--- /dev/null
+From 5fce3aa135f09f1e87aa05032b1e618e61ef69ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 14:17:45 +0200
+Subject: ACPICA: Refuse to evaluate a method if arguments are missing
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 6fcab2791543924d438e7fa49276d0998b0a069f ]
+
+As reported in [1], a platform firmware update that increased the number
+of method parameters and forgot to update a least one of its callers,
+caused ACPICA to crash due to use-after-free.
+
+Since this a result of a clear AML issue that arguably cannot be fixed
+up by the interpreter (it cannot produce missing data out of thin air),
+address it by making ACPICA refuse to evaluate a method if the caller
+attempts to pass fewer arguments than expected to it.
+
+Closes: https://github.com/acpica/acpica/issues/1027 [1]
+Reported-by: Peter Williams <peter@newton.cx>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Hans de Goede <hansg@kernel.org>
+Tested-by: Hans de Goede <hansg@kernel.org> # Dell XPS 9640 with BIOS 1.12.0
+Link: https://patch.msgid.link/5909446.DvuYhMxLoT@rjwysocki.net
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpica/dsmethod.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/acpi/acpica/dsmethod.c b/drivers/acpi/acpica/dsmethod.c
+index 97971c79c5f56..13c67f58e9052 100644
+--- a/drivers/acpi/acpica/dsmethod.c
++++ b/drivers/acpi/acpica/dsmethod.c
+@@ -483,6 +483,13 @@ acpi_ds_call_control_method(struct acpi_thread_state *thread,
+ return_ACPI_STATUS(AE_NULL_OBJECT);
+ }
+
++ if (this_walk_state->num_operands < obj_desc->method.param_count) {
++ ACPI_ERROR((AE_INFO, "Missing argument for method [%4.4s]",
++ acpi_ut_get_node_name(method_node)));
++
++ return_ACPI_STATUS(AE_AML_UNINITIALIZED_ARG);
++ }
++
+ /* Init for new method, possibly wait on method mutex */
+
+ status =
+--
+2.39.5
+
--- /dev/null
+From 1258fba8d590a90028a8d22f18930ac36800fec3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 08:43:20 +0200
+Subject: ALSA: sb: Force to disable DMAs once when DMA mode is changed
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 4c267ae2ef349639b4d9ebf00dd28586a82fdbe6 ]
+
+When the DMA mode is changed on the (still real!) SB AWE32 after
+playing a stream and closing, the previous DMA setup was still
+silently kept, and it can confuse the hardware, resulting in the
+unexpected noises. As a workaround, enforce the disablement of DMA
+setups when the DMA setup is changed by the kcontrol.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=218185
+Link: https://patch.msgid.link/20250610064322.26787-2-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/isa/sb/sb16_main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/sound/isa/sb/sb16_main.c b/sound/isa/sb/sb16_main.c
+index aa48705310231..19804d3fd98c4 100644
+--- a/sound/isa/sb/sb16_main.c
++++ b/sound/isa/sb/sb16_main.c
+@@ -710,6 +710,10 @@ static int snd_sb16_dma_control_put(struct snd_kcontrol *kcontrol, struct snd_ct
+ change = nval != oval;
+ snd_sb16_set_dma_mode(chip, nval);
+ spin_unlock_irqrestore(&chip->reg_lock, flags);
++ if (change) {
++ snd_dma_disable(chip->dma8);
++ snd_dma_disable(chip->dma16);
++ }
+ return change;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From a8cabfaae1b58c88e94bc28917b0228c665d24e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 00:56:36 +0530
+Subject: amd-xgbe: align CL37 AN sequence as per databook
+
+From: Raju Rangoju <Raju.Rangoju@amd.com>
+
+[ Upstream commit 42fd432fe6d320323215ebdf4de4d0d7e56e6792 ]
+
+Update the Clause 37 Auto-Negotiation implementation to properly align
+with the PCS hardware specifications:
+- Fix incorrect bit settings in Link Status and Link Duplex fields
+- Implement missing sequence steps 2 and 7
+
+These changes ensure CL37 auto-negotiation protocol follows the exact
+sequence patterns as specified in the hardware databook.
+
+Fixes: 1bf40ada6290 ("amd-xgbe: Add support for clause 37 auto-negotiation")
+Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
+Link: https://patch.msgid.link/20250630192636.3838291-1-Raju.Rangoju@amd.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amd/xgbe/xgbe-common.h | 2 ++
+ drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 9 +++++++++
+ drivers/net/ethernet/amd/xgbe/xgbe.h | 4 ++--
+ 3 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-common.h b/drivers/net/ethernet/amd/xgbe/xgbe-common.h
+index 533b8519ec352..c5dc23906a78d 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-common.h
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-common.h
+@@ -1355,6 +1355,8 @@
+ #define MDIO_VEND2_CTRL1_SS13 BIT(13)
+ #endif
+
++#define XGBE_VEND2_MAC_AUTO_SW BIT(9)
++
+ /* MDIO mask values */
+ #define XGBE_AN_CL73_INT_CMPLT BIT(0)
+ #define XGBE_AN_CL73_INC_LINK BIT(1)
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
+index 60be836b294bb..19fed56b6ee3f 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
+@@ -363,6 +363,10 @@ static void xgbe_an37_set(struct xgbe_prv_data *pdata, bool enable,
+ reg |= MDIO_VEND2_CTRL1_AN_RESTART;
+
+ XMDIO_WRITE(pdata, MDIO_MMD_VEND2, MDIO_CTRL1, reg);
++
++ reg = XMDIO_READ(pdata, MDIO_MMD_VEND2, MDIO_PCS_DIG_CTRL);
++ reg |= XGBE_VEND2_MAC_AUTO_SW;
++ XMDIO_WRITE(pdata, MDIO_MMD_VEND2, MDIO_PCS_DIG_CTRL, reg);
+ }
+
+ static void xgbe_an37_restart(struct xgbe_prv_data *pdata)
+@@ -991,6 +995,11 @@ static void xgbe_an37_init(struct xgbe_prv_data *pdata)
+
+ netif_dbg(pdata, link, pdata->netdev, "CL37 AN (%s) initialized\n",
+ (pdata->an_mode == XGBE_AN_MODE_CL37) ? "BaseX" : "SGMII");
++
++ reg = XMDIO_READ(pdata, MDIO_MMD_AN, MDIO_CTRL1);
++ reg &= ~MDIO_AN_CTRL1_ENABLE;
++ XMDIO_WRITE(pdata, MDIO_MMD_AN, MDIO_CTRL1, reg);
++
+ }
+
+ static void xgbe_an73_init(struct xgbe_prv_data *pdata)
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe.h b/drivers/net/ethernet/amd/xgbe/xgbe.h
+index 0493de8ee545a..61f22462197ae 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe.h
++++ b/drivers/net/ethernet/amd/xgbe/xgbe.h
+@@ -291,11 +291,11 @@
+ #define XGBE_LINK_TIMEOUT 5
+ #define XGBE_KR_TRAINING_WAIT_ITER 50
+
+-#define XGBE_SGMII_AN_LINK_STATUS BIT(1)
++#define XGBE_SGMII_AN_LINK_DUPLEX BIT(1)
+ #define XGBE_SGMII_AN_LINK_SPEED (BIT(2) | BIT(3))
+ #define XGBE_SGMII_AN_LINK_SPEED_100 0x04
+ #define XGBE_SGMII_AN_LINK_SPEED_1000 0x08
+-#define XGBE_SGMII_AN_LINK_DUPLEX BIT(4)
++#define XGBE_SGMII_AN_LINK_STATUS BIT(4)
+
+ /* ECC correctable error notification window (seconds) */
+ #define XGBE_ECC_LIMIT 60
+--
+2.39.5
+
--- /dev/null
+From 0a946832ef324348ea3a3d42755b11eb6bacb869 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Jun 2025 11:01:11 +0200
+Subject: ata: pata_cs5536: fix build on 32-bit UML
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit fe5b391fc56f77cf3c22a9dd4f0ce20db0e3533f ]
+
+On 32-bit ARCH=um, CONFIG_X86_32 is still defined, so it
+doesn't indicate building on real X86 machines. There's
+no MSR on UML though, so add a check for CONFIG_X86.
+
+Reported-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Link: https://lore.kernel.org/r/20250606090110.15784-2-johannes@sipsolutions.net
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/pata_cs5536.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/ata/pata_cs5536.c b/drivers/ata/pata_cs5536.c
+index 760ac6e65216f..3737d1bf1539d 100644
+--- a/drivers/ata/pata_cs5536.c
++++ b/drivers/ata/pata_cs5536.c
+@@ -27,7 +27,7 @@
+ #include <scsi/scsi_host.h>
+ #include <linux/dmi.h>
+
+-#ifdef CONFIG_X86_32
++#if defined(CONFIG_X86) && defined(CONFIG_X86_32)
+ #include <asm/msr.h>
+ static int use_msr;
+ module_param_named(msr, use_msr, int, 0644);
+--
+2.39.5
+
--- /dev/null
+From a0a543af8a8b755b6a71c62854d1e4cc2d2fbee4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 16:57:07 +0100
+Subject: btrfs: fix missing error handling when searching for inode refs
+ during log replay
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 6561a40ceced9082f50c374a22d5966cf9fc5f5c ]
+
+During log replay, at __add_inode_ref(), when we are searching for inode
+ref keys we totally ignore if btrfs_search_slot() returns an error. This
+may make a log replay succeed when there was an actual error and leave
+some metadata inconsistency in a subvolume tree. Fix this by checking if
+an error was returned from btrfs_search_slot() and if so, return it to
+the caller.
+
+Fixes: e02119d5a7b4 ("Btrfs: Add a write ahead tree log to optimize synchronous operations")
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/tree-log.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
+index 4ee6814293279..dd1c40019412c 100644
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -1005,7 +1005,9 @@ static inline int __add_inode_ref(struct btrfs_trans_handle *trans,
+ search_key.type = BTRFS_INODE_REF_KEY;
+ search_key.offset = parent_objectid;
+ ret = btrfs_search_slot(NULL, root, &search_key, path, 0, 0);
+- if (ret == 0) {
++ if (ret < 0) {
++ return ret;
++ } else if (ret == 0) {
+ struct btrfs_inode_ref *victim_ref;
+ unsigned long ptr;
+ unsigned long ptr_end;
+--
+2.39.5
+
--- /dev/null
+From 5a6e96732034abc8c41395d60afb0fbd30565f45 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 14:06:26 +0200
+Subject: drm/exynos: fimd: Guard display clock control with runtime PM calls
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+[ Upstream commit 5d91394f236167ac624b823820faf4aa928b889e ]
+
+Commit c9b1150a68d9 ("drm/atomic-helper: Re-order bridge chain pre-enable
+and post-disable") changed the call sequence to the CRTC enable/disable
+and bridge pre_enable/post_disable methods, so those bridge methods are
+now called when CRTC is not yet enabled.
+
+This causes a lockup observed on Samsung Peach-Pit/Pi Chromebooks. The
+source of this lockup is a call to fimd_dp_clock_enable() function, when
+FIMD device is not yet runtime resumed. It worked before the mentioned
+commit only because the CRTC implemented by the FIMD driver was always
+enabled what guaranteed the FIMD device to be runtime resumed.
+
+This patch adds runtime PM guards to the fimd_dp_clock_enable() function
+to enable its proper operation also when the CRTC implemented by FIMD is
+not yet enabled.
+
+Fixes: 196e059a8a6a ("drm/exynos: convert clock_enable crtc callback to pipeline clock")
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Reviewed-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+Signed-off-by: Inki Dae <inki.dae@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/exynos/exynos_drm_fimd.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/gpu/drm/exynos/exynos_drm_fimd.c b/drivers/gpu/drm/exynos/exynos_drm_fimd.c
+index c045330f9c48f..3b89a8774db5a 100644
+--- a/drivers/gpu/drm/exynos/exynos_drm_fimd.c
++++ b/drivers/gpu/drm/exynos/exynos_drm_fimd.c
+@@ -182,6 +182,7 @@ struct fimd_context {
+ u32 i80ifcon;
+ bool i80_if;
+ bool suspended;
++ bool dp_clk_enabled;
+ wait_queue_head_t wait_vsync_queue;
+ atomic_t wait_vsync_event;
+ atomic_t win_updated;
+@@ -1003,7 +1004,18 @@ static void fimd_dp_clock_enable(struct exynos_drm_clk *clk, bool enable)
+ struct fimd_context *ctx = container_of(clk, struct fimd_context,
+ dp_clk);
+ u32 val = enable ? DP_MIE_CLK_DP_ENABLE : DP_MIE_CLK_DISABLE;
++
++ if (enable == ctx->dp_clk_enabled)
++ return;
++
++ if (enable)
++ pm_runtime_resume_and_get(ctx->dev);
++
++ ctx->dp_clk_enabled = enable;
+ writel(val, ctx->regs + DP_MIE_CLKCON);
++
++ if (!enable)
++ pm_runtime_put(ctx->dev);
+ }
+
+ static const struct exynos_drm_crtc_ops fimd_crtc_ops = {
+--
+2.39.5
+
--- /dev/null
+From 431952891b2d2b72fcbfab98faf873befcf61f9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 12:42:13 +0200
+Subject: drm/i915/gt: Fix timeline left held on VMA alloc error
+
+From: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
+
+[ Upstream commit a5aa7bc1fca78c7fa127d9e33aa94a0c9066c1d6 ]
+
+The following error has been reported sporadically by CI when a test
+unbinds the i915 driver on a ring submission platform:
+
+<4> [239.330153] ------------[ cut here ]------------
+<4> [239.330166] i915 0000:00:02.0: [drm] drm_WARN_ON(dev_priv->mm.shrink_count)
+<4> [239.330196] WARNING: CPU: 1 PID: 18570 at drivers/gpu/drm/i915/i915_gem.c:1309 i915_gem_cleanup_early+0x13e/0x150 [i915]
+...
