--- /dev/null
+From 84780f196a86fda8b3026de0e397ce130ddf9a87 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 08:39:51 -0700
+Subject: ACPI: APEI: GHES: add TAINT_MACHINE_CHECK on GHES panic path
+
+From: Breno Leitao <leitao@debian.org>
+
+[ Upstream commit 4734c8b46b901cff2feda8b82abc710b65dc31c1 ]
+
+When a GHES (Generic Hardware Error Source) triggers a panic, add the
+TAINT_MACHINE_CHECK taint flag to the kernel. This explicitly marks the
+kernel as tainted due to a machine check event, improving diagnostics
+and post-mortem analysis. The taint is set with LOCKDEP_STILL_OK to
+indicate lockdep remains valid.
+
+At large scale deployment, this helps to quickly determine panics that
+are coming due to hardware failures.
+
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Reviewed-by: Tony Luck <tony.luck@intel.com>
+Link: https://patch.msgid.link/20250702-add_tain-v1-1-9187b10914b9@debian.org
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/apei/ghes.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c
+index 22db720b128b..ec364c254112 100644
+--- a/drivers/acpi/apei/ghes.c
++++ b/drivers/acpi/apei/ghes.c
+@@ -912,6 +912,8 @@ static void __ghes_panic(struct ghes *ghes,
+
+ __ghes_print_estatus(KERN_EMERG, ghes->generic, estatus);
+
++ add_taint(TAINT_MACHINE_CHECK, LOCKDEP_STILL_OK);
++
+ ghes_clear_estatus(ghes, estatus, buf_paddr, fixmap_idx);
+
+ if (!panic_timeout)
+--
+2.39.5
+
--- /dev/null
+From 3652bee1153d203c2a5aace4e6cb16ac035fc078 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Jul 2025 19:42:11 +0800
+Subject: ACPI: APEI: send SIGBUS to current task if synchronous memory error
+ not recovered
+
+From: Shuai Xue <xueshuai@linux.alibaba.com>
+
+[ Upstream commit 79a5ae3c4c5eb7e38e0ebe4d6bf602d296080060 ]
+
+If a synchronous error is detected as a result of user-space process
+triggering a 2-bit uncorrected error, the CPU will take a synchronous
+error exception such as Synchronous External Abort (SEA) on Arm64. The
+kernel will queue a memory_failure() work which poisons the related
+page, unmaps the page, and then sends a SIGBUS to the process, so that
+a system wide panic can be avoided.
+
+However, no memory_failure() work will be queued when abnormal
+synchronous errors occur. These errors can include situations like
+invalid PA, unexpected severity, no memory failure config support,
+invalid GUID section, etc. In such a case, the user-space process will
+trigger SEA again. This loop can potentially exceed the platform
+firmware threshold or even trigger a kernel hard lockup, leading to a
+system reboot.
+
+Fix it by performing a force kill if no memory_failure() work is queued
+for synchronous errors.
+
+Signed-off-by: Shuai Xue <xueshuai@linux.alibaba.com>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reviewed-by: Yazen Ghannam <yazen.ghannam@amd.com>
+Reviewed-by: Jane Chu <jane.chu@oracle.com>
+Reviewed-by: Hanjun Guo <guohanjun@huawei.com>
+Link: https://patch.msgid.link/20250714114212.31660-2-xueshuai@linux.alibaba.com
+[ rjw: Changelog edits ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/apei/ghes.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c
+index 2abf20736702..22db720b128b 100644
+--- a/drivers/acpi/apei/ghes.c
++++ b/drivers/acpi/apei/ghes.c
+@@ -715,6 +715,17 @@ static bool ghes_do_proc(struct ghes *ghes,
+ }
+ }
+
++ /*
++ * If no memory failure work is queued for abnormal synchronous
++ * errors, do a force kill.
++ */
++ if (sync && !queued) {
++ dev_err(ghes->dev,
++ HW_ERR GHES_PFX "%s:%d: synchronous unrecoverable error (SIGBUS)\n",
++ current->comm, task_pid_nr(current));
++ force_sig(SIGBUS);
++ }
++
+ return queued;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From fc5ae2c844c8ef8d4e774cd146545411bef6dbb4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jul 2025 01:41:04 +0000
+Subject: ACPI: PRM: Reduce unnecessary printing to avoid user confusion
+
+From: Zhu Qiyu <qiyuzhu2@amd.com>
+
+[ Upstream commit 3db5648c4d608b5483470efc1da9780b081242dd ]
+
+Commit 088984c8d54c ("ACPI: PRM: Find EFI_MEMORY_RUNTIME block for PRM
+handler and context") introduced non-essential printing "Failed to find
+VA for GUID: xxxx, PA: 0x0" which may confuse users to think that
+something wrong is going on while it is not the case.
+
+According to the PRM Spec Section 4.1.2 [1], both static data buffer
+address and ACPI parameter buffer address may be NULL if they are not
+needed, so there is no need to print out the "Failed to find VA ... "
+in those cases.
+
+Link: https://uefi.org/sites/default/files/resources/Platform%20Runtime%20Mechanism%20-%20with%20legal%20notice.pdf # [1]
+Signed-off-by: Zhu Qiyu <qiyuzhu2@amd.com>
+Link: https://patch.msgid.link/20250704014104.82524-1-qiyuzhu2@amd.com
+[ rjw: Edits in new comments, subject and changelog ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/prmt.c | 26 ++++++++++++++++++++++++--
+ 1 file changed, 24 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/acpi/prmt.c b/drivers/acpi/prmt.c
+index a34f7d37877c..eb8f2a1ce138 100644
+--- a/drivers/acpi/prmt.c
++++ b/drivers/acpi/prmt.c
+@@ -85,8 +85,6 @@ static u64 efi_pa_va_lookup(efi_guid_t *guid, u64 pa)
+ }
+ }
+
+- pr_warn("Failed to find VA for GUID: %pUL, PA: 0x%llx", guid, pa);
+-
+ return 0;
+ }
+
+@@ -154,13 +152,37 @@ acpi_parse_prmt(union acpi_subtable_headers *header, const unsigned long end)
+ guid_copy(&th->guid, (guid_t *)handler_info->handler_guid);
+ th->handler_addr =
+ (void *)efi_pa_va_lookup(&th->guid, handler_info->handler_address);
++ /*
++ * Print a warning message if handler_addr is zero which is not expected to
++ * ever happen.
++ */
++ if (unlikely(!th->handler_addr))
++ pr_warn("Failed to find VA of handler for GUID: %pUL, PA: 0x%llx",
++ &th->guid, handler_info->handler_address);
+
+ th->static_data_buffer_addr =
+ efi_pa_va_lookup(&th->guid, handler_info->static_data_buffer_address);
++ /*
++ * According to the PRM specification, static_data_buffer_address can be zero,
++ * so avoid printing a warning message in that case. Otherwise, if the
++ * return value of efi_pa_va_lookup() is zero, print the message.
++ */
++ if (unlikely(!th->static_data_buffer_addr && handler_info->static_data_buffer_address))
++ pr_warn("Failed to find VA of static data buffer for GUID: %pUL, PA: 0x%llx",
++ &th->guid, handler_info->static_data_buffer_address);
+
+ th->acpi_param_buffer_addr =
+ efi_pa_va_lookup(&th->guid, handler_info->acpi_param_buffer_address);
+
++ /*
++ * According to the PRM specification, acpi_param_buffer_address can be zero,
++ * so avoid printing a warning message in that case. Otherwise, if the
++ * return value of efi_pa_va_lookup() is zero, print the message.
++ */
++ if (unlikely(!th->acpi_param_buffer_addr && handler_info->acpi_param_buffer_address))
++ pr_warn("Failed to find VA of acpi param buffer for GUID: %pUL, PA: 0x%llx",
++ &th->guid, handler_info->acpi_param_buffer_address);
++
+ } while (++cur_handler < tm->handler_count && (handler_info = get_next_handler(handler_info)));
+
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From 6cb1afc696b7980955a28038fd0329bb1d8e0014 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 14:42:15 +0200
+Subject: ACPI: processor: fix acpi_object initialization
+
+From: Sebastian Ott <sebott@redhat.com>
+
+[ Upstream commit 13edf7539211d8f7d0068ce3ed143005f1da3547 ]
+
+Initialization of the local acpi_object in acpi_processor_get_info()
+only sets the first 4 bytes to zero and is thus incomplete. This is
+indicated by messages like:
+ acpi ACPI0007:be: Invalid PBLK length [166288104]
+
+Fix this by initializing all 16 bytes of the processor member of that
+union.
+
+Signed-off-by: Sebastian Ott <sebott@redhat.com>
+Link: https://patch.msgid.link/20250703124215.12522-1-sebott@redhat.com
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpi_processor.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/acpi_processor.c b/drivers/acpi/acpi_processor.c
+index 7053f1b9fc1d..c0f9cf9768ea 100644
+--- a/drivers/acpi/acpi_processor.c
++++ b/drivers/acpi/acpi_processor.c
+@@ -250,7 +250,7 @@ static inline int acpi_processor_hotadd_init(struct acpi_processor *pr)
+
+ static int acpi_processor_get_info(struct acpi_device *device)
+ {
+- union acpi_object object = { 0 };
++ union acpi_object object = { .processor = { 0 } };
+ struct acpi_buffer buffer = { sizeof(union acpi_object), &object };
+ struct acpi_processor *pr = acpi_driver_data(device);
+ int device_declaration = 0;
+--
+2.39.5
+
--- /dev/null
+From 461b4654603db070c1395367d687f0d88cab03d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 19:50:12 +0200
+Subject: ALSA: hda/ca0132: Fix buffer overflow in add_tuning_control
+
+From: Lucy Thrun <lucy.thrun@digital-rabbithole.de>
+
+[ Upstream commit a409c60111e6bb98fcabab2aeaa069daa9434ca0 ]
+
+The 'sprintf' call in 'add_tuning_control' may exceed the 44-byte
+buffer if either string argument is too long. This triggers a compiler
+warning.
+Replaced 'sprintf' with 'snprintf' to limit string lengths to prevent
+overflow.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202506100642.95jpuMY1-lkp@intel.com/
+Signed-off-by: Lucy Thrun <lucy.thrun@digital-rabbithole.de>
+Link: https://patch.msgid.link/20250610175012.918-3-lucy.thrun@digital-rabbithole.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_ca0132.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c
+index 94b452595f30..851e9231bbbd 100644
+--- a/sound/pci/hda/patch_ca0132.c
++++ b/sound/pci/hda/patch_ca0132.c
+@@ -4411,7 +4411,7 @@ static int add_tuning_control(struct hda_codec *codec,
+ }
+ knew.private_value =
+ HDA_COMPOSE_AMP_VAL(nid, 1, 0, type);
+- sprintf(namestr, "%s %s Volume", name, dirstr[dir]);
++ snprintf(namestr, sizeof(namestr), "%s %s Volume", name, dirstr[dir]);
+ return snd_hda_ctl_add(codec, nid, snd_ctl_new1(&knew, codec));
+ }
+
+--
+2.39.5
+
--- /dev/null
+From e4cb227f0189d288974f23ddc568ae8d779fbad6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Jun 2025 15:14:30 +0200
+Subject: ALSA: hda: Disable jack polling at shutdown
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 1adcbdf54f76e1004bdf71df4eb1888c26e7ad06 ]
+
+Although the jack polling is canceled at shutdown in
+snd_hda_codec_shutdown(), it might be still re-triggered when the work
+is being processed at cancel_delayed_work_sync() call. This may
+result in the unexpected hardware access that should have been already
+disabled.
+
+For assuring to stop the jack polling, clear codec->jackpoll_interval
+at shutdown.
+
+Reported-by: Joakim Zhang <joakim.zhang@cixtech.com>
+Closes: https://lore.kernel.org/20250619020844.2974160-4-joakim.zhang@cixtech.com
+Tested-by: Joakim Zhang <joakim.zhang@cixtech.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: https://patch.msgid.link/20250623131437.10670-2-tiwai@suse.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/hda_codec.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c
+index 2d4b7527b840..80c3084189b0 100644
+--- a/sound/pci/hda/hda_codec.c
++++ b/sound/pci/hda/hda_codec.c
+@@ -3038,6 +3038,7 @@ void snd_hda_codec_shutdown(struct hda_codec *codec)
+ if (!codec->core.registered)
+ return;
+
++ codec->jackpoll_interval = 0; /* don't poll any longer */
+ cancel_delayed_work_sync(&codec->jackpoll_work);
+ list_for_each_entry(cpcm, &codec->pcm_list_head, list)
+ snd_pcm_suspend_all(cpcm->pcm);
+--
+2.39.5
+
--- /dev/null
+From cf6d016fbfed3f202d3f17c197d95b8b15c1e225 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Jun 2025 15:14:32 +0200
+Subject: ALSA: hda: Handle the jack polling always via a work
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 5f7e54b23e4d253eff3b10b12d6fa92d28d7dddc ]
+
+We used to call directly hda_jackpoll_work() from a couple of places
+for updating the jack and notify to user-space, but this makes rather
+the code flow fragile. Namely, because of those direct calls,
+hda_jackpoll_work() uses snd_hda_power_up_pm() and *_down_pm() calls
+instead of the standard snd_hda_power_up() and *_down() calls. The
+latter pair assures the runtime PM resume sync, so it can avoid the
+race against the PM callbacks gracefully, while the former pair may
+continue if called concurrently, hence it may race (by design).
+
+In this patch, we change the call pattern of hda_jackpoll_work(); now
+all callers are replaced with the standard snd_hda_jack_report_sync()
+and the additional schedule_delayed_work().
+
+Since hda_jackpoll_work() is called only from the associated work,
+it's always outside the PM code path, and we can safely use
+snd_hda_power_up() and *_down() there instead. This allows us to
+remove the racy check of power-state in hda_jackpoll_work(), as well
+as the tricky cancel_delayed_work() and rescheduling at
+hda_codec_runtime_suspend().
+
+Reported-by: Joakim Zhang <joakim.zhang@cixtech.com>
+Closes: https://lore.kernel.org/20250619020844.2974160-1-joakim.zhang@cixtech.com
+Tested-by: Joakim Zhang <joakim.zhang@cixtech.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: https://patch.msgid.link/20250623131437.10670-4-tiwai@suse.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/hda_codec.c | 41 +++++++++++++--------------------------
+ 1 file changed, 14 insertions(+), 27 deletions(-)
+
+diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c
+index aa6dc00985b5..2d4b7527b840 100644
+--- a/sound/pci/hda/hda_codec.c
++++ b/sound/pci/hda/hda_codec.c
+@@ -641,24 +641,16 @@ static void hda_jackpoll_work(struct work_struct *work)
+ struct hda_codec *codec =
+ container_of(work, struct hda_codec, jackpoll_work.work);
+
+- /* for non-polling trigger: we need nothing if already powered on */
+- if (!codec->jackpoll_interval && snd_hdac_is_power_on(&codec->core))
++ if (!codec->jackpoll_interval)
+ return;
+
+ /* the power-up/down sequence triggers the runtime resume */
+- snd_hda_power_up_pm(codec);
++ snd_hda_power_up(codec);
+ /* update jacks manually if polling is required, too */
+- if (codec->jackpoll_interval) {
+- snd_hda_jack_set_dirty_all(codec);
+- snd_hda_jack_poll_all(codec);
+- }
+- snd_hda_power_down_pm(codec);
+-
+- if (!codec->jackpoll_interval)
+- return;
+-
+- schedule_delayed_work(&codec->jackpoll_work,
+- codec->jackpoll_interval);
++ snd_hda_jack_set_dirty_all(codec);
++ snd_hda_jack_poll_all(codec);
++ schedule_delayed_work(&codec->jackpoll_work, codec->jackpoll_interval);
++ snd_hda_power_down(codec);
+ }
+
+ /* release all pincfg lists */
+@@ -2920,12 +2912,12 @@ static void hda_call_codec_resume(struct hda_codec *codec)
+ snd_hda_regmap_sync(codec);
+ }
+
+- if (codec->jackpoll_interval)
+- hda_jackpoll_work(&codec->jackpoll_work.work);
+- else
+- snd_hda_jack_report_sync(codec);
++ snd_hda_jack_report_sync(codec);
+ codec->core.dev.power.power_state = PMSG_ON;
+ snd_hdac_leave_pm(&codec->core);
++ if (codec->jackpoll_interval)
++ schedule_delayed_work(&codec->jackpoll_work,
++ codec->jackpoll_interval);
+ }
+
+ static int hda_codec_runtime_suspend(struct device *dev)
+@@ -2937,8 +2929,6 @@ static int hda_codec_runtime_suspend(struct device *dev)
+ if (!codec->card)
+ return 0;
+
+- cancel_delayed_work_sync(&codec->jackpoll_work);
+-
+ state = hda_call_codec_suspend(codec);
+ if (codec->link_down_at_suspend ||
+ (codec_has_clkstop(codec) && codec_has_epss(codec) &&
+@@ -2946,10 +2936,6 @@ static int hda_codec_runtime_suspend(struct device *dev)
+ snd_hdac_codec_link_down(&codec->core);
+ snd_hda_codec_display_power(codec, false);
+
+- if (codec->bus->jackpoll_in_suspend &&
+- (dev->power.power_state.event != PM_EVENT_SUSPEND))
+- schedule_delayed_work(&codec->jackpoll_work,
+- codec->jackpoll_interval);
+ return 0;
+ }
+
+@@ -3118,10 +3104,11 @@ int snd_hda_codec_build_controls(struct hda_codec *codec)
+ if (err < 0)
+ return err;
+
++ snd_hda_jack_report_sync(codec); /* call at the last init point */
+ if (codec->jackpoll_interval)
+- hda_jackpoll_work(&codec->jackpoll_work.work);
+- else
+- snd_hda_jack_report_sync(codec); /* call at the last init point */
++ schedule_delayed_work(&codec->jackpoll_work,
++ codec->jackpoll_interval);
++
+ sync_power_up_states(codec);
+ return 0;
+ }
+--
+2.39.5
+
--- /dev/null
+From e689b2305293d1d8362b9bf620feeec24be27045 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 21 Jun 2025 11:52:24 -0700
+Subject: ALSA: intel8x0: Fix incorrect codec index usage in mixer for ICH4
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit 87aafc8580acf87fcaf1a7e30ed858d8c8d37d81 ]
+
+code mistakenly used a hardcoded index (codec[1]) instead of
+iterating, over the codec array using the loop variable i.
+Use codec[i] instead of codec[1] to match the loop iteration.
+
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Link: https://patch.msgid.link/20250621185233.4081094-1-alok.a.tiwari@oracle.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/intel8x0.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/pci/intel8x0.c b/sound/pci/intel8x0.c
+index ae285c0a629c..f3df6fe2b7f1 100644
+--- a/sound/pci/intel8x0.c
++++ b/sound/pci/intel8x0.c
+@@ -2252,7 +2252,7 @@ static int snd_intel8x0_mixer(struct intel8x0 *chip, int ac97_clock,
+ tmp |= chip->ac97_sdin[0] << ICH_DI1L_SHIFT;
+ for (i = 1; i < 4; i++) {
+ if (pcm->r[0].codec[i]) {
+- tmp |= chip->ac97_sdin[pcm->r[0].codec[1]->num] << ICH_DI2L_SHIFT;
++ tmp |= chip->ac97_sdin[pcm->r[0].codec[i]->num] << ICH_DI2L_SHIFT;
+ break;
+ }
+ }
+--
+2.39.5
+
--- /dev/null
+From dfd3e3eab6e1e91b921817bd5cf6d1a5e7aef7b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Jun 2025 11:44:02 +0200
+Subject: ALSA: pcm: Rewrite recalculate_boundary() to avoid costly loop
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit 92f59aeb13252265c20e7aef1379a8080c57e0a2 ]
+
+At the time being recalculate_boundary() is implemented with a
+loop which shows up as costly in a perf profile, as depicted by
+the annotate below:
+
+ 0.00 : c057e934: 3d 40 7f ff lis r10,32767
+ 0.03 : c057e938: 61 4a ff ff ori r10,r10,65535
+ 0.21 : c057e93c: 7d 49 50 50 subf r10,r9,r10
+ 5.39 : c057e940: 7d 3c 4b 78 mr r28,r9
+ 2.11 : c057e944: 55 29 08 3c slwi r9,r9,1
+ 3.04 : c057e948: 7c 09 50 40 cmplw r9,r10
+ 2.47 : c057e94c: 40 81 ff f4 ble c057e940 <snd_pcm_ioctl+0xee0>
+
+Total: 13.2% on that simple loop.
+
+But what the loop does is to multiply the boundary by 2 until it is
+over the wanted border. This can be avoided by using fls() to get the
+boundary value order and shift it by the appropriate number of bits at
+once.
+
+This change provides the following profile:
+
+ 0.04 : c057f6e8: 3d 20 7f ff lis r9,32767
+ 0.02 : c057f6ec: 61 29 ff ff ori r9,r9,65535
+ 0.34 : c057f6f0: 7d 5a 48 50 subf r10,r26,r9
+ 0.23 : c057f6f4: 7c 1a 50 40 cmplw r26,r10
+ 0.02 : c057f6f8: 41 81 00 20 bgt c057f718 <snd_pcm_ioctl+0xf08>
+ 0.26 : c057f6fc: 7f 47 00 34 cntlzw r7,r26
+ 0.09 : c057f700: 7d 48 00 34 cntlzw r8,r10
+ 0.22 : c057f704: 7d 08 38 50 subf r8,r8,r7
+ 0.04 : c057f708: 7f 5a 40 30 slw r26,r26,r8
+ 0.35 : c057f70c: 7c 0a d0 40 cmplw r10,r26
+ 0.13 : c057f710: 40 80 05 f8 bge c057fd08 <snd_pcm_ioctl+0x14f8>
+ 0.00 : c057f714: 57 5a f8 7e srwi r26,r26,1
+
+Total: 1.7% with that loopless alternative.
+
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Link: https://patch.msgid.link/4836e2cde653eebaf2709ebe30eec736bb8c67fd.1749202237.git.christophe.leroy@csgroup.eu
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/pcm_native.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
+index 31fc20350fd9..f37fd1e48740 100644
+--- a/sound/core/pcm_native.c
++++ b/sound/core/pcm_native.c
+@@ -24,6 +24,7 @@
+ #include <sound/minors.h>
+ #include <linux/uio.h>
+ #include <linux/delay.h>
++#include <linux/bitops.h>
+
+ #include "pcm_local.h"
+
+@@ -3125,13 +3126,23 @@ struct snd_pcm_sync_ptr32 {
+ static snd_pcm_uframes_t recalculate_boundary(struct snd_pcm_runtime *runtime)
+ {
+ snd_pcm_uframes_t boundary;
++ snd_pcm_uframes_t border;
++ int order;
+
+ if (! runtime->buffer_size)
+ return 0;
+- boundary = runtime->buffer_size;
+- while (boundary * 2 <= 0x7fffffffUL - runtime->buffer_size)
+- boundary *= 2;
+- return boundary;
++
++ border = 0x7fffffffUL - runtime->buffer_size;
++ if (runtime->buffer_size > border)
++ return runtime->buffer_size;
++
++ order = __fls(border) - __fls(runtime->buffer_size);
++ boundary = runtime->buffer_size << order;
++
++ if (boundary <= border)
++ return boundary;
++ else
++ return boundary / 2;
+ }
+
+ static int snd_pcm_ioctl_sync_ptr_compat(struct snd_pcm_substream *substream,
+--
+2.39.5
+
--- /dev/null
+From 85229b36130c2706560ab78f12ec97f2e4442fc0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 May 2025 17:07:42 +0300
+Subject: ALSA: usb-audio: Avoid precedence issues in mixer_quirks macros
+
+From: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
+
+[ Upstream commit fd3ab72e42e9871a9902b945a2bf8bb87b49c718 ]
+
+Fix all macro related issues identified by checkpatch.pl:
+
+ CHECK: Macro argument 'x' may be better as '(x)' to avoid precedence issues
+
+Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: https://patch.msgid.link/20250526-dualsense-alsa-jack-v1-3-1a821463b632@collabora.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/mixer_quirks.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c
+index be0b3c8ac705..f2cce15be4e2 100644
+--- a/sound/usb/mixer_quirks.c
++++ b/sound/usb/mixer_quirks.c
+@@ -2150,15 +2150,15 @@ static int dell_dock_mixer_init(struct usb_mixer_interface *mixer)
+ #define SND_RME_CLK_FREQMUL_SHIFT 18
+ #define SND_RME_CLK_FREQMUL_MASK 0x7
+ #define SND_RME_CLK_SYSTEM(x) \
+- ((x >> SND_RME_CLK_SYSTEM_SHIFT) & SND_RME_CLK_SYSTEM_MASK)
++ (((x) >> SND_RME_CLK_SYSTEM_SHIFT) & SND_RME_CLK_SYSTEM_MASK)
+ #define SND_RME_CLK_AES(x) \
+- ((x >> SND_RME_CLK_AES_SHIFT) & SND_RME_CLK_AES_SPDIF_MASK)
++ (((x) >> SND_RME_CLK_AES_SHIFT) & SND_RME_CLK_AES_SPDIF_MASK)
+ #define SND_RME_CLK_SPDIF(x) \
+- ((x >> SND_RME_CLK_SPDIF_SHIFT) & SND_RME_CLK_AES_SPDIF_MASK)
++ (((x) >> SND_RME_CLK_SPDIF_SHIFT) & SND_RME_CLK_AES_SPDIF_MASK)
+ #define SND_RME_CLK_SYNC(x) \
+- ((x >> SND_RME_CLK_SYNC_SHIFT) & SND_RME_CLK_SYNC_MASK)
++ (((x) >> SND_RME_CLK_SYNC_SHIFT) & SND_RME_CLK_SYNC_MASK)
+ #define SND_RME_CLK_FREQMUL(x) \
+- ((x >> SND_RME_CLK_FREQMUL_SHIFT) & SND_RME_CLK_FREQMUL_MASK)
++ (((x) >> SND_RME_CLK_FREQMUL_SHIFT) & SND_RME_CLK_FREQMUL_MASK)
+ #define SND_RME_CLK_AES_LOCK 0x1
+ #define SND_RME_CLK_AES_SYNC 0x4
+ #define SND_RME_CLK_SPDIF_LOCK 0x2
+@@ -2167,9 +2167,9 @@ static int dell_dock_mixer_init(struct usb_mixer_interface *mixer)
+ #define SND_RME_SPDIF_FORMAT_SHIFT 5
+ #define SND_RME_BINARY_MASK 0x1
+ #define SND_RME_SPDIF_IF(x) \
+- ((x >> SND_RME_SPDIF_IF_SHIFT) & SND_RME_BINARY_MASK)
++ (((x) >> SND_RME_SPDIF_IF_SHIFT) & SND_RME_BINARY_MASK)
+ #define SND_RME_SPDIF_FORMAT(x) \
+- ((x >> SND_RME_SPDIF_FORMAT_SHIFT) & SND_RME_BINARY_MASK)
++ (((x) >> SND_RME_SPDIF_FORMAT_SHIFT) & SND_RME_BINARY_MASK)
+
+ static const u32 snd_rme_rate_table[] = {
+ 32000, 44100, 48000, 50000,
+--
+2.39.5
+
--- /dev/null
+From 7007a83026676d323ed412554d4d13e981c6785c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Apr 2025 18:42:08 -0400
+Subject: apparmor: shift ouid when mediating hard links in userns
+
+From: Gabriel Totev <gabriel.totev@zetier.com>
+
+[ Upstream commit c5bf96d20fd787e4909b755de4705d52f3458836 ]
+
+When using AppArmor profiles inside an unprivileged container,
+the link operation observes an unshifted ouid.
+(tested with LXD and Incus)
+
+For example, root inside container and uid 1000000 outside, with
+`owner /root/link l,` profile entry for ln:
+
+/root$ touch chain && ln chain link
+==> dmesg
+apparmor="DENIED" operation="link" class="file"
+namespace="root//lxd-feet_<var-snap-lxd-common-lxd>" profile="linkit"
+name="/root/link" pid=1655 comm="ln" requested_mask="l" denied_mask="l"
+fsuid=1000000 ouid=0 [<== should be 1000000] target="/root/chain"
+
+Fix by mapping inode uid of old_dentry in aa_path_link() rather than
+using it directly, similarly to how it's mapped in __file_path_perm()
+later in the file.
+
+Signed-off-by: Gabriel Totev <gabriel.totev@zetier.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/apparmor/file.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/security/apparmor/file.c b/security/apparmor/file.c
+index 6fd21324a097..a51b83cf6968 100644
+--- a/security/apparmor/file.c
++++ b/security/apparmor/file.c
+@@ -436,9 +436,11 @@ int aa_path_link(const struct cred *subj_cred,
+ {
+ struct path link = { .mnt = new_dir->mnt, .dentry = new_dentry };
+ struct path target = { .mnt = new_dir->mnt, .dentry = old_dentry };
++ struct inode *inode = d_backing_inode(old_dentry);
++ vfsuid_t vfsuid = i_uid_into_vfsuid(mnt_idmap(target.mnt), inode);
+ struct path_cond cond = {
+- d_backing_inode(old_dentry)->i_uid,
+- d_backing_inode(old_dentry)->i_mode
++ .uid = vfsuid_into_kuid(vfsuid),
++ .mode = inode->i_mode,
+ };
+ char *buffer = NULL, *buffer2 = NULL;
+ struct aa_profile *profile;
+--
+2.39.5
+
--- /dev/null
+From d4c380c216e1d28df580119ba75890c6c21ccebd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Jan 2025 21:54:04 +0100
+Subject: apparmor: use the condition in AA_BUG_FMT even with debug disabled
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mateusz Guzik <mjguzik@gmail.com>
+
+[ Upstream commit 67e370aa7f968f6a4f3573ed61a77b36d1b26475 ]
+
+This follows the established practice and fixes a build failure for me:
+security/apparmor/file.c: In function ‘__file_sock_perm’:
+security/apparmor/file.c:544:24: error: unused variable ‘sock’ [-Werror=unused-variable]
+ 544 | struct socket *sock = (struct socket *) file->private_data;
+ | ^~~~
+
+Signed-off-by: Mateusz Guzik <mjguzik@gmail.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/apparmor/include/lib.h | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/security/apparmor/include/lib.h b/security/apparmor/include/lib.h
+index 73c8a32c6861..6e88e99da80f 100644
+--- a/security/apparmor/include/lib.h
++++ b/security/apparmor/include/lib.h
+@@ -46,7 +46,11 @@
+ #define AA_BUG_FMT(X, fmt, args...) \
+ WARN((X), "AppArmor WARN %s: (" #X "): " fmt, __func__, ##args)
+ #else
+-#define AA_BUG_FMT(X, fmt, args...) no_printk(fmt, ##args)
++#define AA_BUG_FMT(X, fmt, args...) \
++ do { \
++ BUILD_BUG_ON_INVALID(X); \
++ no_printk(fmt, ##args); \
++ } while (0)
+ #endif
+
+ #define AA_ERROR(fmt, args...) \
+--
+2.39.5
+
--- /dev/null
+From 7ed3c018b35d452e64a5b57a6429c60bc27bf250 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 17:04:53 +0300
+Subject: ARM: rockchip: fix kernel hang during smp initialization
+
+From: Alexander Kochetkov <al.kochet@gmail.com>
+
+[ Upstream commit 7cdb433bb44cdc87dc5260cdf15bf03cc1cd1814 ]
+
+In order to bring up secondary CPUs main CPU write trampoline
+code to SRAM. The trampoline code is written while secondary
+CPUs are powered on (at least that true for RK3188 CPU).
+Sometimes that leads to kernel hang. Probably because secondary
+CPU execute trampoline code while kernel doesn't expect.
+
+The patch moves SRAM initialization step to the point where all
+secondary CPUs are powered down.
+
+That fixes rarely hangs on RK3188:
+[ 0.091568] CPU0: thread -1, cpu 0, socket 0, mpidr 80000000
+[ 0.091996] rockchip_smp_prepare_cpus: ncores 4
+
+Signed-off-by: Alexander Kochetkov <al.kochet@gmail.com>
+Link: https://lore.kernel.org/r/20250703140453.1273027-1-al.kochet@gmail.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-rockchip/platsmp.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/arch/arm/mach-rockchip/platsmp.c b/arch/arm/mach-rockchip/platsmp.c
+index 36915a073c23..f432d22bfed8 100644
+--- a/arch/arm/mach-rockchip/platsmp.c
++++ b/arch/arm/mach-rockchip/platsmp.c
+@@ -279,11 +279,6 @@ static void __init rockchip_smp_prepare_cpus(unsigned int max_cpus)
+ }
+
+ if (read_cpuid_part() == ARM_CPU_PART_CORTEX_A9) {
+- if (rockchip_smp_prepare_sram(node)) {
+- of_node_put(node);
+- return;
+- }
+-
+ /* enable the SCU power domain */
+ pmu_set_power_domain(PMU_PWRDN_SCU, true);
+
+@@ -316,11 +311,19 @@ static void __init rockchip_smp_prepare_cpus(unsigned int max_cpus)
+ asm ("mrc p15, 1, %0, c9, c0, 2\n" : "=r" (l2ctlr));
+ ncores = ((l2ctlr >> 24) & 0x3) + 1;
+ }
+- of_node_put(node);
+
+ /* Make sure that all cores except the first are really off */
+ for (i = 1; i < ncores; i++)
+ pmu_set_power_domain(0 + i, false);
++
++ if (read_cpuid_part() == ARM_CPU_PART_CORTEX_A9) {
++ if (rockchip_smp_prepare_sram(node)) {
++ of_node_put(node);
++ return;
++ }
++ }
++
++ of_node_put(node);
+ }
+
+ static void __init rk3036_smp_prepare_cpus(unsigned int max_cpus)
+--
+2.39.5
+
--- /dev/null
+From 2068b09fc0190ad5aa0608f125ec62a3a72f401d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 May 2025 11:11:24 -0500
+Subject: ARM: tegra: Use I/O memcpy to write to IRAM
+
+From: Aaron Kling <webgeek1234@gmail.com>
+
+[ Upstream commit 398e67e0f5ae04b29bcc9cbf342e339fe9d3f6f1 ]
+
+Kasan crashes the kernel trying to check boundaries when using the
+normal memcpy.
+
+Signed-off-by: Aaron Kling <webgeek1234@gmail.com>
+Link: https://lore.kernel.org/r/20250522-mach-tegra-kasan-v1-1-419041b8addb@gmail.com
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-tegra/reset.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-tegra/reset.c b/arch/arm/mach-tegra/reset.c
+index d5c805adf7a8..ea706fac6358 100644
+--- a/arch/arm/mach-tegra/reset.c
++++ b/arch/arm/mach-tegra/reset.c
+@@ -63,7 +63,7 @@ static void __init tegra_cpu_reset_handler_enable(void)
+ BUG_ON(is_enabled);
+ BUG_ON(tegra_cpu_reset_handler_size > TEGRA_IRAM_RESET_HANDLER_SIZE);
+
+- memcpy(iram_base, (void *)__tegra_cpu_reset_handler_start,
++ memcpy_toio(iram_base, (void *)__tegra_cpu_reset_handler_start,
+ tegra_cpu_reset_handler_size);
+
+ err = call_firmware_op(set_cpu_boot_addr, 0, reset_address);
+--
+2.39.5
+
--- /dev/null
+From e6e6de20a2a7709c275d7de84ea96aace8da458e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jul 2025 22:50:25 -0700
+Subject: arm64: Handle KCOV __init vs inline mismatches
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit 65c430906efffee9bd7551d474f01a6b1197df90 ]
+
+GCC appears to have kind of fragile inlining heuristics, in the
+sense that it can change whether or not it inlines something based on
+optimizations. It looks like the kcov instrumentation being added (or in
+this case, removed) from a function changes the optimization results,
+and some functions marked "inline" are _not_ inlined. In that case,
+we end up with __init code calling a function not marked __init, and we
+get the build warnings I'm trying to eliminate in the coming patch that
+adds __no_sanitize_coverage to __init functions:
+
+WARNING: modpost: vmlinux: section mismatch in reference: acpi_get_enable_method+0x1c (section: .text.unlikely) -> acpi_psci_present (section: .init.text)
+
+This problem is somewhat fragile (though using either __always_inline
+or __init will deterministically solve it), but we've tripped over
+this before with GCC and the solution has usually been to just use
+__always_inline and move on.
+
+For arm64 this requires forcing one ACPI function to be inlined with
+__always_inline.
+
+Link: https://lore.kernel.org/r/20250724055029.3623499-1-kees@kernel.org
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/acpi.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/include/asm/acpi.h b/arch/arm64/include/asm/acpi.h
+index a407f9cd549e..c07a58b96329 100644
+--- a/arch/arm64/include/asm/acpi.h
++++ b/arch/arm64/include/asm/acpi.h
+@@ -150,7 +150,7 @@ acpi_set_mailbox_entry(int cpu, struct acpi_madt_generic_interrupt *processor)
+ {}
+ #endif
+
+-static inline const char *acpi_get_enable_method(int cpu)
++static __always_inline const char *acpi_get_enable_method(int cpu)
+ {
+ if (acpi_psci_present())
+ return "psci";
+--
+2.39.5
+
--- /dev/null
+From cdc992eddc1d9894e20583bcb8fa8e66ca742642 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jul 2025 02:42:01 -0700
+Subject: arm64: Mark kernel as tainted on SAE and SError panic
+
+From: Breno Leitao <leitao@debian.org>
+
+[ Upstream commit d7ce7e3a84642aadf7c4787f7ec4f58eb163d129 ]
+
+Set TAINT_MACHINE_CHECK when SError or Synchronous External Abort (SEA)
+interrupts trigger a panic to flag potential hardware faults. This
+tainting mechanism aids in debugging and enables correlation of
+hardware-related crashes in large-scale deployments.
+
+This change aligns with similar patches[1] that mark machine check
+events when the system crashes due to hardware errors.
+
+Link: https://lore.kernel.org/all/20250702-add_tain-v1-1-9187b10914b9@debian.org/ [1]
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Link: https://lore.kernel.org/r/20250716-vmcore_hw_error-v2-1-f187f7d62aba@debian.org
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/traps.c | 1 +
+ arch/arm64/mm/fault.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/arch/arm64/kernel/traps.c b/arch/arm64/kernel/traps.c
+index 8b70759cdbb9..610f8a1099f5 100644
+--- a/arch/arm64/kernel/traps.c
++++ b/arch/arm64/kernel/traps.c
+@@ -953,6 +953,7 @@ void __noreturn panic_bad_stack(struct pt_regs *regs, unsigned long esr, unsigne
+
+ void __noreturn arm64_serror_panic(struct pt_regs *regs, unsigned long esr)
+ {
++ add_taint(TAINT_MACHINE_CHECK, LOCKDEP_STILL_OK);
+ console_verbose();
+
+ pr_crit("SError Interrupt on CPU%d, code 0x%016lx -- %s\n",
+diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
+index 2e5d1e238af9..893b9485b840 100644
+--- a/arch/arm64/mm/fault.c
++++ b/arch/arm64/mm/fault.c
+@@ -753,6 +753,7 @@ static int do_sea(unsigned long far, unsigned long esr, struct pt_regs *regs)
+ */
+ siaddr = untagged_addr(far);
+ }
++ add_taint(TAINT_MACHINE_CHECK, LOCKDEP_STILL_OK);
+ arm64_notify_die(inf->name, regs, inf->sig, inf->code, siaddr, esr);
+
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From 087f9addfbf12b03b2a63006289bc743cd7a454e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 May 2025 16:21:19 +0200
+Subject: ASoC: codecs: rt5640: Retry DEVICE_ID verification
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Xinxin Wan <xinxin.wan@intel.com>
+
+[ Upstream commit 19f971057b2d7b99c80530ec1052b45de236a8da ]
+
+To be more resilient to codec-detection failures when the hardware
+powers on slowly, add retry mechanism to the device verification check.
+Similar pattern is found throughout a number of Realtek codecs. Our
+tests show that 60ms delay is sufficient to address readiness issues on
+rt5640 chip.
+
+Reviewed-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
+Reviewed-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Signed-off-by: Xinxin Wan <xinxin.wan@intel.com>
+Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Link: https://patch.msgid.link/20250530142120.2944095-3-cezary.rojewski@intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/rt5640.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/sound/soc/codecs/rt5640.c b/sound/soc/codecs/rt5640.c
+index 1955d77cffd9..0f250e8e216a 100644
+--- a/sound/soc/codecs/rt5640.c
++++ b/sound/soc/codecs/rt5640.c
+@@ -3016,6 +3016,11 @@ static int rt5640_i2c_probe(struct i2c_client *i2c)
+ }
+
+ regmap_read(rt5640->regmap, RT5640_VENDOR_ID2, &val);
++ if (val != RT5640_DEVICE_ID) {
++ usleep_range(60000, 100000);
++ regmap_read(rt5640->regmap, RT5640_VENDOR_ID2, &val);
++ }
++
+ if (val != RT5640_DEVICE_ID) {
+ dev_err(&i2c->dev,
+ "Device with ID register %#x is not rt5640/39\n", val);
+--
+2.39.5
+
--- /dev/null
+From 4118e3ab09df98e1be00a893ceae29ac80ffc1ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Jun 2025 11:42:20 +0300
+Subject: ASoC: core: Check for rtd == NULL in snd_soc_remove_pcm_runtime()
+
+From: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+
+[ Upstream commit 2d91cb261cac6d885954b8f5da28b5c176c18131 ]
+
+snd_soc_remove_pcm_runtime() might be called with rtd == NULL which will
+leads to null pointer dereference.
+This was reproduced with topology loading and marking a link as ignore
+due to missing hardware component on the system.
+On module removal the soc_tplg_remove_link() would call
+snd_soc_remove_pcm_runtime() with rtd == NULL since the link was ignored,
+no runtime was created.
+
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
+Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Reviewed-by: Liam Girdwood <liam.r.girdwood@intel.com>
+Reviewed-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+Link: https://patch.msgid.link/20250619084222.559-3-peter.ujfalusi@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
+index 7eea70eea68b..dc95b6f41555 100644
+--- a/sound/soc/soc-core.c
++++ b/sound/soc/soc-core.c
+@@ -1025,6 +1025,9 @@ static int soc_dai_link_sanity_check(struct snd_soc_card *card,
+ void snd_soc_remove_pcm_runtime(struct snd_soc_card *card,
+ struct snd_soc_pcm_runtime *rtd)
+ {
++ if (!rtd)
++ return;
++
+ lockdep_assert_held(&client_mutex);
+
+ /*
+--
+2.39.5
+
--- /dev/null
+From 012679f1ef62f987d0405794fa4c4830227e7dab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Jun 2025 17:41:04 +0100
+Subject: ASoC: hdac_hdmi: Rate limit logging on connection and disconnection
+
+From: Mark Brown <broonie@kernel.org>
+
+[ Upstream commit c4ca928a6db1593802cd945f075a7e21dd0430c1 ]
+
+We currently log parse failures for ELD data and some disconnection events
+as errors without rate limiting. These log messages can be triggered very
+frequently in some situations, especially ELD parsing when there is nothing
+connected to a HDMI port which will generate:
+
+hdmi-audio-codec hdmi-audio-codec.1.auto: HDMI: Unknown ELD version 0
+
+While there's doubtless work that could be done on reducing the number of
+connection notification callbacks it's possible these may be legitimately
+generated by poor quality physical connections so let's use rate limiting
+to mitigate the log spam for the parse errors and lower the severity for
+disconnect logging to debug level.
+
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Link: https://patch.msgid.link/20250613-asoc-hdmi-eld-logging-v1-1-76d64154d969@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/hdac_hdmi.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/sound/soc/codecs/hdac_hdmi.c b/sound/soc/codecs/hdac_hdmi.c
+index 8b6b76029694..0ddfb0cb376f 100644
+--- a/sound/soc/codecs/hdac_hdmi.c
++++ b/sound/soc/codecs/hdac_hdmi.c
+@@ -1230,7 +1230,8 @@ static int hdac_hdmi_parse_eld(struct hdac_device *hdev,
+ >> DRM_ELD_VER_SHIFT;
+
+ if (ver != ELD_VER_CEA_861D && ver != ELD_VER_PARTIAL) {
+- dev_err(&hdev->dev, "HDMI: Unknown ELD version %d\n", ver);
++ dev_err_ratelimited(&hdev->dev,
++ "HDMI: Unknown ELD version %d\n", ver);
+ return -EINVAL;
+ }
+
+@@ -1238,7 +1239,8 @@ static int hdac_hdmi_parse_eld(struct hdac_device *hdev,
+ DRM_ELD_MNL_MASK) >> DRM_ELD_MNL_SHIFT;
+
+ if (mnl > ELD_MAX_MNL) {
+- dev_err(&hdev->dev, "HDMI: MNL Invalid %d\n", mnl);
++ dev_err_ratelimited(&hdev->dev,
++ "HDMI: MNL Invalid %d\n", mnl);
+ return -EINVAL;
+ }
+
+@@ -1297,8 +1299,8 @@ static void hdac_hdmi_present_sense(struct hdac_hdmi_pin *pin,
+
+ if (!port->eld.monitor_present || !port->eld.eld_valid) {
+
+- dev_err(&hdev->dev, "%s: disconnect for pin:port %d:%d\n",
+- __func__, pin->nid, port->id);
++ dev_dbg(&hdev->dev, "%s: disconnect for pin:port %d:%d\n",
++ __func__, pin->nid, port->id);
+
+ /*
+ * PCMs are not registered during device probe, so don't
+--
+2.39.5
+
--- /dev/null
+From 56df8e87336a472fb1dd0b612f7ea24c3df45ec6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Jul 2025 14:49:06 +0200
+Subject: ASoC: Intel: avs: Fix uninitialized pointer error in probe()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Cezary Rojewski <cezary.rojewski@intel.com>
+
+[ Upstream commit 11f74f48c14c1f4fe16541900ea5944c42e30ccf ]
+
+If pcim_request_all_regions() fails, error path operates on
+uninitialized 'bus' pointer. Found out by Coverity static analyzer.
+
+Reviewed-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
+Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Link: https://patch.msgid.link/20250730124906.351798-1-cezary.rojewski@intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/avs/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/intel/avs/core.c b/sound/soc/intel/avs/core.c
+index 63e4356e8caf..8f36cef88fe6 100644
+--- a/sound/soc/intel/avs/core.c
++++ b/sound/soc/intel/avs/core.c
+@@ -415,6 +415,8 @@ static int avs_pci_probe(struct pci_dev *pci, const struct pci_device_id *id)
+ adev = devm_kzalloc(dev, sizeof(*adev), GFP_KERNEL);
+ if (!adev)
+ return -ENOMEM;
++ bus = &adev->base.core;
++
+ ret = avs_bus_init(adev, pci, id);
+ if (ret < 0) {
+ dev_err(dev, "failed to init avs bus: %d\n", ret);
+@@ -425,7 +427,6 @@ static int avs_pci_probe(struct pci_dev *pci, const struct pci_device_id *id)
+ if (ret < 0)
+ return ret;
+
+- bus = &adev->base.core;
+ bus->addr = pci_resource_start(pci, 0);
+ bus->remap_addr = pci_ioremap_bar(pci, 0);
+ if (!bus->remap_addr) {
+--
+2.39.5
+
--- /dev/null
+From ecce180cbbb27b5f7f1bdec2c1a7f8d282b7f9b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Jun 2025 02:06:48 +0000
+Subject: ASoC: qcom: use drvdata instead of component to keep id
+
+From: Srinivas Kandagatla <srini@kernel.org>
+
+[ Upstream commit 8167f4f42572818fa8153be2b03e4c2120846603 ]
+
+Qcom lpass is using component->id to keep DAI ID (A).
+
+(S) static int lpass_platform_pcmops_open(
+ sruct snd_soc_component *component,
+ struct snd_pcm_substream *substream)
+ { ^^^^^^^^^(B0)
+ ...
+(B1) struct snd_soc_pcm_runtime *soc_runtime = snd_soc_substream_to_rtd(substream);
+(B2) struct snd_soc_dai *cpu_dai = snd_soc_rtd_to_cpu(soc_runtime, 0);
+ ...
+(B3) unsigned int dai_id = cpu_dai->driver->id;
+
+(A) component->id = dai_id;
+ ...
+ }
+
+This driver can get dai_id from substream (B0 - B3).
+In this driver, below functions get dai_id from component->id (A).
+
+(X) lpass_platform_pcmops_suspend()
+(Y) lpass_platform_pcmops_resume()
+(Z) lpass_platform_copy()
+
+Here, (Z) can get it from substream (B0 - B3), don't need to use
+component->id (A). On suspend/resume (X)(Y), dai_id can only be obtained
+from component->id (A), because there is no substream (B0) in function
+parameter.
+
+But, component->id (A) itself should not be used for such purpose.
+It is intilialized at snd_soc_component_initialize(), and parsed its ID
+(= component->id) from device name (a).
+
+ int snd_soc_component_initialize(...)
+ {
+ ...
+ if (!component->name) {
+(a) component->name = fmt_single_name(dev, &component->id);
+ ... ^^^^^^^^^^^^^
+ }
+ ...
+ }
+
+Unfortunately, current code is broken to start with.
+
+There are many regmaps that the driver cares about, however its only
+managing one (either dp or i2s) in component suspend/resume path.
+
+I2S regmap is mandatory however other regmaps are setup based on flags
+like "hdmi_port_enable" and "codec_dma_enable".
+
+Correct thing for suspend/resume path to handle is by checking these
+flags, instead of using component->id.
+
+Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
+Suggested-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Link: https://patch.msgid.link/87a56ouuob.wl-kuninori.morimoto.gx@renesas.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/qcom/lpass-platform.c | 27 +++++++++++++++++----------
+ 1 file changed, 17 insertions(+), 10 deletions(-)
+
+diff --git a/sound/soc/qcom/lpass-platform.c b/sound/soc/qcom/lpass-platform.c
+index f918d9e16dc0..f342bc4b3a14 100644
+--- a/sound/soc/qcom/lpass-platform.c
++++ b/sound/soc/qcom/lpass-platform.c
+@@ -201,7 +201,6 @@ static int lpass_platform_pcmops_open(struct snd_soc_component *component,
+ struct regmap *map;
+ unsigned int dai_id = cpu_dai->driver->id;
+
+- component->id = dai_id;
+ data = kzalloc(sizeof(*data), GFP_KERNEL);
+ if (!data)
+ return -ENOMEM;
+@@ -1189,13 +1188,14 @@ static int lpass_platform_pcmops_suspend(struct snd_soc_component *component)
+ {
+ struct lpass_data *drvdata = snd_soc_component_get_drvdata(component);
+ struct regmap *map;
+- unsigned int dai_id = component->id;
+
+- if (dai_id == LPASS_DP_RX)
++ if (drvdata->hdmi_port_enable) {
+ map = drvdata->hdmiif_map;
+- else
+- map = drvdata->lpaif_map;
++ regcache_cache_only(map, true);
++ regcache_mark_dirty(map);
++ }
+
++ map = drvdata->lpaif_map;
+ regcache_cache_only(map, true);
+ regcache_mark_dirty(map);
+
+@@ -1206,14 +1206,19 @@ static int lpass_platform_pcmops_resume(struct snd_soc_component *component)
+ {
+ struct lpass_data *drvdata = snd_soc_component_get_drvdata(component);
+ struct regmap *map;
+- unsigned int dai_id = component->id;
++ int ret;
+
+- if (dai_id == LPASS_DP_RX)
++ if (drvdata->hdmi_port_enable) {
+ map = drvdata->hdmiif_map;
+- else
+- map = drvdata->lpaif_map;
++ regcache_cache_only(map, false);
++ ret = regcache_sync(map);
++ if (ret)
++ return ret;
++ }
+
++ map = drvdata->lpaif_map;
+ regcache_cache_only(map, false);
++
+ return regcache_sync(map);
+ }
+
+@@ -1223,7 +1228,9 @@ static int lpass_platform_copy(struct snd_soc_component *component,
+ unsigned long bytes)
+ {
+ struct snd_pcm_runtime *rt = substream->runtime;
+- unsigned int dai_id = component->id;
++ struct snd_soc_pcm_runtime *soc_runtime = snd_soc_substream_to_rtd(substream);
++ struct snd_soc_dai *cpu_dai = snd_soc_rtd_to_cpu(soc_runtime, 0);
++ unsigned int dai_id = cpu_dai->driver->id;
+ int ret = 0;
+
+ void __iomem *dma_buf = (void __iomem *) (rt->dma_area + pos +
+--
+2.39.5
+
--- /dev/null
+From fcfc54934f4adbcf53e4bb6c13775f3c3c03e601 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jul 2025 02:26:39 +0000
+Subject: ASoC: soc-dapm: set bias_level if snd_soc_dapm_set_bias_level() was
+ successed
+
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+
+[ Upstream commit f40ecc2743652c0b0f19935f81baf57c601eb7f0 ]
+
+ASoC has 2 functions to set bias level.
+ (A) snd_soc_dapm_force_bias_level()
+ (B) snd_soc_dapm_set_bias_level()
+
+snd_soc_dapm_force_bias_level() (A) will set dapm->bias_level (a) if
+successed.
+
+(A) int snd_soc_dapm_force_bias_level(...)
+ {
+ ...
+ if (ret == 0)
+(a) dapm->bias_level = level;
+ ...
+ }
+
+snd_soc_dapm_set_bias_level() (B) is also a function that sets bias_level.
+It will call snd_soc_dapm_force_bias_level() (A) inside, but doesn't
+set dapm->bias_level by itself. One note is that (A) might not be called.
+
+(B) static int snd_soc_dapm_set_bias_level(...)
+ {
+ ...
+ ret = snd_soc_card_set_bias_level(...);
+ ...
+ if (dapm != &card->dapm)
+(A) ret = snd_soc_dapm_force_bias_level(...);
+ ...
+ ret = snd_soc_card_set_bias_level_post(...);
+ ...
+ }
+
+dapm->bias_level will be set if (A) was called, but might not be set
+if (B) was called, even though it calles set_bias_level() function.
+
+We should set dapm->bias_level if we calls
+snd_soc_dapm_set_bias_level() (B), too.
+
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Link: https://patch.msgid.link/87qzyn4g4h.wl-kuninori.morimoto.gx@renesas.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-dapm.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c
+index 7729f8f4d5e6..7facb7b2dba1 100644
+--- a/sound/soc/soc-dapm.c
++++ b/sound/soc/soc-dapm.c
+@@ -734,6 +734,10 @@ static int snd_soc_dapm_set_bias_level(struct snd_soc_dapm_context *dapm,
+ out:
+ trace_snd_soc_bias_level_done(card, level);
+
++ /* success */
++ if (ret == 0)
++ snd_soc_dapm_init_bias_level(dapm, level);
++
+ return ret;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 418934a0a8f4954ef710ef0153af5ff1f59c4dd1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 21:53:16 +0900
+Subject: ata: libata-sata: Disallow changing LPM state if not supported
+
+From: Damien Le Moal <dlemoal@kernel.org>
+
+[ Upstream commit 413e800cadbf67550d76c77c230b2ecd96bce83a ]
+
+Modify ata_scsi_lpm_store() to return an error if a user attempts to set
+a link power management policy for a port that does not support LPM,
+that is, ports flagged with ATA_FLAG_NO_LPM.
+
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Niklas Cassel <cassel@kernel.org>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Link: https://lore.kernel.org/r/20250701125321.69496-6-dlemoal@kernel.org
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-sata.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/ata/libata-sata.c b/drivers/ata/libata-sata.c
+index be72030a500d..9e0a820d6961 100644
+--- a/drivers/ata/libata-sata.c
++++ b/drivers/ata/libata-sata.c
+@@ -817,6 +817,11 @@ static ssize_t ata_scsi_lpm_store(struct device *device,
+
+ spin_lock_irqsave(ap->lock, flags);
+
++ if (ap->flags & ATA_FLAG_NO_LPM) {
++ count = -EOPNOTSUPP;
++ goto out_unlock;
++ }
++
+ ata_for_each_link(link, ap, EDGE) {
+ ata_for_each_dev(dev, &ap->link, ENABLED) {
+ if (dev->horkage & ATA_HORKAGE_NOLPM) {
+--
+2.39.5
+
--- /dev/null
+From 6e4b791079ba72a4d88a983f025823b445818e7f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 12:35:47 -0700
+Subject: be2net: Use correct byte order and format string for TCP seq and
+ ack_seq
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit 4701ee5044fb3992f1c910630a9673c2dc600ce5 ]
+
+The TCP header fields seq and ack_seq are 32-bit values in network
+byte order as (__be32). these fields were earlier printed using
+ntohs(), which converts only 16-bit values and produces incorrect
+results for 32-bit fields. This patch is changeing the conversion
+to ntohl(), ensuring correct interpretation of these sequence numbers.
+
+Notably, the format specifier is updated from %d to %u to reflect the
+unsigned nature of these fields.
+
+improves the accuracy of debug log messages for TCP sequence and
+acknowledgment numbers during TX timeouts.
+
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250717193552.3648791-1-alok.a.tiwari@oracle.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/emulex/benet/be_main.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c
+index 6bc0fde95f9d..0fda17bc8e23 100644
+--- a/drivers/net/ethernet/emulex/benet/be_main.c
++++ b/drivers/net/ethernet/emulex/benet/be_main.c
+@@ -1465,10 +1465,10 @@ static void be_tx_timeout(struct net_device *netdev, unsigned int txqueue)
+ ntohs(tcphdr->source));
+ dev_info(dev, "TCP dest port %d\n",
+ ntohs(tcphdr->dest));
+- dev_info(dev, "TCP sequence num %d\n",
+- ntohs(tcphdr->seq));
+- dev_info(dev, "TCP ack_seq %d\n",
+- ntohs(tcphdr->ack_seq));
++ dev_info(dev, "TCP sequence num %u\n",
++ ntohl(tcphdr->seq));
++ dev_info(dev, "TCP ack_seq %u\n",
++ ntohl(tcphdr->ack_seq));
+ } else if (ip_hdr(skb)->protocol ==
+ IPPROTO_UDP) {
+ udphdr = udp_hdr(skb);
+--
+2.39.5
+
--- /dev/null
+From d6827cf663434809747875066473dfc9aa11e34a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 22:30:32 -0400
+Subject: better lockdep annotations for simple_recursive_removal()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit 2a8061ee5e41034eb14170ec4517b5583dbeff9f ]
+
+We want a class that nests outside of I_MUTEX_NORMAL (for the sake of
+callbacks that might want to lock the victim) and inside I_MUTEX_PARENT
+(so that a variant of that could be used with parent of the victim
+held locked by the caller).
+
+In reality, simple_recursive_removal()
+ * never holds two locks at once
+ * holds the lock on parent of dentry passed to callback
+ * is used only on the trees with fixed topology, so the depths
+are not changing.
+
+So the locking order is actually fine.
+
+AFAICS, the best solution is to assign I_MUTEX_CHILD to the locks
+grabbed by that thing.
+
+Reported-by: syzbot+169de184e9defe7fe709@syzkaller.appspotmail.com
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/libfs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/libfs.c b/fs/libfs.c
+index f5566964aa7d..b913ab238cc1 100644
+--- a/fs/libfs.c
++++ b/fs/libfs.c
+@@ -610,7 +610,7 @@ void simple_recursive_removal(struct dentry *dentry,
+ struct dentry *victim = NULL, *child;
+ struct inode *inode = this->d_inode;
+
+- inode_lock(inode);
++ inode_lock_nested(inode, I_MUTEX_CHILD);
+ if (d_is_dir(this))
+ inode->i_flags |= S_DEAD;
+ while ((child = find_next_child(this, victim)) == NULL) {
+@@ -622,7 +622,7 @@ void simple_recursive_removal(struct dentry *dentry,
+ victim = this;
+ this = this->d_parent;
+ inode = this->d_inode;
+- inode_lock(inode);
++ inode_lock_nested(inode, I_MUTEX_CHILD);
+ if (simple_positive(victim)) {
+ d_invalidate(victim); // avoid lost mounts
+ if (d_is_dir(victim))
+--
+2.39.5
+
--- /dev/null
+From 151a787c2a340ff50eccdec2cc30bf53c6569091 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Jul 2025 09:14:47 +0000
+Subject: block: avoid possible overflow for chunk_sectors check in
+ blk_stack_limits()
+
+From: John Garry <john.g.garry@oracle.com>
+
+[ Upstream commit 448dfecc7ff807822ecd47a5c052acedca7d09e8 ]
+
+In blk_stack_limits(), we check that the t->chunk_sectors value is a
+multiple of the t->physical_block_size value.
+
+However, by finding the chunk_sectors value in bytes, we may overflow
+the unsigned int which holds chunk_sectors, so change the check to be
+based on sectors.
+
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: John Garry <john.g.garry@oracle.com>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Link: https://lore.kernel.org/r/20250729091448.1691334-2-john.g.garry@oracle.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-settings.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/blk-settings.c b/block/blk-settings.c
+index 7019b8e204d9..021994f6d2d8 100644
+--- a/block/blk-settings.c
++++ b/block/blk-settings.c
+@@ -634,7 +634,7 @@ int blk_stack_limits(struct queue_limits *t, struct queue_limits *b,
+ }
+
+ /* chunk_sectors a multiple of the physical block size? */
+- if ((t->chunk_sectors << 9) & (t->physical_block_size - 1)) {
++ if (t->chunk_sectors % (t->physical_block_size >> SECTOR_SHIFT)) {
+ t->chunk_sectors = 0;
+ t->misaligned = 1;
+ ret = -1;
+--
+2.39.5
+
--- /dev/null
+From c2fc2e5d6b81ad27f93de3d18226bfcfb1109c0b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Jun 2025 20:31:16 +0800
+Subject: Bluetooth: hci_sock: Reset cookie to zero in hci_sock_free_cookie()
+
+From: Zijun Hu <zijun.hu@oss.qualcomm.com>
+
+[ Upstream commit 4d7936e8a5b1fa803f4a631d2da4a80fa4f0f37f ]
+
+Reset cookie value to 0 instead of 0xffffffff in hci_sock_free_cookie()
+since:
+0 : means cookie has not been assigned yet
+0xffffffff: means cookie assignment failure
+
+Also fix generating cookie failure with usage shown below:
+hci_sock_gen_cookie(sk) // generate cookie
+hci_sock_free_cookie(sk) // free cookie
+hci_sock_gen_cookie(sk) // Can't generate cookie any more
+
+Signed-off-by: Zijun Hu <zijun.hu@oss.qualcomm.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_sock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
+index 69c2ba1e843e..d2613bd3e6db 100644
+--- a/net/bluetooth/hci_sock.c
++++ b/net/bluetooth/hci_sock.c
+@@ -118,7 +118,7 @@ static void hci_sock_free_cookie(struct sock *sk)
+ int id = hci_pi(sk)->cookie;
+
+ if (id) {
+- hci_pi(sk)->cookie = 0xffffffff;
++ hci_pi(sk)->cookie = 0;
+ ida_free(&sock_cookie_ida, id);
+ }
+ }
+--
+2.39.5
+
--- /dev/null
+From d572d3efbf3b9e703ed222291b49b020d4e47fe5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jul 2025 12:49:25 +0200
+Subject: bootconfig: Fix unaligned access when building footer
+
+From: Ben Hutchings <benh@debian.org>
+
+[ Upstream commit 6ed5e20466c79e3b3350bae39f678f73cf564b4e ]
+
+Currently we add padding between the bootconfig text and footer to
+ensure that the footer is aligned within the initramfs image.
+However, because only the bootconfig data is held in memory, not the
+full initramfs image, the footer may not be naturally aligned in
+memory.
+
+This can result in an alignment fault (SIGBUS) when writing the footer
+on some architectures, such as sparc.
+
+Build the footer in a struct on the stack before adding it to the
+buffer.
+
+References: https://buildd.debian.org/status/fetch.php?pkg=linux&arch=sparc64&ver=6.16%7Erc7-1%7Eexp1&stamp=1753209801&raw=0
+Link: https://lore.kernel.org/all/aIC-NTw-cdm9ZGFw@decadent.org.uk/
+
+Signed-off-by: Ben Hutchings <benh@debian.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bootconfig/main.c | 24 +++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/tools/bootconfig/main.c b/tools/bootconfig/main.c
+index 8a48cc2536f5..dce2d6ffcca5 100644
+--- a/tools/bootconfig/main.c
++++ b/tools/bootconfig/main.c
+@@ -11,6 +11,7 @@
+ #include <string.h>
+ #include <errno.h>
+ #include <endian.h>
++#include <assert.h>
+
+ #include <linux/bootconfig.h>
+
+@@ -359,7 +360,12 @@ static int delete_xbc(const char *path)
+
+ static int apply_xbc(const char *path, const char *xbc_path)
+ {
+- char *buf, *data, *p;
++ struct {
++ uint32_t size;
++ uint32_t csum;
++ char magic[BOOTCONFIG_MAGIC_LEN];
++ } footer;
++ char *buf, *data;
+ size_t total_size;
+ struct stat stat;
+ const char *msg;
+@@ -430,17 +436,13 @@ static int apply_xbc(const char *path, const char *xbc_path)
+ size += pad;
+
+ /* Add a footer */
+- p = data + size;
+- *(uint32_t *)p = htole32(size);
+- p += sizeof(uint32_t);
++ footer.size = htole32(size);
++ footer.csum = htole32(csum);
++ memcpy(footer.magic, BOOTCONFIG_MAGIC, BOOTCONFIG_MAGIC_LEN);
++ static_assert(sizeof(footer) == BOOTCONFIG_FOOTER_SIZE);
++ memcpy(data + size, &footer, BOOTCONFIG_FOOTER_SIZE);
+
+- *(uint32_t *)p = htole32(csum);
+- p += sizeof(uint32_t);
+-
+- memcpy(p, BOOTCONFIG_MAGIC, BOOTCONFIG_MAGIC_LEN);
+- p += BOOTCONFIG_MAGIC_LEN;
+-
+- total_size = p - data;
++ total_size = size + BOOTCONFIG_FOOTER_SIZE;
+
+ ret = write(fd, data, total_size);
+ if (ret < total_size) {
+--
+2.39.5
+
--- /dev/null
+From c24bf18531de3de402408aed54cd3d531e7a97ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jun 2025 11:30:22 -0700
+Subject: bpf: Make reg_not_null() true for CONST_PTR_TO_MAP
+
+From: Ihor Solodrai <isolodrai@meta.com>
+
+[ Upstream commit 5534e58f2e9bd72b253d033ee0af6e68eb8ac96b ]
+
+When reg->type is CONST_PTR_TO_MAP, it can not be null. However the
+verifier explores the branches under rX == 0 in check_cond_jmp_op()
+even if reg->type is CONST_PTR_TO_MAP, because it was not checked for
+in reg_not_null().
+
+Fix this by adding CONST_PTR_TO_MAP to the set of types that are
+considered non nullable in reg_not_null().
+
+An old "unpriv: cmp map pointer with zero" selftest fails with this
+change, because now early out correctly triggers in
+check_cond_jmp_op(), making the verification to pass.
+
+In practice verifier may allow pointer to null comparison in unpriv,
+since in many cases the relevant branch and comparison op are removed
+as dead code. So change the expected test result to __success_unpriv.
+
+Signed-off-by: Ihor Solodrai <isolodrai@meta.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20250609183024.359974-2-isolodrai@meta.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 3 ++-
+ tools/testing/selftests/bpf/progs/verifier_unpriv.c | 2 +-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 1f9ae600e445..7d6ee41f4b4f 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -460,7 +460,8 @@ static bool reg_not_null(const struct bpf_reg_state *reg)
+ type == PTR_TO_MAP_KEY ||
+ type == PTR_TO_SOCK_COMMON ||
+ (type == PTR_TO_BTF_ID && is_trusted_reg(reg)) ||
+- type == PTR_TO_MEM;
++ type == PTR_TO_MEM ||
++ type == CONST_PTR_TO_MAP;
+ }
+
+ static bool type_is_ptr_alloc_obj(u32 type)
+diff --git a/tools/testing/selftests/bpf/progs/verifier_unpriv.c b/tools/testing/selftests/bpf/progs/verifier_unpriv.c
+index 7ea535bfbacd..e4ef82a6ee38 100644
+--- a/tools/testing/selftests/bpf/progs/verifier_unpriv.c
++++ b/tools/testing/selftests/bpf/progs/verifier_unpriv.c
+@@ -619,7 +619,7 @@ __naked void pass_pointer_to_tail_call(void)
+
+ SEC("socket")
+ __description("unpriv: cmp map pointer with zero")
+-__success __failure_unpriv __msg_unpriv("R1 pointer comparison")
++__success __success_unpriv
+ __retval(0)
+ __naked void cmp_map_pointer_with_zero(void)
+ {
+--
+2.39.5
+
--- /dev/null
+From fdc8cd8de401f833cb0d3ada1eb6241cad4e3a6d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jun 2025 09:24:42 -0400
+Subject: bpftool: Fix JSON writer resource leak in version command
+
+From: Yuan Chen <chenyuan@kylinos.cn>
+
+[ Upstream commit 85cd83fed8267cde0dd1cea719808aad95ae4de7 ]
+
+When using `bpftool --version -j/-p`, the JSON writer object
+created in do_version() was not properly destroyed after use.
+This caused a memory leak each time the version command was
+executed with JSON output.
+
+Fix: 004b45c0e51a (tools: bpftool: provide JSON output for all possible commands)
+
+Suggested-by: Quentin Monnet <qmo@kernel.org>
+Signed-off-by: Yuan Chen <chenyuan@kylinos.cn>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Reviewed-by: Quentin Monnet <qmo@kernel.org>
+Link: https://lore.kernel.org/bpf/20250617132442.9998-1-chenyuan_fl@163.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bpf/bpftool/main.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tools/bpf/bpftool/main.c b/tools/bpf/bpftool/main.c
+index 08d0ac543c67..a0536528dfde 100644
+--- a/tools/bpf/bpftool/main.c
++++ b/tools/bpf/bpftool/main.c
+@@ -534,9 +534,9 @@ int main(int argc, char **argv)
+ usage();
+
+ if (version_requested)
+- return do_version(argc, argv);
+-
+- ret = cmd_select(commands, argc, argv, do_help);
++ ret = do_version(argc, argv);
++ else
++ ret = cmd_select(commands, argc, argv, do_help);
+
+ if (json_output)
+ jsonw_destroy(&json_wtr);
+--
+2.39.5
+
--- /dev/null
+From f78974070a4f5aa66399c48a5a13118f1b41de2f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jul 2025 20:28:11 +0900
+Subject: can: ti_hecc: fix -Woverflow compiler warning
+
+From: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+
+[ Upstream commit 7cae4d04717b002cffe41169da3f239c845a0723 ]
+
+Fix below default (W=0) warning:
+
+ drivers/net/can/ti_hecc.c: In function 'ti_hecc_start':
+ drivers/net/can/ti_hecc.c:386:20: warning: conversion from 'long unsigned int' to 'u32' {aka 'unsigned int'} changes value from '18446744073709551599' to '4294967279' [-Woverflow]
+ 386 | mbx_mask = ~BIT(HECC_RX_LAST_MBOX);
+ | ^
+
+Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+Link: https://patch.msgid.link/20250715-can-compile-test-v2-1-f7fd566db86f@wanadoo.fr
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/ti_hecc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/ti_hecc.c b/drivers/net/can/ti_hecc.c
+index 5aab440074c6..ee3e7de5b9bc 100644
+--- a/drivers/net/can/ti_hecc.c
++++ b/drivers/net/can/ti_hecc.c
+@@ -383,7 +383,7 @@ static void ti_hecc_start(struct net_device *ndev)
+ * overflows instead of the hardware silently dropping the
+ * messages.
+ */
+- mbx_mask = ~BIT(HECC_RX_LAST_MBOX);
++ mbx_mask = ~BIT_U32(HECC_RX_LAST_MBOX);
+ hecc_write(priv, HECC_CANOPC, mbx_mask);
+
+ /* Enable interrupts */
+--
+2.39.5
+
--- /dev/null
+From d83ce0ba30e50f60ee3fb7dd59e4a5c57ff2772b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 22:35:20 +0800
+Subject: char: misc: Fix improper and inaccurate error code returned by
+ misc_init()
+
+From: Zijun Hu <zijun.hu@oss.qualcomm.com>
+
+[ Upstream commit 0ef1fe4bc38673db72e39b700b29c50dfcc5a415 ]
+
+misc_init() returns -EIO for __register_chrdev() invocation failure, but:
+
+- -EIO is for I/O error normally, but __register_chrdev() does not do I/O.
+- -EIO can not cover various error codes returned by __register_chrdev().
+
+Fix by returning error code of __register_chrdev().
+
+Signed-off-by: Zijun Hu <zijun.hu@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250620-fix_mischar-v1-3-6c2716bbf1fa@oss.qualcomm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/misc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/char/misc.c b/drivers/char/misc.c
+index dda466f9181a..30178e20d962 100644
+--- a/drivers/char/misc.c
++++ b/drivers/char/misc.c
+@@ -314,8 +314,8 @@ static int __init misc_init(void)
+ if (err)
+ goto fail_remove;
+
+- err = -EIO;
+- if (__register_chrdev(MISC_MAJOR, 0, MINORMASK + 1, "misc", &misc_fops))
++ err = __register_chrdev(MISC_MAJOR, 0, MINORMASK + 1, "misc", &misc_fops);
++ if (err < 0)
+ goto fail_printk;
+ return 0;
+
+--
+2.39.5
+
--- /dev/null
+From 7bcd498c929b972c0a59e4b4d5005f1102a2a4eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Dec 2024 20:54:11 +0100
+Subject: cifs: Fix calling CIFSFindFirst() for root path without msearch
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit b460249b9a1dab7a9f58483e5349d045ad6d585c ]
+
+To query root path (without msearch wildcard) it is needed to
+send pattern '\' instead of '' (empty string).
+
+This allows to use CIFSFindFirst() to query information about root path
+which is being used in followup changes.
+
+This change fixes the stat() syscall called on the root path on the mount.
+It is because stat() syscall uses the cifs_query_path_info() function and
+it can fallback to the CIFSFindFirst() usage with msearch=false.
+
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/cifssmb.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/fs/smb/client/cifssmb.c b/fs/smb/client/cifssmb.c
+index 81d425f571e2..91f4e50af1e9 100644
+--- a/fs/smb/client/cifssmb.c
++++ b/fs/smb/client/cifssmb.c
+@@ -3984,6 +3984,12 @@ CIFSFindFirst(const unsigned int xid, struct cifs_tcon *tcon,
+ pSMB->FileName[name_len] = 0;
+ pSMB->FileName[name_len+1] = 0;
+ name_len += 2;
++ } else if (!searchName[0]) {
++ pSMB->FileName[0] = CIFS_DIR_SEP(cifs_sb);
++ pSMB->FileName[1] = 0;
++ pSMB->FileName[2] = 0;
++ pSMB->FileName[3] = 0;
++ name_len = 4;
+ }
+ } else {
+ name_len = copy_path_name(pSMB->FileName, searchName);
+@@ -3995,6 +4001,10 @@ CIFSFindFirst(const unsigned int xid, struct cifs_tcon *tcon,
+ pSMB->FileName[name_len] = '*';
+ pSMB->FileName[name_len+1] = 0;
+ name_len += 2;
++ } else if (!searchName[0]) {
++ pSMB->FileName[0] = CIFS_DIR_SEP(cifs_sb);
++ pSMB->FileName[1] = 0;
++ name_len = 2;
+ }
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 6505904fc2d49a95986f6d3e57c7c4a7f17f9fb0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 May 2025 16:36:08 +0400
+Subject: clk: qcom: ipq5018: keep XO clock always on
+
+From: George Moussalem <george.moussalem@outlook.com>
+
+[ Upstream commit 693a723291d0634eaea24cff2f9d807f3223f204 ]
+
+The XO clock must not be disabled to avoid the kernel trying to disable
+the it. As such, keep the XO clock always on by flagging it as critical.
+
+Signed-off-by: George Moussalem <george.moussalem@outlook.com>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250516-ipq5018-cmn-pll-v4-1-389a6b30e504@outlook.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/gcc-ipq5018.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/qcom/gcc-ipq5018.c b/drivers/clk/qcom/gcc-ipq5018.c
+index 3136ba1c2a59..915e84db3c97 100644
+--- a/drivers/clk/qcom/gcc-ipq5018.c
++++ b/drivers/clk/qcom/gcc-ipq5018.c
+@@ -1370,7 +1370,7 @@ static struct clk_branch gcc_xo_clk = {
+ &gcc_xo_clk_src.clkr.hw,
+ },
+ .num_parents = 1,
+- .flags = CLK_SET_RATE_PARENT,
++ .flags = CLK_SET_RATE_PARENT | CLK_IS_CRITICAL,
+ .ops = &clk_branch2_ops,
+ },
+ },
+--
+2.39.5
+
--- /dev/null
+From 4a9359a4f912d7174df41468061c2736b148c3fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jul 2025 15:37:13 +0800
+Subject: clk: tegra: periph: Fix error handling and resolve unsigned compare
+ warning
+
+From: Pei Xiao <xiaopei01@kylinos.cn>
+
+[ Upstream commit 2dc2ca9000eea2eb749f658196204cb84d4306f7 ]
+
+./drivers/clk/tegra/clk-periph.c:59:5-9: WARNING:
+ Unsigned expression compared with zero: rate < 0
+
+The unsigned long 'rate' variable caused:
+- Incorrect handling of negative errors
+- Compile warning: "Unsigned expression compared with zero"
+
+Fix by changing to long type and adding req->rate cast.
+
+Signed-off-by: Pei Xiao <xiaopei01@kylinos.cn>
+Link: https://lore.kernel.org/r/79c7f01e29876c612e90d6d0157fb1572ca8b3fb.1752046270.git.xiaopei01@kylinos.cn
+Acked-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/tegra/clk-periph.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/tegra/clk-periph.c b/drivers/clk/tegra/clk-periph.c
+index 0626650a7011..c9fc52a36fce 100644
+--- a/drivers/clk/tegra/clk-periph.c
++++ b/drivers/clk/tegra/clk-periph.c
+@@ -51,7 +51,7 @@ static int clk_periph_determine_rate(struct clk_hw *hw,
+ struct tegra_clk_periph *periph = to_clk_periph(hw);
+ const struct clk_ops *div_ops = periph->div_ops;
+ struct clk_hw *div_hw = &periph->divider.hw;
+- unsigned long rate;
++ long rate;
+
+ __clk_hw_set_clk(div_hw, hw);
+
+@@ -59,7 +59,7 @@ static int clk_periph_determine_rate(struct clk_hw *hw,
+ if (rate < 0)
+ return rate;
+
+- req->rate = rate;
++ req->rate = (unsigned long)rate;
+ return 0;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 9e8ab0636dc9843ddde56dc6f8504d67381d2a53 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Jul 2025 05:55:40 +0000
+Subject: cpufreq: CPPC: Mark driver with NEED_UPDATE_LIMITS flag
+
+From: Prashant Malani <pmalani@google.com>
+
+[ Upstream commit 0a1416a49e63c320f6e6c1c8d07e1b58c0d4a3f3 ]
+
+AMU counters on certain CPPC-based platforms tend to yield inaccurate
+delivered performance measurements on systems that are idle/mostly idle.
+This results in an inaccurate frequency being stored by cpufreq in its
+policy structure when the CPU is brought online. [1]
+
+Consequently, if the userspace governor tries to set the frequency to a
+new value, there is a possibility that it would be the erroneous value
+stored earlier. In such a scenario, cpufreq would assume that the
+requested frequency has already been set and return early, resulting in
+the correct/new frequency request never making it to the hardware.
+
+Since the operating frequency is liable to this sort of inconsistency,
+mark the CPPC driver with CPUFREQ_NEED_UPDATE_LIMITS so that it is always
+invoked when a target frequency update is requested.
