to NULL at the
+beginning of cros_ec_register(). Also, platform_device_unregister()
+takes care if the given platform_device is NULL.
+
+Remove the unneeded goto-label and if-condition.
+
+Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
+Reviewed-by: Guenter Roeck <groeck@chromium.org>
+Link: https://lore.kernel.org/r/20230308031247.2866401-1-tzungbi@kernel.org
+Stable-dep-of: e23749534619 ("platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/chrome/cros_ec.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/drivers/platform/chrome/cros_ec.c
++++ b/drivers/platform/chrome/cros_ec.c
+@@ -207,7 +207,7 @@ int cros_ec_register(struct cros_ec_devi
+ err = cros_ec_query_all(ec_dev);
+ if (err) {
+ dev_err(dev, "Cannot identify the EC: error %d\n", err);
+- goto destroy_mutex;
++ goto exit;
+ }
+
+ if (ec_dev->irq > 0) {
+@@ -219,7 +219,7 @@ int cros_ec_register(struct cros_ec_devi
+ if (err) {
+ dev_err(dev, "Failed to request IRQ %d: %d",
+ ec_dev->irq, err);
+- goto destroy_mutex;
++ goto exit;
+ }
+ }
+
+@@ -231,7 +231,7 @@ int cros_ec_register(struct cros_ec_devi
+ dev_err(ec_dev->dev,
+ "Failed to create CrOS EC platform device\n");
+ err = PTR_ERR(ec_dev->ec);
+- goto destroy_mutex;
++ goto exit;
+ }
+
+ if (ec_dev->max_passthru) {
+@@ -297,7 +297,6 @@ int cros_ec_register(struct cros_ec_devi
+ exit:
+ platform_device_unregister(ec_dev->ec);
+ platform_device_unregister(ec_dev->pd);
+-destroy_mutex:
+ mutex_destroy(&ec_dev->lock);
+ lockdep_unregister_key(&ec_dev->lockdep_key);
+ return err;
+@@ -314,8 +313,7 @@ EXPORT_SYMBOL(cros_ec_register);
+ */
+ void cros_ec_unregister(struct cros_ec_device *ec_dev)
+ {
+- if (ec_dev->pd)
+- platform_device_unregister(ec_dev->pd);
++ platform_device_unregister(ec_dev->pd);
+ platform_device_unregister(ec_dev->ec);
+ mutex_destroy(&ec_dev->lock);
+ lockdep_unregister_key(&ec_dev->lockdep_key);
--- /dev/null
+From stable+bounces-172167-greg=kroah.com@vger.kernel.org Thu Aug 21 17:14:27 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Aug 2025 11:08:44 -0400
+Subject: platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister()
+To: stable@vger.kernel.org
+Cc: Tzung-Bi Shih <tzungbi@kernel.org>, Benson Leung <bleung@chromium.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250821150844.754065-4-sashal@kernel.org>
+
+From: Tzung-Bi Shih <tzungbi@kernel.org>
+
+[ Upstream commit e2374953461947eee49f69b3e3204ff080ef31b1 ]
+
+The blocking notifier is registered in cros_ec_register(); however, it
+isn't unregistered in cros_ec_unregister().
+
+Fix it.
+
+Fixes: 42cd0ab476e2 ("platform/chrome: cros_ec: Query EC protocol version if EC transitions between RO/RW")
+Cc: stable@vger.kernel.org
+Reviewed-by: Benson Leung <bleung@chromium.org>
+Link: https://lore.kernel.org/r/20250722120513.234031-1-tzungbi@kernel.org
+Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/chrome/cros_ec.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/platform/chrome/cros_ec.c
++++ b/drivers/platform/chrome/cros_ec.c
+@@ -313,6 +313,9 @@ EXPORT_SYMBOL(cros_ec_register);
+ */
+ void cros_ec_unregister(struct cros_ec_device *ec_dev)
+ {
++ if (ec_dev->mkbp_event_supported)
++ blocking_notifier_chain_unregister(&ec_dev->event_notifier,
++ &ec_dev->notifier_ready);
+ platform_device_unregister(ec_dev->pd);
+ platform_device_unregister(ec_dev->ec);
+ mutex_destroy(&ec_dev->lock);
--- /dev/null
+From stable+bounces-172165-greg=kroah.com@vger.kernel.org Thu Aug 21 17:15:13 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Aug 2025 11:08:42 -0400
+Subject: platform/chrome: cros_ec: Use per-device lockdep key
+To: stable@vger.kernel.org
+Cc: Chen-Yu Tsai <wenst@chromium.org>, Tzung-Bi Shih <tzungbi@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250821150844.754065-2-sashal@kernel.org>
+
+From: Chen-Yu Tsai <wenst@chromium.org>
+
+[ Upstream commit 961a325becd9a142ae5c8b258e5c2f221f8bfac8 ]
+
+Lockdep reports a bogus possible deadlock on MT8192 Chromebooks due to
+the following lock sequences:
+
+1. lock(i2c_register_adapter) [1]; lock(&ec_dev->lock)
+2. lock(&ec_dev->lock); lock(prepare_lock);
+
+The actual dependency chains are much longer. The shortened version
+looks somewhat like:
+
+1. cros-ec-rpmsg on mtk-scp
+ ec_dev->lock -> prepare_lock
+2. In rt5682_i2c_probe() on native I2C bus:
+ prepare_lock -> regmap->lock -> (possibly) i2c_adapter->bus_lock
+3. In rt5682_i2c_probe() on native I2C bus:
+ regmap->lock -> i2c_adapter->bus_lock
+4. In sbs_probe() on i2c-cros-ec-tunnel I2C bus attached on cros-ec:
+ i2c_adapter->bus_lock -> ec_dev->lock
+
+While lockdep is correct that the shared lockdep classes have a circular
+dependency, it is bogus because
+
+ a) 2+3 happen on a native I2C bus
+ b) 4 happens on the actual EC on ChromeOS devices
+ c) 1 happens on the SCP coprocessor on MediaTek Chromebooks that just
+ happens to expose a cros-ec interface, but does not have an
+ i2c-cros-ec-tunnel I2C bus
+
+In short, the "dependencies" are actually on different devices.