+<4> [239.330640] RIP: 0010:i915_gem_cleanup_early+0x13e/0x150 [i915]
+...
+<4> [239.330942] Call Trace:
+<4> [239.330944] <TASK>
+<4> [239.330949] i915_driver_late_release+0x2b/0xa0 [i915]
+<4> [239.331202] i915_driver_release+0x86/0xa0 [i915]
+<4> [239.331482] devm_drm_dev_init_release+0x61/0x90
+<4> [239.331494] devm_action_release+0x15/0x30
+<4> [239.331504] release_nodes+0x3d/0x120
+<4> [239.331517] devres_release_all+0x96/0xd0
+<4> [239.331533] device_unbind_cleanup+0x12/0x80
+<4> [239.331543] device_release_driver_internal+0x23a/0x280
+<4> [239.331550] ? bus_find_device+0xa5/0xe0
+<4> [239.331563] device_driver_detach+0x14/0x20
+...
+<4> [357.719679] ---[ end trace 0000000000000000 ]---
+
+If the test also unloads the i915 module then that's followed with:
+
+<3> [357.787478] =============================================================================
+<3> [357.788006] BUG i915_vma (Tainted: G U W N ): Objects remaining on __kmem_cache_shutdown()
+<3> [357.788031] -----------------------------------------------------------------------------
+<3> [357.788204] Object 0xffff888109e7f480 @offset=29824
+<3> [357.788670] Allocated in i915_vma_instance+0xee/0xc10 [i915] age=292729 cpu=4 pid=2244
+<4> [357.788994] i915_vma_instance+0xee/0xc10 [i915]
+<4> [357.789290] init_status_page+0x7b/0x420 [i915]
+<4> [357.789532] intel_engines_init+0x1d8/0x980 [i915]
+<4> [357.789772] intel_gt_init+0x175/0x450 [i915]
+<4> [357.790014] i915_gem_init+0x113/0x340 [i915]
+<4> [357.790281] i915_driver_probe+0x847/0xed0 [i915]
+<4> [357.790504] i915_pci_probe+0xe6/0x220 [i915]
+...
+
+Closer analysis of CI results history has revealed a dependency of the
+error on a few IGT tests, namely:
+- igt@api_intel_allocator@fork-simple-stress-signal,
+- igt@api_intel_allocator@two-level-inception-interruptible,
+- igt@gem_linear_blits@interruptible,
+- igt@prime_mmap_coherency@ioctl-errors,
+which invisibly trigger the issue, then exhibited with first driver unbind
+attempt.
+
+All of the above tests perform actions which are actively interrupted with
+signals. Further debugging has allowed to narrow that scope down to
+DRM_IOCTL_I915_GEM_EXECBUFFER2, and ring_context_alloc(), specific to ring
+submission, in particular.
+
+If successful then that function, or its execlists or GuC submission
+equivalent, is supposed to be called only once per GEM context engine,
+followed by raise of a flag that prevents the function from being called
+again. The function is expected to unwind its internal errors itself, so
+it may be safely called once more after it returns an error.
+
+In case of ring submission, the function first gets a reference to the
+engine's legacy timeline and then allocates a VMA. If the VMA allocation
+fails, e.g. when i915_vma_instance() called from inside is interrupted
+with a signal, then ring_context_alloc() fails, leaving the timeline held
+referenced. On next I915_GEM_EXECBUFFER2 IOCTL, another reference to the
+timeline is got, and only that last one is put on successful completion.
+As a consequence, the legacy timeline, with its underlying engine status
+page's VMA object, is still held and not released on driver unbind.
+
+Get the legacy timeline only after successful allocation of the context
+engine's VMA.
+
+v2: Add a note on other submission methods (Krzysztof Karas):
+ Both execlists and GuC submission use lrc_alloc() which seems free
+ from a similar issue.
+
+Fixes: 75d0a7f31eec ("drm/i915: Lift timeline into intel_context")
+Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/12061
+Cc: Chris Wilson <chris.p.wilson@linux.intel.com>
+Cc: Matthew Auld <matthew.auld@intel.com>
+Cc: Krzysztof Karas <krzysztof.karas@intel.com>
+Reviewed-by: Sebastian Brzezinka <sebastian.brzezinka@intel.com>
+Reviewed-by: Krzysztof Niemiec <krzysztof.niemiec@intel.com>
+Signed-off-by: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
+Reviewed-by: Nitin Gote <nitin.r.gote@intel.com>
+Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
+Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
+Link: https://lore.kernel.org/r/20250611104352.1014011-2-janusz.krzysztofik@linux.intel.com
+(cherry picked from commit cc43422b3cc79eacff4c5a8ba0d224688ca9dd4f)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gt/intel_ring_submission.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i915/gt/intel_ring_submission.c b/drivers/gpu/drm/i915/gt/intel_ring_submission.c
+index 6aaca73eaee60..af57192a7846f 100644
+--- a/drivers/gpu/drm/i915/gt/intel_ring_submission.c
++++ b/drivers/gpu/drm/i915/gt/intel_ring_submission.c
+@@ -576,7 +576,6 @@ static int ring_context_alloc(struct intel_context *ce)
+ /* One ringbuffer to rule them all */
+ GEM_BUG_ON(!engine->legacy.ring);
+ ce->ring = engine->legacy.ring;
+- ce->timeline = intel_timeline_get(engine->legacy.timeline);
+
+ GEM_BUG_ON(ce->state);
+ if (engine->context_size) {
+@@ -591,6 +590,8 @@ static int ring_context_alloc(struct intel_context *ce)
+ __set_bit(CONTEXT_VALID_BIT, &ce->flags);
+ }
+
++ ce->timeline = intel_timeline_get(engine->legacy.timeline);
++
+ return 0;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 8afbd2445576ad95646d832e6c0ed8806cd4cad3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jun 2025 10:21:58 -0500
+Subject: drm/i915/selftests: Change mock_request() to return error pointers
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit caa7c7a76b78ce41d347003f84975125383e6b59 ]
+
+There was an error pointer vs NULL bug in __igt_breadcrumbs_smoketest().
+The __mock_request_alloc() function implements the
+smoketest->request_alloc() function pointer. It was supposed to return
+error pointers, but it propogates the NULL return from mock_request()
+so in the event of a failure, it would lead to a NULL pointer
+dereference.
+
+To fix this, change the mock_request() function to return error pointers
+and update all the callers to expect that.
+
+Fixes: 52c0fdb25c7c ("drm/i915: Replace global breadcrumbs with per-context interrupt tracking")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Link: https://lore.kernel.org/r/685c1417.050a0220.696f5.5c05@mx.google.com
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+(cherry picked from commit 778fa8ad5f0f23397d045c7ebca048ce8def1c43)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/selftests/i915_request.c | 20 +++++++++----------
+ drivers/gpu/drm/i915/selftests/mock_request.c | 2 +-
+ 2 files changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/selftests/i915_request.c b/drivers/gpu/drm/i915/selftests/i915_request.c
+index 7a72faf29f272..1881a97659a7a 100644
+--- a/drivers/gpu/drm/i915/selftests/i915_request.c
++++ b/drivers/gpu/drm/i915/selftests/i915_request.c
+@@ -71,8 +71,8 @@ static int igt_add_request(void *arg)
+ /* Basic preliminary test to create a request and let it loose! */
+
+ request = mock_request(rcs0(i915)->kernel_context, HZ / 10);
+- if (!request)
+- return -ENOMEM;
++ if (IS_ERR(request))
++ return PTR_ERR(request);
+
+ i915_request_add(request);
+
+@@ -89,8 +89,8 @@ static int igt_wait_request(void *arg)
+ /* Submit a request, then wait upon it */
+
+ request = mock_request(rcs0(i915)->kernel_context, T);
+- if (!request)
+- return -ENOMEM;
++ if (IS_ERR(request))
++ return PTR_ERR(request);
+
+ i915_request_get(request);
+
+@@ -158,8 +158,8 @@ static int igt_fence_wait(void *arg)
+ /* Submit a request, treat it as a fence and wait upon it */
+
+ request = mock_request(rcs0(i915)->kernel_context, T);
+- if (!request)
+- return -ENOMEM;
++ if (IS_ERR(request))
++ return PTR_ERR(request);
+
+ if (dma_fence_wait_timeout(&request->fence, false, T) != -ETIME) {
+ pr_err("fence wait success before submit (expected timeout)!\n");
+@@ -213,8 +213,8 @@ static int igt_request_rewind(void *arg)
+ GEM_BUG_ON(IS_ERR(ce));
+ request = mock_request(ce, 2 * HZ);
+ intel_context_put(ce);
+- if (!request) {
+- err = -ENOMEM;
++ if (IS_ERR(request)) {
++ err = PTR_ERR(request);
+ goto err_context_0;
+ }
+
+@@ -227,8 +227,8 @@ static int igt_request_rewind(void *arg)
+ GEM_BUG_ON(IS_ERR(ce));
+ vip = mock_request(ce, 0);
+ intel_context_put(ce);
+- if (!vip) {
+- err = -ENOMEM;
++ if (IS_ERR(vip)) {
++ err = PTR_ERR(vip);
+ goto err_context_1;
+ }
+
+diff --git a/drivers/gpu/drm/i915/selftests/mock_request.c b/drivers/gpu/drm/i915/selftests/mock_request.c
+index 09f747228dff5..1b0cf073e9643 100644
+--- a/drivers/gpu/drm/i915/selftests/mock_request.c
++++ b/drivers/gpu/drm/i915/selftests/mock_request.c
+@@ -35,7 +35,7 @@ mock_request(struct intel_context *ce, unsigned long delay)
+ /* NB the i915->requests slab cache is enlarged to fit mock_request */
+ request = intel_context_create_request(ce);
+ if (IS_ERR(request))
+- return NULL;
++ return request;
+
+ request->mock.delay = delay;
+ return request;
+--
+2.39.5
+
--- /dev/null
+From 417c1b7a1c348e93087280f0c42ee6df7341bbb3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 28 Jun 2025 07:56:05 -0700
+Subject: enic: fix incorrect MTU comparison in enic_change_mtu()
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit aaf2b2480375099c022a82023e1cd772bf1c6a5d ]
+
+The comparison in enic_change_mtu() incorrectly used the current
+netdev->mtu instead of the new new_mtu value when warning about
+an MTU exceeding the port MTU. This could suppress valid warnings
+or issue incorrect ones.
+
+Fix the condition and log to properly reflect the new_mtu.
+
+Fixes: ab123fe071c9 ("enic: handle mtu change for vf properly")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Acked-by: John Daley <johndale@cisco.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250628145612.476096-1-alok.a.tiwari@oracle.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cisco/enic/enic_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/cisco/enic/enic_main.c b/drivers/net/ethernet/cisco/enic/enic_main.c
+index b695f3f233286..f59d658d624f5 100644
+--- a/drivers/net/ethernet/cisco/enic/enic_main.c
++++ b/drivers/net/ethernet/cisco/enic/enic_main.c
+@@ -2058,10 +2058,10 @@ static int enic_change_mtu(struct net_device *netdev, int new_mtu)
+ if (enic_is_dynamic(enic) || enic_is_sriov_vf(enic))
+ return -EOPNOTSUPP;
+
+- if (netdev->mtu > enic->port_mtu)
++ if (new_mtu > enic->port_mtu)
+ netdev_warn(netdev,
+ "interface MTU (%d) set higher than port MTU (%d)\n",
+- netdev->mtu, enic->port_mtu);
++ new_mtu, enic->port_mtu);
+
+ return _enic_change_mtu(netdev, new_mtu);
+ }
+--
+2.39.5
+
--- /dev/null
+From dc4b80ebff96320bf504f80c0ad104d869b2cff9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Dec 2020 11:08:12 -0800
+Subject: igc: Add new device ID
+
+From: Sasha Neftin <sasha.neftin@intel.com>
+
+[ Upstream commit bfa5e98c9de466bfe25a9b4bf6ef9122aee2d06a ]
+
+Add new device ID for the next step of the silicon and
+reflect the I226_K part.