+
+Link: https://lore.kernel.org/linux-pm/20250619000925.415528-3-pmalani@google.com/ [1]
+Suggested-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Prashant Malani <pmalani@google.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Link: https://patch.msgid.link/20250722055611.130574-2-pmalani@google.com
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/cppc_cpufreq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/cpufreq/cppc_cpufreq.c b/drivers/cpufreq/cppc_cpufreq.c
+index aa34af940cb5..ea32bdf7cc24 100644
+--- a/drivers/cpufreq/cppc_cpufreq.c
++++ b/drivers/cpufreq/cppc_cpufreq.c
+@@ -847,7 +847,7 @@ static struct freq_attr *cppc_cpufreq_attr[] = {
+ };
+
+ static struct cpufreq_driver cppc_cpufreq_driver = {
+- .flags = CPUFREQ_CONST_LOOPS,
++ .flags = CPUFREQ_CONST_LOOPS | CPUFREQ_NEED_UPDATE_LIMITS,
+ .verify = cppc_verify_policy,
+ .target = cppc_cpufreq_set_target,
+ .get = cppc_cpufreq_get_rate,
+--
+2.39.5
+
--- /dev/null
+From 69bc8d38d94ad0d5ee3de83a2b0baa5a5f010231 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jul 2025 18:41:45 +0800
+Subject: cpufreq: Exit governor when failed to start old governor
+
+From: Lifeng Zheng <zhenglifeng1@huawei.com>
+
+[ Upstream commit 0ae204405095abfbc2d694ee0fbb49bcbbe55c57 ]
+
+Detect the result of starting old governor in cpufreq_set_policy(). If it
+fails, exit the governor and clear policy->governor.
+
+Signed-off-by: Lifeng Zheng <zhenglifeng1@huawei.com>
+Link: https://patch.msgid.link/20250709104145.2348017-5-zhenglifeng1@huawei.com
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/cpufreq.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
+index cc98d8cf5433..6ee1767ba08f 100644
+--- a/drivers/cpufreq/cpufreq.c
++++ b/drivers/cpufreq/cpufreq.c
+@@ -2701,10 +2701,12 @@ static int cpufreq_set_policy(struct cpufreq_policy *policy,
+ pr_debug("starting governor %s failed\n", policy->governor->name);
+ if (old_gov) {
+ policy->governor = old_gov;
+- if (cpufreq_init_governor(policy))
++ if (cpufreq_init_governor(policy)) {
+ policy->governor = NULL;
+- else
+- cpufreq_start_governor(policy);
++ } else if (cpufreq_start_governor(policy)) {
++ cpufreq_exit_governor(policy);
++ policy->governor = NULL;
++ }
+ }
+
+ return ret;
+--
+2.39.5
+
--- /dev/null
+From aa8770cbd152b50b19989b1a2b874edda5054ad6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jul 2025 18:05:01 +0800
+Subject: crypto: hisilicon/hpre - fix dma unmap sequence
+
+From: Zhiqi Song <songzhiqi1@huawei.com>
+
+[ Upstream commit 982fd1a74de63c388c060e4fa6f7fbd088d6d02e ]
+
+Perform DMA unmapping operations before processing data.
+Otherwise, there may be unsynchronized data accessed by
+the CPU when the SWIOTLB is enabled.
+
+Signed-off-by: Zhiqi Song <songzhiqi1@huawei.com>
+Signed-off-by: Chenghai Huang <huangchenghai2@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/hisilicon/hpre/hpre_crypto.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/hisilicon/hpre/hpre_crypto.c b/drivers/crypto/hisilicon/hpre/hpre_crypto.c
+index 9a1c61be32cc..059319f7a716 100644
+--- a/drivers/crypto/hisilicon/hpre/hpre_crypto.c
++++ b/drivers/crypto/hisilicon/hpre/hpre_crypto.c
+@@ -1482,11 +1482,13 @@ static void hpre_ecdh_cb(struct hpre_ctx *ctx, void *resp)
+ if (overtime_thrhld && hpre_is_bd_timeout(req, overtime_thrhld))
+ atomic64_inc(&dfx[HPRE_OVER_THRHLD_CNT].value);
+
++ /* Do unmap before data processing */
++ hpre_ecdh_hw_data_clr_all(ctx, req, areq->dst, areq->src);
++
+ p = sg_virt(areq->dst);
+ memmove(p, p + ctx->key_sz - curve_sz, curve_sz);
+ memmove(p + curve_sz, p + areq->dst_len - curve_sz, curve_sz);
+
+- hpre_ecdh_hw_data_clr_all(ctx, req, areq->dst, areq->src);
+ kpp_request_complete(areq, ret);
+
+ atomic64_inc(&dfx[HPRE_RECV_CNT].value);
+@@ -1796,9 +1798,11 @@ static void hpre_curve25519_cb(struct hpre_ctx *ctx, void *resp)
+ if (overtime_thrhld && hpre_is_bd_timeout(req, overtime_thrhld))
+ atomic64_inc(&dfx[HPRE_OVER_THRHLD_CNT].value);
+
++ /* Do unmap before data processing */
++ hpre_curve25519_hw_data_clr_all(ctx, req, areq->dst, areq->src);
++
+ hpre_key_to_big_end(sg_virt(areq->dst), CURVE25519_KEY_SIZE);
+
+- hpre_curve25519_hw_data_clr_all(ctx, req, areq->dst, areq->src);
+ kpp_request_complete(areq, ret);
+
+ atomic64_inc(&dfx[HPRE_RECV_CNT].value);
+--
+2.39.5
+
--- /dev/null
+From 771d915293d0c77b426fc0362edc9a9a4c6ce79b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 21 Jun 2025 13:36:43 +0200
+Subject: crypto: jitter - fix intermediary handling
+
+From: Markus Theil <theil.markus@gmail.com>
+
+[ Upstream commit 735b72568c73875269a6b73ab9543a70f6ac8a9f ]
+
+The intermediary value was included in the wrong
+hash state. While there, adapt to user-space by
+setting the timestamp to 0 if stuck and inserting
+the values nevertheless.
+
+Acked-by: Stephan Mueller <smueller@chronox.de>
+Signed-off-by: Markus Theil <theil.markus@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/jitterentropy-kcapi.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/crypto/jitterentropy-kcapi.c b/crypto/jitterentropy-kcapi.c
+index 7d1463a1562a..dd05faf00571 100644
+--- a/crypto/jitterentropy-kcapi.c
++++ b/crypto/jitterentropy-kcapi.c
+@@ -134,7 +134,7 @@ int jent_hash_time(void *hash_state, __u64 time, u8 *addtl,
+ * Inject the data from the previous loop into the pool. This data is
+ * not considered to contain any entropy, but it stirs the pool a bit.
+ */
+- ret = crypto_shash_update(desc, intermediary, sizeof(intermediary));
++ ret = crypto_shash_update(hash_state_desc, intermediary, sizeof(intermediary));
+ if (ret)
+ goto err;
+
+@@ -147,11 +147,12 @@ int jent_hash_time(void *hash_state, __u64 time, u8 *addtl,
+ * conditioning operation to have an identical amount of input data
+ * according to section 3.1.5.
+ */
+- if (!stuck) {
+- ret = crypto_shash_update(hash_state_desc, (u8 *)&time,
+- sizeof(__u64));
++ if (stuck) {
++ time = 0;
+ }
+
++ ret = crypto_shash_update(hash_state_desc, (u8 *)&time, sizeof(__u64));
++
+ err:
+ shash_desc_zero(desc);
+ memzero_explicit(intermediary, sizeof(intermediary));
+--
+2.39.5
+
--- /dev/null
+From 5301f471d3069da0fa10a5ba3c0c7038e64f1ef8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 May 2025 15:36:24 +0530
+Subject: crypto: octeontx2 - add timeout for load_fvc completion poll
+
+From: Bharat Bhushan <bbhushan2@marvell.com>
+
+[ Upstream commit 2157e50f65d2030f07ea27ef7ac4cfba772e98ac ]
+
+Adds timeout to exit from possible infinite loop, which polls
+on CPT instruction(load_fvc) completion.
+
+Signed-off-by: Srujana Challa <schalla@marvell.com>
+Signed-off-by: Bharat Bhushan <bbhushan2@marvell.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../crypto/marvell/octeontx2/otx2_cptpf_ucode.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c b/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c
+index 1958b797a421..682e7d80adb8 100644
+--- a/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c
++++ b/drivers/crypto/marvell/octeontx2/otx2_cptpf_ucode.c
+@@ -1485,6 +1485,7 @@ int otx2_cpt_discover_eng_capabilities(struct otx2_cptpf_dev *cptpf)
+ dma_addr_t rptr_baddr;
+ struct pci_dev *pdev;
+ u32 len, compl_rlen;
++ int timeout = 10000;
+ int ret, etype;
+ void *rptr;
+
+@@ -1547,16 +1548,27 @@ int otx2_cpt_discover_eng_capabilities(struct otx2_cptpf_dev *cptpf)
+ etype);
+ otx2_cpt_fill_inst(&inst, &iq_cmd, rptr_baddr);
+ lfs->ops->send_cmd(&inst, 1, &cptpf->lfs.lf[0]);
++ timeout = 10000;
+
+ while (lfs->ops->cpt_get_compcode(result) ==
+- OTX2_CPT_COMPLETION_CODE_INIT)
++ OTX2_CPT_COMPLETION_CODE_INIT) {
+ cpu_relax();
++ udelay(1);
++ timeout--;
++ if (!timeout) {
++ ret = -ENODEV;
++ cptpf->is_eng_caps_discovered = false;
++ dev_warn(&pdev->dev, "Timeout on CPT load_fvc completion poll\n");
++ goto error_no_response;
++ }
++ }
+
+ cptpf->eng_caps[etype].u = be64_to_cpup(rptr);
+ }
+- dma_unmap_single(&pdev->dev, rptr_baddr, len, DMA_BIDIRECTIONAL);
+ cptpf->is_eng_caps_discovered = true;
+
++error_no_response:
++ dma_unmap_single(&pdev->dev, rptr_baddr, len, DMA_BIDIRECTIONAL);
+ free_result:
+ kfree(result);
+ lf_cleanup:
+--
+2.39.5
+
--- /dev/null
+From 59a0b0ad29c93931bf7d9e96c5cc4332e78f5e69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 15:24:22 +0200
+Subject: dm-mpath: don't print the "loaded" message if registering fails
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+[ Upstream commit 6e11952a6abc4641dc8ae63f01b318b31b44e8db ]
+
+If dm_register_path_selector, don't print the "version X loaded" message.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm-ps-historical-service-time.c | 4 +++-
+ drivers/md/dm-ps-queue-length.c | 4 +++-
+ drivers/md/dm-ps-round-robin.c | 4 +++-
+ drivers/md/dm-ps-service-time.c | 4 +++-
+ 4 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/md/dm-ps-historical-service-time.c b/drivers/md/dm-ps-historical-service-time.c
+index b49e10d76d03..2c8626a83de4 100644
+--- a/drivers/md/dm-ps-historical-service-time.c
++++ b/drivers/md/dm-ps-historical-service-time.c
+@@ -541,8 +541,10 @@ static int __init dm_hst_init(void)
+ {
+ int r = dm_register_path_selector(&hst_ps);
+
+- if (r < 0)
++ if (r < 0) {
+ DMERR("register failed %d", r);
++ return r;
++ }
+
+ DMINFO("version " HST_VERSION " loaded");
+
+diff --git a/drivers/md/dm-ps-queue-length.c b/drivers/md/dm-ps-queue-length.c
+index e305f05ad1e5..eb543e6431e0 100644
+--- a/drivers/md/dm-ps-queue-length.c
++++ b/drivers/md/dm-ps-queue-length.c
+@@ -260,8 +260,10 @@ static int __init dm_ql_init(void)
+ {
+ int r = dm_register_path_selector(&ql_ps);
+
+- if (r < 0)
++ if (r < 0) {
+ DMERR("register failed %d", r);
++ return r;
++ }
+
+ DMINFO("version " QL_VERSION " loaded");
+
+diff --git a/drivers/md/dm-ps-round-robin.c b/drivers/md/dm-ps-round-robin.c
+index 0f04b673597a..62ac820125cb 100644
+--- a/drivers/md/dm-ps-round-robin.c
++++ b/drivers/md/dm-ps-round-robin.c
+@@ -220,8 +220,10 @@ static int __init dm_rr_init(void)
+ {
+ int r = dm_register_path_selector(&rr_ps);
+
+- if (r < 0)
++ if (r < 0) {
+ DMERR("register failed %d", r);
++ return r;
++ }
+
+ DMINFO("version " RR_VERSION " loaded");
+
+diff --git a/drivers/md/dm-ps-service-time.c b/drivers/md/dm-ps-service-time.c
+index 969d31c40272..f8c43aecdb27 100644
+--- a/drivers/md/dm-ps-service-time.c
++++ b/drivers/md/dm-ps-service-time.c
+@@ -341,8 +341,10 @@ static int __init dm_st_init(void)
+ {
+ int r = dm_register_path_selector(&st_ps);
+
+- if (r < 0)
++ if (r < 0) {
+ DMERR("register failed %d", r);
++ return r;
++ }
+
+ DMINFO("version " ST_VERSION " loaded");
+
+--
+2.39.5
+
--- /dev/null
+From 9535e797777e85a439e82c9873f7fc8565456933 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Jun 2025 19:08:52 -0400
+Subject: dm-table: fix checking for rq stackable devices
+
+From: Benjamin Marzinski <bmarzins@redhat.com>
+
+[ Upstream commit 8ca719b81987be690f197e82fdb030580c0a07f3 ]
+
+Due to the semantics of iterate_devices(), the current code allows a
+request-based dm table as long as it includes one request-stackable
+device. It is supposed to only allow tables where there are no
+non-request-stackable devices.
+
+Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com>
+Reviewed-by: Mike Snitzer <snitzer@kernel.org>
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm-table.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c
+index bf2ade89c8c2..ed0a5e91968d 100644
+--- a/drivers/md/dm-table.c
++++ b/drivers/md/dm-table.c
+@@ -862,17 +862,17 @@ static bool dm_table_supports_dax(struct dm_table *t,
+ return true;
+ }
+
+-static int device_is_rq_stackable(struct dm_target *ti, struct dm_dev *dev,
+- sector_t start, sector_t len, void *data)
++static int device_is_not_rq_stackable(struct dm_target *ti, struct dm_dev *dev,
++ sector_t start, sector_t len, void *data)
+ {
+ struct block_device *bdev = dev->bdev;
+ struct request_queue *q = bdev_get_queue(bdev);
+
+ /* request-based cannot stack on partitions! */
+ if (bdev_is_partition(bdev))
+- return false;
++ return true;
+
+- return queue_is_mq(q);
++ return !queue_is_mq(q);
+ }
+
+ static int dm_table_determine_type(struct dm_table *t)
+@@ -968,7 +968,7 @@ static int dm_table_determine_type(struct dm_table *t)
+
+ /* Non-request-stackable devices can't be used for request-based dm */
+ if (!ti->type->iterate_devices ||
+- !ti->type->iterate_devices(ti, device_is_rq_stackable, NULL)) {
++ ti->type->iterate_devices(ti, device_is_not_rq_stackable, NULL)) {
+ DMERR("table load rejected: including non-request-stackable devices");
+ return -EINVAL;
+ }
+--
+2.39.5
+
--- /dev/null
+From 7fa908d59ca0028e49f7cef0ceb3fcad1631722b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jun 2025 09:31:37 +0200
+Subject: dmaengine: stm32-dma: configure next sg only if there are more than 2
+ sgs
+
+From: Amelie Delaunay <amelie.delaunay@foss.st.com>
+
+[ Upstream commit e19bdbaa31082b43dab1d936e20efcebc30aa73d ]
+
+DMA operates in Double Buffer Mode (DBM) when the transfer is cyclic and
+there are at least two periods.
+When DBM is enabled, the DMA toggles between two memory targets (SxM0AR and
+SxM1AR), indicated by the SxSCR.CT bit (Current Target).
+There is no need to update the next memory address if two periods are
+configured, as SxM0AR and SxM1AR are already properly set up before the
+transfer begins in the stm32_dma_start_transfer() function.
+This avoids unnecessary updates to SxM0AR/SxM1AR, thereby preventing
+potential Transfer Errors. Specifically, when the channel is enabled,
+SxM0AR and SxM1AR can only be written if SxSCR.CT=1 and SxSCR.CT=0,
+respectively. Otherwise, a Transfer Error interrupt is triggered, and the
+stream is automatically disabled.
+
+Signed-off-by: Amelie Delaunay <amelie.delaunay@foss.st.com>
+Link: https://lore.kernel.org/r/20250624-stm32_dma_dbm_fix-v1-1-337c40d6c93e@foss.st.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/stm32-dma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/dma/stm32-dma.c b/drivers/dma/stm32-dma.c
+index 9840594a6aaa..3882080cffa6 100644
+--- a/drivers/dma/stm32-dma.c
++++ b/drivers/dma/stm32-dma.c
+@@ -745,7 +745,7 @@ static void stm32_dma_handle_chan_done(struct stm32_dma_chan *chan, u32 scr)
+ /* cyclic while CIRC/DBM disable => post resume reconfiguration needed */
+ if (!(scr & (STM32_DMA_SCR_CIRC | STM32_DMA_SCR_DBM)))
+ stm32_dma_post_resume_reconfigure(chan);
+- else if (scr & STM32_DMA_SCR_DBM)
++ else if (scr & STM32_DMA_SCR_DBM && chan->desc->num_sgs > 2)
+ stm32_dma_configure_next_sg(chan);
+ } else {
+ chan->busy = false;
+--
+2.39.5
+
--- /dev/null
+From fb12be75148f4ad6537c48ad58bbd2fdf0ee3386 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Jun 2025 23:24:05 +0200
+Subject: dpaa_eth: don't use fixed_phy_change_carrier
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit d8155c1df5c8b717052567b188455d41fa7a8908 ]
+
+This effectively reverts 6e8b0ff1ba4c ("dpaa_eth: Add change_carrier()
+for Fixed PHYs"). Usage of fixed_phy_change_carrier() requires that
+fixed_phy_register() has been called before, directly or indirectly.
+And that's not the case in this driver.
+
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://patch.msgid.link/7eb189b3-d5fd-4be6-8517-a66671a4e4e3@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c b/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
+index e7bf70ac9a4c..6b7e1bb5c62d 100644
+--- a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
++++ b/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
+@@ -28,7 +28,6 @@
+ #include <linux/percpu.h>
+ #include <linux/dma-mapping.h>
+ #include <linux/sort.h>
+-#include <linux/phy_fixed.h>
+ #include <linux/bpf.h>
+ #include <linux/bpf_trace.h>
+ #include <soc/fsl/bman.h>
+@@ -3141,7 +3140,6 @@ static const struct net_device_ops dpaa_ops = {
+ .ndo_stop = dpaa_eth_stop,
+ .ndo_tx_timeout = dpaa_tx_timeout,
+ .ndo_get_stats64 = dpaa_get_stats64,
+- .ndo_change_carrier = fixed_phy_change_carrier,
+ .ndo_set_mac_address = dpaa_set_mac_address,
+ .ndo_validate_addr = eth_validate_addr,
+ .ndo_set_rx_mode = dpaa_set_rx_mode,
+--
+2.39.5
+
--- /dev/null
+From 1f21a19bad009591f1a7ffb7e5c0d1c82d77d1cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 11:57:28 +0200
+Subject: drbd: add missing kref_get in handle_write_conflicts
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sarah Newman <srn@prgmr.com>
+
+[ Upstream commit 00c9c9628b49e368d140cfa61d7df9b8922ec2a8 ]
+
+With `two-primaries` enabled, DRBD tries to detect "concurrent" writes
+and handle write conflicts, so that even if you write to the same sector
+simultaneously on both nodes, they end up with the identical data once
+the writes are completed.
+
+In handling "superseeded" writes, we forgot a kref_get,
+resulting in a premature drbd_destroy_device and use after free,
+and further to kernel crashes with symptoms.
+
+Relevance: No one should use DRBD as a random data generator, and apparently
+all users of "two-primaries" handle concurrent writes correctly on layer up.
+That is cluster file systems use some distributed lock manager,
+and live migration in virtualization environments stops writes on one node
+before starting writes on the other node.
+
+Which means that other than for "test cases",
+this code path is never taken in real life.
+
+FYI, in DRBD 9, things are handled differently nowadays. We still detect
+"write conflicts", but no longer try to be smart about them.
+We decided to disconnect hard instead: upper layers must not submit concurrent
+writes. If they do, that's their fault.
+
+Signed-off-by: Sarah Newman <srn@prgmr.com>
+Signed-off-by: Lars Ellenberg <lars@linbit.com>
+Signed-off-by: Christoph Böhmwalder <christoph.boehmwalder@linbit.com>
+Link: https://lore.kernel.org/r/20250627095728.800688-1-christoph.boehmwalder@linbit.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/drbd/drbd_receiver.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c
+index 0c9f54197768..ac18d36b0ea8 100644
+--- a/drivers/block/drbd/drbd_receiver.c
++++ b/drivers/block/drbd/drbd_receiver.c
+@@ -2500,7 +2500,11 @@ static int handle_write_conflicts(struct drbd_device *device,
+ peer_req->w.cb = superseded ? e_send_superseded :
+ e_send_retry_write;
+ list_add_tail(&peer_req->w.list, &device->done_ee);
+- queue_work(connection->ack_sender, &peer_req->peer_device->send_acks_work);
++ /* put is in drbd_send_acks_wf() */
++ kref_get(&device->kref);
++ if (!queue_work(connection->ack_sender,
++ &peer_req->peer_device->send_acks_work))
++ kref_put(&device->kref, drbd_destroy_device);
+
+ err = -ENOENT;
+ goto out;
+--
+2.39.5
+
--- /dev/null
+From dbf1bcd3eb4e124f33f49c354e335003eccc657e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Jun 2025 22:12:26 -0500
+Subject: drm/amd: Allow printing VanGogh OD SCLK levels without setting dpm to
+ manual
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit 2d1ec1e955414e8e8358178011c35afca1a1c0b1 ]
+
+Several other ASICs allow printing OD SCLK levels without setting DPM
+control to manual. When OD is disabled it will show the range the
+hardware supports. When OD is enabled it will show what values have
+been programmed. Adjust VanGogh to work the same.
+
+Cc: Pierre-Loup A. Griffais <pgriffais@valvesoftware.com>
+Reported-by: Vicki Pfau <vi@endrift.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Link: https://lore.kernel.org/r/20250609031227.479079-1-superm1@kernel.org
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c | 37 ++++++++-----------
+ 1 file changed, 15 insertions(+), 22 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c
+index 454216bd6f1d..4fabecaa2b41 100644
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c
+@@ -686,7 +686,6 @@ static int vangogh_print_clk_levels(struct smu_context *smu,
+ {
+ DpmClocks_t *clk_table = smu->smu_table.clocks_table;
+ SmuMetrics_t metrics;
+- struct smu_dpm_context *smu_dpm_ctx = &(smu->smu_dpm);
+ int i, idx, size = 0, ret = 0;
+ uint32_t cur_value = 0, value = 0, count = 0;
+ bool cur_value_match_level = false;
+@@ -702,31 +701,25 @@ static int vangogh_print_clk_levels(struct smu_context *smu,
+
+ switch (clk_type) {
+ case SMU_OD_SCLK:
+- if (smu_dpm_ctx->dpm_level == AMD_DPM_FORCED_LEVEL_MANUAL) {
+- size += sysfs_emit_at(buf, size, "%s:\n", "OD_SCLK");
+- size += sysfs_emit_at(buf, size, "0: %10uMhz\n",
+- (smu->gfx_actual_hard_min_freq > 0) ? smu->gfx_actual_hard_min_freq : smu->gfx_default_hard_min_freq);
+- size += sysfs_emit_at(buf, size, "1: %10uMhz\n",
+- (smu->gfx_actual_soft_max_freq > 0) ? smu->gfx_actual_soft_max_freq : smu->gfx_default_soft_max_freq);
+- }
++ size += sysfs_emit_at(buf, size, "%s:\n", "OD_SCLK");
++ size += sysfs_emit_at(buf, size, "0: %10uMhz\n",
++ (smu->gfx_actual_hard_min_freq > 0) ? smu->gfx_actual_hard_min_freq : smu->gfx_default_hard_min_freq);
++ size += sysfs_emit_at(buf, size, "1: %10uMhz\n",
++ (smu->gfx_actual_soft_max_freq > 0) ? smu->gfx_actual_soft_max_freq : smu->gfx_default_soft_max_freq);
+ break;
+ case SMU_OD_CCLK:
+- if (smu_dpm_ctx->dpm_level == AMD_DPM_FORCED_LEVEL_MANUAL) {
+- size += sysfs_emit_at(buf, size, "CCLK_RANGE in Core%d:\n", smu->cpu_core_id_select);
+- size += sysfs_emit_at(buf, size, "0: %10uMhz\n",
+- (smu->cpu_actual_soft_min_freq > 0) ? smu->cpu_actual_soft_min_freq : smu->cpu_default_soft_min_freq);
+- size += sysfs_emit_at(buf, size, "1: %10uMhz\n",
+- (smu->cpu_actual_soft_max_freq > 0) ? smu->cpu_actual_soft_max_freq : smu->cpu_default_soft_max_freq);
+- }
++ size += sysfs_emit_at(buf, size, "CCLK_RANGE in Core%d:\n", smu->cpu_core_id_select);
++ size += sysfs_emit_at(buf, size, "0: %10uMhz\n",
++ (smu->cpu_actual_soft_min_freq > 0) ? smu->cpu_actual_soft_min_freq : smu->cpu_default_soft_min_freq);
++ size += sysfs_emit_at(buf, size, "1: %10uMhz\n",
++ (smu->cpu_actual_soft_max_freq > 0) ? smu->cpu_actual_soft_max_freq : smu->cpu_default_soft_max_freq);
+ break;
+ case SMU_OD_RANGE:
+- if (smu_dpm_ctx->dpm_level == AMD_DPM_FORCED_LEVEL_MANUAL) {
+- size += sysfs_emit_at(buf, size, "%s:\n", "OD_RANGE");
+- size += sysfs_emit_at(buf, size, "SCLK: %7uMhz %10uMhz\n",
+- smu->gfx_default_hard_min_freq, smu->gfx_default_soft_max_freq);
+- size += sysfs_emit_at(buf, size, "CCLK: %7uMhz %10uMhz\n",
+- smu->cpu_default_soft_min_freq, smu->cpu_default_soft_max_freq);
+- }
++ size += sysfs_emit_at(buf, size, "%s:\n", "OD_RANGE");
++ size += sysfs_emit_at(buf, size, "SCLK: %7uMhz %10uMhz\n",
++ smu->gfx_default_hard_min_freq, smu->gfx_default_soft_max_freq);
++ size += sysfs_emit_at(buf, size, "CCLK: %7uMhz %10uMhz\n",
++ smu->cpu_default_soft_min_freq, smu->cpu_default_soft_max_freq);
+ break;
+ case SMU_SOCCLK:
+ /* the level 3 ~ 6 of socclk use the same frequency for vangogh */
+--
+2.39.5
+
--- /dev/null
+From 1d83bd874a4a0538e536a2fa2bad8f2aa7b541b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Jul 2025 08:38:05 -0500
+Subject: drm/amd/display: Avoid configuring PSR granularity if PSR-SU not
+ supported
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit a5ce8695d6d1b40d6960d2d298b579042c158f25 ]
+
+[Why]
+If PSR-SU is disabled on the link, then configuring su_y granularity in
+mod_power_calc_psr_configs() can lead to assertions in
+psr_su_set_dsc_slice_height().
+
+[How]
+Check the PSR version in amdgpu_dm_link_setup_psr() to determine whether
+or not to configure granularity.
+
+Reviewed-by: Sun peng (Leo) Li <sunpeng.li@amd.com>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Ivan Lipski <ivan.lipski@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_psr.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_psr.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_psr.c
+index fe96bab7d05d..67972d25366e 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_psr.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_psr.c
+@@ -124,8 +124,10 @@ bool amdgpu_dm_link_setup_psr(struct dc_stream_state *stream)
+ psr_config.allow_multi_disp_optimizations =
+ (amdgpu_dc_feature_mask & DC_PSR_ALLOW_MULTI_DISP_OPT);
+
+- if (!psr_su_set_dsc_slice_height(dc, link, stream, &psr_config))
+- return false;
++ if (link->psr_settings.psr_version == DC_PSR_VERSION_SU_1) {
++ if (!psr_su_set_dsc_slice_height(dc, link, stream, &psr_config))
++ return false;
++ }
+
+ ret = dc_link_setup_psr(link, stream, &psr_config, &psr_context);
+
+--
+2.39.5
+
--- /dev/null
+From 82a902beddafac2c06225242eee9d427b3c3415a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 May 2025 16:06:50 +0800
+Subject: drm/amd/display: Avoid trying AUX transactions on disconnected ports
+
+From: Wayne Lin <Wayne.Lin@amd.com>
+
+[ Upstream commit deb24e64c8881c462b29e2c69afd9e6669058be5 ]
+
+[Why & How]
+Observe that we try to access DPCD 0x600h of disconnected DP ports.
+In order not to wasting time on retrying these ports, call
+dpcd_write_rx_power_ctrl() after checking its connection status.
+
+Reviewed-by: Aurabindo Pillai <aurabindo.pillai@amd.com>
+Signed-off-by: Wayne Lin <Wayne.Lin@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/link/link_dpms.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/link/link_dpms.c b/drivers/gpu/drm/amd/display/dc/link/link_dpms.c
+index 9b470812d96a..2ce2d9ff7568 100644
+--- a/drivers/gpu/drm/amd/display/dc/link/link_dpms.c
++++ b/drivers/gpu/drm/amd/display/dc/link/link_dpms.c
+@@ -137,7 +137,8 @@ void link_blank_dp_stream(struct dc_link *link, bool hw_init)
+ }
+ }
+
+- if ((!link->wa_flags.dp_keep_receiver_powered) || hw_init)
++ if (((!link->wa_flags.dp_keep_receiver_powered) || hw_init) &&
++ (link->type != dc_connection_none))
+ dpcd_write_rx_power_ctrl(link, false);
+ }
+ }
+--
+2.39.5
+
--- /dev/null
+From db13d766616b7e3f6f83ae82a10bd9394a8e89fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Jun 2025 16:37:08 -0400
+Subject: drm/amd/display: Fix 'failed to blank crtc!'
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wen Chen <Wen.Chen3@amd.com>
+
+[ Upstream commit 01f60348d8fb6b3fbcdfc7bdde5d669f95b009a4 ]
+
+[why]
+DCN35 is having “DC: failed to blank crtc!” when running HPO
+test cases. It's caused by not having sufficient udelay time.
+
+[how]
+Replace the old wait_for_blank_complete function with fsleep function to
+sleep just until the next frame should come up. This way it doesn't poll
+in case the pixel clock or other clock was bugged or until vactive and
+the vblank are hit again.
+
+Reviewed-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
+Signed-off-by: Wen Chen <Wen.Chen3@amd.com>
+Signed-off-by: Fangzhi Zuo <jerry.zuo@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
+index f3c682c7fbe6..f0b472e84a53 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
+@@ -781,7 +781,7 @@ enum dc_status dcn20_enable_stream_timing(
+ return DC_ERROR_UNEXPECTED;
+ }
+
+- hws->funcs.wait_for_blank_complete(pipe_ctx->stream_res.opp);
++ fsleep(stream->timing.v_total * (stream->timing.h_total * 10000u / stream->timing.pix_clk_100hz));
+
+ params.vertical_total_min = stream->adjust.v_total_min;
+ params.vertical_total_max = stream->adjust.v_total_max;
+--
+2.39.5
+
--- /dev/null
+From 592f8161644b035278094e5c059611d9ff693e0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jul 2025 14:41:46 -0500
+Subject: drm/amd/display: Only finalize atomic_obj if it was initialized
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit b174084b3fe15ad1acc69530e673c1535d2e4f85 ]
+
+[Why]
+If amdgpu_dm failed to initalize before amdgpu_dm_initialize_drm_device()
+completed then freeing atomic_obj will lead to list corruption.
+
+[How]
+Check if atomic_obj state is initialized before trying to free.
+
+Reviewed-by: Harry Wentland <harry.wentland@amd.com>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Ivan Lipski <ivan.lipski@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+index d4edddaa23dd..10c607d84b43 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -4620,7 +4620,8 @@ static int amdgpu_dm_initialize_drm_device(struct amdgpu_device *adev)
+
+ static void amdgpu_dm_destroy_drm_device(struct amdgpu_display_manager *dm)
+ {
+- drm_atomic_private_obj_fini(&dm->atomic_obj);
++ if (dm->atomic_obj.state)
++ drm_atomic_private_obj_fini(&dm->atomic_obj);
+ }
+
+ /******************************************************************************
+--
+2.39.5
+
--- /dev/null
+From d183211052e1ae1a53f163e5ee95dcc0a98840c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 13:07:14 -0400
+Subject: drm/amd/display: Separate set_gsl from set_gsl_source_select
+
+From: Ilya Bakoulin <Ilya.Bakoulin@amd.com>
+
+[ Upstream commit 660a467a5e7366cd6642de61f1aaeaf0d253ee68 ]
+
+[Why/How]
+Separate the checks for set_gsl and set_gsl_source_select, since
+source_select may not be implemented/necessary.
+
+Reviewed-by: Nevenko Stupar <nevenko.stupar@amd.com>
+Signed-off-by: Ilya Bakoulin <Ilya.Bakoulin@amd.com>
+Signed-off-by: Ray Wu <ray.wu@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
+index a825fd6c7fa6..f3c682c7fbe6 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c
+@@ -163,14 +163,13 @@ static void dcn20_setup_gsl_group_as_lock(
+ }
+
+ /* at this point we want to program whether it's to enable or disable */
+- if (pipe_ctx->stream_res.tg->funcs->set_gsl != NULL &&
+- pipe_ctx->stream_res.tg->funcs->set_gsl_source_select != NULL) {
++ if (pipe_ctx->stream_res.tg->funcs->set_gsl != NULL) {
+ pipe_ctx->stream_res.tg->funcs->set_gsl(
+ pipe_ctx->stream_res.tg,
+ &gsl);
+-
+- pipe_ctx->stream_res.tg->funcs->set_gsl_source_select(
+- pipe_ctx->stream_res.tg, group_idx, enable ? 4 : 0);
++ if (pipe_ctx->stream_res.tg->funcs->set_gsl_source_select != NULL)
++ pipe_ctx->stream_res.tg->funcs->set_gsl_source_select(
++ pipe_ctx->stream_res.tg, group_idx, enable ? 4 : 0);
+ } else
+ BREAK_TO_DEBUGGER();
+ }
+--
+2.39.5
+
--- /dev/null
+From f365e6e66aede51adc832f2c6143363bef753602 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 29 Jun 2025 13:13:22 -0700
+Subject: drm/msm: use trylock for debugfs
+
+From: Rob Clark <robdclark@chromium.org>
+
+[ Upstream commit 0a1ff88ec5b60b41ba830c5bf08b6cd8f45ab411 ]
+
+This resolves a potential deadlock vs msm_gem_vm_close(). Otherwise for
+_NO_SHARE buffers msm_gem_describe() could be trying to acquire the
+shared vm resv, while already holding priv->obj_lock. But _vm_close()
+might drop the last reference to a GEM obj while already holding the vm
+resv, and msm_gem_free_object() needs to grab priv->obj_lock, a locking
+inversion.
+
+OTOH this is only for debugfs and it isn't critical if we undercount by
+skipping a locked obj. So just use trylock() and move along if we can't
+get the lock.
+
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
+Tested-by: Antonino Maniscalco <antomani103@gmail.com>
+Reviewed-by: Antonino Maniscalco <antomani103@gmail.com>
+Patchwork: https://patchwork.freedesktop.org/patch/661525/
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/msm_gem.c | 3 ++-
+ drivers/gpu/drm/msm/msm_gem.h | 6 ++++++
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/msm_gem.c b/drivers/gpu/drm/msm/msm_gem.c
+index 1113e6b2ec8e..aaf7c338eb96 100644
+--- a/drivers/gpu/drm/msm/msm_gem.c
++++ b/drivers/gpu/drm/msm/msm_gem.c
+@@ -928,7 +928,8 @@ void msm_gem_describe(struct drm_gem_object *obj, struct seq_file *m,
+ uint64_t off = drm_vma_node_start(&obj->vma_node);
+ const char *madv;
+
+- msm_gem_lock(obj);
++ if (!msm_gem_trylock(obj))
++ return;
+
+ stats->all.count++;
+ stats->all.size += obj->size;
+diff --git a/drivers/gpu/drm/msm/msm_gem.h b/drivers/gpu/drm/msm/msm_gem.h
+index 8ddef5443140..631a9aa129bd 100644
+--- a/drivers/gpu/drm/msm/msm_gem.h
++++ b/drivers/gpu/drm/msm/msm_gem.h
+@@ -183,6 +183,12 @@ msm_gem_lock(struct drm_gem_object *obj)
+ dma_resv_lock(obj->resv, NULL);
+ }
+
++static inline bool __must_check
++msm_gem_trylock(struct drm_gem_object *obj)
++{
++ return dma_resv_trylock(obj->resv);
++}
++
+ static inline int
+ msm_gem_lock_interruptible(struct drm_gem_object *obj)
+ {
+--
+2.39.5
+
--- /dev/null
+From 451c766b0dd6bdac510785375db30dcaf520eea2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jun 2025 23:56:22 +0100
+Subject: drm: renesas: rz-du: mipi_dsi: Add min check for VCLK range
+
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+
+[ Upstream commit e37a95d01d5acce211da8446fefbd8684c67f516 ]
+
+The VCLK range for Renesas RZ/G2L SoC is 5.803 MHz to 148.5 MHz. Add a
+minimum clock check in the mode_valid callback to ensure that the clock
+value does not fall below the valid range.
+
+Co-developed-by: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
+Signed-off-by: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
+Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Reviewed-by: Biju Das <biju.das.jz@bp.renesas.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
+Link: https://lore.kernel.org/r/20250609225630.502888-2-prabhakar.mahadev-lad.rj@bp.renesas.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/renesas/rcar-du/rzg2l_mipi_dsi.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpu/drm/renesas/rcar-du/rzg2l_mipi_dsi.c b/drivers/gpu/drm/renesas/rcar-du/rzg2l_mipi_dsi.c
+index 10febea473cd..6cec796dd463 100644
+--- a/drivers/gpu/drm/renesas/rcar-du/rzg2l_mipi_dsi.c
++++ b/drivers/gpu/drm/renesas/rcar-du/rzg2l_mipi_dsi.c
+@@ -585,6 +585,9 @@ rzg2l_mipi_dsi_bridge_mode_valid(struct drm_bridge *bridge,
+ if (mode->clock > 148500)
+ return MODE_CLOCK_HIGH;
+
++ if (mode->clock < 5803)
++ return MODE_CLOCK_LOW;
++
+ return MODE_OK;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 9247847ad144d6e977e13bff3b32c74414d5c27d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Jun 2025 12:27:49 +0100
+Subject: drm/ttm: Respect the shrinker core free target
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
+
+[ Upstream commit eac21f8ebeb4f84d703cf41dc3f81d16fa9dc00a ]
+
+Currently the TTM shrinker aborts shrinking as soon as it frees pages from
+any of the page order pools and by doing so it can fail to respect the
+freeing target which was configured by the shrinker core.
+
+We use the wording "can fail" because the number of freed pages will
+depend on the presence of pages in the pools and the order of the pools on
+the LRU list. For example if there are no free pages in the high order
+pools the shrinker core may require multiple passes over the TTM shrinker
+before it will free the default target of 128 pages (assuming there are
+free pages in the low order pools). This inefficiency can be compounded by
+the pool LRU where multiple further calls into the TTM shrinker are
+required to end up looking at the pool with pages.
+
+Improve this by never freeing less than the shrinker core has requested.
+
+At the same time we start reporting the number of scanned pages (freed in
+this case), which prevents the core shrinker from giving up on the TTM
+shrinker too soon and moving on.
+
+v2:
+ * Simplify loop logic. (Christian)
+ * Improve commit message.
+
+Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
+Cc: Christian König <christian.koenig@amd.com>
+Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
+Link: https://lore.kernel.org/r/20250603112750.34997-2-tvrtko.ursulin@igalia.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/ttm/ttm_pool.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/ttm/ttm_pool.c b/drivers/gpu/drm/ttm/ttm_pool.c
+index 37c08fac7e7d..80ba34cabca3 100644
+--- a/drivers/gpu/drm/ttm/ttm_pool.c
++++ b/drivers/gpu/drm/ttm/ttm_pool.c
+@@ -615,7 +615,6 @@ void ttm_pool_fini(struct ttm_pool *pool)
+ }
+ EXPORT_SYMBOL(ttm_pool_fini);
+
+-/* As long as pages are available make sure to release at least one */
+ static unsigned long ttm_pool_shrinker_scan(struct shrinker *shrink,
+ struct shrink_control *sc)
+ {
+@@ -623,9 +622,12 @@ static unsigned long ttm_pool_shrinker_scan(struct shrinker *shrink,
+
+ do
+ num_freed += ttm_pool_shrink();
+- while (!num_freed && atomic_long_read(&allocated_pages));
++ while (num_freed < sc->nr_to_scan &&
++ atomic_long_read(&allocated_pages));
+
+- return num_freed;
++ sc->nr_scanned = num_freed;
++
++ return num_freed ?: SHRINK_STOP;
+ }
+
+ /* Return the number of pages available or SHRINK_EMPTY if we have none */
+--
+2.39.5
+
--- /dev/null
+From cf587df40dd27a8b06f510b922d15c5ae3b8a582 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Jun 2025 17:11:54 +0800
+Subject: drm/ttm: Should to return the evict error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Emily Deng <Emily.Deng@amd.com>
+
+[ Upstream commit 4e16a9a00239db5d819197b9a00f70665951bf50 ]
+
+For the evict fail case, the evict error should be returned.
+
+v2: Consider ENOENT case.
+
+v3: Abort directly when the eviction failed for some reason (except for -ENOENT)
+ and not wait for the move to finish
+
+Signed-off-by: Emily Deng <Emily.Deng@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Link: https://lore.kernel.org/r/20250603091154.3472646-1-Emily.Deng@amd.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/ttm/ttm_resource.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpu/drm/ttm/ttm_resource.c b/drivers/gpu/drm/ttm/ttm_resource.c
+index 46ff9c75bb12..8f2423a15c71 100644
+--- a/drivers/gpu/drm/ttm/ttm_resource.c
++++ b/drivers/gpu/drm/ttm/ttm_resource.c
+@@ -437,6 +437,9 @@ int ttm_resource_manager_evict_all(struct ttm_device *bdev,
+ }
+ spin_unlock(&bdev->lru_lock);
+
++ if (ret && ret != -ENOENT)
++ return ret;
++
+ spin_lock(&man->move_lock);
+ fence = dma_fence_get(man->move);
+ spin_unlock(&man->move_lock);
+--
+2.39.5
+
--- /dev/null
+From ecba0fe447763a0e2e10f519d07c85968f72b57b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Jul 2025 10:37:53 +0530
+Subject: EDAC/synopsys: Clear the ECC counters on init
+
+From: Shubhrajyoti Datta <shubhrajyoti.datta@amd.com>
+
+[ Upstream commit b1dc7f097b78eb8d25b071ead2384b07a549692b ]
+
+Clear the ECC error and counter registers during initialization/probe to avoid
+reporting stale errors that may have occurred before EDAC registration.
+
+For that, unify the Zynq and ZynqMP ECC state reading paths and simplify the
+code.
+
+ [ bp: Massage commit message.
+ Fix an -Wsometimes-uninitialized warning as reported by
+ Reported-by: kernel test robot <lkp@intel.com>
+ Closes: https://lore.kernel.org/oe-kbuild-all/202507141048.obUv3ZUm-lkp@intel.com ]
+
+Signed-off-by: Shubhrajyoti Datta <shubhrajyoti.datta@amd.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Link: https://lore.kernel.org/20250713050753.7042-1-shubhrajyoti.datta@amd.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/synopsys_edac.c | 97 +++++++++++++++++-------------------
+ 1 file changed, 46 insertions(+), 51 deletions(-)
+
+diff --git a/drivers/edac/synopsys_edac.c b/drivers/edac/synopsys_edac.c
+index 6ddc90d7ba7c..f8aaada42d3f 100644
+--- a/drivers/edac/synopsys_edac.c
++++ b/drivers/edac/synopsys_edac.c
+@@ -332,20 +332,26 @@ struct synps_edac_priv {
+ #endif
+ };
+
++enum synps_platform_type {
++ ZYNQ,
++ ZYNQMP,
++ SYNPS,
++};
++
+ /**
+ * struct synps_platform_data - synps platform data structure.
++ * @platform: Identifies the target hardware platform
+ * @get_error_info: Get EDAC error info.
+ * @get_mtype: Get mtype.
+ * @get_dtype: Get dtype.
+- * @get_ecc_state: Get ECC state.
+ * @get_mem_info: Get EDAC memory info
+ * @quirks: To differentiate IPs.
+ */
+ struct synps_platform_data {
++ enum synps_platform_type platform;
+ int (*get_error_info)(struct synps_edac_priv *priv);
+ enum mem_type (*get_mtype)(const void __iomem *base);
+ enum dev_type (*get_dtype)(const void __iomem *base);
+- bool (*get_ecc_state)(void __iomem *base);
+ #ifdef CONFIG_EDAC_DEBUG
+ u64 (*get_mem_info)(struct synps_edac_priv *priv);
+ #endif
+@@ -720,51 +726,38 @@ static enum dev_type zynqmp_get_dtype(const void __iomem *base)
+ return dt;
+ }
+
+-/**
+- * zynq_get_ecc_state - Return the controller ECC enable/disable status.
+- * @base: DDR memory controller base address.
+- *
+- * Get the ECC enable/disable status of the controller.
+- *
+- * Return: true if enabled, otherwise false.
+- */
+-static bool zynq_get_ecc_state(void __iomem *base)
++static bool get_ecc_state(struct synps_edac_priv *priv)
+ {
++ u32 ecctype, clearval;
+ enum dev_type dt;
+- u32 ecctype;
+-
+- dt = zynq_get_dtype(base);
+- if (dt == DEV_UNKNOWN)
+- return false;
+
+- ecctype = readl(base + SCRUB_OFST) & SCRUB_MODE_MASK;
+- if ((ecctype == SCRUB_MODE_SECDED) && (dt == DEV_X2))
+- return true;
+-
+- return false;
+-}
+-
+-/**
+- * zynqmp_get_ecc_state - Return the controller ECC enable/disable status.
+- * @base: DDR memory controller base address.
+- *
+- * Get the ECC enable/disable status for the controller.
+- *
+- * Return: a ECC status boolean i.e true/false - enabled/disabled.
+- */
+-static bool zynqmp_get_ecc_state(void __iomem *base)
+-{
+- enum dev_type dt;
+- u32 ecctype;
+-
+- dt = zynqmp_get_dtype(base);
+- if (dt == DEV_UNKNOWN)
+- return false;
+-
+- ecctype = readl(base + ECC_CFG0_OFST) & SCRUB_MODE_MASK;
+- if ((ecctype == SCRUB_MODE_SECDED) &&
+- ((dt == DEV_X2) || (dt == DEV_X4) || (dt == DEV_X8)))
+- return true;
++ if (priv->p_data->platform == ZYNQ) {
++ dt = zynq_get_dtype(priv->baseaddr);
++ if (dt == DEV_UNKNOWN)
++ return false;
++
++ ecctype = readl(priv->baseaddr + SCRUB_OFST) & SCRUB_MODE_MASK;
++ if (ecctype == SCRUB_MODE_SECDED && dt == DEV_X2) {
++ clearval = ECC_CTRL_CLR_CE_ERR | ECC_CTRL_CLR_UE_ERR;
++ writel(clearval, priv->baseaddr + ECC_CTRL_OFST);
++ writel(0x0, priv->baseaddr + ECC_CTRL_OFST);
++ return true;
++ }
++ } else {
++ dt = zynqmp_get_dtype(priv->baseaddr);
++ if (dt == DEV_UNKNOWN)
++ return false;
++
++ ecctype = readl(priv->baseaddr + ECC_CFG0_OFST) & SCRUB_MODE_MASK;
++ if (ecctype == SCRUB_MODE_SECDED &&
++ (dt == DEV_X2 || dt == DEV_X4 || dt == DEV_X8)) {
++ clearval = readl(priv->baseaddr + ECC_CLR_OFST) |
++ ECC_CTRL_CLR_CE_ERR | ECC_CTRL_CLR_CE_ERRCNT |
++ ECC_CTRL_CLR_UE_ERR | ECC_CTRL_CLR_UE_ERRCNT;
++ writel(clearval, priv->baseaddr + ECC_CLR_OFST);
++ return true;
++ }
++ }
+
+ return false;
+ }
+@@ -934,18 +927,18 @@ static int setup_irq(struct mem_ctl_info *mci,
+ }
+
+ static const struct synps_platform_data zynq_edac_def = {
++ .platform = ZYNQ,
+ .get_error_info = zynq_get_error_info,
+ .get_mtype = zynq_get_mtype,
+ .get_dtype = zynq_get_dtype,
+- .get_ecc_state = zynq_get_ecc_state,
+ .quirks = 0,
+ };
+
+ static const struct synps_platform_data zynqmp_edac_def = {
++ .platform = ZYNQMP,
+ .get_error_info = zynqmp_get_error_info,
+ .get_mtype = zynqmp_get_mtype,
+ .get_dtype = zynqmp_get_dtype,
+- .get_ecc_state = zynqmp_get_ecc_state,
+ #ifdef CONFIG_EDAC_DEBUG
+ .get_mem_info = zynqmp_get_mem_info,
+ #endif
+@@ -957,10 +950,10 @@ static const struct synps_platform_data zynqmp_edac_def = {
+ };
+
+ static const struct synps_platform_data synopsys_edac_def = {
++ .platform = SYNPS,
+ .get_error_info = zynqmp_get_error_info,
+ .get_mtype = zynqmp_get_mtype,
+ .get_dtype = zynqmp_get_dtype,
+- .get_ecc_state = zynqmp_get_ecc_state,
+ .quirks = (DDR_ECC_INTR_SUPPORT | DDR_ECC_INTR_SELF_CLEAR
+ #ifdef CONFIG_EDAC_DEBUG
+ | DDR_ECC_DATA_POISON_SUPPORT
+@@ -1392,10 +1385,6 @@ static int mc_probe(struct platform_device *pdev)
+ if (!p_data)
+ return -ENODEV;
+
+- if (!p_data->get_ecc_state(baseaddr)) {
+- edac_printk(KERN_INFO, EDAC_MC, "ECC not enabled\n");
+- return -ENXIO;
+- }
+
+ layers[0].type = EDAC_MC_LAYER_CHIP_SELECT;
+ layers[0].size = SYNPS_EDAC_NR_CSROWS;
+@@ -1415,6 +1404,12 @@ static int mc_probe(struct platform_device *pdev)
+ priv = mci->pvt_info;
+ priv->baseaddr = baseaddr;
+ priv->p_data = p_data;
++ if (!get_ecc_state(priv)) {
++ edac_printk(KERN_INFO, EDAC_MC, "ECC not enabled\n");
++ rc = -ENODEV;
++ goto free_edac_mc;
++ }
++
+ spin_lock_init(&priv->reglock);
+
+ mc_init(mci, pdev);
+--
+2.39.5
+
--- /dev/null
+From 72d7dcb9febf176d25f14a241ae1956d331e5648 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jul 2025 11:47:30 +0200
+Subject: et131x: Add missing check after DMA map
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit d61f6cb6f6ef3c70d2ccc0d9c85c508cb8017da9 ]
+
+The DMA map functions can fail and should be tested for errors.
+If the mapping fails, unmap and return an error.
+
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Acked-by: Mark Einon <mark.einon@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250716094733.28734-2-fourier.thomas@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/agere/et131x.c | 36 +++++++++++++++++++++++++++++
+ 1 file changed, 36 insertions(+)
+
+diff --git a/drivers/net/ethernet/agere/et131x.c b/drivers/net/ethernet/agere/et131x.c
+index 3d9220f9c9fe..294dbe2c3797 100644
+--- a/drivers/net/ethernet/agere/et131x.c
++++ b/drivers/net/ethernet/agere/et131x.c
+@@ -2459,6 +2459,10 @@ static int nic_send_packet(struct et131x_adapter *adapter, struct tcb *tcb)
+ skb->data,
+ skb_headlen(skb),
+ DMA_TO_DEVICE);
++ if (dma_mapping_error(&adapter->pdev->dev,
++ dma_addr))
++ return -ENOMEM;
++
+ desc[frag].addr_lo = lower_32_bits(dma_addr);
+ desc[frag].addr_hi = upper_32_bits(dma_addr);
+ frag++;
+@@ -2468,6 +2472,10 @@ static int nic_send_packet(struct et131x_adapter *adapter, struct tcb *tcb)
+ skb->data,
+ skb_headlen(skb) / 2,
+ DMA_TO_DEVICE);
++ if (dma_mapping_error(&adapter->pdev->dev,
++ dma_addr))
++ return -ENOMEM;
++
+ desc[frag].addr_lo = lower_32_bits(dma_addr);
+ desc[frag].addr_hi = upper_32_bits(dma_addr);
+ frag++;
+@@ -2478,6 +2486,10 @@ static int nic_send_packet(struct et131x_adapter *adapter, struct tcb *tcb)
+ skb_headlen(skb) / 2,
+ skb_headlen(skb) / 2,
+ DMA_TO_DEVICE);
++ if (dma_mapping_error(&adapter->pdev->dev,
++ dma_addr))
++ goto unmap_first_out;
++
+ desc[frag].addr_lo = lower_32_bits(dma_addr);
+ desc[frag].addr_hi = upper_32_bits(dma_addr);
+ frag++;
+@@ -2489,6 +2501,9 @@ static int nic_send_packet(struct et131x_adapter *adapter, struct tcb *tcb)
+ 0,
+ desc[frag].len_vlan,
+ DMA_TO_DEVICE);
++ if (dma_mapping_error(&adapter->pdev->dev, dma_addr))
++ goto unmap_out;
++
+ desc[frag].addr_lo = lower_32_bits(dma_addr);
+ desc[frag].addr_hi = upper_32_bits(dma_addr);
+ frag++;
+@@ -2578,6 +2593,27 @@ static int nic_send_packet(struct et131x_adapter *adapter, struct tcb *tcb)
+ &adapter->regs->global.watchdog_timer);
+ }
+ return 0;
++
++unmap_out:
++ // Unmap the body of the packet with map_page
++ while (--i) {
++ frag--;
++ dma_addr = desc[frag].addr_lo;
++ dma_addr |= (u64)desc[frag].addr_hi << 32;
++ dma_unmap_page(&adapter->pdev->dev, dma_addr,
++ desc[frag].len_vlan, DMA_TO_DEVICE);
++ }
++
++unmap_first_out:
++ // Unmap the header with map_single
++ while (frag--) {
++ dma_addr = desc[frag].addr_lo;
++ dma_addr |= (u64)desc[frag].addr_hi << 32;
++ dma_unmap_single(&adapter->pdev->dev, dma_addr,
++ desc[frag].len_vlan, DMA_TO_DEVICE);
++ }
++
++ return -ENOMEM;
+ }
+
+ static int send_packet(struct sk_buff *skb, struct et131x_adapter *adapter)
+--
+2.39.5
+
--- /dev/null
+From a4c572b611acc1dd78e75e82b49ab32133226788 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Mar 2025 17:00:49 +0800
+Subject: exfat: add cluster chain loop check for dir
+
+From: Yuezhang Mo <Yuezhang.Mo@sony.com>
+
+[ Upstream commit 99f9a97dce39ad413c39b92c90393bbd6778f3fd ]
+
+An infinite loop may occur if the following conditions occur due to
+file system corruption.
+
+(1) Condition for exfat_count_dir_entries() to loop infinitely.
+ - The cluster chain includes a loop.
+ - There is no UNUSED entry in the cluster chain.
+
+(2) Condition for exfat_create_upcase_table() to loop infinitely.
+ - The cluster chain of the root directory includes a loop.
+ - There are no UNUSED entry and up-case table entry in the cluster
+ chain of the root directory.
+
+(3) Condition for exfat_load_bitmap() to loop infinitely.
+ - The cluster chain of the root directory includes a loop.
+ - There are no UNUSED entry and bitmap entry in the cluster chain
+ of the root directory.
+
+(4) Condition for exfat_find_dir_entry() to loop infinitely.
+ - The cluster chain includes a loop.
+ - The unused directory entries were exhausted by some operation.
+
+(5) Condition for exfat_check_dir_empty() to loop infinitely.
+ - The cluster chain includes a loop.
+ - The unused directory entries were exhausted by some operation.
+ - All files and sub-directories under the directory are deleted.
+
+This commit adds checks to break the above infinite loop.
+
+Signed-off-by: Yuezhang Mo <Yuezhang.Mo@sony.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/exfat/dir.c | 12 ++++++++++++
+ fs/exfat/fatent.c | 10 ++++++++++
+ fs/exfat/namei.c | 5 +++++
+ fs/exfat/super.c | 32 +++++++++++++++++++++-----------
+ 4 files changed, 48 insertions(+), 11 deletions(-)
+
+diff --git a/fs/exfat/dir.c b/fs/exfat/dir.c
+index f4f81e349cef..6139a57fde70 100644
+--- a/fs/exfat/dir.c
++++ b/fs/exfat/dir.c
+@@ -994,6 +994,7 @@ int exfat_find_dir_entry(struct super_block *sb, struct exfat_inode_info *ei,
+ struct exfat_hint_femp candi_empty;
+ struct exfat_sb_info *sbi = EXFAT_SB(sb);
+ int num_entries = exfat_calc_num_entries(p_uniname);
++ unsigned int clu_count = 0;
+
+ if (num_entries < 0)
+ return num_entries;
+@@ -1131,6 +1132,10 @@ int exfat_find_dir_entry(struct super_block *sb, struct exfat_inode_info *ei,
+ } else {
+ if (exfat_get_next_cluster(sb, &clu.dir))
+ return -EIO;
++
++ /* break if the cluster chain includes a loop */
++ if (unlikely(++clu_count > EXFAT_DATA_CLUSTER_COUNT(sbi)))
++ goto not_found;
+ }
+ }
+
+@@ -1214,6 +1219,7 @@ int exfat_count_dir_entries(struct super_block *sb, struct exfat_chain *p_dir)
+ int i, count = 0;
+ int dentries_per_clu;
+ unsigned int entry_type;
++ unsigned int clu_count = 0;
+ struct exfat_chain clu;
+ struct exfat_dentry *ep;
+ struct exfat_sb_info *sbi = EXFAT_SB(sb);
+@@ -1246,6 +1252,12 @@ int exfat_count_dir_entries(struct super_block *sb, struct exfat_chain *p_dir)
+ } else {
+ if (exfat_get_next_cluster(sb, &(clu.dir)))
+ return -EIO;
++
++ if (unlikely(++clu_count > sbi->used_clusters)) {
++ exfat_fs_error(sb, "FAT or bitmap is corrupted");
++ return -EIO;
++ }
++
+ }
+ }
+
+diff --git a/fs/exfat/fatent.c b/fs/exfat/fatent.c
+index 24e1e05f9f34..407880901ee3 100644
+--- a/fs/exfat/fatent.c
++++ b/fs/exfat/fatent.c
+@@ -461,5 +461,15 @@ int exfat_count_num_clusters(struct super_block *sb,
+ }
+
+ *ret_count = count;
++
++ /*
++ * since exfat_count_used_clusters() is not called, sbi->used_clusters
++ * cannot be used here.
++ */
++ if (unlikely(i == sbi->num_clusters && clu != EXFAT_EOF_CLUSTER)) {
++ exfat_fs_error(sb, "The cluster chain has a loop");
++ return -EIO;
++ }
++
+ return 0;
+ }
+diff --git a/fs/exfat/namei.c b/fs/exfat/namei.c
+index f340e96b499f..4657f893dea7 100644
+--- a/fs/exfat/namei.c
++++ b/fs/exfat/namei.c
+@@ -893,6 +893,7 @@ static int exfat_check_dir_empty(struct super_block *sb,
+ {
+ int i, dentries_per_clu;
+ unsigned int type;
++ unsigned int clu_count = 0;
+ struct exfat_chain clu;
+ struct exfat_dentry *ep;
+ struct exfat_sb_info *sbi = EXFAT_SB(sb);
+@@ -929,6 +930,10 @@ static int exfat_check_dir_empty(struct super_block *sb,
+ } else {
+ if (exfat_get_next_cluster(sb, &(clu.dir)))
+ return -EIO;
++
++ /* break if the cluster chain includes a loop */
++ if (unlikely(++clu_count > EXFAT_DATA_CLUSTER_COUNT(sbi)))
++ break;
+ }
+ }
+
+diff --git a/fs/exfat/super.c b/fs/exfat/super.c
+index 2778bd9b631e..5affc11d1461 100644
+--- a/fs/exfat/super.c
++++ b/fs/exfat/super.c
+@@ -327,13 +327,12 @@ static void exfat_hash_init(struct super_block *sb)
+ INIT_HLIST_HEAD(&sbi->inode_hashtable[i]);
+ }
+
+-static int exfat_read_root(struct inode *inode)
++static int exfat_read_root(struct inode *inode, struct exfat_chain *root_clu)
+ {
+ struct super_block *sb = inode->i_sb;
+ struct exfat_sb_info *sbi = EXFAT_SB(sb);
+ struct exfat_inode_info *ei = EXFAT_I(inode);
+- struct exfat_chain cdir;
+- int num_subdirs, num_clu = 0;
++ int num_subdirs;
+
+ exfat_chain_set(&ei->dir, sbi->root_dir, 0, ALLOC_FAT_CHAIN);
+ ei->entry = -1;
+@@ -346,12 +345,9 @@ static int exfat_read_root(struct inode *inode)
+ ei->hint_stat.clu = sbi->root_dir;
+ ei->hint_femp.eidx = EXFAT_HINT_NONE;
+
+- exfat_chain_set(&cdir, sbi->root_dir, 0, ALLOC_FAT_CHAIN);
+- if (exfat_count_num_clusters(sb, &cdir, &num_clu))
+- return -EIO;
+- i_size_write(inode, num_clu << sbi->cluster_size_bits);
++ i_size_write(inode, EXFAT_CLU_TO_B(root_clu->size, sbi));
+
+- num_subdirs = exfat_count_dir_entries(sb, &cdir);
++ num_subdirs = exfat_count_dir_entries(sb, root_clu);
+ if (num_subdirs < 0)
+ return -EIO;
+ set_nlink(inode, num_subdirs + EXFAT_MIN_SUBDIR);
+@@ -567,7 +563,8 @@ static int exfat_verify_boot_region(struct super_block *sb)
+ }
+
+ /* mount the file system volume */
+-static int __exfat_fill_super(struct super_block *sb)
++static int __exfat_fill_super(struct super_block *sb,
++ struct exfat_chain *root_clu)
+ {
+ int ret;
+ struct exfat_sb_info *sbi = EXFAT_SB(sb);
+@@ -584,6 +581,18 @@ static int __exfat_fill_super(struct super_block *sb)
+ goto free_bh;
+ }
+
++ /*
++ * Call exfat_count_num_cluster() before searching for up-case and
++ * bitmap directory entries to avoid infinite loop if they are missing
++ * and the cluster chain includes a loop.
++ */
++ exfat_chain_set(root_clu, sbi->root_dir, 0, ALLOC_FAT_CHAIN);
++ ret = exfat_count_num_clusters(sb, root_clu, &root_clu->size);
++ if (ret) {
++ exfat_err(sb, "failed to count the number of clusters in root");
++ goto free_bh;
++ }
++
+ ret = exfat_create_upcase_table(sb);
+ if (ret) {
+ exfat_err(sb, "failed to load upcase table");
+@@ -618,6 +627,7 @@ static int exfat_fill_super(struct super_block *sb, struct fs_context *fc)
+ struct exfat_sb_info *sbi = sb->s_fs_info;
+ struct exfat_mount_options *opts = &sbi->options;
+ struct inode *root_inode;
++ struct exfat_chain root_clu;
+ int err;
+
+ if (opts->allow_utime == (unsigned short)-1)
+@@ -636,7 +646,7 @@ static int exfat_fill_super(struct super_block *sb, struct fs_context *fc)
+ sb->s_time_min = EXFAT_MIN_TIMESTAMP_SECS;
+ sb->s_time_max = EXFAT_MAX_TIMESTAMP_SECS;
+
+- err = __exfat_fill_super(sb);
++ err = __exfat_fill_super(sb, &root_clu);
+ if (err) {
+ exfat_err(sb, "failed to recognize exfat type");
+ goto check_nls_io;
+@@ -671,7 +681,7 @@ static int exfat_fill_super(struct super_block *sb, struct fs_context *fc)
+
+ root_inode->i_ino = EXFAT_ROOT_INO;
+ inode_set_iversion(root_inode, 1);
+- err = exfat_read_root(root_inode);
++ err = exfat_read_root(root_inode, &root_clu);
+ if (err) {
+ exfat_err(sb, "failed to initialize root inode");
+ goto put_inode;
+--
+2.39.5
+
--- /dev/null
+From 0551dacfb80cc66a4ff51ef51f44d7338c7fb05d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Jun 2025 11:18:38 -0400
+Subject: ext2: Handle fiemap on empty files to prevent EINVAL
+
+From: Wei Gao <wegao@suse.com>
+
+[ Upstream commit a099b09a3342a0b28ea330e405501b5b4d0424b4 ]
+
+Previously, ext2_fiemap would unconditionally apply "len = min_t(u64, len,
+i_size_read(inode));", When inode->i_size was 0 (for an empty file), this
+would reduce the requested len to 0. Passing len = 0 to iomap_fiemap could
+then result in an -EINVAL error, even for valid queries on empty files.
+
+Link: https://github.com/linux-test-project/ltp/issues/1246
+Signed-off-by: Wei Gao <wegao@suse.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Link: https://patch.msgid.link/20250613152402.3432135-1-wegao@suse.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext2/inode.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ext2/inode.c b/fs/ext2/inode.c
+index 314b415ee518..6ff1f8f29a3c 100644
+--- a/fs/ext2/inode.c
++++ b/fs/ext2/inode.c
+@@ -895,9 +895,19 @@ int ext2_fiemap(struct inode *inode, struct fiemap_extent_info *fieinfo,
+ u64 start, u64 len)
+ {
+ int ret;
++ loff_t i_size;
+
+ inode_lock(inode);
+- len = min_t(u64, len, i_size_read(inode));
++ i_size = i_size_read(inode);
++ /*
++ * iomap_fiemap() returns EINVAL for 0 length. Make sure we don't trim
++ * length to 0 but still trim the range as much as possible since
++ * ext2_get_blocks() iterates unmapped space block by block which is
++ * slow.
++ */
++ if (i_size == 0)
++ i_size = 1;
++ len = min_t(u64, len, i_size);
+ ret = iomap_fiemap(inode, fieinfo, start, len, &ext2_iomap_ops);
+ inode_unlock(inode);
+
+--
+2.39.5
+
--- /dev/null
+From bfebbdb1205c074a03035bd6dd96e4b32b28445b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 10:54:34 -0400
+Subject: ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+[ Upstream commit 099b847ccc6c1ad2f805d13cfbcc83f5b6d4bc42 ]
+
+A syzbot fuzzed image triggered a BUG_ON in ext4_update_inline_data()
+when an inode had the INLINE_DATA_FL flag set but was missing the
+system.data extended attribute.
+
+Since this can happen due to a maiciouly fuzzed file system, we
+shouldn't BUG, but rather, report it as a corrupted file system.
+
+Add similar replacements of BUG_ON with EXT4_ERROR_INODE() ii
+ext4_create_inline_data() and ext4_inline_data_truncate().
+
+Reported-by: syzbot+544248a761451c0df72f@syzkaller.appspotmail.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/inline.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
+index c85647a0ba09..5fa1dd58ac42 100644
+--- a/fs/ext4/inline.c
++++ b/fs/ext4/inline.c
+@@ -298,7 +298,11 @@ static int ext4_create_inline_data(handle_t *handle,
+ if (error)
+ goto out;
+
+- BUG_ON(!is.s.not_found);
++ if (!is.s.not_found) {
++ EXT4_ERROR_INODE(inode, "unexpected inline data xattr");
++ error = -EFSCORRUPTED;
++ goto out;
++ }
+
+ error = ext4_xattr_ibody_set(handle, inode, &i, &is);
+ if (error) {
+@@ -349,7 +353,11 @@ static int ext4_update_inline_data(handle_t *handle, struct inode *inode,
+ if (error)
+ goto out;
+
+- BUG_ON(is.s.not_found);
++ if (is.s.not_found) {
++ EXT4_ERROR_INODE(inode, "missing inline data xattr");
++ error = -EFSCORRUPTED;
++ goto out;
++ }
+
+ len -= EXT4_MIN_INLINE_DATA_SIZE;
+ value = kzalloc(len, GFP_NOFS);
+@@ -1966,7 +1974,12 @@ int ext4_inline_data_truncate(struct inode *inode, int *has_inline)
+ if ((err = ext4_xattr_ibody_find(inode, &i, &is)) != 0)
+ goto out_error;
+
+- BUG_ON(is.s.not_found);
++ if (is.s.not_found) {
++ EXT4_ERROR_INODE(inode,
++ "missing inline data xattr");
++ err = -EFSCORRUPTED;
++ goto out_error;
++ }
+
+ value_len = le32_to_cpu(is.s.here->e_value_size);
+ value = kmalloc(value_len, GFP_NOFS);
+--
+2.39.5
+
--- /dev/null
+From b802a56367d6fa7ebe9f0b745b0c6ddf468df213 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 16:06:09 +0000
+Subject: f2fs: check the generic conditions first
+
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+
+[ Upstream commit e23ab8028de0d92df5921a570f5212c0370db3b5 ]
+
+Let's return errors caught by the generic checks. This fixes generic/494 where
+it expects to see EBUSY by setattr_prepare instead of EINVAL by f2fs for active
+swapfile.
+
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/file.c | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
+index 8f0cb7c7eede..031015823acb 100644
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -991,6 +991,18 @@ int f2fs_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
+ if (unlikely(f2fs_cp_error(F2FS_I_SB(inode))))
+ return -EIO;
+
++ err = setattr_prepare(idmap, dentry, attr);
++ if (err)
++ return err;
++
++ err = fscrypt_prepare_setattr(dentry, attr);
++ if (err)
++ return err;
++
++ err = fsverity_prepare_setattr(dentry, attr);
++ if (err)
++ return err;
++
+ if (unlikely(IS_IMMUTABLE(inode)))
+ return -EPERM;
+
+@@ -1008,18 +1020,6 @@ int f2fs_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
+ return -EINVAL;
+ }
+
+- err = setattr_prepare(idmap, dentry, attr);
+- if (err)
+- return err;
+-
+- err = fscrypt_prepare_setattr(dentry, attr);
+- if (err)
+- return err;
+-
+- err = fsverity_prepare_setattr(dentry, attr);
+- if (err)
+- return err;
+-
+ if (is_quota_modification(idmap, inode, attr)) {
+ err = f2fs_dquot_initialize(inode);
+ if (err)
+--
+2.39.5
+
--- /dev/null
+From c81f61ef8b6c3f1737d37f87d6adf811779eb914 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 17:07:04 +0800
+Subject: fbdev: fix potential buffer overflow in do_register_framebuffer()
+
+From: Yongzhen Zhang <zhangyongzhen@kylinos.cn>
+
+[ Upstream commit 523b84dc7ccea9c4d79126d6ed1cf9033cf83b05 ]
+
+The current implementation may lead to buffer overflow when:
+1. Unregistration creates NULL gaps in registered_fb[]
+2. All array slots become occupied despite num_registered_fb < FB_MAX
+3. The registration loop exceeds array bounds
+
+Add boundary check to prevent registered_fb[FB_MAX] access.
+
+Signed-off-by: Yongzhen Zhang <zhangyongzhen@kylinos.cn>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/core/fbmem.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
+index 52bd3af54369..942b942f6bf9 100644
+--- a/drivers/video/fbdev/core/fbmem.c
++++ b/drivers/video/fbdev/core/fbmem.c
+@@ -943,6 +943,9 @@ static int do_register_framebuffer(struct fb_info *fb_info)
+ if (!registered_fb[i])
+ break;
+
++ if (i >= FB_MAX)
++ return -ENXIO;
++
+ if (!fb_info->modelist.prev || !fb_info->modelist.next)
+ INIT_LIST_HEAD(&fb_info->modelist);
+
+--
+2.39.5
+
--- /dev/null
+From 5128e45018621d066d603a43551ef95e8da893b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 May 2025 15:31:16 +0200
+Subject: firmware: tegra: Fix IVC dependency problems
+
+From: Thierry Reding <treding@nvidia.com>
+
+[ Upstream commit 78eb18020a88a4eed15f5af7700ed570642ff8f1 ]
+
+The IVC code is library code that other drivers need to select if they
+need that library. However, if the symbol is user-selectable this can
+lead to conflicts.
+
+Fix this by making the symbol only selectable for COMPILE_TEST and add
+a select TEGRA_IVC to TEGRA_BPMP, which is currently the only user.
+
+Link: https://lore.kernel.org/r/20250506133118.1011777-10-thierry.reding@gmail.com
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/tegra/Kconfig | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/firmware/tegra/Kconfig b/drivers/firmware/tegra/Kconfig
+index cde1ab8bd9d1..91f2320c0d0f 100644
+--- a/drivers/firmware/tegra/Kconfig
++++ b/drivers/firmware/tegra/Kconfig
+@@ -2,7 +2,7 @@
+ menu "Tegra firmware driver"
+
+ config TEGRA_IVC
+- bool "Tegra IVC protocol"
++ bool "Tegra IVC protocol" if COMPILE_TEST
+ depends on ARCH_TEGRA
+ help
+ IVC (Inter-VM Communication) protocol is part of the IPC
+@@ -13,8 +13,9 @@ config TEGRA_IVC
+
+ config TEGRA_BPMP
+ bool "Tegra BPMP driver"
+- depends on ARCH_TEGRA && TEGRA_HSP_MBOX && TEGRA_IVC
++ depends on ARCH_TEGRA && TEGRA_HSP_MBOX
+ depends on !CPU_BIG_ENDIAN
++ select TEGRA_IVC
+ help
+ BPMP (Boot and Power Management Processor) is designed to off-loading
+ the PM functions which include clock/DVFS/thermal/power from the CPU.
+--
+2.39.5
+
--- /dev/null
+From 94489e7ffbc3c5a60834832d4615e437820b72bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 May 2024 08:48:58 -0600
+Subject: fix locking in efi_secret_unlink()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit 2c58d42de71f9c73e40afacc9d062892d2cc8862 ]
+
+We used to need securityfs_remove() to undo simple_pin_fs() done when
+the file had been created and to drop the second extra reference
+taken at the same time. Now that neither is needed (or done by
+securityfs_remove()), we can simply call simple_unlink() and be done
+with that - the broken games with locking had been there only for the
+sake of securityfs_remove().
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/virt/coco/efi_secret/efi_secret.c | 10 +---------
+ 1 file changed, 1 insertion(+), 9 deletions(-)
+
+diff --git a/drivers/virt/coco/efi_secret/efi_secret.c b/drivers/virt/coco/efi_secret/efi_secret.c
+index e700a5ef7043..d996feb0509a 100644
+--- a/drivers/virt/coco/efi_secret/efi_secret.c
++++ b/drivers/virt/coco/efi_secret/efi_secret.c
+@@ -136,15 +136,7 @@ static int efi_secret_unlink(struct inode *dir, struct dentry *dentry)
+ if (s->fs_files[i] == dentry)
+ s->fs_files[i] = NULL;
+
+- /*
+- * securityfs_remove tries to lock the directory's inode, but we reach
+- * the unlink callback when it's already locked
+- */
+- inode_unlock(dir);
+- securityfs_remove(dentry);
+- inode_lock(dir);
+-
+- return 0;
++ return simple_unlink(inode, dentry);
+ }
+
+ static const struct inode_operations efi_secret_dir_inode_operations = {
+--
+2.39.5
+
--- /dev/null
+From f8e04efad80177e444b37020a9fac87b5c1c43ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Jun 2025 13:16:16 +0800
+Subject: fs/ntfs3: Add sanity check for file name
+
+From: Lizhi Xu <lizhi.xu@windriver.com>
+
+[ Upstream commit e841ecb139339602bc1853f5f09daa5d1ea920a2 ]
+
+The length of the file name should be smaller than the directory entry size.
+
+Reported-by: syzbot+598057afa0f49e62bd23@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=598057afa0f49e62bd23
+Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ntfs3/dir.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/ntfs3/dir.c b/fs/ntfs3/dir.c
+index e1b856ecce61..6b93c909bdc9 100644
+--- a/fs/ntfs3/dir.c
++++ b/fs/ntfs3/dir.c
+@@ -304,6 +304,9 @@ static inline bool ntfs_dir_emit(struct ntfs_sb_info *sbi,
+ if (sbi->options->nohidden && (fname->dup.fa & FILE_ATTRIBUTE_HIDDEN))
+ return true;
+
++ if (fname->name_len + sizeof(struct NTFS_DE) > le16_to_cpu(e->size))
++ return true;
++
+ name_len = ntfs_utf16_to_nls(sbi, fname->name, fname->name_len, name,
+ PATH_MAX);
+ if (name_len <= 0) {
+--
+2.39.5
+
--- /dev/null
+From a331781e45f7c7d2423e703b30a9c51a6fcddff8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 May 2025 15:35:34 +0800
+Subject: fs/ntfs3: correctly create symlink for relative path
+
+From: Rong Zhang <ulin0208@gmail.com>
+
+[ Upstream commit b1e9d89408f402858c00103f9831b25ffa0994d3 ]
+
+After applying this patch, could correctly create symlink:
+
+ln -s "relative/path/to/file" symlink
+
+Signed-off-by: Rong Zhang <ulin0208@gmail.com>
+[almaz.alexandrovich@paragon-software.com: added cpu_to_le32 macro to
+rs->Flags assignment]
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ntfs3/inode.c | 31 ++++++++++++++++++-------------
+ 1 file changed, 18 insertions(+), 13 deletions(-)
+
+diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c
+index af7c0cbba74e..0150a2210209 100644
+--- a/fs/ntfs3/inode.c
++++ b/fs/ntfs3/inode.c
+@@ -1130,10 +1130,10 @@ int inode_write_data(struct inode *inode, const void *data, size_t bytes)
+ * Number of bytes for REPARSE_DATA_BUFFER(IO_REPARSE_TAG_SYMLINK)
+ * for unicode string of @uni_len length.
+ */
+-static inline u32 ntfs_reparse_bytes(u32 uni_len)
++static inline u32 ntfs_reparse_bytes(u32 uni_len, bool is_absolute)
+ {
+ /* Header + unicode string + decorated unicode string. */
+- return sizeof(short) * (2 * uni_len + 4) +
++ return sizeof(short) * (2 * uni_len + (is_absolute ? 4 : 0)) +
+ offsetof(struct REPARSE_DATA_BUFFER,
+ SymbolicLinkReparseBuffer.PathBuffer);
+ }
+@@ -1146,8 +1146,11 @@ ntfs_create_reparse_buffer(struct ntfs_sb_info *sbi, const char *symname,
+ struct REPARSE_DATA_BUFFER *rp;
+ __le16 *rp_name;
+ typeof(rp->SymbolicLinkReparseBuffer) *rs;
++ bool is_absolute;
+
+- rp = kzalloc(ntfs_reparse_bytes(2 * size + 2), GFP_NOFS);
++ is_absolute = (strlen(symname) > 1 && symname[1] == ':');
++
++ rp = kzalloc(ntfs_reparse_bytes(2 * size + 2, is_absolute), GFP_NOFS);
+ if (!rp)
+ return ERR_PTR(-ENOMEM);
+
+@@ -1162,7 +1165,7 @@ ntfs_create_reparse_buffer(struct ntfs_sb_info *sbi, const char *symname,
+ goto out;
+
+ /* err = the length of unicode name of symlink. */
+- *nsize = ntfs_reparse_bytes(err);
++ *nsize = ntfs_reparse_bytes(err, is_absolute);
+
+ if (*nsize > sbi->reparse.max_size) {
+ err = -EFBIG;
+@@ -1182,7 +1185,7 @@ ntfs_create_reparse_buffer(struct ntfs_sb_info *sbi, const char *symname,
+
+ /* PrintName + SubstituteName. */
+ rs->SubstituteNameOffset = cpu_to_le16(sizeof(short) * err);
+- rs->SubstituteNameLength = cpu_to_le16(sizeof(short) * err + 8);
++ rs->SubstituteNameLength = cpu_to_le16(sizeof(short) * err + (is_absolute ? 8 : 0));
+ rs->PrintNameLength = rs->SubstituteNameOffset;
+
+ /*
+@@ -1190,16 +1193,18 @@ ntfs_create_reparse_buffer(struct ntfs_sb_info *sbi, const char *symname,
+ * parse this path.
