--- /dev/null
+From fed7a33873c47f72bc10b46b011d0e7bd0d1f74d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 14:17:45 +0200
+Subject: ACPICA: Refuse to evaluate a method if arguments are missing
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 6fcab2791543924d438e7fa49276d0998b0a069f ]
+
+As reported in [1], a platform firmware update that increased the number
+of method parameters and forgot to update a least one of its callers,
+caused ACPICA to crash due to use-after-free.
+
+Since this a result of a clear AML issue that arguably cannot be fixed
+up by the interpreter (it cannot produce missing data out of thin air),
+address it by making ACPICA refuse to evaluate a method if the caller
+attempts to pass fewer arguments than expected to it.
+
+Closes: https://github.com/acpica/acpica/issues/1027 [1]
+Reported-by: Peter Williams <peter@newton.cx>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Hans de Goede <hansg@kernel.org>
+Tested-by: Hans de Goede <hansg@kernel.org> # Dell XPS 9640 with BIOS 1.12.0
+Link: https://patch.msgid.link/5909446.DvuYhMxLoT@rjwysocki.net
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpica/dsmethod.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/acpi/acpica/dsmethod.c b/drivers/acpi/acpica/dsmethod.c
+index e809c2aed78ae..a232746d150a7 100644
+--- a/drivers/acpi/acpica/dsmethod.c
++++ b/drivers/acpi/acpica/dsmethod.c
+@@ -483,6 +483,13 @@ acpi_ds_call_control_method(struct acpi_thread_state *thread,
+ return_ACPI_STATUS(AE_NULL_OBJECT);
+ }
+
++ if (this_walk_state->num_operands < obj_desc->method.param_count) {
++ ACPI_ERROR((AE_INFO, "Missing argument for method [%4.4s]",
++ acpi_ut_get_node_name(method_node)));
++
++ return_ACPI_STATUS(AE_AML_UNINITIALIZED_ARG);
++ }
++
+ /* Init for new method, possibly wait on method mutex */
+
+ status =
+--
+2.39.5
+
--- /dev/null
+From bd77cc927a9dd1b99f5c0745a43a38ebc86206ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 08:43:19 +0200
+Subject: ALSA: sb: Don't allow changing the DMA mode during operations
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit ed29e073ba93f2d52832804cabdd831d5d357d33 ]
+
+When a PCM stream is already running, one shouldn't change the DMA
+mode via kcontrol, which may screw up the hardware. Return -EBUSY
+instead.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=218185
+Link: https://patch.msgid.link/20250610064322.26787-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/isa/sb/sb16_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/isa/sb/sb16_main.c b/sound/isa/sb/sb16_main.c
+index 74db115250030..c4930efd44e3a 100644
+--- a/sound/isa/sb/sb16_main.c
++++ b/sound/isa/sb/sb16_main.c
+@@ -703,6 +703,9 @@ static int snd_sb16_dma_control_put(struct snd_kcontrol *kcontrol, struct snd_ct
+ unsigned char nval, oval;
+ int change;
+
++ if (chip->mode & (SB_MODE_PLAYBACK | SB_MODE_CAPTURE))
++ return -EBUSY;
++
+ nval = ucontrol->value.enumerated.item[0];
+ if (nval > 2)
+ return -EINVAL;
+--
+2.39.5
+
--- /dev/null
+From 1b750ced45034a39862ae0a44610a6ef837e0433 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 08:43:20 +0200
+Subject: ALSA: sb: Force to disable DMAs once when DMA mode is changed
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 4c267ae2ef349639b4d9ebf00dd28586a82fdbe6 ]
+
+When the DMA mode is changed on the (still real!) SB AWE32 after
+playing a stream and closing, the previous DMA setup was still
+silently kept, and it can confuse the hardware, resulting in the
+unexpected noises. As a workaround, enforce the disablement of DMA
+setups when the DMA setup is changed by the kcontrol.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=218185
+Link: https://patch.msgid.link/20250610064322.26787-2-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/isa/sb/sb16_main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/sound/isa/sb/sb16_main.c b/sound/isa/sb/sb16_main.c
+index c4930efd44e3a..5a083eecaa6b9 100644
+--- a/sound/isa/sb/sb16_main.c
++++ b/sound/isa/sb/sb16_main.c
+@@ -714,6 +714,10 @@ static int snd_sb16_dma_control_put(struct snd_kcontrol *kcontrol, struct snd_ct
+ change = nval != oval;
+ snd_sb16_set_dma_mode(chip, nval);
+ spin_unlock_irqrestore(&chip->reg_lock, flags);
++ if (change) {
++ snd_dma_disable(chip->dma8);
++ snd_dma_disable(chip->dma16);
++ }
+ return change;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 555f25ccd495095c30ac8091a5f7886df8855d98 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 00:56:36 +0530
+Subject: amd-xgbe: align CL37 AN sequence as per databook
+
+From: Raju Rangoju <Raju.Rangoju@amd.com>
+
+[ Upstream commit 42fd432fe6d320323215ebdf4de4d0d7e56e6792 ]
+
+Update the Clause 37 Auto-Negotiation implementation to properly align
+with the PCS hardware specifications:
+- Fix incorrect bit settings in Link Status and Link Duplex fields
+- Implement missing sequence steps 2 and 7
+
+These changes ensure CL37 auto-negotiation protocol follows the exact
+sequence patterns as specified in the hardware databook.
+
+Fixes: 1bf40ada6290 ("amd-xgbe: Add support for clause 37 auto-negotiation")
+Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
+Link: https://patch.msgid.link/20250630192636.3838291-1-Raju.Rangoju@amd.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amd/xgbe/xgbe-common.h | 2 ++
+ drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 9 +++++++++
+ drivers/net/ethernet/amd/xgbe/xgbe.h | 4 ++--
+ 3 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-common.h b/drivers/net/ethernet/amd/xgbe/xgbe-common.h
+index 3b70f67376331..aa25a8a0a106f 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-common.h
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-common.h
+@@ -1373,6 +1373,8 @@
+ #define MDIO_VEND2_CTRL1_SS13 BIT(13)
+ #endif
+
++#define XGBE_VEND2_MAC_AUTO_SW BIT(9)
++
+ /* MDIO mask values */
+ #define XGBE_AN_CL73_INT_CMPLT BIT(0)
+ #define XGBE_AN_CL73_INC_LINK BIT(1)
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
+index 07f4f3418d018..3316c719f9f8c 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
+@@ -375,6 +375,10 @@ static void xgbe_an37_set(struct xgbe_prv_data *pdata, bool enable,
+ reg |= MDIO_VEND2_CTRL1_AN_RESTART;
+
+ XMDIO_WRITE(pdata, MDIO_MMD_VEND2, MDIO_CTRL1, reg);
++
++ reg = XMDIO_READ(pdata, MDIO_MMD_VEND2, MDIO_PCS_DIG_CTRL);
++ reg |= XGBE_VEND2_MAC_AUTO_SW;
++ XMDIO_WRITE(pdata, MDIO_MMD_VEND2, MDIO_PCS_DIG_CTRL, reg);
+ }
+
+ static void xgbe_an37_restart(struct xgbe_prv_data *pdata)
+@@ -1003,6 +1007,11 @@ static void xgbe_an37_init(struct xgbe_prv_data *pdata)
+
+ netif_dbg(pdata, link, pdata->netdev, "CL37 AN (%s) initialized\n",
+ (pdata->an_mode == XGBE_AN_MODE_CL37) ? "BaseX" : "SGMII");
++
++ reg = XMDIO_READ(pdata, MDIO_MMD_AN, MDIO_CTRL1);
++ reg &= ~MDIO_AN_CTRL1_ENABLE;
++ XMDIO_WRITE(pdata, MDIO_MMD_AN, MDIO_CTRL1, reg);
++
+ }
+
+ static void xgbe_an73_init(struct xgbe_prv_data *pdata)
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe.h b/drivers/net/ethernet/amd/xgbe/xgbe.h
+index ed5d43c16d0e2..7526a0906b391 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe.h
++++ b/drivers/net/ethernet/amd/xgbe/xgbe.h
+@@ -292,12 +292,12 @@
+ #define XGBE_LINK_TIMEOUT 5
+ #define XGBE_KR_TRAINING_WAIT_ITER 50
+
+-#define XGBE_SGMII_AN_LINK_STATUS BIT(1)
++#define XGBE_SGMII_AN_LINK_DUPLEX BIT(1)
+ #define XGBE_SGMII_AN_LINK_SPEED (BIT(2) | BIT(3))
+ #define XGBE_SGMII_AN_LINK_SPEED_10 0x00
+ #define XGBE_SGMII_AN_LINK_SPEED_100 0x04
+ #define XGBE_SGMII_AN_LINK_SPEED_1000 0x08
+-#define XGBE_SGMII_AN_LINK_DUPLEX BIT(4)
++#define XGBE_SGMII_AN_LINK_STATUS BIT(4)
+
+ /* ECC correctable error notification window (seconds) */
+ #define XGBE_ECC_LIMIT 60
+--
+2.39.5
+
--- /dev/null
+From 15584bccf859c56fb489d880a2f6c064cf0e55bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 12:20:16 +0530
+Subject: amd-xgbe: do not double read link status
+
+From: Raju Rangoju <Raju.Rangoju@amd.com>
+
+[ Upstream commit 16ceda2ef683a50cd0783006c0504e1931cd8879 ]
+
+The link status is latched low so that momentary link drops
+can be detected. Always double-reading the status defeats this
+design feature. Only double read if link was already down
+
+This prevents unnecessary duplicate readings of the link status.
+
+Fixes: 4f3b20bfbb75 ("amd-xgbe: add support for rx-adaptation")
+Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250701065016.4140707-1-Raju.Rangoju@amd.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 4 ++++
+ drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 24 +++++++++++++--------
+ 2 files changed, 19 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
+index 3316c719f9f8c..ed76a8df6ec6e 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
+@@ -1413,6 +1413,10 @@ static void xgbe_phy_status(struct xgbe_prv_data *pdata)
+
+ pdata->phy.link = pdata->phy_if.phy_impl.link_status(pdata,
+ &an_restart);
++ /* bail out if the link status register read fails */
++ if (pdata->phy.link < 0)
++ return;
++
+ if (an_restart) {
+ xgbe_phy_config_aneg(pdata);
+ goto adjust_link;
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
+index 268399dfcf22f..32e633d113484 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
+@@ -2855,8 +2855,7 @@ static bool xgbe_phy_valid_speed(struct xgbe_prv_data *pdata, int speed)
+ static int xgbe_phy_link_status(struct xgbe_prv_data *pdata, int *an_restart)
+ {
+ struct xgbe_phy_data *phy_data = pdata->phy_data;
+- unsigned int reg;
+- int ret;
++ int reg, ret;
+
+ *an_restart = 0;
+
+@@ -2890,11 +2889,20 @@ static int xgbe_phy_link_status(struct xgbe_prv_data *pdata, int *an_restart)
+ return 0;
+ }
+
+- /* Link status is latched low, so read once to clear
+- * and then read again to get current state
+- */
+- reg = XMDIO_READ(pdata, MDIO_MMD_PCS, MDIO_STAT1);
+ reg = XMDIO_READ(pdata, MDIO_MMD_PCS, MDIO_STAT1);
++ if (reg < 0)
++ return reg;
++
++ /* Link status is latched low so that momentary link drops
++ * can be detected. If link was already down read again
++ * to get the latest state.
++ */
++
++ if (!pdata->phy.link && !(reg & MDIO_STAT1_LSTATUS)) {
++ reg = XMDIO_READ(pdata, MDIO_MMD_PCS, MDIO_STAT1);
++ if (reg < 0)
++ return reg;
++ }
+
+ if (pdata->en_rx_adap) {
+ /* if the link is available and adaptation is done,
+@@ -2913,9 +2921,7 @@ static int xgbe_phy_link_status(struct xgbe_prv_data *pdata, int *an_restart)
+ xgbe_phy_set_mode(pdata, phy_data->cur_mode);
+ }
+
+- /* check again for the link and adaptation status */
+- reg = XMDIO_READ(pdata, MDIO_MMD_PCS, MDIO_STAT1);
+- if ((reg & MDIO_STAT1_LSTATUS) && pdata->rx_adapt_done)
++ if (pdata->rx_adapt_done)
+ return 1;
+ } else if (reg & MDIO_STAT1_LSTATUS)
+ return 1;
+--
+2.39.5
+
--- /dev/null
+From 23ba2e2a54068d81f0d09fca41bad3cb113a2ba9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 17:06:00 +0000
+Subject: aoe: defer rexmit timer downdev work to workqueue
+
+From: Justin Sanders <jsanders.devel@gmail.com>
+
+[ Upstream commit cffc873d68ab09a0432b8212008c5613f8a70a2c ]
+
+When aoe's rexmit_timer() notices that an aoe target fails to respond to
+commands for more than aoe_deadsecs, it calls aoedev_downdev() which
+cleans the outstanding aoe and block queues. This can involve sleeping,
+such as in blk_mq_freeze_queue(), which should not occur in irq context.
+
+This patch defers that aoedev_downdev() call to the aoe device's
+workqueue.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=212665
+Signed-off-by: Justin Sanders <jsanders.devel@gmail.com>
+Link: https://lore.kernel.org/r/20250610170600.869-2-jsanders.devel@gmail.com
+Tested-By: Valentin Kleibel <valentin@vrvis.at>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/aoe/aoe.h | 1 +
+ drivers/block/aoe/aoecmd.c | 8 ++++++--
+ drivers/block/aoe/aoedev.c | 5 ++++-
+ 3 files changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/block/aoe/aoe.h b/drivers/block/aoe/aoe.h
+index 749ae1246f4cf..d35caa3c69e15 100644
+--- a/drivers/block/aoe/aoe.h
++++ b/drivers/block/aoe/aoe.h
+@@ -80,6 +80,7 @@ enum {
+ DEVFL_NEWSIZE = (1<<6), /* need to update dev size in block layer */
+ DEVFL_FREEING = (1<<7), /* set when device is being cleaned up */
+ DEVFL_FREED = (1<<8), /* device has been cleaned up */
++ DEVFL_DEAD = (1<<9), /* device has timed out of aoe_deadsecs */
+ };
+
+ enum {
+diff --git a/drivers/block/aoe/aoecmd.c b/drivers/block/aoe/aoecmd.c
+index 92b06d1de4cc7..6c94cfd1c480e 100644
+--- a/drivers/block/aoe/aoecmd.c
++++ b/drivers/block/aoe/aoecmd.c
+@@ -754,7 +754,7 @@ rexmit_timer(struct timer_list *timer)
+
+ utgts = count_targets(d, NULL);
+
+- if (d->flags & DEVFL_TKILL) {
++ if (d->flags & (DEVFL_TKILL | DEVFL_DEAD)) {
+ spin_unlock_irqrestore(&d->lock, flags);
+ return;
+ }
+@@ -786,7 +786,8 @@ rexmit_timer(struct timer_list *timer)
+ * to clean up.
+ */
+ list_splice(&flist, &d->factive[0]);
+- aoedev_downdev(d);
++ d->flags |= DEVFL_DEAD;
++ queue_work(aoe_wq, &d->work);
+ goto out;
+ }
+
+@@ -898,6 +899,9 @@ aoecmd_sleepwork(struct work_struct *work)
+ {
+ struct aoedev *d = container_of(work, struct aoedev, work);
+
++ if (d->flags & DEVFL_DEAD)
++ aoedev_downdev(d);
++
+ if (d->flags & DEVFL_GDALLOC)
+ aoeblk_gdalloc(d);
+
+diff --git a/drivers/block/aoe/aoedev.c b/drivers/block/aoe/aoedev.c
+index 8c18034cb3d69..9b66f8ebce50d 100644
+--- a/drivers/block/aoe/aoedev.c
++++ b/drivers/block/aoe/aoedev.c
+@@ -200,8 +200,11 @@ aoedev_downdev(struct aoedev *d)
+ struct list_head *head, *pos, *nx;
+ struct request *rq, *rqnext;
+ int i;
++ unsigned long flags;
+
+- d->flags &= ~DEVFL_UP;
++ spin_lock_irqsave(&d->lock, flags);
++ d->flags &= ~(DEVFL_UP | DEVFL_DEAD);
++ spin_unlock_irqrestore(&d->lock, flags);
+
+ /* clean out active and to-be-retransmitted buffers */
+ for (i = 0; i < NFACTIVE; i++) {
+--
+2.39.5
+
--- /dev/null
+From 6d594011a3dd1e2094d96f66feff730dc887b6d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 19:19:24 +0000
+Subject: arm64: dts: apple: Drop {address,size}-cells from SPI NOR
+
+From: Sven Peter <sven@kernel.org>
+
+[ Upstream commit 811a909978bf59caa25359e0aca4e30500dcff26 ]
+
+Fix the following warning by dropping #{address,size}-cells from the SPI
+NOR node which only has a single child node without reg property:
+
+spi1-nvram.dtsi:19.10-38.4: Warning (avoid_unnecessary_addr_size): /soc/spi@235104000/flash@0: unnecessary #address-cells/#size-cells without "ranges", "dma-ranges" or child "reg" property
+
+Fixes: 3febe9de5ca5 ("arm64: dts: apple: Add SPI NOR nvram partition to all devices")
+Reviewed-by: Janne Grunau <j@jannau.net>
+Link: https://lore.kernel.org/r/20250610-apple-dts-warnings-v1-1-70b53e8108a0@kernel.org
+Signed-off-by: Sven Peter <sven@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/apple/spi1-nvram.dtsi | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/apple/spi1-nvram.dtsi b/arch/arm64/boot/dts/apple/spi1-nvram.dtsi
+index 3df2fd3993b52..9740fbf200f0b 100644
+--- a/arch/arm64/boot/dts/apple/spi1-nvram.dtsi
++++ b/arch/arm64/boot/dts/apple/spi1-nvram.dtsi
+@@ -20,8 +20,6 @@ flash@0 {
+ compatible = "jedec,spi-nor";
+ reg = <0x0>;
+ spi-max-frequency = <25000000>;
+- #address-cells = <1>;
+- #size-cells = <1>;
+
+ partitions {
+ compatible = "fixed-partitions";
+--
+2.39.5
+
--- /dev/null
+From 9c45f8f78d4568947e256022533520f14b1e9bf9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 15:18:53 +0000
+Subject: arm64: dts: apple: Move touchbar mipi {address,size}-cells from dtsi
+ to dts
+
+From: Sven Peter <sven@kernel.org>
+
+[ Upstream commit 08a0d93c353bd55de8b5fb77b464d89425be0215 ]
+
+Move the {address,size}-cells property from the (disabled) touchbar screen
+mipi node inside the dtsi file to the model-specific dts file where it's
+enabled to fix the following W=1 warnings:
+
+t8103.dtsi:404.34-433.5: Warning (avoid_unnecessary_addr_size): /soc/dsi@228600000: unnecessary #address-cells/#size-cells without "ranges", "dma-ranges" or child "reg" property
+t8112.dtsi:419.34-448.5: Warning (avoid_unnecessary_addr_size): /soc/dsi@228600000: unnecessary #address-cells/#size-cells without "ranges", "dma-ranges" or child "reg" property
+
+Fixes: 7275e795e520 ("arm64: dts: apple: Add touchbar screen nodes")
+Reviewed-by: Janne Grunau <j@jannau.net>
+Link: https://lore.kernel.org/r/20250611-display-pipe-mipi-warning-v1-1-bd80ba2c0eea@kernel.org
+Signed-off-by: Sven Peter <sven@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/apple/t8103-j293.dts | 2 ++
+ arch/arm64/boot/dts/apple/t8103.dtsi | 2 --
+ arch/arm64/boot/dts/apple/t8112-j493.dts | 2 ++
+ arch/arm64/boot/dts/apple/t8112.dtsi | 2 --
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/apple/t8103-j293.dts b/arch/arm64/boot/dts/apple/t8103-j293.dts
+index e2d9439397f71..5b3c42e9f0e67 100644
+--- a/arch/arm64/boot/dts/apple/t8103-j293.dts
++++ b/arch/arm64/boot/dts/apple/t8103-j293.dts
+@@ -100,6 +100,8 @@ dfr_mipi_out_panel: endpoint@0 {
+
+ &displaydfr_mipi {
+ status = "okay";
++ #address-cells = <1>;
++ #size-cells = <0>;
+
+ dfr_panel: panel@0 {
+ compatible = "apple,j293-summit", "apple,summit";
+diff --git a/arch/arm64/boot/dts/apple/t8103.dtsi b/arch/arm64/boot/dts/apple/t8103.dtsi
+index 97b6a067394e3..229b10efaab9e 100644
+--- a/arch/arm64/boot/dts/apple/t8103.dtsi
++++ b/arch/arm64/boot/dts/apple/t8103.dtsi
+@@ -404,8 +404,6 @@ displaydfr_mipi: dsi@228600000 {
+ compatible = "apple,t8103-display-pipe-mipi", "apple,h7-display-pipe-mipi";
+ reg = <0x2 0x28600000 0x0 0x100000>;
+ power-domains = <&ps_mipi_dsi>;
+- #address-cells = <1>;
+- #size-cells = <0>;
+ status = "disabled";
+
+ ports {
+diff --git a/arch/arm64/boot/dts/apple/t8112-j493.dts b/arch/arm64/boot/dts/apple/t8112-j493.dts
+index be86d34c6696c..fb8ad7d4c65a8 100644
+--- a/arch/arm64/boot/dts/apple/t8112-j493.dts
++++ b/arch/arm64/boot/dts/apple/t8112-j493.dts
+@@ -63,6 +63,8 @@ dfr_mipi_out_panel: endpoint@0 {
+
+ &displaydfr_mipi {
+ status = "okay";
++ #address-cells = <1>;
++ #size-cells = <0>;
+
+ dfr_panel: panel@0 {
+ compatible = "apple,j493-summit", "apple,summit";
+diff --git a/arch/arm64/boot/dts/apple/t8112.dtsi b/arch/arm64/boot/dts/apple/t8112.dtsi
+index d9b966d68e4fa..7488e3850493b 100644
+--- a/arch/arm64/boot/dts/apple/t8112.dtsi
++++ b/arch/arm64/boot/dts/apple/t8112.dtsi
+@@ -420,8 +420,6 @@ displaydfr_mipi: dsi@228600000 {
+ compatible = "apple,t8112-display-pipe-mipi", "apple,h7-display-pipe-mipi";
+ reg = <0x2 0x28600000 0x0 0x100000>;
+ power-domains = <&ps_mipi_dsi>;
+- #address-cells = <1>;
+- #size-cells = <0>;
+ status = "disabled";
+
+ ports {
+--
+2.39.5
+
--- /dev/null
+From 0e83346a13b2235ddb2eb71c2b38e4249f7c5279 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 22:30:31 +0200
+Subject: arm64: dts: apple: t8103: Fix PCIe BCM4377 nodename
+
+From: Janne Grunau <j@jannau.net>
+
+[ Upstream commit ac1daa91e9370e3b88ef7826a73d62a4d09e2717 ]
+
+Fix the following `make dtbs_check` warnings for all t8103 based devices:
+
+arch/arm64/boot/dts/apple/t8103-j274.dtb: network@0,0: $nodename:0: 'network@0,0' does not match '^wifi(@.*)?$'
+ from schema $id: http://devicetree.org/schemas/net/wireless/brcm,bcm4329-fmac.yaml#
+arch/arm64/boot/dts/apple/t8103-j274.dtb: network@0,0: Unevaluated properties are not allowed ('local-mac-address' was unexpected)
+ from schema $id: http://devicetree.org/schemas/net/wireless/brcm,bcm4329-fmac.yaml#
+
+Fixes: bf2c05b619ff ("arm64: dts: apple: t8103: Expose PCI node for the WiFi MAC address")
+Signed-off-by: Janne Grunau <j@jannau.net>
+Reviewed-by: Sven Peter <sven@kernel.org>
+Link: https://lore.kernel.org/r/20250611-arm64_dts_apple_wifi-v1-1-fb959d8e1eb4@jannau.net
+Signed-off-by: Sven Peter <sven@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/apple/t8103-jxxx.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/apple/t8103-jxxx.dtsi b/arch/arm64/boot/dts/apple/t8103-jxxx.dtsi
+index 8e82231acab59..0c8206156bfef 100644
+--- a/arch/arm64/boot/dts/apple/t8103-jxxx.dtsi
++++ b/arch/arm64/boot/dts/apple/t8103-jxxx.dtsi
+@@ -71,7 +71,7 @@ hpm1: usb-pd@3f {
+ */
+ &port00 {
+ bus-range = <1 1>;
+- wifi0: network@0,0 {
++ wifi0: wifi@0,0 {
+ compatible = "pci14e4,4425";
+ reg = <0x10000 0x0 0x0 0x0 0x0>;
+ /* To be filled by the loader */
+--
+2.39.5
+
--- /dev/null
+From 3a41b4685051965394300c5947bea6da1b338ee1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 May 2025 02:52:32 +0200
+Subject: ASoC: amd: yc: Add quirk for MSI Bravo 17 D7VF internal mic
+
+From: Gabriel Santese <santesegabriel@gmail.com>
+
+[ Upstream commit ba06528ad5a31923efc24324706116ccd17e12d8 ]
+
+MSI Bravo 17 (D7VF), like other laptops from the family,
+has broken ACPI tables and needs a quirk for internal mic
+to work properly.
+
+Signed-off-by: Gabriel Santese <santesegabriel@gmail.com>
+Link: https://patch.msgid.link/20250530005444.23398-1-santesegabriel@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c
+index b27966f82c8b6..4f8481c6802b1 100644
+--- a/sound/soc/amd/yc/acp6x-mach.c
++++ b/sound/soc/amd/yc/acp6x-mach.c
+@@ -451,6 +451,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "Bravo 17 D7VEK"),
+ }
+ },
++ {
++ .driver_data = &acp6x_card,
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "Micro-Star International Co., Ltd."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Bravo 17 D7VF"),
++ }
++ },
+ {
+ .driver_data = &acp6x_card,
+ .matches = {
+--
+2.39.5
+
--- /dev/null
+From 3059574182dc623d5892dac9564974c0153fcb6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Jun 2025 07:51:25 -0400
+Subject: ASoC: amd: yc: update quirk data for HP Victus
+
+From: Raven Black <ravenblack@gmail.com>
+
+[ Upstream commit 13b86ea92ebf0fa587fbadfb8a60ca2e9993203f ]
+
+Make the internal microphone work on HP Victus laptops.
+
+Signed-off-by: Raven Black <ravenblack@gmail.com>
+Link: https://patch.msgid.link/20250613-support-hp-victus-microphone-v1-1-bebc4c3a2041@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c
+index 4f8481c6802b1..723cb7bc12851 100644
+--- a/sound/soc/amd/yc/acp6x-mach.c
++++ b/sound/soc/amd/yc/acp6x-mach.c
+@@ -521,6 +521,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "OMEN by HP Gaming Laptop 16z-n000"),
+ }
+ },
++ {
++ .driver_data = &acp6x_card,
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "HP"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Victus by HP Gaming Laptop 15-fb2xxx"),
++ }
++ },
+ {
+ .driver_data = &acp6x_card,
+ .matches = {
+--
+2.39.5
+
--- /dev/null
+From 2f593edfa252886be1abc6504cfcfa0f32798924 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 May 2025 11:56:55 +0300
+Subject: ata: libata-acpi: Do not assume 40 wire cable if no devices are
+ enabled
+
+From: Tasos Sahanidis <tasos@tasossah.com>
+
+[ Upstream commit 33877220b8641b4cde474a4229ea92c0e3637883 ]
+
+On at least an ASRock 990FX Extreme 4 with a VIA VT6330, the devices
+have not yet been enabled by the first time ata_acpi_cbl_80wire() is
+called. This means that the ata_for_each_dev loop is never entered,
+and a 40 wire cable is assumed.
+
+The VIA controller on this board does not report the cable in the PCI
+config space, thus having to fall back to ACPI even though no SATA
+bridge is present.
+
+The _GTM values are correctly reported by the firmware through ACPI,
+which has already set up faster transfer modes, but due to the above
+the controller is forced down to a maximum of UDMA/33.
+
+Resolve this by modifying ata_acpi_cbl_80wire() to directly return the
+cable type. First, an unknown cable is assumed which preserves the mode
+set by the firmware, and then on subsequent calls when the devices have
+been enabled, an 80 wire cable is correctly detected.
+
+Since the function now directly returns the cable type, it is renamed
+to ata_acpi_cbl_pata_type().
+
+Signed-off-by: Tasos Sahanidis <tasos@tasossah.com>
+Link: https://lore.kernel.org/r/20250519085945.1399466-1-tasos@tasossah.com
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-acpi.c | 24 ++++++++++++++++--------
+ drivers/ata/pata_via.c | 6 ++----
+ include/linux/libata.h | 7 +++----
+ 3 files changed, 21 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/ata/libata-acpi.c b/drivers/ata/libata-acpi.c
+index b7f0bf7955213..f2140fc06ba0f 100644
+--- a/drivers/ata/libata-acpi.c
++++ b/drivers/ata/libata-acpi.c
+@@ -514,15 +514,19 @@ unsigned int ata_acpi_gtm_xfermask(struct ata_device *dev,
+ EXPORT_SYMBOL_GPL(ata_acpi_gtm_xfermask);
+
+ /**
+- * ata_acpi_cbl_80wire - Check for 80 wire cable
++ * ata_acpi_cbl_pata_type - Return PATA cable type
+ * @ap: Port to check
+- * @gtm: GTM data to use
+ *
+- * Return 1 if the @gtm indicates the BIOS selected an 80wire mode.
++ * Return ATA_CBL_PATA* according to the transfer mode selected by BIOS
+ */
+-int ata_acpi_cbl_80wire(struct ata_port *ap, const struct ata_acpi_gtm *gtm)
++int ata_acpi_cbl_pata_type(struct ata_port *ap)
+ {
+ struct ata_device *dev;
++ int ret = ATA_CBL_PATA_UNK;
++ const struct ata_acpi_gtm *gtm = ata_acpi_init_gtm(ap);
++
++ if (!gtm)
++ return ATA_CBL_PATA40;
+
+ ata_for_each_dev(dev, &ap->link, ENABLED) {
+ unsigned int xfer_mask, udma_mask;
+@@ -530,13 +534,17 @@ int ata_acpi_cbl_80wire(struct ata_port *ap, const struct ata_acpi_gtm *gtm)
+ xfer_mask = ata_acpi_gtm_xfermask(dev, gtm);
+ ata_unpack_xfermask(xfer_mask, NULL, NULL, &udma_mask);
+
+- if (udma_mask & ~ATA_UDMA_MASK_40C)
+- return 1;
++ ret = ATA_CBL_PATA40;
++
++ if (udma_mask & ~ATA_UDMA_MASK_40C) {
++ ret = ATA_CBL_PATA80;
++ break;
++ }
+ }
+
+- return 0;
++ return ret;
+ }
+-EXPORT_SYMBOL_GPL(ata_acpi_cbl_80wire);
++EXPORT_SYMBOL_GPL(ata_acpi_cbl_pata_type);
+
+ static void ata_acpi_gtf_to_tf(struct ata_device *dev,
+ const struct ata_acpi_gtf *gtf,
+diff --git a/drivers/ata/pata_via.c b/drivers/ata/pata_via.c
+index d82728a01832b..bb80e7800dcbe 100644
+--- a/drivers/ata/pata_via.c
++++ b/drivers/ata/pata_via.c
+@@ -201,11 +201,9 @@ static int via_cable_detect(struct ata_port *ap) {
+ two drives */
+ if (ata66 & (0x10100000 >> (16 * ap->port_no)))
+ return ATA_CBL_PATA80;
++
+ /* Check with ACPI so we can spot BIOS reported SATA bridges */
+- if (ata_acpi_init_gtm(ap) &&
+- ata_acpi_cbl_80wire(ap, ata_acpi_init_gtm(ap)))
+- return ATA_CBL_PATA80;
+- return ATA_CBL_PATA40;
++ return ata_acpi_cbl_pata_type(ap);
+ }
+
+ static int via_pre_reset(struct ata_link *link, unsigned long deadline)
+diff --git a/include/linux/libata.h b/include/linux/libata.h
+index e5695998acb02..ec3b0c9c2a8cf 100644
+--- a/include/linux/libata.h
++++ b/include/linux/libata.h
+@@ -1363,7 +1363,7 @@ int ata_acpi_stm(struct ata_port *ap, const struct ata_acpi_gtm *stm);
+ int ata_acpi_gtm(struct ata_port *ap, struct ata_acpi_gtm *stm);
+ unsigned int ata_acpi_gtm_xfermask(struct ata_device *dev,
+ const struct ata_acpi_gtm *gtm);
+-int ata_acpi_cbl_80wire(struct ata_port *ap, const struct ata_acpi_gtm *gtm);
++int ata_acpi_cbl_pata_type(struct ata_port *ap);
+ #else
+ static inline const struct ata_acpi_gtm *ata_acpi_init_gtm(struct ata_port *ap)
+ {
+@@ -1388,10 +1388,9 @@ static inline unsigned int ata_acpi_gtm_xfermask(struct ata_device *dev,
+ return 0;
+ }
+
+-static inline int ata_acpi_cbl_80wire(struct ata_port *ap,
+- const struct ata_acpi_gtm *gtm)
++static inline int ata_acpi_cbl_pata_type(struct ata_port *ap)
+ {
+- return 0;
++ return ATA_CBL_PATA40;
+ }
+ #endif
+
+--
+2.39.5
+
--- /dev/null
+From 375213a74a54bf3fc19edf459da165d5055c7f80 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Jun 2025 11:01:11 +0200
+Subject: ata: pata_cs5536: fix build on 32-bit UML
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit fe5b391fc56f77cf3c22a9dd4f0ce20db0e3533f ]
+
+On 32-bit ARCH=um, CONFIG_X86_32 is still defined, so it
+doesn't indicate building on real X86 machines. There's
+no MSR on UML though, so add a check for CONFIG_X86.
+
+Reported-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Link: https://lore.kernel.org/r/20250606090110.15784-2-johannes@sipsolutions.net
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/pata_cs5536.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/ata/pata_cs5536.c b/drivers/ata/pata_cs5536.c
+index b811efd2cc346..73e81e160c91f 100644
+--- a/drivers/ata/pata_cs5536.c
++++ b/drivers/ata/pata_cs5536.c
+@@ -27,7 +27,7 @@
+ #include <scsi/scsi_host.h>
+ #include <linux/dmi.h>
+
+-#ifdef CONFIG_X86_32
++#if defined(CONFIG_X86) && defined(CONFIG_X86_32)
+ #include <asm/msr.h>
+ static int use_msr;
+ module_param_named(msr, use_msr, int, 0644);
+--
+2.39.5
+
--- /dev/null
+From 18b02af3501cefc9a3476cbdf15b992b4344973c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Jun 2025 11:01:07 +0800
+Subject: Bluetooth: Prevent unintended pause by checking if advertising is
+ active
+
+From: Yang Li <yang.li@amlogic.com>
+
+[ Upstream commit 1f029b4e30a602db33dedee5ac676e9236ad193c ]
+
+When PA Create Sync is enabled, advertising resumes unexpectedly.
+Therefore, it's necessary to check whether advertising is currently
+active before attempting to pause it.
+
+ < HCI Command: LE Add Device To... (0x08|0x0011) plen 7 #1345 [hci0] 48.306205
+ Address type: Random (0x01)
+ Address: 4F:84:84:5F:88:17 (Resolvable)
+ Identity type: Random (0x01)
+ Identity: FC:5B:8C:F7:5D:FB (Static)
+ < HCI Command: LE Set Address Re.. (0x08|0x002d) plen 1 #1347 [hci0] 48.308023
+ Address resolution: Enabled (0x01)
+ ...
+ < HCI Command: LE Set Extended A.. (0x08|0x0039) plen 6 #1349 [hci0] 48.309650
+ Extended advertising: Enabled (0x01)
+ Number of sets: 1 (0x01)
+ Entry 0
+ Handle: 0x01
+ Duration: 0 ms (0x00)
+ Max ext adv events: 0
+ ...
+ < HCI Command: LE Periodic Adve.. (0x08|0x0044) plen 14 #1355 [hci0] 48.314575
+ Options: 0x0000
+ Use advertising SID, Advertiser Address Type and address
+ Reporting initially enabled
+ SID: 0x02
+ Adv address type: Random (0x01)
+ Adv address: 4F:84:84:5F:88:17 (Resolvable)
+ Identity type: Random (0x01)
+ Identity: FC:5B:8C:F7:5D:FB (Static)
+ Skip: 0x0000
+ Sync timeout: 20000 msec (0x07d0)
+ Sync CTE type: 0x0000
+
+Fixes: ad383c2c65a5 ("Bluetooth: hci_sync: Enable advertising when LL privacy is enabled")
+Signed-off-by: Yang Li <yang.li@amlogic.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_sync.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index 3660da3b241a7..9955d6cd7b76f 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -2507,6 +2507,10 @@ static int hci_pause_advertising_sync(struct hci_dev *hdev)
+ int err;
+ int old_state;
+
++ /* If controller is not advertising we are done. */
++ if (!hci_dev_test_flag(hdev, HCI_LE_ADV))
++ return 0;
++
+ /* If already been paused there is nothing to do. */
+ if (hdev->advertising_paused)
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From a928455718bd18356f3c58407fa23d51c0b69c52 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Jun 2025 13:43:32 +0100
+Subject: btrfs: fix failure to rebuild free space tree using multiple
+ transactions
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 1e6ed33cabba8f06f532f2e5851a102602823734 ]
+
+If we are rebuilding a free space tree, while modifying the free space
+tree we may need to allocate a new metadata block group.
+If we end up using multiple transactions for the rebuild, when we call
+btrfs_end_transaction() we enter btrfs_create_pending_block_groups()
+which calls add_block_group_free_space() to add items to the free space
+tree for the block group.
+
+Then later during the free space tree rebuild, at
+btrfs_rebuild_free_space_tree(), we may find such new block groups
+and call populate_free_space_tree() for them, which fails with -EEXIST
+because there are already items in the free space tree. Then we abort the
+transaction with -EEXIST at btrfs_rebuild_free_space_tree().
+Notice that we say "may find" the new block groups because a new block
+group may be inserted in the block groups rbtree, which is being iterated
+by the rebuild process, before or after the current node where the rebuild
+process is currently at.
+
+Syzbot recently reported such case which produces a trace like the
+following:
+
+ ------------[ cut here ]------------
+ BTRFS: Transaction aborted (error -17)
+ WARNING: CPU: 1 PID: 7626 at fs/btrfs/free-space-tree.c:1341 btrfs_rebuild_free_space_tree+0x470/0x54c fs/btrfs/free-space-tree.c:1341
+ Modules linked in:
+ CPU: 1 UID: 0 PID: 7626 Comm: syz.2.25 Not tainted 6.15.0-rc7-syzkaller-00085-gd7fa1af5b33e-dirty #0 PREEMPT
+ Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
+ pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : btrfs_rebuild_free_space_tree+0x470/0x54c fs/btrfs/free-space-tree.c:1341
+ lr : btrfs_rebuild_free_space_tree+0x470/0x54c fs/btrfs/free-space-tree.c:1341
+ sp : ffff80009c4f7740
+ x29: ffff80009c4f77b0 x28: ffff0000d4c3f400 x27: 0000000000000000
+ x26: dfff800000000000 x25: ffff70001389eee8 x24: 0000000000000003
+ x23: 1fffe000182b6e7b x22: 0000000000000000 x21: ffff0000c15b73d8
+ x20: 00000000ffffffef x19: ffff0000c15b7378 x18: 1fffe0003386f276
+ x17: ffff80008f31e000 x16: ffff80008adbe98c x15: 0000000000000001
+ x14: 1fffe0001b281550 x13: 0000000000000000 x12: 0000000000000000
+ x11: ffff60001b281551 x10: 0000000000000003 x9 : 1c8922000a902c00
+ x8 : 1c8922000a902c00 x7 : ffff800080485878 x6 : 0000000000000000
+ x5 : 0000000000000001 x4 : 0000000000000001 x3 : ffff80008047843c
+ x2 : 0000000000000001 x1 : ffff80008b3ebc40 x0 : 0000000000000001
+ Call trace:
+ btrfs_rebuild_free_space_tree+0x470/0x54c fs/btrfs/free-space-tree.c:1341 (P)
+ btrfs_start_pre_rw_mount+0xa78/0xe10 fs/btrfs/disk-io.c:3074
+ btrfs_remount_rw fs/btrfs/super.c:1319 [inline]
+ btrfs_reconfigure+0x828/0x2418 fs/btrfs/super.c:1543
+ reconfigure_super+0x1d4/0x6f0 fs/super.c:1083
+ do_remount fs/namespace.c:3365 [inline]
+ path_mount+0xb34/0xde0 fs/namespace.c:4200
+ do_mount fs/namespace.c:4221 [inline]
+ __do_sys_mount fs/namespace.c:4432 [inline]
+ __se_sys_mount fs/namespace.c:4409 [inline]
+ __arm64_sys_mount+0x3e8/0x468 fs/namespace.c:4409
+ __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
+ invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
+ el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
+ do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
+ el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767
+ el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786
+ el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
+ irq event stamp: 330
+ hardirqs last enabled at (329): [<ffff80008048590c>] raw_spin_rq_unlock_irq kernel/sched/sched.h:1525 [inline]
+ hardirqs last enabled at (329): [<ffff80008048590c>] finish_lock_switch+0xb0/0x1c0 kernel/sched/core.c:5130
+ hardirqs last disabled at (330): [<ffff80008adb9e60>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:511
+ softirqs last enabled at (10): [<ffff8000801fbf10>] local_bh_enable+0x10/0x34 include/linux/bottom_half.h:32
+ softirqs last disabled at (8): [<ffff8000801fbedc>] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19
+ ---[ end trace 0000000000000000 ]---
+
+Fix this by flagging new block groups which had their free space tree
+entries already added and then skip them in the rebuild process. Also,
+since the rebuild may be triggered when doing a remount, make sure that
+when we clear an existing free space tree that we clear such flag from
+every existing block group, otherwise we would skip those block groups
+during the rebuild.
+
+Reported-by: syzbot+d0014fb0fc39c5487ae5@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/linux-btrfs/68460a54.050a0220.daf97.0af5.GAE@google.com/
+Fixes: 882af9f13e83 ("btrfs: handle free space tree rebuild in multiple transactions")
+Reviewed-by: Boris Burkov <boris@bur.io>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/block-group.h | 2 ++
+ fs/btrfs/free-space-tree.c | 40 ++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 42 insertions(+)
+
+diff --git a/fs/btrfs/block-group.h b/fs/btrfs/block-group.h
+index 36937eeab9b8a..08548b0b5ea1d 100644
+--- a/fs/btrfs/block-group.h
++++ b/fs/btrfs/block-group.h
+@@ -83,6 +83,8 @@ enum btrfs_block_group_flags {
+ BLOCK_GROUP_FLAG_ZONED_DATA_RELOC,
+ /* Does the block group need to be added to the free space tree? */
+ BLOCK_GROUP_FLAG_NEEDS_FREE_SPACE,
++ /* Set after we add a new block group to the free space tree. */
++ BLOCK_GROUP_FLAG_FREE_SPACE_ADDED,
+ /* Indicate that the block group is placed on a sequential zone */
+ BLOCK_GROUP_FLAG_SEQUENTIAL_ZONE,
+ /*
+diff --git a/fs/btrfs/free-space-tree.c b/fs/btrfs/free-space-tree.c
+index 39c6b96a4c25a..b65a20fd519ba 100644
+--- a/fs/btrfs/free-space-tree.c
++++ b/fs/btrfs/free-space-tree.c
+@@ -1217,6 +1217,7 @@ static int clear_free_space_tree(struct btrfs_trans_handle *trans,
+ {
+ BTRFS_PATH_AUTO_FREE(path);
+ struct btrfs_key key;
++ struct rb_node *node;
+ int nr;
+ int ret;
+
+@@ -1245,6 +1246,16 @@ static int clear_free_space_tree(struct btrfs_trans_handle *trans,
+ btrfs_release_path(path);
+ }
+
++ node = rb_first_cached(&trans->fs_info->block_group_cache_tree);
++ while (node) {
++ struct btrfs_block_group *bg;
++
++ bg = rb_entry(node, struct btrfs_block_group, cache_node);
++ clear_bit(BLOCK_GROUP_FLAG_FREE_SPACE_ADDED, &bg->runtime_flags);
++ node = rb_next(node);
++ cond_resched();
++ }
++
+ return 0;
+ }
+
+@@ -1334,12 +1345,18 @@ int btrfs_rebuild_free_space_tree(struct btrfs_fs_info *fs_info)
+
+ block_group = rb_entry(node, struct btrfs_block_group,
+ cache_node);
++
++ if (test_bit(BLOCK_GROUP_FLAG_FREE_SPACE_ADDED,
++ &block_group->runtime_flags))
++ goto next;
++
+ ret = populate_free_space_tree(trans, block_group);
+ if (ret) {
+ btrfs_abort_transaction(trans, ret);
+ btrfs_end_transaction(trans);
+ return ret;
+ }
++next:
+ if (btrfs_should_end_transaction(trans)) {
+ btrfs_end_transaction(trans);
+ trans = btrfs_start_transaction(free_space_root, 1);
+@@ -1366,6 +1383,29 @@ static int __add_block_group_free_space(struct btrfs_trans_handle *trans,
+
+ clear_bit(BLOCK_GROUP_FLAG_NEEDS_FREE_SPACE, &block_group->runtime_flags);
+
++ /*
++ * While rebuilding the free space tree we may allocate new metadata
++ * block groups while modifying the free space tree.
++ *
++ * Because during the rebuild (at btrfs_rebuild_free_space_tree()) we
++ * can use multiple transactions, every time btrfs_end_transaction() is
++ * called at btrfs_rebuild_free_space_tree() we finish the creation of
++ * new block groups by calling btrfs_create_pending_block_groups(), and
++ * that in turn calls us, through add_block_group_free_space(), to add
++ * a free space info item and a free space extent item for the block
++ * group.
++ *
++ * Then later btrfs_rebuild_free_space_tree() may find such new block
++ * groups and processes them with populate_free_space_tree(), which can
++ * fail with EEXIST since there are already items for the block group in
++ * the free space tree. Notice that we say "may find" because a new
++ * block group may be added to the block groups rbtree in a node before
++ * or after the block group currently being processed by the rebuild
++ * process. So signal the rebuild process to skip such new block groups
++ * if it finds them.
++ */
++ set_bit(BLOCK_GROUP_FLAG_FREE_SPACE_ADDED, &block_group->runtime_flags);
++
+ ret = add_new_free_space_info(trans, block_group, path);
+ if (ret)
+ return ret;
+--
+2.39.5
+
--- /dev/null
+From bd9bca9af82723d88a926f90770ec16e840d68e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 15:58:31 +0100
+Subject: btrfs: fix inode lookup error handling during log replay
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 5f61b961599acbd2bed028d3089105a1f7d224b8 ]
+
+When replaying log trees we use read_one_inode() to get an inode, which is
+just a wrapper around btrfs_iget_logging(), which in turn is a wrapper for
+btrfs_iget(). But read_one_inode() always returns NULL for any error
+that btrfs_iget_logging() / btrfs_iget() may return and this is a problem
+because:
+
+1) In many callers of read_one_inode() we convert the NULL into -EIO,
+ which is not accurate since btrfs_iget() may return -ENOMEM and -ENOENT
+ for example, besides -EIO and other errors. So during log replay we
+ may end up reporting a false -EIO, which is confusing since we may
+ not have had any IO error at all;
+
+2) When replaying directory deletes, at replay_dir_deletes(), we assume
+ the NULL returned from read_one_inode() means that the inode doesn't
+ exist and then proceed as if no error had happened. This is wrong
+ because unless btrfs_iget() returned ERR_PTR(-ENOENT), we had an
+ actual error and the target inode may exist in the target subvolume
+ root - this may later result in the log replay code failing at a
+ later stage (if we are "lucky") or succeed but leaving some
+ inconsistency in the filesystem.
+
+So fix this by not ignoring errors from btrfs_iget_logging() and as
+a consequence remove the read_one_inode() wrapper and just use
+btrfs_iget_logging() directly. Also since btrfs_iget_logging() is
+supposed to be called only against subvolume roots, just like
+read_one_inode() which had a comment about it, add an assertion to
+btrfs_iget_logging() to check that the target root corresponds to a
+subvolume root.
+
+Fixes: 5d4f98a28c7d ("Btrfs: Mixed back reference (FORWARD ROLLING FORMAT CHANGE)")
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/tree-log.c | 127 +++++++++++++++++++++-----------------------
+ 1 file changed, 62 insertions(+), 65 deletions(-)
+
+diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
+index 118db10464207..f8611ec11da9d 100644
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -143,6 +143,9 @@ static struct btrfs_inode *btrfs_iget_logging(u64 objectid, struct btrfs_root *r
+ unsigned int nofs_flag;
+ struct btrfs_inode *inode;
+
++ /* Only meant to be called for subvolume roots and not for log roots. */
++ ASSERT(is_fstree(btrfs_root_id(root)));
++
+ /*
+ * We're holding a transaction handle whether we are logging or
+ * replaying a log tree, so we must make sure NOFS semantics apply
+@@ -604,21 +607,6 @@ static int read_alloc_one_name(struct extent_buffer *eb, void *start, int len,
+ return 0;
+ }
+
+-/*
+- * simple helper to read an inode off the disk from a given root
+- * This can only be called for subvolume roots and not for the log
+- */
+-static noinline struct btrfs_inode *read_one_inode(struct btrfs_root *root,
+- u64 objectid)
+-{
+- struct btrfs_inode *inode;
+-
+- inode = btrfs_iget_logging(objectid, root);
+- if (IS_ERR(inode))
+- return NULL;
+- return inode;
+-}
+-
+ /* replays a single extent in 'eb' at 'slot' with 'key' into the
+ * subvolume 'root'. path is released on entry and should be released
+ * on exit.