+
+Signed-off-by: Sasha Neftin <sasha.neftin@intel.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 0325143b59c6 ("igc: disable L1.2 PCI-E link substate to avoid performance issue")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_base.c | 1 +
+ drivers/net/ethernet/intel/igc/igc_hw.h | 1 +
+ drivers/net/ethernet/intel/igc/igc_main.c | 1 +
+ 3 files changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_base.c b/drivers/net/ethernet/intel/igc/igc_base.c
+index 7f3523f0d196f..84f142f5e472e 100644
+--- a/drivers/net/ethernet/intel/igc/igc_base.c
++++ b/drivers/net/ethernet/intel/igc/igc_base.c
+@@ -205,6 +205,7 @@ static s32 igc_get_invariants_base(struct igc_hw *hw)
+ case IGC_DEV_ID_I220_V:
+ case IGC_DEV_ID_I225_K:
+ case IGC_DEV_ID_I225_K2:
++ case IGC_DEV_ID_I226_K:
+ case IGC_DEV_ID_I225_LMVP:
+ case IGC_DEV_ID_I225_IT:
+ case IGC_DEV_ID_I226_LM:
+diff --git a/drivers/net/ethernet/intel/igc/igc_hw.h b/drivers/net/ethernet/intel/igc/igc_hw.h
+index 7e29f41f70e0b..3ca8d2ac29c2d 100644
+--- a/drivers/net/ethernet/intel/igc/igc_hw.h
++++ b/drivers/net/ethernet/intel/igc/igc_hw.h
+@@ -24,6 +24,7 @@
+ #define IGC_DEV_ID_I225_K2 0x3101
+ #define IGC_DEV_ID_I226_K 0x3102
+ #define IGC_DEV_ID_I225_LMVP 0x5502
++#define IGC_DEV_ID_I226_K 0x5504
+ #define IGC_DEV_ID_I225_IT 0x0D9F
+ #define IGC_DEV_ID_I226_LM 0x125B
+ #define IGC_DEV_ID_I226_V 0x125C
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index 7593e8b7469c5..192fd4e73dfe2 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -46,6 +46,7 @@ static const struct pci_device_id igc_pci_tbl[] = {
+ { PCI_VDEVICE(INTEL, IGC_DEV_ID_I220_V), board_base },
+ { PCI_VDEVICE(INTEL, IGC_DEV_ID_I225_K), board_base },
+ { PCI_VDEVICE(INTEL, IGC_DEV_ID_I225_K2), board_base },
++ { PCI_VDEVICE(INTEL, IGC_DEV_ID_I226_K), board_base },
+ { PCI_VDEVICE(INTEL, IGC_DEV_ID_I225_LMVP), board_base },
+ { PCI_VDEVICE(INTEL, IGC_DEV_ID_I225_IT), board_base },
+ { PCI_VDEVICE(INTEL, IGC_DEV_ID_I226_LM), board_base },
+--
+2.39.5
+
--- /dev/null
+From caf94cde7108a6f198c7d51f0ff5ef158d911100 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 15:52:54 +0300
+Subject: igc: disable L1.2 PCI-E link substate to avoid performance issue
+
+From: Vitaly Lifshits <vitaly.lifshits@intel.com>
+
+[ Upstream commit 0325143b59c6c6d79987afc57d2456e7a20d13b7 ]
+
+I226 devices advertise support for the PCI-E link L1.2 substate. However,
+due to a hardware limitation, the exit latency from this low-power state
+is longer than the packet buffer can tolerate under high traffic
+conditions. This can lead to packet loss and degraded performance.
+
+To mitigate this, disable the L1.2 substate. The increased power draw
+between L1.1 and L1.2 is insignificant.
+
+Fixes: 43546211738e ("igc: Add new device ID's")
+Link: https://lore.kernel.org/intel-wired-lan/15248b4f-3271-42dd-8e35-02bfc92b25e1@intel.com
+Signed-off-by: Vitaly Lifshits <vitaly.lifshits@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Tested-by: Mor Bar-Gabay <morx.bar.gabay@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index 76efb5bf819e7..71507d7f564d1 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -5244,6 +5244,10 @@ static int igc_probe(struct pci_dev *pdev,
+ adapter->port_num = hw->bus.func;
+ adapter->msg_enable = netif_msg_init(debug, DEFAULT_MSG_ENABLE);
+
++ /* Disable ASPM L1.2 on I226 devices to avoid packet loss */
++ if (igc_is_device_id_i226(hw))
++ pci_disable_link_state(pdev, PCIE_LINK_STATE_L1_2);
++
+ err = pci_save_state(pdev);
+ if (err)
+ goto err_ioremap;
+@@ -5601,6 +5605,9 @@ static int __maybe_unused igc_resume(struct device *dev)
+ pci_enable_wake(pdev, PCI_D3hot, 0);
+ pci_enable_wake(pdev, PCI_D3cold, 0);
+
++ if (igc_is_device_id_i226(hw))
++ pci_disable_link_state(pdev, PCIE_LINK_STATE_L1_2);
++
+ if (igc_init_interrupt_scheme(adapter, true)) {
+ netdev_err(netdev, "Unable to allocate memory for queues\n");
+ return -ENOMEM;
+@@ -5716,6 +5723,9 @@ static pci_ers_result_t igc_io_slot_reset(struct pci_dev *pdev)
+ pci_enable_wake(pdev, PCI_D3hot, 0);
+ pci_enable_wake(pdev, PCI_D3cold, 0);
+
++ if (igc_is_device_id_i226(hw))
++ pci_disable_link_state_locked(pdev, PCIE_LINK_STATE_L1_2);
++
+ /* In case of PCI error, adapter loses its HW address
+ * so we should re-assign it here.
+ */
+--
+2.39.5
+
--- /dev/null
+From e498dcb8e1c609b53f68fd72199d09f5b0a3f956 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Dec 2022 00:29:07 +0800
+Subject: igc: remove I226 Qbv BaseTime restriction
+
+From: Muhammad Husaini Zulkifli <muhammad.husaini.zulkifli@intel.com>
+
+[ Upstream commit b8897dc54e3bc9d25281bbb42a7d730782ff4588 ]
+
+Remove the Qbv BaseTime restriction for I226 so that the BaseTime can be
+scheduled to the future time. A new register bit of Tx Qav Control
+(Bit-7: FutScdDis) was introduced to allow I226 scheduling future time as
+Qbv BaseTime and not having the Tx hang timeout issue.
+
+Besides, according to datasheet section 7.5.2.9.3.3, FutScdDis bit has to
+be configured first before the cycle time and base time.
+
+Indeed the FutScdDis bit is only active on re-configuration, thus we have
+to set the BASET_L to zero and then only set it to the desired value.
+
+Please also note that the Qbv configuration flow is moved around based on
+the Qbv programming guideline that is documented in the latest datasheet.
+
+Co-developed-by: Tan Tee Min <tee.min.tan@linux.intel.com>
+Signed-off-by: Tan Tee Min <tee.min.tan@linux.intel.com>
+Signed-off-by: Muhammad Husaini Zulkifli <muhammad.husaini.zulkifli@intel.com>
+Tested-by: Naama Meir <naamax.meir@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Stable-dep-of: 0325143b59c6 ("igc: disable L1.2 PCI-E link substate to avoid performance issue")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_base.c | 29 +++++++++++++
+ drivers/net/ethernet/intel/igc/igc_base.h | 2 +
+ drivers/net/ethernet/intel/igc/igc_defines.h | 1 +
+ drivers/net/ethernet/intel/igc/igc_main.c | 5 ++-
+ drivers/net/ethernet/intel/igc/igc_tsn.c | 44 +++++++++++++-------
+ 5 files changed, 65 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_base.c b/drivers/net/ethernet/intel/igc/igc_base.c
+index 84f142f5e472e..be095c6531b68 100644
+--- a/drivers/net/ethernet/intel/igc/igc_base.c
++++ b/drivers/net/ethernet/intel/igc/igc_base.c
+@@ -402,6 +402,35 @@ void igc_rx_fifo_flush_base(struct igc_hw *hw)
+ rd32(IGC_MPC);
+ }
+
++bool igc_is_device_id_i225(struct igc_hw *hw)
++{
++ switch (hw->device_id) {
++ case IGC_DEV_ID_I225_LM:
++ case IGC_DEV_ID_I225_V:
++ case IGC_DEV_ID_I225_I:
++ case IGC_DEV_ID_I225_K:
++ case IGC_DEV_ID_I225_K2:
++ case IGC_DEV_ID_I225_LMVP:
++ case IGC_DEV_ID_I225_IT:
++ return true;
++ default:
++ return false;
++ }
++}
++
++bool igc_is_device_id_i226(struct igc_hw *hw)
++{
++ switch (hw->device_id) {
++ case IGC_DEV_ID_I226_LM:
++ case IGC_DEV_ID_I226_V:
++ case IGC_DEV_ID_I226_K:
++ case IGC_DEV_ID_I226_IT:
++ return true;
++ default:
++ return false;
++ }
++}
++
+ static struct igc_mac_operations igc_mac_ops_base = {
+ .init_hw = igc_init_hw_base,
+ .check_for_link = igc_check_for_copper_link,
+diff --git a/drivers/net/ethernet/intel/igc/igc_base.h b/drivers/net/ethernet/intel/igc/igc_base.h
+index ea627ce52525a..73b87a387a3a5 100644
+--- a/drivers/net/ethernet/intel/igc/igc_base.h
++++ b/drivers/net/ethernet/intel/igc/igc_base.h
+@@ -7,6 +7,8 @@
+ /* forward declaration */
+ void igc_rx_fifo_flush_base(struct igc_hw *hw);
+ void igc_power_down_phy_copper_base(struct igc_hw *hw);
++bool igc_is_device_id_i225(struct igc_hw *hw);
++bool igc_is_device_id_i226(struct igc_hw *hw);
+
+ /* Transmit Descriptor - Advanced */
+ union igc_adv_tx_desc {
+diff --git a/drivers/net/ethernet/intel/igc/igc_defines.h b/drivers/net/ethernet/intel/igc/igc_defines.h
+index 352b50d3881d0..dd337657c3109 100644
+--- a/drivers/net/ethernet/intel/igc/igc_defines.h
++++ b/drivers/net/ethernet/intel/igc/igc_defines.h
+@@ -410,6 +410,7 @@
+ /* Transmit Scheduling */
+ #define IGC_TQAVCTRL_TRANSMIT_MODE_TSN 0x00000001
+ #define IGC_TQAVCTRL_ENHANCED_QAV 0x00000008
++#define IGC_TQAVCTRL_FUTSCDDIS 0x00000080
+
+ #define IGC_TXQCTL_QUEUE_MODE_LAUNCHT 0x00000001
+ #define IGC_TXQCTL_STRICT_CYCLE 0x00000002
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index dd277ad18a543..76efb5bf819e7 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -4870,6 +4870,7 @@ static bool validate_schedule(struct igc_adapter *adapter,
+ const struct tc_taprio_qopt_offload *qopt)
+ {
+ int queue_uses[IGC_MAX_TX_QUEUES] = { };
++ struct igc_hw *hw = &adapter->hw;
+ struct timespec64 now;
+ size_t n;
+
+@@ -4882,8 +4883,10 @@ static bool validate_schedule(struct igc_adapter *adapter,
+ * in the future, it will hold all the packets until that
+ * time, causing a lot of TX Hangs, so to avoid that, we
+ * reject schedules that would start in the future.
++ * Note: Limitation above is no longer in i226.
+ */
+- if (!is_base_time_past(qopt->base_time, &now))
++ if (!is_base_time_past(qopt->base_time, &now) &&
++ igc_is_device_id_i225(hw))
+ return false;
+
+ for (n = 0; n < qopt->num_entries; n++) {
+diff --git a/drivers/net/ethernet/intel/igc/igc_tsn.c b/drivers/net/ethernet/intel/igc/igc_tsn.c
+index e466088cfa3aa..e5ea34f2275c6 100644
+--- a/drivers/net/ethernet/intel/igc/igc_tsn.c
++++ b/drivers/net/ethernet/intel/igc/igc_tsn.c
+@@ -2,6 +2,7 @@
+ /* Copyright (c) 2019 Intel Corporation */
+
+ #include "igc.h"
++#include "igc_hw.h"
+ #include "igc_tsn.h"
+
+ static bool is_any_launchtime(struct igc_adapter *adapter)
+@@ -45,7 +46,8 @@ static int igc_tsn_disable_offload(struct igc_adapter *adapter)
+
+ tqavctrl = rd32(IGC_TQAVCTRL);
+ tqavctrl &= ~(IGC_TQAVCTRL_TRANSMIT_MODE_TSN |
+- IGC_TQAVCTRL_ENHANCED_QAV);
++ IGC_TQAVCTRL_ENHANCED_QAV | IGC_TQAVCTRL_FUTSCDDIS);
++
+ wr32(IGC_TQAVCTRL, tqavctrl);
+
+ for (i = 0; i < adapter->num_tx_queues; i++) {
+@@ -76,20 +78,10 @@ static int igc_tsn_enable_offload(struct igc_adapter *adapter)
+ ktime_t base_time, systim;
+ int i;
+
+- cycle = adapter->cycle_time;
+- base_time = adapter->base_time;
+-
+ wr32(IGC_TSAUXC, 0);
+ wr32(IGC_DTXMXPKTSZ, IGC_DTXMXPKTSZ_TSN);
+ wr32(IGC_TXPBS, IGC_TXPBSIZE_TSN);
+
+- tqavctrl = rd32(IGC_TQAVCTRL);
+- tqavctrl |= IGC_TQAVCTRL_TRANSMIT_MODE_TSN | IGC_TQAVCTRL_ENHANCED_QAV;
+- wr32(IGC_TQAVCTRL, tqavctrl);
+-
+- wr32(IGC_QBVCYCLET_S, cycle);
+- wr32(IGC_QBVCYCLET, cycle);
+-
+ for (i = 0; i < adapter->num_tx_queues; i++) {
+ struct igc_ring *ring = adapter->tx_ring[i];
+ u32 txqctl = 0;
+@@ -106,21 +98,43 @@ static int igc_tsn_enable_offload(struct igc_adapter *adapter)
+ wr32(IGC_TXQCTL(i), txqctl);
+ }
+
++ tqavctrl = rd32(IGC_TQAVCTRL);
++ tqavctrl |= IGC_TQAVCTRL_TRANSMIT_MODE_TSN | IGC_TQAVCTRL_ENHANCED_QAV;
++
++ cycle = adapter->cycle_time;
++ base_time = adapter->base_time;
++
+ nsec = rd32(IGC_SYSTIML);
+ sec = rd32(IGC_SYSTIMH);
+
+ systim = ktime_set(sec, nsec);
+-
+ if (ktime_compare(systim, base_time) > 0) {
+- s64 n;
++ s64 n = div64_s64(ktime_sub_ns(systim, base_time), cycle);
+
+- n = div64_s64(ktime_sub_ns(systim, base_time), cycle);
+ base_time = ktime_add_ns(base_time, (n + 1) * cycle);
++ } else {
++ /* According to datasheet section 7.5.2.9.3.3, FutScdDis bit
++ * has to be configured before the cycle time and base time.