+ * 0-absolute path 1- relative path (SYMLINK_FLAG_RELATIVE).
+ */
+- rs->Flags = 0;
++ rs->Flags = cpu_to_le32(is_absolute ? 0 : SYMLINK_FLAG_RELATIVE);
+
+- memmove(rp_name + err + 4, rp_name, sizeof(short) * err);
++ memmove(rp_name + err + (is_absolute ? 4 : 0), rp_name, sizeof(short) * err);
+
+- /* Decorate SubstituteName. */
+- rp_name += err;
+- rp_name[0] = cpu_to_le16('\\');
+- rp_name[1] = cpu_to_le16('?');
+- rp_name[2] = cpu_to_le16('?');
+- rp_name[3] = cpu_to_le16('\\');
++ if (is_absolute) {
++ /* Decorate SubstituteName. */
++ rp_name += err;
++ rp_name[0] = cpu_to_le16('\\');
++ rp_name[1] = cpu_to_le16('?');
++ rp_name[2] = cpu_to_le16('?');
++ rp_name[3] = cpu_to_le16('\\');
++ }
+
+ return rp;
+ out:
+--
+2.39.5
+
--- /dev/null
+From be8841e10335e5e00271d100bd9e9c02e9368aaa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Jun 2025 20:05:59 +0330
+Subject: fs/orangefs: use snprintf() instead of sprintf()
+
+From: Amir Mohammad Jahangirzad <a.jahangirzad@gmail.com>
+
+[ Upstream commit cdfa1304657d6f23be8fd2bb0516380a3c89034e ]
+
+sprintf() is discouraged for use with bounded destination buffers
+as it does not prevent buffer overflows when the formatted output
+exceeds the destination buffer size. snprintf() is a safer
+alternative as it limits the number of bytes written and ensures
+NUL-termination.
+
+Replace sprintf() with snprintf() for copying the debug string
+into a temporary buffer, using ORANGEFS_MAX_DEBUG_STRING_LEN as
+the maximum size to ensure safe formatting and prevent memory
+corruption in edge cases.
+
+EDIT: After this patch sat on linux-next for a few days, Dan
+Carpenter saw it and suggested that I use scnprintf instead of
+snprintf. I made the change and retested.
+
+Signed-off-by: Amir Mohammad Jahangirzad <a.jahangirzad@gmail.com>
+Signed-off-by: Mike Marshall <hubcap@omnibond.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/orangefs/orangefs-debugfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/orangefs/orangefs-debugfs.c b/fs/orangefs/orangefs-debugfs.c
+index b57140ebfad0..cd4bfd92ebd6 100644
+--- a/fs/orangefs/orangefs-debugfs.c
++++ b/fs/orangefs/orangefs-debugfs.c
+@@ -354,7 +354,7 @@ static ssize_t orangefs_debug_read(struct file *file,
+ goto out;
+
+ mutex_lock(&orangefs_debug_lock);
+- sprintf_ret = sprintf(buf, "%s", (char *)file->private_data);
++ sprintf_ret = scnprintf(buf, ORANGEFS_MAX_DEBUG_STRING_LEN, "%s", (char *)file->private_data);
+ mutex_unlock(&orangefs_debug_lock);
+
+ read_ret = simple_read_from_buffer(ubuf, count, ppos, buf, sprintf_ret);
+--
+2.39.5
+
--- /dev/null
+From 57e070bfd21bb71a160df01164c0d9ee0960aac5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Jul 2025 16:21:15 +0100
+Subject: gfs2: Set .migrate_folio in gfs2_{rgrp,meta}_aops
+
+From: Andrew Price <anprice@redhat.com>
+
+[ Upstream commit 5c8f12cf1e64e0e8e6cb80b0c935389973e8be8d ]
+
+Clears up the warning added in 7ee3647243e5 ("migrate: Remove call to
+->writepage") that occurs in various xfstests, causing "something found
+in dmesg" failures.
+
+[ 341.136573] gfs2_meta_aops does not implement migrate_folio
+[ 341.136953] WARNING: CPU: 1 PID: 36 at mm/migrate.c:944 move_to_new_folio+0x2f8/0x300
+
+Signed-off-by: Andrew Price <anprice@redhat.com>
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/gfs2/meta_io.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/gfs2/meta_io.c b/fs/gfs2/meta_io.c
+index 1f42eae112fb..b1a368fc089f 100644
+--- a/fs/gfs2/meta_io.c
++++ b/fs/gfs2/meta_io.c
+@@ -93,6 +93,7 @@ const struct address_space_operations gfs2_meta_aops = {
+ .invalidate_folio = block_invalidate_folio,
+ .writepage = gfs2_aspace_writepage,
+ .release_folio = gfs2_release_folio,
++ .migrate_folio = buffer_migrate_folio_norefs,
+ };
+
+ const struct address_space_operations gfs2_rgrp_aops = {
+@@ -100,6 +101,7 @@ const struct address_space_operations gfs2_rgrp_aops = {
+ .invalidate_folio = block_invalidate_folio,
+ .writepage = gfs2_aspace_writepage,
+ .release_folio = gfs2_release_folio,
++ .migrate_folio = buffer_migrate_folio_norefs,
+ };
+
+ /**
+--
+2.39.5
+
--- /dev/null
+From cb3cb48ed2f0a426795d36ca08c011ccc9a46c05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jul 2025 09:50:15 +0200
+Subject: gpio: tps65912: check the return value of regmap_update_bits()
+
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+
+[ Upstream commit a0b2a6bbff8c26aafdecd320f38f52c341d5cafa ]
+
+regmap_update_bits() can fail, check its return value like we do
+elsewhere in the driver.
+
+Link: https://lore.kernel.org/r/20250707-gpiochip-set-rv-gpio-round4-v1-2-35668aaaf6d2@linaro.org
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-tps65912.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpio/gpio-tps65912.c b/drivers/gpio/gpio-tps65912.c
+index fab771cb6a87..bac757c191c2 100644
+--- a/drivers/gpio/gpio-tps65912.c
++++ b/drivers/gpio/gpio-tps65912.c
+@@ -49,10 +49,13 @@ static int tps65912_gpio_direction_output(struct gpio_chip *gc,
+ unsigned offset, int value)
+ {
+ struct tps65912_gpio *gpio = gpiochip_get_data(gc);
++ int ret;
+
+ /* Set the initial value */
+- regmap_update_bits(gpio->tps->regmap, TPS65912_GPIO1 + offset,
+- GPIO_SET_MASK, value ? GPIO_SET_MASK : 0);
++ ret = regmap_update_bits(gpio->tps->regmap, TPS65912_GPIO1 + offset,
++ GPIO_SET_MASK, value ? GPIO_SET_MASK : 0);
++ if (ret)
++ return ret;
+
+ return regmap_update_bits(gpio->tps->regmap, TPS65912_GPIO1 + offset,
+ GPIO_CFG_MASK, GPIO_CFG_MASK);
+--
+2.39.5
+
--- /dev/null
+From 25e8962702199bf4b6ab77e14da9a16cb2835b95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jul 2025 08:41:39 +0200
+Subject: gpio: wcd934x: check the return value of regmap_update_bits()
+
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+
+[ Upstream commit ff0f0d7c6587e38c308be9905e36f86e98fb9c1f ]
+
+regmap_update_bits() can fail so check its return value in
+wcd_gpio_direction_output() for consistency with the rest of the code
+and propagate any errors.
+
+Link: https://lore.kernel.org/r/20250709-gpiochip-set-rv-gpio-remaining-v1-2-b8950f69618d@linaro.org
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-wcd934x.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpio/gpio-wcd934x.c b/drivers/gpio/gpio-wcd934x.c
+index 2bba27b13947..cfa7b0a50c8e 100644
+--- a/drivers/gpio/gpio-wcd934x.c
++++ b/drivers/gpio/gpio-wcd934x.c
+@@ -46,9 +46,12 @@ static int wcd_gpio_direction_output(struct gpio_chip *chip, unsigned int pin,
+ int val)
+ {
+ struct wcd_gpio_data *data = gpiochip_get_data(chip);
++ int ret;
+
+- regmap_update_bits(data->map, WCD_REG_DIR_CTL_OFFSET,
+- WCD_PIN_MASK(pin), WCD_PIN_MASK(pin));
++ ret = regmap_update_bits(data->map, WCD_REG_DIR_CTL_OFFSET,
++ WCD_PIN_MASK(pin), WCD_PIN_MASK(pin));
++ if (ret)
++ return ret;
+
+ return regmap_update_bits(data->map, WCD_REG_VAL_CTL_OFFSET,
+ WCD_PIN_MASK(pin),
+--
+2.39.5
+
--- /dev/null
+From d40d70baf64c35fb03aefa4a8b557243710c1f32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Jun 2025 22:45:01 -0700
+Subject: gve: Return error for unknown admin queue command
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit b11344f63fdd9e8c5121148a6965b41079071dd2 ]
+
+In gve_adminq_issue_cmd(), return -EINVAL instead of 0 when an unknown
+admin queue command opcode is encountered.
+
+This prevents the function from silently succeeding on invalid input
+and prevents undefined behavior by ensuring the function fails gracefully
+when an unrecognized opcode is provided.
+
+These changes improve error handling.
+
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Link: https://patch.msgid.link/20250616054504.1644770-2-alok.a.tiwari@oracle.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/google/gve/gve_adminq.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/google/gve/gve_adminq.c b/drivers/net/ethernet/google/gve/gve_adminq.c
+index 79db7a6d42bc..9c50febb4271 100644
+--- a/drivers/net/ethernet/google/gve/gve_adminq.c
++++ b/drivers/net/ethernet/google/gve/gve_adminq.c
+@@ -431,6 +431,7 @@ static int gve_adminq_issue_cmd(struct gve_priv *priv,
+ break;
+ default:
+ dev_err(&priv->pdev->dev, "unknown AQ command opcode %d\n", opcode);
++ return -EINVAL;
+ }
+
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From 16fd3fbf55cd1325c0c3e480e14b22dccb7a81a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 14:36:57 -0700
+Subject: hfs: fix general protection fault in hfs_find_init()
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit 736a0516a16268995f4898eded49bfef077af709 ]
+
+The hfs_find_init() method can trigger the crash
+if tree pointer is NULL:
+
+[ 45.746290][ T9787] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000008: 0000 [#1] SMP KAI
+[ 45.747287][ T9787] KASAN: null-ptr-deref in range [0x0000000000000040-0x0000000000000047]
+[ 45.748716][ T9787] CPU: 2 UID: 0 PID: 9787 Comm: repro Not tainted 6.16.0-rc3 #10 PREEMPT(full)
+[ 45.750250][ T9787] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 45.751983][ T9787] RIP: 0010:hfs_find_init+0x86/0x230
+[ 45.752834][ T9787] Code: c1 ea 03 80 3c 02 00 0f 85 9a 01 00 00 4c 8d 6b 40 48 c7 45 18 00 00 00 00 48 b8 00 00 00 00 00 fc
+[ 45.755574][ T9787] RSP: 0018:ffffc90015157668 EFLAGS: 00010202
+[ 45.756432][ T9787] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff819a4d09
+[ 45.757457][ T9787] RDX: 0000000000000008 RSI: ffffffff819acd3a RDI: ffffc900151576e8
+[ 45.758282][ T9787] RBP: ffffc900151576d0 R08: 0000000000000005 R09: 0000000000000000
+[ 45.758943][ T9787] R10: 0000000080000000 R11: 0000000000000001 R12: 0000000000000004
+[ 45.759619][ T9787] R13: 0000000000000040 R14: ffff88802c50814a R15: 0000000000000000
+[ 45.760293][ T9787] FS: 00007ffb72734540(0000) GS:ffff8880cec64000(0000) knlGS:0000000000000000
+[ 45.761050][ T9787] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 45.761606][ T9787] CR2: 00007f9bd8225000 CR3: 000000010979a000 CR4: 00000000000006f0
+[ 45.762286][ T9787] Call Trace:
+[ 45.762570][ T9787] <TASK>
+[ 45.762824][ T9787] hfs_ext_read_extent+0x190/0x9d0
+[ 45.763269][ T9787] ? submit_bio_noacct_nocheck+0x2dd/0xce0
+[ 45.763766][ T9787] ? __pfx_hfs_ext_read_extent+0x10/0x10
+[ 45.764250][ T9787] hfs_get_block+0x55f/0x830
+[ 45.764646][ T9787] block_read_full_folio+0x36d/0x850
+[ 45.765105][ T9787] ? __pfx_hfs_get_block+0x10/0x10
+[ 45.765541][ T9787] ? const_folio_flags+0x5b/0x100
+[ 45.765972][ T9787] ? __pfx_hfs_read_folio+0x10/0x10
+[ 45.766415][ T9787] filemap_read_folio+0xbe/0x290
+[ 45.766840][ T9787] ? __pfx_filemap_read_folio+0x10/0x10
+[ 45.767325][ T9787] ? __filemap_get_folio+0x32b/0xbf0
+[ 45.767780][ T9787] do_read_cache_folio+0x263/0x5c0
+[ 45.768223][ T9787] ? __pfx_hfs_read_folio+0x10/0x10
+[ 45.768666][ T9787] read_cache_page+0x5b/0x160
+[ 45.769070][ T9787] hfs_btree_open+0x491/0x1740
+[ 45.769481][ T9787] hfs_mdb_get+0x15e2/0x1fb0
+[ 45.769877][ T9787] ? __pfx_hfs_mdb_get+0x10/0x10
+[ 45.770316][ T9787] ? find_held_lock+0x2b/0x80
+[ 45.770731][ T9787] ? lockdep_init_map_type+0x5c/0x280
+[ 45.771200][ T9787] ? lockdep_init_map_type+0x5c/0x280
+[ 45.771674][ T9787] hfs_fill_super+0x38e/0x720
+[ 45.772092][ T9787] ? __pfx_hfs_fill_super+0x10/0x10
+[ 45.772549][ T9787] ? snprintf+0xbe/0x100
+[ 45.772931][ T9787] ? __pfx_snprintf+0x10/0x10
+[ 45.773350][ T9787] ? do_raw_spin_lock+0x129/0x2b0
+[ 45.773796][ T9787] ? find_held_lock+0x2b/0x80
+[ 45.774215][ T9787] ? set_blocksize+0x40a/0x510
+[ 45.774636][ T9787] ? sb_set_blocksize+0x176/0x1d0
+[ 45.775087][ T9787] ? setup_bdev_super+0x369/0x730
+[ 45.775533][ T9787] get_tree_bdev_flags+0x384/0x620
+[ 45.775985][ T9787] ? __pfx_hfs_fill_super+0x10/0x10
+[ 45.776453][ T9787] ? __pfx_get_tree_bdev_flags+0x10/0x10
+[ 45.776950][ T9787] ? bpf_lsm_capable+0x9/0x10
+[ 45.777365][ T9787] ? security_capable+0x80/0x260
+[ 45.777803][ T9787] vfs_get_tree+0x8e/0x340
+[ 45.778203][ T9787] path_mount+0x13de/0x2010
+[ 45.778604][ T9787] ? kmem_cache_free+0x2b0/0x4c0
+[ 45.779052][ T9787] ? __pfx_path_mount+0x10/0x10
+[ 45.779480][ T9787] ? getname_flags.part.0+0x1c5/0x550
+[ 45.779954][ T9787] ? putname+0x154/0x1a0
+[ 45.780335][ T9787] __x64_sys_mount+0x27b/0x300
+[ 45.780758][ T9787] ? __pfx___x64_sys_mount+0x10/0x10
+[ 45.781232][ T9787] do_syscall_64+0xc9/0x480
+[ 45.781631][ T9787] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 45.782149][ T9787] RIP: 0033:0x7ffb7265b6ca
+[ 45.782539][ T9787] Code: 48 8b 0d c9 17 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48
+[ 45.784212][ T9787] RSP: 002b:00007ffc0c10cfb8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
+[ 45.784935][ T9787] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ffb7265b6ca
+[ 45.785626][ T9787] RDX: 0000200000000240 RSI: 0000200000000280 RDI: 00007ffc0c10d100
+[ 45.786316][ T9787] RBP: 00007ffc0c10d190 R08: 00007ffc0c10d000 R09: 0000000000000000
+[ 45.787011][ T9787] R10: 0000000000000048 R11: 0000000000000206 R12: 0000560246733250
+[ 45.787697][ T9787] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+[ 45.788393][ T9787] </TASK>
+[ 45.788665][ T9787] Modules linked in:
+[ 45.789058][ T9787] ---[ end trace 0000000000000000 ]---
+[ 45.789554][ T9787] RIP: 0010:hfs_find_init+0x86/0x230
+[ 45.790028][ T9787] Code: c1 ea 03 80 3c 02 00 0f 85 9a 01 00 00 4c 8d 6b 40 48 c7 45 18 00 00 00 00 48 b8 00 00 00 00 00 fc
+[ 45.792364][ T9787] RSP: 0018:ffffc90015157668 EFLAGS: 00010202
+[ 45.793155][ T9787] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff819a4d09
+[ 45.794123][ T9787] RDX: 0000000000000008 RSI: ffffffff819acd3a RDI: ffffc900151576e8
+[ 45.795105][ T9787] RBP: ffffc900151576d0 R08: 0000000000000005 R09: 0000000000000000
+[ 45.796135][ T9787] R10: 0000000080000000 R11: 0000000000000001 R12: 0000000000000004
+[ 45.797114][ T9787] R13: 0000000000000040 R14: ffff88802c50814a R15: 0000000000000000
+[ 45.798024][ T9787] FS: 00007ffb72734540(0000) GS:ffff8880cec64000(0000) knlGS:0000000000000000
+[ 45.799019][ T9787] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 45.799822][ T9787] CR2: 00007f9bd8225000 CR3: 000000010979a000 CR4: 00000000000006f0
+[ 45.800747][ T9787] Kernel panic - not syncing: Fatal exception
+
+The hfs_fill_super() calls hfs_mdb_get() method that tries
+to construct Extents Tree and Catalog Tree:
+
+HFS_SB(sb)->ext_tree = hfs_btree_open(sb, HFS_EXT_CNID, hfs_ext_keycmp);
+if (!HFS_SB(sb)->ext_tree) {
+ pr_err("unable to open extent tree\n");
+ goto out;
+}
+HFS_SB(sb)->cat_tree = hfs_btree_open(sb, HFS_CAT_CNID, hfs_cat_keycmp);
+if (!HFS_SB(sb)->cat_tree) {
+ pr_err("unable to open catalog tree\n");
+ goto out;
+}
+
+However, hfs_btree_open() calls read_mapping_page() that
+calls hfs_get_block(). And this method calls hfs_ext_read_extent():
+
+static int hfs_ext_read_extent(struct inode *inode, u16 block)
+{
+ struct hfs_find_data fd;
+ int res;
+
+ if (block >= HFS_I(inode)->cached_start &&
+ block < HFS_I(inode)->cached_start + HFS_I(inode)->cached_blocks)
+ return 0;
+
+ res = hfs_find_init(HFS_SB(inode->i_sb)->ext_tree, &fd);
+ if (!res) {
+ res = __hfs_ext_cache_extent(&fd, inode, block);
+ hfs_find_exit(&fd);
+ }
+ return res;
+}
+
+The problem here that hfs_find_init() is trying to use
+HFS_SB(inode->i_sb)->ext_tree that is not initialized yet.
+It will be initailized when hfs_btree_open() finishes
+the execution.
+
+The patch adds checking of tree pointer in hfs_find_init()
+and it reworks the logic of hfs_btree_open() by reading
+the b-tree's header directly from the volume. The read_mapping_page()
+is exchanged on filemap_grab_folio() that grab the folio from
+mapping. Then, sb_bread() extracts the b-tree's header
+content and copy it into the folio.
+
+Reported-by: Wenzhi Wang <wenzhi.wang@uwaterloo.ca>
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+cc: Yangtao Li <frank.li@vivo.com>
+cc: linux-fsdevel@vger.kernel.org
+Link: https://lore.kernel.org/r/20250710213657.108285-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/bfind.c | 3 +++
+ fs/hfs/btree.c | 57 +++++++++++++++++++++++++++++++++++++++----------
+ fs/hfs/extent.c | 2 +-
+ fs/hfs/hfs_fs.h | 1 +
+ 4 files changed, 51 insertions(+), 12 deletions(-)
+
+diff --git a/fs/hfs/bfind.c b/fs/hfs/bfind.c
+index ef9498a6e88a..34e9804e0f36 100644
+--- a/fs/hfs/bfind.c
++++ b/fs/hfs/bfind.c
+@@ -16,6 +16,9 @@ int hfs_find_init(struct hfs_btree *tree, struct hfs_find_data *fd)
+ {
+ void *ptr;
+
++ if (!tree || !fd)
++ return -EINVAL;
++
+ fd->tree = tree;
+ fd->bnode = NULL;
+ ptr = kmalloc(tree->max_key_len * 2 + 4, GFP_KERNEL);
+diff --git a/fs/hfs/btree.c b/fs/hfs/btree.c
+index 2fa4b1f8cc7f..e86e1e235658 100644
+--- a/fs/hfs/btree.c
++++ b/fs/hfs/btree.c
+@@ -21,8 +21,12 @@ struct hfs_btree *hfs_btree_open(struct super_block *sb, u32 id, btree_keycmp ke
+ struct hfs_btree *tree;
+ struct hfs_btree_header_rec *head;
+ struct address_space *mapping;
+- struct page *page;
++ struct folio *folio;
++ struct buffer_head *bh;
+ unsigned int size;
++ u16 dblock;
++ sector_t start_block;
++ loff_t offset;
+
+ tree = kzalloc(sizeof(*tree), GFP_KERNEL);
+ if (!tree)
+@@ -75,12 +79,40 @@ struct hfs_btree *hfs_btree_open(struct super_block *sb, u32 id, btree_keycmp ke
+ unlock_new_inode(tree->inode);
+
+ mapping = tree->inode->i_mapping;
+- page = read_mapping_page(mapping, 0, NULL);
+- if (IS_ERR(page))
++ folio = filemap_grab_folio(mapping, 0);
++ if (IS_ERR(folio))
+ goto free_inode;
+
++ folio_zero_range(folio, 0, folio_size(folio));
++
++ dblock = hfs_ext_find_block(HFS_I(tree->inode)->first_extents, 0);
++ start_block = HFS_SB(sb)->fs_start + (dblock * HFS_SB(sb)->fs_div);
++
++ size = folio_size(folio);
++ offset = 0;
++ while (size > 0) {
++ size_t len;
++
++ bh = sb_bread(sb, start_block);
++ if (!bh) {
++ pr_err("unable to read tree header\n");
++ goto put_folio;
++ }
++
++ len = min_t(size_t, folio_size(folio), sb->s_blocksize);
++ memcpy_to_folio(folio, offset, bh->b_data, sb->s_blocksize);
++
++ brelse(bh);
++
++ start_block++;
++ offset += len;
++ size -= len;
++ }
++
++ folio_mark_uptodate(folio);
++
+ /* Load the header */
+- head = (struct hfs_btree_header_rec *)(kmap_local_page(page) +
++ head = (struct hfs_btree_header_rec *)(kmap_local_folio(folio, 0) +
+ sizeof(struct hfs_bnode_desc));
+ tree->root = be32_to_cpu(head->root);
+ tree->leaf_count = be32_to_cpu(head->leaf_count);
+@@ -95,22 +127,22 @@ struct hfs_btree *hfs_btree_open(struct super_block *sb, u32 id, btree_keycmp ke
+
+ size = tree->node_size;
+ if (!is_power_of_2(size))
+- goto fail_page;
++ goto fail_folio;
+ if (!tree->node_count)
+- goto fail_page;
++ goto fail_folio;
+ switch (id) {
+ case HFS_EXT_CNID:
+ if (tree->max_key_len != HFS_MAX_EXT_KEYLEN) {
+ pr_err("invalid extent max_key_len %d\n",
+ tree->max_key_len);
+- goto fail_page;
++ goto fail_folio;
+ }
+ break;
+ case HFS_CAT_CNID:
+ if (tree->max_key_len != HFS_MAX_CAT_KEYLEN) {
+ pr_err("invalid catalog max_key_len %d\n",
+ tree->max_key_len);
+- goto fail_page;
++ goto fail_folio;
+ }
+ break;
+ default:
+@@ -121,12 +153,15 @@ struct hfs_btree *hfs_btree_open(struct super_block *sb, u32 id, btree_keycmp ke
+ tree->pages_per_bnode = (tree->node_size + PAGE_SIZE - 1) >> PAGE_SHIFT;
+
+ kunmap_local(head);
+- put_page(page);
++ folio_unlock(folio);
++ folio_put(folio);
+ return tree;
+
+-fail_page:
++fail_folio:
+ kunmap_local(head);
+- put_page(page);
++put_folio:
++ folio_unlock(folio);
++ folio_put(folio);
+ free_inode:
+ tree->inode->i_mapping->a_ops = &hfs_aops;
+ iput(tree->inode);
+diff --git a/fs/hfs/extent.c b/fs/hfs/extent.c
+index 6d1878b99b30..941c92525815 100644
+--- a/fs/hfs/extent.c
++++ b/fs/hfs/extent.c
+@@ -71,7 +71,7 @@ int hfs_ext_keycmp(const btree_key *key1, const btree_key *key2)
+ *
+ * Find a block within an extent record
+ */
+-static u16 hfs_ext_find_block(struct hfs_extent *ext, u16 off)
++u16 hfs_ext_find_block(struct hfs_extent *ext, u16 off)
+ {
+ int i;
+ u16 count;
+diff --git a/fs/hfs/hfs_fs.h b/fs/hfs/hfs_fs.h
+index 49d02524e667..f1402d71b092 100644
+--- a/fs/hfs/hfs_fs.h
++++ b/fs/hfs/hfs_fs.h
+@@ -190,6 +190,7 @@ extern const struct inode_operations hfs_dir_inode_operations;
+
+ /* extent.c */
+ extern int hfs_ext_keycmp(const btree_key *, const btree_key *);
++extern u16 hfs_ext_find_block(struct hfs_extent *ext, u16 off);
+ extern int hfs_free_fork(struct super_block *, struct hfs_cat_file *, int);
+ extern int hfs_ext_write_extent(struct inode *);
+ extern int hfs_extend_file(struct inode *);
+--
+2.39.5
+
--- /dev/null
+From 64b75a780b5d872c335b60dd4d8876baa3d30e4f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Apr 2025 17:12:11 -0700
+Subject: hfs: fix not erasing deleted b-tree node issue
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit d3ed6d6981f4756f145766753c872482bc3b28d3 ]
+
+The generic/001 test of xfstests suite fails and corrupts
+the HFS volume:
+
+sudo ./check generic/001
+FSTYP -- hfs
+PLATFORM -- Linux/x86_64 hfsplus-testing-0001 6.15.0-rc2+ #3 SMP PREEMPT_DYNAMIC Fri Apr 25 17:13:00 PDT 2>
+MKFS_OPTIONS -- /dev/loop51
+MOUNT_OPTIONS -- /dev/loop51 /mnt/scratch
+
+generic/001 32s ... _check_generic_filesystem: filesystem on /dev/loop50 is inconsistent
+(see /home/slavad/XFSTESTS-2/xfstests-dev/results//generic/001.full for details)
+
+Ran: generic/001
+Failures: generic/001
+Failed 1 of 1 tests
+
+fsck.hfs -d -n ./test-image.bin
+** ./test-image.bin (NO WRITE)
+ Using cacheBlockSize=32K cacheTotalBlock=1024 cacheSize=32768K.
+ Executing fsck_hfs (version 540.1-Linux).
+** Checking HFS volume.
+ The volume name is untitled
+** Checking extents overflow file.
+** Checking catalog file.
+ Unused node is not erased (node = 2)
+ Unused node is not erased (node = 4)
+<skipped>
+ Unused node is not erased (node = 253)
+ Unused node is not erased (node = 254)
+ Unused node is not erased (node = 255)
+ Unused node is not erased (node = 256)
+** Checking catalog hierarchy.
+** Checking volume bitmap.
+** Checking volume information.
+ Verify Status: VIStat = 0x0000, ABTStat = 0x0000 EBTStat = 0x0000
+ CBTStat = 0x0004 CatStat = 0x00000000
+** The volume untitled was found corrupt and needs to be repaired.
+ volume type is HFS
+ primary MDB is at block 2 0x02
+ alternate MDB is at block 20971518 0x13ffffe
+ primary VHB is at block 0 0x00
+ alternate VHB is at block 0 0x00
+ sector size = 512 0x200
+ VolumeObject flags = 0x19
+ total sectors for volume = 20971520 0x1400000
+ total sectors for embedded volume = 0 0x00
+
+This patch adds logic of clearing the deleted b-tree node.
+
+sudo ./check generic/001
+FSTYP -- hfs
+PLATFORM -- Linux/x86_64 hfsplus-testing-0001 6.15.0-rc2+ #3 SMP PREEMPT_DYNAMIC Fri Apr 25 17:13:00 PDT 2025
+MKFS_OPTIONS -- /dev/loop51
+MOUNT_OPTIONS -- /dev/loop51 /mnt/scratch
+
+generic/001 9s ... 32s
+Ran: generic/001
+Passed all 1 tests
+
+fsck.hfs -d -n ./test-image.bin
+** ./test-image.bin (NO WRITE)
+ Using cacheBlockSize=32K cacheTotalBlock=1024 cacheSize=32768K.
+ Executing fsck_hfs (version 540.1-Linux).
+** Checking HFS volume.
+ The volume name is untitled
+** Checking extents overflow file.
+** Checking catalog file.
+** Checking catalog hierarchy.
+** Checking volume bitmap.
+** Checking volume information.
+** The volume untitled appears to be OK.
+
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Link: https://lore.kernel.org/r/20250430001211.1912533-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/bnode.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/hfs/bnode.c b/fs/hfs/bnode.c
+index 1dac5d9c055f..e8cd1a31f247 100644
+--- a/fs/hfs/bnode.c
++++ b/fs/hfs/bnode.c
+@@ -574,6 +574,7 @@ void hfs_bnode_put(struct hfs_bnode *node)
+ if (test_bit(HFS_BNODE_DELETED, &node->flags)) {
+ hfs_bnode_unhash(node);
+ spin_unlock(&tree->hash_lock);
++ hfs_bnode_clear(node, 0, tree->node_size);
+ hfs_bmap_free(node);
+ hfs_bnode_free(node);
+ return;
+--
+2.39.5
+
--- /dev/null
+From 29a8e76663dda6788a8299d507af418f342ca096 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 14:49:12 -0700
+Subject: hfs: fix slab-out-of-bounds in hfs_bnode_read()
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit a431930c9bac518bf99d6b1da526a7f37ddee8d8 ]
+
+This patch introduces is_bnode_offset_valid() method that checks
+the requested offset value. Also, it introduces
+check_and_correct_requested_length() method that checks and
+correct the requested length (if it is necessary). These methods
+are used in hfs_bnode_read(), hfs_bnode_write(), hfs_bnode_clear(),
+hfs_bnode_copy(), and hfs_bnode_move() with the goal to prevent
+the access out of allocated memory and triggering the crash.
+
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Link: https://lore.kernel.org/r/20250703214912.244138-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfs/bnode.c | 92 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 92 insertions(+)
+
+diff --git a/fs/hfs/bnode.c b/fs/hfs/bnode.c
+index cb823a8a6ba9..1dac5d9c055f 100644
+--- a/fs/hfs/bnode.c
++++ b/fs/hfs/bnode.c
+@@ -15,6 +15,48 @@
+
+ #include "btree.h"
+
++static inline
++bool is_bnode_offset_valid(struct hfs_bnode *node, int off)
++{
++ bool is_valid = off < node->tree->node_size;
++
++ if (!is_valid) {
++ pr_err("requested invalid offset: "
++ "NODE: id %u, type %#x, height %u, "
++ "node_size %u, offset %d\n",
++ node->this, node->type, node->height,
++ node->tree->node_size, off);
++ }
++
++ return is_valid;
++}
++
++static inline
++int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len)
++{
++ unsigned int node_size;
++
++ if (!is_bnode_offset_valid(node, off))
++ return 0;
++
++ node_size = node->tree->node_size;
++
++ if ((off + len) > node_size) {
++ int new_len = (int)node_size - off;
++
++ pr_err("requested length has been corrected: "
++ "NODE: id %u, type %#x, height %u, "
++ "node_size %u, offset %d, "
++ "requested_len %d, corrected_len %d\n",
++ node->this, node->type, node->height,
++ node->tree->node_size, off, len, new_len);
++
++ return new_len;
++ }
++
++ return len;
++}
++
+ void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len)
+ {
+ struct page *page;
+@@ -22,6 +64,20 @@ void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len)
+ int bytes_read;
+ int bytes_to_read;
+
++ if (!is_bnode_offset_valid(node, off))
++ return;
++
++ if (len == 0) {
++ pr_err("requested zero length: "
++ "NODE: id %u, type %#x, height %u, "
++ "node_size %u, offset %d, len %d\n",
++ node->this, node->type, node->height,
++ node->tree->node_size, off, len);
++ return;
++ }
++
++ len = check_and_correct_requested_length(node, off, len);
++
+ off += node->page_offset;
+ pagenum = off >> PAGE_SHIFT;
+ off &= ~PAGE_MASK; /* compute page offset for the first page */
+@@ -80,6 +136,20 @@ void hfs_bnode_write(struct hfs_bnode *node, void *buf, int off, int len)
+ {
+ struct page *page;
+
++ if (!is_bnode_offset_valid(node, off))
++ return;
++
++ if (len == 0) {
++ pr_err("requested zero length: "
++ "NODE: id %u, type %#x, height %u, "
++ "node_size %u, offset %d, len %d\n",
++ node->this, node->type, node->height,
++ node->tree->node_size, off, len);
++ return;
++ }
++
++ len = check_and_correct_requested_length(node, off, len);
++
+ off += node->page_offset;
+ page = node->page[0];
+
+@@ -104,6 +174,20 @@ void hfs_bnode_clear(struct hfs_bnode *node, int off, int len)
+ {
+ struct page *page;
+
++ if (!is_bnode_offset_valid(node, off))
++ return;
++
++ if (len == 0) {
++ pr_err("requested zero length: "
++ "NODE: id %u, type %#x, height %u, "
++ "node_size %u, offset %d, len %d\n",
++ node->this, node->type, node->height,
++ node->tree->node_size, off, len);
++ return;
++ }
++
++ len = check_and_correct_requested_length(node, off, len);
++
+ off += node->page_offset;
+ page = node->page[0];
+
+@@ -119,6 +203,10 @@ void hfs_bnode_copy(struct hfs_bnode *dst_node, int dst,
+ hfs_dbg(BNODE_MOD, "copybytes: %u,%u,%u\n", dst, src, len);
+ if (!len)
+ return;
++
++ len = check_and_correct_requested_length(src_node, src, len);
++ len = check_and_correct_requested_length(dst_node, dst, len);
++
+ src += src_node->page_offset;
+ dst += dst_node->page_offset;
+ src_page = src_node->page[0];
+@@ -136,6 +224,10 @@ void hfs_bnode_move(struct hfs_bnode *node, int dst, int src, int len)
+ hfs_dbg(BNODE_MOD, "movebytes: %u,%u,%u\n", dst, src, len);
+ if (!len)
+ return;
++
++ len = check_and_correct_requested_length(node, src, len);
++ len = check_and_correct_requested_length(node, dst, len);
++
+ src += node->page_offset;
+ dst += node->page_offset;
+ page = node->page[0];
+--
+2.39.5
+
--- /dev/null
+From 94343c06d13aeaea40cf168525070bdc1d2e7fed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jul 2025 14:17:56 +0900
+Subject: hfsplus: don't use BUG_ON() in hfsplus_create_attributes_file()
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+[ Upstream commit c7c6363ca186747ebc2df10c8a1a51e66e0e32d9 ]
+
+When the volume header contains erroneous values that do not reflect
+the actual state of the filesystem, hfsplus_fill_super() assumes that
+the attributes file is not yet created, which later results in hitting
+BUG_ON() when hfsplus_create_attributes_file() is called. Replace this
+BUG_ON() with -EIO error with a message to suggest running fsck tool.
+
+Reported-by: syzbot <syzbot+1107451c16b9eb9d29e6@syzkaller.appspotmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=1107451c16b9eb9d29e6
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Link: https://lore.kernel.org/r/7b587d24-c8a1-4413-9b9a-00a33fbd849f@I-love.SAKURA.ne.jp
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/xattr.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/fs/hfsplus/xattr.c b/fs/hfsplus/xattr.c
+index f7f9d0889df3..d5fd8e068486 100644
+--- a/fs/hfsplus/xattr.c
++++ b/fs/hfsplus/xattr.c
+@@ -172,7 +172,11 @@ static int hfsplus_create_attributes_file(struct super_block *sb)
+ return PTR_ERR(attr_file);
+ }
+
+- BUG_ON(i_size_read(attr_file) != 0);
++ if (i_size_read(attr_file) != 0) {
++ err = -EIO;
++ pr_err("detected inconsistent attributes file, running fsck.hfsplus is recommended.\n");
++ goto end_attr_file_creation;
++ }
+
+ hip = HFSPLUS_I(attr_file);
+
+--
+2.39.5
+
--- /dev/null
+From ae02c56a4bbb03baa3661ea214b13356de551bd4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 14:48:04 -0700
+Subject: hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read()
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit c80aa2aaaa5e69d5219c6af8ef7e754114bd08d2 ]
+
+The hfsplus_bnode_read() method can trigger the issue:
+
+[ 174.852007][ T9784] ==================================================================
+[ 174.852709][ T9784] BUG: KASAN: slab-out-of-bounds in hfsplus_bnode_read+0x2f4/0x360
+[ 174.853412][ T9784] Read of size 8 at addr ffff88810b5fc6c0 by task repro/9784
+[ 174.854059][ T9784]
+[ 174.854272][ T9784] CPU: 1 UID: 0 PID: 9784 Comm: repro Not tainted 6.16.0-rc3 #7 PREEMPT(full)
+[ 174.854281][ T9784] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 174.854286][ T9784] Call Trace:
+[ 174.854289][ T9784] <TASK>
+[ 174.854292][ T9784] dump_stack_lvl+0x10e/0x1f0
+[ 174.854305][ T9784] print_report+0xd0/0x660
+[ 174.854315][ T9784] ? __virt_addr_valid+0x81/0x610
+[ 174.854323][ T9784] ? __phys_addr+0xe8/0x180
+[ 174.854330][ T9784] ? hfsplus_bnode_read+0x2f4/0x360
+[ 174.854337][ T9784] kasan_report+0xc6/0x100
+[ 174.854346][ T9784] ? hfsplus_bnode_read+0x2f4/0x360
+[ 174.854354][ T9784] hfsplus_bnode_read+0x2f4/0x360
+[ 174.854362][ T9784] hfsplus_bnode_dump+0x2ec/0x380
+[ 174.854370][ T9784] ? __pfx_hfsplus_bnode_dump+0x10/0x10
+[ 174.854377][ T9784] ? hfsplus_bnode_write_u16+0x83/0xb0
+[ 174.854385][ T9784] ? srcu_gp_start+0xd0/0x310
+[ 174.854393][ T9784] ? __mark_inode_dirty+0x29e/0xe40
+[ 174.854402][ T9784] hfsplus_brec_remove+0x3d2/0x4e0
+[ 174.854411][ T9784] __hfsplus_delete_attr+0x290/0x3a0
+[ 174.854419][ T9784] ? __pfx_hfs_find_1st_rec_by_cnid+0x10/0x10
+[ 174.854427][ T9784] ? __pfx___hfsplus_delete_attr+0x10/0x10
+[ 174.854436][ T9784] ? __asan_memset+0x23/0x50
+[ 174.854450][ T9784] hfsplus_delete_all_attrs+0x262/0x320
+[ 174.854459][ T9784] ? __pfx_hfsplus_delete_all_attrs+0x10/0x10
+[ 174.854469][ T9784] ? rcu_is_watching+0x12/0xc0
+[ 174.854476][ T9784] ? __mark_inode_dirty+0x29e/0xe40
+[ 174.854483][ T9784] hfsplus_delete_cat+0x845/0xde0
+[ 174.854493][ T9784] ? __pfx_hfsplus_delete_cat+0x10/0x10
+[ 174.854507][ T9784] hfsplus_unlink+0x1ca/0x7c0
+[ 174.854516][ T9784] ? __pfx_hfsplus_unlink+0x10/0x10
+[ 174.854525][ T9784] ? down_write+0x148/0x200
+[ 174.854532][ T9784] ? __pfx_down_write+0x10/0x10
+[ 174.854540][ T9784] vfs_unlink+0x2fe/0x9b0
+[ 174.854549][ T9784] do_unlinkat+0x490/0x670
+[ 174.854557][ T9784] ? __pfx_do_unlinkat+0x10/0x10
+[ 174.854565][ T9784] ? __might_fault+0xbc/0x130
+[ 174.854576][ T9784] ? getname_flags.part.0+0x1c5/0x550
+[ 174.854584][ T9784] __x64_sys_unlink+0xc5/0x110
+[ 174.854592][ T9784] do_syscall_64+0xc9/0x480
+[ 174.854600][ T9784] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 174.854608][ T9784] RIP: 0033:0x7f6fdf4c3167
+[ 174.854614][ T9784] Code: f0 ff ff 73 01 c3 48 8b 0d 26 0d 0e 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 08
+[ 174.854622][ T9784] RSP: 002b:00007ffcb948bca8 EFLAGS: 00000206 ORIG_RAX: 0000000000000057
+[ 174.854630][ T9784] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f6fdf4c3167
+[ 174.854636][ T9784] RDX: 00007ffcb948bcc0 RSI: 00007ffcb948bcc0 RDI: 00007ffcb948bd50
+[ 174.854641][ T9784] RBP: 00007ffcb948cd90 R08: 0000000000000001 R09: 00007ffcb948bb40
+[ 174.854645][ T9784] R10: 00007f6fdf564fc0 R11: 0000000000000206 R12: 0000561e1bc9c2d0
+[ 174.854650][ T9784] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+[ 174.854658][ T9784] </TASK>
+[ 174.854661][ T9784]
+[ 174.879281][ T9784] Allocated by task 9784:
+[ 174.879664][ T9784] kasan_save_stack+0x20/0x40
+[ 174.880082][ T9784] kasan_save_track+0x14/0x30
+[ 174.880500][ T9784] __kasan_kmalloc+0xaa/0xb0
+[ 174.880908][ T9784] __kmalloc_noprof+0x205/0x550
+[ 174.881337][ T9784] __hfs_bnode_create+0x107/0x890
+[ 174.881779][ T9784] hfsplus_bnode_find+0x2d0/0xd10
+[ 174.882222][ T9784] hfsplus_brec_find+0x2b0/0x520
+[ 174.882659][ T9784] hfsplus_delete_all_attrs+0x23b/0x320
+[ 174.883144][ T9784] hfsplus_delete_cat+0x845/0xde0
+[ 174.883595][ T9784] hfsplus_rmdir+0x106/0x1b0
+[ 174.884004][ T9784] vfs_rmdir+0x206/0x690
+[ 174.884379][ T9784] do_rmdir+0x2b7/0x390
+[ 174.884751][ T9784] __x64_sys_rmdir+0xc5/0x110
+[ 174.885167][ T9784] do_syscall_64+0xc9/0x480
+[ 174.885568][ T9784] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 174.886083][ T9784]
+[ 174.886293][ T9784] The buggy address belongs to the object at ffff88810b5fc600
+[ 174.886293][ T9784] which belongs to the cache kmalloc-192 of size 192
+[ 174.887507][ T9784] The buggy address is located 40 bytes to the right of
+[ 174.887507][ T9784] allocated 152-byte region [ffff88810b5fc600, ffff88810b5fc698)
+[ 174.888766][ T9784]
+[ 174.888976][ T9784] The buggy address belongs to the physical page:
+[ 174.889533][ T9784] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10b5fc
+[ 174.890295][ T9784] flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff)
+[ 174.890927][ T9784] page_type: f5(slab)
+[ 174.891284][ T9784] raw: 057ff00000000000 ffff88801b4423c0 ffffea000426dc80 dead000000000002
+[ 174.892032][ T9784] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
+[ 174.892774][ T9784] page dumped because: kasan: bad access detected
+[ 174.893327][ T9784] page_owner tracks the page as allocated
+[ 174.893825][ T9784] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52c00(GFP_NOIO|__GFP_NOWARN|__GFP_NO1
+[ 174.895373][ T9784] post_alloc_hook+0x1c0/0x230
+[ 174.895801][ T9784] get_page_from_freelist+0xdeb/0x3b30
+[ 174.896284][ T9784] __alloc_frozen_pages_noprof+0x25c/0x2460
+[ 174.896810][ T9784] alloc_pages_mpol+0x1fb/0x550
+[ 174.897242][ T9784] new_slab+0x23b/0x340
+[ 174.897614][ T9784] ___slab_alloc+0xd81/0x1960
+[ 174.898028][ T9784] __slab_alloc.isra.0+0x56/0xb0
+[ 174.898468][ T9784] __kmalloc_noprof+0x2b0/0x550
+[ 174.898896][ T9784] usb_alloc_urb+0x73/0xa0
+[ 174.899289][ T9784] usb_control_msg+0x1cb/0x4a0
+[ 174.899718][ T9784] usb_get_string+0xab/0x1a0
+[ 174.900133][ T9784] usb_string_sub+0x107/0x3c0
+[ 174.900549][ T9784] usb_string+0x307/0x670
+[ 174.900933][ T9784] usb_cache_string+0x80/0x150
+[ 174.901355][ T9784] usb_new_device+0x1d0/0x19d0
+[ 174.901786][ T9784] register_root_hub+0x299/0x730
+[ 174.902231][ T9784] page last free pid 10 tgid 10 stack trace:
+[ 174.902757][ T9784] __free_frozen_pages+0x80c/0x1250
+[ 174.903217][ T9784] vfree.part.0+0x12b/0xab0
+[ 174.903645][ T9784] delayed_vfree_work+0x93/0xd0
+[ 174.904073][ T9784] process_one_work+0x9b5/0x1b80
+[ 174.904519][ T9784] worker_thread+0x630/0xe60
+[ 174.904927][ T9784] kthread+0x3a8/0x770
+[ 174.905291][ T9784] ret_from_fork+0x517/0x6e0
+[ 174.905709][ T9784] ret_from_fork_asm+0x1a/0x30
+[ 174.906128][ T9784]
+[ 174.906338][ T9784] Memory state around the buggy address:
+[ 174.906828][ T9784] ffff88810b5fc580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+[ 174.907528][ T9784] ffff88810b5fc600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 174.908222][ T9784] >ffff88810b5fc680: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 174.908917][ T9784] ^
+[ 174.909481][ T9784] ffff88810b5fc700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[ 174.910432][ T9784] ffff88810b5fc780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+[ 174.911401][ T9784] ==================================================================
+
+The reason of the issue that code doesn't check the correctness
+of the requested offset and length. As a result, incorrect value
+of offset or/and length could result in access out of allocated
+memory.
+
+This patch introduces is_bnode_offset_valid() method that checks
+the requested offset value. Also, it introduces
+check_and_correct_requested_length() method that checks and
+correct the requested length (if it is necessary). These methods
+are used in hfsplus_bnode_read(), hfsplus_bnode_write(),
+hfsplus_bnode_clear(), hfsplus_bnode_copy(), and hfsplus_bnode_move()
+with the goal to prevent the access out of allocated memory
+and triggering the crash.
+
+Reported-by: Kun Hu <huk23@m.fudan.edu.cn>
+Reported-by: Jiaji Qin <jjtan24@m.fudan.edu.cn>
+Reported-by: Shuoran Bai <baishuoran@hrbeu.edu.cn>
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Link: https://lore.kernel.org/r/20250703214804.244077-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/bnode.c | 92 ++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 92 insertions(+)
+
+diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c
+index 079ea80534f7..14f4995588ff 100644
+--- a/fs/hfsplus/bnode.c
++++ b/fs/hfsplus/bnode.c
+@@ -18,12 +18,68 @@
+ #include "hfsplus_fs.h"
+ #include "hfsplus_raw.h"
+
++static inline
++bool is_bnode_offset_valid(struct hfs_bnode *node, int off)
++{
++ bool is_valid = off < node->tree->node_size;
++
++ if (!is_valid) {
++ pr_err("requested invalid offset: "
++ "NODE: id %u, type %#x, height %u, "
++ "node_size %u, offset %d\n",
++ node->this, node->type, node->height,
++ node->tree->node_size, off);
++ }
++
++ return is_valid;
++}
++
++static inline
++int check_and_correct_requested_length(struct hfs_bnode *node, int off, int len)
++{
++ unsigned int node_size;
++
++ if (!is_bnode_offset_valid(node, off))
++ return 0;
++
++ node_size = node->tree->node_size;
++
++ if ((off + len) > node_size) {
++ int new_len = (int)node_size - off;
++
++ pr_err("requested length has been corrected: "
++ "NODE: id %u, type %#x, height %u, "
++ "node_size %u, offset %d, "
++ "requested_len %d, corrected_len %d\n",
++ node->this, node->type, node->height,
++ node->tree->node_size, off, len, new_len);
++
++ return new_len;
++ }
++
++ return len;
++}
++
+ /* Copy a specified range of bytes from the raw data of a node */
+ void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len)
+ {
+ struct page **pagep;
+ int l;
+
++ if (!is_bnode_offset_valid(node, off))
++ return;
++
++ if (len == 0) {
++ pr_err("requested zero length: "
++ "NODE: id %u, type %#x, height %u, "
++ "node_size %u, offset %d, len %d\n",
++ node->this, node->type, node->height,
++ node->tree->node_size, off, len);
++ return;
++ }
++
++ len = check_and_correct_requested_length(node, off, len);
++
+ off += node->page_offset;
+ pagep = node->page + (off >> PAGE_SHIFT);
+ off &= ~PAGE_MASK;
+@@ -81,6 +137,20 @@ void hfs_bnode_write(struct hfs_bnode *node, void *buf, int off, int len)
+ struct page **pagep;
+ int l;
+
++ if (!is_bnode_offset_valid(node, off))
++ return;
++
++ if (len == 0) {
++ pr_err("requested zero length: "
++ "NODE: id %u, type %#x, height %u, "
++ "node_size %u, offset %d, len %d\n",
++ node->this, node->type, node->height,
++ node->tree->node_size, off, len);
++ return;
++ }
++
++ len = check_and_correct_requested_length(node, off, len);
++
+ off += node->page_offset;
+ pagep = node->page + (off >> PAGE_SHIFT);
+ off &= ~PAGE_MASK;
+@@ -109,6 +179,20 @@ void hfs_bnode_clear(struct hfs_bnode *node, int off, int len)
+ struct page **pagep;
+ int l;
+
++ if (!is_bnode_offset_valid(node, off))
++ return;
++
++ if (len == 0) {
++ pr_err("requested zero length: "
++ "NODE: id %u, type %#x, height %u, "
++ "node_size %u, offset %d, len %d\n",
++ node->this, node->type, node->height,
++ node->tree->node_size, off, len);
++ return;
++ }
++
++ len = check_and_correct_requested_length(node, off, len);
++
+ off += node->page_offset;
+ pagep = node->page + (off >> PAGE_SHIFT);
+ off &= ~PAGE_MASK;
+@@ -133,6 +217,10 @@ void hfs_bnode_copy(struct hfs_bnode *dst_node, int dst,
+ hfs_dbg(BNODE_MOD, "copybytes: %u,%u,%u\n", dst, src, len);
+ if (!len)
+ return;
++
++ len = check_and_correct_requested_length(src_node, src, len);
++ len = check_and_correct_requested_length(dst_node, dst, len);
++
+ src += src_node->page_offset;
+ dst += dst_node->page_offset;
+ src_page = src_node->page + (src >> PAGE_SHIFT);
+@@ -187,6 +275,10 @@ void hfs_bnode_move(struct hfs_bnode *node, int dst, int src, int len)
+ hfs_dbg(BNODE_MOD, "movebytes: %u,%u,%u\n", dst, src, len);
+ if (!len)
+ return;
++
++ len = check_and_correct_requested_length(node, src, len);
++ len = check_and_correct_requested_length(node, dst, len);
++
+ src += node->page_offset;
+ dst += node->page_offset;
+ if (dst > src) {
+--
+2.39.5
+
--- /dev/null
+From 00cdc2b72cab729a85a0ddd75b66ad71cb168938 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 16:08:30 -0700
+Subject: hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()
+
+From: Viacheslav Dubeyko <slava@dubeyko.com>
+
+[ Upstream commit 94458781aee6045bd3d0ad4b80b02886b9e2219b ]
+
+The hfsplus_readdir() method is capable to crash by calling
+hfsplus_uni2asc():
+
+[ 667.121659][ T9805] ==================================================================
+[ 667.122651][ T9805] BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x902/0xa10
+[ 667.123627][ T9805] Read of size 2 at addr ffff88802592f40c by task repro/9805
+[ 667.124578][ T9805]
+[ 667.124876][ T9805] CPU: 3 UID: 0 PID: 9805 Comm: repro Not tainted 6.16.0-rc3 #1 PREEMPT(full)
+[ 667.124886][ T9805] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 667.124890][ T9805] Call Trace:
+[ 667.124893][ T9805] <TASK>
+[ 667.124896][ T9805] dump_stack_lvl+0x10e/0x1f0
+[ 667.124911][ T9805] print_report+0xd0/0x660
+[ 667.124920][ T9805] ? __virt_addr_valid+0x81/0x610
+[ 667.124928][ T9805] ? __phys_addr+0xe8/0x180
+[ 667.124934][ T9805] ? hfsplus_uni2asc+0x902/0xa10
+[ 667.124942][ T9805] kasan_report+0xc6/0x100
+[ 667.124950][ T9805] ? hfsplus_uni2asc+0x902/0xa10
+[ 667.124959][ T9805] hfsplus_uni2asc+0x902/0xa10
+[ 667.124966][ T9805] ? hfsplus_bnode_read+0x14b/0x360
+[ 667.124974][ T9805] hfsplus_readdir+0x845/0xfc0
+[ 667.124984][ T9805] ? __pfx_hfsplus_readdir+0x10/0x10
+[ 667.124994][ T9805] ? stack_trace_save+0x8e/0xc0
+[ 667.125008][ T9805] ? iterate_dir+0x18b/0xb20
+[ 667.125015][ T9805] ? trace_lock_acquire+0x85/0xd0
+[ 667.125022][ T9805] ? lock_acquire+0x30/0x80
+[ 667.125029][ T9805] ? iterate_dir+0x18b/0xb20
+[ 667.125037][ T9805] ? down_read_killable+0x1ed/0x4c0
+[ 667.125044][ T9805] ? putname+0x154/0x1a0
+[ 667.125051][ T9805] ? __pfx_down_read_killable+0x10/0x10
+[ 667.125058][ T9805] ? apparmor_file_permission+0x239/0x3e0
+[ 667.125069][ T9805] iterate_dir+0x296/0xb20
+[ 667.125076][ T9805] __x64_sys_getdents64+0x13c/0x2c0
+[ 667.125084][ T9805] ? __pfx___x64_sys_getdents64+0x10/0x10
+[ 667.125091][ T9805] ? __x64_sys_openat+0x141/0x200
+[ 667.125126][ T9805] ? __pfx_filldir64+0x10/0x10
+[ 667.125134][ T9805] ? do_user_addr_fault+0x7fe/0x12f0
+[ 667.125143][ T9805] do_syscall_64+0xc9/0x480
+[ 667.125151][ T9805] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 667.125158][ T9805] RIP: 0033:0x7fa8753b2fc9
+[ 667.125164][ T9805] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 48
+[ 667.125172][ T9805] RSP: 002b:00007ffe96f8e0f8 EFLAGS: 00000217 ORIG_RAX: 00000000000000d9
+[ 667.125181][ T9805] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa8753b2fc9
+[ 667.125185][ T9805] RDX: 0000000000000400 RSI: 00002000000063c0 RDI: 0000000000000004
+[ 667.125190][ T9805] RBP: 00007ffe96f8e110 R08: 00007ffe96f8e110 R09: 00007ffe96f8e110
+[ 667.125195][ T9805] R10: 0000000000000000 R11: 0000000000000217 R12: 0000556b1e3b4260
+[ 667.125199][ T9805] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+[ 667.125207][ T9805] </TASK>
+[ 667.125210][ T9805]
+[ 667.145632][ T9805] Allocated by task 9805:
+[ 667.145991][ T9805] kasan_save_stack+0x20/0x40
+[ 667.146352][ T9805] kasan_save_track+0x14/0x30
+[ 667.146717][ T9805] __kasan_kmalloc+0xaa/0xb0
+[ 667.147065][ T9805] __kmalloc_noprof+0x205/0x550
+[ 667.147448][ T9805] hfsplus_find_init+0x95/0x1f0
+[ 667.147813][ T9805] hfsplus_readdir+0x220/0xfc0
+[ 667.148174][ T9805] iterate_dir+0x296/0xb20
+[ 667.148549][ T9805] __x64_sys_getdents64+0x13c/0x2c0
+[ 667.148937][ T9805] do_syscall_64+0xc9/0x480
+[ 667.149291][ T9805] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 667.149809][ T9805]
+[ 667.150030][ T9805] The buggy address belongs to the object at ffff88802592f000
+[ 667.150030][ T9805] which belongs to the cache kmalloc-2k of size 2048
+[ 667.151282][ T9805] The buggy address is located 0 bytes to the right of
+[ 667.151282][ T9805] allocated 1036-byte region [ffff88802592f000, ffff88802592f40c)
+[ 667.152580][ T9805]
+[ 667.152798][ T9805] The buggy address belongs to the physical page:
+[ 667.153373][ T9805] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x25928
+[ 667.154157][ T9805] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
+[ 667.154916][ T9805] anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
+[ 667.155631][ T9805] page_type: f5(slab)
+[ 667.155997][ T9805] raw: 00fff00000000040 ffff88801b442f00 0000000000000000 dead000000000001
+[ 667.156770][ T9805] raw: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000
+[ 667.157536][ T9805] head: 00fff00000000040 ffff88801b442f00 0000000000000000 dead000000000001
+[ 667.158317][ T9805] head: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000
+[ 667.159088][ T9805] head: 00fff00000000003 ffffea0000964a01 00000000ffffffff 00000000ffffffff
+[ 667.159865][ T9805] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
+[ 667.160643][ T9805] page dumped because: kasan: bad access detected
+[ 667.161216][ T9805] page_owner tracks the page as allocated
+[ 667.161732][ T9805] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN9
+[ 667.163566][ T9805] post_alloc_hook+0x1c0/0x230
+[ 667.164003][ T9805] get_page_from_freelist+0xdeb/0x3b30
+[ 667.164503][ T9805] __alloc_frozen_pages_noprof+0x25c/0x2460
+[ 667.165040][ T9805] alloc_pages_mpol+0x1fb/0x550
+[ 667.165489][ T9805] new_slab+0x23b/0x340
+[ 667.165872][ T9805] ___slab_alloc+0xd81/0x1960
+[ 667.166313][ T9805] __slab_alloc.isra.0+0x56/0xb0
+[ 667.166767][ T9805] __kmalloc_cache_noprof+0x255/0x3e0
+[ 667.167255][ T9805] psi_cgroup_alloc+0x52/0x2d0
+[ 667.167693][ T9805] cgroup_mkdir+0x694/0x1210
+[ 667.168118][ T9805] kernfs_iop_mkdir+0x111/0x190
+[ 667.168568][ T9805] vfs_mkdir+0x59b/0x8d0
+[ 667.168956][ T9805] do_mkdirat+0x2ed/0x3d0
+[ 667.169353][ T9805] __x64_sys_mkdir+0xef/0x140
+[ 667.169784][ T9805] do_syscall_64+0xc9/0x480
+[ 667.170195][ T9805] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 667.170730][ T9805] page last free pid 1257 tgid 1257 stack trace:
+[ 667.171304][ T9805] __free_frozen_pages+0x80c/0x1250
+[ 667.171770][ T9805] vfree.part.0+0x12b/0xab0
+[ 667.172182][ T9805] delayed_vfree_work+0x93/0xd0
+[ 667.172612][ T9805] process_one_work+0x9b5/0x1b80
+[ 667.173067][ T9805] worker_thread+0x630/0xe60
+[ 667.173486][ T9805] kthread+0x3a8/0x770
+[ 667.173857][ T9805] ret_from_fork+0x517/0x6e0
+[ 667.174278][ T9805] ret_from_fork_asm+0x1a/0x30
+[ 667.174703][ T9805]
+[ 667.174917][ T9805] Memory state around the buggy address:
+[ 667.175411][ T9805] ffff88802592f300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 667.176114][ T9805] ffff88802592f380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[ 667.176830][ T9805] >ffff88802592f400: 00 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 667.177547][ T9805] ^
+[ 667.177933][ T9805] ffff88802592f480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 667.178640][ T9805] ffff88802592f500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[ 667.179350][ T9805] ==================================================================
+
+The hfsplus_uni2asc() method operates by struct hfsplus_unistr:
+
+struct hfsplus_unistr {
+ __be16 length;
+ hfsplus_unichr unicode[HFSPLUS_MAX_STRLEN];
+} __packed;
+
+where HFSPLUS_MAX_STRLEN is 255 bytes. The issue happens if length
+of the structure instance has value bigger than 255 (for example,
+65283). In such case, pointer on unicode buffer is going beyond of
+the allocated memory.
+
+The patch fixes the issue by checking the length value of
+hfsplus_unistr instance and using 255 value in the case if length
+value is bigger than HFSPLUS_MAX_STRLEN. Potential reason of such
+situation could be a corruption of Catalog File b-tree's node.
+
+Reported-by: Wenzhi Wang <wenzhi.wang@uwaterloo.ca>
+Signed-off-by: Liu Shixin <liushixin2@huawei.com>
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+cc: Yangtao Li <frank.li@vivo.com>
+cc: linux-fsdevel@vger.kernel.org
+Reviewed-by: Yangtao Li <frank.li@vivo.com>
+Link: https://lore.kernel.org/r/20250710230830.110500-1-slava@dubeyko.com
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/hfsplus/unicode.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/fs/hfsplus/unicode.c b/fs/hfsplus/unicode.c
+index 73342c925a4b..36b6cf2a3abb 100644
+--- a/fs/hfsplus/unicode.c
++++ b/fs/hfsplus/unicode.c
+@@ -132,7 +132,14 @@ int hfsplus_uni2asc(struct super_block *sb,
+
+ op = astr;
+ ip = ustr->unicode;
++
+ ustrlen = be16_to_cpu(ustr->length);
++ if (ustrlen > HFSPLUS_MAX_STRLEN) {
++ ustrlen = HFSPLUS_MAX_STRLEN;
++ pr_err("invalid length %u has been corrected to %d\n",
++ be16_to_cpu(ustr->length), ustrlen);
++ }
++
+ len = *len_p;
+ ce1 = NULL;
+ compose = !test_bit(HFSPLUS_SB_NODECOMPOSE, &HFSPLUS_SB(sb)->flags);
+--
+2.39.5
+
--- /dev/null
+From e15e4943dd37a09a44f895185c415d39d8bd1c71 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Jun 2025 14:31:25 +0300
+Subject: hwmon: (emc2305) Set initial PWM minimum value during probe based on
+ thermal state
+
+From: Florin Leotescu <florin.leotescu@nxp.com>
+
+[ Upstream commit 0429415a084a15466e87d504e8c2a502488184a5 ]
+
+Prevent the PWM value from being set to minimum when thermal zone
+temperature exceeds any trip point during driver probe. Otherwise, the
+PWM fan speed will remains at minimum speed and not respond to
+temperature changes.
+
+Signed-off-by: Florin Leotescu <florin.leotescu@nxp.com>
+Link: https://lore.kernel.org/r/20250603113125.3175103-5-florin.leotescu@oss.nxp.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/emc2305.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwmon/emc2305.c b/drivers/hwmon/emc2305.c
+index 29f0e4945f19..840acd5260f4 100644
+--- a/drivers/hwmon/emc2305.c
++++ b/drivers/hwmon/emc2305.c
+@@ -303,6 +303,12 @@ static int emc2305_set_single_tz(struct device *dev, int idx)
+ dev_err(dev, "Failed to register cooling device %s\n", emc2305_fan_name[idx]);
+ return PTR_ERR(data->cdev_data[cdev_idx].cdev);
+ }
++
++ if (data->cdev_data[cdev_idx].cur_state > 0)
++ /* Update pwm when temperature is above trips */
++ pwm = EMC2305_PWM_STATE2DUTY(data->cdev_data[cdev_idx].cur_state,
++ data->max_state, EMC2305_FAN_MAX);
++
+ /* Set minimal PWM speed. */
+ if (data->pwm_separate) {
+ ret = emc2305_set_pwm(dev, pwm, cdev_idx);
+@@ -316,10 +322,10 @@ static int emc2305_set_single_tz(struct device *dev, int idx)
+ }
+ }
+ data->cdev_data[cdev_idx].cur_state =
+- EMC2305_PWM_DUTY2STATE(data->pwm_min[cdev_idx], data->max_state,
++ EMC2305_PWM_DUTY2STATE(pwm, data->max_state,
+ EMC2305_FAN_MAX);
+ data->cdev_data[cdev_idx].last_hwmon_state =
+- EMC2305_PWM_DUTY2STATE(data->pwm_min[cdev_idx], data->max_state,
++ EMC2305_PWM_DUTY2STATE(pwm, data->max_state,
+ EMC2305_FAN_MAX);
+ return 0;
+ }
+--
+2.39.5
+
--- /dev/null
+From d3a5abc23b951180adf01b96a01c117f68f79e3e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 3 Aug 2025 07:15:54 +0800
+Subject: i2c: Force DLL0945 touchpad i2c freq to 100khz
+
+From: fangzhong.zhou <myth5@myth5.com>
+
+[ Upstream commit 0b7c9528facdb5a73ad78fea86d2e95a6c48dbc4 ]
+
+This patch fixes an issue where the touchpad cursor movement becomes
+slow on the Dell Precision 5560. Force the touchpad freq to 100khz
+as a workaround.
+
+Tested on Dell Precision 5560 with 6.14 to 6.14.6. Cursor movement
+is now smooth and responsive.
+
+Signed-off-by: fangzhong.zhou <myth5@myth5.com>
+[wsa: kept sorting and removed unnecessary parts from commit msg]
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/i2c-core-acpi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/i2c/i2c-core-acpi.c b/drivers/i2c/i2c-core-acpi.c
+index d2499f302b50..f43067f6797e 100644
+--- a/drivers/i2c/i2c-core-acpi.c
++++ b/drivers/i2c/i2c-core-acpi.c
+@@ -370,6 +370,7 @@ static const struct acpi_device_id i2c_acpi_force_100khz_device_ids[] = {
+ * the device works without issues on Windows at what is expected to be
+ * a 400KHz frequency. The root cause of the issue is not known.
+ */
++ { "DLL0945", 0 },
+ { "ELAN06FA", 0 },
+ {}
+ };
+--
+2.39.5
+
--- /dev/null
+From e1a7bc103ab198bb049a841194bb70697ef1a2da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 14:00:47 +0200
+Subject: i3c: add missing include to internal header
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit 3b661ca549b9e5bb11d0bc97ada6110aac3282d2 ]
+
+LKP found a random config which failed to build because IO accessors
+were not defined:
+
+ In file included from drivers/i3c/master.c:21:
+ drivers/i3c/internals.h: In function 'i3c_writel_fifo':
+>> drivers/i3c/internals.h:35:9: error: implicit declaration of function 'writesl' [-Werror=implicit-function-declaration]
+
+Add the proper header to where the IO accessors are used.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202507150208.BZDzzJ5E-lkp@intel.com/
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Link: https://lore.kernel.org/r/20250717120046.9022-2-wsa+renesas@sang-engineering.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i3c/internals.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/i3c/internals.h b/drivers/i3c/internals.h
+index 908a807badaf..e267ea5ec5b9 100644
+--- a/drivers/i3c/internals.h
++++ b/drivers/i3c/internals.h
+@@ -9,6 +9,7 @@
+ #define I3C_INTERNALS_H
+
+ #include <linux/i3c/master.h>
++#include <linux/io.h>
+
+ extern struct bus_type i3c_bus_type;
+
+--
+2.39.5
+
--- /dev/null
+From e43b8c6bf63f04bdf46d63e4c514e925d4ce6f75 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jul 2025 22:44:32 +0200
+Subject: i3c: don't fail if GETHDRCAP is unsupported
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit 447270cdb41b1c8c3621bb14b93a6749f942556e ]
+
+'I3C_BCR_HDR_CAP' is still spec v1.0 and has been renamed to 'advanced
+capabilities' in v1.1 onwards. The ST pressure sensor LPS22DF does not
+have HDR, but has the 'advanced cap' bit set. The core still wants to
+get additional information using the CCC 'GETHDRCAP' (or GETCAPS in v1.1
+onwards). Not all controllers support this CCC and will notify the upper
+layers about it. For instantiating the device, we can ignore this
+unsupported CCC as standard communication will work. Without this patch,
+the device will not be instantiated at all.
+
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Link: https://lore.kernel.org/r/20250704204524.6124-1-wsa+renesas@sang-engineering.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i3c/master.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c
+index 33254bc338b9..7e526da11524 100644
+--- a/drivers/i3c/master.c
++++ b/drivers/i3c/master.c
+@@ -1398,7 +1398,7 @@ static int i3c_master_retrieve_dev_info(struct i3c_dev_desc *dev)
+
+ if (dev->info.bcr & I3C_BCR_HDR_CAP) {
+ ret = i3c_master_gethdrcap_locked(master, &dev->info);
+- if (ret)
++ if (ret && ret != -ENOTSUPP)
+ return ret;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 74f61a67777542fbe87ba61d9357e18941ccb3a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 22 Jun 2025 12:11:07 +0200
+Subject: i3c: master: Initialize ret in i3c_i2c_notifier_call()
+
+From: Jorge Marques <jorge.marques@analog.com>
+
+[ Upstream commit 290ce8b2d0745e45a3155268184523a8c75996f1 ]
+
+Set ret to -EINVAL if i3c_i2c_notifier_call() receives an invalid
+action, resolving uninitialized warning.
+
+Signed-off-by: Jorge Marques <jorge.marques@analog.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Link: https://lore.kernel.org/r/20250622-i3c-master-ret-uninitialized-v1-1-aabb5625c932@analog.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i3c/master.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c
+index 7e526da11524..b6995e767850 100644
+--- a/drivers/i3c/master.c
++++ b/drivers/i3c/master.c
+@@ -2430,6 +2430,8 @@ static int i3c_i2c_notifier_call(struct notifier_block *nb, unsigned long action
+ case BUS_NOTIFY_DEL_DEVICE:
+ ret = i3c_master_i2c_detach(adap, client);
+ break;
++ default:
++ ret = -EINVAL;
+ }
+ i3c_bus_maintenance_unlock(&master->bus);
+
+--
+2.39.5
+
--- /dev/null
+From f1e0eb29574f332d3e7487cb13fbfda65629819c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Jun 2025 16:35:21 -0300
+Subject: iio: adc: ad7768-1: Ensure SYNC_IN pulse minimum timing requirement
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonathan Santos <Jonathan.Santos@analog.com>
+
+[ Upstream commit 7e54d932873d91a55d1b89b7389876d78aeeab32 ]
+
+The SYNC_IN pulse width must be at least 1.5 x Tmclk, corresponding to
+~2.5 µs at the lowest supported MCLK frequency. Add a 3 µs delay to
+ensure reliable synchronization timing even for the worst-case scenario.
+
+Signed-off-by: Jonathan Santos <Jonathan.Santos@analog.com>
+Reviewed-by: David Lechner <dlechner@baylibre.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://patch.msgid.link/d3ee92a533cd1207cf5c5cc4d7bdbb5c6c267f68.1749063024.git.Jonathan.Santos@analog.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/ad7768-1.c | 23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/iio/adc/ad7768-1.c b/drivers/iio/adc/ad7768-1.c
+index 967f06cd3f94..e147eaf1a3b1 100644
+--- a/drivers/iio/adc/ad7768-1.c
++++ b/drivers/iio/adc/ad7768-1.c
+@@ -203,6 +203,24 @@ static int ad7768_spi_reg_write(struct ad7768_state *st,
+ return spi_write(st->spi, st->data.d8, 2);
+ }
+
++static int ad7768_send_sync_pulse(struct ad7768_state *st)
++{
++ /*
++ * The datasheet specifies a minimum SYNC_IN pulse width of 1.5 × Tmclk,
++ * where Tmclk is the MCLK period. The supported MCLK frequencies range
++ * from 0.6 MHz to 17 MHz, which corresponds to a minimum SYNC_IN pulse
++ * width of approximately 2.5 µs in the worst-case scenario (0.6 MHz).
++ *
++ * Add a delay to ensure the pulse width is always sufficient to
++ * trigger synchronization.
++ */
++ gpiod_set_value_cansleep(st->gpio_sync_in, 1);
++ fsleep(3);
++ gpiod_set_value_cansleep(st->gpio_sync_in, 0);
++
++ return 0;
++}
++
+ static int ad7768_set_mode(struct ad7768_state *st,
+ enum ad7768_conv_mode mode)
+ {
+@@ -288,10 +306,7 @@ static int ad7768_set_dig_fil(struct ad7768_state *st,
+ return ret;
+
+ /* A sync-in pulse is required every time the filter dec rate changes */
+- gpiod_set_value(st->gpio_sync_in, 1);
+- gpiod_set_value(st->gpio_sync_in, 0);
+-
+- return 0;
++ return ad7768_send_sync_pulse(st);
+ }
+
+ static int ad7768_set_freq(struct ad7768_state *st,
+--
+2.39.5
+
--- /dev/null
+From 4adf601eb7d30e7d3c6113dc0978b646c84501e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 16:37:49 -0500
+Subject: iio: adc: ad_sigma_delta: don't overallocate scan buffer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: David Lechner <dlechner@baylibre.com>
+
+[ Upstream commit 5a2f15c5a8e017d0951e6dc62aa7b5b634f56881 ]
+
+Fix overallocating the size of the scan buffer by converting bits to
+bytes. The size is meant to be in bytes, so scanbits needs to be
+divided by 8.
+
+Signed-off-by: David Lechner <dlechner@baylibre.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Nuno Sá <nuno.sa@analog.com>
+Link: https://patch.msgid.link/20250701-iio-adc-ad7173-add-spi-offload-support-v3-1-42abb83e3dac@baylibre.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/ad_sigma_delta.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iio/adc/ad_sigma_delta.c b/drivers/iio/adc/ad_sigma_delta.c
+index 533667eefe41..71e775a10a91 100644
+--- a/drivers/iio/adc/ad_sigma_delta.c
++++ b/drivers/iio/adc/ad_sigma_delta.c
+@@ -378,7 +378,7 @@ static int ad_sd_buffer_postenable(struct iio_dev *indio_dev)
+ return ret;
+ }
+
+- samples_buf_size = ALIGN(slot * indio_dev->channels[0].scan_type.storagebits, 8);
++ samples_buf_size = ALIGN(slot * indio_dev->channels[0].scan_type.storagebits / 8, 8);
+ samples_buf_size += sizeof(int64_t);
+ samples_buf = devm_krealloc(&sigma_delta->spi->dev, sigma_delta->samples_buf,
+ samples_buf_size, GFP_KERNEL);
+--
+2.39.5
+
--- /dev/null
+From f73e1ae0611eb7a5b03bac66c119a5a6433ac3f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 May 2025 11:26:55 +0200
+Subject: imx8m-blk-ctrl: set ISI panic write hurry level
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Krzysztof Hałasa <khalasa@piap.pl>
+
+[ Upstream commit c01fba0b4869cada5403fffff416cd1675dba078 ]
+
+Apparently, ISI needs cache settings similar to LCDIF.
+Otherwise we get artefacts in the image.
+Tested on i.MX8MP.
+
+Signed-off-by: Krzysztof Hałasa <khalasa@piap.pl>
+Link: https://lore.kernel.org/r/m3ldr69lsw.fsf@t19.piap.pl
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pmdomain/imx/imx8m-blk-ctrl.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/pmdomain/imx/imx8m-blk-ctrl.c b/drivers/pmdomain/imx/imx8m-blk-ctrl.c
+index cc5ef6e2f0a8..0dfaf1d14035 100644
+--- a/drivers/pmdomain/imx/imx8m-blk-ctrl.c
++++ b/drivers/pmdomain/imx/imx8m-blk-ctrl.c
+@@ -664,6 +664,11 @@ static const struct imx8m_blk_ctrl_data imx8mn_disp_blk_ctl_dev_data = {
+ #define LCDIF_1_RD_HURRY GENMASK(15, 13)
+ #define LCDIF_0_RD_HURRY GENMASK(12, 10)
+
++#define ISI_CACHE_CTRL 0x50
++#define ISI_V_WR_HURRY GENMASK(28, 26)
++#define ISI_U_WR_HURRY GENMASK(25, 23)
++#define ISI_Y_WR_HURRY GENMASK(22, 20)
++
+ static int imx8mp_media_power_notifier(struct notifier_block *nb,
+ unsigned long action, void *data)
+ {
+@@ -693,6 +698,11 @@ static int imx8mp_media_power_notifier(struct notifier_block *nb,
+ regmap_set_bits(bc->regmap, LCDIF_ARCACHE_CTRL,
+ FIELD_PREP(LCDIF_1_RD_HURRY, 7) |
+ FIELD_PREP(LCDIF_0_RD_HURRY, 7));
++ /* Same here for ISI */
++ regmap_set_bits(bc->regmap, ISI_CACHE_CTRL,
++ FIELD_PREP(ISI_V_WR_HURRY, 7) |
++ FIELD_PREP(ISI_U_WR_HURRY, 7) |
++ FIELD_PREP(ISI_Y_WR_HURRY, 7));
+ }
+
+ return NOTIFY_OK;
+--
+2.39.5
+
--- /dev/null
+From 01f9bfaccc2e5f3288b91af32f2be836a76c5e2f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jun 2025 14:46:43 -0700
+Subject: ionic: clean dbpage in de-init
+
+From: Shannon Nelson <shannon.nelson@amd.com>
+
+[ Upstream commit c9080abea1e69b8b1408ec7dec0acdfdc577a3e2 ]
+
+Since the kern_dbpage gets set up in ionic_lif_init() and that
+function's error path will clean it if needed, the kern_dbpage
+on teardown should be cleaned in ionic_lif_deinit(), not in
+ionic_lif_free(). As it is currently we get a double call
+to iounmap() on kern_dbpage if the PCI ionic fails setting up
+the lif. One example of this is when firmware isn't responding
+to AdminQ requests and ionic's first AdminQ call fails to
+setup the NotifyQ.
