--- /dev/null
+From 8b14d85a8b94e3deeadda0afb3cf2afae0119de1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Apr 2025 18:54:54 +0200
+Subject: ACPI: OSI: Stop advertising support for "3.0 _SCP Extensions"
+
+From: Armin Wolf <W_Armin@gmx.de>
+
+[ Upstream commit 8cf4fdac9bdead7bca15fc56fdecdf78d11c3ec6 ]
+
+As specified in section 5.7.2 of the ACPI specification the feature
+group string "3.0 _SCP Extensions" implies that the operating system
+evaluates the _SCP control method with additional parameters.
+
+However the ACPI thermal driver evaluates the _SCP control method
+without those additional parameters, conflicting with the above
+feature group string advertised to the firmware thru _OSI.
+
+Stop advertising support for this feature string to avoid confusing
+the ACPI firmware.
+
+Fixes: e5f660ebef68 ("ACPI / osi: Collect _OSI handling into one single file")
+Signed-off-by: Armin Wolf <W_Armin@gmx.de>
+Link: https://patch.msgid.link/20250410165456.4173-2-W_Armin@gmx.de
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/osi.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/acpi/osi.c b/drivers/acpi/osi.c
+index d4405e1ca9b97..ae9620757865b 100644
+--- a/drivers/acpi/osi.c
++++ b/drivers/acpi/osi.c
+@@ -42,7 +42,6 @@ static struct acpi_osi_entry
+ osi_setup_entries[OSI_STRING_ENTRIES_MAX] __initdata = {
+ {"Module Device", true},
+ {"Processor Device", true},
+- {"3.0 _SCP Extensions", true},
+ {"Processor Aggregator Device", true},
+ };
+
+--
+2.39.5
+
--- /dev/null
+From 3c677ccb728c1a765a131a260deebdd6caa94f47 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Apr 2025 21:43:11 +0300
+Subject: ACPICA: exserial: don't forget to handle FFixedHW opregions for
+ reading
+
+From: Daniil Tatianin <d-tatianin@yandex-team.ru>
+
+[ Upstream commit 0f8af0356a45547683a216e4921006a3c6a6d922 ]
+
+The initial commit that introduced support for FFixedHW operation
+regions did add a special case in the AcpiExReadSerialBus If, but
+forgot to actually handle it inside the switch, so add the missing case
+to prevent reads from failing with AE_AML_INVALID_SPACE_ID.
+
+Link: https://github.com/acpica/acpica/pull/998
+Fixes: ee64b827a9a ("ACPICA: Add support for FFH Opregion special context data")
+Signed-off-by: Daniil Tatianin <d-tatianin@yandex-team.ru>
+Link: https://patch.msgid.link/20250401184312.599962-1-d-tatianin@yandex-team.ru
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpica/exserial.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/acpi/acpica/exserial.c b/drivers/acpi/acpica/exserial.c
+index 5241f4c01c765..89a4ac447a2be 100644
+--- a/drivers/acpi/acpica/exserial.c
++++ b/drivers/acpi/acpica/exserial.c
+@@ -201,6 +201,12 @@ acpi_ex_read_serial_bus(union acpi_operand_object *obj_desc,
+ function = ACPI_READ;
+ break;
+
++ case ACPI_ADR_SPACE_FIXED_HARDWARE:
++
++ buffer_length = ACPI_FFH_INPUT_BUFFER_SIZE;
++ function = ACPI_READ;
++ break;
++
+ default:
+ return_ACPI_STATUS(AE_AML_INVALID_SPACE_ID);
+ }
+--
+2.39.5
+
--- /dev/null
+From 074f6981ebf6737377d13daf3d3123a2ab6bd2a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 May 2025 16:00:42 +0930
+Subject: ARM: aspeed: Don't select SRAM
+
+From: Joel Stanley <joel@jms.id.au>
+
+[ Upstream commit e4f59f873c3ffe2a0150e11115a83e2dfb671dbf ]
+
+The ASPEED devices have SRAM, but don't require it for basic function
+(or any function; there's no known users of the driver).
+
+Fixes: 8c2ed9bcfbeb ("arm: Add Aspeed machine")
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Link: https://patch.msgid.link/20250115103942.421429-1-joel@jms.id.au
+Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-aspeed/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/arm/mach-aspeed/Kconfig b/arch/arm/mach-aspeed/Kconfig
+index 080019aa6fcd8..fcf287edd0e5e 100644
+--- a/arch/arm/mach-aspeed/Kconfig
++++ b/arch/arm/mach-aspeed/Kconfig
+@@ -2,7 +2,6 @@
+ menuconfig ARCH_ASPEED
+ bool "Aspeed BMC architectures"
+ depends on (CPU_LITTLE_ENDIAN && ARCH_MULTI_V5) || ARCH_MULTI_V6 || ARCH_MULTI_V7
+- select SRAM
+ select WATCHDOG
+ select ASPEED_WATCHDOG
+ select MFD_SYSCON
+--
+2.39.5
+
--- /dev/null
+From 798f320f88dae7fc6387c828a8617c851ada7063 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Apr 2025 23:04:46 +0200
+Subject: ARM: dts: at91: at91sam9263: fix NAND chip selects
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit c72ede1c24be689733bcd2233a3a56f2478429c8 ]
+
+NAND did not work on my USB-A9263. I discovered that the offending
+commit converted the PIO bank for chip selects wrongly, so all A9263
+boards need to be fixed.
+
+Fixes: 1004a2977bdc ("ARM: dts: at91: Switch to the new NAND bindings")
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Reviewed-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Link: https://lore.kernel.org/r/20250402210446.5972-2-wsa+renesas@sang-engineering.com
+Signed-off-by: Claudiu Beznea <claudiu.beznea@tuxon.dev>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/microchip/at91sam9263ek.dts | 2 +-
+ arch/arm/boot/dts/microchip/tny_a9263.dts | 2 +-
+ arch/arm/boot/dts/microchip/usb_a9263.dts | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm/boot/dts/microchip/at91sam9263ek.dts b/arch/arm/boot/dts/microchip/at91sam9263ek.dts
+index ce8baff6a9f4e..e42e1a75a715d 100644
+--- a/arch/arm/boot/dts/microchip/at91sam9263ek.dts
++++ b/arch/arm/boot/dts/microchip/at91sam9263ek.dts
+@@ -152,7 +152,7 @@
+ nand@3 {
+ reg = <0x3 0x0 0x800000>;
+ rb-gpios = <&pioA 22 GPIO_ACTIVE_HIGH>;
+- cs-gpios = <&pioA 15 GPIO_ACTIVE_HIGH>;
++ cs-gpios = <&pioD 15 GPIO_ACTIVE_HIGH>;
+ nand-bus-width = <8>;
+ nand-ecc-mode = "soft";
+ nand-on-flash-bbt;
+diff --git a/arch/arm/boot/dts/microchip/tny_a9263.dts b/arch/arm/boot/dts/microchip/tny_a9263.dts
+index 62b7d9f9a926c..c8b6318aaa838 100644
+--- a/arch/arm/boot/dts/microchip/tny_a9263.dts
++++ b/arch/arm/boot/dts/microchip/tny_a9263.dts
+@@ -64,7 +64,7 @@
+ nand@3 {
+ reg = <0x3 0x0 0x800000>;
+ rb-gpios = <&pioA 22 GPIO_ACTIVE_HIGH>;
+- cs-gpios = <&pioA 15 GPIO_ACTIVE_HIGH>;
++ cs-gpios = <&pioD 15 GPIO_ACTIVE_HIGH>;
+ nand-bus-width = <8>;
+ nand-ecc-mode = "soft";
+ nand-on-flash-bbt;
+diff --git a/arch/arm/boot/dts/microchip/usb_a9263.dts b/arch/arm/boot/dts/microchip/usb_a9263.dts
+index 25c643067b2ec..454176ce6d3ff 100644
+--- a/arch/arm/boot/dts/microchip/usb_a9263.dts
++++ b/arch/arm/boot/dts/microchip/usb_a9263.dts
+@@ -84,7 +84,7 @@
+ nand@3 {
+ reg = <0x3 0x0 0x800000>;
+ rb-gpios = <&pioA 22 GPIO_ACTIVE_HIGH>;
+- cs-gpios = <&pioA 15 GPIO_ACTIVE_HIGH>;
++ cs-gpios = <&pioD 15 GPIO_ACTIVE_HIGH>;
+ nand-bus-width = <8>;
+ nand-ecc-mode = "soft";
+ nand-on-flash-bbt;
+--
+2.39.5
+
--- /dev/null
+From 452f2e13af4a4e0ceb56c4e3812cdba5e0f3bfb5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Apr 2025 13:27:43 +0200
+Subject: ARM: dts: at91: usb_a9263: fix GPIO for Dataflash chip select
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit 67ba341e57ab158423818ed33bfa1c40eb0e5e7e ]
+
+Dataflash did not work on my board. After checking schematics and using
+the proper GPIO, it works now. Also, make it active low to avoid:
+
+flash@0 enforce active low on GPIO handle
+
+Fixes: 2432d201468d ("ARM: at91: dt: usb-a9263: add dataflash support")
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Link: https://lore.kernel.org/r/20250404112742.67416-2-wsa+renesas@sang-engineering.com
+Signed-off-by: Claudiu Beznea <claudiu.beznea@tuxon.dev>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/microchip/usb_a9263.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/microchip/usb_a9263.dts b/arch/arm/boot/dts/microchip/usb_a9263.dts
+index 45745915b2e16..25c643067b2ec 100644
+--- a/arch/arm/boot/dts/microchip/usb_a9263.dts
++++ b/arch/arm/boot/dts/microchip/usb_a9263.dts
+@@ -58,7 +58,7 @@
+ };
+
+ spi0: spi@fffa4000 {
+- cs-gpios = <&pioB 15 GPIO_ACTIVE_HIGH>;
++ cs-gpios = <&pioA 5 GPIO_ACTIVE_LOW>;
+ status = "okay";
+ flash@0 {
+ compatible = "atmel,at45", "atmel,dataflash";
+--
+2.39.5
+
--- /dev/null
+From 5dd98d342f40a44469e5e53c88d8612d7b6d4fc2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Mar 2025 15:21:59 +0200
+Subject: ARM: dts: qcom: apq8064: add missing clocks to the timer node
+
+From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+
+[ Upstream commit 4b0eb149df58b6750cd8113e5ee5b3ac7cc51743 ]
+
+In order to fix DT schema warning and describe hardware properly, add
+missing sleep clock to the timer node.
+
+Fixes: f335b8af4fd5 ("ARM: dts: qcom: Add initial APQ8064 SoC and IFC6410 board device trees")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250318-fix-nexus-4-v2-6-bcedd1406790@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/qcom/qcom-apq8064.dtsi | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm/boot/dts/qcom/qcom-apq8064.dtsi b/arch/arm/boot/dts/qcom/qcom-apq8064.dtsi
+index 950adb63af701..06251aba80d88 100644
+--- a/arch/arm/boot/dts/qcom/qcom-apq8064.dtsi
++++ b/arch/arm/boot/dts/qcom/qcom-apq8064.dtsi
+@@ -343,6 +343,8 @@
+ <1 3 0x301>;
+ reg = <0x0200a000 0x100>;
+ clock-frequency = <27000000>;
++ clocks = <&sleep_clk>;
++ clock-names = "sleep";
+ cpu-offset = <0x80000>;
+ };
+
+--
+2.39.5
+
--- /dev/null
+From b72d85ed076909cb4f279027d2bb5ea70de29051 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Mar 2025 15:22:00 +0200
+Subject: ARM: dts: qcom: apq8064 merge hw splinlock into corresponding syscon
+ device
+
+From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+
+[ Upstream commit 325c6a441ae1f8fcb1db9bb945b8bdbd3142141e ]
+
+Follow up the expected way of describing the SFPB hwspinlock and merge
+hwspinlock node into corresponding syscon node, fixing several dt-schema
+warnings.
+
+Fixes: 24a9baf933dc ("ARM: dts: qcom: apq8064: Add hwmutex and SMEM nodes")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250318-fix-nexus-4-v2-7-bcedd1406790@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/qcom/qcom-apq8064.dtsi | 13 ++++---------
+ 1 file changed, 4 insertions(+), 9 deletions(-)
+
+diff --git a/arch/arm/boot/dts/qcom/qcom-apq8064.dtsi b/arch/arm/boot/dts/qcom/qcom-apq8064.dtsi
+index 06251aba80d88..b8f160cfe8e15 100644
+--- a/arch/arm/boot/dts/qcom/qcom-apq8064.dtsi
++++ b/arch/arm/boot/dts/qcom/qcom-apq8064.dtsi
+@@ -213,12 +213,6 @@
+ };
+ };
+
+- sfpb_mutex: hwmutex {
+- compatible = "qcom,sfpb-mutex";
+- syscon = <&sfpb_wrapper_mutex 0x604 0x4>;
+- #hwlock-cells = <1>;
+- };
+-
+ smem {
+ compatible = "qcom,smem";
+ memory-region = <&smem_region>;
+@@ -322,9 +316,10 @@
+ pinctrl-0 = <&ps_hold>;
+ };
+
+- sfpb_wrapper_mutex: syscon@1200000 {
+- compatible = "syscon";
+- reg = <0x01200000 0x8000>;
++ sfpb_mutex: hwmutex@1200600 {
++ compatible = "qcom,sfpb-mutex";
++ reg = <0x01200600 0x100>;
++ #hwlock-cells = <1>;
+ };
+
+ intc: interrupt-controller@2000000 {
+--
+2.39.5
+
--- /dev/null
+From a7af8644611a9c5ef980639f098b98690f2bcd50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 May 2025 18:49:24 +0530
+Subject: arm64: defconfig: mediatek: enable PHY drivers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Vignesh Raman <vignesh.raman@collabora.com>
+
+[ Upstream commit f52cd248d844f9451858992f924988ac413fdc7e ]
+
+The mediatek display driver fails to probe on mt8173-elm-hana and
+mt8183-kukui-jacuzzi-juniper-sku16 in v6.14-rc4 due to missing PHY
+configurations.
+
+Commit 924d66011f24 ("drm/mediatek: stop selecting foreign drivers")
+stopped selecting the MediaTek PHY drivers, requiring them to be
+explicitly enabled in defconfig.
+
+Enable the following PHY drivers for MediaTek platforms:
+CONFIG_PHY_MTK_HDMI=m for HDMI display
+CONFIG_PHY_MTK_MIPI_DSI=m for DSI display
+CONFIG_PHY_MTK_DP=m for DP display
+
+Fixes: 924d66011f24 ("drm/mediatek: stop selecting foreign drivers")
+Reviewed-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
+Signed-off-by: Vignesh Raman <vignesh.raman@collabora.com>
+Link: https://lore.kernel.org/r/20250512131933.1247830-1-vignesh.raman@collabora.com
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/configs/defconfig | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/arm64/configs/defconfig b/arch/arm64/configs/defconfig
+index 60af93c04b45a..a4fc913d1e494 100644
+--- a/arch/arm64/configs/defconfig
++++ b/arch/arm64/configs/defconfig
+@@ -1412,6 +1412,9 @@ CONFIG_PHY_HISTB_COMBPHY=y
+ CONFIG_PHY_HISI_INNO_USB2=y
+ CONFIG_PHY_MVEBU_CP110_COMPHY=y
+ CONFIG_PHY_MTK_TPHY=y
++CONFIG_PHY_MTK_HDMI=m
++CONFIG_PHY_MTK_MIPI_DSI=m
++CONFIG_PHY_MTK_DP=m
+ CONFIG_PHY_QCOM_EDP=m
+ CONFIG_PHY_QCOM_EUSB2_REPEATER=m
+ CONFIG_PHY_QCOM_PCIE2=m
+--
+2.39.5
+
--- /dev/null
+From 6d95c502d752d9372e75bca9803094510b53a9bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Apr 2025 20:01:27 -0500
+Subject: arm64: dts: imx8mm-beacon: Fix RTC capacitive load
+
+From: Adam Ford <aford173@gmail.com>
+
+[ Upstream commit 2e98d456666d63f897ba153210bcef9d78ba0f3a ]
+
+Although not noticeable when used every day, the RTC appears to drift when
+left to sit over time. This is due to the capacitive load not being
+properly set. Fix RTC drift by correcting the capacitive load setting
+from 7000 to 12500, which matches the actual hardware configuration.
+
+Fixes: 593816fa2f35 ("arm64: dts: imx: Add Beacon i.MX8m-Mini development kit")
+Signed-off-by: Adam Ford <aford173@gmail.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi
+index f264102bdb274..8ab0e45f2ad31 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mm-beacon-som.dtsi
+@@ -231,6 +231,7 @@
+ rtc: rtc@51 {
+ compatible = "nxp,pcf85263";
+ reg = <0x51>;
++ quartz-load-femtofarads = <12500>;
+ };
+ };
+
+--
+2.39.5
+
--- /dev/null
+From 66a072bcbb843dcd2ffaa92203ca5467fcc73502 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Apr 2025 20:01:30 -0500
+Subject: arm64: dts: imx8mm-beacon: Set SAI5 MCLK direction to output for HDMI
+ audio
+
+From: Adam Ford <aford173@gmail.com>
+
+[ Upstream commit 8c716f80dfe8cd6ed9a2696847cea1affeeff6ff ]
+
+The HDMI bridge chip fails to generate an audio source due to the SAI5
+master clock (MCLK) direction not being set to output. This prevents proper
+clocking of the HDMI audio interface.
+
+Add the `fsl,sai-mclk-direction-output` property to the SAI5 node to ensure
+the MCLK is driven by the SoC, resolving the HDMI sound issue.
+
+Fixes: 8ad7d14d99f3 ("arm64: dts: imx8mm-beacon: Add HDMI video with sound")
+Signed-off-by: Adam Ford <aford173@gmail.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mm-beacon-kit.dts | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mm-beacon-kit.dts b/arch/arm64/boot/dts/freescale/imx8mm-beacon-kit.dts
+index 905c98cb080d2..a6e6860bf0184 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mm-beacon-kit.dts
++++ b/arch/arm64/boot/dts/freescale/imx8mm-beacon-kit.dts
+@@ -124,6 +124,7 @@
+ assigned-clock-parents = <&clk IMX8MM_AUDIO_PLL1_OUT>;
+ assigned-clock-rates = <24576000>;
+ #sound-dai-cells = <0>;
++ fsl,sai-mclk-direction-output;
+ status = "okay";
+ };
+
+--
+2.39.5
+
--- /dev/null
+From 914701be8f4551e14c50edec57452509a832095f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Apr 2025 20:01:28 -0500
+Subject: arm64: dts: imx8mn-beacon: Fix RTC capacitive load
+
+From: Adam Ford <aford173@gmail.com>
+
+[ Upstream commit c3f03bec30efd5082b55876846d57b5d17dae7b9 ]
+
+Although not noticeable when used every day, the RTC appears to drift when
+left to sit over time. This is due to the capacitive load not being
+properly set. Fix RTC drift by correcting the capacitive load setting
+from 7000 to 12500, which matches the actual hardware configuration.
+
+Fixes: 36ca3c8ccb53 ("arm64: dts: imx: Add Beacon i.MX8M Nano development kit")
+Signed-off-by: Adam Ford <aford173@gmail.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi
+index 90073b16536f4..1760062e6ffcf 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mn-beacon-som.dtsi
+@@ -240,6 +240,7 @@
+ rtc: rtc@51 {
+ compatible = "nxp,pcf85263";
+ reg = <0x51>;
++ quartz-load-femtofarads = <12500>;
+ };
+ };
+
+--
+2.39.5
+
--- /dev/null
+From f84fd0c1bfc57aa2ef7fdd23badb80ad50f2e843 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Apr 2025 20:01:31 -0500
+Subject: arm64: dts: imx8mn-beacon: Set SAI5 MCLK direction to output for HDMI
+ audio
+
+From: Adam Ford <aford173@gmail.com>
+
+[ Upstream commit a747c4dd2a60c4d0179b372032a4b98548135096 ]
+
+The HDMI bridge chip fails to generate an audio source due to the SAI5
+master clock (MCLK) direction not being set to output. This prevents proper
+clocking of the HDMI audio interface.
+
+Add the `fsl,sai-mclk-direction-output` property to the SAI5 node to ensure
+the MCLK is driven by the SoC, resolving the HDMI sound issue.
+
+Fixes: 1d6880ceef43 ("arm64: dts: imx8mn-beacon: Add HDMI video with sound")
+Signed-off-by: Adam Ford <aford173@gmail.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mn-beacon-kit.dts | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mn-beacon-kit.dts b/arch/arm64/boot/dts/freescale/imx8mn-beacon-kit.dts
+index 35b8d2060cd99..dfa08be33a4f2 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mn-beacon-kit.dts
++++ b/arch/arm64/boot/dts/freescale/imx8mn-beacon-kit.dts
+@@ -126,6 +126,7 @@
+ assigned-clock-parents = <&clk IMX8MN_AUDIO_PLL1_OUT>;
+ assigned-clock-rates = <24576000>;
+ #sound-dai-cells = <0>;
++ fsl,sai-mclk-direction-output;
+ status = "okay";
+ };
+
+--
+2.39.5
+
--- /dev/null
+From d6803fbf9cfa515637c7d007a265878434fcadc2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Apr 2025 20:01:29 -0500
+Subject: arm64: dts: imx8mp-beacon: Fix RTC capacitive load
+
+From: Adam Ford <aford173@gmail.com>
+
+[ Upstream commit 6821ee17537938e919e8b86a541aae451f73165b ]
+
+Although not noticeable when used every day, the RTC appears to drift when
+left to sit over time. This is due to the capacitive load not being
+properly set. Fix RTC drift by correcting the capacitive load setting
+from 7000 to 12500, which matches the actual hardware configuration.
+
+Fixes: 25a5ccdce767 ("arm64: dts: freescale: Introduce imx8mp-beacon-kit")
+Signed-off-by: Adam Ford <aford173@gmail.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mp-beacon-som.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mp-beacon-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mp-beacon-som.dtsi
+index e5da908047808..24380f8a00850 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mp-beacon-som.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mp-beacon-som.dtsi
+@@ -192,6 +192,7 @@
+ rtc: rtc@51 {
+ compatible = "nxp,pcf85263";
+ reg = <0x51>;
++ quartz-load-femtofarads = <12500>;
+ };
+ };
+
+--
+2.39.5
+
--- /dev/null
+From 954da92b7969adb64c14c0e0928192d671d90f7b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 May 2025 11:32:10 -0400
+Subject: arm64: dts: mediatek: mt6357: Drop regulator-fixed compatibles
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nícolas F. R. A. Prado <nfraprado@collabora.com>
+
+[ Upstream commit d77e89b7b03fb945b4353f2dcc4a70b34baa7bcb ]
+
+Some of the regulators in the MT6357 PMIC dtsi have compatible set to
+regulator-fixed, even though they don't serve any purpose: all those
+regulators are handled as a whole by the mt6357-regulator driver. In
+fact this is the only dtsi in this family of chips where this is the
+case: mt6359 and mt6358 don't have any such compatibles.
+
+A side-effect caused by this is that the DT kselftest, which is supposed
+to identify nodes with compatibles that can be probed, but haven't,
+shows these nodes as failures.
+
+Remove the useless compatibles to move the dtsi in line with the others
+in its family and fix the DT kselftest failures.
+
+Fixes: 55749bb478f8 ("arm64: dts: mediatek: add mt6357 device-tree")
+Signed-off-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
+Link: https://lore.kernel.org/r/20250502-mt6357-regulator-fixed-compatibles-removal-v1-1-a582c16743fe@collabora.com
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/mt6357.dtsi | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt6357.dtsi b/arch/arm64/boot/dts/mediatek/mt6357.dtsi
+index 5fafa842d312f..dca4e5c3d8e21 100644
+--- a/arch/arm64/boot/dts/mediatek/mt6357.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt6357.dtsi
+@@ -60,7 +60,6 @@
+ };
+
+ mt6357_vfe28_reg: ldo-vfe28 {
+- compatible = "regulator-fixed";
+ regulator-name = "vfe28";
+ regulator-min-microvolt = <2800000>;
+ regulator-max-microvolt = <2800000>;
+@@ -75,7 +74,6 @@
+ };
+
+ mt6357_vrf18_reg: ldo-vrf18 {
+- compatible = "regulator-fixed";
+ regulator-name = "vrf18";
+ regulator-min-microvolt = <1800000>;
+ regulator-max-microvolt = <1800000>;
+@@ -83,7 +81,6 @@
+ };
+
+ mt6357_vrf12_reg: ldo-vrf12 {
+- compatible = "regulator-fixed";
+ regulator-name = "vrf12";
+ regulator-min-microvolt = <1200000>;
+ regulator-max-microvolt = <1200000>;
+@@ -112,7 +109,6 @@
+ };
+
+ mt6357_vcn28_reg: ldo-vcn28 {
+- compatible = "regulator-fixed";
+ regulator-name = "vcn28";
+ regulator-min-microvolt = <2800000>;
+ regulator-max-microvolt = <2800000>;
+@@ -120,7 +116,6 @@
+ };
+
+ mt6357_vcn18_reg: ldo-vcn18 {
+- compatible = "regulator-fixed";
+ regulator-name = "vcn18";
+ regulator-min-microvolt = <1800000>;
+ regulator-max-microvolt = <1800000>;
+@@ -142,7 +137,6 @@
+ };
+
+ mt6357_vcamio_reg: ldo-vcamio18 {
+- compatible = "regulator-fixed";
+ regulator-name = "vcamio";
+ regulator-min-microvolt = <1800000>;
+ regulator-max-microvolt = <1800000>;
+@@ -175,7 +169,6 @@
+ };
+
+ mt6357_vaux18_reg: ldo-vaux18 {
+- compatible = "regulator-fixed";
+ regulator-name = "vaux18";
+ regulator-min-microvolt = <1800000>;
+ regulator-max-microvolt = <1800000>;
+@@ -183,7 +176,6 @@
+ };
+
+ mt6357_vaud28_reg: ldo-vaud28 {
+- compatible = "regulator-fixed";
+ regulator-name = "vaud28";
+ regulator-min-microvolt = <2800000>;
+ regulator-max-microvolt = <2800000>;
+@@ -191,7 +183,6 @@
+ };
+
+ mt6357_vio28_reg: ldo-vio28 {
+- compatible = "regulator-fixed";
+ regulator-name = "vio28";
+ regulator-min-microvolt = <2800000>;
+ regulator-max-microvolt = <2800000>;
+@@ -199,7 +190,6 @@
+ };
+
+ mt6357_vio18_reg: ldo-vio18 {
+- compatible = "regulator-fixed";
+ regulator-name = "vio18";
+ regulator-min-microvolt = <1800000>;
+ regulator-max-microvolt = <1800000>;
+--
+2.39.5
+
--- /dev/null
+From b64ee363a23549a41d2e907431d7fc7dec893967 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Apr 2025 11:06:15 +0200
+Subject: arm64: dts: mediatek: mt8195: Reparent vdec1/2 and venc1 power
+ domains
+
+From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+
+[ Upstream commit 394f29033324e2317bfd6a7ed99b9a60832b36a2 ]
+
+By hardware, the first and second core of the video decoder IP
+need the VDEC_SOC to be powered up in order to be able to be
+accessed (both internally, by firmware, and externally, by the
+kernel).
+Similarly, for the video encoder IP, the second core needs the
+first core to be powered up in order to be accessible.
+
+Fix that by reparenting the VDEC1/2 power domains to be children
+of VDEC0 (VDEC_SOC), and the VENC1 to be a child of VENC0.
+
+Fixes: 2b515194bf0c ("arm64: dts: mt8195: Add power domains controller")
+Reviewed-by: Chen-Yu Tsai <wenst@chromium.org>
+Link: https://lore.kernel.org/r/20250402090615.25871-3-angelogioacchino.delregno@collabora.com
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/mt8195.dtsi | 50 +++++++++++++-----------
+ 1 file changed, 27 insertions(+), 23 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt8195.dtsi b/arch/arm64/boot/dts/mediatek/mt8195.dtsi
+index 7ba30209ba9a9..22604d3abde3b 100644
+--- a/arch/arm64/boot/dts/mediatek/mt8195.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt8195.dtsi
+@@ -617,22 +617,6 @@
+ #size-cells = <0>;
+ #power-domain-cells = <1>;
+
+- power-domain@MT8195_POWER_DOMAIN_VDEC1 {
+- reg = <MT8195_POWER_DOMAIN_VDEC1>;
+- clocks = <&vdecsys CLK_VDEC_LARB1>;
+- clock-names = "vdec1-0";
+- mediatek,infracfg = <&infracfg_ao>;
+- #power-domain-cells = <0>;
+- };
+-
+- power-domain@MT8195_POWER_DOMAIN_VENC_CORE1 {
+- reg = <MT8195_POWER_DOMAIN_VENC_CORE1>;
+- clocks = <&vencsys_core1 CLK_VENC_CORE1_LARB>;
+- clock-names = "venc1-larb";
+- mediatek,infracfg = <&infracfg_ao>;
+- #power-domain-cells = <0>;
+- };
+-
+ power-domain@MT8195_POWER_DOMAIN_VDOSYS0 {
+ reg = <MT8195_POWER_DOMAIN_VDOSYS0>;
+ clocks = <&topckgen CLK_TOP_CFG_VDO0>,
+@@ -678,15 +662,25 @@
+ clocks = <&vdecsys_soc CLK_VDEC_SOC_LARB1>;
+ clock-names = "vdec0-0";
+ mediatek,infracfg = <&infracfg_ao>;
++ #address-cells = <1>;
++ #size-cells = <0>;
+ #power-domain-cells = <0>;
+- };
+
+- power-domain@MT8195_POWER_DOMAIN_VDEC2 {
+- reg = <MT8195_POWER_DOMAIN_VDEC2>;
+- clocks = <&vdecsys_core1 CLK_VDEC_CORE1_LARB1>;
+- clock-names = "vdec2-0";
+- mediatek,infracfg = <&infracfg_ao>;
+- #power-domain-cells = <0>;
++ power-domain@MT8195_POWER_DOMAIN_VDEC1 {
++ reg = <MT8195_POWER_DOMAIN_VDEC1>;
++ clocks = <&vdecsys CLK_VDEC_LARB1>;
++ clock-names = "vdec1-0";
++ mediatek,infracfg = <&infracfg_ao>;
++ #power-domain-cells = <0>;
++ };
++
++ power-domain@MT8195_POWER_DOMAIN_VDEC2 {
++ reg = <MT8195_POWER_DOMAIN_VDEC2>;
++ clocks = <&vdecsys_core1 CLK_VDEC_CORE1_LARB1>;
++ clock-names = "vdec2-0";
++ mediatek,infracfg = <&infracfg_ao>;
++ #power-domain-cells = <0>;
++ };
+ };
+
+ power-domain@MT8195_POWER_DOMAIN_VENC {
+@@ -694,7 +688,17 @@
+ clocks = <&vencsys CLK_VENC_LARB>;
+ clock-names = "venc0-larb";
+ mediatek,infracfg = <&infracfg_ao>;
++ #address-cells = <1>;
++ #size-cells = <0>;
+ #power-domain-cells = <0>;
++
++ power-domain@MT8195_POWER_DOMAIN_VENC_CORE1 {
++ reg = <MT8195_POWER_DOMAIN_VENC_CORE1>;
++ clocks = <&vencsys_core1 CLK_VENC_CORE1_LARB>;
++ clock-names = "venc1-larb";
++ mediatek,infracfg = <&infracfg_ao>;
++ #power-domain-cells = <0>;
++ };
+ };
+
+ power-domain@MT8195_POWER_DOMAIN_VDOSYS1 {
+--
+2.39.5
+
--- /dev/null
+From 1ab31b1d60ec6a6fdbc0c2510e3e83bc614939c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 May 2025 15:23:39 +0200
+Subject: arm64: dts: mt6359: Add missing 'compatible' property to regulators
+ node
+
+From: Julien Massot <julien.massot@collabora.com>
+
+[ Upstream commit 1fe38d2a19950fa6dbc384ee8967c057aef9faf4 ]
+
+The 'compatible' property is required by the
+'mfd/mediatek,mt6397.yaml' binding. Add it to fix the following
+dtb-check error:
+mediatek/mt8395-radxa-nio-12l.dtb: pmic: regulators:
+'compatible' is a required property
+
+Fixes: 3b7d143be4b7 ("arm64: dts: mt6359: add PMIC MT6359 related nodes")
+Signed-off-by: Julien Massot <julien.massot@collabora.com>
+Link: https://lore.kernel.org/r/20250505-mt8395-dtb-errors-v1-3-9c4714dcdcdb@collabora.com
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/mt6359.dtsi | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt6359.dtsi b/arch/arm64/boot/dts/mediatek/mt6359.dtsi
+index 8e1b8c85c6ede..57af3e7899841 100644
+--- a/arch/arm64/boot/dts/mediatek/mt6359.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt6359.dtsi
+@@ -18,6 +18,8 @@
+ };
+
+ regulators {
++ compatible = "mediatek,mt6359-regulator";
++
+ mt6359_vs1_buck_reg: buck_vs1 {
+ regulator-name = "vs1";
+ regulator-min-microvolt = <800000>;
+--
+2.39.5
+
--- /dev/null
+From 3da353181dd1cd403eb4e8e8ced1b93e7bcac388 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 May 2025 10:19:58 +0200
+Subject: arm64: dts: mt6359: Rename RTC node to match binding expectations
+
+From: Julien Massot <julien.massot@collabora.com>
+
+[ Upstream commit cfe035d8662cfbd6edff9bd89c4b516bbb34c350 ]
+
+Rename the node 'mt6359rtc' to 'rtc', as required by the binding.
+
+Fix the following dtb-check error:
+
+mediatek/mt8395-radxa-nio-12l.dtb: pmic: 'mt6359rtc' do not match
+any of the regexes: 'pinctrl-[0-9]+'
+
+Fixes: 3b7d143be4b7 ("arm64: dts: mt6359: add PMIC MT6359 related nodes")
+Signed-off-by: Julien Massot <julien.massot@collabora.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/20250514-mt8395-dtb-errors-v2-3-d67b9077c59a@collabora.com
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/mt6359.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt6359.dtsi b/arch/arm64/boot/dts/mediatek/mt6359.dtsi
+index 57af3e7899841..779d6dfb55c00 100644
+--- a/arch/arm64/boot/dts/mediatek/mt6359.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt6359.dtsi
+@@ -298,7 +298,7 @@
+ };
+ };
+
+- mt6359rtc: mt6359rtc {
++ mt6359rtc: rtc {
+ compatible = "mediatek,mt6358-rtc";
+ };
+ };
+--
+2.39.5
+
--- /dev/null
+From 93d1bcd28027ba8d7ece1d7c3b9934580a78bc83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Dec 2024 18:44:02 +0100
+Subject: arm64: dts: qcom: sc8280xp-x13s: Drop duplicate DMIC supplies
+
+From: Stephan Gerhold <stephan.gerhold@linaro.org>
+
+[ Upstream commit a2e617f4e6981aa514a569e927f90b0d39bb31b2 ]
+
+The WCD938x codec provides two controls for each of the MIC_BIASn outputs:
+
+ - "MIC BIASn" enables an internal regulator to generate the output
+ with a configurable voltage (qcom,micbiasN-microvolt).
+
+ - "VA MIC BIASn" enables "pull-up mode" that bypasses the internal
+ regulator and directly outputs fixed 1.8V from the VDD_PX pin.
+ This is intended for low-power VA (voice activation) use cases.
+
+The audio-routing setup for the ThinkPad X13s currently specifies both
+as power supplies for the DMICs, but only one of them can be active
+at the same time. In practice, only the internal regulator is used
+with the current setup because the driver prefers it over pull-up mode.
+
+Make this more clear by dropping the redundant routes to the pull-up
+"VA MIC BIASn" supply. There is no functional difference except that we
+skip briefly switching to pull-up mode when shutting down the microphone.
+
+Fixes: 2e498f35c385 ("arm64: dts: qcom: sc8280xp-x13s: fix va dmic dai links and routing")
+Signed-off-by: Stephan Gerhold <stephan.gerhold@linaro.org>
+Link: https://lore.kernel.org/r/20241203-x1e80100-va-mic-bias-v1-1-0dfd4d9b492c@linaro.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sc8280xp-lenovo-thinkpad-x13s.dts | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sc8280xp-lenovo-thinkpad-x13s.dts b/arch/arm64/boot/dts/qcom/sc8280xp-lenovo-thinkpad-x13s.dts
+index 5c2894fcfa4a0..5498e84bfead0 100644
+--- a/arch/arm64/boot/dts/qcom/sc8280xp-lenovo-thinkpad-x13s.dts
++++ b/arch/arm64/boot/dts/qcom/sc8280xp-lenovo-thinkpad-x13s.dts
+@@ -985,9 +985,6 @@
+ "VA DMIC0", "MIC BIAS1",
+ "VA DMIC1", "MIC BIAS1",
+ "VA DMIC2", "MIC BIAS3",
+- "VA DMIC0", "VA MIC BIAS1",
+- "VA DMIC1", "VA MIC BIAS1",
+- "VA DMIC2", "VA MIC BIAS3",
+ "TX SWR_ADC1", "ADC2_OUTPUT";
+
+ wcd-playback-dai-link {
+--
+2.39.5
+
--- /dev/null
+From 5324974fb82d4e5fb44eda9af464f666a3610ff2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 May 2025 14:51:20 +0300
+Subject: arm64: dts: qcom: sda660-ifc6560: Fix dt-validate warning
+
+From: Alexey Minnekhanov <alexeymin@postmarketos.org>
+
+[ Upstream commit f5110806b41eaa0eb0ab1bf2787876a580c6246c ]
+
+If you remove clocks property, you should remove clock-names, too.
+Fixes warning with dtbs check:
+
+ 'clocks' is a dependency of 'clock-names'
+
+Fixes: 34279d6e3f32c ("arm64: dts: qcom: sdm660: Add initial Inforce IFC6560 board support")
+Signed-off-by: Alexey Minnekhanov <alexeymin@postmarketos.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250504115120.1432282-4-alexeymin@postmarketos.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sda660-inforce-ifc6560.dts | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/qcom/sda660-inforce-ifc6560.dts b/arch/arm64/boot/dts/qcom/sda660-inforce-ifc6560.dts
+index 2ed39d402d3f6..d687cfadee6a1 100644
+--- a/arch/arm64/boot/dts/qcom/sda660-inforce-ifc6560.dts
++++ b/arch/arm64/boot/dts/qcom/sda660-inforce-ifc6560.dts
+@@ -155,6 +155,7 @@
+ * BAM DMA interconnects support is in place.
+ */
+ /delete-property/ clocks;
++ /delete-property/ clock-names;
+ };
+
+ &blsp1_uart2 {
+@@ -167,6 +168,7 @@
+ * BAM DMA interconnects support is in place.
+ */
+ /delete-property/ clocks;
++ /delete-property/ clock-names;
+ };
+
+ &blsp2_uart1 {
+--
+2.39.5
+
--- /dev/null
+From bd22dacffab05ef97524e2270dca7dabbb0d1f32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 May 2025 14:51:19 +0300
+Subject: arm64: dts: qcom: sdm660-lavender: Add missing USB phy supply
+
+From: Alexey Minnekhanov <alexeymin@postmarketos.org>
+
+[ Upstream commit dbf62a117a1b7f605a98dd1fd1fd6c85ec324ea0 ]
+
+Fixes the following dtbs check error:
+
+ phy@c012000: 'vdda-pll-supply' is a required property
+
+Fixes: e5d3e752b050e ("arm64: dts: qcom: sdm660-xiaomi-lavender: Add USB")
+Signed-off-by: Alexey Minnekhanov <alexeymin@postmarketos.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250504115120.1432282-3-alexeymin@postmarketos.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts b/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts
+index ec4245bbfffaf..8221da390e1aa 100644
+--- a/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts
++++ b/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts
+@@ -107,6 +107,7 @@
+ status = "okay";
+
+ vdd-supply = <&vreg_l1b_0p925>;
++ vdda-pll-supply = <&vreg_l10a_1p8>;
+ vdda-phy-dpdm-supply = <&vreg_l7b_3p125>;
+ };
+
+--
+2.39.5
+
--- /dev/null
+From 0cbc3cd69970f07906e1ec0e280a12c2f83406c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Apr 2025 16:01:01 +0300
+Subject: arm64: dts: qcom: sdm660-xiaomi-lavender: Add missing SD card detect
+ GPIO
+
+From: Alexey Minnekhanov <alexeymin@postmarketos.org>
+
+[ Upstream commit 2eca6af66709de0d1ba14cdf8b6d200a1337a3a2 ]
+
+During initial porting these cd-gpios were missed. Having card detect is
+beneficial because driver does not need to do polling every second and it
+can just use IRQ. SD card detection in U-Boot is also fixed by this.
+
+Fixes: cf85e9aee210 ("arm64: dts: qcom: sdm660-xiaomi-lavender: Add eMMC and SD")
+Signed-off-by: Alexey Minnekhanov <alexeymin@postmarketos.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250415130101.1429281-1-alexeymin@postmarketos.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts b/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts
+index 3c47410ba94c0..ec4245bbfffaf 100644
+--- a/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts
++++ b/arch/arm64/boot/dts/qcom/sdm660-xiaomi-lavender.dts
+@@ -404,6 +404,8 @@
+ &sdhc_2 {
+ status = "okay";
+
++ cd-gpios = <&tlmm 54 GPIO_ACTIVE_HIGH>;
++
+ vmmc-supply = <&vreg_l5b_2p95>;
+ vqmmc-supply = <&vreg_l2b_2p95>;
+ };
+--
+2.39.5
+
--- /dev/null
+From 2661207af4f01f2c024d27827b25d5783eb0b39b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Feb 2025 19:38:54 +0300
+Subject: arm64: dts: qcom: sdm845-starqltechn: fix usb regulator mistake
+
+From: Dzmitry Sankouski <dsankouski@gmail.com>
+
+[ Upstream commit 242e4126ee007b95765c21a9d74651fdcf221f2b ]
+
+Usb regulator was wrongly pointed to vreg_l1a_0p875.
+However, on starqltechn it's powered from vreg_l5a_0p8.
+
+Fixes: d711b22eee55 ("arm64: dts: qcom: starqltechn: add initial device tree for starqltechn")
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Signed-off-by: Dzmitry Sankouski <dsankouski@gmail.com>
+Link: https://lore.kernel.org/r/20250225-starqltechn_integration_upstream-v9-3-a5d80375cb66@gmail.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts b/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts
+index 6fc30fd1262b8..f3f2b25883d81 100644
+--- a/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts
++++ b/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts
+@@ -135,8 +135,6 @@
+ vdda_sp_sensor:
+ vdda_ufs1_core:
+ vdda_ufs2_core:
+- vdda_usb1_ss_core:
+- vdda_usb2_ss_core:
+ vreg_l1a_0p875: ldo1 {
+ regulator-min-microvolt = <880000>;
+ regulator-max-microvolt = <880000>;
+@@ -157,6 +155,7 @@
+ regulator-initial-mode = <RPMH_REGULATOR_MODE_HPM>;
+ };
+
++ vdda_usb1_ss_core:
+ vdd_wcss_cx:
+ vdd_wcss_mx:
+ vdda_wcss_pll:
+--
+2.39.5
+
--- /dev/null
+From 00bb1f0b3fe181f8d2cfdc2a71d1d2a5d251323d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Feb 2025 19:38:55 +0300
+Subject: arm64: dts: qcom: sdm845-starqltechn: refactor node order
+
+From: Dzmitry Sankouski <dsankouski@gmail.com>
+
+[ Upstream commit cba1dd3d851ebc1b6c5ae4000208a9753320694b ]
+
+Fixes: d711b22eee55 ("arm64: dts: qcom: starqltechn: add initial device tree for starqltechn")
+Signed-off-by: Dzmitry Sankouski <dsankouski@gmail.com>
+Link: https://lore.kernel.org/r/20250225-starqltechn_integration_upstream-v9-4-a5d80375cb66@gmail.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts b/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts
+index f3f2b25883d81..8a0d63bd594b3 100644
+--- a/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts
++++ b/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts
+@@ -382,8 +382,8 @@
+ };
+
+ &sdhc_2 {
+- pinctrl-names = "default";
+ pinctrl-0 = <&sdc2_clk_state &sdc2_cmd_state &sdc2_data_state &sd_card_det_n_state>;
++ pinctrl-names = "default";
+ cd-gpios = <&tlmm 126 GPIO_ACTIVE_LOW>;
+ vmmc-supply = <&vreg_l21a_2p95>;
+ vqmmc-supply = <&vddpx_2>;
+--
+2.39.5
+
--- /dev/null
+From 4209fd30fbe63122be18dd710f1c0463eb32a6c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Feb 2025 19:38:56 +0300
+Subject: arm64: dts: qcom: sdm845-starqltechn: remove excess reserved gpios
+
+From: Dzmitry Sankouski <dsankouski@gmail.com>
+
+[ Upstream commit fb5fce873b952f8b1c5f7edcabcc8611ef45ea7a ]
+
+Starqltechn has 2 reserved gpio ranges <27 4>, <85 4>.
+<27 4> is spi for eSE(embedded Secure Element).
+<85 4> is spi for fingerprint.
+
+Remove excess reserved gpio regions.
+
+Fixes: d711b22eee55 ("arm64: dts: qcom: starqltechn: add initial device tree for starqltechn")
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Signed-off-by: Dzmitry Sankouski <dsankouski@gmail.com>
+Link: https://lore.kernel.org/r/20250225-starqltechn_integration_upstream-v9-5-a5d80375cb66@gmail.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts b/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts
+index 8a0d63bd594b3..5948b401165ce 100644
+--- a/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts
++++ b/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts
+@@ -418,7 +418,8 @@
+ };
+
+ &tlmm {
+- gpio-reserved-ranges = <0 4>, <27 4>, <81 4>, <85 4>;
++ gpio-reserved-ranges = <27 4>, /* SPI (eSE - embedded Secure Element) */
++ <85 4>; /* SPI (fingerprint reader) */
+
+ sdc2_clk_state: sdc2-clk-state {
+ pins = "sdc2_clk";
+--
+2.39.5
+
--- /dev/null
+From 2f763bc1bb3655f24d1fdca9234bf5ccde848fd8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Feb 2025 19:38:53 +0300
+Subject: arm64: dts: qcom: sdm845-starqltechn: remove wifi
+
+From: Dzmitry Sankouski <dsankouski@gmail.com>
+
+[ Upstream commit 2d3dd4b237638853b8a99353401ab8d88a6afb6c ]
+
+Starqltechn has broadcom chip for wifi, so sdm845 wifi part
+can be disabled.
+
+Fixes: d711b22eee55 ("arm64: dts: qcom: starqltechn: add initial device tree for starqltechn")
+Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Signed-off-by: Dzmitry Sankouski <dsankouski@gmail.com>
+Fixes: d711b22eee55 ("arm64: dts: qcom: starqltechn: add initial device tree for starqltechn")
+Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Link: https://lore.kernel.org/r/20250225-starqltechn_integration_upstream-v9-2-a5d80375cb66@gmail.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts | 8 --------
+ 1 file changed, 8 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts b/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts
+index d37a433130b98..6fc30fd1262b8 100644
+--- a/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts
++++ b/arch/arm64/boot/dts/qcom/sdm845-samsung-starqltechn.dts
+@@ -418,14 +418,6 @@
+ status = "okay";
+ };
+
+-&wifi {
+- vdd-0.8-cx-mx-supply = <&vreg_l5a_0p8>;
+- vdd-1.8-xo-supply = <&vreg_l7a_1p8>;
+- vdd-1.3-rfa-supply = <&vreg_l17a_1p3>;
+- vdd-3.3-ch0-supply = <&vreg_l25a_3p3>;
+- status = "okay";
+-};
+-
+ &tlmm {
+ gpio-reserved-ranges = <0 4>, <27 4>, <81 4>, <85 4>;
+
+--
+2.39.5
+
--- /dev/null
+From d8c4760ba7717367d7a49223ad038c0590ce609f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 8 Mar 2025 18:27:51 +0800
+Subject: arm64: dts: qcom: sm8250: Fix CPU7 opp table
+
+From: Xilin Wu <wuxilin123@gmail.com>
+
+[ Upstream commit 28f997b89967afdc0855d8aa7538b251fb44f654 ]
+
+There is a typo in cpu7_opp9. Fix it to get rid of the following
+errors.
+
+[ 0.198043] cpu cpu7: Voltage update failed freq=1747200
+[ 0.198052] cpu cpu7: failed to update OPP for freq=1747200
+
+Fixes: 8e0e8016cb79 ("arm64: dts: qcom: sm8250: Add CPU opp tables")
+Signed-off-by: Xilin Wu <wuxilin123@gmail.com>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250308-fix-sm8250-cpufreq-v1-1-8a0226721399@gmail.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sm8250.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sm8250.dtsi b/arch/arm64/boot/dts/qcom/sm8250.dtsi
+index 21bbffc4e5a28..c9a7d1b75c658 100644
+--- a/arch/arm64/boot/dts/qcom/sm8250.dtsi
++++ b/arch/arm64/boot/dts/qcom/sm8250.dtsi
+@@ -601,7 +601,7 @@
+ };
+
+ cpu7_opp9: opp-1747200000 {
+- opp-hz = /bits/ 64 <1708800000>;
++ opp-hz = /bits/ 64 <1747200000>;
+ opp-peak-kBps = <5412000 42393600>;
+ };
+
+--
+2.39.5
+
--- /dev/null
+From e93169d3a2ef5ff3cf820526808d146dc36aa0d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Feb 2025 18:03:47 +0100
+Subject: arm64: dts: qcom: sm8350: Reenable crypto & cryptobam
+
+From: Luca Weiss <luca.weiss@fairphone.com>
+
+[ Upstream commit 75eefd474469abf95aa9ef6da8161d69f86b98b4 ]
+
+When num-channels and qcom,num-ees is not provided in devicetree, the
+driver will try to read these values from the registers during probe but
+this fails if the interconnect is not on and then crashes the system.
+
+So we can provide these properties in devicetree (queried after patching
+BAM driver to enable the necessary interconnect) so we can probe
+cryptobam without reading registers and then also use the QCE as
+expected.
+
+Fixes: 4d29db204361 ("arm64: dts: qcom: sm8350: fix BAM DMA crash and reboot")
+Fixes: f1040a7fe8f0 ("arm64: dts: qcom: sm8350: Add Crypto Engine support")
+Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
+Signed-off-by: Stephan Gerhold <stephan.gerhold@linaro.org>
+Link: https://lore.kernel.org/r/20250212-bam-dma-fixes-v1-1-f560889e65d8@linaro.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sm8350.dtsi | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sm8350.dtsi b/arch/arm64/boot/dts/qcom/sm8350.dtsi
+index 5376c0a00fab6..215782b1970df 100644
+--- a/arch/arm64/boot/dts/qcom/sm8350.dtsi
++++ b/arch/arm64/boot/dts/qcom/sm8350.dtsi
+@@ -1754,11 +1754,11 @@
+ interrupts = <GIC_SPI 272 IRQ_TYPE_LEVEL_HIGH>;
+ #dma-cells = <1>;
+ qcom,ee = <0>;
++ qcom,num-ees = <4>;
++ num-channels = <16>;
+ qcom,controlled-remotely;
+ iommus = <&apps_smmu 0x594 0x0011>,
+ <&apps_smmu 0x596 0x0011>;
+- /* FIXME: Probing BAM DMA causes some abort and system hang */
+- status = "fail";
+ };
+
+ crypto: crypto@1dfa000 {
+@@ -1770,8 +1770,6 @@
+ <&apps_smmu 0x596 0x0011>;
+ interconnects = <&aggre2_noc MASTER_CRYPTO 0 &mc_virt SLAVE_EBI1 0>;
+ interconnect-names = "memory";
+- /* FIXME: dependency BAM DMA is disabled */
+- status = "disabled";
+ };
+
+ ipa: ipa@1e40000 {
+--
+2.39.5
+
--- /dev/null
+From 90dc4c14376c4d8fbc0a5b38d32ee2cd7de9bbaf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 May 2025 06:43:24 +0000
+Subject: arm64: dts: renesas: white-hawk-ard-audio: Fix TPU0 groups
+
+From: Thuan Nguyen <thuan.nguyen-hong@banvien.com.vn>
+
+[ Upstream commit 652eea251dd852f02cef6223f367220acb3d1867 ]
+
+White Hawk ARD audio uses a clock generated by the TPU, but commit
+3d144ef10a44 ("pinctrl: renesas: r8a779g0: Fix TPU suffixes") renamed
+pin group "tpu_to0_a" to "tpu_to0_b". Update DTS accordingly otherwise
+the sound driver does not receive a clock signal.
+
+Fixes: 3d144ef10a448f89 ("pinctrl: renesas: r8a779g0: Fix TPU suffixes")
+Signed-off-by: Thuan Nguyen <thuan.nguyen-hong@banvien.com.vn>
+Signed-off-by: Duy Nguyen <duy.nguyen.rh@renesas.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Acked-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Link: https://lore.kernel.org/TYCPR01MB8740608B675365215ADB0374B49CA@TYCPR01MB8740.jpnprd01.prod.outlook.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../boot/dts/renesas/r8a779g0-white-hawk-ard-audio-da7212.dtso | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/renesas/r8a779g0-white-hawk-ard-audio-da7212.dtso b/arch/arm64/boot/dts/renesas/r8a779g0-white-hawk-ard-audio-da7212.dtso
+index e6f53377ecd90..99f62574bc3c2 100644
+--- a/arch/arm64/boot/dts/renesas/r8a779g0-white-hawk-ard-audio-da7212.dtso
++++ b/arch/arm64/boot/dts/renesas/r8a779g0-white-hawk-ard-audio-da7212.dtso
+@@ -108,7 +108,7 @@
+ };
+
+ tpu0_pins: tpu0 {
+- groups = "tpu_to0_a";
++ groups = "tpu_to0_b";
+ function = "tpu";
+ };
+ };
+--
+2.39.5
+
--- /dev/null
+From 8043b61f48ba73285449b6821892ac20189577aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Apr 2025 17:18:10 +0200
+Subject: arm64: dts: rockchip: disable unrouted USB controllers and PHY on
+ RK3399 Puma with Haikou
+
+From: Quentin Schulz <quentin.schulz@cherry.de>
+
+[ Upstream commit febd8c6ab52c683b447fe22fc740918c86feae43 ]
+
+The u2phy0_host port is the part of the USB PHY0 (namely the
+HOST0_DP/DM lanes) which routes directly to the USB2.0 HOST
+controller[1]. The other lanes of the PHY are routed to the USB3.0 OTG
+controller (dwc3), which we do use.
+
+The HOST0_DP/DM lanes aren't routed on RK3399 Puma so let's simply
+disable the USB2.0 controllers.
+
+USB3 OTG has been known to be unstable on RK3399 Puma Haikou for a
+while, one of the recurring issues being that only USB2 is detected and
+not USB3 in host mode. Reading the justification above and seeing that
+we are keeping u2phy0_host in the Haikou carrierboard DTS probably may
+have bothered you since it should be changed to u2phy0_otg. The issue is
+that if it's switched to that, USB OTG on Haikou is entirely broken. I
+have checked the routing in the Gerber file, the lanes are going to the
+expected ball pins (that is, NOT HOST0_DP/DM).
+u2phy0_host is for sure the wrong part of the PHY to use, but it's the
+only one that works at the moment for that board so keep it until we
+figure out what exactly is broken.
+
+No intended functional change.
+
+[1] https://rockchip.fr/Rockchip%20RK3399%20TRM%20V1.3%20Part2.pdf
+ Chapter 2 USB2.0 PHY
+
+Fixes: 2c66fc34e945 ("arm64: dts: rockchip: add RK3399-Q7 (Puma) SoM")
+Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
+Signed-off-by: Lukasz Czechowski <lukasz.czechowski@thaumatec.com>
+Link: https://lore.kernel.org/r/20250425-onboard_usb_dev-v2-5-4a76a474a010@thaumatec.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts | 8 --------
+ 1 file changed, 8 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts b/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts
+index 115c14c0a3c68..396a6636073b5 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts
++++ b/arch/arm64/boot/dts/rockchip/rk3399-puma-haikou.dts
+@@ -251,14 +251,6 @@
+ status = "okay";
+ };
+
+-&usb_host0_ehci {
+- status = "okay";
+-};
+-
+-&usb_host0_ohci {
+- status = "okay";
+-};
+-
+ &vopb {
+ status = "okay";
+ };
+--
+2.39.5
+
--- /dev/null
+From 26d5f51872fd68a3d61141d0bfcefdab393e32d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 May 2025 23:25:28 +0100
+Subject: arm64: dts: rockchip: Update eMMC for NanoPi R5 series
+
+From: Peter Robinson <pbrobinson@gmail.com>
+
+[ Upstream commit 8eca9e979a1efbcc3d090f6eb3f4da621e7c87e0 ]
+
+Add the 3.3v and 1.8v regulators that are connected to
+the eMMC on the R5 series devices, as well as adding the
+eMMC data strobe, and enable eMMC HS200 mode as the
+Foresee FEMDNN0xxG-A3A55 modules support it.
+
+Fixes: c8ec73b05a95d ("arm64: dts: rockchip: create common dtsi for NanoPi R5 series")
+Signed-off-by: Peter Robinson <pbrobinson@gmail.com>
+Reviewed-by: Diederik de Haas <didi.debian@cknow.org>
+Link: https://lore.kernel.org/r/20250506222531.625157-1-pbrobinson@gmail.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3568-nanopi-r5s.dtsi | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3568-nanopi-r5s.dtsi b/arch/arm64/boot/dts/rockchip/rk3568-nanopi-r5s.dtsi
+index 93189f8306400..c30354268c8f5 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3568-nanopi-r5s.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3568-nanopi-r5s.dtsi
+@@ -486,9 +486,12 @@
+ &sdhci {
+ bus-width = <8>;
+ max-frequency = <200000000>;
++ mmc-hs200-1_8v;
+ non-removable;
+ pinctrl-names = "default";
+- pinctrl-0 = <&emmc_bus8 &emmc_clk &emmc_cmd>;
++ pinctrl-0 = <&emmc_bus8 &emmc_clk &emmc_cmd &emmc_datastrobe>;
++ vmmc-supply = <&vcc_3v3>;
++ vqmmc-supply = <&vcc_1v8>;
+ status = "okay";
+ };
+
+--
+2.39.5
+
--- /dev/null
+From fc96ec29ff9b81e80f99bdbb0428bc4d15fcf08d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 May 2025 10:37:01 +0530
+Subject: arm64: dts: ti: k3-j721e-common-proc-board: Enable OSPI1 on J721E
+
+From: Prasanth Babu Mantena <p-mantena@ti.com>
+
+[ Upstream commit 6b8deb2ff0d31848c43a73f6044e69ba9276b3ec ]
+
+J721E SoM has MT25QU512AB Serial NOR flash connected to
+OSPI1 controller. Enable ospi1 node in device tree.
+
+Fixes: 73676c480b72 ("arm64: dts: ti: k3-j721e: Enable OSPI nodes at the board level")
+Signed-off-by: Prasanth Babu Mantena <p-mantena@ti.com>
+Link: https://lore.kernel.org/r/20250507050701.3007209-1-p-mantena@ti.com
+Signed-off-by: Nishanth Menon <nm@ti.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/ti/k3-j721e-common-proc-board.dts | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/boot/dts/ti/k3-j721e-common-proc-board.dts b/arch/arm64/boot/dts/ti/k3-j721e-common-proc-board.dts
+index fe5207ac7d85d..90ae8e948671d 100644
+--- a/arch/arm64/boot/dts/ti/k3-j721e-common-proc-board.dts
++++ b/arch/arm64/boot/dts/ti/k3-j721e-common-proc-board.dts
+@@ -557,6 +557,7 @@
+ &ospi1 {
+ pinctrl-names = "default";
+ pinctrl-0 = <&mcu_fss0_ospi1_pins_default>;
++ status = "okay";
+
+ flash@0 {
+ compatible = "jedec,spi-nor";
+--
+2.39.5
+
--- /dev/null
+From 28941fc0d76b4d35e44693206bb909a443b48202 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Apr 2025 17:39:58 +0100
+Subject: arm64/fpsimd: Avoid RES0 bits in the SME trap handler
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+[ Upstream commit 95507570fb2f75544af69760cd5d8f48fc5c7f20 ]
+
+The SME trap handler consumes RES0 bits from the ESR when determining
+the reason for the trap, and depends upon those bits reading as zero.
+This may break in future when those RES0 bits are allocated a meaning
+and stop reading as zero.
+
+For SME traps taken with ESR_ELx.EC == 0b011101, the specific reason for
+the trap is indicated by ESR_ELx.ISS.SMTC ("SME Trap Code"). This field
+occupies bits [2:0] of ESR_ELx.ISS, and as of ARM DDI 0487 L.a, bits
+[24:3] of ESR_ELx.ISS are RES0. ESR_ELx.ISS itself occupies bits [24:0]
+of ESR_ELx.
+
+Extract the SMTC field specifically, matching the way we handle ESR_ELx
+fields elsewhere, and ensuring that the handler is future-proof.
+
+Fixes: 8bd7f91c03d8 ("arm64/sme: Implement traps and syscall handling for SME")
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Cc: Marc Zyngier <maz@kernel.org>
+Cc: Mark Brown <broonie@kernel.org>
+Cc: Will Deacon <will@kernel.org>
+Reviewed-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20250409164010.3480271-2-mark.rutland@arm.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/esr.h | 14 ++++++++------
+ arch/arm64/kernel/fpsimd.c | 2 +-
+ 2 files changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/arch/arm64/include/asm/esr.h b/arch/arm64/include/asm/esr.h
+index 1cdae1b4f03be..b04575ea3a355 100644
+--- a/arch/arm64/include/asm/esr.h
++++ b/arch/arm64/include/asm/esr.h
+@@ -366,12 +366,14 @@
+ /*
+ * ISS values for SME traps
+ */
+-
+-#define ESR_ELx_SME_ISS_SME_DISABLED 0
+-#define ESR_ELx_SME_ISS_ILL 1
+-#define ESR_ELx_SME_ISS_SM_DISABLED 2
+-#define ESR_ELx_SME_ISS_ZA_DISABLED 3
+-#define ESR_ELx_SME_ISS_ZT_DISABLED 4
++#define ESR_ELx_SME_ISS_SMTC_MASK GENMASK(2, 0)
++#define ESR_ELx_SME_ISS_SMTC(esr) ((esr) & ESR_ELx_SME_ISS_SMTC_MASK)
++
++#define ESR_ELx_SME_ISS_SMTC_SME_DISABLED 0
++#define ESR_ELx_SME_ISS_SMTC_ILL 1
++#define ESR_ELx_SME_ISS_SMTC_SM_DISABLED 2
++#define ESR_ELx_SME_ISS_SMTC_ZA_DISABLED 3
++#define ESR_ELx_SME_ISS_SMTC_ZT_DISABLED 4
+
+ /* ISS field definitions for MOPS exceptions */
+ #define ESR_ELx_MOPS_ISS_MEM_INST (UL(1) << 24)
+diff --git a/arch/arm64/kernel/fpsimd.c b/arch/arm64/kernel/fpsimd.c
+index bd4f6c6ee0f31..9f6ea38f5189f 100644
+--- a/arch/arm64/kernel/fpsimd.c
++++ b/arch/arm64/kernel/fpsimd.c
+@@ -1514,7 +1514,7 @@ void do_sme_acc(unsigned long esr, struct pt_regs *regs)
+ * If this not a trap due to SME being disabled then something
+ * is being used in the wrong mode, report as SIGILL.
+ */
+- if (ESR_ELx_ISS(esr) != ESR_ELx_SME_ISS_SME_DISABLED) {
++ if (ESR_ELx_SME_ISS_SMTC(esr) != ESR_ELx_SME_ISS_SMTC_SME_DISABLED) {
+ force_signal_inject(SIGILL, ILL_ILLOPC, regs->pc, 0);
+ return;
+ }
+--
+2.39.5
+
--- /dev/null
+From 94fb159cfe4a49e22bbba802c7d055659324b8a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Apr 2025 17:40:02 +0100
+Subject: arm64/fpsimd: Discard stale CPU state when handling SME traps
+
+From: Mark Brown <broonie@kernel.org>
+
+[ Upstream commit d3eaab3c70905c5467e5c4ea403053d67505adeb ]
+
+The logic for handling SME traps manipulates saved FPSIMD/SVE/SME state
+incorrectly, and a race with preemption can result in a task having
+TIF_SME set and TIF_FOREIGN_FPSTATE clear even though the live CPU state
+is stale (e.g. with SME traps enabled). This can result in warnings from
+do_sme_acc() where SME traps are not expected while TIF_SME is set:
+
+| /* With TIF_SME userspace shouldn't generate any traps */
+| if (test_and_set_thread_flag(TIF_SME))
+| WARN_ON(1);
+
+This is very similar to the SVE issue we fixed in commit:
+
+ 751ecf6afd6568ad ("arm64/sve: Discard stale CPU state when handling SVE traps")
+
+The race can occur when the SME trap handler is preempted before and
+after manipulating the saved FPSIMD/SVE/SME state, starting and ending on
+the same CPU, e.g.
+
+| void do_sme_acc(unsigned long esr, struct pt_regs *regs)
+| {
+| // Trap on CPU 0 with TIF_SME clear, SME traps enabled
+| // task->fpsimd_cpu is 0.
+| // per_cpu_ptr(&fpsimd_last_state, 0) is task.
+|
+| ...
+|
+| // Preempted; migrated from CPU 0 to CPU 1.
+| // TIF_FOREIGN_FPSTATE is set.
+|
+| get_cpu_fpsimd_context();
+|
+| /* With TIF_SME userspace shouldn't generate any traps */
+| if (test_and_set_thread_flag(TIF_SME))
+| WARN_ON(1);
+|
+| if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) {
+| unsigned long vq_minus_one =
+| sve_vq_from_vl(task_get_sme_vl(current)) - 1;
+| sme_set_vq(vq_minus_one);
+|
+| fpsimd_bind_task_to_cpu();
+| }
+|
+| put_cpu_fpsimd_context();
+|
+| // Preempted; migrated from CPU 1 to CPU 0.
+| // task->fpsimd_cpu is still 0
+| // If per_cpu_ptr(&fpsimd_last_state, 0) is still task then:
+| // - Stale HW state is reused (with SME traps enabled)
+| // - TIF_FOREIGN_FPSTATE is cleared
+| // - A return to userspace skips HW state restore
+| }
+
+Fix the case where the state is not live and TIF_FOREIGN_FPSTATE is set
+by calling fpsimd_flush_task_state() to detach from the saved CPU
+state. This ensures that a subsequent context switch will not reuse the
+stale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the
+new state to be reloaded from memory prior to a return to userspace.
+
+Note: this was originallly posted as [1].
+
+Fixes: 8bd7f91c03d8 ("arm64/sme: Implement traps and syscall handling for SME")
+Reported-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/linux-arm-kernel/20241204-arm64-sme-reenable-v2-1-bae87728251d@kernel.org/
+[ Rutland: rewrite commit message ]
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Cc: Marc Zyngier <maz@kernel.org>
+Cc: Will Deacon <will@kernel.org>
+Link: https://lore.kernel.org/r/20250409164010.3480271-6-mark.rutland@arm.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/fpsimd.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm64/kernel/fpsimd.c b/arch/arm64/kernel/fpsimd.c
+index 9f6ea38f5189f..3d482336c0662 100644
+--- a/arch/arm64/kernel/fpsimd.c
++++ b/arch/arm64/kernel/fpsimd.c
+@@ -1538,6 +1538,8 @@ void do_sme_acc(unsigned long esr, struct pt_regs *regs)
+ sme_set_vq(vq_minus_one);
+
+ fpsimd_bind_task_to_cpu();
++ } else {
++ fpsimd_flush_task_state(current);
+ }
+
+ put_cpu_fpsimd_context();
+--
+2.39.5
+
--- /dev/null
+From 8369d80db25588de3132afca856b9c955230b010 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 May 2025 14:26:21 +0100
+Subject: arm64/fpsimd: Do not discard modified SVE state
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+[ Upstream commit 398edaa12f9cf2be7902f306fc023c20e3ebd3e4 ]
+
+Historically SVE state was discarded deterministically early in the
+syscall entry path, before ptrace is notified of syscall entry. This
+permitted ptrace to modify SVE state before and after the "real" syscall
+logic was executed, with the modified state being retained.
+
+This behaviour was changed by commit:
+
+ 8c845e2731041f0f ("arm64/sve: Leave SVE enabled on syscall if we don't context switch")
+
+That commit was intended to speed up workloads that used SVE by
+opportunistically leaving SVE enabled when returning from a syscall.
+The syscall entry logic was modified to truncate the SVE state without
+disabling userspace access to SVE, and fpsimd_save_user_state() was
+modified to discard userspace SVE state whenever
+in_syscall(current_pt_regs()) is true, i.e. when
+current_pt_regs()->syscallno != NO_SYSCALL.
+
+Leaving SVE enabled opportunistically resulted in a couple of changes to
+userspace visible behaviour which weren't described at the time, but are
+logical consequences of opportunistically leaving SVE enabled:
+
+* Signal handlers can observe the type of saved state in the signal's
+ sve_context record. When the kernel only tracks FPSIMD state, the 'vq'
+ field is 0 and there is no space allocated for register contents. When
+ the kernel tracks SVE state, the 'vq' field is non-zero and the
+ register contents are saved into the record.
+
+ As a result of the above commit, 'vq' (and the presence of SVE
+ register state) is non-deterministically zero or non-zero for a period
+ of time after a syscall. The effective register state is still
+ deterministic.
+
+ Hopefully no-one relies on this being deterministic. In general,
+ handlers for asynchronous events cannot expect a deterministic state.
+
+* Similarly to signal handlers, ptrace requests can observe the type of
+ saved state in the NT_ARM_SVE and NT_ARM_SSVE regsets, as this is
+ exposed in the header flags. As a result of the above commit, this is
+ now in a non-deterministic state after a syscall. The effective
+ register state is still deterministic.
+
+ Hopefully no-one relies on this being deterministic. In general,
+ debuggers would have to handle this changing at arbitrary points
+ during program flow.
+
+Discarding the SVE state within fpsimd_save_user_state() resulted in
+other changes to userspace visible behaviour which are not desirable:
+
+* A ptrace tracer can modify (or create) a tracee's SVE state at syscall
+ entry or syscall exit. As a result of the above commit, the tracee's
+ SVE state can be discarded non-deterministically after modification,
+ rather than being retained as it previously was.
+
+ Note that for co-operative tracer/tracee pairs, the tracer may
+ (re)initialise the tracee's state arbitrarily after the tracee sends
+ itself an initial SIGSTOP via a syscall, so this affects realistic
+ design patterns.
+
+* The current_pt_regs()->syscallno field can be modified via ptrace, and
+ can be altered even when the tracee is not really in a syscall,
+ causing non-deterministic discarding to occur in situations where this
+ was not previously possible.
+
+Further, using current_pt_regs()->syscallno in this way is unsound:
+
+* There are data races between readers and writers of the
+ current_pt_regs()->syscallno field.
+
+ The current_pt_regs()->syscallno field is written in interruptible
+ task context using plain C accesses, and is read in irq/softirq
+ context using plain C accesses. These accesses are subject to data
+ races, with the usual concerns with tearing, etc.
+
+* Writes to current_pt_regs()->syscallno are subject to compiler
+ reordering.
+
+ As current_pt_regs()->syscallno is written with plain C accesses,
+ the compiler is free to move those writes arbitrarily relative to
+ anything which doesn't access the same memory location.
+
+ In theory this could break signal return, where prior to restoring the
+ SVE state, restore_sigframe() calls forget_syscall(). If the write
+ were hoisted after restore of some SVE state, that state could be
+ discarded unexpectedly.
+
+ In practice that reordering cannot happen in the absence of LTO (as
+ cross compilation-unit function calls happen prevent this reordering),
+ and that reordering appears to be unlikely in the presence of LTO.
+
+Additionally, since commit:
+
+ f130ac0ae4412dbe ("arm64: syscall: unmask DAIF earlier for SVCs")
+
+... DAIF is unmasked before el0_svc_common() sets regs->syscallno to the
+real syscall number. Consequently state may be saved in SVE format prior
+to this point.
+
+Considering all of the above, current_pt_regs()->syscallno should not be
+used to infer whether the SVE state can be discarded. Luckily we can
+instead use cpu_fp_state::to_save to track when it is safe to discard
+the SVE state:
+
+* At syscall entry, after the live SVE register state is truncated, set
+ cpu_fp_state::to_save to FP_STATE_FPSIMD to indicate that only the
+ FPSIMD portion is live and needs to be saved.
+
+* At syscall exit, once the task's state is guaranteed to be live, set
+ cpu_fp_state::to_save to FP_STATE_CURRENT to indicate that TIF_SVE
+ must be considered to determine which state needs to be saved.
+
+* Whenever state is modified, it must be saved+flushed prior to
+ manipulation. The state will be truncated if necessary when it is
+ saved, and reloading the state will set fp_state::to_save to
+ FP_STATE_CURRENT, preventing subsequent discarding.
+
+This permits SVE state to be discarded *only* when it is known to have
+been truncated (and the non-FPSIMD portions must be zero), and ensures
+that SVE state is retained after it is explicitly modified.
+
+For backporting, note that this fix depends on the following commits:
+
+* b2482807fbd4 ("arm64/sme: Optimise SME exit on syscall entry")
+* f130ac0ae441 ("arm64: syscall: unmask DAIF earlier for SVCs")
+* 929fa99b1215 ("arm64/fpsimd: signal: Always save+flush state early")
+
+Fixes: 8c845e273104 ("arm64/sve: Leave SVE enabled on syscall if we don't context switch")
+Fixes: f130ac0ae441 ("arm64: syscall: unmask DAIF earlier for SVCs")
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Marc Zyngier <maz@kernel.org>
+Cc: Mark Brown <broonie@kernel.org>
+Cc: Will Deacon <will@kernel.org>
+Link: https://lore.kernel.org/r/20250508132644.1395904-2-mark.rutland@arm.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/fpsimd.h | 3 +++
+ arch/arm64/kernel/entry-common.c | 46 ++++++++++++++++++++++++--------
+ arch/arm64/kernel/fpsimd.c | 15 ++++++-----
+ 3 files changed, 47 insertions(+), 17 deletions(-)
+
+diff --git a/arch/arm64/include/asm/fpsimd.h b/arch/arm64/include/asm/fpsimd.h
+index 7415c63b41874..c4840ea6d137f 100644
+--- a/arch/arm64/include/asm/fpsimd.h
++++ b/arch/arm64/include/asm/fpsimd.h
+@@ -6,6 +6,7 @@
+ #define __ASM_FP_H
+
+ #include <asm/errno.h>
++#include <asm/percpu.h>
+ #include <asm/ptrace.h>
+ #include <asm/processor.h>
+ #include <asm/sigcontext.h>
+@@ -69,6 +70,8 @@ struct cpu_fp_state {
+ enum fp_type to_save;
+ };
+
++DECLARE_PER_CPU(struct cpu_fp_state, fpsimd_last_state);
++
+ extern void fpsimd_bind_state_to_cpu(struct cpu_fp_state *fp_state);
+
+ extern void fpsimd_flush_task_state(struct task_struct *target);
+diff --git a/arch/arm64/kernel/entry-common.c b/arch/arm64/kernel/entry-common.c
+index 0fc94207e69a8..5e8204d250b43 100644
+--- a/arch/arm64/kernel/entry-common.c
++++ b/arch/arm64/kernel/entry-common.c
+@@ -359,20 +359,16 @@ static bool cortex_a76_erratum_1463225_debug_handler(struct pt_regs *regs)
+ * As per the ABI exit SME streaming mode and clear the SVE state not
+ * shared with FPSIMD on syscall entry.
+ */
+-static inline void fp_user_discard(void)
++static inline void fpsimd_syscall_enter(void)
+ {
+- /*
+- * If SME is active then exit streaming mode. If ZA is active
+- * then flush the SVE registers but leave userspace access to
+- * both SVE and SME enabled, otherwise disable SME for the
+- * task and fall through to disabling SVE too. This means
+- * that after a syscall we never have any streaming mode
+- * register state to track, if this changes the KVM code will
+- * need updating.
+- */
++ /* Ensure PSTATE.SM is clear, but leave PSTATE.ZA as-is. */
+ if (system_supports_sme())
+ sme_smstop_sm();
+
++ /*
++ * The CPU is not in streaming mode. If non-streaming SVE is not
++ * supported, there is no SVE state that needs to be discarded.
++ */
+ if (!system_supports_sve())
+ return;
+
+@@ -382,6 +378,33 @@ static inline void fp_user_discard(void)
+ sve_vq_minus_one = sve_vq_from_vl(task_get_sve_vl(current)) - 1;
+ sve_flush_live(true, sve_vq_minus_one);
+ }
++
++ /*
++ * Any live non-FPSIMD SVE state has been zeroed. Allow
++ * fpsimd_save_user_state() to lazily discard SVE state until either
++ * the live state is unbound or fpsimd_syscall_exit() is called.
++ */
++ __this_cpu_write(fpsimd_last_state.to_save, FP_STATE_FPSIMD);
++}
++
++static __always_inline void fpsimd_syscall_exit(void)
++{
++ if (!system_supports_sve())
++ return;
++
++ /*
++ * The current task's user FPSIMD/SVE/SME state is now bound to this
++ * CPU. The fpsimd_last_state.to_save value is either:
++ *
++ * - FP_STATE_FPSIMD, if the state has not been reloaded on this CPU
++ * since fpsimd_syscall_enter().
++ *
++ * - FP_STATE_CURRENT, if the state has been reloaded on this CPU at
++ * any point.
++ *
++ * Reset this to FP_STATE_CURRENT to stop lazy discarding.
++ */
++ __this_cpu_write(fpsimd_last_state.to_save, FP_STATE_CURRENT);
+ }
+
+ UNHANDLED(el1t, 64, sync)
+@@ -673,10 +696,11 @@ static void noinstr el0_svc(struct pt_regs *regs)
+ {
+ enter_from_user_mode(regs);
+ cortex_a76_erratum_1463225_svc_handler();
+- fp_user_discard();
++ fpsimd_syscall_enter();
+ local_daif_restore(DAIF_PROCCTX);
+ do_el0_svc(regs);
+ exit_to_user_mode(regs);
++ fpsimd_syscall_exit();
+ }
+
+ static void noinstr el0_fpac(struct pt_regs *regs, unsigned long esr)
+diff --git a/arch/arm64/kernel/fpsimd.c b/arch/arm64/kernel/fpsimd.c
+index b86a506467007..a1e0cc5353fb1 100644
+--- a/arch/arm64/kernel/fpsimd.c
++++ b/arch/arm64/kernel/fpsimd.c
+@@ -119,7 +119,7 @@
+ * whatever is in the FPSIMD registers is not saved to memory, but discarded.
+ */
+
+-static DEFINE_PER_CPU(struct cpu_fp_state, fpsimd_last_state);
++DEFINE_PER_CPU(struct cpu_fp_state, fpsimd_last_state);
+
+ __ro_after_init struct vl_info vl_info[ARM64_VEC_MAX] = {
+ #ifdef CONFIG_ARM64_SVE
+@@ -473,12 +473,15 @@ static void fpsimd_save(void)
+ return;
+
+ /*
+- * If a task is in a syscall the ABI allows us to only
+- * preserve the state shared with FPSIMD so don't bother
+- * saving the full SVE state in that case.
++ * Save SVE state if it is live.
++ *
++ * The syscall ABI discards live SVE state at syscall entry. When
++ * entering a syscall, fpsimd_syscall_enter() sets to_save to
++ * FP_STATE_FPSIMD to allow the SVE state to be lazily discarded until
++ * either new SVE state is loaded+bound or fpsimd_syscall_exit() is
++ * called prior to a return to userspace.
+ */
+- if ((last->to_save == FP_STATE_CURRENT && test_thread_flag(TIF_SVE) &&
+- !in_syscall(current_pt_regs())) ||
++ if ((last->to_save == FP_STATE_CURRENT && test_thread_flag(TIF_SVE)) ||
+ last->to_save == FP_STATE_SVE) {
+ save_sve_regs = true;
+ save_ffr = true;
+--
+2.39.5
+
--- /dev/null
+From 9173bdcc985829b9561aa8755791b84233ac68cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Apr 2025 17:40:06 +0100
+Subject: arm64/fpsimd: Fix merging of FPSIMD state during signal return
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+[ Upstream commit c94f2f326146a34066a0070ed90b8bc656b1842f ]
+
+For backwards compatibility reasons, when a signal return occurs which
+restores SVE state, the effective lower 128 bits of each of the SVE
+vector registers are restored from the corresponding FPSIMD vector
+register in the FPSIMD signal frame, overriding the values in the SVE
+signal frame. This is intended to be the case regardless of streaming
+mode.
+
+To make this happen, restore_sve_fpsimd_context() uses
+fpsimd_update_current_state() to merge the lower 128 bits from the
+FPSIMD signal frame into the SVE register state. Unfortunately,
+fpsimd_update_current_state() performs this merging dependent upon
+TIF_SVE, which is not always correct for streaming SVE register state:
+
+* When restoring non-streaming SVE register state there is no observable
+ problem, as the signal return code configures TIF_SVE and the saved
+ fp_type to match before calling fpsimd_update_current_state(), which
+ observes either:
+
+ - TIF_SVE set AND fp_type == FP_STATE_SVE
+ - TIF_SVE clear AND fp_type == FP_STATE_FPSIMD
+
+* On systems which have SME but not SVE, TIF_SVE cannot be set. Thus the
+ merging will never happen for the streaming SVE register state.
+
+* On systems which have SVE and SME, TIF_SVE can be set and cleared
+ independently of PSTATE.SM. Thus the merging may or may not happen for
+ streaming SVE register state.
+
+ As TIF_SVE can be cleared non-deterministically during syscalls
+ (including at the start of sigreturn()), the merging may occur
+ non-deterministically from the perspective of userspace.
+
+This logic has been broken since its introduction in commit:
+
+ 85ed24dad2904f7c ("arm64/sme: Implement streaming SVE signal handling")
+
+... at which point both fpsimd_signal_preserve_current_state() and
+fpsimd_update_current_state() only checked TIF SVE. When PSTATE.SM==1
+and TIF_SVE was clear, signal delivery would place stale FPSIMD state
+into the FPSIMD signal frame, and signal return would not merge this
+into the restored register state.
+
+Subsequently, signal delivery was fixed as part of commit:
+
+ 61da7c8e2a602f66 ("arm64/signal: Don't assume that TIF_SVE means we saved SVE state")
+
+... but signal restore was not given a corresponding fix, and when
+TIF_SVE was clear, signal restore would still fail to merge the FPSIMD
+state into the restored SVE register state. The 'Fixes' tag did not
+indicate that this had been broken since its introduction.
+
+Fix this by merging the FPSIMD state dependent upon the saved fp_type,
+matching what we (currently) do during signal delivery.
+
+As described above, when backporting this commit, it will also be
+necessary to backport commit:
+
+ 61da7c8e2a602f66 ("arm64/signal: Don't assume that TIF_SVE means we saved SVE state")
+
+... and prior to commit:
+
+ baa8515281b30861 ("arm64/fpsimd: Track the saved FPSIMD state type separately to TIF_SVE")
+
+... it will be necessary for fpsimd_signal_preserve_current_state() and
+fpsimd_update_current_state() to consider both TIF_SVE and
+thread_sm_enabled(¤t->thread), in place of the saved fp_type.
+
+Fixes: 85ed24dad290 ("arm64/sme: Implement streaming SVE signal handling")
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Cc: Marc Zyngier <maz@kernel.org>
+Cc: Mark Brown <broonie@kernel.org>
+Cc: Will Deacon <will@kernel.org>
+Reviewed-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20250409164010.3480271-10-mark.rutland@arm.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/fpsimd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/kernel/fpsimd.c b/arch/arm64/kernel/fpsimd.c
+index 3d482336c0662..b86a506467007 100644
+--- a/arch/arm64/kernel/fpsimd.c
++++ b/arch/arm64/kernel/fpsimd.c
+@@ -1805,7 +1805,7 @@ void fpsimd_update_current_state(struct user_fpsimd_state const *state)
+ get_cpu_fpsimd_context();
+
+ current->thread.uw.fpsimd_state = *state;
+- if (test_thread_flag(TIF_SVE))
++ if (current->thread.fp_type == FP_STATE_SVE)
+ fpsimd_to_sve(current);
+
+ task_fpsimd_load();
+--
+2.39.5
+
--- /dev/null
+From c458f966fb7a8297c004969eda0e582ec7cd1e47 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Apr 2025 11:47:54 +0000
+Subject: arm64: Support ARM64_VA_BITS=52 when setting ARCH_MMAP_RND_BITS_MAX
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kornel Dulęba <korneld@google.com>
+
+[ Upstream commit f101c56447717c595d803894ba0e215f56c6fba4 ]
+
+When the 52-bit virtual addressing was introduced the select like
+ARCH_MMAP_RND_BITS_MAX logic was never updated to account for it.
+Because of that the rnd max bits knob is set to the default value of 18
+when ARM64_VA_BITS=52.
+Fix this by setting ARCH_MMAP_RND_BITS_MAX to the same value that would
+be used if 48-bit addressing was used. Higher values can't used here
+because 52-bit addressing is used only if the caller provides a hint to
+mmap, with a fallback to 48-bit. The knob in question is an upper bound
+for what the user can set in /proc/sys/vm/mmap_rnd_bits, which in turn
+is used to determine how many random bits can be inserted into the base
+address used for mmap allocations. Since 48-bit allocations are legal
+with ARM64_VA_BITS=52, we need to make sure that the base address is
+small enough to facilitate this.
+
+Fixes: b6d00d47e81a ("arm64: mm: Introduce 52-bit Kernel VAs")
+Signed-off-by: Kornel Dulęba <korneld@google.com>
+Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
+Link: https://lore.kernel.org/r/20250417114754.3238273-1-korneld@google.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/Kconfig | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
+index 658c6a61ab6fb..4ecba0690938c 100644
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -304,9 +304,9 @@ config ARCH_MMAP_RND_BITS_MAX
+ default 24 if ARM64_VA_BITS=39
+ default 27 if ARM64_VA_BITS=42
+ default 30 if ARM64_VA_BITS=47
+- default 29 if ARM64_VA_BITS=48 && ARM64_64K_PAGES
+- default 31 if ARM64_VA_BITS=48 && ARM64_16K_PAGES
+- default 33 if ARM64_VA_BITS=48
++ default 29 if (ARM64_VA_BITS=48 || ARM64_VA_BITS=52) && ARM64_64K_PAGES
++ default 31 if (ARM64_VA_BITS=48 || ARM64_VA_BITS=52) && ARM64_16K_PAGES
++ default 33 if (ARM64_VA_BITS=48 || ARM64_VA_BITS=52)
+ default 14 if ARM64_64K_PAGES
+ default 16 if ARM64_16K_PAGES
+ default 18
+--
+2.39.5
+
--- /dev/null
+From 4b4541179d9e1c5fd786ca0043f5658f35f2602c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Apr 2025 20:51:47 -0500
+Subject: arm64: tegra: Drop remaining serial clock-names and reset-names
+
+From: Aaron Kling <webgeek1234@gmail.com>
+
+[ Upstream commit 4cd763297c2203c6ba587d7d4a9105f96597b998 ]
+
+The referenced commit only removed some of the names, missing all that
+weren't in use at the time. The commit removes the rest.
+
+Fixes: 71de0a054d0e ("arm64: tegra: Drop serial clock-names and reset-names")
+Signed-off-by: Aaron Kling <webgeek1234@gmail.com>
+Link: https://lore.kernel.org/r/20250428-tegra-serial-fixes-v1-1-4f47c5d85bf6@gmail.com
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/nvidia/tegra186.dtsi | 12 ------------
+ arch/arm64/boot/dts/nvidia/tegra194.dtsi | 12 ------------
+ 2 files changed, 24 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/nvidia/tegra186.dtsi b/arch/arm64/boot/dts/nvidia/tegra186.dtsi
+index 2b3bb5d0af17b..f0b7949df92c0 100644
+--- a/arch/arm64/boot/dts/nvidia/tegra186.dtsi
++++ b/arch/arm64/boot/dts/nvidia/tegra186.dtsi
+@@ -621,9 +621,7 @@
+ reg-shift = <2>;
+ interrupts = <GIC_SPI 113 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&bpmp TEGRA186_CLK_UARTB>;
+- clock-names = "serial";
+ resets = <&bpmp TEGRA186_RESET_UARTB>;
+- reset-names = "serial";
+ status = "disabled";
+ };
+
+@@ -633,9 +631,7 @@
+ reg-shift = <2>;
+ interrupts = <GIC_SPI 115 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&bpmp TEGRA186_CLK_UARTD>;
+- clock-names = "serial";
+ resets = <&bpmp TEGRA186_RESET_UARTD>;
+- reset-names = "serial";
+ status = "disabled";
+ };
+
+@@ -645,9 +641,7 @@
+ reg-shift = <2>;
+ interrupts = <GIC_SPI 116 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&bpmp TEGRA186_CLK_UARTE>;
+- clock-names = "serial";
+ resets = <&bpmp TEGRA186_RESET_UARTE>;
+- reset-names = "serial";
+ status = "disabled";
+ };
+
+@@ -657,9 +651,7 @@
+ reg-shift = <2>;
+ interrupts = <GIC_SPI 117 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&bpmp TEGRA186_CLK_UARTF>;
+- clock-names = "serial";
+ resets = <&bpmp TEGRA186_RESET_UARTF>;
+- reset-names = "serial";
+ status = "disabled";
+ };
+
+@@ -1236,9 +1228,7 @@
+ reg-shift = <2>;
+ interrupts = <GIC_SPI 114 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&bpmp TEGRA186_CLK_UARTC>;
+- clock-names = "serial";
+ resets = <&bpmp TEGRA186_RESET_UARTC>;
+- reset-names = "serial";
+ status = "disabled";
+ };
+
+@@ -1248,9 +1238,7 @@
+ reg-shift = <2>;
+ interrupts = <GIC_SPI 118 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&bpmp TEGRA186_CLK_UARTG>;
+- clock-names = "serial";
+ resets = <&bpmp TEGRA186_RESET_UARTG>;
+- reset-names = "serial";
+ status = "disabled";
+ };
+
+diff --git a/arch/arm64/boot/dts/nvidia/tegra194.dtsi b/arch/arm64/boot/dts/nvidia/tegra194.dtsi
+index 33f92b77cd9d9..c369507747851 100644
+--- a/arch/arm64/boot/dts/nvidia/tegra194.dtsi
++++ b/arch/arm64/boot/dts/nvidia/tegra194.dtsi
+@@ -766,9 +766,7 @@
+ reg-shift = <2>;
+ interrupts = <GIC_SPI 115 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&bpmp TEGRA194_CLK_UARTD>;
+- clock-names = "serial";
+ resets = <&bpmp TEGRA194_RESET_UARTD>;
+- reset-names = "serial";
+ status = "disabled";
+ };
+
+@@ -778,9 +776,7 @@
+ reg-shift = <2>;
+ interrupts = <GIC_SPI 116 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&bpmp TEGRA194_CLK_UARTE>;
+- clock-names = "serial";
+ resets = <&bpmp TEGRA194_RESET_UARTE>;
+- reset-names = "serial";
+ status = "disabled";
+ };
+
+@@ -790,9 +786,7 @@
+ reg-shift = <2>;
+ interrupts = <GIC_SPI 117 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&bpmp TEGRA194_CLK_UARTF>;
+- clock-names = "serial";
+ resets = <&bpmp TEGRA194_RESET_UARTF>;
+- reset-names = "serial";
+ status = "disabled";
+ };
+
+@@ -817,9 +811,7 @@
+ reg-shift = <2>;
+ interrupts = <GIC_SPI 207 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&bpmp TEGRA194_CLK_UARTH>;
+- clock-names = "serial";
+ resets = <&bpmp TEGRA194_RESET_UARTH>;
+- reset-names = "serial";
+ status = "disabled";
+ };
+
+@@ -1616,9 +1608,7 @@
+ reg-shift = <2>;
+ interrupts = <GIC_SPI 114 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&bpmp TEGRA194_CLK_UARTC>;
+- clock-names = "serial";
+ resets = <&bpmp TEGRA194_RESET_UARTC>;
+- reset-names = "serial";
+ status = "disabled";
+ };
+
+@@ -1628,9 +1618,7 @@
+ reg-shift = <2>;
+ interrupts = <GIC_SPI 118 IRQ_TYPE_LEVEL_HIGH>;
+ clocks = <&bpmp TEGRA194_CLK_UARTG>;
+- clock-names = "serial";
+ resets = <&bpmp TEGRA194_RESET_UARTG>;
+- reset-names = "serial";
+ status = "disabled";
+ };
+
+--
+2.39.5
+
--- /dev/null
+From f72f37f5d6f14fa8b64fa7e8fe5823889c996ce1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 18 May 2025 20:50:46 +1000
+Subject: ASoC: apple: mca: Constrain channels according to TDM mask
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Martin Povišer <povik+lin@cutebit.org>
+
+[ Upstream commit e717c661e2d1a660e96c40b0fe9933e23a1d7747 ]
+
+We don't (and can't) configure the hardware correctly if the number of
+channels exceeds the weight of the TDM mask. Report that constraint in
+startup of FE.
+
+Fixes: 3df5d0d97289 ("ASoC: apple: mca: Start new platform driver")
+Signed-off-by: Martin Povišer <povik+lin@cutebit.org>
+Signed-off-by: James Calligeros <jcalligeros99@gmail.com>
+Link: https://patch.msgid.link/20250518-mca-fixes-v1-1-ee1015a695f6@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/apple/mca.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+diff --git a/sound/soc/apple/mca.c b/sound/soc/apple/mca.c
+index ce77934f3eef3..0e96caa607fb8 100644
+--- a/sound/soc/apple/mca.c
++++ b/sound/soc/apple/mca.c
+@@ -464,6 +464,28 @@ static int mca_configure_serdes(struct mca_cluster *cl, int serdes_unit,
+ return -EINVAL;
+ }
+
++static int mca_fe_startup(struct snd_pcm_substream *substream,
++ struct snd_soc_dai *dai)
++{
++ struct mca_cluster *cl = mca_dai_to_cluster(dai);
++ unsigned int mask, nchannels;
++
++ if (cl->tdm_slots) {
++ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
++ mask = cl->tdm_tx_mask;
++ else
++ mask = cl->tdm_rx_mask;
++
++ nchannels = hweight32(mask);
++ } else {
++ nchannels = 2;
++ }
++
++ return snd_pcm_hw_constraint_minmax(substream->runtime,
++ SNDRV_PCM_HW_PARAM_CHANNELS,
++ 1, nchannels);
++}
++
+ static int mca_fe_set_tdm_slot(struct snd_soc_dai *dai, unsigned int tx_mask,
+ unsigned int rx_mask, int slots, int slot_width)
+ {
+@@ -680,6 +702,7 @@ static int mca_fe_hw_params(struct snd_pcm_substream *substream,
+ }
+
+ static const struct snd_soc_dai_ops mca_fe_ops = {
++ .startup = mca_fe_startup,
+ .set_fmt = mca_fe_set_fmt,
+ .set_bclk_ratio = mca_set_bclk_ratio,
+ .set_tdm_slot = mca_fe_set_tdm_slot,
+--
+2.39.5
+
--- /dev/null
+From f065851cf99e505fc6569089f127361c4aaee594 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 May 2025 16:10:17 +0200
+Subject: ASoC: codecs: hda: Fix RPM usage count underflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Cezary Rojewski <cezary.rojewski@intel.com>
+
+[ Upstream commit ff0045de4ee0288dec683690f66f2f369b7d3466 ]
+
+RPM manipulation in hda_codec_probe_complete()'s error path is
+superfluous and leads to RPM usage count underflow if the
+build-controls operation fails.
+
+hda_codec_probe_complete() is called in:
+
+1) hda_codec_probe() for all non-HDMI codecs
+2) in card->late_probe() for HDMI codecs
+
+Error path for hda_codec_probe() takes care of bus' RPM already.
+For 2) if late_probe() fails, ASoC performs card cleanup what
+triggers hda_codec_remote() - same treatment is in 1).
+
+Fixes: b5df2a7dca1c ("ASoC: codecs: Add HD-Audio codec driver")
+Reviewed-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
+Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Link: https://patch.msgid.link/20250530141025.2942936-2-cezary.rojewski@intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/hda.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/hda.c b/sound/soc/codecs/hda.c
+index d57b043d6bfef..42aca0a63c441 100644
+--- a/sound/soc/codecs/hda.c
++++ b/sound/soc/codecs/hda.c
+@@ -150,7 +150,7 @@ int hda_codec_probe_complete(struct hda_codec *codec)
+ ret = snd_hda_codec_build_controls(codec);
+ if (ret < 0) {
+ dev_err(&hdev->dev, "unable to create controls %d\n", ret);
+- goto out;
++ return ret;
+ }
+
+ /* Bus suspended codecs as it does not manage their pm */
+@@ -158,7 +158,7 @@ int hda_codec_probe_complete(struct hda_codec *codec)
+ /* rpm was forbidden in snd_hda_codec_device_new() */
+ snd_hda_codec_set_power_save(codec, 2000);
+ snd_hda_codec_register(codec);
+-out:
++
+ /* Complement pm_runtime_get_sync(bus) in probe */
+ pm_runtime_mark_last_busy(bus->dev);
+ pm_runtime_put_autosuspend(bus->dev);
+--
+2.39.5
+
--- /dev/null
+From e75c29db729d47e0dfda83d5c8a57d8b694b851e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 May 2025 16:10:18 +0200
+Subject: ASoC: Intel: avs: Fix deadlock when the failing IPC is SET_D0IX
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Cezary Rojewski <cezary.rojewski@intel.com>
+
+[ Upstream commit 9ad1f3cd0d60444c69948854c7e50d2a61b63755 ]
+
+The procedure handling IPC timeouts and EXCEPTION_CAUGHT notification
+shall cancel any D0IX work before proceeding with DSP recovery. If
+SET_D0IX called from delayed_work is the failing IPC the procedure will
+deadlock. Conditionally skip cancelling the work to fix that.
+
+Fixes: 335c4cbd201d ("ASoC: Intel: avs: D0ix power state support")
+Reviewed-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
+Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Link: https://patch.msgid.link/20250530141025.2942936-3-cezary.rojewski@intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/avs/ipc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/intel/avs/ipc.c b/sound/soc/intel/avs/ipc.c
+index 74f676fdfba29..afd472906ede4 100644
+--- a/sound/soc/intel/avs/ipc.c
++++ b/sound/soc/intel/avs/ipc.c
+@@ -169,7 +169,9 @@ static void avs_dsp_exception_caught(struct avs_dev *adev, union avs_notify_msg
+
+ dev_crit(adev->dev, "communication severed, rebooting dsp..\n");
+
+- cancel_delayed_work_sync(&ipc->d0ix_work);
++ /* Avoid deadlock as the exception may be the response to SET_D0IX. */
++ if (current_work() != &ipc->d0ix_work.work)
++ cancel_delayed_work_sync(&ipc->d0ix_work);
+ ipc->in_d0ix = false;
+ /* Re-enabled on recovery completion. */
+ pm_runtime_disable(adev->dev);
+--
+2.39.5
+
--- /dev/null
+From 6b24aad4913f19d987db0d3553bb92b4dbc1767b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 May 2025 16:10:23 +0200
+Subject: ASoC: Intel: avs: Verify content returned by parse_int_array()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Cezary Rojewski <cezary.rojewski@intel.com>
+
+[ Upstream commit 93e246b6769bdacb09cfff4ea0f00fe5ab4f0d7a ]
+
+The first element of the returned array stores its length. If it is 0,
+any manipulation beyond the element at index 0 ends with null-ptr-deref.
+
+Fixes: 5a565ba23abe ("ASoC: Intel: avs: Probing and firmware tracing over debugfs")
+Reviewed-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
+Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Link: https://patch.msgid.link/20250530141025.2942936-8-cezary.rojewski@intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/avs/debugfs.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/intel/avs/debugfs.c b/sound/soc/intel/avs/debugfs.c
+index bdd388ec01eaf..26d0c3a5a9542 100644
+--- a/sound/soc/intel/avs/debugfs.c
++++ b/sound/soc/intel/avs/debugfs.c
+@@ -371,7 +371,10 @@ static ssize_t trace_control_write(struct file *file, const char __user *from, s
+ return ret;
+
+ num_elems = *array;
+- resource_mask = array[1];
++ if (!num_elems) {
++ ret = -EINVAL;
++ goto free_array;
++ }
+
+ /*
+ * Disable if just resource mask is provided - no log priority flags.