+
+Setup a per-device lockdep key for cros_ec devices so lockdep can tell
+the two instances apart. This helps with getting rid of the bogus
+lockdep warning. For ChromeOS devices that only have one cros-ec
+instance this doesn't change anything.
+
+Also add a missing mutex_destroy, just to make the teardown complete.
+
+[1] This is likely the per I2C bus lock with shared lockdep class
+
+Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
+Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
+Link: https://lore.kernel.org/r/20230111074146.2624496-1-wenst@chromium.org
+Stable-dep-of: e23749534619 ("platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/chrome/cros_ec.c | 14 +++++++++++---
+ include/linux/platform_data/cros_ec_proto.h | 4 ++++
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+--- a/drivers/platform/chrome/cros_ec.c
++++ b/drivers/platform/chrome/cros_ec.c
+@@ -200,12 +200,14 @@ int cros_ec_register(struct cros_ec_devi
+ if (!ec_dev->dout)
+ return -ENOMEM;
+
++ lockdep_register_key(&ec_dev->lockdep_key);
+ mutex_init(&ec_dev->lock);
++ lockdep_set_class(&ec_dev->lock, &ec_dev->lockdep_key);
+
+ err = cros_ec_query_all(ec_dev);
+ if (err) {
+ dev_err(dev, "Cannot identify the EC: error %d\n", err);
+- return err;
++ goto destroy_mutex;
+ }
+
+ if (ec_dev->irq > 0) {
+@@ -217,7 +219,7 @@ int cros_ec_register(struct cros_ec_devi
+ if (err) {
+ dev_err(dev, "Failed to request IRQ %d: %d",
+ ec_dev->irq, err);
+- return err;
++ goto destroy_mutex;
+ }
+ }
+
+@@ -228,7 +230,8 @@ int cros_ec_register(struct cros_ec_devi
+ if (IS_ERR(ec_dev->ec)) {
+ dev_err(ec_dev->dev,
+ "Failed to create CrOS EC platform device\n");
+- return PTR_ERR(ec_dev->ec);
++ err = PTR_ERR(ec_dev->ec);
++ goto destroy_mutex;
+ }
+
+ if (ec_dev->max_passthru) {
+@@ -294,6 +297,9 @@ int cros_ec_register(struct cros_ec_devi
+ exit:
+ platform_device_unregister(ec_dev->ec);
+ platform_device_unregister(ec_dev->pd);
++destroy_mutex:
++ mutex_destroy(&ec_dev->lock);
++ lockdep_unregister_key(&ec_dev->lockdep_key);
+ return err;
+ }
+ EXPORT_SYMBOL(cros_ec_register);
+@@ -311,6 +317,8 @@ void cros_ec_unregister(struct cros_ec_d
+ if (ec_dev->pd)
+ platform_device_unregister(ec_dev->pd);
+ platform_device_unregister(ec_dev->ec);
++ mutex_destroy(&ec_dev->lock);
++ lockdep_unregister_key(&ec_dev->lockdep_key);
+ }
+ EXPORT_SYMBOL(cros_ec_unregister);
+
+--- a/include/linux/platform_data/cros_ec_proto.h
++++ b/include/linux/platform_data/cros_ec_proto.h
+@@ -9,6 +9,7 @@
+ #define __LINUX_CROS_EC_PROTO_H
+
+ #include <linux/device.h>
++#include <linux/lockdep_types.h>
+ #include <linux/mutex.h>
+ #include <linux/notifier.h>
+
+@@ -114,6 +115,8 @@ struct cros_ec_command {
+ * command. The caller should check msg.result for the EC's result
+ * code.
+ * @pkt_xfer: Send packet to EC and get response.
++ * @lockdep_key: Lockdep class for each instance. Unused if CONFIG_LOCKDEP is
++ * not enabled.
+ * @lock: One transaction at a time.
