--- /dev/null
+From stable+bounces-164977-greg=kroah.com@vger.kernel.org Mon Jul 28 16:51:59 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Jul 2025 10:51:25 -0400
+Subject: ARM: 9448/1: Use an absolute path to unified.h in KBUILD_AFLAGS
+To: stable@vger.kernel.org
+Cc: Nathan Chancellor <nathan@kernel.org>, KernelCI bot <bot@kernelci.org>, Masahiro Yamada <masahiroy@kernel.org>, Russell King <rmk+kernel@armlinux.org.uk>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250728145125.2340542-1-sashal@kernel.org>
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+[ Upstream commit 87c4e1459e80bf65066f864c762ef4dc932fad4b ]
+
+After commit d5c8d6e0fa61 ("kbuild: Update assembler calls to use proper
+flags and language target"), which updated as-instr to use the
+'assembler-with-cpp' language option, the Kbuild version of as-instr
+always fails internally for arch/arm with
+
+ <command-line>: fatal error: asm/unified.h: No such file or directory
+ compilation terminated.
+
+because '-include' flags are now taken into account by the compiler
+driver and as-instr does not have '$(LINUXINCLUDE)', so unified.h is not
+found.
+
+This went unnoticed at the time of the Kbuild change because the last
+use of as-instr in Kbuild that arch/arm could reach was removed in 5.7
+by commit 541ad0150ca4 ("arm: Remove 32bit KVM host support") but a
+stable backport of the Kbuild change to before that point exposed this
+potential issue if one were to be reintroduced.
+
+Follow the general pattern of '-include' paths throughout the tree and
+make unified.h absolute using '$(srctree)' to ensure KBUILD_AFLAGS can
+be used independently.
+
+Closes: https://lore.kernel.org/CACo-S-1qbCX4WAVFA63dWfHtrRHZBTyyr2js8Lx=Az03XHTTHg@mail.gmail.com/
+
+Cc: stable@vger.kernel.org
+Fixes: d5c8d6e0fa61 ("kbuild: Update assembler calls to use proper flags and language target")
+Reported-by: KernelCI bot <bot@kernelci.org>
+Reviewed-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+[ adapted to missing -Wa ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/Makefile
++++ b/arch/arm/Makefile
+@@ -133,7 +133,7 @@ endif
+
+ # Need -Uarm for gcc < 3.x
+ KBUILD_CFLAGS +=$(CFLAGS_ABI) $(CFLAGS_ISA) $(arch-y) $(tune-y) $(call cc-option,-mshort-load-bytes,$(call cc-option,-malignment-traps,)) -msoft-float -Uarm
+-KBUILD_AFLAGS +=$(CFLAGS_ABI) $(AFLAGS_ISA) $(arch-y) $(tune-y) -include asm/unified.h -msoft-float
++KBUILD_AFLAGS +=$(CFLAGS_ABI) $(AFLAGS_ISA) $(arch-y) $(tune-y) -include $(srctree)/arch/arm/include/asm/unified.h -msoft-float
+
+ CHECKFLAGS += -D__arm__
+
--- /dev/null
+From stable+bounces-165060-greg=kroah.com@vger.kernel.org Tue Jul 29 14:24:51 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Jul 2025 08:24:21 -0400
+Subject: arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack()
+To: stable@vger.kernel.org
+Cc: Ada Couprie Diaz <ada.coupriediaz@arm.com>, Cristian Prundeanu <cpru@amazon.com>, Will Deacon <will@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250729122421.2688525-1-sashal@kernel.org>
+
+From: Ada Couprie Diaz <ada.coupriediaz@arm.com>
+
+[ Upstream commit d42e6c20de6192f8e4ab4cf10be8c694ef27e8cb ]
+
+`cpu_switch_to()` and `call_on_irq_stack()` manipulate SP to change
+to different stacks along with the Shadow Call Stack if it is enabled.
+Those two stack changes cannot be done atomically and both functions
+can be interrupted by SErrors or Debug Exceptions which, though unlikely,
+is very much broken : if interrupted, we can end up with mismatched stacks
+and Shadow Call Stack leading to clobbered stacks.
+
+In `cpu_switch_to()`, it can happen when SP_EL0 points to the new task,
+but x18 stills points to the old task's SCS. When the interrupt handler
+tries to save the task's SCS pointer, it will save the old task
+SCS pointer (x18) into the new task struct (pointed to by SP_EL0),
+clobbering it.
+
+In `call_on_irq_stack()`, it can happen when switching from the task stack
+to the IRQ stack and when switching back. In both cases, we can be
+interrupted when the SCS pointer points to the IRQ SCS, but SP points to
+the task stack. The nested interrupt handler pushes its return addresses
+on the IRQ SCS. It then detects that SP points to the task stack,
+calls `call_on_irq_stack()` and clobbers the task SCS pointer with
+the IRQ SCS pointer, which it will also use !
+
+This leads to tasks returning to addresses on the wrong SCS,
+or even on the IRQ SCS, triggering kernel panics via CONFIG_VMAP_STACK
+or FPAC if enabled.
+
+This is possible on a default config, but unlikely.
+However, when enabling CONFIG_ARM64_PSEUDO_NMI, DAIF is unmasked and
+instead the GIC is responsible for filtering what interrupts the CPU
+should receive based on priority.
+Given the goal of emulating NMIs, pseudo-NMIs can be received by the CPU
+even in `cpu_switch_to()` and `call_on_irq_stack()`, possibly *very*
+frequently depending on the system configuration and workload, leading
+to unpredictable kernel panics.
+
+Completely mask DAIF in `cpu_switch_to()` and restore it when returning.
+Do the same in `call_on_irq_stack()`, but restore and mask around
+the branch.
+Mask DAIF even if CONFIG_SHADOW_CALL_STACK is not enabled for consistency
+of behaviour between all configurations.
+
+Introduce and use an assembly macro for saving and masking DAIF,
+as the existing one saves but only masks IF.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Ada Couprie Diaz <ada.coupriediaz@arm.com>
+Reported-by: Cristian Prundeanu <cpru@amazon.com>
+Fixes: 59b37fe52f49 ("arm64: Stash shadow stack pointer in the task struct on interrupt")
+Tested-by: Cristian Prundeanu <cpru@amazon.com>
+Acked-by: Will Deacon <will@kernel.org>
+Link: https://lore.kernel.org/r/20250718142814.133329-1-ada.coupriediaz@arm.com
+Signed-off-by: Will Deacon <will@kernel.org>
+[ removed duplicate save_and_disable_daif macro ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/entry.S | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/arch/arm64/kernel/entry.S
++++ b/arch/arm64/kernel/entry.S
+@@ -827,6 +827,7 @@ SYM_CODE_END(__bp_harden_el1_vectors)
+ *
+ */
+ SYM_FUNC_START(cpu_switch_to)
++ save_and_disable_daif x11
+ mov x10, #THREAD_CPU_CONTEXT
+ add x8, x0, x10
+ mov x9, sp
+@@ -850,6 +851,7 @@ SYM_FUNC_START(cpu_switch_to)
+ ptrauth_keys_install_kernel x1, x8, x9, x10
+ scs_save x0
+ scs_load_current
++ restore_irq x11
+ ret
+ SYM_FUNC_END(cpu_switch_to)
+ NOKPROBE(cpu_switch_to)
+@@ -876,6 +878,7 @@ NOKPROBE(ret_from_fork)
+ * Calls func(regs) using this CPU's irq stack and shadow irq stack.
+ */
+ SYM_FUNC_START(call_on_irq_stack)
++ save_and_disable_daif x9
+ #ifdef CONFIG_SHADOW_CALL_STACK
+ get_current_task x16
+ scs_save x16
+@@ -890,8 +893,10 @@ SYM_FUNC_START(call_on_irq_stack)
+
+ /* Move to the new stack and call the function there */
+ add sp, x16, #IRQ_STACK_SIZE
++ restore_irq x9
+ blr x1
+
++ save_and_disable_daif x9
+ /*
+ * Restore the SP from the FP, and restore the FP and LR from the frame
+ * record.
+@@ -899,6 +904,7 @@ SYM_FUNC_START(call_on_irq_stack)
+ mov sp, x29
+ ldp x29, x30, [sp], #16
+ scs_load_current
++ restore_irq x9
+ ret
+ SYM_FUNC_END(call_on_irq_stack)
+ NOKPROBE(call_on_irq_stack)
--- /dev/null
+From stable+bounces-172201-greg=kroah.com@vger.kernel.org Thu Aug 21 18:54:54 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Aug 2025 12:52:24 -0400
+Subject: ata: Fix SATA_MOBILE_LPM_POLICY description in Kconfig
+To: stable@vger.kernel.org
+Cc: Damien Le Moal <dlemoal@kernel.org>, Hannes Reinecke <hare@suse.de>, Niklas Cassel <cassel@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250821165224.842834-1-sashal@kernel.org>
+
+From: Damien Le Moal <dlemoal@kernel.org>
+
+[ Upstream commit ed62a62a18bc144f73eadf866ae46842e8f6606e ]
+
+Improve the description of the possible default SATA link power
+management policies and add the missing description for policy 5.
+No functional changes.
+
+Fixes: a5ec5a7bfd1f ("ata: ahci: Support state with min power but Partial low power state")
+Cc: stable@vger.kernel.org
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Reviewed-by: Niklas Cassel <cassel@kernel.org>
+[ Adjust context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/Kconfig | 33 +++++++++++++++++++++++++--------
+ 1 file changed, 25 insertions(+), 8 deletions(-)
+
+--- a/drivers/ata/Kconfig
++++ b/drivers/ata/Kconfig
+@@ -117,7 +117,7 @@ config SATA_AHCI
+
+ config SATA_MOBILE_LPM_POLICY
+ int "Default SATA Link Power Management policy for low power chipsets"
+- range 0 4
++ range 0 5
+ default 0
+ depends on SATA_AHCI
+ help
+@@ -126,15 +126,32 @@ config SATA_MOBILE_LPM_POLICY
+ chipsets are typically found on most laptops but desktops and
+ servers now also widely use chipsets supporting low power modes.
+
+- The value set has the following meanings:
++ Each policy combines power saving states and features:
++ - Partial: The Phy logic is powered but is in a reduced power
++ state. The exit latency from this state is no longer than
++ 10us).
++ - Slumber: The Phy logic is powered but is in an even lower power
++ state. The exit latency from this state is potentially
++ longer, but no longer than 10ms.
++ - DevSleep: The Phy logic may be powered down. The exit latency from
++ this state is no longer than 20 ms, unless otherwise
++ specified by DETO in the device Identify Device Data log.
++ - HIPM: Host Initiated Power Management (host automatically
++ transitions to partial and slumber).
++ - DIPM: Device Initiated Power Management (device automatically
++ transitions to partial and slumber).
++
++ The possible values for the default SATA link power management
++ policies are:
+ 0 => Keep firmware settings
+- 1 => Maximum performance
+- 2 => Medium power
+- 3 => Medium power with Device Initiated PM enabled
+- 4 => Minimum power
++ 1 => No power savings (maximum performance)
++ 2 => HIPM (Partial)
++ 3 => HIPM (Partial) and DIPM (Partial and Slumber)
++ 4 => HIPM (Partial and DevSleep) and DIPM (Partial and Slumber)
++ 5 => HIPM (Slumber and DevSleep) and DIPM (Partial and Slumber)
+
+- Note "Minimum power" is known to cause issues, including disk
+- corruption, with some disks and should not be used.
++ Excluding the value 0, higher values represent policies with higher
++ power savings.
+
+ config SATA_AHCI_PLATFORM
+ tristate "Platform AHCI SATA support"
--- /dev/null
+From stable+bounces-169843-greg=kroah.com@vger.kernel.org Sat Aug 16 05:48:12 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Aug 2025 23:47:58 -0400
+Subject: block: Make REQ_OP_ZONE_FINISH a write operation
+To: stable@vger.kernel.org
+Cc: Damien Le Moal <dlemoal@kernel.org>, Bart Van Assche <bvanassche@acm.org>, Johannes Thumshirn <johannes.thumshirn@wdc.com>, Christoph Hellwig <hch@lst.de>, Jens Axboe <axboe@kernel.dk>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250816034758.666065-2-sashal@kernel.org>
+
+From: Damien Le Moal <dlemoal@kernel.org>
+
+[ Upstream commit 3f66ccbaaef3a0c5bd844eab04e3207b4061c546 ]
+
+REQ_OP_ZONE_FINISH is defined as "12", which makes
+op_is_write(REQ_OP_ZONE_FINISH) return false, despite the fact that a
+zone finish operation is an operation that modifies a zone (transition
+it to full) and so should be considered as a write operation (albeit
+one that does not transfer any data to the device).
+
+Fix this by redefining REQ_OP_ZONE_FINISH to be an odd number (13), and
+redefine REQ_OP_ZONE_RESET and REQ_OP_ZONE_RESET_ALL using sequential
+odd numbers from that new value.
+
+Fixes: 6c1b1da58f8c ("block: add zone open, close and finish operations")
+Cc: stable@vger.kernel.org
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20250625093327.548866-2-dlemoal@kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/blk_types.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/include/linux/blk_types.h
++++ b/include/linux/blk_types.h
+@@ -375,11 +375,11 @@ enum req_op {
+ /* Close a zone */
+ REQ_OP_ZONE_CLOSE = (__force blk_opf_t)11,
+ /* Transition a zone to full */
+- REQ_OP_ZONE_FINISH = (__force blk_opf_t)12,
++ REQ_OP_ZONE_FINISH = (__force blk_opf_t)13,
+ /* reset a zone write pointer */
+- REQ_OP_ZONE_RESET = (__force blk_opf_t)13,
++ REQ_OP_ZONE_RESET = (__force blk_opf_t)15,
+ /* reset all the zone present on the device */
+- REQ_OP_ZONE_RESET_ALL = (__force blk_opf_t)15,
++ REQ_OP_ZONE_RESET_ALL = (__force blk_opf_t)17,
+
+ /* Driver private requests */
+ REQ_OP_DRV_IN = (__force blk_opf_t)34,
--- /dev/null
+From stable+bounces-169842-greg=kroah.com@vger.kernel.org Sat Aug 16 05:49:42 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Aug 2025 23:47:57 -0400
+Subject: block: reject invalid operation in submit_bio_noacct
+To: stable@vger.kernel.org
+Cc: Christoph Hellwig <hch@lst.de>, Jens Axboe <axboe@kernel.dk>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250816034758.666065-1-sashal@kernel.org>
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 1c042f8d4bc342b7985b1de3d76836f1a1083b65 ]
+
+submit_bio_noacct allows completely invalid operations, or operations
+that are not supported in the bio path. Extent the existing switch
+statement to rejcect all invalid types.
+
+Move the code point for REQ_OP_ZONE_APPEND so that it's not right in the
+middle of the zone management operations and the switch statement can
+follow the numerical order of the operations.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20231221070538.1112446-1-hch@lst.de
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Stable-dep-of: 3f66ccbaaef3 ("block: Make REQ_OP_ZONE_FINISH a write operation")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-core.c | 26 +++++++++++++++++++++-----
+ include/linux/blk_types.h | 8 ++++----
+ 2 files changed, 25 insertions(+), 9 deletions(-)
+
+--- a/block/blk-core.c
++++ b/block/blk-core.c
+@@ -755,6 +755,15 @@ void submit_bio_noacct(struct bio *bio)
+ bio_clear_polled(bio);
+
+ switch (bio_op(bio)) {
++ case REQ_OP_READ:
++ case REQ_OP_WRITE:
++ break;
++ case REQ_OP_FLUSH:
++ /*
++ * REQ_OP_FLUSH can't be submitted through bios, it is only
++ * synthetized in struct request by the flush state machine.
++ */
++ goto not_supported;
+ case REQ_OP_DISCARD:
+ if (!bdev_max_discard_sectors(bdev))
+ goto not_supported;
+@@ -768,6 +777,10 @@ void submit_bio_noacct(struct bio *bio)
+ if (status != BLK_STS_OK)
+ goto end_io;
+ break;
++ case REQ_OP_WRITE_ZEROES:
++ if (!q->limits.max_write_zeroes_sectors)
++ goto not_supported;
++ break;
+ case REQ_OP_ZONE_RESET:
+ case REQ_OP_ZONE_OPEN:
+ case REQ_OP_ZONE_CLOSE:
+@@ -779,12 +792,15 @@ void submit_bio_noacct(struct bio *bio)
+ if (!bdev_is_zoned(bio->bi_bdev) || !blk_queue_zone_resetall(q))
+ goto not_supported;
+ break;
+- case REQ_OP_WRITE_ZEROES:
+- if (!q->limits.max_write_zeroes_sectors)
+- goto not_supported;
+- break;
++ case REQ_OP_DRV_IN:
++ case REQ_OP_DRV_OUT:
++ /*
++ * Driver private operations are only used with passthrough
++ * requests.
++ */
++ fallthrough;
+ default:
+- break;
++ goto not_supported;
+ }
+
+ if (blk_throtl_bio(bio))
+--- a/include/linux/blk_types.h
++++ b/include/linux/blk_types.h
+@@ -366,6 +366,8 @@ enum req_op {
+ REQ_OP_DISCARD = (__force blk_opf_t)3,
+ /* securely erase sectors */
+ REQ_OP_SECURE_ERASE = (__force blk_opf_t)5,
++ /* write data at the current zone write pointer */
++ REQ_OP_ZONE_APPEND = (__force blk_opf_t)7,
+ /* write the zero filled sector many times */
+ REQ_OP_WRITE_ZEROES = (__force blk_opf_t)9,
+ /* Open a zone */
+@@ -374,12 +376,10 @@ enum req_op {
+ REQ_OP_ZONE_CLOSE = (__force blk_opf_t)11,
+ /* Transition a zone to full */
+ REQ_OP_ZONE_FINISH = (__force blk_opf_t)12,
+- /* write data at the current zone write pointer */
+- REQ_OP_ZONE_APPEND = (__force blk_opf_t)13,
+ /* reset a zone write pointer */
+- REQ_OP_ZONE_RESET = (__force blk_opf_t)15,
++ REQ_OP_ZONE_RESET = (__force blk_opf_t)13,
+ /* reset all the zone present on the device */
+- REQ_OP_ZONE_RESET_ALL = (__force blk_opf_t)17,
++ REQ_OP_ZONE_RESET_ALL = (__force blk_opf_t)15,
+
+ /* Driver private requests */
+ REQ_OP_DRV_IN = (__force blk_opf_t)34,
--- /dev/null
+From stable+bounces-171707-greg=kroah.com@vger.kernel.org Tue Aug 19 03:36:30 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Aug 2025 21:34:31 -0400
+Subject: btrfs: abort transaction on unexpected eb generation at btrfs_copy_root()
+To: stable@vger.kernel.org
+Cc: Filipe Manana <fdmanana@suse.com>, Daniel Vacek <neelx@suse.com>, Qu Wenruo <wqu@suse.com>, David Sterba <dsterba@suse.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250819013431.249337-1-sashal@kernel.org>
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 33e8f24b52d2796b8cfb28c19a1a7dd6476323a8 ]
+
+If we find an unexpected generation for the extent buffer we are cloning
+at btrfs_copy_root(), we just WARN_ON() and don't error out and abort the
+transaction, meaning we allow to persist metadata with an unexpected
+generation. Instead of warning only, abort the transaction and return
+-EUCLEAN.