+@@ -379,6 +382,7 @@ static ssize_t trace_control_write(struct file *file, const char __user *from, s
+ * Enable input format: mask, prio1, .., prioN
+ * Where 'N' equals number of bits set in the 'mask'.
+ */
++ resource_mask = array[1];
+ if (num_elems == 1) {
+ ret = disable_logs(adev, resource_mask);
+ } else {
+--
+2.39.5
+
--- /dev/null
+From 05a4b7b0af433ade2352dbf68366b78b911c753d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Apr 2025 23:25:12 -0700
+Subject: ASoC: SOF: ipc4-pcm: Adjust pipeline_list->pipelines allocation type
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit 00a371adbbfb46db561db85a9d7b53b2363880a1 ]
+
+In preparation for making the kmalloc family of allocators type aware,
+we need to make sure that the returned type from the allocation matches
+the type of the variable being assigned. (Before, the allocator would
+always return "void *", which can be implicitly cast to any pointer type.)
+
+The assigned type is "struct snd_sof_pipeline **", but the returned type
+will be "struct snd_sof_widget **". These are the same size allocation
+(pointer size) but the types don't match. Adjust the allocation type to
+match the assignment.
+
+Signed-off-by: Kees Cook <kees@kernel.org>
+Fixes: 9c04363d222b ("ASoC: SOF: Introduce struct snd_sof_pipeline")
+Acked-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Link: https://patch.msgid.link/20250426062511.work.859-kees@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sof/ipc4-pcm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/sof/ipc4-pcm.c b/sound/soc/sof/ipc4-pcm.c
+index bb5df0d214e36..a29632423ccda 100644
+--- a/sound/soc/sof/ipc4-pcm.c
++++ b/sound/soc/sof/ipc4-pcm.c
+@@ -615,7 +615,8 @@ static int sof_ipc4_pcm_setup(struct snd_sof_dev *sdev, struct snd_sof_pcm *spcm
+
+ /* allocate memory for max number of pipeline IDs */
+ pipeline_list->pipelines = kcalloc(ipc4_data->max_num_pipelines,
+- sizeof(struct snd_sof_widget *), GFP_KERNEL);
++ sizeof(*pipeline_list->pipelines),
++ GFP_KERNEL);
+ if (!pipeline_list->pipelines) {
+ sof_ipc4_pcm_free(sdev, spcm);
+ return -ENOMEM;
+--
+2.39.5
+
--- /dev/null
+From 68d3fa81b9aefbb42961157ecfd1cf8c6ce16077 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Apr 2025 09:15:08 +1000
+Subject: ASoC: tas2764: Enable main IRQs
+
+From: Hector Martin <marcan@marcan.st>
+
+[ Upstream commit dd50f0e38563f15819059c923bf142200453e003 ]
+
+IRQ handling was added in commit dae191fb957f ("ASoC: tas2764: Add IRQ
+handling") however that same commit masks all interrupts coming from
+the chip. Unmask the "main" interrupts so that we can see and
+deal with a number of errors including clock, voltage, and current.
+
+Fixes: dae191fb957f ("ASoC: tas2764: Add IRQ handling")
+Reviewed-by: Neal Gompa <neal@gompa.dev>
+Signed-off-by: Hector Martin <marcan@marcan.st>
+Signed-off-by: James Calligeros <jcalligeros99@gmail.com>
+Link: https://patch.msgid.link/20250406-apple-codec-changes-v5-4-50a00ec850a3@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/tas2764.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/tas2764.c b/sound/soc/codecs/tas2764.c
+index 72d6356b89814..054c6f860675a 100644
+--- a/sound/soc/codecs/tas2764.c
++++ b/sound/soc/codecs/tas2764.c
+@@ -542,7 +542,7 @@ static int tas2764_codec_probe(struct snd_soc_component *component)
+ tas2764_reset(tas2764);
+
+ if (tas2764->irq) {
+- ret = snd_soc_component_write(tas2764->component, TAS2764_INT_MASK0, 0xff);
++ ret = snd_soc_component_write(tas2764->component, TAS2764_INT_MASK0, 0x00);
+ if (ret < 0)
+ return ret;
+
+--
+2.39.5
+
--- /dev/null
+From 008bfb26d51a9e9901f78d3937c394bfb37ce209 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 31 May 2025 23:13:41 +0900
+Subject: ASoC: ti: omap-hdmi: Re-add dai_link->platform to fix card init
+
+From: Yuuki NAGAO <wf.yn386@gmail.com>
+
+[ Upstream commit bae071aa7bcd034054cec91666c80f812adeccd9 ]
+
+The removed dai_link->platform component cause a fail which
+is exposed at runtime. (ex: when a sound tool is used)
+This patch re-adds the dai_link->platform component to have
+a full card registered.
+
+Before this patch:
+$ aplay -l
+**** List of PLAYBACK Hardware Devices ****
+card 1: HDMI [HDMI], device 0: HDMI snd-soc-dummy-dai-0 []
+ Subdevices: 1/1
+ Subdevice #0: subdevice #0
+
+$ speaker-test -D plughw:1,0 -t sine
+speaker-test 1.2.8
+Playback device is plughw:1,0
+Stream parameters are 48000Hz, S16_LE, 1 channels
+Sine wave rate is 440.0000Hz
+Playback open error: -22,Invalid argument
+
+After this patch which restores the platform component:
+$ aplay -l
+**** List of PLAYBACK Hardware Devices ****
+card 0: HDMI [HDMI], device 0: HDMI snd-soc-dummy-dai-0 [HDMI snd-soc-dummy-dai-0]
+ Subdevices: 0/1
+ Subdevice #0: subdevice #0
+
+-> Resolve the playback error.
+
+Fixes: 3b0db249cf8f ("ASoC: ti: remove unnecessary dai_link->platform")
+
+Signed-off-by: Yuuki NAGAO <wf.yn386@gmail.com>
+Link: https://patch.msgid.link/20250531141341.81164-1-wf.yn386@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/ti/omap-hdmi.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/ti/omap-hdmi.c b/sound/soc/ti/omap-hdmi.c
+index 0a731b21e5a58..72fabf22a02ee 100644
+--- a/sound/soc/ti/omap-hdmi.c
++++ b/sound/soc/ti/omap-hdmi.c
+@@ -361,17 +361,20 @@ static int omap_hdmi_audio_probe(struct platform_device *pdev)
+ if (!card->dai_link)
+ return -ENOMEM;
+
+- compnent = devm_kzalloc(dev, sizeof(*compnent), GFP_KERNEL);
++ compnent = devm_kzalloc(dev, 2 * sizeof(*compnent), GFP_KERNEL);
+ if (!compnent)
+ return -ENOMEM;
+- card->dai_link->cpus = compnent;
++ card->dai_link->cpus = &compnent[0];
+ card->dai_link->num_cpus = 1;
+ card->dai_link->codecs = &asoc_dummy_dlc;
+ card->dai_link->num_codecs = 1;
++ card->dai_link->platforms = &compnent[1];
++ card->dai_link->num_platforms = 1;
+
+ card->dai_link->name = card->name;
+ card->dai_link->stream_name = card->name;
+ card->dai_link->cpus->dai_name = dev_name(ad->dssdev);
++ card->dai_link->platforms->name = dev_name(ad->dssdev);
+ card->num_links = 1;
+ card->dev = dev;
+
+--
+2.39.5
+
--- /dev/null
+From e891a1c6fd3fe4cf873c277d76423c6d4a8d8b1f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Apr 2025 17:16:47 +0800
+Subject: backlight: pm8941: Add NULL check in wled_configure()
+
+From: Henry Martin <bsdhenrymartin@gmail.com>
+
+[ Upstream commit e12d3e1624a02706cdd3628bbf5668827214fa33 ]
+
+devm_kasprintf() returns NULL when memory allocation fails. Currently,
+wled_configure() does not check for this case, which results in a NULL
+pointer dereference.
+
+Add NULL check after devm_kasprintf() to prevent this issue.
+
+Fixes: f86b77583d88 ("backlight: pm8941: Convert to using %pOFn instead of device_node.name")
+Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Reviewed-by: "Daniel Thompson (RISCstar)" <danielt@kernel.org>
+Link: https://lore.kernel.org/r/20250401091647.22784-1-bsdhenrymartin@gmail.com
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/backlight/qcom-wled.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/video/backlight/qcom-wled.c b/drivers/video/backlight/qcom-wled.c
+index 10129095a4c17..b19e5f73de8bb 100644
+--- a/drivers/video/backlight/qcom-wled.c
++++ b/drivers/video/backlight/qcom-wled.c
+@@ -1406,9 +1406,11 @@ static int wled_configure(struct wled *wled)
+ wled->ctrl_addr = be32_to_cpu(*prop_addr);
+
+ rc = of_property_read_string(dev->of_node, "label", &wled->name);
+- if (rc)
++ if (rc) {
+ wled->name = devm_kasprintf(dev, GFP_KERNEL, "%pOFn", dev->of_node);
+-
++ if (!wled->name)
++ return -ENOMEM;
++ }
+ switch (wled->version) {
+ case 3:
+ u32_opts = wled3_opts;
+--
+2.39.5
+
--- /dev/null
+From 3f28339c9c7c431654068ddcd063034c42992784 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 May 2025 14:53:11 -0400
+Subject: Bluetooth: L2CAP: Fix not responding with L2CAP_CR_LE_ENCRYPTION
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 03dba9cea72f977e873e4e60e220fa596959dd8f ]
+
+Depending on the security set the response to L2CAP_LE_CONN_REQ shall be
+just L2CAP_CR_LE_ENCRYPTION if only encryption when BT_SECURITY_MEDIUM
+is selected since that means security mode 2 which doesn't require
+authentication which is something that is covered in the qualification
+test L2CAP/LE/CFC/BV-25-C.
+
+Link: https://github.com/bluez/bluez/issues/1270
+Fixes: 27e2d4c8d28b ("Bluetooth: Add basic LE L2CAP connect request receiving support")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 1c54e812ef1f7..2744ad11687c6 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -4833,7 +4833,8 @@ static int l2cap_le_connect_req(struct l2cap_conn *conn,
+
+ if (!smp_sufficient_security(conn->hcon, pchan->sec_level,
+ SMP_ALLOW_STK)) {
+- result = L2CAP_CR_LE_AUTHENTICATION;
++ result = pchan->sec_level == BT_SECURITY_MEDIUM ?
++ L2CAP_CR_LE_ENCRYPTION : L2CAP_CR_LE_AUTHENTICATION;
+ chan = NULL;
+ goto response_unlock;
+ }
+--
+2.39.5
+
--- /dev/null
+From 9d746ba79f12c51120aa5f633572a4eaec17e3c8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 May 2025 11:42:30 +0300
+Subject: Bluetooth: MGMT: iterate over mesh commands in mgmt_mesh_foreach()
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit 3bb88524b7d030160bb3c9b35f928b2778092111 ]
+
+In 'mgmt_mesh_foreach()', iterate over mesh commands
+rather than generic mgmt ones. Compile tested only.
+
+Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh")
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/mgmt_util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/mgmt_util.c b/net/bluetooth/mgmt_util.c
+index 0115f783bde80..17e32605d9b00 100644
+--- a/net/bluetooth/mgmt_util.c
++++ b/net/bluetooth/mgmt_util.c
+@@ -321,7 +321,7 @@ void mgmt_mesh_foreach(struct hci_dev *hdev,
+ {
+ struct mgmt_mesh_tx *mesh_tx, *tmp;
+
+- list_for_each_entry_safe(mesh_tx, tmp, &hdev->mgmt_pending, list) {
++ list_for_each_entry_safe(mesh_tx, tmp, &hdev->mesh_pending, list) {
+ if (!sk || mesh_tx->sk == sk)
+ cb(mesh_tx, data);
+ }
+--
+2.39.5
+
--- /dev/null
+From d97c3fc7a44cdc5b715247355c57e3b22eb48c5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Apr 2025 04:22:38 +0000
+Subject: bonding: assign random address if device address is same as bond
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 5c3bf6cba7911f470afd748606be5c03a9512fcc ]
+
+This change addresses a MAC address conflict issue in failover scenarios,
+similar to the problem described in commit a951bc1e6ba5 ("bonding: correct
+the MAC address for 'follow' fail_over_mac policy").
+
+In fail_over_mac=follow mode, the bonding driver expects the formerly active
+slave to swap MAC addresses with the newly active slave during failover.
+However, under certain conditions, two slaves may end up with the same MAC
+address, which breaks this policy:
+
+1) ip link set eth0 master bond0
+ -> bond0 adopts eth0's MAC address (MAC0).
+
+2) ip link set eth1 master bond0
+ -> eth1 is added as a backup with its own MAC (MAC1).
+
+3) ip link set eth0 nomaster
+ -> eth0 is released and restores its MAC (MAC0).
+ -> eth1 becomes the active slave, and bond0 assigns MAC0 to eth1.
+
+4) ip link set eth0 master bond0
+ -> eth0 is re-added to bond0, now both eth0 and eth1 have MAC0.
+
+This results in a MAC address conflict and violates the expected behavior
+of the failover policy.
+
+To fix this, we assign a random MAC address to any newly added slave if
+its current MAC address matches that of the bond. The original (permanent)
+MAC address is saved and will be restored when the device is released
+from the bond.
+
+This ensures that each slave has a unique MAC address during failover
+transitions, preserving the integrity of the fail_over_mac=follow policy.
+
+Fixes: 3915c1e8634a ("bonding: Add "follow" option to fail_over_mac")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Acked-by: Jay Vosburgh <jv@jvosburgh.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 25 ++++++++++++++++++-------
+ 1 file changed, 18 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index 56c241246d1af..85ab692571627 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -2040,15 +2040,26 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev,
+ * set the master's mac address to that of the first slave
+ */
+ memcpy(ss.__data, bond_dev->dev_addr, bond_dev->addr_len);
+- ss.ss_family = slave_dev->type;
+- res = dev_set_mac_address(slave_dev, (struct sockaddr *)&ss,
+- extack);
+- if (res) {
+- slave_err(bond_dev, slave_dev, "Error %d calling set_mac_address\n", res);
+- goto err_restore_mtu;
+- }
++ } else if (bond->params.fail_over_mac == BOND_FOM_FOLLOW &&
++ BOND_MODE(bond) == BOND_MODE_ACTIVEBACKUP &&
++ memcmp(slave_dev->dev_addr, bond_dev->dev_addr, bond_dev->addr_len) == 0) {
++ /* Set slave to random address to avoid duplicate mac
++ * address in later fail over.
++ */
++ eth_random_addr(ss.__data);
++ } else {
++ goto skip_mac_set;
+ }
+
++ ss.ss_family = slave_dev->type;
++ res = dev_set_mac_address(slave_dev, (struct sockaddr *)&ss, extack);
++ if (res) {
++ slave_err(bond_dev, slave_dev, "Error %d calling set_mac_address\n", res);
++ goto err_restore_mtu;
++ }
++
++skip_mac_set:
++
+ /* set no_addrconf flag before open to prevent IPv6 addrconf */
+ slave_dev->priv_flags |= IFF_NO_ADDRCONF;
+
+--
+2.39.5
+
--- /dev/null
+From 816cfd84f16d0288063f93e01c5a1fb7000029ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Apr 2025 17:44:02 +0200
+Subject: bpf: Allow XDP dev-bound programs to perform XDP_REDIRECT into maps
+
+From: Lorenzo Bianconi <lorenzo@kernel.org>
+
+[ Upstream commit 714070c4cb7a10ff57450a618a936775f3036245 ]
+
+In the current implementation if the program is dev-bound to a specific
+device, it will not be possible to perform XDP_REDIRECT into a DEVMAP
+or CPUMAP even if the program is running in the driver NAPI context and
+it is not attached to any map entry. This seems in contrast with the
+explanation available in bpf_prog_map_compatible routine.
+Fix the issue introducing __bpf_prog_map_compatible utility routine in
+order to avoid bpf_prog_is_dev_bound() check running bpf_check_tail_call()
+at program load time (bpf_prog_select_runtime()).
+Continue forbidding to attach a dev-bound program to XDP maps
+(BPF_MAP_TYPE_PROG_ARRAY, BPF_MAP_TYPE_DEVMAP and BPF_MAP_TYPE_CPUMAP).
+
+Fixes: 3d76a4d3d4e59 ("bpf: XDP metadata RX kfuncs")
+Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Acked-by: Stanislav Fomichev <sdf@fomichev.me>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/core.c | 27 ++++++++++++++++-----------
+ 1 file changed, 16 insertions(+), 11 deletions(-)
+
+diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
+index 81fd1bb994164..3f140b7527cfc 100644
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -2258,8 +2258,8 @@ static unsigned int __bpf_prog_ret0_warn(const void *ctx,
+ }
+ #endif
+
+-bool bpf_prog_map_compatible(struct bpf_map *map,
+- const struct bpf_prog *fp)
++static bool __bpf_prog_map_compatible(struct bpf_map *map,
++ const struct bpf_prog *fp)
+ {
+ enum bpf_prog_type prog_type = resolve_prog_type(fp);
+ bool ret;
+@@ -2268,14 +2268,6 @@ bool bpf_prog_map_compatible(struct bpf_map *map,
+ if (fp->kprobe_override)
+ return false;
+
+- /* XDP programs inserted into maps are not guaranteed to run on
+- * a particular netdev (and can run outside driver context entirely
+- * in the case of devmap and cpumap). Until device checks
+- * are implemented, prohibit adding dev-bound programs to program maps.
+- */
+- if (bpf_prog_is_dev_bound(aux))
+- return false;
+-
+ spin_lock(&map->owner.lock);
+ if (!map->owner.type) {
+ /* There's no owner yet where we could check for
+@@ -2309,6 +2301,19 @@ bool bpf_prog_map_compatible(struct bpf_map *map,
+ return ret;
+ }
+
++bool bpf_prog_map_compatible(struct bpf_map *map, const struct bpf_prog *fp)
++{
++ /* XDP programs inserted into maps are not guaranteed to run on
++ * a particular netdev (and can run outside driver context entirely
++ * in the case of devmap and cpumap). Until device checks
++ * are implemented, prohibit adding dev-bound programs to program maps.
++ */
++ if (bpf_prog_is_dev_bound(fp->aux))
++ return false;
++
++ return __bpf_prog_map_compatible(map, fp);
++}
++
+ static int bpf_check_tail_call(const struct bpf_prog *fp)
+ {
+ struct bpf_prog_aux *aux = fp->aux;
+@@ -2321,7 +2326,7 @@ static int bpf_check_tail_call(const struct bpf_prog *fp)
+ if (!map_type_contains_progs(map))
+ continue;
+
+- if (!bpf_prog_map_compatible(map, fp)) {
++ if (!__bpf_prog_map_compatible(map, fp)) {
+ ret = -EINVAL;
+ goto out;
+ }
+--
+2.39.5
+
--- /dev/null
+From 78567cc32b5d4752312dfc26915f820c751695fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 May 2025 21:33:58 +0800
+Subject: bpf: Avoid __bpf_prog_ret0_warn when jit fails
+
+From: KaFai Wan <mannkafai@gmail.com>
+
+[ Upstream commit 86bc9c742426a16b52a10ef61f5b721aecca2344 ]
+
+syzkaller reported an issue:
+
+WARNING: CPU: 3 PID: 217 at kernel/bpf/core.c:2357 __bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357
+Modules linked in:
+CPU: 3 UID: 0 PID: 217 Comm: kworker/u32:6 Not tainted 6.15.0-rc4-syzkaller-00040-g8bac8898fe39
+RIP: 0010:__bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357
+Call Trace:
+ <TASK>
+ bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline]
+ __bpf_prog_run include/linux/filter.h:718 [inline]
+ bpf_prog_run include/linux/filter.h:725 [inline]
+ cls_bpf_classify+0x74a/0x1110 net/sched/cls_bpf.c:105
+ ...
+
+When creating bpf program, 'fp->jit_requested' depends on bpf_jit_enable.
+This issue is triggered because of CONFIG_BPF_JIT_ALWAYS_ON is not set
+and bpf_jit_enable is set to 1, causing the arch to attempt JIT the prog,
+but jit failed due to FAULT_INJECTION. As a result, incorrectly
+treats the program as valid, when the program runs it calls
+`__bpf_prog_ret0_warn` and triggers the WARN_ON_ONCE(1).
+
+Reported-by: syzbot+0903f6d7f285e41cdf10@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/bpf/6816e34e.a70a0220.254cdc.002c.GAE@google.com
+Fixes: fa9dd599b4da ("bpf: get rid of pure_initcall dependency to enable jits")
+Signed-off-by: KaFai Wan <mannkafai@gmail.com>
+Link: https://lore.kernel.org/r/20250526133358.2594176-1-mannkafai@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
+index 3f140b7527cfc..5eaaf95048abc 100644
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -2364,7 +2364,7 @@ struct bpf_prog *bpf_prog_select_runtime(struct bpf_prog *fp, int *err)
+ /* In case of BPF to BPF calls, verifier did all the prep
+ * work with regards to JITing, etc.
+ */
+- bool jit_needed = false;
++ bool jit_needed = fp->jit_requested;
+
+ if (fp->bpf_func)
+ goto finalize;
+--
+2.39.5
+
--- /dev/null
+From 705f2540a44049354971b3e44fe612ad9990e46b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Feb 2025 13:20:14 +0800
+Subject: bpf: fix ktls panic with sockmap
+
+From: Jiayuan Chen <jiayuan.chen@linux.dev>
+
+[ Upstream commit 54a3ecaeeeae8176da8badbd7d72af1017032c39 ]
+
+[ 2172.936997] ------------[ cut here ]------------
+[ 2172.936999] kernel BUG at lib/iov_iter.c:629!
+......
+[ 2172.944996] PKRU: 55555554
+[ 2172.945155] Call Trace:
+[ 2172.945299] <TASK>
+[ 2172.945428] ? die+0x36/0x90
+[ 2172.945601] ? do_trap+0xdd/0x100
+[ 2172.945795] ? iov_iter_revert+0x178/0x180
+[ 2172.946031] ? iov_iter_revert+0x178/0x180
+[ 2172.946267] ? do_error_trap+0x7d/0x110
+[ 2172.946499] ? iov_iter_revert+0x178/0x180
+[ 2172.946736] ? exc_invalid_op+0x50/0x70
+[ 2172.946961] ? iov_iter_revert+0x178/0x180
+[ 2172.947197] ? asm_exc_invalid_op+0x1a/0x20
+[ 2172.947446] ? iov_iter_revert+0x178/0x180
+[ 2172.947683] ? iov_iter_revert+0x5c/0x180
+[ 2172.947913] tls_sw_sendmsg_locked.isra.0+0x794/0x840
+[ 2172.948206] tls_sw_sendmsg+0x52/0x80
+[ 2172.948420] ? inet_sendmsg+0x1f/0x70
+[ 2172.948634] __sys_sendto+0x1cd/0x200
+[ 2172.948848] ? find_held_lock+0x2b/0x80
+[ 2172.949072] ? syscall_trace_enter+0x140/0x270
+[ 2172.949330] ? __lock_release.isra.0+0x5e/0x170
+[ 2172.949595] ? find_held_lock+0x2b/0x80
+[ 2172.949817] ? syscall_trace_enter+0x140/0x270
+[ 2172.950211] ? lockdep_hardirqs_on_prepare+0xda/0x190
+[ 2172.950632] ? ktime_get_coarse_real_ts64+0xc2/0xd0
+[ 2172.951036] __x64_sys_sendto+0x24/0x30
+[ 2172.951382] do_syscall_64+0x90/0x170
+......
+
+After calling bpf_exec_tx_verdict(), the size of msg_pl->sg may increase,
+e.g., when the BPF program executes bpf_msg_push_data().
+
+If the BPF program sets cork_bytes and sg.size is smaller than cork_bytes,
+it will return -ENOSPC and attempt to roll back to the non-zero copy
+logic. However, during rollback, msg->msg_iter is reset, but since
+msg_pl->sg.size has been increased, subsequent executions will exceed the
+actual size of msg_iter.
+'''
+iov_iter_revert(&msg->msg_iter, msg_pl->sg.size - orig_size);
+'''
+
+The changes in this commit are based on the following considerations:
+
+1. When cork_bytes is set, rolling back to non-zero copy logic is
+pointless and can directly go to zero-copy logic.
+
+2. We can not calculate the correct number of bytes to revert msg_iter.
+
+Assume the original data is "abcdefgh" (8 bytes), and after 3 pushes
+by the BPF program, it becomes 11-byte data: "abc?de?fgh?".
+Then, we set cork_bytes to 6, which means the first 6 bytes have been
+processed, and the remaining 5 bytes "?fgh?" will be cached until the
+length meets the cork_bytes requirement.
+
+However, some data in "?fgh?" is not within 'sg->msg_iter'
+(but in msg_pl instead), especially the data "?" we pushed.
+
+So it doesn't seem as simple as just reverting through an offset of
+msg_iter.
+
+3. For non-TLS sockets in tcp_bpf_sendmsg, when a "cork" situation occurs,
+the user-space send() doesn't return an error, and the returned length is
+the same as the input length parameter, even if some data is cached.
+
+Additionally, I saw that the current non-zero-copy logic for handling
+corking is written as:
+'''
+line 1177
+else if (ret != -EAGAIN) {
+ if (ret == -ENOSPC)
+ ret = 0;
+ goto send_end;
+'''
+
+So it's ok to just return 'copied' without error when a "cork" situation
+occurs.
+
+Fixes: fcb14cb1bdac ("new iov_iter flavour - ITER_UBUF")
+Fixes: d3b18ad31f93 ("tls: add bpf support to sk_msg handling")
+Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Link: https://lore.kernel.org/r/20250219052015.274405-2-jiayuan.chen@linux.dev
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tls/tls_sw.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
+index 6e30fe879d538..bf445a518883a 100644
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -1120,9 +1120,13 @@ static int tls_sw_sendmsg_locked(struct sock *sk, struct msghdr *msg,
+ num_async++;
+ else if (ret == -ENOMEM)
+ goto wait_for_memory;
+- else if (ctx->open_rec && ret == -ENOSPC)
++ else if (ctx->open_rec && ret == -ENOSPC) {
++ if (msg_pl->cork_bytes) {
++ ret = 0;
++ goto send_end;
++ }
+ goto rollback_iter;
+- else if (ret != -EAGAIN)
++ } else if (ret != -EAGAIN)
+ goto send_end;
+ }
+ continue;
+--
+2.39.5
+
--- /dev/null
+From f41c17b0c98e6a8c0287552251cb3b81ccbe87da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 May 2025 19:30:31 +0000
+Subject: bpf: Fix uninitialized values in BPF_{CORE,PROBE}_READ
+
+From: Anton Protopopov <a.s.protopopov@gmail.com>
+
+[ Upstream commit 41d4ce6df3f4945341ec509a840cc002a413b6cc ]
+
+With the latest LLVM bpf selftests build will fail with
+the following error message:
+
+ progs/profiler.inc.h:710:31: error: default initialization of an object of type 'typeof ((parent_task)->real_cred->uid.val)' (aka 'const unsigned int') leaves the object uninitialized and is incompatible with C++ [-Werror,-Wdefault-const-init-unsafe]
+ 710 | proc_exec_data->parent_uid = BPF_CORE_READ(parent_task, real_cred, uid.val);
+ | ^
+ tools/testing/selftests/bpf/tools/include/bpf/bpf_core_read.h:520:35: note: expanded from macro 'BPF_CORE_READ'
+ 520 | ___type((src), a, ##__VA_ARGS__) __r; \
+ | ^
+
+This happens because BPF_CORE_READ (and other macro) declare the
+variable __r using the ___type macro which can inherit const modifier
+from intermediate types.
+
+Fix this by using __typeof_unqual__, when supported. (And when it
+is not supported, the problem shouldn't appear, as older compilers
+haven't complained.)
+
+Fixes: 792001f4f7aa ("libbpf: Add user-space variants of BPF_CORE_READ() family of macros")
+Fixes: a4b09a9ef945 ("libbpf: Add non-CO-RE variants of BPF_CORE_READ() macro family")
+Signed-off-by: Anton Protopopov <a.s.protopopov@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20250502193031.3522715-1-a.s.protopopov@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/bpf_core_read.h | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/tools/lib/bpf/bpf_core_read.h b/tools/lib/bpf/bpf_core_read.h
+index e2b9e8415c044..b3fc384595a9f 100644
+--- a/tools/lib/bpf/bpf_core_read.h
++++ b/tools/lib/bpf/bpf_core_read.h
+@@ -312,7 +312,13 @@ enum bpf_enum_value_kind {
+ #define ___arrow10(a, b, c, d, e, f, g, h, i, j) a->b->c->d->e->f->g->h->i->j
+ #define ___arrow(...) ___apply(___arrow, ___narg(__VA_ARGS__))(__VA_ARGS__)
+
++#if defined(__clang__) && (__clang_major__ >= 19)
++#define ___type(...) __typeof_unqual__(___arrow(__VA_ARGS__))
++#elif defined(__GNUC__) && (__GNUC__ >= 14)
++#define ___type(...) __typeof_unqual__(___arrow(__VA_ARGS__))
++#else
+ #define ___type(...) typeof(___arrow(__VA_ARGS__))
++#endif
+
+ #define ___read(read_fn, dst, src_type, src, accessor) \
+ read_fn((void *)(dst), sizeof(*(dst)), &((src_type)(src))->accessor)
+--
+2.39.5
+
--- /dev/null
+From 8255183f7f7e503fbc0875cdbc8bf22a0c1518a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 May 2025 12:27:47 +0800
+Subject: bpf: Fix WARN() in get_bpf_raw_tp_regs
+
+From: Tao Chen <chen.dylane@linux.dev>
+
+[ Upstream commit 3880cdbed1c4607e378f58fa924c5d6df900d1d3 ]
+
+syzkaller reported an issue:
+
+WARNING: CPU: 3 PID: 5971 at kernel/trace/bpf_trace.c:1861 get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861
+Modules linked in:
+CPU: 3 UID: 0 PID: 5971 Comm: syz-executor205 Not tainted 6.15.0-rc5-syzkaller-00038-g707df3375124 #0 PREEMPT(full)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+RIP: 0010:get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861
+RSP: 0018:ffffc90003636fa8 EFLAGS: 00010293
+RAX: 0000000000000000 RBX: 0000000000000003 RCX: ffffffff81c6bc4c
+RDX: ffff888032efc880 RSI: ffffffff81c6bc83 RDI: 0000000000000005
+RBP: ffff88806a730860 R08: 0000000000000005 R09: 0000000000000003
+R10: 0000000000000004 R11: 0000000000000000 R12: 0000000000000004
+R13: 0000000000000001 R14: ffffc90003637008 R15: 0000000000000900
+FS: 0000000000000000(0000) GS:ffff8880d6cdf000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f7baee09130 CR3: 0000000029f5a000 CR4: 0000000000352ef0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1934 [inline]
+ bpf_get_stack_raw_tp+0x24/0x160 kernel/trace/bpf_trace.c:1931
+ bpf_prog_ec3b2eefa702d8d3+0x43/0x47
+ bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline]
+ __bpf_prog_run include/linux/filter.h:718 [inline]
+ bpf_prog_run include/linux/filter.h:725 [inline]
+ __bpf_trace_run kernel/trace/bpf_trace.c:2363 [inline]
+ bpf_trace_run3+0x23f/0x5a0 kernel/trace/bpf_trace.c:2405
+ __bpf_trace_mmap_lock_acquire_returned+0xfc/0x140 include/trace/events/mmap_lock.h:47
+ __traceiter_mmap_lock_acquire_returned+0x79/0xc0 include/trace/events/mmap_lock.h:47
+ __do_trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline]
+ trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline]
+ __mmap_lock_do_trace_acquire_returned+0x138/0x1f0 mm/mmap_lock.c:35
+ __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline]
+ mmap_read_trylock include/linux/mmap_lock.h:204 [inline]
+ stack_map_get_build_id_offset+0x535/0x6f0 kernel/bpf/stackmap.c:157
+ __bpf_get_stack+0x307/0xa10 kernel/bpf/stackmap.c:483
+ ____bpf_get_stack kernel/bpf/stackmap.c:499 [inline]
+ bpf_get_stack+0x32/0x40 kernel/bpf/stackmap.c:496
+ ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1941 [inline]
+ bpf_get_stack_raw_tp+0x124/0x160 kernel/trace/bpf_trace.c:1931
+ bpf_prog_ec3b2eefa702d8d3+0x43/0x47
+
+Tracepoint like trace_mmap_lock_acquire_returned may cause nested call
+as the corner case show above, which will be resolved with more general
+method in the future. As a result, WARN_ON_ONCE will be triggered. As
+Alexei suggested, remove the WARN_ON_ONCE first.
+
+Fixes: 9594dc3c7e71 ("bpf: fix nested bpf tracepoints with per-cpu data")
+Reported-by: syzbot+45b0c89a0fc7ae8dbadc@syzkaller.appspotmail.com
+Suggested-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Tao Chen <chen.dylane@linux.dev>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20250513042747.757042-1-chen.dylane@linux.dev
+
+Closes: https://lore.kernel.org/bpf/8bc2554d-1052-4922-8832-e0078a033e1d@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/bpf_trace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
+index 97f660a8ddc73..8903db0b59602 100644
+--- a/kernel/trace/bpf_trace.c
++++ b/kernel/trace/bpf_trace.c
+@@ -1834,7 +1834,7 @@ static struct pt_regs *get_bpf_raw_tp_regs(void)
+ struct bpf_raw_tp_regs *tp_regs = this_cpu_ptr(&bpf_raw_tp_regs);
+ int nest_level = this_cpu_inc_return(bpf_raw_tp_nest_level);
+
+- if (WARN_ON_ONCE(nest_level > ARRAY_SIZE(tp_regs->regs))) {
++ if (nest_level > ARRAY_SIZE(tp_regs->regs)) {
+ this_cpu_dec(bpf_raw_tp_nest_level);
+ return ERR_PTR(-EBUSY);
+ }
+--
+2.39.5
+
--- /dev/null
+From 3f2f8cbf3debb754ae758640200bcc47199f558c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 May 2025 22:17:12 +0800
+Subject: bpf, sockmap: Avoid using sk_socket after free when sending
+
+From: Jiayuan Chen <jiayuan.chen@linux.dev>
+
+[ Upstream commit 8259eb0e06d8f64c700f5fbdb28a5c18e10de291 ]
+
+The sk->sk_socket is not locked or referenced in backlog thread, and
+during the call to skb_send_sock(), there is a race condition with
+the release of sk_socket. All types of sockets(tcp/udp/unix/vsock)
+will be affected.
+
+Race conditions:
+'''
+CPU0 CPU1
+
+backlog::skb_send_sock
+ sendmsg_unlocked
+ sock_sendmsg
+ sock_sendmsg_nosec
+ close(fd):
+ ...
+ ops->release() -> sock_map_close()
+ sk_socket->ops = NULL
+ free(socket)
+ sock->ops->sendmsg
+ ^
+ panic here
+'''
+
+The ref of psock become 0 after sock_map_close() executed.
+'''
+void sock_map_close()
+{
+ ...
+ if (likely(psock)) {
+ ...
+ // !! here we remove psock and the ref of psock become 0
+ sock_map_remove_links(sk, psock)
+ psock = sk_psock_get(sk);
+ if (unlikely(!psock))
+ goto no_psock; <=== Control jumps here via goto
+ ...
+ cancel_delayed_work_sync(&psock->work); <=== not executed
+ sk_psock_put(sk, psock);
+ ...
+}
+'''
+
+Based on the fact that we already wait for the workqueue to finish in
+sock_map_close() if psock is held, we simply increase the psock
+reference count to avoid race conditions.
+
+With this patch, if the backlog thread is running, sock_map_close() will
+wait for the backlog thread to complete and cancel all pending work.
+
+If no backlog running, any pending work that hasn't started by then will
+fail when invoked by sk_psock_get(), as the psock reference count have
+been zeroed, and sk_psock_drop() will cancel all jobs via
+cancel_delayed_work_sync().
+
+In summary, we require synchronization to coordinate the backlog thread
+and close() thread.
+
+The panic I catched:
+'''
+Workqueue: events sk_psock_backlog
+RIP: 0010:sock_sendmsg+0x21d/0x440
+RAX: 0000000000000000 RBX: ffffc9000521fad8 RCX: 0000000000000001
+...
+Call Trace:
+ <TASK>
+ ? die_addr+0x40/0xa0
+ ? exc_general_protection+0x14c/0x230
+ ? asm_exc_general_protection+0x26/0x30
+ ? sock_sendmsg+0x21d/0x440
+ ? sock_sendmsg+0x3e0/0x440
+ ? __pfx_sock_sendmsg+0x10/0x10
+ __skb_send_sock+0x543/0xb70
+ sk_psock_backlog+0x247/0xb80
+...
+'''
+
+Fixes: 4b4647add7d3 ("sock_map: avoid race between sock_map_close and sk_psock_put")
+Reported-by: Michal Luczaj <mhal@rbox.co>
+Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Reviewed-by: John Fastabend <john.fastabend@gmail.com>
+Link: https://lore.kernel.org/r/20250516141713.291150-1-jiayuan.chen@linux.dev
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/skmsg.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/net/core/skmsg.c b/net/core/skmsg.c
+index c7edf77fd6fde..2076db464e936 100644
+--- a/net/core/skmsg.c
++++ b/net/core/skmsg.c
+@@ -655,6 +655,13 @@ static void sk_psock_backlog(struct work_struct *work)
+ bool ingress;
+ int ret;
+
++ /* Increment the psock refcnt to synchronize with close(fd) path in
++ * sock_map_close(), ensuring we wait for backlog thread completion
++ * before sk_socket freed. If refcnt increment fails, it indicates
++ * sock_map_close() completed with sk_socket potentially already freed.
++ */
++ if (!sk_psock_get(psock->sk))
++ return;
+ mutex_lock(&psock->work_mutex);
+ while ((skb = skb_peek(&psock->ingress_skb))) {
+ len = skb->len;
+@@ -706,6 +713,7 @@ static void sk_psock_backlog(struct work_struct *work)
+ }
+ end:
+ mutex_unlock(&psock->work_mutex);
++ sk_psock_put(psock->sk, psock);
+ }
+
+ struct sk_psock *sk_psock_init(struct sock *sk, int node)
+--
+2.39.5
+
--- /dev/null
+From ac4356969b4f29b341b7a586c91c60a5ada76818 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Apr 2025 22:21:21 +0800
+Subject: bpf, sockmap: fix duplicated data transmission
+
+From: Jiayuan Chen <jiayuan.chen@linux.dev>
+
+[ Upstream commit 3b4f14b794287be137ea2c6158765d1ea1e018a4 ]
+
+In the !ingress path under sk_psock_handle_skb(), when sending data to the
+remote under snd_buf limitations, partial skb data might be transmitted.
+
+Although we preserved the partial transmission state (offset/length), the
+state wasn't properly consumed during retries. This caused the retry path
+to resend the entire skb data instead of continuing from the previous
+offset, resulting in data overlap at the receiver side.
+
+Fixes: 405df89dd52c ("bpf, sockmap: Improved check for empty queue")
+Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
+Link: https://lore.kernel.org/r/20250407142234.47591-3-jiayuan.chen@linux.dev
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/skmsg.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/net/core/skmsg.c b/net/core/skmsg.c
+index b9b941c487c8a..c284c8a3d6792 100644
+--- a/net/core/skmsg.c
++++ b/net/core/skmsg.c
+@@ -655,11 +655,6 @@ static void sk_psock_backlog(struct work_struct *work)
+ int ret;
+
+ mutex_lock(&psock->work_mutex);
+- if (unlikely(state->len)) {
+- len = state->len;
+- off = state->off;
+- }
+-
+ while ((skb = skb_peek(&psock->ingress_skb))) {
+ len = skb->len;
+ off = 0;
+@@ -669,6 +664,13 @@ static void sk_psock_backlog(struct work_struct *work)
+ off = stm->offset;
+ len = stm->full_len;
+ }
++
++ /* Resume processing from previous partial state */
++ if (unlikely(state->len)) {
++ len = state->len;
++ off = state->off;
++ }
++
+ ingress = skb_bpf_ingress(skb);
+ skb_bpf_redirect_clear(skb);
+ do {
+@@ -696,6 +698,8 @@ static void sk_psock_backlog(struct work_struct *work)
+ len -= ret;
+ } while (len);
+
++ /* The entire skb sent, clear state */
++ sk_psock_skb_state(psock, state, 0, 0);
+ skb = skb_dequeue(&psock->ingress_skb);
+ kfree_skb(skb);
+ }
+--
+2.39.5
+
--- /dev/null
+From 4b9de6a0bd2cf4d5117a4811d7adfdd132742f2b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Apr 2025 22:21:22 +0800
+Subject: bpf, sockmap: Fix panic when calling skb_linearize
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jiayuan Chen <jiayuan.chen@linux.dev>
+
+[ Upstream commit 5ca2e29f6834c64c0e5a9ccf1278c21fb49b827e ]
+
+The panic can be reproduced by executing the command:
+./bench sockmap -c 2 -p 1 -a --rx-verdict-ingress --rx-strp 100000
+
+Then a kernel panic was captured:
+'''
+[ 657.460555] kernel BUG at net/core/skbuff.c:2178!
+[ 657.462680] Tainted: [W]=WARN
+[ 657.463287] Workqueue: events sk_psock_backlog
+...
+[ 657.469610] <TASK>
+[ 657.469738] ? die+0x36/0x90
+[ 657.469916] ? do_trap+0x1d0/0x270
+[ 657.470118] ? pskb_expand_head+0x612/0xf40
+[ 657.470376] ? pskb_expand_head+0x612/0xf40
+[ 657.470620] ? do_error_trap+0xa3/0x170
+[ 657.470846] ? pskb_expand_head+0x612/0xf40
+[ 657.471092] ? handle_invalid_op+0x2c/0x40
+[ 657.471335] ? pskb_expand_head+0x612/0xf40
+[ 657.471579] ? exc_invalid_op+0x2d/0x40
+[ 657.471805] ? asm_exc_invalid_op+0x1a/0x20
+[ 657.472052] ? pskb_expand_head+0xd1/0xf40
+[ 657.472292] ? pskb_expand_head+0x612/0xf40
+[ 657.472540] ? lock_acquire+0x18f/0x4e0
+[ 657.472766] ? find_held_lock+0x2d/0x110
+[ 657.472999] ? __pfx_pskb_expand_head+0x10/0x10
+[ 657.473263] ? __kmalloc_cache_noprof+0x5b/0x470
+[ 657.473537] ? __pfx___lock_release.isra.0+0x10/0x10
+[ 657.473826] __pskb_pull_tail+0xfd/0x1d20
+[ 657.474062] ? __kasan_slab_alloc+0x4e/0x90
+[ 657.474707] sk_psock_skb_ingress_enqueue+0x3bf/0x510
+[ 657.475392] ? __kasan_kmalloc+0xaa/0xb0
+[ 657.476010] sk_psock_backlog+0x5cf/0xd70
+[ 657.476637] process_one_work+0x858/0x1a20
+'''
+
+The panic originates from the assertion BUG_ON(skb_shared(skb)) in
+skb_linearize(). A previous commit(see Fixes tag) introduced skb_get()
+to avoid race conditions between skb operations in the backlog and skb
+release in the recvmsg path. However, this caused the panic to always
+occur when skb_linearize is executed.
+
+The "--rx-strp 100000" parameter forces the RX path to use the strparser
+module which aggregates data until it reaches 100KB before calling sockmap
+logic. The 100KB payload exceeds MAX_MSG_FRAGS, triggering skb_linearize.
+
+To fix this issue, just move skb_get into sk_psock_skb_ingress_enqueue.
+
+'''
+sk_psock_backlog:
+ sk_psock_handle_skb
+ skb_get(skb) <== we move it into 'sk_psock_skb_ingress_enqueue'
+ sk_psock_skb_ingress____________
+ ↓
+ |
+ | → sk_psock_skb_ingress_self
+ | sk_psock_skb_ingress_enqueue
+sk_psock_verdict_apply_________________↑ skb_linearize
+'''
+
+Note that for verdict_apply path, the skb_get operation is unnecessary so
+we add 'take_ref' param to control it's behavior.
+
+Fixes: a454d84ee20b ("bpf, sockmap: Fix skb refcnt race after locking changes")
+Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
+Link: https://lore.kernel.org/r/20250407142234.47591-4-jiayuan.chen@linux.dev
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/skmsg.c | 31 ++++++++++++++++---------------
+ 1 file changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/net/core/skmsg.c b/net/core/skmsg.c
+index c284c8a3d6792..c7edf77fd6fde 100644
+--- a/net/core/skmsg.c
++++ b/net/core/skmsg.c
+@@ -529,16 +529,22 @@ static int sk_psock_skb_ingress_enqueue(struct sk_buff *skb,
+ u32 off, u32 len,
+ struct sk_psock *psock,
+ struct sock *sk,
+- struct sk_msg *msg)
++ struct sk_msg *msg,
++ bool take_ref)
+ {
+ int num_sge, copied;
+
++ /* skb_to_sgvec will fail when the total number of fragments in
++ * frag_list and frags exceeds MAX_MSG_FRAGS. For example, the
++ * caller may aggregate multiple skbs.
++ */
+ num_sge = skb_to_sgvec(skb, msg->sg.data, off, len);
+ if (num_sge < 0) {
+ /* skb linearize may fail with ENOMEM, but lets simply try again
+ * later if this happens. Under memory pressure we don't want to
+ * drop the skb. We need to linearize the skb so that the mapping
+ * in skb_to_sgvec can not error.
++ * Note that skb_linearize requires the skb not to be shared.
+ */
+ if (skb_linearize(skb))
+ return -EAGAIN;
+@@ -555,7 +561,7 @@ static int sk_psock_skb_ingress_enqueue(struct sk_buff *skb,
+ msg->sg.start = 0;
+ msg->sg.size = copied;
+ msg->sg.end = num_sge;
+- msg->skb = skb;
++ msg->skb = take_ref ? skb_get(skb) : skb;
+
+ sk_psock_queue_msg(psock, msg);
+ sk_psock_data_ready(sk, psock);
+@@ -563,7 +569,7 @@ static int sk_psock_skb_ingress_enqueue(struct sk_buff *skb,
+ }
+
+ static int sk_psock_skb_ingress_self(struct sk_psock *psock, struct sk_buff *skb,
+- u32 off, u32 len);
++ u32 off, u32 len, bool take_ref);
+
+ static int sk_psock_skb_ingress(struct sk_psock *psock, struct sk_buff *skb,
+ u32 off, u32 len)
+@@ -577,7 +583,7 @@ static int sk_psock_skb_ingress(struct sk_psock *psock, struct sk_buff *skb,
+ * correctly.
+ */
+ if (unlikely(skb->sk == sk))
+- return sk_psock_skb_ingress_self(psock, skb, off, len);
++ return sk_psock_skb_ingress_self(psock, skb, off, len, true);
+ msg = sk_psock_create_ingress_msg(sk, skb);
+ if (!msg)
+ return -EAGAIN;
+@@ -589,7 +595,7 @@ static int sk_psock_skb_ingress(struct sk_psock *psock, struct sk_buff *skb,
+ * into user buffers.
+ */
+ skb_set_owner_r(skb, sk);
+- err = sk_psock_skb_ingress_enqueue(skb, off, len, psock, sk, msg);
++ err = sk_psock_skb_ingress_enqueue(skb, off, len, psock, sk, msg, true);
+ if (err < 0)
+ kfree(msg);
+ return err;
+@@ -600,7 +606,7 @@ static int sk_psock_skb_ingress(struct sk_psock *psock, struct sk_buff *skb,
+ * because the skb is already accounted for here.
+ */
+ static int sk_psock_skb_ingress_self(struct sk_psock *psock, struct sk_buff *skb,
+- u32 off, u32 len)
++ u32 off, u32 len, bool take_ref)
+ {
+ struct sk_msg *msg = alloc_sk_msg(GFP_ATOMIC);
+ struct sock *sk = psock->sk;
+@@ -609,7 +615,7 @@ static int sk_psock_skb_ingress_self(struct sk_psock *psock, struct sk_buff *skb
+ if (unlikely(!msg))
+ return -EAGAIN;
+ skb_set_owner_r(skb, sk);
+- err = sk_psock_skb_ingress_enqueue(skb, off, len, psock, sk, msg);
++ err = sk_psock_skb_ingress_enqueue(skb, off, len, psock, sk, msg, take_ref);
+ if (err < 0)
+ kfree(msg);
+ return err;
+@@ -618,18 +624,13 @@ static int sk_psock_skb_ingress_self(struct sk_psock *psock, struct sk_buff *skb
+ static int sk_psock_handle_skb(struct sk_psock *psock, struct sk_buff *skb,
+ u32 off, u32 len, bool ingress)
+ {
+- int err = 0;
+-
+ if (!ingress) {
+ if (!sock_writeable(psock->sk))
+ return -EAGAIN;
+ return skb_send_sock(psock->sk, skb, off, len);
+ }
+- skb_get(skb);
+- err = sk_psock_skb_ingress(psock, skb, off, len);
+- if (err < 0)
+- kfree_skb(skb);
+- return err;
++
++ return sk_psock_skb_ingress(psock, skb, off, len);
+ }
+
+ static void sk_psock_skb_state(struct sk_psock *psock,
+@@ -1017,7 +1018,7 @@ static int sk_psock_verdict_apply(struct sk_psock *psock, struct sk_buff *skb,
+ off = stm->offset;
+ len = stm->full_len;
+ }
+- err = sk_psock_skb_ingress_self(psock, skb, off, len);
++ err = sk_psock_skb_ingress_self(psock, skb, off, len, false);
+ }
+ if (err < 0) {
+ spin_lock_bh(&psock->ingress_lock);
+--
+2.39.5
+
--- /dev/null
+From 0119b1c6833d6b2f0ddb9fa80128dcd5ba07adf7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 May 2025 18:56:18 +0930
+Subject: btrfs: scrub: fix a wrong error type when metadata bytenr mismatches
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit f2c19541e421b3235efc515dad88b581f00592ae ]
+
+When the bytenr doesn't match for a metadata tree block, we will report
+it as an csum error, which is incorrect and should be reported as a
+metadata error instead.
+
+Fixes: a3ddbaebc7c9 ("btrfs: scrub: introduce a helper to verify one metadata block")
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/scrub.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/scrub.c b/fs/btrfs/scrub.c
+index 97c17025b31e6..7632d652a1257 100644
+--- a/fs/btrfs/scrub.c
++++ b/fs/btrfs/scrub.c
+@@ -620,7 +620,7 @@ static void scrub_verify_one_metadata(struct scrub_stripe *stripe, int sector_nr
+ memcpy(on_disk_csum, header->csum, fs_info->csum_size);
+
+ if (logical != btrfs_stack_header_bytenr(header)) {
+- bitmap_set(&stripe->csum_error_bitmap, sector_nr, sectors_per_tree);
++ bitmap_set(&stripe->meta_error_bitmap, sector_nr, sectors_per_tree);
+ bitmap_set(&stripe->error_bitmap, sector_nr, sectors_per_tree);
+ btrfs_warn_rl(fs_info,
+ "tree block %llu mirror %u has bad bytenr, has %llu want %llu",
+--
+2.39.5
+
--- /dev/null
+From dd10d415d959bd76c721ce1723ce15d4a605c9a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 May 2025 08:37:54 +0930
+Subject: btrfs: scrub: update device stats when an error is detected
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit ec1f3a207cdf314eae4d4ae145f1ffdb829f0652 ]
+
+[BUG]
+Since the migration to the new scrub_stripe interface, scrub no longer
+updates the device stats when hitting an error, no matter if it's a read
+or checksum mismatch error. E.g:
+
+ BTRFS info (device dm-2): scrub: started on devid 1
+ BTRFS error (device dm-2): unable to fixup (regular) error at logical 13631488 on dev /dev/mapper/test-scratch1 physical 13631488
+ BTRFS warning (device dm-2): checksum error at logical 13631488 on dev /dev/mapper/test-scratch1, physical 13631488, root 5, inode 257, offset 0, length 4096, links 1 (path: file)
+ BTRFS error (device dm-2): unable to fixup (regular) error at logical 13631488 on dev /dev/mapper/test-scratch1 physical 13631488
+ BTRFS warning (device dm-2): checksum error at logical 13631488 on dev /dev/mapper/test-scratch1, physical 13631488, root 5, inode 257, offset 0, length 4096, links 1 (path: file)
+ BTRFS info (device dm-2): scrub: finished on devid 1 with status: 0
+
+Note there is no line showing the device stats error update.
+
+[CAUSE]
+In the migration to the new scrub_stripe interface, we no longer call
+btrfs_dev_stat_inc_and_print().
+
+[FIX]
+- Introduce a new bitmap for metadata generation errors
+ * A new bitmap
+ @meta_gen_error_bitmap is introduced to record which blocks have
+ metadata generation mismatch errors.
+
+ * A new counter for that bitmap
+ @init_nr_meta_gen_errors, is also introduced to store the number of
+ generation mismatch errors that are found during the initial read.
+
+ This is for the error reporting at scrub_stripe_report_errors().
+
+ * New dedicated error message for unrepaired generation mismatches
+
+ * Update @meta_gen_error_bitmap if a transid mismatch is hit
+
+- Add btrfs_dev_stat_inc_and_print() calls to the following call sites
+ * scrub_stripe_report_errors()
+ * scrub_write_endio()
+ This is only for the write errors.
+
+This means there is a minor behavior change:
+
+- The timing of device stats error message
+ Since we concentrate the error messages at
+ scrub_stripe_report_errors(), the device stats error messages will all
+ show up in one go, after the detailed scrub error messages:
+
+ BTRFS error (device dm-2): unable to fixup (regular) error at logical 13631488 on dev /dev/mapper/test-scratch1 physical 13631488
+ BTRFS warning (device dm-2): checksum error at logical 13631488 on dev /dev/mapper/test-scratch1, physical 13631488, root 5, inode 257, offset 0, length 4096, links 1 (path: file)
+ BTRFS error (device dm-2): unable to fixup (regular) error at logical 13631488 on dev /dev/mapper/test-scratch1 physical 13631488
+ BTRFS warning (device dm-2): checksum error at logical 13631488 on dev /dev/mapper/test-scratch1, physical 13631488, root 5, inode 257, offset 0, length 4096, links 1 (path: file)
+ BTRFS error (device dm-2): bdev /dev/mapper/test-scratch1 errs: wr 0, rd 0, flush 0, corrupt 1, gen 0
+ BTRFS error (device dm-2): bdev /dev/mapper/test-scratch1 errs: wr 0, rd 0, flush 0, corrupt 2, gen 0
+
+Fixes: e02ee89baa66 ("btrfs: scrub: switch scrub_simple_mirror() to scrub_stripe infrastructure")
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/scrub.c | 32 +++++++++++++++++++++++++++++---
+ 1 file changed, 29 insertions(+), 3 deletions(-)
+
+diff --git a/fs/btrfs/scrub.c b/fs/btrfs/scrub.c
+index da49bdb70375b..97c17025b31e6 100644
+--- a/fs/btrfs/scrub.c
++++ b/fs/btrfs/scrub.c
+@@ -153,12 +153,14 @@ struct scrub_stripe {
+ unsigned int init_nr_io_errors;
+ unsigned int init_nr_csum_errors;
+ unsigned int init_nr_meta_errors;
++ unsigned int init_nr_meta_gen_errors;
+
+ /*
+ * The following error bitmaps are all for the current status.
+ * Every time we submit a new read, these bitmaps may be updated.
+ *
+- * error_bitmap = io_error_bitmap | csum_error_bitmap | meta_error_bitmap;
++ * error_bitmap = io_error_bitmap | csum_error_bitmap |
++ * meta_error_bitmap | meta_generation_bitmap;
+ *
+ * IO and csum errors can happen for both metadata and data.
+ */
+@@ -166,6 +168,7 @@ struct scrub_stripe {
+ unsigned long io_error_bitmap;
+ unsigned long csum_error_bitmap;
+ unsigned long meta_error_bitmap;
++ unsigned long meta_gen_error_bitmap;
+
+ /* For writeback (repair or replace) error reporting. */
+ unsigned long write_error_bitmap;
+@@ -673,7 +676,7 @@ static void scrub_verify_one_metadata(struct scrub_stripe *stripe, int sector_nr
+ }
+ if (stripe->sectors[sector_nr].generation !=
+ btrfs_stack_header_generation(header)) {
+- bitmap_set(&stripe->meta_error_bitmap, sector_nr, sectors_per_tree);
++ bitmap_set(&stripe->meta_gen_error_bitmap, sector_nr, sectors_per_tree);
+ bitmap_set(&stripe->error_bitmap, sector_nr, sectors_per_tree);
+ btrfs_warn_rl(fs_info,
+ "tree block %llu mirror %u has bad generation, has %llu want %llu",
+@@ -685,6 +688,7 @@ static void scrub_verify_one_metadata(struct scrub_stripe *stripe, int sector_nr
+ bitmap_clear(&stripe->error_bitmap, sector_nr, sectors_per_tree);
+ bitmap_clear(&stripe->csum_error_bitmap, sector_nr, sectors_per_tree);
+ bitmap_clear(&stripe->meta_error_bitmap, sector_nr, sectors_per_tree);
++ bitmap_clear(&stripe->meta_gen_error_bitmap, sector_nr, sectors_per_tree);
+ }
+
+ static void scrub_verify_one_sector(struct scrub_stripe *stripe, int sector_nr)
+@@ -973,8 +977,22 @@ static void scrub_stripe_report_errors(struct scrub_ctx *sctx,
+ if (__ratelimit(&rs) && dev)
+ scrub_print_common_warning("header error", dev, false,
+ stripe->logical, physical);
++ if (test_bit(sector_nr, &stripe->meta_gen_error_bitmap))
++ if (__ratelimit(&rs) && dev)
++ scrub_print_common_warning("generation error", dev, false,
++ stripe->logical, physical);
+ }
+
++ /* Update the device stats. */
++ for (int i = 0; i < stripe->init_nr_io_errors; i++)
++ btrfs_dev_stat_inc_and_print(stripe->dev, BTRFS_DEV_STAT_READ_ERRS);
++ for (int i = 0; i < stripe->init_nr_csum_errors; i++)
++ btrfs_dev_stat_inc_and_print(stripe->dev, BTRFS_DEV_STAT_CORRUPTION_ERRS);
++ /* Generation mismatch error is based on each metadata, not each block. */
++ for (int i = 0; i < stripe->init_nr_meta_gen_errors;
++ i += (fs_info->nodesize >> fs_info->sectorsize_bits))
++ btrfs_dev_stat_inc_and_print(stripe->dev, BTRFS_DEV_STAT_GENERATION_ERRS);
++
+ spin_lock(&sctx->stat_lock);
+ sctx->stat.data_extents_scrubbed += stripe->nr_data_extents;
+ sctx->stat.tree_extents_scrubbed += stripe->nr_meta_extents;
+@@ -983,7 +1001,8 @@ static void scrub_stripe_report_errors(struct scrub_ctx *sctx,
+ sctx->stat.no_csum += nr_nodatacsum_sectors;
+ sctx->stat.read_errors += stripe->init_nr_io_errors;
+ sctx->stat.csum_errors += stripe->init_nr_csum_errors;
+- sctx->stat.verify_errors += stripe->init_nr_meta_errors;
++ sctx->stat.verify_errors += stripe->init_nr_meta_errors +
++ stripe->init_nr_meta_gen_errors;
+ sctx->stat.uncorrectable_errors +=
+ bitmap_weight(&stripe->error_bitmap, stripe->nr_sectors);
+ sctx->stat.corrected_errors += nr_repaired_sectors;
+@@ -1029,6 +1048,8 @@ static void scrub_stripe_read_repair_worker(struct work_struct *work)
+ stripe->nr_sectors);
+ stripe->init_nr_meta_errors = bitmap_weight(&stripe->meta_error_bitmap,
+ stripe->nr_sectors);
++ stripe->init_nr_meta_gen_errors = bitmap_weight(&stripe->meta_gen_error_bitmap,
++ stripe->nr_sectors);
+
+ if (bitmap_empty(&stripe->init_error_bitmap, stripe->nr_sectors))
+ goto out;
+@@ -1143,6 +1164,9 @@ static void scrub_write_endio(struct btrfs_bio *bbio)
+ bitmap_set(&stripe->write_error_bitmap, sector_nr,
+ bio_size >> fs_info->sectorsize_bits);
+ spin_unlock_irqrestore(&stripe->write_error_lock, flags);
++ for (int i = 0; i < (bio_size >> fs_info->sectorsize_bits); i++)
++ btrfs_dev_stat_inc_and_print(stripe->dev,
++ BTRFS_DEV_STAT_WRITE_ERRS);
+ }
+ bio_put(&bbio->bio);
+
+@@ -1505,10 +1529,12 @@ static void scrub_stripe_reset_bitmaps(struct scrub_stripe *stripe)
+ stripe->init_nr_io_errors = 0;
+ stripe->init_nr_csum_errors = 0;
+ stripe->init_nr_meta_errors = 0;
++ stripe->init_nr_meta_gen_errors = 0;
+ stripe->error_bitmap = 0;
+ stripe->io_error_bitmap = 0;
+ stripe->csum_error_bitmap = 0;
+ stripe->meta_error_bitmap = 0;
++ stripe->meta_gen_error_bitmap = 0;
+ }
+
+ /*
+--
+2.39.5
+
--- /dev/null
+From be005992909b81ba7cf3f59480d8d6bfc2bc3f85 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Apr 2025 13:58:09 +0300
+Subject: bus: fsl-mc: fix double-free on mc_dev
+
+From: Ioana Ciornei <ioana.ciornei@nxp.com>
+
+[ Upstream commit d694bf8a9acdbd061596f3e7549bc8cb70750a60 ]
+
+The blamed commit tried to simplify how the deallocations are done but,
+in the process, introduced a double-free on the mc_dev variable.
+
+In case the MC device is a DPRC, a new mc_bus is allocated and the
+mc_dev variable is just a reference to one of its fields. In this
+circumstance, on the error path only the mc_bus should be freed.
+
+This commit introduces back the following checkpatch warning which is a
+false-positive.
+
+WARNING: kfree(NULL) is safe and this check is probably not required
++ if (mc_bus)
++ kfree(mc_bus);
+
+Fixes: a042fbed0290 ("staging: fsl-mc: simplify couple of deallocations")
+Signed-off-by: Ioana Ciornei <ioana.ciornei@nxp.com>
+Link: https://lore.kernel.org/r/20250408105814.2837951-2-ioana.ciornei@nxp.com
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bus/fsl-mc/fsl-mc-bus.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/bus/fsl-mc/fsl-mc-bus.c b/drivers/bus/fsl-mc/fsl-mc-bus.c
+index 2f6d5002e43d5..b405ee330af1f 100644
+--- a/drivers/bus/fsl-mc/fsl-mc-bus.c
++++ b/drivers/bus/fsl-mc/fsl-mc-bus.c
+@@ -905,8 +905,10 @@ int fsl_mc_device_add(struct fsl_mc_obj_desc *obj_desc,
+
+ error_cleanup_dev:
+ kfree(mc_dev->regions);
+- kfree(mc_bus);
+- kfree(mc_dev);
++ if (mc_bus)
++ kfree(mc_bus);
++ else
++ kfree(mc_dev);
+
+ return error;
+ }
+--
+2.39.5
+
--- /dev/null
+From 6e281116797eef3e94b8b7644518ea71cfea588c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 May 2025 15:18:56 -0700
+Subject: calipso: Don't call calipso functions for AF_INET sk.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 6e9f2df1c550ead7cecb3e450af1105735020c92 ]
+
+syzkaller reported a null-ptr-deref in txopt_get(). [0]
+
+The offset 0x70 was of struct ipv6_txoptions in struct ipv6_pinfo,
+so struct ipv6_pinfo was NULL there.
+
+However, this never happens for IPv6 sockets as inet_sk(sk)->pinet6
+is always set in inet6_create(), meaning the socket was not IPv6 one.
+
+The root cause is missing validation in netlbl_conn_setattr().
+
+netlbl_conn_setattr() switches branches based on struct
+sockaddr.sa_family, which is passed from userspace. However,
+netlbl_conn_setattr() does not check if the address family matches
+the socket.
+
+The syzkaller must have called connect() for an IPv6 address on
+an IPv4 socket.
+
+We have a proper validation in tcp_v[46]_connect(), but
+security_socket_connect() is called in the earlier stage.
+
+Let's copy the validation to netlbl_conn_setattr().
+
+[0]:
+Oops: general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN NOPTI
+KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
+CPU: 2 UID: 0 PID: 12928 Comm: syz.9.1677 Not tainted 6.12.0 #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
+RIP: 0010:txopt_get include/net/ipv6.h:390 [inline]
+RIP: 0010:
+Code: 02 00 00 49 8b ac 24 f8 02 00 00 e8 84 69 2a fd e8 ff 00 16 fd 48 8d 7d 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 53 02 00 00 48 8b 6d 70 48 85 ed 0f 84 ab 01 00
+RSP: 0018:ffff88811b8afc48 EFLAGS: 00010212
+RAX: dffffc0000000000 RBX: 1ffff11023715f8a RCX: ffffffff841ab00c
+RDX: 000000000000000e RSI: ffffc90007d9e000 RDI: 0000000000000070
+RBP: 0000000000000000 R08: ffffed1023715f9d R09: ffffed1023715f9e
+R10: ffffed1023715f9d R11: 0000000000000003 R12: ffff888123075f00
+R13: ffff88810245bd80 R14: ffff888113646780 R15: ffff888100578a80
+FS: 00007f9019bd7640(0000) GS:ffff8882d2d00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f901b927bac CR3: 0000000104788003 CR4: 0000000000770ef0
+PKRU: 80000000
+Call Trace:
+ <TASK>
+ calipso_sock_setattr+0x56/0x80 net/netlabel/netlabel_calipso.c:557
+ netlbl_conn_setattr+0x10c/0x280 net/netlabel/netlabel_kapi.c:1177
+ selinux_netlbl_socket_connect_helper+0xd3/0x1b0 security/selinux/netlabel.c:569
+ selinux_netlbl_socket_connect_locked security/selinux/netlabel.c:597 [inline]
+ selinux_netlbl_socket_connect+0xb6/0x100 security/selinux/netlabel.c:615
+ selinux_socket_connect+0x5f/0x80 security/selinux/hooks.c:4931
+ security_socket_connect+0x50/0xa0 security/security.c:4598
+ __sys_connect_file+0xa4/0x190 net/socket.c:2067
+ __sys_connect+0x12c/0x170 net/socket.c:2088
+ __do_sys_connect net/socket.c:2098 [inline]
+ __se_sys_connect net/socket.c:2095 [inline]
+ __x64_sys_connect+0x73/0xb0 net/socket.c:2095
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xaa/0x1b0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f901b61a12d
+Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f9019bd6fa8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
+RAX: ffffffffffffffda RBX: 00007f901b925fa0 RCX: 00007f901b61a12d
+RDX: 000000000000001c RSI: 0000200000000140 RDI: 0000000000000003
+RBP: 00007f901b701505 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 0000000000000000 R14: 00007f901b5b62a0 R15: 00007f9019bb7000
+ </TASK>
+Modules linked in:
+
+Fixes: ceba1832b1b2 ("calipso: Set the calipso socket label to match the secattr.")
+Reported-by: syzkaller <syzkaller@googlegroups.com>
+Reported-by: John Cheung <john.cs.hey@gmail.com>
+Closes: https://lore.kernel.org/netdev/CAP=Rh=M1LzunrcQB1fSGauMrJrhL6GGps5cPAKzHJXj6GQV+-g@mail.gmail.com/
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Acked-by: Paul Moore <paul@paul-moore.com>
+Link: https://patch.msgid.link/20250522221858.91240-1-kuniyu@amazon.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netlabel/netlabel_kapi.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
+index 27511c90a26f4..75b645c1928db 100644
+--- a/net/netlabel/netlabel_kapi.c
++++ b/net/netlabel/netlabel_kapi.c
+@@ -1140,6 +1140,9 @@ int netlbl_conn_setattr(struct sock *sk,
+ break;
+ #if IS_ENABLED(CONFIG_IPV6)
+ case AF_INET6:
++ if (sk->sk_family != AF_INET6)
++ return -EAFNOSUPPORT;
++
+ addr6 = (struct sockaddr_in6 *)addr;
+ entry = netlbl_domhsh_getentry_af6(secattr->domain,
+ &addr6->sin6_addr);
+--
+2.39.5
+
--- /dev/null
+From ba2a2c0c321255db8c88519d6803fb4e9b27a430 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Dec 2024 19:55:13 +0100
+Subject: cifs: Fix validation of SMB1 query reparse point response
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit 56e84c64fc257a95728ee73165456b025c48d408 ]
+
+Validate the SMB1 query reparse point response per [MS-CIFS] section
+2.2.7.2 NT_TRANSACT_IOCTL.
+
+NT_TRANSACT_IOCTL response contains one word long setup data after which is
+ByteCount member. So check that SetupCount is 1 before trying to read and
+use ByteCount member.
+
+Output setup data contains ReturnedDataLen member which is the output
+length of executed IOCTL command by remote system. So check that output was
+not truncated before transferring over network.
+
+Change MaxSetupCount of NT_TRANSACT_IOCTL request from 4 to 1 as io_rsp
+structure already expects one word long output setup data. This should
+prevent server sending incompatible structure (in case it would be extended
+in future, which is unlikely).
+
+Change MaxParameterCount of NT_TRANSACT_IOCTL request from 2 to 0 as
+NT IOCTL does not have any documented output parameters and this function
+does not parse any output parameters at all.
+
+Fixes: ed3e0a149b58 ("smb: client: implement ->query_reparse_point() for SMB1")
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/cifssmb.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/fs/smb/client/cifssmb.c b/fs/smb/client/cifssmb.c
+index b91184ebce02c..c36ab20050c16 100644
+--- a/fs/smb/client/cifssmb.c
++++ b/fs/smb/client/cifssmb.c
+@@ -2738,10 +2738,10 @@ int cifs_query_reparse_point(const unsigned int xid,
+
+ io_req->TotalParameterCount = 0;
+ io_req->TotalDataCount = 0;
+- io_req->MaxParameterCount = cpu_to_le32(2);
++ io_req->MaxParameterCount = cpu_to_le32(0);
+ /* BB find exact data count max from sess structure BB */
+ io_req->MaxDataCount = cpu_to_le32(CIFSMaxBufSize & 0xFFFFFF00);
+- io_req->MaxSetupCount = 4;
++ io_req->MaxSetupCount = 1;
+ io_req->Reserved = 0;
+ io_req->ParameterOffset = 0;
+ io_req->DataCount = 0;
+@@ -2768,6 +2768,22 @@ int cifs_query_reparse_point(const unsigned int xid,
+ goto error;
+ }
+
++ /* SetupCount must be 1, otherwise offset to ByteCount is incorrect. */
++ if (io_rsp->SetupCount != 1) {
++ rc = -EIO;
++ goto error;
++ }
++
++ /*
++ * ReturnedDataLen is output length of executed IOCTL.
++ * DataCount is output length transferred over network.
++ * Check that we have full FSCTL_GET_REPARSE_POINT buffer.
++ */
++ if (data_count != le16_to_cpu(io_rsp->ReturnedDataLen)) {
++ rc = -EIO;
++ goto error;
++ }
++
+ end = 2 + get_bcc(&io_rsp->hdr) + (__u8 *)&io_rsp->ByteCount;
+ start = (__u8 *)&io_rsp->hdr.Protocol + data_offset;
+ if (start >= end) {
+--
+2.39.5
+
--- /dev/null
+From fafcba2148080cf59789206f66e01a98baad4c9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Apr 2025 10:05:13 +0800
+Subject: clk: bcm: rpi: Add NULL check in raspberrypi_clk_register()
+
+From: Henry Martin <bsdhenrymartin@gmail.com>
+
+[ Upstream commit 73c46d9a93d071ca69858dea3f569111b03e549e ]
+
+devm_kasprintf() returns NULL when memory allocation fails. Currently,
+raspberrypi_clk_register() does not check for this case, which results
+in a NULL pointer dereference.
+
+Add NULL check after devm_kasprintf() to prevent this issue.
+
+Fixes: 93d2725affd6 ("clk: bcm: rpi: Discover the firmware clocks")
+Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
+Reviewed-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
+Link: https://lore.kernel.org/r/20250402020513.42628-1-bsdhenrymartin@gmail.com
+Reviewed-by: Stefan Wahren <wahrenst@gmx.net>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/bcm/clk-raspberrypi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/clk/bcm/clk-raspberrypi.c b/drivers/clk/bcm/clk-raspberrypi.c
+index 4d411408e4afe..cc4ca336ac13a 100644
+--- a/drivers/clk/bcm/clk-raspberrypi.c
++++ b/drivers/clk/bcm/clk-raspberrypi.c
+@@ -271,6 +271,8 @@ static struct clk_hw *raspberrypi_clk_register(struct raspberrypi_clk *rpi,
+ init.name = devm_kasprintf(rpi->dev, GFP_KERNEL,
+ "fw-clk-%s",
+ rpi_firmware_clk_names[id]);
++ if (!init.name)
++ return ERR_PTR(-ENOMEM);
+ init.ops = &raspberrypi_firmware_clk_ops;
+ init.flags = CLK_GET_RATE_NOCACHE;
+
+--
+2.39.5
+
--- /dev/null
+From 0bd90ce3a1764da0a23a9b03bdb74362cb1af45e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Apr 2025 14:12:55 +0200
+Subject: clk: qcom: camcc-sm6350: Add *_wait_val values for GDSCs
+
+From: Luca Weiss <luca.weiss@fairphone.com>
+
+[ Upstream commit e7b1c13280ad866f3b935f6c658713c41db61635 ]
+
+Compared to the msm-4.19 driver the mainline GDSC driver always sets the
+bits for en_rest, en_few & clk_dis, and if those values are not set
+per-GDSC in the respective driver then the default value from the GDSC
+driver is used. The downstream driver only conditionally sets
+clk_dis_wait_val if qcom,clk-dis-wait-val is given in devicetree.
+
+Correct this situation by explicitly setting those values. For all GDSCs
+the reset value of those bits are used.
+
+Fixes: 80f5451d9a7c ("clk: qcom: Add camera clock controller driver for SM6350")
+Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
+Reviewed-by: Taniya Das <quic_tdas@quicinc.com>
+Link: https://lore.kernel.org/r/20250425-sm6350-gdsc-val-v1-1-1f252d9c5e4e@fairphone.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/camcc-sm6350.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/drivers/clk/qcom/camcc-sm6350.c b/drivers/clk/qcom/camcc-sm6350.c
+index acba9f99d960c..eca36bd3ba5c9 100644
+--- a/drivers/clk/qcom/camcc-sm6350.c
++++ b/drivers/clk/qcom/camcc-sm6350.c
+@@ -1694,6 +1694,9 @@ static struct clk_branch camcc_sys_tmr_clk = {
+
+ static struct gdsc bps_gdsc = {
+ .gdscr = 0x6004,
++ .en_rest_wait_val = 0x2,
++ .en_few_wait_val = 0x2,
++ .clk_dis_wait_val = 0xf,
+ .pd = {
+ .name = "bps_gdsc",
+ },
+@@ -1703,6 +1706,9 @@ static struct gdsc bps_gdsc = {
+
+ static struct gdsc ipe_0_gdsc = {
+ .gdscr = 0x7004,
++ .en_rest_wait_val = 0x2,
++ .en_few_wait_val = 0x2,
++ .clk_dis_wait_val = 0xf,
+ .pd = {
+ .name = "ipe_0_gdsc",
+ },
+@@ -1712,6 +1718,9 @@ static struct gdsc ipe_0_gdsc = {
+
+ static struct gdsc ife_0_gdsc = {
+ .gdscr = 0x9004,
++ .en_rest_wait_val = 0x2,
++ .en_few_wait_val = 0x2,
++ .clk_dis_wait_val = 0xf,
+ .pd = {
+ .name = "ife_0_gdsc",
+ },
+@@ -1720,6 +1729,9 @@ static struct gdsc ife_0_gdsc = {
+
+ static struct gdsc ife_1_gdsc = {
+ .gdscr = 0xa004,
++ .en_rest_wait_val = 0x2,
++ .en_few_wait_val = 0x2,
++ .clk_dis_wait_val = 0xf,
+ .pd = {
+ .name = "ife_1_gdsc",
+ },
+@@ -1728,6 +1740,9 @@ static struct gdsc ife_1_gdsc = {
+
+ static struct gdsc ife_2_gdsc = {
+ .gdscr = 0xb004,
++ .en_rest_wait_val = 0x2,
++ .en_few_wait_val = 0x2,
++ .clk_dis_wait_val = 0xf,
+ .pd = {
+ .name = "ife_2_gdsc",
+ },
+@@ -1736,6 +1751,9 @@ static struct gdsc ife_2_gdsc = {
+
+ static struct gdsc titan_top_gdsc = {
+ .gdscr = 0x14004,
++ .en_rest_wait_val = 0x2,
++ .en_few_wait_val = 0x2,
++ .clk_dis_wait_val = 0xf,
+ .pd = {
+ .name = "titan_top_gdsc",
+ },
+--
+2.39.5
+
--- /dev/null
+From 0451e1dde5e8f6348d6d0bc0381f79ff6cf9a70d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Apr 2025 14:12:56 +0200
+Subject: clk: qcom: dispcc-sm6350: Add *_wait_val values for GDSCs
+
+From: Luca Weiss <luca.weiss@fairphone.com>
+
+[ Upstream commit 673989d27123618afab56df1143a75454178b4ae ]
+
+Compared to the msm-4.19 driver the mainline GDSC driver always sets the
+bits for en_rest, en_few & clk_dis, and if those values are not set
+per-GDSC in the respective driver then the default value from the GDSC
+driver is used. The downstream driver only conditionally sets
+clk_dis_wait_val if qcom,clk-dis-wait-val is given in devicetree.
+
+Correct this situation by explicitly setting those values. For all GDSCs
+the reset value of those bits are used.
+
+Fixes: 837519775f1d ("clk: qcom: Add display clock controller driver for SM6350")
+Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
+Reviewed-by: Taniya Das <quic_tdas@quicinc.com>
+Link: https://lore.kernel.org/r/20250425-sm6350-gdsc-val-v1-2-1f252d9c5e4e@fairphone.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/dispcc-sm6350.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/clk/qcom/dispcc-sm6350.c b/drivers/clk/qcom/dispcc-sm6350.c
+index ddacb4f76eca5..ea98a63746f0f 100644
+--- a/drivers/clk/qcom/dispcc-sm6350.c
++++ b/drivers/clk/qcom/dispcc-sm6350.c
+@@ -680,6 +680,9 @@ static struct clk_branch disp_cc_xo_clk = {
+
+ static struct gdsc mdss_gdsc = {
+ .gdscr = 0x1004,
++ .en_rest_wait_val = 0x2,
++ .en_few_wait_val = 0x2,
++ .clk_dis_wait_val = 0xf,
+ .pd = {
+ .name = "mdss_gdsc",
+ },
+--
+2.39.5
+
--- /dev/null
+From 992185c4c201627e57c848ef1f0d483ab6308fdc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Apr 2025 18:45:12 +0200
+Subject: clk: qcom: gcc-msm8939: Fix mclk0 & mclk1 for 24 MHz
+
+From: Vincent Knecht <vincent.knecht@mailoo.org>
+
+[ Upstream commit 9e7acf70cf6aa7b22f67d911f50a8cd510e8fb00 ]
+
+Fix mclk0 & mclk1 parent map to use correct GPLL6 configuration and
+freq_tbl to use GPLL6 instead of GPLL0 so that they tick at 24 MHz.
+
+Fixes: 1664014e4679 ("clk: qcom: gcc-msm8939: Add MSM8939 Generic Clock Controller")
+Suggested-by: Stephan Gerhold <stephan@gerhold.net>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Vincent Knecht <vincent.knecht@mailoo.org>
+Link: https://lore.kernel.org/r/20250414-gcc-msm8939-fixes-mclk-v2-resend2-v2-1-5ddcf572a6de@mailoo.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/gcc-msm8939.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/qcom/gcc-msm8939.c b/drivers/clk/qcom/gcc-msm8939.c
+index b45f97c07eeb6..e4a44377b75f7 100644
+--- a/drivers/clk/qcom/gcc-msm8939.c
++++ b/drivers/clk/qcom/gcc-msm8939.c
+@@ -432,7 +432,7 @@ static const struct parent_map gcc_xo_gpll0_gpll1a_gpll6_sleep_map[] = {
+ { P_XO, 0 },
+ { P_GPLL0, 1 },
+ { P_GPLL1_AUX, 2 },
+- { P_GPLL6, 2 },
++ { P_GPLL6, 3 },
+ { P_SLEEP_CLK, 6 },
+ };
+
+@@ -1100,7 +1100,7 @@ static struct clk_rcg2 jpeg0_clk_src = {
+ };
+
+ static const struct freq_tbl ftbl_gcc_camss_mclk0_1_clk[] = {
+- F(24000000, P_GPLL0, 1, 1, 45),
++ F(24000000, P_GPLL6, 1, 1, 45),
+ F(66670000, P_GPLL0, 12, 0, 0),
+ { }
+ };
+--
+2.39.5
+
--- /dev/null
+From a6d68bc6a85c09ac7c23059b1da0e6f355928d84 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Apr 2025 14:12:57 +0200
+Subject: clk: qcom: gcc-sm6350: Add *_wait_val values for GDSCs
+
+From: Luca Weiss <luca.weiss@fairphone.com>
+
+[ Upstream commit afdfd829a99e467869e3ca1955fb6c6e337c340a ]
+
+Compared to the msm-4.19 driver the mainline GDSC driver always sets the
+bits for en_rest, en_few & clk_dis, and if those values are not set
+per-GDSC in the respective driver then the default value from the GDSC
+driver is used. The downstream driver only conditionally sets
+clk_dis_wait_val if qcom,clk-dis-wait-val is given in devicetree.
+
+Correct this situation by explicitly setting those values. For all GDSCs
+the reset value of those bits are used.
+
+Fixes: 131abae905df ("clk: qcom: Add SM6350 GCC driver")
+Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
+Reviewed-by: Taniya Das <quic_tdas@quicinc.com>
+Link: https://lore.kernel.org/r/20250425-sm6350-gdsc-val-v1-3-1f252d9c5e4e@fairphone.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/gcc-sm6350.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/clk/qcom/gcc-sm6350.c b/drivers/clk/qcom/gcc-sm6350.c
+index 428cd99dcdcbe..4031613c6236f 100644
+--- a/drivers/clk/qcom/gcc-sm6350.c
++++ b/drivers/clk/qcom/gcc-sm6350.c
+@@ -2320,6 +2320,9 @@ static struct clk_branch gcc_video_xo_clk = {
+
+ static struct gdsc usb30_prim_gdsc = {
+ .gdscr = 0x1a004,
++ .en_rest_wait_val = 0x2,
++ .en_few_wait_val = 0x2,
++ .clk_dis_wait_val = 0xf,
+ .pd = {
+ .name = "usb30_prim_gdsc",
+ },
+@@ -2328,6 +2331,9 @@ static struct gdsc usb30_prim_gdsc = {
+
+ static struct gdsc ufs_phy_gdsc = {
+ .gdscr = 0x3a004,
++ .en_rest_wait_val = 0x2,
++ .en_few_wait_val = 0x2,
++ .clk_dis_wait_val = 0xf,
+ .pd = {
+ .name = "ufs_phy_gdsc",
+ },
+--
+2.39.5
+
--- /dev/null
+From 17ddeae5d58a7c85e064540f615b37cfee607d37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Apr 2025 14:12:58 +0200
+Subject: clk: qcom: gpucc-sm6350: Add *_wait_val values for GDSCs
+
+From: Luca Weiss <luca.weiss@fairphone.com>
+
+[ Upstream commit d988b0b866c2aeb23aa74022b5bbd463165a7a33 ]
+
+Compared to the msm-4.19 driver the mainline GDSC driver always sets the
+bits for en_rest, en_few & clk_dis, and if those values are not set
+per-GDSC in the respective driver then the default value from the GDSC
+driver is used. The downstream driver only conditionally sets
+clk_dis_wait_val if qcom,clk-dis-wait-val is given in devicetree.
+
+Correct this situation by explicitly setting those values. For all GDSCs
+the reset value of those bits are used, with the exception of
+gpu_cx_gdsc which has an explicit value (qcom,clk-dis-wait-val = <8>).
+
+Fixes: 013804a727a0 ("clk: qcom: Add GPU clock controller driver for SM6350")
+Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
+Reviewed-by: Taniya Das <quic_tdas@quicinc.com>
+Link: https://lore.kernel.org/r/20250425-sm6350-gdsc-val-v1-4-1f252d9c5e4e@fairphone.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/gpucc-sm6350.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/clk/qcom/gpucc-sm6350.c b/drivers/clk/qcom/gpucc-sm6350.c
+index 0bcbba2a29436..86c8ad5b55bac 100644
+--- a/drivers/clk/qcom/gpucc-sm6350.c
++++ b/drivers/clk/qcom/gpucc-sm6350.c
+@@ -412,6 +412,9 @@ static struct clk_branch gpu_cc_gx_vsense_clk = {
+ static struct gdsc gpu_cx_gdsc = {
+ .gdscr = 0x106c,
+ .gds_hw_ctrl = 0x1540,
++ .en_rest_wait_val = 0x2,
++ .en_few_wait_val = 0x2,
++ .clk_dis_wait_val = 0x8,
+ .pd = {
+ .name = "gpu_cx_gdsc",
+ },
+@@ -422,6 +425,9 @@ static struct gdsc gpu_cx_gdsc = {
+ static struct gdsc gpu_gx_gdsc = {
+ .gdscr = 0x100c,
+ .clamp_io_ctrl = 0x1508,
++ .en_rest_wait_val = 0x2,
++ .en_few_wait_val = 0x2,
++ .clk_dis_wait_val = 0x2,
+ .pd = {
+ .name = "gpu_gx_gdsc",
+ .power_on = gdsc_gx_do_nothing_enable,
+--
+2.39.5
+
--- /dev/null
+From 2d5759b5eed90c3bea8d9988478da4240adcc917 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 May 2025 17:19:51 +0100
+Subject: coresight: prevent deactivate active config while enabling the config
+
+From: Yeoreum Yun <yeoreum.yun@arm.com>
+
+[ Upstream commit 408c97c4a5e0b634dcd15bf8b8808b382e888164 ]
+
+While enable active config via cscfg_csdev_enable_active_config(),
+active config could be deactivated via configfs' sysfs interface.
+This could make UAF issue in below scenario:
+
+CPU0 CPU1
+(sysfs enable) load module
+ cscfg_load_config_sets()
+ activate config. // sysfs
+ (sys_active_cnt == 1)
+...
+cscfg_csdev_enable_active_config()
+lock(csdev->cscfg_csdev_lock)
+// here load config activate by CPU1
+unlock(csdev->cscfg_csdev_lock)
+
+ deactivate config // sysfs
+ (sys_activec_cnt == 0)
+ cscfg_unload_config_sets()
+ unload module
+
+// access to config_desc which freed
+// while unloading module.
+cscfg_csdev_enable_config
+
+To address this, use cscfg_config_desc's active_cnt as a reference count
+ which will be holded when
+ - activate the config.
+ - enable the activated config.
+and put the module reference when config_active_cnt == 0.
+
+Fixes: f8cce2ff3c04 ("coresight: syscfg: Add API to activate and enable configurations")
+Suggested-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>
+Reviewed-by: Leo Yan <leo.yan@arm.com>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Link: https://lore.kernel.org/r/20250514161951.3427590-4-yeoreum.yun@arm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../hwtracing/coresight/coresight-config.h | 2 +-
+ .../hwtracing/coresight/coresight-syscfg.c | 49 +++++++++++++------
+ 2 files changed, 35 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/hwtracing/coresight/coresight-config.h b/drivers/hwtracing/coresight/coresight-config.h
+index 6ba0139757418..84cdde6f0e4db 100644
+--- a/drivers/hwtracing/coresight/coresight-config.h
++++ b/drivers/hwtracing/coresight/coresight-config.h
+@@ -228,7 +228,7 @@ struct cscfg_feature_csdev {
+ * @feats_csdev:references to the device features to enable.
+ */
+ struct cscfg_config_csdev {
+- const struct cscfg_config_desc *config_desc;
++ struct cscfg_config_desc *config_desc;
+ struct coresight_device *csdev;
+ bool enabled;
+ struct list_head node;
+diff --git a/drivers/hwtracing/coresight/coresight-syscfg.c b/drivers/hwtracing/coresight/coresight-syscfg.c
+index 11138a9762b01..30a561d874819 100644
+--- a/drivers/hwtracing/coresight/coresight-syscfg.c
++++ b/drivers/hwtracing/coresight/coresight-syscfg.c
+@@ -867,6 +867,25 @@ void cscfg_csdev_reset_feats(struct coresight_device *csdev)
+ }
+ EXPORT_SYMBOL_GPL(cscfg_csdev_reset_feats);
+
++static bool cscfg_config_desc_get(struct cscfg_config_desc *config_desc)
++{
++ if (!atomic_fetch_inc(&config_desc->active_cnt)) {
++ /* must ensure that config cannot be unloaded in use */
++ if (unlikely(cscfg_owner_get(config_desc->load_owner))) {
++ atomic_dec(&config_desc->active_cnt);
++ return false;
++ }
++ }
++
++ return true;
++}
++
++static void cscfg_config_desc_put(struct cscfg_config_desc *config_desc)
++{
++ if (!atomic_dec_return(&config_desc->active_cnt))
++ cscfg_owner_put(config_desc->load_owner);
++}
++
+ /*
+ * This activate configuration for either perf or sysfs. Perf can have multiple
+ * active configs, selected per event, sysfs is limited to one.
+@@ -890,22 +909,17 @@ static int _cscfg_activate_config(unsigned long cfg_hash)
+ if (config_desc->available == false)
+ return -EBUSY;
+
+- /* must ensure that config cannot be unloaded in use */
+- err = cscfg_owner_get(config_desc->load_owner);
+- if (err)
++ if (!cscfg_config_desc_get(config_desc)) {
++ err = -EINVAL;
+ break;
++ }
++
+ /*
+ * increment the global active count - control changes to
+ * active configurations
+ */
+ atomic_inc(&cscfg_mgr->sys_active_cnt);
+
+- /*
+- * mark the descriptor as active so enable config on a
+- * device instance will use it
+- */
+- atomic_inc(&config_desc->active_cnt);
+-
+ err = 0;
+ dev_dbg(cscfg_device(), "Activate config %s.\n", config_desc->name);
+ break;
+@@ -920,9 +934,8 @@ static void _cscfg_deactivate_config(unsigned long cfg_hash)
+
+ list_for_each_entry(config_desc, &cscfg_mgr->config_desc_list, item) {
+ if ((unsigned long)config_desc->event_ea->var == cfg_hash) {
+- atomic_dec(&config_desc->active_cnt);
+ atomic_dec(&cscfg_mgr->sys_active_cnt);
+- cscfg_owner_put(config_desc->load_owner);
++ cscfg_config_desc_put(config_desc);
+ dev_dbg(cscfg_device(), "Deactivate config %s.\n", config_desc->name);
+ break;
+ }
+@@ -1047,7 +1060,7 @@ int cscfg_csdev_enable_active_config(struct coresight_device *csdev,
+ unsigned long cfg_hash, int preset)
+ {
+ struct cscfg_config_csdev *config_csdev_active = NULL, *config_csdev_item;
+- const struct cscfg_config_desc *config_desc;
++ struct cscfg_config_desc *config_desc;
+ unsigned long flags;
+ int err = 0;
+
+@@ -1062,8 +1075,8 @@ int cscfg_csdev_enable_active_config(struct coresight_device *csdev,
+ spin_lock_irqsave(&csdev->cscfg_csdev_lock, flags);
+ list_for_each_entry(config_csdev_item, &csdev->config_csdev_list, node) {
+ config_desc = config_csdev_item->config_desc;
+- if ((atomic_read(&config_desc->active_cnt)) &&
+- ((unsigned long)config_desc->event_ea->var == cfg_hash)) {
++ if (((unsigned long)config_desc->event_ea->var == cfg_hash) &&
++ cscfg_config_desc_get(config_desc)) {
+ config_csdev_active = config_csdev_item;
+ csdev->active_cscfg_ctxt = (void *)config_csdev_active;
+ break;
+@@ -1097,7 +1110,11 @@ int cscfg_csdev_enable_active_config(struct coresight_device *csdev,
+ err = -EBUSY;
+ spin_unlock_irqrestore(&csdev->cscfg_csdev_lock, flags);
+ }
++
++ if (err)
++ cscfg_config_desc_put(config_desc);
+ }
++
+ return err;
+ }
+ EXPORT_SYMBOL_GPL(cscfg_csdev_enable_active_config);
+@@ -1136,8 +1153,10 @@ void cscfg_csdev_disable_active_config(struct coresight_device *csdev)
+ spin_unlock_irqrestore(&csdev->cscfg_csdev_lock, flags);
+
+ /* true if there was an enabled active config */
+- if (config_csdev)
++ if (config_csdev) {
+ cscfg_csdev_disable_config(config_csdev);
++ cscfg_config_desc_put(config_csdev->config_desc);
++ }
+ }
+ EXPORT_SYMBOL_GPL(cscfg_csdev_disable_active_config);
+
+--
+2.39.5
+
--- /dev/null
+From e477558fe532855aef472a107f7c85b2d07418f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 Mar 2025 18:36:40 +0200
+Subject: counter: interrupt-cnt: Protect enable/disable OPs with mutex
+
+From: Alexander Sverdlin <alexander.sverdlin@siemens.com>
+
+[ Upstream commit 7351312632e831e51383f48957d47712fae791ef ]
+
+Enable/disable seems to be racy on SMP, consider the following scenario:
+
+CPU0 CPU1
+
+interrupt_cnt_enable_write(true)
+{
+ if (priv->enabled == enable)
+ return 0;
+
+ if (enable) {
+ priv->enabled = true;
+ interrupt_cnt_enable_write(false)
+ {
+ if (priv->enabled == enable)
+ return 0;
+
+ if (enable) {
+ priv->enabled = true;
+ enable_irq(priv->irq);
+ } else {
+ disable_irq(priv->irq)
+ priv->enabled = false;
+ }
+ enable_irq(priv->irq);
+ } else {
+ disable_irq(priv->irq);
+ priv->enabled = false;
+ }
+
+The above would result in priv->enabled == false, but IRQ left enabled.
+Protect both write (above race) and read (to propagate the value on SMP)
+callbacks with a mutex.
+
+Signed-off-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
+Fixes: a55ebd47f21f ("counter: add IRQ or GPIO based counter")
+Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: https://lore.kernel.org/r/20250331163642.2382651-1-alexander.sverdlin@siemens.com
+Signed-off-by: William Breathitt Gray <wbg@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/counter/interrupt-cnt.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/counter/interrupt-cnt.c b/drivers/counter/interrupt-cnt.c
+index 229473855c5b3..bc762ba87a19b 100644
+--- a/drivers/counter/interrupt-cnt.c
++++ b/drivers/counter/interrupt-cnt.c
+@@ -3,12 +3,14 @@
+ * Copyright (c) 2021 Pengutronix, Oleksij Rempel <kernel@pengutronix.de>
+ */
+
++#include <linux/cleanup.h>
+ #include <linux/counter.h>
+ #include <linux/gpio/consumer.h>
+ #include <linux/interrupt.h>
+ #include <linux/irq.h>
+ #include <linux/mod_devicetable.h>
+ #include <linux/module.h>
++#include <linux/mutex.h>
+ #include <linux/platform_device.h>
+ #include <linux/types.h>
+
+@@ -19,6 +21,7 @@ struct interrupt_cnt_priv {
+ struct gpio_desc *gpio;
+ int irq;
+ bool enabled;
++ struct mutex lock;
+ struct counter_signal signals;
+ struct counter_synapse synapses;
+ struct counter_count cnts;
+@@ -41,6 +44,8 @@ static int interrupt_cnt_enable_read(struct counter_device *counter,
+ {
+ struct interrupt_cnt_priv *priv = counter_priv(counter);
+
++ guard(mutex)(&priv->lock);
++
+ *enable = priv->enabled;
+
+ return 0;
+@@ -51,6 +56,8 @@ static int interrupt_cnt_enable_write(struct counter_device *counter,
+ {
+ struct interrupt_cnt_priv *priv = counter_priv(counter);
+
++ guard(mutex)(&priv->lock);
++
+ if (priv->enabled == enable)
+ return 0;
+
+@@ -227,6 +234,8 @@ static int interrupt_cnt_probe(struct platform_device *pdev)
+ if (ret)
+ return ret;
+
++ mutex_init(&priv->lock);
++
+ ret = devm_counter_add(dev, counter);
+ if (ret < 0)
+ return dev_err_probe(dev, ret, "Failed to add counter\n");
+--
+2.39.5
+
--- /dev/null
+From a8878fd5ffdbd82922cb57b1ea17c57cab6fec0e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 May 2025 16:28:08 +0800
+Subject: crypto: lrw - Only add ecb if it is not already there
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 3d73909bddc2ebb3224a8bc2e5ce00e9df70c15d ]
+
+Only add ecb to the cipher name if it isn't already ecb.
+
+Also use memcmp instead of strncmp since these strings are all
+stored in an array of length CRYPTO_MAX_ALG_NAME.
+
+Fixes: 700cb3f5fe75 ("crypto: lrw - Convert to skcipher")
+Reported-by: kernel test robot <oliver.sang@intel.com>
+Closes: https://lore.kernel.org/oe-lkp/202505151503.d8a6cf10-lkp@intel.com
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/lrw.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/lrw.c b/crypto/lrw.c
+index 59260aefed280..5536ec7bf18f1 100644
+--- a/crypto/lrw.c
++++ b/crypto/lrw.c
+@@ -322,7 +322,7 @@ static int lrw_create(struct crypto_template *tmpl, struct rtattr **tb)
+
+ err = crypto_grab_skcipher(spawn, skcipher_crypto_instance(inst),
+ cipher_name, 0, mask);
+- if (err == -ENOENT) {
++ if (err == -ENOENT && memcmp(cipher_name, "ecb(", 4)) {
+ err = -ENAMETOOLONG;
+ if (snprintf(ecb_name, CRYPTO_MAX_ALG_NAME, "ecb(%s)",
+ cipher_name) >= CRYPTO_MAX_ALG_NAME)
+@@ -356,7 +356,7 @@ static int lrw_create(struct crypto_template *tmpl, struct rtattr **tb)
+ /* Alas we screwed up the naming so we have to mangle the
+ * cipher name.
+ */
+- if (!strncmp(cipher_name, "ecb(", 4)) {
++ if (!memcmp(cipher_name, "ecb(", 4)) {
+ int len;
+
+ len = strscpy(ecb_name, cipher_name + 4, sizeof(ecb_name));
+--
+2.39.5
+
--- /dev/null
+From 7299d3dd9342765b1be7b511aa1a4734fcbe054c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 May 2025 18:43:33 +0800
+Subject: crypto: marvell/cesa - Avoid empty transfer descriptor
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 1bafd82d9a40cf09c6c40f1c09cc35b7050b1a9f ]
+
+The user may set req->src even if req->nbytes == 0. If there
+is no data to hash from req->src, do not generate an empty TDMA
+descriptor.
+
+Fixes: db509a45339f ("crypto: marvell/cesa - add TDMA support")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/marvell/cesa/hash.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/marvell/cesa/hash.c b/drivers/crypto/marvell/cesa/hash.c
+index f150861ceaf69..6815eddc90681 100644
+--- a/drivers/crypto/marvell/cesa/hash.c
++++ b/drivers/crypto/marvell/cesa/hash.c
+@@ -663,7 +663,7 @@ static int mv_cesa_ahash_dma_req_init(struct ahash_request *req)
+ if (ret)
+ goto err_free_tdma;
+
+- if (iter.src.sg) {
++ if (iter.base.len > iter.src.op_offset) {
+ /*
+ * Add all the new data, inserting an operation block and
+ * launch command between each full SRAM block-worth of
+--
+2.39.5
+
--- /dev/null
+From 286d03a79bfb06d0f114e519d8ed6cc80216b297 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 May 2025 18:41:31 +0800
+Subject: crypto: marvell/cesa - Handle zero-length skcipher requests
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 8a4e047c6cc07676f637608a9dd675349b5de0a7 ]
+
+Do not access random memory for zero-length skcipher requests.