+ * @mkbp_event_supported: 0 if MKBP not supported. Otherwise its value is
+ * the maximum supported version of the MKBP host event
+@@ -159,6 +162,7 @@ struct cros_ec_device {
+ struct cros_ec_command *msg);
+ int (*pkt_xfer)(struct cros_ec_device *ec,
+ struct cros_ec_command *msg);
++ struct lock_class_key lockdep_key;
+ struct mutex lock;
+ u8 mkbp_event_supported;
+ bool host_sleep_v1;
mm-update-memfd-seal-write-check-to-include-f_seal_write.patch
mm-reinstate-ability-to-map-write-sealed-memfd-mappings-read-only.patch
selftests-memfd-add-test-for-mapping-write-sealed-memfd-read-only.patch
+ice-fix-a-null-pointer-dereference-in-ice_copy_and_init_pkg.patch
+drm-sched-remove-optimization-that-causes-hang-when-killing-dependent-jobs.patch
+arm64-entry-mask-daif-in-cpu_switch_to-call_on_irq_stack.patch
+arm-9448-1-use-an-absolute-path-to-unified.h-in-kbuild_aflags.patch
+f2fs-fix-to-do-sanity-check-on-ino-and-xnid.patch
+iio-hid-sensor-prox-restore-lost-scale-assignments.patch
+iio-hid-sensor-prox-fix-incorrect-offset-calculation.patch
+x86-mce-amd-add-default-names-for-mca-banks-and-blocks.patch
+usb-hub-avoid-warm-port-reset-during-usb3-disconnect.patch
+usb-hub-don-t-try-to-recover-devices-lost-during-warm-reset.patch
+smb-client-fix-use-after-free-in-crypt_message-when-using-async-crypto.patch
+x86-fpu-delay-instruction-pointer-fixup-until-after-warning.patch
+alsa-scarlett2-add-retry-on-eproto-from-scarlett2_usb_tx.patch
+smb-server-fix-extension-string-in-ksmbd_extract_shortname.patch
+hv_netvsc-fix-panic-during-namespace-deletion-with-vf.patch
+usb-typec-fusb302-cache-pd-rx-state.patch
+pci-acpi-fix-runtime-pm-ref-imbalance-on-hot-plug-capable-ports.patch
+block-make-req_op_zone_finish-a-write-operation.patch
+net-enetc-fix-device-and-of-node-leak-at-probe.patch
+nfs-create-an-nfs4_server_set_init_caps-function.patch
+nfs-fix-the-setting-of-capabilities-when-automounting-a-new-filesystem.patch
+mm-ptdump-take-the-memory-hotplug-lock-inside-ptdump_walk_pgd.patch
+usb-musb-omap2430-convert-to-platform-remove-callback-returning-void.patch
+usb-musb-omap2430-fix-device-leak-at-unbind.patch
+ata-fix-sata_mobile_lpm_policy-description-in-kconfig.patch
+bus-mhi-host-detect-events-pointing-to-unexpected-tres.patch
+usb-dwc3-imx8mp-fix-device-leak-at-unbind.patch
+platform-chrome-cros_ec-make-cros_ec_unregister-return-void.patch
+platform-chrome-cros_ec-use-per-device-lockdep-key.patch
+platform-chrome-cros_ec-remove-unneeded-label-and-if-condition.patch
+platform-chrome-cros_ec-unregister-notifier-in-cros_ec_unregister.patch
+net-sched-sch_ets-properly-init-all-active-drr-list-handles.patch
+net_sched-sch_ets-implement-lockless-ets_dump.patch
+net-sched-ets-use-old-nbands-while-purging-unused-classes.patch
+kvm-vmx-flush-shadow-vmcs-on-emergency-reboot.patch
+btrfs-populate-otime-when-logging-an-inode-item.patch
--- /dev/null
+From stable+bounces-164306-greg=kroah.com@vger.kernel.org Wed Jul 23 00:00:22 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Jul 2025 17:58:19 -0400
+Subject: smb: client: fix use-after-free in crypt_message when using async crypto
+To: stable@vger.kernel.org
+Cc: Wang Zhaolong <wangzhaolong@huaweicloud.com>, Paulo Alcantara <pc@manguebit.org>, Steve French <stfrench@microsoft.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250722215819.981600-1-sashal@kernel.org>
+
+From: Wang Zhaolong <wangzhaolong@huaweicloud.com>
+
+[ Upstream commit b220bed63330c0e1733dc06ea8e75d5b9962b6b6 ]
+
+The CVE-2024-50047 fix removed asynchronous crypto handling from
+crypt_message(), assuming all crypto operations are synchronous.
+However, when hardware crypto accelerators are used, this can cause
+use-after-free crashes:
+
+ crypt_message()
+ // Allocate the creq buffer containing the req
+ creq = smb2_get_aead_req(..., &req);
+
+ // Async encryption returns -EINPROGRESS immediately
+ rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req);
+
+ // Free creq while async operation is still in progress
+ kvfree_sensitive(creq, ...);
+
+Hardware crypto modules often implement async AEAD operations for
+performance. When crypto_aead_encrypt/decrypt() returns -EINPROGRESS,
+the operation completes asynchronously. Without crypto_wait_req(),
+the function immediately frees the request buffer, leading to crashes
+when the driver later accesses the freed memory.
+
+This results in a use-after-free condition when the hardware crypto
+driver later accesses the freed request structure, leading to kernel
+crashes with NULL pointer dereferences.
+
+The issue occurs because crypto_alloc_aead() with mask=0 doesn't
+guarantee synchronous operation. Even without CRYPTO_ALG_ASYNC in
+the mask, async implementations can be selected.
+
+Fix by restoring the async crypto handling:
+- DECLARE_CRYPTO_WAIT(wait) for completion tracking
+- aead_request_set_callback() for async completion notification
+- crypto_wait_req() to wait for operation completion
+
+This ensures the request buffer isn't freed until the crypto operation
+completes, whether synchronous or asynchronous, while preserving the
+CVE-2024-50047 fix.
