--- /dev/null
+From 71daedd7ef86bae9904f6ab85f816d1d107f1f0e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Mar 2025 15:30:39 +0100
+Subject: ACPI: processor: idle: Return an error if both P_LVL{2,3} idle states
+ are invalid
+
+From: Giovanni Gherdovich <ggherdovich@suse.cz>
+
+[ Upstream commit 9e9b893404d43894d69a18dd2fc8fcf1c36abb7e ]
+
+Prior to commit 496121c02127 ("ACPI: processor: idle: Allow probing on
+platforms with one ACPI C-state"), the acpi_idle driver wouldn't load on
+systems without a valid C-State at least as deep as C2.
+
+The behavior was desirable for guests on hypervisors such as VMWare
+ESXi, which by default don't have the _CST ACPI method, and set the C2
+and C3 latencies to 101 and 1001 microseconds respectively via the FADT,
+to signify they're unsupported.
+
+Since the above change though, these virtualized deployments end up
+loading acpi_idle, and thus entering the default C1 C-State set by
+acpi_processor_get_power_info_default(); this is undesirable for a
+system that's communicating to the OS it doesn't want C-States (missing
+_CST, and invalid C2/C3 in FADT).
+
+Make acpi_processor_get_power_info_fadt() return -ENODEV in that case,
+so that acpi_processor_get_cstate_info() exits early and doesn't set
+pr->flags.power = 1.
+
+Fixes: 496121c02127 ("ACPI: processor: idle: Allow probing on platforms with one ACPI C-state")
+Signed-off-by: Giovanni Gherdovich <ggherdovich@suse.cz>
+Reviewed-by: Zhang Rui <rui.zhang@intel.com>
+Link: https://patch.msgid.link/20250328143040.9348-1-ggherdovich@suse.cz
+[ rjw: Changelog edits ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/processor_idle.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/acpi/processor_idle.c b/drivers/acpi/processor_idle.c
+index ae07927910ca0..42c7bdb352d20 100644
+--- a/drivers/acpi/processor_idle.c
++++ b/drivers/acpi/processor_idle.c
+@@ -270,6 +270,10 @@ static int acpi_processor_get_power_info_fadt(struct acpi_processor *pr)
+ ACPI_CX_DESC_LEN, "ACPI P_LVL3 IOPORT 0x%x",
+ pr->power.states[ACPI_STATE_C3].address);
+
++ if (!pr->power.states[ACPI_STATE_C2].address &&
++ !pr->power.states[ACPI_STATE_C3].address)
++ return -ENODEV;
++
+ return 0;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 1099e56946ecdebd2bc0cc8f5a6f747b7bda0d85 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Feb 2025 08:14:44 +0000
+Subject: affs: don't write overlarge OFS data block size fields
+
+From: Simon Tatham <anakin@pobox.com>
+
+[ Upstream commit 011ea742a25a77bac3d995f457886a67d178c6f0 ]
+
+If a data sector on an OFS floppy contains a value > 0x1e8 (the
+largest amount of data that fits in the sector after its header), then
+an Amiga reading the file can return corrupt data, by taking the
+overlarge size at its word and reading past the end of the buffer it
+read the disk sector into!
+
+The cause: when affs_write_end_ofs() writes data to an OFS filesystem,
+the new size field for a data block was computed by adding the amount
+of data currently being written (into the block) to the existing value
+of the size field. This is correct if you're extending the file at the
+end, but if you seek backwards in the file and overwrite _existing_
+data, it can lead to the size field being larger than the maximum
+legal value.
+
+This commit changes the calculation so that it sets the size field to
+the max of its previous size and the position within the block that we
+just wrote up to.
+
+Signed-off-by: Simon Tatham <anakin@pobox.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/affs/file.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/affs/file.c b/fs/affs/file.c
+index 7738fafcccfc1..bc88ba29d393c 100644
+--- a/fs/affs/file.c
++++ b/fs/affs/file.c
+@@ -725,7 +725,8 @@ static int affs_write_end_ofs(struct file *file, struct address_space *mapping,
+ tmp = min(bsize - boff, to - from);
+ BUG_ON(boff + tmp > bsize || tmp > bsize);
+ memcpy(AFFS_DATA(bh) + boff, data + from, tmp);
+- be32_add_cpu(&AFFS_DATA_HEAD(bh)->size, tmp);
++ AFFS_DATA_HEAD(bh)->size = cpu_to_be32(
++ max(boff + tmp, be32_to_cpu(AFFS_DATA_HEAD(bh)->size)));
+ affs_fix_checksum(sb, bh);
+ mark_buffer_dirty_inode(bh, inode);
+ written += tmp;
+--
+2.39.5
+
--- /dev/null
+From 0af340eb57690e489a556820e391f0054ea87300 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Feb 2025 08:14:43 +0000
+Subject: affs: generate OFS sequence numbers starting at 1
+
+From: Simon Tatham <anakin@pobox.com>
+
+[ Upstream commit e4cf8ec4de4e13f156c1d61977d282d90c221085 ]
+
+If I write a file to an OFS floppy image, and try to read it back on
+an emulated Amiga running Workbench 1.3, the Amiga reports a disk
+error trying to read the file. (That is, it's unable to read it _at
+all_, even to copy it to the NIL: device. It isn't a matter of getting
+the wrong data and being unable to parse the file format.)
+
+This is because the 'sequence number' field in the OFS data block
+header is supposed to be based at 1, but affs writes it based at 0.
+All three locations changed by this patch were setting the sequence
+number to a variable 'bidx' which was previously obtained by dividing
+a file position by bsize, so bidx will naturally use 0 for the first
+block. Therefore all three should add 1 to that value before writing
+it into the sequence number field.
+
+With this change, the Amiga successfully reads the file.
+
+For data block reference: https://wiki.osdev.org/FFS_(Amiga)
+
+Signed-off-by: Simon Tatham <anakin@pobox.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/affs/file.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/affs/file.c b/fs/affs/file.c
+index c3d89fa1bab77..7738fafcccfc1 100644
+--- a/fs/affs/file.c
++++ b/fs/affs/file.c
+@@ -597,7 +597,7 @@ affs_extent_file_ofs(struct inode *inode, u32 newsize)
+ BUG_ON(tmp > bsize);
+ AFFS_DATA_HEAD(bh)->ptype = cpu_to_be32(T_DATA);
+ AFFS_DATA_HEAD(bh)->key = cpu_to_be32(inode->i_ino);
+- AFFS_DATA_HEAD(bh)->sequence = cpu_to_be32(bidx);
++ AFFS_DATA_HEAD(bh)->sequence = cpu_to_be32(bidx + 1);
+ AFFS_DATA_HEAD(bh)->size = cpu_to_be32(tmp);
+ affs_fix_checksum(sb, bh);
+ bh->b_state &= ~(1UL << BH_New);
+@@ -747,7 +747,7 @@ static int affs_write_end_ofs(struct file *file, struct address_space *mapping,
+ if (buffer_new(bh)) {
+ AFFS_DATA_HEAD(bh)->ptype = cpu_to_be32(T_DATA);
+ AFFS_DATA_HEAD(bh)->key = cpu_to_be32(inode->i_ino);
+- AFFS_DATA_HEAD(bh)->sequence = cpu_to_be32(bidx);
++ AFFS_DATA_HEAD(bh)->sequence = cpu_to_be32(bidx + 1);
+ AFFS_DATA_HEAD(bh)->size = cpu_to_be32(bsize);
+ AFFS_DATA_HEAD(bh)->next = 0;
+ bh->b_state &= ~(1UL << BH_New);
+@@ -781,7 +781,7 @@ static int affs_write_end_ofs(struct file *file, struct address_space *mapping,
+ if (buffer_new(bh)) {
+ AFFS_DATA_HEAD(bh)->ptype = cpu_to_be32(T_DATA);
+ AFFS_DATA_HEAD(bh)->key = cpu_to_be32(inode->i_ino);
+- AFFS_DATA_HEAD(bh)->sequence = cpu_to_be32(bidx);
++ AFFS_DATA_HEAD(bh)->sequence = cpu_to_be32(bidx + 1);
+ AFFS_DATA_HEAD(bh)->size = cpu_to_be32(tmp);
+ AFFS_DATA_HEAD(bh)->next = 0;
+ bh->b_state &= ~(1UL << BH_New);
+--
+2.39.5
+
--- /dev/null
+From 47f502e89bd858ab8a03680aad914917b2cd9114 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 8 Mar 2025 03:03:19 +0530
+Subject: ALSA: hda/realtek: Add mute LED quirk for HP Pavilion x360 14-dy1xxx
+
+From: Navon John Lukose <navonjohnlukose@gmail.com>
+
+[ Upstream commit b11a74ac4f545626d0dc95a8ca8c41df90532bf3 ]
+
+Add a fixup to enable the mute LED on HP Pavilion x360 Convertible
+14-dy1xxx with ALC295 codec. The appropriate coefficient index and bits
+were identified through a brute-force method, as detailed in
+https://bbs.archlinux.org/viewtopic.php?pid=2079504#p2079504.
+
+Signed-off-by: Navon John Lukose <navonjohnlukose@gmail.com>
+Link: https://patch.msgid.link/20250307213319.35507-1-navonjohnlukose@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index f3cb24ed3a78a..3fdd2337919e1 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -4702,6 +4702,21 @@ static void alc236_fixup_hp_coef_micmute_led(struct hda_codec *codec,
+ }
+ }
+
++static void alc295_fixup_hp_mute_led_coefbit11(struct hda_codec *codec,
++ const struct hda_fixup *fix, int action)
++{
++ struct alc_spec *spec = codec->spec;
++
++ if (action == HDA_FIXUP_ACT_PRE_PROBE) {
++ spec->mute_led_polarity = 0;
++ spec->mute_led_coef.idx = 0xb;
++ spec->mute_led_coef.mask = 3 << 3;
++ spec->mute_led_coef.on = 1 << 3;
++ spec->mute_led_coef.off = 1 << 4;
++ snd_hda_gen_add_mute_led_cdev(codec, coef_mute_led_set);
++ }
++}
++
+ static void alc285_fixup_hp_mute_led(struct hda_codec *codec,
+ const struct hda_fixup *fix, int action)
+ {
+@@ -6942,6 +6957,7 @@ enum {
+ ALC290_FIXUP_MONO_SPEAKERS_HSJACK,
+ ALC290_FIXUP_SUBWOOFER,
+ ALC290_FIXUP_SUBWOOFER_HSJACK,
++ ALC295_FIXUP_HP_MUTE_LED_COEFBIT11,
+ ALC269_FIXUP_THINKPAD_ACPI,
+ ALC269_FIXUP_DMIC_THINKPAD_ACPI,
+ ALC269VB_FIXUP_INFINIX_ZERO_BOOK_13,
+@@ -8487,6 +8503,10 @@ static const struct hda_fixup alc269_fixups[] = {
+ .chained = true,
+ .chain_id = ALC283_FIXUP_INT_MIC,
+ },
++ [ALC295_FIXUP_HP_MUTE_LED_COEFBIT11] = {
++ .type = HDA_FIXUP_FUNC,
++ .v.func = alc295_fixup_hp_mute_led_coefbit11,
++ },
+ [ALC298_FIXUP_SAMSUNG_AMP] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc298_fixup_samsung_amp,
+@@ -9195,6 +9215,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x103c, 0x84e7, "HP Pavilion 15", ALC269_FIXUP_HP_MUTE_LED_MIC3),
+ SND_PCI_QUIRK(0x103c, 0x8519, "HP Spectre x360 15-df0xxx", ALC285_FIXUP_HP_SPECTRE_X360),
+ SND_PCI_QUIRK(0x103c, 0x8537, "HP ProBook 440 G6", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
++ SND_PCI_QUIRK(0x103c, 0x85c6, "HP Pavilion x360 Convertible 14-dy1xxx", ALC295_FIXUP_HP_MUTE_LED_COEFBIT11),
+ SND_PCI_QUIRK(0x103c, 0x85de, "HP Envy x360 13-ar0xxx", ALC285_FIXUP_HP_ENVY_X360),
+ SND_PCI_QUIRK(0x103c, 0x860f, "HP ZBook 15 G6", ALC285_FIXUP_HP_GPIO_AMP_INIT),
+ SND_PCI_QUIRK(0x103c, 0x861f, "HP Elite Dragonfly G1", ALC285_FIXUP_HP_GPIO_AMP_INIT),
+--
+2.39.5
+
--- /dev/null
+From 49a22de59bda3002788fcb23aada056e2d1f544c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 15 Mar 2025 15:30:19 +0100
+Subject: ALSA: hda/realtek: Always honor no_shutup_pins
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 5a0c72c1da3cbc0cd4940a95d1be2830104c6edf ]
+
+The workaround for Dell machines to skip the pin-shutup for mic pins
+introduced alc_headset_mic_no_shutup() that is replaced from the
+generic snd_hda_shutup_pins() for certain codecs. The problem is that
+the call is done unconditionally even if spec->no_shutup_pins is set.
+This seems causing problems on other platforms like Lenovo.
+
+This patch corrects the behavior and the driver honors always
+spec->no_shutup_pins flag and skips alc_headset_mic_no_shutup() if
+it's set.
+
+Fixes: dad3197da7a3 ("ALSA: hda/realtek - Fixup headphone noise via runtime suspend")
+Reported-and-tested-by: Oleg Gorobets <oleg.goro@gmail.com>
+Link: https://patch.msgid.link/20250315143020.27184-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 494a34af46b03..f3cb24ed3a78a 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -577,6 +577,9 @@ static void alc_shutup_pins(struct hda_codec *codec)
+ {
+ struct alc_spec *spec = codec->spec;
+
++ if (spec->no_shutup_pins)
++ return;
++
+ switch (codec->core.vendor_id) {
+ case 0x10ec0236:
+ case 0x10ec0256:
+@@ -592,8 +595,7 @@ static void alc_shutup_pins(struct hda_codec *codec)
+ alc_headset_mic_no_shutup(codec);
+ break;
+ default:
+- if (!spec->no_shutup_pins)
+- snd_hda_shutup_pins(codec);
++ snd_hda_shutup_pins(codec);
+ break;
+ }
+ }
+--
+2.39.5
+
--- /dev/null
+From d2776993fdc97acbb3303c6eae1e470749690cc6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Apr 2025 21:50:36 +0800
+Subject: arcnet: Add NULL check in com20020pci_probe()
+
+From: Henry Martin <bsdhenrymartin@gmail.com>
+
+[ Upstream commit fda8c491db2a90ff3e6fbbae58e495b4ddddeca3 ]
+
+devm_kasprintf() returns NULL when memory allocation fails. Currently,
+com20020pci_probe() does not check for this case, which results in a
+NULL pointer dereference.
