From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 24 Aug 2025 07:03:05 +0000 (+0200)
Subject: 6.1-stable patches
X-Git-Tag: v5.4.297~45
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7e5d1f934180751202503e8cf5a3aa667eae6f57;p=thirdparty%2Fkernel%2Fstable-queue.git

6.1-stable patches

added patches:
	arm64-dts-ti-k3-am62-main-remove-emmc-high-speed-ddr-support.patch
	drm-amd-display-don-t-overclock-dce-6-by-15.patch
	drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch
	ext4-preserve-sb_i_version-on-remount.patch
	f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch
	f2fs-fix-to-call-clear_page_private_reference-in-.-release-invalid-_folio.patch
	mm-memory-failure-fix-infinite-uce-for-vm_pfnmap-pfn.patch
	mmc-sdhci-pci-gli-add-a-new-function-to-simplify-the-code.patch
	mmc-sdhci-pci-gli-gl9763e-mask-the-replay-timer-timeout-of-aer.patch
	mmc-sdhci-pci-gli-use-pci-aer-definitions-not-hard-coded-values.patch
	mptcp-disable-add_addr-retransmission-when-timeout-is-0.patch
	mptcp-remove-duplicate-sk_reset_timer-call.patch
	pci-rockchip-set-target-link-speed-to-5.0-gt-s-before-retraining.patch
	pci-rockchip-use-standard-pcie-definitions.patch
	scsi-mpi3mr-drop-unnecessary-volatile-from-__iomem-pointers.patch
	scsi-mpi3mr-serialize-admin-queue-bar-writes-on-32-bit-systems.patch
	scsi-ufs-exynos-fix-programming-of-hci_utrl_nexus_type.patch
	soc-qcom-mdt_loader-enhance-split-binary-detection.patch
	soc-qcom-mdt_loader-ensure-we-don-t-read-past-the-elf-header.patch
---

diff --git a/queue-6.1/arm64-dts-ti-k3-am62-main-remove-emmc-high-speed-ddr-support.patch b/queue-6.1/arm64-dts-ti-k3-am62-main-remove-emmc-high-speed-ddr-support.patch
new file mode 100644
index 0000000000..33fb973721
--- /dev/null
+++ b/queue-6.1/arm64-dts-ti-k3-am62-main-remove-emmc-high-speed-ddr-support.patch
@@ -0,0 +1,39 @@
+From stable+bounces-172406-greg=kroah.com@vger.kernel.org Fri Aug 22 16:10:40 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 10:10:30 -0400
+Subject: arm64: dts: ti: k3-am62-main: Remove eMMC High Speed DDR support
+To: stable@vger.kernel.org
+Cc: Judith Mendez <jm@ti.com>, Vignesh Raghavendra <vigneshr@ti.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250822141031.1253096-1-sashal@kernel.org>
+
+From: Judith Mendez <jm@ti.com>
+
+[ Upstream commit 265f70af805f33a0dfc90f50cc0f116f702c3811 ]
+
+For eMMC, High Speed DDR mode is not supported [0], so remove
+mmc-ddr-1_8v flag which adds the capability.
+
+[0] https://www.ti.com/lit/gpn/am625
+
+Fixes: c37c58fdeb8a ("arm64: dts: ti: k3-am62: Add more peripheral nodes")
+Cc: stable@vger.kernel.org
+Signed-off-by: Judith Mendez <jm@ti.com>
+Link: https://lore.kernel.org/r/20250707191250.3953990-1-jm@ti.com
+Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
+[ adapted context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/ti/k3-am62-main.dtsi |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/arch/arm64/boot/dts/ti/k3-am62-main.dtsi
++++ b/arch/arm64/boot/dts/ti/k3-am62-main.dtsi
+@@ -386,7 +386,6 @@
+ 		clock-names = "clk_ahb", "clk_xin";
+ 		assigned-clocks = <&k3_clks 57 6>;
+ 		assigned-clock-parents = <&k3_clks 57 8>;
+-		mmc-ddr-1_8v;
+ 		mmc-hs200-1_8v;
+ 		ti,trm-icp = <0x2>;
+ 		bus-width = <8>;
diff --git a/queue-6.1/drm-amd-display-don-t-overclock-dce-6-by-15.patch b/queue-6.1/drm-amd-display-don-t-overclock-dce-6-by-15.patch
new file mode 100644
index 0000000000..18d40be63c
--- /dev/null
+++ b/queue-6.1/drm-amd-display-don-t-overclock-dce-6-by-15.patch
@@ -0,0 +1,55 @@
+From stable+bounces-172669-greg=kroah.com@vger.kernel.org Sun Aug 24 02:31:19 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 Aug 2025 20:31:08 -0400
+Subject: drm/amd/display: Don't overclock DCE 6 by 15%
+To: stable@vger.kernel.org
+Cc: "Timur Kristóf" <timur.kristof@gmail.com>, "Alex Deucher" <alexander.deucher@amd.com>, "Rodrigo Siqueira" <siqueira@igalia.com>, "Alex Hung" <alex.hung@amd.com>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250824003109.2531974-1-sashal@kernel.org>
+
+From: Timur KristÃ³f <timur.kristof@gmail.com>
+
+[ Upstream commit cb7b7ae53b557d168b4af5cd8549f3eff920bfb5 ]
+
+The extra 15% clock was added as a workaround for a Polaris issue
+which uses DCE 11, and should not have been used on DCE 6 which
+is already hardcoded to the highest possible display clock.
+Unfortunately, the extra 15% was mistakenly copied and kept
+even on code paths which don't affect Polaris.
+
+This commit fixes that and also adds a check to make sure
+not to exceed the maximum DCE 6 display clock.
+
+Fixes: 8cd61c313d8b ("drm/amd/display: Raise dispclk value for Polaris")
+Fixes: dc88b4a684d2 ("drm/amd/display: make clk mgr soc specific")
+Fixes: 3ecb3b794e2c ("drm/amd/display: dc/clk_mgr: add support for SI parts (v2)")
+Signed-off-by: Timur KristÃ³f <timur.kristof@gmail.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Reviewed-by: Rodrigo Siqueira <siqueira@igalia.com>
+Reviewed-by: Alex Hung <alex.hung@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 427980c1cbd22bb256b9385f5ce73c0937562408)
+Cc: stable@vger.kernel.org
+[ `MIN` => `min` ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c |    8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c
++++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c
+@@ -112,11 +112,9 @@ static void dce60_update_clocks(struct c
+ {
+ 	struct clk_mgr_internal *clk_mgr_dce = TO_CLK_MGR_INTERNAL(clk_mgr_base);
+ 	struct dm_pp_power_level_change_request level_change_req;
+-	int patched_disp_clk = context->bw_ctx.bw.dce.dispclk_khz;
+-
+-	/*TODO: W/A for dal3 linux, investigate why this works */
+-	if (!clk_mgr_dce->dfs_bypass_active)
+-		patched_disp_clk = patched_disp_clk * 115 / 100;
++	const int max_disp_clk =
++		clk_mgr_dce->max_clks_by_state[DM_PP_CLOCKS_STATE_PERFORMANCE].display_clk_khz;
++	int patched_disp_clk = min(max_disp_clk, context->bw_ctx.bw.dce.dispclk_khz);
+ 
+ 	level_change_req.power_level = dce_get_required_clocks_state(clk_mgr_base, context);
+ 	/* get max clock state from PPLIB */
diff --git a/queue-6.1/drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch b/queue-6.1/drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch
new file mode 100644
index 0000000000..8559c8e568
--- /dev/null
+++ b/queue-6.1/drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch
@@ -0,0 +1,49 @@
+From stable+bounces-172590-greg=kroah.com@vger.kernel.org Sat Aug 23 15:17:10 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 Aug 2025 09:16:59 -0400
+Subject: drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS
+To: stable@vger.kernel.org
+Cc: "Imre Deak" <imre.deak@intel.com>, "Ville Syrjälä" <ville.syrjala@linux.intel.com>, "Jani Nikula" <jani.nikula@linux.intel.com>, "Jani Nikula" <jani.nikula@intel.com>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250823131659.2118893-1-sashal@kernel.org>
+
+From: Imre Deak <imre.deak@intel.com>
+
+[ Upstream commit a40c5d727b8111b5db424a1e43e14a1dcce1e77f ]
+
+Reading DPCD registers has side-effects in general. In particular
+accessing registers outside of the link training register range
+(0x102-0x106, 0x202-0x207, 0x200c-0x200f, 0x2216) is explicitly
+forbidden by the DP v2.1 Standard, see
+
+3.6.5.1 DPTX AUX Transaction Handling Mandates
+3.6.7.4 128b/132b DP Link Layer LTTPR Link Training Mandates
+
+Based on my tests, accessing the DPCD_REV register during the link
+training of an UHBR TBT DP tunnel sink leads to link training failures.
+
+Solve the above by using the DP_LANE0_1_STATUS (0x202) register for the
+DPCD register access quirk.
+
+Cc: <stable@vger.kernel.org>
+Cc: Ville SyrjÃ¤lÃ¤ <ville.syrjala@linux.intel.com>
+Cc: Jani Nikula <jani.nikula@linux.intel.com>
+Acked-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Imre Deak <imre.deak@intel.com>
+Link: https://lore.kernel.org/r/20250605082850.65136-2-imre.deak@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/display/drm_dp_helper.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/display/drm_dp_helper.c
++++ b/drivers/gpu/drm/display/drm_dp_helper.c
+@@ -663,7 +663,7 @@ ssize_t drm_dp_dpcd_read(struct drm_dp_a
+ 	 * monitor doesn't power down exactly after the throw away read.