+
+Fixes: b0abcd65ec54 ("smb: client: fix UAF in async decryption")
+Link: https://lore.kernel.org/all/8b784a13-87b0-4131-9ff9-7a8993538749@huaweicloud.com/
+Cc: stable@vger.kernel.org
+Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Signed-off-by: Wang Zhaolong <wangzhaolong@huaweicloud.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/smb2ops.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -4552,6 +4552,7 @@ crypt_message(struct TCP_Server_Info *se
+ u8 key[SMB3_ENC_DEC_KEY_SIZE];
+ struct aead_request *req;
+ u8 *iv;
++ DECLARE_CRYPTO_WAIT(wait);
+ unsigned int crypt_len = le32_to_cpu(tr_hdr->OriginalMessageSize);
+ void *creq;
+
+@@ -4600,7 +4601,11 @@ crypt_message(struct TCP_Server_Info *se
+ aead_request_set_crypt(req, sg, sg, crypt_len, iv);
+ aead_request_set_ad(req, assoc_data_len);
+
+- rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req);
++ aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
++ crypto_req_done, &wait);
++
++ rc = crypto_wait_req(enc ? crypto_aead_encrypt(req)
++ : crypto_aead_decrypt(req), &wait);
+
+ if (!rc && enc)
+ memcpy(&tr_hdr->Signature, sign, SMB2_SIGNATURE_SIZE);
--- /dev/null
+From stable+bounces-169391-greg=kroah.com@vger.kernel.org Wed Aug 13 15:32:28 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Aug 2025 09:32:18 -0400
+Subject: smb: server: Fix extension string in ksmbd_extract_shortname()
+To: stable@vger.kernel.org
+Cc: Thorsten Blum <thorsten.blum@linux.dev>, Namjae Jeon <linkinjeon@kernel.org>, Steve French <stfrench@microsoft.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250813133218.2035014-1-sashal@kernel.org>
+
+From: Thorsten Blum <thorsten.blum@linux.dev>
+
+[ Upstream commit 8e7d178d06e8937454b6d2f2811fa6a15656a214 ]
+
+In ksmbd_extract_shortname(), strscpy() is incorrectly called with the
+length of the source string (excluding the NUL terminator) rather than
+the size of the destination buffer. This results in "__" being copied
+to 'extension' rather than "___" (two underscores instead of three).
+
+Use the destination buffer size instead to ensure that the string "___"
+(three underscores) is copied correctly.
+
+Cc: stable@vger.kernel.org
+Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
+Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ksmbd/smb_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ksmbd/smb_common.c
++++ b/fs/ksmbd/smb_common.c
+@@ -508,7 +508,7 @@ int ksmbd_extract_shortname(struct ksmbd
+
+ p = strrchr(longname, '.');
+ if (p == longname) { /*name starts with a dot*/
+- strscpy(extension, "___", strlen("___"));
++ strscpy(extension, "___", sizeof(extension));
+ } else {
+ if (p) {
+ p++;
--- /dev/null
+From sashal@kernel.org Thu Aug 21 19:55:15 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Aug 2025 13:55:11 -0400
+Subject: usb: dwc3: imx8mp: fix device leak at unbind
+To: stable@vger.kernel.org
+Cc: Johan Hovold <johan@kernel.org>, Li Jun <jun.li@nxp.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250821175511.873013-1-sashal@kernel.org>
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit 086a0e516f7b3844e6328a5c69e2708b66b0ce18 ]
+
+Make sure to drop the reference to the dwc3 device taken by
+of_find_device_by_node() on probe errors and on driver unbind.
+
+Fixes: 6dd2565989b4 ("usb: dwc3: add imx8mp dwc3 glue layer driver")
+Cc: stable@vger.kernel.org # 5.12
+Cc: Li Jun <jun.li@nxp.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20250724091910.21092-2-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/dwc3-imx8mp.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc3/dwc3-imx8mp.c
++++ b/drivers/usb/dwc3/dwc3-imx8mp.c
+@@ -183,7 +183,7 @@ static int dwc3_imx8mp_probe(struct plat
+ IRQF_ONESHOT, dev_name(dev), dwc3_imx);
+ if (err) {
+ dev_err(dev, "failed to request IRQ #%d --> %d\n", irq, err);
+- goto depopulate;
++ goto put_dwc3;
+ }
+
+ device_set_wakeup_capable(dev, true);
+@@ -191,6 +191,8 @@ static int dwc3_imx8mp_probe(struct plat
+
+ return 0;
+
++put_dwc3:
++ put_device(&dwc3_imx->dwc3->dev);
+ depopulate:
+ of_platform_depopulate(dev);
+ err_node_put:
+@@ -211,6 +213,8 @@ static int dwc3_imx8mp_remove(struct pla
+ struct dwc3_imx8mp *dwc3_imx = platform_get_drvdata(pdev);
+ struct device *dev = &pdev->dev;
+
++ put_device(&dwc3_imx->dwc3->dev);
++
+ pm_runtime_get_sync(dev);
+ of_platform_depopulate(dev);
+
--- /dev/null
+From stable+bounces-164316-greg=kroah.com@vger.kernel.org Wed Jul 23 01:14:54 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Jul 2025 19:14:42 -0400
+Subject: usb: hub: avoid warm port reset during USB3 disconnect
+To: stable@vger.kernel.org
+Cc: Mathias Nyman <mathias.nyman@linux.intel.com>, Mark Pearson <markpearson@lenovo.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250722231443.999927-1-sashal@kernel.org>
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+[ Upstream commit f59f93cd1d720809466c7fd5aa16a236156c672b ]
+
+During disconnect USB-3 ports often go via SS.Inactive link error state
+before the missing terminations are noticed, and link finally goes to
+RxDetect state
+
+Avoid immediately warm-resetting ports in SS.Inactive state.