+
+Add NULL check after devm_kasprintf() to prevent this issue and ensure
+no resources are left allocated.
+
+Fixes: 6b17a597fc2f ("arcnet: restoring support for multiple Sohard Arcnet cards")
+Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
+Link: https://patch.msgid.link/20250402135036.44697-1-bsdhenrymartin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/arcnet/com20020-pci.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/arcnet/com20020-pci.c b/drivers/net/arcnet/com20020-pci.c
+index 9d9e4200064f9..00a80f0adece4 100644
+--- a/drivers/net/arcnet/com20020-pci.c
++++ b/drivers/net/arcnet/com20020-pci.c
+@@ -250,18 +250,33 @@ static int com20020pci_probe(struct pci_dev *pdev,
+ card->tx_led.default_trigger = devm_kasprintf(&pdev->dev,
+ GFP_KERNEL, "arc%d-%d-tx",
+ dev->dev_id, i);
++ if (!card->tx_led.default_trigger) {
++ ret = -ENOMEM;
++ goto err_free_arcdev;
++ }
+ card->tx_led.name = devm_kasprintf(&pdev->dev, GFP_KERNEL,
+ "pci:green:tx:%d-%d",
+ dev->dev_id, i);
+-
++ if (!card->tx_led.name) {
++ ret = -ENOMEM;
++ goto err_free_arcdev;
++ }
+ card->tx_led.dev = &dev->dev;
+ card->recon_led.brightness_set = led_recon_set;
+ card->recon_led.default_trigger = devm_kasprintf(&pdev->dev,
+ GFP_KERNEL, "arc%d-%d-recon",
+ dev->dev_id, i);
++ if (!card->recon_led.default_trigger) {
++ ret = -ENOMEM;
++ goto err_free_arcdev;
++ }
+ card->recon_led.name = devm_kasprintf(&pdev->dev, GFP_KERNEL,
+ "pci:red:recon:%d-%d",
+ dev->dev_id, i);
++ if (!card->recon_led.name) {
++ ret = -ENOMEM;
++ goto err_free_arcdev;
++ }
+ card->recon_led.dev = &dev->dev;
+
+ ret = devm_led_classdev_register(&pdev->dev, &card->tx_led);
+--
+2.39.5
+
--- /dev/null
+From d7c98553d9c1ed48c3220a7c30b5d2c045e647f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Mar 2025 17:05:24 +0530
+Subject: ASoC: ti: j721e-evm: Fix clock configuration for ti,j7200-cpb-audio
+ compatible
+
+From: Jayesh Choudhary <j-choudhary@ti.com>
+
+[ Upstream commit 45ff65e30deb919604e68faed156ad96ce7474d9 ]
+
+For 'ti,j7200-cpb-audio' compatible, there is support for only one PLL for
+48k. For 11025, 22050, 44100 and 88200 sampling rates, due to absence of
+J721E_CLK_PARENT_44100, we get EINVAL while running any audio application.
+Add support for these rates by using the 48k parent clock and adjusting
+the clock for these rates later in j721e_configure_refclk.
+
+Fixes: 6748d0559059 ("ASoC: ti: Add custom machine driver for j721e EVM (CPB and IVI)")
+Signed-off-by: Jayesh Choudhary <j-choudhary@ti.com>
+Link: https://patch.msgid.link/20250318113524.57100-1-j-choudhary@ti.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/ti/j721e-evm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/soc/ti/j721e-evm.c b/sound/soc/ti/j721e-evm.c
+index 756cd9694cbe8..b749bcc6f0414 100644
+--- a/sound/soc/ti/j721e-evm.c
++++ b/sound/soc/ti/j721e-evm.c
+@@ -179,6 +179,8 @@ static int j721e_configure_refclk(struct j721e_priv *priv,
+ clk_id = J721E_CLK_PARENT_48000;
+ else if (!(rate % 11025) && priv->pll_rates[J721E_CLK_PARENT_44100])
+ clk_id = J721E_CLK_PARENT_44100;
++ else if (!(rate % 11025) && priv->pll_rates[J721E_CLK_PARENT_48000])
++ clk_id = J721E_CLK_PARENT_48000;
+ else
+ return ret;
+
+--
+2.39.5
+
--- /dev/null
+From 001aecd9ee1103a874ad1bc64388ec54df34cddf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Feb 2025 12:22:59 +0800
+Subject: bpf: Use preempt_count() directly in bpf_send_signal_common()
+
+From: Hou Tao <houtao1@huawei.com>
+
+[ Upstream commit b4a8b5bba712a711d8ca1f7d04646db63f9c88f5 ]
+
+bpf_send_signal_common() uses preemptible() to check whether or not the
+current context is preemptible. If it is preemptible, it will use
+irq_work to send the signal asynchronously instead of trying to hold a
+spin-lock, because spin-lock is sleepable under PREEMPT_RT.
+
+However, preemptible() depends on CONFIG_PREEMPT_COUNT. When
+CONFIG_PREEMPT_COUNT is turned off (e.g., CONFIG_PREEMPT_VOLUNTARY=y),
+!preemptible() will be evaluated as 1 and bpf_send_signal_common() will
+use irq_work unconditionally.
+
+Fix it by unfolding "!preemptible()" and using "preempt_count() != 0 ||
+irqs_disabled()" instead.
+
+Fixes: 87c544108b61 ("bpf: Send signals asynchronously if !preemptible")
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Link: https://lore.kernel.org/r/20250220042259.1583319-1-houtao@huaweicloud.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/bpf_trace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
+index 1656a7d9bb697..6957381b139ce 100644
+--- a/kernel/trace/bpf_trace.c
++++ b/kernel/trace/bpf_trace.c
+@@ -1081,7 +1081,7 @@ static int bpf_send_signal_common(u32 sig, enum pid_type type)
+ if (unlikely(is_global_init(current)))
+ return -EPERM;
+
+- if (!preemptible()) {
++ if (preempt_count() != 0 || irqs_disabled()) {
+ /* Do an early check on signal validity. Otherwise,
+ * the error is lost in deferred irq_work.
+ */
+--
+2.39.5
+
--- /dev/null
+From 8747a9f36e1b82b44fd4e7559f0f13e9a80214d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Mar 2025 15:33:53 +0100
+Subject: can: statistics: use atomic access in hot path
+
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+
+[ Upstream commit 80b5f90158d1364cbd80ad82852a757fc0692bf2 ]
+
+In can_send() and can_receive() CAN messages and CAN filter matches are
+counted to be visible in the CAN procfs files.
+
+KCSAN detected a data race within can_send() when two CAN frames have
+been generated by a timer event writing to the same CAN netdevice at the
+same time. Use atomic operations to access the statistics in the hot path
+to fix the KCSAN complaint.
+
+Reported-by: syzbot+78ce4489b812515d5e4d@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/67cd717d.050a0220.e1a89.0006.GAE@google.com
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Reviewed-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+Link: https://patch.msgid.link/20250310143353.3242-1-socketcan@hartkopp.net
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/can/af_can.c | 12 ++++++------
+ net/can/af_can.h | 12 ++++++------
+ net/can/proc.c | 46 +++++++++++++++++++++++++++-------------------
+ 3 files changed, 39 insertions(+), 31 deletions(-)
+
+diff --git a/net/can/af_can.c b/net/can/af_can.c
+index de47c16b134bf..3e77a52709aaa 100644
+--- a/net/can/af_can.c
++++ b/net/can/af_can.c
+@@ -288,8 +288,8 @@ int can_send(struct sk_buff *skb, int loop)
+ netif_rx_ni(newskb);
+
+ /* update statistics */
+- pkg_stats->tx_frames++;
+- pkg_stats->tx_frames_delta++;
++ atomic_long_inc(&pkg_stats->tx_frames);
++ atomic_long_inc(&pkg_stats->tx_frames_delta);
+
+ return 0;
+
+@@ -649,8 +649,8 @@ static void can_receive(struct sk_buff *skb, struct net_device *dev)
+ int matches;
+
+ /* update statistics */
+- pkg_stats->rx_frames++;
+- pkg_stats->rx_frames_delta++;
++ atomic_long_inc(&pkg_stats->rx_frames);
++ atomic_long_inc(&pkg_stats->rx_frames_delta);
+
+ /* create non-zero unique skb identifier together with *skb */
+ while (!(can_skb_prv(skb)->skbcnt))
+@@ -671,8 +671,8 @@ static void can_receive(struct sk_buff *skb, struct net_device *dev)
+ consume_skb(skb);
+
+ if (matches > 0) {
+- pkg_stats->matches++;
+- pkg_stats->matches_delta++;
++ atomic_long_inc(&pkg_stats->matches);
++ atomic_long_inc(&pkg_stats->matches_delta);
+ }
+ }
+
+diff --git a/net/can/af_can.h b/net/can/af_can.h
+index 7c2d9161e2245..22f3352c77fec 100644
+--- a/net/can/af_can.h
++++ b/net/can/af_can.h
+@@ -66,9 +66,9 @@ struct receiver {
+ struct can_pkg_stats {
+ unsigned long jiffies_init;
+
+- unsigned long rx_frames;
+- unsigned long tx_frames;
+- unsigned long matches;
++ atomic_long_t rx_frames;
++ atomic_long_t tx_frames;
++ atomic_long_t matches;
+
+ unsigned long total_rx_rate;
+ unsigned long total_tx_rate;
+@@ -82,9 +82,9 @@ struct can_pkg_stats {
+ unsigned long max_tx_rate;
+ unsigned long max_rx_match_ratio;
+
+- unsigned long rx_frames_delta;
+- unsigned long tx_frames_delta;
+- unsigned long matches_delta;
++ atomic_long_t rx_frames_delta;
++ atomic_long_t tx_frames_delta;
++ atomic_long_t matches_delta;
+ };
+
+ /* persistent statistics */
+diff --git a/net/can/proc.c b/net/can/proc.c
+index b15760b5c1cce..2be4a239f31e4 100644
+--- a/net/can/proc.c
++++ b/net/can/proc.c
+@@ -122,6 +122,13 @@ void can_stat_update(struct timer_list *t)
+ struct can_pkg_stats *pkg_stats = net->can.pkg_stats;
+ unsigned long j = jiffies; /* snapshot */
+
++ long rx_frames = atomic_long_read(&pkg_stats->rx_frames);
++ long tx_frames = atomic_long_read(&pkg_stats->tx_frames);
++ long matches = atomic_long_read(&pkg_stats->matches);
++ long rx_frames_delta = atomic_long_read(&pkg_stats->rx_frames_delta);
++ long tx_frames_delta = atomic_long_read(&pkg_stats->tx_frames_delta);
++ long matches_delta = atomic_long_read(&pkg_stats->matches_delta);
++
+ /* restart counting in timer context on user request */
+ if (user_reset)
+ can_init_stats(net);
+@@ -131,35 +138,33 @@ void can_stat_update(struct timer_list *t)
+ can_init_stats(net);
+
+ /* prevent overflow in calc_rate() */
+- if (pkg_stats->rx_frames > (ULONG_MAX / HZ))
++ if (rx_frames > (LONG_MAX / HZ))
+ can_init_stats(net);
+
+ /* prevent overflow in calc_rate() */
+- if (pkg_stats->tx_frames > (ULONG_MAX / HZ))
++ if (tx_frames > (LONG_MAX / HZ))
+ can_init_stats(net);
+
+ /* matches overflow - very improbable */
+- if (pkg_stats->matches > (ULONG_MAX / 100))
++ if (matches > (LONG_MAX / 100))
+ can_init_stats(net);
+
+ /* calc total values */
+- if (pkg_stats->rx_frames)
+- pkg_stats->total_rx_match_ratio = (pkg_stats->matches * 100) /
+- pkg_stats->rx_frames;
++ if (rx_frames)
++ pkg_stats->total_rx_match_ratio = (matches * 100) / rx_frames;
+
+ pkg_stats->total_tx_rate = calc_rate(pkg_stats->jiffies_init, j,
+- pkg_stats->tx_frames);
++ tx_frames);
+ pkg_stats->total_rx_rate = calc_rate(pkg_stats->jiffies_init, j,
+- pkg_stats->rx_frames);
++ rx_frames);
+
+ /* calc current values */
+- if (pkg_stats->rx_frames_delta)
++ if (rx_frames_delta)
+ pkg_stats->current_rx_match_ratio =
+- (pkg_stats->matches_delta * 100) /
+- pkg_stats->rx_frames_delta;
++ (matches_delta * 100) / rx_frames_delta;
+
+- pkg_stats->current_tx_rate = calc_rate(0, HZ, pkg_stats->tx_frames_delta);
+- pkg_stats->current_rx_rate = calc_rate(0, HZ, pkg_stats->rx_frames_delta);
++ pkg_stats->current_tx_rate = calc_rate(0, HZ, tx_frames_delta);
++ pkg_stats->current_rx_rate = calc_rate(0, HZ, rx_frames_delta);
+
+ /* check / update maximum values */
+ if (pkg_stats->max_tx_rate < pkg_stats->current_tx_rate)
+@@ -172,9 +177,9 @@ void can_stat_update(struct timer_list *t)
+ pkg_stats->max_rx_match_ratio = pkg_stats->current_rx_match_ratio;
+
+ /* clear values for 'current rate' calculation */
+- pkg_stats->tx_frames_delta = 0;
+- pkg_stats->rx_frames_delta = 0;
+- pkg_stats->matches_delta = 0;
++ atomic_long_set(&pkg_stats->tx_frames_delta, 0);
++ atomic_long_set(&pkg_stats->rx_frames_delta, 0);
++ atomic_long_set(&pkg_stats->matches_delta, 0);
+
+ /* restart timer (one second) */
+ mod_timer(&net->can.stattimer, round_jiffies(jiffies + HZ));
+@@ -216,9 +221,12 @@ static int can_stats_proc_show(struct seq_file *m, void *v)
+ struct can_rcv_lists_stats *rcv_lists_stats = net->can.rcv_lists_stats;
+
+ seq_putc(m, '\n');
+- seq_printf(m, " %8ld transmitted frames (TXF)\n", pkg_stats->tx_frames);
+- seq_printf(m, " %8ld received frames (RXF)\n", pkg_stats->rx_frames);
+- seq_printf(m, " %8ld matched frames (RXMF)\n", pkg_stats->matches);
++ seq_printf(m, " %8ld transmitted frames (TXF)\n",
++ atomic_long_read(&pkg_stats->tx_frames));
++ seq_printf(m, " %8ld received frames (RXF)\n",
++ atomic_long_read(&pkg_stats->rx_frames));
++ seq_printf(m, " %8ld matched frames (RXMF)\n",
++ atomic_long_read(&pkg_stats->matches));
+
+ seq_putc(m, '\n');
+
+--
+2.39.5
+
--- /dev/null
+From 3119dbeceb4b3d351845b85d309f518592adf6ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Dec 2024 11:03:23 +0100
+Subject: clk: amlogic: g12a: fix mmc A peripheral clock
+
+From: Jerome Brunet <jbrunet@baylibre.com>
+
+[ Upstream commit 0079e77c08de692cb20b38e408365c830a44b1ef ]
+
+The bit index of the peripheral clock for mmc A is wrong
+This was probably not a problem for mmc A as the peripheral is likely left
+enabled by the bootloader.