+ 	 */
+ 	if (!aux->is_remote) {
+-		ret = drm_dp_dpcd_probe(aux, DP_DPCD_REV);
++		ret = drm_dp_dpcd_probe(aux, DP_LANE0_1_STATUS);
+ 		if (ret < 0)
+ 			return ret;
+ 	}
diff --git a/queue-6.1/ext4-preserve-sb_i_version-on-remount.patch b/queue-6.1/ext4-preserve-sb_i_version-on-remount.patch
new file mode 100644
index 0000000000..4235d4b3c7
--- /dev/null
+++ b/queue-6.1/ext4-preserve-sb_i_version-on-remount.patch
@@ -0,0 +1,60 @@
+From stable+bounces-172471-greg=kroah.com@vger.kernel.org Fri Aug 22 19:03:15 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 13:01:24 -0400
+Subject: ext4: preserve SB_I_VERSION on remount
+To: stable@vger.kernel.org
+Cc: Baokun Li <libaokun1@huawei.com>, stable@kernel.org, Jan Kara <jack@suse.cz>, Theodore Ts'o <tytso@mit.edu>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250822170124.1319222-1-sashal@kernel.org>
+
+From: Baokun Li <libaokun1@huawei.com>
+
+[ Upstream commit f2326fd14a224e4cccbab89e14c52279ff79b7ec ]
+
+IMA testing revealed that after an ext4 remount, file accesses triggered
+full measurements even without modifications, instead of skipping as
+expected when i_version is unchanged.
+
+Debugging showed `SB_I_VERSION` was cleared in reconfigure_super() during
+remount due to commit 1ff20307393e ("ext4: unconditionally enable the
+i_version counter") removing the fix from commit 960e0ab63b2e ("ext4: fix
+i_version handling on remount").
+
+To rectify this, `SB_I_VERSION` is always set for `fc->sb_flags` in
+ext4_init_fs_context(), instead of `sb->s_flags` in __ext4_fill_super(),
+ensuring it persists across all mounts.
+
+Cc: stable@kernel.org
+Fixes: 1ff20307393e ("ext4: unconditionally enable the i_version counter")
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://patch.msgid.link/20250703073903.6952-2-libaokun@huaweicloud.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+[ Adjust context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/super.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -1937,6 +1937,9 @@ int ext4_init_fs_context(struct fs_conte
+ 	fc->fs_private = ctx;
+ 	fc->ops = &ext4_context_ops;
+ 
++	/* i_version is always enabled now */
++	fc->sb_flags |= SB_I_VERSION;
++
+ 	return 0;
+ }
+ 
+@@ -5113,9 +5116,6 @@ static int __ext4_fill_super(struct fs_c
+ 	sb->s_flags = (sb->s_flags & ~SB_POSIXACL) |
+ 		(test_opt(sb, POSIX_ACL) ? SB_POSIXACL : 0);
+ 
+-	/* i_version is always enabled now */
+-	sb->s_flags |= SB_I_VERSION;
+-
+ 	if (ext4_check_feature_compatibility(sb, es, silent))
+ 		goto failed_mount;
+ 
diff --git a/queue-6.1/f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch b/queue-6.1/f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch
new file mode 100644
index 0000000000..83d84aff36
--- /dev/null
+++ b/queue-6.1/f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch
@@ -0,0 +1,75 @@
+From stable+bounces-172540-greg=kroah.com@vger.kernel.org Sat Aug 23 04:50:20 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 22:50:09 -0400
+Subject: f2fs: fix to avoid out-of-boundary access in dnode page
+To: stable@vger.kernel.org
+Cc: Chao Yu <chao@kernel.org>, stable@kernel.org, Jiaming Zhang <r772577952@gmail.com>, Jaegeuk Kim <jaegeuk@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250823025009.1694095-2-sashal@kernel.org>
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 77de19b6867f2740cdcb6c9c7e50d522b47847a4 ]
+
+As Jiaming Zhang reported:
+
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x1c1/0x2a0 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0x17e/0x800 mm/kasan/report.c:480
+ kasan_report+0x147/0x180 mm/kasan/report.c:593
+ data_blkaddr fs/f2fs/f2fs.h:3053 [inline]
+ f2fs_data_blkaddr fs/f2fs/f2fs.h:3058 [inline]
+ f2fs_get_dnode_of_data+0x1a09/0x1c40 fs/f2fs/node.c:855
+ f2fs_reserve_block+0x53/0x310 fs/f2fs/data.c:1195
+ prepare_write_begin fs/f2fs/data.c:3395 [inline]
+ f2fs_write_begin+0xf39/0x2190 fs/f2fs/data.c:3594
+ generic_perform_write+0x2c7/0x910 mm/filemap.c:4112
+ f2fs_buffered_write_iter fs/f2fs/file.c:4988 [inline]
+ f2fs_file_write_iter+0x1ec8/0x2410 fs/f2fs/file.c:5216
+ new_sync_write fs/read_write.c:593 [inline]
+ vfs_write+0x546/0xa90 fs/read_write.c:686
+ ksys_write+0x149/0x250 fs/read_write.c:738
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xf3/0x3d0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+The root cause is in the corrupted image, there is a dnode has the same
+node id w/ its inode, so during f2fs_get_dnode_of_data(), it tries to
+access block address in dnode at offset 934, however it parses the dnode
+as inode node, so that get_dnode_addr() returns 360, then it tries to
+access page address from 360 + 934 * 4 = 4096 w/ 4 bytes.
+
+To fix this issue, let's add sanity check for node id of all direct nodes
+during f2fs_get_dnode_of_data().
+
+Cc: stable@kernel.org
+Reported-by: Jiaming Zhang <r772577952@gmail.com>
+Closes: https://groups.google.com/g/syzkaller/c/-ZnaaOOfO3M
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/node.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/fs/f2fs/node.c
++++ b/fs/f2fs/node.c
+@@ -797,6 +797,16 @@ int f2fs_get_dnode_of_data(struct dnode_
+ 	for (i = 1; i <= level; i++) {
+ 		bool done = false;
+ 
++		if (nids[i] && nids[i] == dn->inode->i_ino) {
++			err = -EFSCORRUPTED;
++			f2fs_err(sbi,
++				"inode mapping table is corrupted, run fsck to fix it, "
++				"ino:%lu, nid:%u, level:%d, offset:%d",
++				dn->inode->i_ino, nids[i], level, offset[level]);
++			set_sbi_flag(sbi, SBI_NEED_FSCK);
++			goto release_pages;
++		}
++
+ 		if (!nids[i] && mode == ALLOC_NODE) {
+ 			/* alloc new node */
+ 			if (!f2fs_alloc_nid(sbi, &(nids[i]))) {
diff --git a/queue-6.1/f2fs-fix-to-call-clear_page_private_reference-in-.-release-invalid-_folio.patch b/queue-6.1/f2fs-fix-to-call-clear_page_private_reference-in-.-release-invalid-_folio.patch
new file mode 100644
index 0000000000..94edfa7b44
--- /dev/null
+++ b/queue-6.1/f2fs-fix-to-call-clear_page_private_reference-in-.-release-invalid-_folio.patch
@@ -0,0 +1,57 @@
+From stable+bounces-172539-greg=kroah.com@vger.kernel.org Sat Aug 23 04:50:35 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 22:50:08 -0400
+Subject: f2fs: fix to call clear_page_private_reference in .{release,invalid}_folio
+To: stable@vger.kernel.org
+Cc: Chao Yu <chao@kernel.org>, Jaegeuk Kim <jaegeuk@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250823025009.1694095-1-sashal@kernel.org>
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 6779b5db90c5b925293f7ccc5ed5336c5b24ed50 ]
+
+b763f3bedc2d ("f2fs: restructure f2fs page.private layout") missed
+to call clear_page_private_reference() in .{release,invalid}_folio,
+fix it, though it's not a big deal since folio_detach_private() was
+called to clear all privae info and reference count in the page.
+
+BTW, remove page_private_reference() definition as it never be used.
+
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Stable-dep-of: 77de19b6867f ("f2fs: fix to avoid out-of-boundary access in dnode page")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/data.c |    2 ++
+ fs/f2fs/f2fs.h |    1 -
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/f2fs/data.c
++++ b/fs/f2fs/data.c
+@@ -3729,6 +3729,7 @@ void f2fs_invalidate_folio(struct folio
+ 		}
+ 	}
+ 
++	clear_page_private_reference(&folio->page);
+ 	clear_page_private_gcing(&folio->page);
+ 
+ 	if (test_opt(sbi, COMPRESS_CACHE) &&
+@@ -3754,6 +3755,7 @@ bool f2fs_release_folio(struct folio *fo
+ 			clear_page_private_data(&folio->page);
+ 	}
+ 
++	clear_page_private_reference(&folio->page);
+ 	clear_page_private_gcing(&folio->page);
+ 
+ 	folio_detach_private(folio);
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -1428,7 +1428,6 @@ static inline void clear_page_private_##
+ }
+ 
+ PAGE_PRIVATE_GET_FUNC(nonpointer, NOT_POINTER);
+-PAGE_PRIVATE_GET_FUNC(reference, REF_RESOURCE);
+ PAGE_PRIVATE_GET_FUNC(inline, INLINE_INODE);
+ PAGE_PRIVATE_GET_FUNC(gcing, ONGOING_MIGRATION);
+ PAGE_PRIVATE_GET_FUNC(atomic, ATOMIC_WRITE);
diff --git a/queue-6.1/mm-memory-failure-fix-infinite-uce-for-vm_pfnmap-pfn.patch b/queue-6.1/mm-memory-failure-fix-infinite-uce-for-vm_pfnmap-pfn.patch
new file mode 100644
index 0000000000..7ee771a3aa
--- /dev/null
+++ b/queue-6.1/mm-memory-failure-fix-infinite-uce-for-vm_pfnmap-pfn.patch
@@ -0,0 +1,67 @@
+From stable+bounces-172672-greg=kroah.com@vger.kernel.org Sun Aug 24 02:36:36 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 Aug 2025 20:36:26 -0400
+Subject: mm/memory-failure: fix infinite UCE for VM_PFNMAP pfn
+To: stable@vger.kernel.org
+Cc: Jinjiang Tu <tujinjiang@huawei.com>, David Hildenbrand <david@redhat.com>, Miaohe Lin <linmiaohe@huawei.com>, Jane Chu <jane.chu@oracle.com>, Kefeng Wang <wangkefeng.wang@huawei.com>, Naoya Horiguchi <nao.horiguchi@gmail.com>, Oscar Salvador <osalvador@suse.de>, Shuai Xue <xueshuai@linux.alibaba.com>, Zi Yan <ziy@nvidia.com>, Andrew Morton <akpm@linux-foundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250824003626.2559323-1-sashal@kernel.org>
+
+From: Jinjiang Tu <tujinjiang@huawei.com>
+
+[ Upstream commit 2e6053fea379806269c4f7f5e36b523c9c0fb35c ]
+
+When memory_failure() is called for a already hwpoisoned pfn,
+kill_accessing_process() will be called to kill current task.  However, if
+the vma of the accessing vaddr is VM_PFNMAP, walk_page_range() will skip
+the vma in walk_page_test() and return 0.