+@@ -671,9 +659,9 @@ static noinline int replay_one_extent(struct btrfs_trans_handle *trans,
+ return 0;
+ }
+
+- inode = read_one_inode(root, key->objectid);
+- if (!inode)
+- return -EIO;
++ inode = btrfs_iget_logging(key->objectid, root);
++ if (IS_ERR(inode))
++ return PTR_ERR(inode);
+
+ /*
+ * first check to see if we already have this extent in the
+@@ -945,9 +933,10 @@ static noinline int drop_one_dir_item(struct btrfs_trans_handle *trans,
+
+ btrfs_release_path(path);
+
+- inode = read_one_inode(root, location.objectid);
+- if (!inode) {
+- ret = -EIO;
++ inode = btrfs_iget_logging(location.objectid, root);
++ if (IS_ERR(inode)) {
++ ret = PTR_ERR(inode);
++ inode = NULL;
+ goto out;
+ }
+
+@@ -1166,10 +1155,10 @@ static inline int __add_inode_ref(struct btrfs_trans_handle *trans,
+ kfree(victim_name.name);
+ return ret;
+ } else if (!ret) {
+- ret = -ENOENT;
+- victim_parent = read_one_inode(root,
+- parent_objectid);
+- if (victim_parent) {
++ victim_parent = btrfs_iget_logging(parent_objectid, root);
++ if (IS_ERR(victim_parent)) {
++ ret = PTR_ERR(victim_parent);
++ } else {
+ inc_nlink(&inode->vfs_inode);
+ btrfs_release_path(path);
+
+@@ -1314,9 +1303,9 @@ static int unlink_old_inode_refs(struct btrfs_trans_handle *trans,
+ struct btrfs_inode *dir;
+
+ btrfs_release_path(path);
+- dir = read_one_inode(root, parent_id);
+- if (!dir) {
+- ret = -ENOENT;
++ dir = btrfs_iget_logging(parent_id, root);
++ if (IS_ERR(dir)) {
++ ret = PTR_ERR(dir);
+ kfree(name.name);
+ goto out;
+ }
+@@ -1388,15 +1377,17 @@ static noinline int add_inode_ref(struct btrfs_trans_handle *trans,
+ * copy the back ref in. The link count fixup code will take
+ * care of the rest
+ */
+- dir = read_one_inode(root, parent_objectid);
+- if (!dir) {
+- ret = -ENOENT;
++ dir = btrfs_iget_logging(parent_objectid, root);
++ if (IS_ERR(dir)) {
++ ret = PTR_ERR(dir);
++ dir = NULL;
+ goto out;
+ }
+
+- inode = read_one_inode(root, inode_objectid);
+- if (!inode) {
+- ret = -EIO;
++ inode = btrfs_iget_logging(inode_objectid, root);
++ if (IS_ERR(inode)) {
++ ret = PTR_ERR(inode);
++ inode = NULL;
+ goto out;
+ }
+
+@@ -1408,11 +1399,13 @@ static noinline int add_inode_ref(struct btrfs_trans_handle *trans,
+ * parent object can change from one array
+ * item to another.
+ */
+- if (!dir)
+- dir = read_one_inode(root, parent_objectid);
+ if (!dir) {
+- ret = -ENOENT;
+- goto out;
++ dir = btrfs_iget_logging(parent_objectid, root);
++ if (IS_ERR(dir)) {
++ ret = PTR_ERR(dir);
++ dir = NULL;
++ goto out;
++ }
+ }
+ } else {
+ ret = ref_get_fields(eb, ref_ptr, &name, &ref_index);
+@@ -1681,9 +1674,9 @@ static noinline int fixup_inode_link_counts(struct btrfs_trans_handle *trans,
+ break;
+
+ btrfs_release_path(path);
+- inode = read_one_inode(root, key.offset);
+- if (!inode) {
+- ret = -EIO;
++ inode = btrfs_iget_logging(key.offset, root);
++ if (IS_ERR(inode)) {
++ ret = PTR_ERR(inode);
+ break;
+ }
+
+@@ -1719,9 +1712,9 @@ static noinline int link_to_fixup_dir(struct btrfs_trans_handle *trans,
+ struct btrfs_inode *inode;
+ struct inode *vfs_inode;
+
+- inode = read_one_inode(root, objectid);
+- if (!inode)
+- return -EIO;
++ inode = btrfs_iget_logging(objectid, root);
++ if (IS_ERR(inode))
++ return PTR_ERR(inode);
+
+ vfs_inode = &inode->vfs_inode;
+ key.objectid = BTRFS_TREE_LOG_FIXUP_OBJECTID;
+@@ -1760,14 +1753,14 @@ static noinline int insert_one_name(struct btrfs_trans_handle *trans,
+ struct btrfs_inode *dir;
+ int ret;
+
+- inode = read_one_inode(root, location->objectid);
+- if (!inode)
+- return -ENOENT;
++ inode = btrfs_iget_logging(location->objectid, root);
++ if (IS_ERR(inode))
++ return PTR_ERR(inode);
+
+- dir = read_one_inode(root, dirid);
+- if (!dir) {
++ dir = btrfs_iget_logging(dirid, root);
++ if (IS_ERR(dir)) {
+ iput(&inode->vfs_inode);
+- return -EIO;
++ return PTR_ERR(dir);
+ }
+
+ ret = btrfs_add_link(trans, dir, inode, name, 1, index);
+@@ -1844,9 +1837,9 @@ static noinline int replay_one_name(struct btrfs_trans_handle *trans,
+ bool update_size = true;
+ bool name_added = false;
+
+- dir = read_one_inode(root, key->objectid);
+- if (!dir)
+- return -EIO;
++ dir = btrfs_iget_logging(key->objectid, root);
++ if (IS_ERR(dir))
++ return PTR_ERR(dir);
+
+ ret = read_alloc_one_name(eb, di + 1, btrfs_dir_name_len(eb, di), &name);
+ if (ret)
+@@ -2146,9 +2139,10 @@ static noinline int check_item_in_log(struct btrfs_trans_handle *trans,
+ btrfs_dir_item_key_to_cpu(eb, di, &location);
+ btrfs_release_path(path);
+ btrfs_release_path(log_path);
+- inode = read_one_inode(root, location.objectid);
+- if (!inode) {
+- ret = -EIO;
++ inode = btrfs_iget_logging(location.objectid, root);
++ if (IS_ERR(inode)) {
++ ret = PTR_ERR(inode);
++ inode = NULL;
+ goto out;
+ }
+
+@@ -2300,14 +2294,17 @@ static noinline int replay_dir_deletes(struct btrfs_trans_handle *trans,
+ if (!log_path)
+ return -ENOMEM;
+
+- dir = read_one_inode(root, dirid);
+- /* it isn't an error if the inode isn't there, that can happen
+- * because we replay the deletes before we copy in the inode item
+- * from the log
++ dir = btrfs_iget_logging(dirid, root);
++ /*
++ * It isn't an error if the inode isn't there, that can happen because
++ * we replay the deletes before we copy in the inode item from the log.
+ */
+- if (!dir) {
++ if (IS_ERR(dir)) {
+ btrfs_free_path(log_path);
+- return 0;
++ ret = PTR_ERR(dir);
++ if (ret == -ENOENT)
++ ret = 0;
++ return ret;
+ }
+
+ range_start = 0;
+@@ -2466,9 +2463,9 @@ static int replay_one_buffer(struct btrfs_root *log, struct extent_buffer *eb,
+ struct btrfs_inode *inode;
+ u64 from;
+
+- inode = read_one_inode(root, key.objectid);
+- if (!inode) {
+- ret = -EIO;
++ inode = btrfs_iget_logging(key.objectid, root);
++ if (IS_ERR(inode)) {
++ ret = PTR_ERR(inode);
+ break;
+ }
+ from = ALIGN(i_size_read(&inode->vfs_inode),
+--
+2.39.5
+
--- /dev/null
+From 9f3597b6313a535a6c6d70b27db36d524dfabb40 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Jun 2025 12:11:58 +0100
+Subject: btrfs: fix iteration of extrefs during log replay
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 54a7081ed168b72a8a2d6ef4ba3a1259705a2926 ]
+
+At __inode_add_ref() when processing extrefs, if we jump into the next
+label we have an undefined value of victim_name.len, since we haven't
+initialized it before we did the goto. This results in an invalid memory
+access in the next iteration of the loop since victim_name.len was not
+initialized to the length of the name of the current extref.
+
+Fix this by initializing victim_name.len with the current extref's name
+length.
+
+Fixes: e43eec81c516 ("btrfs: use struct qstr instead of name and namelen pairs")
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/tree-log.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
+index cc223c3b39c10..118db10464207 100644
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -1145,13 +1145,13 @@ static inline int __add_inode_ref(struct btrfs_trans_handle *trans,
+ struct fscrypt_str victim_name;
+
+ extref = (struct btrfs_inode_extref *)(base + cur_offset);
++ victim_name.len = btrfs_inode_extref_name_len(leaf, extref);
+
+ if (btrfs_inode_extref_parent(leaf, extref) != parent_objectid)
+ goto next;
+
+ ret = read_alloc_one_name(leaf, &extref->name,
+- btrfs_inode_extref_name_len(leaf, extref),
+- &victim_name);
++ victim_name.len, &victim_name);
+ if (ret)
+ return ret;
+
+--
+2.39.5
+
--- /dev/null
+From 36c48910bcf47e502c02bd143177254338ad5b55 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 16:57:07 +0100
+Subject: btrfs: fix missing error handling when searching for inode refs
+ during log replay
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 6561a40ceced9082f50c374a22d5966cf9fc5f5c ]
+
+During log replay, at __add_inode_ref(), when we are searching for inode
+ref keys we totally ignore if btrfs_search_slot() returns an error. This
+may make a log replay succeed when there was an actual error and leave
+some metadata inconsistency in a subvolume tree. Fix this by checking if
+an error was returned from btrfs_search_slot() and if so, return it to
+the caller.
+
+Fixes: e02119d5a7b4 ("Btrfs: Add a write ahead tree log to optimize synchronous operations")
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/tree-log.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
+index ef9660eabf0c6..cc223c3b39c10 100644
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -1070,7 +1070,9 @@ static inline int __add_inode_ref(struct btrfs_trans_handle *trans,
+ search_key.type = BTRFS_INODE_REF_KEY;
+ search_key.offset = parent_objectid;
+ ret = btrfs_search_slot(NULL, root, &search_key, path, 0, 0);
+- if (ret == 0) {
++ if (ret < 0) {
++ return ret;
++ } else if (ret == 0) {
+ struct btrfs_inode_ref *victim_ref;
+ unsigned long ptr;
+ unsigned long ptr_end;
+--
+2.39.5
+
--- /dev/null
+From b4765dc4d0808eb551f517604f5cdff6738ea9a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 15:54:05 +0100
+Subject: btrfs: propagate last_unlink_trans earlier when doing a rmdir
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit c466e33e729a0ee017d10d919cba18f503853c60 ]
+
+In case the removed directory had a snapshot that was deleted, we are
+propagating its inode's last_unlink_trans to the parent directory after
+we removed the entry from the parent directory. This leaves a small race
+window where someone can log the parent directory after we removed the
+entry and before we updated last_unlink_trans, and as a result if we ever
+try to replay such a log tree, we will fail since we will attempt to
+remove a snapshot during log replay, which is currently not possible and
+results in the log replay (and mount) to fail. This is the type of failure
+described in commit 1ec9a1ae1e30 ("Btrfs: fix unreplayable log after
+snapshot delete + parent dir fsync").
+
+So fix this by propagating the last_unlink_trans to the parent directory
+before we remove the entry from it.
+
+Fixes: 44f714dae50a ("Btrfs: improve performance on fsync against new inode after rename/unlink")
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/inode.c | 36 ++++++++++++++++++------------------
+ 1 file changed, 18 insertions(+), 18 deletions(-)
+
+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
+index 391172b443e50..24db00a9319b3 100644
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -4724,7 +4724,6 @@ static int btrfs_rmdir(struct inode *dir, struct dentry *dentry)
+ struct btrfs_fs_info *fs_info = BTRFS_I(inode)->root->fs_info;
+ int ret = 0;
+ struct btrfs_trans_handle *trans;
+- u64 last_unlink_trans;
+ struct fscrypt_name fname;
+
+ if (inode->i_size > BTRFS_EMPTY_DIR_SIZE)
+@@ -4750,6 +4749,23 @@ static int btrfs_rmdir(struct inode *dir, struct dentry *dentry)
+ goto out_notrans;
+ }
+
++ /*
++ * Propagate the last_unlink_trans value of the deleted dir to its
++ * parent directory. This is to prevent an unrecoverable log tree in the
++ * case we do something like this:
++ * 1) create dir foo
++ * 2) create snapshot under dir foo
++ * 3) delete the snapshot
++ * 4) rmdir foo
++ * 5) mkdir foo
++ * 6) fsync foo or some file inside foo
++ *
++ * This is because we can't unlink other roots when replaying the dir
++ * deletes for directory foo.
++ */
++ if (BTRFS_I(inode)->last_unlink_trans >= trans->transid)
++ BTRFS_I(dir)->last_unlink_trans = BTRFS_I(inode)->last_unlink_trans;
++
+ if (unlikely(btrfs_ino(BTRFS_I(inode)) == BTRFS_EMPTY_SUBVOL_DIR_OBJECTID)) {
+ ret = btrfs_unlink_subvol(trans, BTRFS_I(dir), dentry);
+ goto out;
+@@ -4759,27 +4775,11 @@ static int btrfs_rmdir(struct inode *dir, struct dentry *dentry)
+ if (ret)
+ goto out;
+
+- last_unlink_trans = BTRFS_I(inode)->last_unlink_trans;
+-
+ /* now the directory is empty */
+ ret = btrfs_unlink_inode(trans, BTRFS_I(dir), BTRFS_I(d_inode(dentry)),
+ &fname.disk_name);
+- if (!ret) {
++ if (!ret)
+ btrfs_i_size_write(BTRFS_I(inode), 0);
+- /*
+- * Propagate the last_unlink_trans value of the deleted dir to
+- * its parent directory. This is to prevent an unrecoverable
+- * log tree in the case we do something like this:
+- * 1) create dir foo
+- * 2) create snapshot under dir foo
+- * 3) delete the snapshot
+- * 4) rmdir foo
+- * 5) mkdir foo
+- * 6) fsync foo or some file inside foo
+- */
+- if (last_unlink_trans >= trans->transid)
+- BTRFS_I(dir)->last_unlink_trans = last_unlink_trans;
+- }
+ out:
+ btrfs_end_transaction(trans);
+ out_notrans:
+--
+2.39.5
+
--- /dev/null
+From 84213d552a51c59cfc55732e455b3c65c96412fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Jun 2025 13:13:38 +0100
+Subject: btrfs: record new subvolume in parent dir earlier to avoid dir
+ logging races
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit bf5bcf9a6fa070ec8a725b08db63fb1318f77366 ]
+
+Instead of recording that a new subvolume was created in a directory after
+we add the entry do the directory, record it before adding the entry. This
+is to avoid races where after creating the entry and before recording the
+new subvolume in the directory (the call to btrfs_record_new_subvolume()),
+another task logs the directory, so we end up with a log tree where we
+logged a directory that has an entry pointing to a root that was not yet
+committed, resulting in an invalid entry if the log is persisted and
+replayed later due to a power failure or crash.
+
+Also state this requirement in the function comment for
+btrfs_record_new_subvolume(), similar to what we do for the
+btrfs_record_unlink_dir() and btrfs_record_snapshot_destroy().
+
+Fixes: 45c4102f0d82 ("btrfs: avoid transaction commit on any fsync after subvolume creation")
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/ioctl.c | 4 ++--
+ fs/btrfs/tree-log.c | 2 ++
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
+index 63aeacc549457..b70ef4455610a 100644
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -666,14 +666,14 @@ static noinline int create_subvol(struct mnt_idmap *idmap,
+ goto out;
+ }
+
++ btrfs_record_new_subvolume(trans, BTRFS_I(dir));
++
+ ret = btrfs_create_new_inode(trans, &new_inode_args);
+ if (ret) {
+ btrfs_abort_transaction(trans, ret);
+ goto out;
+ }
+
+- btrfs_record_new_subvolume(trans, BTRFS_I(dir));
+-
+ d_instantiate_new(dentry, new_inode_args.inode);
+ new_inode_args.inode = NULL;
+
+diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
+index f8611ec11da9d..e05140ce95be9 100644
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -7444,6 +7444,8 @@ void btrfs_record_snapshot_destroy(struct btrfs_trans_handle *trans,
+ * full log sync.
+ * Also we don't need to worry with renames, since btrfs_rename() marks the log
+ * for full commit when renaming a subvolume.
++ *
++ * Must be called before creating the subvolume entry in its parent directory.
+ */
+ void btrfs_record_new_subvolume(const struct btrfs_trans_handle *trans,
+ struct btrfs_inode *dir)
+--
+2.39.5
+
--- /dev/null
+From 1bf781bd5e1000ba269800ee7e370aa666c10c92 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 16:37:01 +0100
+Subject: btrfs: use btrfs_record_snapshot_destroy() during rmdir
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 157501b0469969fc1ba53add5049575aadd79d80 ]
+
+We are setting the parent directory's last_unlink_trans directly which
+may result in a concurrent task starting to log the directory not see the
+update and therefore can log the directory after we removed a child
+directory which had a snapshot within instead of falling back to a
+transaction commit. Replaying such a log tree would result in a mount
+failure since we can't currently delete snapshots (and subvolumes) during
+log replay. This is the type of failure described in commit 1ec9a1ae1e30
+("Btrfs: fix unreplayable log after snapshot delete + parent dir fsync").
+
+Fix this by using btrfs_record_snapshot_destroy() which updates the
+last_unlink_trans field while holding the inode's log_mutex lock.
+
+Fixes: 44f714dae50a ("Btrfs: improve performance on fsync against new inode after rename/unlink")
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
+index 24db00a9319b3..f18f4d59d389e 100644
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -4764,7 +4764,7 @@ static int btrfs_rmdir(struct inode *dir, struct dentry *dentry)
+ * deletes for directory foo.
+ */
+ if (BTRFS_I(inode)->last_unlink_trans >= trans->transid)
+- BTRFS_I(dir)->last_unlink_trans = BTRFS_I(inode)->last_unlink_trans;
++ btrfs_record_snapshot_destroy(trans, BTRFS_I(dir));
+
+ if (unlikely(btrfs_ino(BTRFS_I(inode)) == BTRFS_EMPTY_SUBVOL_DIR_OBJECTID)) {
+ ret = btrfs_unlink_subvol(trans, BTRFS_I(dir), dentry);
+--
+2.39.5
+
--- /dev/null
+From a7bf06420e6225309c3bda8ee2c7b5c269ebb670 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jun 2025 21:30:03 +0800
+Subject: dpaa2-eth: fix xdp_rxq_info leak
+
+From: Fushuai Wang <wangfushuai@baidu.com>
+
+[ Upstream commit 2def09ead4ad5907988b655d1e1454003aaf8297 ]
+
+The driver registered xdp_rxq_info structures via xdp_rxq_info_reg()
+but failed to properly unregister them in error paths and during
+removal.
+
+Fixes: d678be1dc1ec ("dpaa2-eth: add XDP_REDIRECT support")
+Signed-off-by: Fushuai Wang <wangfushuai@baidu.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Ioana Ciornei <ioana.ciornei@nxp.com>
+Link: https://patch.msgid.link/20250626133003.80136-1-wangfushuai@baidu.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/freescale/dpaa2/dpaa2-eth.c | 26 +++++++++++++++++--
+ 1 file changed, 24 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
+index 29886a8ba73f3..efd0048acd3b2 100644
+--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
+@@ -3928,6 +3928,7 @@ static int dpaa2_eth_setup_rx_flow(struct dpaa2_eth_priv *priv,
+ MEM_TYPE_PAGE_ORDER0, NULL);
+ if (err) {
+ dev_err(dev, "xdp_rxq_info_reg_mem_model failed\n");
++ xdp_rxq_info_unreg(&fq->channel->xdp_rxq);
+ return err;
+ }
+
+@@ -4421,17 +4422,25 @@ static int dpaa2_eth_bind_dpni(struct dpaa2_eth_priv *priv)
+ return -EINVAL;
+ }
+ if (err)
+- return err;
++ goto out;
+ }
+
+ err = dpni_get_qdid(priv->mc_io, 0, priv->mc_token,
+ DPNI_QUEUE_TX, &priv->tx_qdid);
+ if (err) {
+ dev_err(dev, "dpni_get_qdid() failed\n");
+- return err;
++ goto out;
+ }
+
+ return 0;
++
++out:
++ while (i--) {
++ if (priv->fq[i].type == DPAA2_RX_FQ &&
++ xdp_rxq_info_is_reg(&priv->fq[i].channel->xdp_rxq))
++ xdp_rxq_info_unreg(&priv->fq[i].channel->xdp_rxq);
++ }
++ return err;
+ }
+
+ /* Allocate rings for storing incoming frame descriptors */
+@@ -4814,6 +4823,17 @@ static void dpaa2_eth_del_ch_napi(struct dpaa2_eth_priv *priv)
+ }
+ }
+
++static void dpaa2_eth_free_rx_xdp_rxq(struct dpaa2_eth_priv *priv)
++{
++ int i;
++
++ for (i = 0; i < priv->num_fqs; i++) {
++ if (priv->fq[i].type == DPAA2_RX_FQ &&
++ xdp_rxq_info_is_reg(&priv->fq[i].channel->xdp_rxq))
++ xdp_rxq_info_unreg(&priv->fq[i].channel->xdp_rxq);
++ }
++}
++
+ static int dpaa2_eth_probe(struct fsl_mc_device *dpni_dev)
+ {
+ struct device *dev;
+@@ -5017,6 +5037,7 @@ static int dpaa2_eth_probe(struct fsl_mc_device *dpni_dev)
+ free_percpu(priv->percpu_stats);
+ err_alloc_percpu_stats:
+ dpaa2_eth_del_ch_napi(priv);
++ dpaa2_eth_free_rx_xdp_rxq(priv);
+ err_bind:
+ dpaa2_eth_free_dpbps(priv);
+ err_dpbp_setup:
+@@ -5069,6 +5090,7 @@ static void dpaa2_eth_remove(struct fsl_mc_device *ls_dev)
+ free_percpu(priv->percpu_extras);
+
+ dpaa2_eth_del_ch_napi(priv);
++ dpaa2_eth_free_rx_xdp_rxq(priv);
+ dpaa2_eth_free_dpbps(priv);
+ dpaa2_eth_free_dpio(priv);
+ dpaa2_eth_free_dpni(priv);
+--
+2.39.5
+
--- /dev/null
+From 6e21bc3490e20d147b8b2c563de229475cea9ca2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Jun 2025 18:52:04 +0300
+Subject: drm/bridge: aux-hpd-bridge: fix assignment of the of_node
+
+From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+
+[ Upstream commit e8537cad824065b0425fb0429e762e14a08067c2 ]
+
+Perform fix similar to the one in the commit 85e444a68126 ("drm/bridge:
+Fix assignment of the of_node of the parent to aux bridge").
+
+The assignment of the of_node to the aux HPD bridge needs to mark the
+of_node as reused, otherwise driver core will attempt to bind resources
+like pinctrl, which is going to fail as corresponding pins are already
+marked as used by the parent device.
+Fix that by using the device_set_of_node_from_dev() helper instead of
+assigning it directly.
+
+Fixes: e560518a6c2e ("drm/bridge: implement generic DP HPD bridge")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://lore.kernel.org/r/20250608-fix-aud-hpd-bridge-v1-1-4641a6f8e381@oss.qualcomm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/aux-hpd-bridge.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/bridge/aux-hpd-bridge.c b/drivers/gpu/drm/bridge/aux-hpd-bridge.c
+index 48f297c78ee67..1ec4f16b9939d 100644
+--- a/drivers/gpu/drm/bridge/aux-hpd-bridge.c
++++ b/drivers/gpu/drm/bridge/aux-hpd-bridge.c
+@@ -64,10 +64,11 @@ struct auxiliary_device *devm_drm_dp_hpd_bridge_alloc(struct device *parent, str
+ adev->id = ret;
+ adev->name = "dp_hpd_bridge";
+ adev->dev.parent = parent;
+- adev->dev.of_node = of_node_get(parent->of_node);
+ adev->dev.release = drm_aux_hpd_bridge_release;
+ adev->dev.platform_data = of_node_get(np);
+
++ device_set_of_node_from_dev(&adev->dev, parent);
++
+ ret = auxiliary_device_init(adev);
+ if (ret) {
+ of_node_put(adev->dev.platform_data);
+--
+2.39.5
+
--- /dev/null
+From e9aa8b54f7238cacfa3533d102d206acc80348ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Feb 2025 17:07:26 +0200
+Subject: drm/bridge: panel: move prepare_prev_first handling to
+ drm_panel_bridge_add_typed
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit eb028cd884e1b0976ff8c5944ee6650fe3ed0a6c ]
+
+The commit 5ea6b1702781 ("drm/panel: Add prepare_prev_first flag to
+drm_panel") and commit 0974687a19c3 ("drm/bridge: panel: Set
+pre_enable_prev_first from drmm_panel_bridge_add") added handling of
+panel's prepare_prev_first to devm_panel_bridge_add() and
+drmm_panel_bridge_add(). However if the driver calls
+drm_panel_bridge_add_typed() directly, then the flag won't be handled
+and thus the drm_bridge.pre_enable_prev_first will not be set.
+
+Move prepare_prev_first handling to the drm_panel_bridge_add_typed() so
+that there is no way to miss the flag.
+
+Fixes: 5ea6b1702781 ("drm/panel: Add prepare_prev_first flag to drm_panel")
+Fixes: 0974687a19c3 ("drm/bridge: panel: Set pre_enable_prev_first from drmm_panel_bridge_add")
+Reported-by: Svyatoslav Ryhel <clamor95@gmail.com>
+Closes: https://lore.kernel.org/dri-devel/CAPVz0n3YZass3Bns1m0XrFxtAC0DKbEPiW6vXimQx97G243sXw@mail.gmail.com/
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://lore.kernel.org/r/20250220-panel_prev_first-v1-1-b9e787825a1a@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/panel.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/bridge/panel.c b/drivers/gpu/drm/bridge/panel.c
+index 258c85c83a283..6c58d0759f227 100644
+--- a/drivers/gpu/drm/bridge/panel.c
++++ b/drivers/gpu/drm/bridge/panel.c
+@@ -298,6 +298,7 @@ struct drm_bridge *drm_panel_bridge_add_typed(struct drm_panel *panel,
+ panel_bridge->bridge.of_node = panel->dev->of_node;
+ panel_bridge->bridge.ops = DRM_BRIDGE_OP_MODES;
+ panel_bridge->bridge.type = connector_type;
++ panel_bridge->bridge.pre_enable_prev_first = panel->prepare_prev_first;
+
+ drm_bridge_add(&panel_bridge->bridge);
+
+@@ -412,8 +413,6 @@ struct drm_bridge *devm_drm_panel_bridge_add_typed(struct device *dev,
+ return bridge;
+ }
+
+- bridge->pre_enable_prev_first = panel->prepare_prev_first;
+-
+ *ptr = bridge;
+ devres_add(dev, ptr);
+
+@@ -455,8 +454,6 @@ struct drm_bridge *drmm_panel_bridge_add(struct drm_device *drm,
+ if (ret)
+ return ERR_PTR(ret);
+
+- bridge->pre_enable_prev_first = panel->prepare_prev_first;
+-
+ return bridge;
+ }
+ EXPORT_SYMBOL(drmm_panel_bridge_add);
+--
+2.39.5
+
--- /dev/null
+From 03cccb6fa3a2e53eb603b0c21dd33a182eee2d1d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 14:06:26 +0200
+Subject: drm/exynos: fimd: Guard display clock control with runtime PM calls
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+[ Upstream commit 5d91394f236167ac624b823820faf4aa928b889e ]
+
+Commit c9b1150a68d9 ("drm/atomic-helper: Re-order bridge chain pre-enable
+and post-disable") changed the call sequence to the CRTC enable/disable
+and bridge pre_enable/post_disable methods, so those bridge methods are
+now called when CRTC is not yet enabled.
+
+This causes a lockup observed on Samsung Peach-Pit/Pi Chromebooks. The
+source of this lockup is a call to fimd_dp_clock_enable() function, when
+FIMD device is not yet runtime resumed. It worked before the mentioned
+commit only because the CRTC implemented by the FIMD driver was always
+enabled what guaranteed the FIMD device to be runtime resumed.
+
+This patch adds runtime PM guards to the fimd_dp_clock_enable() function
+to enable its proper operation also when the CRTC implemented by FIMD is
+not yet enabled.
+
+Fixes: 196e059a8a6a ("drm/exynos: convert clock_enable crtc callback to pipeline clock")
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Reviewed-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+Signed-off-by: Inki Dae <inki.dae@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/exynos/exynos_drm_fimd.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/gpu/drm/exynos/exynos_drm_fimd.c b/drivers/gpu/drm/exynos/exynos_drm_fimd.c
+index c394cc702d7d4..205c238cc73a6 100644
+--- a/drivers/gpu/drm/exynos/exynos_drm_fimd.c
++++ b/drivers/gpu/drm/exynos/exynos_drm_fimd.c
+@@ -187,6 +187,7 @@ struct fimd_context {
+ u32 i80ifcon;
+ bool i80_if;
+ bool suspended;
++ bool dp_clk_enabled;
+ wait_queue_head_t wait_vsync_queue;
+ atomic_t wait_vsync_event;
+ atomic_t win_updated;
+@@ -1047,7 +1048,18 @@ static void fimd_dp_clock_enable(struct exynos_drm_clk *clk, bool enable)
+ struct fimd_context *ctx = container_of(clk, struct fimd_context,
+ dp_clk);
+ u32 val = enable ? DP_MIE_CLK_DP_ENABLE : DP_MIE_CLK_DISABLE;
++
++ if (enable == ctx->dp_clk_enabled)
++ return;
++
++ if (enable)
++ pm_runtime_resume_and_get(ctx->dev);
++
++ ctx->dp_clk_enabled = enable;
+ writel(val, ctx->regs + DP_MIE_CLKCON);
++
++ if (!enable)
++ pm_runtime_put(ctx->dev);
+ }
+
+ static const struct exynos_drm_crtc_ops fimd_crtc_ops = {
+--
+2.39.5
+
--- /dev/null
+From 28a5d8899f8c150852b2adf7b8ea2211cc35ecb8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Apr 2025 23:11:07 +0800
+Subject: drm/i915/gsc: mei interrupt top half should be in irq disabled
+ context
+
+From: Junxiao Chang <junxiao.chang@intel.com>
+
+[ Upstream commit 8cadce97bf264ed478669c6f32d5603b34608335 ]
+
+MEI GSC interrupt comes from i915. It has top half and bottom half.
+Top half is called from i915 interrupt handler. It should be in
+irq disabled context.
+
+With RT kernel, by default i915 IRQ handler is in threaded IRQ. MEI GSC
+top half might be in threaded IRQ context. generic_handle_irq_safe API
+could be called from either IRQ or process context, it disables local
+IRQ then calls MEI GSC interrupt top half.
+
+This change fixes A380/A770 GPU boot hang issue with RT kernel.
+
+Fixes: 1e3dc1d8622b ("drm/i915/gsc: add gsc as a mei auxiliary device")
+Tested-by: Furong Zhou <furong.zhou@intel.com>
+Suggested-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Acked-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Junxiao Chang <junxiao.chang@intel.com>
+Link: https://lore.kernel.org/r/20250425151108.643649-1-junxiao.chang@intel.com
+Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+(cherry picked from commit dccf655f69002d496a527ba441b4f008aa5bebbf)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gt/intel_gsc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i915/gt/intel_gsc.c b/drivers/gpu/drm/i915/gt/intel_gsc.c
+index 1e925c75fb080..c43febc862dc3 100644
+--- a/drivers/gpu/drm/i915/gt/intel_gsc.c
++++ b/drivers/gpu/drm/i915/gt/intel_gsc.c
+@@ -284,7 +284,7 @@ static void gsc_irq_handler(struct intel_gt *gt, unsigned int intf_id)
+ if (gt->gsc.intf[intf_id].irq < 0)
+ return;
+
+- ret = generic_handle_irq(gt->gsc.intf[intf_id].irq);
++ ret = generic_handle_irq_safe(gt->gsc.intf[intf_id].irq);
+ if (ret)
+ gt_err_ratelimited(gt, "error handling GSC irq: %d\n", ret);
+ }
+--
+2.39.5
+
--- /dev/null
+From ae2360644eaafc3db578f90807bcff6434ffc9b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 12:42:13 +0200
+Subject: drm/i915/gt: Fix timeline left held on VMA alloc error
+
+From: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
+
+[ Upstream commit a5aa7bc1fca78c7fa127d9e33aa94a0c9066c1d6 ]
+
+The following error has been reported sporadically by CI when a test
+unbinds the i915 driver on a ring submission platform:
+
+<4> [239.330153] ------------[ cut here ]------------
+<4> [239.330166] i915 0000:00:02.0: [drm] drm_WARN_ON(dev_priv->mm.shrink_count)
+<4> [239.330196] WARNING: CPU: 1 PID: 18570 at drivers/gpu/drm/i915/i915_gem.c:1309 i915_gem_cleanup_early+0x13e/0x150 [i915]
+...
+<4> [239.330640] RIP: 0010:i915_gem_cleanup_early+0x13e/0x150 [i915]
+...
+<4> [239.330942] Call Trace:
+<4> [239.330944] <TASK>
+<4> [239.330949] i915_driver_late_release+0x2b/0xa0 [i915]
+<4> [239.331202] i915_driver_release+0x86/0xa0 [i915]
+<4> [239.331482] devm_drm_dev_init_release+0x61/0x90
+<4> [239.331494] devm_action_release+0x15/0x30
+<4> [239.331504] release_nodes+0x3d/0x120
+<4> [239.331517] devres_release_all+0x96/0xd0
+<4> [239.331533] device_unbind_cleanup+0x12/0x80
+<4> [239.331543] device_release_driver_internal+0x23a/0x280
+<4> [239.331550] ? bus_find_device+0xa5/0xe0
+<4> [239.331563] device_driver_detach+0x14/0x20
+...
+<4> [357.719679] ---[ end trace 0000000000000000 ]---
+
+If the test also unloads the i915 module then that's followed with:
+
+<3> [357.787478] =============================================================================
+<3> [357.788006] BUG i915_vma (Tainted: G U W N ): Objects remaining on __kmem_cache_shutdown()
+<3> [357.788031] -----------------------------------------------------------------------------
+<3> [357.788204] Object 0xffff888109e7f480 @offset=29824
+<3> [357.788670] Allocated in i915_vma_instance+0xee/0xc10 [i915] age=292729 cpu=4 pid=2244
+<4> [357.788994] i915_vma_instance+0xee/0xc10 [i915]
+<4> [357.789290] init_status_page+0x7b/0x420 [i915]
+<4> [357.789532] intel_engines_init+0x1d8/0x980 [i915]
+<4> [357.789772] intel_gt_init+0x175/0x450 [i915]
+<4> [357.790014] i915_gem_init+0x113/0x340 [i915]
+<4> [357.790281] i915_driver_probe+0x847/0xed0 [i915]
+<4> [357.790504] i915_pci_probe+0xe6/0x220 [i915]
+...
+
+Closer analysis of CI results history has revealed a dependency of the
+error on a few IGT tests, namely:
+- igt@api_intel_allocator@fork-simple-stress-signal,
+- igt@api_intel_allocator@two-level-inception-interruptible,
+- igt@gem_linear_blits@interruptible,
+- igt@prime_mmap_coherency@ioctl-errors,
+which invisibly trigger the issue, then exhibited with first driver unbind
+attempt.
+
+All of the above tests perform actions which are actively interrupted with
+signals. Further debugging has allowed to narrow that scope down to
+DRM_IOCTL_I915_GEM_EXECBUFFER2, and ring_context_alloc(), specific to ring
+submission, in particular.
+
+If successful then that function, or its execlists or GuC submission
+equivalent, is supposed to be called only once per GEM context engine,
+followed by raise of a flag that prevents the function from being called
+again. The function is expected to unwind its internal errors itself, so
+it may be safely called once more after it returns an error.
+
+In case of ring submission, the function first gets a reference to the
+engine's legacy timeline and then allocates a VMA. If the VMA allocation
+fails, e.g. when i915_vma_instance() called from inside is interrupted
+with a signal, then ring_context_alloc() fails, leaving the timeline held
+referenced. On next I915_GEM_EXECBUFFER2 IOCTL, another reference to the
+timeline is got, and only that last one is put on successful completion.
+As a consequence, the legacy timeline, with its underlying engine status
+page's VMA object, is still held and not released on driver unbind.
+
+Get the legacy timeline only after successful allocation of the context
+engine's VMA.
+
+v2: Add a note on other submission methods (Krzysztof Karas):
+ Both execlists and GuC submission use lrc_alloc() which seems free
+ from a similar issue.
+
+Fixes: 75d0a7f31eec ("drm/i915: Lift timeline into intel_context")
+Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/12061
+Cc: Chris Wilson <chris.p.wilson@linux.intel.com>
+Cc: Matthew Auld <matthew.auld@intel.com>
+Cc: Krzysztof Karas <krzysztof.karas@intel.com>
+Reviewed-by: Sebastian Brzezinka <sebastian.brzezinka@intel.com>
+Reviewed-by: Krzysztof Niemiec <krzysztof.niemiec@intel.com>
+Signed-off-by: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
+Reviewed-by: Nitin Gote <nitin.r.gote@intel.com>
+Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
+Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
+Link: https://lore.kernel.org/r/20250611104352.1014011-2-janusz.krzysztofik@linux.intel.com
+(cherry picked from commit cc43422b3cc79eacff4c5a8ba0d224688ca9dd4f)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gt/intel_ring_submission.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i915/gt/intel_ring_submission.c b/drivers/gpu/drm/i915/gt/intel_ring_submission.c
+index 6e9977b2d1802..44a4b6723582f 100644
+--- a/drivers/gpu/drm/i915/gt/intel_ring_submission.c
++++ b/drivers/gpu/drm/i915/gt/intel_ring_submission.c
+@@ -604,7 +604,6 @@ static int ring_context_alloc(struct intel_context *ce)
+ /* One ringbuffer to rule them all */
+ GEM_BUG_ON(!engine->legacy.ring);
+ ce->ring = engine->legacy.ring;
+- ce->timeline = intel_timeline_get(engine->legacy.timeline);
+
+ GEM_BUG_ON(ce->state);
+ if (engine->context_size) {
+@@ -617,6 +616,8 @@ static int ring_context_alloc(struct intel_context *ce)
+ ce->state = vma;
+ }
+
++ ce->timeline = intel_timeline_get(engine->legacy.timeline);
++
+ return 0;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 1d4ef85f62f6cf79443677c8594a7109ae6ca0ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jun 2025 10:21:58 -0500
+Subject: drm/i915/selftests: Change mock_request() to return error pointers
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit caa7c7a76b78ce41d347003f84975125383e6b59 ]
+
+There was an error pointer vs NULL bug in __igt_breadcrumbs_smoketest().
+The __mock_request_alloc() function implements the
+smoketest->request_alloc() function pointer. It was supposed to return
+error pointers, but it propogates the NULL return from mock_request()
+so in the event of a failure, it would lead to a NULL pointer
+dereference.
+
+To fix this, change the mock_request() function to return error pointers
+and update all the callers to expect that.
+
+Fixes: 52c0fdb25c7c ("drm/i915: Replace global breadcrumbs with per-context interrupt tracking")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Link: https://lore.kernel.org/r/685c1417.050a0220.696f5.5c05@mx.google.com
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+(cherry picked from commit 778fa8ad5f0f23397d045c7ebca048ce8def1c43)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/selftests/i915_request.c | 20 +++++++++----------
+ drivers/gpu/drm/i915/selftests/mock_request.c | 2 +-
+ 2 files changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/selftests/i915_request.c b/drivers/gpu/drm/i915/selftests/i915_request.c
+index 88870844b5bd9..2fb7a9e7efec6 100644
+--- a/drivers/gpu/drm/i915/selftests/i915_request.c
++++ b/drivers/gpu/drm/i915/selftests/i915_request.c
+@@ -73,8 +73,8 @@ static int igt_add_request(void *arg)
+ /* Basic preliminary test to create a request and let it loose! */
+
+ request = mock_request(rcs0(i915)->kernel_context, HZ / 10);
+- if (!request)
+- return -ENOMEM;
++ if (IS_ERR(request))
++ return PTR_ERR(request);
+
+ i915_request_add(request);
+
+@@ -91,8 +91,8 @@ static int igt_wait_request(void *arg)
+ /* Submit a request, then wait upon it */
+
+ request = mock_request(rcs0(i915)->kernel_context, T);
+- if (!request)
+- return -ENOMEM;
++ if (IS_ERR(request))
++ return PTR_ERR(request);
+
+ i915_request_get(request);
+
+@@ -160,8 +160,8 @@ static int igt_fence_wait(void *arg)
+ /* Submit a request, treat it as a fence and wait upon it */
+
+ request = mock_request(rcs0(i915)->kernel_context, T);
+- if (!request)
+- return -ENOMEM;
++ if (IS_ERR(request))
++ return PTR_ERR(request);
+
+ if (dma_fence_wait_timeout(&request->fence, false, T) != -ETIME) {
+ pr_err("fence wait success before submit (expected timeout)!\n");
+@@ -219,8 +219,8 @@ static int igt_request_rewind(void *arg)
+ GEM_BUG_ON(IS_ERR(ce));
+ request = mock_request(ce, 2 * HZ);
+ intel_context_put(ce);
+- if (!request) {
+- err = -ENOMEM;
++ if (IS_ERR(request)) {
++ err = PTR_ERR(request);
+ goto err_context_0;
+ }
+
+@@ -237,8 +237,8 @@ static int igt_request_rewind(void *arg)
+ GEM_BUG_ON(IS_ERR(ce));
+ vip = mock_request(ce, 0);
+ intel_context_put(ce);
+- if (!vip) {
+- err = -ENOMEM;
++ if (IS_ERR(vip)) {
++ err = PTR_ERR(vip);
+ goto err_context_1;
+ }
+
+diff --git a/drivers/gpu/drm/i915/selftests/mock_request.c b/drivers/gpu/drm/i915/selftests/mock_request.c
+index 09f747228dff5..1b0cf073e9643 100644
+--- a/drivers/gpu/drm/i915/selftests/mock_request.c
++++ b/drivers/gpu/drm/i915/selftests/mock_request.c
+@@ -35,7 +35,7 @@ mock_request(struct intel_context *ce, unsigned long delay)
+ /* NB the i915->requests slab cache is enlarged to fit mock_request */
+ request = intel_context_create_request(ce);
+ if (IS_ERR(request))
+- return NULL;
++ return request;
+
+ request->mock.delay = delay;
+ return request;
+--
+2.39.5
+
--- /dev/null
+From f5bba720698fbc21c6c8d6f72cd368187ed2e213 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 May 2025 09:33:32 -0700
+Subject: drm/msm: Fix a fence leak in submit error path
+
+From: Rob Clark <robdclark@chromium.org>
+
+[ Upstream commit 5d319f75ccf7f0927425a7545aa1a22b3eedc189 ]
+
+In error paths, we could unref the submit without calling
+drm_sched_entity_push_job(), so msm_job_free() will never get
+called. Since drm_sched_job_cleanup() will NULL out the
+s_fence, we can use that to detect this case.
+
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Patchwork: https://patchwork.freedesktop.org/patch/653584/
+Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/msm_gem_submit.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
+index 3e9aa2cc38ef9..b2aeaecaa39b3 100644
+--- a/drivers/gpu/drm/msm/msm_gem_submit.c
++++ b/drivers/gpu/drm/msm/msm_gem_submit.c
+@@ -85,6 +85,15 @@ void __msm_gem_submit_destroy(struct kref *kref)
+ container_of(kref, struct msm_gem_submit, ref);
+ unsigned i;
+
++ /*
++ * In error paths, we could unref the submit without calling
++ * drm_sched_entity_push_job(), so msm_job_free() will never
++ * get called. Since drm_sched_job_cleanup() will NULL out
++ * s_fence, we can use that to detect this case.
++ */
++ if (submit->base.s_fence)
++ drm_sched_job_cleanup(&submit->base);
++
+ if (submit->fence_id) {
+ spin_lock(&submit->queue->idr_lock);
+ idr_remove(&submit->queue->fence_idr, submit->fence_id);
+--
+2.39.5
+
--- /dev/null
+From 8f08787b49c743fe58cf596fa26923dc03a5f2ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 May 2025 09:33:33 -0700
+Subject: drm/msm: Fix another leak in the submit error path
+
+From: Rob Clark <robdclark@chromium.org>
+
+[ Upstream commit f681c2aa8676a890eacc84044717ab0fd26e058f ]
+
+put_unused_fd() doesn't free the installed file, if we've already done
+fd_install(). So we need to also free the sync_file.
+
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Patchwork: https://patchwork.freedesktop.org/patch/653583/
+Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/msm_gem_submit.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
+index b2aeaecaa39b3..d4f71bb54e84c 100644
+--- a/drivers/gpu/drm/msm/msm_gem_submit.c
++++ b/drivers/gpu/drm/msm/msm_gem_submit.c
+@@ -658,6 +658,7 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data,
+ struct msm_ringbuffer *ring;
+ struct msm_submit_post_dep *post_deps = NULL;
+ struct drm_syncobj **syncobjs_to_reset = NULL;
++ struct sync_file *sync_file = NULL;
+ int out_fence_fd = -1;
+ unsigned i;
+ int ret;
+@@ -867,7 +868,7 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data,
+ }
+
+ if (ret == 0 && args->flags & MSM_SUBMIT_FENCE_FD_OUT) {
+- struct sync_file *sync_file = sync_file_create(submit->user_fence);
++ sync_file = sync_file_create(submit->user_fence);
+ if (!sync_file) {
+ ret = -ENOMEM;
+ } else {
+@@ -901,8 +902,11 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data,
+ out_unlock:
+ mutex_unlock(&queue->lock);
+ out_post_unlock:
+- if (ret && (out_fence_fd >= 0))
++ if (ret && (out_fence_fd >= 0)) {
+ put_unused_fd(out_fence_fd);
++ if (sync_file)
++ fput(sync_file->file);
++ }
+
+ if (!IS_ERR_OR_NULL(submit)) {
+ msm_gem_submit_put(submit);
+--
+2.39.5
+
--- /dev/null
+From 2e7f386f232cea28192f42a11bab658cb24bb046 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 15:29:26 -0400
+Subject: drm/vmwgfx: Fix guests running with TDX/SEV
+
+From: Marko Kiiskila <marko.kiiskila@broadcom.com>
+
+[ Upstream commit 7dfede7d7edd18c0c91ca854cde8eaaf4ccf97ea ]
+
+Commit 81256a50aa0f ("x86/mm: Make memremap(MEMREMAP_WB) map memory as
+encrypted by default") changed the default behavior of
+memremap(MEMREMAP_WB) and started mapping memory as encrypted.
+The driver requires the fifo memory to be decrypted to communicate with
+the host but was relaying on the old default behavior of
+memremap(MEMREMAP_WB) and thus broke.
+
+Fix it by explicitly specifying the desired behavior and passing
+MEMREMAP_DEC to memremap.
+
+Fixes: 81256a50aa0f ("x86/mm: Make memremap(MEMREMAP_WB) map memory as encrypted by default")
+Signed-off-by: Marko Kiiskila <marko.kiiskila@broadcom.com>
+Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
+Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: linux-mm@kvack.org
+Cc: linux-kernel@vger.kernel.org
+Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Link: https://lore.kernel.org/r/20250618192926.1092450-1-zack.rusin@broadcom.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_drv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
+index 0f32471c85332..55c822a61b9ad 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
+@@ -769,7 +769,7 @@ static int vmw_setup_pci_resources(struct vmw_private *dev,
+ dev->fifo_mem = devm_memremap(dev->drm.dev,
+ fifo_start,
+ fifo_size,
+- MEMREMAP_WB);
++ MEMREMAP_WB | MEMREMAP_DEC);
+
+ if (IS_ERR(dev->fifo_mem)) {
+ drm_err(&dev->drm,
+--
+2.39.5
+
--- /dev/null
+From 6ec28634146caff107a000bdab8cee5c15add3d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 13:30:35 -0700
+Subject: drm/xe: Allow dropping kunit dependency as built-in
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Harry Austen <hpausten@protonmail.com>
+
+[ Upstream commit aa18d5769fcafe645a3ba01a9a69dde4f8dc8cc3 ]
+
+Fix Kconfig symbol dependency on KUNIT, which isn't actually required
+for XE to be built-in. However, if KUNIT is enabled, it must be built-in
+too.
+
+Fixes: 08987a8b6820 ("drm/xe: Fix build with KUNIT=m")
+Cc: Lucas De Marchi <lucas.demarchi@intel.com>
+Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Cc: Jani Nikula <jani.nikula@linux.intel.com>
+Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Signed-off-by: Harry Austen <hpausten@protonmail.com>
+Reviewed-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Acked-by: Randy Dunlap <rdunlap@infradead.org>
+Tested-by: Randy Dunlap <rdunlap@infradead.org>
+Link: https://lore.kernel.org/r/20250627-xe-kunit-v2-2-756fe5cd56cf@intel.com
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+(cherry picked from commit a559434880b320b83733d739733250815aecf1b0)
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xe/Kconfig | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/xe/Kconfig b/drivers/gpu/drm/xe/Kconfig
+index 9a46aafcb33ba..0dc3512876b3a 100644
+--- a/drivers/gpu/drm/xe/Kconfig
++++ b/drivers/gpu/drm/xe/Kconfig
+@@ -1,7 +1,8 @@
+ # SPDX-License-Identifier: GPL-2.0-only
+ config DRM_XE
+ tristate "Intel Xe Graphics"
+- depends on DRM && PCI && MMU && (m || (y && KUNIT=y))
++ depends on DRM && PCI && MMU
++ depends on KUNIT || !KUNIT
+ depends on INTEL_VSEC || !INTEL_VSEC
+ depends on X86_PLATFORM_DEVICES || !(X86 && ACPI)
+ select INTERVAL_TREE
+--
+2.39.5
+
--- /dev/null
+From 821299eeae5d5f476f4663f1be12b3782ff8b86e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jun 2025 00:09:02 -0700
+Subject: drm/xe/bmg: Update Wa_14022085890
+
+From: Vinay Belgaumkar <vinay.belgaumkar@intel.com>
+
+[ Upstream commit a5c7dcdd969f2248cc91d65e5ac852859fc8dac2 ]
+
+Set GT min frequency to 1200Mhz once driver load is complete.