+Let ports settle for a while and re-read the link status a few times 20ms
+apart to see if the ports transitions out of SS.Inactive.
+
+According to USB 3.x spec 7.5.2, a port in SS.Inactive should
+automatically check for missing far-end receiver termination every
+12 ms (SSInactiveQuietTimeout)
+
+The futile multiple warm reset retries of a disconnected device takes
+a lot of time, also the resetting of a removed devices has caused cases
+where the reset bit got stuck for a long time on xHCI roothub.
+This lead to issues in detecting new devices connected to the same port
+shortly after.
+
+Tested-by: Mark Pearson <markpearson@lenovo.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20211210111653.1378381-1-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: 2521106fc732 ("usb: hub: Don't try to recover devices lost during warm reset.")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/core/hub.c | 26 ++++++++++++++++++++------
+ 1 file changed, 20 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -2857,6 +2857,8 @@ static unsigned hub_is_wusb(struct usb_h
+ #define PORT_INIT_TRIES 4
+ #endif /* CONFIG_USB_FEW_INIT_RETRIES */
+
++#define DETECT_DISCONNECT_TRIES 5
++
+ #define HUB_ROOT_RESET_TIME 60 /* times are in msec */
+ #define HUB_SHORT_RESET_TIME 10
+ #define HUB_BH_RESET_TIME 50
+@@ -5681,6 +5683,7 @@ static void port_event(struct usb_hub *h
+ struct usb_device *udev = port_dev->child;
+ struct usb_device *hdev = hub->hdev;
+ u16 portstatus, portchange;
++ int i = 0;
+
+ connect_change = test_bit(port1, hub->change_bits);
+ clear_bit(port1, hub->event_bits);
+@@ -5757,17 +5760,27 @@ static void port_event(struct usb_hub *h
+ connect_change = 1;
+
+ /*
+- * Warm reset a USB3 protocol port if it's in
+- * SS.Inactive state.
+- */
+- if (hub_port_warm_reset_required(hub, port1, portstatus)) {
+- dev_dbg(&port_dev->dev, "do warm reset\n");
+- if (!udev || !(portstatus & USB_PORT_STAT_CONNECTION)
++ * Avoid trying to recover a USB3 SS.Inactive port with a warm reset if
++ * the device was disconnected. A 12ms disconnect detect timer in
++ * SS.Inactive state transitions the port to RxDetect automatically.
++ * SS.Inactive link error state is common during device disconnect.
++ */
++ while (hub_port_warm_reset_required(hub, port1, portstatus)) {
++ if ((i++ < DETECT_DISCONNECT_TRIES) && udev) {
++ u16 unused;
++
++ msleep(20);
++ hub_port_status(hub, port1, &portstatus, &unused);
++ dev_dbg(&port_dev->dev, "Wait for inactive link disconnect detect\n");
++ continue;
++ } else if (!udev || !(portstatus & USB_PORT_STAT_CONNECTION)
+ || udev->state == USB_STATE_NOTATTACHED) {
++ dev_dbg(&port_dev->dev, "do warm reset, port only\n");
+ if (hub_port_reset(hub, port1, NULL,
+ HUB_BH_RESET_TIME, true) < 0)
+ hub_port_disable(hub, port1, 1);
+ } else {
++ dev_dbg(&port_dev->dev, "do warm reset, full device\n");
+ usb_unlock_port(port_dev);
+ usb_lock_device(udev);
+ usb_reset_device(udev);
+@@ -5775,6 +5788,7 @@ static void port_event(struct usb_hub *h
+ usb_lock_port(port_dev);
+ connect_change = 0;
+ }
++ break;
+ }
+
+ if (connect_change)
--- /dev/null
+From stable+bounces-164317-greg=kroah.com@vger.kernel.org Wed Jul 23 01:14:55 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Jul 2025 19:14:43 -0400
+Subject: usb: hub: Don't try to recover devices lost during warm reset.
+To: stable@vger.kernel.org
+Cc: "Mathias Nyman" <mathias.nyman@linux.intel.com>, "Łukasz Bartosik" <ukaszb@chromium.org>, "Alan Stern" <stern@rowland.harvard.edu>, "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250722231443.999927-2-sashal@kernel.org>
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+[ Upstream commit 2521106fc732b0b75fd3555c689b1ed1d29d273c ]
+
+Hub driver warm-resets ports in SS.Inactive or Compliance mode to
+recover a possible connected device. The port reset code correctly
+detects if a connection is lost during reset, but hub driver
+port_event() fails to take this into account in some cases.
+port_event() ends up using stale values and assumes there is a
+connected device, and will try all means to recover it, including
+power-cycling the port.
+
+Details:
+This case was triggered when xHC host was suspended with DbC (Debug
+Capability) enabled and connected. DbC turns one xHC port into a simple
+usb debug device, allowing debugging a system with an A-to-A USB debug
+cable.
+
+xhci DbC code disables DbC when xHC is system suspended to D3, and
+enables it back during resume.
+We essentially end up with two hosts connected to each other during
+suspend, and, for a short while during resume, until DbC is enabled back.
