]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
Fixes for 6.15
authorSasha Levin <sashal@kernel.org>
Mon, 7 Jul 2025 04:22:40 +0000 (00:22 -0400)
committerSasha Levin <sashal@kernel.org>
Mon, 7 Jul 2025 04:22:40 +0000 (00:22 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
109 files changed:
queue-6.15/acpica-refuse-to-evaluate-a-method-if-arguments-are-.patch [new file with mode: 0644]
queue-6.15/alsa-sb-don-t-allow-changing-the-dma-mode-during-ope.patch [new file with mode: 0644]
queue-6.15/alsa-sb-force-to-disable-dmas-once-when-dma-mode-is-.patch [new file with mode: 0644]
queue-6.15/amd-xgbe-align-cl37-an-sequence-as-per-databook.patch [new file with mode: 0644]
queue-6.15/amd-xgbe-do-not-double-read-link-status.patch [new file with mode: 0644]
queue-6.15/aoe-defer-rexmit-timer-downdev-work-to-workqueue.patch [new file with mode: 0644]
queue-6.15/arm64-dts-apple-drop-address-size-cells-from-spi-nor.patch [new file with mode: 0644]
queue-6.15/arm64-dts-apple-move-touchbar-mipi-address-size-cell.patch [new file with mode: 0644]
queue-6.15/arm64-dts-apple-t8103-fix-pcie-bcm4377-nodename.patch [new file with mode: 0644]
queue-6.15/asoc-amd-yc-add-quirk-for-msi-bravo-17-d7vf-internal.patch [new file with mode: 0644]
queue-6.15/asoc-amd-yc-update-quirk-data-for-hp-victus.patch [new file with mode: 0644]
queue-6.15/ata-libata-acpi-do-not-assume-40-wire-cable-if-no-de.patch [new file with mode: 0644]
queue-6.15/ata-pata_cs5536-fix-build-on-32-bit-uml.patch [new file with mode: 0644]
queue-6.15/bluetooth-prevent-unintended-pause-by-checking-if-ad.patch [new file with mode: 0644]
queue-6.15/btrfs-fix-failure-to-rebuild-free-space-tree-using-m.patch [new file with mode: 0644]
queue-6.15/btrfs-fix-inode-lookup-error-handling-during-log-rep.patch [new file with mode: 0644]
queue-6.15/btrfs-fix-iteration-of-extrefs-during-log-replay.patch [new file with mode: 0644]
queue-6.15/btrfs-fix-missing-error-handling-when-searching-for-.patch [new file with mode: 0644]
queue-6.15/btrfs-propagate-last_unlink_trans-earlier-when-doing.patch [new file with mode: 0644]
queue-6.15/btrfs-record-new-subvolume-in-parent-dir-earlier-to-.patch [new file with mode: 0644]
queue-6.15/btrfs-use-btrfs_record_snapshot_destroy-during-rmdir.patch [new file with mode: 0644]
queue-6.15/dpaa2-eth-fix-xdp_rxq_info-leak.patch [new file with mode: 0644]
queue-6.15/drm-bridge-aux-hpd-bridge-fix-assignment-of-the-of_n.patch [new file with mode: 0644]
queue-6.15/drm-bridge-panel-move-prepare_prev_first-handling-to.patch [new file with mode: 0644]
queue-6.15/drm-exynos-fimd-guard-display-clock-control-with-run.patch [new file with mode: 0644]
queue-6.15/drm-i915-gsc-mei-interrupt-top-half-should-be-in-irq.patch [new file with mode: 0644]
queue-6.15/drm-i915-gt-fix-timeline-left-held-on-vma-alloc-erro.patch [new file with mode: 0644]
queue-6.15/drm-i915-selftests-change-mock_request-to-return-err.patch [new file with mode: 0644]
queue-6.15/drm-msm-fix-a-fence-leak-in-submit-error-path.patch [new file with mode: 0644]
queue-6.15/drm-msm-fix-another-leak-in-the-submit-error-path.patch [new file with mode: 0644]
queue-6.15/drm-vmwgfx-fix-guests-running-with-tdx-sev.patch [new file with mode: 0644]
queue-6.15/drm-xe-allow-dropping-kunit-dependency-as-built-in.patch [new file with mode: 0644]
queue-6.15/drm-xe-bmg-update-wa_14022085890.patch [new file with mode: 0644]
queue-6.15/drm-xe-bmg-update-wa_22019338487.patch [new file with mode: 0644]
queue-6.15/drm-xe-fix-out-of-bounds-field-write-in-mi_store_dat.patch [new file with mode: 0644]
queue-6.15/drm-xe-guc-enable-w-a-16026508708.patch [new file with mode: 0644]
queue-6.15/drm-xe-guc_pc-add-_locked-variant-for-min-max-freq.patch [new file with mode: 0644]
queue-6.15/drm-xe-split-xe_device_td_flush.patch [new file with mode: 0644]
queue-6.15/enic-fix-incorrect-mtu-comparison-in-enic_change_mtu.patch [new file with mode: 0644]
queue-6.15/ethernet-atl1-add-missing-dma-mapping-error-checks-a.patch [new file with mode: 0644]
queue-6.15/firmware-arm_ffa-fix-memory-leak-by-freeing-notifier.patch [new file with mode: 0644]
queue-6.15/firmware-arm_ffa-fix-the-missing-entry-in-struct-ffa.patch [new file with mode: 0644]
queue-6.15/firmware-arm_ffa-move-memory-allocation-outside-the-.patch [new file with mode: 0644]
queue-6.15/firmware-arm_ffa-replace-mutex-with-rwlock-to-avoid-.patch [new file with mode: 0644]
queue-6.15/firmware-exynos-acpm-fix-timeouts-on-xfers-handling.patch [new file with mode: 0644]
queue-6.15/flexfiles-pnfs-update-stats-on-nfs4err_delay-for-v4..patch [new file with mode: 0644]
queue-6.15/fs-export-anon_inode_make_secure_inode-and-fix-secre.patch [new file with mode: 0644]
queue-6.15/genirq-irq_sim-initialize-work-context-pointers-prop.patch [new file with mode: 0644]
queue-6.15/ib-mlx5-fix-potential-deadlock-in-mr-deregistration.patch [new file with mode: 0644]
queue-6.15/idpf-convert-control-queue-mutex-to-a-spinlock.patch [new file with mode: 0644]
queue-6.15/idpf-return-0-size-for-rss-key-if-not-supported.patch [new file with mode: 0644]
queue-6.15/igc-disable-l1.2-pci-e-link-substate-to-avoid-perfor.patch [new file with mode: 0644]
queue-6.15/lib-test_objagg-set-error-message-in-check_expect_hi.patch [new file with mode: 0644]
queue-6.15/module-provide-export_symbol_gpl_for_modules-helper.patch [new file with mode: 0644]
queue-6.15/mtd-spinand-fix-memory-leak-of-ecc-engine-conf.patch [new file with mode: 0644]
queue-6.15/net-ipv4-fix-stat-increase-when-udp-early-demux-drop.patch [new file with mode: 0644]
queue-6.15/net-sched-always-pass-notifications-when-child-class.patch [new file with mode: 0644]
queue-6.15/net-usb-lan78xx-fix-warn-in-__netif_napi_del_locked-.patch [new file with mode: 0644]
queue-6.15/netfs-fix-double-put-of-request.patch [new file with mode: 0644]
queue-6.15/netfs-fix-hang-due-to-missing-case-in-final-dio-read.patch [new file with mode: 0644]
queue-6.15/netfs-fix-i_size-updating.patch [new file with mode: 0644]
queue-6.15/netfs-fix-looping-in-wait-functions.patch [new file with mode: 0644]
queue-6.15/netfs-fix-ref-leak-on-inserted-extra-subreq-in-write.patch [new file with mode: 0644]
queue-6.15/nfs-clean-up-proc-net-rpc-nfs-when-nfs_fs_proc_net_i.patch [new file with mode: 0644]
queue-6.15/nfsv4-flexfiles-fix-handling-of-nfs-level-errors-in-.patch [new file with mode: 0644]
queue-6.15/nfsv4-pnfs-fix-a-race-to-wake-on-nfs_layout_drain.patch [new file with mode: 0644]
queue-6.15/nui-fix-dma_mapping_error-check.patch [new file with mode: 0644]
queue-6.15/nvme-fix-incorrect-cdw15-value-in-passthru-error-log.patch [new file with mode: 0644]
queue-6.15/nvme-multipath-fix-suspicious-rcu-usage-warning.patch [new file with mode: 0644]
queue-6.15/nvme-pci-refresh-visible-attrs-after-being-checked.patch [new file with mode: 0644]
queue-6.15/nvmet-fix-memory-leak-of-bio-integrity.patch [new file with mode: 0644]
queue-6.15/platform-mellanox-mlxbf-pmc-fix-duplicate-event-id-f.patch [new file with mode: 0644]
queue-6.15/platform-mellanox-mlxbf-tmfifo-fix-vring_desc.len-as.patch [new file with mode: 0644]
queue-6.15/platform-mellanox-mlxreg-lc-fix-logic-error-in-power.patch [new file with mode: 0644]
queue-6.15/platform-mellanox-nvsw-sn2201-fix-bus-number-in-adap.patch [new file with mode: 0644]
queue-6.15/platform-x86-amd-pmc-add-pcspecialist-lafite-pro-v-1.patch [new file with mode: 0644]
queue-6.15/platform-x86-dell-wmi-sysman-fix-class-device-unregi.patch [new file with mode: 0644]
queue-6.15/platform-x86-dell-wmi-sysman-fix-wmi-data-block-retr.patch [new file with mode: 0644]
queue-6.15/platform-x86-hp-bioscfg-fix-class-device-unregistrat.patch [new file with mode: 0644]
queue-6.15/platform-x86-think-lmi-fix-class-device-unregistrati.patch [new file with mode: 0644]
queue-6.15/platform-x86-wmi-fix-wmi-event-enablement.patch [new file with mode: 0644]
queue-6.15/powerpc-fix-struct-termio-related-ioctl-macros.patch [new file with mode: 0644]
queue-6.15/rcu-return-early-if-callback-is-not-specified.patch [new file with mode: 0644]
queue-6.15/rdma-mlx5-fix-cc-counters-query-for-mpv.patch [new file with mode: 0644]
queue-6.15/rdma-mlx5-fix-hw-counters-query-for-non-representor-.patch [new file with mode: 0644]
queue-6.15/rdma-mlx5-fix-unsafe-xarray-access-in-implicit-odp-h.patch [new file with mode: 0644]
queue-6.15/rdma-mlx5-fix-vport-loopback-for-mpv-device.patch [new file with mode: 0644]
queue-6.15/rdma-mlx5-initialize-obj_event-obj_sub_list-before-x.patch [new file with mode: 0644]
queue-6.15/rdma-mlx5-reduce-stack-usage-in-mlx5_ib_ufile_hw_cle.patch [new file with mode: 0644]
queue-6.15/regulator-fan53555-add-enable_time-support-and-soft-.patch [new file with mode: 0644]
queue-6.15/rose-fix-dangling-neighbour-pointers-in-rose_rt_devi.patch [new file with mode: 0644]
queue-6.15/scsi-core-enforce-unlimited-max_segment_size-when-vi.patch [new file with mode: 0644]
queue-6.15/scsi-qla2xxx-fix-dma-mapping-test-in-qla24xx_get_por.patch [new file with mode: 0644]
queue-6.15/scsi-qla4xxx-fix-missing-dma-mapping-error-in-qla4xx.patch [new file with mode: 0644]
queue-6.15/scsi-sd-fix-vpd-page-0xb7-length-check.patch [new file with mode: 0644]
queue-6.15/scsi-target-fix-null-pointer-dereference-in-core_scs.patch [new file with mode: 0644]
queue-6.15/scsi-ufs-core-fix-spelling-of-a-sysfs-attribute-name.patch [new file with mode: 0644]
queue-6.15/series
queue-6.15/smb-client-fix-native-smb-symlink-traversal.patch [new file with mode: 0644]
queue-6.15/smb-client-fix-race-condition-in-negotiate-timeout-b.patch [new file with mode: 0644]
queue-6.15/smb-client-fix-warning-when-reconnecting-channel.patch [new file with mode: 0644]
queue-6.15/smb-client-set-missing-retry-flag-in-cifs_readv_call.patch [new file with mode: 0644]
queue-6.15/smb-client-set-missing-retry-flag-in-cifs_writev_cal.patch [new file with mode: 0644]
queue-6.15/smb-client-set-missing-retry-flag-in-smb2_writev_cal.patch [new file with mode: 0644]
queue-6.15/spi-spi-fsl-dspi-clear-completion-counter-before-ini.patch [new file with mode: 0644]
queue-6.15/spi-spi-qpic-snand-reallocate-bam-transactions.patch [new file with mode: 0644]
queue-6.15/wifi-ath6kl-remove-warn-on-bad-firmware-input.patch [new file with mode: 0644]
queue-6.15/wifi-mac80211-drop-invalid-source-address-ocb-frames.patch [new file with mode: 0644]
queue-6.15/x86-platform-amd-move-final-timeout-check-to-after-f.patch [new file with mode: 0644]

diff --git a/queue-6.15/acpica-refuse-to-evaluate-a-method-if-arguments-are-.patch b/queue-6.15/acpica-refuse-to-evaluate-a-method-if-arguments-are-.patch
new file mode 100644 (file)
index 0000000..894e708
--- /dev/null
@@ -0,0 +1,51 @@
+From fed7a33873c47f72bc10b46b011d0e7bd0d1f74d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 14:17:45 +0200
+Subject: ACPICA: Refuse to evaluate a method if arguments are missing
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 6fcab2791543924d438e7fa49276d0998b0a069f ]
+
+As reported in [1], a platform firmware update that increased the number
+of method parameters and forgot to update a least one of its callers,
+caused ACPICA to crash due to use-after-free.
+
+Since this a result of a clear AML issue that arguably cannot be fixed
+up by the interpreter (it cannot produce missing data out of thin air),
+address it by making ACPICA refuse to evaluate a method if the caller
+attempts to pass fewer arguments than expected to it.
+
+Closes: https://github.com/acpica/acpica/issues/1027 [1]
+Reported-by: Peter Williams <peter@newton.cx>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Hans de Goede <hansg@kernel.org>
+Tested-by: Hans de Goede <hansg@kernel.org> # Dell XPS 9640 with BIOS 1.12.0
+Link: https://patch.msgid.link/5909446.DvuYhMxLoT@rjwysocki.net
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/acpica/dsmethod.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/acpi/acpica/dsmethod.c b/drivers/acpi/acpica/dsmethod.c
+index e809c2aed78ae..a232746d150a7 100644
+--- a/drivers/acpi/acpica/dsmethod.c
++++ b/drivers/acpi/acpica/dsmethod.c
+@@ -483,6 +483,13 @@ acpi_ds_call_control_method(struct acpi_thread_state *thread,
+               return_ACPI_STATUS(AE_NULL_OBJECT);
+       }
++      if (this_walk_state->num_operands < obj_desc->method.param_count) {
++              ACPI_ERROR((AE_INFO, "Missing argument for method [%4.4s]",
++                          acpi_ut_get_node_name(method_node)));
++
++              return_ACPI_STATUS(AE_AML_UNINITIALIZED_ARG);
++      }
++
+       /* Init for new method, possibly wait on method mutex */
+       status =
+-- 
+2.39.5
+
diff --git a/queue-6.15/alsa-sb-don-t-allow-changing-the-dma-mode-during-ope.patch b/queue-6.15/alsa-sb-don-t-allow-changing-the-dma-mode-during-ope.patch
new file mode 100644 (file)
index 0000000..e337e02
--- /dev/null
@@ -0,0 +1,38 @@
+From bd77cc927a9dd1b99f5c0745a43a38ebc86206ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 08:43:19 +0200
+Subject: ALSA: sb: Don't allow changing the DMA mode during operations
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit ed29e073ba93f2d52832804cabdd831d5d357d33 ]
+
+When a PCM stream is already running, one shouldn't change the DMA
+mode via kcontrol, which may screw up the hardware.  Return -EBUSY
+instead.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=218185
+Link: https://patch.msgid.link/20250610064322.26787-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/isa/sb/sb16_main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/isa/sb/sb16_main.c b/sound/isa/sb/sb16_main.c
+index 74db115250030..c4930efd44e3a 100644
+--- a/sound/isa/sb/sb16_main.c
++++ b/sound/isa/sb/sb16_main.c
+@@ -703,6 +703,9 @@ static int snd_sb16_dma_control_put(struct snd_kcontrol *kcontrol, struct snd_ct
+       unsigned char nval, oval;
+       int change;
+       
++      if (chip->mode & (SB_MODE_PLAYBACK | SB_MODE_CAPTURE))
++              return -EBUSY;
++
+       nval = ucontrol->value.enumerated.item[0];
+       if (nval > 2)
+               return -EINVAL;
+-- 
+2.39.5
+
diff --git a/queue-6.15/alsa-sb-force-to-disable-dmas-once-when-dma-mode-is-.patch b/queue-6.15/alsa-sb-force-to-disable-dmas-once-when-dma-mode-is-.patch
new file mode 100644 (file)
index 0000000..5c4746b
--- /dev/null
@@ -0,0 +1,41 @@
+From 1b750ced45034a39862ae0a44610a6ef837e0433 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 08:43:20 +0200
+Subject: ALSA: sb: Force to disable DMAs once when DMA mode is changed
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 4c267ae2ef349639b4d9ebf00dd28586a82fdbe6 ]
+
+When the DMA mode is changed on the (still real!) SB AWE32 after
+playing a stream and closing, the previous DMA setup was still
+silently kept, and it can confuse the hardware, resulting in the
+unexpected noises.  As a workaround, enforce the disablement of DMA
+setups when the DMA setup is changed by the kcontrol.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=218185
+Link: https://patch.msgid.link/20250610064322.26787-2-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/isa/sb/sb16_main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/sound/isa/sb/sb16_main.c b/sound/isa/sb/sb16_main.c
+index c4930efd44e3a..5a083eecaa6b9 100644
+--- a/sound/isa/sb/sb16_main.c
++++ b/sound/isa/sb/sb16_main.c
+@@ -714,6 +714,10 @@ static int snd_sb16_dma_control_put(struct snd_kcontrol *kcontrol, struct snd_ct
+       change = nval != oval;
+       snd_sb16_set_dma_mode(chip, nval);
+       spin_unlock_irqrestore(&chip->reg_lock, flags);
++      if (change) {
++              snd_dma_disable(chip->dma8);
++              snd_dma_disable(chip->dma16);
++      }
+       return change;
+ }
+-- 
+2.39.5
+
diff --git a/queue-6.15/amd-xgbe-align-cl37-an-sequence-as-per-databook.patch b/queue-6.15/amd-xgbe-align-cl37-an-sequence-as-per-databook.patch
new file mode 100644 (file)
index 0000000..dd668c9
--- /dev/null
@@ -0,0 +1,90 @@
+From 555f25ccd495095c30ac8091a5f7886df8855d98 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 00:56:36 +0530
+Subject: amd-xgbe: align CL37 AN sequence as per databook
+
+From: Raju Rangoju <Raju.Rangoju@amd.com>
+
+[ Upstream commit 42fd432fe6d320323215ebdf4de4d0d7e56e6792 ]
+
+Update the Clause 37 Auto-Negotiation implementation to properly align
+with the PCS hardware specifications:
+- Fix incorrect bit settings in Link Status and Link Duplex fields
+- Implement missing sequence steps 2 and 7
+
+These changes ensure CL37 auto-negotiation protocol follows the exact
+sequence patterns as specified in the hardware databook.
+
+Fixes: 1bf40ada6290 ("amd-xgbe: Add support for clause 37 auto-negotiation")
+Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
+Link: https://patch.msgid.link/20250630192636.3838291-1-Raju.Rangoju@amd.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amd/xgbe/xgbe-common.h | 2 ++
+ drivers/net/ethernet/amd/xgbe/xgbe-mdio.c   | 9 +++++++++
+ drivers/net/ethernet/amd/xgbe/xgbe.h        | 4 ++--
+ 3 files changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-common.h b/drivers/net/ethernet/amd/xgbe/xgbe-common.h
+index 3b70f67376331..aa25a8a0a106f 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-common.h
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-common.h
+@@ -1373,6 +1373,8 @@
+ #define MDIO_VEND2_CTRL1_SS13         BIT(13)
+ #endif
++#define XGBE_VEND2_MAC_AUTO_SW                BIT(9)
++
+ /* MDIO mask values */
+ #define XGBE_AN_CL73_INT_CMPLT                BIT(0)
+ #define XGBE_AN_CL73_INC_LINK         BIT(1)
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
+index 07f4f3418d018..3316c719f9f8c 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
+@@ -375,6 +375,10 @@ static void xgbe_an37_set(struct xgbe_prv_data *pdata, bool enable,
+               reg |= MDIO_VEND2_CTRL1_AN_RESTART;
+       XMDIO_WRITE(pdata, MDIO_MMD_VEND2, MDIO_CTRL1, reg);
++
++      reg = XMDIO_READ(pdata, MDIO_MMD_VEND2, MDIO_PCS_DIG_CTRL);
++      reg |= XGBE_VEND2_MAC_AUTO_SW;
++      XMDIO_WRITE(pdata, MDIO_MMD_VEND2, MDIO_PCS_DIG_CTRL, reg);
+ }
+ static void xgbe_an37_restart(struct xgbe_prv_data *pdata)
+@@ -1003,6 +1007,11 @@ static void xgbe_an37_init(struct xgbe_prv_data *pdata)
+       netif_dbg(pdata, link, pdata->netdev, "CL37 AN (%s) initialized\n",
+                 (pdata->an_mode == XGBE_AN_MODE_CL37) ? "BaseX" : "SGMII");
++
++      reg = XMDIO_READ(pdata, MDIO_MMD_AN, MDIO_CTRL1);
++      reg &= ~MDIO_AN_CTRL1_ENABLE;
++      XMDIO_WRITE(pdata, MDIO_MMD_AN, MDIO_CTRL1, reg);
++
+ }
+ static void xgbe_an73_init(struct xgbe_prv_data *pdata)
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe.h b/drivers/net/ethernet/amd/xgbe/xgbe.h
+index ed5d43c16d0e2..7526a0906b391 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe.h
++++ b/drivers/net/ethernet/amd/xgbe/xgbe.h
+@@ -292,12 +292,12 @@
+ #define XGBE_LINK_TIMEOUT             5
+ #define XGBE_KR_TRAINING_WAIT_ITER    50
+-#define XGBE_SGMII_AN_LINK_STATUS     BIT(1)
++#define XGBE_SGMII_AN_LINK_DUPLEX     BIT(1)
+ #define XGBE_SGMII_AN_LINK_SPEED      (BIT(2) | BIT(3))
+ #define XGBE_SGMII_AN_LINK_SPEED_10   0x00
+ #define XGBE_SGMII_AN_LINK_SPEED_100  0x04
+ #define XGBE_SGMII_AN_LINK_SPEED_1000 0x08
+-#define XGBE_SGMII_AN_LINK_DUPLEX     BIT(4)
++#define XGBE_SGMII_AN_LINK_STATUS     BIT(4)
+ /* ECC correctable error notification window (seconds) */
+ #define XGBE_ECC_LIMIT                        60
+-- 
+2.39.5
+
diff --git a/queue-6.15/amd-xgbe-do-not-double-read-link-status.patch b/queue-6.15/amd-xgbe-do-not-double-read-link-status.patch
new file mode 100644 (file)
index 0000000..1339179
--- /dev/null
@@ -0,0 +1,94 @@
+From 15584bccf859c56fb489d880a2f6c064cf0e55bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 12:20:16 +0530
+Subject: amd-xgbe: do not double read link status
+
+From: Raju Rangoju <Raju.Rangoju@amd.com>
+
+[ Upstream commit 16ceda2ef683a50cd0783006c0504e1931cd8879 ]
+
+The link status is latched low so that momentary link drops
+can be detected. Always double-reading the status defeats this
+design feature. Only double read if link was already down
+
+This prevents unnecessary duplicate readings of the link status.
+
+Fixes: 4f3b20bfbb75 ("amd-xgbe: add support for rx-adaptation")
+Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250701065016.4140707-1-Raju.Rangoju@amd.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/amd/xgbe/xgbe-mdio.c   |  4 ++++
+ drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 24 +++++++++++++--------
+ 2 files changed, 19 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
+index 3316c719f9f8c..ed76a8df6ec6e 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
+@@ -1413,6 +1413,10 @@ static void xgbe_phy_status(struct xgbe_prv_data *pdata)
+       pdata->phy.link = pdata->phy_if.phy_impl.link_status(pdata,
+                                                            &an_restart);
++      /* bail out if the link status register read fails */
++      if (pdata->phy.link < 0)
++              return;
++
+       if (an_restart) {
+               xgbe_phy_config_aneg(pdata);
+               goto adjust_link;
+diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
+index 268399dfcf22f..32e633d113484 100644
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
+@@ -2855,8 +2855,7 @@ static bool xgbe_phy_valid_speed(struct xgbe_prv_data *pdata, int speed)
+ static int xgbe_phy_link_status(struct xgbe_prv_data *pdata, int *an_restart)
+ {
+       struct xgbe_phy_data *phy_data = pdata->phy_data;
+-      unsigned int reg;
+-      int ret;
++      int reg, ret;
+       *an_restart = 0;
+@@ -2890,11 +2889,20 @@ static int xgbe_phy_link_status(struct xgbe_prv_data *pdata, int *an_restart)
+                       return 0;
+       }
+-      /* Link status is latched low, so read once to clear
+-       * and then read again to get current state
+-       */
+-      reg = XMDIO_READ(pdata, MDIO_MMD_PCS, MDIO_STAT1);
+       reg = XMDIO_READ(pdata, MDIO_MMD_PCS, MDIO_STAT1);
++      if (reg < 0)
++              return reg;
++
++      /* Link status is latched low so that momentary link drops
++       * can be detected. If link was already down read again
++       * to get the latest state.
++       */
++
++      if (!pdata->phy.link && !(reg & MDIO_STAT1_LSTATUS)) {
++              reg = XMDIO_READ(pdata, MDIO_MMD_PCS, MDIO_STAT1);
++              if (reg < 0)
++                      return reg;
++      }
+       if (pdata->en_rx_adap) {
+               /* if the link is available and adaptation is done,
+@@ -2913,9 +2921,7 @@ static int xgbe_phy_link_status(struct xgbe_prv_data *pdata, int *an_restart)
+                       xgbe_phy_set_mode(pdata, phy_data->cur_mode);
+               }
+-              /* check again for the link and adaptation status */
+-              reg = XMDIO_READ(pdata, MDIO_MMD_PCS, MDIO_STAT1);
+-              if ((reg & MDIO_STAT1_LSTATUS) && pdata->rx_adapt_done)
++              if (pdata->rx_adapt_done)
+                       return 1;
+       } else if (reg & MDIO_STAT1_LSTATUS)
+               return 1;
+-- 
+2.39.5
+
diff --git a/queue-6.15/aoe-defer-rexmit-timer-downdev-work-to-workqueue.patch b/queue-6.15/aoe-defer-rexmit-timer-downdev-work-to-workqueue.patch
new file mode 100644 (file)
index 0000000..720adbc
--- /dev/null
@@ -0,0 +1,94 @@
+From 23ba2e2a54068d81f0d09fca41bad3cb113a2ba9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 17:06:00 +0000
+Subject: aoe: defer rexmit timer downdev work to workqueue
+
+From: Justin Sanders <jsanders.devel@gmail.com>
+
+[ Upstream commit cffc873d68ab09a0432b8212008c5613f8a70a2c ]
+
+When aoe's rexmit_timer() notices that an aoe target fails to respond to
+commands for more than aoe_deadsecs, it calls aoedev_downdev() which
+cleans the outstanding aoe and block queues. This can involve sleeping,
+such as in blk_mq_freeze_queue(), which should not occur in irq context.
+
+This patch defers that aoedev_downdev() call to the aoe device's
+workqueue.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=212665
+Signed-off-by: Justin Sanders <jsanders.devel@gmail.com>
+Link: https://lore.kernel.org/r/20250610170600.869-2-jsanders.devel@gmail.com
+Tested-By: Valentin Kleibel <valentin@vrvis.at>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/aoe/aoe.h    | 1 +
+ drivers/block/aoe/aoecmd.c | 8 ++++++--
+ drivers/block/aoe/aoedev.c | 5 ++++-
+ 3 files changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/block/aoe/aoe.h b/drivers/block/aoe/aoe.h
+index 749ae1246f4cf..d35caa3c69e15 100644
+--- a/drivers/block/aoe/aoe.h
++++ b/drivers/block/aoe/aoe.h
+@@ -80,6 +80,7 @@ enum {
+       DEVFL_NEWSIZE = (1<<6), /* need to update dev size in block layer */
+       DEVFL_FREEING = (1<<7), /* set when device is being cleaned up */
+       DEVFL_FREED = (1<<8),   /* device has been cleaned up */
++      DEVFL_DEAD = (1<<9),    /* device has timed out of aoe_deadsecs */
+ };
+ enum {
+diff --git a/drivers/block/aoe/aoecmd.c b/drivers/block/aoe/aoecmd.c
+index 92b06d1de4cc7..6c94cfd1c480e 100644
+--- a/drivers/block/aoe/aoecmd.c
++++ b/drivers/block/aoe/aoecmd.c
+@@ -754,7 +754,7 @@ rexmit_timer(struct timer_list *timer)
+       utgts = count_targets(d, NULL);
+-      if (d->flags & DEVFL_TKILL) {
++      if (d->flags & (DEVFL_TKILL | DEVFL_DEAD)) {
+               spin_unlock_irqrestore(&d->lock, flags);
+               return;
+       }
+@@ -786,7 +786,8 @@ rexmit_timer(struct timer_list *timer)
+                        * to clean up.
+                        */
+                       list_splice(&flist, &d->factive[0]);
+-                      aoedev_downdev(d);
++                      d->flags |= DEVFL_DEAD;
++                      queue_work(aoe_wq, &d->work);
+                       goto out;
+               }
+@@ -898,6 +899,9 @@ aoecmd_sleepwork(struct work_struct *work)
+ {
+       struct aoedev *d = container_of(work, struct aoedev, work);
++      if (d->flags & DEVFL_DEAD)
++              aoedev_downdev(d);
++
+       if (d->flags & DEVFL_GDALLOC)
+               aoeblk_gdalloc(d);
+diff --git a/drivers/block/aoe/aoedev.c b/drivers/block/aoe/aoedev.c
+index 8c18034cb3d69..9b66f8ebce50d 100644
+--- a/drivers/block/aoe/aoedev.c
++++ b/drivers/block/aoe/aoedev.c
+@@ -200,8 +200,11 @@ aoedev_downdev(struct aoedev *d)
+       struct list_head *head, *pos, *nx;
+       struct request *rq, *rqnext;
+       int i;
++      unsigned long flags;
+-      d->flags &= ~DEVFL_UP;
++      spin_lock_irqsave(&d->lock, flags);
++      d->flags &= ~(DEVFL_UP | DEVFL_DEAD);
++      spin_unlock_irqrestore(&d->lock, flags);
+       /* clean out active and to-be-retransmitted buffers */
+       for (i = 0; i < NFACTIVE; i++) {
+-- 
+2.39.5
+
diff --git a/queue-6.15/arm64-dts-apple-drop-address-size-cells-from-spi-nor.patch b/queue-6.15/arm64-dts-apple-drop-address-size-cells-from-spi-nor.patch
new file mode 100644 (file)
index 0000000..d51d4f5
--- /dev/null
@@ -0,0 +1,39 @@
+From 6d594011a3dd1e2094d96f66feff730dc887b6d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 19:19:24 +0000
+Subject: arm64: dts: apple: Drop {address,size}-cells from SPI NOR
+
+From: Sven Peter <sven@kernel.org>
+
+[ Upstream commit 811a909978bf59caa25359e0aca4e30500dcff26 ]
+
+Fix the following warning by dropping #{address,size}-cells from the SPI
+NOR node which only has a single child node without reg property:
+
+spi1-nvram.dtsi:19.10-38.4: Warning (avoid_unnecessary_addr_size): /soc/spi@235104000/flash@0: unnecessary #address-cells/#size-cells without "ranges", "dma-ranges" or child "reg" property
+
+Fixes: 3febe9de5ca5 ("arm64: dts: apple: Add SPI NOR nvram partition to all devices")
+Reviewed-by: Janne Grunau <j@jannau.net>
+Link: https://lore.kernel.org/r/20250610-apple-dts-warnings-v1-1-70b53e8108a0@kernel.org
+Signed-off-by: Sven Peter <sven@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/apple/spi1-nvram.dtsi | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/apple/spi1-nvram.dtsi b/arch/arm64/boot/dts/apple/spi1-nvram.dtsi
+index 3df2fd3993b52..9740fbf200f0b 100644
+--- a/arch/arm64/boot/dts/apple/spi1-nvram.dtsi
++++ b/arch/arm64/boot/dts/apple/spi1-nvram.dtsi
+@@ -20,8 +20,6 @@ flash@0 {
+               compatible = "jedec,spi-nor";
+               reg = <0x0>;
+               spi-max-frequency = <25000000>;
+-              #address-cells = <1>;
+-              #size-cells = <1>;
+               partitions {
+                       compatible = "fixed-partitions";
+-- 
+2.39.5
+
diff --git a/queue-6.15/arm64-dts-apple-move-touchbar-mipi-address-size-cell.patch b/queue-6.15/arm64-dts-apple-move-touchbar-mipi-address-size-cell.patch
new file mode 100644 (file)
index 0000000..63d4b44
--- /dev/null
@@ -0,0 +1,84 @@
+From 9c45f8f78d4568947e256022533520f14b1e9bf9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 15:18:53 +0000
+Subject: arm64: dts: apple: Move touchbar mipi {address,size}-cells from dtsi
+ to dts
+
+From: Sven Peter <sven@kernel.org>
+
+[ Upstream commit 08a0d93c353bd55de8b5fb77b464d89425be0215 ]
+
+Move the {address,size}-cells property from the (disabled) touchbar screen
+mipi node inside the dtsi file to the model-specific dts file where it's
+enabled to fix the following W=1 warnings:
+
+t8103.dtsi:404.34-433.5: Warning (avoid_unnecessary_addr_size): /soc/dsi@228600000: unnecessary #address-cells/#size-cells without "ranges", "dma-ranges" or child "reg" property
+t8112.dtsi:419.34-448.5: Warning (avoid_unnecessary_addr_size): /soc/dsi@228600000: unnecessary #address-cells/#size-cells without "ranges", "dma-ranges" or child "reg" property
+
+Fixes: 7275e795e520 ("arm64: dts: apple: Add touchbar screen nodes")
+Reviewed-by: Janne Grunau <j@jannau.net>
+Link: https://lore.kernel.org/r/20250611-display-pipe-mipi-warning-v1-1-bd80ba2c0eea@kernel.org
+Signed-off-by: Sven Peter <sven@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/apple/t8103-j293.dts | 2 ++
+ arch/arm64/boot/dts/apple/t8103.dtsi     | 2 --
+ arch/arm64/boot/dts/apple/t8112-j493.dts | 2 ++
+ arch/arm64/boot/dts/apple/t8112.dtsi     | 2 --
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/apple/t8103-j293.dts b/arch/arm64/boot/dts/apple/t8103-j293.dts
+index e2d9439397f71..5b3c42e9f0e67 100644
+--- a/arch/arm64/boot/dts/apple/t8103-j293.dts
++++ b/arch/arm64/boot/dts/apple/t8103-j293.dts
+@@ -100,6 +100,8 @@ dfr_mipi_out_panel: endpoint@0 {
+ &displaydfr_mipi {
+       status = "okay";
++      #address-cells = <1>;
++      #size-cells = <0>;
+       dfr_panel: panel@0 {
+               compatible = "apple,j293-summit", "apple,summit";
+diff --git a/arch/arm64/boot/dts/apple/t8103.dtsi b/arch/arm64/boot/dts/apple/t8103.dtsi
+index 97b6a067394e3..229b10efaab9e 100644
+--- a/arch/arm64/boot/dts/apple/t8103.dtsi
++++ b/arch/arm64/boot/dts/apple/t8103.dtsi
+@@ -404,8 +404,6 @@ displaydfr_mipi: dsi@228600000 {
+                       compatible = "apple,t8103-display-pipe-mipi", "apple,h7-display-pipe-mipi";
+                       reg = <0x2 0x28600000 0x0 0x100000>;
+                       power-domains = <&ps_mipi_dsi>;
+-                      #address-cells = <1>;
+-                      #size-cells = <0>;
+                       status = "disabled";
+                       ports {
+diff --git a/arch/arm64/boot/dts/apple/t8112-j493.dts b/arch/arm64/boot/dts/apple/t8112-j493.dts
+index be86d34c6696c..fb8ad7d4c65a8 100644
+--- a/arch/arm64/boot/dts/apple/t8112-j493.dts
++++ b/arch/arm64/boot/dts/apple/t8112-j493.dts
+@@ -63,6 +63,8 @@ dfr_mipi_out_panel: endpoint@0 {
+ &displaydfr_mipi {
+       status = "okay";
++      #address-cells = <1>;
++      #size-cells = <0>;
+       dfr_panel: panel@0 {
+               compatible = "apple,j493-summit", "apple,summit";
+diff --git a/arch/arm64/boot/dts/apple/t8112.dtsi b/arch/arm64/boot/dts/apple/t8112.dtsi
+index d9b966d68e4fa..7488e3850493b 100644
+--- a/arch/arm64/boot/dts/apple/t8112.dtsi
++++ b/arch/arm64/boot/dts/apple/t8112.dtsi
+@@ -420,8 +420,6 @@ displaydfr_mipi: dsi@228600000 {
+                       compatible = "apple,t8112-display-pipe-mipi", "apple,h7-display-pipe-mipi";
+                       reg = <0x2 0x28600000 0x0 0x100000>;
+                       power-domains = <&ps_mipi_dsi>;
+-                      #address-cells = <1>;
+-                      #size-cells = <0>;
+                       status = "disabled";
+                       ports {
+-- 
+2.39.5
+
diff --git a/queue-6.15/arm64-dts-apple-t8103-fix-pcie-bcm4377-nodename.patch b/queue-6.15/arm64-dts-apple-t8103-fix-pcie-bcm4377-nodename.patch
new file mode 100644 (file)
index 0000000..d801e64
--- /dev/null
@@ -0,0 +1,42 @@
+From 0e83346a13b2235ddb2eb71c2b38e4249f7c5279 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 22:30:31 +0200
+Subject: arm64: dts: apple: t8103: Fix PCIe BCM4377 nodename
+
+From: Janne Grunau <j@jannau.net>
+
+[ Upstream commit ac1daa91e9370e3b88ef7826a73d62a4d09e2717 ]
+
+Fix the following `make dtbs_check` warnings for all t8103 based devices:
+
+arch/arm64/boot/dts/apple/t8103-j274.dtb: network@0,0: $nodename:0: 'network@0,0' does not match '^wifi(@.*)?$'
+        from schema $id: http://devicetree.org/schemas/net/wireless/brcm,bcm4329-fmac.yaml#
+arch/arm64/boot/dts/apple/t8103-j274.dtb: network@0,0: Unevaluated properties are not allowed ('local-mac-address' was unexpected)
+        from schema $id: http://devicetree.org/schemas/net/wireless/brcm,bcm4329-fmac.yaml#
+
+Fixes: bf2c05b619ff ("arm64: dts: apple: t8103: Expose PCI node for the WiFi MAC address")
+Signed-off-by: Janne Grunau <j@jannau.net>
+Reviewed-by: Sven Peter <sven@kernel.org>
+Link: https://lore.kernel.org/r/20250611-arm64_dts_apple_wifi-v1-1-fb959d8e1eb4@jannau.net
+Signed-off-by: Sven Peter <sven@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/apple/t8103-jxxx.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/apple/t8103-jxxx.dtsi b/arch/arm64/boot/dts/apple/t8103-jxxx.dtsi
+index 8e82231acab59..0c8206156bfef 100644
+--- a/arch/arm64/boot/dts/apple/t8103-jxxx.dtsi
++++ b/arch/arm64/boot/dts/apple/t8103-jxxx.dtsi
+@@ -71,7 +71,7 @@ hpm1: usb-pd@3f {
+  */
+ &port00 {
+       bus-range = <1 1>;
+-      wifi0: network@0,0 {
++      wifi0: wifi@0,0 {
+               compatible = "pci14e4,4425";
+               reg = <0x10000 0x0 0x0 0x0 0x0>;
+               /* To be filled by the loader */
+-- 
+2.39.5
+
diff --git a/queue-6.15/asoc-amd-yc-add-quirk-for-msi-bravo-17-d7vf-internal.patch b/queue-6.15/asoc-amd-yc-add-quirk-for-msi-bravo-17-d7vf-internal.patch
new file mode 100644 (file)
index 0000000..eedc0e6
--- /dev/null
@@ -0,0 +1,42 @@
+From 3a41b4685051965394300c5947bea6da1b338ee1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 May 2025 02:52:32 +0200
+Subject: ASoC: amd: yc: Add quirk for MSI Bravo 17 D7VF internal mic
+
+From: Gabriel Santese <santesegabriel@gmail.com>
+
+[ Upstream commit ba06528ad5a31923efc24324706116ccd17e12d8 ]
+
+MSI Bravo 17 (D7VF), like other laptops from the family,
+has broken ACPI tables and needs a quirk for internal mic
+to work properly.
+
+Signed-off-by: Gabriel Santese <santesegabriel@gmail.com>
+Link: https://patch.msgid.link/20250530005444.23398-1-santesegabriel@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c
+index b27966f82c8b6..4f8481c6802b1 100644
+--- a/sound/soc/amd/yc/acp6x-mach.c
++++ b/sound/soc/amd/yc/acp6x-mach.c
+@@ -451,6 +451,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = {
+                       DMI_MATCH(DMI_PRODUCT_NAME, "Bravo 17 D7VEK"),
+               }
+       },
++      {
++              .driver_data = &acp6x_card,
++              .matches = {
++                      DMI_MATCH(DMI_BOARD_VENDOR, "Micro-Star International Co., Ltd."),
++                      DMI_MATCH(DMI_PRODUCT_NAME, "Bravo 17 D7VF"),
++              }
++      },
+       {
+               .driver_data = &acp6x_card,
+               .matches = {
+-- 
+2.39.5
+
diff --git a/queue-6.15/asoc-amd-yc-update-quirk-data-for-hp-victus.patch b/queue-6.15/asoc-amd-yc-update-quirk-data-for-hp-victus.patch
new file mode 100644 (file)
index 0000000..9a837f6
--- /dev/null
@@ -0,0 +1,40 @@
+From 3059574182dc623d5892dac9564974c0153fcb6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Jun 2025 07:51:25 -0400
+Subject: ASoC: amd: yc: update quirk data for HP Victus
+
+From: Raven Black <ravenblack@gmail.com>
+
+[ Upstream commit 13b86ea92ebf0fa587fbadfb8a60ca2e9993203f ]
+
+Make the internal microphone work on HP Victus laptops.
+
+Signed-off-by: Raven Black <ravenblack@gmail.com>
+Link: https://patch.msgid.link/20250613-support-hp-victus-microphone-v1-1-bebc4c3a2041@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c
+index 4f8481c6802b1..723cb7bc12851 100644
+--- a/sound/soc/amd/yc/acp6x-mach.c
++++ b/sound/soc/amd/yc/acp6x-mach.c
+@@ -521,6 +521,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = {
+                       DMI_MATCH(DMI_PRODUCT_NAME, "OMEN by HP Gaming Laptop 16z-n000"),
+               }
+       },
++      {
++              .driver_data = &acp6x_card,
++              .matches = {
++                      DMI_MATCH(DMI_BOARD_VENDOR, "HP"),
++                      DMI_MATCH(DMI_PRODUCT_NAME, "Victus by HP Gaming Laptop 15-fb2xxx"),
++              }
++      },
+       {
+               .driver_data = &acp6x_card,
+               .matches = {
+-- 
+2.39.5
+
diff --git a/queue-6.15/ata-libata-acpi-do-not-assume-40-wire-cable-if-no-de.patch b/queue-6.15/ata-libata-acpi-do-not-assume-40-wire-cable-if-no-de.patch
new file mode 100644 (file)
index 0000000..b40b857
--- /dev/null
@@ -0,0 +1,138 @@
+From 2f593edfa252886be1abc6504cfcfa0f32798924 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 May 2025 11:56:55 +0300
+Subject: ata: libata-acpi: Do not assume 40 wire cable if no devices are
+ enabled
+
+From: Tasos Sahanidis <tasos@tasossah.com>
+
+[ Upstream commit 33877220b8641b4cde474a4229ea92c0e3637883 ]
+
+On at least an ASRock 990FX Extreme 4 with a VIA VT6330, the devices
+have not yet been enabled by the first time ata_acpi_cbl_80wire() is
+called. This means that the ata_for_each_dev loop is never entered,
+and a 40 wire cable is assumed.
+
+The VIA controller on this board does not report the cable in the PCI
+config space, thus having to fall back to ACPI even though no SATA
+bridge is present.
+
+The _GTM values are correctly reported by the firmware through ACPI,
+which has already set up faster transfer modes, but due to the above
+the controller is forced down to a maximum of UDMA/33.
+
+Resolve this by modifying ata_acpi_cbl_80wire() to directly return the
+cable type. First, an unknown cable is assumed which preserves the mode
+set by the firmware, and then on subsequent calls when the devices have
+been enabled, an 80 wire cable is correctly detected.
+
+Since the function now directly returns the cable type, it is renamed
+to ata_acpi_cbl_pata_type().
+
+Signed-off-by: Tasos Sahanidis <tasos@tasossah.com>
+Link: https://lore.kernel.org/r/20250519085945.1399466-1-tasos@tasossah.com
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-acpi.c | 24 ++++++++++++++++--------
+ drivers/ata/pata_via.c    |  6 ++----
+ include/linux/libata.h    |  7 +++----
+ 3 files changed, 21 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/ata/libata-acpi.c b/drivers/ata/libata-acpi.c
+index b7f0bf7955213..f2140fc06ba0f 100644
+--- a/drivers/ata/libata-acpi.c
++++ b/drivers/ata/libata-acpi.c
+@@ -514,15 +514,19 @@ unsigned int ata_acpi_gtm_xfermask(struct ata_device *dev,
+ EXPORT_SYMBOL_GPL(ata_acpi_gtm_xfermask);
+ /**
+- * ata_acpi_cbl_80wire                -       Check for 80 wire cable
++ * ata_acpi_cbl_pata_type - Return PATA cable type
+  * @ap: Port to check
+- * @gtm: GTM data to use
+  *
+- * Return 1 if the @gtm indicates the BIOS selected an 80wire mode.
++ * Return ATA_CBL_PATA* according to the transfer mode selected by BIOS
+  */
+-int ata_acpi_cbl_80wire(struct ata_port *ap, const struct ata_acpi_gtm *gtm)
++int ata_acpi_cbl_pata_type(struct ata_port *ap)
+ {
+       struct ata_device *dev;
++      int ret = ATA_CBL_PATA_UNK;
++      const struct ata_acpi_gtm *gtm = ata_acpi_init_gtm(ap);
++
++      if (!gtm)
++              return ATA_CBL_PATA40;
+       ata_for_each_dev(dev, &ap->link, ENABLED) {
+               unsigned int xfer_mask, udma_mask;
+@@ -530,13 +534,17 @@ int ata_acpi_cbl_80wire(struct ata_port *ap, const struct ata_acpi_gtm *gtm)
+               xfer_mask = ata_acpi_gtm_xfermask(dev, gtm);
+               ata_unpack_xfermask(xfer_mask, NULL, NULL, &udma_mask);
+-              if (udma_mask & ~ATA_UDMA_MASK_40C)
+-                      return 1;
++              ret = ATA_CBL_PATA40;
++
++              if (udma_mask & ~ATA_UDMA_MASK_40C) {
++                      ret = ATA_CBL_PATA80;
++                      break;
++              }
+       }
+-      return 0;
++      return ret;
+ }
+-EXPORT_SYMBOL_GPL(ata_acpi_cbl_80wire);
++EXPORT_SYMBOL_GPL(ata_acpi_cbl_pata_type);
+ static void ata_acpi_gtf_to_tf(struct ata_device *dev,
+                              const struct ata_acpi_gtf *gtf,
+diff --git a/drivers/ata/pata_via.c b/drivers/ata/pata_via.c
+index d82728a01832b..bb80e7800dcbe 100644
+--- a/drivers/ata/pata_via.c
++++ b/drivers/ata/pata_via.c
+@@ -201,11 +201,9 @@ static int via_cable_detect(struct ata_port *ap) {
+          two drives */
+       if (ata66 & (0x10100000 >> (16 * ap->port_no)))
+               return ATA_CBL_PATA80;
++
+       /* Check with ACPI so we can spot BIOS reported SATA bridges */
+-      if (ata_acpi_init_gtm(ap) &&
+-          ata_acpi_cbl_80wire(ap, ata_acpi_init_gtm(ap)))
+-              return ATA_CBL_PATA80;
+-      return ATA_CBL_PATA40;
++      return ata_acpi_cbl_pata_type(ap);
+ }
+ static int via_pre_reset(struct ata_link *link, unsigned long deadline)
+diff --git a/include/linux/libata.h b/include/linux/libata.h
+index e5695998acb02..ec3b0c9c2a8cf 100644
+--- a/include/linux/libata.h
++++ b/include/linux/libata.h
+@@ -1363,7 +1363,7 @@ int ata_acpi_stm(struct ata_port *ap, const struct ata_acpi_gtm *stm);
+ int ata_acpi_gtm(struct ata_port *ap, struct ata_acpi_gtm *stm);
+ unsigned int ata_acpi_gtm_xfermask(struct ata_device *dev,
+                                  const struct ata_acpi_gtm *gtm);
+-int ata_acpi_cbl_80wire(struct ata_port *ap, const struct ata_acpi_gtm *gtm);
++int ata_acpi_cbl_pata_type(struct ata_port *ap);
+ #else
+ static inline const struct ata_acpi_gtm *ata_acpi_init_gtm(struct ata_port *ap)
+ {
+@@ -1388,10 +1388,9 @@ static inline unsigned int ata_acpi_gtm_xfermask(struct ata_device *dev,
+       return 0;
+ }
+-static inline int ata_acpi_cbl_80wire(struct ata_port *ap,
+-                                    const struct ata_acpi_gtm *gtm)
++static inline int ata_acpi_cbl_pata_type(struct ata_port *ap)
+ {
+-      return 0;
++      return ATA_CBL_PATA40;
+ }
+ #endif
+-- 
+2.39.5
+
diff --git a/queue-6.15/ata-pata_cs5536-fix-build-on-32-bit-uml.patch b/queue-6.15/ata-pata_cs5536-fix-build-on-32-bit-uml.patch
new file mode 100644 (file)
index 0000000..d45701d
--- /dev/null
@@ -0,0 +1,38 @@
+From 375213a74a54bf3fc19edf459da165d5055c7f80 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Jun 2025 11:01:11 +0200
+Subject: ata: pata_cs5536: fix build on 32-bit UML
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit fe5b391fc56f77cf3c22a9dd4f0ce20db0e3533f ]
+
+On 32-bit ARCH=um, CONFIG_X86_32 is still defined, so it
+doesn't indicate building on real X86 machines. There's
+no MSR on UML though, so add a check for CONFIG_X86.
+
+Reported-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Link: https://lore.kernel.org/r/20250606090110.15784-2-johannes@sipsolutions.net
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/pata_cs5536.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/ata/pata_cs5536.c b/drivers/ata/pata_cs5536.c
+index b811efd2cc346..73e81e160c91f 100644
+--- a/drivers/ata/pata_cs5536.c
++++ b/drivers/ata/pata_cs5536.c
+@@ -27,7 +27,7 @@
+ #include <scsi/scsi_host.h>
+ #include <linux/dmi.h>
+-#ifdef CONFIG_X86_32
++#if defined(CONFIG_X86) && defined(CONFIG_X86_32)
+ #include <asm/msr.h>
+ static int use_msr;
+ module_param_named(msr, use_msr, int, 0644);
+-- 
+2.39.5
+
diff --git a/queue-6.15/bluetooth-prevent-unintended-pause-by-checking-if-ad.patch b/queue-6.15/bluetooth-prevent-unintended-pause-by-checking-if-ad.patch
new file mode 100644 (file)
index 0000000..b7abc14
--- /dev/null
@@ -0,0 +1,69 @@
+From 18b02af3501cefc9a3476cbdf15b992b4344973c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Jun 2025 11:01:07 +0800
+Subject: Bluetooth: Prevent unintended pause by checking if advertising is
+ active
+
+From: Yang Li <yang.li@amlogic.com>
+
+[ Upstream commit 1f029b4e30a602db33dedee5ac676e9236ad193c ]
+
+When PA Create Sync is enabled, advertising resumes unexpectedly.
+Therefore, it's necessary to check whether advertising is currently
+active before attempting to pause it.
+
+  < HCI Command: LE Add Device To... (0x08|0x0011) plen 7  #1345 [hci0] 48.306205
+               Address type: Random (0x01)
+               Address: 4F:84:84:5F:88:17 (Resolvable)
+               Identity type: Random (0x01)
+               Identity: FC:5B:8C:F7:5D:FB (Static)
+  < HCI Command: LE Set Address Re.. (0x08|0x002d) plen 1  #1347 [hci0] 48.308023
+               Address resolution: Enabled (0x01)
+  ...
+  < HCI Command: LE Set Extended A.. (0x08|0x0039) plen 6  #1349 [hci0] 48.309650
+               Extended advertising: Enabled (0x01)
+               Number of sets: 1 (0x01)
+               Entry 0
+               Handle: 0x01
+               Duration: 0 ms (0x00)
+               Max ext adv events: 0
+  ...
+  < HCI Command: LE Periodic Adve.. (0x08|0x0044) plen 14  #1355 [hci0] 48.314575
+               Options: 0x0000
+               Use advertising SID, Advertiser Address Type and address
+               Reporting initially enabled
+               SID: 0x02
+               Adv address type: Random (0x01)
+               Adv address: 4F:84:84:5F:88:17 (Resolvable)
+               Identity type: Random (0x01)
+               Identity: FC:5B:8C:F7:5D:FB (Static)
+               Skip: 0x0000
+               Sync timeout: 20000 msec (0x07d0)
+               Sync CTE type: 0x0000
+
+Fixes: ad383c2c65a5 ("Bluetooth: hci_sync: Enable advertising when LL privacy is enabled")
+Signed-off-by: Yang Li <yang.li@amlogic.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_sync.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
+index 3660da3b241a7..9955d6cd7b76f 100644
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -2507,6 +2507,10 @@ static int hci_pause_advertising_sync(struct hci_dev *hdev)
+       int err;
+       int old_state;
++      /* If controller is not advertising we are done. */
++      if (!hci_dev_test_flag(hdev, HCI_LE_ADV))
++              return 0;
++
+       /* If already been paused there is nothing to do. */
+       if (hdev->advertising_paused)
+               return 0;
+-- 
+2.39.5
+
diff --git a/queue-6.15/btrfs-fix-failure-to-rebuild-free-space-tree-using-m.patch b/queue-6.15/btrfs-fix-failure-to-rebuild-free-space-tree-using-m.patch
new file mode 100644 (file)
index 0000000..8c43708
--- /dev/null
@@ -0,0 +1,190 @@
+From a928455718bd18356f3c58407fa23d51c0b69c52 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Jun 2025 13:43:32 +0100
+Subject: btrfs: fix failure to rebuild free space tree using multiple
+ transactions
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 1e6ed33cabba8f06f532f2e5851a102602823734 ]
+
+If we are rebuilding a free space tree, while modifying the free space
+tree we may need to allocate a new metadata block group.
+If we end up using multiple transactions for the rebuild, when we call
+btrfs_end_transaction() we enter btrfs_create_pending_block_groups()
+which calls add_block_group_free_space() to add items to the free space
+tree for the block group.