+
+v2: Review comments (Rodrigo)
+v3: Apply Wa earlier so user_req_min is not clobbered.
+v4: Apply to all GTs (Lucas)
+
+Cc: Matt Roper <matthew.d.roper@intel.com>
+Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Vinay Belgaumkar <vinay.belgaumkar@intel.com>
+Reviewed-by: Stuart Summers <stuart.summers@intel.com>
+Link: https://lore.kernel.org/r/20250612-wa-14022085890-v4-3-94ba5dcc1e30@intel.com
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+(cherry picked from commit bdde16c9ac5cb56ad2ee19792222fa1853577af7)
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Stable-dep-of: 84c0b4a00610 ("drm/xe/bmg: Update Wa_22019338487")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xe/xe_guc_pc.c | 5 +++++
+ drivers/gpu/drm/xe/xe_wa_oob.rules | 4 ++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/drivers/gpu/drm/xe/xe_guc_pc.c b/drivers/gpu/drm/xe/xe_guc_pc.c
+index 23a4c525c03bf..28b97a2c14e3b 100644
+--- a/drivers/gpu/drm/xe/xe_guc_pc.c
++++ b/drivers/gpu/drm/xe/xe_guc_pc.c
+@@ -52,6 +52,7 @@
+
+ #define LNL_MERT_FREQ_CAP 800
+ #define BMG_MERT_FREQ_CAP 2133
++#define BMG_MIN_FREQ 1200
+
+ #define SLPC_RESET_TIMEOUT_MS 5 /* roughly 5ms, but no need for precision */
+ #define SLPC_RESET_EXTENDED_TIMEOUT_MS 1000 /* To be used only at pc_start */
+@@ -817,6 +818,7 @@ void xe_guc_pc_init_early(struct xe_guc_pc *pc)
+
+ static int pc_adjust_freq_bounds(struct xe_guc_pc *pc)
+ {
++ struct xe_tile *tile = gt_to_tile(pc_to_gt(pc));
+ int ret;
+
+ lockdep_assert_held(&pc->freq_lock);
+@@ -843,6 +845,9 @@ static int pc_adjust_freq_bounds(struct xe_guc_pc *pc)
+ if (pc_get_min_freq(pc) > pc->rp0_freq)
+ ret = pc_set_min_freq(pc, pc->rp0_freq);
+
++ if (XE_WA(tile->primary_gt, 14022085890))
++ ret = pc_set_min_freq(pc, max(BMG_MIN_FREQ, pc_get_min_freq(pc)));
++
+ out:
+ return ret;
+ }
+diff --git a/drivers/gpu/drm/xe/xe_wa_oob.rules b/drivers/gpu/drm/xe/xe_wa_oob.rules
+index 9efc5accd43d1..320766f6c5dff 100644
+--- a/drivers/gpu/drm/xe/xe_wa_oob.rules
++++ b/drivers/gpu/drm/xe/xe_wa_oob.rules
+@@ -59,3 +59,7 @@ no_media_l3 MEDIA_VERSION(3000)
+ MEDIA_VERSION_RANGE(1301, 3000)
+ 16026508708 GRAPHICS_VERSION_RANGE(1200, 3001)
+ MEDIA_VERSION_RANGE(1300, 3000)
++
++# SoC workaround - currently applies to all platforms with the following
++# primary GT GMDID
++14022085890 GRAPHICS_VERSION(2001)
+--
+2.39.5
+
--- /dev/null
+From 0d9d9a01a8656e6c5c319eec853df1ef8b65b805 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 11:50:01 -0700
+Subject: drm/xe/bmg: Update Wa_22019338487
+
+From: Vinay Belgaumkar <vinay.belgaumkar@intel.com>
+
+[ Upstream commit 84c0b4a00610afbde650fdb8ad6db0424f7b2cc3 ]
+
+Limit GT max frequency to 2600MHz and wait for frequency to reduce
+before proceeding with a transient flush. This is really only needed for
+the transient flush: if L2 flush is needed due to 16023588340 then
+there's no need to do this additional wait since we are already using
+the bigger hammer.
+
+v2: Use generic names, ensure user set max frequency requests wait
+for flush to complete (Rodrigo)
+v3:
+ - User requests wait via wait_var_event_timeout (Lucas)
+ - Close races on flush + user requests (Lucas)
+ - Fix xe_guc_pc_remove_flush_freq_limit() being called on last gt
+ rather than root gt (Lucas)
+v4:
+ - Only apply the freq reducing part if a TDF is needed: L2 flush trumps
+ the need for waiting a lower frequency
+
+Fixes: aaa08078e725 ("drm/xe/bmg: Apply Wa_22019338487")
+Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Vinay Belgaumkar <vinay.belgaumkar@intel.com>
+Link: https://lore.kernel.org/r/20250618-wa-22019338487-v5-4-b888388477f2@intel.com
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+(cherry picked from commit deea6a7d6d803d6bb874a3e6f1b312e560e6c6df)
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xe/xe_device.c | 8 +-
+ drivers/gpu/drm/xe/xe_guc_pc.c | 125 +++++++++++++++++++++++++++
+ drivers/gpu/drm/xe/xe_guc_pc.h | 2 +
+ drivers/gpu/drm/xe/xe_guc_pc_types.h | 2 +
+ 4 files changed, 135 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/xe/xe_device.c b/drivers/gpu/drm/xe/xe_device.c
+index 38fdddd7262aa..f3123914b1abf 100644
+--- a/drivers/gpu/drm/xe/xe_device.c
++++ b/drivers/gpu/drm/xe/xe_device.c
+@@ -38,6 +38,7 @@
+ #include "xe_gt_printk.h"
+ #include "xe_gt_sriov_vf.h"
+ #include "xe_guc.h"
++#include "xe_guc_pc.h"
+ #include "xe_hw_engine_group.h"
+ #include "xe_hwmon.h"
+ #include "xe_irq.h"
+@@ -1057,11 +1058,14 @@ void xe_device_td_flush(struct xe_device *xe)
+ return;
+
+ root_gt = xe_root_mmio_gt(xe);
+- if (XE_WA(root_gt, 16023588340))
++ if (XE_WA(root_gt, 16023588340)) {
+ /* A transient flush is not sufficient: flush the L2 */
+ xe_device_l2_flush(xe);
+- else
++ } else {
++ xe_guc_pc_apply_flush_freq_limit(&root_gt->uc.guc.pc);
+ tdf_request_sync(xe);
++ xe_guc_pc_remove_flush_freq_limit(&root_gt->uc.guc.pc);
++ }
+ }
+
+ u32 xe_device_ccs_bytes(struct xe_device *xe, u64 size)
+diff --git a/drivers/gpu/drm/xe/xe_guc_pc.c b/drivers/gpu/drm/xe/xe_guc_pc.c
+index 28b97a2c14e3b..1c7b044413f26 100644
+--- a/drivers/gpu/drm/xe/xe_guc_pc.c
++++ b/drivers/gpu/drm/xe/xe_guc_pc.c
+@@ -7,7 +7,9 @@
+
+ #include <linux/cleanup.h>
+ #include <linux/delay.h>
++#include <linux/jiffies.h>
+ #include <linux/ktime.h>
++#include <linux/wait_bit.h>
+
+ #include <drm/drm_managed.h>
+ #include <drm/drm_print.h>
+@@ -53,9 +55,11 @@
+ #define LNL_MERT_FREQ_CAP 800
+ #define BMG_MERT_FREQ_CAP 2133
+ #define BMG_MIN_FREQ 1200
++#define BMG_MERT_FLUSH_FREQ_CAP 2600
+
+ #define SLPC_RESET_TIMEOUT_MS 5 /* roughly 5ms, but no need for precision */
+ #define SLPC_RESET_EXTENDED_TIMEOUT_MS 1000 /* To be used only at pc_start */
++#define SLPC_ACT_FREQ_TIMEOUT_MS 100
+
+ /**
+ * DOC: GuC Power Conservation (PC)
+@@ -143,6 +147,36 @@ static int wait_for_pc_state(struct xe_guc_pc *pc,
+ return -ETIMEDOUT;
+ }
+
++static int wait_for_flush_complete(struct xe_guc_pc *pc)
++{
++ const unsigned long timeout = msecs_to_jiffies(30);
++
++ if (!wait_var_event_timeout(&pc->flush_freq_limit,
++ !atomic_read(&pc->flush_freq_limit),
++ timeout))
++ return -ETIMEDOUT;
++
++ return 0;
++}
++
++static int wait_for_act_freq_limit(struct xe_guc_pc *pc, u32 freq)
++{
++ int timeout_us = SLPC_ACT_FREQ_TIMEOUT_MS * USEC_PER_MSEC;
++ int slept, wait = 10;
++
++ for (slept = 0; slept < timeout_us;) {
++ if (xe_guc_pc_get_act_freq(pc) <= freq)
++ return 0;
++
++ usleep_range(wait, wait << 1);
++ slept += wait;
++ wait <<= 1;
++ if (slept + wait > timeout_us)
++ wait = timeout_us - slept;
++ }
++
++ return -ETIMEDOUT;
++}
+ static int pc_action_reset(struct xe_guc_pc *pc)
+ {
+ struct xe_guc_ct *ct = pc_to_ct(pc);
+@@ -673,6 +707,11 @@ static int xe_guc_pc_set_max_freq_locked(struct xe_guc_pc *pc, u32 freq)
+ */
+ int xe_guc_pc_set_max_freq(struct xe_guc_pc *pc, u32 freq)
+ {
++ if (XE_WA(pc_to_gt(pc), 22019338487)) {
++ if (wait_for_flush_complete(pc) != 0)
++ return -EAGAIN;
++ }
++
+ guard(mutex)(&pc->freq_lock);
+
+ return xe_guc_pc_set_max_freq_locked(pc, freq);
+@@ -873,6 +912,92 @@ static int pc_adjust_requested_freq(struct xe_guc_pc *pc)
+ return ret;
+ }
+
++static bool needs_flush_freq_limit(struct xe_guc_pc *pc)
++{
++ struct xe_gt *gt = pc_to_gt(pc);
++
++ return XE_WA(gt, 22019338487) &&
++ pc->rp0_freq > BMG_MERT_FLUSH_FREQ_CAP;
++}
++
++/**
++ * xe_guc_pc_apply_flush_freq_limit() - Limit max GT freq during L2 flush
++ * @pc: the xe_guc_pc object
++ *
++ * As per the WA, reduce max GT frequency during L2 cache flush
++ */
++void xe_guc_pc_apply_flush_freq_limit(struct xe_guc_pc *pc)
++{
++ struct xe_gt *gt = pc_to_gt(pc);
++ u32 max_freq;
++ int ret;
++
++ if (!needs_flush_freq_limit(pc))
++ return;
++
++ guard(mutex)(&pc->freq_lock);
++
++ ret = xe_guc_pc_get_max_freq_locked(pc, &max_freq);
++ if (!ret && max_freq > BMG_MERT_FLUSH_FREQ_CAP) {
++ ret = pc_set_max_freq(pc, BMG_MERT_FLUSH_FREQ_CAP);
++ if (ret) {
++ xe_gt_err_once(gt, "Failed to cap max freq on flush to %u, %pe\n",
++ BMG_MERT_FLUSH_FREQ_CAP, ERR_PTR(ret));
++ return;
++ }
++
++ atomic_set(&pc->flush_freq_limit, 1);
++
++ /*
++ * If user has previously changed max freq, stash that value to
++ * restore later, otherwise use the current max. New user
++ * requests wait on flush.
++ */
++ if (pc->user_requested_max != 0)
++ pc->stashed_max_freq = pc->user_requested_max;
++ else
++ pc->stashed_max_freq = max_freq;
++ }
++
++ /*
++ * Wait for actual freq to go below the flush cap: even if the previous
++ * max was below cap, the current one might still be above it
++ */
++ ret = wait_for_act_freq_limit(pc, BMG_MERT_FLUSH_FREQ_CAP);
++ if (ret)
++ xe_gt_err_once(gt, "Actual freq did not reduce to %u, %pe\n",
++ BMG_MERT_FLUSH_FREQ_CAP, ERR_PTR(ret));
++}
++
++/**
++ * xe_guc_pc_remove_flush_freq_limit() - Remove max GT freq limit after L2 flush completes.
++ * @pc: the xe_guc_pc object
++ *
++ * Retrieve the previous GT max frequency value.
++ */
++void xe_guc_pc_remove_flush_freq_limit(struct xe_guc_pc *pc)
++{
++ struct xe_gt *gt = pc_to_gt(pc);
++ int ret = 0;
++
++ if (!needs_flush_freq_limit(pc))
++ return;
++
++ if (!atomic_read(&pc->flush_freq_limit))
++ return;
++
++ mutex_lock(&pc->freq_lock);
++
++ ret = pc_set_max_freq(>->uc.guc.pc, pc->stashed_max_freq);
++ if (ret)
++ xe_gt_err_once(gt, "Failed to restore max freq %u:%d",
++ pc->stashed_max_freq, ret);
++
++ atomic_set(&pc->flush_freq_limit, 0);
++ mutex_unlock(&pc->freq_lock);
++ wake_up_var(&pc->flush_freq_limit);
++}
++
+ static int pc_set_mert_freq_cap(struct xe_guc_pc *pc)
+ {
+ int ret = 0;
+diff --git a/drivers/gpu/drm/xe/xe_guc_pc.h b/drivers/gpu/drm/xe/xe_guc_pc.h
+index 39102b79602fd..0302c7426ccde 100644
+--- a/drivers/gpu/drm/xe/xe_guc_pc.h
++++ b/drivers/gpu/drm/xe/xe_guc_pc.h
+@@ -37,5 +37,7 @@ u64 xe_guc_pc_mc6_residency(struct xe_guc_pc *pc);
+ void xe_guc_pc_init_early(struct xe_guc_pc *pc);
+ int xe_guc_pc_restore_stashed_freq(struct xe_guc_pc *pc);
+ void xe_guc_pc_raise_unslice(struct xe_guc_pc *pc);
++void xe_guc_pc_apply_flush_freq_limit(struct xe_guc_pc *pc);
++void xe_guc_pc_remove_flush_freq_limit(struct xe_guc_pc *pc);
+
+ #endif /* _XE_GUC_PC_H_ */
+diff --git a/drivers/gpu/drm/xe/xe_guc_pc_types.h b/drivers/gpu/drm/xe/xe_guc_pc_types.h
+index 2978ac9a249b5..c02053948a579 100644
+--- a/drivers/gpu/drm/xe/xe_guc_pc_types.h
++++ b/drivers/gpu/drm/xe/xe_guc_pc_types.h
+@@ -15,6 +15,8 @@
+ struct xe_guc_pc {
+ /** @bo: GGTT buffer object that is shared with GuC PC */
+ struct xe_bo *bo;
++ /** @flush_freq_limit: 1 when max freq changes are limited by driver */
++ atomic_t flush_freq_limit;
+ /** @rp0_freq: HW RP0 frequency - The Maximum one */
+ u32 rp0_freq;
+ /** @rpa_freq: HW RPa frequency - The Achievable one */
+--
+2.39.5
+
--- /dev/null
+From 1c25565acf3d654563e843becea17df8551406ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jun 2025 22:46:20 +0000
+Subject: drm/xe: Fix out-of-bounds field write in MI_STORE_DATA_IMM
+
+From: Jia Yao <jia.yao@intel.com>
+
+[ Upstream commit 2d5cff2b4bc567dcaad7ab5b46c973ba534cc062 ]
+
+According to Bspec, bits 0~9 of MI_STORE_DATA_IMM must not exceed 0x3FE.
+The macro MI_SDI_NUM_QW(x) evaluates to 2 * x + 1, which means the
+condition 2 * x + 1 <= 0x3FE must be satisfied. Therefore, the maximum
+valid value for x is 0x1FE, not 0x1FF.
+
+v2
+ - Replace 0x1fe with macro MAX_PTE_PER_SDI (Auld, Matthew & Patelczyk, Maciej)
+
+v3
+ - Change macro MAX_PTE_PER_SDI from 0x1fe to 0x1feU (De Marchi, Lucas)
+
+Bspec: 60246
+
+Fixes: 9c44fd5f6e8a ("drm/xe: Add migrate layer functions for SVM support")
+Cc: Matthew Brost <matthew.brost@intel.com>
+Cc: Brian3 Nguyen <brian3.nguyen@intel.com>
+Cc: Alex Zuo <alex.zuo@intel.com>
+Cc: Matthew Auld <matthew.auld@intel.com>
+Cc: Maciej Patelczyk <maciej.patelczyk@intel.com>
+Cc: Lucas De Marchi <lucas.demarchi@intel.com>
+Suggested-by: Shuicheng Lin <shuicheng.lin@intel.com>
+Signed-off-by: Jia Yao <jia.yao@intel.com>
+Reviewed-by: Matthew Brost <matthew.brost@intel.com>
+Reviewed-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Reviewed-by: Maciej Patelczyk <maciej.patelczyk@intel.com>
+Link: https://lore.kernel.org/r/20250612224620.161105-1-jia.yao@intel.com
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+(cherry picked from commit c038bdba98c9f6a36378044a9d4385531a194d3e)
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xe/xe_migrate.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/gpu/drm/xe/xe_migrate.c b/drivers/gpu/drm/xe/xe_migrate.c
+index 5a3e89022c381..752f57fd515e1 100644
+--- a/drivers/gpu/drm/xe/xe_migrate.c
++++ b/drivers/gpu/drm/xe/xe_migrate.c
+@@ -82,7 +82,7 @@ struct xe_migrate {
+ * of the instruction. Subtracting the instruction header (1 dword) and
+ * address (2 dwords), that leaves 0x3FD dwords (0x1FE qwords) for PTE values.
+ */
+-#define MAX_PTE_PER_SDI 0x1FE
++#define MAX_PTE_PER_SDI 0x1FEU
+
+ /**
+ * xe_tile_migrate_exec_queue() - Get this tile's migrate exec queue.
+@@ -1550,15 +1550,17 @@ static u32 pte_update_cmd_size(u64 size)
+ u64 entries = DIV_U64_ROUND_UP(size, XE_PAGE_SIZE);
+
+ XE_WARN_ON(size > MAX_PREEMPTDISABLE_TRANSFER);
++
+ /*
+ * MI_STORE_DATA_IMM command is used to update page table. Each
+- * instruction can update maximumly 0x1ff pte entries. To update
+- * n (n <= 0x1ff) pte entries, we need:
+- * 1 dword for the MI_STORE_DATA_IMM command header (opcode etc)
+- * 2 dword for the page table's physical location
+- * 2*n dword for value of pte to fill (each pte entry is 2 dwords)
++ * instruction can update maximumly MAX_PTE_PER_SDI pte entries. To
++ * update n (n <= MAX_PTE_PER_SDI) pte entries, we need:
++ *
++ * - 1 dword for the MI_STORE_DATA_IMM command header (opcode etc)
++ * - 2 dword for the page table's physical location
++ * - 2*n dword for value of pte to fill (each pte entry is 2 dwords)
+ */
+- num_dword = (1 + 2) * DIV_U64_ROUND_UP(entries, 0x1ff);
++ num_dword = (1 + 2) * DIV_U64_ROUND_UP(entries, MAX_PTE_PER_SDI);
+ num_dword += entries * 2;
+
+ return num_dword;
+@@ -1574,7 +1576,7 @@ static void build_pt_update_batch_sram(struct xe_migrate *m,
+
+ ptes = DIV_ROUND_UP(size, XE_PAGE_SIZE);
+ while (ptes) {
+- u32 chunk = min(0x1ffU, ptes);
++ u32 chunk = min(MAX_PTE_PER_SDI, ptes);
+
+ bb->cs[bb->len++] = MI_STORE_DATA_IMM | MI_SDI_NUM_QW(chunk);
+ bb->cs[bb->len++] = pt_offset;
+--
+2.39.5
+
--- /dev/null
+From ece7fb6ecebd5edbb49bde6c52091faa1272ed1a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Apr 2025 11:56:11 -0700
+Subject: drm/xe/guc: Enable w/a 16026508708
+
+From: John Harrison <John.C.Harrison@Intel.com>
+
+[ Upstream commit d3e8349edf7ed9eaf076ab3d9973331ccc20e26c ]
+
+The workaround is only relevant to SRIOV but does affect all platforms.
+
+Signed-off-by: John Harrison <John.C.Harrison@Intel.com>
+Reviewed-by: Daniele Ceraolo Spurio <daniele.ceraolospurio@intel.com>
+Link: https://lore.kernel.org/r/20250403185619.1555853-2-John.C.Harrison@Intel.com
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Stable-dep-of: 84c0b4a00610 ("drm/xe/bmg: Update Wa_22019338487")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xe/abi/guc_klvs_abi.h | 1 +
+ drivers/gpu/drm/xe/xe_guc_ads.c | 5 +++++
+ drivers/gpu/drm/xe/xe_wa_oob.rules | 2 ++
+ 3 files changed, 8 insertions(+)
+
+diff --git a/drivers/gpu/drm/xe/abi/guc_klvs_abi.h b/drivers/gpu/drm/xe/abi/guc_klvs_abi.h
+index d633f1c739e43..7de8f827281fc 100644
+--- a/drivers/gpu/drm/xe/abi/guc_klvs_abi.h
++++ b/drivers/gpu/drm/xe/abi/guc_klvs_abi.h
+@@ -367,6 +367,7 @@ enum xe_guc_klv_ids {
+ GUC_WA_KLV_NP_RD_WRITE_TO_CLEAR_RCSM_AT_CGP_LATE_RESTORE = 0x9008,
+ GUC_WORKAROUND_KLV_ID_BACK_TO_BACK_RCS_ENGINE_RESET = 0x9009,
+ GUC_WA_KLV_WAKE_POWER_DOMAINS_FOR_OUTBOUND_MMIO = 0x900a,
++ GUC_WA_KLV_RESET_BB_STACK_PTR_ON_VF_SWITCH = 0x900b,
+ };
+
+ #endif
+diff --git a/drivers/gpu/drm/xe/xe_guc_ads.c b/drivers/gpu/drm/xe/xe_guc_ads.c
+index 7031542a70ceb..1fccdef9e532e 100644
+--- a/drivers/gpu/drm/xe/xe_guc_ads.c
++++ b/drivers/gpu/drm/xe/xe_guc_ads.c
+@@ -376,6 +376,11 @@ static void guc_waklv_init(struct xe_guc_ads *ads)
+ GUC_WORKAROUND_KLV_ID_BACK_TO_BACK_RCS_ENGINE_RESET,
+ &offset, &remain);
+
++ if (GUC_FIRMWARE_VER(>->uc.guc) >= MAKE_GUC_VER(70, 44, 0) && XE_WA(gt, 16026508708))
++ guc_waklv_enable_simple(ads,
++ GUC_WA_KLV_RESET_BB_STACK_PTR_ON_VF_SWITCH,
++ &offset, &remain);
++
+ size = guc_ads_waklv_size(ads) - remain;
+ if (!size)
+ return;
+diff --git a/drivers/gpu/drm/xe/xe_wa_oob.rules b/drivers/gpu/drm/xe/xe_wa_oob.rules
+index 9b9e176992a83..9efc5accd43d1 100644
+--- a/drivers/gpu/drm/xe/xe_wa_oob.rules
++++ b/drivers/gpu/drm/xe/xe_wa_oob.rules
+@@ -57,3 +57,5 @@ no_media_l3 MEDIA_VERSION(3000)
+ GRAPHICS_VERSION(1260), GRAPHICS_STEP(A0, B0)
+ 16023105232 GRAPHICS_VERSION_RANGE(2001, 3001)
+ MEDIA_VERSION_RANGE(1301, 3000)
++16026508708 GRAPHICS_VERSION_RANGE(1200, 3001)
++ MEDIA_VERSION_RANGE(1300, 3000)
+--
+2.39.5
+
--- /dev/null
+From 443ff645b1edb328551eb979cfe5081ed36120bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 11:49:58 -0700
+Subject: drm/xe/guc_pc: Add _locked variant for min/max freq
+
+From: Lucas De Marchi <lucas.demarchi@intel.com>
+
+[ Upstream commit d8390768dcf6f5a78af56aa03797a076871b01f3 ]
+
+There are places in which the getters/setters are called one after the
+other causing a multiple lock()/unlock(). These are not currently a
+problem since they are all happening from the same thread, but there's a
+race possibility as calls are added outside of the early init when the
+max/min and stashed values need to be correlated.
+
+Add the _locked() variants to prepare for that.
+
+Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Link: https://lore.kernel.org/r/20250618-wa-22019338487-v5-1-b888388477f2@intel.com
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+(cherry picked from commit 1beae9aa2b88d3a02eb666e7b777eb2d7bc645f4)
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Stable-dep-of: 84c0b4a00610 ("drm/xe/bmg: Update Wa_22019338487")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xe/xe_guc_pc.c | 123 ++++++++++++++++++---------------
+ 1 file changed, 69 insertions(+), 54 deletions(-)
+
+diff --git a/drivers/gpu/drm/xe/xe_guc_pc.c b/drivers/gpu/drm/xe/xe_guc_pc.c
+index a7b8bacfe64ef..23a4c525c03bf 100644
+--- a/drivers/gpu/drm/xe/xe_guc_pc.c
++++ b/drivers/gpu/drm/xe/xe_guc_pc.c
+@@ -5,6 +5,7 @@
+
+ #include "xe_guc_pc.h"
+
++#include <linux/cleanup.h>
+ #include <linux/delay.h>
+ #include <linux/ktime.h>
+
+@@ -538,6 +539,25 @@ u32 xe_guc_pc_get_rpn_freq(struct xe_guc_pc *pc)
+ return pc->rpn_freq;
+ }
+
++static int xe_guc_pc_get_min_freq_locked(struct xe_guc_pc *pc, u32 *freq)
++{
++ int ret;
++
++ lockdep_assert_held(&pc->freq_lock);
++
++ /* Might be in the middle of a gt reset */
++ if (!pc->freq_ready)
++ return -EAGAIN;
++
++ ret = pc_action_query_task_state(pc);
++ if (ret)
++ return ret;
++
++ *freq = pc_get_min_freq(pc);
++
++ return 0;
++}
++
+ /**
+ * xe_guc_pc_get_min_freq - Get the min operational frequency
+ * @pc: The GuC PC
+@@ -547,27 +567,29 @@ u32 xe_guc_pc_get_rpn_freq(struct xe_guc_pc *pc)
+ * -EAGAIN if GuC PC not ready (likely in middle of a reset).
+ */
+ int xe_guc_pc_get_min_freq(struct xe_guc_pc *pc, u32 *freq)
++{
++ guard(mutex)(&pc->freq_lock);
++
++ return xe_guc_pc_get_min_freq_locked(pc, freq);
++}
++
++static int xe_guc_pc_set_min_freq_locked(struct xe_guc_pc *pc, u32 freq)
+ {
+ int ret;
+
+- xe_device_assert_mem_access(pc_to_xe(pc));
++ lockdep_assert_held(&pc->freq_lock);
+
+- mutex_lock(&pc->freq_lock);
+- if (!pc->freq_ready) {
+- /* Might be in the middle of a gt reset */
+- ret = -EAGAIN;
+- goto out;
+- }
++ /* Might be in the middle of a gt reset */
++ if (!pc->freq_ready)
++ return -EAGAIN;
+
+- ret = pc_action_query_task_state(pc);
++ ret = pc_set_min_freq(pc, freq);
+ if (ret)
+- goto out;
++ return ret;
+
+- *freq = pc_get_min_freq(pc);
++ pc->user_requested_min = freq;
+
+-out:
+- mutex_unlock(&pc->freq_lock);
+- return ret;
++ return 0;
+ }
+
+ /**
+@@ -580,25 +602,29 @@ int xe_guc_pc_get_min_freq(struct xe_guc_pc *pc, u32 *freq)
+ * -EINVAL if value out of bounds.
+ */
+ int xe_guc_pc_set_min_freq(struct xe_guc_pc *pc, u32 freq)
++{
++ guard(mutex)(&pc->freq_lock);
++
++ return xe_guc_pc_set_min_freq_locked(pc, freq);
++}
++
++static int xe_guc_pc_get_max_freq_locked(struct xe_guc_pc *pc, u32 *freq)
+ {
+ int ret;
+
+- mutex_lock(&pc->freq_lock);
+- if (!pc->freq_ready) {
+- /* Might be in the middle of a gt reset */
+- ret = -EAGAIN;
+- goto out;
+- }
++ lockdep_assert_held(&pc->freq_lock);
+
+- ret = pc_set_min_freq(pc, freq);
++ /* Might be in the middle of a gt reset */
++ if (!pc->freq_ready)
++ return -EAGAIN;
++
++ ret = pc_action_query_task_state(pc);
+ if (ret)
+- goto out;
++ return ret;
+
+- pc->user_requested_min = freq;
++ *freq = pc_get_max_freq(pc);
+
+-out:
+- mutex_unlock(&pc->freq_lock);
+- return ret;
++ return 0;
+ }
+
+ /**
+@@ -610,25 +636,29 @@ int xe_guc_pc_set_min_freq(struct xe_guc_pc *pc, u32 freq)
+ * -EAGAIN if GuC PC not ready (likely in middle of a reset).
+ */
+ int xe_guc_pc_get_max_freq(struct xe_guc_pc *pc, u32 *freq)
++{
++ guard(mutex)(&pc->freq_lock);
++
++ return xe_guc_pc_get_max_freq_locked(pc, freq);
++}
++
++static int xe_guc_pc_set_max_freq_locked(struct xe_guc_pc *pc, u32 freq)
+ {
+ int ret;
+
+- mutex_lock(&pc->freq_lock);
+- if (!pc->freq_ready) {
+- /* Might be in the middle of a gt reset */
+- ret = -EAGAIN;
+- goto out;
+- }
++ lockdep_assert_held(&pc->freq_lock);
+
+- ret = pc_action_query_task_state(pc);
++ /* Might be in the middle of a gt reset */
++ if (!pc->freq_ready)
++ return -EAGAIN;
++
++ ret = pc_set_max_freq(pc, freq);
+ if (ret)
+- goto out;
++ return ret;
+
+- *freq = pc_get_max_freq(pc);
++ pc->user_requested_max = freq;
+
+-out:
+- mutex_unlock(&pc->freq_lock);
+- return ret;
++ return 0;
+ }
+
+ /**
+@@ -642,24 +672,9 @@ int xe_guc_pc_get_max_freq(struct xe_guc_pc *pc, u32 *freq)
+ */
+ int xe_guc_pc_set_max_freq(struct xe_guc_pc *pc, u32 freq)
+ {
+- int ret;
+-
+- mutex_lock(&pc->freq_lock);
+- if (!pc->freq_ready) {
+- /* Might be in the middle of a gt reset */
+- ret = -EAGAIN;
+- goto out;
+- }
+-
+- ret = pc_set_max_freq(pc, freq);
+- if (ret)
+- goto out;
++ guard(mutex)(&pc->freq_lock);
+
+- pc->user_requested_max = freq;
+-
+-out:
+- mutex_unlock(&pc->freq_lock);
+- return ret;
++ return xe_guc_pc_set_max_freq_locked(pc, freq);
+ }
+
+ /**
+--
+2.39.5
+
--- /dev/null
+From 1124d79525844089be84655b448e9765372f34b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 11:50:00 -0700
+Subject: drm/xe: Split xe_device_td_flush()
+
+From: Lucas De Marchi <lucas.demarchi@intel.com>
+
+[ Upstream commit a1eec6cae95a1a0888cb8370338822ca81cd9436 ]
+
+xe_device_td_flush() has 2 possible implementations: an entire L2 flush
+or a transient flush, depending on WA 16023588340. Make this clear by
+splitting the function so it calls each of them.
+
+Reviewed-by: Matthew Auld <matthew.auld@intel.com>
+Link: https://lore.kernel.org/r/20250618-wa-22019338487-v5-3-b888388477f2@intel.com
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+(cherry picked from commit 5e300ed8a545bdffc26b579c526b5fef7b2d5365)
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Stable-dep-of: 84c0b4a00610 ("drm/xe/bmg: Update Wa_22019338487")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xe/xe_device.c | 68 ++++++++++++++++++++--------------
+ 1 file changed, 40 insertions(+), 28 deletions(-)
+
+diff --git a/drivers/gpu/drm/xe/xe_device.c b/drivers/gpu/drm/xe/xe_device.c
+index 00191227bc95c..38fdddd7262aa 100644
+--- a/drivers/gpu/drm/xe/xe_device.c
++++ b/drivers/gpu/drm/xe/xe_device.c
+@@ -972,38 +972,15 @@ void xe_device_wmb(struct xe_device *xe)
+ xe_mmio_write32(xe_root_tile_mmio(xe), VF_CAP_REG, 0);
+ }
+
+-/**
+- * xe_device_td_flush() - Flush transient L3 cache entries
+- * @xe: The device
+- *
+- * Display engine has direct access to memory and is never coherent with L3/L4
+- * caches (or CPU caches), however KMD is responsible for specifically flushing
+- * transient L3 GPU cache entries prior to the flip sequence to ensure scanout
+- * can happen from such a surface without seeing corruption.
+- *
+- * Display surfaces can be tagged as transient by mapping it using one of the
+- * various L3:XD PAT index modes on Xe2.
+- *
+- * Note: On non-discrete xe2 platforms, like LNL, the entire L3 cache is flushed
+- * at the end of each submission via PIPE_CONTROL for compute/render, since SA
+- * Media is not coherent with L3 and we want to support render-vs-media
+- * usescases. For other engines like copy/blt the HW internally forces uncached
+- * behaviour, hence why we can skip the TDF on such platforms.
++/*
++ * Issue a TRANSIENT_FLUSH_REQUEST and wait for completion on each gt.
+ */
+-void xe_device_td_flush(struct xe_device *xe)
++static void tdf_request_sync(struct xe_device *xe)
+ {
+- struct xe_gt *gt;
+ unsigned int fw_ref;
++ struct xe_gt *gt;
+ u8 id;
+
+- if (!IS_DGFX(xe) || GRAPHICS_VER(xe) < 20)
+- return;
+-
+- if (XE_WA(xe_root_mmio_gt(xe), 16023588340)) {
+- xe_device_l2_flush(xe);
+- return;
+- }
+-
+ for_each_gt(gt, xe, id) {
+ if (xe_gt_is_media_type(gt))
+ continue;
+@@ -1013,6 +990,7 @@ void xe_device_td_flush(struct xe_device *xe)
+ return;
+
+ xe_mmio_write32(>->mmio, XE2_TDF_CTRL, TRANSIENT_FLUSH_REQUEST);
++
+ /*
+ * FIXME: We can likely do better here with our choice of
+ * timeout. Currently we just assume the worst case, i.e. 150us,
+@@ -1043,15 +1021,49 @@ void xe_device_l2_flush(struct xe_device *xe)
+ return;
+
+ spin_lock(>->global_invl_lock);
+- xe_mmio_write32(>->mmio, XE2_GLOBAL_INVAL, 0x1);
+
++ xe_mmio_write32(>->mmio, XE2_GLOBAL_INVAL, 0x1);
+ if (xe_mmio_wait32(>->mmio, XE2_GLOBAL_INVAL, 0x1, 0x0, 500, NULL, true))
+ xe_gt_err_once(gt, "Global invalidation timeout\n");
++
+ spin_unlock(>->global_invl_lock);
+
+ xe_force_wake_put(gt_to_fw(gt), fw_ref);
+ }
+
++/**
++ * xe_device_td_flush() - Flush transient L3 cache entries
++ * @xe: The device
++ *
++ * Display engine has direct access to memory and is never coherent with L3/L4
++ * caches (or CPU caches), however KMD is responsible for specifically flushing
++ * transient L3 GPU cache entries prior to the flip sequence to ensure scanout
++ * can happen from such a surface without seeing corruption.
++ *
++ * Display surfaces can be tagged as transient by mapping it using one of the
++ * various L3:XD PAT index modes on Xe2.
++ *
++ * Note: On non-discrete xe2 platforms, like LNL, the entire L3 cache is flushed
++ * at the end of each submission via PIPE_CONTROL for compute/render, since SA
++ * Media is not coherent with L3 and we want to support render-vs-media
++ * usescases. For other engines like copy/blt the HW internally forces uncached
++ * behaviour, hence why we can skip the TDF on such platforms.
++ */
++void xe_device_td_flush(struct xe_device *xe)
++{
++ struct xe_gt *root_gt;
++
++ if (!IS_DGFX(xe) || GRAPHICS_VER(xe) < 20)
++ return;
++
++ root_gt = xe_root_mmio_gt(xe);
++ if (XE_WA(root_gt, 16023588340))
++ /* A transient flush is not sufficient: flush the L2 */
++ xe_device_l2_flush(xe);
++ else
++ tdf_request_sync(xe);
++}
++
+ u32 xe_device_ccs_bytes(struct xe_device *xe, u64 size)
+ {
+ return xe_device_has_flat_ccs(xe) ?
+--
+2.39.5
+
--- /dev/null
+From 5eb5da69c1aafd2104085d577b09276f0bcfe034 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 28 Jun 2025 07:56:05 -0700
+Subject: enic: fix incorrect MTU comparison in enic_change_mtu()
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit aaf2b2480375099c022a82023e1cd772bf1c6a5d ]
+
+The comparison in enic_change_mtu() incorrectly used the current
+netdev->mtu instead of the new new_mtu value when warning about
+an MTU exceeding the port MTU. This could suppress valid warnings
+or issue incorrect ones.
+
+Fix the condition and log to properly reflect the new_mtu.
+
+Fixes: ab123fe071c9 ("enic: handle mtu change for vf properly")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Acked-by: John Daley <johndale@cisco.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250628145612.476096-1-alok.a.tiwari@oracle.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cisco/enic/enic_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/cisco/enic/enic_main.c b/drivers/net/ethernet/cisco/enic/enic_main.c
+index c753c35b26ebd..5a8ca5be9ca00 100644
+--- a/drivers/net/ethernet/cisco/enic/enic_main.c
++++ b/drivers/net/ethernet/cisco/enic/enic_main.c
+@@ -1864,10 +1864,10 @@ static int enic_change_mtu(struct net_device *netdev, int new_mtu)
+ if (enic_is_dynamic(enic) || enic_is_sriov_vf(enic))
+ return -EOPNOTSUPP;
+
+- if (netdev->mtu > enic->port_mtu)
++ if (new_mtu > enic->port_mtu)
+ netdev_warn(netdev,
+ "interface MTU (%d) set higher than port MTU (%d)\n",
+- netdev->mtu, enic->port_mtu);
++ new_mtu, enic->port_mtu);
+
+ return _enic_change_mtu(netdev, new_mtu);
+ }
+--
+2.39.5
+
--- /dev/null
+From 6ee823e79d1d10ff48ac76d60ebf2621fd3d7e17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jun 2025 16:16:24 +0200
+Subject: ethernet: atl1: Add missing DMA mapping error checks and count errors
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit d72411d20905180cdc452c553be17481b24463d2 ]
+
+The `dma_map_XXX()` functions can fail and must be checked using
+`dma_mapping_error()`. This patch adds proper error handling for all
+DMA mapping calls.
+
+In `atl1_alloc_rx_buffers()`, if DMA mapping fails, the buffer is
+deallocated and marked accordingly.
+
+In `atl1_tx_map()`, previously mapped buffers are unmapped and the
+packet is dropped on failure.
+
+If `atl1_xmit_frame()` drops the packet, increment the tx_error counter.
+
+Fixes: f3cc28c79760 ("Add Attansic L1 ethernet driver.")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://patch.msgid.link/20250625141629.114984-2-fourier.thomas@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/atheros/atlx/atl1.c | 79 +++++++++++++++++-------
+ 1 file changed, 57 insertions(+), 22 deletions(-)
+
+diff --git a/drivers/net/ethernet/atheros/atlx/atl1.c b/drivers/net/ethernet/atheros/atlx/atl1.c
+index 38cd84b7677cf..86663aa0de17e 100644
+--- a/drivers/net/ethernet/atheros/atlx/atl1.c
++++ b/drivers/net/ethernet/atheros/atlx/atl1.c
+@@ -1861,14 +1861,21 @@ static u16 atl1_alloc_rx_buffers(struct atl1_adapter *adapter)
+ break;
+ }
+
+- buffer_info->alloced = 1;
+- buffer_info->skb = skb;
+- buffer_info->length = (u16) adapter->rx_buffer_len;
+ page = virt_to_page(skb->data);
+ offset = offset_in_page(skb->data);
+ buffer_info->dma = dma_map_page(&pdev->dev, page, offset,
+ adapter->rx_buffer_len,
+ DMA_FROM_DEVICE);
++ if (dma_mapping_error(&pdev->dev, buffer_info->dma)) {
++ kfree_skb(skb);
++ adapter->soft_stats.rx_dropped++;
++ break;
++ }
++
++ buffer_info->alloced = 1;
++ buffer_info->skb = skb;
++ buffer_info->length = (u16)adapter->rx_buffer_len;
++
+ rfd_desc->buffer_addr = cpu_to_le64(buffer_info->dma);
+ rfd_desc->buf_len = cpu_to_le16(adapter->rx_buffer_len);
+ rfd_desc->coalese = 0;
+@@ -2183,8 +2190,8 @@ static int atl1_tx_csum(struct atl1_adapter *adapter, struct sk_buff *skb,
+ return 0;
+ }
+
+-static void atl1_tx_map(struct atl1_adapter *adapter, struct sk_buff *skb,
+- struct tx_packet_desc *ptpd)
++static bool atl1_tx_map(struct atl1_adapter *adapter, struct sk_buff *skb,
++ struct tx_packet_desc *ptpd)
+ {
+ struct atl1_tpd_ring *tpd_ring = &adapter->tpd_ring;
+ struct atl1_buffer *buffer_info;
+@@ -2194,6 +2201,7 @@ static void atl1_tx_map(struct atl1_adapter *adapter, struct sk_buff *skb,
+ unsigned int nr_frags;
+ unsigned int f;
+ int retval;
++ u16 first_mapped;
+ u16 next_to_use;
+ u16 data_len;
+ u8 hdr_len;
+@@ -2201,6 +2209,7 @@ static void atl1_tx_map(struct atl1_adapter *adapter, struct sk_buff *skb,
+ buf_len -= skb->data_len;
+ nr_frags = skb_shinfo(skb)->nr_frags;
+ next_to_use = atomic_read(&tpd_ring->next_to_use);
++ first_mapped = next_to_use;
+ buffer_info = &tpd_ring->buffer_info[next_to_use];
+ BUG_ON(buffer_info->skb);
+ /* put skb in last TPD */
+@@ -2216,6 +2225,8 @@ static void atl1_tx_map(struct atl1_adapter *adapter, struct sk_buff *skb,
+ buffer_info->dma = dma_map_page(&adapter->pdev->dev, page,
+ offset, hdr_len,
+ DMA_TO_DEVICE);
++ if (dma_mapping_error(&adapter->pdev->dev, buffer_info->dma))
++ goto dma_err;
+
+ if (++next_to_use == tpd_ring->count)
+ next_to_use = 0;
+@@ -2242,6 +2253,9 @@ static void atl1_tx_map(struct atl1_adapter *adapter, struct sk_buff *skb,
+ page, offset,
+ buffer_info->length,
+ DMA_TO_DEVICE);
++ if (dma_mapping_error(&adapter->pdev->dev,
++ buffer_info->dma))
++ goto dma_err;
+ if (++next_to_use == tpd_ring->count)
+ next_to_use = 0;
+ }
+@@ -2254,6 +2268,8 @@ static void atl1_tx_map(struct atl1_adapter *adapter, struct sk_buff *skb,
+ buffer_info->dma = dma_map_page(&adapter->pdev->dev, page,
+ offset, buf_len,
+ DMA_TO_DEVICE);
++ if (dma_mapping_error(&adapter->pdev->dev, buffer_info->dma))
++ goto dma_err;
+ if (++next_to_use == tpd_ring->count)
+ next_to_use = 0;
+ }
+@@ -2277,6 +2293,9 @@ static void atl1_tx_map(struct atl1_adapter *adapter, struct sk_buff *skb,
+ buffer_info->dma = skb_frag_dma_map(&adapter->pdev->dev,
+ frag, i * ATL1_MAX_TX_BUF_LEN,
+ buffer_info->length, DMA_TO_DEVICE);
++ if (dma_mapping_error(&adapter->pdev->dev,
++ buffer_info->dma))
++ goto dma_err;
+
+ if (++next_to_use == tpd_ring->count)
+ next_to_use = 0;
+@@ -2285,6 +2304,22 @@ static void atl1_tx_map(struct atl1_adapter *adapter, struct sk_buff *skb,
+
+ /* last tpd's buffer-info */
+ buffer_info->skb = skb;
++
++ return true;
++
++ dma_err:
++ while (first_mapped != next_to_use) {
++ buffer_info = &tpd_ring->buffer_info[first_mapped];
++ dma_unmap_page(&adapter->pdev->dev,
++ buffer_info->dma,
++ buffer_info->length,
++ DMA_TO_DEVICE);
++ buffer_info->dma = 0;
++
++ if (++first_mapped == tpd_ring->count)
++ first_mapped = 0;
++ }
++ return false;
+ }
+
+ static void atl1_tx_queue(struct atl1_adapter *adapter, u16 count,
+@@ -2355,10 +2390,8 @@ static netdev_tx_t atl1_xmit_frame(struct sk_buff *skb,
+
+ len = skb_headlen(skb);
+
+- if (unlikely(skb->len <= 0)) {
+- dev_kfree_skb_any(skb);
+- return NETDEV_TX_OK;
+- }
++ if (unlikely(skb->len <= 0))
++ goto drop_packet;
+
+ nr_frags = skb_shinfo(skb)->nr_frags;
+ for (f = 0; f < nr_frags; f++) {
+@@ -2371,10 +2404,9 @@ static netdev_tx_t atl1_xmit_frame(struct sk_buff *skb,
+ if (mss) {
+ if (skb->protocol == htons(ETH_P_IP)) {
+ proto_hdr_len = skb_tcp_all_headers(skb);
+- if (unlikely(proto_hdr_len > len)) {
+- dev_kfree_skb_any(skb);
+- return NETDEV_TX_OK;
+- }
++ if (unlikely(proto_hdr_len > len))
++ goto drop_packet;
++
+ /* need additional TPD ? */
+ if (proto_hdr_len != len)
+ count += (len - proto_hdr_len +
+@@ -2406,23 +2438,26 @@ static netdev_tx_t atl1_xmit_frame(struct sk_buff *skb,
+ }
+
+ tso = atl1_tso(adapter, skb, ptpd);
+- if (tso < 0) {
+- dev_kfree_skb_any(skb);
+- return NETDEV_TX_OK;
+- }
++ if (tso < 0)
++ goto drop_packet;
+
+ if (!tso) {
+ ret_val = atl1_tx_csum(adapter, skb, ptpd);
+- if (ret_val < 0) {
+- dev_kfree_skb_any(skb);
+- return NETDEV_TX_OK;
+- }
++ if (ret_val < 0)
++ goto drop_packet;
+ }
+
+- atl1_tx_map(adapter, skb, ptpd);
++ if (!atl1_tx_map(adapter, skb, ptpd))
++ goto drop_packet;
++
+ atl1_tx_queue(adapter, count, ptpd);
+ atl1_update_mailbox(adapter);
+ return NETDEV_TX_OK;
++
++drop_packet:
++ adapter->soft_stats.tx_errors++;
++ dev_kfree_skb_any(skb);
++ return NETDEV_TX_OK;
+ }
+
+ static int atl1_rings_clean(struct napi_struct *napi, int budget)
+--
+2.39.5
+
--- /dev/null
+From ebb03bbd823c501d99857a7cb6e990b38ede8ec9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 May 2025 09:49:41 +0100
+Subject: firmware: arm_ffa: Fix memory leak by freeing notifier callback node
+
+From: Sudeep Holla <sudeep.holla@arm.com>
+
+[ Upstream commit a833d31ad867103ba72a0b73f3606f4ab8601719 ]
+
+Commit e0573444edbf ("firmware: arm_ffa: Add interfaces to request
+notification callbacks") adds support for notifier callbacks by allocating
+and inserting a callback node into a hashtable during registration of
+notifiers. However, during unregistration, the code only removes the
+node from the hashtable without freeing the associated memory, resulting
+in a memory leak.
+
+Resolve the memory leak issue by ensuring the allocated notifier callback
+node is properly freed after it is removed from the hashtable entry.
+
+Fixes: e0573444edbf ("firmware: arm_ffa: Add interfaces to request notification callbacks")
+Message-Id: <20250528-ffa_notif_fix-v1-1-5ed7bc7f8437@arm.com>
+Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/arm_ffa/driver.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c
+index fe55613a8ea99..6f75cdf297209 100644
+--- a/drivers/firmware/arm_ffa/driver.c
++++ b/drivers/firmware/arm_ffa/driver.c
+@@ -1284,6 +1284,7 @@ update_notifier_cb(struct ffa_device *dev, int notify_id, void *cb,
+ hash_add(drv_info->notifier_hash, &cb_info->hnode, notify_id);
+ } else {
+ hash_del(&cb_info->hnode);
++ kfree(cb_info);
+ }
+
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From bbe97f34e1a80f54642c235a556bd07844094ae0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Jun 2025 16:38:53 +0530
+Subject: firmware: arm_ffa: Fix the missing entry in struct
+ ffa_indirect_msg_hdr
+
+From: Viresh Kumar <viresh.kumar@linaro.org>
+
+[ Upstream commit 4c46a471be12216347ba707f8eadadbf5d68e698 ]
+
+As per the spec, one 32 bit reserved entry is missing here, add it.