+Just return 0.
+
+Fixes: f63601fd616a ("crypto: marvell/cesa - add a new driver for Marvell's CESA")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/marvell/cesa/cipher.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/crypto/marvell/cesa/cipher.c b/drivers/crypto/marvell/cesa/cipher.c
+index 0f37dfd42d850..3876e3ce822f4 100644
+--- a/drivers/crypto/marvell/cesa/cipher.c
++++ b/drivers/crypto/marvell/cesa/cipher.c
+@@ -459,6 +459,9 @@ static int mv_cesa_skcipher_queue_req(struct skcipher_request *req,
+ struct mv_cesa_skcipher_req *creq = skcipher_request_ctx(req);
+ struct mv_cesa_engine *engine;
+
++ if (!req->cryptlen)
++ return 0;
++
+ ret = mv_cesa_skcipher_req_init(req, tmpl);
+ if (ret)
+ return ret;
+--
+2.39.5
+
--- /dev/null
+From 74976dc17baa8589f209cb09df291145c31d40fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Apr 2025 15:45:14 +0300
+Subject: crypto: sun8i-ce-cipher - fix error handling in
+ sun8i_ce_cipher_prepare()
+
+From: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
+
+[ Upstream commit f31adc3e356f7350d4a4d68c98d3f60f2f6e26b3 ]
+
+Fix two DMA cleanup issues on the error path in sun8i_ce_cipher_prepare():
+
+1] If dma_map_sg() fails for areq->dst, the device driver would try to free
+ DMA memory it has not allocated in the first place. To fix this, on the
+ "theend_sgs" error path, call dma unmap only if the corresponding dma
+ map was successful.
+
+2] If the dma_map_single() call for the IV fails, the device driver would
+ try to free an invalid DMA memory address on the "theend_iv" path:
+ ------------[ cut here ]------------
+ DMA-API: sun8i-ce 1904000.crypto: device driver tries to free an invalid DMA memory address
+ WARNING: CPU: 2 PID: 69 at kernel/dma/debug.c:968 check_unmap+0x123c/0x1b90
+ Modules linked in: skcipher_example(O+)
+ CPU: 2 UID: 0 PID: 69 Comm: 1904000.crypto- Tainted: G O 6.15.0-rc3+ #24 PREEMPT
+ Tainted: [O]=OOT_MODULE
+ Hardware name: OrangePi Zero2 (DT)
+ pc : check_unmap+0x123c/0x1b90
+ lr : check_unmap+0x123c/0x1b90
+ ...
+ Call trace:
+ check_unmap+0x123c/0x1b90 (P)
+ debug_dma_unmap_page+0xac/0xc0
+ dma_unmap_page_attrs+0x1f4/0x5fc
+ sun8i_ce_cipher_do_one+0x1bd4/0x1f40
+ crypto_pump_work+0x334/0x6e0
+ kthread_worker_fn+0x21c/0x438
+ kthread+0x374/0x664
+ ret_from_fork+0x10/0x20
+ ---[ end trace 0000000000000000 ]---
+
+To fix this, check for !dma_mapping_error() before calling
+dma_unmap_single() on the "theend_iv" path.
+
+Fixes: 06f751b61329 ("crypto: allwinner - Add sun8i-ce Crypto Engine")
+Signed-off-by: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c
+index d2cf9619018b1..70434601f99be 100644
+--- a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c
++++ b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c
+@@ -275,13 +275,16 @@ static int sun8i_ce_cipher_prepare(struct crypto_engine *engine, void *async_req
+ } else {
+ if (nr_sgs > 0)
+ dma_unmap_sg(ce->dev, areq->src, ns, DMA_TO_DEVICE);
+- dma_unmap_sg(ce->dev, areq->dst, nd, DMA_FROM_DEVICE);
++
++ if (nr_sgd > 0)
++ dma_unmap_sg(ce->dev, areq->dst, nd, DMA_FROM_DEVICE);
+ }
+
+ theend_iv:
+ if (areq->iv && ivsize > 0) {
+- if (rctx->addr_iv)
++ if (!dma_mapping_error(ce->dev, rctx->addr_iv))
+ dma_unmap_single(ce->dev, rctx->addr_iv, rctx->ivlen, DMA_TO_DEVICE);
++
+ offset = areq->cryptlen - ivsize;
+ if (rctx->op_dir & CE_DECRYPTION) {
+ memcpy(areq->iv, chan->backup_iv, ivsize);
+--
+2.39.5
+
--- /dev/null
+From 0a64d3ad40d1fb1eab30a02e509cd3aa228259c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Apr 2025 22:23:16 +0300
+Subject: crypto: sun8i-ce-hash - fix error handling in sun8i_ce_hash_run()
+
+From: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
+
+[ Upstream commit ea4dd134ef332bd9e3e734c1ba0a1521f436b678 ]
+
+Rework error handling in sun8i_ce_hash_run() to unmap the dma buffers in
+case of failure. Currently, the dma unmap functions are not called if the
+function errors out at various points.
+
+Fixes: 56f6d5aee88d1 ("crypto: sun8i-ce - support hash algorithms")
+Signed-off-by: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../crypto/allwinner/sun8i-ce/sun8i-ce-hash.c | 34 ++++++++++++-------
+ 1 file changed, 21 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-hash.c b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-hash.c
+index d358334e59811..ebc857ed10e11 100644
+--- a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-hash.c
++++ b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-hash.c
+@@ -343,9 +343,8 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq)
+ u32 common;
+ u64 byte_count;
+ __le32 *bf;
+- void *buf = NULL;
++ void *buf, *result;
+ int j, i, todo;
+- void *result = NULL;
+ u64 bs;
+ int digestsize;
+ dma_addr_t addr_res, addr_pad;
+@@ -365,14 +364,14 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq)
+ buf = kzalloc(bs * 2, GFP_KERNEL | GFP_DMA);
+ if (!buf) {
+ err = -ENOMEM;
+- goto theend;
++ goto err_out;
+ }
+ bf = (__le32 *)buf;
+
+ result = kzalloc(digestsize, GFP_KERNEL | GFP_DMA);
+ if (!result) {
+ err = -ENOMEM;
+- goto theend;
++ goto err_free_buf;
+ }
+
+ flow = rctx->flow;
+@@ -398,7 +397,7 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq)
+ if (nr_sgs <= 0 || nr_sgs > MAX_SG) {
+ dev_err(ce->dev, "Invalid sg number %d\n", nr_sgs);
+ err = -EINVAL;
+- goto theend;
++ goto err_free_result;
+ }
+
+ len = areq->nbytes;
+@@ -411,7 +410,7 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq)
+ if (len > 0) {
+ dev_err(ce->dev, "remaining len %d\n", len);
+ err = -EINVAL;
+- goto theend;
++ goto err_unmap_src;
+ }
+ addr_res = dma_map_single(ce->dev, result, digestsize, DMA_FROM_DEVICE);
+ cet->t_dst[0].addr = cpu_to_le32(addr_res);
+@@ -419,7 +418,7 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq)
+ if (dma_mapping_error(ce->dev, addr_res)) {
+ dev_err(ce->dev, "DMA map dest\n");
+ err = -EINVAL;
+- goto theend;
++ goto err_unmap_src;
+ }
+
+ byte_count = areq->nbytes;
+@@ -441,7 +440,7 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq)
+ }
+ if (!j) {
+ err = -EINVAL;
+- goto theend;
++ goto err_unmap_result;
+ }
+
+ addr_pad = dma_map_single(ce->dev, buf, j * 4, DMA_TO_DEVICE);
+@@ -450,7 +449,7 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq)
+ if (dma_mapping_error(ce->dev, addr_pad)) {
+ dev_err(ce->dev, "DMA error on padding SG\n");
+ err = -EINVAL;
+- goto theend;
++ goto err_unmap_result;
+ }
+
+ if (ce->variant->hash_t_dlen_in_bits)
+@@ -463,16 +462,25 @@ int sun8i_ce_hash_run(struct crypto_engine *engine, void *breq)
+ err = sun8i_ce_run_task(ce, flow, crypto_ahash_alg_name(tfm));
+
+ dma_unmap_single(ce->dev, addr_pad, j * 4, DMA_TO_DEVICE);
+- dma_unmap_sg(ce->dev, areq->src, ns, DMA_TO_DEVICE);
++
++err_unmap_result:
+ dma_unmap_single(ce->dev, addr_res, digestsize, DMA_FROM_DEVICE);
++ if (!err)
++ memcpy(areq->result, result, algt->alg.hash.base.halg.digestsize);
+
++err_unmap_src:
++ dma_unmap_sg(ce->dev, areq->src, ns, DMA_TO_DEVICE);
+
+- memcpy(areq->result, result, algt->alg.hash.base.halg.digestsize);
+-theend:
+- kfree(buf);
++err_free_result:
+ kfree(result);
++
++err_free_buf:
++ kfree(buf);
++
++err_out:
+ local_bh_disable();
+ crypto_finalize_hash_request(engine, breq, err);
+ local_bh_enable();
++
+ return 0;
+ }
+--
+2.39.5
+
--- /dev/null
+From 6dfeb5d069c1e5bbe9ca40b143117a082029191d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 May 2025 15:06:56 +0300
+Subject: crypto: sun8i-ce - move fallback ahash_request to the end of the
+ struct
+
+From: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
+
+[ Upstream commit c822831b426307a6ca426621504d3c7f99765a39 ]
+
+'struct ahash_request' has a flexible array at the end, so it must be the
+last member in a struct, to avoid overwriting other struct members.
+
+Therefore, move 'fallback_req' to the end of the 'sun8i_ce_hash_reqctx'
+struct.
+
+Fixes: 56f6d5aee88d ("crypto: sun8i-ce - support hash algorithms")
+Signed-off-by: Ovidiu Panait <ovidiu.panait.oss@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h
+index 93d4985def87a..65cc1278ee155 100644
+--- a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h
++++ b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h
+@@ -293,8 +293,8 @@ struct sun8i_ce_hash_tfm_ctx {
+ * @flow: the flow to use for this request
+ */
+ struct sun8i_ce_hash_reqctx {
+- struct ahash_request fallback_req;
+ int flow;
++ struct ahash_request fallback_req; // keep at the end
+ };
+
+ /*
+--
+2.39.5
+
--- /dev/null
+From 63b0481d048d8708eb3e42ced8343885f826d687 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 27 Apr 2025 13:12:36 +0200
+Subject: crypto: sun8i-ss - do not use sg_dma_len before calling DMA functions
+
+From: Corentin Labbe <clabbe.montjoie@gmail.com>
+
+[ Upstream commit 2dfc7cd74a5e062a5405560447517e7aab1c7341 ]
+
+When testing sun8i-ss with multi_v7_defconfig, all CBC algorithm fail crypto
+selftests.
+This is strange since on sunxi_defconfig, everything was ok.
+The problem was in the IV setup loop which never run because sg_dma_len
+was 0.
+
+Fixes: 359e893e8af4 ("crypto: sun8i-ss - rework handling of IV")
+Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c b/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c
+index 7fa359725ec75..9b18fb46a2c89 100644
+--- a/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c
++++ b/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c
+@@ -141,7 +141,7 @@ static int sun8i_ss_setup_ivs(struct skcipher_request *areq)
+
+ /* we need to copy all IVs from source in case DMA is bi-directionnal */
+ while (sg && len) {
+- if (sg_dma_len(sg) == 0) {
++ if (sg->length == 0) {
+ sg = sg_next(sg);
+ continue;
+ }
+--
+2.39.5
+
--- /dev/null
+From 0c5823706a0cb53fd8ba3a11675bccd22b3b7a4d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 May 2025 16:34:04 +0800
+Subject: crypto: xts - Only add ecb if it is not already there
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 270b6f13454cb7f2f7058c50df64df409c5dcf55 ]
+
+Only add ecb to the cipher name if it isn't already ecb.
+
+Also use memcmp instead of strncmp since these strings are all
+stored in an array of length CRYPTO_MAX_ALG_NAME.
+
+Fixes: f1c131b45410 ("crypto: xts - Convert to skcipher")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/xts.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/xts.c b/crypto/xts.c
+index 038f60dd512d9..97fd0fb8757c2 100644
+--- a/crypto/xts.c
++++ b/crypto/xts.c
+@@ -363,7 +363,7 @@ static int xts_create(struct crypto_template *tmpl, struct rtattr **tb)
+
+ err = crypto_grab_skcipher(&ctx->spawn, skcipher_crypto_instance(inst),
+ cipher_name, 0, mask);
+- if (err == -ENOENT) {
++ if (err == -ENOENT && memcmp(cipher_name, "ecb(", 4)) {
+ err = -ENAMETOOLONG;
+ if (snprintf(name, CRYPTO_MAX_ALG_NAME, "ecb(%s)",
+ cipher_name) >= CRYPTO_MAX_ALG_NAME)
+@@ -397,7 +397,7 @@ static int xts_create(struct crypto_template *tmpl, struct rtattr **tb)
+ /* Alas we screwed up the naming so we have to mangle the
+ * cipher name.
+ */
+- if (!strncmp(cipher_name, "ecb(", 4)) {
++ if (!memcmp(cipher_name, "ecb(", 4)) {
+ int len;
+
+ len = strscpy(name, cipher_name + 4, sizeof(name));
+--
+2.39.5
+
--- /dev/null
+From 4c27ea8acf09d294d79c7905d2358dd7b9d09e57 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Apr 2025 15:49:38 -0400
+Subject: dm: don't change md if dm_table_set_restrictions() fails
+
+From: Benjamin Marzinski <bmarzins@redhat.com>
+
+[ Upstream commit 9eb7109a5bfc5b8226e9517e9f3cc6d414391884 ]
+
+__bind was changing the disk capacity, geometry and mempools of the
+mapped device before calling dm_table_set_restrictions() which could
+fail, forcing dm to drop the new table. Failing here would leave the
+device using the old table but with the wrong capacity and mempools.
+
+Move dm_table_set_restrictions() earlier in __bind(). Since it needs the
+capacity to be set, save the old version and restore it on failure.
+
+Fixes: bb37d77239af2 ("dm: introduce zone append emulation")
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Tested-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com>
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm.c | 22 ++++++++++++----------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/md/dm.c b/drivers/md/dm.c
+index 9ea868bd0d129..d154c89305fbe 100644
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -2195,21 +2195,29 @@ static struct dm_table *__bind(struct mapped_device *md, struct dm_table *t,
+ struct queue_limits *limits)
+ {
+ struct dm_table *old_map;
+- sector_t size;
++ sector_t size, old_size;
+ int ret;
+
+ lockdep_assert_held(&md->suspend_lock);
+
+ size = dm_table_get_size(t);
+
++ old_size = dm_get_size(md);
++ set_capacity(md->disk, size);
++
++ ret = dm_table_set_restrictions(t, md->queue, limits);
++ if (ret) {
++ set_capacity(md->disk, old_size);
++ old_map = ERR_PTR(ret);
++ goto out;
++ }
++
+ /*
+ * Wipe any geometry if the size of the table changed.
+ */
+- if (size != dm_get_size(md))
++ if (size != old_size)
+ memset(&md->geometry, 0, sizeof(md->geometry));
+
+- set_capacity(md->disk, size);
+-
+ dm_table_event_callback(t, event_callback, md);
+
+ if (dm_table_request_based(t)) {
+@@ -2242,12 +2250,6 @@ static struct dm_table *__bind(struct mapped_device *md, struct dm_table *t,
+ t->mempools = NULL;
+ }
+
+- ret = dm_table_set_restrictions(t, md->queue, limits);
+- if (ret) {
+- old_map = ERR_PTR(ret);
+- goto out;
+- }
+-
+ old_map = rcu_dereference_protected(md->map, lockdep_is_held(&md->suspend_lock));
+ rcu_assign_pointer(md->map, (void *)t);
+ md->immutable_target_type = dm_table_get_immutable_target_type(t);
+--
+2.39.5
+
--- /dev/null
+From 4e0240927875b0127b1ce3725477fbf2705d3bb9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Apr 2025 19:47:36 -0400
+Subject: dm-flakey: error all IOs when num_features is absent
+
+From: Benjamin Marzinski <bmarzins@redhat.com>
+
+[ Upstream commit 40ed054f39bc99eac09871c33198e501f4acdf24 ]
+
+dm-flakey would error all IOs if num_features was 0, but if it was
+absent, dm-flakey would never error any IO. Fix this so that no
+num_features works the same as num_features set to 0.
+
+Fixes: aa7d7bc99fed7 ("dm flakey: add an "error_reads" option")
+Reported-by: Kent Overstreet <kent.overstreet@linux.dev>
+Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com>
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm-flakey.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/md/dm-flakey.c b/drivers/md/dm-flakey.c
+index dc491dc771d71..aeb9ecaf9a207 100644
+--- a/drivers/md/dm-flakey.c
++++ b/drivers/md/dm-flakey.c
+@@ -53,8 +53,8 @@ struct per_bio_data {
+ static int parse_features(struct dm_arg_set *as, struct flakey_c *fc,
+ struct dm_target *ti)
+ {
+- int r;
+- unsigned int argc;
++ int r = 0;
++ unsigned int argc = 0;
+ const char *arg_name;
+
+ static const struct dm_arg _args[] = {
+@@ -65,14 +65,13 @@ static int parse_features(struct dm_arg_set *as, struct flakey_c *fc,
+ {0, PROBABILITY_BASE, "Invalid random corrupt argument"},
+ };
+
+- /* No feature arguments supplied. */
+- if (!as->argc)
+- return 0;
+-
+- r = dm_read_arg_group(_args, as, &argc, &ti->error);
+- if (r)
++ if (as->argc && (r = dm_read_arg_group(_args, as, &argc, &ti->error)))
+ return r;
+
++ /* No feature arguments supplied. */
++ if (!argc)
++ goto error_all_io;
++
+ while (argc) {
+ arg_name = dm_shift_arg(as);
+ argc--;
+@@ -217,6 +216,7 @@ static int parse_features(struct dm_arg_set *as, struct flakey_c *fc,
+ if (!fc->corrupt_bio_byte && !test_bit(ERROR_READS, &fc->flags) &&
+ !test_bit(DROP_WRITES, &fc->flags) && !test_bit(ERROR_WRITES, &fc->flags) &&
+ !fc->random_read_corrupt && !fc->random_write_corrupt) {
++error_all_io:
+ set_bit(ERROR_WRITES, &fc->flags);
+ set_bit(ERROR_READS, &fc->flags);
+ }
+--
+2.39.5
+
--- /dev/null
+From aef679ebd36d66e04f7d7cc38a5c7d1801ba4a89 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Apr 2025 19:47:38 -0400
+Subject: dm-flakey: make corrupting read bios work
+
+From: Benjamin Marzinski <bmarzins@redhat.com>
+
+[ Upstream commit 13e79076c89f6e96a6cca8f6df38b40d025907b4 ]
+
+dm-flakey corrupts the read bios in the endio function. However, the
+corrupt_bio_* functions checked bio_has_data() to see if there was data
+to corrupt. Since this was the endio function, there was no data left to
+complete, so bio_has_data() was always false. Fix this by saving a copy
+of the bio's bi_iter in flakey_map(), and using this to initialize the
+iter for corrupting the read bios. This patch also skips cloning the bio
+for write bios with no data.
+
+Reported-by: Kent Overstreet <kent.overstreet@linux.dev>
+Fixes: a3998799fb4df ("dm flakey: add corrupt_bio_byte feature")
+Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com>
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm-flakey.c | 54 ++++++++++++++++++++++--------------------
+ 1 file changed, 28 insertions(+), 26 deletions(-)
+
+diff --git a/drivers/md/dm-flakey.c b/drivers/md/dm-flakey.c
+index aeb9ecaf9a207..ada679f4fca67 100644
+--- a/drivers/md/dm-flakey.c
++++ b/drivers/md/dm-flakey.c
+@@ -47,7 +47,8 @@ enum feature_flag_bits {
+ };
+
+ struct per_bio_data {
+- bool bio_submitted;
++ bool bio_can_corrupt;
++ struct bvec_iter saved_iter;
+ };
+
+ static int parse_features(struct dm_arg_set *as, struct flakey_c *fc,
+@@ -339,7 +340,8 @@ static void flakey_map_bio(struct dm_target *ti, struct bio *bio)
+ }
+
+ static void corrupt_bio_common(struct bio *bio, unsigned int corrupt_bio_byte,
+- unsigned char corrupt_bio_value)
++ unsigned char corrupt_bio_value,
++ struct bvec_iter start)
+ {
+ struct bvec_iter iter;
+ struct bio_vec bvec;
+@@ -348,7 +350,7 @@ static void corrupt_bio_common(struct bio *bio, unsigned int corrupt_bio_byte,
+ * Overwrite the Nth byte of the bio's data, on whichever page
+ * it falls.
+ */
+- bio_for_each_segment(bvec, bio, iter) {
++ __bio_for_each_segment(bvec, bio, iter, start) {
+ if (bio_iter_len(bio, iter) > corrupt_bio_byte) {
+ unsigned char *segment = bvec_kmap_local(&bvec);
+ segment[corrupt_bio_byte] = corrupt_bio_value;
+@@ -357,36 +359,31 @@ static void corrupt_bio_common(struct bio *bio, unsigned int corrupt_bio_byte,
+ "(rw=%c bi_opf=%u bi_sector=%llu size=%u)\n",
+ bio, corrupt_bio_value, corrupt_bio_byte,
+ (bio_data_dir(bio) == WRITE) ? 'w' : 'r', bio->bi_opf,
+- (unsigned long long)bio->bi_iter.bi_sector,
+- bio->bi_iter.bi_size);
++ (unsigned long long)start.bi_sector,
++ start.bi_size);
+ break;
+ }
+ corrupt_bio_byte -= bio_iter_len(bio, iter);
+ }
+ }
+
+-static void corrupt_bio_data(struct bio *bio, struct flakey_c *fc)
++static void corrupt_bio_data(struct bio *bio, struct flakey_c *fc,
++ struct bvec_iter start)
+ {
+ unsigned int corrupt_bio_byte = fc->corrupt_bio_byte - 1;
+
+- if (!bio_has_data(bio))
+- return;
+-
+- corrupt_bio_common(bio, corrupt_bio_byte, fc->corrupt_bio_value);
++ corrupt_bio_common(bio, corrupt_bio_byte, fc->corrupt_bio_value, start);
+ }
+
+-static void corrupt_bio_random(struct bio *bio)
++static void corrupt_bio_random(struct bio *bio, struct bvec_iter start)
+ {
+ unsigned int corrupt_byte;
+ unsigned char corrupt_value;
+
+- if (!bio_has_data(bio))
+- return;
+-
+- corrupt_byte = get_random_u32() % bio->bi_iter.bi_size;
++ corrupt_byte = get_random_u32() % start.bi_size;
+ corrupt_value = get_random_u8();
+
+- corrupt_bio_common(bio, corrupt_byte, corrupt_value);
++ corrupt_bio_common(bio, corrupt_byte, corrupt_value, start);
+ }
+
+ static void clone_free(struct bio *clone)
+@@ -481,7 +478,7 @@ static int flakey_map(struct dm_target *ti, struct bio *bio)
+ unsigned int elapsed;
+ struct per_bio_data *pb = dm_per_bio_data(bio, sizeof(struct per_bio_data));
+
+- pb->bio_submitted = false;
++ pb->bio_can_corrupt = false;
+
+ if (op_is_zone_mgmt(bio_op(bio)))
+ goto map_bio;
+@@ -490,10 +487,11 @@ static int flakey_map(struct dm_target *ti, struct bio *bio)
+ elapsed = (jiffies - fc->start_time) / HZ;
+ if (elapsed % (fc->up_interval + fc->down_interval) >= fc->up_interval) {
+ bool corrupt_fixed, corrupt_random;
+- /*
+- * Flag this bio as submitted while down.
+- */
+- pb->bio_submitted = true;
++
++ if (bio_has_data(bio)) {
++ pb->bio_can_corrupt = true;
++ pb->saved_iter = bio->bi_iter;
++ }
+
+ /*
+ * Error reads if neither corrupt_bio_byte or drop_writes or error_writes are set.
+@@ -516,6 +514,8 @@ static int flakey_map(struct dm_target *ti, struct bio *bio)
+ return DM_MAPIO_SUBMITTED;
+ }
+
++ if (!pb->bio_can_corrupt)
++ goto map_bio;
+ /*
+ * Corrupt matching writes.
+ */
+@@ -535,9 +535,11 @@ static int flakey_map(struct dm_target *ti, struct bio *bio)
+ struct bio *clone = clone_bio(ti, fc, bio);
+ if (clone) {
+ if (corrupt_fixed)
+- corrupt_bio_data(clone, fc);
++ corrupt_bio_data(clone, fc,
++ clone->bi_iter);
+ if (corrupt_random)
+- corrupt_bio_random(clone);
++ corrupt_bio_random(clone,
++ clone->bi_iter);
+ submit_bio(clone);
+ return DM_MAPIO_SUBMITTED;
+ }
+@@ -559,21 +561,21 @@ static int flakey_end_io(struct dm_target *ti, struct bio *bio,
+ if (op_is_zone_mgmt(bio_op(bio)))
+ return DM_ENDIO_DONE;
+
+- if (!*error && pb->bio_submitted && (bio_data_dir(bio) == READ)) {
++ if (!*error && pb->bio_can_corrupt && (bio_data_dir(bio) == READ)) {
+ if (fc->corrupt_bio_byte) {
+ if ((fc->corrupt_bio_rw == READ) &&
+ all_corrupt_bio_flags_match(bio, fc)) {
+ /*
+ * Corrupt successful matching READs while in down state.
+ */
+- corrupt_bio_data(bio, fc);
++ corrupt_bio_data(bio, fc, pb->saved_iter);
+ }
+ }
+ if (fc->random_read_corrupt) {
+ u64 rnd = get_random_u64();
+ u32 rem = do_div(rnd, PROBABILITY_BASE);
+ if (rem < fc->random_read_corrupt)
+- corrupt_bio_random(bio);
++ corrupt_bio_random(bio, pb->saved_iter);
+ }
+ if (test_bit(ERROR_READS, &fc->flags)) {
+ /*
+--
+2.39.5
+
--- /dev/null
+From 58e59207bbd3764607c210d0fda27e7250b83c9d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Apr 2025 15:49:39 -0400
+Subject: dm: free table mempools if not used in __bind
+
+From: Benjamin Marzinski <bmarzins@redhat.com>
+
+[ Upstream commit e8819e7f03470c5b468720630d9e4e1d5b99159e ]
+
+With request-based dm, the mempools don't need reloading when switching
+tables, but the unused table mempools are not freed until the active
+table is finally freed. Free them immediately if they are not needed.
+
+Fixes: 29dec90a0f1d9 ("dm: fix bio_set allocation")
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Tested-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com>
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/md/dm.c b/drivers/md/dm.c
+index d154c89305fbe..44424554e6b52 100644
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -2235,10 +2235,10 @@ static struct dm_table *__bind(struct mapped_device *md, struct dm_table *t,
+ * requests in the queue may refer to bio from the old bioset,
+ * so you must walk through the queue to unprep.
+ */
+- if (!md->mempools) {
++ if (!md->mempools)
+ md->mempools = t->mempools;
+- t->mempools = NULL;
+- }
++ else
++ dm_free_md_mempools(t->mempools);
+ } else {
+ /*
+ * The md may already have mempools that need changing.
+@@ -2247,8 +2247,8 @@ static struct dm_table *__bind(struct mapped_device *md, struct dm_table *t,
+ */
+ dm_free_md_mempools(md->mempools);
+ md->mempools = t->mempools;
+- t->mempools = NULL;
+ }
++ t->mempools = NULL;
+
+ old_map = rcu_dereference_protected(md->map, lockdep_is_held(&md->suspend_lock));
+ rcu_assign_pointer(md->map, (void *)t);
+--
+2.39.5
+
--- /dev/null
+From 920b75cc47765f955c0f692e4a964b88d1c22c50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Apr 2025 10:39:00 +0800
+Subject: dmaengine: ti: Add NULL check in udma_probe()
+
+From: Henry Martin <bsdhenrymartin@gmail.com>
+
+[ Upstream commit fd447415e74bccd7362f760d4ea727f8e1ebfe91 ]
+
+devm_kasprintf() returns NULL when memory allocation fails. Currently,
+udma_probe() does not check for this case, which results in a NULL
+pointer dereference.
+
+Add NULL check after devm_kasprintf() to prevent this issue.
+
+Fixes: 25dcb5dd7b7c ("dmaengine: ti: New driver for K3 UDMA")
+Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
+Reviewed-by: Nathan Lynch <nathan.lynch@amd.com>
+Acked-by: Peter Ujfalusi <peter.ujfalusi@gmail.com>
+Link: https://lore.kernel.org/r/20250402023900.43440-1-bsdhenrymartin@gmail.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/ti/k3-udma.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/dma/ti/k3-udma.c b/drivers/dma/ti/k3-udma.c
+index 418e1774af1e5..d99cf81358c54 100644
+--- a/drivers/dma/ti/k3-udma.c
++++ b/drivers/dma/ti/k3-udma.c
+@@ -5537,7 +5537,8 @@ static int udma_probe(struct platform_device *pdev)
+ uc->config.dir = DMA_MEM_TO_MEM;
+ uc->name = devm_kasprintf(dev, GFP_KERNEL, "%s chan%d",
+ dev_name(dev), i);
+-
++ if (!uc->name)
++ return -ENOMEM;
+ vchan_init(&uc->vc, &ud->ddev);
+ /* Use custom vchan completion handling */
+ tasklet_setup(&uc->vc.task, udma_vchan_complete);
+--
+2.39.5
+
--- /dev/null
+From f587324bf5fc46f3706a5276c655ad15cda221c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Jun 2025 12:27:08 -0400
+Subject: do_change_type(): refuse to operate on unmounted/not ours mounts
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit 12f147ddd6de7382dad54812e65f3f08d05809fc ]
+
+Ensure that propagation settings can only be changed for mounts located
+in the caller's mount namespace. This change aligns permission checking
+with the rest of mount(2).
+
+Reviewed-by: Christian Brauner <brauner@kernel.org>
+Fixes: 07b20889e305 ("beginning of the shared-subtree proper")
+Reported-by: "Orlando, Noah" <Noah.Orlando@deshaw.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/namespace.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/namespace.c b/fs/namespace.c
+index 4d8afd0e1eb8f..eab9185e22858 100644
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -2557,6 +2557,10 @@ static int do_change_type(struct path *path, int ms_flags)
+ return -EINVAL;
+
+ namespace_lock();
++ if (!check_mnt(mnt)) {
++ err = -EINVAL;
++ goto out_unlock;
++ }
+ if (type == MS_SHARED) {
+ err = invent_group_ids(mnt, recurse);
+ if (err)
+--
+2.39.5
+
--- /dev/null
+From b0666b39999b4355987b9dc28f40e531d4b7c8b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 May 2025 15:53:51 +0800
+Subject: driver: net: ethernet: mtk_star_emac: fix suspend/resume issue
+
+From: Yanqing Wang <ot_yanqing.wang@mediatek.com>
+
+[ Upstream commit ba99c627aac85bc746fb4a6e2d79edb3ad100326 ]
+
+Identify the cause of the suspend/resume hang: netif_carrier_off()
+is called during link state changes and becomes stuck while
+executing linkwatch_work().
+
+To resolve this issue, call netif_device_detach() during the Ethernet
+suspend process to temporarily detach the network device from the
+kernel and prevent the suspend/resume hang.
+
+Fixes: 8c7bd5a454ff ("net: ethernet: mtk-star-emac: new driver")
+Signed-off-by: Yanqing Wang <ot_yanqing.wang@mediatek.com>
+Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com>
+Signed-off-by: Biao Huang <biao.huang@mediatek.com>
+Link: https://patch.msgid.link/20250528075351.593068-1-macpaul.lin@mediatek.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mediatek/mtk_star_emac.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/mediatek/mtk_star_emac.c b/drivers/net/ethernet/mediatek/mtk_star_emac.c
+index c2ab87828d858..5eb7a97e7eb17 100644
+--- a/drivers/net/ethernet/mediatek/mtk_star_emac.c
++++ b/drivers/net/ethernet/mediatek/mtk_star_emac.c
+@@ -1468,6 +1468,8 @@ static __maybe_unused int mtk_star_suspend(struct device *dev)
+ if (netif_running(ndev))
+ mtk_star_disable(ndev);
+
++ netif_device_detach(ndev);
++
+ clk_bulk_disable_unprepare(MTK_STAR_NCLKS, priv->clks);
+
+ return 0;
+@@ -1492,6 +1494,8 @@ static __maybe_unused int mtk_star_resume(struct device *dev)
+ clk_bulk_disable_unprepare(MTK_STAR_NCLKS, priv->clks);
+ }
+
++ netif_device_attach(ndev);
++
+ return ret;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 8c0b16389d280931b57df5119f0a9effd0461e26 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Mar 2025 12:04:35 +0800
+Subject: drm/amd/pp: Fix potential NULL pointer dereference in
+ atomctrl_initialize_mc_reg_table
+
+From: Charles Han <hanchunchao@inspur.com>
+
+[ Upstream commit 820116a39f96bdc7d426c33a804b52f53700a919 ]
+
+The function atomctrl_initialize_mc_reg_table() and
+atomctrl_initialize_mc_reg_table_v2_2() does not check the return
+value of smu_atom_get_data_table(). If smu_atom_get_data_table()
+fails to retrieve vram_info, it returns NULL which is later
+dereferenced.
+
+Fixes: b3892e2bb519 ("drm/amd/pp: Use atombios api directly in powerplay (v2)")
+Fixes: 5f92b48cf62c ("drm/amd/pm: add mc register table initialization")
+Signed-off-by: Charles Han <hanchunchao@inspur.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c
+index 1fbd23922082a..7e37354a03411 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c
+@@ -144,6 +144,10 @@ int atomctrl_initialize_mc_reg_table(
+ vram_info = (ATOM_VRAM_INFO_HEADER_V2_1 *)
+ smu_atom_get_data_table(hwmgr->adev,
+ GetIndexIntoMasterTable(DATA, VRAM_Info), &size, &frev, &crev);
++ if (!vram_info) {
++ pr_err("Could not retrieve the VramInfo table!");
++ return -EINVAL;
++ }
+
+ if (module_index >= vram_info->ucNumOfVRAMModule) {
+ pr_err("Invalid VramInfo table.");
+@@ -181,6 +185,10 @@ int atomctrl_initialize_mc_reg_table_v2_2(
+ vram_info = (ATOM_VRAM_INFO_HEADER_V2_2 *)
+ smu_atom_get_data_table(hwmgr->adev,
+ GetIndexIntoMasterTable(DATA, VRAM_Info), &size, &frev, &crev);
++ if (!vram_info) {
++ pr_err("Could not retrieve the VramInfo table!");
++ return -EINVAL;
++ }
+
+ if (module_index >= vram_info->ucNumOfVRAMModule) {
+ pr_err("Invalid VramInfo table.");
+--
+2.39.5
+
--- /dev/null
+From d5ea468944fc070a02113cb364b5db972c3d2d1d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Apr 2025 08:48:16 +0200
+Subject: drm/bridge: lt9611uxc: Fix an error handling path in
+ lt9611uxc_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit b848cd418aebdb313364b4843f41fae82281a823 ]
+
+If lt9611uxc_audio_init() fails, some resources still need to be released
+before returning the error code.
+
+Use the existing error handling path.
+
+Fixes: 0cbbd5b1a012 ("drm: bridge: add support for lontium LT9611UXC bridge")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/f167608e392c6b4d7d7f6e45e3c21878feb60cbd.1744958833.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/lontium-lt9611uxc.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/bridge/lontium-lt9611uxc.c b/drivers/gpu/drm/bridge/lontium-lt9611uxc.c
+index c41ffd0bc0494..d458a4f37ac8f 100644
+--- a/drivers/gpu/drm/bridge/lontium-lt9611uxc.c
++++ b/drivers/gpu/drm/bridge/lontium-lt9611uxc.c
+@@ -962,7 +962,11 @@ static int lt9611uxc_probe(struct i2c_client *client)
+ }
+ }
+
+- return lt9611uxc_audio_init(dev, lt9611uxc);
++ ret = lt9611uxc_audio_init(dev, lt9611uxc);
++ if (ret)
++ goto err_remove_bridge;
++
++ return 0;
+
+ err_remove_bridge:
+ free_irq(client->irq, lt9611uxc);
+--
+2.39.5
+
--- /dev/null
+From 2c195c47a86e0aaf36b106e57e5143b974a15ab7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Apr 2025 12:47:38 +0200
+Subject: drm/mediatek: Fix kobject put for component sub-drivers
+
+From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+
+[ Upstream commit 80805b62ea5b95eda54c225b989f929ca0691ab0 ]
+
+In function mtk_drm_get_all_drm_priv(), this driver is incrementing
+the refcount for the sub-drivers of mediatek-drm with a call to
+device_find_child() when taking a reference to all of those child
+devices.
+
+When the component bind fails multiple times this results in a
+refcount_t overflow, as the reference count is never decremented:
+fix that by adding a call to put_device() for all of the mmsys
+devices in a loop, in error cases of mtk_drm_bind() and in the
+mtk_drm_unbind() callback.
+
+Fixes: 1ef7ed48356c ("drm/mediatek: Modify mediatek-drm for mt8195 multi mmsys support")
+Reviewed-by: Chen-Yu Tsai <wenst@chromium.org>
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://patchwork.kernel.org/project/dri-devel/patch/20250403104741.71045-3-angelogioacchino.delregno@collabora.com/
+Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mediatek/mtk_drm_drv.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
+index 108cab35ce485..32d66fa75b7c4 100644
+--- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c
++++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
+@@ -635,6 +635,10 @@ static int mtk_drm_bind(struct device *dev)
+ for (i = 0; i < private->data->mmsys_dev_num; i++)
+ private->all_drm_private[i]->drm = NULL;
+ err_put_dev:
++ for (i = 0; i < private->data->mmsys_dev_num; i++) {
++ /* For device_find_child in mtk_drm_get_all_priv() */
++ put_device(private->all_drm_private[i]->dev);
++ }
+ put_device(private->mutex_dev);
+ return ret;
+ }
+@@ -642,6 +646,7 @@ static int mtk_drm_bind(struct device *dev)
+ static void mtk_drm_unbind(struct device *dev)
+ {
+ struct mtk_drm_private *private = dev_get_drvdata(dev);
++ int i;
+
+ /* for multi mmsys dev, unregister drm dev in mmsys master */
+ if (private->drm_master) {
+@@ -649,6 +654,10 @@ static void mtk_drm_unbind(struct device *dev)
+ mtk_drm_kms_deinit(private->drm);
+ drm_dev_put(private->drm);
+
++ for (i = 0; i < private->data->mmsys_dev_num; i++) {
++ /* For device_find_child in mtk_drm_get_all_priv() */
++ put_device(private->all_drm_private[i]->dev);
++ }
+ put_device(private->mutex_dev);
+ }
+ private->mtk_drm_bound = false;
+--
+2.39.5
+
--- /dev/null
+From 0c4b63b6a3c593f246c11f695fc45d52d3dc86e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Apr 2025 12:47:37 +0200
+Subject: drm/mediatek: mtk_drm_drv: Fix kobject put for mtk_mutex device ptr
+
+From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+
+[ Upstream commit 22918591fb747a6d16801e74a170cf98e886f83b ]
+
+This driver is taking a kobject for mtk_mutex only once per mmsys
+device for each drm-mediatek driver instance, differently from the
+behavior with other components, but it is decrementing the kobj's
+refcount in a loop and once per mmsys: this is not right and will
+result in a refcount_t underflow warning when mediatek-drm returns
+multiple probe deferrals in one boot (or when manually bound and
+unbound).
+
+Besides that, the refcount for mutex_dev was not decremented for
+error cases in mtk_drm_bind(), causing another refcount_t warning
+but this time for overflow, when the failure happens not during
+driver bind but during component bind.
+
+In order to fix one of the reasons why this is happening, remove
+the put_device(xx->mutex_dev) loop from the mtk_drm_kms_init()'s
+put_mutex_dev label (and drop the label) and add a single call to
+correctly free the single incremented refcount of mutex_dev to
+the mtk_drm_unbind() function to fix the refcount_t underflow.
+
+Moreover, add the same call to the error cases in mtk_drm_bind()
+to fix the refcount_t overflow.
+
+Fixes: 1ef7ed48356c ("drm/mediatek: Modify mediatek-drm for mt8195 multi mmsys support")
+Reviewed-by: Chen-Yu Tsai <wenst@chromium.org>
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://patchwork.kernel.org/project/dri-devel/patch/20250403104741.71045-2-angelogioacchino.delregno@collabora.com/
+Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mediatek/mtk_drm_drv.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
+index 8b41a07c3641f..108cab35ce485 100644
+--- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c
++++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
+@@ -431,7 +431,7 @@ static int mtk_drm_kms_init(struct drm_device *drm)
+
+ ret = drmm_mode_config_init(drm);
+ if (ret)
+- goto put_mutex_dev;
++ return ret;
+
+ drm->mode_config.min_width = 64;
+ drm->mode_config.min_height = 64;
+@@ -450,7 +450,7 @@ static int mtk_drm_kms_init(struct drm_device *drm)
+ drm->dev_private = private->all_drm_private[i];
+ ret = component_bind_all(private->all_drm_private[i]->dev, drm);
+ if (ret)
+- goto put_mutex_dev;
++ return ret;
+ }
+
+ /*
+@@ -532,9 +532,6 @@ static int mtk_drm_kms_init(struct drm_device *drm)
+ err_component_unbind:
+ for (i = 0; i < private->data->mmsys_dev_num; i++)
+ component_unbind_all(private->all_drm_private[i]->dev, drm);
+-put_mutex_dev:
+- for (i = 0; i < private->data->mmsys_dev_num; i++)
+- put_device(private->all_drm_private[i]->mutex_dev);
+
+ return ret;
+ }
+@@ -608,8 +605,10 @@ static int mtk_drm_bind(struct device *dev)
+ return 0;
+
+ drm = drm_dev_alloc(&mtk_drm_driver, dev);
+- if (IS_ERR(drm))
+- return PTR_ERR(drm);
++ if (IS_ERR(drm)) {
++ ret = PTR_ERR(drm);
++ goto err_put_dev;
++ }
+
+ private->drm_master = true;
+ drm->dev_private = private;
+@@ -635,6 +634,8 @@ static int mtk_drm_bind(struct device *dev)
+ drm_dev_put(drm);
+ for (i = 0; i < private->data->mmsys_dev_num; i++)
+ private->all_drm_private[i]->drm = NULL;
++err_put_dev:
++ put_device(private->mutex_dev);
+ return ret;
+ }
+
+@@ -647,6 +648,8 @@ static void mtk_drm_unbind(struct device *dev)
+ drm_dev_unregister(private->drm);
+ mtk_drm_kms_deinit(private->drm);
+ drm_dev_put(private->drm);
++
++ put_device(private->mutex_dev);
+ }
+ private->mtk_drm_bound = false;
+ private->drm_master = false;
+--
+2.39.5
+
--- /dev/null
+From 9f3be2d920e24096b886e1dffa589431397ba46c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Apr 2025 12:47:39 +0200
+Subject: drm/mediatek: mtk_drm_drv: Unbind secondary mmsys components on err
+
+From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+
+[ Upstream commit 94c933716567084bfb9e79dcd81eb2b2308e84e1 ]
+
+When calling component_bind_all(), if a component that is included
+in the list fails, all of those that have been successfully bound
+will be unbound, but this driver has two components lists for two
+actual devices, as in, each mmsys instance has its own components
+list.
+
+In case mmsys0 (or actually vdosys0) is able to bind all of its
+components, but the secondary one fails, all of the components of
+the first are kept bound, while the ones of mmsys1/vdosys1 are
+correctly cleaned up.
+
+This is not right because, in case of a failure, the components
+are re-bound for all of the mmsys/vdosys instances without caring
+about the ones that were previously left in a bound state.
+
+Fix that by calling component_unbind_all() on all of the previous
+component masters that succeeded binding all subdevices when any
+of the other masters errors out.
+
+Fixes: 1ef7ed48356c ("drm/mediatek: Modify mediatek-drm for mt8195 multi mmsys support")
+Reviewed-by: Chen-Yu Tsai <wenst@chromium.org>
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://patchwork.kernel.org/project/dri-devel/patch/20250403104741.71045-4-angelogioacchino.delregno@collabora.com/
+Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mediatek/mtk_drm_drv.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
+index 32d66fa75b7c4..ef4fa70119de1 100644
+--- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c
++++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
+@@ -449,8 +449,11 @@ static int mtk_drm_kms_init(struct drm_device *drm)
+ for (i = 0; i < private->data->mmsys_dev_num; i++) {
+ drm->dev_private = private->all_drm_private[i];
+ ret = component_bind_all(private->all_drm_private[i]->dev, drm);
+- if (ret)
++ if (ret) {
++ while (--i >= 0)
++ component_unbind_all(private->all_drm_private[i]->dev, drm);
+ return ret;
++ }
+ }
+
+ /*
+--
+2.39.5
+
--- /dev/null
+From bd518a9105862c312dc3e811be8e74a066129c75 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Nov 2023 12:24:24 +0000
+Subject: drm: rcar-du: Fix memory leak in rcar_du_vsps_init()
+
+From: Biju Das <biju.das.jz@bp.renesas.com>
+
+[ Upstream commit 91e3bf09a90bb4340c0c3c51396e7531555efda4 ]
+
+The rcar_du_vsps_init() doesn't free the np allocated by
+of_parse_phandle_with_fixed_args() for the non-error case.
+
+Fix memory leak for the non-error case.
+
+While at it, replace the label 'error'->'done' as it applies to non-error
+case as well and update the error check condition for rcar_du_vsp_init()
+to avoid breakage in future, if it returns positive value.
+
+Fixes: 3e81374e2014 ("drm: rcar-du: Support multiple sources from the same VSP")
+Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Link: https://lore.kernel.org/r/20231116122424.80136-1-biju.das.jz@bp.renesas.com
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen+renesas@ideasonboard.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/renesas/rcar-du/rcar_du_kms.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/renesas/rcar-du/rcar_du_kms.c b/drivers/gpu/drm/renesas/rcar-du/rcar_du_kms.c
+index 70d8ad065bfa1..4c8fe83dd6101 100644
+--- a/drivers/gpu/drm/renesas/rcar-du/rcar_du_kms.c
++++ b/drivers/gpu/drm/renesas/rcar-du/rcar_du_kms.c
+@@ -705,7 +705,7 @@ static int rcar_du_vsps_init(struct rcar_du_device *rcdu)
+ ret = of_parse_phandle_with_fixed_args(np, vsps_prop_name,
+ cells, i, &args);
+ if (ret < 0)
+- goto error;
++ goto done;
+
+ /*
+ * Add the VSP to the list or update the corresponding existing
+@@ -743,13 +743,11 @@ static int rcar_du_vsps_init(struct rcar_du_device *rcdu)
+ vsp->dev = rcdu;
+
+ ret = rcar_du_vsp_init(vsp, vsps[i].np, vsps[i].crtcs_mask);
+- if (ret < 0)
+- goto error;
++ if (ret)
++ goto done;
+ }
+
+- return 0;
+-
+-error:
++done:
+ for (i = 0; i < ARRAY_SIZE(vsps); ++i)
+ of_node_put(vsps[i].np);
+
+--
+2.39.5
+
--- /dev/null
+From 916699429bcd850512b3564432e95af385eef19e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Feb 2025 11:21:35 +0000
+Subject: drm/tegra: rgb: Fix the unbound reference count
+
+From: Biju Das <biju.das.jz@bp.renesas.com>
+
+[ Upstream commit 3c3642335065c3bde0742b0edc505b6ea8fdc2b3 ]
+
+The of_get_child_by_name() increments the refcount in tegra_dc_rgb_probe,
+but the driver does not decrement the refcount during unbind. Fix the
+unbound reference count using devm_add_action_or_reset() helper.
+
+Fixes: d8f4a9eda006 ("drm: Add NVIDIA Tegra20 support")
+Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Link: https://lore.kernel.org/r/20250205112137.36055-1-biju.das.jz@bp.renesas.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/tegra/rgb.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/tegra/rgb.c b/drivers/gpu/drm/tegra/rgb.c
+index d6424abd3c45d..8930460ba6282 100644
+--- a/drivers/gpu/drm/tegra/rgb.c
++++ b/drivers/gpu/drm/tegra/rgb.c
+@@ -190,6 +190,11 @@ static const struct drm_encoder_helper_funcs tegra_rgb_encoder_helper_funcs = {
+ .atomic_check = tegra_rgb_encoder_atomic_check,
+ };
+
++static void tegra_dc_of_node_put(void *data)
++{
++ of_node_put(data);
++}
++
+ int tegra_dc_rgb_probe(struct tegra_dc *dc)
+ {
+ struct device_node *np;
+@@ -197,7 +202,14 @@ int tegra_dc_rgb_probe(struct tegra_dc *dc)
+ int err;
+
+ np = of_get_child_by_name(dc->dev->of_node, "rgb");
+- if (!np || !of_device_is_available(np))
++ if (!np)
++ return -ENODEV;
++
++ err = devm_add_action_or_reset(dc->dev, tegra_dc_of_node_put, np);
++ if (err < 0)
++ return err;
++
++ if (!of_device_is_available(np))
+ return -ENODEV;
+
+ rgb = devm_kzalloc(dc->dev, sizeof(*rgb), GFP_KERNEL);
+--
+2.39.5
+
--- /dev/null
+From 80e78f28e6fc13b09406ab754ad6292717d17a74 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Apr 2025 15:33:30 +0200
+Subject: drm/vc4: tests: Use return instead of assert
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maxime Ripard <mripard@kernel.org>
+
+[ Upstream commit 9e26a3740cc08ef8bcdc5e5d824792cd677affce ]
+
+The vc4_mock_atomic_add_output() and vc4_mock_atomic_del_output() assert
+that the functions they are calling didn't fail. Since some of them can
+return EDEADLK, we can't properly deal with it.
+
+Since both functions are expected to return an int, and all caller check
+the return value, let's just properly propagate the errors when they
+occur.
+
+Fixes: f759f5b53f1c ("drm/vc4: tests: Introduce a mocking infrastructure")
+Fixes: 76ec18dc5afa ("drm/vc4: tests: Add unit test suite for the PV muxing")
+Reviewed-by: Maíra Canal <mcanal@igalia.com>
+Link: https://lore.kernel.org/r/20250403-drm-vc4-kunit-failures-v2-1-e09195cc8840@kernel.org
+Signed-off-by: Maxime Ripard <mripard@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vc4/tests/vc4_mock_output.c | 36 ++++++++++++++-------
+ 1 file changed, 24 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/gpu/drm/vc4/tests/vc4_mock_output.c b/drivers/gpu/drm/vc4/tests/vc4_mock_output.c
+index e70d7c3076acf..f0ddc223c1f83 100644
+--- a/drivers/gpu/drm/vc4/tests/vc4_mock_output.c
++++ b/drivers/gpu/drm/vc4/tests/vc4_mock_output.c
+@@ -75,24 +75,30 @@ int vc4_mock_atomic_add_output(struct kunit *test,
+ int ret;
+
+ encoder = vc4_find_encoder_by_type(drm, type);
+- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, encoder);
++ if (!encoder)
++ return -ENODEV;
+
+ crtc = vc4_find_crtc_for_encoder(test, drm, encoder);
+- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, crtc);
++ if (!crtc)
++ return -ENODEV;
+
+ output = encoder_to_vc4_dummy_output(encoder);
+ conn = &output->connector;
+ conn_state = drm_atomic_get_connector_state(state, conn);
+- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, conn_state);
++ if (IS_ERR(conn_state))
++ return PTR_ERR(conn_state);
+
+ ret = drm_atomic_set_crtc_for_connector(conn_state, crtc);
+- KUNIT_EXPECT_EQ(test, ret, 0);
++ if (ret)
++ return ret;
+
+ crtc_state = drm_atomic_get_crtc_state(state, crtc);
+- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, crtc_state);
++ if (IS_ERR(crtc_state))
++ return PTR_ERR(crtc_state);
+
+ ret = drm_atomic_set_mode_for_crtc(crtc_state, &default_mode);
+- KUNIT_EXPECT_EQ(test, ret, 0);
++ if (ret)
++ return ret;
+
+ crtc_state->active = true;
+
+@@ -113,26 +119,32 @@ int vc4_mock_atomic_del_output(struct kunit *test,
+ int ret;
+
+ encoder = vc4_find_encoder_by_type(drm, type);
+- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, encoder);
++ if (!encoder)
++ return -ENODEV;
+
+ crtc = vc4_find_crtc_for_encoder(test, drm, encoder);
+- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, crtc);
++ if (!crtc)
++ return -ENODEV;
+
+ crtc_state = drm_atomic_get_crtc_state(state, crtc);
+- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, crtc_state);
++ if (IS_ERR(crtc_state))
++ return PTR_ERR(crtc_state);
+
+ crtc_state->active = false;
+
+ ret = drm_atomic_set_mode_for_crtc(crtc_state, NULL);
+- KUNIT_ASSERT_EQ(test, ret, 0);
++ if (ret)
++ return ret;
+
+ output = encoder_to_vc4_dummy_output(encoder);
+ conn = &output->connector;
+ conn_state = drm_atomic_get_connector_state(state, conn);
+- KUNIT_ASSERT_NOT_ERR_OR_NULL(test, conn_state);
++ if (IS_ERR(conn_state))
++ return PTR_ERR(conn_state);
+
+ ret = drm_atomic_set_crtc_for_connector(conn_state, NULL);
+- KUNIT_ASSERT_EQ(test, ret, 0);
++ if (ret)
++ return ret;
+
+ return 0;
+ }
+--
+2.39.5
+
--- /dev/null
+From 06f178c0cc96a34cc736a68e068e7eb3e1f75f7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Apr 2025 23:14:32 -0700
+Subject: drm/vkms: Adjust vkms_state->active_planes allocation type
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit 258aebf100540d36aba910f545d4d5ddf4ecaf0b ]
+
+In preparation for making the kmalloc family of allocators type aware,
+we need to make sure that the returned type from the allocation matches
+the type of the variable being assigned. (Before, the allocator would
+always return "void *", which can be implicitly cast to any pointer type.)
+
+The assigned type is "struct vkms_plane_state **", but the returned type
+will be "struct drm_plane **". These are the same size (pointer size), but
+the types don't match. Adjust the allocation type to match the assignment.
+
+Signed-off-by: Kees Cook <kees@kernel.org>
+Reviewed-by: Louis Chauvet <louis.chauvet@bootlin.com>
+Fixes: 8b1865873651 ("drm/vkms: totally reworked crc data tracking")
+Link: https://lore.kernel.org/r/20250426061431.work.304-kees@kernel.org
+Signed-off-by: Louis Chauvet <contact@louischauvet.fr>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vkms/vkms_crtc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/vkms/vkms_crtc.c b/drivers/gpu/drm/vkms/vkms_crtc.c
+index 61e500b8c9da2..894c484f99e95 100644
+--- a/drivers/gpu/drm/vkms/vkms_crtc.c
++++ b/drivers/gpu/drm/vkms/vkms_crtc.c
+@@ -201,7 +201,7 @@ static int vkms_crtc_atomic_check(struct drm_crtc *crtc,
+ i++;
+ }
+
+- vkms_state->active_planes = kcalloc(i, sizeof(plane), GFP_KERNEL);
++ vkms_state->active_planes = kcalloc(i, sizeof(*vkms_state->active_planes), GFP_KERNEL);
+ if (!vkms_state->active_planes)
+ return -ENOMEM;
+ vkms_state->num_active_planes = i;
+--
+2.39.5
+
--- /dev/null
+From 95bb4b52c2a3fa7aa3f46268066319f13a6ad6de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Feb 2025 14:06:33 -0600
+Subject: drm/vmwgfx: Add seqno waiter for sync_files
+
+From: Ian Forbes <ian.forbes@broadcom.com>
+
+[ Upstream commit 0039a3b35b10d9c15d3d26320532ab56cc566750 ]
+
+Because sync_files are passive waiters they do not participate in
+the processing of fences like the traditional vmw_fence_wait IOCTL.
+If userspace exclusively uses sync_files for synchronization then
+nothing in the kernel actually processes fence updates as interrupts
+for fences are masked and ignored if the kernel does not indicate to the
+SVGA device that there are active waiters.
+
+This oversight results in a bug where the entire GUI can freeze waiting
+on a sync_file that will never be signalled as we've masked the interrupts
+to signal its completion. This bug is incredibly racy as any process which
+interacts with the fencing code via the 3D stack can process the stuck
+fences on behalf of the stuck process causing it to run again. Even a
+simple app like eglinfo is enough to resume the stuck process. Usually
+this bug is seen at a login screen like GDM because there are no other
+3D apps running.
+
+By adding a seqno waiter we re-enable interrupt based processing of the
+dma_fences associated with the sync_file which is signalled as part of a
+dma_fence_callback.
+
+This has likely been broken since it was initially added to the kernel in
+2017 but has gone unnoticed until mutter recently started using sync_files
+heavily over the course of 2024 as part of their explicit sync support.
+
+Fixes: c906965dee22 ("drm/vmwgfx: Add export fence to file descriptor support")
+Signed-off-by: Ian Forbes <ian.forbes@broadcom.com>
+Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20250228200633.642417-1-ian.forbes@broadcom.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 26 +++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+index 5fef0b31c1179..b129ce873af3f 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+@@ -4083,6 +4083,23 @@ static int vmw_execbuf_tie_context(struct vmw_private *dev_priv,
+ return 0;
+ }
+
++/*
++ * DMA fence callback to remove a seqno_waiter
++ */
++struct seqno_waiter_rm_context {
++ struct dma_fence_cb base;
++ struct vmw_private *dev_priv;
++};
++
++static void seqno_waiter_rm_cb(struct dma_fence *f, struct dma_fence_cb *cb)
++{
++ struct seqno_waiter_rm_context *ctx =
++ container_of(cb, struct seqno_waiter_rm_context, base);
++
++ vmw_seqno_waiter_remove(ctx->dev_priv);
++ kfree(ctx);
++}
++
+ int vmw_execbuf_process(struct drm_file *file_priv,
+ struct vmw_private *dev_priv,
+ void __user *user_commands, void *kernel_commands,
+@@ -4263,6 +4280,15 @@ int vmw_execbuf_process(struct drm_file *file_priv,
+ } else {
+ /* Link the fence with the FD created earlier */
+ fd_install(out_fence_fd, sync_file->file);
++ struct seqno_waiter_rm_context *ctx =
++ kmalloc(sizeof(*ctx), GFP_KERNEL);
++ ctx->dev_priv = dev_priv;
++ vmw_seqno_waiter_add(dev_priv);
++ if (dma_fence_add_callback(&fence->base, &ctx->base,
++ seqno_waiter_rm_cb) < 0) {
++ vmw_seqno_waiter_remove(dev_priv);
++ kfree(ctx);
++ }
+ }
+ }
+
+--
+2.39.5
+
--- /dev/null
+From e630ce2fddc926b78b8083da971015942390e715 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 May 2025 17:47:27 +0100
+Subject: dt-bindings: vendor-prefixes: Add Liontron name
+
+From: Andre Przywara <andre.przywara@arm.com>
+
+[ Upstream commit 9baa27a2e9fc746143ab686b6dbe2d515284a4c5 ]
+
+Liontron is a company based in Shenzen, China, making industrial
+development boards and embedded computers, mostly using Rockchip and
+Allwinner SoCs.
+
+Add their name to the list of vendors.
+
+Signed-off-by: Andre Przywara <andre.przywara@arm.com>
+Acked-by: Rob Herring (Arm) <robh@kernel.org>
+Link: https://patch.msgid.link/20250505164729.18175-2-andre.przywara@arm.com
+Signed-off-by: Chen-Yu Tsai <wens@csie.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/devicetree/bindings/vendor-prefixes.yaml | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/Documentation/devicetree/bindings/vendor-prefixes.yaml b/Documentation/devicetree/bindings/vendor-prefixes.yaml
+index dc275ab60e534..7376a924e9aca 100644
+--- a/Documentation/devicetree/bindings/vendor-prefixes.yaml
++++ b/Documentation/devicetree/bindings/vendor-prefixes.yaml
+@@ -773,6 +773,8 @@ patternProperties:
+ description: Linux-specific binding
+ "^linx,.*":
+ description: Linx Technologies
++ "^liontron,.*":
++ description: Shenzhen Liontron Technology Co., Ltd
+ "^liteon,.*":
+ description: LITE-ON Technology Corp.
+ "^litex,.*":
+--
+2.39.5
+
--- /dev/null
+From 84322f90a9bb5a8a7400be6afde5587c0d85c78b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Apr 2025 23:07:18 +0800
+Subject: EDAC/skx_common: Fix general protection fault
+
+From: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+
+[ Upstream commit 20d2d476b3ae18041be423671a8637ed5ffd6958 ]
+
+After loading i10nm_edac (which automatically loads skx_edac_common), if
+unload only i10nm_edac, then reload it and perform error injection testing,
+a general protection fault may occur:
+
+ mce: [Hardware Error]: Machine check events logged
+ Oops: general protection fault ...
+ ...
+ Workqueue: events mce_gen_pool_process
+ RIP: 0010:string+0x53/0xe0
+ ...
+ Call Trace:
+ <TASK>
+ ? die_addr+0x37/0x90
+ ? exc_general_protection+0x1e7/0x3f0
+ ? asm_exc_general_protection+0x26/0x30
+ ? string+0x53/0xe0
+ vsnprintf+0x23e/0x4c0
+ snprintf+0x4d/0x70
+ skx_adxl_decode+0x16a/0x330 [skx_edac_common]
+ skx_mce_check_error.part.0+0xf8/0x220 [skx_edac_common]
+ skx_mce_check_error+0x17/0x20 [skx_edac_common]
+ ...
+
+The issue arose was because the variable 'adxl_component_count' (inside
+skx_edac_common), which counts the ADXL components, was not reset. During
+the reloading of i10nm_edac, the count was incremented by the actual number
+of ADXL components again, resulting in a count that was double the real
+number of ADXL components. This led to an out-of-bounds reference to the
+ADXL component array, causing the general protection fault above.
+
+Fix this issue by resetting the 'adxl_component_count' in adxl_put(),
+which is called during the unloading of {skx,i10nm}_edac.
+
+Fixes: 123b15863550 ("EDAC, i10nm: make skx_common.o a separate module")
+Reported-by: Feng Xu <feng.f.xu@intel.com>
+Signed-off-by: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Tested-by: Feng Xu <feng.f.xu@intel.com>
+Link: https://lore.kernel.org/r/20250417150724.1170168-2-qiuxu.zhuo@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/skx_common.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/edac/skx_common.c b/drivers/edac/skx_common.c
+index d47f0055217e4..9e43aed72bd9f 100644
+--- a/drivers/edac/skx_common.c
++++ b/drivers/edac/skx_common.c
+@@ -115,6 +115,7 @@ EXPORT_SYMBOL_GPL(skx_adxl_get);
+
+ void skx_adxl_put(void)
+ {
++ adxl_component_count = 0;
+ kfree(adxl_values);
+ kfree(adxl_msg);
+ }
+--
+2.39.5
+
--- /dev/null
+From 40b0c77e942e10c36207bb77cf074c0602bfeae7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Apr 2025 23:07:19 +0800
+Subject: EDAC/{skx_common,i10nm}: Fix the loss of saved RRL for HBM pseudo
+ channel 0
+
+From: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+
+[ Upstream commit eeed3e03f4261e5e381a72ae099ff00ccafbb437 ]
+
+When enabling the retry_rd_err_log (RRL) feature during the loading of the
+i10nm_edac driver with the module parameter retry_rd_err_log=2 (Linux RRL
+control mode), the default values of the control bits of RRL are saved so
+that they can be restored during the unloading of the driver.
+
+In the current code, the RRL of pseudo channel 1 of HBM overwrites pseudo
+channel 0 during the loading of the driver, resulting in the loss of saved
+RRL for pseudo channel 0. This causes the RRL of pseudo channel 0 of HBM to
+be wrongly restored with the values from pseudo channel 1 when unloading
+the driver.
+
+Fix this issue by creating two separate groups of RRL control registers
+per channel to save default RRL settings of two {sub-,pseudo-}channels.
+
+Fixes: acd4cf68fefe ("EDAC/i10nm: Retrieve and print retry_rd_err_log registers for HBM")
+Signed-off-by: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Tested-by: Feng Xu <feng.f.xu@intel.com>
+Link: https://lore.kernel.org/r/20250417150724.1170168-3-qiuxu.zhuo@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/i10nm_base.c | 35 +++++++++++++++++++----------------
+ drivers/edac/skx_common.h | 11 ++++++++---
+ 2 files changed, 27 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/edac/i10nm_base.c b/drivers/edac/i10nm_base.c
+index 67a46abe07da9..068597e8fce95 100644
+--- a/drivers/edac/i10nm_base.c
++++ b/drivers/edac/i10nm_base.c
+@@ -99,7 +99,7 @@ static u32 offsets_demand2_spr[] = {0x22c70, 0x22d80, 0x22f18, 0x22d58, 0x22c64,
+ static u32 offsets_demand_spr_hbm0[] = {0x2a54, 0x2a60, 0x2b10, 0x2a58, 0x2a5c, 0x0ee0};
+ static u32 offsets_demand_spr_hbm1[] = {0x2e54, 0x2e60, 0x2f10, 0x2e58, 0x2e5c, 0x0fb0};
+
+-static void __enable_retry_rd_err_log(struct skx_imc *imc, int chan, bool enable,
++static void __enable_retry_rd_err_log(struct skx_imc *imc, int chan, bool enable, u32 *rrl_ctl,
+ u32 *offsets_scrub, u32 *offsets_demand,
+ u32 *offsets_demand2)
+ {
+@@ -112,10 +112,10 @@ static void __enable_retry_rd_err_log(struct skx_imc *imc, int chan, bool enable
+
+ if (enable) {
+ /* Save default configurations */
+- imc->chan[chan].retry_rd_err_log_s = s;
+- imc->chan[chan].retry_rd_err_log_d = d;
++ rrl_ctl[0] = s;
++ rrl_ctl[1] = d;
+ if (offsets_demand2)
+- imc->chan[chan].retry_rd_err_log_d2 = d2;
++ rrl_ctl[2] = d2;
+
+ s &= ~RETRY_RD_ERR_LOG_NOOVER_UC;
+ s |= RETRY_RD_ERR_LOG_EN;
+@@ -129,25 +129,25 @@ static void __enable_retry_rd_err_log(struct skx_imc *imc, int chan, bool enable
+ }
+ } else {
+ /* Restore default configurations */
+- if (imc->chan[chan].retry_rd_err_log_s & RETRY_RD_ERR_LOG_UC)
++ if (rrl_ctl[0] & RETRY_RD_ERR_LOG_UC)
+ s |= RETRY_RD_ERR_LOG_UC;
+- if (imc->chan[chan].retry_rd_err_log_s & RETRY_RD_ERR_LOG_NOOVER)
++ if (rrl_ctl[0] & RETRY_RD_ERR_LOG_NOOVER)
+ s |= RETRY_RD_ERR_LOG_NOOVER;
+- if (!(imc->chan[chan].retry_rd_err_log_s & RETRY_RD_ERR_LOG_EN))
++ if (!(rrl_ctl[0] & RETRY_RD_ERR_LOG_EN))
+ s &= ~RETRY_RD_ERR_LOG_EN;
+- if (imc->chan[chan].retry_rd_err_log_d & RETRY_RD_ERR_LOG_UC)
++ if (rrl_ctl[1] & RETRY_RD_ERR_LOG_UC)
+ d |= RETRY_RD_ERR_LOG_UC;
+- if (imc->chan[chan].retry_rd_err_log_d & RETRY_RD_ERR_LOG_NOOVER)
++ if (rrl_ctl[1] & RETRY_RD_ERR_LOG_NOOVER)
+ d |= RETRY_RD_ERR_LOG_NOOVER;
+- if (!(imc->chan[chan].retry_rd_err_log_d & RETRY_RD_ERR_LOG_EN))
++ if (!(rrl_ctl[1] & RETRY_RD_ERR_LOG_EN))
+ d &= ~RETRY_RD_ERR_LOG_EN;
+
+ if (offsets_demand2) {
+- if (imc->chan[chan].retry_rd_err_log_d2 & RETRY_RD_ERR_LOG_UC)
++ if (rrl_ctl[2] & RETRY_RD_ERR_LOG_UC)
+ d2 |= RETRY_RD_ERR_LOG_UC;
+- if (!(imc->chan[chan].retry_rd_err_log_d2 & RETRY_RD_ERR_LOG_NOOVER))
++ if (!(rrl_ctl[2] & RETRY_RD_ERR_LOG_NOOVER))
+ d2 &= ~RETRY_RD_ERR_LOG_NOOVER;
+- if (!(imc->chan[chan].retry_rd_err_log_d2 & RETRY_RD_ERR_LOG_EN))
++ if (!(rrl_ctl[2] & RETRY_RD_ERR_LOG_EN))
+ d2 &= ~RETRY_RD_ERR_LOG_EN;
+ }
+ }
+@@ -161,6 +161,7 @@ static void __enable_retry_rd_err_log(struct skx_imc *imc, int chan, bool enable
+ static void enable_retry_rd_err_log(bool enable)
+ {
+ int i, j, imc_num, chan_num;
++ struct skx_channel *chan;
+ struct skx_imc *imc;
+ struct skx_dev *d;
+
+@@ -175,8 +176,9 @@ static void enable_retry_rd_err_log(bool enable)
+ if (!imc->mbase)
+ continue;
+
++ chan = d->imc[i].chan;
+ for (j = 0; j < chan_num; j++)
+- __enable_retry_rd_err_log(imc, j, enable,
++ __enable_retry_rd_err_log(imc, j, enable, chan[j].rrl_ctl[0],
+ res_cfg->offsets_scrub,
+ res_cfg->offsets_demand,
+ res_cfg->offsets_demand2);
+@@ -190,12 +192,13 @@ static void enable_retry_rd_err_log(bool enable)
+ if (!imc->mbase || !imc->hbm_mc)
+ continue;
+
++ chan = d->imc[i].chan;
+ for (j = 0; j < chan_num; j++) {
+- __enable_retry_rd_err_log(imc, j, enable,
++ __enable_retry_rd_err_log(imc, j, enable, chan[j].rrl_ctl[0],
+ res_cfg->offsets_scrub_hbm0,
+ res_cfg->offsets_demand_hbm0,
+ NULL);
+- __enable_retry_rd_err_log(imc, j, enable,
++ __enable_retry_rd_err_log(imc, j, enable, chan[j].rrl_ctl[1],
+ res_cfg->offsets_scrub_hbm1,
+ res_cfg->offsets_demand_hbm1,
+ NULL);
+diff --git a/drivers/edac/skx_common.h b/drivers/edac/skx_common.h
+index 5acfef8fd3d36..2ea4d1d1fbef2 100644
+--- a/drivers/edac/skx_common.h
++++ b/drivers/edac/skx_common.h
+@@ -80,6 +80,9 @@
+ */
+ #define MCACOD_EXT_MEM_ERR 0x280
+
++/* Max RRL register sets per {,sub-,pseudo-}channel. */
++#define NUM_RRL_SET 3
++
+ /*
+ * Each cpu socket contains some pci devices that provide global
+ * information, and also some that are local to each of the two
+@@ -118,9 +121,11 @@ struct skx_dev {
+ struct skx_channel {
+ struct pci_dev *cdev;
+ struct pci_dev *edev;
+- u32 retry_rd_err_log_s;
+- u32 retry_rd_err_log_d;
+- u32 retry_rd_err_log_d2;
++ /*
++ * Two groups of RRL control registers per channel to save default RRL
++ * settings of two {sub-,pseudo-}channels in Linux RRL control mode.
++ */
++ u32 rrl_ctl[2][NUM_RRL_SET];
+ struct skx_dimm {
+ u8 close_pg;
+ u8 bank_xor_enable;
+--
+2.39.5
+
--- /dev/null
+From 03e9450e95073a720fde2eca89dc9c258d588704 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 May 2025 00:31:11 +0800
+Subject: efi/libstub: Describe missing 'out' parameter in efi_load_initrd
+
+From: Hans Zhang <18255117159@163.com>
+
+[ Upstream commit c8e1927e7f7d63721e32ec41d27ccb0eb1a1b0fc ]
+
+The function efi_load_initrd() had a documentation warning due to
+the missing description for the 'out' parameter. Add the parameter
+description to the kernel-doc comment to resolve the warning and
+improve API documentation.
+
+Fixes the following compiler warning:
+drivers/firmware/efi/libstub/efi-stub-helper.c:611: warning: Function parameter or struct member 'out' not described in 'efi_load_initrd'
+
+Fixes: f4dc7fffa987 ("efi: libstub: unify initrd loading between architectures")
+Signed-off-by: Hans Zhang <18255117159@163.com>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/efi/libstub/efi-stub-helper.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/firmware/efi/libstub/efi-stub-helper.c b/drivers/firmware/efi/libstub/efi-stub-helper.c
+index 3dc2f9aaf08db..492d09b6048bd 100644
+--- a/drivers/firmware/efi/libstub/efi-stub-helper.c
++++ b/drivers/firmware/efi/libstub/efi-stub-helper.c
+@@ -561,6 +561,7 @@ efi_status_t efi_load_initrd_cmdline(efi_loaded_image_t *image,
+ * @image: EFI loaded image protocol
+ * @soft_limit: preferred address for loading the initrd
+ * @hard_limit: upper limit address for loading the initrd
++ * @out: pointer to store the address of the initrd table
+ *
+ * Return: status code
+ */
+--
+2.39.5
+
--- /dev/null
+From e0dcaa7ef16ce18d74059854028e8793b538f0f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Apr 2025 18:52:36 +0800
+Subject: f2fs: clean up w/ fscrypt_is_bounce_page()
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 0c708e35cf26449ca317fcbfc274704660b6d269 ]
+
+Just cleanup, no logic changes.
+
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/data.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
+index acd0764b0286c..5a3fa2f887a79 100644
+--- a/fs/f2fs/data.c
++++ b/fs/f2fs/data.c
+@@ -54,7 +54,7 @@ bool f2fs_is_cp_guaranteed(struct page *page)
+ struct inode *inode;
+ struct f2fs_sb_info *sbi;
+
+- if (!mapping)
++ if (fscrypt_is_bounce_page(page))
+ return false;
+
+ inode = mapping->host;
+--
+2.39.5
+
--- /dev/null
+From 0266c6984b891a7d560c08264ecceb5dfff344e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 May 2025 16:45:49 +0800
+Subject: f2fs: fix to correct check conditions in f2fs_cross_rename
+
+From: Zhiguo Niu <zhiguo.niu@unisoc.com>
+
+[ Upstream commit 9883494c45a13dc88d27dde4f988c04823b42a2f ]
+
+Should be "old_dir" here.
+
+Fixes: 5c57132eaf52 ("f2fs: support project quota")
+Signed-off-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/namei.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c
+index 58ab04aff6bff..4d6f0a6365fe1 100644
+--- a/fs/f2fs/namei.c
++++ b/fs/f2fs/namei.c
+@@ -1102,7 +1102,7 @@ static int f2fs_cross_rename(struct inode *old_dir, struct dentry *old_dentry,
+ if ((is_inode_flag_set(new_dir, FI_PROJ_INHERIT) &&
+ !projid_eq(F2FS_I(new_dir)->i_projid,
+ F2FS_I(old_inode)->i_projid)) ||
+- (is_inode_flag_set(new_dir, FI_PROJ_INHERIT) &&
++ (is_inode_flag_set(old_dir, FI_PROJ_INHERIT) &&
+ !projid_eq(F2FS_I(old_dir)->i_projid,
+ F2FS_I(new_inode)->i_projid)))
+ return -EXDEV;
+--
+2.39.5
+
--- /dev/null
+From 50b3b499fb5578c9f9155a008cac6d0b591e9c48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Apr 2025 18:52:37 +0800
+Subject: f2fs: fix to detect gcing page in f2fs_is_cp_guaranteed()
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit aa1be8dd64163eca4dde7fd2557eb19927a06a47 ]
+
+Jan Prusakowski reported a f2fs bug as below:
+
+f2fs/007 will hang kernel during testing w/ below configs:
+
+kernel 6.12.18 (from pixel-kernel/android16-6.12)
+export MKFS_OPTIONS="-O encrypt -O extra_attr -O project_quota -O quota"
+export F2FS_MOUNT_OPTIONS="test_dummy_encryption,discard,fsync_mode=nobarrier,reserve_root=32768,checkpoint_merge,atgc"
+
+cat /proc/<umount_proc_id>/stack
+f2fs_wait_on_all_pages+0xa3/0x130
+do_checkpoint+0x40c/0x5d0
+f2fs_write_checkpoint+0x258/0x550
+kill_f2fs_super+0x14f/0x190
+deactivate_locked_super+0x30/0xb0
+cleanup_mnt+0xba/0x150
+task_work_run+0x59/0xa0
+syscall_exit_to_user_mode+0x12d/0x130
+do_syscall_64+0x57/0x110
+entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+cat /sys/kernel/debug/f2fs/status
+
+ - IO_W (CP: -256, Data: 256, Flush: ( 0 0 1), Discard: ( 0 0)) cmd: 0 undiscard: 0
+
+CP IOs reference count becomes negative.
+
+The root cause is:
+
+After 4961acdd65c9 ("f2fs: fix to tag gcing flag on page during block
+migration"), we will tag page w/ gcing flag for raw page of cluster
+during its migration.
+
+However, if the inode is both encrypted and compressed, during
+ioc_decompress(), it will tag page w/ gcing flag, and it increase
+F2FS_WB_DATA reference count:
+- f2fs_write_multi_page
+ - f2fs_write_raw_page
+ - f2fs_write_single_page
+ - do_write_page
+ - f2fs_submit_page_write
+ - WB_DATA_TYPE(bio_page, fio->compressed_page)
+ : bio_page is encrypted, so mapping is NULL, and fio->compressed_page
+ is NULL, it returns F2FS_WB_DATA
+ - inc_page_count(.., F2FS_WB_DATA)
+
+Then, during end_io(), it decrease F2FS_WB_CP_DATA reference count:
+- f2fs_write_end_io
+ - f2fs_compress_write_end_io
+ - fscrypt_pagecache_folio
+ : get raw page from encrypted page
+ - WB_DATA_TYPE(&folio->page, false)
+ : raw page has gcing flag, it returns F2FS_WB_CP_DATA
+ - dec_page_count(.., F2FS_WB_CP_DATA)
+
+In order to fix this issue, we need to detect gcing flag in raw page
+in f2fs_is_cp_guaranteed().
+
+Fixes: 4961acdd65c9 ("f2fs: fix to tag gcing flag on page during block migration")
+Reported-by: Jan Prusakowski <jprusakowski@google.com>
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/data.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
+index 5a3fa2f887a79..a123bb26acd8b 100644
+--- a/fs/f2fs/data.c
++++ b/fs/f2fs/data.c
+@@ -55,7 +55,7 @@ bool f2fs_is_cp_guaranteed(struct page *page)
+ struct f2fs_sb_info *sbi;
+
+ if (fscrypt_is_bounce_page(page))
+- return false;
++ return page_private_gcing(fscrypt_pagecache_page(page));
+
+ inode = mapping->host;
+ sbi = F2FS_I_SB(inode);
+--
+2.39.5
+
--- /dev/null
+From 4fa2e6a2b84e2c6935b8c4c1ee2d36bd77b38c7f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Apr 2025 20:22:08 +0800
+Subject: f2fs: fix to do sanity check on sbi->total_valid_block_count
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 05872a167c2cab80ef186ef23cc34a6776a1a30c ]
+
+syzbot reported a f2fs bug as below:
+
+------------[ cut here ]------------
+kernel BUG at fs/f2fs/f2fs.h:2521!
+RIP: 0010:dec_valid_block_count+0x3b2/0x3c0 fs/f2fs/f2fs.h:2521
+Call Trace:
+ f2fs_truncate_data_blocks_range+0xc8c/0x11a0 fs/f2fs/file.c:695
+ truncate_dnode+0x417/0x740 fs/f2fs/node.c:973
+ truncate_nodes+0x3ec/0xf50 fs/f2fs/node.c:1014
+ f2fs_truncate_inode_blocks+0x8e3/0x1370 fs/f2fs/node.c:1197
+ f2fs_do_truncate_blocks+0x840/0x12b0 fs/f2fs/file.c:810
+ f2fs_truncate_blocks+0x10d/0x300 fs/f2fs/file.c:838
+ f2fs_truncate+0x417/0x720 fs/f2fs/file.c:888
+ f2fs_setattr+0xc4f/0x12f0 fs/f2fs/file.c:1112
+ notify_change+0xbca/0xe90 fs/attr.c:552
+ do_truncate+0x222/0x310 fs/open.c:65
+ handle_truncate fs/namei.c:3466 [inline]
+ do_open fs/namei.c:3849 [inline]
+ path_openat+0x2e4f/0x35d0 fs/namei.c:4004
+ do_filp_open+0x284/0x4e0 fs/namei.c:4031
+ do_sys_openat2+0x12b/0x1d0 fs/open.c:1429
+ do_sys_open fs/open.c:1444 [inline]
+ __do_sys_creat fs/open.c:1522 [inline]
+ __se_sys_creat fs/open.c:1516 [inline]
+ __x64_sys_creat+0x124/0x170 fs/open.c:1516
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/syscall_64.c:94
+
+The reason is: in fuzzed image, sbi->total_valid_block_count is
+inconsistent w/ mapped blocks indexed by inode, so, we should
+not trigger panic for such case, instead, let's print log and
+set fsck flag.
+
+Fixes: 39a53e0ce0df ("f2fs: add superblock and major in-memory structure")
+Reported-by: syzbot+8b376a77b2f364097fbe@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-f2fs-devel/67f3c0b2.050a0220.396535.0547.GAE@google.com
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/f2fs.h | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
+index 5f6f159be456e..911c4c64d729d 100644
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -2474,8 +2474,14 @@ static inline void dec_valid_block_count(struct f2fs_sb_info *sbi,
+ blkcnt_t sectors = count << F2FS_LOG_SECTORS_PER_BLOCK;
+
+ spin_lock(&sbi->stat_lock);
+- f2fs_bug_on(sbi, sbi->total_valid_block_count < (block_t) count);
+- sbi->total_valid_block_count -= (block_t)count;
++ if (unlikely(sbi->total_valid_block_count < count)) {
++ f2fs_warn(sbi, "Inconsistent total_valid_block_count:%u, ino:%lu, count:%u",
++ sbi->total_valid_block_count, inode->i_ino, count);
++ sbi->total_valid_block_count = 0;
++ set_sbi_flag(sbi, SBI_NEED_FSCK);
++ } else {
++ sbi->total_valid_block_count -= count;
++ }
+ if (sbi->reserved_blocks &&
+ sbi->current_reserved_blocks < sbi->reserved_blocks)
+ sbi->current_reserved_blocks = min(sbi->reserved_blocks,
+--
+2.39.5
+
--- /dev/null
+From 964f8d61421087d4b82355848d96437cdf04d011 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 May 2025 16:45:48 +0800
+Subject: f2fs: use d_inode(dentry) cleanup dentry->d_inode
+
+From: Zhiguo Niu <zhiguo.niu@unisoc.com>
+
+[ Upstream commit a6c397a31f58a1d577c2c8d04b624e9baa31951c ]
+
+no logic changes.
+
+Signed-off-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/namei.c | 8 ++++----
+ fs/f2fs/super.c | 4 ++--
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c
+index 2e08e1fdf485c..58ab04aff6bff 100644
+--- a/fs/f2fs/namei.c
++++ b/fs/f2fs/namei.c
+@@ -411,7 +411,7 @@ static int f2fs_link(struct dentry *old_dentry, struct inode *dir,
+
+ if (is_inode_flag_set(dir, FI_PROJ_INHERIT) &&
+ (!projid_eq(F2FS_I(dir)->i_projid,
+- F2FS_I(old_dentry->d_inode)->i_projid)))
++ F2FS_I(inode)->i_projid)))
+ return -EXDEV;
+
+ err = f2fs_dquot_initialize(dir);
+@@ -905,7 +905,7 @@ static int f2fs_rename(struct mnt_idmap *idmap, struct inode *old_dir,
+
+ if (is_inode_flag_set(new_dir, FI_PROJ_INHERIT) &&
+ (!projid_eq(F2FS_I(new_dir)->i_projid,
+- F2FS_I(old_dentry->d_inode)->i_projid)))
++ F2FS_I(old_inode)->i_projid)))
+ return -EXDEV;
+
+ /*
+@@ -1101,10 +1101,10 @@ static int f2fs_cross_rename(struct inode *old_dir, struct dentry *old_dentry,
+
+ if ((is_inode_flag_set(new_dir, FI_PROJ_INHERIT) &&
+ !projid_eq(F2FS_I(new_dir)->i_projid,
+- F2FS_I(old_dentry->d_inode)->i_projid)) ||
++ F2FS_I(old_inode)->i_projid)) ||
+ (is_inode_flag_set(new_dir, FI_PROJ_INHERIT) &&
+ !projid_eq(F2FS_I(old_dir)->i_projid,
+- F2FS_I(new_dentry->d_inode)->i_projid)))
++ F2FS_I(new_inode)->i_projid)))
+ return -EXDEV;
+
+ err = f2fs_dquot_initialize(old_dir);
+diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
+index 4cc87921aac3e..6b3cafbe98672 100644
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -1849,9 +1849,9 @@ static int f2fs_statfs(struct dentry *dentry, struct kstatfs *buf)
+ buf->f_fsid = u64_to_fsid(id);
+
+ #ifdef CONFIG_QUOTA
+- if (is_inode_flag_set(dentry->d_inode, FI_PROJ_INHERIT) &&
++ if (is_inode_flag_set(d_inode(dentry), FI_PROJ_INHERIT) &&
+ sb_has_quota_limits_enabled(sb, PRJQUOTA)) {
+- f2fs_statfs_project(sb, F2FS_I(dentry->d_inode)->i_projid, buf);
++ f2fs_statfs_project(sb, F2FS_I(d_inode(dentry))->i_projid, buf);
+ }
+ #endif
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From 33276ec42fd8041d94cbb2f92e338d702fe7ba69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 May 2025 23:35:58 +0300
+Subject: fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod()
+
+From: Sergey Shtylyov <s.shtylyov@omp.ru>
+
+[ Upstream commit 3f6dae09fc8c306eb70fdfef70726e1f154e173a ]
+
+In fb_find_mode_cvt(), iff mode->refresh somehow happens to be 0x80000000,
+cvt.f_refresh will become 0 when multiplying it by 2 due to overflow. It's
+then passed to fb_cvt_hperiod(), where it's used as a divider -- division
+by 0 will result in kernel oops. Add a sanity check for cvt.f_refresh to
+avoid such overflow...
+
+Found by Linux Verification Center (linuxtesting.org) with the Svace static
+analysis tool.
+
+Fixes: 96fe6a2109db ("[PATCH] fbdev: Add VESA Coordinated Video Timings (CVT) support")
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/core/fbcvt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/video/fbdev/core/fbcvt.c b/drivers/video/fbdev/core/fbcvt.c
+index 64843464c6613..cd3821bd82e56 100644
+--- a/drivers/video/fbdev/core/fbcvt.c
++++ b/drivers/video/fbdev/core/fbcvt.c
+@@ -312,7 +312,7 @@ int fb_find_mode_cvt(struct fb_videomode *mode, int margins, int rb)
+ cvt.f_refresh = cvt.refresh;
+ cvt.interlace = 1;
+
+- if (!cvt.xres || !cvt.yres || !cvt.refresh) {
++ if (!cvt.xres || !cvt.yres || !cvt.refresh || cvt.f_refresh > INT_MAX) {
+ printk(KERN_INFO "fbcvt: Invalid input parameters\n");
+ return 1;
+ }
+--
+2.39.5
+
--- /dev/null
+From fc522f411d8ba173d1a66e0a849521ef57fde7a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Mar 2025 23:17:12 +0800
+Subject: firmware: psci: Fix refcount leak in psci_dt_init
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit 7ff37d29fd5c27617b9767e1b8946d115cf93a1e ]
+
+Fix a reference counter leak in psci_dt_init() where of_node_put(np) was
+missing after of_find_matching_node_and_match() when np is unavailable.
+
+Fixes: d09a0011ec0d ("drivers: psci: Allow PSCI node to be disabled")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Reviewed-by: Gavin Shan <gshan@redhat.com>
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Link: https://lore.kernel.org/r/20250318151712.28763-1-linmq006@gmail.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/psci/psci.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/firmware/psci/psci.c b/drivers/firmware/psci/psci.c
+index 2328ca58bba61..d6701d81cf680 100644
+--- a/drivers/firmware/psci/psci.c
++++ b/drivers/firmware/psci/psci.c
+@@ -759,8 +759,10 @@ int __init psci_dt_init(void)
+
+ np = of_find_matching_node_and_match(NULL, psci_of_match, &matched_np);
+
+- if (!np || !of_device_is_available(np))
++ if (!np || !of_device_is_available(np)) {
++ of_node_put(np);
+ return -ENODEV;
++ }
+
+ init_fn = (psci_initcall_t)matched_np->data;
+ ret = init_fn(np);
+--
+2.39.5
+
--- /dev/null
+From 4739403e45d2186ceb958da36ea55824d5394484 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 May 2025 12:57:57 +0800
+Subject: firmware: SDEI: Allow sdei initialization without ACPI_APEI_GHES
+
+From: Huang Yiwei <quic_hyiwei@quicinc.com>
+
+[ Upstream commit 59529bbe642de4eb2191a541d9b4bae7eb73862e ]
+
+SDEI usually initialize with the ACPI table, but on platforms where
+ACPI is not used, the SDEI feature can still be used to handle
+specific firmware calls or other customized purposes. Therefore, it
+is not necessary for ARM_SDE_INTERFACE to depend on ACPI_APEI_GHES.
+
+In commit dc4e8c07e9e2 ("ACPI: APEI: explicit init of HEST and GHES
+in acpi_init()"), to make APEI ready earlier, sdei_init was moved
+into acpi_ghes_init instead of being a standalone initcall, adding
+ACPI_APEI_GHES dependency to ARM_SDE_INTERFACE. This restricts the
+flexibility and usability of SDEI.
+
+This patch corrects the dependency in Kconfig and splits sdei_init()
+into two separate functions: sdei_init() and acpi_sdei_init().
+sdei_init() will be called by arch_initcall and will only initialize
+the platform driver, while acpi_sdei_init() will initialize the
+device from acpi_ghes_init() when ACPI is ready. This allows the
+initialization of SDEI without ACPI_APEI_GHES enabled.
+
+Fixes: dc4e8c07e9e2 ("ACPI: APEI: explicit init of HEST and GHES in apci_init()")
+Cc: Shuai Xue <xueshuai@linux.alibaba.com>
+Signed-off-by: Huang Yiwei <quic_hyiwei@quicinc.com>
+Reviewed-by: Shuai Xue <xueshuai@linux.alibaba.com>
+Reviewed-by: Gavin Shan <gshan@redhat.com>
+Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Link: https://lore.kernel.org/r/20250507045757.2658795-1-quic_hyiwei@quicinc.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/apei/Kconfig | 1 +
+ drivers/acpi/apei/ghes.c | 2 +-
+ drivers/firmware/Kconfig | 1 -
+ drivers/firmware/arm_sdei.c | 11 ++++++++---
+ include/linux/arm_sdei.h | 4 ++--
+ 5 files changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/acpi/apei/Kconfig b/drivers/acpi/apei/Kconfig
+index 6b18f8bc7be35..71e0d64a7792e 100644
+--- a/drivers/acpi/apei/Kconfig
++++ b/drivers/acpi/apei/Kconfig
+@@ -23,6 +23,7 @@ config ACPI_APEI_GHES
+ select ACPI_HED
+ select IRQ_WORK
+ select GENERIC_ALLOCATOR
++ select ARM_SDE_INTERFACE if ARM64
+ help
+ Generic Hardware Error Source provides a way to report
+ platform hardware errors (such as that from chipset). It
+diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c
+index 3aadc632d7dd5..2abf20736702c 100644
+--- a/drivers/acpi/apei/ghes.c
++++ b/drivers/acpi/apei/ghes.c
+@@ -1523,7 +1523,7 @@ void __init acpi_ghes_init(void)
+ {
+ int rc;
+
+- sdei_init();
++ acpi_sdei_init();
+
+ if (acpi_disabled)
+ return;
+diff --git a/drivers/firmware/Kconfig b/drivers/firmware/Kconfig
+index 3f2f22e47bfa1..8ecffdce94b16 100644
+--- a/drivers/firmware/Kconfig
++++ b/drivers/firmware/Kconfig
+@@ -40,7 +40,6 @@ config ARM_SCPI_POWER_DOMAIN
+ config ARM_SDE_INTERFACE
+ bool "ARM Software Delegated Exception Interface (SDEI)"
+ depends on ARM64
+- depends on ACPI_APEI_GHES
+ help
+ The Software Delegated Exception Interface (SDEI) is an ARM
+ standard for registering callbacks from the platform firmware
+diff --git a/drivers/firmware/arm_sdei.c b/drivers/firmware/arm_sdei.c
+index 3e8051fe82965..71e2a9a89f6ad 100644
+--- a/drivers/firmware/arm_sdei.c
++++ b/drivers/firmware/arm_sdei.c
+@@ -1062,13 +1062,12 @@ static bool __init sdei_present_acpi(void)
+ return true;
+ }
+
+-void __init sdei_init(void)
++void __init acpi_sdei_init(void)
+ {
+ struct platform_device *pdev;
+ int ret;
+
+- ret = platform_driver_register(&sdei_driver);
+- if (ret || !sdei_present_acpi())
++ if (!sdei_present_acpi())
+ return;
+
+ pdev = platform_device_register_simple(sdei_driver.driver.name,
+@@ -1081,6 +1080,12 @@ void __init sdei_init(void)
+ }
+ }
+
++static int __init sdei_init(void)
++{
++ return platform_driver_register(&sdei_driver);
++}
++arch_initcall(sdei_init);
++
+ int sdei_event_handler(struct pt_regs *regs,
+ struct sdei_registered_event *arg)
+ {
+diff --git a/include/linux/arm_sdei.h b/include/linux/arm_sdei.h
+index 255701e1251b4..f652a5028b590 100644
+--- a/include/linux/arm_sdei.h
++++ b/include/linux/arm_sdei.h
+@@ -46,12 +46,12 @@ int sdei_unregister_ghes(struct ghes *ghes);
+ /* For use by arch code when CPU hotplug notifiers are not appropriate. */
+ int sdei_mask_local_cpu(void);
+ int sdei_unmask_local_cpu(void);
+-void __init sdei_init(void);
++void __init acpi_sdei_init(void);
+ void sdei_handler_abort(void);
+ #else
+ static inline int sdei_mask_local_cpu(void) { return 0; }
+ static inline int sdei_unmask_local_cpu(void) { return 0; }
+-static inline void sdei_init(void) { }
++static inline void acpi_sdei_init(void) { }
+ static inline void sdei_handler_abort(void) { }
+ #endif /* CONFIG_ARM_SDE_INTERFACE */
+
+--
+2.39.5
+
--- /dev/null
+From 2150f81939bd0299854bd4cfb2c1837a8b5cd725 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Jun 2025 17:57:27 -0400
+Subject: fix propagation graph breakage by MOVE_MOUNT_SET_GROUP move_mount(2)
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit d8cc0362f918d020ca1340d7694f07062dc30f36 ]
+
+9ffb14ef61ba "move_mount: allow to add a mount into an existing group"
+breaks assertions on ->mnt_share/->mnt_slave. For once, the data structures
+in question are actually documented.
+
+Documentation/filesystem/sharedsubtree.rst:
+ All vfsmounts in a peer group have the same ->mnt_master. If it is
+ non-NULL, they form a contiguous (ordered) segment of slave list.
+
+do_set_group() puts a mount into the same place in propagation graph
+as the old one. As the result, if old mount gets events from somewhere
+and is not a pure event sink, new one needs to be placed next to the
+old one in the slave list the old one's on. If it is a pure event
+sink, we only need to make sure the new one doesn't end up in the
+middle of some peer group.
+
+"move_mount: allow to add a mount into an existing group" ends up putting
+the new one in the beginning of list; that's definitely not going to be
+in the middle of anything, so that's fine for case when old is not marked
+shared. In case when old one _is_ marked shared (i.e. is not a pure event
+sink), that breaks the assumptions of propagation graph iterators.
+
+Put the new mount next to the old one on the list - that does the right thing
+in "old is marked shared" case and is just as correct as the current behaviour
+if old is not marked shared (kudos to Pavel for pointing that out - my original
+suggested fix changed behaviour in the "nor marked" case, which complicated
+things for no good reason).
+
+Reviewed-by: Christian Brauner <brauner@kernel.org>
+Fixes: 9ffb14ef61ba ("move_mount: allow to add a mount into an existing group")
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/namespace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/namespace.c b/fs/namespace.c
+index 7942a33451ba0..4d8afd0e1eb8f 100644
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -2995,7 +2995,7 @@ static int do_set_group(struct path *from_path, struct path *to_path)
+ if (IS_MNT_SLAVE(from)) {
+ struct mount *m = from->mnt_master;
+
+- list_add(&to->mnt_slave, &m->mnt_slave_list);
++ list_add(&to->mnt_slave, &from->mnt_slave);
+ to->mnt_master = m;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From e1fc3052ac9ec7e7a53b0be5259a02ca22776141 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Apr 2025 16:37:37 +0100
+Subject: fpga: fix potential null pointer deref in
+ fpga_mgr_test_img_load_sgt()
+
+From: Qasim Ijaz <qasdev00@gmail.com>
+
+[ Upstream commit 6ebf1982038af12f3588417e4fd0417d2551da28 ]
+
+fpga_mgr_test_img_load_sgt() allocates memory for sgt using
+kunit_kzalloc() however it does not check if the allocation failed.
+It then passes sgt to sg_alloc_table(), which passes it to
+__sg_alloc_table(). This function calls memset() on sgt in an attempt to
+zero it out. If the allocation fails then sgt will be NULL and the
+memset will trigger a NULL pointer dereference.
+
+Fix this by checking the allocation with KUNIT_ASSERT_NOT_ERR_OR_NULL().
+
+Reviewed-by: Marco Pagani <marco.pagani@linux.dev>
+Fixes: ccbc1c302115 ("fpga: add an initial KUnit suite for the FPGA Manager")
+Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
+Acked-by: Xu Yilun <yilun.xu@intel.com>
+Link: https://lore.kernel.org/r/20250422153737.5264-1-qasdev00@gmail.com
+Signed-off-by: Xu Yilun <yilun.xu@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/fpga/tests/fpga-mgr-test.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/fpga/tests/fpga-mgr-test.c b/drivers/fpga/tests/fpga-mgr-test.c
+index 6acec55b60ce9..bfe25c0c0c1c3 100644
+--- a/drivers/fpga/tests/fpga-mgr-test.c
++++ b/drivers/fpga/tests/fpga-mgr-test.c
+@@ -253,6 +253,7 @@ static void fpga_mgr_test_img_load_sgt(struct kunit *test)
+ img_buf = init_test_buffer(test, IMAGE_SIZE);
+
+ sgt = kunit_kzalloc(test, sizeof(*sgt), GFP_KERNEL);
++ KUNIT_ASSERT_NOT_ERR_OR_NULL(test, sgt);
+ ret = sg_alloc_table(sgt, 1, GFP_KERNEL);
+ KUNIT_ASSERT_EQ(test, ret, 0);
+ sg_init_one(sgt->sgl, img_buf, IMAGE_SIZE);
+--
+2.39.5
+
--- /dev/null
+From f4ac427dd4cbf86d2370f8c05d31b8369ff90040 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Mar 2025 13:42:18 +0000
+Subject: fs/ntfs3: handle hdr_first_de() return value
+
+From: Andrey Vatoropin <a.vatoropin@crpt.ru>
+
+[ Upstream commit af5cab0e5b6f8edb0be51a9f47f3f620e0b4fd70 ]
+
+The hdr_first_de() function returns a pointer to a struct NTFS_DE. This
+pointer may be NULL. To handle the NULL error effectively, it is important
+to implement an error handler. This will help manage potential errors
+consistently.