+
+Then later during the free space tree rebuild, at
+btrfs_rebuild_free_space_tree(), we may find such new block groups
+and call populate_free_space_tree() for them, which fails with -EEXIST
+because there are already items in the free space tree. Then we abort the
+transaction with -EEXIST at btrfs_rebuild_free_space_tree().
+Notice that we say "may find" the new block groups because a new block
+group may be inserted in the block groups rbtree, which is being iterated
+by the rebuild process, before or after the current node where the rebuild
+process is currently at.
+
+Syzbot recently reported such case which produces a trace like the
+following:
+
+  ------------[ cut here ]------------
+  BTRFS: Transaction aborted (error -17)
+  WARNING: CPU: 1 PID: 7626 at fs/btrfs/free-space-tree.c:1341 btrfs_rebuild_free_space_tree+0x470/0x54c fs/btrfs/free-space-tree.c:1341
+  Modules linked in:
+  CPU: 1 UID: 0 PID: 7626 Comm: syz.2.25 Not tainted 6.15.0-rc7-syzkaller-00085-gd7fa1af5b33e-dirty #0 PREEMPT
+  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
+  pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+  pc : btrfs_rebuild_free_space_tree+0x470/0x54c fs/btrfs/free-space-tree.c:1341
+  lr : btrfs_rebuild_free_space_tree+0x470/0x54c fs/btrfs/free-space-tree.c:1341
+  sp : ffff80009c4f7740
+  x29: ffff80009c4f77b0 x28: ffff0000d4c3f400 x27: 0000000000000000
+  x26: dfff800000000000 x25: ffff70001389eee8 x24: 0000000000000003
+  x23: 1fffe000182b6e7b x22: 0000000000000000 x21: ffff0000c15b73d8
+  x20: 00000000ffffffef x19: ffff0000c15b7378 x18: 1fffe0003386f276
+  x17: ffff80008f31e000 x16: ffff80008adbe98c x15: 0000000000000001
+  x14: 1fffe0001b281550 x13: 0000000000000000 x12: 0000000000000000
+  x11: ffff60001b281551 x10: 0000000000000003 x9 : 1c8922000a902c00
+  x8 : 1c8922000a902c00 x7 : ffff800080485878 x6 : 0000000000000000
+  x5 : 0000000000000001 x4 : 0000000000000001 x3 : ffff80008047843c
+  x2 : 0000000000000001 x1 : ffff80008b3ebc40 x0 : 0000000000000001
+  Call trace:
+   btrfs_rebuild_free_space_tree+0x470/0x54c fs/btrfs/free-space-tree.c:1341 (P)
+   btrfs_start_pre_rw_mount+0xa78/0xe10 fs/btrfs/disk-io.c:3074
+   btrfs_remount_rw fs/btrfs/super.c:1319 [inline]
+   btrfs_reconfigure+0x828/0x2418 fs/btrfs/super.c:1543
+   reconfigure_super+0x1d4/0x6f0 fs/super.c:1083
+   do_remount fs/namespace.c:3365 [inline]
+   path_mount+0xb34/0xde0 fs/namespace.c:4200
+   do_mount fs/namespace.c:4221 [inline]
+   __do_sys_mount fs/namespace.c:4432 [inline]
+   __se_sys_mount fs/namespace.c:4409 [inline]
+   __arm64_sys_mount+0x3e8/0x468 fs/namespace.c:4409
+   __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
+   invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
+   el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
+   do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
+   el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767
+   el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786
+   el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
+  irq event stamp: 330
+  hardirqs last  enabled at (329): [<ffff80008048590c>] raw_spin_rq_unlock_irq kernel/sched/sched.h:1525 [inline]
+  hardirqs last  enabled at (329): [<ffff80008048590c>] finish_lock_switch+0xb0/0x1c0 kernel/sched/core.c:5130
+  hardirqs last disabled at (330): [<ffff80008adb9e60>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:511
+  softirqs last  enabled at (10): [<ffff8000801fbf10>] local_bh_enable+0x10/0x34 include/linux/bottom_half.h:32
+  softirqs last disabled at (8): [<ffff8000801fbedc>] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19
+  ---[ end trace 0000000000000000 ]---
+
+Fix this by flagging new block groups which had their free space tree
+entries already added and then skip them in the rebuild process. Also,
+since the rebuild may be triggered when doing a remount, make sure that
+when we clear an existing free space tree that we clear such flag from
+every existing block group, otherwise we would skip those block groups
+during the rebuild.
+
+Reported-by: syzbot+d0014fb0fc39c5487ae5@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/linux-btrfs/68460a54.050a0220.daf97.0af5.GAE@google.com/
+Fixes: 882af9f13e83 ("btrfs: handle free space tree rebuild in multiple transactions")
+Reviewed-by: Boris Burkov <boris@bur.io>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/block-group.h     |  2 ++
+ fs/btrfs/free-space-tree.c | 40 ++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 42 insertions(+)
+
+diff --git a/fs/btrfs/block-group.h b/fs/btrfs/block-group.h
+index 36937eeab9b8a..08548b0b5ea1d 100644
+--- a/fs/btrfs/block-group.h
++++ b/fs/btrfs/block-group.h
+@@ -83,6 +83,8 @@ enum btrfs_block_group_flags {
+       BLOCK_GROUP_FLAG_ZONED_DATA_RELOC,
+       /* Does the block group need to be added to the free space tree? */
+       BLOCK_GROUP_FLAG_NEEDS_FREE_SPACE,
++      /* Set after we add a new block group to the free space tree. */
++      BLOCK_GROUP_FLAG_FREE_SPACE_ADDED,
+       /* Indicate that the block group is placed on a sequential zone */
+       BLOCK_GROUP_FLAG_SEQUENTIAL_ZONE,
+       /*
+diff --git a/fs/btrfs/free-space-tree.c b/fs/btrfs/free-space-tree.c
+index 39c6b96a4c25a..b65a20fd519ba 100644
+--- a/fs/btrfs/free-space-tree.c
++++ b/fs/btrfs/free-space-tree.c
+@@ -1217,6 +1217,7 @@ static int clear_free_space_tree(struct btrfs_trans_handle *trans,
+ {
+       BTRFS_PATH_AUTO_FREE(path);
+       struct btrfs_key key;
++      struct rb_node *node;
+       int nr;
+       int ret;
+@@ -1245,6 +1246,16 @@ static int clear_free_space_tree(struct btrfs_trans_handle *trans,
+               btrfs_release_path(path);
+       }
++      node = rb_first_cached(&trans->fs_info->block_group_cache_tree);
++      while (node) {
++              struct btrfs_block_group *bg;
++
++              bg = rb_entry(node, struct btrfs_block_group, cache_node);
++              clear_bit(BLOCK_GROUP_FLAG_FREE_SPACE_ADDED, &bg->runtime_flags);
++              node = rb_next(node);
++              cond_resched();
++      }
++
+       return 0;
+ }
+@@ -1334,12 +1345,18 @@ int btrfs_rebuild_free_space_tree(struct btrfs_fs_info *fs_info)
+               block_group = rb_entry(node, struct btrfs_block_group,
+                                      cache_node);
++
++              if (test_bit(BLOCK_GROUP_FLAG_FREE_SPACE_ADDED,
++                           &block_group->runtime_flags))
++                      goto next;
++
+               ret = populate_free_space_tree(trans, block_group);
+               if (ret) {
+                       btrfs_abort_transaction(trans, ret);
+                       btrfs_end_transaction(trans);
+                       return ret;
+               }
++next:
+               if (btrfs_should_end_transaction(trans)) {
+                       btrfs_end_transaction(trans);
+                       trans = btrfs_start_transaction(free_space_root, 1);
+@@ -1366,6 +1383,29 @@ static int __add_block_group_free_space(struct btrfs_trans_handle *trans,
+       clear_bit(BLOCK_GROUP_FLAG_NEEDS_FREE_SPACE, &block_group->runtime_flags);
++      /*
++       * While rebuilding the free space tree we may allocate new metadata
++       * block groups while modifying the free space tree.
++       *
++       * Because during the rebuild (at btrfs_rebuild_free_space_tree()) we
++       * can use multiple transactions, every time btrfs_end_transaction() is
++       * called at btrfs_rebuild_free_space_tree() we finish the creation of
++       * new block groups by calling btrfs_create_pending_block_groups(), and
++       * that in turn calls us, through add_block_group_free_space(), to add
++       * a free space info item and a free space extent item for the block
++       * group.
++       *
++       * Then later btrfs_rebuild_free_space_tree() may find such new block
++       * groups and processes them with populate_free_space_tree(), which can
++       * fail with EEXIST since there are already items for the block group in
++       * the free space tree. Notice that we say "may find" because a new
++       * block group may be added to the block groups rbtree in a node before
++       * or after the block group currently being processed by the rebuild
++       * process. So signal the rebuild process to skip such new block groups
++       * if it finds them.
++       */
++      set_bit(BLOCK_GROUP_FLAG_FREE_SPACE_ADDED, &block_group->runtime_flags);
++
+       ret = add_new_free_space_info(trans, block_group, path);
+       if (ret)
+               return ret;
+-- 
+2.39.5
+
diff --git a/queue-6.15/btrfs-fix-inode-lookup-error-handling-during-log-rep.patch b/queue-6.15/btrfs-fix-inode-lookup-error-handling-during-log-rep.patch
new file mode 100644 (file)
index 0000000..ec26ef0
--- /dev/null
@@ -0,0 +1,295 @@
+From bd9bca9af82723d88a926f90770ec16e840d68e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 15:58:31 +0100
+Subject: btrfs: fix inode lookup error handling during log replay
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 5f61b961599acbd2bed028d3089105a1f7d224b8 ]
+
+When replaying log trees we use read_one_inode() to get an inode, which is
+just a wrapper around btrfs_iget_logging(), which in turn is a wrapper for
+btrfs_iget(). But read_one_inode() always returns NULL for any error
+that btrfs_iget_logging() / btrfs_iget() may return and this is a problem
+because:
+
+1) In many callers of read_one_inode() we convert the NULL into -EIO,
+   which is not accurate since btrfs_iget() may return -ENOMEM and -ENOENT
+   for example, besides -EIO and other errors. So during log replay we
+   may end up reporting a false -EIO, which is confusing since we may
+   not have had any IO error at all;
+
+2) When replaying directory deletes, at replay_dir_deletes(), we assume
+   the NULL returned from read_one_inode() means that the inode doesn't
+   exist and then proceed as if no error had happened. This is wrong
+   because unless btrfs_iget() returned ERR_PTR(-ENOENT), we had an
+   actual error and the target inode may exist in the target subvolume
+   root - this may later result in the log replay code failing at a
+   later stage (if we are "lucky") or succeed but leaving some
+   inconsistency in the filesystem.
+
+So fix this by not ignoring errors from btrfs_iget_logging() and as
+a consequence remove the read_one_inode() wrapper and just use
+btrfs_iget_logging() directly. Also since btrfs_iget_logging() is
+supposed to be called only against subvolume roots, just like
+read_one_inode() which had a comment about it, add an assertion to
+btrfs_iget_logging() to check that the target root corresponds to a
+subvolume root.
+
+Fixes: 5d4f98a28c7d ("Btrfs: Mixed back reference  (FORWARD ROLLING FORMAT CHANGE)")
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/tree-log.c | 127 +++++++++++++++++++++-----------------------
+ 1 file changed, 62 insertions(+), 65 deletions(-)
+
+diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
+index 118db10464207..f8611ec11da9d 100644
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -143,6 +143,9 @@ static struct btrfs_inode *btrfs_iget_logging(u64 objectid, struct btrfs_root *r
+       unsigned int nofs_flag;
+       struct btrfs_inode *inode;
++      /* Only meant to be called for subvolume roots and not for log roots. */
++      ASSERT(is_fstree(btrfs_root_id(root)));
++
+       /*
+        * We're holding a transaction handle whether we are logging or
+        * replaying a log tree, so we must make sure NOFS semantics apply
+@@ -604,21 +607,6 @@ static int read_alloc_one_name(struct extent_buffer *eb, void *start, int len,
+       return 0;
+ }
+-/*
+- * simple helper to read an inode off the disk from a given root
+- * This can only be called for subvolume roots and not for the log
+- */
+-static noinline struct btrfs_inode *read_one_inode(struct btrfs_root *root,
+-                                                 u64 objectid)
+-{
+-      struct btrfs_inode *inode;
+-
+-      inode = btrfs_iget_logging(objectid, root);
+-      if (IS_ERR(inode))
+-              return NULL;
+-      return inode;
+-}
+-
+ /* replays a single extent in 'eb' at 'slot' with 'key' into the
+  * subvolume 'root'.  path is released on entry and should be released
+  * on exit.
+@@ -671,9 +659,9 @@ static noinline int replay_one_extent(struct btrfs_trans_handle *trans,
+               return 0;
+       }
+-      inode = read_one_inode(root, key->objectid);
+-      if (!inode)
+-              return -EIO;
++      inode = btrfs_iget_logging(key->objectid, root);
++      if (IS_ERR(inode))
++              return PTR_ERR(inode);
+       /*
+        * first check to see if we already have this extent in the
+@@ -945,9 +933,10 @@ static noinline int drop_one_dir_item(struct btrfs_trans_handle *trans,
+       btrfs_release_path(path);
+-      inode = read_one_inode(root, location.objectid);
+-      if (!inode) {
+-              ret = -EIO;
++      inode = btrfs_iget_logging(location.objectid, root);
++      if (IS_ERR(inode)) {
++              ret = PTR_ERR(inode);
++              inode = NULL;
+               goto out;
+       }
+@@ -1166,10 +1155,10 @@ static inline int __add_inode_ref(struct btrfs_trans_handle *trans,
+                               kfree(victim_name.name);
+                               return ret;
+                       } else if (!ret) {
+-                              ret = -ENOENT;
+-                              victim_parent = read_one_inode(root,
+-                                              parent_objectid);
+-                              if (victim_parent) {
++                              victim_parent = btrfs_iget_logging(parent_objectid, root);
++                              if (IS_ERR(victim_parent)) {
++                                      ret = PTR_ERR(victim_parent);
++                              } else {
+                                       inc_nlink(&inode->vfs_inode);
+                                       btrfs_release_path(path);
+@@ -1314,9 +1303,9 @@ static int unlink_old_inode_refs(struct btrfs_trans_handle *trans,
+                       struct btrfs_inode *dir;
+                       btrfs_release_path(path);
+-                      dir = read_one_inode(root, parent_id);
+-                      if (!dir) {
+-                              ret = -ENOENT;
++                      dir = btrfs_iget_logging(parent_id, root);
++                      if (IS_ERR(dir)) {
++                              ret = PTR_ERR(dir);
+                               kfree(name.name);
+                               goto out;
+                       }
+@@ -1388,15 +1377,17 @@ static noinline int add_inode_ref(struct btrfs_trans_handle *trans,
+        * copy the back ref in.  The link count fixup code will take
+        * care of the rest
+        */
+-      dir = read_one_inode(root, parent_objectid);
+-      if (!dir) {
+-              ret = -ENOENT;
++      dir = btrfs_iget_logging(parent_objectid, root);
++      if (IS_ERR(dir)) {
++              ret = PTR_ERR(dir);
++              dir = NULL;
+               goto out;
+       }
+-      inode = read_one_inode(root, inode_objectid);
+-      if (!inode) {
+-              ret = -EIO;
++      inode = btrfs_iget_logging(inode_objectid, root);
++      if (IS_ERR(inode)) {
++              ret = PTR_ERR(inode);
++              inode = NULL;
+               goto out;
+       }
+@@ -1408,11 +1399,13 @@ static noinline int add_inode_ref(struct btrfs_trans_handle *trans,
+                        * parent object can change from one array
+                        * item to another.
+                        */
+-                      if (!dir)
+-                              dir = read_one_inode(root, parent_objectid);
+                       if (!dir) {
+-                              ret = -ENOENT;
+-                              goto out;
++                              dir = btrfs_iget_logging(parent_objectid, root);
++                              if (IS_ERR(dir)) {
++                                      ret = PTR_ERR(dir);
++                                      dir = NULL;
++                                      goto out;
++                              }
+                       }
+               } else {
+                       ret = ref_get_fields(eb, ref_ptr, &name, &ref_index);
+@@ -1681,9 +1674,9 @@ static noinline int fixup_inode_link_counts(struct btrfs_trans_handle *trans,
+                       break;
+               btrfs_release_path(path);
+-              inode = read_one_inode(root, key.offset);
+-              if (!inode) {
+-                      ret = -EIO;
++              inode = btrfs_iget_logging(key.offset, root);
++              if (IS_ERR(inode)) {
++                      ret = PTR_ERR(inode);
+                       break;
+               }
+@@ -1719,9 +1712,9 @@ static noinline int link_to_fixup_dir(struct btrfs_trans_handle *trans,
+       struct btrfs_inode *inode;
+       struct inode *vfs_inode;
+-      inode = read_one_inode(root, objectid);
+-      if (!inode)
+-              return -EIO;
++      inode = btrfs_iget_logging(objectid, root);
++      if (IS_ERR(inode))
++              return PTR_ERR(inode);
+       vfs_inode = &inode->vfs_inode;
+       key.objectid = BTRFS_TREE_LOG_FIXUP_OBJECTID;
+@@ -1760,14 +1753,14 @@ static noinline int insert_one_name(struct btrfs_trans_handle *trans,
+       struct btrfs_inode *dir;
+       int ret;
+-      inode = read_one_inode(root, location->objectid);
+-      if (!inode)
+-              return -ENOENT;
++      inode = btrfs_iget_logging(location->objectid, root);
++      if (IS_ERR(inode))
++              return PTR_ERR(inode);
+-      dir = read_one_inode(root, dirid);
+-      if (!dir) {
++      dir = btrfs_iget_logging(dirid, root);
++      if (IS_ERR(dir)) {
+               iput(&inode->vfs_inode);
+-              return -EIO;
++              return PTR_ERR(dir);
+       }
+       ret = btrfs_add_link(trans, dir, inode, name, 1, index);
+@@ -1844,9 +1837,9 @@ static noinline int replay_one_name(struct btrfs_trans_handle *trans,
+       bool update_size = true;
+       bool name_added = false;
+-      dir = read_one_inode(root, key->objectid);
+-      if (!dir)
+-              return -EIO;
++      dir = btrfs_iget_logging(key->objectid, root);
++      if (IS_ERR(dir))
++              return PTR_ERR(dir);
+       ret = read_alloc_one_name(eb, di + 1, btrfs_dir_name_len(eb, di), &name);
+       if (ret)
+@@ -2146,9 +2139,10 @@ static noinline int check_item_in_log(struct btrfs_trans_handle *trans,
+       btrfs_dir_item_key_to_cpu(eb, di, &location);
+       btrfs_release_path(path);
+       btrfs_release_path(log_path);
+-      inode = read_one_inode(root, location.objectid);
+-      if (!inode) {
+-              ret = -EIO;
++      inode = btrfs_iget_logging(location.objectid, root);
++      if (IS_ERR(inode)) {
++              ret = PTR_ERR(inode);
++              inode = NULL;
+               goto out;
+       }
+@@ -2300,14 +2294,17 @@ static noinline int replay_dir_deletes(struct btrfs_trans_handle *trans,
+       if (!log_path)
+               return -ENOMEM;
+-      dir = read_one_inode(root, dirid);
+-      /* it isn't an error if the inode isn't there, that can happen
+-       * because we replay the deletes before we copy in the inode item
+-       * from the log
++      dir = btrfs_iget_logging(dirid, root);
++      /*
++       * It isn't an error if the inode isn't there, that can happen because
++       * we replay the deletes before we copy in the inode item from the log.
+        */
+-      if (!dir) {
++      if (IS_ERR(dir)) {
+               btrfs_free_path(log_path);
+-              return 0;
++              ret = PTR_ERR(dir);
++              if (ret == -ENOENT)
++                      ret = 0;
++              return ret;
+       }
+       range_start = 0;
+@@ -2466,9 +2463,9 @@ static int replay_one_buffer(struct btrfs_root *log, struct extent_buffer *eb,
+                               struct btrfs_inode *inode;
+                               u64 from;
+-                              inode = read_one_inode(root, key.objectid);
+-                              if (!inode) {
+-                                      ret = -EIO;
++                              inode = btrfs_iget_logging(key.objectid, root);
++                              if (IS_ERR(inode)) {
++                                      ret = PTR_ERR(inode);
+                                       break;
+                               }
+                               from = ALIGN(i_size_read(&inode->vfs_inode),
+-- 
+2.39.5
+
diff --git a/queue-6.15/btrfs-fix-iteration-of-extrefs-during-log-replay.patch b/queue-6.15/btrfs-fix-iteration-of-extrefs-during-log-replay.patch
new file mode 100644 (file)
index 0000000..a39ea2b
--- /dev/null
@@ -0,0 +1,51 @@
+From 9f3597b6313a535a6c6d70b27db36d524dfabb40 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Jun 2025 12:11:58 +0100
+Subject: btrfs: fix iteration of extrefs during log replay
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 54a7081ed168b72a8a2d6ef4ba3a1259705a2926 ]
+
+At __inode_add_ref() when processing extrefs, if we jump into the next
+label we have an undefined value of victim_name.len, since we haven't
+initialized it before we did the goto. This results in an invalid memory
+access in the next iteration of the loop since victim_name.len was not
+initialized to the length of the name of the current extref.
+
+Fix this by initializing victim_name.len with the current extref's name
+length.
+
+Fixes: e43eec81c516 ("btrfs: use struct qstr instead of name and namelen pairs")
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/tree-log.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
+index cc223c3b39c10..118db10464207 100644
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -1145,13 +1145,13 @@ static inline int __add_inode_ref(struct btrfs_trans_handle *trans,
+                       struct fscrypt_str victim_name;
+                       extref = (struct btrfs_inode_extref *)(base + cur_offset);
++                      victim_name.len = btrfs_inode_extref_name_len(leaf, extref);
+                       if (btrfs_inode_extref_parent(leaf, extref) != parent_objectid)
+                               goto next;
+                       ret = read_alloc_one_name(leaf, &extref->name,
+-                               btrfs_inode_extref_name_len(leaf, extref),
+-                               &victim_name);
++                                                victim_name.len, &victim_name);
+                       if (ret)
+                               return ret;
+-- 
+2.39.5
+
diff --git a/queue-6.15/btrfs-fix-missing-error-handling-when-searching-for-.patch b/queue-6.15/btrfs-fix-missing-error-handling-when-searching-for-.patch
new file mode 100644 (file)
index 0000000..ba9e98b
--- /dev/null
@@ -0,0 +1,45 @@
+From 36c48910bcf47e502c02bd143177254338ad5b55 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 16:57:07 +0100
+Subject: btrfs: fix missing error handling when searching for inode refs
+ during log replay
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 6561a40ceced9082f50c374a22d5966cf9fc5f5c ]
+
+During log replay, at __add_inode_ref(), when we are searching for inode
+ref keys we totally ignore if btrfs_search_slot() returns an error. This
+may make a log replay succeed when there was an actual error and leave
+some metadata inconsistency in a subvolume tree. Fix this by checking if
+an error was returned from btrfs_search_slot() and if so, return it to
+the caller.
+
+Fixes: e02119d5a7b4 ("Btrfs: Add a write ahead tree log to optimize synchronous operations")
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/tree-log.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
+index ef9660eabf0c6..cc223c3b39c10 100644
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -1070,7 +1070,9 @@ static inline int __add_inode_ref(struct btrfs_trans_handle *trans,
+       search_key.type = BTRFS_INODE_REF_KEY;
+       search_key.offset = parent_objectid;
+       ret = btrfs_search_slot(NULL, root, &search_key, path, 0, 0);
+-      if (ret == 0) {
++      if (ret < 0) {
++              return ret;
++      } else if (ret == 0) {
+               struct btrfs_inode_ref *victim_ref;
+               unsigned long ptr;
+               unsigned long ptr_end;
+-- 
+2.39.5
+
diff --git a/queue-6.15/btrfs-propagate-last_unlink_trans-earlier-when-doing.patch b/queue-6.15/btrfs-propagate-last_unlink_trans-earlier-when-doing.patch
new file mode 100644 (file)
index 0000000..4ce9d31
--- /dev/null
@@ -0,0 +1,100 @@
+From b4765dc4d0808eb551f517604f5cdff6738ea9a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 15:54:05 +0100
+Subject: btrfs: propagate last_unlink_trans earlier when doing a rmdir
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit c466e33e729a0ee017d10d919cba18f503853c60 ]
+
+In case the removed directory had a snapshot that was deleted, we are
+propagating its inode's last_unlink_trans to the parent directory after
+we removed the entry from the parent directory. This leaves a small race
+window where someone can log the parent directory after we removed the
+entry and before we updated last_unlink_trans, and as a result if we ever
+try to replay such a log tree, we will fail since we will attempt to
+remove a snapshot during log replay, which is currently not possible and
+results in the log replay (and mount) to fail. This is the type of failure
+described in commit 1ec9a1ae1e30 ("Btrfs: fix unreplayable log after
+snapshot delete + parent dir fsync").
+
+So fix this by propagating the last_unlink_trans to the parent directory
+before we remove the entry from it.
+
+Fixes: 44f714dae50a ("Btrfs: improve performance on fsync against new inode after rename/unlink")
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/inode.c | 36 ++++++++++++++++++------------------
+ 1 file changed, 18 insertions(+), 18 deletions(-)
+
+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
+index 391172b443e50..24db00a9319b3 100644
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -4724,7 +4724,6 @@ static int btrfs_rmdir(struct inode *dir, struct dentry *dentry)
+       struct btrfs_fs_info *fs_info = BTRFS_I(inode)->root->fs_info;
+       int ret = 0;
+       struct btrfs_trans_handle *trans;
+-      u64 last_unlink_trans;
+       struct fscrypt_name fname;
+       if (inode->i_size > BTRFS_EMPTY_DIR_SIZE)
+@@ -4750,6 +4749,23 @@ static int btrfs_rmdir(struct inode *dir, struct dentry *dentry)
+               goto out_notrans;
+       }
++      /*
++       * Propagate the last_unlink_trans value of the deleted dir to its
++       * parent directory. This is to prevent an unrecoverable log tree in the
++       * case we do something like this:
++       * 1) create dir foo
++       * 2) create snapshot under dir foo
++       * 3) delete the snapshot
++       * 4) rmdir foo
++       * 5) mkdir foo
++       * 6) fsync foo or some file inside foo
++       *
++       * This is because we can't unlink other roots when replaying the dir
++       * deletes for directory foo.
++       */
++      if (BTRFS_I(inode)->last_unlink_trans >= trans->transid)
++              BTRFS_I(dir)->last_unlink_trans = BTRFS_I(inode)->last_unlink_trans;
++
+       if (unlikely(btrfs_ino(BTRFS_I(inode)) == BTRFS_EMPTY_SUBVOL_DIR_OBJECTID)) {
+               ret = btrfs_unlink_subvol(trans, BTRFS_I(dir), dentry);
+               goto out;
+@@ -4759,27 +4775,11 @@ static int btrfs_rmdir(struct inode *dir, struct dentry *dentry)
+       if (ret)
+               goto out;
+-      last_unlink_trans = BTRFS_I(inode)->last_unlink_trans;
+-
+       /* now the directory is empty */
+       ret = btrfs_unlink_inode(trans, BTRFS_I(dir), BTRFS_I(d_inode(dentry)),
+                                &fname.disk_name);
+-      if (!ret) {
++      if (!ret)
+               btrfs_i_size_write(BTRFS_I(inode), 0);
+-              /*
+-               * Propagate the last_unlink_trans value of the deleted dir to
+-               * its parent directory. This is to prevent an unrecoverable
+-               * log tree in the case we do something like this:
+-               * 1) create dir foo
+-               * 2) create snapshot under dir foo
+-               * 3) delete the snapshot
+-               * 4) rmdir foo
+-               * 5) mkdir foo
+-               * 6) fsync foo or some file inside foo
+-               */
+-              if (last_unlink_trans >= trans->transid)
+-                      BTRFS_I(dir)->last_unlink_trans = last_unlink_trans;
+-      }
+ out:
+       btrfs_end_transaction(trans);
+ out_notrans:
+-- 
+2.39.5
+
diff --git a/queue-6.15/btrfs-record-new-subvolume-in-parent-dir-earlier-to-.patch b/queue-6.15/btrfs-record-new-subvolume-in-parent-dir-earlier-to-.patch
new file mode 100644 (file)
index 0000000..c35e535
--- /dev/null
@@ -0,0 +1,70 @@
+From 84213d552a51c59cfc55732e455b3c65c96412fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Jun 2025 13:13:38 +0100
+Subject: btrfs: record new subvolume in parent dir earlier to avoid dir
+ logging races
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit bf5bcf9a6fa070ec8a725b08db63fb1318f77366 ]
+
+Instead of recording that a new subvolume was created in a directory after
+we add the entry do the directory, record it before adding the entry. This
+is to avoid races where after creating the entry and before recording the
+new subvolume in the directory (the call to btrfs_record_new_subvolume()),
+another task logs the directory, so we end up with a log tree where we
+logged a directory that has an entry pointing to a root that was not yet
+committed, resulting in an invalid entry if the log is persisted and
+replayed later due to a power failure or crash.
+
+Also state this requirement in the function comment for
+btrfs_record_new_subvolume(), similar to what we do for the
+btrfs_record_unlink_dir() and btrfs_record_snapshot_destroy().
+
+Fixes: 45c4102f0d82 ("btrfs: avoid transaction commit on any fsync after subvolume creation")
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/ioctl.c    | 4 ++--
+ fs/btrfs/tree-log.c | 2 ++
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
+index 63aeacc549457..b70ef4455610a 100644
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -666,14 +666,14 @@ static noinline int create_subvol(struct mnt_idmap *idmap,
+               goto out;
+       }
++      btrfs_record_new_subvolume(trans, BTRFS_I(dir));
++
+       ret = btrfs_create_new_inode(trans, &new_inode_args);
+       if (ret) {
+               btrfs_abort_transaction(trans, ret);
+               goto out;
+       }
+-      btrfs_record_new_subvolume(trans, BTRFS_I(dir));
+-
+       d_instantiate_new(dentry, new_inode_args.inode);
+       new_inode_args.inode = NULL;
+diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
+index f8611ec11da9d..e05140ce95be9 100644
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -7444,6 +7444,8 @@ void btrfs_record_snapshot_destroy(struct btrfs_trans_handle *trans,
+  * full log sync.
+  * Also we don't need to worry with renames, since btrfs_rename() marks the log
+  * for full commit when renaming a subvolume.
++ *
++ * Must be called before creating the subvolume entry in its parent directory.
+  */
+ void btrfs_record_new_subvolume(const struct btrfs_trans_handle *trans,
+                               struct btrfs_inode *dir)
+-- 
+2.39.5
+
diff --git a/queue-6.15/btrfs-use-btrfs_record_snapshot_destroy-during-rmdir.patch b/queue-6.15/btrfs-use-btrfs_record_snapshot_destroy-during-rmdir.patch
new file mode 100644 (file)
index 0000000..faa82da
--- /dev/null
@@ -0,0 +1,46 @@
+From 1bf781bd5e1000ba269800ee7e370aa666c10c92 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 16:37:01 +0100
+Subject: btrfs: use btrfs_record_snapshot_destroy() during rmdir
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 157501b0469969fc1ba53add5049575aadd79d80 ]
+
+We are setting the parent directory's last_unlink_trans directly which
+may result in a concurrent task starting to log the directory not see the
+update and therefore can log the directory after we removed a child
+directory which had a snapshot within instead of falling back to a
+transaction commit. Replaying such a log tree would result in a mount
+failure since we can't currently delete snapshots (and subvolumes) during
+log replay. This is the type of failure described in commit 1ec9a1ae1e30
+("Btrfs: fix unreplayable log after snapshot delete + parent dir fsync").
+
+Fix this by using btrfs_record_snapshot_destroy() which updates the
+last_unlink_trans field while holding the inode's log_mutex lock.
+
+Fixes: 44f714dae50a ("Btrfs: improve performance on fsync against new inode after rename/unlink")
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
+index 24db00a9319b3..f18f4d59d389e 100644
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -4764,7 +4764,7 @@ static int btrfs_rmdir(struct inode *dir, struct dentry *dentry)
+        * deletes for directory foo.
+        */
+       if (BTRFS_I(inode)->last_unlink_trans >= trans->transid)
+-              BTRFS_I(dir)->last_unlink_trans = BTRFS_I(inode)->last_unlink_trans;
++              btrfs_record_snapshot_destroy(trans, BTRFS_I(dir));
+       if (unlikely(btrfs_ino(BTRFS_I(inode)) == BTRFS_EMPTY_SUBVOL_DIR_OBJECTID)) {
+               ret = btrfs_unlink_subvol(trans, BTRFS_I(dir), dentry);
+-- 
+2.39.5
+
diff --git a/queue-6.15/dpaa2-eth-fix-xdp_rxq_info-leak.patch b/queue-6.15/dpaa2-eth-fix-xdp_rxq_info-leak.patch
new file mode 100644 (file)
index 0000000..6bc00d7
--- /dev/null
@@ -0,0 +1,101 @@
+From a7bf06420e6225309c3bda8ee2c7b5c269ebb670 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Jun 2025 21:30:03 +0800
+Subject: dpaa2-eth: fix xdp_rxq_info leak
+
+From: Fushuai Wang <wangfushuai@baidu.com>
+
+[ Upstream commit 2def09ead4ad5907988b655d1e1454003aaf8297 ]
+
+The driver registered xdp_rxq_info structures via xdp_rxq_info_reg()
+but failed to properly unregister them in error paths and during
+removal.
+
+Fixes: d678be1dc1ec ("dpaa2-eth: add XDP_REDIRECT support")
+Signed-off-by: Fushuai Wang <wangfushuai@baidu.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Ioana Ciornei <ioana.ciornei@nxp.com>
+Link: https://patch.msgid.link/20250626133003.80136-1-wangfushuai@baidu.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/freescale/dpaa2/dpaa2-eth.c  | 26 +++++++++++++++++--
+ 1 file changed, 24 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
+index 29886a8ba73f3..efd0048acd3b2 100644
+--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
+@@ -3928,6 +3928,7 @@ static int dpaa2_eth_setup_rx_flow(struct dpaa2_eth_priv *priv,
+                                        MEM_TYPE_PAGE_ORDER0, NULL);
+       if (err) {
+               dev_err(dev, "xdp_rxq_info_reg_mem_model failed\n");
++              xdp_rxq_info_unreg(&fq->channel->xdp_rxq);
+               return err;
+       }
+@@ -4421,17 +4422,25 @@ static int dpaa2_eth_bind_dpni(struct dpaa2_eth_priv *priv)
+                       return -EINVAL;
+               }
+               if (err)
+-                      return err;
++                      goto out;
+       }
+       err = dpni_get_qdid(priv->mc_io, 0, priv->mc_token,
+                           DPNI_QUEUE_TX, &priv->tx_qdid);
+       if (err) {
+               dev_err(dev, "dpni_get_qdid() failed\n");
+-              return err;
++              goto out;
+       }
+       return 0;
++
++out:
++      while (i--) {
++              if (priv->fq[i].type == DPAA2_RX_FQ &&
++                  xdp_rxq_info_is_reg(&priv->fq[i].channel->xdp_rxq))
++                      xdp_rxq_info_unreg(&priv->fq[i].channel->xdp_rxq);
++      }
++      return err;
+ }
+ /* Allocate rings for storing incoming frame descriptors */
+@@ -4814,6 +4823,17 @@ static void dpaa2_eth_del_ch_napi(struct dpaa2_eth_priv *priv)
+       }
+ }
++static void dpaa2_eth_free_rx_xdp_rxq(struct dpaa2_eth_priv *priv)
++{
++      int i;
++
++      for (i = 0; i < priv->num_fqs; i++) {
++              if (priv->fq[i].type == DPAA2_RX_FQ &&
++                  xdp_rxq_info_is_reg(&priv->fq[i].channel->xdp_rxq))
++                      xdp_rxq_info_unreg(&priv->fq[i].channel->xdp_rxq);
++      }
++}
++
+ static int dpaa2_eth_probe(struct fsl_mc_device *dpni_dev)
+ {
+       struct device *dev;
+@@ -5017,6 +5037,7 @@ static int dpaa2_eth_probe(struct fsl_mc_device *dpni_dev)
+       free_percpu(priv->percpu_stats);
+ err_alloc_percpu_stats:
+       dpaa2_eth_del_ch_napi(priv);
++      dpaa2_eth_free_rx_xdp_rxq(priv);
+ err_bind:
+       dpaa2_eth_free_dpbps(priv);
+ err_dpbp_setup:
+@@ -5069,6 +5090,7 @@ static void dpaa2_eth_remove(struct fsl_mc_device *ls_dev)
+       free_percpu(priv->percpu_extras);
+       dpaa2_eth_del_ch_napi(priv);
++      dpaa2_eth_free_rx_xdp_rxq(priv);
+       dpaa2_eth_free_dpbps(priv);
+       dpaa2_eth_free_dpio(priv);
+       dpaa2_eth_free_dpni(priv);
+-- 
+2.39.5
+
diff --git a/queue-6.15/drm-bridge-aux-hpd-bridge-fix-assignment-of-the-of_n.patch b/queue-6.15/drm-bridge-aux-hpd-bridge-fix-assignment-of-the-of_n.patch
new file mode 100644 (file)
index 0000000..215c304
--- /dev/null
@@ -0,0 +1,49 @@
+From 6e21bc3490e20d147b8b2c563de229475cea9ca2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Jun 2025 18:52:04 +0300
+Subject: drm/bridge: aux-hpd-bridge: fix assignment of the of_node
+
+From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+
+[ Upstream commit e8537cad824065b0425fb0429e762e14a08067c2 ]
+
+Perform fix similar to the one in the commit 85e444a68126 ("drm/bridge:
+Fix assignment of the of_node of the parent to aux bridge").
+
+The assignment of the of_node to the aux HPD bridge needs to mark the
+of_node as reused, otherwise driver core will attempt to bind resources
+like pinctrl, which is going to fail as corresponding pins are already
+marked as used by the parent device.
+Fix that by using the device_set_of_node_from_dev() helper instead of
+assigning it directly.
+
+Fixes: e560518a6c2e ("drm/bridge: implement generic DP HPD bridge")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://lore.kernel.org/r/20250608-fix-aud-hpd-bridge-v1-1-4641a6f8e381@oss.qualcomm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/aux-hpd-bridge.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/bridge/aux-hpd-bridge.c b/drivers/gpu/drm/bridge/aux-hpd-bridge.c
+index 48f297c78ee67..1ec4f16b9939d 100644
+--- a/drivers/gpu/drm/bridge/aux-hpd-bridge.c
++++ b/drivers/gpu/drm/bridge/aux-hpd-bridge.c
+@@ -64,10 +64,11 @@ struct auxiliary_device *devm_drm_dp_hpd_bridge_alloc(struct device *parent, str
+       adev->id = ret;
+       adev->name = "dp_hpd_bridge";
+       adev->dev.parent = parent;
+-      adev->dev.of_node = of_node_get(parent->of_node);
+       adev->dev.release = drm_aux_hpd_bridge_release;
+       adev->dev.platform_data = of_node_get(np);
++      device_set_of_node_from_dev(&adev->dev, parent);
++
+       ret = auxiliary_device_init(adev);
+       if (ret) {
+               of_node_put(adev->dev.platform_data);
+-- 
+2.39.5
+
diff --git a/queue-6.15/drm-bridge-panel-move-prepare_prev_first-handling-to.patch b/queue-6.15/drm-bridge-panel-move-prepare_prev_first-handling-to.patch
new file mode 100644 (file)
index 0000000..907badd
--- /dev/null
@@ -0,0 +1,67 @@
+From e9aa8b54f7238cacfa3533d102d206acc80348ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Feb 2025 17:07:26 +0200
+Subject: drm/bridge: panel: move prepare_prev_first handling to
+ drm_panel_bridge_add_typed
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit eb028cd884e1b0976ff8c5944ee6650fe3ed0a6c ]
+
+The commit 5ea6b1702781 ("drm/panel: Add prepare_prev_first flag to
+drm_panel") and commit 0974687a19c3 ("drm/bridge: panel: Set
+pre_enable_prev_first from drmm_panel_bridge_add") added handling of
+panel's prepare_prev_first to devm_panel_bridge_add() and
+drmm_panel_bridge_add(). However if the driver calls
+drm_panel_bridge_add_typed() directly, then the flag won't be handled
+and thus the drm_bridge.pre_enable_prev_first will not be set.
+
+Move prepare_prev_first handling to the drm_panel_bridge_add_typed() so
+that there is no way to miss the flag.
+
+Fixes: 5ea6b1702781 ("drm/panel: Add prepare_prev_first flag to drm_panel")
+Fixes: 0974687a19c3 ("drm/bridge: panel: Set pre_enable_prev_first from drmm_panel_bridge_add")
+Reported-by: Svyatoslav Ryhel <clamor95@gmail.com>
+Closes: https://lore.kernel.org/dri-devel/CAPVz0n3YZass3Bns1m0XrFxtAC0DKbEPiW6vXimQx97G243sXw@mail.gmail.com/
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://lore.kernel.org/r/20250220-panel_prev_first-v1-1-b9e787825a1a@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/panel.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/bridge/panel.c b/drivers/gpu/drm/bridge/panel.c
+index 258c85c83a283..6c58d0759f227 100644
+--- a/drivers/gpu/drm/bridge/panel.c
++++ b/drivers/gpu/drm/bridge/panel.c
+@@ -298,6 +298,7 @@ struct drm_bridge *drm_panel_bridge_add_typed(struct drm_panel *panel,
+       panel_bridge->bridge.of_node = panel->dev->of_node;
+       panel_bridge->bridge.ops = DRM_BRIDGE_OP_MODES;
+       panel_bridge->bridge.type = connector_type;
++      panel_bridge->bridge.pre_enable_prev_first = panel->prepare_prev_first;
+       drm_bridge_add(&panel_bridge->bridge);
+@@ -412,8 +413,6 @@ struct drm_bridge *devm_drm_panel_bridge_add_typed(struct device *dev,
+               return bridge;
+       }
+-      bridge->pre_enable_prev_first = panel->prepare_prev_first;
+-
+       *ptr = bridge;
+       devres_add(dev, ptr);
+@@ -455,8 +454,6 @@ struct drm_bridge *drmm_panel_bridge_add(struct drm_device *drm,
+       if (ret)
+               return ERR_PTR(ret);
+-      bridge->pre_enable_prev_first = panel->prepare_prev_first;
+-
+       return bridge;
+ }
+ EXPORT_SYMBOL(drmm_panel_bridge_add);
+-- 
+2.39.5
+
diff --git a/queue-6.15/drm-exynos-fimd-guard-display-clock-control-with-run.patch b/queue-6.15/drm-exynos-fimd-guard-display-clock-control-with-run.patch
new file mode 100644 (file)
index 0000000..a9bb61b
--- /dev/null
@@ -0,0 +1,67 @@
+From 03cccb6fa3a2e53eb603b0c21dd33a182eee2d1d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 14:06:26 +0200
+Subject: drm/exynos: fimd: Guard display clock control with runtime PM calls
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+[ Upstream commit 5d91394f236167ac624b823820faf4aa928b889e ]
+
+Commit c9b1150a68d9 ("drm/atomic-helper: Re-order bridge chain pre-enable
+and post-disable") changed the call sequence to the CRTC enable/disable
+and bridge pre_enable/post_disable methods, so those bridge methods are
+now called when CRTC is not yet enabled.
+
+This causes a lockup observed on Samsung Peach-Pit/Pi Chromebooks. The
+source of this lockup is a call to fimd_dp_clock_enable() function, when
+FIMD device is not yet runtime resumed. It worked before the mentioned
+commit only because the CRTC implemented by the FIMD driver was always
+enabled what guaranteed the FIMD device to be runtime resumed.
+
+This patch adds runtime PM guards to the fimd_dp_clock_enable() function
+to enable its proper operation also when the CRTC implemented by FIMD is
+not yet enabled.
+
+Fixes: 196e059a8a6a ("drm/exynos: convert clock_enable crtc callback to pipeline clock")
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Reviewed-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+Signed-off-by: Inki Dae <inki.dae@samsung.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/exynos/exynos_drm_fimd.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/gpu/drm/exynos/exynos_drm_fimd.c b/drivers/gpu/drm/exynos/exynos_drm_fimd.c
+index c394cc702d7d4..205c238cc73a6 100644
+--- a/drivers/gpu/drm/exynos/exynos_drm_fimd.c
++++ b/drivers/gpu/drm/exynos/exynos_drm_fimd.c
+@@ -187,6 +187,7 @@ struct fimd_context {
+       u32                             i80ifcon;
+       bool                            i80_if;
+       bool                            suspended;
++      bool                            dp_clk_enabled;
+       wait_queue_head_t               wait_vsync_queue;
+       atomic_t                        wait_vsync_event;
+       atomic_t                        win_updated;
+@@ -1047,7 +1048,18 @@ static void fimd_dp_clock_enable(struct exynos_drm_clk *clk, bool enable)
+       struct fimd_context *ctx = container_of(clk, struct fimd_context,
+                                               dp_clk);
+       u32 val = enable ? DP_MIE_CLK_DP_ENABLE : DP_MIE_CLK_DISABLE;
++
++      if (enable == ctx->dp_clk_enabled)
++              return;
++
++      if (enable)
++              pm_runtime_resume_and_get(ctx->dev);
++
++      ctx->dp_clk_enabled = enable;
+       writel(val, ctx->regs + DP_MIE_CLKCON);
++
++      if (!enable)
++              pm_runtime_put(ctx->dev);
+ }
+ static const struct exynos_drm_crtc_ops fimd_crtc_ops = {
+-- 
+2.39.5
+
diff --git a/queue-6.15/drm-i915-gsc-mei-interrupt-top-half-should-be-in-irq.patch b/queue-6.15/drm-i915-gsc-mei-interrupt-top-half-should-be-in-irq.patch
new file mode 100644 (file)
index 0000000..dff70b8
--- /dev/null
@@ -0,0 +1,52 @@
+From 28a5d8899f8c150852b2adf7b8ea2211cc35ecb8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Apr 2025 23:11:07 +0800
+Subject: drm/i915/gsc: mei interrupt top half should be in irq disabled
+ context
+
+From: Junxiao Chang <junxiao.chang@intel.com>
+
+[ Upstream commit 8cadce97bf264ed478669c6f32d5603b34608335 ]
+
+MEI GSC interrupt comes from i915. It has top half and bottom half.
+Top half is called from i915 interrupt handler. It should be in
+irq disabled context.
+
+With RT kernel, by default i915 IRQ handler is in threaded IRQ. MEI GSC
+top half might be in threaded IRQ context. generic_handle_irq_safe API
+could be called from either IRQ or process context, it disables local
+IRQ then calls MEI GSC interrupt top half.
+
+This change fixes A380/A770 GPU boot hang issue with RT kernel.
+
+Fixes: 1e3dc1d8622b ("drm/i915/gsc: add gsc as a mei auxiliary device")
+Tested-by: Furong Zhou <furong.zhou@intel.com>
+Suggested-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Acked-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Junxiao Chang <junxiao.chang@intel.com>
+Link: https://lore.kernel.org/r/20250425151108.643649-1-junxiao.chang@intel.com
+Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+(cherry picked from commit dccf655f69002d496a527ba441b4f008aa5bebbf)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gt/intel_gsc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i915/gt/intel_gsc.c b/drivers/gpu/drm/i915/gt/intel_gsc.c
+index 1e925c75fb080..c43febc862dc3 100644
+--- a/drivers/gpu/drm/i915/gt/intel_gsc.c
++++ b/drivers/gpu/drm/i915/gt/intel_gsc.c
+@@ -284,7 +284,7 @@ static void gsc_irq_handler(struct intel_gt *gt, unsigned int intf_id)
+       if (gt->gsc.intf[intf_id].irq < 0)
+               return;
+-      ret = generic_handle_irq(gt->gsc.intf[intf_id].irq);
++      ret = generic_handle_irq_safe(gt->gsc.intf[intf_id].irq);
+       if (ret)
+               gt_err_ratelimited(gt, "error handling GSC irq: %d\n", ret);
+ }
+-- 
+2.39.5
+
diff --git a/queue-6.15/drm-i915-gt-fix-timeline-left-held-on-vma-alloc-erro.patch b/queue-6.15/drm-i915-gt-fix-timeline-left-held-on-vma-alloc-erro.patch
new file mode 100644 (file)
index 0000000..7194e12
--- /dev/null
@@ -0,0 +1,128 @@
+From ae2360644eaafc3db578f90807bcff6434ffc9b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 12:42:13 +0200
+Subject: drm/i915/gt: Fix timeline left held on VMA alloc error
+
+From: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
+
+[ Upstream commit a5aa7bc1fca78c7fa127d9e33aa94a0c9066c1d6 ]
+
+The following error has been reported sporadically by CI when a test
+unbinds the i915 driver on a ring submission platform:
+
+<4> [239.330153] ------------[ cut here ]------------
+<4> [239.330166] i915 0000:00:02.0: [drm] drm_WARN_ON(dev_priv->mm.shrink_count)
+<4> [239.330196] WARNING: CPU: 1 PID: 18570 at drivers/gpu/drm/i915/i915_gem.c:1309 i915_gem_cleanup_early+0x13e/0x150 [i915]
+...
+<4> [239.330640] RIP: 0010:i915_gem_cleanup_early+0x13e/0x150 [i915]
+...
+<4> [239.330942] Call Trace:
+<4> [239.330944]  <TASK>
+<4> [239.330949]  i915_driver_late_release+0x2b/0xa0 [i915]
+<4> [239.331202]  i915_driver_release+0x86/0xa0 [i915]
+<4> [239.331482]  devm_drm_dev_init_release+0x61/0x90
+<4> [239.331494]  devm_action_release+0x15/0x30
+<4> [239.331504]  release_nodes+0x3d/0x120
+<4> [239.331517]  devres_release_all+0x96/0xd0
+<4> [239.331533]  device_unbind_cleanup+0x12/0x80
+<4> [239.331543]  device_release_driver_internal+0x23a/0x280
+<4> [239.331550]  ? bus_find_device+0xa5/0xe0
+<4> [239.331563]  device_driver_detach+0x14/0x20
+...
+<4> [357.719679] ---[ end trace 0000000000000000 ]---
+
+If the test also unloads the i915 module then that's followed with:
+
+<3> [357.787478] =============================================================================
+<3> [357.788006] BUG i915_vma (Tainted: G     U  W        N ): Objects remaining on __kmem_cache_shutdown()
+<3> [357.788031] -----------------------------------------------------------------------------
+<3> [357.788204] Object 0xffff888109e7f480 @offset=29824
+<3> [357.788670] Allocated in i915_vma_instance+0xee/0xc10 [i915] age=292729 cpu=4 pid=2244
+<4> [357.788994]  i915_vma_instance+0xee/0xc10 [i915]
+<4> [357.789290]  init_status_page+0x7b/0x420 [i915]
+<4> [357.789532]  intel_engines_init+0x1d8/0x980 [i915]
+<4> [357.789772]  intel_gt_init+0x175/0x450 [i915]
+<4> [357.790014]  i915_gem_init+0x113/0x340 [i915]
+<4> [357.790281]  i915_driver_probe+0x847/0xed0 [i915]
+<4> [357.790504]  i915_pci_probe+0xe6/0x220 [i915]
+...
+
+Closer analysis of CI results history has revealed a dependency of the
+error on a few IGT tests, namely:
+- igt@api_intel_allocator@fork-simple-stress-signal,
+- igt@api_intel_allocator@two-level-inception-interruptible,
+- igt@gem_linear_blits@interruptible,
+- igt@prime_mmap_coherency@ioctl-errors,
+which invisibly trigger the issue, then exhibited with first driver unbind
+attempt.
+
+All of the above tests perform actions which are actively interrupted with
+signals.  Further debugging has allowed to narrow that scope down to
+DRM_IOCTL_I915_GEM_EXECBUFFER2, and ring_context_alloc(), specific to ring
+submission, in particular.
+
+If successful then that function, or its execlists or GuC submission
+equivalent, is supposed to be called only once per GEM context engine,
+followed by raise of a flag that prevents the function from being called
+again.  The function is expected to unwind its internal errors itself, so
+it may be safely called once more after it returns an error.
+
+In case of ring submission, the function first gets a reference to the
+engine's legacy timeline and then allocates a VMA.  If the VMA allocation
+fails, e.g. when i915_vma_instance() called from inside is interrupted
+with a signal, then ring_context_alloc() fails, leaving the timeline held
+referenced.  On next I915_GEM_EXECBUFFER2 IOCTL, another reference to the
+timeline is got, and only that last one is put on successful completion.
+As a consequence, the legacy timeline, with its underlying engine status
+page's VMA object, is still held and not released on driver unbind.
+
+Get the legacy timeline only after successful allocation of the context
+engine's VMA.
+
+v2: Add a note on other submission methods (Krzysztof Karas):
+    Both execlists and GuC submission use lrc_alloc() which seems free
+    from a similar issue.
+
+Fixes: 75d0a7f31eec ("drm/i915: Lift timeline into intel_context")
+Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/12061
+Cc: Chris Wilson <chris.p.wilson@linux.intel.com>
+Cc: Matthew Auld <matthew.auld@intel.com>
+Cc: Krzysztof Karas <krzysztof.karas@intel.com>
+Reviewed-by: Sebastian Brzezinka <sebastian.brzezinka@intel.com>
+Reviewed-by: Krzysztof Niemiec <krzysztof.niemiec@intel.com>
+Signed-off-by: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
+Reviewed-by: Nitin Gote <nitin.r.gote@intel.com>
+Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
+Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
+Link: https://lore.kernel.org/r/20250611104352.1014011-2-janusz.krzysztofik@linux.intel.com
+(cherry picked from commit cc43422b3cc79eacff4c5a8ba0d224688ca9dd4f)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/gt/intel_ring_submission.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i915/gt/intel_ring_submission.c b/drivers/gpu/drm/i915/gt/intel_ring_submission.c
+index 6e9977b2d1802..44a4b6723582f 100644
+--- a/drivers/gpu/drm/i915/gt/intel_ring_submission.c
++++ b/drivers/gpu/drm/i915/gt/intel_ring_submission.c
+@@ -604,7 +604,6 @@ static int ring_context_alloc(struct intel_context *ce)
+       /* One ringbuffer to rule them all */
+       GEM_BUG_ON(!engine->legacy.ring);
+       ce->ring = engine->legacy.ring;
+-      ce->timeline = intel_timeline_get(engine->legacy.timeline);
+       GEM_BUG_ON(ce->state);
+       if (engine->context_size) {
+@@ -617,6 +616,8 @@ static int ring_context_alloc(struct intel_context *ce)
+               ce->state = vma;
+       }
++      ce->timeline = intel_timeline_get(engine->legacy.timeline);
++
+       return 0;
+ }
+-- 
+2.39.5
+
diff --git a/queue-6.15/drm-i915-selftests-change-mock_request-to-return-err.patch b/queue-6.15/drm-i915-selftests-change-mock_request-to-return-err.patch
new file mode 100644 (file)
index 0000000..21178f3
--- /dev/null
@@ -0,0 +1,107 @@
+From 1d4ef85f62f6cf79443677c8594a7109ae6ca0ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jun 2025 10:21:58 -0500
+Subject: drm/i915/selftests: Change mock_request() to return error pointers
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit caa7c7a76b78ce41d347003f84975125383e6b59 ]
+
+There was an error pointer vs NULL bug in __igt_breadcrumbs_smoketest().
+The __mock_request_alloc() function implements the
+smoketest->request_alloc() function pointer.  It was supposed to return
+error pointers, but it propogates the NULL return from mock_request()
+so in the event of a failure, it would lead to a NULL pointer
+dereference.
+
+To fix this, change the mock_request() function to return error pointers
+and update all the callers to expect that.