+The suspended xHC host notices some activity on the roothub port, but
+can't train the link due to being suspended, so xHC hardware sets a CAS
+(Cold Attach Status) flag for this port to inform xhci host driver that
+the port needs to be warm reset once xHC resumes.
+
+CAS is xHCI specific, and not part of USB specification, so xhci driver
+tells usb core that the port has a connection and link is in compliance
+mode. Recovery from complinace mode is similar to CAS recovery.
+
+xhci CAS driver support that fakes a compliance mode connection was added
+in commit 8bea2bd37df0 ("usb: Add support for root hub port status CAS")
+
+Once xHCI resumes and DbC is enabled back, all activity on the xHC
+roothub host side port disappears. The hub driver will anyway think
+port has a connection and link is in compliance mode, and hub driver
+will try to recover it.
+
+The port power-cycle during recovery seems to cause issues to the active
+DbC connection.
+
+Fix this by clearing connect_change flag if hub_port_reset() returns
+-ENOTCONN, thus avoiding the whole unnecessary port recovery and
+initialization attempt.
+
+Cc: stable@vger.kernel.org
+Fixes: 8bea2bd37df0 ("usb: Add support for root hub port status CAS")
+Tested-by: Łukasz Bartosik <ukaszb@chromium.org>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/r/20250623133947.3144608-1-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/core/hub.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -5684,6 +5684,7 @@ static void port_event(struct usb_hub *h
+ struct usb_device *hdev = hub->hdev;
+ u16 portstatus, portchange;
+ int i = 0;
++ int err;
+
+ connect_change = test_bit(port1, hub->change_bits);
+ clear_bit(port1, hub->event_bits);
+@@ -5776,8 +5777,11 @@ static void port_event(struct usb_hub *h
+ } else if (!udev || !(portstatus & USB_PORT_STAT_CONNECTION)
+ || udev->state == USB_STATE_NOTATTACHED) {
+ dev_dbg(&port_dev->dev, "do warm reset, port only\n");
+- if (hub_port_reset(hub, port1, NULL,
+- HUB_BH_RESET_TIME, true) < 0)
++ err = hub_port_reset(hub, port1, NULL,
++ HUB_BH_RESET_TIME, true);
++ if (!udev && err == -ENOTCONN)
++ connect_change = 0;
++ else if (err < 0)
+ hub_port_disable(hub, port1, 1);
+ } else {
+ dev_dbg(&port_dev->dev, "do warm reset, full device\n");
--- /dev/null
+From sashal@kernel.org Thu Aug 21 17:10:01 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Aug 2025 11:09:56 -0400
+Subject: usb: musb: omap2430: Convert to platform remove callback returning void
+To: stable@vger.kernel.org
+Cc: "Uwe Kleine-König" <u.kleine-koenig@pengutronix.de>, "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250821150957.756147-1-sashal@kernel.org>
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit cb020bf52253327fe382e10bcae02a4f1da33c04 ]
+
+The .remove() callback for a platform driver returns an int which makes
+many driver authors wrongly assume it's possible to do error handling by
+returning an error code. However the value returned is (mostly) ignored
+and this typically results in resource leaks. To improve here there is a
+quest to make the remove callback return void. In the first step of this
+quest all drivers are converted to .remove_new() which already returns
+void.
+
+Trivially convert this driver from always returning zero in the remove
+callback to the void returning variant.
+
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Link: https://lore.kernel.org/r/20230405141009.3400693-8-u.kleine-koenig@pengutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: 1473e9e7679b ("usb: musb: omap2430: fix device leak at unbind")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/musb/omap2430.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/musb/omap2430.c
++++ b/drivers/usb/musb/omap2430.c
+@@ -435,14 +435,12 @@ err0:
+ return ret;
+ }
+
+-static int omap2430_remove(struct platform_device *pdev)
++static void omap2430_remove(struct platform_device *pdev)
+ {
+ struct omap2430_glue *glue = platform_get_drvdata(pdev);
+
+ platform_device_unregister(glue->musb);
+ pm_runtime_disable(glue->dev);
+-
+- return 0;
+ }
+
+ #ifdef CONFIG_PM
+@@ -574,7 +572,7 @@ MODULE_DEVICE_TABLE(of, omap2430_id_tabl
+
+ static struct platform_driver omap2430_driver = {
+ .probe = omap2430_probe,
+- .remove = omap2430_remove,
++ .remove_new = omap2430_remove,
+ .driver = {
+ .name = "musb-omap2430",
+ .pm = DEV_PM_OPS,
--- /dev/null
+From sashal@kernel.org Thu Aug 21 17:10:02 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Aug 2025 11:09:57 -0400
+Subject: usb: musb: omap2430: fix device leak at unbind
+To: stable@vger.kernel.org
+Cc: Johan Hovold <johan@kernel.org>, Roger Quadros <rogerq@kernel.org>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250821150957.756147-2-sashal@kernel.org>
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit 1473e9e7679bd4f5a62d1abccae894fb86de280f ]
+
+Make sure to drop the reference to the control device taken by
+of_find_device_by_node() during probe when the driver is unbound.
