--- /dev/null
+From 03bcbbb3995ba5df43af9aba45334e35f2dfe27b Mon Sep 17 00:00:00 2001
+From: Thomas Zimmermann <tzimmermann@suse.de>
+Date: Tue, 20 May 2025 09:14:00 +0200
+Subject: dummycon: Trigger redraw when switching consoles with deferred takeover
+
+From: Thomas Zimmermann <tzimmermann@suse.de>
+
+commit 03bcbbb3995ba5df43af9aba45334e35f2dfe27b upstream.
+
+Signal vt subsystem to redraw console when switching to dummycon
+with deferred takeover enabled. Makes the console switch to fbcon
+and displays the available output.
+
+With deferred takeover enabled, dummycon acts as the placeholder
+until the first output to the console happens. At that point, fbcon
+takes over. If the output happens while dummycon is not active, it
+cannot inform fbcon. This is the case if the vt subsystem runs in
+graphics mode.
+
+A typical graphical boot starts plymouth, a display manager and a
+compositor; all while leaving out dummycon. Switching to a text-mode
+console leaves the console with dummycon even if a getty terminal
+has been started.
+
+Returning true from dummycon's con_switch helper signals the vt
+subsystem to redraw the screen. If there's output available dummycon's
+con_putc{s} helpers trigger deferred takeover of fbcon, which sets a
+display mode and displays the output. If no output is available,
+dummycon remains active.
+
+v2:
+- make the comment slightly more verbose (Javier)
+
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Reported-by: Andrei Borzenkov <arvidjaar@gmail.com>
+Closes: https://bugzilla.suse.com/show_bug.cgi?id=1242191
+Tested-by: Andrei Borzenkov <arvidjaar@gmail.com>
+Acked-by: Javier Martinez Canillas <javierm@redhat.com>
+Fixes: 83d83bebf401 ("console/fbcon: Add support for deferred console takeover")
+Cc: Hans de Goede <hdegoede@redhat.com>
+Cc: linux-fbdev@vger.kernel.org
+Cc: dri-devel@lists.freedesktop.org
+Cc: <stable@vger.kernel.org> # v4.19+
+Link: https://lore.kernel.org/r/20250520071418.8462-1-tzimmermann@suse.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/console/dummycon.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+--- a/drivers/video/console/dummycon.c
++++ b/drivers/video/console/dummycon.c
+@@ -85,6 +85,15 @@ static bool dummycon_blank(struct vc_dat
+ /* Redraw, so that we get putc(s) for output done while blanked */
+ return true;
+ }
++
++static bool dummycon_switch(struct vc_data *vc)
++{
++ /*
++ * Redraw, so that we get putc(s) for output done while switched
++ * away. Informs deferred consoles to take over the display.
++ */
++ return true;
++}
+ #else
+ static void dummycon_putc(struct vc_data *vc, u16 c, unsigned int y,
+ unsigned int x) { }
+@@ -95,6 +104,10 @@ static bool dummycon_blank(struct vc_dat
+ {
+ return false;
+ }
++static bool dummycon_switch(struct vc_data *vc)
++{
++ return false;
++}
+ #endif
+
+ static const char *dummycon_startup(void)
+@@ -123,11 +136,6 @@ static bool dummycon_scroll(struct vc_da
+ {
+ return false;
+ }
+-
+-static bool dummycon_switch(struct vc_data *vc)
+-{
+- return false;
+-}
+
+ /*
+ * The console `switch' structure for the dummy console
--- /dev/null
+From c553aa1b03719400a30d9387477190d4743fc1de Mon Sep 17 00:00:00 2001
+From: David Lechner <dlechner@baylibre.com>
+Date: Tue, 22 Apr 2025 15:12:27 -0500
+Subject: iio: adc: ad7173: fix compiling without gpiolib
+
+From: David Lechner <dlechner@baylibre.com>
+
+commit c553aa1b03719400a30d9387477190d4743fc1de upstream.
+
+Fix compiling the ad7173 driver when CONFIG_GPIOLIB is not set by
+selecting GPIOLIB to be always enabled and remove the #if.
+
+Commit 031bdc8aee01 ("iio: adc: ad7173: add calibration support") placed
+unrelated code in the middle of the #if IS_ENABLED(CONFIG_GPIOLIB) block
+which caused the reported compile error.