+
+Fixes: 52c0fdb25c7c ("drm/i915: Replace global breadcrumbs with per-context interrupt tracking")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Link: https://lore.kernel.org/r/685c1417.050a0220.696f5.5c05@mx.google.com
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+(cherry picked from commit 778fa8ad5f0f23397d045c7ebca048ce8def1c43)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/selftests/i915_request.c | 20 +++++++++----------
+ drivers/gpu/drm/i915/selftests/mock_request.c |  2 +-
+ 2 files changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/selftests/i915_request.c b/drivers/gpu/drm/i915/selftests/i915_request.c
+index 88870844b5bd9..2fb7a9e7efec6 100644
+--- a/drivers/gpu/drm/i915/selftests/i915_request.c
++++ b/drivers/gpu/drm/i915/selftests/i915_request.c
+@@ -73,8 +73,8 @@ static int igt_add_request(void *arg)
+       /* Basic preliminary test to create a request and let it loose! */
+       request = mock_request(rcs0(i915)->kernel_context, HZ / 10);
+-      if (!request)
+-              return -ENOMEM;
++      if (IS_ERR(request))
++              return PTR_ERR(request);
+       i915_request_add(request);
+@@ -91,8 +91,8 @@ static int igt_wait_request(void *arg)
+       /* Submit a request, then wait upon it */
+       request = mock_request(rcs0(i915)->kernel_context, T);
+-      if (!request)
+-              return -ENOMEM;
++      if (IS_ERR(request))
++              return PTR_ERR(request);
+       i915_request_get(request);
+@@ -160,8 +160,8 @@ static int igt_fence_wait(void *arg)
+       /* Submit a request, treat it as a fence and wait upon it */
+       request = mock_request(rcs0(i915)->kernel_context, T);
+-      if (!request)
+-              return -ENOMEM;
++      if (IS_ERR(request))
++              return PTR_ERR(request);
+       if (dma_fence_wait_timeout(&request->fence, false, T) != -ETIME) {
+               pr_err("fence wait success before submit (expected timeout)!\n");
+@@ -219,8 +219,8 @@ static int igt_request_rewind(void *arg)
+       GEM_BUG_ON(IS_ERR(ce));
+       request = mock_request(ce, 2 * HZ);
+       intel_context_put(ce);
+-      if (!request) {
+-              err = -ENOMEM;
++      if (IS_ERR(request)) {
++              err = PTR_ERR(request);
+               goto err_context_0;
+       }
+@@ -237,8 +237,8 @@ static int igt_request_rewind(void *arg)
+       GEM_BUG_ON(IS_ERR(ce));
+       vip = mock_request(ce, 0);
+       intel_context_put(ce);
+-      if (!vip) {
+-              err = -ENOMEM;
++      if (IS_ERR(vip)) {
++              err = PTR_ERR(vip);
+               goto err_context_1;
+       }
+diff --git a/drivers/gpu/drm/i915/selftests/mock_request.c b/drivers/gpu/drm/i915/selftests/mock_request.c
+index 09f747228dff5..1b0cf073e9643 100644
+--- a/drivers/gpu/drm/i915/selftests/mock_request.c
++++ b/drivers/gpu/drm/i915/selftests/mock_request.c
+@@ -35,7 +35,7 @@ mock_request(struct intel_context *ce, unsigned long delay)
+       /* NB the i915->requests slab cache is enlarged to fit mock_request */
+       request = intel_context_create_request(ce);
+       if (IS_ERR(request))
+-              return NULL;
++              return request;
+       request->mock.delay = delay;
+       return request;
+-- 
+2.39.5
+
diff --git a/queue-6.15/drm-msm-fix-a-fence-leak-in-submit-error-path.patch b/queue-6.15/drm-msm-fix-a-fence-leak-in-submit-error-path.patch
new file mode 100644 (file)
index 0000000..c2c5806
--- /dev/null
@@ -0,0 +1,45 @@
+From f5bba720698fbc21c6c8d6f72cd368187ed2e213 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 May 2025 09:33:32 -0700
+Subject: drm/msm: Fix a fence leak in submit error path
+
+From: Rob Clark <robdclark@chromium.org>
+
+[ Upstream commit 5d319f75ccf7f0927425a7545aa1a22b3eedc189 ]
+
+In error paths, we could unref the submit without calling
+drm_sched_entity_push_job(), so msm_job_free() will never get
+called.  Since drm_sched_job_cleanup() will NULL out the
+s_fence, we can use that to detect this case.
+
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Patchwork: https://patchwork.freedesktop.org/patch/653584/
+Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/msm_gem_submit.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
+index 3e9aa2cc38ef9..b2aeaecaa39b3 100644
+--- a/drivers/gpu/drm/msm/msm_gem_submit.c
++++ b/drivers/gpu/drm/msm/msm_gem_submit.c
+@@ -85,6 +85,15 @@ void __msm_gem_submit_destroy(struct kref *kref)
+                       container_of(kref, struct msm_gem_submit, ref);
+       unsigned i;
++      /*
++       * In error paths, we could unref the submit without calling
++       * drm_sched_entity_push_job(), so msm_job_free() will never
++       * get called.  Since drm_sched_job_cleanup() will NULL out
++       * s_fence, we can use that to detect this case.
++       */
++      if (submit->base.s_fence)
++              drm_sched_job_cleanup(&submit->base);
++
+       if (submit->fence_id) {
+               spin_lock(&submit->queue->idr_lock);
+               idr_remove(&submit->queue->fence_idr, submit->fence_id);
+-- 
+2.39.5
+
diff --git a/queue-6.15/drm-msm-fix-another-leak-in-the-submit-error-path.patch b/queue-6.15/drm-msm-fix-another-leak-in-the-submit-error-path.patch
new file mode 100644 (file)
index 0000000..a3c6b9a
--- /dev/null
@@ -0,0 +1,57 @@
+From 8f08787b49c743fe58cf596fa26923dc03a5f2ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 May 2025 09:33:33 -0700
+Subject: drm/msm: Fix another leak in the submit error path
+
+From: Rob Clark <robdclark@chromium.org>
+
+[ Upstream commit f681c2aa8676a890eacc84044717ab0fd26e058f ]
+
+put_unused_fd() doesn't free the installed file, if we've already done
+fd_install().  So we need to also free the sync_file.
+
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Patchwork: https://patchwork.freedesktop.org/patch/653583/
+Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/msm_gem_submit.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
+index b2aeaecaa39b3..d4f71bb54e84c 100644
+--- a/drivers/gpu/drm/msm/msm_gem_submit.c
++++ b/drivers/gpu/drm/msm/msm_gem_submit.c
+@@ -658,6 +658,7 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data,
+       struct msm_ringbuffer *ring;
+       struct msm_submit_post_dep *post_deps = NULL;
+       struct drm_syncobj **syncobjs_to_reset = NULL;
++      struct sync_file *sync_file = NULL;
+       int out_fence_fd = -1;
+       unsigned i;
+       int ret;
+@@ -867,7 +868,7 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data,
+       }
+       if (ret == 0 && args->flags & MSM_SUBMIT_FENCE_FD_OUT) {
+-              struct sync_file *sync_file = sync_file_create(submit->user_fence);
++              sync_file = sync_file_create(submit->user_fence);
+               if (!sync_file) {
+                       ret = -ENOMEM;
+               } else {
+@@ -901,8 +902,11 @@ int msm_ioctl_gem_submit(struct drm_device *dev, void *data,
+ out_unlock:
+       mutex_unlock(&queue->lock);
+ out_post_unlock:
+-      if (ret && (out_fence_fd >= 0))
++      if (ret && (out_fence_fd >= 0)) {
+               put_unused_fd(out_fence_fd);
++              if (sync_file)
++                      fput(sync_file->file);
++      }
+       if (!IS_ERR_OR_NULL(submit)) {
+               msm_gem_submit_put(submit);
+-- 
+2.39.5
+
diff --git a/queue-6.15/drm-vmwgfx-fix-guests-running-with-tdx-sev.patch b/queue-6.15/drm-vmwgfx-fix-guests-running-with-tdx-sev.patch
new file mode 100644 (file)
index 0000000..1becc26
--- /dev/null
@@ -0,0 +1,53 @@
+From 2e7f386f232cea28192f42a11bab658cb24bb046 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 15:29:26 -0400
+Subject: drm/vmwgfx: Fix guests running with TDX/SEV
+
+From: Marko Kiiskila <marko.kiiskila@broadcom.com>
+
+[ Upstream commit 7dfede7d7edd18c0c91ca854cde8eaaf4ccf97ea ]
+
+Commit 81256a50aa0f ("x86/mm: Make memremap(MEMREMAP_WB) map memory as
+encrypted by default") changed the default behavior of
+memremap(MEMREMAP_WB) and started mapping memory as encrypted.
+The driver requires the fifo memory to be decrypted to communicate with
+the host but was relaying on the old default behavior of
+memremap(MEMREMAP_WB) and thus broke.
+
+Fix it by explicitly specifying the desired behavior and passing
+MEMREMAP_DEC to memremap.
+
+Fixes: 81256a50aa0f ("x86/mm: Make memremap(MEMREMAP_WB) map memory as encrypted by default")
+Signed-off-by: Marko Kiiskila <marko.kiiskila@broadcom.com>
+Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
+Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: linux-mm@kvack.org
+Cc: linux-kernel@vger.kernel.org
+Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Link: https://lore.kernel.org/r/20250618192926.1092450-1-zack.rusin@broadcom.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_drv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
+index 0f32471c85332..55c822a61b9ad 100644
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
+@@ -769,7 +769,7 @@ static int vmw_setup_pci_resources(struct vmw_private *dev,
+               dev->fifo_mem = devm_memremap(dev->drm.dev,
+                                             fifo_start,
+                                             fifo_size,
+-                                            MEMREMAP_WB);
++                                            MEMREMAP_WB | MEMREMAP_DEC);
+               if (IS_ERR(dev->fifo_mem)) {
+                       drm_err(&dev->drm,
+-- 
+2.39.5
+
diff --git a/queue-6.15/drm-xe-allow-dropping-kunit-dependency-as-built-in.patch b/queue-6.15/drm-xe-allow-dropping-kunit-dependency-as-built-in.patch
new file mode 100644 (file)
index 0000000..356bdfd
--- /dev/null
@@ -0,0 +1,51 @@
+From 6ec28634146caff107a000bdab8cee5c15add3d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 13:30:35 -0700
+Subject: drm/xe: Allow dropping kunit dependency as built-in
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Harry Austen <hpausten@protonmail.com>
+
+[ Upstream commit aa18d5769fcafe645a3ba01a9a69dde4f8dc8cc3 ]
+
+Fix Kconfig symbol dependency on KUNIT, which isn't actually required
+for XE to be built-in. However, if KUNIT is enabled, it must be built-in
+too.
+
+Fixes: 08987a8b6820 ("drm/xe: Fix build with KUNIT=m")
+Cc: Lucas De Marchi <lucas.demarchi@intel.com>
+Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Cc: Jani Nikula <jani.nikula@linux.intel.com>
+Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Signed-off-by: Harry Austen <hpausten@protonmail.com>
+Reviewed-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Acked-by: Randy Dunlap <rdunlap@infradead.org>
+Tested-by: Randy Dunlap <rdunlap@infradead.org>
+Link: https://lore.kernel.org/r/20250627-xe-kunit-v2-2-756fe5cd56cf@intel.com
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+(cherry picked from commit a559434880b320b83733d739733250815aecf1b0)
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xe/Kconfig | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/xe/Kconfig b/drivers/gpu/drm/xe/Kconfig
+index 9a46aafcb33ba..0dc3512876b3a 100644
+--- a/drivers/gpu/drm/xe/Kconfig
++++ b/drivers/gpu/drm/xe/Kconfig
+@@ -1,7 +1,8 @@
+ # SPDX-License-Identifier: GPL-2.0-only
+ config DRM_XE
+       tristate "Intel Xe Graphics"
+-      depends on DRM && PCI && MMU && (m || (y && KUNIT=y))
++      depends on DRM && PCI && MMU
++      depends on KUNIT || !KUNIT
+       depends on INTEL_VSEC || !INTEL_VSEC
+       depends on X86_PLATFORM_DEVICES || !(X86 && ACPI)
+       select INTERVAL_TREE
+-- 
+2.39.5
+
diff --git a/queue-6.15/drm-xe-bmg-update-wa_14022085890.patch b/queue-6.15/drm-xe-bmg-update-wa_14022085890.patch
new file mode 100644 (file)
index 0000000..dfe0ed3
--- /dev/null
@@ -0,0 +1,75 @@
+From 821299eeae5d5f476f4663f1be12b3782ff8b86e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jun 2025 00:09:02 -0700
+Subject: drm/xe/bmg: Update Wa_14022085890
+
+From: Vinay Belgaumkar <vinay.belgaumkar@intel.com>
+
+[ Upstream commit a5c7dcdd969f2248cc91d65e5ac852859fc8dac2 ]
+
+Set GT min frequency to 1200Mhz once driver load is complete.
+
+v2: Review comments (Rodrigo)
+v3: Apply Wa earlier so user_req_min is not clobbered.
+v4: Apply to all GTs (Lucas)
+
+Cc: Matt Roper <matthew.d.roper@intel.com>
+Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Vinay Belgaumkar <vinay.belgaumkar@intel.com>
+Reviewed-by: Stuart Summers <stuart.summers@intel.com>
+Link: https://lore.kernel.org/r/20250612-wa-14022085890-v4-3-94ba5dcc1e30@intel.com
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+(cherry picked from commit bdde16c9ac5cb56ad2ee19792222fa1853577af7)
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Stable-dep-of: 84c0b4a00610 ("drm/xe/bmg: Update Wa_22019338487")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xe/xe_guc_pc.c     | 5 +++++
+ drivers/gpu/drm/xe/xe_wa_oob.rules | 4 ++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/drivers/gpu/drm/xe/xe_guc_pc.c b/drivers/gpu/drm/xe/xe_guc_pc.c
+index 23a4c525c03bf..28b97a2c14e3b 100644
+--- a/drivers/gpu/drm/xe/xe_guc_pc.c
++++ b/drivers/gpu/drm/xe/xe_guc_pc.c
+@@ -52,6 +52,7 @@
+ #define LNL_MERT_FREQ_CAP     800
+ #define BMG_MERT_FREQ_CAP     2133
++#define BMG_MIN_FREQ          1200
+ #define SLPC_RESET_TIMEOUT_MS 5 /* roughly 5ms, but no need for precision */
+ #define SLPC_RESET_EXTENDED_TIMEOUT_MS 1000 /* To be used only at pc_start */
+@@ -817,6 +818,7 @@ void xe_guc_pc_init_early(struct xe_guc_pc *pc)
+ static int pc_adjust_freq_bounds(struct xe_guc_pc *pc)
+ {
++      struct xe_tile *tile = gt_to_tile(pc_to_gt(pc));
+       int ret;
+       lockdep_assert_held(&pc->freq_lock);
+@@ -843,6 +845,9 @@ static int pc_adjust_freq_bounds(struct xe_guc_pc *pc)
+       if (pc_get_min_freq(pc) > pc->rp0_freq)
+               ret = pc_set_min_freq(pc, pc->rp0_freq);
++      if (XE_WA(tile->primary_gt, 14022085890))
++              ret = pc_set_min_freq(pc, max(BMG_MIN_FREQ, pc_get_min_freq(pc)));
++
+ out:
+       return ret;
+ }
+diff --git a/drivers/gpu/drm/xe/xe_wa_oob.rules b/drivers/gpu/drm/xe/xe_wa_oob.rules
+index 9efc5accd43d1..320766f6c5dff 100644
+--- a/drivers/gpu/drm/xe/xe_wa_oob.rules
++++ b/drivers/gpu/drm/xe/xe_wa_oob.rules
+@@ -59,3 +59,7 @@ no_media_l3  MEDIA_VERSION(3000)
+               MEDIA_VERSION_RANGE(1301, 3000)
+ 16026508708   GRAPHICS_VERSION_RANGE(1200, 3001)
+               MEDIA_VERSION_RANGE(1300, 3000)
++
++# SoC workaround - currently applies to all platforms with the following
++# primary GT GMDID
++14022085890   GRAPHICS_VERSION(2001)
+-- 
+2.39.5
+
diff --git a/queue-6.15/drm-xe-bmg-update-wa_22019338487.patch b/queue-6.15/drm-xe-bmg-update-wa_22019338487.patch
new file mode 100644 (file)
index 0000000..ab87691
--- /dev/null
@@ -0,0 +1,266 @@
+From 0d9d9a01a8656e6c5c319eec853df1ef8b65b805 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 11:50:01 -0700
+Subject: drm/xe/bmg: Update Wa_22019338487
+
+From: Vinay Belgaumkar <vinay.belgaumkar@intel.com>
+
+[ Upstream commit 84c0b4a00610afbde650fdb8ad6db0424f7b2cc3 ]
+
+Limit GT max frequency to 2600MHz and wait for frequency to reduce
+before proceeding with a transient flush. This is really only needed for
+the transient flush: if L2 flush is needed due to 16023588340 then
+there's no need to do this additional wait since we are already using
+the bigger hammer.
+
+v2: Use generic names, ensure user set max frequency requests wait
+for flush to complete (Rodrigo)
+v3:
+ - User requests wait via wait_var_event_timeout (Lucas)
+ - Close races on flush + user requests (Lucas)
+ - Fix xe_guc_pc_remove_flush_freq_limit() being called on last gt
+   rather than root gt (Lucas)
+v4:
+ - Only apply the freq reducing part if a TDF is needed: L2 flush trumps
+   the need for waiting a lower frequency
+
+Fixes: aaa08078e725 ("drm/xe/bmg: Apply Wa_22019338487")
+Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Vinay Belgaumkar <vinay.belgaumkar@intel.com>
+Link: https://lore.kernel.org/r/20250618-wa-22019338487-v5-4-b888388477f2@intel.com
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+(cherry picked from commit deea6a7d6d803d6bb874a3e6f1b312e560e6c6df)
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xe/xe_device.c       |   8 +-
+ drivers/gpu/drm/xe/xe_guc_pc.c       | 125 +++++++++++++++++++++++++++
+ drivers/gpu/drm/xe/xe_guc_pc.h       |   2 +
+ drivers/gpu/drm/xe/xe_guc_pc_types.h |   2 +
+ 4 files changed, 135 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/xe/xe_device.c b/drivers/gpu/drm/xe/xe_device.c
+index 38fdddd7262aa..f3123914b1abf 100644
+--- a/drivers/gpu/drm/xe/xe_device.c
++++ b/drivers/gpu/drm/xe/xe_device.c
+@@ -38,6 +38,7 @@
+ #include "xe_gt_printk.h"
+ #include "xe_gt_sriov_vf.h"
+ #include "xe_guc.h"
++#include "xe_guc_pc.h"
+ #include "xe_hw_engine_group.h"
+ #include "xe_hwmon.h"
+ #include "xe_irq.h"
+@@ -1057,11 +1058,14 @@ void xe_device_td_flush(struct xe_device *xe)
+               return;
+       root_gt = xe_root_mmio_gt(xe);
+-      if (XE_WA(root_gt, 16023588340))
++      if (XE_WA(root_gt, 16023588340)) {
+               /* A transient flush is not sufficient: flush the L2 */
+               xe_device_l2_flush(xe);
+-      else
++      } else {
++              xe_guc_pc_apply_flush_freq_limit(&root_gt->uc.guc.pc);
+               tdf_request_sync(xe);
++              xe_guc_pc_remove_flush_freq_limit(&root_gt->uc.guc.pc);
++      }
+ }
+ u32 xe_device_ccs_bytes(struct xe_device *xe, u64 size)
+diff --git a/drivers/gpu/drm/xe/xe_guc_pc.c b/drivers/gpu/drm/xe/xe_guc_pc.c
+index 28b97a2c14e3b..1c7b044413f26 100644
+--- a/drivers/gpu/drm/xe/xe_guc_pc.c
++++ b/drivers/gpu/drm/xe/xe_guc_pc.c
+@@ -7,7 +7,9 @@
+ #include <linux/cleanup.h>
+ #include <linux/delay.h>
++#include <linux/jiffies.h>
+ #include <linux/ktime.h>
++#include <linux/wait_bit.h>
+ #include <drm/drm_managed.h>
+ #include <drm/drm_print.h>
+@@ -53,9 +55,11 @@
+ #define LNL_MERT_FREQ_CAP     800
+ #define BMG_MERT_FREQ_CAP     2133
+ #define BMG_MIN_FREQ          1200
++#define BMG_MERT_FLUSH_FREQ_CAP       2600
+ #define SLPC_RESET_TIMEOUT_MS 5 /* roughly 5ms, but no need for precision */
+ #define SLPC_RESET_EXTENDED_TIMEOUT_MS 1000 /* To be used only at pc_start */
++#define SLPC_ACT_FREQ_TIMEOUT_MS 100
+ /**
+  * DOC: GuC Power Conservation (PC)
+@@ -143,6 +147,36 @@ static int wait_for_pc_state(struct xe_guc_pc *pc,
+       return -ETIMEDOUT;
+ }
++static int wait_for_flush_complete(struct xe_guc_pc *pc)
++{
++      const unsigned long timeout = msecs_to_jiffies(30);
++
++      if (!wait_var_event_timeout(&pc->flush_freq_limit,
++                                  !atomic_read(&pc->flush_freq_limit),
++                                  timeout))
++              return -ETIMEDOUT;
++
++      return 0;
++}
++
++static int wait_for_act_freq_limit(struct xe_guc_pc *pc, u32 freq)
++{
++      int timeout_us = SLPC_ACT_FREQ_TIMEOUT_MS * USEC_PER_MSEC;
++      int slept, wait = 10;
++
++      for (slept = 0; slept < timeout_us;) {
++              if (xe_guc_pc_get_act_freq(pc) <= freq)
++                      return 0;
++
++              usleep_range(wait, wait << 1);
++              slept += wait;
++              wait <<= 1;
++              if (slept + wait > timeout_us)
++                      wait = timeout_us - slept;
++      }
++
++      return -ETIMEDOUT;
++}
+ static int pc_action_reset(struct xe_guc_pc *pc)
+ {
+       struct xe_guc_ct *ct = pc_to_ct(pc);
+@@ -673,6 +707,11 @@ static int xe_guc_pc_set_max_freq_locked(struct xe_guc_pc *pc, u32 freq)
+  */
+ int xe_guc_pc_set_max_freq(struct xe_guc_pc *pc, u32 freq)
+ {
++      if (XE_WA(pc_to_gt(pc), 22019338487)) {
++              if (wait_for_flush_complete(pc) != 0)
++                      return -EAGAIN;
++      }
++
+       guard(mutex)(&pc->freq_lock);
+       return xe_guc_pc_set_max_freq_locked(pc, freq);
+@@ -873,6 +912,92 @@ static int pc_adjust_requested_freq(struct xe_guc_pc *pc)
+       return ret;
+ }
++static bool needs_flush_freq_limit(struct xe_guc_pc *pc)
++{
++      struct xe_gt *gt = pc_to_gt(pc);
++
++      return  XE_WA(gt, 22019338487) &&
++              pc->rp0_freq > BMG_MERT_FLUSH_FREQ_CAP;
++}
++
++/**
++ * xe_guc_pc_apply_flush_freq_limit() - Limit max GT freq during L2 flush
++ * @pc: the xe_guc_pc object
++ *
++ * As per the WA, reduce max GT frequency during L2 cache flush
++ */
++void xe_guc_pc_apply_flush_freq_limit(struct xe_guc_pc *pc)
++{
++      struct xe_gt *gt = pc_to_gt(pc);
++      u32 max_freq;
++      int ret;
++
++      if (!needs_flush_freq_limit(pc))
++              return;
++
++      guard(mutex)(&pc->freq_lock);
++
++      ret = xe_guc_pc_get_max_freq_locked(pc, &max_freq);
++      if (!ret && max_freq > BMG_MERT_FLUSH_FREQ_CAP) {
++              ret = pc_set_max_freq(pc, BMG_MERT_FLUSH_FREQ_CAP);
++              if (ret) {
++                      xe_gt_err_once(gt, "Failed to cap max freq on flush to %u, %pe\n",
++                                     BMG_MERT_FLUSH_FREQ_CAP, ERR_PTR(ret));
++                      return;
++              }
++
++              atomic_set(&pc->flush_freq_limit, 1);
++
++              /*
++               * If user has previously changed max freq, stash that value to
++               * restore later, otherwise use the current max. New user
++               * requests wait on flush.
++               */
++              if (pc->user_requested_max != 0)
++                      pc->stashed_max_freq = pc->user_requested_max;
++              else
++                      pc->stashed_max_freq = max_freq;
++      }
++
++      /*
++       * Wait for actual freq to go below the flush cap: even if the previous
++       * max was below cap, the current one might still be above it
++       */
++      ret = wait_for_act_freq_limit(pc, BMG_MERT_FLUSH_FREQ_CAP);
++      if (ret)
++              xe_gt_err_once(gt, "Actual freq did not reduce to %u, %pe\n",
++                             BMG_MERT_FLUSH_FREQ_CAP, ERR_PTR(ret));
++}
++
++/**
++ * xe_guc_pc_remove_flush_freq_limit() - Remove max GT freq limit after L2 flush completes.
++ * @pc: the xe_guc_pc object
++ *
++ * Retrieve the previous GT max frequency value.
++ */
++void xe_guc_pc_remove_flush_freq_limit(struct xe_guc_pc *pc)
++{
++      struct xe_gt *gt = pc_to_gt(pc);
++      int ret = 0;
++
++      if (!needs_flush_freq_limit(pc))
++              return;
++
++      if (!atomic_read(&pc->flush_freq_limit))
++              return;
++
++      mutex_lock(&pc->freq_lock);
++
++      ret = pc_set_max_freq(&gt->uc.guc.pc, pc->stashed_max_freq);
++      if (ret)
++              xe_gt_err_once(gt, "Failed to restore max freq %u:%d",
++                             pc->stashed_max_freq, ret);
++
++      atomic_set(&pc->flush_freq_limit, 0);
++      mutex_unlock(&pc->freq_lock);
++      wake_up_var(&pc->flush_freq_limit);
++}
++
+ static int pc_set_mert_freq_cap(struct xe_guc_pc *pc)
+ {
+       int ret = 0;
+diff --git a/drivers/gpu/drm/xe/xe_guc_pc.h b/drivers/gpu/drm/xe/xe_guc_pc.h
+index 39102b79602fd..0302c7426ccde 100644
+--- a/drivers/gpu/drm/xe/xe_guc_pc.h
++++ b/drivers/gpu/drm/xe/xe_guc_pc.h
+@@ -37,5 +37,7 @@ u64 xe_guc_pc_mc6_residency(struct xe_guc_pc *pc);
+ void xe_guc_pc_init_early(struct xe_guc_pc *pc);
+ int xe_guc_pc_restore_stashed_freq(struct xe_guc_pc *pc);
+ void xe_guc_pc_raise_unslice(struct xe_guc_pc *pc);
++void xe_guc_pc_apply_flush_freq_limit(struct xe_guc_pc *pc);
++void xe_guc_pc_remove_flush_freq_limit(struct xe_guc_pc *pc);
+ #endif /* _XE_GUC_PC_H_ */
+diff --git a/drivers/gpu/drm/xe/xe_guc_pc_types.h b/drivers/gpu/drm/xe/xe_guc_pc_types.h
+index 2978ac9a249b5..c02053948a579 100644
+--- a/drivers/gpu/drm/xe/xe_guc_pc_types.h
++++ b/drivers/gpu/drm/xe/xe_guc_pc_types.h
+@@ -15,6 +15,8 @@
+ struct xe_guc_pc {
+       /** @bo: GGTT buffer object that is shared with GuC PC */
+       struct xe_bo *bo;
++      /** @flush_freq_limit: 1 when max freq changes are limited by driver */
++      atomic_t flush_freq_limit;
+       /** @rp0_freq: HW RP0 frequency - The Maximum one */
+       u32 rp0_freq;
+       /** @rpa_freq: HW RPa frequency - The Achievable one */
+-- 
+2.39.5
+
diff --git a/queue-6.15/drm-xe-fix-out-of-bounds-field-write-in-mi_store_dat.patch b/queue-6.15/drm-xe-fix-out-of-bounds-field-write-in-mi_store_dat.patch
new file mode 100644 (file)
index 0000000..dc0e9c2
--- /dev/null
@@ -0,0 +1,92 @@
+From 1c25565acf3d654563e843becea17df8551406ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jun 2025 22:46:20 +0000
+Subject: drm/xe: Fix out-of-bounds field write in MI_STORE_DATA_IMM
+
+From: Jia Yao <jia.yao@intel.com>
+
+[ Upstream commit 2d5cff2b4bc567dcaad7ab5b46c973ba534cc062 ]
+
+According to Bspec, bits 0~9 of MI_STORE_DATA_IMM must not exceed 0x3FE.
+The macro MI_SDI_NUM_QW(x) evaluates to 2 * x + 1, which means the
+condition 2 * x + 1 <= 0x3FE must be satisfied. Therefore, the maximum
+valid value for x is 0x1FE, not 0x1FF.
+
+v2
+ - Replace 0x1fe with macro MAX_PTE_PER_SDI (Auld, Matthew & Patelczyk, Maciej)
+
+v3
+ - Change macro MAX_PTE_PER_SDI from 0x1fe to 0x1feU (De Marchi, Lucas)
+
+Bspec: 60246
+
+Fixes: 9c44fd5f6e8a ("drm/xe: Add migrate layer functions for SVM support")
+Cc: Matthew Brost <matthew.brost@intel.com>
+Cc: Brian3 Nguyen <brian3.nguyen@intel.com>
+Cc: Alex Zuo <alex.zuo@intel.com>
+Cc: Matthew Auld <matthew.auld@intel.com>
+Cc: Maciej Patelczyk <maciej.patelczyk@intel.com>
+Cc: Lucas De Marchi <lucas.demarchi@intel.com>
+Suggested-by: Shuicheng Lin <shuicheng.lin@intel.com>
+Signed-off-by: Jia Yao <jia.yao@intel.com>
+Reviewed-by: Matthew Brost <matthew.brost@intel.com>
+Reviewed-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Reviewed-by: Maciej Patelczyk <maciej.patelczyk@intel.com>
+Link: https://lore.kernel.org/r/20250612224620.161105-1-jia.yao@intel.com
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+(cherry picked from commit c038bdba98c9f6a36378044a9d4385531a194d3e)
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xe/xe_migrate.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/gpu/drm/xe/xe_migrate.c b/drivers/gpu/drm/xe/xe_migrate.c
+index 5a3e89022c381..752f57fd515e1 100644
+--- a/drivers/gpu/drm/xe/xe_migrate.c
++++ b/drivers/gpu/drm/xe/xe_migrate.c
+@@ -82,7 +82,7 @@ struct xe_migrate {
+  * of the instruction.  Subtracting the instruction header (1 dword) and
+  * address (2 dwords), that leaves 0x3FD dwords (0x1FE qwords) for PTE values.
+  */
+-#define MAX_PTE_PER_SDI 0x1FE
++#define MAX_PTE_PER_SDI 0x1FEU
+ /**
+  * xe_tile_migrate_exec_queue() - Get this tile's migrate exec queue.
+@@ -1550,15 +1550,17 @@ static u32 pte_update_cmd_size(u64 size)
+       u64 entries = DIV_U64_ROUND_UP(size, XE_PAGE_SIZE);
+       XE_WARN_ON(size > MAX_PREEMPTDISABLE_TRANSFER);
++
+       /*
+        * MI_STORE_DATA_IMM command is used to update page table. Each
+-       * instruction can update maximumly 0x1ff pte entries. To update
+-       * n (n <= 0x1ff) pte entries, we need:
+-       * 1 dword for the MI_STORE_DATA_IMM command header (opcode etc)
+-       * 2 dword for the page table's physical location
+-       * 2*n dword for value of pte to fill (each pte entry is 2 dwords)
++       * instruction can update maximumly MAX_PTE_PER_SDI pte entries. To
++       * update n (n <= MAX_PTE_PER_SDI) pte entries, we need:
++       *
++       * - 1 dword for the MI_STORE_DATA_IMM command header (opcode etc)
++       * - 2 dword for the page table's physical location
++       * - 2*n dword for value of pte to fill (each pte entry is 2 dwords)
+        */
+-      num_dword = (1 + 2) * DIV_U64_ROUND_UP(entries, 0x1ff);
++      num_dword = (1 + 2) * DIV_U64_ROUND_UP(entries, MAX_PTE_PER_SDI);
+       num_dword += entries * 2;
+       return num_dword;
+@@ -1574,7 +1576,7 @@ static void build_pt_update_batch_sram(struct xe_migrate *m,
+       ptes = DIV_ROUND_UP(size, XE_PAGE_SIZE);
+       while (ptes) {
+-              u32 chunk = min(0x1ffU, ptes);
++              u32 chunk = min(MAX_PTE_PER_SDI, ptes);
+               bb->cs[bb->len++] = MI_STORE_DATA_IMM | MI_SDI_NUM_QW(chunk);
+               bb->cs[bb->len++] = pt_offset;
+-- 
+2.39.5
+
diff --git a/queue-6.15/drm-xe-guc-enable-w-a-16026508708.patch b/queue-6.15/drm-xe-guc-enable-w-a-16026508708.patch
new file mode 100644 (file)
index 0000000..70715c1
--- /dev/null
@@ -0,0 +1,64 @@
+From ece7fb6ecebd5edbb49bde6c52091faa1272ed1a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Apr 2025 11:56:11 -0700
+Subject: drm/xe/guc: Enable w/a 16026508708
+
+From: John Harrison <John.C.Harrison@Intel.com>
+
+[ Upstream commit d3e8349edf7ed9eaf076ab3d9973331ccc20e26c ]
+
+The workaround is only relevant to SRIOV but does affect all platforms.
+
+Signed-off-by: John Harrison <John.C.Harrison@Intel.com>
+Reviewed-by: Daniele Ceraolo Spurio <daniele.ceraolospurio@intel.com>
+Link: https://lore.kernel.org/r/20250403185619.1555853-2-John.C.Harrison@Intel.com
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Stable-dep-of: 84c0b4a00610 ("drm/xe/bmg: Update Wa_22019338487")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xe/abi/guc_klvs_abi.h | 1 +
+ drivers/gpu/drm/xe/xe_guc_ads.c       | 5 +++++
+ drivers/gpu/drm/xe/xe_wa_oob.rules    | 2 ++
+ 3 files changed, 8 insertions(+)
+
+diff --git a/drivers/gpu/drm/xe/abi/guc_klvs_abi.h b/drivers/gpu/drm/xe/abi/guc_klvs_abi.h
+index d633f1c739e43..7de8f827281fc 100644
+--- a/drivers/gpu/drm/xe/abi/guc_klvs_abi.h
++++ b/drivers/gpu/drm/xe/abi/guc_klvs_abi.h
+@@ -367,6 +367,7 @@ enum xe_guc_klv_ids {
+       GUC_WA_KLV_NP_RD_WRITE_TO_CLEAR_RCSM_AT_CGP_LATE_RESTORE                        = 0x9008,
+       GUC_WORKAROUND_KLV_ID_BACK_TO_BACK_RCS_ENGINE_RESET                             = 0x9009,
+       GUC_WA_KLV_WAKE_POWER_DOMAINS_FOR_OUTBOUND_MMIO                                 = 0x900a,
++      GUC_WA_KLV_RESET_BB_STACK_PTR_ON_VF_SWITCH                                      = 0x900b,
+ };
+ #endif
+diff --git a/drivers/gpu/drm/xe/xe_guc_ads.c b/drivers/gpu/drm/xe/xe_guc_ads.c
+index 7031542a70ceb..1fccdef9e532e 100644
+--- a/drivers/gpu/drm/xe/xe_guc_ads.c
++++ b/drivers/gpu/drm/xe/xe_guc_ads.c
+@@ -376,6 +376,11 @@ static void guc_waklv_init(struct xe_guc_ads *ads)
+                                       GUC_WORKAROUND_KLV_ID_BACK_TO_BACK_RCS_ENGINE_RESET,
+                                       &offset, &remain);
++      if (GUC_FIRMWARE_VER(&gt->uc.guc) >= MAKE_GUC_VER(70, 44, 0) && XE_WA(gt, 16026508708))
++              guc_waklv_enable_simple(ads,
++                                      GUC_WA_KLV_RESET_BB_STACK_PTR_ON_VF_SWITCH,
++                                      &offset, &remain);
++
+       size = guc_ads_waklv_size(ads) - remain;
+       if (!size)
+               return;
+diff --git a/drivers/gpu/drm/xe/xe_wa_oob.rules b/drivers/gpu/drm/xe/xe_wa_oob.rules
+index 9b9e176992a83..9efc5accd43d1 100644
+--- a/drivers/gpu/drm/xe/xe_wa_oob.rules
++++ b/drivers/gpu/drm/xe/xe_wa_oob.rules
+@@ -57,3 +57,5 @@ no_media_l3  MEDIA_VERSION(3000)
+               GRAPHICS_VERSION(1260), GRAPHICS_STEP(A0, B0)
+ 16023105232   GRAPHICS_VERSION_RANGE(2001, 3001)
+               MEDIA_VERSION_RANGE(1301, 3000)
++16026508708   GRAPHICS_VERSION_RANGE(1200, 3001)
++              MEDIA_VERSION_RANGE(1300, 3000)
+-- 
+2.39.5
+
diff --git a/queue-6.15/drm-xe-guc_pc-add-_locked-variant-for-min-max-freq.patch b/queue-6.15/drm-xe-guc_pc-add-_locked-variant-for-min-max-freq.patch
new file mode 100644 (file)
index 0000000..2972389
--- /dev/null
@@ -0,0 +1,223 @@
+From 443ff645b1edb328551eb979cfe5081ed36120bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 11:49:58 -0700
+Subject: drm/xe/guc_pc: Add _locked variant for min/max freq
+
+From: Lucas De Marchi <lucas.demarchi@intel.com>
+
+[ Upstream commit d8390768dcf6f5a78af56aa03797a076871b01f3 ]
+
+There are places in which the getters/setters are called one after the
+other causing a multiple lock()/unlock(). These are not currently a
+problem since they are all happening from the same thread, but there's a
+race possibility as calls are added outside of the early init when the
+max/min and stashed values need to be correlated.
+
+Add the _locked() variants to prepare for that.
+
+Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Link: https://lore.kernel.org/r/20250618-wa-22019338487-v5-1-b888388477f2@intel.com
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+(cherry picked from commit 1beae9aa2b88d3a02eb666e7b777eb2d7bc645f4)
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Stable-dep-of: 84c0b4a00610 ("drm/xe/bmg: Update Wa_22019338487")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xe/xe_guc_pc.c | 123 ++++++++++++++++++---------------
+ 1 file changed, 69 insertions(+), 54 deletions(-)
+
+diff --git a/drivers/gpu/drm/xe/xe_guc_pc.c b/drivers/gpu/drm/xe/xe_guc_pc.c
+index a7b8bacfe64ef..23a4c525c03bf 100644
+--- a/drivers/gpu/drm/xe/xe_guc_pc.c
++++ b/drivers/gpu/drm/xe/xe_guc_pc.c
+@@ -5,6 +5,7 @@
+ #include "xe_guc_pc.h"
++#include <linux/cleanup.h>
+ #include <linux/delay.h>
+ #include <linux/ktime.h>
+@@ -538,6 +539,25 @@ u32 xe_guc_pc_get_rpn_freq(struct xe_guc_pc *pc)
+       return pc->rpn_freq;
+ }
++static int xe_guc_pc_get_min_freq_locked(struct xe_guc_pc *pc, u32 *freq)
++{
++      int ret;
++
++      lockdep_assert_held(&pc->freq_lock);
++
++      /* Might be in the middle of a gt reset */
++      if (!pc->freq_ready)
++              return -EAGAIN;
++
++      ret = pc_action_query_task_state(pc);
++      if (ret)
++              return ret;
++
++      *freq = pc_get_min_freq(pc);
++
++      return 0;
++}
++
+ /**
+  * xe_guc_pc_get_min_freq - Get the min operational frequency
+  * @pc: The GuC PC
+@@ -547,27 +567,29 @@ u32 xe_guc_pc_get_rpn_freq(struct xe_guc_pc *pc)
+  *         -EAGAIN if GuC PC not ready (likely in middle of a reset).
+  */
+ int xe_guc_pc_get_min_freq(struct xe_guc_pc *pc, u32 *freq)
++{
++      guard(mutex)(&pc->freq_lock);
++
++      return xe_guc_pc_get_min_freq_locked(pc, freq);
++}
++
++static int xe_guc_pc_set_min_freq_locked(struct xe_guc_pc *pc, u32 freq)
+ {
+       int ret;
+-      xe_device_assert_mem_access(pc_to_xe(pc));
++      lockdep_assert_held(&pc->freq_lock);
+-      mutex_lock(&pc->freq_lock);
+-      if (!pc->freq_ready) {
+-              /* Might be in the middle of a gt reset */
+-              ret = -EAGAIN;
+-              goto out;
+-      }
++      /* Might be in the middle of a gt reset */
++      if (!pc->freq_ready)
++              return -EAGAIN;
+-      ret = pc_action_query_task_state(pc);
++      ret = pc_set_min_freq(pc, freq);
+       if (ret)
+-              goto out;
++              return ret;
+-      *freq = pc_get_min_freq(pc);
++      pc->user_requested_min = freq;
+-out:
+-      mutex_unlock(&pc->freq_lock);
+-      return ret;
++      return 0;
+ }
+ /**
+@@ -580,25 +602,29 @@ int xe_guc_pc_get_min_freq(struct xe_guc_pc *pc, u32 *freq)
+  *         -EINVAL if value out of bounds.
+  */
+ int xe_guc_pc_set_min_freq(struct xe_guc_pc *pc, u32 freq)
++{
++      guard(mutex)(&pc->freq_lock);
++
++      return xe_guc_pc_set_min_freq_locked(pc, freq);
++}
++
++static int xe_guc_pc_get_max_freq_locked(struct xe_guc_pc *pc, u32 *freq)
+ {
+       int ret;
+-      mutex_lock(&pc->freq_lock);
+-      if (!pc->freq_ready) {
+-              /* Might be in the middle of a gt reset */
+-              ret = -EAGAIN;
+-              goto out;
+-      }
++      lockdep_assert_held(&pc->freq_lock);
+-      ret = pc_set_min_freq(pc, freq);
++      /* Might be in the middle of a gt reset */
++      if (!pc->freq_ready)
++              return -EAGAIN;
++
++      ret = pc_action_query_task_state(pc);
+       if (ret)
+-              goto out;
++              return ret;
+-      pc->user_requested_min = freq;
++      *freq = pc_get_max_freq(pc);
+-out:
+-      mutex_unlock(&pc->freq_lock);
+-      return ret;
++      return 0;
+ }
+ /**
+@@ -610,25 +636,29 @@ int xe_guc_pc_set_min_freq(struct xe_guc_pc *pc, u32 freq)
+  *         -EAGAIN if GuC PC not ready (likely in middle of a reset).
+  */
+ int xe_guc_pc_get_max_freq(struct xe_guc_pc *pc, u32 *freq)
++{
++      guard(mutex)(&pc->freq_lock);
++
++      return xe_guc_pc_get_max_freq_locked(pc, freq);
++}
++
++static int xe_guc_pc_set_max_freq_locked(struct xe_guc_pc *pc, u32 freq)
+ {
+       int ret;
+-      mutex_lock(&pc->freq_lock);
+-      if (!pc->freq_ready) {
+-              /* Might be in the middle of a gt reset */
+-              ret = -EAGAIN;
+-              goto out;
+-      }
++      lockdep_assert_held(&pc->freq_lock);
+-      ret = pc_action_query_task_state(pc);
++      /* Might be in the middle of a gt reset */
++      if (!pc->freq_ready)
++              return -EAGAIN;
++
++      ret = pc_set_max_freq(pc, freq);
+       if (ret)
+-              goto out;
++              return ret;
+-      *freq = pc_get_max_freq(pc);
++      pc->user_requested_max = freq;
+-out:
+-      mutex_unlock(&pc->freq_lock);
+-      return ret;
++      return 0;
+ }
+ /**
+@@ -642,24 +672,9 @@ int xe_guc_pc_get_max_freq(struct xe_guc_pc *pc, u32 *freq)
+  */
+ int xe_guc_pc_set_max_freq(struct xe_guc_pc *pc, u32 freq)
+ {
+-      int ret;
+-
+-      mutex_lock(&pc->freq_lock);
+-      if (!pc->freq_ready) {
+-              /* Might be in the middle of a gt reset */
+-              ret = -EAGAIN;
+-              goto out;
+-      }
+-
+-      ret = pc_set_max_freq(pc, freq);
+-      if (ret)
+-              goto out;
++      guard(mutex)(&pc->freq_lock);
+-      pc->user_requested_max = freq;
+-
+-out:
+-      mutex_unlock(&pc->freq_lock);
+-      return ret;
++      return xe_guc_pc_set_max_freq_locked(pc, freq);
+ }
+ /**
+-- 
+2.39.5
+
diff --git a/queue-6.15/drm-xe-split-xe_device_td_flush.patch b/queue-6.15/drm-xe-split-xe_device_td_flush.patch
new file mode 100644 (file)
index 0000000..29bb83c
--- /dev/null
@@ -0,0 +1,133 @@
+From 1124d79525844089be84655b448e9765372f34b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 11:50:00 -0700
+Subject: drm/xe: Split xe_device_td_flush()
+
+From: Lucas De Marchi <lucas.demarchi@intel.com>
+
+[ Upstream commit a1eec6cae95a1a0888cb8370338822ca81cd9436 ]
+
+xe_device_td_flush() has 2 possible implementations: an entire L2 flush
+or a transient flush, depending on WA 16023588340. Make this clear by
+splitting the function so it calls each of them.
+
+Reviewed-by: Matthew Auld <matthew.auld@intel.com>
+Link: https://lore.kernel.org/r/20250618-wa-22019338487-v5-3-b888388477f2@intel.com
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+(cherry picked from commit 5e300ed8a545bdffc26b579c526b5fef7b2d5365)
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Stable-dep-of: 84c0b4a00610 ("drm/xe/bmg: Update Wa_22019338487")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xe/xe_device.c | 68 ++++++++++++++++++++--------------
+ 1 file changed, 40 insertions(+), 28 deletions(-)
+
+diff --git a/drivers/gpu/drm/xe/xe_device.c b/drivers/gpu/drm/xe/xe_device.c
+index 00191227bc95c..38fdddd7262aa 100644
+--- a/drivers/gpu/drm/xe/xe_device.c
++++ b/drivers/gpu/drm/xe/xe_device.c
+@@ -972,38 +972,15 @@ void xe_device_wmb(struct xe_device *xe)
+               xe_mmio_write32(xe_root_tile_mmio(xe), VF_CAP_REG, 0);
+ }
+-/**
+- * xe_device_td_flush() - Flush transient L3 cache entries
+- * @xe: The device
+- *
+- * Display engine has direct access to memory and is never coherent with L3/L4
+- * caches (or CPU caches), however KMD is responsible for specifically flushing
+- * transient L3 GPU cache entries prior to the flip sequence to ensure scanout
+- * can happen from such a surface without seeing corruption.
+- *
+- * Display surfaces can be tagged as transient by mapping it using one of the
+- * various L3:XD PAT index modes on Xe2.
+- *
+- * Note: On non-discrete xe2 platforms, like LNL, the entire L3 cache is flushed
+- * at the end of each submission via PIPE_CONTROL for compute/render, since SA
+- * Media is not coherent with L3 and we want to support render-vs-media
+- * usescases. For other engines like copy/blt the HW internally forces uncached
+- * behaviour, hence why we can skip the TDF on such platforms.
++/*
++ * Issue a TRANSIENT_FLUSH_REQUEST and wait for completion on each gt.
+  */
+-void xe_device_td_flush(struct xe_device *xe)
++static void tdf_request_sync(struct xe_device *xe)
+ {
+-      struct xe_gt *gt;
+       unsigned int fw_ref;
++      struct xe_gt *gt;
+       u8 id;
+-      if (!IS_DGFX(xe) || GRAPHICS_VER(xe) < 20)
+-              return;
+-
+-      if (XE_WA(xe_root_mmio_gt(xe), 16023588340)) {
+-              xe_device_l2_flush(xe);
+-              return;
+-      }
+-
+       for_each_gt(gt, xe, id) {
+               if (xe_gt_is_media_type(gt))
+                       continue;
+@@ -1013,6 +990,7 @@ void xe_device_td_flush(struct xe_device *xe)
+                       return;
+               xe_mmio_write32(&gt->mmio, XE2_TDF_CTRL, TRANSIENT_FLUSH_REQUEST);
++
+               /*
+                * FIXME: We can likely do better here with our choice of
+                * timeout. Currently we just assume the worst case, i.e. 150us,
+@@ -1043,15 +1021,49 @@ void xe_device_l2_flush(struct xe_device *xe)
+               return;
+       spin_lock(&gt->global_invl_lock);
+-      xe_mmio_write32(&gt->mmio, XE2_GLOBAL_INVAL, 0x1);
++      xe_mmio_write32(&gt->mmio, XE2_GLOBAL_INVAL, 0x1);
+       if (xe_mmio_wait32(&gt->mmio, XE2_GLOBAL_INVAL, 0x1, 0x0, 500, NULL, true))
+               xe_gt_err_once(gt, "Global invalidation timeout\n");
++
+       spin_unlock(&gt->global_invl_lock);
+       xe_force_wake_put(gt_to_fw(gt), fw_ref);
+ }
++/**
++ * xe_device_td_flush() - Flush transient L3 cache entries
++ * @xe: The device
++ *
++ * Display engine has direct access to memory and is never coherent with L3/L4
++ * caches (or CPU caches), however KMD is responsible for specifically flushing
++ * transient L3 GPU cache entries prior to the flip sequence to ensure scanout
++ * can happen from such a surface without seeing corruption.
++ *
++ * Display surfaces can be tagged as transient by mapping it using one of the
++ * various L3:XD PAT index modes on Xe2.
++ *
++ * Note: On non-discrete xe2 platforms, like LNL, the entire L3 cache is flushed
++ * at the end of each submission via PIPE_CONTROL for compute/render, since SA
++ * Media is not coherent with L3 and we want to support render-vs-media
++ * usescases. For other engines like copy/blt the HW internally forces uncached
++ * behaviour, hence why we can skip the TDF on such platforms.
++ */
++void xe_device_td_flush(struct xe_device *xe)
++{
++      struct xe_gt *root_gt;
++
++      if (!IS_DGFX(xe) || GRAPHICS_VER(xe) < 20)
++              return;
++
++      root_gt = xe_root_mmio_gt(xe);
++      if (XE_WA(root_gt, 16023588340))
++              /* A transient flush is not sufficient: flush the L2 */
++              xe_device_l2_flush(xe);
++      else
++              tdf_request_sync(xe);
++}
++
+ u32 xe_device_ccs_bytes(struct xe_device *xe, u64 size)
+ {
+       return xe_device_has_flat_ccs(xe) ?
+-- 
+2.39.5
+
diff --git a/queue-6.15/enic-fix-incorrect-mtu-comparison-in-enic_change_mtu.patch b/queue-6.15/enic-fix-incorrect-mtu-comparison-in-enic_change_mtu.patch
new file mode 100644 (file)
index 0000000..632ccd5
--- /dev/null
@@ -0,0 +1,47 @@
+From 5eb5da69c1aafd2104085d577b09276f0bcfe034 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 28 Jun 2025 07:56:05 -0700
+Subject: enic: fix incorrect MTU comparison in enic_change_mtu()
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit aaf2b2480375099c022a82023e1cd772bf1c6a5d ]
+
+The comparison in enic_change_mtu() incorrectly used the current
+netdev->mtu instead of the new new_mtu value when warning about
+an MTU exceeding the port MTU. This could suppress valid warnings
+or issue incorrect ones.
+
+Fix the condition and log to properly reflect the new_mtu.
+
+Fixes: ab123fe071c9 ("enic: handle mtu change for vf properly")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Acked-by: John Daley <johndale@cisco.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250628145612.476096-1-alok.a.tiwari@oracle.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cisco/enic/enic_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/cisco/enic/enic_main.c b/drivers/net/ethernet/cisco/enic/enic_main.c
+index c753c35b26ebd..5a8ca5be9ca00 100644
+--- a/drivers/net/ethernet/cisco/enic/enic_main.c
++++ b/drivers/net/ethernet/cisco/enic/enic_main.c
+@@ -1864,10 +1864,10 @@ static int enic_change_mtu(struct net_device *netdev, int new_mtu)
+       if (enic_is_dynamic(enic) || enic_is_sriov_vf(enic))
+               return -EOPNOTSUPP;
+-      if (netdev->mtu > enic->port_mtu)
++      if (new_mtu > enic->port_mtu)
+               netdev_warn(netdev,
+                           "interface MTU (%d) set higher than port MTU (%d)\n",
+-                          netdev->mtu, enic->port_mtu);
++                          new_mtu, enic->port_mtu);
+       return _enic_change_mtu(netdev, new_mtu);
+ }
+-- 
+2.39.5
+
diff --git a/queue-6.15/ethernet-atl1-add-missing-dma-mapping-error-checks-a.patch b/queue-6.15/ethernet-atl1-add-missing-dma-mapping-error-checks-a.patch
new file mode 100644 (file)
index 0000000..b84e9b4
--- /dev/null
@@ -0,0 +1,213 @@
+From 6ee823e79d1d10ff48ac76d60ebf2621fd3d7e17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jun 2025 16:16:24 +0200
+Subject: ethernet: atl1: Add missing DMA mapping error checks and count errors
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit d72411d20905180cdc452c553be17481b24463d2 ]
+
+The `dma_map_XXX()` functions can fail and must be checked using
+`dma_mapping_error()`.  This patch adds proper error handling for all
+DMA mapping calls.
+
+In `atl1_alloc_rx_buffers()`, if DMA mapping fails, the buffer is
+deallocated and marked accordingly.
+
+In `atl1_tx_map()`, previously mapped buffers are unmapped and the
+packet is dropped on failure.
+
+If `atl1_xmit_frame()` drops the packet, increment the tx_error counter.