++ */
++ if (igc_is_device_id_i226(hw))
++ tqavctrl |= IGC_TQAVCTRL_FUTSCDDIS;
+ }
+
+- baset_h = div_s64_rem(base_time, NSEC_PER_SEC, &baset_l);
++ wr32(IGC_TQAVCTRL, tqavctrl);
++
++ wr32(IGC_QBVCYCLET_S, cycle);
++ wr32(IGC_QBVCYCLET, cycle);
+
++ baset_h = div_s64_rem(base_time, NSEC_PER_SEC, &baset_l);
+ wr32(IGC_BASET_H, baset_h);
++
++ /* In i226, Future base time is only supported when FutScdDis bit
++ * is enabled and only active for re-configuration.
++ * In this case, initialize the base time with zero to create
++ * "re-configuration" scenario then only set the desired base time.
++ */
++ if (tqavctrl & IGC_TQAVCTRL_FUTSCDDIS)
++ wr32(IGC_BASET_L, 0);
+ wr32(IGC_BASET_L, baset_l);
+
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From 46f00dec4a86b216ffd38628ecf641b8dac16549 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Aug 2021 20:23:39 +0530
+Subject: igc: Simplify TSN flags handling
+
+From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+
+[ Upstream commit 61572d5f8f91d8603d8db028e1ec9e18fc0ca245 ]
+
+Separates the procedure done during reset from applying a
+configuration, knowing when the code is executing allow us to
+separate the better what changes the hardware state from what
+changes only the driver state.
+
+Introduces a flag for bookkeeping the driver state of TSN
+features. When Qav and frame-preemption is also implemented
+this flag makes it easier to keep track on whether a TSN feature
+driver state is enabled or not though controller state changes,
+say, during a reset.
+
+Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Signed-off-by: Aravindhan Gunasekaran <aravindhan.gunasekaran@intel.com>
+Signed-off-by: Mallikarjuna Chilakala <mallikarjuna.chilakala@intel.com>
+Tested-by: Dvora Fuxbrumer <dvorax.fuxbrumer@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Stable-dep-of: 0325143b59c6 ("igc: disable L1.2 PCI-E link substate to avoid performance issue")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc.h | 2 +
+ drivers/net/ethernet/intel/igc/igc_main.c | 2 +-
+ drivers/net/ethernet/intel/igc/igc_tsn.c | 65 ++++++++++++++---------
+ drivers/net/ethernet/intel/igc/igc_tsn.h | 1 +
+ 4 files changed, 43 insertions(+), 27 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc.h b/drivers/net/ethernet/intel/igc/igc.h
+index 31af08ceb36b9..31c14bff8f0cf 100644
+--- a/drivers/net/ethernet/intel/igc/igc.h
++++ b/drivers/net/ethernet/intel/igc/igc.h
+@@ -270,6 +270,8 @@ extern char igc_driver_name[];
+ #define IGC_FLAG_RX_LEGACY BIT(16)
+ #define IGC_FLAG_TSN_QBV_ENABLED BIT(17)
+
++#define IGC_FLAG_TSN_ANY_ENABLED IGC_FLAG_TSN_QBV_ENABLED
++
+ #define IGC_FLAG_RSS_FIELD_IPV4_UDP BIT(6)
+ #define IGC_FLAG_RSS_FIELD_IPV6_UDP BIT(7)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index 192fd4e73dfe2..dd277ad18a543 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -109,7 +109,7 @@ void igc_reset(struct igc_adapter *adapter)
+ igc_ptp_reset(adapter);
+
+ /* Re-enable TSN offloading, where applicable. */
+- igc_tsn_offload_apply(adapter);
++ igc_tsn_reset(adapter);
+
+ igc_get_phy_info(hw);
+ }
+diff --git a/drivers/net/ethernet/intel/igc/igc_tsn.c b/drivers/net/ethernet/intel/igc/igc_tsn.c
+index 2d4db2a547b26..e466088cfa3aa 100644
+--- a/drivers/net/ethernet/intel/igc/igc_tsn.c
++++ b/drivers/net/ethernet/intel/igc/igc_tsn.c
+@@ -18,8 +18,21 @@ static bool is_any_launchtime(struct igc_adapter *adapter)
+ return false;
+ }
+
++static unsigned int igc_tsn_new_flags(struct igc_adapter *adapter)
++{
++ unsigned int new_flags = adapter->flags & ~IGC_FLAG_TSN_ANY_ENABLED;
++
++ if (adapter->base_time)
++ new_flags |= IGC_FLAG_TSN_QBV_ENABLED;
++
++ if (is_any_launchtime(adapter))
++ new_flags |= IGC_FLAG_TSN_QBV_ENABLED;
++
++ return new_flags;
++}
++
+ /* Returns the TSN specific registers to their default values after
+- * TSN offloading is disabled.
++ * the adapter is reset.
+ */
+ static int igc_tsn_disable_offload(struct igc_adapter *adapter)
+ {
+@@ -27,11 +40,6 @@ static int igc_tsn_disable_offload(struct igc_adapter *adapter)
+ u32 tqavctrl;
+ int i;
+
+- if (!(adapter->flags & IGC_FLAG_TSN_QBV_ENABLED))
+- return 0;
+-
+- adapter->cycle_time = 0;
+-
+ wr32(IGC_TXPBS, I225_TXPBSIZE_DEFAULT);
+ wr32(IGC_DTXMXPKTSZ, IGC_DTXMXPKTSZ_DEFAULT);
+
+@@ -68,9 +76,6 @@ static int igc_tsn_enable_offload(struct igc_adapter *adapter)
+ ktime_t base_time, systim;
+ int i;
+
+- if (adapter->flags & IGC_FLAG_TSN_QBV_ENABLED)
+- return 0;
+-
+ cycle = adapter->cycle_time;
+ base_time = adapter->base_time;
+
+@@ -118,33 +123,41 @@ static int igc_tsn_enable_offload(struct igc_adapter *adapter)
+ wr32(IGC_BASET_H, baset_h);
+ wr32(IGC_BASET_L, baset_l);
+
+- adapter->flags |= IGC_FLAG_TSN_QBV_ENABLED;
+-
+ return 0;
+ }
+
+-int igc_tsn_offload_apply(struct igc_adapter *adapter)
++int igc_tsn_reset(struct igc_adapter *adapter)
+ {
+- bool is_any_enabled = adapter->base_time || is_any_launchtime(adapter);
++ unsigned int new_flags;
++ int err = 0;
+
+- if (!(adapter->flags & IGC_FLAG_TSN_QBV_ENABLED) && !is_any_enabled)
+- return 0;
++ new_flags = igc_tsn_new_flags(adapter);
++
++ if (!(new_flags & IGC_FLAG_TSN_ANY_ENABLED))
++ return igc_tsn_disable_offload(adapter);
++
++ err = igc_tsn_enable_offload(adapter);
++ if (err < 0)
++ return err;
+
+- if (!is_any_enabled) {
+- int err = igc_tsn_disable_offload(adapter);
++ adapter->flags = new_flags;
+
+- if (err < 0)
+- return err;
++ return err;
++}
+
+- /* The BASET registers aren't cleared when writing
+- * into them, force a reset if the interface is
+- * running.
+- */
+- if (netif_running(adapter->netdev))
+- schedule_work(&adapter->reset_task);
++int igc_tsn_offload_apply(struct igc_adapter *adapter)
++{
++ int err;
+
++ if (netif_running(adapter->netdev)) {
++ schedule_work(&adapter->reset_task);
+ return 0;
+ }
+
+- return igc_tsn_enable_offload(adapter);
++ err = igc_tsn_enable_offload(adapter);
++ if (err < 0)
++ return err;
++
++ adapter->flags = igc_tsn_new_flags(adapter);
++ return 0;
+ }
+diff --git a/drivers/net/ethernet/intel/igc/igc_tsn.h b/drivers/net/ethernet/intel/igc/igc_tsn.h
+index f76bc86ddccd9..1512307f5a528 100644
+--- a/drivers/net/ethernet/intel/igc/igc_tsn.h
++++ b/drivers/net/ethernet/intel/igc/igc_tsn.h
+@@ -5,5 +5,6 @@
+ #define _IGC_TSN_H_
+
+ int igc_tsn_offload_apply(struct igc_adapter *adapter);
++int igc_tsn_reset(struct igc_adapter *adapter);
+
+ #endif /* _IGC_BASE_H */
+--
+2.39.5
+
--- /dev/null
+From e9a7ab48ff7b179f617de0c0f47994dc3e5b7264 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 14:36:40 -0500
+Subject: lib: test_objagg: Set error message in check_expect_hints_stats()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit e6ed134a4ef592fe1fd0cafac9683813b3c8f3e8 ]
+
+Smatch complains that the error message isn't set in the caller:
+
+ lib/test_objagg.c:923 test_hints_case2()
+ error: uninitialized symbol 'errmsg'.
+
+This static checker warning only showed up after a recent refactoring
+but the bug dates back to when the code was originally added. This
+likely doesn't affect anything in real life.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/r/202506281403.DsuyHFTZ-lkp@intel.com/
+Fixes: 0a020d416d0a ("lib: introduce initial implementation of object aggregation manager")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/8548f423-2e3b-4bb7-b816-5041de2762aa@sabinyo.mountain
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/test_objagg.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/test_objagg.c b/lib/test_objagg.c
+index da137939a4100..78d25ab19a960 100644
+--- a/lib/test_objagg.c
++++ b/lib/test_objagg.c
+@@ -899,8 +899,10 @@ static int check_expect_hints_stats(struct objagg_hints *objagg_hints,
+ int err;
+
+ stats = objagg_hints_stats_get(objagg_hints);
+- if (IS_ERR(stats))
++ if (IS_ERR(stats)) {
++ *errmsg = "objagg_hints_stats_get() failed.";
+ return PTR_ERR(stats);
++ }
+ err = __check_expect_stats(stats, expect_stats, errmsg);
+ objagg_stats_put(stats);
+ return err;
+--
+2.39.5
+
--- /dev/null
+From ca2b1436423914abb43108c986a1492a338e37f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Mar 2021 23:43:45 -0600
+Subject: net: rose: Fix fall-through warnings for Clang
+
+From: Gustavo A. R. Silva <gustavoars@kernel.org>
+
+[ Upstream commit 90d181ca488f466904ea59dd5c836f766b69c71b ]
+
+In preparation to enable -Wimplicit-fallthrough for Clang, fix multiple
+warnings by explicitly adding multiple break statements instead of
+letting the code fall through to the next case.
+
+Link: https://github.com/KSPP/linux/issues/115
+Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 34a500caf48c ("rose: fix dangling neighbour pointers in rose_rt_device_down()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rose/rose_route.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
+index 981bdefd478b0..66aa05db5390f 100644
+--- a/net/rose/rose_route.c
++++ b/net/rose/rose_route.c
+@@ -347,6 +347,7 @@ static int rose_del_node(struct rose_route_struct *rose_route,
+ case 1:
+ rose_node->neighbour[1] =
+ rose_node->neighbour[2];
++ break;
+ case 2:
+ break;
+ }
+@@ -508,6 +509,7 @@ void rose_rt_device_down(struct net_device *dev)
+ fallthrough;
+ case 1:
+ t->neighbour[1] = t->neighbour[2];
++ break;
+ case 2:
+ break;
+ }
+--
+2.39.5
+
--- /dev/null
+From 9e0b93ac474e81c97c8c2d65a0c42a8971550609 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 15:27:30 +0200
+Subject: net/sched: Always pass notifications when child class becomes empty
+
+From: Lion Ackermann <nnamrec@gmail.com>
+
+[ Upstream commit 103406b38c600fec1fe375a77b27d87e314aea09 ]
+
+Certain classful qdiscs may invoke their classes' dequeue handler on an
+enqueue operation. This may unexpectedly empty the child qdisc and thus
+make an in-flight class passive via qlen_notify(). Most qdiscs do not
+expect such behaviour at this point in time and may re-activate the
+class eventually anyways which will lead to a use-after-free.