+
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Fixes: 910cc1acc9b4 ("firmware: arm_ffa: Add support for passing UUID in FFA_MSG_SEND2")
+Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com>
+Message-Id: <28a624fbf416975de4fbe08cfbf7c2db89cb630e.1748948911.git.viresh.kumar@linaro.org>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/arm_ffa.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/arm_ffa.h b/include/linux/arm_ffa.h
+index 5bded24dc24fe..e1634897e159c 100644
+--- a/include/linux/arm_ffa.h
++++ b/include/linux/arm_ffa.h
+@@ -283,6 +283,7 @@ struct ffa_indirect_msg_hdr {
+ u32 offset;
+ u32 send_recv_id;
+ u32 size;
++ u32 res1;
+ uuid_t uuid;
+ };
+
+--
+2.39.5
+
--- /dev/null
+From 7238f487414194e112dfc00d91e85067e555c467 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 May 2025 09:49:42 +0100
+Subject: firmware: arm_ffa: Move memory allocation outside the mutex locking
+
+From: Sudeep Holla <sudeep.holla@arm.com>
+
+[ Upstream commit 27e850c88df0e25474a8caeb2903e2e90b62c1dc ]
+
+The notifier callback node allocation is currently done while holding
+the notify_lock mutex. While this is safe even if memory allocation may
+sleep, we need to move the allocation outside the locked region in
+preparation to move from using muxtes to rwlocks.
+
+Move the memory allocation to avoid potential sleeping in atomic context
+once the locks are moved from mutex to rwlocks.
+
+Fixes: e0573444edbf ("firmware: arm_ffa: Add interfaces to request notification callbacks")
+Message-Id: <20250528-ffa_notif_fix-v1-2-5ed7bc7f8437@arm.com>
+Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/arm_ffa/driver.c | 48 +++++++++++++++----------------
+ 1 file changed, 24 insertions(+), 24 deletions(-)
+
+diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c
+index 6f75cdf297209..44eecb786e67b 100644
+--- a/drivers/firmware/arm_ffa/driver.c
++++ b/drivers/firmware/arm_ffa/driver.c
+@@ -1250,13 +1250,12 @@ notifier_hnode_get_by_type(u16 notify_id, enum notify_type type)
+ return NULL;
+ }
+
+-static int
+-update_notifier_cb(struct ffa_device *dev, int notify_id, void *cb,
+- void *cb_data, bool is_registration, bool is_framework)
++static int update_notifier_cb(struct ffa_device *dev, int notify_id,
++ struct notifier_cb_info *cb, bool is_framework)
+ {
+ struct notifier_cb_info *cb_info = NULL;
+ enum notify_type type = ffa_notify_type_get(dev->vm_id);
+- bool cb_found;
++ bool cb_found, is_registration = !!cb;
+
+ if (is_framework)
+ cb_info = notifier_hnode_get_by_vmid_uuid(notify_id, dev->vm_id,
+@@ -1270,18 +1269,7 @@ update_notifier_cb(struct ffa_device *dev, int notify_id, void *cb,
+ return -EINVAL;
+
+ if (is_registration) {
+- cb_info = kzalloc(sizeof(*cb_info), GFP_KERNEL);
+- if (!cb_info)
+- return -ENOMEM;
+-
+- cb_info->dev = dev;
+- cb_info->cb_data = cb_data;
+- if (is_framework)
+- cb_info->fwk_cb = cb;
+- else
+- cb_info->cb = cb;
+-
+- hash_add(drv_info->notifier_hash, &cb_info->hnode, notify_id);
++ hash_add(drv_info->notifier_hash, &cb->hnode, notify_id);
+ } else {
+ hash_del(&cb_info->hnode);
+ kfree(cb_info);
+@@ -1303,8 +1291,7 @@ static int __ffa_notify_relinquish(struct ffa_device *dev, int notify_id,
+
+ mutex_lock(&drv_info->notify_lock);
+
+- rc = update_notifier_cb(dev, notify_id, NULL, NULL, false,
+- is_framework);
++ rc = update_notifier_cb(dev, notify_id, NULL, is_framework);
+ if (rc) {
+ pr_err("Could not unregister notification callback\n");
+ mutex_unlock(&drv_info->notify_lock);
+@@ -1335,6 +1322,7 @@ static int __ffa_notify_request(struct ffa_device *dev, bool is_per_vcpu,
+ {
+ int rc;
+ u32 flags = 0;
++ struct notifier_cb_info *cb_info = NULL;
+
+ if (ffa_notifications_disabled())
+ return -EOPNOTSUPP;
+@@ -1342,6 +1330,17 @@ static int __ffa_notify_request(struct ffa_device *dev, bool is_per_vcpu,
+ if (notify_id >= FFA_MAX_NOTIFICATIONS)
+ return -EINVAL;
+
++ cb_info = kzalloc(sizeof(*cb_info), GFP_KERNEL);
++ if (!cb_info)
++ return -ENOMEM;
++
++ cb_info->dev = dev;
++ cb_info->cb_data = cb_data;
++ if (is_framework)
++ cb_info->fwk_cb = cb;
++ else
++ cb_info->cb = cb;
++
+ mutex_lock(&drv_info->notify_lock);
+
+ if (!is_framework) {
+@@ -1349,21 +1348,22 @@ static int __ffa_notify_request(struct ffa_device *dev, bool is_per_vcpu,
+ flags = PER_VCPU_NOTIFICATION_FLAG;
+
+ rc = ffa_notification_bind(dev->vm_id, BIT(notify_id), flags);
+- if (rc) {
+- mutex_unlock(&drv_info->notify_lock);
+- return rc;
+- }
++ if (rc)
++ goto out_unlock_free;
+ }
+
+- rc = update_notifier_cb(dev, notify_id, cb, cb_data, true,
+- is_framework);
++ rc = update_notifier_cb(dev, notify_id, cb_info, is_framework);
+ if (rc) {
+ pr_err("Failed to register callback for %d - %d\n",
+ notify_id, rc);
+ if (!is_framework)
+ ffa_notification_unbind(dev->vm_id, BIT(notify_id));
+ }
++
++out_unlock_free:
+ mutex_unlock(&drv_info->notify_lock);
++ if (rc)
++ kfree(cb_info);
+
+ return rc;
+ }
+--
+2.39.5
+
--- /dev/null
+From 70f5446fd9f645f4729ad0253974f120fdf6d677 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 May 2025 09:49:43 +0100
+Subject: firmware: arm_ffa: Replace mutex with rwlock to avoid sleep in atomic
+ context
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sudeep Holla <sudeep.holla@arm.com>
+
+[ Upstream commit 9ca7a421229bbdfbe2e1e628cff5cfa782720a10 ]
+
+The current use of a mutex to protect the notifier hashtable accesses
+can lead to issues in the atomic context. It results in the below
+kernel warnings:
+
+ | BUG: sleeping function called from invalid context at kernel/locking/mutex.c:258
+ | in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 9, name: kworker/0:0
+ | preempt_count: 1, expected: 0
+ | RCU nest depth: 0, expected: 0
+ | CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted 6.14.0 #4
+ | Workqueue: ffa_pcpu_irq_notification notif_pcpu_irq_work_fn
+ | Call trace:
+ | show_stack+0x18/0x24 (C)
+ | dump_stack_lvl+0x78/0x90
+ | dump_stack+0x18/0x24
+ | __might_resched+0x114/0x170
+ | __might_sleep+0x48/0x98
+ | mutex_lock+0x24/0x80
+ | handle_notif_callbacks+0x54/0xe0
+ | notif_get_and_handle+0x40/0x88
+ | generic_exec_single+0x80/0xc0
+ | smp_call_function_single+0xfc/0x1a0
+ | notif_pcpu_irq_work_fn+0x2c/0x38
+ | process_one_work+0x14c/0x2b4
+ | worker_thread+0x2e4/0x3e0
+ | kthread+0x13c/0x210
+ | ret_from_fork+0x10/0x20
+
+To address this, replace the mutex with an rwlock to protect the notifier
+hashtable accesses. This ensures that read-side locking does not sleep and
+multiple readers can acquire the lock concurrently, avoiding unnecessary
+contention and potential deadlocks. Writer access remains exclusive,
+preserving correctness.
+
+This change resolves warnings from lockdep about potential sleep in
+atomic context.
+
+Cc: Jens Wiklander <jens.wiklander@linaro.org>
+Reported-by: Jérôme Forissier <jerome.forissier@linaro.org>
+Closes: https://github.com/OP-TEE/optee_os/issues/7394
+Fixes: e0573444edbf ("firmware: arm_ffa: Add interfaces to request notification callbacks")
+Message-Id: <20250528-ffa_notif_fix-v1-3-5ed7bc7f8437@arm.com>
+Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
+Tested-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/arm_ffa/driver.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c
+index 44eecb786e67b..37eb2e6c2f9f4 100644
+--- a/drivers/firmware/arm_ffa/driver.c
++++ b/drivers/firmware/arm_ffa/driver.c
+@@ -110,7 +110,7 @@ struct ffa_drv_info {
+ struct work_struct sched_recv_irq_work;
+ struct xarray partition_info;
+ DECLARE_HASHTABLE(notifier_hash, ilog2(FFA_MAX_NOTIFICATIONS));
+- struct mutex notify_lock; /* lock to protect notifier hashtable */
++ rwlock_t notify_lock; /* lock to protect notifier hashtable */
+ };
+
+ static struct ffa_drv_info *drv_info;
+@@ -1289,19 +1289,19 @@ static int __ffa_notify_relinquish(struct ffa_device *dev, int notify_id,
+ if (notify_id >= FFA_MAX_NOTIFICATIONS)
+ return -EINVAL;
+
+- mutex_lock(&drv_info->notify_lock);
++ write_lock(&drv_info->notify_lock);
+
+ rc = update_notifier_cb(dev, notify_id, NULL, is_framework);
+ if (rc) {
+ pr_err("Could not unregister notification callback\n");
+- mutex_unlock(&drv_info->notify_lock);
++ write_unlock(&drv_info->notify_lock);
+ return rc;
+ }
+
+ if (!is_framework)
+ rc = ffa_notification_unbind(dev->vm_id, BIT(notify_id));
+
+- mutex_unlock(&drv_info->notify_lock);
++ write_unlock(&drv_info->notify_lock);
+
+ return rc;
+ }
+@@ -1341,7 +1341,7 @@ static int __ffa_notify_request(struct ffa_device *dev, bool is_per_vcpu,
+ else
+ cb_info->cb = cb;
+
+- mutex_lock(&drv_info->notify_lock);
++ write_lock(&drv_info->notify_lock);
+
+ if (!is_framework) {
+ if (is_per_vcpu)
+@@ -1361,7 +1361,7 @@ static int __ffa_notify_request(struct ffa_device *dev, bool is_per_vcpu,
+ }
+
+ out_unlock_free:
+- mutex_unlock(&drv_info->notify_lock);
++ write_unlock(&drv_info->notify_lock);
+ if (rc)
+ kfree(cb_info);
+
+@@ -1407,9 +1407,9 @@ static void handle_notif_callbacks(u64 bitmap, enum notify_type type)
+ if (!(bitmap & 1))
+ continue;
+
+- mutex_lock(&drv_info->notify_lock);
++ read_lock(&drv_info->notify_lock);
+ cb_info = notifier_hnode_get_by_type(notify_id, type);
+- mutex_unlock(&drv_info->notify_lock);
++ read_unlock(&drv_info->notify_lock);
+
+ if (cb_info && cb_info->cb)
+ cb_info->cb(notify_id, cb_info->cb_data);
+@@ -1447,9 +1447,9 @@ static void handle_fwk_notif_callbacks(u32 bitmap)
+
+ ffa_rx_release();
+
+- mutex_lock(&drv_info->notify_lock);
++ read_lock(&drv_info->notify_lock);
+ cb_info = notifier_hnode_get_by_vmid_uuid(notify_id, target, &uuid);
+- mutex_unlock(&drv_info->notify_lock);
++ read_unlock(&drv_info->notify_lock);
+
+ if (cb_info && cb_info->fwk_cb)
+ cb_info->fwk_cb(notify_id, cb_info->cb_data, buf);
+@@ -1974,7 +1974,7 @@ static void ffa_notifications_setup(void)
+ goto cleanup;
+
+ hash_init(drv_info->notifier_hash);
+- mutex_init(&drv_info->notify_lock);
++ rwlock_init(&drv_info->notify_lock);
+
+ drv_info->notif_enabled = true;
+ return;
+--
+2.39.5
+
--- /dev/null
+From 10dda582265f07f7852cf54eaf14e92cccc6f3d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Jun 2025 10:45:37 +0000
+Subject: firmware: exynos-acpm: fix timeouts on xfers handling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tudor Ambarus <tudor.ambarus@linaro.org>
+
+[ Upstream commit 8d2c2fa2209e83d0eb10f7330d8a0bbdc1df32ff ]
+
+The mailbox framework has a single inflight request at a time. If
+a request is sent while another is still active, it will be queued
+to the mailbox core ring buffer.
+
+ACPM protocol did not serialize the calls to the mailbox subsystem so we
+could start the timeout ticks in parallel for multiple requests, while
+just one was being inflight.
+
+Consider a hypothetical case where the xfer timeout is 100ms and an ACPM
+transaction takes 90ms:
+ | 0ms: Message #0 is queued in mailbox layer and sent out, then sits
+ | at acpm_dequeue_by_polling() with a timeout of 100ms
+ | 1ms: Message #1 is queued in mailbox layer but not sent out yet.
+ | Since send_message() doesn't block, it also sits at
+ | acpm_dequeue_by_polling() with a timeout of 100ms
+ | ...
+ | 90ms: Message #0 is completed, txdone is called and message #1 is sent
+ | 101ms: Message #1 times out since the count started at 1ms. Even though
+ | it has only been inflight for 11ms.
+
+Fix the problem by moving mbox_send_message() and mbox_client_txdone()
+immediately after the message has been written to the TX queue and while
+still keeping the ACPM TX queue lock. We thus tie together the TX write
+with the doorbell ring and mark the TX as done after the doorbell has
+been rung. This guarantees that the doorbell has been rang before
+starting the timeout ticks. We should also see some performance
+improvement as we no longer wait to receive a response before ringing
+the doorbell for the next request, so the ACPM firmware shall be able to
+drain faster the TX queue. Another benefit is that requests are no
+longer able to ring the doorbell one for the other, so it eases
+debugging. Finally, the mailbox software queue will always contain a
+single doorbell request due to the serialization done at the ACPM TX
+queue level. Protocols like ACPM, that handle their own hardware queues
+need a passthrough mailbox API, where they are able to just ring the
+doorbell or flip a bit directly into the mailbox controller. The mailbox
+software queue mechanism, the locking done into the mailbox core is not
+really needed, so hopefully this lays the foundation for a passthrough
+mailbox API.
+
+Reported-by: André Draszik <andre.draszik@linaro.org>
+Fixes: a88927b534ba ("firmware: add Exynos ACPM protocol driver")
+Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
+Link: https://lore.kernel.org/r/20250606-acpm-timeout-v2-1-306b1aa07a6c@linaro.org
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/samsung/exynos-acpm.c | 25 +++++++++----------------
+ 1 file changed, 9 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/firmware/samsung/exynos-acpm.c b/drivers/firmware/samsung/exynos-acpm.c
+index e80cb7a8da8f2..520a9fd3b0fd3 100644
+--- a/drivers/firmware/samsung/exynos-acpm.c
++++ b/drivers/firmware/samsung/exynos-acpm.c
+@@ -430,6 +430,9 @@ int acpm_do_xfer(const struct acpm_handle *handle, const struct acpm_xfer *xfer)
+ return -EOPNOTSUPP;
+ }
+
++ msg.chan_id = xfer->acpm_chan_id;
++ msg.chan_type = EXYNOS_MBOX_CHAN_TYPE_DOORBELL;
++
+ scoped_guard(mutex, &achan->tx_lock) {
+ tx_front = readl(achan->tx.front);
+ idx = (tx_front + 1) % achan->qlen;
+@@ -446,25 +449,15 @@ int acpm_do_xfer(const struct acpm_handle *handle, const struct acpm_xfer *xfer)
+
+ /* Advance TX front. */
+ writel(idx, achan->tx.front);
+- }
+
+- msg.chan_id = xfer->acpm_chan_id;
+- msg.chan_type = EXYNOS_MBOX_CHAN_TYPE_DOORBELL;
+- ret = mbox_send_message(achan->chan, (void *)&msg);
+- if (ret < 0)
+- return ret;
+-
+- ret = acpm_wait_for_message_response(achan, xfer);
++ ret = mbox_send_message(achan->chan, (void *)&msg);
++ if (ret < 0)
++ return ret;
+
+- /*
+- * NOTE: we might prefer not to need the mailbox ticker to manage the
+- * transfer queueing since the protocol layer queues things by itself.
+- * Unfortunately, we have to kick the mailbox framework after we have
+- * received our message.
+- */
+- mbox_client_txdone(achan->chan, ret);
++ mbox_client_txdone(achan->chan, 0);
++ }
+
+- return ret;
++ return acpm_wait_for_message_response(achan, xfer);
+ }
+
+ /**
+--
+2.39.5
+
--- /dev/null
+From 4a6c9f2ec581e1dfad0139a66e81d42491d70510 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 May 2025 21:04:15 +0200
+Subject: flexfiles/pNFS: update stats on NFS4ERR_DELAY for v4.1 DSes
+
+From: Tigran Mkrtchyan <tigran.mkrtchyan@desy.de>
+
+[ Upstream commit e3e3775392f3f0f3e3044f8c162bf47858e01759 ]
+
+On NFS4ERR_DELAY nfs slient updates its stats, but misses for
+flexfiles v4.1 DSes.
+
+Signed-off-by: Tigran Mkrtchyan <tigran.mkrtchyan@desy.de>
+Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
+Stable-dep-of: 38074de35b01 ("NFSv4/flexfiles: Fix handling of NFS level errors in I/O")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/flexfilelayout/flexfilelayout.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/nfs/flexfilelayout/flexfilelayout.c b/fs/nfs/flexfilelayout/flexfilelayout.c
+index e6909cafab686..df48074605967 100644
+--- a/fs/nfs/flexfilelayout/flexfilelayout.c
++++ b/fs/nfs/flexfilelayout/flexfilelayout.c
+@@ -1129,6 +1129,8 @@ static int ff_layout_async_handle_error_v4(struct rpc_task *task,
+ nfs4_schedule_session_recovery(clp->cl_session, task->tk_status);
+ break;
+ case -NFS4ERR_DELAY:
++ nfs_inc_stats(lseg->pls_layout->plh_inode, NFSIOS_DELAY);
++ fallthrough;
+ case -NFS4ERR_GRACE:
+ rpc_delay(task, FF_LAYOUT_POLL_RETRY_MAX);
+ break;
+--
+2.39.5
+
--- /dev/null
+From 5e73477cd349fd3ddf56f94558e6aa323ee0cb04 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 07:03:30 +0000
+Subject: fs: export anon_inode_make_secure_inode() and fix secretmem LSM
+ bypass
+
+From: Shivank Garg <shivankg@amd.com>
+
+[ Upstream commit cbe4134ea4bc493239786220bd69cb8a13493190 ]
+
+Export anon_inode_make_secure_inode() to allow KVM guest_memfd to create
+anonymous inodes with proper security context. This replaces the current
+pattern of calling alloc_anon_inode() followed by
+inode_init_security_anon() for creating security context manually.
+
+This change also fixes a security regression in secretmem where the
+S_PRIVATE flag was not cleared after alloc_anon_inode(), causing
+LSM/SELinux checks to be bypassed for secretmem file descriptors.
+
+As guest_memfd currently resides in the KVM module, we need to export this
+symbol for use outside the core kernel. In the future, guest_memfd might be
+moved to core-mm, at which point the symbols no longer would have to be
+exported. When/if that happens is still unclear.
+
+Fixes: 2bfe15c52612 ("mm: create security context for memfd_secret inodes")
+Suggested-by: David Hildenbrand <david@redhat.com>
+Suggested-by: Mike Rapoport <rppt@kernel.org>
+Signed-off-by: Shivank Garg <shivankg@amd.com>
+Link: https://lore.kernel.org/20250620070328.803704-3-shivankg@amd.com
+Acked-by: "Mike Rapoport (Microsoft)" <rppt@kernel.org>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/anon_inodes.c | 23 ++++++++++++++++++-----
+ include/linux/fs.h | 2 ++
+ mm/secretmem.c | 9 +--------
+ 3 files changed, 21 insertions(+), 13 deletions(-)
+
+diff --git a/fs/anon_inodes.c b/fs/anon_inodes.c
+index e51e7d88980a2..1d847a939f29a 100644
+--- a/fs/anon_inodes.c
++++ b/fs/anon_inodes.c
+@@ -98,14 +98,25 @@ static struct file_system_type anon_inode_fs_type = {
+ .kill_sb = kill_anon_super,
+ };
+
+-static struct inode *anon_inode_make_secure_inode(
+- const char *name,
+- const struct inode *context_inode)
++/**
++ * anon_inode_make_secure_inode - allocate an anonymous inode with security context
++ * @sb: [in] Superblock to allocate from
++ * @name: [in] Name of the class of the newfile (e.g., "secretmem")
++ * @context_inode:
++ * [in] Optional parent inode for security inheritance
++ *
++ * The function ensures proper security initialization through the LSM hook
++ * security_inode_init_security_anon().
++ *
++ * Return: Pointer to new inode on success, ERR_PTR on failure.
++ */
++struct inode *anon_inode_make_secure_inode(struct super_block *sb, const char *name,
++ const struct inode *context_inode)
+ {
+ struct inode *inode;
+ int error;
+
+- inode = alloc_anon_inode(anon_inode_mnt->mnt_sb);
++ inode = alloc_anon_inode(sb);
+ if (IS_ERR(inode))
+ return inode;
+ inode->i_flags &= ~S_PRIVATE;
+@@ -118,6 +129,7 @@ static struct inode *anon_inode_make_secure_inode(
+ }
+ return inode;
+ }
++EXPORT_SYMBOL_GPL_FOR_MODULES(anon_inode_make_secure_inode, "kvm");
+
+ static struct file *__anon_inode_getfile(const char *name,
+ const struct file_operations *fops,
+@@ -132,7 +144,8 @@ static struct file *__anon_inode_getfile(const char *name,
+ return ERR_PTR(-ENOENT);
+
+ if (make_inode) {
+- inode = anon_inode_make_secure_inode(name, context_inode);
++ inode = anon_inode_make_secure_inode(anon_inode_mnt->mnt_sb,
++ name, context_inode);
+ if (IS_ERR(inode)) {
+ file = ERR_CAST(inode);
+ goto err;
+diff --git a/include/linux/fs.h b/include/linux/fs.h
+index ef41a8213a6fa..1fe7bf10d442c 100644
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -3552,6 +3552,8 @@ extern int simple_write_begin(struct file *file, struct address_space *mapping,
+ extern const struct address_space_operations ram_aops;
+ extern int always_delete_dentry(const struct dentry *);
+ extern struct inode *alloc_anon_inode(struct super_block *);
++struct inode *anon_inode_make_secure_inode(struct super_block *sb, const char *name,
++ const struct inode *context_inode);
+ extern int simple_nosetlease(struct file *, int, struct file_lease **, void **);
+ extern const struct dentry_operations simple_dentry_operations;
+
+diff --git a/mm/secretmem.c b/mm/secretmem.c
+index 1b0a214ee5580..4662f2510ae5f 100644
+--- a/mm/secretmem.c
++++ b/mm/secretmem.c
+@@ -195,18 +195,11 @@ static struct file *secretmem_file_create(unsigned long flags)
+ struct file *file;
+ struct inode *inode;
+ const char *anon_name = "[secretmem]";
+- int err;
+
+- inode = alloc_anon_inode(secretmem_mnt->mnt_sb);
++ inode = anon_inode_make_secure_inode(secretmem_mnt->mnt_sb, anon_name, NULL);
+ if (IS_ERR(inode))
+ return ERR_CAST(inode);
+
+- err = security_inode_init_security_anon(inode, &QSTR(anon_name), NULL);
+- if (err) {
+- file = ERR_PTR(err);
+- goto err_free_inode;
+- }
+-
+ file = alloc_file_pseudo(inode, secretmem_mnt, "secretmem",
+ O_RDWR, &secretmem_fops);
+ if (IS_ERR(file))
+--
+2.39.5
+
--- /dev/null
+From 22bc2708b5fb54a85c01666a98fef27ca4b00e04 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jun 2025 21:48:27 +0900
+Subject: genirq/irq_sim: Initialize work context pointers properly
+
+From: Gyeyoung Baek <gye976@gmail.com>
+
+[ Upstream commit 8a2277a3c9e4cc5398f80821afe7ecbe9bdf2819 ]
+
+Initialize `ops` member's pointers properly by using kzalloc() instead of
+kmalloc() when allocating the simulation work context. Otherwise the
+pointers contain random content leading to invalid dereferencing.
+
+Signed-off-by: Gyeyoung Baek <gye976@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lore.kernel.org/all/20250612124827.63259-1-gye976@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/irq/irq_sim.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/irq/irq_sim.c b/kernel/irq/irq_sim.c
+index 1a3d483548e2f..ae4c9cbd1b4b9 100644
+--- a/kernel/irq/irq_sim.c
++++ b/kernel/irq/irq_sim.c
+@@ -202,7 +202,7 @@ struct irq_domain *irq_domain_create_sim_full(struct fwnode_handle *fwnode,
+ void *data)
+ {
+ struct irq_sim_work_ctx *work_ctx __free(kfree) =
+- kmalloc(sizeof(*work_ctx), GFP_KERNEL);
++ kzalloc(sizeof(*work_ctx), GFP_KERNEL);
+
+ if (!work_ctx)
+ return ERR_PTR(-ENOMEM);
+--
+2.39.5
+
--- /dev/null
+From c64c7d665911ae0e23b21f5c3f51719cec8b21e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Jun 2025 11:14:09 +0300
+Subject: IB/mlx5: Fix potential deadlock in MR deregistration
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Or Har-Toov <ohartoov@nvidia.com>
+
+[ Upstream commit 2ed25aa7f7711f508b6120e336f05cd9d49943c0 ]
+
+The issue arises when kzalloc() is invoked while holding umem_mutex or
+any other lock acquired under umem_mutex. This is problematic because
+kzalloc() can trigger fs_reclaim_aqcuire(), which may, in turn, invoke
+mmu_notifier_invalidate_range_start(). This function can lead to
+mlx5_ib_invalidate_range(), which attempts to acquire umem_mutex again,
+resulting in a deadlock.
+
+The problematic flow:
+ CPU0 | CPU1
+---------------------------------------|------------------------------------------------
+mlx5_ib_dereg_mr() |
+ → revoke_mr() |
+ → mutex_lock(&umem_odp->umem_mutex) |
+ | mlx5_mkey_cache_init()
+ | → mutex_lock(&dev->cache.rb_lock)
+ | → mlx5r_cache_create_ent_locked()
+ | → kzalloc(GFP_KERNEL)
+ | → fs_reclaim()
+ | → mmu_notifier_invalidate_range_start()
+ | → mlx5_ib_invalidate_range()
+ | → mutex_lock(&umem_odp->umem_mutex)
+ → cache_ent_find_and_store() |
+ → mutex_lock(&dev->cache.rb_lock) |
+
+Additionally, when kzalloc() is called from within
+cache_ent_find_and_store(), we encounter the same deadlock due to
+re-acquisition of umem_mutex.
+
+Solve by releasing umem_mutex in dereg_mr() after umr_revoke_mr()
+and before acquiring rb_lock. This ensures that we don't hold
+umem_mutex while performing memory allocations that could trigger
+the reclaim path.
+
+This change prevents the deadlock by ensuring proper lock ordering and
+avoiding holding locks during memory allocation operations that could
+trigger the reclaim path.
+
+The following lockdep warning demonstrates the deadlock:
+
+ python3/20557 is trying to acquire lock:
+ ffff888387542128 (&umem_odp->umem_mutex){+.+.}-{4:4}, at:
+ mlx5_ib_invalidate_range+0x5b/0x550 [mlx5_ib]
+
+ but task is already holding lock:
+ ffffffff82f6b840 (mmu_notifier_invalidate_range_start){+.+.}-{0:0}, at:
+ unmap_vmas+0x7b/0x1a0
+
+ which lock already depends on the new lock.
+
+ the existing dependency chain (in reverse order) is:
+
+ -> #3 (mmu_notifier_invalidate_range_start){+.+.}-{0:0}:
+ fs_reclaim_acquire+0x60/0xd0
+ mem_cgroup_css_alloc+0x6f/0x9b0
+ cgroup_init_subsys+0xa4/0x240
+ cgroup_init+0x1c8/0x510
+ start_kernel+0x747/0x760
+ x86_64_start_reservations+0x25/0x30
+ x86_64_start_kernel+0x73/0x80
+ common_startup_64+0x129/0x138
+
+ -> #2 (fs_reclaim){+.+.}-{0:0}:
+ fs_reclaim_acquire+0x91/0xd0
+ __kmalloc_cache_noprof+0x4d/0x4c0
+ mlx5r_cache_create_ent_locked+0x75/0x620 [mlx5_ib]
+ mlx5_mkey_cache_init+0x186/0x360 [mlx5_ib]
+ mlx5_ib_stage_post_ib_reg_umr_init+0x3c/0x60 [mlx5_ib]
+ __mlx5_ib_add+0x4b/0x190 [mlx5_ib]
+ mlx5r_probe+0xd9/0x320 [mlx5_ib]
+ auxiliary_bus_probe+0x42/0x70
+ really_probe+0xdb/0x360
+ __driver_probe_device+0x8f/0x130
+ driver_probe_device+0x1f/0xb0
+ __driver_attach+0xd4/0x1f0
+ bus_for_each_dev+0x79/0xd0
+ bus_add_driver+0xf0/0x200
+ driver_register+0x6e/0xc0
+ __auxiliary_driver_register+0x6a/0xc0
+ do_one_initcall+0x5e/0x390
+ do_init_module+0x88/0x240
+ init_module_from_file+0x85/0xc0
+ idempotent_init_module+0x104/0x300
+ __x64_sys_finit_module+0x68/0xc0
+ do_syscall_64+0x6d/0x140
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+ -> #1 (&dev->cache.rb_lock){+.+.}-{4:4}:
+ __mutex_lock+0x98/0xf10
+ __mlx5_ib_dereg_mr+0x6f2/0x890 [mlx5_ib]
+ mlx5_ib_dereg_mr+0x21/0x110 [mlx5_ib]
+ ib_dereg_mr_user+0x85/0x1f0 [ib_core]
+ uverbs_free_mr+0x19/0x30 [ib_uverbs]
+ destroy_hw_idr_uobject+0x21/0x80 [ib_uverbs]
+ uverbs_destroy_uobject+0x60/0x3d0 [ib_uverbs]
+ uobj_destroy+0x57/0xa0 [ib_uverbs]
+ ib_uverbs_cmd_verbs+0x4d5/0x1210 [ib_uverbs]
+ ib_uverbs_ioctl+0x129/0x230 [ib_uverbs]
+ __x64_sys_ioctl+0x596/0xaa0
+ do_syscall_64+0x6d/0x140
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+ -> #0 (&umem_odp->umem_mutex){+.+.}-{4:4}:
+ __lock_acquire+0x1826/0x2f00
+ lock_acquire+0xd3/0x2e0
+ __mutex_lock+0x98/0xf10
+ mlx5_ib_invalidate_range+0x5b/0x550 [mlx5_ib]
+ __mmu_notifier_invalidate_range_start+0x18e/0x1f0
+ unmap_vmas+0x182/0x1a0
+ exit_mmap+0xf3/0x4a0
+ mmput+0x3a/0x100
+ do_exit+0x2b9/0xa90
+ do_group_exit+0x32/0xa0
+ get_signal+0xc32/0xcb0
+ arch_do_signal_or_restart+0x29/0x1d0
+ syscall_exit_to_user_mode+0x105/0x1d0
+ do_syscall_64+0x79/0x140
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+ Chain exists of:
+ &dev->cache.rb_lock --> mmu_notifier_invalidate_range_start -->
+ &umem_odp->umem_mutex
+
+ Possible unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(&umem_odp->umem_mutex);
+ lock(mmu_notifier_invalidate_range_start);
+ lock(&umem_odp->umem_mutex);
+ lock(&dev->cache.rb_lock);
+
+ *** DEADLOCK ***
+
+Fixes: abb604a1a9c8 ("RDMA/mlx5: Fix a race for an ODP MR which leads to CQE with error")
+Signed-off-by: Or Har-Toov <ohartoov@nvidia.com>
+Reviewed-by: Michael Guralnik <michaelgur@nvidia.com>
+Link: https://patch.msgid.link/3c8f225a8a9fade647d19b014df1172544643e4a.1750061612.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/mr.c | 61 +++++++++++++++++++++++++--------
+ 1 file changed, 47 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/mr.c b/drivers/infiniband/hw/mlx5/mr.c
+index 5fbebafc87742..cb403134eeaea 100644
+--- a/drivers/infiniband/hw/mlx5/mr.c
++++ b/drivers/infiniband/hw/mlx5/mr.c
+@@ -2027,23 +2027,50 @@ void mlx5_ib_revoke_data_direct_mrs(struct mlx5_ib_dev *dev)
+ }
+ }
+
+-static int mlx5_revoke_mr(struct mlx5_ib_mr *mr)
++static int mlx5_umr_revoke_mr_with_lock(struct mlx5_ib_mr *mr)
+ {
+- struct mlx5_ib_dev *dev = to_mdev(mr->ibmr.device);
+- struct mlx5_cache_ent *ent = mr->mmkey.cache_ent;
+- bool is_odp = is_odp_mr(mr);
+ bool is_odp_dma_buf = is_dmabuf_mr(mr) &&
+- !to_ib_umem_dmabuf(mr->umem)->pinned;
+- bool from_cache = !!ent;
+- int ret = 0;
++ !to_ib_umem_dmabuf(mr->umem)->pinned;
++ bool is_odp = is_odp_mr(mr);
++ int ret;
+
+ if (is_odp)
+ mutex_lock(&to_ib_umem_odp(mr->umem)->umem_mutex);
+
+ if (is_odp_dma_buf)
+- dma_resv_lock(to_ib_umem_dmabuf(mr->umem)->attach->dmabuf->resv, NULL);
++ dma_resv_lock(to_ib_umem_dmabuf(mr->umem)->attach->dmabuf->resv,
++ NULL);
++
++ ret = mlx5r_umr_revoke_mr(mr);
++
++ if (is_odp) {
++ if (!ret)
++ to_ib_umem_odp(mr->umem)->private = NULL;
++ mutex_unlock(&to_ib_umem_odp(mr->umem)->umem_mutex);
++ }
++
++ if (is_odp_dma_buf) {
++ if (!ret)
++ to_ib_umem_dmabuf(mr->umem)->private = NULL;
++ dma_resv_unlock(
++ to_ib_umem_dmabuf(mr->umem)->attach->dmabuf->resv);
++ }
+
+- if (mr->mmkey.cacheable && !mlx5r_umr_revoke_mr(mr) && !cache_ent_find_and_store(dev, mr)) {
++ return ret;
++}
++
++static int mlx5r_handle_mkey_cleanup(struct mlx5_ib_mr *mr)
++{
++ bool is_odp_dma_buf = is_dmabuf_mr(mr) &&
++ !to_ib_umem_dmabuf(mr->umem)->pinned;
++ struct mlx5_ib_dev *dev = to_mdev(mr->ibmr.device);
++ struct mlx5_cache_ent *ent = mr->mmkey.cache_ent;
++ bool is_odp = is_odp_mr(mr);
++ bool from_cache = !!ent;
++ int ret;
++
++ if (mr->mmkey.cacheable && !mlx5_umr_revoke_mr_with_lock(mr) &&
++ !cache_ent_find_and_store(dev, mr)) {
+ ent = mr->mmkey.cache_ent;
+ /* upon storing to a clean temp entry - schedule its cleanup */
+ spin_lock_irq(&ent->mkeys_queue.lock);
+@@ -2055,7 +2082,7 @@ static int mlx5_revoke_mr(struct mlx5_ib_mr *mr)
+ ent->tmp_cleanup_scheduled = true;
+ }
+ spin_unlock_irq(&ent->mkeys_queue.lock);
+- goto out;
++ return 0;
+ }
+
+ if (ent) {
+@@ -2064,8 +2091,14 @@ static int mlx5_revoke_mr(struct mlx5_ib_mr *mr)
+ mr->mmkey.cache_ent = NULL;
+ spin_unlock_irq(&ent->mkeys_queue.lock);
+ }
++
++ if (is_odp)
++ mutex_lock(&to_ib_umem_odp(mr->umem)->umem_mutex);
++
++ if (is_odp_dma_buf)
++ dma_resv_lock(to_ib_umem_dmabuf(mr->umem)->attach->dmabuf->resv,
++ NULL);
+ ret = destroy_mkey(dev, mr);
+-out:
+ if (is_odp) {
+ if (!ret)
+ to_ib_umem_odp(mr->umem)->private = NULL;
+@@ -2075,9 +2108,9 @@ static int mlx5_revoke_mr(struct mlx5_ib_mr *mr)
+ if (is_odp_dma_buf) {
+ if (!ret)
+ to_ib_umem_dmabuf(mr->umem)->private = NULL;
+- dma_resv_unlock(to_ib_umem_dmabuf(mr->umem)->attach->dmabuf->resv);
++ dma_resv_unlock(
++ to_ib_umem_dmabuf(mr->umem)->attach->dmabuf->resv);
+ }
+-
+ return ret;
+ }
+
+@@ -2126,7 +2159,7 @@ static int __mlx5_ib_dereg_mr(struct ib_mr *ibmr)
+ }
+
+ /* Stop DMA */
+- rc = mlx5_revoke_mr(mr);
++ rc = mlx5r_handle_mkey_cleanup(mr);
+ if (rc)
+ return rc;
+
+--
+2.39.5
+
--- /dev/null
+From c54d7701d9e5b78a8eedfb64dab935314c6b5e51 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 May 2025 14:55:37 -0600
+Subject: idpf: convert control queue mutex to a spinlock
+
+From: Ahmed Zaki <ahmed.zaki@intel.com>
+
+[ Upstream commit b2beb5bb2cd90d7939e470ed4da468683f41baa3 ]
+
+With VIRTCHNL2_CAP_MACFILTER enabled, the following warning is generated
+on module load:
+
+[ 324.701677] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:578
+[ 324.701684] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1582, name: NetworkManager
+[ 324.701689] preempt_count: 201, expected: 0
+[ 324.701693] RCU nest depth: 0, expected: 0
+[ 324.701697] 2 locks held by NetworkManager/1582:
+[ 324.701702] #0: ffffffff9f7be770 (rtnl_mutex){....}-{3:3}, at: rtnl_newlink+0x791/0x21e0
+[ 324.701730] #1: ff1100216c380368 (_xmit_ETHER){....}-{2:2}, at: __dev_open+0x3f0/0x870
+[ 324.701749] Preemption disabled at:
+[ 324.701752] [<ffffffff9cd23b9d>] __dev_open+0x3dd/0x870
+[ 324.701765] CPU: 30 UID: 0 PID: 1582 Comm: NetworkManager Not tainted 6.15.0-rc5+ #2 PREEMPT(voluntary)
+[ 324.701771] Hardware name: Intel Corporation M50FCP2SBSTD/M50FCP2SBSTD, BIOS SE5C741.86B.01.01.0001.2211140926 11/14/2022
+[ 324.701774] Call Trace:
+[ 324.701777] <TASK>
+[ 324.701779] dump_stack_lvl+0x5d/0x80
+[ 324.701788] ? __dev_open+0x3dd/0x870
+[ 324.701793] __might_resched.cold+0x1ef/0x23d
+<..>
+[ 324.701818] __mutex_lock+0x113/0x1b80
+<..>
+[ 324.701917] idpf_ctlq_clean_sq+0xad/0x4b0 [idpf]
+[ 324.701935] ? kasan_save_track+0x14/0x30
+[ 324.701941] idpf_mb_clean+0x143/0x380 [idpf]
+<..>
+[ 324.701991] idpf_send_mb_msg+0x111/0x720 [idpf]
+[ 324.702009] idpf_vc_xn_exec+0x4cc/0x990 [idpf]
+[ 324.702021] ? rcu_is_watching+0x12/0xc0
+[ 324.702035] idpf_add_del_mac_filters+0x3ed/0xb50 [idpf]
+<..>
+[ 324.702122] __hw_addr_sync_dev+0x1cf/0x300
+[ 324.702126] ? find_held_lock+0x32/0x90
+[ 324.702134] idpf_set_rx_mode+0x317/0x390 [idpf]
+[ 324.702152] __dev_open+0x3f8/0x870
+[ 324.702159] ? __pfx___dev_open+0x10/0x10
+[ 324.702174] __dev_change_flags+0x443/0x650
+<..>
+[ 324.702208] netif_change_flags+0x80/0x160
+[ 324.702218] do_setlink.isra.0+0x16a0/0x3960
+<..>
+[ 324.702349] rtnl_newlink+0x12fd/0x21e0
+
+The sequence is as follows:
+ rtnl_newlink()->
+ __dev_change_flags()->
+ __dev_open()->
+ dev_set_rx_mode() - > # disables BH and grabs "dev->addr_list_lock"
+ idpf_set_rx_mode() -> # proceed only if VIRTCHNL2_CAP_MACFILTER is ON
+ __dev_uc_sync() ->
+ idpf_add_mac_filter ->
+ idpf_add_del_mac_filters ->
+ idpf_send_mb_msg() ->
+ idpf_mb_clean() ->
+ idpf_ctlq_clean_sq() # mutex_lock(cq_lock)
+
+Fix by converting cq_lock to a spinlock. All operations under the new
+lock are safe except freeing the DMA memory, which may use vunmap(). Fix
+by requesting a contiguous physical memory for the DMA mapping.
+
+Fixes: a251eee62133 ("idpf: add SRIOV support and other ndo_ops")
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Ahmed Zaki <ahmed.zaki@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Samuel Salin <Samuel.salin@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/intel/idpf/idpf_controlq.c | 23 +++++++++----------
+ .../ethernet/intel/idpf/idpf_controlq_api.h | 2 +-
+ drivers/net/ethernet/intel/idpf/idpf_lib.c | 12 ++++++----
+ 3 files changed, 20 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_controlq.c b/drivers/net/ethernet/intel/idpf/idpf_controlq.c
+index b28991dd18703..48b8e184f3db6 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_controlq.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_controlq.c
+@@ -96,7 +96,7 @@ static void idpf_ctlq_init_rxq_bufs(struct idpf_ctlq_info *cq)
+ */
+ static void idpf_ctlq_shutdown(struct idpf_hw *hw, struct idpf_ctlq_info *cq)
+ {
+- mutex_lock(&cq->cq_lock);
++ spin_lock(&cq->cq_lock);
+
+ /* free ring buffers and the ring itself */
+ idpf_ctlq_dealloc_ring_res(hw, cq);
+@@ -104,8 +104,7 @@ static void idpf_ctlq_shutdown(struct idpf_hw *hw, struct idpf_ctlq_info *cq)
+ /* Set ring_size to 0 to indicate uninitialized queue */
+ cq->ring_size = 0;
+
+- mutex_unlock(&cq->cq_lock);
+- mutex_destroy(&cq->cq_lock);
++ spin_unlock(&cq->cq_lock);
+ }
+
+ /**
+@@ -173,7 +172,7 @@ int idpf_ctlq_add(struct idpf_hw *hw,
+
+ idpf_ctlq_init_regs(hw, cq, is_rxq);
+
+- mutex_init(&cq->cq_lock);
++ spin_lock_init(&cq->cq_lock);
+
+ list_add(&cq->cq_list, &hw->cq_list_head);
+
+@@ -272,7 +271,7 @@ int idpf_ctlq_send(struct idpf_hw *hw, struct idpf_ctlq_info *cq,
+ int err = 0;
+ int i;
+
+- mutex_lock(&cq->cq_lock);
++ spin_lock(&cq->cq_lock);
+
+ /* Ensure there are enough descriptors to send all messages */
+ num_desc_avail = IDPF_CTLQ_DESC_UNUSED(cq);
+@@ -332,7 +331,7 @@ int idpf_ctlq_send(struct idpf_hw *hw, struct idpf_ctlq_info *cq,
+ wr32(hw, cq->reg.tail, cq->next_to_use);
+
+ err_unlock:
+- mutex_unlock(&cq->cq_lock);
++ spin_unlock(&cq->cq_lock);
+
+ return err;
+ }
+@@ -364,7 +363,7 @@ int idpf_ctlq_clean_sq(struct idpf_ctlq_info *cq, u16 *clean_count,
+ if (*clean_count > cq->ring_size)
+ return -EBADR;
+
+- mutex_lock(&cq->cq_lock);
++ spin_lock(&cq->cq_lock);
+
+ ntc = cq->next_to_clean;
+
+@@ -397,7 +396,7 @@ int idpf_ctlq_clean_sq(struct idpf_ctlq_info *cq, u16 *clean_count,
+
+ cq->next_to_clean = ntc;
+
+- mutex_unlock(&cq->cq_lock);
++ spin_unlock(&cq->cq_lock);
+
+ /* Return number of descriptors actually cleaned */
+ *clean_count = i;
+@@ -435,7 +434,7 @@ int idpf_ctlq_post_rx_buffs(struct idpf_hw *hw, struct idpf_ctlq_info *cq,
+ if (*buff_count > 0)
+ buffs_avail = true;
+
+- mutex_lock(&cq->cq_lock);
++ spin_lock(&cq->cq_lock);
+
+ if (tbp >= cq->ring_size)
+ tbp = 0;
+@@ -524,7 +523,7 @@ int idpf_ctlq_post_rx_buffs(struct idpf_hw *hw, struct idpf_ctlq_info *cq,
+ wr32(hw, cq->reg.tail, cq->next_to_post);
+ }
+
+- mutex_unlock(&cq->cq_lock);
++ spin_unlock(&cq->cq_lock);
+
+ /* return the number of buffers that were not posted */
+ *buff_count = *buff_count - i;
+@@ -552,7 +551,7 @@ int idpf_ctlq_recv(struct idpf_ctlq_info *cq, u16 *num_q_msg,
+ u16 i;
+
+ /* take the lock before we start messing with the ring */
+- mutex_lock(&cq->cq_lock);
++ spin_lock(&cq->cq_lock);
+
+ ntc = cq->next_to_clean;
+
+@@ -614,7 +613,7 @@ int idpf_ctlq_recv(struct idpf_ctlq_info *cq, u16 *num_q_msg,
+
+ cq->next_to_clean = ntc;
+
+- mutex_unlock(&cq->cq_lock);
++ spin_unlock(&cq->cq_lock);
+
+ *num_q_msg = i;
+ if (*num_q_msg == 0)
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_controlq_api.h b/drivers/net/ethernet/intel/idpf/idpf_controlq_api.h
+index e8e046ef2f0d7..5890d8adca4a8 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_controlq_api.h
++++ b/drivers/net/ethernet/intel/idpf/idpf_controlq_api.h
+@@ -99,7 +99,7 @@ struct idpf_ctlq_info {
+
+ enum idpf_ctlq_type cq_type;
+ int q_id;
+- struct mutex cq_lock; /* control queue lock */
++ spinlock_t cq_lock; /* control queue lock */
+ /* used for interrupt processing */
+ u16 next_to_use;
+ u16 next_to_clean;
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c
+index 2ed801398971c..fe96e20573660 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_lib.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c
+@@ -2329,8 +2329,12 @@ void *idpf_alloc_dma_mem(struct idpf_hw *hw, struct idpf_dma_mem *mem, u64 size)
+ struct idpf_adapter *adapter = hw->back;
+ size_t sz = ALIGN(size, 4096);
+
+- mem->va = dma_alloc_coherent(&adapter->pdev->dev, sz,
+- &mem->pa, GFP_KERNEL);
++ /* The control queue resources are freed under a spinlock, contiguous
++ * pages will avoid IOMMU remapping and the use vmap (and vunmap in
++ * dma_free_*() path.
++ */
++ mem->va = dma_alloc_attrs(&adapter->pdev->dev, sz, &mem->pa,
++ GFP_KERNEL, DMA_ATTR_FORCE_CONTIGUOUS);
+ mem->size = sz;
+
+ return mem->va;
+@@ -2345,8 +2349,8 @@ void idpf_free_dma_mem(struct idpf_hw *hw, struct idpf_dma_mem *mem)
+ {
+ struct idpf_adapter *adapter = hw->back;
+
+- dma_free_coherent(&adapter->pdev->dev, mem->size,
+- mem->va, mem->pa);
++ dma_free_attrs(&adapter->pdev->dev, mem->size,
++ mem->va, mem->pa, DMA_ATTR_FORCE_CONTIGUOUS);
+ mem->size = 0;
+ mem->va = NULL;
+ mem->pa = 0;
+--
+2.39.5
+
--- /dev/null
+From 521f9753b3ac2ea6a221e5c3e9afde6c68d7a1a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 May 2025 10:52:06 +0200
+Subject: idpf: return 0 size for RSS key if not supported
+
+From: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+
+[ Upstream commit f77bf1ebf8ff6301ccdbc346f7b52db928f9cbf8 ]
+
+Returning -EOPNOTSUPP from function returning u32 is leading to
+cast and invalid size value as a result.
+
+-EOPNOTSUPP as a size probably will lead to allocation fail.
