--- /dev/null
+From 0060beec0bfa647c4b510df188b1c4673a197839 Mon Sep 17 00:00:00 2001
+From: Damien Le Moal <dlemoal@kernel.org>
+Date: Mon, 28 Jul 2025 13:04:29 +0900
+Subject: ata: libata-sata: Add link_power_management_supported sysfs attribute
+
+From: Damien Le Moal <dlemoal@kernel.org>
+
+commit 0060beec0bfa647c4b510df188b1c4673a197839 upstream.
+
+A port link power management (LPM) policy can be controlled using the
+link_power_management_policy sysfs host attribute. However, this
+attribute exists also for hosts that do not support LPM and in such
+case, attempting to change the LPM policy for the host (port) will fail
+with -EOPNOTSUPP.
+
+Introduce the new sysfs link_power_management_supported host attribute
+to indicate to the user if a the port and the devices connected to the
+port for the host support LPM, which implies that the
+link_power_management_policy attribute can be used.
+
+Since checking that a port and its devices support LPM is common between
+the new ata_scsi_lpm_supported_show() function and the existing
+ata_scsi_lpm_store() function, the new helper ata_scsi_lpm_supported()
+is introduced.
+
+Fixes: 413e800cadbf ("ata: libata-sata: Disallow changing LPM state if not supported")
+Reported-by: Borah, Chaitanya Kumar <chaitanya.kumar.borah@intel.com>
+Reported-by: kernel test robot <oliver.sang@intel.com>
+Closes: https://lore.kernel.org/oe-lkp/202507251014.a5becc3b-lkp@intel.com
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/ata_piix.c | 1
+ drivers/ata/libahci.c | 1
+ drivers/ata/libata-sata.c | 53 +++++++++++++++++++++++++++++++++++-----------
+ include/linux/libata.h | 1
+ 4 files changed, 44 insertions(+), 12 deletions(-)
+
+--- a/drivers/ata/ata_piix.c
++++ b/drivers/ata/ata_piix.c
+@@ -1089,6 +1089,7 @@ static struct ata_port_operations ich_pa
+ };
+
+ static struct attribute *piix_sidpr_shost_attrs[] = {
++ &dev_attr_link_power_management_supported.attr,
+ &dev_attr_link_power_management_policy.attr,
+ NULL
+ };
+--- a/drivers/ata/libahci.c
++++ b/drivers/ata/libahci.c
+@@ -111,6 +111,7 @@ static DEVICE_ATTR(em_buffer, S_IWUSR |
+ static DEVICE_ATTR(em_message_supported, S_IRUGO, ahci_show_em_supported, NULL);
+
+ static struct attribute *ahci_shost_attrs[] = {
++ &dev_attr_link_power_management_supported.attr,
+ &dev_attr_link_power_management_policy.attr,
+ &dev_attr_em_message_type.attr,
+ &dev_attr_em_message.attr,
+--- a/drivers/ata/libata-sata.c
++++ b/drivers/ata/libata-sata.c
+@@ -900,14 +900,52 @@ static const char *ata_lpm_policy_names[
+ [ATA_LPM_MIN_POWER] = "min_power",
+ };
+
++/*
++ * Check if a port supports link power management.
++ * Must be called with the port locked.