+
+Additionally, error handling for the return value already exists at other
+points where this function is called.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 82cae269cfa9 ("fs/ntfs3: Add initialization of super block")
+Signed-off-by: Andrey Vatoropin <a.vatoropin@crpt.ru>
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ntfs3/index.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c
+index 28aae6ea1e615..191b91ffadbb2 100644
+--- a/fs/ntfs3/index.c
++++ b/fs/ntfs3/index.c
+@@ -2184,6 +2184,10 @@ static int indx_get_entry_to_replace(struct ntfs_index *indx,
+
+ e = hdr_first_de(&n->index->ihdr);
+ fnd_push(fnd, n, e);
++ if (!e) {
++ err = -EINVAL;
++ goto out;
++ }
+
+ if (!de_is_last(e)) {
+ /*
+@@ -2205,6 +2209,10 @@ static int indx_get_entry_to_replace(struct ntfs_index *indx,
+
+ n = fnd->nodes[level];
+ te = hdr_first_de(&n->index->ihdr);
++ if (!te) {
++ err = -EINVAL;
++ goto out;
++ }
+ /* Copy the candidate entry into the replacement entry buffer. */
+ re = kmalloc(le16_to_cpu(te->size) + sizeof(u64), GFP_NOFS);
+ if (!re) {
+--
+2.39.5
+
--- /dev/null
+From f91a7063b6027e990401eaaed81f35a40001f1f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Apr 2025 16:40:58 +0200
+Subject: gfs2: gfs2_create_inode error handling fix
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+[ Upstream commit af4044fd0b77e915736527dd83011e46e6415f01 ]
+
+When gfs2_create_inode() finds a directory, make sure to return -EISDIR.
+
+Fixes: 571a4b57975a ("GFS2: bugger off early if O_CREAT open finds a directory")
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/gfs2/inode.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c
+index 29085643ad104..1cb5ce63fbf69 100644
+--- a/fs/gfs2/inode.c
++++ b/fs/gfs2/inode.c
+@@ -658,7 +658,8 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
+ if (!IS_ERR(inode)) {
+ if (S_ISDIR(inode->i_mode)) {
+ iput(inode);
+- inode = ERR_PTR(-EISDIR);
++ inode = NULL;
++ error = -EISDIR;
+ goto fail_gunlock;
+ }
+ d_instantiate(dentry, inode);
+--
+2.39.5
+
--- /dev/null
+From 85cc655d2680ca50b866a296a228254d1a044b49 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Jun 2025 03:34:29 -0700
+Subject: gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit 12c331b29c7397ac3b03584e12902990693bc248 ]
+
+gve_alloc_pending_packet() can return NULL, but gve_tx_add_skb_dqo()
+did not check for this case before dereferencing the returned pointer.
+
+Add a missing NULL check to prevent a potential NULL pointer
+dereference when allocation fails.
+
+This improves robustness in low-memory scenarios.
+
+Fixes: a57e5de476be ("gve: DQO: Add TX path")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Reviewed-by: Mina Almasry <almasrymina@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/google/gve/gve_tx_dqo.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/google/gve/gve_tx_dqo.c b/drivers/net/ethernet/google/gve/gve_tx_dqo.c
+index 89b62b8d16e14..857749fef37cf 100644
+--- a/drivers/net/ethernet/google/gve/gve_tx_dqo.c
++++ b/drivers/net/ethernet/google/gve/gve_tx_dqo.c
+@@ -716,6 +716,9 @@ static int gve_tx_add_skb_dqo(struct gve_tx_ring *tx,
+ s16 completion_tag;
+
+ pkt = gve_alloc_pending_packet(tx);
++ if (!pkt)
++ return -ENOMEM;
++
+ pkt->skb = skb;
+ completion_tag = pkt - tx->dqo.pending_packets;
+
+--
+2.39.5
+
--- /dev/null
+From 1e39d3f3dbe112d4233d46a0f68d5c82cc261f77 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 May 2025 06:08:16 -0700
+Subject: gve: Fix RX_BUFFERS_POSTED stat to report per-queue fill_cnt
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit f41a94aade120dc60322865f363cee7865f2df01 ]
+
+Previously, the RX_BUFFERS_POSTED stat incorrectly reported the
+fill_cnt from RX queue 0 for all queues, resulting in inaccurate
+per-queue statistics.
+Fix this by correctly indexing priv->rx[idx].fill_cnt for each RX queue.
+
+Fixes: 24aeb56f2d38 ("gve: Add Gvnic stats AQ command and ethtool show/set-priv-flags.")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Link: https://patch.msgid.link/20250527130830.1812903-1-alok.a.tiwari@oracle.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/google/gve/gve_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/google/gve/gve_main.c b/drivers/net/ethernet/google/gve/gve_main.c
+index 8cd098fe88ef2..b4745d94cbbdb 100644
+--- a/drivers/net/ethernet/google/gve/gve_main.c
++++ b/drivers/net/ethernet/google/gve/gve_main.c
+@@ -1992,7 +1992,7 @@ void gve_handle_report_stats(struct gve_priv *priv)
+ };
+ stats[stats_idx++] = (struct stats) {
+ .stat_name = cpu_to_be32(RX_BUFFERS_POSTED),
+- .value = cpu_to_be64(priv->rx[0].fill_cnt),
++ .value = cpu_to_be64(priv->rx[idx].fill_cnt),
+ .queue_id = cpu_to_be32(idx),
+ };
+ }
+--
+2.39.5
+
--- /dev/null
+From ab6cada83e19179d4be64728dd8d634dd82ec8eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 May 2025 16:11:51 +0800
+Subject: hisi_acc_vfio_pci: add eq and aeq interruption restore
+
+From: Longfang Liu <liulongfang@huawei.com>
+
+[ Upstream commit 3495cec0787721ba7a9d5c19d0bbb66d182de584 ]
+
+In order to ensure that the task packets of the accelerator
+device are not lost during the migration process, it is necessary
+to send an EQ and AEQ command to the device after the live migration
+is completed and to update the completion position of the task queue.
+
+Let the device recheck the completed tasks data and if there are
+uncollected packets, device resend a task completion interrupt
+to the software.
+
+Fixes: b0eed085903e ("hisi_acc_vfio_pci: Add support for VFIO live migration")
+Signed-off-by: Longfang Liu <liulongfang@huawei.com>
+Reviewed-by: Shameer Kolothum <shameerali.kolothum.thodi@huawei.com>
+Link: https://lore.kernel.org/r/20250510081155.55840-3-liulongfang@huawei.com
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c
+index d09e7d295625d..521f969e1c608 100644
+--- a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c
++++ b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c
+@@ -470,6 +470,19 @@ static int vf_qm_get_match_data(struct hisi_acc_vf_core_device *hisi_acc_vdev,
+ return 0;
+ }
+
++static void vf_qm_xeqc_save(struct hisi_qm *qm,
++ struct hisi_acc_vf_migration_file *migf)
++{
++ struct acc_vf_data *vf_data = &migf->vf_data;
++ u16 eq_head, aeq_head;
++
++ eq_head = vf_data->qm_eqc_dw[0] & 0xFFFF;
++ qm_db(qm, 0, QM_DOORBELL_CMD_EQ, eq_head, 0);
++
++ aeq_head = vf_data->qm_aeqc_dw[0] & 0xFFFF;
++ qm_db(qm, 0, QM_DOORBELL_CMD_AEQ, aeq_head, 0);
++}
++
+ static int vf_qm_load_data(struct hisi_acc_vf_core_device *hisi_acc_vdev,
+ struct hisi_acc_vf_migration_file *migf)
+ {
+@@ -566,6 +579,9 @@ static int vf_qm_state_save(struct hisi_acc_vf_core_device *hisi_acc_vdev,
+ }
+
+ migf->total_length = sizeof(struct acc_vf_data);
++ /* Save eqc and aeqc interrupt information */
++ vf_qm_xeqc_save(vf_qm, migf);
++
+ return 0;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 37dc2ba3b3fe17c94ba67824a1af681458acf506 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 May 2025 16:11:54 +0800
+Subject: hisi_acc_vfio_pci: bugfix live migration function without VF device
+ driver
+
+From: Longfang Liu <liulongfang@huawei.com>
+
+[ Upstream commit 2777a40998deb36f96b6afc48bd397cf58a4edf0 ]
+
+If the VF device driver is not loaded in the Guest OS and we attempt to
+perform device data migration, the address of the migrated data will
+be NULL.
+The live migration recovery operation on the destination side will
+access a null address value, which will cause access errors.
+
+Therefore, live migration of VMs without added VF device drivers
+does not require device data migration.
+In addition, when the queue address data obtained by the destination
+is empty, device queue recovery processing will not be performed.
+
+Fixes: b0eed085903e ("hisi_acc_vfio_pci: Add support for VFIO live migration")
+Signed-off-by: Longfang Liu <liulongfang@huawei.com>
+Reviewed-by: Shameer Kolothum <shameerali.kolothum.thodi@huawei.com>
+Link: https://lore.kernel.org/r/20250510081155.55840-6-liulongfang@huawei.com
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../vfio/pci/hisilicon/hisi_acc_vfio_pci.c | 22 +++++++++++++------
+ 1 file changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c
+index 521f969e1c608..712b178c42aae 100644
+--- a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c
++++ b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c
+@@ -426,13 +426,6 @@ static int vf_qm_check_match(struct hisi_acc_vf_core_device *hisi_acc_vdev,
+ return -EINVAL;
+ }
+
+- ret = qm_write_regs(vf_qm, QM_VF_STATE, &vf_data->vf_qm_state, 1);
+- if (ret) {
+- dev_err(dev, "failed to write QM_VF_STATE\n");
+- return ret;
+- }
+-
+- hisi_acc_vdev->vf_qm_state = vf_data->vf_qm_state;
+ hisi_acc_vdev->match_done = true;
+ return 0;
+ }
+@@ -498,6 +491,20 @@ static int vf_qm_load_data(struct hisi_acc_vf_core_device *hisi_acc_vdev,
+ if (migf->total_length < sizeof(struct acc_vf_data))
+ return -EINVAL;
+
++ if (!vf_data->eqe_dma || !vf_data->aeqe_dma ||
++ !vf_data->sqc_dma || !vf_data->cqc_dma) {
++ dev_info(dev, "resume dma addr is NULL!\n");
++ hisi_acc_vdev->vf_qm_state = QM_NOT_READY;
++ return 0;
++ }
++
++ ret = qm_write_regs(qm, QM_VF_STATE, &vf_data->vf_qm_state, 1);
++ if (ret) {
++ dev_err(dev, "failed to write QM_VF_STATE\n");
++ return -EINVAL;
++ }
++ hisi_acc_vdev->vf_qm_state = vf_data->vf_qm_state;
++
+ qm->eqe_dma = vf_data->eqe_dma;
+ qm->aeqe_dma = vf_data->aeqe_dma;
+ qm->sqc_dma = vf_data->sqc_dma;
+@@ -1397,6 +1404,7 @@ static int hisi_acc_vfio_pci_migrn_init_dev(struct vfio_device *core_vdev)
+ hisi_acc_vdev->vf_id = pci_iov_vf_id(pdev) + 1;
+ hisi_acc_vdev->pf_qm = pf_qm;
+ hisi_acc_vdev->vf_dev = pdev;
++ hisi_acc_vdev->vf_qm_state = QM_NOT_READY;
+ mutex_init(&hisi_acc_vdev->state_mutex);
+
+ core_vdev->migration_flags = VFIO_MIGRATION_STOP_COPY | VFIO_MIGRATION_PRE_COPY;
+--
+2.39.5
+
--- /dev/null
+From fdfb73679b45a4fbec8ccca2af838c46803dda83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 May 2025 16:11:50 +0800
+Subject: hisi_acc_vfio_pci: fix XQE dma address error
+
+From: Longfang Liu <liulongfang@huawei.com>
+
+[ Upstream commit 8bb7170c5a055ea17c6857c256ee73c10ff872eb ]
+
+The dma addresses of EQE and AEQE are wrong after migration and
+results in guest kernel-mode encryption services failure.
+Comparing the definition of hardware registers, we found that
+there was an error when the data read from the register was
+combined into an address. Therefore, the address combination
+sequence needs to be corrected.
+
+Even after fixing the above problem, we still have an issue
+where the Guest from an old kernel can get migrated to
+new kernel and may result in wrong data.
+
+In order to ensure that the address is correct after migration,
+if an old magic number is detected, the dma address needs to be
+updated.
+
+Fixes: b0eed085903e ("hisi_acc_vfio_pci: Add support for VFIO live migration")
+Signed-off-by: Longfang Liu <liulongfang@huawei.com>
+Reviewed-by: Shameer Kolothum <shameerali.kolothum.thodi@huawei.com>
+Link: https://lore.kernel.org/r/20250510081155.55840-2-liulongfang@huawei.com
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../vfio/pci/hisilicon/hisi_acc_vfio_pci.c | 41 ++++++++++++++++---
+ .../vfio/pci/hisilicon/hisi_acc_vfio_pci.h | 14 ++++++-
+ 2 files changed, 47 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c
+index 4d27465c8f1a8..d09e7d295625d 100644
+--- a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c
++++ b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.c
+@@ -350,6 +350,32 @@ static int vf_qm_func_stop(struct hisi_qm *qm)
+ return hisi_qm_mb(qm, QM_MB_CMD_PAUSE_QM, 0, 0, 0);
+ }
+
++static int vf_qm_version_check(struct acc_vf_data *vf_data, struct device *dev)
++{
++ switch (vf_data->acc_magic) {
++ case ACC_DEV_MAGIC_V2:
++ if (vf_data->major_ver != ACC_DRV_MAJOR_VER) {
++ dev_info(dev, "migration driver version<%u.%u> not match!\n",
++ vf_data->major_ver, vf_data->minor_ver);
++ return -EINVAL;
++ }
++ break;
++ case ACC_DEV_MAGIC_V1:
++ /* Correct dma address */
++ vf_data->eqe_dma = vf_data->qm_eqc_dw[QM_XQC_ADDR_HIGH];
++ vf_data->eqe_dma <<= QM_XQC_ADDR_OFFSET;
++ vf_data->eqe_dma |= vf_data->qm_eqc_dw[QM_XQC_ADDR_LOW];
++ vf_data->aeqe_dma = vf_data->qm_aeqc_dw[QM_XQC_ADDR_HIGH];
++ vf_data->aeqe_dma <<= QM_XQC_ADDR_OFFSET;
++ vf_data->aeqe_dma |= vf_data->qm_aeqc_dw[QM_XQC_ADDR_LOW];
++ break;
++ default:
++ return -EINVAL;
++ }
++
++ return 0;
++}
++
+ static int vf_qm_check_match(struct hisi_acc_vf_core_device *hisi_acc_vdev,
+ struct hisi_acc_vf_migration_file *migf)
+ {
+@@ -363,7 +389,8 @@ static int vf_qm_check_match(struct hisi_acc_vf_core_device *hisi_acc_vdev,
+ if (migf->total_length < QM_MATCH_SIZE || hisi_acc_vdev->match_done)
+ return 0;
+
+- if (vf_data->acc_magic != ACC_DEV_MAGIC) {
++ ret = vf_qm_version_check(vf_data, dev);
++ if (ret) {
+ dev_err(dev, "failed to match ACC_DEV_MAGIC\n");
+ return -EINVAL;
+ }
+@@ -418,7 +445,9 @@ static int vf_qm_get_match_data(struct hisi_acc_vf_core_device *hisi_acc_vdev,
+ int vf_id = hisi_acc_vdev->vf_id;
+ int ret;
+
+- vf_data->acc_magic = ACC_DEV_MAGIC;
++ vf_data->acc_magic = ACC_DEV_MAGIC_V2;
++ vf_data->major_ver = ACC_DRV_MAJOR_VER;
++ vf_data->minor_ver = ACC_DRV_MINOR_VER;
+ /* Save device id */
+ vf_data->dev_id = hisi_acc_vdev->vf_dev->device;
+
+@@ -516,12 +545,12 @@ static int vf_qm_state_save(struct hisi_acc_vf_core_device *hisi_acc_vdev,
+ return -EINVAL;
+
+ /* Every reg is 32 bit, the dma address is 64 bit. */
+- vf_data->eqe_dma = vf_data->qm_eqc_dw[1];
++ vf_data->eqe_dma = vf_data->qm_eqc_dw[QM_XQC_ADDR_HIGH];
+ vf_data->eqe_dma <<= QM_XQC_ADDR_OFFSET;
+- vf_data->eqe_dma |= vf_data->qm_eqc_dw[0];
+- vf_data->aeqe_dma = vf_data->qm_aeqc_dw[1];
++ vf_data->eqe_dma |= vf_data->qm_eqc_dw[QM_XQC_ADDR_LOW];
++ vf_data->aeqe_dma = vf_data->qm_aeqc_dw[QM_XQC_ADDR_HIGH];
+ vf_data->aeqe_dma <<= QM_XQC_ADDR_OFFSET;
+- vf_data->aeqe_dma |= vf_data->qm_aeqc_dw[0];
++ vf_data->aeqe_dma |= vf_data->qm_aeqc_dw[QM_XQC_ADDR_LOW];
+
+ /* Through SQC_BT/CQC_BT to get sqc and cqc address */
+ ret = qm_get_sqc(vf_qm, &vf_data->sqc_dma);
+diff --git a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.h b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.h
+index dcabfeec6ca19..f1d8fe86b6eb2 100644
+--- a/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.h
++++ b/drivers/vfio/pci/hisilicon/hisi_acc_vfio_pci.h
+@@ -38,6 +38,9 @@
+ #define QM_REG_ADDR_OFFSET 0x0004
+
+ #define QM_XQC_ADDR_OFFSET 32U
++#define QM_XQC_ADDR_LOW 0x1
++#define QM_XQC_ADDR_HIGH 0x2
++
+ #define QM_VF_AEQ_INT_MASK 0x0004
+ #define QM_VF_EQ_INT_MASK 0x000c
+ #define QM_IFC_INT_SOURCE_V 0x0020
+@@ -49,10 +52,15 @@
+ #define QM_EQC_DW0 0X8000
+ #define QM_AEQC_DW0 0X8020
+
++#define ACC_DRV_MAJOR_VER 1
++#define ACC_DRV_MINOR_VER 0
++
++#define ACC_DEV_MAGIC_V1 0XCDCDCDCDFEEDAACC
++#define ACC_DEV_MAGIC_V2 0xAACCFEEDDECADEDE
++
+ struct acc_vf_data {
+ #define QM_MATCH_SIZE offsetofend(struct acc_vf_data, qm_rsv_state)
+ /* QM match information */
+-#define ACC_DEV_MAGIC 0XCDCDCDCDFEEDAACC
+ u64 acc_magic;
+ u32 qp_num;
+ u32 dev_id;
+@@ -60,7 +68,9 @@ struct acc_vf_data {
+ u32 qp_base;
+ u32 vf_qm_state;
+ /* QM reserved match information */
+- u32 qm_rsv_state[3];
++ u16 major_ver;
++ u16 minor_ver;
++ u32 qm_rsv_state[2];
+
+ /* QM RW regs */
+ u32 aeq_int_mask;
+--
+2.39.5
+
--- /dev/null
+From d2aecbab3f5f4a575c04de5575ddecc4ada56cac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Apr 2025 23:26:54 +0300
+Subject: hwmon: (asus-ec-sensors) check sensor index in read_string()
+
+From: Alexei Safin <a.safin@rosa.ru>
+
+[ Upstream commit 25be318324563c63cbd9cb53186203a08d2f83a1 ]
+
+Prevent a potential invalid memory access when the requested sensor
+is not found.
+
+find_ec_sensor_index() may return a negative value (e.g. -ENOENT),
+but its result was used without checking, which could lead to
+undefined behavior when passed to get_sensor_info().
+
+Add a proper check to return -EINVAL if sensor_index is negative.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: d0ddfd241e57 ("hwmon: (asus-ec-sensors) add driver for ASUS EC")
+Signed-off-by: Alexei Safin <a.safin@rosa.ru>
+Link: https://lore.kernel.org/r/20250424202654.5902-1-a.safin@rosa.ru
+[groeck: Return error code returned from find_ec_sensor_index]
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/asus-ec-sensors.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/hwmon/asus-ec-sensors.c b/drivers/hwmon/asus-ec-sensors.c
+index f20b864c1bb20..ce2f14a62754e 100644
+--- a/drivers/hwmon/asus-ec-sensors.c
++++ b/drivers/hwmon/asus-ec-sensors.c
+@@ -888,6 +888,10 @@ static int asus_ec_hwmon_read_string(struct device *dev,
+ {
+ struct ec_sensors_data *state = dev_get_drvdata(dev);
+ int sensor_index = find_ec_sensor_index(state, type, channel);
++
++ if (sensor_index < 0)
++ return sensor_index;
++
+ *str = get_sensor_info(state, sensor_index)->label;
+
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From 1dd3747f7c84149ac00d0e4b941194ae333834dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Feb 2025 17:56:12 +0000
+Subject: IB/cm: use rwlock for MAD agent lock
+
+From: Jacob Moroni <jmoroni@google.com>
+
+[ Upstream commit 4dab26bed543584577b64b36aadb8b5b165bf44f ]
+
+In workloads where there are many processes establishing connections using
+RDMA CM in parallel (large scale MPI), there can be heavy contention for
+mad_agent_lock in cm_alloc_msg.
+
+This contention can occur while inside of a spin_lock_irq region, leading
+to interrupts being disabled for extended durations on many
+cores. Furthermore, it leads to the serialization of rdma_create_ah calls,
+which has negative performance impacts for NICs which are capable of
+processing multiple address handle creations in parallel.
+
+The end result is the machine becoming unresponsive, hung task warnings,
+netdev TX timeouts, etc.
+
+Since the lock appears to be only for protection from cm_remove_one, it
+can be changed to a rwlock to resolve these issues.
+
+Reproducer:
+
+Server:
+ for i in $(seq 1 512); do
+ ucmatose -c 32 -p $((i + 5000)) &
+ done
+
+Client:
+ for i in $(seq 1 512); do
+ ucmatose -c 32 -p $((i + 5000)) -s 10.2.0.52 &
+ done
+
+Fixes: 76039ac9095f ("IB/cm: Protect cm_dev, cm_ports and mad_agent with kref and lock")
+Link: https://patch.msgid.link/r/20250220175612.2763122-1-jmoroni@google.com
+Signed-off-by: Jacob Moroni <jmoroni@google.com>
+Acked-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
+Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/cm.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c
+index 07fb8d3c037f0..d45e3909dafe1 100644
+--- a/drivers/infiniband/core/cm.c
++++ b/drivers/infiniband/core/cm.c
+@@ -166,7 +166,7 @@ struct cm_port {
+ struct cm_device {
+ struct kref kref;
+ struct list_head list;
+- spinlock_t mad_agent_lock;
++ rwlock_t mad_agent_lock;
+ struct ib_device *ib_device;
+ u8 ack_delay;
+ int going_down;
+@@ -284,7 +284,7 @@ static struct ib_mad_send_buf *cm_alloc_msg(struct cm_id_private *cm_id_priv)
+ if (!cm_id_priv->av.port)
+ return ERR_PTR(-EINVAL);
+
+- spin_lock(&cm_id_priv->av.port->cm_dev->mad_agent_lock);
++ read_lock(&cm_id_priv->av.port->cm_dev->mad_agent_lock);
+ mad_agent = cm_id_priv->av.port->mad_agent;
+ if (!mad_agent) {
+ m = ERR_PTR(-EINVAL);
+@@ -315,7 +315,7 @@ static struct ib_mad_send_buf *cm_alloc_msg(struct cm_id_private *cm_id_priv)
+ m->context[0] = cm_id_priv;
+
+ out:
+- spin_unlock(&cm_id_priv->av.port->cm_dev->mad_agent_lock);
++ read_unlock(&cm_id_priv->av.port->cm_dev->mad_agent_lock);
+ return m;
+ }
+
+@@ -1294,10 +1294,10 @@ static __be64 cm_form_tid(struct cm_id_private *cm_id_priv)
+ if (!cm_id_priv->av.port)
+ return cpu_to_be64(low_tid);
+
+- spin_lock(&cm_id_priv->av.port->cm_dev->mad_agent_lock);
++ read_lock(&cm_id_priv->av.port->cm_dev->mad_agent_lock);
+ if (cm_id_priv->av.port->mad_agent)
+ hi_tid = ((u64)cm_id_priv->av.port->mad_agent->hi_tid) << 32;
+- spin_unlock(&cm_id_priv->av.port->cm_dev->mad_agent_lock);
++ read_unlock(&cm_id_priv->av.port->cm_dev->mad_agent_lock);
+ return cpu_to_be64(hi_tid | low_tid);
+ }
+
+@@ -4374,7 +4374,7 @@ static int cm_add_one(struct ib_device *ib_device)
+ return -ENOMEM;
+
+ kref_init(&cm_dev->kref);
+- spin_lock_init(&cm_dev->mad_agent_lock);
++ rwlock_init(&cm_dev->mad_agent_lock);
+ cm_dev->ib_device = ib_device;
+ cm_dev->ack_delay = ib_device->attrs.local_ca_ack_delay;
+ cm_dev->going_down = 0;
+@@ -4490,9 +4490,9 @@ static void cm_remove_one(struct ib_device *ib_device, void *client_data)
+ * The above ensures no call paths from the work are running,
+ * the remaining paths all take the mad_agent_lock.
+ */
+- spin_lock(&cm_dev->mad_agent_lock);
++ write_lock(&cm_dev->mad_agent_lock);
+ port->mad_agent = NULL;
+- spin_unlock(&cm_dev->mad_agent_lock);
++ write_unlock(&cm_dev->mad_agent_lock);
+ ib_unregister_mad_agent(mad_agent);
+ ib_port_unregister_client_groups(ib_device, i,
+ cm_counter_groups);
+--
+2.39.5
+
--- /dev/null
+From 3b407d0aef852f1507ae61d83407010c30c8d1ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 May 2025 12:55:28 +0200
+Subject: ice: create new Tx scheduler nodes for new queues only
+
+From: Michal Kubiak <michal.kubiak@intel.com>
+
+[ Upstream commit 6fa2942578472c9cab13a8fc1dae0d830193e0a1 ]
+
+The current implementation of the Tx scheduler tree attempts
+to create nodes for all Tx queues, ignoring the fact that some
+queues may already exist in the tree. For example, if the VSI
+already has 128 Tx queues and the user requests for 16 new queues,
+the Tx scheduler will compute the tree for 272 queues (128 existing
+queues + 144 new queues), instead of 144 queues (128 existing queues
+and 16 new queues).
+Fix that by modifying the node count calculation algorithm to skip
+the queues that already exist in the tree.
+
+Fixes: 5513b920a4f7 ("ice: Update Tx scheduler tree for VSI multi-Tx queue support")
+Reviewed-by: Dawid Osuchowski <dawid.osuchowski@linux.intel.com>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: Michal Kubiak <michal.kubiak@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Jesse Brandeburg <jbrandeburg@cloudflare.com>
+Tested-by: Saritha Sanigani <sarithax.sanigani@intel.com> (A Contingent Worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_sched.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_sched.c b/drivers/net/ethernet/intel/ice/ice_sched.c
+index 908bcd0738033..e40a5f9a893d5 100644
+--- a/drivers/net/ethernet/intel/ice/ice_sched.c
++++ b/drivers/net/ethernet/intel/ice/ice_sched.c
+@@ -1614,16 +1614,16 @@ ice_sched_get_agg_node(struct ice_port_info *pi, struct ice_sched_node *tc_node,
+ /**
+ * ice_sched_calc_vsi_child_nodes - calculate number of VSI child nodes
+ * @hw: pointer to the HW struct
+- * @num_qs: number of queues
++ * @num_new_qs: number of new queues that will be added to the tree
+ * @num_nodes: num nodes array
+ *
+ * This function calculates the number of VSI child nodes based on the
+ * number of queues.
+ */
+ static void
+-ice_sched_calc_vsi_child_nodes(struct ice_hw *hw, u16 num_qs, u16 *num_nodes)
++ice_sched_calc_vsi_child_nodes(struct ice_hw *hw, u16 num_new_qs, u16 *num_nodes)
+ {
+- u16 num = num_qs;
++ u16 num = num_new_qs;
+ u8 i, qgl, vsil;
+
+ qgl = ice_sched_get_qgrp_layer(hw);
+@@ -1873,8 +1873,9 @@ ice_sched_update_vsi_child_nodes(struct ice_port_info *pi, u16 vsi_handle,
+ return status;
+ }
+
+- if (new_numqs)
+- ice_sched_calc_vsi_child_nodes(hw, new_numqs, new_num_nodes);
++ ice_sched_calc_vsi_child_nodes(hw, new_numqs - prev_numqs,
++ new_num_nodes);
++
+ /* Keep the max number of queue configuration all the time. Update the
+ * tree only if number of queues > previous number of queues. This may
+ * leave some extra nodes in the tree if number of queues < previous
+--
+2.39.5
+
--- /dev/null
+From 84f1e7e2a4f97605132692b038fe66cb8c270a70 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 May 2025 12:55:29 +0200
+Subject: ice: fix rebuilding the Tx scheduler tree for large queue counts
+
+From: Michal Kubiak <michal.kubiak@intel.com>
+
+[ Upstream commit 73145e6d81070d34a21431c9e0d7aaf2f29ca048 ]
+
+The current implementation of the Tx scheduler allows the tree to be
+rebuilt as the user adds more Tx queues to the VSI. In such a case,
+additional child nodes are added to the tree to support the new number
+of queues.
+Unfortunately, this algorithm does not take into account that the limit
+of the VSI support node may be exceeded, so an additional node in the
+VSI layer may be required to handle all the requested queues.
+
+Such a scenario occurs when adding XDP Tx queues on machines with many
+CPUs. Although the driver still respects the queue limit returned by
+the FW, the Tx scheduler was unable to add those queues to its tree
+and returned one of the errors below.
+
+Such a scenario occurs when adding XDP Tx queues on machines with many
+CPUs (e.g. at least 321 CPUs, if there is already 128 Tx/Rx queue pairs).
+Although the driver still respects the queue limit returned by the FW,
+the Tx scheduler was unable to add those queues to its tree and returned
+the following errors:
+
+ Failed VSI LAN queue config for XDP, error: -5
+or:
+ Failed to set LAN Tx queue context, error: -22
+
+Fix this problem by extending the tree rebuild algorithm to check if the
+current VSI node can support the requested number of queues. If it
+cannot, create as many additional VSI support nodes as necessary to
+handle all the required Tx queues. Symmetrically, adjust the VSI node
+removal algorithm to remove all nodes associated with the given VSI.
+Also, make the search for the next free VSI node more restrictive. That is,
+add queue group nodes only to the VSI support nodes that have a matching
+VSI handle.
+Finally, fix the comment describing the tree update algorithm to better
+reflect the current scenario.
+
+Fixes: b0153fdd7e8a ("ice: update VSI config dynamically")
+Reviewed-by: Dawid Osuchowski <dawid.osuchowski@linux.intel.com>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Signed-off-by: Michal Kubiak <michal.kubiak@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Jesse Brandeburg <jbrandeburg@cloudflare.com>
+Tested-by: Saritha Sanigani <sarithax.sanigani@intel.com> (A Contingent Worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_sched.c | 170 +++++++++++++++++----
+ 1 file changed, 142 insertions(+), 28 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_sched.c b/drivers/net/ethernet/intel/ice/ice_sched.c
+index e40a5f9a893d5..c2de166f05515 100644
+--- a/drivers/net/ethernet/intel/ice/ice_sched.c
++++ b/drivers/net/ethernet/intel/ice/ice_sched.c
+@@ -84,6 +84,27 @@ ice_sched_find_node_by_teid(struct ice_sched_node *start_node, u32 teid)
+ return NULL;
+ }
+
++/**
++ * ice_sched_find_next_vsi_node - find the next node for a given VSI
++ * @vsi_node: VSI support node to start search with
++ *
++ * Return: Next VSI support node, or NULL.
++ *
++ * The function returns a pointer to the next node from the VSI layer
++ * assigned to the given VSI, or NULL if there is no such a node.
++ */
++static struct ice_sched_node *
++ice_sched_find_next_vsi_node(struct ice_sched_node *vsi_node)
++{
++ unsigned int vsi_handle = vsi_node->vsi_handle;
++
++ while ((vsi_node = vsi_node->sibling) != NULL)
++ if (vsi_node->vsi_handle == vsi_handle)
++ break;
++
++ return vsi_node;
++}
++
+ /**
+ * ice_aqc_send_sched_elem_cmd - send scheduling elements cmd
+ * @hw: pointer to the HW struct
+@@ -1096,8 +1117,10 @@ ice_sched_add_nodes_to_layer(struct ice_port_info *pi,
+ if (parent->num_children < max_child_nodes) {
+ new_num_nodes = max_child_nodes - parent->num_children;
+ } else {
+- /* This parent is full, try the next sibling */
+- parent = parent->sibling;
++ /* This parent is full,
++ * try the next available sibling.
++ */
++ parent = ice_sched_find_next_vsi_node(parent);
+ /* Don't modify the first node TEID memory if the
+ * first node was added already in the above call.
+ * Instead send some temp memory for all other
+@@ -1538,12 +1561,23 @@ ice_sched_get_free_qparent(struct ice_port_info *pi, u16 vsi_handle, u8 tc,
+ /* get the first queue group node from VSI sub-tree */
+ qgrp_node = ice_sched_get_first_node(pi, vsi_node, qgrp_layer);
+ while (qgrp_node) {
++ struct ice_sched_node *next_vsi_node;
++
+ /* make sure the qgroup node is part of the VSI subtree */
+ if (ice_sched_find_node_in_subtree(pi->hw, vsi_node, qgrp_node))
+ if (qgrp_node->num_children < max_children &&
+ qgrp_node->owner == owner)
+ break;
+ qgrp_node = qgrp_node->sibling;
++ if (qgrp_node)
++ continue;
++
++ next_vsi_node = ice_sched_find_next_vsi_node(vsi_node);
++ if (!next_vsi_node)
++ break;
++
++ vsi_node = next_vsi_node;
++ qgrp_node = ice_sched_get_first_node(pi, vsi_node, qgrp_layer);
+ }
+
+ /* Select the best queue group */
+@@ -1789,7 +1823,11 @@ ice_sched_add_vsi_support_nodes(struct ice_port_info *pi, u16 vsi_handle,
+ if (!parent)
+ return -EIO;
+
+- if (i == vsil)
++ /* Do not modify the VSI handle for already existing VSI nodes,
++ * (if no new VSI node was added to the tree).
++ * Assign the VSI handle only to newly added VSI nodes.
++ */
++ if (i == vsil && num_added)
+ parent->vsi_handle = vsi_handle;
+ }
+
+@@ -1822,6 +1860,41 @@ ice_sched_add_vsi_to_topo(struct ice_port_info *pi, u16 vsi_handle, u8 tc)
+ num_nodes);
+ }
+
++/**
++ * ice_sched_recalc_vsi_support_nodes - recalculate VSI support nodes count
++ * @hw: pointer to the HW struct
++ * @vsi_node: pointer to the leftmost VSI node that needs to be extended
++ * @new_numqs: new number of queues that has to be handled by the VSI
++ * @new_num_nodes: pointer to nodes count table to modify the VSI layer entry
++ *
++ * This function recalculates the number of supported nodes that need to
++ * be added after adding more Tx queues for a given VSI.
++ * The number of new VSI support nodes that shall be added will be saved
++ * to the @new_num_nodes table for the VSI layer.
++ */
++static void
++ice_sched_recalc_vsi_support_nodes(struct ice_hw *hw,
++ struct ice_sched_node *vsi_node,
++ unsigned int new_numqs, u16 *new_num_nodes)
++{
++ u32 vsi_nodes_cnt = 1;
++ u32 max_queue_cnt = 1;
++ u32 qgl, vsil;
++
++ qgl = ice_sched_get_qgrp_layer(hw);
++ vsil = ice_sched_get_vsi_layer(hw);
++
++ for (u32 i = vsil; i <= qgl; i++)
++ max_queue_cnt *= hw->max_children[i];
++
++ while ((vsi_node = ice_sched_find_next_vsi_node(vsi_node)) != NULL)
++ vsi_nodes_cnt++;
++
++ if (new_numqs > (max_queue_cnt * vsi_nodes_cnt))
++ new_num_nodes[vsil] = DIV_ROUND_UP(new_numqs, max_queue_cnt) -
++ vsi_nodes_cnt;
++}
++
+ /**
+ * ice_sched_update_vsi_child_nodes - update VSI child nodes
+ * @pi: port information structure
+@@ -1873,16 +1946,25 @@ ice_sched_update_vsi_child_nodes(struct ice_port_info *pi, u16 vsi_handle,
+ return status;
+ }
+
++ ice_sched_recalc_vsi_support_nodes(hw, vsi_node,
++ new_numqs, new_num_nodes);
+ ice_sched_calc_vsi_child_nodes(hw, new_numqs - prev_numqs,
+ new_num_nodes);
+
+- /* Keep the max number of queue configuration all the time. Update the
+- * tree only if number of queues > previous number of queues. This may
++ /* Never decrease the number of queues in the tree. Update the tree
++ * only if number of queues > previous number of queues. This may
+ * leave some extra nodes in the tree if number of queues < previous
+ * number but that wouldn't harm anything. Removing those extra nodes
+ * may complicate the code if those nodes are part of SRL or
+ * individually rate limited.
++ * Also, add the required VSI support nodes if the existing ones cannot
++ * handle the requested new number of queues.
+ */
++ status = ice_sched_add_vsi_support_nodes(pi, vsi_handle, tc_node,
++ new_num_nodes);
++ if (status)
++ return status;
++
+ status = ice_sched_add_vsi_child_nodes(pi, vsi_handle, tc_node,
+ new_num_nodes, owner);
+ if (status)
+@@ -2023,6 +2105,58 @@ static bool ice_sched_is_leaf_node_present(struct ice_sched_node *node)
+ return (node->info.data.elem_type == ICE_AQC_ELEM_TYPE_LEAF);
+ }
+
++/**
++ * ice_sched_rm_vsi_subtree - remove all nodes assigned to a given VSI
++ * @pi: port information structure
++ * @vsi_node: pointer to the leftmost node of the VSI to be removed
++ * @owner: LAN or RDMA
++ * @tc: TC number
++ *
++ * Return: Zero in case of success, or -EBUSY if the VSI has leaf nodes in TC.
++ *
++ * This function removes all the VSI support nodes associated with a given VSI
++ * and its LAN or RDMA children nodes from the scheduler tree.
++ */
++static int
++ice_sched_rm_vsi_subtree(struct ice_port_info *pi,
++ struct ice_sched_node *vsi_node, u8 owner, u8 tc)
++{
++ u16 vsi_handle = vsi_node->vsi_handle;
++ bool all_vsi_nodes_removed = true;
++ int j = 0;
++
++ while (vsi_node) {
++ struct ice_sched_node *next_vsi_node;
++
++ if (ice_sched_is_leaf_node_present(vsi_node)) {
++ ice_debug(pi->hw, ICE_DBG_SCHED, "VSI has leaf nodes in TC %d\n", tc);
++ return -EBUSY;
++ }
++ while (j < vsi_node->num_children) {
++ if (vsi_node->children[j]->owner == owner)
++ ice_free_sched_node(pi, vsi_node->children[j]);
++ else
++ j++;
++ }
++
++ next_vsi_node = ice_sched_find_next_vsi_node(vsi_node);
++
++ /* remove the VSI if it has no children */
++ if (!vsi_node->num_children)
++ ice_free_sched_node(pi, vsi_node);
++ else
++ all_vsi_nodes_removed = false;
++
++ vsi_node = next_vsi_node;
++ }
++
++ /* clean up aggregator related VSI info if any */
++ if (all_vsi_nodes_removed)
++ ice_sched_rm_agg_vsi_info(pi, vsi_handle);
++
++ return 0;
++}
++
+ /**
+ * ice_sched_rm_vsi_cfg - remove the VSI and its children nodes
+ * @pi: port information structure
+@@ -2049,7 +2183,6 @@ ice_sched_rm_vsi_cfg(struct ice_port_info *pi, u16 vsi_handle, u8 owner)
+
+ ice_for_each_traffic_class(i) {
+ struct ice_sched_node *vsi_node, *tc_node;
+- u8 j = 0;
+
+ tc_node = ice_sched_get_tc_node(pi, i);
+ if (!tc_node)
+@@ -2059,31 +2192,12 @@ ice_sched_rm_vsi_cfg(struct ice_port_info *pi, u16 vsi_handle, u8 owner)
+ if (!vsi_node)
+ continue;
+
+- if (ice_sched_is_leaf_node_present(vsi_node)) {
+- ice_debug(pi->hw, ICE_DBG_SCHED, "VSI has leaf nodes in TC %d\n", i);
+- status = -EBUSY;
++ status = ice_sched_rm_vsi_subtree(pi, vsi_node, owner, i);
++ if (status)
+ goto exit_sched_rm_vsi_cfg;
+- }
+- while (j < vsi_node->num_children) {
+- if (vsi_node->children[j]->owner == owner) {
+- ice_free_sched_node(pi, vsi_node->children[j]);
+
+- /* reset the counter again since the num
+- * children will be updated after node removal
+- */
+- j = 0;
+- } else {
+- j++;
+- }
+- }
+- /* remove the VSI if it has no children */
+- if (!vsi_node->num_children) {
+- ice_free_sched_node(pi, vsi_node);
+- vsi_ctx->sched.vsi_node[i] = NULL;
++ vsi_ctx->sched.vsi_node[i] = NULL;
+
+- /* clean up aggregator related VSI info if any */
+- ice_sched_rm_agg_vsi_info(pi, vsi_handle);
+- }
+ if (owner == ICE_SCHED_NODE_OWNER_LAN)
+ vsi_ctx->sched.max_lanq[i] = 0;
+ else
+--
+2.39.5
+
--- /dev/null
+From 9cdd7d188e06882e5b882103ad54c4cb4c1a9cca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 May 2025 12:55:27 +0200
+Subject: ice: fix Tx scheduler error handling in XDP callback
+
+From: Michal Kubiak <michal.kubiak@intel.com>
+
+[ Upstream commit 0153f36041b8e52019ebfa8629c13bf8f9b0a951 ]
+
+When the XDP program is loaded, the XDP callback adds new Tx queues.
+This means that the callback must update the Tx scheduler with the new
+queue number. In the event of a Tx scheduler failure, the XDP callback
+should also fail and roll back any changes previously made for XDP
+preparation.
+
+The previous implementation had a bug that not all changes made by the
+XDP callback were rolled back. This caused the crash with the following
+call trace:
+
+[ +9.549584] ice 0000:ca:00.0: Failed VSI LAN queue config for XDP, error: -5
+[ +0.382335] Oops: general protection fault, probably for non-canonical address 0x50a2250a90495525: 0000 [#1] SMP NOPTI
+[ +0.010710] CPU: 103 UID: 0 PID: 0 Comm: swapper/103 Not tainted 6.14.0-net-next-mar-31+ #14 PREEMPT(voluntary)
+[ +0.010175] Hardware name: Intel Corporation M50CYP2SBSTD/M50CYP2SBSTD, BIOS SE5C620.86B.01.01.0005.2202160810 02/16/2022
+[ +0.010946] RIP: 0010:__ice_update_sample+0x39/0xe0 [ice]
+
+[...]
+
+[ +0.002715] Call Trace:
+[ +0.002452] <IRQ>
+[ +0.002021] ? __die_body.cold+0x19/0x29
+[ +0.003922] ? die_addr+0x3c/0x60
+[ +0.003319] ? exc_general_protection+0x17c/0x400
+[ +0.004707] ? asm_exc_general_protection+0x26/0x30
+[ +0.004879] ? __ice_update_sample+0x39/0xe0 [ice]
+[ +0.004835] ice_napi_poll+0x665/0x680 [ice]
+[ +0.004320] __napi_poll+0x28/0x190
+[ +0.003500] net_rx_action+0x198/0x360
+[ +0.003752] ? update_rq_clock+0x39/0x220
+[ +0.004013] handle_softirqs+0xf1/0x340
+[ +0.003840] ? sched_clock_cpu+0xf/0x1f0
+[ +0.003925] __irq_exit_rcu+0xc2/0xe0
+[ +0.003665] common_interrupt+0x85/0xa0
+[ +0.003839] </IRQ>
+[ +0.002098] <TASK>
+[ +0.002106] asm_common_interrupt+0x26/0x40
+[ +0.004184] RIP: 0010:cpuidle_enter_state+0xd3/0x690
+
+Fix this by performing the missing unmapping of XDP queues from
+q_vectors and setting the XDP rings pointer back to NULL after all those
+queues are released.
+Also, add an immediate exit from the XDP callback in case of ring
+preparation failure.
+
+Fixes: efc2214b6047 ("ice: Add support for XDP")
+Reviewed-by: Dawid Osuchowski <dawid.osuchowski@linux.intel.com>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: Michal Kubiak <michal.kubiak@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Jesse Brandeburg <jbrandeburg@cloudflare.com>
+Tested-by: Saritha Sanigani <sarithax.sanigani@intel.com> (A Contingent Worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_main.c | 47 ++++++++++++++++-------
+ 1 file changed, 33 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c
+index 0ae7bdfff83fb..e1a68fb5e9fff 100644
+--- a/drivers/net/ethernet/intel/ice/ice_main.c
++++ b/drivers/net/ethernet/intel/ice/ice_main.c
+@@ -2650,6 +2650,27 @@ static void ice_vsi_assign_bpf_prog(struct ice_vsi *vsi, struct bpf_prog *prog)
+ bpf_prog_put(old_prog);
+ }
+
++/**
++ * ice_unmap_xdp_rings - Unmap XDP rings from interrupt vectors
++ * @vsi: the VSI with XDP rings being unmapped
++ */
++static void ice_unmap_xdp_rings(struct ice_vsi *vsi)
++{
++ int v_idx;
++
++ ice_for_each_q_vector(vsi, v_idx) {
++ struct ice_q_vector *q_vector = vsi->q_vectors[v_idx];
++ struct ice_tx_ring *ring;
++
++ ice_for_each_tx_ring(ring, q_vector->tx)
++ if (!ring->tx_buf || !ice_ring_is_xdp(ring))
++ break;
++
++ /* restore the value of last node prior to XDP setup */
++ q_vector->tx.tx_ring = ring;
++ }
++}
++
+ /**
+ * ice_prepare_xdp_rings - Allocate, configure and setup Tx rings for XDP
+ * @vsi: VSI to bring up Tx rings used by XDP
+@@ -2749,7 +2770,7 @@ int ice_prepare_xdp_rings(struct ice_vsi *vsi, struct bpf_prog *prog,
+ if (status) {
+ dev_err(dev, "Failed VSI LAN queue config for XDP, error: %d\n",
+ status);
+- goto clear_xdp_rings;
++ goto unmap_xdp_rings;
+ }
+
+ /* assign the prog only when it's not already present on VSI;
+@@ -2765,6 +2786,8 @@ int ice_prepare_xdp_rings(struct ice_vsi *vsi, struct bpf_prog *prog,
+ ice_vsi_assign_bpf_prog(vsi, prog);
+
+ return 0;
++unmap_xdp_rings:
++ ice_unmap_xdp_rings(vsi);
+ clear_xdp_rings:
+ ice_for_each_xdp_txq(vsi, i)
+ if (vsi->xdp_rings[i]) {
+@@ -2781,6 +2804,8 @@ int ice_prepare_xdp_rings(struct ice_vsi *vsi, struct bpf_prog *prog,
+ mutex_unlock(&pf->avail_q_mutex);
+
+ devm_kfree(dev, vsi->xdp_rings);
++ vsi->xdp_rings = NULL;
++
+ return -ENOMEM;
+ }
+
+@@ -2796,7 +2821,7 @@ int ice_destroy_xdp_rings(struct ice_vsi *vsi, enum ice_xdp_cfg cfg_type)
+ {
+ u16 max_txqs[ICE_MAX_TRAFFIC_CLASS] = { 0 };
+ struct ice_pf *pf = vsi->back;
+- int i, v_idx;
++ int i;
+
+ /* q_vectors are freed in reset path so there's no point in detaching
+ * rings
+@@ -2804,17 +2829,7 @@ int ice_destroy_xdp_rings(struct ice_vsi *vsi, enum ice_xdp_cfg cfg_type)
+ if (cfg_type == ICE_XDP_CFG_PART)
+ goto free_qmap;
+
+- ice_for_each_q_vector(vsi, v_idx) {
+- struct ice_q_vector *q_vector = vsi->q_vectors[v_idx];
+- struct ice_tx_ring *ring;
+-
+- ice_for_each_tx_ring(ring, q_vector->tx)
+- if (!ring->tx_buf || !ice_ring_is_xdp(ring))
+- break;
+-
+- /* restore the value of last node prior to XDP setup */
+- q_vector->tx.tx_ring = ring;
+- }
++ ice_unmap_xdp_rings(vsi);
+
+ free_qmap:
+ mutex_lock(&pf->avail_q_mutex);
+@@ -2956,11 +2971,14 @@ ice_xdp_setup_prog(struct ice_vsi *vsi, struct bpf_prog *prog,
+ xdp_ring_err = ice_vsi_determine_xdp_res(vsi);
+ if (xdp_ring_err) {
+ NL_SET_ERR_MSG_MOD(extack, "Not enough Tx resources for XDP");
++ goto resume_if;
+ } else {
+ xdp_ring_err = ice_prepare_xdp_rings(vsi, prog,
+ ICE_XDP_CFG_FULL);
+- if (xdp_ring_err)
++ if (xdp_ring_err) {
+ NL_SET_ERR_MSG_MOD(extack, "Setting up XDP Tx resources failed");
++ goto resume_if;
++ }
+ }
+ xdp_features_set_redirect_target(vsi->netdev, true);
+ /* reallocate Rx queues that are used for zero-copy */
+@@ -2978,6 +2996,7 @@ ice_xdp_setup_prog(struct ice_vsi *vsi, struct bpf_prog *prog,
+ NL_SET_ERR_MSG_MOD(extack, "Freeing XDP Rx resources failed");
+ }
+
++resume_if:
+ if (if_running)
+ ret = ice_up(vsi);
+
+--
+2.39.5
+
--- /dev/null
+From 36b2fdb32342f6790ecdb26b2bc91b93f825f11d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Mar 2025 12:52:47 +0100
+Subject: iio: adc: ad7124: Fix 3dB filter frequency reading
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
+
+[ Upstream commit 8712e4986e7ce42a14c762c4c350f290989986a5 ]
+
+The sinc4 filter has a factor 0.23 between Output Data Rate and f_{3dB}
+and for sinc3 the factor is 0.272 according to the data sheets for
+ad7124-4 (Rev. E.) and ad7124-8 (Rev. F).
+
+Fixes: cef2760954cf ("iio: adc: ad7124: add 3db filter")
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
+Reviewed-by: Marcelo Schmitt <marcelo.schmitt@analog.com>
+Link: https://patch.msgid.link/20250317115247.3735016-6-u.kleine-koenig@baylibre.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/ad7124.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/iio/adc/ad7124.c b/drivers/iio/adc/ad7124.c
+index 0e6baf017bfd1..f631351eef97b 100644
+--- a/drivers/iio/adc/ad7124.c
++++ b/drivers/iio/adc/ad7124.c
+@@ -300,9 +300,9 @@ static int ad7124_get_3db_filter_freq(struct ad7124_state *st,
+
+ switch (st->channels[channel].cfg.filter_type) {
+ case AD7124_SINC3_FILTER:
+- return DIV_ROUND_CLOSEST(fadc * 230, 1000);
++ return DIV_ROUND_CLOSEST(fadc * 272, 1000);
+ case AD7124_SINC4_FILTER:
+- return DIV_ROUND_CLOSEST(fadc * 262, 1000);
++ return DIV_ROUND_CLOSEST(fadc * 230, 1000);
+ default:
+ return -EINVAL;
+ }
+--
+2.39.5
+
--- /dev/null
+From 31c33e21671f81ae147e8d22affa74276826e61e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Mar 2025 13:48:27 -0400
+Subject: iio: filter: admv8818: fix band 4, state 15
+
+From: Sam Winchenbach <swinchenbach@arka.org>
+
+[ Upstream commit ef0ce24f590ac075d5eda11f2d6434b303333ed6 ]
+
+Corrects the upper range of LPF Band 4 from 18.5 GHz to 18.85 GHz per
+the ADMV8818 datasheet
+
+Fixes: f34fe888ad05 ("iio:filter:admv8818: add support for ADMV8818")
+Signed-off-by: Sam Winchenbach <swinchenbach@arka.org>
+Link: https://patch.msgid.link/20250328174831.227202-3-sam.winchenbach@framepointer.org
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/filter/admv8818.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iio/filter/admv8818.c b/drivers/iio/filter/admv8818.c
+index d85b7d3de8660..3d8740caa1455 100644
+--- a/drivers/iio/filter/admv8818.c
++++ b/drivers/iio/filter/admv8818.c
+@@ -103,7 +103,7 @@ static const unsigned long long freq_range_lpf[4][2] = {
+ {2050000000ULL, 3850000000ULL},
+ {3350000000ULL, 7250000000ULL},
+ {7000000000, 13000000000},
+- {12550000000, 18500000000}
++ {12550000000, 18850000000}
+ };
+
+ static const struct regmap_config admv8818_regmap_config = {
+--
+2.39.5
+
--- /dev/null
+From fad2b70093eb5914bb5da7a4f4fea39bccc46e0c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Mar 2025 13:48:28 -0400
+Subject: iio: filter: admv8818: fix integer overflow
+
+From: Sam Winchenbach <swinchenbach@arka.org>
+
+[ Upstream commit fb6009a28d77edec4eb548b5875dae8c79b88467 ]
+
+HZ_PER_MHZ is only unsigned long. This math overflows, leading to
+incorrect results.
+
+Fixes: f34fe888ad05 ("iio:filter:admv8818: add support for ADMV8818")
+Signed-off-by: Sam Winchenbach <swinchenbach@arka.org>
+Link: https://patch.msgid.link/20250328174831.227202-4-sam.winchenbach@framepointer.org
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/filter/admv8818.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iio/filter/admv8818.c b/drivers/iio/filter/admv8818.c
+index 3d8740caa1455..cd3aff9a2f7bf 100644
+--- a/drivers/iio/filter/admv8818.c
++++ b/drivers/iio/filter/admv8818.c
+@@ -154,7 +154,7 @@ static int __admv8818_hpf_select(struct admv8818_state *st, u64 freq)
+ }
+
+ /* Close HPF frequency gap between 12 and 12.5 GHz */
+- if (freq >= 12000 * HZ_PER_MHZ && freq <= 12500 * HZ_PER_MHZ) {
++ if (freq >= 12000ULL * HZ_PER_MHZ && freq < 12500ULL * HZ_PER_MHZ) {
+ hpf_band = 3;
+ hpf_step = 15;
+ }
+--
+2.39.5
+
--- /dev/null
+From 123d3d870932118e51162e1f80a1265918809f42 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Mar 2025 13:48:29 -0400
+Subject: iio: filter: admv8818: fix range calculation
+
+From: Sam Winchenbach <swinchenbach@arka.org>
+
+[ Upstream commit d542db7095d322bfcdc8e306db6f8c48358c9619 ]
+
+Search for the minimum error while ensuring that the LPF corner
+frequency is greater than the target, and the HPF corner frequency
+is lower than the target
+
+This fixes issues where the range calculations were suboptimal.
+
+Add two new DTS properties to set the margin between the input frequency
+and the calculated corner frequency
+
+Below is a generated table of the differences between the old algorithm
+and the new. This is a sweep from 0 to 20 GHz in 10 MHz steps.
+=== HPF ===
+freq = 1750 MHz, 3db: bypass => 1750 MHz
+freq = 3400 MHz, 3db: 3310 => 3400 MHz
+freq = 3410 MHz, 3db: 3310 => 3400 MHz
+freq = 3420 MHz, 3db: 3310 => 3400 MHz
+freq = 3660 MHz, 3db: 3550 => 3656 MHz
+freq = 6600 MHz, 3db: 6479 => 6600 MHz
+freq = 6610 MHz, 3db: 6479 => 6600 MHz
+freq = 6620 MHz, 3db: 6479 => 6600 MHz
+freq = 6630 MHz, 3db: 6479 => 6600 MHz
+freq = 6640 MHz, 3db: 6479 => 6600 MHz
+freq = 6650 MHz, 3db: 6479 => 6600 MHz
+freq = 6660 MHz, 3db: 6479 => 6600 MHz
+freq = 6670 MHz, 3db: 6479 => 6600 MHz
+freq = 6680 MHz, 3db: 6479 => 6600 MHz
+freq = 6690 MHz, 3db: 6479 => 6600 MHz
+freq = 6700 MHz, 3db: 6479 => 6600 MHz
+freq = 6710 MHz, 3db: 6479 => 6600 MHz
+freq = 6720 MHz, 3db: 6479 => 6600 MHz
+freq = 6730 MHz, 3db: 6479 => 6600 MHz
+freq = 6960 MHz, 3db: 6736 => 6960 MHz
+freq = 6970 MHz, 3db: 6736 => 6960 MHz
+freq = 6980 MHz, 3db: 6736 => 6960 MHz
+freq = 6990 MHz, 3db: 6736 => 6960 MHz
+freq = 7320 MHz, 3db: 7249 => 7320 MHz
+freq = 7330 MHz, 3db: 7249 => 7320 MHz
+freq = 7340 MHz, 3db: 7249 => 7320 MHz
+freq = 7350 MHz, 3db: 7249 => 7320 MHz
+freq = 7360 MHz, 3db: 7249 => 7320 MHz
+freq = 7370 MHz, 3db: 7249 => 7320 MHz
+freq = 7380 MHz, 3db: 7249 => 7320 MHz
+freq = 7390 MHz, 3db: 7249 => 7320 MHz
+freq = 7400 MHz, 3db: 7249 => 7320 MHz
+freq = 7410 MHz, 3db: 7249 => 7320 MHz
+freq = 7420 MHz, 3db: 7249 => 7320 MHz
+freq = 7430 MHz, 3db: 7249 => 7320 MHz
+freq = 7440 MHz, 3db: 7249 => 7320 MHz
+freq = 7450 MHz, 3db: 7249 => 7320 MHz
+freq = 7460 MHz, 3db: 7249 => 7320 MHz
+freq = 7470 MHz, 3db: 7249 => 7320 MHz
+freq = 7480 MHz, 3db: 7249 => 7320 MHz
+freq = 7490 MHz, 3db: 7249 => 7320 MHz
+freq = 7500 MHz, 3db: 7249 => 7320 MHz
+freq = 12500 MHz, 3db: 12000 => 12500 MHz
+
+=== LPF ===
+freq = 2050 MHz, 3db: bypass => 2050 MHz
+freq = 2170 MHz, 3db: 2290 => 2170 MHz
+freq = 2290 MHz, 3db: 2410 => 2290 MHz
+freq = 2410 MHz, 3db: 2530 => 2410 MHz
+freq = 2530 MHz, 3db: 2650 => 2530 MHz
+freq = 2650 MHz, 3db: 2770 => 2650 MHz
+freq = 2770 MHz, 3db: 2890 => 2770 MHz
+freq = 2890 MHz, 3db: 3010 => 2890 MHz
+freq = 3010 MHz, 3db: 3130 => 3010 MHz
+freq = 3130 MHz, 3db: 3250 => 3130 MHz
+freq = 3250 MHz, 3db: 3370 => 3250 MHz
+freq = 3260 MHz, 3db: 3370 => 3350 MHz
+freq = 3270 MHz, 3db: 3370 => 3350 MHz
+freq = 3280 MHz, 3db: 3370 => 3350 MHz
+freq = 3290 MHz, 3db: 3370 => 3350 MHz
+freq = 3300 MHz, 3db: 3370 => 3350 MHz
+freq = 3310 MHz, 3db: 3370 => 3350 MHz
+freq = 3320 MHz, 3db: 3370 => 3350 MHz
+freq = 3330 MHz, 3db: 3370 => 3350 MHz
+freq = 3340 MHz, 3db: 3370 => 3350 MHz
+freq = 3350 MHz, 3db: 3370 => 3350 MHz
+freq = 3370 MHz, 3db: 3490 => 3370 MHz
+freq = 3490 MHz, 3db: 3610 => 3490 MHz
+freq = 3610 MHz, 3db: 3730 => 3610 MHz
+freq = 3730 MHz, 3db: 3850 => 3730 MHz
+freq = 3850 MHz, 3db: 3870 => 3850 MHz
+freq = 3870 MHz, 3db: 4130 => 3870 MHz
+freq = 4130 MHz, 3db: 4390 => 4130 MHz
+freq = 4390 MHz, 3db: 4650 => 4390 MHz
+freq = 4650 MHz, 3db: 4910 => 4650 MHz
+freq = 4910 MHz, 3db: 5170 => 4910 MHz
+freq = 5170 MHz, 3db: 5430 => 5170 MHz
+freq = 5430 MHz, 3db: 5690 => 5430 MHz
+freq = 5690 MHz, 3db: 5950 => 5690 MHz
+freq = 5950 MHz, 3db: 6210 => 5950 MHz
+freq = 6210 MHz, 3db: 6470 => 6210 MHz
+freq = 6470 MHz, 3db: 6730 => 6470 MHz
+freq = 6730 MHz, 3db: 6990 => 6730 MHz
+freq = 6990 MHz, 3db: 7250 => 6990 MHz
+freq = 7000 MHz, 3db: 7250 => 7000 MHz
+freq = 7250 MHz, 3db: 7400 => 7250 MHz
+freq = 7400 MHz, 3db: 7800 => 7400 MHz
+freq = 7800 MHz, 3db: 8200 => 7800 MHz
+freq = 8200 MHz, 3db: 8600 => 8200 MHz
+freq = 8600 MHz, 3db: 9000 => 8600 MHz
+freq = 9000 MHz, 3db: 9400 => 9000 MHz
+freq = 9400 MHz, 3db: 9800 => 9400 MHz
+freq = 9800 MHz, 3db: 10200 => 9800 MHz
+freq = 10200 MHz, 3db: 10600 => 10200 MHz
+freq = 10600 MHz, 3db: 11000 => 10600 MHz
+freq = 11000 MHz, 3db: 11400 => 11000 MHz
+freq = 11400 MHz, 3db: 11800 => 11400 MHz
+freq = 11800 MHz, 3db: 12200 => 11800 MHz
+freq = 12200 MHz, 3db: 12600 => 12200 MHz
+freq = 12210 MHz, 3db: 12600 => 12550 MHz
+freq = 12220 MHz, 3db: 12600 => 12550 MHz
+freq = 12230 MHz, 3db: 12600 => 12550 MHz
+freq = 12240 MHz, 3db: 12600 => 12550 MHz
+freq = 12250 MHz, 3db: 12600 => 12550 MHz
+freq = 12260 MHz, 3db: 12600 => 12550 MHz
+freq = 12270 MHz, 3db: 12600 => 12550 MHz
+freq = 12280 MHz, 3db: 12600 => 12550 MHz
+freq = 12290 MHz, 3db: 12600 => 12550 MHz
+freq = 12300 MHz, 3db: 12600 => 12550 MHz
+freq = 12310 MHz, 3db: 12600 => 12550 MHz
+freq = 12320 MHz, 3db: 12600 => 12550 MHz
+freq = 12330 MHz, 3db: 12600 => 12550 MHz
+freq = 12340 MHz, 3db: 12600 => 12550 MHz
+freq = 12350 MHz, 3db: 12600 => 12550 MHz
+freq = 12360 MHz, 3db: 12600 => 12550 MHz
+freq = 12370 MHz, 3db: 12600 => 12550 MHz
+freq = 12380 MHz, 3db: 12600 => 12550 MHz
+freq = 12390 MHz, 3db: 12600 => 12550 MHz
+freq = 12400 MHz, 3db: 12600 => 12550 MHz
+freq = 12410 MHz, 3db: 12600 => 12550 MHz
+freq = 12420 MHz, 3db: 12600 => 12550 MHz
+freq = 12430 MHz, 3db: 12600 => 12550 MHz
+freq = 12440 MHz, 3db: 12600 => 12550 MHz
+freq = 12450 MHz, 3db: 12600 => 12550 MHz
+freq = 12460 MHz, 3db: 12600 => 12550 MHz
+freq = 12470 MHz, 3db: 12600 => 12550 MHz
+freq = 12480 MHz, 3db: 12600 => 12550 MHz
+freq = 12490 MHz, 3db: 12600 => 12550 MHz
+freq = 12500 MHz, 3db: 12600 => 12550 MHz
+freq = 12510 MHz, 3db: 12600 => 12550 MHz
+freq = 12520 MHz, 3db: 12600 => 12550 MHz
+freq = 12530 MHz, 3db: 12600 => 12550 MHz
+freq = 12540 MHz, 3db: 12600 => 12550 MHz
+freq = 12550 MHz, 3db: 12600 => 12550 MHz
+freq = 12600 MHz, 3db: 13000 => 12600 MHz
+freq = 12610 MHz, 3db: 13000 => 12970 MHz
+freq = 12620 MHz, 3db: 13000 => 12970 MHz
+freq = 12630 MHz, 3db: 13000 => 12970 MHz
+freq = 12640 MHz, 3db: 13000 => 12970 MHz
+freq = 12650 MHz, 3db: 13000 => 12970 MHz
+freq = 12660 MHz, 3db: 13000 => 12970 MHz
+freq = 12670 MHz, 3db: 13000 => 12970 MHz
+freq = 12680 MHz, 3db: 13000 => 12970 MHz
+freq = 12690 MHz, 3db: 13000 => 12970 MHz
+freq = 12700 MHz, 3db: 13000 => 12970 MHz
+freq = 12710 MHz, 3db: 13000 => 12970 MHz
+freq = 12720 MHz, 3db: 13000 => 12970 MHz
+freq = 12730 MHz, 3db: 13000 => 12970 MHz
+freq = 12740 MHz, 3db: 13000 => 12970 MHz
+freq = 12750 MHz, 3db: 13000 => 12970 MHz
+freq = 12760 MHz, 3db: 13000 => 12970 MHz
+freq = 12770 MHz, 3db: 13000 => 12970 MHz
+freq = 12780 MHz, 3db: 13000 => 12970 MHz
+freq = 12790 MHz, 3db: 13000 => 12970 MHz
+freq = 12800 MHz, 3db: 13000 => 12970 MHz
+freq = 12810 MHz, 3db: 13000 => 12970 MHz
+freq = 12820 MHz, 3db: 13000 => 12970 MHz
+freq = 12830 MHz, 3db: 13000 => 12970 MHz
+freq = 12840 MHz, 3db: 13000 => 12970 MHz
+freq = 12850 MHz, 3db: 13000 => 12970 MHz
+freq = 12860 MHz, 3db: 13000 => 12970 MHz
+freq = 12870 MHz, 3db: 13000 => 12970 MHz
+freq = 12880 MHz, 3db: 13000 => 12970 MHz
+freq = 12890 MHz, 3db: 13000 => 12970 MHz
+freq = 12900 MHz, 3db: 13000 => 12970 MHz
+freq = 12910 MHz, 3db: 13000 => 12970 MHz
+freq = 12920 MHz, 3db: 13000 => 12970 MHz
+freq = 12930 MHz, 3db: 13000 => 12970 MHz
+freq = 12940 MHz, 3db: 13000 => 12970 MHz
+freq = 12950 MHz, 3db: 13000 => 12970 MHz
+freq = 12960 MHz, 3db: 13000 => 12970 MHz
+freq = 12970 MHz, 3db: 13000 => 12970 MHz
+freq = 13000 MHz, 3db: 13390 => 13000 MHz
+freq = 13390 MHz, 3db: 13810 => 13390 MHz
+freq = 13810 MHz, 3db: 14230 => 13810 MHz
+freq = 14230 MHz, 3db: 14650 => 14230 MHz
+freq = 14650 MHz, 3db: 15070 => 14650 MHz
+freq = 15070 MHz, 3db: 15490 => 15070 MHz
+freq = 15490 MHz, 3db: 15910 => 15490 MHz
+freq = 15910 MHz, 3db: 16330 => 15910 MHz
+freq = 16330 MHz, 3db: 16750 => 16330 MHz
+freq = 16750 MHz, 3db: 17170 => 16750 MHz
+freq = 17170 MHz, 3db: 17590 => 17170 MHz
+freq = 17590 MHz, 3db: 18010 => 17590 MHz
+freq = 18010 MHz, 3db: 18430 => 18010 MHz
+freq = 18430 MHz, 3db: 18850 => 18430 MHz
+freq = 18850 MHz, 3db: bypass => 18850 MHz
+
+Fixes: f34fe888ad05 ("iio:filter:admv8818: add support for ADMV8818")
+Signed-off-by: Sam Winchenbach <swinchenbach@arka.org>
+Link: https://patch.msgid.link/20250328174831.227202-5-sam.winchenbach@framepointer.org
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/filter/admv8818.c | 205 +++++++++++++++++++++++++---------
+ 1 file changed, 152 insertions(+), 53 deletions(-)
+
+diff --git a/drivers/iio/filter/admv8818.c b/drivers/iio/filter/admv8818.c
+index cd3aff9a2f7bf..380e119b3cf54 100644
+--- a/drivers/iio/filter/admv8818.c
++++ b/drivers/iio/filter/admv8818.c
+@@ -14,6 +14,7 @@
+ #include <linux/mod_devicetable.h>
+ #include <linux/mutex.h>
+ #include <linux/notifier.h>
++#include <linux/property.h>
+ #include <linux/regmap.h>
+ #include <linux/spi/spi.h>
+ #include <linux/units.h>
+@@ -70,6 +71,16 @@
+ #define ADMV8818_HPF_WR0_MSK GENMASK(7, 4)
+ #define ADMV8818_LPF_WR0_MSK GENMASK(3, 0)
+
++#define ADMV8818_BAND_BYPASS 0
++#define ADMV8818_BAND_MIN 1
++#define ADMV8818_BAND_MAX 4
++#define ADMV8818_BAND_CORNER_LOW 0
++#define ADMV8818_BAND_CORNER_HIGH 1
++
++#define ADMV8818_STATE_MIN 0
++#define ADMV8818_STATE_MAX 15
++#define ADMV8818_NUM_STATES 16
++
+ enum {
+ ADMV8818_BW_FREQ,
+ ADMV8818_CENTER_FREQ
+@@ -90,16 +101,20 @@ struct admv8818_state {
+ struct mutex lock;
+ unsigned int filter_mode;
+ u64 cf_hz;
++ u64 lpf_margin_hz;
++ u64 hpf_margin_hz;
+ };
+
+-static const unsigned long long freq_range_hpf[4][2] = {
++static const unsigned long long freq_range_hpf[5][2] = {
++ {0ULL, 0ULL}, /* bypass */
+ {1750000000ULL, 3550000000ULL},
+ {3400000000ULL, 7250000000ULL},
+ {6600000000, 12000000000},
+ {12500000000, 19900000000}
+ };
+
+-static const unsigned long long freq_range_lpf[4][2] = {
++static const unsigned long long freq_range_lpf[5][2] = {
++ {U64_MAX, U64_MAX}, /* bypass */
+ {2050000000ULL, 3850000000ULL},
+ {3350000000ULL, 7250000000ULL},
+ {7000000000, 13000000000},
+@@ -121,44 +136,59 @@ static const char * const admv8818_modes[] = {
+
+ static int __admv8818_hpf_select(struct admv8818_state *st, u64 freq)
+ {
+- unsigned int hpf_step = 0, hpf_band = 0, i, j;
+- u64 freq_step;
+- int ret;
++ int band, state, ret;
++ unsigned int hpf_state = ADMV8818_STATE_MIN, hpf_band = ADMV8818_BAND_BYPASS;
++ u64 freq_error, min_freq_error, freq_corner, freq_step;
+
+- if (freq < freq_range_hpf[0][0])
++ if (freq < freq_range_hpf[ADMV8818_BAND_MIN][ADMV8818_BAND_CORNER_LOW])
+ goto hpf_write;
+
+- if (freq > freq_range_hpf[3][1]) {
+- hpf_step = 15;
+- hpf_band = 4;
+-
++ if (freq >= freq_range_hpf[ADMV8818_BAND_MAX][ADMV8818_BAND_CORNER_HIGH]) {
++ hpf_state = ADMV8818_STATE_MAX;
++ hpf_band = ADMV8818_BAND_MAX;
+ goto hpf_write;
+ }
+
+- for (i = 0; i < 4; i++) {
+- freq_step = div_u64((freq_range_hpf[i][1] -
+- freq_range_hpf[i][0]), 15);
++ /* Close HPF frequency gap between 12 and 12.5 GHz */
++ if (freq >= 12000ULL * HZ_PER_MHZ && freq < 12500ULL * HZ_PER_MHZ) {
++ hpf_state = ADMV8818_STATE_MAX;
++ hpf_band = 3;
++ goto hpf_write;
++ }
+
+- if (freq > freq_range_hpf[i][0] &&
+- (freq < freq_range_hpf[i][1] + freq_step)) {
+- hpf_band = i + 1;
++ min_freq_error = U64_MAX;
++ for (band = ADMV8818_BAND_MIN; band <= ADMV8818_BAND_MAX; band++) {
++ /*
++ * This (and therefore all other ranges) have a corner
++ * frequency higher than the target frequency.
++ */
++ if (freq_range_hpf[band][ADMV8818_BAND_CORNER_LOW] > freq)
++ break;
+
+- for (j = 1; j <= 16; j++) {
+- if (freq < (freq_range_hpf[i][0] + (freq_step * j))) {
+- hpf_step = j - 1;
+- break;
+- }
++ freq_step = freq_range_hpf[band][ADMV8818_BAND_CORNER_HIGH] -
++ freq_range_hpf[band][ADMV8818_BAND_CORNER_LOW];
++ freq_step = div_u64(freq_step, ADMV8818_NUM_STATES - 1);
++
++ for (state = ADMV8818_STATE_MIN; state <= ADMV8818_STATE_MAX; state++) {
++ freq_corner = freq_range_hpf[band][ADMV8818_BAND_CORNER_LOW] +
++ freq_step * state;
++
++ /*
++ * This (and therefore all other states) have a corner
++ * frequency higher than the target frequency.
++ */
++ if (freq_corner > freq)
++ break;
++
++ freq_error = freq - freq_corner;
++ if (freq_error < min_freq_error) {
++ min_freq_error = freq_error;
++ hpf_state = state;
++ hpf_band = band;
+ }
+- break;
+ }
+ }
+
+- /* Close HPF frequency gap between 12 and 12.5 GHz */
+- if (freq >= 12000ULL * HZ_PER_MHZ && freq < 12500ULL * HZ_PER_MHZ) {
+- hpf_band = 3;
+- hpf_step = 15;
+- }
+-
+ hpf_write:
+ ret = regmap_update_bits(st->regmap, ADMV8818_REG_WR0_SW,
+ ADMV8818_SW_IN_SET_WR0_MSK |
+@@ -170,7 +200,7 @@ static int __admv8818_hpf_select(struct admv8818_state *st, u64 freq)
+
+ return regmap_update_bits(st->regmap, ADMV8818_REG_WR0_FILTER,
+ ADMV8818_HPF_WR0_MSK,
+- FIELD_PREP(ADMV8818_HPF_WR0_MSK, hpf_step));
++ FIELD_PREP(ADMV8818_HPF_WR0_MSK, hpf_state));
+ }
+
+ static int admv8818_hpf_select(struct admv8818_state *st, u64 freq)
+@@ -186,31 +216,52 @@ static int admv8818_hpf_select(struct admv8818_state *st, u64 freq)
+
+ static int __admv8818_lpf_select(struct admv8818_state *st, u64 freq)
+ {
+- unsigned int lpf_step = 0, lpf_band = 0, i, j;
+- u64 freq_step;
+- int ret;
++ int band, state, ret;
++ unsigned int lpf_state = ADMV8818_STATE_MIN, lpf_band = ADMV8818_BAND_BYPASS;
++ u64 freq_error, min_freq_error, freq_corner, freq_step;
+
+- if (freq > freq_range_lpf[3][1])
++ if (freq > freq_range_lpf[ADMV8818_BAND_MAX][ADMV8818_BAND_CORNER_HIGH])
+ goto lpf_write;
+
+- if (freq < freq_range_lpf[0][0]) {
+- lpf_band = 1;
+-
++ if (freq < freq_range_lpf[ADMV8818_BAND_MIN][ADMV8818_BAND_CORNER_LOW]) {
++ lpf_state = ADMV8818_STATE_MIN;
++ lpf_band = ADMV8818_BAND_MIN;
+ goto lpf_write;
+ }
+
+- for (i = 0; i < 4; i++) {
+- if (freq > freq_range_lpf[i][0] && freq < freq_range_lpf[i][1]) {
+- lpf_band = i + 1;
+- freq_step = div_u64((freq_range_lpf[i][1] - freq_range_lpf[i][0]), 15);
++ min_freq_error = U64_MAX;
++ for (band = ADMV8818_BAND_MAX; band >= ADMV8818_BAND_MIN; --band) {
++ /*
++ * At this point the highest corner frequency of
++ * all remaining ranges is below the target.
++ * LPF corner should be >= the target.
++ */
++ if (freq > freq_range_lpf[band][ADMV8818_BAND_CORNER_HIGH])
++ break;
++
++ freq_step = freq_range_lpf[band][ADMV8818_BAND_CORNER_HIGH] -
++ freq_range_lpf[band][ADMV8818_BAND_CORNER_LOW];
++ freq_step = div_u64(freq_step, ADMV8818_NUM_STATES - 1);
++
++ for (state = ADMV8818_STATE_MAX; state >= ADMV8818_STATE_MIN; --state) {
+
+- for (j = 0; j <= 15; j++) {
+- if (freq < (freq_range_lpf[i][0] + (freq_step * j))) {
+- lpf_step = j;
+- break;
+- }
++ freq_corner = freq_range_lpf[band][ADMV8818_BAND_CORNER_LOW] +
++ state * freq_step;
++
++ /*
++ * At this point all other states in range will
++ * place the corner frequency below the target
++ * LPF corner should >= the target.
++ */
++ if (freq > freq_corner)
++ break;
++
++ freq_error = freq_corner - freq;
++ if (freq_error < min_freq_error) {
++ min_freq_error = freq_error;
++ lpf_state = state;
++ lpf_band = band;
+ }
+- break;
+ }
+ }
+
+@@ -225,7 +276,7 @@ static int __admv8818_lpf_select(struct admv8818_state *st, u64 freq)
+
+ return regmap_update_bits(st->regmap, ADMV8818_REG_WR0_FILTER,
+ ADMV8818_LPF_WR0_MSK,
+- FIELD_PREP(ADMV8818_LPF_WR0_MSK, lpf_step));
++ FIELD_PREP(ADMV8818_LPF_WR0_MSK, lpf_state));
+ }
+
+ static int admv8818_lpf_select(struct admv8818_state *st, u64 freq)
+@@ -242,16 +293,28 @@ static int admv8818_lpf_select(struct admv8818_state *st, u64 freq)
+ static int admv8818_rfin_band_select(struct admv8818_state *st)
+ {
+ int ret;
++ u64 hpf_corner_target, lpf_corner_target;
+
+ st->cf_hz = clk_get_rate(st->clkin);
+
++ /* Check for underflow */
++ if (st->cf_hz > st->hpf_margin_hz)
++ hpf_corner_target = st->cf_hz - st->hpf_margin_hz;
++ else
++ hpf_corner_target = 0;
++
++ /* Check for overflow */
++ lpf_corner_target = st->cf_hz + st->lpf_margin_hz;
++ if (lpf_corner_target < st->cf_hz)
++ lpf_corner_target = U64_MAX;
++
+ mutex_lock(&st->lock);
+
+- ret = __admv8818_hpf_select(st, st->cf_hz);
++ ret = __admv8818_hpf_select(st, hpf_corner_target);
+ if (ret)
+ goto exit;
+
+- ret = __admv8818_lpf_select(st, st->cf_hz);
++ ret = __admv8818_lpf_select(st, lpf_corner_target);
+ exit:
+ mutex_unlock(&st->lock);
+ return ret;
+@@ -278,8 +341,11 @@ static int __admv8818_read_hpf_freq(struct admv8818_state *st, u64 *hpf_freq)
+
+ hpf_state = FIELD_GET(ADMV8818_HPF_WR0_MSK, data);
+
+- *hpf_freq = div_u64(freq_range_hpf[hpf_band - 1][1] - freq_range_hpf[hpf_band - 1][0], 15);
+- *hpf_freq = freq_range_hpf[hpf_band - 1][0] + (*hpf_freq * hpf_state);
++ *hpf_freq = freq_range_hpf[hpf_band][ADMV8818_BAND_CORNER_HIGH] -
++ freq_range_hpf[hpf_band][ADMV8818_BAND_CORNER_LOW];
++ *hpf_freq = div_u64(*hpf_freq, ADMV8818_NUM_STATES - 1);
++ *hpf_freq = freq_range_hpf[hpf_band][ADMV8818_BAND_CORNER_LOW] +
++ (*hpf_freq * hpf_state);
+
+ return ret;
+ }
+@@ -316,8 +382,11 @@ static int __admv8818_read_lpf_freq(struct admv8818_state *st, u64 *lpf_freq)
+
+ lpf_state = FIELD_GET(ADMV8818_LPF_WR0_MSK, data);
+
+- *lpf_freq = div_u64(freq_range_lpf[lpf_band - 1][1] - freq_range_lpf[lpf_band - 1][0], 15);
+- *lpf_freq = freq_range_lpf[lpf_band - 1][0] + (*lpf_freq * lpf_state);
++ *lpf_freq = freq_range_lpf[lpf_band][ADMV8818_BAND_CORNER_HIGH] -
++ freq_range_lpf[lpf_band][ADMV8818_BAND_CORNER_LOW];
++ *lpf_freq = div_u64(*lpf_freq, ADMV8818_NUM_STATES - 1);
++ *lpf_freq = freq_range_lpf[lpf_band][ADMV8818_BAND_CORNER_LOW] +
++ (*lpf_freq * lpf_state);
+
+ return ret;
+ }
+@@ -641,6 +710,32 @@ static int admv8818_clk_setup(struct admv8818_state *st)
+ return devm_add_action_or_reset(&spi->dev, admv8818_clk_notifier_unreg, st);
+ }
+
++static int admv8818_read_properties(struct admv8818_state *st)
++{
++ struct spi_device *spi = st->spi;
++ u32 mhz;
++ int ret;
++
++ ret = device_property_read_u32(&spi->dev, "adi,lpf-margin-mhz", &mhz);
++ if (ret == 0)
++ st->lpf_margin_hz = (u64)mhz * HZ_PER_MHZ;
++ else if (ret == -EINVAL)
++ st->lpf_margin_hz = 0;
++ else
++ return ret;
++
++
++ ret = device_property_read_u32(&spi->dev, "adi,hpf-margin-mhz", &mhz);
++ if (ret == 0)
++ st->hpf_margin_hz = (u64)mhz * HZ_PER_MHZ;
++ else if (ret == -EINVAL)
++ st->hpf_margin_hz = 0;
++ else if (ret < 0)
++ return ret;
++
++ return 0;
++}
++
+ static int admv8818_probe(struct spi_device *spi)
+ {
+ struct iio_dev *indio_dev;
+@@ -672,6 +767,10 @@ static int admv8818_probe(struct spi_device *spi)
+
+ mutex_init(&st->lock);
+
++ ret = admv8818_read_properties(st);
++ if (ret)
++ return ret;
++
+ ret = admv8818_init(st);
+ if (ret)
+ return ret;
+--
+2.39.5
+
--- /dev/null
+From 17eccce00433541ef09e74609699ad598d90016d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Mar 2025 13:48:31 -0400
+Subject: iio: filter: admv8818: Support frequencies >= 2^32
+
+From: Brian Pellegrino <bpellegrino@arka.org>
+
+[ Upstream commit 9016776f1301627de78a633bda7c898425a56572 ]
+
+This patch allows writing u64 values to the ADMV8818's high and low-pass
+filter frequencies. It includes the following changes:
+
+- Rejects negative frequencies in admv8818_write_raw.
+- Adds a write_raw_get_fmt function to admv8818's iio_info, returning
+ IIO_VAL_INT_64 for the high and low-pass filter 3dB frequency channels.
+
+Fixes: f34fe888ad05 ("iio:filter:admv8818: add support for ADMV8818")
+Signed-off-by: Brian Pellegrino <bpellegrino@arka.org>
+Signed-off-by: Sam Winchenbach <swinchenbach@arka.org>
+Link: https://patch.msgid.link/20250328174831.227202-7-sam.winchenbach@framepointer.org
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/filter/admv8818.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/drivers/iio/filter/admv8818.c b/drivers/iio/filter/admv8818.c
+index 380e119b3cf54..cc8ce0fe74e7c 100644
+--- a/drivers/iio/filter/admv8818.c
++++ b/drivers/iio/filter/admv8818.c
+@@ -402,6 +402,19 @@ static int admv8818_read_lpf_freq(struct admv8818_state *st, u64 *lpf_freq)
+ return ret;
+ }
+
++static int admv8818_write_raw_get_fmt(struct iio_dev *indio_dev,
++ struct iio_chan_spec const *chan,
++ long mask)
++{
++ switch (mask) {
++ case IIO_CHAN_INFO_LOW_PASS_FILTER_3DB_FREQUENCY:
++ case IIO_CHAN_INFO_HIGH_PASS_FILTER_3DB_FREQUENCY:
++ return IIO_VAL_INT_64;
++ default:
++ return -EINVAL;
++ }
++}
++
+ static int admv8818_write_raw(struct iio_dev *indio_dev,
+ struct iio_chan_spec const *chan,
+ int val, int val2, long info)
+@@ -410,6 +423,9 @@ static int admv8818_write_raw(struct iio_dev *indio_dev,
+
+ u64 freq = ((u64)val2 << 32 | (u32)val);
+
++ if ((s64)freq < 0)
++ return -EINVAL;
++
+ switch (info) {
+ case IIO_CHAN_INFO_LOW_PASS_FILTER_3DB_FREQUENCY:
+ return admv8818_lpf_select(st, freq);
+@@ -571,6 +587,7 @@ static int admv8818_set_mode(struct iio_dev *indio_dev,
+
+ static const struct iio_info admv8818_info = {
+ .write_raw = admv8818_write_raw,
++ .write_raw_get_fmt = admv8818_write_raw_get_fmt,
+ .read_raw = admv8818_read_raw,
+ .debugfs_reg_access = &admv8818_reg_access,
+ };
+--
+2.39.5
+
--- /dev/null
+From d1c9519dcd834eaa4505a45147b2844022d89c71 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Apr 2025 10:08:37 -0300
+Subject: iommu: Protect against overflow in iommu_pgsize()
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+[ Upstream commit e586e22974d2b7acbef3c6c3e01b2d5ce69efe33 ]
+
+On a 32 bit system calling:
+ iommu_map(0, 0x40000000)
+
+When using the AMD V1 page table type with a domain->pgsize of 0xfffff000
+causes iommu_pgsize() to miscalculate a result of:
+ size=0x40000000 count=2
+
+count should be 1. This completely corrupts the mapping process.
+
+This is because the final test to adjust the pagesize malfunctions when
+the addition overflows. Use check_add_overflow() to prevent this.
+
+Fixes: b1d99dc5f983 ("iommu: Hook up '->unmap_pages' driver callback")
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com>
+Link: https://lore.kernel.org/r/0-v1-3ad28fc2e3a3+163327-iommu_overflow_pgsize_jgg@nvidia.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/iommu.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
+index f2b3a4e2e54fc..3fa5699b9ff19 100644
+--- a/drivers/iommu/iommu.c
++++ b/drivers/iommu/iommu.c
+@@ -2382,6 +2382,7 @@ static size_t iommu_pgsize(struct iommu_domain *domain, unsigned long iova,
+ unsigned int pgsize_idx, pgsize_idx_next;
+ unsigned long pgsizes;
+ size_t offset, pgsize, pgsize_next;
++ size_t offset_end;
+ unsigned long addr_merge = paddr | iova;
+
+ /* Page sizes supported by the hardware and small enough for @size */
+@@ -2422,7 +2423,8 @@ static size_t iommu_pgsize(struct iommu_domain *domain, unsigned long iova,
+ * If size is big enough to accommodate the larger page, reduce
+ * the number of smaller pages.
+ */
+- if (offset + pgsize_next <= size)
++ if (!check_add_overflow(offset, pgsize_next, &offset_end) &&
++ offset_end <= size)
+ size = offset;
+
+ out_set_count:
+--
+2.39.5
+
--- /dev/null
+From 619d7cf4ef2eaa5dfcbfe2639a5088a64b20ede0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 May 2025 15:10:44 +0200
+Subject: iommu: remove duplicate selection of DMAR_TABLE
+
+From: Rolf Eike Beer <eb@emlix.com>
+
+[ Upstream commit 9548feff840a05d61783e6316d08ed37e115f3b1 ]
+
+This is already done in intel/Kconfig.
+
+Fixes: 70bad345e622 ("iommu: Fix compilation without CONFIG_IOMMU_INTEL")
+Signed-off-by: Rolf Eike Beer <eb@emlix.com>
+Reviewed-by: Lu Baolu <baolu.lu@linux.intel.com>
+Link: https://lore.kernel.org/r/2232605.Mh6RI2rZIc@devpool92.emlix.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/iommu/Kconfig b/drivers/iommu/Kconfig
+index d57c5adf932e3..20aa5ed80aa38 100644
+--- a/drivers/iommu/Kconfig
++++ b/drivers/iommu/Kconfig
+@@ -191,7 +191,6 @@ source "drivers/iommu/iommufd/Kconfig"
+ config IRQ_REMAP
+ bool "Support for Interrupt Remapping"
+ depends on X86_64 && X86_IO_APIC && PCI_MSI && ACPI
+- select DMAR_TABLE if INTEL_IOMMU
+ help
+ Supports Interrupt remapping for IO-APIC and MSI devices.
+ To use x2apic mode in the CPU's which support x2APIC enhancements or
+--
+2.39.5
+
--- /dev/null
+From 7f1ca240a153d11e48ef99398f7d6b68efcbe02c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 May 2025 14:12:00 +0200
+Subject: kernfs: Relax constraint in draining guard
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michal Koutný <mkoutny@suse.com>
+
+[ Upstream commit 071d8e4c2a3b0999a9b822e2eb8854784a350f8a ]
+
+The active reference lifecycle provides the break/unbreak mechanism but
+the active reference is not truly active after unbreak -- callers don't
+use it afterwards but it's important for proper pairing of kn->active
+counting. Assuming this mechanism is in place, the WARN check in
+kernfs_should_drain_open_files() is too sensitive -- it may transiently
+catch those (rightful) callers between
+kernfs_unbreak_active_protection() and kernfs_put_active() as found out by Chen
+Ridong:
+
+ kernfs_remove_by_name_ns kernfs_get_active // active=1
+ __kernfs_remove // active=0x80000002
+ kernfs_drain ...
+ wait_event
+ //waiting (active == 0x80000001)
+ kernfs_break_active_protection
+ // active = 0x80000001
+ // continue
+ kernfs_unbreak_active_protection
+ // active = 0x80000002
+ ...
+ kernfs_should_drain_open_files
+ // warning occurs
+ kernfs_put_active
+
+To avoid the false positives (mind panic_on_warn) remove the check altogether.
+(This is meant as quick fix, I think active reference break/unbreak may be
+simplified with larger rework.)
+
+Fixes: bdb2fd7fc56e1 ("kernfs: Skip kernfs_drain_open_files() more aggressively")
+Link: https://lore.kernel.org/r/kmmrseckjctb4gxcx2rdminrjnq2b4ipf7562nvfd432ld5v5m@2byj5eedkb2o/
+
+Cc: Chen Ridong <chenridong@huawei.com>
+Signed-off-by: Michal Koutný <mkoutny@suse.com>
+Acked-by: Tejun Heo <tj@kernel.org>
+Link: https://lore.kernel.org/r/20250505121201.879823-1-mkoutny@suse.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/kernfs/dir.c | 5 +++--
+ fs/kernfs/file.c | 3 ++-
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c
+index b068ed32d7b32..f6e2a4523f7e6 100644
+--- a/fs/kernfs/dir.c
++++ b/fs/kernfs/dir.c
+@@ -1560,8 +1560,9 @@ void kernfs_break_active_protection(struct kernfs_node *kn)
+ * invoked before finishing the kernfs operation. Note that while this
+ * function restores the active reference, it doesn't and can't actually
+ * restore the active protection - @kn may already or be in the process of
+- * being removed. Once kernfs_break_active_protection() is invoked, that
+- * protection is irreversibly gone for the kernfs operation instance.
++ * being drained and removed. Once kernfs_break_active_protection() is
++ * invoked, that protection is irreversibly gone for the kernfs operation
++ * instance.
+ *
+ * While this function may be called at any point after
+ * kernfs_break_active_protection() is invoked, its most useful location
+diff --git a/fs/kernfs/file.c b/fs/kernfs/file.c
+index 332d08d2fe0d5..6b90fea6cca20 100644
+--- a/fs/kernfs/file.c
++++ b/fs/kernfs/file.c
+@@ -820,8 +820,9 @@ bool kernfs_should_drain_open_files(struct kernfs_node *kn)
+ /*
+ * @kn being deactivated guarantees that @kn->attr.open can't change
+ * beneath us making the lockless test below safe.
++ * Callers post kernfs_unbreak_active_protection may be counted in
++ * kn->active by now, do not WARN_ON because of them.
+ */
+- WARN_ON_ONCE(atomic_read(&kn->active) != KN_DEACTIVATED_BIAS);
+
+ rcu_read_lock();
+ on = rcu_dereference(kn->attr.open);
+--
+2.39.5
+
--- /dev/null
+From 5553503d0feeb9753672e27f27068ba16e24b7a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Apr 2025 13:59:57 +0800
+Subject: ktls, sockmap: Fix missing uncharge operation
+
+From: Jiayuan Chen <jiayuan.chen@linux.dev>
+
+[ Upstream commit 79f0c39ae7d3dc628c01b02f23ca5d01f9875040 ]
+
+When we specify apply_bytes, we divide the msg into multiple segments,
+each with a length of 'send', and every time we send this part of the data
+using tcp_bpf_sendmsg_redir(), we use sk_msg_return_zero() to uncharge the
+memory of the specified 'send' size.
+
+However, if the first segment of data fails to send, for example, the
+peer's buffer is full, we need to release all of the msg. When releasing
+the msg, we haven't uncharged the memory of the subsequent segments.
+
+This modification does not make significant logical changes, but only
+fills in the missing uncharge places.
+
+This issue has existed all along, until it was exposed after we added the
+apply test in test_sockmap:
+commit 3448ad23b34e ("selftests/bpf: Add apply_bytes test to test_txmsg_redir_wait_sndmem in test_sockmap")
+
+Fixes: d3b18ad31f93 ("tls: add bpf support to sk_msg handling")
+Reported-by: Cong Wang <xiyou.wangcong@gmail.com>
+Closes: https://lore.kernel.org/bpf/aAmIi0vlycHtbXeb@pop-os.localdomain/T/#t
+Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
+Link: https://lore.kernel.org/r/20250425060015.6968-2-jiayuan.chen@linux.dev
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tls/tls_sw.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
+index bf445a518883a..4a9a3aed5d6d4 100644
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -908,6 +908,13 @@ static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk,
+ &msg_redir, send, flags);
+ lock_sock(sk);
+ if (err < 0) {
++ /* Regardless of whether the data represented by
++ * msg_redir is sent successfully, we have already
++ * uncharged it via sk_msg_return_zero(). The
++ * msg->sg.size represents the remaining unprocessed
++ * data, which needs to be uncharged here.
++ */
++ sk_mem_uncharge(sk, msg->sg.size);
+ *copied -= sk_msg_free_nocharge(sk, &msg_redir);
+ msg->sg.size = 0;
+ }
+--
+2.39.5
+
--- /dev/null
+From 2281c03f1578058ab648efcab6dd6a9d521edb37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 May 2025 08:20:49 +0000
+Subject: kunit: Fix wrong parameter to kunit_deactivate_static_stub()
+
+From: Tzung-Bi Shih <tzungbi@kernel.org>
+
+[ Upstream commit 772e50a76ee664e75581624f512df4e45582605a ]
+
+kunit_deactivate_static_stub() accepts real_fn_addr instead of
+replacement_addr. In the case, it always passes NULL to
+kunit_deactivate_static_stub().
+
+Fix it.
+
+Link: https://lore.kernel.org/r/20250520082050.2254875-1-tzungbi@kernel.org
+Fixes: e047c5eaa763 ("kunit: Expose 'static stub' API to redirect functions")
+Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
+Reviewed-by: David Gow <davidgow@google.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/kunit/static_stub.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/kunit/static_stub.c b/lib/kunit/static_stub.c
+index 92b2cccd5e763..484fd85251b41 100644
+--- a/lib/kunit/static_stub.c
++++ b/lib/kunit/static_stub.c
+@@ -96,7 +96,7 @@ void __kunit_activate_static_stub(struct kunit *test,
+
+ /* If the replacement address is NULL, deactivate the stub. */
+ if (!replacement_addr) {
+- kunit_deactivate_static_stub(test, replacement_addr);
++ kunit_deactivate_static_stub(test, real_fn_addr);
+ return;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From ca86e534ebe7fbff0fbdfdfb0ff9380a4bec1d26 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Apr 2025 17:50:14 +0200
+Subject: libbpf: Fix buffer overflow in bpf_object__init_prog
+
+From: Viktor Malik <vmalik@redhat.com>
+
+[ Upstream commit ee684de5c1b0ac01821320826baec7da93f3615b ]
+
+As shown in [1], it is possible to corrupt a BPF ELF file such that
+arbitrary BPF instructions are loaded by libbpf. This can be done by
+setting a symbol (BPF program) section offset to a large (unsigned)
+number such that <section start + symbol offset> overflows and points
+before the section data in the memory.
+
+Consider the situation below where:
+- prog_start = sec_start + symbol_offset <-- size_t overflow here
+- prog_end = prog_start + prog_size
+
+ prog_start sec_start prog_end sec_end
+ | | | |
+ v v v v
+ .....................|################################|............
+
+The report in [1] also provides a corrupted BPF ELF which can be used as
+a reproducer:
+
+ $ readelf -S crash
+ Section Headers:
+ [Nr] Name Type Address Offset
+ Size EntSize Flags Link Info Align
+ ...
+ [ 2] uretprobe.mu[...] PROGBITS 0000000000000000 00000040
+ 0000000000000068 0000000000000000 AX 0 0 8
+
+ $ readelf -s crash
+ Symbol table '.symtab' contains 8 entries:
+ Num: Value Size Type Bind Vis Ndx Name
+ ...
+ 6: ffffffffffffffb8 104 FUNC GLOBAL DEFAULT 2 handle_tp
+
+Here, the handle_tp prog has section offset ffffffffffffffb8, i.e. will
+point before the actual memory where section 2 is allocated.
+
+This is also reported by AddressSanitizer:
+
+ =================================================================
+ ==1232==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7c7302fe0000 at pc 0x7fc3046e4b77 bp 0x7ffe64677cd0 sp 0x7ffe64677490
+ READ of size 104 at 0x7c7302fe0000 thread T0
+ #0 0x7fc3046e4b76 in memcpy (/lib64/libasan.so.8+0xe4b76)
+ #1 0x00000040df3e in bpf_object__init_prog /src/libbpf/src/libbpf.c:856
+ #2 0x00000040df3e in bpf_object__add_programs /src/libbpf/src/libbpf.c:928
+ #3 0x00000040df3e in bpf_object__elf_collect /src/libbpf/src/libbpf.c:3930
+ #4 0x00000040df3e in bpf_object_open /src/libbpf/src/libbpf.c:8067
+ #5 0x00000040f176 in bpf_object__open_file /src/libbpf/src/libbpf.c:8090
+ #6 0x000000400c16 in main /poc/poc.c:8
+ #7 0x7fc3043d25b4 in __libc_start_call_main (/lib64/libc.so.6+0x35b4)
+ #8 0x7fc3043d2667 in __libc_start_main@@GLIBC_2.34 (/lib64/libc.so.6+0x3667)
+ #9 0x000000400b34 in _start (/poc/poc+0x400b34)
+
+ 0x7c7302fe0000 is located 64 bytes before 104-byte region [0x7c7302fe0040,0x7c7302fe00a8)
+ allocated by thread T0 here:
+ #0 0x7fc3046e716b in malloc (/lib64/libasan.so.8+0xe716b)
+ #1 0x7fc3045ee600 in __libelf_set_rawdata_wrlock (/lib64/libelf.so.1+0xb600)
+ #2 0x7fc3045ef018 in __elf_getdata_rdlock (/lib64/libelf.so.1+0xc018)
+ #3 0x00000040642f in elf_sec_data /src/libbpf/src/libbpf.c:3740
+
+The problem here is that currently, libbpf only checks that the program
+end is within the section bounds. There used to be a check
+`while (sec_off < sec_sz)` in bpf_object__add_programs, however, it was
+removed by commit 6245947c1b3c ("libbpf: Allow gaps in BPF program
+sections to support overriden weak functions").
