--- /dev/null
+From stable+bounces-164981-greg=kroah.com@vger.kernel.org Mon Jul 28 17:00:53 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Jul 2025 11:00:44 -0400
+Subject: ARM: 9448/1: Use an absolute path to unified.h in KBUILD_AFLAGS
+To: stable@vger.kernel.org
+Cc: Nathan Chancellor <nathan@kernel.org>, KernelCI bot <bot@kernelci.org>, Masahiro Yamada <masahiroy@kernel.org>, Russell King <rmk+kernel@armlinux.org.uk>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250728150044.2341245-1-sashal@kernel.org>
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+[ Upstream commit 87c4e1459e80bf65066f864c762ef4dc932fad4b ]
+
+After commit d5c8d6e0fa61 ("kbuild: Update assembler calls to use proper
+flags and language target"), which updated as-instr to use the
+'assembler-with-cpp' language option, the Kbuild version of as-instr
+always fails internally for arch/arm with
+
+ <command-line>: fatal error: asm/unified.h: No such file or directory
+ compilation terminated.
+
+because '-include' flags are now taken into account by the compiler
+driver and as-instr does not have '$(LINUXINCLUDE)', so unified.h is not
+found.
+
+This went unnoticed at the time of the Kbuild change because the last
+use of as-instr in Kbuild that arch/arm could reach was removed in 5.7
+by commit 541ad0150ca4 ("arm: Remove 32bit KVM host support") but a
+stable backport of the Kbuild change to before that point exposed this
+potential issue if one were to be reintroduced.
+
+Follow the general pattern of '-include' paths throughout the tree and
+make unified.h absolute using '$(srctree)' to ensure KBUILD_AFLAGS can
+be used independently.
+
+Closes: https://lore.kernel.org/CACo-S-1qbCX4WAVFA63dWfHtrRHZBTyyr2js8Lx=Az03XHTTHg@mail.gmail.com/
+
+Cc: stable@vger.kernel.org
+Fixes: d5c8d6e0fa61 ("kbuild: Update assembler calls to use proper flags and language target")
+Reported-by: KernelCI bot <bot@kernelci.org>
+Reviewed-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+[ adapted to missing -Wa ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/Makefile
++++ b/arch/arm/Makefile
+@@ -126,7 +126,7 @@ endif
+
+ # Need -Uarm for gcc < 3.x
+ KBUILD_CFLAGS +=$(CFLAGS_ABI) $(CFLAGS_ISA) $(arch-y) $(tune-y) $(call cc-option,-mshort-load-bytes,$(call cc-option,-malignment-traps,)) -msoft-float -Uarm
+-KBUILD_AFLAGS +=$(CFLAGS_ABI) $(AFLAGS_ISA) $(arch-y) $(tune-y) -include asm/unified.h -msoft-float
++KBUILD_AFLAGS +=$(CFLAGS_ABI) $(AFLAGS_ISA) $(arch-y) $(tune-y) -include $(srctree)/arch/arm/include/asm/unified.h -msoft-float
+
+ CHECKFLAGS += -D__arm__
+
--- /dev/null
+From a647a524a46736786c95cdb553a070322ca096e3 Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@redhat.com>
+Date: Fri, 24 Sep 2021 19:07:04 +0800
+Subject: block: don't call rq_qos_ops->done_bio if the bio isn't tracked
+
+From: Ming Lei <ming.lei@redhat.com>
+
+commit a647a524a46736786c95cdb553a070322ca096e3 upstream.
+
+rq_qos framework is only applied on request based driver, so:
+
+1) rq_qos_done_bio() needn't to be called for bio based driver
+
+2) rq_qos_done_bio() needn't to be called for bio which isn't tracked,
+such as bios ended from error handling code.
+
+Especially in bio_endio():
+
+1) request queue is referred via bio->bi_bdev->bd_disk->queue, which
+may be gone since request queue refcount may not be held in above two
+cases
+
+2) q->rq_qos may be freed in blk_cleanup_queue() when calling into
+__rq_qos_done_bio()
+
+Fix the potential kernel panic by not calling rq_qos_ops->done_bio if
+the bio isn't tracked. This way is safe because both ioc_rqos_done_bio()
+and blkcg_iolatency_done_bio() are nop if the bio isn't tracked.
+
+Reported-by: Yu Kuai <yukuai3@huawei.com>
+Cc: tj@kernel.org
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Acked-by: Tejun Heo <tj@kernel.org>
+Link: https://lore.kernel.org/r/20210924110704.1541818-1-ming.lei@redhat.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+[ Shivani: Modified to apply on 5.10.y ]
+Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/bio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/block/bio.c
++++ b/block/bio.c
+@@ -1430,7 +1430,7 @@ again:
+ if (!bio_integrity_endio(bio))
+ return;
+
+- if (bio->bi_disk)
++ if (bio->bi_disk && bio_flagged(bio, BIO_TRACKED))
+ rq_qos_done_bio(bio->bi_disk->queue, bio);
+
+ /*
--- /dev/null
+From f9baa501b4fd6962257853d46ddffbc21f27e344 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Thu, 22 Apr 2021 12:08:05 +0100
+Subject: btrfs: fix deadlock when cloning inline extents and using qgroups
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit f9baa501b4fd6962257853d46ddffbc21f27e344 upstream.
+
+There are a few exceptional cases where cloning an inline extent needs to
+copy the inline extent data into a page of the destination inode.
+
+When this happens, we end up starting a transaction while having a dirty
+page for the destination inode and while having the range locked in the
+destination's inode iotree too. Because when reserving metadata space
+for a transaction we may need to flush existing delalloc in case there is
+not enough free space, we have a mechanism in place to prevent a deadlock,
+which was introduced in commit 3d45f221ce627d ("btrfs: fix deadlock when
+cloning inline extent and low on free metadata space").
+
+However when using qgroups, a transaction also reserves metadata qgroup
+space, which can also result in flushing delalloc in case there is not
+enough available space at the moment. When this happens we deadlock, since
+flushing delalloc requires locking the file range in the inode's iotree
+and the range was already locked at the very beginning of the clone
+operation, before attempting to start the transaction.
+
+When this issue happens, stack traces like the following are reported:
+
+ [72747.556262] task:kworker/u81:9 state:D stack: 0 pid: 225 ppid: 2 flags:0x00004000
+ [72747.556268] Workqueue: writeback wb_workfn (flush-btrfs-1142)
+ [72747.556271] Call Trace:
+ [72747.556273] __schedule+0x296/0x760
+ [72747.556277] schedule+0x3c/0xa0
+ [72747.556279] io_schedule+0x12/0x40
+ [72747.556284] __lock_page+0x13c/0x280
+ [72747.556287] ? generic_file_readonly_mmap+0x70/0x70
+ [72747.556325] extent_write_cache_pages+0x22a/0x440 [btrfs]
+ [72747.556331] ? __set_page_dirty_nobuffers+0xe7/0x160
+ [72747.556358] ? set_extent_buffer_dirty+0x5e/0x80 [btrfs]
+ [72747.556362] ? update_group_capacity+0x25/0x210
+ [72747.556366] ? cpumask_next_and+0x1a/0x20
+ [72747.556391] extent_writepages+0x44/0xa0 [btrfs]
+ [72747.556394] do_writepages+0x41/0xd0
+ [72747.556398] __writeback_single_inode+0x39/0x2a0
+ [72747.556403] writeback_sb_inodes+0x1ea/0x440
+ [72747.556407] __writeback_inodes_wb+0x5f/0xc0
+ [72747.556410] wb_writeback+0x235/0x2b0
+ [72747.556414] ? get_nr_inodes+0x35/0x50
+ [72747.556417] wb_workfn+0x354/0x490
+ [72747.556420] ? newidle_balance+0x2c5/0x3e0
+ [72747.556424] process_one_work+0x1aa/0x340
+ [72747.556426] worker_thread+0x30/0x390
+ [72747.556429] ? create_worker+0x1a0/0x1a0
+ [72747.556432] kthread+0x116/0x130
+ [72747.556435] ? kthread_park+0x80/0x80
+ [72747.556438] ret_from_fork+0x1f/0x30
+
+ [72747.566958] Workqueue: btrfs-flush_delalloc btrfs_work_helper [btrfs]
+ [72747.566961] Call Trace:
+ [72747.566964] __schedule+0x296/0x760
+ [72747.566968] ? finish_wait+0x80/0x80
+ [72747.566970] schedule+0x3c/0xa0
+ [72747.566995] wait_extent_bit.constprop.68+0x13b/0x1c0 [btrfs]
+ [72747.566999] ? finish_wait+0x80/0x80
+ [72747.567024] lock_extent_bits+0x37/0x90 [btrfs]
+ [72747.567047] btrfs_invalidatepage+0x299/0x2c0 [btrfs]
+ [72747.567051] ? find_get_pages_range_tag+0x2cd/0x380
