--- /dev/null
+From fe483a3e913ffe975fb64281a79c7203bd0e1275 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 14:17:45 +0200
+Subject: ACPICA: Refuse to evaluate a method if arguments are missing
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 6fcab2791543924d438e7fa49276d0998b0a069f ]
+
+As reported in [1], a platform firmware update that increased the number
+of method parameters and forgot to update a least one of its callers,
+caused ACPICA to crash due to use-after-free.
+
+Since this a result of a clear AML issue that arguably cannot be fixed
+up by the interpreter (it cannot produce missing data out of thin air),
+address it by making ACPICA refuse to evaluate a method if the caller
+attempts to pass fewer arguments than expected to it.
+
+Closes: https://github.com/acpica/acpica/issues/1027 [1]
+Reported-by: Peter Williams <peter@newton.cx>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Hans de Goede <hansg@kernel.org>
+Tested-by: Hans de Goede <hansg@kernel.org> # Dell XPS 9640 with BIOS 1.12.0
+Link: https://patch.msgid.link/5909446.DvuYhMxLoT@rjwysocki.net
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpica/dsmethod.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/acpi/acpica/dsmethod.c b/drivers/acpi/acpica/dsmethod.c
+index e809c2aed78ae..a232746d150a7 100644
+--- a/drivers/acpi/acpica/dsmethod.c
++++ b/drivers/acpi/acpica/dsmethod.c
+@@ -483,6 +483,13 @@ acpi_ds_call_control_method(struct acpi_thread_state *thread,
+ return_ACPI_STATUS(AE_NULL_OBJECT);
+ }
+
++ if (this_walk_state->num_operands < obj_desc->method.param_count) {
++ ACPI_ERROR((AE_INFO, "Missing argument for method [%4.4s]",
++ acpi_ut_get_node_name(method_node)));
++
++ return_ACPI_STATUS(AE_AML_UNINITIALIZED_ARG);
++ }
++
+ /* Init for new method, possibly wait on method mutex */
+
+ status =
+--
+2.39.5
+
--- /dev/null
+From 1ecf6afc027ea8ff24d94b963db484abd844455b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 08:43:19 +0200
+Subject: ALSA: sb: Don't allow changing the DMA mode during operations
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit ed29e073ba93f2d52832804cabdd831d5d357d33 ]
+
+When a PCM stream is already running, one shouldn't change the DMA
+mode via kcontrol, which may screw up the hardware. Return -EBUSY
+instead.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=218185
+Link: https://patch.msgid.link/20250610064322.26787-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/isa/sb/sb16_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/isa/sb/sb16_main.c b/sound/isa/sb/sb16_main.c
+index a9b87e159b2d1..5efbd0a41312b 100644
+--- a/sound/isa/sb/sb16_main.c
++++ b/sound/isa/sb/sb16_main.c
+@@ -703,6 +703,9 @@ static int snd_sb16_dma_control_put(struct snd_kcontrol *kcontrol, struct snd_ct
+ unsigned char nval, oval;
+ int change;
+
++ if (chip->mode & (SB_MODE_PLAYBACK | SB_MODE_CAPTURE))
++ return -EBUSY;
++
+ nval = ucontrol->value.enumerated.item[0];
+ if (nval > 2)
+ return -EINVAL;
+--
+2.39.5
+
--- /dev/null
+From 1ce6de5686ee5666eab48285b5efc2f8dcd3351b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 08:43:20 +0200
+Subject: ALSA: sb: Force to disable DMAs once when DMA mode is changed
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 4c267ae2ef349639b4d9ebf00dd28586a82fdbe6 ]
+
+When the DMA mode is changed on the (still real!) SB AWE32 after
+playing a stream and closing, the previous DMA setup was still
+silently kept, and it can confuse the hardware, resulting in the
+unexpected noises. As a workaround, enforce the disablement of DMA
+setups when the DMA setup is changed by the kcontrol.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=218185
+Link: https://patch.msgid.link/20250610064322.26787-2-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/isa/sb/sb16_main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/sound/isa/sb/sb16_main.c b/sound/isa/sb/sb16_main.c
+index 5efbd0a41312b..1497a7822eee6 100644
+--- a/sound/isa/sb/sb16_main.c
++++ b/sound/isa/sb/sb16_main.c
+@@ -714,6 +714,10 @@ static int snd_sb16_dma_control_put(struct snd_kcontrol *kcontrol, struct snd_ct
+ change = nval != oval;
+ snd_sb16_set_dma_mode(chip, nval);
+ spin_unlock_irqrestore(&chip->reg_lock, flags);
++ if (change) {
++ snd_dma_disable(chip->dma8);
++ snd_dma_disable(chip->dma16);
++ }
+ return change;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 5349060442ab3acd5fc6c9bf4a058846b9d66c2f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 00:56:36 +0530
+Subject: amd-xgbe: align CL37 AN sequence as per databook
+
+From: Raju Rangoju <Raju.Rangoju@amd.com>
+
+[ Upstream commit 42fd432fe6d320323215ebdf4de4d0d7e56e6792 ]
+
+Update the Clause 37 Auto-Negotiation implementation to properly align
+with the PCS hardware specifications:
+- Fix incorrect bit settings in Link Status and Link Duplex fields
+- Implement missing sequence steps 2 and 7
+
+These changes ensure CL37 auto-negotiation protocol follows the exact
+sequence patterns as specified in the hardware databook.
+
+Fixes: 1bf40ada6290 ("amd-xgbe: Add support for clause 37 auto-negotiation")
+Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
+Link: https://patch.msgid.link/20250630192636.3838291-1-Raju.Rangoju@amd.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amd/xgbe/xgbe-common.h | 2 ++
+ drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 9 +++++++++
+ drivers/net/ethernet/amd/xgbe/xgbe.h | 4 ++--
+ 3 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-common.h b/drivers/net/ethernet/amd/xgbe/xgbe-common.h
+index 3b70f67376331..aa25a8a0a106f 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-common.h
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-common.h
+@@ -1373,6 +1373,8 @@
+ #define MDIO_VEND2_CTRL1_SS13 BIT(13)
+ #endif
+
++#define XGBE_VEND2_MAC_AUTO_SW BIT(9)
++
+ /* MDIO mask values */
+ #define XGBE_AN_CL73_INT_CMPLT BIT(0)
+ #define XGBE_AN_CL73_INC_LINK BIT(1)
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
+index 4a2dc705b5280..154e7598a32bf 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
+@@ -375,6 +375,10 @@ static void xgbe_an37_set(struct xgbe_prv_data *pdata, bool enable,
+ reg |= MDIO_VEND2_CTRL1_AN_RESTART;
+
+ XMDIO_WRITE(pdata, MDIO_MMD_VEND2, MDIO_CTRL1, reg);
++
++ reg = XMDIO_READ(pdata, MDIO_MMD_VEND2, MDIO_PCS_DIG_CTRL);
++ reg |= XGBE_VEND2_MAC_AUTO_SW;
++ XMDIO_WRITE(pdata, MDIO_MMD_VEND2, MDIO_PCS_DIG_CTRL, reg);
+ }
+
+ static void xgbe_an37_restart(struct xgbe_prv_data *pdata)
+@@ -1003,6 +1007,11 @@ static void xgbe_an37_init(struct xgbe_prv_data *pdata)
+
+ netif_dbg(pdata, link, pdata->netdev, "CL37 AN (%s) initialized\n",
+ (pdata->an_mode == XGBE_AN_MODE_CL37) ? "BaseX" : "SGMII");
++
++ reg = XMDIO_READ(pdata, MDIO_MMD_AN, MDIO_CTRL1);
++ reg &= ~MDIO_AN_CTRL1_ENABLE;
++ XMDIO_WRITE(pdata, MDIO_MMD_AN, MDIO_CTRL1, reg);
++
+ }
+
+ static void xgbe_an73_init(struct xgbe_prv_data *pdata)
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe.h b/drivers/net/ethernet/amd/xgbe/xgbe.h
+index 173f4dad470f5..a596cd08124fa 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe.h
++++ b/drivers/net/ethernet/amd/xgbe/xgbe.h
+@@ -292,12 +292,12 @@
+ #define XGBE_LINK_TIMEOUT 5
+ #define XGBE_KR_TRAINING_WAIT_ITER 50
+
+-#define XGBE_SGMII_AN_LINK_STATUS BIT(1)
++#define XGBE_SGMII_AN_LINK_DUPLEX BIT(1)
+ #define XGBE_SGMII_AN_LINK_SPEED (BIT(2) | BIT(3))
+ #define XGBE_SGMII_AN_LINK_SPEED_10 0x00
+ #define XGBE_SGMII_AN_LINK_SPEED_100 0x04
+ #define XGBE_SGMII_AN_LINK_SPEED_1000 0x08
+-#define XGBE_SGMII_AN_LINK_DUPLEX BIT(4)
++#define XGBE_SGMII_AN_LINK_STATUS BIT(4)
+
+ /* ECC correctable error notification window (seconds) */
+ #define XGBE_ECC_LIMIT 60
+--
+2.39.5
+
--- /dev/null
+From 909561d7b057a1c8adbf8b005f5202288ac90db3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 12:20:16 +0530
+Subject: amd-xgbe: do not double read link status
+
+From: Raju Rangoju <Raju.Rangoju@amd.com>
+
+[ Upstream commit 16ceda2ef683a50cd0783006c0504e1931cd8879 ]
+
+The link status is latched low so that momentary link drops
+can be detected. Always double-reading the status defeats this
+design feature. Only double read if link was already down
+
+This prevents unnecessary duplicate readings of the link status.
+
+Fixes: 4f3b20bfbb75 ("amd-xgbe: add support for rx-adaptation")
+Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250701065016.4140707-1-Raju.Rangoju@amd.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 4 ++++
+ drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 24 +++++++++++++--------
+ 2 files changed, 19 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
+index 154e7598a32bf..8345d439184eb 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
+@@ -1413,6 +1413,10 @@ static void xgbe_phy_status(struct xgbe_prv_data *pdata)
+
+ pdata->phy.link = pdata->phy_if.phy_impl.link_status(pdata,
+ &an_restart);
++ /* bail out if the link status register read fails */
++ if (pdata->phy.link < 0)
++ return;
++
+ if (an_restart) {
+ xgbe_phy_config_aneg(pdata);
+ goto adjust_link;
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
+index 268399dfcf22f..32e633d113484 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
+@@ -2855,8 +2855,7 @@ static bool xgbe_phy_valid_speed(struct xgbe_prv_data *pdata, int speed)
+ static int xgbe_phy_link_status(struct xgbe_prv_data *pdata, int *an_restart)
+ {
+ struct xgbe_phy_data *phy_data = pdata->phy_data;
+- unsigned int reg;
+- int ret;
++ int reg, ret;
+
+ *an_restart = 0;
+
+@@ -2890,11 +2889,20 @@ static int xgbe_phy_link_status(struct xgbe_prv_data *pdata, int *an_restart)
+ return 0;
+ }
+
+- /* Link status is latched low, so read once to clear
+- * and then read again to get current state
+- */
+- reg = XMDIO_READ(pdata, MDIO_MMD_PCS, MDIO_STAT1);
+ reg = XMDIO_READ(pdata, MDIO_MMD_PCS, MDIO_STAT1);
++ if (reg < 0)
++ return reg;
++
++ /* Link status is latched low so that momentary link drops
++ * can be detected. If link was already down read again
++ * to get the latest state.
++ */
++
++ if (!pdata->phy.link && !(reg & MDIO_STAT1_LSTATUS)) {
++ reg = XMDIO_READ(pdata, MDIO_MMD_PCS, MDIO_STAT1);
++ if (reg < 0)
++ return reg;
++ }
+
+ if (pdata->en_rx_adap) {
+ /* if the link is available and adaptation is done,
+@@ -2913,9 +2921,7 @@ static int xgbe_phy_link_status(struct xgbe_prv_data *pdata, int *an_restart)
+ xgbe_phy_set_mode(pdata, phy_data->cur_mode);
+ }
+
+- /* check again for the link and adaptation status */
+- reg = XMDIO_READ(pdata, MDIO_MMD_PCS, MDIO_STAT1);
+- if ((reg & MDIO_STAT1_LSTATUS) && pdata->rx_adapt_done)
++ if (pdata->rx_adapt_done)
+ return 1;
+ } else if (reg & MDIO_STAT1_LSTATUS)
+ return 1;
+--
+2.39.5
+
--- /dev/null
+From 04eab332f12c849492ea6acd755ad4fdc9d12fb7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 17:06:00 +0000
+Subject: aoe: defer rexmit timer downdev work to workqueue
+
+From: Justin Sanders <jsanders.devel@gmail.com>
+
+[ Upstream commit cffc873d68ab09a0432b8212008c5613f8a70a2c ]
+
+When aoe's rexmit_timer() notices that an aoe target fails to respond to
+commands for more than aoe_deadsecs, it calls aoedev_downdev() which
+cleans the outstanding aoe and block queues. This can involve sleeping,
+such as in blk_mq_freeze_queue(), which should not occur in irq context.
+
+This patch defers that aoedev_downdev() call to the aoe device's
+workqueue.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=212665
+Signed-off-by: Justin Sanders <jsanders.devel@gmail.com>
+Link: https://lore.kernel.org/r/20250610170600.869-2-jsanders.devel@gmail.com
+Tested-By: Valentin Kleibel <valentin@vrvis.at>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/aoe/aoe.h | 1 +
+ drivers/block/aoe/aoecmd.c | 8 ++++++--
+ drivers/block/aoe/aoedev.c | 5 ++++-
+ 3 files changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/block/aoe/aoe.h b/drivers/block/aoe/aoe.h
+index 749ae1246f4cf..d35caa3c69e15 100644
+--- a/drivers/block/aoe/aoe.h
++++ b/drivers/block/aoe/aoe.h
+@@ -80,6 +80,7 @@ enum {
+ DEVFL_NEWSIZE = (1<<6), /* need to update dev size in block layer */
+ DEVFL_FREEING = (1<<7), /* set when device is being cleaned up */
+ DEVFL_FREED = (1<<8), /* device has been cleaned up */
++ DEVFL_DEAD = (1<<9), /* device has timed out of aoe_deadsecs */
+ };
+
+ enum {
+diff --git a/drivers/block/aoe/aoecmd.c b/drivers/block/aoe/aoecmd.c
+index d1f4ddc576451..c4c5cf1ec71ba 100644
+--- a/drivers/block/aoe/aoecmd.c
++++ b/drivers/block/aoe/aoecmd.c
+@@ -754,7 +754,7 @@ rexmit_timer(struct timer_list *timer)
+
+ utgts = count_targets(d, NULL);
+
+- if (d->flags & DEVFL_TKILL) {
++ if (d->flags & (DEVFL_TKILL | DEVFL_DEAD)) {
+ spin_unlock_irqrestore(&d->lock, flags);
+ return;
+ }
+@@ -786,7 +786,8 @@ rexmit_timer(struct timer_list *timer)
+ * to clean up.
+ */
+ list_splice(&flist, &d->factive[0]);
+- aoedev_downdev(d);
++ d->flags |= DEVFL_DEAD;
++ queue_work(aoe_wq, &d->work);
+ goto out;
+ }
+
+@@ -898,6 +899,9 @@ aoecmd_sleepwork(struct work_struct *work)
+ {
+ struct aoedev *d = container_of(work, struct aoedev, work);
+
++ if (d->flags & DEVFL_DEAD)
++ aoedev_downdev(d);
++
+ if (d->flags & DEVFL_GDALLOC)
+ aoeblk_gdalloc(d);
+
+diff --git a/drivers/block/aoe/aoedev.c b/drivers/block/aoe/aoedev.c
+index 280679bde3a50..4240e11adfb76 100644
+--- a/drivers/block/aoe/aoedev.c
++++ b/drivers/block/aoe/aoedev.c
+@@ -200,8 +200,11 @@ aoedev_downdev(struct aoedev *d)
+ struct list_head *head, *pos, *nx;
+ struct request *rq, *rqnext;
+ int i;
++ unsigned long flags;
+
+- d->flags &= ~DEVFL_UP;
++ spin_lock_irqsave(&d->lock, flags);
++ d->flags &= ~(DEVFL_UP | DEVFL_DEAD);
++ spin_unlock_irqrestore(&d->lock, flags);
+
+ /* clean out active and to-be-retransmitted buffers */
+ for (i = 0; i < NFACTIVE; i++) {
+--
+2.39.5
+
--- /dev/null
+From da43ec36444a196e4e77ae6bb1bec2ee5bb256d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 22:30:31 +0200
+Subject: arm64: dts: apple: t8103: Fix PCIe BCM4377 nodename
+
+From: Janne Grunau <j@jannau.net>
+
+[ Upstream commit ac1daa91e9370e3b88ef7826a73d62a4d09e2717 ]
+
+Fix the following `make dtbs_check` warnings for all t8103 based devices:
+
+arch/arm64/boot/dts/apple/t8103-j274.dtb: network@0,0: $nodename:0: 'network@0,0' does not match '^wifi(@.*)?$'
+ from schema $id: http://devicetree.org/schemas/net/wireless/brcm,bcm4329-fmac.yaml#
+arch/arm64/boot/dts/apple/t8103-j274.dtb: network@0,0: Unevaluated properties are not allowed ('local-mac-address' was unexpected)
+ from schema $id: http://devicetree.org/schemas/net/wireless/brcm,bcm4329-fmac.yaml#
+
+Fixes: bf2c05b619ff ("arm64: dts: apple: t8103: Expose PCI node for the WiFi MAC address")
+Signed-off-by: Janne Grunau <j@jannau.net>
+Reviewed-by: Sven Peter <sven@kernel.org>
+Link: https://lore.kernel.org/r/20250611-arm64_dts_apple_wifi-v1-1-fb959d8e1eb4@jannau.net
+Signed-off-by: Sven Peter <sven@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/apple/t8103-jxxx.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/apple/t8103-jxxx.dtsi b/arch/arm64/boot/dts/apple/t8103-jxxx.dtsi
+index 5988a4eb6efaa..cb78ce7af0b38 100644
+--- a/arch/arm64/boot/dts/apple/t8103-jxxx.dtsi
++++ b/arch/arm64/boot/dts/apple/t8103-jxxx.dtsi
+@@ -71,7 +71,7 @@ hpm1: usb-pd@3f {
+ */
+ &port00 {
+ bus-range = <1 1>;
+- wifi0: network@0,0 {
++ wifi0: wifi@0,0 {
+ compatible = "pci14e4,4425";
+ reg = <0x10000 0x0 0x0 0x0 0x0>;
+ /* To be filled by the loader */
+--
+2.39.5
+
--- /dev/null
+From eed82bef2196491a30f65571375be965dddbf7d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Sep 2023 09:28:46 +0200
+Subject: arm64: dts: qcom: sm8550: add UART14 nodes
+
+From: Neil Armstrong <neil.armstrong@linaro.org>
+
+[ Upstream commit 75cac7090298978c12c59dbca377d957f6f8a8bb ]
+
+Add the Geni High Speed UART QUP instance 2 element 6
+node and associated default pinctrl.
+
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://lore.kernel.org/r/20230911-topic-sm8550-upstream-bt-v4-1-a5a428c77418@linaro.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Stable-dep-of: 5ff1fbb30597 ("platform/x86: think-lmi: Fix class device unregistration")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sm8550.dtsi | 30 ++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/qcom/sm8550.dtsi b/arch/arm64/boot/dts/qcom/sm8550.dtsi
+index c14c6f8583d54..2f0f1c2ab7391 100644
+--- a/arch/arm64/boot/dts/qcom/sm8550.dtsi
++++ b/arch/arm64/boot/dts/qcom/sm8550.dtsi
+@@ -1064,6 +1064,20 @@ spi13: spi@894000 {
+ status = "disabled";
+ };
+
++ uart14: serial@898000 {
++ compatible = "qcom,geni-uart";
++ reg = <0 0x898000 0 0x4000>;
++ clock-names = "se";
++ clocks = <&gcc GCC_QUPV3_WRAP2_S6_CLK>;
++ pinctrl-names = "default";
++ pinctrl-0 = <&qup_uart14_default>, <&qup_uart14_cts_rts>;
++ interrupts = <GIC_SPI 461 IRQ_TYPE_LEVEL_HIGH>;
++ interconnects = <&clk_virt MASTER_QUP_CORE_2 0 &clk_virt SLAVE_QUP_CORE_2 0>,
++ <&gem_noc MASTER_APPSS_PROC 0 &config_noc SLAVE_QUP_2 0>;
++ interconnect-names = "qup-core", "qup-config";
++ status = "disabled";
++ };
++
+ i2c15: i2c@89c000 {
+ compatible = "qcom,geni-i2c";
+ reg = <0 0x0089c000 0 0x4000>;
+@@ -3640,6 +3654,22 @@ qup_uart7_default: qup-uart7-default-state {
+ bias-disable;
+ };
+
++ qup_uart14_default: qup-uart14-default-state {
++ /* TX, RX */
++ pins = "gpio78", "gpio79";
++ function = "qup2_se6";
++ drive-strength = <2>;
++ bias-pull-up;
++ };
++
++ qup_uart14_cts_rts: qup-uart14-cts-rts-state {
++ /* CTS, RTS */
++ pins = "gpio76", "gpio77";
++ function = "qup2_se6";
++ drive-strength = <2>;
++ bias-pull-down;
++ };
++
+ sdc2_sleep: sdc2-sleep-state {
+ clk-pins {
+ pins = "sdc2_clk";
+--
+2.39.5
+
--- /dev/null
+From f8fcdf977c6fb2ec7f4841f418366f0fc75b6247 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 May 2025 02:52:32 +0200
+Subject: ASoC: amd: yc: Add quirk for MSI Bravo 17 D7VF internal mic
+
+From: Gabriel Santese <santesegabriel@gmail.com>
+
+[ Upstream commit ba06528ad5a31923efc24324706116ccd17e12d8 ]
+
+MSI Bravo 17 (D7VF), like other laptops from the family,
+has broken ACPI tables and needs a quirk for internal mic
+to work properly.
+
+Signed-off-by: Gabriel Santese <santesegabriel@gmail.com>
+Link: https://patch.msgid.link/20250530005444.23398-1-santesegabriel@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c
+index 40e2b5a87916a..1547cf8b46b13 100644
+--- a/sound/soc/amd/yc/acp6x-mach.c
++++ b/sound/soc/amd/yc/acp6x-mach.c
+@@ -451,6 +451,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "Bravo 17 D7VEK"),
+ }
+ },
++ {
++ .driver_data = &acp6x_card,
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "Micro-Star International Co., Ltd."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Bravo 17 D7VF"),
++ }
++ },
+ {
+ .driver_data = &acp6x_card,
+ .matches = {
+--
+2.39.5
+
--- /dev/null
+From 928c1590fc351b23ece780a3199b0986ea34869d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Jun 2025 07:51:25 -0400
+Subject: ASoC: amd: yc: update quirk data for HP Victus
+
+From: Raven Black <ravenblack@gmail.com>
+
+[ Upstream commit 13b86ea92ebf0fa587fbadfb8a60ca2e9993203f ]
+
+Make the internal microphone work on HP Victus laptops.
+
+Signed-off-by: Raven Black <ravenblack@gmail.com>
+Link: https://patch.msgid.link/20250613-support-hp-victus-microphone-v1-1-bebc4c3a2041@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c
+index 1547cf8b46b13..429e61d47ffbb 100644
+--- a/sound/soc/amd/yc/acp6x-mach.c
++++ b/sound/soc/amd/yc/acp6x-mach.c
+@@ -521,6 +521,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "OMEN by HP Gaming Laptop 16z-n000"),
+ }
+ },
++ {
++ .driver_data = &acp6x_card,
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "HP"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Victus by HP Gaming Laptop 15-fb2xxx"),
++ }
++ },
+ {
+ .driver_data = &acp6x_card,
+ .matches = {
+--
+2.39.5
+
--- /dev/null
+From e058e78642a4a074b2b030100ab1326e32aa4d51 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 May 2025 11:56:55 +0300
+Subject: ata: libata-acpi: Do not assume 40 wire cable if no devices are
+ enabled
+
+From: Tasos Sahanidis <tasos@tasossah.com>
+
+[ Upstream commit 33877220b8641b4cde474a4229ea92c0e3637883 ]
+
+On at least an ASRock 990FX Extreme 4 with a VIA VT6330, the devices
+have not yet been enabled by the first time ata_acpi_cbl_80wire() is
+called. This means that the ata_for_each_dev loop is never entered,
+and a 40 wire cable is assumed.
+
+The VIA controller on this board does not report the cable in the PCI
+config space, thus having to fall back to ACPI even though no SATA
+bridge is present.
+
+The _GTM values are correctly reported by the firmware through ACPI,
+which has already set up faster transfer modes, but due to the above
+the controller is forced down to a maximum of UDMA/33.
+
+Resolve this by modifying ata_acpi_cbl_80wire() to directly return the
+cable type. First, an unknown cable is assumed which preserves the mode
+set by the firmware, and then on subsequent calls when the devices have
+been enabled, an 80 wire cable is correctly detected.
+
+Since the function now directly returns the cable type, it is renamed
+to ata_acpi_cbl_pata_type().
+
+Signed-off-by: Tasos Sahanidis <tasos@tasossah.com>
+Link: https://lore.kernel.org/r/20250519085945.1399466-1-tasos@tasossah.com
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-acpi.c | 24 ++++++++++++++++--------
+ drivers/ata/pata_via.c | 6 ++----
+ include/linux/libata.h | 7 +++----
+ 3 files changed, 21 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/ata/libata-acpi.c b/drivers/ata/libata-acpi.c
+index d36e71f475abd..39a350755a1ba 100644
+--- a/drivers/ata/libata-acpi.c
++++ b/drivers/ata/libata-acpi.c
+@@ -514,15 +514,19 @@ unsigned int ata_acpi_gtm_xfermask(struct ata_device *dev,
+ EXPORT_SYMBOL_GPL(ata_acpi_gtm_xfermask);
+
+ /**
+- * ata_acpi_cbl_80wire - Check for 80 wire cable
++ * ata_acpi_cbl_pata_type - Return PATA cable type
+ * @ap: Port to check
+- * @gtm: GTM data to use
+ *
+- * Return 1 if the @gtm indicates the BIOS selected an 80wire mode.
++ * Return ATA_CBL_PATA* according to the transfer mode selected by BIOS
+ */
+-int ata_acpi_cbl_80wire(struct ata_port *ap, const struct ata_acpi_gtm *gtm)
++int ata_acpi_cbl_pata_type(struct ata_port *ap)
+ {
+ struct ata_device *dev;
++ int ret = ATA_CBL_PATA_UNK;
++ const struct ata_acpi_gtm *gtm = ata_acpi_init_gtm(ap);
++
++ if (!gtm)
++ return ATA_CBL_PATA40;
+
+ ata_for_each_dev(dev, &ap->link, ENABLED) {
+ unsigned int xfer_mask, udma_mask;
+@@ -530,13 +534,17 @@ int ata_acpi_cbl_80wire(struct ata_port *ap, const struct ata_acpi_gtm *gtm)
+ xfer_mask = ata_acpi_gtm_xfermask(dev, gtm);
+ ata_unpack_xfermask(xfer_mask, NULL, NULL, &udma_mask);
+
+- if (udma_mask & ~ATA_UDMA_MASK_40C)
+- return 1;
++ ret = ATA_CBL_PATA40;
++
++ if (udma_mask & ~ATA_UDMA_MASK_40C) {
++ ret = ATA_CBL_PATA80;
++ break;
++ }
+ }
+
+- return 0;
++ return ret;
+ }
+-EXPORT_SYMBOL_GPL(ata_acpi_cbl_80wire);
++EXPORT_SYMBOL_GPL(ata_acpi_cbl_pata_type);
+
+ static void ata_acpi_gtf_to_tf(struct ata_device *dev,
+ const struct ata_acpi_gtf *gtf,
+diff --git a/drivers/ata/pata_via.c b/drivers/ata/pata_via.c
+index d82728a01832b..bb80e7800dcbe 100644
+--- a/drivers/ata/pata_via.c
++++ b/drivers/ata/pata_via.c
+@@ -201,11 +201,9 @@ static int via_cable_detect(struct ata_port *ap) {
+ two drives */
+ if (ata66 & (0x10100000 >> (16 * ap->port_no)))
+ return ATA_CBL_PATA80;
++
+ /* Check with ACPI so we can spot BIOS reported SATA bridges */
+- if (ata_acpi_init_gtm(ap) &&
+- ata_acpi_cbl_80wire(ap, ata_acpi_init_gtm(ap)))
+- return ATA_CBL_PATA80;
+- return ATA_CBL_PATA40;
++ return ata_acpi_cbl_pata_type(ap);
+ }
+
+ static int via_pre_reset(struct ata_link *link, unsigned long deadline)
+diff --git a/include/linux/libata.h b/include/linux/libata.h
+index 91c4e11cb6abb..285d709cbbde4 100644
+--- a/include/linux/libata.h
++++ b/include/linux/libata.h
+@@ -1305,7 +1305,7 @@ int ata_acpi_stm(struct ata_port *ap, const struct ata_acpi_gtm *stm);
+ int ata_acpi_gtm(struct ata_port *ap, struct ata_acpi_gtm *stm);
+ unsigned int ata_acpi_gtm_xfermask(struct ata_device *dev,
+ const struct ata_acpi_gtm *gtm);
+-int ata_acpi_cbl_80wire(struct ata_port *ap, const struct ata_acpi_gtm *gtm);
++int ata_acpi_cbl_pata_type(struct ata_port *ap);
+ #else
+ static inline const struct ata_acpi_gtm *ata_acpi_init_gtm(struct ata_port *ap)
+ {
+@@ -1330,10 +1330,9 @@ static inline unsigned int ata_acpi_gtm_xfermask(struct ata_device *dev,
+ return 0;
+ }
+
+-static inline int ata_acpi_cbl_80wire(struct ata_port *ap,
+- const struct ata_acpi_gtm *gtm)
++static inline int ata_acpi_cbl_pata_type(struct ata_port *ap)
+ {
+- return 0;
++ return ATA_CBL_PATA40;
+ }
+ #endif
+
+--
+2.39.5
+
--- /dev/null
+From e342d337648fe12b1558a02f84a56d49aad657d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Jun 2025 11:01:11 +0200
+Subject: ata: pata_cs5536: fix build on 32-bit UML
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit fe5b391fc56f77cf3c22a9dd4f0ce20db0e3533f ]
+
+On 32-bit ARCH=um, CONFIG_X86_32 is still defined, so it
+doesn't indicate building on real X86 machines. There's
+no MSR on UML though, so add a check for CONFIG_X86.
+
+Reported-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Link: https://lore.kernel.org/r/20250606090110.15784-2-johannes@sipsolutions.net
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/pata_cs5536.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/ata/pata_cs5536.c b/drivers/ata/pata_cs5536.c
+index b811efd2cc346..73e81e160c91f 100644
+--- a/drivers/ata/pata_cs5536.c
++++ b/drivers/ata/pata_cs5536.c
+@@ -27,7 +27,7 @@
+ #include <scsi/scsi_host.h>
+ #include <linux/dmi.h>
+
+-#ifdef CONFIG_X86_32
++#if defined(CONFIG_X86) && defined(CONFIG_X86_32)
+ #include <asm/msr.h>
+ static int use_msr;
+ module_param_named(msr, use_msr, int, 0644);
+--
+2.39.5
+
--- /dev/null
+From 56b55e958d8a2ed75056d10938ec26556ad4c0a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Jul 2025 05:34:31 -0400
+Subject: Bluetooth: hci_core: Fix use-after-free in vhci_flush()
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit 1d6123102e9fbedc8d25bf4731da6d513173e49e ]
+
+syzbot reported use-after-free in vhci_flush() without repro. [0]
+
+From the splat, a thread close()d a vhci file descriptor while
+its device was being used by iotcl() on another thread.
+
+Once the last fd refcnt is released, vhci_release() calls
+hci_unregister_dev(), hci_free_dev(), and kfree() for struct
+vhci_data, which is set to hci_dev->dev->driver_data.
+
+The problem is that there is no synchronisation after unlinking
+hdev from hci_dev_list in hci_unregister_dev(). There might be
+another thread still accessing the hdev which was fetched before
+the unlink operation.
+
+We can use SRCU for such synchronisation.
+
+Let's run hci_dev_reset() under SRCU and wait for its completion
+in hci_unregister_dev().
+
+Another option would be to restore hci_dev->destruct(), which was
+removed in commit 587ae086f6e4 ("Bluetooth: Remove unused
+hci-destruct cb"). However, this would not be a good solution, as
+we should not run hci_unregister_dev() while there are in-flight
+ioctl() requests, which could lead to another data-race KCSAN splat.
+
+Note that other drivers seem to have the same problem, for exmaple,
+virtbt_remove().
+
+[0]:
+BUG: KASAN: slab-use-after-free in skb_queue_empty_lockless include/linux/skbuff.h:1891 [inline]
+BUG: KASAN: slab-use-after-free in skb_queue_purge_reason+0x99/0x360 net/core/skbuff.c:3937
+Read of size 8 at addr ffff88807cb8d858 by task syz.1.219/6718
+
+CPU: 1 UID: 0 PID: 6718 Comm: syz.1.219 Not tainted 6.16.0-rc1-syzkaller-00196-g08207f42d3ff #0 PREEMPT(full)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:408 [inline]
+ print_report+0xd2/0x2b0 mm/kasan/report.c:521
+ kasan_report+0x118/0x150 mm/kasan/report.c:634
+ skb_queue_empty_lockless include/linux/skbuff.h:1891 [inline]
+ skb_queue_purge_reason+0x99/0x360 net/core/skbuff.c:3937
+ skb_queue_purge include/linux/skbuff.h:3368 [inline]
+ vhci_flush+0x44/0x50 drivers/bluetooth/hci_vhci.c:69
+ hci_dev_do_reset net/bluetooth/hci_core.c:552 [inline]
+ hci_dev_reset+0x420/0x5c0 net/bluetooth/hci_core.c:592
+ sock_do_ioctl+0xd9/0x300 net/socket.c:1190
+ sock_ioctl+0x576/0x790 net/socket.c:1311
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:907 [inline]
+ __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7fcf5b98e929
+Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fcf5c7b9038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 00007fcf5bbb6160 RCX: 00007fcf5b98e929
+RDX: 0000000000000000 RSI: 00000000400448cb RDI: 0000000000000009
+RBP: 00007fcf5ba10b39 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 0000000000000000 R14: 00007fcf5bbb6160 R15: 00007ffd6353d528
+ </TASK>
+
+Allocated by task 6535:
+ kasan_save_stack mm/kasan/common.c:47 [inline]
+ kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
+ poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
+ __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
+ kasan_kmalloc include/linux/kasan.h:260 [inline]
+ __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4359
+ kmalloc_noprof include/linux/slab.h:905 [inline]
+ kzalloc_noprof include/linux/slab.h:1039 [inline]
+ vhci_open+0x57/0x360 drivers/bluetooth/hci_vhci.c:635
+ misc_open+0x2bc/0x330 drivers/char/misc.c:161
+ chrdev_open+0x4c9/0x5e0 fs/char_dev.c:414
+ do_dentry_open+0xdf0/0x1970 fs/open.c:964
+ vfs_open+0x3b/0x340 fs/open.c:1094
+ do_open fs/namei.c:3887 [inline]
+ path_openat+0x2ee5/0x3830 fs/namei.c:4046
+ do_filp_open+0x1fa/0x410 fs/namei.c:4073
+ do_sys_openat2+0x121/0x1c0 fs/open.c:1437
+ do_sys_open fs/open.c:1452 [inline]
+ __do_sys_openat fs/open.c:1468 [inline]
+ __se_sys_openat fs/open.c:1463 [inline]
+ __x64_sys_openat+0x138/0x170 fs/open.c:1463
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Freed by task 6535:
+ kasan_save_stack mm/kasan/common.c:47 [inline]
+ kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
+ kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
+ poison_slab_object mm/kasan/common.c:247 [inline]
+ __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
+ kasan_slab_free include/linux/kasan.h:233 [inline]
+ slab_free_hook mm/slub.c:2381 [inline]
+ slab_free mm/slub.c:4643 [inline]
+ kfree+0x18e/0x440 mm/slub.c:4842
+ vhci_release+0xbc/0xd0 drivers/bluetooth/hci_vhci.c:671
+ __fput+0x44c/0xa70 fs/file_table.c:465
+ task_work_run+0x1d1/0x260 kernel/task_work.c:227
+ exit_task_work include/linux/task_work.h:40 [inline]
+ do_exit+0x6ad/0x22e0 kernel/exit.c:955
+ do_group_exit+0x21c/0x2d0 kernel/exit.c:1104
+ __do_sys_exit_group kernel/exit.c:1115 [inline]
+ __se_sys_exit_group kernel/exit.c:1113 [inline]
+ __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1113
+ x64_sys_call+0x21ba/0x21c0 arch/x86/include/generated/asm/syscalls_64.h:232
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+The buggy address belongs to the object at ffff88807cb8d800
+ which belongs to the cache kmalloc-1k of size 1024
+The buggy address is located 88 bytes inside of
+ freed 1024-byte region [ffff88807cb8d800, ffff88807cb8dc00)
+
+Fixes: bf18c7118cf8 ("Bluetooth: vhci: Free driver_data on file release")
+Reported-by: syzbot+2faa4825e556199361f9@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=f62d64848fc4c7c30cd6
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Acked-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/bluetooth/hci_core.h | 2 ++
+ net/bluetooth/hci_core.c | 34 ++++++++++++++++++++++++++++----
+ 2 files changed, 32 insertions(+), 4 deletions(-)
+
+diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
+index d63af08c6cdc2..4f067599e6e9e 100644
+--- a/include/net/bluetooth/hci_core.h
++++ b/include/net/bluetooth/hci_core.h
+@@ -29,6 +29,7 @@
+ #include <linux/idr.h>
+ #include <linux/leds.h>
+ #include <linux/rculist.h>
++#include <linux/srcu.h>
+
+ #include <net/bluetooth/hci.h>
+ #include <net/bluetooth/hci_sync.h>
+@@ -339,6 +340,7 @@ struct adv_monitor {
+
+ struct hci_dev {
+ struct list_head list;
++ struct srcu_struct srcu;
+ struct mutex lock;
+
+ struct ida unset_handle_ida;
+diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
+index 32f7bd0e89168..824208a53c251 100644
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -65,7 +65,7 @@ static DEFINE_IDA(hci_index_ida);
+
+ /* Get HCI device by index.
