--- /dev/null
+From stable+bounces-196779-greg=kroah.com@vger.kernel.org Mon Nov 24 19:31:48 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Nov 2025 13:31:40 -0500
+Subject: ata: libata-scsi: Fix system suspend for a security locked drive
+To: stable@vger.kernel.org
+Cc: Niklas Cassel <cassel@kernel.org>, Ilia Baryshnikov <qwelias@gmail.com>, Hannes Reinecke <hare@suse.de>, "Martin K. Petersen" <martin.petersen@oracle.com>, Damien Le Moal <dlemoal@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251124183140.4185297-1-sashal@kernel.org>
+
+From: Niklas Cassel <cassel@kernel.org>
+
+[ Upstream commit b11890683380a36b8488229f818d5e76e8204587 ]
+
+Commit cf3fc037623c ("ata: libata-scsi: Fix ata_to_sense_error() status
+handling") fixed ata_to_sense_error() to properly generate sense key
+ABORTED COMMAND (without any additional sense code), instead of the
+previous bogus sense key ILLEGAL REQUEST with the additional sense code
+UNALIGNED WRITE COMMAND, for a failed command.
+
+However, this broke suspend for Security locked drives (drives that have
+Security enabled, and have not been Security unlocked by boot firmware).
+
+The reason for this is that the SCSI disk driver, for the Synchronize
+Cache command only, treats any sense data with sense key ILLEGAL REQUEST
+as a successful command (regardless of ASC / ASCQ).
+
+After commit cf3fc037623c ("ata: libata-scsi: Fix ata_to_sense_error()
+status handling") the code that treats any sense data with sense key
+ILLEGAL REQUEST as a successful command is no longer applicable, so the
+command fails, which causes the system suspend to be aborted:
+
+ sd 1:0:0:0: PM: dpm_run_callback(): scsi_bus_suspend returns -5
+ sd 1:0:0:0: PM: failed to suspend async: error -5
+ PM: Some devices failed to suspend, or early wake event detected
+
+To make suspend work once again, for a Security locked device only,
+return sense data LOGICAL UNIT ACCESS NOT AUTHORIZED, the actual sense
+data which a real SCSI device would have returned if locked.
+The SCSI disk driver treats this sense data as a successful command.
+
+Cc: stable@vger.kernel.org
+Reported-by: Ilia Baryshnikov <qwelias@gmail.com>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220704
+Fixes: cf3fc037623c ("ata: libata-scsi: Fix ata_to_sense_error() status handling")
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+[ Adjust context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libata-scsi.c | 8 ++++++++
+ include/linux/ata.h | 1 +
+ 2 files changed, 9 insertions(+)
+
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -996,6 +996,14 @@ static void ata_gen_ata_sense(struct ata
+ ata_scsi_set_sense(dev, cmd, NOT_READY, 0x04, 0x21);
+ return;
+ }
++
++ if (ata_id_is_locked(dev->id)) {
++ /* Security locked */
++ /* LOGICAL UNIT ACCESS NOT AUTHORIZED */
++ ata_scsi_set_sense(dev, cmd, DATA_PROTECT, 0x74, 0x71);
++ return;
++ }
++
+ /* Use ata_to_sense_error() to map status register bits
+ * onto sense key, asc & ascq.
+ */
+--- a/include/linux/ata.h
++++ b/include/linux/ata.h
+@@ -558,6 +558,7 @@ struct ata_bmdma_prd {
+ #define ata_id_has_ncq(id) ((id)[ATA_ID_SATA_CAPABILITY] & (1 << 8))
+ #define ata_id_queue_depth(id) (((id)[ATA_ID_QUEUE_DEPTH] & 0x1f) + 1)
+ #define ata_id_removable(id) ((id)[ATA_ID_CONFIG] & (1 << 7))
++#define ata_id_is_locked(id) (((id)[ATA_ID_DLF] & 0x7) == 0x7)
+ #define ata_id_has_atapi_AN(id) \
+ ((((id)[ATA_ID_SATA_CAPABILITY] != 0x0000) && \
+ ((id)[ATA_ID_SATA_CAPABILITY] != 0xffff)) && \
--- /dev/null
+From stable+bounces-196802-greg=kroah.com@vger.kernel.org Mon Nov 24 22:01:07 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Nov 2025 16:00:59 -0500
+Subject: dt-bindings: pinctrl: toshiba,visconti: Fix number of items in groups
+To: stable@vger.kernel.org
+Cc: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>, Conor Dooley <conor.dooley@microchip.com>, Linus Walleij <linus.walleij@linaro.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251124210059.28607-1-sashal@kernel.org>
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 316e361b5d2cdeb8d778983794a1c6eadcb26814 ]
+
+The "groups" property can hold multiple entries (e.g.
+toshiba/tmpv7708-rm-mbrc.dts file), so allow that by dropping incorrect
+type (pinmux-node.yaml schema already defines that as string-array) and
+adding constraints for items. This fixes dtbs_check warnings like:
+
+ toshiba/tmpv7708-rm-mbrc.dtb: pinctrl@24190000 (toshiba,tmpv7708-pinctrl):
+ pwm-pins:groups: ['pwm0_gpio16_grp', 'pwm1_gpio17_grp', 'pwm2_gpio18_grp', 'pwm3_gpio19_grp'] is too long
+
+Fixes: 1825c1fe0057 ("pinctrl: Add DT bindings for Toshiba Visconti TMPV7700 SoC")
+Cc: stable@vger.kernel.org
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Acked-by: Conor Dooley <conor.dooley@microchip.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+[ adjusted $ref context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/pinctrl/toshiba,visconti-pinctrl.yaml | 26 +++++-----
+ 1 file changed, 14 insertions(+), 12 deletions(-)
+
+--- a/Documentation/devicetree/bindings/pinctrl/toshiba,visconti-pinctrl.yaml
++++ b/Documentation/devicetree/bindings/pinctrl/toshiba,visconti-pinctrl.yaml
+@@ -50,18 +50,20 @@ patternProperties:
+ groups:
+ description:
+ Name of the pin group to use for the functions.
+- $ref: "/schemas/types.yaml#/definitions/string"
+- enum: [i2c0_grp, i2c1_grp, i2c2_grp, i2c3_grp, i2c4_grp,
+- i2c5_grp, i2c6_grp, i2c7_grp, i2c8_grp,
+- spi0_grp, spi0_cs0_grp, spi0_cs1_grp, spi0_cs2_grp,
+- spi1_grp, spi2_grp, spi3_grp, spi4_grp, spi5_grp, spi6_grp,
+- uart0_grp, uart1_grp, uart2_grp, uart3_grp,
+- pwm0_gpio4_grp, pwm0_gpio8_grp, pwm0_gpio12_grp,
+- pwm0_gpio16_grp, pwm1_gpio5_grp, pwm1_gpio9_grp,
+- pwm1_gpio13_grp, pwm1_gpio17_grp, pwm2_gpio6_grp,
+- pwm2_gpio10_grp, pwm2_gpio14_grp, pwm2_gpio18_grp,
+- pwm3_gpio7_grp, pwm3_gpio11_grp, pwm3_gpio15_grp,
+- pwm3_gpio19_grp, pcmif_out_grp, pcmif_in_grp]
++ items:
++ enum: [i2c0_grp, i2c1_grp, i2c2_grp, i2c3_grp, i2c4_grp,
++ i2c5_grp, i2c6_grp, i2c7_grp, i2c8_grp,
++ spi0_grp, spi0_cs0_grp, spi0_cs1_grp, spi0_cs2_grp,
++ spi1_grp, spi2_grp, spi3_grp, spi4_grp, spi5_grp, spi6_grp,
++ uart0_grp, uart1_grp, uart2_grp, uart3_grp,
++ pwm0_gpio4_grp, pwm0_gpio8_grp, pwm0_gpio12_grp,
++ pwm0_gpio16_grp, pwm1_gpio5_grp, pwm1_gpio9_grp,
++ pwm1_gpio13_grp, pwm1_gpio17_grp, pwm2_gpio6_grp,
++ pwm2_gpio10_grp, pwm2_gpio14_grp, pwm2_gpio18_grp,
++ pwm3_gpio7_grp, pwm3_gpio11_grp, pwm3_gpio15_grp,
++ pwm3_gpio19_grp, pcmif_out_grp, pcmif_in_grp]
++ minItems: 1
++ maxItems: 8
+
+ drive-strength:
+ enum: [2, 4, 6, 8, 16, 24, 32]
--- /dev/null
+From stable+bounces-196757-greg=kroah.com@vger.kernel.org Mon Nov 24 16:17:23 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Nov 2025 10:17:15 -0500
+Subject: HID: amd_sfh: Stop sensor before starting
+To: stable@vger.kernel.org
+Cc: "Mario Limonciello (AMD)" <superm1@kernel.org>, Titas <novatitas366@gmail.com>, Jiri Kosina <jkosina@suse.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251124151715.4125733-1-sashal@kernel.org>
+
+From: "Mario Limonciello (AMD)" <superm1@kernel.org>
+
+[ Upstream commit 4d3a13afa8b64dc49293b3eab3e7beac11072c12 ]
+
+Titas reports that the accelerometer sensor on their laptop only
+works after a warm boot or unloading/reloading the amd-sfh kernel
+module.