+
+Add a check for detecting the overflow of `sec_off + prog_sz` to
+bpf_object__init_prog to fix this issue.
+
+[1] https://github.com/lmarch2/poc/blob/main/libbpf/libbpf.md
+
+Fixes: 6245947c1b3c ("libbpf: Allow gaps in BPF program sections to support overriden weak functions")
+Reported-by: lmarch2 <2524158037@qq.com>
+Signed-off-by: Viktor Malik <vmalik@redhat.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Reviewed-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
+Link: https://github.com/lmarch2/poc/blob/main/libbpf/libbpf.md
+Link: https://lore.kernel.org/bpf/20250415155014.397603-1-vmalik@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/libbpf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
+index fa2abe56e845d..ca764ed3aaa91 100644
+--- a/tools/lib/bpf/libbpf.c
++++ b/tools/lib/bpf/libbpf.c
+@@ -838,7 +838,7 @@ bpf_object__add_programs(struct bpf_object *obj, Elf_Data *sec_data,
+ return -LIBBPF_ERRNO__FORMAT;
+ }
+
+- if (sec_off + prog_sz > sec_sz) {
++ if (sec_off + prog_sz > sec_sz || sec_off + prog_sz < sec_off) {
+ pr_warn("sec '%s': program at offset %zu crosses section boundary\n",
+ sec_name, sec_off);
+ return -LIBBPF_ERRNO__FORMAT;
+--
+2.39.5
+
--- /dev/null
+From 08f2711236711d8a162d6da5f0d6085ee7ab878d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Apr 2025 00:39:01 +0800
+Subject: libbpf: Remove sample_period init in perf_buffer
+
+From: Tao Chen <chen.dylane@linux.dev>
+
+[ Upstream commit 64821d25f05ac468d435e61669ae745ce5a633ea ]
+
+It seems that sample_period is not used in perf buffer. Actually, only
+wakeup_events are meaningful to enable events aggregation for wakeup notification.
+Remove sample_period setting code to avoid confusion.
+
+Fixes: fb84b8224655 ("libbpf: add perf buffer API")
+Signed-off-by: Tao Chen <chen.dylane@linux.dev>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Acked-by: Namhyung Kim <namhyung@kernel.org>
+Link: https://lore.kernel.org/bpf/20250423163901.2983689-1-chen.dylane@linux.dev
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/libbpf.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
+index ca764ed3aaa91..18e96375dc319 100644
+--- a/tools/lib/bpf/libbpf.c
++++ b/tools/lib/bpf/libbpf.c
+@@ -12453,7 +12453,6 @@ struct perf_buffer *perf_buffer__new(int map_fd, size_t page_cnt,
+ attr.config = PERF_COUNT_SW_BPF_OUTPUT;
+ attr.type = PERF_TYPE_SOFTWARE;
+ attr.sample_type = PERF_SAMPLE_RAW;
+- attr.sample_period = sample_period;
+ attr.wakeup_events = sample_period;
+
+ p.attr = &attr;
+--
+2.39.5
+
--- /dev/null
+From 960c7facd5a5dfccabef8cc72a635843cc0a6e10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Apr 2025 12:08:20 +0000
+Subject: libbpf: Use proper errno value in linker
+
+From: Anton Protopopov <a.s.protopopov@gmail.com>
+
+[ Upstream commit 358b1c0f56ebb6996fcec7dcdcf6bae5dcbc8b6c ]
+
+Return values of the linker_append_sec_data() and the
+linker_append_elf_relos() functions are propagated all the
+way up to users of libbpf API. In some error cases these
+functions return -1 which will be seen as -EPERM from user's
+point of view. Instead, return a more reasonable -EINVAL.
+
+Fixes: faf6ed321cf6 ("libbpf: Add BPF static linker APIs")
+Signed-off-by: Anton Protopopov <a.s.protopopov@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20250430120820.2262053-1-a.s.protopopov@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/linker.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/lib/bpf/linker.c b/tools/lib/bpf/linker.c
+index a3a190d13db8a..e1b3136643aa8 100644
+--- a/tools/lib/bpf/linker.c
++++ b/tools/lib/bpf/linker.c
+@@ -1187,7 +1187,7 @@ static int linker_append_sec_data(struct bpf_linker *linker, struct src_obj *obj
+ } else {
+ if (!secs_match(dst_sec, src_sec)) {
+ pr_warn("ELF sections %s are incompatible\n", src_sec->sec_name);
+- return -1;
++ return -EINVAL;
+ }
+
+ /* "license" and "version" sections are deduped */
+@@ -2034,7 +2034,7 @@ static int linker_append_elf_relos(struct bpf_linker *linker, struct src_obj *ob
+ }
+ } else if (!secs_match(dst_sec, src_sec)) {
+ pr_warn("sections %s are not compatible\n", src_sec->sec_name);
+- return -1;
++ return -EINVAL;
+ }
+
+ /* shdr->sh_link points to SYMTAB */
+--
+2.39.5
+
--- /dev/null
+From 2fefe169ceae0c20e0f0a01b8774667b04c849f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 May 2025 18:20:11 +0000
+Subject: libbpf: Use proper errno value in nlattr
+
+From: Anton Protopopov <a.s.protopopov@gmail.com>
+
+[ Upstream commit fd5fd538a1f4b34cee6823ba0ddda2f7a55aca96 ]
+
+Return value of the validate_nla() function can be propagated all the
+way up to users of libbpf API. In case of error this libbpf version
+of validate_nla returns -1 which will be seen as -EPERM from user's
+point of view. Instead, return a more reasonable -EINVAL.
+
+Fixes: bbf48c18ee0c ("libbpf: add error reporting in XDP")
+Suggested-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Anton Protopopov <a.s.protopopov@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20250510182011.2246631-1-a.s.protopopov@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/nlattr.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/tools/lib/bpf/nlattr.c b/tools/lib/bpf/nlattr.c
+index 975e265eab3bf..06663f9ea581f 100644
+--- a/tools/lib/bpf/nlattr.c
++++ b/tools/lib/bpf/nlattr.c
+@@ -63,16 +63,16 @@ static int validate_nla(struct nlattr *nla, int maxtype,
+ minlen = nla_attr_minlen[pt->type];
+
+ if (libbpf_nla_len(nla) < minlen)
+- return -1;
++ return -EINVAL;
+
+ if (pt->maxlen && libbpf_nla_len(nla) > pt->maxlen)
+- return -1;
++ return -EINVAL;
+
+ if (pt->type == LIBBPF_NLA_STRING) {
+ char *data = libbpf_nla_data(nla);
+
+ if (data[libbpf_nla_len(nla) - 1] != '\0')
+- return -1;
++ return -EINVAL;
+ }
+
+ return 0;
+@@ -118,19 +118,18 @@ int libbpf_nla_parse(struct nlattr *tb[], int maxtype, struct nlattr *head,
+ if (policy) {
+ err = validate_nla(nla, maxtype, policy);
+ if (err < 0)
+- goto errout;
++ return err;
+ }
+
+- if (tb[type])
++ if (tb[type]) {
+ pr_warn("Attribute of type %#x found multiple times in message, "
+ "previous attribute is being ignored.\n", type);
++ }
+
+ tb[type] = nla;
+ }
+
+- err = 0;
+-errout:
+- return err;
++ return 0;
+ }
+
+ /**
+--
+2.39.5
+
--- /dev/null
+From 4ba530168a3ce64dfbc547e01a1999ba0e7f1477 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Apr 2025 10:07:26 +1000
+Subject: m68k: mac: Fix macintosh_config for Mac II
+
+From: Finn Thain <fthain@linux-m68k.org>
+
+[ Upstream commit 52ae3f5da7e5adbe3d1319573b55dac470abb83c ]
+
+When booted on my Mac II, the kernel prints this:
+
+ Detected Macintosh model: 6
+ Apple Macintosh Unknown
+
+The catch-all entry ("Unknown") is mac_data_table[0] which is only needed
+in the unlikely event that the bootinfo model ID can't be matched.
+When model ID is 6, the search should begin and end at mac_data_table[1].
+Fix the off-by-one error that causes this problem.
+
+Cc: Joshua Thompson <funaho@jurai.org>
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Finn Thain <fthain@linux-m68k.org>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Link: https://lore.kernel.org/d0f30a551064ca4810b1c48d5a90954be80634a9.1745453246.git.fthain@linux-m68k.org
+Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/m68k/mac/config.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/m68k/mac/config.c b/arch/m68k/mac/config.c
+index 382f656c29eae..9f5603e01a688 100644
+--- a/arch/m68k/mac/config.c
++++ b/arch/m68k/mac/config.c
+@@ -801,7 +801,7 @@ static void __init mac_identify(void)
+ }
+
+ macintosh_config = mac_data_table;
+- for (m = macintosh_config; m->ident != -1; m++) {
++ for (m = &mac_data_table[1]; m->ident != -1; m++) {
+ if (m->ident == model) {
+ macintosh_config = m;
+ break;
+--
+2.39.5
+
--- /dev/null
+From 0c5f14c3c4248d71da00308afbaaf25ed0a375dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Feb 2025 10:40:33 +0100
+Subject: media: rkvdec: Fix frame size enumeration
+
+From: Jonas Karlman <jonas@kwiboo.se>
+
+[ Upstream commit f270005b99fa19fee9a6b4006e8dee37c10f1944 ]
+
+The VIDIOC_ENUM_FRAMESIZES ioctl should return all frame sizes (i.e.
+width and height in pixels) that the device supports for the given pixel
+format.
+
+It doesn't make a lot of sense to return the frame-sizes in a stepwise
+manner, which is used to enforce hardware alignments requirements for
+CAPTURE buffers, for coded formats.
+
+Instead, applications should receive an indication, about the maximum
+supported frame size for that hardware decoder, via a continuous
+frame-size enumeration.
+
+Fixes: cd33c830448b ("media: rkvdec: Add the rkvdec driver")
+Suggested-by: Alex Bee <knaerzche@gmail.com>
+Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
+Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/rkvdec/rkvdec.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/staging/media/rkvdec/rkvdec.c b/drivers/staging/media/rkvdec/rkvdec.c
+index ac398b5a97360..a1d941b0be00b 100644
+--- a/drivers/staging/media/rkvdec/rkvdec.c
++++ b/drivers/staging/media/rkvdec/rkvdec.c
+@@ -213,8 +213,14 @@ static int rkvdec_enum_framesizes(struct file *file, void *priv,
+ if (!fmt)
+ return -EINVAL;
+
+- fsize->type = V4L2_FRMSIZE_TYPE_STEPWISE;
+- fsize->stepwise = fmt->frmsize;
++ fsize->type = V4L2_FRMSIZE_TYPE_CONTINUOUS;
++ fsize->stepwise.min_width = 1;
++ fsize->stepwise.max_width = fmt->frmsize.max_width;
++ fsize->stepwise.step_width = 1;
++ fsize->stepwise.min_height = 1;
++ fsize->stepwise.max_height = fmt->frmsize.max_height;
++ fsize->stepwise.step_height = 1;
++
+ return 0;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 79cd9ed5f7f2e8edcc31f2319664adc303356e81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Apr 2025 17:00:34 +0200
+Subject: mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in
+ exynos_lpass_remove()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit b70b84556eeca5262d290e8619fe0af5b7664a52 ]
+
+exynos_lpass_disable() is called twice in the remove function. Remove
+one of these calls.
+
+Fixes: 90f447170c6f ("mfd: exynos-lpass: Add runtime PM support")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/74d69e8de10308c9855db6d54155a3de4b11abfd.1745247209.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/exynos-lpass.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/mfd/exynos-lpass.c b/drivers/mfd/exynos-lpass.c
+index 1506d8d352b19..5e39d91b728fc 100644
+--- a/drivers/mfd/exynos-lpass.c
++++ b/drivers/mfd/exynos-lpass.c
+@@ -141,7 +141,6 @@ static int exynos_lpass_remove(struct platform_device *pdev)
+ {
+ struct exynos_lpass *lpass = platform_get_drvdata(pdev);
+
+- exynos_lpass_disable(lpass);
+ pm_runtime_disable(&pdev->dev);
+ if (!pm_runtime_status_suspended(&pdev->dev))
+ exynos_lpass_disable(lpass);
+--
+2.39.5
+
--- /dev/null
+From 303c5134a5e41a382c51f6ed428bd4d358d452fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Apr 2025 18:16:32 +0200
+Subject: mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE
+
+From: Alexey Gladkov <legion@kernel.org>
+
+[ Upstream commit 59d60c16ed41475f3b5f7b605e75fbf8e3628720 ]
+
+The name used in the macro does not exist.
+
+drivers/mfd/stmpe-spi.c:132:26: error: use of undeclared identifier 'stmpe_id'
+ 132 | MODULE_DEVICE_TABLE(spi, stmpe_id);
+
+Fixes: e789995d5c61 ("mfd: Add support for STMPE SPI interface")
+Signed-off-by: Alexey Gladkov <legion@kernel.org>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/79d5a847303e45a46098f2d827d3d8a249a32be3.1745591072.git.legion@kernel.org
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/stmpe-spi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mfd/stmpe-spi.c b/drivers/mfd/stmpe-spi.c
+index 792236f56399a..b9cc85ea2c401 100644
+--- a/drivers/mfd/stmpe-spi.c
++++ b/drivers/mfd/stmpe-spi.c
+@@ -129,7 +129,7 @@ static const struct spi_device_id stmpe_spi_id[] = {
+ { "stmpe2403", STMPE2403 },
+ { }
+ };
+-MODULE_DEVICE_TABLE(spi, stmpe_id);
++MODULE_DEVICE_TABLE(spi, stmpe_spi_id);
+
+ static struct spi_driver stmpe_spi_driver = {
+ .driver = {
+--
+2.39.5
+
--- /dev/null
+From 1a4003d8219984e70686641286fc96b4279d3069 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Apr 2025 11:45:48 +0800
+Subject: MIPS: Loongson64: Add missing '#interrupt-cells' for loongson64c_ls7a
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: WangYuli <wangyuli@uniontech.com>
+
+[ Upstream commit 6d223b8ffcd1593d032b71875def2daa71c53111 ]
+
+Similar to commit 98a9e2ac3755 ("MIPS: Loongson64: DTS: Fix msi node for ls7a").
+
+Fix follow warnings:
+ arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts:28.31-36.4: Warning (interrupt_provider): /bus@10000000/msi-controller@2ff00000: Missing '#interrupt-cells' in interrupt provider
+ arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dtb: Warning (interrupt_map): Failed prerequisite 'interrupt_provider'
+
+Fixes: 24af105962c8 ("MIPS: Loongson64: DeviceTree for LS7A PCH")
+Tested-by: WangYuli <wangyuli@uniontech.com>
+Signed-off-by: WangYuli <wangyuli@uniontech.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts b/arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts
+index c7ea4f1c0bb21..6c277ab83d4b9 100644
+--- a/arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts
++++ b/arch/mips/boot/dts/loongson/loongson64c_4core_ls7a.dts
+@@ -29,6 +29,7 @@
+ compatible = "loongson,pch-msi-1.0";
+ reg = <0 0x2ff00000 0 0x8>;
+ interrupt-controller;
++ #interrupt-cells = <1>;
+ msi-controller;
+ loongson,msi-base-vec = <64>;
+ loongson,msi-num-vecs = <64>;
+--
+2.39.5
+
--- /dev/null
+From 26695dc0064ad5a6c92590df83e2aae3a1019d62 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Apr 2025 00:39:06 +0300
+Subject: mtd: nand: ecc-mxic: Fix use of uninitialized variable ret
+
+From: Mikhail Arkhipov <m.arhipov@rosa.ru>
+
+[ Upstream commit d95846350aac72303036a70c4cdc69ae314aa26d ]
+
+If ctx->steps is zero, the loop processing ECC steps is skipped,
+and the variable ret remains uninitialized. It is later checked
+and returned, which leads to undefined behavior and may cause
+unpredictable results in user space or kernel crashes.
+
+This scenario can be triggered in edge cases such as misconfigured
+geometry, ECC engine misuse, or if ctx->steps is not validated
+after initialization.
+
+Initialize ret to zero before the loop to ensure correct and safe
+behavior regardless of the ctx->steps value.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 48e6633a9fa2 ("mtd: nand: mxic-ecc: Add Macronix external ECC engine support")
+Signed-off-by: Mikhail Arkhipov <m.arhipov@rosa.ru>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/ecc-mxic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/nand/ecc-mxic.c b/drivers/mtd/nand/ecc-mxic.c
+index 47e10945b8d27..63cb206269dd9 100644
+--- a/drivers/mtd/nand/ecc-mxic.c
++++ b/drivers/mtd/nand/ecc-mxic.c
+@@ -614,7 +614,7 @@ static int mxic_ecc_finish_io_req_external(struct nand_device *nand,
+ {
+ struct mxic_ecc_engine *mxic = nand_to_mxic(nand);
+ struct mxic_ecc_ctx *ctx = nand_to_ecc_ctx(nand);
+- int nents, step, ret;
++ int nents, step, ret = 0;
+
+ if (req->mode == MTD_OPS_RAW)
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From e9603f6631b4727161b8be587190d70ef9e5bfac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Jun 2025 21:39:52 +0200
+Subject: net: dsa: b53: allow RGMII for bcm63xx RGMII ports
+
+From: Jonas Gorski <jonas.gorski@gmail.com>
+
+[ Upstream commit 5ea0d42c1980e6d10e5cb56a78021db5bfcebaaf ]
+
+Add RGMII to supported interfaces for BCM63xx RGMII ports so they can be
+actually used in RGMII mode.
+
+Without this, phylink will fail to configure them:
+
+[ 3.580000] b53-switch 10700000.switch GbE3 (uninitialized): validation of rgmii with support 0000000,00000000,00000000,000062ff and advertisement 0000000,00000000,00000000,000062ff failed: -EINVAL
+[ 3.600000] b53-switch 10700000.switch GbE3 (uninitialized): failed to connect to PHY: -EINVAL
+[ 3.610000] b53-switch 10700000.switch GbE3 (uninitialized): error -22 setting up PHY for tree 0, switch 0, port 4
+
+Fixes: ce3bf94871f7 ("net: dsa: b53: add support for BCM63xx RGMIIs")
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
+Link: https://patch.msgid.link/20250602193953.1010487-5-jonas.gorski@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/b53/b53_common.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
+index 7ca42170d8666..004d2c988ff09 100644
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -1377,6 +1377,10 @@ static void b53_phylink_get_caps(struct dsa_switch *ds, int port,
+ __set_bit(PHY_INTERFACE_MODE_MII, config->supported_interfaces);
+ __set_bit(PHY_INTERFACE_MODE_REVMII, config->supported_interfaces);
+
++ /* BCM63xx RGMII ports support RGMII */
++ if (is63xx(dev) && in_range(port, B53_63XX_RGMII0, 4))
++ phy_interface_set_rgmii(config->supported_interfaces);
++
+ config->mac_capabilities = MAC_ASYM_PAUSE | MAC_SYM_PAUSE |
+ MAC_10 | MAC_100;
+
+--
+2.39.5
+
--- /dev/null
+From 5370d420e8dba72d635dfca9b930094c7ca2bfc3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Jun 2025 21:39:50 +0200
+Subject: net: dsa: b53: do not enable RGMII delay on bcm63xx
+
+From: Jonas Gorski <jonas.gorski@gmail.com>
+
+[ Upstream commit 4af523551d876ab8b8057d1e5303a860fd736fcb ]
+
+bcm63xx's RGMII ports are always in MAC mode, never in PHY mode, so we
+shouldn't enable any delays and let the PHY handle any delays as
+necessary.
+
+This fixes using RGMII ports with normal PHYs like BCM54612E, which will
+handle the delay in the PHY.
+
+Fixes: ce3bf94871f7 ("net: dsa: b53: add support for BCM63xx RGMIIs")
+Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://patch.msgid.link/20250602193953.1010487-3-jonas.gorski@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/b53/b53_common.c | 19 +------------------
+ 1 file changed, 1 insertion(+), 18 deletions(-)
+
+diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
+index d2ff2c2fcbbfc..7ca42170d8666 100644
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -1237,24 +1237,7 @@ static void b53_adjust_63xx_rgmii(struct dsa_switch *ds, int port,
+ off = B53_RGMII_CTRL_P(port);
+
+ b53_read8(dev, B53_CTRL_PAGE, off, &rgmii_ctrl);
+-
+- switch (interface) {
+- case PHY_INTERFACE_MODE_RGMII_ID:
+- rgmii_ctrl |= (RGMII_CTRL_DLL_RXC | RGMII_CTRL_DLL_TXC);
+- break;
+- case PHY_INTERFACE_MODE_RGMII_RXID:
+- rgmii_ctrl &= ~(RGMII_CTRL_DLL_TXC);
+- rgmii_ctrl |= RGMII_CTRL_DLL_RXC;
+- break;
+- case PHY_INTERFACE_MODE_RGMII_TXID:
+- rgmii_ctrl &= ~(RGMII_CTRL_DLL_RXC);
+- rgmii_ctrl |= RGMII_CTRL_DLL_TXC;
+- break;
+- case PHY_INTERFACE_MODE_RGMII:
+- default:
+- rgmii_ctrl &= ~(RGMII_CTRL_DLL_RXC | RGMII_CTRL_DLL_TXC);
+- break;
+- }
++ rgmii_ctrl &= ~(RGMII_CTRL_DLL_RXC | RGMII_CTRL_DLL_TXC);
+
+ if (port != dev->imp_port) {
+ if (is63268(dev))
+--
+2.39.5
+
--- /dev/null
+From 4bd21d818dcdf7ac94fa40a1017ea91bab1e89d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 May 2025 14:44:06 +0200
+Subject: net: dsa: tag_brcm: legacy: fix pskb_may_pull length
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Álvaro Fernández Rojas <noltari@gmail.com>
+
+[ Upstream commit efdddc4484859082da6c7877ed144c8121c8ea55 ]
+
+BRCM_LEG_PORT_ID was incorrectly used for pskb_may_pull length.
+The correct check is BRCM_LEG_TAG_LEN + VLAN_HLEN, or 10 bytes.
+
+Fixes: 964dbf186eaa ("net: dsa: tag_brcm: add support for legacy tags")
+Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://patch.msgid.link/20250529124406.2513779-1-noltari@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/dsa/tag_brcm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/dsa/tag_brcm.c b/net/dsa/tag_brcm.c
+index cacdafb41200e..146c1dbd15a93 100644
+--- a/net/dsa/tag_brcm.c
++++ b/net/dsa/tag_brcm.c
+@@ -257,7 +257,7 @@ static struct sk_buff *brcm_leg_tag_rcv(struct sk_buff *skb,
+ int source_port;
+ u8 *brcm_tag;
+
+- if (unlikely(!pskb_may_pull(skb, BRCM_LEG_PORT_ID)))
++ if (unlikely(!pskb_may_pull(skb, BRCM_LEG_TAG_LEN + VLAN_HLEN)))
+ return NULL;
+
+ brcm_tag = dsa_etype_header_pos_rx(skb);
+--
+2.39.5
+
--- /dev/null
+From 6bc7933214feb67e0ec69e745251d831e33ccff2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 May 2025 12:28:05 +0200
+Subject: net: Fix checksum update for ILA adj-transport
+
+From: Paul Chaignon <paul.chaignon@gmail.com>
+
+[ Upstream commit 6043b794c7668c19dabc4a93c75b924a19474d59 ]
+
+During ILA address translations, the L4 checksums can be handled in
+different ways. One of them, adj-transport, consist in parsing the
+transport layer and updating any found checksum. This logic relies on
+inet_proto_csum_replace_by_diff and produces an incorrect skb->csum when
+in state CHECKSUM_COMPLETE.
+
+This bug can be reproduced with a simple ILA to SIR mapping, assuming
+packets are received with CHECKSUM_COMPLETE:
+
+ $ ip a show dev eth0
+ 14: eth0@if15: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
+ link/ether 62:ae:35:9e:0f:8d brd ff:ff:ff:ff:ff:ff link-netnsid 0
+ inet6 3333:0:0:1::c078/64 scope global
+ valid_lft forever preferred_lft forever
+ inet6 fd00:10:244:1::c078/128 scope global nodad
+ valid_lft forever preferred_lft forever
+ inet6 fe80::60ae:35ff:fe9e:f8d/64 scope link proto kernel_ll
+ valid_lft forever preferred_lft forever
+ $ ip ila add loc_match fd00:10:244:1 loc 3333:0:0:1 \
+ csum-mode adj-transport ident-type luid dev eth0
+
+Then I hit [fd00:10:244:1::c078]:8000 with a server listening only on
+[3333:0:0:1::c078]:8000. With the bug, the SYN packet is dropped with
+SKB_DROP_REASON_TCP_CSUM after inet_proto_csum_replace_by_diff changed
+skb->csum. The translation and drop are visible on pwru [1] traces:
+
+ IFACE TUPLE FUNC
+ eth0:9 [fd00:10:244:3::3d8]:51420->[fd00:10:244:1::c078]:8000(tcp) ipv6_rcv
+ eth0:9 [fd00:10:244:3::3d8]:51420->[fd00:10:244:1::c078]:8000(tcp) ip6_rcv_core
+ eth0:9 [fd00:10:244:3::3d8]:51420->[fd00:10:244:1::c078]:8000(tcp) nf_hook_slow
+ eth0:9 [fd00:10:244:3::3d8]:51420->[fd00:10:244:1::c078]:8000(tcp) inet_proto_csum_replace_by_diff
+ eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) tcp_v6_early_demux
+ eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) ip6_route_input
+ eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) ip6_input
+ eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) ip6_input_finish
+ eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) ip6_protocol_deliver_rcu
+ eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) raw6_local_deliver
+ eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) ipv6_raw_deliver
+ eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) tcp_v6_rcv
+ eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) __skb_checksum_complete
+ eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) kfree_skb_reason(SKB_DROP_REASON_TCP_CSUM)
+ eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) skb_release_head_state
+ eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) skb_release_data
+ eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) skb_free_head
+ eth0:9 [fd00:10:244:3::3d8]:51420->[3333:0:0:1::c078]:8000(tcp) kfree_skbmem
+
+This is happening because inet_proto_csum_replace_by_diff is updating
+skb->csum when it shouldn't. The L4 checksum is updated such that it
+"cancels" the IPv6 address change in terms of checksum computation, so
+the impact on skb->csum is null.
+
+Note this would be different for an IPv4 packet since three fields
+would be updated: the IPv4 address, the IP checksum, and the L4
+checksum. Two would cancel each other and skb->csum would still need
+to be updated to take the L4 checksum change into account.
+
+This patch fixes it by passing an ipv6 flag to
+inet_proto_csum_replace_by_diff, to skip the skb->csum update if we're
+in the IPv6 case. Note the behavior of the only other user of
+inet_proto_csum_replace_by_diff, the BPF subsystem, is left as is in
+this patch and fixed in the subsequent patch.
+
+With the fix, using the reproduction from above, I can confirm
+skb->csum is not touched by inet_proto_csum_replace_by_diff and the TCP
+SYN proceeds to the application after the ILA translation.
+
+Link: https://github.com/cilium/pwru [1]
+Fixes: 65d7ab8de582 ("net: Identifier Locator Addressing module")
+Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
+Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://patch.msgid.link/b5539869e3550d46068504feb02d37653d939c0b.1748509484.git.paul.chaignon@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/checksum.h | 2 +-
+ net/core/filter.c | 2 +-
+ net/core/utils.c | 4 ++--
+ net/ipv6/ila/ila_common.c | 6 +++---
+ 4 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/include/net/checksum.h b/include/net/checksum.h
+index 1338cb92c8e72..28b101f26636e 100644
+--- a/include/net/checksum.h
++++ b/include/net/checksum.h
+@@ -158,7 +158,7 @@ void inet_proto_csum_replace16(__sum16 *sum, struct sk_buff *skb,
+ const __be32 *from, const __be32 *to,
+ bool pseudohdr);
+ void inet_proto_csum_replace_by_diff(__sum16 *sum, struct sk_buff *skb,
+- __wsum diff, bool pseudohdr);
++ __wsum diff, bool pseudohdr, bool ipv6);
+
+ static __always_inline
+ void inet_proto_csum_replace2(__sum16 *sum, struct sk_buff *skb,
+diff --git a/net/core/filter.c b/net/core/filter.c
+index 5143c8a9e52ca..e92f3a9017bb4 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -1987,7 +1987,7 @@ BPF_CALL_5(bpf_l4_csum_replace, struct sk_buff *, skb, u32, offset,
+ if (unlikely(from != 0))
+ return -EINVAL;
+
+- inet_proto_csum_replace_by_diff(ptr, skb, to, is_pseudo);
++ inet_proto_csum_replace_by_diff(ptr, skb, to, is_pseudo, false);
+ break;
+ case 2:
+ inet_proto_csum_replace2(ptr, skb, from, to, is_pseudo);
+diff --git a/net/core/utils.c b/net/core/utils.c
+index c994e95172acf..5895d034bf279 100644
+--- a/net/core/utils.c
++++ b/net/core/utils.c
+@@ -473,11 +473,11 @@ void inet_proto_csum_replace16(__sum16 *sum, struct sk_buff *skb,
+ EXPORT_SYMBOL(inet_proto_csum_replace16);
+
+ void inet_proto_csum_replace_by_diff(__sum16 *sum, struct sk_buff *skb,
+- __wsum diff, bool pseudohdr)
++ __wsum diff, bool pseudohdr, bool ipv6)
+ {
+ if (skb->ip_summed != CHECKSUM_PARTIAL) {
+ csum_replace_by_diff(sum, diff);
+- if (skb->ip_summed == CHECKSUM_COMPLETE && pseudohdr)
++ if (skb->ip_summed == CHECKSUM_COMPLETE && pseudohdr && !ipv6)
+ skb->csum = ~csum_sub(diff, skb->csum);
+ } else if (pseudohdr) {
+ *sum = ~csum_fold(csum_add(diff, csum_unfold(*sum)));
+diff --git a/net/ipv6/ila/ila_common.c b/net/ipv6/ila/ila_common.c
+index 95e9146918cc6..b8d43ed4689db 100644
+--- a/net/ipv6/ila/ila_common.c
++++ b/net/ipv6/ila/ila_common.c
+@@ -86,7 +86,7 @@ static void ila_csum_adjust_transport(struct sk_buff *skb,
+
+ diff = get_csum_diff(ip6h, p);
+ inet_proto_csum_replace_by_diff(&th->check, skb,
+- diff, true);
++ diff, true, true);
+ }
+ break;
+ case NEXTHDR_UDP:
+@@ -97,7 +97,7 @@ static void ila_csum_adjust_transport(struct sk_buff *skb,
+ if (uh->check || skb->ip_summed == CHECKSUM_PARTIAL) {
+ diff = get_csum_diff(ip6h, p);
+ inet_proto_csum_replace_by_diff(&uh->check, skb,
+- diff, true);
++ diff, true, true);
+ if (!uh->check)
+ uh->check = CSUM_MANGLED_0;
+ }
+@@ -111,7 +111,7 @@ static void ila_csum_adjust_transport(struct sk_buff *skb,
+
+ diff = get_csum_diff(ip6h, p);
+ inet_proto_csum_replace_by_diff(&ih->icmp6_cksum, skb,
+- diff, true);
++ diff, true, true);
+ }
+ break;
+ }
+--
+2.39.5
+
--- /dev/null
+From 7f5ffb33f61661cfdc3d267787ff4643038c6c0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 May 2025 09:26:08 +0800
+Subject: net: fix udp gso skb_segment after pull from frag_list
+
+From: Shiming Cheng <shiming.cheng@mediatek.com>
+
+[ Upstream commit 3382a1ed7f778db841063f5d7e317ac55f9e7f72 ]
+
+Commit a1e40ac5b5e9 ("net: gso: fix udp gso fraglist segmentation after
+pull from frag_list") detected invalid geometry in frag_list skbs and
+redirects them from skb_segment_list to more robust skb_segment. But some
+packets with modified geometry can also hit bugs in that code. We don't
+know how many such cases exist. Addressing each one by one also requires
+touching the complex skb_segment code, which risks introducing bugs for
+other types of skbs. Instead, linearize all these packets that fail the
+basic invariants on gso fraglist skbs. That is more robust.
+
+If only part of the fraglist payload is pulled into head_skb, it will
+always cause exception when splitting skbs by skb_segment. For detailed
+call stack information, see below.
+
+Valid SKB_GSO_FRAGLIST skbs
+- consist of two or more segments
+- the head_skb holds the protocol headers plus first gso_size
+- one or more frag_list skbs hold exactly one segment
+- all but the last must be gso_size
+
+Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can
+modify fraglist skbs, breaking these invariants.
+
+In extreme cases they pull one part of data into skb linear. For UDP,
+this causes three payloads with lengths of (11,11,10) bytes were
+pulled tail to become (12,10,10) bytes.
+
+The skbs no longer meets the above SKB_GSO_FRAGLIST conditions because
+payload was pulled into head_skb, it needs to be linearized before pass
+to regular skb_segment.
+
+ skb_segment+0xcd0/0xd14
+ __udp_gso_segment+0x334/0x5f4
+ udp4_ufo_fragment+0x118/0x15c
+ inet_gso_segment+0x164/0x338
+ skb_mac_gso_segment+0xc4/0x13c
+ __skb_gso_segment+0xc4/0x124
+ validate_xmit_skb+0x9c/0x2c0
+ validate_xmit_skb_list+0x4c/0x80
+ sch_direct_xmit+0x70/0x404
+ __dev_queue_xmit+0x64c/0xe5c
+ neigh_resolve_output+0x178/0x1c4
+ ip_finish_output2+0x37c/0x47c
+ __ip_finish_output+0x194/0x240
+ ip_finish_output+0x20/0xf4
+ ip_output+0x100/0x1a0
+ NF_HOOK+0xc4/0x16c
+ ip_forward+0x314/0x32c
+ ip_rcv+0x90/0x118
+ __netif_receive_skb+0x74/0x124
+ process_backlog+0xe8/0x1a4
+ __napi_poll+0x5c/0x1f8
+ net_rx_action+0x154/0x314
+ handle_softirqs+0x154/0x4b8
+
+ [118.376811] [C201134] rxq0_pus: [name:bug&]kernel BUG at net/core/skbuff.c:4278!
+ [118.376829] [C201134] rxq0_pus: [name:traps&]Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
+ [118.470774] [C201134] rxq0_pus: [name:mrdump&]Kernel Offset: 0x178cc00000 from 0xffffffc008000000
+ [118.470810] [C201134] rxq0_pus: [name:mrdump&]PHYS_OFFSET: 0x40000000
+ [118.470827] [C201134] rxq0_pus: [name:mrdump&]pstate: 60400005 (nZCv daif +PAN -UAO)
+ [118.470848] [C201134] rxq0_pus: [name:mrdump&]pc : [0xffffffd79598aefc] skb_segment+0xcd0/0xd14
+ [118.470900] [C201134] rxq0_pus: [name:mrdump&]lr : [0xffffffd79598a5e8] skb_segment+0x3bc/0xd14
+ [118.470928] [C201134] rxq0_pus: [name:mrdump&]sp : ffffffc008013770
+
+Fixes: a1e40ac5b5e9 ("gso: fix udp gso fraglist segmentation after pull from frag_list")
+Signed-off-by: Shiming Cheng <shiming.cheng@mediatek.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/udp_offload.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c
+index 132cfc3b2c847..3870b59f54004 100644
+--- a/net/ipv4/udp_offload.c
++++ b/net/ipv4/udp_offload.c
+@@ -332,6 +332,7 @@ struct sk_buff *__udp_gso_segment(struct sk_buff *gso_skb,
+ bool copy_dtor;
+ __sum16 check;
+ __be16 newlen;
++ int ret = 0;
+
+ mss = skb_shinfo(gso_skb)->gso_size;
+ if (gso_skb->len <= sizeof(*uh) + mss)
+@@ -354,6 +355,10 @@ struct sk_buff *__udp_gso_segment(struct sk_buff *gso_skb,
+ if (skb_pagelen(gso_skb) - sizeof(*uh) == skb_shinfo(gso_skb)->gso_size)
+ return __udp_gso_segment_list(gso_skb, features, is_ipv6);
+
++ ret = __skb_linearize(gso_skb);
++ if (ret)
++ return ERR_PTR(ret);
++
+ /* Setup csum, as fraglist skips this in udp4_gro_receive. */
+ gso_skb->csum_start = skb_transport_header(gso_skb) - gso_skb->head;
+ gso_skb->csum_offset = offsetof(struct udphdr, check);
+--
+2.39.5
+
--- /dev/null
+From 84ac328ce6fa6f1040ea03dcbbf228883125c994 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 May 2025 11:00:47 +0530
+Subject: net: lan743x: rename lan743x_reset_phy to lan743x_hw_reset_phy
+
+From: Thangaraj Samynathan <thangaraj.s@microchip.com>
+
+[ Upstream commit 68927eb52d0af04863584930db06075d2610e194 ]
+
+rename the function to lan743x_hw_reset_phy to better describe it
+operation.
+
+Fixes: 23f0703c125be ("lan743x: Add main source files for new lan743x driver")
+Signed-off-by: Thangaraj Samynathan <thangaraj.s@microchip.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/20250526053048.287095-2-thangaraj.s@microchip.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/microchip/lan743x_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/microchip/lan743x_main.c b/drivers/net/ethernet/microchip/lan743x_main.c
+index f971d60484f06..781440d5756f3 100644
+--- a/drivers/net/ethernet/microchip/lan743x_main.c
++++ b/drivers/net/ethernet/microchip/lan743x_main.c
+@@ -1373,7 +1373,7 @@ static int lan743x_mac_set_mtu(struct lan743x_adapter *adapter, int new_mtu)
+ }
+
+ /* PHY */
+-static int lan743x_phy_reset(struct lan743x_adapter *adapter)
++static int lan743x_hw_reset_phy(struct lan743x_adapter *adapter)
+ {
+ u32 data;
+
+@@ -1407,7 +1407,7 @@ static void lan743x_phy_update_flowcontrol(struct lan743x_adapter *adapter,
+
+ static int lan743x_phy_init(struct lan743x_adapter *adapter)
+ {
+- return lan743x_phy_reset(adapter);
++ return lan743x_hw_reset_phy(adapter);
+ }
+
+ static void lan743x_phy_link_status_change(struct net_device *netdev)
+--
+2.39.5
+
--- /dev/null
+From cf3ec00aa142e8415490d0eaf0876d9c4be7998f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 May 2025 14:41:59 +0200
+Subject: net: lan966x: Fix 1-step timestamping over ipv4 or ipv6
+
+From: Horatiu Vultur <horatiu.vultur@microchip.com>
+
+[ Upstream commit 57ee9584fd8606deef66d7b65fa4dcf94f6843aa ]
+
+When enabling 1-step timestamping for ptp frames that are over udpv4 or
+udpv6 then the inserted timestamp is added at the wrong offset in the
+frame, meaning that will modify the frame at the wrong place, so the
+frame will be malformed.
+To fix this, the HW needs to know which kind of frame it is to know
+where to insert the timestamp. For that there is a field in the IFH that
+says the PDU_TYPE, which can be NONE which is the default value,
+IPV4 or IPV6. Therefore make sure to set the PDU_TYPE so the HW knows
+where to insert the timestamp.
+Like I mention before the issue is not seen with L2 frames because by
+default the PDU_TYPE has a value of 0, which represents the L2 frames.
+
+Fixes: 77eecf25bd9d2f ("net: lan966x: Update extraction/injection for timestamping")
+Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
+Link: https://patch.msgid.link/20250521124159.2713525-1-horatiu.vultur@microchip.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/microchip/lan966x/lan966x_main.c | 6 +++
+ .../ethernet/microchip/lan966x/lan966x_main.h | 5 ++
+ .../ethernet/microchip/lan966x/lan966x_ptp.c | 49 ++++++++++++++-----
+ 3 files changed, 47 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_main.c b/drivers/net/ethernet/microchip/lan966x/lan966x_main.c
+index c3f6c10bc2393..05f6c92275830 100644
+--- a/drivers/net/ethernet/microchip/lan966x/lan966x_main.c
++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_main.c
+@@ -353,6 +353,11 @@ static void lan966x_ifh_set_rew_op(void *ifh, u64 rew_op)
+ lan966x_ifh_set(ifh, rew_op, IFH_POS_REW_CMD, IFH_WID_REW_CMD);
+ }
+
++static void lan966x_ifh_set_oam_type(void *ifh, u64 oam_type)
++{
++ lan966x_ifh_set(ifh, oam_type, IFH_POS_PDU_TYPE, IFH_WID_PDU_TYPE);
++}
++
+ static void lan966x_ifh_set_timestamp(void *ifh, u64 timestamp)
+ {
+ lan966x_ifh_set(ifh, timestamp, IFH_POS_TIMESTAMP, IFH_WID_TIMESTAMP);
+@@ -380,6 +385,7 @@ static netdev_tx_t lan966x_port_xmit(struct sk_buff *skb,
+ return err;
+
+ lan966x_ifh_set_rew_op(ifh, LAN966X_SKB_CB(skb)->rew_op);
++ lan966x_ifh_set_oam_type(ifh, LAN966X_SKB_CB(skb)->pdu_type);
+ lan966x_ifh_set_timestamp(ifh, LAN966X_SKB_CB(skb)->ts_id);
+ }
+
+diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_main.h b/drivers/net/ethernet/microchip/lan966x/lan966x_main.h
+index caa9e0533c96b..b65d58a1552b5 100644
+--- a/drivers/net/ethernet/microchip/lan966x/lan966x_main.h
++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_main.h
+@@ -74,6 +74,10 @@
+ #define IFH_REW_OP_ONE_STEP_PTP 0x3
+ #define IFH_REW_OP_TWO_STEP_PTP 0x4
+
++#define IFH_PDU_TYPE_NONE 0
++#define IFH_PDU_TYPE_IPV4 7
++#define IFH_PDU_TYPE_IPV6 8
++
+ #define FDMA_RX_DCB_MAX_DBS 1
+ #define FDMA_TX_DCB_MAX_DBS 1
+ #define FDMA_DCB_INFO_DATAL(x) ((x) & GENMASK(15, 0))
+@@ -306,6 +310,7 @@ struct lan966x_phc {
+
+ struct lan966x_skb_cb {
+ u8 rew_op;
++ u8 pdu_type;
+ u16 ts_id;
+ unsigned long jiffies;
+ };
+diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_ptp.c b/drivers/net/ethernet/microchip/lan966x/lan966x_ptp.c
+index 63905bb5a63a8..87e5e81d40dc6 100644
+--- a/drivers/net/ethernet/microchip/lan966x/lan966x_ptp.c
++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_ptp.c
+@@ -322,34 +322,55 @@ void lan966x_ptp_hwtstamp_get(struct lan966x_port *port,
+ *cfg = phc->hwtstamp_config;
+ }
+
+-static int lan966x_ptp_classify(struct lan966x_port *port, struct sk_buff *skb)
++static void lan966x_ptp_classify(struct lan966x_port *port, struct sk_buff *skb,
++ u8 *rew_op, u8 *pdu_type)
+ {
+ struct ptp_header *header;
+ u8 msgtype;
+ int type;
+
+- if (port->ptp_tx_cmd == IFH_REW_OP_NOOP)
+- return IFH_REW_OP_NOOP;
++ if (port->ptp_tx_cmd == IFH_REW_OP_NOOP) {
++ *rew_op = IFH_REW_OP_NOOP;
++ *pdu_type = IFH_PDU_TYPE_NONE;
++ return;
++ }
+
+ type = ptp_classify_raw(skb);
+- if (type == PTP_CLASS_NONE)
+- return IFH_REW_OP_NOOP;
++ if (type == PTP_CLASS_NONE) {
++ *rew_op = IFH_REW_OP_NOOP;
++ *pdu_type = IFH_PDU_TYPE_NONE;
++ return;
++ }
+
+ header = ptp_parse_header(skb, type);
+- if (!header)
+- return IFH_REW_OP_NOOP;
++ if (!header) {
++ *rew_op = IFH_REW_OP_NOOP;
++ *pdu_type = IFH_PDU_TYPE_NONE;
++ return;
++ }
+
+- if (port->ptp_tx_cmd == IFH_REW_OP_TWO_STEP_PTP)
+- return IFH_REW_OP_TWO_STEP_PTP;
++ if (type & PTP_CLASS_L2)
++ *pdu_type = IFH_PDU_TYPE_NONE;
++ if (type & PTP_CLASS_IPV4)
++ *pdu_type = IFH_PDU_TYPE_IPV4;
++ if (type & PTP_CLASS_IPV6)
++ *pdu_type = IFH_PDU_TYPE_IPV6;
++
++ if (port->ptp_tx_cmd == IFH_REW_OP_TWO_STEP_PTP) {
++ *rew_op = IFH_REW_OP_TWO_STEP_PTP;
++ return;
++ }
+
+ /* If it is sync and run 1 step then set the correct operation,
+ * otherwise run as 2 step
+ */
+ msgtype = ptp_get_msgtype(header, type);
+- if ((msgtype & 0xf) == 0)
+- return IFH_REW_OP_ONE_STEP_PTP;
++ if ((msgtype & 0xf) == 0) {
++ *rew_op = IFH_REW_OP_ONE_STEP_PTP;
++ return;
++ }
+
+- return IFH_REW_OP_TWO_STEP_PTP;
++ *rew_op = IFH_REW_OP_TWO_STEP_PTP;
+ }
+
+ static void lan966x_ptp_txtstamp_old_release(struct lan966x_port *port)
+@@ -374,10 +395,12 @@ int lan966x_ptp_txtstamp_request(struct lan966x_port *port,
+ {
+ struct lan966x *lan966x = port->lan966x;
+ unsigned long flags;
++ u8 pdu_type;
+ u8 rew_op;
+
+- rew_op = lan966x_ptp_classify(port, skb);
++ lan966x_ptp_classify(port, skb, &rew_op, &pdu_type);
+ LAN966X_SKB_CB(skb)->rew_op = rew_op;
++ LAN966X_SKB_CB(skb)->pdu_type = pdu_type;
+
+ if (rew_op != IFH_REW_OP_TWO_STEP_PTP)
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From b6c6f0b87b01203f500c4e12f805720c9d27651d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 May 2025 11:36:19 +0200
+Subject: net: lan966x: Make sure to insert the vlan tags also in host mode
+
+From: Horatiu Vultur <horatiu.vultur@microchip.com>
+
+[ Upstream commit 27eab4c644236a9324084a70fe79e511cbd07393 ]
+
+When running these commands on DUT (and similar at the other end)
+ip link set dev eth0 up
+ip link add link eth0 name eth0.10 type vlan id 10
+ip addr add 10.0.0.1/24 dev eth0.10
+ip link set dev eth0.10 up
+ping 10.0.0.2
+
+The ping will fail.
+
+The reason why is failing is because, the network interfaces for lan966x
+have a flag saying that the HW can insert the vlan tags into the
+frames(NETIF_F_HW_VLAN_CTAG_TX). Meaning that the frames that are
+transmitted don't have the vlan tag inside the skb data, but they have
+it inside the skb. We already get that vlan tag and put it in the IFH
+but the problem is that we don't configure the HW to rewrite the frame
+when the interface is in host mode.
+The fix consists in actually configuring the HW to insert the vlan tag
+if it is different than 0.
+
+Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Fixes: 6d2c186afa5d ("net: lan966x: Add vlan support.")
+Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
+Link: https://patch.msgid.link/20250528093619.3738998-1-horatiu.vultur@microchip.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/microchip/lan966x/lan966x_main.c | 1 +
+ .../ethernet/microchip/lan966x/lan966x_main.h | 1 +
+ .../microchip/lan966x/lan966x_switchdev.c | 1 +
+ .../ethernet/microchip/lan966x/lan966x_vlan.c | 21 +++++++++++++++++++
+ 4 files changed, 24 insertions(+)
+
+diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_main.c b/drivers/net/ethernet/microchip/lan966x/lan966x_main.c
+index 05f6c92275830..b424e75fd40c4 100644
+--- a/drivers/net/ethernet/microchip/lan966x/lan966x_main.c
++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_main.c
+@@ -881,6 +881,7 @@ static int lan966x_probe_port(struct lan966x *lan966x, u32 p,
+ lan966x_vlan_port_set_vlan_aware(port, 0);
+ lan966x_vlan_port_set_vid(port, HOST_PVID, false, false);
+ lan966x_vlan_port_apply(port);
++ lan966x_vlan_port_rew_host(port);
+
+ return 0;
+ }
+diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_main.h b/drivers/net/ethernet/microchip/lan966x/lan966x_main.h
+index b65d58a1552b5..5a16d76eb000d 100644
+--- a/drivers/net/ethernet/microchip/lan966x/lan966x_main.h
++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_main.h
+@@ -549,6 +549,7 @@ void lan966x_vlan_port_apply(struct lan966x_port *port);
+ bool lan966x_vlan_cpu_member_cpu_vlan_mask(struct lan966x *lan966x, u16 vid);
+ void lan966x_vlan_port_set_vlan_aware(struct lan966x_port *port,
+ bool vlan_aware);
++void lan966x_vlan_port_rew_host(struct lan966x_port *port);
+ int lan966x_vlan_port_set_vid(struct lan966x_port *port,
+ u16 vid,
+ bool pvid,
+diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_switchdev.c b/drivers/net/ethernet/microchip/lan966x/lan966x_switchdev.c
+index 1c88120eb291a..bcb4db76b75cd 100644
+--- a/drivers/net/ethernet/microchip/lan966x/lan966x_switchdev.c
++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_switchdev.c
+@@ -297,6 +297,7 @@ static void lan966x_port_bridge_leave(struct lan966x_port *port,
+ lan966x_vlan_port_set_vlan_aware(port, false);
+ lan966x_vlan_port_set_vid(port, HOST_PVID, false, false);
+ lan966x_vlan_port_apply(port);
++ lan966x_vlan_port_rew_host(port);
+ }
+
+ int lan966x_port_changeupper(struct net_device *dev,
+diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_vlan.c b/drivers/net/ethernet/microchip/lan966x/lan966x_vlan.c
+index 3c44660128dae..ffb245fb7d678 100644
+--- a/drivers/net/ethernet/microchip/lan966x/lan966x_vlan.c
++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_vlan.c
+@@ -149,6 +149,27 @@ void lan966x_vlan_port_set_vlan_aware(struct lan966x_port *port,
+ port->vlan_aware = vlan_aware;
+ }
+
++/* When the interface is in host mode, the interface should not be vlan aware
++ * but it should insert all the tags that it gets from the network stack.
++ * The tags are not in the data of the frame but actually in the skb and the ifh
++ * is configured already to get this tag. So what we need to do is to update the
++ * rewriter to insert the vlan tag for all frames which have a vlan tag
++ * different than 0.
++ */
++void lan966x_vlan_port_rew_host(struct lan966x_port *port)
++{
++ struct lan966x *lan966x = port->lan966x;
++ u32 val;
++
++ /* Tag all frames except when VID=0*/
++ val = REW_TAG_CFG_TAG_CFG_SET(2);
++
++ /* Update only some bits in the register */
++ lan_rmw(val,
++ REW_TAG_CFG_TAG_CFG,
++ lan966x, REW_TAG_CFG(port->chip_port));
++}
++
+ void lan966x_vlan_port_apply(struct lan966x_port *port)
+ {
+ struct lan966x *lan966x = port->lan966x;
+--
+2.39.5
+
--- /dev/null
+From e97ef6350cb057e0512f9f3598124835eb347756 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 May 2025 11:11:09 +0300
+Subject: net/mlx4_en: Prevent potential integer overflow calculating Hz
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 54d34165b4f786d7fea8412a18fb4a54c1eab623 ]
+
+The "freq" variable is in terms of MHz and "max_val_cycles" is in terms
+of Hz. The fact that "max_val_cycles" is a u64 suggests that support
+for high frequency is intended but the "freq_khz * 1000" would overflow
+the u32 type if we went above 4GHz. Use unsigned long long type for the
+mutliplication to prevent that.
+
+Fixes: 31c128b66e5b ("net/mlx4_en: Choose time-stamping shift value according to HW frequency")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/aDbFHe19juIJKjsb@stanley.mountain
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx4/en_clock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx4/en_clock.c b/drivers/net/ethernet/mellanox/mlx4/en_clock.c
+index 9e3b761820881..2d5b86207e079 100644
+--- a/drivers/net/ethernet/mellanox/mlx4/en_clock.c
++++ b/drivers/net/ethernet/mellanox/mlx4/en_clock.c
+@@ -249,7 +249,7 @@ static const struct ptp_clock_info mlx4_en_ptp_clock_info = {
+ static u32 freq_to_shift(u16 freq)
+ {
+ u32 freq_khz = freq * 1000;
+- u64 max_val_cycles = freq_khz * 1000 * MLX4_EN_WRAP_AROUND_SEC;
++ u64 max_val_cycles = freq_khz * 1000ULL * MLX4_EN_WRAP_AROUND_SEC;
+ u64 max_val_cycles_rounded = 1ULL << fls64(max_val_cycles - 1);
+ /* calculate max possible multiplier in order to fit in 64bit */
+ u64 max_mul = div64_u64(ULLONG_MAX, max_val_cycles_rounded);
+--
+2.39.5
+
--- /dev/null
+From 8d0ea62126066c34e0176a135f830180c53ca0cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Apr 2025 18:23:08 -0700
+Subject: net: ncsi: Fix GCPS 64-bit member variables
+
+From: Hari Kalavakunta <kalavakunta.hari.prasad@gmail.com>
+
+[ Upstream commit e8a1bd8344054ce27bebf59f48e3f6bc10bc419b ]
+
+Correct Get Controller Packet Statistics (GCPS) 64-bit wide member
+variables, as per DSP0222 v1.0.0 and forward specs. The Driver currently
+collects these stats, but they are yet to be exposed to the user.
+Therefore, no user impact.
+
+Statistics fixes:
+Total Bytes Received (byte range 28..35)
+Total Bytes Transmitted (byte range 36..43)
+Total Unicast Packets Received (byte range 44..51)
+Total Multicast Packets Received (byte range 52..59)
+Total Broadcast Packets Received (byte range 60..67)
+Total Unicast Packets Transmitted (byte range 68..75)
+Total Multicast Packets Transmitted (byte range 76..83)
+Total Broadcast Packets Transmitted (byte range 84..91)
+Valid Bytes Received (byte range 204..11)
+
+Signed-off-by: Hari Kalavakunta <kalavakunta.hari.prasad@gmail.com>
+Reviewed-by: Paul Fertser <fercerpav@gmail.com>
+Link: https://patch.msgid.link/20250410012309.1343-1-kalavakunta.hari.prasad@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ncsi/internal.h | 21 ++++++++++-----------
+ net/ncsi/ncsi-pkt.h | 23 +++++++++++------------
+ net/ncsi/ncsi-rsp.c | 21 ++++++++++-----------
+ 3 files changed, 31 insertions(+), 34 deletions(-)
+
+diff --git a/net/ncsi/internal.h b/net/ncsi/internal.h
+index 4e0842df5234e..2c260f33b55cc 100644
+--- a/net/ncsi/internal.h
++++ b/net/ncsi/internal.h
+@@ -143,16 +143,15 @@ struct ncsi_channel_vlan_filter {
+ };
+
+ struct ncsi_channel_stats {
+- u32 hnc_cnt_hi; /* Counter cleared */
+- u32 hnc_cnt_lo; /* Counter cleared */
+- u32 hnc_rx_bytes; /* Rx bytes */
+- u32 hnc_tx_bytes; /* Tx bytes */
+- u32 hnc_rx_uc_pkts; /* Rx UC packets */
+- u32 hnc_rx_mc_pkts; /* Rx MC packets */
+- u32 hnc_rx_bc_pkts; /* Rx BC packets */
+- u32 hnc_tx_uc_pkts; /* Tx UC packets */
+- u32 hnc_tx_mc_pkts; /* Tx MC packets */
+- u32 hnc_tx_bc_pkts; /* Tx BC packets */
++ u64 hnc_cnt; /* Counter cleared */
++ u64 hnc_rx_bytes; /* Rx bytes */
++ u64 hnc_tx_bytes; /* Tx bytes */
++ u64 hnc_rx_uc_pkts; /* Rx UC packets */
++ u64 hnc_rx_mc_pkts; /* Rx MC packets */
++ u64 hnc_rx_bc_pkts; /* Rx BC packets */
++ u64 hnc_tx_uc_pkts; /* Tx UC packets */
++ u64 hnc_tx_mc_pkts; /* Tx MC packets */
++ u64 hnc_tx_bc_pkts; /* Tx BC packets */
+ u32 hnc_fcs_err; /* FCS errors */
+ u32 hnc_align_err; /* Alignment errors */
+ u32 hnc_false_carrier; /* False carrier detection */
+@@ -181,7 +180,7 @@ struct ncsi_channel_stats {
+ u32 hnc_tx_1023_frames; /* Tx 512-1023 bytes frames */
+ u32 hnc_tx_1522_frames; /* Tx 1024-1522 bytes frames */
+ u32 hnc_tx_9022_frames; /* Tx 1523-9022 bytes frames */
+- u32 hnc_rx_valid_bytes; /* Rx valid bytes */
++ u64 hnc_rx_valid_bytes; /* Rx valid bytes */
+ u32 hnc_rx_runt_pkts; /* Rx error runt packets */
+ u32 hnc_rx_jabber_pkts; /* Rx error jabber packets */
+ u32 ncsi_rx_cmds; /* Rx NCSI commands */
+diff --git a/net/ncsi/ncsi-pkt.h b/net/ncsi/ncsi-pkt.h
+index f2f3b5c1b9412..24edb27379724 100644
+--- a/net/ncsi/ncsi-pkt.h
++++ b/net/ncsi/ncsi-pkt.h
+@@ -252,16 +252,15 @@ struct ncsi_rsp_gp_pkt {
+ /* Get Controller Packet Statistics */
+ struct ncsi_rsp_gcps_pkt {
+ struct ncsi_rsp_pkt_hdr rsp; /* Response header */
+- __be32 cnt_hi; /* Counter cleared */
+- __be32 cnt_lo; /* Counter cleared */
+- __be32 rx_bytes; /* Rx bytes */
+- __be32 tx_bytes; /* Tx bytes */
+- __be32 rx_uc_pkts; /* Rx UC packets */
+- __be32 rx_mc_pkts; /* Rx MC packets */
+- __be32 rx_bc_pkts; /* Rx BC packets */
+- __be32 tx_uc_pkts; /* Tx UC packets */
+- __be32 tx_mc_pkts; /* Tx MC packets */
+- __be32 tx_bc_pkts; /* Tx BC packets */
++ __be64 cnt; /* Counter cleared */
++ __be64 rx_bytes; /* Rx bytes */
++ __be64 tx_bytes; /* Tx bytes */
++ __be64 rx_uc_pkts; /* Rx UC packets */
++ __be64 rx_mc_pkts; /* Rx MC packets */
++ __be64 rx_bc_pkts; /* Rx BC packets */
++ __be64 tx_uc_pkts; /* Tx UC packets */
++ __be64 tx_mc_pkts; /* Tx MC packets */
++ __be64 tx_bc_pkts; /* Tx BC packets */
+ __be32 fcs_err; /* FCS errors */
+ __be32 align_err; /* Alignment errors */
+ __be32 false_carrier; /* False carrier detection */
+@@ -290,11 +289,11 @@ struct ncsi_rsp_gcps_pkt {
+ __be32 tx_1023_frames; /* Tx 512-1023 bytes frames */
+ __be32 tx_1522_frames; /* Tx 1024-1522 bytes frames */
+ __be32 tx_9022_frames; /* Tx 1523-9022 bytes frames */
+- __be32 rx_valid_bytes; /* Rx valid bytes */
++ __be64 rx_valid_bytes; /* Rx valid bytes */
+ __be32 rx_runt_pkts; /* Rx error runt packets */
+ __be32 rx_jabber_pkts; /* Rx error jabber packets */
+ __be32 checksum; /* Checksum */
+-};
++} __packed __aligned(4);
+
+ /* Get NCSI Statistics */
+ struct ncsi_rsp_gns_pkt {
+diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c
+index 4a8ce2949faea..8668888c5a2f9 100644
+--- a/net/ncsi/ncsi-rsp.c
++++ b/net/ncsi/ncsi-rsp.c
+@@ -926,16 +926,15 @@ static int ncsi_rsp_handler_gcps(struct ncsi_request *nr)
+
+ /* Update HNC's statistics */
+ ncs = &nc->stats;
+- ncs->hnc_cnt_hi = ntohl(rsp->cnt_hi);
+- ncs->hnc_cnt_lo = ntohl(rsp->cnt_lo);
+- ncs->hnc_rx_bytes = ntohl(rsp->rx_bytes);
+- ncs->hnc_tx_bytes = ntohl(rsp->tx_bytes);
+- ncs->hnc_rx_uc_pkts = ntohl(rsp->rx_uc_pkts);
+- ncs->hnc_rx_mc_pkts = ntohl(rsp->rx_mc_pkts);
+- ncs->hnc_rx_bc_pkts = ntohl(rsp->rx_bc_pkts);
+- ncs->hnc_tx_uc_pkts = ntohl(rsp->tx_uc_pkts);
+- ncs->hnc_tx_mc_pkts = ntohl(rsp->tx_mc_pkts);
+- ncs->hnc_tx_bc_pkts = ntohl(rsp->tx_bc_pkts);
++ ncs->hnc_cnt = be64_to_cpu(rsp->cnt);
++ ncs->hnc_rx_bytes = be64_to_cpu(rsp->rx_bytes);
++ ncs->hnc_tx_bytes = be64_to_cpu(rsp->tx_bytes);
++ ncs->hnc_rx_uc_pkts = be64_to_cpu(rsp->rx_uc_pkts);
++ ncs->hnc_rx_mc_pkts = be64_to_cpu(rsp->rx_mc_pkts);
++ ncs->hnc_rx_bc_pkts = be64_to_cpu(rsp->rx_bc_pkts);
++ ncs->hnc_tx_uc_pkts = be64_to_cpu(rsp->tx_uc_pkts);
++ ncs->hnc_tx_mc_pkts = be64_to_cpu(rsp->tx_mc_pkts);
++ ncs->hnc_tx_bc_pkts = be64_to_cpu(rsp->tx_bc_pkts);
+ ncs->hnc_fcs_err = ntohl(rsp->fcs_err);
+ ncs->hnc_align_err = ntohl(rsp->align_err);
+ ncs->hnc_false_carrier = ntohl(rsp->false_carrier);
+@@ -964,7 +963,7 @@ static int ncsi_rsp_handler_gcps(struct ncsi_request *nr)
+ ncs->hnc_tx_1023_frames = ntohl(rsp->tx_1023_frames);
+ ncs->hnc_tx_1522_frames = ntohl(rsp->tx_1522_frames);
+ ncs->hnc_tx_9022_frames = ntohl(rsp->tx_9022_frames);
+- ncs->hnc_rx_valid_bytes = ntohl(rsp->rx_valid_bytes);
++ ncs->hnc_rx_valid_bytes = be64_to_cpu(rsp->rx_valid_bytes);
+ ncs->hnc_rx_runt_pkts = ntohl(rsp->rx_runt_pkts);
+ ncs->hnc_rx_jabber_pkts = ntohl(rsp->rx_jabber_pkts);
+
+--
+2.39.5
+
--- /dev/null
+From 82c6e785a1acf4ce4e354e667f56ab086a9af3c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 May 2025 03:41:43 +0000
+Subject: net: openvswitch: Fix the dead loop of MPLS parse
+
+From: Faicker Mo <faicker.mo@zenlayer.com>
+
+[ Upstream commit 0bdc924bfb319fb10d1113cbf091fc26fb7b1f99 ]
+
+The unexpected MPLS packet may not end with the bottom label stack.
+When there are many stacks, The label count value has wrapped around.
+A dead loop occurs, soft lockup/CPU stuck finally.
+
+stack backtrace:
+UBSAN: array-index-out-of-bounds in /build/linux-0Pa0xK/linux-5.15.0/net/openvswitch/flow.c:662:26
+index -1 is out of range for type '__be32 [3]'
+CPU: 34 PID: 0 Comm: swapper/34 Kdump: loaded Tainted: G OE 5.15.0-121-generic #131-Ubuntu
+Hardware name: Dell Inc. PowerEdge C6420/0JP9TF, BIOS 2.12.2 07/14/2021
+Call Trace:
+ <IRQ>
+ show_stack+0x52/0x5c
+ dump_stack_lvl+0x4a/0x63
+ dump_stack+0x10/0x16
+ ubsan_epilogue+0x9/0x36
+ __ubsan_handle_out_of_bounds.cold+0x44/0x49
+ key_extract_l3l4+0x82a/0x840 [openvswitch]
+ ? kfree_skbmem+0x52/0xa0
+ key_extract+0x9c/0x2b0 [openvswitch]
+ ovs_flow_key_extract+0x124/0x350 [openvswitch]
+ ovs_vport_receive+0x61/0xd0 [openvswitch]
+ ? kernel_init_free_pages.part.0+0x4a/0x70
+ ? get_page_from_freelist+0x353/0x540
+ netdev_port_receive+0xc4/0x180 [openvswitch]
+ ? netdev_port_receive+0x180/0x180 [openvswitch]
+ netdev_frame_hook+0x1f/0x40 [openvswitch]
+ __netif_receive_skb_core.constprop.0+0x23a/0xf00
+ __netif_receive_skb_list_core+0xfa/0x240
+ netif_receive_skb_list_internal+0x18e/0x2a0
+ napi_complete_done+0x7a/0x1c0
+ bnxt_poll+0x155/0x1c0 [bnxt_en]
+ __napi_poll+0x30/0x180
+ net_rx_action+0x126/0x280
+ ? bnxt_msix+0x67/0x80 [bnxt_en]
+ handle_softirqs+0xda/0x2d0
+ irq_exit_rcu+0x96/0xc0
+ common_interrupt+0x8e/0xa0
+ </IRQ>
+
+Fixes: fbdcdd78da7c ("Change in Openvswitch to support MPLS label depth of 3 in ingress direction")
+Signed-off-by: Faicker Mo <faicker.mo@zenlayer.com>
+Acked-by: Ilya Maximets <i.maximets@ovn.org>
+Reviewed-by: Aaron Conole <aconole@redhat.com>
+Link: https://patch.msgid.link/259D3404-575D-4A6D-B263-1DF59A67CF89@zenlayer.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/openvswitch/flow.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c
+index 8a848ce72e291..b80bd3a907739 100644
+--- a/net/openvswitch/flow.c
++++ b/net/openvswitch/flow.c
+@@ -788,7 +788,7 @@ static int key_extract_l3l4(struct sk_buff *skb, struct sw_flow_key *key)
+ memset(&key->ipv4, 0, sizeof(key->ipv4));
+ }
+ } else if (eth_p_mpls(key->eth.type)) {
+- u8 label_count = 1;
++ size_t label_count = 1;
+
+ memset(&key->mpls, 0, sizeof(key->mpls));
+ skb_set_inner_network_header(skb, skb->mac_len);
+--
+2.39.5
+
--- /dev/null
+From bd409ef863dbf76279dfdaf129878ebe28054d5b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 May 2025 16:37:59 +0800
+Subject: net: phy: clear phydev->devlink when the link is deleted
+
+From: Wei Fang <wei.fang@nxp.com>
+
+[ Upstream commit 0795b05a59b1371b18ffbf09d385296b12e9f5d5 ]
+
+There is a potential crash issue when disabling and re-enabling the
+network port. When disabling the network port, phy_detach() calls
+device_link_del() to remove the device link, but it does not clear
+phydev->devlink, so phydev->devlink is not a NULL pointer. Then the
+network port is re-enabled, but if phy_attach_direct() fails before
+calling device_link_add(), the code jumps to the "error" label and
+calls phy_detach(). Since phydev->devlink retains the old value from
+the previous attach/detach cycle, device_link_del() uses the old value,
+which accesses a NULL pointer and causes a crash. The simplified crash
+log is as follows.
+
+[ 24.702421] Call trace:
+[ 24.704856] device_link_put_kref+0x20/0x120
+[ 24.709124] device_link_del+0x30/0x48
+[ 24.712864] phy_detach+0x24/0x168
+[ 24.716261] phy_attach_direct+0x168/0x3a4
+[ 24.720352] phylink_fwnode_phy_connect+0xc8/0x14c
+[ 24.725140] phylink_of_phy_connect+0x1c/0x34
+
+Therefore, phydev->devlink needs to be cleared when the device link is
+deleted.
+
+Fixes: bc66fa87d4fd ("net: phy: Add link between phy dev and mac dev")
+Signed-off-by: Wei Fang <wei.fang@nxp.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://patch.msgid.link/20250523083759.3741168-1-wei.fang@nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/phy_device.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
+index ec2a3d16b1a2d..cde0e80474a1d 100644
+--- a/drivers/net/phy/phy_device.c
++++ b/drivers/net/phy/phy_device.c
+@@ -1806,8 +1806,10 @@ void phy_detach(struct phy_device *phydev)
+ struct module *ndev_owner = NULL;
+ struct mii_bus *bus;
+
+- if (phydev->devlink)
++ if (phydev->devlink) {
+ device_link_del(phydev->devlink);
++ phydev->devlink = NULL;
++ }
+
+ if (phydev->sysfs_links) {
+ if (dev)
+--
+2.39.5
+
--- /dev/null
+From 5d82412ca0b160077b449944efdea65b7aee9d66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 May 2025 13:21:47 +0200
+Subject: net: phy: fix up const issues in to_mdio_device() and to_phy_device()
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+[ Upstream commit e9cb929670a1e98b592b30f03f06e9e20110f318 ]
+
+Both to_mdio_device() and to_phy_device() "throw away" the const pointer
+attribute passed to them and return a non-const pointer, which generally
+is not a good thing overall. Fix this up by using container_of_const()
+which was designed for this very problem.
+
+Cc: Alexander Lobakin <alobakin@pm.me>
+Cc: Andrew Lunn <andrew@lunn.ch>
+Cc: Heiner Kallweit <hkallweit1@gmail.com>
+Cc: Russell King <linux@armlinux.org.uk>
+Fixes: 7eab14de73a8 ("mdio, phy: fix -Wshadow warnings triggered by nested container_of()")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Link: https://patch.msgid.link/2025052246-conduit-glory-8fc9@gregkh
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/mdio.h | 5 +----
+ include/linux/phy.h | 5 +----
+ 2 files changed, 2 insertions(+), 8 deletions(-)
+
+diff --git a/include/linux/mdio.h b/include/linux/mdio.h
+index 8fa23bdcedbf9..0bca1a960853f 100644
+--- a/include/linux/mdio.h
++++ b/include/linux/mdio.h
+@@ -44,10 +44,7 @@ struct mdio_device {
+ unsigned int reset_deassert_delay;
+ };
+
+-static inline struct mdio_device *to_mdio_device(const struct device *dev)
+-{
+- return container_of(dev, struct mdio_device, dev);
+-}
++#define to_mdio_device(__dev) container_of_const(__dev, struct mdio_device, dev)
+
+ /* struct mdio_driver_common: Common to all MDIO drivers */
+ struct mdio_driver_common {
+diff --git a/include/linux/phy.h b/include/linux/phy.h
+index 5aa30ee998104..a57e799b1de18 100644
+--- a/include/linux/phy.h
++++ b/include/linux/phy.h
+@@ -766,10 +766,7 @@ struct phy_device {
+ /* Generic phy_device::dev_flags */
+ #define PHY_F_NO_IRQ 0x80000000
+
+-static inline struct phy_device *to_phy_device(const struct device *dev)
+-{
+- return container_of(to_mdio_device(dev), struct phy_device, mdio);
+-}
++#define to_phy_device(__dev) container_of_const(to_mdio_device(__dev), struct phy_device, mdio)
+
+ /**
+ * struct phy_tdr_config - Configuration of a TDR raw test
+--
+2.39.5
+
--- /dev/null
+From 8324ed66657333cd3a3b084bb9c1ccf23de805d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 May 2025 13:57:22 +0200
+Subject: net: phy: mscc: Fix memory leak when using one step timestamping
+
+From: Horatiu Vultur <horatiu.vultur@microchip.com>
+
+[ Upstream commit 846992645b25ec4253167e3f931e4597eb84af56 ]
+
+Fix memory leak when running one-step timestamping. When running
+one-step sync timestamping, the HW is configured to insert the TX time
+into the frame, so there is no reason to keep the skb anymore. As in
+this case the HW will never generate an interrupt to say that the frame
+was timestamped, then the frame will never released.
+Fix this by freeing the frame in case of one-step timestamping.
+
+Fixes: 7d272e63e0979d ("net: phy: mscc: timestamping and PHC support")
+Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
+Link: https://patch.msgid.link/20250522115722.2827199-1-horatiu.vultur@microchip.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/mscc/mscc_ptp.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/phy/mscc/mscc_ptp.c b/drivers/net/phy/mscc/mscc_ptp.c
+index cf728bfd83e22..af44b01f3d383 100644
+--- a/drivers/net/phy/mscc/mscc_ptp.c
++++ b/drivers/net/phy/mscc/mscc_ptp.c
+@@ -1165,18 +1165,24 @@ static void vsc85xx_txtstamp(struct mii_timestamper *mii_ts,
+ container_of(mii_ts, struct vsc8531_private, mii_ts);
+
+ if (!vsc8531->ptp->configured)
+- return;
++ goto out;
+
+- if (vsc8531->ptp->tx_type == HWTSTAMP_TX_OFF) {
+- kfree_skb(skb);
+- return;
+- }
++ if (vsc8531->ptp->tx_type == HWTSTAMP_TX_OFF)
++ goto out;
++
++ if (vsc8531->ptp->tx_type == HWTSTAMP_TX_ONESTEP_SYNC)
++ if (ptp_msg_is_sync(skb, type))
++ goto out;
+
+ skb_shinfo(skb)->tx_flags |= SKBTX_IN_PROGRESS;
+
+ mutex_lock(&vsc8531->ts_lock);
+ __skb_queue_tail(&vsc8531->ptp->tx_queue, skb);
+ mutex_unlock(&vsc8531->ts_lock);
++ return;
++
++out:
++ kfree_skb(skb);
+ }
+
+ static bool vsc85xx_rxtstamp(struct mii_timestamper *mii_ts,
+--
+2.39.5
+
--- /dev/null
+From 571b639193c88f0d922dc43417b29a6adba52f75 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 May 2025 10:27:16 +0200
+Subject: net: phy: mscc: Stop clearing the the UDPv4 checksum for L2 frames
+
+From: Horatiu Vultur <horatiu.vultur@microchip.com>
+
+[ Upstream commit 57a92d14659df3e7e7e0052358c8cc68bbbc3b5e ]
+
+We have noticed that when PHY timestamping is enabled, L2 frames seems
+to be modified by changing two 2 bytes with a value of 0. The place were
+these 2 bytes seems to be random(or I couldn't find a pattern). In most
+of the cases the userspace can ignore these frames but if for example
+those 2 bytes are in the correction field there is nothing to do. This
+seems to happen when configuring the HW for IPv4 even that the flow is
+not enabled.
+These 2 bytes correspond to the UDPv4 checksum and once we don't enable
+clearing the checksum when using L2 frames then the frame doesn't seem
+to be changed anymore.
+
+Fixes: 7d272e63e0979d ("net: phy: mscc: timestamping and PHC support")
+Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
+Link: https://patch.msgid.link/20250523082716.2935895-1-horatiu.vultur@microchip.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/mscc/mscc_ptp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/mscc/mscc_ptp.c b/drivers/net/phy/mscc/mscc_ptp.c
+index af44b01f3d383..7e7ce79eadffb 100644
+--- a/drivers/net/phy/mscc/mscc_ptp.c
++++ b/drivers/net/phy/mscc/mscc_ptp.c
+@@ -943,7 +943,9 @@ static int vsc85xx_ip1_conf(struct phy_device *phydev, enum ts_blk blk,
+ /* UDP checksum offset in IPv4 packet
+ * according to: https://tools.ietf.org/html/rfc768
+ */
+- val |= IP1_NXT_PROT_UDP_CHKSUM_OFF(26) | IP1_NXT_PROT_UDP_CHKSUM_CLEAR;
++ val |= IP1_NXT_PROT_UDP_CHKSUM_OFF(26);
++ if (enable)
++ val |= IP1_NXT_PROT_UDP_CHKSUM_CLEAR;
+ vsc85xx_ts_write_csr(phydev, blk, MSCC_ANA_IP1_NXT_PROT_UDP_CHKSUM,
+ val);
+
+--
+2.39.5
+
--- /dev/null
+From c66735a8e3922a3217962ab4a458d8af777c904e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 May 2025 11:07:23 +0200
+Subject: net: stmmac: make sure that ptp_rate is not 0 before configuring
+ timestamping
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alexis Lothoré <alexis.lothore@bootlin.com>
+
+[ Upstream commit 030ce919e114a111e83b7976ecb3597cefd33f26 ]
+
+The stmmac platform drivers that do not open-code the clk_ptp_rate value
+after having retrieved the default one from the device-tree can end up
+with 0 in clk_ptp_rate (as clk_get_rate can return 0). It will
+eventually propagate up to PTP initialization when bringing up the
+interface, leading to a divide by 0:
+
+ Division by zero in kernel.
+ CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.30-00001-g48313bd5768a #22
+ Hardware name: STM32 (Device Tree Support)
+ Call trace:
+ unwind_backtrace from show_stack+0x18/0x1c
+ show_stack from dump_stack_lvl+0x6c/0x8c
+ dump_stack_lvl from Ldiv0_64+0x8/0x18
+ Ldiv0_64 from stmmac_init_tstamp_counter+0x190/0x1a4
+ stmmac_init_tstamp_counter from stmmac_hw_setup+0xc1c/0x111c
+ stmmac_hw_setup from __stmmac_open+0x18c/0x434
+ __stmmac_open from stmmac_open+0x3c/0xbc
+ stmmac_open from __dev_open+0xf4/0x1ac
+ __dev_open from __dev_change_flags+0x1cc/0x224
+ __dev_change_flags from dev_change_flags+0x24/0x60
+ dev_change_flags from ip_auto_config+0x2e8/0x11a0
+ ip_auto_config from do_one_initcall+0x84/0x33c
+ do_one_initcall from kernel_init_freeable+0x1b8/0x214
+ kernel_init_freeable from kernel_init+0x24/0x140
+ kernel_init from ret_from_fork+0x14/0x28
+ Exception stack(0xe0815fb0 to 0xe0815ff8)
+
+Prevent this division by 0 by adding an explicit check and error log
+about the actual issue. While at it, remove the same check from
+stmmac_ptp_register, which then becomes duplicate
+
+Fixes: 19d857c9038e ("stmmac: Fix calculations for ptp counters when clock input = 50Mhz.")
+Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
+Reviewed-by: Yanteng Si <si.yanteng@linux.dev>
+Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Link: https://patch.msgid.link/20250529-stmmac_tstamp_div-v4-1-d73340a794d5@bootlin.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 5 +++++
+ drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c | 2 +-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index d3d5c01f6dcba..615d25a0e46be 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -842,6 +842,11 @@ int stmmac_init_tstamp_counter(struct stmmac_priv *priv, u32 systime_flags)
+ if (!(priv->dma_cap.time_stamp || priv->dma_cap.atime_stamp))
+ return -EOPNOTSUPP;
+
++ if (!priv->plat->clk_ptp_rate) {
++ netdev_err(priv->dev, "Invalid PTP clock rate");
++ return -EINVAL;
++ }
++
+ stmmac_config_hw_tstamping(priv, priv->ptpaddr, systime_flags);
+ priv->systime_flags = systime_flags;
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c
+index a04bb2e42c4ee..80ecbd73333d9 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c
+@@ -295,7 +295,7 @@ void stmmac_ptp_register(struct stmmac_priv *priv)
+
+ /* Calculate the clock domain crossing (CDC) error if necessary */
+ priv->plat->cdc_error_adj = 0;
+- if (priv->plat->has_gmac4 && priv->plat->clk_ptp_rate)
++ if (priv->plat->has_gmac4)
+ priv->plat->cdc_error_adj = (2 * NSEC_PER_SEC) / priv->plat->clk_ptp_rate;
+
+ stmmac_ptp_clock_ops.n_per_out = priv->dma_cap.pps_out_num;
+--
+2.39.5
+
--- /dev/null
+From 4f97605f7e4b797a2508953dee36fb57db73cb78 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 May 2025 13:56:23 +0200
+Subject: net: stmmac: platform: guarantee uniqueness of bus_id
+
+From: Quentin Schulz <quentin.schulz@cherry.de>
+
+[ Upstream commit eb7fd7aa35bfcc1e1fda4ecc42ccfcb526cdc780 ]
+
+bus_id is currently derived from the ethernetX alias. If one is missing
+for the device, 0 is used. If ethernet0 points to another stmmac device
+or if there are 2+ stmmac devices without an ethernet alias, then bus_id
+will be 0 for all of those.
+
+This is an issue because the bus_id is used to generate the mdio bus id
+(new_bus->id in drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c
+stmmac_mdio_register) and this needs to be unique.
+
+This allows to avoid needing to define ethernet aliases for devices with
+multiple stmmac controllers (such as the Rockchip RK3588) for multiple
+stmmac devices to probe properly.
+
+Obviously, the bus_id isn't guaranteed to be stable across reboots if no
+alias is set for the device but that is easily fixed by simply adding an
+alias if this is desired.
+
+Fixes: 25c83b5c2e82 ("dt:net:stmmac: Add support to dwmac version 3.610 and 3.710")
+Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
+Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Link: https://patch.msgid.link/20250527-stmmac-mdio-bus_id-v2-1-a5ca78454e3c@cherry.de
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
+index 4d570efd9d4bb..6c684f6ee84be 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
+@@ -419,6 +419,7 @@ stmmac_probe_config_dt(struct platform_device *pdev, u8 *mac)
+ struct device_node *np = pdev->dev.of_node;
+ struct plat_stmmacenet_data *plat;
+ struct stmmac_dma_cfg *dma_cfg;
++ static int bus_id = -ENODEV;
+ int phy_mode;
+ void *ret;
+ int rc;
+@@ -454,8 +455,14 @@ stmmac_probe_config_dt(struct platform_device *pdev, u8 *mac)
+ of_property_read_u32(np, "max-speed", &plat->max_speed);
+
+ plat->bus_id = of_alias_get_id(np, "ethernet");
+- if (plat->bus_id < 0)
+- plat->bus_id = 0;
++ if (plat->bus_id < 0) {
++ if (bus_id < 0)
++ bus_id = of_alias_get_highest_id("ethernet");
++ /* No ethernet alias found, init at -1 so first bus_id is 0 */
++ if (bus_id < 0)
++ bus_id = -1;
++ plat->bus_id = ++bus_id;
++ }
+
+ /* Default to phy auto-detection */
+ plat->phy_addr = -1;
+--
+2.39.5
+
--- /dev/null
+From c68636623848e7e35f7313f4ec010824e75282d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 May 2025 16:35:44 +0000
+Subject: net: tipc: fix refcount warning in tipc_aead_encrypt
+
+From: Charalampos Mitrodimas <charmitro@posteo.net>
+
+[ Upstream commit f29ccaa07cf3d35990f4d25028cc55470d29372b ]
+
+syzbot reported a refcount warning [1] caused by calling get_net() on
+a network namespace that is being destroyed (refcount=0). This happens
+when a TIPC discovery timer fires during network namespace cleanup.
+
+The recently added get_net() call in commit e279024617134 ("net/tipc:
+fix slab-use-after-free Read in tipc_aead_encrypt_done") attempts to
+hold a reference to the network namespace. However, if the namespace
+is already being destroyed, its refcount might be zero, leading to the
+use-after-free warning.
+
+Replace get_net() with maybe_get_net(), which safely checks if the
+refcount is non-zero before incrementing it. If the namespace is being
+destroyed, return -ENODEV early, after releasing the bearer reference.
+
+[1]: https://lore.kernel.org/all/68342b55.a70a0220.253bc2.0091.GAE@google.com/T/#m12019cf9ae77e1954f666914640efa36d52704a2
+
+Reported-by: syzbot+f0c4a4aba757549ae26c@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/68342b55.a70a0220.253bc2.0091.GAE@google.com/T/#m12019cf9ae77e1954f666914640efa36d52704a2
+Fixes: e27902461713 ("net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done")
+Signed-off-by: Charalampos Mitrodimas <charmitro@posteo.net>
+Reviewed-by: Tung Nguyen <tung.quang.nguyen@est.tech>
+Link: https://patch.msgid.link/20250527-net-tipc-warning-v2-1-df3dc398a047@posteo.net
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/crypto.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c
+index 8584893b47851..79f91b6ca8c84 100644
+--- a/net/tipc/crypto.c
++++ b/net/tipc/crypto.c
+@@ -818,7 +818,11 @@ static int tipc_aead_encrypt(struct tipc_aead *aead, struct sk_buff *skb,
+ }
+
+ /* Get net to avoid freed tipc_crypto when delete namespace */
+- get_net(aead->crypto->net);
++ if (!maybe_get_net(aead->crypto->net)) {
++ tipc_bearer_put(b);
++ rc = -ENODEV;
++ goto exit;
++ }
+
+ /* Now, do encrypt */
+ rc = crypto_aead_encrypt(req);
+--
+2.39.5
+
--- /dev/null
+From 1fbe74b7817b2df1fc5ceab4b190c14926c70a5c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 May 2025 14:32:39 +0300
+Subject: net: usb: aqc111: fix error handling of usbnet read calls
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+[ Upstream commit 405b0d610745fb5e84fc2961d9b960abb9f3d107 ]
+
+Syzkaller, courtesy of syzbot, identified an error (see report [1]) in
+aqc111 driver, caused by incomplete sanitation of usb read calls'
+results. This problem is quite similar to the one fixed in commit
+920a9fa27e78 ("net: asix: add proper error handling of usb read errors").
+
+For instance, usbnet_read_cmd() may read fewer than 'size' bytes,
+even if the caller expected the full amount, and aqc111_read_cmd()
+will not check its result properly. As [1] shows, this may lead
+to MAC address in aqc111_bind() being only partly initialized,
+triggering KMSAN warnings.
+
+Fix the issue by verifying that the number of bytes read is
+as expected and not less.
+
+[1] Partial syzbot report:
+BUG: KMSAN: uninit-value in is_valid_ether_addr include/linux/etherdevice.h:208 [inline]
+BUG: KMSAN: uninit-value in usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830
+ is_valid_ether_addr include/linux/etherdevice.h:208 [inline]
+ usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830
+ usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396
+ call_driver_probe drivers/base/dd.c:-1 [inline]
+ really_probe+0x4d1/0xd90 drivers/base/dd.c:658
+ __driver_probe_device+0x268/0x380 drivers/base/dd.c:800
+...
+
+Uninit was stored to memory at:
+ dev_addr_mod+0xb0/0x550 net/core/dev_addr_lists.c:582
+ __dev_addr_set include/linux/netdevice.h:4874 [inline]
+ eth_hw_addr_set include/linux/etherdevice.h:325 [inline]
+ aqc111_bind+0x35f/0x1150 drivers/net/usb/aqc111.c:717
+ usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772
+ usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396
+...
+
+Uninit was stored to memory at:
+ ether_addr_copy include/linux/etherdevice.h:305 [inline]
+ aqc111_read_perm_mac drivers/net/usb/aqc111.c:663 [inline]
+ aqc111_bind+0x794/0x1150 drivers/net/usb/aqc111.c:713
+ usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772
+ usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396
+ call_driver_probe drivers/base/dd.c:-1 [inline]
+...
+
+Local variable buf.i created at:
+ aqc111_read_perm_mac drivers/net/usb/aqc111.c:656 [inline]
+ aqc111_bind+0x221/0x1150 drivers/net/usb/aqc111.c:713
+ usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772
+
+Reported-by: syzbot+3b6b9ff7b80430020c7b@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=3b6b9ff7b80430020c7b
+Tested-by: syzbot+3b6b9ff7b80430020c7b@syzkaller.appspotmail.com
+Fixes: df2d59a2ab6c ("net: usb: aqc111: Add support for getting and setting of MAC address")
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Link: https://patch.msgid.link/20250520113240.2369438-1-n.zhandarovich@fintech.ru
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/aqc111.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/usb/aqc111.c b/drivers/net/usb/aqc111.c
+index 284375f662f1e..04d5573123bec 100644
+--- a/drivers/net/usb/aqc111.c
++++ b/drivers/net/usb/aqc111.c
+@@ -30,10 +30,13 @@ static int aqc111_read_cmd_nopm(struct usbnet *dev, u8 cmd, u16 value,
+ ret = usbnet_read_cmd_nopm(dev, cmd, USB_DIR_IN | USB_TYPE_VENDOR |
+ USB_RECIP_DEVICE, value, index, data, size);
+
+- if (unlikely(ret < 0))
++ if (unlikely(ret < size)) {
++ ret = ret < 0 ? ret : -ENODATA;
++
+ netdev_warn(dev->net,
+ "Failed to read(0x%x) reg index 0x%04x: %d\n",
+ cmd, index, ret);
++ }
+
+ return ret;
+ }
+@@ -46,10 +49,13 @@ static int aqc111_read_cmd(struct usbnet *dev, u8 cmd, u16 value,
+ ret = usbnet_read_cmd(dev, cmd, USB_DIR_IN | USB_TYPE_VENDOR |
+ USB_RECIP_DEVICE, value, index, data, size);
+
+- if (unlikely(ret < 0))
++ if (unlikely(ret < size)) {
++ ret = ret < 0 ? ret : -ENODATA;
++
+ netdev_warn(dev->net,
+ "Failed to read(0x%x) reg index 0x%04x: %d\n",
+ cmd, index, ret);
++ }
+
+ return ret;
+ }
+--
+2.39.5
+
--- /dev/null
+From 4985d5be7ef5120441cb8954f06b2b809cfaa0c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 May 2025 11:16:48 +0800
+Subject: net: wwan: t7xx: Fix napi rx poll issue
+
+From: Jinjian Song <jinjian.song@fibocom.com>
+
+[ Upstream commit 905fe0845bb27e4eed2ca27ea06e6c4847f1b2b1 ]
+
+When driver handles the napi rx polling requests, the netdev might
+have been released by the dellink logic triggered by the disconnect
+operation on user plane. However, in the logic of processing skb in
+polling, an invalid netdev is still being used, which causes a panic.
+
+BUG: kernel NULL pointer dereference, address: 00000000000000f1
+Oops: 0000 [#1] PREEMPT SMP NOPTI
+RIP: 0010:dev_gro_receive+0x3a/0x620
+[...]
+Call Trace:
+ <IRQ>
+ ? __die_body+0x68/0xb0
+ ? page_fault_oops+0x379/0x3e0
+ ? exc_page_fault+0x4f/0xa0
+ ? asm_exc_page_fault+0x22/0x30
+ ? __pfx_t7xx_ccmni_recv_skb+0x10/0x10 [mtk_t7xx (HASH:1400 7)]
+ ? dev_gro_receive+0x3a/0x620
+ napi_gro_receive+0xad/0x170
+ t7xx_ccmni_recv_skb+0x48/0x70 [mtk_t7xx (HASH:1400 7)]
+ t7xx_dpmaif_napi_rx_poll+0x590/0x800 [mtk_t7xx (HASH:1400 7)]
+ net_rx_action+0x103/0x470
+ irq_exit_rcu+0x13a/0x310
+ sysvec_apic_timer_interrupt+0x56/0x90
+ </IRQ>
+
+Fixes: 5545b7b9f294 ("net: wwan: t7xx: Add NAPI support")
+Signed-off-by: Jinjian Song <jinjian.song@fibocom.com>
+Link: https://patch.msgid.link/20250530031648.5592-1-jinjian.song@fibocom.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wwan/t7xx/t7xx_netdev.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wwan/t7xx/t7xx_netdev.c b/drivers/net/wwan/t7xx/t7xx_netdev.c
+index 3ef4a8a4f8fdb..d879424093b78 100644
+--- a/drivers/net/wwan/t7xx/t7xx_netdev.c
++++ b/drivers/net/wwan/t7xx/t7xx_netdev.c
+@@ -296,7 +296,7 @@ static int t7xx_ccmni_wwan_newlink(void *ctxt, struct net_device *dev, u32 if_id
+ ccmni->ctlb = ctlb;
+ ccmni->dev = dev;
+ atomic_set(&ccmni->usage, 0);
+- ctlb->ccmni_inst[if_id] = ccmni;
++ WRITE_ONCE(ctlb->ccmni_inst[if_id], ccmni);
+
+ ret = register_netdevice(dev);
+ if (ret)
+@@ -318,6 +318,7 @@ static void t7xx_ccmni_wwan_dellink(void *ctxt, struct net_device *dev, struct l
+ if (WARN_ON(ctlb->ccmni_inst[if_id] != ccmni))
+ return;
+
++ WRITE_ONCE(ctlb->ccmni_inst[if_id], NULL);
+ unregister_netdevice(dev);
+ }
+
+@@ -413,7 +414,7 @@ static void t7xx_ccmni_recv_skb(struct t7xx_ccmni_ctrl *ccmni_ctlb, struct sk_bu
+
+ skb_cb = T7XX_SKB_CB(skb);
+ netif_id = skb_cb->netif_idx;
+- ccmni = ccmni_ctlb->ccmni_inst[netif_id];
++ ccmni = READ_ONCE(ccmni_ctlb->ccmni_inst[netif_id]);
+ if (!ccmni) {
+ dev_kfree_skb(skb);
+ return;
+@@ -435,7 +436,7 @@ static void t7xx_ccmni_recv_skb(struct t7xx_ccmni_ctrl *ccmni_ctlb, struct sk_bu
+
+ static void t7xx_ccmni_queue_tx_irq_notify(struct t7xx_ccmni_ctrl *ctlb, int qno)
+ {
+- struct t7xx_ccmni *ccmni = ctlb->ccmni_inst[0];
++ struct t7xx_ccmni *ccmni = READ_ONCE(ctlb->ccmni_inst[0]);
+ struct netdev_queue *net_queue;
+
+ if (netif_running(ccmni->dev) && atomic_read(&ccmni->usage) > 0) {
+@@ -447,7 +448,7 @@ static void t7xx_ccmni_queue_tx_irq_notify(struct t7xx_ccmni_ctrl *ctlb, int qno
+
+ static void t7xx_ccmni_queue_tx_full_notify(struct t7xx_ccmni_ctrl *ctlb, int qno)
+ {
+- struct t7xx_ccmni *ccmni = ctlb->ccmni_inst[0];
++ struct t7xx_ccmni *ccmni = READ_ONCE(ctlb->ccmni_inst[0]);
+ struct netdev_queue *net_queue;
+
+ if (atomic_read(&ccmni->usage) > 0) {
+@@ -465,7 +466,7 @@ static void t7xx_ccmni_queue_state_notify(struct t7xx_pci_dev *t7xx_dev,
+ if (ctlb->md_sta != MD_STATE_READY)
+ return;
+
+- if (!ctlb->ccmni_inst[0]) {
++ if (!READ_ONCE(ctlb->ccmni_inst[0])) {
+ dev_warn(&t7xx_dev->pdev->dev, "No netdev registered yet\n");
+ return;
+ }
+--
+2.39.5
+
--- /dev/null
+From 5edb0dafd9eed1d0cf0c4fdb19349f83f024f990 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Apr 2025 17:29:53 +0800
+Subject: netfilter: bridge: Move specific fragmented packet to slow_path
+ instead of dropping it
+
+From: Huajian Yang <huajianyang@asrmicro.com>
+
+[ Upstream commit aa04c6f45b9224b949aa35d4fa5f8d0ba07b23d4 ]
+
+The config NF_CONNTRACK_BRIDGE will change the bridge forwarding for
+fragmented packets.
+
+The original bridge does not know that it is a fragmented packet and
+forwards it directly, after NF_CONNTRACK_BRIDGE is enabled, function
+nf_br_ip_fragment and br_ip6_fragment will check the headroom.
+
+In original br_forward, insufficient headroom of skb may indeed exist,
+but there's still a way to save the skb in the device driver after
+dev_queue_xmit.So droping the skb will change the original bridge
+forwarding in some cases.
+
+Fixes: 3c171f496ef5 ("netfilter: bridge: add connection tracking system")
+Signed-off-by: Huajian Yang <huajianyang@asrmicro.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/netfilter/nf_conntrack_bridge.c | 12 ++++++------
+ net/ipv6/netfilter.c | 12 ++++++------
+ 2 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/net/bridge/netfilter/nf_conntrack_bridge.c b/net/bridge/netfilter/nf_conntrack_bridge.c
+index 4fbfbafdfa027..4b4a396d97225 100644
+--- a/net/bridge/netfilter/nf_conntrack_bridge.c
++++ b/net/bridge/netfilter/nf_conntrack_bridge.c
+@@ -60,19 +60,19 @@ static int nf_br_ip_fragment(struct net *net, struct sock *sk,
+ struct ip_fraglist_iter iter;
+ struct sk_buff *frag;
+
+- if (first_len - hlen > mtu ||
+- skb_headroom(skb) < ll_rs)
++ if (first_len - hlen > mtu)
+ goto blackhole;
+
+- if (skb_cloned(skb))
++ if (skb_cloned(skb) ||
++ skb_headroom(skb) < ll_rs)
+ goto slow_path;
+
+ skb_walk_frags(skb, frag) {
+- if (frag->len > mtu ||
+- skb_headroom(frag) < hlen + ll_rs)
++ if (frag->len > mtu)
+ goto blackhole;
+
+- if (skb_shared(frag))
++ if (skb_shared(frag) ||
++ skb_headroom(frag) < hlen + ll_rs)
+ goto slow_path;
+ }
+
+diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
+index 7c4af48d529e1..606aae4e78a9a 100644
+--- a/net/ipv6/netfilter.c
++++ b/net/ipv6/netfilter.c
+@@ -163,20 +163,20 @@ int br_ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
+ struct ip6_fraglist_iter iter;
+ struct sk_buff *frag2;
+
+- if (first_len - hlen > mtu ||
+- skb_headroom(skb) < (hroom + sizeof(struct frag_hdr)))
++ if (first_len - hlen > mtu)
+ goto blackhole;
+
+- if (skb_cloned(skb))
++ if (skb_cloned(skb) ||
++ skb_headroom(skb) < (hroom + sizeof(struct frag_hdr)))
+ goto slow_path;
+
+ skb_walk_frags(skb, frag2) {
+- if (frag2->len > mtu ||
+- skb_headroom(frag2) < (hlen + hroom + sizeof(struct frag_hdr)))
++ if (frag2->len > mtu)
+ goto blackhole;
+
+ /* Partially cloned skb? */
+- if (skb_shared(frag2))
++ if (skb_shared(frag2) ||
++ skb_headroom(frag2) < (hlen + hroom + sizeof(struct frag_hdr)))
+ goto slow_path;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 2b9c992097d9a4d0ab40a4696ae6bf1908e4a333 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 May 2025 12:34:02 +0200
+Subject: netfilter: nf_nat: also check reverse tuple to obtain clashing entry
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 50d9ce9679dd50df2dc51ada717fa875bc248fad ]
+
+The logic added in the blamed commit was supposed to only omit nat source
+port allocation if neither the existing nor the new entry are subject to
+NAT.
+
+However, its not enough to lookup the conntrack based on the proposed
+tuple, we must also check the reverse direction.
+
+Otherwise there are esoteric cases where the collision is in the reverse
+direction because that colliding connection has a port rewrite, but the
+new entry doesn't. In this case, we only check the new entry and then
+erronously conclude that no clash exists anymore.
+
+ The existing (udp) tuple is:
+ a:p -> b:P, with nat translation to s:P, i.e. pure daddr rewrite,
+ reverse tuple in conntrack table is s:P -> a:p.
+
+When another UDP packet is sent directly to s, i.e. a:p->s:P, this is
+correctly detected as a colliding entry: tuple is taken by existing reply
+tuple in reverse direction.
+
+But the colliding conntrack is only searched for with unreversed
+direction, and we can't find such entry matching a:p->s:P.
+
+The incorrect conclusion is that the clashing entry has timed out and
+that no port address translation is required.
+
+Such conntrack will then be discarded at nf_confirm time because the
+proposed reverse direction clashes with an existing mapping in the
+conntrack table.
+
+Search for the reverse tuple too, this will then check the NAT bits of
+the colliding entry and triggers port reallocation.
+
+Followp patch extends nft_nat.sh selftest to cover this scenario.