+ [72747.567076] __extent_writepage+0x203/0x320 [btrfs]
+ [72747.567102] extent_write_cache_pages+0x2bb/0x440 [btrfs]
+ [72747.567106] ? update_load_avg+0x7e/0x5f0
+ [72747.567109] ? enqueue_entity+0xf4/0x6f0
+ [72747.567134] extent_writepages+0x44/0xa0 [btrfs]
+ [72747.567137] ? enqueue_task_fair+0x93/0x6f0
+ [72747.567140] do_writepages+0x41/0xd0
+ [72747.567144] __filemap_fdatawrite_range+0xc7/0x100
+ [72747.567167] btrfs_run_delalloc_work+0x17/0x40 [btrfs]
+ [72747.567195] btrfs_work_helper+0xc2/0x300 [btrfs]
+ [72747.567200] process_one_work+0x1aa/0x340
+ [72747.567202] worker_thread+0x30/0x390
+ [72747.567205] ? create_worker+0x1a0/0x1a0
+ [72747.567208] kthread+0x116/0x130
+ [72747.567211] ? kthread_park+0x80/0x80
+ [72747.567214] ret_from_fork+0x1f/0x30
+
+ [72747.569686] task:fsstress state:D stack: 0 pid:841421 ppid:841417 flags:0x00000000
+ [72747.569689] Call Trace:
+ [72747.569691] __schedule+0x296/0x760
+ [72747.569694] schedule+0x3c/0xa0
+ [72747.569721] try_flush_qgroup+0x95/0x140 [btrfs]
+ [72747.569725] ? finish_wait+0x80/0x80
+ [72747.569753] btrfs_qgroup_reserve_data+0x34/0x50 [btrfs]
+ [72747.569781] btrfs_check_data_free_space+0x5f/0xa0 [btrfs]
+ [72747.569804] btrfs_buffered_write+0x1f7/0x7f0 [btrfs]
+ [72747.569810] ? path_lookupat.isra.48+0x97/0x140
+ [72747.569833] btrfs_file_write_iter+0x81/0x410 [btrfs]
+ [72747.569836] ? __kmalloc+0x16a/0x2c0
+ [72747.569839] do_iter_readv_writev+0x160/0x1c0
+ [72747.569843] do_iter_write+0x80/0x1b0
+ [72747.569847] vfs_writev+0x84/0x140
+ [72747.569869] ? btrfs_file_llseek+0x38/0x270 [btrfs]
+ [72747.569873] do_writev+0x65/0x100
+ [72747.569876] do_syscall_64+0x33/0x40
+ [72747.569879] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+ [72747.569899] task:fsstress state:D stack: 0 pid:841424 ppid:841417 flags:0x00004000
+ [72747.569903] Call Trace:
+ [72747.569906] __schedule+0x296/0x760
+ [72747.569909] schedule+0x3c/0xa0
+ [72747.569936] try_flush_qgroup+0x95/0x140 [btrfs]
+ [72747.569940] ? finish_wait+0x80/0x80
+ [72747.569967] __btrfs_qgroup_reserve_meta+0x36/0x50 [btrfs]
+ [72747.569989] start_transaction+0x279/0x580 [btrfs]
+ [72747.570014] clone_copy_inline_extent+0x332/0x490 [btrfs]
+ [72747.570041] btrfs_clone+0x5b7/0x7a0 [btrfs]
+ [72747.570068] ? lock_extent_bits+0x64/0x90 [btrfs]
+ [72747.570095] btrfs_clone_files+0xfc/0x150 [btrfs]
+ [72747.570122] btrfs_remap_file_range+0x3d8/0x4a0 [btrfs]
+ [72747.570126] do_clone_file_range+0xed/0x200
+ [72747.570131] vfs_clone_file_range+0x37/0x110
+ [72747.570134] ioctl_file_clone+0x7d/0xb0
+ [72747.570137] do_vfs_ioctl+0x138/0x630
+ [72747.570140] __x64_sys_ioctl+0x62/0xc0
+ [72747.570143] do_syscall_64+0x33/0x40
+ [72747.570146] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+So fix this by skipping the flush of delalloc for an inode that is
+flagged with BTRFS_INODE_NO_DELALLOC_FLUSH, meaning it is currently under
+such a special case of cloning an inline extent, when flushing delalloc
+during qgroup metadata reservation.
+
+The special cases for cloning inline extents were added in kernel 5.7 by
+by commit 05a5a7621ce66c ("Btrfs: implement full reflink support for
+inline extents"), while having qgroup metadata space reservation flushing
+delalloc when low on space was added in kernel 5.9 by commit
+c53e9653605dbf ("btrfs: qgroup: try to flush qgroup space when we get
+-EDQUOT"). So use a "Fixes:" tag for the later commit to ease stable
+kernel backports.
+
+Reported-by: Wang Yugui <wangyugui@e16-tech.com>
+Link: https://lore.kernel.org/linux-btrfs/20210421083137.31E3.409509F4@e16-tech.com/
+Fixes: c53e9653605dbf ("btrfs: qgroup: try to flush qgroup space when we get -EDQUOT")
+CC: stable@vger.kernel.org # 5.9+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+[ Shivani: Modified to apply on 5.10.y, Passed false to
+ btrfs_start_delalloc_flush() in fs/btrfs/transaction.c file to
+ maintain the default behaviour ]
+Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/ctree.h | 2 +-
+ fs/btrfs/inode.c | 4 ++--
+ fs/btrfs/ioctl.c | 2 +-
+ fs/btrfs/qgroup.c | 2 +-
+ fs/btrfs/send.c | 4 ++--
+ fs/btrfs/transaction.c | 2 +-
+ 6 files changed, 8 insertions(+), 8 deletions(-)
+
+--- a/fs/btrfs/ctree.h
++++ b/fs/btrfs/ctree.h
+@@ -3013,7 +3013,7 @@ int btrfs_truncate_inode_items(struct bt
+ struct inode *inode, u64 new_size,
+ u32 min_type);
+
+-int btrfs_start_delalloc_snapshot(struct btrfs_root *root);
++int btrfs_start_delalloc_snapshot(struct btrfs_root *root, bool in_reclaim_context);
+ int btrfs_start_delalloc_roots(struct btrfs_fs_info *fs_info, u64 nr,
+ bool in_reclaim_context);
+ int btrfs_set_extent_delalloc(struct btrfs_inode *inode, u64 start, u64 end,
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -9566,7 +9566,7 @@ out:
+ return ret;
+ }
+
+-int btrfs_start_delalloc_snapshot(struct btrfs_root *root)
++int btrfs_start_delalloc_snapshot(struct btrfs_root *root, bool in_reclaim_context)
+ {
+ struct writeback_control wbc = {
+ .nr_to_write = LONG_MAX,
+@@ -9579,7 +9579,7 @@ int btrfs_start_delalloc_snapshot(struct
+ if (test_bit(BTRFS_FS_STATE_ERROR, &fs_info->fs_state))
+ return -EROFS;
+
+- return start_delalloc_inodes(root, &wbc, true, false);
++ return start_delalloc_inodes(root, &wbc, true, in_reclaim_context);
+ }
+
+ int btrfs_start_delalloc_roots(struct btrfs_fs_info *fs_info, u64 nr,
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -1030,7 +1030,7 @@ static noinline int btrfs_mksnapshot(con
+ */
+ btrfs_drew_read_lock(&root->snapshot_lock);
+
+- ret = btrfs_start_delalloc_snapshot(root);
++ ret = btrfs_start_delalloc_snapshot(root, false);
+ if (ret)
+ goto out;
+
+--- a/fs/btrfs/qgroup.c
++++ b/fs/btrfs/qgroup.c
+@@ -3704,7 +3704,7 @@ static int try_flush_qgroup(struct btrfs
+ return 0;
+ }
+
+- ret = btrfs_start_delalloc_snapshot(root);
++ ret = btrfs_start_delalloc_snapshot(root, true);
+ if (ret < 0)
+ goto out;
+ btrfs_wait_ordered_extents(root, U64_MAX, 0, (u64)-1);
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -7207,7 +7207,7 @@ static int flush_delalloc_roots(struct s
+ int i;
+
+ if (root) {
+- ret = btrfs_start_delalloc_snapshot(root);
++ ret = btrfs_start_delalloc_snapshot(root, false);
+ if (ret)
+ return ret;
+ btrfs_wait_ordered_extents(root, U64_MAX, 0, U64_MAX);
+@@ -7215,7 +7215,7 @@ static int flush_delalloc_roots(struct s
+
+ for (i = 0; i < sctx->clone_roots_cnt; i++) {
+ root = sctx->clone_roots[i].root;
+- ret = btrfs_start_delalloc_snapshot(root);
++ ret = btrfs_start_delalloc_snapshot(root, false);
+ if (ret)
+ return ret;
+ btrfs_wait_ordered_extents(root, U64_MAX, 0, U64_MAX);
+--- a/fs/btrfs/transaction.c
++++ b/fs/btrfs/transaction.c
+@@ -2045,7 +2045,7 @@ static inline int btrfs_start_delalloc_f
+ list_for_each_entry(pending, head, list) {
+ int ret;
+
+- ret = btrfs_start_delalloc_snapshot(pending->root);
++ ret = btrfs_start_delalloc_snapshot(pending->root, false);
+ if (ret)
+ return ret;
+ }
--- /dev/null
+From prvs=308dc1d81=wanjay@amazon.com Fri Aug 8 20:05:43 2025
+From: Jay Wang <wanjay@amazon.com>
+Date: Fri, 8 Aug 2025 18:05:37 +0000
+Subject: dma-buf: insert memory barrier before updating num_fences
+To: <stable@vger.kernel.org>
+Cc: <gregkh@linuxfoundation.org>, <christian.koenig@amd.com>, <hjeong.choi@samsung.com>
+Message-ID: <20250808180537.26649-1-wanjay@amazon.com>
+
+From: Hyejeong Choi <hjeong.choi@samsung.com>
+
+commit 72c7d62583ebce7baeb61acce6057c361f73be4a upstream.
+
+smp_store_mb() inserts memory barrier after storing operation.
+It is different with what the comment is originally aiming so Null
+pointer dereference can be happened if memory update is reordered.