+
+Fixes: f3cc28c79760 ("Add Attansic L1 ethernet driver.")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://patch.msgid.link/20250625141629.114984-2-fourier.thomas@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/atheros/atlx/atl1.c | 79 +++++++++++++++++-------
+ 1 file changed, 57 insertions(+), 22 deletions(-)
+
+diff --git a/drivers/net/ethernet/atheros/atlx/atl1.c b/drivers/net/ethernet/atheros/atlx/atl1.c
+index 38cd84b7677cf..86663aa0de17e 100644
+--- a/drivers/net/ethernet/atheros/atlx/atl1.c
++++ b/drivers/net/ethernet/atheros/atlx/atl1.c
+@@ -1861,14 +1861,21 @@ static u16 atl1_alloc_rx_buffers(struct atl1_adapter *adapter)
+                       break;
+               }
+-              buffer_info->alloced = 1;
+-              buffer_info->skb = skb;
+-              buffer_info->length = (u16) adapter->rx_buffer_len;
+               page = virt_to_page(skb->data);
+               offset = offset_in_page(skb->data);
+               buffer_info->dma = dma_map_page(&pdev->dev, page, offset,
+                                               adapter->rx_buffer_len,
+                                               DMA_FROM_DEVICE);
++              if (dma_mapping_error(&pdev->dev, buffer_info->dma)) {
++                      kfree_skb(skb);
++                      adapter->soft_stats.rx_dropped++;
++                      break;
++              }
++
++              buffer_info->alloced = 1;
++              buffer_info->skb = skb;
++              buffer_info->length = (u16)adapter->rx_buffer_len;
++
+               rfd_desc->buffer_addr = cpu_to_le64(buffer_info->dma);
+               rfd_desc->buf_len = cpu_to_le16(adapter->rx_buffer_len);
+               rfd_desc->coalese = 0;
+@@ -2183,8 +2190,8 @@ static int atl1_tx_csum(struct atl1_adapter *adapter, struct sk_buff *skb,
+       return 0;
+ }
+-static void atl1_tx_map(struct atl1_adapter *adapter, struct sk_buff *skb,
+-      struct tx_packet_desc *ptpd)
++static bool atl1_tx_map(struct atl1_adapter *adapter, struct sk_buff *skb,
++                      struct tx_packet_desc *ptpd)
+ {
+       struct atl1_tpd_ring *tpd_ring = &adapter->tpd_ring;
+       struct atl1_buffer *buffer_info;
+@@ -2194,6 +2201,7 @@ static void atl1_tx_map(struct atl1_adapter *adapter, struct sk_buff *skb,
+       unsigned int nr_frags;
+       unsigned int f;
+       int retval;
++      u16 first_mapped;
+       u16 next_to_use;
+       u16 data_len;
+       u8 hdr_len;
+@@ -2201,6 +2209,7 @@ static void atl1_tx_map(struct atl1_adapter *adapter, struct sk_buff *skb,
+       buf_len -= skb->data_len;
+       nr_frags = skb_shinfo(skb)->nr_frags;
+       next_to_use = atomic_read(&tpd_ring->next_to_use);
++      first_mapped = next_to_use;
+       buffer_info = &tpd_ring->buffer_info[next_to_use];
+       BUG_ON(buffer_info->skb);
+       /* put skb in last TPD */
+@@ -2216,6 +2225,8 @@ static void atl1_tx_map(struct atl1_adapter *adapter, struct sk_buff *skb,
+               buffer_info->dma = dma_map_page(&adapter->pdev->dev, page,
+                                               offset, hdr_len,
+                                               DMA_TO_DEVICE);
++              if (dma_mapping_error(&adapter->pdev->dev, buffer_info->dma))
++                      goto dma_err;
+               if (++next_to_use == tpd_ring->count)
+                       next_to_use = 0;
+@@ -2242,6 +2253,9 @@ static void atl1_tx_map(struct atl1_adapter *adapter, struct sk_buff *skb,
+                                                               page, offset,
+                                                               buffer_info->length,
+                                                               DMA_TO_DEVICE);
++                              if (dma_mapping_error(&adapter->pdev->dev,
++                                                    buffer_info->dma))
++                                      goto dma_err;
+                               if (++next_to_use == tpd_ring->count)
+                                       next_to_use = 0;
+                       }
+@@ -2254,6 +2268,8 @@ static void atl1_tx_map(struct atl1_adapter *adapter, struct sk_buff *skb,
+               buffer_info->dma = dma_map_page(&adapter->pdev->dev, page,
+                                               offset, buf_len,
+                                               DMA_TO_DEVICE);
++              if (dma_mapping_error(&adapter->pdev->dev, buffer_info->dma))
++                      goto dma_err;
+               if (++next_to_use == tpd_ring->count)
+                       next_to_use = 0;
+       }
+@@ -2277,6 +2293,9 @@ static void atl1_tx_map(struct atl1_adapter *adapter, struct sk_buff *skb,
+                       buffer_info->dma = skb_frag_dma_map(&adapter->pdev->dev,
+                               frag, i * ATL1_MAX_TX_BUF_LEN,
+                               buffer_info->length, DMA_TO_DEVICE);
++                      if (dma_mapping_error(&adapter->pdev->dev,
++                                            buffer_info->dma))
++                              goto dma_err;
+                       if (++next_to_use == tpd_ring->count)
+                               next_to_use = 0;
+@@ -2285,6 +2304,22 @@ static void atl1_tx_map(struct atl1_adapter *adapter, struct sk_buff *skb,
+       /* last tpd's buffer-info */
+       buffer_info->skb = skb;
++
++      return true;
++
++ dma_err:
++      while (first_mapped != next_to_use) {
++              buffer_info = &tpd_ring->buffer_info[first_mapped];
++              dma_unmap_page(&adapter->pdev->dev,
++                             buffer_info->dma,
++                             buffer_info->length,
++                             DMA_TO_DEVICE);
++              buffer_info->dma = 0;
++
++              if (++first_mapped == tpd_ring->count)
++                      first_mapped = 0;
++      }
++      return false;
+ }
+ static void atl1_tx_queue(struct atl1_adapter *adapter, u16 count,
+@@ -2355,10 +2390,8 @@ static netdev_tx_t atl1_xmit_frame(struct sk_buff *skb,
+       len = skb_headlen(skb);
+-      if (unlikely(skb->len <= 0)) {
+-              dev_kfree_skb_any(skb);
+-              return NETDEV_TX_OK;
+-      }
++      if (unlikely(skb->len <= 0))
++              goto drop_packet;
+       nr_frags = skb_shinfo(skb)->nr_frags;
+       for (f = 0; f < nr_frags; f++) {
+@@ -2371,10 +2404,9 @@ static netdev_tx_t atl1_xmit_frame(struct sk_buff *skb,
+       if (mss) {
+               if (skb->protocol == htons(ETH_P_IP)) {
+                       proto_hdr_len = skb_tcp_all_headers(skb);
+-                      if (unlikely(proto_hdr_len > len)) {
+-                              dev_kfree_skb_any(skb);
+-                              return NETDEV_TX_OK;
+-                      }
++                      if (unlikely(proto_hdr_len > len))
++                              goto drop_packet;
++
+                       /* need additional TPD ? */
+                       if (proto_hdr_len != len)
+                               count += (len - proto_hdr_len +
+@@ -2406,23 +2438,26 @@ static netdev_tx_t atl1_xmit_frame(struct sk_buff *skb,
+       }
+       tso = atl1_tso(adapter, skb, ptpd);
+-      if (tso < 0) {
+-              dev_kfree_skb_any(skb);
+-              return NETDEV_TX_OK;
+-      }
++      if (tso < 0)
++              goto drop_packet;
+       if (!tso) {
+               ret_val = atl1_tx_csum(adapter, skb, ptpd);
+-              if (ret_val < 0) {
+-                      dev_kfree_skb_any(skb);
+-                      return NETDEV_TX_OK;
+-              }
++              if (ret_val < 0)
++                      goto drop_packet;
+       }
+-      atl1_tx_map(adapter, skb, ptpd);
++      if (!atl1_tx_map(adapter, skb, ptpd))
++              goto drop_packet;
++
+       atl1_tx_queue(adapter, count, ptpd);
+       atl1_update_mailbox(adapter);
+       return NETDEV_TX_OK;
++
++drop_packet:
++      adapter->soft_stats.tx_errors++;
++      dev_kfree_skb_any(skb);
++      return NETDEV_TX_OK;
+ }
+ static int atl1_rings_clean(struct napi_struct *napi, int budget)
+-- 
+2.39.5
+
diff --git a/queue-6.15/firmware-arm_ffa-fix-memory-leak-by-freeing-notifier.patch b/queue-6.15/firmware-arm_ffa-fix-memory-leak-by-freeing-notifier.patch
new file mode 100644 (file)
index 0000000..654e33f
--- /dev/null
@@ -0,0 +1,43 @@
+From ebb03bbd823c501d99857a7cb6e990b38ede8ec9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 May 2025 09:49:41 +0100
+Subject: firmware: arm_ffa: Fix memory leak by freeing notifier callback node
+
+From: Sudeep Holla <sudeep.holla@arm.com>
+
+[ Upstream commit a833d31ad867103ba72a0b73f3606f4ab8601719 ]
+
+Commit e0573444edbf ("firmware: arm_ffa: Add interfaces to request
+notification callbacks") adds support for notifier callbacks by allocating
+and inserting a callback node into a hashtable during registration of
+notifiers. However, during unregistration, the code only removes the
+node from the hashtable without freeing the associated memory, resulting
+in a memory leak.
+
+Resolve the memory leak issue by ensuring the allocated notifier callback
+node is properly freed after it is removed from the hashtable entry.
+
+Fixes: e0573444edbf ("firmware: arm_ffa: Add interfaces to request notification callbacks")
+Message-Id: <20250528-ffa_notif_fix-v1-1-5ed7bc7f8437@arm.com>
+Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/arm_ffa/driver.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c
+index fe55613a8ea99..6f75cdf297209 100644
+--- a/drivers/firmware/arm_ffa/driver.c
++++ b/drivers/firmware/arm_ffa/driver.c
+@@ -1284,6 +1284,7 @@ update_notifier_cb(struct ffa_device *dev, int notify_id, void *cb,
+               hash_add(drv_info->notifier_hash, &cb_info->hnode, notify_id);
+       } else {
+               hash_del(&cb_info->hnode);
++              kfree(cb_info);
+       }
+       return 0;
+-- 
+2.39.5
+
diff --git a/queue-6.15/firmware-arm_ffa-fix-the-missing-entry-in-struct-ffa.patch b/queue-6.15/firmware-arm_ffa-fix-the-missing-entry-in-struct-ffa.patch
new file mode 100644 (file)
index 0000000..93c7820
--- /dev/null
@@ -0,0 +1,37 @@
+From bbe97f34e1a80f54642c235a556bd07844094ae0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Jun 2025 16:38:53 +0530
+Subject: firmware: arm_ffa: Fix the missing entry in struct
+ ffa_indirect_msg_hdr
+
+From: Viresh Kumar <viresh.kumar@linaro.org>
+
+[ Upstream commit 4c46a471be12216347ba707f8eadadbf5d68e698 ]
+
+As per the spec, one 32 bit reserved entry is missing here, add it.
+
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Fixes: 910cc1acc9b4 ("firmware: arm_ffa: Add support for passing UUID in FFA_MSG_SEND2")
+Reviewed-by: Bertrand Marquis <bertrand.marquis@arm.com>
+Message-Id: <28a624fbf416975de4fbe08cfbf7c2db89cb630e.1748948911.git.viresh.kumar@linaro.org>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/arm_ffa.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/arm_ffa.h b/include/linux/arm_ffa.h
+index 5bded24dc24fe..e1634897e159c 100644
+--- a/include/linux/arm_ffa.h
++++ b/include/linux/arm_ffa.h
+@@ -283,6 +283,7 @@ struct ffa_indirect_msg_hdr {
+       u32 offset;
+       u32 send_recv_id;
+       u32 size;
++      u32 res1;
+       uuid_t uuid;
+ };
+-- 
+2.39.5
+
diff --git a/queue-6.15/firmware-arm_ffa-move-memory-allocation-outside-the-.patch b/queue-6.15/firmware-arm_ffa-move-memory-allocation-outside-the-.patch
new file mode 100644 (file)
index 0000000..22c69ce
--- /dev/null
@@ -0,0 +1,135 @@
+From 7238f487414194e112dfc00d91e85067e555c467 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 May 2025 09:49:42 +0100
+Subject: firmware: arm_ffa: Move memory allocation outside the mutex locking
+
+From: Sudeep Holla <sudeep.holla@arm.com>
+
+[ Upstream commit 27e850c88df0e25474a8caeb2903e2e90b62c1dc ]
+
+The notifier callback node allocation is currently done while holding
+the notify_lock mutex. While this is safe even if memory allocation may
+sleep, we need to move the allocation outside the locked region in
+preparation to move from using muxtes to rwlocks.
+
+Move the memory allocation to avoid potential sleeping in atomic context
+once the locks are moved from mutex to rwlocks.
+
+Fixes: e0573444edbf ("firmware: arm_ffa: Add interfaces to request notification callbacks")
+Message-Id: <20250528-ffa_notif_fix-v1-2-5ed7bc7f8437@arm.com>
+Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/arm_ffa/driver.c | 48 +++++++++++++++----------------
+ 1 file changed, 24 insertions(+), 24 deletions(-)
+
+diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c
+index 6f75cdf297209..44eecb786e67b 100644
+--- a/drivers/firmware/arm_ffa/driver.c
++++ b/drivers/firmware/arm_ffa/driver.c
+@@ -1250,13 +1250,12 @@ notifier_hnode_get_by_type(u16 notify_id, enum notify_type type)
+       return NULL;
+ }
+-static int
+-update_notifier_cb(struct ffa_device *dev, int notify_id, void *cb,
+-                 void *cb_data, bool is_registration, bool is_framework)
++static int update_notifier_cb(struct ffa_device *dev, int notify_id,
++                            struct notifier_cb_info *cb, bool is_framework)
+ {
+       struct notifier_cb_info *cb_info = NULL;
+       enum notify_type type = ffa_notify_type_get(dev->vm_id);
+-      bool cb_found;
++      bool cb_found, is_registration = !!cb;
+       if (is_framework)
+               cb_info = notifier_hnode_get_by_vmid_uuid(notify_id, dev->vm_id,
+@@ -1270,18 +1269,7 @@ update_notifier_cb(struct ffa_device *dev, int notify_id, void *cb,
+               return -EINVAL;
+       if (is_registration) {
+-              cb_info = kzalloc(sizeof(*cb_info), GFP_KERNEL);
+-              if (!cb_info)
+-                      return -ENOMEM;
+-
+-              cb_info->dev = dev;
+-              cb_info->cb_data = cb_data;
+-              if (is_framework)
+-                      cb_info->fwk_cb = cb;
+-              else
+-                      cb_info->cb = cb;
+-
+-              hash_add(drv_info->notifier_hash, &cb_info->hnode, notify_id);
++              hash_add(drv_info->notifier_hash, &cb->hnode, notify_id);
+       } else {
+               hash_del(&cb_info->hnode);
+               kfree(cb_info);
+@@ -1303,8 +1291,7 @@ static int __ffa_notify_relinquish(struct ffa_device *dev, int notify_id,
+       mutex_lock(&drv_info->notify_lock);
+-      rc = update_notifier_cb(dev, notify_id, NULL, NULL, false,
+-                              is_framework);
++      rc = update_notifier_cb(dev, notify_id, NULL, is_framework);
+       if (rc) {
+               pr_err("Could not unregister notification callback\n");
+               mutex_unlock(&drv_info->notify_lock);
+@@ -1335,6 +1322,7 @@ static int __ffa_notify_request(struct ffa_device *dev, bool is_per_vcpu,
+ {
+       int rc;
+       u32 flags = 0;
++      struct notifier_cb_info *cb_info = NULL;
+       if (ffa_notifications_disabled())
+               return -EOPNOTSUPP;
+@@ -1342,6 +1330,17 @@ static int __ffa_notify_request(struct ffa_device *dev, bool is_per_vcpu,
+       if (notify_id >= FFA_MAX_NOTIFICATIONS)
+               return -EINVAL;
++      cb_info = kzalloc(sizeof(*cb_info), GFP_KERNEL);
++      if (!cb_info)
++              return -ENOMEM;
++
++      cb_info->dev = dev;
++      cb_info->cb_data = cb_data;
++      if (is_framework)
++              cb_info->fwk_cb = cb;
++      else
++              cb_info->cb = cb;
++
+       mutex_lock(&drv_info->notify_lock);
+       if (!is_framework) {
+@@ -1349,21 +1348,22 @@ static int __ffa_notify_request(struct ffa_device *dev, bool is_per_vcpu,
+                       flags = PER_VCPU_NOTIFICATION_FLAG;
+               rc = ffa_notification_bind(dev->vm_id, BIT(notify_id), flags);
+-              if (rc) {
+-                      mutex_unlock(&drv_info->notify_lock);
+-                      return rc;
+-              }
++              if (rc)
++                      goto out_unlock_free;
+       }
+-      rc = update_notifier_cb(dev, notify_id, cb, cb_data, true,
+-                              is_framework);
++      rc = update_notifier_cb(dev, notify_id, cb_info, is_framework);
+       if (rc) {
+               pr_err("Failed to register callback for %d - %d\n",
+                      notify_id, rc);
+               if (!is_framework)
+                       ffa_notification_unbind(dev->vm_id, BIT(notify_id));
+       }
++
++out_unlock_free:
+       mutex_unlock(&drv_info->notify_lock);
++      if (rc)
++              kfree(cb_info);
+       return rc;
+ }
+-- 
+2.39.5
+
diff --git a/queue-6.15/firmware-arm_ffa-replace-mutex-with-rwlock-to-avoid-.patch b/queue-6.15/firmware-arm_ffa-replace-mutex-with-rwlock-to-avoid-.patch
new file mode 100644 (file)
index 0000000..c134a66
--- /dev/null
@@ -0,0 +1,152 @@
+From 70f5446fd9f645f4729ad0253974f120fdf6d677 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 May 2025 09:49:43 +0100
+Subject: firmware: arm_ffa: Replace mutex with rwlock to avoid sleep in atomic
+ context
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sudeep Holla <sudeep.holla@arm.com>
+
+[ Upstream commit 9ca7a421229bbdfbe2e1e628cff5cfa782720a10 ]
+
+The current use of a mutex to protect the notifier hashtable accesses
+can lead to issues in the atomic context. It results in the below
+kernel warnings:
+
+  |  BUG: sleeping function called from invalid context at kernel/locking/mutex.c:258
+  |  in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 9, name: kworker/0:0
+  |  preempt_count: 1, expected: 0
+  |  RCU nest depth: 0, expected: 0
+  |  CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted 6.14.0 #4
+  |  Workqueue: ffa_pcpu_irq_notification notif_pcpu_irq_work_fn
+  |  Call trace:
+  |   show_stack+0x18/0x24 (C)
+  |   dump_stack_lvl+0x78/0x90
+  |   dump_stack+0x18/0x24
+  |   __might_resched+0x114/0x170
+  |   __might_sleep+0x48/0x98
+  |   mutex_lock+0x24/0x80
+  |   handle_notif_callbacks+0x54/0xe0
+  |   notif_get_and_handle+0x40/0x88
+  |   generic_exec_single+0x80/0xc0
+  |   smp_call_function_single+0xfc/0x1a0
+  |   notif_pcpu_irq_work_fn+0x2c/0x38
+  |   process_one_work+0x14c/0x2b4
+  |   worker_thread+0x2e4/0x3e0
+  |   kthread+0x13c/0x210
+  |   ret_from_fork+0x10/0x20
+
+To address this, replace the mutex with an rwlock to protect the notifier
+hashtable accesses. This ensures that read-side locking does not sleep and
+multiple readers can acquire the lock concurrently, avoiding unnecessary
+contention and potential deadlocks. Writer access remains exclusive,
+preserving correctness.
+
+This change resolves warnings from lockdep about potential sleep in
+atomic context.
+
+Cc: Jens Wiklander <jens.wiklander@linaro.org>
+Reported-by: Jérôme Forissier <jerome.forissier@linaro.org>
+Closes: https://github.com/OP-TEE/optee_os/issues/7394
+Fixes: e0573444edbf ("firmware: arm_ffa: Add interfaces to request notification callbacks")
+Message-Id: <20250528-ffa_notif_fix-v1-3-5ed7bc7f8437@arm.com>
+Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
+Tested-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/arm_ffa/driver.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/firmware/arm_ffa/driver.c b/drivers/firmware/arm_ffa/driver.c
+index 44eecb786e67b..37eb2e6c2f9f4 100644
+--- a/drivers/firmware/arm_ffa/driver.c
++++ b/drivers/firmware/arm_ffa/driver.c
+@@ -110,7 +110,7 @@ struct ffa_drv_info {
+       struct work_struct sched_recv_irq_work;
+       struct xarray partition_info;
+       DECLARE_HASHTABLE(notifier_hash, ilog2(FFA_MAX_NOTIFICATIONS));
+-      struct mutex notify_lock; /* lock to protect notifier hashtable  */
++      rwlock_t notify_lock; /* lock to protect notifier hashtable  */
+ };
+ static struct ffa_drv_info *drv_info;
+@@ -1289,19 +1289,19 @@ static int __ffa_notify_relinquish(struct ffa_device *dev, int notify_id,
+       if (notify_id >= FFA_MAX_NOTIFICATIONS)
+               return -EINVAL;
+-      mutex_lock(&drv_info->notify_lock);
++      write_lock(&drv_info->notify_lock);
+       rc = update_notifier_cb(dev, notify_id, NULL, is_framework);
+       if (rc) {
+               pr_err("Could not unregister notification callback\n");
+-              mutex_unlock(&drv_info->notify_lock);
++              write_unlock(&drv_info->notify_lock);
+               return rc;
+       }
+       if (!is_framework)
+               rc = ffa_notification_unbind(dev->vm_id, BIT(notify_id));
+-      mutex_unlock(&drv_info->notify_lock);
++      write_unlock(&drv_info->notify_lock);
+       return rc;
+ }
+@@ -1341,7 +1341,7 @@ static int __ffa_notify_request(struct ffa_device *dev, bool is_per_vcpu,
+       else
+               cb_info->cb = cb;
+-      mutex_lock(&drv_info->notify_lock);
++      write_lock(&drv_info->notify_lock);
+       if (!is_framework) {
+               if (is_per_vcpu)
+@@ -1361,7 +1361,7 @@ static int __ffa_notify_request(struct ffa_device *dev, bool is_per_vcpu,
+       }
+ out_unlock_free:
+-      mutex_unlock(&drv_info->notify_lock);
++      write_unlock(&drv_info->notify_lock);
+       if (rc)
+               kfree(cb_info);
+@@ -1407,9 +1407,9 @@ static void handle_notif_callbacks(u64 bitmap, enum notify_type type)
+               if (!(bitmap & 1))
+                       continue;
+-              mutex_lock(&drv_info->notify_lock);
++              read_lock(&drv_info->notify_lock);
+               cb_info = notifier_hnode_get_by_type(notify_id, type);
+-              mutex_unlock(&drv_info->notify_lock);
++              read_unlock(&drv_info->notify_lock);
+               if (cb_info && cb_info->cb)
+                       cb_info->cb(notify_id, cb_info->cb_data);
+@@ -1447,9 +1447,9 @@ static void handle_fwk_notif_callbacks(u32 bitmap)
+       ffa_rx_release();
+-      mutex_lock(&drv_info->notify_lock);
++      read_lock(&drv_info->notify_lock);
+       cb_info = notifier_hnode_get_by_vmid_uuid(notify_id, target, &uuid);
+-      mutex_unlock(&drv_info->notify_lock);
++      read_unlock(&drv_info->notify_lock);
+       if (cb_info && cb_info->fwk_cb)
+               cb_info->fwk_cb(notify_id, cb_info->cb_data, buf);
+@@ -1974,7 +1974,7 @@ static void ffa_notifications_setup(void)
+               goto cleanup;
+       hash_init(drv_info->notifier_hash);
+-      mutex_init(&drv_info->notify_lock);
++      rwlock_init(&drv_info->notify_lock);
+       drv_info->notif_enabled = true;
+       return;
+-- 
+2.39.5
+
diff --git a/queue-6.15/firmware-exynos-acpm-fix-timeouts-on-xfers-handling.patch b/queue-6.15/firmware-exynos-acpm-fix-timeouts-on-xfers-handling.patch
new file mode 100644 (file)
index 0000000..db1aa1a
--- /dev/null
@@ -0,0 +1,110 @@
+From 10dda582265f07f7852cf54eaf14e92cccc6f3d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Jun 2025 10:45:37 +0000
+Subject: firmware: exynos-acpm: fix timeouts on xfers handling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tudor Ambarus <tudor.ambarus@linaro.org>
+
+[ Upstream commit 8d2c2fa2209e83d0eb10f7330d8a0bbdc1df32ff ]
+
+The mailbox framework has a single inflight request at a time. If
+a request is sent while another is still active, it will be queued
+to the mailbox core ring buffer.
+
+ACPM protocol did not serialize the calls to the mailbox subsystem so we
+could start the timeout ticks in parallel for multiple requests, while
+just one was being inflight.
+
+Consider a hypothetical case where the xfer timeout is 100ms and an ACPM
+transaction takes 90ms:
+      | 0ms: Message #0 is queued in mailbox layer and sent out, then sits
+      |      at acpm_dequeue_by_polling() with a timeout of 100ms
+      | 1ms: Message #1 is queued in mailbox layer but not sent out yet.
+      |      Since send_message() doesn't block, it also sits at
+      |      acpm_dequeue_by_polling() with a timeout of 100ms
+      |  ...
+      | 90ms: Message #0 is completed, txdone is called and message #1 is sent
+      | 101ms: Message #1 times out since the count started at 1ms. Even though
+      |       it has only been inflight for 11ms.
+
+Fix the problem by moving mbox_send_message() and mbox_client_txdone()
+immediately after the message has been written to the TX queue and while
+still keeping the ACPM TX queue lock. We thus tie together the TX write
+with the doorbell ring and mark the TX as done after the doorbell has
+been rung. This guarantees that the doorbell has been rang before
+starting the timeout ticks. We should also see some performance
+improvement as we no longer wait to receive a response before ringing
+the doorbell for the next request, so the ACPM firmware shall be able to
+drain faster the TX queue. Another benefit is that requests are no
+longer able to ring the doorbell one for the other, so it eases
+debugging. Finally, the mailbox software queue will always contain a
+single doorbell request due to the serialization done at the ACPM TX
+queue level. Protocols like ACPM, that handle their own hardware queues
+need a passthrough mailbox API, where they are able to just ring the
+doorbell or flip a bit directly into the mailbox controller. The mailbox
+software queue mechanism, the locking done into the mailbox core is not
+really needed, so hopefully this lays the foundation for a passthrough
+mailbox API.
+
+Reported-by: André Draszik <andre.draszik@linaro.org>
+Fixes: a88927b534ba ("firmware: add Exynos ACPM protocol driver")
+Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
+Link: https://lore.kernel.org/r/20250606-acpm-timeout-v2-1-306b1aa07a6c@linaro.org
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/samsung/exynos-acpm.c | 25 +++++++++----------------
+ 1 file changed, 9 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/firmware/samsung/exynos-acpm.c b/drivers/firmware/samsung/exynos-acpm.c
+index e80cb7a8da8f2..520a9fd3b0fd3 100644
+--- a/drivers/firmware/samsung/exynos-acpm.c
++++ b/drivers/firmware/samsung/exynos-acpm.c
+@@ -430,6 +430,9 @@ int acpm_do_xfer(const struct acpm_handle *handle, const struct acpm_xfer *xfer)
+               return -EOPNOTSUPP;
+       }
++      msg.chan_id = xfer->acpm_chan_id;
++      msg.chan_type = EXYNOS_MBOX_CHAN_TYPE_DOORBELL;
++
+       scoped_guard(mutex, &achan->tx_lock) {
+               tx_front = readl(achan->tx.front);
+               idx = (tx_front + 1) % achan->qlen;
+@@ -446,25 +449,15 @@ int acpm_do_xfer(const struct acpm_handle *handle, const struct acpm_xfer *xfer)
+               /* Advance TX front. */
+               writel(idx, achan->tx.front);
+-      }
+-      msg.chan_id = xfer->acpm_chan_id;
+-      msg.chan_type = EXYNOS_MBOX_CHAN_TYPE_DOORBELL;
+-      ret = mbox_send_message(achan->chan, (void *)&msg);
+-      if (ret < 0)
+-              return ret;
+-
+-      ret = acpm_wait_for_message_response(achan, xfer);
++              ret = mbox_send_message(achan->chan, (void *)&msg);
++              if (ret < 0)
++                      return ret;
+-      /*
+-       * NOTE: we might prefer not to need the mailbox ticker to manage the
+-       * transfer queueing since the protocol layer queues things by itself.
+-       * Unfortunately, we have to kick the mailbox framework after we have
+-       * received our message.
+-       */
+-      mbox_client_txdone(achan->chan, ret);
++              mbox_client_txdone(achan->chan, 0);
++      }
+-      return ret;
++      return acpm_wait_for_message_response(achan, xfer);
+ }
+ /**
+-- 
+2.39.5
+
diff --git a/queue-6.15/flexfiles-pnfs-update-stats-on-nfs4err_delay-for-v4..patch b/queue-6.15/flexfiles-pnfs-update-stats-on-nfs4err_delay-for-v4..patch
new file mode 100644 (file)
index 0000000..7555005
--- /dev/null
@@ -0,0 +1,36 @@
+From 4a6c9f2ec581e1dfad0139a66e81d42491d70510 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 May 2025 21:04:15 +0200
+Subject: flexfiles/pNFS: update stats on NFS4ERR_DELAY for v4.1 DSes
+
+From: Tigran Mkrtchyan <tigran.mkrtchyan@desy.de>
+
+[ Upstream commit e3e3775392f3f0f3e3044f8c162bf47858e01759 ]
+
+On NFS4ERR_DELAY nfs slient updates its stats, but misses for
+flexfiles v4.1 DSes.
+
+Signed-off-by: Tigran Mkrtchyan <tigran.mkrtchyan@desy.de>
+Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
+Stable-dep-of: 38074de35b01 ("NFSv4/flexfiles: Fix handling of NFS level errors in I/O")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/flexfilelayout/flexfilelayout.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/nfs/flexfilelayout/flexfilelayout.c b/fs/nfs/flexfilelayout/flexfilelayout.c
+index e6909cafab686..df48074605967 100644
+--- a/fs/nfs/flexfilelayout/flexfilelayout.c
++++ b/fs/nfs/flexfilelayout/flexfilelayout.c
+@@ -1129,6 +1129,8 @@ static int ff_layout_async_handle_error_v4(struct rpc_task *task,
+               nfs4_schedule_session_recovery(clp->cl_session, task->tk_status);
+               break;
+       case -NFS4ERR_DELAY:
++              nfs_inc_stats(lseg->pls_layout->plh_inode, NFSIOS_DELAY);
++              fallthrough;
+       case -NFS4ERR_GRACE:
+               rpc_delay(task, FF_LAYOUT_POLL_RETRY_MAX);
+               break;
+-- 
+2.39.5
+
diff --git a/queue-6.15/fs-export-anon_inode_make_secure_inode-and-fix-secre.patch b/queue-6.15/fs-export-anon_inode_make_secure_inode-and-fix-secre.patch
new file mode 100644 (file)
index 0000000..9ee9312
--- /dev/null
@@ -0,0 +1,130 @@
+From 5e73477cd349fd3ddf56f94558e6aa323ee0cb04 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 07:03:30 +0000
+Subject: fs: export anon_inode_make_secure_inode() and fix secretmem LSM
+ bypass
+
+From: Shivank Garg <shivankg@amd.com>
+
+[ Upstream commit cbe4134ea4bc493239786220bd69cb8a13493190 ]
+
+Export anon_inode_make_secure_inode() to allow KVM guest_memfd to create
+anonymous inodes with proper security context. This replaces the current
+pattern of calling alloc_anon_inode() followed by
+inode_init_security_anon() for creating security context manually.
+
+This change also fixes a security regression in secretmem where the
+S_PRIVATE flag was not cleared after alloc_anon_inode(), causing
+LSM/SELinux checks to be bypassed for secretmem file descriptors.
+
+As guest_memfd currently resides in the KVM module, we need to export this
+symbol for use outside the core kernel. In the future, guest_memfd might be
+moved to core-mm, at which point the symbols no longer would have to be
+exported. When/if that happens is still unclear.
+
+Fixes: 2bfe15c52612 ("mm: create security context for memfd_secret inodes")
+Suggested-by: David Hildenbrand <david@redhat.com>
+Suggested-by: Mike Rapoport <rppt@kernel.org>
+Signed-off-by: Shivank Garg <shivankg@amd.com>
+Link: https://lore.kernel.org/20250620070328.803704-3-shivankg@amd.com
+Acked-by: "Mike Rapoport (Microsoft)" <rppt@kernel.org>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/anon_inodes.c   | 23 ++++++++++++++++++-----
+ include/linux/fs.h |  2 ++
+ mm/secretmem.c     |  9 +--------
+ 3 files changed, 21 insertions(+), 13 deletions(-)
+
+diff --git a/fs/anon_inodes.c b/fs/anon_inodes.c
+index e51e7d88980a2..1d847a939f29a 100644
+--- a/fs/anon_inodes.c
++++ b/fs/anon_inodes.c
+@@ -98,14 +98,25 @@ static struct file_system_type anon_inode_fs_type = {
+       .kill_sb        = kill_anon_super,
+ };
+-static struct inode *anon_inode_make_secure_inode(
+-      const char *name,
+-      const struct inode *context_inode)
++/**
++ * anon_inode_make_secure_inode - allocate an anonymous inode with security context
++ * @sb:               [in]    Superblock to allocate from
++ * @name:     [in]    Name of the class of the newfile (e.g., "secretmem")
++ * @context_inode:
++ *            [in]    Optional parent inode for security inheritance
++ *
++ * The function ensures proper security initialization through the LSM hook
++ * security_inode_init_security_anon().
++ *
++ * Return:    Pointer to new inode on success, ERR_PTR on failure.
++ */
++struct inode *anon_inode_make_secure_inode(struct super_block *sb, const char *name,
++                                         const struct inode *context_inode)
+ {
+       struct inode *inode;
+       int error;
+-      inode = alloc_anon_inode(anon_inode_mnt->mnt_sb);
++      inode = alloc_anon_inode(sb);
+       if (IS_ERR(inode))
+               return inode;
+       inode->i_flags &= ~S_PRIVATE;
+@@ -118,6 +129,7 @@ static struct inode *anon_inode_make_secure_inode(
+       }
+       return inode;
+ }
++EXPORT_SYMBOL_GPL_FOR_MODULES(anon_inode_make_secure_inode, "kvm");
+ static struct file *__anon_inode_getfile(const char *name,
+                                        const struct file_operations *fops,
+@@ -132,7 +144,8 @@ static struct file *__anon_inode_getfile(const char *name,
+               return ERR_PTR(-ENOENT);
+       if (make_inode) {
+-              inode = anon_inode_make_secure_inode(name, context_inode);
++              inode = anon_inode_make_secure_inode(anon_inode_mnt->mnt_sb,
++                                                   name, context_inode);
+               if (IS_ERR(inode)) {
+                       file = ERR_CAST(inode);
+                       goto err;
+diff --git a/include/linux/fs.h b/include/linux/fs.h
+index ef41a8213a6fa..1fe7bf10d442c 100644
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -3552,6 +3552,8 @@ extern int simple_write_begin(struct file *file, struct address_space *mapping,
+ extern const struct address_space_operations ram_aops;
+ extern int always_delete_dentry(const struct dentry *);
+ extern struct inode *alloc_anon_inode(struct super_block *);
++struct inode *anon_inode_make_secure_inode(struct super_block *sb, const char *name,
++                                         const struct inode *context_inode);
+ extern int simple_nosetlease(struct file *, int, struct file_lease **, void **);
+ extern const struct dentry_operations simple_dentry_operations;
+diff --git a/mm/secretmem.c b/mm/secretmem.c
+index 1b0a214ee5580..4662f2510ae5f 100644
+--- a/mm/secretmem.c
++++ b/mm/secretmem.c
+@@ -195,18 +195,11 @@ static struct file *secretmem_file_create(unsigned long flags)
+       struct file *file;
+       struct inode *inode;
+       const char *anon_name = "[secretmem]";
+-      int err;
+-      inode = alloc_anon_inode(secretmem_mnt->mnt_sb);
++      inode = anon_inode_make_secure_inode(secretmem_mnt->mnt_sb, anon_name, NULL);
+       if (IS_ERR(inode))
+               return ERR_CAST(inode);
+-      err = security_inode_init_security_anon(inode, &QSTR(anon_name), NULL);
+-      if (err) {
+-              file = ERR_PTR(err);
+-              goto err_free_inode;
+-      }
+-
+       file = alloc_file_pseudo(inode, secretmem_mnt, "secretmem",
+                                O_RDWR, &secretmem_fops);
+       if (IS_ERR(file))
+-- 
+2.39.5
+
diff --git a/queue-6.15/genirq-irq_sim-initialize-work-context-pointers-prop.patch b/queue-6.15/genirq-irq_sim-initialize-work-context-pointers-prop.patch
new file mode 100644 (file)
index 0000000..d621e87
--- /dev/null
@@ -0,0 +1,37 @@
+From 22bc2708b5fb54a85c01666a98fef27ca4b00e04 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jun 2025 21:48:27 +0900
+Subject: genirq/irq_sim: Initialize work context pointers properly
+
+From: Gyeyoung Baek <gye976@gmail.com>
+
+[ Upstream commit 8a2277a3c9e4cc5398f80821afe7ecbe9bdf2819 ]
+
+Initialize `ops` member's pointers properly by using kzalloc() instead of
+kmalloc() when allocating the simulation work context. Otherwise the
+pointers contain random content leading to invalid dereferencing.
+
+Signed-off-by: Gyeyoung Baek <gye976@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lore.kernel.org/all/20250612124827.63259-1-gye976@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/irq/irq_sim.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/irq/irq_sim.c b/kernel/irq/irq_sim.c
+index 1a3d483548e2f..ae4c9cbd1b4b9 100644
+--- a/kernel/irq/irq_sim.c
++++ b/kernel/irq/irq_sim.c
+@@ -202,7 +202,7 @@ struct irq_domain *irq_domain_create_sim_full(struct fwnode_handle *fwnode,
+                                             void *data)
+ {
+       struct irq_sim_work_ctx *work_ctx __free(kfree) =
+-                              kmalloc(sizeof(*work_ctx), GFP_KERNEL);
++                              kzalloc(sizeof(*work_ctx), GFP_KERNEL);
+       if (!work_ctx)
+               return ERR_PTR(-ENOMEM);
+-- 
+2.39.5
+
diff --git a/queue-6.15/ib-mlx5-fix-potential-deadlock-in-mr-deregistration.patch b/queue-6.15/ib-mlx5-fix-potential-deadlock-in-mr-deregistration.patch
new file mode 100644 (file)
index 0000000..91f1e8e
--- /dev/null
@@ -0,0 +1,268 @@
+From c64c7d665911ae0e23b21f5c3f51719cec8b21e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Jun 2025 11:14:09 +0300
+Subject: IB/mlx5: Fix potential deadlock in MR deregistration
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Or Har-Toov <ohartoov@nvidia.com>
+
+[ Upstream commit 2ed25aa7f7711f508b6120e336f05cd9d49943c0 ]
+
+The issue arises when kzalloc() is invoked while holding umem_mutex or
+any other lock acquired under umem_mutex. This is problematic because
+kzalloc() can trigger fs_reclaim_aqcuire(), which may, in turn, invoke
+mmu_notifier_invalidate_range_start(). This function can lead to
+mlx5_ib_invalidate_range(), which attempts to acquire umem_mutex again,
+resulting in a deadlock.
+
+The problematic flow:
+             CPU0                      |              CPU1
+---------------------------------------|------------------------------------------------
+mlx5_ib_dereg_mr()                     |
+ → revoke_mr()                         |
+   → mutex_lock(&umem_odp->umem_mutex) |
+                                       | mlx5_mkey_cache_init()
+                                       |  → mutex_lock(&dev->cache.rb_lock)
+                                       |  → mlx5r_cache_create_ent_locked()
+                                       |    → kzalloc(GFP_KERNEL)
+                                       |      → fs_reclaim()
+                                       |        → mmu_notifier_invalidate_range_start()
+                                       |          → mlx5_ib_invalidate_range()
+                                       |            → mutex_lock(&umem_odp->umem_mutex)
+   → cache_ent_find_and_store()        |
+     → mutex_lock(&dev->cache.rb_lock) |
+
+Additionally, when kzalloc() is called from within
+cache_ent_find_and_store(), we encounter the same deadlock due to
+re-acquisition of umem_mutex.
+
+Solve by releasing umem_mutex in dereg_mr() after umr_revoke_mr()
+and before acquiring rb_lock. This ensures that we don't hold
+umem_mutex while performing memory allocations that could trigger
+the reclaim path.
+
+This change prevents the deadlock by ensuring proper lock ordering and
+avoiding holding locks during memory allocation operations that could
+trigger the reclaim path.
+
+The following lockdep warning demonstrates the deadlock:
+
+ python3/20557 is trying to acquire lock:
+ ffff888387542128 (&umem_odp->umem_mutex){+.+.}-{4:4}, at:
+ mlx5_ib_invalidate_range+0x5b/0x550 [mlx5_ib]
+
+ but task is already holding lock:
+ ffffffff82f6b840 (mmu_notifier_invalidate_range_start){+.+.}-{0:0}, at:
+ unmap_vmas+0x7b/0x1a0
+
+ which lock already depends on the new lock.
+
+ the existing dependency chain (in reverse order) is:
+
+ -> #3 (mmu_notifier_invalidate_range_start){+.+.}-{0:0}:
+       fs_reclaim_acquire+0x60/0xd0
+       mem_cgroup_css_alloc+0x6f/0x9b0
+       cgroup_init_subsys+0xa4/0x240
+       cgroup_init+0x1c8/0x510
+       start_kernel+0x747/0x760
+       x86_64_start_reservations+0x25/0x30
+       x86_64_start_kernel+0x73/0x80
+       common_startup_64+0x129/0x138
+
+ -> #2 (fs_reclaim){+.+.}-{0:0}:
+       fs_reclaim_acquire+0x91/0xd0
+       __kmalloc_cache_noprof+0x4d/0x4c0
+       mlx5r_cache_create_ent_locked+0x75/0x620 [mlx5_ib]
+       mlx5_mkey_cache_init+0x186/0x360 [mlx5_ib]
+       mlx5_ib_stage_post_ib_reg_umr_init+0x3c/0x60 [mlx5_ib]
+       __mlx5_ib_add+0x4b/0x190 [mlx5_ib]
+       mlx5r_probe+0xd9/0x320 [mlx5_ib]
+       auxiliary_bus_probe+0x42/0x70
+       really_probe+0xdb/0x360
+       __driver_probe_device+0x8f/0x130
+       driver_probe_device+0x1f/0xb0
+       __driver_attach+0xd4/0x1f0
+       bus_for_each_dev+0x79/0xd0
+       bus_add_driver+0xf0/0x200
+       driver_register+0x6e/0xc0
+       __auxiliary_driver_register+0x6a/0xc0
+       do_one_initcall+0x5e/0x390
+       do_init_module+0x88/0x240
+       init_module_from_file+0x85/0xc0
+       idempotent_init_module+0x104/0x300
+       __x64_sys_finit_module+0x68/0xc0
+       do_syscall_64+0x6d/0x140
+       entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+ -> #1 (&dev->cache.rb_lock){+.+.}-{4:4}:
+       __mutex_lock+0x98/0xf10
+       __mlx5_ib_dereg_mr+0x6f2/0x890 [mlx5_ib]
+       mlx5_ib_dereg_mr+0x21/0x110 [mlx5_ib]
+       ib_dereg_mr_user+0x85/0x1f0 [ib_core]
+       uverbs_free_mr+0x19/0x30 [ib_uverbs]
+       destroy_hw_idr_uobject+0x21/0x80 [ib_uverbs]
+       uverbs_destroy_uobject+0x60/0x3d0 [ib_uverbs]
+       uobj_destroy+0x57/0xa0 [ib_uverbs]
+       ib_uverbs_cmd_verbs+0x4d5/0x1210 [ib_uverbs]
+       ib_uverbs_ioctl+0x129/0x230 [ib_uverbs]
+       __x64_sys_ioctl+0x596/0xaa0
+       do_syscall_64+0x6d/0x140
+       entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+ -> #0 (&umem_odp->umem_mutex){+.+.}-{4:4}:
+       __lock_acquire+0x1826/0x2f00
+       lock_acquire+0xd3/0x2e0
+       __mutex_lock+0x98/0xf10
+       mlx5_ib_invalidate_range+0x5b/0x550 [mlx5_ib]
+       __mmu_notifier_invalidate_range_start+0x18e/0x1f0
+       unmap_vmas+0x182/0x1a0
+       exit_mmap+0xf3/0x4a0
+       mmput+0x3a/0x100
+       do_exit+0x2b9/0xa90
+       do_group_exit+0x32/0xa0
+       get_signal+0xc32/0xcb0
+       arch_do_signal_or_restart+0x29/0x1d0
+       syscall_exit_to_user_mode+0x105/0x1d0
+       do_syscall_64+0x79/0x140
+       entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+ Chain exists of:
+ &dev->cache.rb_lock --> mmu_notifier_invalidate_range_start -->
+ &umem_odp->umem_mutex
+
+ Possible unsafe locking scenario:
+
+       CPU0                        CPU1
+       ----                        ----
+   lock(&umem_odp->umem_mutex);
+                                lock(mmu_notifier_invalidate_range_start);
+                                lock(&umem_odp->umem_mutex);
+   lock(&dev->cache.rb_lock);
+
+ *** DEADLOCK ***
+
+Fixes: abb604a1a9c8 ("RDMA/mlx5: Fix a race for an ODP MR which leads to CQE with error")
+Signed-off-by: Or Har-Toov <ohartoov@nvidia.com>
+Reviewed-by: Michael Guralnik <michaelgur@nvidia.com>
+Link: https://patch.msgid.link/3c8f225a8a9fade647d19b014df1172544643e4a.1750061612.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/mr.c | 61 +++++++++++++++++++++++++--------
+ 1 file changed, 47 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/mr.c b/drivers/infiniband/hw/mlx5/mr.c
+index 5fbebafc87742..cb403134eeaea 100644
+--- a/drivers/infiniband/hw/mlx5/mr.c
++++ b/drivers/infiniband/hw/mlx5/mr.c
+@@ -2027,23 +2027,50 @@ void mlx5_ib_revoke_data_direct_mrs(struct mlx5_ib_dev *dev)
+       }
+ }
+-static int mlx5_revoke_mr(struct mlx5_ib_mr *mr)
++static int mlx5_umr_revoke_mr_with_lock(struct mlx5_ib_mr *mr)
+ {
+-      struct mlx5_ib_dev *dev = to_mdev(mr->ibmr.device);
+-      struct mlx5_cache_ent *ent = mr->mmkey.cache_ent;
+-      bool is_odp = is_odp_mr(mr);
+       bool is_odp_dma_buf = is_dmabuf_mr(mr) &&
+-                      !to_ib_umem_dmabuf(mr->umem)->pinned;
+-      bool from_cache = !!ent;
+-      int ret = 0;
++                            !to_ib_umem_dmabuf(mr->umem)->pinned;
++      bool is_odp = is_odp_mr(mr);
++      int ret;
+       if (is_odp)
+               mutex_lock(&to_ib_umem_odp(mr->umem)->umem_mutex);
+       if (is_odp_dma_buf)
+-              dma_resv_lock(to_ib_umem_dmabuf(mr->umem)->attach->dmabuf->resv, NULL);
++              dma_resv_lock(to_ib_umem_dmabuf(mr->umem)->attach->dmabuf->resv,
++                            NULL);
++
++      ret = mlx5r_umr_revoke_mr(mr);
++
++      if (is_odp) {
++              if (!ret)
++                      to_ib_umem_odp(mr->umem)->private = NULL;
++              mutex_unlock(&to_ib_umem_odp(mr->umem)->umem_mutex);
++      }
++
++      if (is_odp_dma_buf) {
++              if (!ret)
++                      to_ib_umem_dmabuf(mr->umem)->private = NULL;
++              dma_resv_unlock(
++                      to_ib_umem_dmabuf(mr->umem)->attach->dmabuf->resv);
++      }
+-      if (mr->mmkey.cacheable && !mlx5r_umr_revoke_mr(mr) && !cache_ent_find_and_store(dev, mr)) {
++      return ret;
++}
++
++static int mlx5r_handle_mkey_cleanup(struct mlx5_ib_mr *mr)
++{
++      bool is_odp_dma_buf = is_dmabuf_mr(mr) &&
++                            !to_ib_umem_dmabuf(mr->umem)->pinned;
++      struct mlx5_ib_dev *dev = to_mdev(mr->ibmr.device);
++      struct mlx5_cache_ent *ent = mr->mmkey.cache_ent;
++      bool is_odp = is_odp_mr(mr);
++      bool from_cache = !!ent;
++      int ret;
++
++      if (mr->mmkey.cacheable && !mlx5_umr_revoke_mr_with_lock(mr) &&
++          !cache_ent_find_and_store(dev, mr)) {
+               ent = mr->mmkey.cache_ent;
+               /* upon storing to a clean temp entry - schedule its cleanup */
+               spin_lock_irq(&ent->mkeys_queue.lock);
+@@ -2055,7 +2082,7 @@ static int mlx5_revoke_mr(struct mlx5_ib_mr *mr)
+                       ent->tmp_cleanup_scheduled = true;
+               }
+               spin_unlock_irq(&ent->mkeys_queue.lock);
+-              goto out;
++              return 0;
+       }
+       if (ent) {
+@@ -2064,8 +2091,14 @@ static int mlx5_revoke_mr(struct mlx5_ib_mr *mr)
+               mr->mmkey.cache_ent = NULL;
+               spin_unlock_irq(&ent->mkeys_queue.lock);
+       }
++
++      if (is_odp)
++              mutex_lock(&to_ib_umem_odp(mr->umem)->umem_mutex);
++
++      if (is_odp_dma_buf)
++              dma_resv_lock(to_ib_umem_dmabuf(mr->umem)->attach->dmabuf->resv,
++                            NULL);
+       ret = destroy_mkey(dev, mr);
+-out:
+       if (is_odp) {
+               if (!ret)
+                       to_ib_umem_odp(mr->umem)->private = NULL;
+@@ -2075,9 +2108,9 @@ static int mlx5_revoke_mr(struct mlx5_ib_mr *mr)
+       if (is_odp_dma_buf) {
+               if (!ret)
+                       to_ib_umem_dmabuf(mr->umem)->private = NULL;
+-              dma_resv_unlock(to_ib_umem_dmabuf(mr->umem)->attach->dmabuf->resv);
++              dma_resv_unlock(
++                      to_ib_umem_dmabuf(mr->umem)->attach->dmabuf->resv);
+       }
+-
+       return ret;
+ }
+@@ -2126,7 +2159,7 @@ static int __mlx5_ib_dereg_mr(struct ib_mr *ibmr)
+       }
+       /* Stop DMA */
+-      rc = mlx5_revoke_mr(mr);
++      rc = mlx5r_handle_mkey_cleanup(mr);
+       if (rc)
+               return rc;
+-- 
+2.39.5
+
diff --git a/queue-6.15/idpf-convert-control-queue-mutex-to-a-spinlock.patch b/queue-6.15/idpf-convert-control-queue-mutex-to-a-spinlock.patch
new file mode 100644 (file)
index 0000000..7ee42bf
--- /dev/null
@@ -0,0 +1,232 @@
+From c54d7701d9e5b78a8eedfb64dab935314c6b5e51 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 May 2025 14:55:37 -0600
+Subject: idpf: convert control queue mutex to a spinlock
+
+From: Ahmed Zaki <ahmed.zaki@intel.com>
+
+[ Upstream commit b2beb5bb2cd90d7939e470ed4da468683f41baa3 ]
+
+With VIRTCHNL2_CAP_MACFILTER enabled, the following warning is generated
+on module load:
+
+[  324.701677] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:578
+[  324.701684] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1582, name: NetworkManager
+[  324.701689] preempt_count: 201, expected: 0
+[  324.701693] RCU nest depth: 0, expected: 0
+[  324.701697] 2 locks held by NetworkManager/1582:
+[  324.701702]  #0: ffffffff9f7be770 (rtnl_mutex){....}-{3:3}, at: rtnl_newlink+0x791/0x21e0
+[  324.701730]  #1: ff1100216c380368 (_xmit_ETHER){....}-{2:2}, at: __dev_open+0x3f0/0x870
+[  324.701749] Preemption disabled at:
+[  324.701752] [<ffffffff9cd23b9d>] __dev_open+0x3dd/0x870
+[  324.701765] CPU: 30 UID: 0 PID: 1582 Comm: NetworkManager Not tainted 6.15.0-rc5+ #2 PREEMPT(voluntary)
+[  324.701771] Hardware name: Intel Corporation M50FCP2SBSTD/M50FCP2SBSTD, BIOS SE5C741.86B.01.01.0001.2211140926 11/14/2022
+[  324.701774] Call Trace:
+[  324.701777]  <TASK>
+[  324.701779]  dump_stack_lvl+0x5d/0x80
+[  324.701788]  ? __dev_open+0x3dd/0x870
+[  324.701793]  __might_resched.cold+0x1ef/0x23d
+<..>
+[  324.701818]  __mutex_lock+0x113/0x1b80
+<..>
+[  324.701917]  idpf_ctlq_clean_sq+0xad/0x4b0 [idpf]
+[  324.701935]  ? kasan_save_track+0x14/0x30
+[  324.701941]  idpf_mb_clean+0x143/0x380 [idpf]
+<..>
+[  324.701991]  idpf_send_mb_msg+0x111/0x720 [idpf]
+[  324.702009]  idpf_vc_xn_exec+0x4cc/0x990 [idpf]
+[  324.702021]  ? rcu_is_watching+0x12/0xc0
+[  324.702035]  idpf_add_del_mac_filters+0x3ed/0xb50 [idpf]
+<..>
+[  324.702122]  __hw_addr_sync_dev+0x1cf/0x300
+[  324.702126]  ? find_held_lock+0x32/0x90
+[  324.702134]  idpf_set_rx_mode+0x317/0x390 [idpf]
+[  324.702152]  __dev_open+0x3f8/0x870
+[  324.702159]  ? __pfx___dev_open+0x10/0x10
+[  324.702174]  __dev_change_flags+0x443/0x650
+<..>
+[  324.702208]  netif_change_flags+0x80/0x160
+[  324.702218]  do_setlink.isra.0+0x16a0/0x3960
+<..>
+[  324.702349]  rtnl_newlink+0x12fd/0x21e0
+
+The sequence is as follows:
+       rtnl_newlink()->
+       __dev_change_flags()->
+       __dev_open()->
+       dev_set_rx_mode() - >  # disables BH and grabs "dev->addr_list_lock"
+       idpf_set_rx_mode() ->  # proceed only if VIRTCHNL2_CAP_MACFILTER is ON
+       __dev_uc_sync() ->
+       idpf_add_mac_filter ->
+       idpf_add_del_mac_filters ->
+       idpf_send_mb_msg() ->
+       idpf_mb_clean() ->
+       idpf_ctlq_clean_sq()   # mutex_lock(cq_lock)
+
+Fix by converting cq_lock to a spinlock. All operations under the new
+lock are safe except freeing the DMA memory, which may use vunmap(). Fix
+by requesting a contiguous physical memory for the DMA mapping.