+
+However, later commit 7530ed2aaa3f ("iio: adc: ad7173: add openwire
+detection support for single conversions") makes use of the gpio regmap
+even when we aren't providing gpio controller support. So it makes more
+sense to always enable GPIOLIB rather than trying to make it optional.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202504220824.HVrTVov1-lkp@intel.com/
+Fixes: 031bdc8aee01 ("iio: adc: ad7173: add calibration support")
+Signed-off-by: David Lechner <dlechner@baylibre.com>
+Link: https://patch.msgid.link/20250422-iio-adc-ad7173-fix-compile-without-gpiolib-v1-1-295f2c990754@baylibre.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/Kconfig | 5 +++--
+ drivers/iio/adc/ad7173.c | 15 +--------------
+ 2 files changed, 4 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/iio/adc/Kconfig b/drivers/iio/adc/Kconfig
+index 6529df1a498c..ba746754a816 100644
+--- a/drivers/iio/adc/Kconfig
++++ b/drivers/iio/adc/Kconfig
+@@ -129,8 +129,9 @@ config AD7173
+ tristate "Analog Devices AD7173 driver"
+ depends on SPI_MASTER
+ select AD_SIGMA_DELTA
+- select GPIO_REGMAP if GPIOLIB
+- select REGMAP_SPI if GPIOLIB
++ select GPIOLIB
++ select GPIO_REGMAP
++ select REGMAP_SPI
+ help
+ Say yes here to build support for Analog Devices AD7173 and similar ADC
+ Currently supported models:
+diff --git a/drivers/iio/adc/ad7173.c b/drivers/iio/adc/ad7173.c
+index 69de5886474c..b3e6bd2a55d7 100644
+--- a/drivers/iio/adc/ad7173.c
++++ b/drivers/iio/adc/ad7173.c
+@@ -230,10 +230,8 @@ struct ad7173_state {
+ unsigned long long *config_cnts;
+ struct clk *ext_clk;
+ struct clk_hw int_clk_hw;
+-#if IS_ENABLED(CONFIG_GPIOLIB)
+ struct regmap *reg_gpiocon_regmap;
+ struct gpio_regmap *gpio_regmap;
+-#endif
+ };
+
+ static unsigned int ad4115_sinc5_data_rates[] = {
+@@ -288,8 +286,6 @@ static const char *const ad7173_clk_sel[] = {
+ "ext-clk", "xtal"
+ };
+
+-#if IS_ENABLED(CONFIG_GPIOLIB)
+-
+ static const struct regmap_range ad7173_range_gpio[] = {
+ regmap_reg_range(AD7173_REG_GPIO, AD7173_REG_GPIO),
+ };
+@@ -543,12 +539,6 @@ static int ad7173_gpio_init(struct ad7173_state *st)
+
+ return 0;
+ }
+-#else
+-static int ad7173_gpio_init(struct ad7173_state *st)
+-{
+- return 0;
+-}
+-#endif /* CONFIG_GPIOLIB */
+
+ static struct ad7173_state *ad_sigma_delta_to_ad7173(struct ad_sigma_delta *sd)
+ {
+@@ -1797,10 +1787,7 @@ static int ad7173_probe(struct spi_device *spi)
+ if (ret)
+ return ret;
+
+- if (IS_ENABLED(CONFIG_GPIOLIB))
+- return ad7173_gpio_init(st);
+-
+- return 0;
++ return ad7173_gpio_init(st);
+ }
+
+ static const struct of_device_id ad7173_of_match[] = {
+--
+2.50.0
+
--- /dev/null
+From 3f5fd1717ae9497215f22aa748fc2c09df88b0e3 Mon Sep 17 00:00:00 2001
+From: David Lechner <dlechner@baylibre.com>
+Date: Fri, 2 May 2025 10:04:30 -0500
+Subject: iio: adc: ad7606: fix raw read for 18-bit chips
+
+From: David Lechner <dlechner@baylibre.com>
+
+commit 3f5fd1717ae9497215f22aa748fc2c09df88b0e3 upstream.
+
+Fix 18-bit raw read for 18-bit chips by applying a mask to the value
+we receive from the SPI controller.
+
+SPI controllers either return 1, 2 or 4 bytes per word depending on the
+bits_per_word. For 16-bit chips, there was no problem since they raw
+data fit exactly in the 2 bytes received from the SPI controller. But
+now that we have 18-bit chips and we are using bits_per_word = 18, we
+cannot assume that the extra bits in the 32-bit word are always zero.
+In fact, with the AXI SPI Engine controller, these bits are not always
+zero which caused the raw values to read 10s of 1000s of volts instead
+of the correct value. Therefore, we need to mask the value we receive
+from the SPI controller to ensure that only the 18 bits of real data
+are used.