+
+Signed-off-by: Shannon Nelson <shannon.nelson@amd.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Joe Damato <joe@dama.to>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/pensando/ionic/ionic_lif.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
+index bc7c5cd38596..1ac7a40fcc43 100644
+--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c
++++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
+@@ -3394,10 +3394,6 @@ void ionic_lif_free(struct ionic_lif *lif)
+ lif->info = NULL;
+ lif->info_pa = 0;
+
+- /* unmap doorbell page */
+- ionic_bus_unmap_dbpage(lif->ionic, lif->kern_dbpage);
+- lif->kern_dbpage = NULL;
+-
+ mutex_destroy(&lif->config_lock);
+ mutex_destroy(&lif->queue_lock);
+
+@@ -3423,6 +3419,9 @@ void ionic_lif_deinit(struct ionic_lif *lif)
+ ionic_lif_qcq_deinit(lif, lif->notifyqcq);
+ ionic_lif_qcq_deinit(lif, lif->adminqcq);
+
++ ionic_bus_unmap_dbpage(lif->ionic, lif->kern_dbpage);
++ lif->kern_dbpage = NULL;
++
+ ionic_lif_reset(lif);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 37120b974f4f6bc2ed29413142e4d7b83e17e8b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Jun 2025 19:06:26 -0500
+Subject: ipmi: Fix strcpy source and destination the same
+
+From: Corey Minyard <corey@minyard.net>
+
+[ Upstream commit 8ffcb7560b4a15faf821df95e3ab532b2b020f8c ]
+
+The source and destination of some strcpy operations was the same.
+Split out the part of the operations that needed to be done for those
+particular calls so the unnecessary copy wasn't done.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202506140756.EFXXvIP4-lkp@intel.com/
+Signed-off-by: Corey Minyard <corey@minyard.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/ipmi/ipmi_watchdog.c | 59 ++++++++++++++++++++++---------
+ 1 file changed, 42 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/char/ipmi/ipmi_watchdog.c b/drivers/char/ipmi/ipmi_watchdog.c
+index 9a459257489f..ca149ca8ccd6 100644
+--- a/drivers/char/ipmi/ipmi_watchdog.c
++++ b/drivers/char/ipmi/ipmi_watchdog.c
+@@ -1190,14 +1190,8 @@ static struct ipmi_smi_watcher smi_watcher = {
+ .smi_gone = ipmi_smi_gone
+ };
+
+-static int action_op(const char *inval, char *outval)
++static int action_op_set_val(const char *inval)
+ {
+- if (outval)
+- strcpy(outval, action);
+-
+- if (!inval)
+- return 0;
+-
+ if (strcmp(inval, "reset") == 0)
+ action_val = WDOG_TIMEOUT_RESET;
+ else if (strcmp(inval, "none") == 0)
+@@ -1208,18 +1202,26 @@ static int action_op(const char *inval, char *outval)
+ action_val = WDOG_TIMEOUT_POWER_DOWN;
+ else
+ return -EINVAL;
+- strcpy(action, inval);
+ return 0;
+ }
+
+-static int preaction_op(const char *inval, char *outval)
++static int action_op(const char *inval, char *outval)
+ {
++ int rv;
++
+ if (outval)
+- strcpy(outval, preaction);
++ strcpy(outval, action);
+
+ if (!inval)
+ return 0;
++ rv = action_op_set_val(inval);
++ if (!rv)
++ strcpy(action, inval);
++ return rv;
++}
+
++static int preaction_op_set_val(const char *inval)
++{
+ if (strcmp(inval, "pre_none") == 0)
+ preaction_val = WDOG_PRETIMEOUT_NONE;
+ else if (strcmp(inval, "pre_smi") == 0)
+@@ -1232,18 +1234,26 @@ static int preaction_op(const char *inval, char *outval)
+ preaction_val = WDOG_PRETIMEOUT_MSG_INT;
+ else
+ return -EINVAL;
+- strcpy(preaction, inval);
+ return 0;
+ }
+
+-static int preop_op(const char *inval, char *outval)
++static int preaction_op(const char *inval, char *outval)
+ {
++ int rv;
++
+ if (outval)
+- strcpy(outval, preop);
++ strcpy(outval, preaction);
+
+ if (!inval)
+ return 0;
++ rv = preaction_op_set_val(inval);
++ if (!rv)
++ strcpy(preaction, inval);
++ return 0;
++}
+
++static int preop_op_set_val(const char *inval)
++{
+ if (strcmp(inval, "preop_none") == 0)
+ preop_val = WDOG_PREOP_NONE;
+ else if (strcmp(inval, "preop_panic") == 0)
+@@ -1252,7 +1262,22 @@ static int preop_op(const char *inval, char *outval)
+ preop_val = WDOG_PREOP_GIVE_DATA;
+ else
+ return -EINVAL;
+- strcpy(preop, inval);
++ return 0;
++}
++
++static int preop_op(const char *inval, char *outval)
++{
++ int rv;
++
++ if (outval)
++ strcpy(outval, preop);
++
++ if (!inval)
++ return 0;
++
++ rv = preop_op_set_val(inval);
++ if (!rv)
++ strcpy(preop, inval);
+ return 0;
+ }
+
+@@ -1289,18 +1314,18 @@ static int __init ipmi_wdog_init(void)
+ {
+ int rv;
+
+- if (action_op(action, NULL)) {
++ if (action_op_set_val(action)) {
+ action_op("reset", NULL);
+ pr_info("Unknown action '%s', defaulting to reset\n", action);
+ }
+
+- if (preaction_op(preaction, NULL)) {
++ if (preaction_op_set_val(preaction)) {
+ preaction_op("pre_none", NULL);
+ pr_info("Unknown preaction '%s', defaulting to none\n",
+ preaction);
+ }
+
+- if (preop_op(preop, NULL)) {
++ if (preop_op_set_val(preop)) {
+ preop_op("preop_none", NULL);
+ pr_info("Unknown preop '%s', defaulting to none\n", preop);
+ }
+--
+2.39.5
+
--- /dev/null
+From 8aeed84e0bae77b79ae2ea127970f4767b09cdc7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 05:57:26 -0700
+Subject: ipmi: Use dev_warn_ratelimited() for incorrect message warnings
+
+From: Breno Leitao <leitao@debian.org>
+
+[ Upstream commit ec50ec378e3fd83bde9b3d622ceac3509a60b6b5 ]
+
+During BMC firmware upgrades on live systems, the ipmi_msghandler
+generates excessive "BMC returned incorrect response" warnings
+while the BMC is temporarily offline. This can flood system logs
+in large deployments.
+
+Replace dev_warn() with dev_warn_ratelimited() to throttle these
+warnings and prevent log spam during BMC maintenance operations.
+
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Message-ID: <20250710-ipmi_ratelimit-v1-1-6d417015ebe9@debian.org>
+Signed-off-by: Corey Minyard <corey@minyard.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/ipmi/ipmi_msghandler.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c
+index db8f1dadaa9f..96f175bd6d9f 100644
+--- a/drivers/char/ipmi/ipmi_msghandler.c
++++ b/drivers/char/ipmi/ipmi_msghandler.c
+@@ -4618,10 +4618,10 @@ static int handle_one_recv_msg(struct ipmi_smi *intf,
+ * The NetFN and Command in the response is not even
+ * marginally correct.
+ */
+- dev_warn(intf->si_dev,
+- "BMC returned incorrect response, expected netfn %x cmd %x, got netfn %x cmd %x\n",
+- (msg->data[0] >> 2) | 1, msg->data[1],
+- msg->rsp[0] >> 2, msg->rsp[1]);
++ dev_warn_ratelimited(intf->si_dev,
++ "BMC returned incorrect response, expected netfn %x cmd %x, got netfn %x cmd %x\n",
++ (msg->data[0] >> 2) | 1, msg->data[1],
++ msg->rsp[0] >> 2, msg->rsp[1]);
+
+ goto return_unspecified;
+ }
+--
+2.39.5
+
--- /dev/null
+From e9eec5533c7186f411fd5ef32ae59cbc7cc82db5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 16:01:20 -0700
+Subject: ipv6: mcast: Check inet6_dev->dead under idev->mc_lock in
+ __ipv6_dev_mc_inc().
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit dbd40f318cf2f59759bd170c401adc20ba360a3e ]
+
+Since commit 63ed8de4be81 ("mld: add mc_lock for protecting
+per-interface mld data"), every multicast resource is protected
+by inet6_dev->mc_lock.
+
+RTNL is unnecessary in terms of protection but still needed for
+synchronisation between addrconf_ifdown() and __ipv6_dev_mc_inc().
+
+Once we removed RTNL, there would be a race below, where we could
+add a multicast address to a dead inet6_dev.
+
+ CPU1 CPU2
+ ==== ====
+ addrconf_ifdown() __ipv6_dev_mc_inc()
+ if (idev->dead) <-- false
+ dead = true return -ENODEV;
+ ipv6_mc_destroy_dev() / ipv6_mc_down()
+ mutex_lock(&idev->mc_lock)
+ ...
+ mutex_unlock(&idev->mc_lock)
+ mutex_lock(&idev->mc_lock)
+ ...
+ mutex_unlock(&idev->mc_lock)
+
+The race window can be easily closed by checking inet6_dev->dead
+under inet6_dev->mc_lock in __ipv6_dev_mc_inc() as addrconf_ifdown()
+will acquire it after marking inet6_dev dead.
+
+Let's check inet6_dev->dead under mc_lock in __ipv6_dev_mc_inc().
+
+Note that now __ipv6_dev_mc_inc() no longer depends on RTNL and
+we can remove ASSERT_RTNL() there and the RTNL comment above
+addrconf_join_solict().
+
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20250702230210.3115355-4-kuni1840@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/addrconf.c | 7 +++----
+ net/ipv6/mcast.c | 11 +++++------
+ 2 files changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
+index f6188bd9f55b..1c3b0ba289fb 100644
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -2193,13 +2193,12 @@ void addrconf_dad_failure(struct sk_buff *skb, struct inet6_ifaddr *ifp)
+ in6_ifa_put(ifp);
+ }
+
+-/* Join to solicited addr multicast group.
+- * caller must hold RTNL */
++/* Join to solicited addr multicast group. */
+ void addrconf_join_solict(struct net_device *dev, const struct in6_addr *addr)
+ {
+ struct in6_addr maddr;
+
+- if (dev->flags&(IFF_LOOPBACK|IFF_NOARP))
++ if (READ_ONCE(dev->flags) & (IFF_LOOPBACK | IFF_NOARP))
+ return;
+
+ addrconf_addr_solict_mult(addr, &maddr);
+@@ -3834,7 +3833,7 @@ static int addrconf_ifdown(struct net_device *dev, bool unregister)
+ * Do not dev_put!
+ */
+ if (unregister) {
+- idev->dead = 1;
++ WRITE_ONCE(idev->dead, 1);
+
+ /* protected by rtnl_lock */
+ RCU_INIT_POINTER(dev->ip6_ptr, NULL);
+diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
+index e153dac47a53..160b452f75e7 100644
+--- a/net/ipv6/mcast.c
++++ b/net/ipv6/mcast.c
+@@ -906,23 +906,22 @@ static struct ifmcaddr6 *mca_alloc(struct inet6_dev *idev,
+ static int __ipv6_dev_mc_inc(struct net_device *dev,
+ const struct in6_addr *addr, unsigned int mode)
+ {
+- struct ifmcaddr6 *mc;
+ struct inet6_dev *idev;
+-
+- ASSERT_RTNL();
++ struct ifmcaddr6 *mc;
+
+ /* we need to take a reference on idev */
+ idev = in6_dev_get(dev);
+-
+ if (!idev)
+ return -EINVAL;
+
+- if (idev->dead) {
++ mutex_lock(&idev->mc_lock);
++
++ if (READ_ONCE(idev->dead)) {
++ mutex_unlock(&idev->mc_lock);
+ in6_dev_put(idev);
+ return -ENODEV;
+ }
+
+- mutex_lock(&idev->mc_lock);
+ for_each_mc_mclock(idev, mc) {
+ if (ipv6_addr_equal(&mc->mca_addr, addr)) {
+ mc->mca_users++;
+--
+2.39.5
+
--- /dev/null
+From 9c434b7be15ec2bdd293928e36b0f76b73b12bb8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Jun 2025 14:48:43 +0800
+Subject: jfs: Regular file corruption check
+
+From: Edward Adam Davis <eadavis@qq.com>
+
+[ Upstream commit 2d04df8116426b6c7b9f8b9b371250f666a2a2fb ]
+
+The reproducer builds a corrupted file on disk with a negative i_size value.
+Add a check when opening this file to avoid subsequent operation failures.
+
+Reported-by: syzbot+630f6d40b3ccabc8e96e@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=630f6d40b3ccabc8e96e
+Tested-by: syzbot+630f6d40b3ccabc8e96e@syzkaller.appspotmail.com
+Signed-off-by: Edward Adam Davis <eadavis@qq.com>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jfs/file.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/jfs/file.c b/fs/jfs/file.c
+index 01b6912e60f8..742cadd1f37e 100644
+--- a/fs/jfs/file.c
++++ b/fs/jfs/file.c
+@@ -44,6 +44,9 @@ static int jfs_open(struct inode *inode, struct file *file)
+ {
+ int rc;
+
++ if (S_ISREG(inode->i_mode) && inode->i_size < 0)
++ return -EIO;
++
+ if ((rc = dquot_file_open(inode, file)))
+ return rc;
+
+--
+2.39.5
+
--- /dev/null
+From ff2bc2db144dfff7619da76d2a107e5413500193 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Jun 2025 11:05:34 +0800
+Subject: jfs: truncate good inode pages when hard link is 0
+
+From: Lizhi Xu <lizhi.xu@windriver.com>
+
+[ Upstream commit 2d91b3765cd05016335cd5df5e5c6a29708ec058 ]
+
+The fileset value of the inode copy from the disk by the reproducer is
+AGGR_RESERVED_I. When executing evict, its hard link number is 0, so its
+inode pages are not truncated. This causes the bugon to be triggered when
+executing clear_inode() because nrpages is greater than 0.
+
+Reported-by: syzbot+6e516bb515d93230bc7b@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=6e516bb515d93230bc7b
+Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jfs/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/jfs/inode.c b/fs/jfs/inode.c
+index 920d58a1566b..66c38ef5e571 100644
+--- a/fs/jfs/inode.c
++++ b/fs/jfs/inode.c
+@@ -145,9 +145,9 @@ void jfs_evict_inode(struct inode *inode)
+ if (!inode->i_nlink && !is_bad_inode(inode)) {
+ dquot_initialize(inode);
+
++ truncate_inode_pages_final(&inode->i_data);
+ if (JFS_IP(inode)->fileset == FILESYSTEM_I) {
+ struct inode *ipimap = JFS_SBI(inode->i_sb)->ipimap;
+- truncate_inode_pages_final(&inode->i_data);
+
+ if (test_cflag(COMMIT_Freewmap, inode))
+ jfs_free_zero_link(inode);
+--
+2.39.5
+
--- /dev/null
+From c4f95f04a8e9ad610455324a1ebe532180854301 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Apr 2025 00:13:51 +0200
+Subject: jfs: upper bound check of tree index in dbAllocAG
+
+From: Arnaud Lecomte <contact@arnaud-lcm.com>
+
+[ Upstream commit c214006856ff52a8ff17ed8da52d50601d54f9ce ]
+
+When computing the tree index in dbAllocAG, we never check if we are
+out of bounds realative to the size of the stree.
+This could happen in a scenario where the filesystem metadata are
+corrupted.
+
+Reported-by: syzbot+cffd18309153948f3c3e@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=cffd18309153948f3c3e
+Tested-by: syzbot+cffd18309153948f3c3e@syzkaller.appspotmail.com
+Signed-off-by: Arnaud Lecomte <contact@arnaud-lcm.com>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jfs/jfs_dmap.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
+index 5a877261c3fe..cdfa699cd7c8 100644
+--- a/fs/jfs/jfs_dmap.c
++++ b/fs/jfs/jfs_dmap.c
+@@ -1389,6 +1389,12 @@ dbAllocAG(struct bmap * bmp, int agno, s64 nblocks, int l2nb, s64 * results)
+ (1 << (L2LPERCTL - (bmp->db_agheight << 1))) / bmp->db_agwidth;
+ ti = bmp->db_agstart + bmp->db_agwidth * (agno & (agperlev - 1));
+
++ if (ti < 0 || ti >= le32_to_cpu(dcp->nleafs)) {
++ jfs_error(bmp->db_ipbmap->i_sb, "Corrupt dmapctl page\n");
++ release_metapage(mp);
++ return -EIO;
++ }
++
+ /* dmap control page trees fan-out by 4 and a single allocation
+ * group may be described by 1 or 2 subtrees within the ag level
+ * dmap control page, depending upon the ag size. examine the ag's
+--
+2.39.5
+
--- /dev/null
+From 7ea91a3a1732abb093b8f952aa40a77719f42790 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jun 2025 00:05:20 +0900
+Subject: kconfig: gconf: avoid hardcoding model2 in
+ on_treeview2_cursor_changed()
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+[ Upstream commit cae9cdbcd9af044810bcceeb43a87accca47c71d ]
+
+The on_treeview2_cursor_changed() handler is connected to both the left
+and right tree views, but it hardcodes model2 (the GtkTreeModel of the
+right tree view). This is incorrect. Get the associated model from the
+view.
+
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/gconf.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/scripts/kconfig/gconf.c b/scripts/kconfig/gconf.c
+index 9e52c7360e55..a9f78e167e2e 100644
+--- a/scripts/kconfig/gconf.c
++++ b/scripts/kconfig/gconf.c
+@@ -974,13 +974,14 @@ on_treeview2_key_press_event(GtkWidget * widget,
+ void
+ on_treeview2_cursor_changed(GtkTreeView * treeview, gpointer user_data)
+ {
++ GtkTreeModel *model = gtk_tree_view_get_model(treeview);
+ GtkTreeSelection *selection;
+ GtkTreeIter iter;
+ struct menu *menu;
+
+ selection = gtk_tree_view_get_selection(treeview);
+- if (gtk_tree_selection_get_selected(selection, &model2, &iter)) {
+- gtk_tree_model_get(model2, &iter, COL_MENU, &menu, -1);
++ if (gtk_tree_selection_get_selected(selection, &model, &iter)) {
++ gtk_tree_model_get(model, &iter, COL_MENU, &menu, -1);
+ text_insert_help(menu);
+ }
+ }
+--
+2.39.5
+
--- /dev/null
+From e6cc48a497791dd1e9b189c18e404dbe5f0969bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jun 2025 00:04:55 +0900
+Subject: kconfig: gconf: fix potential memory leak in renderer_edited()
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+[ Upstream commit f72ed4c6a375e52a3f4b75615e4a89d29d8acea7 ]
+
+If gtk_tree_model_get_iter() fails, gtk_tree_path_free() is not called.
+
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Acked-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/gconf.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/scripts/kconfig/gconf.c b/scripts/kconfig/gconf.c
+index a9f78e167e2e..2b99d18e703d 100644
+--- a/scripts/kconfig/gconf.c
++++ b/scripts/kconfig/gconf.c
+@@ -780,7 +780,7 @@ static void renderer_edited(GtkCellRendererText * cell,
+ struct symbol *sym;
+
+ if (!gtk_tree_model_get_iter(model2, &iter, path))
+- return;
++ goto free;
+
+ gtk_tree_model_get(model2, &iter, COL_MENU, &menu, -1);
+ sym = menu->sym;
+@@ -792,6 +792,7 @@ static void renderer_edited(GtkCellRendererText * cell,
+
+ update_tree(&rootmenu, NULL);
+
++free:
+ gtk_tree_path_free(path);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From dd01872302417b9aba6c7cd46fbc0d8c9d80565c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Nov 2013 00:53:32 +0100
+Subject: kconfig: lxdialog: fix 'space' to (de)select options
+
+From: Yann E. MORIN <yann.morin.1998@free.fr>
+
+[ Upstream commit 694174f94ebeeb5ec5cc0e9de9b40c82057e1d95 ]
+
+In case a menu has comment without letters/numbers (eg. characters
+matching the regexp '^[^[:alpha:][:digit:]]+$', for example - or *),
+hitting space will cycle through those comments, rather than
+selecting/deselecting the currently-highlighted option.
+
+This is the behaviour of hitting any letter/digit: jump to the next
+option which prompt starts with that letter. The only letters that
+do not behave as such are 'y' 'm' and 'n'. Prompts that start with
+one of those three letters are instead matched on the first letter
+that is not 'y', 'm' or 'n'.
+
+Fix that by treating 'space' as we treat y/m/n, ie. as an action key,
+not as shortcut to jump to prompt.
+
+Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+Signed-off-by: Cherniaev Andrei <dungeonlords789@naver.com>
+[masahiro: took from Buildroot, adjusted the commit subject]
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/lxdialog/menubox.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/kconfig/lxdialog/menubox.c b/scripts/kconfig/lxdialog/menubox.c
+index 0e333284e947..6bb8a320a4cb 100644
+--- a/scripts/kconfig/lxdialog/menubox.c
++++ b/scripts/kconfig/lxdialog/menubox.c
+@@ -264,7 +264,7 @@ int dialog_menu(const char *title, const char *prompt,
+ if (key < 256 && isalpha(key))
+ key = tolower(key);
+
+- if (strchr("ynmh", key))
++ if (strchr("ynmh ", key))
+ i = max_choice;
+ else {
+ for (i = choice + 1; i < max_choice; i++) {
+--
+2.39.5
+
--- /dev/null
+From 7a01d7f0b0b6469ec37d708ca46768ea2d3671c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 27 Jul 2025 22:14:33 +0530
+Subject: kconfig: lxdialog: replace strcpy() with strncpy() in inputbox.c
+
+From: Suchit Karunakaran <suchitkarunakaran@gmail.com>
+
+[ Upstream commit 5ac726653a1029a2eccba93bbe59e01fc9725828 ]
+
+strcpy() performs no bounds checking and can lead to buffer overflows if
+the input string exceeds the destination buffer size. This patch replaces
+it with strncpy(), and null terminates the input string.
+
+Signed-off-by: Suchit Karunakaran <suchitkarunakaran@gmail.com>
+Reviewed-by: Nicolas Schier <nicolas.schier@linux.dev>
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/lxdialog/inputbox.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/scripts/kconfig/lxdialog/inputbox.c b/scripts/kconfig/lxdialog/inputbox.c
+index 1dcfb288ee63..327b60cdb8da 100644
+--- a/scripts/kconfig/lxdialog/inputbox.c
++++ b/scripts/kconfig/lxdialog/inputbox.c
+@@ -39,8 +39,10 @@ int dialog_inputbox(const char *title, const char *prompt, int height, int width
+
+ if (!init)
+ instr[0] = '\0';
+- else
+- strcpy(instr, init);
++ else {
++ strncpy(instr, init, sizeof(dialog_input_result) - 1);
++ instr[sizeof(dialog_input_result) - 1] = '\0';
++ }
+
+ do_resize:
+ if (getmaxy(stdscr) <= (height - INPUTBOX_HEIGTH_MIN))
+--
+2.39.5
+
--- /dev/null
+From a74cdaf93dc8b8d4292ed08eef1b80d0d62d60a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jun 2025 00:36:54 +0530
+Subject: kconfig: nconf: Ensure null termination where strncpy is used
+
+From: Shankari Anand <shankari.ak0208@gmail.com>
+
+[ Upstream commit f468992936894c9ce3b1659cf38c230d33b77a16 ]
+
+strncpy() does not guarantee null-termination if the source string is
+longer than the destination buffer.
+
+Ensure the buffer is explicitly null-terminated to prevent potential
+string overflows or undefined behavior.
+
+Signed-off-by: Shankari Anand <shankari.ak0208@gmail.com>
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Acked-by: Randy Dunlap <rdunlap@infradead.org>
+Tested-by: Randy Dunlap <rdunlap@infradead.org>
+Tested-by: Nicolas Schier <n.schier@avm.de>
+Acked-by: Nicolas Schier <n.schier@avm.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/kconfig/nconf.c | 2 ++
+ scripts/kconfig/nconf.gui.c | 1 +
+ 2 files changed, 3 insertions(+)
+
+diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c
+index 8cd72fe25974..7a17c94a1594 100644
+--- a/scripts/kconfig/nconf.c
++++ b/scripts/kconfig/nconf.c
+@@ -591,6 +591,8 @@ static void item_add_str(const char *fmt, ...)
+ tmp_str,
+ sizeof(k_menu_items[index].str));
+
++ k_menu_items[index].str[sizeof(k_menu_items[index].str) - 1] = '\0';
++
+ free_item(curses_menu_items[index]);
+ curses_menu_items[index] = new_item(
+ k_menu_items[index].str,
+diff --git a/scripts/kconfig/nconf.gui.c b/scripts/kconfig/nconf.gui.c
+index 25a7263ef3c8..5f13a0a7fb0b 100644
+--- a/scripts/kconfig/nconf.gui.c
++++ b/scripts/kconfig/nconf.gui.c
+@@ -349,6 +349,7 @@ int dialog_inputbox(WINDOW *main_window,
+ x = (columns-win_cols)/2;
+
+ strncpy(result, init, *result_len);
++ result[*result_len - 1] = '\0';
+
+ /* create the windows */
+ win = newwin(win_lines, win_cols, y, x);
+--
+2.39.5
+
--- /dev/null
+From 102a6acfd11d042c99dea326c71e9efa957b6bff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jun 2025 16:25:33 +0100
+Subject: kselftest/arm64: Specify SVE data when testing VL set in sve-ptrace
+
+From: Mark Brown <broonie@kernel.org>
+
+[ Upstream commit 9e8ebfe677f9101bbfe1f75d548a5aec581e8213 ]
+
+Since f916dd32a943 ("arm64/fpsimd: ptrace: Mandate SVE payload for
+streaming-mode state") we reject attempts to write to the streaming mode
+regset even if there is no register data supplied, causing the tests for
+setting vector lengths and setting SVE_VL_INHERIT in sve-ptrace to
+spuriously fail. Set the flag to avoid the issue, we still support not
+supplying register data.
+
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20250609-kselftest-arm64-ssve-fixups-v2-3-998fcfa6f240@kernel.org
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/arm64/fp/sve-ptrace.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/arm64/fp/sve-ptrace.c b/tools/testing/selftests/arm64/fp/sve-ptrace.c
+index c6228176dd1a..408fb1c5c2f8 100644
+--- a/tools/testing/selftests/arm64/fp/sve-ptrace.c
++++ b/tools/testing/selftests/arm64/fp/sve-ptrace.c
+@@ -168,7 +168,7 @@ static void ptrace_set_get_inherit(pid_t child, const struct vec_type *type)
+ memset(&sve, 0, sizeof(sve));
+ sve.size = sizeof(sve);
+ sve.vl = sve_vl_from_vq(SVE_VQ_MIN);
+- sve.flags = SVE_PT_VL_INHERIT;
++ sve.flags = SVE_PT_VL_INHERIT | SVE_PT_REGS_SVE;
+ ret = set_sve(child, type, &sve);
+ if (ret != 0) {
+ ksft_test_result_fail("Failed to set %s SVE_PT_VL_INHERIT\n",
+@@ -233,6 +233,7 @@ static void ptrace_set_get_vl(pid_t child, const struct vec_type *type,
+ /* Set the VL by doing a set with no register payload */
+ memset(&sve, 0, sizeof(sve));
+ sve.size = sizeof(sve);
++ sve.flags = SVE_PT_REGS_SVE;
+ sve.vl = vl;
+ ret = set_sve(child, type, &sve);
+ if (ret != 0) {
+--
+2.39.5
+
--- /dev/null
+From 9c9a74d1b6e4a0ef1419e69e3c8d5faffaf40f4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jul 2025 16:18:44 -0400
+Subject: ktest.pl: Prevent recursion of default variable options
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+[ Upstream commit 61f7e318e99d3b398670518dd3f4f8510d1800fc ]
+
+If a default variable contains itself, do not recurse on it.
+
+For example:
+
+ ADD_CONFIG := ${CONFIG_DIR}/temp_config
+ DEFAULTS
+ ADD_CONFIG = ${CONFIG_DIR}/default_config ${ADD_CONFIG}
+
+The above works because the temp variable ADD_CONFIG (is a temp because it
+is created with ":=") is already defined, it will be substituted in the
+variable option. But if it gets commented out:
+
+ # ADD_CONFIG := ${CONFIG_DIR}/temp_config
+ DEFAULTS
+ ADD_CONFIG = ${CONFIG_DIR}/default_config ${ADD_CONFIG}
+
+Then the above will go into a recursive loop where ${ADD_CONFIG} will
+get replaced with the current definition of ADD_CONFIG which contains the
+${ADD_CONFIG} and that will also try to get converted. ktest.pl will error
+after 100 attempts of recursion and fail.
+
+When replacing a variable with the default variable, if the default
+variable contains itself, do not replace it.
+
+Cc: "John Warthog9 Hawley" <warthog9@kernel.org>
+Cc: Dhaval Giani <dhaval.giani@gmail.com>
+Cc: Greg KH <gregkh@linuxfoundation.org>
+Link: https://lore.kernel.org/20250718202053.732189428@kernel.org
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/ktest/ktest.pl | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/ktest/ktest.pl b/tools/testing/ktest/ktest.pl
+index 331601575743..a8979280b505 100755
+--- a/tools/testing/ktest/ktest.pl
++++ b/tools/testing/ktest/ktest.pl
+@@ -1358,7 +1358,10 @@ sub __eval_option {
+ # If a variable contains itself, use the default var
+ if (($var eq $name) && defined($opt{$var})) {
+ $o = $opt{$var};
+- $retval = "$retval$o";
++ # Only append if the default doesn't contain itself
++ if ($o !~ m/\$\{$var\}/) {
++ $retval = "$retval$o";
++ }
+ } elsif (defined($opt{$o})) {
+ $o = $opt{$o};
+ $retval = "$retval$o";
+--
+2.39.5
+
--- /dev/null
+From 98acbd3190602148b094d5eccfc7c9cf7355e47a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jun 2025 12:23:54 +0200
+Subject: leds: leds-lp50xx: Handle reg to get correct multi_index
+
+From: Johan Adolfsson <johan.adolfsson@axis.com>
+
+[ Upstream commit 2e84a5e5374232e6f356ce5c079a5658d7e4af2c ]
+
+mc_subled used for multi_index needs well defined array indexes,
+to guarantee the desired result, use reg for that.
+
+If devicetree child nodes is processed in random or reverse order
+you may end up with multi_index "blue green red" instead of the expected
+"red green blue".
+If user space apps uses multi_index to deduce how to control the leds
+they would most likely be broken without this patch if devicetree
+processing is reversed (which it appears to be).
+
+arch/arm/boot/dts/aspeed/aspeed-bmc-facebook-fuji.dts has reg set
+but I don't see how it can have worked without this change.
+
+If reg is not set, an error is returned,
+If reg is out of range, an error is returned.
+reg within led child nodes starts with 0, to map to the iout in each bank.
+
+Signed-off-by: Johan Adolfsson <johan.adolfsson@axis.com>
+Reviewed-by: Jacek Anaszewski <jacek.anaszewski@gmail.com>
+Link: https://lore.kernel.org/r/20250617-led-fix-v7-1-cdbe8efc88fa@axis.com
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/leds/leds-lp50xx.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/leds/leds-lp50xx.c b/drivers/leds/leds-lp50xx.c
+index 68c4d9967d68..182a590b0267 100644
+--- a/drivers/leds/leds-lp50xx.c
++++ b/drivers/leds/leds-lp50xx.c
+@@ -486,6 +486,7 @@ static int lp50xx_probe_dt(struct lp50xx *priv)
+ }
+
+ fwnode_for_each_child_node(child, led_node) {
++ int multi_index;
+ ret = fwnode_property_read_u32(led_node, "color",
+ &color_id);
+ if (ret) {
+@@ -493,8 +494,16 @@ static int lp50xx_probe_dt(struct lp50xx *priv)
+ dev_err(priv->dev, "Cannot read color\n");
+ goto child_out;
+ }
++ ret = fwnode_property_read_u32(led_node, "reg", &multi_index);
++ if (ret != 0) {
++ dev_err(priv->dev, "reg must be set\n");
++ return -EINVAL;
++ } else if (multi_index >= LP50XX_LEDS_PER_MODULE) {
++ dev_err(priv->dev, "reg %i out of range\n", multi_index);
++ return -EINVAL;
++ }
+
+- mc_led_info[num_colors].color_index = color_id;
++ mc_led_info[multi_index].color_index = color_id;
+ num_colors++;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 94f0c71367ee93a9a10e621277734e948879f196 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jul 2025 18:32:03 +0200
+Subject: loop: Avoid updating block size under exclusive owner
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit 7e49538288e523427beedd26993d446afef1a6fb ]
+
+Syzbot came up with a reproducer where a loop device block size is
+changed underneath a mounted filesystem. This causes a mismatch between
+the block device block size and the block size stored in the superblock
+causing confusion in various places such as fs/buffer.c. The particular
+issue triggered by syzbot was a warning in __getblk_slow() due to
+requested buffer size not matching block device block size.
+
+Fix the problem by getting exclusive hold of the loop device to change
+its block size. This fails if somebody (such as filesystem) has already
+an exclusive ownership of the block device and thus prevents modifying
+the loop device under some exclusive owner which doesn't expect it.
+
+Reported-by: syzbot+01ef7a8da81a975e1ccd@syzkaller.appspotmail.com
+Signed-off-by: Jan Kara <jack@suse.cz>
+Tested-by: syzbot+01ef7a8da81a975e1ccd@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20250711163202.19623-2-jack@suse.cz
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/loop.c | 38 ++++++++++++++++++++++++++++++--------
+ 1 file changed, 30 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/block/loop.c b/drivers/block/loop.c
+index 455e2a2b149f..ed004e1610dd 100644
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -1472,19 +1472,36 @@ static int loop_set_dio(struct loop_device *lo, unsigned long arg)
+ return error;
+ }
+
+-static int loop_set_block_size(struct loop_device *lo, unsigned long arg)
++static int loop_set_block_size(struct loop_device *lo, blk_mode_t mode,
++ struct block_device *bdev, unsigned long arg)
+ {
+ int err = 0;
+
+- if (lo->lo_state != Lo_bound)
+- return -ENXIO;
++ /*
++ * If we don't hold exclusive handle for the device, upgrade to it
++ * here to avoid changing device under exclusive owner.
++ */
++ if (!(mode & BLK_OPEN_EXCL)) {
++ err = bd_prepare_to_claim(bdev, loop_set_block_size, NULL);
++ if (err)
++ return err;
++ }
++
++ err = mutex_lock_killable(&lo->lo_mutex);
++ if (err)
++ goto abort_claim;
++
++ if (lo->lo_state != Lo_bound) {
++ err = -ENXIO;
++ goto unlock;
++ }
+
+ err = blk_validate_block_size(arg);
+ if (err)
+ return err;
+
+ if (lo->lo_queue->limits.logical_block_size == arg)
+- return 0;
++ goto unlock;
+
+ sync_blockdev(lo->lo_device);
+ invalidate_bdev(lo->lo_device);
+@@ -1496,6 +1513,11 @@ static int loop_set_block_size(struct loop_device *lo, unsigned long arg)
+ loop_update_dio(lo);
+ blk_mq_unfreeze_queue(lo->lo_queue);
+
++unlock:
++ mutex_unlock(&lo->lo_mutex);
++abort_claim:
++ if (!(mode & BLK_OPEN_EXCL))
++ bd_abort_claiming(bdev, loop_set_block_size);
+ return err;
+ }
+
+@@ -1514,9 +1536,6 @@ static int lo_simple_ioctl(struct loop_device *lo, unsigned int cmd,
+ case LOOP_SET_DIRECT_IO:
+ err = loop_set_dio(lo, arg);
+ break;
+- case LOOP_SET_BLOCK_SIZE:
+- err = loop_set_block_size(lo, arg);
+- break;
+ default:
+ err = -EINVAL;
+ }
+@@ -1571,9 +1590,12 @@ static int lo_ioctl(struct block_device *bdev, blk_mode_t mode,
+ break;
+ case LOOP_GET_STATUS64:
+ return loop_get_status64(lo, argp);
++ case LOOP_SET_BLOCK_SIZE:
++ if (!(mode & BLK_OPEN_WRITE) && !capable(CAP_SYS_ADMIN))
++ return -EPERM;
++ return loop_set_block_size(lo, mode, bdev, arg);
+ case LOOP_SET_CAPACITY:
+ case LOOP_SET_DIRECT_IO:
+- case LOOP_SET_BLOCK_SIZE:
+ if (!(mode & BLK_OPEN_WRITE) && !capable(CAP_SYS_ADMIN))
+ return -EPERM;
+ fallthrough;
+--
+2.39.5
+
--- /dev/null
+From fa738623105e2dd4865274dc8525856feaec3ae9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 15:31:06 +0800
+Subject: md: call del_gendisk in control path
+
+From: Xiao Ni <xni@redhat.com>
+
+[ Upstream commit 9e59d609763f70a992a8f3808dabcce60f14eb5c ]
+
+Now del_gendisk and put_disk are called asynchronously in workqueue work.
+The asynchronous way has a problem that the device node can still exist
+after mdadm --stop command returns in a short window. So udev rule can
+open this device node and create the struct mddev in kernel again. So put
+del_gendisk in control path and still leave put_disk in md_kobj_release
+to avoid uaf of gendisk.
+
+Function del_gendisk can't be called with reconfig_mutex. If it's called
+with reconfig mutex, a deadlock can happen. del_gendisk waits all sysfs
+files access to finish and sysfs file access waits reconfig mutex. So
+put del_gendisk after releasing reconfig mutex.
+
+But there is still a window that sysfs can be accessed between mddev_unlock
+and del_gendisk. So some actions (add disk, change level, .e.g) can happen
+which lead unexpected results. MD_DELETED is used to resolve this problem.
+MD_DELETED is set before releasing reconfig mutex and it should be checked
+for these sysfs access which need reconfig mutex. For sysfs access which
+don't need reconfig mutex, del_gendisk will wait them to finish.
+
+But it doesn't need to do this in function mddev_lock_nointr. There are
+ten places that call it.
+* Five of them are in dm raid which we don't need to care. MD_DELETED is
+only used for md raid.
+* stop_sync_thread, md_do_sync and md_start_sync are related sync request,
+and it needs to wait sync thread to finish before stopping an array.
+* md_ioctl: md_open is called before md_ioctl, so ->openers is added. It
+will fail to stop the array. So it doesn't need to check MD_DELETED here
+* md_set_readonly:
+It needs to call mddev_set_closing_and_sync_blockdev when setting readonly
+or read_auto. So it will fail to stop the array too because MD_CLOSING is
+already set.
+
+Reviewed-by: Yu Kuai <yukuai3@huawei.com>
+Signed-off-by: Xiao Ni <xni@redhat.com>
+Link: https://lore.kernel.org/linux-raid/20250611073108.25463-2-xni@redhat.com
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md.c | 33 +++++++++++++++++++++++----------
+ drivers/md/md.h | 26 ++++++++++++++++++++++++--
+ 2 files changed, 47 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index b086cbf24086..8e3939c0d2ed 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -639,9 +639,6 @@ static void __mddev_put(struct mddev *mddev)
+ mddev->ctime || mddev->hold_active)
+ return;
+
+- /* Array is not configured at all, and not held active, so destroy it */
+- set_bit(MD_DELETED, &mddev->flags);
+-
+ /*
+ * Call queue_work inside the spinlock so that flush_workqueue() after
+ * mddev_find will succeed in waiting for the work to be done.
+@@ -837,6 +834,16 @@ void mddev_unlock(struct mddev *mddev)
+ kobject_del(&rdev->kobj);
+ export_rdev(rdev, mddev);
+ }
++
++ /* Call del_gendisk after release reconfig_mutex to avoid
++ * deadlock (e.g. call del_gendisk under the lock and an
++ * access to sysfs files waits the lock)
++ * And MD_DELETED is only used for md raid which is set in
++ * do_md_stop. dm raid only uses md_stop to stop. So dm raid
++ * doesn't need to check MD_DELETED when getting reconfig lock
++ */
++ if (test_bit(MD_DELETED, &mddev->flags))
++ del_gendisk(mddev->gendisk);
+ }
+ EXPORT_SYMBOL_GPL(mddev_unlock);
+
+@@ -5616,19 +5623,30 @@ md_attr_store(struct kobject *kobj, struct attribute *attr,
+ struct md_sysfs_entry *entry = container_of(attr, struct md_sysfs_entry, attr);
+ struct mddev *mddev = container_of(kobj, struct mddev, kobj);
+ ssize_t rv;
++ struct kernfs_node *kn = NULL;
+
+ if (!entry->store)
+ return -EIO;
+ if (!capable(CAP_SYS_ADMIN))
+ return -EACCES;
++
++ if (entry->store == array_state_store && cmd_match(page, "clear"))
++ kn = sysfs_break_active_protection(kobj, attr);
++
+ spin_lock(&all_mddevs_lock);
+ if (!mddev_get(mddev)) {
+ spin_unlock(&all_mddevs_lock);
++ if (kn)
++ sysfs_unbreak_active_protection(kn);
+ return -EBUSY;
+ }
+ spin_unlock(&all_mddevs_lock);
+ rv = entry->store(mddev, page, length);
+ mddev_put(mddev);
++
++ if (kn)
++ sysfs_unbreak_active_protection(kn);
++
+ return rv;
+ }
+
+@@ -5636,12 +5654,6 @@ static void md_kobj_release(struct kobject *ko)
+ {
+ struct mddev *mddev = container_of(ko, struct mddev, kobj);
+
+- if (mddev->sysfs_state)
+- sysfs_put(mddev->sysfs_state);
+- if (mddev->sysfs_level)
+- sysfs_put(mddev->sysfs_level);
+-
+- del_gendisk(mddev->gendisk);
+ put_disk(mddev->gendisk);
+ }
+
+@@ -6531,8 +6543,9 @@ static int do_md_stop(struct mddev *mddev, int mode,
+ mddev->bitmap_info.offset = 0;
+
+ export_array(mddev);
+-
+ md_clean(mddev);
++ set_bit(MD_DELETED, &mddev->flags);
++
+ if (mddev->hold_active == UNTIL_STOP)
+ mddev->hold_active = 0;
+ }
+diff --git a/drivers/md/md.h b/drivers/md/md.h
+index 46995558d3bd..0a7c9122db50 100644
+--- a/drivers/md/md.h
++++ b/drivers/md/md.h
+@@ -589,11 +589,26 @@ static inline bool is_md_suspended(struct mddev *mddev)
+
+ static inline int __must_check mddev_lock(struct mddev *mddev)
+ {
+- return mutex_lock_interruptible(&mddev->reconfig_mutex);
++ int ret;
++
++ ret = mutex_lock_interruptible(&mddev->reconfig_mutex);
++
++ /* MD_DELETED is set in do_md_stop with reconfig_mutex.
++ * So check it here.
++ */
++ if (!ret && test_bit(MD_DELETED, &mddev->flags)) {
++ ret = -ENODEV;
++ mutex_unlock(&mddev->reconfig_mutex);
++ }
++
++ return ret;
+ }
+
+ /* Sometimes we need to take the lock in a situation where
+ * failure due to interrupts is not acceptable.
++ * It doesn't need to check MD_DELETED here, the owner which
++ * holds the lock here can't be stopped. And all paths can't
++ * call this function after do_md_stop.
+ */
+ static inline void mddev_lock_nointr(struct mddev *mddev)
+ {
+@@ -602,7 +617,14 @@ static inline void mddev_lock_nointr(struct mddev *mddev)
+
+ static inline int mddev_trylock(struct mddev *mddev)
+ {
+- return mutex_trylock(&mddev->reconfig_mutex);
++ int ret;
++
++ ret = mutex_trylock(&mddev->reconfig_mutex);
++ if (!ret && test_bit(MD_DELETED, &mddev->flags)) {
++ ret = -ENODEV;
++ mutex_unlock(&mddev->reconfig_mutex);
++ }
++ return ret;
+ }
+ extern void mddev_unlock(struct mddev *mddev);
+
+--
+2.39.5
+
--- /dev/null
+From 174a8480dbfd01286a99af0ec605fed5a5919d60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 13:11:57 +0530
+Subject: md: dm-zoned-target: Initialize return variable r to avoid
+ uninitialized use
+
+From: Purva Yeshi <purvayeshi550@gmail.com>
+
+[ Upstream commit 487767bff572d46f7c37ad846c4078f6d6c9cc55 ]
+
+Fix Smatch-detected error:
+drivers/md/dm-zoned-target.c:1073 dmz_iterate_devices()
+error: uninitialized symbol 'r'.
+
+Smatch detects a possible use of the uninitialized variable 'r' in
+dmz_iterate_devices() because if dmz->nr_ddevs is zero, the loop is
+skipped and 'r' is returned without being set, leading to undefined
+behavior.
+
+Initialize 'r' to 0 before the loop. This ensures that if there are no
+devices to iterate over, the function still returns a defined value.
+
+Signed-off-by: Purva Yeshi <purvayeshi550@gmail.com>
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm-zoned-target.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/md/dm-zoned-target.c b/drivers/md/dm-zoned-target.c
+index b487f7acc860..36e55a5bcb0d 100644
+--- a/drivers/md/dm-zoned-target.c
++++ b/drivers/md/dm-zoned-target.c
+@@ -1062,7 +1062,7 @@ static int dmz_iterate_devices(struct dm_target *ti,
+ struct dmz_target *dmz = ti->private;
+ unsigned int zone_nr_sectors = dmz_zone_nr_sectors(dmz->metadata);
+ sector_t capacity;
+- int i, r;
++ int i, r = 0;
+
+ for (i = 0; i < dmz->nr_ddevs; i++) {
+ capacity = dmz->dev[i].capacity & ~(zone_nr_sectors - 1);
+--
+2.39.5
+
--- /dev/null
+From c365a20552d7d7a9eb03cbefd91176c004e24340 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 15:31:07 +0800
+Subject: md: Don't clear MD_CLOSING until mddev is freed
+
+From: Xiao Ni <xni@redhat.com>
+
+[ Upstream commit 5f286f33553d600e6c2fb5a23dd6afcf99b3ebac ]
+
+UNTIL_STOP is used to avoid mddev is freed on the last close before adding
+disks to mddev. And it should be cleared when stopping an array which is
+mentioned in commit efeb53c0e572 ("md: Allow md devices to be created by
+name."). So reset ->hold_active to 0 in md_clean.
+
+And MD_CLOSING should be kept until mddev is freed to avoid reopen.
+
+Reviewed-by: Yu Kuai <yukuai3@huawei.com>
+Signed-off-by: Xiao Ni <xni@redhat.com>
+Link: https://lore.kernel.org/linux-raid/20250611073108.25463-3-xni@redhat.com
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md.c | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index 8e3939c0d2ed..6a3b5b131111 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -6265,15 +6265,10 @@ static void md_clean(struct mddev *mddev)
+ mddev->persistent = 0;
+ mddev->level = LEVEL_NONE;
+ mddev->clevel[0] = 0;
+- /*
+- * Don't clear MD_CLOSING, or mddev can be opened again.
+- * 'hold_active != 0' means mddev is still in the creation
+- * process and will be used later.
+- */
+- if (mddev->hold_active)
+- mddev->flags = 0;
+- else
+- mddev->flags &= BIT_ULL_MASK(MD_CLOSING);
++ /* if UNTIL_STOP is set, it's cleared here */
++ mddev->hold_active = 0;
++ /* Don't clear MD_CLOSING, or mddev can be opened again. */
++ mddev->flags &= BIT_ULL_MASK(MD_CLOSING);
+ mddev->sb_flags = 0;
+ mddev->ro = MD_RDWR;
+ mddev->metadata_type[0] = 0;
+@@ -6545,9 +6540,6 @@ static int do_md_stop(struct mddev *mddev, int mode,
+ export_array(mddev);
+ md_clean(mddev);
+ set_bit(MD_DELETED, &mddev->flags);
+-
+- if (mddev->hold_active == UNTIL_STOP)
+- mddev->hold_active = 0;
+ }
+ md_new_event();
+ sysfs_notify_dirent_safe(mddev->sysfs_state);
+--
+2.39.5
+
--- /dev/null
+From a036de632cd4e177ec5fcaaabc0115bacc2d0d77 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Jun 2025 21:32:31 -0400
+Subject: media: dvb-frontends: dib7090p: fix null-ptr-deref in
+ dib7090p_rw_on_apb()
+
+From: Alex Guo <alexguo1023@gmail.com>
+
+[ Upstream commit ce5cac69b2edac3e3246fee03e8f4c2a1075238b ]
+
+In dib7090p_rw_on_apb, msg is controlled by user. When msg[0].buf is null and
+msg[0].len is zero, former checks on msg[0].buf would be passed. If accessing
+msg[0].buf[2] without sanity check, null pointer deref would happen. We add
+check on msg[0].len to prevent crash. Similar issue occurs when access
+msg[1].buf[0] and msg[1].buf[1].
+
+Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")
+
+Signed-off-by: Alex Guo <alexguo1023@gmail.com>
+Link: https://lore.kernel.org/r/20250616013231.730221-1-alexguo1023@gmail.com
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-frontends/dib7000p.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/media/dvb-frontends/dib7000p.c b/drivers/media/dvb-frontends/dib7000p.c
+index 444fe1c4bf2d..f94660dd9df0 100644
+--- a/drivers/media/dvb-frontends/dib7000p.c
++++ b/drivers/media/dvb-frontends/dib7000p.c
+@@ -2261,8 +2261,12 @@ static int dib7090p_rw_on_apb(struct i2c_adapter *i2c_adap,
+ u16 word;
+
+ if (num == 1) { /* write */
++ if (msg[0].len < 3)
++ return -EOPNOTSUPP;
+ dib7000p_write_word(state, apb_address, ((msg[0].buf[1] << 8) | (msg[0].buf[2])));
+ } else {
++ if (msg[1].len < 2)
++ return -EOPNOTSUPP;
+ word = dib7000p_read_word(state, apb_address);
+ msg[1].buf[0] = (word >> 8) & 0xff;
+ msg[1].buf[1] = (word) & 0xff;
+--
+2.39.5
+
--- /dev/null
+From 81c03efd8d1e8f8f609eceffaf648de3826a22e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Jun 2025 21:33:53 -0400
+Subject: media: dvb-frontends: w7090p: fix null-ptr-deref in
+ w7090p_tuner_write_serpar and w7090p_tuner_read_serpar
+
+From: Alex Guo <alexguo1023@gmail.com>
+
+[ Upstream commit ed0234c8458b3149f15e496b48a1c9874dd24a1b ]
+
+In w7090p_tuner_write_serpar, msg is controlled by user. When msg[0].buf is null and msg[0].len is zero, former checks on msg[0].buf would be passed. If accessing msg[0].buf[2] without sanity check, null pointer deref would happen. We add
+check on msg[0].len to prevent crash.
+
+Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")
+
+Signed-off-by: Alex Guo <alexguo1023@gmail.com>
+Link: https://lore.kernel.org/r/20250616013353.738790-1-alexguo1023@gmail.com
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-frontends/dib7000p.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/media/dvb-frontends/dib7000p.c b/drivers/media/dvb-frontends/dib7000p.c
+index f94660dd9df0..e561c7cc35bf 100644
+--- a/drivers/media/dvb-frontends/dib7000p.c
++++ b/drivers/media/dvb-frontends/dib7000p.c
+@@ -2198,6 +2198,8 @@ static int w7090p_tuner_write_serpar(struct i2c_adapter *i2c_adap, struct i2c_ms
+ struct dib7000p_state *state = i2c_get_adapdata(i2c_adap);
+ u8 n_overflow = 1;
+ u16 i = 1000;
++ if (msg[0].len < 3)
++ return -EOPNOTSUPP;
+ u16 serpar_num = msg[0].buf[0];
+
+ while (n_overflow == 1 && i) {
+@@ -2217,6 +2219,8 @@ static int w7090p_tuner_read_serpar(struct i2c_adapter *i2c_adap, struct i2c_msg
+ struct dib7000p_state *state = i2c_get_adapdata(i2c_adap);
+ u8 n_overflow = 1, n_empty = 1;
+ u16 i = 1000;
++ if (msg[0].len < 1 || msg[1].len < 2)
++ return -EOPNOTSUPP;
+ u16 serpar_num = msg[0].buf[0];
+ u16 read_word;
+
+--
+2.39.5
+
--- /dev/null
+From 8cd80d54439bafafff428a0a986ffb5023a3ae70 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 19:37:15 +0100
+Subject: media: tc358743: Check I2C succeeded during probe
+
+From: Dave Stevenson <dave.stevenson@raspberrypi.com>
+
+[ Upstream commit 303d81635e1d9c949b370215cc94526ed81f2e3d ]
+
+The probe for the TC358743 reads the CHIPID register from
+the device and compares it to the expected value of 0.
+If the I2C request fails then that also returns 0, so
+the driver loads thinking that the device is there.
+
+Generally I2C communications are reliable so there is
+limited need to check the return value on every transfer,
+therefore only amend the one read during probe to check
+for I2C errors.
+
+Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/tc358743.c | 27 +++++++++++++++++++++++----
+ 1 file changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c
+index c81dd4183404..f516651e95cf 100644
+--- a/drivers/media/i2c/tc358743.c
++++ b/drivers/media/i2c/tc358743.c
+@@ -110,7 +110,7 @@ static inline struct tc358743_state *to_state(struct v4l2_subdev *sd)
+
+ /* --------------- I2C --------------- */
+
+-static void i2c_rd(struct v4l2_subdev *sd, u16 reg, u8 *values, u32 n)
++static int i2c_rd(struct v4l2_subdev *sd, u16 reg, u8 *values, u32 n)
+ {
+ struct tc358743_state *state = to_state(sd);
+ struct i2c_client *client = state->i2c_client;
+@@ -136,6 +136,7 @@ static void i2c_rd(struct v4l2_subdev *sd, u16 reg, u8 *values, u32 n)
+ v4l2_err(sd, "%s: reading register 0x%x from 0x%x failed: %d\n",
+ __func__, reg, client->addr, err);
+ }
++ return err != ARRAY_SIZE(msgs);
+ }
+
+ static void i2c_wr(struct v4l2_subdev *sd, u16 reg, u8 *values, u32 n)
+@@ -192,15 +193,24 @@ static void i2c_wr(struct v4l2_subdev *sd, u16 reg, u8 *values, u32 n)
+ }
+ }
+
+-static noinline u32 i2c_rdreg(struct v4l2_subdev *sd, u16 reg, u32 n)
++static noinline u32 i2c_rdreg_err(struct v4l2_subdev *sd, u16 reg, u32 n,
++ int *err)
+ {
++ int error;
+ __le32 val = 0;
+
+- i2c_rd(sd, reg, (u8 __force *)&val, n);
++ error = i2c_rd(sd, reg, (u8 __force *)&val, n);
++ if (err)
++ *err = error;
+
+ return le32_to_cpu(val);
+ }
+
++static inline u32 i2c_rdreg(struct v4l2_subdev *sd, u16 reg, u32 n)
++{
++ return i2c_rdreg_err(sd, reg, n, NULL);
++}
++
+ static noinline void i2c_wrreg(struct v4l2_subdev *sd, u16 reg, u32 val, u32 n)
+ {
+ __le32 raw = cpu_to_le32(val);
+@@ -229,6 +239,13 @@ static u16 i2c_rd16(struct v4l2_subdev *sd, u16 reg)
+ return i2c_rdreg(sd, reg, 2);
+ }
+
++static int i2c_rd16_err(struct v4l2_subdev *sd, u16 reg, u16 *value)
++{
++ int err;
++ *value = i2c_rdreg_err(sd, reg, 2, &err);
++ return err;
++}
++
+ static void i2c_wr16(struct v4l2_subdev *sd, u16 reg, u16 val)
+ {
+ i2c_wrreg(sd, reg, val, 2);
+@@ -2021,6 +2038,7 @@ static int tc358743_probe(struct i2c_client *client)
+ struct tc358743_platform_data *pdata = client->dev.platform_data;
+ struct v4l2_subdev *sd;
+ u16 irq_mask = MASK_HDMI_MSK | MASK_CSI_MSK;
++ u16 chipid;
+ int err;
+
+ if (!i2c_check_functionality(client->adapter, I2C_FUNC_SMBUS_BYTE_DATA))
+@@ -2052,7 +2070,8 @@ static int tc358743_probe(struct i2c_client *client)
+ sd->flags |= V4L2_SUBDEV_FL_HAS_DEVNODE | V4L2_SUBDEV_FL_HAS_EVENTS;
+
+ /* i2c access */
+- if ((i2c_rd16(sd, CHIPID) & MASK_CHIPID) != 0) {
++ if (i2c_rd16_err(sd, CHIPID, &chipid) ||
++ (chipid & MASK_CHIPID) != 0) {
+ v4l2_info(sd, "not a TC358743 on address 0x%x\n",
+ client->addr << 1);
+ return -ENODEV;
+--
+2.39.5
+
--- /dev/null
+From 14d462685efac2f1a3830ec59d4549e78cda7c74 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 19:37:14 +0100
+Subject: media: tc358743: Increase FIFO trigger level to 374
+
+From: Dave Stevenson <dave.stevenson@raspberrypi.com>
+
+[ Upstream commit 86addd25314a1e77dbdcfddfeed0bab2f27da0e2 ]
+
+The existing fixed value of 16 worked for UYVY 720P60 over
+2 lanes at 594MHz, or UYVY 1080P60 over 4 lanes. (RGB888
+1080P60 needs 6 lanes at 594MHz).
+It doesn't allow for lower resolutions to work as the FIFO
+underflows.
+
+374 is required for 1080P24 or 1080P30 UYVY over 2 lanes @
+972Mbit/s, but >374 means that the FIFO underflows on 1080P50
+UYVY over 2 lanes @ 972Mbit/s.
+
+Whilst it would be nice to compute it, the required information
+isn't published by Toshiba.
+
+Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/tc358743.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c
+index a70a3287fb8f..8a1a33862ba7 100644
+--- a/drivers/media/i2c/tc358743.c
++++ b/drivers/media/i2c/tc358743.c
+@@ -1939,8 +1939,19 @@ static int tc358743_probe_of(struct tc358743_state *state)
+ state->pdata.refclk_hz = clk_get_rate(refclk);
+ state->pdata.ddc5v_delay = DDC5V_DELAY_100_MS;
+ state->pdata.enable_hdcp = false;
+- /* A FIFO level of 16 should be enough for 2-lane 720p60 at 594 MHz. */
+- state->pdata.fifo_level = 16;
++ /*
++ * Ideally the FIFO trigger level should be set based on the input and
++ * output data rates, but the calculations required are buried in
++ * Toshiba's register settings spreadsheet.
++ * A value of 16 works with a 594Mbps data rate for 720p60 (using 2
++ * lanes) and 1080p60 (using 4 lanes), but fails when the data rate
++ * is increased, or a lower pixel clock is used that result in CSI
++ * reading out faster than the data is arriving.
++ *
++ * A value of 374 works with both those modes at 594Mbps, and with most
++ * modes on 972Mbps.
++ */
++ state->pdata.fifo_level = 374;
+ /*
+ * The PLL input clock is obtained by dividing refclk by pll_prd.
+ * It must be between 6 MHz and 40 MHz, lower frequency is better.
+--
+2.39.5
+
--- /dev/null
+From a9c7ebea5315689412ecdf4cf4e9724faa2b38b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 19:37:16 +0100
+Subject: media: tc358743: Return an appropriate colorspace from
+ tc358743_set_fmt
+
+From: Dave Stevenson <dave.stevenson@raspberrypi.com>
+
+[ Upstream commit 377cc006a364dfdab2f3f221cfad63a9265200b8 ]
+
+When calling tc358743_set_fmt, the code was calling tc358743_get_fmt
+to choose a valid format. However that sets the colorspace
+based on information read back from the chip, not the colour
+format requested.
+
+The result was that if you called try or set format for UYVY
+when the current format was RGB3 then you would get told SRGB,
+and try RGB3 when current was UYVY and you would get told
+SMPTE170M.
+
+The value programmed in the VI_REP register for the colorspace
+is always set by this driver, therefore there is no need to read
+back the value, and never set to REC709.
+Return the colorspace based on the format set/tried instead.
+
+Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/tc358743.c | 44 ++++++++++++++----------------------
+ 1 file changed, 17 insertions(+), 27 deletions(-)
+
+diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c
+index f516651e95cf..a70a3287fb8f 100644
+--- a/drivers/media/i2c/tc358743.c
++++ b/drivers/media/i2c/tc358743.c
+@@ -1668,12 +1668,23 @@ static int tc358743_enum_mbus_code(struct v4l2_subdev *sd,
+ return 0;
+ }
+
++static u32 tc358743_g_colorspace(u32 code)
++{
++ switch (code) {
++ case MEDIA_BUS_FMT_RGB888_1X24:
++ return V4L2_COLORSPACE_SRGB;
++ case MEDIA_BUS_FMT_UYVY8_1X16:
++ return V4L2_COLORSPACE_SMPTE170M;
++ default:
++ return 0;
++ }
++}
++
+ static int tc358743_get_fmt(struct v4l2_subdev *sd,
+ struct v4l2_subdev_state *sd_state,
+ struct v4l2_subdev_format *format)
+ {
+ struct tc358743_state *state = to_state(sd);
+- u8 vi_rep = i2c_rd8(sd, VI_REP);
+
+ if (format->pad != 0)
+ return -EINVAL;
+@@ -1683,23 +1694,7 @@ static int tc358743_get_fmt(struct v4l2_subdev *sd,
+ format->format.height = state->timings.bt.height;
+ format->format.field = V4L2_FIELD_NONE;
+
+- switch (vi_rep & MASK_VOUT_COLOR_SEL) {
+- case MASK_VOUT_COLOR_RGB_FULL:
+- case MASK_VOUT_COLOR_RGB_LIMITED:
+- format->format.colorspace = V4L2_COLORSPACE_SRGB;
+- break;
+- case MASK_VOUT_COLOR_601_YCBCR_LIMITED:
+- case MASK_VOUT_COLOR_601_YCBCR_FULL:
+- format->format.colorspace = V4L2_COLORSPACE_SMPTE170M;
+- break;
+- case MASK_VOUT_COLOR_709_YCBCR_FULL:
+- case MASK_VOUT_COLOR_709_YCBCR_LIMITED:
+- format->format.colorspace = V4L2_COLORSPACE_REC709;
+- break;
+- default:
+- format->format.colorspace = 0;
+- break;
+- }
++ format->format.colorspace = tc358743_g_colorspace(format->format.code);
+
+ return 0;
+ }
+@@ -1713,19 +1708,14 @@ static int tc358743_set_fmt(struct v4l2_subdev *sd,
+ u32 code = format->format.code; /* is overwritten by get_fmt */
+ int ret = tc358743_get_fmt(sd, sd_state, format);
+
+- format->format.code = code;
++ if (code == MEDIA_BUS_FMT_RGB888_1X24 ||
++ code == MEDIA_BUS_FMT_UYVY8_1X16)
++ format->format.code = code;
++ format->format.colorspace = tc358743_g_colorspace(format->format.code);
+
+ if (ret)
+ return ret;
+
+- switch (code) {
+- case MEDIA_BUS_FMT_RGB888_1X24:
+- case MEDIA_BUS_FMT_UYVY8_1X16:
+- break;
+- default:
+- return -EINVAL;
+- }
+-
+ if (format->which == V4L2_SUBDEV_FORMAT_TRY)
+ return 0;
+
+--
+2.39.5
+
--- /dev/null
+From f781fa99423caac3e4be98a70aeec6dd37d6a981 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 May 2025 10:09:54 +0200
+Subject: media: usb: hdpvr: disable zero-length read messages
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit b5ae5a79825ba8037b0be3ef677a24de8c063abf ]
+
+This driver passes the length of an i2c_msg directly to
+usb_control_msg(). If the message is now a read and of length 0, it
+violates the USB protocol and a warning will be printed. Enable the
+I2C_AQ_NO_ZERO_LEN_READ quirk for this adapter thus forbidding 0-length
+read messages altogether.
+
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/hdpvr/hdpvr-i2c.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/media/usb/hdpvr/hdpvr-i2c.c b/drivers/media/usb/hdpvr/hdpvr-i2c.c
+index 070559b01b01..54956a8ff15e 100644
+--- a/drivers/media/usb/hdpvr/hdpvr-i2c.c
++++ b/drivers/media/usb/hdpvr/hdpvr-i2c.c
+@@ -165,10 +165,16 @@ static const struct i2c_algorithm hdpvr_algo = {
+ .functionality = hdpvr_functionality,
+ };
+
++/* prevent invalid 0-length usb_control_msg */
++static const struct i2c_adapter_quirks hdpvr_quirks = {
++ .flags = I2C_AQ_NO_ZERO_LEN_READ,
++};
++
+ static const struct i2c_adapter hdpvr_i2c_adapter_template = {
+ .name = "Hauppauge HD PVR I2C",
+ .owner = THIS_MODULE,
+ .algo = &hdpvr_algo,
++ .quirks = &hdpvr_quirks,
+ };
+
+ static int hdpvr_activate_ir(struct hdpvr_device *dev)
+--
+2.39.5
+
--- /dev/null
+From 9bf7068c45d8bd4b69c2633e0423bcf363e2ad09 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 May 2025 14:18:03 +0800
+Subject: media: uvcvideo: Fix bandwidth issue for Alcor camera
+
+From: chenchangcheng <chenchangcheng@kylinos.cn>
+
+[ Upstream commit 9764401bf6f8a20eb11c2e78470f20fee91a9ea7 ]
+
+Some broken device return wrong dwMaxPayloadTransferSize fields as
+follows:
+
+[ 218.632537] uvcvideo: Device requested 2752512 B/frame bandwidth.
+[ 218.632598] uvcvideo: No fast enough alt setting for requested bandwidth.
+
+When dwMaxPayloadTransferSize is greater than maxpsize, it will prevent
+the camera from starting. So use the bandwidth of maxpsize.
+
+Signed-off-by: chenchangcheng <chenchangcheng@kylinos.cn>
+Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Link: https://lore.kernel.org/r/20250510061803.811433-1-ccc194101@163.com
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/uvc/uvc_video.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c
+index 9572fdfe74f2..83abca42c5f1 100644
+--- a/drivers/media/usb/uvc/uvc_video.c
++++ b/drivers/media/usb/uvc/uvc_video.c
+@@ -258,6 +258,15 @@ static void uvc_fixup_video_ctrl(struct uvc_streaming *stream,
+
+ ctrl->dwMaxPayloadTransferSize = bandwidth;
+ }
++
++ if (stream->intf->num_altsetting > 1 &&
++ ctrl->dwMaxPayloadTransferSize > stream->maxpsize) {
++ dev_warn_ratelimited(&stream->intf->dev,
++ "UVC non compliance: the max payload transmission size (%u) exceeds the size of the ep max packet (%u). Using the max size.\n",
++ ctrl->dwMaxPayloadTransferSize,
++ stream->maxpsize);
++ ctrl->dwMaxPayloadTransferSize = stream->maxpsize;
++ }
+ }
+
+ static size_t uvc_video_ctrl_size(struct uvc_streaming *stream)
+--
+2.39.5
+
--- /dev/null
+From eea2167fd52cf20bd160f33a250ac4979bf7536b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 May 2025 10:37:45 +0200
+Subject: media: v4l2-common: Reduce warnings about missing V4L2_CID_LINK_FREQ
+ control
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+
+[ Upstream commit 5a0abb8909b9dcf347fce1d201ac6686ac33fd64 ]
+
+When operating a pipeline with a missing V4L2_CID_LINK_FREQ control this
+two line warning is printed each time the pipeline is started. Reduce
+this excessive logging by only warning once for the missing control.
+
+Signed-off-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/v4l2-core/v4l2-common.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/v4l2-core/v4l2-common.c b/drivers/media/v4l2-core/v4l2-common.c
+index 3a4b15a98e02..b37507e09339 100644
+--- a/drivers/media/v4l2-core/v4l2-common.c
++++ b/drivers/media/v4l2-core/v4l2-common.c
+@@ -487,10 +487,10 @@ s64 v4l2_get_link_freq(struct v4l2_ctrl_handler *handler, unsigned int mul,
+
+ freq = div_u64(v4l2_ctrl_g_ctrl_int64(ctrl) * mul, div);
+
+- pr_warn("%s: Link frequency estimated using pixel rate: result might be inaccurate\n",
+- __func__);
+- pr_warn("%s: Consider implementing support for V4L2_CID_LINK_FREQ in the transmitter driver\n",
+- __func__);
++ pr_warn_once("%s: Link frequency estimated using pixel rate: result might be inaccurate\n",
++ __func__);
++ pr_warn_once("%s: Consider implementing support for V4L2_CID_LINK_FREQ in the transmitter driver\n",
++ __func__);
+ }
+
+ return freq > 0 ? freq : -EINVAL;
+--
+2.39.5
+
--- /dev/null
+From d1594a0188ea87803c135073e52ff6b3b07839ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Jun 2025 10:50:52 +0200
+Subject: mei: bus: Check for still connected devices in
+ mei_cl_bus_dev_release()
+
+From: Hans de Goede <hansg@kernel.org>
+
+[ Upstream commit 35e8a426b16adbecae7a4e0e3c00fc8d0273db53 ]
+
+mei_cl_bus_dev_release() also frees the mei-client (struct mei_cl)
+belonging to the device being released.
+
+If there are bugs like the just fixed bug in the ACE/CSI2 mei drivers,
+the mei-client being freed might still be part of the mei_device's
+file_list and iterating over this list after the freeing will then trigger
+a use-afer-free bug.
+
+Add a check to mei_cl_bus_dev_release() to make sure that the to-be-freed
+mei-client is not on the mei_device's file_list.
+
+Signed-off-by: Hans de Goede <hansg@kernel.org>
+Link: https://lore.kernel.org/r/20250623085052.12347-11-hansg@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/mei/bus.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/misc/mei/bus.c b/drivers/misc/mei/bus.c
+index 2e65ce6bdec7..b94cf7393fad 100644
+--- a/drivers/misc/mei/bus.c
++++ b/drivers/misc/mei/bus.c
+@@ -1269,10 +1269,16 @@ static void mei_dev_bus_put(struct mei_device *bus)
+ static void mei_cl_bus_dev_release(struct device *dev)
+ {
+ struct mei_cl_device *cldev = to_mei_cl_device(dev);
++ struct mei_device *mdev = cldev->cl->dev;
++ struct mei_cl *cl;
+
+ mei_cl_flush_queues(cldev->cl, NULL);
+ mei_me_cl_put(cldev->me_cl);
+ mei_dev_bus_put(cldev->bus);
++
++ list_for_each_entry(cl, &mdev->file_list, link)
++ WARN_ON(cl == cldev->cl);
++
+ kfree(cldev->cl);
+ kfree(cldev);
+ }
+--
+2.39.5
+
--- /dev/null
+From d02fc8e4ee410a60029c47111affc787146b9ad7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 01:32:07 +0800
+Subject: mfd: axp20x: Set explicit ID for AXP313 regulator
+
+From: Chen-Yu Tsai <wens@csie.org>
+
+[ Upstream commit 88828c7e940dd45d139ad4a39d702b23840a37c5 ]
+
+On newer boards featuring the A523 SoC, the AXP323 (related to the
+AXP313) is paired with the AXP717 and serves as a secondary PMIC
+providing additional regulator outputs. However the MFD cells are all
+registered with PLATFORM_DEVID_NONE, which causes the regulator cells
+to conflict with each other.
+
+Commit e37ec3218870 ("mfd: axp20x: Allow multiple regulators") attempted
+to fix this by switching to PLATFORM_DEVID_AUTO so that the device names
+would all be different, however that broke IIO channel mapping, which is
+also tied to the device names. As a result the change was later reverted.
+
+Instead, here we attempt to make sure the AXP313/AXP323 regulator cell
+does not conflict by explicitly giving it an ID number. This was
+previously done for the AXP809+AXP806 pair used with the A80 SoC.
+
+Signed-off-by: Chen-Yu Tsai <wens@csie.org>
+Link: https://lore.kernel.org/r/20250619173207.3367126-1-wens@kernel.org
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/axp20x.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mfd/axp20x.c b/drivers/mfd/axp20x.c
+index 87603eeaa277..2b85da0fcf27 100644
+--- a/drivers/mfd/axp20x.c
++++ b/drivers/mfd/axp20x.c
+@@ -936,7 +936,8 @@ static const struct mfd_cell axp152_cells[] = {
+ };
+
+ static struct mfd_cell axp313a_cells[] = {
+- MFD_CELL_NAME("axp20x-regulator"),
++ /* AXP323 is sometimes paired with AXP717 as sub-PMIC */
++ MFD_CELL_BASIC("axp20x-regulator", NULL, NULL, 0, 1),
+ MFD_CELL_RES("axp313a-pek", axp313a_pek_resources),
+ };
+
+--
+2.39.5
+
--- /dev/null
+From b3b28ac493c9a61cf44d811d30a8764a82e0c85c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 13:28:26 +0200
+Subject: MIPS: Don't crash in stack_top() for tasks without ABI or vDSO
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
+
+[ Upstream commit e9f4a6b3421e936c3ee9d74710243897d74dbaa2 ]
+
+Not all tasks have an ABI associated or vDSO mapped,
+for example kthreads never do.
+If such a task ever ends up calling stack_top(), it will derefence the
+NULL ABI pointer and crash.
+
+This can for example happen when using kunit:
+
+ mips_stack_top+0x28/0xc0
+ arch_pick_mmap_layout+0x190/0x220
+ kunit_vm_mmap_init+0xf8/0x138
+ __kunit_add_resource+0x40/0xa8
+ kunit_vm_mmap+0x88/0xd8
+ usercopy_test_init+0xb8/0x240
+ kunit_try_run_case+0x5c/0x1a8
+ kunit_generic_run_threadfn_adapter+0x28/0x50
+ kthread+0x118/0x240
+ ret_from_kernel_thread+0x14/0x1c
+
+Only dereference the ABI point if it is set.
+
+The GIC page is also included as it is specific to the vDSO.
+Also move the randomization adjustment into the same conditional.
+
+Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
+Reviewed-by: David Gow <davidgow@google.com>
+Reviewed-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/kernel/process.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c
+index b630604c577f..02aa6a04a21d 100644
+--- a/arch/mips/kernel/process.c
++++ b/arch/mips/kernel/process.c
+@@ -690,18 +690,20 @@ unsigned long mips_stack_top(void)
+ }
+
+ /* Space for the VDSO, data page & GIC user page */
+- top -= PAGE_ALIGN(current->thread.abi->vdso->size);
+- top -= PAGE_SIZE;
+- top -= mips_gic_present() ? PAGE_SIZE : 0;
++ if (current->thread.abi) {
++ top -= PAGE_ALIGN(current->thread.abi->vdso->size);
++ top -= PAGE_SIZE;
++ top -= mips_gic_present() ? PAGE_SIZE : 0;
++
++ /* Space to randomize the VDSO base */
++ if (current->flags & PF_RANDOMIZE)
++ top -= VDSO_RANDOMIZE_SIZE;
++ }
+
+ /* Space for cache colour alignment */
+ if (cpu_has_dc_aliases)
+ top -= shm_align_mask + 1;
+
+- /* Space to randomize the VDSO base */
+- if (current->flags & PF_RANDOMIZE)
+- top -= VDSO_RANDOMIZE_SIZE;
+-
+ return top;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From e58c22bf5a02a2385c9d46fbdc73dc24d420f957 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 22:53:23 +0800
+Subject: MIPS: lantiq: falcon: sysctrl: fix request memory check logic
+
+From: Shiji Yang <yangshiji66@outlook.com>
+
+[ Upstream commit 9c9a7ff9882fc6ba7d2f4050697e8bb80383e8dc ]
+
+request_mem_region() will return NULL instead of error code
+when the memory request fails. Therefore, we should check if
+the return value is non-zero instead of less than zero. In
+this way, this patch also fixes the build warnings:
+
+arch/mips/lantiq/falcon/sysctrl.c:214:50: error: ordered comparison of pointer with integer zero [-Werror=extra]
+ 214 | res_status.name) < 0) ||
+ | ^
+arch/mips/lantiq/falcon/sysctrl.c:216:47: error: ordered comparison of pointer with integer zero [-Werror=extra]
+ 216 | res_ebu.name) < 0) ||
+ | ^
+arch/mips/lantiq/falcon/sysctrl.c:219:50: error: ordered comparison of pointer with integer zero [-Werror=extra]
+ 219 | res_sys[0].name) < 0) ||
+ | ^
+arch/mips/lantiq/falcon/sysctrl.c:222:50: error: ordered comparison of pointer with integer zero [-Werror=extra]
+ 222 | res_sys[1].name) < 0) ||
+ | ^
+arch/mips/lantiq/falcon/sysctrl.c:225:50: error: ordered comparison of pointer with integer zero [-Werror=extra]
+ 225 | res_sys[2].name) < 0))
+ |
+
+Signed-off-by: Shiji Yang <yangshiji66@outlook.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/lantiq/falcon/sysctrl.c | 23 ++++++++++-------------
+ 1 file changed, 10 insertions(+), 13 deletions(-)
+
+diff --git a/arch/mips/lantiq/falcon/sysctrl.c b/arch/mips/lantiq/falcon/sysctrl.c
+index 1187729d8cbb..357543996ee6 100644
+--- a/arch/mips/lantiq/falcon/sysctrl.c
++++ b/arch/mips/lantiq/falcon/sysctrl.c
+@@ -214,19 +214,16 @@ void __init ltq_soc_init(void)
+ of_node_put(np_syseth);
+ of_node_put(np_sysgpe);
+
+- if ((request_mem_region(res_status.start, resource_size(&res_status),
+- res_status.name) < 0) ||
+- (request_mem_region(res_ebu.start, resource_size(&res_ebu),
+- res_ebu.name) < 0) ||
+- (request_mem_region(res_sys[0].start,
+- resource_size(&res_sys[0]),
+- res_sys[0].name) < 0) ||
+- (request_mem_region(res_sys[1].start,
+- resource_size(&res_sys[1]),
+- res_sys[1].name) < 0) ||
+- (request_mem_region(res_sys[2].start,
+- resource_size(&res_sys[2]),
+- res_sys[2].name) < 0))
++ if ((!request_mem_region(res_status.start, resource_size(&res_status),
++ res_status.name)) ||
++ (!request_mem_region(res_ebu.start, resource_size(&res_ebu),
++ res_ebu.name)) ||
++ (!request_mem_region(res_sys[0].start, resource_size(&res_sys[0]),
++ res_sys[0].name)) ||
++ (!request_mem_region(res_sys[1].start, resource_size(&res_sys[1]),
++ res_sys[1].name)) ||
++ (!request_mem_region(res_sys[2].start, resource_size(&res_sys[2]),
++ res_sys[2].name)))
+ pr_err("Failed to request core resources");
+
+ status_membase = ioremap(res_status.start,
+--
+2.39.5
+
--- /dev/null
+From cdd670f4bdb59142ad1200eb9c7182c5e53f01fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 21:06:32 +0800
+Subject: MIPS: vpe-mt: add missing prototypes for vpe_{alloc,start,stop,free}
+
+From: Shiji Yang <yangshiji66@outlook.com>
+
+[ Upstream commit 844615dd0f2d95c018ec66b943e08af22b62aff3 ]
+
+These functions are exported but their prototypes are not defined.