+
+The IPS_SEQ_ADJUST change is also a bug fix:
+Instead of checking for SEQ_ADJ this tested for SEEN_REPLY and ASSURED
+by accident -- _BIT is only for use with the test_bit() API.
+
+This bug has little consequence in practice, because the sequence number
+adjustments are only useful for TCP which doesn't support clash resolution.
+
+The existing test case (conntrack_reverse_clash.sh) exercise a race
+condition path (parallel conntrack creation on different CPUs), so
+the colliding entries have neither SEEN_REPLY nor ASSURED set.
+
+Thanks to Yafang Shao and Shaun Brady for an initial investigation
+of this bug.
+
+Fixes: d8f84a9bc7c4 ("netfilter: nf_nat: don't try nat source port reallocation for reverse dir clash")
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1795
+Reported-by: Yafang Shao <laoar.shao@gmail.com>
+Reported-by: Shaun Brady <brady.1345@gmail.com>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Tested-by: Yafang Shao <laoar.shao@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_nat_core.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
+index ccca6e3848bcc..9df883d79acc9 100644
+--- a/net/netfilter/nf_nat_core.c
++++ b/net/netfilter/nf_nat_core.c
+@@ -248,7 +248,7 @@ static noinline bool
+ nf_nat_used_tuple_new(const struct nf_conntrack_tuple *tuple,
+ const struct nf_conn *ignored_ct)
+ {
+- static const unsigned long uses_nat = IPS_NAT_MASK | IPS_SEQ_ADJUST_BIT;
++ static const unsigned long uses_nat = IPS_NAT_MASK | IPS_SEQ_ADJUST;
+ const struct nf_conntrack_tuple_hash *thash;
+ const struct nf_conntrack_zone *zone;
+ struct nf_conn *ct;
+@@ -287,8 +287,14 @@ nf_nat_used_tuple_new(const struct nf_conntrack_tuple *tuple,
+ zone = nf_ct_zone(ignored_ct);
+
+ thash = nf_conntrack_find_get(net, zone, tuple);
+- if (unlikely(!thash)) /* clashing entry went away */
+- return false;
++ if (unlikely(!thash)) {
++ struct nf_conntrack_tuple reply;
++
++ nf_ct_invert_tuple(&reply, tuple);
++ thash = nf_conntrack_find_get(net, zone, &reply);
++ if (!thash) /* clashing entry went away */
++ return false;
++ }
+
+ ct = nf_ct_tuplehash_to_ctrack(thash);
+
+--
+2.39.5
+
--- /dev/null
+From 3a3713c3ae6972773c49941a1618bcc406f0a281 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 May 2025 14:20:44 +0200
+Subject: netfilter: nf_set_pipapo_avx2: fix initial map fill
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit ea77c397bff8b6d59f6d83dae1425b08f465e8b5 ]
+
+If the first field doesn't cover the entire start map, then we must zero
+out the remainder, else we leak those bits into the next match round map.
+
+The early fix was incomplete and did only fix up the generic C
+implementation.
+
+A followup patch adds a test case to nft_concat_range.sh.
+
+Fixes: 791a615b7ad2 ("netfilter: nf_set_pipapo: fix initial map fill")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_set_pipapo_avx2.c | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c
+index c15db28c5ebc4..be7c16c79f711 100644
+--- a/net/netfilter/nft_set_pipapo_avx2.c
++++ b/net/netfilter/nft_set_pipapo_avx2.c
+@@ -1113,6 +1113,25 @@ bool nft_pipapo_avx2_estimate(const struct nft_set_desc *desc, u32 features,
+ return true;
+ }
+
++/**
++ * pipapo_resmap_init_avx2() - Initialise result map before first use
++ * @m: Matching data, including mapping table
++ * @res_map: Result map
++ *
++ * Like pipapo_resmap_init() but do not set start map bits covered by the first field.
++ */
++static inline void pipapo_resmap_init_avx2(const struct nft_pipapo_match *m, unsigned long *res_map)
++{
++ const struct nft_pipapo_field *f = m->f;
++ int i;
++
++ /* Starting map doesn't need to be set to all-ones for this implementation,
++ * but we do need to zero the remaining bits, if any.
++ */
++ for (i = f->bsize; i < m->bsize_max; i++)
++ res_map[i] = 0ul;
++}
++
+ /**
+ * nft_pipapo_avx2_lookup() - Lookup function for AVX2 implementation
+ * @net: Network namespace
+@@ -1171,7 +1190,7 @@ bool nft_pipapo_avx2_lookup(const struct net *net, const struct nft_set *set,
+ res = scratch->map + (map_index ? m->bsize_max : 0);
+ fill = scratch->map + (map_index ? 0 : m->bsize_max);
+
+- /* Starting map doesn't need to be set for this implementation */
++ pipapo_resmap_init_avx2(m, res);
+
+ nft_pipapo_avx2_prepare();
+
+--
+2.39.5
+
--- /dev/null
+From 8f892155b5ceec471314bb315947a5ecfd95aea8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 May 2025 11:38:47 +0200
+Subject: netfilter: nf_tables: nft_fib_ipv6: fix VRF ipv4/ipv6 result
+ discrepancy
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 8b53f46eb430fe5b42d485873b85331d2de2c469 ]
+
+With a VRF, ipv4 and ipv6 FIB expression behave differently.
+
+ fib daddr . iif oif
+
+Will return the input interface name for ipv4, but the real device
+for ipv6. Example:
+
+If VRF device name is tvrf and real (incoming) device is veth0.
+First round is ok, both ipv4 and ipv6 will yield 'veth0'.
+
+But in the second round (incoming device will be set to "tvrf"), ipv4
+will yield "tvrf" whereas ipv6 returns "veth0" for the second round too.
+
+This makes ipv6 behave like ipv4.
+
+A followup patch will add a test case for this, without this change
+it will fail with:
+ get element inet t fibif6iif { tvrf . dead:1::99 . tvrf }
+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+ FAIL: did not find tvrf . dead:1::99 . tvrf in fibif6iif
+
+Alternatively we could either not do anything at all or change
+ipv4 to also return the lower/real device, however, nft (userspace)
+doc says "iif: if fib lookup provides a route then check its output
+interface is identical to the packets input interface." which is what
+the nft fib ipv4 behaviour is.
+
+Fixes: f6d0cbcf09c5 ("netfilter: nf_tables: add fib expression")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/netfilter/nft_fib_ipv6.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv6/netfilter/nft_fib_ipv6.c b/net/ipv6/netfilter/nft_fib_ipv6.c
+index c9f1634b3838a..a89ce0fbfe4b1 100644
+--- a/net/ipv6/netfilter/nft_fib_ipv6.c
++++ b/net/ipv6/netfilter/nft_fib_ipv6.c
+@@ -158,6 +158,7 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs,
+ {
+ const struct nft_fib *priv = nft_expr_priv(expr);
+ int noff = skb_network_offset(pkt->skb);
++ const struct net_device *found = NULL;
+ const struct net_device *oif = NULL;
+ u32 *dest = ®s->data[priv->dreg];
+ struct ipv6hdr *iph, _iph;
+@@ -202,11 +203,15 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs,
+ if (rt->rt6i_flags & (RTF_REJECT | RTF_ANYCAST | RTF_LOCAL))
+ goto put_rt_err;
+
+- if (oif && oif != rt->rt6i_idev->dev &&
+- l3mdev_master_ifindex_rcu(rt->rt6i_idev->dev) != oif->ifindex)
+- goto put_rt_err;
++ if (!oif) {
++ found = rt->rt6i_idev->dev;
++ } else {
++ if (oif == rt->rt6i_idev->dev ||
++ l3mdev_master_ifindex_rcu(rt->rt6i_idev->dev) == oif->ifindex)
++ found = oif;
++ }
+
+- nft_fib_store_result(dest, priv, rt->rt6i_idev->dev);
++ nft_fib_store_result(dest, priv, found);
+ put_rt_err:
+ ip6_rt_put(rt);
+ }
+--
+2.39.5
+
--- /dev/null
+From 60466f5e85c15e63e66b120c48ea3ce96a6c8684 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Apr 2025 15:49:30 +0000
+Subject: netfilter: nft_quota: match correctly when the quota just depleted
+
+From: Zhongqiu Duan <dzq.aishenghu0@gmail.com>
+
+[ Upstream commit bfe7cfb65c753952735c3eed703eba9a8b96a18d ]
+
+The xt_quota compares skb length with remaining quota, but the nft_quota
+compares it with consumed bytes.
+
+The xt_quota can match consumed bytes up to quota at maximum. But the
+nft_quota break match when consumed bytes equal to quota.
+
+i.e., nft_quota match consumed bytes in [0, quota - 1], not [0, quota].
+
+Fixes: 795595f68d6c ("netfilter: nft_quota: dump consumed quota")
+Signed-off-by: Zhongqiu Duan <dzq.aishenghu0@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_quota.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/net/netfilter/nft_quota.c b/net/netfilter/nft_quota.c
+index 9b2d7463d3d32..df0798da2329b 100644
+--- a/net/netfilter/nft_quota.c
++++ b/net/netfilter/nft_quota.c
+@@ -19,10 +19,16 @@ struct nft_quota {
+ };
+
+ static inline bool nft_overquota(struct nft_quota *priv,
+- const struct sk_buff *skb)
++ const struct sk_buff *skb,
++ bool *report)
+ {
+- return atomic64_add_return(skb->len, priv->consumed) >=
+- atomic64_read(&priv->quota);
++ u64 consumed = atomic64_add_return(skb->len, priv->consumed);
++ u64 quota = atomic64_read(&priv->quota);
++
++ if (report)
++ *report = consumed >= quota;
++
++ return consumed > quota;
+ }
+
+ static inline bool nft_quota_invert(struct nft_quota *priv)
+@@ -34,7 +40,7 @@ static inline void nft_quota_do_eval(struct nft_quota *priv,
+ struct nft_regs *regs,
+ const struct nft_pktinfo *pkt)
+ {
+- if (nft_overquota(priv, pkt->skb) ^ nft_quota_invert(priv))
++ if (nft_overquota(priv, pkt->skb, NULL) ^ nft_quota_invert(priv))
+ regs->verdict.code = NFT_BREAK;
+ }
+
+@@ -51,13 +57,13 @@ static void nft_quota_obj_eval(struct nft_object *obj,
+ const struct nft_pktinfo *pkt)
+ {
+ struct nft_quota *priv = nft_obj_data(obj);
+- bool overquota;
++ bool overquota, report;
+
+- overquota = nft_overquota(priv, pkt->skb);
++ overquota = nft_overquota(priv, pkt->skb, &report);
+ if (overquota ^ nft_quota_invert(priv))
+ regs->verdict.code = NFT_BREAK;
+
+- if (overquota &&
++ if (report &&
+ !test_and_set_bit(NFT_QUOTA_DEPLETED_BIT, &priv->flags))
+ nft_obj_notify(nft_net(pkt), obj->key.table, obj, 0, 0,
+ NFT_MSG_NEWOBJ, 0, nft_pf(pkt), 0, GFP_ATOMIC);
+--
+2.39.5
+
--- /dev/null
+From e3d5e89cf4cb13240f4f69ed44843cf4d8298a0e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 May 2025 11:41:08 +0200
+Subject: netfilter: nft_tunnel: fix geneve_opt dump
+
+From: Fernando Fernandez Mancera <fmancera@suse.de>
+
+[ Upstream commit 22a9613de4c29d7d0770bfb8a5a9d73eb8df7dad ]
+
+When dumping a nft_tunnel with more than one geneve_opt configured the
+netlink attribute hierarchy should be as follow:
+
+ NFTA_TUNNEL_KEY_OPTS
+ |
+ |--NFTA_TUNNEL_KEY_OPTS_GENEVE
+ | |
+ | |--NFTA_TUNNEL_KEY_GENEVE_CLASS
+ | |--NFTA_TUNNEL_KEY_GENEVE_TYPE
+ | |--NFTA_TUNNEL_KEY_GENEVE_DATA
+ |
+ |--NFTA_TUNNEL_KEY_OPTS_GENEVE
+ | |
+ | |--NFTA_TUNNEL_KEY_GENEVE_CLASS
+ | |--NFTA_TUNNEL_KEY_GENEVE_TYPE
+ | |--NFTA_TUNNEL_KEY_GENEVE_DATA
+ |
+ |--NFTA_TUNNEL_KEY_OPTS_GENEVE
+ ...
+
+Otherwise, userspace tools won't be able to fetch the geneve options
+configured correctly.
+
+Fixes: 925d844696d9 ("netfilter: nft_tunnel: add support for geneve opts")
+Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_tunnel.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
+index d499eb3f4f297..3e3ae29dde335 100644
+--- a/net/netfilter/nft_tunnel.c
++++ b/net/netfilter/nft_tunnel.c
+@@ -617,10 +617,10 @@ static int nft_tunnel_opts_dump(struct sk_buff *skb,
+ struct geneve_opt *opt;
+ int offset = 0;
+
+- inner = nla_nest_start_noflag(skb, NFTA_TUNNEL_KEY_OPTS_GENEVE);
+- if (!inner)
+- goto failure;
+ while (opts->len > offset) {
++ inner = nla_nest_start_noflag(skb, NFTA_TUNNEL_KEY_OPTS_GENEVE);
++ if (!inner)
++ goto failure;
+ opt = (struct geneve_opt *)(opts->u.data + offset);
+ if (nla_put_be16(skb, NFTA_TUNNEL_KEY_GENEVE_CLASS,
+ opt->opt_class) ||
+@@ -630,8 +630,8 @@ static int nft_tunnel_opts_dump(struct sk_buff *skb,
+ opt->length * 4, opt->opt_data))
+ goto inner_failure;
+ offset += sizeof(*opt) + opt->length * 4;
++ nla_nest_end(skb, inner);
+ }
+- nla_nest_end(skb, inner);
+ }
+ nla_nest_end(skb, nest);
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From 93f47bda0ca1d751a8129a3dd82bf5c2c326cd62 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Mar 2025 21:05:32 +0800
+Subject: nfs: clear SB_RDONLY before getting superblock
+
+From: Li Lingfeng <lilingfeng3@huawei.com>
+
+[ Upstream commit 8cd9b785943c57a136536250da80ba1eb6f8eb18 ]
+
+As described in the link, commit 52cb7f8f1778 ("nfs: ignore SB_RDONLY when
+mounting nfs") removed the check for the ro flag when determining whether
+to share the superblock, which caused issues when mounting different
+subdirectories under the same export directory via NFSv3. However, this
+change did not affect NFSv4.
+
+For NFSv3:
+1) A single superblock is created for the initial mount.
+2) When mounted read-only, this superblock carries the SB_RDONLY flag.
+3) Before commit 52cb7f8f1778 ("nfs: ignore SB_RDONLY when mounting nfs"):
+Subsequent rw mounts would not share the existing ro superblock due to
+flag mismatch, creating a new superblock without SB_RDONLY.
+After the commit:
+ The SB_RDONLY flag is ignored during superblock comparison, and this leads
+ to sharing the existing superblock even for rw mounts.
+ Ultimately results in write operations being rejected at the VFS layer.
+
+For NFSv4:
+1) Multiple superblocks are created and the last one will be kept.
+2) The actually used superblock for ro mounts doesn't carry SB_RDONLY flag.
+Therefore, commit 52cb7f8f1778 doesn't affect NFSv4 mounts.
+
+Clear SB_RDONLY before getting superblock when NFS_MOUNT_UNSHARED is not
+set to fix it.
+
+Fixes: 52cb7f8f1778 ("nfs: ignore SB_RDONLY when mounting nfs")
+Closes: https://lore.kernel.org/all/12d7ea53-1202-4e21-a7ef-431c94758ce5@app.fastmail.com/T/
+Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
+Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/super.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/fs/nfs/super.c b/fs/nfs/super.c
+index e1bcad5906ae7..59bf4b2c0f86e 100644
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -1277,8 +1277,17 @@ int nfs_get_tree_common(struct fs_context *fc)
+ if (IS_ERR(server))
+ return PTR_ERR(server);
+
++ /*
++ * When NFS_MOUNT_UNSHARED is not set, NFS forces the sharing of a
++ * superblock among each filesystem that mounts sub-directories
++ * belonging to a single exported root path.
++ * To prevent interference between different filesystems, the
++ * SB_RDONLY flag should be removed from the superblock.
++ */
+ if (server->flags & NFS_MOUNT_UNSHARED)
+ compare_super = NULL;
++ else
++ fc->sb_flags &= ~SB_RDONLY;
+
+ /* -o noac implies -o sync */
+ if (server->flags & NFS_MOUNT_NOAC)
+--
+2.39.5
+
--- /dev/null
+From 3af1bbb868e817b47a2643edcb7e4452050cb115 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Mar 2025 21:05:33 +0800
+Subject: nfs: ignore SB_RDONLY when remounting nfs
+
+From: Li Lingfeng <lilingfeng3@huawei.com>
+
+[ Upstream commit 80c4de6ab44c14e910117a02f2f8241ffc6ec54a ]
+
+In some scenarios, when mounting NFS, more than one superblock may be
+created. The final superblock used is the last one created, but only the
+first superblock carries the ro flag passed from user space. If a ro flag
+is added to the superblock via remount, it will trigger the issue
+described in Link[1].
+
+Link[2] attempted to address this by marking the superblock as ro during
+the initial mount. However, this introduced a new problem in scenarios
+where multiple mount points share the same superblock:
+[root@a ~]# mount /dev/sdb /mnt/sdb
+[root@a ~]# echo "/mnt/sdb *(rw,no_root_squash)" > /etc/exports
+[root@a ~]# echo "/mnt/sdb/test_dir2 *(ro,no_root_squash)" >> /etc/exports
+[root@a ~]# systemctl restart nfs-server
+[root@a ~]# mount -t nfs -o rw 127.0.0.1:/mnt/sdb/test_dir1 /mnt/test_mp1
+[root@a ~]# mount | grep nfs4
+127.0.0.1:/mnt/sdb/test_dir1 on /mnt/test_mp1 type nfs4 (rw,relatime,...
+[root@a ~]# mount -t nfs -o ro 127.0.0.1:/mnt/sdb/test_dir2 /mnt/test_mp2
+[root@a ~]# mount | grep nfs4
+127.0.0.1:/mnt/sdb/test_dir1 on /mnt/test_mp1 type nfs4 (ro,relatime,...
+127.0.0.1:/mnt/sdb/test_dir2 on /mnt/test_mp2 type nfs4 (ro,relatime,...
+[root@a ~]#
+
+When mounting the second NFS, the shared superblock is marked as ro,
+causing the previous NFS mount to become read-only.
+
+To resolve both issues, the ro flag is no longer applied to the superblock
+during remount. Instead, the ro flag on the mount is used to control
+whether the mount point is read-only.
+
+Fixes: 281cad46b34d ("NFS: Create a submount rpc_op")
+Link[1]: https://lore.kernel.org/all/20240604112636.236517-3-lilingfeng@huaweicloud.com/
+Link[2]: https://lore.kernel.org/all/20241130035818.1459775-1-lilingfeng3@huawei.com/
+Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
+Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/super.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/fs/nfs/super.c b/fs/nfs/super.c
+index 59bf4b2c0f86e..4e72ee57fc8fc 100644
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -1020,6 +1020,16 @@ int nfs_reconfigure(struct fs_context *fc)
+
+ sync_filesystem(sb);
+
++ /*
++ * The SB_RDONLY flag has been removed from the superblock during
++ * mounts to prevent interference between different filesystems.
++ * Similarly, it is also necessary to ignore the SB_RDONLY flag
++ * during reconfiguration; otherwise, it may also result in the
++ * creation of redundant superblocks when mounting a directory with
++ * different rw and ro flags multiple times.
++ */
++ fc->sb_flags_mask &= ~SB_RDONLY;
++
+ /*
+ * Userspace mount programs that send binary options generally send
+ * them populated with default values. We have no way to know which
+--
+2.39.5
+
--- /dev/null
+From 754ebca4f9fa63407636bd75e3f9fff8905bd15a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Apr 2025 02:37:07 +0900
+Subject: nilfs2: add pointer check for nilfs_direct_propagate()
+
+From: Wentao Liang <vulab@iscas.ac.cn>
+
+[ Upstream commit f43f02429295486059605997bc43803527d69791 ]
+
+Patch series "nilfs2: improve sanity checks in dirty state propagation".
+
+This fixes one missed check for block mapping anomalies and one improper
+return of an error code during a preparation step for log writing, thereby
+improving checking for filesystem corruption on writeback.
+
+This patch (of 2):
+
+In nilfs_direct_propagate(), the printer get from nilfs_direct_get_ptr()
+need to be checked to ensure it is not an invalid pointer.
+
+If the pointer value obtained by nilfs_direct_get_ptr() is
+NILFS_BMAP_INVALID_PTR, means that the metadata (in this case, i_bmap in
+the nilfs_inode_info struct) that should point to the data block at the
+buffer head of the argument is corrupted and the data block is orphaned,
+meaning that the file system has lost consistency.
+
+Add a value check and return -EINVAL when it is an invalid pointer.
+
+Link: https://lkml.kernel.org/r/20250428173808.6452-1-konishi.ryusuke@gmail.com
+Link: https://lkml.kernel.org/r/20250428173808.6452-2-konishi.ryusuke@gmail.com
+Fixes: 36a580eb489f ("nilfs2: direct block mapping")
+Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nilfs2/direct.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/nilfs2/direct.c b/fs/nilfs2/direct.c
+index 893ab36824cc2..2d8dc6b35b547 100644
+--- a/fs/nilfs2/direct.c
++++ b/fs/nilfs2/direct.c
+@@ -273,6 +273,9 @@ static int nilfs_direct_propagate(struct nilfs_bmap *bmap,
+ dat = nilfs_bmap_get_dat(bmap);
+ key = nilfs_bmap_data_get_key(bmap, bh);
+ ptr = nilfs_direct_get_ptr(bmap, key);
++ if (ptr == NILFS_BMAP_INVALID_PTR)
++ return -EINVAL;
++
+ if (!buffer_nilfs_volatile(bh)) {
+ oldreq.pr_entry_nr = ptr;
+ newreq.pr_entry_nr = ptr;
+--
+2.39.5
+
--- /dev/null
+From da5b17180f73c0ddc9c2d9a024b93b6dd6975c80 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Apr 2025 02:37:08 +0900
+Subject: nilfs2: do not propagate ENOENT error from nilfs_btree_propagate()
+
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+
+[ Upstream commit 8e39fbb1edbb4ec9d7c1124f403877fc167fcecd ]
+
+In preparation for writing logs, in nilfs_btree_propagate(), which makes
+parent and ancestor node blocks dirty starting from a modified data block
+or b-tree node block, if the starting block does not belong to the b-tree,
+i.e. is isolated, nilfs_btree_do_lookup() called within the function
+fails with -ENOENT.
+
+In this case, even though -ENOENT is an internal code, it is propagated to
+the log writer via nilfs_bmap_propagate() and may be erroneously returned
+to system calls such as fsync().
+
+Fix this issue by changing the error code to -EINVAL in this case, and
+having the bmap layer detect metadata corruption and convert the error
+code appropriately.
+
+Link: https://lkml.kernel.org/r/20250428173808.6452-3-konishi.ryusuke@gmail.com
+Fixes: 1f5abe7e7dbc ("nilfs2: replace BUG_ON and BUG calls triggerable from ioctl")
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Cc: Wentao Liang <vulab@iscas.ac.cn>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nilfs2/btree.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/nilfs2/btree.c b/fs/nilfs2/btree.c
+index dbd27a44632fa..5e70a3478afe0 100644
+--- a/fs/nilfs2/btree.c
++++ b/fs/nilfs2/btree.c
+@@ -2094,11 +2094,13 @@ static int nilfs_btree_propagate(struct nilfs_bmap *btree,
+
+ ret = nilfs_btree_do_lookup(btree, path, key, NULL, level + 1, 0);
+ if (ret < 0) {
+- if (unlikely(ret == -ENOENT))
++ if (unlikely(ret == -ENOENT)) {
+ nilfs_crit(btree->b_inode->i_sb,
+ "writing node/leaf block does not appear in b-tree (ino=%lu) at key=%llu, level=%d",
+ btree->b_inode->i_ino,
+ (unsigned long long)key, level);
++ ret = -EINVAL;
++ }
+ goto out;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From f1b8e8ea1484248997289cacb97227ba4b0913e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Apr 2025 09:56:27 +0300
+Subject: ocfs2: fix possible memory leak in ocfs2_finish_quota_recovery
+
+From: Murad Masimov <m.masimov@mt-integration.ru>
+
+[ Upstream commit cdc3ed3035d0fe934aa1d9b78ce256752fd3bb7d ]
+
+If ocfs2_finish_quota_recovery() exits due to an error before passing all
+rc_list elements to ocfs2_recover_local_quota_file() then it can lead to a
+memory leak as rc_list may still contain elements that have to be freed.
+
+Release all memory allocated by ocfs2_add_recovery_chunk() using
+ocfs2_free_quota_recovery() instead of kfree().
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Link: https://lkml.kernel.org/r/20250402065628.706359-2-m.masimov@mt-integration.ru
+Fixes: 2205363dce74 ("ocfs2: Implement quota recovery")
+Signed-off-by: Murad Masimov <m.masimov@mt-integration.ru>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/quota_local.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ocfs2/quota_local.c b/fs/ocfs2/quota_local.c
+index 0ca8975a1df47..c7bda48b5fb21 100644
+--- a/fs/ocfs2/quota_local.c
++++ b/fs/ocfs2/quota_local.c
+@@ -671,7 +671,7 @@ int ocfs2_finish_quota_recovery(struct ocfs2_super *osb,
+ break;
+ }
+ out:
+- kfree(rec);
++ ocfs2_free_quota_recovery(rec);
+ return status;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 2d9793f0205c4746fd438d22bbe511c4b20a2d20 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 May 2025 17:28:42 +0530
+Subject: octeontx2-pf: QOS: Refactor TC_HTB_LEAF_DEL_LAST callback
+
+From: Hariprasad Kelam <hkelam@marvell.com>
+
+[ Upstream commit 67af4ec948e8ce3ea53a9cf614d01fddf172e56d ]
+
+This patch addresses below issues,
+
+1. Active traffic on the leaf node must be stopped before its send queue
+ is reassigned to the parent. This patch resolves the issue by marking
+ the node as 'Inner'.
+
+2. During a system reboot, the interface receives TC_HTB_LEAF_DEL
+ and TC_HTB_LEAF_DEL_LAST callbacks to delete its HTB queues.
+ In the case of TC_HTB_LEAF_DEL_LAST, although the same send queue
+ is reassigned to the parent, the current logic still attempts to update
+ the real number of queues, leadning to below warnings
+
+ New queues can't be registered after device unregistration.
+ WARNING: CPU: 0 PID: 6475 at net/core/net-sysfs.c:1714
+ netdev_queue_update_kobjects+0x1e4/0x200
+
+Fixes: 5e6808b4c68d ("octeontx2-pf: Add support for HTB offload")
+Signed-off-by: Hariprasad Kelam <hkelam@marvell.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250522115842.1499666-1-hkelam@marvell.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/nic/qos.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/qos.c b/drivers/net/ethernet/marvell/octeontx2/nic/qos.c
+index 37db19584c143..92861f102590f 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/qos.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/qos.c
+@@ -1560,6 +1560,7 @@ static int otx2_qos_leaf_del_last(struct otx2_nic *pfvf, u16 classid, bool force
+ if (!node->is_static)
+ dwrr_del_node = true;
+
++ WRITE_ONCE(node->qid, OTX2_QOS_QID_INNER);
+ /* destroy the leaf node */
+ otx2_qos_disable_sq(pfvf, qid);
+ otx2_qos_destroy_node(pfvf, node);
+@@ -1604,9 +1605,6 @@ static int otx2_qos_leaf_del_last(struct otx2_nic *pfvf, u16 classid, bool force
+ }
+ kfree(new_cfg);
+
+- /* update tx_real_queues */
+- otx2_qos_update_tx_netdev_queues(pfvf);
+-
+ return 0;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From c80b58815a44f6a8eb79a4e8f8bca2db28dba9f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 1 Jun 2025 14:02:26 -0400
+Subject: path_overmount(): avoid false negatives
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit 5f31c549382bcddbbd754c72c5433b19420d485d ]
+
+Holding namespace_sem is enough to make sure that result remains valid.
+It is *not* enough to avoid false negatives from __lookup_mnt(). Mounts
+can be unhashed outside of namespace_sem (stuck children getting detached
+on final mntput() of lazy-umounted mount) and having an unrelated mount
+removed from the hash chain while we traverse it may end up with false
+negative from __lookup_mnt(). We need to sample and recheck the seqlock
+component of mount_lock...
+
+Bug predates the introduction of path_overmount() - it had come from
+the code in finish_automount() that got abstracted into that helper.
+
+Reviewed-by: Christian Brauner <brauner@kernel.org>
+Fixes: 26df6034fdb2 ("fix automount/automount race properly")
+Fixes: 6ac392815628 ("fs: allow to mount beneath top mount")
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/namespace.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/fs/namespace.c b/fs/namespace.c
+index ef3b2ae2957ec..7942a33451ba0 100644
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -3020,18 +3020,25 @@ static int do_set_group(struct path *from_path, struct path *to_path)
+ * Check if path is overmounted, i.e., if there's a mount on top of
+ * @path->mnt with @path->dentry as mountpoint.
+ *
+- * Context: This function expects namespace_lock() to be held.
++ * Context: namespace_sem must be held at least shared.
++ * MUST NOT be called under lock_mount_hash() (there one should just
++ * call __lookup_mnt() and check if it returns NULL).
+ * Return: If path is overmounted true is returned, false if not.
+ */
+ static inline bool path_overmounted(const struct path *path)
+ {
++ unsigned seq = read_seqbegin(&mount_lock);
++ bool no_child;
++
+ rcu_read_lock();
+- if (unlikely(__lookup_mnt(path->mnt, path->dentry))) {
+- rcu_read_unlock();
+- return true;
+- }
++ no_child = !__lookup_mnt(path->mnt, path->dentry);
+ rcu_read_unlock();
+- return false;
++ if (need_seqretry(&mount_lock, seq)) {
++ read_seqlock_excl(&mount_lock);
++ no_child = !__lookup_mnt(path->mnt, path->dentry);
++ read_sequnlock_excl(&mount_lock);
++ }
++ return unlikely(!no_child);
+ }
+
+ /**
+--
+2.39.5
+
--- /dev/null
+From 0177ff981623c3ea0d56680c6888a488e120b9a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Apr 2025 10:17:11 +0100
+Subject: PCI: apple: Use gpiod_set_value_cansleep in probe flow
+
+From: Hector Martin <marcan@marcan.st>
+
+[ Upstream commit 7334364f9de79a9a236dd0243ba574b8d2876e89 ]
+
+We're allowed to sleep here, so tell the GPIO core by using
+gpiod_set_value_cansleep instead of gpiod_set_value.
+
+Fixes: 1e33888fbe44 ("PCI: apple: Add initial hardware bring-up")
+Signed-off-by: Hector Martin <marcan@marcan.st>
+Signed-off-by: Alyssa Rosenzweig <alyssa@rosenzweig.io>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Tested-by: Janne Grunau <j@jannau.net>
+Reviewed-by: Rob Herring (Arm) <robh@kernel.org>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Acked-by: Alyssa Rosenzweig <alyssa@rosenzweig.io>
+Link: https://patch.msgid.link/20250401091713.2765724-12-maz@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pcie-apple.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pci/controller/pcie-apple.c b/drivers/pci/controller/pcie-apple.c
+index f7a248393a8f1..7e6bd63a6425e 100644
+--- a/drivers/pci/controller/pcie-apple.c
++++ b/drivers/pci/controller/pcie-apple.c
+@@ -541,7 +541,7 @@ static int apple_pcie_setup_port(struct apple_pcie *pcie,
+ rmw_set(PORT_APPCLK_EN, port->base + PORT_APPCLK);
+
+ /* Assert PERST# before setting up the clock */
+- gpiod_set_value(reset, 1);
++ gpiod_set_value_cansleep(reset, 1);
+
+ ret = apple_pcie_setup_refclk(pcie, port);
+ if (ret < 0)
+@@ -552,7 +552,7 @@ static int apple_pcie_setup_port(struct apple_pcie *pcie,
+
+ /* Deassert PERST# */
+ rmw_set(PORT_PERST_OFF, port->base + PORT_PERST);
+- gpiod_set_value(reset, 0);
++ gpiod_set_value_cansleep(reset, 0);
+
+ /* Wait for 100ms after PERST# deassertion (PCIe r5.0, 6.6.1) */
+ msleep(100);
+--
+2.39.5
+
--- /dev/null
+From c9de3ba94e26bf17ddd4f0bd27628174978c078a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Apr 2025 21:30:58 +0800
+Subject: PCI: cadence: Fix runtime atomic count underflow
+
+From: Hans Zhang <18255117159@163.com>
+
+[ Upstream commit 8805f32a96d3b97cef07999fa6f52112678f7e65 ]
+
+If the call to pci_host_probe() in cdns_pcie_host_setup() fails, PM
+runtime count is decremented in the error path using pm_runtime_put_sync().
+But the runtime count is not incremented by this driver, but only by the
+callers (cdns_plat_pcie_probe/j721e_pcie_probe). And the callers also
+decrement the runtime PM count in their error path. So this leads to the
+below warning from the PM core:
+
+ "runtime PM usage count underflow!"
+
+So fix it by getting rid of pm_runtime_put_sync() in the error path and
+directly return the errno.
+
+Fixes: 49e427e6bdd1 ("Merge branch 'pci/host-probe-refactor'")
+Signed-off-by: Hans Zhang <18255117159@163.com>
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Link: https://patch.msgid.link/20250419133058.162048-1-18255117159@163.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/cadence/pcie-cadence-host.c | 11 +----------
+ 1 file changed, 1 insertion(+), 10 deletions(-)
+
+diff --git a/drivers/pci/controller/cadence/pcie-cadence-host.c b/drivers/pci/controller/cadence/pcie-cadence-host.c
+index 8af95e9da7cec..741e10a575ec7 100644
+--- a/drivers/pci/controller/cadence/pcie-cadence-host.c
++++ b/drivers/pci/controller/cadence/pcie-cadence-host.c
+@@ -570,14 +570,5 @@ int cdns_pcie_host_setup(struct cdns_pcie_rc *rc)
+ if (!bridge->ops)
+ bridge->ops = &cdns_pcie_host_ops;
+
+- ret = pci_host_probe(bridge);
+- if (ret < 0)
+- goto err_init;
+-
+- return 0;
+-
+- err_init:
+- pm_runtime_put_sync(dev);
+-
+- return ret;
++ return pci_host_probe(bridge);
+ }
+--
+2.39.5
+
--- /dev/null
+From 9c5a8b0c6733b74de944ac98e3373499fa2e7881 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 May 2025 18:21:07 -0500
+Subject: PCI/DPC: Initialize aer_err_info before using it
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Bjorn Helgaas <bhelgaas@google.com>
+
+[ Upstream commit a424b598e6a6c1e69a2bb801d6fd16e805ab2c38 ]
+
+Previously the struct aer_err_info "info" was allocated on the stack
+without being initialized, so it contained junk except for the fields we
+explicitly set later.
+
+Initialize "info" at declaration so it starts as all zeros.
+
+Fixes: 8aefa9b0d910 ("PCI/DPC: Print AER status in DPC event handling")
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Tested-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Link: https://patch.msgid.link/20250522232339.1525671-2-helgaas@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pcie/dpc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pci/pcie/dpc.c b/drivers/pci/pcie/dpc.c
+index a5cec2a4e057d..3c3ecb9cf57af 100644
+--- a/drivers/pci/pcie/dpc.c
++++ b/drivers/pci/pcie/dpc.c
+@@ -263,7 +263,7 @@ static int dpc_get_aer_uncorrect_severity(struct pci_dev *dev,
+ void dpc_process_error(struct pci_dev *pdev)
+ {
+ u16 cap = pdev->dpc_cap, status, source, reason, ext_reason;
+- struct aer_err_info info;
++ struct aer_err_info info = {};
+
+ pci_read_config_word(pdev, cap + PCI_EXP_DPC_STATUS, &status);
+ pci_read_config_word(pdev, cap + PCI_EXP_DPC_SOURCE_ID, &source);
+--
+2.39.5
+
--- /dev/null
+From ef5fe48ce5082a4ffe6ae9e21e850e1865c27125 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Apr 2025 23:31:32 -0500
+Subject: PCI: Explicitly put devices into D0 when initializing
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit 4d4c10f763d7808fbade28d83d237411603bca05 ]
+
+AMD BIOS team has root caused an issue that NVMe storage failed to come
+back from suspend to a lack of a call to _REG when NVMe device was probed.
+
+112a7f9c8edbf ("PCI/ACPI: Call _REG when transitioning D-states") added
+support for calling _REG when transitioning D-states, but this only works
+if the device actually "transitions" D-states.
+
+967577b062417 ("PCI/PM: Keep runtime PM enabled for unbound PCI devices")
+added support for runtime PM on PCI devices, but never actually
+'explicitly' sets the device to D0.
+
+To make sure that devices are in D0 and that platform methods such as
+_REG are called, explicitly set all devices into D0 during initialization.
+
+Fixes: 967577b062417 ("PCI/PM: Keep runtime PM enabled for unbound PCI devices")
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Tested-by: Denis Benato <benato.denis96@gmail.com>
+Tested-By: Yijun Shen <Yijun_Shen@Dell.com>
+Tested-By: David Perry <david.perry@amd.com>
+Reviewed-by: Rafael J. Wysocki <rafael@kernel.org>
+Link: https://patch.msgid.link/20250424043232.1848107-1-superm1@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pci-driver.c | 6 ------
+ drivers/pci/pci.c | 13 ++++++++++---
+ drivers/pci/pci.h | 1 +
+ 3 files changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/pci/pci-driver.c b/drivers/pci/pci-driver.c
+index 9c59bf03d6579..258ba97d07242 100644
+--- a/drivers/pci/pci-driver.c
++++ b/drivers/pci/pci-driver.c
+@@ -564,12 +564,6 @@ static void pci_pm_default_resume(struct pci_dev *pci_dev)
+ pci_enable_wake(pci_dev, PCI_D0, false);
+ }
+
+-static void pci_pm_power_up_and_verify_state(struct pci_dev *pci_dev)
+-{
+- pci_power_up(pci_dev);
+- pci_update_current_state(pci_dev, PCI_D0);
+-}
+-
+ static void pci_pm_default_resume_early(struct pci_dev *pci_dev)
+ {
+ pci_pm_power_up_and_verify_state(pci_dev);
+diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
+index 503304aba9eac..89c6b161f80c9 100644
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -3227,6 +3227,12 @@ void pci_d3cold_disable(struct pci_dev *dev)
+ }
+ EXPORT_SYMBOL_GPL(pci_d3cold_disable);
+
++void pci_pm_power_up_and_verify_state(struct pci_dev *pci_dev)
++{
++ pci_power_up(pci_dev);
++ pci_update_current_state(pci_dev, PCI_D0);
++}
++
+ /**
+ * pci_pm_init - Initialize PM functions of given PCI device
+ * @dev: PCI device to handle.
+@@ -3237,9 +3243,6 @@ void pci_pm_init(struct pci_dev *dev)
+ u16 status;
+ u16 pmc;
+
+- pm_runtime_forbid(&dev->dev);
+- pm_runtime_set_active(&dev->dev);
+- pm_runtime_enable(&dev->dev);
+ device_enable_async_suspend(&dev->dev);
+ dev->wakeup_prepared = false;
+
+@@ -3301,6 +3304,10 @@ void pci_pm_init(struct pci_dev *dev)
+ pci_read_config_word(dev, PCI_STATUS, &status);
+ if (status & PCI_STATUS_IMM_READY)
+ dev->imm_ready = 1;
++ pci_pm_power_up_and_verify_state(dev);
++ pm_runtime_forbid(&dev->dev);
++ pm_runtime_set_active(&dev->dev);
++ pm_runtime_enable(&dev->dev);
+ }
+
+ static unsigned long pci_ea_flags(struct pci_dev *dev, u8 prop)
+diff --git a/drivers/pci/pci.h b/drivers/pci/pci.h
+index d69a17947ffce..a621ba243c25e 100644
+--- a/drivers/pci/pci.h
++++ b/drivers/pci/pci.h
+@@ -92,6 +92,7 @@ void pci_dev_adjust_pme(struct pci_dev *dev);
+ void pci_dev_complete_resume(struct pci_dev *pci_dev);
+ void pci_config_pm_runtime_get(struct pci_dev *dev);
+ void pci_config_pm_runtime_put(struct pci_dev *dev);
++void pci_pm_power_up_and_verify_state(struct pci_dev *pci_dev);
+ void pci_pm_init(struct pci_dev *dev);
+ void pci_ea_init(struct pci_dev *dev);
+ void pci_msi_init(struct pci_dev *dev);
+--
+2.39.5
+
--- /dev/null
+From b1d702e432fe4e49f706f0d4aadc0567deec338f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Apr 2025 10:15:06 +1000
+Subject: PCI: Print the actual delay time in
+ pci_bridge_wait_for_secondary_bus()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wilfred Mallawa <wilfred.mallawa@wdc.com>
+
+[ Upstream commit d24eba726aadf8778f2907dd42281c6380b0ccaa ]
+
+Print the delay amount that pcie_wait_for_link_delay() is invoked with
+instead of the hardcoded 1000ms value in the debug info print.
+
+Fixes: 7b3ba09febf4 ("PCI/PM: Shorten pci_bridge_wait_for_secondary_bus() wait time for slow links")
+Signed-off-by: Wilfred Mallawa <wilfred.mallawa@wdc.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Link: https://patch.msgid.link/20250414001505.21243-2-wilfred.opensource@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
+index 095fa1910d36d..503304aba9eac 100644
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -5221,7 +5221,7 @@ int pci_bridge_wait_for_secondary_bus(struct pci_dev *dev, char *reset_type)
+ delay);
+ if (!pcie_wait_for_link_delay(dev, true, delay)) {
+ /* Did not train, no need to wait any further */
+- pci_info(dev, "Data Link Layer Link Active not set in 1000 msec\n");
++ pci_info(dev, "Data Link Layer Link Active not set in %d msec\n", delay);
+ return -ENOTTY;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From b65e77c93aa31240289be4058bf183eb9353ad4d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Apr 2025 12:02:03 +0530
+Subject: perf/amlogic: Replace smp_processor_id() with raw_smp_processor_id()
+ in meson_ddr_pmu_create()
+
+From: Anand Moon <linux.amoon@gmail.com>
+
+[ Upstream commit 097469a2b0f12b91b4f27b9e9e4f2c46484cde30 ]
+
+The Amlogic DDR PMU driver meson_ddr_pmu_create() function incorrectly uses
+smp_processor_id(), which assumes disabled preemption. This leads to kernel
+warnings during module loading because meson_ddr_pmu_create() can be called
+in a preemptible context.
+
+Following kernel warning and stack trace:
+[ 31.745138] [ T2289] BUG: using smp_processor_id() in preemptible [00000000] code: (udev-worker)/2289
+[ 31.745154] [ T2289] caller is debug_smp_processor_id+0x28/0x38
+[ 31.745172] [ T2289] CPU: 4 UID: 0 PID: 2289 Comm: (udev-worker) Tainted: GW 6.14.0-0-MANJARO-ARM #1 59519addcbca6ba8de735e151fd7b9e97aac7ff0
+[ 31.745181] [ T2289] Tainted: [W]=WARN
+[ 31.745183] [ T2289] Hardware name: Hardkernel ODROID-N2Plus (DT)
+[ 31.745188] [ T2289] Call trace:
+[ 31.745191] [ T2289] show_stack+0x28/0x40 (C)
+[ 31.745199] [ T2289] dump_stack_lvl+0x4c/0x198
+[ 31.745205] [ T2289] dump_stack+0x20/0x50
+[ 31.745209] [ T2289] check_preemption_disabled+0xec/0xf0
+[ 31.745213] [ T2289] debug_smp_processor_id+0x28/0x38
+[ 31.745216] [ T2289] meson_ddr_pmu_create+0x200/0x560 [meson_ddr_pmu_g12 8095101c49676ad138d9961e3eddaee10acca7bd]
+[ 31.745237] [ T2289] g12_ddr_pmu_probe+0x20/0x38 [meson_ddr_pmu_g12 8095101c49676ad138d9961e3eddaee10acca7bd]
+[ 31.745246] [ T2289] platform_probe+0x98/0xe0
+[ 31.745254] [ T2289] really_probe+0x144/0x3f8
+[ 31.745258] [ T2289] __driver_probe_device+0xb8/0x180
+[ 31.745261] [ T2289] driver_probe_device+0x54/0x268
+[ 31.745264] [ T2289] __driver_attach+0x11c/0x288
+[ 31.745267] [ T2289] bus_for_each_dev+0xfc/0x160
+[ 31.745274] [ T2289] driver_attach+0x34/0x50
+[ 31.745277] [ T2289] bus_add_driver+0x160/0x2b0
+[ 31.745281] [ T2289] driver_register+0x78/0x120
+[ 31.745285] [ T2289] __platform_driver_register+0x30/0x48
+[ 31.745288] [ T2289] init_module+0x30/0xfe0 [meson_ddr_pmu_g12 8095101c49676ad138d9961e3eddaee10acca7bd]
+[ 31.745298] [ T2289] do_one_initcall+0x11c/0x438
+[ 31.745303] [ T2289] do_init_module+0x68/0x228
+[ 31.745311] [ T2289] load_module+0x118c/0x13a8
+[ 31.745315] [ T2289] __arm64_sys_finit_module+0x274/0x390
+[ 31.745320] [ T2289] invoke_syscall+0x74/0x108
+[ 31.745326] [ T2289] el0_svc_common+0x90/0xf8
+[ 31.745330] [ T2289] do_el0_svc+0x2c/0x48
+[ 31.745333] [ T2289] el0_svc+0x60/0x150
+[ 31.745337] [ T2289] el0t_64_sync_handler+0x80/0x118
+[ 31.745341] [ T2289] el0t_64_sync+0x1b8/0x1c0
+
+Changes replaces smp_processor_id() with raw_smp_processor_id() to
+ensure safe CPU ID retrieval in preemptible contexts.
+
+Cc: Jiucheng Xu <jiucheng.xu@amlogic.com>
+Fixes: 2016e2113d35 ("perf/amlogic: Add support for Amlogic meson G12 SoC DDR PMU driver")
+Signed-off-by: Anand Moon <linux.amoon@gmail.com>
+Link: https://lore.kernel.org/r/20250407063206.5211-1-linux.amoon@gmail.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/perf/amlogic/meson_ddr_pmu_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/perf/amlogic/meson_ddr_pmu_core.c b/drivers/perf/amlogic/meson_ddr_pmu_core.c
+index bbc7285fd934a..5f8699612a9ad 100644
+--- a/drivers/perf/amlogic/meson_ddr_pmu_core.c
++++ b/drivers/perf/amlogic/meson_ddr_pmu_core.c
+@@ -510,7 +510,7 @@ int meson_ddr_pmu_create(struct platform_device *pdev)
+
+ fmt_attr_fill(pmu->info.hw_info->fmt_attr);
+
+- pmu->cpu = smp_processor_id();
++ pmu->cpu = raw_smp_processor_id();
+
+ name = devm_kasprintf(&pdev->dev, GFP_KERNEL, DDR_PERF_DEV_NAME);
+ if (!name)
+--
+2.39.5
+
--- /dev/null
+From dfc5e81bebaf4b85c4874cb3859ef2ee11f202a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Apr 2025 11:37:20 -0300
+Subject: perf build: Warn when libdebuginfod devel files are not available
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit 4fce4b91fd1aabb326c46e237eb4b19ab72598f8 ]
+
+While working on 'perf version --build-options' I noticed that:
+
+ $ perf version --build-options
+ perf version 6.15.rc1.g312a07a00d31
+ aio: [ on ] # HAVE_AIO_SUPPORT
+ bpf: [ on ] # HAVE_LIBBPF_SUPPORT
+ bpf_skeletons: [ on ] # HAVE_BPF_SKEL
+ debuginfod: [ OFF ] # HAVE_DEBUGINFOD_SUPPORT
+ <SNIP>
+
+And looking at tools/perf/Makefile.config I also noticed that it is not
+opt-in, meaning we will attempt to build with it in all normal cases.
+
+So add the usual warning at build time to let the user know that
+something recommended is missing, now we see:
+
+ Makefile.config:563: No elfutils/debuginfod.h found, no debuginfo server support, please install elfutils-debuginfod-client-devel or equivalent
+
+And after following the recommendation:
+
+ $ perf check feature debuginfod
+ debuginfod: [ on ] # HAVE_DEBUGINFOD_SUPPORT
+ $ ldd ~/bin/perf | grep debuginfo
+ libdebuginfod.so.1 => /lib64/libdebuginfod.so.1 (0x00007fee5cf5f000)
+ $
+
+With this feature on several perf tools will fetch what is needed and
+not require all the contents of the debuginfo packages, for instance:
+
+ # rpm -qa | grep kernel-debuginfo
+ # pahole --running_kernel_vmlinux
+ pahole: couldn't find a vmlinux that matches the running kernel
+ HINT: Maybe you're inside a container or missing a debuginfo package?
+ #
+ # perf trace -e open* perf probe --vars icmp_rcv
+ 0.000 ( 0.005 ms): perf/97391 openat(dfd: CWD, filename: "/etc/ld.so.cache", flags: RDONLY|CLOEXEC) = 3
+ 0.014 ( 0.004 ms): perf/97391 openat(dfd: CWD, filename: "/lib64/libm.so.6", flags: RDONLY|CLOEXEC) = 3
+ <SNIP>
+ 32130.100 ( 0.008 ms): perf/97391 openat(dfd: CWD, filename: "/root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo") = 3
+ <SNIP>
+ Available variables at icmp_rcv
+ @<icmp_rcv+0>
+ struct sk_buff* skb
+ <SNIP>
+ #
+ # pahole --running_kernel_vmlinux
+ /root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo
+ # file /root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo
+ /root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=aa3c82b4a13f9c0e0301bebb20fe958c4db6f362, with debug_info, not stripped
+ # ls -la /root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo
+ -r--------. 1 root root 475401512 Mar 27 21:00 /root/.cache/debuginfod_client/aa3c82b4a13f9c0e0301bebb20fe958c4db6f362/debuginfo
+ #
+
+Then, cached:
+
+ # perf stat --null perf probe --vars icmp_rcv
+ Available variables at icmp_rcv
+ @<icmp_rcv+0>
+ struct sk_buff* skb
+
+ Performance counter stats for 'perf probe --vars icmp_rcv':
+
+ 0.671389041 seconds time elapsed
+
+ 0.519176000 seconds user
+ 0.150860000 seconds sys
+
+Fixes: c7a14fdcb3fa7736 ("perf build-ids: Fall back to debuginfod query if debuginfo not found")
+Tested-by: Ingo Molnar <mingo@kernel.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Dmitriy Vyukov <dvyukov@google.com>
+Cc: Howard Chu <howardchu95@gmail.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Frank Ch. Eigler <fche@redhat.com>
+Link: https://lore.kernel.org/r/Z_dkNDj9EPFwPqq1@gmail.com
+[ Folded patch from Ingo to have the debian/ubuntu devel package added build warning message ]
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/Makefile.config | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/perf/Makefile.config b/tools/perf/Makefile.config
+index d66b52407e19c..9da9f878f50f7 100644
+--- a/tools/perf/Makefile.config
++++ b/tools/perf/Makefile.config
+@@ -554,6 +554,8 @@ ifndef NO_LIBELF
+ ifeq ($(feature-libdebuginfod), 1)
+ CFLAGS += -DHAVE_DEBUGINFOD_SUPPORT
+ EXTLIBS += -ldebuginfod
++ else
++ $(warning No elfutils/debuginfod.h found, no debuginfo server support, please install libdebuginfod-dev/elfutils-debuginfod-client-devel or equivalent)
+ endif
+ endif
+
+--
+2.39.5
+
--- /dev/null
+From 064e589d7dbcf91e92591dfe392aa3b9ff522fe5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Apr 2025 22:16:35 +0800
+Subject: perf/core: Fix broken throttling when max_samples_per_tick=1
+
+From: Qing Wang <wangqing7171@gmail.com>
+
+[ Upstream commit f51972e6f8b9a737b2b3eb588069acb538fa72de ]
+
+According to the throttling mechanism, the pmu interrupts number can not
+exceed the max_samples_per_tick in one tick. But this mechanism is
+ineffective when max_samples_per_tick=1, because the throttling check is
+skipped during the first interrupt and only performed when the second
+interrupt arrives.
+
+Perhaps this bug may cause little influence in one tick, but if in a
+larger time scale, the problem can not be underestimated.
+
+When max_samples_per_tick = 1:
+Allowed-interrupts-per-second max-samples-per-second default-HZ ARCH
+200 100 100 X86
+500 250 250 ARM64
+...
+Obviously, the pmu interrupt number far exceed the user's expect.
+
+Fixes: e050e3f0a71b ("perf: Fix broken interrupt rate throttling")
+Signed-off-by: Qing Wang <wangqing7171@gmail.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lkml.kernel.org/r/20250405141635.243786-3-wangqing7171@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/events/core.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index 5dd6424e62fa8..6460f79280ed2 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -9553,14 +9553,14 @@ __perf_event_account_interrupt(struct perf_event *event, int throttle)
+ hwc->interrupts = 1;
+ } else {
+ hwc->interrupts++;
+- if (unlikely(throttle &&
+- hwc->interrupts > max_samples_per_tick)) {
+- __this_cpu_inc(perf_throttled_count);
+- tick_dep_set_cpu(smp_processor_id(), TICK_DEP_BIT_PERF_EVENTS);
+- hwc->interrupts = MAX_INTERRUPTS;
+- perf_log_throttle(event, 0);
+- ret = 1;
+- }
++ }
++
++ if (unlikely(throttle && hwc->interrupts >= max_samples_per_tick)) {
++ __this_cpu_inc(perf_throttled_count);
++ tick_dep_set_cpu(smp_processor_id(), TICK_DEP_BIT_PERF_EVENTS);
++ hwc->interrupts = MAX_INTERRUPTS;
++ perf_log_throttle(event, 0);
++ ret = 1;
+ }
+
+ if (event->attr.freq) {
+--
+2.39.5
+
--- /dev/null
+From c23e8e0a0e2ed0f8f1d73be8f4abd7b1820d6280 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 May 2025 12:39:30 +0300
+Subject: perf intel-pt: Fix PEBS-via-PT data_src
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+[ Upstream commit e00eac6b5b6d956f38d8880c44bf7fd9954063c3 ]
+
+The Fixes commit did not add support for decoding PEBS-via-PT data_src.
+Fix by adding support.
+
+PEBS-via-PT is a feature of some E-core processors, starting with
+processors based on Tremont microarchitecture. Because the kernel only
+supports Intel PT features that are on all processors, there is no support
+for PEBS-via-PT on hybrids.
+
+Currently that leaves processors based on Tremont, Gracemont and Crestmont,
+however there are no events on Tremont that produce data_src information,
+and for Gracemont and Crestmont there are only:
+
+ mem-loads event=0xd0,umask=0x5,ldlat=3
+ mem-stores event=0xd0,umask=0x6
+
+Affected processors include Alder Lake N (Gracemont), Sierra Forest
+(Crestmont) and Grand Ridge (Crestmont).
+
+Example:
+
+ # perf record -d -e intel_pt/branch=0/ -e mem-loads/aux-output/pp uname
+
+ Before:
+
+ # perf.before script --itrace=o -Fdata_src
+ 0 |OP No|LVL N/A|SNP N/A|TLB N/A|LCK No|BLK N/A
+ 0 |OP No|LVL N/A|SNP N/A|TLB N/A|LCK No|BLK N/A
+
+ After:
+
+ # perf script --itrace=o -Fdata_src
+ 10268100142 |OP LOAD|LVL L1 hit|SNP None|TLB L1 or L2 hit|LCK No|BLK N/A
+ 10450100442 |OP LOAD|LVL L2 hit|SNP None|TLB L2 miss|LCK No|BLK N/A
+
+Fixes: 975846eddf907297 ("perf intel-pt: Add memory information to synthesized PEBS sample")
+Reviewed-by: Kan Liang <kan.liang@linux.intel.com>
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: https://lore.kernel.org/r/20250512093932.79854-2-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/intel-pt.c | 205 ++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 202 insertions(+), 3 deletions(-)
+
+diff --git a/tools/perf/util/intel-pt.c b/tools/perf/util/intel-pt.c
+index 4db9a098f5926..e9f97c0c33582 100644
+--- a/tools/perf/util/intel-pt.c
++++ b/tools/perf/util/intel-pt.c
+@@ -127,6 +127,7 @@ struct intel_pt {
+
+ bool single_pebs;
+ bool sample_pebs;
++ int pebs_data_src_fmt;
+ struct evsel *pebs_evsel;
+
+ u64 evt_sample_type;
+@@ -175,6 +176,7 @@ enum switch_state {
+ struct intel_pt_pebs_event {
+ struct evsel *evsel;
+ u64 id;
++ int data_src_fmt;
+ };
+
+ struct intel_pt_queue {
+@@ -2232,7 +2234,146 @@ static void intel_pt_add_lbrs(struct branch_stack *br_stack,
+ }
+ }
+
+-static int intel_pt_do_synth_pebs_sample(struct intel_pt_queue *ptq, struct evsel *evsel, u64 id)
++#define P(a, b) PERF_MEM_S(a, b)
++#define OP_LH (P(OP, LOAD) | P(LVL, HIT))
++#define LEVEL(x) P(LVLNUM, x)
++#define REM P(REMOTE, REMOTE)
++#define SNOOP_NONE_MISS (P(SNOOP, NONE) | P(SNOOP, MISS))
++
++#define PERF_PEBS_DATA_SOURCE_GRT_MAX 0x10
++#define PERF_PEBS_DATA_SOURCE_GRT_MASK (PERF_PEBS_DATA_SOURCE_GRT_MAX - 1)
++
++/* Based on kernel __intel_pmu_pebs_data_source_grt() and pebs_data_source */
++static const u64 pebs_data_source_grt[PERF_PEBS_DATA_SOURCE_GRT_MAX] = {
++ P(OP, LOAD) | P(LVL, MISS) | LEVEL(L3) | P(SNOOP, NA), /* L3 miss|SNP N/A */
++ OP_LH | P(LVL, L1) | LEVEL(L1) | P(SNOOP, NONE), /* L1 hit|SNP None */
++ OP_LH | P(LVL, LFB) | LEVEL(LFB) | P(SNOOP, NONE), /* LFB/MAB hit|SNP None */
++ OP_LH | P(LVL, L2) | LEVEL(L2) | P(SNOOP, NONE), /* L2 hit|SNP None */
++ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, NONE), /* L3 hit|SNP None */
++ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, HIT), /* L3 hit|SNP Hit */
++ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, HITM), /* L3 hit|SNP HitM */
++ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, HITM), /* L3 hit|SNP HitM */
++ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOPX, FWD), /* L3 hit|SNP Fwd */
++ OP_LH | P(LVL, REM_CCE1) | REM | LEVEL(L3) | P(SNOOP, HITM), /* Remote L3 hit|SNP HitM */
++ OP_LH | P(LVL, LOC_RAM) | LEVEL(RAM) | P(SNOOP, HIT), /* RAM hit|SNP Hit */
++ OP_LH | P(LVL, REM_RAM1) | REM | LEVEL(L3) | P(SNOOP, HIT), /* Remote L3 hit|SNP Hit */
++ OP_LH | P(LVL, LOC_RAM) | LEVEL(RAM) | SNOOP_NONE_MISS, /* RAM hit|SNP None or Miss */
++ OP_LH | P(LVL, REM_RAM1) | LEVEL(RAM) | REM | SNOOP_NONE_MISS, /* Remote RAM hit|SNP None or Miss */
++ OP_LH | P(LVL, IO) | LEVEL(NA) | P(SNOOP, NONE), /* I/O hit|SNP None */
++ OP_LH | P(LVL, UNC) | LEVEL(NA) | P(SNOOP, NONE), /* Uncached hit|SNP None */
++};
++
++/* Based on kernel __intel_pmu_pebs_data_source_cmt() and pebs_data_source */
++static const u64 pebs_data_source_cmt[PERF_PEBS_DATA_SOURCE_GRT_MAX] = {
++ P(OP, LOAD) | P(LVL, MISS) | LEVEL(L3) | P(SNOOP, NA), /* L3 miss|SNP N/A */
++ OP_LH | P(LVL, L1) | LEVEL(L1) | P(SNOOP, NONE), /* L1 hit|SNP None */
++ OP_LH | P(LVL, LFB) | LEVEL(LFB) | P(SNOOP, NONE), /* LFB/MAB hit|SNP None */
++ OP_LH | P(LVL, L2) | LEVEL(L2) | P(SNOOP, NONE), /* L2 hit|SNP None */
++ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, NONE), /* L3 hit|SNP None */
++ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, MISS), /* L3 hit|SNP Hit */
++ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, HIT), /* L3 hit|SNP HitM */
++ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOPX, FWD), /* L3 hit|SNP HitM */
++ OP_LH | P(LVL, L3) | LEVEL(L3) | P(SNOOP, HITM), /* L3 hit|SNP Fwd */
++ OP_LH | P(LVL, REM_CCE1) | REM | LEVEL(L3) | P(SNOOP, HITM), /* Remote L3 hit|SNP HitM */
++ OP_LH | P(LVL, LOC_RAM) | LEVEL(RAM) | P(SNOOP, NONE), /* RAM hit|SNP Hit */
++ OP_LH | LEVEL(RAM) | REM | P(SNOOP, NONE), /* Remote L3 hit|SNP Hit */
++ OP_LH | LEVEL(RAM) | REM | P(SNOOPX, FWD), /* RAM hit|SNP None or Miss */
++ OP_LH | LEVEL(RAM) | REM | P(SNOOP, HITM), /* Remote RAM hit|SNP None or Miss */
++ OP_LH | P(LVL, IO) | LEVEL(NA) | P(SNOOP, NONE), /* I/O hit|SNP None */
++ OP_LH | P(LVL, UNC) | LEVEL(NA) | P(SNOOP, NONE), /* Uncached hit|SNP None */
++};
++
++/* Based on kernel pebs_set_tlb_lock() */
++static inline void pebs_set_tlb_lock(u64 *val, bool tlb, bool lock)
++{
++ /*
++ * TLB access
++ * 0 = did not miss 2nd level TLB
++ * 1 = missed 2nd level TLB
++ */
++ if (tlb)
++ *val |= P(TLB, MISS) | P(TLB, L2);
++ else
++ *val |= P(TLB, HIT) | P(TLB, L1) | P(TLB, L2);
++
++ /* locked prefix */
++ if (lock)
++ *val |= P(LOCK, LOCKED);
++}
++
++/* Based on kernel __grt_latency_data() */
++static u64 intel_pt_grt_latency_data(u8 dse, bool tlb, bool lock, bool blk,
++ const u64 *pebs_data_source)
++{
++ u64 val;
++
++ dse &= PERF_PEBS_DATA_SOURCE_GRT_MASK;
++ val = pebs_data_source[dse];
++
++ pebs_set_tlb_lock(&val, tlb, lock);
++
++ if (blk)
++ val |= P(BLK, DATA);
++ else
++ val |= P(BLK, NA);
++
++ return val;
++}
++
++/* Default value for data source */
++#define PERF_MEM_NA (PERF_MEM_S(OP, NA) |\
++ PERF_MEM_S(LVL, NA) |\
++ PERF_MEM_S(SNOOP, NA) |\
++ PERF_MEM_S(LOCK, NA) |\
++ PERF_MEM_S(TLB, NA) |\
++ PERF_MEM_S(LVLNUM, NA))
++
++enum DATA_SRC_FORMAT {
++ DATA_SRC_FORMAT_ERR = -1,
++ DATA_SRC_FORMAT_NA = 0,
++ DATA_SRC_FORMAT_GRT = 1,
++ DATA_SRC_FORMAT_CMT = 2,
++};
++
++/* Based on kernel grt_latency_data() and cmt_latency_data */
++static u64 intel_pt_get_data_src(u64 mem_aux_info, int data_src_fmt)
++{
++ switch (data_src_fmt) {
++ case DATA_SRC_FORMAT_GRT: {
++ union {
++ u64 val;
++ struct {
++ unsigned int dse:4;
++ unsigned int locked:1;
++ unsigned int stlb_miss:1;
++ unsigned int fwd_blk:1;
++ unsigned int reserved:25;
++ };
++ } x = {.val = mem_aux_info};
++ return intel_pt_grt_latency_data(x.dse, x.stlb_miss, x.locked, x.fwd_blk,
++ pebs_data_source_grt);
++ }
++ case DATA_SRC_FORMAT_CMT: {
++ union {
++ u64 val;
++ struct {
++ unsigned int dse:5;
++ unsigned int locked:1;
++ unsigned int stlb_miss:1;
++ unsigned int fwd_blk:1;
++ unsigned int reserved:24;
++ };
++ } x = {.val = mem_aux_info};
++ return intel_pt_grt_latency_data(x.dse, x.stlb_miss, x.locked, x.fwd_blk,
++ pebs_data_source_cmt);
++ }
++ default:
++ return PERF_MEM_NA;
++ }
++}
++
++static int intel_pt_do_synth_pebs_sample(struct intel_pt_queue *ptq, struct evsel *evsel,
++ u64 id, int data_src_fmt)
+ {
+ const struct intel_pt_blk_items *items = &ptq->state->items;
+ struct perf_sample sample = { .ip = 0, };
+@@ -2350,6 +2491,18 @@ static int intel_pt_do_synth_pebs_sample(struct intel_pt_queue *ptq, struct evse
+ }
+ }
+
++ if (sample_type & PERF_SAMPLE_DATA_SRC) {
++ if (items->has_mem_aux_info && data_src_fmt) {
++ if (data_src_fmt < 0) {
++ pr_err("Intel PT missing data_src info\n");
++ return -1;
++ }
++ sample.data_src = intel_pt_get_data_src(items->mem_aux_info, data_src_fmt);
++ } else {
++ sample.data_src = PERF_MEM_NA;
++ }
++ }
++
+ if (sample_type & PERF_SAMPLE_TRANSACTION && items->has_tsx_aux_info) {
+ u64 ax = items->has_rax ? items->rax : 0;
+ /* Refer kernel's intel_hsw_transaction() */
+@@ -2368,9 +2521,10 @@ static int intel_pt_synth_single_pebs_sample(struct intel_pt_queue *ptq)
+ {
+ struct intel_pt *pt = ptq->pt;
+ struct evsel *evsel = pt->pebs_evsel;
++ int data_src_fmt = pt->pebs_data_src_fmt;
+ u64 id = evsel->core.id[0];
+
+- return intel_pt_do_synth_pebs_sample(ptq, evsel, id);
++ return intel_pt_do_synth_pebs_sample(ptq, evsel, id, data_src_fmt);
+ }
+
+ static int intel_pt_synth_pebs_sample(struct intel_pt_queue *ptq)
+@@ -2395,7 +2549,7 @@ static int intel_pt_synth_pebs_sample(struct intel_pt_queue *ptq)
+ hw_id);
+ return intel_pt_synth_single_pebs_sample(ptq);
+ }
+- err = intel_pt_do_synth_pebs_sample(ptq, pe->evsel, pe->id);
++ err = intel_pt_do_synth_pebs_sample(ptq, pe->evsel, pe->id, pe->data_src_fmt);
+ if (err)
+ return err;
+ }
+@@ -3355,6 +3509,49 @@ static int intel_pt_process_itrace_start(struct intel_pt *pt,
+ event->itrace_start.tid);
+ }
+
++/*
++ * Events with data_src are identified by L1_Hit_Indication
++ * refer https://github.com/intel/perfmon
++ */
++static int intel_pt_data_src_fmt(struct intel_pt *pt, struct evsel *evsel)
++{
++ struct perf_env *env = pt->machine->env;
++ int fmt = DATA_SRC_FORMAT_NA;
++
++ if (!env->cpuid)
++ return DATA_SRC_FORMAT_ERR;
++
++ /*
++ * PEBS-via-PT is only supported on E-core non-hybrid. Of those only
++ * Gracemont and Crestmont have data_src. Check for:
++ * Alderlake N (Gracemont)
++ * Sierra Forest (Crestmont)
++ * Grand Ridge (Crestmont)
++ */
++
++ if (!strncmp(env->cpuid, "GenuineIntel,6,190,", 19))
++ fmt = DATA_SRC_FORMAT_GRT;
++
++ if (!strncmp(env->cpuid, "GenuineIntel,6,175,", 19) ||
++ !strncmp(env->cpuid, "GenuineIntel,6,182,", 19))
++ fmt = DATA_SRC_FORMAT_CMT;
++
++ if (fmt == DATA_SRC_FORMAT_NA)
++ return fmt;
++
++ /*
++ * Only data_src events are:
++ * mem-loads event=0xd0,umask=0x5
++ * mem-stores event=0xd0,umask=0x6
++ */
++ if (evsel->core.attr.type == PERF_TYPE_RAW &&
++ ((evsel->core.attr.config & 0xffff) == 0x5d0 ||
++ (evsel->core.attr.config & 0xffff) == 0x6d0))
++ return fmt;
++
++ return DATA_SRC_FORMAT_NA;
++}
++
+ static int intel_pt_process_aux_output_hw_id(struct intel_pt *pt,
+ union perf_event *event,
+ struct perf_sample *sample)
+@@ -3375,6 +3572,7 @@ static int intel_pt_process_aux_output_hw_id(struct intel_pt *pt,
+
+ ptq->pebs[hw_id].evsel = evsel;
+ ptq->pebs[hw_id].id = sample->id;
++ ptq->pebs[hw_id].data_src_fmt = intel_pt_data_src_fmt(pt, evsel);
+
+ return 0;
+ }
+@@ -3946,6 +4144,7 @@ static void intel_pt_setup_pebs_events(struct intel_pt *pt)
+ }
+ pt->single_pebs = true;
+ pt->sample_pebs = true;
++ pt->pebs_data_src_fmt = intel_pt_data_src_fmt(pt, evsel);
+ pt->pebs_evsel = evsel;
+ }
+ }
+--
+2.39.5
+
--- /dev/null
+From 43345cd5f00c2649ea19a1e1d2bf7420e5d9282d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Apr 2025 06:08:10 +0000
+Subject: perf record: Fix incorrect --user-regs comments
+
+From: Dapeng Mi <dapeng1.mi@linux.intel.com>
+
+[ Upstream commit a4a859eb6704a8aa46aa1cec5396c8d41383a26b ]
+
+The comment of "--user-regs" option is not correct, fix it.
+
+"on interrupt," -> "in user space,"
+
+Fixes: 84c417422798c897 ("perf record: Support direct --user-regs arguments")
+Reviewed-by: Ian Rogers <irogers@google.com>
+Signed-off-by: Dapeng Mi <dapeng1.mi@linux.intel.com>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20250403060810.196028-1-dapeng1.mi@linux.intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-record.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/builtin-record.c b/tools/perf/builtin-record.c
+index b94ae33a343c2..81f77c0505fde 100644
+--- a/tools/perf/builtin-record.c
++++ b/tools/perf/builtin-record.c
+@@ -3427,7 +3427,7 @@ static struct option __record_options[] = {
+ "sample selected machine registers on interrupt,"
+ " use '-I?' to list register names", parse_intr_regs),
+ OPT_CALLBACK_OPTARG(0, "user-regs", &record.opts.sample_user_regs, NULL, "any register",
+- "sample selected machine registers on interrupt,"
++ "sample selected machine registers in user space,"
+ " use '--user-regs=?' to list register names", parse_user_regs),
+ OPT_BOOLEAN(0, "running-time", &record.opts.running_time,
+ "Record running/enabled time of read (:S) events"),
+--
+2.39.5
+
--- /dev/null
+From 2ba7fead456fece29cb57b7345c5c75ab06594d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 May 2025 12:39:32 +0300
+Subject: perf scripts python: exported-sql-viewer.py: Fix pattern matching
+ with Python 3
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+[ Upstream commit 17e548405a81665fd14cee960db7d093d1396400 ]
+
+The script allows the user to enter patterns to find symbols.
+
+The pattern matching characters are converted for use in SQL.
+
+For PostgreSQL the conversion involves using the Python maketrans()
+method which is slightly different in Python 3 compared with Python 2.
+
+Fix to work in Python 3.
+
+Fixes: beda0e725e5f06ac ("perf script python: Add Python3 support to exported-sql-viewer.py")
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Tony Jones <tonyj@suse.de>
+Link: https://lore.kernel.org/r/20250512093932.79854-4-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/scripts/python/exported-sql-viewer.py | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/scripts/python/exported-sql-viewer.py b/tools/perf/scripts/python/exported-sql-viewer.py
+index 13f2d8a816109..99742013676b3 100755
+--- a/tools/perf/scripts/python/exported-sql-viewer.py
++++ b/tools/perf/scripts/python/exported-sql-viewer.py
+@@ -680,7 +680,10 @@ class CallGraphModelBase(TreeModel):
+ s = value.replace("%", "\%")
+ s = s.replace("_", "\_")
+ # Translate * and ? into SQL LIKE pattern characters % and _
+- trans = string.maketrans("*?", "%_")
++ if sys.version_info[0] == 3:
++ trans = str.maketrans("*?", "%_")
++ else:
++ trans = string.maketrans("*?", "%_")
+ match = " LIKE '" + str(s).translate(trans) + "'"
+ else:
+ match = " GLOB '" + str(value) + "'"
+--
+2.39.5
+
--- /dev/null
+From 67d2c2b32423c4822944a09e9ccf0fe5a11e1575 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 Mar 2025 18:27:59 +0100
+Subject: perf tests switch-tracking: Fix timestamp comparison
+
+From: Leo Yan <leo.yan@arm.com>
+
+[ Upstream commit 628e124404b3db5e10e17228e680a2999018ab33 ]
+
+The test might fail on the Arm64 platform with the error:
+
+ # perf test -vvv "Track with sched_switch"
+ Missing sched_switch events
+ #
+
+The issue is caused by incorrect handling of timestamp comparisons. The
+comparison result, a signed 64-bit value, was being directly cast to an
+int, leading to incorrect sorting for sched events.
+
+The case does not fail everytime, usually I can trigger the failure
+after run 20 ~ 30 times:
+
+ # while true; do perf test "Track with sched_switch"; done
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : FAILED!
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : FAILED!
+ 106: Track with sched_switch : Ok
+ 106: Track with sched_switch : Ok
+
+I used cross compiler to build Perf tool on my host machine and tested on
+Debian / Juno board. Generally, I think this issue is not very specific
+to GCC versions. As both internal CI and my local env can reproduce the
+issue.
+
+My Host Build compiler:
+
+ # aarch64-linux-gnu-gcc --version
+ aarch64-linux-gnu-gcc (Ubuntu 13.3.0-6ubuntu2~24.04) 13.3.0
+
+Juno Board:
+
+ # lsb_release -a
+ No LSB modules are available.
+ Distributor ID: Debian
+ Description: Debian GNU/Linux 12 (bookworm)
+ Release: 12
+ Codename: bookworm
+
+Fix this by explicitly returning 0, 1, or -1 based on whether the result
+is zero, positive, or negative.
+
+Fixes: d44bc558297222d9 ("perf tests: Add a test for tracking with sched_switch")
+Reviewed-by: Ian Rogers <irogers@google.com>
+Signed-off-by: Leo Yan <leo.yan@arm.com>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: James Clark <james.clark@linaro.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: https://lore.kernel.org/r/20250331172759.115604-1-leo.yan@arm.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/tests/switch-tracking.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/tests/switch-tracking.c b/tools/perf/tests/switch-tracking.c
+index e52b031bedc5a..2c7bdf4fd55ed 100644
+--- a/tools/perf/tests/switch-tracking.c
++++ b/tools/perf/tests/switch-tracking.c
+@@ -258,7 +258,7 @@ static int compar(const void *a, const void *b)
+ const struct event_node *nodeb = b;
+ s64 cmp = nodea->event_time - nodeb->event_time;
+
+- return cmp;
++ return cmp < 0 ? -1 : (cmp > 0 ? 1 : 0);
+ }
+
+ static int process_events(struct evlist *evlist,
+--
+2.39.5
+
--- /dev/null
+From 474933041f761dc20021d1692e95816cd6bb94a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Apr 2025 12:04:12 -0400
+Subject: perf trace: Always print return value for syscalls returning a pid
+
+From: Anubhav Shelat <ashelat@redhat.com>
+
+[ Upstream commit c7a48ea9b919e2fa0e4a1d9938fdb03e9afe276c ]
+
+The syscalls that were consistently observed were set_robust_list and
+rseq. This is because perf cannot find their child process.
+
+This change ensures that the return value is always printed.
+
+Before:
+ 0.256 ( 0.001 ms): set_robust_list(head: 0x7f09c77dba20, len: 24) =
+ 0.259 ( 0.001 ms): rseq(rseq: 0x7f09c77dc0e0, rseq_len: 32, sig: 1392848979) =
+After:
+ 0.270 ( 0.002 ms): set_robust_list(head: 0x7f0bb14a6a20, len: 24) = 0
+ 0.273 ( 0.002 ms): rseq(rseq: 0x7f0bb14a70e0, rseq_len: 32, sig: 1392848979) = 0
+
+Committer notes:
+
+As discussed in the thread in the Link: tag below, these two don't
+return a pid, but for syscalls returning one, we need to print the
+result and if we manage to find the children in 'perf trace' data
+structures, then print its name as well.
+
+Fixes: 11c8e39f5133aed9 ("perf trace: Infrastructure to show COMM strings for syscalls returning PIDs")
+Reviewed-by: Howard Chu <howardchu95@gmail.com>
+Signed-off-by: Anubhav Shelat <ashelat@redhat.com>
+Acked-by: Namhyung Kim <namhyung@kernel.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Dapeng Mi <dapeng1.mi@linux.intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: James Clark <james.clark@linaro.org>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Michael Petlan <mpetlan@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20250403160411.159238-2-ashelat@redhat.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-trace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c
+index 908509df007ba..7ee3285af10c9 100644
+--- a/tools/perf/builtin-trace.c
++++ b/tools/perf/builtin-trace.c
+@@ -2586,8 +2586,8 @@ errno_print: {
+ else if (sc->fmt->errpid) {
+ struct thread *child = machine__find_thread(trace->host, ret, ret);
+
++ fprintf(trace->output, "%ld", ret);
+ if (child != NULL) {
+- fprintf(trace->output, "%ld", ret);
+ if (thread__comm_set(child))
+ fprintf(trace->output, " (%s)", thread__comm_str(child));
+ thread__put(child);
+--
+2.39.5
+
--- /dev/null
+From 4a58f3ee7db362d889bac06f09adbc23ad0b778f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Apr 2025 22:42:13 -0700
+Subject: perf trace: Fix leaks of 'struct thread' in set_filter_loop_pids()
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+[ Upstream commit 30d20fb1f84ad5c92706fe2c6cbb2d4cc293e671 ]
+
+I've found some leaks from 'perf trace -a'.
+
+It seems there are more leaks but this is what I can find for now.
+
+Fixes: 082ab9a18e532864 ("perf trace: Filter out 'sshd' in the tracer ancestry in syswide tracing")
+Reviewed-by: Howard Chu <howardchu95@gmail.com>
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20250403054213.7021-1-namhyung@kernel.org
+[ split from a larget patch ]
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-trace.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c
+index 12bdbf3ecc6ae..908509df007ba 100644
+--- a/tools/perf/builtin-trace.c
++++ b/tools/perf/builtin-trace.c
+@@ -3589,10 +3589,13 @@ static int trace__set_filter_loop_pids(struct trace *trace)
+ if (!strcmp(thread__comm_str(parent), "sshd") ||
+ strstarts(thread__comm_str(parent), "gnome-terminal")) {
+ pids[nr++] = thread__tid(parent);
++ thread__put(parent);
+ break;
+ }
++ thread__put(thread);
+ thread = parent;
+ }
++ thread__put(thread);
+
+ err = evlist__append_tp_filter_pids(trace->evlist, nr, pids);
+ if (!err && trace->filter_pids.map)
+--
+2.39.5
+
--- /dev/null
+From 828e793cb0d2af0c99c557e0f0c5f2fd238e022a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Apr 2025 21:58:19 -0300
+Subject: perf ui browser hists: Set actions->thread before calling
+ do_zoom_thread()
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit 1741189d843a1d5ef38538bc52a3760e2e46cb2e ]
+
+In 7cecb7fe8388d5c3 ("perf hists: Move sort__has_comm into struct
+perf_hpp_list") it assumes that act->thread is set prior to calling
+do_zoom_thread().
+
+This doesn't happen when we use ESC or the Left arrow key to Zoom out of
+a specific thread, making this operation not to work and we get stuck
+into the thread zoom.
+
+In 6422184b087ff435 ("perf hists browser: Simplify zooming code using
+pstack_peek()") it says no need to set actions->thread, and at that
+point that was true, but in 7cecb7fe8388d5c3 a actions->thread == NULL
+check was added before the zoom out of thread could kick in.
+
+We can zoom out using the alternative 't' thread zoom toggle hotkey to
+finally set actions->thread before calling do_zoom_thread() and zoom
+out, but lets also fix the ESC/Zoom out of thread case.
+
+Fixes: 7cecb7fe8388d5c3 ("perf hists: Move sort__has_comm into struct perf_hpp_list")
+Reported-by: Ingo Molnar <mingo@kernel.org>
+Tested-by: Ingo Molnar <mingo@kernel.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: James Clark <james.clark@linaro.org>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Link: https://lore.kernel.org/r/Z_TYux5fUg2pW-pF@gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/ui/browsers/hists.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/ui/browsers/hists.c b/tools/perf/ui/browsers/hists.c
+index bb59d27642ccf..a53a0257a4bca 100644
+--- a/tools/perf/ui/browsers/hists.c
++++ b/tools/perf/ui/browsers/hists.c
+@@ -3239,10 +3239,10 @@ static int evsel__hists_browse(struct evsel *evsel, int nr_events, const char *h
+ /*
+ * No need to set actions->dso here since
+ * it's just to remove the current filter.
+- * Ditto for thread below.
+ */
+ do_zoom_dso(browser, actions);
+ } else if (top == &browser->hists->thread_filter) {
++ actions->thread = thread;
+ do_zoom_thread(browser, actions);
+ } else if (top == &browser->hists->socket_filter) {
+ do_zoom_socket(browser, actions);
+--
+2.39.5
+
--- /dev/null
+From a72ee52b73e8b0e08b3760b129741e5ec743e8b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Apr 2025 07:50:50 -0500
+Subject: phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug
+
+From: Chenyuan Yang <chenyuan0y@gmail.com>
+
+[ Upstream commit d14402a38c2d868cacb1facaf9be908ca6558e59 ]
+
+The qmp_usb_iomap() helper function currently returns the raw result of
+devm_ioremap() for non-exclusive mappings. Since devm_ioremap() may return
+a NULL pointer and the caller only checks error pointers with IS_ERR(),
+NULL could bypass the check and lead to an invalid dereference.
+
+Fix the issue by checking if devm_ioremap() returns NULL. When it does,
+qmp_usb_iomap() now returns an error pointer via IOMEM_ERR_PTR(-ENOMEM),
+ensuring safe and consistent error handling.
+
+Signed-off-by: Chenyuan Yang <chenyuan0y@gmail.com>
+Fixes: a5d6b1ac56cb ("phy: qcom-qmp-usb: fix memleak on probe deferral")
+CC: Johan Hovold <johan@kernel.org>
+CC: Krzysztof Kozlowski <krzk@kernel.org>
+Reviewed-by: Johan Hovold <johan+linaro@kernel.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250414125050.2118619-1-chenyuan0y@gmail.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/qualcomm/phy-qcom-qmp-usb.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/phy/qualcomm/phy-qcom-qmp-usb.c b/drivers/phy/qualcomm/phy-qcom-qmp-usb.c
+index c697d01b2a2a1..5072bca0af7c5 100644
+--- a/drivers/phy/qualcomm/phy-qcom-qmp-usb.c
++++ b/drivers/phy/qualcomm/phy-qcom-qmp-usb.c
+@@ -2044,12 +2044,16 @@ static void __iomem *qmp_usb_iomap(struct device *dev, struct device_node *np,
+ int index, bool exclusive)
+ {
+ struct resource res;
++ void __iomem *mem;
+
+ if (!exclusive) {
+ if (of_address_to_resource(np, index, &res))
+ return IOMEM_ERR_PTR(-EINVAL);
+
+- return devm_ioremap(dev, res.start, resource_size(&res));
++ mem = devm_ioremap(dev, res.start, resource_size(&res));
++ if (!mem)
++ return IOMEM_ERR_PTR(-ENOMEM);
++ return mem;
+ }
+
+ return devm_of_iomap(dev, np, index, NULL);
+--
+2.39.5
+
--- /dev/null
+From 6c1de531eca1c67b7901a8c6774216b902987c6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 May 2025 23:08:07 +0300
+Subject: pinctrl: at91: Fix possible out-of-boundary access
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 762ef7d1e6eefad9896560bfcb9bcf7f1b6df9c1 ]
+
+at91_gpio_probe() doesn't check that given OF alias is not available or
+something went wrong when trying to get it. This might have consequences
+when accessing gpio_chips array with that value as an index. Note, that
+BUG() can be compiled out and hence won't actually perform the required
+checks.
+
+Fixes: 6732ae5cb47c ("ARM: at91: add pinctrl support")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Closes: https://lore.kernel.org/r/202505052343.UHF1Zo93-lkp@intel.com/
+Link: https://lore.kernel.org/20250508200807.1384558-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-at91.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/pinctrl-at91.c b/drivers/pinctrl/pinctrl-at91.c
+index d7b66928a4e50..3c09f743b68c2 100644
+--- a/drivers/pinctrl/pinctrl-at91.c
++++ b/drivers/pinctrl/pinctrl-at91.c
+@@ -1825,12 +1825,16 @@ static int at91_gpio_probe(struct platform_device *pdev)
+ struct at91_gpio_chip *at91_chip = NULL;
+ struct gpio_chip *chip;
+ struct pinctrl_gpio_range *range;
++ int alias_idx;
+ int ret = 0;
+ int irq, i;
+- int alias_idx = of_alias_get_id(np, "gpio");
+ uint32_t ngpio;
+ char **names;
+
++ alias_idx = of_alias_get_id(np, "gpio");
++ if (alias_idx < 0)
++ return alias_idx;
++
+ BUG_ON(alias_idx >= ARRAY_SIZE(gpio_chips));
+ if (gpio_chips[alias_idx])
+ return dev_err_probe(dev, -EBUSY, "%d slot is occupied.\n", alias_idx);
+--
+2.39.5
+
--- /dev/null
+From 96c60b1ac8bbab1dd9802034ef3620db85e85dd5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Jun 2025 18:19:27 +0200
+Subject: PM: sleep: Fix power.is_suspended cleanup for direct-complete devices
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit d46c4c839c20a599a0eb8d73708ce401f9c7d06d ]
+
+Commit 03f1444016b7 ("PM: sleep: Fix handling devices with direct_complete
+set on errors") caused power.is_suspended to be set for devices with
+power.direct_complete set, but it forgot to ensure the clearing of that
+flag for them in device_resume(), so power.is_suspended is still set for
+them during the next system suspend-resume cycle.
+
+If that cycle is aborted in dpm_suspend(), the subsequent invocation of
+dpm_resume() will trigger a device_resume() call for every device and
+because power.is_suspended is set for the devices in question, they will
+not be skipped by device_resume() as expected which causes scary error
+messages to be logged (as appropriate).
+
+To address this issue, move the clearing of power.is_suspended in
+device_resume() immediately after the power.is_suspended check so it
+will be always cleared for all devices processed by that function.
+
+Fixes: 03f1444016b7 ("PM: sleep: Fix handling devices with direct_complete set on errors")
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4280
+Reported-and-tested-by: Chris Bainbridge <chris.bainbridge@gmail.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Link: https://patch.msgid.link/4990586.GXAFRqVoOG@rjwysocki.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/power/main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c
+index 343d3c966e7a7..baa31194cf20d 100644
+--- a/drivers/base/power/main.c
++++ b/drivers/base/power/main.c
+@@ -897,6 +897,8 @@ static void __device_resume(struct device *dev, pm_message_t state, bool async)
+ if (!dev->power.is_suspended)
+ goto Complete;
+
++ dev->power.is_suspended = false;
++
+ if (dev->power.direct_complete) {
+ /* Match the pm_runtime_disable() in __device_suspend(). */
+ pm_runtime_enable(dev);
+@@ -952,7 +954,6 @@ static void __device_resume(struct device *dev, pm_message_t state, bool async)
+
+ End:
+ error = dpm_run_callback(callback, dev, state, info);
+- dev->power.is_suspended = false;
+
+ device_unlock(dev);
+ dpm_watchdog_clear(&wd);
+--
+2.39.5
+
--- /dev/null
+From 58d70e1d90a1db930d456077a3bc5f83f7556e31 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 May 2025 14:51:47 +0200
+Subject: PM: sleep: Print PM debug messages during hibernation
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 1b17d4525bca3916644c41e01522df8fa0f8b90b ]
+
+Commit cdb8c100d8a4 ("include/linux/suspend.h: Only show pm_pr_dbg
+messages at suspend/resume") caused PM debug messages to only be
+printed during system-wide suspend and resume in progress, but it
+forgot about hibernation.
+
+Address this by adding a check for hibernation in progress to
+pm_debug_messages_should_print().
+
+Fixes: cdb8c100d8a4 ("include/linux/suspend.h: Only show pm_pr_dbg messages at suspend/resume")
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Link: https://patch.msgid.link/4998903.GXAFRqVoOG@rjwysocki.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/power/hibernate.c | 5 +++++
+ kernel/power/main.c | 3 ++-
+ kernel/power/power.h | 4 ++++
+ 3 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
+index c2fc58938dee5..76dcf2e28427f 100644
+--- a/kernel/power/hibernate.c
++++ b/kernel/power/hibernate.c
+@@ -80,6 +80,11 @@ void hibernate_release(void)
+ atomic_inc(&hibernate_atomic);
+ }
+
++bool hibernation_in_progress(void)
++{
++ return !atomic_read(&hibernate_atomic);
++}
++
+ bool hibernation_available(void)
+ {
+ return nohibernate == 0 &&
+diff --git a/kernel/power/main.c b/kernel/power/main.c
+index f6425ae3e8b05..a3543bd2d25af 100644
+--- a/kernel/power/main.c
++++ b/kernel/power/main.c
+@@ -585,7 +585,8 @@ bool pm_debug_messages_on __read_mostly;
+
+ bool pm_debug_messages_should_print(void)
+ {
+- return pm_debug_messages_on && pm_suspend_target_state != PM_SUSPEND_ON;
++ return pm_debug_messages_on && (hibernation_in_progress() ||
++ pm_suspend_target_state != PM_SUSPEND_ON);
+ }
+ EXPORT_SYMBOL_GPL(pm_debug_messages_should_print);
+
+diff --git a/kernel/power/power.h b/kernel/power/power.h
+index a98f95e309a33..62a7cb452a4be 100644
+--- a/kernel/power/power.h
++++ b/kernel/power/power.h
+@@ -66,10 +66,14 @@ extern void enable_restore_image_protection(void);
+ static inline void enable_restore_image_protection(void) {}
+ #endif /* CONFIG_STRICT_KERNEL_RWX */
+
++extern bool hibernation_in_progress(void);
++
+ #else /* !CONFIG_HIBERNATION */
+
+ static inline void hibernate_reserved_size_init(void) {}
+ static inline void hibernate_image_size_init(void) {}
++
++static inline bool hibernation_in_progress(void) { return false; }
+ #endif /* !CONFIG_HIBERNATION */
+
+ #define power_attr(_name) \
+--
+2.39.5
+
--- /dev/null
+From 18dc4349a89e151561c144d3f9994105b07540c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 May 2025 17:26:51 +0800
+Subject: PM: wakeup: Delete space in the end of string shown by
+ pm_show_wakelocks()
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+[ Upstream commit f0050a3e214aa941b78ad4caf122a735a24d81a6 ]
+
+pm_show_wakelocks() is called to generate a string when showing
+attributes /sys/power/wake_(lock|unlock), but the string ends
+with an unwanted space that was added back by mistake by commit
+c9d967b2ce40 ("PM: wakeup: simplify the output logic of
+pm_show_wakelocks()").
+
+Remove the unwanted space.
+
+Fixes: c9d967b2ce40 ("PM: wakeup: simplify the output logic of pm_show_wakelocks()")
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Link: https://patch.msgid.link/20250505-fix_power-v1-1-0f7f2c2f338c@quicinc.com
+[ rjw: Changelog edits ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/power/wakelock.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/kernel/power/wakelock.c b/kernel/power/wakelock.c
+index 52571dcad768b..4e941999a53ba 100644
+--- a/kernel/power/wakelock.c
++++ b/kernel/power/wakelock.c
+@@ -49,6 +49,9 @@ ssize_t pm_show_wakelocks(char *buf, bool show_active)
+ len += sysfs_emit_at(buf, len, "%s ", wl->name);
+ }
+
++ if (len > 0)
++ --len;
++
+ len += sysfs_emit_at(buf, len, "\n");
+
+ mutex_unlock(&wakelocks_lock);
+--
+2.39.5
+
--- /dev/null
+From 8ecff178fe5e23d2a083f3d67af7c0bfc1b6b9b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Mar 2025 08:38:09 +0300
+Subject: power: reset: at91-reset: Optimize at91_reset()
+
+From: Alexander Shiyan <eagle.alexander923@gmail.com>
+
+[ Upstream commit 62d48983f215bf1dd48665913318101fa3414dcf ]
+
+This patch adds a small optimization to the low-level at91_reset()
+function, which includes:
+- Removes the extra branch, since the following store operations
+ already have proper condition checks.
+- Removes the definition of the clobber register r4, since it is
+ no longer used in the code.
+
+Fixes: fcd0532fac2a ("power: reset: at91-reset: make at91sam9g45_restart() generic")
+Signed-off-by: Alexander Shiyan <eagle.alexander923@gmail.com>
+Reviewed-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Link: https://lore.kernel.org/r/20250307053809.20245-1-eagle.alexander923@gmail.com
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/reset/at91-reset.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/power/reset/at91-reset.c b/drivers/power/reset/at91-reset.c
+index aa9b012d3d00b..bafe4cc6fafdc 100644
+--- a/drivers/power/reset/at91-reset.c
++++ b/drivers/power/reset/at91-reset.c
+@@ -129,12 +129,11 @@ static int at91_reset(struct notifier_block *this, unsigned long mode,
+ " str %4, [%0, %6]\n\t"
+ /* Disable SDRAM1 accesses */
+ "1: tst %1, #0\n\t"
+- " beq 2f\n\t"
+ " strne %3, [%1, #" __stringify(AT91_DDRSDRC_RTR) "]\n\t"
+ /* Power down SDRAM1 */
+ " strne %4, [%1, %6]\n\t"
+ /* Reset CPU */
+- "2: str %5, [%2, #" __stringify(AT91_RSTC_CR) "]\n\t"
++ " str %5, [%2, #" __stringify(AT91_RSTC_CR) "]\n\t"
+
+ " b .\n\t"
+ :
+@@ -145,7 +144,7 @@ static int at91_reset(struct notifier_block *this, unsigned long mode,
+ "r" cpu_to_le32(AT91_DDRSDRC_LPCB_POWER_DOWN),
+ "r" (reset->data->reset_args),
+ "r" (reset->ramc_lpr)
+- : "r4");
++ );
+
+ return NOTIFY_DONE;
+ }
+--
+2.39.5
+
--- /dev/null
+From 1e32b16d6dda86a7ac10d9c7c87d3ebbd9b136c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Feb 2025 10:20:54 -0600
+Subject: powerpc/crash: Fix non-smp kexec preparation
+
+From: Eddie James <eajames@linux.ibm.com>
+
+[ Upstream commit 882b25af265de8e05c66f72b9a29f6047102958f ]
+
+In non-smp configurations, crash_kexec_prepare is never called in
+the crash shutdown path. One result of this is that the crashing_cpu
+variable is never set, preventing crash_save_cpu from storing the
+NT_PRSTATUS elf note in the core dump.
+
+Fixes: c7255058b543 ("powerpc/crash: save cpu register data in crash_smp_send_stop()")
+Signed-off-by: Eddie James <eajames@linux.ibm.com>
+Reviewed-by: Hari Bathini <hbathini@linux.ibm.com>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/20250211162054.857762-1-eajames@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kexec/crash.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/kexec/crash.c b/arch/powerpc/kexec/crash.c
+index ef5c2d25ec397..61552bbb1ea8a 100644
+--- a/arch/powerpc/kexec/crash.c
++++ b/arch/powerpc/kexec/crash.c
+@@ -356,7 +356,10 @@ void default_machine_crash_shutdown(struct pt_regs *regs)
+ if (TRAP(regs) == INTERRUPT_SYSTEM_RESET)
+ is_via_system_reset = 1;
+
+- crash_smp_send_stop();
++ if (IS_ENABLED(CONFIG_SMP))
++ crash_smp_send_stop();
++ else
++ crash_kexec_prepare();
+
+ crash_save_cpu(regs, crashing_cpu);
+
+--
+2.39.5
+
--- /dev/null
+From e93cc0bed5e755eed066d9c59648963e178815fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Apr 2025 12:53:05 +0200
+Subject: powerpc: do not build ppc_save_regs.o always
+
+From: Jiri Slaby (SUSE) <jirislaby@kernel.org>
+
+[ Upstream commit 497b7794aef03d525a5be05ae78dd7137c6861a5 ]
+
+The Fixes commit below tried to add CONFIG_PPC_BOOK3S to one of the
+conditions to enable the build of ppc_save_regs.o. But it failed to do
+so, in fact. The commit omitted to add a dollar sign.
+
+Therefore, ppc_save_regs.o is built always these days (as
+"(CONFIG_PPC_BOOK3S)" is never an empty string).
+
+Fix this by adding the missing dollar sign.
+
+Signed-off-by: Jiri Slaby (SUSE) <jirislaby@kernel.org>
+Fixes: fc2a5a6161a2 ("powerpc/64s: ppc_save_regs is now needed for all 64s builds")
+Acked-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/20250417105305.397128-1-jirislaby@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile
+index 2919433be3557..b7629122680b1 100644
+--- a/arch/powerpc/kernel/Makefile
++++ b/arch/powerpc/kernel/Makefile
+@@ -165,7 +165,7 @@ endif
+
+ obj64-$(CONFIG_PPC_TRANSACTIONAL_MEM) += tm.o
+
+-ifneq ($(CONFIG_XMON)$(CONFIG_KEXEC_CORE)(CONFIG_PPC_BOOK3S),)
++ifneq ($(CONFIG_XMON)$(CONFIG_KEXEC_CORE)$(CONFIG_PPC_BOOK3S),)
+ obj-y += ppc_save_regs.o
+ endif
+
+--
+2.39.5
+
--- /dev/null
+From ecbc5520157132ebf57d10ee9d3c88235c376f3b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 May 2025 15:18:28 -0700
+Subject: randstruct: gcc-plugin: Fix attribute addition
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit f39f18f3c3531aa802b58a20d39d96e82eb96c14 ]
+
+Based on changes in the 2021 public version of the randstruct
+out-of-tree GCC plugin[1], more carefully update the attributes on
+resulting decls, to avoid tripping checks in GCC 15's
+comptypes_check_enum_int() when it has been configured with
+"--enable-checking=misc":
+
+arch/arm64/kernel/kexec_image.c:132:14: internal compiler error: in comptypes_check_enum_int, at c/c-typeck.cc:1519
+ 132 | const struct kexec_file_ops kexec_image_ops = {
+ | ^~~~~~~~~~~~~~
+ internal_error(char const*, ...), at gcc/gcc/diagnostic-global-context.cc:517
+ fancy_abort(char const*, int, char const*), at gcc/gcc/diagnostic.cc:1803
+ comptypes_check_enum_int(tree_node*, tree_node*, bool*), at gcc/gcc/c/c-typeck.cc:1519
+ ...