+
+Presumably the sensor is in a bad state on cold boot and failing to
+start, so explicitly stop it before starting.
+
+Cc: stable@vger.kernel.org
+Fixes: 93ce5e0231d79 ("HID: amd_sfh: Implement SFH1.1 functionality")
+Reported-by: Titas <novatitas366@gmail.com>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220670
+Tested-by: Titas <novatitas366@gmail.com>
+Signed-off-by: Mario Limonciello (AMD) <superm1@kernel.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+[ Adjust context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c
++++ b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c
+@@ -163,6 +163,8 @@ static int amd_sfh1_1_hid_client_init(st
+ if (rc)
+ goto cleanup;
+
++ mp2_ops->stop(privdata, cl_data->sensor_idx[i]);
++ amd_sfh_wait_for_response(privdata, cl_data->sensor_idx[i], DISABLE_SENSOR);
+ writel(0, privdata->mmio + AMD_P2C_MSG(0));
+ mp2_ops->start(privdata, info);
+ status = amd_sfh_wait_for_response
--- /dev/null
+From 91a54090026f84ceffaa12ac53c99b9f162946f6 Mon Sep 17 00:00:00 2001
+From: Martin Kaiser <martin@kaiser.cx>
+Date: Thu, 30 Oct 2025 16:55:05 +0100
+Subject: maple_tree: fix tracepoint string pointers
+
+From: Martin Kaiser <martin@kaiser.cx>
+
+commit 91a54090026f84ceffaa12ac53c99b9f162946f6 upstream.
+
+maple_tree tracepoints contain pointers to function names. Such a pointer
+is saved when a tracepoint logs an event. There's no guarantee that it's
+still valid when the event is parsed later and the pointer is dereferenced.
+
+The kernel warns about these unsafe pointers.
+
+ event 'ma_read' has unsafe pointer field 'fn'
+ WARNING: kernel/trace/trace.c:3779 at ignore_event+0x1da/0x1e4
+
+Mark the function names as tracepoint_string() to fix the events.
+
+One case that doesn't work without my patch would be trace-cmd record
+to save the binary ringbuffer and trace-cmd report to parse it in
+userspace. The address of __func__ can't be dereferenced from
+userspace but tracepoint_string will add an entry to
+/sys/kernel/tracing/printk_formats
+
+Link: https://lkml.kernel.org/r/20251030155537.87972-1-martin@kaiser.cx
+Fixes: 54a611b60590 ("Maple Tree: add new data structure")
+Signed-off-by: Martin Kaiser <martin@kaiser.cx>
+Acked-by: Liam R. Howlett <Liam.Howlett@oracle.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/maple_tree.c | 30 ++++++++++++++++--------------
+ 1 file changed, 16 insertions(+), 14 deletions(-)
+
+--- a/lib/maple_tree.c
++++ b/lib/maple_tree.c
+@@ -62,6 +62,8 @@
+ #define CREATE_TRACE_POINTS
+ #include <trace/events/maple_tree.h>
+
++#define TP_FCT tracepoint_string(__func__)
++
+ #define MA_ROOT_PARENT 1
+
+ /*
+@@ -3165,7 +3167,7 @@ static inline int mas_rebalance(struct m
+ MA_STATE(l_mas, mas->tree, mas->index, mas->last);
+ MA_STATE(r_mas, mas->tree, mas->index, mas->last);
+
+- trace_ma_op(__func__, mas);
++ trace_ma_op(TP_FCT, mas);
+
+ /*
+ * Rebalancing occurs if a node is insufficient. Data is rebalanced
+@@ -3542,7 +3544,7 @@ static int mas_split(struct ma_state *ma
+ MA_STATE(prev_r_mas, mas->tree, mas->index, mas->last);
+ MA_TOPIARY(mat, mas->tree);
+
+- trace_ma_op(__func__, mas);
++ trace_ma_op(TP_FCT, mas);
+ mas->depth = mas_mt_height(mas);
+ /* Allocation failures will happen early. */
+ mas_node_count(mas, 1 + mas->depth * 2);
+@@ -3786,7 +3788,7 @@ static bool mas_is_span_wr(struct ma_wr_
+ return false;
+ }
+
+- trace_ma_write(__func__, wr_mas->mas, piv, entry);
++ trace_ma_write(TP_FCT, wr_mas->mas, piv, entry);
+
+ return true;
+ }
+@@ -4035,7 +4037,7 @@ static inline int mas_wr_spanning_store(
+ * of data may happen.
+ */
+ mas = wr_mas->mas;
+- trace_ma_op(__func__, mas);
++ trace_ma_op(TP_FCT, mas);
+
+ if (unlikely(!mas->index && mas->last == ULONG_MAX))
+ return mas_new_root(mas, wr_mas->entry);
+@@ -4221,7 +4223,7 @@ done:
+ } else {
+ memcpy(wr_mas->node, newnode, sizeof(struct maple_node));
+ }
+- trace_ma_write(__func__, mas, 0, wr_mas->entry);
++ trace_ma_write(TP_FCT, mas, 0, wr_mas->entry);
+ mas_update_gap(mas);
+ return true;
+ }
+@@ -4276,7 +4278,7 @@ static inline bool mas_wr_slot_store(str
+ mas->offset++; /* Keep mas accurate. */
+
+ done:
+- trace_ma_write(__func__, mas, 0, wr_mas->entry);
++ trace_ma_write(TP_FCT, mas, 0, wr_mas->entry);
+ mas_update_gap(mas);
+ return true;
+ }
+@@ -4377,7 +4379,7 @@ static void mas_wr_bnode(struct ma_wr_st
+ {
+ struct maple_big_node b_node;
+
+- trace_ma_write(__func__, wr_mas->mas, 0, wr_mas->entry);
++ trace_ma_write(TP_FCT, wr_mas->mas, 0, wr_mas->entry);
+ memset(&b_node, 0, sizeof(struct maple_big_node));
+ mas_store_b_node(wr_mas, &b_node, wr_mas->offset_end);
+ mas_commit_b_node(wr_mas, &b_node, wr_mas->node_end);
+@@ -5722,7 +5724,7 @@ void *mas_store(struct ma_state *mas, vo
+ {
+ MA_WR_STATE(wr_mas, mas, entry);
+
+- trace_ma_write(__func__, mas, 0, entry);
++ trace_ma_write(TP_FCT, mas, 0, entry);
+ #ifdef CONFIG_DEBUG_MAPLE_TREE
+ if (mas->index > mas->last)
+ pr_err("Error %lu > %lu %p\n", mas->index, mas->last, entry);
+@@ -5760,7 +5762,7 @@ int mas_store_gfp(struct ma_state *mas,
+ MA_WR_STATE(wr_mas, mas, entry);
+
+ mas_wr_store_setup(&wr_mas);
+- trace_ma_write(__func__, mas, 0, entry);
++ trace_ma_write(TP_FCT, mas, 0, entry);
+ retry:
+ mas_wr_store_entry(&wr_mas);
+ if (unlikely(mas_nomem(mas, gfp)))
+@@ -5784,7 +5786,7 @@ void mas_store_prealloc(struct ma_state
+ MA_WR_STATE(wr_mas, mas, entry);
+
+ mas_wr_store_setup(&wr_mas);
+- trace_ma_write(__func__, mas, 0, entry);
++ trace_ma_write(TP_FCT, mas, 0, entry);
+ mas_wr_store_entry(&wr_mas);
+ BUG_ON(mas_is_err(mas));
+ mas_destroy(mas);
+@@ -6249,7 +6251,7 @@ void *mtree_load(struct maple_tree *mt,
+ MA_STATE(mas, mt, index, index);
+ void *entry;
+
+- trace_ma_read(__func__, &mas);
++ trace_ma_read(TP_FCT, &mas);
+ rcu_read_lock();
+ retry:
+ entry = mas_start(&mas);
+@@ -6292,7 +6294,7 @@ int mtree_store_range(struct maple_tree
+ MA_STATE(mas, mt, index, last);
+ MA_WR_STATE(wr_mas, &mas, entry);
+
+- trace_ma_write(__func__, &mas, 0, entry);
++ trace_ma_write(TP_FCT, &mas, 0, entry);
+ if (WARN_ON_ONCE(xa_is_advanced(entry)))
+ return -EINVAL;
+
+@@ -6467,7 +6469,7 @@ void *mtree_erase(struct maple_tree *mt,
+ void *entry = NULL;
+
+ MA_STATE(mas, mt, index, index);
+- trace_ma_op(__func__, &mas);
++ trace_ma_op(TP_FCT, &mas);
+
+ mtree_lock(mt);
+ entry = mas_erase(&mas);
+@@ -6527,7 +6529,7 @@ void *mt_find(struct maple_tree *mt, uns
+ unsigned long copy = *index;
+ #endif
+
+- trace_ma_read(__func__, &mas);
++ trace_ma_read(TP_FCT, &mas);
+
+ if ((*index) > max)
+ return NULL;
--- /dev/null
+From stable+bounces-196803-greg=kroah.com@vger.kernel.org Mon Nov 24 22:18:31 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Nov 2025 16:18:03 -0500
+Subject: mm/mempool: fix poisoning order>0 pages with HIGHMEM
+To: stable@vger.kernel.org
+Cc: Vlastimil Babka <vbabka@suse.cz>, kernel test robot <oliver.sang@intel.com>, Christoph Hellwig <hch@lst.de>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251124211803.34596-2-sashal@kernel.org>
+
+From: Vlastimil Babka <vbabka@suse.cz>
+
+[ Upstream commit ec33b59542d96830e3c89845ff833cf7b25ef172 ]
+
+The kernel test has reported:
+
+ BUG: unable to handle page fault for address: fffba000