+
+CC: stable@vger.kernel.org # 6.1+
+Reviewed-by: Daniel Vacek <neelx@suse.com>
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/ctree.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/ctree.c
++++ b/fs/btrfs/ctree.c
+@@ -237,7 +237,14 @@ int btrfs_copy_root(struct btrfs_trans_h
+
+ write_extent_buffer_fsid(cow, fs_info->fs_devices->metadata_uuid);
+
+- WARN_ON(btrfs_header_generation(buf) > trans->transid);
++ if (unlikely(btrfs_header_generation(buf) > trans->transid)) {
++ btrfs_tree_unlock(cow);
++ free_extent_buffer(cow);
++ ret = -EUCLEAN;
++ btrfs_abort_transaction(trans, ret);
++ return ret;
++ }
++
+ if (new_root_objectid == BTRFS_TREE_RELOC_OBJECTID)
+ ret = btrfs_inc_ref(trans, root, cow, 1);
+ else
--- /dev/null
+From stable+bounces-164821-greg=kroah.com@vger.kernel.org Sat Jul 26 04:25:14 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Jul 2025 22:25:03 -0400
+Subject: btrfs: fix qgroup reservation leak on failure to allocate ordered extent
+To: stable@vger.kernel.org
+Cc: Filipe Manana <fdmanana@suse.com>, Boris Burkov <boris@bur.io>, Qu Wenruo <wqu@suse.com>, David Sterba <dsterba@suse.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250726022503.2023611-1-sashal@kernel.org>
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 1f2889f5594a2bc4c6a52634c4a51b93e785def5 ]
+
+If we fail to allocate an ordered extent for a COW write we end up leaking
+a qgroup data reservation since we called btrfs_qgroup_release_data() but
+we didn't call btrfs_qgroup_free_refroot() (which would happen when
+running the respective data delayed ref created by ordered extent
+completion or when finishing the ordered extent in case an error happened).
+
+So make sure we call btrfs_qgroup_free_refroot() if we fail to allocate an
+ordered extent for a COW write.
+
+Fixes: 7dbeaad0af7d ("btrfs: change timing for qgroup reserved space for ordered extents to fix reserved space leak")
+CC: stable@vger.kernel.org # 6.1+
+Reviewed-by: Boris Burkov <boris@bur.io>
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+[ adjust to code movements ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/ordered-data.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/fs/btrfs/ordered-data.c
++++ b/fs/btrfs/ordered-data.c
+@@ -173,9 +173,10 @@ int btrfs_add_ordered_extent(struct btrf
+ struct btrfs_ordered_extent *entry;
+ int ret;
+ u64 qgroup_rsv = 0;
++ const bool is_nocow = (flags &
++ ((1U << BTRFS_ORDERED_NOCOW) | (1U << BTRFS_ORDERED_PREALLOC)));
+
+- if (flags &
+- ((1 << BTRFS_ORDERED_NOCOW) | (1 << BTRFS_ORDERED_PREALLOC))) {
++ if (is_nocow) {
+ /* For nocow write, we can release the qgroup rsv right now */
+ ret = btrfs_qgroup_free_data(inode, NULL, file_offset, num_bytes, &qgroup_rsv);
+ if (ret < 0)
+@@ -191,8 +192,13 @@ int btrfs_add_ordered_extent(struct btrf
+ return ret;
+ }
+ entry = kmem_cache_zalloc(btrfs_ordered_extent_cache, GFP_NOFS);
+- if (!entry)
++ if (!entry) {
++ if (!is_nocow)
++ btrfs_qgroup_free_refroot(inode->root->fs_info,
++ btrfs_root_id(inode->root),
++ qgroup_rsv, BTRFS_QGROUP_RSV_DATA);
+ return -ENOMEM;
++ }
+
+ entry->file_offset = file_offset;
+ entry->num_bytes = num_bytes;
--- /dev/null
+From stable+bounces-171772-greg=kroah.com@vger.kernel.org Tue Aug 19 13:59:43 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Aug 2025 07:55:40 -0400
+Subject: btrfs: populate otime when logging an inode item
+To: stable@vger.kernel.org
+Cc: Qu Wenruo <wqu@suse.com>, Filipe Manana <fdmanana@suse.com>, David Sterba <dsterba@suse.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250819115540.449133-1-sashal@kernel.org>
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit 1ef94169db0958d6de39f9ea6e063ce887342e2d ]
+
+[TEST FAILURE WITH EXPERIMENTAL FEATURES]
+When running test case generic/508, the test case will fail with the new
+btrfs shutdown support:
+
+generic/508 - output mismatch (see /home/adam/xfstests/results//generic/508.out.bad)
+# --- tests/generic/508.out 2022-05-11 11:25:30.806666664 +0930
+# +++ /home/adam/xfstests/results//generic/508.out.bad 2025-07-02 14:53:22.401824212 +0930
+# @@ -1,2 +1,6 @@
+# QA output created by 508
+# Silence is golden
+# +Before:
+# +After : stat.btime = Thu Jan 1 09:30:00 1970
+# +Before:
+# +After : stat.btime = Wed Jul 2 14:53:22 2025
+# ...
+# (Run 'diff -u /home/adam/xfstests/tests/generic/508.out /home/adam/xfstests/results//generic/508.out.bad' to see the entire diff)
+Ran: generic/508
+Failures: generic/508
+Failed 1 of 1 tests
+
+Please note that the test case requires shutdown support, thus the test
+case will be skipped using the current upstream kernel, as it doesn't
+have shutdown ioctl support.
+
+[CAUSE]
+The direct cause the 0 time stamp in the log tree:
+
+leaf 30507008 items 2 free space 16057 generation 9 owner TREE_LOG
+leaf 30507008 flags 0x1(WRITTEN) backref revision 1
+checksum stored e522548d
+checksum calced e522548d
+fs uuid 57d45451-481e-43e4-aa93-289ad707a3a0
+chunk uuid d52bd3fd-5163-4337-98a7-7986993ad398
+ item 0 key (257 INODE_ITEM 0) itemoff 16123 itemsize 160
+ generation 9 transid 9 size 0 nbytes 0
+ block group 0 mode 100644 links 1 uid 0 gid 0 rdev 0
+ sequence 1 flags 0x0(none)
+ atime 1751432947.492000000 (2025-07-02 14:39:07)
+ ctime 1751432947.492000000 (2025-07-02 14:39:07)
+ mtime 1751432947.492000000 (2025-07-02 14:39:07)
+ otime 0.0 (1970-01-01 09:30:00) <<<
+
+But the old fs tree has all the correct time stamp:
+
+btrfs-progs v6.12
+fs tree key (FS_TREE ROOT_ITEM 0)
+leaf 30425088 items 2 free space 16061 generation 5 owner FS_TREE
+leaf 30425088 flags 0x1(WRITTEN) backref revision 1
+checksum stored 48f6c57e
+checksum calced 48f6c57e
+fs uuid 57d45451-481e-43e4-aa93-289ad707a3a0
+chunk uuid d52bd3fd-5163-4337-98a7-7986993ad398
+ item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160
+ generation 3 transid 0 size 0 nbytes 16384
+ block group 0 mode 40755 links 1 uid 0 gid 0 rdev 0
+ sequence 0 flags 0x0(none)
+ atime 1751432947.0 (2025-07-02 14:39:07)
+ ctime 1751432947.0 (2025-07-02 14:39:07)
+ mtime 1751432947.0 (2025-07-02 14:39:07)
+ otime 1751432947.0 (2025-07-02 14:39:07) <<<
+
+The root cause is that fill_inode_item() in tree-log.c is only
+populating a/c/m time, not the otime (or btime in statx output).
+
+Part of the reason is that, the vfs inode only has a/c/m time, no native
+btime support yet.
+
+[FIX]
+Thankfully btrfs has its otime stored in btrfs_inode::i_otime_sec and
+btrfs_inode::i_otime_nsec.
+
+So what we really need is just fill the otime time stamp in
+fill_inode_item() of tree-log.c
+
+There is another fill_inode_item() in inode.c, which is doing the proper
+otime population.
+
+Fixes: 94edf4ae43a5 ("Btrfs: don't bother committing delayed inode updates when fsyncing")
+CC: stable@vger.kernel.org
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+[ timespec changes in older tree ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tree-log.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -4210,6 +4210,11 @@ static void fill_inode_item(struct btrfs
+ btrfs_set_token_timespec_nsec(&token, &item->ctime,
+ inode->i_ctime.tv_nsec);
+
++ btrfs_set_token_timespec_sec(&token, &item->otime,
++ BTRFS_I(inode)->i_otime.tv_sec);
++ btrfs_set_token_timespec_nsec(&token, &item->otime,
++ BTRFS_I(inode)->i_otime.tv_nsec);
++
+ /*
+ * We do not need to set the nbytes field, in fact during a fast fsync
+ * its value may not even be correct, since a fast fsync does not wait
--- /dev/null
+From stable+bounces-171685-greg=kroah.com@vger.kernel.org Tue Aug 19 02:17:01 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Aug 2025 20:16:51 -0400
+Subject: btrfs: qgroup: fix race between quota disable and quota rescan ioctl
+To: stable@vger.kernel.org
+Cc: Filipe Manana <fdmanana@suse.com>, cen zhang <zzzccc427@gmail.com>, Boris Burkov <boris@bur.io>, Qu Wenruo <wqu@suse.com>, David Sterba <dsterba@suse.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250819001651.204498-1-sashal@kernel.org>
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit e1249667750399a48cafcf5945761d39fa584edf ]
+
+There's a race between a task disabling quotas and another running the
+rescan ioctl that can result in a use-after-free of qgroup records from
+the fs_info->qgroup_tree rbtree.
+
+This happens as follows:
+
+1) Task A enters btrfs_ioctl_quota_rescan() -> btrfs_qgroup_rescan();
+
+2) Task B enters btrfs_quota_disable() and calls
+ btrfs_qgroup_wait_for_completion(), which does nothing because at that
+ point fs_info->qgroup_rescan_running is false (it wasn't set yet by
+ task A);
+
+3) Task B calls btrfs_free_qgroup_config() which starts freeing qgroups
+ from fs_info->qgroup_tree without taking the lock fs_info->qgroup_lock;
+
+4) Task A enters qgroup_rescan_zero_tracking() which starts iterating
+ the fs_info->qgroup_tree tree while holding fs_info->qgroup_lock,
+ but task B is freeing qgroup records from that tree without holding
+ the lock, resulting in a use-after-free.
+
+Fix this by taking fs_info->qgroup_lock at btrfs_free_qgroup_config().
+Also at btrfs_qgroup_rescan() don't start the rescan worker if quotas
+were already disabled.
+
+Reported-by: cen zhang <zzzccc427@gmail.com>
+Link: https://lore.kernel.org/linux-btrfs/CAFRLqsV+cMDETFuzqdKSHk_FDm6tneea45krsHqPD6B3FetLpQ@mail.gmail.com/
+CC: stable@vger.kernel.org # 6.1+
+Reviewed-by: Boris Burkov <boris@bur.io>
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+[ Check for BTRFS_FS_QUOTA_ENABLED, instead of btrfs_qgroup_full_accounting() ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/qgroup.c | 31 ++++++++++++++++++++++++-------
+ 1 file changed, 24 insertions(+), 7 deletions(-)
+
+--- a/fs/btrfs/qgroup.c
++++ b/fs/btrfs/qgroup.c
+@@ -573,22 +573,30 @@ bool btrfs_check_quota_leak(struct btrfs
+
+ /*
+ * This is called from close_ctree() or open_ctree() or btrfs_quota_disable(),
+- * first two are in single-threaded paths.And for the third one, we have set
+- * quota_root to be null with qgroup_lock held before, so it is safe to clean
+- * up the in-memory structures without qgroup_lock held.
++ * first two are in single-threaded paths.
+ */
+ void btrfs_free_qgroup_config(struct btrfs_fs_info *fs_info)
+ {
+ struct rb_node *n;
+ struct btrfs_qgroup *qgroup;
+
++ /*
++ * btrfs_quota_disable() can be called concurrently with
++ * btrfs_qgroup_rescan() -> qgroup_rescan_zero_tracking(), so take the
++ * lock.
++ */
++ spin_lock(&fs_info->qgroup_lock);
+ while ((n = rb_first(&fs_info->qgroup_tree))) {
+ qgroup = rb_entry(n, struct btrfs_qgroup, node);
+ rb_erase(n, &fs_info->qgroup_tree);
+ __del_qgroup_rb(fs_info, qgroup);
++ spin_unlock(&fs_info->qgroup_lock);
+ btrfs_sysfs_del_one_qgroup(fs_info, qgroup);
+ kfree(qgroup);
++ spin_lock(&fs_info->qgroup_lock);
+ }
++ spin_unlock(&fs_info->qgroup_lock);
++
+ /*
+ * We call btrfs_free_qgroup_config() when unmounting
+ * filesystem and disabling quota, so we set qgroup_ulist
+@@ -3597,12 +3605,21 @@ btrfs_qgroup_rescan(struct btrfs_fs_info
+ qgroup_rescan_zero_tracking(fs_info);
+
+ mutex_lock(&fs_info->qgroup_rescan_lock);
+- fs_info->qgroup_rescan_running = true;
+- btrfs_queue_work(fs_info->qgroup_rescan_workers,
+- &fs_info->qgroup_rescan_work);
++ /*
++ * The rescan worker is only for full accounting qgroups, check if it's
++ * enabled as it is pointless to queue it otherwise. A concurrent quota
++ * disable may also have just cleared BTRFS_FS_QUOTA_ENABLED.
++ */
++ if (test_bit(BTRFS_FS_QUOTA_ENABLED, &fs_info->flags)) {
++ fs_info->qgroup_rescan_running = true;
++ btrfs_queue_work(fs_info->qgroup_rescan_workers,
++ &fs_info->qgroup_rescan_work);
++ } else {
++ ret = -ENOTCONN;
++ }
+ mutex_unlock(&fs_info->qgroup_rescan_lock);
+
+- return 0;
++ return ret;
+ }
+
+ int btrfs_qgroup_wait_for_completion(struct btrfs_fs_info *fs_info,
--- /dev/null
+From stable+bounces-171741-greg=kroah.com@vger.kernel.org Tue Aug 19 05:18:57 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Aug 2025 23:18:42 -0400
+Subject: btrfs: send: use fallocate for hole punching with send stream v2
+To: stable@vger.kernel.org
+Cc: Filipe Manana <fdmanana@suse.com>, Boris Burkov <boris@bur.io>, David Sterba <dsterba@suse.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250819031842.309897-1-sashal@kernel.org>
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 005b0a0c24e1628313e951516b675109a92cacfe ]
+
+Currently holes are sent as writes full of zeroes, which results in
+unnecessarily using disk space at the receiving end and increasing the
+stream size.
+
+In some cases we avoid sending writes of zeroes, like during a full
+send operation where we just skip writes for holes.
+
+But for some cases we fill previous holes with writes of zeroes too, like
+in this scenario:
+
+1) We have a file with a hole in the range [2M, 3M), we snapshot the
+ subvolume and do a full send. The range [2M, 3M) stays as a hole at
+ the receiver since we skip sending write commands full of zeroes;
+
+2) We punch a hole for the range [3M, 4M) in our file, so that now it
+ has a 2M hole in the range [2M, 4M), and snapshot the subvolume.
+ Now if we do an incremental send, we will send write commands full
+ of zeroes for the range [2M, 4M), removing the hole for [2M, 3M) at
+ the receiver.
+
+We could improve cases such as this last one by doing additional
+comparisons of file extent items (or their absence) between the parent
+and send snapshots, but that's a lot of code to add plus additional CPU
+and IO costs.
+
+Since the send stream v2 already has a fallocate command and btrfs-progs
+implements a callback to execute fallocate since the send stream v2
+support was added to it, update the kernel to use fallocate for punching
+holes for V2+ streams.
+
+Test coverage is provided by btrfs/284 which is a version of btrfs/007
+that exercises send stream v2 instead of v1, using fsstress with random
+operations and fssum to verify file contents.
+
+Link: https://github.com/kdave/btrfs-progs/issues/1001
+CC: stable@vger.kernel.org # 6.1+
+Reviewed-by: Boris Burkov <boris@bur.io>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+[ Replaced get_cur_inode_path() with fs_path_alloc() and get_cur_path() ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/send.c | 39 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 39 insertions(+)
+
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -4,6 +4,7 @@
+ */
+
+ #include <linux/bsearch.h>
++#include <linux/falloc.h>
+ #include <linux/fs.h>
+ #include <linux/file.h>
+ #include <linux/sort.h>
+@@ -5231,6 +5232,36 @@ out:
+ return ret;
+ }
+
++static int send_fallocate(struct send_ctx *sctx, u32 mode, u64 offset, u64 len)
++{
++ struct fs_path *p;
++ int ret;
++
++ p = fs_path_alloc();
++ if (!p)
++ return -ENOMEM;
++
++ ret = get_cur_path(sctx, sctx->cur_ino, sctx->cur_inode_gen, p);
++ if (ret < 0)
++ goto out;
++
++ ret = begin_cmd(sctx, BTRFS_SEND_C_FALLOCATE);
++ if (ret < 0)
++ goto out;
++
++ TLV_PUT_PATH(sctx, BTRFS_SEND_A_PATH, p);
++ TLV_PUT_U32(sctx, BTRFS_SEND_A_FALLOCATE_MODE, mode);
++ TLV_PUT_U64(sctx, BTRFS_SEND_A_FILE_OFFSET, offset);
++ TLV_PUT_U64(sctx, BTRFS_SEND_A_SIZE, len);
++
++ ret = send_cmd(sctx);
++
++tlv_put_failure:
++out:
++ fs_path_free(p);
++ return ret;
++}
++
+ static int send_hole(struct send_ctx *sctx, u64 end)
+ {
+ struct fs_path *p = NULL;
+@@ -5239,6 +5270,14 @@ static int send_hole(struct send_ctx *sc
+ int ret = 0;
+
+ /*
++ * Starting with send stream v2 we have fallocate and can use it to
++ * punch holes instead of sending writes full of zeroes.
++ */
++ if (proto_cmd_ok(sctx, BTRFS_SEND_C_FALLOCATE))
++ return send_fallocate(sctx, FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE,
++ offset, end - offset);
++
++ /*
+ * A hole that starts at EOF or beyond it. Since we do not yet support
+ * fallocate (for extent preallocation and hole punching), sending a
+ * write of zeroes starting at EOF or beyond would later require issuing
--- /dev/null
+From stable+bounces-171637-greg=kroah.com@vger.kernel.org Mon Aug 18 20:41:41 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Aug 2025 14:40:33 -0400
+Subject: cifs: reset iface weights when we cannot find a candidate
+To: stable@vger.kernel.org
+Cc: Shyam Prasad N <sprasad@microsoft.com>, Steve French <stfrench@microsoft.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250818184033.23573-1-sashal@kernel.org>
+
+From: Shyam Prasad N <sprasad@microsoft.com>
+
+[ Upstream commit 9d5eff7821f6d70f7d1b4d8a60680fba4de868a7 ]
+
+We now do a weighted selection of server interfaces when allocating
+new channels. The weights are decided based on the speed advertised.
+The fulfilled weight for an interface is a counter that is used to
+track the interface selection. It should be reset back to zero once
+all interfaces fulfilling their weight.
+
+In cifs_chan_update_iface, this reset logic was missing. As a result
+when the server interface list changes, the client may not be able
+to find a new candidate for other channels after all interfaces have
+been fulfilled.