+
+The referenced fix commit attempted to fix this behavior for the HFSC
+case by moving the backlog accounting around, though this turned out to
+be incomplete since the parent's parent may run into the issue too.
+The following reproducer demonstrates this use-after-free:
+
+ tc qdisc add dev lo root handle 1: drr
+ tc filter add dev lo parent 1: basic classid 1:1
+ tc class add dev lo parent 1: classid 1:1 drr
+ tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1
+ tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0
+ tc qdisc add dev lo parent 2:1 handle 3: netem
+ tc qdisc add dev lo parent 3:1 handle 4: blackhole
+
+ echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888
+ tc class delete dev lo classid 1:1
+ echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888
+
+Since backlog accounting issues leading to a use-after-frees on stale
+class pointers is a recurring pattern at this point, this patch takes
+a different approach. Instead of trying to fix the accounting, the patch
+ensures that qdisc_tree_reduce_backlog always calls qlen_notify when
+the child qdisc is empty. This solves the problem because deletion of
+qdiscs always involves a call to qdisc_reset() and / or
+qdisc_purge_queue() which ultimately resets its qlen to 0 thus causing
+the following qdisc_tree_reduce_backlog() to report to the parent. Note
+that this may call qlen_notify on passive classes multiple times. This
+is not a problem after the recent patch series that made all the
+classful qdiscs qlen_notify() handlers idempotent.
+
+Fixes: 3f981138109f ("sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()")
+Signed-off-by: Lion Ackermann <nnamrec@gmail.com>
+Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://patch.msgid.link/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_api.c | 19 +++++--------------
+ 1 file changed, 5 insertions(+), 14 deletions(-)
+
+diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
+index b8fb94bfa9606..7fd4c94d6f464 100644
+--- a/net/sched/sch_api.c
++++ b/net/sched/sch_api.c
+@@ -768,15 +768,12 @@ static u32 qdisc_alloc_handle(struct net_device *dev)
+
+ void qdisc_tree_reduce_backlog(struct Qdisc *sch, int n, int len)
+ {
+- bool qdisc_is_offloaded = sch->flags & TCQ_F_OFFLOADED;
+ const struct Qdisc_class_ops *cops;
+ unsigned long cl;
+ u32 parentid;
+ bool notify;
+ int drops;
+
+- if (n == 0 && len == 0)
+- return;
+ drops = max_t(int, n, 0);
+ rcu_read_lock();
+ while ((parentid = sch->parent)) {
+@@ -785,17 +782,8 @@ void qdisc_tree_reduce_backlog(struct Qdisc *sch, int n, int len)
+
+ if (sch->flags & TCQ_F_NOPARENT)
+ break;
+- /* Notify parent qdisc only if child qdisc becomes empty.
+- *
+- * If child was empty even before update then backlog
+- * counter is screwed and we skip notification because
+- * parent class is already passive.
+- *
+- * If the original child was offloaded then it is allowed
+- * to be seem as empty, so the parent is notified anyway.
+- */
+- notify = !sch->q.qlen && !WARN_ON_ONCE(!n &&
+- !qdisc_is_offloaded);
++ /* Notify parent qdisc only if child qdisc becomes empty. */
++ notify = !sch->q.qlen;
+ /* TODO: perform the search on a per txq basis */
+ sch = qdisc_lookup(qdisc_dev(sch), TC_H_MAJ(parentid));
+ if (sch == NULL) {
+@@ -804,6 +792,9 @@ void qdisc_tree_reduce_backlog(struct Qdisc *sch, int n, int len)
+ }
+ cops = sch->ops->cl_ops;
+ if (notify && cops->qlen_notify) {
++ /* Note that qlen_notify must be idempotent as it may get called
++ * multiple times.
++ */
+ cl = cops->find(sch, parentid);
+ cops->qlen_notify(sch, cl);
+ }
+--
+2.39.5
+
--- /dev/null
+From 3bbd150db8821331ab5a61cc902f212d0658b0f2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jun 2025 14:52:50 -0700
+Subject: nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit e8d6f3ab59468e230f3253efe5cb63efa35289f7 ]
+
+syzbot reported a warning below [1] following a fault injection in
+nfs_fs_proc_net_init(). [0]
+
+When nfs_fs_proc_net_init() fails, /proc/net/rpc/nfs is not removed.
+
+Later, rpc_proc_exit() tries to remove /proc/net/rpc, and the warning
+is logged as the directory is not empty.
+
+Let's handle the error of nfs_fs_proc_net_init() properly.
+
+[0]:
+FAULT_INJECTION: forcing a failure.
+name failslab, interval 1, probability 0, space 0, times 0
+CPU: 1 UID: 0 PID: 6120 Comm: syz.2.27 Not tainted 6.16.0-rc1-syzkaller-00010-g2c4a1f3fe03e #0 PREEMPT(full)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
+Call Trace:
+ <TASK>
+ dump_stack_lvl (lib/dump_stack.c:123)
+ should_fail_ex (lib/fault-inject.c:73 lib/fault-inject.c:174)
+ should_failslab (mm/failslab.c:46)
+ kmem_cache_alloc_noprof (mm/slub.c:4178 mm/slub.c:4204)
+ __proc_create (fs/proc/generic.c:427)
+ proc_create_reg (fs/proc/generic.c:554)
+ proc_create_net_data (fs/proc/proc_net.c:120)
+ nfs_fs_proc_net_init (fs/nfs/client.c:1409)
+ nfs_net_init (fs/nfs/inode.c:2600)
+ ops_init (net/core/net_namespace.c:138)
+ setup_net (net/core/net_namespace.c:443)
+ copy_net_ns (net/core/net_namespace.c:576)
+ create_new_namespaces (kernel/nsproxy.c:110)
+ unshare_nsproxy_namespaces (kernel/nsproxy.c:218 (discriminator 4))
+ ksys_unshare (kernel/fork.c:3123)
+ __x64_sys_unshare (kernel/fork.c:3190)
+ do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
+ entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+ </TASK>
+
+[1]:
+remove_proc_entry: removing non-empty directory 'net/rpc', leaking at least 'nfs'
+ WARNING: CPU: 1 PID: 6120 at fs/proc/generic.c:727 remove_proc_entry+0x45e/0x530 fs/proc/generic.c:727
+Modules linked in:
+CPU: 1 UID: 0 PID: 6120 Comm: syz.2.27 Not tainted 6.16.0-rc1-syzkaller-00010-g2c4a1f3fe03e #0 PREEMPT(full)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
+ RIP: 0010:remove_proc_entry+0x45e/0x530 fs/proc/generic.c:727
+Code: 3c 02 00 0f 85 85 00 00 00 48 8b 93 d8 00 00 00 4d 89 f0 4c 89 e9 48 c7 c6 40 ba a2 8b 48 c7 c7 60 b9 a2 8b e8 33 81 1d ff 90 <0f> 0b 90 90 e9 5f fe ff ff e8 04 69 5e ff 90 48 b8 00 00 00 00 00
+RSP: 0018:ffffc90003637b08 EFLAGS: 00010282
+RAX: 0000000000000000 RBX: ffff88805f534140 RCX: ffffffff817a92c8
+RDX: ffff88807da99e00 RSI: ffffffff817a92d5 RDI: 0000000000000001
+RBP: ffff888033431ac0 R08: 0000000000000001 R09: 0000000000000000
+R10: 0000000000000001 R11: 0000000000000001 R12: ffff888033431a00
+R13: ffff888033431ae4 R14: ffff888033184724 R15: dffffc0000000000
+FS: 0000555580328500(0000) GS:ffff888124a62000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f71733743e0 CR3: 000000007f618000 CR4: 00000000003526f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ sunrpc_exit_net+0x46/0x90 net/sunrpc/sunrpc_syms.c:76
+ ops_exit_list net/core/net_namespace.c:200 [inline]
+ ops_undo_list+0x2eb/0xab0 net/core/net_namespace.c:253
+ setup_net+0x2e1/0x510 net/core/net_namespace.c:457
+ copy_net_ns+0x2a6/0x5f0 net/core/net_namespace.c:574
+ create_new_namespaces+0x3ea/0xa90 kernel/nsproxy.c:110
+ unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:218
+ ksys_unshare+0x45b/0xa40 kernel/fork.c:3121
+ __do_sys_unshare kernel/fork.c:3192 [inline]
+ __se_sys_unshare kernel/fork.c:3190 [inline]
+ __x64_sys_unshare+0x31/0x40 kernel/fork.c:3190
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xcd/0x490 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7fa1a6b8e929
+Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fff3a090368 EFLAGS: 00000246 ORIG_RAX: 0000000000000110
+RAX: ffffffffffffffda RBX: 00007fa1a6db5fa0 RCX: 00007fa1a6b8e929
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000040000080
+RBP: 00007fa1a6c10b39 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007fa1a6db5fa0 R14: 00007fa1a6db5fa0 R15: 0000000000000001
+ </TASK>
+
+Fixes: d47151b79e32 ("nfs: expose /proc/net/sunrpc/nfs in net namespaces")
+Reported-by: syzbot+a4cc4ac22daa4a71b87c@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=a4cc4ac22daa4a71b87c
+Tested-by: syzbot+a4cc4ac22daa4a71b87c@syzkaller.appspotmail.com
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/inode.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
+index d82eb1b2164f3..3e3114a9d1937 100644
+--- a/fs/nfs/inode.c
++++ b/fs/nfs/inode.c
+@@ -2227,15 +2227,26 @@ EXPORT_SYMBOL_GPL(nfs_net_id);
+ static int nfs_net_init(struct net *net)
+ {
+ struct nfs_net *nn = net_generic(net, nfs_net_id);
++ int err;
+
+ nfs_clients_init(net);
+
+ if (!rpc_proc_register(net, &nn->rpcstats)) {
+- nfs_clients_exit(net);
+- return -ENOMEM;
++ err = -ENOMEM;
++ goto err_proc_rpc;
+ }
+
+- return nfs_fs_proc_net_init(net);
++ err = nfs_fs_proc_net_init(net);
++ if (err)
++ goto err_proc_nfs;
++
++ return 0;
++
++err_proc_nfs:
++ rpc_proc_unregister(net, "nfs");
++err_proc_rpc:
++ nfs_clients_exit(net);
++ return err;
+ }
+
+ static void nfs_net_exit(struct net *net)
+--
+2.39.5
+
--- /dev/null
+From b72c829033ab380aa3d8d2c1a1ecfd1fcadd2a96 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Jun 2025 11:02:21 -0400
+Subject: NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN
+
+From: Benjamin Coddington <bcodding@redhat.com>
+
+[ Upstream commit c01776287414ca43412d1319d2877cbad65444ac ]
+
+We found a few different systems hung up in writeback waiting on the same
+page lock, and one task waiting on the NFS_LAYOUT_DRAIN bit in
+pnfs_update_layout(), however the pnfs_layout_hdr's plh_outstanding count
+was zero.
+
+It seems most likely that this is another race between the waiter and waker
+similar to commit ed0172af5d6f ("SUNRPC: Fix a race to wake a sync task").
+Fix it up by applying the advised barrier.
+
+Fixes: 880265c77ac4 ("pNFS: Avoid a live lock condition in pnfs_update_layout()")
+Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/pnfs.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
+index 1800836306a5d..758689877d85d 100644
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -1934,8 +1934,10 @@ static void nfs_layoutget_begin(struct pnfs_layout_hdr *lo)
+ static void nfs_layoutget_end(struct pnfs_layout_hdr *lo)
+ {
+ if (atomic_dec_and_test(&lo->plh_outstanding) &&
+- test_and_clear_bit(NFS_LAYOUT_DRAIN, &lo->plh_flags))
++ test_and_clear_bit(NFS_LAYOUT_DRAIN, &lo->plh_flags)) {
++ smp_mb__after_atomic();
+ wake_up_bit(&lo->plh_flags, NFS_LAYOUT_DRAIN);
++ }
+ }
+
+ static bool pnfs_is_first_layoutget(struct pnfs_layout_hdr *lo)
+--
+2.39.5
+
--- /dev/null
+From d0056a3bb4ab0690166aedd1bf1fb3d9dbbc619f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 10:36:43 +0200
+Subject: nui: Fix dma_mapping_error() check
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 561aa0e22b70a5e7246b73d62a824b3aef3fc375 ]
+
+dma_map_XXX() functions return values DMA_MAPPING_ERROR as error values
+which is often ~0. The error value should be tested with
+dma_mapping_error().
+
+This patch creates a new function in niu_ops to test if the mapping
+failed. The test is fixed in niu_rbr_add_page(), added in
+niu_start_xmit() and the successfully mapped pages are unmaped upon error.