+
+Fixes: a251eee62133 ("idpf: add SRIOV support and other ndo_ops")
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Signed-off-by: Ahmed Zaki <ahmed.zaki@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Samuel Salin <Samuel.salin@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/intel/idpf/idpf_controlq.c   | 23 +++++++++----------
+ .../ethernet/intel/idpf/idpf_controlq_api.h   |  2 +-
+ drivers/net/ethernet/intel/idpf/idpf_lib.c    | 12 ++++++----
+ 3 files changed, 20 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_controlq.c b/drivers/net/ethernet/intel/idpf/idpf_controlq.c
+index b28991dd18703..48b8e184f3db6 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_controlq.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_controlq.c
+@@ -96,7 +96,7 @@ static void idpf_ctlq_init_rxq_bufs(struct idpf_ctlq_info *cq)
+  */
+ static void idpf_ctlq_shutdown(struct idpf_hw *hw, struct idpf_ctlq_info *cq)
+ {
+-      mutex_lock(&cq->cq_lock);
++      spin_lock(&cq->cq_lock);
+       /* free ring buffers and the ring itself */
+       idpf_ctlq_dealloc_ring_res(hw, cq);
+@@ -104,8 +104,7 @@ static void idpf_ctlq_shutdown(struct idpf_hw *hw, struct idpf_ctlq_info *cq)
+       /* Set ring_size to 0 to indicate uninitialized queue */
+       cq->ring_size = 0;
+-      mutex_unlock(&cq->cq_lock);
+-      mutex_destroy(&cq->cq_lock);
++      spin_unlock(&cq->cq_lock);
+ }
+ /**
+@@ -173,7 +172,7 @@ int idpf_ctlq_add(struct idpf_hw *hw,
+       idpf_ctlq_init_regs(hw, cq, is_rxq);
+-      mutex_init(&cq->cq_lock);
++      spin_lock_init(&cq->cq_lock);
+       list_add(&cq->cq_list, &hw->cq_list_head);
+@@ -272,7 +271,7 @@ int idpf_ctlq_send(struct idpf_hw *hw, struct idpf_ctlq_info *cq,
+       int err = 0;
+       int i;
+-      mutex_lock(&cq->cq_lock);
++      spin_lock(&cq->cq_lock);
+       /* Ensure there are enough descriptors to send all messages */
+       num_desc_avail = IDPF_CTLQ_DESC_UNUSED(cq);
+@@ -332,7 +331,7 @@ int idpf_ctlq_send(struct idpf_hw *hw, struct idpf_ctlq_info *cq,
+       wr32(hw, cq->reg.tail, cq->next_to_use);
+ err_unlock:
+-      mutex_unlock(&cq->cq_lock);
++      spin_unlock(&cq->cq_lock);
+       return err;
+ }
+@@ -364,7 +363,7 @@ int idpf_ctlq_clean_sq(struct idpf_ctlq_info *cq, u16 *clean_count,
+       if (*clean_count > cq->ring_size)
+               return -EBADR;
+-      mutex_lock(&cq->cq_lock);
++      spin_lock(&cq->cq_lock);
+       ntc = cq->next_to_clean;
+@@ -397,7 +396,7 @@ int idpf_ctlq_clean_sq(struct idpf_ctlq_info *cq, u16 *clean_count,
+       cq->next_to_clean = ntc;
+-      mutex_unlock(&cq->cq_lock);
++      spin_unlock(&cq->cq_lock);
+       /* Return number of descriptors actually cleaned */
+       *clean_count = i;
+@@ -435,7 +434,7 @@ int idpf_ctlq_post_rx_buffs(struct idpf_hw *hw, struct idpf_ctlq_info *cq,
+       if (*buff_count > 0)
+               buffs_avail = true;
+-      mutex_lock(&cq->cq_lock);
++      spin_lock(&cq->cq_lock);
+       if (tbp >= cq->ring_size)
+               tbp = 0;
+@@ -524,7 +523,7 @@ int idpf_ctlq_post_rx_buffs(struct idpf_hw *hw, struct idpf_ctlq_info *cq,
+               wr32(hw, cq->reg.tail, cq->next_to_post);
+       }
+-      mutex_unlock(&cq->cq_lock);
++      spin_unlock(&cq->cq_lock);
+       /* return the number of buffers that were not posted */
+       *buff_count = *buff_count - i;
+@@ -552,7 +551,7 @@ int idpf_ctlq_recv(struct idpf_ctlq_info *cq, u16 *num_q_msg,
+       u16 i;
+       /* take the lock before we start messing with the ring */
+-      mutex_lock(&cq->cq_lock);
++      spin_lock(&cq->cq_lock);
+       ntc = cq->next_to_clean;
+@@ -614,7 +613,7 @@ int idpf_ctlq_recv(struct idpf_ctlq_info *cq, u16 *num_q_msg,
+       cq->next_to_clean = ntc;
+-      mutex_unlock(&cq->cq_lock);
++      spin_unlock(&cq->cq_lock);
+       *num_q_msg = i;
+       if (*num_q_msg == 0)
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_controlq_api.h b/drivers/net/ethernet/intel/idpf/idpf_controlq_api.h
+index e8e046ef2f0d7..5890d8adca4a8 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_controlq_api.h
++++ b/drivers/net/ethernet/intel/idpf/idpf_controlq_api.h
+@@ -99,7 +99,7 @@ struct idpf_ctlq_info {
+       enum idpf_ctlq_type cq_type;
+       int q_id;
+-      struct mutex cq_lock;           /* control queue lock */
++      spinlock_t cq_lock;             /* control queue lock */
+       /* used for interrupt processing */
+       u16 next_to_use;
+       u16 next_to_clean;
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c
+index 2ed801398971c..fe96e20573660 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_lib.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c
+@@ -2329,8 +2329,12 @@ void *idpf_alloc_dma_mem(struct idpf_hw *hw, struct idpf_dma_mem *mem, u64 size)
+       struct idpf_adapter *adapter = hw->back;
+       size_t sz = ALIGN(size, 4096);
+-      mem->va = dma_alloc_coherent(&adapter->pdev->dev, sz,
+-                                   &mem->pa, GFP_KERNEL);
++      /* The control queue resources are freed under a spinlock, contiguous
++       * pages will avoid IOMMU remapping and the use vmap (and vunmap in
++       * dma_free_*() path.
++       */
++      mem->va = dma_alloc_attrs(&adapter->pdev->dev, sz, &mem->pa,
++                                GFP_KERNEL, DMA_ATTR_FORCE_CONTIGUOUS);
+       mem->size = sz;
+       return mem->va;
+@@ -2345,8 +2349,8 @@ void idpf_free_dma_mem(struct idpf_hw *hw, struct idpf_dma_mem *mem)
+ {
+       struct idpf_adapter *adapter = hw->back;
+-      dma_free_coherent(&adapter->pdev->dev, mem->size,
+-                        mem->va, mem->pa);
++      dma_free_attrs(&adapter->pdev->dev, mem->size,
++                     mem->va, mem->pa, DMA_ATTR_FORCE_CONTIGUOUS);
+       mem->size = 0;
+       mem->va = NULL;
+       mem->pa = 0;
+-- 
+2.39.5
+
diff --git a/queue-6.15/idpf-return-0-size-for-rss-key-if-not-supported.patch b/queue-6.15/idpf-return-0-size-for-rss-key-if-not-supported.patch
new file mode 100644 (file)
index 0000000..b01ffed
--- /dev/null
@@ -0,0 +1,101 @@
+From 521f9753b3ac2ea6a221e5c3e9afde6c68d7a1a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 May 2025 10:52:06 +0200
+Subject: idpf: return 0 size for RSS key if not supported
+
+From: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+
+[ Upstream commit f77bf1ebf8ff6301ccdbc346f7b52db928f9cbf8 ]
+
+Returning -EOPNOTSUPP from function returning u32 is leading to
+cast and invalid size value as a result.
+
+-EOPNOTSUPP as a size probably will lead to allocation fail.
+
+Command: ethtool -x eth0
+It is visible on all devices that don't have RSS caps set.
+
+[  136.615917] Call Trace:
+[  136.615921]  <TASK>
+[  136.615927]  ? __warn+0x89/0x130
+[  136.615942]  ? __alloc_frozen_pages_noprof+0x322/0x330
+[  136.615953]  ? report_bug+0x164/0x190
+[  136.615968]  ? handle_bug+0x58/0x90
+[  136.615979]  ? exc_invalid_op+0x17/0x70
+[  136.615987]  ? asm_exc_invalid_op+0x1a/0x20
+[  136.616001]  ? rss_prepare_get.constprop.0+0xb9/0x170
+[  136.616016]  ? __alloc_frozen_pages_noprof+0x322/0x330
+[  136.616028]  __alloc_pages_noprof+0xe/0x20
+[  136.616038]  ___kmalloc_large_node+0x80/0x110
+[  136.616072]  __kmalloc_large_node_noprof+0x1d/0xa0
+[  136.616081]  __kmalloc_noprof+0x32c/0x4c0
+[  136.616098]  ? rss_prepare_get.constprop.0+0xb9/0x170
+[  136.616105]  rss_prepare_get.constprop.0+0xb9/0x170
+[  136.616114]  ethnl_default_doit+0x107/0x3d0
+[  136.616131]  genl_family_rcv_msg_doit+0x100/0x160
+[  136.616147]  genl_rcv_msg+0x1b8/0x2c0
+[  136.616156]  ? __pfx_ethnl_default_doit+0x10/0x10
+[  136.616168]  ? __pfx_genl_rcv_msg+0x10/0x10
+[  136.616176]  netlink_rcv_skb+0x58/0x110
+[  136.616186]  genl_rcv+0x28/0x40
+[  136.616195]  netlink_unicast+0x19b/0x290
+[  136.616206]  netlink_sendmsg+0x222/0x490
+[  136.616215]  __sys_sendto+0x1fd/0x210
+[  136.616233]  __x64_sys_sendto+0x24/0x30
+[  136.616242]  do_syscall_64+0x82/0x160
+[  136.616252]  ? __sys_recvmsg+0x83/0xe0
+[  136.616265]  ? syscall_exit_to_user_mode+0x10/0x210
+[  136.616275]  ? do_syscall_64+0x8e/0x160
+[  136.616282]  ? __count_memcg_events+0xa1/0x130
+[  136.616295]  ? count_memcg_events.constprop.0+0x1a/0x30
+[  136.616306]  ? handle_mm_fault+0xae/0x2d0
+[  136.616319]  ? do_user_addr_fault+0x379/0x670
+[  136.616328]  ? clear_bhb_loop+0x45/0xa0
+[  136.616340]  ? clear_bhb_loop+0x45/0xa0
+[  136.616349]  ? clear_bhb_loop+0x45/0xa0
+[  136.616359]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
+[  136.616369] RIP: 0033:0x7fd30ba7b047
+[  136.616376] Code: 0c 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 80 3d bd d5 0c 00 00 41 89 ca 74 10 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 71 c3 55 48 83 ec 30 44 89 4c 24 2c 4c 89 44
+[  136.616381] RSP: 002b:00007ffde1796d68 EFLAGS: 00000202 ORIG_RAX: 000000000000002c
+[  136.616388] RAX: ffffffffffffffda RBX: 000055d7bd89f2a0 RCX: 00007fd30ba7b047
+[  136.616392] RDX: 0000000000000028 RSI: 000055d7bd89f3b0 RDI: 0000000000000003
+[  136.616396] RBP: 00007ffde1796e10 R08: 00007fd30bb4e200 R09: 000000000000000c
+[  136.616399] R10: 0000000000000000 R11: 0000000000000202 R12: 000055d7bd89f340
+[  136.616403] R13: 000055d7bd89f3b0 R14: 000055d78943f200 R15: 0000000000000000
+
+Fixes: 02cbfba1add5 ("idpf: add ethtool callbacks")
+Reviewed-by: Ahmed Zaki <ahmed.zaki@intel.com>
+Signed-off-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Samuel Salin <Samuel.salin@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/idpf/idpf_ethtool.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/idpf/idpf_ethtool.c b/drivers/net/ethernet/intel/idpf/idpf_ethtool.c
+index 59b1a1a099967..f72420cf68216 100644
+--- a/drivers/net/ethernet/intel/idpf/idpf_ethtool.c
++++ b/drivers/net/ethernet/intel/idpf/idpf_ethtool.c
+@@ -46,7 +46,7 @@ static u32 idpf_get_rxfh_key_size(struct net_device *netdev)
+       struct idpf_vport_user_config_data *user_config;
+       if (!idpf_is_cap_ena_all(np->adapter, IDPF_RSS_CAPS, IDPF_CAP_RSS))
+-              return -EOPNOTSUPP;
++              return 0;
+       user_config = &np->adapter->vport_config[np->vport_idx]->user_config;
+@@ -65,7 +65,7 @@ static u32 idpf_get_rxfh_indir_size(struct net_device *netdev)
+       struct idpf_vport_user_config_data *user_config;
+       if (!idpf_is_cap_ena_all(np->adapter, IDPF_RSS_CAPS, IDPF_CAP_RSS))
+-              return -EOPNOTSUPP;
++              return 0;
+       user_config = &np->adapter->vport_config[np->vport_idx]->user_config;
+-- 
+2.39.5
+
diff --git a/queue-6.15/igc-disable-l1.2-pci-e-link-substate-to-avoid-perfor.patch b/queue-6.15/igc-disable-l1.2-pci-e-link-substate-to-avoid-perfor.patch
new file mode 100644 (file)
index 0000000..4ffc63a
--- /dev/null
@@ -0,0 +1,66 @@
+From 89ec734a1da7c4cb45107b21daf2a5b8032979db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 15:52:54 +0300
+Subject: igc: disable L1.2 PCI-E link substate to avoid performance issue
+
+From: Vitaly Lifshits <vitaly.lifshits@intel.com>
+
+[ Upstream commit 0325143b59c6c6d79987afc57d2456e7a20d13b7 ]
+
+I226 devices advertise support for the PCI-E link L1.2 substate. However,
+due to a hardware limitation, the exit latency from this low-power state
+is longer than the packet buffer can tolerate under high traffic
+conditions. This can lead to packet loss and degraded performance.
+
+To mitigate this, disable the L1.2 substate. The increased power draw
+between L1.1 and L1.2 is insignificant.
+
+Fixes: 43546211738e ("igc: Add new device ID's")
+Link: https://lore.kernel.org/intel-wired-lan/15248b4f-3271-42dd-8e35-02bfc92b25e1@intel.com
+Signed-off-by: Vitaly Lifshits <vitaly.lifshits@intel.com>
+Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
+Tested-by: Mor Bar-Gabay <morx.bar.gabay@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index b1669d7cf4359..7d8cc783b2282 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -7046,6 +7046,10 @@ static int igc_probe(struct pci_dev *pdev,
+       adapter->port_num = hw->bus.func;
+       adapter->msg_enable = netif_msg_init(debug, DEFAULT_MSG_ENABLE);
++      /* Disable ASPM L1.2 on I226 devices to avoid packet loss */
++      if (igc_is_device_id_i226(hw))
++              pci_disable_link_state(pdev, PCIE_LINK_STATE_L1_2);
++
+       err = pci_save_state(pdev);
+       if (err)
+               goto err_ioremap;
+@@ -7426,6 +7430,9 @@ static int __igc_resume(struct device *dev, bool rpm)
+       pci_enable_wake(pdev, PCI_D3hot, 0);
+       pci_enable_wake(pdev, PCI_D3cold, 0);
++      if (igc_is_device_id_i226(hw))
++              pci_disable_link_state(pdev, PCIE_LINK_STATE_L1_2);
++
+       if (igc_init_interrupt_scheme(adapter, true)) {
+               netdev_err(netdev, "Unable to allocate memory for queues\n");
+               return -ENOMEM;
+@@ -7551,6 +7558,9 @@ static pci_ers_result_t igc_io_slot_reset(struct pci_dev *pdev)
+               pci_enable_wake(pdev, PCI_D3hot, 0);
+               pci_enable_wake(pdev, PCI_D3cold, 0);
++              if (igc_is_device_id_i226(hw))
++                      pci_disable_link_state_locked(pdev, PCIE_LINK_STATE_L1_2);
++
+               /* In case of PCI error, adapter loses its HW address
+                * so we should re-assign it here.
+                */
+-- 
+2.39.5
+
diff --git a/queue-6.15/lib-test_objagg-set-error-message-in-check_expect_hi.patch b/queue-6.15/lib-test_objagg-set-error-message-in-check_expect_hi.patch
new file mode 100644 (file)
index 0000000..4f87f5b
--- /dev/null
@@ -0,0 +1,50 @@
+From 9169070f8a73ef54f34f9cdbdf619a8236fbef2b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 14:36:40 -0500
+Subject: lib: test_objagg: Set error message in check_expect_hints_stats()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit e6ed134a4ef592fe1fd0cafac9683813b3c8f3e8 ]
+
+Smatch complains that the error message isn't set in the caller:
+
+    lib/test_objagg.c:923 test_hints_case2()
+    error: uninitialized symbol 'errmsg'.
+
+This static checker warning only showed up after a recent refactoring
+but the bug dates back to when the code was originally added.  This
+likely doesn't affect anything in real life.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/r/202506281403.DsuyHFTZ-lkp@intel.com/
+Fixes: 0a020d416d0a ("lib: introduce initial implementation of object aggregation manager")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/8548f423-2e3b-4bb7-b816-5041de2762aa@sabinyo.mountain
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/test_objagg.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/test_objagg.c b/lib/test_objagg.c
+index d34df4306b874..222b39fc2629e 100644
+--- a/lib/test_objagg.c
++++ b/lib/test_objagg.c
+@@ -899,8 +899,10 @@ static int check_expect_hints_stats(struct objagg_hints *objagg_hints,
+       int err;
+       stats = objagg_hints_stats_get(objagg_hints);
+-      if (IS_ERR(stats))
++      if (IS_ERR(stats)) {
++              *errmsg = "objagg_hints_stats_get() failed.";
+               return PTR_ERR(stats);
++      }
+       err = __check_expect_stats(stats, expect_stats, errmsg);
+       objagg_stats_put(stats);
+       return err;
+-- 
+2.39.5
+
diff --git a/queue-6.15/module-provide-export_symbol_gpl_for_modules-helper.patch b/queue-6.15/module-provide-export_symbol_gpl_for_modules-helper.patch
new file mode 100644 (file)
index 0000000..3fde723
--- /dev/null
@@ -0,0 +1,110 @@
+From 7edbf0d1181068b6369c3d886149b41bbb881c4c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 May 2025 16:12:09 +0200
+Subject: module: Provide EXPORT_SYMBOL_GPL_FOR_MODULES() helper
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit 707f853d7fa3ce323a6875487890c213e34d81a0 ]
+
+Helper macro to more easily limit the export of a symbol to a given
+list of modules.
+
+Eg:
+
+  EXPORT_SYMBOL_GPL_FOR_MODULES(preempt_notifier_inc, "kvm");
+
+will limit the use of said function to kvm.ko, any other module trying
+to use this symbol will refure to load (and get modpost build
+failures).
+
+Requested-by: Masahiro Yamada <masahiroy@kernel.org>
+Requested-by: Christoph Hellwig <hch@infradead.org>
+Signed-off-by: Peter Zijlstra <peterz@infradead.org>
+Reviewed-by: Petr Pavlu <petr.pavlu@suse.com>
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Stable-dep-of: cbe4134ea4bc ("fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/core-api/symbol-namespaces.rst | 22 ++++++++++++++++++++
+ include/linux/export.h                       | 12 +++++++++--
+ 2 files changed, 32 insertions(+), 2 deletions(-)
+
+diff --git a/Documentation/core-api/symbol-namespaces.rst b/Documentation/core-api/symbol-namespaces.rst
+index 06f766a6aab24..c6f59c5e25648 100644
+--- a/Documentation/core-api/symbol-namespaces.rst
++++ b/Documentation/core-api/symbol-namespaces.rst
+@@ -28,6 +28,9 @@ kernel. As of today, modules that make use of symbols exported into namespaces,
+ are required to import the namespace. Otherwise the kernel will, depending on
+ its configuration, reject loading the module or warn about a missing import.
++Additionally, it is possible to put symbols into a module namespace, strictly
++limiting which modules are allowed to use these symbols.
++
+ 2. How to define Symbol Namespaces
+ ==================================
+@@ -83,6 +86,22 @@ unit as preprocessor statement. The above example would then read::
+ within the corresponding compilation unit before the #include for
+ <linux/export.h>. Typically it's placed before the first #include statement.
++2.3 Using the EXPORT_SYMBOL_GPL_FOR_MODULES() macro
++===================================================
++
++Symbols exported using this macro are put into a module namespace. This
++namespace cannot be imported.
++
++The macro takes a comma separated list of module names, allowing only those
++modules to access this symbol. Simple tail-globs are supported.
++
++For example:
++
++  EXPORT_SYMBOL_GPL_FOR_MODULES(preempt_notifier_inc, "kvm,kvm-*")
++
++will limit usage of this symbol to modules whoes name matches the given
++patterns.
++
+ 3. How to use Symbols exported in Namespaces
+ ============================================
+@@ -154,3 +173,6 @@ in-tree modules::
+ You can also run nsdeps for external module builds. A typical usage is::
+       $ make -C <path_to_kernel_src> M=$PWD nsdeps
++
++Note: it will happily generate an import statement for the module namespace;
++which will not work and generates build and runtime failures.
+diff --git a/include/linux/export.h b/include/linux/export.h
+index a8c23d945634b..f35d03b4113b1 100644
+--- a/include/linux/export.h
++++ b/include/linux/export.h
+@@ -24,11 +24,17 @@
+       .long sym
+ #endif
+-#define ___EXPORT_SYMBOL(sym, license, ns)            \
++/*
++ * LLVM integrated assembler cam merge adjacent string literals (like
++ * C and GNU-as) passed to '.ascii', but not to '.asciz' and chokes on:
++ *
++ *   .asciz "MODULE_" "kvm" ;
++ */
++#define ___EXPORT_SYMBOL(sym, license, ns...)         \
+       .section ".export_symbol","a"           ASM_NL  \
+       __export_symbol_##sym:                  ASM_NL  \
+               .asciz license                  ASM_NL  \
+-              .asciz ns                       ASM_NL  \
++              .ascii ns "\0"                  ASM_NL  \
+               __EXPORT_SYMBOL_REF(sym)        ASM_NL  \
+       .previous
+@@ -85,4 +91,6 @@
+ #define EXPORT_SYMBOL_NS(sym, ns)     __EXPORT_SYMBOL(sym, "", ns)
+ #define EXPORT_SYMBOL_NS_GPL(sym, ns) __EXPORT_SYMBOL(sym, "GPL", ns)
++#define EXPORT_SYMBOL_GPL_FOR_MODULES(sym, mods) __EXPORT_SYMBOL(sym, "GPL", "module:" mods)
++
+ #endif /* _LINUX_EXPORT_H */
+-- 
+2.39.5
+
diff --git a/queue-6.15/mtd-spinand-fix-memory-leak-of-ecc-engine-conf.patch b/queue-6.15/mtd-spinand-fix-memory-leak-of-ecc-engine-conf.patch
new file mode 100644 (file)
index 0000000..d92f19d
--- /dev/null
@@ -0,0 +1,59 @@
+From 10bb6b3d5d530c509870cabf37db373076bae563 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 13:35:16 +0200
+Subject: mtd: spinand: fix memory leak of ECC engine conf
+
+From: Pablo Martin-Gomez <pmartin-gomez@freebox.fr>
+
+[ Upstream commit 6463cbe08b0cbf9bba8763306764f5fd643023e1 ]
+
+Memory allocated for the ECC engine conf is not released during spinand
+cleanup. Below kmemleak trace is seen for this memory leak:
+
+unreferenced object 0xffffff80064f00e0 (size 8):
+  comm "swapper/0", pid 1, jiffies 4294937458
+  hex dump (first 8 bytes):
+    00 00 00 00 00 00 00 00                          ........
+  backtrace (crc 0):
+    kmemleak_alloc+0x30/0x40
+    __kmalloc_cache_noprof+0x208/0x3c0
+    spinand_ondie_ecc_init_ctx+0x114/0x200
+    nand_ecc_init_ctx+0x70/0xa8
+    nanddev_ecc_engine_init+0xec/0x27c
+    spinand_probe+0xa2c/0x1620
+    spi_mem_probe+0x130/0x21c
+    spi_probe+0xf0/0x170
+    really_probe+0x17c/0x6e8
+    __driver_probe_device+0x17c/0x21c
+    driver_probe_device+0x58/0x180
+    __device_attach_driver+0x15c/0x1f8
+    bus_for_each_drv+0xec/0x150
+    __device_attach+0x188/0x24c
+    device_initial_probe+0x10/0x20
+    bus_probe_device+0x11c/0x160
+
+Fix the leak by calling nanddev_ecc_engine_cleanup() inside
+spinand_cleanup().
+
+Signed-off-by: Pablo Martin-Gomez <pmartin-gomez@freebox.fr>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/nand/spi/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/mtd/nand/spi/core.c b/drivers/mtd/nand/spi/core.c
+index d16e42cf8faeb..303aede6e5aa4 100644
+--- a/drivers/mtd/nand/spi/core.c
++++ b/drivers/mtd/nand/spi/core.c
+@@ -1585,6 +1585,7 @@ static void spinand_cleanup(struct spinand_device *spinand)
+ {
+       struct nand_device *nand = spinand_to_nand(spinand);
++      nanddev_ecc_engine_cleanup(nand);
+       nanddev_cleanup(nand);
+       spinand_manufacturer_cleanup(spinand);
+       kfree(spinand->databuf);
+-- 
+2.39.5
+
diff --git a/queue-6.15/net-ipv4-fix-stat-increase-when-udp-early-demux-drop.patch b/queue-6.15/net-ipv4-fix-stat-increase-when-udp-early-demux-drop.patch
new file mode 100644 (file)
index 0000000..58c1d7d
--- /dev/null
@@ -0,0 +1,60 @@
+From bc98ce92823efa9a6e7b450a34a46fa274b0b505 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 09:49:34 +0200
+Subject: net: ipv4: fix stat increase when udp early demux drops the packet
+
+From: Antoine Tenart <atenart@kernel.org>
+
+[ Upstream commit c2a2ff6b4db55647575260bf2227b0e09d46addb ]
+
+udp_v4_early_demux now returns drop reasons as it either returns 0 or
+ip_mc_validate_source, which returns itself a drop reason. However its
+use was not converted in ip_rcv_finish_core and the drop reason is
+ignored, leading to potentially skipping increasing LINUX_MIB_IPRPFILTER
+if the drop reason is SKB_DROP_REASON_IP_RPFILTER.
+
+This is a fix and we're not converting udp_v4_early_demux to explicitly
+return a drop reason to ease backports; this can be done as a follow-up.
+
+Fixes: d46f827016d8 ("net: ip: make ip_mc_validate_source() return drop reason")
+Cc: Menglong Dong <menglong8.dong@gmail.com>
+Reported-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: Antoine Tenart <atenart@kernel.org>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Link: https://patch.msgid.link/20250701074935.144134-1-atenart@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/ip_input.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
+index 30a5e9460d006..5a49eb99e5c48 100644
+--- a/net/ipv4/ip_input.c
++++ b/net/ipv4/ip_input.c
+@@ -319,8 +319,8 @@ static int ip_rcv_finish_core(struct net *net,
+                             const struct sk_buff *hint)
+ {
+       const struct iphdr *iph = ip_hdr(skb);
+-      int err, drop_reason;
+       struct rtable *rt;
++      int drop_reason;
+       if (ip_can_use_hint(skb, iph, hint)) {
+               drop_reason = ip_route_use_hint(skb, iph->daddr, iph->saddr,
+@@ -345,9 +345,10 @@ static int ip_rcv_finish_core(struct net *net,
+                       break;
+               case IPPROTO_UDP:
+                       if (READ_ONCE(net->ipv4.sysctl_udp_early_demux)) {
+-                              err = udp_v4_early_demux(skb);
+-                              if (unlikely(err))
++                              drop_reason = udp_v4_early_demux(skb);
++                              if (unlikely(drop_reason))
+                                       goto drop_error;
++                              drop_reason = SKB_DROP_REASON_NOT_SPECIFIED;
+                               /* must reload iph, skb->head might have changed */
+                               iph = ip_hdr(skb);
+-- 
+2.39.5
+
diff --git a/queue-6.15/net-sched-always-pass-notifications-when-child-class.patch b/queue-6.15/net-sched-always-pass-notifications-when-child-class.patch
new file mode 100644 (file)
index 0000000..997a399
--- /dev/null
@@ -0,0 +1,109 @@
+From fbdf56739a622d95de1c828057ecd7335f41499e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 15:27:30 +0200
+Subject: net/sched: Always pass notifications when child class becomes empty
+
+From: Lion Ackermann <nnamrec@gmail.com>
+
+[ Upstream commit 103406b38c600fec1fe375a77b27d87e314aea09 ]
+
+Certain classful qdiscs may invoke their classes' dequeue handler on an
+enqueue operation. This may unexpectedly empty the child qdisc and thus
+make an in-flight class passive via qlen_notify(). Most qdiscs do not
+expect such behaviour at this point in time and may re-activate the
+class eventually anyways which will lead to a use-after-free.
+
+The referenced fix commit attempted to fix this behavior for the HFSC
+case by moving the backlog accounting around, though this turned out to
+be incomplete since the parent's parent may run into the issue too.
+The following reproducer demonstrates this use-after-free:
+
+    tc qdisc add dev lo root handle 1: drr
+    tc filter add dev lo parent 1: basic classid 1:1
+    tc class add dev lo parent 1: classid 1:1 drr
+    tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1
+    tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0
+    tc qdisc add dev lo parent 2:1 handle 3: netem
+    tc qdisc add dev lo parent 3:1 handle 4: blackhole
+
+    echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888
+    tc class delete dev lo classid 1:1
+    echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888
+
+Since backlog accounting issues leading to a use-after-frees on stale
+class pointers is a recurring pattern at this point, this patch takes
+a different approach. Instead of trying to fix the accounting, the patch
+ensures that qdisc_tree_reduce_backlog always calls qlen_notify when
+the child qdisc is empty. This solves the problem because deletion of
+qdiscs always involves a call to qdisc_reset() and / or
+qdisc_purge_queue() which ultimately resets its qlen to 0 thus causing
+the following qdisc_tree_reduce_backlog() to report to the parent. Note
+that this may call qlen_notify on passive classes multiple times. This
+is not a problem after the recent patch series that made all the
+classful qdiscs qlen_notify() handlers idempotent.
+
+Fixes: 3f981138109f ("sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue()")
+Signed-off-by: Lion Ackermann <nnamrec@gmail.com>
+Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
+Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Link: https://patch.msgid.link/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_api.c | 19 +++++--------------
+ 1 file changed, 5 insertions(+), 14 deletions(-)
+
+diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
+index f74a097f54ae7..d58921ffcf35e 100644
+--- a/net/sched/sch_api.c
++++ b/net/sched/sch_api.c
+@@ -779,15 +779,12 @@ static u32 qdisc_alloc_handle(struct net_device *dev)
+ void qdisc_tree_reduce_backlog(struct Qdisc *sch, int n, int len)
+ {
+-      bool qdisc_is_offloaded = sch->flags & TCQ_F_OFFLOADED;
+       const struct Qdisc_class_ops *cops;
+       unsigned long cl;
+       u32 parentid;
+       bool notify;
+       int drops;
+-      if (n == 0 && len == 0)
+-              return;
+       drops = max_t(int, n, 0);
+       rcu_read_lock();
+       while ((parentid = sch->parent)) {
+@@ -796,17 +793,8 @@ void qdisc_tree_reduce_backlog(struct Qdisc *sch, int n, int len)
+               if (sch->flags & TCQ_F_NOPARENT)
+                       break;
+-              /* Notify parent qdisc only if child qdisc becomes empty.
+-               *
+-               * If child was empty even before update then backlog
+-               * counter is screwed and we skip notification because
+-               * parent class is already passive.
+-               *
+-               * If the original child was offloaded then it is allowed
+-               * to be seem as empty, so the parent is notified anyway.
+-               */
+-              notify = !sch->q.qlen && !WARN_ON_ONCE(!n &&
+-                                                     !qdisc_is_offloaded);
++              /* Notify parent qdisc only if child qdisc becomes empty. */
++              notify = !sch->q.qlen;
+               /* TODO: perform the search on a per txq basis */
+               sch = qdisc_lookup_rcu(qdisc_dev(sch), TC_H_MAJ(parentid));
+               if (sch == NULL) {
+@@ -815,6 +803,9 @@ void qdisc_tree_reduce_backlog(struct Qdisc *sch, int n, int len)
+               }
+               cops = sch->ops->cl_ops;
+               if (notify && cops->qlen_notify) {
++                      /* Note that qlen_notify must be idempotent as it may get called
++                       * multiple times.
++                       */
+                       cl = cops->find(sch, parentid);
+                       cops->qlen_notify(sch, cl);
+               }
+-- 
+2.39.5
+
diff --git a/queue-6.15/net-usb-lan78xx-fix-warn-in-__netif_napi_del_locked-.patch b/queue-6.15/net-usb-lan78xx-fix-warn-in-__netif_napi_del_locked-.patch
new file mode 100644 (file)
index 0000000..5c0293f
--- /dev/null
@@ -0,0 +1,96 @@
+From f224950f48ae2fa921f941b2c9ffc1b146057f77 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 07:13:46 +0200
+Subject: net: usb: lan78xx: fix WARN in __netif_napi_del_locked on disconnect
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+[ Upstream commit 6c7ffc9af7186ed79403a3ffee9a1e5199fc7450 ]
+
+Remove redundant netif_napi_del() call from disconnect path.
+
+A WARN may be triggered in __netif_napi_del_locked() during USB device
+disconnect:
+
+  WARNING: CPU: 0 PID: 11 at net/core/dev.c:7417 __netif_napi_del_locked+0x2b4/0x350
+
+This happens because netif_napi_del() is called in the disconnect path while
+NAPI is still enabled. However, it is not necessary to call netif_napi_del()
+explicitly, since unregister_netdev() will handle NAPI teardown automatically
+and safely. Removing the redundant call avoids triggering the warning.
+
+Full trace:
+ lan78xx 1-1:1.0 enu1: Failed to read register index 0x000000c4. ret = -ENODEV
+ lan78xx 1-1:1.0 enu1: Failed to set MAC down with error -ENODEV
+ lan78xx 1-1:1.0 enu1: Link is Down
+ lan78xx 1-1:1.0 enu1: Failed to read register index 0x00000120. ret = -ENODEV
+ ------------[ cut here ]------------
+ WARNING: CPU: 0 PID: 11 at net/core/dev.c:7417 __netif_napi_del_locked+0x2b4/0x350
+ Modules linked in: flexcan can_dev fuse
+ CPU: 0 UID: 0 PID: 11 Comm: kworker/0:1 Not tainted 6.16.0-rc2-00624-ge926949dab03 #9 PREEMPT
+ Hardware name: SKOV IMX8MP CPU revC - bd500 (DT)
+ Workqueue: usb_hub_wq hub_event
+ pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : __netif_napi_del_locked+0x2b4/0x350
+ lr : __netif_napi_del_locked+0x7c/0x350
+ sp : ffffffc085b673c0
+ x29: ffffffc085b673c0 x28: ffffff800b7f2000 x27: ffffff800b7f20d8
+ x26: ffffff80110bcf58 x25: ffffff80110bd978 x24: 1ffffff0022179eb
+ x23: ffffff80110bc000 x22: ffffff800b7f5000 x21: ffffff80110bc000
+ x20: ffffff80110bcf38 x19: ffffff80110bcf28 x18: dfffffc000000000
+ x17: ffffffc081578940 x16: ffffffc08284cee0 x15: 0000000000000028
+ x14: 0000000000000006 x13: 0000000000040000 x12: ffffffb0022179e8
+ x11: 1ffffff0022179e7 x10: ffffffb0022179e7 x9 : dfffffc000000000
+ x8 : 0000004ffdde8619 x7 : ffffff80110bcf3f x6 : 0000000000000001
+ x5 : ffffff80110bcf38 x4 : ffffff80110bcf38 x3 : 0000000000000000
+ x2 : 0000000000000000 x1 : 1ffffff0022179e7 x0 : 0000000000000000
+ Call trace:
+  __netif_napi_del_locked+0x2b4/0x350 (P)
+  lan78xx_disconnect+0xf4/0x360
+  usb_unbind_interface+0x158/0x718
+  device_remove+0x100/0x150
+  device_release_driver_internal+0x308/0x478
+  device_release_driver+0x1c/0x30
+  bus_remove_device+0x1a8/0x368
+  device_del+0x2e0/0x7b0
+  usb_disable_device+0x244/0x540
+  usb_disconnect+0x220/0x758
+  hub_event+0x105c/0x35e0
+  process_one_work+0x760/0x17b0
+  worker_thread+0x768/0xce8
+  kthread+0x3bc/0x690
+  ret_from_fork+0x10/0x20
+ irq event stamp: 211604
+ hardirqs last  enabled at (211603): [<ffffffc0828cc9ec>] _raw_spin_unlock_irqrestore+0x84/0x98
+ hardirqs last disabled at (211604): [<ffffffc0828a9a84>] el1_dbg+0x24/0x80
+ softirqs last  enabled at (211296): [<ffffffc080095f10>] handle_softirqs+0x820/0xbc8
+ softirqs last disabled at (210993): [<ffffffc080010288>] __do_softirq+0x18/0x20
+ ---[ end trace 0000000000000000 ]---
+ lan78xx 1-1:1.0 enu1: failed to kill vid 0081/0
+
+Fixes: ec4c7e12396b ("lan78xx: Introduce NAPI polling support")
+Suggested-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: https://patch.msgid.link/20250627051346.276029-1-o.rempel@pengutronix.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/lan78xx.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
+index e4f1663b62047..5f014b8626853 100644
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -4344,8 +4344,6 @@ static void lan78xx_disconnect(struct usb_interface *intf)
+       if (!dev)
+               return;
+-      netif_napi_del(&dev->napi);
+-
+       udev = interface_to_usbdev(intf);
+       net = dev->net;
+-- 
+2.39.5
+
diff --git a/queue-6.15/netfs-fix-double-put-of-request.patch b/queue-6.15/netfs-fix-double-put-of-request.patch
new file mode 100644 (file)
index 0000000..c448cbf
--- /dev/null
@@ -0,0 +1,86 @@
+From a4ed508c6a2a97ab6318eab7953d224a5929be22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 17:38:37 +0100
+Subject: netfs: Fix double put of request
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 9df7b5ebead649b00bf9a53a798e4bf83a1318fd ]
+
+If a netfs request finishes during the pause loop, it will have the ref
+that belongs to the IN_PROGRESS flag removed at that point - however, if it
+then goes to the final wait loop, that will *also* put the ref because it
+sees that the IN_PROGRESS flag is clear and incorrectly assumes that this
+happened when it called the collector.
+
+In fact, since IN_PROGRESS is clear, we shouldn't call the collector again
+since it's done all the cleanup, such as calling ->ki_complete().
+
+Fix this by making netfs_collect_in_app() just return, indicating that
+we're done if IN_PROGRESS is removed.
+
+Fixes: 2b1424cd131c ("netfs: Fix wait/wake to be consistent about the waitqueue used")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Link: https://lore.kernel.org/20250701163852.2171681-3-dhowells@redhat.com
+Tested-by: Steve French <sfrench@samba.org>
+Reviewed-by: Paulo Alcantara <pc@manguebit.org>
+cc: Steve French <sfrench@samba.org>
+cc: netfs@lists.linux.dev
+cc: linux-fsdevel@vger.kernel.org
+cc: linux-cifs@vger.kernel.org
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/netfs/misc.c              | 9 +++++++--
+ include/trace/events/netfs.h | 1 +
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/fs/netfs/misc.c b/fs/netfs/misc.c
+index d8b1a279dbda9..8b1c11ef32aa5 100644
+--- a/fs/netfs/misc.c
++++ b/fs/netfs/misc.c
+@@ -383,6 +383,11 @@ static int netfs_collect_in_app(struct netfs_io_request *rreq,
+ {
+       bool need_collect = false, inactive = true, done = true;
++      if (!test_bit(NETFS_RREQ_IN_PROGRESS, &rreq->flags)) {
++              trace_netfs_rreq(rreq, netfs_rreq_trace_recollect);
++              return 1; /* Done */
++      }
++
+       for (int i = 0; i < NR_IO_STREAMS; i++) {
+               struct netfs_io_subrequest *subreq;
+               struct netfs_io_stream *stream = &rreq->io_streams[i];
+@@ -442,7 +447,7 @@ static ssize_t netfs_wait_for_in_progress(struct netfs_io_request *rreq,
+                       case 1:
+                               goto all_collected;
+                       case 2:
+-                              if (!netfs_check_rreq_in_progress(rreq))
++                              if (!test_bit(NETFS_RREQ_IN_PROGRESS, &rreq->flags))
+                                       break;
+                               cond_resched();
+                               continue;
+@@ -512,7 +517,7 @@ static void netfs_wait_for_pause(struct netfs_io_request *rreq,
+                       case 1:
+                               goto all_collected;
+                       case 2:
+-                              if (!netfs_check_rreq_in_progress(rreq) ||
++                              if (!test_bit(NETFS_RREQ_IN_PROGRESS, &rreq->flags) ||
+                                   !test_bit(NETFS_RREQ_PAUSE, &rreq->flags))
+                                       break;
+                               cond_resched();
+diff --git a/include/trace/events/netfs.h b/include/trace/events/netfs.h
+index 4175eec40048a..ecc1b852661e3 100644
+--- a/include/trace/events/netfs.h
++++ b/include/trace/events/netfs.h
+@@ -56,6 +56,7 @@
+       EM(netfs_rreq_trace_dirty,              "DIRTY  ")      \
+       EM(netfs_rreq_trace_done,               "DONE   ")      \
+       EM(netfs_rreq_trace_free,               "FREE   ")      \
++      EM(netfs_rreq_trace_recollect,          "RECLLCT")      \
+       EM(netfs_rreq_trace_redirty,            "REDIRTY")      \
+       EM(netfs_rreq_trace_resubmit,           "RESUBMT")      \
+       EM(netfs_rreq_trace_set_abandon,        "S-ABNDN")      \
+-- 
+2.39.5
+
diff --git a/queue-6.15/netfs-fix-hang-due-to-missing-case-in-final-dio-read.patch b/queue-6.15/netfs-fix-hang-due-to-missing-case-in-final-dio-read.patch
new file mode 100644 (file)
index 0000000..2ec1423
--- /dev/null
@@ -0,0 +1,79 @@
+From d1f14be026b0f656f25aa96173bf700a952be41d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 17:38:36 +0100
+Subject: netfs: Fix hang due to missing case in final DIO read result
+ collection
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit da8cf4bd458722d090a788c6e581eeb72695c62f ]
+
+When doing a DIO read, if the subrequests we issue fail and cause the
+request PAUSE flag to be set to put a pause on subrequest generation, we
+may complete collection of the subrequests (possibly discarding them) prior
+to the ALL_QUEUED flags being set.
+
+In such a case, netfs_read_collection() doesn't see ALL_QUEUED being set
+after netfs_collect_read_results() returns and will just return to the app
+(the collector can be seen unpausing the generator in the trace log).
+
+The subrequest generator can then set ALL_QUEUED and the app thread reaches
+netfs_wait_for_request().  This causes netfs_collect_in_app() to be called
+to see if we're done yet, but there's missing case here.
+
+netfs_collect_in_app() will see that a thread is active and set inactive to
+false, but won't see any subrequests in the read stream, and so won't set
+need_collect to true.  The function will then just return 0, indicating
+that the caller should just sleep until further activity (which won't be
+forthcoming) occurs.
+
+Fix this by making netfs_collect_in_app() check to see if an active thread
+is complete - i.e. that ALL_QUEUED is set and the subrequests list is empty
+- and to skip the sleep return path.  The collector will then be called
+which will clear the request IN_PROGRESS flag, allowing the app to
+progress.
+
+Fixes: 2b1424cd131c ("netfs: Fix wait/wake to be consistent about the waitqueue used")
+Reported-by: Steve French <sfrench@samba.org>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Link: https://lore.kernel.org/20250701163852.2171681-2-dhowells@redhat.com
+Tested-by: Steve French <sfrench@samba.org>
+Reviewed-by: Paulo Alcantara <pc@manguebit.org>
+cc: linux-cifs@vger.kernel.org
+cc: netfs@lists.linux.dev
+cc: linux-fsdevel@vger.kernel.org
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/netfs/misc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/fs/netfs/misc.c b/fs/netfs/misc.c
+index 43b67a28a8fa0..0a54b12034868 100644
+--- a/fs/netfs/misc.c
++++ b/fs/netfs/misc.c
+@@ -381,7 +381,7 @@ void netfs_wait_for_in_progress_stream(struct netfs_io_request *rreq,
+ static int netfs_collect_in_app(struct netfs_io_request *rreq,
+                               bool (*collector)(struct netfs_io_request *rreq))
+ {
+-      bool need_collect = false, inactive = true;
++      bool need_collect = false, inactive = true, done = true;
+       for (int i = 0; i < NR_IO_STREAMS; i++) {
+               struct netfs_io_subrequest *subreq;
+@@ -400,9 +400,11 @@ static int netfs_collect_in_app(struct netfs_io_request *rreq,
+                       need_collect = true;
+                       break;
+               }
++              if (subreq || !test_bit(NETFS_RREQ_ALL_QUEUED, &rreq->flags))
++                      done = false;
+       }
+-      if (!need_collect && !inactive)
++      if (!need_collect && !inactive && !done)
+               return 0; /* Sleep */
+       __set_current_state(TASK_RUNNING);
+-- 
+2.39.5
+
diff --git a/queue-6.15/netfs-fix-i_size-updating.patch b/queue-6.15/netfs-fix-i_size-updating.patch
new file mode 100644 (file)
index 0000000..94fd48b
--- /dev/null
@@ -0,0 +1,86 @@
+From 93c34854601d7a7ada0c3993dd9c41783532b919 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 17:38:45 +0100
+Subject: netfs: Fix i_size updating
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 2e0658940d90a3dc130bb3b7f75bae9f4100e01f ]
+
+Fix the updating of i_size, particularly in regard to the completion of DIO
+writes and especially async DIO writes by using a lock.
+
+The bug is triggered occasionally by the generic/207 xfstest as it chucks a
+bunch of AIO DIO writes at the filesystem and then checks that fstat()
+returns a reasonable st_size as each completes.
+
+The problem is that netfs is trying to do "if new_size > inode->i_size,
+update inode->i_size" sort of thing but without a lock around it.
+
+This can be seen with cifs, but shouldn't be seen with kafs because kafs
+serialises modification ops on the client whereas cifs sends the requests
+to the server as they're generated and lets the server order them.
+
+Fixes: 153a9961b551 ("netfs: Implement unbuffered/DIO write support")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Link: https://lore.kernel.org/20250701163852.2171681-11-dhowells@redhat.com
+Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+cc: Steve French <sfrench@samba.org>
+cc: Paulo Alcantara <pc@manguebit.org>
+cc: linux-cifs@vger.kernel.org
+cc: netfs@lists.linux.dev
+cc: linux-fsdevel@vger.kernel.org
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/netfs/buffered_write.c | 2 ++
+ fs/netfs/direct_write.c   | 8 ++++++--
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/fs/netfs/buffered_write.c b/fs/netfs/buffered_write.c
+index dbb544e183d13..9f22ff890a8cd 100644
+--- a/fs/netfs/buffered_write.c
++++ b/fs/netfs/buffered_write.c
+@@ -64,6 +64,7 @@ static void netfs_update_i_size(struct netfs_inode *ctx, struct inode *inode,
+               return;
+       }
++      spin_lock(&inode->i_lock);
+       i_size_write(inode, pos);
+ #if IS_ENABLED(CONFIG_FSCACHE)
+       fscache_update_cookie(ctx->cache, NULL, &pos);
+@@ -77,6 +78,7 @@ static void netfs_update_i_size(struct netfs_inode *ctx, struct inode *inode,
+                                       DIV_ROUND_UP(pos, SECTOR_SIZE),
+                                       inode->i_blocks + add);
+       }
++      spin_unlock(&inode->i_lock);
+ }
+ /**
+diff --git a/fs/netfs/direct_write.c b/fs/netfs/direct_write.c
+index fa9a5bf3c6d51..3efa5894b2c07 100644
+--- a/fs/netfs/direct_write.c
++++ b/fs/netfs/direct_write.c
+@@ -14,13 +14,17 @@ static void netfs_cleanup_dio_write(struct netfs_io_request *wreq)
+       struct inode *inode = wreq->inode;
+       unsigned long long end = wreq->start + wreq->transferred;
+-      if (!wreq->error &&
+-          i_size_read(inode) < end) {
++      if (wreq->error || end <= i_size_read(inode))
++              return;
++
++      spin_lock(&inode->i_lock);
++      if (end > i_size_read(inode)) {
+               if (wreq->netfs_ops->update_i_size)
+                       wreq->netfs_ops->update_i_size(inode, end);
+               else
+                       i_size_write(inode, end);
+       }
++      spin_unlock(&inode->i_lock);
+ }
+ /*
+-- 
+2.39.5
+
diff --git a/queue-6.15/netfs-fix-looping-in-wait-functions.patch b/queue-6.15/netfs-fix-looping-in-wait-functions.patch
new file mode 100644 (file)
index 0000000..395722b
--- /dev/null
@@ -0,0 +1,88 @@
+From 0e7d1bed5de370dd8b9426c7097272d513d97c3b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 17:38:39 +0100
+Subject: netfs: Fix looping in wait functions
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 09623e3a14c1c5465124350cd227457c2b0fb017 ]
+
+netfs_wait_for_request() and netfs_wait_for_pause() can loop forever if
+netfs_collect_in_app() returns 2, indicating that it wants to repeat
+because the ALL_QUEUED flag isn't yet set and there are no subreqs left
+that haven't been collected.
+
+The problem is that, unless collection is offloaded (OFFLOAD_COLLECTION),
+we have to return to the application thread to continue and eventually set
+ALL_QUEUED after pausing to deal with a retry - but we never get there.
+
+Fix this by inserting checks for the IN_PROGRESS and PAUSE flags as
+appropriate before cycling round - and add cond_resched() for good measure.
+
+Fixes: 2b1424cd131c ("netfs: Fix wait/wake to be consistent about the waitqueue used")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Link: https://lore.kernel.org/20250701163852.2171681-5-dhowells@redhat.com
+Tested-by: Steve French <sfrench@samba.org>
+Reviewed-by: Paulo Alcantara <pc@manguebit.org>
+cc: netfs@lists.linux.dev
+cc: linux-fsdevel@vger.kernel.org
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/netfs/misc.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/fs/netfs/misc.c b/fs/netfs/misc.c
+index 0a54b12034868..d8b1a279dbda9 100644
+--- a/fs/netfs/misc.c
++++ b/fs/netfs/misc.c
+@@ -425,8 +425,8 @@ static int netfs_collect_in_app(struct netfs_io_request *rreq,
+ /*
+  * Wait for a request to complete, successfully or otherwise.
+  */
+-static ssize_t netfs_wait_for_request(struct netfs_io_request *rreq,
+-                                    bool (*collector)(struct netfs_io_request *rreq))
++static ssize_t netfs_wait_for_in_progress(struct netfs_io_request *rreq,
++                                        bool (*collector)(struct netfs_io_request *rreq))
+ {
+       DEFINE_WAIT(myself);
+       ssize_t ret;
+@@ -442,6 +442,9 @@ static ssize_t netfs_wait_for_request(struct netfs_io_request *rreq,
+                       case 1:
+                               goto all_collected;
+                       case 2:
++                              if (!netfs_check_rreq_in_progress(rreq))
++                                      break;
++                              cond_resched();
+                               continue;
+                       }
+               }
+@@ -480,12 +483,12 @@ static ssize_t netfs_wait_for_request(struct netfs_io_request *rreq,
+ ssize_t netfs_wait_for_read(struct netfs_io_request *rreq)
+ {
+-      return netfs_wait_for_request(rreq, netfs_read_collection);
++      return netfs_wait_for_in_progress(rreq, netfs_read_collection);
+ }
+ ssize_t netfs_wait_for_write(struct netfs_io_request *rreq)
+ {
+-      return netfs_wait_for_request(rreq, netfs_write_collection);
++      return netfs_wait_for_in_progress(rreq, netfs_write_collection);
+ }
+ /*
+@@ -509,6 +512,10 @@ static void netfs_wait_for_pause(struct netfs_io_request *rreq,
+                       case 1:
+                               goto all_collected;
+                       case 2:
++                              if (!netfs_check_rreq_in_progress(rreq) ||
++                                  !test_bit(NETFS_RREQ_PAUSE, &rreq->flags))
++                                      break;
++                              cond_resched();
+                               continue;
+                       }
+               }
+-- 
+2.39.5
+
diff --git a/queue-6.15/netfs-fix-ref-leak-on-inserted-extra-subreq-in-write.patch b/queue-6.15/netfs-fix-ref-leak-on-inserted-extra-subreq-in-write.patch
new file mode 100644 (file)
index 0000000..82c1002
--- /dev/null
@@ -0,0 +1,49 @@
+From 485ff606f148b501dd8add82035d705fcfb85daf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 17:38:40 +0100
+Subject: netfs: Fix ref leak on inserted extra subreq in write retry
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 97d8e8e52cb8ab3d7675880a92626d9a4332f7a6 ]
+
+The write-retry algorithm will insert extra subrequests into the list if it
+can't get sufficient capacity to split the range that needs to be retried
+into the sequence of subrequests it currently has (for instance, if the
+cifs credit pool has fewer credits available than it did when the range was
+originally divided).
+
+However, the allocator furnishes each new subreq with 2 refs and then
+another is added for resubmission, causing one to be leaked.
+
+Fix this by replacing the ref-getting line with a neutral trace line.
+
+Fixes: 288ace2f57c9 ("netfs: New writeback implementation")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Link: https://lore.kernel.org/20250701163852.2171681-6-dhowells@redhat.com
+Tested-by: Steve French <sfrench@samba.org>
+Reviewed-by: Paulo Alcantara <pc@manguebit.org>
+cc: netfs@lists.linux.dev
+cc: linux-fsdevel@vger.kernel.org
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/netfs/write_retry.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/netfs/write_retry.c b/fs/netfs/write_retry.c
+index 9d1d8a8bab726..7158657061e98 100644
+--- a/fs/netfs/write_retry.c
++++ b/fs/netfs/write_retry.c
+@@ -153,7 +153,7 @@ static void netfs_retry_write_stream(struct netfs_io_request *wreq,
+                       trace_netfs_sreq_ref(wreq->debug_id, subreq->debug_index,
+                                            refcount_read(&subreq->ref),
+                                            netfs_sreq_trace_new);
+-                      netfs_get_subrequest(subreq, netfs_sreq_trace_get_resubmit);
++                      trace_netfs_sreq(subreq, netfs_sreq_trace_split);
+                       list_add(&subreq->rreq_link, &to->rreq_link);
+                       to = list_next_entry(to, rreq_link);
+-- 
+2.39.5
+
diff --git a/queue-6.15/nfs-clean-up-proc-net-rpc-nfs-when-nfs_fs_proc_net_i.patch b/queue-6.15/nfs-clean-up-proc-net-rpc-nfs-when-nfs_fs_proc_net_i.patch
new file mode 100644 (file)
index 0000000..86a2c6f
--- /dev/null
@@ -0,0 +1,139 @@
+From 1860fa5ac2f4ade0aa83177f0856f1b72aae4eef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jun 2025 14:52:50 -0700
+Subject: nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails.
+
+From: Kuniyuki Iwashima <kuniyu@google.com>
+
+[ Upstream commit e8d6f3ab59468e230f3253efe5cb63efa35289f7 ]
+
+syzbot reported a warning below [1] following a fault injection in
+nfs_fs_proc_net_init(). [0]
+
+When nfs_fs_proc_net_init() fails, /proc/net/rpc/nfs is not removed.
+
+Later, rpc_proc_exit() tries to remove /proc/net/rpc, and the warning
+is logged as the directory is not empty.
+
+Let's handle the error of nfs_fs_proc_net_init() properly.
+
+[0]:
+FAULT_INJECTION: forcing a failure.