+ #PF: supervisor write access in kernel mode
+ #PF: error_code(0x0002) - not-present page
+ *pde = 03171067 *pte = 00000000
+ Oops: Oops: 0002 [#1]
+ CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Tainted: G T 6.18.0-rc2-00031-gec7f31b2a2d3 #1 NONE a1d066dfe789f54bc7645c7989957d2bdee593ca
+ Tainted: [T]=RANDSTRUCT
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+ EIP: memset (arch/x86/include/asm/string_32.h:168 arch/x86/lib/memcpy_32.c:17)
+ Code: a5 8b 4d f4 83 e1 03 74 02 f3 a4 83 c4 04 5e 5f 5d 2e e9 73 41 01 00 90 90 90 3e 8d 74 26 00 55 89 e5 57 56 89 c6 89 d0 89 f7 <f3> aa 89 f0 5e 5f 5d 2e e9 53 41 01 00 cc cc cc 55 89 e5 53 57 56
+ EAX: 0000006b EBX: 00000015 ECX: 001fefff EDX: 0000006b
+ ESI: fffb9000 EDI: fffba000 EBP: c611fbf0 ESP: c611fbe8
+ DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068 EFLAGS: 00010287
+ CR0: 80050033 CR2: fffba000 CR3: 0316e000 CR4: 00040690
+ Call Trace:
+ poison_element (mm/mempool.c:83 mm/mempool.c:102)
+ mempool_init_node (mm/mempool.c:142 mm/mempool.c:226)
+ mempool_init_noprof (mm/mempool.c:250 (discriminator 1))
+ ? mempool_alloc_pages (mm/mempool.c:640)
+ bio_integrity_initfn (block/bio-integrity.c:483 (discriminator 8))
+ ? mempool_alloc_pages (mm/mempool.c:640)
+ do_one_initcall (init/main.c:1283)
+
+Christoph found out this is due to the poisoning code not dealing
+properly with CONFIG_HIGHMEM because only the first page is mapped but
+then the whole potentially high-order page is accessed.
+
+We could give up on HIGHMEM here, but it's straightforward to fix this
+with a loop that's mapping, poisoning or checking and unmapping
+individual pages.
+
+Reported-by: kernel test robot <oliver.sang@intel.com>
+Closes: https://lore.kernel.org/oe-lkp/202511111411.9ebfa1ba-lkp@intel.com
+Analyzed-by: Christoph Hellwig <hch@lst.de>
+Fixes: bdfedb76f4f5 ("mm, mempool: poison elements backed by slab allocator")
+Cc: stable@vger.kernel.org
+Tested-by: kernel test robot <oliver.sang@intel.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://patch.msgid.link/20251113-mempool-poison-v1-1-233b3ef984c3@suse.cz
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/mempool.c | 32 ++++++++++++++++++++++++++------
+ 1 file changed, 26 insertions(+), 6 deletions(-)
+
+--- a/mm/mempool.c
++++ b/mm/mempool.c
+@@ -62,10 +62,20 @@ static void check_element(mempool_t *poo
+ } else if (pool->free == mempool_free_pages) {
+ /* Mempools backed by page allocator */
+ int order = (int)(long)pool->pool_data;
+- void *addr = kmap_local_page((struct page *)element);
+
+- __check_element(pool, addr, 1UL << (PAGE_SHIFT + order));
+- kunmap_local(addr);
++#ifdef CONFIG_HIGHMEM
++ for (int i = 0; i < (1 << order); i++) {
++ struct page *page = (struct page *)element;
++ void *addr = kmap_local_page(page + i);
++
++ __check_element(pool, addr, PAGE_SIZE);
++ kunmap_local(addr);
++ }
++#else
++ void *addr = page_address((struct page *)element);
++
++ __check_element(pool, addr, PAGE_SIZE << order);
++#endif
+ }
+ }
+
+@@ -85,10 +95,20 @@ static void poison_element(mempool_t *po
+ } else if (pool->alloc == mempool_alloc_pages) {
+ /* Mempools backed by page allocator */
+ int order = (int)(long)pool->pool_data;
+- void *addr = kmap_local_page((struct page *)element);
+
+- __poison_element(addr, 1UL << (PAGE_SHIFT + order));
+- kunmap_local(addr);
++#ifdef CONFIG_HIGHMEM
++ for (int i = 0; i < (1 << order); i++) {
++ struct page *page = (struct page *)element;
++ void *addr = kmap_local_page(page + i);
++
++ __poison_element(addr, PAGE_SIZE);
++ kunmap_local(addr);
++ }
++#else
++ void *addr = page_address((struct page *)element);
++
++ __poison_element(addr, PAGE_SIZE << order);
++#endif
+ }
+ }
+ #else /* CONFIG_DEBUG_SLAB || CONFIG_SLUB_DEBUG_ON */
--- /dev/null
+From stable+bounces-196804-greg=kroah.com@vger.kernel.org Mon Nov 24 22:18:32 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Nov 2025 16:18:02 -0500
+Subject: mm/mempool: replace kmap_atomic() with kmap_local_page()
+To: stable@vger.kernel.org
+Cc: "Fabio M. De Francesco" <fabio.maria.de.francesco@linux.intel.com>, Ira Weiny <ira.weiny@intel.com>, Andrew Morton <akpm@linux-foundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251124211803.34596-1-sashal@kernel.org>
+
+From: "Fabio M. De Francesco" <fabio.maria.de.francesco@linux.intel.com>
+
+[ Upstream commit f2bcc99a5e901a13b754648d1dbab60f4adf9375 ]
+
+kmap_atomic() has been deprecated in favor of kmap_local_page().
+
+Therefore, replace kmap_atomic() with kmap_local_page().
+
+kmap_atomic() is implemented like a kmap_local_page() which also disables
+page-faults and preemption (the latter only in !PREEMPT_RT kernels). The
+kernel virtual addresses returned by these two API are only valid in the
+context of the callers (i.e., they cannot be handed to other threads).
+
+With kmap_local_page() the mappings are per thread and CPU local like in
+kmap_atomic(); however, they can handle page-faults and can be called from
+any context (including interrupts). The tasks that call kmap_local_page()
+can be preempted and, when they are scheduled to run again, the kernel
+virtual addresses are restored and are still valid.
+
+The code blocks between the mappings and un-mappings don't rely on the
+above-mentioned side effects of kmap_atomic(), so that mere replacements
+of the old API with the new one is all that they require (i.e., there is
+no need to explicitly call pagefault_disable() and/or preempt_disable()).
+
+Link: https://lkml.kernel.org/r/20231120142640.7077-1-fabio.maria.de.francesco@linux.intel.com
+Signed-off-by: Fabio M. De Francesco <fabio.maria.de.francesco@linux.intel.com>
+Cc: Ira Weiny <ira.weiny@intel.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Stable-dep-of: ec33b59542d9 ("mm/mempool: fix poisoning order>0 pages with HIGHMEM")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/mempool.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/mm/mempool.c
++++ b/mm/mempool.c
+@@ -62,10 +62,10 @@ static void check_element(mempool_t *poo
+ } else if (pool->free == mempool_free_pages) {
+ /* Mempools backed by page allocator */
+ int order = (int)(long)pool->pool_data;
+- void *addr = kmap_atomic((struct page *)element);
++ void *addr = kmap_local_page((struct page *)element);
+
+ __check_element(pool, addr, 1UL << (PAGE_SHIFT + order));
+- kunmap_atomic(addr);
++ kunmap_local(addr);
+ }
+ }
+
+@@ -85,10 +85,10 @@ static void poison_element(mempool_t *po
+ } else if (pool->alloc == mempool_alloc_pages) {
+ /* Mempools backed by page allocator */
+ int order = (int)(long)pool->pool_data;
+- void *addr = kmap_atomic((struct page *)element);
++ void *addr = kmap_local_page((struct page *)element);
+
+ __poison_element(addr, 1UL << (PAGE_SHIFT + order));
+- kunmap_atomic(addr);
++ kunmap_local(addr);
+ }
+ }
+ #else /* CONFIG_DEBUG_SLAB || CONFIG_SLUB_DEBUG_ON */
--- /dev/null
+From fa04f5b60fda62c98a53a60de3a1e763f11feb41 Mon Sep 17 00:00:00 2001
+From: Kiryl Shutsemau <kas@kernel.org>
+Date: Mon, 27 Oct 2025 11:56:36 +0000
+Subject: mm/truncate: unmap large folio on split failure
+
+From: Kiryl Shutsemau <kas@kernel.org>
+
+commit fa04f5b60fda62c98a53a60de3a1e763f11feb41 upstream.