+ * Device is held on return. */
+-struct hci_dev *hci_dev_get(int index)
++static struct hci_dev *__hci_dev_get(int index, int *srcu_index)
+ {
+ struct hci_dev *hdev = NULL, *d;
+
+@@ -78,6 +78,8 @@ struct hci_dev *hci_dev_get(int index)
+ list_for_each_entry(d, &hci_dev_list, list) {
+ if (d->id == index) {
+ hdev = hci_dev_hold(d);
++ if (srcu_index)
++ *srcu_index = srcu_read_lock(&d->srcu);
+ break;
+ }
+ }
+@@ -85,6 +87,22 @@ struct hci_dev *hci_dev_get(int index)
+ return hdev;
+ }
+
++struct hci_dev *hci_dev_get(int index)
++{
++ return __hci_dev_get(index, NULL);
++}
++
++static struct hci_dev *hci_dev_get_srcu(int index, int *srcu_index)
++{
++ return __hci_dev_get(index, srcu_index);
++}
++
++static void hci_dev_put_srcu(struct hci_dev *hdev, int srcu_index)
++{
++ srcu_read_unlock(&hdev->srcu, srcu_index);
++ hci_dev_put(hdev);
++}
++
+ /* ---- Inquiry support ---- */
+
+ bool hci_discovery_active(struct hci_dev *hdev)
+@@ -590,9 +608,9 @@ static int hci_dev_do_reset(struct hci_dev *hdev)
+ int hci_dev_reset(__u16 dev)
+ {
+ struct hci_dev *hdev;
+- int err;
++ int err, srcu_index;
+
+- hdev = hci_dev_get(dev);
++ hdev = hci_dev_get_srcu(dev, &srcu_index);
+ if (!hdev)
+ return -ENODEV;
+
+@@ -614,7 +632,7 @@ int hci_dev_reset(__u16 dev)
+ err = hci_dev_do_reset(hdev);
+
+ done:
+- hci_dev_put(hdev);
++ hci_dev_put_srcu(hdev, srcu_index);
+ return err;
+ }
+
+@@ -2424,6 +2442,11 @@ struct hci_dev *hci_alloc_dev_priv(int sizeof_priv)
+ if (!hdev)
+ return NULL;
+
++ if (init_srcu_struct(&hdev->srcu)) {
++ kfree(hdev);
++ return NULL;
++ }
++
+ hdev->pkt_type = (HCI_DM1 | HCI_DH1 | HCI_HV1);
+ hdev->esco_type = (ESCO_HV1);
+ hdev->link_mode = (HCI_LM_ACCEPT);
+@@ -2670,6 +2693,9 @@ void hci_unregister_dev(struct hci_dev *hdev)
+ list_del(&hdev->list);
+ write_unlock(&hci_dev_list_lock);
+
++ synchronize_srcu(&hdev->srcu);
++ cleanup_srcu_struct(&hdev->srcu);
++
+ cancel_work_sync(&hdev->rx_work);
+ cancel_work_sync(&hdev->cmd_work);
+ cancel_work_sync(&hdev->tx_work);
+--
+2.39.5
+
--- /dev/null
+From 76c6c0e4740091682d7f37506409052ccec8d725 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Jun 2025 11:01:07 +0800
+Subject: Bluetooth: Prevent unintended pause by checking if advertising is
+ active
+
+From: Yang Li <yang.li@amlogic.com>
+
+[ Upstream commit 1f029b4e30a602db33dedee5ac676e9236ad193c ]
+
+When PA Create Sync is enabled, advertising resumes unexpectedly.
+Therefore, it's necessary to check whether advertising is currently
+active before attempting to pause it.
+
+ < HCI Command: LE Add Device To... (0x08|0x0011) plen 7 #1345 [hci0] 48.306205
+ Address type: Random (0x01)
+ Address: 4F:84:84:5F:88:17 (Resolvable)
+ Identity type: Random (0x01)
+ Identity: FC:5B:8C:F7:5D:FB (Static)
+ < HCI Command: LE Set Address Re.. (0x08|0x002d) plen 1 #1347 [hci0] 48.308023
+ Address resolution: Enabled (0x01)
+ ...
+ < HCI Command: LE Set Extended A.. (0x08|0x0039) plen 6 #1349 [hci0] 48.309650
+ Extended advertising: Enabled (0x01)
+ Number of sets: 1 (0x01)
+ Entry 0
+ Handle: 0x01
+ Duration: 0 ms (0x00)
+ Max ext adv events: 0
+ ...
+ < HCI Command: LE Periodic Adve.. (0x08|0x0044) plen 14 #1355 [hci0] 48.314575
+ Options: 0x0000
+ Use advertising SID, Advertiser Address Type and address
+ Reporting initially enabled
+ SID: 0x02
+ Adv address type: Random (0x01)
+ Adv address: 4F:84:84:5F:88:17 (Resolvable)
+ Identity type: Random (0x01)
+ Identity: FC:5B:8C:F7:5D:FB (Static)
+ Skip: 0x0000
+ Sync timeout: 20000 msec (0x07d0)
+ Sync CTE type: 0x0000
+
+Fixes: ad383c2c65a5 ("Bluetooth: hci_sync: Enable advertising when LL privacy is enabled")
+Signed-off-by: Yang Li <yang.li@amlogic.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_sync.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index 9ba4cb90891b3..d602e9d8eff45 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -2518,6 +2518,10 @@ static int hci_pause_advertising_sync(struct hci_dev *hdev)
+ int err;
+ int old_state;
+
++ /* If controller is not advertising we are done. */
++ if (!hci_dev_test_flag(hdev, HCI_LE_ADV))
++ return 0;
++
+ /* If already been paused there is nothing to do. */
+ if (hdev->advertising_paused)
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From 5d491d1e73b2ebe28cabf3f2943718f0ba094dc1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Jun 2025 09:06:38 -0700
+Subject: bnxt: properly flush XDP redirect lists
+
+From: Yan Zhai <yan@cloudflare.com>
+
+[ Upstream commit 9caca6ac0e26cd20efd490d8b3b2ffb1c7c00f6f ]
+
+We encountered following crash when testing a XDP_REDIRECT feature
+in production:
+
+[56251.579676] list_add corruption. next->prev should be prev (ffff93120dd40f30), but was ffffb301ef3a6740. (next=ffff93120dd
+40f30).
+[56251.601413] ------------[ cut here ]------------
+[56251.611357] kernel BUG at lib/list_debug.c:29!
+[56251.621082] Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
+[56251.632073] CPU: 111 UID: 0 PID: 0 Comm: swapper/111 Kdump: loaded Tainted: P O 6.12.33-cloudflare-2025.6.
+3 #1
+[56251.653155] Tainted: [P]=PROPRIETARY_MODULE, [O]=OOT_MODULE
+[56251.663877] Hardware name: MiTAC GC68B-B8032-G11P6-GPU/S8032GM-HE-CFR, BIOS V7.020.B10-sig 01/22/2025
+[56251.682626] RIP: 0010:__list_add_valid_or_report+0x4b/0xa0
+[56251.693203] Code: 0e 48 c7 c7 68 e7 d9 97 e8 42 16 fe ff 0f 0b 48 8b 52 08 48 39 c2 74 14 48 89 f1 48 c7 c7 90 e7 d9 97 48
+ 89 c6 e8 25 16 fe ff <0f> 0b 4c 8b 02 49 39 f0 74 14 48 89 d1 48 c7 c7 e8 e7 d9 97 4c 89
+[56251.725811] RSP: 0018:ffff93120dd40b80 EFLAGS: 00010246
+[56251.736094] RAX: 0000000000000075 RBX: ffffb301e6bba9d8 RCX: 0000000000000000
+[56251.748260] RDX: 0000000000000000 RSI: ffff9149afda0b80 RDI: ffff9149afda0b80
+[56251.760349] RBP: ffff9131e49c8000 R08: 0000000000000000 R09: ffff93120dd40a18
+[56251.772382] R10: ffff9159cf2ce1a8 R11: 0000000000000003 R12: ffff911a80850000
+[56251.784364] R13: ffff93120fbc7000 R14: 0000000000000010 R15: ffff9139e7510e40
+[56251.796278] FS: 0000000000000000(0000) GS:ffff9149afd80000(0000) knlGS:0000000000000000
+[56251.809133] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[56251.819561] CR2: 00007f5e85e6f300 CR3: 00000038b85e2006 CR4: 0000000000770ef0
+[56251.831365] PKRU: 55555554
+[56251.838653] Call Trace:
+[56251.845560] <IRQ>
+[56251.851943] cpu_map_enqueue.cold+0x5/0xa
+[56251.860243] xdp_do_redirect+0x2d9/0x480
+[56251.868388] bnxt_rx_xdp+0x1d8/0x4c0 [bnxt_en]
+[56251.877028] bnxt_rx_pkt+0x5f7/0x19b0 [bnxt_en]
+[56251.885665] ? cpu_max_write+0x1e/0x100
+[56251.893510] ? srso_alias_return_thunk+0x5/0xfbef5
+[56251.902276] __bnxt_poll_work+0x190/0x340 [bnxt_en]
+[56251.911058] bnxt_poll+0xab/0x1b0 [bnxt_en]
+[56251.919041] ? srso_alias_return_thunk+0x5/0xfbef5
+[56251.927568] ? srso_alias_return_thunk+0x5/0xfbef5
+[56251.935958] ? srso_alias_return_thunk+0x5/0xfbef5
+[56251.944250] __napi_poll+0x2b/0x160
+[56251.951155] bpf_trampoline_6442548651+0x79/0x123
+[56251.959262] __napi_poll+0x5/0x160
+[56251.966037] net_rx_action+0x3d2/0x880
+[56251.973133] ? srso_alias_return_thunk+0x5/0xfbef5
+[56251.981265] ? srso_alias_return_thunk+0x5/0xfbef5
+[56251.989262] ? __hrtimer_run_queues+0x162/0x2a0
+[56251.996967] ? srso_alias_return_thunk+0x5/0xfbef5
+[56252.004875] ? srso_alias_return_thunk+0x5/0xfbef5
+[56252.012673] ? bnxt_msix+0x62/0x70 [bnxt_en]
+[56252.019903] handle_softirqs+0xcf/0x270
+[56252.026650] irq_exit_rcu+0x67/0x90
+[56252.032933] common_interrupt+0x85/0xa0
+[56252.039498] </IRQ>
+[56252.044246] <TASK>
+[56252.048935] asm_common_interrupt+0x26/0x40
+[56252.055727] RIP: 0010:cpuidle_enter_state+0xb8/0x420
+[56252.063305] Code: dc 01 00 00 e8 f9 79 3b ff e8 64 f7 ff ff 49 89 c5 0f 1f 44 00 00 31 ff e8 a5 32 3a ff 45 84 ff 0f 85 ae
+ 01 00 00 fb 45 85 f6 <0f> 88 88 01 00 00 48 8b 04 24 49 63 ce 4c 89 ea 48 6b f1 68 48 29
+[56252.088911] RSP: 0018:ffff93120c97fe98 EFLAGS: 00000202
+[56252.096912] RAX: ffff9149afd80000 RBX: ffff9141d3a72800 RCX: 0000000000000000
+[56252.106844] RDX: 00003329176c6b98 RSI: ffffffe36db3fdc7 RDI: 0000000000000000
+[56252.116733] RBP: 0000000000000002 R08: 0000000000000002 R09: 000000000000004e
+[56252.126652] R10: ffff9149afdb30c4 R11: 071c71c71c71c71c R12: ffffffff985ff860
+[56252.136637] R13: 00003329176c6b98 R14: 0000000000000002 R15: 0000000000000000
+[56252.146667] ? cpuidle_enter_state+0xab/0x420
+[56252.153909] cpuidle_enter+0x2d/0x40
+[56252.160360] do_idle+0x176/0x1c0
+[56252.166456] cpu_startup_entry+0x29/0x30
+[56252.173248] start_secondary+0xf7/0x100
+[56252.179941] common_startup_64+0x13e/0x141
+[56252.186886] </TASK>
+
+From the crash dump, we found that the cpu_map_flush_list inside
+redirect info is partially corrupted: its list_head->next points to
+itself, but list_head->prev points to a valid list of unflushed bq
+entries.
+
+This turned out to be a result of missed XDP flush on redirect lists. By
+digging in the actual source code, we found that
+commit 7f0a168b0441 ("bnxt_en: Add completion ring pointer in TX and RX
+ring structures") incorrectly overwrites the event mask for XDP_REDIRECT
+in bnxt_rx_xdp. We can stably reproduce this crash by returning XDP_TX
+and XDP_REDIRECT randomly for incoming packets in a naive XDP program.
+Properly propagate the XDP_REDIRECT events back fixes the crash.
+
+Fixes: a7559bc8c17c ("bnxt: support transmit and free of aggregation buffers")
+Tested-by: Andrew Rzeznik <arzeznik@cloudflare.com>
+Signed-off-by: Yan Zhai <yan@cloudflare.com>
+Acked-by: Jesper Dangaard Brouer <hawk@kernel.org>
+Reviewed-by: Michael Chan <michael.chan@broadcom.com>
+Reviewed-by: Andy Gospodarek <gospo@broadcom.com>
+Link: https://patch.msgid.link/aFl7jpCNzscumuN2@debian.debian
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index 6bf4a21853858..8e4e8291d8c66 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -2491,6 +2491,7 @@ static int __bnxt_poll_work(struct bnxt *bp, struct bnxt_cp_ring_info *cpr,
+ {
+ struct bnxt_napi *bnapi = cpr->bnapi;
+ u32 raw_cons = cpr->cp_raw_cons;
++ bool flush_xdp = false;
+ u32 cons;
+ int tx_pkts = 0;
+ int rx_pkts = 0;
+@@ -2528,6 +2529,8 @@ static int __bnxt_poll_work(struct bnxt *bp, struct bnxt_cp_ring_info *cpr,
+ else
+ rc = bnxt_force_rx_discard(bp, cpr, &raw_cons,
+ &event);
++ if (event & BNXT_REDIRECT_EVENT)
++ flush_xdp = true;
+ if (likely(rc >= 0))
+ rx_pkts += rc;
+ /* Increment rx_pkts when rc is -ENOMEM to count towards
+@@ -2555,8 +2558,10 @@ static int __bnxt_poll_work(struct bnxt *bp, struct bnxt_cp_ring_info *cpr,
+ }
+ }
+
+- if (event & BNXT_REDIRECT_EVENT)
++ if (flush_xdp) {
+ xdp_do_flush();
++ event &= ~BNXT_REDIRECT_EVENT;
++ }
+
+ if (event & BNXT_TX_EVENT) {
+ struct bnxt_tx_ring_info *txr = bnapi->tx_ring;
+--
+2.39.5
+
--- /dev/null
+From c8d283d774769993d0823bc9b5d3a0708a46cdd3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Jun 2025 12:11:58 +0100
+Subject: btrfs: fix iteration of extrefs during log replay
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 54a7081ed168b72a8a2d6ef4ba3a1259705a2926 ]
+
+At __inode_add_ref() when processing extrefs, if we jump into the next
+label we have an undefined value of victim_name.len, since we haven't
+initialized it before we did the goto. This results in an invalid memory
+access in the next iteration of the loop since victim_name.len was not
+initialized to the length of the name of the current extref.
+
+Fix this by initializing victim_name.len with the current extref's name
+length.
+
+Fixes: e43eec81c516 ("btrfs: use struct qstr instead of name and namelen pairs")
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/tree-log.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
+index 6dbb62f83f8c8..13377c3b22897 100644
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -1162,13 +1162,13 @@ static inline int __add_inode_ref(struct btrfs_trans_handle *trans,
+ struct fscrypt_str victim_name;
+
+ extref = (struct btrfs_inode_extref *)(base + cur_offset);
++ victim_name.len = btrfs_inode_extref_name_len(leaf, extref);
+
+ if (btrfs_inode_extref_parent(leaf, extref) != parent_objectid)
+ goto next;
+
+ ret = read_alloc_one_name(leaf, &extref->name,
+- btrfs_inode_extref_name_len(leaf, extref),
+- &victim_name);
++ victim_name.len, &victim_name);
+ if (ret)
+ return ret;
+
+--
+2.39.5
+
--- /dev/null
+From 36f0648dc3215b54f9c1bf2b44739c03bc7c9c71 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 16:57:07 +0100
+Subject: btrfs: fix missing error handling when searching for inode refs
+ during log replay
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 6561a40ceced9082f50c374a22d5966cf9fc5f5c ]
+
+During log replay, at __add_inode_ref(), when we are searching for inode
+ref keys we totally ignore if btrfs_search_slot() returns an error. This
+may make a log replay succeed when there was an actual error and leave
+some metadata inconsistency in a subvolume tree. Fix this by checking if
+an error was returned from btrfs_search_slot() and if so, return it to
+the caller.
+
+Fixes: e02119d5a7b4 ("Btrfs: Add a write ahead tree log to optimize synchronous operations")
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/tree-log.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
+index cc9a2f8a4ae3b..6dbb62f83f8c8 100644
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -1087,7 +1087,9 @@ static inline int __add_inode_ref(struct btrfs_trans_handle *trans,
+ search_key.type = BTRFS_INODE_REF_KEY;
+ search_key.offset = parent_objectid;
+ ret = btrfs_search_slot(NULL, root, &search_key, path, 0, 0);
+- if (ret == 0) {
++ if (ret < 0) {
++ return ret;
++ } else if (ret == 0) {
+ struct btrfs_inode_ref *victim_ref;
+ unsigned long ptr;
+ unsigned long ptr_end;
+--
+2.39.5
+
--- /dev/null
+From 40dcabd12217b2142b6da4bcb0737e4cfb0872e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 May 2025 13:05:36 +0100
+Subject: btrfs: fix qgroup reservation leak on failure to allocate ordered
+ extent
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 1f2889f5594a2bc4c6a52634c4a51b93e785def5 ]
+
+If we fail to allocate an ordered extent for a COW write we end up leaking
+a qgroup data reservation since we called btrfs_qgroup_release_data() but
+we didn't call btrfs_qgroup_free_refroot() (which would happen when
+running the respective data delayed ref created by ordered extent
+completion or when finishing the ordered extent in case an error happened).
+
+So make sure we call btrfs_qgroup_free_refroot() if we fail to allocate an
+ordered extent for a COW write.
+
+Fixes: 7dbeaad0af7d ("btrfs: change timing for qgroup reserved space for ordered extents to fix reserved space leak")
+CC: stable@vger.kernel.org # 6.1+
+Reviewed-by: Boris Burkov <boris@bur.io>
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/ordered-data.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/fs/btrfs/ordered-data.c b/fs/btrfs/ordered-data.c
+index 86d846eb5ed49..c68e9ecbc438c 100644
+--- a/fs/btrfs/ordered-data.c
++++ b/fs/btrfs/ordered-data.c
+@@ -154,9 +154,10 @@ static struct btrfs_ordered_extent *alloc_ordered_extent(
+ struct btrfs_ordered_extent *entry;
+ int ret;
+ u64 qgroup_rsv = 0;
++ const bool is_nocow = (flags &
++ ((1U << BTRFS_ORDERED_NOCOW) | (1U << BTRFS_ORDERED_PREALLOC)));
+
+- if (flags &
+- ((1 << BTRFS_ORDERED_NOCOW) | (1 << BTRFS_ORDERED_PREALLOC))) {
++ if (is_nocow) {
+ /* For nocow write, we can release the qgroup rsv right now */
+ ret = btrfs_qgroup_free_data(inode, NULL, file_offset, num_bytes, &qgroup_rsv);
+ if (ret < 0)
+@@ -171,8 +172,13 @@ static struct btrfs_ordered_extent *alloc_ordered_extent(
+ return ERR_PTR(ret);
+ }
+ entry = kmem_cache_zalloc(btrfs_ordered_extent_cache, GFP_NOFS);
+- if (!entry)
++ if (!entry) {
++ if (!is_nocow)
++ btrfs_qgroup_free_refroot(inode->root->fs_info,
++ btrfs_root_id(inode->root),
++ qgroup_rsv, BTRFS_QGROUP_RSV_DATA);
+ return ERR_PTR(-ENOMEM);
++ }
+
+ entry->file_offset = file_offset;
+ entry->num_bytes = num_bytes;
+--
+2.39.5
+
--- /dev/null
+From d62bdb6dcd75e8f12c52f4c48782eec748ed3d2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 15:54:05 +0100
+Subject: btrfs: propagate last_unlink_trans earlier when doing a rmdir
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit c466e33e729a0ee017d10d919cba18f503853c60 ]
+
+In case the removed directory had a snapshot that was deleted, we are
+propagating its inode's last_unlink_trans to the parent directory after
+we removed the entry from the parent directory. This leaves a small race
+window where someone can log the parent directory after we removed the
+entry and before we updated last_unlink_trans, and as a result if we ever
+try to replay such a log tree, we will fail since we will attempt to
+remove a snapshot during log replay, which is currently not possible and
+results in the log replay (and mount) to fail. This is the type of failure
+described in commit 1ec9a1ae1e30 ("Btrfs: fix unreplayable log after
+snapshot delete + parent dir fsync").
+
+So fix this by propagating the last_unlink_trans to the parent directory
+before we remove the entry from it.
+
+Fixes: 44f714dae50a ("Btrfs: improve performance on fsync against new inode after rename/unlink")
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/inode.c | 36 ++++++++++++++++++------------------
+ 1 file changed, 18 insertions(+), 18 deletions(-)
+
+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
+index c2c07ad194c0d..cee1a11959c51 100644
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -4617,7 +4617,6 @@ static int btrfs_rmdir(struct inode *dir, struct dentry *dentry)
+ struct btrfs_fs_info *fs_info = BTRFS_I(inode)->root->fs_info;
+ int ret = 0;
+ struct btrfs_trans_handle *trans;
+- u64 last_unlink_trans;
+ struct fscrypt_name fname;
+
+ if (inode->i_size > BTRFS_EMPTY_DIR_SIZE)
+@@ -4643,6 +4642,23 @@ static int btrfs_rmdir(struct inode *dir, struct dentry *dentry)
+ goto out_notrans;
+ }
+
++ /*
++ * Propagate the last_unlink_trans value of the deleted dir to its
++ * parent directory. This is to prevent an unrecoverable log tree in the
++ * case we do something like this:
++ * 1) create dir foo
++ * 2) create snapshot under dir foo
++ * 3) delete the snapshot
++ * 4) rmdir foo
++ * 5) mkdir foo
++ * 6) fsync foo or some file inside foo
++ *
++ * This is because we can't unlink other roots when replaying the dir
++ * deletes for directory foo.
++ */
++ if (BTRFS_I(inode)->last_unlink_trans >= trans->transid)
++ BTRFS_I(dir)->last_unlink_trans = BTRFS_I(inode)->last_unlink_trans;
++
+ if (unlikely(btrfs_ino(BTRFS_I(inode)) == BTRFS_EMPTY_SUBVOL_DIR_OBJECTID)) {
+ ret = btrfs_unlink_subvol(trans, BTRFS_I(dir), dentry);
+ goto out;
+@@ -4652,27 +4668,11 @@ static int btrfs_rmdir(struct inode *dir, struct dentry *dentry)
+ if (ret)
+ goto out;
+
+- last_unlink_trans = BTRFS_I(inode)->last_unlink_trans;
+-
+ /* now the directory is empty */
+ ret = btrfs_unlink_inode(trans, BTRFS_I(dir), BTRFS_I(d_inode(dentry)),
+ &fname.disk_name);
+- if (!ret) {
++ if (!ret)
+ btrfs_i_size_write(BTRFS_I(inode), 0);
+- /*
+- * Propagate the last_unlink_trans value of the deleted dir to
+- * its parent directory. This is to prevent an unrecoverable
+- * log tree in the case we do something like this:
+- * 1) create dir foo
+- * 2) create snapshot under dir foo
+- * 3) delete the snapshot
+- * 4) rmdir foo
+- * 5) mkdir foo
+- * 6) fsync foo or some file inside foo
+- */
+- if (last_unlink_trans >= trans->transid)
+- BTRFS_I(dir)->last_unlink_trans = last_unlink_trans;
+- }
+ out:
+ btrfs_end_transaction(trans);
+ out_notrans:
+--
+2.39.5
+
--- /dev/null
+From fa2a057dfa9867b8269fdf3a074e9921d67d4b1c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Mar 2024 11:40:23 +0800
+Subject: btrfs: rename err to ret in btrfs_rmdir()
+
+From: Anand Jain <anand.jain@oracle.com>
+
+[ Upstream commit c3a1cc8ff48875b050fda5285ac8a9889eb7898d ]
+
+Unify naming of return value to the preferred way.
+
+Signed-off-by: Anand Jain <anand.jain@oracle.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Stable-dep-of: c466e33e729a ("btrfs: propagate last_unlink_trans earlier when doing a rmdir")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/inode.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
+index af1f22b3cff7d..c2c07ad194c0d 100644
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -4615,7 +4615,7 @@ static int btrfs_rmdir(struct inode *dir, struct dentry *dentry)
+ {
+ struct inode *inode = d_inode(dentry);
+ struct btrfs_fs_info *fs_info = BTRFS_I(inode)->root->fs_info;
+- int err = 0;
++ int ret = 0;
+ struct btrfs_trans_handle *trans;
+ u64 last_unlink_trans;
+ struct fscrypt_name fname;
+@@ -4631,33 +4631,33 @@ static int btrfs_rmdir(struct inode *dir, struct dentry *dentry)
+ return btrfs_delete_subvolume(BTRFS_I(dir), dentry);
+ }
+
+- err = fscrypt_setup_filename(dir, &dentry->d_name, 1, &fname);
+- if (err)
+- return err;
++ ret = fscrypt_setup_filename(dir, &dentry->d_name, 1, &fname);
++ if (ret)
++ return ret;
+
+ /* This needs to handle no-key deletions later on */
+
+ trans = __unlink_start_trans(BTRFS_I(dir));
+ if (IS_ERR(trans)) {
+- err = PTR_ERR(trans);
++ ret = PTR_ERR(trans);
+ goto out_notrans;
+ }
+
+ if (unlikely(btrfs_ino(BTRFS_I(inode)) == BTRFS_EMPTY_SUBVOL_DIR_OBJECTID)) {
+- err = btrfs_unlink_subvol(trans, BTRFS_I(dir), dentry);
++ ret = btrfs_unlink_subvol(trans, BTRFS_I(dir), dentry);
+ goto out;
+ }
+
+- err = btrfs_orphan_add(trans, BTRFS_I(inode));
+- if (err)
++ ret = btrfs_orphan_add(trans, BTRFS_I(inode));
++ if (ret)
+ goto out;
+
+ last_unlink_trans = BTRFS_I(inode)->last_unlink_trans;
+
+ /* now the directory is empty */
+- err = btrfs_unlink_inode(trans, BTRFS_I(dir), BTRFS_I(d_inode(dentry)),
++ ret = btrfs_unlink_inode(trans, BTRFS_I(dir), BTRFS_I(d_inode(dentry)),
+ &fname.disk_name);
+- if (!err) {
++ if (!ret) {
+ btrfs_i_size_write(BTRFS_I(inode), 0);
+ /*
+ * Propagate the last_unlink_trans value of the deleted dir to
+@@ -4679,7 +4679,7 @@ static int btrfs_rmdir(struct inode *dir, struct dentry *dentry)
+ btrfs_btree_balance_dirty(fs_info);
+ fscrypt_free_filename(&fname);
+
+- return err;
++ return ret;
+ }
+
+ /*
+--
+2.39.5
+
--- /dev/null
+From 8a7c2920702f5c13fda2a5d0609f5800fe26dda5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 16:37:01 +0100
+Subject: btrfs: use btrfs_record_snapshot_destroy() during rmdir
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 157501b0469969fc1ba53add5049575aadd79d80 ]
+
+We are setting the parent directory's last_unlink_trans directly which
+may result in a concurrent task starting to log the directory not see the
+update and therefore can log the directory after we removed a child
+directory which had a snapshot within instead of falling back to a
+transaction commit. Replaying such a log tree would result in a mount
+failure since we can't currently delete snapshots (and subvolumes) during
+log replay. This is the type of failure described in commit 1ec9a1ae1e30
+("Btrfs: fix unreplayable log after snapshot delete + parent dir fsync").
+
+Fix this by using btrfs_record_snapshot_destroy() which updates the
+last_unlink_trans field while holding the inode's log_mutex lock.
+
+Fixes: 44f714dae50a ("Btrfs: improve performance on fsync against new inode after rename/unlink")
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
+index cee1a11959c51..e8e57abb032d7 100644
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -4657,7 +4657,7 @@ static int btrfs_rmdir(struct inode *dir, struct dentry *dentry)
+ * deletes for directory foo.
+ */
+ if (BTRFS_I(inode)->last_unlink_trans >= trans->transid)
+- BTRFS_I(dir)->last_unlink_trans = BTRFS_I(inode)->last_unlink_trans;
++ btrfs_record_snapshot_destroy(trans, BTRFS_I(dir));
+
+ if (unlikely(btrfs_ino(BTRFS_I(inode)) == BTRFS_EMPTY_SUBVOL_DIR_OBJECTID)) {
+ ret = btrfs_unlink_subvol(trans, BTRFS_I(dir), dentry);
+--
+2.39.5
+
--- /dev/null
+From 5391f4b0b85577bc6de314c794beb9e8c5b8aee4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jun 2025 21:30:03 +0800
+Subject: dpaa2-eth: fix xdp_rxq_info leak
+
+From: Fushuai Wang <wangfushuai@baidu.com>
+
+[ Upstream commit 2def09ead4ad5907988b655d1e1454003aaf8297 ]
+
+The driver registered xdp_rxq_info structures via xdp_rxq_info_reg()
+but failed to properly unregister them in error paths and during
+removal.
+
+Fixes: d678be1dc1ec ("dpaa2-eth: add XDP_REDIRECT support")
+Signed-off-by: Fushuai Wang <wangfushuai@baidu.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Ioana Ciornei <ioana.ciornei@nxp.com>
+Link: https://patch.msgid.link/20250626133003.80136-1-wangfushuai@baidu.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/freescale/dpaa2/dpaa2-eth.c | 26 +++++++++++++++++--
+ 1 file changed, 24 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
+index 40e8818295951..d3c36a6f84b01 100644
+--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
+@@ -3928,6 +3928,7 @@ static int dpaa2_eth_setup_rx_flow(struct dpaa2_eth_priv *priv,
+ MEM_TYPE_PAGE_ORDER0, NULL);
+ if (err) {
+ dev_err(dev, "xdp_rxq_info_reg_mem_model failed\n");
++ xdp_rxq_info_unreg(&fq->channel->xdp_rxq);
+ return err;
+ }
+
+@@ -4421,17 +4422,25 @@ static int dpaa2_eth_bind_dpni(struct dpaa2_eth_priv *priv)
+ return -EINVAL;
+ }
+ if (err)
+- return err;
++ goto out;
+ }
+
+ err = dpni_get_qdid(priv->mc_io, 0, priv->mc_token,
+ DPNI_QUEUE_TX, &priv->tx_qdid);
+ if (err) {
+ dev_err(dev, "dpni_get_qdid() failed\n");
+- return err;
++ goto out;
+ }
+
+ return 0;
++
++out:
++ while (i--) {
++ if (priv->fq[i].type == DPAA2_RX_FQ &&
++ xdp_rxq_info_is_reg(&priv->fq[i].channel->xdp_rxq))
++ xdp_rxq_info_unreg(&priv->fq[i].channel->xdp_rxq);
++ }
++ return err;
+ }
+
+ /* Allocate rings for storing incoming frame descriptors */
+@@ -4813,6 +4822,17 @@ static void dpaa2_eth_del_ch_napi(struct dpaa2_eth_priv *priv)
+ }
+ }
+
++static void dpaa2_eth_free_rx_xdp_rxq(struct dpaa2_eth_priv *priv)
++{
++ int i;
++
++ for (i = 0; i < priv->num_fqs; i++) {
++ if (priv->fq[i].type == DPAA2_RX_FQ &&
++ xdp_rxq_info_is_reg(&priv->fq[i].channel->xdp_rxq))
++ xdp_rxq_info_unreg(&priv->fq[i].channel->xdp_rxq);
++ }
++}
++
+ static int dpaa2_eth_probe(struct fsl_mc_device *dpni_dev)
+ {
+ struct device *dev;
+@@ -5016,6 +5036,7 @@ static int dpaa2_eth_probe(struct fsl_mc_device *dpni_dev)
+ free_percpu(priv->percpu_stats);
+ err_alloc_percpu_stats:
+ dpaa2_eth_del_ch_napi(priv);
++ dpaa2_eth_free_rx_xdp_rxq(priv);
+ err_bind:
+ dpaa2_eth_free_dpbps(priv);
+ err_dpbp_setup:
+@@ -5068,6 +5089,7 @@ static void dpaa2_eth_remove(struct fsl_mc_device *ls_dev)
+ free_percpu(priv->percpu_extras);
+
+ dpaa2_eth_del_ch_napi(priv);
++ dpaa2_eth_free_rx_xdp_rxq(priv);
+ dpaa2_eth_free_dpbps(priv);
+ dpaa2_eth_free_dpio(priv);
+ dpaa2_eth_free_dpni(priv);
+--
+2.39.5
+
--- /dev/null
+From 3cee8860be902f3fd4f5b951d3d015af560a2266 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 14:06:26 +0200
+Subject: drm/exynos: fimd: Guard display clock control with runtime PM calls
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+[ Upstream commit 5d91394f236167ac624b823820faf4aa928b889e ]
+
+Commit c9b1150a68d9 ("drm/atomic-helper: Re-order bridge chain pre-enable
+and post-disable") changed the call sequence to the CRTC enable/disable
+and bridge pre_enable/post_disable methods, so those bridge methods are
+now called when CRTC is not yet enabled.
+
+This causes a lockup observed on Samsung Peach-Pit/Pi Chromebooks. The
+source of this lockup is a call to fimd_dp_clock_enable() function, when
+FIMD device is not yet runtime resumed. It worked before the mentioned
+commit only because the CRTC implemented by the FIMD driver was always
+enabled what guaranteed the FIMD device to be runtime resumed.
+
+This patch adds runtime PM guards to the fimd_dp_clock_enable() function
+to enable its proper operation also when the CRTC implemented by FIMD is
+not yet enabled.
+
+Fixes: 196e059a8a6a ("drm/exynos: convert clock_enable crtc callback to pipeline clock")
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Reviewed-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+Signed-off-by: Inki Dae <inki.dae@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/exynos/exynos_drm_fimd.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/gpu/drm/exynos/exynos_drm_fimd.c b/drivers/gpu/drm/exynos/exynos_drm_fimd.c
+index 5bdc246f5fad0..341e95269836e 100644
+--- a/drivers/gpu/drm/exynos/exynos_drm_fimd.c
++++ b/drivers/gpu/drm/exynos/exynos_drm_fimd.c
+@@ -187,6 +187,7 @@ struct fimd_context {
+ u32 i80ifcon;
+ bool i80_if;
+ bool suspended;
++ bool dp_clk_enabled;
+ wait_queue_head_t wait_vsync_queue;
+ atomic_t wait_vsync_event;
+ atomic_t win_updated;
+@@ -1047,7 +1048,18 @@ static void fimd_dp_clock_enable(struct exynos_drm_clk *clk, bool enable)
+ struct fimd_context *ctx = container_of(clk, struct fimd_context,
+ dp_clk);
+ u32 val = enable ? DP_MIE_CLK_DP_ENABLE : DP_MIE_CLK_DISABLE;
++
++ if (enable == ctx->dp_clk_enabled)
++ return;
++
++ if (enable)
++ pm_runtime_resume_and_get(ctx->dev);
++
++ ctx->dp_clk_enabled = enable;
+ writel(val, ctx->regs + DP_MIE_CLKCON);
++
++ if (!enable)
++ pm_runtime_put(ctx->dev);
+ }
+
+ static const struct exynos_drm_crtc_ops fimd_crtc_ops = {
+--
+2.39.5
+
--- /dev/null
+From 6e6efe9c5bf983f93645c1d986be7263e3c0ab8d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 16:15:03 -0700
+Subject: drm/i915/dp_mst: Work around Thunderbolt sink disconnect after
+ SINK_COUNT_ESI read
+
+From: Xin Li (Intel) <xin@zytor.com>
+
+[ Upstream commit 9cb15478916e849d62a6ec44b10c593b9663328c ]
+
+Due to a problem in the iTBT DP-in adapter's firmware the sink on a TBT
+link may get disconnected inadvertently if the SINK_COUNT_ESI and the
+DP_LINK_SERVICE_IRQ_VECTOR_ESI0 registers are read in a single AUX
+transaction. Work around the issue by reading these registers in
+separate transactions.
+
+The issue affects MTL+ platforms and will be fixed in the DP-in adapter
+firmware, however releasing that firmware fix may take some time and is
+not guaranteed to be available for all systems. Based on this apply the
+workaround on affected platforms.
+
+See HSD #13013007775.
+
+v2: Cc'ing Mika Westerberg.
+
+Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/13760
+Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/14147
+Cc: Mika Westerberg <mika.westerberg@linux.intel.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Imre Deak <imre.deak@intel.com>
+Link: https://lore.kernel.org/r/20250519133417.1469181-1-imre.deak@intel.com
+(cherry picked from commit c3a48363cf1f76147088b1adb518136ac5df86a0)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/common.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
+index 3390814de0a54..cc1bbf70477b0 100644
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -2215,9 +2215,6 @@ EXPORT_PER_CPU_SYMBOL(__stack_chk_guard);
+
+ #endif /* CONFIG_X86_64 */
+
+-/*
+- * Clear all 6 debug registers:
+- */
+ static void initialize_debug_regs(void)
+ {
+ /* Control register first -- to make sure everything is disabled. */
+--
+2.39.5
+
--- /dev/null
+From 074173a919af16c28efb33b481f8ac6c66072603 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Apr 2025 23:11:07 +0800
+Subject: drm/i915/gsc: mei interrupt top half should be in irq disabled
+ context
+
+From: Junxiao Chang <junxiao.chang@intel.com>
+
+[ Upstream commit 8cadce97bf264ed478669c6f32d5603b34608335 ]
+
+MEI GSC interrupt comes from i915. It has top half and bottom half.
+Top half is called from i915 interrupt handler. It should be in
+irq disabled context.
+
+With RT kernel, by default i915 IRQ handler is in threaded IRQ. MEI GSC
+top half might be in threaded IRQ context. generic_handle_irq_safe API
+could be called from either IRQ or process context, it disables local
+IRQ then calls MEI GSC interrupt top half.
+
+This change fixes A380/A770 GPU boot hang issue with RT kernel.
+
+Fixes: 1e3dc1d8622b ("drm/i915/gsc: add gsc as a mei auxiliary device")
+Tested-by: Furong Zhou <furong.zhou@intel.com>
+Suggested-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Acked-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Junxiao Chang <junxiao.chang@intel.com>
+Link: https://lore.kernel.org/r/20250425151108.643649-1-junxiao.chang@intel.com
+Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+(cherry picked from commit dccf655f69002d496a527ba441b4f008aa5bebbf)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gt/intel_gsc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i915/gt/intel_gsc.c b/drivers/gpu/drm/i915/gt/intel_gsc.c
+index bcc3605158dbd..27420ed631d85 100644
+--- a/drivers/gpu/drm/i915/gt/intel_gsc.c
++++ b/drivers/gpu/drm/i915/gt/intel_gsc.c
+@@ -298,7 +298,7 @@ static void gsc_irq_handler(struct intel_gt *gt, unsigned int intf_id)
+ if (gt->gsc.intf[intf_id].irq < 0)
+ return;
+
+- ret = generic_handle_irq(gt->gsc.intf[intf_id].irq);
++ ret = generic_handle_irq_safe(gt->gsc.intf[intf_id].irq);
+ if (ret)
+ drm_err_ratelimited(>->i915->drm, "error handling GSC irq: %d\n", ret);
+ }
+--
+2.39.5
+
--- /dev/null
+From 990fab6722fb4148d0cb9a2bc70406953b9f1bb6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 12:42:13 +0200
+Subject: drm/i915/gt: Fix timeline left held on VMA alloc error
+
+From: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
+
+[ Upstream commit a5aa7bc1fca78c7fa127d9e33aa94a0c9066c1d6 ]
+
+The following error has been reported sporadically by CI when a test
+unbinds the i915 driver on a ring submission platform:
+
+<4> [239.330153] ------------[ cut here ]------------
+<4> [239.330166] i915 0000:00:02.0: [drm] drm_WARN_ON(dev_priv->mm.shrink_count)
+<4> [239.330196] WARNING: CPU: 1 PID: 18570 at drivers/gpu/drm/i915/i915_gem.c:1309 i915_gem_cleanup_early+0x13e/0x150 [i915]
+...