+
+Before commit aaf99ac2ceb7 ("mm/hwpoison: do not send SIGBUS to processes
+with recovered clean pages"), kill_accessing_process() will return EFAULT.
+For x86, the current task will be killed in kill_me_maybe().
+
+However, after this commit, kill_accessing_process() simplies return 0,
+that means UCE is handled properly, but it doesn't actually.  In such
+case, the user task will trigger UCE infinitely.
+
+To fix it, add .test_walk callback for hwpoison_walk_ops to scan all vmas.
+
+Link: https://lkml.kernel.org/r/20250815073209.1984582-1-tujinjiang@huawei.com
+Fixes: aaf99ac2ceb7 ("mm/hwpoison: do not send SIGBUS to processes with recovered clean pages")
+Signed-off-by: Jinjiang Tu <tujinjiang@huawei.com>
+Acked-by: David Hildenbrand <david@redhat.com>
+Acked-by: Miaohe Lin <linmiaohe@huawei.com>
+Reviewed-by: Jane Chu <jane.chu@oracle.com>
+Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
+Cc: Naoya Horiguchi <nao.horiguchi@gmail.com>
+Cc: Oscar Salvador <osalvador@suse.de>
+Cc: Shuai Xue <xueshuai@linux.alibaba.com>
+Cc: Zi Yan <ziy@nvidia.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+[ Adjust context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/memory-failure.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/mm/memory-failure.c
++++ b/mm/memory-failure.c
+@@ -731,9 +731,17 @@ static int hwpoison_hugetlb_range(pte_t
+ #define hwpoison_hugetlb_range	NULL
+ #endif
+ 
++static int hwpoison_test_walk(unsigned long start, unsigned long end,
++			     struct mm_walk *walk)
++{
++	/* We also want to consider pages mapped into VM_PFNMAP. */
++	return 0;
++}
++
+ static const struct mm_walk_ops hwp_walk_ops = {
+ 	.pmd_entry = hwpoison_pte_range,
+ 	.hugetlb_entry = hwpoison_hugetlb_range,
++	.test_walk = hwpoison_test_walk,
+ };
+ 
+ /*
diff --git a/queue-6.1/mmc-sdhci-pci-gli-add-a-new-function-to-simplify-the-code.patch b/queue-6.1/mmc-sdhci-pci-gli-add-a-new-function-to-simplify-the-code.patch
new file mode 100644
index 0000000000..7ab5e49f92
--- /dev/null
+++ b/queue-6.1/mmc-sdhci-pci-gli-add-a-new-function-to-simplify-the-code.patch
@@ -0,0 +1,52 @@
+From stable+bounces-172655-greg=kroah.com@vger.kernel.org Sat Aug 23 18:55:13 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 Aug 2025 12:55:03 -0400
+Subject: mmc: sdhci-pci-gli: Add a new function to simplify the code
+To: stable@vger.kernel.org
+Cc: Victor Shih <victor.shih@genesyslogic.com.tw>, Adrian Hunter <adrian.hunter@intel.com>, Ulf Hansson <ulf.hansson@linaro.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250823165504.2340548-2-sashal@kernel.org>
+
+From: Victor Shih <victor.shih@genesyslogic.com.tw>
+
+[ Upstream commit dec8b38be4b35cae5f7fa086daf2631e2cfa09c1 ]
+
+In preparation to fix replay timer timeout, add
+sdhci_gli_mask_replay_timer_timeout() function
+to simplify some of the code, allowing it to be re-used.
+
+Signed-off-by: Victor Shih <victor.shih@genesyslogic.com.tw>
+Fixes: 1ae1d2d6e555 ("mmc: sdhci-pci-gli: Add Genesys Logic GL9763E support")
+Cc: stable@vger.kernel.org
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Link: https://lore.kernel.org/r/20250731065752.450231-2-victorshihgli@gmail.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Stable-dep-of: 340be332e420 ("mmc: sdhci-pci-gli: GL9763e: Mask the replay timer timeout of AER")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-pci-gli.c |   14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/mmc/host/sdhci-pci-gli.c
++++ b/drivers/mmc/host/sdhci-pci-gli.c
+@@ -156,6 +156,20 @@
+ #define GLI_MAX_TUNING_LOOP 40
+ 
+ /* Genesys Logic chipset */
++static void sdhci_gli_mask_replay_timer_timeout(struct pci_dev *pdev)
++{
++	int aer;
++	u32 value;
++
++	/* mask the replay timer timeout of AER */
++	aer = pci_find_ext_capability(pdev, PCI_EXT_CAP_ID_ERR);
++	if (aer) {
++		pci_read_config_dword(pdev, aer + PCI_ERR_COR_MASK, &value);
++		value |= PCI_ERR_COR_REP_TIMER;
++		pci_write_config_dword(pdev, aer + PCI_ERR_COR_MASK, value);
++	}
++}
++
+ static inline void gl9750_wt_on(struct sdhci_host *host)
+ {
+ 	u32 wt_value;
diff --git a/queue-6.1/mmc-sdhci-pci-gli-gl9763e-mask-the-replay-timer-timeout-of-aer.patch b/queue-6.1/mmc-sdhci-pci-gli-gl9763e-mask-the-replay-timer-timeout-of-aer.patch
new file mode 100644
index 0000000000..f5b8551891
--- /dev/null
+++ b/queue-6.1/mmc-sdhci-pci-gli-gl9763e-mask-the-replay-timer-timeout-of-aer.patch
@@ -0,0 +1,41 @@
+From stable+bounces-172656-greg=kroah.com@vger.kernel.org Sat Aug 23 18:55:40 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 Aug 2025 12:55:04 -0400
+Subject: mmc: sdhci-pci-gli: GL9763e: Mask the replay timer timeout of AER
+To: stable@vger.kernel.org
+Cc: Victor Shih <victor.shih@genesyslogic.com.tw>, Adrian Hunter <adrian.hunter@intel.com>, Ulf Hansson <ulf.hansson@linaro.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250823165504.2340548-3-sashal@kernel.org>
+
+From: Victor Shih <victor.shih@genesyslogic.com.tw>
+
+[ Upstream commit 340be332e420ed37d15d4169a1b4174e912ad6cb ]
+
+Due to a flaw in the hardware design, the GL9763e replay timer frequently
+times out when ASPM is enabled. As a result, the warning messages will
+often appear in the system log when the system accesses the GL9763e
+PCI config. Therefore, the replay timer timeout must be masked.
+
+Signed-off-by: Victor Shih <victor.shih@genesyslogic.com.tw>
+Fixes: 1ae1d2d6e555 ("mmc: sdhci-pci-gli: Add Genesys Logic GL9763E support")
+Cc: stable@vger.kernel.org
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Link: https://lore.kernel.org/r/20250731065752.450231-4-victorshihgli@gmail.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-pci-gli.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/mmc/host/sdhci-pci-gli.c
++++ b/drivers/mmc/host/sdhci-pci-gli.c
+@@ -988,6 +988,9 @@ static void gl9763e_hw_setting(struct sd
+ 	value |= FIELD_PREP(GLI_9763E_HS400_RXDLY, GLI_9763E_HS400_RXDLY_5);
+ 	pci_write_config_dword(pdev, PCIE_GLI_9763E_CLKRXDLY, value);
+ 
++	/* mask the replay timer timeout of AER */
++	sdhci_gli_mask_replay_timer_timeout(pdev);
++
+ 	pci_read_config_dword(pdev, PCIE_GLI_9763E_VHS, &value);
+ 	value &= ~GLI_9763E_VHS_REV;
+ 	value |= FIELD_PREP(GLI_9763E_VHS_REV, GLI_9763E_VHS_REV_R);
diff --git a/queue-6.1/mmc-sdhci-pci-gli-use-pci-aer-definitions-not-hard-coded-values.patch b/queue-6.1/mmc-sdhci-pci-gli-use-pci-aer-definitions-not-hard-coded-values.patch
new file mode 100644
index 0000000000..1c6fd26b62
--- /dev/null
+++ b/queue-6.1/mmc-sdhci-pci-gli-use-pci-aer-definitions-not-hard-coded-values.patch
@@ -0,0 +1,74 @@
+From stable+bounces-172654-greg=kroah.com@vger.kernel.org Sat Aug 23 18:55:28 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 Aug 2025 12:55:02 -0400
+Subject: mmc: sdhci-pci-gli: Use PCI AER definitions, not hard-coded values
+To: stable@vger.kernel.org
+Cc: Bjorn Helgaas <bhelgaas@google.com>, Ulf Hansson <ulf.hansson@linaro.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250823165504.2340548-1-sashal@kernel.org>
+
+From: Bjorn Helgaas <bhelgaas@google.com>
+
+[ Upstream commit 951b7ccc54591ba48755b5e0c7fc8b9623a64640 ]
+
+015c9cbcf0ad ("mmc: sdhci-pci-gli: GL9750: Mask the replay timer timeout of
+AER") added PCI_GLI_9750_CORRERR_MASK, the offset of the AER Capability in
+config space, and PCI_GLI_9750_CORRERR_MASK_REPLAY_TIMER_TIMEOUT, the
+Replay Timer Timeout bit in the AER Correctable Error Status register.