+
+Fixes: 8934d3e4d0e7 ("usb: musb: omap2430: Don't use omap_get_control_dev()")
+Cc: stable@vger.kernel.org # 3.13
+Cc: Roger Quadros <rogerq@kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20250724091910.21092-5-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[ Removed populate_irqs-related goto changes ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/musb/omap2430.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/musb/omap2430.c
++++ b/drivers/usb/musb/omap2430.c
+@@ -406,13 +406,13 @@ static int omap2430_probe(struct platfor
+ ARRAY_SIZE(musb_resources));
+ if (ret) {
+ dev_err(&pdev->dev, "failed to add resources\n");
+- goto err2;
++ goto err_put_control_otghs;
+ }
+
+ ret = platform_device_add_data(musb, pdata, sizeof(*pdata));
+ if (ret) {
+ dev_err(&pdev->dev, "failed to add platform_data\n");
+- goto err2;
++ goto err_put_control_otghs;
+ }
+
+ pm_runtime_enable(glue->dev);
+@@ -427,7 +427,9 @@ static int omap2430_probe(struct platfor
+
+ err3:
+ pm_runtime_disable(glue->dev);
+-
++err_put_control_otghs:
++ if (!IS_ERR(glue->control_otghs))
++ put_device(glue->control_otghs);
+ err2:
+ platform_device_put(musb);
+
+@@ -441,6 +443,8 @@ static void omap2430_remove(struct platf
+
+ platform_device_unregister(glue->musb);
+ pm_runtime_disable(glue->dev);
++ if (!IS_ERR(glue->control_otghs))
++ put_device(glue->control_otghs);
+ }
+
+ #ifdef CONFIG_PM
--- /dev/null
+From stable+bounces-171665-greg=kroah.com@vger.kernel.org Tue Aug 19 00:46:57 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Aug 2025 18:46:47 -0400
+Subject: usb: typec: fusb302: cache PD RX state
+To: stable@vger.kernel.org
+Cc: Sebastian Reichel <sebastian.reichel@collabora.com>, stable <stable@kernel.org>, Heikki Krogerus <heikki.krogerus@linux.intel.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250818224647.124559-1-sashal@kernel.org>
+
+From: Sebastian Reichel <sebastian.reichel@collabora.com>
+
+[ Upstream commit 1e61f6ab08786d66a11cfc51e13d6f08a6b06c56 ]
+
+This patch fixes a race condition communication error, which ends up in
+PD hard resets when losing the race. Some systems, like the Radxa ROCK
+5B are powered through USB-C without any backup power source and use a
+FUSB302 chip to do the PD negotiation. This means it is quite important
+to avoid hard resets, since that effectively kills the system's
+power-supply.
+
+I've found the following race condition while debugging unplanned power
+loss during booting the board every now and then:
+
+1. lots of TCPM/FUSB302/PD initialization stuff
+2. TCPM ends up in SNK_WAIT_CAPABILITIES (tcpm_set_pd_rx is enabled here)
+3. the remote PD source does not send anything, so TCPM does a SOFT RESET
+4. TCPM ends up in SNK_WAIT_CAPABILITIES for the second time
+ (tcpm_set_pd_rx is enabled again, even though it is still on)
+
+At this point I've seen broken CRC good messages being send by the
+FUSB302 with a logic analyzer sniffing the CC lines. Also it looks like
+messages are being lost and things generally going haywire with one of
+the two sides doing a hard reset once a broken CRC good message was send
+to the bus.
+
+I think the system is running into a race condition, that the FIFOs are
+being cleared and/or the automatic good CRC message generation flag is
+being updated while a message is already arriving.
+
+Let's avoid this by caching the PD RX enabled state, as we have already
+processed anything in the FIFOs and are in a good state. As a side
+effect that this also optimizes I2C bus usage :)
+
+As far as I can tell the problem theoretically also exists when TCPM
+enters SNK_WAIT_CAPABILITIES the first time, but I believe this is less
+critical for the following reason:
+
+On devices like the ROCK 5B, which are powered through a TCPM backed
+USB-C port, the bootloader must have done some prior PD communication
+(initial communication must happen within 5 seconds after plugging the
+USB-C plug). This means the first time the kernel TCPM state machine
+reaches SNK_WAIT_CAPABILITIES, the remote side is not sending messages
+actively. On other devices a hard reset simply adds some extra delay and
+things should be good afterwards.
+
+Fixes: c034a43e72dda ("staging: typec: Fairchild FUSB302 Type-c chip driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20250704-fusb302-race-condition-fix-v1-1-239012c0e27a@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[ replaced str_on_off(on) with ternary operator ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/tcpm/fusb302.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/usb/typec/tcpm/fusb302.c
++++ b/drivers/usb/typec/tcpm/fusb302.c
+@@ -103,6 +103,7 @@ struct fusb302_chip {
+ bool vconn_on;
+ bool vbus_on;
+ bool charge_on;
++ bool pd_rx_on;
+ bool vbus_present;
+ enum typec_cc_polarity cc_polarity;
+ enum typec_cc_status cc1;
+@@ -841,6 +842,11 @@ static int tcpm_set_pd_rx(struct tcpc_de
+ int ret = 0;
+
+ mutex_lock(&chip->lock);
++ if (chip->pd_rx_on == on) {
++ fusb302_log(chip, "pd is already %s", on ? "on" : "off");
++ goto done;
++ }
++
+ ret = fusb302_pd_rx_flush(chip);
+ if (ret < 0) {
+ fusb302_log(chip, "cannot flush pd rx buffer, ret=%d", ret);
+@@ -863,6 +869,8 @@ static int tcpm_set_pd_rx(struct tcpc_de
+ on ? "on" : "off", ret);
+ goto done;
+ }
++
++ chip->pd_rx_on = on;
+ fusb302_log(chip, "pd := %s", on ? "on" : "off");
+ done:
+ mutex_unlock(&chip->lock);
--- /dev/null
+From stable+bounces-169434-greg=kroah.com@vger.kernel.org Wed Aug 13 18:05:56 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Aug 2025 11:59:47 -0400
+Subject: x86/fpu: Delay instruction pointer fixup until after warning
+To: stable@vger.kernel.org
+Cc: Dave Hansen <dave.hansen@linux.intel.com>, Chao Gao <chao.gao@intel.com>, Alison Schofield <alison.schofield@intel.com>, Peter Zijlstra <peterz@infradead.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250813155947.2053690-1-sashal@kernel.org>
+
+From: Dave Hansen <dave.hansen@linux.intel.com>
+
+[ Upstream commit 1cec9ac2d071cfd2da562241aab0ef701355762a ]
+
+Right now, if XRSTOR fails a console message like this is be printed:
+
+ Bad FPU state detected at restore_fpregs_from_fpstate+0x9a/0x170, reinitializing FPU registers.