+
+Fixes: f3838e934dff ("iio: adc: ad7606: add support for AD7606C-{16,18} parts")
+Signed-off-by: David Lechner <dlechner@baylibre.com>
+Link: https://patch.msgid.link/20250502-iio-adc-ad7606-fix-raw-read-for-18-bit-chips-v1-1-06caa92d8f11@baylibre.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/ad7606.c | 21 ++++++++++-----------
+ 1 file changed, 10 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/iio/adc/ad7606.c b/drivers/iio/adc/ad7606.c
+index 703556eb7257..8ed65a35b486 100644
+--- a/drivers/iio/adc/ad7606.c
++++ b/drivers/iio/adc/ad7606.c
+@@ -727,17 +727,16 @@ static int ad7606_scan_direct(struct iio_dev *indio_dev, unsigned int ch,
+ goto error_ret;
+
+ chan = &indio_dev->channels[ch + 1];
+- if (chan->scan_type.sign == 'u') {
+- if (realbits > 16)
+- *val = st->data.buf32[ch];
+- else
+- *val = st->data.buf16[ch];
+- } else {
+- if (realbits > 16)
+- *val = sign_extend32(st->data.buf32[ch], realbits - 1);
+- else
+- *val = sign_extend32(st->data.buf16[ch], realbits - 1);
+- }
++
++ if (realbits > 16)
++ *val = st->data.buf32[ch];
++ else
++ *val = st->data.buf16[ch];
++
++ *val &= GENMASK(realbits - 1, 0);
++
++ if (chan->scan_type.sign == 's')
++ *val = sign_extend32(*val, realbits - 1);
+
+ error_ret:
+ if (!st->gpio_convst) {
+--
+2.50.0
+
--- /dev/null
+From 89944d88f8795c6c89b9514cb365998145511cd4 Mon Sep 17 00:00:00 2001
+From: David Lechner <dlechner@baylibre.com>
+Date: Mon, 28 Apr 2025 20:55:34 -0500
+Subject: iio: adc: ad7606_spi: fix reg write value mask
+
+From: David Lechner <dlechner@baylibre.com>
+
+commit 89944d88f8795c6c89b9514cb365998145511cd4 upstream.
+
+Fix incorrect value mask for register write. Register values are 8-bit,
+not 9. If this function was called with a value > 0xFF and an even addr,
+it would cause writing to the next register.
+
+Fixes: f2a22e1e172f ("iio: adc: ad7606: Add support for software mode for ad7616")
+Signed-off-by: David Lechner <dlechner@baylibre.com>
+Reviewed-by: Angelo Dureghello <adureghello@baylibre.com>
+Link: https://patch.msgid.link/20250428-iio-adc-ad7606_spi-fix-write-value-mask-v1-1-a2d5e85a809f@baylibre.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/ad7606_spi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/ad7606_spi.c
++++ b/drivers/iio/adc/ad7606_spi.c
+@@ -155,7 +155,7 @@ static int ad7606_spi_reg_write(struct a
+ struct spi_device *spi = to_spi_device(st->dev);
+
+ st->d16[0] = cpu_to_be16((st->bops->rd_wr_cmd(addr, 1) << 8) |
+- (val & 0x1FF));
++ (val & 0xFF));
+
+ return spi_write(spi, &st->d16[0], sizeof(st->d16[0]));
+ }
--- /dev/null
+From 7cdfbc0113d087348b8e65dd79276d0f57b89a10 Mon Sep 17 00:00:00 2001
+From: David Lechner <dlechner@baylibre.com>
+Date: Mon, 5 May 2025 13:28:40 -0500
+Subject: iio: adc: ad7944: mask high bits on direct read
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: David Lechner <dlechner@baylibre.com>
+
+commit 7cdfbc0113d087348b8e65dd79276d0f57b89a10 upstream.
+
+Apply a mask to the raw value received over the SPI bus for unsigned
+direct reads. As we found recently, SPI controllers may not set unused
+bits to 0 when reading with bits_per_word != {8,16,32}. The ad7944 uses
+bits_per_word of 14 and 18, so we need to mask the value to be sure we
+returning the correct value to userspace during a direct read.
+
+Fixes: d1efcf8871db ("iio: adc: ad7944: add driver for AD7944/AD7985/AD7986")
+Signed-off-by: David Lechner <dlechner@baylibre.com>
+Reviewed-by: Nuno Sá <nuno.sa@analog.com>
+Link: https://patch.msgid.link/20250505-iio-adc-ad7944-max-high-bits-on-direct-read-v1-1-b173facceefe@baylibre.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/ad7944.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/iio/adc/ad7944.c
++++ b/drivers/iio/adc/ad7944.c
+@@ -377,6 +377,8 @@ static int ad7944_single_conversion(stru
+
+ if (chan->scan_type.sign == 's')
+ *val = sign_extend32(*val, chan->scan_type.realbits - 1);
++ else
++ *val &= GENMASK(chan->scan_type.realbits - 1, 0);
+
+ return IIO_VAL_INT;
+ }
--- /dev/null
+From 3c5dfea39a245b2dad869db24e2830aa299b1cf2 Mon Sep 17 00:00:00 2001
+From: Arthur-Prince <r2.arthur.prince@gmail.com>
+Date: Wed, 30 Apr 2025 16:07:37 -0300
+Subject: iio: adc: ti-ads1298: Kconfig: add kfifo dependency to fix module build
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arthur-Prince <r2.arthur.prince@gmail.com>
+
+commit 3c5dfea39a245b2dad869db24e2830aa299b1cf2 upstream.