+
+Accesses within VMA, but beyond i_size rounded up to PAGE_SIZE are
+supposed to generate SIGBUS.
+
+This behavior might not be respected on truncation.
+
+During truncation, the kernel splits a large folio in order to reclaim
+memory. As a side effect, it unmaps the folio and destroys PMD mappings
+of the folio. The folio will be refaulted as PTEs and SIGBUS semantics
+are preserved.
+
+However, if the split fails, PMD mappings are preserved and the user will
+not receive SIGBUS on any accesses within the PMD.
+
+Unmap the folio on split failure. It will lead to refault as PTEs and
+preserve SIGBUS semantics.
+
+Make an exception for shmem/tmpfs that for long time intentionally mapped
+with PMDs across i_size.
+
+Link: https://lkml.kernel.org/r/20251027115636.82382-3-kirill@shutemov.name
+Fixes: b9a8a4195c7d ("truncate,shmem: Handle truncates that split large folios")
+Signed-off-by: Kiryl Shutsemau <kas@kernel.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Baolin Wang <baolin.wang@linux.alibaba.com>
+Cc: Christian Brauner <brauner@kernel.org>
+Cc: "Darrick J. Wong" <djwong@kernel.org>
+Cc: Dave Chinner <david@fromorbit.com>
+Cc: David Hildenbrand <david@redhat.com>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Liam Howlett <liam.howlett@oracle.com>
+Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
+Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Mike Rapoport <rppt@kernel.org>
+Cc: Rik van Riel <riel@surriel.com>
+Cc: Shakeel Butt <shakeel.butt@linux.dev>
+Cc: Suren Baghdasaryan <surenb@google.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Kiryl Shutsemau <kas@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/truncate.c | 27 ++++++++++++++++++++++++++-
+ 1 file changed, 26 insertions(+), 1 deletion(-)
+
+--- a/mm/truncate.c
++++ b/mm/truncate.c
+@@ -196,6 +196,31 @@ int truncate_inode_folio(struct address_
+ return 0;
+ }
+
++static int try_folio_split_or_unmap(struct folio *folio)
++{
++ enum ttu_flags ttu_flags =
++ TTU_SYNC |
++ TTU_SPLIT_HUGE_PMD |
++ TTU_IGNORE_MLOCK;
++ int ret;
++
++ ret = split_folio(folio);
++
++ /*
++ * If the split fails, unmap the folio, so it will be refaulted
++ * with PTEs to respect SIGBUS semantics.
++ *
++ * Make an exception for shmem/tmpfs that for long time
++ * intentionally mapped with PMDs across i_size.
++ */
++ if (ret && !shmem_mapping(folio->mapping)) {
++ try_to_unmap(folio, ttu_flags);
++ WARN_ON(folio_mapped(folio));
++ }
++
++ return ret;
++}
++
+ /*
+ * Handle partial folios. The folio may be entirely within the
+ * range if a split has raced with us. If not, we zero the part of the
+@@ -239,7 +264,7 @@ bool truncate_inode_partial_folio(struct
+ folio_invalidate(folio, offset, length);
+ if (!folio_test_large(folio))
+ return true;
+- if (split_folio(folio) == 0)
++ if (try_folio_split_or_unmap(folio) == 0)
+ return true;
+ if (folio_test_dirty(folio))
+ return false;
--- /dev/null
+From stable+bounces-196920-greg=kroah.com@vger.kernel.org Tue Nov 25 16:54:45 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Nov 2025 10:54:29 -0500
+Subject: mptcp: decouple mptcp fastclose from tcp close
+To: stable@vger.kernel.org
+Cc: Paolo Abeni <pabeni@redhat.com>, Geliang Tang <geliang@kernel.org>, "Matthieu Baerts (NGI0)" <matttbe@kernel.org>, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251125155429.693062-1-sashal@kernel.org>
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit fff0c87996672816a84c3386797a5e69751c5888 ]
+
+With the current fastclose implementation, the mptcp_do_fastclose()
+helper is in charge of two distinct actions: send the fastclose reset
+and cleanup the subflows.
+
+Formally decouple the two steps, ensuring that mptcp explicitly closes
+all the subflows after the mentioned helper.
+
+This will make the upcoming fix simpler, and allows dropping the 2nd
+argument from mptcp_destroy_common(). The Fixes tag is then the same as
+in the next commit to help with the backports.
+
+Fixes: d21f83485518 ("mptcp: use fastclose on more edge scenarios")
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Geliang Tang <geliang@kernel.org>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20251118-net-mptcp-misc-fixes-6-18-rc6-v1-5-806d3781c95f@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ Adjust context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/protocol.c | 13 +++++++++----
+ net/mptcp/protocol.h | 2 +-
+ 2 files changed, 10 insertions(+), 5 deletions(-)
+
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -2826,8 +2826,12 @@ static void mptcp_worker(struct work_str
+ __mptcp_close_subflow(sk);
+
+ if (mptcp_close_tout_expired(sk)) {
++ struct mptcp_subflow_context *subflow, *tmp;
++
+ inet_sk_state_store(sk, TCP_CLOSE);
+ mptcp_do_fastclose(sk);
++ mptcp_for_each_subflow_safe(msk, subflow, tmp)
++ __mptcp_close_ssk(sk, subflow->tcp_sock, subflow, 0);
+ mptcp_close_wake_up(sk);
+ }
+
+@@ -3233,7 +3237,8 @@ static int mptcp_disconnect(struct sock
+ /* msk->subflow is still intact, the following will not free the first
+ * subflow
+ */
+- mptcp_destroy_common(msk, MPTCP_CF_FASTCLOSE);
++ mptcp_do_fastclose(sk);
++ mptcp_destroy_common(msk);
+ msk->last_snd = NULL;
+
+ /* The first subflow is already in TCP_CLOSE status, the following
+@@ -3456,7 +3461,7 @@ out:
+ return newsk;
+ }
+
+-void mptcp_destroy_common(struct mptcp_sock *msk, unsigned int flags)
++void mptcp_destroy_common(struct mptcp_sock *msk)
+ {
+ struct mptcp_subflow_context *subflow, *tmp;
+ struct sock *sk = (struct sock *)msk;
+@@ -3465,7 +3470,7 @@ void mptcp_destroy_common(struct mptcp_s
+
+ /* join list will be eventually flushed (with rst) at sock lock release time */
+ mptcp_for_each_subflow_safe(msk, subflow, tmp)
+- __mptcp_close_ssk(sk, mptcp_subflow_tcp_sock(subflow), subflow, flags);
++ __mptcp_close_ssk(sk, mptcp_subflow_tcp_sock(subflow), subflow, 0);
+
+ /* move to sk_receive_queue, sk_stream_kill_queues will purge it */
+ mptcp_data_lock(sk);
+@@ -3492,7 +3497,7 @@ static void mptcp_destroy(struct sock *s
+
+ /* allow the following to close even the initial subflow */
+ msk->free_first = 1;
+- mptcp_destroy_common(msk, 0);
++ mptcp_destroy_common(msk);
+ sk_sockets_allocated_dec(sk);
+ }
+
+--- a/net/mptcp/protocol.h
++++ b/net/mptcp/protocol.h
+@@ -762,7 +762,7 @@ static inline void mptcp_write_space(str
+ }
+ }
+
+-void mptcp_destroy_common(struct mptcp_sock *msk, unsigned int flags);
++void mptcp_destroy_common(struct mptcp_sock *msk);
+
+ #define MPTCP_TOKEN_MAX_RETRIES 4
+
--- /dev/null
+From stable+bounces-196837-greg=kroah.com@vger.kernel.org Tue Nov 25 03:14:16 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Nov 2025 21:14:06 -0500
+Subject: mptcp: fix a race in mptcp_pm_del_add_timer()
+To: stable@vger.kernel.org
+Cc: Eric Dumazet <edumazet@google.com>, syzbot+2a6fbf0f0530375968df@syzkaller.appspotmail.com, Geliang Tang <geliang@kernel.org>, "Matthieu Baerts (NGI0)" <matttbe@kernel.org>, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251125021407.267435-1-sashal@kernel.org>
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 426358d9be7ce3518966422f87b96f1bad27295f ]
+
+mptcp_pm_del_add_timer() can call sk_stop_timer_sync(sk, &entry->add_timer)
+while another might have free entry already, as reported by syzbot.