+
+Use pci_find_ext_capability() to locate the AER Capability and use the
+existing PCI_ERR_COR_REP_TIMER definition to mask the bit.
+
+This removes a little bit of unnecessarily device-specific code and makes
+AER-related things more greppable.
+
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Link: https://lore.kernel.org/r/20240327214831.1544595-2-helgaas@kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-pci-gli.c |   12 ++----------
+ 1 file changed, 2 insertions(+), 10 deletions(-)
+
+--- a/drivers/mmc/host/sdhci-pci-gli.c
++++ b/drivers/mmc/host/sdhci-pci-gli.c
+@@ -27,8 +27,6 @@
+ #define PCI_GLI_9750_PM_CTRL	0xFC
+ #define   PCI_GLI_9750_PM_STATE	  GENMASK(1, 0)
+ 
+-#define PCI_GLI_9750_CORRERR_MASK				0x214
+-#define   PCI_GLI_9750_CORRERR_MASK_REPLAY_TIMER_TIMEOUT	  BIT(12)
+ 
+ #define SDHCI_GLI_9750_CFG2          0x848
+ #define   SDHCI_GLI_9750_CFG2_L1DLY    GENMASK(28, 24)
+@@ -154,8 +152,6 @@
+ #define PCI_GLI_9755_PM_CTRL     0xFC
+ #define   PCI_GLI_9755_PM_STATE    GENMASK(1, 0)
+ 
+-#define PCI_GLI_9755_CORRERR_MASK				0x214
+-#define   PCI_GLI_9755_CORRERR_MASK_REPLAY_TIMER_TIMEOUT	  BIT(12)
+ 
+ #define GLI_MAX_TUNING_LOOP 40
+ 
+@@ -501,9 +497,7 @@ static void gl9750_hw_setting(struct sdh
+ 	pci_write_config_dword(pdev, PCI_GLI_9750_PM_CTRL, value);
+ 
+ 	/* mask the replay timer timeout of AER */
+-	pci_read_config_dword(pdev, PCI_GLI_9750_CORRERR_MASK, &value);
+-	value |= PCI_GLI_9750_CORRERR_MASK_REPLAY_TIMER_TIMEOUT;
+-	pci_write_config_dword(pdev, PCI_GLI_9750_CORRERR_MASK, value);
++	sdhci_gli_mask_replay_timer_timeout(pdev);
+ 
+ 	gl9750_wt_off(host);
+ }
+@@ -715,9 +709,7 @@ static void gl9755_hw_setting(struct sdh
+ 	pci_write_config_dword(pdev, PCI_GLI_9755_PM_CTRL, value);
+ 
+ 	/* mask the replay timer timeout of AER */
+-	pci_read_config_dword(pdev, PCI_GLI_9755_CORRERR_MASK, &value);
+-	value |= PCI_GLI_9755_CORRERR_MASK_REPLAY_TIMER_TIMEOUT;
+-	pci_write_config_dword(pdev, PCI_GLI_9755_CORRERR_MASK, value);
++	sdhci_gli_mask_replay_timer_timeout(pdev);
+ 
+ 	gl9755_wt_off(pdev);
+ }
diff --git a/queue-6.1/mptcp-disable-add_addr-retransmission-when-timeout-is-0.patch b/queue-6.1/mptcp-disable-add_addr-retransmission-when-timeout-is-0.patch
new file mode 100644
index 0000000000..b11e608dfd
--- /dev/null
+++ b/queue-6.1/mptcp-disable-add_addr-retransmission-when-timeout-is-0.patch
@@ -0,0 +1,108 @@
+From stable+bounces-172614-greg=kroah.com@vger.kernel.org Sat Aug 23 16:56:29 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 Aug 2025 10:55:34 -0400
+Subject: mptcp: disable add_addr retransmission when timeout is 0
+To: stable@vger.kernel.org
+Cc: Geliang Tang <tanggeliang@kylinos.cn>, Matthieu Baerts <matttbe@kernel.org>, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250823145534.2259284-1-sashal@kernel.org>
+
+From: Geliang Tang <tanggeliang@kylinos.cn>
+
+[ Upstream commit f5ce0714623cffd00bf2a83e890d09c609b7f50a ]
+
+When add_addr_timeout was set to 0, this caused the ADD_ADDR to be
+retransmitted immediately, which looks like a buggy behaviour. Instead,
+interpret 0 as "no retransmissions needed".
+
+The documentation is updated to explicitly state that setting the timeout
+to 0 disables retransmission.
+
+Fixes: 93f323b9cccc ("mptcp: add a new sysctl add_addr_timeout")
+Cc: stable@vger.kernel.org
+Suggested-by: Matthieu Baerts <matttbe@kernel.org>
+Signed-off-by: Geliang Tang <tanggeliang@kylinos.cn>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20250815-net-mptcp-misc-fixes-6-17-rc2-v1-5-521fe9957892@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ Apply to net/mptcp/pm_netlink.c , structural changes in mptcp_pm_alloc_anno_list ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/networking/mptcp-sysctl.rst |    2 ++
+ net/mptcp/pm_netlink.c                    |   18 ++++++++++++------
+ 2 files changed, 14 insertions(+), 6 deletions(-)
+
+--- a/Documentation/networking/mptcp-sysctl.rst
++++ b/Documentation/networking/mptcp-sysctl.rst
+@@ -20,6 +20,8 @@ add_addr_timeout - INTEGER (seconds)
+ 	resent to an MPTCP peer that has not acknowledged a previous
+ 	ADD_ADDR message.
+ 
++	Do not retransmit if set to 0.
++
+ 	The default value matches TCP_RTO_MAX. This is a per-namespace
+ 	sysctl.
+ 
+--- a/net/mptcp/pm_netlink.c
++++ b/net/mptcp/pm_netlink.c
+@@ -304,6 +304,7 @@ static void mptcp_pm_add_timer(struct ti
+ 	struct mptcp_pm_add_entry *entry = from_timer(entry, timer, add_timer);
+ 	struct mptcp_sock *msk = entry->sock;
+ 	struct sock *sk = (struct sock *)msk;
++	unsigned int timeout;
+ 
+ 	pr_debug("msk=%p\n", msk);
+ 
+@@ -321,6 +322,10 @@ static void mptcp_pm_add_timer(struct ti
+ 		goto out;
+ 	}
+ 
++	timeout = mptcp_get_add_addr_timeout(sock_net(sk));
++	if (!timeout)
++		goto out;
++
+ 	spin_lock_bh(&msk->pm.lock);
+ 
+ 	if (!mptcp_pm_should_add_signal_addr(msk)) {
+@@ -332,7 +337,7 @@ static void mptcp_pm_add_timer(struct ti
+ 
+ 	if (entry->retrans_times < ADD_ADDR_RETRANS_MAX)
+ 		sk_reset_timer(sk, timer,
+-			       jiffies + mptcp_get_add_addr_timeout(sock_net(sk)));
++			       jiffies + timeout);
+ 
+ 	spin_unlock_bh(&msk->pm.lock);
+ 
+@@ -374,6 +379,7 @@ bool mptcp_pm_alloc_anno_list(struct mpt
+ 	struct mptcp_pm_add_entry *add_entry = NULL;
+ 	struct sock *sk = (struct sock *)msk;
+ 	struct net *net = sock_net(sk);
++	unsigned int timeout;
+ 
+ 	lockdep_assert_held(&msk->pm.lock);
+ 
+@@ -383,9 +389,7 @@ bool mptcp_pm_alloc_anno_list(struct mpt
+ 		if (WARN_ON_ONCE(mptcp_pm_is_kernel(msk)))
+ 			return false;
+ 
+-		sk_reset_timer(sk, &add_entry->add_timer,
+-			       jiffies + mptcp_get_add_addr_timeout(net));
+-		return true;
++		goto reset_timer;
+ 	}
+ 
+ 	add_entry = kmalloc(sizeof(*add_entry), GFP_ATOMIC);
+@@ -399,8 +403,10 @@ bool mptcp_pm_alloc_anno_list(struct mpt
+ 	add_entry->retrans_times = 0;
+ 
+ 	timer_setup(&add_entry->add_timer, mptcp_pm_add_timer, 0);
+-	sk_reset_timer(sk, &add_entry->add_timer,
+-		       jiffies + mptcp_get_add_addr_timeout(net));
++reset_timer:
++	timeout = mptcp_get_add_addr_timeout(net);
++	if (timeout)
++		sk_reset_timer(sk, &add_entry->add_timer, jiffies + timeout);
+ 
+ 	return true;
+ }
diff --git a/queue-6.1/mptcp-remove-duplicate-sk_reset_timer-call.patch b/queue-6.1/mptcp-remove-duplicate-sk_reset_timer-call.patch
new file mode 100644
index 0000000000..ea21612f5d
--- /dev/null
+++ b/queue-6.1/mptcp-remove-duplicate-sk_reset_timer-call.patch
@@ -0,0 +1,60 @@
+From stable+bounces-172607-greg=kroah.com@vger.kernel.org Sat Aug 23 16:34:14 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 Aug 2025 10:34:06 -0400
+Subject: mptcp: remove duplicate sk_reset_timer call
+To: stable@vger.kernel.org
+Cc: Geliang Tang <geliang@kernel.org>, Geliang Tang <tanggeliang@kylinos.cn>, "Matthieu Baerts (NGI0)" <matttbe@kernel.org>, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250823143406.2247894-1-sashal@kernel.org>
+
+From: Geliang Tang <geliang@kernel.org>
+
+[ Upstream commit 5d13349472ac8abcbcb94407969aa0fdc2e1f1be ]
+
+sk_reset_timer() was called twice in mptcp_pm_alloc_anno_list.