+
+Add dependency to Kconfig’s ti-ads1298 because compiling it as a module
+failed with an undefined kfifo symbol.
+
+Fixes: 00ef7708fa60 ("iio: adc: ti-ads1298: Add driver")
+Signed-off-by: Arthur-Prince <r2.arthur.prince@gmail.com>
+Co-developed-by: Mariana Valério <mariana.valerio2@hotmail.com>
+Signed-off-by: Mariana Valério <mariana.valerio2@hotmail.com>
+Link: https://patch.msgid.link/20250430191131.120831-1-r2.arthur.prince@gmail.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/iio/adc/Kconfig
++++ b/drivers/iio/adc/Kconfig
+@@ -1546,6 +1546,7 @@ config TI_ADS1298
+ tristate "Texas Instruments ADS1298"
+ depends on SPI
+ select IIO_BUFFER
++ select IIO_KFIFO_BUF
+ help
+ If you say yes here you get support for Texas Instruments ADS1298
+ medical ADC chips
--- /dev/null
+From e2f820014239df9360064079ae93f838ff3b7f8c Mon Sep 17 00:00:00 2001
+From: Sean Nyekjaer <sean@geanix.com>
+Date: Fri, 2 May 2025 11:37:26 +0200
+Subject: iio: imu: inv_icm42600: Fix temperature calculation
+
+From: Sean Nyekjaer <sean@geanix.com>
+
+commit e2f820014239df9360064079ae93f838ff3b7f8c upstream.
+
+>From the documentation:
+"offset to be added to <type>[Y]_raw prior toscaling by <type>[Y]_scale"
+Offset should be applied before multiplying scale, so divide offset by
+scale to make this correct.
+
+Fixes: bc3eb0207fb5 ("iio: imu: inv_icm42600: add temperature sensor support")
+Signed-off-by: Sean Nyekjaer <sean@geanix.com>
+Acked-by: Jean-Baptiste Maneyrol <jean-baptiste.maneyrol@tdk.com>
+Link: https://patch.msgid.link/20250502-imu-v1-1-129b8391a4e3@geanix.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/imu/inv_icm42600/inv_icm42600_temp.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_temp.c
++++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_temp.c
+@@ -67,16 +67,18 @@ int inv_icm42600_temp_read_raw(struct ii
+ return IIO_VAL_INT;
+ /*
+ * T°C = (temp / 132.48) + 25
+- * Tm°C = 1000 * ((temp * 100 / 13248) + 25)
++ * Tm°C = 1000 * ((temp / 132.48) + 25)
++ * Tm°C = 7.548309 * temp + 25000
++ * Tm°C = (temp + 3312) * 7.548309
+ * scale: 100000 / 13248 ~= 7.548309
+- * offset: 25000
++ * offset: 3312
+ */
+ case IIO_CHAN_INFO_SCALE:
+ *val = 7;
+ *val2 = 548309;
+ return IIO_VAL_INT_PLUS_MICRO;
+ case IIO_CHAN_INFO_OFFSET:
+- *val = 25000;
++ *val = 3312;
+ return IIO_VAL_INT;
+ default:
+ return -EINVAL;
--- /dev/null
+From 2c7f023219966777be0687e15b57689894304cd3 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Wed, 28 May 2025 13:45:44 -0600
+Subject: io_uring/net: only consider msg_inq if larger than 1
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit 2c7f023219966777be0687e15b57689894304cd3 upstream.
+
+Currently retry and general validity of msg_inq is gated on it being
+larger than zero, but it's entirely possible for this to be slightly
+inaccurate. In particular, if FIN is received, it'll return 1.
+
+Just use larger than 1 as the check. This covers both the FIN case, and
+at the same time, it doesn't make much sense to retry a recv immediately
+if there's even just a single 1 byte of valid data in the socket.
+
+Leave the SOCK_NONEMPTY flagging when larger than 0 still, as an app may
+use that for the final receive.
+
+Cc: stable@vger.kernel.org
+Reported-by: Christian Mazakas <christian.mazakas@gmail.com>
+Fixes: 7c71a0af81ba ("io_uring/net: improve recv bundles")
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/net.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/io_uring/net.c
++++ b/io_uring/net.c
+@@ -840,7 +840,7 @@ static inline bool io_recv_finish(struct
+ * If more is available AND it was a full transfer, retry and
+ * append to this one
+ */
+- if (!sr->retry && kmsg->msg.msg_inq > 0 && this_ret > 0 &&
++ if (!sr->retry && kmsg->msg.msg_inq > 1 && this_ret > 0 &&
+ !iov_iter_count(&kmsg->msg.msg_iter)) {
+ req->cqe.flags = cflags & ~CQE_F_MASK;
+ sr->len = kmsg->msg.msg_inq;
+@@ -1077,7 +1077,7 @@ static int io_recv_buf_select(struct io_
+ arg.mode |= KBUF_MODE_FREE;
+ }
+
+- if (kmsg->msg.msg_inq > 0)
++ if (kmsg->msg.msg_inq > 1)
+ arg.max_len = min_not_zero(sr->len, kmsg->msg.msg_inq);
+
+ ret = io_buffers_peek(req, &arg);
--- /dev/null
+From 2b12d06c37fd3a394376f42f026a7478d826ed63 Mon Sep 17 00:00:00 2001
+From: Pu Lehui <pulehui@huawei.com>
+Date: Thu, 29 May 2025 15:56:47 +0000
+Subject: mm: fix uprobe pte be overwritten when expanding vma
+
+From: Pu Lehui <pulehui@huawei.com>
+
+commit 2b12d06c37fd3a394376f42f026a7478d826ed63 upstream.