+<4> [239.330640] RIP: 0010:i915_gem_cleanup_early+0x13e/0x150 [i915]
+...
+<4> [239.330942] Call Trace:
+<4> [239.330944] <TASK>
+<4> [239.330949] i915_driver_late_release+0x2b/0xa0 [i915]
+<4> [239.331202] i915_driver_release+0x86/0xa0 [i915]
+<4> [239.331482] devm_drm_dev_init_release+0x61/0x90
+<4> [239.331494] devm_action_release+0x15/0x30
+<4> [239.331504] release_nodes+0x3d/0x120
+<4> [239.331517] devres_release_all+0x96/0xd0
+<4> [239.331533] device_unbind_cleanup+0x12/0x80
+<4> [239.331543] device_release_driver_internal+0x23a/0x280
+<4> [239.331550] ? bus_find_device+0xa5/0xe0
+<4> [239.331563] device_driver_detach+0x14/0x20
+...
+<4> [357.719679] ---[ end trace 0000000000000000 ]---
+
+If the test also unloads the i915 module then that's followed with:
+
+<3> [357.787478] =============================================================================
+<3> [357.788006] BUG i915_vma (Tainted: G U W N ): Objects remaining on __kmem_cache_shutdown()
+<3> [357.788031] -----------------------------------------------------------------------------
+<3> [357.788204] Object 0xffff888109e7f480 @offset=29824
+<3> [357.788670] Allocated in i915_vma_instance+0xee/0xc10 [i915] age=292729 cpu=4 pid=2244
+<4> [357.788994] i915_vma_instance+0xee/0xc10 [i915]
+<4> [357.789290] init_status_page+0x7b/0x420 [i915]
+<4> [357.789532] intel_engines_init+0x1d8/0x980 [i915]
+<4> [357.789772] intel_gt_init+0x175/0x450 [i915]
+<4> [357.790014] i915_gem_init+0x113/0x340 [i915]
+<4> [357.790281] i915_driver_probe+0x847/0xed0 [i915]
+<4> [357.790504] i915_pci_probe+0xe6/0x220 [i915]
+...
+
+Closer analysis of CI results history has revealed a dependency of the
+error on a few IGT tests, namely:
+- igt@api_intel_allocator@fork-simple-stress-signal,
+- igt@api_intel_allocator@two-level-inception-interruptible,
+- igt@gem_linear_blits@interruptible,
+- igt@prime_mmap_coherency@ioctl-errors,
+which invisibly trigger the issue, then exhibited with first driver unbind
+attempt.
+
+All of the above tests perform actions which are actively interrupted with
+signals. Further debugging has allowed to narrow that scope down to
+DRM_IOCTL_I915_GEM_EXECBUFFER2, and ring_context_alloc(), specific to ring
+submission, in particular.
+
+If successful then that function, or its execlists or GuC submission
+equivalent, is supposed to be called only once per GEM context engine,
+followed by raise of a flag that prevents the function from being called
+again. The function is expected to unwind its internal errors itself, so
+it may be safely called once more after it returns an error.
+
+In case of ring submission, the function first gets a reference to the
+engine's legacy timeline and then allocates a VMA. If the VMA allocation
+fails, e.g. when i915_vma_instance() called from inside is interrupted
+with a signal, then ring_context_alloc() fails, leaving the timeline held
+referenced. On next I915_GEM_EXECBUFFER2 IOCTL, another reference to the
+timeline is got, and only that last one is put on successful completion.
+As a consequence, the legacy timeline, with its underlying engine status
+page's VMA object, is still held and not released on driver unbind.
+
+Get the legacy timeline only after successful allocation of the context
+engine's VMA.
+
+v2: Add a note on other submission methods (Krzysztof Karas):
+ Both execlists and GuC submission use lrc_alloc() which seems free
+ from a similar issue.
+
+Fixes: 75d0a7f31eec ("drm/i915: Lift timeline into intel_context")
+Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/12061
+Cc: Chris Wilson <chris.p.wilson@linux.intel.com>
+Cc: Matthew Auld <matthew.auld@intel.com>
+Cc: Krzysztof Karas <krzysztof.karas@intel.com>
+Reviewed-by: Sebastian Brzezinka <sebastian.brzezinka@intel.com>
+Reviewed-by: Krzysztof Niemiec <krzysztof.niemiec@intel.com>
+Signed-off-by: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
+Reviewed-by: Nitin Gote <nitin.r.gote@intel.com>
+Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
+Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
+Link: https://lore.kernel.org/r/20250611104352.1014011-2-janusz.krzysztofik@linux.intel.com
+(cherry picked from commit cc43422b3cc79eacff4c5a8ba0d224688ca9dd4f)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gt/intel_ring_submission.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i915/gt/intel_ring_submission.c b/drivers/gpu/drm/i915/gt/intel_ring_submission.c
+index 92085ffd23de0..4eb78895773f6 100644
+--- a/drivers/gpu/drm/i915/gt/intel_ring_submission.c
++++ b/drivers/gpu/drm/i915/gt/intel_ring_submission.c
+@@ -573,7 +573,6 @@ static int ring_context_alloc(struct intel_context *ce)
+ /* One ringbuffer to rule them all */
+ GEM_BUG_ON(!engine->legacy.ring);
+ ce->ring = engine->legacy.ring;
+- ce->timeline = intel_timeline_get(engine->legacy.timeline);
+
+ GEM_BUG_ON(ce->state);
+ if (engine->context_size) {
+@@ -586,6 +585,8 @@ static int ring_context_alloc(struct intel_context *ce)
+ ce->state = vma;
+ }
+
++ ce->timeline = intel_timeline_get(engine->legacy.timeline);
++
+ return 0;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From e920eb5c13fe93e0e6c763ca279f701b3c93f49e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jun 2025 10:21:58 -0500
+Subject: drm/i915/selftests: Change mock_request() to return error pointers
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit caa7c7a76b78ce41d347003f84975125383e6b59 ]
+
+There was an error pointer vs NULL bug in __igt_breadcrumbs_smoketest().
+The __mock_request_alloc() function implements the
+smoketest->request_alloc() function pointer. It was supposed to return
+error pointers, but it propogates the NULL return from mock_request()
+so in the event of a failure, it would lead to a NULL pointer
+dereference.
+
+To fix this, change the mock_request() function to return error pointers
+and update all the callers to expect that.
+
+Fixes: 52c0fdb25c7c ("drm/i915: Replace global breadcrumbs with per-context interrupt tracking")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Link: https://lore.kernel.org/r/685c1417.050a0220.696f5.5c05@mx.google.com
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+(cherry picked from commit 778fa8ad5f0f23397d045c7ebca048ce8def1c43)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/selftests/i915_request.c | 20 +++++++++----------
+ drivers/gpu/drm/i915/selftests/mock_request.c | 2 +-
+ 2 files changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/selftests/i915_request.c b/drivers/gpu/drm/i915/selftests/i915_request.c
+index a9b79888c1931..c7ce2c570ad1f 100644
+--- a/drivers/gpu/drm/i915/selftests/i915_request.c
++++ b/drivers/gpu/drm/i915/selftests/i915_request.c
+@@ -73,8 +73,8 @@ static int igt_add_request(void *arg)
+ /* Basic preliminary test to create a request and let it loose! */
+
+ request = mock_request(rcs0(i915)->kernel_context, HZ / 10);
+- if (!request)
+- return -ENOMEM;
++ if (IS_ERR(request))
++ return PTR_ERR(request);
+
+ i915_request_add(request);
+
+@@ -91,8 +91,8 @@ static int igt_wait_request(void *arg)
+ /* Submit a request, then wait upon it */
+
+ request = mock_request(rcs0(i915)->kernel_context, T);
+- if (!request)
+- return -ENOMEM;
++ if (IS_ERR(request))
++ return PTR_ERR(request);
+
+ i915_request_get(request);
+
+@@ -160,8 +160,8 @@ static int igt_fence_wait(void *arg)
+ /* Submit a request, treat it as a fence and wait upon it */
+
+ request = mock_request(rcs0(i915)->kernel_context, T);
+- if (!request)
+- return -ENOMEM;
++ if (IS_ERR(request))
++ return PTR_ERR(request);
+
+ if (dma_fence_wait_timeout(&request->fence, false, T) != -ETIME) {
+ pr_err("fence wait success before submit (expected timeout)!\n");
+@@ -219,8 +219,8 @@ static int igt_request_rewind(void *arg)
+ GEM_BUG_ON(IS_ERR(ce));
+ request = mock_request(ce, 2 * HZ);
+ intel_context_put(ce);
+- if (!request) {
+- err = -ENOMEM;
++ if (IS_ERR(request)) {
++ err = PTR_ERR(request);
+ goto err_context_0;
+ }
+
+@@ -237,8 +237,8 @@ static int igt_request_rewind(void *arg)
+ GEM_BUG_ON(IS_ERR(ce));
+ vip = mock_request(ce, 0);
+ intel_context_put(ce);
+- if (!vip) {
+- err = -ENOMEM;
++ if (IS_ERR(vip)) {
++ err = PTR_ERR(vip);
+ goto err_context_1;
+ }
+
+diff --git a/drivers/gpu/drm/i915/selftests/mock_request.c b/drivers/gpu/drm/i915/selftests/mock_request.c
+index 09f747228dff5..1b0cf073e9643 100644
+--- a/drivers/gpu/drm/i915/selftests/mock_request.c
++++ b/drivers/gpu/drm/i915/selftests/mock_request.c
+@@ -35,7 +35,7 @@ mock_request(struct intel_context *ce, unsigned long delay)
+ /* NB the i915->requests slab cache is enlarged to fit mock_request */
+ request = intel_context_create_request(ce);
+ if (IS_ERR(request))
+- return NULL;
++ return request;
+
+ request->mock.delay = delay;
+ return request;
+--
+2.39.5
+
--- /dev/null
+From bc99f254ec9fbd3fd79e492a79fed1c227bdfe81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 May 2025 09:33:32 -0700
+Subject: drm/msm: Fix a fence leak in submit error path
+
+From: Rob Clark <robdclark@chromium.org>
+
+[ Upstream commit 5d319f75ccf7f0927425a7545aa1a22b3eedc189 ]
+
+In error paths, we could unref the submit without calling
+drm_sched_entity_push_job(), so msm_job_free() will never get
+called. Since drm_sched_job_cleanup() will NULL out the
+s_fence, we can use that to detect this case.
+
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Patchwork: https://patchwork.freedesktop.org/patch/653584/
+Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/msm_gem_submit.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
+index 018b39546fc1d..27366304f5d59 100644
+--- a/drivers/gpu/drm/msm/msm_gem_submit.c
++++ b/drivers/gpu/drm/msm/msm_gem_submit.c
+@@ -85,6 +85,15 @@ void __msm_gem_submit_destroy(struct kref *kref)
+ container_of(kref, struct msm_gem_submit, ref);
+ unsigned i;
+
++ /*
++ * In error paths, we could unref the submit without calling
++ * drm_sched_entity_push_job(), so msm_job_free() will never
++ * get called. Since drm_sched_job_cleanup() will NULL out
++ * s_fence, we can use that to detect this case.
++ */
++ if (submit->base.s_fence)
++ drm_sched_job_cleanup(&submit->base);
++
+ if (submit->fence_id) {
+ spin_lock(&submit->queue->idr_lock);
+ idr_remove(&submit->queue->fence_idr, submit->fence_id);
+--
+2.39.5
+
--- /dev/null
+From c9586f6cdd7c7e87691772c4f1293b1b674c8b88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 May 2025 09:33:33 -0700
+Subject: drm/msm: Fix another leak in the submit error path
+
+From: Rob Clark <robdclark@chromium.org>
+
+[ Upstream commit f681c2aa8676a890eacc84044717ab0fd26e058f ]
+
+put_unused_fd() doesn't free the installed file, if we've already done
+fd_install(). So we need to also free the sync_file.
+
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Patchwork: https://patchwork.freedesktop.org/patch/653583/
+Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/msm_gem_submit.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
+index 27366304f5d59..bbe4f1665b603 100644
+--- a/drivers/gpu/drm/msm/msm_gem_submit.c
++++ b/drivers/gpu/drm/msm/msm_gem_submit.c
+@@ -763,6 +763,7 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data,
+ struct msm_ringbuffer *ring;
+ struct msm_submit_post_dep *post_deps = NULL;
+ struct drm_syncobj **syncobjs_to_reset = NULL;
++ struct sync_file *sync_file = NULL;
+ int out_fence_fd = -1;
+ bool has_ww_ticket = false;
+ unsigned i;
+@@ -979,7 +980,7 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data,
+ }
+
+ if (ret == 0 && args->flags & MSM_SUBMIT_FENCE_FD_OUT) {
+- struct sync_file *sync_file = sync_file_create(submit->user_fence);
++ sync_file = sync_file_create(submit->user_fence);
+ if (!sync_file) {
+ ret = -ENOMEM;
+ } else {
+@@ -1012,8 +1013,11 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data,
+ out_unlock:
+ mutex_unlock(&queue->lock);
+ out_post_unlock:
+- if (ret && (out_fence_fd >= 0))
++ if (ret && (out_fence_fd >= 0)) {
+ put_unused_fd(out_fence_fd);
++ if (sync_file)
++ fput(sync_file->file);
++ }
+
+ if (!IS_ERR_OR_NULL(submit)) {
+ msm_gem_submit_put(submit);
+--
+2.39.5
+
--- /dev/null
+From 818342dec5550852fbecbc245ecf674f5b7e52fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Apr 2025 15:47:24 +0200
+Subject: drm/simpledrm: Do not upcast in release helpers
+
+From: Thomas Zimmermann <tzimmermann@suse.de>
+
+[ Upstream commit d231cde7c84359fb18fb268cf6cff03b5bce48ff ]
+
+The res pointer passed to simpledrm_device_release_clocks() and
+simpledrm_device_release_regulators() points to an instance of
+struct simpledrm_device. No need to upcast from struct drm_device.
+The upcast is harmless, as DRM device is the first field in struct
+simpledrm_device.
+
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Fixes: 11e8f5fd223b ("drm: Add simpledrm driver")
+Cc: <stable@vger.kernel.org> # v5.14+
+Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Jocelyn Falempe <jfalempe@redhat.com>
+Link: https://lore.kernel.org/r/20250407134753.985925-2-tzimmermann@suse.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/tiny/simpledrm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/tiny/simpledrm.c b/drivers/gpu/drm/tiny/simpledrm.c
+index 8ea120eb8674b..30676b1073034 100644
+--- a/drivers/gpu/drm/tiny/simpledrm.c
++++ b/drivers/gpu/drm/tiny/simpledrm.c
+@@ -276,7 +276,7 @@ static struct simpledrm_device *simpledrm_device_of_dev(struct drm_device *dev)
+
+ static void simpledrm_device_release_clocks(void *res)
+ {
+- struct simpledrm_device *sdev = simpledrm_device_of_dev(res);
++ struct simpledrm_device *sdev = res;
+ unsigned int i;
+
+ for (i = 0; i < sdev->clk_count; ++i) {
+@@ -374,7 +374,7 @@ static int simpledrm_device_init_clocks(struct simpledrm_device *sdev)
+
+ static void simpledrm_device_release_regulators(void *res)
+ {
+- struct simpledrm_device *sdev = simpledrm_device_of_dev(res);
++ struct simpledrm_device *sdev = res;
+ unsigned int i;
+
+ for (i = 0; i < sdev->regulator_count; ++i) {
+--
+2.39.5
+
--- /dev/null
+From f379d99ac4d7f7de8e99e36e82784f0d0f639364 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 28 Jun 2025 19:42:42 -0300
+Subject: drm/v3d: Disable interrupts before resetting the GPU
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: MaÃra Canal <mcanal@igalia.com>
+
+[ Upstream commit 226862f50a7a88e4e4de9abbf36c64d19acd6fd0 ]
+
+Currently, an interrupt can be triggered during a GPU reset, which can
+lead to GPU hangs and NULL pointer dereference in an interrupt context
+as shown in the following trace:
+
+ [ 314.035040] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000c0
+ [ 314.043822] Mem abort info:
+ [ 314.046606] ESR = 0x0000000096000005
+ [ 314.050347] EC = 0x25: DABT (current EL), IL = 32 bits
+ [ 314.055651] SET = 0, FnV = 0
+ [ 314.058695] EA = 0, S1PTW = 0
+ [ 314.061826] FSC = 0x05: level 1 translation fault
+ [ 314.066694] Data abort info:
+ [ 314.069564] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
+ [ 314.075039] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
+ [ 314.080080] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
+ [ 314.085382] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000102728000
+ [ 314.091814] [00000000000000c0] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
+ [ 314.100511] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
+ [ 314.106770] Modules linked in: v3d i2c_brcmstb vc4 snd_soc_hdmi_codec gpu_sched drm_shmem_helper drm_display_helper cec drm_dma_helper drm_kms_helper drm drm_panel_orientation_quirks snd_soc_core snd_compress snd_pcm_dmaengine snd_pcm snd_timer snd backlight
+ [ 314.129654] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.25+rpt-rpi-v8 #1 Debian 1:6.12.25-1+rpt1
+ [ 314.139388] Hardware name: Raspberry Pi 4 Model B Rev 1.4 (DT)
+ [ 314.145211] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ [ 314.152165] pc : v3d_irq+0xec/0x2e0 [v3d]
+ [ 314.156187] lr : v3d_irq+0xe0/0x2e0 [v3d]
+ [ 314.160198] sp : ffffffc080003ea0
+ [ 314.163502] x29: ffffffc080003ea0 x28: ffffffec1f184980 x27: 021202b000000000
+ [ 314.170633] x26: ffffffec1f17f630 x25: ffffff8101372000 x24: ffffffec1f17d9f0
+ [ 314.177764] x23: 000000000000002a x22: 000000000000002a x21: ffffff8103252000
+ [ 314.184895] x20: 0000000000000001 x19: 00000000deadbeef x18: 0000000000000000
+ [ 314.192026] x17: ffffff94e51d2000 x16: ffffffec1dac3cb0 x15: c306000000000000
+ [ 314.199156] x14: 0000000000000000 x13: b2fc982e03cc5168 x12: 0000000000000001
+ [ 314.206286] x11: ffffff8103f8bcc0 x10: ffffffec1f196868 x9 : ffffffec1dac3874
+ [ 314.213416] x8 : 0000000000000000 x7 : 0000000000042a3a x6 : ffffff810017a180
+ [ 314.220547] x5 : ffffffec1ebad400 x4 : ffffffec1ebad320 x3 : 00000000000bebeb
+ [ 314.227677] x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000
+ [ 314.234807] Call trace:
+ [ 314.237243] v3d_irq+0xec/0x2e0 [v3d]
+ [ 314.240906] __handle_irq_event_percpu+0x58/0x218
+ [ 314.245609] handle_irq_event+0x54/0xb8
+ [ 314.249439] handle_fasteoi_irq+0xac/0x240
+ [ 314.253527] handle_irq_desc+0x48/0x68
+ [ 314.257269] generic_handle_domain_irq+0x24/0x38
+ [ 314.261879] gic_handle_irq+0x48/0xd8
+ [ 314.265533] call_on_irq_stack+0x24/0x58
+ [ 314.269448] do_interrupt_handler+0x88/0x98
+ [ 314.273624] el1_interrupt+0x34/0x68
+ [ 314.277193] el1h_64_irq_handler+0x18/0x28
+ [ 314.281281] el1h_64_irq+0x64/0x68
+ [ 314.284673] default_idle_call+0x3c/0x168
+ [ 314.288675] do_idle+0x1fc/0x230
+ [ 314.291895] cpu_startup_entry+0x3c/0x50
+ [ 314.295810] rest_init+0xe4/0xf0
+ [ 314.299030] start_kernel+0x5e8/0x790
+ [ 314.302684] __primary_switched+0x80/0x90
+ [ 314.306691] Code: 940029eb 360ffc13 f9442ea0 52800001 (f9406017)
+ [ 314.312775] ---[ end trace 0000000000000000 ]---
+ [ 314.317384] Kernel panic - not syncing: Oops: Fatal exception in interrupt
+ [ 314.324249] SMP: stopping secondary CPUs
+ [ 314.328167] Kernel Offset: 0x2b9da00000 from 0xffffffc080000000
+ [ 314.334076] PHYS_OFFSET: 0x0
+ [ 314.336946] CPU features: 0x08,00002013,c0200000,0200421b
+ [ 314.342337] Memory Limit: none
+ [ 314.345382] ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---
+
+Before resetting the GPU, it's necessary to disable all interrupts and
+deal with any interrupt handler still in-flight. Otherwise, the GPU might
+reset with jobs still running, or yet, an interrupt could be handled
+during the reset.
+
+Cc: stable@vger.kernel.org
+Fixes: 57692c94dcbe ("drm/v3d: Introduce a new DRM driver for Broadcom V3D V3.x+")
+Reviewed-by: Juan A. Suarez <jasuarez@igalia.com>
+Reviewed-by: Iago Toral Quiroga <itoral@igalia.com>
+Link: https://lore.kernel.org/r/20250628224243.47599-1-mcanal@igalia.com
+Signed-off-by: MaÃra Canal <mcanal@igalia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/v3d/v3d_drv.h | 8 ++++++++
+ drivers/gpu/drm/v3d/v3d_gem.c | 2 ++
+ drivers/gpu/drm/v3d/v3d_irq.c | 37 +++++++++++++++++++++++++----------
+ 3 files changed, 37 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/gpu/drm/v3d/v3d_drv.h b/drivers/gpu/drm/v3d/v3d_drv.h
+index 7f664a4b2a752..bcef978ba9c4c 100644
+--- a/drivers/gpu/drm/v3d/v3d_drv.h
++++ b/drivers/gpu/drm/v3d/v3d_drv.h
+@@ -62,6 +62,12 @@ struct v3d_perfmon {
+ u64 values[];
+ };
+
++enum v3d_irq {
++ V3D_CORE_IRQ,
++ V3D_HUB_IRQ,
++ V3D_MAX_IRQS,
++};
++
+ struct v3d_dev {
+ struct drm_device drm;
+
+@@ -71,6 +77,8 @@ struct v3d_dev {
+ int ver;
+ bool single_irq_line;
+
++ int irq[V3D_MAX_IRQS];
++
+ void __iomem *hub_regs;
+ void __iomem *core_regs[3];
+ void __iomem *bridge_regs;
+diff --git a/drivers/gpu/drm/v3d/v3d_gem.c b/drivers/gpu/drm/v3d/v3d_gem.c
+index 2e94ce788c714..ef991a9b1c6c4 100644
+--- a/drivers/gpu/drm/v3d/v3d_gem.c
++++ b/drivers/gpu/drm/v3d/v3d_gem.c
+@@ -120,6 +120,8 @@ v3d_reset(struct v3d_dev *v3d)
+ if (false)
+ v3d_idle_axi(v3d, 0);
+
++ v3d_irq_disable(v3d);
++
+ v3d_idle_gca(v3d);
+ v3d_reset_v3d(v3d);
+
+diff --git a/drivers/gpu/drm/v3d/v3d_irq.c b/drivers/gpu/drm/v3d/v3d_irq.c
+index b2d59a1686972..641315dbee8b2 100644
+--- a/drivers/gpu/drm/v3d/v3d_irq.c
++++ b/drivers/gpu/drm/v3d/v3d_irq.c
+@@ -215,7 +215,7 @@ v3d_hub_irq(int irq, void *arg)
+ int
+ v3d_irq_init(struct v3d_dev *v3d)
+ {
+- int irq1, ret, core;
++ int irq, ret, core;
+
+ INIT_WORK(&v3d->overflow_mem_work, v3d_overflow_mem_work);
+
+@@ -226,17 +226,24 @@ v3d_irq_init(struct v3d_dev *v3d)
+ V3D_CORE_WRITE(core, V3D_CTL_INT_CLR, V3D_CORE_IRQS);
+ V3D_WRITE(V3D_HUB_INT_CLR, V3D_HUB_IRQS);
+
+- irq1 = platform_get_irq_optional(v3d_to_pdev(v3d), 1);
+- if (irq1 == -EPROBE_DEFER)
+- return irq1;
+- if (irq1 > 0) {
+- ret = devm_request_irq(v3d->drm.dev, irq1,
++ irq = platform_get_irq_optional(v3d_to_pdev(v3d), 1);
++ if (irq == -EPROBE_DEFER)
++ return irq;
++ if (irq > 0) {
++ v3d->irq[V3D_CORE_IRQ] = irq;
++
++ ret = devm_request_irq(v3d->drm.dev, v3d->irq[V3D_CORE_IRQ],
+ v3d_irq, IRQF_SHARED,
+ "v3d_core0", v3d);
+ if (ret)
+ goto fail;
+- ret = devm_request_irq(v3d->drm.dev,
+- platform_get_irq(v3d_to_pdev(v3d), 0),
++
++ irq = platform_get_irq(v3d_to_pdev(v3d), 0);
++ if (irq < 0)
++ return irq;
++ v3d->irq[V3D_HUB_IRQ] = irq;
++
++ ret = devm_request_irq(v3d->drm.dev, v3d->irq[V3D_HUB_IRQ],
+ v3d_hub_irq, IRQF_SHARED,
+ "v3d_hub", v3d);
+ if (ret)
+@@ -244,8 +251,12 @@ v3d_irq_init(struct v3d_dev *v3d)
+ } else {
+ v3d->single_irq_line = true;
+
+- ret = devm_request_irq(v3d->drm.dev,
+- platform_get_irq(v3d_to_pdev(v3d), 0),
++ irq = platform_get_irq(v3d_to_pdev(v3d), 0);
++ if (irq < 0)
++ return irq;
++ v3d->irq[V3D_CORE_IRQ] = irq;
++
++ ret = devm_request_irq(v3d->drm.dev, v3d->irq[V3D_CORE_IRQ],
+ v3d_irq, IRQF_SHARED,
+ "v3d", v3d);
+ if (ret)
+@@ -286,6 +297,12 @@ v3d_irq_disable(struct v3d_dev *v3d)
+ V3D_CORE_WRITE(core, V3D_CTL_INT_MSK_SET, ~0);
+ V3D_WRITE(V3D_HUB_INT_MSK_SET, ~0);
+
++ /* Finish any interrupt handler still in flight. */
++ for (int i = 0; i < V3D_MAX_IRQS; i++) {
++ if (v3d->irq[i])
++ synchronize_irq(v3d->irq[i]);
++ }
++
+ /* Clear any pending interrupts we might have left. */
+ for (core = 0; core < v3d->cores; core++)
+ V3D_CORE_WRITE(core, V3D_CTL_INT_CLR, V3D_CORE_IRQS);
+--
+2.39.5
+
--- /dev/null
+From 462ac35835b056bdea28db8b4ab19885ae8a2deb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 28 Jun 2025 07:56:05 -0700
+Subject: enic: fix incorrect MTU comparison in enic_change_mtu()
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit aaf2b2480375099c022a82023e1cd772bf1c6a5d ]
+
+The comparison in enic_change_mtu() incorrectly used the current
+netdev->mtu instead of the new new_mtu value when warning about
+an MTU exceeding the port MTU. This could suppress valid warnings
+or issue incorrect ones.
+
+Fix the condition and log to properly reflect the new_mtu.
+
+Fixes: ab123fe071c9 ("enic: handle mtu change for vf properly")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Acked-by: John Daley <johndale@cisco.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250628145612.476096-1-alok.a.tiwari@oracle.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cisco/enic/enic_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/cisco/enic/enic_main.c b/drivers/net/ethernet/cisco/enic/enic_main.c
+index cccf0db2fb4e5..48701032c20c5 100644
+--- a/drivers/net/ethernet/cisco/enic/enic_main.c
++++ b/drivers/net/ethernet/cisco/enic/enic_main.c
+@@ -2057,10 +2057,10 @@ static int enic_change_mtu(struct net_device *netdev, int new_mtu)
+ if (enic_is_dynamic(enic) || enic_is_sriov_vf(enic))
+ return -EOPNOTSUPP;
+
+- if (netdev->mtu > enic->port_mtu)
++ if (new_mtu > enic->port_mtu)
+ netdev_warn(netdev,
+ "interface MTU (%d) set higher than port MTU (%d)\n",
+- netdev->mtu, enic->port_mtu);
++ new_mtu, enic->port_mtu);
+
+ return _enic_change_mtu(netdev, new_mtu);
+ }
+--
+2.39.5
+
--- /dev/null
+From 1dfa4fa134c157fa5736a281b0eb375a31c873a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jun 2025 16:16:24 +0200
+Subject: ethernet: atl1: Add missing DMA mapping error checks and count errors
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit d72411d20905180cdc452c553be17481b24463d2 ]
+
+The `dma_map_XXX()` functions can fail and must be checked using
+`dma_mapping_error()`. This patch adds proper error handling for all
+DMA mapping calls.
+
+In `atl1_alloc_rx_buffers()`, if DMA mapping fails, the buffer is
+deallocated and marked accordingly.
+
+In `atl1_tx_map()`, previously mapped buffers are unmapped and the
+packet is dropped on failure.
+
+If `atl1_xmit_frame()` drops the packet, increment the tx_error counter.
+
+Fixes: f3cc28c79760 ("Add Attansic L1 ethernet driver.")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://patch.msgid.link/20250625141629.114984-2-fourier.thomas@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/atheros/atlx/atl1.c | 79 +++++++++++++++++-------
+ 1 file changed, 57 insertions(+), 22 deletions(-)
+
+diff --git a/drivers/net/ethernet/atheros/atlx/atl1.c b/drivers/net/ethernet/atheros/atlx/atl1.c
+index 02aa6fd8ebc2d..4ed165702d58e 100644
+--- a/drivers/net/ethernet/atheros/atlx/atl1.c
++++ b/drivers/net/ethernet/atheros/atlx/atl1.c
+@@ -1861,14 +1861,21 @@ static u16 atl1_alloc_rx_buffers(struct atl1_adapter *adapter)
+ break;
+ }
+
+- buffer_info->alloced = 1;
+- buffer_info->skb = skb;
+- buffer_info->length = (u16) adapter->rx_buffer_len;
+ page = virt_to_page(skb->data);
+ offset = offset_in_page(skb->data);
+ buffer_info->dma = dma_map_page(&pdev->dev, page, offset,
+ adapter->rx_buffer_len,
+ DMA_FROM_DEVICE);
++ if (dma_mapping_error(&pdev->dev, buffer_info->dma)) {
++ kfree_skb(skb);
++ adapter->soft_stats.rx_dropped++;
++ break;
++ }
++
++ buffer_info->alloced = 1;
++ buffer_info->skb = skb;
++ buffer_info->length = (u16)adapter->rx_buffer_len;
++
+ rfd_desc->buffer_addr = cpu_to_le64(buffer_info->dma);
+ rfd_desc->buf_len = cpu_to_le16(adapter->rx_buffer_len);
+ rfd_desc->coalese = 0;
+@@ -2183,8 +2190,8 @@ static int atl1_tx_csum(struct atl1_adapter *adapter, struct sk_buff *skb,
+ return 0;
+ }
+
+-static void atl1_tx_map(struct atl1_adapter *adapter, struct sk_buff *skb,
+- struct tx_packet_desc *ptpd)
++static bool atl1_tx_map(struct atl1_adapter *adapter, struct sk_buff *skb,
++ struct tx_packet_desc *ptpd)
+ {
+ struct atl1_tpd_ring *tpd_ring = &adapter->tpd_ring;
+ struct atl1_buffer *buffer_info;
+@@ -2194,6 +2201,7 @@ static void atl1_tx_map(struct atl1_adapter *adapter, struct sk_buff *skb,
+ unsigned int nr_frags;
+ unsigned int f;
+ int retval;
++ u16 first_mapped;
+ u16 next_to_use;
+ u16 data_len;
+ u8 hdr_len;
+@@ -2201,6 +2209,7 @@ static void atl1_tx_map(struct atl1_adapter *adapter, struct sk_buff *skb,
+ buf_len -= skb->data_len;
+ nr_frags = skb_shinfo(skb)->nr_frags;
+ next_to_use = atomic_read(&tpd_ring->next_to_use);
++ first_mapped = next_to_use;
+ buffer_info = &tpd_ring->buffer_info[next_to_use];
+ BUG_ON(buffer_info->skb);
+ /* put skb in last TPD */
+@@ -2216,6 +2225,8 @@ static void atl1_tx_map(struct atl1_adapter *adapter, struct sk_buff *skb,
+ buffer_info->dma = dma_map_page(&adapter->pdev->dev, page,
+ offset, hdr_len,
+ DMA_TO_DEVICE);
++ if (dma_mapping_error(&adapter->pdev->dev, buffer_info->dma))
++ goto dma_err;
+
+ if (++next_to_use == tpd_ring->count)
+ next_to_use = 0;
+@@ -2242,6 +2253,9 @@ static void atl1_tx_map(struct atl1_adapter *adapter, struct sk_buff *skb,
+ page, offset,
+ buffer_info->length,
+ DMA_TO_DEVICE);
++ if (dma_mapping_error(&adapter->pdev->dev,
++ buffer_info->dma))
++ goto dma_err;
+ if (++next_to_use == tpd_ring->count)
+ next_to_use = 0;
+ }
+@@ -2254,6 +2268,8 @@ static void atl1_tx_map(struct atl1_adapter *adapter, struct sk_buff *skb,
+ buffer_info->dma = dma_map_page(&adapter->pdev->dev, page,
+ offset, buf_len,
+ DMA_TO_DEVICE);
++ if (dma_mapping_error(&adapter->pdev->dev, buffer_info->dma))
++ goto dma_err;
+ if (++next_to_use == tpd_ring->count)
+ next_to_use = 0;
+ }
+@@ -2277,6 +2293,9 @@ static void atl1_tx_map(struct atl1_adapter *adapter, struct sk_buff *skb,
+ buffer_info->dma = skb_frag_dma_map(&adapter->pdev->dev,
+ frag, i * ATL1_MAX_TX_BUF_LEN,
+ buffer_info->length, DMA_TO_DEVICE);
++ if (dma_mapping_error(&adapter->pdev->dev,
++ buffer_info->dma))
++ goto dma_err;
+
+ if (++next_to_use == tpd_ring->count)
+ next_to_use = 0;
+@@ -2285,6 +2304,22 @@ static void atl1_tx_map(struct atl1_adapter *adapter, struct sk_buff *skb,
+
+ /* last tpd's buffer-info */
+ buffer_info->skb = skb;
++
++ return true;
++
++ dma_err:
++ while (first_mapped != next_to_use) {
++ buffer_info = &tpd_ring->buffer_info[first_mapped];
++ dma_unmap_page(&adapter->pdev->dev,
++ buffer_info->dma,
++ buffer_info->length,
++ DMA_TO_DEVICE);
++ buffer_info->dma = 0;
++
++ if (++first_mapped == tpd_ring->count)
++ first_mapped = 0;
++ }
++ return false;
+ }
+
+ static void atl1_tx_queue(struct atl1_adapter *adapter, u16 count,
+@@ -2355,10 +2390,8 @@ static netdev_tx_t atl1_xmit_frame(struct sk_buff *skb,
+
+ len = skb_headlen(skb);
+
+- if (unlikely(skb->len <= 0)) {
+- dev_kfree_skb_any(skb);
+- return NETDEV_TX_OK;
+- }
++ if (unlikely(skb->len <= 0))
++ goto drop_packet;
+
+ nr_frags = skb_shinfo(skb)->nr_frags;
+ for (f = 0; f < nr_frags; f++) {
+@@ -2371,10 +2404,9 @@ static netdev_tx_t atl1_xmit_frame(struct sk_buff *skb,
+ if (mss) {
+ if (skb->protocol == htons(ETH_P_IP)) {
+ proto_hdr_len = skb_tcp_all_headers(skb);
+- if (unlikely(proto_hdr_len > len)) {
+- dev_kfree_skb_any(skb);
+- return NETDEV_TX_OK;
+- }
++ if (unlikely(proto_hdr_len > len))
++ goto drop_packet;
++
+ /* need additional TPD ? */
+ if (proto_hdr_len != len)
+ count += (len - proto_hdr_len +
+@@ -2406,23 +2438,26 @@ static netdev_tx_t atl1_xmit_frame(struct sk_buff *skb,
+ }
+
+ tso = atl1_tso(adapter, skb, ptpd);
+- if (tso < 0) {
+- dev_kfree_skb_any(skb);
+- return NETDEV_TX_OK;
+- }
++ if (tso < 0)
++ goto drop_packet;
+
+ if (!tso) {
+ ret_val = atl1_tx_csum(adapter, skb, ptpd);
+- if (ret_val < 0) {
+- dev_kfree_skb_any(skb);
+- return NETDEV_TX_OK;
+- }
++ if (ret_val < 0)
++ goto drop_packet;
+ }
+
+- atl1_tx_map(adapter, skb, ptpd);
++ if (!atl1_tx_map(adapter, skb, ptpd))
++ goto drop_packet;
++
+ atl1_tx_queue(adapter, count, ptpd);
+ atl1_update_mailbox(adapter);
+ return NETDEV_TX_OK;
++
++drop_packet:
++ adapter->soft_stats.tx_errors++;
++ dev_kfree_skb_any(skb);
++ return NETDEV_TX_OK;
+ }
+
+ static int atl1_rings_clean(struct napi_struct *napi, int budget)
+--
+2.39.5
+
--- /dev/null
+From be82d9e7d763f72c2717f7441a1ffb0d4c455dfd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 10 Dec 2023 17:20:40 +0800
+Subject: f2fs: add tracepoint for f2fs_vm_page_mkwrite()
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 87f3afd366f7c668be0269efda8a89741a3ea6b3 ]
+
+This patch adds to support tracepoint for f2fs_vm_page_mkwrite(),
+meanwhile it prints more details for trace_f2fs_filemap_fault().