+
+Link: https://archive.org/download/grsecurity/grsecurity-3.1-5.10.41-202105280954.patch.gz [1]
+Reported-by: Thiago Jung Bauermann <thiago.bauermann@linaro.org>
+Closes: https://github.com/KSPP/linux/issues/367
+Closes: https://lore.kernel.org/lkml/20250530000646.104457-1-thiago.bauermann@linaro.org/
+Reported-by: Ingo Saitz <ingo@hannover.ccc.de>
+Closes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104745
+Fixes: 313dd1b62921 ("gcc-plugins: Add the randstruct plugin")
+Tested-by: Thiago Jung Bauermann <thiago.bauermann@linaro.org>
+Link: https://lore.kernel.org/r/20250530221824.work.623-kees@kernel.org
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/gcc-plugins/gcc-common.h | 32 +++++++++++++++++++
+ scripts/gcc-plugins/randomize_layout_plugin.c | 22 ++++++-------
+ 2 files changed, 43 insertions(+), 11 deletions(-)
+
+diff --git a/scripts/gcc-plugins/gcc-common.h b/scripts/gcc-plugins/gcc-common.h
+index 1ae39b9f4a95e..90e83d62adb54 100644
+--- a/scripts/gcc-plugins/gcc-common.h
++++ b/scripts/gcc-plugins/gcc-common.h
+@@ -128,6 +128,38 @@ static inline tree build_const_char_string(int len, const char *str)
+ return cstr;
+ }
+
++static inline void __add_type_attr(tree type, const char *attr, tree args)
++{
++ tree oldattr;
++
++ if (type == NULL_TREE)
++ return;
++ oldattr = lookup_attribute(attr, TYPE_ATTRIBUTES(type));
++ if (oldattr != NULL_TREE) {
++ gcc_assert(TREE_VALUE(oldattr) == args || TREE_VALUE(TREE_VALUE(oldattr)) == TREE_VALUE(args));
++ return;
++ }
++
++ TYPE_ATTRIBUTES(type) = copy_list(TYPE_ATTRIBUTES(type));
++ TYPE_ATTRIBUTES(type) = tree_cons(get_identifier(attr), args, TYPE_ATTRIBUTES(type));
++}
++
++static inline void add_type_attr(tree type, const char *attr, tree args)
++{
++ tree main_variant = TYPE_MAIN_VARIANT(type);
++
++ __add_type_attr(TYPE_CANONICAL(type), attr, args);
++ __add_type_attr(TYPE_CANONICAL(main_variant), attr, args);
++ __add_type_attr(main_variant, attr, args);
++
++ for (type = TYPE_NEXT_VARIANT(main_variant); type; type = TYPE_NEXT_VARIANT(type)) {
++ if (!lookup_attribute(attr, TYPE_ATTRIBUTES(type)))
++ TYPE_ATTRIBUTES(type) = TYPE_ATTRIBUTES(main_variant);
++
++ __add_type_attr(TYPE_CANONICAL(type), attr, args);
++ }
++}
++
+ #define PASS_INFO(NAME, REF, ID, POS) \
+ struct register_pass_info NAME##_pass_info = { \
+ .pass = make_##NAME##_pass(), \
+diff --git a/scripts/gcc-plugins/randomize_layout_plugin.c b/scripts/gcc-plugins/randomize_layout_plugin.c
+index bb8c6631971db..e70eef049ada6 100644
+--- a/scripts/gcc-plugins/randomize_layout_plugin.c
++++ b/scripts/gcc-plugins/randomize_layout_plugin.c
+@@ -77,6 +77,9 @@ static tree handle_randomize_layout_attr(tree *node, tree name, tree args, int f
+
+ if (TYPE_P(*node)) {
+ type = *node;
++ } else if (TREE_CODE(*node) == FIELD_DECL) {
++ *no_add_attrs = false;
++ return NULL_TREE;
+ } else {
+ gcc_assert(TREE_CODE(*node) == TYPE_DECL);
+ type = TREE_TYPE(*node);
+@@ -352,15 +355,14 @@ static int relayout_struct(tree type)
+ TREE_CHAIN(newtree[i]) = newtree[i+1];
+ TREE_CHAIN(newtree[num_fields - 1]) = NULL_TREE;
+
++ add_type_attr(type, "randomize_performed", NULL_TREE);
++ add_type_attr(type, "designated_init", NULL_TREE);
++ if (has_flexarray)
++ add_type_attr(type, "has_flexarray", NULL_TREE);
++
+ main_variant = TYPE_MAIN_VARIANT(type);
+- for (variant = main_variant; variant; variant = TYPE_NEXT_VARIANT(variant)) {
++ for (variant = main_variant; variant; variant = TYPE_NEXT_VARIANT(variant))
+ TYPE_FIELDS(variant) = newtree[0];
+- TYPE_ATTRIBUTES(variant) = copy_list(TYPE_ATTRIBUTES(variant));
+- TYPE_ATTRIBUTES(variant) = tree_cons(get_identifier("randomize_performed"), NULL_TREE, TYPE_ATTRIBUTES(variant));
+- TYPE_ATTRIBUTES(variant) = tree_cons(get_identifier("designated_init"), NULL_TREE, TYPE_ATTRIBUTES(variant));
+- if (has_flexarray)
+- TYPE_ATTRIBUTES(type) = tree_cons(get_identifier("has_flexarray"), NULL_TREE, TYPE_ATTRIBUTES(type));
+- }
+
+ /*
+ * force a re-layout of the main variant
+@@ -428,10 +430,8 @@ static void randomize_type(tree type)
+ if (lookup_attribute("randomize_layout", TYPE_ATTRIBUTES(TYPE_MAIN_VARIANT(type))) || is_pure_ops_struct(type))
+ relayout_struct(type);
+
+- for (variant = TYPE_MAIN_VARIANT(type); variant; variant = TYPE_NEXT_VARIANT(variant)) {
+- TYPE_ATTRIBUTES(type) = copy_list(TYPE_ATTRIBUTES(type));
+- TYPE_ATTRIBUTES(type) = tree_cons(get_identifier("randomize_considered"), NULL_TREE, TYPE_ATTRIBUTES(type));
+- }
++ add_type_attr(type, "randomize_considered", NULL_TREE);
++
+ #ifdef __DEBUG_PLUGIN
+ fprintf(stderr, "Marking randomize_considered on struct %s\n", ORIG_TYPE_NAME(type));
+ #ifdef __DEBUG_VERBOSE
+--
+2.39.5
+
--- /dev/null
+From 5ee383ccb0edcdad4ff898ab176d4d0ddb4874b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Apr 2025 00:37:52 -0700
+Subject: randstruct: gcc-plugin: Remove bogus void member
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit e136a4062174a9a8d1c1447ca040ea81accfa6a8 ]
+
+When building the randomized replacement tree of struct members, the
+randstruct GCC plugin would insert, as the first member, a 0-sized void
+member. This appears as though it was done to catch non-designated
+("unnamed") static initializers, which wouldn't be stable since they
+depend on the original struct layout order.
+
+This was accomplished by having the side-effect of the "void member"
+tripping an assert in GCC internals (count_type_elements) if the member
+list ever needed to be counted (e.g. for figuring out the order of members
+during a non-designated initialization), which would catch impossible type
+(void) in the struct:
+
+security/landlock/fs.c: In function ‘hook_file_ioctl_common’:
+security/landlock/fs.c:1745:61: internal compiler error: in count_type_elements, at expr.cc:7075
+ 1745 | .u.op = &(struct lsm_ioctlop_audit) {
+ | ^
+
+static HOST_WIDE_INT
+count_type_elements (const_tree type, bool for_ctor_p)
+{
+ switch (TREE_CODE (type))
+...
+ case VOID_TYPE:
+ default:
+ gcc_unreachable ();
+ }
+}
+
+However this is a redundant safety measure since randstruct uses the
+__designated_initializer attribute both internally and within the
+__randomized_layout attribute macro so that this would be enforced
+by the compiler directly even when randstruct was not enabled (via
+-Wdesignated-init).
+
+A recent change in Landlock ended up tripping the same member counting
+routine when using a full-struct copy initializer as part of an anonymous
+initializer. This, however, is a false positive as the initializer is
+copying between identical structs (and hence identical layouts). The
+"path" member is "struct path", a randomized struct, and is being copied
+to from another "struct path", the "f_path" member:
+
+ landlock_log_denial(landlock_cred(file->f_cred), &(struct landlock_request) {
+ .type = LANDLOCK_REQUEST_FS_ACCESS,
+ .audit = {
+ .type = LSM_AUDIT_DATA_IOCTL_OP,
+ .u.op = &(struct lsm_ioctlop_audit) {
+ .path = file->f_path,
+ .cmd = cmd,
+ },
+ },
+ ...
+
+As can be seen with the coming randstruct KUnit test, there appears to
+be no behavioral problems with this kind of initialization when the void
+member is removed from the randstruct GCC plugin, so remove it.
+
+Reported-by: "Dr. David Alan Gilbert" <linux@treblig.org>
+Closes: https://lore.kernel.org/lkml/Z_PRaKx7q70MKgCA@gallifrey/
+Reported-by: Mark Brown <broonie@kernel.org>
+Closes: https://lore.kernel.org/lkml/20250407-kbuild-disable-gcc-plugins-v1-1-5d46ae583f5e@kernel.org/
+Reported-by: WangYuli <wangyuli@uniontech.com>
+Closes: https://lore.kernel.org/lkml/337D5D4887277B27+3c677db3-a8b9-47f0-93a4-7809355f1381@uniontech.com/
+Fixes: 313dd1b62921 ("gcc-plugins: Add the randstruct plugin")
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/gcc-plugins/randomize_layout_plugin.c | 18 +-----------------
+ 1 file changed, 1 insertion(+), 17 deletions(-)
+
+diff --git a/scripts/gcc-plugins/randomize_layout_plugin.c b/scripts/gcc-plugins/randomize_layout_plugin.c
+index 746ff2d272f25..bb8c6631971db 100644
+--- a/scripts/gcc-plugins/randomize_layout_plugin.c
++++ b/scripts/gcc-plugins/randomize_layout_plugin.c
+@@ -348,29 +348,13 @@ static int relayout_struct(tree type)
+
+ shuffle(type, (tree *)newtree, shuffle_length);
+
+- /*
+- * set up a bogus anonymous struct field designed to error out on unnamed struct initializers
+- * as gcc provides no other way to detect such code
+- */
+- list = make_node(FIELD_DECL);
+- TREE_CHAIN(list) = newtree[0];
+- TREE_TYPE(list) = void_type_node;
+- DECL_SIZE(list) = bitsize_zero_node;
+- DECL_NONADDRESSABLE_P(list) = 1;
+- DECL_FIELD_BIT_OFFSET(list) = bitsize_zero_node;
+- DECL_SIZE_UNIT(list) = size_zero_node;
+- DECL_FIELD_OFFSET(list) = size_zero_node;
+- DECL_CONTEXT(list) = type;
+- // to satisfy the constify plugin
+- TREE_READONLY(list) = 1;
+-
+ for (i = 0; i < num_fields - 1; i++)
+ TREE_CHAIN(newtree[i]) = newtree[i+1];
+ TREE_CHAIN(newtree[num_fields - 1]) = NULL_TREE;
+
+ main_variant = TYPE_MAIN_VARIANT(type);
+ for (variant = main_variant; variant; variant = TYPE_NEXT_VARIANT(variant)) {
+- TYPE_FIELDS(variant) = list;
++ TYPE_FIELDS(variant) = newtree[0];
+ TYPE_ATTRIBUTES(variant) = copy_list(TYPE_ATTRIBUTES(variant));
+ TYPE_ATTRIBUTES(variant) = tree_cons(get_identifier("randomize_performed"), NULL_TREE, TYPE_ATTRIBUTES(variant));
+ TYPE_ATTRIBUTES(variant) = tree_cons(get_identifier("designated_init"), NULL_TREE, TYPE_ATTRIBUTES(variant));
+--
+2.39.5
+
--- /dev/null
+From c232cb7217550ad793b26cac3242687b21e155ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 16 Feb 2025 16:41:09 +0800
+Subject: rcu/cpu_stall_cputime: fix the hardirq count for x86 architecture
+
+From: Yongliang Gao <leonylgao@tencent.com>
+
+[ Upstream commit da6b85598af30e9fec34d82882d7e1e39f3da769 ]
+
+When counting the number of hardirqs in the x86 architecture,
+it is essential to add arch_irq_stat_cpu to ensure accuracy.
+
+For example, a CPU loop within the rcu_read_lock function.
+
+Before:
+[ 70.910184] rcu: INFO: rcu_preempt self-detected stall on CPU
+[ 70.910436] rcu: 3-....: (4999 ticks this GP) idle=***
+[ 70.910711] rcu: hardirqs softirqs csw/system
+[ 70.910870] rcu: number: 0 657 0
+[ 70.911024] rcu: cputime: 0 0 2498 ==> 2498(ms)
+[ 70.911278] rcu: (t=5001 jiffies g=3677 q=29 ncpus=8)
+
+After:
+[ 68.046132] rcu: INFO: rcu_preempt self-detected stall on CPU
+[ 68.046354] rcu: 2-....: (4999 ticks this GP) idle=***
+[ 68.046628] rcu: hardirqs softirqs csw/system
+[ 68.046793] rcu: number: 2498 663 0
+[ 68.046951] rcu: cputime: 0 0 2496 ==> 2496(ms)
+[ 68.047244] rcu: (t=5000 jiffies g=3825 q=4 ncpus=8)
+
+Fixes: be42f00b73a0 ("rcu: Add RCU stall diagnosis information")
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202501090842.SfI6QPGS-lkp@intel.com/
+Signed-off-by: Yongliang Gao <leonylgao@tencent.com>
+Reviewed-by: Neeraj Upadhyay <Neeraj.Upadhyay@amd.com>
+Link: https://lore.kernel.org/r/20250216084109.3109837-1-leonylgao@gmail.com
+Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
+Signed-off-by: Joel Fernandes <joelagnelf@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/rcu/tree.c | 10 +++++++---
+ kernel/rcu/tree.h | 2 +-
+ kernel/rcu/tree_stall.h | 4 ++--
+ 3 files changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c
+index fda08520c75c5..1fb3b7a0ed5d2 100644
+--- a/kernel/rcu/tree.c
++++ b/kernel/rcu/tree.c
+@@ -754,6 +754,10 @@ static int dyntick_save_progress_counter(struct rcu_data *rdp)
+ return 0;
+ }
+
++#ifndef arch_irq_stat_cpu
++#define arch_irq_stat_cpu(cpu) 0
++#endif
++
+ /*
+ * Returns positive if the specified CPU has passed through a quiescent state
+ * by virtue of being in or having passed through an dynticks idle state since
+@@ -889,9 +893,9 @@ static int rcu_implicit_dynticks_qs(struct rcu_data *rdp)
+ rsrp->cputime_irq = kcpustat_field(kcsp, CPUTIME_IRQ, cpu);
+ rsrp->cputime_softirq = kcpustat_field(kcsp, CPUTIME_SOFTIRQ, cpu);
+ rsrp->cputime_system = kcpustat_field(kcsp, CPUTIME_SYSTEM, cpu);
+- rsrp->nr_hardirqs = kstat_cpu_irqs_sum(rdp->cpu);
+- rsrp->nr_softirqs = kstat_cpu_softirqs_sum(rdp->cpu);
+- rsrp->nr_csw = nr_context_switches_cpu(rdp->cpu);
++ rsrp->nr_hardirqs = kstat_cpu_irqs_sum(cpu) + arch_irq_stat_cpu(cpu);
++ rsrp->nr_softirqs = kstat_cpu_softirqs_sum(cpu);
++ rsrp->nr_csw = nr_context_switches_cpu(cpu);
+ rsrp->jiffies = jiffies;
+ rsrp->gp_seq = rdp->gp_seq;
+ }
+diff --git a/kernel/rcu/tree.h b/kernel/rcu/tree.h
+index 9eb43b501ff5c..ac8cc756920dd 100644
+--- a/kernel/rcu/tree.h
++++ b/kernel/rcu/tree.h
+@@ -169,7 +169,7 @@ struct rcu_snap_record {
+ u64 cputime_irq; /* Accumulated cputime of hard irqs */
+ u64 cputime_softirq;/* Accumulated cputime of soft irqs */
+ u64 cputime_system; /* Accumulated cputime of kernel tasks */
+- unsigned long nr_hardirqs; /* Accumulated number of hard irqs */
++ u64 nr_hardirqs; /* Accumulated number of hard irqs */
+ unsigned int nr_softirqs; /* Accumulated number of soft irqs */
+ unsigned long long nr_csw; /* Accumulated number of task switches */
+ unsigned long jiffies; /* Track jiffies value */
+diff --git a/kernel/rcu/tree_stall.h b/kernel/rcu/tree_stall.h
+index 11a1fac3a5898..aab91040b83b1 100644
+--- a/kernel/rcu/tree_stall.h
++++ b/kernel/rcu/tree_stall.h
+@@ -452,8 +452,8 @@ static void print_cpu_stat_info(int cpu)
+ rsr.cputime_system = kcpustat_field(kcsp, CPUTIME_SYSTEM, cpu);
+
+ pr_err("\t hardirqs softirqs csw/system\n");
+- pr_err("\t number: %8ld %10d %12lld\n",
+- kstat_cpu_irqs_sum(cpu) - rsrp->nr_hardirqs,
++ pr_err("\t number: %8lld %10d %12lld\n",
++ kstat_cpu_irqs_sum(cpu) + arch_irq_stat_cpu(cpu) - rsrp->nr_hardirqs,
+ kstat_cpu_softirqs_sum(cpu) - rsrp->nr_softirqs,
+ nr_context_switches_cpu(cpu) - rsrp->nr_csw);
+ pr_err("\tcputime: %8lld %10lld %12lld ==> %d(ms)\n",
+--
+2.39.5
+
--- /dev/null
+From 8b524ac1b0dc2ca4233ccdd6e81e9eaf143cc2ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 May 2025 14:36:02 +0300
+Subject: RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work
+
+From: Jack Morgenstein <jackm@nvidia.com>
+
+[ Upstream commit 92a251c3df8ea1991cd9fe00f1ab0cfce18d7711 ]
+
+The cited commit fixed a crash when cma_netevent_callback was called for
+a cma_id while work on that id from a previous call had not yet started.
+The work item was re-initialized in the second call, which corrupted the
+work item currently in the work queue.
+
+However, it left a problem when queue_work fails (because the item is
+still pending in the work queue from a previous call). In this case,
+cma_id_put (which is called in the work handler) is therefore not
+called. This results in a userspace process hang (zombie process).
+
+Fix this by calling cma_id_put() if queue_work fails.
+
+Fixes: 45f5dcdd0497 ("RDMA/cma: Fix workqueue crash in cma_netevent_work_handler")
+Link: https://patch.msgid.link/r/4f3640b501e48d0166f312a64fdadf72b059bd04.1747827103.git.leon@kernel.org
+Signed-off-by: Jack Morgenstein <jackm@nvidia.com>
+Signed-off-by: Feng Liu <feliu@nvidia.com>
+Reviewed-by: Vlad Dumitrescu <vdumitrescu@nvidia.com>
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Reviewed-by: Sharath Srinivasan <sharath.srinivasan@oracle.com>
+Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/cma.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
+index 348527cf1e7bf..a5ceae2e075ad 100644
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -5215,7 +5215,8 @@ static int cma_netevent_callback(struct notifier_block *self,
+ neigh->ha, ETH_ALEN))
+ continue;
+ cma_id_get(current_id);
+- queue_work(cma_wq, ¤t_id->id.net_work);
++ if (!queue_work(cma_wq, ¤t_id->id.net_work))
++ cma_id_put(current_id);
+ }
+ out:
+ spin_unlock_irqrestore(&id_table_lock, flags);
+--
+2.39.5
+
--- /dev/null
+From 2a818fdb2f6fc54e19276358f9fae0126f7b506c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Apr 2025 21:27:49 +0800
+Subject: RDMA/hns: Include hnae3.h in hns_roce_hw_v2.h
+
+From: Junxian Huang <huangjunxian6@hisilicon.com>
+
+[ Upstream commit 2b11d33de23262cb20d1dcb24b586dbb8f54d463 ]
+
+hns_roce_hw_v2.h has a direct dependency on hnae3.h due to the
+inline function hns_roce_write64(), but it doesn't include this
+header currently. This leads to that files including
+hns_roce_hw_v2.h must also include hnae3.h to avoid compilation
+errors, even if they themselves don't really rely on hnae3.h.
+This doesn't make sense, hns_roce_hw_v2.h should include hnae3.h
+directly.
+
+Fixes: d3743fa94ccd ("RDMA/hns: Fix the chip hanging caused by sending doorbell during reset")
+Signed-off-by: Junxian Huang <huangjunxian6@hisilicon.com>
+Link: https://patch.msgid.link/20250421132750.1363348-6-huangjunxian6@hisilicon.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hns/hns_roce_ah.c | 1 -
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 1 -
+ drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 1 +
+ drivers/infiniband/hw/hns/hns_roce_main.c | 1 -
+ drivers/infiniband/hw/hns/hns_roce_restrack.c | 1 -
+ 5 files changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_ah.c b/drivers/infiniband/hw/hns/hns_roce_ah.c
+index 3df032ddda189..e99890e0c8c37 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_ah.c
++++ b/drivers/infiniband/hw/hns/hns_roce_ah.c
+@@ -33,7 +33,6 @@
+ #include <linux/pci.h>
+ #include <rdma/ib_addr.h>
+ #include <rdma/ib_cache.h>
+-#include "hnae3.h"
+ #include "hns_roce_device.h"
+ #include "hns_roce_hw_v2.h"
+
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+index aded0a7f42838..9d23d4b5c1285 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+@@ -42,7 +42,6 @@
+ #include <rdma/ib_umem.h>
+ #include <rdma/uverbs_ioctl.h>
+
+-#include "hnae3.h"
+ #include "hns_roce_common.h"
+ #include "hns_roce_device.h"
+ #include "hns_roce_cmd.h"
+diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
+index b8e17721f6fde..7875283eb9d63 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.h
+@@ -34,6 +34,7 @@
+ #define _HNS_ROCE_HW_V2_H
+
+ #include <linux/bitops.h>
++#include "hnae3.h"
+
+ #define HNS_ROCE_V2_MAX_RC_INL_INN_SZ 32
+ #define HNS_ROCE_V2_MTT_ENTRY_SZ 64
+diff --git a/drivers/infiniband/hw/hns/hns_roce_main.c b/drivers/infiniband/hw/hns/hns_roce_main.c
+index a7e4c951f8fe4..5f39a25064d10 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_main.c
++++ b/drivers/infiniband/hw/hns/hns_roce_main.c
+@@ -37,7 +37,6 @@
+ #include <rdma/ib_smi.h>
+ #include <rdma/ib_user_verbs.h>
+ #include <rdma/ib_cache.h>
+-#include "hnae3.h"
+ #include "hns_roce_common.h"
+ #include "hns_roce_device.h"
+ #include "hns_roce_hem.h"
+diff --git a/drivers/infiniband/hw/hns/hns_roce_restrack.c b/drivers/infiniband/hw/hns/hns_roce_restrack.c
+index 081a01de30553..1fb5e24683647 100644
+--- a/drivers/infiniband/hw/hns/hns_roce_restrack.c
++++ b/drivers/infiniband/hw/hns/hns_roce_restrack.c
+@@ -4,7 +4,6 @@
+ #include <rdma/rdma_cm.h>
+ #include <rdma/restrack.h>
+ #include <uapi/rdma/rdma_netlink.h>
+-#include "hnae3.h"
+ #include "hns_roce_common.h"
+ #include "hns_roce_device.h"
+ #include "hns_roce_hw_v2.h"
+--
+2.39.5
+
--- /dev/null
+From 54b91c3bc9d671561a9da5f76f7488fba32ee155 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Apr 2025 14:34:07 +0300
+Subject: RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction
+
+From: Patrisious Haddad <phaddad@nvidia.com>
+
+[ Upstream commit 5d2ea5aebbb2f3ebde4403f9c55b2b057e5dd2d6 ]
+
+Upon RQ destruction if the firmware command fails which is the
+last resource to be destroyed some SW resources were already cleaned
+regardless of the failure.
+
+Now properly rollback the object to its original state upon such failure.
+
+In order to avoid a use-after free in case someone tries to destroy the
+object again, which results in the following kernel trace:
+refcount_t: underflow; use-after-free.
+WARNING: CPU: 0 PID: 37589 at lib/refcount.c:28 refcount_warn_saturate+0xf4/0x148
+Modules linked in: rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) rfkill mlx5_core(OE) mlxdevm(OE) ib_uverbs(OE) ib_core(OE) psample mlxfw(OE) mlx_compat(OE) macsec tls pci_hyperv_intf sunrpc vfat fat virtio_net net_failover failover fuse loop nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs crct10dif_ce ghash_ce sha2_ce sha256_arm64 sha1_ce virtio_console virtio_gpu virtio_blk virtio_dma_buf virtio_mmio dm_mirror dm_region_hash dm_log dm_mod xpmem(OE)
+CPU: 0 UID: 0 PID: 37589 Comm: python3 Kdump: loaded Tainted: G OE ------- --- 6.12.0-54.el10.aarch64 #1
+Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
+Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
+pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : refcount_warn_saturate+0xf4/0x148
+lr : refcount_warn_saturate+0xf4/0x148
+sp : ffff80008b81b7e0
+x29: ffff80008b81b7e0 x28: ffff000133d51600 x27: 0000000000000001
+x26: 0000000000000000 x25: 00000000ffffffea x24: ffff00010ae80f00
+x23: ffff00010ae80f80 x22: ffff0000c66e5d08 x21: 0000000000000000
+x20: ffff0000c66e0000 x19: ffff00010ae80340 x18: 0000000000000006
+x17: 0000000000000000 x16: 0000000000000020 x15: ffff80008b81b37f
+x14: 0000000000000000 x13: 2e656572662d7265 x12: ffff80008283ef78
+x11: ffff80008257efd0 x10: ffff80008283efd0 x9 : ffff80008021ed90
+x8 : 0000000000000001 x7 : 00000000000bffe8 x6 : c0000000ffff7fff
+x5 : ffff0001fb8e3408 x4 : 0000000000000000 x3 : ffff800179993000
+x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000133d51600
+Call trace:
+ refcount_warn_saturate+0xf4/0x148
+ mlx5_core_put_rsc+0x88/0xa0 [mlx5_ib]
+ mlx5_core_destroy_rq_tracked+0x64/0x98 [mlx5_ib]
+ mlx5_ib_destroy_wq+0x34/0x80 [mlx5_ib]
+ ib_destroy_wq_user+0x30/0xc0 [ib_core]
+ uverbs_free_wq+0x28/0x58 [ib_uverbs]
+ destroy_hw_idr_uobject+0x34/0x78 [ib_uverbs]
+ uverbs_destroy_uobject+0x48/0x240 [ib_uverbs]
+ __uverbs_cleanup_ufile+0xd4/0x1a8 [ib_uverbs]
+ uverbs_destroy_ufile_hw+0x48/0x120 [ib_uverbs]
+ ib_uverbs_close+0x2c/0x100 [ib_uverbs]
+ __fput+0xd8/0x2f0
+ __fput_sync+0x50/0x70
+ __arm64_sys_close+0x40/0x90
+ invoke_syscall.constprop.0+0x74/0xd0
+ do_el0_svc+0x48/0xe8
+ el0_svc+0x44/0x1d0
+ el0t_64_sync_handler+0x120/0x130
+ el0t_64_sync+0x1a4/0x1a8
+
+Fixes: e2013b212f9f ("net/mlx5_core: Add RQ and SQ event handling")
+Signed-off-by: Patrisious Haddad <phaddad@nvidia.com>
+Link: https://patch.msgid.link/3181433ccdd695c63560eeeb3f0c990961732101.1745839855.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/qpc.c | 30 ++++++++++++++++++++++++++++--
+ include/linux/mlx5/driver.h | 1 +
+ 2 files changed, 29 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/qpc.c b/drivers/infiniband/hw/mlx5/qpc.c
+index d9cf6982d645e..9de9bea1025e2 100644
+--- a/drivers/infiniband/hw/mlx5/qpc.c
++++ b/drivers/infiniband/hw/mlx5/qpc.c
+@@ -21,8 +21,10 @@ mlx5_get_rsc(struct mlx5_qp_table *table, u32 rsn)
+ spin_lock_irqsave(&table->lock, flags);
+
+ common = radix_tree_lookup(&table->tree, rsn);
+- if (common)
++ if (common && !common->invalid)
+ refcount_inc(&common->refcount);
++ else
++ common = NULL;
+
+ spin_unlock_irqrestore(&table->lock, flags);
+
+@@ -178,6 +180,18 @@ static int create_resource_common(struct mlx5_ib_dev *dev,
+ return 0;
+ }
+
++static void modify_resource_common_state(struct mlx5_ib_dev *dev,
++ struct mlx5_core_qp *qp,
++ bool invalid)
++{
++ struct mlx5_qp_table *table = &dev->qp_table;
++ unsigned long flags;
++
++ spin_lock_irqsave(&table->lock, flags);
++ qp->common.invalid = invalid;
++ spin_unlock_irqrestore(&table->lock, flags);
++}
++
+ static void destroy_resource_common(struct mlx5_ib_dev *dev,
+ struct mlx5_core_qp *qp)
+ {
+@@ -604,8 +618,20 @@ int mlx5_core_create_rq_tracked(struct mlx5_ib_dev *dev, u32 *in, int inlen,
+ int mlx5_core_destroy_rq_tracked(struct mlx5_ib_dev *dev,
+ struct mlx5_core_qp *rq)
+ {
++ int ret;
++
++ /* The rq destruction can be called again in case it fails, hence we
++ * mark the common resource as invalid and only once FW destruction
++ * is completed successfully we actually destroy the resources.
++ */
++ modify_resource_common_state(dev, rq, true);
++ ret = destroy_rq_tracked(dev, rq->qpn, rq->uid);
++ if (ret) {
++ modify_resource_common_state(dev, rq, false);
++ return ret;
++ }
+ destroy_resource_common(dev, rq);
+- return destroy_rq_tracked(dev, rq->qpn, rq->uid);
++ return 0;
+ }
+
+ static void destroy_sq_tracked(struct mlx5_ib_dev *dev, u32 sqn, u16 uid)
+diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h
+index 69d844b34da0d..696a2227869fb 100644
+--- a/include/linux/mlx5/driver.h
++++ b/include/linux/mlx5/driver.h
+@@ -390,6 +390,7 @@ struct mlx5_core_rsc_common {
+ enum mlx5_res_type res;
+ refcount_t refcount;
+ struct completion free;
++ bool invalid;
+ };
+
+ struct mlx5_uars_page {
+--
+2.39.5
+
--- /dev/null
+From 4dfb0d57f8318a5ad59a2eb58a3a5a7b2e18f20e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 May 2025 11:14:35 +0530
+Subject: remoteproc: k3-r5: Drop check performed in
+ k3_r5_rproc_{mbox_callback/kick}
+
+From: Siddharth Vadapalli <s-vadapalli@ti.com>
+
+[ Upstream commit 9995dbfc2235efabdb3759606d522e1a7ec3bdcb ]
+
+Commit f3f11cfe8907 ("remoteproc: k3-r5: Acquire mailbox handle during
+probe routine") introduced a check in the "k3_r5_rproc_mbox_callback()"
+and "k3_r5_rproc_kick()" callbacks, causing them to exit if the remote
+core's state is "RPROC_DETACHED". However, the "__rproc_attach()"
+function that is responsible for attaching to a remote core, updates
+the state of the remote core to "RPROC_ATTACHED" only after invoking
+"rproc_start_subdevices()".
+
+The "rproc_start_subdevices()" function triggers the probe of the Virtio
+RPMsg devices associated with the remote core, which require that the
+"k3_r5_rproc_kick()" and "k3_r5_rproc_mbox_callback()" callbacks are
+functional. Hence, drop the check in the callbacks.
+
+Fixes: f3f11cfe8907 ("remoteproc: k3-r5: Acquire mailbox handle during probe routine")
+Signed-off-by: Siddharth Vadapalli <s-vadapalli@ti.com>
+Signed-off-by: Beleswar Padhi <b-padhi@ti.com>
+Tested-by: Judith Mendez <jm@ti.com>
+Reviewed-by: Andrew Davis <afd@ti.com>
+Link: https://lore.kernel.org/r/20250513054510.3439842-2-b-padhi@ti.com
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/remoteproc/ti_k3_r5_remoteproc.c | 8 --------
+ 1 file changed, 8 deletions(-)
+
+diff --git a/drivers/remoteproc/ti_k3_r5_remoteproc.c b/drivers/remoteproc/ti_k3_r5_remoteproc.c
+index 5491b1b17ca36..37005640c784c 100644
+--- a/drivers/remoteproc/ti_k3_r5_remoteproc.c
++++ b/drivers/remoteproc/ti_k3_r5_remoteproc.c
+@@ -194,10 +194,6 @@ static void k3_r5_rproc_mbox_callback(struct mbox_client *client, void *data)
+ const char *name = kproc->rproc->name;
+ u32 msg = omap_mbox_message(data);
+
+- /* Do not forward message from a detached core */
+- if (kproc->rproc->state == RPROC_DETACHED)
+- return;
+-
+ dev_dbg(dev, "mbox msg: 0x%x\n", msg);
+
+ switch (msg) {
+@@ -233,10 +229,6 @@ static void k3_r5_rproc_kick(struct rproc *rproc, int vqid)
+ mbox_msg_t msg = (mbox_msg_t)vqid;
+ int ret;
+
+- /* Do not forward message to a detached core */
+- if (kproc->rproc->state == RPROC_DETACHED)
+- return;
+-
+ /* send the index of the triggered virtqueue in the mailbox payload */
+ ret = mbox_send_message(kproc->mbox, (void *)msg);
+ if (ret < 0)
+--
+2.39.5
+
--- /dev/null
+From b741e15ad3d58dd9ed2ce6722fc99c4ed67387f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Apr 2025 13:59:51 +0300
+Subject: remoteproc: qcom_wcnss_iris: Add missing put_device() on error in
+ probe
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 0cb4b1b97041d8a1f773425208ded253c1cb5869 ]
+
+The device_del() call matches with the device_add() but we also need
+to call put_device() to trigger the qcom_iris_release().
+
+Fixes: 1fcef985c8bd ("remoteproc: qcom: wcnss: Fix race with iris probe")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/4604f7e0-3217-4095-b28a-3ff8b5afad3a@stanley.mountain
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/remoteproc/qcom_wcnss_iris.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/remoteproc/qcom_wcnss_iris.c b/drivers/remoteproc/qcom_wcnss_iris.c
+index dd36fd077911a..1e197f7734742 100644
+--- a/drivers/remoteproc/qcom_wcnss_iris.c
++++ b/drivers/remoteproc/qcom_wcnss_iris.c
+@@ -197,6 +197,7 @@ struct qcom_iris *qcom_iris_probe(struct device *parent, bool *use_48mhz_xo)
+
+ err_device_del:
+ device_del(&iris->dev);
++ put_device(&iris->dev);
+
+ return ERR_PTR(ret);
+ }
+@@ -204,4 +205,5 @@ struct qcom_iris *qcom_iris_probe(struct device *parent, bool *use_48mhz_xo)
+ void qcom_iris_remove(struct qcom_iris *iris)
+ {
+ device_del(&iris->dev);
++ put_device(&iris->dev);
+ }
+--
+2.39.5
+
--- /dev/null
+From edac68802186d50aa6669557b737197d33b11517 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 May 2025 12:47:28 +0200
+Subject: RISC-V: KVM: lock the correct mp_state during reset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Radim Krčmář <rkrcmar@ventanamicro.com>
+
+[ Upstream commit 7917be170928189fefad490d1a1237fdfa6b856f ]
+
+Currently, the kvm_riscv_vcpu_sbi_system_reset() function locks
+vcpu->arch.mp_state_lock when updating tmp->arch.mp_state.mp_state
+which is incorrect hence fix it.
+
+Fixes: 2121cadec45a ("RISCV: KVM: Introduce mp_state_lock to avoid lock inversion")
+Signed-off-by: Radim Krčmář <rkrcmar@ventanamicro.com>
+Reviewed-by: Anup Patel <anup@brainfault.org>
+Link: https://lore.kernel.org/r/20250523104725.2894546-4-rkrcmar@ventanamicro.com
+Signed-off-by: Anup Patel <anup@brainfault.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/kvm/vcpu_sbi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/riscv/kvm/vcpu_sbi.c b/arch/riscv/kvm/vcpu_sbi.c
+index be43278109f4e..a71d33cd81d3d 100644
+--- a/arch/riscv/kvm/vcpu_sbi.c
++++ b/arch/riscv/kvm/vcpu_sbi.c
+@@ -103,9 +103,9 @@ void kvm_riscv_vcpu_sbi_system_reset(struct kvm_vcpu *vcpu,
+ struct kvm_vcpu *tmp;
+
+ kvm_for_each_vcpu(i, tmp, vcpu->kvm) {
+- spin_lock(&vcpu->arch.mp_state_lock);
++ spin_lock(&tmp->arch.mp_state_lock);
+ WRITE_ONCE(tmp->arch.mp_state.mp_state, KVM_MP_STATE_STOPPED);
+- spin_unlock(&vcpu->arch.mp_state_lock);
++ spin_unlock(&tmp->arch.mp_state_lock);
+ }
+ kvm_make_all_cpus_request(vcpu->kvm, KVM_REQ_SLEEP);
+
+--
+2.39.5
+
--- /dev/null
+From b01961880ab7bf7d07f5a3127742836d1e13eee1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Apr 2025 20:22:05 +0300
+Subject: rpmsg: qcom_smd: Fix uninitialized return variable in
+ __qcom_smd_send()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 5de775df3362090a6e90046d1f2d83fe62489aa0 ]
+
+The "ret" variable isn't initialized if we don't enter the loop. For
+example, if "channel->state" is not SMD_CHANNEL_OPENED.
+
+Fixes: 33e3820dda88 ("rpmsg: smd: Use spinlock in tx path")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/r/aAkhvV0nSbrsef1P@stanley.mountain
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rpmsg/qcom_smd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/rpmsg/qcom_smd.c b/drivers/rpmsg/qcom_smd.c
+index 43f601c84b4fc..79d35ab43729e 100644
+--- a/drivers/rpmsg/qcom_smd.c
++++ b/drivers/rpmsg/qcom_smd.c
+@@ -746,7 +746,7 @@ static int __qcom_smd_send(struct qcom_smd_channel *channel, const void *data,
+ __le32 hdr[5] = { cpu_to_le32(len), };
+ int tlen = sizeof(hdr) + len;
+ unsigned long flags;
+- int ret;
++ int ret = 0;
+
+ /* Word aligned channels only accept word size aligned data */
+ if (channel->info_word && len % 4)
+--
+2.39.5
+
--- /dev/null
+From 5309ff061601a7ed718d08ab440f784d92da1f9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 May 2025 16:44:16 +0800
+Subject: rtc: loongson: Add missing alarm notifications for ACPI RTC events
+
+From: Liu Dalin <liudalin@kylinsec.com.cn>
+
+[ Upstream commit 5af9f1fa576874b24627d4c05e3a84672204c200 ]
+
+When an application sets and enables an alarm on Loongson RTC devices,
+the alarm notification fails to propagate to userspace because the
+ACPI event handler omits calling rtc_update_irq().
+
+As a result, processes waiting via select() or poll() on RTC device
+files fail to receive alarm notifications.
+
+The ACPI interrupt is also triggered multiple times. In loongson_rtc_handler,
+we need to clear TOY_MATCH0_REG to resolve this issue.
+
+Fixes: 09471d8f5b39 ("rtc: loongson: clear TOY_MATCH0_REG in loongson_rtc_isr()")
+Fixes: 1b733a9ebc3d ("rtc: Add rtc driver for the Loongson family chips")
+Signed-off-by: Liu Dalin <liudalin@kylinsec.com.cn>
+Reviewed-by: Binbin Zhou <zhoubinbin@loongson.cn>
+Link: https://lore.kernel.org/r/20250509084416.7979-1-liudalin@kylinsec.com.cn
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-loongson.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/rtc/rtc-loongson.c b/drivers/rtc/rtc-loongson.c
+index 90e9d97a86b48..c9d5b91a6544d 100644
+--- a/drivers/rtc/rtc-loongson.c
++++ b/drivers/rtc/rtc-loongson.c
+@@ -129,6 +129,14 @@ static u32 loongson_rtc_handler(void *id)
+ {
+ struct loongson_rtc_priv *priv = (struct loongson_rtc_priv *)id;
+
++ rtc_update_irq(priv->rtcdev, 1, RTC_AF | RTC_IRQF);
++
++ /*
++ * The TOY_MATCH0_REG should be cleared 0 here,
++ * otherwise the interrupt cannot be cleared.
++ */
++ regmap_write(priv->regmap, TOY_MATCH0_REG, 0);
++
+ spin_lock(&priv->lock);
+ /* Disable RTC alarm wakeup and interrupt */
+ writel(readl(priv->pm_base + PM1_EN_REG) & ~RTC_EN,
+--
+2.39.5
+
--- /dev/null
+From 3317d9201184f76d6b900c4f0f01fbc896606182 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Feb 2025 14:42:56 +0100
+Subject: rtc: sh: assign correct interrupts with DT
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit 8f2efdbc303fe7baa83843d3290dd6ea5ba3276c ]
+
+The DT bindings for this driver define the interrupts in the order as
+they are numbered in the interrupt controller. The old platform_data,
+however, listed them in a different order. So, for DT based platforms,
+they are mixed up. Assign them specifically for DT, so we can keep the
+bindings stable. After the fix, 'rtctest' passes again on the Renesas
+Genmai board (RZ-A1 / R7S72100).
+
+Fixes: dab5aec64bf5 ("rtc: sh: add support for rza series")
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Link: https://lore.kernel.org/r/20250227134256.9167-11-wsa+renesas@sang-engineering.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-sh.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/rtc/rtc-sh.c b/drivers/rtc/rtc-sh.c
+index cd146b5741431..341b1b776e1a3 100644
+--- a/drivers/rtc/rtc-sh.c
++++ b/drivers/rtc/rtc-sh.c
+@@ -485,9 +485,15 @@ static int __init sh_rtc_probe(struct platform_device *pdev)
+ return -ENOENT;
+ }
+
+- rtc->periodic_irq = ret;
+- rtc->carry_irq = platform_get_irq(pdev, 1);
+- rtc->alarm_irq = platform_get_irq(pdev, 2);
++ if (!pdev->dev.of_node) {
++ rtc->periodic_irq = ret;
++ rtc->carry_irq = platform_get_irq(pdev, 1);
++ rtc->alarm_irq = platform_get_irq(pdev, 2);
++ } else {
++ rtc->alarm_irq = ret;
++ rtc->periodic_irq = platform_get_irq(pdev, 1);
++ rtc->carry_irq = platform_get_irq(pdev, 2);
++ }
+
+ res = platform_get_resource(pdev, IORESOURCE_IO, 0);
+ if (!res)
+--
+2.39.5
+
--- /dev/null
+From 0c4e435bc2fc1a19fbf264f9a5a553ba44c0758e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 May 2025 14:26:15 +0200
+Subject: s390/bpf: Store backchain even for leaf progs
+
+From: Ilya Leoshkevich <iii@linux.ibm.com>
+
+[ Upstream commit 5f55f2168432298f5a55294831ab6a76a10cb3c3 ]
+
+Currently a crash in a leaf prog (caused by a bug) produces the
+following call trace:
+
+ [<000003ff600ebf00>] bpf_prog_6df0139e1fbf2789_fentry+0x20/0x78
+ [<0000000000000000>] 0x0
+
+This is because leaf progs do not store backchain. Fix by making all
+progs do it. This is what GCC and Clang-generated code does as well.
+Now the call trace looks like this:
+
+ [<000003ff600eb0f2>] bpf_prog_6df0139e1fbf2789_fentry+0x2a/0x80
+ [<000003ff600ed096>] bpf_trampoline_201863462940+0x96/0xf4
+ [<000003ff600e3a40>] bpf_prog_05f379658fdd72f2_classifier_0+0x58/0xc0
+ [<000003ffe0aef070>] bpf_test_run+0x210/0x390
+ [<000003ffe0af0dc2>] bpf_prog_test_run_skb+0x25a/0x668
+ [<000003ffe038a90e>] __sys_bpf+0xa46/0xdb0
+ [<000003ffe038ad0c>] __s390x_sys_bpf+0x44/0x50
+ [<000003ffe0defea8>] __do_syscall+0x150/0x280
+ [<000003ffe0e01d5c>] system_call+0x74/0x98
+
+Fixes: 054623105728 ("s390/bpf: Add s390x eBPF JIT compiler backend")
+Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Link: https://lore.kernel.org/r/20250512122717.54878-1-iii@linux.ibm.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/net/bpf_jit_comp.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
+index 62ee557d4b499..a40c7ff91caf0 100644
+--- a/arch/s390/net/bpf_jit_comp.c
++++ b/arch/s390/net/bpf_jit_comp.c
+@@ -587,17 +587,15 @@ static void bpf_jit_prologue(struct bpf_jit *jit, struct bpf_prog *fp,
+ }
+ /* Setup stack and backchain */
+ if (is_first_pass(jit) || (jit->seen & SEEN_STACK)) {
+- if (is_first_pass(jit) || (jit->seen & SEEN_FUNC))
+- /* lgr %w1,%r15 (backchain) */
+- EMIT4(0xb9040000, REG_W1, REG_15);
++ /* lgr %w1,%r15 (backchain) */
++ EMIT4(0xb9040000, REG_W1, REG_15);
+ /* la %bfp,STK_160_UNUSED(%r15) (BPF frame pointer) */
+ EMIT4_DISP(0x41000000, BPF_REG_FP, REG_15, STK_160_UNUSED);
+ /* aghi %r15,-STK_OFF */
+ EMIT4_IMM(0xa70b0000, REG_15, -(STK_OFF + stack_depth));
+- if (is_first_pass(jit) || (jit->seen & SEEN_FUNC))
+- /* stg %w1,152(%r15) (backchain) */
+- EMIT6_DISP_LH(0xe3000000, 0x0024, REG_W1, REG_0,
+- REG_15, 152);
++ /* stg %w1,152(%r15) (backchain) */
++ EMIT6_DISP_LH(0xe3000000, 0x0024, REG_W1, REG_0,
++ REG_15, 152);
+ }
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 526ff3b2615698eb51f2afa5ac348d1bf100cd7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Apr 2025 16:08:44 +0800
+Subject: scsi: hisi_sas: Call I_T_nexus after soft reset for SATA disk
+
+From: Yihang Li <liyihang9@huawei.com>
+
+[ Upstream commit e4d953ca557e02edd3aed7390043e1b8ad1c9723 ]
+
+In commit 21c7e972475e ("scsi: hisi_sas: Disable SATA disk phy for severe
+I_T nexus reset failure"), if the softreset fails upon certain
+conditions, the PHY connected to the disk is disabled directly. Manual
+recovery is required, which is inconvenient for users in actual use.
+
+In addition, SATA disks do not support simultaneous connection of multiple
+hosts. Therefore, when multiple controllers are connected to a SATA disk
+at the same time, the controller which is connected later failed to issue
+an ATA softreset to the SATA disk. As a result, the PHY associated with
+the disk is disabled and cannot be automatically recovered.
+
+Now that, we will not focus on the execution result of softreset. No
+matter whether the execution is successful or not, we will directly carry
+out I_T_nexus_reset.
+
+Fixes: 21c7e972475e ("scsi: hisi_sas: Disable SATA disk phy for severe I_T nexus reset failure")
+Signed-off-by: Yihang Li <liyihang9@huawei.com>
+Link: https://lore.kernel.org/r/20250414080845.1220997-4-liyihang9@huawei.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/hisi_sas/hisi_sas_main.c | 29 +++++----------------------
+ 1 file changed, 5 insertions(+), 24 deletions(-)
+
+diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c
+index 7e64661d215bd..3ad58250bf6b2 100644
+--- a/drivers/scsi/hisi_sas/hisi_sas_main.c
++++ b/drivers/scsi/hisi_sas/hisi_sas_main.c
+@@ -1844,33 +1844,14 @@ static int hisi_sas_I_T_nexus_reset(struct domain_device *device)
+ }
+ hisi_sas_dereg_device(hisi_hba, device);
+
+- rc = hisi_sas_debug_I_T_nexus_reset(device);
+- if (rc == TMF_RESP_FUNC_COMPLETE && dev_is_sata(device)) {
+- struct sas_phy *local_phy;
+-
++ if (dev_is_sata(device)) {
+ rc = hisi_sas_softreset_ata_disk(device);
+- switch (rc) {
+- case -ECOMM:
+- rc = -ENODEV;
+- break;
+- case TMF_RESP_FUNC_FAILED:
+- case -EMSGSIZE:
+- case -EIO:
+- local_phy = sas_get_local_phy(device);
+- rc = sas_phy_enable(local_phy, 0);
+- if (!rc) {
+- local_phy->enabled = 0;
+- dev_err(dev, "Disabled local phy of ATA disk %016llx due to softreset fail (%d)\n",
+- SAS_ADDR(device->sas_addr), rc);
+- rc = -ENODEV;
+- }
+- sas_put_local_phy(local_phy);
+- break;
+- default:
+- break;
+- }
++ if (rc == TMF_RESP_FUNC_FAILED)
++ dev_err(dev, "ata disk %016llx reset (%d)\n",
++ SAS_ADDR(device->sas_addr), rc);
+ }
+
++ rc = hisi_sas_debug_I_T_nexus_reset(device);
+ if ((rc == TMF_RESP_FUNC_COMPLETE) || (rc == -ENODEV))
+ hisi_sas_release_task(hisi_hba, device);
+
+--
+2.39.5
+
--- /dev/null
+From 22efe1daa18ec699c105c80e1f20e04fd6201303 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 May 2025 15:41:57 -0700
+Subject: scsi: qedf: Use designated initializer for struct qed_fcoe_cb_ops
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit d8720235d5b5cad86c1f07f65117ef2a96f8bec7 ]
+
+Recent fixes to the randstruct GCC plugin allowed it to notice
+that this structure is entirely function pointers and is therefore
+subject to randomization, but doing so requires that it always use
+designated initializers. Explicitly specify the "common" member as being
+initialized. Silences:
+
+drivers/scsi/qedf/qedf_main.c:702:9: error: positional initialization of field in 'struct' declared with 'designated_init' attribute [-Werror=designated-init]
+ 702 | {
+ | ^
+
+Fixes: 035f7f87b729 ("randstruct: Enable Clang support")
+Link: https://lore.kernel.org/r/20250502224156.work.617-kees@kernel.org
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qedf/qedf_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c
+index 9a81d14aef6b9..17b19b39699a3 100644
+--- a/drivers/scsi/qedf/qedf_main.c
++++ b/drivers/scsi/qedf/qedf_main.c
+@@ -699,7 +699,7 @@ static u32 qedf_get_login_failures(void *cookie)
+ }
+
+ static struct qed_fcoe_cb_ops qedf_cb_ops = {
+- {
++ .common = {
+ .link_update = qedf_link_update,
+ .bw_update = qedf_bw_update,
+ .schedule_recovery_handler = qedf_schedule_recovery_handler,
+--
+2.39.5
+
--- /dev/null
+From d2b6f9795a975c3559692ca839e3516ee296690a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 May 2025 16:38:12 +0800
+Subject: scsi: ufs: mcq: Delete ufshcd_release_scsi_cmd() in
+ ufshcd_mcq_abort()
+
+From: ping.gao <ping.gao@samsung.com>
+
+[ Upstream commit 53755903b9357e69b2dd6a02fafbb1e30c741895 ]
+
+After UFS_ABORT_TASK has been processed successfully, the host will
+generate MCQ IRQ for ABORT TAG with response OCS_ABORTED. This results in
+ufshcd_compl_one_cqe() calling ufshcd_release_scsi_cmd().
+
+But ufshcd_mcq_abort() already calls ufshcd_release_scsi_cmd(), resulting
+in __ufshcd_release() being called twice. This means
+hba->clk_gating.active_reqs will be decreased twice, making it go
+negative.
+
+Delete ufshcd_release_scsi_cmd() in ufshcd_mcq_abort().
+
+Fixes: f1304d442077 ("scsi: ufs: mcq: Added ufshcd_mcq_abort()")
+Signed-off-by: ping.gao <ping.gao@samsung.com>
+Link: https://lore.kernel.org/r/20250516083812.3894396-1-ping.gao@samsung.com
+Reviewed-by: Peter Wang <peter.wang@mediatek.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ufs/core/ufs-mcq.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/drivers/ufs/core/ufs-mcq.c b/drivers/ufs/core/ufs-mcq.c
+index 411109a5ebbff..14864cfc24223 100644
+--- a/drivers/ufs/core/ufs-mcq.c
++++ b/drivers/ufs/core/ufs-mcq.c
+@@ -629,7 +629,6 @@ int ufshcd_mcq_abort(struct scsi_cmnd *cmd)
+ int tag = scsi_cmd_to_rq(cmd)->tag;
+ struct ufshcd_lrb *lrbp = &hba->lrb[tag];
+ struct ufs_hw_queue *hwq;
+- unsigned long flags;
+ int err;
+
+ /* Skip task abort in case previous aborts failed and report failure */
+@@ -668,10 +667,5 @@ int ufshcd_mcq_abort(struct scsi_cmnd *cmd)
+ return FAILED;
+ }
+
+- spin_lock_irqsave(&hwq->cq_lock, flags);
+- if (ufshcd_cmd_inflight(lrbp->cmd))
+- ufshcd_release_scsi_cmd(hba, lrbp);
+- spin_unlock_irqrestore(&hwq->cq_lock, flags);
+-
+ return SUCCESS;
+ }
+--
+2.39.5
+
--- /dev/null
+From a24e9036f690e743bd36c0248cecbf9faddc279a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 May 2025 21:08:12 +0530
+Subject: scsi: ufs: qcom: Prevent calling phy_exit() before phy_init()
+
+From: Nitin Rawat <quic_nitirawa@quicinc.com>
+
+[ Upstream commit 7831003165d37ecb7b33843fcee05cada0359a82 ]
+
+Prevent calling phy_exit() before phy_init() to avoid abnormal power
+count and the following warning during boot up.
+
+[5.146763] phy phy-1d80000.phy.0: phy_power_on was called before phy_init
+
+Fixes: 7bac65687510 ("scsi: ufs: qcom: Power off the PHY if it was already powered on in ufs_qcom_power_up_sequence()")
+Signed-off-by: Nitin Rawat <quic_nitirawa@quicinc.com>
+Link: https://lore.kernel.org/r/20250526153821.7918-2-quic_nitirawa@quicinc.com
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ufs/host/ufs-qcom.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/ufs/host/ufs-qcom.c b/drivers/ufs/host/ufs-qcom.c
+index c6417ef074a47..c94824c999ccd 100644
+--- a/drivers/ufs/host/ufs-qcom.c
++++ b/drivers/ufs/host/ufs-qcom.c
+@@ -453,10 +453,9 @@ static int ufs_qcom_power_up_sequence(struct ufs_hba *hba)
+ dev_warn(hba->dev, "%s: host reset returned %d\n",
+ __func__, ret);
+
+- if (phy->power_count) {
++ if (phy->power_count)
+ phy_power_off(phy);
+- phy_exit(phy);
+- }
++
+
+ /* phy initialization - calibrate the phy */
+ ret = phy_init(phy);
+--
+2.39.5
+
--- /dev/null
+From 30676dc99f7a2de93af3728bfa309f27655f7055 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Jun 2025 14:32:52 +0300
+Subject: seg6: Fix validation of nexthop addresses
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit 7632fedb266d93ed0ed9f487133e6c6314a9b2d1 ]
+
+The kernel currently validates that the length of the provided nexthop
+address does not exceed the specified length. This can lead to the
+kernel reading uninitialized memory if user space provided a shorter
+length than the specified one.
+
+Fix by validating that the provided length exactly matches the specified
+one.
+
+Fixes: d1df6fd8a1d2 ("ipv6: sr: define core operations for seg6local lightweight tunnel")
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://patch.msgid.link/20250604113252.371528-1-idosch@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/seg6_local.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv6/seg6_local.c b/net/ipv6/seg6_local.c
+index c434940131b1d..7f295b9c13744 100644
+--- a/net/ipv6/seg6_local.c
++++ b/net/ipv6/seg6_local.c
+@@ -1638,10 +1638,8 @@ static const struct nla_policy seg6_local_policy[SEG6_LOCAL_MAX + 1] = {
+ [SEG6_LOCAL_SRH] = { .type = NLA_BINARY },
+ [SEG6_LOCAL_TABLE] = { .type = NLA_U32 },
+ [SEG6_LOCAL_VRFTABLE] = { .type = NLA_U32 },
+- [SEG6_LOCAL_NH4] = { .type = NLA_BINARY,
+- .len = sizeof(struct in_addr) },
+- [SEG6_LOCAL_NH6] = { .type = NLA_BINARY,
+- .len = sizeof(struct in6_addr) },
++ [SEG6_LOCAL_NH4] = NLA_POLICY_EXACT_LEN(sizeof(struct in_addr)),
++ [SEG6_LOCAL_NH6] = NLA_POLICY_EXACT_LEN(sizeof(struct in6_addr)),
+ [SEG6_LOCAL_IIF] = { .type = NLA_U32 },
+ [SEG6_LOCAL_OIF] = { .type = NLA_U32 },
+ [SEG6_LOCAL_BPF] = { .type = NLA_NESTED },
+--
+2.39.5
+
--- /dev/null
+From f29b47711f6c4fe305d7461905bb4e8d1d04c4c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Apr 2025 15:26:33 +0530
+Subject: selftests/bpf: Fix bpf_nf selftest failure
+
+From: Saket Kumar Bhaskar <skb99@linux.ibm.com>
+
+[ Upstream commit 967e8def1100cb4b08c28a54d27ce69563fdf281 ]
+
+For systems with missing iptables-legacy tool this selftest fails.
+
+Add check to find if iptables-legacy tool is available and skip the
+test if the tool is missing.
+
+Fixes: de9c8d848d90 ("selftests/bpf: S/iptables/iptables-legacy/ in the bpf_nf and xdp_synproxy test")
+Signed-off-by: Saket Kumar Bhaskar <skb99@linux.ibm.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20250409095633.33653-1-skb99@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/bpf_nf.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/bpf_nf.c b/tools/testing/selftests/bpf/prog_tests/bpf_nf.c
+index b30ff6b3b81ae..f80660c00a1a7 100644
+--- a/tools/testing/selftests/bpf/prog_tests/bpf_nf.c
++++ b/tools/testing/selftests/bpf/prog_tests/bpf_nf.c
+@@ -63,6 +63,12 @@ static void test_bpf_nf_ct(int mode)
+ .repeat = 1,
+ );
+
++ if (SYS_NOFAIL("iptables-legacy --version")) {
++ fprintf(stdout, "Missing required iptables-legacy tool\n");
++ test__skip();
++ return;
++ }
++
+ skel = test_bpf_nf__open_and_load();
+ if (!ASSERT_OK_PTR(skel, "test_bpf_nf__open_and_load"))
+ return;
+--
+2.39.5
+
--- /dev/null
+From d856483156032586ce92b406f78cf7602d494d41 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 27 Apr 2025 09:40:58 +0000
+Subject: selftests/seccomp: fix syscall_restart test for arm compat
+
+From: Neill Kapron <nkapron@google.com>
+
+[ Upstream commit 797002deed03491215a352ace891749b39741b69 ]
+
+The inconsistencies in the systcall ABI between arm and arm-compat can
+can cause a failure in the syscall_restart test due to the logic
+attempting to work around the differences. The 'machine' field for an
+ARM64 device running in compat mode can report 'armv8l' or 'armv8b'
+which matches with the string 'arm' when only examining the first three
+characters of the string.
+
+This change adds additional validation to the workaround logic to make
+sure we only take the arm path when running natively, not in arm-compat.
+
+Fixes: 256d0afb11d6 ("selftests/seccomp: build and pass on arm64")
+Signed-off-by: Neill Kapron <nkapron@google.com>
+Link: https://lore.kernel.org/r/20250427094103.3488304-2-nkapron@google.com
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/seccomp/seccomp_bpf.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c
+index cacf6507f6905..15325ca35f1e2 100644
+--- a/tools/testing/selftests/seccomp/seccomp_bpf.c
++++ b/tools/testing/selftests/seccomp/seccomp_bpf.c
+@@ -3154,12 +3154,15 @@ TEST(syscall_restart)
+ ret = get_syscall(_metadata, child_pid);
+ #if defined(__arm__)
+ /*
+- * FIXME:
+ * - native ARM registers do NOT expose true syscall.
+ * - compat ARM registers on ARM64 DO expose true syscall.
++ * - values of utsbuf.machine include 'armv8l' or 'armb8b'
++ * for ARM64 running in compat mode.
+ */
+ ASSERT_EQ(0, uname(&utsbuf));
+- if (strncmp(utsbuf.machine, "arm", 3) == 0) {
++ if ((strncmp(utsbuf.machine, "arm", 3) == 0) &&
++ (strncmp(utsbuf.machine, "armv8l", 6) != 0) &&
++ (strncmp(utsbuf.machine, "armv8b", 6) != 0)) {
+ EXPECT_EQ(__NR_nanosleep, ret);
+ } else
+ #endif
+--
+2.39.5
+
--- /dev/null
+From b8caddff520c6a5e460e73bf99a5105d8a5468c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Apr 2025 15:03:39 +0800
+Subject: serial: Fix potential null-ptr-deref in mlb_usio_probe()
+
+From: Henry Martin <bsdhenrymartin@gmail.com>
+
+[ Upstream commit 86bcae88c9209e334b2f8c252f4cc66beb261886 ]
+
+devm_ioremap() can return NULL on error. Currently, mlb_usio_probe()
+does not check for this case, which could result in a NULL pointer
+dereference.
+
+Add NULL check after devm_ioremap() to prevent this issue.
+
+Fixes: ba44dc043004 ("serial: Add Milbeaut serial control")
+Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
+Link: https://lore.kernel.org/r/20250403070339.64990-1-bsdhenrymartin@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/milbeaut_usio.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/milbeaut_usio.c b/drivers/tty/serial/milbeaut_usio.c
+index 70a910085e937..9de3883a4e0b0 100644
+--- a/drivers/tty/serial/milbeaut_usio.c
++++ b/drivers/tty/serial/milbeaut_usio.c
+@@ -522,7 +522,10 @@ static int mlb_usio_probe(struct platform_device *pdev)
+ }
+ port->membase = devm_ioremap(&pdev->dev, res->start,
+ resource_size(res));
+-
++ if (!port->membase) {
++ ret = -ENOMEM;
++ goto failed;
++ }
+ ret = platform_get_irq_byname(pdev, "rx");
+ mlb_usio_irq[index][RX] = ret;
+
+--
+2.39.5
+
dt-bindings-usb-cypress-hx3-add-support-for-all-variants.patch
dt-bindings-phy-imx8mq-usb-fix-fsl-phy-tx-vboost-level-microvolt-property.patch
revert-drm-amd-display-more-liberal-vmin-vmax-update-for-freesync.patch
+tools-x86-kcpuid-fix-error-handling.patch
+x86-idle-remove-mfences-for-x86_bug_clflush_monitor-.patch
+crypto-sun8i-ce-hash-fix-error-handling-in-sun8i_ce_.patch
+gfs2-gfs2_create_inode-error-handling-fix.patch
+perf-core-fix-broken-throttling-when-max_samples_per.patch
+crypto-sun8i-ce-cipher-fix-error-handling-in-sun8i_c.patch
+crypto-sun8i-ss-do-not-use-sg_dma_len-before-calling.patch
+powerpc-do-not-build-ppc_save_regs.o-always.patch
+powerpc-crash-fix-non-smp-kexec-preparation.patch
+x86-microcode-amd-do-not-return-error-when-microcode.patch
+x86-cpu-sanitize-cpuid-0x80000000-output.patch
+crypto-marvell-cesa-handle-zero-length-skcipher-requ.patch
+crypto-marvell-cesa-avoid-empty-transfer-descriptor.patch
+btrfs-scrub-update-device-stats-when-an-error-is-det.patch
+btrfs-scrub-fix-a-wrong-error-type-when-metadata-byt.patch
+rcu-cpu_stall_cputime-fix-the-hardirq-count-for-x86-.patch
+crypto-lrw-only-add-ecb-if-it-is-not-already-there.patch
+crypto-xts-only-add-ecb-if-it-is-not-already-there.patch
+crypto-sun8i-ce-move-fallback-ahash_request-to-the-e.patch
+kunit-fix-wrong-parameter-to-kunit_deactivate_static.patch
+acpica-exserial-don-t-forget-to-handle-ffixedhw-opre.patch
+tools-nolibc-types.h-fix-mismatched-parenthesis-in-m.patch
+asoc-tas2764-enable-main-irqs.patch
+edac-skx_common-fix-general-protection-fault.patch
+edac-skx_common-i10nm-fix-the-loss-of-saved-rrl-for-.patch
+tools-nolibc-fix-integer-overflow-in-i-64-toa_r-and.patch
+spi-tegra210-quad-fix-x1_x2_x4-encoding-and-support-.patch
+spi-tegra210-quad-remove-redundant-error-handling-co.patch
+spi-tegra210-quad-modify-chip-select-cs-deactivation.patch
+power-reset-at91-reset-optimize-at91_reset.patch
+asoc-sof-ipc4-pcm-adjust-pipeline_list-pipelines-all.patch
+pm-wakeup-delete-space-in-the-end-of-string-shown-by.patch
+x86-mtrr-check-if-fixed-range-mtrrs-exist-in-mtrr_sa.patch
+pm-sleep-print-pm-debug-messages-during-hibernation.patch
+acpi-osi-stop-advertising-support-for-3.0-_scp-exten.patch
+spi-sh-msiof-fix-maximum-dma-transfer-size.patch
+asoc-apple-mca-constrain-channels-according-to-tdm-m.patch
+drm-vmwgfx-add-seqno-waiter-for-sync_files.patch
+drm-vc4-tests-use-return-instead-of-assert.patch
+drm-amd-pp-fix-potential-null-pointer-dereference-in.patch
+media-rkvdec-fix-frame-size-enumeration.patch
+arm64-fpsimd-avoid-res0-bits-in-the-sme-trap-handler.patch
+arm64-fpsimd-discard-stale-cpu-state-when-handling-s.patch
+arm64-fpsimd-fix-merging-of-fpsimd-state-during-sign.patch
+drm-bridge-lt9611uxc-fix-an-error-handling-path-in-l.patch
+fs-ntfs3-handle-hdr_first_de-return-value.patch
+watchdog-exar-shorten-identity-name-to-fit-correctly.patch
+m68k-mac-fix-macintosh_config-for-mac-ii.patch
+firmware-psci-fix-refcount-leak-in-psci_dt_init.patch
+arm64-support-arm64_va_bits-52-when-setting-arch_mma.patch
+selftests-seccomp-fix-syscall_restart-test-for-arm-c.patch
+drm-rcar-du-fix-memory-leak-in-rcar_du_vsps_init.patch
+drm-vkms-adjust-vkms_state-active_planes-allocation-.patch
+drm-tegra-rgb-fix-the-unbound-reference-count.patch
+firmware-sdei-allow-sdei-initialization-without-acpi.patch
+arm64-fpsimd-do-not-discard-modified-sve-state.patch
+scsi-qedf-use-designated-initializer-for-struct-qed_.patch
+perf-amlogic-replace-smp_processor_id-with-raw_smp_p.patch
+drm-mediatek-mtk_drm_drv-fix-kobject-put-for-mtk_mut.patch
+drm-mediatek-fix-kobject-put-for-component-sub-drive.patch
+drm-mediatek-mtk_drm_drv-unbind-secondary-mmsys-comp.patch
+xen-x86-fix-initial-memory-balloon-target.patch
+wifi-ath11k-fix-node-corruption-in-ar-arvifs-list.patch
+ib-cm-use-rwlock-for-mad-agent-lock.patch
+selftests-bpf-fix-bpf_nf-selftest-failure.patch
+bpf-fix-ktls-panic-with-sockmap.patch
+bpf-sockmap-fix-duplicated-data-transmission.patch
+bpf-sockmap-fix-panic-when-calling-skb_linearize.patch
+wifi-ath12k-fix-wmi-tag-for-eht-rate-in-peer-assoc.patch
+f2fs-fix-to-do-sanity-check-on-sbi-total_valid_block.patch
+net-ncsi-fix-gcps-64-bit-member-variables.patch
+libbpf-fix-buffer-overflow-in-bpf_object__init_prog.patch
+xfrm-use-xdo.dev-instead-of-xdo.real_dev.patch
+wifi-rtw88-sdio-map-mgmt-frames-to-queue-tx_desc_qse.patch
+wifi-rtw88-sdio-call-rtw_sdio_indicate_tx_status-unc.patch
+wifi-rtw88-do-not-ignore-hardware-read-error-during-.patch
+wifi-ath12k-add-msdu-length-validation-for-tkip-mic-.patch
+wifi-ath12k-fix-node-corruption-in-ar-arvifs-list.patch
+rdma-hns-include-hnae3.h-in-hns_roce_hw_v2.h.patch
+scsi-hisi_sas-call-i_t_nexus-after-soft-reset-for-sa.patch
+libbpf-remove-sample_period-init-in-perf_buffer.patch
+use-thread-safe-function-pointer-in-libbpf_print.patch
+iommu-protect-against-overflow-in-iommu_pgsize.patch
+bonding-assign-random-address-if-device-address-is-s.patch
+f2fs-clean-up-w-fscrypt_is_bounce_page.patch
+f2fs-fix-to-detect-gcing-page-in-f2fs_is_cp_guarante.patch
+libbpf-use-proper-errno-value-in-linker.patch
+bpf-allow-xdp-dev-bound-programs-to-perform-xdp_redi.patch
+netfilter-bridge-move-specific-fragmented-packet-to-.patch
+netfilter-nft_quota-match-correctly-when-the-quota-j.patch
+rdma-mlx5-fix-error-flow-upon-firmware-failure-for-r.patch
+bpf-fix-uninitialized-values-in-bpf_-core-probe-_rea.patch
+tracing-move-histogram-trigger-variables-from-stack-.patch
+clk-qcom-camcc-sm6350-add-_wait_val-values-for-gdscs.patch
+clk-qcom-dispcc-sm6350-add-_wait_val-values-for-gdsc.patch
+clk-qcom-gcc-sm6350-add-_wait_val-values-for-gdscs.patch
+clk-qcom-gpucc-sm6350-add-_wait_val-values-for-gdscs.patch
+clk-bcm-rpi-add-null-check-in-raspberrypi_clk_regist.patch
+efi-libstub-describe-missing-out-parameter-in-efi_lo.patch
+tracing-rename-event_trigger_alloc-to-trigger_data_a.patch
+tracing-fix-error-handling-in-event_trigger_parse.patch
+ktls-sockmap-fix-missing-uncharge-operation.patch
+libbpf-use-proper-errno-value-in-nlattr.patch
+pinctrl-at91-fix-possible-out-of-boundary-access.patch
+bpf-fix-warn-in-get_bpf_raw_tp_regs.patch
+clk-qcom-gcc-msm8939-fix-mclk0-mclk1-for-24-mhz.patch
+s390-bpf-store-backchain-even-for-leaf-progs.patch
+wifi-rtw88-fix-the-para-buffer-size-to-avoid-reading.patch
+iommu-remove-duplicate-selection-of-dmar_table.patch
+wifi-ath12k-fix-memory-leak-in-ath12k_service_ready_.patch
+hisi_acc_vfio_pci-fix-xqe-dma-address-error.patch
+hisi_acc_vfio_pci-add-eq-and-aeq-interruption-restor.patch
+hisi_acc_vfio_pci-bugfix-live-migration-function-wit.patch
+wifi-ath9k_htc-abort-software-beacon-handling-if-dis.patch
+scsi-ufs-mcq-delete-ufshcd_release_scsi_cmd-in-ufshc.patch
+kernfs-relax-constraint-in-draining-guard.patch
+wifi-mt76-mt7915-fix-null-ptr-deref-in-mt7915_mmio_w.patch
+wifi-mt76-mt7996-set-eht-max-ampdu-length-capability.patch
+wifi-mt76-mt7996-fix-rx-buffer-size-of-mcu-event.patch
+netfilter-nf_tables-nft_fib_ipv6-fix-vrf-ipv4-ipv6-r.patch
+vfio-type1-fix-error-unwind-in-migration-dirty-bitma.patch
+bluetooth-mgmt-iterate-over-mesh-commands-in-mgmt_me.patch
+bpf-sockmap-avoid-using-sk_socket-after-free-when-se.patch
+netfilter-nft_tunnel-fix-geneve_opt-dump.patch
+risc-v-kvm-lock-the-correct-mp_state-during-reset.patch
+net-usb-aqc111-fix-error-handling-of-usbnet-read-cal.patch
+rdma-cma-fix-hang-when-cma_netevent_callback-fails-t.patch
+net-lan966x-fix-1-step-timestamping-over-ipv4-or-ipv.patch
+bpf-avoid-__bpf_prog_ret0_warn-when-jit-fails.patch
+net-phy-clear-phydev-devlink-when-the-link-is-delete.patch
+net-phy-fix-up-const-issues-in-to_mdio_device-and-to.patch
+net-lan743x-rename-lan743x_reset_phy-to-lan743x_hw_r.patch
+net-phy-mscc-fix-memory-leak-when-using-one-step-tim.patch
+octeontx2-pf-qos-refactor-tc_htb_leaf_del_last-callb.patch
+calipso-don-t-call-calipso-functions-for-af_inet-sk.patch
+net-openvswitch-fix-the-dead-loop-of-mpls-parse.patch
+net-phy-mscc-stop-clearing-the-the-udpv4-checksum-fo.patch
+f2fs-use-d_inode-dentry-cleanup-dentry-d_inode.patch
+f2fs-fix-to-correct-check-conditions-in-f2fs_cross_r.patch
+arm64-dts-qcom-sdm845-starqltechn-remove-wifi.patch
+arm64-dts-qcom-sdm845-starqltechn-fix-usb-regulator-.patch
+arm64-dts-qcom-sdm845-starqltechn-refactor-node-orde.patch
+arm64-dts-qcom-sdm845-starqltechn-remove-excess-rese.patch
+arm64-dts-qcom-sm8350-reenable-crypto-cryptobam.patch
+arm64-dts-qcom-sm8250-fix-cpu7-opp-table.patch
+arm64-dts-qcom-sc8280xp-x13s-drop-duplicate-dmic-sup.patch
+arm-dts-at91-usb_a9263-fix-gpio-for-dataflash-chip-s.patch
+arm-dts-at91-at91sam9263-fix-nand-chip-selects.patch
+arm64-dts-mediatek-mt8195-reparent-vdec1-2-and-venc1.patch
+arm64-dts-qcom-sdm660-xiaomi-lavender-add-missing-sd.patch
+arm64-dts-imx8mm-beacon-fix-rtc-capacitive-load.patch
+arm64-dts-imx8mn-beacon-fix-rtc-capacitive-load.patch
+arm64-dts-imx8mp-beacon-fix-rtc-capacitive-load.patch
+arm64-dts-imx8mm-beacon-set-sai5-mclk-direction-to-o.patch
+arm64-dts-imx8mn-beacon-set-sai5-mclk-direction-to-o.patch
+arm64-dts-mediatek-mt6357-drop-regulator-fixed-compa.patch
+arm64-dts-mt6359-add-missing-compatible-property-to-.patch
+arm64-dts-qcom-sdm660-lavender-add-missing-usb-phy-s.patch
+arm64-dts-qcom-sda660-ifc6560-fix-dt-validate-warnin.patch
+arm64-dts-rockchip-update-emmc-for-nanopi-r5-series.patch
+arm64-tegra-drop-remaining-serial-clock-names-and-re.patch
+arm64-dts-ti-k3-j721e-common-proc-board-enable-ospi1.patch
+squashfs-check-return-result-of-sb_min_blocksize.patch
+ocfs2-fix-possible-memory-leak-in-ocfs2_finish_quota.patch
+nilfs2-add-pointer-check-for-nilfs_direct_propagate.patch
+nilfs2-do-not-propagate-enoent-error-from-nilfs_btre.patch
+bus-fsl-mc-fix-double-free-on-mc_dev.patch
+dt-bindings-vendor-prefixes-add-liontron-name.patch
+arm-dts-qcom-apq8064-add-missing-clocks-to-the-timer.patch
+arm-dts-qcom-apq8064-merge-hw-splinlock-into-corresp.patch
+arm64-defconfig-mediatek-enable-phy-drivers.patch
+arm64-dts-rockchip-disable-unrouted-usb-controllers-.patch
+arm64-dts-renesas-white-hawk-ard-audio-fix-tpu0-grou.patch
+arm64-dts-mt6359-rename-rtc-node-to-match-binding-ex.patch
+arm-aspeed-don-t-select-sram.patch
+soc-aspeed-lpc-fix-impossible-judgment-condition.patch
+soc-aspeed-add-null-check-in-aspeed_lpc_enable_snoop.patch
+fbdev-core-fbcvt-avoid-division-by-0-in-fb_cvt_hperi.patch
+randstruct-gcc-plugin-remove-bogus-void-member.patch
+randstruct-gcc-plugin-fix-attribute-addition.patch
+perf-build-warn-when-libdebuginfod-devel-files-are-n.patch
+perf-ui-browser-hists-set-actions-thread-before-call.patch
+dm-don-t-change-md-if-dm_table_set_restrictions-fail.patch
+dm-free-table-mempools-if-not-used-in-__bind.patch
+backlight-pm8941-add-null-check-in-wled_configure.patch
+mtd-nand-ecc-mxic-fix-use-of-uninitialized-variable-.patch
+hwmon-asus-ec-sensors-check-sensor-index-in-read_str.patch
+dm-flakey-error-all-ios-when-num_features-is-absent.patch
+dm-flakey-make-corrupting-read-bios-work.patch
+perf-trace-fix-leaks-of-struct-thread-in-set_filter_.patch
+perf-intel-pt-fix-pebs-via-pt-data_src.patch
+perf-scripts-python-exported-sql-viewer.py-fix-patte.patch
+remoteproc-qcom_wcnss_iris-add-missing-put_device-on.patch
+remoteproc-k3-r5-drop-check-performed-in-k3_r5_rproc.patch
+rpmsg-qcom_smd-fix-uninitialized-return-variable-in-.patch
+mfd-exynos-lpass-avoid-calling-exynos_lpass_disable-.patch
+mfd-stmpe-spi-correct-the-name-used-in-module_device.patch
+perf-tests-switch-tracking-fix-timestamp-comparison.patch
+perf-record-fix-incorrect-user-regs-comments.patch
+perf-trace-always-print-return-value-for-syscalls-re.patch
+nfs-clear-sb_rdonly-before-getting-superblock.patch
+nfs-ignore-sb_rdonly-when-remounting-nfs.patch
+cifs-fix-validation-of-smb1-query-reparse-point-resp.patch
+rtc-sh-assign-correct-interrupts-with-dt.patch
+pci-print-the-actual-delay-time-in-pci_bridge_wait_f.patch
+pci-cadence-fix-runtime-atomic-count-underflow.patch
+pci-apple-use-gpiod_set_value_cansleep-in-probe-flow.patch
+pci-explicitly-put-devices-into-d0-when-initializing.patch
+phy-qcom-qmp-usb-fix-an-null-vs-is_err-bug.patch
+dmaengine-ti-add-null-check-in-udma_probe.patch
+pci-dpc-initialize-aer_err_info-before-using-it.patch
+rtc-loongson-add-missing-alarm-notifications-for-acp.patch
+usb-renesas_usbhs-reorder-clock-handling-and-power-m.patch
+serial-fix-potential-null-ptr-deref-in-mlb_usio_prob.patch
+thunderbolt-fix-a-logic-error-in-wake-on-connect.patch
+iio-filter-admv8818-fix-band-4-state-15.patch
+iio-filter-admv8818-fix-integer-overflow.patch
+iio-filter-admv8818-fix-range-calculation.patch
+iio-filter-admv8818-support-frequencies-2-32.patch
+iio-adc-ad7124-fix-3db-filter-frequency-reading.patch
+mips-loongson64-add-missing-interrupt-cells-for-loon.patch
+counter-interrupt-cnt-protect-enable-disable-ops-wit.patch
+fpga-fix-potential-null-pointer-deref-in-fpga_mgr_te.patch
+coresight-prevent-deactivate-active-config-while-ena.patch
+vt-remove-vt_resize-and-vt_resizex-from-vt_compat_io.patch
+net-stmmac-platform-guarantee-uniqueness-of-bus_id.patch
+gve-fix-rx_buffers_posted-stat-to-report-per-queue-f.patch
+net-tipc-fix-refcount-warning-in-tipc_aead_encrypt.patch
+driver-net-ethernet-mtk_star_emac-fix-suspend-resume.patch
+net-mlx4_en-prevent-potential-integer-overflow-calcu.patch
+net-lan966x-make-sure-to-insert-the-vlan-tags-also-i.patch
+spi-bcm63xx-spi-fix-shared-reset.patch
+spi-bcm63xx-hsspi-fix-shared-reset.patch
+bluetooth-l2cap-fix-not-responding-with-l2cap_cr_le_.patch
+ice-fix-tx-scheduler-error-handling-in-xdp-callback.patch
+ice-create-new-tx-scheduler-nodes-for-new-queues-onl.patch
+ice-fix-rebuilding-the-tx-scheduler-tree-for-large-q.patch
+net-dsa-tag_brcm-legacy-fix-pskb_may_pull-length.patch
+net-stmmac-make-sure-that-ptp_rate-is-not-0-before-c.patch
+net-fix-checksum-update-for-ila-adj-transport.patch
+net-fix-udp-gso-skb_segment-after-pull-from-frag_lis.patch
+net-wwan-t7xx-fix-napi-rx-poll-issue.patch
+vmxnet3-correctly-report-gso-type-for-udp-tunnels.patch
+pm-sleep-fix-power.is_suspended-cleanup-for-direct-c.patch
+gve-add-missing-null-check-for-gve_alloc_pending_pac.patch
+netfilter-nf_set_pipapo_avx2-fix-initial-map-fill.patch
+netfilter-nf_nat-also-check-reverse-tuple-to-obtain-.patch
+net-dsa-b53-do-not-enable-rgmii-delay-on-bcm63xx.patch
+net-dsa-b53-allow-rgmii-for-bcm63xx-rgmii-ports.patch
+wireguard-device-enable-threaded-napi.patch
+seg6-fix-validation-of-nexthop-addresses.patch
+scsi-ufs-qcom-prevent-calling-phy_exit-before-phy_in.patch
+asoc-codecs-hda-fix-rpm-usage-count-underflow.patch
+asoc-intel-avs-fix-deadlock-when-the-failing-ipc-is-.patch
+asoc-intel-avs-verify-content-returned-by-parse_int_.patch
+asoc-ti-omap-hdmi-re-add-dai_link-platform-to-fix-ca.patch
+path_overmount-avoid-false-negatives.patch
+fix-propagation-graph-breakage-by-move_mount_set_gro.patch
+do_change_type-refuse-to-operate-on-unmounted-not-ou.patch
--- /dev/null
+From 93f10945e20ba5aea23f838c032254f6f6ecd140 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 May 2025 16:00:44 +0930
+Subject: soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop()
+
+From: Henry Martin <bsdhenrymartin@gmail.com>
+
+[ Upstream commit f1706e0e1a74b095cbc60375b9b1e6205f5f4c98 ]
+
+devm_kasprintf() returns NULL when memory allocation fails. Currently,
+aspeed_lpc_enable_snoop() does not check for this case, which results in a
+NULL pointer dereference.
+
+Add NULL check after devm_kasprintf() to prevent this issue.
+
+Fixes: 3772e5da4454 ("drivers/misc: Aspeed LPC snoop output using misc chardev")
+Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
+Link: https://patch.msgid.link/20250401074647.21300-1-bsdhenrymartin@gmail.com
+[arj: Fix Fixes: tag to use subject from 3772e5da4454]
+Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/aspeed/aspeed-lpc-snoop.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/soc/aspeed/aspeed-lpc-snoop.c b/drivers/soc/aspeed/aspeed-lpc-snoop.c
+index 8cb3a0b4692cf..0f2ffee321dd9 100644
+--- a/drivers/soc/aspeed/aspeed-lpc-snoop.c
++++ b/drivers/soc/aspeed/aspeed-lpc-snoop.c
+@@ -200,11 +200,15 @@ static int aspeed_lpc_enable_snoop(struct aspeed_lpc_snoop *lpc_snoop,
+ lpc_snoop->chan[channel].miscdev.minor = MISC_DYNAMIC_MINOR;
+ lpc_snoop->chan[channel].miscdev.name =
+ devm_kasprintf(dev, GFP_KERNEL, "%s%d", DEVICE_NAME, channel);
++ if (!lpc_snoop->chan[channel].miscdev.name) {
++ rc = -ENOMEM;
++ goto err_free_fifo;
++ }
+ lpc_snoop->chan[channel].miscdev.fops = &snoop_fops;
+ lpc_snoop->chan[channel].miscdev.parent = dev;
+ rc = misc_register(&lpc_snoop->chan[channel].miscdev);
+ if (rc)
+- return rc;
++ goto err_free_fifo;
+
+ /* Enable LPC snoop channel at requested port */
+ switch (channel) {
+@@ -221,7 +225,8 @@ static int aspeed_lpc_enable_snoop(struct aspeed_lpc_snoop *lpc_snoop,
+ hicrb_en = HICRB_ENSNP1D;
+ break;
+ default:
+- return -EINVAL;
++ rc = -EINVAL;
++ goto err_misc_deregister;
+ }
+
+ regmap_update_bits(lpc_snoop->regmap, HICR5, hicr5_en, hicr5_en);
+@@ -231,6 +236,12 @@ static int aspeed_lpc_enable_snoop(struct aspeed_lpc_snoop *lpc_snoop,
+ regmap_update_bits(lpc_snoop->regmap, HICRB,
+ hicrb_en, hicrb_en);
+
++ return 0;
++
++err_misc_deregister:
++ misc_deregister(&lpc_snoop->chan[channel].miscdev);
++err_free_fifo:
++ kfifo_free(&lpc_snoop->chan[channel].fifo);
+ return rc;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From bd858daf34d6ce9303d6caedc662acaf22f67b82 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 May 2025 16:00:43 +0930
+Subject: soc: aspeed: lpc: Fix impossible judgment condition
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Su Hui <suhui@nfschina.com>
+
+[ Upstream commit d9f0a97e859bdcef51f9c187b1eb712eb13fd3ff ]
+
+smatch error:
+drivers/soc/aspeed/aspeed-lpc-snoop.c:169
+aspeed_lpc_snoop_config_irq() warn: platform_get_irq() does not return zero
+
+platform_get_irq() return non-zero IRQ number or negative error code,
+change '!lpc_snoop->irq' to 'lpc_snoop->irq < 0' to fix this.
+
+Fixes: 9f4f9ae81d0a ("drivers/misc: add Aspeed LPC snoop driver")
+Signed-off-by: Su Hui <suhui@nfschina.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/r/20231027020703.1231875-1-suhui@nfschina.com
+Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/aspeed/aspeed-lpc-snoop.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/soc/aspeed/aspeed-lpc-snoop.c b/drivers/soc/aspeed/aspeed-lpc-snoop.c
+index 773dbcbc03a6c..8cb3a0b4692cf 100644
+--- a/drivers/soc/aspeed/aspeed-lpc-snoop.c
++++ b/drivers/soc/aspeed/aspeed-lpc-snoop.c
+@@ -166,7 +166,7 @@ static int aspeed_lpc_snoop_config_irq(struct aspeed_lpc_snoop *lpc_snoop,
+ int rc;
+
+ lpc_snoop->irq = platform_get_irq(pdev, 0);
+- if (!lpc_snoop->irq)
++ if (lpc_snoop->irq < 0)
+ return -ENODEV;
+
+ rc = devm_request_irq(dev, lpc_snoop->irq,
+--
+2.39.5
+
--- /dev/null
+From d8d262ee6ea3264e414a6e1abe4606bdda5d98b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 May 2025 15:09:15 +0200
+Subject: spi: bcm63xx-hsspi: fix shared reset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Álvaro Fernández Rojas <noltari@gmail.com>
+
+[ Upstream commit 3d6d84c8f2f66d3fd6a43a1e2ce8e6b54c573960 ]
+
+Some bmips SoCs (bcm6362, bcm63268) share the same SPI reset for both SPI
+and HSSPI controllers, so reset shouldn't be exclusive.
+
+Fixes: 0eeadddbf09a ("spi: bcm63xx-hsspi: add reset support")
+Reported-by: Jonas Gorski <jonas.gorski@gmail.com>
+Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://patch.msgid.link/20250529130915.2519590-3-noltari@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-bcm63xx-hsspi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-bcm63xx-hsspi.c b/drivers/spi/spi-bcm63xx-hsspi.c
+index 1ca857c2a4aa3..8df12efeea21c 100644
+--- a/drivers/spi/spi-bcm63xx-hsspi.c
++++ b/drivers/spi/spi-bcm63xx-hsspi.c
+@@ -745,7 +745,7 @@ static int bcm63xx_hsspi_probe(struct platform_device *pdev)
+ if (IS_ERR(clk))
+ return PTR_ERR(clk);
+
+- reset = devm_reset_control_get_optional_exclusive(dev, NULL);
++ reset = devm_reset_control_get_optional_shared(dev, NULL);
+ if (IS_ERR(reset))
+ return PTR_ERR(reset);
+
+--
+2.39.5
+
--- /dev/null
+From 5f72fcd51d3b9dc3631612b852bf1c84de8ea88e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 May 2025 15:09:14 +0200
+Subject: spi: bcm63xx-spi: fix shared reset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Álvaro Fernández Rojas <noltari@gmail.com>
+
+[ Upstream commit 5ad20e3d8cfe3b2e42bbddc7e0ebaa74479bb589 ]
+
+Some bmips SoCs (bcm6362, bcm63268) share the same SPI reset for both SPI
+and HSSPI controllers, so reset shouldn't be exclusive.
+
+Fixes: 38807adeaf1e ("spi: bcm63xx-spi: add reset support")
+Reported-by: Jonas Gorski <jonas.gorski@gmail.com>
+Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://patch.msgid.link/20250529130915.2519590-2-noltari@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-bcm63xx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-bcm63xx.c b/drivers/spi/spi-bcm63xx.c
+index ef3a7226db125..a95badb7b7114 100644
+--- a/drivers/spi/spi-bcm63xx.c
++++ b/drivers/spi/spi-bcm63xx.c
+@@ -523,7 +523,7 @@ static int bcm63xx_spi_probe(struct platform_device *pdev)
+ return PTR_ERR(clk);
+ }
+
+- reset = devm_reset_control_get_optional_exclusive(dev, NULL);
++ reset = devm_reset_control_get_optional_shared(dev, NULL);
+ if (IS_ERR(reset))
+ return PTR_ERR(reset);
+
+--
+2.39.5
+
--- /dev/null
+From 71008b1fe8d180f7a98c559afac5f5284be4de91 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 May 2025 15:32:06 +0200
+Subject: spi: sh-msiof: Fix maximum DMA transfer size
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 0941d5166629cb766000530945e54b4e49680c68 ]
+
+The maximum amount of data to transfer in a single DMA request is
+calculated from the FIFO sizes (which is technically not 100% correct,
+but a simplification, as it is limited by the maximum word count values
+in the Transmit and Control Data Registers). However, in case there is
+both data to transmit and to receive, the transmit limit is overwritten
+by the receive limit.
+
+Fix this by using the minimum applicable FIFO size instead. Move the
+calculation outside the loop, so it is not repeated for each individual
+DMA transfer.
+
+As currently tx_fifo_size is always equal to rx_fifo_size, this bug had
+no real impact.
+
+Fixes: fe78d0b7691c0274 ("spi: sh-msiof: Fix FIFO size to 64 word from 256 word")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://patch.msgid.link/d9961767a97758b2614f2ee8afe1bd56dc900a60.1747401908.git.geert+renesas@glider.be
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-sh-msiof.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/spi/spi-sh-msiof.c b/drivers/spi/spi-sh-msiof.c
+index 6f12e4fb2e2e1..65c11909659c6 100644
+--- a/drivers/spi/spi-sh-msiof.c
++++ b/drivers/spi/spi-sh-msiof.c
+@@ -918,6 +918,7 @@ static int sh_msiof_transfer_one(struct spi_controller *ctlr,
+ void *rx_buf = t->rx_buf;
+ unsigned int len = t->len;
+ unsigned int bits = t->bits_per_word;
++ unsigned int max_wdlen = 256;
+ unsigned int bytes_per_word;
+ unsigned int words;
+ int n;
+@@ -931,17 +932,17 @@ static int sh_msiof_transfer_one(struct spi_controller *ctlr,
+ if (!spi_controller_is_target(p->ctlr))
+ sh_msiof_spi_set_clk_regs(p, t);
+
++ if (tx_buf)
++ max_wdlen = min(max_wdlen, p->tx_fifo_size);
++ if (rx_buf)
++ max_wdlen = min(max_wdlen, p->rx_fifo_size);
++
+ while (ctlr->dma_tx && len > 15) {
+ /*
+ * DMA supports 32-bit words only, hence pack 8-bit and 16-bit
+ * words, with byte resp. word swapping.
+ */
+- unsigned int l = 0;
+-
+- if (tx_buf)
+- l = min(round_down(len, 4), p->tx_fifo_size * 4);
+- if (rx_buf)
+- l = min(round_down(len, 4), p->rx_fifo_size * 4);
++ unsigned int l = min(round_down(len, 4), max_wdlen * 4);
+
+ if (bits <= 8) {
+ copy32 = copy_bswap32;
+--
+2.39.5
+
--- /dev/null
+From b763c4e9639eeaddb6728a145ab6311763ab7720 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Apr 2025 11:06:01 +0000
+Subject: spi: tegra210-quad: Fix X1_X2_X4 encoding and support x4 transfers
+
+From: Vishwaroop A <va@nvidia.com>
+
+[ Upstream commit dcb06c638a1174008a985849fa30fc0da7d08904 ]
+
+This patch corrects the QSPI_COMMAND_X1_X2_X4 and QSPI_ADDRESS_X1_X2_X4
+macros to properly encode the bus width for x1, x2, and x4 transfers.
+Although these macros were previously incorrect, they were not being
+used in the driver, so no functionality was affected.
+
+The patch updates tegra_qspi_cmd_config() and tegra_qspi_addr_config()
+function calls to use the actual bus width from the transfer, instead of
+hardcoding it to 0 (which implied x1 mode). This change enables proper
+support for x1, x2, and x4 data transfers by correctly configuring the
+interface width for commands and addresses.
+
+These modifications improve the QSPI driver's flexibility and prepare it
+for future use cases that may require different bus widths for commands
+and addresses.
+
+Fixes: 1b8342cc4a38 ("spi: tegra210-quad: combined sequence mode")
+Signed-off-by: Vishwaroop A <va@nvidia.com>
+Link: https://patch.msgid.link/20250416110606.2737315-2-va@nvidia.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-tegra210-quad.c | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/spi/spi-tegra210-quad.c b/drivers/spi/spi-tegra210-quad.c
+index e3c236025a7b3..78b3a021e915e 100644
+--- a/drivers/spi/spi-tegra210-quad.c
++++ b/drivers/spi/spi-tegra210-quad.c
+@@ -134,7 +134,7 @@
+ #define QSPI_COMMAND_VALUE_SET(X) (((x) & 0xFF) << 0)
+
+ #define QSPI_CMB_SEQ_CMD_CFG 0x1a0
+-#define QSPI_COMMAND_X1_X2_X4(x) (((x) & 0x3) << 13)
++#define QSPI_COMMAND_X1_X2_X4(x) ((((x) >> 1) & 0x3) << 13)
+ #define QSPI_COMMAND_X1_X2_X4_MASK (0x03 << 13)
+ #define QSPI_COMMAND_SDR_DDR BIT(12)
+ #define QSPI_COMMAND_SIZE_SET(x) (((x) & 0xFF) << 0)
+@@ -147,7 +147,7 @@
+ #define QSPI_ADDRESS_VALUE_SET(X) (((x) & 0xFFFF) << 0)
+
+ #define QSPI_CMB_SEQ_ADDR_CFG 0x1ac
+-#define QSPI_ADDRESS_X1_X2_X4(x) (((x) & 0x3) << 13)
++#define QSPI_ADDRESS_X1_X2_X4(x) ((((x) >> 1) & 0x3) << 13)
+ #define QSPI_ADDRESS_X1_X2_X4_MASK (0x03 << 13)
+ #define QSPI_ADDRESS_SDR_DDR BIT(12)
+ #define QSPI_ADDRESS_SIZE_SET(x) (((x) & 0xFF) << 0)
+@@ -1036,10 +1036,6 @@ static u32 tegra_qspi_addr_config(bool is_ddr, u8 bus_width, u8 len)
+ {
+ u32 addr_config = 0;
+
+- /* Extract Address configuration and value */
+- is_ddr = 0; //Only SDR mode supported
+- bus_width = 0; //X1 mode
+-
+ if (is_ddr)
+ addr_config |= QSPI_ADDRESS_SDR_DDR;
+ else
+@@ -1079,13 +1075,13 @@ static int tegra_qspi_combined_seq_xfer(struct tegra_qspi *tqspi,
+ switch (transfer_phase) {
+ case CMD_TRANSFER:
+ /* X1 SDR mode */
+- cmd_config = tegra_qspi_cmd_config(false, 0,
++ cmd_config = tegra_qspi_cmd_config(false, xfer->tx_nbits,
+ xfer->len);
+ cmd_value = *((const u8 *)(xfer->tx_buf));
+ break;
+ case ADDR_TRANSFER:
+ /* X1 SDR mode */
+- addr_config = tegra_qspi_addr_config(false, 0,
++ addr_config = tegra_qspi_addr_config(false, xfer->tx_nbits,
+ xfer->len);
+ address_value = *((const u32 *)(xfer->tx_buf));
+ break;
+--
+2.39.5
+
--- /dev/null
+From 45589c5a4da9e04554a6bd8dd1ca2b804937764d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Apr 2025 11:06:03 +0000
+Subject: spi: tegra210-quad: modify chip select (CS) deactivation
+
+From: Vishwaroop A <va@nvidia.com>
+
+[ Upstream commit d8966b65413390d1b5b706886987caac05fbe024 ]
+
+Modify the chip select (CS) deactivation and inter-transfer delay
+execution only during the DATA_TRANSFER phase when the cs_change
+flag is not set. This ensures proper CS handling and timing between
+transfers while eliminating redundant operations.
+
+Fixes: 1b8342cc4a38 ("spi: tegra210-quad: combined sequence mode")
+Signed-off-by: Vishwaroop A <va@nvidia.com>
+Link: https://patch.msgid.link/20250416110606.2737315-4-va@nvidia.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-tegra210-quad.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/spi/spi-tegra210-quad.c b/drivers/spi/spi-tegra210-quad.c
+index 7a74164cd9548..e9afebd724237 100644
+--- a/drivers/spi/spi-tegra210-quad.c
++++ b/drivers/spi/spi-tegra210-quad.c
+@@ -1159,16 +1159,16 @@ static int tegra_qspi_combined_seq_xfer(struct tegra_qspi *tqspi,
+ ret = -EIO;
+ goto exit;
+ }
+- if (!xfer->cs_change) {
+- tegra_qspi_transfer_end(spi);
+- spi_transfer_delay_exec(xfer);
+- }
+ break;
+ default:
+ ret = -EINVAL;
+ goto exit;
+ }
+ msg->actual_length += xfer->len;
++ if (!xfer->cs_change && transfer_phase == DATA_TRANSFER) {
++ tegra_qspi_transfer_end(spi);
++ spi_transfer_delay_exec(xfer);
++ }
+ transfer_phase++;
+ }
+ ret = 0;
+--
+2.39.5
+
--- /dev/null
+From ef1be6f0a1385a5aad4d24f9a9dfc6910946acff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Apr 2025 11:06:02 +0000
+Subject: spi: tegra210-quad: remove redundant error handling code
+
+From: Vishwaroop A <va@nvidia.com>
+
+[ Upstream commit 400d9f1a27cc2fceabdb1ed93eaf0b89b6d32ba5 ]
+
+Remove unnecessary error handling code that terminated transfers and
+executed delay on errors. This code was redundant as error handling is
+already done at a higher level in the SPI core.