+
+Patch series "Fix uprobe pte be overwritten when expanding vma".
+
+
+This patch (of 4):
+
+We encountered a BUG alert triggered by Syzkaller as follows:
+ BUG: Bad rss-counter state mm:00000000b4a60fca type:MM_ANONPAGES val:1
+
+And we can reproduce it with the following steps:
+1. register uprobe on file at zero offset
+2. mmap the file at zero offset:
+ addr1 = mmap(NULL, 2 * 4096, PROT_NONE, MAP_PRIVATE, fd, 0);
+3. mremap part of vma1 to new vma2:
+ addr2 = mremap(addr1, 4096, 2 * 4096, MREMAP_MAYMOVE);
+4. mremap back to orig addr1:
+ mremap(addr2, 4096, 4096, MREMAP_MAYMOVE | MREMAP_FIXED, addr1);
+
+In step 3, the vma1 range [addr1, addr1 + 4096] will be remap to new vma2
+with range [addr2, addr2 + 8192], and remap uprobe anon page from the vma1
+to vma2, then unmap the vma1 range [addr1, addr1 + 4096].
+
+In step 4, the vma2 range [addr2, addr2 + 4096] will be remap back to the
+addr range [addr1, addr1 + 4096]. Since the addr range [addr1 + 4096,
+addr1 + 8192] still maps the file, it will take vma_merge_new_range to
+expand the range, and then do uprobe_mmap in vma_complete. Since the
+merged vma pgoff is also zero offset, it will install uprobe anon page to
+the merged vma. However, the upcomming move_page_tables step, which use
+set_pte_at to remap the vma2 uprobe pte to the merged vma, will overwrite
+the newly uprobe pte in the merged vma, and lead that pte to be orphan.
+
+Since the uprobe pte will be remapped to the merged vma, we can remove the
+unnecessary uprobe_mmap upon merged vma.
+
+This problem was first found in linux-6.6.y and also exists in the
+community syzkaller:
+https://lore.kernel.org/all/000000000000ada39605a5e71711@google.com/T/
+
+Link: https://lkml.kernel.org/r/20250529155650.4017699-1-pulehui@huaweicloud.com
+Link: https://lkml.kernel.org/r/20250529155650.4017699-2-pulehui@huaweicloud.com
+Fixes: 2b1444983508 ("uprobes, mm, x86: Add the ability to install and remove uprobes breakpoints")
+Signed-off-by: Pu Lehui <pulehui@huawei.com>
+Suggested-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
+Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
+Acked-by: David Hildenbrand <david@redhat.com>
+Cc: Jann Horn <jannh@google.com>
+Cc: Liam Howlett <liam.howlett@oracle.com>
+Cc: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/vma.c | 20 +++++++++++++++++---
+ mm/vma.h | 7 +++++++
+ 2 files changed, 24 insertions(+), 3 deletions(-)
+
+--- a/mm/vma.c
++++ b/mm/vma.c
+@@ -144,6 +144,9 @@ static void init_multi_vma_prep(struct v
+ vp->file = vma->vm_file;
+ if (vp->file)
+ vp->mapping = vma->vm_file->f_mapping;
++
++ if (vmg && vmg->skip_vma_uprobe)
++ vp->skip_vma_uprobe = true;
+ }
+
+ /*
+@@ -333,10 +336,13 @@ static void vma_complete(struct vma_prep
+
+ if (vp->file) {
+ i_mmap_unlock_write(vp->mapping);
+- uprobe_mmap(vp->vma);
+
+- if (vp->adj_next)
+- uprobe_mmap(vp->adj_next);
++ if (!vp->skip_vma_uprobe) {
++ uprobe_mmap(vp->vma);
++
++ if (vp->adj_next)
++ uprobe_mmap(vp->adj_next);
++ }
+ }
+
+ if (vp->remove) {
+@@ -1783,6 +1789,14 @@ struct vm_area_struct *copy_vma(struct v
+ faulted_in_anon_vma = false;
+ }
+
++ /*
++ * If the VMA we are copying might contain a uprobe PTE, ensure
++ * that we do not establish one upon merge. Otherwise, when mremap()
++ * moves page tables, it will orphan the newly created PTE.