+
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Stable-dep-of: ba8dac350faf ("f2fs: fix to zero post-eof page")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/file.c | 25 ++++++++++++++----------
+ include/trace/events/f2fs.h | 39 ++++++++++++++++++++++++-------------
+ 2 files changed, 41 insertions(+), 23 deletions(-)
+
+diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
+index ae129044c52f4..3e3822115d1e4 100644
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -46,7 +46,7 @@ static vm_fault_t f2fs_filemap_fault(struct vm_fault *vmf)
+ f2fs_update_iostat(F2FS_I_SB(inode), inode,
+ APP_MAPPED_READ_IO, F2FS_BLKSIZE);
+
+- trace_f2fs_filemap_fault(inode, vmf->pgoff, (unsigned long)ret);
++ trace_f2fs_filemap_fault(inode, vmf->pgoff, vmf->vma->vm_flags, ret);
+
+ return ret;
+ }
+@@ -59,26 +59,29 @@ static vm_fault_t f2fs_vm_page_mkwrite(struct vm_fault *vmf)
+ struct dnode_of_data dn;
+ bool need_alloc = true;
+ int err = 0;
++ vm_fault_t ret;
+
+ if (unlikely(IS_IMMUTABLE(inode)))
+ return VM_FAULT_SIGBUS;
+
+- if (is_inode_flag_set(inode, FI_COMPRESS_RELEASED))
+- return VM_FAULT_SIGBUS;
++ if (is_inode_flag_set(inode, FI_COMPRESS_RELEASED)) {
++ err = -EIO;
++ goto out;
++ }
+
+ if (unlikely(f2fs_cp_error(sbi))) {
+ err = -EIO;
+- goto err;
++ goto out;
+ }
+
+ if (!f2fs_is_checkpoint_ready(sbi)) {
+ err = -ENOSPC;
+- goto err;
++ goto out;
+ }
+
+ err = f2fs_convert_inline_inode(inode);
+ if (err)
+- goto err;
++ goto out;
+
+ #ifdef CONFIG_F2FS_FS_COMPRESSION
+ if (f2fs_compressed_file(inode)) {
+@@ -86,7 +89,7 @@ static vm_fault_t f2fs_vm_page_mkwrite(struct vm_fault *vmf)
+
+ if (ret < 0) {
+ err = ret;
+- goto err;
++ goto out;
+ } else if (ret) {
+ need_alloc = false;
+ }
+@@ -153,13 +156,15 @@ static vm_fault_t f2fs_vm_page_mkwrite(struct vm_fault *vmf)
+ f2fs_update_iostat(sbi, inode, APP_MAPPED_IO, F2FS_BLKSIZE);
+ f2fs_update_time(sbi, REQ_TIME);
+
+- trace_f2fs_vm_page_mkwrite(page, DATA);
+ out_sem:
+ filemap_invalidate_unlock_shared(inode->i_mapping);
+
+ sb_end_pagefault(inode->i_sb);
+-err:
+- return vmf_fs_error(err);
++out:
++ ret = vmf_fs_error(err);
++
++ trace_f2fs_vm_page_mkwrite(inode, page->index, vmf->vma->vm_flags, ret);
++ return ret;
+ }
+
+ static const struct vm_operations_struct f2fs_file_vm_ops = {
+diff --git a/include/trace/events/f2fs.h b/include/trace/events/f2fs.h
+index b6ffae01a8cd8..f2ce7f6da8797 100644
+--- a/include/trace/events/f2fs.h
++++ b/include/trace/events/f2fs.h
+@@ -1284,13 +1284,6 @@ DEFINE_EVENT(f2fs__page, f2fs_set_page_dirty,
+ TP_ARGS(page, type)
+ );
+
+-DEFINE_EVENT(f2fs__page, f2fs_vm_page_mkwrite,
+-
+- TP_PROTO(struct page *page, int type),
+-
+- TP_ARGS(page, type)
+-);
+-
+ TRACE_EVENT(f2fs_replace_atomic_write_block,
+
+ TP_PROTO(struct inode *inode, struct inode *cow_inode, pgoff_t index,
+@@ -1328,30 +1321,50 @@ TRACE_EVENT(f2fs_replace_atomic_write_block,
+ __entry->recovery)
+ );
+
+-TRACE_EVENT(f2fs_filemap_fault,
++DECLARE_EVENT_CLASS(f2fs_mmap,
+
+- TP_PROTO(struct inode *inode, pgoff_t index, unsigned long ret),
++ TP_PROTO(struct inode *inode, pgoff_t index,
++ vm_flags_t flags, vm_fault_t ret),
+
+- TP_ARGS(inode, index, ret),
++ TP_ARGS(inode, index, flags, ret),
+
+ TP_STRUCT__entry(
+ __field(dev_t, dev)
+ __field(ino_t, ino)
+ __field(pgoff_t, index)
+- __field(unsigned long, ret)
++ __field(vm_flags_t, flags)
++ __field(vm_fault_t, ret)
+ ),
+
+ TP_fast_assign(
+ __entry->dev = inode->i_sb->s_dev;
+ __entry->ino = inode->i_ino;
+ __entry->index = index;
++ __entry->flags = flags;
+ __entry->ret = ret;
+ ),
+
+- TP_printk("dev = (%d,%d), ino = %lu, index = %lu, ret = %lx",
++ TP_printk("dev = (%d,%d), ino = %lu, index = %lu, flags: %s, ret: %s",
+ show_dev_ino(__entry),
+ (unsigned long)__entry->index,
+- __entry->ret)
++ __print_flags(__entry->flags, "|", FAULT_FLAG_TRACE),
++ __print_flags(__entry->ret, "|", VM_FAULT_RESULT_TRACE))
++);
++
++DEFINE_EVENT(f2fs_mmap, f2fs_filemap_fault,
++
++ TP_PROTO(struct inode *inode, pgoff_t index,
++ vm_flags_t flags, vm_fault_t ret),
++
++ TP_ARGS(inode, index, flags, ret)
++);
++
++DEFINE_EVENT(f2fs_mmap, f2fs_vm_page_mkwrite,
++
++ TP_PROTO(struct inode *inode, pgoff_t index,
++ vm_flags_t flags, vm_fault_t ret),
++
++ TP_ARGS(inode, index, flags, ret)
+ );
+
+ TRACE_EVENT(f2fs_writepages,
+--
+2.39.5
+
--- /dev/null
+From c7bb07440a4da7e0dc63453327756eb0dd4e15c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Aug 2024 22:13:24 +0800
+Subject: f2fs: convert f2fs_vm_page_mkwrite() to use folio
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit aec5755951b74e3bbb5ddee39ac142a788547854 ]
+
+Convert to use folio, so that we can get rid of 'page->index' to
+prepare for removal of 'index' field in structure page [1].
+
+[1] https://lore.kernel.org/all/Zp8fgUSIBGQ1TN0D@casper.infradead.org/
+
+Cc: Matthew Wilcox <willy@infradead.org>
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Stable-dep-of: ba8dac350faf ("f2fs: fix to zero post-eof page")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/file.c | 32 ++++++++++++++++----------------
+ 1 file changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
+index 2eff37cc37601..121849a4dcfda 100644
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -53,7 +53,7 @@ static vm_fault_t f2fs_filemap_fault(struct vm_fault *vmf)
+
+ static vm_fault_t f2fs_vm_page_mkwrite(struct vm_fault *vmf)
+ {
+- struct page *page = vmf->page;
++ struct folio *folio = page_folio(vmf->page);
+ struct inode *inode = file_inode(vmf->vma->vm_file);
+ struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
+ struct dnode_of_data dn;
+@@ -85,7 +85,7 @@ static vm_fault_t f2fs_vm_page_mkwrite(struct vm_fault *vmf)
+
+ #ifdef CONFIG_F2FS_FS_COMPRESSION
+ if (f2fs_compressed_file(inode)) {
+- int ret = f2fs_is_compressed_cluster(inode, page->index);
++ int ret = f2fs_is_compressed_cluster(inode, folio->index);
+
+ if (ret < 0) {
+ err = ret;
+@@ -105,11 +105,11 @@ static vm_fault_t f2fs_vm_page_mkwrite(struct vm_fault *vmf)
+
+ file_update_time(vmf->vma->vm_file);
+ filemap_invalidate_lock_shared(inode->i_mapping);
+- lock_page(page);
+- if (unlikely(page->mapping != inode->i_mapping ||
+- page_offset(page) > i_size_read(inode) ||
+- !PageUptodate(page))) {
+- unlock_page(page);
++ folio_lock(folio);
++ if (unlikely(folio->mapping != inode->i_mapping ||
++ folio_pos(folio) > i_size_read(inode) ||
++ !folio_test_uptodate(folio))) {
++ folio_unlock(folio);
+ err = -EFAULT;
+ goto out_sem;
+ }
+@@ -117,9 +117,9 @@ static vm_fault_t f2fs_vm_page_mkwrite(struct vm_fault *vmf)
+ set_new_dnode(&dn, inode, NULL, NULL, 0);
+ if (need_alloc) {
+ /* block allocation */
+- err = f2fs_get_block_locked(&dn, page->index);
++ err = f2fs_get_block_locked(&dn, folio->index);
+ } else {
+- err = f2fs_get_dnode_of_data(&dn, page->index, LOOKUP_NODE);
++ err = f2fs_get_dnode_of_data(&dn, folio->index, LOOKUP_NODE);
+ f2fs_put_dnode(&dn);
+ if (f2fs_is_pinned_file(inode) &&
+ !__is_valid_data_blkaddr(dn.data_blkaddr))
+@@ -127,11 +127,11 @@ static vm_fault_t f2fs_vm_page_mkwrite(struct vm_fault *vmf)
+ }
+
+ if (err) {
+- unlock_page(page);
++ folio_unlock(folio);
+ goto out_sem;
+ }
+
+- f2fs_wait_on_page_writeback(page, DATA, false, true);
++ f2fs_wait_on_page_writeback(folio_page(folio, 0), DATA, false, true);
+
+ /* wait for GCed page writeback via META_MAPPING */
+ f2fs_wait_on_block_writeback(inode, dn.data_blkaddr);
+@@ -139,18 +139,18 @@ static vm_fault_t f2fs_vm_page_mkwrite(struct vm_fault *vmf)
+ /*
+ * check to see if the page is mapped already (no holes)
+ */
+- if (PageMappedToDisk(page))
++ if (folio_test_mappedtodisk(folio))
+ goto out_sem;
+
+ /* page is wholly or partially inside EOF */
+- if (((loff_t)(page->index + 1) << PAGE_SHIFT) >
++ if (((loff_t)(folio->index + 1) << PAGE_SHIFT) >
+ i_size_read(inode)) {
+ loff_t offset;
+
+ offset = i_size_read(inode) & ~PAGE_MASK;
+- zero_user_segment(page, offset, PAGE_SIZE);
++ folio_zero_segment(folio, offset, folio_size(folio));
+ }
+- set_page_dirty(page);
++ folio_mark_dirty(folio);
+
+ f2fs_update_iostat(sbi, inode, APP_MAPPED_IO, F2FS_BLKSIZE);
+ f2fs_update_time(sbi, REQ_TIME);
+@@ -162,7 +162,7 @@ static vm_fault_t f2fs_vm_page_mkwrite(struct vm_fault *vmf)
+ out:
+ ret = vmf_fs_error(err);
+
+- trace_f2fs_vm_page_mkwrite(inode, page->index, vmf->vma->vm_flags, ret);
++ trace_f2fs_vm_page_mkwrite(inode, folio->index, vmf->vma->vm_flags, ret);
+ return ret;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 34e7bff1a5873036908ca9fe2e6577d8a8356198 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Jun 2025 11:26:33 +0800
+Subject: f2fs: fix to zero post-eof page
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit ba8dac350faf16afc129ce6303ca4feaf083ccb1 ]
+
+fstest reports a f2fs bug:
+
+generic/363 42s ... [failed, exit status 1]- output mismatch (see /share/git/fstests/results//generic/363.out.bad)
+ --- tests/generic/363.out 2025-01-12 21:57:40.271440542 +0800
+ +++ /share/git/fstests/results//generic/363.out.bad 2025-05-19 19:55:58.000000000 +0800
+ @@ -1,2 +1,78 @@
+ QA output created by 363
+ fsx -q -S 0 -e 1 -N 100000
+ +READ BAD DATA: offset = 0xd6fb, size = 0xf044, fname = /mnt/f2fs/junk
+ +OFFSET GOOD BAD RANGE
+ +0x1540d 0x0000 0x2a25 0x0
+ +operation# (mod 256) for the bad data may be 37
+ +0x1540e 0x0000 0x2527 0x1
+ ...
+ (Run 'diff -u /share/git/fstests/tests/generic/363.out /share/git/fstests/results//generic/363.out.bad' to see the entire diff)
+Ran: generic/363
+Failures: generic/363
+Failed 1 of 1 tests
+
+The root cause is user can update post-eof page via mmap [1], however, f2fs
+missed to zero post-eof page in below operations, so, once it expands i_size,
+then it will include dummy data locates previous post-eof page, so during
+below operations, we need to zero post-eof page.
+
+Operations which can include dummy data after previous i_size after expanding
+i_size:
+- write
+- mapwrite [1]
+- truncate
+- fallocate
+ * preallocate
+ * zero_range
+ * insert_range
+ * collapse_range
+- clone_range (doesn’t support in f2fs)
+- copy_range (doesn’t support in f2fs)
+
+[1] https://man7.org/linux/man-pages/man2/mmap.2.html 'BUG section'
+
+Cc: stable@kernel.org
+Signed-off-by: Chao Yu <chao@kernel.org>
+Reviewed-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/file.c | 38 ++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 38 insertions(+)
+
+diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
+index 121849a4dcfda..b73d40f981916 100644
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -36,6 +36,17 @@
+ #include <trace/events/f2fs.h>
+ #include <uapi/linux/f2fs.h>
+
++static void f2fs_zero_post_eof_page(struct inode *inode, loff_t new_size)
++{
++ loff_t old_size = i_size_read(inode);
++
++ if (old_size >= new_size)
++ return;
++
++ /* zero or drop pages only in range of [old_size, new_size] */
++ truncate_pagecache(inode, old_size);
++}
++
+ static vm_fault_t f2fs_filemap_fault(struct vm_fault *vmf)
+ {
+ struct inode *inode = file_inode(vmf->vma->vm_file);
+@@ -103,8 +114,13 @@ static vm_fault_t f2fs_vm_page_mkwrite(struct vm_fault *vmf)
+
+ f2fs_bug_on(sbi, f2fs_has_inline_data(inode));
+
++ filemap_invalidate_lock(inode->i_mapping);
++ f2fs_zero_post_eof_page(inode, (folio->index + 1) << PAGE_SHIFT);
++ filemap_invalidate_unlock(inode->i_mapping);
++
+ file_update_time(vmf->vma->vm_file);
+ filemap_invalidate_lock_shared(inode->i_mapping);
++
+ folio_lock(folio);
+ if (unlikely(folio->mapping != inode->i_mapping ||
+ folio_pos(folio) > i_size_read(inode) ||
+@@ -1051,6 +1067,8 @@ int f2fs_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
+ f2fs_down_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]);
+ filemap_invalidate_lock(inode->i_mapping);
+
++ if (attr->ia_size > old_size)
++ f2fs_zero_post_eof_page(inode, attr->ia_size);
+ truncate_setsize(inode, attr->ia_size);
+
+ if (attr->ia_size <= old_size)
+@@ -1169,6 +1187,10 @@ static int f2fs_punch_hole(struct inode *inode, loff_t offset, loff_t len)
+ if (ret)
+ return ret;
+
++ filemap_invalidate_lock(inode->i_mapping);
++ f2fs_zero_post_eof_page(inode, offset + len);
++ filemap_invalidate_unlock(inode->i_mapping);
++
+ pg_start = ((unsigned long long) offset) >> PAGE_SHIFT;
+ pg_end = ((unsigned long long) offset + len) >> PAGE_SHIFT;
+
+@@ -1453,6 +1475,8 @@ static int f2fs_do_collapse(struct inode *inode, loff_t offset, loff_t len)
+ f2fs_down_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]);
+ filemap_invalidate_lock(inode->i_mapping);
+
++ f2fs_zero_post_eof_page(inode, offset + len);
++
+ f2fs_lock_op(sbi);
+ f2fs_drop_extent_tree(inode);
+ truncate_pagecache(inode, offset);
+@@ -1575,6 +1599,10 @@ static int f2fs_zero_range(struct inode *inode, loff_t offset, loff_t len,
+ if (ret)
+ return ret;
+
++ filemap_invalidate_lock(mapping);
++ f2fs_zero_post_eof_page(inode, offset + len);
++ filemap_invalidate_unlock(mapping);
++
+ pg_start = ((unsigned long long) offset) >> PAGE_SHIFT;
+ pg_end = ((unsigned long long) offset + len) >> PAGE_SHIFT;
+
+@@ -1706,6 +1734,8 @@ static int f2fs_insert_range(struct inode *inode, loff_t offset, loff_t len)
+ /* avoid gc operation during block exchange */
+ f2fs_down_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]);
+ filemap_invalidate_lock(mapping);
++
++ f2fs_zero_post_eof_page(inode, offset + len);
+ truncate_pagecache(inode, offset);
+
+ while (!ret && idx > pg_start) {
+@@ -1761,6 +1791,10 @@ static int f2fs_expand_inode_data(struct inode *inode, loff_t offset,
+ if (err)
+ return err;
+
++ filemap_invalidate_lock(inode->i_mapping);
++ f2fs_zero_post_eof_page(inode, offset + len);
++ filemap_invalidate_unlock(inode->i_mapping);
++
+ f2fs_balance_fs(sbi, true);
+
+ pg_start = ((unsigned long long)offset) >> PAGE_SHIFT;
+@@ -4674,6 +4708,10 @@ static ssize_t f2fs_write_checks(struct kiocb *iocb, struct iov_iter *from)
+ err = file_modified(file);
+ if (err)
+ return err;
++
++ filemap_invalidate_lock(inode->i_mapping);
++ f2fs_zero_post_eof_page(inode, iocb->ki_pos + iov_iter_count(from));
++ filemap_invalidate_unlock(inode->i_mapping);
+ return count;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 1eae457eba13cab4ed4df9570097222cb27b89ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Apr 2024 10:54:10 -0700
+Subject: f2fs: prevent writing without fallocate() for pinned files
+
+From: Daeho Jeong <daehojeong@google.com>
+
+[ Upstream commit 3fdd89b452c2ea5e2195d6e315bef122769584c9 ]
+
+In a case writing without fallocate(), we can't guarantee it's allocated
+in the conventional area for zoned stroage. To make it consistent across
+storage devices, we disallow it regardless of storage device types.
+
+Signed-off-by: Daeho Jeong <daehojeong@google.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Stable-dep-of: ba8dac350faf ("f2fs: fix to zero post-eof page")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/file.c | 25 ++++++++++++++++---------
+ 1 file changed, 16 insertions(+), 9 deletions(-)
+
+diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
+index 3e3822115d1e4..2eff37cc37601 100644
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -57,7 +57,7 @@ static vm_fault_t f2fs_vm_page_mkwrite(struct vm_fault *vmf)
+ struct inode *inode = file_inode(vmf->vma->vm_file);
+ struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
+ struct dnode_of_data dn;
+- bool need_alloc = true;
++ bool need_alloc = !f2fs_is_pinned_file(inode);
+ int err = 0;
+ vm_fault_t ret;
+
+@@ -114,19 +114,18 @@ static vm_fault_t f2fs_vm_page_mkwrite(struct vm_fault *vmf)
+ goto out_sem;
+ }
+
++ set_new_dnode(&dn, inode, NULL, NULL, 0);
+ if (need_alloc) {
+ /* block allocation */
+- set_new_dnode(&dn, inode, NULL, NULL, 0);
+ err = f2fs_get_block_locked(&dn, page->index);
+- }
+-
+-#ifdef CONFIG_F2FS_FS_COMPRESSION
+- if (!need_alloc) {
+- set_new_dnode(&dn, inode, NULL, NULL, 0);
++ } else {
+ err = f2fs_get_dnode_of_data(&dn, page->index, LOOKUP_NODE);
+ f2fs_put_dnode(&dn);
++ if (f2fs_is_pinned_file(inode) &&
++ !__is_valid_data_blkaddr(dn.data_blkaddr))
++ err = -EIO;
+ }
+-#endif
++
+ if (err) {
+ unlock_page(page);
+ goto out_sem;
+@@ -3332,7 +3331,7 @@ static int f2fs_ioc_set_pin_file(struct file *filp, unsigned long arg)
+ goto done;
+ }
+
+- if (f2fs_sb_has_blkzoned(sbi) && F2FS_HAS_BLOCKS(inode)) {
++ if (F2FS_HAS_BLOCKS(inode)) {
+ ret = -EFBIG;
+ goto out;
+ }
+@@ -4919,6 +4918,8 @@ static ssize_t f2fs_file_write_iter(struct kiocb *iocb, struct iov_iter *from)
+ bool dio;
+ bool may_need_sync = true;
+ int preallocated;
++ const loff_t pos = iocb->ki_pos;
++ const ssize_t count = iov_iter_count(from);
+ ssize_t ret;
+
+ if (unlikely(f2fs_cp_error(F2FS_I_SB(inode)))) {
+@@ -4940,6 +4941,12 @@ static ssize_t f2fs_file_write_iter(struct kiocb *iocb, struct iov_iter *from)
+ inode_lock(inode);
+ }
+
++ if (f2fs_is_pinned_file(inode) &&
++ !f2fs_overwrite_io(inode, pos, count)) {
++ ret = -EIO;
++ goto out_unlock;
++ }
++
+ ret = f2fs_write_checks(iocb, from);
+ if (ret <= 0)
+ goto out_unlock;
+--
+2.39.5
+
--- /dev/null
+From 25de079c7b68c24e0dd4e32357ba21f4cd7ca169 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 15:52:54 +0300
+Subject: igc: disable L1.2 PCI-E link substate to avoid performance issue
+
+From: Vitaly Lifshits <vitaly.lifshits@intel.com>
+
+[ Upstream commit 0325143b59c6c6d79987afc57d2456e7a20d13b7 ]
+
+I226 devices advertise support for the PCI-E link L1.2 substate. However,
+due to a hardware limitation, the exit latency from this low-power state
+is longer than the packet buffer can tolerate under high traffic
+conditions. This can lead to packet loss and degraded performance.
+
+To mitigate this, disable the L1.2 substate. The increased power draw
+between L1.1 and L1.2 is insignificant.
+
+Fixes: 43546211738e ("igc: Add new device ID's")
+Link: https://lore.kernel.org/intel-wired-lan/15248b4f-3271-42dd-8e35-02bfc92b25e1@intel.com
+Signed-off-by: Vitaly Lifshits <vitaly.lifshits@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Tested-by: Mor Bar-Gabay <morx.bar.gabay@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index e2f5c4384455e..11543db4c47f0 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -6772,6 +6772,10 @@ static int igc_probe(struct pci_dev *pdev,
+ adapter->port_num = hw->bus.func;
+ adapter->msg_enable = netif_msg_init(debug, DEFAULT_MSG_ENABLE);
+
++ /* Disable ASPM L1.2 on I226 devices to avoid packet loss */
++ if (igc_is_device_id_i226(hw))
++ pci_disable_link_state(pdev, PCIE_LINK_STATE_L1_2);
++
+ err = pci_save_state(pdev);
+ if (err)
+ goto err_ioremap;
+@@ -7144,6 +7148,9 @@ static int __maybe_unused igc_resume(struct device *dev)
+ pci_enable_wake(pdev, PCI_D3hot, 0);
+ pci_enable_wake(pdev, PCI_D3cold, 0);
+
++ if (igc_is_device_id_i226(hw))
++ pci_disable_link_state(pdev, PCIE_LINK_STATE_L1_2);
++
+ if (igc_init_interrupt_scheme(adapter, true)) {
+ netdev_err(netdev, "Unable to allocate memory for queues\n");
+ return -ENOMEM;
+@@ -7259,6 +7266,9 @@ static pci_ers_result_t igc_io_slot_reset(struct pci_dev *pdev)
+ pci_enable_wake(pdev, PCI_D3hot, 0);
+ pci_enable_wake(pdev, PCI_D3cold, 0);
+
++ if (igc_is_device_id_i226(hw))
++ pci_disable_link_state_locked(pdev, PCIE_LINK_STATE_L1_2);
++
+ /* In case of PCI error, adapter loses its HW address
+ * so we should re-assign it here.
+ */
+--
+2.39.5
+
--- /dev/null
+From 6fab0c1c797c2f953cbb92f2eeeec7bbc5820c46 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 14:36:40 -0500
+Subject: lib: test_objagg: Set error message in check_expect_hints_stats()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit e6ed134a4ef592fe1fd0cafac9683813b3c8f3e8 ]
+
+Smatch complains that the error message isn't set in the caller:
+
+ lib/test_objagg.c:923 test_hints_case2()
+ error: uninitialized symbol 'errmsg'.
+
+This static checker warning only showed up after a recent refactoring
+but the bug dates back to when the code was originally added. This
+likely doesn't affect anything in real life.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/r/202506281403.DsuyHFTZ-lkp@intel.com/
+Fixes: 0a020d416d0a ("lib: introduce initial implementation of object aggregation manager")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/8548f423-2e3b-4bb7-b816-5041de2762aa@sabinyo.mountain
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/test_objagg.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/test_objagg.c b/lib/test_objagg.c
+index c0c957c506354..c0f7bb53db8d5 100644
+--- a/lib/test_objagg.c
++++ b/lib/test_objagg.c
+@@ -899,8 +899,10 @@ static int check_expect_hints_stats(struct objagg_hints *objagg_hints,
+ int err;
+
+ stats = objagg_hints_stats_get(objagg_hints);
+- if (IS_ERR(stats))
++ if (IS_ERR(stats)) {
++ *errmsg = "objagg_hints_stats_get() failed.";
+ return PTR_ERR(stats);
++ }
+ err = __check_expect_stats(stats, expect_stats, errmsg);
+ objagg_stats_put(stats);
+ return err;
+--
+2.39.5
+
--- /dev/null
+From c6f83ebb6eb5629dbf55b82bfd0484b599dfdd79 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 13:35:16 +0200
+Subject: mtd: spinand: fix memory leak of ECC engine conf
+
+From: Pablo Martin-Gomez <pmartin-gomez@freebox.fr>
+
+[ Upstream commit 6463cbe08b0cbf9bba8763306764f5fd643023e1 ]
+
+Memory allocated for the ECC engine conf is not released during spinand
+cleanup. Below kmemleak trace is seen for this memory leak:
+
+unreferenced object 0xffffff80064f00e0 (size 8):
+ comm "swapper/0", pid 1, jiffies 4294937458
+ hex dump (first 8 bytes):
+ 00 00 00 00 00 00 00 00 ........
+ backtrace (crc 0):
+ kmemleak_alloc+0x30/0x40
+ __kmalloc_cache_noprof+0x208/0x3c0
+ spinand_ondie_ecc_init_ctx+0x114/0x200
+ nand_ecc_init_ctx+0x70/0xa8
+ nanddev_ecc_engine_init+0xec/0x27c
+ spinand_probe+0xa2c/0x1620
+ spi_mem_probe+0x130/0x21c
+ spi_probe+0xf0/0x170
+ really_probe+0x17c/0x6e8
+ __driver_probe_device+0x17c/0x21c
+ driver_probe_device+0x58/0x180
+ __device_attach_driver+0x15c/0x1f8
+ bus_for_each_drv+0xec/0x150
+ __device_attach+0x188/0x24c
+ device_initial_probe+0x10/0x20
+ bus_probe_device+0x11c/0x160
+
+Fix the leak by calling nanddev_ecc_engine_cleanup() inside
+spinand_cleanup().
+
+Signed-off-by: Pablo Martin-Gomez <pmartin-gomez@freebox.fr>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/spi/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/mtd/nand/spi/core.c b/drivers/mtd/nand/spi/core.c
+index 393ff37f0d23c..cd21bf8f254a7 100644
+--- a/drivers/mtd/nand/spi/core.c
++++ b/drivers/mtd/nand/spi/core.c
+@@ -1316,6 +1316,7 @@ static void spinand_cleanup(struct spinand_device *spinand)
+ {
+ struct nand_device *nand = spinand_to_nand(spinand);
+
++ nanddev_ecc_engine_cleanup(nand);
+ nanddev_cleanup(nand);
+ spinand_manufacturer_cleanup(spinand);
+ kfree(spinand->databuf);
+--
+2.39.5
+
--- /dev/null
+From dd4fc07a918b99581ed5b50b4c6fd4a5892bc2a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 15:27:30 +0200
+Subject: net/sched: Always pass notifications when child class becomes empty
+
+From: Lion Ackermann <nnamrec@gmail.com>
+
+[ Upstream commit 103406b38c600fec1fe375a77b27d87e314aea09 ]
+
+Certain classful qdiscs may invoke their classes' dequeue handler on an
+enqueue operation. This may unexpectedly empty the child qdisc and thus
+make an in-flight class passive via qlen_notify(). Most qdiscs do not
+expect such behaviour at this point in time and may re-activate the
+class eventually anyways which will lead to a use-after-free.
+
+The referenced fix commit attempted to fix this behavior for the HFSC
+case by moving the backlog accounting around, though this turned out to
+be incomplete since the parent's parent may run into the issue too.
+The following reproducer demonstrates this use-after-free:
+
+ tc qdisc add dev lo root handle 1: drr
+ tc filter add dev lo parent 1: basic classid 1:1
+ tc class add dev lo parent 1: classid 1:1 drr
+ tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1
+ tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0
+ tc qdisc add dev lo parent 2:1 handle 3: netem
+ tc qdisc add dev lo parent 3:1 handle 4: blackhole
+
+ echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888
+ tc class delete dev lo classid 1:1
+ echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888
+
+Since backlog accounting issues leading to a use-after-frees on stale
+class pointers is a recurring pattern at this point, this patch takes
+a different approach. Instead of trying to fix the accounting, the patch
+ensures that qdisc_tree_reduce_backlog always calls qlen_notify when
+the child qdisc is empty. This solves the problem because deletion of
+qdiscs always involves a call to qdisc_reset() and / or
+qdisc_purge_queue() which ultimately resets its qlen to 0 thus causing
+the following qdisc_tree_reduce_backlog() to report to the parent. Note
+that this may call qlen_notify on passive classes multiple times. This
+is not a problem after the recent patch series that made all the
+classful qdiscs qlen_notify() handlers idempotent.
+
+Fixes: 3f981138109f ("sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()")
+Signed-off-by: Lion Ackermann <nnamrec@gmail.com>
+Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://patch.msgid.link/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_api.c | 19 +++++--------------
+ 1 file changed, 5 insertions(+), 14 deletions(-)
+
+diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
+index df89790c459ad..282423106f15d 100644
+--- a/net/sched/sch_api.c
++++ b/net/sched/sch_api.c
+@@ -779,15 +779,12 @@ static u32 qdisc_alloc_handle(struct net_device *dev)
+
+ void qdisc_tree_reduce_backlog(struct Qdisc *sch, int n, int len)
+ {
+- bool qdisc_is_offloaded = sch->flags & TCQ_F_OFFLOADED;
+ const struct Qdisc_class_ops *cops;
+ unsigned long cl;
+ u32 parentid;
+ bool notify;
+ int drops;
+
+- if (n == 0 && len == 0)
+- return;
+ drops = max_t(int, n, 0);
+ rcu_read_lock();
+ while ((parentid = sch->parent)) {
+@@ -796,17 +793,8 @@ void qdisc_tree_reduce_backlog(struct Qdisc *sch, int n, int len)
+
+ if (sch->flags & TCQ_F_NOPARENT)
+ break;
+- /* Notify parent qdisc only if child qdisc becomes empty.
+- *
+- * If child was empty even before update then backlog
+- * counter is screwed and we skip notification because
+- * parent class is already passive.
+- *
+- * If the original child was offloaded then it is allowed
+- * to be seem as empty, so the parent is notified anyway.
+- */
+- notify = !sch->q.qlen && !WARN_ON_ONCE(!n &&
+- !qdisc_is_offloaded);
++ /* Notify parent qdisc only if child qdisc becomes empty. */
++ notify = !sch->q.qlen;
+ /* TODO: perform the search on a per txq basis */
+ sch = qdisc_lookup_rcu(qdisc_dev(sch), TC_H_MAJ(parentid));
+ if (sch == NULL) {
+@@ -815,6 +803,9 @@ void qdisc_tree_reduce_backlog(struct Qdisc *sch, int n, int len)
+ }
+ cops = sch->ops->cl_ops;
+ if (notify && cops->qlen_notify) {
++ /* Note that qlen_notify must be idempotent as it may get called
++ * multiple times.
++ */
+ cl = cops->find(sch, parentid);
+ cops->qlen_notify(sch, cl);
+ }
+--
+2.39.5
+
--- /dev/null
+From 83520896ac27ad4f50af3fbda0c8f40c29598617 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 07:13:46 +0200
+Subject: net: usb: lan78xx: fix WARN in __netif_napi_del_locked on disconnect
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+[ Upstream commit 6c7ffc9af7186ed79403a3ffee9a1e5199fc7450 ]
+
+Remove redundant netif_napi_del() call from disconnect path.
+
+A WARN may be triggered in __netif_napi_del_locked() during USB device
+disconnect:
+
+ WARNING: CPU: 0 PID: 11 at net/core/dev.c:7417 __netif_napi_del_locked+0x2b4/0x350
+
+This happens because netif_napi_del() is called in the disconnect path while
+NAPI is still enabled. However, it is not necessary to call netif_napi_del()
+explicitly, since unregister_netdev() will handle NAPI teardown automatically
+and safely. Removing the redundant call avoids triggering the warning.
+
+Full trace:
+ lan78xx 1-1:1.0 enu1: Failed to read register index 0x000000c4. ret = -ENODEV
+ lan78xx 1-1:1.0 enu1: Failed to set MAC down with error -ENODEV
+ lan78xx 1-1:1.0 enu1: Link is Down
+ lan78xx 1-1:1.0 enu1: Failed to read register index 0x00000120. ret = -ENODEV
+ ------------[ cut here ]------------
+ WARNING: CPU: 0 PID: 11 at net/core/dev.c:7417 __netif_napi_del_locked+0x2b4/0x350
+ Modules linked in: flexcan can_dev fuse
+ CPU: 0 UID: 0 PID: 11 Comm: kworker/0:1 Not tainted 6.16.0-rc2-00624-ge926949dab03 #9 PREEMPT
+ Hardware name: SKOV IMX8MP CPU revC - bd500 (DT)
+ Workqueue: usb_hub_wq hub_event
+ pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : __netif_napi_del_locked+0x2b4/0x350
+ lr : __netif_napi_del_locked+0x7c/0x350
+ sp : ffffffc085b673c0
+ x29: ffffffc085b673c0 x28: ffffff800b7f2000 x27: ffffff800b7f20d8
+ x26: ffffff80110bcf58 x25: ffffff80110bd978 x24: 1ffffff0022179eb
+ x23: ffffff80110bc000 x22: ffffff800b7f5000 x21: ffffff80110bc000
+ x20: ffffff80110bcf38 x19: ffffff80110bcf28 x18: dfffffc000000000
+ x17: ffffffc081578940 x16: ffffffc08284cee0 x15: 0000000000000028
+ x14: 0000000000000006 x13: 0000000000040000 x12: ffffffb0022179e8
+ x11: 1ffffff0022179e7 x10: ffffffb0022179e7 x9 : dfffffc000000000
+ x8 : 0000004ffdde8619 x7 : ffffff80110bcf3f x6 : 0000000000000001
+ x5 : ffffff80110bcf38 x4 : ffffff80110bcf38 x3 : 0000000000000000
+ x2 : 0000000000000000 x1 : 1ffffff0022179e7 x0 : 0000000000000000
+ Call trace:
+ __netif_napi_del_locked+0x2b4/0x350 (P)
+ lan78xx_disconnect+0xf4/0x360
+ usb_unbind_interface+0x158/0x718
+ device_remove+0x100/0x150
+ device_release_driver_internal+0x308/0x478
+ device_release_driver+0x1c/0x30
+ bus_remove_device+0x1a8/0x368
+ device_del+0x2e0/0x7b0
+ usb_disable_device+0x244/0x540
+ usb_disconnect+0x220/0x758
+ hub_event+0x105c/0x35e0
+ process_one_work+0x760/0x17b0
+ worker_thread+0x768/0xce8
+ kthread+0x3bc/0x690
+ ret_from_fork+0x10/0x20
+ irq event stamp: 211604
+ hardirqs last enabled at (211603): [<ffffffc0828cc9ec>] _raw_spin_unlock_irqrestore+0x84/0x98
+ hardirqs last disabled at (211604): [<ffffffc0828a9a84>] el1_dbg+0x24/0x80
+ softirqs last enabled at (211296): [<ffffffc080095f10>] handle_softirqs+0x820/0xbc8
+ softirqs last disabled at (210993): [<ffffffc080010288>] __do_softirq+0x18/0x20
+ ---[ end trace 0000000000000000 ]---
+ lan78xx 1-1:1.0 enu1: failed to kill vid 0081/0
+
+Fixes: ec4c7e12396b ("lan78xx: Introduce NAPI polling support")
+Suggested-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: https://patch.msgid.link/20250627051346.276029-1-o.rempel@pengutronix.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/lan78xx.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
+index 09173d7b87ed5..ec5689cd240aa 100644
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -4229,8 +4229,6 @@ static void lan78xx_disconnect(struct usb_interface *intf)
+ if (!dev)
+ return;
+
+- netif_napi_del(&dev->napi);
+-
+ udev = interface_to_usbdev(intf);
+ net = dev->net;
+
+--
+2.39.5
+
--- /dev/null
+From 9f536eeb5dc837674c4e50fab61b13ba0fea536d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jun 2025 14:52:50 -0700
+Subject: nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit e8d6f3ab59468e230f3253efe5cb63efa35289f7 ]
+
+syzbot reported a warning below [1] following a fault injection in
+nfs_fs_proc_net_init(). [0]
+
+When nfs_fs_proc_net_init() fails, /proc/net/rpc/nfs is not removed.
+
+Later, rpc_proc_exit() tries to remove /proc/net/rpc, and the warning
+is logged as the directory is not empty.
+
+Let's handle the error of nfs_fs_proc_net_init() properly.
+
+[0]:
+FAULT_INJECTION: forcing a failure.