++ */
++static bool ata_scsi_lpm_supported(struct ata_port *ap)
++{
++ struct ata_link *link;
++ struct ata_device *dev;
++
++ if (ap->flags & ATA_FLAG_NO_LPM)
++ return false;
++
++ ata_for_each_link(link, ap, EDGE) {
++ ata_for_each_dev(dev, &ap->link, ENABLED) {
++ if (dev->quirks & ATA_QUIRK_NOLPM)
++ return false;
++ }
++ }
++
++ return true;
++}
++
++static ssize_t ata_scsi_lpm_supported_show(struct device *dev,
++ struct device_attribute *attr, char *buf)
++{
++ struct Scsi_Host *shost = class_to_shost(dev);
++ struct ata_port *ap = ata_shost_to_port(shost);
++ unsigned long flags;
++ bool supported;
++
++ spin_lock_irqsave(ap->lock, flags);
++ supported = ata_scsi_lpm_supported(ap);
++ spin_unlock_irqrestore(ap->lock, flags);
++
++ return sysfs_emit(buf, "%d\n", supported);
++}
++DEVICE_ATTR(link_power_management_supported, S_IRUGO,
++ ata_scsi_lpm_supported_show, NULL);
++EXPORT_SYMBOL_GPL(dev_attr_link_power_management_supported);
++
+ static ssize_t ata_scsi_lpm_store(struct device *device,
+ struct device_attribute *attr,
+ const char *buf, size_t count)
+ {
+ struct Scsi_Host *shost = class_to_shost(device);
+ struct ata_port *ap = ata_shost_to_port(shost);
+- struct ata_link *link;
+- struct ata_device *dev;
+ enum ata_lpm_policy policy;
+ unsigned long flags;
+
+@@ -924,20 +962,11 @@ static ssize_t ata_scsi_lpm_store(struct
+
+ spin_lock_irqsave(ap->lock, flags);
+
+- if (ap->flags & ATA_FLAG_NO_LPM) {
++ if (!ata_scsi_lpm_supported(ap)) {
+ count = -EOPNOTSUPP;
+ goto out_unlock;
+ }
+
+- ata_for_each_link(link, ap, EDGE) {
+- ata_for_each_dev(dev, &ap->link, ENABLED) {
+- if (dev->quirks & ATA_QUIRK_NOLPM) {
+- count = -EOPNOTSUPP;
+- goto out_unlock;
+- }
+- }
+- }
+-
+ ap->target_lpm_policy = policy;
+ ata_port_schedule_eh(ap);
+ out_unlock:
+--- a/include/linux/libata.h
++++ b/include/linux/libata.h
+@@ -534,6 +534,7 @@ typedef void (*ata_postreset_fn_t)(struc
+
+ extern struct device_attribute dev_attr_unload_heads;
+ #ifdef CONFIG_SATA_HOST
++extern struct device_attribute dev_attr_link_power_management_supported;
+ extern struct device_attribute dev_attr_link_power_management_policy;
+ extern struct device_attribute dev_attr_ncq_prio_supported;
+ extern struct device_attribute dev_attr_ncq_prio_enable;
--- /dev/null
+From 675f940576351bb049f5677615140b9d0a7712d0 Mon Sep 17 00:00:00 2001
+From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Date: Thu, 17 Jul 2025 19:35:39 +0900
+Subject: dm: split write BIOs on zone boundaries when zone append is not emulated
+
+From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+
+commit 675f940576351bb049f5677615140b9d0a7712d0 upstream.
+
+Commit 2df7168717b7 ("dm: Always split write BIOs to zoned device
+limits") updates the device-mapper driver to perform splits for the
+write BIOs. However, it did not address the cases where DM targets do
+not emulate zone append, such as in the cases of dm-linear or dm-flakey.
+For these targets, when the write BIOs span across zone boundaries, they
+trigger WARN_ON_ONCE(bio_straddles_zones(bio)) in
+blk_zone_wplug_handle_write(). This results in I/O errors. The errors
+are reproduced by running blktests test case zbd/004 using zoned
+dm-linear or dm-flakey devices.
+
+To avoid the I/O errors, handle the write BIOs regardless whether DM
+targets emulate zone append or not, so that all write BIOs are split at
+zone boundaries. For that purpose, drop the check for zone append
+emulation in dm_zone_bio_needs_split(). Its argument 'md' is no longer
+used then drop it also.
+
+Fixes: 2df7168717b7 ("dm: Always split write BIOs to zoned device limits")
+Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Mikulas Patocka <mpatocka@redhat.com>
+Link: https://lore.kernel.org/r/20250717103539.37279-1-shinichiro.kawasaki@wdc.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm.c | 18 +++++++-----------
+ 1 file changed, 7 insertions(+), 11 deletions(-)
+
+--- a/drivers/md/dm.c
++++ b/drivers/md/dm.c
+@@ -1776,8 +1776,7 @@ static void init_clone_info(struct clone
+ }
+
+ #ifdef CONFIG_BLK_DEV_ZONED
+-static inline bool dm_zone_bio_needs_split(struct mapped_device *md,
+- struct bio *bio)
++static inline bool dm_zone_bio_needs_split(struct bio *bio)
+ {
+ /*
+ * Special case the zone operations that cannot or should not be split.