+
+Signed-off-by: Hyejeong Choi <hjeong.choi@samsung.com>
+Fixes: a590d0fdbaa5 ("dma-buf: Update reservation shared_count after adding the new fence")
+CC: stable@vger.kernel.org
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Link: https://lore.kernel.org/r/20250513020638.GA2329653@au1-maretx-p37.eng.sarc.samsung.com
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[Conflict resolved by applying changes from dma_resv_add_fence() in the original fix to dma_resv_add_shared_fence() in current code base]
+Signed-off-by: Jay Wang <wanjay@amazon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma-buf/dma-resv.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/dma-buf/dma-resv.c
++++ b/drivers/dma-buf/dma-resv.c
+@@ -290,8 +290,9 @@ void dma_resv_add_shared_fence(struct dm
+
+ replace:
+ RCU_INIT_POINTER(fobj->shared[i], fence);
+- /* pointer update must be visible before we extend the shared_count */
+- smp_store_mb(fobj->shared_count, count);
++ /* fence update must be visible before we extend the shared_count */
++ smp_wmb();
++ fobj->shared_count = count;
+
+ write_seqcount_end(&obj->seq);
+ dma_fence_put(old);
--- /dev/null
+From stable+bounces-165029-greg=kroah.com@vger.kernel.org Tue Jul 29 06:29:10 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Jul 2025 00:28:53 -0400
+Subject: dpaa2-eth: Fix device reference count leak in MAC endpoint handling
+To: stable@vger.kernel.org
+Cc: Ma Ke <make24@iscas.ac.cn>, Ioana Ciornei <ioana.ciornei@nxp.com>, Simon Horman <horms@kernel.org>, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250729042853.2357022-4-sashal@kernel.org>
+
+From: Ma Ke <make24@iscas.ac.cn>
+
+[ Upstream commit ee9f3a81ab08dfe0538dbd1746f81fd4d5147fdc ]
+
+The fsl_mc_get_endpoint() function uses device_find_child() for
+localization, which implicitly calls get_device() to increment the
+device's reference count before returning the pointer. However, the
+caller dpaa2_eth_connect_mac() fails to properly release this
+reference in multiple scenarios. We should call put_device() to
+decrement reference count properly.
+
+As comment of device_find_child() says, 'NOTE: you will need to drop
+the reference with put_device() after use'.
+
+Found by code review.
+
+Cc: stable@vger.kernel.org
+Fixes: 719479230893 ("dpaa2-eth: add MAC/PHY support through phylink")
+Signed-off-by: Ma Ke <make24@iscas.ac.cn>
+Tested-by: Ioana Ciornei <ioana.ciornei@nxp.com>
+Reviewed-by: Ioana Ciornei <ioana.ciornei@nxp.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250717022309.3339976-2-make24@iscas.ac.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
+@@ -4138,12 +4138,19 @@ static int dpaa2_eth_connect_mac(struct
+ if (PTR_ERR(dpmac_dev) == -EPROBE_DEFER)
+ return PTR_ERR(dpmac_dev);
+
+- if (IS_ERR(dpmac_dev) || dpmac_dev->dev.type != &fsl_mc_bus_dpmac_type)
++ if (IS_ERR(dpmac_dev))
+ return 0;
+
++ if (dpmac_dev->dev.type != &fsl_mc_bus_dpmac_type) {
++ err = 0;
++ goto out_put_device;
++ }
++
+ mac = kzalloc(sizeof(struct dpaa2_mac), GFP_KERNEL);
+- if (!mac)
+- return -ENOMEM;
++ if (!mac) {
++ err = -ENOMEM;
++ goto out_put_device;
++ }
+
+ mac->mc_dev = dpmac_dev;
+ mac->mc_io = priv->mc_io;
+@@ -4169,6 +4176,8 @@ err_close_mac:
+ priv->mac = NULL;
+ err_free_mac:
+ kfree(mac);
++out_put_device:
++ put_device(&dpmac_dev->dev);
+ return err;
+ }
+
--- /dev/null
+From stable+bounces-165028-greg=kroah.com@vger.kernel.org Tue Jul 29 06:29:09 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Jul 2025 00:28:52 -0400
+Subject: dpaa2-eth: retry the probe when the MAC is not yet discovered on the bus
+To: stable@vger.kernel.org
+Cc: Ioana Ciornei <ioana.ciornei@nxp.com>, Andrew Lunn <andrew@lunn.ch>, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250729042853.2357022-3-sashal@kernel.org>
+
+From: Ioana Ciornei <ioana.ciornei@nxp.com>
+
+[ Upstream commit 47325da28ef137fa04a0e5d6d244e9635184bf5e ]
+
+The fsl_mc_get_endpoint() function now returns -EPROBE_DEFER when the
+dpmac device was not yet discovered by the fsl-mc bus. When this
+happens, pass the error code up so that we can retry the probe at a
+later time.
+
+Signed-off-by: Ioana Ciornei <ioana.ciornei@nxp.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: ee9f3a81ab08 ("dpaa2-eth: Fix device reference count leak in MAC endpoint handling")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
+@@ -4134,7 +4134,11 @@ static int dpaa2_eth_connect_mac(struct
+
+ dpni_dev = to_fsl_mc_device(priv->net_dev->dev.parent);
+ dpmac_dev = fsl_mc_get_endpoint(dpni_dev);
+- if (IS_ERR_OR_NULL(dpmac_dev) || dpmac_dev->dev.type != &fsl_mc_bus_dpmac_type)
++
++ if (PTR_ERR(dpmac_dev) == -EPROBE_DEFER)
++ return PTR_ERR(dpmac_dev);
++
++ if (IS_ERR(dpmac_dev) || dpmac_dev->dev.type != &fsl_mc_bus_dpmac_type)
+ return 0;
+
+ mac = kzalloc(sizeof(struct dpaa2_mac), GFP_KERNEL);
--- /dev/null
+From stable+bounces-165027-greg=kroah.com@vger.kernel.org Tue Jul 29 06:29:05 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Jul 2025 00:28:51 -0400
+Subject: dpaa2-mac: export MAC counters even when in TYPE_FIXED
+To: stable@vger.kernel.org
+Cc: Ioana Ciornei <ioana.ciornei@nxp.com>, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250729042853.2357022-2-sashal@kernel.org>
+
+From: Ioana Ciornei <ioana.ciornei@nxp.com>
+
+[ Upstream commit d87e606373f641c58d5e8e4c48b3216fd9d1c78a ]
+
+If the network interface object is connected to a MAC of TYPE_FIXED, the
+link status management is handled exclusively by the firmware. This does
+not mean that the driver cannot access the MAC counters and export them
+in ethtool.
+
+For this to happen, we open the attached dpmac device and keep a pointer
+to it in priv->mac. Because of this, all the checks in the driver of the
+following form 'if (priv->mac)' have to be updated to actually check
+the dpmac attribute and not rely on the presence of a non-NULL value.
+
+Signed-off-by: Ioana Ciornei <ioana.ciornei@nxp.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: ee9f3a81ab08 ("dpaa2-eth: Fix device reference count leak in MAC endpoint handling")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 37 +++++++++----------
+ drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.h | 13 ++++++
+ drivers/net/ethernet/freescale/dpaa2/dpaa2-ethtool.c | 16 ++++----
+ drivers/net/ethernet/freescale/dpaa2/dpaa2-mac.c | 26 -------------
+ 4 files changed, 39 insertions(+), 53 deletions(-)
+
+--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
+@@ -1765,7 +1765,7 @@ static int dpaa2_eth_link_state_update(s
+ /* When we manage the MAC/PHY using phylink there is no need
+ * to manually update the netif_carrier.