+
+Simplify the code by using a 'goto' statement to eliminate the
+duplication.
+
+Note that this is not a fix, but it will help backporting the following
+patch. The same "Fixes" tag has been added for this reason.
+
+Fixes: 93f323b9cccc ("mptcp: add a new sysctl add_addr_timeout")
+Cc: stable@vger.kernel.org
+Signed-off-by: Geliang Tang <tanggeliang@kylinos.cn>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20250815-net-mptcp-misc-fixes-6-17-rc2-v1-4-521fe9957892@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ adjusted function location from pm.c to pm_netlink.c ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/pm_netlink.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/net/mptcp/pm_netlink.c b/net/mptcp/pm_netlink.c
+index 3391d4df2dbb..1f22c434d122 100644
+--- a/net/mptcp/pm_netlink.c
++++ b/net/mptcp/pm_netlink.c
+@@ -383,9 +383,7 @@ bool mptcp_pm_alloc_anno_list(struct mptcp_sock *msk,
+ 		if (WARN_ON_ONCE(mptcp_pm_is_kernel(msk)))
+ 			return false;
+ 
+-		sk_reset_timer(sk, &add_entry->add_timer,
+-			       jiffies + mptcp_get_add_addr_timeout(net));
+-		return true;
++		goto reset_timer;
+ 	}
+ 
+ 	add_entry = kmalloc(sizeof(*add_entry), GFP_ATOMIC);
+@@ -399,6 +397,7 @@ bool mptcp_pm_alloc_anno_list(struct mptcp_sock *msk,
+ 	add_entry->retrans_times = 0;
+ 
+ 	timer_setup(&add_entry->add_timer, mptcp_pm_add_timer, 0);
++reset_timer:
+ 	sk_reset_timer(sk, &add_entry->add_timer,
+ 		       jiffies + mptcp_get_add_addr_timeout(net));
+ 
+-- 
+2.50.1
+
diff --git a/queue-6.1/pci-rockchip-set-target-link-speed-to-5.0-gt-s-before-retraining.patch b/queue-6.1/pci-rockchip-set-target-link-speed-to-5.0-gt-s-before-retraining.patch
new file mode 100644
index 0000000000..bd7db71fc1
--- /dev/null
+++ b/queue-6.1/pci-rockchip-set-target-link-speed-to-5.0-gt-s-before-retraining.patch
@@ -0,0 +1,44 @@
+From stable+bounces-172521-greg=kroah.com@vger.kernel.org Fri Aug 22 22:55:57 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 16:55:44 -0400
+Subject: PCI: rockchip: Set Target Link Speed to 5.0 GT/s before retraining
+To: stable@vger.kernel.org
+Cc: Geraldo Nascimento <geraldogabriel@gmail.com>, Manivannan Sadhasivam <mani@kernel.org>, Bjorn Helgaas <bhelgaas@google.com>, Robin Murphy <robin.murphy@arm.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250822205544.1528134-2-sashal@kernel.org>
+
+From: Geraldo Nascimento <geraldogabriel@gmail.com>
+
+[ Upstream commit 114b06ee108cabc82b995fbac6672230a9776936 ]
+
+Rockchip controllers can support up to 5.0 GT/s link speed. But the driver
+doesn't set the Target Link Speed currently. This may cause failure in
+retraining the link to 5.0 GT/s if supported by the endpoint. So set the
+Target Link Speed to 5.0 GT/s in the Link Control and Status Register 2.
+
+Fixes: e77f847df54c ("PCI: rockchip: Add Rockchip PCIe controller support")
+Signed-off-by: Geraldo Nascimento <geraldogabriel@gmail.com>
+[mani: fixed whitespace warning, commit message rewording, added fixes tag]
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Tested-by: Robin Murphy <robin.murphy@arm.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/0afa6bc47b7f50e2e81b0b47d51c66feb0fb565f.1751322015.git.geraldogabriel@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/controller/pcie-rockchip-host.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/pci/controller/pcie-rockchip-host.c
++++ b/drivers/pci/controller/pcie-rockchip-host.c
+@@ -342,6 +342,10 @@ static int rockchip_pcie_host_init_port(
+ 		 * Enable retrain for gen2. This should be configured only after
+ 		 * gen1 finished.
+ 		 */
++		status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCTL2);
++		status &= ~PCI_EXP_LNKCTL2_TLS;
++		status |= PCI_EXP_LNKCTL2_TLS_5_0GT;
++		rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCTL2);
+ 		status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCTL);
+ 		status |= PCI_EXP_LNKCTL_RL;
+ 		rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCTL);
diff --git a/queue-6.1/pci-rockchip-use-standard-pcie-definitions.patch b/queue-6.1/pci-rockchip-use-standard-pcie-definitions.patch
new file mode 100644
index 0000000000..ecad615291
--- /dev/null
+++ b/queue-6.1/pci-rockchip-use-standard-pcie-definitions.patch
@@ -0,0 +1,162 @@
+From stable+bounces-172520-greg=kroah.com@vger.kernel.org Fri Aug 22 22:55:53 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 16:55:43 -0400
+Subject: PCI: rockchip: Use standard PCIe definitions
+To: stable@vger.kernel.org
+Cc: Geraldo Nascimento <geraldogabriel@gmail.com>, Bjorn Helgaas <bhelgaas@google.com>, Manivannan Sadhasivam <mani@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250822205544.1528134-1-sashal@kernel.org>
+
+From: Geraldo Nascimento <geraldogabriel@gmail.com>
+
+[ Upstream commit cbbfe9f683f0f9b6a1da2eaa53b995a4b5961086 ]
+
+Current code uses custom-defined register offsets and bitfields for the
+standard PCIe registers. This creates duplication as the PCI header already
+defines them. So, switch to using the standard PCIe definitions and drop
+the custom ones.
+
+Suggested-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Geraldo Nascimento <geraldogabriel@gmail.com>
+[mani: commit message rewording]
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+[bhelgaas: include bitfield.h]
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Link: https://patch.msgid.link/e81700ef4b49f584bc8834bfb07b6d8995fc1f42.1751322015.git.geraldogabriel@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/controller/pcie-rockchip-host.c |   45 ++++++++++++++--------------
+ drivers/pci/controller/pcie-rockchip.h      |   11 ------
+ 2 files changed, 24 insertions(+), 32 deletions(-)
+
+--- a/drivers/pci/controller/pcie-rockchip-host.c
++++ b/drivers/pci/controller/pcie-rockchip-host.c
+@@ -11,6 +11,7 @@
+  * ARM PCI Host generic driver.
+  */
+ 
++#include <linux/bitfield.h>
+ #include <linux/bitrev.h>
+ #include <linux/clk.h>
+ #include <linux/delay.h>
+@@ -43,18 +44,18 @@ static void rockchip_pcie_enable_bw_int(
+ {
+ 	u32 status;
+ 
+-	status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_LCS);
++	status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCTL);
+ 	status |= (PCI_EXP_LNKCTL_LBMIE | PCI_EXP_LNKCTL_LABIE);
+-	rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_LCS);
++	rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCTL);
+ }
+ 
+ static void rockchip_pcie_clr_bw_int(struct rockchip_pcie *rockchip)
+ {
+ 	u32 status;
+ 
+-	status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_LCS);
++	status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCTL);
+ 	status |= (PCI_EXP_LNKSTA_LBMS | PCI_EXP_LNKSTA_LABS) << 16;
+-	rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_LCS);
++	rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCTL);
+ }
+ 
+ static void rockchip_pcie_update_txcredit_mui(struct rockchip_pcie *rockchip)
+@@ -272,7 +273,7 @@ static void rockchip_pcie_set_power_limi
+ 	scale = 3; /* 0.001x */
+ 	curr = curr / 1000; /* convert to mA */
+ 	power = (curr * 3300) / 1000; /* milliwatt */
+-	while (power > PCIE_RC_CONFIG_DCR_CSPL_LIMIT) {
++	while (power > FIELD_MAX(PCI_EXP_DEVCAP_PWR_VAL)) {
+ 		if (!scale) {
+ 			dev_warn(rockchip->dev, "invalid power supply\n");
+ 			return;
+@@ -281,10 +282,10 @@ static void rockchip_pcie_set_power_limi
+ 		power = power / 10;
+ 	}
+ 
+-	status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_DCR);
+-	status |= (power << PCIE_RC_CONFIG_DCR_CSPL_SHIFT) |
+-		  (scale << PCIE_RC_CONFIG_DCR_CPLS_SHIFT);
+-	rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_DCR);
++	status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_CR + PCI_EXP_DEVCAP);
++	status |= FIELD_PREP(PCI_EXP_DEVCAP_PWR_VAL, power);
++	status |= FIELD_PREP(PCI_EXP_DEVCAP_PWR_SCL, scale);
++	rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_CR + PCI_EXP_DEVCAP);
+ }
+ 
+ /**
+@@ -312,14 +313,14 @@ static int rockchip_pcie_host_init_port(
+ 	rockchip_pcie_set_power_limit(rockchip);
+ 
+ 	/* Set RC's clock architecture as common clock */
+-	status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_LCS);
++	status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCTL);
+ 	status |= PCI_EXP_LNKSTA_SLC << 16;
+-	rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_LCS);
++	rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCTL);
+ 
+ 	/* Set RC's RCB to 128 */
+-	status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_LCS);
++	status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCTL);
+ 	status |= PCI_EXP_LNKCTL_RCB;
+-	rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_LCS);
++	rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCTL);
+ 
+ 	/* Enable Gen1 training */
+ 	rockchip_pcie_write(rockchip, PCIE_CLIENT_LINK_TRAIN_ENABLE,
+@@ -341,9 +342,9 @@ static int rockchip_pcie_host_init_port(
+ 		 * Enable retrain for gen2. This should be configured only after
+ 		 * gen1 finished.