+@@ -1793,13 +1792,11 @@ static inline bool dm_zone_bio_needs_spl
+ }
+
+ /*
+- * Mapped devices that require zone append emulation will use the block
+- * layer zone write plugging. In such case, we must split any large BIO
+- * to the mapped device limits to avoid potential deadlocks with queue
+- * freeze operations.
++ * When mapped devices use the block layer zone write plugging, we must
++ * split any large BIO to the mapped device limits to not submit BIOs
++ * that span zone boundaries and to avoid potential deadlocks with
++ * queue freeze operations.
+ */
+- if (!dm_emulate_zone_append(md))
+- return false;
+ return bio_needs_zone_write_plugging(bio) || bio_straddles_zones(bio);
+ }
+
+@@ -1923,8 +1920,7 @@ static blk_status_t __send_zone_reset_al
+ }
+
+ #else
+-static inline bool dm_zone_bio_needs_split(struct mapped_device *md,
+- struct bio *bio)
++static inline bool dm_zone_bio_needs_split(struct bio *bio)
+ {
+ return false;
+ }
+@@ -1951,7 +1947,7 @@ static void dm_split_and_process_bio(str
+
+ is_abnormal = is_abnormal_io(bio);
+ if (static_branch_unlikely(&zoned_enabled)) {
+- need_split = is_abnormal || dm_zone_bio_needs_split(md, bio);
++ need_split = is_abnormal || dm_zone_bio_needs_split(bio);
+ } else {
+ need_split = is_abnormal;
+ }
--- /dev/null
+From 2d418e4fd9f1eca7dfce80de86dd702d36a06a25 Mon Sep 17 00:00:00 2001
+From: Ivan Lipski <ivan.lipski@amd.com>
+Date: Thu, 17 Jul 2025 13:58:35 -0400
+Subject: drm/amd/display: Allow DCN301 to clear update flags
+
+From: Ivan Lipski <ivan.lipski@amd.com>
+
+commit 2d418e4fd9f1eca7dfce80de86dd702d36a06a25 upstream.
+
+[Why & How]
+Not letting DCN301 to clear after surface/stream update results
+in artifacts when switching between active overlay planes. The issue
+is known and has been solved initially. See below:
+(https://gitlab.freedesktop.org/drm/amd/-/issues/3441)
+
+Fixes: f354556e29f4 ("drm/amd/display: limit clear_update_flags t dcn32 and above")
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Ivan Lipski <ivan.lipski@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/dc/core/dc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/display/dc/core/dc.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc.c
+@@ -5439,7 +5439,8 @@ bool dc_update_planes_and_stream(struct
+ else
+ ret = update_planes_and_stream_v2(dc, srf_updates,
+ surface_count, stream, stream_update);
+- if (ret && dc->ctx->dce_version >= DCN_VERSION_3_2)
++ if (ret && (dc->ctx->dce_version >= DCN_VERSION_3_2 ||
++ dc->ctx->dce_version == DCN_VERSION_3_01))
+ clear_update_flags(srf_updates, surface_count, stream);
+
+ return ret;
--- /dev/null
+From 62d6b81e8bd207ad44eff39d1a0fe17f0df510a5 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Wed, 9 Jul 2025 09:01:01 +0200
+Subject: firmware: arm_scmi: Convert to SYSTEM_SLEEP_PM_OPS
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 62d6b81e8bd207ad44eff39d1a0fe17f0df510a5 upstream.
+
+The old SET_SYSTEM_SLEEP_PM_OPS() macro leads to a warning about an
+unused function:
+
+ | drivers/firmware/arm_scmi/scmi_power_control.c:363:12: error:
+ | 'scmi_system_power_resume' defined but not used [-Werror=unused-function]
+ | static int scmi_system_power_resume(struct device *dev)
+
+The proper way to do this these days is to use SYSTEM_SLEEP_PM_OPS()
+and pm_sleep_ptr().