+ */
+- if (priv->mac)
++ if (dpaa2_eth_is_type_phy(priv))
+ goto out;
+
+ /* Chech link state; speed / duplex changes are not treated yet */
+@@ -1804,7 +1804,7 @@ static int dpaa2_eth_open(struct net_dev
+ priv->dpbp_dev->obj_desc.id, priv->bpid);
+ }
+
+- if (!priv->mac) {
++ if (!dpaa2_eth_is_type_phy(priv)) {
+ /* We'll only start the txqs when the link is actually ready;
+ * make sure we don't race against the link up notification,
+ * which may come immediately after dpni_enable();
+@@ -1826,7 +1826,7 @@ static int dpaa2_eth_open(struct net_dev
+ goto enable_err;
+ }
+
+- if (priv->mac)
++ if (dpaa2_eth_is_type_phy(priv))
+ phylink_start(priv->mac->phylink);
+
+ return 0;
+@@ -1900,11 +1900,11 @@ static int dpaa2_eth_stop(struct net_dev
+ int dpni_enabled = 0;
+ int retries = 10;
+
+- if (!priv->mac) {
++ if (dpaa2_eth_is_type_phy(priv)) {
++ phylink_stop(priv->mac->phylink);
++ } else {
+ netif_tx_stop_all_queues(net_dev);
+ netif_carrier_off(net_dev);
+- } else {
+- phylink_stop(priv->mac->phylink);
+ }
+
+ /* On dpni_disable(), the MC firmware will:
+@@ -2192,7 +2192,7 @@ static int dpaa2_eth_ioctl(struct net_de
+ if (cmd == SIOCSHWTSTAMP)
+ return dpaa2_eth_ts_ioctl(dev, rq, cmd);
+
+- if (priv->mac)
++ if (dpaa2_eth_is_type_phy(priv))
+ return phylink_mii_ioctl(priv->mac->phylink, rq, cmd);
+
+ return -EOPNOTSUPP;
+@@ -4137,9 +4137,6 @@ static int dpaa2_eth_connect_mac(struct
+ if (IS_ERR_OR_NULL(dpmac_dev) || dpmac_dev->dev.type != &fsl_mc_bus_dpmac_type)
+ return 0;
+
+- if (dpaa2_mac_is_type_fixed(dpmac_dev, priv->mc_io))
+- return 0;
+-
+ mac = kzalloc(sizeof(struct dpaa2_mac), GFP_KERNEL);
+ if (!mac)
+ return -ENOMEM;
+@@ -4151,18 +4148,21 @@ static int dpaa2_eth_connect_mac(struct
+ err = dpaa2_mac_open(mac);
+ if (err)
+ goto err_free_mac;
++ priv->mac = mac;
+
+- err = dpaa2_mac_connect(mac);
+- if (err) {
+- netdev_err(priv->net_dev, "Error connecting to the MAC endpoint\n");
+- goto err_close_mac;
++ if (dpaa2_eth_is_type_phy(priv)) {
++ err = dpaa2_mac_connect(mac);
++ if (err) {
++ netdev_err(priv->net_dev, "Error connecting to the MAC endpoint\n");
++ goto err_close_mac;
++ }
+ }
+- priv->mac = mac;
+
+ return 0;
+
+ err_close_mac:
+ dpaa2_mac_close(mac);
++ priv->mac = NULL;
+ err_free_mac:
+ kfree(mac);
+ return err;
+@@ -4170,10 +4170,9 @@ err_free_mac:
+
+ static void dpaa2_eth_disconnect_mac(struct dpaa2_eth_priv *priv)
+ {
+- if (!priv->mac)
+- return;
++ if (dpaa2_eth_is_type_phy(priv))
++ dpaa2_mac_disconnect(priv->mac);
+
+- dpaa2_mac_disconnect(priv->mac);
+ dpaa2_mac_close(priv->mac);
+ kfree(priv->mac);
+ priv->mac = NULL;
+@@ -4203,7 +4202,7 @@ static irqreturn_t dpni_irq0_handler_thr
+ dpaa2_eth_update_tx_fqids(priv);
+
+ rtnl_lock();
+- if (priv->mac)
++ if (dpaa2_eth_has_mac(priv))
+ dpaa2_eth_disconnect_mac(priv);
+ else
+ dpaa2_eth_connect_mac(priv);
+--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.h
++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.h
+@@ -705,6 +705,19 @@ static inline unsigned int dpaa2_eth_rx_
+ return priv->tx_data_offset - DPAA2_ETH_RX_HWA_SIZE;
+ }
+
++static inline bool dpaa2_eth_is_type_phy(struct dpaa2_eth_priv *priv)
++{
++ if (priv->mac && priv->mac->attr.link_type == DPMAC_LINK_TYPE_PHY)
++ return true;
++
++ return false;
++}
++
++static inline bool dpaa2_eth_has_mac(struct dpaa2_eth_priv *priv)
++{
++ return priv->mac ? true : false;
++}
++
+ int dpaa2_eth_set_hash(struct net_device *net_dev, u64 flags);
+ int dpaa2_eth_set_cls(struct net_device *net_dev, u64 key);
+ int dpaa2_eth_cls_key_size(u64 key);
+--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-ethtool.c
++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-ethtool.c
+@@ -85,7 +85,7 @@ static int dpaa2_eth_nway_reset(struct n
+ {
+ struct dpaa2_eth_priv *priv = netdev_priv(net_dev);
+
+- if (priv->mac)
++ if (dpaa2_eth_is_type_phy(priv))
+ return phylink_ethtool_nway_reset(priv->mac->phylink);
+
+ return -EOPNOTSUPP;
+@@ -97,7 +97,7 @@ dpaa2_eth_get_link_ksettings(struct net_
+ {
+ struct dpaa2_eth_priv *priv = netdev_priv(net_dev);
+
+- if (priv->mac)
++ if (dpaa2_eth_is_type_phy(priv))
+ return phylink_ethtool_ksettings_get(priv->mac->phylink,
+ link_settings);
+
+@@ -115,7 +115,7 @@ dpaa2_eth_set_link_ksettings(struct net_
+ {
+ struct dpaa2_eth_priv *priv = netdev_priv(net_dev);
+
+- if (!priv->mac)
++ if (!dpaa2_eth_is_type_phy(priv))
+ return -ENOTSUPP;
+
+ return phylink_ethtool_ksettings_set(priv->mac->phylink, link_settings);
+@@ -127,7 +127,7 @@ static void dpaa2_eth_get_pauseparam(str
+ struct dpaa2_eth_priv *priv = netdev_priv(net_dev);
+ u64 link_options = priv->link_state.options;
+
+- if (priv->mac) {
++ if (dpaa2_eth_is_type_phy(priv)) {
+ phylink_ethtool_get_pauseparam(priv->mac->phylink, pause);
+ return;
+ }
+@@ -150,7 +150,7 @@ static int dpaa2_eth_set_pauseparam(stru
+ return -EOPNOTSUPP;
+ }
+
+- if (priv->mac)
++ if (dpaa2_eth_is_type_phy(priv))
+ return phylink_ethtool_set_pauseparam(priv->mac->phylink,
+ pause);
+ if (pause->autoneg)
+@@ -198,7 +198,7 @@ static void dpaa2_eth_get_strings(struct
+ strlcpy(p, dpaa2_ethtool_extras[i], ETH_GSTRING_LEN);
+ p += ETH_GSTRING_LEN;
+ }
+- if (priv->mac)
++ if (dpaa2_eth_has_mac(priv))
+ dpaa2_mac_get_strings(p);
+ break;
+ }
+@@ -211,7 +211,7 @@ static int dpaa2_eth_get_sset_count(stru
+
+ switch (sset) {
+ case ETH_SS_STATS: /* ethtool_get_stats(), ethtool_get_drvinfo() */
+- if (priv->mac)
++ if (dpaa2_eth_has_mac(priv))
+ num_ss_stats += dpaa2_mac_get_sset_count();
+ return num_ss_stats;
+ default:
+@@ -311,7 +311,7 @@ static void dpaa2_eth_get_ethtool_stats(
+ }
+ *(data + i++) = buf_cnt;
+
+- if (priv->mac)
++ if (dpaa2_eth_has_mac(priv))
+ dpaa2_mac_get_ethtool_stats(priv->mac, data + i);
+ }
+
+--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-mac.c
++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-mac.c
+@@ -228,32 +228,6 @@ static const struct phylink_mac_ops dpaa
+ .mac_link_down = dpaa2_mac_link_down,
+ };
+
+-bool dpaa2_mac_is_type_fixed(struct fsl_mc_device *dpmac_dev,
+- struct fsl_mc_io *mc_io)
+-{
+- struct dpmac_attr attr;
+- bool fixed = false;
+- u16 mc_handle = 0;
+- int err;
+-
+- err = dpmac_open(mc_io, 0, dpmac_dev->obj_desc.id,
+- &mc_handle);
+- if (err || !mc_handle)
+- return false;
+-
+- err = dpmac_get_attributes(mc_io, 0, mc_handle, &attr);
+- if (err)
+- goto out;
+-
+- if (attr.link_type == DPMAC_LINK_TYPE_FIXED)
+- fixed = true;
+-
+-out:
+- dpmac_close(mc_io, 0, mc_handle);
+-
+- return fixed;
+-}
+-
+ static int dpaa2_pcs_create(struct dpaa2_mac *mac,
+ struct device_node *dpmac_node, int id)
+ {
--- /dev/null
+From stable+bounces-165026-greg=kroah.com@vger.kernel.org Tue Jul 29 06:29:04 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Jul 2025 00:28:50 -0400
+Subject: dpaa2-mac: split up initializing the MAC object from connecting to it
+To: stable@vger.kernel.org
+Cc: Ioana Ciornei <ioana.ciornei@nxp.com>, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250729042853.2357022-1-sashal@kernel.org>
+
+From: Ioana Ciornei <ioana.ciornei@nxp.com>
+
+[ Upstream commit 095dca16d92f32150314ef47ea150ed83c5aacd9 ]
+
+Split up the initialization phase of the dpmac object from actually
+configuring the phylink instance, connecting to it and configuring the
+MAC. This is done so that even though the dpni object is connected to a
+dpmac which has link management handled by the firmware we are still
+able to export the MAC counters.