+
+Fixes: a6d8fb54a515 ("cifs: distribute channels across interfaces based on speed")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Shyam Prasad N <sprasad@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+[ Kept both int rc and int retry variables ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/sess.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/fs/smb/client/sess.c
++++ b/fs/smb/client/sess.c
+@@ -292,6 +292,7 @@ cifs_chan_update_iface(struct cifs_ses *
+ struct cifs_server_iface *last_iface = NULL;
+ struct sockaddr_storage ss;
+ int rc = 0;
++ int retry = 0;
+
+ spin_lock(&ses->chan_lock);
+ chan_index = cifs_ses_get_chan_index(ses, server);
+@@ -320,6 +321,7 @@ cifs_chan_update_iface(struct cifs_ses *
+ return 0;
+ }
+
++try_again:
+ last_iface = list_last_entry(&ses->iface_list, struct cifs_server_iface,
+ iface_head);
+ iface_min_speed = last_iface->speed;
+@@ -358,6 +360,13 @@ cifs_chan_update_iface(struct cifs_ses *
+
+ if (list_entry_is_head(iface, &ses->iface_list, iface_head)) {
+ rc = 1;
++ list_for_each_entry(iface, &ses->iface_list, iface_head)
++ iface->weight_fulfilled = 0;
++
++ /* see if it can be satisfied in second attempt */
++ if (!retry++)
++ goto try_again;
++
+ iface = NULL;
+ cifs_dbg(FYI, "unable to find a suitable iface\n");
+ }
--- /dev/null
+From stable+bounces-165094-greg=kroah.com@vger.kernel.org Tue Jul 29 17:53:59 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Jul 2025 11:53:49 -0400
+Subject: drm/sched: Remove optimization that causes hang when killing dependent jobs
+To: stable@vger.kernel.org
+Cc: "Lin.Cao" <lincao12@amd.com>, "Christian König" <christian.koenig@amd.com>, "Philipp Stanner" <phasta@kernel.org>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250729155349.2739128-1-sashal@kernel.org>
+
+From: "Lin.Cao" <lincao12@amd.com>
+
+[ Upstream commit 15f77764e90a713ee3916ca424757688e4f565b9 ]
+
+When application A submits jobs and application B submits a job with a
+dependency on A's fence, the normal flow wakes up the scheduler after
+processing each job. However, the optimization in
+drm_sched_entity_add_dependency_cb() uses a callback that only clears
+dependencies without waking up the scheduler.
+
+When application A is killed before its jobs can run, the callback gets
+triggered but only clears the dependency without waking up the scheduler,
+causing the scheduler to enter sleep state and application B to hang.
+
+Remove the optimization by deleting drm_sched_entity_clear_dep() and its
+usage, ensuring the scheduler is always woken up when dependencies are
+cleared.
+
+Fixes: 777dbd458c89 ("drm/amdgpu: drop a dummy wakeup scheduler")
+Cc: stable@vger.kernel.org # v4.6+
+Signed-off-by: Lin.Cao <lincao12@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Philipp Stanner <phasta@kernel.org>
+Link: https://lore.kernel.org/r/20250717084453.921097-1-lincao12@amd.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/scheduler/sched_entity.c | 21 ++-------------------
+ 1 file changed, 2 insertions(+), 19 deletions(-)
+
+--- a/drivers/gpu/drm/scheduler/sched_entity.c
++++ b/drivers/gpu/drm/scheduler/sched_entity.c
+@@ -327,17 +327,6 @@ void drm_sched_entity_destroy(struct drm
+ }
+ EXPORT_SYMBOL(drm_sched_entity_destroy);
+
+-/* drm_sched_entity_clear_dep - callback to clear the entities dependency */
+-static void drm_sched_entity_clear_dep(struct dma_fence *f,
+- struct dma_fence_cb *cb)
+-{
+- struct drm_sched_entity *entity =
+- container_of(cb, struct drm_sched_entity, cb);
+-
+- entity->dependency = NULL;
+- dma_fence_put(f);
+-}
+-
+ /*
+ * drm_sched_entity_clear_dep - callback to clear the entities dependency and
+ * wake up scheduler
+@@ -348,7 +337,8 @@ static void drm_sched_entity_wakeup(stru
+ struct drm_sched_entity *entity =
+ container_of(cb, struct drm_sched_entity, cb);
+
+- drm_sched_entity_clear_dep(f, cb);
++ entity->dependency = NULL;
++ dma_fence_put(f);
+ drm_sched_wakeup(entity->rq->sched);
+ }
+
+@@ -401,13 +391,6 @@ static bool drm_sched_entity_add_depende
+ fence = dma_fence_get(&s_fence->scheduled);
+ dma_fence_put(entity->dependency);
+ entity->dependency = fence;
+- if (!dma_fence_add_callback(fence, &entity->cb,
+- drm_sched_entity_clear_dep))
+- return true;
+-
+- /* Ignore it when it is already scheduled */
+- dma_fence_put(fence);
+- return false;
+ }
+
+ if (!dma_fence_add_callback(entity->dependency, &entity->cb,
--- /dev/null
+From stable+bounces-164650-greg=kroah.com@vger.kernel.org Thu Jul 24 19:09:26 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jul 2025 13:09:12 -0400
+Subject: f2fs: fix to do sanity check on ino and xnid
+To: stable@vger.kernel.org
+Cc: Chao Yu <chao@kernel.org>, syzbot+cc448dcdc7ae0b4e4ffa@syzkaller.appspotmail.com, Jaegeuk Kim <jaegeuk@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250724170912.1405261-1-sashal@kernel.org>
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 061cf3a84bde038708eb0f1d065b31b7c2456533 ]
+
+syzbot reported a f2fs bug as below:
+
+INFO: task syz-executor140:5308 blocked for more than 143 seconds.
+ Not tainted 6.14.0-rc7-syzkaller-00069-g81e4f8d68c66 #0
+"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+task:syz-executor140 state:D stack:24016 pid:5308 tgid:5308 ppid:5306 task_flags:0x400140 flags:0x00000006
+Call Trace:
+ <TASK>
+ context_switch kernel/sched/core.c:5378 [inline]
+ __schedule+0x190e/0x4c90 kernel/sched/core.c:6765
+ __schedule_loop kernel/sched/core.c:6842 [inline]
+ schedule+0x14b/0x320 kernel/sched/core.c:6857
+ io_schedule+0x8d/0x110 kernel/sched/core.c:7690
+ folio_wait_bit_common+0x839/0xee0 mm/filemap.c:1317
+ __folio_lock mm/filemap.c:1664 [inline]
+ folio_lock include/linux/pagemap.h:1163 [inline]
+ __filemap_get_folio+0x147/0xb40 mm/filemap.c:1917
+ pagecache_get_page+0x2c/0x130 mm/folio-compat.c:87
+ find_get_page_flags include/linux/pagemap.h:842 [inline]
+ f2fs_grab_cache_page+0x2b/0x320 fs/f2fs/f2fs.h:2776
+ __get_node_page+0x131/0x11b0 fs/f2fs/node.c:1463
+ read_xattr_block+0xfb/0x190 fs/f2fs/xattr.c:306
+ lookup_all_xattrs fs/f2fs/xattr.c:355 [inline]
+ f2fs_getxattr+0x676/0xf70 fs/f2fs/xattr.c:533
+ __f2fs_get_acl+0x52/0x870 fs/f2fs/acl.c:179
+ f2fs_acl_create fs/f2fs/acl.c:375 [inline]
+ f2fs_init_acl+0xd7/0x9b0 fs/f2fs/acl.c:418
+ f2fs_init_inode_metadata+0xa0f/0x1050 fs/f2fs/dir.c:539
+ f2fs_add_inline_entry+0x448/0x860 fs/f2fs/inline.c:666
+ f2fs_add_dentry+0xba/0x1e0 fs/f2fs/dir.c:765
+ f2fs_do_add_link+0x28c/0x3a0 fs/f2fs/dir.c:808
+ f2fs_add_link fs/f2fs/f2fs.h:3616 [inline]
+ f2fs_mknod+0x2e8/0x5b0 fs/f2fs/namei.c:766
+ vfs_mknod+0x36d/0x3b0 fs/namei.c:4191
+ unix_bind_bsd net/unix/af_unix.c:1286 [inline]
+ unix_bind+0x563/0xe30 net/unix/af_unix.c:1379
+ __sys_bind_socket net/socket.c:1817 [inline]
+ __sys_bind+0x1e4/0x290 net/socket.c:1848
+ __do_sys_bind net/socket.c:1853 [inline]
+ __se_sys_bind net/socket.c:1851 [inline]
+ __x64_sys_bind+0x7a/0x90 net/socket.c:1851
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Let's dump and check metadata of corrupted inode, it shows its xattr_nid
+is the same to its i_ino.
+
+dump.f2fs -i 3 chaseyu.img.raw
+i_xattr_nid [0x 3 : 3]
+
+So that, during mknod in the corrupted directory, it tries to get and
+lock inode page twice, result in deadlock.
+
+- f2fs_mknod
+ - f2fs_add_inline_entry
+ - f2fs_get_inode_page --- lock dir's inode page
+ - f2fs_init_acl
+ - f2fs_acl_create(dir,..)
+ - __f2fs_get_acl
+ - f2fs_getxattr
+ - lookup_all_xattrs
+ - __get_node_page --- try to lock dir's inode page
+
+In order to fix this, let's add sanity check on ino and xnid.
+
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+cc448dcdc7ae0b4e4ffa@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-f2fs-devel/67e06150.050a0220.21942d.0005.GAE@google.com
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+[ add set_sbi_flag(sbi, SBI_NEED_FSCK) to match error handling pattern ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/inode.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/f2fs/inode.c
++++ b/fs/f2fs/inode.c
+@@ -210,6 +210,13 @@ static bool sanity_check_inode(struct in
+ return false;
+ }
+
++ if (ino_of_node(node_page) == fi->i_xattr_nid) {
++ set_sbi_flag(sbi, SBI_NEED_FSCK);
++ f2fs_warn(sbi, "%s: corrupted inode i_ino=%lx, xnid=%x, run fsck to fix.",
++ __func__, inode->i_ino, fi->i_xattr_nid);
++ return false;
++ }
++
+ if (f2fs_sb_has_flexible_inline_xattr(sbi)
+ && !f2fs_has_extra_attr(inode)) {
+ set_sbi_flag(sbi, SBI_NEED_FSCK);
--- /dev/null
+From stable+bounces-169828-greg=kroah.com@vger.kernel.org Sat Aug 16 00:10:04 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Aug 2025 18:07:29 -0400
+Subject: fscrypt: Don't use problematic non-inline crypto engines
+To: stable@vger.kernel.org
+Cc: Eric Biggers <ebiggers@kernel.org>, Ard Biesheuvel <ardb@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250815220729.247859-1-sashal@kernel.org>
+
+From: Eric Biggers <ebiggers@kernel.org>
+
+[ Upstream commit b41c1d8d07906786c60893980d52688f31d114a6 ]
+
+Make fscrypt no longer use Crypto API drivers for non-inline crypto
+engines, even when the Crypto API prioritizes them over CPU-based code
+(which unfortunately it often does). These drivers tend to be really
+problematic, especially for fscrypt's workload. This commit has no
+effect on inline crypto engines, which are different and do work well.
+
+Specifically, exclude drivers that have CRYPTO_ALG_KERN_DRIVER_ONLY or
+CRYPTO_ALG_ALLOCATES_MEMORY set. (Later, CRYPTO_ALG_ASYNC should be
+excluded too. That's omitted for now to keep this commit backportable,
+since until recently some CPU-based code had CRYPTO_ALG_ASYNC set.)
+
+There are two major issues with these drivers: bugs and performance.
+
+First, these drivers tend to be buggy. They're fundamentally much more
+error-prone and harder to test than the CPU-based code. They often
+don't get tested before kernel releases, and even if they do, the crypto
+self-tests don't properly test these drivers. Released drivers have
+en/decrypted or hashed data incorrectly. These bugs cause issues for
+fscrypt users who often didn't even want to use these drivers, e.g.:
+
+- https://github.com/google/fscryptctl/issues/32
+- https://github.com/google/fscryptctl/issues/9
+- https://lore.kernel.org/r/PH0PR02MB731916ECDB6C613665863B6CFFAA2@PH0PR02MB7319.namprd02.prod.outlook.com
+
+These drivers have also similarly caused issues for dm-crypt users,
+including data corruption and deadlocks. Since Linux v5.10, dm-crypt
+has disabled most of them by excluding CRYPTO_ALG_ALLOCATES_MEMORY.
+
+Second, these drivers tend to be *much* slower than the CPU-based code.
+This may seem counterintuitive, but benchmarks clearly show it. There's
+a *lot* of overhead associated with going to a hardware driver, off the
+CPU, and back again. To prove this, I gathered as many systems with
+this type of crypto engine as I could, and I measured synchronous
+encryption of 4096-byte messages (which matches fscrypt's workload):
+
+Intel Emerald Rapids server:
+ AES-256-XTS:
+ xts-aes-vaes-avx512 16171 MB/s [CPU-based, Vector AES]
+ qat_aes_xts 289 MB/s [Offload, Intel QuickAssist]
+
+Qualcomm SM8650 HDK:
+ AES-256-XTS:
+ xts-aes-ce 4301 MB/s [CPU-based, ARMv8 Crypto Extensions]
+ xts-aes-qce 73 MB/s [Offload, Qualcomm Crypto Engine]
+
+i.MX 8M Nano LPDDR4 EVK:
+ AES-256-XTS:
+ xts-aes-ce 647 MB/s [CPU-based, ARMv8 Crypto Extensions]
+ xts(ecb-aes-caam) 20 MB/s [Offload, CAAM]
+ AES-128-CBC-ESSIV:
+ essiv(cbc-aes-caam,sha256-lib) 23 MB/s [Offload, CAAM]
+
+STM32MP157F-DK2:
+ AES-256-XTS:
+ xts-aes-neonbs 13.2 MB/s [CPU-based, ARM NEON]
+ xts(stm32-ecb-aes) 3.1 MB/s [Offload, STM32 crypto engine]
+ AES-128-CBC-ESSIV:
+ essiv(cbc-aes-neonbs,sha256-lib)
+ 14.7 MB/s [CPU-based, ARM NEON]
+ essiv(stm32-cbc-aes,sha256-lib)
+ 3.2 MB/s [Offload, STM32 crypto engine]
+ Adiantum:
+ adiantum(xchacha12-arm,aes-arm,nhpoly1305-neon)
+ 52.8 MB/s [CPU-based, ARM scalar + NEON]
+
+So, there was no case in which the crypto engine was even *close* to
+being faster. On the first three, which have AES instructions in the
+CPU, the CPU was 30 to 55 times faster (!). Even on STM32MP157F-DK2
+which has a Cortex-A7 CPU that doesn't have AES instructions, AES was
+over 4 times faster on the CPU. And Adiantum encryption, which is what
+actually should be used on CPUs like that, was over 17 times faster.
+
+Other justifications that have been given for these non-inline crypto
+engines (almost always coming from the hardware vendors, not actual
+users) don't seem very plausible either:
+
+ - The crypto engine throughput could be improved by processing
+ multiple requests concurrently. Currently irrelevant to fscrypt,
+ since it doesn't do that. This would also be complex, and unhelpful
+ in many cases. 2 of the 4 engines I tested even had only one queue.
+
+ - Some of the engines, e.g. STM32, support hardware keys. Also
+ currently irrelevant to fscrypt, since it doesn't support these.
+ Interestingly, the STM32 driver itself doesn't support this either.
+
+ - Free up CPU for other tasks and/or reduce energy usage. Not very
+ plausible considering the "short" message length, driver overhead,
+ and scheduling overhead. There's just very little time for the CPU
+ to do something else like run another task or enter low-power state,
+ before the message finishes and it's time to process the next one.
+
+ - Some of these engines resist power analysis and electromagnetic
+ attacks, while the CPU-based crypto generally does not. In theory,
+ this sounds great. In practice, if this benefit requires the use of
+ an off-CPU offload that massively regresses performance and has a
+ low-quality, buggy driver, the price for this hardening (which is
+ not relevant to most fscrypt users, and tends to be incomplete) is
+ just too high. Inline crypto engines are much more promising here,
+ as are on-CPU solutions like RISC-V High Assurance Cryptography.
+
+Fixes: b30ab0e03407 ("ext4 crypto: add ext4 encryption facilities")
+Cc: stable@vger.kernel.org
+Acked-by: Ard Biesheuvel <ardb@kernel.org>
+Link: https://lore.kernel.org/r/20250704070322.20692-1-ebiggers@kernel.org
+Signed-off-by: Eric Biggers <ebiggers@kernel.org>
+[ Drop some documentation changes ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/crypto/fscrypt_private.h | 17 +++++++++++++++++
+ fs/crypto/hkdf.c | 2 +-
+ fs/crypto/keysetup.c | 3 ++-
+ fs/crypto/keysetup_v1.c | 3 ++-
+ 4 files changed, 22 insertions(+), 3 deletions(-)
+
+--- a/fs/crypto/fscrypt_private.h
++++ b/fs/crypto/fscrypt_private.h
+@@ -27,6 +27,23 @@
+ */
+ #define FSCRYPT_MIN_KEY_SIZE 16
+
++/*
++ * This mask is passed as the third argument to the crypto_alloc_*() functions
++ * to prevent fscrypt from using the Crypto API drivers for non-inline crypto
++ * engines. Those drivers have been problematic for fscrypt. fscrypt users
++ * have reported hangs and even incorrect en/decryption with these drivers.
++ * Since going to the driver, off CPU, and back again is really slow, such
++ * drivers can be over 50 times slower than the CPU-based code for fscrypt's
++ * workload. Even on platforms that lack AES instructions on the CPU, using the
++ * offloads has been shown to be slower, even staying with AES. (Of course,
++ * Adiantum is faster still, and is the recommended option on such platforms...)
++ *
++ * Note that fscrypt also supports inline crypto engines. Those don't use the
++ * Crypto API and work much better than the old-style (non-inline) engines.
++ */
++#define FSCRYPT_CRYPTOAPI_MASK \
++ (CRYPTO_ALG_ALLOCATES_MEMORY | CRYPTO_ALG_KERN_DRIVER_ONLY)
++
+ #define FSCRYPT_CONTEXT_V1 1
+ #define FSCRYPT_CONTEXT_V2 2
+
+--- a/fs/crypto/hkdf.c
++++ b/fs/crypto/hkdf.c
+@@ -72,7 +72,7 @@ int fscrypt_init_hkdf(struct fscrypt_hkd
+ u8 prk[HKDF_HASHLEN];
+ int err;
+
+- hmac_tfm = crypto_alloc_shash(HKDF_HMAC_ALG, 0, 0);
++ hmac_tfm = crypto_alloc_shash(HKDF_HMAC_ALG, 0, FSCRYPT_CRYPTOAPI_MASK);
+ if (IS_ERR(hmac_tfm)) {
+ fscrypt_err(NULL, "Error allocating " HKDF_HMAC_ALG ": %ld",
+ PTR_ERR(hmac_tfm));
+--- a/fs/crypto/keysetup.c
++++ b/fs/crypto/keysetup.c
+@@ -88,7 +88,8 @@ fscrypt_allocate_skcipher(struct fscrypt
+ struct crypto_skcipher *tfm;
+ int err;
+
+- tfm = crypto_alloc_skcipher(mode->cipher_str, 0, 0);
++ tfm = crypto_alloc_skcipher(mode->cipher_str, 0,
++ FSCRYPT_CRYPTOAPI_MASK);
+ if (IS_ERR(tfm)) {
+ if (PTR_ERR(tfm) == -ENOENT) {
+ fscrypt_warn(inode,
+--- a/fs/crypto/keysetup_v1.c
++++ b/fs/crypto/keysetup_v1.c
+@@ -52,7 +52,8 @@ static int derive_key_aes(const u8 *mast
+ struct skcipher_request *req = NULL;
+ DECLARE_CRYPTO_WAIT(wait);
+ struct scatterlist src_sg, dst_sg;
+- struct crypto_skcipher *tfm = crypto_alloc_skcipher("ecb(aes)", 0, 0);
++ struct crypto_skcipher *tfm =
++ crypto_alloc_skcipher("ecb(aes)", 0, FSCRYPT_CRYPTOAPI_MASK);
+
+ if (IS_ERR(tfm)) {
+ res = PTR_ERR(tfm);
--- /dev/null
+From stable+bounces-164641-greg=kroah.com@vger.kernel.org Thu Jul 24 18:27:28 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jul 2025 12:27:07 -0400
+Subject: iio: hid-sensor-prox: Fix incorrect OFFSET calculation
+To: stable@vger.kernel.org
+Cc: Zhang Lixu <lixu.zhang@intel.com>, Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>, Jonathan Cameron <Jonathan.Cameron@huawei.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250724162707.1368528-1-sashal@kernel.org>
+
+From: Zhang Lixu <lixu.zhang@intel.com>
+
+[ Upstream commit 79dabbd505210e41c88060806c92c052496dd61c ]
+
+The OFFSET calculation in the prox_read_raw() was incorrectly using the
+unit exponent, which is intended for SCALE calculations.