+
+Fixes: 9a0658d3991e ("firmware: arm_scmi: power_control: Ensure SCMI_SYSPOWER_IDLE is set early during resume")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Peng Fan <peng.fan@nxp.com>
+Message-Id: <20250709070107.1388512-1-arnd@kernel.org>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/arm_scmi/scmi_power_control.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/firmware/arm_scmi/scmi_power_control.c
++++ b/drivers/firmware/arm_scmi/scmi_power_control.c
+@@ -369,7 +369,7 @@ static int scmi_system_power_resume(stru
+ }
+
+ static const struct dev_pm_ops scmi_system_power_pmops = {
+- SET_SYSTEM_SLEEP_PM_OPS(NULL, scmi_system_power_resume)
++ SYSTEM_SLEEP_PM_OPS(NULL, scmi_system_power_resume)
+ };
+
+ static const struct scmi_device_id scmi_id_table[] = {
+@@ -380,7 +380,7 @@ MODULE_DEVICE_TABLE(scmi, scmi_id_table)
+
+ static struct scmi_driver scmi_system_power_driver = {
+ .driver = {
+- .pm = &scmi_system_power_pmops,
++ .pm = pm_sleep_ptr(&scmi_system_power_pmops),
+ },
+ .name = "scmi-system-power",
+ .probe = scmi_syspower_probe,
--- /dev/null
+From 825aea662b492571877b32aeeae13689fd9fbee4 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Mon, 7 Jul 2025 16:46:30 -0600
+Subject: io_uring/rw: cast rw->flags assignment to rwf_t
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit 825aea662b492571877b32aeeae13689fd9fbee4 upstream.
+
+kernel test robot reports that a recent change of the sqe->rw_flags
+field throws a sparse warning on 32-bit archs:
+
+>> io_uring/rw.c:291:19: sparse: sparse: incorrect type in assignment (different base types) @@ expected restricted __kernel_rwf_t [usertype] flags @@ got unsigned int @@
+ io_uring/rw.c:291:19: sparse: expected restricted __kernel_rwf_t [usertype] flags
+ io_uring/rw.c:291:19: sparse: got unsigned int
+
+Force cast it to rwf_t to silence that new sparse warning.
+
+Fixes: cf73d9970ea4 ("io_uring: don't use int for ABI")
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202507032211.PwSNPNSP-lkp@intel.com/
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/rw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/io_uring/rw.c
++++ b/io_uring/rw.c
+@@ -288,7 +288,7 @@ static int __io_prep_rw(struct io_kiocb
+
+ rw->addr = READ_ONCE(sqe->addr);
+ rw->len = READ_ONCE(sqe->len);
+- rw->flags = READ_ONCE(sqe->rw_flags);
++ rw->flags = (__force rwf_t) READ_ONCE(sqe->rw_flags);
+
+ attr_type_mask = READ_ONCE(sqe->attr_type_mask);
+ if (attr_type_mask) {
--- /dev/null
+From 6bbd3411ff87df1ca38ff32d36eb5dc673ca8021 Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov <asml.silence@gmail.com>
+Date: Mon, 21 Jul 2025 10:56:21 +0100
+Subject: io_uring/zcrx: don't leak pages on account failure
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+commit 6bbd3411ff87df1ca38ff32d36eb5dc673ca8021 upstream.
+
+Someone needs to release pinned pages in io_import_umem() if accounting
+fails. Assign them to the area but return an error, the following
+io_zcrx_free_area() will clean them up.
+
+Fixes: 262ab205180d2 ("io_uring/zcrx: account area memory")
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://lore.kernel.org/r/e19f283a912f200c0d427e376cb789fc3f3d69bc.1753091564.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/zcrx.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/io_uring/zcrx.c
++++ b/io_uring/zcrx.c
+@@ -187,15 +187,13 @@ static int io_import_umem(struct io_zcrx
+
+ mem->account_pages = io_count_account_pages(pages, nr_pages);
+ ret = io_account_mem(ifq->ctx, mem->account_pages);
+- if (ret < 0) {
++ if (ret < 0)
+ mem->account_pages = 0;
+- return ret;
+- }
+
+ mem->pages = pages;
+ mem->nr_folios = nr_pages;
+ mem->size = area_reg->len;
+- return 0;
++ return ret;
+ }
+
+ static void io_release_area_mem(struct io_zcrx_mem *mem)
--- /dev/null
+From 720df2310b89cf76c1dc1a05902536282506f8bf Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov <asml.silence@gmail.com>
+Date: Mon, 21 Jul 2025 10:56:20 +0100
+Subject: io_uring/zcrx: fix null ifq on area destruction
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+commit 720df2310b89cf76c1dc1a05902536282506f8bf upstream.