+name failslab, interval 1, probability 0, space 0, times 0
+CPU: 1 UID: 0 PID: 6120 Comm: syz.2.27 Not tainted 6.16.0-rc1-syzkaller-00010-g2c4a1f3fe03e #0 PREEMPT(full)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
+Call Trace:
+ <TASK>
+ dump_stack_lvl (lib/dump_stack.c:123)
+ should_fail_ex (lib/fault-inject.c:73 lib/fault-inject.c:174)
+ should_failslab (mm/failslab.c:46)
+ kmem_cache_alloc_noprof (mm/slub.c:4178 mm/slub.c:4204)
+ __proc_create (fs/proc/generic.c:427)
+ proc_create_reg (fs/proc/generic.c:554)
+ proc_create_net_data (fs/proc/proc_net.c:120)
+ nfs_fs_proc_net_init (fs/nfs/client.c:1409)
+ nfs_net_init (fs/nfs/inode.c:2600)
+ ops_init (net/core/net_namespace.c:138)
+ setup_net (net/core/net_namespace.c:443)
+ copy_net_ns (net/core/net_namespace.c:576)
+ create_new_namespaces (kernel/nsproxy.c:110)
+ unshare_nsproxy_namespaces (kernel/nsproxy.c:218 (discriminator 4))
+ ksys_unshare (kernel/fork.c:3123)
+ __x64_sys_unshare (kernel/fork.c:3190)
+ do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
+ entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+ </TASK>
+
+[1]:
+remove_proc_entry: removing non-empty directory 'net/rpc', leaking at least 'nfs'
+ WARNING: CPU: 1 PID: 6120 at fs/proc/generic.c:727 remove_proc_entry+0x45e/0x530 fs/proc/generic.c:727
+Modules linked in:
+CPU: 1 UID: 0 PID: 6120 Comm: syz.2.27 Not tainted 6.16.0-rc1-syzkaller-00010-g2c4a1f3fe03e #0 PREEMPT(full)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
+ RIP: 0010:remove_proc_entry+0x45e/0x530 fs/proc/generic.c:727
+Code: 3c 02 00 0f 85 85 00 00 00 48 8b 93 d8 00 00 00 4d 89 f0 4c 89 e9 48 c7 c6 40 ba a2 8b 48 c7 c7 60 b9 a2 8b e8 33 81 1d ff 90 <0f> 0b 90 90 e9 5f fe ff ff e8 04 69 5e ff 90 48 b8 00 00 00 00 00
+RSP: 0018:ffffc90003637b08 EFLAGS: 00010282
+RAX: 0000000000000000 RBX: ffff88805f534140 RCX: ffffffff817a92c8
+RDX: ffff88807da99e00 RSI: ffffffff817a92d5 RDI: 0000000000000001
+RBP: ffff888033431ac0 R08: 0000000000000001 R09: 0000000000000000
+R10: 0000000000000001 R11: 0000000000000001 R12: ffff888033431a00
+R13: ffff888033431ae4 R14: ffff888033184724 R15: dffffc0000000000
+FS: 0000555580328500(0000) GS:ffff888124a62000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f71733743e0 CR3: 000000007f618000 CR4: 00000000003526f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ sunrpc_exit_net+0x46/0x90 net/sunrpc/sunrpc_syms.c:76
+ ops_exit_list net/core/net_namespace.c:200 [inline]
+ ops_undo_list+0x2eb/0xab0 net/core/net_namespace.c:253
+ setup_net+0x2e1/0x510 net/core/net_namespace.c:457
+ copy_net_ns+0x2a6/0x5f0 net/core/net_namespace.c:574
+ create_new_namespaces+0x3ea/0xa90 kernel/nsproxy.c:110
+ unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:218
+ ksys_unshare+0x45b/0xa40 kernel/fork.c:3121
+ __do_sys_unshare kernel/fork.c:3192 [inline]
+ __se_sys_unshare kernel/fork.c:3190 [inline]
+ __x64_sys_unshare+0x31/0x40 kernel/fork.c:3190
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xcd/0x490 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7fa1a6b8e929
+Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fff3a090368 EFLAGS: 00000246 ORIG_RAX: 0000000000000110
+RAX: ffffffffffffffda RBX: 00007fa1a6db5fa0 RCX: 00007fa1a6b8e929
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000040000080
+RBP: 00007fa1a6c10b39 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007fa1a6db5fa0 R14: 00007fa1a6db5fa0 R15: 0000000000000001
+ </TASK>
+
+Fixes: d47151b79e32 ("nfs: expose /proc/net/sunrpc/nfs in net namespaces")
+Reported-by: syzbot+a4cc4ac22daa4a71b87c@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=a4cc4ac22daa4a71b87c
+Tested-by: syzbot+a4cc4ac22daa4a71b87c@syzkaller.appspotmail.com
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/inode.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
+index 419d98cf9e29f..7e7dd2aab449d 100644
+--- a/fs/nfs/inode.c
++++ b/fs/nfs/inode.c
+@@ -2442,15 +2442,26 @@ EXPORT_SYMBOL_GPL(nfs_net_id);
+ static int nfs_net_init(struct net *net)
+ {
+ struct nfs_net *nn = net_generic(net, nfs_net_id);
++ int err;
+
+ nfs_clients_init(net);
+
+ if (!rpc_proc_register(net, &nn->rpcstats)) {
+- nfs_clients_exit(net);
+- return -ENOMEM;
++ err = -ENOMEM;
++ goto err_proc_rpc;
+ }
+
+- return nfs_fs_proc_net_init(net);
++ err = nfs_fs_proc_net_init(net);
++ if (err)
++ goto err_proc_nfs;
++
++ return 0;
++
++err_proc_nfs:
++ rpc_proc_unregister(net, "nfs");
++err_proc_rpc:
++ nfs_clients_exit(net);
++ return err;
+ }
+
+ static void nfs_net_exit(struct net *net)
+--
+2.39.5
+
--- /dev/null
+From b13efa04f02681f3523dc5028e7edafe3ce7580d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Jun 2025 11:02:21 -0400
+Subject: NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN
+
+From: Benjamin Coddington <bcodding@redhat.com>
+
+[ Upstream commit c01776287414ca43412d1319d2877cbad65444ac ]
+
+We found a few different systems hung up in writeback waiting on the same
+page lock, and one task waiting on the NFS_LAYOUT_DRAIN bit in
+pnfs_update_layout(), however the pnfs_layout_hdr's plh_outstanding count
+was zero.
+
+It seems most likely that this is another race between the waiter and waker
+similar to commit ed0172af5d6f ("SUNRPC: Fix a race to wake a sync task").
+Fix it up by applying the advised barrier.
+
+Fixes: 880265c77ac4 ("pNFS: Avoid a live lock condition in pnfs_update_layout()")
+Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/pnfs.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
+index 73aa5a63afe3f..79d1ffdcbebd3 100644
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -1930,8 +1930,10 @@ static void nfs_layoutget_begin(struct pnfs_layout_hdr *lo)
+ static void nfs_layoutget_end(struct pnfs_layout_hdr *lo)
+ {
+ if (atomic_dec_and_test(&lo->plh_outstanding) &&
+- test_and_clear_bit(NFS_LAYOUT_DRAIN, &lo->plh_flags))
++ test_and_clear_bit(NFS_LAYOUT_DRAIN, &lo->plh_flags)) {
++ smp_mb__after_atomic();
+ wake_up_bit(&lo->plh_flags, NFS_LAYOUT_DRAIN);
++ }
+ }
+
+ static bool pnfs_is_first_layoutget(struct pnfs_layout_hdr *lo)
+--
+2.39.5
+
--- /dev/null
+From 4276cebd6703c6dd54e6f37bc783f452d7538fe0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 10:36:43 +0200
+Subject: nui: Fix dma_mapping_error() check
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 561aa0e22b70a5e7246b73d62a824b3aef3fc375 ]
+
+dma_map_XXX() functions return values DMA_MAPPING_ERROR as error values
+which is often ~0. The error value should be tested with
+dma_mapping_error().
+
+This patch creates a new function in niu_ops to test if the mapping
+failed. The test is fixed in niu_rbr_add_page(), added in
+niu_start_xmit() and the successfully mapped pages are unmaped upon error.
+
+Fixes: ec2deec1f352 ("niu: Fix to check for dma mapping errors.")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sun/niu.c | 31 ++++++++++++++++++++++++++++++-
+ drivers/net/ethernet/sun/niu.h | 4 ++++
+ 2 files changed, 34 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/sun/niu.c b/drivers/net/ethernet/sun/niu.c
+index 011d74087f860..fc6217917fc22 100644
+--- a/drivers/net/ethernet/sun/niu.c
++++ b/drivers/net/ethernet/sun/niu.c
+@@ -3336,7 +3336,7 @@ static int niu_rbr_add_page(struct niu *np, struct rx_ring_info *rp,
+
+ addr = np->ops->map_page(np->device, page, 0,
+ PAGE_SIZE, DMA_FROM_DEVICE);
+- if (!addr) {
++ if (np->ops->mapping_error(np->device, addr)) {
+ __free_page(page);
+ return -ENOMEM;
+ }
+@@ -6672,6 +6672,8 @@ static netdev_tx_t niu_start_xmit(struct sk_buff *skb,
+ len = skb_headlen(skb);
+ mapping = np->ops->map_single(np->device, skb->data,
+ len, DMA_TO_DEVICE);
++ if (np->ops->mapping_error(np->device, mapping))
++ goto out_drop;
+
+ prod = rp->prod;
+
+@@ -6713,6 +6715,8 @@ static netdev_tx_t niu_start_xmit(struct sk_buff *skb,
+ mapping = np->ops->map_page(np->device, skb_frag_page(frag),
+ skb_frag_off(frag), len,
+ DMA_TO_DEVICE);
++ if (np->ops->mapping_error(np->device, mapping))
++ goto out_unmap;
+
+ rp->tx_buffs[prod].skb = NULL;
+ rp->tx_buffs[prod].mapping = mapping;
+@@ -6737,6 +6741,19 @@ static netdev_tx_t niu_start_xmit(struct sk_buff *skb,
+ out:
+ return NETDEV_TX_OK;
+
++out_unmap:
++ while (i--) {
++ const skb_frag_t *frag;
++
++ prod = PREVIOUS_TX(rp, prod);
++ frag = &skb_shinfo(skb)->frags[i];
++ np->ops->unmap_page(np->device, rp->tx_buffs[prod].mapping,
++ skb_frag_size(frag), DMA_TO_DEVICE);
++ }
++
++ np->ops->unmap_single(np->device, rp->tx_buffs[rp->prod].mapping,
++ skb_headlen(skb), DMA_TO_DEVICE);
++
+ out_drop:
+ rp->tx_errors++;
+ kfree_skb(skb);
+@@ -9636,6 +9653,11 @@ static void niu_pci_unmap_single(struct device *dev, u64 dma_address,
+ dma_unmap_single(dev, dma_address, size, direction);
+ }
+
++static int niu_pci_mapping_error(struct device *dev, u64 addr)
++{
++ return dma_mapping_error(dev, addr);
++}
++
+ static const struct niu_ops niu_pci_ops = {
+ .alloc_coherent = niu_pci_alloc_coherent,
+ .free_coherent = niu_pci_free_coherent,
+@@ -9643,6 +9665,7 @@ static const struct niu_ops niu_pci_ops = {
+ .unmap_page = niu_pci_unmap_page,
+ .map_single = niu_pci_map_single,
+ .unmap_single = niu_pci_unmap_single,
++ .mapping_error = niu_pci_mapping_error,
+ };
+
+ static void niu_driver_version(void)
+@@ -10009,6 +10032,11 @@ static void niu_phys_unmap_single(struct device *dev, u64 dma_address,
+ /* Nothing to do. */
+ }
+
++static int niu_phys_mapping_error(struct device *dev, u64 dma_address)
++{
++ return false;
++}
++
+ static const struct niu_ops niu_phys_ops = {
+ .alloc_coherent = niu_phys_alloc_coherent,
+ .free_coherent = niu_phys_free_coherent,
+@@ -10016,6 +10044,7 @@ static const struct niu_ops niu_phys_ops = {
+ .unmap_page = niu_phys_unmap_page,
+ .map_single = niu_phys_map_single,
+ .unmap_single = niu_phys_unmap_single,
++ .mapping_error = niu_phys_mapping_error,
+ };
+
+ static int niu_of_probe(struct platform_device *op)
+diff --git a/drivers/net/ethernet/sun/niu.h b/drivers/net/ethernet/sun/niu.h
+index 04c215f91fc08..0b169c08b0f2d 100644
+--- a/drivers/net/ethernet/sun/niu.h
++++ b/drivers/net/ethernet/sun/niu.h
+@@ -2879,6 +2879,9 @@ struct tx_ring_info {
+ #define NEXT_TX(tp, index) \
+ (((index) + 1) < (tp)->pending ? ((index) + 1) : 0)
+
++#define PREVIOUS_TX(tp, index) \
++ (((index) - 1) >= 0 ? ((index) - 1) : (((tp)->pending) - 1))
++
+ static inline u32 niu_tx_avail(struct tx_ring_info *tp)
+ {
+ return (tp->pending -
+@@ -3140,6 +3143,7 @@ struct niu_ops {
+ enum dma_data_direction direction);
+ void (*unmap_single)(struct device *dev, u64 dma_address,
+ size_t size, enum dma_data_direction direction);
++ int (*mapping_error)(struct device *dev, u64 dma_address);
+ };
+
+ struct niu_link_config {
+--
+2.39.5
+
--- /dev/null
+From 3311b7f31d8bfc8599dd3b7af38bf856c856aa5b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Jun 2025 21:46:08 +0000
+Subject: platform/mellanox: mlxbf-tmfifo: fix vring_desc.len assignment
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: David Thompson <davthompson@nvidia.com>
+
+[ Upstream commit 109f4d29dade8ae5b4ac6325af9d1bc24b4230f8 ]
+
+Fix warnings reported by sparse, related to incorrect type:
+drivers/platform/mellanox/mlxbf-tmfifo.c:284:38: warning: incorrect type in assignment (different base types)
+drivers/platform/mellanox/mlxbf-tmfifo.c:284:38: expected restricted __virtio32 [usertype] len
+drivers/platform/mellanox/mlxbf-tmfifo.c:284:38: got unsigned long
+
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202404040339.S7CUIgf3-lkp@intel.com/
+Fixes: 78034cbece79 ("platform/mellanox: mlxbf-tmfifo: Drop the Rx packet if no more descriptors")
+Signed-off-by: David Thompson <davthompson@nvidia.com>
+Link: https://lore.kernel.org/r/20250613214608.2250130-1-davthompson@nvidia.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/mellanox/mlxbf-tmfifo.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/platform/mellanox/mlxbf-tmfifo.c b/drivers/platform/mellanox/mlxbf-tmfifo.c
+index 39828eb84e0ba..1015948ef43eb 100644
+--- a/drivers/platform/mellanox/mlxbf-tmfifo.c
++++ b/drivers/platform/mellanox/mlxbf-tmfifo.c
+@@ -281,7 +281,8 @@ static int mlxbf_tmfifo_alloc_vrings(struct mlxbf_tmfifo *fifo,
+ vring->align = SMP_CACHE_BYTES;
+ vring->index = i;
+ vring->vdev_id = tm_vdev->vdev.id.device;
+- vring->drop_desc.len = VRING_DROP_DESC_MAX_LEN;
++ vring->drop_desc.len = cpu_to_virtio32(&tm_vdev->vdev,
++ VRING_DROP_DESC_MAX_LEN);
+ dev = &tm_vdev->vdev.dev;
+
+ size = vring_size(vring->num, vring->align);
+--
+2.39.5
+
--- /dev/null
+From 06707d1ef5bc8935bf6cb577574cb3471d8be919 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 03:58:08 -0700
+Subject: platform/mellanox: mlxreg-lc: Fix logic error in power state check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit 644bec18e705ca41d444053407419a21832fcb2f ]
+
+Fixes a logic issue in mlxreg_lc_completion_notify() where the
+intention was to check if MLXREG_LC_POWERED flag is not set before
+powering on the device.
+
+The original code used "state & ~MLXREG_LC_POWERED" to check for the
+absence of the POWERED bit. However this condition evaluates to true
+even when other bits are set, leading to potentially incorrect
+behavior.
+
+Corrected the logic to explicitly check for the absence of
+MLXREG_LC_POWERED using !(state & MLXREG_LC_POWERED).
+
+Fixes: 62f9529b8d5c ("platform/mellanox: mlxreg-lc: Add initial support for Nvidia line card devices")
+Suggested-by: Vadim Pasternak <vadimp@nvidia.com>
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Link: https://lore.kernel.org/r/20250630105812.601014-1-alok.a.tiwari@oracle.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/mellanox/mlxreg-lc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/platform/mellanox/mlxreg-lc.c b/drivers/platform/mellanox/mlxreg-lc.c
+index 8d833836a6d32..74e9d78ff01ef 100644
+--- a/drivers/platform/mellanox/mlxreg-lc.c
++++ b/drivers/platform/mellanox/mlxreg-lc.c
+@@ -688,7 +688,7 @@ static int mlxreg_lc_completion_notify(void *handle, struct i2c_adapter *parent,
+ if (regval & mlxreg_lc->data->mask) {
+ mlxreg_lc->state |= MLXREG_LC_SYNCED;
+ mlxreg_lc_state_update_locked(mlxreg_lc, MLXREG_LC_SYNCED, 1);
+- if (mlxreg_lc->state & ~MLXREG_LC_POWERED) {
++ if (!(mlxreg_lc->state & MLXREG_LC_POWERED)) {
+ err = mlxreg_lc_power_on_off(mlxreg_lc, 1);
+ if (err)
+ goto mlxreg_lc_regmap_power_on_off_fail;
+--
+2.39.5
+
--- /dev/null
+From 67664f2f028046675b43e5bed11aa1c5840b8d5d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 22 Jun 2025 00:29:12 -0700
+Subject: platform/mellanox: nvsw-sn2201: Fix bus number in adapter error
+ message
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit d07143b507c51c04c091081627c5a130e9d3c517 ]
+
+change error log to use correct bus number from main_mux_devs
+instead of cpld_devs.
+
+Fixes: 662f24826f95 ("platform/mellanox: Add support for new SN2201 system")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Reviewed-by: Vadim Pasternak <vadimp@nvidia.com>
+Link: https://lore.kernel.org/r/20250622072921.4111552-2-alok.a.tiwari@oracle.com
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/mellanox/nvsw-sn2201.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/platform/mellanox/nvsw-sn2201.c b/drivers/platform/mellanox/nvsw-sn2201.c
+index 1a7c45aa41bbf..6b4d3c44d7bd9 100644
+--- a/drivers/platform/mellanox/nvsw-sn2201.c
++++ b/drivers/platform/mellanox/nvsw-sn2201.c
+@@ -1088,7 +1088,7 @@ static int nvsw_sn2201_i2c_completion_notify(void *handle, int id)
+ if (!nvsw_sn2201->main_mux_devs->adapter) {
+ err = -ENODEV;
+ dev_err(nvsw_sn2201->dev, "Failed to get adapter for bus %d\n",
+- nvsw_sn2201->cpld_devs->nr);
++ nvsw_sn2201->main_mux_devs->nr);
+ goto i2c_get_adapter_main_fail;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From b322cc3ba9b219e50e34e2dfa883dfa086e89cc7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 15:33:40 -0500
+Subject: platform/x86/amd/pmc: Add PCSpecialist Lafite Pro V 14M to 8042
+ quirks list
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit 9ba75ccad85708c5a484637dccc1fc59295b0a83 ]
+
+Every other s2idle cycle fails to reach hardware sleep when keyboard
+wakeup is enabled. This appears to be an EC bug, but the vendor
+refuses to fix it.
+
+It was confirmed that turning off i8042 wakeup avoids ths issue
+(albeit keyboard wakeup is disabled). Take the lesser of two evils
+and add it to the i8042 quirk list.
+
+Reported-by: Raoul <ein4rth@gmail.com>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220116
+Tested-by: Raoul <ein4rth@gmail.com>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Link: https://lore.kernel.org/r/20250611203341.3733478-1-superm1@kernel.org
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/amd/pmc/pmc-quirks.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/platform/x86/amd/pmc/pmc-quirks.c b/drivers/platform/x86/amd/pmc/pmc-quirks.c
+index 2e3f6fc67c568..7ed12c1d3b34c 100644
+--- a/drivers/platform/x86/amd/pmc/pmc-quirks.c
++++ b/drivers/platform/x86/amd/pmc/pmc-quirks.c
+@@ -224,6 +224,15 @@ static const struct dmi_system_id fwbug_list[] = {
+ DMI_MATCH(DMI_BOARD_NAME, "WUJIE14-GX4HRXL"),
+ }
+ },
++ /* https://bugzilla.kernel.org/show_bug.cgi?id=220116 */
++ {
++ .ident = "PCSpecialist Lafite Pro V 14M",
++ .driver_data = &quirk_spurious_8042,
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "PCSpecialist"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Lafite Pro V 14M"),
++ }
++ },
+ {}
+ };
+
+--
+2.39.5
+
--- /dev/null
+From 2375205c86c019d9deb40714812b285f2d3d97ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Jan 2025 00:05:13 +0100
+Subject: platform/x86: dell-sysman: Directly use firmware_attributes_class
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <linux@weissschuh.net>
+
+[ Upstream commit 501d2f0e78951b9a933bbff73404b25aec45f389 ]
+
+The usage of the lifecycle functions is not necessary anymore.
+
+Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
+Reviewed-by: Armin Wolf <W_Armin@gmx.de>
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Reviewed-by: Mark Pearson <mpearson-lenovo@squebb.ca>
+Tested-by: Mark Pearson <mpearson-lenovo@squebb.ca>
+Link: https://lore.kernel.org/r/20250104-firmware-attributes-simplify-v1-5-949f9709e405@weissschuh.net
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Stable-dep-of: 314e5ad4782d ("platform/x86: dell-wmi-sysman: Fix class device unregistration")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../platform/x86/dell/dell-wmi-sysman/sysman.c | 17 ++++-------------
+ 1 file changed, 4 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c b/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c
+index decb3b997d86a..3c74d5e8350a4 100644
+--- a/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c
++++ b/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c
+@@ -25,7 +25,6 @@ struct wmi_sysman_priv wmi_priv = {
+ /* reset bios to defaults */
+ static const char * const reset_types[] = {"builtinsafe", "lastknowngood", "factory", "custom"};
+ static int reset_option = -1;
+-static const struct class *fw_attr_class;
+
+
+ /**
+@@ -541,15 +540,11 @@ static int __init sysman_init(void)
+ goto err_exit_bios_attr_pass_interface;
+ }
+
+- ret = fw_attributes_class_get(&fw_attr_class);
+- if (ret)
+- goto err_exit_bios_attr_pass_interface;
+-
+- wmi_priv.class_dev = device_create(fw_attr_class, NULL, MKDEV(0, 0),
++ wmi_priv.class_dev = device_create(&firmware_attributes_class, NULL, MKDEV(0, 0),
+ NULL, "%s", DRIVER_NAME);
+ if (IS_ERR(wmi_priv.class_dev)) {
+ ret = PTR_ERR(wmi_priv.class_dev);
+- goto err_unregister_class;
++ goto err_exit_bios_attr_pass_interface;
+ }
+
+ wmi_priv.main_dir_kset = kset_create_and_add("attributes", NULL,
+@@ -602,10 +597,7 @@ static int __init sysman_init(void)
+ release_attributes_data();
+
+ err_destroy_classdev:
+- device_destroy(fw_attr_class, MKDEV(0, 0));
+-
+-err_unregister_class:
+- fw_attributes_class_put();
++ device_destroy(&firmware_attributes_class, MKDEV(0, 0));
+
+ err_exit_bios_attr_pass_interface:
+ exit_bios_attr_pass_interface();
+@@ -619,8 +611,7 @@ static int __init sysman_init(void)
+ static void __exit sysman_exit(void)
+ {
+ release_attributes_data();
+- device_destroy(fw_attr_class, MKDEV(0, 0));
+- fw_attributes_class_put();
++ device_destroy(&firmware_attributes_class, MKDEV(0, 0));
+ exit_bios_attr_set_interface();
+ exit_bios_attr_pass_interface();
+ }
+--
+2.39.5
+
--- /dev/null
+From a480b5a63e7d1853b28dda96a6012a2cf86a3a2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jun 2025 22:17:37 -0300
+Subject: platform/x86: dell-wmi-sysman: Fix class device unregistration
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kurt Borja <kuurtb@gmail.com>
+
+[ Upstream commit 314e5ad4782d08858b3abc325c0487bd2abc23a1 ]
+
+Devices under the firmware_attributes_class do not have unique a dev_t.
+Therefore, device_unregister() should be used instead of
+device_destroy(), since the latter may match any device with a given
+dev_t.
+
+Fixes: e8a60aa7404b ("platform/x86: Introduce support for Systems Management Driver over WMI for Dell Systems")
+Signed-off-by: Kurt Borja <kuurtb@gmail.com>
+Link: https://lore.kernel.org/r/20250625-dest-fix-v1-3-3a0f342312bb@gmail.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/dell/dell-wmi-sysman/sysman.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c b/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c
+index 3c74d5e8350a4..f5402b7146572 100644
+--- a/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c
++++ b/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c
+@@ -597,7 +597,7 @@ static int __init sysman_init(void)
+ release_attributes_data();
+
+ err_destroy_classdev:
+- device_destroy(&firmware_attributes_class, MKDEV(0, 0));
++ device_unregister(wmi_priv.class_dev);
+
+ err_exit_bios_attr_pass_interface:
+ exit_bios_attr_pass_interface();
+@@ -611,7 +611,7 @@ static int __init sysman_init(void)
+ static void __exit sysman_exit(void)
+ {
+ release_attributes_data();
+- device_destroy(&firmware_attributes_class, MKDEV(0, 0));
++ device_unregister(wmi_priv.class_dev);
+ exit_bios_attr_set_interface();
+ exit_bios_attr_pass_interface();
+ }
+--
+2.39.5
+
--- /dev/null
+From b33d5c9aaf1e77ff84cf06e3a276eb584be833e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 00:43:12 -0300
+Subject: platform/x86: dell-wmi-sysman: Fix WMI data block retrieval in sysfs
+ callbacks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kurt Borja <kuurtb@gmail.com>
+
+[ Upstream commit eb617dd25ca176f3fee24f873f0fd60010773d67 ]
+
+After retrieving WMI data blocks in sysfs callbacks, check for the
+validity of them before dereferencing their content.
+
+Reported-by: Jan Graczyk <jangraczyk@yahoo.ca>
+Closes: https://lore.kernel.org/r/CAHk-=wgMiSKXf7SvQrfEnxVtmT=QVQPjJdNjfm3aXS7wc=rzTw@mail.gmail.com/
+Fixes: e8a60aa7404b ("platform/x86: Introduce support for Systems Management Driver over WMI for Dell Systems")
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Reviewed-by: Armin Wolf <W_Armin@gmx.de>
+Signed-off-by: Kurt Borja <kuurtb@gmail.com>
+Link: https://lore.kernel.org/r/20250630-sysman-fix-v2-1-d185674d0a30@gmail.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../platform/x86/dell/dell-wmi-sysman/dell-wmi-sysman.h | 5 +++++
+ .../platform/x86/dell/dell-wmi-sysman/enum-attributes.c | 5 +++--
+ .../platform/x86/dell/dell-wmi-sysman/int-attributes.c | 5 +++--
+ .../x86/dell/dell-wmi-sysman/passobj-attributes.c | 5 +++--
+ .../platform/x86/dell/dell-wmi-sysman/string-attributes.c | 5 +++--
+ drivers/platform/x86/dell/dell-wmi-sysman/sysman.c | 8 ++++----
+ 6 files changed, 21 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/platform/x86/dell/dell-wmi-sysman/dell-wmi-sysman.h b/drivers/platform/x86/dell/dell-wmi-sysman/dell-wmi-sysman.h
+index 3ad33a094588c..817ee7ba07ca0 100644
+--- a/drivers/platform/x86/dell/dell-wmi-sysman/dell-wmi-sysman.h
++++ b/drivers/platform/x86/dell/dell-wmi-sysman/dell-wmi-sysman.h
+@@ -89,6 +89,11 @@ extern struct wmi_sysman_priv wmi_priv;
+
+ enum { ENUM, INT, STR, PO };
+
++#define ENUM_MIN_ELEMENTS 8
++#define INT_MIN_ELEMENTS 9
++#define STR_MIN_ELEMENTS 8
++#define PO_MIN_ELEMENTS 4
++
+ enum {
+ ATTR_NAME,
+ DISPL_NAME_LANG_CODE,
+diff --git a/drivers/platform/x86/dell/dell-wmi-sysman/enum-attributes.c b/drivers/platform/x86/dell/dell-wmi-sysman/enum-attributes.c
+index 8cc212c852668..fc2f58b4cbc6e 100644
+--- a/drivers/platform/x86/dell/dell-wmi-sysman/enum-attributes.c
++++ b/drivers/platform/x86/dell/dell-wmi-sysman/enum-attributes.c
+@@ -23,9 +23,10 @@ static ssize_t current_value_show(struct kobject *kobj, struct kobj_attribute *a
+ obj = get_wmiobj_pointer(instance_id, DELL_WMI_BIOS_ENUMERATION_ATTRIBUTE_GUID);
+ if (!obj)
+ return -EIO;
+- if (obj->package.elements[CURRENT_VAL].type != ACPI_TYPE_STRING) {
++ if (obj->type != ACPI_TYPE_PACKAGE || obj->package.count < ENUM_MIN_ELEMENTS ||
++ obj->package.elements[CURRENT_VAL].type != ACPI_TYPE_STRING) {
+ kfree(obj);
+- return -EINVAL;
++ return -EIO;
+ }
+ ret = snprintf(buf, PAGE_SIZE, "%s\n", obj->package.elements[CURRENT_VAL].string.pointer);
+ kfree(obj);
+diff --git a/drivers/platform/x86/dell/dell-wmi-sysman/int-attributes.c b/drivers/platform/x86/dell/dell-wmi-sysman/int-attributes.c
+index 951e75b538fad..7352480642391 100644
+--- a/drivers/platform/x86/dell/dell-wmi-sysman/int-attributes.c
++++ b/drivers/platform/x86/dell/dell-wmi-sysman/int-attributes.c
+@@ -25,9 +25,10 @@ static ssize_t current_value_show(struct kobject *kobj, struct kobj_attribute *a
+ obj = get_wmiobj_pointer(instance_id, DELL_WMI_BIOS_INTEGER_ATTRIBUTE_GUID);
+ if (!obj)
+ return -EIO;
+- if (obj->package.elements[CURRENT_VAL].type != ACPI_TYPE_INTEGER) {
++ if (obj->type != ACPI_TYPE_PACKAGE || obj->package.count < INT_MIN_ELEMENTS ||
++ obj->package.elements[CURRENT_VAL].type != ACPI_TYPE_INTEGER) {
+ kfree(obj);
+- return -EINVAL;
++ return -EIO;
+ }
+ ret = snprintf(buf, PAGE_SIZE, "%lld\n", obj->package.elements[CURRENT_VAL].integer.value);
+ kfree(obj);
+diff --git a/drivers/platform/x86/dell/dell-wmi-sysman/passobj-attributes.c b/drivers/platform/x86/dell/dell-wmi-sysman/passobj-attributes.c
+index d8f1bf5e58a0f..3167e06d416ed 100644
+--- a/drivers/platform/x86/dell/dell-wmi-sysman/passobj-attributes.c
++++ b/drivers/platform/x86/dell/dell-wmi-sysman/passobj-attributes.c
+@@ -26,9 +26,10 @@ static ssize_t is_enabled_show(struct kobject *kobj, struct kobj_attribute *attr
+ obj = get_wmiobj_pointer(instance_id, DELL_WMI_BIOS_PASSOBJ_ATTRIBUTE_GUID);
+ if (!obj)
+ return -EIO;
+- if (obj->package.elements[IS_PASS_SET].type != ACPI_TYPE_INTEGER) {
++ if (obj->type != ACPI_TYPE_PACKAGE || obj->package.count < PO_MIN_ELEMENTS ||
++ obj->package.elements[IS_PASS_SET].type != ACPI_TYPE_INTEGER) {
+ kfree(obj);
+- return -EINVAL;
++ return -EIO;
+ }
+ ret = snprintf(buf, PAGE_SIZE, "%lld\n", obj->package.elements[IS_PASS_SET].integer.value);
+ kfree(obj);
+diff --git a/drivers/platform/x86/dell/dell-wmi-sysman/string-attributes.c b/drivers/platform/x86/dell/dell-wmi-sysman/string-attributes.c
+index c392f0ecf8b55..0d2c74f8d1aad 100644
+--- a/drivers/platform/x86/dell/dell-wmi-sysman/string-attributes.c
++++ b/drivers/platform/x86/dell/dell-wmi-sysman/string-attributes.c
+@@ -25,9 +25,10 @@ static ssize_t current_value_show(struct kobject *kobj, struct kobj_attribute *a
+ obj = get_wmiobj_pointer(instance_id, DELL_WMI_BIOS_STRING_ATTRIBUTE_GUID);
+ if (!obj)
+ return -EIO;
+- if (obj->package.elements[CURRENT_VAL].type != ACPI_TYPE_STRING) {
++ if (obj->type != ACPI_TYPE_PACKAGE || obj->package.count < STR_MIN_ELEMENTS ||
++ obj->package.elements[CURRENT_VAL].type != ACPI_TYPE_STRING) {
+ kfree(obj);
+- return -EINVAL;
++ return -EIO;
+ }
+ ret = snprintf(buf, PAGE_SIZE, "%s\n", obj->package.elements[CURRENT_VAL].string.pointer);
+ kfree(obj);
+diff --git a/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c b/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c
+index af49dd6b31ade..f567d37a64a33 100644
+--- a/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c
++++ b/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c
+@@ -408,10 +408,10 @@ static int init_bios_attributes(int attr_type, const char *guid)
+ return retval;
+
+ switch (attr_type) {
+- case ENUM: min_elements = 8; break;
+- case INT: min_elements = 9; break;
+- case STR: min_elements = 8; break;
+- case PO: min_elements = 4; break;
++ case ENUM: min_elements = ENUM_MIN_ELEMENTS; break;
++ case INT: min_elements = INT_MIN_ELEMENTS; break;
++ case STR: min_elements = STR_MIN_ELEMENTS; break;
++ case PO: min_elements = PO_MIN_ELEMENTS; break;
+ default:
+ pr_err("Error: Unknown attr_type: %d\n", attr_type);
+ return -EINVAL;
+--
+2.39.5
+
--- /dev/null
+From bb12acd9589648a71c86222a09243266fe04056f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Jan 2025 00:05:09 +0100
+Subject: platform/x86: firmware_attributes_class: Move include
+ linux/device/class.h
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <linux@weissschuh.net>
+
+[ Upstream commit d0eee1be379204d2ee6cdb09bd98b3fd0165b6d3 ]
+
+The header firmware_attributes_class.h uses 'struct class'. It should
+also include the necessary dependency header.
+
+Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
+Reviewed-by: Armin Wolf <W_Armin@gmx.de>
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Reviewed-by: Mark Pearson <mpearson-lenovo@squebb.ca>
+Tested-by: Mark Pearson <mpearson-lenovo@squebb.ca>
+Link: https://lore.kernel.org/r/20250104-firmware-attributes-simplify-v1-1-949f9709e405@weissschuh.net
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Stable-dep-of: 5ff1fbb30597 ("platform/x86: think-lmi: Fix class device unregistration")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/firmware_attributes_class.c | 1 -
+ drivers/platform/x86/firmware_attributes_class.h | 2 ++
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/firmware_attributes_class.c b/drivers/platform/x86/firmware_attributes_class.c
+index dd8240009565d..4801f9f44aaa6 100644
+--- a/drivers/platform/x86/firmware_attributes_class.c
++++ b/drivers/platform/x86/firmware_attributes_class.c
+@@ -3,7 +3,6 @@
+ /* Firmware attributes class helper module */
+
+ #include <linux/mutex.h>
+-#include <linux/device/class.h>
+ #include <linux/module.h>
+ #include "firmware_attributes_class.h"
+
+diff --git a/drivers/platform/x86/firmware_attributes_class.h b/drivers/platform/x86/firmware_attributes_class.h
+index 363c75f1ac1b8..8e0f47cfdf92e 100644
+--- a/drivers/platform/x86/firmware_attributes_class.h
++++ b/drivers/platform/x86/firmware_attributes_class.h
+@@ -5,6 +5,8 @@
+ #ifndef FW_ATTR_CLASS_H
+ #define FW_ATTR_CLASS_H
+
++#include <linux/device/class.h>
++
+ int fw_attributes_class_get(const struct class **fw_attr_class);
+ int fw_attributes_class_put(void);
+
+--
+2.39.5
+
--- /dev/null
+From f523632ed2a71831f75ea16798ceec415fd3bd4c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Jan 2025 00:05:10 +0100
+Subject: platform/x86: firmware_attributes_class: Simplify API
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <linux@weissschuh.net>
+
+[ Upstream commit d03cfde56f5cf9ec50b4cf099a42bf056fc80ddd ]
+
+The module core already guarantees that a module can only be unloaded
+after all other modules using its symbols have been unloaded.
+As it's already the responsibility of the drivers using
+firmware_attributes_class to clean up their devices before unloading,
+the lifetime of the firmware_attributes_class can be bound to the
+lifetime of the module.
+This enables the direct usage of firmware_attributes_class from the
+drivers, without having to go through the lifecycle functions,
+leading to simplifications for both the subsystem and its users.
+
+Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
+Reviewed-by: Armin Wolf <W_Armin@gmx.de>
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Reviewed-by: Mark Pearson <mpearson-lenovo@squebb.ca>
+Tested-by: Mark Pearson <mpearson-lenovo@squebb.ca>
+Link: https://lore.kernel.org/r/20250104-firmware-attributes-simplify-v1-2-949f9709e405@weissschuh.net
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Stable-dep-of: 5ff1fbb30597 ("platform/x86: think-lmi: Fix class device unregistration")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../platform/x86/firmware_attributes_class.c | 40 +++++++------------
+ .../platform/x86/firmware_attributes_class.h | 1 +
+ 2 files changed, 15 insertions(+), 26 deletions(-)
+
+diff --git a/drivers/platform/x86/firmware_attributes_class.c b/drivers/platform/x86/firmware_attributes_class.c
+index 4801f9f44aaa6..e214efc97311e 100644
+--- a/drivers/platform/x86/firmware_attributes_class.c
++++ b/drivers/platform/x86/firmware_attributes_class.c
+@@ -2,47 +2,35 @@
+
+ /* Firmware attributes class helper module */
+
+-#include <linux/mutex.h>
+ #include <linux/module.h>
+ #include "firmware_attributes_class.h"
+
+-static DEFINE_MUTEX(fw_attr_lock);
+-static int fw_attr_inuse;
+-
+-static const struct class firmware_attributes_class = {
++const struct class firmware_attributes_class = {
+ .name = "firmware-attributes",
+ };
++EXPORT_SYMBOL_GPL(firmware_attributes_class);
++
++static __init int fw_attributes_class_init(void)
++{
++ return class_register(&firmware_attributes_class);
++}
++module_init(fw_attributes_class_init);
++
++static __exit void fw_attributes_class_exit(void)
++{
++ class_unregister(&firmware_attributes_class);
++}
++module_exit(fw_attributes_class_exit);
+
+ int fw_attributes_class_get(const struct class **fw_attr_class)
+ {
+- int err;
+-
+- mutex_lock(&fw_attr_lock);
+- if (!fw_attr_inuse) { /*first time class is being used*/
+- err = class_register(&firmware_attributes_class);
+- if (err) {
+- mutex_unlock(&fw_attr_lock);
+- return err;
+- }
+- }
+- fw_attr_inuse++;
+ *fw_attr_class = &firmware_attributes_class;
+- mutex_unlock(&fw_attr_lock);
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(fw_attributes_class_get);
+
+ int fw_attributes_class_put(void)
+ {
+- mutex_lock(&fw_attr_lock);
+- if (!fw_attr_inuse) {
+- mutex_unlock(&fw_attr_lock);
+- return -EINVAL;
+- }
+- fw_attr_inuse--;
+- if (!fw_attr_inuse) /* No more consumers */
+- class_unregister(&firmware_attributes_class);
+- mutex_unlock(&fw_attr_lock);
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(fw_attributes_class_put);
+diff --git a/drivers/platform/x86/firmware_attributes_class.h b/drivers/platform/x86/firmware_attributes_class.h
+index 8e0f47cfdf92e..ef6c3764a8349 100644
+--- a/drivers/platform/x86/firmware_attributes_class.h
++++ b/drivers/platform/x86/firmware_attributes_class.h
+@@ -7,6 +7,7 @@
+
+ #include <linux/device/class.h>
+
++extern const struct class firmware_attributes_class;
+ int fw_attributes_class_get(const struct class **fw_attr_class);
+ int fw_attributes_class_put(void);
+
+--
+2.39.5
+
--- /dev/null
+From 0429099abcf958ad04ee0353804ef9d13b4b985e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Jan 2025 00:05:12 +0100
+Subject: platform/x86: hp-bioscfg: Directly use firmware_attributes_class
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <linux@weissschuh.net>
+
+[ Upstream commit 63f8c058036057644f095123a35895cd11639b88 ]
+
+The usage of the lifecycle functions is not necessary anymore.