+
+Add RCU protection to fix this issue.
+
+Also change confusing add_timer variable with stop_timer boolean.
+
+syzbot report:
+
+BUG: KASAN: slab-use-after-free in __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616
+Read of size 4 at addr ffff8880311e4150 by task kworker/1:1/44
+
+CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
+Workqueue: events mptcp_worker
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0xca/0x240 mm/kasan/report.c:482
+ kasan_report+0x118/0x150 mm/kasan/report.c:595
+ __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616
+ sk_stop_timer_sync+0x1b/0x90 net/core/sock.c:3631
+ mptcp_pm_del_add_timer+0x283/0x310 net/mptcp/pm.c:362
+ mptcp_incoming_options+0x1357/0x1f60 net/mptcp/options.c:1174
+ tcp_data_queue+0xca/0x6450 net/ipv4/tcp_input.c:5361
+ tcp_rcv_established+0x1335/0x2670 net/ipv4/tcp_input.c:6441
+ tcp_v4_do_rcv+0x98b/0xbf0 net/ipv4/tcp_ipv4.c:1931
+ tcp_v4_rcv+0x252a/0x2dc0 net/ipv4/tcp_ipv4.c:2374
+ ip_protocol_deliver_rcu+0x221/0x440 net/ipv4/ip_input.c:205
+ ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:239
+ NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
+ NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
+ __netif_receive_skb_one_core net/core/dev.c:6079 [inline]
+ __netif_receive_skb+0x143/0x380 net/core/dev.c:6192
+ process_backlog+0x31e/0x900 net/core/dev.c:6544
+ __napi_poll+0xb6/0x540 net/core/dev.c:7594
+ napi_poll net/core/dev.c:7657 [inline]
+ net_rx_action+0x5f7/0xda0 net/core/dev.c:7784
+ handle_softirqs+0x22f/0x710 kernel/softirq.c:622
+ __do_softirq kernel/softirq.c:656 [inline]
+ __local_bh_enable_ip+0x1a0/0x2e0 kernel/softirq.c:302
+ mptcp_pm_send_ack net/mptcp/pm.c:210 [inline]
+ mptcp_pm_addr_send_ack+0x41f/0x500 net/mptcp/pm.c:-1
+ mptcp_pm_worker+0x174/0x320 net/mptcp/pm.c:1002
+ mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762
+ process_one_work kernel/workqueue.c:3263 [inline]
+ process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346
+ worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
+ kthread+0x711/0x8a0 kernel/kthread.c:463
+ ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
+ </TASK>
+
+Allocated by task 44:
+ kasan_save_stack mm/kasan/common.c:56 [inline]
+ kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
+ poison_kmalloc_redzone mm/kasan/common.c:400 [inline]
+ __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:417
+ kasan_kmalloc include/linux/kasan.h:262 [inline]
+ __kmalloc_cache_noprof+0x1ef/0x6c0 mm/slub.c:5748
+ kmalloc_noprof include/linux/slab.h:957 [inline]
+ mptcp_pm_alloc_anno_list+0x104/0x460 net/mptcp/pm.c:385
+ mptcp_pm_create_subflow_or_signal_addr+0xf9d/0x1360 net/mptcp/pm_kernel.c:355
+ mptcp_pm_nl_fully_established net/mptcp/pm_kernel.c:409 [inline]
+ __mptcp_pm_kernel_worker+0x417/0x1ef0 net/mptcp/pm_kernel.c:1529
+ mptcp_pm_worker+0x1ee/0x320 net/mptcp/pm.c:1008
+ mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762
+ process_one_work kernel/workqueue.c:3263 [inline]
+ process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346
+ worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
+ kthread+0x711/0x8a0 kernel/kthread.c:463
+ ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
+
+Freed by task 6630:
+ kasan_save_stack mm/kasan/common.c:56 [inline]
+ kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
+ __kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:587
+ kasan_save_free_info mm/kasan/kasan.h:406 [inline]
+ poison_slab_object mm/kasan/common.c:252 [inline]
+ __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284
+ kasan_slab_free include/linux/kasan.h:234 [inline]
+ slab_free_hook mm/slub.c:2523 [inline]
+ slab_free mm/slub.c:6611 [inline]
+ kfree+0x197/0x950 mm/slub.c:6818
+ mptcp_remove_anno_list_by_saddr+0x2d/0x40 net/mptcp/pm.c:158
+ mptcp_pm_flush_addrs_and_subflows net/mptcp/pm_kernel.c:1209 [inline]
+ mptcp_nl_flush_addrs_list net/mptcp/pm_kernel.c:1240 [inline]
+ mptcp_pm_nl_flush_addrs_doit+0x593/0xbb0 net/mptcp/pm_kernel.c:1281
+ genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115
+ genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
+ genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210
+ netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552
+ genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
+ netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
+ netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346
+ netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896
+ sock_sendmsg_nosec net/socket.c:727 [inline]
+ __sock_sendmsg+0x21c/0x270 net/socket.c:742
+ ____sys_sendmsg+0x508/0x820 net/socket.c:2630
+ ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2684
+ __sys_sendmsg net/socket.c:2716 [inline]
+ __do_sys_sendmsg net/socket.c:2721 [inline]
+ __se_sys_sendmsg net/socket.c:2719 [inline]
+ __x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2719
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Cc: stable@vger.kernel.org
+Fixes: 00cfd77b9063 ("mptcp: retransmit ADD_ADDR when timeout")
+Reported-by: syzbot+2a6fbf0f0530375968df@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/691ad3c3.a70a0220.f6df1.0004.GAE@google.com
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Geliang Tang <geliang@kernel.org>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20251117100745.1913963-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ applied changes to pm_netlink.c instead of pm.c ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/pm_netlink.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+--- a/net/mptcp/pm_netlink.c
++++ b/net/mptcp/pm_netlink.c
+@@ -28,6 +28,7 @@ struct mptcp_pm_add_entry {
+ struct timer_list add_timer;
+ struct mptcp_sock *sock;
+ u8 retrans_times;
++ struct rcu_head rcu;
+ };
+
+ struct pm_nl_pernet {
+@@ -354,22 +355,27 @@ mptcp_pm_del_add_timer(struct mptcp_sock
+ {
+ struct mptcp_pm_add_entry *entry;
+ struct sock *sk = (struct sock *)msk;
+- struct timer_list *add_timer = NULL;
++ bool stop_timer = false;
++
++ rcu_read_lock();
+
+ spin_lock_bh(&msk->pm.lock);
+ entry = mptcp_lookup_anno_list_by_saddr(msk, addr);
+ if (entry && (!check_id || entry->addr.id == addr->id)) {
+ entry->retrans_times = ADD_ADDR_RETRANS_MAX;
+- add_timer = &entry->add_timer;
++ stop_timer = true;
+ }
+ if (!check_id && entry)
+ list_del(&entry->list);
+ spin_unlock_bh(&msk->pm.lock);
+
+- /* no lock, because sk_stop_timer_sync() is calling del_timer_sync() */
+- if (add_timer)
+- sk_stop_timer_sync(sk, add_timer);
++ /* Note: entry might have been removed by another thread.
++ * We hold rcu_read_lock() to ensure it is not freed under us.
++ */
++ if (stop_timer)
++ sk_stop_timer_sync(sk, &entry->add_timer);
+
++ rcu_read_unlock();
+ return entry;
+ }
+
+@@ -425,7 +431,7 @@ void mptcp_pm_free_anno_list(struct mptc
+
+ list_for_each_entry_safe(entry, tmp, &free_list, list) {
+ sk_stop_timer_sync(sk, &entry->add_timer);
+- kfree(entry);
++ kfree_rcu(entry, rcu);
+ }
+ }
+
+@@ -1569,7 +1575,7 @@ static bool remove_anno_list_by_saddr(st
+
+ entry = mptcp_pm_del_add_timer(msk, addr, false);
+ if (entry) {
+- kfree(entry);
++ kfree_rcu(entry, rcu);
+ return true;
+ }
+
--- /dev/null
+From stable+bounces-196771-greg=kroah.com@vger.kernel.org Mon Nov 24 18:18:14 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Nov 2025 12:18:02 -0500
+Subject: mptcp: Fix proto fallback detection with BPF
+To: stable@vger.kernel.org
+Cc: Jiayuan Chen <jiayuan.chen@linux.dev>, Martin KaFai Lau <martin.lau@kernel.org>, Jakub Sitnicki <jakub@cloudflare.com>, "Matthieu Baerts (NGI0)" <matttbe@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251124171802.4158681-1-sashal@kernel.org>
+
+From: Jiayuan Chen <jiayuan.chen@linux.dev>
+
+[ Upstream commit c77b3b79a92e3345aa1ee296180d1af4e7031f8f ]
+
+The sockmap feature allows bpf syscall from userspace, or based
+on bpf sockops, replacing the sk_prot of sockets during protocol stack
+processing with sockmap's custom read/write interfaces.