+
+Dan reports that ifq can be null when infering arguments for
+io_unaccount_mem() from io_zcrx_free_area(). Fix it by always setting a
+correct ifq.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Closes: https://lore.kernel.org/r/202507180628.gBxrOgqr-lkp@intel.com/
+Fixes: 262ab205180d2 ("io_uring/zcrx: account area memory")
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://lore.kernel.org/r/20670d163bb90dba2a81a4150f1125603cefb101.1753091564.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/zcrx.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/io_uring/zcrx.c
++++ b/io_uring/zcrx.c
+@@ -394,8 +394,7 @@ static void io_free_rbuf_ring(struct io_
+
+ static void io_zcrx_free_area(struct io_zcrx_area *area)
+ {
+- if (area->ifq)
+- io_zcrx_unmap_area(area->ifq, area);
++ io_zcrx_unmap_area(area->ifq, area);
+ io_release_area_mem(&area->mem);
+
+ if (area->mem.account_pages)
+@@ -428,6 +427,7 @@ static int io_zcrx_create_area(struct io
+ area = kzalloc(sizeof(*area), GFP_KERNEL);
+ if (!area)
+ goto err;
++ area->ifq = ifq;
+
+ ret = io_import_area(ifq, &area->mem, area_reg);
+ if (ret)
+@@ -462,7 +462,6 @@ static int io_zcrx_create_area(struct io
+ }
+
+ area->free_count = nr_iovs;
+- area->ifq = ifq;
+ /* we're only supporting one area per ifq for now */
+ area->area_id = 0;
+ area_reg->rq_area_token = (u64)area->area_id << IORING_ZCRX_AREA_SHIFT;
--- /dev/null
+From 9f7488f24c7571d349d938061e0ede7a39b65d6b Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Wed, 6 Aug 2025 16:53:18 +0200
+Subject: irqchip/mvebu-gicp: Use resource_size() for ioremap()
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 9f7488f24c7571d349d938061e0ede7a39b65d6b upstream.
+
+0-day reported an off by one in the ioremap() sizing:
+
+ drivers/irqchip/irq-mvebu-gicp.c:240:45-48: WARNING:
+ Suspicious code. resource_size is maybe missing with gicp -> res
+
+Convert it to resource_size(), which does the right thing.
+
+Fixes: 3c3d7dbab2c7 ("irqchip/mvebu-gicp: Clear pending interrupts on init")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Closes: https://lore.kernel.org/oe-kbuild-all/202508062150.mtFQMTXc-lkp@intel.com/
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/irq-mvebu-gicp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/irqchip/irq-mvebu-gicp.c
++++ b/drivers/irqchip/irq-mvebu-gicp.c
+@@ -237,7 +237,7 @@ static int mvebu_gicp_probe(struct platf
+ return -ENODEV;
+ }
+
+- base = ioremap(gicp->res->start, gicp->res->end - gicp->res->start);
++ base = ioremap(gicp->res->start, resource_size(gicp->res));
+ if (IS_ERR(base)) {
+ dev_err(&pdev->dev, "ioremap() failed. Unable to clear pending interrupts.\n");
+ } else {
--- /dev/null
+From 1df1fc845d221eb646539836dbf509eb96b41afd Mon Sep 17 00:00:00 2001
+From: Yu Kuai <yukuai3@huawei.com>
+Date: Wed, 30 Jul 2025 15:33:21 +0800
+Subject: md: fix create on open mddev lifetime regression
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+commit 1df1fc845d221eb646539836dbf509eb96b41afd upstream.