+
+Command: ethtool -x eth0
+It is visible on all devices that don't have RSS caps set.
+
+[ 136.615917] Call Trace:
+[ 136.615921] <TASK>
+[ 136.615927] ? __warn+0x89/0x130
+[ 136.615942] ? __alloc_frozen_pages_noprof+0x322/0x330
+[ 136.615953] ? report_bug+0x164/0x190
+[ 136.615968] ? handle_bug+0x58/0x90
+[ 136.615979] ? exc_invalid_op+0x17/0x70
+[ 136.615987] ? asm_exc_invalid_op+0x1a/0x20
+[ 136.616001] ? rss_prepare_get.constprop.0+0xb9/0x170
+[ 136.616016] ? __alloc_frozen_pages_noprof+0x322/0x330
+[ 136.616028] __alloc_pages_noprof+0xe/0x20
+[ 136.616038] ___kmalloc_large_node+0x80/0x110
+[ 136.616072] __kmalloc_large_node_noprof+0x1d/0xa0
+[ 136.616081] __kmalloc_noprof+0x32c/0x4c0
+[ 136.616098] ? rss_prepare_get.constprop.0+0xb9/0x170
+[ 136.616105] rss_prepare_get.constprop.0+0xb9/0x170
+[ 136.616114] ethnl_default_doit+0x107/0x3d0
+[ 136.616131] genl_family_rcv_msg_doit+0x100/0x160
+[ 136.616147] genl_rcv_msg+0x1b8/0x2c0
+[ 136.616156] ? __pfx_ethnl_default_doit+0x10/0x10
+[ 136.616168] ? __pfx_genl_rcv_msg+0x10/0x10
+[ 136.616176] netlink_rcv_skb+0x58/0x110
+[ 136.616186] genl_rcv+0x28/0x40
+[ 136.616195] netlink_unicast+0x19b/0x290
+[ 136.616206] netlink_sendmsg+0x222/0x490
+[ 136.616215] __sys_sendto+0x1fd/0x210
+[ 136.616233] __x64_sys_sendto+0x24/0x30
+[ 136.616242] do_syscall_64+0x82/0x160
+[ 136.616252] ? __sys_recvmsg+0x83/0xe0
+[ 136.616265] ? syscall_exit_to_user_mode+0x10/0x210
+[ 136.616275] ? do_syscall_64+0x8e/0x160
+[ 136.616282] ? __count_memcg_events+0xa1/0x130
+[ 136.616295] ? count_memcg_events.constprop.0+0x1a/0x30
+[ 136.616306] ? handle_mm_fault+0xae/0x2d0
+[ 136.616319] ? do_user_addr_fault+0x379/0x670
+[ 136.616328] ? clear_bhb_loop+0x45/0xa0
+[ 136.616340] ? clear_bhb_loop+0x45/0xa0
+[ 136.616349] ? clear_bhb_loop+0x45/0xa0
+[ 136.616359] entry_SYSCALL_64_after_hwframe+0x76/0x7e
+[ 136.616369] RIP: 0033:0x7fd30ba7b047
+[ 136.616376] Code: 0c 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 80 3d bd d5 0c 00 00 41 89 ca 74 10 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 71 c3 55 48 83 ec 30 44 89 4c 24 2c 4c 89 44
+[ 136.616381] RSP: 002b:00007ffde1796d68 EFLAGS: 00000202 ORIG_RAX: 000000000000002c
+[ 136.616388] RAX: ffffffffffffffda RBX: 000055d7bd89f2a0 RCX: 00007fd30ba7b047
+[ 136.616392] RDX: 0000000000000028 RSI: 000055d7bd89f3b0 RDI: 0000000000000003
+[ 136.616396] RBP: 00007ffde1796e10 R08: 00007fd30bb4e200 R09: 000000000000000c
+[ 136.616399] R10: 0000000000000000 R11: 0000000000000202 R12: 000055d7bd89f340
+[ 136.616403] R13: 000055d7bd89f3b0 R14: 000055d78943f200 R15: 0000000000000000
+
+Fixes: 02cbfba1add5 ("idpf: add ethtool callbacks")
+Reviewed-by: Ahmed Zaki <ahmed.zaki@intel.com>
+Signed-off-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Samuel Salin <Samuel.salin@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/idpf/idpf_ethtool.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_ethtool.c b/drivers/net/ethernet/intel/idpf/idpf_ethtool.c
+index 59b1a1a099967..f72420cf68216 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_ethtool.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_ethtool.c
+@@ -46,7 +46,7 @@ static u32 idpf_get_rxfh_key_size(struct net_device *netdev)
+ struct idpf_vport_user_config_data *user_config;
+
+ if (!idpf_is_cap_ena_all(np->adapter, IDPF_RSS_CAPS, IDPF_CAP_RSS))
+- return -EOPNOTSUPP;
++ return 0;
+
+ user_config = &np->adapter->vport_config[np->vport_idx]->user_config;
+
+@@ -65,7 +65,7 @@ static u32 idpf_get_rxfh_indir_size(struct net_device *netdev)
+ struct idpf_vport_user_config_data *user_config;
+
+ if (!idpf_is_cap_ena_all(np->adapter, IDPF_RSS_CAPS, IDPF_CAP_RSS))
+- return -EOPNOTSUPP;
++ return 0;
+
+ user_config = &np->adapter->vport_config[np->vport_idx]->user_config;
+
+--
+2.39.5
+
--- /dev/null
+From 89ec734a1da7c4cb45107b21daf2a5b8032979db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 15:52:54 +0300
+Subject: igc: disable L1.2 PCI-E link substate to avoid performance issue
+
+From: Vitaly Lifshits <vitaly.lifshits@intel.com>
+
+[ Upstream commit 0325143b59c6c6d79987afc57d2456e7a20d13b7 ]
+
+I226 devices advertise support for the PCI-E link L1.2 substate. However,
+due to a hardware limitation, the exit latency from this low-power state
+is longer than the packet buffer can tolerate under high traffic
+conditions. This can lead to packet loss and degraded performance.
+
+To mitigate this, disable the L1.2 substate. The increased power draw
+between L1.1 and L1.2 is insignificant.
+
+Fixes: 43546211738e ("igc: Add new device ID's")
+Link: https://lore.kernel.org/intel-wired-lan/15248b4f-3271-42dd-8e35-02bfc92b25e1@intel.com
+Signed-off-by: Vitaly Lifshits <vitaly.lifshits@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Tested-by: Mor Bar-Gabay <morx.bar.gabay@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index b1669d7cf4359..7d8cc783b2282 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -7046,6 +7046,10 @@ static int igc_probe(struct pci_dev *pdev,
+ adapter->port_num = hw->bus.func;
+ adapter->msg_enable = netif_msg_init(debug, DEFAULT_MSG_ENABLE);
+
++ /* Disable ASPM L1.2 on I226 devices to avoid packet loss */
++ if (igc_is_device_id_i226(hw))
++ pci_disable_link_state(pdev, PCIE_LINK_STATE_L1_2);
++
+ err = pci_save_state(pdev);
+ if (err)
+ goto err_ioremap;
+@@ -7426,6 +7430,9 @@ static int __igc_resume(struct device *dev, bool rpm)
+ pci_enable_wake(pdev, PCI_D3hot, 0);
+ pci_enable_wake(pdev, PCI_D3cold, 0);
+
++ if (igc_is_device_id_i226(hw))
++ pci_disable_link_state(pdev, PCIE_LINK_STATE_L1_2);
++
+ if (igc_init_interrupt_scheme(adapter, true)) {
+ netdev_err(netdev, "Unable to allocate memory for queues\n");
+ return -ENOMEM;
+@@ -7551,6 +7558,9 @@ static pci_ers_result_t igc_io_slot_reset(struct pci_dev *pdev)
+ pci_enable_wake(pdev, PCI_D3hot, 0);
+ pci_enable_wake(pdev, PCI_D3cold, 0);
+
++ if (igc_is_device_id_i226(hw))
++ pci_disable_link_state_locked(pdev, PCIE_LINK_STATE_L1_2);
++
+ /* In case of PCI error, adapter loses its HW address
+ * so we should re-assign it here.
+ */
+--
+2.39.5
+
--- /dev/null
+From 9169070f8a73ef54f34f9cdbdf619a8236fbef2b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 14:36:40 -0500
+Subject: lib: test_objagg: Set error message in check_expect_hints_stats()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit e6ed134a4ef592fe1fd0cafac9683813b3c8f3e8 ]
+
+Smatch complains that the error message isn't set in the caller:
+
+ lib/test_objagg.c:923 test_hints_case2()
+ error: uninitialized symbol 'errmsg'.
+
+This static checker warning only showed up after a recent refactoring
+but the bug dates back to when the code was originally added. This
+likely doesn't affect anything in real life.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/r/202506281403.DsuyHFTZ-lkp@intel.com/
+Fixes: 0a020d416d0a ("lib: introduce initial implementation of object aggregation manager")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/8548f423-2e3b-4bb7-b816-5041de2762aa@sabinyo.mountain
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/test_objagg.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/test_objagg.c b/lib/test_objagg.c
+index d34df4306b874..222b39fc2629e 100644
+--- a/lib/test_objagg.c
++++ b/lib/test_objagg.c
+@@ -899,8 +899,10 @@ static int check_expect_hints_stats(struct objagg_hints *objagg_hints,
+ int err;
+
+ stats = objagg_hints_stats_get(objagg_hints);
+- if (IS_ERR(stats))
++ if (IS_ERR(stats)) {
++ *errmsg = "objagg_hints_stats_get() failed.";
+ return PTR_ERR(stats);
++ }
+ err = __check_expect_stats(stats, expect_stats, errmsg);
+ objagg_stats_put(stats);
+ return err;
+--
+2.39.5
+
--- /dev/null
+From 7edbf0d1181068b6369c3d886149b41bbb881c4c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 May 2025 16:12:09 +0200
+Subject: module: Provide EXPORT_SYMBOL_GPL_FOR_MODULES() helper
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit 707f853d7fa3ce323a6875487890c213e34d81a0 ]
+
+Helper macro to more easily limit the export of a symbol to a given
+list of modules.
+
+Eg:
+
+ EXPORT_SYMBOL_GPL_FOR_MODULES(preempt_notifier_inc, "kvm");
+
+will limit the use of said function to kvm.ko, any other module trying
+to use this symbol will refure to load (and get modpost build
+failures).
+
+Requested-by: Masahiro Yamada <masahiroy@kernel.org>
+Requested-by: Christoph Hellwig <hch@infradead.org>
+Signed-off-by: Peter Zijlstra <peterz@infradead.org>
+Reviewed-by: Petr Pavlu <petr.pavlu@suse.com>
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Stable-dep-of: cbe4134ea4bc ("fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/core-api/symbol-namespaces.rst | 22 ++++++++++++++++++++
+ include/linux/export.h | 12 +++++++++--
+ 2 files changed, 32 insertions(+), 2 deletions(-)
+
+diff --git a/Documentation/core-api/symbol-namespaces.rst b/Documentation/core-api/symbol-namespaces.rst
+index 06f766a6aab24..c6f59c5e25648 100644
+--- a/Documentation/core-api/symbol-namespaces.rst
++++ b/Documentation/core-api/symbol-namespaces.rst
+@@ -28,6 +28,9 @@ kernel. As of today, modules that make use of symbols exported into namespaces,
+ are required to import the namespace. Otherwise the kernel will, depending on
+ its configuration, reject loading the module or warn about a missing import.
+
++Additionally, it is possible to put symbols into a module namespace, strictly
++limiting which modules are allowed to use these symbols.
++
+ 2. How to define Symbol Namespaces
+ ==================================
+
+@@ -83,6 +86,22 @@ unit as preprocessor statement. The above example would then read::
+ within the corresponding compilation unit before the #include for
+ <linux/export.h>. Typically it's placed before the first #include statement.
+
++2.3 Using the EXPORT_SYMBOL_GPL_FOR_MODULES() macro
++===================================================
++
++Symbols exported using this macro are put into a module namespace. This
++namespace cannot be imported.
++
++The macro takes a comma separated list of module names, allowing only those
++modules to access this symbol. Simple tail-globs are supported.
++
++For example:
++
++ EXPORT_SYMBOL_GPL_FOR_MODULES(preempt_notifier_inc, "kvm,kvm-*")
++
++will limit usage of this symbol to modules whoes name matches the given
++patterns.
++
+ 3. How to use Symbols exported in Namespaces
+ ============================================
+
+@@ -154,3 +173,6 @@ in-tree modules::
+ You can also run nsdeps for external module builds. A typical usage is::
+
+ $ make -C <path_to_kernel_src> M=$PWD nsdeps
++
++Note: it will happily generate an import statement for the module namespace;
++which will not work and generates build and runtime failures.
+diff --git a/include/linux/export.h b/include/linux/export.h
+index a8c23d945634b..f35d03b4113b1 100644
+--- a/include/linux/export.h
++++ b/include/linux/export.h
+@@ -24,11 +24,17 @@
+ .long sym
+ #endif
+
+-#define ___EXPORT_SYMBOL(sym, license, ns) \
++/*
++ * LLVM integrated assembler cam merge adjacent string literals (like
++ * C and GNU-as) passed to '.ascii', but not to '.asciz' and chokes on:
++ *
++ * .asciz "MODULE_" "kvm" ;
++ */
++#define ___EXPORT_SYMBOL(sym, license, ns...) \
+ .section ".export_symbol","a" ASM_NL \
+ __export_symbol_##sym: ASM_NL \
+ .asciz license ASM_NL \
+- .asciz ns ASM_NL \
++ .ascii ns "\0" ASM_NL \
+ __EXPORT_SYMBOL_REF(sym) ASM_NL \
+ .previous
+
+@@ -85,4 +91,6 @@
+ #define EXPORT_SYMBOL_NS(sym, ns) __EXPORT_SYMBOL(sym, "", ns)
+ #define EXPORT_SYMBOL_NS_GPL(sym, ns) __EXPORT_SYMBOL(sym, "GPL", ns)
+
++#define EXPORT_SYMBOL_GPL_FOR_MODULES(sym, mods) __EXPORT_SYMBOL(sym, "GPL", "module:" mods)
++
+ #endif /* _LINUX_EXPORT_H */
+--
+2.39.5
+
--- /dev/null
+From 10bb6b3d5d530c509870cabf37db373076bae563 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 13:35:16 +0200
+Subject: mtd: spinand: fix memory leak of ECC engine conf
+
+From: Pablo Martin-Gomez <pmartin-gomez@freebox.fr>
+
+[ Upstream commit 6463cbe08b0cbf9bba8763306764f5fd643023e1 ]
+
+Memory allocated for the ECC engine conf is not released during spinand
+cleanup. Below kmemleak trace is seen for this memory leak:
+
+unreferenced object 0xffffff80064f00e0 (size 8):
+ comm "swapper/0", pid 1, jiffies 4294937458
+ hex dump (first 8 bytes):
+ 00 00 00 00 00 00 00 00 ........
+ backtrace (crc 0):
+ kmemleak_alloc+0x30/0x40
+ __kmalloc_cache_noprof+0x208/0x3c0
+ spinand_ondie_ecc_init_ctx+0x114/0x200
+ nand_ecc_init_ctx+0x70/0xa8
+ nanddev_ecc_engine_init+0xec/0x27c
+ spinand_probe+0xa2c/0x1620
+ spi_mem_probe+0x130/0x21c
+ spi_probe+0xf0/0x170
+ really_probe+0x17c/0x6e8
+ __driver_probe_device+0x17c/0x21c
+ driver_probe_device+0x58/0x180
+ __device_attach_driver+0x15c/0x1f8
+ bus_for_each_drv+0xec/0x150
+ __device_attach+0x188/0x24c
+ device_initial_probe+0x10/0x20
+ bus_probe_device+0x11c/0x160
+
+Fix the leak by calling nanddev_ecc_engine_cleanup() inside
+spinand_cleanup().
+
+Signed-off-by: Pablo Martin-Gomez <pmartin-gomez@freebox.fr>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/spi/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/mtd/nand/spi/core.c b/drivers/mtd/nand/spi/core.c
+index d16e42cf8faeb..303aede6e5aa4 100644
+--- a/drivers/mtd/nand/spi/core.c
++++ b/drivers/mtd/nand/spi/core.c
+@@ -1585,6 +1585,7 @@ static void spinand_cleanup(struct spinand_device *spinand)
+ {
+ struct nand_device *nand = spinand_to_nand(spinand);
+
++ nanddev_ecc_engine_cleanup(nand);
+ nanddev_cleanup(nand);
+ spinand_manufacturer_cleanup(spinand);
+ kfree(spinand->databuf);
+--
+2.39.5
+
--- /dev/null
+From bc98ce92823efa9a6e7b450a34a46fa274b0b505 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 09:49:34 +0200
+Subject: net: ipv4: fix stat increase when udp early demux drops the packet
+
+From: Antoine Tenart <atenart@kernel.org>
+
+[ Upstream commit c2a2ff6b4db55647575260bf2227b0e09d46addb ]
+
+udp_v4_early_demux now returns drop reasons as it either returns 0 or
+ip_mc_validate_source, which returns itself a drop reason. However its
+use was not converted in ip_rcv_finish_core and the drop reason is
+ignored, leading to potentially skipping increasing LINUX_MIB_IPRPFILTER
+if the drop reason is SKB_DROP_REASON_IP_RPFILTER.
+
+This is a fix and we're not converting udp_v4_early_demux to explicitly
+return a drop reason to ease backports; this can be done as a follow-up.
+
+Fixes: d46f827016d8 ("net: ip: make ip_mc_validate_source() return drop reason")
+Cc: Menglong Dong <menglong8.dong@gmail.com>
+Reported-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Antoine Tenart <atenart@kernel.org>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Link: https://patch.msgid.link/20250701074935.144134-1-atenart@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/ip_input.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
+index 30a5e9460d006..5a49eb99e5c48 100644
+--- a/net/ipv4/ip_input.c
++++ b/net/ipv4/ip_input.c
+@@ -319,8 +319,8 @@ static int ip_rcv_finish_core(struct net *net,
+ const struct sk_buff *hint)
+ {
+ const struct iphdr *iph = ip_hdr(skb);
+- int err, drop_reason;
+ struct rtable *rt;
++ int drop_reason;
+
+ if (ip_can_use_hint(skb, iph, hint)) {
+ drop_reason = ip_route_use_hint(skb, iph->daddr, iph->saddr,
+@@ -345,9 +345,10 @@ static int ip_rcv_finish_core(struct net *net,
+ break;
+ case IPPROTO_UDP:
+ if (READ_ONCE(net->ipv4.sysctl_udp_early_demux)) {
+- err = udp_v4_early_demux(skb);
+- if (unlikely(err))
++ drop_reason = udp_v4_early_demux(skb);
++ if (unlikely(drop_reason))
+ goto drop_error;
++ drop_reason = SKB_DROP_REASON_NOT_SPECIFIED;
+
+ /* must reload iph, skb->head might have changed */
+ iph = ip_hdr(skb);
+--
+2.39.5
+
--- /dev/null
+From fbdf56739a622d95de1c828057ecd7335f41499e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 15:27:30 +0200
+Subject: net/sched: Always pass notifications when child class becomes empty
+
+From: Lion Ackermann <nnamrec@gmail.com>
+
+[ Upstream commit 103406b38c600fec1fe375a77b27d87e314aea09 ]
+
+Certain classful qdiscs may invoke their classes' dequeue handler on an
+enqueue operation. This may unexpectedly empty the child qdisc and thus
+make an in-flight class passive via qlen_notify(). Most qdiscs do not
+expect such behaviour at this point in time and may re-activate the
+class eventually anyways which will lead to a use-after-free.
+
+The referenced fix commit attempted to fix this behavior for the HFSC
+case by moving the backlog accounting around, though this turned out to
+be incomplete since the parent's parent may run into the issue too.
+The following reproducer demonstrates this use-after-free:
+
+ tc qdisc add dev lo root handle 1: drr
+ tc filter add dev lo parent 1: basic classid 1:1
+ tc class add dev lo parent 1: classid 1:1 drr
+ tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1
+ tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0
+ tc qdisc add dev lo parent 2:1 handle 3: netem
+ tc qdisc add dev lo parent 3:1 handle 4: blackhole
+
+ echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888
+ tc class delete dev lo classid 1:1
+ echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888
+
+Since backlog accounting issues leading to a use-after-frees on stale
+class pointers is a recurring pattern at this point, this patch takes
+a different approach. Instead of trying to fix the accounting, the patch
+ensures that qdisc_tree_reduce_backlog always calls qlen_notify when
+the child qdisc is empty. This solves the problem because deletion of
+qdiscs always involves a call to qdisc_reset() and / or
+qdisc_purge_queue() which ultimately resets its qlen to 0 thus causing
+the following qdisc_tree_reduce_backlog() to report to the parent. Note
+that this may call qlen_notify on passive classes multiple times. This
+is not a problem after the recent patch series that made all the
+classful qdiscs qlen_notify() handlers idempotent.
+
+Fixes: 3f981138109f ("sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()")
+Signed-off-by: Lion Ackermann <nnamrec@gmail.com>
+Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://patch.msgid.link/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_api.c | 19 +++++--------------
+ 1 file changed, 5 insertions(+), 14 deletions(-)
+
+diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
+index f74a097f54ae7..d58921ffcf35e 100644
+--- a/net/sched/sch_api.c
++++ b/net/sched/sch_api.c
+@@ -779,15 +779,12 @@ static u32 qdisc_alloc_handle(struct net_device *dev)
+
+ void qdisc_tree_reduce_backlog(struct Qdisc *sch, int n, int len)
+ {
+- bool qdisc_is_offloaded = sch->flags & TCQ_F_OFFLOADED;
+ const struct Qdisc_class_ops *cops;
+ unsigned long cl;
+ u32 parentid;
+ bool notify;
+ int drops;
+
+- if (n == 0 && len == 0)
+- return;
+ drops = max_t(int, n, 0);
+ rcu_read_lock();
+ while ((parentid = sch->parent)) {
+@@ -796,17 +793,8 @@ void qdisc_tree_reduce_backlog(struct Qdisc *sch, int n, int len)
+
+ if (sch->flags & TCQ_F_NOPARENT)
+ break;
+- /* Notify parent qdisc only if child qdisc becomes empty.
+- *
+- * If child was empty even before update then backlog
+- * counter is screwed and we skip notification because
+- * parent class is already passive.
+- *
+- * If the original child was offloaded then it is allowed
+- * to be seem as empty, so the parent is notified anyway.
+- */
+- notify = !sch->q.qlen && !WARN_ON_ONCE(!n &&
+- !qdisc_is_offloaded);
++ /* Notify parent qdisc only if child qdisc becomes empty. */
++ notify = !sch->q.qlen;
+ /* TODO: perform the search on a per txq basis */
+ sch = qdisc_lookup_rcu(qdisc_dev(sch), TC_H_MAJ(parentid));
+ if (sch == NULL) {
+@@ -815,6 +803,9 @@ void qdisc_tree_reduce_backlog(struct Qdisc *sch, int n, int len)
+ }
+ cops = sch->ops->cl_ops;
+ if (notify && cops->qlen_notify) {
++ /* Note that qlen_notify must be idempotent as it may get called
++ * multiple times.
++ */
+ cl = cops->find(sch, parentid);
+ cops->qlen_notify(sch, cl);
+ }
+--
+2.39.5
+
--- /dev/null
+From f224950f48ae2fa921f941b2c9ffc1b146057f77 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 07:13:46 +0200
+Subject: net: usb: lan78xx: fix WARN in __netif_napi_del_locked on disconnect
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+[ Upstream commit 6c7ffc9af7186ed79403a3ffee9a1e5199fc7450 ]
+
+Remove redundant netif_napi_del() call from disconnect path.
+
+A WARN may be triggered in __netif_napi_del_locked() during USB device
+disconnect:
+
+ WARNING: CPU: 0 PID: 11 at net/core/dev.c:7417 __netif_napi_del_locked+0x2b4/0x350
+
+This happens because netif_napi_del() is called in the disconnect path while
+NAPI is still enabled. However, it is not necessary to call netif_napi_del()
+explicitly, since unregister_netdev() will handle NAPI teardown automatically
+and safely. Removing the redundant call avoids triggering the warning.
+
+Full trace:
+ lan78xx 1-1:1.0 enu1: Failed to read register index 0x000000c4. ret = -ENODEV
+ lan78xx 1-1:1.0 enu1: Failed to set MAC down with error -ENODEV
+ lan78xx 1-1:1.0 enu1: Link is Down
+ lan78xx 1-1:1.0 enu1: Failed to read register index 0x00000120. ret = -ENODEV
+ ------------[ cut here ]------------
+ WARNING: CPU: 0 PID: 11 at net/core/dev.c:7417 __netif_napi_del_locked+0x2b4/0x350
+ Modules linked in: flexcan can_dev fuse
+ CPU: 0 UID: 0 PID: 11 Comm: kworker/0:1 Not tainted 6.16.0-rc2-00624-ge926949dab03 #9 PREEMPT
+ Hardware name: SKOV IMX8MP CPU revC - bd500 (DT)
+ Workqueue: usb_hub_wq hub_event
+ pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : __netif_napi_del_locked+0x2b4/0x350
+ lr : __netif_napi_del_locked+0x7c/0x350
+ sp : ffffffc085b673c0
+ x29: ffffffc085b673c0 x28: ffffff800b7f2000 x27: ffffff800b7f20d8
+ x26: ffffff80110bcf58 x25: ffffff80110bd978 x24: 1ffffff0022179eb
+ x23: ffffff80110bc000 x22: ffffff800b7f5000 x21: ffffff80110bc000
+ x20: ffffff80110bcf38 x19: ffffff80110bcf28 x18: dfffffc000000000
+ x17: ffffffc081578940 x16: ffffffc08284cee0 x15: 0000000000000028
+ x14: 0000000000000006 x13: 0000000000040000 x12: ffffffb0022179e8
+ x11: 1ffffff0022179e7 x10: ffffffb0022179e7 x9 : dfffffc000000000
+ x8 : 0000004ffdde8619 x7 : ffffff80110bcf3f x6 : 0000000000000001
+ x5 : ffffff80110bcf38 x4 : ffffff80110bcf38 x3 : 0000000000000000
+ x2 : 0000000000000000 x1 : 1ffffff0022179e7 x0 : 0000000000000000
+ Call trace:
+ __netif_napi_del_locked+0x2b4/0x350 (P)
+ lan78xx_disconnect+0xf4/0x360
+ usb_unbind_interface+0x158/0x718
+ device_remove+0x100/0x150
+ device_release_driver_internal+0x308/0x478
+ device_release_driver+0x1c/0x30
+ bus_remove_device+0x1a8/0x368
+ device_del+0x2e0/0x7b0
+ usb_disable_device+0x244/0x540
+ usb_disconnect+0x220/0x758
+ hub_event+0x105c/0x35e0
+ process_one_work+0x760/0x17b0
+ worker_thread+0x768/0xce8
+ kthread+0x3bc/0x690
+ ret_from_fork+0x10/0x20
+ irq event stamp: 211604
+ hardirqs last enabled at (211603): [<ffffffc0828cc9ec>] _raw_spin_unlock_irqrestore+0x84/0x98
+ hardirqs last disabled at (211604): [<ffffffc0828a9a84>] el1_dbg+0x24/0x80
+ softirqs last enabled at (211296): [<ffffffc080095f10>] handle_softirqs+0x820/0xbc8
+ softirqs last disabled at (210993): [<ffffffc080010288>] __do_softirq+0x18/0x20
+ ---[ end trace 0000000000000000 ]---
+ lan78xx 1-1:1.0 enu1: failed to kill vid 0081/0
+
+Fixes: ec4c7e12396b ("lan78xx: Introduce NAPI polling support")
+Suggested-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: https://patch.msgid.link/20250627051346.276029-1-o.rempel@pengutronix.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/lan78xx.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
+index e4f1663b62047..5f014b8626853 100644
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -4344,8 +4344,6 @@ static void lan78xx_disconnect(struct usb_interface *intf)
+ if (!dev)
+ return;
+
+- netif_napi_del(&dev->napi);
+-
+ udev = interface_to_usbdev(intf);
+ net = dev->net;
+
+--
+2.39.5
+
--- /dev/null
+From a4ed508c6a2a97ab6318eab7953d224a5929be22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 17:38:37 +0100
+Subject: netfs: Fix double put of request
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 9df7b5ebead649b00bf9a53a798e4bf83a1318fd ]
+
+If a netfs request finishes during the pause loop, it will have the ref
+that belongs to the IN_PROGRESS flag removed at that point - however, if it
+then goes to the final wait loop, that will *also* put the ref because it
+sees that the IN_PROGRESS flag is clear and incorrectly assumes that this
+happened when it called the collector.
+
+In fact, since IN_PROGRESS is clear, we shouldn't call the collector again
+since it's done all the cleanup, such as calling ->ki_complete().
+
+Fix this by making netfs_collect_in_app() just return, indicating that
+we're done if IN_PROGRESS is removed.
+
+Fixes: 2b1424cd131c ("netfs: Fix wait/wake to be consistent about the waitqueue used")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Link: https://lore.kernel.org/20250701163852.2171681-3-dhowells@redhat.com
+Tested-by: Steve French <sfrench@samba.org>
+Reviewed-by: Paulo Alcantara <pc@manguebit.org>
+cc: Steve French <sfrench@samba.org>
+cc: netfs@lists.linux.dev
+cc: linux-fsdevel@vger.kernel.org
+cc: linux-cifs@vger.kernel.org
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/netfs/misc.c | 9 +++++++--
+ include/trace/events/netfs.h | 1 +
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/fs/netfs/misc.c b/fs/netfs/misc.c
+index d8b1a279dbda9..8b1c11ef32aa5 100644
+--- a/fs/netfs/misc.c
++++ b/fs/netfs/misc.c
+@@ -383,6 +383,11 @@ static int netfs_collect_in_app(struct netfs_io_request *rreq,
+ {
+ bool need_collect = false, inactive = true, done = true;
+
++ if (!test_bit(NETFS_RREQ_IN_PROGRESS, &rreq->flags)) {
++ trace_netfs_rreq(rreq, netfs_rreq_trace_recollect);
++ return 1; /* Done */
++ }
++
+ for (int i = 0; i < NR_IO_STREAMS; i++) {
+ struct netfs_io_subrequest *subreq;
+ struct netfs_io_stream *stream = &rreq->io_streams[i];
+@@ -442,7 +447,7 @@ static ssize_t netfs_wait_for_in_progress(struct netfs_io_request *rreq,
+ case 1:
+ goto all_collected;
+ case 2:
+- if (!netfs_check_rreq_in_progress(rreq))
++ if (!test_bit(NETFS_RREQ_IN_PROGRESS, &rreq->flags))
+ break;
+ cond_resched();
+ continue;
+@@ -512,7 +517,7 @@ static void netfs_wait_for_pause(struct netfs_io_request *rreq,
+ case 1:
+ goto all_collected;
+ case 2:
+- if (!netfs_check_rreq_in_progress(rreq) ||
++ if (!test_bit(NETFS_RREQ_IN_PROGRESS, &rreq->flags) ||
+ !test_bit(NETFS_RREQ_PAUSE, &rreq->flags))
+ break;
+ cond_resched();
+diff --git a/include/trace/events/netfs.h b/include/trace/events/netfs.h
+index 4175eec40048a..ecc1b852661e3 100644
+--- a/include/trace/events/netfs.h
++++ b/include/trace/events/netfs.h
+@@ -56,6 +56,7 @@
+ EM(netfs_rreq_trace_dirty, "DIRTY ") \
+ EM(netfs_rreq_trace_done, "DONE ") \
+ EM(netfs_rreq_trace_free, "FREE ") \
++ EM(netfs_rreq_trace_recollect, "RECLLCT") \
+ EM(netfs_rreq_trace_redirty, "REDIRTY") \
+ EM(netfs_rreq_trace_resubmit, "RESUBMT") \
+ EM(netfs_rreq_trace_set_abandon, "S-ABNDN") \
+--
+2.39.5
+
--- /dev/null
+From d1f14be026b0f656f25aa96173bf700a952be41d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 17:38:36 +0100
+Subject: netfs: Fix hang due to missing case in final DIO read result
+ collection
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit da8cf4bd458722d090a788c6e581eeb72695c62f ]
+
+When doing a DIO read, if the subrequests we issue fail and cause the
+request PAUSE flag to be set to put a pause on subrequest generation, we
+may complete collection of the subrequests (possibly discarding them) prior
+to the ALL_QUEUED flags being set.
+
+In such a case, netfs_read_collection() doesn't see ALL_QUEUED being set
+after netfs_collect_read_results() returns and will just return to the app
+(the collector can be seen unpausing the generator in the trace log).
+
+The subrequest generator can then set ALL_QUEUED and the app thread reaches
+netfs_wait_for_request(). This causes netfs_collect_in_app() to be called
+to see if we're done yet, but there's missing case here.
+
+netfs_collect_in_app() will see that a thread is active and set inactive to
+false, but won't see any subrequests in the read stream, and so won't set
+need_collect to true. The function will then just return 0, indicating
+that the caller should just sleep until further activity (which won't be
+forthcoming) occurs.
+
+Fix this by making netfs_collect_in_app() check to see if an active thread
+is complete - i.e. that ALL_QUEUED is set and the subrequests list is empty
+- and to skip the sleep return path. The collector will then be called
+which will clear the request IN_PROGRESS flag, allowing the app to
+progress.
+
+Fixes: 2b1424cd131c ("netfs: Fix wait/wake to be consistent about the waitqueue used")
+Reported-by: Steve French <sfrench@samba.org>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Link: https://lore.kernel.org/20250701163852.2171681-2-dhowells@redhat.com
+Tested-by: Steve French <sfrench@samba.org>
+Reviewed-by: Paulo Alcantara <pc@manguebit.org>
+cc: linux-cifs@vger.kernel.org
+cc: netfs@lists.linux.dev
+cc: linux-fsdevel@vger.kernel.org
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/netfs/misc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/netfs/misc.c b/fs/netfs/misc.c
+index 43b67a28a8fa0..0a54b12034868 100644
+--- a/fs/netfs/misc.c
++++ b/fs/netfs/misc.c
+@@ -381,7 +381,7 @@ void netfs_wait_for_in_progress_stream(struct netfs_io_request *rreq,
+ static int netfs_collect_in_app(struct netfs_io_request *rreq,
+ bool (*collector)(struct netfs_io_request *rreq))
+ {
+- bool need_collect = false, inactive = true;
++ bool need_collect = false, inactive = true, done = true;
+
+ for (int i = 0; i < NR_IO_STREAMS; i++) {
+ struct netfs_io_subrequest *subreq;
+@@ -400,9 +400,11 @@ static int netfs_collect_in_app(struct netfs_io_request *rreq,
+ need_collect = true;
+ break;
+ }
++ if (subreq || !test_bit(NETFS_RREQ_ALL_QUEUED, &rreq->flags))
++ done = false;
+ }
+
+- if (!need_collect && !inactive)
++ if (!need_collect && !inactive && !done)
+ return 0; /* Sleep */
+
+ __set_current_state(TASK_RUNNING);
+--
+2.39.5
+
--- /dev/null
+From 93c34854601d7a7ada0c3993dd9c41783532b919 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 17:38:45 +0100
+Subject: netfs: Fix i_size updating
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 2e0658940d90a3dc130bb3b7f75bae9f4100e01f ]
+
+Fix the updating of i_size, particularly in regard to the completion of DIO
+writes and especially async DIO writes by using a lock.
+
+The bug is triggered occasionally by the generic/207 xfstest as it chucks a
+bunch of AIO DIO writes at the filesystem and then checks that fstat()
+returns a reasonable st_size as each completes.
+
+The problem is that netfs is trying to do "if new_size > inode->i_size,
+update inode->i_size" sort of thing but without a lock around it.
+
+This can be seen with cifs, but shouldn't be seen with kafs because kafs
+serialises modification ops on the client whereas cifs sends the requests
+to the server as they're generated and lets the server order them.
+
+Fixes: 153a9961b551 ("netfs: Implement unbuffered/DIO write support")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Link: https://lore.kernel.org/20250701163852.2171681-11-dhowells@redhat.com
+Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+cc: Steve French <sfrench@samba.org>
+cc: Paulo Alcantara <pc@manguebit.org>
+cc: linux-cifs@vger.kernel.org
+cc: netfs@lists.linux.dev
+cc: linux-fsdevel@vger.kernel.org
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/netfs/buffered_write.c | 2 ++
+ fs/netfs/direct_write.c | 8 ++++++--
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/fs/netfs/buffered_write.c b/fs/netfs/buffered_write.c
+index dbb544e183d13..9f22ff890a8cd 100644
+--- a/fs/netfs/buffered_write.c
++++ b/fs/netfs/buffered_write.c
+@@ -64,6 +64,7 @@ static void netfs_update_i_size(struct netfs_inode *ctx, struct inode *inode,
+ return;
+ }
+
++ spin_lock(&inode->i_lock);
+ i_size_write(inode, pos);
+ #if IS_ENABLED(CONFIG_FSCACHE)
+ fscache_update_cookie(ctx->cache, NULL, &pos);
+@@ -77,6 +78,7 @@ static void netfs_update_i_size(struct netfs_inode *ctx, struct inode *inode,
+ DIV_ROUND_UP(pos, SECTOR_SIZE),
+ inode->i_blocks + add);
+ }
++ spin_unlock(&inode->i_lock);
+ }
+
+ /**
+diff --git a/fs/netfs/direct_write.c b/fs/netfs/direct_write.c
+index fa9a5bf3c6d51..3efa5894b2c07 100644
+--- a/fs/netfs/direct_write.c
++++ b/fs/netfs/direct_write.c
+@@ -14,13 +14,17 @@ static void netfs_cleanup_dio_write(struct netfs_io_request *wreq)
+ struct inode *inode = wreq->inode;
+ unsigned long long end = wreq->start + wreq->transferred;
+
+- if (!wreq->error &&
+- i_size_read(inode) < end) {
++ if (wreq->error || end <= i_size_read(inode))
++ return;
++
++ spin_lock(&inode->i_lock);
++ if (end > i_size_read(inode)) {
+ if (wreq->netfs_ops->update_i_size)
+ wreq->netfs_ops->update_i_size(inode, end);
+ else
+ i_size_write(inode, end);
+ }
++ spin_unlock(&inode->i_lock);
+ }
+
+ /*
+--
+2.39.5
+
--- /dev/null
+From 0e7d1bed5de370dd8b9426c7097272d513d97c3b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 17:38:39 +0100
+Subject: netfs: Fix looping in wait functions
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 09623e3a14c1c5465124350cd227457c2b0fb017 ]
+
+netfs_wait_for_request() and netfs_wait_for_pause() can loop forever if
+netfs_collect_in_app() returns 2, indicating that it wants to repeat
+because the ALL_QUEUED flag isn't yet set and there are no subreqs left
+that haven't been collected.
+
+The problem is that, unless collection is offloaded (OFFLOAD_COLLECTION),
+we have to return to the application thread to continue and eventually set
+ALL_QUEUED after pausing to deal with a retry - but we never get there.
+
+Fix this by inserting checks for the IN_PROGRESS and PAUSE flags as
+appropriate before cycling round - and add cond_resched() for good measure.
+
+Fixes: 2b1424cd131c ("netfs: Fix wait/wake to be consistent about the waitqueue used")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Link: https://lore.kernel.org/20250701163852.2171681-5-dhowells@redhat.com
+Tested-by: Steve French <sfrench@samba.org>
+Reviewed-by: Paulo Alcantara <pc@manguebit.org>
+cc: netfs@lists.linux.dev
+cc: linux-fsdevel@vger.kernel.org
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/netfs/misc.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/fs/netfs/misc.c b/fs/netfs/misc.c
+index 0a54b12034868..d8b1a279dbda9 100644
+--- a/fs/netfs/misc.c
++++ b/fs/netfs/misc.c
+@@ -425,8 +425,8 @@ static int netfs_collect_in_app(struct netfs_io_request *rreq,
+ /*
+ * Wait for a request to complete, successfully or otherwise.
+ */
+-static ssize_t netfs_wait_for_request(struct netfs_io_request *rreq,
+- bool (*collector)(struct netfs_io_request *rreq))
++static ssize_t netfs_wait_for_in_progress(struct netfs_io_request *rreq,
++ bool (*collector)(struct netfs_io_request *rreq))
+ {
+ DEFINE_WAIT(myself);
+ ssize_t ret;
+@@ -442,6 +442,9 @@ static ssize_t netfs_wait_for_request(struct netfs_io_request *rreq,
+ case 1:
+ goto all_collected;
+ case 2:
++ if (!netfs_check_rreq_in_progress(rreq))
++ break;
++ cond_resched();
+ continue;
+ }
+ }
+@@ -480,12 +483,12 @@ static ssize_t netfs_wait_for_request(struct netfs_io_request *rreq,
+
+ ssize_t netfs_wait_for_read(struct netfs_io_request *rreq)
+ {
+- return netfs_wait_for_request(rreq, netfs_read_collection);
++ return netfs_wait_for_in_progress(rreq, netfs_read_collection);
+ }
+
+ ssize_t netfs_wait_for_write(struct netfs_io_request *rreq)
+ {
+- return netfs_wait_for_request(rreq, netfs_write_collection);
++ return netfs_wait_for_in_progress(rreq, netfs_write_collection);
+ }
+
+ /*
+@@ -509,6 +512,10 @@ static void netfs_wait_for_pause(struct netfs_io_request *rreq,
+ case 1:
+ goto all_collected;
+ case 2:
++ if (!netfs_check_rreq_in_progress(rreq) ||
++ !test_bit(NETFS_RREQ_PAUSE, &rreq->flags))
++ break;
++ cond_resched();
+ continue;
+ }
+ }
+--
+2.39.5
+
--- /dev/null
+From 485ff606f148b501dd8add82035d705fcfb85daf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 17:38:40 +0100
+Subject: netfs: Fix ref leak on inserted extra subreq in write retry
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 97d8e8e52cb8ab3d7675880a92626d9a4332f7a6 ]
+
+The write-retry algorithm will insert extra subrequests into the list if it
+can't get sufficient capacity to split the range that needs to be retried
+into the sequence of subrequests it currently has (for instance, if the
+cifs credit pool has fewer credits available than it did when the range was
+originally divided).
+
+However, the allocator furnishes each new subreq with 2 refs and then
+another is added for resubmission, causing one to be leaked.
+
+Fix this by replacing the ref-getting line with a neutral trace line.
+
+Fixes: 288ace2f57c9 ("netfs: New writeback implementation")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Link: https://lore.kernel.org/20250701163852.2171681-6-dhowells@redhat.com
+Tested-by: Steve French <sfrench@samba.org>
+Reviewed-by: Paulo Alcantara <pc@manguebit.org>
+cc: netfs@lists.linux.dev
+cc: linux-fsdevel@vger.kernel.org
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/netfs/write_retry.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/netfs/write_retry.c b/fs/netfs/write_retry.c
+index 9d1d8a8bab726..7158657061e98 100644
+--- a/fs/netfs/write_retry.c
++++ b/fs/netfs/write_retry.c
+@@ -153,7 +153,7 @@ static void netfs_retry_write_stream(struct netfs_io_request *wreq,
+ trace_netfs_sreq_ref(wreq->debug_id, subreq->debug_index,
+ refcount_read(&subreq->ref),
+ netfs_sreq_trace_new);
+- netfs_get_subrequest(subreq, netfs_sreq_trace_get_resubmit);
++ trace_netfs_sreq(subreq, netfs_sreq_trace_split);
+
+ list_add(&subreq->rreq_link, &to->rreq_link);
+ to = list_next_entry(to, rreq_link);
+--
+2.39.5
+
--- /dev/null
+From 1860fa5ac2f4ade0aa83177f0856f1b72aae4eef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jun 2025 14:52:50 -0700
+Subject: nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit e8d6f3ab59468e230f3253efe5cb63efa35289f7 ]
+
+syzbot reported a warning below [1] following a fault injection in
+nfs_fs_proc_net_init(). [0]
+
+When nfs_fs_proc_net_init() fails, /proc/net/rpc/nfs is not removed.
+
+Later, rpc_proc_exit() tries to remove /proc/net/rpc, and the warning
+is logged as the directory is not empty.
+
+Let's handle the error of nfs_fs_proc_net_init() properly.
+
+[0]:
+FAULT_INJECTION: forcing a failure.
+name failslab, interval 1, probability 0, space 0, times 0
+CPU: 1 UID: 0 PID: 6120 Comm: syz.2.27 Not tainted 6.16.0-rc1-syzkaller-00010-g2c4a1f3fe03e #0 PREEMPT(full)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
+Call Trace:
+ <TASK>
+ dump_stack_lvl (lib/dump_stack.c:123)
+ should_fail_ex (lib/fault-inject.c:73 lib/fault-inject.c:174)
+ should_failslab (mm/failslab.c:46)
+ kmem_cache_alloc_noprof (mm/slub.c:4178 mm/slub.c:4204)
+ __proc_create (fs/proc/generic.c:427)
+ proc_create_reg (fs/proc/generic.c:554)
+ proc_create_net_data (fs/proc/proc_net.c:120)
+ nfs_fs_proc_net_init (fs/nfs/client.c:1409)
+ nfs_net_init (fs/nfs/inode.c:2600)
+ ops_init (net/core/net_namespace.c:138)
+ setup_net (net/core/net_namespace.c:443)
+ copy_net_ns (net/core/net_namespace.c:576)
+ create_new_namespaces (kernel/nsproxy.c:110)
+ unshare_nsproxy_namespaces (kernel/nsproxy.c:218 (discriminator 4))
+ ksys_unshare (kernel/fork.c:3123)
+ __x64_sys_unshare (kernel/fork.c:3190)
+ do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
+ entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+ </TASK>
+
+[1]:
+remove_proc_entry: removing non-empty directory 'net/rpc', leaking at least 'nfs'
+ WARNING: CPU: 1 PID: 6120 at fs/proc/generic.c:727 remove_proc_entry+0x45e/0x530 fs/proc/generic.c:727
+Modules linked in:
+CPU: 1 UID: 0 PID: 6120 Comm: syz.2.27 Not tainted 6.16.0-rc1-syzkaller-00010-g2c4a1f3fe03e #0 PREEMPT(full)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
+ RIP: 0010:remove_proc_entry+0x45e/0x530 fs/proc/generic.c:727
+Code: 3c 02 00 0f 85 85 00 00 00 48 8b 93 d8 00 00 00 4d 89 f0 4c 89 e9 48 c7 c6 40 ba a2 8b 48 c7 c7 60 b9 a2 8b e8 33 81 1d ff 90 <0f> 0b 90 90 e9 5f fe ff ff e8 04 69 5e ff 90 48 b8 00 00 00 00 00
+RSP: 0018:ffffc90003637b08 EFLAGS: 00010282
+RAX: 0000000000000000 RBX: ffff88805f534140 RCX: ffffffff817a92c8
+RDX: ffff88807da99e00 RSI: ffffffff817a92d5 RDI: 0000000000000001
+RBP: ffff888033431ac0 R08: 0000000000000001 R09: 0000000000000000
+R10: 0000000000000001 R11: 0000000000000001 R12: ffff888033431a00
+R13: ffff888033431ae4 R14: ffff888033184724 R15: dffffc0000000000
+FS: 0000555580328500(0000) GS:ffff888124a62000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f71733743e0 CR3: 000000007f618000 CR4: 00000000003526f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ sunrpc_exit_net+0x46/0x90 net/sunrpc/sunrpc_syms.c:76
+ ops_exit_list net/core/net_namespace.c:200 [inline]
+ ops_undo_list+0x2eb/0xab0 net/core/net_namespace.c:253
+ setup_net+0x2e1/0x510 net/core/net_namespace.c:457
+ copy_net_ns+0x2a6/0x5f0 net/core/net_namespace.c:574
+ create_new_namespaces+0x3ea/0xa90 kernel/nsproxy.c:110
+ unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:218
+ ksys_unshare+0x45b/0xa40 kernel/fork.c:3121
+ __do_sys_unshare kernel/fork.c:3192 [inline]
+ __se_sys_unshare kernel/fork.c:3190 [inline]
+ __x64_sys_unshare+0x31/0x40 kernel/fork.c:3190
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xcd/0x490 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7fa1a6b8e929
+Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fff3a090368 EFLAGS: 00000246 ORIG_RAX: 0000000000000110
+RAX: ffffffffffffffda RBX: 00007fa1a6db5fa0 RCX: 00007fa1a6b8e929
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000040000080
+RBP: 00007fa1a6c10b39 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007fa1a6db5fa0 R14: 00007fa1a6db5fa0 R15: 0000000000000001
+ </TASK>
+
+Fixes: d47151b79e32 ("nfs: expose /proc/net/sunrpc/nfs in net namespaces")
+Reported-by: syzbot+a4cc4ac22daa4a71b87c@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=a4cc4ac22daa4a71b87c
+Tested-by: syzbot+a4cc4ac22daa4a71b87c@syzkaller.appspotmail.com
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/inode.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
+index 8ab7868807a7d..a2fa6bc4d74e3 100644
+--- a/fs/nfs/inode.c
++++ b/fs/nfs/inode.c
+@@ -2589,15 +2589,26 @@ EXPORT_SYMBOL_GPL(nfs_net_id);
+ static int nfs_net_init(struct net *net)
+ {
+ struct nfs_net *nn = net_generic(net, nfs_net_id);
++ int err;
+
+ nfs_clients_init(net);
+
+ if (!rpc_proc_register(net, &nn->rpcstats)) {
+- nfs_clients_exit(net);
+- return -ENOMEM;
++ err = -ENOMEM;
++ goto err_proc_rpc;
+ }
+
+- return nfs_fs_proc_net_init(net);
++ err = nfs_fs_proc_net_init(net);
++ if (err)
++ goto err_proc_nfs;
++
++ return 0;
++
++err_proc_nfs:
++ rpc_proc_unregister(net, "nfs");
++err_proc_rpc:
++ nfs_clients_exit(net);
++ return err;
+ }
+
+ static void nfs_net_exit(struct net *net)
+--
+2.39.5
+
--- /dev/null
+From cbd7be1d9ad1dcfe63eadb42e8f1238ed632128e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Jun 2025 15:16:11 -0400
+Subject: NFSv4/flexfiles: Fix handling of NFS level errors in I/O
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit 38074de35b015df5623f524d6f2b49a0cd395c40 ]
+
+Allow the flexfiles error handling to recognise NFS level errors (as
+opposed to RPC level errors) and handle them separately. The main
+motivator is the NFSERR_PERM errors that get returned if the NFS client
+connects to the data server through a port number that is lower than
+1024. In that case, the client should disconnect and retry a READ on a
+different data server, or it should retry a WRITE after reconnecting.