++ */
++ if (vma->vm_file)
++ vmg.skip_vma_uprobe = true;
++
+ new_vma = find_vma_prev(mm, addr, &vmg.prev);
+ if (new_vma && new_vma->vm_start < addr + len)
+ return NULL; /* should never get here */
+--- a/mm/vma.h
++++ b/mm/vma.h
+@@ -19,6 +19,8 @@ struct vma_prepare {
+ struct vm_area_struct *insert;
+ struct vm_area_struct *remove;
+ struct vm_area_struct *remove2;
++
++ bool skip_vma_uprobe :1;
+ };
+
+ struct unlink_vma_file_batch {
+@@ -120,6 +122,11 @@ struct vma_merge_struct {
+ */
+ bool give_up_on_oom :1;
+
++ /*
++ * If set, skip uprobe_mmap upon merged vma.
++ */
++ bool skip_vma_uprobe :1;
++
+ /* Internal flags set during merge process: */
+
+ /*
--- /dev/null
+From 1013af4f585fccc4d3e5c5824d174de2257f7d6d Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Tue, 27 May 2025 23:23:54 +0200
+Subject: mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race
+
+From: Jann Horn <jannh@google.com>
+
+commit 1013af4f585fccc4d3e5c5824d174de2257f7d6d upstream.
+
+huge_pmd_unshare() drops a reference on a page table that may have
+previously been shared across processes, potentially turning it into a
+normal page table used in another process in which unrelated VMAs can
+afterwards be installed.
+
+If this happens in the middle of a concurrent gup_fast(), gup_fast() could
+end up walking the page tables of another process. While I don't see any
+way in which that immediately leads to kernel memory corruption, it is
+really weird and unexpected.
+
+Fix it with an explicit broadcast IPI through tlb_remove_table_sync_one(),
+just like we do in khugepaged when removing page tables for a THP
+collapse.
+
+Link: https://lkml.kernel.org/r/20250528-hugetlb-fixes-splitrace-v2-2-1329349bad1a@google.com
+Link: https://lkml.kernel.org/r/20250527-hugetlb-fixes-splitrace-v1-2-f4136f5ec58a@google.com
+Fixes: 39dde65c9940 ("[PATCH] shared page table for hugetlb page")
+Signed-off-by: Jann Horn <jannh@google.com>
+Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
+Cc: Liam Howlett <liam.howlett@oracle.com>
+Cc: Muchun Song <muchun.song@linux.dev>
+Cc: Oscar Salvador <osalvador@suse.de>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/hugetlb.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -7628,6 +7628,13 @@ int huge_pmd_unshare(struct mm_struct *m
+ return 0;
+
+ pud_clear(pud);
++ /*
++ * Once our caller drops the rmap lock, some other process might be
++ * using this page table as a normal, non-hugetlb page table.
++ * Wait for pending gup_fast() in other threads to finish before letting
++ * that happen.
++ */
++ tlb_remove_table_sync_one();
+ ptdesc_pmd_pts_dec(virt_to_ptdesc(ptep));
+ mm_dec_nr_pmds(mm);
+ return 1;
--- /dev/null
+From 081056dc00a27bccb55ccc3c6f230a3d5fd3f7e0 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Tue, 27 May 2025 23:23:53 +0200
+Subject: mm/hugetlb: unshare page tables during VMA split, not before
+
+From: Jann Horn <jannh@google.com>
+
+commit 081056dc00a27bccb55ccc3c6f230a3d5fd3f7e0 upstream.
+
+Currently, __split_vma() triggers hugetlb page table unsharing through
+vm_ops->may_split(). This happens before the VMA lock and rmap locks are
+taken - which is too early, it allows racing VMA-locked page faults in our
+process and racing rmap walks from other processes to cause page tables to
+be shared again before we actually perform the split.
+
+Fix it by explicitly calling into the hugetlb unshare logic from
+__split_vma() in the same place where THP splitting also happens. At that
+point, both the VMA and the rmap(s) are write-locked.
+
+An annoying detail is that we can now call into the helper
+hugetlb_unshare_pmds() from two different locking contexts:
+
+1. from hugetlb_split(), holding:
+ - mmap lock (exclusively)
+ - VMA lock
+ - file rmap lock (exclusively)
+2. hugetlb_unshare_all_pmds(), which I think is designed to be able to
+ call us with only the mmap lock held (in shared mode), but currently
+ only runs while holding mmap lock (exclusively) and VMA lock
+
+Backporting note:
+This commit fixes a racy protection that was introduced in commit
+b30c14cd6102 ("hugetlb: unshare some PMDs when splitting VMAs"); that
+commit claimed to fix an issue introduced in 5.13, but it should actually
+also go all the way back.