+
+Commit 9e59d609763f ("md: call del_gendisk in control path") moves
+setting MD_DELETED from __mddev_put() to do_md_stop(), however, for the
+case create on open, mddev can be freed without do_md_stop():
+
+1) open
+
+md_probe
+ md_alloc_and_put
+ md_alloc
+ mddev_alloc
+ atomic_set(&mddev->active, 1);
+ mddev->hold_active = UNTIL_IOCTL
+ mddev_put
+ atomic_dec_and_test(&mddev->active)
+ if (mddev->hold_active)
+ -> active is 0, hold_active is set
+md_open
+ mddev_get
+ atomic_inc(&mddev->active);
+
+2) ioctl that is not STOP_ARRAY, for example, GET_ARRAY_INFO:
+
+md_ioctl
+ mddev->hold_active = 0
+
+3) close
+
+md_release
+ mddev_put(mddev);
+ atomic_dec_and_lock(&mddev->active, &all_mddevs_lock)
+ __mddev_put
+ -> hold_active is cleared, mddev will be freed
+ queue_work(md_misc_wq, &mddev->del_work)
+
+Now that MD_DELETED is not set, before mddev is freed by
+mddev_delayed_delete(), md_open can still succeed and break mddev
+lifetime, causing mddev->kobj refcount underflow or mddev uaf
+problem.
+
+Fix this problem by setting MD_DELETED before queuing del_work.
+
+Reported-by: syzbot+9921e319bd6168140b40@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/68894408.a00a0220.26d0e1.0012.GAE@google.com/
+Reported-by: syzbot+fa3a12519f0d3fd4ec16@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/68894408.a00a0220.26d0e1.0013.GAE@google.com/
+Fixes: 9e59d609763f ("md: call del_gendisk in control path")
+Link: https://lore.kernel.org/linux-raid/20250730073321.2583158-1-yukuai1@huaweicloud.com
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Reviewed-by: Xiao Ni <xni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/md.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -637,6 +637,12 @@ static void __mddev_put(struct mddev *md
+ return;
+
+ /*
++ * If array is freed by stopping array, MD_DELETED is set by
++ * do_md_stop(), MD_DELETED is still set here in case mddev is freed
++ * directly by closing a mddev that is created by create_on_open.
++ */
++ set_bit(MD_DELETED, &mddev->flags);
++ /*
+ * Call queue_work inside the spinlock so that flush_workqueue() after
+ * mddev_find will succeed in waiting for the work to be done.
+ */
--- /dev/null
+From 61399e0c5410567ef60cb1cda34cca42903842e3 Mon Sep 17 00:00:00 2001
+From: Frederic Weisbecker <frederic@kernel.org>
+Date: Fri, 8 Aug 2025 19:03:22 +0200
+Subject: rcu: Fix racy re-initialization of irq_work causing hangs
+
+From: Frederic Weisbecker <frederic@kernel.org>
+
+commit 61399e0c5410567ef60cb1cda34cca42903842e3 upstream.
+
+RCU re-initializes the deferred QS irq work everytime before attempting
+to queue it. However there are situations where the irq work is
+attempted to be queued even though it is already queued. In that case
+re-initializing messes-up with the irq work queue that is about to be
+handled.
+
+The chances for that to happen are higher when the architecture doesn't
+support self-IPIs and irq work are then all lazy, such as with the
+following sequence:
+
+1) rcu_read_unlock() is called when IRQs are disabled and there is a
+ grace period involving blocked tasks on the node. The irq work
+ is then initialized and queued.
+
+2) The related tasks are unblocked and the CPU quiescent state
+ is reported. rdp->defer_qs_iw_pending is reset to DEFER_QS_IDLE,
+ allowing the irq work to be requeued in the future (note the previous
+ one hasn't fired yet).
+
+3) A new grace period starts and the node has blocked tasks.
+
+4) rcu_read_unlock() is called when IRQs are disabled again. The irq work
+ is re-initialized (but it's queued! and its node is cleared) and
+ requeued. Which means it's requeued to itself.
+
+5) The irq work finally fires with the tick. But since it was requeued
+ to itself, it loops and hangs.
+
+Fix this with initializing the irq work only once before the CPU boots.