+name failslab, interval 1, probability 0, space 0, times 0
+CPU: 1 UID: 0 PID: 6120 Comm: syz.2.27 Not tainted 6.16.0-rc1-syzkaller-00010-g2c4a1f3fe03e #0 PREEMPT(full)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
+Call Trace:
+ <TASK>
+  dump_stack_lvl (lib/dump_stack.c:123)
+ should_fail_ex (lib/fault-inject.c:73 lib/fault-inject.c:174)
+ should_failslab (mm/failslab.c:46)
+ kmem_cache_alloc_noprof (mm/slub.c:4178 mm/slub.c:4204)
+ __proc_create (fs/proc/generic.c:427)
+ proc_create_reg (fs/proc/generic.c:554)
+ proc_create_net_data (fs/proc/proc_net.c:120)
+ nfs_fs_proc_net_init (fs/nfs/client.c:1409)
+ nfs_net_init (fs/nfs/inode.c:2600)
+ ops_init (net/core/net_namespace.c:138)
+ setup_net (net/core/net_namespace.c:443)
+ copy_net_ns (net/core/net_namespace.c:576)
+ create_new_namespaces (kernel/nsproxy.c:110)
+ unshare_nsproxy_namespaces (kernel/nsproxy.c:218 (discriminator 4))
+ ksys_unshare (kernel/fork.c:3123)
+ __x64_sys_unshare (kernel/fork.c:3190)
+ do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
+ entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
+ </TASK>
+
+[1]:
+remove_proc_entry: removing non-empty directory 'net/rpc', leaking at least 'nfs'
+ WARNING: CPU: 1 PID: 6120 at fs/proc/generic.c:727 remove_proc_entry+0x45e/0x530 fs/proc/generic.c:727
+Modules linked in:
+CPU: 1 UID: 0 PID: 6120 Comm: syz.2.27 Not tainted 6.16.0-rc1-syzkaller-00010-g2c4a1f3fe03e #0 PREEMPT(full)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
+ RIP: 0010:remove_proc_entry+0x45e/0x530 fs/proc/generic.c:727
+Code: 3c 02 00 0f 85 85 00 00 00 48 8b 93 d8 00 00 00 4d 89 f0 4c 89 e9 48 c7 c6 40 ba a2 8b 48 c7 c7 60 b9 a2 8b e8 33 81 1d ff 90 <0f> 0b 90 90 e9 5f fe ff ff e8 04 69 5e ff 90 48 b8 00 00 00 00 00
+RSP: 0018:ffffc90003637b08 EFLAGS: 00010282
+RAX: 0000000000000000 RBX: ffff88805f534140 RCX: ffffffff817a92c8
+RDX: ffff88807da99e00 RSI: ffffffff817a92d5 RDI: 0000000000000001
+RBP: ffff888033431ac0 R08: 0000000000000001 R09: 0000000000000000
+R10: 0000000000000001 R11: 0000000000000001 R12: ffff888033431a00
+R13: ffff888033431ae4 R14: ffff888033184724 R15: dffffc0000000000
+FS:  0000555580328500(0000) GS:ffff888124a62000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f71733743e0 CR3: 000000007f618000 CR4: 00000000003526f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+  sunrpc_exit_net+0x46/0x90 net/sunrpc/sunrpc_syms.c:76
+  ops_exit_list net/core/net_namespace.c:200 [inline]
+  ops_undo_list+0x2eb/0xab0 net/core/net_namespace.c:253
+  setup_net+0x2e1/0x510 net/core/net_namespace.c:457
+  copy_net_ns+0x2a6/0x5f0 net/core/net_namespace.c:574
+  create_new_namespaces+0x3ea/0xa90 kernel/nsproxy.c:110
+  unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:218
+  ksys_unshare+0x45b/0xa40 kernel/fork.c:3121
+  __do_sys_unshare kernel/fork.c:3192 [inline]
+  __se_sys_unshare kernel/fork.c:3190 [inline]
+  __x64_sys_unshare+0x31/0x40 kernel/fork.c:3190
+  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+  do_syscall_64+0xcd/0x490 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7fa1a6b8e929
+Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fff3a090368 EFLAGS: 00000246 ORIG_RAX: 0000000000000110
+RAX: ffffffffffffffda RBX: 00007fa1a6db5fa0 RCX: 00007fa1a6b8e929
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000040000080
+RBP: 00007fa1a6c10b39 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007fa1a6db5fa0 R14: 00007fa1a6db5fa0 R15: 0000000000000001
+ </TASK>
+
+Fixes: d47151b79e32 ("nfs: expose /proc/net/sunrpc/nfs in net namespaces")
+Reported-by: syzbot+a4cc4ac22daa4a71b87c@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=a4cc4ac22daa4a71b87c
+Tested-by: syzbot+a4cc4ac22daa4a71b87c@syzkaller.appspotmail.com
+Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
+Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/inode.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
+index 8ab7868807a7d..a2fa6bc4d74e3 100644
+--- a/fs/nfs/inode.c
++++ b/fs/nfs/inode.c
+@@ -2589,15 +2589,26 @@ EXPORT_SYMBOL_GPL(nfs_net_id);
+ static int nfs_net_init(struct net *net)
+ {
+       struct nfs_net *nn = net_generic(net, nfs_net_id);
++      int err;
+       nfs_clients_init(net);
+       if (!rpc_proc_register(net, &nn->rpcstats)) {
+-              nfs_clients_exit(net);
+-              return -ENOMEM;
++              err = -ENOMEM;
++              goto err_proc_rpc;
+       }
+-      return nfs_fs_proc_net_init(net);
++      err = nfs_fs_proc_net_init(net);
++      if (err)
++              goto err_proc_nfs;
++
++      return 0;
++
++err_proc_nfs:
++      rpc_proc_unregister(net, "nfs");
++err_proc_rpc:
++      nfs_clients_exit(net);
++      return err;
+ }
+ static void nfs_net_exit(struct net *net)
+-- 
+2.39.5
+
diff --git a/queue-6.15/nfsv4-flexfiles-fix-handling-of-nfs-level-errors-in-.patch b/queue-6.15/nfsv4-flexfiles-fix-handling-of-nfs-level-errors-in-.patch
new file mode 100644 (file)
index 0000000..7ed4543
--- /dev/null
@@ -0,0 +1,250 @@
+From cbd7be1d9ad1dcfe63eadb42e8f1238ed632128e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Jun 2025 15:16:11 -0400
+Subject: NFSv4/flexfiles: Fix handling of NFS level errors in I/O
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit 38074de35b015df5623f524d6f2b49a0cd395c40 ]
+
+Allow the flexfiles error handling to recognise NFS level errors (as
+opposed to RPC level errors) and handle them separately. The main
+motivator is the NFSERR_PERM errors that get returned if the NFS client
+connects to the data server through a port number that is lower than
+1024. In that case, the client should disconnect and retry a READ on a
+different data server, or it should retry a WRITE after reconnecting.
+
+Reviewed-by: Tigran Mkrtchyan <tigran.mkrtchyan@desy.de>
+Fixes: d67ae825a59d ("pnfs/flexfiles: Add the FlexFile Layout Driver")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/flexfilelayout/flexfilelayout.c | 118 ++++++++++++++++++-------
+ 1 file changed, 84 insertions(+), 34 deletions(-)
+
+diff --git a/fs/nfs/flexfilelayout/flexfilelayout.c b/fs/nfs/flexfilelayout/flexfilelayout.c
+index df48074605967..4bea008dbebd7 100644
+--- a/fs/nfs/flexfilelayout/flexfilelayout.c
++++ b/fs/nfs/flexfilelayout/flexfilelayout.c
+@@ -1105,6 +1105,7 @@ static void ff_layout_reset_read(struct nfs_pgio_header *hdr)
+ }
+ static int ff_layout_async_handle_error_v4(struct rpc_task *task,
++                                         u32 op_status,
+                                          struct nfs4_state *state,
+                                          struct nfs_client *clp,
+                                          struct pnfs_layout_segment *lseg,
+@@ -1115,34 +1116,42 @@ static int ff_layout_async_handle_error_v4(struct rpc_task *task,
+       struct nfs4_deviceid_node *devid = FF_LAYOUT_DEVID_NODE(lseg, idx);
+       struct nfs4_slot_table *tbl = &clp->cl_session->fc_slot_table;
+-      switch (task->tk_status) {
+-      case -NFS4ERR_BADSESSION:
+-      case -NFS4ERR_BADSLOT:
+-      case -NFS4ERR_BAD_HIGH_SLOT:
+-      case -NFS4ERR_DEADSESSION:
+-      case -NFS4ERR_CONN_NOT_BOUND_TO_SESSION:
+-      case -NFS4ERR_SEQ_FALSE_RETRY:
+-      case -NFS4ERR_SEQ_MISORDERED:
++      switch (op_status) {
++      case NFS4_OK:
++      case NFS4ERR_NXIO:
++              break;
++      case NFSERR_PERM:
++              if (!task->tk_xprt)
++                      break;
++              xprt_force_disconnect(task->tk_xprt);
++              goto out_retry;
++      case NFS4ERR_BADSESSION:
++      case NFS4ERR_BADSLOT:
++      case NFS4ERR_BAD_HIGH_SLOT:
++      case NFS4ERR_DEADSESSION:
++      case NFS4ERR_CONN_NOT_BOUND_TO_SESSION:
++      case NFS4ERR_SEQ_FALSE_RETRY:
++      case NFS4ERR_SEQ_MISORDERED:
+               dprintk("%s ERROR %d, Reset session. Exchangeid "
+                       "flags 0x%x\n", __func__, task->tk_status,
+                       clp->cl_exchange_flags);
+               nfs4_schedule_session_recovery(clp->cl_session, task->tk_status);
+-              break;
+-      case -NFS4ERR_DELAY:
++              goto out_retry;
++      case NFS4ERR_DELAY:
+               nfs_inc_stats(lseg->pls_layout->plh_inode, NFSIOS_DELAY);
+               fallthrough;
+-      case -NFS4ERR_GRACE:
++      case NFS4ERR_GRACE:
+               rpc_delay(task, FF_LAYOUT_POLL_RETRY_MAX);
+-              break;
+-      case -NFS4ERR_RETRY_UNCACHED_REP:
+-              break;
++              goto out_retry;
++      case NFS4ERR_RETRY_UNCACHED_REP:
++              goto out_retry;
+       /* Invalidate Layout errors */
+-      case -NFS4ERR_PNFS_NO_LAYOUT:
+-      case -ESTALE:           /* mapped NFS4ERR_STALE */
+-      case -EBADHANDLE:       /* mapped NFS4ERR_BADHANDLE */
+-      case -EISDIR:           /* mapped NFS4ERR_ISDIR */
+-      case -NFS4ERR_FHEXPIRED:
+-      case -NFS4ERR_WRONG_TYPE:
++      case NFS4ERR_PNFS_NO_LAYOUT:
++      case NFS4ERR_STALE:
++      case NFS4ERR_BADHANDLE:
++      case NFS4ERR_ISDIR:
++      case NFS4ERR_FHEXPIRED:
++      case NFS4ERR_WRONG_TYPE:
+               dprintk("%s Invalid layout error %d\n", __func__,
+                       task->tk_status);
+               /*
+@@ -1155,6 +1164,11 @@ static int ff_layout_async_handle_error_v4(struct rpc_task *task,
+               pnfs_destroy_layout(NFS_I(inode));
+               rpc_wake_up(&tbl->slot_tbl_waitq);
+               goto reset;
++      default:
++              break;
++      }
++
++      switch (task->tk_status) {
+       /* RPC connection errors */
+       case -ENETDOWN:
+       case -ENETUNREACH:
+@@ -1174,27 +1188,56 @@ static int ff_layout_async_handle_error_v4(struct rpc_task *task,
+               nfs4_delete_deviceid(devid->ld, devid->nfs_client,
+                               &devid->deviceid);
+               rpc_wake_up(&tbl->slot_tbl_waitq);
+-              fallthrough;
++              break;
+       default:
+-              if (ff_layout_avoid_mds_available_ds(lseg))
+-                      return -NFS4ERR_RESET_TO_PNFS;
+-reset:
+-              dprintk("%s Retry through MDS. Error %d\n", __func__,
+-                      task->tk_status);
+-              return -NFS4ERR_RESET_TO_MDS;
++              break;
+       }
++
++      if (ff_layout_avoid_mds_available_ds(lseg))
++              return -NFS4ERR_RESET_TO_PNFS;
++reset:
++      dprintk("%s Retry through MDS. Error %d\n", __func__,
++              task->tk_status);
++      return -NFS4ERR_RESET_TO_MDS;
++
++out_retry:
+       task->tk_status = 0;
+       return -EAGAIN;
+ }
+ /* Retry all errors through either pNFS or MDS except for -EJUKEBOX */
+ static int ff_layout_async_handle_error_v3(struct rpc_task *task,
++                                         u32 op_status,
+                                          struct nfs_client *clp,
+                                          struct pnfs_layout_segment *lseg,
+                                          u32 idx)
+ {
+       struct nfs4_deviceid_node *devid = FF_LAYOUT_DEVID_NODE(lseg, idx);
++      switch (op_status) {
++      case NFS_OK:
++      case NFSERR_NXIO:
++              break;
++      case NFSERR_PERM:
++              if (!task->tk_xprt)
++                      break;
++              xprt_force_disconnect(task->tk_xprt);
++              goto out_retry;
++      case NFSERR_ACCES:
++      case NFSERR_BADHANDLE:
++      case NFSERR_FBIG:
++      case NFSERR_IO:
++      case NFSERR_NOSPC:
++      case NFSERR_ROFS:
++      case NFSERR_STALE:
++              goto out_reset_to_pnfs;
++      case NFSERR_JUKEBOX:
++              nfs_inc_stats(lseg->pls_layout->plh_inode, NFSIOS_DELAY);
++              goto out_retry;
++      default:
++              break;
++      }
++
+       switch (task->tk_status) {
+       /* File access problems. Don't mark the device as unavailable */
+       case -EACCES:
+@@ -1218,6 +1261,7 @@ static int ff_layout_async_handle_error_v3(struct rpc_task *task,
+               nfs4_delete_deviceid(devid->ld, devid->nfs_client,
+                               &devid->deviceid);
+       }
++out_reset_to_pnfs:
+       /* FIXME: Need to prevent infinite looping here. */
+       return -NFS4ERR_RESET_TO_PNFS;
+ out_retry:
+@@ -1228,6 +1272,7 @@ static int ff_layout_async_handle_error_v3(struct rpc_task *task,
+ }
+ static int ff_layout_async_handle_error(struct rpc_task *task,
++                                      u32 op_status,
+                                       struct nfs4_state *state,
+                                       struct nfs_client *clp,
+                                       struct pnfs_layout_segment *lseg,
+@@ -1246,10 +1291,11 @@ static int ff_layout_async_handle_error(struct rpc_task *task,
+       switch (vers) {
+       case 3:
+-              return ff_layout_async_handle_error_v3(task, clp, lseg, idx);
+-      case 4:
+-              return ff_layout_async_handle_error_v4(task, state, clp,
++              return ff_layout_async_handle_error_v3(task, op_status, clp,
+                                                      lseg, idx);
++      case 4:
++              return ff_layout_async_handle_error_v4(task, op_status, state,
++                                                     clp, lseg, idx);
+       default:
+               /* should never happen */
+               WARN_ON_ONCE(1);
+@@ -1302,6 +1348,7 @@ static void ff_layout_io_track_ds_error(struct pnfs_layout_segment *lseg,
+       switch (status) {
+       case NFS4ERR_DELAY:
+       case NFS4ERR_GRACE:
++      case NFS4ERR_PERM:
+               break;
+       case NFS4ERR_NXIO:
+               ff_layout_mark_ds_unreachable(lseg, idx);
+@@ -1334,7 +1381,8 @@ static int ff_layout_read_done_cb(struct rpc_task *task,
+               trace_ff_layout_read_error(hdr, task->tk_status);
+       }
+-      err = ff_layout_async_handle_error(task, hdr->args.context->state,
++      err = ff_layout_async_handle_error(task, hdr->res.op_status,
++                                         hdr->args.context->state,
+                                          hdr->ds_clp, hdr->lseg,
+                                          hdr->pgio_mirror_idx);
+@@ -1507,7 +1555,8 @@ static int ff_layout_write_done_cb(struct rpc_task *task,
+               trace_ff_layout_write_error(hdr, task->tk_status);
+       }
+-      err = ff_layout_async_handle_error(task, hdr->args.context->state,
++      err = ff_layout_async_handle_error(task, hdr->res.op_status,
++                                         hdr->args.context->state,
+                                          hdr->ds_clp, hdr->lseg,
+                                          hdr->pgio_mirror_idx);
+@@ -1556,8 +1605,9 @@ static int ff_layout_commit_done_cb(struct rpc_task *task,
+               trace_ff_layout_commit_error(data, task->tk_status);
+       }
+-      err = ff_layout_async_handle_error(task, NULL, data->ds_clp,
+-                                         data->lseg, data->ds_commit_index);
++      err = ff_layout_async_handle_error(task, data->res.op_status,
++                                         NULL, data->ds_clp, data->lseg,
++                                         data->ds_commit_index);
+       trace_nfs4_pnfs_commit_ds(data, err);
+       switch (err) {
+-- 
+2.39.5
+
diff --git a/queue-6.15/nfsv4-pnfs-fix-a-race-to-wake-on-nfs_layout_drain.patch b/queue-6.15/nfsv4-pnfs-fix-a-race-to-wake-on-nfs_layout_drain.patch
new file mode 100644 (file)
index 0000000..4aefc8b
--- /dev/null
@@ -0,0 +1,45 @@
+From 7d3d134b1af4a1c5d01d665711c06136741a0570 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Jun 2025 11:02:21 -0400
+Subject: NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN
+
+From: Benjamin Coddington <bcodding@redhat.com>
+
+[ Upstream commit c01776287414ca43412d1319d2877cbad65444ac ]
+
+We found a few different systems hung up in writeback waiting on the same
+page lock, and one task waiting on the NFS_LAYOUT_DRAIN bit in
+pnfs_update_layout(), however the pnfs_layout_hdr's plh_outstanding count
+was zero.
+
+It seems most likely that this is another race between the waiter and waker
+similar to commit ed0172af5d6f ("SUNRPC: Fix a race to wake a sync task").
+Fix it up by applying the advised barrier.
+
+Fixes: 880265c77ac4 ("pNFS: Avoid a live lock condition in pnfs_update_layout()")
+Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/pnfs.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
+index 3adb7d0dbec7a..1a7ec68bde153 100644
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -2059,8 +2059,10 @@ static void nfs_layoutget_begin(struct pnfs_layout_hdr *lo)
+ static void nfs_layoutget_end(struct pnfs_layout_hdr *lo)
+ {
+       if (atomic_dec_and_test(&lo->plh_outstanding) &&
+-          test_and_clear_bit(NFS_LAYOUT_DRAIN, &lo->plh_flags))
++          test_and_clear_bit(NFS_LAYOUT_DRAIN, &lo->plh_flags)) {
++              smp_mb__after_atomic();
+               wake_up_bit(&lo->plh_flags, NFS_LAYOUT_DRAIN);
++      }
+ }
+ static bool pnfs_is_first_layoutget(struct pnfs_layout_hdr *lo)
+-- 
+2.39.5
+
diff --git a/queue-6.15/nui-fix-dma_mapping_error-check.patch b/queue-6.15/nui-fix-dma_mapping_error-check.patch
new file mode 100644 (file)
index 0000000..bd4756d
--- /dev/null
@@ -0,0 +1,143 @@
+From 322413ff55c4124453a3601e1b51d38086c539bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 10:36:43 +0200
+Subject: nui: Fix dma_mapping_error() check
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 561aa0e22b70a5e7246b73d62a824b3aef3fc375 ]
+
+dma_map_XXX() functions return values DMA_MAPPING_ERROR as error values
+which is often ~0.  The error value should be tested with
+dma_mapping_error().
+
+This patch creates a new function in niu_ops to test if the mapping
+failed.  The test is fixed in niu_rbr_add_page(), added in
+niu_start_xmit() and the successfully mapped pages are unmaped upon error.
+
+Fixes: ec2deec1f352 ("niu: Fix to check for dma mapping errors.")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/sun/niu.c | 31 ++++++++++++++++++++++++++++++-
+ drivers/net/ethernet/sun/niu.h |  4 ++++
+ 2 files changed, 34 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/sun/niu.c b/drivers/net/ethernet/sun/niu.c
+index 379b6e90121d9..02b8a9e5c9a90 100644
+--- a/drivers/net/ethernet/sun/niu.c
++++ b/drivers/net/ethernet/sun/niu.c
+@@ -3336,7 +3336,7 @@ static int niu_rbr_add_page(struct niu *np, struct rx_ring_info *rp,
+       addr = np->ops->map_page(np->device, page, 0,
+                                PAGE_SIZE, DMA_FROM_DEVICE);
+-      if (!addr) {
++      if (np->ops->mapping_error(np->device, addr)) {
+               __free_page(page);
+               return -ENOMEM;
+       }
+@@ -6676,6 +6676,8 @@ static netdev_tx_t niu_start_xmit(struct sk_buff *skb,
+       len = skb_headlen(skb);
+       mapping = np->ops->map_single(np->device, skb->data,
+                                     len, DMA_TO_DEVICE);
++      if (np->ops->mapping_error(np->device, mapping))
++              goto out_drop;
+       prod = rp->prod;
+@@ -6717,6 +6719,8 @@ static netdev_tx_t niu_start_xmit(struct sk_buff *skb,
+               mapping = np->ops->map_page(np->device, skb_frag_page(frag),
+                                           skb_frag_off(frag), len,
+                                           DMA_TO_DEVICE);
++              if (np->ops->mapping_error(np->device, mapping))
++                      goto out_unmap;
+               rp->tx_buffs[prod].skb = NULL;
+               rp->tx_buffs[prod].mapping = mapping;
+@@ -6741,6 +6745,19 @@ static netdev_tx_t niu_start_xmit(struct sk_buff *skb,
+ out:
+       return NETDEV_TX_OK;
++out_unmap:
++      while (i--) {
++              const skb_frag_t *frag;
++
++              prod = PREVIOUS_TX(rp, prod);
++              frag = &skb_shinfo(skb)->frags[i];
++              np->ops->unmap_page(np->device, rp->tx_buffs[prod].mapping,
++                                  skb_frag_size(frag), DMA_TO_DEVICE);
++      }
++
++      np->ops->unmap_single(np->device, rp->tx_buffs[rp->prod].mapping,
++                            skb_headlen(skb), DMA_TO_DEVICE);
++
+ out_drop:
+       rp->tx_errors++;
+       kfree_skb(skb);
+@@ -9644,6 +9661,11 @@ static void niu_pci_unmap_single(struct device *dev, u64 dma_address,
+       dma_unmap_single(dev, dma_address, size, direction);
+ }
++static int niu_pci_mapping_error(struct device *dev, u64 addr)
++{
++      return dma_mapping_error(dev, addr);
++}
++
+ static const struct niu_ops niu_pci_ops = {
+       .alloc_coherent = niu_pci_alloc_coherent,
+       .free_coherent  = niu_pci_free_coherent,
+@@ -9651,6 +9673,7 @@ static const struct niu_ops niu_pci_ops = {
+       .unmap_page     = niu_pci_unmap_page,
+       .map_single     = niu_pci_map_single,
+       .unmap_single   = niu_pci_unmap_single,
++      .mapping_error  = niu_pci_mapping_error,
+ };
+ static void niu_driver_version(void)
+@@ -10019,6 +10042,11 @@ static void niu_phys_unmap_single(struct device *dev, u64 dma_address,
+       /* Nothing to do.  */
+ }
++static int niu_phys_mapping_error(struct device *dev, u64 dma_address)
++{
++      return false;
++}
++
+ static const struct niu_ops niu_phys_ops = {
+       .alloc_coherent = niu_phys_alloc_coherent,
+       .free_coherent  = niu_phys_free_coherent,
+@@ -10026,6 +10054,7 @@ static const struct niu_ops niu_phys_ops = {
+       .unmap_page     = niu_phys_unmap_page,
+       .map_single     = niu_phys_map_single,
+       .unmap_single   = niu_phys_unmap_single,
++      .mapping_error  = niu_phys_mapping_error,
+ };
+ static int niu_of_probe(struct platform_device *op)
+diff --git a/drivers/net/ethernet/sun/niu.h b/drivers/net/ethernet/sun/niu.h
+index 04c215f91fc08..0b169c08b0f2d 100644
+--- a/drivers/net/ethernet/sun/niu.h
++++ b/drivers/net/ethernet/sun/niu.h
+@@ -2879,6 +2879,9 @@ struct tx_ring_info {
+ #define NEXT_TX(tp, index) \
+       (((index) + 1) < (tp)->pending ? ((index) + 1) : 0)
++#define PREVIOUS_TX(tp, index) \
++      (((index) - 1) >= 0 ? ((index) - 1) : (((tp)->pending) - 1))
++
+ static inline u32 niu_tx_avail(struct tx_ring_info *tp)
+ {
+       return (tp->pending -
+@@ -3140,6 +3143,7 @@ struct niu_ops {
+                         enum dma_data_direction direction);
+       void (*unmap_single)(struct device *dev, u64 dma_address,
+                            size_t size, enum dma_data_direction direction);
++      int (*mapping_error)(struct device *dev, u64 dma_address);
+ };
+ struct niu_link_config {
+-- 
+2.39.5
+
diff --git a/queue-6.15/nvme-fix-incorrect-cdw15-value-in-passthru-error-log.patch b/queue-6.15/nvme-fix-incorrect-cdw15-value-in-passthru-error-log.patch
new file mode 100644 (file)
index 0000000..d49adad
--- /dev/null
@@ -0,0 +1,38 @@
+From ad2e4996940bdd503e233adcabf0f8f57f5b371b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 28 Jun 2025 11:12:32 -0700
+Subject: nvme: Fix incorrect cdw15 value in passthru error logging
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit 2e96d2d8c2a7a6c2cef45593c028d9c5ef180316 ]
+
+Fix an error in nvme_log_err_passthru() where cdw14 was incorrectly
+printed twice instead of cdw15. This fix ensures accurate logging of
+the full passthrough command payload.
+
+Fixes: 9f079dda1433 ("nvme: allow passthru cmd error logging")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index d253b82901110..ae584c97f5284 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -382,7 +382,7 @@ static void nvme_log_err_passthru(struct request *req)
+               nr->cmd->common.cdw12,
+               nr->cmd->common.cdw13,
+               nr->cmd->common.cdw14,
+-              nr->cmd->common.cdw14);
++              nr->cmd->common.cdw15);
+ }
+ enum nvme_disposition {
+-- 
+2.39.5
+
diff --git a/queue-6.15/nvme-multipath-fix-suspicious-rcu-usage-warning.patch b/queue-6.15/nvme-multipath-fix-suspicious-rcu-usage-warning.patch
new file mode 100644 (file)
index 0000000..7e3ca54
--- /dev/null
@@ -0,0 +1,111 @@
+From 5438b5c5debd3b4c397764fab07200673913172a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 15:48:32 +0800
+Subject: nvme-multipath: fix suspicious RCU usage warning
+
+From: Geliang Tang <tanggeliang@kylinos.cn>
+
+[ Upstream commit d6811074203b13f715ce2480ac64c5b1c773f2a5 ]
+
+When I run the NVME over TCP test in virtme-ng, I get the following
+"suspicious RCU usage" warning in nvme_mpath_add_sysfs_link():
+
+'''
+[    5.024557][   T44] nvmet: Created nvm controller 1 for subsystem nqn.2025-06.org.nvmexpress.mptcp for NQN nqn.2014-08.org.nvmexpress:uuid:f7f6b5e0-ff97-4894-98ac-c85309e0bc77.
+[    5.027401][  T183] nvme nvme0: creating 2 I/O queues.
+[    5.029017][  T183] nvme nvme0: mapped 2/0/0 default/read/poll queues.
+[    5.032587][  T183] nvme nvme0: new ctrl: NQN "nqn.2025-06.org.nvmexpress.mptcp", addr 127.0.0.1:4420, hostnqn: nqn.2014-08.org.nvmexpress:uuid:f7f6b5e0-ff97-4894-98ac-c85309e0bc77
+[    5.042214][   T25]
+[    5.042440][   T25] =============================
+[    5.042579][   T25] WARNING: suspicious RCU usage
+[    5.042705][   T25] 6.16.0-rc3+ #23 Not tainted
+[    5.042812][   T25] -----------------------------
+[    5.042934][   T25] drivers/nvme/host/multipath.c:1203 RCU-list traversed in non-reader section!!
+[    5.043111][   T25]
+[    5.043111][   T25] other info that might help us debug this:
+[    5.043111][   T25]
+[    5.043341][   T25]
+[    5.043341][   T25] rcu_scheduler_active = 2, debug_locks = 1
+[    5.043502][   T25] 3 locks held by kworker/u9:0/25:
+[    5.043615][   T25]  #0: ffff888008730948 ((wq_completion)async){+.+.}-{0:0}, at: process_one_work+0x7ed/0x1350
+[    5.043830][   T25]  #1: ffffc900001afd40 ((work_completion)(&entry->work)){+.+.}-{0:0}, at: process_one_work+0xcf3/0x1350
+[    5.044084][   T25]  #2: ffff888013ee0020 (&head->srcu){.+.+}-{0:0}, at: nvme_mpath_add_sysfs_link.part.0+0xb4/0x3a0
+[    5.044300][   T25]
+[    5.044300][   T25] stack backtrace:
+[    5.044439][   T25] CPU: 0 UID: 0 PID: 25 Comm: kworker/u9:0 Not tainted 6.16.0-rc3+ #23 PREEMPT(full)
+[    5.044441][   T25] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
+[    5.044442][   T25] Workqueue: async async_run_entry_fn
+[    5.044445][   T25] Call Trace:
+[    5.044446][   T25]  <TASK>
+[    5.044449][   T25]  dump_stack_lvl+0x6f/0xb0
+[    5.044453][   T25]  lockdep_rcu_suspicious.cold+0x4f/0xb1
+[    5.044457][   T25]  nvme_mpath_add_sysfs_link.part.0+0x2fb/0x3a0
+[    5.044459][   T25]  ? queue_work_on+0x90/0xf0
+[    5.044461][   T25]  ? lockdep_hardirqs_on+0x78/0x110
+[    5.044466][   T25]  nvme_mpath_set_live+0x1e9/0x4f0
+[    5.044470][   T25]  nvme_mpath_add_disk+0x240/0x2f0
+[    5.044472][   T25]  ? __pfx_nvme_mpath_add_disk+0x10/0x10
+[    5.044475][   T25]  ? add_disk_fwnode+0x361/0x580
+[    5.044480][   T25]  nvme_alloc_ns+0x81c/0x17c0
+[    5.044483][   T25]  ? kasan_quarantine_put+0x104/0x240
+[    5.044487][   T25]  ? __pfx_nvme_alloc_ns+0x10/0x10
+[    5.044495][   T25]  ? __pfx_nvme_find_get_ns+0x10/0x10
+[    5.044496][   T25]  ? rcu_read_lock_any_held+0x45/0xa0
+[    5.044498][   T25]  ? validate_chain+0x232/0x4f0
+[    5.044503][   T25]  nvme_scan_ns+0x4c8/0x810
+[    5.044506][   T25]  ? __pfx_nvme_scan_ns+0x10/0x10
+[    5.044508][   T25]  ? find_held_lock+0x2b/0x80
+[    5.044512][   T25]  ? ktime_get+0x16d/0x220
+[    5.044517][   T25]  ? kvm_clock_get_cycles+0x18/0x30
+[    5.044520][   T25]  ? __pfx_nvme_scan_ns_async+0x10/0x10
+[    5.044522][   T25]  async_run_entry_fn+0x97/0x560
+[    5.044523][   T25]  ? rcu_is_watching+0x12/0xc0
+[    5.044526][   T25]  process_one_work+0xd3c/0x1350
+[    5.044532][   T25]  ? __pfx_process_one_work+0x10/0x10
+[    5.044536][   T25]  ? assign_work+0x16c/0x240
+[    5.044539][   T25]  worker_thread+0x4da/0xd50
+[    5.044545][   T25]  ? __pfx_worker_thread+0x10/0x10
+[    5.044546][   T25]  kthread+0x356/0x5c0
+[    5.044548][   T25]  ? __pfx_kthread+0x10/0x10
+[    5.044549][   T25]  ? ret_from_fork+0x1b/0x2e0
+[    5.044552][   T25]  ? __lock_release.isra.0+0x5d/0x180
+[    5.044553][   T25]  ? ret_from_fork+0x1b/0x2e0
+[    5.044555][   T25]  ? rcu_is_watching+0x12/0xc0
+[    5.044557][   T25]  ? __pfx_kthread+0x10/0x10
+[    5.044559][   T25]  ret_from_fork+0x218/0x2e0
+[    5.044561][   T25]  ? __pfx_kthread+0x10/0x10
+[    5.044562][   T25]  ret_from_fork_asm+0x1a/0x30
+[    5.044570][   T25]  </TASK>
+'''
+
+This patch uses sleepable RCU version of helper list_for_each_entry_srcu()
+instead of list_for_each_entry_rcu() to fix it.
+
+Fixes: 4dbd2b2ebe4c ("nvme-multipath: Add visibility for round-robin io-policy")
+Signed-off-by: Geliang Tang <tanggeliang@kylinos.cn>
+Reviewed-by: Keith Busch <kbusch@kernel.org>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Reviewed-by: Nilay Shroff <nilay@linux.ibm.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/multipath.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c
+index cf0ef4745564c..700dfbd5a4512 100644
+--- a/drivers/nvme/host/multipath.c
++++ b/drivers/nvme/host/multipath.c
+@@ -1050,7 +1050,8 @@ void nvme_mpath_add_sysfs_link(struct nvme_ns_head *head)
+        */
+       srcu_idx = srcu_read_lock(&head->srcu);
+-      list_for_each_entry_rcu(ns, &head->list, siblings) {
++      list_for_each_entry_srcu(ns, &head->list, siblings,
++                               srcu_read_lock_held(&head->srcu)) {
+               /*
+                * Ensure that ns path disk node is already added otherwise we
+                * may get invalid kobj name for target
+-- 
+2.39.5
+
diff --git a/queue-6.15/nvme-pci-refresh-visible-attrs-after-being-checked.patch b/queue-6.15/nvme-pci-refresh-visible-attrs-after-being-checked.patch
new file mode 100644 (file)
index 0000000..e48e159
--- /dev/null
@@ -0,0 +1,65 @@
+From 8172ae10af7361c206618b76b10d7351fa50305e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Jun 2025 16:21:01 -0300
+Subject: nvme-pci: refresh visible attrs after being checked
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Eugen Hristev <eugen.hristev@collabora.com>
+
+[ Upstream commit 14005c96d6649b27fa52d0cd0f492eb3b5586c07 ]
+
+The sysfs attributes are registered early, but the driver does not know
+whether they are needed or not at that moment.
+
+For the CMB attributes, commit e917a849c3fc ("nvme-pci: refresh visible
+attrs for cmb attributes") solved this problem by
+calling nvme_update_attrs after mapping the CMB.  However the issue
+persists for the HMB attributes. To solve the problem, moved the call to
+nvme_update_attrs after nvme_setup_host_mem, which sets up the HMB.
+
+Fixes: e917a849c3fc ("nvme-pci: refresh visible attrs for cmb attributes")
+Fixes: 86adbf0cdb9e ("nvme: simplify transport specific device attribute handling")
+Signed-off-by: Eugen Hristev <eugen.hristev@collabora.com>
+Signed-off-by: André Almeida <andrealmeid@igalia.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index f1dd804151b1c..776c867fb64d5 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -2031,8 +2031,6 @@ static void nvme_map_cmb(struct nvme_dev *dev)
+       if ((dev->cmbsz & (NVME_CMBSZ_WDS | NVME_CMBSZ_RDS)) ==
+                       (NVME_CMBSZ_WDS | NVME_CMBSZ_RDS))
+               pci_p2pmem_publish(pdev, true);
+-
+-      nvme_update_attrs(dev);
+ }
+ static int nvme_set_host_mem(struct nvme_dev *dev, u32 bits)
+@@ -2969,6 +2967,8 @@ static void nvme_reset_work(struct work_struct *work)
+       if (result < 0)
+               goto out;
++      nvme_update_attrs(dev);
++
+       result = nvme_setup_io_queues(dev);
+       if (result)
+               goto out;
+@@ -3305,6 +3305,8 @@ static int nvme_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+       if (result < 0)
+               goto out_disable;
++      nvme_update_attrs(dev);
++
+       result = nvme_setup_io_queues(dev);
+       if (result)
+               goto out_disable;
+-- 
+2.39.5
+
diff --git a/queue-6.15/nvmet-fix-memory-leak-of-bio-integrity.patch b/queue-6.15/nvmet-fix-memory-leak-of-bio-integrity.patch
new file mode 100644 (file)
index 0000000..7ac7b66
--- /dev/null
@@ -0,0 +1,42 @@
+From 925c37a3e368152b4701889f1807d7eff2d40005 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jun 2025 14:45:33 +0300
+Subject: nvmet: fix memory leak of bio integrity
+
+From: Dmitry Bogdanov <d.bogdanov@yadro.com>
+
+[ Upstream commit 190f4c2c863af7cc5bb354b70e0805f06419c038 ]
+
+If nvmet receives commands with metadata there is a continuous memory
+leak of kmalloc-128 slab or more precisely bio->bi_integrity.
+
+Since commit bf4c89fc8797 ("block: don't call bio_uninit from bio_endio")
+each user of bio_init has to use bio_uninit as well. Otherwise the bio
+integrity is not getting free. Nvmet uses bio_init for inline bios.
+
+Uninit the inline bio to complete deallocation of integrity in bio.
+
+Fixes: bf4c89fc8797 ("block: don't call bio_uninit from bio_endio")
+Signed-off-by: Dmitry Bogdanov <d.bogdanov@yadro.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/nvmet.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/nvme/target/nvmet.h b/drivers/nvme/target/nvmet.h
+index b6db8b74dc4ad..85e50e2981742 100644
+--- a/drivers/nvme/target/nvmet.h
++++ b/drivers/nvme/target/nvmet.h
+@@ -857,6 +857,8 @@ static inline void nvmet_req_bio_put(struct nvmet_req *req, struct bio *bio)
+ {
+       if (bio != &req->b.inline_bio)
+               bio_put(bio);
++      else
++              bio_uninit(bio);
+ }
+ #ifdef CONFIG_NVME_TARGET_TCP_TLS
+-- 
+2.39.5
+
diff --git a/queue-6.15/platform-mellanox-mlxbf-pmc-fix-duplicate-event-id-f.patch b/queue-6.15/platform-mellanox-mlxbf-pmc-fix-duplicate-event-id-f.patch
new file mode 100644 (file)
index 0000000..0f7858d
--- /dev/null
@@ -0,0 +1,44 @@
+From 37fc0030d5a39b9ed799611f90ed178c1415673e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 23:05:00 -0700
+Subject: platform/mellanox: mlxbf-pmc: Fix duplicate event ID for CACHE_DATA1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit 173bbec6693f3f3f00dac144f3aa0cd62fb60d33 ]
+
+same ID (103) was assigned to both GDC_BANK0_G_RSE_PIPE_CACHE_DATA0
+and GDC_BANK0_G_RSE_PIPE_CACHE_DATA1. This could lead to incorrect
+event mapping.
+Updated the ID to 104 to ensure uniqueness.
+
+Fixes: 423c3361855c ("platform/mellanox: mlxbf-pmc: Add support for BlueField-3")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Reviewed-by: David Thompson <davthompson@nvidia.com>
+Link: https://lore.kernel.org/r/20250619060502.3594350-1-alok.a.tiwari@oracle.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/mellanox/mlxbf-pmc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/platform/mellanox/mlxbf-pmc.c b/drivers/platform/mellanox/mlxbf-pmc.c
+index 36a00692347dc..771a24c397c12 100644
+--- a/drivers/platform/mellanox/mlxbf-pmc.c
++++ b/drivers/platform/mellanox/mlxbf-pmc.c
+@@ -713,7 +713,7 @@ static const struct mlxbf_pmc_events mlxbf_pmc_llt_events[] = {
+       {101, "GDC_BANK0_HIT_DCL_PARTIAL"},
+       {102, "GDC_BANK0_EVICT_DCL"},
+       {103, "GDC_BANK0_G_RSE_PIPE_CACHE_DATA0"},
+-      {103, "GDC_BANK0_G_RSE_PIPE_CACHE_DATA1"},
++      {104, "GDC_BANK0_G_RSE_PIPE_CACHE_DATA1"},
+       {105, "GDC_BANK0_ARB_STRB"},
+       {106, "GDC_BANK0_ARB_WAIT"},
+       {107, "GDC_BANK0_GGA_STRB"},
+-- 
+2.39.5
+
diff --git a/queue-6.15/platform-mellanox-mlxbf-tmfifo-fix-vring_desc.len-as.patch b/queue-6.15/platform-mellanox-mlxbf-tmfifo-fix-vring_desc.len-as.patch
new file mode 100644 (file)
index 0000000..c3a822f
--- /dev/null
@@ -0,0 +1,46 @@
+From b631089272c9d8693882a659ccb0edcb6aad0430 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Jun 2025 21:46:08 +0000
+Subject: platform/mellanox: mlxbf-tmfifo: fix vring_desc.len assignment
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: David Thompson <davthompson@nvidia.com>
+
+[ Upstream commit 109f4d29dade8ae5b4ac6325af9d1bc24b4230f8 ]
+
+Fix warnings reported by sparse, related to incorrect type:
+drivers/platform/mellanox/mlxbf-tmfifo.c:284:38: warning: incorrect type in assignment (different base types)
+drivers/platform/mellanox/mlxbf-tmfifo.c:284:38:    expected restricted __virtio32 [usertype] len
+drivers/platform/mellanox/mlxbf-tmfifo.c:284:38:    got unsigned long
+
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202404040339.S7CUIgf3-lkp@intel.com/
+Fixes: 78034cbece79 ("platform/mellanox: mlxbf-tmfifo: Drop the Rx packet if no more descriptors")
+Signed-off-by: David Thompson <davthompson@nvidia.com>
+Link: https://lore.kernel.org/r/20250613214608.2250130-1-davthompson@nvidia.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/mellanox/mlxbf-tmfifo.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/platform/mellanox/mlxbf-tmfifo.c b/drivers/platform/mellanox/mlxbf-tmfifo.c
+index aae99adb29eb0..70c58c4c6c842 100644
+--- a/drivers/platform/mellanox/mlxbf-tmfifo.c
++++ b/drivers/platform/mellanox/mlxbf-tmfifo.c
+@@ -281,7 +281,8 @@ static int mlxbf_tmfifo_alloc_vrings(struct mlxbf_tmfifo *fifo,
+               vring->align = SMP_CACHE_BYTES;
+               vring->index = i;
+               vring->vdev_id = tm_vdev->vdev.id.device;
+-              vring->drop_desc.len = VRING_DROP_DESC_MAX_LEN;
++              vring->drop_desc.len = cpu_to_virtio32(&tm_vdev->vdev,
++                                                     VRING_DROP_DESC_MAX_LEN);
+               dev = &tm_vdev->vdev.dev;
+               size = vring_size(vring->num, vring->align);
+-- 
+2.39.5
+
diff --git a/queue-6.15/platform-mellanox-mlxreg-lc-fix-logic-error-in-power.patch b/queue-6.15/platform-mellanox-mlxreg-lc-fix-logic-error-in-power.patch
new file mode 100644 (file)
index 0000000..5aeed4f
--- /dev/null
@@ -0,0 +1,51 @@
+From 703396c839f371492982f6721d711d38ea37bd8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 03:58:08 -0700
+Subject: platform/mellanox: mlxreg-lc: Fix logic error in power state check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit 644bec18e705ca41d444053407419a21832fcb2f ]
+
+Fixes a logic issue in mlxreg_lc_completion_notify() where the
+intention was to check if MLXREG_LC_POWERED flag is not set before
+powering on the device.
+
+The original code used "state & ~MLXREG_LC_POWERED" to check for the
+absence of the POWERED bit. However this condition evaluates to true
+even when other bits are set, leading to potentially incorrect
+behavior.
+
+Corrected the logic to explicitly check for the absence of
+MLXREG_LC_POWERED using !(state & MLXREG_LC_POWERED).
+
+Fixes: 62f9529b8d5c ("platform/mellanox: mlxreg-lc: Add initial support for Nvidia line card devices")
+Suggested-by: Vadim Pasternak <vadimp@nvidia.com>
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Link: https://lore.kernel.org/r/20250630105812.601014-1-alok.a.tiwari@oracle.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/mellanox/mlxreg-lc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/platform/mellanox/mlxreg-lc.c b/drivers/platform/mellanox/mlxreg-lc.c
+index aee395bb48ae4..8681ceb7144ba 100644
+--- a/drivers/platform/mellanox/mlxreg-lc.c
++++ b/drivers/platform/mellanox/mlxreg-lc.c
+@@ -688,7 +688,7 @@ static int mlxreg_lc_completion_notify(void *handle, struct i2c_adapter *parent,
+       if (regval & mlxreg_lc->data->mask) {
+               mlxreg_lc->state |= MLXREG_LC_SYNCED;
+               mlxreg_lc_state_update_locked(mlxreg_lc, MLXREG_LC_SYNCED, 1);
+-              if (mlxreg_lc->state & ~MLXREG_LC_POWERED) {
++              if (!(mlxreg_lc->state & MLXREG_LC_POWERED)) {
+                       err = mlxreg_lc_power_on_off(mlxreg_lc, 1);
+                       if (err)
+                               goto mlxreg_lc_regmap_power_on_off_fail;
+-- 
+2.39.5
+
diff --git a/queue-6.15/platform-mellanox-nvsw-sn2201-fix-bus-number-in-adap.patch b/queue-6.15/platform-mellanox-nvsw-sn2201-fix-bus-number-in-adap.patch
new file mode 100644 (file)
index 0000000..f74ba41
--- /dev/null
@@ -0,0 +1,42 @@
+From 7188052268e1999499fb07bc192b398402b840d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 22 Jun 2025 00:29:12 -0700
+Subject: platform/mellanox: nvsw-sn2201: Fix bus number in adapter error
+ message
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alok Tiwari <alok.a.tiwari@oracle.com>
+
+[ Upstream commit d07143b507c51c04c091081627c5a130e9d3c517 ]
+
+change error log to use correct bus number from main_mux_devs
+instead of cpld_devs.
+
+Fixes: 662f24826f95 ("platform/mellanox: Add support for new SN2201 system")
+Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
+Reviewed-by: Vadim Pasternak <vadimp@nvidia.com>
+Link: https://lore.kernel.org/r/20250622072921.4111552-2-alok.a.tiwari@oracle.com
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/mellanox/nvsw-sn2201.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/platform/mellanox/nvsw-sn2201.c b/drivers/platform/mellanox/nvsw-sn2201.c
+index 0c047aa2345b3..490001a9afd76 100644
+--- a/drivers/platform/mellanox/nvsw-sn2201.c
++++ b/drivers/platform/mellanox/nvsw-sn2201.c
+@@ -1088,7 +1088,7 @@ static int nvsw_sn2201_i2c_completion_notify(void *handle, int id)
+       if (!nvsw_sn2201->main_mux_devs->adapter) {
+               err = -ENODEV;
+               dev_err(nvsw_sn2201->dev, "Failed to get adapter for bus %d\n",
+-                      nvsw_sn2201->cpld_devs->nr);
++                      nvsw_sn2201->main_mux_devs->nr);
+               goto i2c_get_adapter_main_fail;
+       }
+-- 
+2.39.5
+
diff --git a/queue-6.15/platform-x86-amd-pmc-add-pcspecialist-lafite-pro-v-1.patch b/queue-6.15/platform-x86-amd-pmc-add-pcspecialist-lafite-pro-v-1.patch
new file mode 100644 (file)
index 0000000..9998cc3
--- /dev/null
@@ -0,0 +1,56 @@
+From 5015a90fe6f20bc37df8585295f0783f573e42ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jun 2025 15:33:40 -0500
+Subject: platform/x86/amd/pmc: Add PCSpecialist Lafite Pro V 14M to 8042
+ quirks list
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit 9ba75ccad85708c5a484637dccc1fc59295b0a83 ]
+
+Every other s2idle cycle fails to reach hardware sleep when keyboard
+wakeup is enabled.  This appears to be an EC bug, but the vendor
+refuses to fix it.
+
+It was confirmed that turning off i8042 wakeup avoids ths issue
+(albeit keyboard wakeup is disabled).  Take the lesser of two evils
+and add it to the i8042 quirk list.
+
+Reported-by: Raoul <ein4rth@gmail.com>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220116
+Tested-by: Raoul <ein4rth@gmail.com>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Link: https://lore.kernel.org/r/20250611203341.3733478-1-superm1@kernel.org
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/amd/pmc/pmc-quirks.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/platform/x86/amd/pmc/pmc-quirks.c b/drivers/platform/x86/amd/pmc/pmc-quirks.c
+index 2e3f6fc67c568..7ed12c1d3b34c 100644
+--- a/drivers/platform/x86/amd/pmc/pmc-quirks.c
++++ b/drivers/platform/x86/amd/pmc/pmc-quirks.c
+@@ -224,6 +224,15 @@ static const struct dmi_system_id fwbug_list[] = {
+                       DMI_MATCH(DMI_BOARD_NAME, "WUJIE14-GX4HRXL"),
+               }
+       },
++      /* https://bugzilla.kernel.org/show_bug.cgi?id=220116 */
++      {
++              .ident = "PCSpecialist Lafite Pro V 14M",
++              .driver_data = &quirk_spurious_8042,
++              .matches = {
++                      DMI_MATCH(DMI_SYS_VENDOR, "PCSpecialist"),
++                      DMI_MATCH(DMI_PRODUCT_NAME, "Lafite Pro V 14M"),
++              }
++      },
+       {}
+ };
+-- 
+2.39.5
+
diff --git a/queue-6.15/platform-x86-dell-wmi-sysman-fix-class-device-unregi.patch b/queue-6.15/platform-x86-dell-wmi-sysman-fix-class-device-unregi.patch
new file mode 100644 (file)
index 0000000..9b71fd1
--- /dev/null
@@ -0,0 +1,52 @@
+From f51041b4324faf00b834e7e91d0223df916e9425 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jun 2025 22:17:37 -0300
+Subject: platform/x86: dell-wmi-sysman: Fix class device unregistration
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kurt Borja <kuurtb@gmail.com>
+
+[ Upstream commit 314e5ad4782d08858b3abc325c0487bd2abc23a1 ]
+
+Devices under the firmware_attributes_class do not have unique a dev_t.
+Therefore, device_unregister() should be used instead of
+device_destroy(), since the latter may match any device with a given
+dev_t.
+
+Fixes: e8a60aa7404b ("platform/x86: Introduce support for Systems Management Driver over WMI for Dell Systems")
+Signed-off-by: Kurt Borja <kuurtb@gmail.com>
+Link: https://lore.kernel.org/r/20250625-dest-fix-v1-3-3a0f342312bb@gmail.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/dell/dell-wmi-sysman/sysman.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c b/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c
+index 3c74d5e8350a4..f5402b7146572 100644
+--- a/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c
++++ b/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c
+@@ -597,7 +597,7 @@ static int __init sysman_init(void)
+       release_attributes_data();
+ err_destroy_classdev:
+-      device_destroy(&firmware_attributes_class, MKDEV(0, 0));
++      device_unregister(wmi_priv.class_dev);
+ err_exit_bios_attr_pass_interface:
+       exit_bios_attr_pass_interface();
+@@ -611,7 +611,7 @@ static int __init sysman_init(void)
+ static void __exit sysman_exit(void)
+ {
+       release_attributes_data();
+-      device_destroy(&firmware_attributes_class, MKDEV(0, 0));
++      device_unregister(wmi_priv.class_dev);
+       exit_bios_attr_set_interface();
+       exit_bios_attr_pass_interface();
+ }
+-- 
+2.39.5
+
diff --git a/queue-6.15/platform-x86-dell-wmi-sysman-fix-wmi-data-block-retr.patch b/queue-6.15/platform-x86-dell-wmi-sysman-fix-wmi-data-block-retr.patch
new file mode 100644 (file)
index 0000000..1ed821e
--- /dev/null
@@ -0,0 +1,141 @@
+From 764f642c735cf17c2b2e925c2ac4e8e6f8159489 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Jun 2025 00:43:12 -0300
+Subject: platform/x86: dell-wmi-sysman: Fix WMI data block retrieval in sysfs
+ callbacks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kurt Borja <kuurtb@gmail.com>
+
+[ Upstream commit eb617dd25ca176f3fee24f873f0fd60010773d67 ]
+
+After retrieving WMI data blocks in sysfs callbacks, check for the
+validity of them before dereferencing their content.
+
+Reported-by: Jan Graczyk <jangraczyk@yahoo.ca>
+Closes: https://lore.kernel.org/r/CAHk-=wgMiSKXf7SvQrfEnxVtmT=QVQPjJdNjfm3aXS7wc=rzTw@mail.gmail.com/
+Fixes: e8a60aa7404b ("platform/x86: Introduce support for Systems Management Driver over WMI for Dell Systems")
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Reviewed-by: Armin Wolf <W_Armin@gmx.de>
+Signed-off-by: Kurt Borja <kuurtb@gmail.com>
+Link: https://lore.kernel.org/r/20250630-sysman-fix-v2-1-d185674d0a30@gmail.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../platform/x86/dell/dell-wmi-sysman/dell-wmi-sysman.h   | 5 +++++
+ .../platform/x86/dell/dell-wmi-sysman/enum-attributes.c   | 5 +++--
+ .../platform/x86/dell/dell-wmi-sysman/int-attributes.c    | 5 +++--
+ .../x86/dell/dell-wmi-sysman/passobj-attributes.c         | 5 +++--
+ .../platform/x86/dell/dell-wmi-sysman/string-attributes.c | 5 +++--
+ drivers/platform/x86/dell/dell-wmi-sysman/sysman.c        | 8 ++++----
+ 6 files changed, 21 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/platform/x86/dell/dell-wmi-sysman/dell-wmi-sysman.h b/drivers/platform/x86/dell/dell-wmi-sysman/dell-wmi-sysman.h
+index 3ad33a094588c..817ee7ba07ca0 100644
+--- a/drivers/platform/x86/dell/dell-wmi-sysman/dell-wmi-sysman.h
++++ b/drivers/platform/x86/dell/dell-wmi-sysman/dell-wmi-sysman.h
+@@ -89,6 +89,11 @@ extern struct wmi_sysman_priv wmi_priv;
+ enum { ENUM, INT, STR, PO };
++#define ENUM_MIN_ELEMENTS             8
++#define INT_MIN_ELEMENTS              9
++#define STR_MIN_ELEMENTS              8
++#define PO_MIN_ELEMENTS                       4
++
+ enum {
+       ATTR_NAME,
+       DISPL_NAME_LANG_CODE,
+diff --git a/drivers/platform/x86/dell/dell-wmi-sysman/enum-attributes.c b/drivers/platform/x86/dell/dell-wmi-sysman/enum-attributes.c
+index 8cc212c852668..fc2f58b4cbc6e 100644
+--- a/drivers/platform/x86/dell/dell-wmi-sysman/enum-attributes.c
++++ b/drivers/platform/x86/dell/dell-wmi-sysman/enum-attributes.c
+@@ -23,9 +23,10 @@ static ssize_t current_value_show(struct kobject *kobj, struct kobj_attribute *a
+       obj = get_wmiobj_pointer(instance_id, DELL_WMI_BIOS_ENUMERATION_ATTRIBUTE_GUID);
+       if (!obj)
+               return -EIO;
+-      if (obj->package.elements[CURRENT_VAL].type != ACPI_TYPE_STRING) {
++      if (obj->type != ACPI_TYPE_PACKAGE || obj->package.count < ENUM_MIN_ELEMENTS ||
++          obj->package.elements[CURRENT_VAL].type != ACPI_TYPE_STRING) {
+               kfree(obj);
+-              return -EINVAL;
++              return -EIO;
+       }
+       ret = snprintf(buf, PAGE_SIZE, "%s\n", obj->package.elements[CURRENT_VAL].string.pointer);
+       kfree(obj);
+diff --git a/drivers/platform/x86/dell/dell-wmi-sysman/int-attributes.c b/drivers/platform/x86/dell/dell-wmi-sysman/int-attributes.c
+index 951e75b538fad..7352480642391 100644
+--- a/drivers/platform/x86/dell/dell-wmi-sysman/int-attributes.c
++++ b/drivers/platform/x86/dell/dell-wmi-sysman/int-attributes.c
+@@ -25,9 +25,10 @@ static ssize_t current_value_show(struct kobject *kobj, struct kobj_attribute *a
+       obj = get_wmiobj_pointer(instance_id, DELL_WMI_BIOS_INTEGER_ATTRIBUTE_GUID);
+       if (!obj)
+               return -EIO;
+-      if (obj->package.elements[CURRENT_VAL].type != ACPI_TYPE_INTEGER) {
++      if (obj->type != ACPI_TYPE_PACKAGE || obj->package.count < INT_MIN_ELEMENTS ||
++          obj->package.elements[CURRENT_VAL].type != ACPI_TYPE_INTEGER) {
+               kfree(obj);
+-              return -EINVAL;
++              return -EIO;
+       }
+       ret = snprintf(buf, PAGE_SIZE, "%lld\n", obj->package.elements[CURRENT_VAL].integer.value);
+       kfree(obj);
+diff --git a/drivers/platform/x86/dell/dell-wmi-sysman/passobj-attributes.c b/drivers/platform/x86/dell/dell-wmi-sysman/passobj-attributes.c
+index d8f1bf5e58a0f..3167e06d416ed 100644
+--- a/drivers/platform/x86/dell/dell-wmi-sysman/passobj-attributes.c
++++ b/drivers/platform/x86/dell/dell-wmi-sysman/passobj-attributes.c
+@@ -26,9 +26,10 @@ static ssize_t is_enabled_show(struct kobject *kobj, struct kobj_attribute *attr
+       obj = get_wmiobj_pointer(instance_id, DELL_WMI_BIOS_PASSOBJ_ATTRIBUTE_GUID);
+       if (!obj)
+               return -EIO;
+-      if (obj->package.elements[IS_PASS_SET].type != ACPI_TYPE_INTEGER) {
++      if (obj->type != ACPI_TYPE_PACKAGE || obj->package.count < PO_MIN_ELEMENTS ||
++          obj->package.elements[IS_PASS_SET].type != ACPI_TYPE_INTEGER) {
+               kfree(obj);
+-              return -EINVAL;
++              return -EIO;
+       }
+       ret = snprintf(buf, PAGE_SIZE, "%lld\n", obj->package.elements[IS_PASS_SET].integer.value);
+       kfree(obj);
+diff --git a/drivers/platform/x86/dell/dell-wmi-sysman/string-attributes.c b/drivers/platform/x86/dell/dell-wmi-sysman/string-attributes.c
+index c392f0ecf8b55..0d2c74f8d1aad 100644
+--- a/drivers/platform/x86/dell/dell-wmi-sysman/string-attributes.c
++++ b/drivers/platform/x86/dell/dell-wmi-sysman/string-attributes.c
+@@ -25,9 +25,10 @@ static ssize_t current_value_show(struct kobject *kobj, struct kobj_attribute *a
+       obj = get_wmiobj_pointer(instance_id, DELL_WMI_BIOS_STRING_ATTRIBUTE_GUID);
+       if (!obj)
+               return -EIO;
+-      if (obj->package.elements[CURRENT_VAL].type != ACPI_TYPE_STRING) {
++      if (obj->type != ACPI_TYPE_PACKAGE || obj->package.count < STR_MIN_ELEMENTS ||
++          obj->package.elements[CURRENT_VAL].type != ACPI_TYPE_STRING) {
+               kfree(obj);
+-              return -EINVAL;
++              return -EIO;
+       }
+       ret = snprintf(buf, PAGE_SIZE, "%s\n", obj->package.elements[CURRENT_VAL].string.pointer);
+       kfree(obj);
+diff --git a/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c b/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c
+index d00389b860e4e..3c74d5e8350a4 100644
+--- a/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c
++++ b/drivers/platform/x86/dell/dell-wmi-sysman/sysman.c
+@@ -407,10 +407,10 @@ static int init_bios_attributes(int attr_type, const char *guid)
+               return retval;
+       switch (attr_type) {
+-      case ENUM:      min_elements = 8;       break;
+-      case INT:       min_elements = 9;       break;
+-      case STR:       min_elements = 8;       break;
+-      case PO:        min_elements = 4;       break;
++      case ENUM:      min_elements = ENUM_MIN_ELEMENTS;       break;
++      case INT:       min_elements = INT_MIN_ELEMENTS;        break;
++      case STR:       min_elements = STR_MIN_ELEMENTS;        break;
++      case PO:        min_elements = PO_MIN_ELEMENTS;         break;
+       default:
+               pr_err("Error: Unknown attr_type: %d\n", attr_type);
+               return -EINVAL;
+-- 
+2.39.5
+
diff --git a/queue-6.15/platform-x86-hp-bioscfg-fix-class-device-unregistrat.patch b/queue-6.15/platform-x86-hp-bioscfg-fix-class-device-unregistrat.patch
new file mode 100644 (file)
index 0000000..2261a5b
--- /dev/null
@@ -0,0 +1,52 @@
+From 02e28fc00ee16897254801b4b9f00737f5661c53 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jun 2025 22:17:35 -0300
+Subject: platform/x86: hp-bioscfg: Fix class device unregistration
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kurt Borja <kuurtb@gmail.com>
+
+[ Upstream commit 11cba4793b95df3bc192149a6eb044f69aa0b99e ]
+
+Devices under the firmware_attributes_class do not have unique a dev_t.