+This patch adds the missing function prototypes to fix the following
+compilation warnings:
+
+arch/mips/kernel/vpe-mt.c:180:7: error: no previous prototype for 'vpe_alloc' [-Werror=missing-prototypes]
+ 180 | void *vpe_alloc(void)
+ | ^~~~~~~~~
+arch/mips/kernel/vpe-mt.c:198:5: error: no previous prototype for 'vpe_start' [-Werror=missing-prototypes]
+ 198 | int vpe_start(void *vpe, unsigned long start)
+ | ^~~~~~~~~
+arch/mips/kernel/vpe-mt.c:208:5: error: no previous prototype for 'vpe_stop' [-Werror=missing-prototypes]
+ 208 | int vpe_stop(void *vpe)
+ | ^~~~~~~~
+arch/mips/kernel/vpe-mt.c:229:5: error: no previous prototype for 'vpe_free' [-Werror=missing-prototypes]
+ 229 | int vpe_free(void *vpe)
+ | ^~~~~~~~
+
+Signed-off-by: Shiji Yang <yangshiji66@outlook.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/include/asm/vpe.h | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/arch/mips/include/asm/vpe.h b/arch/mips/include/asm/vpe.h
+index 61fd4d0aeda4..c0769dc4b853 100644
+--- a/arch/mips/include/asm/vpe.h
++++ b/arch/mips/include/asm/vpe.h
+@@ -119,4 +119,12 @@ void cleanup_tc(struct tc *tc);
+
+ int __init vpe_module_init(void);
+ void __exit vpe_module_exit(void);
++
++#ifdef CONFIG_MIPS_VPE_LOADER_MT
++void *vpe_alloc(void);
++int vpe_start(void *vpe, unsigned long start);
++int vpe_stop(void *vpe);
++int vpe_free(void *vpe);
++#endif /* CONFIG_MIPS_VPE_LOADER_MT */
++
+ #endif /* _ASM_VPE_H */
+--
+2.39.5
+
--- /dev/null
+From 1e023f47a7b85b75fe95b1e0917116f84d52664f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 13:16:23 +0200
+Subject: mmc: rtsx_usb_sdmmc: Fix error-path in sd_set_power_mode()
+
+From: Ulf Hansson <ulf.hansson@linaro.org>
+
+[ Upstream commit 47a255f7d2eabee06cfbf5b1c2379749442fd01d ]
+
+In the error path of sd_set_power_mode() we don't update host->power_mode,
+which could lead to an imbalance of the runtime PM usage count. Fix this by
+always updating host->power_mode.
+
+Reviewed-by: Avri Altman <avri.altman@sandisk.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Acked-by: Ricky Wu <ricky_wu@realtek.com>
+Link: https://lore.kernel.org/r/20250610111633.504366-2-ulf.hansson@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/rtsx_usb_sdmmc.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/mmc/host/rtsx_usb_sdmmc.c b/drivers/mmc/host/rtsx_usb_sdmmc.c
+index ded9b6849e35..90ea92bbdb2c 100644
+--- a/drivers/mmc/host/rtsx_usb_sdmmc.c
++++ b/drivers/mmc/host/rtsx_usb_sdmmc.c
+@@ -1032,9 +1032,7 @@ static int sd_set_power_mode(struct rtsx_usb_sdmmc *host,
+ err = sd_power_on(host);
+ }
+
+- if (!err)
+- host->power_mode = power_mode;
+-
++ host->power_mode = power_mode;
+ return err;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 889950e9598eac01811de41e6c80aefc0e2811eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 15:36:59 +0530
+Subject: mmc: sdhci-msm: Ensure SD card power isn't ON when card removed
+
+From: Sarthak Garg <quic_sartgarg@quicinc.com>
+
+[ Upstream commit db58532188ebf51d52b1d7693d9e94c76b926e9f ]
+
+Many mobile phones feature multi-card tray designs, where the same
+tray is used for both SD and SIM cards. If the SD card is placed
+at the outermost location in the tray, the SIM card may come in
+contact with SD card power-supply while removing the tray, possibly
+resulting in SIM damage.
+
+To prevent that, make sure the SD card is really inserted by reading
+the Card Detect pin state. If it's not, turn off the power in
+sdhci_msm_check_power_status() and also set the BUS_FAIL power state
+on the controller as part of pwr_irq handling for BUS_ON request.
+
+Signed-off-by: Sarthak Garg <quic_sartgarg@quicinc.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Link: https://lore.kernel.org/r/20250701100659.3310386-1-quic_sartgarg@quicinc.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/sdhci-msm.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/mmc/host/sdhci-msm.c b/drivers/mmc/host/sdhci-msm.c
+index 82808cc373f6..c2144a3efb30 100644
+--- a/drivers/mmc/host/sdhci-msm.c
++++ b/drivers/mmc/host/sdhci-msm.c
+@@ -1564,6 +1564,7 @@ static void sdhci_msm_check_power_status(struct sdhci_host *host, u32 req_type)
+ {
+ struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
+ struct sdhci_msm_host *msm_host = sdhci_pltfm_priv(pltfm_host);
++ struct mmc_host *mmc = host->mmc;
+ bool done = false;
+ u32 val = SWITCHABLE_SIGNALING_VOLTAGE;
+ const struct sdhci_msm_offset *msm_offset =
+@@ -1621,6 +1622,12 @@ static void sdhci_msm_check_power_status(struct sdhci_host *host, u32 req_type)
+ "%s: pwr_irq for req: (%d) timed out\n",
+ mmc_hostname(host->mmc), req_type);
+ }
++
++ if ((req_type & REQ_BUS_ON) && mmc->card && !mmc->ops->get_cd(mmc)) {
++ sdhci_writeb(host, 0, SDHCI_POWER_CONTROL);
++ host->pwr = 0;
++ }
++
+ pr_debug("%s: %s: request %d done\n", mmc_hostname(host->mmc),
+ __func__, req_type);
+ }
+@@ -1679,6 +1686,13 @@ static void sdhci_msm_handle_pwr_irq(struct sdhci_host *host, int irq)
+ udelay(10);
+ }
+
++ if ((irq_status & CORE_PWRCTL_BUS_ON) && mmc->card &&
++ !mmc->ops->get_cd(mmc)) {
++ msm_host_writel(msm_host, CORE_PWRCTL_BUS_FAIL, host,
++ msm_offset->core_pwrctl_ctl);
++ return;
++ }
++
+ /* Handle BUS ON/OFF*/
+ if (irq_status & CORE_PWRCTL_BUS_ON) {
+ pwr_state = REQ_BUS_ON;
+--
+2.39.5
+
--- /dev/null
+From a06fe62a8c83876d51216760c48347a75a3622e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 16:32:32 +0200
+Subject: module: Prevent silent truncation of module name in delete_module(2)
+
+From: Petr Pavlu <petr.pavlu@suse.com>
+
+[ Upstream commit a6323bd4e611567913e23df5b58f2d4e4da06789 ]
+
+Passing a module name longer than MODULE_NAME_LEN to the delete_module
+syscall results in its silent truncation. This really isn't much of
+a problem in practice, but it could theoretically lead to the removal of an
+incorrect module. It is more sensible to return ENAMETOOLONG or ENOENT in
+such a case.
+
+Update the syscall to return ENOENT, as documented in the delete_module(2)
+man page to mean "No module by that name exists." This is appropriate
+because a module with a name longer than MODULE_NAME_LEN cannot be loaded
+in the first place.
+
+Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
+Reviewed-by: Daniel Gomez <da.gomez@samsung.com>
+Link: https://lore.kernel.org/r/20250630143535.267745-2-petr.pavlu@suse.com
+Signed-off-by: Daniel Gomez <da.gomez@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/module/main.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/module/main.c b/kernel/module/main.c
+index 9711ad14825b..627680e568fc 100644
+--- a/kernel/module/main.c
++++ b/kernel/module/main.c
+@@ -701,14 +701,16 @@ SYSCALL_DEFINE2(delete_module, const char __user *, name_user,
+ struct module *mod;
+ char name[MODULE_NAME_LEN];
+ char buf[MODULE_FLAGS_BUF_SIZE];
+- int ret, forced = 0;
++ int ret, len, forced = 0;
+
+ if (!capable(CAP_SYS_MODULE) || modules_disabled)
+ return -EPERM;
+
+- if (strncpy_from_user(name, name_user, MODULE_NAME_LEN-1) < 0)
+- return -EFAULT;
+- name[MODULE_NAME_LEN-1] = '\0';
++ len = strncpy_from_user(name, name_user, MODULE_NAME_LEN);
++ if (len == 0 || len == MODULE_NAME_LEN)
++ return -ENOENT;
++ if (len < 0)
++ return len;
+
+ audit_log_kern_module(name);
+
+--
+2.39.5
+
--- /dev/null
+From ecb3e25c2cec59f8119d9d4caf3534f8b9604841 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jun 2025 16:13:34 +0200
+Subject: neighbour: add support for NUD_PERMANENT proxy entries
+
+From: Nicolas Escande <nico.escande@gmail.com>
+
+[ Upstream commit c7d78566bbd30544a0618a6ffbc97bc0ddac7035 ]
+
+As discussesd before in [0] proxy entries (which are more configuration
+than runtime data) should stay when the link (carrier) goes does down.
+This is what happens for regular neighbour entries.
+
+So lets fix this by:
+ - storing in proxy entries the fact that it was added as NUD_PERMANENT
+ - not removing NUD_PERMANENT proxy entries when the carrier goes down
+ (same as how it's done in neigh_flush_dev() for regular neigh entries)
+
+[0]: https://lore.kernel.org/netdev/c584ef7e-6897-01f3-5b80-12b53f7b4bf4@kernel.org/
+
+Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
+Link: https://patch.msgid.link/20250617141334.3724863-1-nico.escande@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/neighbour.h | 1 +
+ net/core/neighbour.c | 12 +++++++++---
+ 2 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/include/net/neighbour.h b/include/net/neighbour.h
+index 0d28172193fa..d775906a65c7 100644
+--- a/include/net/neighbour.h
++++ b/include/net/neighbour.h
+@@ -180,6 +180,7 @@ struct pneigh_entry {
+ netdevice_tracker dev_tracker;
+ u32 flags;
+ u8 protocol;
++ bool permanent;
+ u32 key[];
+ };
+
+diff --git a/net/core/neighbour.c b/net/core/neighbour.c
+index 1e2e60ffe766..e6b36df482bc 100644
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -55,7 +55,8 @@ static void __neigh_notify(struct neighbour *n, int type, int flags,
+ u32 pid);
+ static void neigh_update_notify(struct neighbour *neigh, u32 nlmsg_pid);
+ static int pneigh_ifdown_and_unlock(struct neigh_table *tbl,
+- struct net_device *dev);
++ struct net_device *dev,
++ bool skip_perm);
+
+ #ifdef CONFIG_PROC_FS
+ static const struct seq_operations neigh_stat_seq_ops;
+@@ -444,7 +445,7 @@ static int __neigh_ifdown(struct neigh_table *tbl, struct net_device *dev,
+ {
+ write_lock_bh(&tbl->lock);
+ neigh_flush_dev(tbl, dev, skip_perm);
+- pneigh_ifdown_and_unlock(tbl, dev);
++ pneigh_ifdown_and_unlock(tbl, dev, skip_perm);
+ pneigh_queue_purge(&tbl->proxy_queue, dev ? dev_net(dev) : NULL,
+ tbl->family);
+ if (skb_queue_empty_lockless(&tbl->proxy_queue))
+@@ -845,7 +846,8 @@ int pneigh_delete(struct neigh_table *tbl, struct net *net, const void *pkey,
+ }
+
+ static int pneigh_ifdown_and_unlock(struct neigh_table *tbl,
+- struct net_device *dev)
++ struct net_device *dev,
++ bool skip_perm)
+ {
+ struct pneigh_entry *n, **np, *freelist = NULL;
+ u32 h;
+@@ -853,12 +855,15 @@ static int pneigh_ifdown_and_unlock(struct neigh_table *tbl,
+ for (h = 0; h <= PNEIGH_HASHMASK; h++) {
+ np = &tbl->phash_buckets[h];
+ while ((n = *np) != NULL) {
++ if (skip_perm && n->permanent)
++ goto skip;
+ if (!dev || n->dev == dev) {
+ *np = n->next;
+ n->next = freelist;
+ freelist = n;
+ continue;
+ }
++skip:
+ np = &n->next;
+ }
+ }
+@@ -2033,6 +2038,7 @@ static int neigh_add(struct sk_buff *skb, struct nlmsghdr *nlh,
+ pn = pneigh_lookup(tbl, net, dst, dev, 1);
+ if (pn) {
+ pn->flags = ndm_flags;
++ pn->permanent = !!(ndm->ndm_state & NUD_PERMANENT);
+ if (protocol)
+ pn->protocol = protocol;
+ err = 0;
+--
+2.39.5
+
--- /dev/null
+From 843aa3cb83c1b5244a6870d6851d95b16c74aad0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jul 2025 11:57:25 +0200
+Subject: net: ag71xx: Add missing check after DMA map
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 96a1e15e60216b52da0e6da5336b6d7f5b0188b0 ]
+
+The DMA map functions can fail and should be tested for errors.
+
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250716095733.37452-3-fourier.thomas@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/atheros/ag71xx.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/net/ethernet/atheros/ag71xx.c b/drivers/net/ethernet/atheros/ag71xx.c
+index 009e0b3066fa..baf12ae0b8c4 100644
+--- a/drivers/net/ethernet/atheros/ag71xx.c
++++ b/drivers/net/ethernet/atheros/ag71xx.c
+@@ -1234,6 +1234,11 @@ static bool ag71xx_fill_rx_buf(struct ag71xx *ag, struct ag71xx_buf *buf,
+ buf->rx.rx_buf = data;
+ buf->rx.dma_addr = dma_map_single(&ag->pdev->dev, data, ag->rx_buf_size,
+ DMA_FROM_DEVICE);
++ if (dma_mapping_error(&ag->pdev->dev, buf->rx.dma_addr)) {
++ skb_free_frag(data);
++ buf->rx.rx_buf = NULL;
++ return false;
++ }
+ desc->data = (u32)buf->rx.dma_addr + offset;
+ return true;
+ }
+@@ -1532,6 +1537,10 @@ static netdev_tx_t ag71xx_hard_start_xmit(struct sk_buff *skb,
+
+ dma_addr = dma_map_single(&ag->pdev->dev, skb->data, skb->len,
+ DMA_TO_DEVICE);
++ if (dma_mapping_error(&ag->pdev->dev, dma_addr)) {
++ netif_dbg(ag, tx_err, ndev, "DMA mapping error\n");
++ goto err_drop;
++ }
+
+ i = ring->curr & ring_mask;
+ desc = ag71xx_ring_desc(ring, i);
+--
+2.39.5
+
--- /dev/null
+From 3be3d3f4753e3a2d1d4066ccb233685e55b0a274 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 28 Jun 2025 22:15:28 -0700
+Subject: net: atlantic: add set_power to fw_ops for atl2 to fix wol
+
+From: Eric Work <work.eric@gmail.com>
+
+[ Upstream commit fad9cf216597a71936ac87143d1618fbbcf97cbe ]
+
+Aquantia AQC113(C) using ATL2FW doesn't properly prepare the NIC for
+enabling wake-on-lan. The FW operation `set_power` was only implemented
+for `hw_atl` and not `hw_atl2`. Implement the `set_power` functionality
+for `hw_atl2`.
+
+Tested with both AQC113 and AQC113C devices. Confirmed you can shutdown
+the system and wake from S5 using magic packets. NIC was previously
+powered off when entering S5. If the NIC was configured for WOL by the
+Windows driver, loading the atlantic driver would disable WOL.
+
+Partially cherry-picks changes from commit,
+https://github.com/Aquantia/AQtion/commit/37bd5cc
+
+Attributing original authors from Marvell for the referenced commit.
+
+Closes: https://github.com/Aquantia/AQtion/issues/70
+Co-developed-by: Igor Russkikh <irusskikh@marvell.com>
+Co-developed-by: Mark Starovoitov <mstarovoitov@marvell.com>
+Co-developed-by: Dmitry Bogdanov <dbogdanov@marvell.com>
+Co-developed-by: Pavel Belous <pbelous@marvell.com>
+Co-developed-by: Nikita Danilov <ndanilov@marvell.com>
+Signed-off-by: Eric Work <work.eric@gmail.com>
+Reviewed-by: Igor Russkikh <irusskikh@marvell.com>
+Link: https://patch.msgid.link/20250629051535.5172-1-work.eric@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/aquantia/atlantic/aq_hw.h | 2 +
+ .../atlantic/hw_atl2/hw_atl2_utils_fw.c | 39 +++++++++++++++++++
+ 2 files changed, 41 insertions(+)
+
+diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_hw.h b/drivers/net/ethernet/aquantia/atlantic/aq_hw.h
+index dbd284660135..7f616abd3db2 100644
+--- a/drivers/net/ethernet/aquantia/atlantic/aq_hw.h
++++ b/drivers/net/ethernet/aquantia/atlantic/aq_hw.h
+@@ -113,6 +113,8 @@ struct aq_stats_s {
+ #define AQ_HW_POWER_STATE_D0 0U
+ #define AQ_HW_POWER_STATE_D3 3U
+
++#define AQ_FW_WAKE_ON_LINK_RTPM BIT(10)
++
+ #define AQ_HW_FLAG_STARTED 0x00000004U
+ #define AQ_HW_FLAG_STOPPING 0x00000008U
+ #define AQ_HW_FLAG_RESETTING 0x00000010U
+diff --git a/drivers/net/ethernet/aquantia/atlantic/hw_atl2/hw_atl2_utils_fw.c b/drivers/net/ethernet/aquantia/atlantic/hw_atl2/hw_atl2_utils_fw.c
+index 52e2070a4a2f..7370e3f76b62 100644
+--- a/drivers/net/ethernet/aquantia/atlantic/hw_atl2/hw_atl2_utils_fw.c
++++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl2/hw_atl2_utils_fw.c
+@@ -462,6 +462,44 @@ static int aq_a2_fw_get_mac_temp(struct aq_hw_s *self, int *temp)
+ return aq_a2_fw_get_phy_temp(self, temp);
+ }
+
++static int aq_a2_fw_set_wol_params(struct aq_hw_s *self, const u8 *mac, u32 wol)
++{
++ struct mac_address_aligned_s mac_address;
++ struct link_control_s link_control;
++ struct wake_on_lan_s wake_on_lan;
++
++ memcpy(mac_address.aligned.mac_address, mac, ETH_ALEN);
++ hw_atl2_shared_buffer_write(self, mac_address, mac_address);
++
++ memset(&wake_on_lan, 0, sizeof(wake_on_lan));
++
++ if (wol & WAKE_MAGIC)
++ wake_on_lan.wake_on_magic_packet = 1U;
++
++ if (wol & (WAKE_PHY | AQ_FW_WAKE_ON_LINK_RTPM))
++ wake_on_lan.wake_on_link_up = 1U;
++
++ hw_atl2_shared_buffer_write(self, sleep_proxy, wake_on_lan);
++
++ hw_atl2_shared_buffer_get(self, link_control, link_control);
++ link_control.mode = AQ_HOST_MODE_SLEEP_PROXY;
++ hw_atl2_shared_buffer_write(self, link_control, link_control);
++
++ return hw_atl2_shared_buffer_finish_ack(self);
++}
++
++static int aq_a2_fw_set_power(struct aq_hw_s *self, unsigned int power_state,
++ const u8 *mac)
++{
++ u32 wol = self->aq_nic_cfg->wol;
++ int err = 0;
++
++ if (wol)
++ err = aq_a2_fw_set_wol_params(self, mac, wol);
++
++ return err;
++}
++
+ static int aq_a2_fw_set_eee_rate(struct aq_hw_s *self, u32 speed)
+ {
+ struct link_options_s link_options;
+@@ -605,6 +643,7 @@ const struct aq_fw_ops aq_a2_fw_ops = {
+ .set_state = aq_a2_fw_set_state,
+ .update_link_status = aq_a2_fw_update_link_status,
+ .update_stats = aq_a2_fw_update_stats,
++ .set_power = aq_a2_fw_set_power,
+ .get_mac_temp = aq_a2_fw_get_mac_temp,
+ .get_phy_temp = aq_a2_fw_get_phy_temp,
+ .set_eee_rate = aq_a2_fw_set_eee_rate,
+--
+2.39.5
+
--- /dev/null
+From ce845a70856a2ed013b255636e86642fa93bd373 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 Jun 2025 09:59:59 +0200
+Subject: net: dsa: b53: fix b53_imp_vlan_setup for BCM5325
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Álvaro Fernández Rojas <noltari@gmail.com>
+
+[ Upstream commit c00df1018791185ea398f78af415a2a0aaa0c79c ]
+
+CPU port should be B53_CPU_PORT instead of B53_CPU_PORT_25 for
+B53_PVLAN_PORT_MASK register.
+
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
+Link: https://patch.msgid.link/20250614080000.1884236-14-noltari@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/b53/b53_common.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
+index 004d2c988ff0..e82554cedbfc 100644
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -507,6 +507,10 @@ void b53_imp_vlan_setup(struct dsa_switch *ds, int cpu_port)
+ unsigned int i;
+ u16 pvlan;
+
++ /* BCM5325 CPU port is at 8 */
++ if ((is5325(dev) || is5365(dev)) && cpu_port == B53_CPU_PORT_25)
++ cpu_port = B53_CPU_PORT;
++
+ /* Enable the IMP port to be in the same VLAN as the other ports
+ * on a per-port basis such that we only have Port i and IMP in
+ * the same VLAN.
+--
+2.39.5
+
--- /dev/null
+From aff5e7d6ac77788ec48d2096570a185d1363789f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 Jun 2025 09:59:54 +0200
+Subject: net: dsa: b53: fix IP_MULTICAST_CTRL on BCM5325
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Álvaro Fernández Rojas <noltari@gmail.com>
+
+[ Upstream commit 044d5ce2788b165798bfd173548e61bf7b6baf4d ]
+
+BCM5325 doesn't implement B53_UC_FWD_EN, B53_MC_FWD_EN or B53_IPMC_FWD_EN.
+
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
+Link: https://patch.msgid.link/20250614080000.1884236-9-noltari@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/b53/b53_common.c | 18 +++++++++++-------
+ drivers/net/dsa/b53/b53_regs.h | 1 +
+ 2 files changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
+index 6378e3f0f1fe..b00bac468677 100644
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -344,14 +344,18 @@ static void b53_set_forwarding(struct b53_device *dev, int enable)
+ b53_read8(dev, B53_CTRL_PAGE, B53_SWITCH_CTRL, &mgmt);
+ mgmt |= B53_MII_DUMB_FWDG_EN;
+ b53_write8(dev, B53_CTRL_PAGE, B53_SWITCH_CTRL, mgmt);
+- }
+
+- /* Look at B53_UC_FWD_EN and B53_MC_FWD_EN to decide whether
+- * frames should be flooded or not.
+- */
+- b53_read8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, &mgmt);
+- mgmt |= B53_UC_FWD_EN | B53_MC_FWD_EN | B53_IPMC_FWD_EN;
+- b53_write8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, mgmt);
++ /* Look at B53_UC_FWD_EN and B53_MC_FWD_EN to decide whether
++ * frames should be flooded or not.
++ */
++ b53_read8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, &mgmt);
++ mgmt |= B53_UC_FWD_EN | B53_MC_FWD_EN | B53_IPMC_FWD_EN;
++ b53_write8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, mgmt);
++ } else {
++ b53_read8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, &mgmt);
++ mgmt |= B53_IP_MCAST_25;
++ b53_write8(dev, B53_CTRL_PAGE, B53_IP_MULTICAST_CTRL, mgmt);
++ }
+ }
+
+ static void b53_enable_vlan(struct b53_device *dev, int port, bool enable,
+diff --git a/drivers/net/dsa/b53/b53_regs.h b/drivers/net/dsa/b53/b53_regs.h
+index 390290ddb1ea..3179fe58de6b 100644
+--- a/drivers/net/dsa/b53/b53_regs.h
++++ b/drivers/net/dsa/b53/b53_regs.h
+@@ -104,6 +104,7 @@
+
+ /* IP Multicast control (8 bit) */
+ #define B53_IP_MULTICAST_CTRL 0x21
++#define B53_IP_MCAST_25 BIT(0)
+ #define B53_IPMC_FWD_EN BIT(1)
+ #define B53_UC_FWD_EN BIT(6)
+ #define B53_MC_FWD_EN BIT(7)
+--
+2.39.5
+
--- /dev/null
+From 3e30fc4701044431bf998c7b407542cdeabec796 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 Jun 2025 09:59:55 +0200
+Subject: net: dsa: b53: prevent DIS_LEARNING access on BCM5325
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Álvaro Fernández Rojas <noltari@gmail.com>
+
+[ Upstream commit 800728abd9f83bda4de62a30ce62a8b41c242020 ]
+
+BCM5325 doesn't implement DIS_LEARNING register so we should avoid reading
+or writing it.
+
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
+Link: https://patch.msgid.link/20250614080000.1884236-10-noltari@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/b53/b53_common.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
+index 9e4d66b8ad39..5daefb60885e 100644
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -561,6 +561,9 @@ static void b53_port_set_learning(struct b53_device *dev, int port,
+ {
+ u16 reg;
+
++ if (is5325(dev))
++ return;
++
+ b53_read16(dev, B53_CTRL_PAGE, B53_DIS_LEARNING, ®);
+ if (learning)
+ reg &= ~BIT(port);
+@@ -2062,7 +2065,13 @@ int b53_br_flags_pre(struct dsa_switch *ds, int port,
+ struct switchdev_brport_flags flags,
+ struct netlink_ext_ack *extack)
+ {
+- if (flags.mask & ~(BR_FLOOD | BR_MCAST_FLOOD | BR_LEARNING))
++ struct b53_device *dev = ds->priv;
++ unsigned long mask = (BR_FLOOD | BR_MCAST_FLOOD);
++
++ if (!is5325(dev))
++ mask |= BR_LEARNING;
++
++ if (flags.mask & ~mask)
+ return -EINVAL;
+
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From c034d4aa0771986a9cd5936ad6feb3615277cc9c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 Jun 2025 09:59:57 +0200
+Subject: net: dsa: b53: prevent GMII_PORT_OVERRIDE_CTRL access on BCM5325
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Álvaro Fernández Rojas <noltari@gmail.com>
+
+[ Upstream commit 37883bbc45a8555d6eca88d3a9730504d2dac86c ]
+
+BCM5325 doesn't implement GMII_PORT_OVERRIDE_CTRL register so we should
+avoid reading or writing it.
+PORT_OVERRIDE_RX_FLOW and PORT_OVERRIDE_TX_FLOW aren't defined on BCM5325
+and we should use PORT_OVERRIDE_LP_FLOW_25 instead.
+
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
+Link: https://patch.msgid.link/20250614080000.1884236-12-noltari@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/b53/b53_common.c | 21 +++++++++++++++++----
+ drivers/net/dsa/b53/b53_regs.h | 1 +
+ 2 files changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
+index e82554cedbfc..9e4d66b8ad39 100644
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -1167,6 +1167,8 @@ static void b53_force_link(struct b53_device *dev, int port, int link)
+ if (port == dev->imp_port) {
+ off = B53_PORT_OVERRIDE_CTRL;
+ val = PORT_OVERRIDE_EN;
++ } else if (is5325(dev)) {
++ return;
+ } else {
+ off = B53_GMII_PORT_OVERRIDE_CTRL(port);
+ val = GMII_PO_EN;
+@@ -1191,6 +1193,8 @@ static void b53_force_port_config(struct b53_device *dev, int port,
+ if (port == dev->imp_port) {
+ off = B53_PORT_OVERRIDE_CTRL;
+ val = PORT_OVERRIDE_EN;
++ } else if (is5325(dev)) {
++ return;
+ } else {
+ off = B53_GMII_PORT_OVERRIDE_CTRL(port);
+ val = GMII_PO_EN;
+@@ -1221,10 +1225,19 @@ static void b53_force_port_config(struct b53_device *dev, int port,
+ return;
+ }
+
+- if (rx_pause)
+- reg |= PORT_OVERRIDE_RX_FLOW;
+- if (tx_pause)
+- reg |= PORT_OVERRIDE_TX_FLOW;
++ if (rx_pause) {
++ if (is5325(dev))
++ reg |= PORT_OVERRIDE_LP_FLOW_25;
++ else
++ reg |= PORT_OVERRIDE_RX_FLOW;
++ }
++
++ if (tx_pause) {
++ if (is5325(dev))
++ reg |= PORT_OVERRIDE_LP_FLOW_25;
++ else
++ reg |= PORT_OVERRIDE_TX_FLOW;
++ }
+
+ b53_write8(dev, B53_CTRL_PAGE, off, reg);
+ }
+diff --git a/drivers/net/dsa/b53/b53_regs.h b/drivers/net/dsa/b53/b53_regs.h
+index bfbcb66bef66..390290ddb1ea 100644
+--- a/drivers/net/dsa/b53/b53_regs.h
++++ b/drivers/net/dsa/b53/b53_regs.h
+@@ -92,6 +92,7 @@
+ #define PORT_OVERRIDE_SPEED_10M (0 << PORT_OVERRIDE_SPEED_S)
+ #define PORT_OVERRIDE_SPEED_100M (1 << PORT_OVERRIDE_SPEED_S)
+ #define PORT_OVERRIDE_SPEED_1000M (2 << PORT_OVERRIDE_SPEED_S)
++#define PORT_OVERRIDE_LP_FLOW_25 BIT(3) /* BCM5325 only */
+ #define PORT_OVERRIDE_RV_MII_25 BIT(4) /* BCM5325 only */
+ #define PORT_OVERRIDE_RX_FLOW BIT(4)
+ #define PORT_OVERRIDE_TX_FLOW BIT(5)
+--
+2.39.5
+
--- /dev/null
+From d0b3fe8efcfee2ffc9d4b00183c4abb26ac43aba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 Jun 2025 09:59:53 +0200
+Subject: net: dsa: b53: prevent SWITCH_CTRL access on BCM5325
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Álvaro Fernández Rojas <noltari@gmail.com>
+
+[ Upstream commit 22ccaaca43440e90a3b68d2183045b42247dc4be ]
+
+BCM5325 doesn't implement SWITCH_CTRL register so we should avoid reading
+or writing it.
+
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
+Link: https://patch.msgid.link/20250614080000.1884236-8-noltari@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/b53/b53_common.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
+index 5daefb60885e..6378e3f0f1fe 100644
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -339,11 +339,12 @@ static void b53_set_forwarding(struct b53_device *dev, int enable)
+
+ b53_write8(dev, B53_CTRL_PAGE, B53_SWITCH_MODE, mgmt);
+
+- /* Include IMP port in dumb forwarding mode
+- */
+- b53_read8(dev, B53_CTRL_PAGE, B53_SWITCH_CTRL, &mgmt);
+- mgmt |= B53_MII_DUMB_FWDG_EN;
+- b53_write8(dev, B53_CTRL_PAGE, B53_SWITCH_CTRL, mgmt);
++ if (!is5325(dev)) {
++ /* Include IMP port in dumb forwarding mode */
++ b53_read8(dev, B53_CTRL_PAGE, B53_SWITCH_CTRL, &mgmt);
++ mgmt |= B53_MII_DUMB_FWDG_EN;
++ b53_write8(dev, B53_CTRL_PAGE, B53_SWITCH_CTRL, mgmt);
++ }
+
+ /* Look at B53_UC_FWD_EN and B53_MC_FWD_EN to decide whether
+ * frames should be flooded or not.
+--
+2.39.5
+
--- /dev/null
+From b52cc588ed623b63016f51ea531e06d31d30201d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jun 2025 15:44:02 +0200
+Subject: net: fec: allow disable coalescing
+
+From: Jonas Rebmann <jre@pengutronix.de>
+
+[ Upstream commit b7ad21258f9e9a7f58b19595d5ceed2cde3bed68 ]
+
+In the current implementation, IP coalescing is always enabled and
+cannot be disabled.
+
+As setting maximum frames to 0 or 1, or setting delay to zero implies
+immediate delivery of single packets/IRQs, disable coalescing in
+hardware in these cases.
+
+This also guarantees that coalescing is never enabled with ICFT or ICTT
+set to zero, a configuration that could lead to unpredictable behaviour
+according to i.MX8MP reference manual.
+
+Signed-off-by: Jonas Rebmann <jre@pengutronix.de>
+Reviewed-by: Wei Fang <wei.fang@nxp.com>
+Link: https://patch.msgid.link/20250626-fec_deactivate_coalescing-v2-1-0b217f2e80da@pengutronix.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fec_main.c | 34 +++++++++++------------
+ 1 file changed, 16 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
+index 291c88a76a27..2a8b5429df59 100644
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -3069,27 +3069,25 @@ static int fec_enet_us_to_itr_clock(struct net_device *ndev, int us)
+ static void fec_enet_itr_coal_set(struct net_device *ndev)
+ {
+ struct fec_enet_private *fep = netdev_priv(ndev);
+- int rx_itr, tx_itr;
++ u32 rx_itr = 0, tx_itr = 0;
++ int rx_ictt, tx_ictt;
+
+- /* Must be greater than zero to avoid unpredictable behavior */
+- if (!fep->rx_time_itr || !fep->rx_pkts_itr ||
+- !fep->tx_time_itr || !fep->tx_pkts_itr)
+- return;
+-
+- /* Select enet system clock as Interrupt Coalescing
+- * timer Clock Source
+- */
+- rx_itr = FEC_ITR_CLK_SEL;
+- tx_itr = FEC_ITR_CLK_SEL;
++ rx_ictt = fec_enet_us_to_itr_clock(ndev, fep->rx_time_itr);
++ tx_ictt = fec_enet_us_to_itr_clock(ndev, fep->tx_time_itr);
+
+- /* set ICFT and ICTT */
+- rx_itr |= FEC_ITR_ICFT(fep->rx_pkts_itr);
+- rx_itr |= FEC_ITR_ICTT(fec_enet_us_to_itr_clock(ndev, fep->rx_time_itr));
+- tx_itr |= FEC_ITR_ICFT(fep->tx_pkts_itr);
+- tx_itr |= FEC_ITR_ICTT(fec_enet_us_to_itr_clock(ndev, fep->tx_time_itr));
++ if (rx_ictt > 0 && fep->rx_pkts_itr > 1) {
++ /* Enable with enet system clock as Interrupt Coalescing timer Clock Source */
++ rx_itr = FEC_ITR_EN | FEC_ITR_CLK_SEL;
++ rx_itr |= FEC_ITR_ICFT(fep->rx_pkts_itr);
++ rx_itr |= FEC_ITR_ICTT(rx_ictt);
++ }
+
+- rx_itr |= FEC_ITR_EN;
+- tx_itr |= FEC_ITR_EN;
++ if (tx_ictt > 0 && fep->tx_pkts_itr > 1) {
++ /* Enable with enet system clock as Interrupt Coalescing timer Clock Source */
++ tx_itr = FEC_ITR_EN | FEC_ITR_CLK_SEL;
++ tx_itr |= FEC_ITR_ICFT(fep->tx_pkts_itr);
++ tx_itr |= FEC_ITR_ICTT(tx_ictt);
++ }
+
+ writel(tx_itr, fep->hwp + FEC_TXIC0);
+ writel(rx_itr, fep->hwp + FEC_RXIC0);
+--
+2.39.5
+
--- /dev/null
+From 833bae09dbe78b77e5051b0926d2aa7bfd2e64a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 16:27:13 +0200
+Subject: net: ipv4: fix incorrect MTU in broadcast routes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Oscar Maes <oscmaes92@gmail.com>
+
+[ Upstream commit 9e30ecf23b1b8f091f7d08b27968dea83aae7908 ]
+
+Currently, __mkroute_output overrules the MTU value configured for
+broadcast routes.
+
+This buggy behaviour can be reproduced with:
+
+ip link set dev eth1 mtu 9000
+ip route del broadcast 192.168.0.255 dev eth1 proto kernel scope link src 192.168.0.2
+ip route add broadcast 192.168.0.255 dev eth1 proto kernel scope link src 192.168.0.2 mtu 1500
+
+The maximum packet size should be 1500, but it is actually 8000:
+
+ping -b 192.168.0.255 -s 8000
+
+Fix __mkroute_output to allow MTU values to be configured for
+for broadcast routes (to support a mixed-MTU local-area-network).
+
+Signed-off-by: Oscar Maes <oscmaes92@gmail.com>
+Link: https://patch.msgid.link/20250710142714.12986-1-oscmaes92@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/route.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index 6ee77f7f9114..8672ebbace98 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -2560,7 +2560,6 @@ static struct rtable *__mkroute_output(const struct fib_result *res,
+ do_cache = true;
+ if (type == RTN_BROADCAST) {
+ flags |= RTCF_BROADCAST | RTCF_LOCAL;
+- fi = NULL;
+ } else if (type == RTN_MULTICAST) {
+ flags |= RTCF_MULTICAST | RTCF_LOCAL;
+ if (!ip_check_mc_rcu(in_dev, fl4->daddr, fl4->saddr,
+--
+2.39.5
+
--- /dev/null
+From 7d9a9427bb56d579b24ea438d5a158fe38cabe49 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 16:55:55 +0800
+Subject: net: mctp: Prevent duplicate binds
+
+From: Matt Johnston <matt@codeconstruct.com.au>
+
+[ Upstream commit 3954502377ec05a1b37e2dc9bef0bacd4bbd71b2 ]
+
+Disallow bind() calls that have the same arguments as existing bound
+sockets. Previously multiple sockets could bind() to the same
+type/local address, with an arbitrary socket receiving matched messages.
+
+This is only a partial fix, a future commit will define precedence order
+for MCTP_ADDR_ANY versus specific EID bind(), which are allowed to exist
+together.
+
+Signed-off-by: Matt Johnston <matt@codeconstruct.com.au>
+Link: https://patch.msgid.link/20250710-mctp-bind-v4-2-8ec2f6460c56@codeconstruct.com.au
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mctp/af_mctp.c | 26 +++++++++++++++++++++++---
+ 1 file changed, 23 insertions(+), 3 deletions(-)
+
+diff --git a/net/mctp/af_mctp.c b/net/mctp/af_mctp.c
+index 8032cfba22d1..5f9592fb57ad 100644
+--- a/net/mctp/af_mctp.c
++++ b/net/mctp/af_mctp.c
+@@ -73,7 +73,6 @@ static int mctp_bind(struct socket *sock, struct sockaddr *addr, int addrlen)
+
+ lock_sock(sk);
+
+- /* TODO: allow rebind */
+ if (sk_hashed(sk)) {
+ rc = -EADDRINUSE;
+ goto out_release;
+@@ -549,15 +548,36 @@ static void mctp_sk_close(struct sock *sk, long timeout)
+ static int mctp_sk_hash(struct sock *sk)
+ {
+ struct net *net = sock_net(sk);
++ struct sock *existing;
++ struct mctp_sock *msk;
++ int rc;
++
++ msk = container_of(sk, struct mctp_sock, sk);
+
+ /* Bind lookup runs under RCU, remain live during that. */
+ sock_set_flag(sk, SOCK_RCU_FREE);
+
+ mutex_lock(&net->mctp.bind_lock);
++
++ /* Prevent duplicate binds. */
++ sk_for_each(existing, &net->mctp.binds) {
++ struct mctp_sock *mex =
++ container_of(existing, struct mctp_sock, sk);
++
++ if (mex->bind_type == msk->bind_type &&
++ mex->bind_addr == msk->bind_addr &&
++ mex->bind_net == msk->bind_net) {
++ rc = -EADDRINUSE;
++ goto out;
++ }
++ }
++
+ sk_add_node_rcu(sk, &net->mctp.binds);
+- mutex_unlock(&net->mctp.bind_lock);
++ rc = 0;
+
+- return 0;
++out:
++ mutex_unlock(&net->mctp.bind_lock);
++ return rc;
+ }
+
+ static void mctp_sk_unhash(struct sock *sk)
+--
+2.39.5
+
--- /dev/null
+From b9bc9d7c8c5d55c4aa48e60b8cb9f747556d09ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jul 2025 17:17:49 +0300
+Subject: net/mlx5e: Properly access RCU protected qdisc_sleeping variable
+
+From: Leon Romanovsky <leonro@nvidia.com>
+
+[ Upstream commit 2a601b2d35623065d31ebaf697b07502d54878c9 ]
+
+qdisc_sleeping variable is declared as "struct Qdisc __rcu" and
+as such needs proper annotation while accessing it.
+
+Without rtnl_dereference(), the following error is generated by sparse:
+
+drivers/net/ethernet/mellanox/mlx5/core/en/qos.c:377:40: warning:
+ incorrect type in initializer (different address spaces)
+drivers/net/ethernet/mellanox/mlx5/core/en/qos.c:377:40: expected
+ struct Qdisc *qdisc
+drivers/net/ethernet/mellanox/mlx5/core/en/qos.c:377:40: got struct
+ Qdisc [noderef] __rcu *qdisc_sleeping
+
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+Link: https://patch.msgid.link/1752675472-201445-4-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en/qos.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/qos.c b/drivers/net/ethernet/mellanox/mlx5/core/en/qos.c
+index d9acc37afe1c..74729bf168b1 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/qos.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/qos.c
+@@ -362,7 +362,7 @@ void mlx5e_reactivate_qos_sq(struct mlx5e_priv *priv, u16 qid, struct netdev_que
+ void mlx5e_reset_qdisc(struct net_device *dev, u16 qid)
+ {
+ struct netdev_queue *dev_queue = netdev_get_tx_queue(dev, qid);
+- struct Qdisc *qdisc = dev_queue->qdisc_sleeping;
++ struct Qdisc *qdisc = rtnl_dereference(dev_queue->qdisc_sleeping);
+
+ if (!qdisc)
+ return;
+--
+2.39.5
+
--- /dev/null
+From a4836d5ccadd924668f944a12064843ab0e36c59 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 12:33:38 -0700
+Subject: net: ncsi: Fix buffer overflow in fetching version id
+
+From: Hari Kalavakunta <kalavakunta.hari.prasad@gmail.com>
+
+[ Upstream commit 8e16170ae972c7fed132bc928914a2ffb94690fc ]
+
+In NC-SI spec v1.2 section 8.4.44.2, the firmware name doesn't
+need to be null terminated while its size occupies the full size
+of the field. Fix the buffer overflow issue by adding one
+additional byte for null terminator.
+
+Signed-off-by: Hari Kalavakunta <kalavakunta.hari.prasad@gmail.com>
+Reviewed-by: Paul Fertser <fercerpav@gmail.com>
+Link: https://patch.msgid.link/20250610193338.1368-1-kalavakunta.hari.prasad@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ncsi/internal.h | 2 +-
+ net/ncsi/ncsi-rsp.c | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/ncsi/internal.h b/net/ncsi/internal.h
+index 2c260f33b55c..ad1f671ffc37 100644
+--- a/net/ncsi/internal.h
++++ b/net/ncsi/internal.h
+@@ -110,7 +110,7 @@ struct ncsi_channel_version {
+ u8 update; /* NCSI version update */
+ char alpha1; /* NCSI version alpha1 */
+ char alpha2; /* NCSI version alpha2 */
+- u8 fw_name[12]; /* Firmware name string */
++ u8 fw_name[12 + 1]; /* Firmware name string */
+ u32 fw_version; /* Firmware version */
+ u16 pci_ids[4]; /* PCI identification */
+ u32 mf_id; /* Manufacture ID */
+diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c
+index 8668888c5a2f..d5ed80731e89 100644
+--- a/net/ncsi/ncsi-rsp.c
++++ b/net/ncsi/ncsi-rsp.c
+@@ -775,6 +775,7 @@ static int ncsi_rsp_handler_gvi(struct ncsi_request *nr)
+ ncv->alpha1 = rsp->alpha1;
+ ncv->alpha2 = rsp->alpha2;
+ memcpy(ncv->fw_name, rsp->fw_name, 12);
++ ncv->fw_name[12] = '\0';
+ ncv->fw_version = ntohl(rsp->fw_version);
+ for (i = 0; i < ARRAY_SIZE(ncv->pci_ids); i++)
+ ncv->pci_ids[i] = ntohs(rsp->pci_ids[i]);
+--
+2.39.5
+
--- /dev/null
+From 1f4c1fe3aa790bce1215d4c1c27597c105030f51 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jul 2025 06:40:21 +0100
+Subject: net: phy: micrel: Add ksz9131_resume()
+
+From: Biju Das <biju.das.jz@bp.renesas.com>
+
+[ Upstream commit f25a7eaa897f21396e99f90809af82ca553c9d14 ]
+
+The Renesas RZ/G3E SMARC EVK uses KSZ9131RNXC phy. On deep power state,
+PHY loses the power and on wakeup the rgmii delays are not reconfigured
+causing it to fail.
+
+Replace the callback kszphy_resume()->ksz9131_resume() for reconfiguring
+the rgmii_delay when it exits from PM suspend state.
+
+Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/20250711054029.48536-1-biju.das.jz@bp.renesas.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/micrel.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c
+index d4017c442201..6a114883ed8c 100644
+--- a/drivers/net/phy/micrel.c
++++ b/drivers/net/phy/micrel.c
+@@ -4722,6 +4722,14 @@ static int lan8841_suspend(struct phy_device *phydev)
+ return genphy_suspend(phydev);
+ }
+
++static int ksz9131_resume(struct phy_device *phydev)
++{
++ if (phydev->suspended && phy_interface_is_rgmii(phydev))
++ ksz9131_config_rgmii_delay(phydev);
++
++ return kszphy_resume(phydev);
++}
++
+ static struct phy_driver ksphy_driver[] = {
+ {
+ .phy_id = PHY_ID_KS8737,
+@@ -4968,7 +4976,7 @@ static struct phy_driver ksphy_driver[] = {
+ .get_strings = kszphy_get_strings,
+ .get_stats = kszphy_get_stats,
+ .suspend = kszphy_suspend,
+- .resume = kszphy_resume,
++ .resume = ksz9131_resume,
+ .cable_test_start = ksz9x31_cable_test_start,
+ .cable_test_get_status = ksz9x31_cable_test_get_status,
+ .get_features = ksz9477_get_features,
+--
+2.39.5
+
--- /dev/null
+From 809bdac76eff3b41bcbc74938e662a596ac8dafd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Jul 2025 17:29:16 +0200
+Subject: net: phy: smsc: add proper reset flags for LAN8710A
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Buday Csaba <buday.csaba@prolan.hu>
+
+[ Upstream commit 57ec5a8735dc5dccd1ee68afdb1114956a3fce0d ]
+
+According to the LAN8710A datasheet (Rev. B, section 3.8.5.1), a hardware
+reset is required after power-on, and the reference clock (REF_CLK) must be
+established before asserting reset.
+
+Signed-off-by: Buday Csaba <buday.csaba@prolan.hu>
+Cc: Csókás Bence <csokas.bence@prolan.hu>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/20250728152916.46249-2-csokas.bence@prolan.hu
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/phy/smsc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/phy/smsc.c b/drivers/net/phy/smsc.c
+index 4ca813c00947..5f9bb0ebe455 100644
+--- a/drivers/net/phy/smsc.c
++++ b/drivers/net/phy/smsc.c
+@@ -786,6 +786,7 @@ static struct phy_driver smsc_phy_driver[] = {
+
+ /* PHY_BASIC_FEATURES */
+
++ .flags = PHY_RST_AFTER_CLK_EN,
+ .probe = smsc_phy_probe,
+
+ /* basic functions */
+--
+2.39.5
+
--- /dev/null
+From 2b1221897587cea3b6c622011aa580f22d7459d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 28 Jun 2025 17:38:13 +0800
+Subject: net: thunderbolt: Enable end-to-end flow control also in transmit
+
+From: zhangjianrong <zhangjianrong5@huawei.com>
+
+[ Upstream commit a8065af3346ebd7c76ebc113451fb3ba94cf7769 ]
+
+According to USB4 specification, if E2E flow control is disabled for
+the Transmit Descriptor Ring, the Host Interface Adapter Layer shall
+not require any credits to be available before transmitting a Tunneled
+Packet from this Transmit Descriptor Ring, so e2e flow control should
+be enabled in both directions.
+
+Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Link: https://lore.kernel.org/20250624153805.GC2824380@black.fi.intel.com
+Signed-off-by: zhangjianrong <zhangjianrong5@huawei.com>
+Link: https://patch.msgid.link/20250628093813.647005-1-zhangjianrong5@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/thunderbolt/main.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/thunderbolt/main.c b/drivers/net/thunderbolt/main.c
+index 0a53ec293d04..643cf67840b5 100644
+--- a/drivers/net/thunderbolt/main.c
++++ b/drivers/net/thunderbolt/main.c
+@@ -924,8 +924,12 @@ static int tbnet_open(struct net_device *dev)
+
+ netif_carrier_off(dev);
+
+- ring = tb_ring_alloc_tx(xd->tb->nhi, -1, TBNET_RING_SIZE,
+- RING_FLAG_FRAME);
++ flags = RING_FLAG_FRAME;
++ /* Only enable full E2E if the other end supports it too */
++ if (tbnet_e2e && net->svc->prtcstns & TBNET_E2E)
++ flags |= RING_FLAG_E2E;
++
++ ring = tb_ring_alloc_tx(xd->tb->nhi, -1, TBNET_RING_SIZE, flags);
+ if (!ring) {
+ netdev_err(dev, "failed to allocate Tx ring\n");
+ return -ENOMEM;
+@@ -944,11 +948,6 @@ static int tbnet_open(struct net_device *dev)
+ sof_mask = BIT(TBIP_PDF_FRAME_START);
+ eof_mask = BIT(TBIP_PDF_FRAME_END);
+
+- flags = RING_FLAG_FRAME;
+- /* Only enable full E2E if the other end supports it too */
+- if (tbnet_e2e && net->svc->prtcstns & TBNET_E2E)
+- flags |= RING_FLAG_E2E;
+-
+ ring = tb_ring_alloc_rx(xd->tb->nhi, -1, TBNET_RING_SIZE, flags,
+ net->tx_ring.ring->hop, sof_mask,
+ eof_mask, tbnet_start_poll, net);
+--
+2.39.5
+
--- /dev/null
+From f099a176034670f94f7db049cc8a9b848f189ca0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 28 Jun 2025 17:49:20 +0800
+Subject: net: thunderbolt: Fix the parameter passing of
+ tb_xdomain_enable_paths()/tb_xdomain_disable_paths()
+
+From: zhangjianrong <zhangjianrong5@huawei.com>
+
+[ Upstream commit 8ec31cb17cd355cea25cdb8496d9b3fbf1321647 ]
+
+According to the description of tb_xdomain_enable_paths(), the third
+parameter represents the transmit ring and the fifth parameter represents
+the receive ring. tb_xdomain_disable_paths() is the same case.
+
+[Jakub] Mika says: it works now because both rings ->hop is the same
+
+Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Link: https://lore.kernel.org/20250625051149.GD2824380@black.fi.intel.com
+Signed-off-by: zhangjianrong <zhangjianrong5@huawei.com>
+Link: https://patch.msgid.link/20250628094920.656658-1-zhangjianrong5@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/thunderbolt/main.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/thunderbolt/main.c b/drivers/net/thunderbolt/main.c
+index 643cf67840b5..dcaa62377808 100644
+--- a/drivers/net/thunderbolt/main.c
++++ b/drivers/net/thunderbolt/main.c
+@@ -396,9 +396,9 @@ static void tbnet_tear_down(struct tbnet *net, bool send_logout)
+
+ ret = tb_xdomain_disable_paths(net->xd,
+ net->local_transmit_path,
+- net->rx_ring.ring->hop,
++ net->tx_ring.ring->hop,
+ net->remote_transmit_path,
+- net->tx_ring.ring->hop);
++ net->rx_ring.ring->hop);
+ if (ret)
+ netdev_warn(net->dev, "failed to disable DMA paths\n");
+
+@@ -662,9 +662,9 @@ static void tbnet_connected_work(struct work_struct *work)
+ goto err_free_rx_buffers;
+
+ ret = tb_xdomain_enable_paths(net->xd, net->local_transmit_path,
+- net->rx_ring.ring->hop,
++ net->tx_ring.ring->hop,
+ net->remote_transmit_path,
+- net->tx_ring.ring->hop);
++ net->rx_ring.ring->hop);
+ if (ret) {
+ netdev_err(net->dev, "failed to enable DMA paths\n");
+ goto err_free_tx_buffers;
+--
+2.39.5
+
--- /dev/null
+From 05a9bdd7f72fb7384b086678bc0204f49bed5432 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jul 2025 07:05:30 -0700
+Subject: net: thunderx: Fix format-truncation warning in bgx_acpi_match_id()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit 53d20606c40678d425cc03f0978c614dca51f25e ]
+
+The buffer bgx_sel used in snprintf() was too small to safely hold
+the formatted string "BGX%d" for all valid bgx_id values. This caused
+a -Wformat-truncation warning with `Werror` enabled during build.
+
+Increase the buffer size from 5 to 7 and use `sizeof(bgx_sel)` in
+snprintf() to ensure safety and suppress the warning.
+
+Build warning:
+ CC drivers/net/ethernet/cavium/thunder/thunder_bgx.o
+ drivers/net/ethernet/cavium/thunder/thunder_bgx.c: In function
+‘bgx_acpi_match_id’:
+ drivers/net/ethernet/cavium/thunder/thunder_bgx.c:1434:27: error: ‘%d’
+directive output may be truncated writing between 1 and 3 bytes into a
+region of size 2 [-Werror=format-truncation=]
+ snprintf(bgx_sel, 5, "BGX%d", bgx->bgx_id);
+ ^~
+ drivers/net/ethernet/cavium/thunder/thunder_bgx.c:1434:23: note:
+directive argument in the range [0, 255]
+ snprintf(bgx_sel, 5, "BGX%d", bgx->bgx_id);
+ ^~~~~~~
+ drivers/net/ethernet/cavium/thunder/thunder_bgx.c:1434:2: note:
+‘snprintf’ output between 5 and 7 bytes into a destination of size 5
+ snprintf(bgx_sel, 5, "BGX%d", bgx->bgx_id);
+
+compiler warning due to insufficient snprintf buffer size.
+
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250711140532.2463602-1-alok.a.tiwari@oracle.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cavium/thunder/thunder_bgx.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+index a317feb8decb..087d4c2b3efd 100644
+--- a/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
++++ b/drivers/net/ethernet/cavium/thunder/thunder_bgx.c
+@@ -1427,9 +1427,9 @@ static acpi_status bgx_acpi_match_id(acpi_handle handle, u32 lvl,
+ {
+ struct acpi_buffer string = { ACPI_ALLOCATE_BUFFER, NULL };
+ struct bgx *bgx = context;
+- char bgx_sel[5];
++ char bgx_sel[7];
+
+- snprintf(bgx_sel, 5, "BGX%d", bgx->bgx_id);
++ snprintf(bgx_sel, sizeof(bgx_sel), "BGX%d", bgx->bgx_id);
+ if (ACPI_FAILURE(acpi_get_name(handle, ACPI_SINGLE_NAME, &string))) {
+ pr_warn("Invalid link device\n");
+ return AE_OK;
+--
+2.39.5
+
--- /dev/null
+From e7e22554f812d16e80161e67d8d0ba55ab2be446 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 14:06:17 +0200
+Subject: net: usb: cdc-ncm: check for filtering capability
+
+From: Oliver Neukum <oneukum@suse.com>
+
+[ Upstream commit 61c3e8940f2d8b5bfeaeec4bedc2f3e7d873abb3 ]
+
+If the decice does not support filtering, filtering
+must not be used and all packets delivered for the
+upper layers to sort.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Link: https://patch.msgid.link/20250717120649.2090929-1-oneukum@suse.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/cdc_ncm.c | 20 ++++++++++++++++----
+ include/linux/usb/cdc_ncm.h | 1 +
+ 2 files changed, 17 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
+index db05622f1f70..d9792fd515a9 100644
+--- a/drivers/net/usb/cdc_ncm.c
++++ b/drivers/net/usb/cdc_ncm.c
+@@ -893,6 +893,10 @@ int cdc_ncm_bind_common(struct usbnet *dev, struct usb_interface *intf, u8 data_
+ }
+ }
+
++ if (ctx->func_desc)
++ ctx->filtering_supported = !!(ctx->func_desc->bmNetworkCapabilities
++ & USB_CDC_NCM_NCAP_ETH_FILTER);
++
+ iface_no = ctx->data->cur_altsetting->desc.bInterfaceNumber;
+
+ /* Device-specific flags */
+@@ -1898,6 +1902,14 @@ static void cdc_ncm_status(struct usbnet *dev, struct urb *urb)
+ }
+ }
+
++static void cdc_ncm_update_filter(struct usbnet *dev)
++{
++ struct cdc_ncm_ctx *ctx = (struct cdc_ncm_ctx *)dev->data[0];
++
++ if (ctx->filtering_supported)
++ usbnet_cdc_update_filter(dev);
++}
++
+ static const struct driver_info cdc_ncm_info = {
+ .description = "CDC NCM (NO ZLP)",
+ .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET
+@@ -1908,7 +1920,7 @@ static const struct driver_info cdc_ncm_info = {
+ .status = cdc_ncm_status,
+ .rx_fixup = cdc_ncm_rx_fixup,
+ .tx_fixup = cdc_ncm_tx_fixup,
+- .set_rx_mode = usbnet_cdc_update_filter,
++ .set_rx_mode = cdc_ncm_update_filter,
+ };
+
+ /* Same as cdc_ncm_info, but with FLAG_SEND_ZLP */
+@@ -1922,7 +1934,7 @@ static const struct driver_info cdc_ncm_zlp_info = {
+ .status = cdc_ncm_status,
+ .rx_fixup = cdc_ncm_rx_fixup,
+ .tx_fixup = cdc_ncm_tx_fixup,
+- .set_rx_mode = usbnet_cdc_update_filter,
++ .set_rx_mode = cdc_ncm_update_filter,
+ };
+
+ /* Same as cdc_ncm_info, but with FLAG_WWAN */
+@@ -1936,7 +1948,7 @@ static const struct driver_info wwan_info = {
+ .status = cdc_ncm_status,
+ .rx_fixup = cdc_ncm_rx_fixup,
+ .tx_fixup = cdc_ncm_tx_fixup,
+- .set_rx_mode = usbnet_cdc_update_filter,
++ .set_rx_mode = cdc_ncm_update_filter,
+ };
+
+ /* Same as wwan_info, but with FLAG_NOARP */
+@@ -1950,7 +1962,7 @@ static const struct driver_info wwan_noarp_info = {
+ .status = cdc_ncm_status,
+ .rx_fixup = cdc_ncm_rx_fixup,
+ .tx_fixup = cdc_ncm_tx_fixup,
+- .set_rx_mode = usbnet_cdc_update_filter,
++ .set_rx_mode = cdc_ncm_update_filter,
+ };
+
+ static const struct usb_device_id cdc_devs[] = {
+diff --git a/include/linux/usb/cdc_ncm.h b/include/linux/usb/cdc_ncm.h
+index 2d207cb4837d..4ac082a63173 100644
+--- a/include/linux/usb/cdc_ncm.h
++++ b/include/linux/usb/cdc_ncm.h
+@@ -119,6 +119,7 @@ struct cdc_ncm_ctx {
+ u32 timer_interval;
+ u32 max_ndp_size;
+ u8 is_ndp16;
++ u8 filtering_supported;
+ union {
+ struct usb_cdc_ncm_ndp16 *delayed_ndp16;
+ struct usb_cdc_ncm_ndp32 *delayed_ndp32;
+--
+2.39.5
+
--- /dev/null
+From b2b9ffeec9d10d8f71e65c5382432f7787ca4ba6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Jun 2025 16:26:24 +0300
+Subject: net: vlan: Make is_vlan_dev() a stub when VLAN is not configured
+
+From: Gal Pressman <gal@nvidia.com>
+
+[ Upstream commit 2de1ba0887e5d3bf02d7c212f380039b34e10aa3 ]
+
+Add a stub implementation of is_vlan_dev() that returns false when
+VLAN support is not compiled in (CONFIG_VLAN_8021Q=n).
+
+This allows us to compile-out VLAN-dependent dead code when it is not
+needed.
+
+This also resolves the following compilation error when:
+* CONFIG_VLAN_8021Q=n
+* CONFIG_OBJTOOL=y
+* CONFIG_OBJTOOL_WERROR=y
+
+drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.o: error: objtool: parse_mirred.isra.0+0x370: mlx5e_tc_act_vlan_add_push_action() missing __noreturn in .c/.h or NORETURN() in noreturns.h
+
+The error occurs because objtool cannot determine that unreachable BUG()
+(which doesn't return) calls in VLAN code paths are actually dead code
+when VLAN support is disabled.
+
+Signed-off-by: Gal Pressman <gal@nvidia.com>
+Link: https://patch.msgid.link/20250616132626.1749331-2-gal@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/if_vlan.h | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/include/linux/if_vlan.h b/include/linux/if_vlan.h
+index 430749a0f362..a6b46f0eab16 100644
+--- a/include/linux/if_vlan.h
++++ b/include/linux/if_vlan.h
+@@ -79,11 +79,6 @@ static inline struct vlan_ethhdr *skb_vlan_eth_hdr(const struct sk_buff *skb)
+ /* found in socket.c */
+ extern void vlan_ioctl_set(int (*hook)(struct net *, void __user *));
+
+-static inline bool is_vlan_dev(const struct net_device *dev)
+-{
+- return dev->priv_flags & IFF_802_1Q_VLAN;
+-}
+-
+ #define skb_vlan_tag_present(__skb) (!!(__skb)->vlan_all)
+ #define skb_vlan_tag_get(__skb) ((__skb)->vlan_tci)
+ #define skb_vlan_tag_get_id(__skb) ((__skb)->vlan_tci & VLAN_VID_MASK)
+@@ -199,6 +194,11 @@ struct vlan_dev_priv {
+ #endif
+ };
+
++static inline bool is_vlan_dev(const struct net_device *dev)
++{
++ return dev->priv_flags & IFF_802_1Q_VLAN;
++}
++
+ static inline struct vlan_dev_priv *vlan_dev_priv(const struct net_device *dev)
+ {
+ return netdev_priv(dev);
+@@ -236,6 +236,11 @@ extern void vlan_vids_del_by_dev(struct net_device *dev,
+ extern bool vlan_uses_dev(const struct net_device *dev);
+
+ #else
++static inline bool is_vlan_dev(const struct net_device *dev)
++{
++ return false;
++}
++
+ static inline struct net_device *
+ __vlan_find_dev_deep_rcu(struct net_device *real_dev,
+ __be16 vlan_proto, u16 vlan_id)
+--
+2.39.5
+
--- /dev/null
+From 9ff65e3da4c274aa7e3972cbc49228ebb38826f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Jun 2025 16:26:25 +0300
+Subject: net: vlan: Replace BUG() with WARN_ON_ONCE() in vlan_dev_* stubs
+
+From: Gal Pressman <gal@nvidia.com>
+
+[ Upstream commit 60a8b1a5d0824afda869f18dc0ecfe72f8dfda42 ]
+
+When CONFIG_VLAN_8021Q=n, a set of stub helpers are used, three of these
+helpers use BUG() unconditionally.
+
+This code should not be reached, as callers of these functions should
+always check for is_vlan_dev() first, but the usage of BUG() is not
+recommended, replace it with WARN_ON() instead.
+
+Reviewed-by: Alex Lazar <alazar@nvidia.com>
+Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
+Signed-off-by: Gal Pressman <gal@nvidia.com>
+Link: https://patch.msgid.link/20250616132626.1749331-3-gal@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/if_vlan.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/include/linux/if_vlan.h b/include/linux/if_vlan.h
+index a6b46f0eab16..272d9ad73960 100644
+--- a/include/linux/if_vlan.h
++++ b/include/linux/if_vlan.h
+@@ -258,19 +258,19 @@ vlan_for_each(struct net_device *dev,
+
+ static inline struct net_device *vlan_dev_real_dev(const struct net_device *dev)
+ {
+- BUG();
++ WARN_ON_ONCE(1);
+ return NULL;
+ }
+
+ static inline u16 vlan_dev_vlan_id(const struct net_device *dev)
+ {
+- BUG();
++ WARN_ON_ONCE(1);
+ return 0;
+ }
+
+ static inline __be16 vlan_dev_vlan_proto(const struct net_device *dev)
+ {
+- BUG();
++ WARN_ON_ONCE(1);
+ return 0;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From c47ac61f717bfbc91bff1a9a40c0129a48c7262b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Jun 2025 17:52:38 +0000
+Subject: netmem: fix skb_frag_address_safe with unreadable skbs
+
+From: Mina Almasry <almasrymina@google.com>
+
+[ Upstream commit 4672aec56d2e8edabcb74c3e2320301d106a377e ]
+
+skb_frag_address_safe() needs a check that the
+skb_frag_page exists check similar to skb_frag_address().
+
+Cc: ap420073@gmail.com
+
+Signed-off-by: Mina Almasry <almasrymina@google.com>
+Acked-by: Stanislav Fomichev <sdf@fomichev.me>
+Link: https://patch.msgid.link/20250619175239.3039329-1-almasrymina@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/skbuff.h | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
+index 7b7222b4f611..3a558a3c2cca 100644
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -3556,7 +3556,13 @@ static inline void *skb_frag_address(const skb_frag_t *frag)
+ */
+ static inline void *skb_frag_address_safe(const skb_frag_t *frag)
+ {
+- void *ptr = page_address(skb_frag_page(frag));
++ struct page *page = skb_frag_page(frag);
++ void *ptr;
++
++ if (!page)
++ return NULL;
++
++ ptr = page_address(page);
+ if (unlikely(!ptr))
+ return NULL;
+
+--
+2.39.5
+
--- /dev/null
+From b1084964cf7d0fea669647b660313ce1e3290e6e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jul 2025 12:16:27 -0700
+Subject: nvme-pci: try function level reset on init failure
+
+From: Keith Busch <kbusch@kernel.org>
+
+[ Upstream commit 5b2c214a95942f7997d1916a4c44017becbc3cac ]
+
+NVMe devices from multiple vendors appear to get stuck in a reset state
+that we can't get out of with an NVMe level Controller Reset. The kernel
+would report these with messages that look like:
+
+ Device not ready; aborting reset, CSTS=0x1
+
+These have historically required a power cycle to make them usable
+again, but in many cases, a PCIe FLR is sufficient to restart operation
+without a power cycle. Try it if the initial controller reset fails
+during any nvme reset attempt.
+
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Reviewed-by: Nitesh Shetty <nj.shetty@samsung.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index 97ab91a479d1..136dba6221d8 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -1755,8 +1755,28 @@ static int nvme_pci_configure_admin_queue(struct nvme_dev *dev)
+ * might be pointing at!
+ */
+ result = nvme_disable_ctrl(&dev->ctrl, false);
+- if (result < 0)
+- return result;
++ if (result < 0) {
++ struct pci_dev *pdev = to_pci_dev(dev->dev);
++
++ /*
++ * The NVMe Controller Reset method did not get an expected
++ * CSTS.RDY transition, so something with the device appears to
++ * be stuck. Use the lower level and bigger hammer PCIe
++ * Function Level Reset to attempt restoring the device to its
++ * initial state, and try again.
++ */
++ result = pcie_reset_flr(pdev, false);
++ if (result < 0)
++ return result;
++
++ pci_restore_state(pdev);
++ result = nvme_disable_ctrl(&dev->ctrl, false);
++ if (result < 0)
++ return result;
++
++ dev_info(dev->ctrl.device,
++ "controller reset completed after pcie flr\n");
++ }
+
+ result = nvme_alloc_queue(dev, 0, NVME_AQ_DEPTH);
+ if (result)
+--
+2.39.5
+
--- /dev/null
+From 9a2441ea485cebdea06e802b1720b580e3a9747b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jun 2025 12:43:39 -0700
+Subject: perf/cxlpmu: Remove unintended newline from IRQ name format string
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit 3e870815ccf5bc75274158f0b5e234fce6f93229 ]
+
+The IRQ name format string used in devm_kasprintf() mistakenly included
+a newline character "\n".
+This could lead to confusing log output or misformatted names in sysfs
+or debug messages.
+
+This fix removes the newline to ensure proper IRQ naming.
+
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
+Link: https://lore.kernel.org/r/20250624194350.109790-3-alok.a.tiwari@oracle.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/perf/cxl_pmu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/perf/cxl_pmu.c b/drivers/perf/cxl_pmu.c
+index 308c9969642e..c03df0f52889 100644
+--- a/drivers/perf/cxl_pmu.c
++++ b/drivers/perf/cxl_pmu.c
+@@ -881,7 +881,7 @@ static int cxl_pmu_probe(struct device *dev)
+ return rc;
+ irq = rc;
+
+- irq_name = devm_kasprintf(dev, GFP_KERNEL, "%s_overflow\n", dev_name);
++ irq_name = devm_kasprintf(dev, GFP_KERNEL, "%s_overflow", dev_name);
+ if (!irq_name)
+ return -ENOMEM;
+
+--
+2.39.5
+
--- /dev/null
+From 89c5feb36ce424eacc78e8cdbdf5ac315e5a01b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 19:25:28 -0300
+Subject: phy: rockchip-pcie: Properly disable TEST_WRITE strobe signal
+
+From: Geraldo Nascimento <geraldogabriel@gmail.com>
+
+[ Upstream commit 25facbabc3fc33c794ad09d73f73268c0f8cbc7d ]
+
+pcie_conf is used to touch TEST_WRITE strobe signal. This signal should
+be enabled, a little time waited, and then disabled. Current code clearly
+was copy-pasted and never disables the strobe signal. Adjust the define.
+While at it, remove PHY_CFG_RD_MASK which has been unused since
+64cdc0360811 ("phy: rockchip-pcie: remove unused phy_rd_cfg function").
+
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Signed-off-by: Geraldo Nascimento <geraldogabriel@gmail.com>
+Link: https://lore.kernel.org/r/d514d5d5627680caafa8b7548cbdfee4307f5440.1751322015.git.geraldogabriel@gmail.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/rockchip/phy-rockchip-pcie.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/phy/rockchip/phy-rockchip-pcie.c b/drivers/phy/rockchip/phy-rockchip-pcie.c
+index 8234b83fdd88..cbf3c140a138 100644
+--- a/drivers/phy/rockchip/phy-rockchip-pcie.c
++++ b/drivers/phy/rockchip/phy-rockchip-pcie.c
+@@ -31,9 +31,8 @@
+ #define PHY_CFG_ADDR_SHIFT 1
+ #define PHY_CFG_DATA_MASK 0xf
+ #define PHY_CFG_ADDR_MASK 0x3f
+-#define PHY_CFG_RD_MASK 0x3ff
+ #define PHY_CFG_WR_ENABLE 1
+-#define PHY_CFG_WR_DISABLE 1
++#define PHY_CFG_WR_DISABLE 0
+ #define PHY_CFG_WR_SHIFT 0
+ #define PHY_CFG_WR_MASK 1
+ #define PHY_CFG_PLL_LOCK 0x10
+--
+2.39.5
+
--- /dev/null
+From a0139dd4b738bafd6c0ad7b52e180a41f3f06221 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 16:30:39 +0200
+Subject: pinctrl: stm32: Manage irq affinity settings
+
+From: Cheick Traore <cheick.traore@foss.st.com>
+
+[ Upstream commit 4c5cc2f65386e22166ce006efe515c667aa075e4 ]
+
+Trying to set the affinity of the interrupts associated to stm32
+pinctrl results in a write error.
+
+Fill struct irq_chip::irq_set_affinity to use the default helper
+function.
+
+Signed-off-by: Cheick Traore <cheick.traore@foss.st.com>
+Signed-off-by: Antonio Borneo <antonio.borneo@foss.st.com>
+Link: https://lore.kernel.org/20250610143042.295376-3-antonio.borneo@foss.st.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/stm32/pinctrl-stm32.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pinctrl/stm32/pinctrl-stm32.c b/drivers/pinctrl/stm32/pinctrl-stm32.c
+index 84121b125d90..67c2791ee246 100644
+--- a/drivers/pinctrl/stm32/pinctrl-stm32.c
++++ b/drivers/pinctrl/stm32/pinctrl-stm32.c
+@@ -418,6 +418,7 @@ static struct irq_chip stm32_gpio_irq_chip = {
+ .irq_set_wake = irq_chip_set_wake_parent,
+ .irq_request_resources = stm32_gpio_irq_request_resources,
+ .irq_release_resources = stm32_gpio_irq_release_resources,
++ .irq_set_affinity = IS_ENABLED(CONFIG_SMP) ? irq_chip_set_affinity_parent : NULL,
+ };
+
+ static int stm32_gpio_domain_translate(struct irq_domain *d,
+--
+2.39.5
+
--- /dev/null
+From 2f3c0d6330fb4455ad4100d19151c4bbf9fb3052 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 17:37:47 +0200
+Subject: platform/chrome: cros_ec_typec: Defer probe on missing EC parent
+
+From: Tomasz Michalec <tmichalec@google.com>
+
+[ Upstream commit 8866f4e557eba43e991f99711515217a95f62d2e ]
+
+If cros_typec_probe is called before EC device is registered,
+cros_typec_probe will fail. It may happen when cros-ec-typec.ko is
+loaded before EC bus layer module (e.g. cros_ec_lpcs.ko,
+cros_ec_spi.ko).
+
+Return -EPROBE_DEFER when cros_typec_probe doesn't get EC device, so
+the probe function can be called again after EC device is registered.
+
+Signed-off-by: Tomasz Michalec <tmichalec@google.com>
+Reviewed-by: Abhishek Pandit-Subedi <abhishekpandit@chromium.org>
+Link: https://lore.kernel.org/r/20250610153748.1858519-1-tmichalec@google.com
+Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/chrome/cros_ec_typec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/platform/chrome/cros_ec_typec.c b/drivers/platform/chrome/cros_ec_typec.c
+index 66fdc6fa73ec..76807ceb313a 100644
+--- a/drivers/platform/chrome/cros_ec_typec.c
++++ b/drivers/platform/chrome/cros_ec_typec.c
+@@ -1179,8 +1179,8 @@ static int cros_typec_probe(struct platform_device *pdev)
+
+ typec->ec = dev_get_drvdata(pdev->dev.parent);
+ if (!typec->ec) {
+- dev_err(dev, "couldn't find parent EC device\n");
+- return -ENODEV;
++ dev_warn(dev, "couldn't find parent EC device\n");
++ return -EPROBE_DEFER;
+ }
+
+ platform_set_drvdata(pdev, typec);
+--
+2.39.5
+
--- /dev/null
+From 310aaa17dd57bc36019ea3f5219491871b5ab360 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jul 2025 12:23:05 -0500
+Subject: platform/x86/amd: pmc: Add Lenovo Yoga 6 13ALC6 to pmc quirk list
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit 4ff3aeb664f7dfe824ba91ffb0b203397a8d431e ]
+
+The Lenovo Yoga 6 13ACL6 82ND has a similar BIOS problem as other Lenovo
+laptops from that vintage that causes a rather long resume from suspend.
+
+Add it to the quirk list that manipulates the scratch register to avoid
+the issue.
+
+Reported-by: Adam Berglund <adam.f.berglund@hotmail.com>
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4434
+Tested-by: Adam Berglund <adam.f.berglund@hotmail.com>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Reviewed-by: Hans de Goede <hansg@kernel.org>
+Link: https://lore.kernel.org/r/20250718172307.1928744-1-superm1@kernel.org
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/amd/pmc/pmc-quirks.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/platform/x86/amd/pmc/pmc-quirks.c b/drivers/platform/x86/amd/pmc/pmc-quirks.c
+index 7ed12c1d3b34..04686ae1e976 100644
+--- a/drivers/platform/x86/amd/pmc/pmc-quirks.c
++++ b/drivers/platform/x86/amd/pmc/pmc-quirks.c
+@@ -189,6 +189,15 @@ static const struct dmi_system_id fwbug_list[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "82XQ"),
+ }
+ },
++ /* https://gitlab.freedesktop.org/drm/amd/-/issues/4434 */
++ {
++ .ident = "Lenovo Yoga 6 13ALC6",
++ .driver_data = &quirk_s2idle_bug,
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "82ND"),
++ }
++ },
+ /* https://gitlab.freedesktop.org/drm/amd/-/issues/2684 */
+ {
+ .ident = "HP Laptop 15s-eq2xxx",
+--
+2.39.5
+
--- /dev/null
+From e231879ed6d90eae34c55851240a82276f14aaf5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 May 2025 11:18:37 -0700
+Subject: platform/x86: thinkpad_acpi: Handle KCOV __init vs inline mismatches
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit 6418a8504187dc7f5b6f9d0649c03e362cb0664b ]
+
+When KCOV is enabled all functions get instrumented, unless the
+__no_sanitize_coverage attribute is used. To prepare for
+__no_sanitize_coverage being applied to __init functions[1], we have
+to handle differences in how GCC's inline optimizations get resolved.
+For thinkpad_acpi routines, this means forcing two functions to be
+inline with __always_inline.
+
+Link: https://lore.kernel.org/lkml/20250523043935.2009972-11-kees@kernel.org/ [1]
+Signed-off-by: Kees Cook <kees@kernel.org>
+Link: https://lore.kernel.org/r/20250529181831.work.439-kees@kernel.org
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/thinkpad_acpi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c
+index 8de0d3232e48..88364a5502e6 100644
+--- a/drivers/platform/x86/thinkpad_acpi.c
++++ b/drivers/platform/x86/thinkpad_acpi.c
+@@ -537,12 +537,12 @@ static unsigned long __init tpacpi_check_quirks(
+ return 0;
+ }
+
+-static inline bool __pure __init tpacpi_is_lenovo(void)
++static __always_inline bool __pure __init tpacpi_is_lenovo(void)
+ {
+ return thinkpad_id.vendor == PCI_VENDOR_ID_LENOVO;
+ }
+
+-static inline bool __pure __init tpacpi_is_ibm(void)
++static __always_inline bool __pure __init tpacpi_is_ibm(void)
+ {
+ return thinkpad_id.vendor == PCI_VENDOR_ID_IBM;
+ }
+--
+2.39.5
+
--- /dev/null
+From 38f26ac1a5a8f400d4ae9b7da691c025b8cc058c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jun 2025 17:53:54 +0530
+Subject: pm: cpupower: Fix the snapshot-order of tsc,mperf, clock in
+ mperf_stop()
+
+From: Gautham R. Shenoy <gautham.shenoy@amd.com>
+
+[ Upstream commit cda7ac8ce7de84cf32a3871ba5f318aa3b79381e ]
+
+In the function mperf_start(), mperf_monitor snapshots the time, tsc
+and finally the aperf,mperf MSRs. However, this order of snapshotting
+in is reversed in mperf_stop(). As a result, the C0 residency (which
+is computed as delta_mperf * 100 / delta_tsc) is under-reported on
+CPUs that is 100% busy.
+
+Fix this by snapshotting time, tsc and then aperf,mperf in
+mperf_stop() in the same order as in mperf_start().
+
+Link: https://lore.kernel.org/r/20250612122355.19629-2-gautham.shenoy@amd.com
+Signed-off-by: Gautham R. Shenoy <gautham.shenoy@amd.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/power/cpupower/utils/idle_monitor/mperf_monitor.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c b/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c
+index 08a399b0be28..6ab9139f16af 100644
+--- a/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c
++++ b/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c
+@@ -240,9 +240,9 @@ static int mperf_stop(void)
+ int cpu;
+
+ for (cpu = 0; cpu < cpu_count; cpu++) {
+- mperf_measure_stats(cpu);
+- mperf_get_tsc(&tsc_at_measure_end[cpu]);
+ clock_gettime(CLOCK_REALTIME, &time_end[cpu]);
++ mperf_get_tsc(&tsc_at_measure_end[cpu]);
++ mperf_measure_stats(cpu);
+ }
+
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From afbe2050cd28d24fdb29310d81b747fff2d3b71f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Apr 2025 11:00:17 +0800
+Subject: PM / devfreq: governor: Replace sscanf() with kstrtoul() in
+ set_freq_store()
+
+From: Lifeng Zheng <zhenglifeng1@huawei.com>
+
+[ Upstream commit 914cc799b28f17d369d5b4db3b941957d18157e8 ]
+
+Replace sscanf() with kstrtoul() in set_freq_store() and check the result
+to avoid invalid input.