+
+No issues has been reported so far but it could be a problem, most likely
+some form of conflict between the ethernet and mmc A clock, breaking
+ethernet on init.
+
+Use the value provided by the documentation for mmc A before this
+becomes an actual problem.
+
+Fixes: 085a4ea93d54 ("clk: meson: g12a: add peripheral clock controller")
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://lore.kernel.org/r/20241213-amlogic-clk-g12a-mmca-fix-v1-1-5af421f58b64@baylibre.com
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/meson/g12a.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/meson/g12a.c b/drivers/clk/meson/g12a.c
+index 870cac6dd0453..3280b7410a13f 100644
+--- a/drivers/clk/meson/g12a.c
++++ b/drivers/clk/meson/g12a.c
+@@ -4136,7 +4136,7 @@ static MESON_GATE(g12a_spicc_1, HHI_GCLK_MPEG0, 14);
+ static MESON_GATE(g12a_hiu_reg, HHI_GCLK_MPEG0, 19);
+ static MESON_GATE(g12a_mipi_dsi_phy, HHI_GCLK_MPEG0, 20);
+ static MESON_GATE(g12a_assist_misc, HHI_GCLK_MPEG0, 23);
+-static MESON_GATE(g12a_emmc_a, HHI_GCLK_MPEG0, 4);
++static MESON_GATE(g12a_emmc_a, HHI_GCLK_MPEG0, 24);
+ static MESON_GATE(g12a_emmc_b, HHI_GCLK_MPEG0, 25);
+ static MESON_GATE(g12a_emmc_c, HHI_GCLK_MPEG0, 26);
+ static MESON_GATE(g12a_audio_codec, HHI_GCLK_MPEG0, 28);
+--
+2.39.5
+
--- /dev/null
+From e82c410aeaaaa1a438a15d14ce37a132b86c60b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Dec 2024 15:30:17 +0100
+Subject: clk: amlogic: g12b: fix cluster A parent data
+
+From: Jerome Brunet <jbrunet@baylibre.com>
+
+[ Upstream commit 8995f8f108c3ac5ad52b12a6cfbbc7b3b32e9a58 ]
+
+Several clocks used by both g12a and g12b use the g12a cpu A clock hw
+pointer as clock parent. This is incorrect on g12b since the parents of
+cluster A cpu clock are different. Also the hw clock provided as parent to
+these children is not even registered clock on g12b.
+
+Fix the problem by reverting to the global namespace and let CCF pick
+the appropriate, as it is already done for other clocks, such as
+cpu_clk_trace_div.
+
+Fixes: 25e682a02d91 ("clk: meson: g12a: migrate to the new parent description method")
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://lore.kernel.org/r/20241213-amlogic-clk-g12a-cpua-parent-fix-v1-1-d8c0f41865fe@baylibre.com
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/meson/g12a.c | 36 ++++++++++++++++++++++++------------
+ 1 file changed, 24 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/clk/meson/g12a.c b/drivers/clk/meson/g12a.c
+index 2876bb83d9d0e..870cac6dd0453 100644
+--- a/drivers/clk/meson/g12a.c
++++ b/drivers/clk/meson/g12a.c
+@@ -1135,8 +1135,18 @@ static struct clk_regmap g12a_cpu_clk_div16_en = {
+ .hw.init = &(struct clk_init_data) {
+ .name = "cpu_clk_div16_en",
+ .ops = &clk_regmap_gate_ro_ops,
+- .parent_hws = (const struct clk_hw *[]) {
+- &g12a_cpu_clk.hw
++ .parent_data = &(const struct clk_parent_data) {
++ /*
++ * Note:
++ * G12A and G12B have different cpu clocks (with
++ * different struct clk_hw). We fallback to the global
++ * naming string mechanism so this clock picks
++ * up the appropriate one. Same goes for the other
++ * clock using cpu cluster A clock output and present
++ * on both G12 variant.
++ */
++ .name = "cpu_clk",
++ .index = -1,
+ },
+ .num_parents = 1,
+ /*
+@@ -1201,7 +1211,10 @@ static struct clk_regmap g12a_cpu_clk_apb_div = {
+ .hw.init = &(struct clk_init_data){
+ .name = "cpu_clk_apb_div",
+ .ops = &clk_regmap_divider_ro_ops,
+- .parent_hws = (const struct clk_hw *[]) { &g12a_cpu_clk.hw },
++ .parent_data = &(const struct clk_parent_data) {
++ .name = "cpu_clk",
++ .index = -1,
++ },
+ .num_parents = 1,
+ },
+ };
+@@ -1235,7 +1248,10 @@ static struct clk_regmap g12a_cpu_clk_atb_div = {
+ .hw.init = &(struct clk_init_data){
+ .name = "cpu_clk_atb_div",
+ .ops = &clk_regmap_divider_ro_ops,
+- .parent_hws = (const struct clk_hw *[]) { &g12a_cpu_clk.hw },
++ .parent_data = &(const struct clk_parent_data) {
++ .name = "cpu_clk",
++ .index = -1,
++ },
+ .num_parents = 1,
+ },
+ };
+@@ -1269,7 +1285,10 @@ static struct clk_regmap g12a_cpu_clk_axi_div = {
+ .hw.init = &(struct clk_init_data){
+ .name = "cpu_clk_axi_div",
+ .ops = &clk_regmap_divider_ro_ops,
+- .parent_hws = (const struct clk_hw *[]) { &g12a_cpu_clk.hw },
++ .parent_data = &(const struct clk_parent_data) {
++ .name = "cpu_clk",
++ .index = -1,
++ },
+ .num_parents = 1,
+ },
+ };
+@@ -1304,13 +1323,6 @@ static struct clk_regmap g12a_cpu_clk_trace_div = {
+ .name = "cpu_clk_trace_div",
+ .ops = &clk_regmap_divider_ro_ops,
+ .parent_data = &(const struct clk_parent_data) {
+- /*
+- * Note:
+- * G12A and G12B have different cpu_clks (with
+- * different struct clk_hw). We fallback to the global
+- * naming string mechanism so cpu_clk_trace_div picks
+- * up the appropriate one.
+- */
+ .name = "cpu_clk",
+ .index = -1,
+ },
+--
+2.39.5
+
--- /dev/null
+From e7475d20c8afc9a8a17bc5783254d20d7a1582d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Dec 2024 11:25:36 +0100
+Subject: clk: amlogic: gxbb: drop incorrect flag on 32k clock
+
+From: Jerome Brunet <jbrunet@baylibre.com>
+
+[ Upstream commit f38f7fe4830c5cb4eac138249225f119e7939965 ]
+
+gxbb_32k_clk_div sets CLK_DIVIDER_ROUND_CLOSEST in the init_data flag which
+is incorrect. This is field is not where the divider flags belong.
+
+Thankfully, CLK_DIVIDER_ROUND_CLOSEST maps to bit 4 which is an unused
+clock flag, so there is no unintended consequence to this error.
+
+Effectively, the clock has been used without CLK_DIVIDER_ROUND_CLOSEST
+so far, so just drop it.
+
+Fixes: 14c735c8e308 ("clk: meson-gxbb: Add EE 32K Clock for CEC")
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://lore.kernel.org/r/20241220-amlogic-clk-gxbb-32k-fixes-v1-1-baca56ecf2db@baylibre.com
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/meson/gxbb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/meson/gxbb.c b/drivers/clk/meson/gxbb.c
+index d42551a46ec91..a6428823371bf 100644
+--- a/drivers/clk/meson/gxbb.c
++++ b/drivers/clk/meson/gxbb.c
+@@ -1309,7 +1309,7 @@ static struct clk_regmap gxbb_32k_clk_div = {
+ &gxbb_32k_clk_sel.hw
+ },
+ .num_parents = 1,
+- .flags = CLK_SET_RATE_PARENT | CLK_DIVIDER_ROUND_CLOSEST,
++ .flags = CLK_SET_RATE_PARENT,
+ },
+ };
+
+--
+2.39.5
+
--- /dev/null
+From b1076f5c3181ff948bbbe727d161508291b9bca5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Dec 2024 11:25:37 +0100
+Subject: clk: amlogic: gxbb: drop non existing 32k clock parent
+
+From: Jerome Brunet <jbrunet@baylibre.com>
+
+[ Upstream commit 7915d7d5407c026fa9343befb4d3343f7a345f97 ]
+
+The 32k clock reference a parent 'cts_slow_oscin' with a fixme note saying
+that this clock should be provided by AO controller.
+
+The HW probably has this clock but it does not exist at the moment in
+any controller implementation. Furthermore, referencing clock by the global
+name should be avoided whenever possible.
+
+There is no reason to keep this hack around, at least for now.
+
+Fixes: 14c735c8e308 ("clk: meson-gxbb: Add EE 32K Clock for CEC")
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://lore.kernel.org/r/20241220-amlogic-clk-gxbb-32k-fixes-v1-2-baca56ecf2db@baylibre.com
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/meson/gxbb.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/clk/meson/gxbb.c b/drivers/clk/meson/gxbb.c
+index a6428823371bf..cfdb1ce6d361c 100644
+--- a/drivers/clk/meson/gxbb.c
++++ b/drivers/clk/meson/gxbb.c
+@@ -1269,14 +1269,13 @@ static struct clk_regmap gxbb_cts_i958 = {
+ },
+ };
+
++/*
++ * This table skips a clock named 'cts_slow_oscin' in the documentation
++ * This clock does not exist yet in this controller or the AO one
++ */
++static u32 gxbb_32k_clk_parents_val_table[] = { 0, 2, 3 };
+ static const struct clk_parent_data gxbb_32k_clk_parent_data[] = {
+ { .fw_name = "xtal", },
+- /*
+- * FIXME: This clock is provided by the ao clock controller but the
+- * clock is not yet part of the binding of this controller, so string
+- * name must be use to set this parent.
+- */
+- { .name = "cts_slow_oscin", .index = -1 },
+ { .hw = &gxbb_fclk_div3.hw },
+ { .hw = &gxbb_fclk_div5.hw },
+ };
+@@ -1286,6 +1285,7 @@ static struct clk_regmap gxbb_32k_clk_sel = {
+ .offset = HHI_32K_CLK_CNTL,
+ .mask = 0x3,
+ .shift = 16,
++ .table = gxbb_32k_clk_parents_val_table,
+ },
+ .hw.init = &(struct clk_init_data){
+ .name = "32k_clk_sel",
+--
+2.39.5
+
--- /dev/null
+From c3e9020fc511d1ae131e2620d7d46f326b44d7b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Jan 2025 01:26:22 +0000
+Subject: clk: rockchip: rk3328: fix wrong clk_ref_usb3otg parent
+
+From: Peter Geis <pgwipeout@gmail.com>
+
+[ Upstream commit a9e60f1ffe1ca57d6af6a2573e2f950e76efbf5b ]
+
+Correct the clk_ref_usb3otg parent to fix clock control for the usb3
+controller on rk3328. Verified against the rk3328 trm, the rk3228h trm,
+and the rk3328 usb3 phy clock map.
+
+Fixes: fe3511ad8a1c ("clk: rockchip: add clock controller for rk3328")
+Signed-off-by: Peter Geis <pgwipeout@gmail.com>
+Reviewed-by: Dragan Simic <dsimic@manjaro.org>
+Link: https://lore.kernel.org/r/20250115012628.1035928-2-pgwipeout@gmail.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/rockchip/clk-rk3328.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/rockchip/clk-rk3328.c b/drivers/clk/rockchip/clk-rk3328.c
+index 2429b7c2a8b31..f021887147499 100644
+--- a/drivers/clk/rockchip/clk-rk3328.c
++++ b/drivers/clk/rockchip/clk-rk3328.c
+@@ -200,7 +200,7 @@ PNAME(mux_aclk_peri_pre_p) = { "cpll_peri",
+ "gpll_peri",
+ "hdmiphy_peri" };
+ PNAME(mux_ref_usb3otg_src_p) = { "xin24m",
+- "clk_usb3otg_ref" };
++ "clk_ref_usb3otg_src" };
+ PNAME(mux_xin24m_32k_p) = { "xin24m",
+ "clk_rtc32k" };
+ PNAME(mux_mac2io_src_p) = { "clk_mac2io_src",
+--
+2.39.5
+
--- /dev/null
+From 4be5ba3f224a0a5078a420ff19180015093994d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Feb 2025 10:32:52 -0800
+Subject: clk: samsung: Fix UBSAN panic in samsung_clk_init()
+
+From: Will McVicker <willmcvicker@google.com>
+
+[ Upstream commit d19d7345a7bcdb083b65568a11b11adffe0687af ]
+
+With UBSAN_ARRAY_BOUNDS=y, I'm hitting the below panic due to
+dereferencing `ctx->clk_data.hws` before setting
+`ctx->clk_data.num = nr_clks`. Move that up to fix the crash.