+
+Signed-off-by: Ioana Ciornei <ioana.ciornei@nxp.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: ee9f3a81ab08 ("dpaa2-eth: Fix device reference count leak in MAC endpoint handling")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 14 ++++
+ drivers/net/ethernet/freescale/dpaa2/dpaa2-mac.c | 69 ++++++++++++++---------
+ drivers/net/ethernet/freescale/dpaa2/dpaa2-mac.h | 5 +
+ 3 files changed, 59 insertions(+), 29 deletions(-)
+
+--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
+@@ -4148,15 +4148,24 @@ static int dpaa2_eth_connect_mac(struct
+ mac->mc_io = priv->mc_io;
+ mac->net_dev = priv->net_dev;
+
++ err = dpaa2_mac_open(mac);
++ if (err)
++ goto err_free_mac;
++
+ err = dpaa2_mac_connect(mac);
+ if (err) {
+ netdev_err(priv->net_dev, "Error connecting to the MAC endpoint\n");
+- kfree(mac);
+- return err;
++ goto err_close_mac;
+ }
+ priv->mac = mac;
+
+ return 0;
++
++err_close_mac:
++ dpaa2_mac_close(mac);
++err_free_mac:
++ kfree(mac);
++ return err;
+ }
+
+ static void dpaa2_eth_disconnect_mac(struct dpaa2_eth_priv *priv)
+@@ -4165,6 +4174,7 @@ static void dpaa2_eth_disconnect_mac(str
+ return;
+
+ dpaa2_mac_disconnect(priv->mac);
++ dpaa2_mac_close(priv->mac);
+ kfree(priv->mac);
+ priv->mac = NULL;
+ }
+--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-mac.c
++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-mac.c
+@@ -302,36 +302,20 @@ static void dpaa2_pcs_destroy(struct dpa
+
+ int dpaa2_mac_connect(struct dpaa2_mac *mac)
+ {
+- struct fsl_mc_device *dpmac_dev = mac->mc_dev;
+ struct net_device *net_dev = mac->net_dev;
+ struct device_node *dpmac_node;
+ struct phylink *phylink;
+- struct dpmac_attr attr;
+ int err;
+
+- err = dpmac_open(mac->mc_io, 0, dpmac_dev->obj_desc.id,
+- &dpmac_dev->mc_handle);
+- if (err || !dpmac_dev->mc_handle) {
+- netdev_err(net_dev, "dpmac_open() = %d\n", err);
+- return -ENODEV;
+- }
+-
+- err = dpmac_get_attributes(mac->mc_io, 0, dpmac_dev->mc_handle, &attr);
+- if (err) {
+- netdev_err(net_dev, "dpmac_get_attributes() = %d\n", err);
+- goto err_close_dpmac;
+- }
+-
+- mac->if_link_type = attr.link_type;
++ mac->if_link_type = mac->attr.link_type;
+
+- dpmac_node = dpaa2_mac_get_node(attr.id);
++ dpmac_node = dpaa2_mac_get_node(mac->attr.id);
+ if (!dpmac_node) {
+- netdev_err(net_dev, "No dpmac@%d node found.\n", attr.id);
+- err = -ENODEV;
+- goto err_close_dpmac;
++ netdev_err(net_dev, "No dpmac@%d node found.\n", mac->attr.id);
++ return -ENODEV;
+ }
+
+- err = dpaa2_mac_get_if_mode(dpmac_node, attr);
++ err = dpaa2_mac_get_if_mode(dpmac_node, mac->attr);
+ if (err < 0) {
+ err = -EINVAL;
+ goto err_put_node;
+@@ -351,9 +335,9 @@ int dpaa2_mac_connect(struct dpaa2_mac *
+ goto err_put_node;
+ }
+
+- if (attr.link_type == DPMAC_LINK_TYPE_PHY &&
+- attr.eth_if != DPMAC_ETH_IF_RGMII) {
+- err = dpaa2_pcs_create(mac, dpmac_node, attr.id);
++ if (mac->attr.link_type == DPMAC_LINK_TYPE_PHY &&
++ mac->attr.eth_if != DPMAC_ETH_IF_RGMII) {
++ err = dpaa2_pcs_create(mac, dpmac_node, mac->attr.id);
+ if (err)
+ goto err_put_node;
+ }
+@@ -389,8 +373,7 @@ err_pcs_destroy:
+ dpaa2_pcs_destroy(mac);
+ err_put_node:
+ of_node_put(dpmac_node);
+-err_close_dpmac:
+- dpmac_close(mac->mc_io, 0, dpmac_dev->mc_handle);
++
+ return err;
+ }
+
+@@ -402,8 +385,40 @@ void dpaa2_mac_disconnect(struct dpaa2_m
+ phylink_disconnect_phy(mac->phylink);
+ phylink_destroy(mac->phylink);
+ dpaa2_pcs_destroy(mac);
++}
++
++int dpaa2_mac_open(struct dpaa2_mac *mac)
++{
++ struct fsl_mc_device *dpmac_dev = mac->mc_dev;
++ struct net_device *net_dev = mac->net_dev;
++ int err;
+
+- dpmac_close(mac->mc_io, 0, mac->mc_dev->mc_handle);
++ err = dpmac_open(mac->mc_io, 0, dpmac_dev->obj_desc.id,
++ &dpmac_dev->mc_handle);
++ if (err || !dpmac_dev->mc_handle) {
++ netdev_err(net_dev, "dpmac_open() = %d\n", err);
++ return -ENODEV;
++ }
++
++ err = dpmac_get_attributes(mac->mc_io, 0, dpmac_dev->mc_handle,
++ &mac->attr);
++ if (err) {
++ netdev_err(net_dev, "dpmac_get_attributes() = %d\n", err);
++ goto err_close_dpmac;
++ }
++
++ return 0;
++
++err_close_dpmac:
++ dpmac_close(mac->mc_io, 0, dpmac_dev->mc_handle);
++ return err;
++}
++
++void dpaa2_mac_close(struct dpaa2_mac *mac)
++{
++ struct fsl_mc_device *dpmac_dev = mac->mc_dev;
++
++ dpmac_close(mac->mc_io, 0, dpmac_dev->mc_handle);
+ }
+
+ static char dpaa2_mac_ethtool_stats[][ETH_GSTRING_LEN] = {
+--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-mac.h
++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-mac.h
+@@ -17,6 +17,7 @@ struct dpaa2_mac {
+ struct dpmac_link_state state;
+ struct net_device *net_dev;
+ struct fsl_mc_io *mc_io;
++ struct dpmac_attr attr;
+
+ struct phylink_config phylink_config;
+ struct phylink *phylink;
+@@ -28,6 +29,10 @@ struct dpaa2_mac {
+ bool dpaa2_mac_is_type_fixed(struct fsl_mc_device *dpmac_dev,
+ struct fsl_mc_io *mc_io);
+
++int dpaa2_mac_open(struct dpaa2_mac *mac);
++
++void dpaa2_mac_close(struct dpaa2_mac *mac);
++
+ int dpaa2_mac_connect(struct dpaa2_mac *mac);
+
+ void dpaa2_mac_disconnect(struct dpaa2_mac *mac);
--- /dev/null
+From 3RnuJaA4KBq0VfNNPZNaWNeeRfTbbTYR.PbZTeRTXUYVahkSbhaQNgVba.beT@flex--isaacmanjarres.bounces.google.com Wed Jul 30 03:54:15 2025
+From: "Isaac J. Manjarres" <isaacmanjarres@google.com>
+Date: Tue, 29 Jul 2025 18:53:59 -0700
+Subject: mm: drop the assumption that VM_SHARED always implies writable
+To: lorenzo.stoakes@oracle.com, gregkh@linuxfoundation.org, Alexander Viro <viro@zeniv.linux.org.uk>, Christian Brauner <brauner@kernel.org>, Jan Kara <jack@suse.cz>, Andrew Morton <akpm@linux-foundation.org>, David Hildenbrand <david@redhat.com>, "Liam R. Howlett" <Liam.Howlett@oracle.com>, Vlastimil Babka <vbabka@suse.cz>, Mike Rapoport <rppt@kernel.org>, Suren Baghdasaryan <surenb@google.com>, Michal Hocko <mhocko@suse.com>, Kees Cook <kees@kernel.org>, Ingo Molnar <mingo@redhat.com>, Peter Zijlstra <peterz@infradead.org>, Juri Lelli <juri.lelli@redhat.com>, Vincent Guittot <vincent.guittot@linaro.org>, Dietmar Eggemann <dietmar.eggemann@arm.com>, Steven Rostedt <rostedt@goodmis.org>, Ben Segall <bsegall@google.com>, Mel Gorman <mgorman@suse.de>, Valentin Schneider <vschneid@redhat.com>, "Matthew Wilcox (Oracle)" <willy@infradead.org>, Jann Horn <jannh@google.com>, Pedro Falcato <pfalcato@suse.de>
+Cc: aliceryhl@google.com, stable@vger.kernel.org, "Isaac J. Manjarres" <isaacmanjarres@google.com>, kernel-team@android.com, Lorenzo Stoakes <lstoakes@gmail.com>, Andy Lutomirski <luto@kernel.org>, Hugh Dickins <hughd@google.com>, Mike Kravetz <mike.kravetz@oracle.com>, Muchun Song <muchun.song@linux.dev>, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org
+Message-ID: <20250730015406.32569-2-isaacmanjarres@google.com>
+
+From: Lorenzo Stoakes <lstoakes@gmail.com>
+
+[ Upstream commit e8e17ee90eaf650c855adb0a3e5e965fd6692ff1 ]
+
+Patch series "permit write-sealed memfd read-only shared mappings", v4.
+
+The man page for fcntl() describing memfd file seals states the following
+about F_SEAL_WRITE:-
+
+ Furthermore, trying to create new shared, writable memory-mappings via
+ mmap(2) will also fail with EPERM.
+
+With emphasis on 'writable'. In turns out in fact that currently the
+kernel simply disallows all new shared memory mappings for a memfd with
+F_SEAL_WRITE applied, rendering this documentation inaccurate.
+
+This matters because users are therefore unable to obtain a shared mapping
+to a memfd after write sealing altogether, which limits their usefulness.
+This was reported in the discussion thread [1] originating from a bug
+report [2].
+
+This is a product of both using the struct address_space->i_mmap_writable
+atomic counter to determine whether writing may be permitted, and the
+kernel adjusting this counter when any VM_SHARED mapping is performed and
+more generally implicitly assuming VM_SHARED implies writable.
+
+It seems sensible that we should only update this mapping if VM_MAYWRITE
+is specified, i.e. whether it is possible that this mapping could at any
+point be written to.
+
+If we do so then all we need to do to permit write seals to function as
+documented is to clear VM_MAYWRITE when mapping read-only. It turns out
+this functionality already exists for F_SEAL_FUTURE_WRITE - we can
+therefore simply adapt this logic to do the same for F_SEAL_WRITE.
+
+We then hit a chicken and egg situation in mmap_region() where the check
+for VM_MAYWRITE occurs before we are able to clear this flag. To work
+around this, perform this check after we invoke call_mmap(), with careful
+consideration of error paths.
+
+Thanks to Andy Lutomirski for the suggestion!
+
+[1]:https://lore.kernel.org/all/20230324133646.16101dfa666f253c4715d965@linux-foundation.org/
+[2]:https://bugzilla.kernel.org/show_bug.cgi?id=217238
+
+This patch (of 3):
+
+There is a general assumption that VMAs with the VM_SHARED flag set are
+writable. If the VM_MAYWRITE flag is not set, then this is simply not the
+case.
+
+Update those checks which affect the struct address_space->i_mmap_writable
+field to explicitly test for this by introducing
+[vma_]is_shared_maywrite() helper functions.
+
+This remains entirely conservative, as the lack of VM_MAYWRITE guarantees
+that the VMA cannot be written to.