+
+Signed-off-by: Lifeng Zheng <zhenglifeng1@huawei.com>
+Link: https://lore.kernel.org/lkml/20250421030020.3108405-2-zhenglifeng1@huawei.com/
+Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/devfreq/governor_userspace.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/devfreq/governor_userspace.c b/drivers/devfreq/governor_userspace.c
+index d69672ccacc4..8d057cea09d5 100644
+--- a/drivers/devfreq/governor_userspace.c
++++ b/drivers/devfreq/governor_userspace.c
+@@ -9,6 +9,7 @@
+ #include <linux/slab.h>
+ #include <linux/device.h>
+ #include <linux/devfreq.h>
++#include <linux/kstrtox.h>
+ #include <linux/pm.h>
+ #include <linux/mutex.h>
+ #include <linux/module.h>
+@@ -39,10 +40,13 @@ static ssize_t set_freq_store(struct device *dev, struct device_attribute *attr,
+ unsigned long wanted;
+ int err = 0;
+
++ err = kstrtoul(buf, 0, &wanted);
++ if (err)
++ return err;
++
+ mutex_lock(&devfreq->lock);
+ data = devfreq->governor_data;
+
+- sscanf(buf, "%lu", &wanted);
+ data->user_frequency = wanted;
+ data->valid = true;
+ err = update_devfreq(devfreq);
+--
+2.39.5
+
--- /dev/null
+From 22c6f2e0fe2a98f9c08768a926608e8d5613416c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 21:16:05 +0200
+Subject: PM: runtime: Clear power.needs_force_resume in pm_runtime_reinit()
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 89d9cec3b1e9c49bae9375a2db6dc49bc7468af0 ]
+
+Clear power.needs_force_resume in pm_runtime_reinit() in case it has
+been set by pm_runtime_force_suspend() invoked from a driver remove
+callback.
+
+Suggested-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
+Link: https://patch.msgid.link/9495163.CDJkKcVGEf@rjwysocki.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/power/runtime.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c
+index 0d43bf5b6cec..d89439e3605a 100644
+--- a/drivers/base/power/runtime.c
++++ b/drivers/base/power/runtime.c
+@@ -1754,6 +1754,11 @@ void pm_runtime_reinit(struct device *dev)
+ pm_runtime_put(dev->parent);
+ }
+ }
++ /*
++ * Clear power.needs_force_resume in case it has been set by
++ * pm_runtime_force_suspend() invoked from a driver remove callback.
++ */
++ dev->power.needs_force_resume = false;
+ }
+
+ /**
+--
+2.39.5
+
--- /dev/null
+From b0b1b98d13ff7419b64490e5a114df5c3cbc1798 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 11:23:45 +0800
+Subject: PM: sleep: console: Fix the black screen issue
+
+From: tuhaowen <tuhaowen@uniontech.com>
+
+[ Upstream commit 4266e8fa56d3d982bf451d382a410b9db432015c ]
+
+When the computer enters sleep status without a monitor
+connected, the system switches the console to the virtual
+terminal tty63(SUSPEND_CONSOLE).
+
+If a monitor is subsequently connected before waking up,
+the system skips the required VT restoration process
+during wake-up, leaving the console on tty63 instead of
+switching back to tty1.
+
+To fix this issue, a global flag vt_switch_done is introduced
+to record whether the system has successfully switched to
+the suspend console via vt_move_to_console() during suspend.
+
+If the switch was completed, vt_switch_done is set to 1.
+Later during resume, this flag is checked to ensure that
+the original console is restored properly by calling
+vt_move_to_console(orig_fgconsole, 0).
+
+This prevents scenarios where the resume logic skips console
+restoration due to incorrect detection of the console state,
+especially when a monitor is reconnected before waking up.
+
+Signed-off-by: tuhaowen <tuhaowen@uniontech.com>
+Link: https://patch.msgid.link/20250611032345.29962-1-tuhaowen@uniontech.com
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/power/console.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/power/console.c b/kernel/power/console.c
+index fcdf0e14a47d..19c48aa5355d 100644
+--- a/kernel/power/console.c
++++ b/kernel/power/console.c
+@@ -16,6 +16,7 @@
+ #define SUSPEND_CONSOLE (MAX_NR_CONSOLES-1)
+
+ static int orig_fgconsole, orig_kmsg;
++static bool vt_switch_done;
+
+ static DEFINE_MUTEX(vt_switch_mutex);
+
+@@ -136,17 +137,21 @@ void pm_prepare_console(void)
+ if (orig_fgconsole < 0)
+ return;
+
++ vt_switch_done = true;
++
+ orig_kmsg = vt_kmsg_redirect(SUSPEND_CONSOLE);
+ return;
+ }
+
+ void pm_restore_console(void)
+ {
+- if (!pm_vt_switch())
++ if (!pm_vt_switch() && !vt_switch_done)
+ return;
+
+ if (orig_fgconsole >= 0) {
+ vt_move_to_console(orig_fgconsole, 0);
+ vt_kmsg_redirect(orig_kmsg);
+ }
++
++ vt_switch_done = false;
+ }
+--
+2.39.5
+
--- /dev/null
+From d6cba578923e4b9f2444d3e84d7f5a5c16f74375 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Jul 2025 16:32:21 +0300
+Subject: pNFS: Fix disk addr range check in block/scsi layout
+
+From: Sergey Bashirov <sergeybashirov@gmail.com>
+
+[ Upstream commit 7db6e66663681abda54f81d5916db3a3b8b1a13d ]
+
+At the end of the isect translation, disc_addr represents the physical
+disk offset. Thus, end calculated from disk_addr is also a physical disk
+offset. Therefore, range checking should be done using map->disk_offset,
+not map->start.
+
+Signed-off-by: Sergey Bashirov <sergeybashirov@gmail.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20250702133226.212537-1-sergeybashirov@gmail.com
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/blocklayout/blocklayout.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/nfs/blocklayout/blocklayout.c b/fs/nfs/blocklayout/blocklayout.c
+index 6be13e0ec170..e498aade8c47 100644
+--- a/fs/nfs/blocklayout/blocklayout.c
++++ b/fs/nfs/blocklayout/blocklayout.c
+@@ -149,8 +149,8 @@ do_add_page_to_bio(struct bio *bio, int npg, enum req_op op, sector_t isect,
+
+ /* limit length to what the device mapping allows */
+ end = disk_addr + *len;
+- if (end >= map->start + map->len)
+- *len = map->start + map->len - disk_addr;
++ if (end >= map->disk_offset + map->len)
++ *len = map->disk_offset + map->len - disk_addr;
+
+ retry:
+ if (!bio) {
+--
+2.39.5
+
--- /dev/null
+From 50bc2f07546738dc233c8674d5ba5f3560a2d601 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 15:21:48 +0300
+Subject: pNFS: Fix stripe mapping in block/scsi layout
+
+From: Sergey Bashirov <sergeybashirov@gmail.com>
+
+[ Upstream commit 81438498a285759f31e843ac4800f82a5ce6521f ]
+
+Because of integer division, we need to carefully calculate the
+disk offset. Consider the example below for a stripe of 6 volumes,
+a chunk size of 4096, and an offset of 70000.
+
+chunk = div_u64(offset, dev->chunk_size) = 70000 / 4096 = 17
+offset = chunk * dev->chunk_size = 17 * 4096 = 69632
+disk_offset_wrong = div_u64(offset, dev->nr_children) = 69632 / 6 = 11605
+disk_chunk = div_u64(chunk, dev->nr_children) = 17 / 6 = 2
+disk_offset = disk_chunk * dev->chunk_size = 2 * 4096 = 8192
+
+Signed-off-by: Sergey Bashirov <sergeybashirov@gmail.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20250701122341.199112-1-sergeybashirov@gmail.com
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/blocklayout/dev.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/fs/nfs/blocklayout/dev.c b/fs/nfs/blocklayout/dev.c
+index 65cbb5607a5f..61ee0b6c0fba 100644
+--- a/fs/nfs/blocklayout/dev.c
++++ b/fs/nfs/blocklayout/dev.c
+@@ -199,10 +199,11 @@ static bool bl_map_stripe(struct pnfs_block_dev *dev, u64 offset,
+ struct pnfs_block_dev *child;
+ u64 chunk;
+ u32 chunk_idx;
++ u64 disk_chunk;
+ u64 disk_offset;
+
+ chunk = div_u64(offset, dev->chunk_size);
+- div_u64_rem(chunk, dev->nr_children, &chunk_idx);
++ disk_chunk = div_u64_rem(chunk, dev->nr_children, &chunk_idx);
+
+ if (chunk_idx >= dev->nr_children) {
+ dprintk("%s: invalid chunk idx %d (%lld/%lld)\n",
+@@ -215,7 +216,7 @@ static bool bl_map_stripe(struct pnfs_block_dev *dev, u64 offset,
+ offset = chunk * dev->chunk_size;
+
+ /* disk offset of the stripe */
+- disk_offset = div_u64(offset, dev->nr_children);
++ disk_offset = disk_chunk * dev->chunk_size;
+
+ child = &dev->children[chunk_idx];
+ child->map(child, disk_offset, map);
+--
+2.39.5
+
--- /dev/null
+From 502262785be2e836dcd40921e3fc71afa24ae9d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 21:35:26 +0300
+Subject: pNFS: Fix uninited ptr deref in block/scsi layout
+
+From: Sergey Bashirov <sergeybashirov@gmail.com>
+
+[ Upstream commit 9768797c219326699778fba9cd3b607b2f1e7950 ]
+
+The error occurs on the third attempt to encode extents. When function
+ext_tree_prepare_commit() reallocates a larger buffer to retry encoding
+extents, the "layoutupdate_pages" page array is initialized only after the
+retry loop. But ext_tree_free_commitdata() is called on every iteration
+and tries to put pages in the array, thus dereferencing uninitialized
+pointers.
+
+An additional problem is that there is no limit on the maximum possible
+buffer_size. When there are too many extents, the client may create a
+layoutcommit that is larger than the maximum possible RPC size accepted
+by the server.
+
+During testing, we observed two typical scenarios. First, one memory page
+for extents is enough when we work with small files, append data to the
+end of the file, or preallocate extents before writing. But when we fill
+a new large file without preallocating, the number of extents can be huge,
+and counting the number of written extents in ext_tree_encode_commit()
+does not help much. Since this number increases even more between
+unlocking and locking of ext_tree, the reallocated buffer may not be
+large enough again and again.
+
+Co-developed-by: Konstantin Evtushenko <koevtushenko@yandex.com>
+Signed-off-by: Konstantin Evtushenko <koevtushenko@yandex.com>
+Signed-off-by: Sergey Bashirov <sergeybashirov@gmail.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20250630183537.196479-2-sergeybashirov@gmail.com
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/blocklayout/extent_tree.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/fs/nfs/blocklayout/extent_tree.c b/fs/nfs/blocklayout/extent_tree.c
+index 8f7cff7a4293..0add0f329816 100644
+--- a/fs/nfs/blocklayout/extent_tree.c
++++ b/fs/nfs/blocklayout/extent_tree.c
+@@ -552,6 +552,15 @@ static int ext_tree_encode_commit(struct pnfs_block_layout *bl, __be32 *p,
+ return ret;
+ }
+
++/**
++ * ext_tree_prepare_commit - encode extents that need to be committed
++ * @arg: layout commit data
++ *
++ * Return values:
++ * %0: Success, all required extents are encoded
++ * %-ENOSPC: Some extents are encoded, but not all, due to RPC size limit
++ * %-ENOMEM: Out of memory, extents not encoded
++ */
+ int
+ ext_tree_prepare_commit(struct nfs4_layoutcommit_args *arg)
+ {
+@@ -568,12 +577,12 @@ ext_tree_prepare_commit(struct nfs4_layoutcommit_args *arg)
+ start_p = page_address(arg->layoutupdate_page);
+ arg->layoutupdate_pages = &arg->layoutupdate_page;
+
+-retry:
+- ret = ext_tree_encode_commit(bl, start_p + 1, buffer_size, &count, &arg->lastbytewritten);
++ ret = ext_tree_encode_commit(bl, start_p + 1, buffer_size,
++ &count, &arg->lastbytewritten);
+ if (unlikely(ret)) {
+ ext_tree_free_commitdata(arg, buffer_size);
+
+- buffer_size = ext_tree_layoutupdate_size(bl, count);
++ buffer_size = NFS_SERVER(arg->inode)->wsize;
+ count = 0;
+
+ arg->layoutupdate_pages =
+@@ -588,7 +597,8 @@ ext_tree_prepare_commit(struct nfs4_layoutcommit_args *arg)
+ return -ENOMEM;
+ }
+
+- goto retry;
++ ret = ext_tree_encode_commit(bl, start_p + 1, buffer_size,
++ &count, &arg->lastbytewritten);
+ }
+
+ *start_p = cpu_to_be32(count);
+@@ -608,7 +618,7 @@ ext_tree_prepare_commit(struct nfs4_layoutcommit_args *arg)
+ }
+
+ dprintk("%s found %zu ranges\n", __func__, count);
+- return 0;
++ return ret;
+ }
+
+ void
+--
+2.39.5
+
--- /dev/null
+From 9217cd8ef632904ffa6250774fdbad42a50c354a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 21:35:29 +0300
+Subject: pNFS: Handle RPC size limit for layoutcommits
+
+From: Sergey Bashirov <sergeybashirov@gmail.com>
+
+[ Upstream commit d897d81671bc4615c80f4f3bd5e6b218f59df50c ]
+
+When there are too many block extents for a layoutcommit, they may not
+all fit into the maximum-sized RPC. This patch allows the generic pnfs
+code to properly handle -ENOSPC returned by the block/scsi layout driver
+and trigger additional layoutcommits if necessary.
+
+Co-developed-by: Konstantin Evtushenko <koevtushenko@yandex.com>
+Signed-off-by: Konstantin Evtushenko <koevtushenko@yandex.com>
+Signed-off-by: Sergey Bashirov <sergeybashirov@gmail.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20250630183537.196479-5-sergeybashirov@gmail.com
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/pnfs.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
+index 79d1ffdcbebd..b40c20bd364b 100644
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -3216,6 +3216,7 @@ pnfs_layoutcommit_inode(struct inode *inode, bool sync)
+ struct nfs_inode *nfsi = NFS_I(inode);
+ loff_t end_pos;
+ int status;
++ bool mark_as_dirty = false;
+
+ if (!pnfs_layoutcommit_outstanding(inode))
+ return 0;
+@@ -3267,19 +3268,23 @@ pnfs_layoutcommit_inode(struct inode *inode, bool sync)
+ if (ld->prepare_layoutcommit) {
+ status = ld->prepare_layoutcommit(&data->args);
+ if (status) {
+- put_cred(data->cred);
++ if (status != -ENOSPC)
++ put_cred(data->cred);
+ spin_lock(&inode->i_lock);
+ set_bit(NFS_INO_LAYOUTCOMMIT, &nfsi->flags);
+ if (end_pos > nfsi->layout->plh_lwb)
+ nfsi->layout->plh_lwb = end_pos;
+- goto out_unlock;
++ if (status != -ENOSPC)
++ goto out_unlock;
++ spin_unlock(&inode->i_lock);
++ mark_as_dirty = true;
+ }
+ }
+
+
+ status = nfs4_proc_layoutcommit(data, sync);
+ out:
+- if (status)
++ if (status || mark_as_dirty)
+ mark_inode_dirty_sync(inode);
+ dprintk("<-- %s status %d\n", __func__, status);
+ return status;
+--
+2.39.5
+
--- /dev/null
+From 4c5242618c72182f0cbed3ba5b9c53d6c6afdf4e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 May 2025 13:14:22 +0300
+Subject: power: supply: qcom_battmgr: Add lithium-polymer entry
+
+From: Abel Vesa <abel.vesa@linaro.org>
+
+[ Upstream commit 202ac22b8e2e015e6c196fd8113f3d2a62dd1afc ]
+
+On some Dell XPS 13 (9345) variants, the battery used is lithium-polymer
+based. Currently, this is reported as unknown technology due to the entry
+missing.
+
+[ 4083.135325] Unknown battery technology 'LIP'
+
+Add another check for lithium-polymer in the technology parsing callback
+and return that instead of unknown.
+
+Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250523-psy-qcom-battmgr-add-lipo-entry-v1-1-938c20a43a25@linaro.org
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/qcom_battmgr.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/power/supply/qcom_battmgr.c b/drivers/power/supply/qcom_battmgr.c
+index 5b3681b9100c..190e8a4cfa97 100644
+--- a/drivers/power/supply/qcom_battmgr.c
++++ b/drivers/power/supply/qcom_battmgr.c
+@@ -977,6 +977,8 @@ static unsigned int qcom_battmgr_sc8280xp_parse_technology(const char *chemistry
+ {
+ if (!strncmp(chemistry, "LIO", BATTMGR_CHEMISTRY_LEN))
+ return POWER_SUPPLY_TECHNOLOGY_LION;
++ if (!strncmp(chemistry, "LIP", BATTMGR_CHEMISTRY_LEN))
++ return POWER_SUPPLY_TECHNOLOGY_LIPO;
+
+ pr_err("Unknown battery technology '%s'\n", chemistry);
+ return POWER_SUPPLY_TECHNOLOGY_UNKNOWN;
+--
+2.39.5
+
--- /dev/null
+From 2cf92cb277d8d4df891c016438a5fc71fa00b439 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 16:29:11 +0200
+Subject: (powerpc/512) Fix possible `dma_unmap_single()` on uninitialized
+ pointer
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 760b9b4f6de9a33ca56a05f950cabe82138d25bd ]
+
+If the device configuration fails (if `dma_dev->device_config()`),
+`sg_dma_address(&sg)` is not initialized and the jump to `err_dma_prep`
+leads to calling `dma_unmap_single()` on `sg_dma_address(&sg)`.
+
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/20250610142918.169540-2-fourier.thomas@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/512x/mpc512x_lpbfifo.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/arch/powerpc/platforms/512x/mpc512x_lpbfifo.c b/arch/powerpc/platforms/512x/mpc512x_lpbfifo.c
+index 4a25b6b48615..f1e353fc6594 100644
+--- a/arch/powerpc/platforms/512x/mpc512x_lpbfifo.c
++++ b/arch/powerpc/platforms/512x/mpc512x_lpbfifo.c
+@@ -240,10 +240,8 @@ static int mpc512x_lpbfifo_kick(void)
+ dma_conf.src_addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES;
+
+ /* Make DMA channel work with LPB FIFO data register */
+- if (dma_dev->device_config(lpbfifo.chan, &dma_conf)) {
+- ret = -EINVAL;
+- goto err_dma_prep;
+- }
++ if (dma_dev->device_config(lpbfifo.chan, &dma_conf))
++ return -EINVAL;
+
+ sg_init_table(&sg, 1);
+
+--
+2.39.5
+
--- /dev/null
+From 6e05dae86f1192e00bcf2fa5f903f041031fb60b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 09:55:55 +0200
+Subject: powerpc: floppy: Add missing checks after DMA map
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit cf183c1730f2634245da35e9b5d53381b787d112 ]
+
+The DMA map functions can fail and should be tested for errors.
+
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/20250620075602.12575-1-fourier.thomas@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/floppy.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/include/asm/floppy.h b/arch/powerpc/include/asm/floppy.h
+index f8ce178b43b7..34abf8bea2cc 100644
+--- a/arch/powerpc/include/asm/floppy.h
++++ b/arch/powerpc/include/asm/floppy.h
+@@ -144,9 +144,12 @@ static int hard_dma_setup(char *addr, unsigned long size, int mode, int io)
+ bus_addr = 0;
+ }
+
+- if (!bus_addr) /* need to map it */
++ if (!bus_addr) { /* need to map it */
+ bus_addr = dma_map_single(&isa_bridge_pcidev->dev, addr, size,
+ dir);
++ if (dma_mapping_error(&isa_bridge_pcidev->dev, bus_addr))
++ return -ENOMEM;
++ }
+
+ /* remember this one as prev */
+ prev_addr = addr;
+--
+2.39.5
+
--- /dev/null
+From 9eca092f310cd70009843783d5641d5934414ded Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jun 2025 10:12:59 -0400
+Subject: powerpc/thp: tracing: Hide hugepage events under CONFIG_PPC_BOOK3S_64
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+[ Upstream commit 43cf0e05089afe23dac74fa6e1e109d49f2903c4 ]
+
+The events hugepage_set_pmd, hugepage_set_pud, hugepage_update_pmd and
+hugepage_update_pud are only called when CONFIG_PPC_BOOK3S_64 is defined.
+As each event can take up to 5K regardless if they are used or not, it's
+best not to define them when they are not used. Add #ifdef around these
+events when they are not used.
+
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/20250612101259.0ad43e48@batman.local.home
+Acked-by: David Hildenbrand <david@redhat.com>
+Acked-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/trace/events/thp.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/trace/events/thp.h b/include/trace/events/thp.h
+index f50048af5fcc..c8fe879d5828 100644
+--- a/include/trace/events/thp.h
++++ b/include/trace/events/thp.h
+@@ -8,6 +8,7 @@
+ #include <linux/types.h>
+ #include <linux/tracepoint.h>
+
++#ifdef CONFIG_PPC_BOOK3S_64
+ DECLARE_EVENT_CLASS(hugepage_set,
+
+ TP_PROTO(unsigned long addr, unsigned long pte),
+@@ -66,6 +67,7 @@ DEFINE_EVENT(hugepage_update, hugepage_update_pud,
+ TP_PROTO(unsigned long addr, unsigned long pud, unsigned long clr, unsigned long set),
+ TP_ARGS(addr, pud, clr, set)
+ );
++#endif /* CONFIG_PPC_BOOK3S_64 */
+
+ DECLARE_EVENT_CLASS(migration_pmd,
+
+--
+2.39.5
+
--- /dev/null
+From a4c0cfd2356c6a86ac5f383c49e4466be2855d18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 May 2025 05:33:55 +0000
+Subject: pps: clients: gpio: fix interrupt handling order in remove path
+
+From: Eliav Farber <farbere@amazon.com>
+
+[ Upstream commit 6bca1e955830808dc90e0506b2951b4256b81bbb ]
+
+The interrupt handler in pps_gpio_probe() is registered after calling
+pps_register_source() using devm_request_irq(). However, in the
+corresponding remove function, pps_unregister_source() is called before
+the IRQ is freed, since devm-managed resources are released after the
+remove function completes.
+
+This creates a potential race condition where an interrupt may occur
+after the PPS source is unregistered but before the handler is removed,
+possibly leading to a kernel panic.
+
+To prevent this, switch from devm-managed IRQ registration to manual
+management by using request_irq() and calling free_irq() explicitly in
+the remove path before unregistering the PPS source. This ensures the
+interrupt handler is safely removed before deactivating the PPS source.
+
+Signed-off-by: Eliav Farber <farbere@amazon.com>
+Link: https://lore.kernel.org/r/20250527053355.37185-1-farbere@amazon.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pps/clients/pps-gpio.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pps/clients/pps-gpio.c b/drivers/pps/clients/pps-gpio.c
+index bf3b6f1aa984..41e1fdbcda16 100644
+--- a/drivers/pps/clients/pps-gpio.c
++++ b/drivers/pps/clients/pps-gpio.c
+@@ -206,8 +206,8 @@ static int pps_gpio_probe(struct platform_device *pdev)
+ }
+
+ /* register IRQ interrupt handler */
+- ret = devm_request_irq(dev, data->irq, pps_gpio_irq_handler,
+- get_irqf_trigger_flags(data), data->info.name, data);
++ ret = request_irq(data->irq, pps_gpio_irq_handler,
++ get_irqf_trigger_flags(data), data->info.name, data);
+ if (ret) {
+ pps_unregister_source(data->pps);
+ dev_err(dev, "failed to acquire IRQ %d\n", data->irq);
+@@ -224,6 +224,7 @@ static int pps_gpio_remove(struct platform_device *pdev)
+ {
+ struct pps_gpio_device_data *data = platform_get_drvdata(pdev);
+
++ free_irq(data->irq, data);
+ pps_unregister_source(data->pps);
+ del_timer_sync(&data->echo_timer);
+ /* reset echo pin in any case */
+--
+2.39.5
+
--- /dev/null
+From db6267970c571e28163c72a7edfe708b454d4daa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Jun 2025 10:15:46 -0700
+Subject: ptp: Use ratelimite for freerun error message
+
+From: Breno Leitao <leitao@debian.org>
+
+[ Upstream commit e9a7795e75b78b56997fb0070c18d6e1057b6462 ]
+
+Replace pr_err() with pr_err_ratelimited() in ptp_clock_settime() to
+prevent log flooding when the physical clock is free running, which
+happens on some of my hosts. This ensures error messages are
+rate-limited and improves kernel log readability.
+
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250613-ptp-v1-1-ee44260ce9e2@debian.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ptp/ptp_clock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/ptp/ptp_clock.c b/drivers/ptp/ptp_clock.c
+index b7fc260ed43b..0682bb340221 100644
+--- a/drivers/ptp/ptp_clock.c
++++ b/drivers/ptp/ptp_clock.c
+@@ -79,7 +79,7 @@ static int ptp_clock_settime(struct posix_clock *pc, const struct timespec64 *tp
+ struct ptp_clock *ptp = container_of(pc, struct ptp_clock, clock);
+
+ if (ptp_clock_freerun(ptp)) {
+- pr_err("ptp: physical clock is free running\n");
++ pr_err_ratelimited("ptp: physical clock is free running\n");
+ return -EBUSY;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From fbf5743da50b1e9737ac8c728fbf95942cf18815 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Jul 2025 10:22:19 -0400
+Subject: rcu: Fix rcu_read_unlock() deadloop due to IRQ work
+
+From: Joel Fernandes <joelagnelf@nvidia.com>
+
+[ Upstream commit b41642c87716bbd09797b1e4ea7d904f06c39b7b ]
+
+During rcu_read_unlock_special(), if this happens during irq_exit(), we
+can lockup if an IPI is issued. This is because the IPI itself triggers
+the irq_exit() path causing a recursive lock up.
+
+This is precisely what Xiongfeng found when invoking a BPF program on
+the trace_tick_stop() tracepoint As shown in the trace below. Fix by
+managing the irq_work state correctly.
+
+irq_exit()
+ __irq_exit_rcu()
+ /* in_hardirq() returns false after this */
+ preempt_count_sub(HARDIRQ_OFFSET)
+ tick_irq_exit()
+ tick_nohz_irq_exit()
+ tick_nohz_stop_sched_tick()
+ trace_tick_stop() /* a bpf prog is hooked on this trace point */
+ __bpf_trace_tick_stop()
+ bpf_trace_run2()
+ rcu_read_unlock_special()
+ /* will send a IPI to itself */
+ irq_work_queue_on(&rdp->defer_qs_iw, rdp->cpu);
+
+A simple reproducer can also be obtained by doing the following in
+tick_irq_exit(). It will hang on boot without the patch:
+
+ static inline void tick_irq_exit(void)
+ {
+ + rcu_read_lock();
+ + WRITE_ONCE(current->rcu_read_unlock_special.b.need_qs, true);
+ + rcu_read_unlock();
+ +
+
+Reported-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+Closes: https://lore.kernel.org/all/9acd5f9f-6732-7701-6880-4b51190aa070@huawei.com/
+Tested-by: Qi Xi <xiqi2@huawei.com>
+Signed-off-by: Joel Fernandes <joelagnelf@nvidia.com>
+Reviewed-by: "Paul E. McKenney" <paulmck@kernel.org>
+Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
+[neeraj: Apply Frederic's suggested fix for PREEMPT_RT]
+Signed-off-by: Neeraj Upadhyay (AMD) <neeraj.upadhyay@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/rcu/tree.h | 13 ++++++++++++-
+ kernel/rcu/tree_plugin.h | 37 ++++++++++++++++++++++++++-----------
+ 2 files changed, 38 insertions(+), 12 deletions(-)
+
+diff --git a/kernel/rcu/tree.h b/kernel/rcu/tree.h
+index ac8cc756920d..08f5d019c6ce 100644
+--- a/kernel/rcu/tree.h
++++ b/kernel/rcu/tree.h
+@@ -175,6 +175,17 @@ struct rcu_snap_record {
+ unsigned long jiffies; /* Track jiffies value */
+ };
+
++/*
++ * An IRQ work (deferred_qs_iw) is used by RCU to get the scheduler's attention.
++ * to report quiescent states at the soonest possible time.
++ * The request can be in one of the following states:
++ * - DEFER_QS_IDLE: An IRQ work is yet to be scheduled.
++ * - DEFER_QS_PENDING: An IRQ work was scheduled but either not yet run, or it
++ * ran and we still haven't reported a quiescent state.
++ */
++#define DEFER_QS_IDLE 0
++#define DEFER_QS_PENDING 1
++
+ /* Per-CPU data for read-copy update. */
+ struct rcu_data {
+ /* 1) quiescent-state and grace-period handling : */
+@@ -192,7 +203,7 @@ struct rcu_data {
+ /* during and after the last grace */
+ /* period it is aware of. */
+ struct irq_work defer_qs_iw; /* Obtain later scheduler attention. */
+- bool defer_qs_iw_pending; /* Scheduler attention pending? */
++ int defer_qs_iw_pending; /* Scheduler attention pending? */
+ struct work_struct strict_work; /* Schedule readers for strict GPs. */
+
+ /* 2) batch handling */
+diff --git a/kernel/rcu/tree_plugin.h b/kernel/rcu/tree_plugin.h
+index de727f2568bf..771e8cbb10d7 100644
+--- a/kernel/rcu/tree_plugin.h
++++ b/kernel/rcu/tree_plugin.h
+@@ -474,13 +474,16 @@ rcu_preempt_deferred_qs_irqrestore(struct task_struct *t, unsigned long flags)
+ struct rcu_node *rnp;
+ union rcu_special special;
+
++ rdp = this_cpu_ptr(&rcu_data);
++ if (rdp->defer_qs_iw_pending == DEFER_QS_PENDING)
++ rdp->defer_qs_iw_pending = DEFER_QS_IDLE;
++
+ /*
+ * If RCU core is waiting for this CPU to exit its critical section,
+ * report the fact that it has exited. Because irqs are disabled,
+ * t->rcu_read_unlock_special cannot change.
+ */
+ special = t->rcu_read_unlock_special;
+- rdp = this_cpu_ptr(&rcu_data);
+ if (!special.s && !rdp->cpu_no_qs.b.exp) {
+ local_irq_restore(flags);
+ return;
+@@ -617,7 +620,23 @@ static void rcu_preempt_deferred_qs_handler(struct irq_work *iwp)
+
+ rdp = container_of(iwp, struct rcu_data, defer_qs_iw);
+ local_irq_save(flags);
+- rdp->defer_qs_iw_pending = false;
++
++ /*
++ * If the IRQ work handler happens to run in the middle of RCU read-side
++ * critical section, it could be ineffective in getting the scheduler's
++ * attention to report a deferred quiescent state (the whole point of the
++ * IRQ work). For this reason, requeue the IRQ work.
++ *
++ * Basically, we want to avoid following situation:
++ * 1. rcu_read_unlock() queues IRQ work (state -> DEFER_QS_PENDING)
++ * 2. CPU enters new rcu_read_lock()
++ * 3. IRQ work runs but cannot report QS due to rcu_preempt_depth() > 0
++ * 4. rcu_read_unlock() does not re-queue work (state still PENDING)
++ * 5. Deferred QS reporting does not happen.
++ */
++ if (rcu_preempt_depth() > 0)
++ WRITE_ONCE(rdp->defer_qs_iw_pending, DEFER_QS_IDLE);
++
+ local_irq_restore(flags);
+ }
+
+@@ -664,17 +683,13 @@ static void rcu_read_unlock_special(struct task_struct *t)
+ set_tsk_need_resched(current);
+ set_preempt_need_resched();
+ if (IS_ENABLED(CONFIG_IRQ_WORK) && irqs_were_disabled &&
+- expboost && !rdp->defer_qs_iw_pending && cpu_online(rdp->cpu)) {
++ expboost && rdp->defer_qs_iw_pending != DEFER_QS_PENDING &&
++ cpu_online(rdp->cpu)) {
+ // Get scheduler to re-evaluate and call hooks.
+ // If !IRQ_WORK, FQS scan will eventually IPI.
+- if (IS_ENABLED(CONFIG_RCU_STRICT_GRACE_PERIOD) &&
+- IS_ENABLED(CONFIG_PREEMPT_RT))
+- rdp->defer_qs_iw = IRQ_WORK_INIT_HARD(
+- rcu_preempt_deferred_qs_handler);
+- else
+- init_irq_work(&rdp->defer_qs_iw,
+- rcu_preempt_deferred_qs_handler);
+- rdp->defer_qs_iw_pending = true;
++ rdp->defer_qs_iw =
++ IRQ_WORK_INIT_HARD(rcu_preempt_deferred_qs_handler);
++ rdp->defer_qs_iw_pending = DEFER_QS_PENDING;
+ irq_work_queue_on(&rdp->defer_qs_iw, rdp->cpu);
+ }
+ }
+--
+2.39.5
+
--- /dev/null
+From d5e9f46f2bff1880054a5cc3b3a17cae3297f5ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Apr 2025 16:49:53 -0700
+Subject: rcu: Protect ->defer_qs_iw_pending from data race
+
+From: Paul E. McKenney <paulmck@kernel.org>
+
+[ Upstream commit 90c09d57caeca94e6f3f87c49e96a91edd40cbfd ]
+
+On kernels built with CONFIG_IRQ_WORK=y, when rcu_read_unlock() is
+invoked within an interrupts-disabled region of code [1], it will invoke
+rcu_read_unlock_special(), which uses an irq-work handler to force the
+system to notice when the RCU read-side critical section actually ends.
+That end won't happen until interrupts are enabled at the soonest.
+
+In some kernels, such as those booted with rcutree.use_softirq=y, the
+irq-work handler is used unconditionally.
+
+The per-CPU rcu_data structure's ->defer_qs_iw_pending field is
+updated by the irq-work handler and is both read and updated by
+rcu_read_unlock_special(). This resulted in the following KCSAN splat:
+
+------------------------------------------------------------------------
+
+BUG: KCSAN: data-race in rcu_preempt_deferred_qs_handler / rcu_read_unlock_special
+
+read to 0xffff96b95f42d8d8 of 1 bytes by task 90 on cpu 8:
+ rcu_read_unlock_special+0x175/0x260
+ __rcu_read_unlock+0x92/0xa0
+ rt_spin_unlock+0x9b/0xc0
+ __local_bh_enable+0x10d/0x170
+ __local_bh_enable_ip+0xfb/0x150
+ rcu_do_batch+0x595/0xc40
+ rcu_cpu_kthread+0x4e9/0x830
+ smpboot_thread_fn+0x24d/0x3b0
+ kthread+0x3bd/0x410
+ ret_from_fork+0x35/0x40
+ ret_from_fork_asm+0x1a/0x30
+
+write to 0xffff96b95f42d8d8 of 1 bytes by task 88 on cpu 8:
+ rcu_preempt_deferred_qs_handler+0x1e/0x30
+ irq_work_single+0xaf/0x160
+ run_irq_workd+0x91/0xc0
+ smpboot_thread_fn+0x24d/0x3b0
+ kthread+0x3bd/0x410
+ ret_from_fork+0x35/0x40
+ ret_from_fork_asm+0x1a/0x30
+
+no locks held by irq_work/8/88.
+irq event stamp: 200272
+hardirqs last enabled at (200272): [<ffffffffb0f56121>] finish_task_switch+0x131/0x320
+hardirqs last disabled at (200271): [<ffffffffb25c7859>] __schedule+0x129/0xd70
+softirqs last enabled at (0): [<ffffffffb0ee093f>] copy_process+0x4df/0x1cc0
+softirqs last disabled at (0): [<0000000000000000>] 0x0
+
+------------------------------------------------------------------------
+
+The problem is that irq-work handlers run with interrupts enabled, which
+means that rcu_preempt_deferred_qs_handler() could be interrupted,
+and that interrupt handler might contain an RCU read-side critical
+section, which might invoke rcu_read_unlock_special(). In the strict
+KCSAN mode of operation used by RCU, this constitutes a data race on
+the ->defer_qs_iw_pending field.
+
+This commit therefore disables interrupts across the portion of the
+rcu_preempt_deferred_qs_handler() that updates the ->defer_qs_iw_pending
+field. This suffices because this handler is not a fast path.
+
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Reviewed-by: Frederic Weisbecker <frederic@kernel.org>
+Signed-off-by: Neeraj Upadhyay (AMD) <neeraj.upadhyay@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/rcu/tree_plugin.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/kernel/rcu/tree_plugin.h b/kernel/rcu/tree_plugin.h
+index 94b715139f52..de727f2568bf 100644
+--- a/kernel/rcu/tree_plugin.h
++++ b/kernel/rcu/tree_plugin.h
+@@ -612,10 +612,13 @@ notrace void rcu_preempt_deferred_qs(struct task_struct *t)
+ */
+ static void rcu_preempt_deferred_qs_handler(struct irq_work *iwp)
+ {
++ unsigned long flags;
+ struct rcu_data *rdp;
+
+ rdp = container_of(iwp, struct rcu_data, defer_qs_iw);
++ local_irq_save(flags);
+ rdp->defer_qs_iw_pending = false;
++ local_irq_restore(flags);
+ }
+
+ /*
+--
+2.39.5
+
--- /dev/null
+From 831ab9c13a86b551f69de12aff368b446de76fce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 13:33:26 +0200
+Subject: RDMA/core: reduce stack using in nldev_stat_get_doit()
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 43163f4c30f94d2103c948a247cdf2cda5068ca7 ]
+
+In the s390 defconfig, gcc-10 and earlier end up inlining three functions
+into nldev_stat_get_doit(), and each of them uses some 600 bytes of stack.
+
+The result is a function with an overly large stack frame and a warning:
+
+drivers/infiniband/core/nldev.c:2466:1: error: the frame size of 1720 bytes is larger than 1280 bytes [-Werror=frame-larger-than=]
+
+Mark the three functions noinline_for_stack to prevent this, ensuring
+that only one copy of the nlattr array is on the stack of each function.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://patch.msgid.link/20250620113335.3776965-1-arnd@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/nldev.c | 22 ++++++++++++----------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/infiniband/core/nldev.c b/drivers/infiniband/core/nldev.c
+index 6d1dbc978759..a94723a12bb4 100644
+--- a/drivers/infiniband/core/nldev.c
++++ b/drivers/infiniband/core/nldev.c
+@@ -1412,10 +1412,11 @@ static const struct nldev_fill_res_entry fill_entries[RDMA_RESTRACK_MAX] = {
+
+ };
+
+-static int res_get_common_doit(struct sk_buff *skb, struct nlmsghdr *nlh,
+- struct netlink_ext_ack *extack,
+- enum rdma_restrack_type res_type,
+- res_fill_func_t fill_func)
++static noinline_for_stack int
++res_get_common_doit(struct sk_buff *skb, struct nlmsghdr *nlh,
++ struct netlink_ext_ack *extack,
++ enum rdma_restrack_type res_type,
++ res_fill_func_t fill_func)
+ {
+ const struct nldev_fill_res_entry *fe = &fill_entries[res_type];
+ struct nlattr *tb[RDMA_NLDEV_ATTR_MAX];
+@@ -2153,10 +2154,10 @@ static int nldev_stat_del_doit(struct sk_buff *skb, struct nlmsghdr *nlh,
+ return ret;
+ }
+
+-static int stat_get_doit_default_counter(struct sk_buff *skb,
+- struct nlmsghdr *nlh,
+- struct netlink_ext_ack *extack,
+- struct nlattr *tb[])
++static noinline_for_stack int
++stat_get_doit_default_counter(struct sk_buff *skb, struct nlmsghdr *nlh,
++ struct netlink_ext_ack *extack,
++ struct nlattr *tb[])
+ {
+ struct rdma_hw_stats *stats;
+ struct nlattr *table_attr;
+@@ -2246,8 +2247,9 @@ static int stat_get_doit_default_counter(struct sk_buff *skb,
+ return ret;
+ }
+
+-static int stat_get_doit_qp(struct sk_buff *skb, struct nlmsghdr *nlh,
+- struct netlink_ext_ack *extack, struct nlattr *tb[])
++static noinline_for_stack int
++stat_get_doit_qp(struct sk_buff *skb, struct nlmsghdr *nlh,
++ struct netlink_ext_ack *extack, struct nlattr *tb[])
+
+ {
+ static enum rdma_nl_counter_mode mode;
+--
+2.39.5
+
--- /dev/null
+From ab289052943ccfdf75dd4f856a90f50594ad22df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Jun 2025 15:39:38 -0400
+Subject: RDMA: hfi1: fix possible divide-by-zero in find_hw_thread_mask()
+
+From: Yury Norov [NVIDIA] <yury.norov@gmail.com>
+
+[ Upstream commit 59f7d2138591ef8f0e4e4ab5f1ab674e8181ad3a ]
+
+The function divides number of online CPUs by num_core_siblings, and
+later checks the divider by zero. This implies a possibility to get
+and divide-by-zero runtime error. Fix it by moving the check prior to
+division. This also helps to save one indentation level.
+
+Signed-off-by: Yury Norov [NVIDIA] <yury.norov@gmail.com>
+Link: https://patch.msgid.link/20250604193947.11834-3-yury.norov@gmail.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hfi1/affinity.c | 44 +++++++++++++++------------
+ 1 file changed, 24 insertions(+), 20 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hfi1/affinity.c b/drivers/infiniband/hw/hfi1/affinity.c
+index bbc957c578e1..e5db39f4720d 100644
+--- a/drivers/infiniband/hw/hfi1/affinity.c
++++ b/drivers/infiniband/hw/hfi1/affinity.c
+@@ -964,31 +964,35 @@ static void find_hw_thread_mask(uint hw_thread_no, cpumask_var_t hw_thread_mask,
+ struct hfi1_affinity_node_list *affinity)
+ {
+ int possible, curr_cpu, i;
+- uint num_cores_per_socket = node_affinity.num_online_cpus /
++ uint num_cores_per_socket;
++
++ cpumask_copy(hw_thread_mask, &affinity->proc.mask);
++
++ if (affinity->num_core_siblings == 0)
++ return;
++
++ num_cores_per_socket = node_affinity.num_online_cpus /
+ affinity->num_core_siblings /
+ node_affinity.num_online_nodes;
+
+- cpumask_copy(hw_thread_mask, &affinity->proc.mask);
+- if (affinity->num_core_siblings > 0) {
+- /* Removing other siblings not needed for now */
+- possible = cpumask_weight(hw_thread_mask);
+- curr_cpu = cpumask_first(hw_thread_mask);
+- for (i = 0;
+- i < num_cores_per_socket * node_affinity.num_online_nodes;
+- i++)
+- curr_cpu = cpumask_next(curr_cpu, hw_thread_mask);
+-
+- for (; i < possible; i++) {
+- cpumask_clear_cpu(curr_cpu, hw_thread_mask);
+- curr_cpu = cpumask_next(curr_cpu, hw_thread_mask);
+- }
++ /* Removing other siblings not needed for now */
++ possible = cpumask_weight(hw_thread_mask);
++ curr_cpu = cpumask_first(hw_thread_mask);
++ for (i = 0;
++ i < num_cores_per_socket * node_affinity.num_online_nodes;
++ i++)
++ curr_cpu = cpumask_next(curr_cpu, hw_thread_mask);
+
+- /* Identifying correct HW threads within physical cores */
+- cpumask_shift_left(hw_thread_mask, hw_thread_mask,
+- num_cores_per_socket *
+- node_affinity.num_online_nodes *
+- hw_thread_no);
++ for (; i < possible; i++) {
++ cpumask_clear_cpu(curr_cpu, hw_thread_mask);
++ curr_cpu = cpumask_next(curr_cpu, hw_thread_mask);
+ }
++
++ /* Identifying correct HW threads within physical cores */
++ cpumask_shift_left(hw_thread_mask, hw_thread_mask,
++ num_cores_per_socket *
++ node_affinity.num_online_nodes *
++ hw_thread_no);
+ }
+
+ int hfi1_get_proc_affinity(int node)
+--
+2.39.5
+
--- /dev/null
+From 3fc0fb98e92837fcb2c051449ab982a1cb058de3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 29 Jun 2025 14:25:11 -0300
+Subject: remoteproc: imx_rproc: skip clock enable when M-core is managed by
+ the SCU
+
+From: Hiago De Franco <hiago.franco@toradex.com>
+
+[ Upstream commit 496deecb020d14ba89ba7084fbc3024f91687023 ]
+
+For the i.MX8X and i.MX8 family SoCs, when the Cortex-M core is powered
+up and started by the Cortex-A core using the bootloader (e.g., via the
+U-Boot bootaux command), both M-core and Linux run within the same SCFW
+(System Controller Firmware) partition. With that, Linux has permission
+to control the M-core.
+
+But once the M-core is started by the bootloader, the SCFW automatically
+enables its clock and sets the clock rate. If Linux later attempts to
+enable the same clock via clk_prepare_enable(), the SCFW returns a
+'LOCKED' error, as the clock is already configured by the SCFW. This
+causes the probe function in imx_rproc.c to fail, leading to the M-core
+power domain being shut down while the core is still running. This
+results in a fault from the SCU (System Controller Unit) and triggers a
+system reset.
+
+To address this issue, ignore handling the clk for i.MX8X and i.MX8
+M-core, as SCFW already takes care of enabling and configuring the
+clock.
+
+Suggested-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
+Reviewed-by: Peng Fan <peng.fan@nxp.com>
+Signed-off-by: Hiago De Franco <hiago.franco@toradex.com>
+Acked-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Link: https://lore.kernel.org/r/20250629172512.14857-3-hiagofranco@gmail.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/remoteproc/imx_rproc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/remoteproc/imx_rproc.c b/drivers/remoteproc/imx_rproc.c
+index 610a69928dff..251f9840d85b 100644
+--- a/drivers/remoteproc/imx_rproc.c
++++ b/drivers/remoteproc/imx_rproc.c
+@@ -1088,8 +1088,8 @@ static int imx_rproc_clk_enable(struct imx_rproc *priv)
+ struct device *dev = priv->dev;
+ int ret;
+
+- /* Remote core is not under control of Linux */
+- if (dcfg->method == IMX_RPROC_NONE)
++ /* Remote core is not under control of Linux or it is managed by SCU API */
++ if (dcfg->method == IMX_RPROC_NONE || dcfg->method == IMX_RPROC_SCU_API)
+ return 0;
+
+ priv->clk = devm_clk_get(dev, NULL);
+--
+2.39.5
+
--- /dev/null
+From 6aa7ae4726a23d176dcd69166ee30da52ef04878 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 18:52:58 +0100
+Subject: reset: brcmstb: Enable reset drivers for ARCH_BCM2835
+
+From: Peter Robinson <pbrobinson@gmail.com>
+
+[ Upstream commit 1d99f92f71b6b4b2eee776562c991428490f71ef ]
+
+The BRCMSTB and BRCMSTB_RESCAL reset drivers are also
+used in the BCM2712, AKA the RPi5. The RPi platforms
+have typically used the ARCH_BCM2835, and the PCIe
+support for this SoC can use this config which depends
+on these drivers so enable building them when just that
+arch option is enabled to ensure the platform works as
+expected.
+
+Signed-off-by: Peter Robinson <pbrobinson@gmail.com>
+Acked-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://lore.kernel.org/r/20250630175301.846082-1-pbrobinson@gmail.com
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/reset/Kconfig | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/reset/Kconfig b/drivers/reset/Kconfig
+index ccd59ddd7610..9f25eb3aec25 100644
+--- a/drivers/reset/Kconfig
++++ b/drivers/reset/Kconfig
+@@ -51,8 +51,8 @@ config RESET_BERLIN
+
+ config RESET_BRCMSTB
+ tristate "Broadcom STB reset controller"
+- depends on ARCH_BRCMSTB || COMPILE_TEST
+- default ARCH_BRCMSTB
++ depends on ARCH_BRCMSTB || ARCH_BCM2835 || COMPILE_TEST
++ default ARCH_BRCMSTB || ARCH_BCM2835
+ help
+ This enables the reset controller driver for Broadcom STB SoCs using
+ a SUN_TOP_CTRL_SW_INIT style controller.
+@@ -60,11 +60,11 @@ config RESET_BRCMSTB
+ config RESET_BRCMSTB_RESCAL
+ tristate "Broadcom STB RESCAL reset controller"
+ depends on HAS_IOMEM
+- depends on ARCH_BRCMSTB || COMPILE_TEST
+- default ARCH_BRCMSTB
++ depends on ARCH_BRCMSTB || ARCH_BCM2835 || COMPILE_TEST
++ default ARCH_BRCMSTB || ARCH_BCM2835
+ help
+ This enables the RESCAL reset controller for SATA, PCIe0, or PCIe1 on
+- BCM7216.
++ BCM7216 or the BCM2712.
+
+ config RESET_HSDK
+ bool "Synopsys HSDK Reset Driver"
+--
+2.39.5
+
--- /dev/null
+From 9c51cd614b147a69e4c9fbd175070a0b30a156e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 11:14:16 -0700
+Subject: rtc: ds1307: handle oscillator stop flag (OSF) for ds1341
+
+From: Meagan Lloyd <meaganlloyd@linux.microsoft.com>
+
+[ Upstream commit 523923cfd5d622b8f4ba893fdaf29fa6adeb8c3e ]
+
+In using CONFIG_RTC_HCTOSYS, rtc_hctosys() will sync the RTC time to the
+kernel time as long as rtc_read_time() succeeds. In some power loss
+situations, our supercapacitor-backed DS1342 RTC comes up with either an
+unpredictable future time or the default 01/01/00 from the datasheet.
+The oscillator stop flag (OSF) is set in these scenarios due to the
+power loss and can be used to determine the validity of the RTC data.
+
+This change expands the oscillator stop flag (OSF) handling that has
+already been implemented for some chips to the ds1341 chip (DS1341 and
+DS1342 share a datasheet). This handling manages the validity of the RTC
+data in .read_time and .set_time based on the OSF.
+
+Signed-off-by: Meagan Lloyd <meaganlloyd@linux.microsoft.com>
+Reviewed-by: Tyler Hicks <code@tyhicks.com>
+Acked-by: Rodolfo Giometti <giometti@enneenne.com>
+Link: https://lore.kernel.org/r/1749665656-30108-3-git-send-email-meaganlloyd@linux.microsoft.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-ds1307.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/drivers/rtc/rtc-ds1307.c b/drivers/rtc/rtc-ds1307.c
+index e14981383c01..ae115c3fcf19 100644
+--- a/drivers/rtc/rtc-ds1307.c
++++ b/drivers/rtc/rtc-ds1307.c
+@@ -274,6 +274,13 @@ static int ds1307_get_time(struct device *dev, struct rtc_time *t)
+ if (tmp & DS1340_BIT_OSF)
+ return -EINVAL;
+ break;
++ case ds_1341:
++ ret = regmap_read(ds1307->regmap, DS1337_REG_STATUS, &tmp);
++ if (ret)
++ return ret;
++ if (tmp & DS1337_BIT_OSF)
++ return -EINVAL;
++ break;
+ case ds_1388:
+ ret = regmap_read(ds1307->regmap, DS1388_REG_FLAG, &tmp);
+ if (ret)
+@@ -372,6 +379,10 @@ static int ds1307_set_time(struct device *dev, struct rtc_time *t)
+ regmap_update_bits(ds1307->regmap, DS1340_REG_FLAG,
+ DS1340_BIT_OSF, 0);
+ break;
++ case ds_1341:
++ regmap_update_bits(ds1307->regmap, DS1337_REG_STATUS,
++ DS1337_BIT_OSF, 0);
++ break;
+ case ds_1388:
+ regmap_update_bits(ds1307->regmap, DS1388_REG_FLAG,
+ DS1388_BIT_OSF, 0);
+--
+2.39.5
+
--- /dev/null
+From 58a0c6237dbee097a0bdae661e30034f04c63a75 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 11:14:15 -0700
+Subject: rtc: ds1307: remove clear of oscillator stop flag (OSF) in probe
+
+From: Meagan Lloyd <meaganlloyd@linux.microsoft.com>
+
+[ Upstream commit 48458654659c9c2e149c211d86637f1592470da5 ]
+
+In using CONFIG_RTC_HCTOSYS, rtc_hctosys() will sync the RTC time to the
+kernel time as long as rtc_read_time() succeeds. In some power loss
+situations, our supercapacitor-backed DS1342 RTC comes up with either an
+unpredictable future time or the default 01/01/00 from the datasheet.
+The oscillator stop flag (OSF) is set in these scenarios due to the
+power loss and can be used to determine the validity of the RTC data.
+
+Some chip types in the ds1307 driver already have OSF handling to
+determine whether .read_time provides valid RTC data or returns -EINVAL.
+
+This change removes the clear of the OSF in .probe as the OSF needs to
+be preserved to expand the OSF handling to the ds1341 chip type (note
+that DS1341 and DS1342 share a datasheet).
+
+Signed-off-by: Meagan Lloyd <meaganlloyd@linux.microsoft.com>
+Reviewed-by: Tyler Hicks <code@tyhicks.com>
+Acked-by: Rodolfo Giometti <giometti@enneenne.com>
+Link: https://lore.kernel.org/r/1749665656-30108-2-git-send-email-meaganlloyd@linux.microsoft.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-ds1307.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/rtc/rtc-ds1307.c b/drivers/rtc/rtc-ds1307.c
+index ae115c3fcf19..74aad2b12460 100644
+--- a/drivers/rtc/rtc-ds1307.c
++++ b/drivers/rtc/rtc-ds1307.c
+@@ -1819,10 +1819,8 @@ static int ds1307_probe(struct i2c_client *client)
+ regmap_write(ds1307->regmap, DS1337_REG_CONTROL,
+ regs[0]);
+
+- /* oscillator fault? clear flag, and warn */
++ /* oscillator fault? warn */
+ if (regs[1] & DS1337_BIT_OSF) {
+- regmap_write(ds1307->regmap, DS1337_REG_STATUS,
+- regs[1] & ~DS1337_BIT_OSF);
+ dev_warn(ds1307->dev, "SET TIME!\n");
+ }
+ break;
+--
+2.39.5
+
--- /dev/null
+From ac5abcd9eaa3989da3cd5d39d2af0d6f74ac890a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 13:50:27 +0200
+Subject: s390/stp: Remove udelay from stp_sync_clock()
+
+From: Sven Schnelle <svens@linux.ibm.com>
+
+[ Upstream commit b367017cdac21781a74eff4e208d3d38e1f38d3f ]
+
+When an stp sync check is handled on a system with multiple
+cpus each cpu gets a machine check but only the first one
+actually handles the sync operation. All other CPUs spin
+waiting for the first one to finish with a short udelay().
+But udelay can't be used here as the first CPU modifies tod_clock_base
+before performing the sync op. During this timeframe
+get_tod_clock_monotonic() might return a non-monotonic time.
+
+The time spent waiting should be very short and udelay is a busy loop
+anyways, therefore simply remove the udelay.
+
+Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Sven Schnelle <svens@linux.ibm.com>
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/time.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/s390/kernel/time.c b/arch/s390/kernel/time.c
+index d34d3548c046..086d3e3ffdea 100644
+--- a/arch/s390/kernel/time.c
++++ b/arch/s390/kernel/time.c
+@@ -579,7 +579,7 @@ static int stp_sync_clock(void *data)
+ atomic_dec(&sync->cpus);
+ /* Wait for in_sync to be set. */
+ while (READ_ONCE(sync->in_sync) == 0)
+- __udelay(1);
++ ;
+ }
+ if (sync->in_sync != 1)
+ /* Didn't work. Clear per-cpu in sync bit again. */
+--
+2.39.5
+
--- /dev/null
+From 4a1185da229686b1438e20db4cbf808088125de0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 09:42:29 +0200
+Subject: s390/time: Use monotonic clock in get_cycles()
+
+From: Sven Schnelle <svens@linux.ibm.com>
+
+[ Upstream commit 09e7e29d2b49ba84bcefb3dc1657726d2de5bb24 ]
+
+Otherwise the code might not work correctly when the clock
+is changed.
+
+Signed-off-by: Sven Schnelle <svens@linux.ibm.com>
+Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/include/asm/timex.h | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/arch/s390/include/asm/timex.h b/arch/s390/include/asm/timex.h
+index 4d646659a5f5..f7a44af12c2f 100644
+--- a/arch/s390/include/asm/timex.h
++++ b/arch/s390/include/asm/timex.h
+@@ -192,13 +192,6 @@ static inline unsigned long get_tod_clock_fast(void)
+ asm volatile("stckf %0" : "=Q" (clk) : : "cc");
+ return clk;
+ }
+-
+-static inline cycles_t get_cycles(void)
+-{
+- return (cycles_t) get_tod_clock() >> 2;
+-}
+-#define get_cycles get_cycles
+-
+ int get_phys_clock(unsigned long *clock);
+ void init_cpu_timer(void);
+
+@@ -226,6 +219,12 @@ static inline unsigned long get_tod_clock_monotonic(void)
+ return tod;
+ }
+
++static inline cycles_t get_cycles(void)
++{
++ return (cycles_t)get_tod_clock_monotonic() >> 2;
++}
++#define get_cycles get_cycles
++
+ /**
+ * tod_to_ns - convert a TOD format value to nanoseconds
+ * @todval: to be converted TOD format value
+--
+2.39.5
+
--- /dev/null
+From f2850904e47f5fc4a5f0236d5d9dd11608fbabdb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jun 2025 07:39:10 -0700
+Subject: sched/fair: Bump sd->max_newidle_lb_cost when newidle balance fails
+
+From: Chris Mason <clm@fb.com>
+
+[ Upstream commit 155213a2aed42c85361bf4f5c817f5cb68951c3b ]
+
+schbench (https://github.com/masoncl/schbench.git) is showing a
+regression from previous production kernels that bisected down to:
+
+sched/fair: Remove sysctl_sched_migration_cost condition (c5b0a7eefc)
+
+The schbench command line was:
+
+schbench -L -m 4 -M auto -t 256 -n 0 -r 0 -s 0
+
+This creates 4 message threads pinned to CPUs 0-3, and 256x4 worker
+threads spread across the rest of the CPUs. Neither the worker threads
+or the message threads do any work, they just wake each other up and go
+back to sleep as soon as possible.
+
+The end result is the first 4 CPUs are pegged waking up those 1024
+workers, and the rest of the CPUs are constantly banging in and out of
+idle. If I take a v6.9 Linus kernel and revert that one commit,
+performance goes from 3.4M RPS to 5.4M RPS.
+
+schedstat shows there are ~100x more new idle balance operations, and
+profiling shows the worker threads are spending ~20% of their CPU time
+on new idle balance. schedstats also shows that almost all of these new
+idle balance attemps are failing to find busy groups.
+
+The fix used here is to crank up the cost of the newidle balance whenever it
+fails. Since we don't want sd->max_newidle_lb_cost to grow out of
+control, this also changes update_newidle_cost() to use
+sysctl_sched_migration_cost as the upper limit on max_newidle_lb_cost.
+
+Signed-off-by: Chris Mason <clm@fb.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Vincent Guittot <vincent.guittot@linaro.org>
+Link: https://lkml.kernel.org/r/20250626144017.1510594-2-clm@fb.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/fair.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
+index 6ce3028e6e85..1cf43e91ae9d 100644
+--- a/kernel/sched/fair.c
++++ b/kernel/sched/fair.c
+@@ -11697,8 +11697,14 @@ static inline bool update_newidle_cost(struct sched_domain *sd, u64 cost)
+ /*
+ * Track max cost of a domain to make sure to not delay the
+ * next wakeup on the CPU.
++ *
++ * sched_balance_newidle() bumps the cost whenever newidle
++ * balance fails, and we don't want things to grow out of
++ * control. Use the sysctl_sched_migration_cost as the upper
++ * limit, plus a litle extra to avoid off by ones.
+ */
+- sd->max_newidle_lb_cost = cost;
++ sd->max_newidle_lb_cost =
++ min(cost, sysctl_sched_migration_cost + 200);
+ sd->last_decay_max_lb_cost = jiffies;
+ } else if (time_after(jiffies, sd->last_decay_max_lb_cost + HZ)) {
+ /*
+@@ -12384,10 +12390,17 @@ static int newidle_balance(struct rq *this_rq, struct rq_flags *rf)
+
+ t1 = sched_clock_cpu(this_cpu);
+ domain_cost = t1 - t0;
+- update_newidle_cost(sd, domain_cost);
+-
+ curr_cost += domain_cost;
+ t0 = t1;
++
++ /*
++ * Failing newidle means it is not effective;
++ * bump the cost so we end up doing less of it.
++ */
++ if (!pulled_task)
++ domain_cost = (3 * sd->max_newidle_lb_cost) / 2;
++
++ update_newidle_cost(sd, domain_cost);
+ }
+
+ /*
+--
+2.39.5
+
--- /dev/null
+From bbf26ca1820b36392ccafff272ef375c03224af0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jul 2025 11:15:35 +0000
+Subject: scsi: aacraid: Stop using PCI_IRQ_AFFINITY
+
+From: John Garry <john.g.garry@oracle.com>
+
+[ Upstream commit dafeaf2c03e71255438ffe5a341d94d180e6c88e ]
+
+When PCI_IRQ_AFFINITY is set for calling pci_alloc_irq_vectors(), it
+means interrupts are spread around the available CPUs. It also means that
+the interrupts become managed, which means that an interrupt is shutdown
+when all the CPUs in the interrupt affinity mask go offline.
+
+Using managed interrupts in this way means that we should ensure that
+completions should not occur on HW queues where the associated interrupt
+is shutdown. This is typically achieved by ensuring only CPUs which are
+online can generate IO completion traffic to the HW queue which they are
+mapped to (so that they can also serve completion interrupts for that HW
+queue).
+
+The problem in the driver is that a CPU can generate completions to a HW
+queue whose interrupt may be shutdown, as the CPUs in the HW queue
+interrupt affinity mask may be offline. This can cause IOs to never
+complete and hang the system. The driver maintains its own CPU <-> HW
+queue mapping for submissions, see aac_fib_vector_assign(), but this does
+not reflect the CPU <-> HW queue interrupt affinity mapping.
+
+Commit 9dc704dcc09e ("scsi: aacraid: Reply queue mapping to CPUs based on
+IRQ affinity") tried to remedy this issue may mapping CPUs properly to HW
+queue interrupts. However this was later reverted in commit c5becf57dd56
+("Revert "scsi: aacraid: Reply queue mapping to CPUs based on IRQ
+affinity") - it seems that there were other reports of hangs. I guess
+that this was due to some implementation issue in the original commit or
+maybe a HW issue.
+
+Fix the very original hang by just not using managed interrupts by not
+setting PCI_IRQ_AFFINITY. In this way, all CPUs will be in each HW queue
+affinity mask, so should not create completion problems if any CPUs go
+offline.
+
+Signed-off-by: John Garry <john.g.garry@oracle.com>
+Link: https://lore.kernel.org/r/20250715111535.499853-1-john.g.garry@oracle.com
+Closes: https://lore.kernel.org/linux-scsi/20250618192427.3845724-1-jmeneghi@redhat.com/
+Reviewed-by: John Meneghini <jmeneghi@redhat.com>
+Tested-by: John Meneghini <jmeneghi@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/aacraid/comminit.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/aacraid/comminit.c b/drivers/scsi/aacraid/comminit.c
+index 0f64b0244303..31b95e6c96c5 100644
+--- a/drivers/scsi/aacraid/comminit.c
++++ b/drivers/scsi/aacraid/comminit.c
+@@ -481,8 +481,7 @@ void aac_define_int_mode(struct aac_dev *dev)
+ pci_find_capability(dev->pdev, PCI_CAP_ID_MSIX)) {
+ min_msix = 2;
+ i = pci_alloc_irq_vectors(dev->pdev,
+- min_msix, msi_count,
+- PCI_IRQ_MSIX | PCI_IRQ_AFFINITY);
++ min_msix, msi_count, PCI_IRQ_MSIX);
+ if (i > 0) {
+ dev->msi_enabled = 1;
+ msi_count = i;
+--
+2.39.5
+
--- /dev/null
+From c154250f4dc23a5f032cc3c35ac5d4ba14744362 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jun 2025 19:58:24 +0800
+Subject: scsi: bfa: Double-free fix
+
+From: jackysliu <1972843537@qq.com>
+
+[ Upstream commit add4c4850363d7c1b72e8fce9ccb21fdd2cf5dc9 ]
+
+When the bfad_im_probe() function fails during initialization, the memory
+pointed to by bfad->im is freed without setting bfad->im to NULL.
+
+Subsequently, during driver uninstallation, when the state machine enters
+the bfad_sm_stopping state and calls the bfad_im_probe_undo() function,
+it attempts to free the memory pointed to by bfad->im again, thereby
+triggering a double-free vulnerability.
+
+Set bfad->im to NULL if probing fails.
+
+Signed-off-by: jackysliu <1972843537@qq.com>
+Link: https://lore.kernel.org/r/tencent_3BB950D6D2D470976F55FC879206DE0B9A09@qq.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/bfa/bfad_im.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/bfa/bfad_im.c b/drivers/scsi/bfa/bfad_im.c
+index a9d3d8562d3c..0ec76d1cb6fb 100644
+--- a/drivers/scsi/bfa/bfad_im.c
++++ b/drivers/scsi/bfa/bfad_im.c
+@@ -706,6 +706,7 @@ bfad_im_probe(struct bfad_s *bfad)
+
+ if (bfad_thread_workq(bfad) != BFA_STATUS_OK) {
+ kfree(im);
++ bfad->im = NULL;
+ return BFA_STATUS_FAILED;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 2944fbc1b36a11d5864b97174bc61d7d9fa5e5c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jun 2025 11:46:49 +0530
+Subject: scsi: Fix sas_user_scan() to handle wildcard and multi-channel scans
+
+From: Ranjan Kumar <ranjan.kumar@broadcom.com>
+
+[ Upstream commit 37c4e72b0651e7697eb338cd1fb09feef472cc1a ]
+
+sas_user_scan() did not fully process wildcard channel scans
+(SCAN_WILD_CARD) when a transport-specific user_scan() callback was
+present. Only channel 0 would be scanned via user_scan(), while the
+remaining channels were skipped, potentially missing devices.
+
+user_scan() invokes updated sas_user_scan() for channel 0, and if
+successful, iteratively scans remaining channels (1 to
+shost->max_channel) via scsi_scan_host_selected(). This ensures complete
+wildcard scanning without affecting transport-specific scanning behavior.
+
+Signed-off-by: Ranjan Kumar <ranjan.kumar@broadcom.com>
+Link: https://lore.kernel.org/r/20250624061649.17990-1-ranjan.kumar@broadcom.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_scan.c | 2 +-
+ drivers/scsi/scsi_transport_sas.c | 60 ++++++++++++++++++++++++-------
+ 2 files changed, 49 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c
+index cead0fbbe5db..8ee74dddef16 100644
+--- a/drivers/scsi/scsi_scan.c
++++ b/drivers/scsi/scsi_scan.c
+@@ -1851,7 +1851,7 @@ int scsi_scan_host_selected(struct Scsi_Host *shost, unsigned int channel,
+
+ return 0;
+ }
+-
++EXPORT_SYMBOL(scsi_scan_host_selected);
+ static void scsi_sysfs_add_devices(struct Scsi_Host *shost)
+ {
+ struct scsi_device *sdev;
+diff --git a/drivers/scsi/scsi_transport_sas.c b/drivers/scsi/scsi_transport_sas.c
+index 7fdd2b61fe85..7b4c4752e216 100644
+--- a/drivers/scsi/scsi_transport_sas.c
++++ b/drivers/scsi/scsi_transport_sas.c
+@@ -40,6 +40,8 @@
+ #include <scsi/scsi_transport_sas.h>
+
+ #include "scsi_sas_internal.h"
++#include "scsi_priv.h"
++
+ struct sas_host_attrs {
+ struct list_head rphy_list;
+ struct mutex lock;
+@@ -1681,32 +1683,66 @@ int scsi_is_sas_rphy(const struct device *dev)
+ }
+ EXPORT_SYMBOL(scsi_is_sas_rphy);
+
+-
+-/*
+- * SCSI scan helper
+- */
+-
+-static int sas_user_scan(struct Scsi_Host *shost, uint channel,
+- uint id, u64 lun)
++static void scan_channel_zero(struct Scsi_Host *shost, uint id, u64 lun)
+ {
+ struct sas_host_attrs *sas_host = to_sas_host_attrs(shost);
+ struct sas_rphy *rphy;
+
+- mutex_lock(&sas_host->lock);
+ list_for_each_entry(rphy, &sas_host->rphy_list, list) {
+ if (rphy->identify.device_type != SAS_END_DEVICE ||
+ rphy->scsi_target_id == -1)
+ continue;
+
+- if ((channel == SCAN_WILD_CARD || channel == 0) &&
+- (id == SCAN_WILD_CARD || id == rphy->scsi_target_id)) {
++ if (id == SCAN_WILD_CARD || id == rphy->scsi_target_id) {
+ scsi_scan_target(&rphy->dev, 0, rphy->scsi_target_id,
+ lun, SCSI_SCAN_MANUAL);
+ }
+ }
+- mutex_unlock(&sas_host->lock);
++}
+
+- return 0;
++/*
++ * SCSI scan helper
++ */
++
++static int sas_user_scan(struct Scsi_Host *shost, uint channel,
++ uint id, u64 lun)
++{
++ struct sas_host_attrs *sas_host = to_sas_host_attrs(shost);
++ int res = 0;
++ int i;
++
++ switch (channel) {
++ case 0:
++ mutex_lock(&sas_host->lock);
++ scan_channel_zero(shost, id, lun);
++ mutex_unlock(&sas_host->lock);
++ break;
++
++ case SCAN_WILD_CARD:
++ mutex_lock(&sas_host->lock);
++ scan_channel_zero(shost, id, lun);
++ mutex_unlock(&sas_host->lock);
++
++ for (i = 1; i <= shost->max_channel; i++) {
++ res = scsi_scan_host_selected(shost, i, id, lun,
++ SCSI_SCAN_MANUAL);
++ if (res)
++ goto exit_scan;
++ }
++ break;
++
++ default:
++ if (channel < shost->max_channel) {
++ res = scsi_scan_host_selected(shost, channel, id, lun,
++ SCSI_SCAN_MANUAL);
++ } else {
++ res = -EINVAL;
++ }
++ break;
++ }
++
++exit_scan:
++ return res;
+ }
+
+
+--
+2.39.5
+
--- /dev/null
+From 1d755e0dd9175f53b482141da067ac3e459c7900 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 16:53:29 +0530
+Subject: scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is
+ allocated
+
+From: Showrya M N <showrya@chelsio.com>
+
+[ Upstream commit 3ea3a256ed81f95ab0f3281a0e234b01a9cae605 ]
+
+In case of an ib_fast_reg_mr allocation failure during iSER setup, the
+machine hits a panic because iscsi_conn->dd_data is initialized
+unconditionally, even when no memory is allocated (dd_size == 0). This
+leads invalid pointer dereference during connection teardown.
+
+Fix by setting iscsi_conn->dd_data only if memory is actually allocated.
+
+Panic trace:
+------------
+ iser: iser_create_fastreg_desc: Failed to allocate ib_fast_reg_mr err=-12
+ iser: iser_alloc_rx_descriptors: failed allocating rx descriptors / data buffers
+ BUG: unable to handle page fault for address: fffffffffffffff8
+ RIP: 0010:swake_up_locked.part.5+0xa/0x40
+ Call Trace:
+ complete+0x31/0x40
+ iscsi_iser_conn_stop+0x88/0xb0 [ib_iser]
+ iscsi_stop_conn+0x66/0xc0 [scsi_transport_iscsi]
+ iscsi_if_stop_conn+0x14a/0x150 [scsi_transport_iscsi]
+ iscsi_if_rx+0x1135/0x1834 [scsi_transport_iscsi]
+ ? netlink_lookup+0x12f/0x1b0
+ ? netlink_deliver_tap+0x2c/0x200
+ netlink_unicast+0x1ab/0x280
+ netlink_sendmsg+0x257/0x4f0
+ ? _copy_from_user+0x29/0x60
+ sock_sendmsg+0x5f/0x70
+
+Signed-off-by: Showrya M N <showrya@chelsio.com>
+Signed-off-by: Potnuri Bharat Teja <bharat@chelsio.com>
+Link: https://lore.kernel.org/r/20250627112329.19763-1-showrya@chelsio.com
+Reviewed-by: Chris Leech <cleech@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/libiscsi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c
+index 0fda8905eabd..916c07648460 100644
+--- a/drivers/scsi/libiscsi.c
++++ b/drivers/scsi/libiscsi.c
+@@ -3184,7 +3184,8 @@ iscsi_conn_setup(struct iscsi_cls_session *cls_session, int dd_size,
+ return NULL;
+ conn = cls_conn->dd_data;
+
+- conn->dd_data = cls_conn->dd_data + sizeof(*conn);
++ if (dd_size)
++ conn->dd_data = cls_conn->dd_data + sizeof(*conn);
+ conn->session = session;
+ conn->cls_conn = cls_conn;
+ conn->c_stage = ISCSI_CONN_INITIAL_STAGE;
+--
+2.39.5
+
--- /dev/null
+From 9f6980db6057e17185f52a72a7e30fce3b27bc28 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 12:21:28 -0700
+Subject: scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport
+ structure
+
+From: Justin Tee <justin.tee@broadcom.com>
+
+[ Upstream commit 6698796282e828733cde3329c887b4ae9e5545e9 ]
+
+If a call to lpfc_sli4_read_rev() from lpfc_sli4_hba_setup() fails, the
+resultant cleanup routine lpfc_sli4_vport_delete_fcp_xri_aborted() may
+occur before sli4_hba.hdwqs are allocated. This may result in a null
+pointer dereference when attempting to take the abts_io_buf_list_lock for
+the first hardware queue. Fix by adding a null ptr check on
+phba->sli4_hba.hdwq and early return because this situation means there
+must have been an error during port initialization.
+
+Signed-off-by: Justin Tee <justin.tee@broadcom.com>
+Link: https://lore.kernel.org/r/20250618192138.124116-4-justintee8345@gmail.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_scsi.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c
+index 070654cc9292..dcbb2432c978 100644
+--- a/drivers/scsi/lpfc/lpfc_scsi.c
++++ b/drivers/scsi/lpfc/lpfc_scsi.c
+@@ -390,6 +390,10 @@ lpfc_sli4_vport_delete_fcp_xri_aborted(struct lpfc_vport *vport)
+ if (!(vport->cfg_enable_fc4_type & LPFC_ENABLE_FCP))
+ return;
+
++ /* may be called before queues established if hba_setup fails */
++ if (!phba->sli4_hba.hdwq)
++ return;
++
+ spin_lock_irqsave(&phba->hbalock, iflag);
+ for (idx = 0; idx < phba->cfg_hdw_queue; idx++) {
+ qp = &phba->sli4_hba.hdwq[idx];
+--
+2.39.5
+
--- /dev/null
+From 0695c2ece67e09dd978a7d8087e9ac9cd2e63fde Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Jun 2025 14:27:46 +0900
+Subject: scsi: mpi3mr: Correctly handle ATA device errors
+
+From: Damien Le Moal <dlemoal@kernel.org>
+
+[ Upstream commit 04caad5a7ba86e830d04750417a15bad8ac2613c ]
+
+With the ATA error model, an NCQ command failure always triggers an abort
+(termination) of all NCQ commands queued on the device. In such case, the
+SAT or the host must handle the failed command according to the command
+sense data and immediately retry all other NCQ commands that were aborted
+due to the failed NCQ command.
+
+For SAS HBAs controlled by the mpi3mr driver, NCQ command aborts are not
+handled by the HBA SAT and sent back to the host, with an ioc log
+information equal to 0x31080000 (IOC_LOGINFO_PREFIX_PL with the PL code
+PL_LOGINFO_CODE_SATA_NCQ_FAIL_ALL_CMDS_AFTR_ERR). The function
+mpi3mr_process_op_reply_desc() always forces a retry of commands
+terminated with the status MPI3_IOCSTATUS_SCSI_IOC_TERMINATED using the
+SCSI result DID_SOFT_ERROR, regardless of the ioc_loginfo for the
+command. This correctly forces the retry of collateral NCQ abort
+commands, but with the retry counter for the command being incremented.
+If a command to an ATA device is subject to too many retries due to other
+NCQ commands failing (e.g. read commands trying to access unreadable
+sectors), the collateral NCQ abort commands may be terminated with an
+error as they run out of retries. This violates the SAT specification and
+causes hard-to-debug command errors.
+
+Solve this issue by modifying the handling of the
+MPI3_IOCSTATUS_SCSI_IOC_TERMINATED status to check if a command is for an
+ATA device and if the command ioc_loginfo indicates an NCQ collateral
+abort. If that is the case, force the command retry using the SCSI result
+DID_IMM_RETRY to avoid incrementing the command retry count.
+
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Link: https://lore.kernel.org/r/20250606052747.742998-2-dlemoal@kernel.org
+Tested-by: Yafang Shao <laoar.shao@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/mpi3mr/mpi3mr_os.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/mpi3mr/mpi3mr_os.c b/drivers/scsi/mpi3mr/mpi3mr_os.c
+index 7880675a68db..7417c8b74d9a 100644
+--- a/drivers/scsi/mpi3mr/mpi3mr_os.c
++++ b/drivers/scsi/mpi3mr/mpi3mr_os.c
+@@ -49,6 +49,13 @@ static void mpi3mr_send_event_ack(struct mpi3mr_ioc *mrioc, u8 event,
+
+ #define MPI3_EVENT_WAIT_FOR_DEVICES_TO_REFRESH (0xFFFE)
+
++/*
++ * SAS Log info code for a NCQ collateral abort after an NCQ error:
++ * IOC_LOGINFO_PREFIX_PL | PL_LOGINFO_CODE_SATA_NCQ_FAIL_ALL_CMDS_AFTR_ERR
++ * See: drivers/message/fusion/lsi/mpi_log_sas.h
++ */
++#define IOC_LOGINFO_SATA_NCQ_FAIL_AFTER_ERR 0x31080000
++
+ /**
+ * mpi3mr_host_tag_for_scmd - Get host tag for a scmd
+ * @mrioc: Adapter instance reference
+@@ -3270,7 +3277,18 @@ void mpi3mr_process_op_reply_desc(struct mpi3mr_ioc *mrioc,
+ scmd->result = DID_NO_CONNECT << 16;
+ break;
+ case MPI3_IOCSTATUS_SCSI_IOC_TERMINATED:
+- scmd->result = DID_SOFT_ERROR << 16;
++ if (ioc_loginfo == IOC_LOGINFO_SATA_NCQ_FAIL_AFTER_ERR) {
++ /*
++ * This is a ATA NCQ command aborted due to another NCQ
++ * command failure. We must retry this command
++ * immediately but without incrementing its retry
++ * counter.
++ */
++ WARN_ON_ONCE(xfer_count != 0);
++ scmd->result = DID_IMM_RETRY << 16;
++ } else {
++ scmd->result = DID_SOFT_ERROR << 16;
++ }
+ break;
+ case MPI3_IOCSTATUS_SCSI_TASK_TERMINATED:
+ case MPI3_IOCSTATUS_SCSI_EXT_TERMINATED:
+--
+2.39.5
+
--- /dev/null
+From 28da8b31fc449c22479cb67ad91527c9545af57e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Jun 2025 14:27:47 +0900
+Subject: scsi: mpt3sas: Correctly handle ATA device errors
+
+From: Damien Le Moal <dlemoal@kernel.org>
+
+[ Upstream commit 15592a11d5a5c8411ac8494ec49736b658f6fbff ]
+
+With the ATA error model, an NCQ command failure always triggers an abort
+(termination) of all NCQ commands queued on the device. In such case, the
+SAT or the host must handle the failed command according to the command
+sense data and immediately retry all other NCQ commands that were aborted
+due to the failed NCQ command.
+
+For SAS HBAs controlled by the mpt3sas driver, NCQ command aborts are not
+handled by the HBA SAT and sent back to the host, with an ioc log
+information equal to 0x31080000 (IOC_LOGINFO_PREFIX_PL with the PL code
+PL_LOGINFO_CODE_SATA_NCQ_FAIL_ALL_CMDS_AFTR_ERR). The function
+_scsih_io_done() always forces a retry of commands terminated with the
+status MPI2_IOCSTATUS_SCSI_IOC_TERMINATED using the SCSI result
+DID_SOFT_ERROR, regardless of the log_info for the command. This
+correctly forces the retry of collateral NCQ abort commands, but with the
+retry counter for the command being incremented. If a command to an ATA
+device is subject to too many retries due to other NCQ commands failing
+(e.g. read commands trying to access unreadable sectors), the collateral
+NCQ abort commands may be terminated with an error as they run out of
+retries. This violates the SAT specification and causes hard-to-debug
+command errors.