+ 		 */
+-		status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_LCS);
++		status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCTL);
+ 		status |= PCI_EXP_LNKCTL_RL;
+-		rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_LCS);
++		rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCTL);
+ 
+ 		err = readl_poll_timeout(rockchip->apb_base + PCIE_CORE_CTRL,
+ 					 status, PCIE_LINK_IS_GEN2(status), 20,
+@@ -380,15 +381,15 @@ static int rockchip_pcie_host_init_port(
+ 
+ 	/* Clear L0s from RC's link cap */
+ 	if (of_property_read_bool(dev->of_node, "aspm-no-l0s")) {
+-		status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_LINK_CAP);
+-		status &= ~PCIE_RC_CONFIG_LINK_CAP_L0S;
+-		rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_LINK_CAP);
++		status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCAP);
++		status &= ~PCI_EXP_LNKCAP_ASPM_L0S;
++		rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCAP);
+ 	}
+ 
+-	status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_DCSR);
+-	status &= ~PCIE_RC_CONFIG_DCSR_MPS_MASK;
+-	status |= PCIE_RC_CONFIG_DCSR_MPS_256;
+-	rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_DCSR);
++	status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_CR + PCI_EXP_DEVCTL);
++	status &= ~PCI_EXP_DEVCTL_PAYLOAD;
++	status |= PCI_EXP_DEVCTL_PAYLOAD_256B;
++	rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_CR + PCI_EXP_DEVCTL);
+ 
+ 	return 0;
+ err_power_off_phy:
+--- a/drivers/pci/controller/pcie-rockchip.h
++++ b/drivers/pci/controller/pcie-rockchip.h
+@@ -144,16 +144,7 @@
+ #define PCIE_EP_CONFIG_BASE		0xa00000
+ #define PCIE_EP_CONFIG_DID_VID		(PCIE_EP_CONFIG_BASE + 0x00)
+ #define PCIE_RC_CONFIG_RID_CCR		(PCIE_RC_CONFIG_BASE + 0x08)
+-#define PCIE_RC_CONFIG_DCR		(PCIE_RC_CONFIG_BASE + 0xc4)
+-#define   PCIE_RC_CONFIG_DCR_CSPL_SHIFT		18
+-#define   PCIE_RC_CONFIG_DCR_CSPL_LIMIT		0xff
+-#define   PCIE_RC_CONFIG_DCR_CPLS_SHIFT		26
+-#define PCIE_RC_CONFIG_DCSR		(PCIE_RC_CONFIG_BASE + 0xc8)
+-#define   PCIE_RC_CONFIG_DCSR_MPS_MASK		GENMASK(7, 5)
+-#define   PCIE_RC_CONFIG_DCSR_MPS_256		(0x1 << 5)
+-#define PCIE_RC_CONFIG_LINK_CAP		(PCIE_RC_CONFIG_BASE + 0xcc)
+-#define   PCIE_RC_CONFIG_LINK_CAP_L0S		BIT(10)
+-#define PCIE_RC_CONFIG_LCS		(PCIE_RC_CONFIG_BASE + 0xd0)
++#define PCIE_RC_CONFIG_CR		(PCIE_RC_CONFIG_BASE + 0xc0)
+ #define PCIE_RC_CONFIG_L1_SUBSTATE_CTRL2 (PCIE_RC_CONFIG_BASE + 0x90c)
+ #define PCIE_RC_CONFIG_THP_CAP		(PCIE_RC_CONFIG_BASE + 0x274)
+ #define   PCIE_RC_CONFIG_THP_CAP_NEXT_MASK	GENMASK(31, 20)
diff --git a/queue-6.1/scsi-mpi3mr-drop-unnecessary-volatile-from-__iomem-pointers.patch b/queue-6.1/scsi-mpi3mr-drop-unnecessary-volatile-from-__iomem-pointers.patch
new file mode 100644
index 0000000000..abf3d82b36
--- /dev/null
+++ b/queue-6.1/scsi-mpi3mr-drop-unnecessary-volatile-from-__iomem-pointers.patch
@@ -0,0 +1,56 @@
+From stable+bounces-172455-greg=kroah.com@vger.kernel.org Fri Aug 22 17:14:06 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 11:10:12 -0400
+Subject: scsi: mpi3mr: Drop unnecessary volatile from __iomem pointers
+To: stable@vger.kernel.org
+Cc: Ranjan Kumar <ranjan.kumar@broadcom.com>, "Martin K. Petersen" <martin.petersen@oracle.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250822151013.1280211-1-sashal@kernel.org>
+
+From: Ranjan Kumar <ranjan.kumar@broadcom.com>
+
+[ Upstream commit 6853885b21cb1d7157cc14c9d30cc17141565bae ]
+
+The volatile qualifier is redundant for __iomem pointers.
+
+Cleaned up usage in mpi3mr_writeq() and sysif_regs pointer as per
+Upstream compliance.
+
+Signed-off-by: Ranjan Kumar <ranjan.kumar@broadcom.com>
+Link: https://lore.kernel.org/r/20250627194539.48851-3-ranjan.kumar@broadcom.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Stable-dep-of: c91e140c82eb ("scsi: mpi3mr: Serialize admin queue BAR writes on 32-bit systems")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/mpi3mr/mpi3mr.h    |    2 +-
+ drivers/scsi/mpi3mr/mpi3mr_fw.c |    4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/scsi/mpi3mr/mpi3mr.h
++++ b/drivers/scsi/mpi3mr/mpi3mr.h
+@@ -1035,7 +1035,7 @@ struct mpi3mr_ioc {
+ 	char name[MPI3MR_NAME_LENGTH];
+ 	char driver_name[MPI3MR_NAME_LENGTH];
+ 
+-	volatile struct mpi3_sysif_registers __iomem *sysif_regs;
++	struct mpi3_sysif_registers __iomem *sysif_regs;
+ 	resource_size_t sysif_regs_phys;
+ 	int bars;
+ 	u64 dma_mask;
+--- a/drivers/scsi/mpi3mr/mpi3mr_fw.c
++++ b/drivers/scsi/mpi3mr/mpi3mr_fw.c
+@@ -23,12 +23,12 @@ module_param(poll_queues, int, 0444);
+ MODULE_PARM_DESC(poll_queues, "Number of queues for io_uring poll mode. (Range 1 - 126)");
+ 
+ #if defined(writeq) && defined(CONFIG_64BIT)
+-static inline void mpi3mr_writeq(__u64 b, volatile void __iomem *addr)
++static inline void mpi3mr_writeq(__u64 b, void __iomem *addr)
+ {
+ 	writeq(b, addr);
+ }
+ #else
+-static inline void mpi3mr_writeq(__u64 b, volatile void __iomem *addr)
++static inline void mpi3mr_writeq(__u64 b, void __iomem *addr)
+ {
+ 	__u64 data_out = b;
+ 
diff --git a/queue-6.1/scsi-mpi3mr-serialize-admin-queue-bar-writes-on-32-bit-systems.patch b/queue-6.1/scsi-mpi3mr-serialize-admin-queue-bar-writes-on-32-bit-systems.patch
new file mode 100644
index 0000000000..55dc94c4c9
--- /dev/null
+++ b/queue-6.1/scsi-mpi3mr-serialize-admin-queue-bar-writes-on-32-bit-systems.patch
@@ -0,0 +1,104 @@
+From stable+bounces-172456-greg=kroah.com@vger.kernel.org Fri Aug 22 17:17:59 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 11:10:13 -0400
+Subject: scsi: mpi3mr: Serialize admin queue BAR writes on 32-bit systems
+To: stable@vger.kernel.org
+Cc: Ranjan Kumar <ranjan.kumar@broadcom.com>, "Martin K. Petersen" <martin.petersen@oracle.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250822151013.1280211-2-sashal@kernel.org>
+
+From: Ranjan Kumar <ranjan.kumar@broadcom.com>
+
+[ Upstream commit c91e140c82eb58724c435f623702e51cc7896646 ]
+
+On 32-bit systems, 64-bit BAR writes to admin queue registers are
+performed as two 32-bit writes. Without locking, this can cause partial
+writes when accessed concurrently.
+
+Updated per-queue spinlocks is used to serialize these writes and prevent
+race conditions.