+
+Link: https://lkml.kernel.org/r/cover.1697116581.git.lstoakes@gmail.com
+Link: https://lkml.kernel.org/r/d978aefefa83ec42d18dfa964ad180dbcde34795.1697116581.git.lstoakes@gmail.com
+Signed-off-by: Lorenzo Stoakes <lstoakes@gmail.com>
+Suggested-by: Andy Lutomirski <luto@kernel.org>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: Christian Brauner <brauner@kernel.org>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Muchun Song <muchun.song@linux.dev>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: stable@vger.kernel.org
+[isaacmanjarres: resolved merge conflicts due to
+due to refactoring that happened in upstream commit
+5de195060b2e ("mm: resolve faulty mmap_region() error path behaviour")]
+Signed-off-by: Isaac J. Manjarres <isaacmanjarres@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/fs.h | 4 ++--
+ include/linux/mm.h | 11 +++++++++++
+ kernel/fork.c | 2 +-
+ mm/filemap.c | 2 +-
+ mm/madvise.c | 2 +-
+ mm/mmap.c | 6 +++---
+ 6 files changed, 19 insertions(+), 8 deletions(-)
+
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -436,7 +436,7 @@ int pagecache_write_end(struct file *, s
+ * @host: Owner, either the inode or the block_device.
+ * @i_pages: Cached pages.
+ * @gfp_mask: Memory allocation flags to use for allocating pages.
+- * @i_mmap_writable: Number of VM_SHARED mappings.
++ * @i_mmap_writable: Number of VM_SHARED, VM_MAYWRITE mappings.
+ * @nr_thps: Number of THPs in the pagecache (non-shmem only).
+ * @i_mmap: Tree of private and shared mappings.
+ * @i_mmap_rwsem: Protects @i_mmap and @i_mmap_writable.
+@@ -535,7 +535,7 @@ static inline int mapping_mapped(struct
+
+ /*
+ * Might pages of this file have been modified in userspace?
+- * Note that i_mmap_writable counts all VM_SHARED vmas: do_mmap
++ * Note that i_mmap_writable counts all VM_SHARED, VM_MAYWRITE vmas: do_mmap
+ * marks vma as VM_SHARED if it is shared, and the file was opened for
+ * writing i.e. vma may be mprotected writable even if now readonly.
+ *
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -666,6 +666,17 @@ static inline bool vma_is_accessible(str
+ return vma->vm_flags & VM_ACCESS_FLAGS;
+ }
+
++static inline bool is_shared_maywrite(vm_flags_t vm_flags)
++{
++ return (vm_flags & (VM_SHARED | VM_MAYWRITE)) ==
++ (VM_SHARED | VM_MAYWRITE);
++}
++
++static inline bool vma_is_shared_maywrite(struct vm_area_struct *vma)
++{
++ return is_shared_maywrite(vma->vm_flags);
++}
++
+ #ifdef CONFIG_SHMEM
+ /*
+ * The vma_is_shmem is not inline because it is used only by slow
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -561,7 +561,7 @@ static __latent_entropy int dup_mmap(str
+ if (tmp->vm_flags & VM_DENYWRITE)
+ put_write_access(inode);
+ i_mmap_lock_write(mapping);
+- if (tmp->vm_flags & VM_SHARED)
++ if (vma_is_shared_maywrite(tmp))
+ mapping_allow_writable(mapping);
+ flush_dcache_mmap_lock(mapping);
+ /* insert tmp into the share list, just after mpnt */
+--- a/mm/filemap.c
++++ b/mm/filemap.c
+@@ -2959,7 +2959,7 @@ int generic_file_mmap(struct file * file
+ */
+ int generic_file_readonly_mmap(struct file *file, struct vm_area_struct *vma)
+ {
+- if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_MAYWRITE))
++ if (vma_is_shared_maywrite(vma))
+ return -EINVAL;
+ return generic_file_mmap(file, vma);
+ }
+--- a/mm/madvise.c
++++ b/mm/madvise.c
+@@ -848,7 +848,7 @@ static long madvise_remove(struct vm_are
+ return -EINVAL;
+ }
+
+- if ((vma->vm_flags & (VM_SHARED|VM_WRITE)) != (VM_SHARED|VM_WRITE))
++ if (!vma_is_shared_maywrite(vma))
+ return -EACCES;
+
+ offset = (loff_t)(start - vma->vm_start)
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -144,7 +144,7 @@ static void __remove_shared_vm_struct(st
+ {
+ if (vma->vm_flags & VM_DENYWRITE)
+ allow_write_access(file);
+- if (vma->vm_flags & VM_SHARED)
++ if (vma_is_shared_maywrite(vma))
+ mapping_unmap_writable(mapping);
+
+ flush_dcache_mmap_lock(mapping);
+@@ -663,7 +663,7 @@ static void __vma_link_file(struct vm_ar
+
+ if (vma->vm_flags & VM_DENYWRITE)
+ put_write_access(file_inode(file));
+- if (vma->vm_flags & VM_SHARED)
++ if (vma_is_shared_maywrite(vma))
+ mapping_allow_writable(mapping);
+
+ flush_dcache_mmap_lock(mapping);
+@@ -2942,7 +2942,7 @@ unsigned long mmap_region(struct file *f
+ return -EINVAL;
+
+ /* Map writable and ensure this isn't a sealed memfd. */
+- if (file && (vm_flags & VM_SHARED)) {
++ if (file && is_shared_maywrite(vm_flags)) {
+ int error = mapping_map_writable(file->f_mapping);
+
+ if (error)
--- /dev/null
+From 3TXuJaA4KBrQcmUUWgUhdUllYmaiiafY.WigalYaebfchorZiohXUncih.ila@flex--isaacmanjarres.bounces.google.com Wed Jul 30 03:54:21 2025
+From: "Isaac J. Manjarres" <isaacmanjarres@google.com>
+Date: Tue, 29 Jul 2025 18:54:01 -0700
+Subject: mm: reinstate ability to map write-sealed memfd mappings read-only
+To: lorenzo.stoakes@oracle.com, gregkh@linuxfoundation.org, Hugh Dickins <hughd@google.com>, Baolin Wang <baolin.wang@linux.alibaba.com>, Andrew Morton <akpm@linux-foundation.org>, David Hildenbrand <david@redhat.com>, "Liam R. Howlett" <Liam.Howlett@oracle.com>, Vlastimil Babka <vbabka@suse.cz>, Mike Rapoport <rppt@kernel.org>, Suren Baghdasaryan <surenb@google.com>, Michal Hocko <mhocko@suse.com>, Jann Horn <jannh@google.com>, Pedro Falcato <pfalcato@suse.de>
+Cc: aliceryhl@google.com, stable@vger.kernel.org, "Isaac J. Manjarres" <isaacmanjarres@google.com>, kernel-team@android.com, Julian Orth <ju.orth@gmail.com>, "Liam R. Howlett" <Liam.Howlett@Oracle.com>, Linus Torvalds <torvalds@linux-foundation.org>, Shuah Khan <shuah@kernel.org>, linux-mm@kvack.org, linux-kernel@vger.kernel.org
+Message-ID: <20250730015406.32569-4-isaacmanjarres@google.com>
+
+From: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
+
+[ Upstream commit 8ec396d05d1b737c87311fb7311f753b02c2a6b1 ]
+
+Patch series "mm: reinstate ability to map write-sealed memfd mappings
+read-only".
+
+In commit 158978945f31 ("mm: perform the mapping_map_writable() check
+after call_mmap()") (and preceding changes in the same series) it became
+possible to mmap() F_SEAL_WRITE sealed memfd mappings read-only.
+
+Commit 5de195060b2e ("mm: resolve faulty mmap_region() error path
+behaviour") unintentionally undid this logic by moving the
+mapping_map_writable() check before the shmem_mmap() hook is invoked,
+thereby regressing this change.
+
+This series reworks how we both permit write-sealed mappings being mapped
+read-only and disallow mprotect() from undoing the write-seal, fixing this
+regression.
+
+We also add a regression test to ensure that we do not accidentally
+regress this in future.
+
+Thanks to Julian Orth for reporting this regression.
+
+This patch (of 2):
+
+In commit 158978945f31 ("mm: perform the mapping_map_writable() check
+after call_mmap()") (and preceding changes in the same series) it became
+possible to mmap() F_SEAL_WRITE sealed memfd mappings read-only.
+
+This was previously unnecessarily disallowed, despite the man page
+documentation indicating that it would be, thereby limiting the usefulness
+of F_SEAL_WRITE logic.
+
+We fixed this by adapting logic that existed for the F_SEAL_FUTURE_WRITE
+seal (one which disallows future writes to the memfd) to also be used for
+F_SEAL_WRITE.
+
+For background - the F_SEAL_FUTURE_WRITE seal clears VM_MAYWRITE for a
+read-only mapping to disallow mprotect() from overriding the seal - an
+operation performed by seal_check_write(), invoked from shmem_mmap(), the
+f_op->mmap() hook used by shmem mappings.
+
+By extending this to F_SEAL_WRITE and critically - checking
+mapping_map_writable() to determine if we may map the memfd AFTER we
+invoke shmem_mmap() - the desired logic becomes possible. This is because
+mapping_map_writable() explicitly checks for VM_MAYWRITE, which we will
+have cleared.
+
+Commit 5de195060b2e ("mm: resolve faulty mmap_region() error path
+behaviour") unintentionally undid this logic by moving the
+mapping_map_writable() check before the shmem_mmap() hook is invoked,
+thereby regressing this change.
+
+We reinstate this functionality by moving the check out of shmem_mmap()
+and instead performing it in do_mmap() at the point at which VMA flags are
+being determined, which seems in any case to be a more appropriate place
+in which to make this determination.
+
+In order to achieve this we rework memfd seal logic to allow us access to
+this information using existing logic and eliminate the clearing of
+VM_MAYWRITE from seal_check_write() which we are performing in do_mmap()
+instead.