+
+Solve this issue by modifying the handling of the
+MPI2_IOCSTATUS_SCSI_IOC_TERMINATED status to check if a command is for an
+ATA device and if the command loginfo indicates an NCQ collateral
+abort. If that is the case, force the command retry using the SCSI result
+DID_IMM_RETRY to avoid incrementing the command retry count.
+
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Link: https://lore.kernel.org/r/20250606052747.742998-3-dlemoal@kernel.org
+Tested-by: Yafang Shao <laoar.shao@gmail.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/mpt3sas/mpt3sas_scsih.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+index 0afa485fb300..7bef42a2fb57 100644
+--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+@@ -196,6 +196,14 @@ struct sense_info {
+ #define MPT3SAS_PORT_ENABLE_COMPLETE (0xFFFD)
+ #define MPT3SAS_ABRT_TASK_SET (0xFFFE)
+ #define MPT3SAS_REMOVE_UNRESPONDING_DEVICES (0xFFFF)
++
++/*
++ * SAS Log info code for a NCQ collateral abort after an NCQ error:
++ * IOC_LOGINFO_PREFIX_PL | PL_LOGINFO_CODE_SATA_NCQ_FAIL_ALL_CMDS_AFTR_ERR
++ * See: drivers/message/fusion/lsi/mpi_log_sas.h
++ */
++#define IOC_LOGINFO_SATA_NCQ_FAIL_AFTER_ERR 0x31080000
++
+ /**
+ * struct fw_event_work - firmware event struct
+ * @list: link list framework
+@@ -5824,6 +5832,17 @@ _scsih_io_done(struct MPT3SAS_ADAPTER *ioc, u16 smid, u8 msix_index, u32 reply)
+ scmd->result = DID_TRANSPORT_DISRUPTED << 16;
+ goto out;
+ }
++ if (log_info == IOC_LOGINFO_SATA_NCQ_FAIL_AFTER_ERR) {
++ /*
++ * This is a ATA NCQ command aborted due to another NCQ
++ * command failure. We must retry this command
++ * immediately but without incrementing its retry
++ * counter.
++ */
++ WARN_ON_ONCE(xfer_cnt != 0);
++ scmd->result = DID_IMM_RETRY << 16;
++ break;
++ }
+ if (log_info == 0x31110630) {
+ if (scmd->retries > 2) {
+ scmd->result = DID_NO_CONNECT << 16;
+--
+2.39.5
+
--- /dev/null
+From 8d5b648298bdb41eef3c76c29eda8caad6af147c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Jul 2025 15:37:38 +0200
+Subject: scsi: target: core: Generate correct identifiers for PR OUT transport
+ IDs
+
+From: Maurizio Lombardi <mlombard@redhat.com>
+
+[ Upstream commit 6e0f6aa44b68335df404a2df955055f416b5f2aa ]
+
+Fix target_parse_pr_out_transport_id() to return a string representing
+the transport ID in a human-readable format (e.g., naa.xxxxxxxx...) for
+various SCSI protocol types (SAS, FCP, SRP, SBP).
+
+Previously, the function returned a pointer to the raw binary buffer,
+which was incorrectly compared against human-readable strings, causing
+comparisons to fail. Now, the function writes a properly formatted
+string into a buffer provided by the caller. The output format depends
+on the transport protocol:
+
+* SAS: 64-bit identifier, "naa." prefix.
+* FCP: 64-bit identifier, colon separated values.
+* SBP: 64-bit identifier, no prefix.
+* SRP: 128-bit identifier, "0x" prefix.
+* iSCSI: IQN string.
+
+Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
+Link: https://lore.kernel.org/r/20250714133738.11054-1-mlombard@redhat.com
+Reviewed-by: Dmitry Bogdanov <d.bogdanov@yadro.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/target_core_fabric_lib.c | 63 +++++++++++++++++++------
+ drivers/target/target_core_internal.h | 4 +-
+ drivers/target/target_core_pr.c | 18 +++----
+ 3 files changed, 60 insertions(+), 25 deletions(-)
+
+diff --git a/drivers/target/target_core_fabric_lib.c b/drivers/target/target_core_fabric_lib.c
+index 6600ae44f29d..d3ab251ba049 100644
+--- a/drivers/target/target_core_fabric_lib.c
++++ b/drivers/target/target_core_fabric_lib.c
+@@ -257,11 +257,41 @@ static int iscsi_get_pr_transport_id_len(
+ return len;
+ }
+
+-static char *iscsi_parse_pr_out_transport_id(
++static void sas_parse_pr_out_transport_id(char *buf, char *i_str)
++{
++ char hex[17] = {};
++
++ bin2hex(hex, buf + 4, 8);
++ snprintf(i_str, TRANSPORT_IQN_LEN, "naa.%s", hex);
++}
++
++static void srp_parse_pr_out_transport_id(char *buf, char *i_str)
++{
++ char hex[33] = {};
++
++ bin2hex(hex, buf + 8, 16);
++ snprintf(i_str, TRANSPORT_IQN_LEN, "0x%s", hex);
++}
++
++static void fcp_parse_pr_out_transport_id(char *buf, char *i_str)
++{
++ snprintf(i_str, TRANSPORT_IQN_LEN, "%8phC", buf + 8);
++}
++
++static void sbp_parse_pr_out_transport_id(char *buf, char *i_str)
++{
++ char hex[17] = {};
++
++ bin2hex(hex, buf + 8, 8);
++ snprintf(i_str, TRANSPORT_IQN_LEN, "%s", hex);
++}
++
++static bool iscsi_parse_pr_out_transport_id(
+ struct se_portal_group *se_tpg,
+ char *buf,
+ u32 *out_tid_len,
+- char **port_nexus_ptr)
++ char **port_nexus_ptr,
++ char *i_str)
+ {
+ char *p;
+ int i;
+@@ -282,7 +312,7 @@ static char *iscsi_parse_pr_out_transport_id(
+ if ((format_code != 0x00) && (format_code != 0x40)) {
+ pr_err("Illegal format code: 0x%02x for iSCSI"
+ " Initiator Transport ID\n", format_code);
+- return NULL;
++ return false;
+ }
+ /*
+ * If the caller wants the TransportID Length, we set that value for the
+@@ -306,7 +336,7 @@ static char *iscsi_parse_pr_out_transport_id(
+ pr_err("Unable to locate \",i,0x\" separator"
+ " for Initiator port identifier: %s\n",
+ &buf[4]);
+- return NULL;
++ return false;
+ }
+ *p = '\0'; /* Terminate iSCSI Name */
+ p += 5; /* Skip over ",i,0x" separator */
+@@ -339,7 +369,8 @@ static char *iscsi_parse_pr_out_transport_id(
+ } else
+ *port_nexus_ptr = NULL;
+
+- return &buf[4];
++ strscpy(i_str, &buf[4], TRANSPORT_IQN_LEN);
++ return true;
+ }
+
+ int target_get_pr_transport_id_len(struct se_node_acl *nacl,
+@@ -387,33 +418,35 @@ int target_get_pr_transport_id(struct se_node_acl *nacl,
+ }
+ }
+
+-const char *target_parse_pr_out_transport_id(struct se_portal_group *tpg,
+- char *buf, u32 *out_tid_len, char **port_nexus_ptr)
++bool target_parse_pr_out_transport_id(struct se_portal_group *tpg,
++ char *buf, u32 *out_tid_len, char **port_nexus_ptr, char *i_str)
+ {
+- u32 offset;
+-
+ switch (tpg->proto_id) {
+ case SCSI_PROTOCOL_SAS:
+ /*
+ * Assume the FORMAT CODE 00b from spc4r17, 7.5.4.7 TransportID
+ * for initiator ports using SCSI over SAS Serial SCSI Protocol.
+ */
+- offset = 4;
++ sas_parse_pr_out_transport_id(buf, i_str);
+ break;
+- case SCSI_PROTOCOL_SBP:
+ case SCSI_PROTOCOL_SRP:
++ srp_parse_pr_out_transport_id(buf, i_str);
++ break;
+ case SCSI_PROTOCOL_FCP:
+- offset = 8;
++ fcp_parse_pr_out_transport_id(buf, i_str);
++ break;
++ case SCSI_PROTOCOL_SBP:
++ sbp_parse_pr_out_transport_id(buf, i_str);
+ break;
+ case SCSI_PROTOCOL_ISCSI:
+ return iscsi_parse_pr_out_transport_id(tpg, buf, out_tid_len,
+- port_nexus_ptr);
++ port_nexus_ptr, i_str);
+ default:
+ pr_err("Unknown proto_id: 0x%02x\n", tpg->proto_id);
+- return NULL;
++ return false;
+ }
+
+ *port_nexus_ptr = NULL;
+ *out_tid_len = 24;
+- return buf + offset;
++ return true;
+ }
+diff --git a/drivers/target/target_core_internal.h b/drivers/target/target_core_internal.h
+index 408be26d2e9b..20aab1f50565 100644
+--- a/drivers/target/target_core_internal.h
++++ b/drivers/target/target_core_internal.h
+@@ -103,8 +103,8 @@ int target_get_pr_transport_id_len(struct se_node_acl *nacl,
+ int target_get_pr_transport_id(struct se_node_acl *nacl,
+ struct t10_pr_registration *pr_reg, int *format_code,
+ unsigned char *buf);
+-const char *target_parse_pr_out_transport_id(struct se_portal_group *tpg,
+- char *buf, u32 *out_tid_len, char **port_nexus_ptr);
++bool target_parse_pr_out_transport_id(struct se_portal_group *tpg,
++ char *buf, u32 *out_tid_len, char **port_nexus_ptr, char *i_str);
+
+ /* target_core_hba.c */
+ struct se_hba *core_alloc_hba(const char *, u32, u32);
+diff --git a/drivers/target/target_core_pr.c b/drivers/target/target_core_pr.c
+index a9eb6a3e8383..624d2f68bf38 100644
+--- a/drivers/target/target_core_pr.c
++++ b/drivers/target/target_core_pr.c
+@@ -1477,11 +1477,12 @@ core_scsi3_decode_spec_i_port(
+ LIST_HEAD(tid_dest_list);
+ struct pr_transport_id_holder *tidh_new, *tidh, *tidh_tmp;
+ unsigned char *buf, *ptr, proto_ident;
+- const unsigned char *i_str = NULL;
++ unsigned char i_str[TRANSPORT_IQN_LEN];
+ char *iport_ptr = NULL, i_buf[PR_REG_ISID_ID_LEN];
+ sense_reason_t ret;
+ u32 tpdl, tid_len = 0;
+ u32 dest_rtpi = 0;
++ bool tid_found;
+
+ /*
+ * Allocate a struct pr_transport_id_holder and setup the
+@@ -1570,9 +1571,9 @@ core_scsi3_decode_spec_i_port(
+ dest_rtpi = tmp_lun->lun_tpg->tpg_rtpi;
+
+ iport_ptr = NULL;
+- i_str = target_parse_pr_out_transport_id(tmp_tpg,
+- ptr, &tid_len, &iport_ptr);
+- if (!i_str)
++ tid_found = target_parse_pr_out_transport_id(tmp_tpg,
++ ptr, &tid_len, &iport_ptr, i_str);
++ if (!tid_found)
+ continue;
+ /*
+ * Determine if this SCSI device server requires that
+@@ -3152,13 +3153,14 @@ core_scsi3_emulate_pro_register_and_move(struct se_cmd *cmd, u64 res_key,
+ struct t10_pr_registration *pr_reg, *pr_res_holder, *dest_pr_reg;
+ struct t10_reservation *pr_tmpl = &dev->t10_pr;
+ unsigned char *buf;
+- const unsigned char *initiator_str;
++ unsigned char initiator_str[TRANSPORT_IQN_LEN];
+ char *iport_ptr = NULL, i_buf[PR_REG_ISID_ID_LEN] = { };
+ u32 tid_len, tmp_tid_len;
+ int new_reg = 0, type, scope, matching_iname;
+ sense_reason_t ret;
+ unsigned short rtpi;
+ unsigned char proto_ident;
++ bool tid_found;
+
+ if (!se_sess || !se_lun) {
+ pr_err("SPC-3 PR: se_sess || struct se_lun is NULL!\n");
+@@ -3277,9 +3279,9 @@ core_scsi3_emulate_pro_register_and_move(struct se_cmd *cmd, u64 res_key,
+ ret = TCM_INVALID_PARAMETER_LIST;
+ goto out;
+ }
+- initiator_str = target_parse_pr_out_transport_id(dest_se_tpg,
+- &buf[24], &tmp_tid_len, &iport_ptr);
+- if (!initiator_str) {
++ tid_found = target_parse_pr_out_transport_id(dest_se_tpg,
++ &buf[24], &tmp_tid_len, &iport_ptr, initiator_str);
++ if (!tid_found) {
+ pr_err("SPC-3 PR REGISTER_AND_MOVE: Unable to locate"
+ " initiator_str from Transport ID\n");
+ ret = TCM_INVALID_PARAMETER_LIST;
+--
+2.39.5
+
--- /dev/null
+From 447af12743c24b93bcbc2ccc0bf85e44a582918a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 May 2025 23:38:01 -0400
+Subject: securityfs: don't pin dentries twice, once is enough...
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit 27cd1bf1240d482e4f02ca4f9812e748f3106e4f ]
+
+incidentally, securityfs_recursive_remove() is broken without that -
+it leaks dentries, since simple_recursive_removal() does not expect
+anything of that sort. It could be worked around by dput() in
+remove_one() callback, but it's easier to just drop that double-get
+stuff.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/inode.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/security/inode.c b/security/inode.c
+index 3aa75fffa8c9..a90b043695d9 100644
+--- a/security/inode.c
++++ b/security/inode.c
+@@ -159,7 +159,6 @@ static struct dentry *securityfs_create_dentry(const char *name, umode_t mode,
+ inode->i_fop = fops;
+ }
+ d_instantiate(dentry, inode);
+- dget(dentry);
+ inode_unlock(dir);
+ return dentry;
+
+@@ -306,7 +305,6 @@ void securityfs_remove(struct dentry *dentry)
+ simple_rmdir(dir, dentry);
+ else
+ simple_unlink(dir, dentry);
+- dput(dentry);
+ }
+ inode_unlock(dir);
+ simple_release_fs(&mount, &mount_count);
+--
+2.39.5
+
--- /dev/null
+From c645e34ef4fac9b9c4fde46fc722d37318015878 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Jun 2025 18:36:26 -0700
+Subject: selftests/bpf: Fix a user_ringbuf failure with arm64 64KB page size
+
+From: Yonghong Song <yonghong.song@linux.dev>
+
+[ Upstream commit bbc7bd658ddc662083639b9e9a280b90225ecd9a ]
+
+The ringbuf max_entries must be PAGE_ALIGNED. See kernel function
+ringbuf_map_alloc(). So for arm64 64KB page size, adjust max_entries
+properly.
+
+Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
+Link: https://lore.kernel.org/r/20250607013626.1553001-1-yonghong.song@linux.dev
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/user_ringbuf.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/user_ringbuf.c b/tools/testing/selftests/bpf/prog_tests/user_ringbuf.c
+index dfff6feac12c..7e9a508c1571 100644
+--- a/tools/testing/selftests/bpf/prog_tests/user_ringbuf.c
++++ b/tools/testing/selftests/bpf/prog_tests/user_ringbuf.c
+@@ -21,8 +21,7 @@
+ #include "../progs/test_user_ringbuf.h"
+
+ static const long c_sample_size = sizeof(struct sample) + BPF_RINGBUF_HDR_SZ;
+-static const long c_ringbuf_size = 1 << 12; /* 1 small page */
+-static const long c_max_entries = c_ringbuf_size / c_sample_size;
++static long c_ringbuf_size, c_max_entries;
+
+ static void drain_current_samples(void)
+ {
+@@ -424,7 +423,9 @@ static void test_user_ringbuf_loop(void)
+ uint32_t remaining_samples = total_samples;
+ int err;
+
+- BUILD_BUG_ON(total_samples <= c_max_entries);
++ if (!ASSERT_LT(c_max_entries, total_samples, "compare_c_max_entries"))
++ return;
++
+ err = load_skel_create_user_ringbuf(&skel, &ringbuf);
+ if (err)
+ return;
+@@ -686,6 +687,9 @@ void test_user_ringbuf(void)
+ {
+ int i;
+
++ c_ringbuf_size = getpagesize(); /* 1 page */
++ c_max_entries = c_ringbuf_size / c_sample_size;
++
+ for (i = 0; i < ARRAY_SIZE(success_tests); i++) {
+ if (!test__start_subtest(success_tests[i].test_name))
+ continue;
+--
+2.39.5
+
--- /dev/null
+From 2932d8ffcd43d7cf9c6c4a24ffdd6e48b2418552 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 18:36:30 +0800
+Subject: selftests/futex: Define SYS_futex on 32-bit architectures with 64-bit
+ time_t
+
+From: Cynthia Huang <cynthia@andestech.com>
+
+[ Upstream commit 04850819c65c8242072818655d4341e70ae998b5 ]
+
+The kernel does not provide sys_futex() on 32-bit architectures that do not
+support 32-bit time representations, such as riscv32.
+
+As a result, glibc cannot define SYS_futex, causing compilation failures in
+tests that rely on this syscall. Define SYS_futex as SYS_futex_time64 in
+such cases to ensure successful compilation and compatibility.
+
+Signed-off-by: Cynthia Huang <cynthia@andestech.com>
+Signed-off-by: Ben Zong-You Xie <ben717@andestech.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
+Link: https://lore.kernel.org/all/20250710103630.3156130-1-ben717@andestech.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/futex/include/futextest.h | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/tools/testing/selftests/futex/include/futextest.h b/tools/testing/selftests/futex/include/futextest.h
+index ddbcfc9b7bac..7a5fd1d5355e 100644
+--- a/tools/testing/selftests/futex/include/futextest.h
++++ b/tools/testing/selftests/futex/include/futextest.h
+@@ -47,6 +47,17 @@ typedef volatile u_int32_t futex_t;
+ FUTEX_PRIVATE_FLAG)
+ #endif
+
++/*
++ * SYS_futex is expected from system C library, in glibc some 32-bit
++ * architectures (e.g. RV32) are using 64-bit time_t, therefore it doesn't have
++ * SYS_futex defined but just SYS_futex_time64. Define SYS_futex as
++ * SYS_futex_time64 in this situation to ensure the compilation and the
++ * compatibility.
++ */
++#if !defined(SYS_futex) && defined(SYS_futex_time64)
++#define SYS_futex SYS_futex_time64
++#endif
++
+ /**
+ * futex() - SYS_futex syscall wrapper
+ * @uaddr: address of first futex
+--
+2.39.5
+
--- /dev/null
+From 5fa12eb3e513270ae5bd606b11327dc1eed3893d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 13:26:43 +0900
+Subject: selftests: tracing: Use mutex_unlock for testing glob filter
+
+From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+
+[ Upstream commit a089bb2822a49b0c5777a8936f82c1f8629231fb ]
+
+Since commit c5b6ababd21a ("locking/mutex: implement
+mutex_trylock_nested") makes mutex_trylock() as an inlined
+function if CONFIG_DEBUG_LOCK_ALLOC=y, we can not use
+mutex_trylock() for testing the glob filter of ftrace.
+
+Use mutex_unlock instead.
+
+Link: https://lore.kernel.org/r/175151680309.2149615.9795104805153538717.stgit@mhiramat.tok.corp.google.com
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Acked-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc b/tools/testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc
+index 4b994b6df5ac..ed81eaf2afd6 100644
+--- a/tools/testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc
++++ b/tools/testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc
+@@ -29,7 +29,7 @@ ftrace_filter_check 'schedule*' '^schedule.*$'
+ ftrace_filter_check '*pin*lock' '.*pin.*lock$'
+
+ # filter by start*mid*
+-ftrace_filter_check 'mutex*try*' '^mutex.*try.*'
++ftrace_filter_check 'mutex*unl*' '^mutex.*unl.*'
+
+ # Advanced full-glob matching feature is recently supported.
+ # Skip the tests if we are sure the kernel does not support it.
+--
+2.39.5
+
cpuidle-governors-menu-avoid-using-invalid-recent-in.patch
ptp-prevent-possible-abba-deadlock-in-ptp_clock_free.patch
tls-handle-data-disappearing-from-under-the-tls-ulp.patch
+hfs-fix-general-protection-fault-in-hfs_find_init.patch
+hfs-fix-slab-out-of-bounds-in-hfs_bnode_read.patch
+hfsplus-fix-slab-out-of-bounds-in-hfsplus_bnode_read.patch
+hfsplus-fix-slab-out-of-bounds-read-in-hfsplus_uni2a.patch
+hfsplus-don-t-use-bug_on-in-hfsplus_create_attribute.patch
+arm64-handle-kcov-__init-vs-inline-mismatches.patch
+smb-server-avoid-deadlock-when-linking-with-replacei.patch
+nvme-pci-try-function-level-reset-on-init-failure.patch
+gfs2-set-.migrate_folio-in-gfs2_-rgrp-meta-_aops.patch
+md-call-del_gendisk-in-control-path.patch
+loop-avoid-updating-block-size-under-exclusive-owner.patch
+udf-verify-partition-map-count.patch
+drbd-add-missing-kref_get-in-handle_write_conflicts.patch
+hfs-fix-not-erasing-deleted-b-tree-node-issue.patch
+better-lockdep-annotations-for-simple_recursive_remo.patch
+ata-libata-sata-disallow-changing-lpm-state-if-not-s.patch
+fs-ntfs3-add-sanity-check-for-file-name.patch
+fs-ntfs3-correctly-create-symlink-for-relative-path.patch
+md-don-t-clear-md_closing-until-mddev-is-freed.patch
+ext2-handle-fiemap-on-empty-files-to-prevent-einval.patch
+fix-locking-in-efi_secret_unlink.patch
+securityfs-don-t-pin-dentries-twice-once-is-enough.patch
+tracefs-add-d_delete-to-remove-negative-dentries.patch
+usb-xhci-print-xhci-xhc_state-when-queue_command-fai.patch
+platform-x86-amd-pmc-add-lenovo-yoga-6-13alc6-to-pmc.patch
+cpufreq-cppc-mark-driver-with-need_update_limits-fla.patch
+selftests-futex-define-sys_futex-on-32-bit-architect.patch
+usb-typec-ucsi-psy-set-current-max-to-100ma-for-bc-1.patch
+usb-xhci-avoid-showing-warnings-for-dying-controller.patch
+usb-xhci-set-avg_trb_len-8-for-ep0-during-address-de.patch
+usb-xhci-avoid-showing-errors-during-surprise-remova.patch
+soc-qcom-rpmh-rsc-add-rsc-version-4-support.patch
+acpi-apei-send-sigbus-to-current-task-if-synchronous.patch
+remoteproc-imx_rproc-skip-clock-enable-when-m-core-i.patch
+gpio-wcd934x-check-the-return-value-of-regmap_update.patch
+cpufreq-exit-governor-when-failed-to-start-old-gover.patch
+arm-rockchip-fix-kernel-hang-during-smp-initializati.patch
+pm-devfreq-governor-replace-sscanf-with-kstrtoul-in-.patch
+edac-synopsys-clear-the-ecc-counters-on-init.patch
+asoc-soc-dapm-set-bias_level-if-snd_soc_dapm_set_bia.patch
+thermal-drivers-qcom-spmi-temp-alarm-enable-stage-2-.patch
+tools-nolibc-define-time_t-in-terms-of-__kernel_old_.patch
+iio-adc-ad_sigma_delta-don-t-overallocate-scan-buffe.patch
+gpio-tps65912-check-the-return-value-of-regmap_updat.patch
+arm-tegra-use-i-o-memcpy-to-write-to-iram.patch
+tools-build-fix-s390-x-cross-compilation-with-clang.patch
+selftests-tracing-use-mutex_unlock-for-testing-glob-.patch
+acpi-prm-reduce-unnecessary-printing-to-avoid-user-c.patch
+firmware-tegra-fix-ivc-dependency-problems.patch
+pm-runtime-clear-power.needs_force_resume-in-pm_runt.patch
+thermal-sysfs-return-enodata-instead-of-eagain-for-r.patch
+pm-sleep-console-fix-the-black-screen-issue.patch
+acpi-processor-fix-acpi_object-initialization.patch
+mmc-sdhci-msm-ensure-sd-card-power-isn-t-on-when-car.patch
+acpi-apei-ghes-add-taint_machine_check-on-ghes-panic.patch
+pps-clients-gpio-fix-interrupt-handling-order-in-rem.patch
+reset-brcmstb-enable-reset-drivers-for-arch_bcm2835.patch
+char-misc-fix-improper-and-inaccurate-error-code-ret.patch
+mei-bus-check-for-still-connected-devices-in-mei_cl_.patch
+mmc-rtsx_usb_sdmmc-fix-error-path-in-sd_set_power_mo.patch
+alsa-hda-handle-the-jack-polling-always-via-a-work.patch
+alsa-hda-disable-jack-polling-at-shutdown.patch
+x86-bugs-avoid-warning-when-overriding-return-thunk.patch
+asoc-hdac_hdmi-rate-limit-logging-on-connection-and-.patch
+alsa-intel8x0-fix-incorrect-codec-index-usage-in-mix.patch
+asoc-core-check-for-rtd-null-in-snd_soc_remove_pcm_r.patch
+usb-typec-intel_pmc_mux-defer-probe-if-scu-ipc-isn-t.patch
+usb-core-usb_submit_urb-downgrade-type-check.patch
+pm-cpupower-fix-the-snapshot-order-of-tsc-mperf-cloc.patch
+imx8m-blk-ctrl-set-isi-panic-write-hurry-level.patch
+soc-qcom-mdt_loader-actually-use-the-e_phoff.patch
+platform-x86-thinkpad_acpi-handle-kcov-__init-vs-inl.patch
+platform-chrome-cros_ec_typec-defer-probe-on-missing.patch
+alsa-hda-ca0132-fix-buffer-overflow-in-add_tuning_co.patch
+alsa-pcm-rewrite-recalculate_boundary-to-avoid-costl.patch
+alsa-usb-audio-avoid-precedence-issues-in-mixer_quir.patch
+iio-adc-ad7768-1-ensure-sync_in-pulse-minimum-timing.patch
+asoc-codecs-rt5640-retry-device_id-verification.patch
+asoc-qcom-use-drvdata-instead-of-component-to-keep-i.patch
+powerpc-thp-tracing-hide-hugepage-events-under-confi.patch
+bootconfig-fix-unaligned-access-when-building-footer.patch
+bluetooth-hci_sock-reset-cookie-to-zero-in-hci_sock_.patch
+xen-netfront-fix-tx-response-spurious-interrupts.patch
+net-usb-cdc-ncm-check-for-filtering-capability.patch
+wifi-ath12k-correct-tid-cleanup-when-tid-setup-fails.patch
+ktest.pl-prevent-recursion-of-default-variable-optio.patch
+wifi-cfg80211-reject-htc-bit-for-management-frames.patch
+s390-time-use-monotonic-clock-in-get_cycles.patch
+be2net-use-correct-byte-order-and-format-string-for-.patch
+wifi-rtw89-lower-the-timeout-in-rtw89_fw_read_c2h_re.patch
+et131x-add-missing-check-after-dma-map.patch
+net-ag71xx-add-missing-check-after-dma-map.patch
+net-mlx5e-properly-access-rcu-protected-qdisc_sleepi.patch
+arm64-mark-kernel-as-tainted-on-sae-and-serror-panic.patch
+rcu-protect-defer_qs_iw_pending-from-data-race.patch
+can-ti_hecc-fix-woverflow-compiler-warning.patch
+net-mctp-prevent-duplicate-binds.patch
+wifi-cfg80211-fix-interface-type-validation.patch
+net-ipv4-fix-incorrect-mtu-in-broadcast-routes.patch
+net-thunderx-fix-format-truncation-warning-in-bgx_ac.patch
+net-phy-micrel-add-ksz9131_resume.patch
+perf-cxlpmu-remove-unintended-newline-from-irq-name-.patch
+wifi-iwlwifi-mvm-set-gtk-id-also-in-older-fws.patch
+um-re-evaluate-thread-flags-repeatedly.patch
+wifi-iwlwifi-mvm-fix-scan-request-validation.patch
+s390-stp-remove-udelay-from-stp_sync_clock.patch
+sched-fair-bump-sd-max_newidle_lb_cost-when-newidle-.patch
+wifi-mac80211-don-t-complete-management-tx-on-sae-co.patch
+powerpc-512-fix-possible-dma_unmap_single-on-uniniti.patch
+ipv6-mcast-check-inet6_dev-dead-under-idev-mc_lock-i.patch
+wifi-mac80211-fix-rx-link-assignment-for-non-mlo-sta.patch
+drm-msm-use-trylock-for-debugfs.patch
+wifi-rtw89-fix-rtw89_mac_power_switch-for-usb.patch
+wifi-rtw89-disable-deep-power-saving-for-usb-sdio.patch
+wifi-mt76-mt7915-mcu-re-init-mcu-before-loading-fw-p.patch
+kselftest-arm64-specify-sve-data-when-testing-vl-set.patch
+net-thunderbolt-enable-end-to-end-flow-control-also-.patch
+net-thunderbolt-fix-the-parameter-passing-of-tb_xdom.patch
+xfrm-duplicate-spi-handling.patch
+net-atlantic-add-set_power-to-fw_ops-for-atl2-to-fix.patch
+net-fec-allow-disable-coalescing.patch
+drm-amd-display-separate-set_gsl-from-set_gsl_source.patch
+wifi-ath12k-add-memset-and-update-default-rate-value.patch
+wifi-iwlwifi-dvm-fix-potential-overflow-in-rs_fill_l.patch
+wifi-iwlwifi-fw-fix-possible-memory-leak-in-iwl_fw_d.patch
+drm-amd-display-fix-failed-to-blank-crtc.patch
+wifi-mac80211-update-radar_required-in-channel-conte.patch
+wifi-rtlwifi-fix-possible-skb-memory-leak-in-_rtl_pc.patch
+wifi-ath12k-enable-reo-queue-lookup-table-feature-on.patch
+wifi-ath12k-decrement-tid-on-rx-peer-frag-setup-erro.patch
+powerpc-floppy-add-missing-checks-after-dma-map.patch
+netmem-fix-skb_frag_address_safe-with-unreadable-skb.patch
+wifi-iwlegacy-check-rate_idx-range-after-addition.patch
+neighbour-add-support-for-nud_permanent-proxy-entrie.patch
+dpaa_eth-don-t-use-fixed_phy_change_carrier.patch
+drm-amd-allow-printing-vangogh-od-sclk-levels-withou.patch
+net-vlan-make-is_vlan_dev-a-stub-when-vlan-is-not-co.patch
+net-vlan-replace-bug-with-warn_on_once-in-vlan_dev_-.patch
+gve-return-error-for-unknown-admin-queue-command.patch
+net-dsa-b53-fix-b53_imp_vlan_setup-for-bcm5325.patch
+net-dsa-b53-prevent-gmii_port_override_ctrl-access-o.patch
+net-dsa-b53-prevent-dis_learning-access-on-bcm5325.patch
+net-dsa-b53-prevent-switch_ctrl-access-on-bcm5325.patch
+bpftool-fix-json-writer-resource-leak-in-version-com.patch
+ptp-use-ratelimite-for-freerun-error-message.patch
+wifi-rtlwifi-fix-possible-skb-memory-leak-in-_rtl_pc.patch-16702
+ionic-clean-dbpage-in-de-init.patch
+net-ncsi-fix-buffer-overflow-in-fetching-version-id.patch
+drm-renesas-rz-du-mipi_dsi-add-min-check-for-vclk-ra.patch
+drm-ttm-should-to-return-the-evict-error.patch
+uapi-in6-restore-visibility-of-most-ipv6-socket-opti.patch
+bpf-make-reg_not_null-true-for-const_ptr_to_map.patch
+selftests-bpf-fix-a-user_ringbuf-failure-with-arm64-.patch
+drm-amd-display-avoid-trying-aux-transactions-on-dis.patch
+drm-ttm-respect-the-shrinker-core-free-target.patch
+rcu-fix-rcu_read_unlock-deadloop-due-to-irq-work.patch
+net-dsa-b53-fix-ip_multicast_ctrl-on-bcm5325.patch
+vsock-virtio-resize-receive-buffers-so-that-each-skb.patch
+vhost-fail-early-when-__vhost_add_used-fails.patch
+drm-amd-display-only-finalize-atomic_obj-if-it-was-i.patch
+drm-amd-display-avoid-configuring-psr-granularity-if.patch
+watchdog-sbsa-adjust-keepalive-timeout-to-avoid-medi.patch
+cifs-fix-calling-cifsfindfirst-for-root-path-without.patch
+fbdev-fix-potential-buffer-overflow-in-do_register_f.patch
+crypto-hisilicon-hpre-fix-dma-unmap-sequence.patch
+ext4-do-not-bug-when-inline_data_fl-lacks-system.dat.patch
+clk-tegra-periph-fix-error-handling-and-resolve-unsi.patch
+mfd-axp20x-set-explicit-id-for-axp313-regulator.patch
+phy-rockchip-pcie-properly-disable-test_write-strobe.patch
+scsi-libiscsi-initialize-iscsi_conn-dd_data-only-if-.patch
+fs-orangefs-use-snprintf-instead-of-sprintf.patch
+watchdog-dw_wdt-fix-default-timeout.patch
+hwmon-emc2305-set-initial-pwm-minimum-value-during-p.patch
+clk-qcom-ipq5018-keep-xo-clock-always-on.patch
+mips-vpe-mt-add-missing-prototypes-for-vpe_-alloc-st.patch
+watchdog-itco_wdt-report-error-if-timeout-configurat.patch
+scsi-bfa-double-free-fix.patch
+jfs-truncate-good-inode-pages-when-hard-link-is-0.patch
+jfs-regular-file-corruption-check.patch
+jfs-upper-bound-check-of-tree-index-in-dballocag.patch
+crypto-jitter-fix-intermediary-handling.patch
+mips-don-t-crash-in-stack_top-for-tasks-without-abi-.patch
+mips-lantiq-falcon-sysctrl-fix-request-memory-check-.patch
+media-v4l2-common-reduce-warnings-about-missing-v4l2.patch
+leds-leds-lp50xx-handle-reg-to-get-correct-multi_ind.patch
+dmaengine-stm32-dma-configure-next-sg-only-if-there-.patch
+rdma-hfi1-fix-possible-divide-by-zero-in-find_hw_thr.patch
+rdma-core-reduce-stack-using-in-nldev_stat_get_doit.patch
+scsi-lpfc-check-for-hdwq-null-ptr-when-cleaning-up-l.patch
+power-supply-qcom_battmgr-add-lithium-polymer-entry.patch
+scsi-mpt3sas-correctly-handle-ata-device-errors.patch
+scsi-mpi3mr-correctly-handle-ata-device-errors.patch
+pinctrl-stm32-manage-irq-affinity-settings.patch
+media-tc358743-check-i2c-succeeded-during-probe.patch
+media-tc358743-return-an-appropriate-colorspace-from.patch
+media-tc358743-increase-fifo-trigger-level-to-374.patch
+media-usb-hdpvr-disable-zero-length-read-messages.patch
+media-dvb-frontends-dib7090p-fix-null-ptr-deref-in-d.patch
+media-dvb-frontends-w7090p-fix-null-ptr-deref-in-w70.patch
+media-uvcvideo-fix-bandwidth-issue-for-alcor-camera.patch
+crypto-octeontx2-add-timeout-for-load_fvc-completion.patch
+soundwire-amd-serialize-amd-manager-resume-sequence-.patch
+soundwire-move-handle_nested_irq-outside-of-sdw_dev_.patch
+md-dm-zoned-target-initialize-return-variable-r-to-a.patch
+module-prevent-silent-truncation-of-module-name-in-d.patch
+i3c-add-missing-include-to-internal-header.patch
+rtc-ds1307-handle-oscillator-stop-flag-osf-for-ds134.patch
+apparmor-shift-ouid-when-mediating-hard-links-in-use.patch
+i3c-don-t-fail-if-gethdrcap-is-unsupported.patch
+i3c-master-initialize-ret-in-i3c_i2c_notifier_call.patch
+dm-mpath-don-t-print-the-loaded-message-if-registeri.patch
+dm-table-fix-checking-for-rq-stackable-devices.patch
+apparmor-use-the-condition-in-aa_bug_fmt-even-with-d.patch
+i2c-force-dll0945-touchpad-i2c-freq-to-100khz.patch
+exfat-add-cluster-chain-loop-check-for-dir.patch
+f2fs-check-the-generic-conditions-first.patch
+kconfig-lxdialog-replace-strcpy-with-strncpy-in-inpu.patch
+vfio-type1-conditional-rescheduling-while-pinning.patch
+kconfig-nconf-ensure-null-termination-where-strncpy-.patch
+scsi-fix-sas_user_scan-to-handle-wildcard-and-multi-.patch
+scsi-target-core-generate-correct-identifiers-for-pr.patch
+scsi-aacraid-stop-using-pci_irq_affinity.patch
+vfio-mlx5-fix-possible-overflow-in-tracking-max-mess.patch
+ipmi-use-dev_warn_ratelimited-for-incorrect-message-.patch
+kconfig-gconf-avoid-hardcoding-model2-in-on_treeview.patch
+kconfig-gconf-fix-potential-memory-leak-in-renderer_.patch
+kconfig-lxdialog-fix-space-to-de-select-options.patch
+ipmi-fix-strcpy-source-and-destination-the-same.patch
+net-phy-smsc-add-proper-reset-flags-for-lan8710a.patch
+asoc-intel-avs-fix-uninitialized-pointer-error-in-pr.patch
+block-avoid-possible-overflow-for-chunk_sectors-chec.patch
+pnfs-fix-stripe-mapping-in-block-scsi-layout.patch
+pnfs-fix-disk-addr-range-check-in-block-scsi-layout.patch
+pnfs-handle-rpc-size-limit-for-layoutcommits.patch
+pnfs-fix-uninited-ptr-deref-in-block-scsi-layout.patch
+rtc-ds1307-remove-clear-of-oscillator-stop-flag-osf-.patch
--- /dev/null
+From ffd723bb545c1a225812234005d0573a5fb16bec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jun 2025 09:35:09 +1000
+Subject: smb/server: avoid deadlock when linking with ReplaceIfExists
+
+From: NeilBrown <neil@brown.name>
+
+[ Upstream commit d5fc1400a34b4ea5e8f2ce296ea12bf8c8421694 ]
+
+If smb2_create_link() is called with ReplaceIfExists set and the name
+does exist then a deadlock will happen.
+
+ksmbd_vfs_kern_path_locked() will return with success and the parent
+directory will be locked. ksmbd_vfs_remove_file() will then remove the
+file. ksmbd_vfs_link() will then be called while the parent is still
+locked. It will try to lock the same parent and will deadlock.
+
+This patch moves the ksmbd_vfs_kern_path_unlock() call to *before*
+ksmbd_vfs_link() and then simplifies the code, removing the file_present
+flag variable.
+
+Signed-off-by: NeilBrown <neil@brown.name>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/server/smb2pdu.c | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
+index d3dd3b9b4005..85e7bc3a2bd3 100644
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -6011,7 +6011,6 @@ static int smb2_create_link(struct ksmbd_work *work,
+ {
+ char *link_name = NULL, *target_name = NULL, *pathname = NULL;
+ struct path path, parent_path;
+- bool file_present = false;
+ int rc;
+
+ if (buf_len < (u64)sizeof(struct smb2_file_link_info) +
+@@ -6044,11 +6043,8 @@ static int smb2_create_link(struct ksmbd_work *work,
+ if (rc) {
+ if (rc != -ENOENT)
+ goto out;
+- } else
+- file_present = true;
+-
+- if (file_info->ReplaceIfExists) {
+- if (file_present) {
++ } else {
++ if (file_info->ReplaceIfExists) {
+ rc = ksmbd_vfs_remove_file(work, &path);
+ if (rc) {
+ rc = -EINVAL;
+@@ -6056,21 +6052,17 @@ static int smb2_create_link(struct ksmbd_work *work,
+ link_name);
+ goto out;
+ }
+- }
+- } else {
+- if (file_present) {
++ } else {
+ rc = -EEXIST;
+ ksmbd_debug(SMB, "link already exists\n");
+ goto out;
+ }
++ ksmbd_vfs_kern_path_unlock(&parent_path, &path);
+ }
+-
+ rc = ksmbd_vfs_link(work, target_name, link_name);
+ if (rc)
+ rc = -EINVAL;
+ out:
+- if (file_present)
+- ksmbd_vfs_kern_path_unlock(&parent_path, &path);
+
+ if (!IS_ERR(link_name))
+ kfree(link_name);
+--
+2.39.5
+
--- /dev/null
+From c9d567548c4c9b2261dd62b7d881187eb22b79c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 21:58:30 -0500
+Subject: soc: qcom: mdt_loader: Actually use the e_phoff
+
+From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+
+[ Upstream commit 47e339cac89143709e84a3b71ba8bd9b2fdd2368 ]
+
+Rather than relying/assuming that the tools generating the firmware
+places the program headers immediately following the ELF header, use
+e_phoff as intended to find the program headers.
+
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250610-mdt-loader-validation-and-fixes-v2-3-f7073e9ab899@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/qcom/mdt_loader.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/soc/qcom/mdt_loader.c b/drivers/soc/qcom/mdt_loader.c
+index 6f177e46fa0f..8de1d478bec2 100644
+--- a/drivers/soc/qcom/mdt_loader.c
++++ b/drivers/soc/qcom/mdt_loader.c
+@@ -85,7 +85,7 @@ ssize_t qcom_mdt_get_size(const struct firmware *fw)
+ int i;
+
+ ehdr = (struct elf32_hdr *)fw->data;
+- phdrs = (struct elf32_phdr *)(ehdr + 1);
++ phdrs = (struct elf32_phdr *)(fw->data + ehdr->e_phoff);
+
+ for (i = 0; i < ehdr->e_phnum; i++) {
+ phdr = &phdrs[i];
+@@ -137,7 +137,7 @@ void *qcom_mdt_read_metadata(const struct firmware *fw, size_t *data_len,
+ void *data;
+
+ ehdr = (struct elf32_hdr *)fw->data;
+- phdrs = (struct elf32_phdr *)(ehdr + 1);
++ phdrs = (struct elf32_phdr *)(fw->data + ehdr->e_phoff);
+
+ if (ehdr->e_phnum < 2)
+ return ERR_PTR(-EINVAL);
+@@ -217,7 +217,7 @@ int qcom_mdt_pas_init(struct device *dev, const struct firmware *fw,
+ int i;
+
+ ehdr = (struct elf32_hdr *)fw->data;
+- phdrs = (struct elf32_phdr *)(ehdr + 1);
++ phdrs = (struct elf32_phdr *)(fw->data + ehdr->e_phoff);
+
+ for (i = 0; i < ehdr->e_phnum; i++) {
+ phdr = &phdrs[i];
+@@ -272,7 +272,7 @@ static bool qcom_mdt_bins_are_split(const struct firmware *fw, const char *fw_na
+ int i;
+
+ ehdr = (struct elf32_hdr *)fw->data;
+- phdrs = (struct elf32_phdr *)(ehdr + 1);
++ phdrs = (struct elf32_phdr *)(fw->data + ehdr->e_phoff);
+
+ for (i = 0; i < ehdr->e_phnum; i++) {
+ /*
+@@ -314,7 +314,7 @@ static int __qcom_mdt_load(struct device *dev, const struct firmware *fw,
+
+ is_split = qcom_mdt_bins_are_split(fw, fw_name);
+ ehdr = (struct elf32_hdr *)fw->data;
+- phdrs = (struct elf32_phdr *)(ehdr + 1);
++ phdrs = (struct elf32_phdr *)(fw->data + ehdr->e_phoff);
+
+ for (i = 0; i < ehdr->e_phnum; i++) {
+ phdr = &phdrs[i];
+--
+2.39.5
+
--- /dev/null
+From 6626f05a0b84eb75101fdeb73d83700a9d79acb3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Jun 2025 11:19:43 +0530
+Subject: soc: qcom: rpmh-rsc: Add RSC version 4 support
+
+From: Maulik Shah <maulik.shah@oss.qualcomm.com>
+
+[ Upstream commit 84684c57c9cd47b86c883a7170dd68222d97ef13 ]
+
+Register offsets for v3 and v4 versions are backward compatible. Assign v3
+offsets for v4 and all higher versions to avoid end up using v2 offsets.
+
+Signed-off-by: Maulik Shah <maulik.shah@oss.qualcomm.com>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://lore.kernel.org/r/20250623-rsc_v4-v1-1-275b27bc5e3c@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/qcom/rpmh-rsc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/soc/qcom/rpmh-rsc.c b/drivers/soc/qcom/rpmh-rsc.c
+index dfc2d4e38fa9..163a58eb02e0 100644
+--- a/drivers/soc/qcom/rpmh-rsc.c
++++ b/drivers/soc/qcom/rpmh-rsc.c
+@@ -1075,7 +1075,7 @@ static int rpmh_rsc_probe(struct platform_device *pdev)
+ drv->ver.minor = rsc_id & (MINOR_VER_MASK << MINOR_VER_SHIFT);
+ drv->ver.minor >>= MINOR_VER_SHIFT;
+
+- if (drv->ver.major == 3)
++ if (drv->ver.major >= 3)
+ drv->regs = rpmh_rsc_reg_offset_ver_3_0;
+ else
+ drv->regs = rpmh_rsc_reg_offset_ver_2_7;
+--
+2.39.5
+
--- /dev/null
+From c73360ba0d32f668378f1b7e3d11e36a95003285 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 May 2025 11:13:40 +0530
+Subject: soundwire: amd: serialize amd manager resume sequence during
+ pm_prepare
+
+From: Vijendar Mukunda <Vijendar.Mukunda@amd.com>
+
+[ Upstream commit 03837341790039d6f1cbf7a1ae7dfa2cb77ef0a4 ]
+
+During pm_prepare callback, pm_request_resume() delays SoundWire manager D0
+entry sequence. Synchronize runtime resume sequence for amd_manager
+instance prior to invoking child devices resume sequence for both the amd
+power modes(ClockStop Mode and Power off mode).
+Change the power_mode_mask check and use pm_runtime_resume() in
+amd_pm_prepare() callback.
+
+Signed-off-by: Vijendar Mukunda <Vijendar.Mukunda@amd.com>
+Link: https://lore.kernel.org/r/20250530054447.1645807-3-Vijendar.Mukunda@amd.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soundwire/amd_manager.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/soundwire/amd_manager.c b/drivers/soundwire/amd_manager.c
+index b89f8067e6cd..3d8937245c18 100644
+--- a/drivers/soundwire/amd_manager.c
++++ b/drivers/soundwire/amd_manager.c
+@@ -1104,10 +1104,10 @@ static int __maybe_unused amd_pm_prepare(struct device *dev)
+ * device is not in runtime suspend state, observed that device alerts are missing
+ * without pm_prepare on AMD platforms in clockstop mode0.
+ */
+- if (amd_manager->power_mode_mask & AMD_SDW_CLK_STOP_MODE) {
+- ret = pm_request_resume(dev);
++ if (amd_manager->power_mode_mask) {
++ ret = pm_runtime_resume(dev);
+ if (ret < 0) {
+- dev_err(bus->dev, "pm_request_resume failed: %d\n", ret);
++ dev_err(bus->dev, "pm_runtime_resume failed: %d\n", ret);
+ return 0;
+ }
+ }
+--
+2.39.5
+
--- /dev/null
+From 8c459e922a029f3f8aa3a3cb8c3e9beb660553db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jun 2025 15:30:40 +0100
+Subject: soundwire: Move handle_nested_irq outside of sdw_dev_lock
+
+From: Charles Keepax <ckeepax@opensource.cirrus.com>
+
+[ Upstream commit ccb7bb13c00bcc3178d270da052635c56148bc16 ]
+
+The sdw_dev_lock protects the SoundWire driver callbacks against
+the probed flag, which is used to skip the callbacks if the
+driver gets removed. For more information see commit bd29c00edd0a
+("soundwire: revisit driver bind/unbind and callbacks").
+
+However, this lock is a frequent source of mutex inversions.
+Many audio operations eventually hit the hardware resulting in a
+SoundWire callback, this means that typically the driver has the
+locking order ALSA/ASoC locks -> sdw_dev_lock. Conversely, the IRQ
+comes in directly from the SoundWire hardware, but then will often
+want to access ALSA/ASoC, such as updating something in DAPM or
+an ALSA control. This gives the other lock order sdw_dev_lock ->
+ALSA/ASoC locks.
+
+When the IRQ handling was initially added to SoundWire this was
+through a callback mechanism. As such it required being covered by
+the lock because the callbacks are part of the sdw_driver structure
+and are thus present regardless of if the driver is currently
+probed.
+
+Since then a newer mechanism using the IRQ framework has been
+added, which is currently covered by the same lock but this isn't
+actually required. Handlers for the IRQ framework are registered in
+probe and should by released during remove, thus the IRQ framework
+will have already unbound the IRQ before the slave driver is
+removed. Avoid the aforementioned mutex inversion by moving the
+handle_nested_irq call outside of the sdw_dev_lock.
+
+Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
+Link: https://lore.kernel.org/r/20250609143041.495049-3-ckeepax@opensource.cirrus.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soundwire/bus.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/soundwire/bus.c b/drivers/soundwire/bus.c
+index 767942f19adb..e7397fd8e9ad 100644
+--- a/drivers/soundwire/bus.c
++++ b/drivers/soundwire/bus.c
+@@ -1730,15 +1730,15 @@ static int sdw_handle_slave_alerts(struct sdw_slave *slave)
+
+ /* Update the Slave driver */
+ if (slave_notify) {
++ if (slave->prop.use_domain_irq && slave->irq)
++ handle_nested_irq(slave->irq);
++
+ mutex_lock(&slave->sdw_dev_lock);
+
+ if (slave->probed) {
+ struct device *dev = &slave->dev;
+ struct sdw_driver *drv = drv_to_sdw_driver(dev->driver);
+
+- if (slave->prop.use_domain_irq && slave->irq)
+- handle_nested_irq(slave->irq);
+-
+ if (drv->ops && drv->ops->interrupt_callback) {
+ slave_intr.sdca_cascade = sdca_cascade;
+ slave_intr.control_port = clear;
+--
+2.39.5
+
--- /dev/null
+From e82bba366b6e385b3fe948b3e209a090a2eb34e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 15:45:51 -0700
+Subject: thermal/drivers/qcom-spmi-temp-alarm: Enable stage 2 shutdown when
+ required
+
+From: David Collins <david.collins@oss.qualcomm.com>
+
+[ Upstream commit f8e157ff2df46ddabd930815d196895976227831 ]
+
+Certain TEMP_ALARM GEN2 PMIC peripherals need over-temperature stage 2
+automatic PMIC partial shutdown. This will ensure that in the event of
+reaching the hotter stage 3 over-temperature threshold, repeated faults
+will be avoided during the automatic PMIC hardware full shutdown.
+Modify the stage 2 shutdown control logic to ensure that stage 2
+shutdown is enabled on all affected PMICs. Read the digital major
+and minor revision registers to identify these PMICs.
+
+Signed-off-by: David Collins <david.collins@oss.qualcomm.com>
+Signed-off-by: Anjelique Melendez <anjelique.melendez@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250710224555.3047790-2-anjelique.melendez@oss.qualcomm.com
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/qcom/qcom-spmi-temp-alarm.c | 43 ++++++++++++++++-----
+ 1 file changed, 34 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/thermal/qcom/qcom-spmi-temp-alarm.c b/drivers/thermal/qcom/qcom-spmi-temp-alarm.c
+index 78c5cfe6a0c0..eeccf905f83e 100644
+--- a/drivers/thermal/qcom/qcom-spmi-temp-alarm.c
++++ b/drivers/thermal/qcom/qcom-spmi-temp-alarm.c
+@@ -1,6 +1,7 @@
+ // SPDX-License-Identifier: GPL-2.0-only
+ /*
+ * Copyright (c) 2011-2015, 2017, 2020, The Linux Foundation. All rights reserved.
++ * Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries.
+ */
+
+ #include <linux/bitops.h>
+@@ -16,6 +17,7 @@
+
+ #include "../thermal_hwmon.h"
+
++#define QPNP_TM_REG_DIG_MINOR 0x00
+ #define QPNP_TM_REG_DIG_MAJOR 0x01
+ #define QPNP_TM_REG_TYPE 0x04
+ #define QPNP_TM_REG_SUBTYPE 0x05
+@@ -31,7 +33,7 @@
+ #define STATUS_GEN2_STATE_MASK GENMASK(6, 4)
+ #define STATUS_GEN2_STATE_SHIFT 4
+
+-#define SHUTDOWN_CTRL1_OVERRIDE_S2 BIT(6)
++#define SHUTDOWN_CTRL1_OVERRIDE_STAGE2 BIT(6)
+ #define SHUTDOWN_CTRL1_THRESHOLD_MASK GENMASK(1, 0)
+
+ #define SHUTDOWN_CTRL1_RATE_25HZ BIT(3)
+@@ -79,6 +81,7 @@ struct qpnp_tm_chip {
+ /* protects .thresh, .stage and chip registers */
+ struct mutex lock;
+ bool initialized;
++ bool require_stage2_shutdown;
+
+ struct iio_channel *adc;
+ const long (*temp_map)[THRESH_COUNT][STAGE_COUNT];
+@@ -221,13 +224,13 @@ static int qpnp_tm_update_critical_trip_temp(struct qpnp_tm_chip *chip,
+ {
+ long stage2_threshold_min = (*chip->temp_map)[THRESH_MIN][1];
+ long stage2_threshold_max = (*chip->temp_map)[THRESH_MAX][1];
+- bool disable_s2_shutdown = false;
++ bool disable_stage2_shutdown = false;
+ u8 reg;
+
+ WARN_ON(!mutex_is_locked(&chip->lock));
+
+ /*
+- * Default: S2 and S3 shutdown enabled, thresholds at
++ * Default: Stage 2 and Stage 3 shutdown enabled, thresholds at
+ * lowest threshold set, monitoring at 25Hz
+ */
+ reg = SHUTDOWN_CTRL1_RATE_25HZ;
+@@ -242,12 +245,12 @@ static int qpnp_tm_update_critical_trip_temp(struct qpnp_tm_chip *chip,
+ chip->thresh = THRESH_MAX -
+ ((stage2_threshold_max - temp) /
+ TEMP_THRESH_STEP);
+- disable_s2_shutdown = true;
++ disable_stage2_shutdown = true;
+ } else {
+ chip->thresh = THRESH_MAX;
+
+ if (chip->adc)
+- disable_s2_shutdown = true;
++ disable_stage2_shutdown = true;
+ else
+ dev_warn(chip->dev,
+ "No ADC is configured and critical temperature %d mC is above the maximum stage 2 threshold of %ld mC! Configuring stage 2 shutdown at %ld mC.\n",
+@@ -256,8 +259,8 @@ static int qpnp_tm_update_critical_trip_temp(struct qpnp_tm_chip *chip,
+
+ skip:
+ reg |= chip->thresh;
+- if (disable_s2_shutdown)
+- reg |= SHUTDOWN_CTRL1_OVERRIDE_S2;
++ if (disable_stage2_shutdown && !chip->require_stage2_shutdown)
++ reg |= SHUTDOWN_CTRL1_OVERRIDE_STAGE2;
+
+ return qpnp_tm_write(chip, QPNP_TM_REG_SHUTDOWN_CTRL1, reg);
+ }
+@@ -371,8 +374,8 @@ static int qpnp_tm_probe(struct platform_device *pdev)
+ {
+ struct qpnp_tm_chip *chip;
+ struct device_node *node;
+- u8 type, subtype, dig_major;
+- u32 res;
++ u8 type, subtype, dig_major, dig_minor;
++ u32 res, dig_revision;
+ int ret, irq;
+
+ node = pdev->dev.of_node;
+@@ -424,6 +427,11 @@ static int qpnp_tm_probe(struct platform_device *pdev)
+ return dev_err_probe(&pdev->dev, ret,
+ "could not read dig_major\n");
+
++ ret = qpnp_tm_read(chip, QPNP_TM_REG_DIG_MINOR, &dig_minor);
++ if (ret < 0)
++ return dev_err_probe(&pdev->dev, ret,
++ "could not read dig_minor\n");
++
+ if (type != QPNP_TM_TYPE || (subtype != QPNP_TM_SUBTYPE_GEN1
+ && subtype != QPNP_TM_SUBTYPE_GEN2)) {
+ dev_err(&pdev->dev, "invalid type 0x%02x or subtype 0x%02x\n",
+@@ -437,6 +445,23 @@ static int qpnp_tm_probe(struct platform_device *pdev)
+ else
+ chip->temp_map = &temp_map_gen1;
+
++ if (chip->subtype == QPNP_TM_SUBTYPE_GEN2) {
++ dig_revision = (dig_major << 8) | dig_minor;
++ /*
++ * Check if stage 2 automatic partial shutdown must remain
++ * enabled to avoid potential repeated faults upon reaching
++ * over-temperature stage 3.
++ */
++ switch (dig_revision) {
++ case 0x0001:
++ case 0x0002:
++ case 0x0100:
++ case 0x0101:
++ chip->require_stage2_shutdown = true;
++ break;
++ }
++ }
++
+ /*
+ * Register the sensor before initializing the hardware to be able to
+ * read the trip points. get_temp() returns the default temperature
+--
+2.39.5
+
--- /dev/null
+From d819137ad5036a9dd40c732672d91291c1bccecb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 10:41:43 +0000
+Subject: thermal: sysfs: Return ENODATA instead of EAGAIN for reads
+
+From: Hsin-Te Yuan <yuanhsinte@chromium.org>
+
+[ Upstream commit 1a4aabc27e95674837f2e25f4ef340c0469e6203 ]
+
+According to POSIX spec, EAGAIN returned by read with O_NONBLOCK set
+means the read would block. Hence, the common implementation in
+nonblocking model will poll the file when the nonblocking read returns
+EAGAIN. However, when the target file is thermal zone, this mechanism
+will totally malfunction because thermal zone doesn't implement sysfs
+notification and thus the poll will never return.
+
+For example, the read in Golang implemnts such method and sometimes
+hangs at reading some thermal zones via sysfs.
+
+Change to return -ENODATA instead of -EAGAIN to userspace.
+
+Signed-off-by: Hsin-Te Yuan <yuanhsinte@chromium.org>
+Link: https://patch.msgid.link/20250620-temp-v3-1-6becc6aeb66c@chromium.org
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/thermal_sysfs.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/thermal/thermal_sysfs.c b/drivers/thermal/thermal_sysfs.c
+index eef40d4f3063..0dea605faadb 100644
+--- a/drivers/thermal/thermal_sysfs.c
++++ b/drivers/thermal/thermal_sysfs.c
+@@ -39,10 +39,13 @@ temp_show(struct device *dev, struct device_attribute *attr, char *buf)
+
+ ret = thermal_zone_get_temp(tz, &temperature);
+
+- if (ret)
+- return ret;
++ if (!ret)
++ return sprintf(buf, "%d\n", temperature);
+
+- return sprintf(buf, "%d\n", temperature);
++ if (ret == -EAGAIN)
++ return -ENODATA;
++
++ return ret;
+ }
+
+ static ssize_t
+--
+2.39.5
+
--- /dev/null
+From 88e31fc1494e0da19ef8ae2ebda055289726904b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 13:00:27 +0200
+Subject: tools/build: Fix s390(x) cross-compilation with clang
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
+
+[ Upstream commit a40f0cdce78be8a559ee8a85c908049c65a410b2 ]
+
+The heuristic to derive a clang target triple from a GCC one does not work
+for s390. GCC uses "s390-linux" while clang expects "s390x-linux" or
+"powerz-linux".
+
+Add an explicit override.
+
+Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
+Link: https://lore.kernel.org/r/20250620-tools-cross-s390-v2-1-ecda886e00e5@linutronix.de
+Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/scripts/Makefile.include | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tools/scripts/Makefile.include b/tools/scripts/Makefile.include
+index ff527ac065cf..c006e72b4f43 100644
+--- a/tools/scripts/Makefile.include
++++ b/tools/scripts/Makefile.include
+@@ -98,7 +98,9 @@ else ifneq ($(CROSS_COMPILE),)
+ # Allow userspace to override CLANG_CROSS_FLAGS to specify their own
+ # sysroots and flags or to avoid the GCC call in pure Clang builds.
+ ifeq ($(CLANG_CROSS_FLAGS),)
+-CLANG_CROSS_FLAGS := --target=$(notdir $(CROSS_COMPILE:%-=%))
++CLANG_TARGET := $(notdir $(CROSS_COMPILE:%-=%))
++CLANG_TARGET := $(subst s390-linux,s390x-linux,$(CLANG_TARGET))
++CLANG_CROSS_FLAGS := --target=$(CLANG_TARGET)
+ GCC_TOOLCHAIN_DIR := $(dir $(shell which $(CROSS_COMPILE)gcc 2>/dev/null))
+ ifneq ($(GCC_TOOLCHAIN_DIR),)
+ CLANG_CROSS_FLAGS += --prefix=$(GCC_TOOLCHAIN_DIR)$(notdir $(CROSS_COMPILE))
+--
+2.39.5
+
--- /dev/null
+From f3d22bdfad9943d2d0789b4cf06e2619b5795784 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Jul 2025 11:00:55 +0200
+Subject: tools/nolibc: define time_t in terms of __kernel_old_time_t
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <linux@weissschuh.net>
+
+[ Upstream commit d5094bcb5bfdfea2cf0de8aaf77cc65db56cbdb5 ]
+
+Nolibc assumes that the kernel ABI is using a time values that are as
+large as a long integer. For most ABIs this holds true.
+But for x32 this is not correct, as it uses 32bit longs but 64bit times.
+
+Also the 'struct stat' implementation of nolibc relies on timespec::tv_sec
+and time_t being the same type. While timespec::tv_sec comes from the
+kernel and is of type __kernel_old_time_t, time_t is defined within nolibc.
+
+Switch to the __kernel_old_time_t to always get the correct type.
+
+Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
+Link: https://lore.kernel.org/r/20250712-nolibc-x32-v1-1-6d81cb798710@weissschuh.net
+Acked-by: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/include/nolibc/std.h | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tools/include/nolibc/std.h b/tools/include/nolibc/std.h
+index 933bc0be7e1c..a9d8b5b51f37 100644
+--- a/tools/include/nolibc/std.h
++++ b/tools/include/nolibc/std.h
+@@ -20,6 +20,8 @@
+
+ #include "stdint.h"
+
++#include <linux/types.h>
++
+ /* those are commonly provided by sys/types.h */
+ typedef unsigned int dev_t;
+ typedef unsigned long ino_t;
+@@ -31,6 +33,6 @@ typedef unsigned long nlink_t;
+ typedef signed long off_t;
+ typedef signed long blksize_t;
+ typedef signed long blkcnt_t;
+-typedef signed long time_t;
++typedef __kernel_old_time_t time_t;
+
+ #endif /* _NOLIBC_STD_H */
+--
+2.39.5
+
--- /dev/null
+From 53605390a9c25b31291736e2fcf9f94ef003374b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 12:18:15 -0400
+Subject: tracefs: Add d_delete to remove negative dentries
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+[ Upstream commit d9b13cdad80dc11d74408cf201939a946e9303a6 ]
+
+If a lookup in tracefs is done on a file that does not exist, it leaves a
+dentry hanging around until memory pressure removes it. But eventfs
+dentries should hang around as when their ref count goes to zero, it
+requires more work to recreate it. For the rest of the tracefs dentries,
+they hang around as their dentry is used as a descriptor for the tracing
+system. But if a file lookup happens for a file in tracefs that does not
+exist, it should be deleted.
+
+Add a .d_delete callback that checks if dentry->fsdata is set or not. Only
+eventfs dentries set fsdata so if it has content it should not be deleted
+and should hang around in the cache.
+
+Reported-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/tracefs/inode.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/fs/tracefs/inode.c b/fs/tracefs/inode.c
+index 7d389dd5ed51..6b70965063d7 100644
+--- a/fs/tracefs/inode.c
++++ b/fs/tracefs/inode.c
+@@ -483,9 +483,20 @@ static int tracefs_d_revalidate(struct dentry *dentry, unsigned int flags)
+ return !(ei && ei->is_freed);
+ }
+
++static int tracefs_d_delete(const struct dentry *dentry)
++{
++ /*
++ * We want to keep eventfs dentries around but not tracefs
++ * ones. eventfs dentries have content in d_fsdata.
++ * Use d_fsdata to determine if it's a eventfs dentry or not.
++ */
++ return dentry->d_fsdata == NULL;
++}
++
+ static const struct dentry_operations tracefs_dentry_operations = {
+ .d_revalidate = tracefs_d_revalidate,
+ .d_release = tracefs_d_release,
++ .d_delete = tracefs_d_delete,
+ };
+
+ static int trace_fill_super(struct super_block *sb, void *data, int silent)
+--
+2.39.5
+
--- /dev/null
+From b471dfbb9d2c9136cbee619d0161a6cdb5565104 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jun 2025 07:39:33 -0700
+Subject: uapi: in6: restore visibility of most IPv6 socket options
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 31557b3487b349464daf42bc4366153743c1e727 ]
+
+A decade ago commit 6d08acd2d32e ("in6: fix conflict with glibc")
+hid the definitions of IPV6 options, because GCC was complaining
+about duplicates. The commit did not list the warnings seen, but
+trying to recreate them now I think they are (building iproute2):
+
+In file included from ./include/uapi/rdma/rdma_user_cm.h:39,
+ from rdma.h:16,
+ from res.h:9,
+ from res-ctx.c:7:
+../include/uapi/linux/in6.h:171:9: warning: ‘IPV6_ADD_MEMBERSHIP’ redefined
+ 171 | #define IPV6_ADD_MEMBERSHIP 20
+ | ^~~~~~~~~~~~~~~~~~~
+In file included from /usr/include/netinet/in.h:37,
+ from rdma.h:13:
+/usr/include/bits/in.h:233:10: note: this is the location of the previous definition
+ 233 | # define IPV6_ADD_MEMBERSHIP IPV6_JOIN_GROUP
+ | ^~~~~~~~~~~~~~~~~~~
+../include/uapi/linux/in6.h:172:9: warning: ‘IPV6_DROP_MEMBERSHIP’ redefined
+ 172 | #define IPV6_DROP_MEMBERSHIP 21
+ | ^~~~~~~~~~~~~~~~~~~~
+/usr/include/bits/in.h:234:10: note: this is the location of the previous definition
+ 234 | # define IPV6_DROP_MEMBERSHIP IPV6_LEAVE_GROUP
+ | ^~~~~~~~~~~~~~~~~~~~
+
+Compilers don't complain about redefinition if the defines
+are identical, but here we have the kernel using the literal
+value, and glibc using an indirection (defining to a name
+of another define, with the same numerical value).
+
+Problem is, the commit in question hid all the IPV6 socket
+options, and glibc has a pretty sparse list. For instance
+it lacks Flow Label related options. Willem called this out
+in commit 3fb321fde22d ("selftests/net: ipv6 flowlabel"):
+
+ /* uapi/glibc weirdness may leave this undefined */
+ #ifndef IPV6_FLOWINFO
+ #define IPV6_FLOWINFO 11
+ #endif
+
+More interestingly some applications (socat) use
+a #ifdef IPV6_FLOWINFO to gate compilation of thier
+rudimentary flow label support. (For added confusion
+socat misspells it as IPV4_FLOWINFO in some places.)
+
+Hide only the two defines we know glibc has a problem
+with. If we discover more warnings we can hide more
+but we should avoid covering the entire block of
+defines for "IPV6 socket options".
+
+Link: https://patch.msgid.link/20250609143933.1654417-1-kuba@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/in6.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/uapi/linux/in6.h b/include/uapi/linux/in6.h
+index ff8d21f9e95b..5a47339ef7d7 100644
+--- a/include/uapi/linux/in6.h
++++ b/include/uapi/linux/in6.h
+@@ -152,7 +152,6 @@ struct in6_flowlabel_req {
+ /*
+ * IPV6 socket options
+ */
+-#if __UAPI_DEF_IPV6_OPTIONS
+ #define IPV6_ADDRFORM 1
+ #define IPV6_2292PKTINFO 2
+ #define IPV6_2292HOPOPTS 3
+@@ -169,8 +168,10 @@ struct in6_flowlabel_req {
+ #define IPV6_MULTICAST_IF 17
+ #define IPV6_MULTICAST_HOPS 18
+ #define IPV6_MULTICAST_LOOP 19
++#if __UAPI_DEF_IPV6_OPTIONS
+ #define IPV6_ADD_MEMBERSHIP 20
+ #define IPV6_DROP_MEMBERSHIP 21
++#endif
+ #define IPV6_ROUTER_ALERT 22
+ #define IPV6_MTU_DISCOVER 23
+ #define IPV6_MTU 24
+@@ -203,7 +204,6 @@ struct in6_flowlabel_req {
+ #define IPV6_IPSEC_POLICY 34
+ #define IPV6_XFRM_POLICY 35
+ #define IPV6_HDRINCL 36
+-#endif
+
+ /*
+ * Multicast:
+--
+2.39.5
+
--- /dev/null
+From 7a90560f63beb18da982671c2fcaf97aa95f819c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Jul 2025 19:01:20 +0200
+Subject: udf: Verify partition map count
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit 1a11201668e8635602577dcf06f2e96c591d8819 ]
+
+Verify that number of partition maps isn't insanely high which can lead
+to large allocation in udf_sb_alloc_partition_maps(). All partition maps
+have to fit in the LVD which is in a single block.
+
+Reported-by: syzbot+478f2c1a6f0f447a46bb@syzkaller.appspotmail.com
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/udf/super.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/fs/udf/super.c b/fs/udf/super.c
+index 20dff9ed2471..cb13a07a4aa8 100644
+--- a/fs/udf/super.c
++++ b/fs/udf/super.c
+@@ -1409,7 +1409,7 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block,
+ struct genericPartitionMap *gpm;
+ uint16_t ident;
+ struct buffer_head *bh;
+- unsigned int table_len;
++ unsigned int table_len, part_map_count;
+ int ret;
+
+ bh = udf_read_tagged(sb, block, block, &ident);
+@@ -1430,7 +1430,16 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block,
+ "logical volume");
+ if (ret)
+ goto out_bh;
+- ret = udf_sb_alloc_partition_maps(sb, le32_to_cpu(lvd->numPartitionMaps));
++
++ part_map_count = le32_to_cpu(lvd->numPartitionMaps);
++ if (part_map_count > table_len / sizeof(struct genericPartitionMap1)) {
++ udf_err(sb, "error loading logical volume descriptor: "
++ "Too many partition maps (%u > %u)\n", part_map_count,
++ table_len / (unsigned)sizeof(struct genericPartitionMap1));
++ ret = -EIO;
++ goto out_bh;
++ }
++ ret = udf_sb_alloc_partition_maps(sb, part_map_count);
+ if (ret)
+ goto out_bh;
+
+--
+2.39.5
+
--- /dev/null
+From d531b826527f086530fb4e4e5d9897b252c2f450 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jul 2025 14:34:47 +0200
+Subject: um: Re-evaluate thread flags repeatedly
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
+
+[ Upstream commit b9e2f2246eb2b5617d53af7b5e4e1b8c916f26a8 ]
+
+The thread flags may change during their processing.
+For example a task_work can queue a new signal to be sent.
+This signal should be delivered before returning to usespace again.
+
+Evaluate the flags repeatedly similar to other architectures.
+
+Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
+Reviewed-by: Nam Cao <namcao@linutronix.de>
+Link: https://patch.msgid.link/20250704-uml-thread_flags-v1-1-0e293fd8d627@linutronix.de
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/um/include/asm/thread_info.h | 4 ++++
+ arch/um/kernel/process.c | 20 ++++++++++++--------
+ 2 files changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/arch/um/include/asm/thread_info.h b/arch/um/include/asm/thread_info.h
+index c7b4b49826a2..40d823f36c09 100644
+--- a/arch/um/include/asm/thread_info.h
++++ b/arch/um/include/asm/thread_info.h
+@@ -68,7 +68,11 @@ static inline struct thread_info *current_thread_info(void)
+ #define _TIF_NOTIFY_SIGNAL (1 << TIF_NOTIFY_SIGNAL)
+ #define _TIF_MEMDIE (1 << TIF_MEMDIE)
+ #define _TIF_SYSCALL_AUDIT (1 << TIF_SYSCALL_AUDIT)
++#define _TIF_NOTIFY_RESUME (1 << TIF_NOTIFY_RESUME)
+ #define _TIF_SECCOMP (1 << TIF_SECCOMP)
+ #define _TIF_SINGLESTEP (1 << TIF_SINGLESTEP)
+
++#define _TIF_WORK_MASK (_TIF_NEED_RESCHED | _TIF_SIGPENDING | _TIF_NOTIFY_SIGNAL | \
++ _TIF_NOTIFY_RESUME)
++
+ #endif
+diff --git a/arch/um/kernel/process.c b/arch/um/kernel/process.c
+index afe67d816146..e7fbf610bda8 100644
+--- a/arch/um/kernel/process.c
++++ b/arch/um/kernel/process.c
+@@ -98,14 +98,18 @@ void *__switch_to(struct task_struct *from, struct task_struct *to)
+ void interrupt_end(void)
+ {
+ struct pt_regs *regs = ¤t->thread.regs;
+-
+- if (need_resched())
+- schedule();
+- if (test_thread_flag(TIF_SIGPENDING) ||
+- test_thread_flag(TIF_NOTIFY_SIGNAL))
+- do_signal(regs);
+- if (test_thread_flag(TIF_NOTIFY_RESUME))
+- resume_user_mode_work(regs);
++ unsigned long thread_flags;
++
++ thread_flags = read_thread_flags();
++ while (thread_flags & _TIF_WORK_MASK) {
++ if (thread_flags & _TIF_NEED_RESCHED)
++ schedule();
++ if (thread_flags & (_TIF_SIGPENDING | _TIF_NOTIFY_SIGNAL))
++ do_signal(regs);
++ if (thread_flags & _TIF_NOTIFY_RESUME)
++ resume_user_mode_work(regs);
++ thread_flags = read_thread_flags();
++ }
+ }
+
+ int get_current_pid(void)
+--
+2.39.5
+
--- /dev/null
+From 2e44efd27b475a9f3ac9ad5af8abd589813316ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jun 2025 14:20:25 +0200
+Subject: usb: core: usb_submit_urb: downgrade type check
+
+From: Oliver Neukum <oneukum@suse.com>
+
+[ Upstream commit 503bbde34cc3dd2acd231f277ba70c3f9ed22e59 ]
+
+Checking for the endpoint type is no reason for a WARN, as that can
+cause a reboot. A driver not checking the endpoint type must not cause a
+reboot, as there is just no point in this. We cannot prevent a device
+from doing something incorrect as a reaction to a transfer. Hence
+warning for a mere assumption being wrong is not sensible.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/r/20250612122149.2559724-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/core/urb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/core/urb.c b/drivers/usb/core/urb.c
+index 7576920e2d5a..9f202f575cec 100644
+--- a/drivers/usb/core/urb.c
++++ b/drivers/usb/core/urb.c
+@@ -500,7 +500,7 @@ int usb_submit_urb(struct urb *urb, gfp_t mem_flags)
+
+ /* Check that the pipe's type matches the endpoint's type */
+ if (usb_pipe_type_check(urb->dev, urb->pipe))
+- dev_WARN(&dev->dev, "BOGUS urb xfer, pipe %x != type %x\n",
++ dev_warn_once(&dev->dev, "BOGUS urb xfer, pipe %x != type %x\n",
+ usb_pipetype(urb->pipe), pipetypes[xfertype]);
+
+ /* Check against a simple/standard policy */
+--
+2.39.5
+
--- /dev/null
+From 15a6f15158cc6bba410c23fc365f0f227805301f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 17:40:58 +0200
+Subject: usb: typec: intel_pmc_mux: Defer probe if SCU IPC isn't present
+
+From: Tomasz Michalec <tmichalec@google.com>
+
+[ Upstream commit df9a825f330e76c72d1985bc9bdc4b8981e3d15f ]
+
+If pmc_usb_probe is called before SCU IPC is registered, pmc_usb_probe
+will fail.
+
+Return -EPROBE_DEFER when pmc_usb_probe doesn't get SCU IPC device, so
+the probe function can be called again after SCU IPC is initialized.
+
+Signed-off-by: Tomasz Michalec <tmichalec@google.com>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20250610154058.1859812-1-tmichalec@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/typec/mux/intel_pmc_mux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/typec/mux/intel_pmc_mux.c b/drivers/usb/typec/mux/intel_pmc_mux.c
+index 60ed1f809130..a174ff7a9abd 100644
+--- a/drivers/usb/typec/mux/intel_pmc_mux.c
++++ b/drivers/usb/typec/mux/intel_pmc_mux.c
+@@ -730,7 +730,7 @@ static int pmc_usb_probe(struct platform_device *pdev)
+
+ pmc->ipc = devm_intel_scu_ipc_dev_get(&pdev->dev);
+ if (!pmc->ipc)
+- return -ENODEV;
++ return -EPROBE_DEFER;
+
+ pmc->dev = &pdev->dev;
+
+--
+2.39.5
+
--- /dev/null
+From 073853a909344f1f9e20b3b9a20dc9427be3dac8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 20:08:05 +0000
+Subject: usb: typec: ucsi: psy: Set current max to 100mA for BC 1.2 and
+ Default
+
+From: Benson Leung <bleung@chromium.org>
+
+[ Upstream commit af833e7f7db3cf4c82f063668e1b52297a30ec18 ]
+
+ucsi_psy_get_current_max would return 0mA as the maximum current if
+UCSI detected a BC or a Default USB Power sporce.
+
+The comment in this function is true that we can't tell the difference
+between DCP/CDP or SDP chargers, but we can guarantee that at least 1-unit
+of USB 1.1/2.0 power is available, which is 100mA, which is a better
+fallback value than 0, which causes some userspaces, including the ChromeOS
+power manager, to regard this as a power source that is not providing
+any power.
+
+In reality, 100mA is guaranteed from all sources in these classes.
+
+Signed-off-by: Benson Leung <bleung@chromium.org>
+Reviewed-by: Jameson Thies <jthies@google.com>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Link: https://lore.kernel.org/r/20250717200805.3710473-1-bleung@chromium.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/typec/ucsi/psy.c | 2 +-
+ drivers/usb/typec/ucsi/ucsi.h | 7 ++++---
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/usb/typec/ucsi/psy.c b/drivers/usb/typec/ucsi/psy.c
+index b35c6e07911e..9b0157063df0 100644
+--- a/drivers/usb/typec/ucsi/psy.c
++++ b/drivers/usb/typec/ucsi/psy.c
+@@ -163,7 +163,7 @@ static int ucsi_psy_get_current_max(struct ucsi_connector *con,
+ case UCSI_CONSTAT_PWR_OPMODE_DEFAULT:
+ /* UCSI can't tell b/w DCP/CDP or USB2/3x1/3x2 SDP chargers */
+ default:
+- val->intval = 0;
++ val->intval = UCSI_TYPEC_DEFAULT_CURRENT * 1000;
+ break;
+ }
+ return 0;
+diff --git a/drivers/usb/typec/ucsi/ucsi.h b/drivers/usb/typec/ucsi/ucsi.h
+index 7706f4e95125..51e745117dcb 100644
+--- a/drivers/usb/typec/ucsi/ucsi.h
++++ b/drivers/usb/typec/ucsi/ucsi.h
+@@ -340,9 +340,10 @@ struct ucsi {
+ #define UCSI_MAX_SVID 5
+ #define UCSI_MAX_ALTMODES (UCSI_MAX_SVID * 6)
+
+-#define UCSI_TYPEC_VSAFE5V 5000
+-#define UCSI_TYPEC_1_5_CURRENT 1500
+-#define UCSI_TYPEC_3_0_CURRENT 3000
++#define UCSI_TYPEC_VSAFE5V 5000
++#define UCSI_TYPEC_DEFAULT_CURRENT 100
++#define UCSI_TYPEC_1_5_CURRENT 1500
++#define UCSI_TYPEC_3_0_CURRENT 3000
+
+ struct ucsi_connector {
+ int num;
+--
+2.39.5
+
--- /dev/null
+From a5489d25a7a6602bd6995d40eb81885c43b169b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 10:31:05 +0300
+Subject: usb: xhci: Avoid showing errors during surprise removal
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit 4b9c60e440525b729ac5f071e00bcee12e0a7e84 ]
+
+When a USB4 dock is unplugged from a system it won't respond to ring
+events. The PCI core handles the surprise removal event and notifies
+all PCI drivers. The XHCI PCI driver sets a flag that the device is
+being removed as well.