+
+Fixes: ec2deec1f352 ("niu: Fix to check for dma mapping errors.")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sun/niu.c | 31 ++++++++++++++++++++++++++++++-
+ drivers/net/ethernet/sun/niu.h | 4 ++++
+ 2 files changed, 34 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/sun/niu.c b/drivers/net/ethernet/sun/niu.c
+index 1a269fa8c1a07..6a626b1b02338 100644
+--- a/drivers/net/ethernet/sun/niu.c
++++ b/drivers/net/ethernet/sun/niu.c
+@@ -3317,7 +3317,7 @@ static int niu_rbr_add_page(struct niu *np, struct rx_ring_info *rp,
+
+ addr = np->ops->map_page(np->device, page, 0,
+ PAGE_SIZE, DMA_FROM_DEVICE);
+- if (!addr) {
++ if (np->ops->mapping_error(np->device, addr)) {
+ __free_page(page);
+ return -ENOMEM;
+ }
+@@ -6654,6 +6654,8 @@ static netdev_tx_t niu_start_xmit(struct sk_buff *skb,
+ len = skb_headlen(skb);
+ mapping = np->ops->map_single(np->device, skb->data,
+ len, DMA_TO_DEVICE);
++ if (np->ops->mapping_error(np->device, mapping))
++ goto out_drop;
+
+ prod = rp->prod;
+
+@@ -6695,6 +6697,8 @@ static netdev_tx_t niu_start_xmit(struct sk_buff *skb,
+ mapping = np->ops->map_page(np->device, skb_frag_page(frag),
+ skb_frag_off(frag), len,
+ DMA_TO_DEVICE);
++ if (np->ops->mapping_error(np->device, mapping))
++ goto out_unmap;
+
+ rp->tx_buffs[prod].skb = NULL;
+ rp->tx_buffs[prod].mapping = mapping;
+@@ -6719,6 +6723,19 @@ static netdev_tx_t niu_start_xmit(struct sk_buff *skb,
+ out:
+ return NETDEV_TX_OK;
+
++out_unmap:
++ while (i--) {
++ const skb_frag_t *frag;
++
++ prod = PREVIOUS_TX(rp, prod);
++ frag = &skb_shinfo(skb)->frags[i];
++ np->ops->unmap_page(np->device, rp->tx_buffs[prod].mapping,
++ skb_frag_size(frag), DMA_TO_DEVICE);
++ }
++
++ np->ops->unmap_single(np->device, rp->tx_buffs[rp->prod].mapping,
++ skb_headlen(skb), DMA_TO_DEVICE);
++
+ out_drop:
+ rp->tx_errors++;
+ kfree_skb(skb);
+@@ -9612,6 +9629,11 @@ static void niu_pci_unmap_single(struct device *dev, u64 dma_address,
+ dma_unmap_single(dev, dma_address, size, direction);
+ }
+
++static int niu_pci_mapping_error(struct device *dev, u64 addr)
++{
++ return dma_mapping_error(dev, addr);
++}
++
+ static const struct niu_ops niu_pci_ops = {
+ .alloc_coherent = niu_pci_alloc_coherent,
+ .free_coherent = niu_pci_free_coherent,
+@@ -9619,6 +9641,7 @@ static const struct niu_ops niu_pci_ops = {
+ .unmap_page = niu_pci_unmap_page,
+ .map_single = niu_pci_map_single,
+ .unmap_single = niu_pci_unmap_single,
++ .mapping_error = niu_pci_mapping_error,
+ };
+
+ static void niu_driver_version(void)
+@@ -9993,6 +10016,11 @@ static void niu_phys_unmap_single(struct device *dev, u64 dma_address,
+ /* Nothing to do. */
+ }
+
++static int niu_phys_mapping_error(struct device *dev, u64 dma_address)
++{
++ return false;
++}
++
+ static const struct niu_ops niu_phys_ops = {
+ .alloc_coherent = niu_phys_alloc_coherent,
+ .free_coherent = niu_phys_free_coherent,
+@@ -10000,6 +10028,7 @@ static const struct niu_ops niu_phys_ops = {
+ .unmap_page = niu_phys_unmap_page,
+ .map_single = niu_phys_map_single,
+ .unmap_single = niu_phys_unmap_single,
++ .mapping_error = niu_phys_mapping_error,
+ };
+
+ static int niu_of_probe(struct platform_device *op)
+diff --git a/drivers/net/ethernet/sun/niu.h b/drivers/net/ethernet/sun/niu.h
+index 04c215f91fc08..0b169c08b0f2d 100644
+--- a/drivers/net/ethernet/sun/niu.h
++++ b/drivers/net/ethernet/sun/niu.h
+@@ -2879,6 +2879,9 @@ struct tx_ring_info {
+ #define NEXT_TX(tp, index) \
+ (((index) + 1) < (tp)->pending ? ((index) + 1) : 0)
+
++#define PREVIOUS_TX(tp, index) \
++ (((index) - 1) >= 0 ? ((index) - 1) : (((tp)->pending) - 1))
++
+ static inline u32 niu_tx_avail(struct tx_ring_info *tp)
+ {
+ return (tp->pending -
+@@ -3140,6 +3143,7 @@ struct niu_ops {
+ enum dma_data_direction direction);
+ void (*unmap_single)(struct device *dev, u64 dma_address,
+ size_t size, enum dma_data_direction direction);
++ int (*mapping_error)(struct device *dev, u64 dma_address);
+ };
+
+ struct niu_link_config {
+--
+2.39.5
+
--- /dev/null
+From 68a08cf6155c096e602cd0885783dce5ca0dcf78 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Jun 2025 21:46:08 +0000
+Subject: platform/mellanox: mlxbf-tmfifo: fix vring_desc.len assignment
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: David Thompson <davthompson@nvidia.com>
+
+[ Upstream commit 109f4d29dade8ae5b4ac6325af9d1bc24b4230f8 ]
+
+Fix warnings reported by sparse, related to incorrect type:
+drivers/platform/mellanox/mlxbf-tmfifo.c:284:38: warning: incorrect type in assignment (different base types)
+drivers/platform/mellanox/mlxbf-tmfifo.c:284:38: expected restricted __virtio32 [usertype] len
+drivers/platform/mellanox/mlxbf-tmfifo.c:284:38: got unsigned long
+
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202404040339.S7CUIgf3-lkp@intel.com/
+Fixes: 78034cbece79 ("platform/mellanox: mlxbf-tmfifo: Drop the Rx packet if no more descriptors")
+Signed-off-by: David Thompson <davthompson@nvidia.com>
+Link: https://lore.kernel.org/r/20250613214608.2250130-1-davthompson@nvidia.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/mellanox/mlxbf-tmfifo.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/platform/mellanox/mlxbf-tmfifo.c b/drivers/platform/mellanox/mlxbf-tmfifo.c
+index 767f4406e55f1..1eb7f4eb1156c 100644
+--- a/drivers/platform/mellanox/mlxbf-tmfifo.c
++++ b/drivers/platform/mellanox/mlxbf-tmfifo.c
+@@ -253,7 +253,8 @@ static int mlxbf_tmfifo_alloc_vrings(struct mlxbf_tmfifo *fifo,
+ vring->align = SMP_CACHE_BYTES;
+ vring->index = i;
+ vring->vdev_id = tm_vdev->vdev.id.device;
+- vring->drop_desc.len = VRING_DROP_DESC_MAX_LEN;
++ vring->drop_desc.len = cpu_to_virtio32(&tm_vdev->vdev,
++ VRING_DROP_DESC_MAX_LEN);
+ dev = &tm_vdev->vdev.dev;
+
+ size = vring_size(vring->num, vring->align);
+--
+2.39.5
+
--- /dev/null
+From 896bd9f8500aba3c0abf836bde61f52d4c5274bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 May 2025 19:52:37 +0530
+Subject: powerpc: Fix struct termio related ioctl macros
+
+From: Madhavan Srinivasan <maddy@linux.ibm.com>
+
+[ Upstream commit ab107276607af90b13a5994997e19b7b9731e251 ]
+
+Since termio interface is now obsolete, include/uapi/asm/ioctls.h
+has some constant macros referring to "struct termio", this caused
+build failure at userspace.
+
+In file included from /usr/include/asm/ioctl.h:12,
+ from /usr/include/asm/ioctls.h:5,
+ from tst-ioctls.c:3:
+tst-ioctls.c: In function 'get_TCGETA':
+tst-ioctls.c:12:10: error: invalid application of 'sizeof' to incomplete type 'struct termio'
+ 12 | return TCGETA;
+ | ^~~~~~
+
+Even though termios.h provides "struct termio", trying to juggle definitions around to
+make it compile could introduce regressions. So better to open code it.
+
+Reported-by: Tulio Magno <tuliom@ascii.art.br>
+Suggested-by: Nicholas Piggin <npiggin@gmail.com>
+Tested-by: Justin M. Forbes <jforbes@fedoraproject.org>
+Reviewed-by: Michael Ellerman <mpe@ellerman.id.au>
+Closes: https://lore.kernel.org/linuxppc-dev/8734dji5wl.fsf@ascii.art.br/
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/20250517142237.156665-1-maddy@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/uapi/asm/ioctls.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/powerpc/include/uapi/asm/ioctls.h b/arch/powerpc/include/uapi/asm/ioctls.h
+index 2c145da3b774a..b5211e413829a 100644
+--- a/arch/powerpc/include/uapi/asm/ioctls.h
++++ b/arch/powerpc/include/uapi/asm/ioctls.h
+@@ -23,10 +23,10 @@
+ #define TCSETSW _IOW('t', 21, struct termios)
+ #define TCSETSF _IOW('t', 22, struct termios)
+
+-#define TCGETA _IOR('t', 23, struct termio)
+-#define TCSETA _IOW('t', 24, struct termio)
+-#define TCSETAW _IOW('t', 25, struct termio)
+-#define TCSETAF _IOW('t', 28, struct termio)
++#define TCGETA 0x40147417 /* _IOR('t', 23, struct termio) */
++#define TCSETA 0x80147418 /* _IOW('t', 24, struct termio) */
++#define TCSETAW 0x80147419 /* _IOW('t', 25, struct termio) */
++#define TCSETAF 0x8014741c /* _IOW('t', 28, struct termio) */
+
+ #define TCSBRK _IO('t', 29)
+ #define TCXONC _IO('t', 30)
+--
+2.39.5
+
--- /dev/null
+From d2ba555904179e71b344d842bba6a28762028edc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 19:34:48 +0200
+Subject: rcu: Return early if callback is not specified
+
+From: Uladzislau Rezki (Sony) <urezki@gmail.com>
+
+[ Upstream commit 33b6a1f155d627f5bd80c7485c598ce45428f74f ]
+
+Currently the call_rcu() API does not check whether a callback
+pointer is NULL. If NULL is passed, rcu_core() will try to invoke
+it, resulting in NULL pointer dereference and a kernel crash.
+
+To prevent this and improve debuggability, this patch adds a check
+for NULL and emits a kernel stack trace to help identify a faulty
+caller.
+
+Signed-off-by: Uladzislau Rezki (Sony) <urezki@gmail.com>
+Reviewed-by: Joel Fernandes <joelagnelf@nvidia.com>
+Signed-off-by: Joel Fernandes <joelagnelf@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/rcu/tree.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c
+index 06bfe61d3cd38..c4eb06d37ae91 100644
+--- a/kernel/rcu/tree.c
++++ b/kernel/rcu/tree.c
+@@ -2959,6 +2959,10 @@ __call_rcu(struct rcu_head *head, rcu_callback_t func)
+ /* Misaligned rcu_head! */
+ WARN_ON_ONCE((unsigned long)head & (sizeof(void *) - 1));
+
++ /* Avoid NULL dereference if callback is NULL. */
++ if (WARN_ON_ONCE(!func))
++ return;
++
+ if (debug_rcu_head_queue(head)) {
+ /*
+ * Probable double call_rcu(), so leak the callback.
+--
+2.39.5
+
--- /dev/null
+From d5e45fa2111142e3eacbefe45687964aa8787259 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Jun 2025 12:14:53 +0300
+Subject: RDMA/mlx5: Fix CC counters query for MPV
+
+From: Patrisious Haddad <phaddad@nvidia.com>
+
+[ Upstream commit acd245b1e33fc4b9d0f2e3372021d632f7ee0652 ]
+
+In case, CC counters are querying for the second port use the correct
+core device for the query instead of always using the master core device.