+
+However, the text location (...+0x9a in this case) is the instruction
+*AFTER* the XRSTOR. The highlighted instruction in the "Code:" dump
+also points one instruction late.
+
+The reason is that the "fixup" moves RIP up to pass the bad XRSTOR and
+keep on running after returning from the #GP handler. But it does this
+fixup before warning.
+
+The resulting warning output is nonsensical because it looks like the
+non-FPU-related instruction is #GP'ing.
+
+Do not fix up RIP until after printing the warning. Do this by using
+the more generic and standard ex_handler_default().
+
+Fixes: d5c8028b4788 ("x86/fpu: Reinitialize FPU registers if restoring FPU state fails")
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Reviewed-by: Chao Gao <chao.gao@intel.com>
+Acked-by: Alison Schofield <alison.schofield@intel.com>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc:stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20250624210148.97126F9E%40davehans-spike.ostc.intel.com
+[ Replace fpu_reset_from_exception_fixup() with __restore_fpregs_from_fpstate() ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/mm/extable.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/mm/extable.c
++++ b/arch/x86/mm/extable.c
+@@ -60,13 +60,12 @@ static bool ex_handler_fault(const struc
+ static bool ex_handler_fprestore(const struct exception_table_entry *fixup,
+ struct pt_regs *regs)
+ {
+- regs->ip = ex_fixup_addr(fixup);
+-
+ WARN_ONCE(1, "Bad FPU state detected at %pB, reinitializing FPU registers.",
+ (void *)instruction_pointer(regs));
+
+ __restore_fpregs_from_fpstate(&init_fpstate, xfeatures_mask_fpstate());
+- return true;
++
++ return ex_handler_default(fixup, regs);
+ }
+
+ static bool ex_handler_uaccess(const struct exception_table_entry *fixup,
--- /dev/null
+From stable+bounces-164362-greg=kroah.com@vger.kernel.org Wed Jul 23 05:57:32 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Jul 2025 23:57:21 -0400
+Subject: x86/mce/amd: Add default names for MCA banks and blocks
+To: stable@vger.kernel.org
+Cc: Yazen Ghannam <yazen.ghannam@amd.com>, Borislav Petkov <bp@alien8.de>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250723035721.1044134-1-sashal@kernel.org>
+
+From: Yazen Ghannam <yazen.ghannam@amd.com>
+
+[ Upstream commit d66e1e90b16055d2f0ee76e5384e3f119c3c2773 ]
+
+Ensure that sysfs init doesn't fail for new/unrecognized bank types or if
+a bank has additional blocks available.
+
+Most MCA banks have a single thresholding block, so the block takes the same
+name as the bank.
+
+Unified Memory Controllers (UMCs) are a special case where there are two
+blocks and each has a unique name.
+
+However, the microarchitecture allows for five blocks. Any new MCA bank types
+with more than one block will be missing names for the extra blocks. The MCE
+sysfs will fail to initialize in this case.
+
+Fixes: 87a6d4091bd7 ("x86/mce/AMD: Update sysfs bank names for SMCA systems")
+Signed-off-by: Yazen Ghannam <yazen.ghannam@amd.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/20250624-wip-mca-updates-v4-3-236dd74f645f@amd.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/cpu/mce/amd.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/cpu/mce/amd.c
++++ b/arch/x86/kernel/cpu/mce/amd.c
+@@ -1228,13 +1228,20 @@ static const char *get_name(unsigned int
+ }
+
+ bank_type = smca_get_bank_type(bank);
+- if (bank_type >= N_SMCA_BANK_TYPES)
+- return NULL;
+
+ if (b && bank_type == SMCA_UMC) {
+ if (b->block < ARRAY_SIZE(smca_umc_block_names))
+ return smca_umc_block_names[b->block];
+- return NULL;
++ }
++
++ if (b && b->block) {
++ snprintf(buf_mcatype, MAX_MCATYPE_NAME_LEN, "th_block_%u", b->block);
++ return buf_mcatype;
++ }
++
++ if (bank_type >= N_SMCA_BANK_TYPES) {
++ snprintf(buf_mcatype, MAX_MCATYPE_NAME_LEN, "th_bank_%u", bank);
++ return buf_mcatype;
+ }
+
+ if (smca_banks[bank].hwid->count == 1)
projects / thirdparty / kernel / stable-queue.git / commitdiff