+
+Link: https://lkml.kernel.org/r/99fc35d2c62bd2e05571cf60d9f8b843c56069e0.1732804776.git.lorenzo.stoakes@oracle.com
+Fixes: 5de195060b2e ("mm: resolve faulty mmap_region() error path behaviour")
+Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
+Reported-by: Julian Orth <ju.orth@gmail.com>
+Closes: https://lore.kernel.org/all/CAHijbEUMhvJTN9Xw1GmbM266FXXv=U7s4L_Jem5x3AaPZxrYpQ@mail.gmail.com/
+Cc: Jann Horn <jannh@google.com>
+Cc: Liam R. Howlett <Liam.Howlett@Oracle.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Isaac J. Manjarres <isaacmanjarres@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/memfd.h | 14 ++++++++++++
+ include/linux/mm.h | 58 ++++++++++++++++++++++++++++++++++----------------
+ mm/memfd.c | 2 -
+ mm/mmap.c | 4 +++
+ 4 files changed, 59 insertions(+), 19 deletions(-)
+
+--- a/include/linux/memfd.h
++++ b/include/linux/memfd.h
+@@ -6,11 +6,25 @@
+
+ #ifdef CONFIG_MEMFD_CREATE
+ extern long memfd_fcntl(struct file *file, unsigned int cmd, unsigned long arg);
++unsigned int *memfd_file_seals_ptr(struct file *file);
+ #else
+ static inline long memfd_fcntl(struct file *f, unsigned int c, unsigned long a)
+ {
+ return -EINVAL;
+ }
++
++static inline unsigned int *memfd_file_seals_ptr(struct file *file)
++{
++ return NULL;
++}
+ #endif
+
++/* Retrieve memfd seals associated with the file, if any. */
++static inline unsigned int memfd_file_seals(struct file *file)
++{
++ unsigned int *sealsp = memfd_file_seals_ptr(file);
++
++ return sealsp ? *sealsp : 0;
++}
++
+ #endif /* __LINUX_MEMFD_H */
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -3200,6 +3200,37 @@ unsigned long wp_shared_mapping_range(st
+
+ extern int sysctl_nr_trim_pages;
+
++static inline bool is_write_sealed(int seals)
++{
++ return seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE);
++}
++
++/**
++ * is_readonly_sealed - Checks whether write-sealed but mapped read-only,
++ * in which case writes should be disallowing moving
++ * forwards.
++ * @seals: the seals to check
++ * @vm_flags: the VMA flags to check
++ *
++ * Returns whether readonly sealed, in which case writess should be disallowed
++ * going forward.
++ */
++static inline bool is_readonly_sealed(int seals, vm_flags_t vm_flags)
++{
++ /*
++ * Since an F_SEAL_[FUTURE_]WRITE sealed memfd can be mapped as
++ * MAP_SHARED and read-only, take care to not allow mprotect to
++ * revert protections on such mappings. Do this only for shared
++ * mappings. For private mappings, don't need to mask
++ * VM_MAYWRITE as we still want them to be COW-writable.
++ */
++ if (is_write_sealed(seals) &&
++ ((vm_flags & (VM_SHARED | VM_WRITE)) == VM_SHARED))
++ return true;
++
++ return false;
++}
++
+ /**
+ * seal_check_write - Check for F_SEAL_WRITE or F_SEAL_FUTURE_WRITE flags and
+ * handle them.
+@@ -3211,24 +3242,15 @@ extern int sysctl_nr_trim_pages;
+ */
+ static inline int seal_check_write(int seals, struct vm_area_struct *vma)
+ {
+- if (seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) {
+- /*
+- * New PROT_WRITE and MAP_SHARED mmaps are not allowed when
+- * write seals are active.
+- */
+- if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE))
+- return -EPERM;
+-
+- /*
+- * Since an F_SEAL_[FUTURE_]WRITE sealed memfd can be mapped as
+- * MAP_SHARED and read-only, take care to not allow mprotect to
+- * revert protections on such mappings. Do this only for shared
+- * mappings. For private mappings, don't need to mask
+- * VM_MAYWRITE as we still want them to be COW-writable.
+- */
+- if (vma->vm_flags & VM_SHARED)
+- vma->vm_flags &= ~(VM_MAYWRITE);
+- }
++ if (!is_write_sealed(seals))
++ return 0;
++
++ /*
++ * New PROT_WRITE and MAP_SHARED mmaps are not allowed when
++ * write seals are active.
++ */
++ if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE))
++ return -EPERM;
+
+ return 0;
+ }
+--- a/mm/memfd.c
++++ b/mm/memfd.c
+@@ -133,7 +133,7 @@ static int memfd_wait_for_pins(struct ad
+ return error;
+ }
+
+-static unsigned int *memfd_file_seals_ptr(struct file *file)
++unsigned int *memfd_file_seals_ptr(struct file *file)
+ {
+ if (shmem_file(file))
+ return &SHMEM_I(file_inode(file))->seals;
+--- a/mm/mmap.c
++++ b/mm/mmap.c
+@@ -47,6 +47,7 @@
+ #include <linux/pkeys.h>
+ #include <linux/oom.h>
+ #include <linux/sched/mm.h>
++#include <linux/memfd.h>
+
+ #include <linux/uaccess.h>
+ #include <asm/cacheflush.h>
+@@ -1488,6 +1489,7 @@ unsigned long do_mmap(struct file *file,
+
+ if (file) {
+ struct inode *inode = file_inode(file);
++ unsigned int seals = memfd_file_seals(file);
+ unsigned long flags_mask;
+
+ if (!file_mmap_ok(file, inode, pgoff, len))
+@@ -1532,6 +1534,8 @@ unsigned long do_mmap(struct file *file,
+ vm_flags |= VM_SHARED | VM_MAYSHARE;
+ if (!(file->f_mode & FMODE_WRITE))
+ vm_flags &= ~(VM_MAYWRITE | VM_SHARED);
++ else if (is_readonly_sealed(seals, vm_flags))
++ vm_flags &= ~VM_MAYWRITE;
+ fallthrough;
+ case MAP_PRIVATE:
+ if (!(file->f_mode & FMODE_READ))
--- /dev/null
+From 3SXuJaA4KBrAYiQQScQdZQhhUiWeeWbU.SecWhUWaXbYdknVekdTQjYed.ehW@flex--isaacmanjarres.bounces.google.com Wed Jul 30 03:54:18 2025
+From: "Isaac J. Manjarres" <isaacmanjarres@google.com>
+Date: Tue, 29 Jul 2025 18:54:00 -0700
+Subject: mm: update memfd seal write check to include F_SEAL_WRITE
+To: lorenzo.stoakes@oracle.com, gregkh@linuxfoundation.org, Muchun Song <muchun.song@linux.dev>, Oscar Salvador <osalvador@suse.de>, David Hildenbrand <david@redhat.com>, Andrew Morton <akpm@linux-foundation.org>, "Liam R. Howlett" <Liam.Howlett@oracle.com>, Vlastimil Babka <vbabka@suse.cz>, Mike Rapoport <rppt@kernel.org>, Suren Baghdasaryan <surenb@google.com>, Michal Hocko <mhocko@suse.com>, Hugh Dickins <hughd@google.com>, Baolin Wang <baolin.wang@linux.alibaba.com>
+Cc: aliceryhl@google.com, stable@vger.kernel.org, "Isaac J. Manjarres" <isaacmanjarres@google.com>, kernel-team@android.com, Lorenzo Stoakes <lstoakes@gmail.com>, Jan Kara <jack@suse.cz>, Alexander Viro <viro@zeniv.linux.org.uk>, Andy Lutomirski <luto@kernel.org>, Christian Brauner <brauner@kernel.org>, "Matthew Wilcox (Oracle)" <willy@infradead.org>, Mike Kravetz <mike.kravetz@oracle.com>, linux-mm@kvack.org, linux-kernel@vger.kernel.org
+Message-ID: <20250730015406.32569-3-isaacmanjarres@google.com>
+
+From: Lorenzo Stoakes <lstoakes@gmail.com>
+
+[ Upstream commit 28464bbb2ddc199433383994bcb9600c8034afa1 ]
+
+The seal_check_future_write() function is called by shmem_mmap() or
+hugetlbfs_file_mmap() to disallow any future writable mappings of an memfd
+sealed this way.
+
+The F_SEAL_WRITE flag is not checked here, as that is handled via the
+mapping->i_mmap_writable mechanism and so any attempt at a mapping would
+fail before this could be run.
+
+However we intend to change this, meaning this check can be performed for
+F_SEAL_WRITE mappings also.
+
+The logic here is equally applicable to both flags, so update this
+function to accommodate both and rename it accordingly.
+
+Link: https://lkml.kernel.org/r/913628168ce6cce77df7d13a63970bae06a526e0.1697116581.git.lstoakes@gmail.com
+Signed-off-by: Lorenzo Stoakes <lstoakes@gmail.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Christian Brauner <brauner@kernel.org>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Muchun Song <muchun.song@linux.dev>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Isaac J. Manjarres <isaacmanjarres@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/hugetlbfs/inode.c | 2 +-
+ include/linux/mm.h | 15 ++++++++-------
+ mm/shmem.c | 2 +-
+ 3 files changed, 10 insertions(+), 9 deletions(-)
+
+--- a/fs/hugetlbfs/inode.c
++++ b/fs/hugetlbfs/inode.c
+@@ -148,7 +148,7 @@ static int hugetlbfs_file_mmap(struct fi
+ vma->vm_flags |= VM_HUGETLB | VM_DONTEXPAND;
+ vma->vm_ops = &hugetlb_vm_ops;
+
+- ret = seal_check_future_write(info->seals, vma);
++ ret = seal_check_write(info->seals, vma);
+ if (ret)
+ return ret;
+
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -3201,25 +3201,26 @@ unsigned long wp_shared_mapping_range(st
+ extern int sysctl_nr_trim_pages;
+
+ /**
+- * seal_check_future_write - Check for F_SEAL_FUTURE_WRITE flag and handle it
++ * seal_check_write - Check for F_SEAL_WRITE or F_SEAL_FUTURE_WRITE flags and
++ * handle them.