+
+Fixes: aac4492ef23a ("IB/mlx5: Update counter implementation for dual port RoCE")
+Signed-off-by: Patrisious Haddad <phaddad@nvidia.com>
+Reviewed-by: Michael Guralnik <michaelgur@nvidia.com>
+Link: https://patch.msgid.link/9cace74dcf106116118bebfa9146d40d4166c6b0.1750064969.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/counters.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/counters.c b/drivers/infiniband/hw/mlx5/counters.c
+index f6bae1f7545b5..33636268d43d9 100644
+--- a/drivers/infiniband/hw/mlx5/counters.c
++++ b/drivers/infiniband/hw/mlx5/counters.c
+@@ -279,7 +279,7 @@ static int mlx5_ib_get_hw_stats(struct ib_device *ibdev,
+ */
+ goto done;
+ }
+- ret = mlx5_lag_query_cong_counters(dev->mdev,
++ ret = mlx5_lag_query_cong_counters(mdev,
+ stats->value +
+ cnts->num_q_counters,
+ cnts->num_cong_counters,
+--
+2.39.5
+
--- /dev/null
+From 6e4af26b0baab69f9e4c3f9fad27bb6317e1ff69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jun 2025 11:13:55 +0300
+Subject: RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert
+
+From: Mark Zhang <markzhang@nvidia.com>
+
+[ Upstream commit 8edab8a72d67742f87e9dc2e2b0cdfddda5dc29a ]
+
+The obj_event may be loaded immediately after inserted, then if the
+list_head is not initialized then we may get a poisonous pointer. This
+fixes the crash below:
+
+ mlx5_core 0000:03:00.0: MLX5E: StrdRq(1) RqSz(8) StrdSz(2048) RxCqeCmprss(0 enhanced)
+ mlx5_core.sf mlx5_core.sf.4: firmware version: 32.38.3056
+ mlx5_core 0000:03:00.0 en3f0pf0sf2002: renamed from eth0
+ mlx5_core.sf mlx5_core.sf.4: Rate limit: 127 rates are supported, range: 0Mbps to 195312Mbps
+ IPv6: ADDRCONF(NETDEV_CHANGE): en3f0pf0sf2002: link becomes ready
+ Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060
+ Mem abort info:
+ ESR = 0x96000006
+ EC = 0x25: DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ Data abort info:
+ ISV = 0, ISS = 0x00000006
+ CM = 0, WnR = 0
+ user pgtable: 4k pages, 48-bit VAs, pgdp=00000007760fb000
+ [0000000000000060] pgd=000000076f6d7003, p4d=000000076f6d7003, pud=0000000777841003, pmd=0000000000000000
+ Internal error: Oops: 96000006 [#1] SMP
+ Modules linked in: ipmb_host(OE) act_mirred(E) cls_flower(E) sch_ingress(E) mptcp_diag(E) udp_diag(E) raw_diag(E) unix_diag(E) tcp_diag(E) inet_diag(E) binfmt_misc(E) bonding(OE) rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) isofs(E) cdrom(E) mst_pciconf(OE) ib_umad(OE) mlx5_ib(OE) ipmb_dev_int(OE) mlx5_core(OE) kpatch_15237886(OEK) mlxdevm(OE) auxiliary(OE) ib_uverbs(OE) ib_core(OE) psample(E) mlxfw(OE) tls(E) sunrpc(E) vfat(E) fat(E) crct10dif_ce(E) ghash_ce(E) sha1_ce(E) sbsa_gwdt(E) virtio_console(E) ext4(E) mbcache(E) jbd2(E) xfs(E) libcrc32c(E) mmc_block(E) virtio_net(E) net_failover(E) failover(E) sha2_ce(E) sha256_arm64(E) nvme(OE) nvme_core(OE) gpio_mlxbf3(OE) mlx_compat(OE) mlxbf_pmc(OE) i2c_mlxbf(OE) sdhci_of_dwcmshc(OE) pinctrl_mlxbf3(OE) mlxbf_pka(OE) gpio_generic(E) i2c_core(E) mmc_core(E) mlxbf_gige(OE) vitesse(E) pwr_mlxbf(OE) mlxbf_tmfifo(OE) micrel(E) mlxbf_bootctl(OE) virtio_ring(E) virtio(E) ipmi_devintf(E) ipmi_msghandler(E)
+ [last unloaded: mst_pci]
+ CPU: 11 PID: 20913 Comm: rte-worker-11 Kdump: loaded Tainted: G OE K 5.10.134-13.1.an8.aarch64 #1
+ Hardware name: https://www.mellanox.com BlueField-3 SmartNIC Main Card/BlueField-3 SmartNIC Main Card, BIOS 4.2.2.12968 Oct 26 2023
+ pstate: a0400089 (NzCv daIf +PAN -UAO -TCO BTYPE=--)
+ pc : dispatch_event_fd+0x68/0x300 [mlx5_ib]
+ lr : devx_event_notifier+0xcc/0x228 [mlx5_ib]
+ sp : ffff80001005bcf0
+ x29: ffff80001005bcf0 x28: 0000000000000001
+ x27: ffff244e0740a1d8 x26: ffff244e0740a1d0
+ x25: ffffda56beff5ae0 x24: ffffda56bf911618
+ x23: ffff244e0596a480 x22: ffff244e0596a480
+ x21: ffff244d8312ad90 x20: ffff244e0596a480
+ x19: fffffffffffffff0 x18: 0000000000000000
+ x17: 0000000000000000 x16: ffffda56be66d620
+ x15: 0000000000000000 x14: 0000000000000000
+ x13: 0000000000000000 x12: 0000000000000000
+ x11: 0000000000000040 x10: ffffda56bfcafb50
+ x9 : ffffda5655c25f2c x8 : 0000000000000010
+ x7 : 0000000000000000 x6 : ffff24545a2e24b8
+ x5 : 0000000000000003 x4 : ffff80001005bd28
+ x3 : 0000000000000000 x2 : 0000000000000000
+ x1 : ffff244e0596a480 x0 : ffff244d8312ad90
+ Call trace:
+ dispatch_event_fd+0x68/0x300 [mlx5_ib]
+ devx_event_notifier+0xcc/0x228 [mlx5_ib]
+ atomic_notifier_call_chain+0x58/0x80
+ mlx5_eq_async_int+0x148/0x2b0 [mlx5_core]
+ atomic_notifier_call_chain+0x58/0x80
+ irq_int_handler+0x20/0x30 [mlx5_core]
+ __handle_irq_event_percpu+0x60/0x220
+ handle_irq_event_percpu+0x3c/0x90
+ handle_irq_event+0x58/0x158
+ handle_fasteoi_irq+0xfc/0x188
+ generic_handle_irq+0x34/0x48
+ ...
+
+Fixes: 759738537142 ("IB/mlx5: Enable subscription for device events over DEVX")
+Link: https://patch.msgid.link/r/3ce7f20e0d1a03dc7de6e57494ec4b8eaf1f05c2.1750147949.git.leon@kernel.org
+Signed-off-by: Mark Zhang <markzhang@nvidia.com>
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/devx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/devx.c b/drivers/infiniband/hw/mlx5/devx.c
+index f67ebd9f3cdd1..301c061bb3190 100644
+--- a/drivers/infiniband/hw/mlx5/devx.c
++++ b/drivers/infiniband/hw/mlx5/devx.c
+@@ -1809,6 +1809,7 @@ subscribe_event_xa_alloc(struct mlx5_devx_event_table *devx_event_table,
+ /* Level1 is valid for future use, no need to free */
+ return -ENOMEM;
+
++ INIT_LIST_HEAD(&obj_event->obj_sub_list);
+ err = xa_insert(&event->object_ids,
+ key_level2,
+ obj_event,
+@@ -1817,7 +1818,6 @@ subscribe_event_xa_alloc(struct mlx5_devx_event_table *devx_event_table,
+ kfree(obj_event);
+ return err;
+ }
+- INIT_LIST_HEAD(&obj_event->obj_sub_list);
+ }
+
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From f1909d4ab2f953fbb939b5b3be0c85dc963ed9bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 29 Jun 2025 12:06:31 +0900
+Subject: rose: fix dangling neighbour pointers in rose_rt_device_down()
+
+From: Kohei Enju <enjuk@amazon.com>
+
+[ Upstream commit 34a500caf48c47d5171f4aa1f237da39b07c6157 ]
+
+There are two bugs in rose_rt_device_down() that can cause
+use-after-free:
+
+1. The loop bound `t->count` is modified within the loop, which can
+ cause the loop to terminate early and miss some entries.
+
+2. When removing an entry from the neighbour array, the subsequent entries
+ are moved up to fill the gap, but the loop index `i` is still
+ incremented, causing the next entry to be skipped.
+
+For example, if a node has three neighbours (A, A, B) with count=3 and A
+is being removed, the second A is not checked.
+
+ i=0: (A, A, B) -> (A, B) with count=2
+ ^ checked
+ i=1: (A, B) -> (A, B) with count=2
+ ^ checked (B, not A!)
+ i=2: (doesn't occur because i < count is false)
+
+This leaves the second A in the array with count=2, but the rose_neigh
+structure has been freed. Code that accesses these entries assumes that
+the first `count` entries are valid pointers, causing a use-after-free
+when it accesses the dangling pointer.
+
+Fix both issues by iterating over the array in reverse order with a fixed
+loop bound. This ensures that all entries are examined and that the removal
+of an entry doesn't affect subsequent iterations.
+
+Reported-by: syzbot+e04e2c007ba2c80476cb@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=e04e2c007ba2c80476cb
+Tested-by: syzbot+e04e2c007ba2c80476cb@syzkaller.appspotmail.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kohei Enju <enjuk@amazon.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250629030833.6680-1-enjuk@amazon.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rose/rose_route.c | 15 ++++-----------
+ 1 file changed, 4 insertions(+), 11 deletions(-)
+
+diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
+index 66aa05db5390f..d0112f1863850 100644
+--- a/net/rose/rose_route.c
++++ b/net/rose/rose_route.c
+@@ -497,22 +497,15 @@ void rose_rt_device_down(struct net_device *dev)
+ t = rose_node;
+ rose_node = rose_node->next;
+
+- for (i = 0; i < t->count; i++) {
++ for (i = t->count - 1; i >= 0; i--) {
+ if (t->neighbour[i] != s)
+ continue;
+
+ t->count--;
+
+- switch (i) {
+- case 0:
+- t->neighbour[0] = t->neighbour[1];
+- fallthrough;
+- case 1:
+- t->neighbour[1] = t->neighbour[2];
+- break;
+- case 2:
+- break;
+- }
++ memmove(&t->neighbour[i], &t->neighbour[i + 1],
++ sizeof(t->neighbour[0]) *
++ (t->count - i));
+ }
+
+ if (t->count <= 0)
+--
+2.39.5
+
--- /dev/null
+From 214c2cd5e78f496c60981a3837fabdea2e646d2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jun 2025 18:11:11 +0200
+Subject: scsi: qla2xxx: Fix DMA mapping test in qla24xx_get_port_database()
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit c3b214719a87735d4f67333a8ef3c0e31a34837c ]
+
+dma_map_XXX() functions return as error values DMA_MAPPING_ERROR which is
+often ~0. The error value should be tested with dma_mapping_error() like
+it was done in qla26xx_dport_diagnostics().
+
+Fixes: 818c7f87a177 ("scsi: qla2xxx: Add changes in preparation for vendor extended FDMI/RDP")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://lore.kernel.org/r/20250617161115.39888-2-fourier.thomas@gmail.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_mbx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_mbx.c b/drivers/scsi/qla2xxx/qla_mbx.c
+index 21ba7100ff676..8b7c71e779a78 100644
+--- a/drivers/scsi/qla2xxx/qla_mbx.c
++++ b/drivers/scsi/qla2xxx/qla_mbx.c
+@@ -2097,7 +2097,7 @@ qla24xx_get_port_database(scsi_qla_host_t *vha, u16 nport_handle,
+
+ pdb_dma = dma_map_single(&vha->hw->pdev->dev, pdb,
+ sizeof(*pdb), DMA_FROM_DEVICE);
+- if (!pdb_dma) {
++ if (dma_mapping_error(&vha->hw->pdev->dev, pdb_dma)) {
+ ql_log(ql_log_warn, vha, 0x1116, "Failed to map dma buffer.\n");
+ return QLA_MEMORY_ALLOC_FAILED;
+ }
+--
+2.39.5
+
--- /dev/null
+From 73bb58e680bcc4a703fa5aa83d86ca8ffd8673e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 09:17:37 +0200
+Subject: scsi: qla4xxx: Fix missing DMA mapping error in qla4xxx_alloc_pdu()
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 00f452a1b084efbe8dcb60a29860527944a002a1 ]
+
+dma_map_XXX() can fail and should be tested for errors with
+dma_mapping_error().
+
+Fixes: b3a271a94d00 ("[SCSI] qla4xxx: support iscsiadm session mgmt")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://lore.kernel.org/r/20250618071742.21822-2-fourier.thomas@gmail.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla4xxx/ql4_os.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c
+index 05ae9b1157096..f02d8bbea3e51 100644
+--- a/drivers/scsi/qla4xxx/ql4_os.c
++++ b/drivers/scsi/qla4xxx/ql4_os.c
+@@ -3425,6 +3425,8 @@ static int qla4xxx_alloc_pdu(struct iscsi_task *task, uint8_t opcode)
+ task_data->data_dma = dma_map_single(&ha->pdev->dev, task->data,
+ task->data_count,
+ DMA_TO_DEVICE);
++ if (dma_mapping_error(&ha->pdev->dev, task_data->data_dma))
++ return -ENOMEM;
+ }
+
+ DEBUG2(ql4_printk(KERN_INFO, ha, "%s: MaxRecvLen %u, iscsi hrd %d\n",
+--
+2.39.5
+
--- /dev/null
+From 1a715f1837eca19d42906b049fb4fe255bfc05db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jun 2025 12:15:56 +0200
+Subject: scsi: target: Fix NULL pointer dereference in
+ core_scsi3_decode_spec_i_port()
+
+From: Maurizio Lombardi <mlombard@redhat.com>
+
+[ Upstream commit d8ab68bdb294b09a761e967dad374f2965e1913f ]
+
+The function core_scsi3_decode_spec_i_port(), in its error code path,
+unconditionally calls core_scsi3_lunacl_undepend_item() passing the
+dest_se_deve pointer, which may be NULL.
+
+This can lead to a NULL pointer dereference if dest_se_deve remains
+unset.