+
+Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
+Reviewed-by: Armin Wolf <W_Armin@gmx.de>
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Reviewed-by: Mark Pearson <mpearson-lenovo@squebb.ca>
+Tested-by: Mark Pearson <mpearson-lenovo@squebb.ca>
+Link: https://lore.kernel.org/r/20250104-firmware-attributes-simplify-v1-4-949f9709e405@weissschuh.net
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Stable-dep-of: 11cba4793b95 ("platform/x86: hp-bioscfg: Fix class device unregistration")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/hp/hp-bioscfg/bioscfg.c | 14 +++-----------
+ 1 file changed, 3 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c b/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c
+index b8bac35ebd42b..049851e469f60 100644
+--- a/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c
++++ b/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c
+@@ -24,8 +24,6 @@ struct bioscfg_priv bioscfg_drv = {
+ .mutex = __MUTEX_INITIALIZER(bioscfg_drv.mutex),
+ };
+
+-static const struct class *fw_attr_class;
+-
+ ssize_t display_name_language_code_show(struct kobject *kobj,
+ struct kobj_attribute *attr,
+ char *buf)
+@@ -974,11 +972,7 @@ static int __init hp_init(void)
+ if (ret)
+ return ret;
+
+- ret = fw_attributes_class_get(&fw_attr_class);
+- if (ret)
+- goto err_unregister_class;
+-
+- bioscfg_drv.class_dev = device_create(fw_attr_class, NULL, MKDEV(0, 0),
++ bioscfg_drv.class_dev = device_create(&firmware_attributes_class, NULL, MKDEV(0, 0),
+ NULL, "%s", DRIVER_NAME);
+ if (IS_ERR(bioscfg_drv.class_dev)) {
+ ret = PTR_ERR(bioscfg_drv.class_dev);
+@@ -1045,10 +1039,9 @@ static int __init hp_init(void)
+ release_attributes_data();
+
+ err_destroy_classdev:
+- device_destroy(fw_attr_class, MKDEV(0, 0));
++ device_destroy(&firmware_attributes_class, MKDEV(0, 0));
+
+ err_unregister_class:
+- fw_attributes_class_put();
+ hp_exit_attr_set_interface();
+
+ return ret;
+@@ -1057,9 +1050,8 @@ static int __init hp_init(void)
+ static void __exit hp_exit(void)
+ {
+ release_attributes_data();
+- device_destroy(fw_attr_class, MKDEV(0, 0));
++ device_destroy(&firmware_attributes_class, MKDEV(0, 0));
+
+- fw_attributes_class_put();
+ hp_exit_attr_set_interface();
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 010c720e12361ceade503a9fdcc26b33903faeb7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jun 2025 22:17:35 -0300
+Subject: platform/x86: hp-bioscfg: Fix class device unregistration
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kurt Borja <kuurtb@gmail.com>
+
+[ Upstream commit 11cba4793b95df3bc192149a6eb044f69aa0b99e ]
+
+Devices under the firmware_attributes_class do not have unique a dev_t.
+Therefore, device_unregister() should be used instead of
+device_destroy(), since the latter may match any device with a given
+dev_t.
+
+Fixes: a34fc329b189 ("platform/x86: hp-bioscfg: bioscfg")
+Signed-off-by: Kurt Borja <kuurtb@gmail.com>
+Link: https://lore.kernel.org/r/20250625-dest-fix-v1-1-3a0f342312bb@gmail.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/hp/hp-bioscfg/bioscfg.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c b/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c
+index 049851e469f60..b62b158cffd85 100644
+--- a/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c
++++ b/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c
+@@ -1039,7 +1039,7 @@ static int __init hp_init(void)
+ release_attributes_data();
+
+ err_destroy_classdev:
+- device_destroy(&firmware_attributes_class, MKDEV(0, 0));
++ device_unregister(bioscfg_drv.class_dev);
+
+ err_unregister_class:
+ hp_exit_attr_set_interface();
+@@ -1050,7 +1050,7 @@ static int __init hp_init(void)
+ static void __exit hp_exit(void)
+ {
+ release_attributes_data();
+- device_destroy(&firmware_attributes_class, MKDEV(0, 0));
++ device_unregister(bioscfg_drv.class_dev);
+
+ hp_exit_attr_set_interface();
+ }
+--
+2.39.5
+
--- /dev/null
+From a405d35d67c6e1a93f794a28ddbeb79f89d1eeee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Mar 2024 15:55:04 -0300
+Subject: platform/x86: make fw_attr_class constant
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ricardo B. Marliere <ricardo@marliere.net>
+
+[ Upstream commit 5878e5b760b6fcf7bc00dec085ba2b439a929871 ]
+
+Since commit 43a7206b0963 ("driver core: class: make class_register() take
+a const *"), the driver core allows for struct class to be in read-only
+memory, so move the fw_attr_class structure to be declared at build time
+placing it into read-only memory, instead of having to be dynamically
+allocated at boot time.
+
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Suggested-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: "Ricardo B. Marliere" <ricardo@marliere.net>
+Link: https://lore.kernel.org/r/20240305-class_cleanup-platform-v1-1-9085c97b9355@marliere.net
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Stable-dep-of: 5ff1fbb30597 ("platform/x86: think-lmi: Fix class device unregistration")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/dell/dell-wmi-sysman/sysman.c | 2 +-
+ drivers/platform/x86/firmware_attributes_class.c | 4 ++--
+ drivers/platform/x86/firmware_attributes_class.h | 2 +-
+ drivers/platform/x86/hp/hp-bioscfg/bioscfg.c | 2 +-
+ drivers/platform/x86/think-lmi.c | 2 +-
+ 5 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c b/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c
+index f567d37a64a33..decb3b997d86a 100644
+--- a/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c
++++ b/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c
+@@ -25,7 +25,7 @@ struct wmi_sysman_priv wmi_priv = {
+ /* reset bios to defaults */
+ static const char * const reset_types[] = {"builtinsafe", "lastknowngood", "factory", "custom"};
+ static int reset_option = -1;
+-static struct class *fw_attr_class;
++static const struct class *fw_attr_class;
+
+
+ /**
+diff --git a/drivers/platform/x86/firmware_attributes_class.c b/drivers/platform/x86/firmware_attributes_class.c
+index fafe8eaf6e3e4..dd8240009565d 100644
+--- a/drivers/platform/x86/firmware_attributes_class.c
++++ b/drivers/platform/x86/firmware_attributes_class.c
+@@ -10,11 +10,11 @@
+ static DEFINE_MUTEX(fw_attr_lock);
+ static int fw_attr_inuse;
+
+-static struct class firmware_attributes_class = {
++static const struct class firmware_attributes_class = {
+ .name = "firmware-attributes",
+ };
+
+-int fw_attributes_class_get(struct class **fw_attr_class)
++int fw_attributes_class_get(const struct class **fw_attr_class)
+ {
+ int err;
+
+diff --git a/drivers/platform/x86/firmware_attributes_class.h b/drivers/platform/x86/firmware_attributes_class.h
+index 486485cb1f54e..363c75f1ac1b8 100644
+--- a/drivers/platform/x86/firmware_attributes_class.h
++++ b/drivers/platform/x86/firmware_attributes_class.h
+@@ -5,7 +5,7 @@
+ #ifndef FW_ATTR_CLASS_H
+ #define FW_ATTR_CLASS_H
+
+-int fw_attributes_class_get(struct class **fw_attr_class);
++int fw_attributes_class_get(const struct class **fw_attr_class);
+ int fw_attributes_class_put(void);
+
+ #endif /* FW_ATTR_CLASS_H */
+diff --git a/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c b/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c
+index 6ddca857cc4d1..b8bac35ebd42b 100644
+--- a/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c
++++ b/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c
+@@ -24,7 +24,7 @@ struct bioscfg_priv bioscfg_drv = {
+ .mutex = __MUTEX_INITIALIZER(bioscfg_drv.mutex),
+ };
+
+-static struct class *fw_attr_class;
++static const struct class *fw_attr_class;
+
+ ssize_t display_name_language_code_show(struct kobject *kobj,
+ struct kobj_attribute *attr,
+diff --git a/drivers/platform/x86/think-lmi.c b/drivers/platform/x86/think-lmi.c
+index 2396decdb3cb3..3a496c615ce6b 100644
+--- a/drivers/platform/x86/think-lmi.c
++++ b/drivers/platform/x86/think-lmi.c
+@@ -195,7 +195,7 @@ static const char * const level_options[] = {
+ [TLMI_LEVEL_MASTER] = "master",
+ };
+ static struct think_lmi tlmi_priv;
+-static struct class *fw_attr_class;
++static const struct class *fw_attr_class;
+ static DEFINE_MUTEX(tlmi_mutex);
+
+ /* ------ Utility functions ------------*/
+--
+2.39.5
+
--- /dev/null
+From fbd6cae3dabfad05d078452ca56eda8c495a0dcd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Jan 2025 00:05:11 +0100
+Subject: platform/x86: think-lmi: Directly use firmware_attributes_class
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <linux@weissschuh.net>
+
+[ Upstream commit 55922403807a12d4f96c67ba01a920edfb6f2633 ]
+
+The usage of the lifecycle functions is not necessary anymore.
+
+Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
+Reviewed-by: Armin Wolf <W_Armin@gmx.de>
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Reviewed-by: Mark Pearson <mpearson-lenovo@squebb.ca>
+Tested-by: Mark Pearson <mpearson-lenovo@squebb.ca>
+Link: https://lore.kernel.org/r/20250104-firmware-attributes-simplify-v1-3-949f9709e405@weissschuh.net
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Stable-dep-of: 5ff1fbb30597 ("platform/x86: think-lmi: Fix class device unregistration")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/think-lmi.c | 13 +++----------
+ 1 file changed, 3 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/platform/x86/think-lmi.c b/drivers/platform/x86/think-lmi.c
+index 3a496c615ce6b..f0efa60cf8ee2 100644
+--- a/drivers/platform/x86/think-lmi.c
++++ b/drivers/platform/x86/think-lmi.c
+@@ -195,7 +195,6 @@ static const char * const level_options[] = {
+ [TLMI_LEVEL_MASTER] = "master",
+ };
+ static struct think_lmi tlmi_priv;
+-static const struct class *fw_attr_class;
+ static DEFINE_MUTEX(tlmi_mutex);
+
+ /* ------ Utility functions ------------*/
+@@ -1272,11 +1271,7 @@ static int tlmi_sysfs_init(void)
+ {
+ int i, ret;
+
+- ret = fw_attributes_class_get(&fw_attr_class);
+- if (ret)
+- return ret;
+-
+- tlmi_priv.class_dev = device_create(fw_attr_class, NULL, MKDEV(0, 0),
++ tlmi_priv.class_dev = device_create(&firmware_attributes_class, NULL, MKDEV(0, 0),
+ NULL, "%s", "thinklmi");
+ if (IS_ERR(tlmi_priv.class_dev)) {
+ ret = PTR_ERR(tlmi_priv.class_dev);
+@@ -1385,9 +1380,8 @@ static int tlmi_sysfs_init(void)
+ fail_create_attr:
+ tlmi_release_attr();
+ fail_device_created:
+- device_destroy(fw_attr_class, MKDEV(0, 0));
++ device_destroy(&firmware_attributes_class, MKDEV(0, 0));
+ fail_class_created:
+- fw_attributes_class_put();
+ return ret;
+ }
+
+@@ -1610,8 +1604,7 @@ static int tlmi_analyze(void)
+ static void tlmi_remove(struct wmi_device *wdev)
+ {
+ tlmi_release_attr();
+- device_destroy(fw_attr_class, MKDEV(0, 0));
+- fw_attributes_class_put();
++ device_destroy(&firmware_attributes_class, MKDEV(0, 0));
+ }
+
+ static int tlmi_probe(struct wmi_device *wdev, const void *context)
+--
+2.39.5
+
--- /dev/null
+From a2e848746344608b57e4a0c89f132a688d9b4b34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jun 2025 22:17:36 -0300
+Subject: platform/x86: think-lmi: Fix class device unregistration
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kurt Borja <kuurtb@gmail.com>
+
+[ Upstream commit 5ff1fbb3059730700b4823f43999fc1315984632 ]
+
+Devices under the firmware_attributes_class do not have unique a dev_t.
+Therefore, device_unregister() should be used instead of
+device_destroy(), since the latter may match any device with a given
+dev_t.
+
+Fixes: a40cd7ef22fb ("platform/x86: think-lmi: Add WMI interface support on Lenovo platforms")
+Signed-off-by: Kurt Borja <kuurtb@gmail.com>
+Link: https://lore.kernel.org/r/20250625-dest-fix-v1-2-3a0f342312bb@gmail.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/think-lmi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/platform/x86/think-lmi.c b/drivers/platform/x86/think-lmi.c
+index f0efa60cf8ee2..626990d103e36 100644
+--- a/drivers/platform/x86/think-lmi.c
++++ b/drivers/platform/x86/think-lmi.c
+@@ -1380,7 +1380,7 @@ static int tlmi_sysfs_init(void)
+ fail_create_attr:
+ tlmi_release_attr();
+ fail_device_created:
+- device_destroy(&firmware_attributes_class, MKDEV(0, 0));
++ device_unregister(tlmi_priv.class_dev);
+ fail_class_created:
+ return ret;
+ }
+@@ -1604,7 +1604,7 @@ static int tlmi_analyze(void)
+ static void tlmi_remove(struct wmi_device *wdev)
+ {
+ tlmi_release_attr();
+- device_destroy(&firmware_attributes_class, MKDEV(0, 0));
++ device_unregister(tlmi_priv.class_dev);
+ }
+
+ static int tlmi_probe(struct wmi_device *wdev, const void *context)
+--
+2.39.5
+
--- /dev/null
+From f069ae1035b26b1f0c1223f89308437ed84de08e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 May 2025 19:52:37 +0530
+Subject: powerpc: Fix struct termio related ioctl macros
+
+From: Madhavan Srinivasan <maddy@linux.ibm.com>
+
+[ Upstream commit ab107276607af90b13a5994997e19b7b9731e251 ]
+
+Since termio interface is now obsolete, include/uapi/asm/ioctls.h
+has some constant macros referring to "struct termio", this caused
+build failure at userspace.
+
+In file included from /usr/include/asm/ioctl.h:12,
+ from /usr/include/asm/ioctls.h:5,
+ from tst-ioctls.c:3:
+tst-ioctls.c: In function 'get_TCGETA':
+tst-ioctls.c:12:10: error: invalid application of 'sizeof' to incomplete type 'struct termio'
+ 12 | return TCGETA;
+ | ^~~~~~
+
+Even though termios.h provides "struct termio", trying to juggle definitions around to
+make it compile could introduce regressions. So better to open code it.
+
+Reported-by: Tulio Magno <tuliom@ascii.art.br>
+Suggested-by: Nicholas Piggin <npiggin@gmail.com>
+Tested-by: Justin M. Forbes <jforbes@fedoraproject.org>
+Reviewed-by: Michael Ellerman <mpe@ellerman.id.au>
+Closes: https://lore.kernel.org/linuxppc-dev/8734dji5wl.fsf@ascii.art.br/
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/20250517142237.156665-1-maddy@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/uapi/asm/ioctls.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/powerpc/include/uapi/asm/ioctls.h b/arch/powerpc/include/uapi/asm/ioctls.h
+index 2c145da3b774a..b5211e413829a 100644
+--- a/arch/powerpc/include/uapi/asm/ioctls.h
++++ b/arch/powerpc/include/uapi/asm/ioctls.h
+@@ -23,10 +23,10 @@
+ #define TCSETSW _IOW('t', 21, struct termios)
+ #define TCSETSF _IOW('t', 22, struct termios)
+
+-#define TCGETA _IOR('t', 23, struct termio)
+-#define TCSETA _IOW('t', 24, struct termio)
+-#define TCSETAW _IOW('t', 25, struct termio)
+-#define TCSETAF _IOW('t', 28, struct termio)
++#define TCGETA 0x40147417 /* _IOR('t', 23, struct termio) */
++#define TCSETA 0x80147418 /* _IOW('t', 24, struct termio) */
++#define TCSETAW 0x80147419 /* _IOW('t', 25, struct termio) */
++#define TCSETAF 0x8014741c /* _IOW('t', 28, struct termio) */
+
+ #define TCSBRK _IO('t', 29)
+ #define TCXONC _IO('t', 30)
+--
+2.39.5
+
--- /dev/null
+From 83ff12e512f6fd598977831e9b00912e26712b55 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 19:34:48 +0200
+Subject: rcu: Return early if callback is not specified
+
+From: Uladzislau Rezki (Sony) <urezki@gmail.com>
+
+[ Upstream commit 33b6a1f155d627f5bd80c7485c598ce45428f74f ]
+
+Currently the call_rcu() API does not check whether a callback
+pointer is NULL. If NULL is passed, rcu_core() will try to invoke
+it, resulting in NULL pointer dereference and a kernel crash.
+
+To prevent this and improve debuggability, this patch adds a check
+for NULL and emits a kernel stack trace to help identify a faulty
+caller.
+
+Signed-off-by: Uladzislau Rezki (Sony) <urezki@gmail.com>
+Reviewed-by: Joel Fernandes <joelagnelf@nvidia.com>
+Signed-off-by: Joel Fernandes <joelagnelf@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/rcu/tree.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c
+index 1fb3b7a0ed5d2..536acebf22b0d 100644
+--- a/kernel/rcu/tree.c
++++ b/kernel/rcu/tree.c
+@@ -2699,6 +2699,10 @@ __call_rcu_common(struct rcu_head *head, rcu_callback_t func, bool lazy_in)
+ /* Misaligned rcu_head! */
+ WARN_ON_ONCE((unsigned long)head & (sizeof(void *) - 1));
+
++ /* Avoid NULL dereference if callback is NULL. */
++ if (WARN_ON_ONCE(!func))
++ return;
++
+ if (debug_rcu_head_queue(head)) {
+ /*
+ * Probable double call_rcu(), so leak the callback.
+--
+2.39.5
+
--- /dev/null
+From b31dc420c402c737824f9521fa5f3b84da236584 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Jun 2025 12:14:53 +0300
+Subject: RDMA/mlx5: Fix CC counters query for MPV
+
+From: Patrisious Haddad <phaddad@nvidia.com>
+
+[ Upstream commit acd245b1e33fc4b9d0f2e3372021d632f7ee0652 ]
+
+In case, CC counters are querying for the second port use the correct
+core device for the query instead of always using the master core device.
+
+Fixes: aac4492ef23a ("IB/mlx5: Update counter implementation for dual port RoCE")
+Signed-off-by: Patrisious Haddad <phaddad@nvidia.com>
+Reviewed-by: Michael Guralnik <michaelgur@nvidia.com>
+Link: https://patch.msgid.link/9cace74dcf106116118bebfa9146d40d4166c6b0.1750064969.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/counters.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/counters.c b/drivers/infiniband/hw/mlx5/counters.c
+index f4aa72166cf35..d06128501ce4e 100644
+--- a/drivers/infiniband/hw/mlx5/counters.c
++++ b/drivers/infiniband/hw/mlx5/counters.c
+@@ -407,7 +407,7 @@ static int do_get_hw_stats(struct ib_device *ibdev,
+ */
+ goto done;
+ }
+- ret = mlx5_lag_query_cong_counters(dev->mdev,
++ ret = mlx5_lag_query_cong_counters(mdev,
+ stats->value +
+ cnts->num_q_counters,
+ cnts->num_cong_counters,
+--
+2.39.5
+
--- /dev/null
+From bbc89d85dc3e147bda5dc506c5a2fb1cef116c6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Jun 2025 12:14:52 +0300
+Subject: RDMA/mlx5: Fix HW counters query for non-representor devices
+
+From: Patrisious Haddad <phaddad@nvidia.com>
+
+[ Upstream commit 3cc1dbfddf88dc5ecce0a75185061403b1f7352d ]
+
+To get the device HW counters, a non-representor switchdev device
+should use the mlx5_ib_query_q_counters() function and query all of
+the available counters. While a representor device in switchdev mode
+should use the mlx5_ib_query_q_counters_vport() function and query only
+the Q_Counters without the PPCNT counters and congestion control counters,
+since they aren't relevant for a representor device.
+
+Currently a non-representor switchdev device skips querying the PPCNT
+counters and congestion control counters, leaving them unupdated.
+Fix that by properly querying those counters for non-representor devices.
+
+Fixes: d22467a71ebe ("RDMA/mlx5: Expand switchdev Q-counters to expose representor statistics")
+Signed-off-by: Patrisious Haddad <phaddad@nvidia.com>
+Reviewed-by: Maher Sanalla <msanalla@nvidia.com>
+Link: https://patch.msgid.link/56bf8af4ca8c58e3fb9f7e47b1dca2009eeeed81.1750064969.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/counters.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/counters.c b/drivers/infiniband/hw/mlx5/counters.c
+index b049bba215790..f4aa72166cf35 100644
+--- a/drivers/infiniband/hw/mlx5/counters.c
++++ b/drivers/infiniband/hw/mlx5/counters.c
+@@ -387,7 +387,7 @@ static int do_get_hw_stats(struct ib_device *ibdev,
+ return ret;
+
+ /* We don't expose device counters over Vports */
+- if (is_mdev_switchdev_mode(dev->mdev) && port_num != 0)
++ if (is_mdev_switchdev_mode(dev->mdev) && dev->is_rep && port_num != 0)
+ goto done;
+
+ if (MLX5_CAP_PCAM_FEATURE(dev->mdev, rx_icrc_encapsulated_counter)) {
+--
+2.39.5
+
--- /dev/null
+From a5406a7235783dd3d7e42215ba93e7886f31b16c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Jun 2025 12:14:54 +0300
+Subject: RDMA/mlx5: Fix vport loopback for MPV device
+
+From: Patrisious Haddad <phaddad@nvidia.com>
+
+[ Upstream commit a9a9e68954f29b1e197663f76289db4879fd51bb ]
+
+Always enable vport loopback for both MPV devices on driver start.
+
+Previously in some cases related to MPV RoCE, packets weren't correctly
+executing loopback check at vport in FW, since it was disabled.
+Due to complexity of identifying such cases for MPV always enable vport
+loopback for both GVMIs when binding the slave to the master port.
+
+Fixes: 0042f9e458a5 ("RDMA/mlx5: Enable vport loopback when user context or QP mandate")
+Signed-off-by: Patrisious Haddad <phaddad@nvidia.com>
+Reviewed-by: Mark Bloch <mbloch@nvidia.com>
+Link: https://patch.msgid.link/d4298f5ebb2197459e9e7221c51ecd6a34699847.1750064969.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/main.c | 33 +++++++++++++++++++++++++++++++
+ 1 file changed, 33 insertions(+)
+
+diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
+index ada7dbf8eb1cf..e922fb8728654 100644
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -1690,6 +1690,33 @@ static void deallocate_uars(struct mlx5_ib_dev *dev,
+ context->devx_uid);
+ }
+
++static int mlx5_ib_enable_lb_mp(struct mlx5_core_dev *master,
++ struct mlx5_core_dev *slave)
++{
++ int err;
++
++ err = mlx5_nic_vport_update_local_lb(master, true);
++ if (err)
++ return err;
++
++ err = mlx5_nic_vport_update_local_lb(slave, true);
++ if (err)
++ goto out;
++
++ return 0;
++
++out:
++ mlx5_nic_vport_update_local_lb(master, false);
++ return err;
++}
++
++static void mlx5_ib_disable_lb_mp(struct mlx5_core_dev *master,
++ struct mlx5_core_dev *slave)
++{
++ mlx5_nic_vport_update_local_lb(slave, false);
++ mlx5_nic_vport_update_local_lb(master, false);
++}
++
+ int mlx5_ib_enable_lb(struct mlx5_ib_dev *dev, bool td, bool qp)
+ {
+ int err = 0;
+@@ -3224,6 +3251,8 @@ static void mlx5_ib_unbind_slave_port(struct mlx5_ib_dev *ibdev,
+
+ lockdep_assert_held(&mlx5_ib_multiport_mutex);
+
++ mlx5_ib_disable_lb_mp(ibdev->mdev, mpi->mdev);
++
+ mlx5_core_mp_event_replay(ibdev->mdev,
+ MLX5_DRIVER_EVENT_AFFILIATION_REMOVED,
+ NULL);
+@@ -3319,6 +3348,10 @@ static bool mlx5_ib_bind_slave_port(struct mlx5_ib_dev *ibdev,
+ MLX5_DRIVER_EVENT_AFFILIATION_DONE,
+ &key);
+
++ err = mlx5_ib_enable_lb_mp(ibdev->mdev, mpi->mdev);
++ if (err)
++ goto unbind;
++
+ return true;
+
+ unbind:
+--
+2.39.5
+
--- /dev/null
+From 4d68d6967a24a48caeac5e9a6a4080035939d574 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jun 2025 11:13:55 +0300
+Subject: RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert
+
+From: Mark Zhang <markzhang@nvidia.com>
+
+[ Upstream commit 8edab8a72d67742f87e9dc2e2b0cdfddda5dc29a ]
+
+The obj_event may be loaded immediately after inserted, then if the
+list_head is not initialized then we may get a poisonous pointer. This
+fixes the crash below:
+
+ mlx5_core 0000:03:00.0: MLX5E: StrdRq(1) RqSz(8) StrdSz(2048) RxCqeCmprss(0 enhanced)
+ mlx5_core.sf mlx5_core.sf.4: firmware version: 32.38.3056
+ mlx5_core 0000:03:00.0 en3f0pf0sf2002: renamed from eth0
+ mlx5_core.sf mlx5_core.sf.4: Rate limit: 127 rates are supported, range: 0Mbps to 195312Mbps
+ IPv6: ADDRCONF(NETDEV_CHANGE): en3f0pf0sf2002: link becomes ready
+ Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060
+ Mem abort info:
+ ESR = 0x96000006
+ EC = 0x25: DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ Data abort info:
+ ISV = 0, ISS = 0x00000006
+ CM = 0, WnR = 0
+ user pgtable: 4k pages, 48-bit VAs, pgdp=00000007760fb000
+ [0000000000000060] pgd=000000076f6d7003, p4d=000000076f6d7003, pud=0000000777841003, pmd=0000000000000000
+ Internal error: Oops: 96000006 [#1] SMP
+ Modules linked in: ipmb_host(OE) act_mirred(E) cls_flower(E) sch_ingress(E) mptcp_diag(E) udp_diag(E) raw_diag(E) unix_diag(E) tcp_diag(E) inet_diag(E) binfmt_misc(E) bonding(OE) rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) isofs(E) cdrom(E) mst_pciconf(OE) ib_umad(OE) mlx5_ib(OE) ipmb_dev_int(OE) mlx5_core(OE) kpatch_15237886(OEK) mlxdevm(OE) auxiliary(OE) ib_uverbs(OE) ib_core(OE) psample(E) mlxfw(OE) tls(E) sunrpc(E) vfat(E) fat(E) crct10dif_ce(E) ghash_ce(E) sha1_ce(E) sbsa_gwdt(E) virtio_console(E) ext4(E) mbcache(E) jbd2(E) xfs(E) libcrc32c(E) mmc_block(E) virtio_net(E) net_failover(E) failover(E) sha2_ce(E) sha256_arm64(E) nvme(OE) nvme_core(OE) gpio_mlxbf3(OE) mlx_compat(OE) mlxbf_pmc(OE) i2c_mlxbf(OE) sdhci_of_dwcmshc(OE) pinctrl_mlxbf3(OE) mlxbf_pka(OE) gpio_generic(E) i2c_core(E) mmc_core(E) mlxbf_gige(OE) vitesse(E) pwr_mlxbf(OE) mlxbf_tmfifo(OE) micrel(E) mlxbf_bootctl(OE) virtio_ring(E) virtio(E) ipmi_devintf(E) ipmi_msghandler(E)
+ [last unloaded: mst_pci]
+ CPU: 11 PID: 20913 Comm: rte-worker-11 Kdump: loaded Tainted: G OE K 5.10.134-13.1.an8.aarch64 #1
+ Hardware name: https://www.mellanox.com BlueField-3 SmartNIC Main Card/BlueField-3 SmartNIC Main Card, BIOS 4.2.2.12968 Oct 26 2023
+ pstate: a0400089 (NzCv daIf +PAN -UAO -TCO BTYPE=--)
+ pc : dispatch_event_fd+0x68/0x300 [mlx5_ib]
+ lr : devx_event_notifier+0xcc/0x228 [mlx5_ib]
+ sp : ffff80001005bcf0
+ x29: ffff80001005bcf0 x28: 0000000000000001
+ x27: ffff244e0740a1d8 x26: ffff244e0740a1d0
+ x25: ffffda56beff5ae0 x24: ffffda56bf911618
+ x23: ffff244e0596a480 x22: ffff244e0596a480
+ x21: ffff244d8312ad90 x20: ffff244e0596a480
+ x19: fffffffffffffff0 x18: 0000000000000000
+ x17: 0000000000000000 x16: ffffda56be66d620
+ x15: 0000000000000000 x14: 0000000000000000
+ x13: 0000000000000000 x12: 0000000000000000
+ x11: 0000000000000040 x10: ffffda56bfcafb50
+ x9 : ffffda5655c25f2c x8 : 0000000000000010
+ x7 : 0000000000000000 x6 : ffff24545a2e24b8
+ x5 : 0000000000000003 x4 : ffff80001005bd28
+ x3 : 0000000000000000 x2 : 0000000000000000
+ x1 : ffff244e0596a480 x0 : ffff244d8312ad90
+ Call trace:
+ dispatch_event_fd+0x68/0x300 [mlx5_ib]
+ devx_event_notifier+0xcc/0x228 [mlx5_ib]
+ atomic_notifier_call_chain+0x58/0x80
+ mlx5_eq_async_int+0x148/0x2b0 [mlx5_core]
+ atomic_notifier_call_chain+0x58/0x80
+ irq_int_handler+0x20/0x30 [mlx5_core]
+ __handle_irq_event_percpu+0x60/0x220
+ handle_irq_event_percpu+0x3c/0x90
+ handle_irq_event+0x58/0x158
+ handle_fasteoi_irq+0xfc/0x188
+ generic_handle_irq+0x34/0x48
+ ...
+
+Fixes: 759738537142 ("IB/mlx5: Enable subscription for device events over DEVX")
+Link: https://patch.msgid.link/r/3ce7f20e0d1a03dc7de6e57494ec4b8eaf1f05c2.1750147949.git.leon@kernel.org
+Signed-off-by: Mark Zhang <markzhang@nvidia.com>
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/devx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/devx.c b/drivers/infiniband/hw/mlx5/devx.c
+index 6e19974ecf6e7..3f1fa45d93682 100644
+--- a/drivers/infiniband/hw/mlx5/devx.c
++++ b/drivers/infiniband/hw/mlx5/devx.c
+@@ -1914,6 +1914,7 @@ subscribe_event_xa_alloc(struct mlx5_devx_event_table *devx_event_table,
+ /* Level1 is valid for future use, no need to free */
+ return -ENOMEM;
+
++ INIT_LIST_HEAD(&obj_event->obj_sub_list);
+ err = xa_insert(&event->object_ids,
+ key_level2,
+ obj_event,
+@@ -1922,7 +1923,6 @@ subscribe_event_xa_alloc(struct mlx5_devx_event_table *devx_event_table,
+ kfree(obj_event);
+ return err;
+ }
+- INIT_LIST_HEAD(&obj_event->obj_sub_list);
+ }
+
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From 8ea55aec776b7aa6cfca944995214f9a3f6eb8ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Jun 2025 21:04:18 +0200
+Subject: regulator: fan53555: add enable_time support and soft-start times
+
+From: Heiko Stuebner <heiko@sntech.de>
+
+[ Upstream commit 8acfb165a492251a08a22a4fa6497a131e8c2609 ]
+
+The datasheets for all the fan53555 variants (and clones using the same
+interface) define so called soft start times, from enabling the regulator
+until at least some percentage of the output (i.e. 92% for the rk860x
+types) are available.
+
+The regulator framework supports this with the enable_time property
+but currently the fan53555 driver does not define enable_times for any
+variant.
+
+I ran into a problem with this while testing the new driver for the
+Rockchip NPUs (rocket), which does runtime-pm including disabling and
+enabling a rk8602 as needed. When reenabling the regulator while running
+a load, fatal hangs could be observed while enabling the associated
+power-domain, which the regulator supplies.
+
+Experimentally setting the regulator to always-on, made the issue
+disappear, leading to the missing delay to let power stabilize.
+And as expected, setting the enable-time to a non-zero value
+according to the datasheet also resolved the regulator-issue.
+
+The datasheets in nearly all cases only specify "typical" values,
+except for the fan53555 type 08. There both a typical and maximum
+value are listed - 40uS apart.
+
+For all typical values I've added 100uS to be on the safe side.
+Individual details for the relevant regulators below:
+
+- fan53526:
+ The datasheet for all variants lists a typical value of 150uS, so
+ make that 250uS with safety margin.
+- fan53555:
+ types 08 and 18 (unsupported) are given a typical enable time of 135uS
+ but also a maximum of 175uS so use that value. All the other types only
+ have a typical time in the datasheet of 300uS, so give a bit margin by
+ setting it to 400uS.
+- rk8600 + rk8602:
+ Datasheet reports a typical value of 260us, so use 360uS to be safe.
+- syr82x + syr83x:
+ All datasheets report typical soft-start values of 300uS for these
+ regulators, so use 400uS.
+- tcs452x:
+ Datasheet sadly does not report a soft-start time, so I've not set
+ an enable-time
+
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://patch.msgid.link/20250606190418.478633-1-heiko@sntech.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/fan53555.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/regulator/fan53555.c b/drivers/regulator/fan53555.c
+index 48f312167e535..8912f5be72707 100644
+--- a/drivers/regulator/fan53555.c
++++ b/drivers/regulator/fan53555.c
+@@ -147,6 +147,7 @@ struct fan53555_device_info {
+ unsigned int slew_mask;
+ const unsigned int *ramp_delay_table;
+ unsigned int n_ramp_values;
++ unsigned int enable_time;
+ unsigned int slew_rate;
+ };
+
+@@ -282,6 +283,7 @@ static int fan53526_voltages_setup_fairchild(struct fan53555_device_info *di)
+ di->slew_mask = CTL_SLEW_MASK;
+ di->ramp_delay_table = slew_rates;
+ di->n_ramp_values = ARRAY_SIZE(slew_rates);
++ di->enable_time = 250;
+ di->vsel_count = FAN53526_NVOLTAGES;
+
+ return 0;
+@@ -296,10 +298,12 @@ static int fan53555_voltages_setup_fairchild(struct fan53555_device_info *di)
+ case FAN53555_CHIP_REV_00:
+ di->vsel_min = 600000;
+ di->vsel_step = 10000;
++ di->enable_time = 400;
+ break;
+ case FAN53555_CHIP_REV_13:
+ di->vsel_min = 800000;
+ di->vsel_step = 10000;
++ di->enable_time = 400;
+ break;
+ default:
+ dev_err(di->dev,
+@@ -311,13 +315,19 @@ static int fan53555_voltages_setup_fairchild(struct fan53555_device_info *di)
+ case FAN53555_CHIP_ID_01:
+ case FAN53555_CHIP_ID_03:
+ case FAN53555_CHIP_ID_05:
++ di->vsel_min = 600000;
++ di->vsel_step = 10000;
++ di->enable_time = 400;
++ break;
+ case FAN53555_CHIP_ID_08:
+ di->vsel_min = 600000;
+ di->vsel_step = 10000;
++ di->enable_time = 175;
+ break;
+ case FAN53555_CHIP_ID_04:
+ di->vsel_min = 603000;
+ di->vsel_step = 12826;
++ di->enable_time = 400;
+ break;
+ default:
+ dev_err(di->dev,
+@@ -350,6 +360,7 @@ static int fan53555_voltages_setup_rockchip(struct fan53555_device_info *di)
+ di->slew_mask = CTL_SLEW_MASK;
+ di->ramp_delay_table = slew_rates;
+ di->n_ramp_values = ARRAY_SIZE(slew_rates);
++ di->enable_time = 360;
+ di->vsel_count = FAN53555_NVOLTAGES;
+
+ return 0;
+@@ -372,6 +383,7 @@ static int rk8602_voltages_setup_rockchip(struct fan53555_device_info *di)
+ di->slew_mask = CTL_SLEW_MASK;
+ di->ramp_delay_table = slew_rates;
+ di->n_ramp_values = ARRAY_SIZE(slew_rates);
++ di->enable_time = 360;
+ di->vsel_count = RK8602_NVOLTAGES;
+
+ return 0;
+@@ -395,6 +407,7 @@ static int fan53555_voltages_setup_silergy(struct fan53555_device_info *di)
+ di->slew_mask = CTL_SLEW_MASK;
+ di->ramp_delay_table = slew_rates;
+ di->n_ramp_values = ARRAY_SIZE(slew_rates);
++ di->enable_time = 400;
+ di->vsel_count = FAN53555_NVOLTAGES;
+
+ return 0;
+@@ -594,6 +607,7 @@ static int fan53555_regulator_register(struct fan53555_device_info *di,
+ rdesc->ramp_mask = di->slew_mask;
+ rdesc->ramp_delay_table = di->ramp_delay_table;
+ rdesc->n_ramp_values = di->n_ramp_values;
++ rdesc->enable_time = di->enable_time;
+ rdesc->owner = THIS_MODULE;
+
+ rdev = devm_regulator_register(di->dev, &di->desc, config);
+--
+2.39.5
+
--- /dev/null
+From dd07e4d3aab777f6b3bb8626ec31a19f12bccde1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 May 2025 09:41:27 +0300
+Subject: Revert "drm/i915/gem: Allow EXEC_CAPTURE on recoverable contexts on
+ DG1"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+
+[ Upstream commit ed5915cfce2abb9a553c3737badebd4a11d6c9c7 ]
+
+This reverts commit d6e020819612a4a06207af858e0978be4d3e3140.
+
+The IS_DGFX check was put in place because error capture of buffer
+objects is expected to be broken on devices with VRAM.
+
+Userspace fix[1] to the impacted media driver has been submitted, merged
+and a new driver release is out as 25.2.3 where the capture flag is
+dropped on DG1 thus unblocking the usage of media driver on DG1.
+
+[1] https://github.com/intel/media-driver/commit/93c07d9b4b96a78bab21f6acd4eb863f4313ea4a
+
+Cc: stable@vger.kernel.org # v6.0+
+Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Cc: Andi Shyti <andi.shyti@linux.intel.com>
+Cc: Matthew Auld <matthew.auld@intel.com>
+Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Cc: Tvrtko Ursulin <tursulin@ursulin.net>
+Acked-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
+Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
+Link: https://lore.kernel.org/r/20250522064127.24293-1-joonas.lahtinen@linux.intel.com
+[Joonas: Update message to point out the merged userspace fix]
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+(cherry picked from commit d2dc30e0aa252830f908c8e793d3139d51321370)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c
+index 023b2ea74c360..5a687a3686bd5 100644
+--- a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c
++++ b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c
+@@ -2013,7 +2013,7 @@ static int eb_capture_stage(struct i915_execbuffer *eb)
+ continue;
+
+ if (i915_gem_context_is_recoverable(eb->gem_context) &&
+- GRAPHICS_VER_FULL(eb->i915) > IP_VER(12, 10))
++ (IS_DGFX(eb->i915) || GRAPHICS_VER_FULL(eb->i915) > IP_VER(12, 0)))
+ return -EINVAL;
+
+ for_each_batch_create_order(eb, j) {
+--
+2.39.5
+
--- /dev/null
+From 86098b7f5263bfe8492ba2dcd27029b60e751f2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 29 Jun 2025 12:06:31 +0900
+Subject: rose: fix dangling neighbour pointers in rose_rt_device_down()
+
+From: Kohei Enju <enjuk@amazon.com>
+
+[ Upstream commit 34a500caf48c47d5171f4aa1f237da39b07c6157 ]
+
+There are two bugs in rose_rt_device_down() that can cause
+use-after-free:
+
+1. The loop bound `t->count` is modified within the loop, which can
+ cause the loop to terminate early and miss some entries.