+
+[jannh@google.com: v2]
+ Link: https://lkml.kernel.org/r/20250528-hugetlb-fixes-splitrace-v2-1-1329349bad1a@google.com
+Link: https://lkml.kernel.org/r/20250528-hugetlb-fixes-splitrace-v2-0-1329349bad1a@google.com
+Link: https://lkml.kernel.org/r/20250527-hugetlb-fixes-splitrace-v1-1-f4136f5ec58a@google.com
+Fixes: 39dde65c9940 ("[PATCH] shared page table for hugetlb page")
+Signed-off-by: Jann Horn <jannh@google.com>
+Cc: Liam Howlett <liam.howlett@oracle.com>
+Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
+Reviewed-by: Oscar Salvador <osalvador@suse.de>
+Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: <stable@vger.kernel.org> [b30c14cd6102: hugetlb: unshare some PMDs when splitting VMAs]
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/hugetlb.h | 3 +
+ mm/hugetlb.c | 60 ++++++++++++++++++++++++++++-----------
+ mm/vma.c | 7 ++++
+ tools/testing/vma/vma_internal.h | 2 +
+ 4 files changed, 56 insertions(+), 16 deletions(-)
+
+--- a/include/linux/hugetlb.h
++++ b/include/linux/hugetlb.h
+@@ -276,6 +276,7 @@ bool is_hugetlb_entry_migration(pte_t pt
+ bool is_hugetlb_entry_hwpoisoned(pte_t pte);
+ void hugetlb_unshare_all_pmds(struct vm_area_struct *vma);
+ void fixup_hugetlb_reservations(struct vm_area_struct *vma);
++void hugetlb_split(struct vm_area_struct *vma, unsigned long addr);
+
+ #else /* !CONFIG_HUGETLB_PAGE */
+
+@@ -473,6 +474,8 @@ static inline void fixup_hugetlb_reserva
+ {
+ }
+
++static inline void hugetlb_split(struct vm_area_struct *vma, unsigned long addr) {}
++
+ #endif /* !CONFIG_HUGETLB_PAGE */
+
+ #ifndef pgd_write
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -120,7 +120,7 @@ static void hugetlb_vma_lock_free(struct
+ static void hugetlb_vma_lock_alloc(struct vm_area_struct *vma);
+ static void __hugetlb_vma_unlock_write_free(struct vm_area_struct *vma);
+ static void hugetlb_unshare_pmds(struct vm_area_struct *vma,
+- unsigned long start, unsigned long end);
++ unsigned long start, unsigned long end, bool take_locks);
+ static struct resv_map *vma_resv_map(struct vm_area_struct *vma);
+
+ static void hugetlb_free_folio(struct folio *folio)
+@@ -5426,26 +5426,40 @@ static int hugetlb_vm_op_split(struct vm
+ {
+ if (addr & ~(huge_page_mask(hstate_vma(vma))))
+ return -EINVAL;
++ return 0;
++}
+
++void hugetlb_split(struct vm_area_struct *vma, unsigned long addr)
++{
+ /*
+ * PMD sharing is only possible for PUD_SIZE-aligned address ranges
+ * in HugeTLB VMAs. If we will lose PUD_SIZE alignment due to this
+ * split, unshare PMDs in the PUD_SIZE interval surrounding addr now.
++ * This function is called in the middle of a VMA split operation, with
++ * MM, VMA and rmap all write-locked to prevent concurrent page table
++ * walks (except hardware and gup_fast()).
+ */
++ vma_assert_write_locked(vma);
++ i_mmap_assert_write_locked(vma->vm_file->f_mapping);
++
+ if (addr & ~PUD_MASK) {
+- /*
+- * hugetlb_vm_op_split is called right before we attempt to
+- * split the VMA. We will need to unshare PMDs in the old and
+- * new VMAs, so let's unshare before we split.
+- */
+ unsigned long floor = addr & PUD_MASK;
+ unsigned long ceil = floor + PUD_SIZE;
+
+- if (floor >= vma->vm_start && ceil <= vma->vm_end)
+- hugetlb_unshare_pmds(vma, floor, ceil);
++ if (floor >= vma->vm_start && ceil <= vma->vm_end) {
++ /*
++ * Locking:
++ * Use take_locks=false here.
++ * The file rmap lock is already held.
++ * The hugetlb VMA lock can't be taken when we already
++ * hold the file rmap lock, and we don't need it because
++ * its purpose is to synchronize against concurrent page
++ * table walks, which are not possible thanks to the
++ * locks held by our caller.
++ */
++ hugetlb_unshare_pmds(vma, floor, ceil, /* take_locks = */ false);
++ }
+ }
+-
+- return 0;
+ }
+
+ static unsigned long hugetlb_vm_op_pagesize(struct vm_area_struct *vma)
+@@ -7884,9 +7898,16 @@ void move_hugetlb_state(struct folio *ol
+ spin_unlock_irq(&hugetlb_lock);
+ }
+
++/*
++ * If @take_locks is false, the caller must ensure that no concurrent page table
++ * access can happen (except for gup_fast() and hardware page walks).