+
+Remove the incorrect OFFSET calculation and set it to a fixed value of 0.
+
+Cc: stable@vger.kernel.org
+Fixes: 39a3a0138f61 ("iio: hid-sensors: Added Proximity Sensor Driver")
+Signed-off-by: Zhang Lixu <lixu.zhang@intel.com>
+Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Link: https://patch.msgid.link/20250331055022.1149736-4-lixu.zhang@intel.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+[ adapted prox_attr array access to single structure member access ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/light/hid-sensor-prox.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/iio/light/hid-sensor-prox.c
++++ b/drivers/iio/light/hid-sensor-prox.c
+@@ -103,8 +103,7 @@ static int prox_read_raw(struct iio_dev
+ ret_type = prox_state->scale_precision;
+ break;
+ case IIO_CHAN_INFO_OFFSET:
+- *val = hid_sensor_convert_exponent(
+- prox_state->prox_attr.unit_expo);
++ *val = 0;
+ ret_type = IIO_VAL_INT;
+ break;
+ case IIO_CHAN_INFO_SAMP_FREQ:
--- /dev/null
+From stable+bounces-164642-greg=kroah.com@vger.kernel.org Thu Jul 24 18:38:01 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jul 2025 12:33:24 -0400
+Subject: iio: hid-sensor-prox: Restore lost scale assignments
+To: stable@vger.kernel.org
+Cc: Zhang Lixu <lixu.zhang@intel.com>, Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>, Jonathan Cameron <Jonathan.Cameron@huawei.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250724163324.1369864-1-sashal@kernel.org>
+
+From: Zhang Lixu <lixu.zhang@intel.com>
+
+[ Upstream commit 83ded7cfaccccd2f4041769c313b58b4c9e265ad ]
+
+The variables `scale_pre_decml`, `scale_post_decml`, and `scale_precision`
+were assigned in commit d68c592e02f6 ("iio: hid-sensor-prox: Fix scale not
+correct issue"), but due to a merge conflict in
+commit 9c15db92a8e5 ("Merge tag 'iio-for-5.13a' of
+https://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-next"),
+these assignments were lost.
+
+Add back lost assignments and replace `st->prox_attr` with
+`st->prox_attr[0]` because commit 596ef5cf654b ("iio: hid-sensor-prox: Add
+support for more channels") changed `prox_attr` to an array.
+
+Cc: stable@vger.kernel.org # 5.13+
+Fixes: 9c15db92a8e5 ("Merge tag 'iio-for-5.13a' of https://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-next")
+Signed-off-by: Zhang Lixu <lixu.zhang@intel.com>
+Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Link: https://patch.msgid.link/20250331055022.1149736-2-lixu.zhang@intel.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+[ changed st->prox_attr[0] array access to st->prox_attr single struct member ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/light/hid-sensor-prox.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/iio/light/hid-sensor-prox.c
++++ b/drivers/iio/light/hid-sensor-prox.c
+@@ -222,6 +222,11 @@ static int prox_parse_report(struct plat
+ dev_dbg(&pdev->dev, "prox %x:%x\n", st->prox_attr.index,
+ st->prox_attr.report_id);
+
++ st->scale_precision = hid_sensor_format_scale(hsdev->usage,
++ &st->prox_attr,
++ &st->scale_pre_decml,
++ &st->scale_post_decml);
++
+ return ret;
+ }
+
--- /dev/null
+From stable+bounces-171813-greg=kroah.com@vger.kernel.org Tue Aug 19 17:19:35 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Aug 2025 11:16:16 -0400
+Subject: media: venus: Fix OOB read due to missing payload bound check
+To: stable@vger.kernel.org
+Cc: Vedang Nagar <quic_vnagar@quicinc.com>, Vikash Garodia <quic_vgarodia@quicinc.com>, Bryan O'Donoghue <bryan.odonoghue@linaro.org>, Dikshita Agarwal <quic_dikshita@quicinc.com>, Bryan O'Donoghue <bod@kernel.org>, Hans Verkuil <hverkuil@xs4all.nl>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250819151616.535142-2-sashal@kernel.org>
+
+From: Vedang Nagar <quic_vnagar@quicinc.com>
+
+[ Upstream commit 06d6770ff0d8cc8dfd392329a8cc03e2a83e7289 ]
+
+Currently, The event_seq_changed() handler processes a variable number
+of properties sent by the firmware. The number of properties is indicated
+by the firmware and used to iterate over the payload. However, the
+payload size is not being validated against the actual message length.
+
+This can lead to out-of-bounds memory access if the firmware provides a
+property count that exceeds the data available in the payload. Such a
+condition can result in kernel crashes or potential information leaks if
+memory beyond the buffer is accessed.
+
+Fix this by properly validating the remaining size of the payload before
+each property access and updating bounds accordingly as properties are
+parsed.
+
+This ensures that property parsing is safely bounded within the received
+message buffer and protects against malformed or malicious firmware
+behavior.
+
+Fixes: 09c2845e8fe4 ("[media] media: venus: hfi: add Host Firmware Interface (HFI)")
+Cc: stable@vger.kernel.org
+Signed-off-by: Vedang Nagar <quic_vnagar@quicinc.com>
+Reviewed-by: Vikash Garodia <quic_vgarodia@quicinc.com>
+Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Co-developed-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
+Signed-off-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
+Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/venus/hfi_msgs.c | 83 ++++++++++++++++++---------
+ 1 file changed, 58 insertions(+), 25 deletions(-)
+
+--- a/drivers/media/platform/qcom/venus/hfi_msgs.c
++++ b/drivers/media/platform/qcom/venus/hfi_msgs.c
+@@ -33,8 +33,9 @@ static void event_seq_changed(struct ven
+ struct hfi_buffer_requirements *bufreq;
+ struct hfi_extradata_input_crop *crop;
+ struct hfi_dpb_counts *dpb_count;
++ u32 ptype, rem_bytes;
++ u32 size_read = 0;
+ u8 *data_ptr;
+- u32 ptype;
+
+ inst->error = HFI_ERR_NONE;
+
+@@ -44,86 +45,118 @@ static void event_seq_changed(struct ven
+ break;
+ default:
+ inst->error = HFI_ERR_SESSION_INVALID_PARAMETER;
+- goto done;
++ inst->ops->event_notify(inst, EVT_SYS_EVENT_CHANGE, &event);
++ return;
+ }
+
+ event.event_type = pkt->event_data1;
+
+ num_properties_changed = pkt->event_data2;
+- if (!num_properties_changed) {
+- inst->error = HFI_ERR_SESSION_INSUFFICIENT_RESOURCES;
+- goto done;
+- }
++ if (!num_properties_changed)
++ goto error;
+
+ data_ptr = (u8 *)&pkt->ext_event_data[0];
++ rem_bytes = pkt->shdr.hdr.size - sizeof(*pkt);
++
+ do {
++ if (rem_bytes < sizeof(u32))
++ goto error;
+ ptype = *((u32 *)data_ptr);
++
++ data_ptr += sizeof(u32);
++ rem_bytes -= sizeof(u32);
++
+ switch (ptype) {
+ case HFI_PROPERTY_PARAM_FRAME_SIZE:
+- data_ptr += sizeof(u32);
++ if (rem_bytes < sizeof(struct hfi_framesize))
++ goto error;
++
+ frame_sz = (struct hfi_framesize *)data_ptr;
+ event.width = frame_sz->width;
+ event.height = frame_sz->height;
+- data_ptr += sizeof(*frame_sz);
++ size_read = sizeof(struct hfi_framesize);
+ break;
+ case HFI_PROPERTY_PARAM_PROFILE_LEVEL_CURRENT:
+- data_ptr += sizeof(u32);
++ if (rem_bytes < sizeof(struct hfi_profile_level))
++ goto error;
++
+ profile_level = (struct hfi_profile_level *)data_ptr;
+ event.profile = profile_level->profile;
+ event.level = profile_level->level;
+- data_ptr += sizeof(*profile_level);
++ size_read = sizeof(struct hfi_profile_level);
+ break;
+ case HFI_PROPERTY_PARAM_VDEC_PIXEL_BITDEPTH:
+- data_ptr += sizeof(u32);
++ if (rem_bytes < sizeof(struct hfi_bit_depth))
++ goto error;
++
+ pixel_depth = (struct hfi_bit_depth *)data_ptr;
+ event.bit_depth = pixel_depth->bit_depth;
+- data_ptr += sizeof(*pixel_depth);
++ size_read = sizeof(struct hfi_bit_depth);
+ break;
+ case HFI_PROPERTY_PARAM_VDEC_PIC_STRUCT:
+- data_ptr += sizeof(u32);
++ if (rem_bytes < sizeof(struct hfi_pic_struct))
++ goto error;
++
+ pic_struct = (struct hfi_pic_struct *)data_ptr;
+ event.pic_struct = pic_struct->progressive_only;
+- data_ptr += sizeof(*pic_struct);
++ size_read = sizeof(struct hfi_pic_struct);
+ break;
+ case HFI_PROPERTY_PARAM_VDEC_COLOUR_SPACE:
+- data_ptr += sizeof(u32);
++ if (rem_bytes < sizeof(struct hfi_colour_space))
++ goto error;
++
+ colour_info = (struct hfi_colour_space *)data_ptr;
+ event.colour_space = colour_info->colour_space;
+- data_ptr += sizeof(*colour_info);
++ size_read = sizeof(struct hfi_colour_space);
+ break;
+ case HFI_PROPERTY_CONFIG_VDEC_ENTROPY:
+- data_ptr += sizeof(u32);
++ if (rem_bytes < sizeof(u32))
++ goto error;
++
+ event.entropy_mode = *(u32 *)data_ptr;
+- data_ptr += sizeof(u32);
++ size_read = sizeof(u32);
+ break;
+ case HFI_PROPERTY_CONFIG_BUFFER_REQUIREMENTS:
+- data_ptr += sizeof(u32);
++ if (rem_bytes < sizeof(struct hfi_buffer_requirements))
++ goto error;
++
+ bufreq = (struct hfi_buffer_requirements *)data_ptr;
+ event.buf_count = hfi_bufreq_get_count_min(bufreq, ver);
+- data_ptr += sizeof(*bufreq);
++ size_read = sizeof(struct hfi_buffer_requirements);
+ break;
+ case HFI_INDEX_EXTRADATA_INPUT_CROP:
+- data_ptr += sizeof(u32);
++ if (rem_bytes < sizeof(struct hfi_extradata_input_crop))
++ goto error;
++
+ crop = (struct hfi_extradata_input_crop *)data_ptr;
+ event.input_crop.left = crop->left;
+ event.input_crop.top = crop->top;
+ event.input_crop.width = crop->width;
+ event.input_crop.height = crop->height;
+- data_ptr += sizeof(*crop);
++ size_read = sizeof(struct hfi_extradata_input_crop);
+ break;
+ case HFI_PROPERTY_PARAM_VDEC_DPB_COUNTS:
+- data_ptr += sizeof(u32);
++ if (rem_bytes < sizeof(struct hfi_dpb_counts))
++ goto error;
++
+ dpb_count = (struct hfi_dpb_counts *)data_ptr;
+ event.buf_count = dpb_count->fw_min_cnt;
+- data_ptr += sizeof(*dpb_count);
++ size_read = sizeof(struct hfi_dpb_counts);
+ break;
+ default:
++ size_read = 0;
+ break;
+ }
++ data_ptr += size_read;
++ rem_bytes -= size_read;
+ num_properties_changed--;
+ } while (num_properties_changed > 0);
+
+-done:
++ inst->ops->event_notify(inst, EVT_SYS_EVENT_CHANGE, &event);
++ return;
++
++error:
++ inst->error = HFI_ERR_SESSION_INSUFFICIENT_RESOURCES;
+ inst->ops->event_notify(inst, EVT_SYS_EVENT_CHANGE, &event);
+ }
+
--- /dev/null
+From stable+bounces-171812-greg=kroah.com@vger.kernel.org Tue Aug 19 17:16:28 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Aug 2025 11:16:15 -0400
+Subject: media: venus: Introduce accessors for remapped hfi_buffer_reqs members
+To: stable@vger.kernel.org
+Cc: Konrad Dybcio <konrad.dybcio@linaro.org>, Bryan O'Donoghue <bryan.odonoghue@linaro.org>, Stanimir Varbanov <stanimir.k.varbanov@gmail.com>, Hans Verkuil <hverkuil-cisco@xs4all.nl>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250819151616.535142-1-sashal@kernel.org>
+
+From: Konrad Dybcio <konrad.dybcio@linaro.org>
+
+[ Upstream commit bbfc89e6f67ccb1ddefc3e8a284248bcfea58544 ]
+
+Currently we have macros to access these, but they don't provide a
+way to override the remapped fields. Replace the macros with actual
+get/set pairs to fix that.
+
+Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Stable-dep-of: 06d6770ff0d8 ("media: venus: Fix OOB read due to missing payload bound check")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/venus/helpers.c | 2
+ drivers/media/platform/qcom/venus/hfi_helper.h | 61 +++++++++++++++++++++----
+ drivers/media/platform/qcom/venus/hfi_msgs.c | 2
+ drivers/media/platform/qcom/venus/vdec.c | 8 +--
+ drivers/media/platform/qcom/venus/vdec_ctrls.c | 2
+ drivers/media/platform/qcom/venus/venc.c | 4 -
+ drivers/media/platform/qcom/venus/venc_ctrls.c | 2
+ 7 files changed, 63 insertions(+), 18 deletions(-)
+
+--- a/drivers/media/platform/qcom/venus/helpers.c
++++ b/drivers/media/platform/qcom/venus/helpers.c
+@@ -189,7 +189,7 @@ int venus_helper_alloc_dpb_bufs(struct v
+ if (ret)
+ return ret;
+
+- count = HFI_BUFREQ_COUNT_MIN(&bufreq, ver);
++ count = hfi_bufreq_get_count_min(&bufreq, ver);
+
+ for (i = 0; i < count; i++) {
+ buf = kzalloc(sizeof(*buf), GFP_KERNEL);
+--- a/drivers/media/platform/qcom/venus/hfi_helper.h
++++ b/drivers/media/platform/qcom/venus/hfi_helper.h
+@@ -1150,14 +1150,6 @@ struct hfi_buffer_display_hold_count_act
+ u32 hold_count;
+ };
+
+-/* HFI 4XX reorder the fields, use these macros */
+-#define HFI_BUFREQ_HOLD_COUNT(bufreq, ver) \
+- ((ver) == HFI_VERSION_4XX ? 0 : (bufreq)->hold_count)
+-#define HFI_BUFREQ_COUNT_MIN(bufreq, ver) \
+- ((ver) == HFI_VERSION_4XX ? (bufreq)->hold_count : (bufreq)->count_min)
+-#define HFI_BUFREQ_COUNT_MIN_HOST(bufreq, ver) \
+- ((ver) == HFI_VERSION_4XX ? (bufreq)->count_min : 0)
+-
+ struct hfi_buffer_requirements {
+ u32 type;
+ u32 size;
+@@ -1169,6 +1161,59 @@ struct hfi_buffer_requirements {
+ u32 alignment;
+ };
+
++/* On HFI 4XX, some of the struct members have been swapped. */
++static inline u32 hfi_bufreq_get_hold_count(struct hfi_buffer_requirements *req,
++ u32 ver)
++{
++ if (ver == HFI_VERSION_4XX)
++ return 0;
++
++ return req->hold_count;
++};
++
++static inline u32 hfi_bufreq_get_count_min(struct hfi_buffer_requirements *req,
++ u32 ver)
++{
++ if (ver == HFI_VERSION_4XX)
++ return req->hold_count;
++
++ return req->count_min;
++};
++
++static inline u32 hfi_bufreq_get_count_min_host(struct hfi_buffer_requirements *req,
++ u32 ver)
++{
++ if (ver == HFI_VERSION_4XX)
++ return req->count_min;
++
++ return 0;
++};
++
++static inline void hfi_bufreq_set_hold_count(struct hfi_buffer_requirements *req,
++ u32 ver, u32 val)
++{
++ if (ver == HFI_VERSION_4XX)
++ return;
++
++ req->hold_count = val;
++};
++
++static inline void hfi_bufreq_set_count_min(struct hfi_buffer_requirements *req,
++ u32 ver, u32 val)
++{
++ if (ver == HFI_VERSION_4XX)
++ req->hold_count = val;
++
++ req->count_min = val;
++};
++
++static inline void hfi_bufreq_set_count_min_host(struct hfi_buffer_requirements *req,
++ u32 ver, u32 val)
++{
++ if (ver == HFI_VERSION_4XX)
++ req->count_min = val;
++};
++
+ struct hfi_data_payload {
+ u32 size;
+ u8 data[1];
+--- a/drivers/media/platform/qcom/venus/hfi_msgs.c
++++ b/drivers/media/platform/qcom/venus/hfi_msgs.c
+@@ -99,7 +99,7 @@ static void event_seq_changed(struct ven
+ case HFI_PROPERTY_CONFIG_BUFFER_REQUIREMENTS:
+ data_ptr += sizeof(u32);
+ bufreq = (struct hfi_buffer_requirements *)data_ptr;
+- event.buf_count = HFI_BUFREQ_COUNT_MIN(bufreq, ver);
++ event.buf_count = hfi_bufreq_get_count_min(bufreq, ver);
+ data_ptr += sizeof(*bufreq);
+ break;
+ case HFI_INDEX_EXTRADATA_INPUT_CROP:
+--- a/drivers/media/platform/qcom/venus/vdec.c
++++ b/drivers/media/platform/qcom/venus/vdec.c
+@@ -864,13 +864,13 @@ static int vdec_num_buffers(struct venus
+ if (ret)
+ return ret;
+
+- *in_num = HFI_BUFREQ_COUNT_MIN(&bufreq, ver);
++ *in_num = hfi_bufreq_get_count_min(&bufreq, ver);
+
+ ret = venus_helper_get_bufreq(inst, HFI_BUFFER_OUTPUT, &bufreq);
+ if (ret)
+ return ret;
+
+- *out_num = HFI_BUFREQ_COUNT_MIN(&bufreq, ver);
++ *out_num = hfi_bufreq_get_count_min(&bufreq, ver);
+
+ return 0;
+ }
+@@ -984,14 +984,14 @@ static int vdec_verify_conf(struct venus
+ return ret;
+
+ if (inst->num_output_bufs < bufreq.count_actual ||
+- inst->num_output_bufs < HFI_BUFREQ_COUNT_MIN(&bufreq, ver))
++ inst->num_output_bufs < hfi_bufreq_get_count_min(&bufreq, ver))
+ return -EINVAL;
+
+ ret = venus_helper_get_bufreq(inst, HFI_BUFFER_INPUT, &bufreq);
+ if (ret)
+ return ret;
+
+- if (inst->num_input_bufs < HFI_BUFREQ_COUNT_MIN(&bufreq, ver))
++ if (inst->num_input_bufs < hfi_bufreq_get_count_min(&bufreq, ver))
+ return -EINVAL;
+
+ return 0;
+--- a/drivers/media/platform/qcom/venus/vdec_ctrls.c
++++ b/drivers/media/platform/qcom/venus/vdec_ctrls.c
+@@ -79,7 +79,7 @@ static int vdec_op_g_volatile_ctrl(struc
+ case V4L2_CID_MIN_BUFFERS_FOR_CAPTURE:
+ ret = venus_helper_get_bufreq(inst, HFI_BUFFER_OUTPUT, &bufreq);
+ if (!ret)
+- ctrl->val = HFI_BUFREQ_COUNT_MIN(&bufreq, ver);
++ ctrl->val = hfi_bufreq_get_count_min(&bufreq, ver);
+ break;
+ default:
+ return -EINVAL;
+--- a/drivers/media/platform/qcom/venus/venc.c
++++ b/drivers/media/platform/qcom/venus/venc.c
+@@ -1176,7 +1176,7 @@ static int venc_verify_conf(struct venus
+ return ret;
+
+ if (inst->num_output_bufs < bufreq.count_actual ||
+- inst->num_output_bufs < HFI_BUFREQ_COUNT_MIN(&bufreq, ver))
++ inst->num_output_bufs < hfi_bufreq_get_count_min(&bufreq, ver))
+ return -EINVAL;
+
+ ret = venus_helper_get_bufreq(inst, HFI_BUFFER_INPUT, &bufreq);
+@@ -1184,7 +1184,7 @@ static int venc_verify_conf(struct venus
+ return ret;
+
+ if (inst->num_input_bufs < bufreq.count_actual ||
+- inst->num_input_bufs < HFI_BUFREQ_COUNT_MIN(&bufreq, ver))
++ inst->num_input_bufs < hfi_bufreq_get_count_min(&bufreq, ver))
+ return -EINVAL;
+
+ return 0;
+--- a/drivers/media/platform/qcom/venus/venc_ctrls.c
++++ b/drivers/media/platform/qcom/venus/venc_ctrls.c
+@@ -358,7 +358,7 @@ static int venc_op_g_volatile_ctrl(struc
+ case V4L2_CID_MIN_BUFFERS_FOR_OUTPUT:
+ ret = venus_helper_get_bufreq(inst, HFI_BUFFER_INPUT, &bufreq);
+ if (!ret)
+- ctrl->val = HFI_BUFREQ_COUNT_MIN(&bufreq, ver);
++ ctrl->val = hfi_bufreq_get_count_min(&bufreq, ver);
+ break;
+ default:
+ return -EINVAL;
--- /dev/null
+From stable+bounces-171807-greg=kroah.com@vger.kernel.org Tue Aug 19 16:51:28 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Aug 2025 10:49:44 -0400
+Subject: mm/ptdump: take the memory hotplug lock inside ptdump_walk_pgd()
+To: stable@vger.kernel.org
+Cc: Anshuman Khandual <anshuman.khandual@arm.com>, David Hildenbrand <david@redhat.com>, Dev Jain <dev.jain@arm.com>, Alexander Gordeev <agordeev@linux.ibm.com>, Catalin Marinas <catalin.marinas@arm.com>, Will Deacon <will@kernel.org>, Ryan Roberts <ryan.roberts@arm.com>, Paul Walmsley <paul.walmsley@sifive.com>, Palmer Dabbelt <palmer@dabbelt.com>, Gerald Schaefer <gerald.schaefer@linux.ibm.com>, Heiko Carstens <hca@linux.ibm.com>, Vasily Gorbik <gor@linux.ibm.com>, Christian Borntraeger <borntraeger@linux.ibm.com>, Sven Schnelle <svens@linux.ibm.com>, Andrew Morton <akpm@linux-foundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250819144944.523881-1-sashal@kernel.org>
+
+From: Anshuman Khandual <anshuman.khandual@arm.com>
+
+[ Upstream commit 59305202c67fea50378dcad0cc199dbc13a0e99a ]
+
+Memory hot remove unmaps and tears down various kernel page table regions
+as required. The ptdump code can race with concurrent modifications of
+the kernel page tables. When leaf entries are modified concurrently, the
+dump code may log stale or inconsistent information for a VA range, but
+this is otherwise not harmful.