+ * @seals: the seals to check
+ * @vma: the vma to operate on
+ *
+- * Check whether F_SEAL_FUTURE_WRITE is set; if so, do proper check/handling on
+- * the vma flags. Return 0 if check pass, or <0 for errors.
++ * Check whether F_SEAL_WRITE or F_SEAL_FUTURE_WRITE are set; if so, do proper
++ * check/handling on the vma flags. Return 0 if check pass, or <0 for errors.
+ */
+-static inline int seal_check_future_write(int seals, struct vm_area_struct *vma)
++static inline int seal_check_write(int seals, struct vm_area_struct *vma)
+ {
+- if (seals & F_SEAL_FUTURE_WRITE) {
++ if (seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) {
+ /*
+ * New PROT_WRITE and MAP_SHARED mmaps are not allowed when
+- * "future write" seal active.
++ * write seals are active.
+ */
+ if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE))
+ return -EPERM;
+
+ /*
+- * Since an F_SEAL_FUTURE_WRITE sealed memfd can be mapped as
++ * Since an F_SEAL_[FUTURE_]WRITE sealed memfd can be mapped as
+ * MAP_SHARED and read-only, take care to not allow mprotect to
+ * revert protections on such mappings. Do this only for shared
+ * mappings. For private mappings, don't need to mask
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -2263,7 +2263,7 @@ static int shmem_mmap(struct file *file,
+ struct shmem_inode_info *info = SHMEM_I(file_inode(file));
+ int ret;
+
+- ret = seal_check_future_write(info->seals, vma);
++ ret = seal_check_write(info->seals, vma);
+ if (ret)
+ return ret;
+
--- /dev/null
+From 4225fea1cb28370086e17e82c0f69bec2779dca0 Mon Sep 17 00:00:00 2001
+From: Yang Yingliang <yangyingliang@huawei.com>
+Date: Wed, 20 Oct 2021 16:18:34 +0800
+Subject: ptp: Fix possible memory leak in ptp_clock_register()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+commit 4225fea1cb28370086e17e82c0f69bec2779dca0 upstream.
+
+I got memory leak as follows when doing fault injection test:
+
+unreferenced object 0xffff88800906c618 (size 8):
+ comm "i2c-idt82p33931", pid 4421, jiffies 4294948083 (age 13.188s)
+ hex dump (first 8 bytes):
+ 70 74 70 30 00 00 00 00 ptp0....
+ backtrace:
+ [<00000000312ed458>] __kmalloc_track_caller+0x19f/0x3a0
+ [<0000000079f6e2ff>] kvasprintf+0xb5/0x150
+ [<0000000026aae54f>] kvasprintf_const+0x60/0x190
+ [<00000000f323a5f7>] kobject_set_name_vargs+0x56/0x150
+ [<000000004e35abdd>] dev_set_name+0xc0/0x100
+ [<00000000f20cfe25>] ptp_clock_register+0x9f4/0xd30 [ptp]
+ [<000000008bb9f0de>] idt82p33_probe.cold+0x8b6/0x1561 [ptp_idt82p33]
+
+When posix_clock_register() returns an error, the name allocated
+in dev_set_name() will be leaked, the put_device() should be used
+to give up the device reference, then the name will be freed in
+kobject_cleanup() and other memory will be freed in ptp_clock_release().
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Fixes: a33121e5487b ("ptp: fix the race between the release of ptp_clock and cdev")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[ Shivani: Modified to apply on 5.10.y, Removed kfree(ptp->vclock_index) in
+ the ptach, since vclock_index is introduced in later versions ]
+Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ptp/ptp_clock.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/drivers/ptp/ptp_clock.c
++++ b/drivers/ptp/ptp_clock.c
+@@ -283,15 +283,20 @@ struct ptp_clock *ptp_clock_register(str
+ /* Create a posix clock and link it to the device. */
+ err = posix_clock_register(&ptp->clock, &ptp->dev);
+ if (err) {
++ if (ptp->pps_source)
++ pps_unregister_source(ptp->pps_source);
++
++ if (ptp->kworker)
++ kthread_destroy_worker(ptp->kworker);
++
++ put_device(&ptp->dev);
++
+ pr_err("failed to create posix clock\n");
+- goto no_clock;
++ return ERR_PTR(err);
+ }
+
+ return ptp;
+
+-no_clock:
+- if (ptp->pps_source)
+- pps_unregister_source(ptp->pps_source);
+ no_pps:
+ ptp_cleanup_pin_groups(ptp);
+ no_pin_groups:
--- /dev/null
+From 3T3uJaA4KBrYeoWWYiWjfWnnaockkcha.YkicnacgdhejqtbkqjZWpekj.knc@flex--isaacmanjarres.bounces.google.com Wed Jul 30 03:54:24 2025
+From: "Isaac J. Manjarres" <isaacmanjarres@google.com>
+Date: Tue, 29 Jul 2025 18:54:02 -0700
+Subject: selftests/memfd: add test for mapping write-sealed memfd read-only
+To: lorenzo.stoakes@oracle.com, gregkh@linuxfoundation.org, Shuah Khan <shuah@kernel.org>
+Cc: aliceryhl@google.com, surenb@google.com, stable@vger.kernel.org, "Isaac J. Manjarres" <isaacmanjarres@google.com>, kernel-team@android.com, Jann Horn <jannh@google.com>, Julian Orth <ju.orth@gmail.com>, "Liam R. Howlett" <Liam.Howlett@Oracle.com>, Linus Torvalds <torvalds@linux-foundation.org>, Vlastimil Babka <vbabka@suse.cz>, Andrew Morton <akpm@linux-foundation.org>, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org
+Message-ID: <20250730015406.32569-5-isaacmanjarres@google.com>
+
+From: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
+
+[ Upstream commit ea0916e01d0b0f2cce1369ac1494239a79827270 ]
+
+Now we have reinstated the ability to map F_SEAL_WRITE mappings read-only,
+assert that we are able to do this in a test to ensure that we do not
+regress this again.
+
+Link: https://lkml.kernel.org/r/a6377ec470b14c0539b4600cf8fa24bf2e4858ae.1732804776.git.lorenzo.stoakes@oracle.com
+Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
+Cc: Jann Horn <jannh@google.com>
+Cc: Julian Orth <ju.orth@gmail.com>
+Cc: Liam R. Howlett <Liam.Howlett@Oracle.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Isaac J. Manjarres <isaacmanjarres@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/memfd/memfd_test.c | 43 +++++++++++++++++++++++++++++
+ 1 file changed, 43 insertions(+)
+
+--- a/tools/testing/selftests/memfd/memfd_test.c
++++ b/tools/testing/selftests/memfd/memfd_test.c
+@@ -186,6 +186,24 @@ static void *mfd_assert_mmap_shared(int
+ return p;
+ }
+
++static void *mfd_assert_mmap_read_shared(int fd)
++{
++ void *p;
++
++ p = mmap(NULL,
++ mfd_def_size,
++ PROT_READ,
++ MAP_SHARED,
++ fd,
++ 0);
++ if (p == MAP_FAILED) {
++ printf("mmap() failed: %m\n");
++ abort();
++ }
++
++ return p;
++}
++
+ static void *mfd_assert_mmap_private(int fd)
+ {
+ void *p;
+@@ -802,6 +820,30 @@ static void test_seal_future_write(void)
+ close(fd);
+ }
+
++static void test_seal_write_map_read_shared(void)
++{
++ int fd;
++ void *p;
++
++ printf("%s SEAL-WRITE-MAP-READ\n", memfd_str);
++
++ fd = mfd_assert_new("kern_memfd_seal_write_map_read",
++ mfd_def_size,
++ MFD_CLOEXEC | MFD_ALLOW_SEALING);
++
++ mfd_assert_add_seals(fd, F_SEAL_WRITE);
++ mfd_assert_has_seals(fd, F_SEAL_WRITE);
++
++ p = mfd_assert_mmap_read_shared(fd);
++
++ mfd_assert_read(fd);
++ mfd_assert_read_shared(fd);
++ mfd_fail_write(fd);
++
++ munmap(p, mfd_def_size);
++ close(fd);
++}
++
+ /*
+ * Test SEAL_SHRINK
+ * Test whether SEAL_SHRINK actually prevents shrinking
+@@ -1056,6 +1098,7 @@ int main(int argc, char **argv)
+
+ test_seal_write();
+ test_seal_future_write();
++ test_seal_write_map_read_shared();
+ test_seal_shrink();
+ test_seal_grow();
+ test_seal_resize();
usb-cdc-acm-do-not-log-successful-probe-on-later-errors.patch
cdc-acm-fix-race-between-initial-clearing-halt-and-open.patch
comedi-fail-comedi_insnlist-ioctl-if-n_insns-is-too-large.patch
+ptp-fix-possible-memory-leak-in-ptp_clock_register.patch
+block-don-t-call-rq_qos_ops-done_bio-if-the-bio-isn-t-tracked.patch
+btrfs-fix-deadlock-when-cloning-inline-extents-and-using-qgroups.patch
+arm-9448-1-use-an-absolute-path-to-unified.h-in-kbuild_aflags.patch
+dpaa2-mac-split-up-initializing-the-mac-object-from-connecting-to-it.patch
+dpaa2-mac-export-mac-counters-even-when-in-type_fixed.patch
+dpaa2-eth-retry-the-probe-when-the-mac-is-not-yet-discovered-on-the-bus.patch
+dpaa2-eth-fix-device-reference-count-leak-in-mac-endpoint-handling.patch
+mm-drop-the-assumption-that-vm_shared-always-implies-writable.patch
+mm-update-memfd-seal-write-check-to-include-f_seal_write.patch
+mm-reinstate-ability-to-map-write-sealed-memfd-mappings-read-only.patch
+selftests-memfd-add-test-for-mapping-write-sealed-memfd-read-only.patch
+dma-buf-insert-memory-barrier-before-updating-num_fences.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