+
+Fixes: b41642c87716 ("rcu: Fix rcu_read_unlock() deadloop due to IRQ work")
+Reported-by: kernel test robot <oliver.sang@intel.com>
+Closes: https://lore.kernel.org/oe-lkp/202508071303.c1134cce-lkp@intel.com
+Signed-off-by: Frederic Weisbecker <frederic@kernel.org>
+Reviewed-by: Joel Fernandes <joelagnelf@nvidia.com>
+Signed-off-by: Neeraj Upadhyay (AMD) <neeraj.upadhyay@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/rcu/tree.c | 2 ++
+ kernel/rcu/tree.h | 1 +
+ kernel/rcu/tree_plugin.h | 8 ++++++--
+ 3 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/kernel/rcu/tree.c
++++ b/kernel/rcu/tree.c
+@@ -4233,6 +4233,8 @@ int rcutree_prepare_cpu(unsigned int cpu
+ rdp->rcu_iw_gp_seq = rdp->gp_seq - 1;
+ trace_rcu_grace_period(rcu_state.name, rdp->gp_seq, TPS("cpuonl"));
+ raw_spin_unlock_irqrestore_rcu_node(rnp, flags);
++
++ rcu_preempt_deferred_qs_init(rdp);
+ rcu_spawn_rnp_kthreads(rnp);
+ rcu_spawn_cpu_nocb_kthread(cpu);
+ ASSERT_EXCLUSIVE_WRITER(rcu_state.n_online_cpus);
+--- a/kernel/rcu/tree.h
++++ b/kernel/rcu/tree.h
+@@ -488,6 +488,7 @@ static int rcu_print_task_exp_stall(stru
+ static void rcu_preempt_check_blocked_tasks(struct rcu_node *rnp);
+ static void rcu_flavor_sched_clock_irq(int user);
+ static void dump_blkd_tasks(struct rcu_node *rnp, int ncheck);
++static void rcu_preempt_deferred_qs_init(struct rcu_data *rdp);
+ static void rcu_initiate_boost(struct rcu_node *rnp, unsigned long flags);
+ static void rcu_preempt_boost_start_gp(struct rcu_node *rnp);
+ static bool rcu_is_callbacks_kthread(struct rcu_data *rdp);
+--- a/kernel/rcu/tree_plugin.h
++++ b/kernel/rcu/tree_plugin.h
+@@ -699,8 +699,6 @@ static void rcu_read_unlock_special(stru
+ cpu_online(rdp->cpu)) {
+ // Get scheduler to re-evaluate and call hooks.
+ // If !IRQ_WORK, FQS scan will eventually IPI.
+- rdp->defer_qs_iw =
+- IRQ_WORK_INIT_HARD(rcu_preempt_deferred_qs_handler);
+ rdp->defer_qs_iw_pending = DEFER_QS_PENDING;
+ irq_work_queue_on(&rdp->defer_qs_iw, rdp->cpu);
+ }
+@@ -840,6 +838,10 @@ dump_blkd_tasks(struct rcu_node *rnp, in
+ }
+ }
+
++static void rcu_preempt_deferred_qs_init(struct rcu_data *rdp)
++{
++ rdp->defer_qs_iw = IRQ_WORK_INIT_HARD(rcu_preempt_deferred_qs_handler);
++}
+ #else /* #ifdef CONFIG_PREEMPT_RCU */
+
+ /*
+@@ -1039,6 +1041,8 @@ dump_blkd_tasks(struct rcu_node *rnp, in
+ WARN_ON_ONCE(!list_empty(&rnp->blkd_tasks));
+ }
+
++static void rcu_preempt_deferred_qs_init(struct rcu_data *rdp) { }
++
+ #endif /* #else #ifdef CONFIG_PREEMPT_RCU */
+
+ /*
kvm-nvmx-check-vmcs12-guest_ia32_debugctl-on-nested-vm-enter.patch
kvm-vmx-wrap-all-accesses-to-ia32_debugctl-with-getter-setter-apis.patch
kvm-vmx-preserve-host-s-debugctlmsr_freeze_in_smm-while-running-the-guest.patch
+ata-libata-sata-add-link_power_management_supported-sysfs-attribute.patch
+io_uring-rw-cast-rw-flags-assignment-to-rwf_t.patch
+firmware-arm_scmi-convert-to-system_sleep_pm_ops.patch
+drm-amd-display-allow-dcn301-to-clear-update-flags.patch
+md-fix-create-on-open-mddev-lifetime-regression.patch
+rcu-fix-racy-re-initialization-of-irq_work-causing-hangs.patch
+irqchip-mvebu-gicp-use-resource_size-for-ioremap.patch
+dm-split-write-bios-on-zone-boundaries-when-zone-append-is-not-emulated.patch
+io_uring-zcrx-fix-null-ifq-on-area-destruction.patch
+io_uring-zcrx-don-t-leak-pages-on-account-failure.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