+
+Reviewed-by: Tigran Mkrtchyan <tigran.mkrtchyan@desy.de>
+Fixes: d67ae825a59d ("pnfs/flexfiles: Add the FlexFile Layout Driver")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/flexfilelayout/flexfilelayout.c | 118 ++++++++++++++++++-------
+ 1 file changed, 84 insertions(+), 34 deletions(-)
+
+diff --git a/fs/nfs/flexfilelayout/flexfilelayout.c b/fs/nfs/flexfilelayout/flexfilelayout.c
+index df48074605967..4bea008dbebd7 100644
+--- a/fs/nfs/flexfilelayout/flexfilelayout.c
++++ b/fs/nfs/flexfilelayout/flexfilelayout.c
+@@ -1105,6 +1105,7 @@ static void ff_layout_reset_read(struct nfs_pgio_header *hdr)
+ }
+
+ static int ff_layout_async_handle_error_v4(struct rpc_task *task,
++ u32 op_status,
+ struct nfs4_state *state,
+ struct nfs_client *clp,
+ struct pnfs_layout_segment *lseg,
+@@ -1115,34 +1116,42 @@ static int ff_layout_async_handle_error_v4(struct rpc_task *task,
+ struct nfs4_deviceid_node *devid = FF_LAYOUT_DEVID_NODE(lseg, idx);
+ struct nfs4_slot_table *tbl = &clp->cl_session->fc_slot_table;
+
+- switch (task->tk_status) {
+- case -NFS4ERR_BADSESSION:
+- case -NFS4ERR_BADSLOT:
+- case -NFS4ERR_BAD_HIGH_SLOT:
+- case -NFS4ERR_DEADSESSION:
+- case -NFS4ERR_CONN_NOT_BOUND_TO_SESSION:
+- case -NFS4ERR_SEQ_FALSE_RETRY:
+- case -NFS4ERR_SEQ_MISORDERED:
++ switch (op_status) {
++ case NFS4_OK:
++ case NFS4ERR_NXIO:
++ break;
++ case NFSERR_PERM:
++ if (!task->tk_xprt)
++ break;
++ xprt_force_disconnect(task->tk_xprt);
++ goto out_retry;
++ case NFS4ERR_BADSESSION:
++ case NFS4ERR_BADSLOT:
++ case NFS4ERR_BAD_HIGH_SLOT:
++ case NFS4ERR_DEADSESSION:
++ case NFS4ERR_CONN_NOT_BOUND_TO_SESSION:
++ case NFS4ERR_SEQ_FALSE_RETRY:
++ case NFS4ERR_SEQ_MISORDERED:
+ dprintk("%s ERROR %d, Reset session. Exchangeid "
+ "flags 0x%x\n", __func__, task->tk_status,
+ clp->cl_exchange_flags);
+ nfs4_schedule_session_recovery(clp->cl_session, task->tk_status);
+- break;
+- case -NFS4ERR_DELAY:
++ goto out_retry;
++ case NFS4ERR_DELAY:
+ nfs_inc_stats(lseg->pls_layout->plh_inode, NFSIOS_DELAY);
+ fallthrough;
+- case -NFS4ERR_GRACE:
++ case NFS4ERR_GRACE:
+ rpc_delay(task, FF_LAYOUT_POLL_RETRY_MAX);
+- break;
+- case -NFS4ERR_RETRY_UNCACHED_REP:
+- break;
++ goto out_retry;
++ case NFS4ERR_RETRY_UNCACHED_REP:
++ goto out_retry;
+ /* Invalidate Layout errors */
+- case -NFS4ERR_PNFS_NO_LAYOUT:
+- case -ESTALE: /* mapped NFS4ERR_STALE */
+- case -EBADHANDLE: /* mapped NFS4ERR_BADHANDLE */
+- case -EISDIR: /* mapped NFS4ERR_ISDIR */
+- case -NFS4ERR_FHEXPIRED:
+- case -NFS4ERR_WRONG_TYPE:
++ case NFS4ERR_PNFS_NO_LAYOUT:
++ case NFS4ERR_STALE:
++ case NFS4ERR_BADHANDLE:
++ case NFS4ERR_ISDIR:
++ case NFS4ERR_FHEXPIRED:
++ case NFS4ERR_WRONG_TYPE:
+ dprintk("%s Invalid layout error %d\n", __func__,
+ task->tk_status);
+ /*
+@@ -1155,6 +1164,11 @@ static int ff_layout_async_handle_error_v4(struct rpc_task *task,
+ pnfs_destroy_layout(NFS_I(inode));
+ rpc_wake_up(&tbl->slot_tbl_waitq);
+ goto reset;
++ default:
++ break;
++ }
++
++ switch (task->tk_status) {
+ /* RPC connection errors */
+ case -ENETDOWN:
+ case -ENETUNREACH:
+@@ -1174,27 +1188,56 @@ static int ff_layout_async_handle_error_v4(struct rpc_task *task,
+ nfs4_delete_deviceid(devid->ld, devid->nfs_client,
+ &devid->deviceid);
+ rpc_wake_up(&tbl->slot_tbl_waitq);
+- fallthrough;
++ break;
+ default:
+- if (ff_layout_avoid_mds_available_ds(lseg))
+- return -NFS4ERR_RESET_TO_PNFS;
+-reset:
+- dprintk("%s Retry through MDS. Error %d\n", __func__,
+- task->tk_status);
+- return -NFS4ERR_RESET_TO_MDS;
++ break;
+ }
++
++ if (ff_layout_avoid_mds_available_ds(lseg))
++ return -NFS4ERR_RESET_TO_PNFS;
++reset:
++ dprintk("%s Retry through MDS. Error %d\n", __func__,
++ task->tk_status);
++ return -NFS4ERR_RESET_TO_MDS;
++
++out_retry:
+ task->tk_status = 0;
+ return -EAGAIN;
+ }
+
+ /* Retry all errors through either pNFS or MDS except for -EJUKEBOX */
+ static int ff_layout_async_handle_error_v3(struct rpc_task *task,
++ u32 op_status,
+ struct nfs_client *clp,
+ struct pnfs_layout_segment *lseg,
+ u32 idx)
+ {
+ struct nfs4_deviceid_node *devid = FF_LAYOUT_DEVID_NODE(lseg, idx);
+
++ switch (op_status) {
++ case NFS_OK:
++ case NFSERR_NXIO:
++ break;
++ case NFSERR_PERM:
++ if (!task->tk_xprt)
++ break;
++ xprt_force_disconnect(task->tk_xprt);
++ goto out_retry;
++ case NFSERR_ACCES:
++ case NFSERR_BADHANDLE:
++ case NFSERR_FBIG:
++ case NFSERR_IO:
++ case NFSERR_NOSPC:
++ case NFSERR_ROFS:
++ case NFSERR_STALE:
++ goto out_reset_to_pnfs;
++ case NFSERR_JUKEBOX:
++ nfs_inc_stats(lseg->pls_layout->plh_inode, NFSIOS_DELAY);
++ goto out_retry;
++ default:
++ break;
++ }
++
+ switch (task->tk_status) {
+ /* File access problems. Don't mark the device as unavailable */
+ case -EACCES:
+@@ -1218,6 +1261,7 @@ static int ff_layout_async_handle_error_v3(struct rpc_task *task,
+ nfs4_delete_deviceid(devid->ld, devid->nfs_client,
+ &devid->deviceid);
+ }
++out_reset_to_pnfs:
+ /* FIXME: Need to prevent infinite looping here. */
+ return -NFS4ERR_RESET_TO_PNFS;
+ out_retry:
+@@ -1228,6 +1272,7 @@ static int ff_layout_async_handle_error_v3(struct rpc_task *task,
+ }
+
+ static int ff_layout_async_handle_error(struct rpc_task *task,
++ u32 op_status,
+ struct nfs4_state *state,
+ struct nfs_client *clp,
+ struct pnfs_layout_segment *lseg,
+@@ -1246,10 +1291,11 @@ static int ff_layout_async_handle_error(struct rpc_task *task,
+
+ switch (vers) {
+ case 3:
+- return ff_layout_async_handle_error_v3(task, clp, lseg, idx);
+- case 4:
+- return ff_layout_async_handle_error_v4(task, state, clp,
++ return ff_layout_async_handle_error_v3(task, op_status, clp,
+ lseg, idx);
++ case 4:
++ return ff_layout_async_handle_error_v4(task, op_status, state,
++ clp, lseg, idx);
+ default:
+ /* should never happen */
+ WARN_ON_ONCE(1);
+@@ -1302,6 +1348,7 @@ static void ff_layout_io_track_ds_error(struct pnfs_layout_segment *lseg,
+ switch (status) {
+ case NFS4ERR_DELAY:
+ case NFS4ERR_GRACE:
++ case NFS4ERR_PERM:
+ break;
+ case NFS4ERR_NXIO:
+ ff_layout_mark_ds_unreachable(lseg, idx);
+@@ -1334,7 +1381,8 @@ static int ff_layout_read_done_cb(struct rpc_task *task,
+ trace_ff_layout_read_error(hdr, task->tk_status);
+ }
+
+- err = ff_layout_async_handle_error(task, hdr->args.context->state,
++ err = ff_layout_async_handle_error(task, hdr->res.op_status,
++ hdr->args.context->state,
+ hdr->ds_clp, hdr->lseg,
+ hdr->pgio_mirror_idx);
+
+@@ -1507,7 +1555,8 @@ static int ff_layout_write_done_cb(struct rpc_task *task,
+ trace_ff_layout_write_error(hdr, task->tk_status);
+ }
+
+- err = ff_layout_async_handle_error(task, hdr->args.context->state,
++ err = ff_layout_async_handle_error(task, hdr->res.op_status,
++ hdr->args.context->state,
+ hdr->ds_clp, hdr->lseg,
+ hdr->pgio_mirror_idx);
+
+@@ -1556,8 +1605,9 @@ static int ff_layout_commit_done_cb(struct rpc_task *task,
+ trace_ff_layout_commit_error(data, task->tk_status);
+ }
+
+- err = ff_layout_async_handle_error(task, NULL, data->ds_clp,
+- data->lseg, data->ds_commit_index);
++ err = ff_layout_async_handle_error(task, data->res.op_status,
++ NULL, data->ds_clp, data->lseg,
++ data->ds_commit_index);
+
+ trace_nfs4_pnfs_commit_ds(data, err);
+ switch (err) {
+--
+2.39.5
+
--- /dev/null
+From 7d3d134b1af4a1c5d01d665711c06136741a0570 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Jun 2025 11:02:21 -0400
+Subject: NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN
+
+From: Benjamin Coddington <bcodding@redhat.com>
+
+[ Upstream commit c01776287414ca43412d1319d2877cbad65444ac ]
+
+We found a few different systems hung up in writeback waiting on the same
+page lock, and one task waiting on the NFS_LAYOUT_DRAIN bit in
+pnfs_update_layout(), however the pnfs_layout_hdr's plh_outstanding count
+was zero.
+
+It seems most likely that this is another race between the waiter and waker
+similar to commit ed0172af5d6f ("SUNRPC: Fix a race to wake a sync task").
+Fix it up by applying the advised barrier.
+
+Fixes: 880265c77ac4 ("pNFS: Avoid a live lock condition in pnfs_update_layout()")
+Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/pnfs.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
+index 3adb7d0dbec7a..1a7ec68bde153 100644
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -2059,8 +2059,10 @@ static void nfs_layoutget_begin(struct pnfs_layout_hdr *lo)
+ static void nfs_layoutget_end(struct pnfs_layout_hdr *lo)
+ {
+ if (atomic_dec_and_test(&lo->plh_outstanding) &&
+- test_and_clear_bit(NFS_LAYOUT_DRAIN, &lo->plh_flags))
++ test_and_clear_bit(NFS_LAYOUT_DRAIN, &lo->plh_flags)) {
++ smp_mb__after_atomic();
+ wake_up_bit(&lo->plh_flags, NFS_LAYOUT_DRAIN);
++ }
+ }
+
+ static bool pnfs_is_first_layoutget(struct pnfs_layout_hdr *lo)
+--
+2.39.5
+
--- /dev/null
+From 322413ff55c4124453a3601e1b51d38086c539bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 10:36:43 +0200
+Subject: nui: Fix dma_mapping_error() check
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 561aa0e22b70a5e7246b73d62a824b3aef3fc375 ]
+
+dma_map_XXX() functions return values DMA_MAPPING_ERROR as error values
+which is often ~0. The error value should be tested with
+dma_mapping_error().
+
+This patch creates a new function in niu_ops to test if the mapping
+failed. The test is fixed in niu_rbr_add_page(), added in
+niu_start_xmit() and the successfully mapped pages are unmaped upon error.
+
+Fixes: ec2deec1f352 ("niu: Fix to check for dma mapping errors.")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sun/niu.c | 31 ++++++++++++++++++++++++++++++-
+ drivers/net/ethernet/sun/niu.h | 4 ++++
+ 2 files changed, 34 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/sun/niu.c b/drivers/net/ethernet/sun/niu.c
+index 379b6e90121d9..02b8a9e5c9a90 100644
+--- a/drivers/net/ethernet/sun/niu.c
++++ b/drivers/net/ethernet/sun/niu.c
+@@ -3336,7 +3336,7 @@ static int niu_rbr_add_page(struct niu *np, struct rx_ring_info *rp,
+
+ addr = np->ops->map_page(np->device, page, 0,
+ PAGE_SIZE, DMA_FROM_DEVICE);
+- if (!addr) {
++ if (np->ops->mapping_error(np->device, addr)) {
+ __free_page(page);
+ return -ENOMEM;
+ }
+@@ -6676,6 +6676,8 @@ static netdev_tx_t niu_start_xmit(struct sk_buff *skb,
+ len = skb_headlen(skb);
+ mapping = np->ops->map_single(np->device, skb->data,
+ len, DMA_TO_DEVICE);
++ if (np->ops->mapping_error(np->device, mapping))
++ goto out_drop;
+
+ prod = rp->prod;
+
+@@ -6717,6 +6719,8 @@ static netdev_tx_t niu_start_xmit(struct sk_buff *skb,
+ mapping = np->ops->map_page(np->device, skb_frag_page(frag),
+ skb_frag_off(frag), len,
+ DMA_TO_DEVICE);
++ if (np->ops->mapping_error(np->device, mapping))
++ goto out_unmap;
+
+ rp->tx_buffs[prod].skb = NULL;
+ rp->tx_buffs[prod].mapping = mapping;
+@@ -6741,6 +6745,19 @@ static netdev_tx_t niu_start_xmit(struct sk_buff *skb,
+ out:
+ return NETDEV_TX_OK;
+
++out_unmap:
++ while (i--) {
++ const skb_frag_t *frag;
++
++ prod = PREVIOUS_TX(rp, prod);
++ frag = &skb_shinfo(skb)->frags[i];
++ np->ops->unmap_page(np->device, rp->tx_buffs[prod].mapping,
++ skb_frag_size(frag), DMA_TO_DEVICE);
++ }
++
++ np->ops->unmap_single(np->device, rp->tx_buffs[rp->prod].mapping,
++ skb_headlen(skb), DMA_TO_DEVICE);
++
+ out_drop:
+ rp->tx_errors++;
+ kfree_skb(skb);
+@@ -9644,6 +9661,11 @@ static void niu_pci_unmap_single(struct device *dev, u64 dma_address,
+ dma_unmap_single(dev, dma_address, size, direction);
+ }
+
++static int niu_pci_mapping_error(struct device *dev, u64 addr)
++{
++ return dma_mapping_error(dev, addr);
++}
++
+ static const struct niu_ops niu_pci_ops = {
+ .alloc_coherent = niu_pci_alloc_coherent,
+ .free_coherent = niu_pci_free_coherent,
+@@ -9651,6 +9673,7 @@ static const struct niu_ops niu_pci_ops = {
+ .unmap_page = niu_pci_unmap_page,
+ .map_single = niu_pci_map_single,
+ .unmap_single = niu_pci_unmap_single,
++ .mapping_error = niu_pci_mapping_error,
+ };
+
+ static void niu_driver_version(void)
+@@ -10019,6 +10042,11 @@ static void niu_phys_unmap_single(struct device *dev, u64 dma_address,
+ /* Nothing to do. */
+ }
+
++static int niu_phys_mapping_error(struct device *dev, u64 dma_address)
++{
++ return false;
++}
++
+ static const struct niu_ops niu_phys_ops = {
+ .alloc_coherent = niu_phys_alloc_coherent,
+ .free_coherent = niu_phys_free_coherent,
+@@ -10026,6 +10054,7 @@ static const struct niu_ops niu_phys_ops = {
+ .unmap_page = niu_phys_unmap_page,
+ .map_single = niu_phys_map_single,
+ .unmap_single = niu_phys_unmap_single,
++ .mapping_error = niu_phys_mapping_error,
+ };
+
+ static int niu_of_probe(struct platform_device *op)
+diff --git a/drivers/net/ethernet/sun/niu.h b/drivers/net/ethernet/sun/niu.h
+index 04c215f91fc08..0b169c08b0f2d 100644
+--- a/drivers/net/ethernet/sun/niu.h
++++ b/drivers/net/ethernet/sun/niu.h
+@@ -2879,6 +2879,9 @@ struct tx_ring_info {
+ #define NEXT_TX(tp, index) \
+ (((index) + 1) < (tp)->pending ? ((index) + 1) : 0)
+
++#define PREVIOUS_TX(tp, index) \
++ (((index) - 1) >= 0 ? ((index) - 1) : (((tp)->pending) - 1))
++
+ static inline u32 niu_tx_avail(struct tx_ring_info *tp)
+ {
+ return (tp->pending -
+@@ -3140,6 +3143,7 @@ struct niu_ops {
+ enum dma_data_direction direction);
+ void (*unmap_single)(struct device *dev, u64 dma_address,
+ size_t size, enum dma_data_direction direction);
++ int (*mapping_error)(struct device *dev, u64 dma_address);
+ };
+
+ struct niu_link_config {
+--
+2.39.5
+
--- /dev/null
+From ad2e4996940bdd503e233adcabf0f8f57f5b371b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 28 Jun 2025 11:12:32 -0700
+Subject: nvme: Fix incorrect cdw15 value in passthru error logging
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit 2e96d2d8c2a7a6c2cef45593c028d9c5ef180316 ]
+
+Fix an error in nvme_log_err_passthru() where cdw14 was incorrectly
+printed twice instead of cdw15. This fix ensures accurate logging of
+the full passthrough command payload.
+
+Fixes: 9f079dda1433 ("nvme: allow passthru cmd error logging")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index d253b82901110..ae584c97f5284 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -382,7 +382,7 @@ static void nvme_log_err_passthru(struct request *req)
+ nr->cmd->common.cdw12,
+ nr->cmd->common.cdw13,
+ nr->cmd->common.cdw14,
+- nr->cmd->common.cdw14);
++ nr->cmd->common.cdw15);
+ }
+
+ enum nvme_disposition {
+--
+2.39.5
+
--- /dev/null
+From 5438b5c5debd3b4c397764fab07200673913172a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 15:48:32 +0800
+Subject: nvme-multipath: fix suspicious RCU usage warning
+
+From: Geliang Tang <tanggeliang@kylinos.cn>
+
+[ Upstream commit d6811074203b13f715ce2480ac64c5b1c773f2a5 ]
+
+When I run the NVME over TCP test in virtme-ng, I get the following
+"suspicious RCU usage" warning in nvme_mpath_add_sysfs_link():
+
+'''
+[ 5.024557][ T44] nvmet: Created nvm controller 1 for subsystem nqn.2025-06.org.nvmexpress.mptcp for NQN nqn.2014-08.org.nvmexpress:uuid:f7f6b5e0-ff97-4894-98ac-c85309e0bc77.
+[ 5.027401][ T183] nvme nvme0: creating 2 I/O queues.
+[ 5.029017][ T183] nvme nvme0: mapped 2/0/0 default/read/poll queues.
+[ 5.032587][ T183] nvme nvme0: new ctrl: NQN "nqn.2025-06.org.nvmexpress.mptcp", addr 127.0.0.1:4420, hostnqn: nqn.2014-08.org.nvmexpress:uuid:f7f6b5e0-ff97-4894-98ac-c85309e0bc77
+[ 5.042214][ T25]
+[ 5.042440][ T25] =============================
+[ 5.042579][ T25] WARNING: suspicious RCU usage
+[ 5.042705][ T25] 6.16.0-rc3+ #23 Not tainted
+[ 5.042812][ T25] -----------------------------
+[ 5.042934][ T25] drivers/nvme/host/multipath.c:1203 RCU-list traversed in non-reader section!!
+[ 5.043111][ T25]
+[ 5.043111][ T25] other info that might help us debug this:
+[ 5.043111][ T25]
+[ 5.043341][ T25]
+[ 5.043341][ T25] rcu_scheduler_active = 2, debug_locks = 1
+[ 5.043502][ T25] 3 locks held by kworker/u9:0/25:
+[ 5.043615][ T25] #0: ffff888008730948 ((wq_completion)async){+.+.}-{0:0}, at: process_one_work+0x7ed/0x1350
+[ 5.043830][ T25] #1: ffffc900001afd40 ((work_completion)(&entry->work)){+.+.}-{0:0}, at: process_one_work+0xcf3/0x1350
+[ 5.044084][ T25] #2: ffff888013ee0020 (&head->srcu){.+.+}-{0:0}, at: nvme_mpath_add_sysfs_link.part.0+0xb4/0x3a0
+[ 5.044300][ T25]
+[ 5.044300][ T25] stack backtrace:
+[ 5.044439][ T25] CPU: 0 UID: 0 PID: 25 Comm: kworker/u9:0 Not tainted 6.16.0-rc3+ #23 PREEMPT(full)
+[ 5.044441][ T25] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
+[ 5.044442][ T25] Workqueue: async async_run_entry_fn
+[ 5.044445][ T25] Call Trace:
+[ 5.044446][ T25] <TASK>
+[ 5.044449][ T25] dump_stack_lvl+0x6f/0xb0
+[ 5.044453][ T25] lockdep_rcu_suspicious.cold+0x4f/0xb1
+[ 5.044457][ T25] nvme_mpath_add_sysfs_link.part.0+0x2fb/0x3a0
+[ 5.044459][ T25] ? queue_work_on+0x90/0xf0
+[ 5.044461][ T25] ? lockdep_hardirqs_on+0x78/0x110
+[ 5.044466][ T25] nvme_mpath_set_live+0x1e9/0x4f0
+[ 5.044470][ T25] nvme_mpath_add_disk+0x240/0x2f0
+[ 5.044472][ T25] ? __pfx_nvme_mpath_add_disk+0x10/0x10
+[ 5.044475][ T25] ? add_disk_fwnode+0x361/0x580
+[ 5.044480][ T25] nvme_alloc_ns+0x81c/0x17c0
+[ 5.044483][ T25] ? kasan_quarantine_put+0x104/0x240
+[ 5.044487][ T25] ? __pfx_nvme_alloc_ns+0x10/0x10
+[ 5.044495][ T25] ? __pfx_nvme_find_get_ns+0x10/0x10
+[ 5.044496][ T25] ? rcu_read_lock_any_held+0x45/0xa0
+[ 5.044498][ T25] ? validate_chain+0x232/0x4f0
+[ 5.044503][ T25] nvme_scan_ns+0x4c8/0x810
+[ 5.044506][ T25] ? __pfx_nvme_scan_ns+0x10/0x10
+[ 5.044508][ T25] ? find_held_lock+0x2b/0x80
+[ 5.044512][ T25] ? ktime_get+0x16d/0x220
+[ 5.044517][ T25] ? kvm_clock_get_cycles+0x18/0x30
+[ 5.044520][ T25] ? __pfx_nvme_scan_ns_async+0x10/0x10
+[ 5.044522][ T25] async_run_entry_fn+0x97/0x560
+[ 5.044523][ T25] ? rcu_is_watching+0x12/0xc0
+[ 5.044526][ T25] process_one_work+0xd3c/0x1350
+[ 5.044532][ T25] ? __pfx_process_one_work+0x10/0x10
+[ 5.044536][ T25] ? assign_work+0x16c/0x240
+[ 5.044539][ T25] worker_thread+0x4da/0xd50
+[ 5.044545][ T25] ? __pfx_worker_thread+0x10/0x10
+[ 5.044546][ T25] kthread+0x356/0x5c0
+[ 5.044548][ T25] ? __pfx_kthread+0x10/0x10
+[ 5.044549][ T25] ? ret_from_fork+0x1b/0x2e0
+[ 5.044552][ T25] ? __lock_release.isra.0+0x5d/0x180
+[ 5.044553][ T25] ? ret_from_fork+0x1b/0x2e0
+[ 5.044555][ T25] ? rcu_is_watching+0x12/0xc0
+[ 5.044557][ T25] ? __pfx_kthread+0x10/0x10
+[ 5.044559][ T25] ret_from_fork+0x218/0x2e0
+[ 5.044561][ T25] ? __pfx_kthread+0x10/0x10
+[ 5.044562][ T25] ret_from_fork_asm+0x1a/0x30
+[ 5.044570][ T25] </TASK>
+'''
+
+This patch uses sleepable RCU version of helper list_for_each_entry_srcu()
+instead of list_for_each_entry_rcu() to fix it.
+
+Fixes: 4dbd2b2ebe4c ("nvme-multipath: Add visibility for round-robin io-policy")
+Signed-off-by: Geliang Tang <tanggeliang@kylinos.cn>
+Reviewed-by: Keith Busch <kbusch@kernel.org>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Reviewed-by: Nilay Shroff <nilay@linux.ibm.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/multipath.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c
+index cf0ef4745564c..700dfbd5a4512 100644
+--- a/drivers/nvme/host/multipath.c
++++ b/drivers/nvme/host/multipath.c
+@@ -1050,7 +1050,8 @@ void nvme_mpath_add_sysfs_link(struct nvme_ns_head *head)
+ */
+ srcu_idx = srcu_read_lock(&head->srcu);
+
+- list_for_each_entry_rcu(ns, &head->list, siblings) {
++ list_for_each_entry_srcu(ns, &head->list, siblings,
++ srcu_read_lock_held(&head->srcu)) {
+ /*
+ * Ensure that ns path disk node is already added otherwise we
+ * may get invalid kobj name for target
+--
+2.39.5
+
--- /dev/null
+From 8172ae10af7361c206618b76b10d7351fa50305e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Jun 2025 16:21:01 -0300
+Subject: nvme-pci: refresh visible attrs after being checked
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Eugen Hristev <eugen.hristev@collabora.com>
+
+[ Upstream commit 14005c96d6649b27fa52d0cd0f492eb3b5586c07 ]
+
+The sysfs attributes are registered early, but the driver does not know
+whether they are needed or not at that moment.
+
+For the CMB attributes, commit e917a849c3fc ("nvme-pci: refresh visible
+attrs for cmb attributes") solved this problem by
+calling nvme_update_attrs after mapping the CMB. However the issue
+persists for the HMB attributes. To solve the problem, moved the call to
+nvme_update_attrs after nvme_setup_host_mem, which sets up the HMB.
+
+Fixes: e917a849c3fc ("nvme-pci: refresh visible attrs for cmb attributes")
+Fixes: 86adbf0cdb9e ("nvme: simplify transport specific device attribute handling")
+Signed-off-by: Eugen Hristev <eugen.hristev@collabora.com>
+Signed-off-by: André Almeida <andrealmeid@igalia.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index f1dd804151b1c..776c867fb64d5 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -2031,8 +2031,6 @@ static void nvme_map_cmb(struct nvme_dev *dev)
+ if ((dev->cmbsz & (NVME_CMBSZ_WDS | NVME_CMBSZ_RDS)) ==
+ (NVME_CMBSZ_WDS | NVME_CMBSZ_RDS))
+ pci_p2pmem_publish(pdev, true);
+-
+- nvme_update_attrs(dev);
+ }
+
+ static int nvme_set_host_mem(struct nvme_dev *dev, u32 bits)
+@@ -2969,6 +2967,8 @@ static void nvme_reset_work(struct work_struct *work)
+ if (result < 0)
+ goto out;
+
++ nvme_update_attrs(dev);
++
+ result = nvme_setup_io_queues(dev);
+ if (result)
+ goto out;
+@@ -3305,6 +3305,8 @@ static int nvme_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ if (result < 0)
+ goto out_disable;
+
++ nvme_update_attrs(dev);
++
+ result = nvme_setup_io_queues(dev);
+ if (result)
+ goto out_disable;
+--
+2.39.5
+
--- /dev/null
+From 925c37a3e368152b4701889f1807d7eff2d40005 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jun 2025 14:45:33 +0300
+Subject: nvmet: fix memory leak of bio integrity
+
+From: Dmitry Bogdanov <d.bogdanov@yadro.com>
+
+[ Upstream commit 190f4c2c863af7cc5bb354b70e0805f06419c038 ]
+
+If nvmet receives commands with metadata there is a continuous memory
+leak of kmalloc-128 slab or more precisely bio->bi_integrity.
+
+Since commit bf4c89fc8797 ("block: don't call bio_uninit from bio_endio")
+each user of bio_init has to use bio_uninit as well. Otherwise the bio
+integrity is not getting free. Nvmet uses bio_init for inline bios.
+
+Uninit the inline bio to complete deallocation of integrity in bio.
+
+Fixes: bf4c89fc8797 ("block: don't call bio_uninit from bio_endio")
+Signed-off-by: Dmitry Bogdanov <d.bogdanov@yadro.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/nvmet.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/nvme/target/nvmet.h b/drivers/nvme/target/nvmet.h
+index b6db8b74dc4ad..85e50e2981742 100644
+--- a/drivers/nvme/target/nvmet.h
++++ b/drivers/nvme/target/nvmet.h
+@@ -857,6 +857,8 @@ static inline void nvmet_req_bio_put(struct nvmet_req *req, struct bio *bio)
+ {
+ if (bio != &req->b.inline_bio)
+ bio_put(bio);
++ else
++ bio_uninit(bio);
+ }
+
+ #ifdef CONFIG_NVME_TARGET_TCP_TLS
+--
+2.39.5
+
--- /dev/null
+From 37fc0030d5a39b9ed799611f90ed178c1415673e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 23:05:00 -0700
+Subject: platform/mellanox: mlxbf-pmc: Fix duplicate event ID for CACHE_DATA1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit 173bbec6693f3f3f00dac144f3aa0cd62fb60d33 ]
+
+same ID (103) was assigned to both GDC_BANK0_G_RSE_PIPE_CACHE_DATA0
+and GDC_BANK0_G_RSE_PIPE_CACHE_DATA1. This could lead to incorrect
+event mapping.
+Updated the ID to 104 to ensure uniqueness.
+
+Fixes: 423c3361855c ("platform/mellanox: mlxbf-pmc: Add support for BlueField-3")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Reviewed-by: David Thompson <davthompson@nvidia.com>
+Link: https://lore.kernel.org/r/20250619060502.3594350-1-alok.a.tiwari@oracle.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/mellanox/mlxbf-pmc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/platform/mellanox/mlxbf-pmc.c b/drivers/platform/mellanox/mlxbf-pmc.c
+index 36a00692347dc..771a24c397c12 100644
+--- a/drivers/platform/mellanox/mlxbf-pmc.c
++++ b/drivers/platform/mellanox/mlxbf-pmc.c
+@@ -713,7 +713,7 @@ static const struct mlxbf_pmc_events mlxbf_pmc_llt_events[] = {
+ {101, "GDC_BANK0_HIT_DCL_PARTIAL"},
+ {102, "GDC_BANK0_EVICT_DCL"},
+ {103, "GDC_BANK0_G_RSE_PIPE_CACHE_DATA0"},
+- {103, "GDC_BANK0_G_RSE_PIPE_CACHE_DATA1"},
++ {104, "GDC_BANK0_G_RSE_PIPE_CACHE_DATA1"},
+ {105, "GDC_BANK0_ARB_STRB"},
+ {106, "GDC_BANK0_ARB_WAIT"},
+ {107, "GDC_BANK0_GGA_STRB"},
+--
+2.39.5
+
--- /dev/null
+From b631089272c9d8693882a659ccb0edcb6aad0430 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Jun 2025 21:46:08 +0000
+Subject: platform/mellanox: mlxbf-tmfifo: fix vring_desc.len assignment
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: David Thompson <davthompson@nvidia.com>
+
+[ Upstream commit 109f4d29dade8ae5b4ac6325af9d1bc24b4230f8 ]
+
+Fix warnings reported by sparse, related to incorrect type:
+drivers/platform/mellanox/mlxbf-tmfifo.c:284:38: warning: incorrect type in assignment (different base types)
+drivers/platform/mellanox/mlxbf-tmfifo.c:284:38: expected restricted __virtio32 [usertype] len
+drivers/platform/mellanox/mlxbf-tmfifo.c:284:38: got unsigned long
+
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202404040339.S7CUIgf3-lkp@intel.com/
+Fixes: 78034cbece79 ("platform/mellanox: mlxbf-tmfifo: Drop the Rx packet if no more descriptors")
+Signed-off-by: David Thompson <davthompson@nvidia.com>
+Link: https://lore.kernel.org/r/20250613214608.2250130-1-davthompson@nvidia.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/mellanox/mlxbf-tmfifo.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/platform/mellanox/mlxbf-tmfifo.c b/drivers/platform/mellanox/mlxbf-tmfifo.c
+index aae99adb29eb0..70c58c4c6c842 100644
+--- a/drivers/platform/mellanox/mlxbf-tmfifo.c
++++ b/drivers/platform/mellanox/mlxbf-tmfifo.c
+@@ -281,7 +281,8 @@ static int mlxbf_tmfifo_alloc_vrings(struct mlxbf_tmfifo *fifo,
+ vring->align = SMP_CACHE_BYTES;
+ vring->index = i;
+ vring->vdev_id = tm_vdev->vdev.id.device;
+- vring->drop_desc.len = VRING_DROP_DESC_MAX_LEN;
++ vring->drop_desc.len = cpu_to_virtio32(&tm_vdev->vdev,
++ VRING_DROP_DESC_MAX_LEN);
+ dev = &tm_vdev->vdev.dev;
+
+ size = vring_size(vring->num, vring->align);
+--
+2.39.5
+
--- /dev/null
+From 703396c839f371492982f6721d711d38ea37bd8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 03:58:08 -0700
+Subject: platform/mellanox: mlxreg-lc: Fix logic error in power state check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit 644bec18e705ca41d444053407419a21832fcb2f ]
+
+Fixes a logic issue in mlxreg_lc_completion_notify() where the
+intention was to check if MLXREG_LC_POWERED flag is not set before
+powering on the device.
+
+The original code used "state & ~MLXREG_LC_POWERED" to check for the
+absence of the POWERED bit. However this condition evaluates to true
+even when other bits are set, leading to potentially incorrect
+behavior.
+
+Corrected the logic to explicitly check for the absence of
+MLXREG_LC_POWERED using !(state & MLXREG_LC_POWERED).
+
+Fixes: 62f9529b8d5c ("platform/mellanox: mlxreg-lc: Add initial support for Nvidia line card devices")
+Suggested-by: Vadim Pasternak <vadimp@nvidia.com>
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Link: https://lore.kernel.org/r/20250630105812.601014-1-alok.a.tiwari@oracle.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/mellanox/mlxreg-lc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/platform/mellanox/mlxreg-lc.c b/drivers/platform/mellanox/mlxreg-lc.c
+index aee395bb48ae4..8681ceb7144ba 100644
+--- a/drivers/platform/mellanox/mlxreg-lc.c
++++ b/drivers/platform/mellanox/mlxreg-lc.c
+@@ -688,7 +688,7 @@ static int mlxreg_lc_completion_notify(void *handle, struct i2c_adapter *parent,
+ if (regval & mlxreg_lc->data->mask) {
+ mlxreg_lc->state |= MLXREG_LC_SYNCED;
+ mlxreg_lc_state_update_locked(mlxreg_lc, MLXREG_LC_SYNCED, 1);
+- if (mlxreg_lc->state & ~MLXREG_LC_POWERED) {
++ if (!(mlxreg_lc->state & MLXREG_LC_POWERED)) {
+ err = mlxreg_lc_power_on_off(mlxreg_lc, 1);
+ if (err)
+ goto mlxreg_lc_regmap_power_on_off_fail;
+--
+2.39.5
+
--- /dev/null
+From 7188052268e1999499fb07bc192b398402b840d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 22 Jun 2025 00:29:12 -0700
+Subject: platform/mellanox: nvsw-sn2201: Fix bus number in adapter error
+ message
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit d07143b507c51c04c091081627c5a130e9d3c517 ]
+
+change error log to use correct bus number from main_mux_devs
+instead of cpld_devs.
+
+Fixes: 662f24826f95 ("platform/mellanox: Add support for new SN2201 system")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Reviewed-by: Vadim Pasternak <vadimp@nvidia.com>
+Link: https://lore.kernel.org/r/20250622072921.4111552-2-alok.a.tiwari@oracle.com
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/mellanox/nvsw-sn2201.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/platform/mellanox/nvsw-sn2201.c b/drivers/platform/mellanox/nvsw-sn2201.c
+index 0c047aa2345b3..490001a9afd76 100644
+--- a/drivers/platform/mellanox/nvsw-sn2201.c
++++ b/drivers/platform/mellanox/nvsw-sn2201.c
+@@ -1088,7 +1088,7 @@ static int nvsw_sn2201_i2c_completion_notify(void *handle, int id)
+ if (!nvsw_sn2201->main_mux_devs->adapter) {
+ err = -ENODEV;
+ dev_err(nvsw_sn2201->dev, "Failed to get adapter for bus %d\n",
+- nvsw_sn2201->cpld_devs->nr);
++ nvsw_sn2201->main_mux_devs->nr);
+ goto i2c_get_adapter_main_fail;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 5015a90fe6f20bc37df8585295f0783f573e42ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 15:33:40 -0500
+Subject: platform/x86/amd/pmc: Add PCSpecialist Lafite Pro V 14M to 8042
+ quirks list
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit 9ba75ccad85708c5a484637dccc1fc59295b0a83 ]
+
+Every other s2idle cycle fails to reach hardware sleep when keyboard
+wakeup is enabled. This appears to be an EC bug, but the vendor
+refuses to fix it.
+
+It was confirmed that turning off i8042 wakeup avoids ths issue
+(albeit keyboard wakeup is disabled). Take the lesser of two evils
+and add it to the i8042 quirk list.
+
+Reported-by: Raoul <ein4rth@gmail.com>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220116
+Tested-by: Raoul <ein4rth@gmail.com>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Link: https://lore.kernel.org/r/20250611203341.3733478-1-superm1@kernel.org
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/amd/pmc/pmc-quirks.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/platform/x86/amd/pmc/pmc-quirks.c b/drivers/platform/x86/amd/pmc/pmc-quirks.c
+index 2e3f6fc67c568..7ed12c1d3b34c 100644
+--- a/drivers/platform/x86/amd/pmc/pmc-quirks.c
++++ b/drivers/platform/x86/amd/pmc/pmc-quirks.c
+@@ -224,6 +224,15 @@ static const struct dmi_system_id fwbug_list[] = {
+ DMI_MATCH(DMI_BOARD_NAME, "WUJIE14-GX4HRXL"),
+ }
+ },
++ /* https://bugzilla.kernel.org/show_bug.cgi?id=220116 */
++ {
++ .ident = "PCSpecialist Lafite Pro V 14M",
++ .driver_data = &quirk_spurious_8042,
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "PCSpecialist"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Lafite Pro V 14M"),
++ }
++ },
+ {}
+ };
+
+--
+2.39.5
+
--- /dev/null
+From f51041b4324faf00b834e7e91d0223df916e9425 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jun 2025 22:17:37 -0300
+Subject: platform/x86: dell-wmi-sysman: Fix class device unregistration
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kurt Borja <kuurtb@gmail.com>
+
+[ Upstream commit 314e5ad4782d08858b3abc325c0487bd2abc23a1 ]
+
+Devices under the firmware_attributes_class do not have unique a dev_t.
+Therefore, device_unregister() should be used instead of
+device_destroy(), since the latter may match any device with a given
+dev_t.
+
+Fixes: e8a60aa7404b ("platform/x86: Introduce support for Systems Management Driver over WMI for Dell Systems")
+Signed-off-by: Kurt Borja <kuurtb@gmail.com>
+Link: https://lore.kernel.org/r/20250625-dest-fix-v1-3-3a0f342312bb@gmail.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/dell/dell-wmi-sysman/sysman.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c b/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c
+index 3c74d5e8350a4..f5402b7146572 100644
+--- a/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c
++++ b/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c
+@@ -597,7 +597,7 @@ static int __init sysman_init(void)
+ release_attributes_data();
+
+ err_destroy_classdev:
+- device_destroy(&firmware_attributes_class, MKDEV(0, 0));
++ device_unregister(wmi_priv.class_dev);
+
+ err_exit_bios_attr_pass_interface:
+ exit_bios_attr_pass_interface();
+@@ -611,7 +611,7 @@ static int __init sysman_init(void)
+ static void __exit sysman_exit(void)
+ {
+ release_attributes_data();
+- device_destroy(&firmware_attributes_class, MKDEV(0, 0));
++ device_unregister(wmi_priv.class_dev);
+ exit_bios_attr_set_interface();
+ exit_bios_attr_pass_interface();
+ }
+--
+2.39.5
+
--- /dev/null
+From 764f642c735cf17c2b2e925c2ac4e8e6f8159489 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 00:43:12 -0300
+Subject: platform/x86: dell-wmi-sysman: Fix WMI data block retrieval in sysfs
+ callbacks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kurt Borja <kuurtb@gmail.com>
+
+[ Upstream commit eb617dd25ca176f3fee24f873f0fd60010773d67 ]
+
+After retrieving WMI data blocks in sysfs callbacks, check for the
+validity of them before dereferencing their content.
+
+Reported-by: Jan Graczyk <jangraczyk@yahoo.ca>
+Closes: https://lore.kernel.org/r/CAHk-=wgMiSKXf7SvQrfEnxVtmT=QVQPjJdNjfm3aXS7wc=rzTw@mail.gmail.com/
+Fixes: e8a60aa7404b ("platform/x86: Introduce support for Systems Management Driver over WMI for Dell Systems")
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Reviewed-by: Armin Wolf <W_Armin@gmx.de>
+Signed-off-by: Kurt Borja <kuurtb@gmail.com>
+Link: https://lore.kernel.org/r/20250630-sysman-fix-v2-1-d185674d0a30@gmail.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../platform/x86/dell/dell-wmi-sysman/dell-wmi-sysman.h | 5 +++++
+ .../platform/x86/dell/dell-wmi-sysman/enum-attributes.c | 5 +++--
+ .../platform/x86/dell/dell-wmi-sysman/int-attributes.c | 5 +++--
+ .../x86/dell/dell-wmi-sysman/passobj-attributes.c | 5 +++--
+ .../platform/x86/dell/dell-wmi-sysman/string-attributes.c | 5 +++--
+ drivers/platform/x86/dell/dell-wmi-sysman/sysman.c | 8 ++++----
+ 6 files changed, 21 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/platform/x86/dell/dell-wmi-sysman/dell-wmi-sysman.h b/drivers/platform/x86/dell/dell-wmi-sysman/dell-wmi-sysman.h
+index 3ad33a094588c..817ee7ba07ca0 100644
+--- a/drivers/platform/x86/dell/dell-wmi-sysman/dell-wmi-sysman.h
++++ b/drivers/platform/x86/dell/dell-wmi-sysman/dell-wmi-sysman.h
+@@ -89,6 +89,11 @@ extern struct wmi_sysman_priv wmi_priv;
+
+ enum { ENUM, INT, STR, PO };
+
++#define ENUM_MIN_ELEMENTS 8
++#define INT_MIN_ELEMENTS 9
++#define STR_MIN_ELEMENTS 8
++#define PO_MIN_ELEMENTS 4
++
+ enum {
+ ATTR_NAME,
+ DISPL_NAME_LANG_CODE,
+diff --git a/drivers/platform/x86/dell/dell-wmi-sysman/enum-attributes.c b/drivers/platform/x86/dell/dell-wmi-sysman/enum-attributes.c
+index 8cc212c852668..fc2f58b4cbc6e 100644
+--- a/drivers/platform/x86/dell/dell-wmi-sysman/enum-attributes.c
++++ b/drivers/platform/x86/dell/dell-wmi-sysman/enum-attributes.c
+@@ -23,9 +23,10 @@ static ssize_t current_value_show(struct kobject *kobj, struct kobj_attribute *a
+ obj = get_wmiobj_pointer(instance_id, DELL_WMI_BIOS_ENUMERATION_ATTRIBUTE_GUID);
+ if (!obj)
+ return -EIO;
+- if (obj->package.elements[CURRENT_VAL].type != ACPI_TYPE_STRING) {
++ if (obj->type != ACPI_TYPE_PACKAGE || obj->package.count < ENUM_MIN_ELEMENTS ||
++ obj->package.elements[CURRENT_VAL].type != ACPI_TYPE_STRING) {
+ kfree(obj);
+- return -EINVAL;
++ return -EIO;
+ }
+ ret = snprintf(buf, PAGE_SIZE, "%s\n", obj->package.elements[CURRENT_VAL].string.pointer);
+ kfree(obj);
+diff --git a/drivers/platform/x86/dell/dell-wmi-sysman/int-attributes.c b/drivers/platform/x86/dell/dell-wmi-sysman/int-attributes.c
+index 951e75b538fad..7352480642391 100644
+--- a/drivers/platform/x86/dell/dell-wmi-sysman/int-attributes.c
++++ b/drivers/platform/x86/dell/dell-wmi-sysman/int-attributes.c
+@@ -25,9 +25,10 @@ static ssize_t current_value_show(struct kobject *kobj, struct kobj_attribute *a
+ obj = get_wmiobj_pointer(instance_id, DELL_WMI_BIOS_INTEGER_ATTRIBUTE_GUID);
+ if (!obj)
+ return -EIO;
+- if (obj->package.elements[CURRENT_VAL].type != ACPI_TYPE_INTEGER) {
++ if (obj->type != ACPI_TYPE_PACKAGE || obj->package.count < INT_MIN_ELEMENTS ||
++ obj->package.elements[CURRENT_VAL].type != ACPI_TYPE_INTEGER) {
+ kfree(obj);
+- return -EINVAL;
++ return -EIO;
+ }
+ ret = snprintf(buf, PAGE_SIZE, "%lld\n", obj->package.elements[CURRENT_VAL].integer.value);
+ kfree(obj);
+diff --git a/drivers/platform/x86/dell/dell-wmi-sysman/passobj-attributes.c b/drivers/platform/x86/dell/dell-wmi-sysman/passobj-attributes.c
+index d8f1bf5e58a0f..3167e06d416ed 100644
+--- a/drivers/platform/x86/dell/dell-wmi-sysman/passobj-attributes.c
++++ b/drivers/platform/x86/dell/dell-wmi-sysman/passobj-attributes.c
+@@ -26,9 +26,10 @@ static ssize_t is_enabled_show(struct kobject *kobj, struct kobj_attribute *attr
+ obj = get_wmiobj_pointer(instance_id, DELL_WMI_BIOS_PASSOBJ_ATTRIBUTE_GUID);
+ if (!obj)
+ return -EIO;
+- if (obj->package.elements[IS_PASS_SET].type != ACPI_TYPE_INTEGER) {
++ if (obj->type != ACPI_TYPE_PACKAGE || obj->package.count < PO_MIN_ELEMENTS ||
++ obj->package.elements[IS_PASS_SET].type != ACPI_TYPE_INTEGER) {
+ kfree(obj);
+- return -EINVAL;
++ return -EIO;
+ }
+ ret = snprintf(buf, PAGE_SIZE, "%lld\n", obj->package.elements[IS_PASS_SET].integer.value);
+ kfree(obj);
+diff --git a/drivers/platform/x86/dell/dell-wmi-sysman/string-attributes.c b/drivers/platform/x86/dell/dell-wmi-sysman/string-attributes.c
+index c392f0ecf8b55..0d2c74f8d1aad 100644
+--- a/drivers/platform/x86/dell/dell-wmi-sysman/string-attributes.c
++++ b/drivers/platform/x86/dell/dell-wmi-sysman/string-attributes.c
+@@ -25,9 +25,10 @@ static ssize_t current_value_show(struct kobject *kobj, struct kobj_attribute *a
+ obj = get_wmiobj_pointer(instance_id, DELL_WMI_BIOS_STRING_ATTRIBUTE_GUID);
+ if (!obj)
+ return -EIO;
+- if (obj->package.elements[CURRENT_VAL].type != ACPI_TYPE_STRING) {
++ if (obj->type != ACPI_TYPE_PACKAGE || obj->package.count < STR_MIN_ELEMENTS ||
++ obj->package.elements[CURRENT_VAL].type != ACPI_TYPE_STRING) {
+ kfree(obj);
+- return -EINVAL;
++ return -EIO;
+ }
+ ret = snprintf(buf, PAGE_SIZE, "%s\n", obj->package.elements[CURRENT_VAL].string.pointer);
+ kfree(obj);
+diff --git a/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c b/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c
+index d00389b860e4e..3c74d5e8350a4 100644
+--- a/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c
++++ b/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c
+@@ -407,10 +407,10 @@ static int init_bios_attributes(int attr_type, const char *guid)
+ return retval;
+
+ switch (attr_type) {
+- case ENUM: min_elements = 8; break;
+- case INT: min_elements = 9; break;
+- case STR: min_elements = 8; break;
+- case PO: min_elements = 4; break;
++ case ENUM: min_elements = ENUM_MIN_ELEMENTS; break;
++ case INT: min_elements = INT_MIN_ELEMENTS; break;
++ case STR: min_elements = STR_MIN_ELEMENTS; break;
++ case PO: min_elements = PO_MIN_ELEMENTS; break;
+ default:
+ pr_err("Error: Unknown attr_type: %d\n", attr_type);
+ return -EINVAL;
+--
+2.39.5
+
--- /dev/null
+From 02e28fc00ee16897254801b4b9f00737f5661c53 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jun 2025 22:17:35 -0300
+Subject: platform/x86: hp-bioscfg: Fix class device unregistration
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kurt Borja <kuurtb@gmail.com>
+
+[ Upstream commit 11cba4793b95df3bc192149a6eb044f69aa0b99e ]
+
+Devices under the firmware_attributes_class do not have unique a dev_t.