+
+2. When removing an entry from the neighbour array, the subsequent entries
+ are moved up to fill the gap, but the loop index `i` is still
+ incremented, causing the next entry to be skipped.
+
+For example, if a node has three neighbours (A, A, B) with count=3 and A
+is being removed, the second A is not checked.
+
+ i=0: (A, A, B) -> (A, B) with count=2
+ ^ checked
+ i=1: (A, B) -> (A, B) with count=2
+ ^ checked (B, not A!)
+ i=2: (doesn't occur because i < count is false)
+
+This leaves the second A in the array with count=2, but the rose_neigh
+structure has been freed. Code that accesses these entries assumes that
+the first `count` entries are valid pointers, causing a use-after-free
+when it accesses the dangling pointer.
+
+Fix both issues by iterating over the array in reverse order with a fixed
+loop bound. This ensures that all entries are examined and that the removal
+of an entry doesn't affect subsequent iterations.
+
+Reported-by: syzbot+e04e2c007ba2c80476cb@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=e04e2c007ba2c80476cb
+Tested-by: syzbot+e04e2c007ba2c80476cb@syzkaller.appspotmail.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kohei Enju <enjuk@amazon.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250629030833.6680-1-enjuk@amazon.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rose/rose_route.c | 15 ++++-----------
+ 1 file changed, 4 insertions(+), 11 deletions(-)
+
+diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
+index fee772b4637c8..a7054546f52df 100644
+--- a/net/rose/rose_route.c
++++ b/net/rose/rose_route.c
+@@ -497,22 +497,15 @@ void rose_rt_device_down(struct net_device *dev)
+ t = rose_node;
+ rose_node = rose_node->next;
+
+- for (i = 0; i < t->count; i++) {
++ for (i = t->count - 1; i >= 0; i--) {
+ if (t->neighbour[i] != s)
+ continue;
+
+ t->count--;
+
+- switch (i) {
+- case 0:
+- t->neighbour[0] = t->neighbour[1];
+- fallthrough;
+- case 1:
+- t->neighbour[1] = t->neighbour[2];
+- break;
+- case 2:
+- break;
+- }
++ memmove(&t->neighbour[i], &t->neighbour[i + 1],
++ sizeof(t->neighbour[0]) *
++ (t->count - i));
+ }
+
+ if (t->count <= 0)
+--
+2.39.5
+
--- /dev/null
+From 09365a784bb1dbb9078f83259b23d4a9b41ca6d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jun 2025 18:11:11 +0200
+Subject: scsi: qla2xxx: Fix DMA mapping test in qla24xx_get_port_database()
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit c3b214719a87735d4f67333a8ef3c0e31a34837c ]
+
+dma_map_XXX() functions return as error values DMA_MAPPING_ERROR which is
+often ~0. The error value should be tested with dma_mapping_error() like
+it was done in qla26xx_dport_diagnostics().
+
+Fixes: 818c7f87a177 ("scsi: qla2xxx: Add changes in preparation for vendor extended FDMI/RDP")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://lore.kernel.org/r/20250617161115.39888-2-fourier.thomas@gmail.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_mbx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_mbx.c b/drivers/scsi/qla2xxx/qla_mbx.c
+index 0cd6f3e148824..13b6cb1b93acd 100644
+--- a/drivers/scsi/qla2xxx/qla_mbx.c
++++ b/drivers/scsi/qla2xxx/qla_mbx.c
+@@ -2147,7 +2147,7 @@ qla24xx_get_port_database(scsi_qla_host_t *vha, u16 nport_handle,
+
+ pdb_dma = dma_map_single(&vha->hw->pdev->dev, pdb,
+ sizeof(*pdb), DMA_FROM_DEVICE);
+- if (!pdb_dma) {
++ if (dma_mapping_error(&vha->hw->pdev->dev, pdb_dma)) {
+ ql_log(ql_log_warn, vha, 0x1116, "Failed to map dma buffer.\n");
+ return QLA_MEMORY_ALLOC_FAILED;
+ }
+--
+2.39.5
+
--- /dev/null
+From 2b4a2adbadce0fb4af6c7a963128878c2cd78b18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 09:17:37 +0200
+Subject: scsi: qla4xxx: Fix missing DMA mapping error in qla4xxx_alloc_pdu()
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 00f452a1b084efbe8dcb60a29860527944a002a1 ]
+
+dma_map_XXX() can fail and should be tested for errors with
+dma_mapping_error().
+
+Fixes: b3a271a94d00 ("[SCSI] qla4xxx: support iscsiadm session mgmt")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://lore.kernel.org/r/20250618071742.21822-2-fourier.thomas@gmail.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla4xxx/ql4_os.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c
+index 675332e49a7b0..77c28d2ebf013 100644
+--- a/drivers/scsi/qla4xxx/ql4_os.c
++++ b/drivers/scsi/qla4xxx/ql4_os.c
+@@ -3420,6 +3420,8 @@ static int qla4xxx_alloc_pdu(struct iscsi_task *task, uint8_t opcode)
+ task_data->data_dma = dma_map_single(&ha->pdev->dev, task->data,
+ task->data_count,
+ DMA_TO_DEVICE);
++ if (dma_mapping_error(&ha->pdev->dev, task_data->data_dma))
++ return -ENOMEM;
+ }
+
+ DEBUG2(ql4_printk(KERN_INFO, ha, "%s: MaxRecvLen %u, iscsi hrd %d\n",
+--
+2.39.5
+
--- /dev/null
+From c348ca15ea72c2dd231b9ab9c8e8f57be5913910 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jun 2025 12:15:56 +0200
+Subject: scsi: target: Fix NULL pointer dereference in
+ core_scsi3_decode_spec_i_port()
+
+From: Maurizio Lombardi <mlombard@redhat.com>
+
+[ Upstream commit d8ab68bdb294b09a761e967dad374f2965e1913f ]
+
+The function core_scsi3_decode_spec_i_port(), in its error code path,
+unconditionally calls core_scsi3_lunacl_undepend_item() passing the
+dest_se_deve pointer, which may be NULL.
+
+This can lead to a NULL pointer dereference if dest_se_deve remains
+unset.
+
+SPC-3 PR SPEC_I_PT: Unable to locate dest_tpg
+Unable to handle kernel paging request at virtual address dfff800000000012
+Call trace:
+ core_scsi3_lunacl_undepend_item+0x2c/0xf0 [target_core_mod] (P)
+ core_scsi3_decode_spec_i_port+0x120c/0x1c30 [target_core_mod]
+ core_scsi3_emulate_pro_register+0x6b8/0xcd8 [target_core_mod]
+ target_scsi3_emulate_pr_out+0x56c/0x840 [target_core_mod]
+
+Fix this by adding a NULL check before calling
+core_scsi3_lunacl_undepend_item()
+
+Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
+Link: https://lore.kernel.org/r/20250612101556.24829-1-mlombard@redhat.com
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Reviewed-by: John Meneghini <jmeneghi@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/target_core_pr.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/target/target_core_pr.c b/drivers/target/target_core_pr.c
+index 49d9167bb263b..a9eb6a3e83834 100644
+--- a/drivers/target/target_core_pr.c
++++ b/drivers/target/target_core_pr.c
+@@ -1841,7 +1841,9 @@ core_scsi3_decode_spec_i_port(
+ }
+
+ kmem_cache_free(t10_pr_reg_cache, dest_pr_reg);
+- core_scsi3_lunacl_undepend_item(dest_se_deve);
++
++ if (dest_se_deve)
++ core_scsi3_lunacl_undepend_item(dest_se_deve);
+
+ if (is_local)
+ continue;
+--
+2.39.5
+
--- /dev/null
+From b6a857186f5c84e36b5f8f885b62021a064ce65a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Oct 2023 22:51:26 +0530
+Subject: scsi: ufs: core: Add OPP support for scaling clocks and regulators
+
+From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+
+[ Upstream commit 930bd77ebe3dc23b18aa49e55e6a515d5663d67a ]
+
+UFS core is only scaling the clocks during devfreq scaling and
+initialization. But for an optimum power saving, regulators should also be
+scaled along with the clocks.
+
+So let's use the OPP framework which supports scaling clocks, regulators,
+and performance state using OPP table defined in devicetree. For
+accomodating the OPP support, the existing APIs (ufshcd_scale_clks,
+ufshcd_is_devfreq_scaling_required and ufshcd_devfreq_scale) are modified
+to accept "freq" as an argument which in turn used by the OPP helpers.
+
+The OPP support is added along with the old freq-table based clock scaling
+so that the existing platforms work as expected.
+
+Co-developed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Link: https://lore.kernel.org/r/20231012172129.65172-3-manivannan.sadhasivam@linaro.org
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Stable-dep-of: 2e083cd80229 ("scsi: ufs: core: Fix clk scaling to be conditional in reset and restore")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ufs/core/ufshcd.c | 144 +++++++++++++++++++++++++++++---------
+ include/ufs/ufshcd.h | 4 ++
+ 2 files changed, 115 insertions(+), 33 deletions(-)
+
+diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
+index 08c46fefb32b4..fa86942efd11f 100644
+--- a/drivers/ufs/core/ufshcd.c
++++ b/drivers/ufs/core/ufshcd.c
+@@ -20,6 +20,7 @@
+ #include <linux/delay.h>
+ #include <linux/interrupt.h>
+ #include <linux/module.h>
++#include <linux/pm_opp.h>
+ #include <linux/regulator/consumer.h>
+ #include <linux/sched/clock.h>
+ #include <linux/iopoll.h>
+@@ -289,7 +290,8 @@ static inline void ufshcd_add_delay_before_dme_cmd(struct ufs_hba *hba);
+ static int ufshcd_host_reset_and_restore(struct ufs_hba *hba);
+ static void ufshcd_resume_clkscaling(struct ufs_hba *hba);
+ static void ufshcd_suspend_clkscaling(struct ufs_hba *hba);
+-static int ufshcd_scale_clks(struct ufs_hba *hba, bool scale_up);
++static int ufshcd_scale_clks(struct ufs_hba *hba, unsigned long freq,
++ bool scale_up);
+ static irqreturn_t ufshcd_intr(int irq, void *__hba);
+ static int ufshcd_change_power_mode(struct ufs_hba *hba,
+ struct ufs_pa_layer_attr *pwr_mode);
+@@ -1078,14 +1080,32 @@ static int ufshcd_set_clk_freq(struct ufs_hba *hba, bool scale_up)
+ return ret;
+ }
+
++static int ufshcd_opp_set_rate(struct ufs_hba *hba, unsigned long freq)
++{
++ struct dev_pm_opp *opp;
++ int ret;
++
++ opp = dev_pm_opp_find_freq_floor_indexed(hba->dev,
++ &freq, 0);
++ if (IS_ERR(opp))
++ return PTR_ERR(opp);
++
++ ret = dev_pm_opp_set_opp(hba->dev, opp);
++ dev_pm_opp_put(opp);
++
++ return ret;
++}
++
+ /**
+ * ufshcd_scale_clks - scale up or scale down UFS controller clocks
+ * @hba: per adapter instance
++ * @freq: frequency to scale
+ * @scale_up: True if scaling up and false if scaling down
+ *
+ * Return: 0 if successful; < 0 upon failure.
+ */
+-static int ufshcd_scale_clks(struct ufs_hba *hba, bool scale_up)
++static int ufshcd_scale_clks(struct ufs_hba *hba, unsigned long freq,
++ bool scale_up)
+ {
+ int ret = 0;
+ ktime_t start = ktime_get();
+@@ -1094,13 +1114,21 @@ static int ufshcd_scale_clks(struct ufs_hba *hba, bool scale_up)
+ if (ret)
+ goto out;
+
+- ret = ufshcd_set_clk_freq(hba, scale_up);
++ if (hba->use_pm_opp)
++ ret = ufshcd_opp_set_rate(hba, freq);
++ else
++ ret = ufshcd_set_clk_freq(hba, scale_up);
+ if (ret)
+ goto out;
+
+ ret = ufshcd_vops_clk_scale_notify(hba, scale_up, POST_CHANGE);
+- if (ret)
+- ufshcd_set_clk_freq(hba, !scale_up);
++ if (ret) {
++ if (hba->use_pm_opp)
++ ufshcd_opp_set_rate(hba,
++ hba->devfreq->previous_freq);
++ else
++ ufshcd_set_clk_freq(hba, !scale_up);
++ }
+
+ out:
+ trace_ufshcd_profile_clk_scaling(dev_name(hba->dev),
+@@ -1112,12 +1140,13 @@ static int ufshcd_scale_clks(struct ufs_hba *hba, bool scale_up)
+ /**
+ * ufshcd_is_devfreq_scaling_required - check if scaling is required or not
+ * @hba: per adapter instance
++ * @freq: frequency to scale
+ * @scale_up: True if scaling up and false if scaling down
+ *
+ * Return: true if scaling is required, false otherwise.
+ */
+ static bool ufshcd_is_devfreq_scaling_required(struct ufs_hba *hba,
+- bool scale_up)
++ unsigned long freq, bool scale_up)
+ {
+ struct ufs_clk_info *clki;
+ struct list_head *head = &hba->clk_list_head;
+@@ -1125,6 +1154,9 @@ static bool ufshcd_is_devfreq_scaling_required(struct ufs_hba *hba,
+ if (list_empty(head))
+ return false;
+
++ if (hba->use_pm_opp)
++ return freq != hba->clk_scaling.target_freq;
++
+ list_for_each_entry(clki, head, list) {
+ if (!IS_ERR_OR_NULL(clki->clk)) {
+ if (scale_up && clki->max_freq) {
+@@ -1323,12 +1355,14 @@ static void ufshcd_clock_scaling_unprepare(struct ufs_hba *hba, int err, bool sc
+ /**
+ * ufshcd_devfreq_scale - scale up/down UFS clocks and gear
+ * @hba: per adapter instance
++ * @freq: frequency to scale
+ * @scale_up: True for scaling up and false for scalin down
+ *
+ * Return: 0 for success; -EBUSY if scaling can't happen at this time; non-zero
+ * for any other errors.
+ */
+-static int ufshcd_devfreq_scale(struct ufs_hba *hba, bool scale_up)
++static int ufshcd_devfreq_scale(struct ufs_hba *hba, unsigned long freq,
++ bool scale_up)
+ {
+ int ret = 0;
+
+@@ -1343,7 +1377,7 @@ static int ufshcd_devfreq_scale(struct ufs_hba *hba, bool scale_up)
+ goto out_unprepare;
+ }
+
+- ret = ufshcd_scale_clks(hba, scale_up);
++ ret = ufshcd_scale_clks(hba, freq, scale_up);
+ if (ret) {
+ if (!scale_up)
+ ufshcd_scale_gear(hba, true);
+@@ -1354,7 +1388,8 @@ static int ufshcd_devfreq_scale(struct ufs_hba *hba, bool scale_up)
+ if (scale_up) {
+ ret = ufshcd_scale_gear(hba, true);
+ if (ret) {
+- ufshcd_scale_clks(hba, false);
++ ufshcd_scale_clks(hba, hba->devfreq->previous_freq,
++ false);
+ goto out_unprepare;
+ }
+ }
+@@ -1413,9 +1448,22 @@ static int ufshcd_devfreq_target(struct device *dev,
+ if (!ufshcd_is_clkscaling_supported(hba))
+ return -EINVAL;
+
+- clki = list_first_entry(&hba->clk_list_head, struct ufs_clk_info, list);
+- /* Override with the closest supported frequency */
+- *freq = (unsigned long) clk_round_rate(clki->clk, *freq);
++ if (hba->use_pm_opp) {
++ struct dev_pm_opp *opp;
++
++ /* Get the recommended frequency from OPP framework */
++ opp = devfreq_recommended_opp(dev, freq, flags);
++ if (IS_ERR(opp))
++ return PTR_ERR(opp);
++
++ dev_pm_opp_put(opp);
++ } else {
++ /* Override with the closest supported frequency */
++ clki = list_first_entry(&hba->clk_list_head, struct ufs_clk_info,
++ list);
++ *freq = (unsigned long) clk_round_rate(clki->clk, *freq);
++ }
++
+ spin_lock_irqsave(hba->host->host_lock, irq_flags);
+ if (ufshcd_eh_in_progress(hba)) {
+ spin_unlock_irqrestore(hba->host->host_lock, irq_flags);
+@@ -1430,12 +1478,17 @@ static int ufshcd_devfreq_target(struct device *dev,
+ goto out;
+ }
+
+- /* Decide based on the rounded-off frequency and update */
+- scale_up = *freq == clki->max_freq;
+- if (!scale_up)
++ /* Decide based on the target or rounded-off frequency and update */
++ if (hba->use_pm_opp)
++ scale_up = *freq > hba->clk_scaling.target_freq;
++ else
++ scale_up = *freq == clki->max_freq;
++
++ if (!hba->use_pm_opp && !scale_up)
+ *freq = clki->min_freq;
++
+ /* Update the frequency */
+- if (!ufshcd_is_devfreq_scaling_required(hba, scale_up)) {
++ if (!ufshcd_is_devfreq_scaling_required(hba, *freq, scale_up)) {
+ spin_unlock_irqrestore(hba->host->host_lock, irq_flags);
+ ret = 0;
+ goto out; /* no state change required */
+@@ -1443,7 +1496,9 @@ static int ufshcd_devfreq_target(struct device *dev,
+ spin_unlock_irqrestore(hba->host->host_lock, irq_flags);
+
+ start = ktime_get();
+- ret = ufshcd_devfreq_scale(hba, scale_up);
++ ret = ufshcd_devfreq_scale(hba, *freq, scale_up);
++ if (!ret)
++ hba->clk_scaling.target_freq = *freq;
+
+ trace_ufshcd_profile_clk_scaling(dev_name(hba->dev),
+ (scale_up ? "up" : "down"),
+@@ -1463,8 +1518,6 @@ static int ufshcd_devfreq_get_dev_status(struct device *dev,
+ struct ufs_hba *hba = dev_get_drvdata(dev);
+ struct ufs_clk_scaling *scaling = &hba->clk_scaling;
+ unsigned long flags;
+- struct list_head *clk_list = &hba->clk_list_head;
+- struct ufs_clk_info *clki;
+ ktime_t curr_t;
+
+ if (!ufshcd_is_clkscaling_supported(hba))
+@@ -1477,17 +1530,24 @@ static int ufshcd_devfreq_get_dev_status(struct device *dev,
+ if (!scaling->window_start_t)
+ goto start_window;
+
+- clki = list_first_entry(clk_list, struct ufs_clk_info, list);
+ /*
+ * If current frequency is 0, then the ondemand governor considers
+ * there's no initial frequency set. And it always requests to set
+ * to max. frequency.
+ */
+- stat->current_frequency = clki->curr_freq;
++ if (hba->use_pm_opp) {
++ stat->current_frequency = hba->clk_scaling.target_freq;
++ } else {
++ struct list_head *clk_list = &hba->clk_list_head;
++ struct ufs_clk_info *clki;
++
++ clki = list_first_entry(clk_list, struct ufs_clk_info, list);
++ stat->current_frequency = clki->curr_freq;
++ }
++
+ if (scaling->is_busy_started)
+ scaling->tot_busy_t += ktime_us_delta(curr_t,
+ scaling->busy_start_t);
+-
+ stat->total_time = ktime_us_delta(curr_t, scaling->window_start_t);
+ stat->busy_time = scaling->tot_busy_t;
+ start_window:
+@@ -1516,9 +1576,11 @@ static int ufshcd_devfreq_init(struct ufs_hba *hba)
+ if (list_empty(clk_list))
+ return 0;
+
+- clki = list_first_entry(clk_list, struct ufs_clk_info, list);
+- dev_pm_opp_add(hba->dev, clki->min_freq, 0);
+- dev_pm_opp_add(hba->dev, clki->max_freq, 0);
++ if (!hba->use_pm_opp) {
++ clki = list_first_entry(clk_list, struct ufs_clk_info, list);
++ dev_pm_opp_add(hba->dev, clki->min_freq, 0);
++ dev_pm_opp_add(hba->dev, clki->max_freq, 0);
++ }
+
+ ufshcd_vops_config_scaling_param(hba, &hba->vps->devfreq_profile,
+ &hba->vps->ondemand_data);
+@@ -1530,8 +1592,10 @@ static int ufshcd_devfreq_init(struct ufs_hba *hba)
+ ret = PTR_ERR(devfreq);
+ dev_err(hba->dev, "Unable to register with devfreq %d\n", ret);
+
+- dev_pm_opp_remove(hba->dev, clki->min_freq);
+- dev_pm_opp_remove(hba->dev, clki->max_freq);
++ if (!hba->use_pm_opp) {
++ dev_pm_opp_remove(hba->dev, clki->min_freq);
++ dev_pm_opp_remove(hba->dev, clki->max_freq);
++ }
+ return ret;
+ }
+
+@@ -1543,7 +1607,6 @@ static int ufshcd_devfreq_init(struct ufs_hba *hba)
+ static void ufshcd_devfreq_remove(struct ufs_hba *hba)
+ {
+ struct list_head *clk_list = &hba->clk_list_head;
+- struct ufs_clk_info *clki;
+
+ if (!hba->devfreq)
+ return;
+@@ -1551,9 +1614,13 @@ static void ufshcd_devfreq_remove(struct ufs_hba *hba)
+ devfreq_remove_device(hba->devfreq);
+ hba->devfreq = NULL;
+
+- clki = list_first_entry(clk_list, struct ufs_clk_info, list);
+- dev_pm_opp_remove(hba->dev, clki->min_freq);
+- dev_pm_opp_remove(hba->dev, clki->max_freq);
++ if (!hba->use_pm_opp) {
++ struct ufs_clk_info *clki;
++
++ clki = list_first_entry(clk_list, struct ufs_clk_info, list);
++ dev_pm_opp_remove(hba->dev, clki->min_freq);
++ dev_pm_opp_remove(hba->dev, clki->max_freq);
++ }
+ }
+
+ static void ufshcd_suspend_clkscaling(struct ufs_hba *hba)
+@@ -1629,7 +1696,7 @@ static ssize_t ufshcd_clkscale_enable_store(struct device *dev,
+ ufshcd_resume_clkscaling(hba);
+ } else {
+ ufshcd_suspend_clkscaling(hba);
+- err = ufshcd_devfreq_scale(hba, true);
++ err = ufshcd_devfreq_scale(hba, ULONG_MAX, true);
+ if (err)
+ dev_err(hba->dev, "%s: failed to scale clocks up %d\n",
+ __func__, err);
+@@ -7713,7 +7780,7 @@ static int ufshcd_host_reset_and_restore(struct ufs_hba *hba)
+ hba->silence_err_logs = false;
+
+ /* scale up clocks to max frequency before full reinitialization */
+- ufshcd_scale_clks(hba, true);
++ ufshcd_scale_clks(hba, ULONG_MAX, true);
+
+ err = ufshcd_hba_enable(hba);
+
+@@ -9351,6 +9418,17 @@ static int ufshcd_init_clocks(struct ufs_hba *hba)
+ dev_dbg(dev, "%s: clk: %s, rate: %lu\n", __func__,
+ clki->name, clk_get_rate(clki->clk));
+ }
++
++ /* Set Max. frequency for all clocks */
++ if (hba->use_pm_opp) {
++ ret = ufshcd_opp_set_rate(hba, ULONG_MAX);
++ if (ret) {
++ dev_err(hba->dev, "%s: failed to set OPP: %d", __func__,
++ ret);
++ goto out;
++ }
++ }
++
+ out:
+ return ret;
+ }
+diff --git a/include/ufs/ufshcd.h b/include/ufs/ufshcd.h
+index d5aa832f8dba3..e9db9682316a2 100644
+--- a/include/ufs/ufshcd.h
++++ b/include/ufs/ufshcd.h
+@@ -430,6 +430,7 @@ struct ufs_clk_gating {
+ * @workq: workqueue to schedule devfreq suspend/resume work
+ * @suspend_work: worker to suspend devfreq
+ * @resume_work: worker to resume devfreq
++ * @target_freq: frequency requested by devfreq framework
+ * @min_gear: lowest HS gear to scale down to
+ * @is_enabled: tracks if scaling is currently enabled or not, controlled by
+ * clkscale_enable sysfs node
+@@ -449,6 +450,7 @@ struct ufs_clk_scaling {
+ struct workqueue_struct *workq;
+ struct work_struct suspend_work;
+ struct work_struct resume_work;
++ unsigned long target_freq;
+ u32 min_gear;
+ bool is_enabled;
+ bool is_allowed;
+@@ -862,6 +864,7 @@ enum ufshcd_mcq_opr {
+ * @auto_bkops_enabled: to track whether bkops is enabled in device
+ * @vreg_info: UFS device voltage regulator information
+ * @clk_list_head: UFS host controller clocks list node head
++ * @use_pm_opp: Indicates whether OPP based scaling is used or not
+ * @req_abort_count: number of times ufshcd_abort() has been called
+ * @lanes_per_direction: number of lanes per data direction between the UFS
+ * controller and the UFS device.
+@@ -1014,6 +1017,7 @@ struct ufs_hba {
+ bool auto_bkops_enabled;
+ struct ufs_vreg_info vreg_info;
+ struct list_head clk_list_head;
++ bool use_pm_opp;
+
+ /* Number of requests aborts */
+ int req_abort_count;
+--
+2.39.5
+
--- /dev/null
+From 438ddee07bedcdf5d5373c871f968e5dbdb4eaf3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Aug 2023 21:08:25 +0800
+Subject: scsi: ufs: core: Fix abnormal scale up after last cmd finish
+
+From: Peter Wang <peter.wang@mediatek.com>
+
+[ Upstream commit 6fd53da45bbc834b9cfdf707d2f7ebe666667943 ]
+
+When ufshcd_clk_scaling_suspend_work (thread A) running and new command
+coming, ufshcd_clk_scaling_start_busy (thread B) may get host_lock after
+thread A first time release host_lock. Then thread A second time get
+host_lock will set clk_scaling.window_start_t = 0 which scale up clock
+abnormal next polling_ms time. Also inlines another
+__ufshcd_suspend_clkscaling calls.
+
+Below is racing step:
+1 hba->clk_scaling.suspend_work (Thread A)
+ ufshcd_clk_scaling_suspend_work
+2 spin_lock_irqsave(hba->host->host_lock, irq_flags);
+3 hba->clk_scaling.is_suspended = true;
+4 spin_unlock_irqrestore(hba->host->host_lock, irq_flags);
+ __ufshcd_suspend_clkscaling
+7 spin_lock_irqsave(hba->host->host_lock, flags);
+8 hba->clk_scaling.window_start_t = 0;
+9 spin_unlock_irqrestore(hba->host->host_lock, flags);
+
+ ufshcd_send_command (Thread B)
+ ufshcd_clk_scaling_start_busy
+5 spin_lock_irqsave(hba->host->host_lock, flags);
+ ....
+6 spin_unlock_irqrestore(hba->host->host_lock, flags);
+
+Signed-off-by: Peter Wang <peter.wang@mediatek.com>
+Link: https://lore.kernel.org/r/20230831130826.5592-3-peter.wang@mediatek.com
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Stable-dep-of: 2e083cd80229 ("scsi: ufs: core: Fix clk scaling to be conditional in reset and restore")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ufs/core/ufshcd.c | 17 ++++-------------
+ 1 file changed, 4 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
+index 412931cf240f6..08c46fefb32b4 100644
+--- a/drivers/ufs/core/ufshcd.c
++++ b/drivers/ufs/core/ufshcd.c
+@@ -289,7 +289,6 @@ static inline void ufshcd_add_delay_before_dme_cmd(struct ufs_hba *hba);
+ static int ufshcd_host_reset_and_restore(struct ufs_hba *hba);
+ static void ufshcd_resume_clkscaling(struct ufs_hba *hba);
+ static void ufshcd_suspend_clkscaling(struct ufs_hba *hba);
+-static void __ufshcd_suspend_clkscaling(struct ufs_hba *hba);
+ static int ufshcd_scale_clks(struct ufs_hba *hba, bool scale_up);
+ static irqreturn_t ufshcd_intr(int irq, void *__hba);
+ static int ufshcd_change_power_mode(struct ufs_hba *hba,
+@@ -1377,9 +1376,10 @@ static void ufshcd_clk_scaling_suspend_work(struct work_struct *work)
+ return;
+ }
+ hba->clk_scaling.is_suspended = true;
++ hba->clk_scaling.window_start_t = 0;
+ spin_unlock_irqrestore(hba->host->host_lock, irq_flags);
+
+- __ufshcd_suspend_clkscaling(hba);
++ devfreq_suspend_device(hba->devfreq);
+ }
+
+ static void ufshcd_clk_scaling_resume_work(struct work_struct *work)
+@@ -1556,16 +1556,6 @@ static void ufshcd_devfreq_remove(struct ufs_hba *hba)
+ dev_pm_opp_remove(hba->dev, clki->max_freq);
+ }
+
+-static void __ufshcd_suspend_clkscaling(struct ufs_hba *hba)
+-{
+- unsigned long flags;
+-
+- devfreq_suspend_device(hba->devfreq);
+- spin_lock_irqsave(hba->host->host_lock, flags);
+- hba->clk_scaling.window_start_t = 0;
+- spin_unlock_irqrestore(hba->host->host_lock, flags);
+-}
+-
+ static void ufshcd_suspend_clkscaling(struct ufs_hba *hba)
+ {
+ unsigned long flags;
+@@ -1578,11 +1568,12 @@ static void ufshcd_suspend_clkscaling(struct ufs_hba *hba)
+ if (!hba->clk_scaling.is_suspended) {
+ suspend = true;
+ hba->clk_scaling.is_suspended = true;
++ hba->clk_scaling.window_start_t = 0;
+ }
+ spin_unlock_irqrestore(hba->host->host_lock, flags);
+
+ if (suspend)
+- __ufshcd_suspend_clkscaling(hba);
++ devfreq_suspend_device(hba->devfreq);
+ }
+
+ static void ufshcd_resume_clkscaling(struct ufs_hba *hba)
+--
+2.39.5
+
--- /dev/null
+From 6229100d63ea3369e22f2a718fba80abcd2cf2ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Jun 2025 08:57:34 +0000
+Subject: scsi: ufs: core: Fix clk scaling to be conditional in reset and
+ restore
+
+From: anvithdosapati <anvithdosapati@google.com>
+
+[ Upstream commit 2e083cd802294693a5414e4557a183dd7e442e71 ]
+
+In ufshcd_host_reset_and_restore(), scale up clocks only when clock
+scaling is supported. Without this change CPU latency is voted for 0
+(ufshcd_pm_qos_update) during resume unconditionally.
+
+Signed-off-by: anvithdosapati <anvithdosapati@google.com>
+Link: https://lore.kernel.org/r/20250616085734.2133581-1-anvithdosapati@google.com
+Fixes: a3cd5ec55f6c ("scsi: ufs: add load based scaling of UFS gear")
+Cc: stable@vger.kernel.org
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ufs/core/ufshcd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
+index fa86942efd11f..da20bd3d46bc7 100644
+--- a/drivers/ufs/core/ufshcd.c
++++ b/drivers/ufs/core/ufshcd.c
+@@ -7780,7 +7780,8 @@ static int ufshcd_host_reset_and_restore(struct ufs_hba *hba)
+ hba->silence_err_logs = false;
+
+ /* scale up clocks to max frequency before full reinitialization */
+- ufshcd_scale_clks(hba, ULONG_MAX, true);
++ if (ufshcd_is_clkscaling_supported(hba))
++ ufshcd_scale_clks(hba, ULONG_MAX, true);
+
+ err = ufshcd_hba_enable(hba);
+
+--
+2.39.5
+
--- /dev/null
+From 3b362e3f3e511309e96869647eafb0e5409736d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jun 2025 11:16:44 -0700
+Subject: scsi: ufs: core: Fix spelling of a sysfs attribute name
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit 021f243627ead17eb6500170256d3d9be787dad8 ]
+
+Change "resourse" into "resource" in the name of a sysfs attribute.
+
+Fixes: d829fc8a1058 ("scsi: ufs: sysfs: unit descriptor")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://lore.kernel.org/r/20250624181658.336035-1-bvanassche@acm.org
+Reviewed-by: Avri Altman <avri.altman@sandisk.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/ABI/testing/sysfs-driver-ufs | 2 +-
+ drivers/ufs/core/ufs-sysfs.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/Documentation/ABI/testing/sysfs-driver-ufs b/Documentation/ABI/testing/sysfs-driver-ufs
+index 0c7efaf62de0c..84131641580c9 100644
+--- a/Documentation/ABI/testing/sysfs-driver-ufs
++++ b/Documentation/ABI/testing/sysfs-driver-ufs
+@@ -711,7 +711,7 @@ Description: This file shows the thin provisioning type. This is one of
+
+ The file is read only.
+
+-What: /sys/class/scsi_device/*/device/unit_descriptor/physical_memory_resourse_count
++What: /sys/class/scsi_device/*/device/unit_descriptor/physical_memory_resource_count
+ Date: February 2018
+ Contact: Stanislav Nijnikov <stanislav.nijnikov@wdc.com>
+ Description: This file shows the total physical memory resources. This is
+diff --git a/drivers/ufs/core/ufs-sysfs.c b/drivers/ufs/core/ufs-sysfs.c
+index 3692b39b35e78..6c48255dfff02 100644
+--- a/drivers/ufs/core/ufs-sysfs.c
++++ b/drivers/ufs/core/ufs-sysfs.c
+@@ -1278,7 +1278,7 @@ UFS_UNIT_DESC_PARAM(logical_block_size, _LOGICAL_BLK_SIZE, 1);
+ UFS_UNIT_DESC_PARAM(logical_block_count, _LOGICAL_BLK_COUNT, 8);
+ UFS_UNIT_DESC_PARAM(erase_block_size, _ERASE_BLK_SIZE, 4);
+ UFS_UNIT_DESC_PARAM(provisioning_type, _PROVISIONING_TYPE, 1);
+-UFS_UNIT_DESC_PARAM(physical_memory_resourse_count, _PHY_MEM_RSRC_CNT, 8);
++UFS_UNIT_DESC_PARAM(physical_memory_resource_count, _PHY_MEM_RSRC_CNT, 8);
+ UFS_UNIT_DESC_PARAM(context_capabilities, _CTX_CAPABILITIES, 2);
+ UFS_UNIT_DESC_PARAM(large_unit_granularity, _LARGE_UNIT_SIZE_M1, 1);
+ UFS_UNIT_DESC_PARAM(wb_buf_alloc_units, _WB_BUF_ALLOC_UNITS, 4);
+@@ -1295,7 +1295,7 @@ static struct attribute *ufs_sysfs_unit_descriptor[] = {
+ &dev_attr_logical_block_count.attr,
+ &dev_attr_erase_block_size.attr,
+ &dev_attr_provisioning_type.attr,
+- &dev_attr_physical_memory_resourse_count.attr,
++ &dev_attr_physical_memory_resource_count.attr,
+ &dev_attr_context_capabilities.attr,
+ &dev_attr_large_unit_granularity.attr,
+ &dev_attr_wb_buf_alloc_units.attr,
+--
+2.39.5
+
mtk-sd-fix-a-pagefault-in-dma_unmap_sg-for-not-prepared-data.patch
mtk-sd-prevent-memory-corruption-from-dma-map-failure.patch
mtk-sd-reset-host-mrq-on-prepare_data-error.patch
+arm64-dts-apple-t8103-fix-pcie-bcm4377-nodename.patch
+platform-mellanox-mlxbf-tmfifo-fix-vring_desc.len-as.patch
+rdma-mlx5-initialize-obj_event-obj_sub_list-before-x.patch
+nfs-clean-up-proc-net-rpc-nfs-when-nfs_fs_proc_net_i.patch
+nfsv4-pnfs-fix-a-race-to-wake-on-nfs_layout_drain.patch
+scsi-qla2xxx-fix-dma-mapping-test-in-qla24xx_get_por.patch
+scsi-qla4xxx-fix-missing-dma-mapping-error-in-qla4xx.patch
+scsi-ufs-core-fix-spelling-of-a-sysfs-attribute-name.patch
+rdma-mlx5-fix-hw-counters-query-for-non-representor-.patch
+rdma-mlx5-fix-cc-counters-query-for-mpv.patch
+rdma-mlx5-fix-vport-loopback-for-mpv-device.patch
+platform-mellanox-nvsw-sn2201-fix-bus-number-in-adap.patch
+bluetooth-prevent-unintended-pause-by-checking-if-ad.patch
+btrfs-fix-missing-error-handling-when-searching-for-.patch
+btrfs-fix-iteration-of-extrefs-during-log-replay.patch
+btrfs-rename-err-to-ret-in-btrfs_rmdir.patch
+btrfs-propagate-last_unlink_trans-earlier-when-doing.patch
+btrfs-use-btrfs_record_snapshot_destroy-during-rmdir.patch
+ethernet-atl1-add-missing-dma-mapping-error-checks-a.patch
+dpaa2-eth-fix-xdp_rxq_info-leak.patch
+drm-exynos-fimd-guard-display-clock-control-with-run.patch
+spi-spi-fsl-dspi-clear-completion-counter-before-ini.patch
+drm-i915-selftests-change-mock_request-to-return-err.patch
+platform-x86-dell-wmi-sysman-fix-wmi-data-block-retr.patch
+arm64-dts-qcom-sm8550-add-uart14-nodes.patch
+platform-x86-make-fw_attr_class-constant.patch
+platform-x86-firmware_attributes_class-move-include-.patch
+platform-x86-firmware_attributes_class-simplify-api.patch
+platform-x86-think-lmi-directly-use-firmware_attribu.patch
+platform-x86-think-lmi-fix-class-device-unregistrati.patch
+platform-x86-dell-sysman-directly-use-firmware_attri.patch
+platform-x86-dell-wmi-sysman-fix-class-device-unregi.patch
+platform-mellanox-mlxreg-lc-fix-logic-error-in-power.patch
+smb-client-fix-warning-when-reconnecting-channel.patch
+net-usb-lan78xx-fix-warn-in-__netif_napi_del_locked-.patch
+drm-i915-gt-fix-timeline-left-held-on-vma-alloc-erro.patch
+drm-i915-gsc-mei-interrupt-top-half-should-be-in-irq.patch
+igc-disable-l1.2-pci-e-link-substate-to-avoid-perfor.patch
+lib-test_objagg-set-error-message-in-check_expect_hi.patch
+amd-xgbe-align-cl37-an-sequence-as-per-databook.patch
+enic-fix-incorrect-mtu-comparison-in-enic_change_mtu.patch
+rose-fix-dangling-neighbour-pointers-in-rose_rt_devi.patch
+nui-fix-dma_mapping_error-check.patch
+net-sched-always-pass-notifications-when-child-class.patch
+amd-xgbe-do-not-double-read-link-status.patch
+smb-client-fix-race-condition-in-negotiate-timeout-b.patch
+revert-drm-i915-gem-allow-exec_capture-on-recoverabl.patch
+btrfs-fix-qgroup-reservation-leak-on-failure-to-allo.patch
+smb-client-remove-t-from-tp_printk-statements.patch
+bluetooth-hci_core-fix-use-after-free-in-vhci_flush.patch
+wifi-mac80211-chan-chandef-is-non-null-for-reserved.patch
+wifi-mac80211-add-link-iteration-macro-for-link-data.patch
+wifi-mac80211-finish-link-init-before-rcu-publish.patch
+bnxt-properly-flush-xdp-redirect-lists.patch
+x86-traps-initialize-dr6-by-writing-its-architectura.patch
+f2fs-add-tracepoint-for-f2fs_vm_page_mkwrite.patch
+f2fs-prevent-writing-without-fallocate-for-pinned-fi.patch
+f2fs-convert-f2fs_vm_page_mkwrite-to-use-folio.patch
+f2fs-fix-to-zero-post-eof-page.patch
+scsi-ufs-core-fix-abnormal-scale-up-after-last-cmd-f.patch
+scsi-ufs-core-add-opp-support-for-scaling-clocks-and.patch
+scsi-ufs-core-fix-clk-scaling-to-be-conditional-in-r.patch
+drm-simpledrm-do-not-upcast-in-release-helpers.patch
+drm-i915-dp_mst-work-around-thunderbolt-sink-disconn.patch
+drm-msm-fix-a-fence-leak-in-submit-error-path.patch
+drm-msm-fix-another-leak-in-the-submit-error-path.patch
+alsa-sb-don-t-allow-changing-the-dma-mode-during-ope.patch
+alsa-sb-force-to-disable-dmas-once-when-dma-mode-is-.patch
+ata-libata-acpi-do-not-assume-40-wire-cable-if-no-de.patch
+ata-pata_cs5536-fix-build-on-32-bit-uml.patch
+asoc-amd-yc-add-quirk-for-msi-bravo-17-d7vf-internal.patch
+platform-x86-amd-pmc-add-pcspecialist-lafite-pro-v-1.patch
+powerpc-fix-struct-termio-related-ioctl-macros.patch
+asoc-amd-yc-update-quirk-data-for-hp-victus.patch
+regulator-fan53555-add-enable_time-support-and-soft-.patch
+scsi-target-fix-null-pointer-dereference-in-core_scs.patch
+aoe-defer-rexmit-timer-downdev-work-to-workqueue.patch
+wifi-mac80211-drop-invalid-source-address-ocb-frames.patch
+wifi-ath6kl-remove-warn-on-bad-firmware-input.patch
+acpica-refuse-to-evaluate-a-method-if-arguments-are-.patch
+mtd-spinand-fix-memory-leak-of-ecc-engine-conf.patch
+rcu-return-early-if-callback-is-not-specified.patch
+drm-v3d-disable-interrupts-before-resetting-the-gpu.patch
+platform-x86-hp-bioscfg-directly-use-firmware_attrib.patch
+platform-x86-hp-bioscfg-fix-class-device-unregistrat.patch
--- /dev/null
+From fd0a6ca46f5b8552fac836c4b597910bb1a39aaa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 21:29:52 +0800
+Subject: smb: client: fix race condition in negotiate timeout by using more
+ precise timing
+
+From: Wang Zhaolong <wangzhaolong@huaweicloud.com>
+
+[ Upstream commit 266b5d02e14f3a0e07414e11f239397de0577a1d ]
+
+When the SMB server reboots and the client immediately accesses the mount
+point, a race condition can occur that causes operations to fail with
+"Host is down" error.