+
+Fixes: 824a156633df ("scsi: mpi3mr: Base driver code")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ranjan Kumar <ranjan.kumar@broadcom.com>
+Link: https://lore.kernel.org/r/20250627194539.48851-4-ranjan.kumar@broadcom.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/mpi3mr/mpi3mr.h    |    4 ++++
+ drivers/scsi/mpi3mr/mpi3mr_fw.c |   15 +++++++++++----
+ drivers/scsi/mpi3mr/mpi3mr_os.c |    2 ++
+ 3 files changed, 17 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/mpi3mr/mpi3mr.h
++++ b/drivers/scsi/mpi3mr/mpi3mr.h
+@@ -1005,6 +1005,8 @@ struct scmd_priv {
+  * @logdata_buf: Circular buffer to store log data entries
+  * @logdata_buf_idx: Index of entry in buffer to store
+  * @logdata_entry_sz: log data entry size
++ * @adm_req_q_bar_writeq_lock: Admin request queue lock
++ * @adm_reply_q_bar_writeq_lock: Admin reply queue lock
+  * @pend_large_data_sz: Counter to track pending large data
+  * @io_throttle_data_length: I/O size to track in 512b blocks
+  * @io_throttle_high: I/O size to start throttle in 512b blocks
+@@ -1186,6 +1188,8 @@ struct mpi3mr_ioc {
+ 	u8 *logdata_buf;
+ 	u16 logdata_buf_idx;
+ 	u16 logdata_entry_sz;
++	spinlock_t adm_req_q_bar_writeq_lock;
++	spinlock_t adm_reply_q_bar_writeq_lock;
+ 
+ 	atomic_t pend_large_data_sz;
+ 	u32 io_throttle_data_length;
+--- a/drivers/scsi/mpi3mr/mpi3mr_fw.c
++++ b/drivers/scsi/mpi3mr/mpi3mr_fw.c
+@@ -23,17 +23,22 @@ module_param(poll_queues, int, 0444);
+ MODULE_PARM_DESC(poll_queues, "Number of queues for io_uring poll mode. (Range 1 - 126)");
+ 
+ #if defined(writeq) && defined(CONFIG_64BIT)
+-static inline void mpi3mr_writeq(__u64 b, void __iomem *addr)
++static inline void mpi3mr_writeq(__u64 b, void __iomem *addr,
++	spinlock_t *write_queue_lock)
+ {
+ 	writeq(b, addr);
+ }
+ #else
+-static inline void mpi3mr_writeq(__u64 b, void __iomem *addr)
++static inline void mpi3mr_writeq(__u64 b, void __iomem *addr,
++	spinlock_t *write_queue_lock)
+ {
+ 	__u64 data_out = b;
++	unsigned long flags;
+ 
++	spin_lock_irqsave(write_queue_lock, flags);
+ 	writel((u32)(data_out), addr);
+ 	writel((u32)(data_out >> 32), (addr + 4));
++	spin_unlock_irqrestore(write_queue_lock, flags);
+ }
+ #endif
+ 
+@@ -2662,9 +2667,11 @@ static int mpi3mr_setup_admin_qpair(stru
+ 	    (mrioc->num_admin_req);
+ 	writel(num_admin_entries, &mrioc->sysif_regs->admin_queue_num_entries);
+ 	mpi3mr_writeq(mrioc->admin_req_dma,
+-	    &mrioc->sysif_regs->admin_request_queue_address);
++		&mrioc->sysif_regs->admin_request_queue_address,
++		&mrioc->adm_req_q_bar_writeq_lock);
+ 	mpi3mr_writeq(mrioc->admin_reply_dma,
+-	    &mrioc->sysif_regs->admin_reply_queue_address);
++		&mrioc->sysif_regs->admin_reply_queue_address,
++		&mrioc->adm_reply_q_bar_writeq_lock);
+ 	writel(mrioc->admin_req_pi, &mrioc->sysif_regs->admin_request_queue_pi);
+ 	writel(mrioc->admin_reply_ci, &mrioc->sysif_regs->admin_reply_queue_ci);
+ 	return retval;
+--- a/drivers/scsi/mpi3mr/mpi3mr_os.c
++++ b/drivers/scsi/mpi3mr/mpi3mr_os.c
+@@ -4966,6 +4966,8 @@ mpi3mr_probe(struct pci_dev *pdev, const
+ 	spin_lock_init(&mrioc->tgtdev_lock);
+ 	spin_lock_init(&mrioc->watchdog_lock);
+ 	spin_lock_init(&mrioc->chain_buf_lock);
++	spin_lock_init(&mrioc->adm_req_q_bar_writeq_lock);
++	spin_lock_init(&mrioc->adm_reply_q_bar_writeq_lock);
+ 	spin_lock_init(&mrioc->sas_node_lock);
+ 
+ 	INIT_LIST_HEAD(&mrioc->fwevt_list);
diff --git a/queue-6.1/scsi-ufs-exynos-fix-programming-of-hci_utrl_nexus_type.patch b/queue-6.1/scsi-ufs-exynos-fix-programming-of-hci_utrl_nexus_type.patch
new file mode 100644
index 0000000000..0b04036789
--- /dev/null
+++ b/queue-6.1/scsi-ufs-exynos-fix-programming-of-hci_utrl_nexus_type.patch
@@ -0,0 +1,58 @@
+From stable+bounces-172474-greg=kroah.com@vger.kernel.org Fri Aug 22 19:06:56 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 13:06:46 -0400
+Subject: scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE
+To: stable@vger.kernel.org
+Cc: "André Draszik" <andre.draszik@linaro.org>, "Bart Van Assche" <bvanassche@acm.org>, "Peter Griffin" <peter.griffin@linaro.org>, "Martin K. Petersen" <martin.petersen@oracle.com>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250822170646.1321395-1-sashal@kernel.org>
+
+From: AndrÃ© Draszik <andre.draszik@linaro.org>
+
+[ Upstream commit 01aad16c2257ab8ff33b152b972c9f2e1af47912 ]
+
+On Google gs101, the number of UTP transfer request slots (nutrs) is 32,
+and in this case the driver ends up programming the UTRL_NEXUS_TYPE
+incorrectly as 0.
+
+This is because the left hand side of the shift is 1, which is of type
+int, i.e. 31 bits wide. Shifting by more than that width results in
+undefined behaviour.
+
+Fix this by switching to the BIT() macro, which applies correct type
+casting as required. This ensures the correct value is written to
+UTRL_NEXUS_TYPE (0xffffffff on gs101), and it also fixes a UBSAN shift
+warning:
+
+    UBSAN: shift-out-of-bounds in drivers/ufs/host/ufs-exynos.c:1113:21
+    shift exponent 32 is too large for 32-bit type 'int'
+
+For consistency, apply the same change to the nutmrs / UTMRL_NEXUS_TYPE
+write.
+
+Fixes: 55f4b1f73631 ("scsi: ufs: ufs-exynos: Add UFS host support for Exynos SoCs")
+Cc: stable@vger.kernel.org
+Signed-off-by: AndrÃ© Draszik <andre.draszik@linaro.org>
+Link: https://lore.kernel.org/r/20250707-ufs-exynos-shift-v1-1-1418e161ae40@linaro.org
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Peter Griffin <peter.griffin@linaro.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+[ Adapted context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ufs/host/ufs-exynos.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/ufs/host/ufs-exynos.c
++++ b/drivers/ufs/host/ufs-exynos.c
+@@ -1028,8 +1028,8 @@ static int exynos_ufs_post_link(struct u
+ 	hci_writel(ufs, 0xa, HCI_DATA_REORDER);
+ 	hci_writel(ufs, PRDT_SET_SIZE(12), HCI_TXPRDT_ENTRY_SIZE);
+ 	hci_writel(ufs, PRDT_SET_SIZE(12), HCI_RXPRDT_ENTRY_SIZE);
+-	hci_writel(ufs, (1 << hba->nutrs) - 1, HCI_UTRL_NEXUS_TYPE);
+-	hci_writel(ufs, (1 << hba->nutmrs) - 1, HCI_UTMRL_NEXUS_TYPE);
++	hci_writel(ufs, BIT(hba->nutrs) - 1, HCI_UTRL_NEXUS_TYPE);
++	hci_writel(ufs, BIT(hba->nutmrs) - 1, HCI_UTMRL_NEXUS_TYPE);
+ 	hci_writel(ufs, 0xf, HCI_AXIDMA_RWDATA_BURST_LEN);
+ 
+ 	if (ufs->opts & EXYNOS_UFS_OPT_SKIP_CONNECTION_ESTAB)
diff --git a/queue-6.1/series b/queue-6.1/series
index 0865cf8e86..a43dee84cd 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -421,3 +421,22 @@ usb-storage-realtek_cr-use-correct-byte-order-for-bcs-residue.patch
 usb-storage-ignore-driver-cd-mode-for-realtek-multi-mode-wi-fi-dongles.patch
 usb-dwc3-ignore-late-xfernotready-event-to-prevent-halt-timeout.patch
 usb-dwc3-remove-warn_on-for-device-endpoint-command-timeouts.patch
+arm64-dts-ti-k3-am62-main-remove-emmc-high-speed-ddr-support.patch
+scsi-ufs-exynos-fix-programming-of-hci_utrl_nexus_type.patch
+ext4-preserve-sb_i_version-on-remount.patch
+scsi-mpi3mr-drop-unnecessary-volatile-from-__iomem-pointers.patch
+scsi-mpi3mr-serialize-admin-queue-bar-writes-on-32-bit-systems.patch
+pci-rockchip-use-standard-pcie-definitions.patch
+pci-rockchip-set-target-link-speed-to-5.0-gt-s-before-retraining.patch
+soc-qcom-mdt_loader-enhance-split-binary-detection.patch
+soc-qcom-mdt_loader-ensure-we-don-t-read-past-the-elf-header.patch
+f2fs-fix-to-call-clear_page_private_reference-in-.-release-invalid-_folio.patch
+f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch
+mptcp-disable-add_addr-retransmission-when-timeout-is-0.patch
+drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch
+mmc-sdhci-pci-gli-use-pci-aer-definitions-not-hard-coded-values.patch
+mmc-sdhci-pci-gli-add-a-new-function-to-simplify-the-code.patch
+mmc-sdhci-pci-gli-gl9763e-mask-the-replay-timer-timeout-of-aer.patch
+mm-memory-failure-fix-infinite-uce-for-vm_pfnmap-pfn.patch
+drm-amd-display-don-t-overclock-dce-6-by-15.patch
+mptcp-remove-duplicate-sk_reset_timer-call.patch
diff --git a/queue-6.1/soc-qcom-mdt_loader-enhance-split-binary-detection.patch b/queue-6.1/soc-qcom-mdt_loader-enhance-split-binary-detection.patch
new file mode 100644
index 0000000000..0ea595b03b
--- /dev/null
+++ b/queue-6.1/soc-qcom-mdt_loader-enhance-split-binary-detection.patch
@@ -0,0 +1,86 @@
+From stable+bounces-172478-greg=kroah.com@vger.kernel.org Fri Aug 22 19:20:12 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 13:20:04 -0400
+Subject: soc: qcom: mdt_loader: Enhance split binary detection
+To: stable@vger.kernel.org
+Cc: Gokul krishna Krishnakumar <quic_gokukris@quicinc.com>, Melody Olvera <quic_molvera@quicinc.com>, Bjorn Andersson <andersson@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250822172005.1328408-1-sashal@kernel.org>
+
+From: Gokul krishna Krishnakumar <quic_gokukris@quicinc.com>
+
+[ Upstream commit 210d12c8197a551caa2979be421aa42381156aec ]
+
+It may be that the offset of the first program header lies inside the mdt's
+filesize, in this case the loader would incorrectly assume that the bins
+were not split and in this scenario the firmware authentication fails.