+Therefore, device_unregister() should be used instead of
+device_destroy(), since the latter may match any device with a given
+dev_t.
+
+Fixes: a34fc329b189 ("platform/x86: hp-bioscfg: bioscfg")
+Signed-off-by: Kurt Borja <kuurtb@gmail.com>
+Link: https://lore.kernel.org/r/20250625-dest-fix-v1-1-3a0f342312bb@gmail.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/hp/hp-bioscfg/bioscfg.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c b/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c
+index 13237890fc920..5bfa7159f5bcd 100644
+--- a/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c
++++ b/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c
+@@ -1034,7 +1034,7 @@ static int __init hp_init(void)
+       release_attributes_data();
+ err_destroy_classdev:
+-      device_destroy(&firmware_attributes_class, MKDEV(0, 0));
++      device_unregister(bioscfg_drv.class_dev);
+ err_unregister_class:
+       hp_exit_attr_set_interface();
+@@ -1045,7 +1045,7 @@ static int __init hp_init(void)
+ static void __exit hp_exit(void)
+ {
+       release_attributes_data();
+-      device_destroy(&firmware_attributes_class, MKDEV(0, 0));
++      device_unregister(bioscfg_drv.class_dev);
+       hp_exit_attr_set_interface();
+ }
+-- 
+2.39.5
+
diff --git a/queue-6.15/platform-x86-think-lmi-fix-class-device-unregistrati.patch b/queue-6.15/platform-x86-think-lmi-fix-class-device-unregistrati.patch
new file mode 100644 (file)
index 0000000..17d21e3
--- /dev/null
@@ -0,0 +1,52 @@
+From c27e2ff6c45299e9e73874977c0e9966faf24577 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jun 2025 22:17:36 -0300
+Subject: platform/x86: think-lmi: Fix class device unregistration
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kurt Borja <kuurtb@gmail.com>
+
+[ Upstream commit 5ff1fbb3059730700b4823f43999fc1315984632 ]
+
+Devices under the firmware_attributes_class do not have unique a dev_t.
+Therefore, device_unregister() should be used instead of
+device_destroy(), since the latter may match any device with a given
+dev_t.
+
+Fixes: a40cd7ef22fb ("platform/x86: think-lmi: Add WMI interface support on Lenovo platforms")
+Signed-off-by: Kurt Borja <kuurtb@gmail.com>
+Link: https://lore.kernel.org/r/20250625-dest-fix-v1-2-3a0f342312bb@gmail.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/think-lmi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/platform/x86/think-lmi.c b/drivers/platform/x86/think-lmi.c
+index 00b1e7c79a3d1..28ce475f6c377 100644
+--- a/drivers/platform/x86/think-lmi.c
++++ b/drivers/platform/x86/think-lmi.c
+@@ -1554,7 +1554,7 @@ static int tlmi_sysfs_init(void)
+ fail_create_attr:
+       tlmi_release_attr();
+ fail_device_created:
+-      device_destroy(&firmware_attributes_class, MKDEV(0, 0));
++      device_unregister(tlmi_priv.class_dev);
+ fail_class_created:
+       return ret;
+ }
+@@ -1781,7 +1781,7 @@ static int tlmi_analyze(struct wmi_device *wdev)
+ static void tlmi_remove(struct wmi_device *wdev)
+ {
+       tlmi_release_attr();
+-      device_destroy(&firmware_attributes_class, MKDEV(0, 0));
++      device_unregister(tlmi_priv.class_dev);
+ }
+ static int tlmi_probe(struct wmi_device *wdev, const void *context)
+-- 
+2.39.5
+
diff --git a/queue-6.15/platform-x86-wmi-fix-wmi-event-enablement.patch b/queue-6.15/platform-x86-wmi-fix-wmi-event-enablement.patch
new file mode 100644 (file)
index 0000000..1304043
--- /dev/null
@@ -0,0 +1,74 @@
+From d3710a46906258261d470b3bad5a51ced69afd40 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Jun 2025 00:14:39 +0200
+Subject: platform/x86: wmi: Fix WMI event enablement
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Armin Wolf <W_Armin@gmx.de>
+
+[ Upstream commit cf0b812500e64a7d5e2957abed38c3a97917b34f ]
+
+It turns out that the Windows WMI-ACPI driver always enables/disables
+WMI events regardless of whether they are marked as expensive or not.
+This finding is further reinforced when reading the documentation of
+the WMI_FUNCTION_CONTROL_CALLBACK callback used by Windows drivers
+for enabling/disabling WMI devices:
+
+       The DpWmiFunctionControl routine enables or disables
+       notification of events, and enables or disables data
+       collection for data blocks that the driver registered
+       as expensive to collect.
+
+Follow this behavior to fix the WMI event used for reporting hotkey
+events on the Dell Latitude 5400 and likely many more devices.
+
+Reported-by: Dmytro Bagrii <dimich.dmb@gmail.com>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220246
+Tested-by: Dmytro Bagrii <dimich.dmb@gmail.com>
+Fixes: 656f0961d126 ("platform/x86: wmi: Rework WCxx/WExx ACPI method handling")
+Signed-off-by: Armin Wolf <W_Armin@gmx.de>
+Link: https://lore.kernel.org/r/20250619221440.6737-1-W_Armin@gmx.de
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/wmi.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c
+index e46453750d5f1..03aecf8bb7f8e 100644
+--- a/drivers/platform/x86/wmi.c
++++ b/drivers/platform/x86/wmi.c
+@@ -177,16 +177,22 @@ static int wmi_device_enable(struct wmi_device *wdev, bool enable)
+       acpi_handle handle;
+       acpi_status status;
+-      if (!(wblock->gblock.flags & ACPI_WMI_EXPENSIVE))
+-              return 0;
+-
+       if (wblock->dev.dev.type == &wmi_type_method)
+               return 0;
+-      if (wblock->dev.dev.type == &wmi_type_event)
++      if (wblock->dev.dev.type == &wmi_type_event) {
++              /*
++               * Windows always enables/disables WMI events, even when they are
++               * not marked as being expensive. We follow this behavior for
++               * compatibility reasons.
++               */
+               snprintf(method, sizeof(method), "WE%02X", wblock->gblock.notify_id);
+-      else
++      } else {
++              if (!(wblock->gblock.flags & ACPI_WMI_EXPENSIVE))
++                      return 0;
++
+               get_acpi_method_name(wblock, 'C', method);
++      }
+       /*
+        * Not all WMI devices marked as expensive actually implement the
+-- 
+2.39.5
+
diff --git a/queue-6.15/powerpc-fix-struct-termio-related-ioctl-macros.patch b/queue-6.15/powerpc-fix-struct-termio-related-ioctl-macros.patch
new file mode 100644 (file)
index 0000000..2760a22
--- /dev/null
@@ -0,0 +1,58 @@
+From df549717903c50eb9de544c092c0c50ba22a99dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 May 2025 19:52:37 +0530
+Subject: powerpc: Fix struct termio related ioctl macros
+
+From: Madhavan Srinivasan <maddy@linux.ibm.com>
+
+[ Upstream commit ab107276607af90b13a5994997e19b7b9731e251 ]
+
+Since termio interface is now obsolete, include/uapi/asm/ioctls.h
+has some constant macros referring to "struct termio", this caused
+build failure at userspace.
+
+In file included from /usr/include/asm/ioctl.h:12,
+                 from /usr/include/asm/ioctls.h:5,
+                 from tst-ioctls.c:3:
+tst-ioctls.c: In function 'get_TCGETA':
+tst-ioctls.c:12:10: error: invalid application of 'sizeof' to incomplete type 'struct termio'
+   12 |   return TCGETA;
+      |          ^~~~~~
+
+Even though termios.h provides "struct termio", trying to juggle definitions around to
+make it compile could introduce regressions. So better to open code it.
+
+Reported-by: Tulio Magno <tuliom@ascii.art.br>
+Suggested-by: Nicholas Piggin <npiggin@gmail.com>
+Tested-by: Justin M. Forbes <jforbes@fedoraproject.org>
+Reviewed-by: Michael Ellerman <mpe@ellerman.id.au>
+Closes: https://lore.kernel.org/linuxppc-dev/8734dji5wl.fsf@ascii.art.br/
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/20250517142237.156665-1-maddy@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/uapi/asm/ioctls.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/powerpc/include/uapi/asm/ioctls.h b/arch/powerpc/include/uapi/asm/ioctls.h
+index 2c145da3b774a..b5211e413829a 100644
+--- a/arch/powerpc/include/uapi/asm/ioctls.h
++++ b/arch/powerpc/include/uapi/asm/ioctls.h
+@@ -23,10 +23,10 @@
+ #define TCSETSW               _IOW('t', 21, struct termios)
+ #define TCSETSF               _IOW('t', 22, struct termios)
+-#define TCGETA                _IOR('t', 23, struct termio)
+-#define TCSETA                _IOW('t', 24, struct termio)
+-#define TCSETAW               _IOW('t', 25, struct termio)
+-#define TCSETAF               _IOW('t', 28, struct termio)
++#define TCGETA                0x40147417 /* _IOR('t', 23, struct termio) */
++#define TCSETA                0x80147418 /* _IOW('t', 24, struct termio) */
++#define TCSETAW               0x80147419 /* _IOW('t', 25, struct termio) */
++#define TCSETAF               0x8014741c /* _IOW('t', 28, struct termio) */
+ #define TCSBRK                _IO('t', 29)
+ #define TCXONC                _IO('t', 30)
+-- 
+2.39.5
+
diff --git a/queue-6.15/rcu-return-early-if-callback-is-not-specified.patch b/queue-6.15/rcu-return-early-if-callback-is-not-specified.patch
new file mode 100644 (file)
index 0000000..5bb0e68
--- /dev/null
@@ -0,0 +1,43 @@
+From 36dd4ec375d0ccf54c77a2feb5a513e6c452f6db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 19:34:48 +0200
+Subject: rcu: Return early if callback is not specified
+
+From: Uladzislau Rezki (Sony) <urezki@gmail.com>
+
+[ Upstream commit 33b6a1f155d627f5bd80c7485c598ce45428f74f ]
+
+Currently the call_rcu() API does not check whether a callback
+pointer is NULL. If NULL is passed, rcu_core() will try to invoke
+it, resulting in NULL pointer dereference and a kernel crash.
+
+To prevent this and improve debuggability, this patch adds a check
+for NULL and emits a kernel stack trace to help identify a faulty
+caller.
+
+Signed-off-by: Uladzislau Rezki (Sony) <urezki@gmail.com>
+Reviewed-by: Joel Fernandes <joelagnelf@nvidia.com>
+Signed-off-by: Joel Fernandes <joelagnelf@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/rcu/tree.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c
+index 80b10893b5038..37778d913f011 100644
+--- a/kernel/rcu/tree.c
++++ b/kernel/rcu/tree.c
+@@ -3068,6 +3068,10 @@ __call_rcu_common(struct rcu_head *head, rcu_callback_t func, bool lazy_in)
+       /* Misaligned rcu_head! */
+       WARN_ON_ONCE((unsigned long)head & (sizeof(void *) - 1));
++      /* Avoid NULL dereference if callback is NULL. */
++      if (WARN_ON_ONCE(!func))
++              return;
++
+       if (debug_rcu_head_queue(head)) {
+               /*
+                * Probable double call_rcu(), so leak the callback.
+-- 
+2.39.5
+
diff --git a/queue-6.15/rdma-mlx5-fix-cc-counters-query-for-mpv.patch b/queue-6.15/rdma-mlx5-fix-cc-counters-query-for-mpv.patch
new file mode 100644 (file)
index 0000000..7b2553c
--- /dev/null
@@ -0,0 +1,38 @@
+From d17f29c52b837412614ab1a738261dcee5ca92b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Jun 2025 12:14:53 +0300
+Subject: RDMA/mlx5: Fix CC counters query for MPV
+
+From: Patrisious Haddad <phaddad@nvidia.com>
+
+[ Upstream commit acd245b1e33fc4b9d0f2e3372021d632f7ee0652 ]
+
+In case, CC counters are querying for the second port use the correct
+core device for the query instead of always using the master core device.
+
+Fixes: aac4492ef23a ("IB/mlx5: Update counter implementation for dual port RoCE")
+Signed-off-by: Patrisious Haddad <phaddad@nvidia.com>
+Reviewed-by: Michael Guralnik <michaelgur@nvidia.com>
+Link: https://patch.msgid.link/9cace74dcf106116118bebfa9146d40d4166c6b0.1750064969.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/counters.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/counters.c b/drivers/infiniband/hw/mlx5/counters.c
+index 943e9eb2ad20d..a506fafd2b151 100644
+--- a/drivers/infiniband/hw/mlx5/counters.c
++++ b/drivers/infiniband/hw/mlx5/counters.c
+@@ -418,7 +418,7 @@ static int do_get_hw_stats(struct ib_device *ibdev,
+                        */
+                       goto done;
+               }
+-              ret = mlx5_lag_query_cong_counters(dev->mdev,
++              ret = mlx5_lag_query_cong_counters(mdev,
+                                                  stats->value +
+                                                  cnts->num_q_counters,
+                                                  cnts->num_cong_counters,
+-- 
+2.39.5
+
diff --git a/queue-6.15/rdma-mlx5-fix-hw-counters-query-for-non-representor-.patch b/queue-6.15/rdma-mlx5-fix-hw-counters-query-for-non-representor-.patch
new file mode 100644 (file)
index 0000000..a08f8a8
--- /dev/null
@@ -0,0 +1,46 @@
+From 8c4a8324609544a4cdf779ca338d9e9c5f2eb6cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Jun 2025 12:14:52 +0300
+Subject: RDMA/mlx5: Fix HW counters query for non-representor devices
+
+From: Patrisious Haddad <phaddad@nvidia.com>
+
+[ Upstream commit 3cc1dbfddf88dc5ecce0a75185061403b1f7352d ]
+
+To get the device HW counters, a non-representor switchdev device
+should use the mlx5_ib_query_q_counters() function and query all of
+the available counters. While a representor device in switchdev mode
+should use the mlx5_ib_query_q_counters_vport() function and query only
+the Q_Counters without the PPCNT counters and congestion control counters,
+since they aren't relevant for a representor device.
+
+Currently a non-representor switchdev device skips querying the PPCNT
+counters and congestion control counters, leaving them unupdated.
+Fix that by properly querying those counters for non-representor devices.
+
+Fixes: d22467a71ebe ("RDMA/mlx5: Expand switchdev Q-counters to expose representor statistics")
+Signed-off-by: Patrisious Haddad <phaddad@nvidia.com>
+Reviewed-by: Maher Sanalla <msanalla@nvidia.com>
+Link: https://patch.msgid.link/56bf8af4ca8c58e3fb9f7e47b1dca2009eeeed81.1750064969.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/counters.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/counters.c b/drivers/infiniband/hw/mlx5/counters.c
+index b847084dcd998..943e9eb2ad20d 100644
+--- a/drivers/infiniband/hw/mlx5/counters.c
++++ b/drivers/infiniband/hw/mlx5/counters.c
+@@ -398,7 +398,7 @@ static int do_get_hw_stats(struct ib_device *ibdev,
+               return ret;
+       /* We don't expose device counters over Vports */
+-      if (is_mdev_switchdev_mode(dev->mdev) && port_num != 0)
++      if (is_mdev_switchdev_mode(dev->mdev) && dev->is_rep && port_num != 0)
+               goto done;
+       if (MLX5_CAP_PCAM_FEATURE(dev->mdev, rx_icrc_encapsulated_counter)) {
+-- 
+2.39.5
+
diff --git a/queue-6.15/rdma-mlx5-fix-unsafe-xarray-access-in-implicit-odp-h.patch b/queue-6.15/rdma-mlx5-fix-unsafe-xarray-access-in-implicit-odp-h.patch
new file mode 100644 (file)
index 0000000..f977d53
--- /dev/null
@@ -0,0 +1,104 @@
+From 16b9804ab43a3ded3ee778240e5d03a93f956b1c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Jun 2025 11:17:01 +0300
+Subject: RDMA/mlx5: Fix unsafe xarray access in implicit ODP handling
+
+From: Or Har-Toov <ohartoov@nvidia.com>
+
+[ Upstream commit 2c6b640ea08bff1a192bf87fa45246ff1e40767c ]
+
+__xa_store() and __xa_erase() were used without holding the proper lock,
+which led to a lockdep warning due to unsafe RCU usage.  This patch
+replaces them with xa_store() and xa_erase(), which perform the necessary
+locking internally.
+
+  =============================
+  WARNING: suspicious RCPU usage
+  6.14.0-rc7_for_upstream_debug_2025_03_18_15_01 #1 Not tainted
+  -----------------------------
+  ./include/linux/xarray.h:1211 suspicious rcu_dereference_protected() usage!
+
+  other info that might help us debug this:
+
+  rcu_scheduler_active = 2, debug_locks = 1
+  3 locks held by kworker/u136:0/219:
+      at: process_one_work+0xbe4/0x15f0
+      process_one_work+0x75c/0x15f0
+      pagefault_mr+0x9a5/0x1390 [mlx5_ib]
+
+  stack backtrace:
+  CPU: 14 UID: 0 PID: 219 Comm: kworker/u136:0 Not tainted
+  6.14.0-rc7_for_upstream_debug_2025_03_18_15_01 #1
+  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
+  rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+  Workqueue: mlx5_ib_page_fault mlx5_ib_eqe_pf_action [mlx5_ib]
+  Call Trace:
+   dump_stack_lvl+0xa8/0xc0
+   lockdep_rcu_suspicious+0x1e6/0x260
+   xas_create+0xb8a/0xee0
+   xas_store+0x73/0x14c0
+   __xa_store+0x13c/0x220
+   ? xa_store_range+0x390/0x390
+   ? spin_bug+0x1d0/0x1d0
+   pagefault_mr+0xcb5/0x1390 [mlx5_ib]
+   ? _raw_spin_unlock+0x1f/0x30
+   mlx5_ib_eqe_pf_action+0x3be/0x2620 [mlx5_ib]
+   ? lockdep_hardirqs_on_prepare+0x400/0x400
+   ? mlx5_ib_invalidate_range+0xcb0/0xcb0 [mlx5_ib]
+   process_one_work+0x7db/0x15f0
+   ? pwq_dec_nr_in_flight+0xda0/0xda0
+   ? assign_work+0x168/0x240
+   worker_thread+0x57d/0xcd0
+   ? rescuer_thread+0xc40/0xc40
+   kthread+0x3b3/0x800
+   ? kthread_is_per_cpu+0xb0/0xb0
+   ? lock_downgrade+0x680/0x680
+   ? do_raw_spin_lock+0x12d/0x270
+   ? spin_bug+0x1d0/0x1d0
+   ? finish_task_switch.isra.0+0x284/0x9e0
+   ? lockdep_hardirqs_on_prepare+0x284/0x400
+   ? kthread_is_per_cpu+0xb0/0xb0
+   ret_from_fork+0x2d/0x70
+   ? kthread_is_per_cpu+0xb0/0xb0
+   ret_from_fork_asm+0x11/0x20
+
+Fixes: d3d930411ce3 ("RDMA/mlx5: Fix implicit ODP use after free")
+Link: https://patch.msgid.link/r/a85ddd16f45c8cb2bc0a188c2b0fcedfce975eb8.1750061791.git.leon@kernel.org
+Signed-off-by: Or Har-Toov <ohartoov@nvidia.com>
+Reviewed-by: Patrisious Haddad <phaddad@nvidia.com>
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/odp.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/odp.c b/drivers/infiniband/hw/mlx5/odp.c
+index 86d8fa63bf691..4183bab753a39 100644
+--- a/drivers/infiniband/hw/mlx5/odp.c
++++ b/drivers/infiniband/hw/mlx5/odp.c
+@@ -247,8 +247,8 @@ static void destroy_unused_implicit_child_mr(struct mlx5_ib_mr *mr)
+       }
+       if (MLX5_CAP_ODP(mr_to_mdev(mr)->mdev, mem_page_fault))
+-              __xa_erase(&mr_to_mdev(mr)->odp_mkeys,
+-                         mlx5_base_mkey(mr->mmkey.key));
++              xa_erase(&mr_to_mdev(mr)->odp_mkeys,
++                       mlx5_base_mkey(mr->mmkey.key));
+       xa_unlock(&imr->implicit_children);
+       /* Freeing a MR is a sleeping operation, so bounce to a work queue */
+@@ -521,8 +521,8 @@ static struct mlx5_ib_mr *implicit_get_child_mr(struct mlx5_ib_mr *imr,
+       }
+       if (MLX5_CAP_ODP(dev->mdev, mem_page_fault)) {
+-              ret = __xa_store(&dev->odp_mkeys, mlx5_base_mkey(mr->mmkey.key),
+-                               &mr->mmkey, GFP_KERNEL);
++              ret = xa_store(&dev->odp_mkeys, mlx5_base_mkey(mr->mmkey.key),
++                             &mr->mmkey, GFP_KERNEL);
+               if (xa_is_err(ret)) {
+                       ret = ERR_PTR(xa_err(ret));
+                       __xa_erase(&imr->implicit_children, idx);
+-- 
+2.39.5
+
diff --git a/queue-6.15/rdma-mlx5-fix-vport-loopback-for-mpv-device.patch b/queue-6.15/rdma-mlx5-fix-vport-loopback-for-mpv-device.patch
new file mode 100644 (file)
index 0000000..0e4d5b9
--- /dev/null
@@ -0,0 +1,87 @@
+From 841df7d1b83ee4c0e14805cab20e2e8d3295a9a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Jun 2025 12:14:54 +0300
+Subject: RDMA/mlx5: Fix vport loopback for MPV device
+
+From: Patrisious Haddad <phaddad@nvidia.com>
+
+[ Upstream commit a9a9e68954f29b1e197663f76289db4879fd51bb ]
+
+Always enable vport loopback for both MPV devices on driver start.
+
+Previously in some cases related to MPV RoCE, packets weren't correctly
+executing loopback check at vport in FW, since it was disabled.
+Due to complexity of identifying such cases for MPV always enable vport
+loopback for both GVMIs when binding the slave to the master port.
+
+Fixes: 0042f9e458a5 ("RDMA/mlx5: Enable vport loopback when user context or QP mandate")
+Signed-off-by: Patrisious Haddad <phaddad@nvidia.com>
+Reviewed-by: Mark Bloch <mbloch@nvidia.com>
+Link: https://patch.msgid.link/d4298f5ebb2197459e9e7221c51ecd6a34699847.1750064969.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/main.c | 33 +++++++++++++++++++++++++++++++
+ 1 file changed, 33 insertions(+)
+
+diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c
+index d07cacaa0abd0..4ffe3afb560c9 100644
+--- a/drivers/infiniband/hw/mlx5/main.c
++++ b/drivers/infiniband/hw/mlx5/main.c
+@@ -1779,6 +1779,33 @@ static void deallocate_uars(struct mlx5_ib_dev *dev,
+                                            context->devx_uid);
+ }
++static int mlx5_ib_enable_lb_mp(struct mlx5_core_dev *master,
++                              struct mlx5_core_dev *slave)
++{
++      int err;
++
++      err = mlx5_nic_vport_update_local_lb(master, true);
++      if (err)
++              return err;
++
++      err = mlx5_nic_vport_update_local_lb(slave, true);
++      if (err)
++              goto out;
++
++      return 0;
++
++out:
++      mlx5_nic_vport_update_local_lb(master, false);
++      return err;
++}
++
++static void mlx5_ib_disable_lb_mp(struct mlx5_core_dev *master,
++                                struct mlx5_core_dev *slave)
++{
++      mlx5_nic_vport_update_local_lb(slave, false);
++      mlx5_nic_vport_update_local_lb(master, false);
++}
++
+ int mlx5_ib_enable_lb(struct mlx5_ib_dev *dev, bool td, bool qp)
+ {
+       int err = 0;
+@@ -3483,6 +3510,8 @@ static void mlx5_ib_unbind_slave_port(struct mlx5_ib_dev *ibdev,
+       lockdep_assert_held(&mlx5_ib_multiport_mutex);
++      mlx5_ib_disable_lb_mp(ibdev->mdev, mpi->mdev);
++
+       mlx5_core_mp_event_replay(ibdev->mdev,
+                                 MLX5_DRIVER_EVENT_AFFILIATION_REMOVED,
+                                 NULL);
+@@ -3578,6 +3607,10 @@ static bool mlx5_ib_bind_slave_port(struct mlx5_ib_dev *ibdev,
+                                 MLX5_DRIVER_EVENT_AFFILIATION_DONE,
+                                 &key);
++      err = mlx5_ib_enable_lb_mp(ibdev->mdev, mpi->mdev);
++      if (err)
++              goto unbind;
++
+       return true;
+ unbind:
+-- 
+2.39.5
+
diff --git a/queue-6.15/rdma-mlx5-initialize-obj_event-obj_sub_list-before-x.patch b/queue-6.15/rdma-mlx5-initialize-obj_event-obj_sub_list-before-x.patch
new file mode 100644 (file)
index 0000000..064f294
--- /dev/null
@@ -0,0 +1,100 @@
+From df41eb67cd49e55ec344be5bc740df8799aeedbf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jun 2025 11:13:55 +0300
+Subject: RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert
+
+From: Mark Zhang <markzhang@nvidia.com>
+
+[ Upstream commit 8edab8a72d67742f87e9dc2e2b0cdfddda5dc29a ]
+
+The obj_event may be loaded immediately after inserted, then if the
+list_head is not initialized then we may get a poisonous pointer.  This
+fixes the crash below:
+
+ mlx5_core 0000:03:00.0: MLX5E: StrdRq(1) RqSz(8) StrdSz(2048) RxCqeCmprss(0 enhanced)
+ mlx5_core.sf mlx5_core.sf.4: firmware version: 32.38.3056
+ mlx5_core 0000:03:00.0 en3f0pf0sf2002: renamed from eth0
+ mlx5_core.sf mlx5_core.sf.4: Rate limit: 127 rates are supported, range: 0Mbps to 195312Mbps
+ IPv6: ADDRCONF(NETDEV_CHANGE): en3f0pf0sf2002: link becomes ready
+ Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060
+ Mem abort info:
+   ESR = 0x96000006
+   EC = 0x25: DABT (current EL), IL = 32 bits
+   SET = 0, FnV = 0
+   EA = 0, S1PTW = 0
+ Data abort info:
+   ISV = 0, ISS = 0x00000006
+   CM = 0, WnR = 0
+ user pgtable: 4k pages, 48-bit VAs, pgdp=00000007760fb000
+ [0000000000000060] pgd=000000076f6d7003, p4d=000000076f6d7003, pud=0000000777841003, pmd=0000000000000000
+ Internal error: Oops: 96000006 [#1] SMP
+ Modules linked in: ipmb_host(OE) act_mirred(E) cls_flower(E) sch_ingress(E) mptcp_diag(E) udp_diag(E) raw_diag(E) unix_diag(E) tcp_diag(E) inet_diag(E) binfmt_misc(E) bonding(OE) rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) isofs(E) cdrom(E) mst_pciconf(OE) ib_umad(OE) mlx5_ib(OE) ipmb_dev_int(OE) mlx5_core(OE) kpatch_15237886(OEK) mlxdevm(OE) auxiliary(OE) ib_uverbs(OE) ib_core(OE) psample(E) mlxfw(OE) tls(E) sunrpc(E) vfat(E) fat(E) crct10dif_ce(E) ghash_ce(E) sha1_ce(E) sbsa_gwdt(E) virtio_console(E) ext4(E) mbcache(E) jbd2(E) xfs(E) libcrc32c(E) mmc_block(E) virtio_net(E) net_failover(E) failover(E) sha2_ce(E) sha256_arm64(E) nvme(OE) nvme_core(OE) gpio_mlxbf3(OE) mlx_compat(OE) mlxbf_pmc(OE) i2c_mlxbf(OE) sdhci_of_dwcmshc(OE) pinctrl_mlxbf3(OE) mlxbf_pka(OE) gpio_generic(E) i2c_core(E) mmc_core(E) mlxbf_gige(OE) vitesse(E) pwr_mlxbf(OE) mlxbf_tmfifo(OE) micrel(E) mlxbf_bootctl(OE) virtio_ring(E) virtio(E) ipmi_devintf(E) ipmi_msghandler(E)
+  [last unloaded: mst_pci]
+ CPU: 11 PID: 20913 Comm: rte-worker-11 Kdump: loaded Tainted: G           OE K   5.10.134-13.1.an8.aarch64 #1
+ Hardware name: https://www.mellanox.com BlueField-3 SmartNIC Main Card/BlueField-3 SmartNIC Main Card, BIOS 4.2.2.12968 Oct 26 2023
+ pstate: a0400089 (NzCv daIf +PAN -UAO -TCO BTYPE=--)
+ pc : dispatch_event_fd+0x68/0x300 [mlx5_ib]
+ lr : devx_event_notifier+0xcc/0x228 [mlx5_ib]
+ sp : ffff80001005bcf0
+ x29: ffff80001005bcf0 x28: 0000000000000001
+ x27: ffff244e0740a1d8 x26: ffff244e0740a1d0
+ x25: ffffda56beff5ae0 x24: ffffda56bf911618
+ x23: ffff244e0596a480 x22: ffff244e0596a480
+ x21: ffff244d8312ad90 x20: ffff244e0596a480
+ x19: fffffffffffffff0 x18: 0000000000000000
+ x17: 0000000000000000 x16: ffffda56be66d620
+ x15: 0000000000000000 x14: 0000000000000000
+ x13: 0000000000000000 x12: 0000000000000000
+ x11: 0000000000000040 x10: ffffda56bfcafb50
+ x9 : ffffda5655c25f2c x8 : 0000000000000010
+ x7 : 0000000000000000 x6 : ffff24545a2e24b8
+ x5 : 0000000000000003 x4 : ffff80001005bd28
+ x3 : 0000000000000000 x2 : 0000000000000000
+ x1 : ffff244e0596a480 x0 : ffff244d8312ad90
+ Call trace:
+  dispatch_event_fd+0x68/0x300 [mlx5_ib]
+  devx_event_notifier+0xcc/0x228 [mlx5_ib]
+  atomic_notifier_call_chain+0x58/0x80
+  mlx5_eq_async_int+0x148/0x2b0 [mlx5_core]
+  atomic_notifier_call_chain+0x58/0x80
+  irq_int_handler+0x20/0x30 [mlx5_core]
+  __handle_irq_event_percpu+0x60/0x220
+  handle_irq_event_percpu+0x3c/0x90
+  handle_irq_event+0x58/0x158
+  handle_fasteoi_irq+0xfc/0x188
+  generic_handle_irq+0x34/0x48
+  ...
+
+Fixes: 759738537142 ("IB/mlx5: Enable subscription for device events over DEVX")
+Link: https://patch.msgid.link/r/3ce7f20e0d1a03dc7de6e57494ec4b8eaf1f05c2.1750147949.git.leon@kernel.org
+Signed-off-by: Mark Zhang <markzhang@nvidia.com>
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/devx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/devx.c b/drivers/infiniband/hw/mlx5/devx.c
+index bceae1c1f9801..843dcd3122424 100644
+--- a/drivers/infiniband/hw/mlx5/devx.c
++++ b/drivers/infiniband/hw/mlx5/devx.c
+@@ -1958,6 +1958,7 @@ subscribe_event_xa_alloc(struct mlx5_devx_event_table *devx_event_table,
+                       /* Level1 is valid for future use, no need to free */
+                       return -ENOMEM;
++              INIT_LIST_HEAD(&obj_event->obj_sub_list);
+               err = xa_insert(&event->object_ids,
+                               key_level2,
+                               obj_event,
+@@ -1966,7 +1967,6 @@ subscribe_event_xa_alloc(struct mlx5_devx_event_table *devx_event_table,
+                       kfree(obj_event);
+                       return err;
+               }
+-              INIT_LIST_HEAD(&obj_event->obj_sub_list);
+       }
+       return 0;
+-- 
+2.39.5
+
diff --git a/queue-6.15/rdma-mlx5-reduce-stack-usage-in-mlx5_ib_ufile_hw_cle.patch b/queue-6.15/rdma-mlx5-reduce-stack-usage-in-mlx5_ib_ufile_hw_cle.patch
new file mode 100644 (file)
index 0000000..4cb666b
--- /dev/null
@@ -0,0 +1,65 @@
+From 9b051f105741f5e2b93fc555116400487585f0bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Jun 2025 11:28:42 +0200
+Subject: RDMA/mlx5: reduce stack usage in mlx5_ib_ufile_hw_cleanup
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit b26852daaa83f535109253d114426d1fa674155d ]
+
+This function has an array of eight mlx5_async_cmd structures, which
+often fits on the stack, but depending on the configuration can
+end up blowing the stack frame warning limit:
+
+drivers/infiniband/hw/mlx5/devx.c:2670:6: error: stack frame size (1392) exceeds limit (1280) in 'mlx5_ib_ufile_hw_cleanup' [-Werror,-Wframe-larger-than]
+
+Change this to a dynamic allocation instead. While a kmalloc()
+can theoretically fail, a GFP_KERNEL allocation under a page will
+block until memory has been freed up, so in the worst case, this
+only adds extra time in an already constrained environment.
+
+Fixes: 7c891a4dbcc1 ("RDMA/mlx5: Add implementation for ufile_hw_cleanup device operation")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://patch.msgid.link/20250610092846.2642535-1-arnd@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/devx.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/devx.c b/drivers/infiniband/hw/mlx5/devx.c
+index 2479da8620ca9..bceae1c1f9801 100644
+--- a/drivers/infiniband/hw/mlx5/devx.c
++++ b/drivers/infiniband/hw/mlx5/devx.c
+@@ -2669,7 +2669,7 @@ static void devx_wait_async_destroy(struct mlx5_async_cmd *cmd)
+ void mlx5_ib_ufile_hw_cleanup(struct ib_uverbs_file *ufile)
+ {
+-      struct mlx5_async_cmd async_cmd[MAX_ASYNC_CMDS];
++      struct mlx5_async_cmd *async_cmd;
+       struct ib_ucontext *ucontext = ufile->ucontext;
+       struct ib_device *device = ucontext->device;
+       struct mlx5_ib_dev *dev = to_mdev(device);
+@@ -2678,6 +2678,10 @@ void mlx5_ib_ufile_hw_cleanup(struct ib_uverbs_file *ufile)
+       int head = 0;
+       int tail = 0;
++      async_cmd = kcalloc(MAX_ASYNC_CMDS, sizeof(*async_cmd), GFP_KERNEL);
++      if (!async_cmd)
++              return;
++
+       list_for_each_entry(uobject, &ufile->uobjects, list) {
+               WARN_ON(uverbs_try_lock_object(uobject, UVERBS_LOOKUP_WRITE));
+@@ -2713,6 +2717,8 @@ void mlx5_ib_ufile_hw_cleanup(struct ib_uverbs_file *ufile)
+               devx_wait_async_destroy(&async_cmd[head % MAX_ASYNC_CMDS]);
+               head++;
+       }
++
++      kfree(async_cmd);
+ }
+ static ssize_t devx_async_cmd_event_read(struct file *filp, char __user *buf,
+-- 
+2.39.5
+
diff --git a/queue-6.15/regulator-fan53555-add-enable_time-support-and-soft-.patch b/queue-6.15/regulator-fan53555-add-enable_time-support-and-soft-.patch
new file mode 100644 (file)
index 0000000..6f527f9
--- /dev/null
@@ -0,0 +1,149 @@
+From bb65f4f470327fbbd758947257329973777048e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Jun 2025 21:04:18 +0200
+Subject: regulator: fan53555: add enable_time support and soft-start times
+
+From: Heiko Stuebner <heiko@sntech.de>
+
+[ Upstream commit 8acfb165a492251a08a22a4fa6497a131e8c2609 ]
+
+The datasheets for all the fan53555 variants (and clones using the same
+interface) define so called soft start times, from enabling the regulator
+until at least some percentage of the output (i.e. 92% for the rk860x
+types) are available.
+
+The regulator framework supports this with the enable_time property
+but currently the fan53555 driver does not define enable_times for any
+variant.
+
+I ran into a problem with this while testing the new driver for the
+Rockchip NPUs (rocket), which does runtime-pm including disabling and
+enabling a rk8602 as needed. When reenabling the regulator while running
+a load, fatal hangs could be observed while enabling the associated
+power-domain, which the regulator supplies.
+
+Experimentally setting the regulator to always-on, made the issue
+disappear, leading to the missing delay to let power stabilize.
+And as expected, setting the enable-time to a non-zero value
+according to the datasheet also resolved the regulator-issue.
+
+The datasheets in nearly all cases only specify "typical" values,
+except for the fan53555 type 08. There both a typical and maximum
+value are listed - 40uS apart.
+
+For all typical values I've added 100uS to be on the safe side.
+Individual details for the relevant regulators below:
+
+- fan53526:
+  The datasheet for all variants lists a typical value of 150uS, so
+  make that 250uS with safety margin.
+- fan53555:
+  types 08 and 18 (unsupported) are given a typical enable time of 135uS
+  but also a maximum of 175uS so use that value. All the other types only
+  have a typical time in the datasheet of 300uS, so give a bit margin by
+  setting it to 400uS.
+- rk8600 + rk8602:
+  Datasheet reports a typical value of 260us, so use 360uS to be safe.
+- syr82x + syr83x:
+  All datasheets report typical soft-start values of 300uS for these
+  regulators, so use 400uS.
+- tcs452x:
+  Datasheet sadly does not report a soft-start time, so I've not set
+  an enable-time
+
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://patch.msgid.link/20250606190418.478633-1-heiko@sntech.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/fan53555.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/regulator/fan53555.c b/drivers/regulator/fan53555.c
+index bd9447dac5967..c282236959b18 100644
+--- a/drivers/regulator/fan53555.c
++++ b/drivers/regulator/fan53555.c
+@@ -147,6 +147,7 @@ struct fan53555_device_info {
+       unsigned int slew_mask;
+       const unsigned int *ramp_delay_table;
+       unsigned int n_ramp_values;
++      unsigned int enable_time;
+       unsigned int slew_rate;
+ };
+@@ -282,6 +283,7 @@ static int fan53526_voltages_setup_fairchild(struct fan53555_device_info *di)
+       di->slew_mask = CTL_SLEW_MASK;
+       di->ramp_delay_table = slew_rates;
+       di->n_ramp_values = ARRAY_SIZE(slew_rates);
++      di->enable_time = 250;
+       di->vsel_count = FAN53526_NVOLTAGES;
+       return 0;
+@@ -296,10 +298,12 @@ static int fan53555_voltages_setup_fairchild(struct fan53555_device_info *di)
+               case FAN53555_CHIP_REV_00:
+                       di->vsel_min = 600000;
+                       di->vsel_step = 10000;
++                      di->enable_time = 400;
+                       break;
+               case FAN53555_CHIP_REV_13:
+                       di->vsel_min = 800000;
+                       di->vsel_step = 10000;
++                      di->enable_time = 400;
+                       break;
+               default:
+                       dev_err(di->dev,
+@@ -311,13 +315,19 @@ static int fan53555_voltages_setup_fairchild(struct fan53555_device_info *di)
+       case FAN53555_CHIP_ID_01:
+       case FAN53555_CHIP_ID_03:
+       case FAN53555_CHIP_ID_05:
++              di->vsel_min = 600000;
++              di->vsel_step = 10000;
++              di->enable_time = 400;
++              break;
+       case FAN53555_CHIP_ID_08:
+               di->vsel_min = 600000;
+               di->vsel_step = 10000;
++              di->enable_time = 175;
+               break;
+       case FAN53555_CHIP_ID_04:
+               di->vsel_min = 603000;
+               di->vsel_step = 12826;
++              di->enable_time = 400;
+               break;
+       default:
+               dev_err(di->dev,
+@@ -350,6 +360,7 @@ static int fan53555_voltages_setup_rockchip(struct fan53555_device_info *di)
+       di->slew_mask = CTL_SLEW_MASK;
+       di->ramp_delay_table = slew_rates;
+       di->n_ramp_values = ARRAY_SIZE(slew_rates);
++      di->enable_time = 360;
+       di->vsel_count = FAN53555_NVOLTAGES;
+       return 0;
+@@ -372,6 +383,7 @@ static int rk8602_voltages_setup_rockchip(struct fan53555_device_info *di)
+       di->slew_mask = CTL_SLEW_MASK;
+       di->ramp_delay_table = slew_rates;
+       di->n_ramp_values = ARRAY_SIZE(slew_rates);
++      di->enable_time = 360;
+       di->vsel_count = RK8602_NVOLTAGES;
+       return 0;
+@@ -395,6 +407,7 @@ static int fan53555_voltages_setup_silergy(struct fan53555_device_info *di)
+       di->slew_mask = CTL_SLEW_MASK;
+       di->ramp_delay_table = slew_rates;
+       di->n_ramp_values = ARRAY_SIZE(slew_rates);
++      di->enable_time = 400;
+       di->vsel_count = FAN53555_NVOLTAGES;
+       return 0;
+@@ -594,6 +607,7 @@ static int fan53555_regulator_register(struct fan53555_device_info *di,
+       rdesc->ramp_mask = di->slew_mask;
+       rdesc->ramp_delay_table = di->ramp_delay_table;
+       rdesc->n_ramp_values = di->n_ramp_values;
++      rdesc->enable_time = di->enable_time;
+       rdesc->owner = THIS_MODULE;
+       rdev = devm_regulator_register(di->dev, &di->desc, config);
+-- 
+2.39.5
+
diff --git a/queue-6.15/rose-fix-dangling-neighbour-pointers-in-rose_rt_devi.patch b/queue-6.15/rose-fix-dangling-neighbour-pointers-in-rose_rt_devi.patch
new file mode 100644 (file)
index 0000000..d849b22
--- /dev/null
@@ -0,0 +1,84 @@
+From bde5eeed317a4249dff5ce8a4b947b5f60204656 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 29 Jun 2025 12:06:31 +0900
+Subject: rose: fix dangling neighbour pointers in rose_rt_device_down()
+
+From: Kohei Enju <enjuk@amazon.com>
+
+[ Upstream commit 34a500caf48c47d5171f4aa1f237da39b07c6157 ]
+
+There are two bugs in rose_rt_device_down() that can cause
+use-after-free:
+
+1. The loop bound `t->count` is modified within the loop, which can
+   cause the loop to terminate early and miss some entries.
+
+2. When removing an entry from the neighbour array, the subsequent entries
+   are moved up to fill the gap, but the loop index `i` is still
+   incremented, causing the next entry to be skipped.
+
+For example, if a node has three neighbours (A, A, B) with count=3 and A
+is being removed, the second A is not checked.
+
+    i=0: (A, A, B) -> (A, B) with count=2
+          ^ checked
+    i=1: (A, B)    -> (A, B) with count=2
+             ^ checked (B, not A!)
+    i=2: (doesn't occur because i < count is false)
+
+This leaves the second A in the array with count=2, but the rose_neigh
+structure has been freed. Code that accesses these entries assumes that
+the first `count` entries are valid pointers, causing a use-after-free
+when it accesses the dangling pointer.
+
+Fix both issues by iterating over the array in reverse order with a fixed
+loop bound. This ensures that all entries are examined and that the removal
+of an entry doesn't affect subsequent iterations.
+
+Reported-by: syzbot+e04e2c007ba2c80476cb@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=e04e2c007ba2c80476cb
+Tested-by: syzbot+e04e2c007ba2c80476cb@syzkaller.appspotmail.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kohei Enju <enjuk@amazon.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250629030833.6680-1-enjuk@amazon.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rose/rose_route.c | 15 ++++-----------
+ 1 file changed, 4 insertions(+), 11 deletions(-)
+
+diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
+index 2dd6bd3a3011f..b72bf8a08d489 100644
+--- a/net/rose/rose_route.c
++++ b/net/rose/rose_route.c
+@@ -497,22 +497,15 @@ void rose_rt_device_down(struct net_device *dev)
+                       t         = rose_node;
+                       rose_node = rose_node->next;
+-                      for (i = 0; i < t->count; i++) {
++                      for (i = t->count - 1; i >= 0; i--) {
+                               if (t->neighbour[i] != s)
+                                       continue;
+                               t->count--;
+-                              switch (i) {
+-                              case 0:
+-                                      t->neighbour[0] = t->neighbour[1];
+-                                      fallthrough;
+-                              case 1:
+-                                      t->neighbour[1] = t->neighbour[2];
+-                                      break;
+-                              case 2:
+-                                      break;
+-                              }
++                              memmove(&t->neighbour[i], &t->neighbour[i + 1],
++                                      sizeof(t->neighbour[0]) *
++                                              (t->count - i));
+                       }
+                       if (t->count <= 0)
+-- 
+2.39.5
+
diff --git a/queue-6.15/scsi-core-enforce-unlimited-max_segment_size-when-vi.patch b/queue-6.15/scsi-core-enforce-unlimited-max_segment_size-when-vi.patch
new file mode 100644 (file)
index 0000000..34b40f1
--- /dev/null
@@ -0,0 +1,83 @@
+From c317f60ff1e8151ed1431177d05d5ed5eb3fbcfa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jun 2025 14:52:28 +0200
+Subject: scsi: core: Enforce unlimited max_segment_size when
+ virt_boundary_mask is set
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit 4937e604ca24c41cae3296d069c871c2f3f519c8 ]
+
+The virt_boundary_mask limit requires an unlimited max_segment_size for
+bio splitting to not corrupt data.  Historically, the block layer tried
+to validate this, although the check was half-hearted until the addition
+of the atomic queue limits API.  The full blown check then triggered
+issues with stacked devices incorrectly inheriting limits such as the
+virt boundary and got disabled in commit b561ea56a264 ("block: allow
+device to have both virt_boundary_mask and max segment size") instead of
+fixing the issue properly.
+
+Ensure that the SCSI mid layer doesn't set the default low
+max_segment_size limit for this case, and check for invalid
+max_segment_size values in the host template, similar to the original
+block layer check given that SCSI devices can't be stacked.
+
+This fixes reported data corruption on storvsc, although as far as I can
+tell storvsc always failed to properly set the max_segment_size limit as
+the SCSI APIs historically applied that when setting up the host, while
+storvsc only set the virt_boundary_mask when configuring the scsi_device.
+
+Fixes: 81988a0e6b03 ("storvsc: get rid of bounce buffer")
+Fixes: b561ea56a264 ("block: allow device to have both virt_boundary_mask and max segment size")
+Reported-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20250624125233.219635-3-hch@lst.de
+Reviewed-by: John Garry <john.g.garry@oracle.com>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/hosts.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
+index e021f1106beab..cc5d05dc395c4 100644
+--- a/drivers/scsi/hosts.c
++++ b/drivers/scsi/hosts.c
+@@ -473,10 +473,17 @@ struct Scsi_Host *scsi_host_alloc(const struct scsi_host_template *sht, int priv
+       else
+               shost->max_sectors = SCSI_DEFAULT_MAX_SECTORS;
+-      if (sht->max_segment_size)
+-              shost->max_segment_size = sht->max_segment_size;
+-      else
+-              shost->max_segment_size = BLK_MAX_SEGMENT_SIZE;
++      shost->virt_boundary_mask = sht->virt_boundary_mask;
++      if (shost->virt_boundary_mask) {
++              WARN_ON_ONCE(sht->max_segment_size &&
++                           sht->max_segment_size != UINT_MAX);
++              shost->max_segment_size = UINT_MAX;
++      } else {
++              if (sht->max_segment_size)
++                      shost->max_segment_size = sht->max_segment_size;
++              else
++                      shost->max_segment_size = BLK_MAX_SEGMENT_SIZE;
++      }
+       /* 32-byte (dword) is a common minimum for HBAs. */
+       if (sht->dma_alignment)
+@@ -492,9 +499,6 @@ struct Scsi_Host *scsi_host_alloc(const struct scsi_host_template *sht, int priv
+       else
+               shost->dma_boundary = 0xffffffff;
+-      if (sht->virt_boundary_mask)
+-              shost->virt_boundary_mask = sht->virt_boundary_mask;
+-
+       device_initialize(&shost->shost_gendev);
+       dev_set_name(&shost->shost_gendev, "host%d", shost->host_no);
+       shost->shost_gendev.bus = &scsi_bus_type;
+-- 
+2.39.5
+
diff --git a/queue-6.15/scsi-qla2xxx-fix-dma-mapping-test-in-qla24xx_get_por.patch b/queue-6.15/scsi-qla2xxx-fix-dma-mapping-test-in-qla24xx_get_por.patch
new file mode 100644 (file)
index 0000000..32261dd
--- /dev/null
@@ -0,0 +1,38 @@
+From 42a157fed15df280a15bd1cd1f771977828d9c3d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jun 2025 18:11:11 +0200
+Subject: scsi: qla2xxx: Fix DMA mapping test in qla24xx_get_port_database()
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit c3b214719a87735d4f67333a8ef3c0e31a34837c ]
+
+dma_map_XXX() functions return as error values DMA_MAPPING_ERROR which is
+often ~0.  The error value should be tested with dma_mapping_error() like
+it was done in qla26xx_dport_diagnostics().
+
+Fixes: 818c7f87a177 ("scsi: qla2xxx: Add changes in preparation for vendor extended FDMI/RDP")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://lore.kernel.org/r/20250617161115.39888-2-fourier.thomas@gmail.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_mbx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_mbx.c b/drivers/scsi/qla2xxx/qla_mbx.c
+index 0cd6f3e148824..13b6cb1b93acd 100644
+--- a/drivers/scsi/qla2xxx/qla_mbx.c
++++ b/drivers/scsi/qla2xxx/qla_mbx.c
+@@ -2147,7 +2147,7 @@ qla24xx_get_port_database(scsi_qla_host_t *vha, u16 nport_handle,
+       pdb_dma = dma_map_single(&vha->hw->pdev->dev, pdb,
+           sizeof(*pdb), DMA_FROM_DEVICE);
+-      if (!pdb_dma) {
++      if (dma_mapping_error(&vha->hw->pdev->dev, pdb_dma)) {
+               ql_log(ql_log_warn, vha, 0x1116, "Failed to map dma buffer.\n");
+               return QLA_MEMORY_ALLOC_FAILED;
+       }
+-- 
+2.39.5
+
diff --git a/queue-6.15/scsi-qla4xxx-fix-missing-dma-mapping-error-in-qla4xx.patch b/queue-6.15/scsi-qla4xxx-fix-missing-dma-mapping-error-in-qla4xx.patch
new file mode 100644 (file)
index 0000000..c8c7057
--- /dev/null
@@ -0,0 +1,37 @@
+From cb5d7123c50c9f4121fbdf1fda03011e41d267d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 09:17:37 +0200
+Subject: scsi: qla4xxx: Fix missing DMA mapping error in qla4xxx_alloc_pdu()
+
+From: Thomas Fourier <fourier.thomas@gmail.com>
+
+[ Upstream commit 00f452a1b084efbe8dcb60a29860527944a002a1 ]
+
+dma_map_XXX() can fail and should be tested for errors with
+dma_mapping_error().
+
+Fixes: b3a271a94d00 ("[SCSI] qla4xxx: support iscsiadm session mgmt")
+Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
+Link: https://lore.kernel.org/r/20250618071742.21822-2-fourier.thomas@gmail.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla4xxx/ql4_os.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c
+index d540d66e6ffc4..80c4b4e7526b1 100644
+--- a/drivers/scsi/qla4xxx/ql4_os.c
++++ b/drivers/scsi/qla4xxx/ql4_os.c
+@@ -3420,6 +3420,8 @@ static int qla4xxx_alloc_pdu(struct iscsi_task *task, uint8_t opcode)
+               task_data->data_dma = dma_map_single(&ha->pdev->dev, task->data,
+                                                    task->data_count,
+                                                    DMA_TO_DEVICE);
++              if (dma_mapping_error(&ha->pdev->dev, task_data->data_dma))
++                      return -ENOMEM;
+       }
+       DEBUG2(ql4_printk(KERN_INFO, ha, "%s: MaxRecvLen %u, iscsi hrd %d\n",
+-- 
+2.39.5
+
diff --git a/queue-6.15/scsi-sd-fix-vpd-page-0xb7-length-check.patch b/queue-6.15/scsi-sd-fix-vpd-page-0xb7-length-check.patch
new file mode 100644 (file)
index 0000000..93761d2
--- /dev/null
@@ -0,0 +1,47 @@
+From 6ec0a3e1dd82f33fe053ab5593385a0542890c8a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Jun 2025 12:03:02 +0800
+Subject: scsi: sd: Fix VPD page 0xb7 length check
+
+From: jackysliu <1972843537@qq.com>
+
+[ Upstream commit 8889676cd62161896f1d861ce294adc29c4f2cb5 ]
+
+sd_read_block_limits_ext() currently assumes that vpd->len excludes the
+size of the page header. However, vpd->len describes the size of the entire
+VPD page, therefore the sanity check is incorrect.