+
+Reproduction steps:
+ # Mount SMB share
+ mount -t cifs //192.168.245.109/TEST /mnt/ -o xxxx
+ ls /mnt
+
+ # Reboot server
+ ssh root@192.168.245.109 reboot
+ ssh root@192.168.245.109 /path/to/cifs_server_setup.sh
+ ssh root@192.168.245.109 systemctl stop firewalld
+
+ # Immediate access fails
+ ls /mnt
+ ls: cannot access '/mnt': Host is down
+
+ # But works if there is a delay
+
+The issue is caused by a race condition between negotiate and reconnect.
+The 20-second negotiate timeout mechanism can interfere with the normal
+recovery process when both are triggered simultaneously.
+
+ ls cifsd
+---------------------------------------------------
+ cifs_getattr
+ cifs_revalidate_dentry
+ cifs_get_inode_info
+ cifs_get_fattr
+ smb2_query_path_info
+ smb2_compound_op
+ SMB2_open_init
+ smb2_reconnect
+ cifs_negotiate_protocol
+ smb2_negotiate
+ cifs_send_recv
+ smb_send_rqst
+ wait_for_response
+ cifs_demultiplex_thread
+ cifs_read_from_socket
+ cifs_readv_from_socket
+ server_unresponsive
+ cifs_reconnect
+ __cifs_reconnect
+ cifs_abort_connection
+ mid->mid_state = MID_RETRY_NEEDED
+ cifs_wake_up_task
+ cifs_sync_mid_result
+ // case MID_RETRY_NEEDED
+ rc = -EAGAIN;
+ // In smb2_negotiate()
+ rc = -EHOSTDOWN;
+
+The server_unresponsive() timeout triggers cifs_reconnect(), which aborts
+ongoing mid requests and causes the ls command to receive -EAGAIN, leading
+to -EHOSTDOWN.
+
+Fix this by introducing a dedicated `neg_start` field to
+precisely tracks when the negotiate process begins. The timeout check
+now uses this accurate timestamp instead of `lstrp`, ensuring that:
+
+1. Timeout is only triggered after negotiate has actually run for 20s
+2. The mechanism doesn't interfere with concurrent recovery processes
+3. Uninitialized timestamps (value 0) don't trigger false timeouts
+
+Fixes: 7ccc1465465d ("smb: client: fix hang in wait_for_response() for negproto")
+Signed-off-by: Wang Zhaolong <wangzhaolong@huaweicloud.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/cifsglob.h | 1 +
+ fs/smb/client/connect.c | 7 ++++---
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/fs/smb/client/cifsglob.h b/fs/smb/client/cifsglob.h
+index a6020f7408fe5..5c856adf7be9e 100644
+--- a/fs/smb/client/cifsglob.h
++++ b/fs/smb/client/cifsglob.h
+@@ -743,6 +743,7 @@ struct TCP_Server_Info {
+ __le32 session_key_id; /* retrieved from negotiate response and send in session setup request */
+ struct session_key session_key;
+ unsigned long lstrp; /* when we got last response from this server */
++ unsigned long neg_start; /* when negotiate started (jiffies) */
+ struct cifs_secmech secmech; /* crypto sec mech functs, descriptors */
+ #define CIFS_NEGFLAVOR_UNENCAP 1 /* wct == 17, but no ext_sec */
+ #define CIFS_NEGFLAVOR_EXTENDED 2 /* wct == 17, ext_sec bit set */
+diff --git a/fs/smb/client/connect.c b/fs/smb/client/connect.c
+index 454420aa02220..8298d1745f9b9 100644
+--- a/fs/smb/client/connect.c
++++ b/fs/smb/client/connect.c
+@@ -677,12 +677,12 @@ server_unresponsive(struct TCP_Server_Info *server)
+ /*
+ * If we're in the process of mounting a share or reconnecting a session
+ * and the server abruptly shut down (e.g. socket wasn't closed, packet
+- * had been ACK'ed but no SMB response), don't wait longer than 20s to
+- * negotiate protocol.
++ * had been ACK'ed but no SMB response), don't wait longer than 20s from
++ * when negotiate actually started.
+ */
+ spin_lock(&server->srv_lock);
+ if (server->tcpStatus == CifsInNegotiate &&
+- time_after(jiffies, server->lstrp + 20 * HZ)) {
++ time_after(jiffies, server->neg_start + 20 * HZ)) {
+ spin_unlock(&server->srv_lock);
+ cifs_reconnect(server, false);
+ return true;
+@@ -3998,6 +3998,7 @@ cifs_negotiate_protocol(const unsigned int xid, struct cifs_ses *ses,
+
+ server->lstrp = jiffies;
+ server->tcpStatus = CifsInNegotiate;
++ server->neg_start = jiffies;
+ spin_unlock(&server->srv_lock);
+
+ rc = server->ops->negotiate(xid, ses, server);
+--
+2.39.5
+
--- /dev/null
+From a02c564dce9873aeeaf35673cc37a0177738a914 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jun 2025 00:00:17 -0300
+Subject: smb: client: fix warning when reconnecting channel
+
+From: Paulo Alcantara <pc@manguebit.org>
+
+[ Upstream commit 3bbe46716092d8ef6b0df4b956f585c5cd0fc78e ]
+
+When reconnecting a channel in smb2_reconnect_server(), a dummy tcon
+is passed down to smb2_reconnect() with ->query_interface
+uninitialized, so we can't call queue_delayed_work() on it.
+
+Fix the following warning by ensuring that we're queueing the delayed
+worker from correct tcon.
+
+WARNING: CPU: 4 PID: 1126 at kernel/workqueue.c:2498 __queue_delayed_work+0x1d2/0x200
+Modules linked in: cifs cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs]
+CPU: 4 UID: 0 PID: 1126 Comm: kworker/4:0 Not tainted 6.16.0-rc3 #5 PREEMPT(voluntary)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-4.fc42 04/01/2014
+Workqueue: cifsiod smb2_reconnect_server [cifs]
+RIP: 0010:__queue_delayed_work+0x1d2/0x200
+Code: 41 5e 41 5f e9 7f ee ff ff 90 0f 0b 90 e9 5d ff ff ff bf 02 00
+00 00 e8 6c f3 07 00 89 c3 eb bd 90 0f 0b 90 e9 57 f> 0b 90 e9 65 fe
+ff ff 90 0f 0b 90 e9 72 fe ff ff 90 0f 0b 90 e9
+RSP: 0018:ffffc900014afad8 EFLAGS: 00010003
+RAX: 0000000000000000 RBX: ffff888124d99988 RCX: ffffffff81399cc1
+RDX: dffffc0000000000 RSI: ffff888114326e00 RDI: ffff888124d999f0
+RBP: 000000000000ea60 R08: 0000000000000001 R09: ffffed10249b3331
+R10: ffff888124d9998f R11: 0000000000000004 R12: 0000000000000040
+R13: ffff888114326e00 R14: ffff888124d999d8 R15: ffff888114939020
+FS: 0000000000000000(0000) GS:ffff88829f7fe000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007ffe7a2b4038 CR3: 0000000120a6f000 CR4: 0000000000750ef0
+PKRU: 55555554
+Call Trace:
+ <TASK>
+ queue_delayed_work_on+0xb4/0xc0
+ smb2_reconnect+0xb22/0xf50 [cifs]
+ smb2_reconnect_server+0x413/0xd40 [cifs]
+ ? __pfx_smb2_reconnect_server+0x10/0x10 [cifs]
+ ? local_clock_noinstr+0xd/0xd0
+ ? local_clock+0x15/0x30
+ ? lock_release+0x29b/0x390
+ process_one_work+0x4c5/0xa10
+ ? __pfx_process_one_work+0x10/0x10
+ ? __list_add_valid_or_report+0x37/0x120
+ worker_thread+0x2f1/0x5a0
+ ? __kthread_parkme+0xde/0x100
+ ? __pfx_worker_thread+0x10/0x10
+ kthread+0x1fe/0x380
+ ? kthread+0x10f/0x380
+ ? __pfx_kthread+0x10/0x10
+ ? local_clock_noinstr+0xd/0xd0
+ ? ret_from_fork+0x1b/0x1f0
+ ? local_clock+0x15/0x30
+ ? lock_release+0x29b/0x390
+ ? rcu_is_watching+0x20/0x50
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork+0x15b/0x1f0
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork_asm+0x1a/0x30
+ </TASK>
+irq event stamp: 1116206
+hardirqs last enabled at (1116205): [<ffffffff8143af42>] __up_console_sem+0x52/0x60
+hardirqs last disabled at (1116206): [<ffffffff81399f0e>] queue_delayed_work_on+0x6e/0xc0
+softirqs last enabled at (1116138): [<ffffffffc04562fd>] __smb_send_rqst+0x42d/0x950 [cifs]
+softirqs last disabled at (1116136): [<ffffffff823d35e1>] release_sock+0x21/0xf0
+
+Cc: linux-cifs@vger.kernel.org
+Reported-by: David Howells <dhowells@redhat.com>
+Fixes: 42ca547b13a2 ("cifs: do not disable interface polling on failure")
+Reviewed-by: David Howells <dhowells@redhat.com>
+Tested-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Shyam Prasad N <nspmangalore@gmail.com>
+Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Tested-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/cifsglob.h | 1 +
+ fs/smb/client/smb2pdu.c | 10 ++++------
+ 2 files changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/fs/smb/client/cifsglob.h b/fs/smb/client/cifsglob.h
+index d776340ad91ce..a6020f7408fe5 100644
+--- a/fs/smb/client/cifsglob.h
++++ b/fs/smb/client/cifsglob.h
+@@ -1268,6 +1268,7 @@ struct cifs_tcon {
+ bool use_persistent:1; /* use persistent instead of durable handles */
+ bool no_lease:1; /* Do not request leases on files or directories */
+ bool use_witness:1; /* use witness protocol */
++ bool dummy:1; /* dummy tcon used for reconnecting channels */
+ __le32 capabilities;
+ __u32 share_flags;
+ __u32 maximal_access;
+diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c
+index e0f5860093305..357abb0170c49 100644
+--- a/fs/smb/client/smb2pdu.c
++++ b/fs/smb/client/smb2pdu.c
+@@ -437,9 +437,9 @@ smb2_reconnect(__le16 smb2_command, struct cifs_tcon *tcon,
+ free_xid(xid);
+ ses->flags &= ~CIFS_SES_FLAGS_PENDING_QUERY_INTERFACES;
+
+- /* regardless of rc value, setup polling */
+- queue_delayed_work(cifsiod_wq, &tcon->query_interfaces,
+- (SMB_INTERFACE_POLL_INTERVAL * HZ));
++ if (!tcon->ipc && !tcon->dummy)
++ queue_delayed_work(cifsiod_wq, &tcon->query_interfaces,
++ (SMB_INTERFACE_POLL_INTERVAL * HZ));
+
+ mutex_unlock(&ses->session_mutex);
+
+@@ -4228,10 +4228,8 @@ void smb2_reconnect_server(struct work_struct *work)
+ }
+ goto done;
+ }
+-
+ tcon->status = TID_GOOD;
+- tcon->retry = false;
+- tcon->need_reconnect = false;
++ tcon->dummy = true;
+
+ /* now reconnect sessions for necessary channels */
+ list_for_each_entry_safe(ses, ses2, &tmp_ses_list, rlist) {
+--
+2.39.5
+
--- /dev/null
+From 26cf1de3fad223c75fcc74ca1ef2cb07aebfe71d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Jul 2025 05:03:16 -0400
+Subject: smb: client: remove \t from TP_printk statements
+
+From: Stefan Metzmacher <metze@samba.org>
+
+[ Upstream commit e97f9540ce001503a4539f337da742c1dfa7d86a ]
+
+The generate '[FAILED TO PARSE]' strings in trace-cmd report output like this:
+
+ rm-5298 [001] 6084.533748493: smb3_exit_err: [FAILED TO PARSE] xid=972 func_name=cifs_rmdir rc=-39
+ rm-5298 [001] 6084.533959234: smb3_enter: [FAILED TO PARSE] xid=973 func_name=cifs_closedir
+ rm-5298 [001] 6084.533967630: smb3_close_enter: [FAILED TO PARSE] xid=973 fid=94489281833 tid=1 sesid=96758029877361
+ rm-5298 [001] 6084.534004008: smb3_cmd_enter: [FAILED TO PARSE] tid=1 sesid=96758029877361 cmd=6 mid=566
+ rm-5298 [001] 6084.552248232: smb3_cmd_done: [FAILED TO PARSE] tid=1 sesid=96758029877361 cmd=6 mid=566
+ rm-5298 [001] 6084.552280542: smb3_close_done: [FAILED TO PARSE] xid=973 fid=94489281833 tid=1 sesid=96758029877361
+ rm-5298 [001] 6084.552316034: smb3_exit_done: [FAILED TO PARSE] xid=973 func_name=cifs_closedir
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/trace.h | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/fs/smb/client/trace.h b/fs/smb/client/trace.h
+index 563cb4d8edf0c..4dfdc521c5c98 100644
+--- a/fs/smb/client/trace.h
++++ b/fs/smb/client/trace.h
+@@ -114,7 +114,7 @@ DECLARE_EVENT_CLASS(smb3_rw_err_class,
+ __entry->len = len;
+ __entry->rc = rc;
+ ),
+- TP_printk("\txid=%u sid=0x%llx tid=0x%x fid=0x%llx offset=0x%llx len=0x%x rc=%d",
++ TP_printk("xid=%u sid=0x%llx tid=0x%x fid=0x%llx offset=0x%llx len=0x%x rc=%d",
+ __entry->xid, __entry->sesid, __entry->tid, __entry->fid,
+ __entry->offset, __entry->len, __entry->rc)
+ )
+@@ -247,7 +247,7 @@ DECLARE_EVENT_CLASS(smb3_fd_class,
+ __entry->tid = tid;
+ __entry->sesid = sesid;
+ ),
+- TP_printk("\txid=%u sid=0x%llx tid=0x%x fid=0x%llx",
++ TP_printk("xid=%u sid=0x%llx tid=0x%x fid=0x%llx",
+ __entry->xid, __entry->sesid, __entry->tid, __entry->fid)
+ )
+
+@@ -286,7 +286,7 @@ DECLARE_EVENT_CLASS(smb3_fd_err_class,
+ __entry->sesid = sesid;
+ __entry->rc = rc;
+ ),
+- TP_printk("\txid=%u sid=0x%llx tid=0x%x fid=0x%llx rc=%d",
++ TP_printk("xid=%u sid=0x%llx tid=0x%x fid=0x%llx rc=%d",
+ __entry->xid, __entry->sesid, __entry->tid, __entry->fid,
+ __entry->rc)
+ )
+@@ -558,7 +558,7 @@ DECLARE_EVENT_CLASS(smb3_cmd_err_class,
+ __entry->status = status;
+ __entry->rc = rc;
+ ),
+- TP_printk("\tsid=0x%llx tid=0x%x cmd=%u mid=%llu status=0x%x rc=%d",
++ TP_printk("sid=0x%llx tid=0x%x cmd=%u mid=%llu status=0x%x rc=%d",
+ __entry->sesid, __entry->tid, __entry->cmd, __entry->mid,
+ __entry->status, __entry->rc)
+ )
+@@ -593,7 +593,7 @@ DECLARE_EVENT_CLASS(smb3_cmd_done_class,
+ __entry->cmd = cmd;
+ __entry->mid = mid;
+ ),
+- TP_printk("\tsid=0x%llx tid=0x%x cmd=%u mid=%llu",
++ TP_printk("sid=0x%llx tid=0x%x cmd=%u mid=%llu",
+ __entry->sesid, __entry->tid,
+ __entry->cmd, __entry->mid)
+ )
+@@ -631,7 +631,7 @@ DECLARE_EVENT_CLASS(smb3_mid_class,
+ __entry->when_sent = when_sent;
+ __entry->when_received = when_received;
+ ),
+- TP_printk("\tcmd=%u mid=%llu pid=%u, when_sent=%lu when_rcv=%lu",
++ TP_printk("cmd=%u mid=%llu pid=%u, when_sent=%lu when_rcv=%lu",
+ __entry->cmd, __entry->mid, __entry->pid, __entry->when_sent,
+ __entry->when_received)
+ )
+@@ -662,7 +662,7 @@ DECLARE_EVENT_CLASS(smb3_exit_err_class,
+ __assign_str(func_name, func_name);
+ __entry->rc = rc;
+ ),
+- TP_printk("\t%s: xid=%u rc=%d",
++ TP_printk("%s: xid=%u rc=%d",
+ __get_str(func_name), __entry->xid, __entry->rc)
+ )
+
+@@ -688,7 +688,7 @@ DECLARE_EVENT_CLASS(smb3_sync_err_class,
+ __entry->ino = ino;
+ __entry->rc = rc;
+ ),
+- TP_printk("\tino=%lu rc=%d",
++ TP_printk("ino=%lu rc=%d",
+ __entry->ino, __entry->rc)
+ )
+
+@@ -714,7 +714,7 @@ DECLARE_EVENT_CLASS(smb3_enter_exit_class,
+ __entry->xid = xid;
+ __assign_str(func_name, func_name);
+ ),
+- TP_printk("\t%s: xid=%u",
++ TP_printk("%s: xid=%u",
+ __get_str(func_name), __entry->xid)
+ )
+
+--
+2.39.5
+
--- /dev/null
+From dc196ab9715a91fe408ff4bd0aaf9a739bc8cdf2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 11:21:37 +0100
+Subject: spi: spi-fsl-dspi: Clear completion counter before initiating
+ transfer
+
+From: James Clark <james.clark@linaro.org>
+
+[ Upstream commit fa60c094c19b97e103d653f528f8d9c178b6a5f5 ]
+
+In target mode, extra interrupts can be received between the end of a
+transfer and halting the module if the host continues sending more data.
+If the interrupt from this occurs after the reinit_completion() then the
+completion counter is left at a non-zero value. The next unrelated
+transfer initiated by userspace will then complete immediately without
+waiting for the interrupt or writing to the RX buffer.
+
+Fix it by resetting the counter before the transfer so that lingering
+values are cleared. This is done after clearing the FIFOs and the
+status register but before the transfer is initiated, so no interrupts
+should be received at this point resulting in other race conditions.
+
+Fixes: 4f5ee75ea171 ("spi: spi-fsl-dspi: Replace interruptible wait queue with a simple completion")
+Signed-off-by: James Clark <james.clark@linaro.org>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Link: https://patch.msgid.link/20250627-james-nxp-spi-dma-v4-1-178dba20c120@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-fsl-dspi.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-fsl-dspi.c b/drivers/spi/spi-fsl-dspi.c
+index 7dd94369abb47..3206c84c6f22f 100644
+--- a/drivers/spi/spi-fsl-dspi.c
++++ b/drivers/spi/spi-fsl-dspi.c
+@@ -988,11 +988,20 @@ static int dspi_transfer_one_message(struct spi_controller *ctlr,
+ if (dspi->devtype_data->trans_mode == DSPI_DMA_MODE) {
+ status = dspi_dma_xfer(dspi);
+ } else {
++ /*
++ * Reinitialize the completion before transferring data
++ * to avoid the case where it might remain in the done
++ * state due to a spurious interrupt from a previous
++ * transfer. This could falsely signal that the current
++ * transfer has completed.
++ */
++ if (dspi->irq)
++ reinit_completion(&dspi->xfer_done);
++
+ dspi_fifo_write(dspi);
+
+ if (dspi->irq) {
+ wait_for_completion(&dspi->xfer_done);
+- reinit_completion(&dspi->xfer_done);
+ } else {
+ do {
+ status = dspi_poll(dspi);
+--
+2.39.5
+
--- /dev/null
+From 4fc56cd5ffd8de4152d645d1b704761cc55f8c65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jun 2025 11:45:29 +0200
+Subject: wifi: ath6kl: remove WARN on bad firmware input
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit e7417421d89358da071fd2930f91e67c7128fbff ]
+
+If the firmware gives bad input, that's nothing to do with
+the driver's stack at this point etc., so the WARN_ON()
+doesn't add any value. Additionally, this is one of the
+top syzbot reports now. Just print a message, and as an
+added bonus, print the sizes too.
+
+Reported-by: syzbot+92c6dd14aaa230be6855@syzkaller.appspotmail.com
+Tested-by: syzbot+92c6dd14aaa230be6855@syzkaller.appspotmail.com
+Acked-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250617114529.031a677a348e.I58bf1eb4ac16a82c546725ff010f3f0d2b0cca49@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath6kl/bmi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath6kl/bmi.c b/drivers/net/wireless/ath/ath6kl/bmi.c
+index af98e871199d3..5a9e93fd1ef42 100644
+--- a/drivers/net/wireless/ath/ath6kl/bmi.c
++++ b/drivers/net/wireless/ath/ath6kl/bmi.c
+@@ -87,7 +87,9 @@ int ath6kl_bmi_get_target_info(struct ath6kl *ar,
+ * We need to do some backwards compatibility to make this work.
+ */
+ if (le32_to_cpu(targ_info->byte_count) != sizeof(*targ_info)) {
+- WARN_ON(1);
++ ath6kl_err("mismatched byte count %d vs. expected %zd\n",
++ le32_to_cpu(targ_info->byte_count),
++ sizeof(*targ_info));
+ return -EINVAL;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 89549b7686d6a136bfbfec5465fbf3c60f8e8ce3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Mar 2025 14:31:23 -0700
+Subject: wifi: mac80211: Add link iteration macro for link data
+
+From: Muna Sinada <muna.sinada@oss.qualcomm.com>
+
+[ Upstream commit f61c7b3d442bef91dd432d468d08f72eadcc3209 ]
+
+Currently before iterating through valid links we are utilizing
+open-coding when checking if vif valid_links is a non-zero value.
+
+Add new macro, for_each_link_data(), which iterates through link_id
+and checks if it is set on vif valid_links. If it is a valid link then
+access link data for that link id.
+
+Signed-off-by: Muna Sinada <muna.sinada@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250325213125.1509362-2-muna.sinada@oss.qualcomm.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Stable-dep-of: d87c3ca0f8f1 ("wifi: mac80211: finish link init before RCU publish")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/ieee80211_i.h | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
+index 04c876d78d3bf..44aad3394084b 100644
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -1186,6 +1186,15 @@ ieee80211_vif_get_shift(struct ieee80211_vif *vif)
+ return shift;
+ }
+
++#define for_each_link_data(sdata, __link) \
++ struct ieee80211_sub_if_data *__sdata = sdata; \
++ for (int __link_id = 0; \
++ __link_id < ARRAY_SIZE((__sdata)->link); __link_id++) \
++ if ((!(__sdata)->vif.valid_links || \
++ (__sdata)->vif.valid_links & BIT(__link_id)) && \
++ ((__link) = sdata_dereference((__sdata)->link[__link_id], \
++ (__sdata))))
++
+ static inline int
+ ieee80211_get_mbssid_beacon_len(struct cfg80211_mbssid_elems *elems,
+ struct cfg80211_rnr_elems *rnr_elems,
+--
+2.39.5
+
--- /dev/null
+From 637e7d88bbfb5cc744ef7067204fe6ad5f0cb7f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jan 2024 19:34:39 +0100
+Subject: wifi: mac80211: chan: chandef is non-NULL for reserved
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 9bf7079bc2271321fac467cae981c44e495b76b9 ]
+
+The last caller of this with a NULL argument was related to
+the non-chanctx code, so we can now remove this odd logic.
+
+Reviewed-by: Miriam Rachel Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://msgid.link/20240129194108.bad8ec1e76c8.I12287452f42c54baf75821e75491cf6d021af20a@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Stable-dep-of: d87c3ca0f8f1 ("wifi: mac80211: finish link init before RCU publish")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/chan.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c
+index 68952752b5990..31c4f112345ea 100644
+--- a/net/mac80211/chan.c
++++ b/net/mac80211/chan.c
+@@ -89,11 +89,11 @@ ieee80211_chanctx_reserved_chandef(struct ieee80211_local *local,
+
+ lockdep_assert_held(&local->chanctx_mtx);
+
++ if (WARN_ON(!compat))
++ return NULL;
++
+ list_for_each_entry(link, &ctx->reserved_links,
+ reserved_chanctx_list) {
+- if (!compat)
+- compat = &link->reserved_chandef;
+-
+ compat = cfg80211_chandef_compatible(&link->reserved_chandef,
+ compat);
+ if (!compat)
+--
+2.39.5
+
--- /dev/null
+From afe9ee3c4f9ef28ab58049228af6fd4ee0560d15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Jun 2025 17:18:38 +0200
+Subject: wifi: mac80211: drop invalid source address OCB frames
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit d1b1a5eb27c4948e8811cf4dbb05aaf3eb10700c ]
+
+In OCB, don't accept frames from invalid source addresses
+(and in particular don't try to create stations for them),
+drop the frames instead.
+
+Reported-by: syzbot+8b512026a7ec10dcbdd9@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/r/6788d2d9.050a0220.20d369.0028.GAE@google.com/
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Tested-by: syzbot+8b512026a7ec10dcbdd9@syzkaller.appspotmail.com
+Link: https://patch.msgid.link/20250616171838.7433379cab5d.I47444d63c72a0bd58d2e2b67bb99e1fea37eec6f@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/rx.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
+index 5eb233f619817..58665b6ae6354 100644
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -4419,6 +4419,10 @@ static bool ieee80211_accept_frame(struct ieee80211_rx_data *rx)
+ if (!multicast &&
+ !ether_addr_equal(sdata->dev->dev_addr, hdr->addr1))
+ return false;
++ /* reject invalid/our STA address */
++ if (!is_valid_ether_addr(hdr->addr2) ||
++ ether_addr_equal(sdata->dev->dev_addr, hdr->addr2))
++ return false;
+ if (!rx->sta) {
+ int rate_idx;
+ if (status->encoding != RX_ENC_LEGACY)
+--
+2.39.5
+
--- /dev/null
+From b067245894a63b6189104440e2f919f4cb6260f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jun 2025 13:07:49 +0200
+Subject: wifi: mac80211: finish link init before RCU publish
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit d87c3ca0f8f1ca4c25f2ed819e954952f4d8d709 ]
+
+Since the link/conf pointers can be accessed without any
+protection other than RCU, make sure the data is actually
+set up before publishing the structures.
+
+Fixes: b2e8434f1829 ("wifi: mac80211: set up/tear down client vif links properly")
+Link: https://patch.msgid.link/20250624130749.9a308b713c74.I4a80f5eead112a38730939ea591d2e275c721256@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/link.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/net/mac80211/link.c b/net/mac80211/link.c
+index 16cbaea93fc32..af4d2b2e9a26f 100644
+--- a/net/mac80211/link.c
++++ b/net/mac80211/link.c
+@@ -28,8 +28,16 @@ void ieee80211_link_init(struct ieee80211_sub_if_data *sdata,
+ if (link_id < 0)
+ link_id = 0;
+
+- rcu_assign_pointer(sdata->vif.link_conf[link_id], link_conf);
+- rcu_assign_pointer(sdata->link[link_id], link);
++ if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN) {
++ struct ieee80211_sub_if_data *ap_bss;
++ struct ieee80211_bss_conf *ap_bss_conf;
++
++ ap_bss = container_of(sdata->bss,
++ struct ieee80211_sub_if_data, u.ap);
++ ap_bss_conf = sdata_dereference(ap_bss->vif.link_conf[link_id],
++ ap_bss);
++ memcpy(link_conf, ap_bss_conf, sizeof(*link_conf));
++ }
+
+ link->sdata = sdata;
+ link->link_id = link_id;
+@@ -65,6 +73,9 @@ void ieee80211_link_init(struct ieee80211_sub_if_data *sdata,
+
+ ieee80211_link_debugfs_add(link);
+ }
++
++ rcu_assign_pointer(sdata->vif.link_conf[link_id], link_conf);
++ rcu_assign_pointer(sdata->link[link_id], link);
+ }
+
+ void ieee80211_link_stop(struct ieee80211_link_data *link)
+--
+2.39.5
+
--- /dev/null
+From 3a9c94ed1e8d078729ed30d4eae92513186e6544 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Jul 2025 07:43:08 -0400
+Subject: x86/traps: Initialize DR6 by writing its architectural reset value
+
+From: Xin Li (Intel) <xin@zytor.com>
+
+[ Upstream commit 5f465c148c61e876b6d6eacd8e8e365f2d47758f ]
+
+Initialize DR6 by writing its architectural reset value to avoid
+incorrectly zeroing DR6 to clear DR6.BLD at boot time, which leads
+to a false bus lock detected warning.
+
+The Intel SDM says:
+
+ 1) Certain debug exceptions may clear bits 0-3 of DR6.
+
+ 2) BLD induced #DB clears DR6.BLD and any other debug exception
+ doesn't modify DR6.BLD.
+
+ 3) RTM induced #DB clears DR6.RTM and any other debug exception
+ sets DR6.RTM.
+
+ To avoid confusion in identifying debug exceptions, debug handlers
+ should set DR6.BLD and DR6.RTM, and clear other DR6 bits before
+ returning.
+
+The DR6 architectural reset value 0xFFFF0FF0, already defined as
+macro DR6_RESERVED, satisfies these requirements, so just use it to
+reinitialize DR6 whenever needed.
+
+Since clear_all_debug_regs() no longer zeros all debug registers,
+rename it to initialize_debug_regs() to better reflect its current
+behavior.
+
+Since debug_read_clear_dr6() no longer clears DR6, rename it to
+debug_read_reset_dr6() to better reflect its current behavior.
+
+Fixes: ebb1064e7c2e9 ("x86/traps: Handle #DB for bus lock")
+Reported-by: Sohil Mehta <sohil.mehta@intel.com>
+Suggested-by: H. Peter Anvin (Intel) <hpa@zytor.com>
+Signed-off-by: Xin Li (Intel) <xin@zytor.com>
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Reviewed-by: H. Peter Anvin (Intel) <hpa@zytor.com>
+Reviewed-by: Sohil Mehta <sohil.mehta@intel.com>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Tested-by: Sohil Mehta <sohil.mehta@intel.com>
+Link: https://lore.kernel.org/lkml/06e68373-a92b-472e-8fd9-ba548119770c@intel.com/
+Cc:stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20250620231504.2676902-2-xin%40zytor.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/uapi/asm/debugreg.h | 21 +++++++++++++++++-
+ arch/x86/kernel/cpu/common.c | 21 +++++++++---------
+ arch/x86/kernel/traps.c | 32 +++++++++++++++++-----------
+ 3 files changed, 50 insertions(+), 24 deletions(-)
+
+diff --git a/arch/x86/include/uapi/asm/debugreg.h b/arch/x86/include/uapi/asm/debugreg.h
+index 0007ba077c0c2..41da492dfb01f 100644
+--- a/arch/x86/include/uapi/asm/debugreg.h
++++ b/arch/x86/include/uapi/asm/debugreg.h
+@@ -15,7 +15,26 @@
+ which debugging register was responsible for the trap. The other bits
+ are either reserved or not of interest to us. */
+
+-/* Define reserved bits in DR6 which are always set to 1 */
++/*
++ * Define bits in DR6 which are set to 1 by default.
++ *
++ * This is also the DR6 architectural value following Power-up, Reset or INIT.
++ *
++ * Note, with the introduction of Bus Lock Detection (BLD) and Restricted
++ * Transactional Memory (RTM), the DR6 register has been modified:
++ *
++ * 1) BLD flag (bit 11) is no longer reserved to 1 if the CPU supports
++ * Bus Lock Detection. The assertion of a bus lock could clear it.
++ *
++ * 2) RTM flag (bit 16) is no longer reserved to 1 if the CPU supports
++ * restricted transactional memory. #DB occurred inside an RTM region
++ * could clear it.
++ *
++ * Apparently, DR6.BLD and DR6.RTM are active low bits.
++ *
++ * As a result, DR6_RESERVED is an incorrect name now, but it is kept for
++ * compatibility.
++ */
+ #define DR6_RESERVED (0xFFFF0FF0)
+
+ #define DR_TRAP0 (0x1) /* db0 */
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
+index b6e43dad577a3..3390814de0a54 100644
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -2218,17 +2218,16 @@ EXPORT_PER_CPU_SYMBOL(__stack_chk_guard);
+ /*
+ * Clear all 6 debug registers:
+ */
+-static void clear_all_debug_regs(void)
++static void initialize_debug_regs(void)
+ {
+- int i;
+-
+- for (i = 0; i < 8; i++) {
+- /* Ignore db4, db5 */
+- if ((i == 4) || (i == 5))
+- continue;
+-
+- set_debugreg(0, i);
+- }
++ /* Control register first -- to make sure everything is disabled. */
++ set_debugreg(0, 7);
++ set_debugreg(DR6_RESERVED, 6);
++ /* dr5 and dr4 don't exist */
++ set_debugreg(0, 3);
++ set_debugreg(0, 2);
++ set_debugreg(0, 1);
++ set_debugreg(0, 0);
+ }
+
+ #ifdef CONFIG_KGDB
+@@ -2371,7 +2370,7 @@ void cpu_init(void)
+
+ load_mm_ldt(&init_mm);
+
+- clear_all_debug_regs();
++ initialize_debug_regs();
+ dbg_restore_debug_regs();
+
+ doublefault_init_cpu_tss();
+diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
+index 8718d58dd0fbe..a52db362a65d1 100644
+--- a/arch/x86/kernel/traps.c
++++ b/arch/x86/kernel/traps.c
+@@ -975,24 +975,32 @@ static bool is_sysenter_singlestep(struct pt_regs *regs)
+ #endif
+ }
+
+-static __always_inline unsigned long debug_read_clear_dr6(void)
++static __always_inline unsigned long debug_read_reset_dr6(void)
+ {
+ unsigned long dr6;
+
++ get_debugreg(dr6, 6);
++ dr6 ^= DR6_RESERVED; /* Flip to positive polarity */
++
+ /*
+ * The Intel SDM says:
+ *
+- * Certain debug exceptions may clear bits 0-3. The remaining
+- * contents of the DR6 register are never cleared by the
+- * processor. To avoid confusion in identifying debug
+- * exceptions, debug handlers should clear the register before
+- * returning to the interrupted task.
++ * Certain debug exceptions may clear bits 0-3 of DR6.
++ *
++ * BLD induced #DB clears DR6.BLD and any other debug
++ * exception doesn't modify DR6.BLD.
+ *
+- * Keep it simple: clear DR6 immediately.
++ * RTM induced #DB clears DR6.RTM and any other debug
++ * exception sets DR6.RTM.
++ *
++ * To avoid confusion in identifying debug exceptions,
++ * debug handlers should set DR6.BLD and DR6.RTM, and
++ * clear other DR6 bits before returning.
++ *
++ * Keep it simple: write DR6 with its architectural reset
++ * value 0xFFFF0FF0, defined as DR6_RESERVED, immediately.
+ */
+- get_debugreg(dr6, 6);
+ set_debugreg(DR6_RESERVED, 6);
+- dr6 ^= DR6_RESERVED; /* Flip to positive polarity */
+
+ return dr6;
+ }
+@@ -1188,19 +1196,19 @@ static __always_inline void exc_debug_user(struct pt_regs *regs,
+ /* IST stack entry */
+ DEFINE_IDTENTRY_DEBUG(exc_debug)
+ {
+- exc_debug_kernel(regs, debug_read_clear_dr6());
++ exc_debug_kernel(regs, debug_read_reset_dr6());
+ }
+
+ /* User entry, runs on regular task stack */
+ DEFINE_IDTENTRY_DEBUG_USER(exc_debug)
+ {
+- exc_debug_user(regs, debug_read_clear_dr6());
++ exc_debug_user(regs, debug_read_reset_dr6());
+ }
+ #else
+ /* 32 bit does not have separate entry points. */
+ DEFINE_IDTENTRY_RAW(exc_debug)
+ {
+- unsigned long dr6 = debug_read_clear_dr6();
++ unsigned long dr6 = debug_read_reset_dr6();
+
+ if (user_mode(regs))
+ exc_debug_user(regs, dr6);
+--
+2.39.5
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
