--- /dev/null
+From stable+bounces-187851-greg=kroah.com@vger.kernel.org Sat Oct 18 18:14:47 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Oct 2025 12:14:33 -0400
+Subject: blk-crypto: fix missing blktrace bio split events
+To: stable@vger.kernel.org
+Cc: Yu Kuai <yukuai3@huawei.com>, Bart Van Assche <bvanassche@acm.org>, Christoph Hellwig <hch@lst.de>, Jens Axboe <axboe@kernel.dk>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251018161433.836920-1-sashal@kernel.org>
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 06d712d297649f48ebf1381d19bd24e942813b37 ]
+
+trace_block_split() is missing, resulting in blktrace inability to catch
+BIO split events and making it harder to analyze the BIO sequence.
+
+Cc: stable@vger.kernel.org
+Fixes: 488f6682c832 ("block: blk-crypto-fallback for Inline Encryption")
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+[ added queue parameter to trace_block_split() call ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-crypto-fallback.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/block/blk-crypto-fallback.c
++++ b/block/blk-crypto-fallback.c
+@@ -18,6 +18,7 @@
+ #include <linux/mempool.h>
+ #include <linux/module.h>
+ #include <linux/random.h>
++#include <trace/events/block.h>
+
+ #include "blk-crypto-internal.h"
+
+@@ -227,7 +228,9 @@ static bool blk_crypto_split_bio_if_need
+ bio->bi_status = BLK_STS_RESOURCE;
+ return false;
+ }
++
+ bio_chain(split_bio, bio);
++ trace_block_split(bio->bi_disk->queue, split_bio, bio->bi_iter.bi_sector);
+ submit_bio_noacct(bio);
+ *bio_ptr = split_bio;
+ }
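Review bot: The queue argument in the added trace_block_split() call is read from bio->bi_disk->queue, while the event is recorded against split_bio. That argument is the backport-only deviation noted in the changelog, so the changelog should say why the queue of the remainder bio is the right one to report. The blank line added before bio_chain() is a whitespace-only change; drop it unless it is carried over from the upstream commit.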
--- /dev/null
+From stable+bounces-187846-greg=kroah.com@vger.kernel.org Sat Oct 18 18:03:06 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Oct 2025 12:01:58 -0400
+Subject: btrfs: avoid potential out-of-bounds in btrfs_encode_fh()
+To: stable@vger.kernel.org
+Cc: Anderson Nascimento <anderson@allelesecurity.com>, David Sterba <dsterba@suse.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251018160158.831532-1-sashal@kernel.org>
+
+From: Anderson Nascimento <anderson@allelesecurity.com>
+
+[ Upstream commit dff4f9ff5d7f289e4545cc936362e01ed3252742 ]
+
+The function btrfs_encode_fh() does not properly account for the three
+cases it handles.
+
+Before writing to the file handle (fh), the function only returns to the
+user BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or
+BTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes).
+
+However, when a parent exists and the root ID of the parent and the
+inode are different, the function writes BTRFS_FID_SIZE_CONNECTABLE_ROOT
+(10 dwords, 40 bytes).
+
+If *max_len is not large enough, this write goes out of bounds because
+BTRFS_FID_SIZE_CONNECTABLE_ROOT is greater than
+BTRFS_FID_SIZE_CONNECTABLE originally returned.
+
+This results in an 8-byte out-of-bounds write at
+fid->parent_root_objectid = parent_root_id.
+
+A previous attempt to fix this issue was made but was lost.
+
+https://lore.kernel.org/all/4CADAEEC020000780001B32C@vpn.id2.novell.com/
+
+Although this issue does not seem to be easily triggerable, it is a
+potential memory corruption bug that should be fixed. This patch
+resolves the issue by ensuring the function returns the appropriate size
+for all three cases and validates that *max_len is large enough before
+writing any data.
+
+Fixes: be6e8dc0ba84 ("NFS support for btrfs - v3")
+CC: stable@vger.kernel.org # 3.0+
+Signed-off-by: Anderson Nascimento <anderson@allelesecurity.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+[ replaced btrfs_root_id() calls with direct ->root->root_key.objectid access ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/export.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/export.c
++++ b/fs/btrfs/export.c
+@@ -22,7 +22,11 @@ static int btrfs_encode_fh(struct inode
+ int type;
+
+ if (parent && (len < BTRFS_FID_SIZE_CONNECTABLE)) {
+- *max_len = BTRFS_FID_SIZE_CONNECTABLE;
++ if (BTRFS_I(inode)->root->root_key.objectid !=
++ BTRFS_I(parent)->root->root_key.objectid)
++ *max_len = BTRFS_FID_SIZE_CONNECTABLE_ROOT;
++ else
++ *max_len = BTRFS_FID_SIZE_CONNECTABLE;
+ return FILEID_INVALID;
+ } else if (len < BTRFS_FID_SIZE_NON_CONNECTABLE) {
+ *max_len = BTRFS_FID_SIZE_NON_CONNECTABLE;
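Review bot: The outer condition still gates on len < BTRFS_FID_SIZE_CONNECTABLE, so the new root comparison only reports BTRFS_FID_SIZE_CONNECTABLE_ROOT when the buffer is already smaller than the 8-dword case. A caller that passes 8 or 9 dwords with differing roots gets past this block and depends entirely on the later check. Consider computing the required size first (roots differ: CONNECTABLE_ROOT, else CONNECTABLE) and comparing len against that, so one early return covers all three cases and always reports the needed size.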
+@@ -44,6 +48,8 @@ static int btrfs_encode_fh(struct inode
+ parent_root_id = BTRFS_I(parent)->root->root_key.objectid;
+
+ if (parent_root_id != fid->root_objectid) {
++ if (*max_len < BTRFS_FID_SIZE_CONNECTABLE_ROOT)
++ return FILEID_INVALID;
+ fid->parent_root_objectid = parent_root_id;
+ len = BTRFS_FID_SIZE_CONNECTABLE_ROOT;
+ type = FILEID_BTRFS_WITH_PARENT_ROOT;
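Review bot: The new bounds check returns FILEID_INVALID without updating *max_len, unlike the early-return paths in the first hunk, which store the required size before returning. A caller that hits this path is not told that BTRFS_FID_SIZE_CONNECTABLE_ROOT dwords are needed. Suggest setting *max_len = BTRFS_FID_SIZE_CONNECTABLE_ROOT before the return. The check also tests *max_len where the earlier checks test the local len; using one of them consistently would make it easier to confirm they hold the same value at this point.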
--- /dev/null
+From stable+bounces-187843-greg=kroah.com@vger.kernel.org Sat Oct 18 16:55:00 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Oct 2025 10:54:52 -0400
+Subject: bus: mhi: host: Do not use uninitialized 'dev' pointer in mhi_init_irq_setup()
+To: stable@vger.kernel.org
+Cc: Adam Xue <zxue@semtech.com>, Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>, Krishna Chaitanya Chundru <krishna.chundru@oss.qualcomm.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251018145452.792939-1-sashal@kernel.org>
+
+From: Adam Xue <zxue@semtech.com>
+
+[ Upstream commit d0856a6dff57f95cc5d2d74e50880f01697d0cc4 ]
+
+In mhi_init_irq_setup, the device pointer used for dev_err() was not
+initialized. Use the pointer from mhi_cntrl instead.
+
+Fixes: b0fc0167f254 ("bus: mhi: core: Allow shared IRQ for event rings")
+Fixes: 3000f85b8f47 ("bus: mhi: core: Add support for basic PM operations")
+Signed-off-by: Adam Xue <zxue@semtech.com>
+[mani: reworded subject/description and CCed stable]
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
+Reviewed-by: Krishna Chaitanya Chundru <krishna.chundru@oss.qualcomm.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250905174118.38512-1-zxue@semtech.com
+[ Adjust context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bus/mhi/host/init.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/bus/mhi/host/init.c
++++ b/drivers/bus/mhi/host/init.c
+@@ -147,7 +147,6 @@ void mhi_deinit_free_irq(struct mhi_cont
+ int mhi_init_irq_setup(struct mhi_controller *mhi_cntrl)
+ {
+ struct mhi_event *mhi_event = mhi_cntrl->mhi_event;
+- struct device *dev = &mhi_cntrl->mhi_dev->dev;
+ int i, ret;
+
+ /* Setup BHI_INTVEC IRQ */
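Review bot: The removed declaration, struct device *dev = &mhi_cntrl->mhi_dev->dev, does have an initializer, so the changelog's "not initialized" is imprecise about what is wrong. The description should say that it is mhi_cntrl->mhi_dev that cannot be relied on at this point in mhi_init_irq_setup(), which is why the dev_err() calls in the following hunks switch to mhi_cntrl->cntrl_dev.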
+@@ -163,7 +162,7 @@ int mhi_init_irq_setup(struct mhi_contro
+ continue;
+
+ if (mhi_event->irq >= mhi_cntrl->nr_irqs) {
+- dev_err(dev, "irq %d not available for event ring\n",
++ dev_err(mhi_cntrl->cntrl_dev, "irq %d not available for event ring\n",
+ mhi_event->irq);
+ ret = -EINVAL;
+ goto error_request;
+@@ -174,7 +173,7 @@ int mhi_init_irq_setup(struct mhi_contro
+ IRQF_SHARED | IRQF_NO_SUSPEND,
+ "mhi", mhi_event);
+ if (ret) {
+- dev_err(dev, "Error requesting irq:%d for ev:%d\n",
++ dev_err(mhi_cntrl->cntrl_dev, "Error requesting irq:%d for ev:%d\n",
+ mhi_cntrl->irq[mhi_event->irq], i);
+ goto error_request;
+ }
--- /dev/null
+From stable+bounces-187840-greg=kroah.com@vger.kernel.org Sat Oct 18 15:52:05 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Oct 2025 09:51:55 -0400
+Subject: drm/exynos: exynos7_drm_decon: remove ctx->suspended
+To: stable@vger.kernel.org
+Cc: Kaustabh Chakraborty <kauschluss@disroot.org>, Inki Dae <inki.dae@samsung.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251018135155.712293-1-sashal@kernel.org>
+
+From: Kaustabh Chakraborty <kauschluss@disroot.org>
+
+[ Upstream commit e1361a4f1be9cb69a662c6d7b5ce218007d6e82b ]
+
+Condition guards are found to be redundant, as the call flow is properly
+managed now, as also observed in the Exynos5433 DECON driver. Since
+state checking is no longer necessary, remove it.
+
+This also fixes an issue which prevented decon_commit() from
+decon_atomic_enable() due to an incorrect state change setting.
+
+Fixes: 96976c3d9aff ("drm/exynos: Add DECON driver")
+Cc: stable@vger.kernel.org
+Suggested-by: Inki Dae <inki.dae@samsung.com>
+Signed-off-by: Kaustabh Chakraborty <kauschluss@disroot.org>
+Signed-off-by: Inki Dae <inki.dae@samsung.com>
+[ Adjust context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/exynos/exynos7_drm_decon.c | 36 -----------------------------
+ 1 file changed, 36 deletions(-)
+
+--- a/drivers/gpu/drm/exynos/exynos7_drm_decon.c
++++ b/drivers/gpu/drm/exynos/exynos7_drm_decon.c
+@@ -51,7 +51,6 @@ struct decon_context {
+ void __iomem *regs;
+ unsigned long irq_flags;
+ bool i80_if;
+- bool suspended;
+ wait_queue_head_t wait_vsync_queue;
+ atomic_t wait_vsync_event;
+
+@@ -85,9 +84,6 @@ static void decon_wait_for_vblank(struct
+ {
+ struct decon_context *ctx = crtc->ctx;
+
+- if (ctx->suspended)
+- return;
+-
+ atomic_set(&ctx->wait_vsync_event, 1);
+
+ /*
+@@ -155,9 +151,6 @@ static void decon_commit(struct exynos_d
+ struct drm_display_mode *mode = &crtc->base.state->adjusted_mode;
+ u32 val, clkdiv;
+
+- if (ctx->suspended)
+- return;
+-
+ /* nothing to do if we haven't set the mode yet */
+ if (mode->htotal == 0 || mode->vtotal == 0)
+ return;
+@@ -219,9 +212,6 @@ static int decon_enable_vblank(struct ex
+ struct decon_context *ctx = crtc->ctx;
+ u32 val;
+
+- if (ctx->suspended)
+- return -EPERM;
+-
+ if (!test_and_set_bit(0, &ctx->irq_flags)) {
+ val = readl(ctx->regs + VIDINTCON0);
+
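Review bot: With the ctx->suspended guard gone, decon_enable_vblank() reaches readl(ctx->regs + VIDINTCON0) unconditionally, and the -EPERM return that callers previously saw for a suspended controller disappears. The changelog says the call flow is now properly managed but does not name what guarantees the device is powered when this runs. A short comment here, or a sentence in the changelog naming the caller ordering that is relied on, would make the removal reviewable.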
+@@ -244,9 +234,6 @@ static void decon_disable_vblank(struct
+ struct decon_context *ctx = crtc->ctx;
+ u32 val;
+
+- if (ctx->suspended)
+- return;
+-
+ if (test_and_clear_bit(0, &ctx->irq_flags)) {
+ val = readl(ctx->regs + VIDINTCON0);
+
+@@ -369,9 +356,6 @@ static void decon_atomic_begin(struct ex
+ struct decon_context *ctx = crtc->ctx;
+ int i;
+
+- if (ctx->suspended)
+- return;
+-
+ for (i = 0; i < WINDOWS_NR; i++)
+ decon_shadow_protect_win(ctx, i, true);
+ }
+@@ -391,9 +375,6 @@ static void decon_update_plane(struct ex
+ unsigned int cpp = fb->format->cpp[0];
+ unsigned int pitch = fb->pitches[0];
+
+- if (ctx->suspended)
+- return;
+-
+ /*
+ * SHADOWCON/PRTCON register is used for enabling timing.
+ *
+@@ -481,9 +462,6 @@ static void decon_disable_plane(struct e
+ unsigned int win = plane->index;
+ u32 val;
+
+- if (ctx->suspended)
+- return;
+-
+ /* protect windows */
+ decon_shadow_protect_win(ctx, win, true);
+
+@@ -502,9 +480,6 @@ static void decon_atomic_flush(struct ex
+ struct decon_context *ctx = crtc->ctx;
+ int i;
+
+- if (ctx->suspended)
+- return;
+-
+ for (i = 0; i < WINDOWS_NR; i++)
+ decon_shadow_protect_win(ctx, i, false);
+ exynos_crtc_handle_event(crtc);
+@@ -531,9 +506,6 @@ static void decon_atomic_enable(struct e
+ {
+ struct decon_context *ctx = crtc->ctx;
+
+- if (!ctx->suspended)
+- return;
+-
+ pm_runtime_get_sync(ctx->dev);
+
+ decon_init(ctx);
+@@ -543,8 +515,6 @@ static void decon_atomic_enable(struct e
+ decon_enable_vblank(ctx->crtc);
+
+ decon_commit(ctx->crtc);
+-
+- ctx->suspended = false;
+ }
+
+ static void decon_atomic_disable(struct exynos_drm_crtc *crtc)
+@@ -552,9 +522,6 @@ static void decon_atomic_disable(struct
+ struct decon_context *ctx = crtc->ctx;
+ int i;
+
+- if (ctx->suspended)
+- return;
+-
+ /*
+ * We need to make sure that all windows are disabled before we
+ * suspend that connector. Otherwise we might try to scan from
+@@ -564,8 +531,6 @@ static void decon_atomic_disable(struct
+ decon_disable_plane(crtc, &ctx->planes[i]);
+
+ pm_runtime_put_sync(ctx->dev);
+-
+- ctx->suspended = true;
+ }
+
+ static const struct exynos_drm_crtc_ops decon_crtc_ops = {
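Review bot: In decon_atomic_disable() the removed ctx->suspended check was also what kept pm_runtime_put_sync() from running twice without an intervening pm_runtime_get_sync() in decon_atomic_enable(). After this hunk the runtime-PM reference balance depends entirely on the caller pairing enable and disable. The changelog should state that this pairing is guaranteed, since an unbalanced put would be harder to diagnose than the early return it replaces.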
+@@ -687,7 +652,6 @@ static int decon_probe(struct platform_d
+ return -ENOMEM;
+
+ ctx->dev = dev;
+- ctx->suspended = true;
+
+ i80_if_timings = of_get_child_by_name(dev->of_node, "i80-if-timings");
+ if (i80_if_timings)
--- /dev/null
+From stable+bounces-187719-greg=kroah.com@vger.kernel.org Sat Oct 18 01:18:34 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Oct 2025 19:18:23 -0400
+Subject: media: lirc: Fix error handling in lirc_register()
+To: stable@vger.kernel.org
+Cc: Ma Ke <make24@iscas.ac.cn>, Sean Young <sean@mess.org>, Hans Verkuil <hverkuil+cisco@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251017231823.30098-2-sashal@kernel.org>
+
+From: Ma Ke <make24@iscas.ac.cn>
+
+[ Upstream commit 4f4098c57e139ad972154077fb45c3e3141555dd ]
+
+When cdev_device_add() failed, calling put_device() to explicitly
+release dev->lirc_dev. Otherwise, it could cause the fault of the
+reference count.
+
+Found by code review.
+
+Cc: stable@vger.kernel.org
+Fixes: a6ddd4fecbb0 ("media: lirc: remove last remnants of lirc kapi")
+Signed-off-by: Ma Ke <make24@iscas.ac.cn>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/rc/lirc_dev.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/media/rc/lirc_dev.c
++++ b/drivers/media/rc/lirc_dev.c
+@@ -747,11 +747,11 @@ int lirc_register(struct rc_dev *dev)
+
+ cdev_init(&dev->lirc_cdev, &lirc_fops);
+
++ get_device(&dev->dev);
++
+ err = cdev_device_add(&dev->lirc_cdev, &dev->lirc_dev);
+ if (err)
+- goto out_ida;
+-
+- get_device(&dev->dev);
++ goto out_put_device;
+
+ switch (dev->driver_type) {
+ case RC_DRIVER_SCANCODE:
+@@ -775,7 +775,8 @@ int lirc_register(struct rc_dev *dev)
+
+ return 0;
+
+-out_ida:
++out_put_device:
++ put_device(&dev->lirc_dev);
+ ida_free(&lirc_ida, minor);
+ return err;
+ }
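Review bot: The error path at out_put_device calls put_device(&dev->lirc_dev), while the reference taken in the previous hunk is get_device(&dev->dev), a different struct device. Neither the changelog nor the code explains how the dev->dev reference is dropped on this path. If releasing lirc_dev is what drops it, a one-line comment above the put_device() call saying so would let a reader confirm that the get and put are paired.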
--- /dev/null
+From stable+bounces-187718-greg=kroah.com@vger.kernel.org Sat Oct 18 01:18:31 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Oct 2025 19:18:22 -0400
+Subject: media: rc: Directly use ida_free()
+To: stable@vger.kernel.org
+Cc: keliu <liuke94@huawei.com>, Sean Young <sean@mess.org>, Mauro Carvalho Chehab <mchehab@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251017231823.30098-1-sashal@kernel.org>
+
+From: keliu <liuke94@huawei.com>
+
+[ Upstream commit cd54ff938091d890edf78e6555ec30c63dcd2eb5 ]
+
+Use ida_alloc() and ida_free() instead of the deprecated
+ida_simple_get() and ida_simple_remove().
+
+Signed-off-by: keliu <liuke94@huawei.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Stable-dep-of: 4f4098c57e13 ("media: lirc: Fix error handling in lirc_register()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/rc/lirc_dev.c | 6 +++---
+ drivers/media/rc/rc-main.c | 6 +++---
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/rc/lirc_dev.c
++++ b/drivers/media/rc/lirc_dev.c
+@@ -731,7 +731,7 @@ int lirc_register(struct rc_dev *dev)
+ const char *rx_type, *tx_type;
+ int err, minor;
+
+- minor = ida_simple_get(&lirc_ida, 0, RC_DEV_MAX, GFP_KERNEL);
++ minor = ida_alloc_max(&lirc_ida, RC_DEV_MAX - 1, GFP_KERNEL);
+ if (minor < 0)
+ return minor;
+
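Review bot: The changelog says ida_alloc() is used, but this hunk calls ida_alloc_max() with RC_DEV_MAX - 1. The "- 1" is needed because the end argument of ida_simple_get() is exclusive while the max argument of ida_alloc_max() is inclusive. The changelog should name ida_alloc_max() and mention the bound conversion so the off-by-one adjustment is not mistaken for a behaviour change. The same applies to the rc_ida allocation in rc-main.c.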
+@@ -776,7 +776,7 @@ int lirc_register(struct rc_dev *dev)
+ return 0;
+
+ out_ida:
+- ida_simple_remove(&lirc_ida, minor);
++ ida_free(&lirc_ida, minor);
+ return err;
+ }
+
+@@ -794,7 +794,7 @@ void lirc_unregister(struct rc_dev *dev)
+ spin_unlock_irqrestore(&dev->lirc_fh_lock, flags);
+
+ cdev_device_del(&dev->lirc_cdev, &dev->lirc_dev);
+- ida_simple_remove(&lirc_ida, MINOR(dev->lirc_dev.devt));
++ ida_free(&lirc_ida, MINOR(dev->lirc_dev.devt));
+ }
+
+ int __init lirc_dev_init(void)
+--- a/drivers/media/rc/rc-main.c
++++ b/drivers/media/rc/rc-main.c
+@@ -1897,7 +1897,7 @@ int rc_register_device(struct rc_dev *de
+ if (!dev)
+ return -EINVAL;
+
+- minor = ida_simple_get(&rc_ida, 0, RC_DEV_MAX, GFP_KERNEL);
++ minor = ida_alloc_max(&rc_ida, RC_DEV_MAX - 1, GFP_KERNEL);
+ if (minor < 0)
+ return minor;
+
+@@ -1980,7 +1980,7 @@ out_rx_free:
+ out_raw:
+ ir_raw_event_free(dev);
+ out_minor:
+- ida_simple_remove(&rc_ida, minor);
++ ida_free(&rc_ida, minor);
+ return rc;
+ }
+ EXPORT_SYMBOL_GPL(rc_register_device);
+@@ -2040,7 +2040,7 @@ void rc_unregister_device(struct rc_dev
+
+ device_del(&dev->dev);
+
+- ida_simple_remove(&rc_ida, dev->minor);
++ ida_free(&rc_ida, dev->minor);
+
+ if (!dev->managed_alloc)
+ rc_free_device(dev);
jbd2-ensure-that-all-ongoing-i-o-complete-before-freeing-blocks.patch
ext4-detect-invalid-inline_data-extents-flag-combination.patch
pwm-berlin-fix-wrong-register-in-suspend-resume.patch
+blk-crypto-fix-missing-blktrace-bio-split-events.patch
+btrfs-avoid-potential-out-of-bounds-in-btrfs_encode_fh.patch
+bus-mhi-host-do-not-use-uninitialized-dev-pointer-in-mhi_init_irq_setup.patch
+drm-exynos-exynos7_drm_decon-remove-ctx-suspended.patch
+media-rc-directly-use-ida_free.patch
+media-lirc-fix-error-handling-in-lirc_register.patch
+xen-events-update-virq_to_irq-on-migration.patch
--- /dev/null
+From stable+bounces-186348-greg=kroah.com@vger.kernel.org Fri Oct 17 16:54:26 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Oct 2025 10:50:07 -0400
+Subject: xen/events: Update virq_to_irq on migration
+To: stable@vger.kernel.org
+Cc: Jason Andryuk <jason.andryuk@amd.com>, Juergen Gross <jgross@suse.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251017145007.4008799-1-sashal@kernel.org>
+
+From: Jason Andryuk <jason.andryuk@amd.com>
+
+[ Upstream commit 3fcc8e146935415d69ffabb5df40ecf50e106131 ]
+
+VIRQs come in 3 flavors, per-VPU, per-domain, and global, and the VIRQs
+are tracked in per-cpu virq_to_irq arrays.
+
+Per-domain and global VIRQs must be bound on CPU 0, and
+bind_virq_to_irq() sets the per_cpu virq_to_irq at registration time
+Later, the interrupt can migrate, and info->cpu is updated. When
+calling __unbind_from_irq(), the per-cpu virq_to_irq is cleared for a
+different cpu. If bind_virq_to_irq() is called again with CPU 0, the
+stale irq is returned. There won't be any irq_info for the irq, so
+things break.
+
+Make xen_rebind_evtchn_to_cpu() update the per_cpu virq_to_irq mappings
+to keep them update to date with the current cpu. This ensures the
+correct virq_to_irq is cleared in __unbind_from_irq().
+
+Fixes: e46cdb66c8fc ("xen: event channels")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jason Andryuk <jason.andryuk@amd.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Message-ID: <20250828003604.8949-4-jason.andryuk@amd.com>
+[ Adjust context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/xen/events/events_base.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/drivers/xen/events/events_base.c
++++ b/drivers/xen/events/events_base.c
+@@ -1746,9 +1746,20 @@ static int xen_rebind_evtchn_to_cpu(stru
+ * virq or IPI channel, which don't actually need to be rebound. Ignore
+ * it, but don't do the xenlinux-level rebind in that case.
+ */
+- if (HYPERVISOR_event_channel_op(EVTCHNOP_bind_vcpu, &bind_vcpu) >= 0)
++ if (HYPERVISOR_event_channel_op(EVTCHNOP_bind_vcpu, &bind_vcpu) >= 0) {
++ int old_cpu = info->cpu;
++
+ bind_evtchn_to_cpu(evtchn, tcpu);
+
++ if (info->type == IRQT_VIRQ) {
++ int virq = info->u.virq;
++ int irq = per_cpu(virq_to_irq, old_cpu)[virq];
++
++ per_cpu(virq_to_irq, old_cpu)[virq] = -1;
++ per_cpu(virq_to_irq, tcpu)[virq] = irq;
++ }
++ }
++
+ do_unmask(info, EVT_MASK_REASON_TEMPORARY);
+
+ return 0;
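Review bot: In the IRQT_VIRQ block the value moved to the new CPU is whatever per_cpu(virq_to_irq, old_cpu)[virq] currently holds, with no check that the slot belongs to this info. If the old slot is already -1, then -1 is copied into the tcpu slot without any warning. Consider a WARN_ON() when the value read is negative, or storing the irq known for this info instead of the value read back from the old slot. A note on which lock protects the two per_cpu writes would also help.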