+'''
+tcp_rcv_state_process()
+ syn_recv_sock()/subflow_syn_recv_sock()
+ tcp_init_transfer(BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB)
+ bpf_skops_established <== sockops
+ bpf_sock_map_update(sk) <== call bpf helper
+ tcp_bpf_update_proto() <== update sk_prot
+'''
+
+When the server has MPTCP enabled but the client sends a TCP SYN
+without MPTCP, subflow_syn_recv_sock() performs a fallback on the
+subflow, replacing the subflow sk's sk_prot with the native sk_prot.
+'''
+subflow_syn_recv_sock()
+ subflow_ulp_fallback()
+ subflow_drop_ctx()
+ mptcp_subflow_ops_undo_override()
+'''
+
+Then, this subflow can be normally used by sockmap, which replaces the
+native sk_prot with sockmap's custom sk_prot. The issue occurs when the
+user executes accept::mptcp_stream_accept::mptcp_fallback_tcp_ops().
+Here, it uses sk->sk_prot to compare with the native sk_prot, but this
+is incorrect when sockmap is used, as we may incorrectly set
+sk->sk_socket->ops.
+
+This fix uses the more generic sk_family for the comparison instead.
+
+Additionally, this also prevents a WARNING from occurring:
+
+result from ./scripts/decode_stacktrace.sh:
+------------[ cut here ]------------
+WARNING: CPU: 0 PID: 337 at net/mptcp/protocol.c:68 mptcp_stream_accept \
+(net/mptcp/protocol.c:4005)
+Modules linked in:
+...
+
+PKRU: 55555554
+Call Trace:
+<TASK>
+do_accept (net/socket.c:1989)
+__sys_accept4 (net/socket.c:2028 net/socket.c:2057)
+__x64_sys_accept (net/socket.c:2067)
+x64_sys_call (arch/x86/entry/syscall_64.c:41)
+do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
+entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+RIP: 0033:0x7f87ac92b83d
+
+---[ end trace 0000000000000000 ]---
+
+Fixes: 0b4f33def7bb ("mptcp: fix tcp fallback crash")
+Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20251111060307.194196-3-jiayuan.chen@linux.dev
+[ applied fix to mptcp_is_tcpsk() instead of mptcp_fallback_tcp_ops() ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/protocol.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -79,8 +79,9 @@ static u64 mptcp_wnd_end(const struct mp
+ static bool mptcp_is_tcpsk(struct sock *sk)
+ {
+ struct socket *sock = sk->sk_socket;
++ unsigned short family = READ_ONCE(sk->sk_family);
+
+- if (unlikely(sk->sk_prot == &tcp_prot)) {
++ if (unlikely(family == AF_INET)) {
+ /* we are being invoked after mptcp_accept() has
+ * accepted a non-mp-capable flow: sk is a tcp_sk,
+ * not an mptcp one.
+@@ -91,7 +92,7 @@ static bool mptcp_is_tcpsk(struct sock *
+ sock->ops = &inet_stream_ops;
+ return true;
+ #if IS_ENABLED(CONFIG_MPTCP_IPV6)
+- } else if (unlikely(sk->sk_prot == &tcpv6_prot)) {
++ } else if (unlikely(family == AF_INET6)) {
+ sock->ops = &inet6_stream_ops;
+ return true;
+ #endif
--- /dev/null
+From stable+bounces-196514-greg=kroah.com@vger.kernel.org Fri Nov 21 17:05:26 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Nov 2025 11:04:16 -0500
+Subject: pmdomain: arm: scmi: Fix genpd leak on provider registration failure
+To: stable@vger.kernel.org
+Cc: Sudeep Holla <sudeep.holla@arm.com>, Peng Fan <peng.fan@nxp.com>, Ulf Hansson <ulf.hansson@linaro.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251121160416.2587981-1-sashal@kernel.org>
+
+From: Sudeep Holla <sudeep.holla@arm.com>
+
+[ Upstream commit 7458f72cc28f9eb0de811effcb5376d0ec19094a ]
+
+If of_genpd_add_provider_onecell() fails during probe, the previously
+created generic power domains are not removed, leading to a memory leak
+and potential kernel crash later in genpd_debug_add().
+
+Add proper error handling to unwind the initialized domains before
+returning from probe to ensure all resources are correctly released on
+failure.
+
+Example crash trace observed without this fix:
+
+ | Unable to handle kernel paging request at virtual address fffffffffffffc70
+ | CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.18.0-rc1 #405 PREEMPT
+ | Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform
+ | pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ | pc : genpd_debug_add+0x2c/0x160
+ | lr : genpd_debug_init+0x74/0x98
+ | Call trace:
+ | genpd_debug_add+0x2c/0x160 (P)
+ | genpd_debug_init+0x74/0x98
+ | do_one_initcall+0xd0/0x2d8
+ | do_initcall_level+0xa0/0x140
+ | do_initcalls+0x60/0xa8
+ | do_basic_setup+0x28/0x40
+ | kernel_init_freeable+0xe8/0x170
+ | kernel_init+0x2c/0x140
+ | ret_from_fork+0x10/0x20
+
+Fixes: 898216c97ed2 ("firmware: arm_scmi: add device power domain support using genpd")
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Reviewed-by: Peng Fan <peng.fan@nxp.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+[ drivers/pmdomain/arm/scmi_pm_domain.c -> drivers/firmware/arm_scmi/scmi_pm_domain.c ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/arm_scmi/scmi_pm_domain.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/firmware/arm_scmi/scmi_pm_domain.c
++++ b/drivers/firmware/arm_scmi/scmi_pm_domain.c
+@@ -54,7 +54,7 @@ static int scmi_pd_power_off(struct gene
+
+ static int scmi_pm_domain_probe(struct scmi_device *sdev)
+ {
+- int num_domains, i;
++ int num_domains, i, ret;
+ struct device *dev = &sdev->dev;
+ struct device_node *np = dev->of_node;
+ struct scmi_pm_domain *scmi_pd;
+@@ -112,9 +112,18 @@ static int scmi_pm_domain_probe(struct s
+ scmi_pd_data->domains = domains;
+ scmi_pd_data->num_domains = num_domains;
+
++ ret = of_genpd_add_provider_onecell(np, scmi_pd_data);
++ if (ret)
++ goto err_rm_genpds;
++
+ dev_set_drvdata(dev, scmi_pd_data);
+
+- return of_genpd_add_provider_onecell(np, scmi_pd_data);
++ return 0;
++err_rm_genpds:
++ for (i = num_domains - 1; i >= 0; i--)
++ pm_genpd_remove(domains[i]);
++
++ return ret;
+ }
+
+ static void scmi_pm_domain_remove(struct scmi_device *sdev)
--- /dev/null
+From stable+bounces-196517-greg=kroah.com@vger.kernel.org Fri Nov 21 17:04:57 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Nov 2025 11:04:48 -0500
+Subject: pmdomain: imx: Fix reference count leak in imx_gpc_remove
+To: stable@vger.kernel.org
+Cc: Miaoqian Lin <linmq006@gmail.com>, Ulf Hansson <ulf.hansson@linaro.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251121160448.2588409-1-sashal@kernel.org>
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit bbde14682eba21d86f5f3d6fe2d371b1f97f1e61 ]
+
+of_get_child_by_name() returns a node pointer with refcount incremented, we
+should use of_node_put() on it when not needed anymore. Add the missing
+of_node_put() to avoid refcount leak.
+
+Fixes: 721cabf6c660 ("soc: imx: move PGC handling to a new GPC driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+[ drivers/pmdomain/imx/gpc.c -> drivers/soc/imx/gpc.c ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/imx/gpc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/soc/imx/gpc.c
++++ b/drivers/soc/imx/gpc.c
+@@ -541,6 +541,8 @@ static int imx_gpc_remove(struct platfor
+ return ret;
+ }
+
++ of_node_put(pgc_node);
++
+ return 0;
+ }
+
--- /dev/null
+From stable+bounces-196537-greg=kroah.com@vger.kernel.org Fri Nov 21 18:03:15 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Nov 2025 11:58:38 -0500
+Subject: pmdomain: samsung: plug potential memleak during probe
+To: stable@vger.kernel.org
+Cc: "André Draszik" <andre.draszik@linaro.org>, "Peter Griffin" <peter.griffin@linaro.org>, "Krzysztof Kozlowski" <krzysztof.kozlowski@linaro.org>, "Marek Szyprowski" <m.szyprowski@samsung.com>, "Ulf Hansson" <ulf.hansson@linaro.org>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20251121165838.2606571-1-sashal@kernel.org>
+
+From: André Draszik <andre.draszik@linaro.org>
+
+[ Upstream commit 90c82941adf1986364e0f82c35cf59f2bf5f6a1d ]
+
+of_genpd_add_provider_simple() could fail, in which case this code
+leaks the domain name, pd->pd.name.
+
+Use devm_kstrdup_const() to plug this leak. As a side-effect, we can
+simplify existing error handling.