+
+But when intermediate levels of kernel page table are freed, the dump code
+will continue to use memory that has been freed and potentially
+reallocated for another purpose. In such cases, the ptdump code may
+dereference bogus addresses, leading to a number of potential problems.
+
+To avoid the above mentioned race condition, platforms such as arm64,
+riscv and s390 take memory hotplug lock, while dumping kernel page table
+via the sysfs interface /sys/kernel/debug/kernel_page_tables.
+
+Similar race condition exists while checking for pages that might have
+been marked W+X via /sys/kernel/debug/kernel_page_tables/check_wx_pages
+which in turn calls ptdump_check_wx(). Instead of solving this race
+condition again, let's just move the memory hotplug lock inside generic
+ptdump_check_wx() which will benefit both the scenarios.
+
+Drop get_online_mems() and put_online_mems() combination from all existing
+platform ptdump code paths.
+
+Link: https://lkml.kernel.org/r/20250620052427.2092093-1-anshuman.khandual@arm.com
+Fixes: bbd6ec605c0f ("arm64/mm: Enable memory hot remove")
+Signed-off-by: Anshuman Khandual <anshuman.khandual@arm.com>
+Acked-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Dev Jain <dev.jain@arm.com>
+Acked-by: Alexander Gordeev <agordeev@linux.ibm.com> [s390]
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Will Deacon <will@kernel.org>
+Cc: Ryan Roberts <ryan.roberts@arm.com>
+Cc: Paul Walmsley <paul.walmsley@sifive.com>
+Cc: Palmer Dabbelt <palmer@dabbelt.com>
+Cc: Alexander Gordeev <agordeev@linux.ibm.com>
+Cc: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
+Cc: Heiko Carstens <hca@linux.ibm.com>
+Cc: Vasily Gorbik <gor@linux.ibm.com>
+Cc: Christian Borntraeger <borntraeger@linux.ibm.com>
+Cc: Sven Schnelle <svens@linux.ibm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/mm/ptdump_debugfs.c | 3 ---
+ arch/s390/mm/dump_pagetables.c | 2 --
+ mm/ptdump.c | 2 ++
+ 3 files changed, 2 insertions(+), 5 deletions(-)
+
+--- a/arch/arm64/mm/ptdump_debugfs.c
++++ b/arch/arm64/mm/ptdump_debugfs.c
+@@ -1,6 +1,5 @@
+ // SPDX-License-Identifier: GPL-2.0
+ #include <linux/debugfs.h>
+-#include <linux/memory_hotplug.h>
+ #include <linux/seq_file.h>
+
+ #include <asm/ptdump.h>
+@@ -9,9 +8,7 @@ static int ptdump_show(struct seq_file *
+ {
+ struct ptdump_info *info = m->private;
+
+- get_online_mems();
+ ptdump_walk(m, info);
+- put_online_mems();
+ return 0;
+ }
+ DEFINE_SHOW_ATTRIBUTE(ptdump);
+--- a/arch/s390/mm/dump_pagetables.c
++++ b/arch/s390/mm/dump_pagetables.c
+@@ -249,11 +249,9 @@ static int ptdump_show(struct seq_file *
+ .marker = address_markers,
+ };
+
+- get_online_mems();
+ mutex_lock(&cpa_mutex);
+ ptdump_walk_pgd(&st.ptdump, &init_mm, NULL);
+ mutex_unlock(&cpa_mutex);
+- put_online_mems();
+ return 0;
+ }
+ DEFINE_SHOW_ATTRIBUTE(ptdump);
+--- a/mm/ptdump.c
++++ b/mm/ptdump.c
+@@ -152,6 +152,7 @@ void ptdump_walk_pgd(struct ptdump_state
+ {
+ const struct ptdump_range *range = st->range;
+
++ get_online_mems();
+ mmap_write_lock(mm);
+ while (range->start != range->end) {
+ walk_page_range_novma(mm, range->start, range->end,
+@@ -159,6 +160,7 @@ void ptdump_walk_pgd(struct ptdump_state
+ range++;
+ }
+ mmap_write_unlock(mm);
++ put_online_mems();
+
+ /* Flush out the last page */
+ st->note_page(st, 0, -1, 0);
--- /dev/null
+From 0bef512012b1cd8820f0c9ec80e5f8ceb43fdd59 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Mon, 12 Feb 2024 14:07:00 +0000
+Subject: net: add netdev_lockdep_set_classes() to virtual drivers
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 0bef512012b1cd8820f0c9ec80e5f8ceb43fdd59 upstream.
+
+Based on a syzbot report, it appears many virtual
+drivers do not yet use netdev_lockdep_set_classes(),
+triggerring lockdep false positives.
+
+WARNING: possible recursive locking detected
+6.8.0-rc4-next-20240212-syzkaller #0 Not tainted
+
+syz-executor.0/19016 is trying to acquire lock:
+ ffff8880162cb298 (_xmit_ETHER#2){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
+ ffff8880162cb298 (_xmit_ETHER#2){+.-.}-{2:2}, at: __netif_tx_lock include/linux/netdevice.h:4452 [inline]
+ ffff8880162cb298 (_xmit_ETHER#2){+.-.}-{2:2}, at: sch_direct_xmit+0x1c4/0x5f0 net/sched/sch_generic.c:340
+
+but task is already holding lock:
+ ffff8880223db4d8 (_xmit_ETHER#2){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
+ ffff8880223db4d8 (_xmit_ETHER#2){+.-.}-{2:2}, at: __netif_tx_lock include/linux/netdevice.h:4452 [inline]
+ ffff8880223db4d8 (_xmit_ETHER#2){+.-.}-{2:2}, at: sch_direct_xmit+0x1c4/0x5f0 net/sched/sch_generic.c:340
+
+other info that might help us debug this:
+ Possible unsafe locking scenario:
+
+ CPU0
+ lock(_xmit_ETHER#2);
+ lock(_xmit_ETHER#2);
+
+ *** DEADLOCK ***
+
+ May be due to missing lock nesting notation
+
+9 locks held by syz-executor.0/19016:
+ #0: ffffffff8f385208 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
+ #0: ffffffff8f385208 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x82c/0x1040 net/core/rtnetlink.c:6603
+ #1: ffffc90000a08c00 ((&in_dev->mr_ifc_timer)){+.-.}-{0:0}, at: call_timer_fn+0xc0/0x600 kernel/time/timer.c:1697
+ #2: ffffffff8e131520 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline]
+ #2: ffffffff8e131520 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:750 [inline]
+ #2: ffffffff8e131520 (rcu_read_lock){....}-{1:2}, at: ip_finish_output2+0x45f/0x1360 net/ipv4/ip_output.c:228
+ #3: ffffffff8e131580 (rcu_read_lock_bh){....}-{1:2}, at: local_bh_disable include/linux/bottom_half.h:20 [inline]
+ #3: ffffffff8e131580 (rcu_read_lock_bh){....}-{1:2}, at: rcu_read_lock_bh include/linux/rcupdate.h:802 [inline]
+ #3: ffffffff8e131580 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x2c4/0x3b10 net/core/dev.c:4284
+ #4: ffff8880416e3258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: spin_trylock include/linux/spinlock.h:361 [inline]
+ #4: ffff8880416e3258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: qdisc_run_begin include/net/sch_generic.h:195 [inline]
+ #4: ffff8880416e3258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: __dev_xmit_skb net/core/dev.c:3771 [inline]
+ #4: ffff8880416e3258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: __dev_queue_xmit+0x1262/0x3b10 net/core/dev.c:4325
+ #5: ffff8880223db4d8 (_xmit_ETHER#2){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
+ #5: ffff8880223db4d8 (_xmit_ETHER#2){+.-.}-{2:2}, at: __netif_tx_lock include/linux/netdevice.h:4452 [inline]
+ #5: ffff8880223db4d8 (_xmit_ETHER#2){+.-.}-{2:2}, at: sch_direct_xmit+0x1c4/0x5f0 net/sched/sch_generic.c:340
+ #6: ffffffff8e131520 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline]
+ #6: ffffffff8e131520 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:750 [inline]
+ #6: ffffffff8e131520 (rcu_read_lock){....}-{1:2}, at: ip_finish_output2+0x45f/0x1360 net/ipv4/ip_output.c:228
+ #7: ffffffff8e131580 (rcu_read_lock_bh){....}-{1:2}, at: local_bh_disable include/linux/bottom_half.h:20 [inline]
+ #7: ffffffff8e131580 (rcu_read_lock_bh){....}-{1:2}, at: rcu_read_lock_bh include/linux/rcupdate.h:802 [inline]
+ #7: ffffffff8e131580 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x2c4/0x3b10 net/core/dev.c:4284
+ #8: ffff888014d9d258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: spin_trylock include/linux/spinlock.h:361 [inline]
+ #8: ffff888014d9d258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: qdisc_run_begin include/net/sch_generic.h:195 [inline]
+ #8: ffff888014d9d258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: __dev_xmit_skb net/core/dev.c:3771 [inline]
+ #8: ffff888014d9d258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock){+...}-{2:2}, at: __dev_queue_xmit+0x1262/0x3b10 net/core/dev.c:4325
+
+stack backtrace:
+CPU: 1 PID: 19016 Comm: syz-executor.0 Not tainted 6.8.0-rc4-next-20240212-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
+ check_deadlock kernel/locking/lockdep.c:3062 [inline]
+ validate_chain+0x15c1/0x58e0 kernel/locking/lockdep.c:3856
+ __lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137
+ lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754
+ __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
+ _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
+ spin_lock include/linux/spinlock.h:351 [inline]
+ __netif_tx_lock include/linux/netdevice.h:4452 [inline]
+ sch_direct_xmit+0x1c4/0x5f0 net/sched/sch_generic.c:340
+ __dev_xmit_skb net/core/dev.c:3784 [inline]
+ __dev_queue_xmit+0x1912/0x3b10 net/core/dev.c:4325
+ neigh_output include/net/neighbour.h:542 [inline]
+ ip_finish_output2+0xe66/0x1360 net/ipv4/ip_output.c:235
+ iptunnel_xmit+0x540/0x9b0 net/ipv4/ip_tunnel_core.c:82
+ ip_tunnel_xmit+0x20ee/0x2960 net/ipv4/ip_tunnel.c:831
+ erspan_xmit+0x9de/0x1460 net/ipv4/ip_gre.c:720
+ __netdev_start_xmit include/linux/netdevice.h:4989 [inline]
+ netdev_start_xmit include/linux/netdevice.h:5003 [inline]
+ xmit_one net/core/dev.c:3555 [inline]
+ dev_hard_start_xmit+0x242/0x770 net/core/dev.c:3571
+ sch_direct_xmit+0x2b6/0x5f0 net/sched/sch_generic.c:342
+ __dev_xmit_skb net/core/dev.c:3784 [inline]
+ __dev_queue_xmit+0x1912/0x3b10 net/core/dev.c:4325
+ neigh_output include/net/neighbour.h:542 [inline]
+ ip_finish_output2+0xe66/0x1360 net/ipv4/ip_output.c:235
+ igmpv3_send_cr net/ipv4/igmp.c:723 [inline]
+ igmp_ifc_timer_expire+0xb71/0xd90 net/ipv4/igmp.c:813
+ call_timer_fn+0x17e/0x600 kernel/time/timer.c:1700
+ expire_timers kernel/time/timer.c:1751 [inline]
+ __run_timers+0x621/0x830 kernel/time/timer.c:2038
+ run_timer_softirq+0x67/0xf0 kernel/time/timer.c:2051
+ __do_softirq+0x2bc/0x943 kernel/softirq.c:554
+ invoke_softirq kernel/softirq.c:428 [inline]
+ __irq_exit_rcu+0xf2/0x1c0 kernel/softirq.c:633
+ irq_exit_rcu+0x9/0x30 kernel/softirq.c:645
+ instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1076 [inline]
+ sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1076
+ </IRQ>
+ <TASK>
+ asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
+ RIP: 0010:resched_offsets_ok kernel/sched/core.c:10127 [inline]
+ RIP: 0010:__might_resched+0x16f/0x780 kernel/sched/core.c:10142
+Code: 00 4c 89 e8 48 c1 e8 03 48 ba 00 00 00 00 00 fc ff df 48 89 44 24 38 0f b6 04 10 84 c0 0f 85 87 04 00 00 41 8b 45 00 c1 e0 08 <01> d8 44 39 e0 0f 85 d6 00 00 00 44 89 64 24 1c 48 8d bc 24 a0 00
+RSP: 0018:ffffc9000ee069e0 EFLAGS: 00000246
+RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff8880296a9e00
+RDX: dffffc0000000000 RSI: ffff8880296a9e00 RDI: ffffffff8bfe8fa0
+RBP: ffffc9000ee06b00 R08: ffffffff82326877 R09: 1ffff11002b5ad1b
+R10: dffffc0000000000 R11: ffffed1002b5ad1c R12: 0000000000000000
+R13: ffff8880296aa23c R14: 000000000000062a R15: 1ffff92001dc0d44
+ down_write+0x19/0x50 kernel/locking/rwsem.c:1578
+ kernfs_activate fs/kernfs/dir.c:1403 [inline]
+ kernfs_add_one+0x4af/0x8b0 fs/kernfs/dir.c:819
+ __kernfs_create_file+0x22e/0x2e0 fs/kernfs/file.c:1056
+ sysfs_add_file_mode_ns+0x24a/0x310 fs/sysfs/file.c:307
+ create_files fs/sysfs/group.c:64 [inline]
+ internal_create_group+0x4f4/0xf20 fs/sysfs/group.c:152
+ internal_create_groups fs/sysfs/group.c:192 [inline]
+ sysfs_create_groups+0x56/0x120 fs/sysfs/group.c:218
+ create_dir lib/kobject.c:78 [inline]
+ kobject_add_internal+0x472/0x8d0 lib/kobject.c:240
+ kobject_add_varg lib/kobject.c:374 [inline]
+ kobject_init_and_add+0x124/0x190 lib/kobject.c:457
+ netdev_queue_add_kobject net/core/net-sysfs.c:1706 [inline]
+ netdev_queue_update_kobjects+0x1f3/0x480 net/core/net-sysfs.c:1758
+ register_queue_kobjects net/core/net-sysfs.c:1819 [inline]
+ netdev_register_kobject+0x265/0x310 net/core/net-sysfs.c:2059
+ register_netdevice+0x1191/0x19c0 net/core/dev.c:10298
+ bond_newlink+0x3b/0x90 drivers/net/bonding/bond_netlink.c:576
+ rtnl_newlink_create net/core/rtnetlink.c:3506 [inline]
+ __rtnl_newlink net/core/rtnetlink.c:3726 [inline]
+ rtnl_newlink+0x158f/0x20a0 net/core/rtnetlink.c:3739
+ rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6606
+ netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543
+ netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
+ netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367
+ netlink_sendmsg+0xa3c/0xd70 net/netlink/af_netlink.c:1908
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ __sock_sendmsg+0x221/0x270 net/socket.c:745
+ __sys_sendto+0x3a4/0x4f0 net/socket.c:2191
+ __do_sys_sendto net/socket.c:2203 [inline]
+ __se_sys_sendto net/socket.c:2199 [inline]
+ __x64_sys_sendto+0xde/0x100 net/socket.c:2199
+ do_syscall_64+0xfb/0x240
+ entry_SYSCALL_64_after_hwframe+0x6d/0x75
+RIP: 0033:0x7fc3fa87fa9c
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20240212140700.2795436-4-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sumanth Gavini <sumanth.gavini@yahoo.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dummy.c | 1 +
+ drivers/net/geneve.c | 1 +
+ drivers/net/loopback.c | 1 +
+ drivers/net/veth.c | 1 +
+ drivers/net/vxlan/vxlan_core.c | 1 +
+ net/ipv4/ip_tunnel.c | 1 +
+ net/ipv6/ip6_gre.c | 2 ++
+ net/ipv6/ip6_tunnel.c | 1 +
+ net/ipv6/ip6_vti.c | 1 +
+ net/ipv6/sit.c | 1 +
+ 10 files changed, 11 insertions(+)
+
+--- a/drivers/net/dummy.c
++++ b/drivers/net/dummy.c
+@@ -71,6 +71,7 @@ static int dummy_dev_init(struct net_dev
+ if (!dev->lstats)
+ return -ENOMEM;
+
++ netdev_lockdep_set_classes(dev);
+ return 0;
+ }
+
+--- a/drivers/net/geneve.c
++++ b/drivers/net/geneve.c
+@@ -349,6 +349,7 @@ static int geneve_init(struct net_device
+ gro_cells_destroy(&geneve->gro_cells);
+ return err;
+ }
++ netdev_lockdep_set_classes(dev);
+ return 0;
+ }
+
+--- a/drivers/net/loopback.c
++++ b/drivers/net/loopback.c
+@@ -144,6 +144,7 @@ static int loopback_dev_init(struct net_
+ dev->lstats = netdev_alloc_pcpu_stats(struct pcpu_lstats);
+ if (!dev->lstats)
+ return -ENOMEM;
++ netdev_lockdep_set_classes(dev);
+ return 0;
+ }
+
+--- a/drivers/net/veth.c
++++ b/drivers/net/veth.c
+@@ -1373,6 +1373,7 @@ static void veth_free_queues(struct net_
+
+ static int veth_dev_init(struct net_device *dev)
+ {
++ netdev_lockdep_set_classes(dev);
+ return veth_alloc_queues(dev);
+ }
+
+--- a/drivers/net/vxlan/vxlan_core.c
++++ b/drivers/net/vxlan/vxlan_core.c
+@@ -2998,6 +2998,7 @@ static int vxlan_init(struct net_device
+ if (err)
+ goto err_free_percpu;
+
++ netdev_lockdep_set_classes(dev);
+ return 0;
+
+ err_free_percpu:
+--- a/net/ipv4/ip_tunnel.c
++++ b/net/ipv4/ip_tunnel.c
+@@ -1298,6 +1298,7 @@ int ip_tunnel_init(struct net_device *de
+
+ if (tunnel->collect_md)
+ netif_keep_dst(dev);
++ netdev_lockdep_set_classes(dev);
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(ip_tunnel_init);
+--- a/net/ipv6/ip6_gre.c
++++ b/net/ipv6/ip6_gre.c
+@@ -1537,6 +1537,7 @@ static int ip6gre_tunnel_init_common(str
+ ip6gre_tnl_init_features(dev);
+
+ netdev_hold(dev, &tunnel->dev_tracker, GFP_KERNEL);
++ netdev_lockdep_set_classes(dev);
+ return 0;
+
+ cleanup_dst_cache_init:
+@@ -1929,6 +1930,7 @@ static int ip6erspan_tap_init(struct net
+ ip6erspan_tnl_link_config(tunnel, 1);
+
+ netdev_hold(dev, &tunnel->dev_tracker, GFP_KERNEL);
++ netdev_lockdep_set_classes(dev);
+ return 0;
+
+ cleanup_dst_cache_init:
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -1902,6 +1902,7 @@ ip6_tnl_dev_init_gen(struct net_device *
+ dev->max_mtu = IP6_MAX_MTU - dev->hard_header_len - t_hlen;
+
+ netdev_hold(dev, &t->dev_tracker, GFP_KERNEL);
++ netdev_lockdep_set_classes(dev);
+ return 0;
+
+ destroy_dst:
+--- a/net/ipv6/ip6_vti.c
++++ b/net/ipv6/ip6_vti.c
+@@ -937,6 +937,7 @@ static inline int vti6_dev_init_gen(stru
+ if (!dev->tstats)
+ return -ENOMEM;
+ netdev_hold(dev, &t->dev_tracker, GFP_KERNEL);
++ netdev_lockdep_set_classes(dev);
+ return 0;
+ }
+
+--- a/net/ipv6/sit.c
++++ b/net/ipv6/sit.c
+@@ -1460,6 +1460,7 @@ static int ipip6_tunnel_init(struct net_
+ return err;
+ }
+ netdev_hold(dev, &tunnel->dev_tracker, GFP_KERNEL);
++ netdev_lockdep_set_classes(dev);
+ return 0;
+ }
+
--- /dev/null
+From stable+bounces-169816-greg=kroah.com@vger.kernel.org Fri Aug 15 21:54:26 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Aug 2025 15:54:16 -0400
+Subject: net: enetc: fix device and OF node leak at probe
+To: stable@vger.kernel.org
+Cc: Johan Hovold <johan@kernel.org>, Vladimir Oltean <vladimir.oltean@nxp.com>, Simon Horman <horms@kernel.org>, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250815195416.198795-1-sashal@kernel.org>
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit 70458f8a6b44daf3ad39f0d9b6d1097c8a7780ed ]
+
+Make sure to drop the references to the IERB OF node and platform device
+taken by of_parse_phandle() and of_find_device_by_node() during probe.