+
+When that flag is set don't show messages in the cleanup path for
+marking the controller dead.
+
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20250717073107.488599-2-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci-ring.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
+index c6d89b51c678..2a74a47a1c76 100644
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -1338,12 +1338,15 @@ static void xhci_kill_endpoint_urbs(struct xhci_hcd *xhci,
+ */
+ void xhci_hc_died(struct xhci_hcd *xhci)
+ {
++ bool notify;
+ int i, j;
+
+ if (xhci->xhc_state & XHCI_STATE_DYING)
+ return;
+
+- xhci_err(xhci, "xHCI host controller not responding, assume dead\n");
++ notify = !(xhci->xhc_state & XHCI_STATE_REMOVING);
++ if (notify)
++ xhci_err(xhci, "xHCI host controller not responding, assume dead\n");
+ xhci->xhc_state |= XHCI_STATE_DYING;
+
+ xhci_cleanup_command_queue(xhci);
+@@ -1357,7 +1360,7 @@ void xhci_hc_died(struct xhci_hcd *xhci)
+ }
+
+ /* inform usb core hc died if PCI remove isn't already handling it */
+- if (!(xhci->xhc_state & XHCI_STATE_REMOVING))
++ if (notify)
+ usb_hc_died(xhci_to_hcd(xhci));
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 1cb7c152604dcfc6acd04a05957fcc3b6d0a4c93 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 10:31:06 +0300
+Subject: usb: xhci: Avoid showing warnings for dying controller
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit 65fc0fc137b5da3ee1f4ca4f61050fcb203d7582 ]
+
+When a USB4 dock is unplugged from a system it won't respond to ring
+events. The PCI core handles the surprise removal event and notifies
+all PCI drivers. The XHCI PCI driver sets a flag that the device is
+being removed, and when the device stops responding a flag is also
+added to indicate it's dying.
+
+When that flag is set don't bother to show warnings about a missing
+controller.
+
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20250717073107.488599-3-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
+index ce38cd2435c8..f5e170fe5f79 100644
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -119,7 +119,8 @@ int xhci_halt(struct xhci_hcd *xhci)
+ ret = xhci_handshake(&xhci->op_regs->status,
+ STS_HALT, STS_HALT, XHCI_MAX_HALT_USEC);
+ if (ret) {
+- xhci_warn(xhci, "Host halt failed, %d\n", ret);
++ if (!(xhci->xhc_state & XHCI_STATE_DYING))
++ xhci_warn(xhci, "Host halt failed, %d\n", ret);
+ return ret;
+ }
+
+@@ -178,7 +179,8 @@ int xhci_reset(struct xhci_hcd *xhci, u64 timeout_us)
+ state = readl(&xhci->op_regs->status);
+
+ if (state == ~(u32)0) {
+- xhci_warn(xhci, "Host not accessible, reset failed.\n");
++ if (!(xhci->xhc_state & XHCI_STATE_DYING))
++ xhci_warn(xhci, "Host not accessible, reset failed.\n");
+ return -ENODEV;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From d88f3f92e6b7d3c9f97931ffabbad28e235ce0ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Jul 2025 14:01:18 +0800
+Subject: usb: xhci: print xhci->xhc_state when queue_command failed
+
+From: Su Hui <suhui@nfschina.com>
+
+[ Upstream commit 7919407eca2ef562fa6c98c41cfdf6f6cdd69d92 ]
+
+When encounters some errors like these:
+xhci_hcd 0000:4a:00.2: xHCI dying or halted, can't queue_command
+xhci_hcd 0000:4a:00.2: FIXME: allocate a command ring segment
+usb usb5-port6: couldn't allocate usb_device
+
+It's hard to know whether xhc_state is dying or halted. So it's better
+to print xhc_state's value which can help locate the resaon of the bug.
+
+Signed-off-by: Su Hui <suhui@nfschina.com>
+Link: https://lore.kernel.org/r/20250725060117.1773770-1-suhui@nfschina.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci-ring.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
+index 44352df58c9e..c6d89b51c678 100644
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -4454,7 +4454,8 @@ static int queue_command(struct xhci_hcd *xhci, struct xhci_command *cmd,
+
+ if ((xhci->xhc_state & XHCI_STATE_DYING) ||
+ (xhci->xhc_state & XHCI_STATE_HALTED)) {
+- xhci_dbg(xhci, "xHCI dying or halted, can't queue_command\n");
++ xhci_dbg(xhci, "xHCI dying or halted, can't queue_command. state: 0x%x\n",
++ xhci->xhc_state);
+ return -ESHUTDOWN;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 7a4f6dda3b9a338257d7b0afffca626500e8f7e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 10:31:07 +0300
+Subject: usb: xhci: Set avg_trb_len = 8 for EP0 during Address Device Command
+
+From: Jay Chen <shawn2000100@gmail.com>
+
+[ Upstream commit f72b9aa821a2bfe4b6dfec4be19f264d0673b008 ]
+
+There is a subtle contradiction between sections of the xHCI 1.2 spec
+regarding the initialization of Input Endpoint Context fields. Section
+4.8.2 ("Endpoint Context Initialization") states that all fields should
+be initialized to 0. However, Section 6.2.3 ("Endpoint Context", p.453)
+specifies that the Average TRB Length (avg_trb_len) field shall be
+greater than 0, and explicitly notes (p.454): "Software shall set
+Average TRB Length to '8' for control endpoints."
+
+Strictly setting all fields to 0 during initialization conflicts with
+the specific recommendation for control endpoints. In practice, setting
+avg_trb_len = 0 is not meaningful for the hardware/firmware, as the
+value is used for bandwidth calculation.
+
+Motivation: Our company is developing a custom Virtual xHC hardware
+platform that strictly follows the xHCI spec and its recommendations.
+During validation, we observed that enumeration fails and a parameter
+error (TRB Completion Code = 5) is reported if avg_trb_len for EP0 is
+not set to 8 as recommended by Section 6.2.3. This demonstrates the
+importance of assigning a meaningful, non-zero value to avg_trb_len,
+even in virtualized or emulated environments.
+
+This patch explicitly sets avg_trb_len to 8 for EP0 in
+xhci_setup_addressable_virt_dev(), as recommended in Section 6.2.3, to
+prevent potential issues with xHCI host controllers that enforce the
+spec strictly.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=220033
+Signed-off-by: Jay Chen <shawn2000100@gmail.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20250717073107.488599-4-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci-mem.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
+index cceb69d4f61e..b51464eeac46 100644
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -1182,6 +1182,8 @@ int xhci_setup_addressable_virt_dev(struct xhci_hcd *xhci, struct usb_device *ud
+ ep0_ctx->deq = cpu_to_le64(dev->eps[0].ring->first_seg->dma |
+ dev->eps[0].ring->cycle_state);
+
++ ep0_ctx->tx_info = cpu_to_le32(EP_AVG_TRB_LENGTH(8));
++
+ trace_xhci_setup_addressable_virt_device(dev);
+
+ /* Steps 7 and 8 were done in xhci_alloc_virt_device() */
+--
+2.39.5
+
--- /dev/null
+From 6dc30020087d021a5b521b92000a11361d487e50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 14:40:17 +0000
+Subject: vfio/mlx5: fix possible overflow in tracking max message size
+
+From: Artem Sadovnikov <a.sadovnikov@ispras.ru>
+
+[ Upstream commit b3060198483bac43ec113c62ae3837076f61f5de ]
+
+MLX cap pg_track_log_max_msg_size consists of 5 bits, value of which is
+used as power of 2 for max_msg_size. This can lead to multiplication
+overflow between max_msg_size (u32) and integer constant, and afterwards
+incorrect value is being written to rq_size.
+
+Fix this issue by extending integer constant to u64 type.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Suggested-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Artem Sadovnikov <a.sadovnikov@ispras.ru>
+Reviewed-by: Yishai Hadas <yishaih@nvidia.com>
+Link: https://lore.kernel.org/r/20250701144017.2410-2-a.sadovnikov@ispras.ru
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/pci/mlx5/cmd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/vfio/pci/mlx5/cmd.c b/drivers/vfio/pci/mlx5/cmd.c
+index 2d996c913ecd..82558fa7712e 100644
+--- a/drivers/vfio/pci/mlx5/cmd.c
++++ b/drivers/vfio/pci/mlx5/cmd.c
+@@ -1389,8 +1389,8 @@ int mlx5vf_start_page_tracker(struct vfio_device *vdev,
+ log_max_msg_size = MLX5_CAP_ADV_VIRTUALIZATION(mdev, pg_track_log_max_msg_size);
+ max_msg_size = (1ULL << log_max_msg_size);
+ /* The RQ must hold at least 4 WQEs/messages for successful QP creation */
+- if (rq_size < 4 * max_msg_size)
+- rq_size = 4 * max_msg_size;
++ if (rq_size < 4ULL * max_msg_size)
++ rq_size = 4ULL * max_msg_size;
+
+ memset(tracker, 0, sizeof(*tracker));
+ tracker->uar = mlx5_get_uars_page(mdev);
+--
+2.39.5
+
--- /dev/null
+From 4f5af4437cf5a62b705437f0c4c75525cfd79f19 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jul 2025 11:46:22 -0700
+Subject: vfio/type1: conditional rescheduling while pinning
+
+From: Keith Busch <kbusch@kernel.org>
+
+[ Upstream commit b1779e4f209c7ff7e32f3c79d69bca4e3a3a68b6 ]
+
+A large DMA mapping request can loop through dma address pinning for
+many pages. In cases where THP can not be used, the repeated vmf_insert_pfn can
+be costly, so let the task reschedule as need to prevent CPU stalls. Failure to
+do so has potential harmful side effects, like increased memory pressure
+as unrelated rcu tasks are unable to make their reclaim callbacks and
+result in OOM conditions.
+
+ rcu: INFO: rcu_sched self-detected stall on CPU
+ rcu: 36-....: (20999 ticks this GP) idle=b01c/1/0x4000000000000000 softirq=35839/35839 fqs=3538
+ rcu: hardirqs softirqs csw/system
+ rcu: number: 0 107 0
+ rcu: cputime: 50 0 10446 ==> 10556(ms)
+ rcu: (t=21075 jiffies g=377761 q=204059 ncpus=384)
+...
+ <TASK>
+ ? asm_sysvec_apic_timer_interrupt+0x16/0x20
+ ? walk_system_ram_range+0x63/0x120
+ ? walk_system_ram_range+0x46/0x120
+ ? pgprot_writethrough+0x20/0x20
+ lookup_memtype+0x67/0xf0
+ track_pfn_insert+0x20/0x40
+ vmf_insert_pfn_prot+0x88/0x140
+ vfio_pci_mmap_huge_fault+0xf9/0x1b0 [vfio_pci_core]
+ __do_fault+0x28/0x1b0
+ handle_mm_fault+0xef1/0x2560
+ fixup_user_fault+0xf5/0x270
+ vaddr_get_pfns+0x169/0x2f0 [vfio_iommu_type1]
+ vfio_pin_pages_remote+0x162/0x8e0 [vfio_iommu_type1]
+ vfio_iommu_type1_ioctl+0x1121/0x1810 [vfio_iommu_type1]
+ ? futex_wake+0x1c1/0x260
+ x64_sys_call+0x234/0x17a0
+ do_syscall_64+0x63/0x130
+ ? exc_page_fault+0x63/0x130
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Reviewed-by: Paul E. McKenney <paulmck@kernel.org>
+Link: https://lore.kernel.org/r/20250715184622.3561598-1-kbusch@meta.com
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/vfio_iommu_type1.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c
+index 5fe7aed3672e..f63f116b9cd0 100644
+--- a/drivers/vfio/vfio_iommu_type1.c
++++ b/drivers/vfio/vfio_iommu_type1.c
+@@ -635,6 +635,13 @@ static long vfio_pin_pages_remote(struct vfio_dma *dma, unsigned long vaddr,
+
+ while (npage) {
+ if (!batch->size) {
++ /*
++ * Large mappings may take a while to repeatedly refill
++ * the batch, so conditionally relinquish the CPU when
++ * needed to avoid stalls.
++ */
++ cond_resched();
++
+ /* Empty batch, so refill it. */
+ long req_pages = min_t(long, npage, batch->capacity);
+
+--
+2.39.5
+
--- /dev/null
+From 61b2443964e55c59b8f37a36b30b75b6ccfd6d61 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Jul 2025 16:47:53 +0800
+Subject: vhost: fail early when __vhost_add_used() fails
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jason Wang <jasowang@redhat.com>
+
+[ Upstream commit b4ba1207d45adaafa2982c035898b36af2d3e518 ]
+
+This patch fails vhost_add_used_n() early when __vhost_add_used()
+fails to make sure used idx is not updated with stale used ring
+information.
+
+Reported-by: Eugenio Pérez <eperezma@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Message-Id: <20250714084755.11921-2-jasowang@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Tested-by: Lei Yang <leiyang@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vhost/vhost.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
+index d0238bd741b0..147cfb64bba2 100644
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -2770,6 +2770,9 @@ int vhost_add_used_n(struct vhost_virtqueue *vq, struct vring_used_elem *heads,
+ }
+ r = __vhost_add_used_n(vq, heads, count);
+
++ if (r < 0)
++ return r;
++
+ /* Make sure buffer is written before we update index. */
+ smp_wmb();
+ if (vhost_put_used_idx(vq)) {
+--
+2.39.5
+
--- /dev/null
+From 443ec5593f28f0ff9f7876374e25af43a2d005e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 10:01:11 +0100
+Subject: vsock/virtio: Resize receive buffers so that each SKB fits in a 4K
+ page
+
+From: Will Deacon <will@kernel.org>
+
+[ Upstream commit 03a92f036a04fed2b00d69f5f46f1a486e70dc5c ]
+
+When allocating receive buffers for the vsock virtio RX virtqueue, an
+SKB is allocated with a 4140 data payload (the 44-byte packet header +
+VIRTIO_VSOCK_DEFAULT_RX_BUF_SIZE). Even when factoring in the SKB
+overhead, the resulting 8KiB allocation thanks to the rounding in
+kmalloc_reserve() is wasteful (~3700 unusable bytes) and results in a
+higher-order page allocation on systems with 4KiB pages just for the
+sake of a few hundred bytes of packet data.
+
+Limit the vsock virtio RX buffers to 4KiB per SKB, resulting in much
+better memory utilisation and removing the need to allocate higher-order
+pages entirely.
+
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Message-Id: <20250717090116.11987-5-will@kernel.org>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/virtio_vsock.h | 7 ++++++-
+ net/vmw_vsock/virtio_transport.c | 2 +-
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/virtio_vsock.h b/include/linux/virtio_vsock.h
+index fbf30721bac9..5148b035a8f3 100644
+--- a/include/linux/virtio_vsock.h
++++ b/include/linux/virtio_vsock.h
+@@ -110,7 +110,12 @@ static inline size_t virtio_vsock_skb_len(struct sk_buff *skb)
+ return (size_t)(skb_end_pointer(skb) - skb->head);
+ }
+
+-#define VIRTIO_VSOCK_DEFAULT_RX_BUF_SIZE (1024 * 4)
++/* Dimension the RX SKB so that the entire thing fits exactly into
++ * a single 4KiB page. This avoids wasting memory due to alloc_skb()
++ * rounding up to the next page order and also means that we
++ * don't leave higher-order pages sitting around in the RX queue.
++ */
++#define VIRTIO_VSOCK_DEFAULT_RX_BUF_SIZE SKB_WITH_OVERHEAD(1024 * 4)
+ #define VIRTIO_VSOCK_MAX_BUF_SIZE 0xFFFFFFFFUL
+ #define VIRTIO_VSOCK_MAX_PKT_BUF_SIZE (1024 * 64)
+
+diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transport.c
+index 2925f5d27ad3..51d51c67922b 100644
+--- a/net/vmw_vsock/virtio_transport.c
++++ b/net/vmw_vsock/virtio_transport.c
+@@ -221,7 +221,7 @@ virtio_transport_cancel_pkt(struct vsock_sock *vsk)
+
+ static void virtio_vsock_rx_fill(struct virtio_vsock *vsock)
+ {
+- int total_len = VIRTIO_VSOCK_DEFAULT_RX_BUF_SIZE + VIRTIO_VSOCK_SKB_HEADROOM;
++ int total_len = VIRTIO_VSOCK_DEFAULT_RX_BUF_SIZE;
+ struct scatterlist pkt, *p;
+ struct virtqueue *vq;
+ struct sk_buff *skb;
+--
+2.39.5
+
--- /dev/null
+From 68ca276bb0c97e8ef78239b9ab0a6ef45003f300 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Jul 2025 18:55:02 +0200
+Subject: watchdog: dw_wdt: Fix default timeout
+
+From: Sebastian Reichel <sebastian.reichel@collabora.com>
+
+[ Upstream commit ac3dbb91e0167d017f44701dd51c1efe30d0c256 ]
+
+The Synopsys Watchdog driver sets the default timeout to 30 seconds,
+but on some devices this is not a valid timeout. E.g. on RK3588 the
+actual timeout being used is 44 seconds instead.
+
+Once the watchdog is started the value is updated accordingly, but
+it would be better to expose a sensible timeout to userspace without
+the need to first start the watchdog.
+
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20250717-dw-wdt-fix-initial-timeout-v1-1-86dc864d48dd@kernel.org
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/watchdog/dw_wdt.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/watchdog/dw_wdt.c b/drivers/watchdog/dw_wdt.c
+index 84dca3695f86..e5e6d7f15918 100644
+--- a/drivers/watchdog/dw_wdt.c
++++ b/drivers/watchdog/dw_wdt.c
+@@ -644,6 +644,8 @@ static int dw_wdt_drv_probe(struct platform_device *pdev)
+ } else {
+ wdd->timeout = DW_WDT_DEFAULT_SECONDS;
+ watchdog_init_timeout(wdd, 0, dev);
++ /* Limit timeout value to hardware constraints. */
++ dw_wdt_set_timeout(wdd, wdd->timeout);
+ }
+
+ platform_set_drvdata(pdev, dw_wdt);
+--
+2.39.5
+
--- /dev/null
+From 19728745d96089b24cbc7bf44f052616e5f3387e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Jul 2025 15:35:18 +0800
+Subject: watchdog: iTCO_wdt: Report error if timeout configuration fails
+
+From: Ziyan Fu <fuzy5@lenovo.com>
+
+[ Upstream commit 40efc43eb7ffb5a4e2f998c13b8cfb555e671b92 ]
+
+The driver probes with the invalid timeout value when
+'iTCO_wdt_set_timeout()' fails, as its return value is not checked. In
+this case, when executing "wdctl", we may get:
+
+Device: /dev/watchdog0
+Timeout: 30 seconds
+Timeleft: 613 seconds
+
+The timeout value is the value of "heartbeat" or "WATCHDOG_TIMEOUT", and
+the timeleft value is calculated from the register value we actually read
+(0xffff) by masking with 0x3ff and converting ticks to seconds (* 6 / 10).
+
+Add error handling to return the failure code if 'iTCO_wdt_set_timeout()'
+fails, ensuring the driver probe fails and prevents invalid operation.
+
+Signed-off-by: Ziyan Fu <fuzy5@lenovo.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20250704073518.7838-1-13281011316@163.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/watchdog/iTCO_wdt.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/watchdog/iTCO_wdt.c b/drivers/watchdog/iTCO_wdt.c
+index dd297dcd524c..68973be2ce62 100644
+--- a/drivers/watchdog/iTCO_wdt.c
++++ b/drivers/watchdog/iTCO_wdt.c
+@@ -601,7 +601,11 @@ static int iTCO_wdt_probe(struct platform_device *pdev)
+ /* Check that the heartbeat value is within it's range;
+ if not reset to the default */
+ if (iTCO_wdt_set_timeout(&p->wddev, heartbeat)) {
+- iTCO_wdt_set_timeout(&p->wddev, WATCHDOG_TIMEOUT);
++ ret = iTCO_wdt_set_timeout(&p->wddev, WATCHDOG_TIMEOUT);
++ if (ret != 0) {
++ dev_err(dev, "Failed to set watchdog timeout (%d)\n", WATCHDOG_TIMEOUT);
++ return ret;
++ }
+ dev_info(dev, "timeout value out of range, using %d\n",
+ WATCHDOG_TIMEOUT);
+ }
+--
+2.39.5
+
--- /dev/null
+From 4f2bd11910934d17bccfcbdf109378f178e1759b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jul 2025 16:06:39 -0700
+Subject: watchdog: sbsa: Adjust keepalive timeout to avoid MediaTek WS0 race
+ condition
+
+From: Aaron Plattner <aplattner@nvidia.com>
+
+[ Upstream commit 48defdf6b083f74a44e1f742db284960d3444aec ]
+
+The MediaTek implementation of the sbsa_gwdt watchdog has a race
+condition where a write to SBSA_GWDT_WRR is ignored if it occurs while
+the hardware is processing a timeout refresh that asserts WS0.
+
+Detect this based on the hardware implementer and adjust
+wdd->min_hw_heartbeat_ms to avoid the race by forcing the keepalive ping
+to be one second later.
+
+Signed-off-by: Aaron Plattner <aplattner@nvidia.com>
+Acked-by: Timur Tabi <ttabi@nvidia.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20250721230640.2244915-1-aplattner@nvidia.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/watchdog/sbsa_gwdt.c | 50 +++++++++++++++++++++++++++++++++---
+ 1 file changed, 47 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/watchdog/sbsa_gwdt.c b/drivers/watchdog/sbsa_gwdt.c
+index 5f23913ce3b4..6ce1bfb39064 100644
+--- a/drivers/watchdog/sbsa_gwdt.c
++++ b/drivers/watchdog/sbsa_gwdt.c
+@@ -75,11 +75,17 @@
+ #define SBSA_GWDT_VERSION_MASK 0xF
+ #define SBSA_GWDT_VERSION_SHIFT 16
+
++#define SBSA_GWDT_IMPL_MASK 0x7FF
++#define SBSA_GWDT_IMPL_SHIFT 0
++#define SBSA_GWDT_IMPL_MEDIATEK 0x426
++
+ /**
+ * struct sbsa_gwdt - Internal representation of the SBSA GWDT
+ * @wdd: kernel watchdog_device structure
+ * @clk: store the System Counter clock frequency, in Hz.
+ * @version: store the architecture version
++ * @need_ws0_race_workaround:
++ * indicate whether to adjust wdd->timeout to avoid a race with WS0
+ * @refresh_base: Virtual address of the watchdog refresh frame
+ * @control_base: Virtual address of the watchdog control frame
+ */
+@@ -87,6 +93,7 @@ struct sbsa_gwdt {
+ struct watchdog_device wdd;
+ u32 clk;
+ int version;
++ bool need_ws0_race_workaround;
+ void __iomem *refresh_base;
+ void __iomem *control_base;
+ };
+@@ -161,6 +168,31 @@ static int sbsa_gwdt_set_timeout(struct watchdog_device *wdd,
+ */
+ sbsa_gwdt_reg_write(((u64)gwdt->clk / 2) * timeout, gwdt);
+
++ /*
++ * Some watchdog hardware has a race condition where it will ignore
++ * sbsa_gwdt_keepalive() if it is called at the exact moment that a
++ * timeout occurs and WS0 is being asserted. Unfortunately, the default
++ * behavior of the watchdog core is very likely to trigger this race
++ * when action=0 because it programs WOR to be half of the desired
++ * timeout, and watchdog_next_keepalive() chooses the exact same time to
++ * send keepalive pings.
++ *
++ * This triggers a race where sbsa_gwdt_keepalive() can be called right
++ * as WS0 is being asserted, and affected hardware will ignore that
++ * write and continue to assert WS0. After another (timeout / 2)
++ * seconds, the same race happens again. If the driver wins then the
++ * explicit refresh will reset WS0 to false but if the hardware wins,
++ * then WS1 is asserted and the system resets.
++ *
++ * Avoid the problem by scheduling keepalive heartbeats one second later
++ * than the WOR timeout.
++ *
++ * This workaround might not be needed in a future revision of the
++ * hardware.
++ */
++ if (gwdt->need_ws0_race_workaround)
++ wdd->min_hw_heartbeat_ms = timeout * 500 + 1000;
++
+ return 0;
+ }
+
+@@ -202,12 +234,15 @@ static int sbsa_gwdt_keepalive(struct watchdog_device *wdd)
+ static void sbsa_gwdt_get_version(struct watchdog_device *wdd)
+ {
+ struct sbsa_gwdt *gwdt = watchdog_get_drvdata(wdd);
+- int ver;
++ int iidr, ver, impl;
+
+- ver = readl(gwdt->control_base + SBSA_GWDT_W_IIDR);
+- ver = (ver >> SBSA_GWDT_VERSION_SHIFT) & SBSA_GWDT_VERSION_MASK;
++ iidr = readl(gwdt->control_base + SBSA_GWDT_W_IIDR);
++ ver = (iidr >> SBSA_GWDT_VERSION_SHIFT) & SBSA_GWDT_VERSION_MASK;
++ impl = (iidr >> SBSA_GWDT_IMPL_SHIFT) & SBSA_GWDT_IMPL_MASK;
+
+ gwdt->version = ver;
++ gwdt->need_ws0_race_workaround =
++ !action && (impl == SBSA_GWDT_IMPL_MEDIATEK);
+ }
+
+ static int sbsa_gwdt_start(struct watchdog_device *wdd)
+@@ -299,6 +334,15 @@ static int sbsa_gwdt_probe(struct platform_device *pdev)
+ else
+ wdd->max_hw_heartbeat_ms = GENMASK_ULL(47, 0) / gwdt->clk * 1000;
+
++ if (gwdt->need_ws0_race_workaround) {
++ /*
++ * A timeout of 3 seconds means that WOR will be set to 1.5
++ * seconds and the heartbeat will be scheduled every 2.5
++ * seconds.
++ */
++ wdd->min_timeout = 3;
++ }
++
+ status = readl(cf_base + SBSA_GWDT_WCS);
+ if (status & SBSA_GWDT_WCS_WS1) {
+ dev_warn(dev, "System reset by WDT.\n");
+--
+2.39.5
+
--- /dev/null
+From 7051266c6596ce9f74b27fd7614764e59d909c5d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Jun 2025 12:05:12 +0530
+Subject: wifi: ath12k: Add memset and update default rate value in wmi tx
+ completion
+
+From: Sarika Sharma <quic_sarishar@quicinc.com>
+
+[ Upstream commit 9903c0986f782dfc511d7638b6f15fb6e8600cd3 ]
+
+When both AP/STA and monitor interfaces are enabled, ieee80211_tx_status()
+is invoked from two paths: the TX completion handler for data frames
+and the WMI TX completion handler for management frames.
+In the data path, the skb->cb is properly zeroed using memset, but in
+the WMI path, this step is missing.
+
+As a result, mac80211 encountered uninitialized (junk) values in
+skb->cb when generating the radiotap header for monitor mode, leading
+to invalid radiotap lengths.
+
+Hence, explicitly zero the status field in the skb->cb using memset
+in WMI TX completion path to ensure consistent and correct behavior
+during WMI tx completion path.
+
+Additionally, set info->status.rates[0].idx = -1 to indicate that
+no valid rate information is available, avoiding misinterpretation of
+garbage values.
+
+Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
+
+Signed-off-by: Sarika Sharma <quic_sarishar@quicinc.com>
+Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250603063512.1887652-1-quic_sarishar@quicinc.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath12k/wmi.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c
+index e918218ce2d6..7e400a0e0eb1 100644
+--- a/drivers/net/wireless/ath/ath12k/wmi.c
++++ b/drivers/net/wireless/ath/ath12k/wmi.c
+@@ -4965,6 +4965,11 @@ static int wmi_process_mgmt_tx_comp(struct ath12k *ar, u32 desc_id,
+ dma_unmap_single(ar->ab->dev, skb_cb->paddr, msdu->len, DMA_TO_DEVICE);
+
+ info = IEEE80211_SKB_CB(msdu);
++ memset(&info->status, 0, sizeof(info->status));
++
++ /* skip tx rate update from ieee80211_status*/
++ info->status.rates[0].idx = -1;
++
+ if ((!(info->flags & IEEE80211_TX_CTL_NO_ACK)) && !status)
+ info->flags |= IEEE80211_TX_STAT_ACK;
+
+--
+2.39.5
+
--- /dev/null
+From 533d7ebf6c14c6334d75c2da043c0cf31cb509de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jul 2025 11:47:49 +0530
+Subject: wifi: ath12k: Correct tid cleanup when tid setup fails
+
+From: Sarika Sharma <quic_sarishar@quicinc.com>
+
+[ Upstream commit 4a2bf707270f897ab8077baee8ed5842a5321686 ]
+
+Currently, if any error occurs during ath12k_dp_rx_peer_tid_setup(),
+the tid value is already incremented, even though the corresponding
+TID is not actually allocated. Proceed to
+ath12k_dp_rx_peer_tid_delete() starting from unallocated tid,
+which might leads to freeing unallocated TID and cause potential
+crash or out-of-bounds access.
+
+Hence, fix by correctly decrementing tid before cleanup to match only
+the successfully allocated TIDs.
+
+Also, remove tid-- from failure case of ath12k_dp_rx_peer_frag_setup(),
+as decrementing the tid before cleanup in loop will take care of this.
+
+Compile tested only.
+
+Signed-off-by: Sarika Sharma <quic_sarishar@quicinc.com>
+Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250721061749.886732-1-quic_sarishar@quicinc.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath12k/dp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath12k/dp.c b/drivers/net/wireless/ath/ath12k/dp.c
+index c663ff990b47..c8777ee2079f 100644
+--- a/drivers/net/wireless/ath/ath12k/dp.c
++++ b/drivers/net/wireless/ath/ath12k/dp.c
+@@ -91,7 +91,7 @@ int ath12k_dp_peer_setup(struct ath12k *ar, int vdev_id, const u8 *addr)
+ return -ENOENT;
+ }
+
+- for (; tid >= 0; tid--)
++ for (tid--; tid >= 0; tid--)
+ ath12k_dp_rx_peer_tid_delete(ar, peer, tid);
+
+ spin_unlock_bh(&ab->base_lock);
+--
+2.39.5
+
--- /dev/null
+From 3e6c0f41418e245aa1ae27d1ee2e60998cb6a13b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 May 2025 09:17:13 +0530
+Subject: wifi: ath12k: Decrement TID on RX peer frag setup error handling
+
+From: Karthikeyan Kathirvel <quic_kathirve@quicinc.com>
+
+[ Upstream commit 7c0884fcd2ddde0544d2e77f297ae461e1f53f58 ]
+
+Currently, TID is not decremented before peer cleanup, during error
+handling path of ath12k_dp_rx_peer_frag_setup(). This could lead to
+out-of-bounds access in peer->rx_tid[].
+
+Hence, add a decrement operation for TID, before peer cleanup to
+ensures proper cleanup and prevents out-of-bounds access issues when
+the RX peer frag setup fails.
+
+Found during code review. Compile tested only.
+
+Signed-off-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com>
+Signed-off-by: Sarika Sharma <quic_sarishar@quicinc.com>
+Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250526034713.712592-1-quic_sarishar@quicinc.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath12k/dp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/ath/ath12k/dp.c b/drivers/net/wireless/ath/ath12k/dp.c
+index c8777ee2079f..c918f5d12975 100644
+--- a/drivers/net/wireless/ath/ath12k/dp.c
++++ b/drivers/net/wireless/ath/ath12k/dp.c
+@@ -74,6 +74,7 @@ int ath12k_dp_peer_setup(struct ath12k *ar, int vdev_id, const u8 *addr)
+ ret = ath12k_dp_rx_peer_frag_setup(ar, addr, vdev_id);
+ if (ret) {
+ ath12k_warn(ab, "failed to setup rx defrag context\n");
++ tid--;
+ goto peer_clean;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 4eabdb068cba91fb859a041d9c33deb63dc6d011 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jun 2025 08:48:50 +0530
+Subject: wifi: ath12k: Enable REO queue lookup table feature on QCN9274 hw2.0
+
+From: Raj Kumar Bhagat <quic_rajkbhag@quicinc.com>
+
+[ Upstream commit b79742b84e16e41c4a09f3126436f39f36e75c06 ]
+
+The commit 89ac53e96217 ("wifi: ath12k: Enable REO queue lookup table
+feature on QCN9274") originally intended to enable the reoq_lut_support
+hardware parameter flag for both QCN9274 hw1.0 and hw2.0. However,
+it enabled it only for QCN9274 hw1.0.
+
+Hence, enable REO queue lookup table feature on QCN9274 hw2.0.
+
+Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
+
+Signed-off-by: Raj Kumar Bhagat <quic_rajkbhag@quicinc.com>
+Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250609-qcn9274-reoq-v1-1-a92c91abc9b9@quicinc.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath12k/hw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath12k/hw.c b/drivers/net/wireless/ath/ath12k/hw.c
+index dafd7c34d746..97ed179be228 100644
+--- a/drivers/net/wireless/ath/ath12k/hw.c
++++ b/drivers/net/wireless/ath/ath12k/hw.c
+@@ -1002,7 +1002,7 @@ static const struct ath12k_hw_params ath12k_hw_params[] = {
+ .download_calib = true,
+ .supports_suspend = false,
+ .tcl_ring_retry = true,
+- .reoq_lut_support = false,
++ .reoq_lut_support = true,
+ .supports_shadow_regs = false,
+
+ .hal_desc_sz = sizeof(struct hal_rx_desc_qcn9274),
+--
+2.39.5
+
--- /dev/null
+From c3aac7399169ca70296b6d2ccc764b72aa28df2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jul 2025 23:37:55 +0300
+Subject: wifi: cfg80211: Fix interface type validation
+
+From: Ilan Peer <ilan.peer@intel.com>
+
+[ Upstream commit 14450be2332a49445106403492a367412b8c23f4 ]
+
+Fix a condition that verified valid values of interface types.
+
+Signed-off-by: Ilan Peer <ilan.peer@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20250709233537.7ad199ca5939.I0ac1ff74798bf59a87a57f2e18f2153c308b119b@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/cfg80211.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
+index 2fb3151ea7c9..5b3a63c377d6 100644
+--- a/include/net/cfg80211.h
++++ b/include/net/cfg80211.h
+@@ -559,7 +559,7 @@ ieee80211_get_sband_iftype_data(const struct ieee80211_supported_band *sband,
+ {
+ int i;
+
+- if (WARN_ON(iftype >= NL80211_IFTYPE_MAX))
++ if (WARN_ON(iftype >= NUM_NL80211_IFTYPES))
+ return NULL;
+
+ if (iftype == NL80211_IFTYPE_AP_VLAN)
+--
+2.39.5
+
--- /dev/null
+From f5d2d45534e85bed3ded19c3ca3fe79828acfbbd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 18 Jul 2025 20:23:06 +0200
+Subject: wifi: cfg80211: reject HTC bit for management frames
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit be06a8c7313943109fa870715356503c4c709cbc ]
+
+Management frames sent by userspace should never have the
+order/HTC bit set, reject that. It could also cause some
+confusion with the length of the buffer and the header so
+the validation might end up wrong.
+
+Link: https://patch.msgid.link/20250718202307.97a0455f0f35.I1805355c7e331352df16611839bc8198c855a33f@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/mlme.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/wireless/mlme.c b/net/wireless/mlme.c
+index 55a1d3633853..3d631f8073f0 100644
+--- a/net/wireless/mlme.c
++++ b/net/wireless/mlme.c
+@@ -739,7 +739,8 @@ int cfg80211_mlme_mgmt_tx(struct cfg80211_registered_device *rdev,
+
+ mgmt = (const struct ieee80211_mgmt *)params->buf;
+
+- if (!ieee80211_is_mgmt(mgmt->frame_control))
++ if (!ieee80211_is_mgmt(mgmt->frame_control) ||
++ ieee80211_has_order(mgmt->frame_control))
+ return -EINVAL;
+
+ stype = le16_to_cpu(mgmt->frame_control) & IEEE80211_FCTL_STYPE;
+--
+2.39.5
+
--- /dev/null
+From d266b836e7c533ea675e8079442ea1e4ff8fdd0e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 25 May 2025 16:45:24 +0200
+Subject: wifi: iwlegacy: Check rate_idx range after addition
+
+From: Stanislaw Gruszka <stf_xl@wp.pl>
+
+[ Upstream commit 0de19d5ae0b2c5b18b88c5c7f0442f707a207409 ]
+
+Limit rate_idx to IL_LAST_OFDM_RATE for 5GHz band for thinkable case
+the index is incorrect.
+
+Reported-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Reported-by: Alexei Safin <a.safin@rosa.ru>
+Signed-off-by: Stanislaw Gruszka <stf_xl@wp.pl>
+Reviewed-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Link: https://patch.msgid.link/20250525144524.GA172583@wp.pl
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlegacy/4965-mac.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlegacy/4965-mac.c b/drivers/net/wireless/intel/iwlegacy/4965-mac.c
+index 0a4aa3c678c1..75118e240619 100644
+--- a/drivers/net/wireless/intel/iwlegacy/4965-mac.c
++++ b/drivers/net/wireless/intel/iwlegacy/4965-mac.c
+@@ -1575,8 +1575,11 @@ il4965_tx_cmd_build_rate(struct il_priv *il,
+ || rate_idx > RATE_COUNT_LEGACY)
+ rate_idx = rate_lowest_index(&il->bands[info->band], sta);
+ /* For 5 GHZ band, remap mac80211 rate indices into driver indices */
+- if (info->band == NL80211_BAND_5GHZ)
++ if (info->band == NL80211_BAND_5GHZ) {
+ rate_idx += IL_FIRST_OFDM_RATE;
++ if (rate_idx > IL_LAST_OFDM_RATE)
++ rate_idx = IL_LAST_OFDM_RATE;
++ }
+ /* Get PLCP rate for tx_cmd->rate_n_flags */
+ rate_plcp = il_rates[rate_idx].plcp;
+ /* Zero out flags for this packet */
+--
+2.39.5
+
--- /dev/null
+From ac00333e02a736a09f4beca0c4893c2bc941cee5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Mar 2024 13:17:55 +0300
+Subject: wifi: iwlwifi: dvm: fix potential overflow in rs_fill_link_cmd()
+
+From: Rand Deeb <rand.sec96@gmail.com>
+
+[ Upstream commit e3ad987e9dc7d1e12e3f2f1e623f0e174cd0ca78 ]
+
+The 'index' variable in the rs_fill_link_cmd() function can reach
+LINK_QUAL_MAX_RETRY_NUM during the execution of the inner loop. This
+variable is used as an index for the lq_cmd->rs_table array, which has a
+size of LINK_QUAL_MAX_RETRY_NUM, without proper validation.
+
+Modify the condition of the inner loop to ensure that the 'index' variable
+does not exceed LINK_QUAL_MAX_RETRY_NUM - 1, thereby preventing any
+potential overflow issues.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Signed-off-by: Rand Deeb <rand.sec96@gmail.com>
+Link: https://patch.msgid.link/20240313101755.269209-1-rand.sec96@gmail.com
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/dvm/rs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/rs.c b/drivers/net/wireless/intel/iwlwifi/dvm/rs.c
+index f4a6f76cf193..e70024525eb9 100644
+--- a/drivers/net/wireless/intel/iwlwifi/dvm/rs.c
++++ b/drivers/net/wireless/intel/iwlwifi/dvm/rs.c
+@@ -2904,7 +2904,7 @@ static void rs_fill_link_cmd(struct iwl_priv *priv,
+ /* Repeat initial/next rate.
+ * For legacy IWL_NUMBER_TRY == 1, this loop will not execute.
+ * For HT IWL_HT_NUMBER_TRY == 3, this executes twice. */
+- while (repeat_rate > 0 && (index < LINK_QUAL_MAX_RETRY_NUM)) {
++ while (repeat_rate > 0 && index < (LINK_QUAL_MAX_RETRY_NUM - 1)) {
+ if (is_legacy(tbl_type.lq_type)) {
+ if (ant_toggle_cnt < NUM_TRY_BEFORE_ANT_TOGGLE)
+ ant_toggle_cnt++;
+--
+2.39.5
+
--- /dev/null
+From c4f55e758c0cf3ef61adad785e8fbdce354999c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 22:26:23 +0300
+Subject: wifi: iwlwifi: fw: Fix possible memory leak in iwl_fw_dbg_collect
+
+From: Pagadala Yesu Anjaneyulu <pagadala.yesu.anjaneyulu@intel.com>
+
+[ Upstream commit cc8d9cbf269dab363c768bfa9312265bc807fca5 ]
+
+Ensure descriptor is freed on error to avoid memory leak.
+
+Signed-off-by: Pagadala Yesu Anjaneyulu <pagadala.yesu.anjaneyulu@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20250611222325.8158d15ec866.Ifa3e422c302397111f20a16da7509e6574bc19e3@changeid
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/fw/dbg.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
+index 0a1f302ad6d3..2deb259615d9 100644
+--- a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
++++ b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
+@@ -2816,6 +2816,7 @@ int iwl_fw_dbg_collect(struct iwl_fw_runtime *fwrt,
+ struct iwl_fw_dump_desc *desc;
+ unsigned int delay = 0;
+ bool monitor_only = false;
++ int ret;
+
+ if (trigger) {
+ u16 occurrences = le16_to_cpu(trigger->occurrences) - 1;
+@@ -2846,7 +2847,11 @@ int iwl_fw_dbg_collect(struct iwl_fw_runtime *fwrt,
+ desc->trig_desc.type = cpu_to_le32(trig);
+ memcpy(desc->trig_desc.data, str, len);
+
+- return iwl_fw_dbg_collect_desc(fwrt, desc, monitor_only, delay);
++ ret = iwl_fw_dbg_collect_desc(fwrt, desc, monitor_only, delay);
++ if (ret)
++ kfree(desc);
++
++ return ret;
+ }
+ IWL_EXPORT_SYMBOL(iwl_fw_dbg_collect);
+
+--
+2.39.5
+
--- /dev/null
+From 918381ce884c132d87503b529c0aac07901d145e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Jul 2025 23:05:43 +0300
+Subject: wifi: iwlwifi: mvm: fix scan request validation
+
+From: Avraham Stern <avraham.stern@intel.com>
+
+[ Upstream commit 7c2f3ec7707188d8d5269ae2dce97d7be3e9f261 ]
+
+The scan request validation function uses bitwise and instead
+of logical and. Fix it.
+
+Signed-off-by: Avraham Stern <avraham.stern@intel.com>
+Reviewed-by: Ilan Peer <ilan.peer@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20250709230308.3fbc1f27871b.I7a8ee91f463c1a2d9d8561c8232e196885d02c43@changeid
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
+index cc866401aad0..8b22779e5b3e 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
+@@ -828,7 +828,7 @@ static inline bool iwl_mvm_scan_fits(struct iwl_mvm *mvm, int n_ssids,
+ int n_channels)
+ {
+ return ((n_ssids <= PROBE_OPTION_MAX) &&
+- (n_channels <= mvm->fw->ucode_capa.n_scan_channels) &
++ (n_channels <= mvm->fw->ucode_capa.n_scan_channels) &&
+ (ies->common_ie_len +
+ ies->len[NL80211_BAND_2GHZ] + ies->len[NL80211_BAND_5GHZ] +
+ ies->len[NL80211_BAND_6GHZ] <=
+--
+2.39.5
+
--- /dev/null
+From da9f3317fda9345e4d1eacddd0e3bef1b34a40ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Jul 2025 21:28:27 +0300
+Subject: wifi: iwlwifi: mvm: set gtk id also in older FWs
+
+From: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+
+[ Upstream commit 61be9803f322ab46f31ba944c6ef7de195891f64 ]
+
+We use gtk[i].id, but it is not even set in older FW APIs
+(iwl_wowlan_status_v6 and iwl_wowlan_status_v7).
+Set it also in older FWs.
+
+Reviewed-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20250710212632.e91e49590414.I27d2fdbed1c54aee59929fa11ec169f07e159406@changeid
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
+index a82cdd897173..6c108dbbbc54 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c
+@@ -2143,6 +2143,7 @@ static void iwl_mvm_convert_gtk_v2(struct iwl_wowlan_status_data *status,
+
+ status->gtk[0].len = data->key_len;
+ status->gtk[0].flags = data->key_flags;
++ status->gtk[0].id = status->gtk[0].flags & IWL_WOWLAN_GTK_IDX_MASK;
+
+ memcpy(status->gtk[0].key, data->key, sizeof(data->key));
+
+@@ -2369,6 +2370,7 @@ iwl_mvm_send_wowlan_get_status(struct iwl_mvm *mvm, u8 sta_id)
+ * currently used key.
+ */
+ status->gtk[0].flags = v6->gtk.key_index | BIT(7);
++ status->gtk[0].id = v6->gtk.key_index;
+ } else if (notif_ver == 7) {
+ struct iwl_wowlan_status_v7 *v7 = (void *)cmd.resp_pkt->data;
+
+--
+2.39.5
+
--- /dev/null
+From dc6f8eb1dabcdea42610016aff6d0ffb7855ea81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Jun 2025 21:35:27 +0300
+Subject: wifi: mac80211: don't complete management TX on SAE commit
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 6b04716cdcac37bdbacde34def08bc6fdb5fc4e2 ]
+
+When SAE commit is sent and received in response, there's no
+ordering for the SAE confirm messages. As such, don't call
+drivers to stop listening on the channel when the confirm
+message is still expected.
+
+This fixes an issue if the local confirm is transmitted later
+than the AP's confirm, for iwlwifi (and possibly mt76) the
+AP's confirm would then get lost since the device isn't on
+the channel at the time the AP transmit the confirm.
+
+For iwlwifi at least, this also improves the overall timing
+of the authentication handshake (by about 15ms according to
+the report), likely since the session protection won't be
+aborted and rescheduled.
+
+Note that even before this, mgd_complete_tx() wasn't always
+called for each call to mgd_prepare_tx() (e.g. in the case
+of WEP key shared authentication), and the current drivers
+that have the complete callback don't seem to mind. Document
+this as well though.
+
+Reported-by: Jan Hendrik Farr <kernel@jfarr.cc>
+Closes: https://lore.kernel.org/all/aB30Ea2kRG24LINR@archlinux/
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20250609213232.12691580e140.I3f1d3127acabcd58348a110ab11044213cf147d3@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/mac80211.h | 2 ++
+ net/mac80211/mlme.c | 9 ++++++++-
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/include/net/mac80211.h b/include/net/mac80211.h
+index 835a58ce9ca5..adaa1b2323d2 100644
+--- a/include/net/mac80211.h
++++ b/include/net/mac80211.h
+@@ -4111,6 +4111,8 @@ struct ieee80211_prep_tx_info {
+ * @mgd_complete_tx: Notify the driver that the response frame for a previously
+ * transmitted frame announced with @mgd_prepare_tx was received, the data
+ * is filled similarly to @mgd_prepare_tx though the duration is not used.
++ * Note that this isn't always called for each mgd_prepare_tx() call, for
++ * example for SAE the 'confirm' messages can be on the air in any order.
+ *
+ * @mgd_protect_tdls_discover: Protect a TDLS discovery session. After sending
+ * a TDLS discovery-request, we expect a reply to arrive on the AP's
+diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
+index 2c7e139efd53..295c2fdbd3c7 100644
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -3662,6 +3662,7 @@ static void ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata,
+ struct ieee80211_prep_tx_info info = {
+ .subtype = IEEE80211_STYPE_AUTH,
+ };
++ bool sae_need_confirm = false;
+
+ sdata_assert_lock(sdata);
+
+@@ -3705,6 +3706,8 @@ static void ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata,
+ jiffies + IEEE80211_AUTH_WAIT_SAE_RETRY;
+ ifmgd->auth_data->timeout_started = true;
+ run_again(sdata, ifmgd->auth_data->timeout);
++ if (auth_transaction == 1)
++ sae_need_confirm = true;
+ goto notify_driver;
+ }
+
+@@ -3747,6 +3750,9 @@ static void ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata,
+ ifmgd->auth_data->expected_transaction == 2)) {
+ if (!ieee80211_mark_sta_auth(sdata))
+ return; /* ignore frame -- wait for timeout */
++ } else if (ifmgd->auth_data->algorithm == WLAN_AUTH_SAE &&
++ auth_transaction == 1) {
++ sae_need_confirm = true;
+ } else if (ifmgd->auth_data->algorithm == WLAN_AUTH_SAE &&
+ auth_transaction == 2) {
+ sdata_info(sdata, "SAE peer confirmed\n");
+@@ -3755,7 +3761,8 @@ static void ieee80211_rx_mgmt_auth(struct ieee80211_sub_if_data *sdata,
+
+ cfg80211_rx_mlme_mgmt(sdata->dev, (u8 *)mgmt, len);
+ notify_driver:
+- drv_mgd_complete_tx(sdata->local, sdata, &info);
++ if (!sae_need_confirm)
++ drv_mgd_complete_tx(sdata->local, sdata, &info);
+ }
+
+ #define case_WLAN(type) \
+--
+2.39.5
+
--- /dev/null
+From a7cfa6526517f669a3687dd90ada013e55458a5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 14:11:19 +0530
+Subject: wifi: mac80211: fix rx link assignment for non-MLO stations
+
+From: Hari Chandrakanthan <quic_haric@quicinc.com>
+
+[ Upstream commit cc2b722132893164bcb3cee4f08ed056e126eb6c ]
+
+Currently, ieee80211_rx_data_set_sta() does not correctly handle the
+case where the interface supports multiple links (MLO), but the station
+does not (non-MLO). This can lead to incorrect link assignment or
+unexpected warnings when accessing link information.
+
+Hence, add a fix to check if the station lacks valid link support and
+use its default link ID for rx->link assignment. If the station
+unexpectedly has valid links, fall back to the default link.
+
+This ensures correct link association and prevents potential issues
+in mixed MLO/non-MLO environments.
+
+Signed-off-by: Hari Chandrakanthan <quic_haric@quicinc.com>
+Signed-off-by: Sarika Sharma <quic_sarishar@quicinc.com>
+Link: https://patch.msgid.link/20250630084119.3583593-1-quic_sarishar@quicinc.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/rx.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
+index 58665b6ae635..210337ef23cf 100644
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -4221,10 +4221,16 @@ static bool ieee80211_rx_data_set_sta(struct ieee80211_rx_data *rx,
+ rx->link_sta = NULL;
+ }
+
+- if (link_id < 0)
+- rx->link = &rx->sdata->deflink;
+- else if (!ieee80211_rx_data_set_link(rx, link_id))
++ if (link_id < 0) {
++ if (ieee80211_vif_is_mld(&rx->sdata->vif) &&
++ sta && !sta->sta.valid_links)
++ rx->link =
++ rcu_dereference(rx->sdata->link[sta->deflink.link_id]);
++ else
++ rx->link = &rx->sdata->deflink;
++ } else if (!ieee80211_rx_data_set_link(rx, link_id)) {
+ return false;
++ }
+
+ return true;
+ }
+--
+2.39.5
+
--- /dev/null
+From 9fb097ad1110d2d6439be3b25c26c21a7ff1870b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Jun 2025 19:33:24 +0530
+Subject: wifi: mac80211: update radar_required in channel context after
+ channel switch
+
+From: Ramya Gnanasekar <ramya.gnanasekar@oss.qualcomm.com>
+
+[ Upstream commit 140c6a61d83cbd85adba769b5ef8d61acfa5b392 ]
+
+Currently, when a non-DFS channel is brought up and the bandwidth is
+expanded from 80 MHz to 160 MHz, where the primary 80 MHz is non-DFS
+and the secondary 80 MHz consists of DFS channels, radar detection
+fails if radar occurs in the secondary 80 MHz.
+
+When the channel is switched from 80 MHz to 160 MHz, with the primary
+80 MHz being non-DFS and the secondary 80 MHz consisting of DFS
+channels, the radar required flag in the channel switch parameters
+is set to true. However, when using a reserved channel context,
+it is not updated in sdata, which disables radar detection in the
+secondary 80 MHz DFS channels.
+
+Update the radar required flag in sdata to fix this issue when using
+a reserved channel context.
+
+Signed-off-by: Ramya Gnanasekar <ramya.gnanasekar@oss.qualcomm.com>
+Signed-off-by: Ramasamy Kaliappan <ramasamy.kaliappan@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250608140324.1687117-1-ramasamy.kaliappan@oss.qualcomm.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/chan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c
+index 31c4f112345e..4a21e53afa72 100644
+--- a/net/mac80211/chan.c
++++ b/net/mac80211/chan.c
+@@ -1313,6 +1313,7 @@ ieee80211_link_use_reserved_reassign(struct ieee80211_link_data *link)
+ goto out;
+ }
+
++ link->radar_required = link->reserved_radar_required;
+ list_move(&link->assigned_chanctx_list, &new_ctx->assigned_links);
+ rcu_assign_pointer(link_conf->chanctx_conf, &new_ctx->conf);
+
+--
+2.39.5
+
--- /dev/null
+From c03e4688fb6f7ab77807fe5390b3de8e83eb0c85 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Apr 2025 02:45:27 +0200
+Subject: wifi: mt76: mt7915: mcu: re-init MCU before loading FW patch
+
+From: David Bauer <mail@david-bauer.net>
+
+[ Upstream commit ac9c50c79eaef5fca0f165e45d0c5880606db53e ]
+
+Restart the MCU and release the patch semaphore before loading the MCU
+patch firmware from the host.
+
+This fixes failures upon error recovery in case the semaphore was
+previously taken and never released by the host.
+
+This happens from time to time upon triggering a full-chip error
+recovery. Under this circumstance, the hardware restart fails and the
+radio is rendered inoperational.
+
+Signed-off-by: David Bauer <mail@david-bauer.net>
+Link: https://patch.msgid.link/20250402004528.1036715-3-mail@david-bauer.net
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/wireless/mediatek/mt76/mt7915/mcu.c | 25 +++++++++++--------
+ 1 file changed, 15 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
+index f0226db2e57c..fae9ec98da3b 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
+@@ -2060,16 +2060,21 @@ static int mt7915_load_firmware(struct mt7915_dev *dev)
+ {
+ int ret;
+
+- /* make sure fw is download state */
+- if (mt7915_firmware_state(dev, false)) {
+- /* restart firmware once */
+- mt76_connac_mcu_restart(&dev->mt76);
+- ret = mt7915_firmware_state(dev, false);
+- if (ret) {
+- dev_err(dev->mt76.dev,
+- "Firmware is not ready for download\n");
+- return ret;
+- }
++ /* Release Semaphore if taken by previous failed attempt */
++ ret = mt76_connac_mcu_patch_sem_ctrl(&dev->mt76, false);
++ if (ret != PATCH_REL_SEM_SUCCESS) {
++ dev_err(dev->mt76.dev, "Could not release semaphore\n");
++ /* Continue anyways */
++ }
++
++ /* Always restart MCU firmware */
++ mt76_connac_mcu_restart(&dev->mt76);
++
++ /* Check if MCU is ready */
++ ret = mt7915_firmware_state(dev, false);
++ if (ret) {
++ dev_err(dev->mt76.dev, "Firmware did not enter download state\n");
++ return ret;
+ }
+
+ ret = mt76_connac2_load_patch(&dev->mt76, fw_name_var(dev, ROM_PATCH));
+--
+2.39.5
+
--- /dev/null
+From 535866c33f06f2fe19ddba7f6d6fea7f23caf7dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Jun 2025 12:56:30 +0200
+Subject: wifi: rtlwifi: fix possible skb memory leak in
+ `_rtl_pci_rx_interrupt()`.
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 44c0e191004f0e3aa1bdee3be248be14dbe5b020 ]
+
+The function `_rtl_pci_init_one_rxdesc()` can fail even when the new
+`skb` is passed because of a DMA mapping error. If it fails, the `skb`
+is not saved in the rx ringbuffer and thus lost.
+
+Compile tested only
+
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Acked-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20250616105631.444309-4-fourier.thomas@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/pci.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c
+index 3645f212021f..6264ef7805d6 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
+@@ -803,13 +803,19 @@ static void _rtl_pci_rx_interrupt(struct ieee80211_hw *hw)
+ skb = new_skb;
+ no_new:
+ if (rtlpriv->use_new_trx_flow) {
+- _rtl_pci_init_one_rxdesc(hw, skb, (u8 *)buffer_desc,
+- rxring_idx,
+- rtlpci->rx_ring[rxring_idx].idx);
++ if (!_rtl_pci_init_one_rxdesc(hw, skb, (u8 *)buffer_desc,
++ rxring_idx,
++ rtlpci->rx_ring[rxring_idx].idx)) {
++ if (new_skb)
++ dev_kfree_skb_any(skb);
++ }
+ } else {
+- _rtl_pci_init_one_rxdesc(hw, skb, (u8 *)pdesc,
+- rxring_idx,
+- rtlpci->rx_ring[rxring_idx].idx);
++ if (!_rtl_pci_init_one_rxdesc(hw, skb, (u8 *)pdesc,
++ rxring_idx,
++ rtlpci->rx_ring[rxring_idx].idx)) {
++ if (new_skb)
++ dev_kfree_skb_any(skb);
++ }
+ if (rtlpci->rx_ring[rxring_idx].idx ==
+ rtlpci->rxringcount - 1)
+ rtlpriv->cfg->ops->set_desc(hw, (u8 *)pdesc,
+--
+2.39.5
+
--- /dev/null
+From 23c606c47369f06e49c8520cacc68f4ca37efdb4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Jun 2025 09:38:36 +0200
+Subject: wifi: rtlwifi: fix possible skb memory leak in
+ _rtl_pci_init_one_rxdesc()
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 76b3e5078d76f0eeadb7aacf9845399f8473da0d ]
+
+When `dma_mapping_error()` is true, if a new `skb` has been allocated,
+then it must be de-allocated.
+
+Compile tested only
+
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20250613074014.69856-2-fourier.thomas@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/pci.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c
+index 6264ef7805d6..40112b2c3777 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
+@@ -573,8 +573,11 @@ static int _rtl_pci_init_one_rxdesc(struct ieee80211_hw *hw,
+ dma_map_single(&rtlpci->pdev->dev, skb_tail_pointer(skb),
+ rtlpci->rxbuffersize, DMA_FROM_DEVICE);
+ bufferaddress = *((dma_addr_t *)skb->cb);
+- if (dma_mapping_error(&rtlpci->pdev->dev, bufferaddress))
++ if (dma_mapping_error(&rtlpci->pdev->dev, bufferaddress)) {
++ if (!new_skb)
++ kfree_skb(skb);
+ return 0;
++ }
+ rtlpci->rx_ring[rxring_idx].rx_buf[desc_idx] = skb;
+ if (rtlpriv->use_new_trx_flow) {
+ /* skb->cb may be 64 bit address */
+--
+2.39.5
+
--- /dev/null
+From b96ff1dbc367a36bfb4430898cef379ec42e7e02 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 23:43:25 +0300
+Subject: wifi: rtw89: Disable deep power saving for USB/SDIO
+
+From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+
+[ Upstream commit a3b871a0f7c083c2a632a31da8bc3de554ae8550 ]
+
+Disable deep power saving for USB and SDIO because rtw89_mac_send_rpwm()
+is called in atomic context and accessing hardware registers results in
+"scheduling while atomic" errors.
+
+Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+Acked-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/0f49eceb-0de0-47e2-ba36-3c6a0dddd17d@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw89/core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/wireless/realtek/rtw89/core.c b/drivers/net/wireless/realtek/rtw89/core.c
+index 21e9ec8768b5..c172ef13c954 100644
+--- a/drivers/net/wireless/realtek/rtw89/core.c
++++ b/drivers/net/wireless/realtek/rtw89/core.c
+@@ -1996,6 +1996,9 @@ static enum rtw89_ps_mode rtw89_update_ps_mode(struct rtw89_dev *rtwdev)
+ {
+ const struct rtw89_chip_info *chip = rtwdev->chip;
+
++ if (rtwdev->hci.type != RTW89_HCI_TYPE_PCIE)
++ return RTW89_PS_MODE_NONE;
++
+ if (rtw89_disable_ps_mode || !chip->ps_mode_supported ||
+ RTW89_CHK_FW_FEATURE(NO_DEEP_PS, &rtwdev->fw))
+ return RTW89_PS_MODE_NONE;
+--
+2.39.5
+
--- /dev/null
+From 241c299c00a15cb9821147cfe4d833e80e963706 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 23:45:55 +0300
+Subject: wifi: rtw89: Fix rtw89_mac_power_switch() for USB
+
+From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+
+[ Upstream commit e2b71603333a9dd73ee88347d8894fffc3456ac1 ]
+
+Clear some bits in some registers in order to allow RTL8851BU to power
+on. This is done both when powering on and when powering off because
+that's what the vendor driver does.
+
+Also tested with RTL8832BU and RTL8832CU.
+
+Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+Acked-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/a39da939-d640-4486-ad38-f658f220afc8@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw89/mac.c | 19 +++++++++++++++++++
+ drivers/net/wireless/realtek/rtw89/reg.h | 1 +
+ 2 files changed, 20 insertions(+)
+
+diff --git a/drivers/net/wireless/realtek/rtw89/mac.c b/drivers/net/wireless/realtek/rtw89/mac.c
+index 3c818c4b4653..3d63f8b2770e 100644
+--- a/drivers/net/wireless/realtek/rtw89/mac.c
++++ b/drivers/net/wireless/realtek/rtw89/mac.c
+@@ -1301,6 +1301,23 @@ void rtw89_mac_notify_wake(struct rtw89_dev *rtwdev)
+ rtw89_mac_send_rpwm(rtwdev, state, true);
+ }
+
++static void rtw89_mac_power_switch_boot_mode(struct rtw89_dev *rtwdev)
++{
++ u32 boot_mode;
++
++ if (rtwdev->hci.type != RTW89_HCI_TYPE_USB)
++ return;
++
++ boot_mode = rtw89_read32_mask(rtwdev, R_AX_GPIO_MUXCFG, B_AX_BOOT_MODE);
++ if (!boot_mode)
++ return;
++
++ rtw89_write32_clr(rtwdev, R_AX_SYS_PW_CTRL, B_AX_APFN_ONMAC);
++ rtw89_write32_clr(rtwdev, R_AX_SYS_STATUS1, B_AX_AUTO_WLPON);
++ rtw89_write32_clr(rtwdev, R_AX_GPIO_MUXCFG, B_AX_BOOT_MODE);
++ rtw89_write32_clr(rtwdev, R_AX_RSV_CTRL, B_AX_R_DIS_PRST);
++}
++
+ static int rtw89_mac_power_switch(struct rtw89_dev *rtwdev, bool on)
+ {
+ #define PWR_ACT 1
+@@ -1310,6 +1327,8 @@ static int rtw89_mac_power_switch(struct rtw89_dev *rtwdev, bool on)
+ int ret;
+ u8 val;
+
++ rtw89_mac_power_switch_boot_mode(rtwdev);
++
+ if (on) {
+ cfg_seq = chip->pwr_on_seq;
+ cfg_func = chip->ops->pwr_on_func;
+diff --git a/drivers/net/wireless/realtek/rtw89/reg.h b/drivers/net/wireless/realtek/rtw89/reg.h
+index c0aac4d3678a..ef1162595042 100644
+--- a/drivers/net/wireless/realtek/rtw89/reg.h
++++ b/drivers/net/wireless/realtek/rtw89/reg.h
+@@ -172,6 +172,7 @@
+
+ #define R_AX_SYS_STATUS1 0x00F4
+ #define B_AX_SEL_0XC0_MASK GENMASK(17, 16)
++#define B_AX_AUTO_WLPON BIT(10)
+ #define B_AX_PAD_HCI_SEL_V2_MASK GENMASK(5, 3)
+ #define MAC_AX_HCI_SEL_SDIO_UART 0
+ #define MAC_AX_HCI_SEL_MULTI_USB 1
+--
+2.39.5
+
--- /dev/null
+From a314d23f77c014538c9dd120f0970247f442bee8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Jul 2025 22:44:47 +0300
+Subject: wifi: rtw89: Lower the timeout in rtw89_fw_read_c2h_reg() for USB
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+
+[ Upstream commit 671be46afd1f03de9dc6e4679c88e1a7a81cdff6 ]
+
+This read_poll_timeout_atomic() with a delay of 1 µs and a timeout of
+1000000 µs can take ~250 seconds in the worst case because sending a
+USB control message takes ~250 µs.
+
+Lower the timeout to 4000 for USB in order to reduce the maximum polling
+time to ~1 second.
+
+This problem was observed with RTL8851BU while suspending to RAM with
+WOWLAN enabled. The computer sat for 4 minutes with a black screen
+before suspending.
+
+Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/09313da6-c865-4e91-b758-4cb38a878796@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw89/fw.c | 9 +++++++--
+ drivers/net/wireless/realtek/rtw89/fw.h | 2 ++
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtw89/fw.c b/drivers/net/wireless/realtek/rtw89/fw.c
+index 89b0a7970508..539537360914 100644
+--- a/drivers/net/wireless/realtek/rtw89/fw.c
++++ b/drivers/net/wireless/realtek/rtw89/fw.c
+@@ -3427,13 +3427,18 @@ static int rtw89_fw_read_c2h_reg(struct rtw89_dev *rtwdev,
+ const struct rtw89_chip_info *chip = rtwdev->chip;
+ struct rtw89_fw_info *fw_info = &rtwdev->fw;
+ const u32 *c2h_reg = chip->c2h_regs;
+- u32 ret;
++ u32 ret, timeout;
+ u8 i, val;
+
+ info->id = RTW89_FWCMD_C2HREG_FUNC_NULL;
+
++ if (rtwdev->hci.type == RTW89_HCI_TYPE_USB)
++ timeout = RTW89_C2H_TIMEOUT_USB;
++ else
++ timeout = RTW89_C2H_TIMEOUT;
++
+ ret = read_poll_timeout_atomic(rtw89_read8, val, val, 1,
+- RTW89_C2H_TIMEOUT, false, rtwdev,
++ timeout, false, rtwdev,
+ chip->c2h_ctrl_reg);
+ if (ret) {
+ rtw89_warn(rtwdev, "c2h reg timeout\n");
+diff --git a/drivers/net/wireless/realtek/rtw89/fw.h b/drivers/net/wireless/realtek/rtw89/fw.h
+index 775f4e8fbda4..bc6a9ea9352e 100644
+--- a/drivers/net/wireless/realtek/rtw89/fw.h
++++ b/drivers/net/wireless/realtek/rtw89/fw.h
+@@ -69,6 +69,8 @@ struct rtw89_h2creg_sch_tx_en {
+ #define RTW89_C2HREG_HDR_LEN 2
+ #define RTW89_H2CREG_HDR_LEN 2
+ #define RTW89_C2H_TIMEOUT 1000000
++#define RTW89_C2H_TIMEOUT_USB 4000
++
+ struct rtw89_mac_c2h_info {
+ u8 id;
+ u8 content_len;
+--
+2.39.5
+
--- /dev/null
+From cf032389a437397101a495a5e37f10a9f9f58376 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 10:29:31 -0700
+Subject: x86/bugs: Avoid warning when overriding return thunk
+
+From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+
+[ Upstream commit 9f85fdb9fc5a1bd308a10a0a7d7e34f2712ba58b ]
+
+The purpose of the warning is to prevent an unexpected change to the return
+thunk mitigation. However, there are legitimate cases where the return
+thunk is intentionally set more than once. For example, ITS and SRSO both
+can set the return thunk after retbleed has set it. In both the cases
+retbleed is still mitigated.
+
+Replace the warning with an info about the active return thunk.
+
+Suggested-by: Borislav Petkov <bp@alien8.de>
+Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Link: https://lore.kernel.org/20250611-eibrs-fix-v4-3-5ff86cac6c61@linux.intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/bugs.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
+index c4d5ac99c6af..332c6f24280d 100644
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -71,10 +71,9 @@ void (*x86_return_thunk)(void) __ro_after_init = __x86_return_thunk;
+
+ static void __init set_return_thunk(void *thunk)
+ {
+- if (x86_return_thunk != __x86_return_thunk)
+- pr_warn("x86/bugs: return thunk changed\n");
+-
+ x86_return_thunk = thunk;
++
++ pr_info("active return thunk: %ps\n", thunk);
+ }
+
+ /* Update SPEC_CTRL MSR and its cached copy unconditionally */
+--
+2.39.5
+
--- /dev/null
+From fd3f5c38a44203dc9ae517a9b097f45d5357a9fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Jul 2025 09:34:54 +0000
+Subject: xen/netfront: Fix TX response spurious interrupts
+
+From: Anthoine Bourgeois <anthoine.bourgeois@vates.tech>
+
+[ Upstream commit 114a2de6fa86d99ed9546cc9113a3cad58beef79 ]
+
+We found at Vates that there are lot of spurious interrupts when
+benchmarking the xen-net PV driver frontend. This issue appeared with a
+patch that addresses security issue XSA-391 (b27d47950e48 "xen/netfront:
+harden netfront against event channel storms"). On an iperf benchmark,
+spurious interrupts can represent up to 50% of the interrupts.
+
+Spurious interrupts are interrupts that are rised for nothing, there is
+no work to do. This appends because the function that handles the
+interrupts ("xennet_tx_buf_gc") is also called at the end of the request
+path to garbage collect the responses received during the transmission
+load.
+
+The request path is doing the work that the interrupt handler should
+have done otherwise. This is particurary true when there is more than
+one vcpu and get worse linearly with the number of vcpu/queue.
+
+Moreover, this problem is amplifyed by the penalty imposed by a spurious
+interrupt. When an interrupt is found spurious the interrupt chip will
+delay the EOI to slowdown the backend. This delay will allow more
+responses to be handled by the request path and then there will be more
+chance the next interrupt will not find any work to do, creating a new
+spurious interrupt.
+
+This causes performance issue. The solution here is to remove the calls
+from the request path and let the interrupt handler do the processing of
+the responses. This approch removes most of the spurious interrupts
+(<0.05%) and also has the benefit of freeing up cycles in the request
+path, allowing it to process more work, which improves performance
+compared to masking the spurious interrupt one way or another.
+
+This optimization changes a part of the code that is present since the
+net frontend driver was upstreamed. There is no similar pattern in the
+other xen PV drivers. Since the first commit of xen-netfront is a blob
+that doesn't explain all the design choices I can only guess why this
+specific mecanism was here. This could have been introduce to compensate
+a slow backend at the time (maybe the backend was fixed or optimize
+later) or a small queue. In 18 years, both frontend and backend gain lot
+of features and optimizations that could have obsolete the feature of
+reaping completions from the TX path.
+
+Some vif throughput performance figures from a 8 vCPUs, 4GB of RAM HVM
+guest(s):
+
+Without this patch on the :
+vm -> dom0: 4.5Gb/s
+vm -> vm: 7.0Gb/s
+
+Without XSA-391 patch (revert of b27d47950e48):
+vm -> dom0: 8.3Gb/s
+vm -> vm: 8.7Gb/s
+
+With XSA-391 and this patch:
+vm -> dom0: 11.5Gb/s
+vm -> vm: 12.6Gb/s
+
+v2:
+- add revewed and tested by tags
+- resend with the maintainers in the recipients list
+
+v3:
+- remove Fixes tag but keep the commit ref in the explanation
+- add a paragraph on why this code was here
+
+Signed-off-by: Anthoine Bourgeois <anthoine.bourgeois@vates.tech>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Tested-by: Elliott Mitchell <ehem+xen@m5p.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Message-ID: <20250721093316.23560-1-anthoine.bourgeois@vates.tech>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/xen-netfront.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/drivers/net/xen-netfront.c b/drivers/net/xen-netfront.c
+index 0115f8f5b724..5b59c0ee6c66 100644
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -637,8 +637,6 @@ static int xennet_xdp_xmit_one(struct net_device *dev,
+ tx_stats->packets++;
+ u64_stats_update_end(&tx_stats->syncp);
+
+- xennet_tx_buf_gc(queue);
+-
+ return 0;
+ }
+
+@@ -848,9 +846,6 @@ static netdev_tx_t xennet_start_xmit(struct sk_buff *skb, struct net_device *dev
+ tx_stats->packets++;
+ u64_stats_update_end(&tx_stats->syncp);
+
+- /* Note: It is not safe to access skb after xennet_tx_buf_gc()! */
+- xennet_tx_buf_gc(queue);
+-
+ if (!netfront_tx_slot_available(queue))
+ netif_tx_stop_queue(netdev_get_tx_queue(dev, queue->id));
+
+--
+2.39.5
+
--- /dev/null
+From ea8665537b85ea29b54348538bbd5beb092299d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 18:08:56 +0530
+Subject: xfrm: Duplicate SPI Handling
+
+From: Aakash Kumar S <saakashkumar@marvell.com>
+
+[ Upstream commit 94f39804d891cffe4ce17737d295f3b195bc7299 ]
+
+The issue originates when Strongswan initiates an XFRM_MSG_ALLOCSPI
+Netlink message, which triggers the kernel function xfrm_alloc_spi().
+This function is expected to ensure uniqueness of the Security Parameter
+Index (SPI) for inbound Security Associations (SAs). However, it can
+return success even when the requested SPI is already in use, leading
+to duplicate SPIs assigned to multiple inbound SAs, differentiated
+only by their destination addresses.
+
+This behavior causes inconsistencies during SPI lookups for inbound packets.
+Since the lookup may return an arbitrary SA among those with the same SPI,
+packet processing can fail, resulting in packet drops.
+
+According to RFC 4301 section 4.4.2 , for inbound processing a unicast SA
+is uniquely identified by the SPI and optionally protocol.
+
+Reproducing the Issue Reliably:
+To consistently reproduce the problem, restrict the available SPI range in
+charon.conf : spi_min = 0x10000000 spi_max = 0x10000002
+This limits the system to only 2 usable SPI values.
+Next, create more than 2 Child SA. each using unique pair of src/dst address.
+As soon as the 3rd Child SA is initiated, it will be assigned a duplicate
+SPI, since the SPI pool is already exhausted.
+With a narrow SPI range, the issue is consistently reproducible.
+With a broader/default range, it becomes rare and unpredictable.
+
+Current implementation:
+xfrm_spi_hash() lookup function computes hash using daddr, proto, and family.
+So if two SAs have the same SPI but different destination addresses, then
+they will:
+a. Hash into different buckets
+b. Be stored in different linked lists (byspi + h)
+c. Not be seen in the same hlist_for_each_entry_rcu() iteration.
+As a result, the lookup will result in NULL and kernel allows that Duplicate SPI
+
+Proposed Change:
+xfrm_state_lookup_spi_proto() does a truly global search - across all states,
+regardless of hash bucket and matches SPI and proto.
+
+Signed-off-by: Aakash Kumar S <saakashkumar@marvell.com>
+Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_state.c | 72 ++++++++++++++++++++++++++-----------------
+ 1 file changed, 43 insertions(+), 29 deletions(-)
+
+diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
+index d2bd5bddfb05..acfbe1f013d1 100644
+--- a/net/xfrm/xfrm_state.c
++++ b/net/xfrm/xfrm_state.c
+@@ -1466,6 +1466,26 @@ struct xfrm_state *xfrm_state_lookup_byspi(struct net *net, __be32 spi,
+ }
+ EXPORT_SYMBOL(xfrm_state_lookup_byspi);
+
++static struct xfrm_state *xfrm_state_lookup_spi_proto(struct net *net, __be32 spi, u8 proto)
++{
++ struct xfrm_state *x;
++ unsigned int i;
++
++ rcu_read_lock();
++ for (i = 0; i <= net->xfrm.state_hmask; i++) {
++ hlist_for_each_entry_rcu(x, &net->xfrm.state_byspi[i], byspi) {
++ if (x->id.spi == spi && x->id.proto == proto) {
++ if (!xfrm_state_hold_rcu(x))
++ continue;
++ rcu_read_unlock();
++ return x;
++ }
++ }
++ }
++ rcu_read_unlock();
++ return NULL;
++}
++
+ static void __xfrm_state_insert(struct xfrm_state *x)
+ {
+ struct net *net = xs_net(x);
+@@ -2259,10 +2279,8 @@ int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high,
+ unsigned int h;
+ struct xfrm_state *x0;
+ int err = -ENOENT;
+- __be32 minspi = htonl(low);
+- __be32 maxspi = htonl(high);
++ u32 range = high - low + 1;
+ __be32 newspi = 0;
+- u32 mark = x->mark.v & x->mark.m;
+
+ spin_lock_bh(&x->lock);
+ if (x->km.state == XFRM_STATE_DEAD) {
+@@ -2276,38 +2294,34 @@ int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high,
+
+ err = -ENOENT;
+
+- if (minspi == maxspi) {
+- x0 = xfrm_state_lookup(net, mark, &x->id.daddr, minspi, x->id.proto, x->props.family);
+- if (x0) {
+- NL_SET_ERR_MSG(extack, "Requested SPI is already in use");
+- xfrm_state_put(x0);
++ for (h = 0; h < range; h++) {
++ u32 spi = (low == high) ? low : get_random_u32_inclusive(low, high);
++ newspi = htonl(spi);
++
++ spin_lock_bh(&net->xfrm.xfrm_state_lock);
++ x0 = xfrm_state_lookup_spi_proto(net, newspi, x->id.proto);
++ if (!x0) {
++ x->id.spi = newspi;
++ h = xfrm_spi_hash(net, &x->id.daddr, newspi, x->id.proto, x->props.family);
++ XFRM_STATE_INSERT(byspi, &x->byspi, net->xfrm.state_byspi + h, x->xso.type);
++ spin_unlock_bh(&net->xfrm.xfrm_state_lock);
++ err = 0;
+ goto unlock;
+ }
+- newspi = minspi;
+- } else {
+- u32 spi = 0;
+- for (h = 0; h < high-low+1; h++) {
+- spi = get_random_u32_inclusive(low, high);
+- x0 = xfrm_state_lookup(net, mark, &x->id.daddr, htonl(spi), x->id.proto, x->props.family);
+- if (x0 == NULL) {
+- newspi = htonl(spi);
+- break;
+- }
+- xfrm_state_put(x0);
++ xfrm_state_put(x0);
++ spin_unlock_bh(&net->xfrm.xfrm_state_lock);
++
++ if (signal_pending(current)) {
++ err = -ERESTARTSYS;
++ goto unlock;
+ }
++
++ if (low == high)
++ break;
+ }
+- if (newspi) {
+- spin_lock_bh(&net->xfrm.xfrm_state_lock);
+- x->id.spi = newspi;
+- h = xfrm_spi_hash(net, &x->id.daddr, x->id.spi, x->id.proto, x->props.family);
+- XFRM_STATE_INSERT(byspi, &x->byspi, net->xfrm.state_byspi + h,
+- x->xso.type);
+- spin_unlock_bh(&net->xfrm.xfrm_state_lock);
+
+- err = 0;
+- } else {
++ if (err)
+ NL_SET_ERR_MSG(extack, "No SPI available in the requested range");
+- }
+
+ unlock:
+ spin_unlock_bh(&x->lock);
+--
+2.39.5
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