+
+ UBSAN: array index out of bounds: 00000000f2005512 [#1] PREEMPT SMP
+ <snip>
+ Call trace:
+ samsung_clk_init+0x110/0x124 (P)
+ samsung_clk_init+0x48/0x124 (L)
+ samsung_cmu_register_one+0x3c/0xa0
+ exynos_arm64_register_cmu+0x54/0x64
+ __gs101_cmu_top_of_clk_init_declare+0x28/0x60
+ ...
+
+Fixes: e620a1e061c4 ("drivers/clk: convert VL struct to struct_size")
+Signed-off-by: Will McVicker <willmcvicker@google.com>
+Link: https://lore.kernel.org/r/20250212183253.509771-1-willmcvicker@google.com
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/samsung/clk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/samsung/clk.c b/drivers/clk/samsung/clk.c
+index 1949ae7851b2e..0468ce5506aef 100644
+--- a/drivers/clk/samsung/clk.c
++++ b/drivers/clk/samsung/clk.c
+@@ -64,11 +64,11 @@ struct samsung_clk_provider *__init samsung_clk_init(struct device_node *np,
+ if (!ctx)
+ panic("could not allocate clock provider context.\n");
+
++ ctx->clk_data.num = nr_clks;
+ for (i = 0; i < nr_clks; ++i)
+ ctx->clk_data.hws[i] = ERR_PTR(-ENOENT);
+
+ ctx->reg_base = base;
+- ctx->clk_data.num = nr_clks;
+ spin_lock_init(&ctx->lock);
+
+ return ctx;
+--
+2.39.5
+
--- /dev/null
+From f500d0590e7f7a7495bc446012b795d8eb899cfc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Jan 2025 21:53:48 +0000
+Subject: coresight: catu: Fix number of pages while using 64k pages
+
+From: Ilkka Koskinen <ilkka@os.amperecomputing.com>
+
+[ Upstream commit 0e14e062f5ff98aa15264dfa87c5f5e924028561 ]
+
+Trying to record a trace on kernel with 64k pages resulted in -ENOMEM.
+This happens due to a bug in calculating the number of table pages, which
+returns zero. Fix the issue by rounding up.
+
+$ perf record --kcore -e cs_etm/@tmc_etr55,cycacc,branch_broadcast/k --per-thread taskset --cpu-list 1 dd if=/dev/zero of=/dev/null
+failed to mmap with 12 (Cannot allocate memory)
+
+Fixes: 8ed536b1e283 ("coresight: catu: Add support for scatter gather tables")
+Signed-off-by: Ilkka Koskinen <ilkka@os.amperecomputing.com>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Link: https://lore.kernel.org/r/20250109215348.5483-1-ilkka@os.amperecomputing.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwtracing/coresight/coresight-catu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hwtracing/coresight/coresight-catu.c b/drivers/hwtracing/coresight/coresight-catu.c
+index 8e19e8cdcce5e..3357e55fc5590 100644
+--- a/drivers/hwtracing/coresight/coresight-catu.c
++++ b/drivers/hwtracing/coresight/coresight-catu.c
+@@ -267,7 +267,7 @@ catu_init_sg_table(struct device *catu_dev, int node,
+ * Each table can address upto 1MB and we can have
+ * CATU_PAGES_PER_SYSPAGE tables in a system page.
+ */
+- nr_tpages = DIV_ROUND_UP(size, SZ_1M) / CATU_PAGES_PER_SYSPAGE;
++ nr_tpages = DIV_ROUND_UP(size, CATU_PAGES_PER_SYSPAGE * SZ_1M);
+ catu_table = tmc_alloc_sg_table(catu_dev, node, nr_tpages,
+ size >> PAGE_SHIFT, pages);
+ if (IS_ERR(catu_table))
+--
+2.39.5
+
--- /dev/null
+From 6728ebb01cbeb73ee1933c845c36133dfaa6dacc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Feb 2025 11:55:10 +0800
+Subject: cpufreq: governor: Fix negative 'idle_time' handling in dbs_update()
+
+From: Jie Zhan <zhanjie9@hisilicon.com>
+
+[ Upstream commit 3698dd6b139dc37b35a9ad83d9330c1f99666c02 ]
+
+We observed an issue that the CPU frequency can't raise up with a 100% CPU
+load when NOHZ is off and the 'conservative' governor is selected.
+
+'idle_time' can be negative if it's obtained from get_cpu_idle_time_jiffy()
+when NOHZ is off. This was found and explained in commit 9485e4ca0b48
+("cpufreq: governor: Fix handling of special cases in dbs_update()").
+
+However, commit 7592019634f8 ("cpufreq: governors: Fix long idle detection
+logic in load calculation") introduced a comparison between 'idle_time' and
+'samling_rate' to detect a long idle interval. While 'idle_time' is
+converted to int before comparison, it's actually promoted to unsigned
+again when compared with an unsigned 'sampling_rate'. Hence, this leads to
+wrong idle interval detection when it's in fact 100% busy and sets
+policy_dbs->idle_periods to a very large value. 'conservative' adjusts the
+frequency to minimum because of the large 'idle_periods', such that the
+frequency can't raise up. 'Ondemand' doesn't use policy_dbs->idle_periods
+so it fortunately avoids the issue.
+
+Correct negative 'idle_time' to 0 before any use of it in dbs_update().
+
+Fixes: 7592019634f8 ("cpufreq: governors: Fix long idle detection logic in load calculation")
+Signed-off-by: Jie Zhan <zhanjie9@hisilicon.com>
+Reviewed-by: Chen Yu <yu.c.chen@intel.com>
+Link: https://patch.msgid.link/20250213035510.2402076-1-zhanjie9@hisilicon.com
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/cpufreq_governor.c | 45 +++++++++++++++---------------
+ 1 file changed, 23 insertions(+), 22 deletions(-)
+
+diff --git a/drivers/cpufreq/cpufreq_governor.c b/drivers/cpufreq/cpufreq_governor.c
+index 63f7c219062b9..d8b1a0d4cd21f 100644
+--- a/drivers/cpufreq/cpufreq_governor.c
++++ b/drivers/cpufreq/cpufreq_governor.c
+@@ -145,7 +145,23 @@ unsigned int dbs_update(struct cpufreq_policy *policy)
+ time_elapsed = update_time - j_cdbs->prev_update_time;
+ j_cdbs->prev_update_time = update_time;
+
+- idle_time = cur_idle_time - j_cdbs->prev_cpu_idle;
++ /*
++ * cur_idle_time could be smaller than j_cdbs->prev_cpu_idle if
++ * it's obtained from get_cpu_idle_time_jiffy() when NOHZ is
++ * off, where idle_time is calculated by the difference between
++ * time elapsed in jiffies and "busy time" obtained from CPU
++ * statistics. If a CPU is 100% busy, the time elapsed and busy
++ * time should grow with the same amount in two consecutive
++ * samples, but in practice there could be a tiny difference,
++ * making the accumulated idle time decrease sometimes. Hence,
++ * in this case, idle_time should be regarded as 0 in order to
++ * make the further process correct.
++ */
++ if (cur_idle_time > j_cdbs->prev_cpu_idle)
++ idle_time = cur_idle_time - j_cdbs->prev_cpu_idle;
++ else
++ idle_time = 0;
++
+ j_cdbs->prev_cpu_idle = cur_idle_time;
+
+ if (ignore_nice) {
+@@ -162,7 +178,7 @@ unsigned int dbs_update(struct cpufreq_policy *policy)
+ * calls, so the previous load value can be used then.
+ */
+ load = j_cdbs->prev_load;
+- } else if (unlikely((int)idle_time > 2 * sampling_rate &&
++ } else if (unlikely(idle_time > 2 * sampling_rate &&
+ j_cdbs->prev_load)) {
+ /*
+ * If the CPU had gone completely idle and a task has
+@@ -189,30 +205,15 @@ unsigned int dbs_update(struct cpufreq_policy *policy)
+ load = j_cdbs->prev_load;
+ j_cdbs->prev_load = 0;
+ } else {
+- if (time_elapsed >= idle_time) {
++ if (time_elapsed > idle_time)
+ load = 100 * (time_elapsed - idle_time) / time_elapsed;
+- } else {
+- /*
+- * That can happen if idle_time is returned by
+- * get_cpu_idle_time_jiffy(). In that case
+- * idle_time is roughly equal to the difference
+- * between time_elapsed and "busy time" obtained
+- * from CPU statistics. Then, the "busy time"
+- * can end up being greater than time_elapsed
+- * (for example, if jiffies_64 and the CPU
+- * statistics are updated by different CPUs),
+- * so idle_time may in fact be negative. That
+- * means, though, that the CPU was busy all
+- * the time (on the rough average) during the
+- * last sampling interval and 100 can be
+- * returned as the load.
+- */
+- load = (int)idle_time < 0 ? 100 : 0;
+- }
++ else
++ load = 0;
++
+ j_cdbs->prev_load = load;
+ }
+
+- if (unlikely((int)idle_time > 2 * sampling_rate)) {
++ if (unlikely(idle_time > 2 * sampling_rate)) {
+ unsigned int periods = idle_time / sampling_rate;
+
+ if (periods < idle_periods)
+--
+2.39.5
+
--- /dev/null
+From 8cfa8120c1f76b5bdc8e0e9fbb04dec65e34c32c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 Jan 2025 08:49:49 +0000
+Subject: cpufreq: scpi: compare kHz instead of Hz
+
+From: zuoqian <zuoqian113@gmail.com>
+
+[ Upstream commit 4742da9774a416908ef8e3916164192c15c0e2d1 ]
+
+The CPU rate from clk_get_rate() may not be divisible by 1000
+(e.g., 133333333). But the rate calculated from frequency(kHz) is
+always divisible by 1000 (e.g., 133333000).
+Comparing the rate causes a warning during CPU scaling:
+"cpufreq: __target_index: Failed to change cpu frequency: -5".
+When we choose to compare kHz here, the issue does not occur.
+
+Fixes: 343a8d17fa8d ("cpufreq: scpi: remove arm_big_little dependency")
+Signed-off-by: zuoqian <zuoqian113@gmail.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/scpi-cpufreq.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/cpufreq/scpi-cpufreq.c b/drivers/cpufreq/scpi-cpufreq.c
+index e5140ad63db83..c79cdf1be7803 100644
+--- a/drivers/cpufreq/scpi-cpufreq.c
++++ b/drivers/cpufreq/scpi-cpufreq.c
+@@ -47,8 +47,9 @@ static unsigned int scpi_cpufreq_get_rate(unsigned int cpu)
+ static int
+ scpi_cpufreq_set_target(struct cpufreq_policy *policy, unsigned int index)
+ {
+- u64 rate = policy->freq_table[index].frequency * 1000;
++ unsigned long freq_khz = policy->freq_table[index].frequency;
+ struct scpi_data *priv = policy->driver_data;
++ unsigned long rate = freq_khz * 1000;
+ int ret;
+
+ ret = clk_set_rate(priv->clk, rate);
+@@ -56,7 +57,7 @@ scpi_cpufreq_set_target(struct cpufreq_policy *policy, unsigned int index)
+ if (ret)
+ return ret;
+
+- if (clk_get_rate(priv->clk) != rate)
++ if (clk_get_rate(priv->clk) / 1000 != freq_khz)
+ return -EIO;
+
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From aa8e3d0cfc97904db76f6f03875cec8dce4c8b37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Feb 2025 11:56:26 +0800
+Subject: crypto: hisilicon/sec2 - fix for aead auth key length
+
+From: Wenkai Lin <linwenkai6@hisilicon.com>
+
+[ Upstream commit 1b284ffc30b02808a0de698667cbcf5ce5f9144e ]
+
+According to the HMAC RFC, the authentication key
+can be 0 bytes, and the hardware can handle this
+scenario. Therefore, remove the incorrect validation
+for this case.
+
+Fixes: 2f072d75d1ab ("crypto: hisilicon - Add aead support on SEC2")
+Signed-off-by: Wenkai Lin <linwenkai6@hisilicon.com>
+Signed-off-by: Chenghai Huang <huangchenghai2@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/hisilicon/sec2/sec_crypto.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/crypto/hisilicon/sec2/sec_crypto.c b/drivers/crypto/hisilicon/sec2/sec_crypto.c
+index 2dbec638cca83..ce2ff9538c8dc 100644
+--- a/drivers/crypto/hisilicon/sec2/sec_crypto.c
++++ b/drivers/crypto/hisilicon/sec2/sec_crypto.c
+@@ -856,11 +856,6 @@ static int sec_aead_auth_set_key(struct sec_auth_ctx *ctx,
+ struct crypto_shash *hash_tfm = ctx->hash_tfm;
+ int blocksize, ret;
+
+- if (!keys->authkeylen) {
+- pr_err("hisi_sec2: aead auth key error!\n");
+- return -EINVAL;
+- }
+-
+ blocksize = crypto_shash_blocksize(hash_tfm);
+ if (keys->authkeylen > blocksize) {
+ ret = crypto_shash_tfm_digest(hash_tfm, keys->authkey,
+@@ -871,7 +866,8 @@ static int sec_aead_auth_set_key(struct sec_auth_ctx *ctx,
+ }
+ ctx->a_key_len = blocksize;
+ } else {
+- memcpy(ctx->a_key, keys->authkey, keys->authkeylen);
++ if (keys->authkeylen)
++ memcpy(ctx->a_key, keys->authkey, keys->authkeylen);
+ ctx->a_key_len = keys->authkeylen;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From a564376f887ccce692676ea98af902a47eec2a03 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Feb 2025 01:28:51 +0500
+Subject: drm/amd/display: fix type mismatch in
+ CalculateDynamicMetadataParameters()
+
+From: Vitaliy Shevtsov <v.shevtsov@mt-integration.ru>
+
+[ Upstream commit c3c584c18c90a024a54716229809ba36424f9660 ]
+
+There is a type mismatch between what CalculateDynamicMetadataParameters()
+takes and what is passed to it. Currently this function accepts several
+args as signed long but it's called with unsigned integers and integer. On
+some systems where long is 32 bits and one of these unsigned int params is
+greater than INT_MAX it may cause passing input params as negative values.