+
+SPC-3 PR SPEC_I_PT: Unable to locate dest_tpg
+Unable to handle kernel paging request at virtual address dfff800000000012
+Call trace:
+ core_scsi3_lunacl_undepend_item+0x2c/0xf0 [target_core_mod] (P)
+ core_scsi3_decode_spec_i_port+0x120c/0x1c30 [target_core_mod]
+ core_scsi3_emulate_pro_register+0x6b8/0xcd8 [target_core_mod]
+ target_scsi3_emulate_pr_out+0x56c/0x840 [target_core_mod]
+
+Fix this by adding a NULL check before calling
+core_scsi3_lunacl_undepend_item()
+
+Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
+Link: https://lore.kernel.org/r/20250612101556.24829-1-mlombard@redhat.com
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Reviewed-by: John Meneghini <jmeneghi@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/target_core_pr.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/target/target_core_pr.c b/drivers/target/target_core_pr.c
+index b42193c554fb2..2bc849799739e 100644
+--- a/drivers/target/target_core_pr.c
++++ b/drivers/target/target_core_pr.c
+@@ -1858,7 +1858,9 @@ core_scsi3_decode_spec_i_port(
+ }
+
+ kmem_cache_free(t10_pr_reg_cache, dest_pr_reg);
+- core_scsi3_lunacl_undepend_item(dest_se_deve);
++
++ if (dest_se_deve)
++ core_scsi3_lunacl_undepend_item(dest_se_deve);
+
+ if (is_local)
+ continue;
+--
+2.39.5
+
--- /dev/null
+From 346be70ae1879c15c625268287ebe4bca5a81a7c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jun 2025 11:16:44 -0700
+Subject: scsi: ufs: core: Fix spelling of a sysfs attribute name
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit 021f243627ead17eb6500170256d3d9be787dad8 ]
+
+Change "resourse" into "resource" in the name of a sysfs attribute.
+
+Fixes: d829fc8a1058 ("scsi: ufs: sysfs: unit descriptor")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://lore.kernel.org/r/20250624181658.336035-1-bvanassche@acm.org
+Reviewed-by: Avri Altman <avri.altman@sandisk.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/ABI/testing/sysfs-driver-ufs | 2 +-
+ drivers/scsi/ufs/ufs-sysfs.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/Documentation/ABI/testing/sysfs-driver-ufs b/Documentation/ABI/testing/sysfs-driver-ufs
+index adc0d0e916078..00d8bd574d1a0 100644
+--- a/Documentation/ABI/testing/sysfs-driver-ufs
++++ b/Documentation/ABI/testing/sysfs-driver-ufs
+@@ -655,7 +655,7 @@ Description: This file shows the thin provisioning type. This is one of
+
+ The file is read only.
+
+-What: /sys/class/scsi_device/*/device/unit_descriptor/physical_memory_resourse_count
++What: /sys/class/scsi_device/*/device/unit_descriptor/physical_memory_resource_count
+ Date: February 2018
+ Contact: Stanislav Nijnikov <stanislav.nijnikov@wdc.com>
+ Description: This file shows the total physical memory resources. This is
+diff --git a/drivers/scsi/ufs/ufs-sysfs.c b/drivers/scsi/ufs/ufs-sysfs.c
+index 34b424ad96a20..32b6fe493ae98 100644
+--- a/drivers/scsi/ufs/ufs-sysfs.c
++++ b/drivers/scsi/ufs/ufs-sysfs.c
+@@ -806,7 +806,7 @@ UFS_UNIT_DESC_PARAM(logical_block_size, _LOGICAL_BLK_SIZE, 1);
+ UFS_UNIT_DESC_PARAM(logical_block_count, _LOGICAL_BLK_COUNT, 8);
+ UFS_UNIT_DESC_PARAM(erase_block_size, _ERASE_BLK_SIZE, 4);
+ UFS_UNIT_DESC_PARAM(provisioning_type, _PROVISIONING_TYPE, 1);
+-UFS_UNIT_DESC_PARAM(physical_memory_resourse_count, _PHY_MEM_RSRC_CNT, 8);
++UFS_UNIT_DESC_PARAM(physical_memory_resource_count, _PHY_MEM_RSRC_CNT, 8);
+ UFS_UNIT_DESC_PARAM(context_capabilities, _CTX_CAPABILITIES, 2);
+ UFS_UNIT_DESC_PARAM(large_unit_granularity, _LARGE_UNIT_SIZE_M1, 1);
+ UFS_UNIT_DESC_PARAM(wb_buf_alloc_units, _WB_BUF_ALLOC_UNITS, 4);
+@@ -823,7 +823,7 @@ static struct attribute *ufs_sysfs_unit_descriptor[] = {
+ &dev_attr_logical_block_count.attr,
+ &dev_attr_erase_block_size.attr,
+ &dev_attr_provisioning_type.attr,
+- &dev_attr_physical_memory_resourse_count.attr,
++ &dev_attr_physical_memory_resource_count.attr,
+ &dev_attr_context_capabilities.attr,
+ &dev_attr_large_unit_granularity.attr,
+ &dev_attr_wb_buf_alloc_units.attr,
+--
+2.39.5
+
revert-mmc-sdhci-disable-sd-card-clock-before-changing-parameters.patch
usb-typec-altmodes-displayport-do-not-index-invalid-pin_assignments.patch
mtk-sd-fix-a-pagefault-in-dma_unmap_sg-for-not-prepared-data.patch
+platform-mellanox-mlxbf-tmfifo-fix-vring_desc.len-as.patch
+rdma-mlx5-initialize-obj_event-obj_sub_list-before-x.patch
+nfs-clean-up-proc-net-rpc-nfs-when-nfs_fs_proc_net_i.patch
+nfsv4-pnfs-fix-a-race-to-wake-on-nfs_layout_drain.patch
+scsi-qla2xxx-fix-dma-mapping-test-in-qla24xx_get_por.patch
+scsi-qla4xxx-fix-missing-dma-mapping-error-in-qla4xx.patch
+scsi-ufs-core-fix-spelling-of-a-sysfs-attribute-name.patch
+rdma-mlx5-fix-cc-counters-query-for-mpv.patch
+btrfs-fix-missing-error-handling-when-searching-for-.patch
+drm-exynos-fimd-guard-display-clock-control-with-run.patch
+spi-spi-fsl-dspi-clear-completion-counter-before-ini.patch
+drm-i915-selftests-change-mock_request-to-return-err.patch
+drm-i915-gt-fix-timeline-left-held-on-vma-alloc-erro.patch
+igc-add-new-device-id.patch
+igc-simplify-tsn-flags-handling.patch
+igc-remove-i226-qbv-basetime-restriction.patch
+igc-disable-l1.2-pci-e-link-substate-to-avoid-perfor.patch
+lib-test_objagg-set-error-message-in-check_expect_hi.patch
+amd-xgbe-align-cl37-an-sequence-as-per-databook.patch
+enic-fix-incorrect-mtu-comparison-in-enic_change_mtu.patch
+net-rose-fix-fall-through-warnings-for-clang.patch
+rose-fix-dangling-neighbour-pointers-in-rose_rt_devi.patch
+nui-fix-dma_mapping_error-check.patch
+net-sched-always-pass-notifications-when-child-class.patch
+alsa-sb-force-to-disable-dmas-once-when-dma-mode-is-.patch
+ata-pata_cs5536-fix-build-on-32-bit-uml.patch
+powerpc-fix-struct-termio-related-ioctl-macros.patch
+scsi-target-fix-null-pointer-dereference-in-core_scs.patch
+wifi-mac80211-drop-invalid-source-address-ocb-frames.patch
+wifi-ath6kl-remove-warn-on-bad-firmware-input.patch
+acpica-refuse-to-evaluate-a-method-if-arguments-are-.patch
+rcu-return-early-if-callback-is-not-specified.patch
--- /dev/null
+From 133a9dd1f61d6ca41fc62c6998d5582c37ec0bcc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 11:21:37 +0100
+Subject: spi: spi-fsl-dspi: Clear completion counter before initiating
+ transfer
+
+From: James Clark <james.clark@linaro.org>
+
+[ Upstream commit fa60c094c19b97e103d653f528f8d9c178b6a5f5 ]
+
+In target mode, extra interrupts can be received between the end of a
+transfer and halting the module if the host continues sending more data.
+If the interrupt from this occurs after the reinit_completion() then the
+completion counter is left at a non-zero value. The next unrelated
+transfer initiated by userspace will then complete immediately without
+waiting for the interrupt or writing to the RX buffer.
+
+Fix it by resetting the counter before the transfer so that lingering
+values are cleared. This is done after clearing the FIFOs and the
+status register but before the transfer is initiated, so no interrupts
+should be received at this point resulting in other race conditions.
+
+Fixes: 4f5ee75ea171 ("spi: spi-fsl-dspi: Replace interruptible wait queue with a simple completion")
+Signed-off-by: James Clark <james.clark@linaro.org>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Link: https://patch.msgid.link/20250627-james-nxp-spi-dma-v4-1-178dba20c120@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-fsl-dspi.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-fsl-dspi.c b/drivers/spi/spi-fsl-dspi.c
+index eda7ed618369d..580fdcbcd9b6c 100644
+--- a/drivers/spi/spi-fsl-dspi.c
++++ b/drivers/spi/spi-fsl-dspi.c
+@@ -964,11 +964,20 @@ static int dspi_transfer_one_message(struct spi_controller *ctlr,
+ if (dspi->devtype_data->trans_mode == DSPI_DMA_MODE) {
+ status = dspi_dma_xfer(dspi);
+ } else {
++ /*
++ * Reinitialize the completion before transferring data
++ * to avoid the case where it might remain in the done
++ * state due to a spurious interrupt from a previous
++ * transfer. This could falsely signal that the current
++ * transfer has completed.
++ */
++ if (dspi->irq)
++ reinit_completion(&dspi->xfer_done);
++
+ dspi_fifo_write(dspi);
+
+ if (dspi->irq) {
+ wait_for_completion(&dspi->xfer_done);
+- reinit_completion(&dspi->xfer_done);
+ } else {
+ do {
+ status = dspi_poll(dspi);
+--
+2.39.5
+
--- /dev/null
+From 7609b9d65b1acb4f1cc38a80c5f19882d14339e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jun 2025 11:45:29 +0200
+Subject: wifi: ath6kl: remove WARN on bad firmware input
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit e7417421d89358da071fd2930f91e67c7128fbff ]
+
+If the firmware gives bad input, that's nothing to do with
+the driver's stack at this point etc., so the WARN_ON()
+doesn't add any value. Additionally, this is one of the
+top syzbot reports now. Just print a message, and as an
+added bonus, print the sizes too.
+
+Reported-by: syzbot+92c6dd14aaa230be6855@syzkaller.appspotmail.com
+Tested-by: syzbot+92c6dd14aaa230be6855@syzkaller.appspotmail.com
+Acked-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250617114529.031a677a348e.I58bf1eb4ac16a82c546725ff010f3f0d2b0cca49@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath6kl/bmi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath6kl/bmi.c b/drivers/net/wireless/ath/ath6kl/bmi.c
+index af98e871199d3..5a9e93fd1ef42 100644
+--- a/drivers/net/wireless/ath/ath6kl/bmi.c
++++ b/drivers/net/wireless/ath/ath6kl/bmi.c
+@@ -87,7 +87,9 @@ int ath6kl_bmi_get_target_info(struct ath6kl *ar,
+ * We need to do some backwards compatibility to make this work.
+ */
+ if (le32_to_cpu(targ_info->byte_count) != sizeof(*targ_info)) {
+- WARN_ON(1);
++ ath6kl_err("mismatched byte count %d vs. expected %zd\n",
++ le32_to_cpu(targ_info->byte_count),
++ sizeof(*targ_info));
+ return -EINVAL;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 8bdf210960af295e80c4f3e26d778cab7693e8a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Jun 2025 17:18:38 +0200
+Subject: wifi: mac80211: drop invalid source address OCB frames
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit d1b1a5eb27c4948e8811cf4dbb05aaf3eb10700c ]
+
+In OCB, don't accept frames from invalid source addresses
+(and in particular don't try to create stations for them),
+drop the frames instead.
+
+Reported-by: syzbot+8b512026a7ec10dcbdd9@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/r/6788d2d9.050a0220.20d369.0028.GAE@google.com/
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Tested-by: syzbot+8b512026a7ec10dcbdd9@syzkaller.appspotmail.com
+Link: https://patch.msgid.link/20250616171838.7433379cab5d.I47444d63c72a0bd58d2e2b67bb99e1fea37eec6f@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/rx.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
+index 65fea564c9c00..b46c4c770608c 100644
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -4097,6 +4097,10 @@ static bool ieee80211_accept_frame(struct ieee80211_rx_data *rx)
+ if (!multicast &&
+ !ether_addr_equal(sdata->dev->dev_addr, hdr->addr1))
+ return false;
++ /* reject invalid/our STA address */
++ if (!is_valid_ether_addr(hdr->addr2) ||
++ ether_addr_equal(sdata->dev->dev_addr, hdr->addr2))
++ return false;
+ if (!rx->sta) {
+ int rate_idx;
+ if (status->encoding != RX_ENC_LEGACY)
+--
+2.39.5
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