+
+Fixes: c09a3e6c97f0 ("soc: samsung: pm_domains: Convert to regular platform driver")
+Cc: stable@vger.kernel.org
+Reviewed-by: Peter Griffin <peter.griffin@linaro.org>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: André Draszik <andre.draszik@linaro.org>
+Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+[ drivers/pmdomain/samsung/exynos-pm-domains.c -> drivers/soc/samsung/pm_domains.c ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/samsung/pm_domains.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/drivers/soc/samsung/pm_domains.c
++++ b/drivers/soc/samsung/pm_domains.c
+@@ -91,13 +91,14 @@ static const struct of_device_id exynos_
+ { },
+ };
+
+-static const char *exynos_get_domain_name(struct device_node *node)
++static const char *exynos_get_domain_name(struct device *dev,
++ struct device_node *node)
+ {
+ const char *name;
+
+ if (of_property_read_string(node, "label", &name) < 0)
+ name = kbasename(node->full_name);
+- return kstrdup_const(name, GFP_KERNEL);
++ return devm_kstrdup_const(dev, name, GFP_KERNEL);
+ }
+
+ static int exynos_pd_probe(struct platform_device *pdev)
+@@ -114,15 +115,13 @@ static int exynos_pd_probe(struct platfo
+ if (!pd)
+ return -ENOMEM;
+
+- pd->pd.name = exynos_get_domain_name(np);
++ pd->pd.name = exynos_get_domain_name(dev, np);
+ if (!pd->pd.name)
+ return -ENOMEM;
+
+ pd->base = of_iomap(np, 0);
+- if (!pd->base) {
+- kfree_const(pd->pd.name);
++ if (!pd->base)
+ return -ENODEV;
+- }
+
+ pd->pd.power_off = exynos_pd_power_off;
+ pd->pd.power_on = exynos_pd_power_on;
--- /dev/null
+From stable+bounces-196548-greg=kroah.com@vger.kernel.org Fri Nov 21 19:10:22 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Nov 2025 13:04:36 -0500
+Subject: selftests: mptcp: connect: fix fallback note due to OoO
+To: stable@vger.kernel.org
+Cc: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>, Geliang Tang <geliang@kernel.org>, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251121180436.2635827-1-sashal@kernel.org>
+
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+
+[ Upstream commit 63c643aa7b7287fdbb0167063785f89ece3f000f ]
+
+The "fallback due to TCP OoO" was never printed because the stat_ooo_now
+variable was checked twice: once in the parent if-statement, and one in
+the child one. The second condition was then always true then, and the
+'else' branch was never taken.
+
+The idea is that when there are more ACK + MP_CAPABLE than expected, the
+test either fails if there was no out of order packets, or a notice is
+printed.
+
+Fixes: 69ca3d29a755 ("mptcp: update selftest for fallback due to OoO")
+Cc: stable@vger.kernel.org
+Reviewed-by: Geliang Tang <geliang@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20251110-net-mptcp-sft-join-unstable-v1-1-a4332c714e10@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ Different operators used ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/mptcp_connect.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_connect.sh
++++ b/tools/testing/selftests/net/mptcp/mptcp_connect.sh
+@@ -523,7 +523,7 @@ do_transfer()
+ "${stat_synrx_now_l}" "${expect_synrx}" 1>&2
+ retc=1
+ fi
+- if [ ${stat_ackrx_now_l} -lt ${expect_ackrx} -a ${stat_ooo_now} -eq 0 ]; then
++ if [ ${stat_ackrx_now_l} -lt ${expect_ackrx} ]; then
+ if [ ${stat_ooo_now} -eq 0 ]; then
+ printf "[ FAIL ] lower MPC ACK rx (%d) than expected (%d)\n" \
+ "${stat_ackrx_now_l}" "${expect_ackrx}" 1>&2
--- /dev/null
+From stable+bounces-196549-greg=kroah.com@vger.kernel.org Fri Nov 21 19:10:52 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Nov 2025 13:06:53 -0500
+Subject: selftests: mptcp: join: rm: set backup flag
+To: stable@vger.kernel.org
+Cc: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>, Geliang Tang <geliang@kernel.org>, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20251121180653.2636754-1-sashal@kernel.org>
+
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+
+[ Upstream commit aea73bae662a0e184393d6d7d0feb18d2577b9b9 ]
+
+Some of these 'remove' tests rarely fail because a subflow has been
+reset instead of cleanly removed. This can happen when one extra subflow
+which has never carried data is being closed (FIN) on one side, while
+the other is sending data for the first time.
+
+To avoid such subflows to be used right at the end, the backup flag has
+been added. With that, data will be only carried on the initial subflow.
+
+Fixes: d2c4333a801c ("selftests: mptcp: add testcases for removing addrs")
+Cc: stable@vger.kernel.org
+Reviewed-by: Geliang Tang <geliang@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20251110-net-mptcp-sft-join-unstable-v1-2-a4332c714e10@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ Adjust context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/mptcp_join.sh | 54 ++++++++++++------------
+ 1 file changed, 27 insertions(+), 27 deletions(-)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
+@@ -2332,7 +2332,7 @@ remove_tests()
+ if reset "remove single subflow"; then
+ pm_nl_set_limits $ns1 0 1
+ pm_nl_set_limits $ns2 0 1
+- pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow
++ pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow,backup
+ run_tests $ns1 $ns2 10.0.1.1 0 0 -1 slow
+ chk_join_nr 1 1 1
+ chk_rm_nr 1 1
+@@ -2343,8 +2343,8 @@ remove_tests()
+ if reset "remove multiple subflows"; then
+ pm_nl_set_limits $ns1 0 2
+ pm_nl_set_limits $ns2 0 2
+- pm_nl_add_endpoint $ns2 10.0.2.2 flags subflow
+- pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow
++ pm_nl_add_endpoint $ns2 10.0.2.2 flags subflow,backup
++ pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow,backup
+ run_tests $ns1 $ns2 10.0.1.1 0 0 -2 slow
+ chk_join_nr 2 2 2
+ chk_rm_nr 2 2
+@@ -2354,7 +2354,7 @@ remove_tests()
+ # single address, remove
+ if reset "remove single address"; then
+ pm_nl_set_limits $ns1 0 1
+- pm_nl_add_endpoint $ns1 10.0.2.1 flags signal
++ pm_nl_add_endpoint $ns1 10.0.2.1 flags signal,backup
+ pm_nl_set_limits $ns2 1 1
+ run_tests $ns1 $ns2 10.0.1.1 0 -1 0 slow
+ chk_join_nr 1 1 1
+@@ -2366,9 +2366,9 @@ remove_tests()
+ # subflow and signal, remove
+ if reset "remove subflow and signal"; then
+ pm_nl_set_limits $ns1 0 2
+- pm_nl_add_endpoint $ns1 10.0.2.1 flags signal
++ pm_nl_add_endpoint $ns1 10.0.2.1 flags signal,backup
+ pm_nl_set_limits $ns2 1 2
+- pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow
++ pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow,backup
+ run_tests $ns1 $ns2 10.0.1.1 0 -1 -1 slow
+ chk_join_nr 2 2 2
+ chk_add_nr 1 1
+@@ -2379,10 +2379,10 @@ remove_tests()
+ # subflows and signal, remove
+ if reset "remove subflows and signal"; then
+ pm_nl_set_limits $ns1 0 3
+- pm_nl_add_endpoint $ns1 10.0.2.1 flags signal
++ pm_nl_add_endpoint $ns1 10.0.2.1 flags signal,backup
+ pm_nl_set_limits $ns2 1 3
+- pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow
+- pm_nl_add_endpoint $ns2 10.0.4.2 flags subflow
++ pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow,backup
++ pm_nl_add_endpoint $ns2 10.0.4.2 flags subflow,backup
+ run_tests $ns1 $ns2 10.0.1.1 0 -1 -2 speed_10
+ chk_join_nr 3 3 3
+ chk_add_nr 1 1
+@@ -2393,9 +2393,9 @@ remove_tests()
+ # addresses remove