+
+Fix this by changing these argument types from long to unsigned int and to
+int respectively. Also this will align the function's definition with
+similar functions in other dcn* drivers.
+
+Found by Linux Verification Center (linuxtesting.org) with Svace.
+
+Fixes: 6725a88f88a7 ("drm/amd/display: Add DCN3 DML")
+Signed-off-by: Vitaliy Shevtsov <v.shevtsov@mt-integration.ru>
+Reviewed-by: Alex Hung <alex.hung@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../amd/display/dc/dml/dcn30/display_mode_vba_30.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c b/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c
+index e5b1002d7f3f0..ed4e7f3728ab3 100644
+--- a/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c
++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c
+@@ -283,10 +283,10 @@ static void CalculateDynamicMetadataParameters(
+ double DISPCLK,
+ double DCFClkDeepSleep,
+ double PixelClock,
+- long HTotal,
+- long VBlank,
+- long DynamicMetadataTransmittedBytes,
+- long DynamicMetadataLinesBeforeActiveRequired,
++ unsigned int HTotal,
++ unsigned int VBlank,
++ unsigned int DynamicMetadataTransmittedBytes,
++ int DynamicMetadataLinesBeforeActiveRequired,
+ int InterlaceEnable,
+ bool ProgressiveToInterlaceUnitInOPP,
+ double *Tsetup,
+@@ -3373,8 +3373,8 @@ static double CalculateWriteBackDelay(
+
+
+ static void CalculateDynamicMetadataParameters(int MaxInterDCNTileRepeaters, double DPPCLK, double DISPCLK,
+- double DCFClkDeepSleep, double PixelClock, long HTotal, long VBlank, long DynamicMetadataTransmittedBytes,
+- long DynamicMetadataLinesBeforeActiveRequired, int InterlaceEnable, bool ProgressiveToInterlaceUnitInOPP,
++ double DCFClkDeepSleep, double PixelClock, unsigned int HTotal, unsigned int VBlank, unsigned int DynamicMetadataTransmittedBytes,
++ int DynamicMetadataLinesBeforeActiveRequired, int InterlaceEnable, bool ProgressiveToInterlaceUnitInOPP,
+ double *Tsetup, double *Tdmbf, double *Tdmec, double *Tdmsks)
+ {
+ double TotalRepeaterDelayTime = 0;
+--
+2.39.5
+
--- /dev/null
+From 8753456a72ee8020da6752fae8e1b941da1e11ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Jan 2025 17:10:59 +0800
+Subject: drm/dp_mst: Fix drm RAD print
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wayne Lin <Wayne.Lin@amd.com>
+
+[ Upstream commit 6bbce873a9c97cb12f5455c497be279ac58e707f ]
+
+[Why]
+The RAD of sideband message printed today is incorrect.
+For RAD stored within MST branch
+- If MST branch LCT is 1, it's RAD array is untouched and remained as 0.
+- If MST branch LCT is larger than 1, use nibble to store the up facing
+ port number in cascaded sequence as illustrated below:
+
+ u8 RAD[0] = (LCT_2_UFP << 4) | LCT_3_UFP
+ RAD[1] = (LCT_4_UFP << 4) | LCT_5_UFP
+ ...
+
+In drm_dp_mst_rad_to_str(), it wrongly to use BIT_MASK(4) to fetch the port
+number of one nibble.
+
+[How]
+Adjust the code by:
+- RAD array items are valuable only for LCT >= 1.
+- Use 0xF as the mask to replace BIT_MASK(4)
+
+V2:
+- Document how RAD is constructed (Imre)
+
+V3:
+- Adjust the comment for rad[] so kdoc formats it properly (Lyude)
+
+Fixes: 2f015ec6eab6 ("drm/dp_mst: Add sideband down request tracing + selftests")
+Cc: Imre Deak <imre.deak@intel.com>
+Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Cc: Harry Wentland <hwentlan@amd.com>
+Cc: Lyude Paul <lyude@redhat.com>
+Reviewed-by: Lyude Paul <lyude@redhat.com>
+Signed-off-by: Wayne Lin <Wayne.Lin@amd.com>
+Signed-off-by: Lyude Paul <lyude@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20250113091100.3314533-2-Wayne.Lin@amd.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_dp_mst_topology.c | 8 ++++----
+ include/drm/drm_dp_mst_helper.h | 7 +++++++
+ 2 files changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c b/drivers/gpu/drm/drm_dp_mst_topology.c
+index 0eb2f30c1e3e1..702ab61484250 100644
+--- a/drivers/gpu/drm/drm_dp_mst_topology.c
++++ b/drivers/gpu/drm/drm_dp_mst_topology.c
+@@ -178,13 +178,13 @@ static int
+ drm_dp_mst_rad_to_str(const u8 rad[8], u8 lct, char *out, size_t len)
+ {
+ int i;
+- u8 unpacked_rad[16];
++ u8 unpacked_rad[16] = {};
+
+- for (i = 0; i < lct; i++) {
++ for (i = 1; i < lct; i++) {
+ if (i % 2)
+- unpacked_rad[i] = rad[i / 2] >> 4;
++ unpacked_rad[i] = rad[(i - 1) / 2] >> 4;
+ else
+- unpacked_rad[i] = rad[i / 2] & BIT_MASK(4);
++ unpacked_rad[i] = rad[(i - 1) / 2] & 0xF;
+ }
+
+ /* TODO: Eventually add something to printk so we can format the rad
+diff --git a/include/drm/drm_dp_mst_helper.h b/include/drm/drm_dp_mst_helper.h
+index bd1c39907b924..9c14d181397ca 100644
+--- a/include/drm/drm_dp_mst_helper.h
++++ b/include/drm/drm_dp_mst_helper.h
+@@ -232,6 +232,13 @@ struct drm_dp_mst_branch {
+ */
+ struct list_head destroy_next;
+
++ /**
++ * @rad: Relative Address of the MST branch.
++ * For &drm_dp_mst_topology_mgr.mst_primary, it's rad[8] are all 0,
++ * unset and unused. For MST branches connected after mst_primary,
++ * in each element of rad[] the nibbles are ordered by the most
++ * signifcant 4 bits first and the least significant 4 bits second.
++ */
+ u8 rad[8];
+ u8 lct;
+ int num_ports;
+--
+2.39.5
+
--- /dev/null
+From f8d25f9e0430315382b439f9c365232f728c3259 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Jan 2025 12:35:57 +0300
+Subject: drm/mediatek: dsi: fix error codes in mtk_dsi_host_transfer()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit dcb166ee43c3d594e7b73a24f6e8cf5663eeff2c ]
+
+There is a type bug because the return statement:
+
+ return ret < 0 ? ret : recv_cnt;
+
+The issue is that ret is an int, recv_cnt is a u32 and the function
+returns ssize_t, which is a signed long. The way that the type promotion
+works is that the negative error codes are first cast to u32 and then
+to signed long. The error codes end up being positive instead of
+negative and the callers treat them as success.
+
+Fixes: 81cc7e51c4f1 ("drm/mediatek: Allow commands to be sent during video mode")
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/r/202412210801.iADw0oIH-lkp@intel.com/
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Reviewed-by: CK Hu <ck.hu@mediatek.com>
+Link: https://patchwork.kernel.org/project/dri-devel/patch/b754a408-4f39-4e37-b52d-7706c132e27f@stanley.mountain/
+Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mediatek/mtk_dsi.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/mediatek/mtk_dsi.c b/drivers/gpu/drm/mediatek/mtk_dsi.c
+index 17d45f06cedf3..3fa22af13f745 100644
+--- a/drivers/gpu/drm/mediatek/mtk_dsi.c
++++ b/drivers/gpu/drm/mediatek/mtk_dsi.c
+@@ -920,12 +920,12 @@ static ssize_t mtk_dsi_host_transfer(struct mipi_dsi_host *host,
+ const struct mipi_dsi_msg *msg)
+ {
+ struct mtk_dsi *dsi = host_to_dsi(host);
+- u32 recv_cnt, i;
++ ssize_t recv_cnt;
+ u8 read_data[16];
+ void *src_addr;
+ u8 irq_flag = CMD_DONE_INT_FLAG;
+ u32 dsi_mode;
+- int ret;
++ int ret, i;
+
+ dsi_mode = readl(dsi->regs + DSI_MODE_CTRL);
+ if (dsi_mode & MODE) {
+@@ -974,7 +974,7 @@ static ssize_t mtk_dsi_host_transfer(struct mipi_dsi_host *host,
+ if (recv_cnt)
+ memcpy(msg->rx_buf, src_addr, recv_cnt);
+
+- DRM_INFO("dsi get %d byte data from the panel address(0x%x)\n",
++ DRM_INFO("dsi get %zd byte data from the panel address(0x%x)\n",
+ recv_cnt, *((u8 *)(msg->tx_buf)));
+
+ restore_dsi_mode:
+--
+2.39.5
+
--- /dev/null
+From da67c971ba539bcdb1e9f63d8e83722df1835f3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Feb 2025 16:48:12 +0100
+Subject: drm/mediatek: mtk_hdmi: Fix typo for aud_sampe_size member
+
+From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+
+[ Upstream commit 72fcb88e7bbc053ed4fc74cebb0315b98a0f20c3 ]
+
+Rename member aud_sampe_size of struct hdmi_audio_param to
+aud_sample_size to fix a typo and enhance readability.
+
+This commit brings no functional changes.
+
+Fixes: 8f83f26891e1 ("drm/mediatek: Add HDMI support")
+Reviewed-by: CK Hu <ck.hu@mediatek.com>
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://patchwork.kernel.org/project/linux-mediatek/patch/20250217154836.108895-20-angelogioacchino.delregno@collabora.com/
+Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mediatek/mtk_hdmi.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/mediatek/mtk_hdmi.c b/drivers/gpu/drm/mediatek/mtk_hdmi.c
+index d6ca627cf00e9..f0e25ba860811 100644
+--- a/drivers/gpu/drm/mediatek/mtk_hdmi.c
++++ b/drivers/gpu/drm/mediatek/mtk_hdmi.c
+@@ -138,7 +138,7 @@ enum hdmi_aud_channel_swap_type {
+
+ struct hdmi_audio_param {
+ enum hdmi_audio_coding_type aud_codec;
+- enum hdmi_audio_sample_size aud_sampe_size;
++ enum hdmi_audio_sample_size aud_sample_size;
+ enum hdmi_aud_input_type aud_input_type;
+ enum hdmi_aud_i2s_fmt aud_i2s_fmt;
+ enum hdmi_aud_mclk aud_mclk;
+@@ -1092,7 +1092,7 @@ static int mtk_hdmi_output_init(struct mtk_hdmi *hdmi)
+
+ hdmi->csp = HDMI_COLORSPACE_RGB;
+ aud_param->aud_codec = HDMI_AUDIO_CODING_TYPE_PCM;
+- aud_param->aud_sampe_size = HDMI_AUDIO_SAMPLE_SIZE_16;
++ aud_param->aud_sample_size = HDMI_AUDIO_SAMPLE_SIZE_16;
+ aud_param->aud_input_type = HDMI_AUD_INPUT_I2S;
+ aud_param->aud_i2s_fmt = HDMI_I2S_MODE_I2S_24BIT;
+ aud_param->aud_mclk = HDMI_AUD_MCLK_128FS;
+@@ -1618,14 +1618,14 @@ static int mtk_hdmi_audio_hw_params(struct device *dev, void *data,
+ switch (daifmt->fmt) {
+ case HDMI_I2S:
+ hdmi_params.aud_codec = HDMI_AUDIO_CODING_TYPE_PCM;
+- hdmi_params.aud_sampe_size = HDMI_AUDIO_SAMPLE_SIZE_16;
++ hdmi_params.aud_sample_size = HDMI_AUDIO_SAMPLE_SIZE_16;
+ hdmi_params.aud_input_type = HDMI_AUD_INPUT_I2S;
+ hdmi_params.aud_i2s_fmt = HDMI_I2S_MODE_I2S_24BIT;
+ hdmi_params.aud_mclk = HDMI_AUD_MCLK_128FS;
+ break;
+ case HDMI_SPDIF:
+ hdmi_params.aud_codec = HDMI_AUDIO_CODING_TYPE_PCM;
+- hdmi_params.aud_sampe_size = HDMI_AUDIO_SAMPLE_SIZE_16;
++ hdmi_params.aud_sample_size = HDMI_AUDIO_SAMPLE_SIZE_16;
+ hdmi_params.aud_input_type = HDMI_AUD_INPUT_SPDIF;
+ break;
+ default:
+--
+2.39.5
+
--- /dev/null
+From 8c970e362c94be7658404fc9ad9ba314e95ff283 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Feb 2025 16:48:10 +0100
+Subject: drm/mediatek: mtk_hdmi: Unregister audio platform device on failure
+
+From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+
+[ Upstream commit 0be123cafc06eed0fd1227166a66e786434b0c50 ]
+
+The probe function of this driver may fail after registering the
+audio platform device: in that case, the state is not getting
+cleaned up, leaving this device registered.
+
+Adding up to the mix, should the probe function of this driver
+return a probe deferral for N times, we're registering up to N
+audio platform devices and, again, never freeing them up.
+
+To fix this, add a pointer to the audio platform device in the
+mtk_hdmi structure, and add a devm action to unregister it upon
+driver removal or probe failure.