+
+Fixes: 1b8342cc4a38 ("spi: tegra210-quad: combined sequence mode")
+Signed-off-by: Vishwaroop A <va@nvidia.com>
+Link: https://patch.msgid.link/20250416110606.2737315-3-va@nvidia.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-tegra210-quad.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/drivers/spi/spi-tegra210-quad.c b/drivers/spi/spi-tegra210-quad.c
+index 78b3a021e915e..7a74164cd9548 100644
+--- a/drivers/spi/spi-tegra210-quad.c
++++ b/drivers/spi/spi-tegra210-quad.c
+@@ -1175,10 +1175,6 @@ static int tegra_qspi_combined_seq_xfer(struct tegra_qspi *tqspi,
+
+ exit:
+ msg->status = ret;
+- if (ret < 0) {
+- tegra_qspi_transfer_end(spi);
+- spi_transfer_delay_exec(xfer);
+- }
+
+ return ret;
+ }
+--
+2.39.5
+
--- /dev/null
+From cdad01642df30ea5ba8299fba5dfaf47e61acf82 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Apr 2025 03:47:47 +0100
+Subject: Squashfs: check return result of sb_min_blocksize
+
+From: Phillip Lougher <phillip@squashfs.org.uk>
+
+[ Upstream commit 734aa85390ea693bb7eaf2240623d41b03705c84 ]
+
+Syzkaller reports an "UBSAN: shift-out-of-bounds in squashfs_bio_read" bug.
+
+Syzkaller forks multiple processes which after mounting the Squashfs
+filesystem, issues an ioctl("/dev/loop0", LOOP_SET_BLOCK_SIZE, 0x8000).
+Now if this ioctl occurs at the same time another process is in the
+process of mounting a Squashfs filesystem on /dev/loop0, the failure
+occurs. When this happens the following code in squashfs_fill_super()
+fails.
+
+----
+msblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE);
+msblk->devblksize_log2 = ffz(~msblk->devblksize);
+----
+
+sb_min_blocksize() returns 0, which means msblk->devblksize is set to 0.
+
+As a result, ffz(~msblk->devblksize) returns 64, and msblk->devblksize_log2
+is set to 64.
+
+This subsequently causes the
+
+UBSAN: shift-out-of-bounds in fs/squashfs/block.c:195:36
+shift exponent 64 is too large for 64-bit type 'u64' (aka
+'unsigned long long')
+
+This commit adds a check for a 0 return by sb_min_blocksize().
+
+Link: https://lkml.kernel.org/r/20250409024747.876480-1-phillip@squashfs.org.uk
+Fixes: 0aa666190509 ("Squashfs: super block operations")
+Reported-by: syzbot+65761fc25a137b9c8c6e@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/67f0dd7a.050a0220.0a13.0230.GAE@google.com/
+Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/squashfs/super.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/fs/squashfs/super.c b/fs/squashfs/super.c
+index 22e812808e5cf..3a27d4268b3c4 100644
+--- a/fs/squashfs/super.c
++++ b/fs/squashfs/super.c
+@@ -202,6 +202,11 @@ static int squashfs_fill_super(struct super_block *sb, struct fs_context *fc)
+ msblk->panic_on_errors = (opts->errors == Opt_errors_panic);
+
+ msblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE);
++ if (!msblk->devblksize) {
++ errorf(fc, "squashfs: unable to set blocksize\n");
++ return -EINVAL;
++ }
++
+ msblk->devblksize_log2 = ffz(~msblk->devblksize);
+
+ mutex_init(&msblk->meta_index_mutex);
+--
+2.39.5
+
--- /dev/null
+From 27fe7f1efb901b4e8a427869ffe7022be0541d55 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Apr 2025 10:14:44 -0500
+Subject: thunderbolt: Fix a logic error in wake on connect
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit 1a760d10ded372d113a0410c42be246315bbc2ff ]
+
+commit a5cfc9d65879c ("thunderbolt: Add wake on connect/disconnect
+on USB4 ports") introduced a sysfs file to control wake up policy
+for a given USB4 port that defaulted to disabled.
+
+However when testing commit 4bfeea6ec1c02 ("thunderbolt: Use wake
+on connect and disconnect over suspend") I found that it was working
+even without making changes to the power/wakeup file (which defaults
+to disabled). This is because of a logic error doing a bitwise or
+of the wake-on-connect flag with device_may_wakeup() which should
+have been a logical AND.
+
+Adjust the logic so that policy is only applied when wakeup is
+actually enabled.
+
+Fixes: a5cfc9d65879c ("thunderbolt: Add wake on connect/disconnect on USB4 ports")
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thunderbolt/usb4.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/thunderbolt/usb4.c b/drivers/thunderbolt/usb4.c
+index 8db9bd32f4738..e445516290f91 100644
+--- a/drivers/thunderbolt/usb4.c
++++ b/drivers/thunderbolt/usb4.c
+@@ -442,10 +442,10 @@ int usb4_switch_set_wake(struct tb_switch *sw, unsigned int flags)
+ bool configured = val & PORT_CS_19_PC;
+ usb4 = port->usb4;
+
+- if (((flags & TB_WAKE_ON_CONNECT) |
++ if (((flags & TB_WAKE_ON_CONNECT) &&
+ device_may_wakeup(&usb4->dev)) && !configured)
+ val |= PORT_CS_19_WOC;
+- if (((flags & TB_WAKE_ON_DISCONNECT) |
++ if (((flags & TB_WAKE_ON_DISCONNECT) &&
+ device_may_wakeup(&usb4->dev)) && configured)
+ val |= PORT_CS_19_WOD;
+ if ((flags & TB_WAKE_ON_USB4) && configured)
+--
+2.39.5
+
--- /dev/null
+From b7207c846d79eb4c687518d0ef619166d6648a9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Apr 2025 12:46:22 +0200
+Subject: tools/nolibc: fix integer overflow in i{64,}toa_r() and
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <linux@weissschuh.net>
+
+[ Upstream commit 4d231a7df1a85c7572b67a4666cb73adb977fbf6 ]
+
+In twos complement the most negative number can not be negated.
+
+Fixes: b1c21e7d99cd ("tools/nolibc/stdlib: add i64toa() and u64toa()")
+Fixes: 66c397c4d2e1 ("tools/nolibc/stdlib: replace the ltoa() function with more efficient ones")
+Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
+Acked-by: Willy Tarreau <w@1wt.eu>
+Link: https://lore.kernel.org/r/20250419-nolibc-ubsan-v2-5-060b8a016917@weissschuh.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/include/nolibc/stdlib.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/include/nolibc/stdlib.h b/tools/include/nolibc/stdlib.h
+index 5be9d3c7435a8..6bf62f5048faa 100644
+--- a/tools/include/nolibc/stdlib.h
++++ b/tools/include/nolibc/stdlib.h
+@@ -274,7 +274,7 @@ int itoa_r(long in, char *buffer)
+ int len = 0;
+
+ if (in < 0) {
+- in = -in;
++ in = -(unsigned long)in;
+ *(ptr++) = '-';
+ len++;
+ }
+@@ -410,7 +410,7 @@ int i64toa_r(int64_t in, char *buffer)
+ int len = 0;
+
+ if (in < 0) {
+- in = -in;
++ in = -(uint64_t)in;
+ *(ptr++) = '-';
+ len++;
+ }
+--
+2.39.5
+
--- /dev/null
+From cee6e0da0f81b1230e4f30af35a053bce5699726 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Apr 2025 15:36:24 +0800
+Subject: tools/nolibc/types.h: fix mismatched parenthesis in minor()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jemmy Wong <jemmywong512@gmail.com>
+
+[ Upstream commit 9c138ac9392228835b520fd4dbb07e636b34a867 ]
+
+Fix an imbalance where opening parentheses exceed closing ones.
+
+Fixes: eba6d00d38e7c ("tools/nolibc/types: move makedev to types.h and make it a macro")
+Signed-off-by: Jemmy Wong <jemmywong512@gmail.com>
+Acked-by: Willy Tarreau <w@1wt.eu>
+Link: https://lore.kernel.org/r/20250411073624.22153-1-jemmywong512@gmail.com
+Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/include/nolibc/types.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/include/nolibc/types.h b/tools/include/nolibc/types.h
+index 8cfc4c860fa44..053ffa222ffcb 100644
+--- a/tools/include/nolibc/types.h
++++ b/tools/include/nolibc/types.h
+@@ -222,7 +222,7 @@ struct stat {
+ /* WARNING, it only deals with the 4096 first majors and 256 first minors */
+ #define makedev(major, minor) ((dev_t)((((major) & 0xfff) << 8) | ((minor) & 0xff)))
+ #define major(dev) ((unsigned int)(((dev) >> 8) & 0xfff))
+-#define minor(dev) ((unsigned int)(((dev) & 0xff))
++#define minor(dev) ((unsigned int)((dev) & 0xff))
+
+ #ifndef offsetof
+ #define offsetof(TYPE, FIELD) ((size_t) &((TYPE *)0)->FIELD)
+--
+2.39.5
+
--- /dev/null
+From a8315e7f1106c036b2b6270431b6b922384b2d59 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Mar 2025 15:20:22 +0100
+Subject: tools/x86/kcpuid: Fix error handling
+
+From: Ahmed S. Darwish <darwi@linutronix.de>
+
+[ Upstream commit 116edfe173d0c59ec2aa87fb91f2f31d477b61b3 ]
+
+Error handling in kcpuid is unreliable. On malloc() failures, the code
+prints an error then just goes on. The error messages are also printed
+to standard output instead of standard error.
+
+Use err() and errx() from <err.h> to direct all error messages to
+standard error and automatically exit the program. Use err() to include
+the errno information, and errx() otherwise. Use warnx() for warnings.
+
+While at it, alphabetically reorder the header includes.
+
+[ mingo: Fix capitalization in the help text while at it. ]
+
+Fixes: c6b2f240bf8d ("tools/x86: Add a kcpuid tool to show raw CPU features")
+Reported-by: Remington Brasga <rbrasga@uci.edu>
+Signed-off-by: Ahmed S. Darwish <darwi@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Link: https://lore.kernel.org/r/20250324142042.29010-2-darwi@linutronix.de
+Closes: https://lkml.kernel.org/r/20240926223557.2048-1-rbrasga@uci.edu
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/arch/x86/kcpuid/kcpuid.c | 47 +++++++++++++++++-----------------
+ 1 file changed, 23 insertions(+), 24 deletions(-)
+
+diff --git a/tools/arch/x86/kcpuid/kcpuid.c b/tools/arch/x86/kcpuid/kcpuid.c
+index b7965dfff33a9..8c2644f3497e6 100644
+--- a/tools/arch/x86/kcpuid/kcpuid.c
++++ b/tools/arch/x86/kcpuid/kcpuid.c
+@@ -1,11 +1,12 @@
+ // SPDX-License-Identifier: GPL-2.0
+ #define _GNU_SOURCE
+
+-#include <stdio.h>
++#include <err.h>
++#include <getopt.h>
+ #include <stdbool.h>
++#include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
+-#include <getopt.h>
+
+ #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
+ #define min(a, b) (((a) < (b)) ? (a) : (b))
+@@ -156,14 +157,14 @@ static bool cpuid_store(struct cpuid_range *range, u32 f, int subleaf,
+ if (!func->leafs) {
+ func->leafs = malloc(sizeof(struct subleaf));
+ if (!func->leafs)
+- perror("malloc func leaf");
++ err(EXIT_FAILURE, NULL);
+
+ func->nr = 1;
+ } else {
+ s = func->nr;
+ func->leafs = realloc(func->leafs, (s + 1) * sizeof(*leaf));
+ if (!func->leafs)
+- perror("realloc f->leafs");
++ err(EXIT_FAILURE, NULL);
+
+ func->nr++;
+ }
+@@ -222,7 +223,7 @@ struct cpuid_range *setup_cpuid_range(u32 input_eax)
+
+ range = malloc(sizeof(struct cpuid_range));
+ if (!range)
+- perror("malloc range");
++ err(EXIT_FAILURE, NULL);
+
+ if (input_eax & 0x80000000)
+ range->is_ext = true;
+@@ -231,7 +232,7 @@ struct cpuid_range *setup_cpuid_range(u32 input_eax)
+
+ range->funcs = malloc(sizeof(struct cpuid_func) * idx_func);
+ if (!range->funcs)
+- perror("malloc range->funcs");
++ err(EXIT_FAILURE, NULL);
+
+ range->nr = idx_func;
+ memset(range->funcs, 0, sizeof(struct cpuid_func) * idx_func);
+@@ -387,8 +388,8 @@ static int parse_line(char *line)
+ return 0;
+
+ err_exit:
+- printf("Warning: wrong line format:\n");
+- printf("\tline[%d]: %s\n", flines, line);
++ warnx("Wrong line format:\n"
++ "\tline[%d]: %s", flines, line);
+ return -1;
+ }
+
+@@ -410,10 +411,8 @@ static void parse_text(void)
+ file = fopen("./cpuid.csv", "r");
+ }
+
+- if (!file) {
+- printf("Fail to open '%s'\n", filename);
+- return;
+- }
++ if (!file)
++ err(EXIT_FAILURE, "%s", filename);
+
+ while (1) {
+ ret = getline(&line, &len, file);
+@@ -521,7 +520,7 @@ static inline struct cpuid_func *index_to_func(u32 index)
+ func_idx = index & 0xffff;
+
+ if ((func_idx + 1) > (u32)range->nr) {
+- printf("ERR: invalid input index (0x%x)\n", index);
++ warnx("Invalid input index (0x%x)", index);
+ return NULL;
+ }
+ return &range->funcs[func_idx];
+@@ -553,7 +552,7 @@ static void show_info(void)
+ return;
+ }
+
+- printf("ERR: invalid input subleaf (0x%x)\n", user_sub);
++ warnx("Invalid input subleaf (0x%x)", user_sub);
+ }
+
+ show_func(func);
+@@ -584,15 +583,15 @@ static void setup_platform_cpuid(void)
+
+ static void usage(void)
+ {
+- printf("kcpuid [-abdfhr] [-l leaf] [-s subleaf]\n"
+- "\t-a|--all Show both bit flags and complex bit fields info\n"
+- "\t-b|--bitflags Show boolean flags only\n"
+- "\t-d|--detail Show details of the flag/fields (default)\n"
+- "\t-f|--flags Specify the cpuid csv file\n"
+- "\t-h|--help Show usage info\n"
+- "\t-l|--leaf=index Specify the leaf you want to check\n"
+- "\t-r|--raw Show raw cpuid data\n"
+- "\t-s|--subleaf=sub Specify the subleaf you want to check\n"
++ warnx("kcpuid [-abdfhr] [-l leaf] [-s subleaf]\n"
++ "\t-a|--all Show both bit flags and complex bit fields info\n"
++ "\t-b|--bitflags Show boolean flags only\n"
++ "\t-d|--detail Show details of the flag/fields (default)\n"
++ "\t-f|--flags Specify the CPUID CSV file\n"
++ "\t-h|--help Show usage info\n"
++ "\t-l|--leaf=index Specify the leaf you want to check\n"
++ "\t-r|--raw Show raw CPUID data\n"
++ "\t-s|--subleaf=sub Specify the subleaf you want to check"
+ );
+ }
+
+@@ -643,7 +642,7 @@ static int parse_options(int argc, char *argv[])
+ user_sub = strtoul(optarg, NULL, 0);
+ break;
+ default:
+- printf("%s: Invalid option '%c'\n", argv[0], optopt);
++ warnx("Invalid option '%c'", optopt);
+ return -1;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 71150ce72df7c24ca121652b2783213d2c5dd590 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 May 2025 10:53:07 -0400
+Subject: tracing: Fix error handling in event_trigger_parse()
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit c5dd28e7fb4f63475b50df4f58311df92939d011 ]
+
+According to trigger_data_alloc() doc, trigger_data_free() should be
+used to free an event_trigger_data object. This fixes a mismatch introduced
+when kzalloc was replaced with trigger_data_alloc without updating
+the corresponding deallocation calls.
+
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: Tom Zanussi <zanussi@kernel.org>
+Link: https://lore.kernel.org/20250507145455.944453325@goodmis.org
+Link: https://lore.kernel.org/20250318112737.4174-1-linmq006@gmail.com
+Fixes: e1f187d09e11 ("tracing: Have existing event_command.parse() implementations use helpers")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+[ SDR: Changed event_trigger_alloc/free() to trigger_data_alloc/free() ]
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace_events_trigger.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/trace/trace_events_trigger.c b/kernel/trace/trace_events_trigger.c
+index 4c92def8b1143..fe079ff82ef1b 100644
+--- a/kernel/trace/trace_events_trigger.c
++++ b/kernel/trace/trace_events_trigger.c
+@@ -1000,7 +1000,7 @@ event_trigger_parse(struct event_command *cmd_ops,
+
+ if (remove) {
+ event_trigger_unregister(cmd_ops, file, glob+1, trigger_data);
+- kfree(trigger_data);
++ trigger_data_free(trigger_data);
+ ret = 0;
+ goto out;
+ }
+@@ -1027,7 +1027,7 @@ event_trigger_parse(struct event_command *cmd_ops,
+
+ out_free:
+ event_trigger_reset_filter(cmd_ops, trigger_data);
+- kfree(trigger_data);
++ trigger_data_free(trigger_data);
+ goto out;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From df21b401b8097fec75257f8796899e6a4c82149a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Apr 2025 12:38:51 -0400
+Subject: tracing: Move histogram trigger variables from stack to per CPU
+ structure
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+[ Upstream commit 7ab0fc61ce73040f89b12d76a8279995ec283541 ]
+
+The histogram trigger has three somewhat large arrays on the kernel stack:
+
+ unsigned long entries[HIST_STACKTRACE_DEPTH];
+ u64 var_ref_vals[TRACING_MAP_VARS_MAX];
+ char compound_key[HIST_KEY_SIZE_MAX];
+
+Checking the function event_hist_trigger() stack frame size, it currently
+uses 816 bytes for its stack frame due to these variables!
+
+Instead, allocate a per CPU structure that holds these arrays for each
+context level (normal, softirq, irq and NMI). That is, each CPU will have
+4 of these structures. This will be allocated when the first histogram
+trigger is enabled and freed when the last is disabled. When the
+histogram callback triggers, it will request this structure. The request
+will disable preemption, get the per CPU structure at the index of the
+per CPU variable, and increment that variable.
+
+The callback will use the arrays in this structure to perform its work and
+then release the structure. That in turn will simply decrement the per CPU
+index and enable preemption.
+
+Moving the variables from the kernel stack to the per CPU structure brings
+the stack frame of event_hist_trigger() down to just 112 bytes.
+
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: Tom Zanussi <zanussi@kernel.org>
+Link: https://lore.kernel.org/20250407123851.74ea8d58@gandalf.local.home
+Fixes: 067fe038e70f6 ("tracing: Add variable reference handling to hist triggers")
+Reviewed-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace_events_hist.c | 120 +++++++++++++++++++++++++++----
+ 1 file changed, 105 insertions(+), 15 deletions(-)
+
+diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c
+index e6f9cbc622c75..29fcd8787344f 100644
+--- a/kernel/trace/trace_events_hist.c
++++ b/kernel/trace/trace_events_hist.c
+@@ -5257,17 +5257,94 @@ hist_trigger_actions(struct hist_trigger_data *hist_data,
+ }
+ }
+
++/*
++ * The hist_pad structure is used to save information to create
++ * a histogram from the histogram trigger. It's too big to store
++ * on the stack, so when the histogram trigger is initialized
++ * a percpu array of 4 hist_pad structures is allocated.
++ * This will cover every context from normal, softirq, irq and NMI
++ * in the very unlikely event that a tigger happens at each of
++ * these contexts and interrupts a currently active trigger.
++ */
++struct hist_pad {
++ unsigned long entries[HIST_STACKTRACE_DEPTH];
++ u64 var_ref_vals[TRACING_MAP_VARS_MAX];
++ char compound_key[HIST_KEY_SIZE_MAX];
++};
++
++static struct hist_pad __percpu *hist_pads;
++static DEFINE_PER_CPU(int, hist_pad_cnt);
++static refcount_t hist_pad_ref;
++
++/* One hist_pad for every context (normal, softirq, irq, NMI) */
++#define MAX_HIST_CNT 4
++
++static int alloc_hist_pad(void)
++{
++ lockdep_assert_held(&event_mutex);
++
++ if (refcount_read(&hist_pad_ref)) {
++ refcount_inc(&hist_pad_ref);
++ return 0;
++ }
++
++ hist_pads = __alloc_percpu(sizeof(struct hist_pad) * MAX_HIST_CNT,
++ __alignof__(struct hist_pad));
++ if (!hist_pads)
++ return -ENOMEM;
++
++ refcount_set(&hist_pad_ref, 1);
++ return 0;
++}
++
++static void free_hist_pad(void)
++{
++ lockdep_assert_held(&event_mutex);
++
++ if (!refcount_dec_and_test(&hist_pad_ref))
++ return;
++
++ free_percpu(hist_pads);
++ hist_pads = NULL;
++}
++
++static struct hist_pad *get_hist_pad(void)
++{
++ struct hist_pad *hist_pad;
++ int cnt;
++
++ if (WARN_ON_ONCE(!hist_pads))
++ return NULL;
++
++ preempt_disable();
++
++ hist_pad = per_cpu_ptr(hist_pads, smp_processor_id());
++
++ if (this_cpu_read(hist_pad_cnt) == MAX_HIST_CNT) {
++ preempt_enable();
++ return NULL;
++ }
++
++ cnt = this_cpu_inc_return(hist_pad_cnt) - 1;
++
++ return &hist_pad[cnt];
++}
++
++static void put_hist_pad(void)
++{
++ this_cpu_dec(hist_pad_cnt);
++ preempt_enable();
++}
++
+ static void event_hist_trigger(struct event_trigger_data *data,
+ struct trace_buffer *buffer, void *rec,
+ struct ring_buffer_event *rbe)
+ {
+ struct hist_trigger_data *hist_data = data->private_data;
+ bool use_compound_key = (hist_data->n_keys > 1);
+- unsigned long entries[HIST_STACKTRACE_DEPTH];
+- u64 var_ref_vals[TRACING_MAP_VARS_MAX];
+- char compound_key[HIST_KEY_SIZE_MAX];
+ struct tracing_map_elt *elt = NULL;
+ struct hist_field *key_field;
++ struct hist_pad *hist_pad;
+ u64 field_contents;
+ void *key = NULL;
+ unsigned int i;
+@@ -5275,12 +5352,18 @@ static void event_hist_trigger(struct event_trigger_data *data,
+ if (unlikely(!rbe))
+ return;
+
+- memset(compound_key, 0, hist_data->key_size);
++ hist_pad = get_hist_pad();
++ if (!hist_pad)
++ return;
++
++ memset(hist_pad->compound_key, 0, hist_data->key_size);
+
+ for_each_hist_key_field(i, hist_data) {
+ key_field = hist_data->fields[i];
+
+ if (key_field->flags & HIST_FIELD_FL_STACKTRACE) {
++ unsigned long *entries = hist_pad->entries;
++
+ memset(entries, 0, HIST_STACKTRACE_SIZE);
+ if (key_field->field) {
+ unsigned long *stack, n_entries;
+@@ -5304,26 +5387,31 @@ static void event_hist_trigger(struct event_trigger_data *data,
+ }
+
+ if (use_compound_key)
+- add_to_key(compound_key, key, key_field, rec);
++ add_to_key(hist_pad->compound_key, key, key_field, rec);
+ }
+
+ if (use_compound_key)
+- key = compound_key;
++ key = hist_pad->compound_key;
+
+ if (hist_data->n_var_refs &&
+- !resolve_var_refs(hist_data, key, var_ref_vals, false))
+- return;
++ !resolve_var_refs(hist_data, key, hist_pad->var_ref_vals, false))
++ goto out;
+
+ elt = tracing_map_insert(hist_data->map, key);
+ if (!elt)
+- return;
++ goto out;
+
+- hist_trigger_elt_update(hist_data, elt, buffer, rec, rbe, var_ref_vals);
++ hist_trigger_elt_update(hist_data, elt, buffer, rec, rbe, hist_pad->var_ref_vals);
+
+- if (resolve_var_refs(hist_data, key, var_ref_vals, true))
+- hist_trigger_actions(hist_data, elt, buffer, rec, rbe, key, var_ref_vals);
++ if (resolve_var_refs(hist_data, key, hist_pad->var_ref_vals, true)) {
++ hist_trigger_actions(hist_data, elt, buffer, rec, rbe,
++ key, hist_pad->var_ref_vals);
++ }
+
+ hist_poll_wakeup();
++
++ out:
++ put_hist_pad();
+ }
+
+ static void hist_trigger_stacktrace_print(struct seq_file *m,
+@@ -6168,6 +6256,9 @@ static int event_hist_trigger_init(struct event_trigger_data *data)
+ {
+ struct hist_trigger_data *hist_data = data->private_data;
+
++ if (alloc_hist_pad() < 0)
++ return -ENOMEM;
++
+ if (!data->ref && hist_data->attrs->name)
+ save_named_trigger(hist_data->attrs->name, data);
+
+@@ -6212,6 +6303,7 @@ static void event_hist_trigger_free(struct event_trigger_data *data)
+
+ destroy_hist_data(hist_data);
+ }
++ free_hist_pad();
+ }
+
+ static struct event_trigger_ops event_hist_trigger_ops = {
+@@ -6227,9 +6319,7 @@ static int event_hist_trigger_named_init(struct event_trigger_data *data)
+
+ save_named_trigger(data->named_data->name, data);
+
+- event_hist_trigger_init(data->named_data);
+-
+- return 0;
++ return event_hist_trigger_init(data->named_data);
+ }
+
+ static void event_hist_trigger_named_free(struct event_trigger_data *data)
+--
+2.39.5
+
--- /dev/null
+From 86b42761bb1ebbbf09cf66fcaae5380a40ca5a69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 May 2025 10:53:06 -0400
+Subject: tracing: Rename event_trigger_alloc() to trigger_data_alloc()
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+[ Upstream commit f2947c4b7d0f235621c5daf78aecfbd6e22c05e5 ]
+
+The function event_trigger_alloc() creates an event_trigger_data
+descriptor and states that it needs to be freed via event_trigger_free().
+This is incorrect, it needs to be freed by trigger_data_free() as
+event_trigger_free() adds ref counting.
+
+Rename event_trigger_alloc() to trigger_data_alloc() and state that it
+needs to be freed via trigger_data_free(). This naming convention
+was introducing bugs.
+
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Tom Zanussi <zanussi@kernel.org>
+Link: https://lore.kernel.org/20250507145455.776436410@goodmis.org
+Fixes: 86599dbe2c527 ("tracing: Add helper functions to simplify event_command.parse() callback handling")
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace.h | 8 +++-----
+ kernel/trace/trace_events_hist.c | 2 +-
+ kernel/trace/trace_events_trigger.c | 16 ++++++++--------
+ 3 files changed, 12 insertions(+), 14 deletions(-)
+
+diff --git a/kernel/trace/trace.h b/kernel/trace/trace.h
+index faf892aecdf49..e3afb830fbcc7 100644
+--- a/kernel/trace/trace.h
++++ b/kernel/trace/trace.h
+@@ -1643,6 +1643,9 @@ extern int event_enable_register_trigger(char *glob,
+ extern void event_enable_unregister_trigger(char *glob,
+ struct event_trigger_data *test,
+ struct trace_event_file *file);
++extern struct event_trigger_data *
++trigger_data_alloc(struct event_command *cmd_ops, char *cmd, char *param,
++ void *private_data);
+ extern void trigger_data_free(struct event_trigger_data *data);
+ extern int event_trigger_init(struct event_trigger_data *data);
+ extern int trace_event_trigger_enable_disable(struct trace_event_file *file,
+@@ -1669,11 +1672,6 @@ extern bool event_trigger_check_remove(const char *glob);
+ extern bool event_trigger_empty_param(const char *param);
+ extern int event_trigger_separate_filter(char *param_and_filter, char **param,
+ char **filter, bool param_required);
+-extern struct event_trigger_data *
+-event_trigger_alloc(struct event_command *cmd_ops,
+- char *cmd,
+- char *param,
+- void *private_data);
+ extern int event_trigger_parse_num(char *trigger,
+ struct event_trigger_data *trigger_data);
+ extern int event_trigger_set_filter(struct event_command *cmd_ops,
+diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c
+index 29fcd8787344f..88985aefb71ff 100644
+--- a/kernel/trace/trace_events_hist.c
++++ b/kernel/trace/trace_events_hist.c
+@@ -6806,7 +6806,7 @@ static int event_hist_trigger_parse(struct event_command *cmd_ops,
+ return PTR_ERR(hist_data);
+ }
+
+- trigger_data = event_trigger_alloc(cmd_ops, cmd, param, hist_data);
++ trigger_data = trigger_data_alloc(cmd_ops, cmd, param, hist_data);
+ if (!trigger_data) {
+ ret = -ENOMEM;
+ goto out_free;
+diff --git a/kernel/trace/trace_events_trigger.c b/kernel/trace/trace_events_trigger.c
+index 2c233c0d38fa9..4c92def8b1143 100644
+--- a/kernel/trace/trace_events_trigger.c
++++ b/kernel/trace/trace_events_trigger.c
+@@ -809,7 +809,7 @@ int event_trigger_separate_filter(char *param_and_filter, char **param,
+ }
+
+ /**
+- * event_trigger_alloc - allocate and init event_trigger_data for a trigger
++ * trigger_data_alloc - allocate and init event_trigger_data for a trigger
+ * @cmd_ops: The event_command operations for the trigger
+ * @cmd: The cmd string
+ * @param: The param string
+@@ -820,14 +820,14 @@ int event_trigger_separate_filter(char *param_and_filter, char **param,
+ * trigger_ops to assign to the event_trigger_data. @private_data can
+ * also be passed in and associated with the event_trigger_data.
+ *
+- * Use event_trigger_free() to free an event_trigger_data object.
++ * Use trigger_data_free() to free an event_trigger_data object.
+ *
+ * Return: The trigger_data object success, NULL otherwise
+ */
+-struct event_trigger_data *event_trigger_alloc(struct event_command *cmd_ops,
+- char *cmd,
+- char *param,
+- void *private_data)
++struct event_trigger_data *trigger_data_alloc(struct event_command *cmd_ops,
++ char *cmd,
++ char *param,
++ void *private_data)
+ {
+ struct event_trigger_data *trigger_data;
+ struct event_trigger_ops *trigger_ops;
+@@ -994,7 +994,7 @@ event_trigger_parse(struct event_command *cmd_ops,
+ return ret;
+
+ ret = -ENOMEM;
+- trigger_data = event_trigger_alloc(cmd_ops, cmd, param, file);
++ trigger_data = trigger_data_alloc(cmd_ops, cmd, param, file);
+ if (!trigger_data)
+ goto out;
+
+@@ -1787,7 +1787,7 @@ int event_enable_trigger_parse(struct event_command *cmd_ops,
+ enable_data->enable = enable;
+ enable_data->file = event_enable_file;
+
+- trigger_data = event_trigger_alloc(cmd_ops, cmd, param, enable_data);
++ trigger_data = trigger_data_alloc(cmd_ops, cmd, param, enable_data);
+ if (!trigger_data) {
+ kfree(enable_data);
+ goto out;
+--
+2.39.5
+
--- /dev/null
+From 80b465bb8c74b007f9a2af8a4b5f2866e8485baf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Apr 2025 11:50:02 +0100
+Subject: usb: renesas_usbhs: Reorder clock handling and power management in
+ probe
+
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+
+[ Upstream commit ffb34a60ce86656ba12d46e91f1ccc71dd221251 ]
+
+Reorder the initialization sequence in `usbhs_probe()` to enable runtime
+PM before accessing registers, preventing potential crashes due to
+uninitialized clocks.
+
+Currently, in the probe path, registers are accessed before enabling the
+clocks, leading to a synchronous external abort on the RZ/V2H SoC.
+The problematic call flow is as follows:
+
+ usbhs_probe()
+ usbhs_sys_clock_ctrl()
+ usbhs_bset()
+ usbhs_write()
+ iowrite16() <-- Register access before enabling clocks
+
+Since `iowrite16()` is performed without ensuring the required clocks are
+enabled, this can lead to access errors. To fix this, enable PM runtime
+early in the probe function and ensure clocks are acquired before register
+access, preventing crashes like the following on RZ/V2H:
+
+[13.272640] Internal error: synchronous external abort: 0000000096000010 [#1] PREEMPT SMP
+[13.280814] Modules linked in: cec renesas_usbhs(+) drm_kms_helper fuse drm backlight ipv6
+[13.289088] CPU: 1 UID: 0 PID: 195 Comm: (udev-worker) Not tainted 6.14.0-rc7+ #98
+[13.296640] Hardware name: Renesas RZ/V2H EVK Board based on r9a09g057h44 (DT)
+[13.303834] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[13.310770] pc : usbhs_bset+0x14/0x4c [renesas_usbhs]
+[13.315831] lr : usbhs_probe+0x2e4/0x5ac [renesas_usbhs]
+[13.321138] sp : ffff8000827e3850
+[13.324438] x29: ffff8000827e3860 x28: 0000000000000000 x27: ffff8000827e3ca0
+[13.331554] x26: ffff8000827e3ba0 x25: ffff800081729668 x24: 0000000000000025
+[13.338670] x23: ffff0000c0f08000 x22: 0000000000000000 x21: ffff0000c0f08010
+[13.345783] x20: 0000000000000000 x19: ffff0000c3b52080 x18: 00000000ffffffff
+[13.352895] x17: 0000000000000000 x16: 0000000000000000 x15: ffff8000827e36ce
+[13.360009] x14: 00000000000003d7 x13: 00000000000003d7 x12: 0000000000000000
+[13.367122] x11: 0000000000000000 x10: 0000000000000aa0 x9 : ffff8000827e3750
+[13.374235] x8 : ffff0000c1850b00 x7 : 0000000003826060 x6 : 000000000000001c
+[13.381347] x5 : 000000030d5fcc00 x4 : ffff8000825c0000 x3 : 0000000000000000
+[13.388459] x2 : 0000000000000400 x1 : 0000000000000000 x0 : ffff0000c3b52080
+[13.395574] Call trace:
+[13.398013] usbhs_bset+0x14/0x4c [renesas_usbhs] (P)
+[13.403076] platform_probe+0x68/0xdc
+[13.406738] really_probe+0xbc/0x2c0
+[13.410306] __driver_probe_device+0x78/0x120
+[13.414653] driver_probe_device+0x3c/0x154
+[13.418825] __driver_attach+0x90/0x1a0
+[13.422647] bus_for_each_dev+0x7c/0xe0
+[13.426470] driver_attach+0x24/0x30
+[13.430032] bus_add_driver+0xe4/0x208
+[13.433766] driver_register+0x68/0x130
+[13.437587] __platform_driver_register+0x24/0x30
+[13.442273] renesas_usbhs_driver_init+0x20/0x1000 [renesas_usbhs]
+[13.448450] do_one_initcall+0x60/0x1d4
+[13.452276] do_init_module+0x54/0x1f8
+[13.456014] load_module+0x1754/0x1c98
+[13.459750] init_module_from_file+0x88/0xcc
+[13.464004] __arm64_sys_finit_module+0x1c4/0x328
+[13.468689] invoke_syscall+0x48/0x104
+[13.472426] el0_svc_common.constprop.0+0xc0/0xe0
+[13.477113] do_el0_svc+0x1c/0x28
+[13.480415] el0_svc+0x30/0xcc
+[13.483460] el0t_64_sync_handler+0x10c/0x138
+[13.487800] el0t_64_sync+0x198/0x19c
+[13.491453] Code: 2a0103e1 12003c42 12003c63 8b010084 (79400084)
+[13.497522] ---[ end trace 0000000000000000 ]---
+
+Fixes: f1407d5c66240 ("usb: renesas_usbhs: Add Renesas USBHS common code")
+Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Tested-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Link: https://lore.kernel.org/r/20250407105002.107181-4-prabhakar.mahadev-lad.rj@bp.renesas.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/renesas_usbhs/common.c | 50 +++++++++++++++++++++++-------
+ 1 file changed, 38 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/usb/renesas_usbhs/common.c b/drivers/usb/renesas_usbhs/common.c
+index 205820544f6f9..b720899725e53 100644
+--- a/drivers/usb/renesas_usbhs/common.c
++++ b/drivers/usb/renesas_usbhs/common.c
+@@ -674,10 +674,29 @@ static int usbhs_probe(struct platform_device *pdev)
+ INIT_DELAYED_WORK(&priv->notify_hotplug_work, usbhsc_notify_hotplug);
+ spin_lock_init(usbhs_priv_to_lock(priv));
+
++ /*
++ * Acquire clocks and enable power management (PM) early in the
++ * probe process, as the driver accesses registers during
++ * initialization. Ensure the device is active before proceeding.
++ */
++ pm_runtime_enable(dev);
++
++ ret = usbhsc_clk_get(dev, priv);
++ if (ret)
++ goto probe_pm_disable;
++
++ ret = pm_runtime_resume_and_get(dev);
++ if (ret)
++ goto probe_clk_put;
++
++ ret = usbhsc_clk_prepare_enable(priv);
++ if (ret)
++ goto probe_pm_put;
++
+ /* call pipe and module init */
+ ret = usbhs_pipe_probe(priv);
+ if (ret < 0)
+- return ret;
++ goto probe_clk_dis_unprepare;
+
+ ret = usbhs_fifo_probe(priv);
+ if (ret < 0)
+@@ -694,10 +713,6 @@ static int usbhs_probe(struct platform_device *pdev)
+ if (ret)
+ goto probe_fail_rst;
+
+- ret = usbhsc_clk_get(dev, priv);
+- if (ret)
+- goto probe_fail_clks;
+-
+ /*
+ * deviece reset here because
+ * USB device might be used in boot loader.
+@@ -710,7 +725,7 @@ static int usbhs_probe(struct platform_device *pdev)
+ if (ret) {
+ dev_warn(dev, "USB function not selected (GPIO)\n");
+ ret = -ENOTSUPP;
+- goto probe_end_mod_exit;
++ goto probe_assert_rest;
+ }
+ }
+
+@@ -724,14 +739,19 @@ static int usbhs_probe(struct platform_device *pdev)
+ ret = usbhs_platform_call(priv, hardware_init, pdev);
+ if (ret < 0) {
+ dev_err(dev, "platform init failed.\n");
+- goto probe_end_mod_exit;
++ goto probe_assert_rest;
+ }
+
+ /* reset phy for connection */
+ usbhs_platform_call(priv, phy_reset, pdev);
+
+- /* power control */
+- pm_runtime_enable(dev);
++ /*
++ * Disable the clocks that were enabled earlier in the probe path,
++ * and let the driver handle the clocks beyond this point.
++ */
++ usbhsc_clk_disable_unprepare(priv);
++ pm_runtime_put(dev);
++
+ if (!usbhs_get_dparam(priv, runtime_pwctrl)) {
+ usbhsc_power_ctrl(priv, 1);
+ usbhs_mod_autonomy_mode(priv);
+@@ -748,9 +768,7 @@ static int usbhs_probe(struct platform_device *pdev)
+
+ return ret;
+
+-probe_end_mod_exit:
+- usbhsc_clk_put(priv);
+-probe_fail_clks:
++probe_assert_rest:
+ reset_control_assert(priv->rsts);
+ probe_fail_rst:
+ usbhs_mod_remove(priv);
+@@ -758,6 +776,14 @@ static int usbhs_probe(struct platform_device *pdev)
+ usbhs_fifo_remove(priv);
+ probe_end_pipe_exit:
+ usbhs_pipe_remove(priv);
++probe_clk_dis_unprepare:
++ usbhsc_clk_disable_unprepare(priv);
++probe_pm_put:
++ pm_runtime_put(dev);
++probe_clk_put:
++ usbhsc_clk_put(priv);
++probe_pm_disable:
++ pm_runtime_disable(dev);
+
+ dev_info(dev, "probe failed (%d)\n", ret);
+
+--
+2.39.5
+
--- /dev/null
+From 9cc1df8cad8528b476ab1dac0a1289ab0fcb1848 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Apr 2025 18:14:57 -0400
+Subject: Use thread-safe function pointer in libbpf_print
+
+From: Jonathan Wiepert <jonathan.wiepert@gmail.com>
+
+[ Upstream commit 91dbac4076537b464639953c055c460d2bdfc7ea ]
+
+This patch fixes a thread safety bug where libbpf_print uses the
+global variable storing the print function pointer rather than the local
+variable that had the print function set via __atomic_load_n.
+
+Fixes: f1cb927cdb62 ("libbpf: Ensure print callback usage is thread-safe")
+Signed-off-by: Jonathan Wiepert <jonathan.wiepert@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Mykyta Yatsenko <mykyta.yatsenko5@gmail.com>
+Link: https://lore.kernel.org/bpf/20250424221457.793068-1-jonathan.wiepert@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/libbpf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
+index 18e96375dc319..5dc2e55553358 100644
+--- a/tools/lib/bpf/libbpf.c
++++ b/tools/lib/bpf/libbpf.c
+@@ -246,7 +246,7 @@ void libbpf_print(enum libbpf_print_level level, const char *format, ...)
+ old_errno = errno;
+
+ va_start(args, format);
+- __libbpf_pr(level, format, args);
++ print_fn(level, format, args);
+ va_end(args);
+
+ errno = old_errno;
+--
+2.39.5
+
--- /dev/null
+From 7fad00847910df97eb70e4a673894cd3b6ce572d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 May 2025 11:46:47 +0800
+Subject: vfio/type1: Fix error unwind in migration dirty bitmap allocation
+
+From: Li RongQing <lirongqing@baidu.com>
+
+[ Upstream commit 4518e5a60c7fbf0cdff393c2681db39d77b4f87e ]
+
+When setting up dirty page tracking at the vfio IOMMU backend for
+device migration, if an error is encountered allocating a tracking
+bitmap, the unwind loop fails to free previously allocated tracking
+bitmaps. This occurs because the wrong loop index is used to
+generate the tracking object. This results in unintended memory
+usage for the life of the current DMA mappings where bitmaps were
+successfully allocated.
+
+Use the correct loop index to derive the tracking object for
+freeing during unwind.
+
+Fixes: d6a4c185660c ("vfio iommu: Implementation of ioctl for dirty pages tracking")
+Signed-off-by: Li RongQing <lirongqing@baidu.com>
+Link: https://lore.kernel.org/r/20250521034647.2877-1-lirongqing@baidu.com
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/vfio_iommu_type1.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
+index eacd6ec04de5a..5fe7aed3672ee 100644
+--- a/drivers/vfio/vfio_iommu_type1.c
++++ b/drivers/vfio/vfio_iommu_type1.c
+@@ -294,7 +294,7 @@ static int vfio_dma_bitmap_alloc_all(struct vfio_iommu *iommu, size_t pgsize)
+ struct rb_node *p;
+
+ for (p = rb_prev(n); p; p = rb_prev(p)) {
+- struct vfio_dma *dma = rb_entry(n,
++ struct vfio_dma *dma = rb_entry(p,
+ struct vfio_dma, node);
+
+ vfio_dma_bitmap_free(dma);
+--
+2.39.5
+
--- /dev/null
+From e0207e0b4950dcbea29c52f8cf67feab3192ceed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 May 2025 15:27:00 +0000
+Subject: vmxnet3: correctly report gso type for UDP tunnels
+
+From: Ronak Doshi <ronak.doshi@broadcom.com>
+
+[ Upstream commit 982d30c30eaa2ec723df42e3bf526c014c1dbb88 ]
+
+Commit 3d010c8031e3 ("udp: do not accept non-tunnel GSO skbs landing
+in a tunnel") added checks in linux stack to not accept non-tunnel
+GRO packets landing in a tunnel. This exposed an issue in vmxnet3
+which was not correctly reporting GRO packets for tunnel packets.
+
+This patch fixes this issue by setting correct GSO type for the
+tunnel packets.
+
+Currently, vmxnet3 does not support reporting inner fields for LRO
+tunnel packets. The issue is not seen for egress drivers that do not
+use skb inner fields. The workaround is to enable tnl-segmentation
+offload on the egress interfaces if the driver supports it. This
+problem pre-exists this patch fix and can be addressed as a separate
+future patch.
+
+Fixes: dacce2be3312 ("vmxnet3: add geneve and vxlan tunnel offload support")
+Signed-off-by: Ronak Doshi <ronak.doshi@broadcom.com>
+Acked-by: Guolin Yang <guolin.yang@broadcom.com>
+Link: https://patch.msgid.link/20250530152701.70354-1-ronak.doshi@broadcom.com
+[pabeni@redhat.com: dropped the changelog]
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vmxnet3/vmxnet3_drv.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c
+index beebe09eb88ff..afd78324f3aa3 100644
+--- a/drivers/net/vmxnet3/vmxnet3_drv.c
++++ b/drivers/net/vmxnet3/vmxnet3_drv.c
+@@ -1499,6 +1499,30 @@ vmxnet3_get_hdr_len(struct vmxnet3_adapter *adapter, struct sk_buff *skb,
+ return (hlen + (hdr.tcp->doff << 2));
+ }
+
++static void
++vmxnet3_lro_tunnel(struct sk_buff *skb, __be16 ip_proto)
++{
++ struct udphdr *uh = NULL;
++
++ if (ip_proto == htons(ETH_P_IP)) {
++ struct iphdr *iph = (struct iphdr *)skb->data;
++
++ if (iph->protocol == IPPROTO_UDP)
++ uh = (struct udphdr *)(iph + 1);
++ } else {
++ struct ipv6hdr *iph = (struct ipv6hdr *)skb->data;
++
++ if (iph->nexthdr == IPPROTO_UDP)
++ uh = (struct udphdr *)(iph + 1);
++ }
++ if (uh) {
++ if (uh->check)
++ skb_shinfo(skb)->gso_type |= SKB_GSO_UDP_TUNNEL_CSUM;
++ else
++ skb_shinfo(skb)->gso_type |= SKB_GSO_UDP_TUNNEL;
++ }
++}
++
+ static int
+ vmxnet3_rq_rx_complete(struct vmxnet3_rx_queue *rq,
+ struct vmxnet3_adapter *adapter, int quota)
+@@ -1803,6 +1827,8 @@ vmxnet3_rq_rx_complete(struct vmxnet3_rx_queue *rq,
+ if (segCnt != 0 && mss != 0) {
+ skb_shinfo(skb)->gso_type = rcd->v4 ?
+ SKB_GSO_TCPV4 : SKB_GSO_TCPV6;
++ if (encap_lro)
++ vmxnet3_lro_tunnel(skb, skb->protocol);
+ skb_shinfo(skb)->gso_size = mss;
+ skb_shinfo(skb)->gso_segs = segCnt;
+ } else if ((segCnt != 0 || skb->len > mtu) && !encap_lro) {
+--
+2.39.5
+
--- /dev/null
+From c049bae306e029da511a32e736477bfa917cfe39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 May 2025 11:30:52 -0400
+Subject: vt: remove VT_RESIZE and VT_RESIZEX from vt_compat_ioctl()
+
+From: Nicolas Pitre <npitre@baylibre.com>
+
+[ Upstream commit c4c7ead7b86c1e7f11c64915b7e5bb6d2e242691 ]
+
+They are listed amon those cmd values that "treat 'arg' as an integer"
+which is wrong. They should instead fall into the default case. Probably
+nobody ever relied on that code since 2009 but still.
+
+Fixes: e92166517e3c ("tty: handle VT specific compat ioctls in vt driver")
+Signed-off-by: Nicolas Pitre <npitre@baylibre.com>
+Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
+Link: https://lore.kernel.org/r/pr214s15-36r8-6732-2pop-159nq85o48r7@syhkavp.arg
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/vt/vt_ioctl.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/tty/vt/vt_ioctl.c b/drivers/tty/vt/vt_ioctl.c
+index 8c685b5014044..5b21b60547da1 100644
+--- a/drivers/tty/vt/vt_ioctl.c
++++ b/drivers/tty/vt/vt_ioctl.c
+@@ -1105,8 +1105,6 @@ long vt_compat_ioctl(struct tty_struct *tty,
+ case VT_WAITACTIVE:
+ case VT_RELDISP:
+ case VT_DISALLOCATE:
+- case VT_RESIZE:
+- case VT_RESIZEX:
+ return vt_ioctl(tty, cmd, arg);
+
+ /*
+--
+2.39.5
+
--- /dev/null
+From b20317f0c6d46a3cc9cae96647a3db2f8befe4ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Apr 2025 15:52:49 -0700
+Subject: watchdog: exar: Shorten identity name to fit correctly
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit 8e28276a569addb8a2324439ae473848ee52b056 ]
+
+The static initializer for struct watchdog_info::identity is too long
+and gets initialized without a trailing NUL byte. Since the length
+of "identity" is part of UAPI and tied to ioctls, just shorten
+the name of the device. Avoids the warning seen with GCC 15's
+-Wunterminated-string-initialization option:
+
+drivers/watchdog/exar_wdt.c:224:27: warning: initializer-string for array of 'unsigned char' truncates NUL terminator but destination lacks 'nonstring' attribute (33 chars into 32 available) [-Wunterminated-string-initialization]
+ 224 | .identity = "Exar/MaxLinear XR28V38x Watchdog",
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Fixes: 81126222bd3a ("watchdog: Exar/MaxLinear XR28V38x driver")
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20250415225246.work.458-kees@kernel.org
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/watchdog/exar_wdt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/watchdog/exar_wdt.c b/drivers/watchdog/exar_wdt.c
+index 7c61ff3432711..c2e3bb08df899 100644
+--- a/drivers/watchdog/exar_wdt.c
++++ b/drivers/watchdog/exar_wdt.c
+@@ -221,7 +221,7 @@ static const struct watchdog_info exar_wdt_info = {
+ .options = WDIOF_KEEPALIVEPING |
+ WDIOF_SETTIMEOUT |
+ WDIOF_MAGICCLOSE,
+- .identity = "Exar/MaxLinear XR28V38x Watchdog",
++ .identity = "Exar XR28V38x Watchdog",
+ };
+
+ static const struct watchdog_ops exar_wdt_ops = {
+--
+2.39.5
+
--- /dev/null
+From 051e0b365a93f61c91fb4c7683555243a795c62b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Mar 2025 13:31:45 +0800
+Subject: wifi: ath11k: fix node corruption in ar->arvifs list
+
+From: Stone Zhang <quic_stonez@quicinc.com>
+
+[ Upstream commit 31e98e277ae47f56632e4d663b1d4fd12ba33ea8 ]
+
+In current WLAN recovery code flow, ath11k_core_halt() only
+reinitializes the "arvifs" list head. This will cause the
+list node immediately following the list head to become an
+invalid list node. Because the prev of that node still points
+to the list head "arvifs", but the next of the list head "arvifs"
+no longer points to that list node.
+
+When a WLAN recovery occurs during the execution of a vif
+removal, and it happens before the spin_lock_bh(&ar->data_lock)
+in ath11k_mac_op_remove_interface(), list_del() will detect the
+previously mentioned situation, thereby triggering a kernel panic.
+
+The fix is to remove and reinitialize all vif list nodes from the
+list head "arvifs" during WLAN halt. The reinitialization is to make
+the list nodes valid, ensuring that the list_del() in
+ath11k_mac_op_remove_interface() can execute normally.
+
+Call trace:
+__list_del_entry_valid_or_report+0xb8/0xd0
+ath11k_mac_op_remove_interface+0xb0/0x27c [ath11k]
+drv_remove_interface+0x48/0x194 [mac80211]
+ieee80211_do_stop+0x6e0/0x844 [mac80211]
+ieee80211_stop+0x44/0x17c [mac80211]
+__dev_close_many+0xac/0x150
+__dev_change_flags+0x194/0x234
+dev_change_flags+0x24/0x6c
+devinet_ioctl+0x3a0/0x670
+inet_ioctl+0x200/0x248
+sock_do_ioctl+0x60/0x118
+sock_ioctl+0x274/0x35c
+__arm64_sys_ioctl+0xac/0xf0
+invoke_syscall+0x48/0x114
+...
+
+Tested-on: QCA6698AQ hw2.1 PCI WLAN.HSP.1.1-04591-QCAHSPSWPL_V1_V2_SILICONZ_IOE-1
+
+Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
+Signed-off-by: Stone Zhang <quic_stonez@quicinc.com>
+Link: https://patch.msgid.link/20250320053145.3445187-1-quic_stonez@quicinc.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/core.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c
+index fc7c4564a715c..f9870ba651d8f 100644
+--- a/drivers/net/wireless/ath/ath11k/core.c
++++ b/drivers/net/wireless/ath/ath11k/core.c
+@@ -1742,6 +1742,7 @@ static int ath11k_core_reconfigure_on_crash(struct ath11k_base *ab)
+ void ath11k_core_halt(struct ath11k *ar)
+ {
+ struct ath11k_base *ab = ar->ab;
++ struct list_head *pos, *n;
+
+ lockdep_assert_held(&ar->conf_mutex);
+
+@@ -1756,7 +1757,12 @@ void ath11k_core_halt(struct ath11k *ar)
+
+ rcu_assign_pointer(ab->pdevs_active[ar->pdev_idx], NULL);
+ synchronize_rcu();
+- INIT_LIST_HEAD(&ar->arvifs);
++
++ spin_lock_bh(&ar->data_lock);
++ list_for_each_safe(pos, n, &ar->arvifs)
++ list_del_init(pos);
++ spin_unlock_bh(&ar->data_lock);
++
+ idr_init(&ar->txmgmt_idr);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From d44115a41007951c79d916e4a4c62810108d8062 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Apr 2025 07:49:03 +0530
+Subject: wifi: ath12k: Add MSDU length validation for TKIP MIC error
+
+From: P Praneesh <quic_ppranees@quicinc.com>
+
+[ Upstream commit 763216fe6c5df95d122c71ef34c342427c987820 ]
+
+In the WBM error path, while processing TKIP MIC errors, MSDU length
+is fetched from the hal_rx_desc's msdu_end. This MSDU length is
+directly passed to skb_put() without validation. In stress test
+scenarios, the WBM error ring may receive invalid descriptors, which
+could lead to an invalid MSDU length.
+
+To fix this, add a check to drop the skb when the calculated MSDU
+length is greater than the skb size.
+
+Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1
+Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3
+
+Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices")
+Signed-off-by: P Praneesh <quic_ppranees@quicinc.com>
+Signed-off-by: Nithyanantham Paramasivam <nithyanantham.paramasivam@oss.qualcomm.com>
+Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250416021903.3178962-1-nithyanantham.paramasivam@oss.qualcomm.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath12k/dp_rx.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath12k/dp_rx.c b/drivers/net/wireless/ath/ath12k/dp_rx.c
+index 8d9315038a75e..56dda76d066c3 100644
+--- a/drivers/net/wireless/ath/ath12k/dp_rx.c
++++ b/drivers/net/wireless/ath/ath12k/dp_rx.c
+@@ -3683,6 +3683,15 @@ static bool ath12k_dp_rx_h_tkip_mic_err(struct ath12k *ar, struct sk_buff *msdu,
+
+ l3pad_bytes = ath12k_dp_rx_h_l3pad(ab, desc);
+ msdu_len = ath12k_dp_rx_h_msdu_len(ab, desc);
++
++ if ((hal_rx_desc_sz + l3pad_bytes + msdu_len) > DP_RX_BUFFER_SIZE) {
++ ath12k_dbg(ab, ATH12K_DBG_DATA,
++ "invalid msdu len in tkip mic err %u\n", msdu_len);
++ ath12k_dbg_dump(ab, ATH12K_DBG_DATA, NULL, "", desc,
++ sizeof(*desc));
++ return true;
++ }
++
+ skb_put(msdu, hal_rx_desc_sz + l3pad_bytes + msdu_len);
+ skb_pull(msdu, hal_rx_desc_sz + l3pad_bytes);
+
+--
+2.39.5
+
--- /dev/null
+From 53a5b6fec4e1c633e974acbf41af485aceb705d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Apr 2025 10:25:38 +0530
+Subject: wifi: ath12k: fix memory leak in ath12k_service_ready_ext_event
+
+From: Rajat Soni <quic_rajson@quicinc.com>
+
+[ Upstream commit 89142d34d5602c7447827beb181fa06eb08b9d5c ]
+
+Currently, in ath12k_service_ready_ext_event(), svc_rdy_ext.mac_phy_caps
+is not freed in the failure case, causing a memory leak. The following
+trace is observed in kmemleak:
+
+unreferenced object 0xffff8b3eb5789c00 (size 1024):
+ comm "softirq", pid 0, jiffies 4294942577
+ hex dump (first 32 bytes):
+ 00 00 00 00 01 00 00 00 00 00 00 00 7b 00 00 10 ............{...
+ 01 00 00 00 00 00 00 00 01 00 00 00 1f 38 00 00 .............8..
+ backtrace (crc 44e1c357):
+ __kmalloc_noprof+0x30b/0x410
+ ath12k_wmi_mac_phy_caps_parse+0x84/0x100 [ath12k]
+ ath12k_wmi_tlv_iter+0x5e/0x140 [ath12k]
+ ath12k_wmi_svc_rdy_ext_parse+0x308/0x4c0 [ath12k]
+ ath12k_wmi_tlv_iter+0x5e/0x140 [ath12k]
+ ath12k_service_ready_ext_event.isra.0+0x44/0xd0 [ath12k]
+ ath12k_wmi_op_rx+0x2eb/0xd70 [ath12k]
+ ath12k_htc_rx_completion_handler+0x1f4/0x330 [ath12k]
+ ath12k_ce_recv_process_cb+0x218/0x300 [ath12k]
+ ath12k_pci_ce_workqueue+0x1b/0x30 [ath12k]
+ process_one_work+0x219/0x680
+ bh_worker+0x198/0x1f0
+ tasklet_action+0x13/0x30
+ handle_softirqs+0xca/0x460
+ __irq_exit_rcu+0xbe/0x110
+ irq_exit_rcu+0x9/0x30
+
+Free svc_rdy_ext.mac_phy_caps in the error case to fix this memory leak.
+
+Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
+
+Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices")
+Signed-off-by: Rajat Soni <quic_rajson@quicinc.com>
+Signed-off-by: Raj Kumar Bhagat <quic_rajkbhag@quicinc.com>
+Link: https://patch.msgid.link/20250430-wmi-mem-leak-v1-1-fcc9b49c2ddc@quicinc.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath12k/wmi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c
+index a96bf261a3f75..a0ac2f350934f 100644
+--- a/drivers/net/wireless/ath/ath12k/wmi.c
++++ b/drivers/net/wireless/ath/ath12k/wmi.c
+@@ -4128,6 +4128,7 @@ static int ath12k_service_ready_ext_event(struct ath12k_base *ab,
+ return 0;
+
+ err:
++ kfree(svc_rdy_ext.mac_phy_caps);
+ ath12k_wmi_free_dbring_caps(ab);
+ return ret;
+ }
+--
+2.39.5
+
--- /dev/null
+From f2493050f86f165fd33b7b45957970c1e0bb4967 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Apr 2025 07:47:24 +0530
+Subject: wifi: ath12k: fix node corruption in ar->arvifs list
+
+From: Maharaja Kennadyrajan <maharaja.kennadyrajan@oss.qualcomm.com>
+
+[ Upstream commit 823435bd23108d6f8be89ea2d025c0e2e3769c51 ]
+
+In current WLAN recovery code flow, ath12k_core_halt() only reinitializes
+the "arvifs" list head. This will cause the list node immediately following
+the list head to become an invalid list node. Because the prev of that node
+still points to the list head "arvifs", but the next of the list head
+"arvifs" no longer points to that list node.
+
+When a WLAN recovery occurs during the execution of a vif removal, and it
+happens before the spin_lock_bh(&ar->data_lock) in
+ath12k_mac_vdev_delete(), list_del() will detect the previously mentioned
+situation, thereby triggering a kernel panic.
+
+The fix is to remove and reinitialize all vif list nodes from the list head
+"arvifs" during WLAN halt. The reinitialization is to make the list nodes
+valid, ensuring that the list_del() in ath12k_mac_vdev_delete() can execute
+normally.
+
+Call trace:
+__list_del_entry_valid_or_report+0xd4/0x100 (P)
+ath12k_mac_remove_link_interface.isra.0+0xf8/0x2e4 [ath12k]
+ath12k_scan_vdev_clean_work+0x40/0x164 [ath12k]
+cfg80211_wiphy_work+0xfc/0x100
+process_one_work+0x164/0x2d0
+worker_thread+0x254/0x380
+kthread+0xfc/0x100
+ret_from_fork+0x10/0x20
+
+The change is mostly copied from the ath11k patch:
+https://lore.kernel.org/all/20250320053145.3445187-1-quic_stonez@quicinc.com/
+
+Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
+
+Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices")
+Signed-off-by: Maharaja Kennadyrajan <maharaja.kennadyrajan@oss.qualcomm.com>
+Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250416021724.2162519-1-maharaja.kennadyrajan@oss.qualcomm.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath12k/core.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath12k/core.c b/drivers/net/wireless/ath/ath12k/core.c
+index 3df8059d55129..1b07a183aaedc 100644
+--- a/drivers/net/wireless/ath/ath12k/core.c
++++ b/drivers/net/wireless/ath/ath12k/core.c
+@@ -657,6 +657,7 @@ static int ath12k_core_reconfigure_on_crash(struct ath12k_base *ab)
+
+ void ath12k_core_halt(struct ath12k *ar)
+ {
++ struct list_head *pos, *n;
+ struct ath12k_base *ab = ar->ab;
+
+ lockdep_assert_held(&ar->conf_mutex);
+@@ -671,7 +672,12 @@ void ath12k_core_halt(struct ath12k *ar)
+
+ rcu_assign_pointer(ab->pdevs_active[ar->pdev_idx], NULL);
+ synchronize_rcu();
+- INIT_LIST_HEAD(&ar->arvifs);
++
++ spin_lock_bh(&ar->data_lock);
++ list_for_each_safe(pos, n, &ar->arvifs)
++ list_del_init(pos);
++ spin_unlock_bh(&ar->data_lock);
++
+ idr_init(&ar->txmgmt_idr);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 5305f31cf0c0d933355a5fd12101351f2ea3d288 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Apr 2025 20:53:41 +0530
+Subject: wifi: ath12k: Fix WMI tag for EHT rate in peer assoc
+
+From: Ramya Gnanasekar <ramya.gnanasekar@oss.qualcomm.com>
+
+[ Upstream commit 1a0e65750b55d2cf5de4a9bf7d6d55718784bdb7 ]
+
+Incorrect WMI tag is used for EHT rate update from host to firmware
+while encoding peer assoc WMI.
+
+Correct the WMI tag used for EHT rate update from WMI_TAG_HE_RATE_SET
+to the proper tag. This ensures firmware does not mistakenly update HE rate during parsing.
+
+Found during code review. Compile tested only.
+
+Fixes: 5b70ec6036c1 ("wifi: ath12k: add WMI support for EHT peer")
+Signed-off-by: Ramya Gnanasekar <ramya.gnanasekar@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250409152341.944628-1-ramya.gnanasekar@oss.qualcomm.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath12k/wmi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c
+index d87d5980325e8..a96bf261a3f75 100644
+--- a/drivers/net/wireless/ath/ath12k/wmi.c
++++ b/drivers/net/wireless/ath/ath12k/wmi.c
+@@ -2066,7 +2066,7 @@ int ath12k_wmi_send_peer_assoc_cmd(struct ath12k *ar,
+
+ for (i = 0; i < arg->peer_eht_mcs_count; i++) {
+ eht_mcs = ptr;
+- eht_mcs->tlv_header = ath12k_wmi_tlv_cmd_hdr(WMI_TAG_HE_RATE_SET,
++ eht_mcs->tlv_header = ath12k_wmi_tlv_cmd_hdr(WMI_TAG_EHT_RATE_SET,
+ sizeof(*eht_mcs));
+
+ eht_mcs->rx_mcs_set = cpu_to_le32(arg->peer_eht_rx_mcs_set[i]);
+--
+2.39.5
+
--- /dev/null
+From ecd2ac0808ce355b2fc29914600a0a24ff3be573 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Apr 2025 13:22:16 +0200
+Subject: wifi: ath9k_htc: Abort software beacon handling if disabled
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Toke Høiland-Jørgensen <toke@toke.dk>
+
+[ Upstream commit ac4e317a95a1092b5da5b9918b7118759342641c ]
+
+A malicious USB device can send a WMI_SWBA_EVENTID event from an
+ath9k_htc-managed device before beaconing has been enabled. This causes
+a device-by-zero error in the driver, leading to either a crash or an
+out of bounds read.
+
+Prevent this by aborting the handling in ath9k_htc_swba() if beacons are
+not enabled.
+
+Reported-by: Robert Morris <rtm@csail.mit.edu>
+Closes: https://lore.kernel.org/r/88967.1743099372@localhost
+Fixes: 832f6a18fc2a ("ath9k_htc: Add beacon slots")
+Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Link: https://patch.msgid.link/20250402112217.58533-1-toke@toke.dk
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/htc_drv_beacon.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c b/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c
+index 533471e694007..18c7654bc539d 100644
+--- a/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c
++++ b/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c
+@@ -290,6 +290,9 @@ void ath9k_htc_swba(struct ath9k_htc_priv *priv,
+ struct ath_common *common = ath9k_hw_common(priv->ah);
+ int slot;
+
++ if (!priv->cur_beacon_conf.enable_beacon)
++ return;
++
+ if (swba->beacon_pending != 0) {
+ priv->beacon.bmisscnt++;
+ if (priv->beacon.bmisscnt > BSTUCK_THRESHOLD) {
+--
+2.39.5
+
--- /dev/null
+From df786bea6142338b4650f9eb6e8621c14b22711f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Apr 2025 14:19:00 +0800
+Subject: wifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init()
+
+From: Henry Martin <bsdhenrymartin@gmail.com>
+
+[ Upstream commit efb95439c1477bbc955cacd0179c35e7861b437c ]
+
+devm_ioremap() returns NULL on error. Currently, mt7915_mmio_wed_init()
+does not check for this case, which results in a NULL pointer
+dereference.
+
+Prevent null pointer dereference in mt7915_mmio_wed_init().
+
+Fixes: 4f831d18d12d ("wifi: mt76: mt7915: enable WED RX support")
+Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
+Link: https://patch.msgid.link/20250407061900.85317-1-bsdhenrymartin@gmail.com
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7915/mmio.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mmio.c b/drivers/net/wireless/mediatek/mt76/mt7915/mmio.c
+index 7db436d908a39..f4850c6daeb72 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7915/mmio.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7915/mmio.c
+@@ -755,6 +755,9 @@ int mt7915_mmio_wed_init(struct mt7915_dev *dev, void *pdev_ptr,
+ wed->wlan.base = devm_ioremap(dev->mt76.dev,
+ pci_resource_start(pci_dev, 0),
+ pci_resource_len(pci_dev, 0));
++ if (!wed->wlan.base)
++ return -ENOMEM;
++
+ wed->wlan.phy_base = pci_resource_start(pci_dev, 0);
+ wed->wlan.wpdma_int = pci_resource_start(pci_dev, 0) +
+ MT_INT_WED_SOURCE_CSR;
+@@ -782,6 +785,9 @@ int mt7915_mmio_wed_init(struct mt7915_dev *dev, void *pdev_ptr,
+ wed->wlan.bus_type = MTK_WED_BUS_AXI;
+ wed->wlan.base = devm_ioremap(dev->mt76.dev, res->start,
+ resource_size(res));
++ if (!wed->wlan.base)
++ return -ENOMEM;
++
+ wed->wlan.phy_base = res->start;
+ wed->wlan.wpdma_int = res->start + MT_INT_SOURCE_CSR;
+ wed->wlan.wpdma_mask = res->start + MT_INT_MASK_CSR;
+--
+2.39.5
+
--- /dev/null
+From 1b57c22973cadeb8f21c871d21dec0cd896b7b54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 May 2025 11:29:50 +0800
+Subject: wifi: mt76: mt7996: fix RX buffer size of MCU event
+
+From: Shayne Chen <shayne.chen@mediatek.com>
+
+[ Upstream commit 42cb27af34de4acf680606fad2c1f2932110591f ]
+
+Some management frames are first processed by the firmware and then
+passed to the driver through the MCU event rings. In CONNAC3, event rings
+do not support scatter-gather and have a size limitation of 2048 bytes.
+If a packet sized between 1728 and 2048 bytes arrives from an event ring,
+the ring will hang because the driver attempts to use scatter-gather to
+process it.
+
+To fix this, include the size of struct skb_shared_info in the MCU RX
+buffer size to prevent scatter-gather from being used for event skb in
+mt76_dma_rx_fill_buf().
+
+Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices")
+Co-developed-by: Peter Chiu <chui-hao.chiu@mediatek.com>
+Signed-off-by: Peter Chiu <chui-hao.chiu@mediatek.com>
+Signed-off-by: Shayne Chen <shayne.chen@mediatek.com>
+Link: https://patch.msgid.link/20250515032952.1653494-7-shayne.chen@mediatek.com
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7996/dma.c | 4 ++--
+ drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h | 3 +++
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/dma.c b/drivers/net/wireless/mediatek/mt76/mt7996/dma.c
+index 586e247a1e064..04c9fd0e6b002 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7996/dma.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/dma.c
+@@ -300,7 +300,7 @@ int mt7996_dma_init(struct mt7996_dev *dev)
+ ret = mt76_queue_alloc(dev, &dev->mt76.q_rx[MT_RXQ_MCU],
+ MT_RXQ_ID(MT_RXQ_MCU),
+ MT7996_RX_MCU_RING_SIZE,
+- MT_RX_BUF_SIZE,
++ MT7996_RX_MCU_BUF_SIZE,
+ MT_RXQ_RING_BASE(MT_RXQ_MCU));
+ if (ret)
+ return ret;
+@@ -309,7 +309,7 @@ int mt7996_dma_init(struct mt7996_dev *dev)
+ ret = mt76_queue_alloc(dev, &dev->mt76.q_rx[MT_RXQ_MCU_WA],
+ MT_RXQ_ID(MT_RXQ_MCU_WA),
+ MT7996_RX_MCU_RING_SIZE_WA,
+- MT_RX_BUF_SIZE,
++ MT7996_RX_MCU_BUF_SIZE,
+ MT_RXQ_RING_BASE(MT_RXQ_MCU_WA));
+ if (ret)
+ return ret;
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h b/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h
+index 25bb365612314..7d2074e2b635e 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h
+@@ -27,6 +27,9 @@
+ #define MT7996_RX_RING_SIZE 1536
+ #define MT7996_RX_MCU_RING_SIZE 512
+ #define MT7996_RX_MCU_RING_SIZE_WA 1024
++/* scatter-gather of mcu event is not supported in connac3 */
++#define MT7996_RX_MCU_BUF_SIZE (2048 + \
++ SKB_DATA_ALIGN(sizeof(struct skb_shared_info)))
+
+ #define MT7996_FIRMWARE_WA "mediatek/mt7996/mt7996_wa.bin"
+ #define MT7996_FIRMWARE_WM "mediatek/mt7996/mt7996_wm.bin"
+--
+2.39.5
+
--- /dev/null
+From 1ea1fe1230e4dd5db2b46e0e9a875bf5cea60212 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 May 2025 11:29:46 +0800
+Subject: wifi: mt76: mt7996: set EHT max ampdu length capability
+
+From: Peter Chiu <chui-hao.chiu@mediatek.com>
+
+[ Upstream commit 8b2f574845e33d02e7fbad2d3192a8b717567afa ]
+
+Set the max AMPDU length in the EHT MAC CAP. Without this patch, the
+peer station cannot obtain the correct capability, which prevents
+achieving peak throughput on the 2 GHz band.
+
+Fixes: 1816ad9381e0 ("wifi: mt76: mt7996: add max mpdu len capability")
+Signed-off-by: Peter Chiu <chui-hao.chiu@mediatek.com>
+Signed-off-by: Shayne Chen <shayne.chen@mediatek.com>
+Link: https://patch.msgid.link/20250515032952.1653494-3-shayne.chen@mediatek.com
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7996/init.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/init.c b/drivers/net/wireless/mediatek/mt76/mt7996/init.c
+index 0a701dcb8a92c..375a3d6f4b384 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7996/init.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/init.c
+@@ -735,6 +735,9 @@ mt7996_init_eht_caps(struct mt7996_phy *phy, enum nl80211_band band,
+ u8_encode_bits(IEEE80211_EHT_MAC_CAP0_MAX_MPDU_LEN_11454,
+ IEEE80211_EHT_MAC_CAP0_MAX_MPDU_LEN_MASK);
+
++ eht_cap_elem->mac_cap_info[1] |=
++ IEEE80211_EHT_MAC_CAP1_MAX_AMPDU_LEN_MASK;
++
+ eht_cap_elem->phy_cap_info[0] =
+ IEEE80211_EHT_PHY_CAP0_NDP_4_EHT_LFT_32_GI |
+ IEEE80211_EHT_PHY_CAP0_SU_BEAMFORMER |
+--
+2.39.5
+
--- /dev/null
+From 363f3308982ede82833bb305904e81839658a5c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Apr 2025 12:07:20 +0300
+Subject: wifi: rtw88: do not ignore hardware read error during DPK
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit 20d3c19bd8f9b498173c198eadf54580c8caa336 ]
+
+In 'rtw8822c_dpk_cal_coef1()', do not ignore error returned
+by 'check_hw_ready()' but issue a warning to denote possible
+DPK issue. Compile tested only.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 5227c2ee453d ("rtw88: 8822c: add SW DPK support")
+Suggested-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20250415090720.194048-1-dmantipov@yandex.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw88/rtw8822c.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtw88/rtw8822c.c b/drivers/net/wireless/realtek/rtw88/rtw8822c.c
+index 3fe5c70ce731b..f9b2527fbeee5 100644
+--- a/drivers/net/wireless/realtek/rtw88/rtw8822c.c
++++ b/drivers/net/wireless/realtek/rtw88/rtw8822c.c
+@@ -3991,7 +3991,8 @@ static void rtw8822c_dpk_cal_coef1(struct rtw_dev *rtwdev)
+ rtw_write32(rtwdev, REG_NCTL0, 0x00001148);
+ rtw_write32(rtwdev, REG_NCTL0, 0x00001149);
+
+- check_hw_ready(rtwdev, 0x2d9c, MASKBYTE0, 0x55);
++ if (!check_hw_ready(rtwdev, 0x2d9c, MASKBYTE0, 0x55))
++ rtw_warn(rtwdev, "DPK stuck, performance may be suboptimal");
+
+ rtw_write8(rtwdev, 0x1b10, 0x0);
+ rtw_write32_mask(rtwdev, REG_NCTL0, BIT_SUBPAGE, 0x0000000c);
+--
+2.39.5
+
--- /dev/null
+From 7f86254326233c9578b4f9e41e872c72ac29e386 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 May 2025 12:13:04 +0000
+Subject: wifi: rtw88: fix the 'para' buffer size to avoid reading out of
+ bounds
+
+From: Alexey Kodanev <aleksei.kodanev@bell-sw.com>
+
+[ Upstream commit 4c2c372de2e108319236203cce6de44d70ae15cd ]
+
+Set the size to 6 instead of 2, since 'para' array is passed to
+'rtw_fw_bt_wifi_control(rtwdev, para[0], ¶[1])', which reads
+5 bytes:
+
+void rtw_fw_bt_wifi_control(struct rtw_dev *rtwdev, u8 op_code, u8 *data)
+{
+ ...
+ SET_BT_WIFI_CONTROL_DATA1(h2c_pkt, *data);
+ SET_BT_WIFI_CONTROL_DATA2(h2c_pkt, *(data + 1));
+ ...
+ SET_BT_WIFI_CONTROL_DATA5(h2c_pkt, *(data + 4));
+
+Detected using the static analysis tool - Svace.
+Fixes: 4136214f7c46 ("rtw88: add BT co-existence support")
+Signed-off-by: Alexey Kodanev <aleksei.kodanev@bell-sw.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20250513121304.124141-1-aleksei.kodanev@bell-sw.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw88/coex.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtw88/coex.c b/drivers/net/wireless/realtek/rtw88/coex.c
+index d35f26919806a..c45c7b596ffe9 100644
+--- a/drivers/net/wireless/realtek/rtw88/coex.c
++++ b/drivers/net/wireless/realtek/rtw88/coex.c
+@@ -309,7 +309,7 @@ static void rtw_coex_tdma_timer_base(struct rtw_dev *rtwdev, u8 type)
+ {
+ struct rtw_coex *coex = &rtwdev->coex;
+ struct rtw_coex_stat *coex_stat = &coex->stat;
+- u8 para[2] = {0};
++ u8 para[6] = {};
+ u8 times;
+ u16 tbtt_interval = coex_stat->wl_beacon_interval;
+
+--
+2.39.5
+
--- /dev/null
+From bd97d004da1433f64c3e41d06d050e1543d7e5a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Apr 2025 15:42:16 +0000
+Subject: wifi: rtw88: sdio: call rtw_sdio_indicate_tx_status unconditionally
+
+From: Zhen XIN <zhen.xin@nokia-sbell.com>
+
+[ Upstream commit fc5f5a0ec463ae6a07850428bd3082947e01d276 ]
+
+The rtw88-sdio do not work in AP mode due to the lack of TX status report
+for management frames.
+
+Make the invocation of rtw_sdio_indicate_tx_status unconditional and cover
+all packet queues
+
+Tested-on: rtl8723ds
+
+Fixes: 65371a3f14e7 ("wifi: rtw88: sdio: Add HCI implementation for SDIO based chipsets")
+Signed-off-by: Zhen XIN <zhen.xin@nokia-sbell.com>
+Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20250410154217.1849977-2-zhen.xin@nokia-sbell.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw88/sdio.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtw88/sdio.c b/drivers/net/wireless/realtek/rtw88/sdio.c
+index 4df04579e2e7a..832a427279b40 100644
+--- a/drivers/net/wireless/realtek/rtw88/sdio.c
++++ b/drivers/net/wireless/realtek/rtw88/sdio.c
+@@ -1223,10 +1223,7 @@ static void rtw_sdio_process_tx_queue(struct rtw_dev *rtwdev,
+ return;
+ }
+
+- if (queue <= RTW_TX_QUEUE_VO)
+- rtw_sdio_indicate_tx_status(rtwdev, skb);
+- else
+- dev_kfree_skb_any(skb);
++ rtw_sdio_indicate_tx_status(rtwdev, skb);
+ }
+
+ static void rtw_sdio_tx_handler(struct work_struct *work)
+--
+2.39.5
+
--- /dev/null
+From b8fa7c2aa74f7ec768d0b01af23d970b3885146d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Apr 2025 15:42:17 +0000
+Subject: wifi: rtw88: sdio: map mgmt frames to queue TX_DESC_QSEL_MGMT
+
+From: Zhen XIN <zhen.xin@nokia-sbell.com>
+
+[ Upstream commit b2effcdc237979dcc533d446a792fc54fd0e1213 ]
+
+The rtw88-sdio do not work in AP mode due to the lack of TX status report
+for management frames.
+
+Map the management frames to queue TX_DESC_QSEL_MGMT, which enables the
+chip to generate TX reports for these frames
+
+Tested-on: rtl8723ds
+
+Fixes: 65371a3f14e7 ("wifi: rtw88: sdio: Add HCI implementation for SDIO based chipsets")
+Signed-off-by: Zhen XIN <zhen.xin@nokia-sbell.com>
+Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20250410154217.1849977-3-zhen.xin@nokia-sbell.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw88/sdio.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtw88/sdio.c b/drivers/net/wireless/realtek/rtw88/sdio.c
+index 9043569935796..4df04579e2e7a 100644
+--- a/drivers/net/wireless/realtek/rtw88/sdio.c
++++ b/drivers/net/wireless/realtek/rtw88/sdio.c
+@@ -718,10 +718,7 @@ static u8 rtw_sdio_get_tx_qsel(struct rtw_dev *rtwdev, struct sk_buff *skb,
+ case RTW_TX_QUEUE_H2C:
+ return TX_DESC_QSEL_H2C;
+ case RTW_TX_QUEUE_MGMT:
+- if (rtw_chip_wcpu_11n(rtwdev))
+- return TX_DESC_QSEL_HIGH;
+- else
+- return TX_DESC_QSEL_MGMT;
++ return TX_DESC_QSEL_MGMT;
+ case RTW_TX_QUEUE_HI0:
+ return TX_DESC_QSEL_HIGH;
+ default:
+--
+2.39.5
+
--- /dev/null
+From f31a28ac330d19870d9f273e696cacf74a49c952 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Jun 2025 14:06:16 +0200
+Subject: wireguard: device: enable threaded NAPI
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mirco Barone <mirco.barone@polito.it>
+
+[ Upstream commit db9ae3b6b43c79b1ba87eea849fd65efa05b4b2e ]
+
+Enable threaded NAPI by default for WireGuard devices in response to low
+performance behavior that we observed when multiple tunnels (and thus
+multiple wg devices) are deployed on a single host. This affects any
+kind of multi-tunnel deployment, regardless of whether the tunnels share
+the same endpoints or not (i.e., a VPN concentrator type of gateway
+would also be affected).
+
+The problem is caused by the fact that, in case of a traffic surge that
+involves multiple tunnels at the same time, the polling of the NAPI
+instance of all these wg devices tends to converge onto the same core,
+causing underutilization of the CPU and bottlenecking performance.
+
+This happens because NAPI polling is hosted by default in softirq
+context, but the WireGuard driver only raises this softirq after the rx
+peer queue has been drained, which doesn't happen during high traffic.
+In this case, the softirq already active on a core is reused instead of
+raising a new one.
+
+As a result, once two or more tunnel softirqs have been scheduled on
+the same core, they remain pinned there until the surge ends.
+
+In our experiments, this almost always leads to all tunnel NAPIs being
+handled on a single core shortly after a surge begins, limiting
+scalability to less than 3× the performance of a single tunnel, despite
+plenty of unused CPU cores being available.
+
+The proposed mitigation is to enable threaded NAPI for all WireGuard
+devices. This moves the NAPI polling context to a dedicated per-device
+kernel thread, allowing the scheduler to balance the load across all
+available cores.
+
+On our 32-core gateways, enabling threaded NAPI yields a ~4× performance
+improvement with 16 tunnels, increasing throughput from ~13 Gbps to
+~48 Gbps. Meanwhile, CPU usage on the receiver (which is the bottleneck)
+jumps from 20% to 100%.
+
+We have found no performance regressions in any scenario we tested.
+Single-tunnel throughput remains unchanged.
+
+More details are available in our Netdev paper.
+
+Link: https://netdevconf.info/0x18/docs/netdev-0x18-paper23-talk-paper.pdf
+Signed-off-by: Mirco Barone <mirco.barone@polito.it>
+Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Link: https://patch.msgid.link/20250605120616.2808744-1-Jason@zx2c4.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireguard/device.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireguard/device.c b/drivers/net/wireguard/device.c
+index deb9636b0ecf8..f98e0f027a054 100644
+--- a/drivers/net/wireguard/device.c
++++ b/drivers/net/wireguard/device.c
+@@ -369,6 +369,7 @@ static int wg_newlink(struct net *src_net, struct net_device *dev,
+ if (ret < 0)
+ goto err_free_handshake_queue;
+
++ dev_set_threaded(dev, true);
+ ret = register_netdevice(dev);
+ if (ret < 0)
+ goto err_uninit_ratelimiter;
+--
+2.39.5
+
--- /dev/null
+From 223d68a4c55e8d41d74950685923362bb35db14d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 May 2025 07:04:13 +0200
+Subject: x86/cpu: Sanitize CPUID(0x80000000) output
+
+From: Ahmed S. Darwish <darwi@linutronix.de>
+
+[ Upstream commit cc663ba3fe383a628a812f893cc98aafff39ab04 ]
+
+CPUID(0x80000000).EAX returns the max extended CPUID leaf available. On
+x86-32 machines without an extended CPUID range, a CPUID(0x80000000)
+query will just repeat the output of the last valid standard CPUID leaf
+on the CPU; i.e., a garbage values. Current tip:x86/cpu code protects against
+this by doing:
+
+ eax = cpuid_eax(0x80000000);
+ c->extended_cpuid_level = eax;
+
+ if ((eax & 0xffff0000) == 0x80000000) {
+ // CPU has an extended CPUID range. Check for 0x80000001
+ if (eax >= 0x80000001) {
+ cpuid(0x80000001, ...);
+ }
+ }
+
+This is correct so far. Afterwards though, the same possibly broken EAX
+value is used to check the availability of other extended CPUID leaves:
+
+ if (c->extended_cpuid_level >= 0x80000007)
+ ...
+ if (c->extended_cpuid_level >= 0x80000008)
+ ...
+ if (c->extended_cpuid_level >= 0x8000000a)
+ ...
+ if (c->extended_cpuid_level >= 0x8000001f)
+ ...
+
+which is invalid. Fix this by immediately setting the CPU's max extended
+CPUID leaf to zero if CPUID(0x80000000).EAX doesn't indicate a valid
+CPUID extended range.
+
+While at it, add a comment, similar to kernel/head_32.S, clarifying the
+CPUID(0x80000000) sanity check.
+
+References: 8a50e5135af0 ("x86-32: Use symbolic constants, safer CPUID when enabling EFER.NX")
+Fixes: 3da99c977637 ("x86: make (early)_identify_cpu more the same between 32bit and 64 bit")
+Signed-off-by: Ahmed S. Darwish <darwi@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Andrew Cooper <andrew.cooper3@citrix.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: John Ogness <john.ogness@linutronix.de>
+Cc: x86-cpuid@lists.linux.dev
+Link: https://lore.kernel.org/r/20250506050437.10264-3-darwi@linutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/common.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
+index 067e31fb9e165..b6e43dad577a3 100644
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -1066,17 +1066,18 @@ void get_cpu_cap(struct cpuinfo_x86 *c)
+ c->x86_capability[CPUID_D_1_EAX] = eax;
+ }
+
+- /* AMD-defined flags: level 0x80000001 */
++ /*
++ * Check if extended CPUID leaves are implemented: Max extended
++ * CPUID leaf must be in the 0x80000001-0x8000ffff range.
++ */
+ eax = cpuid_eax(0x80000000);
+- c->extended_cpuid_level = eax;
++ c->extended_cpuid_level = ((eax & 0xffff0000) == 0x80000000) ? eax : 0;
+
+- if ((eax & 0xffff0000) == 0x80000000) {
+- if (eax >= 0x80000001) {
+- cpuid(0x80000001, &eax, &ebx, &ecx, &edx);
++ if (c->extended_cpuid_level >= 0x80000001) {
++ cpuid(0x80000001, &eax, &ebx, &ecx, &edx);
+
+- c->x86_capability[CPUID_8000_0001_ECX] = ecx;
+- c->x86_capability[CPUID_8000_0001_EDX] = edx;
+- }
++ c->x86_capability[CPUID_8000_0001_ECX] = ecx;
++ c->x86_capability[CPUID_8000_0001_EDX] = edx;
+ }
+
+ if (c->extended_cpuid_level >= 0x80000007) {
+--
+2.39.5
+
--- /dev/null
+From e8348ceb038b16c75625bb90d0aca05808c7b574 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Apr 2025 18:24:58 +0100
+Subject: x86/idle: Remove MFENCEs for X86_BUG_CLFLUSH_MONITOR in
+ mwait_idle_with_hints() and prefer_mwait_c1_over_halt()
+
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+
+[ Upstream commit 1f13c60d84e880df6698441026e64f84c7110c49 ]
+
+The following commit, 12 years ago:
+
+ 7e98b7192046 ("x86, idle: Use static_cpu_has() for CLFLUSH workaround, add barriers")
+
+added barriers around the CLFLUSH in mwait_idle_with_hints(), justified with:
+
+ ... and add memory barriers around it since the documentation is explicit
+ that CLFLUSH is only ordered with respect to MFENCE.
+
+This also triggered, 11 years ago, the same adjustment in:
+
+ f8e617f45829 ("sched/idle/x86: Optimize unnecessary mwait_idle() resched IPIs")
+
+during development, although it failed to get the static_cpu_has_bug() treatment.
+
+X86_BUG_CLFLUSH_MONITOR (a.k.a the AAI65 errata) is specific to Intel CPUs,
+and the SDM currently states:
+
+ Executions of the CLFLUSH instruction are ordered with respect to each
+ other and with respect to writes, locked read-modify-write instructions,
+ and fence instructions[1].
+
+With footnote 1 reading:
+
+ Earlier versions of this manual specified that executions of the CLFLUSH
+ instruction were ordered only by the MFENCE instruction. All processors
+ implementing the CLFLUSH instruction also order it relative to the other
+ operations enumerated above.
+
+i.e. The SDM was incorrect at the time, and barriers should not have been
+inserted. Double checking the original AAI65 errata (not available from
+intel.com any more) shows no mention of barriers either.
+
+Note: If this were a general codepath, the MFENCEs would be needed, because
+ AMD CPUs of the same vintage do sport otherwise-unordered CLFLUSHs.
+
+Remove the unnecessary barriers. Furthermore, use a plain alternative(),
+rather than static_cpu_has_bug() and/or no optimisation. The workaround
+is a single instruction.
+
+Use an explicit %rax pointer rather than a general memory operand, because
+MONITOR takes the pointer implicitly in the same way.
+
+[ mingo: Cleaned up the commit a bit. ]
+
+Fixes: 7e98b7192046 ("x86, idle: Use static_cpu_has() for CLFLUSH workaround, add barriers")
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Acked-by: Dave Hansen <dave.hansen@intel.com>
+Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Rik van Riel <riel@surriel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Juergen Gross <jgross@suse.com>
+Cc: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Link: https://lore.kernel.org/r/20250402172458.1378112-1-andrew.cooper3@citrix.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/mwait.h | 9 +++------
+ arch/x86/kernel/process.c | 9 +++------
+ 2 files changed, 6 insertions(+), 12 deletions(-)
+
+diff --git a/arch/x86/include/asm/mwait.h b/arch/x86/include/asm/mwait.h
+index bae83810505bf..a541411d9226e 100644
+--- a/arch/x86/include/asm/mwait.h
++++ b/arch/x86/include/asm/mwait.h
+@@ -108,13 +108,10 @@ static __always_inline void __sti_mwait(unsigned long eax, unsigned long ecx)
+ static __always_inline void mwait_idle_with_hints(unsigned long eax, unsigned long ecx)
+ {
+ if (static_cpu_has_bug(X86_BUG_MONITOR) || !current_set_polling_and_test()) {
+- if (static_cpu_has_bug(X86_BUG_CLFLUSH_MONITOR)) {
+- mb();
+- clflush((void *)¤t_thread_info()->flags);
+- mb();
+- }
++ const void *addr = ¤t_thread_info()->flags;
+
+- __monitor((void *)¤t_thread_info()->flags, 0, 0);
++ alternative_input("", "clflush (%[addr])", X86_BUG_CLFLUSH_MONITOR, [addr] "a" (addr));
++ __monitor(addr, 0, 0);
+
+ if (!need_resched()) {
+ if (ecx & 1) {
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
+index 419353904173f..8a398acfdea2e 100644
+--- a/arch/x86/kernel/process.c
++++ b/arch/x86/kernel/process.c
+@@ -923,13 +923,10 @@ static int prefer_mwait_c1_over_halt(const struct cpuinfo_x86 *c)
+ static __cpuidle void mwait_idle(void)
+ {
+ if (!current_set_polling_and_test()) {
+- if (this_cpu_has(X86_BUG_CLFLUSH_MONITOR)) {
+- mb(); /* quirk */
+- clflush((void *)¤t_thread_info()->flags);
+- mb(); /* quirk */
+- }
++ const void *addr = ¤t_thread_info()->flags;
+
+- __monitor((void *)¤t_thread_info()->flags, 0, 0);
++ alternative_input("", "clflush (%[addr])", X86_BUG_CLFLUSH_MONITOR, [addr] "a" (addr));
++ __monitor(addr, 0, 0);
+ if (!need_resched()) {
+ __sti_mwait(0, 0);
+ raw_local_irq_disable();
+--
+2.39.5
+
--- /dev/null
+From 0e0d89e4d3db7a9b341e6ba38b217ac10ba58e7b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Apr 2025 05:34:24 +0000
+Subject: x86/microcode/AMD: Do not return error when microcode update is not
+ necessary
+
+From: Annie Li <jiayanli@google.com>
+
+[ Upstream commit b43dc4ab097859c24e2a6993119c927cffc856aa ]
+
+After
+
+ 6f059e634dcd("x86/microcode: Clarify the late load logic"),
+
+if the load is up-to-date, the AMD side returns UCODE_OK which leads to
+load_late_locked() returning -EBADFD.
+
+Handle UCODE_OK in the switch case to avoid this error.
+
+ [ bp: Massage commit message. ]
+
+Fixes: 6f059e634dcd ("x86/microcode: Clarify the late load logic")
+Signed-off-by: Annie Li <jiayanli@google.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Link: https://lore.kernel.org/20250430053424.77438-1-jiayanli@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/microcode/core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c
+index 5b47c320f17a6..fc539346599cb 100644
+--- a/arch/x86/kernel/cpu/microcode/core.c
++++ b/arch/x86/kernel/cpu/microcode/core.c
+@@ -703,6 +703,8 @@ static int load_late_locked(void)
+ return load_late_stop_cpus(true);
+ case UCODE_NFOUND:
+ return -ENOENT;
++ case UCODE_OK:
++ return 0;
+ default:
+ return -EBADFD;
+ }
+--
+2.39.5
+
--- /dev/null
+From 2d93580488fcf84dcee9e830926eca20c51ce65b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 May 2025 17:06:33 +0000
+Subject: x86/mtrr: Check if fixed-range MTRRs exist in
+ mtrr_save_fixed_ranges()
+
+From: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
+
+[ Upstream commit 824c6384e8d9275d4ec7204f3f79a4ac6bc10379 ]
+
+When suspending, save_processor_state() calls mtrr_save_fixed_ranges()
+to save fixed-range MTRRs.
+
+On platforms without fixed-range MTRRs like the ACRN hypervisor which
+has removed fixed-range MTRR emulation, accessing these MSRs will
+trigger an unchecked MSR access error. Make sure fixed-range MTRRs are
+supported before access to prevent such error.
+
+Since mtrr_state.have_fixed is only set when MTRRs are present and
+enabled, checking the CPU feature flag in mtrr_save_fixed_ranges() is
+unnecessary.
+
+Fixes: 3ebad5905609 ("[PATCH] x86: Save and restore the fixed-range MTRRs of the BSP when suspending")
+Signed-off-by: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Link: https://lore.kernel.org/20250509170633.3411169-2-jiaqing.zhao@linux.intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/mtrr/generic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/mtrr/generic.c b/arch/x86/kernel/cpu/mtrr/generic.c
+index 2d6aa5d2e3d77..6839440a4b31e 100644
+--- a/arch/x86/kernel/cpu/mtrr/generic.c
++++ b/arch/x86/kernel/cpu/mtrr/generic.c
+@@ -582,7 +582,7 @@ static void get_fixed_ranges(mtrr_type *frs)
+
+ void mtrr_save_fixed_ranges(void *info)
+ {
+- if (boot_cpu_has(X86_FEATURE_MTRR))
++ if (mtrr_state.have_fixed)
+ get_fixed_ranges(mtrr_state.fixed_ranges);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From d072271982dc0c0d1306e48210fcdbd4861ceed6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 May 2025 10:04:26 +0200
+Subject: xen/x86: fix initial memory balloon target
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Roger Pau Monne <roger.pau@citrix.com>
+
+[ Upstream commit 74287971dbb3fe322bb316afd9e7fb5807e23bee ]
+
+When adding extra memory regions as ballooned pages also adjust the balloon
+target, otherwise when the balloon driver is started it will populate
+memory to match the target value and consume all the extra memory regions
+added.
+
+This made the usage of the Xen `dom0_mem=,max:` command line parameter for
+dom0 not work as expected, as the target won't be adjusted and when the
+balloon is started it will populate memory straight to the 'max:' value.
+It would equally affect domUs that have memory != maxmem.
+
+Kernels built with CONFIG_XEN_UNPOPULATED_ALLOC are not affected, because
+the extra memory regions are consumed by the unpopulated allocation driver,
+and then balloon_add_regions() becomes a no-op.
+
+Reported-by: John <jw@nuclearfallout.net>
+Fixes: 87af633689ce ('x86/xen: fix balloon target initialization for PVH dom0')
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Tested-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+Message-ID: <20250514080427.28129-1-roger.pau@citrix.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/xen/balloon.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c
+index b0b52fa8fba6d..204ec1bcbd526 100644
+--- a/drivers/xen/balloon.c
++++ b/drivers/xen/balloon.c
+@@ -696,15 +696,18 @@ static int __init balloon_add_regions(void)
+
+ /*
+ * Extra regions are accounted for in the physmap, but need
+- * decreasing from current_pages to balloon down the initial
+- * allocation, because they are already accounted for in
+- * total_pages.
++ * decreasing from current_pages and target_pages to balloon
++ * down the initial allocation, because they are already
++ * accounted for in total_pages.
+ */
+- if (extra_pfn_end - start_pfn >= balloon_stats.current_pages) {
++ pages = extra_pfn_end - start_pfn;
++ if (pages >= balloon_stats.current_pages ||
++ pages >= balloon_stats.target_pages) {
+ WARN(1, "Extra pages underflow current target");
+ return -ERANGE;
+ }
+- balloon_stats.current_pages -= extra_pfn_end - start_pfn;
++ balloon_stats.current_pages -= pages;
++ balloon_stats.target_pages -= pages;
+ }
+
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From ac045ff49d646888ccf7a6b8f1a75cafbb6e6c3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Apr 2025 10:49:54 +0300
+Subject: xfrm: Use xdo.dev instead of xdo.real_dev
+
+From: Cosmin Ratiu <cratiu@nvidia.com>
+
+[ Upstream commit 25ac138f58e7d5c8bffa31e8891418d2819180c4 ]
+
+The policy offload struct was reused from the state offload and
+real_dev was copied from dev, but it was never set to anything else.
+Simplify the code by always using xdo.dev for policies.
+
+Signed-off-by: Cosmin Ratiu <cratiu@nvidia.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 2 +-
+ net/xfrm/xfrm_device.c | 2 --
+ net/xfrm/xfrm_state.c | 2 --
+ 3 files changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
+index 463c23ae0ad1e..5161bf51fa110 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
+@@ -1093,7 +1093,7 @@ mlx5e_ipsec_build_accel_pol_attrs(struct mlx5e_ipsec_pol_entry *pol_entry,
+ static int mlx5e_xfrm_add_policy(struct xfrm_policy *x,
+ struct netlink_ext_ack *extack)
+ {
+- struct net_device *netdev = x->xdo.real_dev;
++ struct net_device *netdev = x->xdo.dev;
+ struct mlx5e_ipsec_pol_entry *pol_entry;
+ struct mlx5e_priv *priv;
+ int err;
+diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c
+index 04dc0c8a83707..7188d3592dde4 100644
+--- a/net/xfrm/xfrm_device.c
++++ b/net/xfrm/xfrm_device.c
+@@ -371,7 +371,6 @@ int xfrm_dev_policy_add(struct net *net, struct xfrm_policy *xp,
+
+ xdo->dev = dev;
+ netdev_tracker_alloc(dev, &xdo->dev_tracker, GFP_ATOMIC);
+- xdo->real_dev = dev;
+ xdo->type = XFRM_DEV_OFFLOAD_PACKET;
+ switch (dir) {
+ case XFRM_POLICY_IN:
+@@ -393,7 +392,6 @@ int xfrm_dev_policy_add(struct net *net, struct xfrm_policy *xp,
+ err = dev->xfrmdev_ops->xdo_dev_policy_add(xp, extack);
+ if (err) {
+ xdo->dev = NULL;
+- xdo->real_dev = NULL;
+ xdo->type = XFRM_DEV_OFFLOAD_UNSPECIFIED;
+ xdo->dir = 0;
+ netdev_put(dev, &xdo->dev_tracker);
+diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
+index 86029cf5358c7..d2bd5bddfb05d 100644
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -1326,7 +1326,6 @@ xfrm_state_find(const xfrm_address_t *daddr, const xfrm_address_t *saddr,
+ xso->type = XFRM_DEV_OFFLOAD_PACKET;
+ xso->dir = xdo->dir;
+ xso->dev = xdo->dev;
+- xso->real_dev = xdo->real_dev;
+ xso->flags = XFRM_DEV_OFFLOAD_FLAG_ACQ;
+ netdev_hold(xso->dev, &xso->dev_tracker, GFP_ATOMIC);
+ error = xso->dev->xfrmdev_ops->xdo_dev_state_add(x, NULL);
+@@ -1334,7 +1333,6 @@ xfrm_state_find(const xfrm_address_t *daddr, const xfrm_address_t *saddr,
+ xso->dir = 0;
+ netdev_put(xso->dev, &xso->dev_tracker);
+ xso->dev = NULL;
+- xso->real_dev = NULL;
+ xso->type = XFRM_DEV_OFFLOAD_UNSPECIFIED;
+ x->km.state = XFRM_STATE_DEAD;
+ to_put = x;
+--
+2.39.5
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