+
+In practice this is not really a problem since we don't attach VPD
+pages unless they actually report data trailing the header. But fix
+the length check regardless.
+
+This issue was identified by Wukong-Agent (formerly Tencent Woodpecker), a
+code security AI agent, through static code analysis.
+
+[mkp: rewrote patch description]
+
+Signed-off-by: jackysliu <1972843537@qq.com>
+Link: https://lore.kernel.org/r/tencent_ADA5210D1317EEB6CD7F3DE9FE9DA4591D05@qq.com
+Fixes: 96b171d6dba6 ("scsi: core: Query the Block Limits Extension VPD page")
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/sd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
+index 950d8c9fb8843..89d5c4b17bc46 100644
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -3384,7 +3384,7 @@ static void sd_read_block_limits_ext(struct scsi_disk *sdkp)
+       rcu_read_lock();
+       vpd = rcu_dereference(sdkp->device->vpd_pgb7);
+-      if (vpd && vpd->len >= 2)
++      if (vpd && vpd->len >= 6)
+               sdkp->rscs = vpd->data[5] & 1;
+       rcu_read_unlock();
+ }
+-- 
+2.39.5
+
diff --git a/queue-6.15/scsi-target-fix-null-pointer-dereference-in-core_scs.patch b/queue-6.15/scsi-target-fix-null-pointer-dereference-in-core_scs.patch
new file mode 100644 (file)
index 0000000..6925251
--- /dev/null
@@ -0,0 +1,56 @@
+From 9765587c6fc7c5795fa7c317d189b5bc41b2e65d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Jun 2025 12:15:56 +0200
+Subject: scsi: target: Fix NULL pointer dereference in
+ core_scsi3_decode_spec_i_port()
+
+From: Maurizio Lombardi <mlombard@redhat.com>
+
+[ Upstream commit d8ab68bdb294b09a761e967dad374f2965e1913f ]
+
+The function core_scsi3_decode_spec_i_port(), in its error code path,
+unconditionally calls core_scsi3_lunacl_undepend_item() passing the
+dest_se_deve pointer, which may be NULL.
+
+This can lead to a NULL pointer dereference if dest_se_deve remains
+unset.
+
+SPC-3 PR SPEC_I_PT: Unable to locate dest_tpg
+Unable to handle kernel paging request at virtual address dfff800000000012
+Call trace:
+  core_scsi3_lunacl_undepend_item+0x2c/0xf0 [target_core_mod] (P)
+  core_scsi3_decode_spec_i_port+0x120c/0x1c30 [target_core_mod]
+  core_scsi3_emulate_pro_register+0x6b8/0xcd8 [target_core_mod]
+  target_scsi3_emulate_pr_out+0x56c/0x840 [target_core_mod]
+
+Fix this by adding a NULL check before calling
+core_scsi3_lunacl_undepend_item()
+
+Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
+Link: https://lore.kernel.org/r/20250612101556.24829-1-mlombard@redhat.com
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Reviewed-by: John Meneghini <jmeneghi@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/target_core_pr.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/target/target_core_pr.c b/drivers/target/target_core_pr.c
+index 34cf2c399b399..70905805cb175 100644
+--- a/drivers/target/target_core_pr.c
++++ b/drivers/target/target_core_pr.c
+@@ -1842,7 +1842,9 @@ core_scsi3_decode_spec_i_port(
+               }
+               kmem_cache_free(t10_pr_reg_cache, dest_pr_reg);
+-              core_scsi3_lunacl_undepend_item(dest_se_deve);
++
++              if (dest_se_deve)
++                      core_scsi3_lunacl_undepend_item(dest_se_deve);
+               if (is_local)
+                       continue;
+-- 
+2.39.5
+
diff --git a/queue-6.15/scsi-ufs-core-fix-spelling-of-a-sysfs-attribute-name.patch b/queue-6.15/scsi-ufs-core-fix-spelling-of-a-sysfs-attribute-name.patch
new file mode 100644 (file)
index 0000000..d471b3f
--- /dev/null
@@ -0,0 +1,60 @@
+From 2f064207c5d462966591913fbaad9e4cef5bf337 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Jun 2025 11:16:44 -0700
+Subject: scsi: ufs: core: Fix spelling of a sysfs attribute name
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit 021f243627ead17eb6500170256d3d9be787dad8 ]
+
+Change "resourse" into "resource" in the name of a sysfs attribute.
+
+Fixes: d829fc8a1058 ("scsi: ufs: sysfs: unit descriptor")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://lore.kernel.org/r/20250624181658.336035-1-bvanassche@acm.org
+Reviewed-by: Avri Altman <avri.altman@sandisk.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/ABI/testing/sysfs-driver-ufs | 2 +-
+ drivers/ufs/core/ufs-sysfs.c               | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/Documentation/ABI/testing/sysfs-driver-ufs b/Documentation/ABI/testing/sysfs-driver-ufs
+index e36d2de16cbda..0397664e869a0 100644
+--- a/Documentation/ABI/testing/sysfs-driver-ufs
++++ b/Documentation/ABI/testing/sysfs-driver-ufs
+@@ -711,7 +711,7 @@ Description:       This file shows the thin provisioning type. This is one of
+               The file is read only.
+-What:         /sys/class/scsi_device/*/device/unit_descriptor/physical_memory_resourse_count
++What:         /sys/class/scsi_device/*/device/unit_descriptor/physical_memory_resource_count
+ Date:         February 2018
+ Contact:      Stanislav Nijnikov <stanislav.nijnikov@wdc.com>
+ Description:  This file shows the total physical memory resources. This is
+diff --git a/drivers/ufs/core/ufs-sysfs.c b/drivers/ufs/core/ufs-sysfs.c
+index 634cf163f4cb1..c53f924f7fa83 100644
+--- a/drivers/ufs/core/ufs-sysfs.c
++++ b/drivers/ufs/core/ufs-sysfs.c
+@@ -1675,7 +1675,7 @@ UFS_UNIT_DESC_PARAM(logical_block_size, _LOGICAL_BLK_SIZE, 1);
+ UFS_UNIT_DESC_PARAM(logical_block_count, _LOGICAL_BLK_COUNT, 8);
+ UFS_UNIT_DESC_PARAM(erase_block_size, _ERASE_BLK_SIZE, 4);
+ UFS_UNIT_DESC_PARAM(provisioning_type, _PROVISIONING_TYPE, 1);
+-UFS_UNIT_DESC_PARAM(physical_memory_resourse_count, _PHY_MEM_RSRC_CNT, 8);
++UFS_UNIT_DESC_PARAM(physical_memory_resource_count, _PHY_MEM_RSRC_CNT, 8);
+ UFS_UNIT_DESC_PARAM(context_capabilities, _CTX_CAPABILITIES, 2);
+ UFS_UNIT_DESC_PARAM(large_unit_granularity, _LARGE_UNIT_SIZE_M1, 1);
+ UFS_UNIT_DESC_PARAM(wb_buf_alloc_units, _WB_BUF_ALLOC_UNITS, 4);
+@@ -1692,7 +1692,7 @@ static struct attribute *ufs_sysfs_unit_descriptor[] = {
+       &dev_attr_logical_block_count.attr,
+       &dev_attr_erase_block_size.attr,
+       &dev_attr_provisioning_type.attr,
+-      &dev_attr_physical_memory_resourse_count.attr,
++      &dev_attr_physical_memory_resource_count.attr,
+       &dev_attr_context_capabilities.attr,
+       &dev_attr_large_unit_granularity.attr,
+       &dev_attr_wb_buf_alloc_units.attr,
+-- 
+2.39.5
+
index c5dcff0bd231d256b345a55ca31fa319d4f5b253..c974e338a5fdd80b1dc07ef72a4b37d7bb24b721 100644 (file)
@@ -30,3 +30,111 @@ mtk-sd-fix-a-pagefault-in-dma_unmap_sg-for-not-prepared-data.patch
 mtk-sd-prevent-memory-corruption-from-dma-map-failure.patch
 mtk-sd-reset-host-mrq-on-prepare_data-error.patch
 drm-v3d-disable-interrupts-before-resetting-the-gpu.patch
+firmware-arm_ffa-fix-memory-leak-by-freeing-notifier.patch
+firmware-arm_ffa-move-memory-allocation-outside-the-.patch
+firmware-arm_ffa-replace-mutex-with-rwlock-to-avoid-.patch
+firmware-arm_ffa-fix-the-missing-entry-in-struct-ffa.patch
+firmware-exynos-acpm-fix-timeouts-on-xfers-handling.patch
+rdma-mlx5-reduce-stack-usage-in-mlx5_ib_ufile_hw_cle.patch
+arm64-dts-apple-t8103-fix-pcie-bcm4377-nodename.patch
+arm64-dts-apple-drop-address-size-cells-from-spi-nor.patch
+arm64-dts-apple-move-touchbar-mipi-address-size-cell.patch
+platform-mellanox-mlxbf-tmfifo-fix-vring_desc.len-as.patch
+rdma-mlx5-fix-unsafe-xarray-access-in-implicit-odp-h.patch
+rdma-mlx5-initialize-obj_event-obj_sub_list-before-x.patch
+module-provide-export_symbol_gpl_for_modules-helper.patch
+fs-export-anon_inode_make_secure_inode-and-fix-secre.patch
+nfs-clean-up-proc-net-rpc-nfs-when-nfs_fs_proc_net_i.patch
+nfsv4-pnfs-fix-a-race-to-wake-on-nfs_layout_drain.patch
+scsi-qla2xxx-fix-dma-mapping-test-in-qla24xx_get_por.patch
+scsi-qla4xxx-fix-missing-dma-mapping-error-in-qla4xx.patch
+scsi-sd-fix-vpd-page-0xb7-length-check.patch
+scsi-core-enforce-unlimited-max_segment_size-when-vi.patch
+scsi-ufs-core-fix-spelling-of-a-sysfs-attribute-name.patch
+ib-mlx5-fix-potential-deadlock-in-mr-deregistration.patch
+rdma-mlx5-fix-hw-counters-query-for-non-representor-.patch
+rdma-mlx5-fix-cc-counters-query-for-mpv.patch
+rdma-mlx5-fix-vport-loopback-for-mpv-device.patch
+platform-mellanox-mlxbf-pmc-fix-duplicate-event-id-f.patch
+platform-mellanox-nvsw-sn2201-fix-bus-number-in-adap.patch
+platform-x86-wmi-fix-wmi-event-enablement.patch
+flexfiles-pnfs-update-stats-on-nfs4err_delay-for-v4..patch
+nfsv4-flexfiles-fix-handling-of-nfs-level-errors-in-.patch
+bluetooth-prevent-unintended-pause-by-checking-if-ad.patch
+btrfs-fix-failure-to-rebuild-free-space-tree-using-m.patch
+btrfs-fix-missing-error-handling-when-searching-for-.patch
+btrfs-fix-iteration-of-extrefs-during-log-replay.patch
+btrfs-fix-inode-lookup-error-handling-during-log-rep.patch
+btrfs-record-new-subvolume-in-parent-dir-earlier-to-.patch
+btrfs-propagate-last_unlink_trans-earlier-when-doing.patch
+btrfs-use-btrfs_record_snapshot_destroy-during-rmdir.patch
+ethernet-atl1-add-missing-dma-mapping-error-checks-a.patch
+dpaa2-eth-fix-xdp_rxq_info-leak.patch
+drm-exynos-fimd-guard-display-clock-control-with-run.patch
+spi-spi-qpic-snand-reallocate-bam-transactions.patch
+spi-spi-fsl-dspi-clear-completion-counter-before-ini.patch
+drm-i915-selftests-change-mock_request-to-return-err.patch
+nvme-fix-incorrect-cdw15-value-in-passthru-error-log.patch
+nvmet-fix-memory-leak-of-bio-integrity.patch
+nvme-pci-refresh-visible-attrs-after-being-checked.patch
+platform-x86-dell-wmi-sysman-fix-wmi-data-block-retr.patch
+platform-x86-hp-bioscfg-fix-class-device-unregistrat.patch
+platform-x86-think-lmi-fix-class-device-unregistrati.patch
+platform-x86-dell-wmi-sysman-fix-class-device-unregi.patch
+platform-mellanox-mlxreg-lc-fix-logic-error-in-power.patch
+drm-bridge-panel-move-prepare_prev_first-handling-to.patch
+drm-bridge-aux-hpd-bridge-fix-assignment-of-the-of_n.patch
+smb-client-fix-warning-when-reconnecting-channel.patch
+net-usb-lan78xx-fix-warn-in-__netif_napi_del_locked-.patch
+drm-vmwgfx-fix-guests-running-with-tdx-sev.patch
+drm-i915-gt-fix-timeline-left-held-on-vma-alloc-erro.patch
+drm-i915-gsc-mei-interrupt-top-half-should-be-in-irq.patch
+nvme-multipath-fix-suspicious-rcu-usage-warning.patch
+idpf-return-0-size-for-rss-key-if-not-supported.patch
+idpf-convert-control-queue-mutex-to-a-spinlock.patch
+igc-disable-l1.2-pci-e-link-substate-to-avoid-perfor.patch
+drm-xe-fix-out-of-bounds-field-write-in-mi_store_dat.patch
+netfs-fix-hang-due-to-missing-case-in-final-dio-read.patch
+netfs-fix-looping-in-wait-functions.patch
+netfs-fix-ref-leak-on-inserted-extra-subreq-in-write.patch
+smb-client-set-missing-retry-flag-in-smb2_writev_cal.patch
+smb-client-set-missing-retry-flag-in-cifs_readv_call.patch
+smb-client-set-missing-retry-flag-in-cifs_writev_cal.patch
+netfs-fix-i_size-updating.patch
+drm-xe-guc-enable-w-a-16026508708.patch
+drm-xe-guc_pc-add-_locked-variant-for-min-max-freq.patch
+drm-xe-split-xe_device_td_flush.patch
+drm-xe-bmg-update-wa_14022085890.patch
+drm-xe-bmg-update-wa_22019338487.patch
+lib-test_objagg-set-error-message-in-check_expect_hi.patch
+amd-xgbe-align-cl37-an-sequence-as-per-databook.patch
+enic-fix-incorrect-mtu-comparison-in-enic_change_mtu.patch
+rose-fix-dangling-neighbour-pointers-in-rose_rt_devi.patch
+nui-fix-dma_mapping_error-check.patch
+net-sched-always-pass-notifications-when-child-class.patch
+amd-xgbe-do-not-double-read-link-status.patch
+net-ipv4-fix-stat-increase-when-udp-early-demux-drop.patch
+smb-client-fix-race-condition-in-negotiate-timeout-b.patch
+smb-client-fix-native-smb-symlink-traversal.patch
+netfs-fix-double-put-of-request.patch
+drm-xe-allow-dropping-kunit-dependency-as-built-in.patch
+x86-platform-amd-move-final-timeout-check-to-after-f.patch
+drm-msm-fix-a-fence-leak-in-submit-error-path.patch
+drm-msm-fix-another-leak-in-the-submit-error-path.patch
+alsa-sb-don-t-allow-changing-the-dma-mode-during-ope.patch
+alsa-sb-force-to-disable-dmas-once-when-dma-mode-is-.patch
+ata-libata-acpi-do-not-assume-40-wire-cable-if-no-de.patch
+ata-pata_cs5536-fix-build-on-32-bit-uml.patch
+asoc-amd-yc-add-quirk-for-msi-bravo-17-d7vf-internal.patch
+platform-x86-amd-pmc-add-pcspecialist-lafite-pro-v-1.patch
+genirq-irq_sim-initialize-work-context-pointers-prop.patch
+powerpc-fix-struct-termio-related-ioctl-macros.patch
+asoc-amd-yc-update-quirk-data-for-hp-victus.patch
+regulator-fan53555-add-enable_time-support-and-soft-.patch
+scsi-target-fix-null-pointer-dereference-in-core_scs.patch
+aoe-defer-rexmit-timer-downdev-work-to-workqueue.patch
+wifi-mac80211-drop-invalid-source-address-ocb-frames.patch
+wifi-ath6kl-remove-warn-on-bad-firmware-input.patch
+acpica-refuse-to-evaluate-a-method-if-arguments-are-.patch
+mtd-spinand-fix-memory-leak-of-ecc-engine-conf.patch
+rcu-return-early-if-callback-is-not-specified.patch
diff --git a/queue-6.15/smb-client-fix-native-smb-symlink-traversal.patch b/queue-6.15/smb-client-fix-native-smb-symlink-traversal.patch
new file mode 100644 (file)
index 0000000..69b8a7d
--- /dev/null
@@ -0,0 +1,175 @@
+From c6ffb5b8f6c6c12f71c77531a4d86e3ffe99dfd9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 17:57:19 -0300
+Subject: smb: client: fix native SMB symlink traversal
+
+From: Paulo Alcantara <pc@manguebit.org>
+
+[ Upstream commit 3363da82e02f1bddc54faa92ea430c6532e2cd2e ]
+
+We've seen customers having shares mounted in paths like /??/C:/ or
+/??/UNC/foo.example.com/share in order to get their native SMB
+symlinks successfully followed from different mounts.
+
+After commit 12b466eb52d9 ("cifs: Fix creating and resolving absolute NT-style symlinks"),
+the client would then convert absolute paths from "/??/C:/" to "/mnt/c/"
+by default.  The absolute paths would vary depending on the value of
+symlinkroot= mount option.
+
+Fix this by restoring old behavior of not trying to convert absolute
+paths by default.  Only do this if symlinkroot= was _explicitly_ set.
+
+Before patch:
+
+  $ mount.cifs //w22-fs0/test2 /mnt/1 -o vers=3.1.1,username=xxx,password=yyy
+  $ ls -l /mnt/1/symlink2
+  lrwxr-xr-x 1 root root 15 Jun 20 14:22 /mnt/1/symlink2 -> /mnt/c/testfile
+  $ mkdir -p /??/C:; echo foo > //??/C:/testfile
+  $ cat /mnt/1/symlink2
+  cat: /mnt/1/symlink2: No such file or directory
+
+After patch:
+
+  $ mount.cifs //w22-fs0/test2 /mnt/1 -o vers=3.1.1,username=xxx,password=yyy
+  $ ls -l /mnt/1/symlink2
+  lrwxr-xr-x 1 root root 15 Jun 20 14:22 /mnt/1/symlink2 -> '/??/C:/testfile'
+  $ mkdir -p /??/C:; echo foo > //??/C:/testfile
+  $ cat /mnt/1/symlink2
+  foo
+
+Cc: linux-cifs@vger.kernel.org
+Reported-by: Pierguido Lambri <plambri@redhat.com>
+Cc: David Howells <dhowells@redhat.com>
+Cc: Stefan Metzmacher <metze@samba.org>
+Fixes: 12b466eb52d9 ("cifs: Fix creating and resolving absolute NT-style symlinks")
+Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/fs_context.c | 17 +++++++----------
+ fs/smb/client/reparse.c    | 22 +++++++++++++---------
+ 2 files changed, 20 insertions(+), 19 deletions(-)
+
+diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c
+index a634a34d4086a..59ccc2229ab30 100644
+--- a/fs/smb/client/fs_context.c
++++ b/fs/smb/client/fs_context.c
+@@ -1824,10 +1824,14 @@ static int smb3_fs_context_parse_param(struct fs_context *fc,
+                       cifs_errorf(fc, "symlinkroot mount options must be absolute path\n");
+                       goto cifs_parse_mount_err;
+               }
+-              kfree(ctx->symlinkroot);
+-              ctx->symlinkroot = kstrdup(param->string, GFP_KERNEL);
+-              if (!ctx->symlinkroot)
++              if (strnlen(param->string, PATH_MAX) == PATH_MAX) {
++                      cifs_errorf(fc, "symlinkroot path too long (max path length: %u)\n",
++                                  PATH_MAX - 1);
+                       goto cifs_parse_mount_err;
++              }
++              kfree(ctx->symlinkroot);
++              ctx->symlinkroot = param->string;
++              param->string = NULL;
+               break;
+       }
+       /* case Opt_ignore: - is ignored as expected ... */
+@@ -1837,13 +1841,6 @@ static int smb3_fs_context_parse_param(struct fs_context *fc,
+               goto cifs_parse_mount_err;
+       }
+-      /*
+-       * By default resolve all native absolute symlinks relative to "/mnt/".
+-       * Same default has drvfs driver running in WSL for resolving SMB shares.
+-       */
+-      if (!ctx->symlinkroot)
+-              ctx->symlinkroot = kstrdup("/mnt/", GFP_KERNEL);
+-
+       return 0;
+  cifs_parse_mount_err:
+diff --git a/fs/smb/client/reparse.c b/fs/smb/client/reparse.c
+index 1c40e42e4d897..5fa29a97ac154 100644
+--- a/fs/smb/client/reparse.c
++++ b/fs/smb/client/reparse.c
+@@ -57,6 +57,7 @@ static int create_native_symlink(const unsigned int xid, struct inode *inode,
+       struct reparse_symlink_data_buffer *buf = NULL;
+       struct cifs_open_info_data data = {};
+       struct cifs_sb_info *cifs_sb = CIFS_SB(inode->i_sb);
++      const char *symroot = cifs_sb->ctx->symlinkroot;
+       struct inode *new;
+       struct kvec iov;
+       __le16 *path = NULL;
+@@ -82,7 +83,8 @@ static int create_native_symlink(const unsigned int xid, struct inode *inode,
+               .symlink_target = symlink_target,
+       };
+-      if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_POSIX_PATHS) && symname[0] == '/') {
++      if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_POSIX_PATHS) &&
++          symroot && symname[0] == '/') {
+               /*
+                * This is a request to create an absolute symlink on the server
+                * which does not support POSIX paths, and expects symlink in
+@@ -92,7 +94,7 @@ static int create_native_symlink(const unsigned int xid, struct inode *inode,
+                * ensure compatibility of this symlink stored in absolute form
+                * on the SMB server.
+                */
+-              if (!strstarts(symname, cifs_sb->ctx->symlinkroot)) {
++              if (!strstarts(symname, symroot)) {
+                       /*
+                        * If the absolute Linux symlink target path is not
+                        * inside "symlinkroot" location then there is no way
+@@ -101,12 +103,12 @@ static int create_native_symlink(const unsigned int xid, struct inode *inode,
+                       cifs_dbg(VFS,
+                                "absolute symlink '%s' cannot be converted to NT format "
+                                "because it is outside of symlinkroot='%s'\n",
+-                               symname, cifs_sb->ctx->symlinkroot);
++                               symname, symroot);
+                       rc = -EINVAL;
+                       goto out;
+               }
+-              len = strlen(cifs_sb->ctx->symlinkroot);
+-              if (cifs_sb->ctx->symlinkroot[len-1] != '/')
++              len = strlen(symroot);
++              if (symroot[len - 1] != '/')
+                       len++;
+               if (symname[len] >= 'a' && symname[len] <= 'z' &&
+                   (symname[len+1] == '/' || symname[len+1] == '\0')) {
+@@ -782,6 +784,7 @@ int smb2_parse_native_symlink(char **target, const char *buf, unsigned int len,
+                             const char *full_path,
+                             struct cifs_sb_info *cifs_sb)
+ {
++      const char *symroot = cifs_sb->ctx->symlinkroot;
+       char sep = CIFS_DIR_SEP(cifs_sb);
+       char *linux_target = NULL;
+       char *smb_target = NULL;
+@@ -815,7 +818,8 @@ int smb2_parse_native_symlink(char **target, const char *buf, unsigned int len,
+               goto out;
+       }
+-      if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_POSIX_PATHS) && !relative) {
++      if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_POSIX_PATHS) &&
++          symroot && !relative) {
+               /*
+                * This is an absolute symlink from the server which does not
+                * support POSIX paths, so the symlink is in NT-style path.
+@@ -907,15 +911,15 @@ int smb2_parse_native_symlink(char **target, const char *buf, unsigned int len,
+               }
+               abs_path_len = strlen(abs_path)+1;
+-              symlinkroot_len = strlen(cifs_sb->ctx->symlinkroot);
+-              if (cifs_sb->ctx->symlinkroot[symlinkroot_len-1] == '/')
++              symlinkroot_len = strlen(symroot);
++              if (symroot[symlinkroot_len - 1] == '/')
+                       symlinkroot_len--;
+               linux_target = kmalloc(symlinkroot_len + 1 + abs_path_len, GFP_KERNEL);
+               if (!linux_target) {
+                       rc = -ENOMEM;
+                       goto out;
+               }
+-              memcpy(linux_target, cifs_sb->ctx->symlinkroot, symlinkroot_len);
++              memcpy(linux_target, symroot, symlinkroot_len);
+               linux_target[symlinkroot_len] = '/';
+               memcpy(linux_target + symlinkroot_len + 1, abs_path, abs_path_len);
+       } else if (smb_target[0] == sep && relative) {
+-- 
+2.39.5
+
diff --git a/queue-6.15/smb-client-fix-race-condition-in-negotiate-timeout-b.patch b/queue-6.15/smb-client-fix-race-condition-in-negotiate-timeout-b.patch
new file mode 100644 (file)
index 0000000..f831f55
--- /dev/null
@@ -0,0 +1,128 @@
+From e69b5754a5e3dbe6959fd67f76d9a77e27202064 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Jul 2025 21:29:52 +0800
+Subject: smb: client: fix race condition in negotiate timeout by using more
+ precise timing
+
+From: Wang Zhaolong <wangzhaolong@huaweicloud.com>
+
+[ Upstream commit 266b5d02e14f3a0e07414e11f239397de0577a1d ]
+
+When the SMB server reboots and the client immediately accesses the mount
+point, a race condition can occur that causes operations to fail with
+"Host is down" error.
+
+Reproduction steps:
+  # Mount SMB share
+  mount -t cifs //192.168.245.109/TEST /mnt/ -o xxxx
+  ls /mnt
+
+  # Reboot server
+  ssh root@192.168.245.109 reboot
+  ssh root@192.168.245.109 /path/to/cifs_server_setup.sh
+  ssh root@192.168.245.109 systemctl stop firewalld
+
+  # Immediate access fails
+  ls /mnt
+  ls: cannot access '/mnt': Host is down
+
+  # But works if there is a delay
+
+The issue is caused by a race condition between negotiate and reconnect.
+The 20-second negotiate timeout mechanism can interfere with the normal
+recovery process when both are triggered simultaneously.
+
+  ls                              cifsd
+---------------------------------------------------
+ cifs_getattr
+ cifs_revalidate_dentry
+ cifs_get_inode_info
+ cifs_get_fattr
+ smb2_query_path_info
+ smb2_compound_op
+ SMB2_open_init
+ smb2_reconnect
+ cifs_negotiate_protocol
+  smb2_negotiate
+   cifs_send_recv
+    smb_send_rqst
+    wait_for_response
+                            cifs_demultiplex_thread
+                              cifs_read_from_socket
+                              cifs_readv_from_socket
+                                server_unresponsive
+                                cifs_reconnect
+                                  __cifs_reconnect
+                                  cifs_abort_connection
+                                    mid->mid_state = MID_RETRY_NEEDED
+                                    cifs_wake_up_task
+    cifs_sync_mid_result
+     // case MID_RETRY_NEEDED
+     rc = -EAGAIN;
+   // In smb2_negotiate()
+   rc = -EHOSTDOWN;
+
+The server_unresponsive() timeout triggers cifs_reconnect(), which aborts
+ongoing mid requests and causes the ls command to receive -EAGAIN, leading
+to -EHOSTDOWN.
+
+Fix this by introducing a dedicated `neg_start` field to
+precisely tracks when the negotiate process begins. The timeout check
+now uses this accurate timestamp instead of `lstrp`, ensuring that:
+
+1. Timeout is only triggered after negotiate has actually run for 20s
+2. The mechanism doesn't interfere with concurrent recovery processes
+3. Uninitialized timestamps (value 0) don't trigger false timeouts
+
+Fixes: 7ccc1465465d ("smb: client: fix hang in wait_for_response() for negproto")
+Signed-off-by: Wang Zhaolong <wangzhaolong@huaweicloud.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/cifsglob.h | 1 +
+ fs/smb/client/connect.c  | 7 ++++---
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/fs/smb/client/cifsglob.h b/fs/smb/client/cifsglob.h
+index b89db44e0a8e3..eed29f043114a 100644
+--- a/fs/smb/client/cifsglob.h
++++ b/fs/smb/client/cifsglob.h
+@@ -777,6 +777,7 @@ struct TCP_Server_Info {
+       __le32 session_key_id; /* retrieved from negotiate response and send in session setup request */
+       struct session_key session_key;
+       unsigned long lstrp; /* when we got last response from this server */
++      unsigned long neg_start; /* when negotiate started (jiffies) */
+       struct cifs_secmech secmech; /* crypto sec mech functs, descriptors */
+ #define       CIFS_NEGFLAVOR_UNENCAP  1       /* wct == 17, but no ext_sec */
+ #define       CIFS_NEGFLAVOR_EXTENDED 2       /* wct == 17, ext_sec bit set */
+diff --git a/fs/smb/client/connect.c b/fs/smb/client/connect.c
+index e92c7b71626fd..b4b162c93106b 100644
+--- a/fs/smb/client/connect.c
++++ b/fs/smb/client/connect.c
+@@ -679,12 +679,12 @@ server_unresponsive(struct TCP_Server_Info *server)
+       /*
+        * If we're in the process of mounting a share or reconnecting a session
+        * and the server abruptly shut down (e.g. socket wasn't closed, packet
+-       * had been ACK'ed but no SMB response), don't wait longer than 20s to
+-       * negotiate protocol.
++       * had been ACK'ed but no SMB response), don't wait longer than 20s from
++       * when negotiate actually started.
+        */
+       spin_lock(&server->srv_lock);
+       if (server->tcpStatus == CifsInNegotiate &&
+-          time_after(jiffies, server->lstrp + 20 * HZ)) {
++          time_after(jiffies, server->neg_start + 20 * HZ)) {
+               spin_unlock(&server->srv_lock);
+               cifs_reconnect(server, false);
+               return true;
+@@ -4209,6 +4209,7 @@ cifs_negotiate_protocol(const unsigned int xid, struct cifs_ses *ses,
+       server->lstrp = jiffies;
+       server->tcpStatus = CifsInNegotiate;
++      server->neg_start = jiffies;
+       spin_unlock(&server->srv_lock);
+       rc = server->ops->negotiate(xid, ses, server);
+-- 
+2.39.5
+
diff --git a/queue-6.15/smb-client-fix-warning-when-reconnecting-channel.patch b/queue-6.15/smb-client-fix-warning-when-reconnecting-channel.patch
new file mode 100644 (file)
index 0000000..de73f2b
--- /dev/null
@@ -0,0 +1,129 @@
+From a7e0338cabed78ba10808f13b1f2d0c45e153769 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Jun 2025 00:00:17 -0300
+Subject: smb: client: fix warning when reconnecting channel
+
+From: Paulo Alcantara <pc@manguebit.org>
+
+[ Upstream commit 3bbe46716092d8ef6b0df4b956f585c5cd0fc78e ]
+
+When reconnecting a channel in smb2_reconnect_server(), a dummy tcon
+is passed down to smb2_reconnect() with ->query_interface
+uninitialized, so we can't call queue_delayed_work() on it.
+
+Fix the following warning by ensuring that we're queueing the delayed
+worker from correct tcon.
+
+WARNING: CPU: 4 PID: 1126 at kernel/workqueue.c:2498 __queue_delayed_work+0x1d2/0x200
+Modules linked in: cifs cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs]
+CPU: 4 UID: 0 PID: 1126 Comm: kworker/4:0 Not tainted 6.16.0-rc3 #5 PREEMPT(voluntary)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-4.fc42 04/01/2014
+Workqueue: cifsiod smb2_reconnect_server [cifs]
+RIP: 0010:__queue_delayed_work+0x1d2/0x200
+Code: 41 5e 41 5f e9 7f ee ff ff 90 0f 0b 90 e9 5d ff ff ff bf 02 00
+00 00 e8 6c f3 07 00 89 c3 eb bd 90 0f 0b 90 e9 57 f> 0b 90 e9 65 fe
+ff ff 90 0f 0b 90 e9 72 fe ff ff 90 0f 0b 90 e9
+RSP: 0018:ffffc900014afad8 EFLAGS: 00010003
+RAX: 0000000000000000 RBX: ffff888124d99988 RCX: ffffffff81399cc1
+RDX: dffffc0000000000 RSI: ffff888114326e00 RDI: ffff888124d999f0
+RBP: 000000000000ea60 R08: 0000000000000001 R09: ffffed10249b3331
+R10: ffff888124d9998f R11: 0000000000000004 R12: 0000000000000040
+R13: ffff888114326e00 R14: ffff888124d999d8 R15: ffff888114939020
+FS:  0000000000000000(0000) GS:ffff88829f7fe000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007ffe7a2b4038 CR3: 0000000120a6f000 CR4: 0000000000750ef0
+PKRU: 55555554
+Call Trace:
+ <TASK>
+ queue_delayed_work_on+0xb4/0xc0
+ smb2_reconnect+0xb22/0xf50 [cifs]
+ smb2_reconnect_server+0x413/0xd40 [cifs]
+ ? __pfx_smb2_reconnect_server+0x10/0x10 [cifs]
+ ? local_clock_noinstr+0xd/0xd0
+ ? local_clock+0x15/0x30
+ ? lock_release+0x29b/0x390
+ process_one_work+0x4c5/0xa10
+ ? __pfx_process_one_work+0x10/0x10
+ ? __list_add_valid_or_report+0x37/0x120
+ worker_thread+0x2f1/0x5a0
+ ? __kthread_parkme+0xde/0x100
+ ? __pfx_worker_thread+0x10/0x10
+ kthread+0x1fe/0x380
+ ? kthread+0x10f/0x380
+ ? __pfx_kthread+0x10/0x10
+ ? local_clock_noinstr+0xd/0xd0
+ ? ret_from_fork+0x1b/0x1f0
+ ? local_clock+0x15/0x30
+ ? lock_release+0x29b/0x390
+ ? rcu_is_watching+0x20/0x50
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork+0x15b/0x1f0
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork_asm+0x1a/0x30
+ </TASK>
+irq event stamp: 1116206
+hardirqs last  enabled at (1116205): [<ffffffff8143af42>] __up_console_sem+0x52/0x60
+hardirqs last disabled at (1116206): [<ffffffff81399f0e>] queue_delayed_work_on+0x6e/0xc0
+softirqs last  enabled at (1116138): [<ffffffffc04562fd>] __smb_send_rqst+0x42d/0x950 [cifs]
+softirqs last disabled at (1116136): [<ffffffff823d35e1>] release_sock+0x21/0xf0
+
+Cc: linux-cifs@vger.kernel.org
+Reported-by: David Howells <dhowells@redhat.com>
+Fixes: 42ca547b13a2 ("cifs: do not disable interface polling on failure")
+Reviewed-by: David Howells <dhowells@redhat.com>
+Tested-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Shyam Prasad N <nspmangalore@gmail.com>
+Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Tested-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/cifsglob.h |  1 +
+ fs/smb/client/smb2pdu.c  | 10 ++++------
+ 2 files changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/fs/smb/client/cifsglob.h b/fs/smb/client/cifsglob.h
+index 56381cbb63990..b89db44e0a8e3 100644
+--- a/fs/smb/client/cifsglob.h
++++ b/fs/smb/client/cifsglob.h
+@@ -1303,6 +1303,7 @@ struct cifs_tcon {
+       bool use_persistent:1; /* use persistent instead of durable handles */
+       bool no_lease:1;    /* Do not request leases on files or directories */
+       bool use_witness:1; /* use witness protocol */
++      bool dummy:1; /* dummy tcon used for reconnecting channels */
+       __le32 capabilities;
+       __u32 share_flags;
+       __u32 maximal_access;
+diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c
+index 72903265b1706..c3b212175b2bf 100644
+--- a/fs/smb/client/smb2pdu.c
++++ b/fs/smb/client/smb2pdu.c
+@@ -423,9 +423,9 @@ smb2_reconnect(__le16 smb2_command, struct cifs_tcon *tcon,
+               free_xid(xid);
+               ses->flags &= ~CIFS_SES_FLAGS_PENDING_QUERY_INTERFACES;
+-              /* regardless of rc value, setup polling */
+-              queue_delayed_work(cifsiod_wq, &tcon->query_interfaces,
+-                                 (SMB_INTERFACE_POLL_INTERVAL * HZ));
++              if (!tcon->ipc && !tcon->dummy)
++                      queue_delayed_work(cifsiod_wq, &tcon->query_interfaces,
++                                         (SMB_INTERFACE_POLL_INTERVAL * HZ));
+               mutex_unlock(&ses->session_mutex);
+@@ -4221,10 +4221,8 @@ void smb2_reconnect_server(struct work_struct *work)
+               }
+               goto done;
+       }
+-
+       tcon->status = TID_GOOD;
+-      tcon->retry = false;
+-      tcon->need_reconnect = false;
++      tcon->dummy = true;
+       /* now reconnect sessions for necessary channels */
+       list_for_each_entry_safe(ses, ses2, &tmp_ses_list, rlist) {
+-- 
+2.39.5
+
diff --git a/queue-6.15/smb-client-set-missing-retry-flag-in-cifs_readv_call.patch b/queue-6.15/smb-client-set-missing-retry-flag-in-cifs_readv_call.patch
new file mode 100644 (file)
index 0000000..4b4bf33
--- /dev/null
@@ -0,0 +1,40 @@
+From e7c29937335f8a22a6a0627fc23a1a8c3987a63f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 17:38:42 +0100
+Subject: smb: client: set missing retry flag in cifs_readv_callback()
+
+From: Paulo Alcantara <pc@manguebit.org>
+
+[ Upstream commit 0e60bae24ad28ab06a485698077d3c626f1e54ab ]
+
+Set NETFS_SREQ_NEED_RETRY flag to tell netfslib that the subreq needs
+to be retried.
+
+Fixes: ee4cdf7ba857 ("netfs: Speed up buffered reading")
+Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Link: https://lore.kernel.org/20250701163852.2171681-8-dhowells@redhat.com
+Tested-by: Steve French <sfrench@samba.org>
+Cc: linux-cifs@vger.kernel.org
+Cc: netfs@lists.linux.dev
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/cifssmb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/smb/client/cifssmb.c b/fs/smb/client/cifssmb.c
+index 7216fcec79e8b..f9ccae5de5b88 100644
+--- a/fs/smb/client/cifssmb.c
++++ b/fs/smb/client/cifssmb.c
+@@ -1335,6 +1335,7 @@ cifs_readv_callback(struct mid_q_entry *mid)
+               break;
+       case MID_REQUEST_SUBMITTED:
+       case MID_RETRY_NEEDED:
++              __set_bit(NETFS_SREQ_NEED_RETRY, &rdata->subreq.flags);
+               rdata->result = -EAGAIN;
+               if (server->sign && rdata->got_bytes)
+                       /* reset bytes number since we can not check a sign */
+-- 
+2.39.5
+
diff --git a/queue-6.15/smb-client-set-missing-retry-flag-in-cifs_writev_cal.patch b/queue-6.15/smb-client-set-missing-retry-flag-in-cifs_writev_cal.patch
new file mode 100644 (file)
index 0000000..4878210
--- /dev/null
@@ -0,0 +1,40 @@
+From 19af7c76cda1f124106511b9989271fa979620e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 17:38:43 +0100
+Subject: smb: client: set missing retry flag in cifs_writev_callback()
+
+From: Paulo Alcantara <pc@manguebit.org>
+
+[ Upstream commit 74ee76bea4b445c023d04806e0bcd78a912fd30b ]
+
+Set NETFS_SREQ_NEED_RETRY flag to tell netfslib that the subreq needs
+to be retried.
+
+Fixes: ee4cdf7ba857 ("netfs: Speed up buffered reading")
+Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Link: https://lore.kernel.org/20250701163852.2171681-9-dhowells@redhat.com
+Tested-by: Steve French <sfrench@samba.org>
+Cc: linux-cifs@vger.kernel.org
+Cc: netfs@lists.linux.dev
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/cifssmb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/smb/client/cifssmb.c b/fs/smb/client/cifssmb.c
+index f9ccae5de5b88..0e509a0433fb6 100644
+--- a/fs/smb/client/cifssmb.c
++++ b/fs/smb/client/cifssmb.c
+@@ -1715,6 +1715,7 @@ cifs_writev_callback(struct mid_q_entry *mid)
+               break;
+       case MID_REQUEST_SUBMITTED:
+       case MID_RETRY_NEEDED:
++              __set_bit(NETFS_SREQ_NEED_RETRY, &wdata->subreq.flags);
+               result = -EAGAIN;
+               break;
+       default:
+-- 
+2.39.5
+
diff --git a/queue-6.15/smb-client-set-missing-retry-flag-in-smb2_writev_cal.patch b/queue-6.15/smb-client-set-missing-retry-flag-in-smb2_writev_cal.patch
new file mode 100644 (file)
index 0000000..386ed8a
--- /dev/null
@@ -0,0 +1,40 @@
+From 80bcde21959a8a7dd7e7312443f7e90b571ceb3f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Jul 2025 17:38:41 +0100
+Subject: smb: client: set missing retry flag in smb2_writev_callback()
+
+From: Paulo Alcantara <pc@manguebit.org>
+
+[ Upstream commit e67e75edeb88022c04f8e0a173e1ff6dc688f155 ]
+
+Set NETFS_SREQ_NEED_RETRY flag to tell netfslib that the subreq needs
+to be retried.
+
+Fixes: ee4cdf7ba857 ("netfs: Speed up buffered reading")
+Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Link: https://lore.kernel.org/20250701163852.2171681-7-dhowells@redhat.com
+Tested-by: Steve French <sfrench@samba.org>
+Cc: linux-cifs@vger.kernel.org
+Cc: netfs@lists.linux.dev
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/smb2pdu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c
+index c3b212175b2bf..2c0cc544dfb31 100644
+--- a/fs/smb/client/smb2pdu.c
++++ b/fs/smb/client/smb2pdu.c
+@@ -4852,6 +4852,7 @@ smb2_writev_callback(struct mid_q_entry *mid)
+               break;
+       case MID_REQUEST_SUBMITTED:
+       case MID_RETRY_NEEDED:
++              __set_bit(NETFS_SREQ_NEED_RETRY, &wdata->subreq.flags);
+               result = -EAGAIN;
+               break;
+       case MID_RESPONSE_MALFORMED:
+-- 
+2.39.5
+
diff --git a/queue-6.15/spi-spi-fsl-dspi-clear-completion-counter-before-ini.patch b/queue-6.15/spi-spi-fsl-dspi-clear-completion-counter-before-ini.patch
new file mode 100644 (file)
index 0000000..a812b9c
--- /dev/null
@@ -0,0 +1,61 @@
+From c87f2eeea1991258a66d2d924907494e9bf2d131 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Jun 2025 11:21:37 +0100
+Subject: spi: spi-fsl-dspi: Clear completion counter before initiating
+ transfer
+
+From: James Clark <james.clark@linaro.org>
+
+[ Upstream commit fa60c094c19b97e103d653f528f8d9c178b6a5f5 ]
+
+In target mode, extra interrupts can be received between the end of a
+transfer and halting the module if the host continues sending more data.
+If the interrupt from this occurs after the reinit_completion() then the
+completion counter is left at a non-zero value. The next unrelated
+transfer initiated by userspace will then complete immediately without
+waiting for the interrupt or writing to the RX buffer.
+
+Fix it by resetting the counter before the transfer so that lingering
+values are cleared. This is done after clearing the FIFOs and the
+status register but before the transfer is initiated, so no interrupts
+should be received at this point resulting in other race conditions.
+
+Fixes: 4f5ee75ea171 ("spi: spi-fsl-dspi: Replace interruptible wait queue with a simple completion")
+Signed-off-by: James Clark <james.clark@linaro.org>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Link: https://patch.msgid.link/20250627-james-nxp-spi-dma-v4-1-178dba20c120@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-fsl-dspi.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-fsl-dspi.c b/drivers/spi/spi-fsl-dspi.c
+index 863781ba6c160..0dcd491140950 100644
+--- a/drivers/spi/spi-fsl-dspi.c
++++ b/drivers/spi/spi-fsl-dspi.c
+@@ -983,11 +983,20 @@ static int dspi_transfer_one_message(struct spi_controller *ctlr,
+               if (dspi->devtype_data->trans_mode == DSPI_DMA_MODE) {
+                       status = dspi_dma_xfer(dspi);
+               } else {
++                      /*
++                       * Reinitialize the completion before transferring data
++                       * to avoid the case where it might remain in the done
++                       * state due to a spurious interrupt from a previous
++                       * transfer. This could falsely signal that the current
++                       * transfer has completed.
++                       */
++                      if (dspi->irq)
++                              reinit_completion(&dspi->xfer_done);
++
+                       dspi_fifo_write(dspi);
+                       if (dspi->irq) {
+                               wait_for_completion(&dspi->xfer_done);
+-                              reinit_completion(&dspi->xfer_done);
+                       } else {
+                               do {
+                                       status = dspi_poll(dspi);
+-- 
+2.39.5
+
diff --git a/queue-6.15/spi-spi-qpic-snand-reallocate-bam-transactions.patch b/queue-6.15/spi-spi-qpic-snand-reallocate-bam-transactions.patch
new file mode 100644 (file)
index 0000000..3850586
--- /dev/null
@@ -0,0 +1,91 @@
+From 568dfe17798b5b1d3677028f2839d3270548d387 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Jun 2025 22:22:49 +0200
+Subject: spi: spi-qpic-snand: reallocate BAM transactions
+
+From: Gabor Juhos <j4g8y7@gmail.com>
+
+[ Upstream commit d85d0380292a7e618915069c3579ae23c7c80339 ]
+
+Using the mtd_nandbiterrs module for testing the driver occasionally
+results in weird things like below.
+
+1. swiotlb mapping fails with the following message:
+
+  [   85.926216] qcom_snand 79b0000.spi: swiotlb buffer is full (sz: 4294967294 bytes), total 512 (slots), used 0 (slots)
+  [   85.932937] qcom_snand 79b0000.spi: failure in mapping desc
+  [   87.999314] qcom_snand 79b0000.spi: failure to write raw page
+  [   87.999352] mtd_nandbiterrs: error: write_oob failed (-110)
+
+  Rebooting the board after this causes a panic due to a NULL pointer
+  dereference.
+
+2. If the swiotlb mapping does not fail, rebooting the board may result
+   in a different panic due to a bad spinlock magic:
+
+  [  256.104459] BUG: spinlock bad magic on CPU#3, procd/2241
+  [  256.104488] Unable to handle kernel paging request at virtual address ffffffff0000049b
+  ...
+
+Investigating the issue revealed that these symptoms are results of
+memory corruption which is caused by out of bounds access within the
+driver.
+
+The driver uses a dynamically allocated structure for BAM transactions,
+which structure must have enough space for all possible variations of
+different flash operations initiated by the driver. The required space
+heavily depends on the actual number of 'codewords' which is calculated
+from the pagesize of the actual NAND chip.
+
+Although the qcom_nandc_alloc() function allocates memory for the BAM
+transactions during probe, but since the actual number of 'codewords'
+is not yet know the allocation is done for one 'codeword' only.
+
+Because of this, whenever the driver does a flash operation, and the
+number of the required transactions exceeds the size of the allocated
+arrays the driver accesses memory out of the allocated range.
+
+To avoid this, change the code to free the initially allocated BAM
+transactions memory, and allocate a new one once the actual number of
+'codewords' required for a given NAND chip is known.
+
+Fixes: 7304d1909080 ("spi: spi-qpic: add driver for QCOM SPI NAND flash Interface")
+Reviewed-by: Md Sadre Alam <quic_mdalam@quicinc.com>
+Signed-off-by: Gabor Juhos <j4g8y7@gmail.com>
+Link: https://patch.msgid.link/20250618-qpic-snand-avoid-mem-corruption-v3-1-319c71296cda@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-qpic-snand.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/drivers/spi/spi-qpic-snand.c b/drivers/spi/spi-qpic-snand.c
+index d3a4e091dca4e..80856d2fa35c6 100644
+--- a/drivers/spi/spi-qpic-snand.c
++++ b/drivers/spi/spi-qpic-snand.c
+@@ -316,6 +316,22 @@ static int qcom_spi_ecc_init_ctx_pipelined(struct nand_device *nand)
+       mtd_set_ooblayout(mtd, &qcom_spi_ooblayout);
++      /*
++       * Free the temporary BAM transaction allocated initially by
++       * qcom_nandc_alloc(), and allocate a new one based on the
++       * updated max_cwperpage value.
++       */
++      qcom_free_bam_transaction(snandc);
++
++      snandc->max_cwperpage = cwperpage;
++
++      snandc->bam_txn = qcom_alloc_bam_transaction(snandc);
++      if (!snandc->bam_txn) {
++              dev_err(snandc->dev, "failed to allocate BAM transaction\n");
++              ret = -ENOMEM;
++              goto err_free_ecc_cfg;
++      }
++
+       ecc_cfg->cfg0 = FIELD_PREP(CW_PER_PAGE_MASK, (cwperpage - 1)) |
+                       FIELD_PREP(UD_SIZE_BYTES_MASK, ecc_cfg->cw_data) |
+                       FIELD_PREP(DISABLE_STATUS_AFTER_WRITE, 1) |
+-- 
+2.39.5
+
diff --git a/queue-6.15/wifi-ath6kl-remove-warn-on-bad-firmware-input.patch b/queue-6.15/wifi-ath6kl-remove-warn-on-bad-firmware-input.patch
new file mode 100644 (file)
index 0000000..f7b60e1
--- /dev/null
@@ -0,0 +1,43 @@
+From 0efb1ddf2bed00c7158c59778d15a415341bb441 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Jun 2025 11:45:29 +0200
+Subject: wifi: ath6kl: remove WARN on bad firmware input
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit e7417421d89358da071fd2930f91e67c7128fbff ]
+
+If the firmware gives bad input, that's nothing to do with
+the driver's stack at this point etc., so the WARN_ON()
+doesn't add any value. Additionally, this is one of the
+top syzbot reports now. Just print a message, and as an
+added bonus, print the sizes too.
+
+Reported-by: syzbot+92c6dd14aaa230be6855@syzkaller.appspotmail.com
+Tested-by: syzbot+92c6dd14aaa230be6855@syzkaller.appspotmail.com
+Acked-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Link: https://patch.msgid.link/20250617114529.031a677a348e.I58bf1eb4ac16a82c546725ff010f3f0d2b0cca49@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath6kl/bmi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath6kl/bmi.c b/drivers/net/wireless/ath/ath6kl/bmi.c
+index af98e871199d3..5a9e93fd1ef42 100644
+--- a/drivers/net/wireless/ath/ath6kl/bmi.c
++++ b/drivers/net/wireless/ath/ath6kl/bmi.c
+@@ -87,7 +87,9 @@ int ath6kl_bmi_get_target_info(struct ath6kl *ar,
+                * We need to do some backwards compatibility to make this work.
+                */
+               if (le32_to_cpu(targ_info->byte_count) != sizeof(*targ_info)) {
+-                      WARN_ON(1);
++                      ath6kl_err("mismatched byte count %d vs. expected %zd\n",
++                                 le32_to_cpu(targ_info->byte_count),
++                                 sizeof(*targ_info));
+                       return -EINVAL;
+               }
+-- 
+2.39.5
+
diff --git a/queue-6.15/wifi-mac80211-drop-invalid-source-address-ocb-frames.patch b/queue-6.15/wifi-mac80211-drop-invalid-source-address-ocb-frames.patch
new file mode 100644 (file)
index 0000000..d2d872c
--- /dev/null
@@ -0,0 +1,42 @@
+From f58f0827bdd1c40b959ec2f8296c88b8eb317cb8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Jun 2025 17:18:38 +0200
+Subject: wifi: mac80211: drop invalid source address OCB frames
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit d1b1a5eb27c4948e8811cf4dbb05aaf3eb10700c ]
+
+In OCB, don't accept frames from invalid source addresses
+(and in particular don't try to create stations for them),
+drop the frames instead.
+
+Reported-by: syzbot+8b512026a7ec10dcbdd9@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/r/6788d2d9.050a0220.20d369.0028.GAE@google.com/
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Tested-by: syzbot+8b512026a7ec10dcbdd9@syzkaller.appspotmail.com
+Link: https://patch.msgid.link/20250616171838.7433379cab5d.I47444d63c72a0bd58d2e2b67bb99e1fea37eec6f@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/rx.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
+index 09beb65d6108b..e73431549ce77 100644
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -4432,6 +4432,10 @@ static bool ieee80211_accept_frame(struct ieee80211_rx_data *rx)
+               if (!multicast &&
+                   !ether_addr_equal(sdata->dev->dev_addr, hdr->addr1))
+                       return false;
++              /* reject invalid/our STA address */
++              if (!is_valid_ether_addr(hdr->addr2) ||
++                  ether_addr_equal(sdata->dev->dev_addr, hdr->addr2))
++                      return false;
+               if (!rx->sta) {
+                       int rate_idx;
+                       if (status->encoding != RX_ENC_LEGACY)
+-- 
+2.39.5
+
diff --git a/queue-6.15/x86-platform-amd-move-final-timeout-check-to-after-f.patch b/queue-6.15/x86-platform-amd-move-final-timeout-check-to-after-f.patch
new file mode 100644 (file)
index 0000000..a6c368e
--- /dev/null
@@ -0,0 +1,61 @@
+From 2568d51844897d6b30aaa74c2824f4109413490e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Jun 2025 19:09:26 +0100
+Subject: x86/platform/amd: move final timeout check to after final sleep
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jake Hillion <jake@hillion.co.uk>
+
+[ Upstream commit f8afb12a2d7503de6558c23cacd7acbf6e9fe678 ]
+
+__hsmp_send_message sleeps between result read attempts and has a
+timeout of 100ms. Under extreme load it's possible for these sleeps to
+take a long time, exceeding the 100ms. In this case the current code
+does not check the register and fails with ETIMEDOUT.
+
+Refactor the loop to ensure there is at least one read of the register
+after a sleep of any duration. This removes instances of ETIMEDOUT with
+a single caller, even with a misbehaving scheduler. Tested on AMD
+Bergamo machines.
+
+Suggested-by: Blaise Sanouillet <linux@blaise.sanouillet.com>
+Reviewed-by: Suma Hegde <suma.hegde@amd.com>
+Tested-by: Suma Hegde <suma.hegde@amd.com>
+Signed-off-by: Jake Hillion <jake@hillion.co.uk>
+Link: https://lore.kernel.org/r/20250605-amd-hsmp-v2-1-a811bc3dd74a@hillion.co.uk
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/amd/hsmp/hsmp.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/amd/hsmp/hsmp.c b/drivers/platform/x86/amd/hsmp/hsmp.c
+index a3ac09a90de45..ab877112f4c80 100644
+--- a/drivers/platform/x86/amd/hsmp/hsmp.c
++++ b/drivers/platform/x86/amd/hsmp/hsmp.c
+@@ -99,7 +99,7 @@ static int __hsmp_send_message(struct hsmp_socket *sock, struct hsmp_message *ms
+       short_sleep = jiffies + msecs_to_jiffies(HSMP_SHORT_SLEEP);
+       timeout = jiffies + msecs_to_jiffies(HSMP_MSG_TIMEOUT);
+-      while (time_before(jiffies, timeout)) {
++      while (true) {
+               ret = sock->amd_hsmp_rdwr(sock, mbinfo->msg_resp_off, &mbox_status, HSMP_RD);
+               if (ret) {
+                       dev_err(sock->dev, "Error %d reading mailbox status\n", ret);
+@@ -108,6 +108,10 @@ static int __hsmp_send_message(struct hsmp_socket *sock, struct hsmp_message *ms
+               if (mbox_status != HSMP_STATUS_NOT_READY)
+                       break;
++
++              if (!time_before(jiffies, timeout))
++                      break;
++
+               if (time_before(jiffies, short_sleep))
+                       usleep_range(50, 100);
+               else
+-- 
+2.39.5
+