+
+Fixes: 8f83f26891e1 ("drm/mediatek: Add HDMI support")
+Reviewed-by: CK Hu <ck.hu@mediatek.com>
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://patchwork.kernel.org/project/linux-mediatek/patch/20250217154836.108895-18-angelogioacchino.delregno@collabora.com/
+Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mediatek/mtk_hdmi.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/mediatek/mtk_hdmi.c b/drivers/gpu/drm/mediatek/mtk_hdmi.c
+index 97a1ff529a1dc..d6ca627cf00e9 100644
+--- a/drivers/gpu/drm/mediatek/mtk_hdmi.c
++++ b/drivers/gpu/drm/mediatek/mtk_hdmi.c
+@@ -172,6 +172,7 @@ struct mtk_hdmi {
+ unsigned int sys_offset;
+ void __iomem *regs;
+ enum hdmi_colorspace csp;
++ struct platform_device *audio_pdev;
+ struct hdmi_audio_param aud_param;
+ bool audio_enable;
+ bool powered;
+@@ -1706,6 +1707,11 @@ static const struct hdmi_codec_ops mtk_hdmi_audio_codec_ops = {
+ .no_capture_mute = 1,
+ };
+
++static void mtk_hdmi_unregister_audio_driver(void *data)
++{
++ platform_device_unregister(data);
++}
++
+ static int mtk_hdmi_register_audio_driver(struct device *dev)
+ {
+ struct mtk_hdmi *hdmi = dev_get_drvdata(dev);
+@@ -1715,13 +1721,20 @@ static int mtk_hdmi_register_audio_driver(struct device *dev)
+ .i2s = 1,
+ .data = hdmi,
+ };
+- struct platform_device *pdev;
++ int ret;
+
+- pdev = platform_device_register_data(dev, HDMI_CODEC_DRV_NAME,
+- PLATFORM_DEVID_AUTO, &codec_data,
+- sizeof(codec_data));
+- if (IS_ERR(pdev))
+- return PTR_ERR(pdev);
++ hdmi->audio_pdev = platform_device_register_data(dev,
++ HDMI_CODEC_DRV_NAME,
++ PLATFORM_DEVID_AUTO,
++ &codec_data,
++ sizeof(codec_data));
++ if (IS_ERR(hdmi->audio_pdev))
++ return PTR_ERR(hdmi->audio_pdev);
++
++ ret = devm_add_action_or_reset(dev, mtk_hdmi_unregister_audio_driver,
++ hdmi->audio_pdev);
++ if (ret)
++ return ret;
+
+ DRM_INFO("%s driver bound to HDMI\n", HDMI_CODEC_DRV_NAME);
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From bdaa703c921e8e0254692e25ed24a142c5c7bb48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Jan 2025 11:03:39 +0200
+Subject: drm: xlnx: zynqmp: Fix max dma segment size
+
+From: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+
+[ Upstream commit 28b529a98525123acd37372a04d21e87ec2edcf7 ]
+
+Fix "mapping sg segment longer than device claims to support" warning by
+setting the max segment size.
+
+Fixes: d76271d22694 ("drm: xlnx: DRM/KMS driver for Xilinx ZynqMP DisplayPort Subsystem")
+Reviewed-by: Sean Anderson <sean.anderson@linux.dev>
+Tested-by: Sean Anderson <sean.anderson@linux.dev>
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20250115-xilinx-formats-v2-10-160327ca652a@ideasonboard.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xlnx/zynqmp_dpsub.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/xlnx/zynqmp_dpsub.c b/drivers/gpu/drm/xlnx/zynqmp_dpsub.c
+index 5f6eea81f3cc8..ad081838c4492 100644
+--- a/drivers/gpu/drm/xlnx/zynqmp_dpsub.c
++++ b/drivers/gpu/drm/xlnx/zynqmp_dpsub.c
+@@ -218,6 +218,8 @@ static int zynqmp_dpsub_probe(struct platform_device *pdev)
+ if (ret)
+ return ret;
+
++ dma_set_max_seg_size(&pdev->dev, DMA_BIT_MASK(32));
++
+ /* Try the reserved memory. Proceed if there's none. */
+ of_reserved_mem_device_init(&pdev->dev);
+
+--
+2.39.5
+
--- /dev/null
+From ce0afecfe167cecf52a18868b68c490d3411a189 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Mar 2025 09:14:02 +0800
+Subject: EDAC/ie31200: Fix the DIMM size mask for several SoCs
+
+From: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+
+[ Upstream commit 3427befbbca6b19fe0e37f91d66ce5221de70bf1 ]
+
+The DIMM size mask for {Sky, Kaby, Coffee} Lake is not bits{7:0},
+but bits{5:0}. Fix it.
+
+Fixes: 953dee9bbd24 ("EDAC, ie31200_edac: Add Skylake support")
+Signed-off-by: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Tested-by: Gary Wang <gary.c.wang@intel.com>
+Link: https://lore.kernel.org/r/20250310011411.31685-3-qiuxu.zhuo@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/ie31200_edac.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/edac/ie31200_edac.c b/drivers/edac/ie31200_edac.c
+index 662a79dda74eb..0c894b4890678 100644
+--- a/drivers/edac/ie31200_edac.c
++++ b/drivers/edac/ie31200_edac.c
+@@ -154,6 +154,7 @@
+ #define IE31200_MAD_DIMM_0_OFFSET 0x5004
+ #define IE31200_MAD_DIMM_0_OFFSET_SKL 0x500C
+ #define IE31200_MAD_DIMM_SIZE GENMASK_ULL(7, 0)
++#define IE31200_MAD_DIMM_SIZE_SKL GENMASK_ULL(5, 0)
+ #define IE31200_MAD_DIMM_A_RANK BIT(17)
+ #define IE31200_MAD_DIMM_A_RANK_SHIFT 17
+ #define IE31200_MAD_DIMM_A_RANK_SKL BIT(10)
+@@ -368,7 +369,7 @@ static void __iomem *ie31200_map_mchbar(struct pci_dev *pdev)
+ static void __skl_populate_dimm_info(struct dimm_data *dd, u32 addr_decode,
+ int chan)
+ {
+- dd->size = (addr_decode >> (chan << 4)) & IE31200_MAD_DIMM_SIZE;
++ dd->size = (addr_decode >> (chan << 4)) & IE31200_MAD_DIMM_SIZE_SKL;
+ dd->dual_rank = (addr_decode & (IE31200_MAD_DIMM_A_RANK_SKL << (chan << 4))) ? 1 : 0;
+ dd->x16_width = ((addr_decode & (IE31200_MAD_DIMM_A_WIDTH_SKL << (chan << 4))) >>
+ (IE31200_MAD_DIMM_A_WIDTH_SKL_SHIFT + (chan << 4)));
+--
+2.39.5
+
--- /dev/null
+From a86649990f22eedd7f61ec105c90ce2bb8311703 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Mar 2025 09:14:03 +0800
+Subject: EDAC/ie31200: Fix the error path order of ie31200_init()
+
+From: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+
+[ Upstream commit 231e341036d9988447e3b3345cf741a98139199e ]
+
+The error path order of ie31200_init() is incorrect, fix it.
+
+Fixes: 709ed1bcef12 ("EDAC/ie31200: Fallback if host bridge device is already initialized")
+Signed-off-by: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Tested-by: Gary Wang <gary.c.wang@intel.com>
+Link: https://lore.kernel.org/r/20250310011411.31685-4-qiuxu.zhuo@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/ie31200_edac.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/edac/ie31200_edac.c b/drivers/edac/ie31200_edac.c
+index 0c894b4890678..cad20e87783b5 100644
+--- a/drivers/edac/ie31200_edac.c
++++ b/drivers/edac/ie31200_edac.c
+@@ -608,7 +608,7 @@ static int __init ie31200_init(void)
+
+ pci_rc = pci_register_driver(&ie31200_driver);
+ if (pci_rc < 0)
+- goto fail0;
++ return pci_rc;
+
+ if (!mci_pdev) {
+ ie31200_registered = 0;
+@@ -619,11 +619,13 @@ static int __init ie31200_init(void)
+ if (mci_pdev)
+ break;
+ }
++
+ if (!mci_pdev) {
+ edac_dbg(0, "ie31200 pci_get_device fail\n");
+ pci_rc = -ENODEV;
+- goto fail1;
++ goto fail0;
+ }
++
+ pci_rc = ie31200_init_one(mci_pdev, &ie31200_pci_tbl[i]);
+ if (pci_rc < 0) {
+ edac_dbg(0, "ie31200 init fail\n");
+@@ -631,12 +633,12 @@ static int __init ie31200_init(void)
+ goto fail1;
+ }
+ }
+- return 0;
+
++ return 0;
+ fail1:
+- pci_unregister_driver(&ie31200_driver);
+-fail0:
+ pci_dev_put(mci_pdev);
++fail0:
++ pci_unregister_driver(&ie31200_driver);
+
+ return pci_rc;
+ }
+--
+2.39.5
+
--- /dev/null
+From 4045b1bae2ad520ccd7838971426916ffba12608 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Mar 2025 09:14:01 +0800
+Subject: EDAC/ie31200: Fix the size of EDAC_MC_LAYER_CHIP_SELECT layer
+
+From: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+
+[ Upstream commit d59d844e319d97682c8de29b88d2d60922a683b3 ]
+
+The EDAC_MC_LAYER_CHIP_SELECT layer pertains to the rank, not the DIMM.
+Fix its size to reflect the number of ranks instead of the number of DIMMs.
+Also delete the unused macros IE31200_{DIMMS,RANKS}.
+
+Fixes: 7ee40b897d18 ("ie31200_edac: Introduce the driver")
+Signed-off-by: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Tested-by: Gary Wang <gary.c.wang@intel.com>
+Link: https://lore.kernel.org/r/20250310011411.31685-2-qiuxu.zhuo@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/ie31200_edac.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/edac/ie31200_edac.c b/drivers/edac/ie31200_edac.c
+index c47963240b659..662a79dda74eb 100644
+--- a/drivers/edac/ie31200_edac.c
++++ b/drivers/edac/ie31200_edac.c
+@@ -83,8 +83,6 @@
+ (((did) & PCI_DEVICE_ID_INTEL_IE31200_HB_CFL_MASK) == \
+ PCI_DEVICE_ID_INTEL_IE31200_HB_CFL_MASK))
+
+-#define IE31200_DIMMS 4
+-#define IE31200_RANKS 8
+ #define IE31200_RANKS_PER_CHANNEL 4
+ #define IE31200_DIMMS_PER_CHANNEL 2
+ #define IE31200_CHANNELS 2
+@@ -419,7 +417,7 @@ static int ie31200_probe1(struct pci_dev *pdev, int dev_idx)
+
+ nr_channels = how_many_channels(pdev);
+ layers[0].type = EDAC_MC_LAYER_CHIP_SELECT;
+- layers[0].size = IE31200_DIMMS;
++ layers[0].size = IE31200_RANKS_PER_CHANNEL;
+ layers[0].is_virt_csrow = true;
+ layers[1].type = EDAC_MC_LAYER_CHANNEL;
+ layers[1].size = nr_channels;
+--
+2.39.5
+
--- /dev/null
+From b3fdd75957d234d01b7b1542e76b59ba2e0cb579 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Mar 2025 10:53:10 +0800
+Subject: exfat: fix the infinite loop in exfat_find_last_cluster()
+
+From: Yuezhang Mo <Yuezhang.Mo@sony.com>
+
+[ Upstream commit b0522303f67255926b946aa66885a0104d1b2980 ]
+
+In exfat_find_last_cluster(), the cluster chain is traversed until
+the EOF cluster. If the cluster chain includes a loop due to file
+system corruption, the EOF cluster cannot be traversed, resulting
+in an infinite loop.
+
+If the number of clusters indicated by the file size is inconsistent
+with the cluster chain length, exfat_find_last_cluster() will return
+an error, so if this inconsistency is found, the traversal can be
+aborted without traversing to the EOF cluster.
+
+Reported-by: syzbot+f7d147e6db52b1e09dba@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=f7d147e6db52b1e09dba
+Tested-by: syzbot+f7d147e6db52b1e09dba@syzkaller.appspotmail.com
+Fixes: 31023864e67a ("exfat: add fat entry operations")
+Signed-off-by: Yuezhang Mo <Yuezhang.Mo@sony.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/exfat/fatent.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/exfat/fatent.c b/fs/exfat/fatent.c
+index a1481e47a7616..b6cce8225d058 100644
+--- a/fs/exfat/fatent.c
++++ b/fs/exfat/fatent.c
+@@ -208,7 +208,7 @@ int exfat_find_last_cluster(struct super_block *sb, struct exfat_chain *p_chain,
+ clu = next;
+ if (exfat_ent_get(sb, clu, &next))
+ return -EIO;
+- } while (next != EXFAT_EOF_CLUSTER);
++ } while (next != EXFAT_EOF_CLUSTER && count <= p_chain->size);
+
+ if (p_chain->size != count) {
+ exfat_fs_error(sb,
+--
+2.39.5
+
--- /dev/null
+From d0220ea064331a86c8ed6f1836488f93b4f69b12 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Apr 2023 21:35:36 +0200
+Subject: fbdev: au1100fb: Move a variable assignment behind a null pointer
+ check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Markus Elfring <elfring@users.sourceforge.net>
+
+[ Upstream commit 2df2c0caaecfd869b49e14f2b8df822397c5dd7f ]
+
+The address of a data structure member was determined before
+a corresponding null pointer check in the implementation of
+the function “au1100fb_setmode”.
+
+This issue was detected by using the Coccinelle software.
+
+Fixes: 3b495f2bb749 ("Au1100 FB driver uplift for 2.6.")
+Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
+Acked-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/au1100fb.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/video/fbdev/au1100fb.c b/drivers/video/fbdev/au1100fb.c
+index 37a6512feda0f..abb769824840e 100644
+--- a/drivers/video/fbdev/au1100fb.c
++++ b/drivers/video/fbdev/au1100fb.c
+@@ -137,13 +137,15 @@ static int au1100fb_fb_blank(int blank_mode, struct fb_info *fbi)
+ */
+ int au1100fb_setmode(struct au1100fb_device *fbdev)
+ {
+- struct fb_info *info = &fbdev->info;
++ struct fb_info *info;
+ u32 words;
+ int index;
+
+ if (!fbdev)
+ return -EINVAL;
+
++ info = &fbdev->info;
++
+ /* Update var-dependent FB info */
+ if (panel_is_active(fbdev->panel) || panel_is_color(fbdev->panel)) {
+ if (info->var.bits_per_pixel <= 8) {
+--
+2.39.5
+
--- /dev/null
+From bd6b02fafd0773ee312a73d23e5c26be1947b883 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Mar 2025 01:30:11 +0000
+Subject: fbdev: sm501fb: Add some geometry checks.
+
+From: Danila Chernetsov <listdansp@mail.ru>
+
+[ Upstream commit aee50bd88ea5fde1ff4cc021385598f81a65830c ]
+
+Added checks for xoffset, yoffset settings.
+Incorrect settings of these parameters can lead to errors
+in sm501fb_pan_ functions.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 5fc404e47bdf ("[PATCH] fb: SM501 framebuffer driver")
+Signed-off-by: Danila Chernetsov <listdansp@mail.ru>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/sm501fb.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/video/fbdev/sm501fb.c b/drivers/video/fbdev/sm501fb.c
+index 6a52eba645596..3c46838651b06 100644
+--- a/drivers/video/fbdev/sm501fb.c
++++ b/drivers/video/fbdev/sm501fb.c
+@@ -326,6 +326,13 @@ static int sm501fb_check_var(struct fb_var_screeninfo *var,
+ if (var->xres_virtual > 4096 || var->yres_virtual > 2048)
+ return -EINVAL;
+
++ /* geometry sanity checks */
++ if (var->xres + var->xoffset > var->xres_virtual)
++ return -EINVAL;
++
++ if (var->yres + var->yoffset > var->yres_virtual)
++ return -EINVAL;
++
+ /* can cope with 8,16 or 32bpp */
+
+ if (var->bits_per_pixel <= 8)
+--
+2.39.5
+
--- /dev/null
+From 40be138d4a48bdc6c92b6977d1e9e2f67488f66b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Mar 2025 14:02:22 -0700
+Subject: fs/procfs: fix the comment above proc_pid_wchan()
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit 6287fbad1cd91f0c25cdc3a580499060828a8f30 ]
+
+proc_pid_wchan() used to report kernel addresses to user space but that is
+no longer the case today. Bring the comment above proc_pid_wchan() in
+sync with the implementation.
+
+Link: https://lkml.kernel.org/r/20250319210222.1518771-1-bvanassche@acm.org
+Fixes: b2f73922d119 ("fs/proc, core/debug: Don't expose absolute kernel addresses via wchan")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Cc: Kees Cook <kees@kernel.org>
+Cc: Eric W. Biederman <ebiederm@xmission.com>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/proc/base.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index b955ba5db72cb..b09cc9e6d5914 100644
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -415,7 +415,7 @@ static const struct file_operations proc_pid_cmdline_ops = {
+ #ifdef CONFIG_KALLSYMS
+ /*
+ * Provides a wchan file via kallsyms in a proper one-value-per-file format.
+- * Returns the resolved symbol. If that fails, simply return the address.
++ * Returns the resolved symbol to user space.
+ */
+ static int proc_pid_wchan(struct seq_file *m, struct pid_namespace *ns,
+ struct pid *pid, struct task_struct *task)
+--
+2.39.5
+
--- /dev/null
+From 295bf24388399aeef69098c6b7ae2faec1f51691 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Mar 2025 05:08:32 +0200
+Subject: hwmon: (nct6775-core) Fix out of bounds access for NCT679{8,9}
+
+From: Tasos Sahanidis <tasos@tasossah.com>
+
+[ Upstream commit 815f80ad20b63830949a77c816e35395d5d55144 ]
+
+pwm_num is set to 7 for these chips, but NCT6776_REG_PWM_MODE and
+NCT6776_PWM_MODE_MASK only contain 6 values.
+
+Fix this by adding another 0 to the end of each array.
+
+Signed-off-by: Tasos Sahanidis <tasos@tasossah.com>
+Link: https://lore.kernel.org/r/20250312030832.106475-1-tasos@tasossah.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/nct6775.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwmon/nct6775.c b/drivers/hwmon/nct6775.c
+index 3645a19cdaf4d..71cfc1c5bd12e 100644
+--- a/drivers/hwmon/nct6775.c
++++ b/drivers/hwmon/nct6775.c
+@@ -420,8 +420,8 @@ static const s8 NCT6776_BEEP_BITS[] = {
+ static const u16 NCT6776_REG_TOLERANCE_H[] = {
+ 0x10c, 0x20c, 0x30c, 0x80c, 0x90c, 0xa0c, 0xb0c };
+
+-static const u8 NCT6776_REG_PWM_MODE[] = { 0x04, 0, 0, 0, 0, 0 };
+-static const u8 NCT6776_PWM_MODE_MASK[] = { 0x01, 0, 0, 0, 0, 0 };
++static const u8 NCT6776_REG_PWM_MODE[] = { 0x04, 0, 0, 0, 0, 0, 0 };
++static const u8 NCT6776_PWM_MODE_MASK[] = { 0x01, 0, 0, 0, 0, 0, 0 };
+
+ static const u16 NCT6776_REG_FAN_MIN[] = {
+ 0x63a, 0x63c, 0x63e, 0x640, 0x642, 0x64a, 0x64c };
+--
+2.39.5
+
--- /dev/null
+From 11948185142cb1e67f88962da063dbd70dccaa5d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Mar 2025 16:20:17 +0200
+Subject: IB/mad: Check available slots before posting receive WRs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maher Sanalla <msanalla@nvidia.com>
+
+[ Upstream commit 37826f0a8c2f6b6add5179003b8597e32a445362 ]
+
+The ib_post_receive_mads() function handles posting receive work
+requests (WRs) to MAD QPs and is called in two cases:
+1) When a MAD port is opened.
+2) When a receive WQE is consumed upon receiving a new MAD.
+
+Whereas, if MADs arrive during the port open phase, a race condition
+might cause an extra WR to be posted, exceeding the QP’s capacity.
+This leads to failures such as:
+infiniband mlx5_0: ib_post_recv failed: -12
+infiniband mlx5_0: Couldn't post receive WRs
+infiniband mlx5_0: Couldn't start port
+infiniband mlx5_0: Couldn't open port 1
+
+Fix this by checking the current receive count before posting a new WR.
+If the QP’s receive queue is full, do not post additional WRs.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Maher Sanalla <msanalla@nvidia.com>
+Link: https://patch.msgid.link/c4984ba3c3a98a5711a558bccefcad789587ecf1.1741875592.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/mad.c | 38 ++++++++++++++++++-----------------
+ 1 file changed, 20 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/infiniband/core/mad.c b/drivers/infiniband/core/mad.c
+index 521c3d050be2d..19540a13cb84d 100644
+--- a/drivers/infiniband/core/mad.c
++++ b/drivers/infiniband/core/mad.c
+@@ -2686,11 +2686,11 @@ static int ib_mad_post_receive_mads(struct ib_mad_qp_info *qp_info,
+ struct ib_mad_private *mad)
+ {
+ unsigned long flags;
+- int post, ret;
+ struct ib_mad_private *mad_priv;
+ struct ib_sge sg_list;
+ struct ib_recv_wr recv_wr;
+ struct ib_mad_queue *recv_queue = &qp_info->recv_queue;
++ int ret = 0;
+
+ /* Initialize common scatter list fields */
+ sg_list.lkey = qp_info->port_priv->pd->local_dma_lkey;
+@@ -2700,7 +2700,7 @@ static int ib_mad_post_receive_mads(struct ib_mad_qp_info *qp_info,
+ recv_wr.sg_list = &sg_list;
+ recv_wr.num_sge = 1;
+
+- do {
++ while (true) {
+ /* Allocate and map receive buffer */
+ if (mad) {
+ mad_priv = mad;
+@@ -2708,10 +2708,8 @@ static int ib_mad_post_receive_mads(struct ib_mad_qp_info *qp_info,
+ } else {
+ mad_priv = alloc_mad_private(port_mad_size(qp_info->port_priv),
+ GFP_ATOMIC);
+- if (!mad_priv) {
+- ret = -ENOMEM;
+- break;
+- }
++ if (!mad_priv)
++ return -ENOMEM;
+ }
+ sg_list.length = mad_priv_dma_size(mad_priv);
+ sg_list.addr = ib_dma_map_single(qp_info->port_priv->device,
+@@ -2720,37 +2718,41 @@ static int ib_mad_post_receive_mads(struct ib_mad_qp_info *qp_info,
+ DMA_FROM_DEVICE);
+ if (unlikely(ib_dma_mapping_error(qp_info->port_priv->device,
+ sg_list.addr))) {
+- kfree(mad_priv);
+ ret = -ENOMEM;
+- break;
++ goto free_mad_priv;
+ }
+ mad_priv->header.mapping = sg_list.addr;
+ mad_priv->header.mad_list.mad_queue = recv_queue;
+ mad_priv->header.mad_list.cqe.done = ib_mad_recv_done;
+ recv_wr.wr_cqe = &mad_priv->header.mad_list.cqe;
+-
+- /* Post receive WR */
+ spin_lock_irqsave(&recv_queue->lock, flags);
+- post = (++recv_queue->count < recv_queue->max_active);
+- list_add_tail(&mad_priv->header.mad_list.list, &recv_queue->list);
++ if (recv_queue->count >= recv_queue->max_active) {
++ /* Fully populated the receive queue */
++ spin_unlock_irqrestore(&recv_queue->lock, flags);
++ break;
++ }
++ recv_queue->count++;
++ list_add_tail(&mad_priv->header.mad_list.list,
++ &recv_queue->list);
+ spin_unlock_irqrestore(&recv_queue->lock, flags);
++
+ ret = ib_post_recv(qp_info->qp, &recv_wr, NULL);
+ if (ret) {
+ spin_lock_irqsave(&recv_queue->lock, flags);
+ list_del(&mad_priv->header.mad_list.list);
+ recv_queue->count--;
+ spin_unlock_irqrestore(&recv_queue->lock, flags);
+- ib_dma_unmap_single(qp_info->port_priv->device,
+- mad_priv->header.mapping,
+- mad_priv_dma_size(mad_priv),
+- DMA_FROM_DEVICE);
+- kfree(mad_priv);
+ dev_err(&qp_info->port_priv->device->dev,
+ "ib_post_recv failed: %d\n", ret);
+ break;
+ }
+- } while (post);
++ }
+
++ ib_dma_unmap_single(qp_info->port_priv->device,
++ mad_priv->header.mapping,
++ mad_priv_dma_size(mad_priv), DMA_FROM_DEVICE);
++free_mad_priv:
++ kfree(mad_priv);
+ return ret;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 1d79950fa501c67a7af8154a004fc1256c06ce9d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Feb 2025 14:01:28 +0000
+Subject: iio: accel: mma8452: Ensure error return on failure to matching
+ oversampling ratio
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit df330c808182a8beab5d0f84a6cbc9cff76c61fc ]
+
+If a match was not found, then the write_raw() callback would return
+the odr index, not an error. Return -EINVAL if this occurs.
+To avoid similar issues in future, introduce j, a new indexing variable
+rather than using ret for this purpose.
+
+Fixes: 79de2ee469aa ("iio: accel: mma8452: claim direct mode during write raw")
+Reviewed-by: David Lechner <dlechner@baylibre.com>
+Link: https://patch.msgid.link/20250217140135.896574-2-jic23@kernel.org
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/accel/mma8452.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/iio/accel/mma8452.c b/drivers/iio/accel/mma8452.c
+index b12e804647063..760ee0685034b 100644
+--- a/drivers/iio/accel/mma8452.c
++++ b/drivers/iio/accel/mma8452.c
+@@ -711,7 +711,7 @@ static int mma8452_write_raw(struct iio_dev *indio_dev,
+ int val, int val2, long mask)
+ {
+ struct mma8452_data *data = iio_priv(indio_dev);
+- int i, ret;
++ int i, j, ret;
+
+ ret = iio_device_claim_direct_mode(indio_dev);
+ if (ret)
+@@ -771,14 +771,18 @@ static int mma8452_write_raw(struct iio_dev *indio_dev,
+ break;
+
+ case IIO_CHAN_INFO_OVERSAMPLING_RATIO:
+- ret = mma8452_get_odr_index(data);
++ j = mma8452_get_odr_index(data);
+
+ for (i = 0; i < ARRAY_SIZE(mma8452_os_ratio); i++) {
+- if (mma8452_os_ratio[i][ret] == val) {
++ if (mma8452_os_ratio[i][j] == val) {
+ ret = mma8452_set_power_mode(data, i);
+ break;
+ }
+ }
++ if (i == ARRAY_SIZE(mma8452_os_ratio)) {
++ ret = -EINVAL;
++ break;
++ }
+ break;
+ default:
+ ret = -EINVAL;
+--
+2.39.5
+
--- /dev/null
+From 3c1c995ddfc9e52add9277072bbb194accc1c6f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Apr 2025 14:17:51 +0200
+Subject: ipv6: fix omitted netlink attributes when using
+ RTEXT_FILTER_SKIP_STATS
+
+From: Fernando Fernandez Mancera <ffmancera@riseup.net>
+
+[ Upstream commit 7ac6ea4a3e0898db76aecccd68fb2c403eb7d24e ]
+
+Using RTEXT_FILTER_SKIP_STATS is incorrectly skipping non-stats IPv6
+netlink attributes on link dump. This causes issues on userspace tools,
+e.g iproute2 is not rendering address generation mode as it should due
+to missing netlink attribute.
+
+Move the filling of IFLA_INET6_STATS and IFLA_INET6_ICMP6STATS to a
+helper function guarded by a flag check to avoid hitting the same
+situation in the future.