+Therefore, device_unregister() should be used instead of
+device_destroy(), since the latter may match any device with a given
+dev_t.
+
+Fixes: a34fc329b189 ("platform/x86: hp-bioscfg: bioscfg")
+Signed-off-by: Kurt Borja <kuurtb@gmail.com>
+Link: https://lore.kernel.org/r/20250625-dest-fix-v1-1-3a0f342312bb@gmail.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/hp/hp-bioscfg/bioscfg.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c b/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c
+index 13237890fc920..5bfa7159f5bcd 100644
+--- a/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c
++++ b/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c
+@@ -1034,7 +1034,7 @@ static int __init hp_init(void)
+ release_attributes_data();
+
+ err_destroy_classdev:
+- device_destroy(&firmware_attributes_class, MKDEV(0, 0));
++ device_unregister(bioscfg_drv.class_dev);
+
+ err_unregister_class:
+ hp_exit_attr_set_interface();
+@@ -1045,7 +1045,7 @@ static int __init hp_init(void)
+ static void __exit hp_exit(void)
+ {
+ release_attributes_data();
+- device_destroy(&firmware_attributes_class, MKDEV(0, 0));
++ device_unregister(bioscfg_drv.class_dev);
+
+ hp_exit_attr_set_interface();
+ }
+--
+2.39.5
+
--- /dev/null
+From c27e2ff6c45299e9e73874977c0e9966faf24577 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jun 2025 22:17:36 -0300
+Subject: platform/x86: think-lmi: Fix class device unregistration
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kurt Borja <kuurtb@gmail.com>
+
+[ Upstream commit 5ff1fbb3059730700b4823f43999fc1315984632 ]
+
+Devices under the firmware_attributes_class do not have unique a dev_t.
+Therefore, device_unregister() should be used instead of
+device_destroy(), since the latter may match any device with a given
+dev_t.
+
+Fixes: a40cd7ef22fb ("platform/x86: think-lmi: Add WMI interface support on Lenovo platforms")
+Signed-off-by: Kurt Borja <kuurtb@gmail.com>
+Link: https://lore.kernel.org/r/20250625-dest-fix-v1-2-3a0f342312bb@gmail.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/think-lmi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/platform/x86/think-lmi.c b/drivers/platform/x86/think-lmi.c
+index 00b1e7c79a3d1..28ce475f6c377 100644
+--- a/drivers/platform/x86/think-lmi.c
++++ b/drivers/platform/x86/think-lmi.c
+@@ -1554,7 +1554,7 @@ static int tlmi_sysfs_init(void)
+ fail_create_attr:
+ tlmi_release_attr();
+ fail_device_created:
+- device_destroy(&firmware_attributes_class, MKDEV(0, 0));
++ device_unregister(tlmi_priv.class_dev);
+ fail_class_created:
+ return ret;
+ }
+@@ -1781,7 +1781,7 @@ static int tlmi_analyze(struct wmi_device *wdev)
+ static void tlmi_remove(struct wmi_device *wdev)
+ {
+ tlmi_release_attr();
+- device_destroy(&firmware_attributes_class, MKDEV(0, 0));
++ device_unregister(tlmi_priv.class_dev);
+ }
+
+ static int tlmi_probe(struct wmi_device *wdev, const void *context)
+--
+2.39.5
+
--- /dev/null
+From d3710a46906258261d470b3bad5a51ced69afd40 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 00:14:39 +0200
+Subject: platform/x86: wmi: Fix WMI event enablement
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Armin Wolf <W_Armin@gmx.de>
+
+[ Upstream commit cf0b812500e64a7d5e2957abed38c3a97917b34f ]
+
+It turns out that the Windows WMI-ACPI driver always enables/disables
+WMI events regardless of whether they are marked as expensive or not.
+This finding is further reinforced when reading the documentation of
+the WMI_FUNCTION_CONTROL_CALLBACK callback used by Windows drivers
+for enabling/disabling WMI devices:
+
+ The DpWmiFunctionControl routine enables or disables
+ notification of events, and enables or disables data
+ collection for data blocks that the driver registered
+ as expensive to collect.
+
+Follow this behavior to fix the WMI event used for reporting hotkey
+events on the Dell Latitude 5400 and likely many more devices.
+
+Reported-by: Dmytro Bagrii <dimich.dmb@gmail.com>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220246
+Tested-by: Dmytro Bagrii <dimich.dmb@gmail.com>
+Fixes: 656f0961d126 ("platform/x86: wmi: Rework WCxx/WExx ACPI method handling")
+Signed-off-by: Armin Wolf <W_Armin@gmx.de>
+Link: https://lore.kernel.org/r/20250619221440.6737-1-W_Armin@gmx.de
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/wmi.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c
+index e46453750d5f1..03aecf8bb7f8e 100644
+--- a/drivers/platform/x86/wmi.c
++++ b/drivers/platform/x86/wmi.c
+@@ -177,16 +177,22 @@ static int wmi_device_enable(struct wmi_device *wdev, bool enable)
+ acpi_handle handle;
+ acpi_status status;
+
+- if (!(wblock->gblock.flags & ACPI_WMI_EXPENSIVE))
+- return 0;
+-
+ if (wblock->dev.dev.type == &wmi_type_method)
+ return 0;
+
+- if (wblock->dev.dev.type == &wmi_type_event)
++ if (wblock->dev.dev.type == &wmi_type_event) {
++ /*
++ * Windows always enables/disables WMI events, even when they are
++ * not marked as being expensive. We follow this behavior for
++ * compatibility reasons.
++ */
+ snprintf(method, sizeof(method), "WE%02X", wblock->gblock.notify_id);
+- else
++ } else {
++ if (!(wblock->gblock.flags & ACPI_WMI_EXPENSIVE))
++ return 0;
++
+ get_acpi_method_name(wblock, 'C', method);
++ }
+
+ /*
+ * Not all WMI devices marked as expensive actually implement the
+--
+2.39.5
+
--- /dev/null
+From df549717903c50eb9de544c092c0c50ba22a99dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 May 2025 19:52:37 +0530
+Subject: powerpc: Fix struct termio related ioctl macros
+
+From: Madhavan Srinivasan <maddy@linux.ibm.com>
+
+[ Upstream commit ab107276607af90b13a5994997e19b7b9731e251 ]
+
+Since termio interface is now obsolete, include/uapi/asm/ioctls.h
+has some constant macros referring to "struct termio", this caused
+build failure at userspace.
+
+In file included from /usr/include/asm/ioctl.h:12,
+ from /usr/include/asm/ioctls.h:5,
+ from tst-ioctls.c:3:
+tst-ioctls.c: In function 'get_TCGETA':
+tst-ioctls.c:12:10: error: invalid application of 'sizeof' to incomplete type 'struct termio'
+ 12 | return TCGETA;
+ | ^~~~~~
+
+Even though termios.h provides "struct termio", trying to juggle definitions around to
+make it compile could introduce regressions. So better to open code it.
+
+Reported-by: Tulio Magno <tuliom@ascii.art.br>
+Suggested-by: Nicholas Piggin <npiggin@gmail.com>
+Tested-by: Justin M. Forbes <jforbes@fedoraproject.org>
+Reviewed-by: Michael Ellerman <mpe@ellerman.id.au>
+Closes: https://lore.kernel.org/linuxppc-dev/8734dji5wl.fsf@ascii.art.br/
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/20250517142237.156665-1-maddy@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/uapi/asm/ioctls.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/powerpc/include/uapi/asm/ioctls.h b/arch/powerpc/include/uapi/asm/ioctls.h
+index 2c145da3b774a..b5211e413829a 100644
+--- a/arch/powerpc/include/uapi/asm/ioctls.h
++++ b/arch/powerpc/include/uapi/asm/ioctls.h
+@@ -23,10 +23,10 @@
+ #define TCSETSW _IOW('t', 21, struct termios)
+ #define TCSETSF _IOW('t', 22, struct termios)
+
+-#define TCGETA _IOR('t', 23, struct termio)
+-#define TCSETA _IOW('t', 24, struct termio)
+-#define TCSETAW _IOW('t', 25, struct termio)
+-#define TCSETAF _IOW('t', 28, struct termio)
++#define TCGETA 0x40147417 /* _IOR('t', 23, struct termio) */
++#define TCSETA 0x80147418 /* _IOW('t', 24, struct termio) */
++#define TCSETAW 0x80147419 /* _IOW('t', 25, struct termio) */
++#define TCSETAF 0x8014741c /* _IOW('t', 28, struct termio) */
+
+ #define TCSBRK _IO('t', 29)
+ #define TCXONC _IO('t', 30)
+--
+2.39.5
+
--- /dev/null
+From 36dd4ec375d0ccf54c77a2feb5a513e6c452f6db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 19:34:48 +0200
+Subject: rcu: Return early if callback is not specified
+
+From: Uladzislau Rezki (Sony) <urezki@gmail.com>
+
+[ Upstream commit 33b6a1f155d627f5bd80c7485c598ce45428f74f ]
+
+Currently the call_rcu() API does not check whether a callback
+pointer is NULL. If NULL is passed, rcu_core() will try to invoke
+it, resulting in NULL pointer dereference and a kernel crash.
+
+To prevent this and improve debuggability, this patch adds a check
+for NULL and emits a kernel stack trace to help identify a faulty
+caller.
+
+Signed-off-by: Uladzislau Rezki (Sony) <urezki@gmail.com>
+Reviewed-by: Joel Fernandes <joelagnelf@nvidia.com>
+Signed-off-by: Joel Fernandes <joelagnelf@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/rcu/tree.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c
+index 80b10893b5038..37778d913f011 100644
+--- a/kernel/rcu/tree.c
++++ b/kernel/rcu/tree.c
+@@ -3068,6 +3068,10 @@ __call_rcu_common(struct rcu_head *head, rcu_callback_t func, bool lazy_in)
+ /* Misaligned rcu_head! */
+ WARN_ON_ONCE((unsigned long)head & (sizeof(void *) - 1));
+
++ /* Avoid NULL dereference if callback is NULL. */
++ if (WARN_ON_ONCE(!func))
++ return;
++
+ if (debug_rcu_head_queue(head)) {
+ /*
+ * Probable double call_rcu(), so leak the callback.
+--
+2.39.5
+
--- /dev/null
+From d17f29c52b837412614ab1a738261dcee5ca92b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Jun 2025 12:14:53 +0300
+Subject: RDMA/mlx5: Fix CC counters query for MPV
+
+From: Patrisious Haddad <phaddad@nvidia.com>
+
+[ Upstream commit acd245b1e33fc4b9d0f2e3372021d632f7ee0652 ]
+
+In case, CC counters are querying for the second port use the correct
+core device for the query instead of always using the master core device.
+
+Fixes: aac4492ef23a ("IB/mlx5: Update counter implementation for dual port RoCE")
+Signed-off-by: Patrisious Haddad <phaddad@nvidia.com>
+Reviewed-by: Michael Guralnik <michaelgur@nvidia.com>
+Link: https://patch.msgid.link/9cace74dcf106116118bebfa9146d40d4166c6b0.1750064969.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/counters.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/counters.c b/drivers/infiniband/hw/mlx5/counters.c
+index 943e9eb2ad20d..a506fafd2b151 100644
+--- a/drivers/infiniband/hw/mlx5/counters.c
++++ b/drivers/infiniband/hw/mlx5/counters.c
+@@ -418,7 +418,7 @@ static int do_get_hw_stats(struct ib_device *ibdev,
+ */
+ goto done;
+ }
+- ret = mlx5_lag_query_cong_counters(dev->mdev,
++ ret = mlx5_lag_query_cong_counters(mdev,
+ stats->value +
+ cnts->num_q_counters,
+ cnts->num_cong_counters,
+--
+2.39.5
+
--- /dev/null
+From 8c4a8324609544a4cdf779ca338d9e9c5f2eb6cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Jun 2025 12:14:52 +0300
+Subject: RDMA/mlx5: Fix HW counters query for non-representor devices
+
+From: Patrisious Haddad <phaddad@nvidia.com>
+
+[ Upstream commit 3cc1dbfddf88dc5ecce0a75185061403b1f7352d ]
+
+To get the device HW counters, a non-representor switchdev device
+should use the mlx5_ib_query_q_counters() function and query all of
+the available counters. While a representor device in switchdev mode
+should use the mlx5_ib_query_q_counters_vport() function and query only
+the Q_Counters without the PPCNT counters and congestion control counters,
+since they aren't relevant for a representor device.
+
+Currently a non-representor switchdev device skips querying the PPCNT
+counters and congestion control counters, leaving them unupdated.
+Fix that by properly querying those counters for non-representor devices.
+
+Fixes: d22467a71ebe ("RDMA/mlx5: Expand switchdev Q-counters to expose representor statistics")
+Signed-off-by: Patrisious Haddad <phaddad@nvidia.com>
+Reviewed-by: Maher Sanalla <msanalla@nvidia.com>
+Link: https://patch.msgid.link/56bf8af4ca8c58e3fb9f7e47b1dca2009eeeed81.1750064969.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/counters.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/counters.c b/drivers/infiniband/hw/mlx5/counters.c
+index b847084dcd998..943e9eb2ad20d 100644
+--- a/drivers/infiniband/hw/mlx5/counters.c
++++ b/drivers/infiniband/hw/mlx5/counters.c
+@@ -398,7 +398,7 @@ static int do_get_hw_stats(struct ib_device *ibdev,
+ return ret;
+
+ /* We don't expose device counters over Vports */
+- if (is_mdev_switchdev_mode(dev->mdev) && port_num != 0)
++ if (is_mdev_switchdev_mode(dev->mdev) && dev->is_rep && port_num != 0)
+ goto done;
+
+ if (MLX5_CAP_PCAM_FEATURE(dev->mdev, rx_icrc_encapsulated_counter)) {
+--
+2.39.5
+
--- /dev/null
+From 16b9804ab43a3ded3ee778240e5d03a93f956b1c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Jun 2025 11:17:01 +0300
+Subject: RDMA/mlx5: Fix unsafe xarray access in implicit ODP handling
+
+From: Or Har-Toov <ohartoov@nvidia.com>
+
+[ Upstream commit 2c6b640ea08bff1a192bf87fa45246ff1e40767c ]
+
+__xa_store() and __xa_erase() were used without holding the proper lock,
+which led to a lockdep warning due to unsafe RCU usage. This patch
+replaces them with xa_store() and xa_erase(), which perform the necessary
+locking internally.
+
+ =============================
+ WARNING: suspicious RCPU usage
+ 6.14.0-rc7_for_upstream_debug_2025_03_18_15_01 #1 Not tainted
+ -----------------------------
+ ./include/linux/xarray.h:1211 suspicious rcu_dereference_protected() usage!
+
+ other info that might help us debug this:
+
+ rcu_scheduler_active = 2, debug_locks = 1
+ 3 locks held by kworker/u136:0/219:
+ at: process_one_work+0xbe4/0x15f0
+ process_one_work+0x75c/0x15f0
+ pagefault_mr+0x9a5/0x1390 [mlx5_ib]
+
+ stack backtrace:
+ CPU: 14 UID: 0 PID: 219 Comm: kworker/u136:0 Not tainted
+ 6.14.0-rc7_for_upstream_debug_2025_03_18_15_01 #1
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
+ rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+ Workqueue: mlx5_ib_page_fault mlx5_ib_eqe_pf_action [mlx5_ib]
+ Call Trace:
+ dump_stack_lvl+0xa8/0xc0
+ lockdep_rcu_suspicious+0x1e6/0x260
+ xas_create+0xb8a/0xee0
+ xas_store+0x73/0x14c0
+ __xa_store+0x13c/0x220
+ ? xa_store_range+0x390/0x390
+ ? spin_bug+0x1d0/0x1d0
+ pagefault_mr+0xcb5/0x1390 [mlx5_ib]
+ ? _raw_spin_unlock+0x1f/0x30
+ mlx5_ib_eqe_pf_action+0x3be/0x2620 [mlx5_ib]
+ ? lockdep_hardirqs_on_prepare+0x400/0x400
+ ? mlx5_ib_invalidate_range+0xcb0/0xcb0 [mlx5_ib]
+ process_one_work+0x7db/0x15f0
+ ? pwq_dec_nr_in_flight+0xda0/0xda0
+ ? assign_work+0x168/0x240
+ worker_thread+0x57d/0xcd0
+ ? rescuer_thread+0xc40/0xc40
+ kthread+0x3b3/0x800
+ ? kthread_is_per_cpu+0xb0/0xb0
+ ? lock_downgrade+0x680/0x680
+ ? do_raw_spin_lock+0x12d/0x270
+ ? spin_bug+0x1d0/0x1d0
+ ? finish_task_switch.isra.0+0x284/0x9e0
+ ? lockdep_hardirqs_on_prepare+0x284/0x400
+ ? kthread_is_per_cpu+0xb0/0xb0
+ ret_from_fork+0x2d/0x70
+ ? kthread_is_per_cpu+0xb0/0xb0
+ ret_from_fork_asm+0x11/0x20
+
+Fixes: d3d930411ce3 ("RDMA/mlx5: Fix implicit ODP use after free")
+Link: https://patch.msgid.link/r/a85ddd16f45c8cb2bc0a188c2b0fcedfce975eb8.1750061791.git.leon@kernel.org
+Signed-off-by: Or Har-Toov <ohartoov@nvidia.com>
+Reviewed-by: Patrisious Haddad <phaddad@nvidia.com>
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/odp.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/odp.c b/drivers/infiniband/hw/mlx5/odp.c
+index 86d8fa63bf691..4183bab753a39 100644
+--- a/drivers/infiniband/hw/mlx5/odp.c
++++ b/drivers/infiniband/hw/mlx5/odp.c
+@@ -247,8 +247,8 @@ static void destroy_unused_implicit_child_mr(struct mlx5_ib_mr *mr)
+ }
+
+ if (MLX5_CAP_ODP(mr_to_mdev(mr)->mdev, mem_page_fault))
+- __xa_erase(&mr_to_mdev(mr)->odp_mkeys,
+- mlx5_base_mkey(mr->mmkey.key));
++ xa_erase(&mr_to_mdev(mr)->odp_mkeys,
++ mlx5_base_mkey(mr->mmkey.key));
+ xa_unlock(&imr->implicit_children);
+
+ /* Freeing a MR is a sleeping operation, so bounce to a work queue */
+@@ -521,8 +521,8 @@ static struct mlx5_ib_mr *implicit_get_child_mr(struct mlx5_ib_mr *imr,
+ }
+
+ if (MLX5_CAP_ODP(dev->mdev, mem_page_fault)) {
+- ret = __xa_store(&dev->odp_mkeys, mlx5_base_mkey(mr->mmkey.key),
+- &mr->mmkey, GFP_KERNEL);
++ ret = xa_store(&dev->odp_mkeys, mlx5_base_mkey(mr->mmkey.key),
++ &mr->mmkey, GFP_KERNEL);
+ if (xa_is_err(ret)) {
+ ret = ERR_PTR(xa_err(ret));
+ __xa_erase(&imr->implicit_children, idx);
+--
+2.39.5
+
--- /dev/null
+From 841df7d1b83ee4c0e14805cab20e2e8d3295a9a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Jun 2025 12:14:54 +0300
+Subject: RDMA/mlx5: Fix vport loopback for MPV device
+
+From: Patrisious Haddad <phaddad@nvidia.com>
+
+[ Upstream commit a9a9e68954f29b1e197663f76289db4879fd51bb ]
+
+Always enable vport loopback for both MPV devices on driver start.
+
+Previously in some cases related to MPV RoCE, packets weren't correctly
+executing loopback check at vport in FW, since it was disabled.
+Due to complexity of identifying such cases for MPV always enable vport
+loopback for both GVMIs when binding the slave to the master port.
+
+Fixes: 0042f9e458a5 ("RDMA/mlx5: Enable vport loopback when user context or QP mandate")
+Signed-off-by: Patrisious Haddad <phaddad@nvidia.com>
+Reviewed-by: Mark Bloch <mbloch@nvidia.com>
+Link: https://patch.msgid.link/d4298f5ebb2197459e9e7221c51ecd6a34699847.1750064969.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/main.c | 33 +++++++++++++++++++++++++++++++
+ 1 file changed, 33 insertions(+)
+
+diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
+index d07cacaa0abd0..4ffe3afb560c9 100644
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -1779,6 +1779,33 @@ static void deallocate_uars(struct mlx5_ib_dev *dev,
+ context->devx_uid);
+ }
+
++static int mlx5_ib_enable_lb_mp(struct mlx5_core_dev *master,
++ struct mlx5_core_dev *slave)
++{
++ int err;
++
++ err = mlx5_nic_vport_update_local_lb(master, true);
++ if (err)
++ return err;
++
++ err = mlx5_nic_vport_update_local_lb(slave, true);
++ if (err)
++ goto out;
++
++ return 0;
++
++out:
++ mlx5_nic_vport_update_local_lb(master, false);
++ return err;
++}
++
++static void mlx5_ib_disable_lb_mp(struct mlx5_core_dev *master,
++ struct mlx5_core_dev *slave)
++{
++ mlx5_nic_vport_update_local_lb(slave, false);
++ mlx5_nic_vport_update_local_lb(master, false);
++}
++
+ int mlx5_ib_enable_lb(struct mlx5_ib_dev *dev, bool td, bool qp)
+ {
+ int err = 0;
+@@ -3483,6 +3510,8 @@ static void mlx5_ib_unbind_slave_port(struct mlx5_ib_dev *ibdev,
+
+ lockdep_assert_held(&mlx5_ib_multiport_mutex);
+
++ mlx5_ib_disable_lb_mp(ibdev->mdev, mpi->mdev);
++
+ mlx5_core_mp_event_replay(ibdev->mdev,
+ MLX5_DRIVER_EVENT_AFFILIATION_REMOVED,
+ NULL);
+@@ -3578,6 +3607,10 @@ static bool mlx5_ib_bind_slave_port(struct mlx5_ib_dev *ibdev,
+ MLX5_DRIVER_EVENT_AFFILIATION_DONE,
+ &key);
+
++ err = mlx5_ib_enable_lb_mp(ibdev->mdev, mpi->mdev);
++ if (err)
++ goto unbind;
++
+ return true;
+
+ unbind:
+--
+2.39.5
+
--- /dev/null
+From df41eb67cd49e55ec344be5bc740df8799aeedbf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jun 2025 11:13:55 +0300
+Subject: RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert
+
+From: Mark Zhang <markzhang@nvidia.com>
+
+[ Upstream commit 8edab8a72d67742f87e9dc2e2b0cdfddda5dc29a ]
+
+The obj_event may be loaded immediately after inserted, then if the
+list_head is not initialized then we may get a poisonous pointer. This
+fixes the crash below:
+
+ mlx5_core 0000:03:00.0: MLX5E: StrdRq(1) RqSz(8) StrdSz(2048) RxCqeCmprss(0 enhanced)
+ mlx5_core.sf mlx5_core.sf.4: firmware version: 32.38.3056
+ mlx5_core 0000:03:00.0 en3f0pf0sf2002: renamed from eth0
+ mlx5_core.sf mlx5_core.sf.4: Rate limit: 127 rates are supported, range: 0Mbps to 195312Mbps
+ IPv6: ADDRCONF(NETDEV_CHANGE): en3f0pf0sf2002: link becomes ready
+ Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060
+ Mem abort info:
+ ESR = 0x96000006
+ EC = 0x25: DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ Data abort info:
+ ISV = 0, ISS = 0x00000006
+ CM = 0, WnR = 0
+ user pgtable: 4k pages, 48-bit VAs, pgdp=00000007760fb000
+ [0000000000000060] pgd=000000076f6d7003, p4d=000000076f6d7003, pud=0000000777841003, pmd=0000000000000000
+ Internal error: Oops: 96000006 [#1] SMP
+ Modules linked in: ipmb_host(OE) act_mirred(E) cls_flower(E) sch_ingress(E) mptcp_diag(E) udp_diag(E) raw_diag(E) unix_diag(E) tcp_diag(E) inet_diag(E) binfmt_misc(E) bonding(OE) rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) isofs(E) cdrom(E) mst_pciconf(OE) ib_umad(OE) mlx5_ib(OE) ipmb_dev_int(OE) mlx5_core(OE) kpatch_15237886(OEK) mlxdevm(OE) auxiliary(OE) ib_uverbs(OE) ib_core(OE) psample(E) mlxfw(OE) tls(E) sunrpc(E) vfat(E) fat(E) crct10dif_ce(E) ghash_ce(E) sha1_ce(E) sbsa_gwdt(E) virtio_console(E) ext4(E) mbcache(E) jbd2(E) xfs(E) libcrc32c(E) mmc_block(E) virtio_net(E) net_failover(E) failover(E) sha2_ce(E) sha256_arm64(E) nvme(OE) nvme_core(OE) gpio_mlxbf3(OE) mlx_compat(OE) mlxbf_pmc(OE) i2c_mlxbf(OE) sdhci_of_dwcmshc(OE) pinctrl_mlxbf3(OE) mlxbf_pka(OE) gpio_generic(E) i2c_core(E) mmc_core(E) mlxbf_gige(OE) vitesse(E) pwr_mlxbf(OE) mlxbf_tmfifo(OE) micrel(E) mlxbf_bootctl(OE) virtio_ring(E) virtio(E) ipmi_devintf(E) ipmi_msghandler(E)
+ [last unloaded: mst_pci]
+ CPU: 11 PID: 20913 Comm: rte-worker-11 Kdump: loaded Tainted: G OE K 5.10.134-13.1.an8.aarch64 #1
+ Hardware name: https://www.mellanox.com BlueField-3 SmartNIC Main Card/BlueField-3 SmartNIC Main Card, BIOS 4.2.2.12968 Oct 26 2023
+ pstate: a0400089 (NzCv daIf +PAN -UAO -TCO BTYPE=--)
+ pc : dispatch_event_fd+0x68/0x300 [mlx5_ib]
+ lr : devx_event_notifier+0xcc/0x228 [mlx5_ib]
+ sp : ffff80001005bcf0
+ x29: ffff80001005bcf0 x28: 0000000000000001
+ x27: ffff244e0740a1d8 x26: ffff244e0740a1d0
+ x25: ffffda56beff5ae0 x24: ffffda56bf911618
+ x23: ffff244e0596a480 x22: ffff244e0596a480
+ x21: ffff244d8312ad90 x20: ffff244e0596a480
+ x19: fffffffffffffff0 x18: 0000000000000000
+ x17: 0000000000000000 x16: ffffda56be66d620
+ x15: 0000000000000000 x14: 0000000000000000
+ x13: 0000000000000000 x12: 0000000000000000
+ x11: 0000000000000040 x10: ffffda56bfcafb50
+ x9 : ffffda5655c25f2c x8 : 0000000000000010
+ x7 : 0000000000000000 x6 : ffff24545a2e24b8
+ x5 : 0000000000000003 x4 : ffff80001005bd28
+ x3 : 0000000000000000 x2 : 0000000000000000
+ x1 : ffff244e0596a480 x0 : ffff244d8312ad90
+ Call trace:
+ dispatch_event_fd+0x68/0x300 [mlx5_ib]
+ devx_event_notifier+0xcc/0x228 [mlx5_ib]
+ atomic_notifier_call_chain+0x58/0x80
+ mlx5_eq_async_int+0x148/0x2b0 [mlx5_core]
+ atomic_notifier_call_chain+0x58/0x80
+ irq_int_handler+0x20/0x30 [mlx5_core]
+ __handle_irq_event_percpu+0x60/0x220
+ handle_irq_event_percpu+0x3c/0x90
+ handle_irq_event+0x58/0x158
+ handle_fasteoi_irq+0xfc/0x188
+ generic_handle_irq+0x34/0x48
+ ...
+
+Fixes: 759738537142 ("IB/mlx5: Enable subscription for device events over DEVX")
+Link: https://patch.msgid.link/r/3ce7f20e0d1a03dc7de6e57494ec4b8eaf1f05c2.1750147949.git.leon@kernel.org
+Signed-off-by: Mark Zhang <markzhang@nvidia.com>
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/devx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/devx.c b/drivers/infiniband/hw/mlx5/devx.c
+index bceae1c1f9801..843dcd3122424 100644
+--- a/drivers/infiniband/hw/mlx5/devx.c
++++ b/drivers/infiniband/hw/mlx5/devx.c
+@@ -1958,6 +1958,7 @@ subscribe_event_xa_alloc(struct mlx5_devx_event_table *devx_event_table,
+ /* Level1 is valid for future use, no need to free */
+ return -ENOMEM;
+
++ INIT_LIST_HEAD(&obj_event->obj_sub_list);
+ err = xa_insert(&event->object_ids,
+ key_level2,
+ obj_event,
+@@ -1966,7 +1967,6 @@ subscribe_event_xa_alloc(struct mlx5_devx_event_table *devx_event_table,
+ kfree(obj_event);
+ return err;
+ }
+- INIT_LIST_HEAD(&obj_event->obj_sub_list);
+ }
+
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From 9b051f105741f5e2b93fc555116400487585f0bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 11:28:42 +0200
+Subject: RDMA/mlx5: reduce stack usage in mlx5_ib_ufile_hw_cleanup
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit b26852daaa83f535109253d114426d1fa674155d ]
+
+This function has an array of eight mlx5_async_cmd structures, which
+often fits on the stack, but depending on the configuration can
+end up blowing the stack frame warning limit:
+
+drivers/infiniband/hw/mlx5/devx.c:2670:6: error: stack frame size (1392) exceeds limit (1280) in 'mlx5_ib_ufile_hw_cleanup' [-Werror,-Wframe-larger-than]
+
+Change this to a dynamic allocation instead. While a kmalloc()
+can theoretically fail, a GFP_KERNEL allocation under a page will
+block until memory has been freed up, so in the worst case, this
+only adds extra time in an already constrained environment.
+
+Fixes: 7c891a4dbcc1 ("RDMA/mlx5: Add implementation for ufile_hw_cleanup device operation")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://patch.msgid.link/20250610092846.2642535-1-arnd@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/devx.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/devx.c b/drivers/infiniband/hw/mlx5/devx.c
+index 2479da8620ca9..bceae1c1f9801 100644
+--- a/drivers/infiniband/hw/mlx5/devx.c
++++ b/drivers/infiniband/hw/mlx5/devx.c
+@@ -2669,7 +2669,7 @@ static void devx_wait_async_destroy(struct mlx5_async_cmd *cmd)
+
+ void mlx5_ib_ufile_hw_cleanup(struct ib_uverbs_file *ufile)
+ {
+- struct mlx5_async_cmd async_cmd[MAX_ASYNC_CMDS];
++ struct mlx5_async_cmd *async_cmd;
+ struct ib_ucontext *ucontext = ufile->ucontext;
+ struct ib_device *device = ucontext->device;
+ struct mlx5_ib_dev *dev = to_mdev(device);
+@@ -2678,6 +2678,10 @@ void mlx5_ib_ufile_hw_cleanup(struct ib_uverbs_file *ufile)
+ int head = 0;
+ int tail = 0;
+
++ async_cmd = kcalloc(MAX_ASYNC_CMDS, sizeof(*async_cmd), GFP_KERNEL);
++ if (!async_cmd)
++ return;
++
+ list_for_each_entry(uobject, &ufile->uobjects, list) {
+ WARN_ON(uverbs_try_lock_object(uobject, UVERBS_LOOKUP_WRITE));
+
+@@ -2713,6 +2717,8 @@ void mlx5_ib_ufile_hw_cleanup(struct ib_uverbs_file *ufile)
+ devx_wait_async_destroy(&async_cmd[head % MAX_ASYNC_CMDS]);
+ head++;
+ }
++
++ kfree(async_cmd);
+ }
+
+ static ssize_t devx_async_cmd_event_read(struct file *filp, char __user *buf,
+--
+2.39.5
+
--- /dev/null
+From bb65f4f470327fbbd758947257329973777048e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Jun 2025 21:04:18 +0200
+Subject: regulator: fan53555: add enable_time support and soft-start times
+
+From: Heiko Stuebner <heiko@sntech.de>
+
+[ Upstream commit 8acfb165a492251a08a22a4fa6497a131e8c2609 ]
+
+The datasheets for all the fan53555 variants (and clones using the same
+interface) define so called soft start times, from enabling the regulator
+until at least some percentage of the output (i.e. 92% for the rk860x
+types) are available.
+
+The regulator framework supports this with the enable_time property
+but currently the fan53555 driver does not define enable_times for any
+variant.
+
+I ran into a problem with this while testing the new driver for the
+Rockchip NPUs (rocket), which does runtime-pm including disabling and
+enabling a rk8602 as needed. When reenabling the regulator while running
+a load, fatal hangs could be observed while enabling the associated
+power-domain, which the regulator supplies.
+
+Experimentally setting the regulator to always-on, made the issue
+disappear, leading to the missing delay to let power stabilize.
+And as expected, setting the enable-time to a non-zero value
+according to the datasheet also resolved the regulator-issue.
+
+The datasheets in nearly all cases only specify "typical" values,
+except for the fan53555 type 08. There both a typical and maximum
+value are listed - 40uS apart.
+
+For all typical values I've added 100uS to be on the safe side.
+Individual details for the relevant regulators below:
+
+- fan53526:
+ The datasheet for all variants lists a typical value of 150uS, so
+ make that 250uS with safety margin.
+- fan53555:
+ types 08 and 18 (unsupported) are given a typical enable time of 135uS
+ but also a maximum of 175uS so use that value. All the other types only
+ have a typical time in the datasheet of 300uS, so give a bit margin by
+ setting it to 400uS.
+- rk8600 + rk8602:
+ Datasheet reports a typical value of 260us, so use 360uS to be safe.
+- syr82x + syr83x:
+ All datasheets report typical soft-start values of 300uS for these
+ regulators, so use 400uS.
+- tcs452x:
+ Datasheet sadly does not report a soft-start time, so I've not set
+ an enable-time
+
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://patch.msgid.link/20250606190418.478633-1-heiko@sntech.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/fan53555.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/regulator/fan53555.c b/drivers/regulator/fan53555.c
+index bd9447dac5967..c282236959b18 100644
+--- a/drivers/regulator/fan53555.c
++++ b/drivers/regulator/fan53555.c
+@@ -147,6 +147,7 @@ struct fan53555_device_info {
+ unsigned int slew_mask;
+ const unsigned int *ramp_delay_table;
+ unsigned int n_ramp_values;
++ unsigned int enable_time;
+ unsigned int slew_rate;
+ };
+
+@@ -282,6 +283,7 @@ static int fan53526_voltages_setup_fairchild(struct fan53555_device_info *di)
+ di->slew_mask = CTL_SLEW_MASK;
+ di->ramp_delay_table = slew_rates;
+ di->n_ramp_values = ARRAY_SIZE(slew_rates);
++ di->enable_time = 250;
+ di->vsel_count = FAN53526_NVOLTAGES;
+
+ return 0;
+@@ -296,10 +298,12 @@ static int fan53555_voltages_setup_fairchild(struct fan53555_device_info *di)
+ case FAN53555_CHIP_REV_00:
+ di->vsel_min = 600000;
+ di->vsel_step = 10000;
++ di->enable_time = 400;
+ break;
+ case FAN53555_CHIP_REV_13:
+ di->vsel_min = 800000;
+ di->vsel_step = 10000;
++ di->enable_time = 400;
+ break;
+ default:
+ dev_err(di->dev,
+@@ -311,13 +315,19 @@ static int fan53555_voltages_setup_fairchild(struct fan53555_device_info *di)
+ case FAN53555_CHIP_ID_01:
+ case FAN53555_CHIP_ID_03:
+ case FAN53555_CHIP_ID_05:
++ di->vsel_min = 600000;
++ di->vsel_step = 10000;
++ di->enable_time = 400;
++ break;
+ case FAN53555_CHIP_ID_08:
+ di->vsel_min = 600000;
+ di->vsel_step = 10000;
++ di->enable_time = 175;
+ break;
+ case FAN53555_CHIP_ID_04:
+ di->vsel_min = 603000;
+ di->vsel_step = 12826;
++ di->enable_time = 400;
+ break;
+ default:
+ dev_err(di->dev,
+@@ -350,6 +360,7 @@ static int fan53555_voltages_setup_rockchip(struct fan53555_device_info *di)
+ di->slew_mask = CTL_SLEW_MASK;
+ di->ramp_delay_table = slew_rates;
+ di->n_ramp_values = ARRAY_SIZE(slew_rates);
++ di->enable_time = 360;
+ di->vsel_count = FAN53555_NVOLTAGES;
+
+ return 0;
+@@ -372,6 +383,7 @@ static int rk8602_voltages_setup_rockchip(struct fan53555_device_info *di)
+ di->slew_mask = CTL_SLEW_MASK;
+ di->ramp_delay_table = slew_rates;
+ di->n_ramp_values = ARRAY_SIZE(slew_rates);
++ di->enable_time = 360;
+ di->vsel_count = RK8602_NVOLTAGES;
+
+ return 0;
+@@ -395,6 +407,7 @@ static int fan53555_voltages_setup_silergy(struct fan53555_device_info *di)
+ di->slew_mask = CTL_SLEW_MASK;
+ di->ramp_delay_table = slew_rates;
+ di->n_ramp_values = ARRAY_SIZE(slew_rates);
++ di->enable_time = 400;
+ di->vsel_count = FAN53555_NVOLTAGES;
+
+ return 0;
+@@ -594,6 +607,7 @@ static int fan53555_regulator_register(struct fan53555_device_info *di,
+ rdesc->ramp_mask = di->slew_mask;
+ rdesc->ramp_delay_table = di->ramp_delay_table;
+ rdesc->n_ramp_values = di->n_ramp_values;
++ rdesc->enable_time = di->enable_time;
+ rdesc->owner = THIS_MODULE;
+
+ rdev = devm_regulator_register(di->dev, &di->desc, config);
+--
+2.39.5
+
--- /dev/null
+From bde5eeed317a4249dff5ce8a4b947b5f60204656 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 29 Jun 2025 12:06:31 +0900
+Subject: rose: fix dangling neighbour pointers in rose_rt_device_down()
+
+From: Kohei Enju <enjuk@amazon.com>
+
+[ Upstream commit 34a500caf48c47d5171f4aa1f237da39b07c6157 ]
+
+There are two bugs in rose_rt_device_down() that can cause
+use-after-free:
+
+1. The loop bound `t->count` is modified within the loop, which can
+ cause the loop to terminate early and miss some entries.
+
+2. When removing an entry from the neighbour array, the subsequent entries
+ are moved up to fill the gap, but the loop index `i` is still
+ incremented, causing the next entry to be skipped.
+
+For example, if a node has three neighbours (A, A, B) with count=3 and A
+is being removed, the second A is not checked.
+
+ i=0: (A, A, B) -> (A, B) with count=2
+ ^ checked
+ i=1: (A, B) -> (A, B) with count=2
+ ^ checked (B, not A!)
+ i=2: (doesn't occur because i < count is false)
+
+This leaves the second A in the array with count=2, but the rose_neigh
+structure has been freed. Code that accesses these entries assumes that
+the first `count` entries are valid pointers, causing a use-after-free
+when it accesses the dangling pointer.
+
+Fix both issues by iterating over the array in reverse order with a fixed
+loop bound. This ensures that all entries are examined and that the removal
+of an entry doesn't affect subsequent iterations.
+
+Reported-by: syzbot+e04e2c007ba2c80476cb@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=e04e2c007ba2c80476cb
+Tested-by: syzbot+e04e2c007ba2c80476cb@syzkaller.appspotmail.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kohei Enju <enjuk@amazon.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250629030833.6680-1-enjuk@amazon.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rose/rose_route.c | 15 ++++-----------
+ 1 file changed, 4 insertions(+), 11 deletions(-)
+
+diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
+index 2dd6bd3a3011f..b72bf8a08d489 100644
+--- a/net/rose/rose_route.c
++++ b/net/rose/rose_route.c
+@@ -497,22 +497,15 @@ void rose_rt_device_down(struct net_device *dev)
+ t = rose_node;
+ rose_node = rose_node->next;
+
+- for (i = 0; i < t->count; i++) {
++ for (i = t->count - 1; i >= 0; i--) {
+ if (t->neighbour[i] != s)
+ continue;
+
+ t->count--;
+
+- switch (i) {
+- case 0:
+- t->neighbour[0] = t->neighbour[1];
+- fallthrough;
+- case 1:
+- t->neighbour[1] = t->neighbour[2];
+- break;
+- case 2:
+- break;
+- }
++ memmove(&t->neighbour[i], &t->neighbour[i + 1],
++ sizeof(t->neighbour[0]) *
++ (t->count - i));
+ }
+
+ if (t->count <= 0)
+--
+2.39.5
+
--- /dev/null
+From c317f60ff1e8151ed1431177d05d5ed5eb3fbcfa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jun 2025 14:52:28 +0200
+Subject: scsi: core: Enforce unlimited max_segment_size when
+ virt_boundary_mask is set
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 4937e604ca24c41cae3296d069c871c2f3f519c8 ]
+
+The virt_boundary_mask limit requires an unlimited max_segment_size for
+bio splitting to not corrupt data. Historically, the block layer tried
+to validate this, although the check was half-hearted until the addition
+of the atomic queue limits API. The full blown check then triggered
+issues with stacked devices incorrectly inheriting limits such as the
+virt boundary and got disabled in commit b561ea56a264 ("block: allow
+device to have both virt_boundary_mask and max segment size") instead of
+fixing the issue properly.
+
+Ensure that the SCSI mid layer doesn't set the default low
+max_segment_size limit for this case, and check for invalid
+max_segment_size values in the host template, similar to the original
+block layer check given that SCSI devices can't be stacked.
+
+This fixes reported data corruption on storvsc, although as far as I can
+tell storvsc always failed to properly set the max_segment_size limit as
+the SCSI APIs historically applied that when setting up the host, while
+storvsc only set the virt_boundary_mask when configuring the scsi_device.
+
+Fixes: 81988a0e6b03 ("storvsc: get rid of bounce buffer")
+Fixes: b561ea56a264 ("block: allow device to have both virt_boundary_mask and max segment size")
+Reported-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20250624125233.219635-3-hch@lst.de
+Reviewed-by: John Garry <john.g.garry@oracle.com>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/hosts.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
+index e021f1106beab..cc5d05dc395c4 100644
+--- a/drivers/scsi/hosts.c
++++ b/drivers/scsi/hosts.c
+@@ -473,10 +473,17 @@ struct Scsi_Host *scsi_host_alloc(const struct scsi_host_template *sht, int priv
+ else
+ shost->max_sectors = SCSI_DEFAULT_MAX_SECTORS;
+
+- if (sht->max_segment_size)
+- shost->max_segment_size = sht->max_segment_size;
+- else
+- shost->max_segment_size = BLK_MAX_SEGMENT_SIZE;
++ shost->virt_boundary_mask = sht->virt_boundary_mask;
++ if (shost->virt_boundary_mask) {
++ WARN_ON_ONCE(sht->max_segment_size &&
++ sht->max_segment_size != UINT_MAX);
++ shost->max_segment_size = UINT_MAX;
++ } else {
++ if (sht->max_segment_size)
++ shost->max_segment_size = sht->max_segment_size;
++ else
++ shost->max_segment_size = BLK_MAX_SEGMENT_SIZE;
++ }
+
+ /* 32-byte (dword) is a common minimum for HBAs. */
+ if (sht->dma_alignment)
+@@ -492,9 +499,6 @@ struct Scsi_Host *scsi_host_alloc(const struct scsi_host_template *sht, int priv
+ else
+ shost->dma_boundary = 0xffffffff;
+
+- if (sht->virt_boundary_mask)
+- shost->virt_boundary_mask = sht->virt_boundary_mask;
+-
+ device_initialize(&shost->shost_gendev);
+ dev_set_name(&shost->shost_gendev, "host%d", shost->host_no);
+ shost->shost_gendev.bus = &scsi_bus_type;
+--
+2.39.5
+
--- /dev/null
+From 42a157fed15df280a15bd1cd1f771977828d9c3d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jun 2025 18:11:11 +0200
+Subject: scsi: qla2xxx: Fix DMA mapping test in qla24xx_get_port_database()
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit c3b214719a87735d4f67333a8ef3c0e31a34837c ]
+
+dma_map_XXX() functions return as error values DMA_MAPPING_ERROR which is
+often ~0. The error value should be tested with dma_mapping_error() like
+it was done in qla26xx_dport_diagnostics().
+
+Fixes: 818c7f87a177 ("scsi: qla2xxx: Add changes in preparation for vendor extended FDMI/RDP")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://lore.kernel.org/r/20250617161115.39888-2-fourier.thomas@gmail.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_mbx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_mbx.c b/drivers/scsi/qla2xxx/qla_mbx.c
+index 0cd6f3e148824..13b6cb1b93acd 100644
+--- a/drivers/scsi/qla2xxx/qla_mbx.c
++++ b/drivers/scsi/qla2xxx/qla_mbx.c
+@@ -2147,7 +2147,7 @@ qla24xx_get_port_database(scsi_qla_host_t *vha, u16 nport_handle,
+
+ pdb_dma = dma_map_single(&vha->hw->pdev->dev, pdb,
+ sizeof(*pdb), DMA_FROM_DEVICE);
+- if (!pdb_dma) {
++ if (dma_mapping_error(&vha->hw->pdev->dev, pdb_dma)) {
+ ql_log(ql_log_warn, vha, 0x1116, "Failed to map dma buffer.\n");
+ return QLA_MEMORY_ALLOC_FAILED;
+ }
+--
+2.39.5
+
--- /dev/null
+From cb5d7123c50c9f4121fbdf1fda03011e41d267d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 09:17:37 +0200
+Subject: scsi: qla4xxx: Fix missing DMA mapping error in qla4xxx_alloc_pdu()
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 00f452a1b084efbe8dcb60a29860527944a002a1 ]
+
+dma_map_XXX() can fail and should be tested for errors with
+dma_mapping_error().
+
+Fixes: b3a271a94d00 ("[SCSI] qla4xxx: support iscsiadm session mgmt")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://lore.kernel.org/r/20250618071742.21822-2-fourier.thomas@gmail.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla4xxx/ql4_os.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c
+index d540d66e6ffc4..80c4b4e7526b1 100644
+--- a/drivers/scsi/qla4xxx/ql4_os.c
++++ b/drivers/scsi/qla4xxx/ql4_os.c
+@@ -3420,6 +3420,8 @@ static int qla4xxx_alloc_pdu(struct iscsi_task *task, uint8_t opcode)
+ task_data->data_dma = dma_map_single(&ha->pdev->dev, task->data,
+ task->data_count,
+ DMA_TO_DEVICE);
++ if (dma_mapping_error(&ha->pdev->dev, task_data->data_dma))
++ return -ENOMEM;
+ }
+
+ DEBUG2(ql4_printk(KERN_INFO, ha, "%s: MaxRecvLen %u, iscsi hrd %d\n",
+--
+2.39.5
+
--- /dev/null
+From 6ec0a3e1dd82f33fe053ab5593385a0542890c8a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Jun 2025 12:03:02 +0800
+Subject: scsi: sd: Fix VPD page 0xb7 length check
+
+From: jackysliu <1972843537@qq.com>
+
+[ Upstream commit 8889676cd62161896f1d861ce294adc29c4f2cb5 ]
+
+sd_read_block_limits_ext() currently assumes that vpd->len excludes the
+size of the page header. However, vpd->len describes the size of the entire
+VPD page, therefore the sanity check is incorrect.
+
+In practice this is not really a problem since we don't attach VPD
+pages unless they actually report data trailing the header. But fix
+the length check regardless.
+
+This issue was identified by Wukong-Agent (formerly Tencent Woodpecker), a
+code security AI agent, through static code analysis.
+
+[mkp: rewrote patch description]
+
+Signed-off-by: jackysliu <1972843537@qq.com>
+Link: https://lore.kernel.org/r/tencent_ADA5210D1317EEB6CD7F3DE9FE9DA4591D05@qq.com
+Fixes: 96b171d6dba6 ("scsi: core: Query the Block Limits Extension VPD page")
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/sd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
+index 950d8c9fb8843..89d5c4b17bc46 100644
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -3384,7 +3384,7 @@ static void sd_read_block_limits_ext(struct scsi_disk *sdkp)
+
+ rcu_read_lock();
+ vpd = rcu_dereference(sdkp->device->vpd_pgb7);
+- if (vpd && vpd->len >= 2)
++ if (vpd && vpd->len >= 6)
+ sdkp->rscs = vpd->data[5] & 1;
+ rcu_read_unlock();
+ }
+--
+2.39.5
+
--- /dev/null
+From 9765587c6fc7c5795fa7c317d189b5bc41b2e65d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jun 2025 12:15:56 +0200
+Subject: scsi: target: Fix NULL pointer dereference in
+ core_scsi3_decode_spec_i_port()
+
+From: Maurizio Lombardi <mlombard@redhat.com>
+
+[ Upstream commit d8ab68bdb294b09a761e967dad374f2965e1913f ]
+
+The function core_scsi3_decode_spec_i_port(), in its error code path,
+unconditionally calls core_scsi3_lunacl_undepend_item() passing the
+dest_se_deve pointer, which may be NULL.