+
+Fixes: e7d48e5fbf30 ("net: enetc: add a mini driver for the Integrated Endpoint Register Block")
+Cc: stable@vger.kernel.org # 5.13
+Cc: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250725171213.880-3-johan@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/freescale/enetc/enetc_pf.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/freescale/enetc/enetc_pf.c
++++ b/drivers/net/ethernet/freescale/enetc/enetc_pf.c
+@@ -1207,6 +1207,7 @@ static int enetc_pf_register_with_ierb(s
+ struct device_node *node = pdev->dev.of_node;
+ struct platform_device *ierb_pdev;
+ struct device_node *ierb_node;
++ int ret;
+
+ /* Don't register with the IERB if the PF itself is disabled */
+ if (!node || !of_device_is_available(node))
+@@ -1214,16 +1215,25 @@ static int enetc_pf_register_with_ierb(s
+
+ ierb_node = of_find_compatible_node(NULL, NULL,
+ "fsl,ls1028a-enetc-ierb");
+- if (!ierb_node || !of_device_is_available(ierb_node))
++ if (!ierb_node)
+ return -ENODEV;
+
++ if (!of_device_is_available(ierb_node)) {
++ of_node_put(ierb_node);
++ return -ENODEV;
++ }
++
+ ierb_pdev = of_find_device_by_node(ierb_node);
+ of_node_put(ierb_node);
+
+ if (!ierb_pdev)
+ return -EPROBE_DEFER;
+
+- return enetc_ierb_register_pf(ierb_pdev, pdev);
++ ret = enetc_ierb_register_pf(ierb_pdev, pdev);
++
++ put_device(&ierb_pdev->dev);
++
++ return ret;
+ }
+
+ static int enetc_pf_probe(struct pci_dev *pdev,
--- /dev/null
+From stable+bounces-171770-greg=kroah.com@vger.kernel.org Tue Aug 19 13:54:29 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Aug 2025 07:52:23 -0400
+Subject: net/sched: ets: use old 'nbands' while purging unused classes
+To: stable@vger.kernel.org
+Cc: Davide Caratti <dcaratti@redhat.com>, Li Shuang <shuali@redhat.com>, Petr Machata <petrm@nvidia.com>, Ivan Vecera <ivecera@redhat.com>, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250819115223.446888-2-sashal@kernel.org>
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+[ Upstream commit 87c6efc5ce9c126ae4a781bc04504b83780e3650 ]
+
+Shuang reported sch_ets test-case [1] crashing in ets_class_qlen_notify()
+after recent changes from Lion [2]. The problem is: in ets_qdisc_change()
+we purge unused DWRR queues; the value of 'q->nbands' is the new one, and
+the cleanup should be done with the old one. The problem is here since my
+first attempts to fix ets_qdisc_change(), but it surfaced again after the
+recent qdisc len accounting fixes. Fix it purging idle DWRR queues before
+assigning a new value of 'q->nbands', so that all purge operations find a
+consistent configuration:
+
+ - old 'q->nbands' because it's needed by ets_class_find()
+ - old 'q->nstrict' because it's needed by ets_class_is_strict()
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000000
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: Oops: 0000 [#1] SMP NOPTI
+ CPU: 62 UID: 0 PID: 39457 Comm: tc Kdump: loaded Not tainted 6.12.0-116.el10.x86_64 #1 PREEMPT(voluntary)
+ Hardware name: Dell Inc. PowerEdge R640/06DKY5, BIOS 2.12.2 07/09/2021
+ RIP: 0010:__list_del_entry_valid_or_report+0x4/0x80
+ Code: ff 4c 39 c7 0f 84 39 19 8e ff b8 01 00 00 00 c3 cc cc cc cc 66 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <48> 8b 17 48 8b 4f 08 48 85 d2 0f 84 56 19 8e ff 48 85 c9 0f 84 ab
+ RSP: 0018:ffffba186009f400 EFLAGS: 00010202
+ RAX: 00000000000000d6 RBX: 0000000000000000 RCX: 0000000000000004
+ RDX: ffff9f0fa29b69c0 RSI: 0000000000000000 RDI: 0000000000000000
+ RBP: ffffffffc12c2400 R08: 0000000000000008 R09: 0000000000000004
+ R10: ffffffffffffffff R11: 0000000000000004 R12: 0000000000000000
+ R13: ffff9f0f8cfe0000 R14: 0000000000100005 R15: 0000000000000000
+ FS: 00007f2154f37480(0000) GS:ffff9f269c1c0000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000000 CR3: 00000001530be001 CR4: 00000000007726f0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ PKRU: 55555554
+ Call Trace:
+ <TASK>
+ ets_class_qlen_notify+0x65/0x90 [sch_ets]
+ qdisc_tree_reduce_backlog+0x74/0x110
+ ets_qdisc_change+0x630/0xa40 [sch_ets]
+ __tc_modify_qdisc.constprop.0+0x216/0x7f0
+ tc_modify_qdisc+0x7c/0x120
+ rtnetlink_rcv_msg+0x145/0x3f0
+ netlink_rcv_skb+0x53/0x100
+ netlink_unicast+0x245/0x390
+ netlink_sendmsg+0x21b/0x470
+ ____sys_sendmsg+0x39d/0x3d0
+ ___sys_sendmsg+0x9a/0xe0
+ __sys_sendmsg+0x7a/0xd0
+ do_syscall_64+0x7d/0x160
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+ RIP: 0033:0x7f2155114084
+ Code: 89 02 b8 ff ff ff ff eb bb 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 80 3d 25 f0 0c 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 89 54 24 1c 48 89
+ RSP: 002b:00007fff1fd7a988 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
+ RAX: ffffffffffffffda RBX: 0000560ec063e5e0 RCX: 00007f2155114084
+ RDX: 0000000000000000 RSI: 00007fff1fd7a9f0 RDI: 0000000000000003
+ RBP: 00007fff1fd7aa60 R08: 0000000000000010 R09: 000000000000003f
+ R10: 0000560ee9b3a010 R11: 0000000000000202 R12: 00007fff1fd7aae0
+ R13: 000000006891ccde R14: 0000560ec063e5e0 R15: 00007fff1fd7aad0
+ </TASK>
+
+ [1] https://lore.kernel.org/netdev/e08c7f4a6882f260011909a868311c6e9b54f3e4.1639153474.git.dcaratti@redhat.com/
+ [2] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/
+
+Cc: stable@vger.kernel.org
+Fixes: 103406b38c60 ("net/sched: Always pass notifications when child class becomes empty")
+Fixes: c062f2a0b04d ("net/sched: sch_ets: don't remove idle classes from the round-robin list")
+Fixes: dcc68b4d8084 ("net: sch_ets: Add a new Qdisc")
+Reported-by: Li Shuang <shuali@redhat.com>
+Closes: https://issues.redhat.com/browse/RHEL-108026
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Co-developed-by: Ivan Vecera <ivecera@redhat.com>
+Signed-off-by: Ivan Vecera <ivecera@redhat.com>
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Link: https://patch.msgid.link/7928ff6d17db47a2ae7cc205c44777b1f1950545.1755016081.git.dcaratti@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_ets.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/net/sched/sch_ets.c
++++ b/net/sched/sch_ets.c
+@@ -651,6 +651,12 @@ static int ets_qdisc_change(struct Qdisc
+
+ sch_tree_lock(sch);
+
++ for (i = nbands; i < oldbands; i++) {
++ if (i >= q->nstrict && q->classes[i].qdisc->q.qlen)
++ list_del_init(&q->classes[i].alist);
++ qdisc_purge_queue(q->classes[i].qdisc);
++ }
++
+ WRITE_ONCE(q->nbands, nbands);
+ for (i = nstrict; i < q->nstrict; i++) {
+ if (q->classes[i].qdisc->q.qlen) {
+@@ -658,11 +664,6 @@ static int ets_qdisc_change(struct Qdisc
+ q->classes[i].deficit = quanta[i];
+ }
+ }
+- for (i = q->nbands; i < oldbands; i++) {
+- if (i >= q->nstrict && q->classes[i].qdisc->q.qlen)
+- list_del_init(&q->classes[i].alist);
+- qdisc_purge_queue(q->classes[i].qdisc);
+- }
+ WRITE_ONCE(q->nstrict, nstrict);
+ memcpy(q->prio2band, priomap, sizeof(priomap));
+
--- /dev/null
+From stable+bounces-171769-greg=kroah.com@vger.kernel.org Tue Aug 19 13:54:27 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Aug 2025 07:52:22 -0400
+Subject: net_sched: sch_ets: implement lockless ets_dump()
+To: stable@vger.kernel.org
+Cc: Eric Dumazet <edumazet@google.com>, Simon Horman <horms@kernel.org>, "David S. Miller" <davem@davemloft.net>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250819115223.446888-1-sashal@kernel.org>
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit c5f1dde7f731e7bf2e7c169ca42cb4989fc2f8b9 ]
+
+Instead of relying on RTNL, ets_dump() can use READ_ONCE()
+annotations, paired with WRITE_ONCE() ones in ets_change().
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 87c6efc5ce9c ("net/sched: ets: use old 'nbands' while purging unused classes")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_ets.c | 25 ++++++++++++++-----------
+ 1 file changed, 14 insertions(+), 11 deletions(-)
+
+--- a/net/sched/sch_ets.c
++++ b/net/sched/sch_ets.c
+@@ -651,7 +651,7 @@ static int ets_qdisc_change(struct Qdisc
+
+ sch_tree_lock(sch);
+
+- q->nbands = nbands;
++ WRITE_ONCE(q->nbands, nbands);
+ for (i = nstrict; i < q->nstrict; i++) {
+ if (q->classes[i].qdisc->q.qlen) {
+ list_add_tail(&q->classes[i].alist, &q->active);
+@@ -663,11 +663,11 @@ static int ets_qdisc_change(struct Qdisc
+ list_del_init(&q->classes[i].alist);
+ qdisc_purge_queue(q->classes[i].qdisc);
+ }
+- q->nstrict = nstrict;
++ WRITE_ONCE(q->nstrict, nstrict);
+ memcpy(q->prio2band, priomap, sizeof(priomap));
+
+ for (i = 0; i < q->nbands; i++)
+- q->classes[i].quantum = quanta[i];
++ WRITE_ONCE(q->classes[i].quantum, quanta[i]);
+
+ for (i = oldbands; i < q->nbands; i++) {
+ q->classes[i].qdisc = queues[i];
+@@ -681,7 +681,7 @@ static int ets_qdisc_change(struct Qdisc
+ for (i = q->nbands; i < oldbands; i++) {
+ qdisc_put(q->classes[i].qdisc);
+ q->classes[i].qdisc = NULL;
+- q->classes[i].quantum = 0;
++ WRITE_ONCE(q->classes[i].quantum, 0);
+ q->classes[i].deficit = 0;
+ gnet_stats_basic_sync_init(&q->classes[i].bstats);
+ memset(&q->classes[i].qstats, 0, sizeof(q->classes[i].qstats));
+@@ -738,6 +738,7 @@ static int ets_qdisc_dump(struct Qdisc *
+ struct ets_sched *q = qdisc_priv(sch);
+ struct nlattr *opts;
+ struct nlattr *nest;
++ u8 nbands, nstrict;
+ int band;
+ int prio;
+ int err;
+@@ -750,21 +751,22 @@ static int ets_qdisc_dump(struct Qdisc *
+ if (!opts)
+ goto nla_err;
+
+- if (nla_put_u8(skb, TCA_ETS_NBANDS, q->nbands))
++ nbands = READ_ONCE(q->nbands);
++ if (nla_put_u8(skb, TCA_ETS_NBANDS, nbands))
+ goto nla_err;
+
+- if (q->nstrict &&
+- nla_put_u8(skb, TCA_ETS_NSTRICT, q->nstrict))
++ nstrict = READ_ONCE(q->nstrict);
++ if (nstrict && nla_put_u8(skb, TCA_ETS_NSTRICT, nstrict))
+ goto nla_err;
+
+- if (q->nbands > q->nstrict) {
++ if (nbands > nstrict) {
+ nest = nla_nest_start(skb, TCA_ETS_QUANTA);
+ if (!nest)
+ goto nla_err;
+
+- for (band = q->nstrict; band < q->nbands; band++) {
++ for (band = nstrict; band < nbands; band++) {
+ if (nla_put_u32(skb, TCA_ETS_QUANTA_BAND,
+- q->classes[band].quantum))
++ READ_ONCE(q->classes[band].quantum)))
+ goto nla_err;
+ }
+
+@@ -776,7 +778,8 @@ static int ets_qdisc_dump(struct Qdisc *
+ goto nla_err;
+
+ for (prio = 0; prio <= TC_PRIO_MAX; prio++) {
+- if (nla_put_u8(skb, TCA_ETS_PRIOMAP_BAND, q->prio2band[prio]))
++ if (nla_put_u8(skb, TCA_ETS_PRIOMAP_BAND,
++ READ_ONCE(q->prio2band[prio])))
+ goto nla_err;
+ }
+
--- /dev/null
+From stable+bounces-169871-greg=kroah.com@vger.kernel.org Sun Aug 17 03:48:09 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 16 Aug 2025 21:47:59 -0400
+Subject: PCI/ACPI: Fix runtime PM ref imbalance on Hot-Plug Capable ports
+To: stable@vger.kernel.org
+Cc: Lukas Wunner <lukas@wunner.de>, Laurent Bigonville <bigon@bigon.be>, Mario Limonciello <mario.limonciello@amd.com>, Bjorn Helgaas <bhelgaas@google.com>, "Rafael J. Wysocki" <rafael@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250817014759.1328597-1-sashal@kernel.org>
+
+From: Lukas Wunner <lukas@wunner.de>
+
+[ Upstream commit 6cff20ce3b92ffbf2fc5eb9e5a030b3672aa414a ]
+
+pci_bridge_d3_possible() is called from both pcie_portdrv_probe() and
+pcie_portdrv_remove() to determine whether runtime power management shall
+be enabled (on probe) or disabled (on remove) on a PCIe port.
+
+The underlying assumption is that pci_bridge_d3_possible() always returns
+the same value, else a runtime PM reference imbalance would occur. That
+assumption is not given if the PCIe port is inaccessible on remove due to
+hot-unplug: pci_bridge_d3_possible() calls pciehp_is_native(), which
+accesses Config Space to determine whether the port is Hot-Plug Capable.
+An inaccessible port returns "all ones", which is converted to "all
+zeroes" by pcie_capability_read_dword(). Hence the port no longer seems
+Hot-Plug Capable on remove even though it was on probe.
+
+The resulting runtime PM ref imbalance causes warning messages such as:
+
+ pcieport 0000:02:04.0: Runtime PM usage count underflow!
+
+Avoid the Config Space access (and thus the runtime PM ref imbalance) by
+caching the Hot-Plug Capable bit in struct pci_dev.
+
+The struct already contains an "is_hotplug_bridge" flag, which however is
+not only set on Hot-Plug Capable PCIe ports, but also Conventional PCI
+Hot-Plug bridges and ACPI slots. The flag identifies bridges which are
+allocated additional MMIO and bus number resources to allow for hierarchy
+expansion.
+
+The kernel is somewhat sloppily using "is_hotplug_bridge" in a number of
+places to identify Hot-Plug Capable PCIe ports, even though the flag
+encompasses other devices. Subsequent commits replace these occurrences
+with the new flag to clearly delineate Hot-Plug Capable PCIe ports from
+other kinds of hotplug bridges.
+
+Document the existing "is_hotplug_bridge" and the new "is_pciehp" flag
+and document the (non-obvious) requirement that pci_bridge_d3_possible()
+always returns the same value across the entire lifetime of a bridge,
+including its hot-removal.