+ if reset "remove addresses"; then
+ pm_nl_set_limits $ns1 3 3
+- pm_nl_add_endpoint $ns1 10.0.2.1 flags signal id 250
+- pm_nl_add_endpoint $ns1 10.0.3.1 flags signal
+- pm_nl_add_endpoint $ns1 10.0.4.1 flags signal
++ pm_nl_add_endpoint $ns1 10.0.2.1 flags signal,backup id 250
++ pm_nl_add_endpoint $ns1 10.0.3.1 flags signal,backup
++ pm_nl_add_endpoint $ns1 10.0.4.1 flags signal,backup
+ pm_nl_set_limits $ns2 3 3
+ run_tests $ns1 $ns2 10.0.1.1 0 -3 0 speed_10
+ chk_join_nr 3 3 3
+@@ -2407,10 +2407,10 @@ remove_tests()
+ # invalid addresses remove
+ if reset "remove invalid addresses"; then
+ pm_nl_set_limits $ns1 3 3
+- pm_nl_add_endpoint $ns1 10.0.12.1 flags signal
++ pm_nl_add_endpoint $ns1 10.0.12.1 flags signal,backup
+ # broadcast IP: no packet for this address will be received on ns1
+- pm_nl_add_endpoint $ns1 224.0.0.1 flags signal
+- pm_nl_add_endpoint $ns1 10.0.3.1 flags signal
++ pm_nl_add_endpoint $ns1 224.0.0.1 flags signal,backup
++ pm_nl_add_endpoint $ns1 10.0.3.1 flags signal,backup
+ pm_nl_set_limits $ns2 2 2
+ run_tests $ns1 $ns2 10.0.1.1 0 -3 0 speed_10
+ chk_join_nr 1 1 1
+@@ -2422,10 +2422,10 @@ remove_tests()
+ # subflows and signal, flush
+ if reset "flush subflows and signal"; then
+ pm_nl_set_limits $ns1 0 3
+- pm_nl_add_endpoint $ns1 10.0.2.1 flags signal
++ pm_nl_add_endpoint $ns1 10.0.2.1 flags signal,backup
+ pm_nl_set_limits $ns2 1 3
+- pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow
+- pm_nl_add_endpoint $ns2 10.0.4.2 flags subflow
++ pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow,backup
++ pm_nl_add_endpoint $ns2 10.0.4.2 flags subflow,backup
+ run_tests $ns1 $ns2 10.0.1.1 0 -8 -8 slow
+ chk_join_nr 3 3 3
+ chk_add_nr 1 1
+@@ -2437,9 +2437,9 @@ remove_tests()
+ if reset "flush subflows"; then
+ pm_nl_set_limits $ns1 3 3
+ pm_nl_set_limits $ns2 3 3
+- pm_nl_add_endpoint $ns2 10.0.2.2 flags subflow id 150
+- pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow
+- pm_nl_add_endpoint $ns2 10.0.4.2 flags subflow
++ pm_nl_add_endpoint $ns2 10.0.2.2 flags subflow,backup id 150
++ pm_nl_add_endpoint $ns2 10.0.3.2 flags subflow,backup
++ pm_nl_add_endpoint $ns2 10.0.4.2 flags subflow,backup
+ run_tests $ns1 $ns2 10.0.1.1 0 -8 -8 slow
+ chk_join_nr 3 3 3
+
+@@ -2454,9 +2454,9 @@ remove_tests()
+ # addresses flush
+ if reset "flush addresses"; then
+ pm_nl_set_limits $ns1 3 3
+- pm_nl_add_endpoint $ns1 10.0.2.1 flags signal id 250
+- pm_nl_add_endpoint $ns1 10.0.3.1 flags signal
+- pm_nl_add_endpoint $ns1 10.0.4.1 flags signal
++ pm_nl_add_endpoint $ns1 10.0.2.1 flags signal,backup id 250
++ pm_nl_add_endpoint $ns1 10.0.3.1 flags signal,backup
++ pm_nl_add_endpoint $ns1 10.0.4.1 flags signal,backup
+ pm_nl_set_limits $ns2 3 3
+ run_tests $ns1 $ns2 10.0.1.1 0 -8 -8 slow
+ chk_join_nr 3 3 3
+@@ -2468,9 +2468,9 @@ remove_tests()
+ # invalid addresses flush
+ if reset "flush invalid addresses"; then
+ pm_nl_set_limits $ns1 3 3
+- pm_nl_add_endpoint $ns1 10.0.12.1 flags signal
+- pm_nl_add_endpoint $ns1 10.0.3.1 flags signal
+- pm_nl_add_endpoint $ns1 10.0.14.1 flags signal
++ pm_nl_add_endpoint $ns1 10.0.12.1 flags signal,backup
++ pm_nl_add_endpoint $ns1 10.0.3.1 flags signal,backup
++ pm_nl_add_endpoint $ns1 10.0.14.1 flags signal,backup
+ pm_nl_set_limits $ns2 3 3
+ run_tests $ns1 $ns2 10.0.1.1 0 -8 0 slow
+ chk_join_nr 1 1 1
alsa-usb-audio-fix-uac2-clock-source-at-terminal-par.patch
net-ethernet-ti-netcp-standardize-knav_dma_open_chan.patch
tracing-tools-fix-incorrcet-short-option-in-usage-te.patch
+uio_hv_generic-set-event-for-all-channels-on-the-device.patch
+mm-truncate-unmap-large-folio-on-split-failure.patch
+maple_tree-fix-tracepoint-string-pointers.patch
+mptcp-decouple-mptcp-fastclose-from-tcp-close.patch
+mptcp-fix-a-race-in-mptcp_pm_del_add_timer.patch
+mm-mempool-replace-kmap_atomic-with-kmap_local_page.patch
+mm-mempool-fix-poisoning-order-0-pages-with-highmem.patch
+dt-bindings-pinctrl-toshiba-visconti-fix-number-of-items-in-groups.patch
+ata-libata-scsi-fix-system-suspend-for-a-security-locked-drive.patch
+mptcp-fix-proto-fallback-detection-with-bpf.patch
+hid-amd_sfh-stop-sensor-before-starting.patch
+selftests-mptcp-join-rm-set-backup-flag.patch
+selftests-mptcp-connect-fix-fallback-note-due-to-ooo.patch
+pmdomain-samsung-plug-potential-memleak-during-probe.patch
+pmdomain-arm-scmi-fix-genpd-leak-on-provider-registration-failure.patch
+pmdomain-imx-fix-reference-count-leak-in-imx_gpc_remove.patch
--- /dev/null
+From d062463edf1770427dc2d637df4088df4835aa47 Mon Sep 17 00:00:00 2001
+From: Long Li <longli@microsoft.com>
+Date: Mon, 10 Mar 2025 15:12:01 -0700
+Subject: uio_hv_generic: Set event for all channels on the device
+
+From: Long Li <longli@microsoft.com>
+
+commit d062463edf1770427dc2d637df4088df4835aa47 upstream.
+
+Hyper-V may offer a non latency sensitive device with subchannels without
+monitor bit enabled. The decision is entirely on the Hyper-V host not
+configurable within guest.
+
+When a device has subchannels, also signal events for the subchannel
+if its monitor bit is disabled.
+
+This patch also removes the memory barrier when monitor bit is enabled
+as it is not necessary. The memory barrier is only needed between
+setting up interrupt mask and calling vmbus_set_event() when monitor
+bit is disabled.
+
+Signed-off-by: Long Li <longli@microsoft.com>
+Reviewed-by: Michael Kelley <mhklinux@outlook.com>
+Reviewed-by: Saurabh Sengar <ssengar@linux.microsoft.com>
+Link: https://lore.kernel.org/r/1741644721-20389-1-git-send-email-longli@linuxonhyperv.com
+Fixes: b15b7d2a1b09 ("uio_hv_generic: Let userspace take care of interrupt mask")
+Closes: https://bugs.debian.org/1120602
+Signed-off-by: Naman Jain <namjain@linux.microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/uio/uio_hv_generic.c | 21 +++++++++++++++++----
+ 1 file changed, 17 insertions(+), 4 deletions(-)
+
+--- a/drivers/uio/uio_hv_generic.c
++++ b/drivers/uio/uio_hv_generic.c
+@@ -80,9 +80,15 @@ hv_uio_irqcontrol(struct uio_info *info,
+ {
+ struct hv_uio_private_data *pdata = info->priv;
+ struct hv_device *dev = pdata->device;
++ struct vmbus_channel *primary, *sc;
+
+- dev->channel->inbound.ring_buffer->interrupt_mask = !irq_state;
+- virt_mb();
++ primary = dev->channel;
++ primary->inbound.ring_buffer->interrupt_mask = !irq_state;
++
++ mutex_lock(&vmbus_connection.channel_mutex);
++ list_for_each_entry(sc, &primary->sc_list, sc_list)
++ sc->inbound.ring_buffer->interrupt_mask = !irq_state;
++ mutex_unlock(&vmbus_connection.channel_mutex);
+
+ return 0;
+ }
+@@ -93,11 +99,18 @@ hv_uio_irqcontrol(struct uio_info *info,
+ static void hv_uio_channel_cb(void *context)
+ {
+ struct vmbus_channel *chan = context;
+- struct hv_device *hv_dev = chan->device_obj;
+- struct hv_uio_private_data *pdata = hv_get_drvdata(hv_dev);
++ struct hv_device *hv_dev;
++ struct hv_uio_private_data *pdata;
+
+ virt_mb();
+
++ /*
++ * The callback may come from a subchannel, in which case look
++ * for the hv device in the primary channel
++ */
++ hv_dev = chan->primary_channel ?
++ chan->primary_channel->device_obj : chan->device_obj;
++ pdata = hv_get_drvdata(hv_dev);
+ uio_event_notify(&pdata->info);
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