+
+This can lead to a NULL pointer dereference if dest_se_deve remains
+unset.
+
+SPC-3 PR SPEC_I_PT: Unable to locate dest_tpg
+Unable to handle kernel paging request at virtual address dfff800000000012
+Call trace:
+ core_scsi3_lunacl_undepend_item+0x2c/0xf0 [target_core_mod] (P)
+ core_scsi3_decode_spec_i_port+0x120c/0x1c30 [target_core_mod]
+ core_scsi3_emulate_pro_register+0x6b8/0xcd8 [target_core_mod]
+ target_scsi3_emulate_pr_out+0x56c/0x840 [target_core_mod]
+
+Fix this by adding a NULL check before calling
+core_scsi3_lunacl_undepend_item()
+
+Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
+Link: https://lore.kernel.org/r/20250612101556.24829-1-mlombard@redhat.com
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Reviewed-by: John Meneghini <jmeneghi@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/target_core_pr.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/target/target_core_pr.c b/drivers/target/target_core_pr.c
+index 34cf2c399b399..70905805cb175 100644
+--- a/drivers/target/target_core_pr.c
++++ b/drivers/target/target_core_pr.c
+@@ -1842,7 +1842,9 @@ core_scsi3_decode_spec_i_port(
+ }
+
+ kmem_cache_free(t10_pr_reg_cache, dest_pr_reg);
+- core_scsi3_lunacl_undepend_item(dest_se_deve);
++
++ if (dest_se_deve)
++ core_scsi3_lunacl_undepend_item(dest_se_deve);
+
+ if (is_local)
+ continue;
+--
+2.39.5
+
--- /dev/null
+From 2f064207c5d462966591913fbaad9e4cef5bf337 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jun 2025 11:16:44 -0700
+Subject: scsi: ufs: core: Fix spelling of a sysfs attribute name
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit 021f243627ead17eb6500170256d3d9be787dad8 ]
+
+Change "resourse" into "resource" in the name of a sysfs attribute.
+
+Fixes: d829fc8a1058 ("scsi: ufs: sysfs: unit descriptor")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://lore.kernel.org/r/20250624181658.336035-1-bvanassche@acm.org
+Reviewed-by: Avri Altman <avri.altman@sandisk.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/ABI/testing/sysfs-driver-ufs | 2 +-
+ drivers/ufs/core/ufs-sysfs.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/Documentation/ABI/testing/sysfs-driver-ufs b/Documentation/ABI/testing/sysfs-driver-ufs
+index e36d2de16cbda..0397664e869a0 100644
+--- a/Documentation/ABI/testing/sysfs-driver-ufs
++++ b/Documentation/ABI/testing/sysfs-driver-ufs
+@@ -711,7 +711,7 @@ Description: This file shows the thin provisioning type. This is one of
+
+ The file is read only.
+
+-What: /sys/class/scsi_device/*/device/unit_descriptor/physical_memory_resourse_count
++What: /sys/class/scsi_device/*/device/unit_descriptor/physical_memory_resource_count
+ Date: February 2018
+ Contact: Stanislav Nijnikov <stanislav.nijnikov@wdc.com>
+ Description: This file shows the total physical memory resources. This is
+diff --git a/drivers/ufs/core/ufs-sysfs.c b/drivers/ufs/core/ufs-sysfs.c
+index 634cf163f4cb1..c53f924f7fa83 100644
+--- a/drivers/ufs/core/ufs-sysfs.c
++++ b/drivers/ufs/core/ufs-sysfs.c
+@@ -1675,7 +1675,7 @@ UFS_UNIT_DESC_PARAM(logical_block_size, _LOGICAL_BLK_SIZE, 1);
+ UFS_UNIT_DESC_PARAM(logical_block_count, _LOGICAL_BLK_COUNT, 8);
+ UFS_UNIT_DESC_PARAM(erase_block_size, _ERASE_BLK_SIZE, 4);
+ UFS_UNIT_DESC_PARAM(provisioning_type, _PROVISIONING_TYPE, 1);
+-UFS_UNIT_DESC_PARAM(physical_memory_resourse_count, _PHY_MEM_RSRC_CNT, 8);
++UFS_UNIT_DESC_PARAM(physical_memory_resource_count, _PHY_MEM_RSRC_CNT, 8);
+ UFS_UNIT_DESC_PARAM(context_capabilities, _CTX_CAPABILITIES, 2);
+ UFS_UNIT_DESC_PARAM(large_unit_granularity, _LARGE_UNIT_SIZE_M1, 1);
+ UFS_UNIT_DESC_PARAM(wb_buf_alloc_units, _WB_BUF_ALLOC_UNITS, 4);
+@@ -1692,7 +1692,7 @@ static struct attribute *ufs_sysfs_unit_descriptor[] = {
+ &dev_attr_logical_block_count.attr,
+ &dev_attr_erase_block_size.attr,
+ &dev_attr_provisioning_type.attr,
+- &dev_attr_physical_memory_resourse_count.attr,
++ &dev_attr_physical_memory_resource_count.attr,
+ &dev_attr_context_capabilities.attr,
+ &dev_attr_large_unit_granularity.attr,
+ &dev_attr_wb_buf_alloc_units.attr,
+--
+2.39.5
+
mtk-sd-prevent-memory-corruption-from-dma-map-failure.patch
mtk-sd-reset-host-mrq-on-prepare_data-error.patch
drm-v3d-disable-interrupts-before-resetting-the-gpu.patch
+firmware-arm_ffa-fix-memory-leak-by-freeing-notifier.patch
+firmware-arm_ffa-move-memory-allocation-outside-the-.patch
+firmware-arm_ffa-replace-mutex-with-rwlock-to-avoid-.patch
+firmware-arm_ffa-fix-the-missing-entry-in-struct-ffa.patch
+firmware-exynos-acpm-fix-timeouts-on-xfers-handling.patch
+rdma-mlx5-reduce-stack-usage-in-mlx5_ib_ufile_hw_cle.patch
+arm64-dts-apple-t8103-fix-pcie-bcm4377-nodename.patch
+arm64-dts-apple-drop-address-size-cells-from-spi-nor.patch
+arm64-dts-apple-move-touchbar-mipi-address-size-cell.patch
+platform-mellanox-mlxbf-tmfifo-fix-vring_desc.len-as.patch
+rdma-mlx5-fix-unsafe-xarray-access-in-implicit-odp-h.patch
+rdma-mlx5-initialize-obj_event-obj_sub_list-before-x.patch
+module-provide-export_symbol_gpl_for_modules-helper.patch
+fs-export-anon_inode_make_secure_inode-and-fix-secre.patch
+nfs-clean-up-proc-net-rpc-nfs-when-nfs_fs_proc_net_i.patch
+nfsv4-pnfs-fix-a-race-to-wake-on-nfs_layout_drain.patch
+scsi-qla2xxx-fix-dma-mapping-test-in-qla24xx_get_por.patch
+scsi-qla4xxx-fix-missing-dma-mapping-error-in-qla4xx.patch
+scsi-sd-fix-vpd-page-0xb7-length-check.patch
+scsi-core-enforce-unlimited-max_segment_size-when-vi.patch
+scsi-ufs-core-fix-spelling-of-a-sysfs-attribute-name.patch
+ib-mlx5-fix-potential-deadlock-in-mr-deregistration.patch
+rdma-mlx5-fix-hw-counters-query-for-non-representor-.patch
+rdma-mlx5-fix-cc-counters-query-for-mpv.patch
+rdma-mlx5-fix-vport-loopback-for-mpv-device.patch
+platform-mellanox-mlxbf-pmc-fix-duplicate-event-id-f.patch
+platform-mellanox-nvsw-sn2201-fix-bus-number-in-adap.patch
+platform-x86-wmi-fix-wmi-event-enablement.patch
+flexfiles-pnfs-update-stats-on-nfs4err_delay-for-v4..patch
+nfsv4-flexfiles-fix-handling-of-nfs-level-errors-in-.patch
+bluetooth-prevent-unintended-pause-by-checking-if-ad.patch
+btrfs-fix-failure-to-rebuild-free-space-tree-using-m.patch
+btrfs-fix-missing-error-handling-when-searching-for-.patch
+btrfs-fix-iteration-of-extrefs-during-log-replay.patch
+btrfs-fix-inode-lookup-error-handling-during-log-rep.patch
+btrfs-record-new-subvolume-in-parent-dir-earlier-to-.patch
+btrfs-propagate-last_unlink_trans-earlier-when-doing.patch
+btrfs-use-btrfs_record_snapshot_destroy-during-rmdir.patch
+ethernet-atl1-add-missing-dma-mapping-error-checks-a.patch
+dpaa2-eth-fix-xdp_rxq_info-leak.patch
+drm-exynos-fimd-guard-display-clock-control-with-run.patch
+spi-spi-qpic-snand-reallocate-bam-transactions.patch
+spi-spi-fsl-dspi-clear-completion-counter-before-ini.patch
+drm-i915-selftests-change-mock_request-to-return-err.patch
+nvme-fix-incorrect-cdw15-value-in-passthru-error-log.patch
+nvmet-fix-memory-leak-of-bio-integrity.patch
+nvme-pci-refresh-visible-attrs-after-being-checked.patch
+platform-x86-dell-wmi-sysman-fix-wmi-data-block-retr.patch
+platform-x86-hp-bioscfg-fix-class-device-unregistrat.patch
+platform-x86-think-lmi-fix-class-device-unregistrati.patch
+platform-x86-dell-wmi-sysman-fix-class-device-unregi.patch
+platform-mellanox-mlxreg-lc-fix-logic-error-in-power.patch
+drm-bridge-panel-move-prepare_prev_first-handling-to.patch
+drm-bridge-aux-hpd-bridge-fix-assignment-of-the-of_n.patch
+smb-client-fix-warning-when-reconnecting-channel.patch
+net-usb-lan78xx-fix-warn-in-__netif_napi_del_locked-.patch
+drm-vmwgfx-fix-guests-running-with-tdx-sev.patch
+drm-i915-gt-fix-timeline-left-held-on-vma-alloc-erro.patch
+drm-i915-gsc-mei-interrupt-top-half-should-be-in-irq.patch
+nvme-multipath-fix-suspicious-rcu-usage-warning.patch
+idpf-return-0-size-for-rss-key-if-not-supported.patch
+idpf-convert-control-queue-mutex-to-a-spinlock.patch
+igc-disable-l1.2-pci-e-link-substate-to-avoid-perfor.patch
+drm-xe-fix-out-of-bounds-field-write-in-mi_store_dat.patch
+netfs-fix-hang-due-to-missing-case-in-final-dio-read.patch
+netfs-fix-looping-in-wait-functions.patch
+netfs-fix-ref-leak-on-inserted-extra-subreq-in-write.patch
+smb-client-set-missing-retry-flag-in-smb2_writev_cal.patch
+smb-client-set-missing-retry-flag-in-cifs_readv_call.patch
+smb-client-set-missing-retry-flag-in-cifs_writev_cal.patch
+netfs-fix-i_size-updating.patch
+drm-xe-guc-enable-w-a-16026508708.patch
+drm-xe-guc_pc-add-_locked-variant-for-min-max-freq.patch
+drm-xe-split-xe_device_td_flush.patch
+drm-xe-bmg-update-wa_14022085890.patch
+drm-xe-bmg-update-wa_22019338487.patch
+lib-test_objagg-set-error-message-in-check_expect_hi.patch
+amd-xgbe-align-cl37-an-sequence-as-per-databook.patch
+enic-fix-incorrect-mtu-comparison-in-enic_change_mtu.patch
+rose-fix-dangling-neighbour-pointers-in-rose_rt_devi.patch
+nui-fix-dma_mapping_error-check.patch
+net-sched-always-pass-notifications-when-child-class.patch
+amd-xgbe-do-not-double-read-link-status.patch
+net-ipv4-fix-stat-increase-when-udp-early-demux-drop.patch
+smb-client-fix-race-condition-in-negotiate-timeout-b.patch
+smb-client-fix-native-smb-symlink-traversal.patch
+netfs-fix-double-put-of-request.patch
+drm-xe-allow-dropping-kunit-dependency-as-built-in.patch
+x86-platform-amd-move-final-timeout-check-to-after-f.patch
+drm-msm-fix-a-fence-leak-in-submit-error-path.patch
+drm-msm-fix-another-leak-in-the-submit-error-path.patch
+alsa-sb-don-t-allow-changing-the-dma-mode-during-ope.patch
+alsa-sb-force-to-disable-dmas-once-when-dma-mode-is-.patch
+ata-libata-acpi-do-not-assume-40-wire-cable-if-no-de.patch
+ata-pata_cs5536-fix-build-on-32-bit-uml.patch
+asoc-amd-yc-add-quirk-for-msi-bravo-17-d7vf-internal.patch
+platform-x86-amd-pmc-add-pcspecialist-lafite-pro-v-1.patch
+genirq-irq_sim-initialize-work-context-pointers-prop.patch
+powerpc-fix-struct-termio-related-ioctl-macros.patch
+asoc-amd-yc-update-quirk-data-for-hp-victus.patch
+regulator-fan53555-add-enable_time-support-and-soft-.patch
+scsi-target-fix-null-pointer-dereference-in-core_scs.patch
+aoe-defer-rexmit-timer-downdev-work-to-workqueue.patch
+wifi-mac80211-drop-invalid-source-address-ocb-frames.patch
+wifi-ath6kl-remove-warn-on-bad-firmware-input.patch
+acpica-refuse-to-evaluate-a-method-if-arguments-are-.patch
+mtd-spinand-fix-memory-leak-of-ecc-engine-conf.patch
+rcu-return-early-if-callback-is-not-specified.patch
--- /dev/null
+From c6ffb5b8f6c6c12f71c77531a4d86e3ffe99dfd9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 17:57:19 -0300
+Subject: smb: client: fix native SMB symlink traversal
+
+From: Paulo Alcantara <pc@manguebit.org>
+
+[ Upstream commit 3363da82e02f1bddc54faa92ea430c6532e2cd2e ]
+
+We've seen customers having shares mounted in paths like /??/C:/ or
+/??/UNC/foo.example.com/share in order to get their native SMB
+symlinks successfully followed from different mounts.
+
+After commit 12b466eb52d9 ("cifs: Fix creating and resolving absolute NT-style symlinks"),
+the client would then convert absolute paths from "/??/C:/" to "/mnt/c/"
+by default. The absolute paths would vary depending on the value of
+symlinkroot= mount option.
+
+Fix this by restoring old behavior of not trying to convert absolute
+paths by default. Only do this if symlinkroot= was _explicitly_ set.
+
+Before patch:
+
+ $ mount.cifs //w22-fs0/test2 /mnt/1 -o vers=3.1.1,username=xxx,password=yyy
+ $ ls -l /mnt/1/symlink2
+ lrwxr-xr-x 1 root root 15 Jun 20 14:22 /mnt/1/symlink2 -> /mnt/c/testfile
+ $ mkdir -p /??/C:; echo foo > //??/C:/testfile
+ $ cat /mnt/1/symlink2
+ cat: /mnt/1/symlink2: No such file or directory
+
+After patch:
+
+ $ mount.cifs //w22-fs0/test2 /mnt/1 -o vers=3.1.1,username=xxx,password=yyy
+ $ ls -l /mnt/1/symlink2
+ lrwxr-xr-x 1 root root 15 Jun 20 14:22 /mnt/1/symlink2 -> '/??/C:/testfile'
+ $ mkdir -p /??/C:; echo foo > //??/C:/testfile
+ $ cat /mnt/1/symlink2
+ foo
+
+Cc: linux-cifs@vger.kernel.org
+Reported-by: Pierguido Lambri <plambri@redhat.com>
+Cc: David Howells <dhowells@redhat.com>
+Cc: Stefan Metzmacher <metze@samba.org>
+Fixes: 12b466eb52d9 ("cifs: Fix creating and resolving absolute NT-style symlinks")
+Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/fs_context.c | 17 +++++++----------
+ fs/smb/client/reparse.c | 22 +++++++++++++---------
+ 2 files changed, 20 insertions(+), 19 deletions(-)
+
+diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c
+index a634a34d4086a..59ccc2229ab30 100644
+--- a/fs/smb/client/fs_context.c
++++ b/fs/smb/client/fs_context.c
+@@ -1824,10 +1824,14 @@ static int smb3_fs_context_parse_param(struct fs_context *fc,
+ cifs_errorf(fc, "symlinkroot mount options must be absolute path\n");
+ goto cifs_parse_mount_err;
+ }
+- kfree(ctx->symlinkroot);
+- ctx->symlinkroot = kstrdup(param->string, GFP_KERNEL);
+- if (!ctx->symlinkroot)
++ if (strnlen(param->string, PATH_MAX) == PATH_MAX) {
++ cifs_errorf(fc, "symlinkroot path too long (max path length: %u)\n",
++ PATH_MAX - 1);
+ goto cifs_parse_mount_err;
++ }
++ kfree(ctx->symlinkroot);
++ ctx->symlinkroot = param->string;
++ param->string = NULL;
+ break;
+ }
+ /* case Opt_ignore: - is ignored as expected ... */
+@@ -1837,13 +1841,6 @@ static int smb3_fs_context_parse_param(struct fs_context *fc,
+ goto cifs_parse_mount_err;
+ }
+
+- /*
+- * By default resolve all native absolute symlinks relative to "/mnt/".
+- * Same default has drvfs driver running in WSL for resolving SMB shares.
+- */
+- if (!ctx->symlinkroot)
+- ctx->symlinkroot = kstrdup("/mnt/", GFP_KERNEL);
+-
+ return 0;
+
+ cifs_parse_mount_err:
+diff --git a/fs/smb/client/reparse.c b/fs/smb/client/reparse.c
+index 1c40e42e4d897..5fa29a97ac154 100644
+--- a/fs/smb/client/reparse.c
++++ b/fs/smb/client/reparse.c
+@@ -57,6 +57,7 @@ static int create_native_symlink(const unsigned int xid, struct inode *inode,
+ struct reparse_symlink_data_buffer *buf = NULL;
+ struct cifs_open_info_data data = {};
+ struct cifs_sb_info *cifs_sb = CIFS_SB(inode->i_sb);
++ const char *symroot = cifs_sb->ctx->symlinkroot;
+ struct inode *new;
+ struct kvec iov;
+ __le16 *path = NULL;
+@@ -82,7 +83,8 @@ static int create_native_symlink(const unsigned int xid, struct inode *inode,
+ .symlink_target = symlink_target,
+ };
+
+- if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_POSIX_PATHS) && symname[0] == '/') {
++ if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_POSIX_PATHS) &&
++ symroot && symname[0] == '/') {
+ /*
+ * This is a request to create an absolute symlink on the server
+ * which does not support POSIX paths, and expects symlink in
+@@ -92,7 +94,7 @@ static int create_native_symlink(const unsigned int xid, struct inode *inode,
+ * ensure compatibility of this symlink stored in absolute form
+ * on the SMB server.
+ */
+- if (!strstarts(symname, cifs_sb->ctx->symlinkroot)) {
++ if (!strstarts(symname, symroot)) {
+ /*
+ * If the absolute Linux symlink target path is not
+ * inside "symlinkroot" location then there is no way
+@@ -101,12 +103,12 @@ static int create_native_symlink(const unsigned int xid, struct inode *inode,
+ cifs_dbg(VFS,
+ "absolute symlink '%s' cannot be converted to NT format "
+ "because it is outside of symlinkroot='%s'\n",
+- symname, cifs_sb->ctx->symlinkroot);
++ symname, symroot);
+ rc = -EINVAL;
+ goto out;
+ }
+- len = strlen(cifs_sb->ctx->symlinkroot);
+- if (cifs_sb->ctx->symlinkroot[len-1] != '/')
++ len = strlen(symroot);
++ if (symroot[len - 1] != '/')
+ len++;
+ if (symname[len] >= 'a' && symname[len] <= 'z' &&
+ (symname[len+1] == '/' || symname[len+1] == '\0')) {
+@@ -782,6 +784,7 @@ int smb2_parse_native_symlink(char **target, const char *buf, unsigned int len,
+ const char *full_path,
+ struct cifs_sb_info *cifs_sb)
+ {
++ const char *symroot = cifs_sb->ctx->symlinkroot;
+ char sep = CIFS_DIR_SEP(cifs_sb);
+ char *linux_target = NULL;
+ char *smb_target = NULL;
+@@ -815,7 +818,8 @@ int smb2_parse_native_symlink(char **target, const char *buf, unsigned int len,
+ goto out;
+ }
+
+- if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_POSIX_PATHS) && !relative) {
++ if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_POSIX_PATHS) &&
++ symroot && !relative) {
+ /*
+ * This is an absolute symlink from the server which does not
+ * support POSIX paths, so the symlink is in NT-style path.
+@@ -907,15 +911,15 @@ int smb2_parse_native_symlink(char **target, const char *buf, unsigned int len,
+ }
+
+ abs_path_len = strlen(abs_path)+1;
+- symlinkroot_len = strlen(cifs_sb->ctx->symlinkroot);
+- if (cifs_sb->ctx->symlinkroot[symlinkroot_len-1] == '/')
++ symlinkroot_len = strlen(symroot);
++ if (symroot[symlinkroot_len - 1] == '/')
+ symlinkroot_len--;
+ linux_target = kmalloc(symlinkroot_len + 1 + abs_path_len, GFP_KERNEL);
+ if (!linux_target) {
+ rc = -ENOMEM;
+ goto out;
+ }
+- memcpy(linux_target, cifs_sb->ctx->symlinkroot, symlinkroot_len);
++ memcpy(linux_target, symroot, symlinkroot_len);
+ linux_target[symlinkroot_len] = '/';
+ memcpy(linux_target + symlinkroot_len + 1, abs_path, abs_path_len);
+ } else if (smb_target[0] == sep && relative) {
+--
+2.39.5
+
--- /dev/null
+From e69b5754a5e3dbe6959fd67f76d9a77e27202064 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 21:29:52 +0800
+Subject: smb: client: fix race condition in negotiate timeout by using more
+ precise timing
+
+From: Wang Zhaolong <wangzhaolong@huaweicloud.com>
+
+[ Upstream commit 266b5d02e14f3a0e07414e11f239397de0577a1d ]
+
+When the SMB server reboots and the client immediately accesses the mount
+point, a race condition can occur that causes operations to fail with
+"Host is down" error.
+
+Reproduction steps:
+ # Mount SMB share
+ mount -t cifs //192.168.245.109/TEST /mnt/ -o xxxx
+ ls /mnt
+
+ # Reboot server
+ ssh root@192.168.245.109 reboot
+ ssh root@192.168.245.109 /path/to/cifs_server_setup.sh
+ ssh root@192.168.245.109 systemctl stop firewalld
+
+ # Immediate access fails
+ ls /mnt
+ ls: cannot access '/mnt': Host is down
+
+ # But works if there is a delay
+
+The issue is caused by a race condition between negotiate and reconnect.
+The 20-second negotiate timeout mechanism can interfere with the normal
+recovery process when both are triggered simultaneously.
+
+ ls cifsd
+---------------------------------------------------
+ cifs_getattr
+ cifs_revalidate_dentry
+ cifs_get_inode_info
+ cifs_get_fattr
+ smb2_query_path_info
+ smb2_compound_op
+ SMB2_open_init
+ smb2_reconnect
+ cifs_negotiate_protocol
+ smb2_negotiate
+ cifs_send_recv
+ smb_send_rqst
+ wait_for_response
+ cifs_demultiplex_thread
+ cifs_read_from_socket
+ cifs_readv_from_socket
+ server_unresponsive
+ cifs_reconnect
+ __cifs_reconnect
+ cifs_abort_connection
+ mid->mid_state = MID_RETRY_NEEDED
+ cifs_wake_up_task
+ cifs_sync_mid_result
+ // case MID_RETRY_NEEDED
+ rc = -EAGAIN;
+ // In smb2_negotiate()
+ rc = -EHOSTDOWN;
+
+The server_unresponsive() timeout triggers cifs_reconnect(), which aborts
+ongoing mid requests and causes the ls command to receive -EAGAIN, leading
+to -EHOSTDOWN.
+
+Fix this by introducing a dedicated `neg_start` field to
+precisely tracks when the negotiate process begins. The timeout check
+now uses this accurate timestamp instead of `lstrp`, ensuring that:
+
+1. Timeout is only triggered after negotiate has actually run for 20s
+2. The mechanism doesn't interfere with concurrent recovery processes
+3. Uninitialized timestamps (value 0) don't trigger false timeouts
+
+Fixes: 7ccc1465465d ("smb: client: fix hang in wait_for_response() for negproto")
+Signed-off-by: Wang Zhaolong <wangzhaolong@huaweicloud.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/cifsglob.h | 1 +
+ fs/smb/client/connect.c | 7 ++++---
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/fs/smb/client/cifsglob.h b/fs/smb/client/cifsglob.h
+index b89db44e0a8e3..eed29f043114a 100644
+--- a/fs/smb/client/cifsglob.h
++++ b/fs/smb/client/cifsglob.h
+@@ -777,6 +777,7 @@ struct TCP_Server_Info {
+ __le32 session_key_id; /* retrieved from negotiate response and send in session setup request */
+ struct session_key session_key;
+ unsigned long lstrp; /* when we got last response from this server */
++ unsigned long neg_start; /* when negotiate started (jiffies) */
+ struct cifs_secmech secmech; /* crypto sec mech functs, descriptors */
+ #define CIFS_NEGFLAVOR_UNENCAP 1 /* wct == 17, but no ext_sec */
+ #define CIFS_NEGFLAVOR_EXTENDED 2 /* wct == 17, ext_sec bit set */
+diff --git a/fs/smb/client/connect.c b/fs/smb/client/connect.c
+index e92c7b71626fd..b4b162c93106b 100644
+--- a/fs/smb/client/connect.c
++++ b/fs/smb/client/connect.c
+@@ -679,12 +679,12 @@ server_unresponsive(struct TCP_Server_Info *server)
+ /*
+ * If we're in the process of mounting a share or reconnecting a session
+ * and the server abruptly shut down (e.g. socket wasn't closed, packet
+- * had been ACK'ed but no SMB response), don't wait longer than 20s to
+- * negotiate protocol.
++ * had been ACK'ed but no SMB response), don't wait longer than 20s from
++ * when negotiate actually started.
+ */
+ spin_lock(&server->srv_lock);
+ if (server->tcpStatus == CifsInNegotiate &&
+- time_after(jiffies, server->lstrp + 20 * HZ)) {
++ time_after(jiffies, server->neg_start + 20 * HZ)) {
+ spin_unlock(&server->srv_lock);
+ cifs_reconnect(server, false);
+ return true;
+@@ -4209,6 +4209,7 @@ cifs_negotiate_protocol(const unsigned int xid, struct cifs_ses *ses,
+
+ server->lstrp = jiffies;
+ server->tcpStatus = CifsInNegotiate;
++ server->neg_start = jiffies;
+ spin_unlock(&server->srv_lock);
+
+ rc = server->ops->negotiate(xid, ses, server);
+--
+2.39.5
+
--- /dev/null
+From a7e0338cabed78ba10808f13b1f2d0c45e153769 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jun 2025 00:00:17 -0300
+Subject: smb: client: fix warning when reconnecting channel
+
+From: Paulo Alcantara <pc@manguebit.org>
+
+[ Upstream commit 3bbe46716092d8ef6b0df4b956f585c5cd0fc78e ]
+
+When reconnecting a channel in smb2_reconnect_server(), a dummy tcon
+is passed down to smb2_reconnect() with ->query_interface
+uninitialized, so we can't call queue_delayed_work() on it.
+
+Fix the following warning by ensuring that we're queueing the delayed
+worker from correct tcon.
+
+WARNING: CPU: 4 PID: 1126 at kernel/workqueue.c:2498 __queue_delayed_work+0x1d2/0x200
+Modules linked in: cifs cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs]
+CPU: 4 UID: 0 PID: 1126 Comm: kworker/4:0 Not tainted 6.16.0-rc3 #5 PREEMPT(voluntary)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-4.fc42 04/01/2014
+Workqueue: cifsiod smb2_reconnect_server [cifs]
+RIP: 0010:__queue_delayed_work+0x1d2/0x200
+Code: 41 5e 41 5f e9 7f ee ff ff 90 0f 0b 90 e9 5d ff ff ff bf 02 00
+00 00 e8 6c f3 07 00 89 c3 eb bd 90 0f 0b 90 e9 57 f> 0b 90 e9 65 fe
+ff ff 90 0f 0b 90 e9 72 fe ff ff 90 0f 0b 90 e9
+RSP: 0018:ffffc900014afad8 EFLAGS: 00010003
+RAX: 0000000000000000 RBX: ffff888124d99988 RCX: ffffffff81399cc1
+RDX: dffffc0000000000 RSI: ffff888114326e00 RDI: ffff888124d999f0
+RBP: 000000000000ea60 R08: 0000000000000001 R09: ffffed10249b3331
+R10: ffff888124d9998f R11: 0000000000000004 R12: 0000000000000040
+R13: ffff888114326e00 R14: ffff888124d999d8 R15: ffff888114939020
+FS: 0000000000000000(0000) GS:ffff88829f7fe000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007ffe7a2b4038 CR3: 0000000120a6f000 CR4: 0000000000750ef0
+PKRU: 55555554
+Call Trace:
+ <TASK>
+ queue_delayed_work_on+0xb4/0xc0
+ smb2_reconnect+0xb22/0xf50 [cifs]
+ smb2_reconnect_server+0x413/0xd40 [cifs]
+ ? __pfx_smb2_reconnect_server+0x10/0x10 [cifs]
+ ? local_clock_noinstr+0xd/0xd0
+ ? local_clock+0x15/0x30
+ ? lock_release+0x29b/0x390
+ process_one_work+0x4c5/0xa10
+ ? __pfx_process_one_work+0x10/0x10
+ ? __list_add_valid_or_report+0x37/0x120
+ worker_thread+0x2f1/0x5a0
+ ? __kthread_parkme+0xde/0x100
+ ? __pfx_worker_thread+0x10/0x10
+ kthread+0x1fe/0x380
+ ? kthread+0x10f/0x380
+ ? __pfx_kthread+0x10/0x10
+ ? local_clock_noinstr+0xd/0xd0
+ ? ret_from_fork+0x1b/0x1f0
+ ? local_clock+0x15/0x30
+ ? lock_release+0x29b/0x390
+ ? rcu_is_watching+0x20/0x50
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork+0x15b/0x1f0
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork_asm+0x1a/0x30
+ </TASK>
+irq event stamp: 1116206
+hardirqs last enabled at (1116205): [<ffffffff8143af42>] __up_console_sem+0x52/0x60
+hardirqs last disabled at (1116206): [<ffffffff81399f0e>] queue_delayed_work_on+0x6e/0xc0
+softirqs last enabled at (1116138): [<ffffffffc04562fd>] __smb_send_rqst+0x42d/0x950 [cifs]
+softirqs last disabled at (1116136): [<ffffffff823d35e1>] release_sock+0x21/0xf0
+
+Cc: linux-cifs@vger.kernel.org
+Reported-by: David Howells <dhowells@redhat.com>
+Fixes: 42ca547b13a2 ("cifs: do not disable interface polling on failure")
+Reviewed-by: David Howells <dhowells@redhat.com>
+Tested-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Shyam Prasad N <nspmangalore@gmail.com>
+Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Tested-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/cifsglob.h | 1 +
+ fs/smb/client/smb2pdu.c | 10 ++++------
+ 2 files changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/fs/smb/client/cifsglob.h b/fs/smb/client/cifsglob.h
+index 56381cbb63990..b89db44e0a8e3 100644
+--- a/fs/smb/client/cifsglob.h
++++ b/fs/smb/client/cifsglob.h
+@@ -1303,6 +1303,7 @@ struct cifs_tcon {
+ bool use_persistent:1; /* use persistent instead of durable handles */
+ bool no_lease:1; /* Do not request leases on files or directories */
+ bool use_witness:1; /* use witness protocol */
++ bool dummy:1; /* dummy tcon used for reconnecting channels */
+ __le32 capabilities;
+ __u32 share_flags;
+ __u32 maximal_access;
+diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c
+index 72903265b1706..c3b212175b2bf 100644
+--- a/fs/smb/client/smb2pdu.c
++++ b/fs/smb/client/smb2pdu.c
+@@ -423,9 +423,9 @@ smb2_reconnect(__le16 smb2_command, struct cifs_tcon *tcon,
+ free_xid(xid);
+ ses->flags &= ~CIFS_SES_FLAGS_PENDING_QUERY_INTERFACES;
+
+- /* regardless of rc value, setup polling */
+- queue_delayed_work(cifsiod_wq, &tcon->query_interfaces,
+- (SMB_INTERFACE_POLL_INTERVAL * HZ));
++ if (!tcon->ipc && !tcon->dummy)
++ queue_delayed_work(cifsiod_wq, &tcon->query_interfaces,
++ (SMB_INTERFACE_POLL_INTERVAL * HZ));
+
+ mutex_unlock(&ses->session_mutex);
+
+@@ -4221,10 +4221,8 @@ void smb2_reconnect_server(struct work_struct *work)
+ }
+ goto done;
+ }
+-
+ tcon->status = TID_GOOD;
+- tcon->retry = false;
+- tcon->need_reconnect = false;
++ tcon->dummy = true;
+
+ /* now reconnect sessions for necessary channels */
+ list_for_each_entry_safe(ses, ses2, &tmp_ses_list, rlist) {
+--
+2.39.5
+
--- /dev/null
+From e7c29937335f8a22a6a0627fc23a1a8c3987a63f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 17:38:42 +0100
+Subject: smb: client: set missing retry flag in cifs_readv_callback()
+
+From: Paulo Alcantara <pc@manguebit.org>
+
+[ Upstream commit 0e60bae24ad28ab06a485698077d3c626f1e54ab ]
+
+Set NETFS_SREQ_NEED_RETRY flag to tell netfslib that the subreq needs
+to be retried.
+
+Fixes: ee4cdf7ba857 ("netfs: Speed up buffered reading")
+Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Link: https://lore.kernel.org/20250701163852.2171681-8-dhowells@redhat.com
+Tested-by: Steve French <sfrench@samba.org>
+Cc: linux-cifs@vger.kernel.org
+Cc: netfs@lists.linux.dev
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/cifssmb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/smb/client/cifssmb.c b/fs/smb/client/cifssmb.c
+index 7216fcec79e8b..f9ccae5de5b88 100644
+--- a/fs/smb/client/cifssmb.c
++++ b/fs/smb/client/cifssmb.c
+@@ -1335,6 +1335,7 @@ cifs_readv_callback(struct mid_q_entry *mid)
+ break;
+ case MID_REQUEST_SUBMITTED:
+ case MID_RETRY_NEEDED:
++ __set_bit(NETFS_SREQ_NEED_RETRY, &rdata->subreq.flags);
+ rdata->result = -EAGAIN;
+ if (server->sign && rdata->got_bytes)
+ /* reset bytes number since we can not check a sign */
+--
+2.39.5
+
--- /dev/null
+From 19af7c76cda1f124106511b9989271fa979620e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 17:38:43 +0100
+Subject: smb: client: set missing retry flag in cifs_writev_callback()
+
+From: Paulo Alcantara <pc@manguebit.org>
+
+[ Upstream commit 74ee76bea4b445c023d04806e0bcd78a912fd30b ]
+
+Set NETFS_SREQ_NEED_RETRY flag to tell netfslib that the subreq needs
+to be retried.
+
+Fixes: ee4cdf7ba857 ("netfs: Speed up buffered reading")
+Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Link: https://lore.kernel.org/20250701163852.2171681-9-dhowells@redhat.com
+Tested-by: Steve French <sfrench@samba.org>
+Cc: linux-cifs@vger.kernel.org
+Cc: netfs@lists.linux.dev
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/cifssmb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/smb/client/cifssmb.c b/fs/smb/client/cifssmb.c
+index f9ccae5de5b88..0e509a0433fb6 100644
+--- a/fs/smb/client/cifssmb.c
++++ b/fs/smb/client/cifssmb.c
+@@ -1715,6 +1715,7 @@ cifs_writev_callback(struct mid_q_entry *mid)
+ break;
+ case MID_REQUEST_SUBMITTED:
+ case MID_RETRY_NEEDED:
++ __set_bit(NETFS_SREQ_NEED_RETRY, &wdata->subreq.flags);
+ result = -EAGAIN;
+ break;
+ default:
+--
+2.39.5
+
--- /dev/null
+From 80bcde21959a8a7dd7e7312443f7e90b571ceb3f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 17:38:41 +0100
+Subject: smb: client: set missing retry flag in smb2_writev_callback()
+
+From: Paulo Alcantara <pc@manguebit.org>
+
+[ Upstream commit e67e75edeb88022c04f8e0a173e1ff6dc688f155 ]
+
+Set NETFS_SREQ_NEED_RETRY flag to tell netfslib that the subreq needs
+to be retried.
+
+Fixes: ee4cdf7ba857 ("netfs: Speed up buffered reading")
+Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Link: https://lore.kernel.org/20250701163852.2171681-7-dhowells@redhat.com
+Tested-by: Steve French <sfrench@samba.org>
+Cc: linux-cifs@vger.kernel.org
+Cc: netfs@lists.linux.dev
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/smb2pdu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c
+index c3b212175b2bf..2c0cc544dfb31 100644
+--- a/fs/smb/client/smb2pdu.c
++++ b/fs/smb/client/smb2pdu.c
+@@ -4852,6 +4852,7 @@ smb2_writev_callback(struct mid_q_entry *mid)
+ break;
+ case MID_REQUEST_SUBMITTED:
+ case MID_RETRY_NEEDED:
++ __set_bit(NETFS_SREQ_NEED_RETRY, &wdata->subreq.flags);
+ result = -EAGAIN;
+ break;
+ case MID_RESPONSE_MALFORMED:
+--
+2.39.5
+
--- /dev/null
+From c87f2eeea1991258a66d2d924907494e9bf2d131 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 11:21:37 +0100
+Subject: spi: spi-fsl-dspi: Clear completion counter before initiating
+ transfer
+
+From: James Clark <james.clark@linaro.org>
+
+[ Upstream commit fa60c094c19b97e103d653f528f8d9c178b6a5f5 ]
+
+In target mode, extra interrupts can be received between the end of a
+transfer and halting the module if the host continues sending more data.
+If the interrupt from this occurs after the reinit_completion() then the
+completion counter is left at a non-zero value. The next unrelated
+transfer initiated by userspace will then complete immediately without
+waiting for the interrupt or writing to the RX buffer.
+
+Fix it by resetting the counter before the transfer so that lingering
+values are cleared. This is done after clearing the FIFOs and the
+status register but before the transfer is initiated, so no interrupts
+should be received at this point resulting in other race conditions.
+
+Fixes: 4f5ee75ea171 ("spi: spi-fsl-dspi: Replace interruptible wait queue with a simple completion")
+Signed-off-by: James Clark <james.clark@linaro.org>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Link: https://patch.msgid.link/20250627-james-nxp-spi-dma-v4-1-178dba20c120@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-fsl-dspi.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-fsl-dspi.c b/drivers/spi/spi-fsl-dspi.c
+index 863781ba6c160..0dcd491140950 100644
+--- a/drivers/spi/spi-fsl-dspi.c
++++ b/drivers/spi/spi-fsl-dspi.c
+@@ -983,11 +983,20 @@ static int dspi_transfer_one_message(struct spi_controller *ctlr,
+ if (dspi->devtype_data->trans_mode == DSPI_DMA_MODE) {
+ status = dspi_dma_xfer(dspi);
+ } else {
++ /*
++ * Reinitialize the completion before transferring data
++ * to avoid the case where it might remain in the done
++ * state due to a spurious interrupt from a previous
++ * transfer. This could falsely signal that the current
++ * transfer has completed.
++ */
++ if (dspi->irq)
++ reinit_completion(&dspi->xfer_done);
++
+ dspi_fifo_write(dspi);
+
+ if (dspi->irq) {
+ wait_for_completion(&dspi->xfer_done);
+- reinit_completion(&dspi->xfer_done);
+ } else {
+ do {
+ status = dspi_poll(dspi);
+--
+2.39.5
+
--- /dev/null
+From 568dfe17798b5b1d3677028f2839d3270548d387 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 22:22:49 +0200
+Subject: spi: spi-qpic-snand: reallocate BAM transactions
+
+From: Gabor Juhos <j4g8y7@gmail.com>
+
+[ Upstream commit d85d0380292a7e618915069c3579ae23c7c80339 ]
+
+Using the mtd_nandbiterrs module for testing the driver occasionally
+results in weird things like below.
+
+1. swiotlb mapping fails with the following message:
+
+ [ 85.926216] qcom_snand 79b0000.spi: swiotlb buffer is full (sz: 4294967294 bytes), total 512 (slots), used 0 (slots)
+ [ 85.932937] qcom_snand 79b0000.spi: failure in mapping desc
+ [ 87.999314] qcom_snand 79b0000.spi: failure to write raw page
+ [ 87.999352] mtd_nandbiterrs: error: write_oob failed (-110)
+
+ Rebooting the board after this causes a panic due to a NULL pointer
+ dereference.
+
+2. If the swiotlb mapping does not fail, rebooting the board may result
+ in a different panic due to a bad spinlock magic:
+
+ [ 256.104459] BUG: spinlock bad magic on CPU#3, procd/2241
+ [ 256.104488] Unable to handle kernel paging request at virtual address ffffffff0000049b
+ ...
+
+Investigating the issue revealed that these symptoms are results of
+memory corruption which is caused by out of bounds access within the
+driver.
+
+The driver uses a dynamically allocated structure for BAM transactions,
+which structure must have enough space for all possible variations of
+different flash operations initiated by the driver. The required space
+heavily depends on the actual number of 'codewords' which is calculated
+from the pagesize of the actual NAND chip.
+
+Although the qcom_nandc_alloc() function allocates memory for the BAM
+transactions during probe, but since the actual number of 'codewords'
+is not yet know the allocation is done for one 'codeword' only.
+
+Because of this, whenever the driver does a flash operation, and the
+number of the required transactions exceeds the size of the allocated
+arrays the driver accesses memory out of the allocated range.
+
+To avoid this, change the code to free the initially allocated BAM
+transactions memory, and allocate a new one once the actual number of
+'codewords' required for a given NAND chip is known.
+
+Fixes: 7304d1909080 ("spi: spi-qpic: add driver for QCOM SPI NAND flash Interface")
+Reviewed-by: Md Sadre Alam <quic_mdalam@quicinc.com>
+Signed-off-by: Gabor Juhos <j4g8y7@gmail.com>
+Link: https://patch.msgid.link/20250618-qpic-snand-avoid-mem-corruption-v3-1-319c71296cda@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-qpic-snand.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/drivers/spi/spi-qpic-snand.c b/drivers/spi/spi-qpic-snand.c
+index d3a4e091dca4e..80856d2fa35c6 100644
+--- a/drivers/spi/spi-qpic-snand.c
++++ b/drivers/spi/spi-qpic-snand.c
+@@ -316,6 +316,22 @@ static int qcom_spi_ecc_init_ctx_pipelined(struct nand_device *nand)
+
+ mtd_set_ooblayout(mtd, &qcom_spi_ooblayout);
+
++ /*
++ * Free the temporary BAM transaction allocated initially by
++ * qcom_nandc_alloc(), and allocate a new one based on the
++ * updated max_cwperpage value.
++ */
++ qcom_free_bam_transaction(snandc);
++
++ snandc->max_cwperpage = cwperpage;
++
++ snandc->bam_txn = qcom_alloc_bam_transaction(snandc);
++ if (!snandc->bam_txn) {
++ dev_err(snandc->dev, "failed to allocate BAM transaction\n");
++ ret = -ENOMEM;
++ goto err_free_ecc_cfg;
++ }
++
+ ecc_cfg->cfg0 = FIELD_PREP(CW_PER_PAGE_MASK, (cwperpage - 1)) |
+ FIELD_PREP(UD_SIZE_BYTES_MASK, ecc_cfg->cw_data) |
+ FIELD_PREP(DISABLE_STATUS_AFTER_WRITE, 1) |
+--
+2.39.5
+
--- /dev/null
+From 0efb1ddf2bed00c7158c59778d15a415341bb441 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jun 2025 11:45:29 +0200
+Subject: wifi: ath6kl: remove WARN on bad firmware input
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit e7417421d89358da071fd2930f91e67c7128fbff ]
+
+If the firmware gives bad input, that's nothing to do with
+the driver's stack at this point etc., so the WARN_ON()
+doesn't add any value. Additionally, this is one of the
+top syzbot reports now. Just print a message, and as an
+added bonus, print the sizes too.
+
+Reported-by: syzbot+92c6dd14aaa230be6855@syzkaller.appspotmail.com
+Tested-by: syzbot+92c6dd14aaa230be6855@syzkaller.appspotmail.com
+Acked-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250617114529.031a677a348e.I58bf1eb4ac16a82c546725ff010f3f0d2b0cca49@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath6kl/bmi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath6kl/bmi.c b/drivers/net/wireless/ath/ath6kl/bmi.c
+index af98e871199d3..5a9e93fd1ef42 100644
+--- a/drivers/net/wireless/ath/ath6kl/bmi.c
++++ b/drivers/net/wireless/ath/ath6kl/bmi.c
+@@ -87,7 +87,9 @@ int ath6kl_bmi_get_target_info(struct ath6kl *ar,
+ * We need to do some backwards compatibility to make this work.
+ */
+ if (le32_to_cpu(targ_info->byte_count) != sizeof(*targ_info)) {
+- WARN_ON(1);
++ ath6kl_err("mismatched byte count %d vs. expected %zd\n",
++ le32_to_cpu(targ_info->byte_count),
++ sizeof(*targ_info));
+ return -EINVAL;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From f58f0827bdd1c40b959ec2f8296c88b8eb317cb8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Jun 2025 17:18:38 +0200
+Subject: wifi: mac80211: drop invalid source address OCB frames
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit d1b1a5eb27c4948e8811cf4dbb05aaf3eb10700c ]
+
+In OCB, don't accept frames from invalid source addresses
+(and in particular don't try to create stations for them),
+drop the frames instead.
+
+Reported-by: syzbot+8b512026a7ec10dcbdd9@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/r/6788d2d9.050a0220.20d369.0028.GAE@google.com/
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Tested-by: syzbot+8b512026a7ec10dcbdd9@syzkaller.appspotmail.com
+Link: https://patch.msgid.link/20250616171838.7433379cab5d.I47444d63c72a0bd58d2e2b67bb99e1fea37eec6f@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/rx.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
+index 09beb65d6108b..e73431549ce77 100644
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -4432,6 +4432,10 @@ static bool ieee80211_accept_frame(struct ieee80211_rx_data *rx)
+ if (!multicast &&
+ !ether_addr_equal(sdata->dev->dev_addr, hdr->addr1))
+ return false;
++ /* reject invalid/our STA address */
++ if (!is_valid_ether_addr(hdr->addr2) ||
++ ether_addr_equal(sdata->dev->dev_addr, hdr->addr2))
++ return false;
+ if (!rx->sta) {
+ int rate_idx;
+ if (status->encoding != RX_ENC_LEGACY)
+--
+2.39.5
+
--- /dev/null
+From 2568d51844897d6b30aaa74c2824f4109413490e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Jun 2025 19:09:26 +0100
+Subject: x86/platform/amd: move final timeout check to after final sleep
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jake Hillion <jake@hillion.co.uk>
+
+[ Upstream commit f8afb12a2d7503de6558c23cacd7acbf6e9fe678 ]
+
+__hsmp_send_message sleeps between result read attempts and has a
+timeout of 100ms. Under extreme load it's possible for these sleeps to
+take a long time, exceeding the 100ms. In this case the current code
+does not check the register and fails with ETIMEDOUT.
+
+Refactor the loop to ensure there is at least one read of the register
+after a sleep of any duration. This removes instances of ETIMEDOUT with
+a single caller, even with a misbehaving scheduler. Tested on AMD
+Bergamo machines.
+
+Suggested-by: Blaise Sanouillet <linux@blaise.sanouillet.com>
+Reviewed-by: Suma Hegde <suma.hegde@amd.com>
+Tested-by: Suma Hegde <suma.hegde@amd.com>
+Signed-off-by: Jake Hillion <jake@hillion.co.uk>
+Link: https://lore.kernel.org/r/20250605-amd-hsmp-v2-1-a811bc3dd74a@hillion.co.uk
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/amd/hsmp/hsmp.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/amd/hsmp/hsmp.c b/drivers/platform/x86/amd/hsmp/hsmp.c
+index a3ac09a90de45..ab877112f4c80 100644
+--- a/drivers/platform/x86/amd/hsmp/hsmp.c
++++ b/drivers/platform/x86/amd/hsmp/hsmp.c
+@@ -99,7 +99,7 @@ static int __hsmp_send_message(struct hsmp_socket *sock, struct hsmp_message *ms
+ short_sleep = jiffies + msecs_to_jiffies(HSMP_SHORT_SLEEP);
+ timeout = jiffies + msecs_to_jiffies(HSMP_MSG_TIMEOUT);
+
+- while (time_before(jiffies, timeout)) {
++ while (true) {
+ ret = sock->amd_hsmp_rdwr(sock, mbinfo->msg_resp_off, &mbox_status, HSMP_RD);
+ if (ret) {
+ dev_err(sock->dev, "Error %d reading mailbox status\n", ret);
+@@ -108,6 +108,10 @@ static int __hsmp_send_message(struct hsmp_socket *sock, struct hsmp_message *ms
+
+ if (mbox_status != HSMP_STATUS_NOT_READY)
+ break;
++
++ if (!time_before(jiffies, timeout))
++ break;
++
+ if (time_before(jiffies, short_sleep))
+ usleep_range(50, 100);
+ else
+--
+2.39.5
+