+
+Fixes: 5352a44a561d ("PCI: pciehp: Make pciehp_is_native() stricter")
+Reported-by: Laurent Bigonville <bigon@bigon.be>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220216
+Reported-by: Mario Limonciello <mario.limonciello@amd.com>
+Closes: https://lore.kernel.org/r/20250609020223.269407-3-superm1@kernel.org/
+Link: https://lore.kernel.org/all/20250620025535.3425049-3-superm1@kernel.org/T/#u
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Acked-by: Rafael J. Wysocki <rafael@kernel.org>
+Cc: stable@vger.kernel.org # v4.18+
+Link: https://patch.msgid.link/fe5dcc3b2e62ee1df7905d746bde161eb1b3291c.1752390101.git.lukas@wunner.de
+[ changed "recent enough PCIe ports" comment to "some PCIe ports" ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/pci-acpi.c | 4 +---
+ drivers/pci/pci.c | 8 ++++++--
+ drivers/pci/probe.c | 2 +-
+ include/linux/pci.h | 10 +++++++++-
+ 4 files changed, 17 insertions(+), 7 deletions(-)
+
+--- a/drivers/pci/pci-acpi.c
++++ b/drivers/pci/pci-acpi.c
+@@ -793,13 +793,11 @@ int pci_acpi_program_hp_params(struct pc
+ bool pciehp_is_native(struct pci_dev *bridge)
+ {
+ const struct pci_host_bridge *host;
+- u32 slot_cap;
+
+ if (!IS_ENABLED(CONFIG_HOTPLUG_PCI_PCIE))
+ return false;
+
+- pcie_capability_read_dword(bridge, PCI_EXP_SLTCAP, &slot_cap);
+- if (!(slot_cap & PCI_EXP_SLTCAP_HPC))
++ if (!bridge->is_pciehp)
+ return false;
+
+ if (pcie_ports_native)
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -3019,8 +3019,12 @@ static const struct dmi_system_id bridge
+ * pci_bridge_d3_possible - Is it possible to put the bridge into D3
+ * @bridge: Bridge to check
+ *
+- * This function checks if it is possible to move the bridge to D3.
+- * Currently we only allow D3 for recent enough PCIe ports and Thunderbolt.
++ * Currently we only allow D3 for some PCIe ports and for Thunderbolt.
++ *
++ * Return: Whether it is possible to move the bridge to D3.
++ *
++ * The return value is guaranteed to be constant across the entire lifetime
++ * of the bridge, including its hot-removal.
+ */
+ bool pci_bridge_d3_possible(struct pci_dev *bridge)
+ {
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -1592,7 +1592,7 @@ void set_pcie_hotplug_bridge(struct pci_
+
+ pcie_capability_read_dword(pdev, PCI_EXP_SLTCAP, ®32);
+ if (reg32 & PCI_EXP_SLTCAP_HPC)
+- pdev->is_hotplug_bridge = 1;
++ pdev->is_hotplug_bridge = pdev->is_pciehp = 1;
+ }
+
+ static void set_pcie_thunderbolt(struct pci_dev *dev)
+--- a/include/linux/pci.h
++++ b/include/linux/pci.h
+@@ -317,7 +317,14 @@ struct pci_sriov;
+ struct pci_p2pdma;
+ struct rcec_ea;
+
+-/* The pci_dev structure describes PCI devices */
++/* struct pci_dev - describes a PCI device
++ *
++ * @is_hotplug_bridge: Hotplug bridge of any kind (e.g. PCIe Hot-Plug Capable,
++ * Conventional PCI Hot-Plug, ACPI slot).
++ * Such bridges are allocated additional MMIO and bus
++ * number resources to allow for hierarchy expansion.
++ * @is_pciehp: PCIe Hot-Plug Capable bridge.
++ */
+ struct pci_dev {
+ struct list_head bus_list; /* Node in per-bus list */
+ struct pci_bus *bus; /* Bus this device is on */
+@@ -438,6 +445,7 @@ struct pci_dev {
+ unsigned int is_physfn:1;
+ unsigned int is_virtfn:1;
+ unsigned int is_hotplug_bridge:1;
++ unsigned int is_pciehp:1;
+ unsigned int shpc_managed:1; /* SHPC owned by shpchp */
+ unsigned int is_thunderbolt:1; /* Thunderbolt controller */
+ /*
--- /dev/null
+From stable+bounces-164558-greg=kroah.com@vger.kernel.org Thu Jul 24 06:11:59 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jul 2025 00:11:50 -0400
+Subject: perf/x86/intel: Fix crash in icl_update_topdown_event()
+To: stable@vger.kernel.org
+Cc: Kan Liang <kan.liang@linux.intel.com>, Vince Weaver <vincent.weaver@maine.edu>, Peter Zijlstra <peterz@infradead.org>, Ingo Molnar <mingo@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250724041150.1296795-1-sashal@kernel.org>
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+[ Upstream commit b0823d5fbacb1c551d793cbfe7af24e0d1fa45ed ]
+
+The perf_fuzzer found a hard-lockup crash on a RaptorLake machine:
+
+ Oops: general protection fault, maybe for address 0xffff89aeceab400: 0000
+ CPU: 23 UID: 0 PID: 0 Comm: swapper/23
+ Tainted: [W]=WARN
+ Hardware name: Dell Inc. Precision 9660/0VJ762
+ RIP: 0010:native_read_pmc+0x7/0x40
+ Code: cc e8 8d a9 01 00 48 89 03 5b cd cc cc cc cc 0f 1f ...
+ RSP: 000:fffb03100273de8 EFLAGS: 00010046
+ ....
+ Call Trace:
+ <TASK>
+ icl_update_topdown_event+0x165/0x190
+ ? ktime_get+0x38/0xd0
+ intel_pmu_read_event+0xf9/0x210
+ __perf_event_read+0xf9/0x210
+
+CPUs 16-23 are E-core CPUs that don't support the perf metrics feature.
+The icl_update_topdown_event() should not be invoked on these CPUs.
+
+It's a regression of commit:
+
+ f9bdf1f95339 ("perf/x86/intel: Avoid disable PMU if !cpuc->enabled in sample read")
+
+The bug introduced by that commit is that the is_topdown_event() function
+is mistakenly used to replace the is_topdown_count() call to check if the
+topdown functions for the perf metrics feature should be invoked.
+
+Fix it.
+
+Fixes: f9bdf1f95339 ("perf/x86/intel: Avoid disable PMU if !cpuc->enabled in sample read")
+Closes: https://lore.kernel.org/lkml/352f0709-f026-cd45-e60c-60dfd97f73f3@maine.edu/
+Reported-by: Vince Weaver <vincent.weaver@maine.edu>
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Tested-by: Vince Weaver <vincent.weaver@maine.edu>
+Cc: stable@vger.kernel.org # v6.15+
+Link: https://lore.kernel.org/r/20250612143818.2889040-1-kan.liang@linux.intel.com
+[ omitted PEBS check ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/events/intel/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/events/intel/core.c
++++ b/arch/x86/events/intel/core.c
+@@ -2703,7 +2703,7 @@ static void intel_pmu_read_event(struct
+ if (pmu_enabled)
+ intel_pmu_disable_all();
+
+- if (is_topdown_event(event))
++ if (is_topdown_count(event))
+ static_call(intel_pmu_update_topdown_event)(event);
+ else
+ intel_pmu_drain_pebs_buffer();
--- /dev/null
+From stable+bounces-172083-greg=kroah.com@vger.kernel.org Thu Aug 21 15:32:25 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Aug 2025 09:27:18 -0400
+Subject: platform/chrome: cros_ec: remove unneeded label and if-condition
+To: stable@vger.kernel.org
+Cc: Tzung-Bi Shih <tzungbi@kernel.org>, Guenter Roeck <groeck@chromium.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250821132719.713502-2-sashal@kernel.org>
+
+From: Tzung-Bi Shih <tzungbi@kernel.org>
+
+[ Upstream commit 554ec02c97254962bbb0a8776c3160d294fc7e51 ]
+
+Both `ec_dev->ec` and `ec_dev->pd` are initialized to NULL at the
+beginning of cros_ec_register(). Also, platform_device_unregister()
+takes care if the given platform_device is NULL.
+
+Remove the unneeded goto-label and if-condition.
+
+Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
+Reviewed-by: Guenter Roeck <groeck@chromium.org>
+Link: https://lore.kernel.org/r/20230308031247.2866401-1-tzungbi@kernel.org
+Stable-dep-of: e23749534619 ("platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/chrome/cros_ec.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/drivers/platform/chrome/cros_ec.c
++++ b/drivers/platform/chrome/cros_ec.c
+@@ -205,7 +205,7 @@ int cros_ec_register(struct cros_ec_devi
+ err = cros_ec_query_all(ec_dev);
+ if (err) {
+ dev_err(dev, "Cannot identify the EC: error %d\n", err);
+- goto destroy_mutex;
++ goto exit;
+ }
+
+ if (ec_dev->irq > 0) {
+@@ -217,7 +217,7 @@ int cros_ec_register(struct cros_ec_devi
+ if (err) {
+ dev_err(dev, "Failed to request IRQ %d: %d\n",
+ ec_dev->irq, err);
+- goto destroy_mutex;
++ goto exit;
+ }
+ }
+
+@@ -229,7 +229,7 @@ int cros_ec_register(struct cros_ec_devi
+ dev_err(ec_dev->dev,
+ "Failed to create CrOS EC platform device\n");
+ err = PTR_ERR(ec_dev->ec);
+- goto destroy_mutex;
++ goto exit;
+ }
+
+ if (ec_dev->max_passthru) {
+@@ -295,7 +295,6 @@ int cros_ec_register(struct cros_ec_devi
+ exit:
+ platform_device_unregister(ec_dev->ec);
+ platform_device_unregister(ec_dev->pd);
+-destroy_mutex:
+ mutex_destroy(&ec_dev->lock);
+ lockdep_unregister_key(&ec_dev->lockdep_key);
+ return err;
+@@ -312,8 +311,7 @@ EXPORT_SYMBOL(cros_ec_register);
+ */
+ void cros_ec_unregister(struct cros_ec_device *ec_dev)
+ {
+- if (ec_dev->pd)
+- platform_device_unregister(ec_dev->pd);
++ platform_device_unregister(ec_dev->pd);
+ platform_device_unregister(ec_dev->ec);
+ mutex_destroy(&ec_dev->lock);
+ lockdep_unregister_key(&ec_dev->lockdep_key);
--- /dev/null
+From stable+bounces-172084-greg=kroah.com@vger.kernel.org Thu Aug 21 15:31:24 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Aug 2025 09:27:19 -0400
+Subject: platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister()
+To: stable@vger.kernel.org
+Cc: Tzung-Bi Shih <tzungbi@kernel.org>, Benson Leung <bleung@chromium.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250821132719.713502-3-sashal@kernel.org>
+
+From: Tzung-Bi Shih <tzungbi@kernel.org>
+
+[ Upstream commit e2374953461947eee49f69b3e3204ff080ef31b1 ]
+
+The blocking notifier is registered in cros_ec_register(); however, it
+isn't unregistered in cros_ec_unregister().
+
+Fix it.
+
+Fixes: 42cd0ab476e2 ("platform/chrome: cros_ec: Query EC protocol version if EC transitions between RO/RW")
+Cc: stable@vger.kernel.org
+Reviewed-by: Benson Leung <bleung@chromium.org>
+Link: https://lore.kernel.org/r/20250722120513.234031-1-tzungbi@kernel.org
+Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/chrome/cros_ec.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/platform/chrome/cros_ec.c
++++ b/drivers/platform/chrome/cros_ec.c
+@@ -311,6 +311,9 @@ EXPORT_SYMBOL(cros_ec_register);
+ */
+ void cros_ec_unregister(struct cros_ec_device *ec_dev)
+ {
++ if (ec_dev->mkbp_event_supported)
++ blocking_notifier_chain_unregister(&ec_dev->event_notifier,
++ &ec_dev->notifier_ready);
+ platform_device_unregister(ec_dev->pd);
+ platform_device_unregister(ec_dev->ec);
+ mutex_destroy(&ec_dev->lock);
--- /dev/null
+From stable+bounces-172082-greg=kroah.com@vger.kernel.org Thu Aug 21 15:31:16 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Aug 2025 09:27:17 -0400
+Subject: platform/chrome: cros_ec: Use per-device lockdep key
+To: stable@vger.kernel.org
+Cc: Chen-Yu Tsai <wenst@chromium.org>, Tzung-Bi Shih <tzungbi@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250821132719.713502-1-sashal@kernel.org>
+
+From: Chen-Yu Tsai <wenst@chromium.org>
+
+[ Upstream commit 961a325becd9a142ae5c8b258e5c2f221f8bfac8 ]
+
+Lockdep reports a bogus possible deadlock on MT8192 Chromebooks due to
+the following lock sequences:
+
+1. lock(i2c_register_adapter) [1]; lock(&ec_dev->lock)
+2. lock(&ec_dev->lock); lock(prepare_lock);
+
+The actual dependency chains are much longer. The shortened version
+looks somewhat like:
+
+1. cros-ec-rpmsg on mtk-scp
+ ec_dev->lock -> prepare_lock
+2. In rt5682_i2c_probe() on native I2C bus:
+ prepare_lock -> regmap->lock -> (possibly) i2c_adapter->bus_lock
+3. In rt5682_i2c_probe() on native I2C bus:
+ regmap->lock -> i2c_adapter->bus_lock
+4. In sbs_probe() on i2c-cros-ec-tunnel I2C bus attached on cros-ec:
+ i2c_adapter->bus_lock -> ec_dev->lock
+
+While lockdep is correct that the shared lockdep classes have a circular
+dependency, it is bogus because
+
+ a) 2+3 happen on a native I2C bus
+ b) 4 happens on the actual EC on ChromeOS devices
+ c) 1 happens on the SCP coprocessor on MediaTek Chromebooks that just
+ happens to expose a cros-ec interface, but does not have an
+ i2c-cros-ec-tunnel I2C bus
+
+In short, the "dependencies" are actually on different devices.
+
+Setup a per-device lockdep key for cros_ec devices so lockdep can tell
+the two instances apart. This helps with getting rid of the bogus
+lockdep warning. For ChromeOS devices that only have one cros-ec
+instance this doesn't change anything.
+
+Also add a missing mutex_destroy, just to make the teardown complete.
+
+[1] This is likely the per I2C bus lock with shared lockdep class
+
+Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
+Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
+Link: https://lore.kernel.org/r/20230111074146.2624496-1-wenst@chromium.org
+Stable-dep-of: e23749534619 ("platform/chrome: cros_ec: Unregister notifier in cros_ec_unregister()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/chrome/cros_ec.c | 14 +++++++++++---
+ include/linux/platform_data/cros_ec_proto.h | 4 ++++
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+--- a/drivers/platform/chrome/cros_ec.c
++++ b/drivers/platform/chrome/cros_ec.c
+@@ -198,12 +198,14 @@ int cros_ec_register(struct cros_ec_devi
+ if (!ec_dev->dout)
+ return -ENOMEM;
+
++ lockdep_register_key(&ec_dev->lockdep_key);
+ mutex_init(&ec_dev->lock);
++ lockdep_set_class(&ec_dev->lock, &ec_dev->lockdep_key);
+
+ err = cros_ec_query_all(ec_dev);
+ if (err) {
+ dev_err(dev, "Cannot identify the EC: error %d\n", err);
+- return err;
++ goto destroy_mutex;
+ }
+
+ if (ec_dev->irq > 0) {
+@@ -215,7 +217,7 @@ int cros_ec_register(struct cros_ec_devi
+ if (err) {
+ dev_err(dev, "Failed to request IRQ %d: %d\n",
+ ec_dev->irq, err);
+- return err;
++ goto destroy_mutex;
+ }
+ }
+
+@@ -226,7 +228,8 @@ int cros_ec_register(struct cros_ec_devi
+ if (IS_ERR(ec_dev->ec)) {
+ dev_err(ec_dev->dev,
+ "Failed to create CrOS EC platform device\n");
+- return PTR_ERR(ec_dev->ec);
++ err = PTR_ERR(ec_dev->ec);
++ goto destroy_mutex;
+ }
+
+ if (ec_dev->max_passthru) {
+@@ -292,6 +295,9 @@ int cros_ec_register(struct cros_ec_devi
+ exit:
+ platform_device_unregister(ec_dev->ec);
+ platform_device_unregister(ec_dev->pd);
++destroy_mutex:
++ mutex_destroy(&ec_dev->lock);
++ lockdep_unregister_key(&ec_dev->lockdep_key);
+ return err;
+ }
+ EXPORT_SYMBOL(cros_ec_register);
+@@ -309,6 +315,8 @@ void cros_ec_unregister(struct cros_ec_d
+ if (ec_dev->pd)
+ platform_device_unregister(ec_dev->pd);
+ platform_device_unregister(ec_dev->ec);
++ mutex_destroy(&ec_dev->lock);
++ lockdep_unregister_key(&ec_dev->lockdep_key);
+ }
+ EXPORT_SYMBOL(cros_ec_unregister);
+
+--- a/include/linux/platform_data/cros_ec_proto.h
++++ b/include/linux/platform_data/cros_ec_proto.h
+@@ -9,6 +9,7 @@
+ #define __LINUX_CROS_EC_PROTO_H
+
+ #include <linux/device.h>
++#include <linux/lockdep_types.h>
+ #include <linux/mutex.h>
+ #include <linux/notifier.h>
+
+@@ -116,6 +117,8 @@ struct cros_ec_command {
+ * command. The caller should check msg.result for the EC's result
+ * code.
+ * @pkt_xfer: Send packet to EC and get response.
++ * @lockdep_key: Lockdep class for each instance. Unused if CONFIG_LOCKDEP is
++ * not enabled.
+ * @lock: One transaction at a time.
+ * @mkbp_event_supported: 0 if MKBP not supported. Otherwise its value is
+ * the maximum supported version of the MKBP host event
+@@ -160,6 +163,7 @@ struct cros_ec_device {
+ struct cros_ec_command *msg);
+ int (*pkt_xfer)(struct cros_ec_device *ec,
+ struct cros_ec_command *msg);
++ struct lock_class_key lockdep_key;
+ struct mutex lock;
+ u8 mkbp_event_supported;
+ bool host_sleep_v1;
acpi-pfr_update-fix-the-driver-update-version-check.patch
mptcp-drop-skb-if-mptcp-skb-extension-allocation-fails.patch
mptcp-pm-kernel-flush-do-not-reset-add_addr-limit.patch
+f2fs-fix-to-do-sanity-check-on-ino-and-xnid.patch
+iio-hid-sensor-prox-restore-lost-scale-assignments.patch
+iio-hid-sensor-prox-fix-incorrect-offset-calculation.patch
+perf-x86-intel-fix-crash-in-icl_update_topdown_event.patch
+x86-mce-amd-add-default-names-for-mca-banks-and-blocks.patch
+net-add-netdev_lockdep_set_classes-to-virtual-drivers.patch
+btrfs-fix-qgroup-reservation-leak-on-failure-to-allocate-ordered-extent.patch
+arm-9448-1-use-an-absolute-path-to-unified.h-in-kbuild_aflags.patch
+arm64-entry-mask-daif-in-cpu_switch_to-call_on_irq_stack.patch
+drm-sched-remove-optimization-that-causes-hang-when-killing-dependent-jobs.patch
+net-enetc-fix-device-and-of-node-leak-at-probe.patch
+fscrypt-don-t-use-problematic-non-inline-crypto-engines.patch
+block-reject-invalid-operation-in-submit_bio_noacct.patch
+block-make-req_op_zone_finish-a-write-operation.patch
+pci-acpi-fix-runtime-pm-ref-imbalance-on-hot-plug-capable-ports.patch
+smb-client-let-send_done-cleanup-before-calling-smbd_disconnect_rdma_connection.patch
+cifs-reset-iface-weights-when-we-cannot-find-a-candidate.patch
+usb-typec-fusb302-cache-pd-rx-state.patch
+btrfs-qgroup-fix-race-between-quota-disable-and-quota-rescan-ioctl.patch
+btrfs-abort-transaction-on-unexpected-eb-generation-at-btrfs_copy_root.patch
+xfs-fully-decouple-xfs_ibulk-flags-from-xfs_iwalk-flags.patch
+btrfs-send-use-fallocate-for-hole-punching-with-send-stream-v2.patch
+net_sched-sch_ets-implement-lockless-ets_dump.patch
+net-sched-ets-use-old-nbands-while-purging-unused-classes.patch
+mm-ptdump-take-the-memory-hotplug-lock-inside-ptdump_walk_pgd.patch
+media-venus-introduce-accessors-for-remapped-hfi_buffer_reqs-members.patch
+media-venus-fix-oob-read-due-to-missing-payload-bound-check.patch
+usb-musb-omap2430-convert-to-platform-remove-callback-returning-void.patch
+usb-musb-omap2430-fix-device-leak-at-unbind.patch
+platform-chrome-cros_ec-use-per-device-lockdep-key.patch
+platform-chrome-cros_ec-remove-unneeded-label-and-if-condition.patch
+platform-chrome-cros_ec-unregister-notifier-in-cros_ec_unregister.patch
+usb-dwc3-imx8mp-fix-device-leak-at-unbind.patch
+ata-fix-sata_mobile_lpm_policy-description-in-kconfig.patch
+btrfs-populate-otime-when-logging-an-inode-item.patch
--- /dev/null
+From stable+bounces-169889-greg=kroah.com@vger.kernel.org Sun Aug 17 15:51:23 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 17 Aug 2025 09:51:13 -0400
+Subject: smb: client: let send_done() cleanup before calling smbd_disconnect_rdma_connection()
+To: stable@vger.kernel.org
+Cc: Stefan Metzmacher <metze@samba.org>, Steve French <smfrench@gmail.com>, Tom Talpey <tom@talpey.com>, Long Li <longli@microsoft.com>, linux-cifs@vger.kernel.org, samba-technical@lists.samba.org, Steve French <stfrench@microsoft.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250817135113.1474958-1-sashal@kernel.org>
+
+From: Stefan Metzmacher <metze@samba.org>
+
+[ Upstream commit 5349ae5e05fa37409fd48a1eb483b199c32c889b ]
+
+We should call ib_dma_unmap_single() and mempool_free() before calling
+smbd_disconnect_rdma_connection().