+This change updates the logic used by the mdt loader to understand whether
+the firmware images are split or not. It figures this out by checking if
+each programs header's segment lies within the file or not.
+
+Co-developed-by: Melody Olvera <quic_molvera@quicinc.com>
+Signed-off-by: Melody Olvera <quic_molvera@quicinc.com>
+Signed-off-by: Gokul krishna Krishnakumar <quic_gokukris@quicinc.com>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20230509001821.24010-1-quic_gokukris@quicinc.com
+Stable-dep-of: 9f9967fed9d0 ("soc: qcom: mdt_loader: Ensure we don't read past the ELF header")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/qcom/mdt_loader.c |   25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+--- a/drivers/soc/qcom/mdt_loader.c
++++ b/drivers/soc/qcom/mdt_loader.c
+@@ -264,6 +264,26 @@ out:
+ }
+ EXPORT_SYMBOL_GPL(qcom_mdt_pas_init);
+ 
++static bool qcom_mdt_bins_are_split(const struct firmware *fw, const char *fw_name)
++{
++	const struct elf32_phdr *phdrs;
++	const struct elf32_hdr *ehdr;
++	uint64_t seg_start, seg_end;
++	int i;
++
++	ehdr = (struct elf32_hdr *)fw->data;
++	phdrs = (struct elf32_phdr *)(ehdr + 1);
++
++	for (i = 0; i < ehdr->e_phnum; i++) {
++		seg_start = phdrs[i].p_offset;
++		seg_end = phdrs[i].p_offset + phdrs[i].p_filesz;
++		if (seg_start > fw->size || seg_end > fw->size)
++			return true;
++	}
++
++	return false;
++}
++
+ static int __qcom_mdt_load(struct device *dev, const struct firmware *fw,
+ 			   const char *fw_name, int pas_id, void *mem_region,
+ 			   phys_addr_t mem_phys, size_t mem_size,
+@@ -276,6 +296,7 @@ static int __qcom_mdt_load(struct device
+ 	phys_addr_t min_addr = PHYS_ADDR_MAX;
+ 	ssize_t offset;
+ 	bool relocate = false;
++	bool is_split;
+ 	void *ptr;
+ 	int ret = 0;
+ 	int i;
+@@ -283,6 +304,7 @@ static int __qcom_mdt_load(struct device
+ 	if (!fw || !mem_region || !mem_phys || !mem_size)
+ 		return -EINVAL;
+ 
++	is_split = qcom_mdt_bins_are_split(fw, fw_name);
+ 	ehdr = (struct elf32_hdr *)fw->data;
+ 	phdrs = (struct elf32_phdr *)(ehdr + 1);
+ 
+@@ -336,8 +358,7 @@ static int __qcom_mdt_load(struct device
+ 
+ 		ptr = mem_region + offset;
+ 
+-		if (phdr->p_filesz && phdr->p_offset < fw->size &&
+-		    phdr->p_offset + phdr->p_filesz <= fw->size) {
++		if (phdr->p_filesz && !is_split) {
+ 			/* Firmware is large enough to be non-split */
+ 			if (phdr->p_offset + phdr->p_filesz > fw->size) {
+ 				dev_err(dev, "file %s segment %d would be truncated\n",
diff --git a/queue-6.1/soc-qcom-mdt_loader-ensure-we-don-t-read-past-the-elf-header.patch b/queue-6.1/soc-qcom-mdt_loader-ensure-we-don-t-read-past-the-elf-header.patch
new file mode 100644
index 0000000000..154a1ef8df
--- /dev/null
+++ b/queue-6.1/soc-qcom-mdt_loader-ensure-we-don-t-read-past-the-elf-header.patch
@@ -0,0 +1,113 @@
+From stable+bounces-172480-greg=kroah.com@vger.kernel.org Fri Aug 22 19:20:15 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 13:20:05 -0400
+Subject: soc: qcom: mdt_loader: Ensure we don't read past the ELF header
+To: stable@vger.kernel.org
+Cc: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>, Doug Anderson <dianders@chromium.org>, Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>, Bjorn Andersson <andersson@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250822172005.1328408-2-sashal@kernel.org>
+
+From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+
+[ Upstream commit 9f9967fed9d066ed3dae9372b45ffa4f6fccfeef ]
+
+When the MDT loader is used in remoteproc, the ELF header is sanitized
+beforehand, but that's not necessary the case for other clients.
+
+Validate the size of the firmware buffer to ensure that we don't read
+past the end as we iterate over the header. e_phentsize and e_shentsize
+are validated as well, to ensure that the assumptions about step size in
+the traversal are valid.
+
+Fixes: 2aad40d911ee ("remoteproc: Move qcom_mdt_loader into drivers/soc/qcom")
+Cc: stable@vger.kernel.org
+Reported-by: Doug Anderson <dianders@chromium.org>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250610-mdt-loader-validation-and-fixes-v2-1-f7073e9ab899@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/qcom/mdt_loader.c |   43 ++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 43 insertions(+)
+
+--- a/drivers/soc/qcom/mdt_loader.c
++++ b/drivers/soc/qcom/mdt_loader.c
+@@ -17,6 +17,37 @@
+ #include <linux/slab.h>
+ #include <linux/soc/qcom/mdt_loader.h>
+ 
++static bool mdt_header_valid(const struct firmware *fw)
++{
++	const struct elf32_hdr *ehdr;
++	size_t phend;
++	size_t shend;
++
++	if (fw->size < sizeof(*ehdr))
++		return false;
++
++	ehdr = (struct elf32_hdr *)fw->data;
++
++	if (memcmp(ehdr->e_ident, ELFMAG, SELFMAG))
++		return false;
++
++	if (ehdr->e_phentsize != sizeof(struct elf32_phdr))
++		return -EINVAL;
++
++	phend = size_add(size_mul(sizeof(struct elf32_phdr), ehdr->e_phnum), ehdr->e_phoff);
++	if (phend > fw->size)
++		return false;
++
++	if (ehdr->e_shentsize != sizeof(struct elf32_shdr))
++		return -EINVAL;
++
++	shend = size_add(size_mul(sizeof(struct elf32_shdr), ehdr->e_shnum), ehdr->e_shoff);
++	if (shend > fw->size)
++		return false;
++
++	return true;
++}
++
+ static bool mdt_phdr_valid(const struct elf32_phdr *phdr)
+ {
+ 	if (phdr->p_type != PT_LOAD)
+@@ -84,6 +115,9 @@ ssize_t qcom_mdt_get_size(const struct f
+ 	phys_addr_t max_addr = 0;
+ 	int i;
+ 
++	if (!mdt_header_valid(fw))
++		return -EINVAL;
++
+ 	ehdr = (struct elf32_hdr *)fw->data;
+ 	phdrs = (struct elf32_phdr *)(ehdr + 1);
+ 
+@@ -136,6 +170,9 @@ void *qcom_mdt_read_metadata(const struc
+ 	ssize_t ret;
+ 	void *data;
+ 
++	if (!mdt_header_valid(fw))
++		return ERR_PTR(-EINVAL);
++
+ 	ehdr = (struct elf32_hdr *)fw->data;
+ 	phdrs = (struct elf32_phdr *)(ehdr + 1);
+ 
+@@ -216,6 +253,9 @@ int qcom_mdt_pas_init(struct device *dev
+ 	int ret;
+ 	int i;
+ 
++	if (!mdt_header_valid(fw))
++		return -EINVAL;
++
+ 	ehdr = (struct elf32_hdr *)fw->data;
+ 	phdrs = (struct elf32_phdr *)(ehdr + 1);
+ 
+@@ -304,6 +344,9 @@ static int __qcom_mdt_load(struct device
+ 	if (!fw || !mem_region || !mem_phys || !mem_size)
+ 		return -EINVAL;
+ 
++	if (!mdt_header_valid(fw))
++		return -EINVAL;
++
+ 	is_split = qcom_mdt_bins_are_split(fw, fw_name);
+ 	ehdr = (struct elf32_hdr *)fw->data;
+ 	phdrs = (struct elf32_phdr *)(ehdr + 1);