++ * If @take_locks is true, we take the hugetlb VMA lock (to lock out things like
++ * concurrent page fault handling) and the file rmap lock.
++ */
+ static void hugetlb_unshare_pmds(struct vm_area_struct *vma,
+ unsigned long start,
+- unsigned long end)
++ unsigned long end,
++ bool take_locks)
+ {
+ struct hstate *h = hstate_vma(vma);
+ unsigned long sz = huge_page_size(h);
+@@ -7910,8 +7931,12 @@ static void hugetlb_unshare_pmds(struct
+ mmu_notifier_range_init(&range, MMU_NOTIFY_CLEAR, 0, mm,
+ start, end);
+ mmu_notifier_invalidate_range_start(&range);
+- hugetlb_vma_lock_write(vma);
+- i_mmap_lock_write(vma->vm_file->f_mapping);
++ if (take_locks) {
++ hugetlb_vma_lock_write(vma);
++ i_mmap_lock_write(vma->vm_file->f_mapping);
++ } else {
++ i_mmap_assert_write_locked(vma->vm_file->f_mapping);
++ }
+ for (address = start; address < end; address += PUD_SIZE) {
+ ptep = hugetlb_walk(vma, address, sz);
+ if (!ptep)
+@@ -7921,8 +7946,10 @@ static void hugetlb_unshare_pmds(struct
+ spin_unlock(ptl);
+ }
+ flush_hugetlb_tlb_range(vma, start, end);
+- i_mmap_unlock_write(vma->vm_file->f_mapping);
+- hugetlb_vma_unlock_write(vma);
++ if (take_locks) {
++ i_mmap_unlock_write(vma->vm_file->f_mapping);
++ hugetlb_vma_unlock_write(vma);
++ }
+ /*
+ * No need to call mmu_notifier_arch_invalidate_secondary_tlbs(), see
+ * Documentation/mm/mmu_notifier.rst.
+@@ -7937,7 +7964,8 @@ static void hugetlb_unshare_pmds(struct
+ void hugetlb_unshare_all_pmds(struct vm_area_struct *vma)
+ {
+ hugetlb_unshare_pmds(vma, ALIGN(vma->vm_start, PUD_SIZE),
+- ALIGN_DOWN(vma->vm_end, PUD_SIZE));
++ ALIGN_DOWN(vma->vm_end, PUD_SIZE),
++ /* take_locks = */ true);
+ }
+
+ /*
+--- a/mm/vma.c
++++ b/mm/vma.c
+@@ -516,7 +516,14 @@ __split_vma(struct vma_iterator *vmi, st
+ init_vma_prep(&vp, vma);
+ vp.insert = new;
+ vma_prepare(&vp);
++
++ /*
++ * Get rid of huge pages and shared page tables straddling the split
++ * boundary.
++ */
+ vma_adjust_trans_huge(vma, vma->vm_start, addr, NULL);
++ if (is_vm_hugetlb_page(vma))
++ hugetlb_split(vma, addr);
+
+ if (new_below) {
+ vma->vm_start = addr;
+--- a/tools/testing/vma/vma_internal.h
++++ b/tools/testing/vma/vma_internal.h
+@@ -793,6 +793,8 @@ static inline void vma_adjust_trans_huge
+ (void)next;
+ }
+
++static inline void hugetlb_split(struct vm_area_struct *, unsigned long) {}
++
+ static inline void vma_iter_free(struct vma_iterator *vmi)
+ {
+ mas_destroy(&vmi->mas);
accel-ivpu-trigger-device-recovery-on-engine-reset-resume-failure.patch
accel-ivpu-use-dma_resv_lock-instead-of-a-custom-mutex.patch
accel-ivpu-fix-warning-in-ivpu_gem_bo_free.patch
+io_uring-net-only-consider-msg_inq-if-larger-than-1.patch
+dummycon-trigger-redraw-when-switching-consoles-with-deferred-takeover.patch
+mm-fix-uprobe-pte-be-overwritten-when-expanding-vma.patch
+mm-hugetlb-unshare-page-tables-during-vma-split-not-before.patch
+mm-hugetlb-fix-huge_pmd_unshare-vs-gup-fast-race.patch
+iio-imu-inv_icm42600-fix-temperature-calculation.patch
+iio-adc-ad7944-mask-high-bits-on-direct-read.patch
+iio-adc-ti-ads1298-kconfig-add-kfifo-dependency-to-fix-module-build.patch
+iio-adc-ad7606_spi-fix-reg-write-value-mask.patch
+iio-adc-ad7173-fix-compiling-without-gpiolib.patch
+iio-adc-ad7606-fix-raw-read-for-18-bit-chips.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