+
+And smbd_disconnect_rdma_connection() needs to be the last function to
+call as all other state might already be gone after it returns.
+
+Cc: Steve French <smfrench@gmail.com>
+Cc: Tom Talpey <tom@talpey.com>
+Cc: Long Li <longli@microsoft.com>
+Cc: linux-cifs@vger.kernel.org
+Cc: samba-technical@lists.samba.org
+Fixes: f198186aa9bb ("CIFS: SMBD: Establish SMB Direct connection")
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+[ Replaced `info` with `request->info` ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/smbdirect.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/fs/smb/client/smbdirect.c
++++ b/fs/smb/client/smbdirect.c
+@@ -273,18 +273,21 @@ static void send_done(struct ib_cq *cq,
+ log_rdma_send(INFO, "smbd_request 0x%p completed wc->status=%d\n",
+ request, wc->status);
+
+- if (wc->status != IB_WC_SUCCESS || wc->opcode != IB_WC_SEND) {
+- log_rdma_send(ERR, "wc->status=%d wc->opcode=%d\n",
+- wc->status, wc->opcode);
+- smbd_disconnect_rdma_connection(request->info);
+- }
+-
+ for (i = 0; i < request->num_sge; i++)
+ ib_dma_unmap_single(request->info->id->device,
+ request->sge[i].addr,
+ request->sge[i].length,
+ DMA_TO_DEVICE);
+
++ if (wc->status != IB_WC_SUCCESS || wc->opcode != IB_WC_SEND) {
++ struct smbd_connection *info = request->info;
++ log_rdma_send(ERR, "wc->status=%d wc->opcode=%d\n",
++ wc->status, wc->opcode);
++ mempool_free(request, info->request_mempool);
++ smbd_disconnect_rdma_connection(info);
++ return;
++ }
++
+ if (atomic_dec_and_test(&request->info->send_pending))
+ wake_up(&request->info->wait_send_pending);
+
--- /dev/null
+From stable+bounces-172200-greg=kroah.com@vger.kernel.org Thu Aug 21 18:54:51 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Aug 2025 12:52:17 -0400
+Subject: usb: dwc3: imx8mp: fix device leak at unbind
+To: stable@vger.kernel.org
+Cc: Johan Hovold <johan@kernel.org>, Li Jun <jun.li@nxp.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250821165217.842711-1-sashal@kernel.org>
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit 086a0e516f7b3844e6328a5c69e2708b66b0ce18 ]
+
+Make sure to drop the reference to the dwc3 device taken by
+of_find_device_by_node() on probe errors and on driver unbind.
+
+Fixes: 6dd2565989b4 ("usb: dwc3: add imx8mp dwc3 glue layer driver")
+Cc: stable@vger.kernel.org # 5.12
+Cc: Li Jun <jun.li@nxp.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20250724091910.21092-2-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/dwc3-imx8mp.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc3/dwc3-imx8mp.c
++++ b/drivers/usb/dwc3/dwc3-imx8mp.c
+@@ -243,7 +243,7 @@ static int dwc3_imx8mp_probe(struct plat
+ IRQF_ONESHOT, dev_name(dev), dwc3_imx);
+ if (err) {
+ dev_err(dev, "failed to request IRQ #%d --> %d\n", irq, err);
+- goto depopulate;
++ goto put_dwc3;
+ }
+
+ device_set_wakeup_capable(dev, true);
+@@ -251,6 +251,8 @@ static int dwc3_imx8mp_probe(struct plat
+
+ return 0;
+
++put_dwc3:
++ put_device(&dwc3_imx->dwc3->dev);
+ depopulate:
+ of_platform_depopulate(dev);
+ err_node_put:
+@@ -271,6 +273,8 @@ static int dwc3_imx8mp_remove(struct pla
+ struct dwc3_imx8mp *dwc3_imx = platform_get_drvdata(pdev);
+ struct device *dev = &pdev->dev;
+
++ put_device(&dwc3_imx->dwc3->dev);
++
+ pm_runtime_get_sync(dev);
+ of_platform_depopulate(dev);
+
--- /dev/null
+From sashal@kernel.org Thu Aug 21 15:32:47 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Aug 2025 09:32:42 -0400
+Subject: usb: musb: omap2430: Convert to platform remove callback returning void
+To: stable@vger.kernel.org
+Cc: "Uwe Kleine-König" <u.kleine-koenig@pengutronix.de>, "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250821133244.715359-1-sashal@kernel.org>
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit cb020bf52253327fe382e10bcae02a4f1da33c04 ]
+
+The .remove() callback for a platform driver returns an int which makes
+many driver authors wrongly assume it's possible to do error handling by
+returning an error code. However the value returned is (mostly) ignored
+and this typically results in resource leaks. To improve here there is a
+quest to make the remove callback return void. In the first step of this
+quest all drivers are converted to .remove_new() which already returns
+void.
+
+Trivially convert this driver from always returning zero in the remove
+callback to the void returning variant.
+
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Link: https://lore.kernel.org/r/20230405141009.3400693-8-u.kleine-koenig@pengutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: 1473e9e7679b ("usb: musb: omap2430: fix device leak at unbind")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/musb/omap2430.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/musb/omap2430.c
++++ b/drivers/usb/musb/omap2430.c
+@@ -471,14 +471,12 @@ err0:
+ return ret;
+ }
+
+-static int omap2430_remove(struct platform_device *pdev)
++static void omap2430_remove(struct platform_device *pdev)
+ {
+ struct omap2430_glue *glue = platform_get_drvdata(pdev);
+
+ platform_device_unregister(glue->musb);
+ pm_runtime_disable(glue->dev);
+-
+- return 0;
+ }
+
+ #ifdef CONFIG_PM
+@@ -610,7 +608,7 @@ MODULE_DEVICE_TABLE(of, omap2430_id_tabl
+
+ static struct platform_driver omap2430_driver = {
+ .probe = omap2430_probe,
+- .remove = omap2430_remove,
++ .remove_new = omap2430_remove,
+ .driver = {
+ .name = "musb-omap2430",
+ .pm = DEV_PM_OPS,
--- /dev/null
+From sashal@kernel.org Thu Aug 21 15:32:48 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Aug 2025 09:32:43 -0400
+Subject: usb: musb: omap2430: fix device leak at unbind
+To: stable@vger.kernel.org
+Cc: Johan Hovold <johan@kernel.org>, Roger Quadros <rogerq@kernel.org>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250821133244.715359-2-sashal@kernel.org>
+
+From: Johan Hovold <johan@kernel.org>
+
+[ Upstream commit 1473e9e7679bd4f5a62d1abccae894fb86de280f ]
+
+Make sure to drop the reference to the control device taken by
+of_find_device_by_node() during probe when the driver is unbound.
+
+Fixes: 8934d3e4d0e7 ("usb: musb: omap2430: Don't use omap_get_control_dev()")
+Cc: stable@vger.kernel.org # 3.13
+Cc: Roger Quadros <rogerq@kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20250724091910.21092-5-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/musb/omap2430.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/musb/omap2430.c
++++ b/drivers/usb/musb/omap2430.c
+@@ -400,7 +400,7 @@ static int omap2430_probe(struct platfor
+ ret = platform_device_add_resources(musb, pdev->resource, pdev->num_resources);
+ if (ret) {
+ dev_err(&pdev->dev, "failed to add resources\n");
+- goto err2;
++ goto err_put_control_otghs;
+ }
+
+ if (populate_irqs) {
+@@ -413,7 +413,7 @@ static int omap2430_probe(struct platfor
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ if (!res) {
+ ret = -EINVAL;
+- goto err2;
++ goto err_put_control_otghs;
+ }
+
+ musb_res[i].start = res->start;
+@@ -441,14 +441,14 @@ static int omap2430_probe(struct platfor
+ ret = platform_device_add_resources(musb, musb_res, i);
+ if (ret) {
+ dev_err(&pdev->dev, "failed to add IRQ resources\n");
+- goto err2;
++ goto err_put_control_otghs;
+ }
+ }
+
+ ret = platform_device_add_data(musb, pdata, sizeof(*pdata));
+ if (ret) {
+ dev_err(&pdev->dev, "failed to add platform_data\n");
+- goto err2;
++ goto err_put_control_otghs;
+ }
+
+ pm_runtime_enable(glue->dev);
+@@ -463,7 +463,9 @@ static int omap2430_probe(struct platfor
+
+ err3:
+ pm_runtime_disable(glue->dev);
+-
++err_put_control_otghs:
++ if (!IS_ERR(glue->control_otghs))
++ put_device(glue->control_otghs);
+ err2:
+ platform_device_put(musb);
+
+@@ -477,6 +479,8 @@ static void omap2430_remove(struct platf
+
+ platform_device_unregister(glue->musb);
+ pm_runtime_disable(glue->dev);
++ if (!IS_ERR(glue->control_otghs))
++ put_device(glue->control_otghs);
+ }
+
+ #ifdef CONFIG_PM
--- /dev/null
+From sashal@kernel.org Mon Aug 18 22:30:30 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Aug 2025 16:30:26 -0400
+Subject: usb: typec: fusb302: cache PD RX state
+To: stable@vger.kernel.org
+Cc: Sebastian Reichel <sebastian.reichel@collabora.com>, stable <stable@kernel.org>, Heikki Krogerus <heikki.krogerus@linux.intel.com>, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250818203026.76749-1-sashal@kernel.org>
+
+From: Sebastian Reichel <sebastian.reichel@collabora.com>
+
+[ Upstream commit 1e61f6ab08786d66a11cfc51e13d6f08a6b06c56 ]
+
+This patch fixes a race condition communication error, which ends up in
+PD hard resets when losing the race. Some systems, like the Radxa ROCK
+5B are powered through USB-C without any backup power source and use a
+FUSB302 chip to do the PD negotiation. This means it is quite important
+to avoid hard resets, since that effectively kills the system's
+power-supply.
+
+I've found the following race condition while debugging unplanned power
+loss during booting the board every now and then:
+
+1. lots of TCPM/FUSB302/PD initialization stuff
+2. TCPM ends up in SNK_WAIT_CAPABILITIES (tcpm_set_pd_rx is enabled here)
+3. the remote PD source does not send anything, so TCPM does a SOFT RESET
+4. TCPM ends up in SNK_WAIT_CAPABILITIES for the second time
+ (tcpm_set_pd_rx is enabled again, even though it is still on)
+
+At this point I've seen broken CRC good messages being send by the
+FUSB302 with a logic analyzer sniffing the CC lines. Also it looks like
+messages are being lost and things generally going haywire with one of
+the two sides doing a hard reset once a broken CRC good message was send
+to the bus.
+
+I think the system is running into a race condition, that the FIFOs are
+being cleared and/or the automatic good CRC message generation flag is
+being updated while a message is already arriving.
+
+Let's avoid this by caching the PD RX enabled state, as we have already
+processed anything in the FIFOs and are in a good state. As a side
+effect that this also optimizes I2C bus usage :)
+
+As far as I can tell the problem theoretically also exists when TCPM
+enters SNK_WAIT_CAPABILITIES the first time, but I believe this is less
+critical for the following reason:
+
+On devices like the ROCK 5B, which are powered through a TCPM backed
+USB-C port, the bootloader must have done some prior PD communication
+(initial communication must happen within 5 seconds after plugging the
+USB-C plug). This means the first time the kernel TCPM state machine
+reaches SNK_WAIT_CAPABILITIES, the remote side is not sending messages
+actively. On other devices a hard reset simply adds some extra delay and
+things should be good afterwards.
+
+Fixes: c034a43e72dda ("staging: typec: Fairchild FUSB302 Type-c chip driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20250704-fusb302-race-condition-fix-v1-1-239012c0e27a@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[ Adjust context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/tcpm/fusb302.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/usb/typec/tcpm/fusb302.c
++++ b/drivers/usb/typec/tcpm/fusb302.c
+@@ -103,6 +103,7 @@ struct fusb302_chip {
+ bool vconn_on;
+ bool vbus_on;
+ bool charge_on;
++ bool pd_rx_on;
+ bool vbus_present;
+ enum typec_cc_polarity cc_polarity;
+ enum typec_cc_status cc1;
+@@ -841,6 +842,11 @@ static int tcpm_set_pd_rx(struct tcpc_de
+ int ret = 0;
+
+ mutex_lock(&chip->lock);
++ if (chip->pd_rx_on == on) {
++ fusb302_log(chip, "pd is already %s", str_on_off(on));
++ goto done;
++ }
++
+ ret = fusb302_pd_rx_flush(chip);
+ if (ret < 0) {
+ fusb302_log(chip, "cannot flush pd rx buffer, ret=%d", ret);
+@@ -863,6 +869,8 @@ static int tcpm_set_pd_rx(struct tcpc_de
+ on ? "on" : "off", ret);
+ goto done;
+ }
++
++ chip->pd_rx_on = on;
+ fusb302_log(chip, "pd := %s", on ? "on" : "off");
+ done:
+ mutex_unlock(&chip->lock);
--- /dev/null
+From stable+bounces-164358-greg=kroah.com@vger.kernel.org Wed Jul 23 04:30:26 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Jul 2025 22:30:16 -0400
+Subject: x86/mce/amd: Add default names for MCA banks and blocks
+To: stable@vger.kernel.org
+Cc: Yazen Ghannam <yazen.ghannam@amd.com>, Borislav Petkov <bp@alien8.de>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250723023016.1031080-1-sashal@kernel.org>
+
+From: Yazen Ghannam <yazen.ghannam@amd.com>
+
+[ Upstream commit d66e1e90b16055d2f0ee76e5384e3f119c3c2773 ]
+
+Ensure that sysfs init doesn't fail for new/unrecognized bank types or if
+a bank has additional blocks available.
+
+Most MCA banks have a single thresholding block, so the block takes the same
+name as the bank.
+
+Unified Memory Controllers (UMCs) are a special case where there are two
+blocks and each has a unique name.
+
+However, the microarchitecture allows for five blocks. Any new MCA bank types
+with more than one block will be missing names for the extra blocks. The MCE
+sysfs will fail to initialize in this case.
+
+Fixes: 87a6d4091bd7 ("x86/mce/AMD: Update sysfs bank names for SMCA systems")
+Signed-off-by: Yazen Ghannam <yazen.ghannam@amd.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/20250624-wip-mca-updates-v4-3-236dd74f645f@amd.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/cpu/mce/amd.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/cpu/mce/amd.c
++++ b/arch/x86/kernel/cpu/mce/amd.c
+@@ -1052,13 +1052,20 @@ static const char *get_name(unsigned int
+ }
+
+ bank_type = smca_get_bank_type(cpu, bank);
+- if (bank_type >= N_SMCA_BANK_TYPES)
+- return NULL;
+
+ if (b && bank_type == SMCA_UMC) {
+ if (b->block < ARRAY_SIZE(smca_umc_block_names))
+ return smca_umc_block_names[b->block];
+- return NULL;
++ }
++
++ if (b && b->block) {
++ snprintf(buf_mcatype, MAX_MCATYPE_NAME_LEN, "th_block_%u", b->block);
++ return buf_mcatype;
++ }
++
++ if (bank_type >= N_SMCA_BANK_TYPES) {
++ snprintf(buf_mcatype, MAX_MCATYPE_NAME_LEN, "th_bank_%u", bank);
++ return buf_mcatype;
+ }
+
+ if (per_cpu(smca_bank_counts, cpu)[bank_type] == 1)
--- /dev/null
+From stable+bounces-171740-greg=kroah.com@vger.kernel.org Tue Aug 19 05:06:15 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Aug 2025 23:06:06 -0400
+Subject: xfs: fully decouple XFS_IBULK* flags from XFS_IWALK* flags
+To: stable@vger.kernel.org
+Cc: Christoph Hellwig <hch@lst.de>, cen zhang <zzzccc427@gmail.com>, "Darrick J. Wong" <djwong@kernel.org>, Carlos Maiolino <cem@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250819030606.304788-1-sashal@kernel.org>
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit d2845519b0723c5d5a0266cbf410495f9b8fd65c ]
+
+Fix up xfs_inumbers to now pass in the XFS_IBULK* flags into the flags
+argument to xfs_inobt_walk, which expects the XFS_IWALK* flags.
+
+Currently passing the wrong flags works for non-debug builds because
+the only XFS_IWALK* flag has the same encoding as the corresponding
+XFS_IBULK* flag, but in debug builds it can trigger an assert that no
+incorrect flag is passed. Instead just extra the relevant flag.
+
+Fixes: 5b35d922c52798 ("xfs: Decouple XFS_IBULK flags from XFS_IWALK flags")
+Cc: <stable@vger.kernel.org> # v5.19
+Reported-by: cen zhang <zzzccc427@gmail.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Darrick J. Wong <djwong@kernel.org>
+Signed-off-by: Carlos Maiolino <cem@kernel.org>
+[ Adjust context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xfs/xfs_itable.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/fs/xfs/xfs_itable.c
++++ b/fs/xfs/xfs_itable.c
+@@ -422,11 +422,15 @@ xfs_inumbers(
+ .breq = breq,
+ };
+ struct xfs_trans *tp;
++ unsigned int iwalk_flags = 0;
+ int error = 0;
+
+ if (xfs_bulkstat_already_done(breq->mp, breq->startino))
+ return 0;
+
++ if (breq->flags & XFS_IBULK_SAME_AG)
++ iwalk_flags |= XFS_IWALK_SAME_AG;
++
+ /*
+ * Grab an empty transaction so that we can use its recursive buffer
+ * locking abilities to detect cycles in the inobt without deadlocking.
+@@ -435,7 +439,7 @@ xfs_inumbers(
+ if (error)
+ goto out;
+
+- error = xfs_inobt_walk(breq->mp, tp, breq->startino, breq->flags,
++ error = xfs_inobt_walk(breq->mp, tp, breq->startino, iwalk_flags,
+ xfs_inumbers_walk, breq->icount, &ic);
+ xfs_trans_cancel(tp);
+ out:
projects / thirdparty / kernel / stable-queue.git / commitdiff