+
+Fixes: d5566fd72ec1 ("rtnetlink: RTEXT_FILTER_SKIP_STATS support to avoid dumping inet/inet6 stats")
+Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250402121751.3108-1-ffmancera@riseup.net
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/addrconf.c | 37 +++++++++++++++++++++++++------------
+ 1 file changed, 25 insertions(+), 12 deletions(-)
+
+diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
+index 455bb4668407f..d38d15ccc7501 100644
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -5658,6 +5658,27 @@ static void snmp6_fill_stats(u64 *stats, struct inet6_dev *idev, int attrtype,
+ }
+ }
+
++static int inet6_fill_ifla6_stats_attrs(struct sk_buff *skb,
++ struct inet6_dev *idev)
++{
++ struct nlattr *nla;
++
++ nla = nla_reserve(skb, IFLA_INET6_STATS, IPSTATS_MIB_MAX * sizeof(u64));
++ if (!nla)
++ goto nla_put_failure;
++ snmp6_fill_stats(nla_data(nla), idev, IFLA_INET6_STATS, nla_len(nla));
++
++ nla = nla_reserve(skb, IFLA_INET6_ICMP6STATS, ICMP6_MIB_MAX * sizeof(u64));
++ if (!nla)
++ goto nla_put_failure;
++ snmp6_fill_stats(nla_data(nla), idev, IFLA_INET6_ICMP6STATS, nla_len(nla));
++
++ return 0;
++
++nla_put_failure:
++ return -EMSGSIZE;
++}
++
+ static int inet6_fill_ifla6_attrs(struct sk_buff *skb, struct inet6_dev *idev,
+ u32 ext_filter_mask)
+ {
+@@ -5679,18 +5700,10 @@ static int inet6_fill_ifla6_attrs(struct sk_buff *skb, struct inet6_dev *idev,
+
+ /* XXX - MC not implemented */
+
+- if (ext_filter_mask & RTEXT_FILTER_SKIP_STATS)
+- return 0;
+-
+- nla = nla_reserve(skb, IFLA_INET6_STATS, IPSTATS_MIB_MAX * sizeof(u64));
+- if (!nla)
+- goto nla_put_failure;
+- snmp6_fill_stats(nla_data(nla), idev, IFLA_INET6_STATS, nla_len(nla));
+-
+- nla = nla_reserve(skb, IFLA_INET6_ICMP6STATS, ICMP6_MIB_MAX * sizeof(u64));
+- if (!nla)
+- goto nla_put_failure;
+- snmp6_fill_stats(nla_data(nla), idev, IFLA_INET6_ICMP6STATS, nla_len(nla));
++ if (!(ext_filter_mask & RTEXT_FILTER_SKIP_STATS)) {
++ if (inet6_fill_ifla6_stats_attrs(skb, idev) < 0)
++ goto nla_put_failure;
++ }
+
+ nla = nla_reserve(skb, IFLA_INET6_TOKEN, sizeof(struct in6_addr));
+ if (!nla)
+--
+2.39.5
+
--- /dev/null
+From b51865d1450ae03a0064b235067ead089d9178fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Feb 2025 19:59:00 +0000
+Subject: isofs: fix KMSAN uninit-value bug in do_isofs_readdir()
+
+From: Qasim Ijaz <qasdev00@gmail.com>
+
+[ Upstream commit 81a82e8f33880793029cd6f8a766fb13b737e6a7 ]
+
+In do_isofs_readdir() when assigning the variable
+"struct iso_directory_record *de" the b_data field of the buffer_head
+is accessed and an offset is added to it, the size of b_data is 2048
+and the offset size is 2047, meaning
+"de = (struct iso_directory_record *) (bh->b_data + offset);"
+yields the final byte of the 2048 sized b_data block.
+
+The first byte of the directory record (de_len) is then read and
+found to be 31, meaning the directory record size is 31 bytes long.
+The directory record is defined by the structure:
+
+ struct iso_directory_record {
+ __u8 length; // 1 byte
+ __u8 ext_attr_length; // 1 byte
+ __u8 extent[8]; // 8 bytes
+ __u8 size[8]; // 8 bytes
+ __u8 date[7]; // 7 bytes
+ __u8 flags; // 1 byte
+ __u8 file_unit_size; // 1 byte
+ __u8 interleave; // 1 byte
+ __u8 volume_sequence_number[4]; // 4 bytes
+ __u8 name_len; // 1 byte
+ char name[]; // variable size
+ } __attribute__((packed));
+
+The fixed portion of this structure occupies 33 bytes. Therefore, a
+valid directory record must be at least 33 bytes long
+(even without considering the variable-length name field).
+Since de_len is only 31, it is insufficient to contain
+the complete fixed header.
+
+The code later hits the following sanity check that
+compares de_len against the sum of de->name_len and
+sizeof(struct iso_directory_record):
+
+ if (de_len < de->name_len[0] + sizeof(struct iso_directory_record)) {
+ ...
+ }
+
+Since the fixed portion of the structure is
+33 bytes (up to and including name_len member),
+a valid record should have de_len of at least 33 bytes;
+here, however, de_len is too short, and the field de->name_len
+(located at offset 32) is accessed even though it lies beyond
+the available 31 bytes.
+
+This access on the corrupted isofs data triggers a KASAN uninitialized
+memory warning. The fix would be to first verify that de_len is at least
+sizeof(struct iso_directory_record) before accessing any
+fields like de->name_len.
+
+Reported-by: syzbot <syzbot+812641c6c3d7586a1613@syzkaller.appspotmail.com>
+Tested-by: syzbot <syzbot+812641c6c3d7586a1613@syzkaller.appspotmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=812641c6c3d7586a1613
+Fixes: 2deb1acc653c ("isofs: fix access to unallocated memory when reading corrupted filesystem")
+Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Link: https://patch.msgid.link/20250211195900.42406-1-qasdev00@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/isofs/dir.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/isofs/dir.c b/fs/isofs/dir.c
+index b9e6a7ec78be4..23c73bb56d821 100644
+--- a/fs/isofs/dir.c
++++ b/fs/isofs/dir.c
+@@ -147,7 +147,8 @@ static int do_isofs_readdir(struct inode *inode, struct file *file,
+ de = tmpde;
+ }
+ /* Basic sanity check, whether name doesn't exceed dir entry */
+- if (de_len < de->name_len[0] +
++ if (de_len < sizeof(struct iso_directory_record) ||
++ de_len < de->name_len[0] +
+ sizeof(struct iso_directory_record)) {
+ printk(KERN_NOTICE "iso9660: Corrupted directory entry"
+ " in block %lu of inode %lu\n", block,
+--
+2.39.5
+
--- /dev/null
+From e7fad5606710d0c6707097b6dd2928ea9605f7a3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 31 Jan 2025 17:08:24 +0530
+Subject: kexec: initialize ELF lowest address to ULONG_MAX
+
+From: Sourabh Jain <sourabhjain@linux.ibm.com>
+
+[ Upstream commit 9986fb5164c8b21f6439cfd45ba36d8cc80c9710 ]
+
+Patch series "powerpc/crash: use generic crashkernel reservation", v3.
+
+Commit 0ab97169aa05 ("crash_core: add generic function to do reservation")
+added a generic function to reserve crashkernel memory. So let's use the
+same function on powerpc and remove the architecture-specific code that
+essentially does the same thing.
+
+The generic crashkernel reservation also provides a way to split the
+crashkernel reservation into high and low memory reservations, which can
+be enabled for powerpc in the future.
+
+Additionally move powerpc to use generic APIs to locate memory hole for
+kexec segments while loading kdump kernel.
+
+This patch (of 7):
+
+kexec_elf_load() loads an ELF executable and sets the address of the
+lowest PT_LOAD section to the address held by the lowest_load_addr
+function argument.
+
+To determine the lowest PT_LOAD address, a local variable lowest_addr
+(type unsigned long) is initialized to UINT_MAX. After loading each
+PT_LOAD, its address is compared to lowest_addr. If a loaded PT_LOAD
+address is lower, lowest_addr is updated. However, setting lowest_addr to
+UINT_MAX won't work when the kernel image is loaded above 4G, as the
+returned lowest PT_LOAD address would be invalid. This is resolved by
+initializing lowest_addr to ULONG_MAX instead.
+
+This issue was discovered while implementing crashkernel high/low
+reservation on the PowerPC architecture.
+
+Link: https://lkml.kernel.org/r/20250131113830.925179-1-sourabhjain@linux.ibm.com
+Link: https://lkml.kernel.org/r/20250131113830.925179-2-sourabhjain@linux.ibm.com
+Fixes: a0458284f062 ("powerpc: Add support code for kexec_file_load()")
+Signed-off-by: Sourabh Jain <sourabhjain@linux.ibm.com>
+Acked-by: Hari Bathini <hbathini@linux.ibm.com>
+Acked-by: Baoquan He <bhe@redhat.com>
+Cc: Madhavan Srinivasan <maddy@linux.ibm.com>
+Cc: Mahesh Salgaonkar <mahesh@linux.ibm.com>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/kexec_elf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/kexec_elf.c b/kernel/kexec_elf.c
+index d3689632e8b90..3a5c25b2adc94 100644
+--- a/kernel/kexec_elf.c
++++ b/kernel/kexec_elf.c
+@@ -390,7 +390,7 @@ int kexec_elf_load(struct kimage *image, struct elfhdr *ehdr,
+ struct kexec_buf *kbuf,
+ unsigned long *lowest_load_addr)
+ {
+- unsigned long lowest_addr = UINT_MAX;
++ unsigned long lowest_addr = ULONG_MAX;
+ int ret;
+ size_t i;
+
+--
+2.39.5
+
--- /dev/null
+From 7e293bf5844dcfb7a844db0ed31a44873213394f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Jan 2025 19:42:04 +0530
+Subject: lib: 842: Improve error handling in sw842_compress()
+
+From: Tanya Agarwal <tanyaagarwal25699@gmail.com>
+
+[ Upstream commit af324dc0e2b558678aec42260cce38be16cc77ca ]
+
+The static code analysis tool "Coverity Scan" pointed the following
+implementation details out for further development considerations:
+CID 1309755: Unused value
+In sw842_compress: A value assigned to a variable is never used. (CWE-563)
+returned_value: Assigning value from add_repeat_template(p, repeat_count)
+to ret here, but that stored value is overwritten before it can be used.
+
+Conclusion:
+Add error handling for the return value from an add_repeat_template()
+call.
+
+Fixes: 2da572c959dd ("lib: add software 842 compression/decompression")
+Signed-off-by: Tanya Agarwal <tanyaagarwal25699@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/842/842_compress.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/842/842_compress.c b/lib/842/842_compress.c
+index c02baa4168e16..055356508d97c 100644
+--- a/lib/842/842_compress.c
++++ b/lib/842/842_compress.c
+@@ -532,6 +532,8 @@ int sw842_compress(const u8 *in, unsigned int ilen,
+ }
+ if (repeat_count) {
+ ret = add_repeat_template(p, repeat_count);
++ if (ret)
++ return ret;
+ repeat_count = 0;
+ if (next == last) /* reached max repeat bits */
+ goto repeat;
+--
+2.39.5
+
--- /dev/null
+From 233fde497cfe42d9fd98fca5f2e81eab175b748e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Feb 2025 11:36:18 +0100
+Subject: lockdep: Don't disable interrupts on RT in
+ disable_irq_nosync_lockdep.*()
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit 87886b32d669abc11c7be95ef44099215e4f5788 ]
+
+disable_irq_nosync_lockdep() disables interrupts with lockdep enabled to
+avoid false positive reports by lockdep that a certain lock has not been
+acquired with disabled interrupts. The user of this macros expects that
+a lock can be acquried without disabling interrupts because the IRQ line
+triggering the interrupt is disabled.
+
+This triggers a warning on PREEMPT_RT because after
+disable_irq_nosync_lockdep.*() the following spinlock_t now is acquired
+with disabled interrupts.
+
+On PREEMPT_RT there is no difference between spin_lock() and
+spin_lock_irq() so avoiding disabling interrupts in this case works for
+the two remaining callers as of today.
+
+Don't disable interrupts on PREEMPT_RT in disable_irq_nosync_lockdep.*().
+
+Closes: https://lore.kernel.org/760e34f9-6034-40e0-82a5-ee9becd24438@roeck-us.net
+Fixes: e8106b941ceab ("[PATCH] lockdep: core, add enable/disable_irq_irqsave/irqrestore() APIs")
+Reported-by: Guenter Roeck <linux@roeck-us.net>
+Suggested-by: "Steven Rostedt (Google)" <rostedt@goodmis.org>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Tested-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20250212103619.2560503-2-bigeasy@linutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/interrupt.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/include/linux/interrupt.h b/include/linux/interrupt.h
+index 0652b4858ba62..71d3fa7f02655 100644
+--- a/include/linux/interrupt.h
++++ b/include/linux/interrupt.h
+@@ -426,7 +426,7 @@ irq_calc_affinity_vectors(unsigned int minvec, unsigned int maxvec,
+ static inline void disable_irq_nosync_lockdep(unsigned int irq)
+ {
+ disable_irq_nosync(irq);
+-#ifdef CONFIG_LOCKDEP
++#if defined(CONFIG_LOCKDEP) && !defined(CONFIG_PREEMPT_RT)
+ local_irq_disable();
+ #endif
+ }
+@@ -434,7 +434,7 @@ static inline void disable_irq_nosync_lockdep(unsigned int irq)
+ static inline void disable_irq_nosync_lockdep_irqsave(unsigned int irq, unsigned long *flags)
+ {
+ disable_irq_nosync(irq);
+-#ifdef CONFIG_LOCKDEP
++#if defined(CONFIG_LOCKDEP) && !defined(CONFIG_PREEMPT_RT)
+ local_irq_save(*flags);
+ #endif
+ }
+@@ -449,7 +449,7 @@ static inline void disable_irq_lockdep(unsigned int irq)
+
+ static inline void enable_irq_lockdep(unsigned int irq)
+ {
+-#ifdef CONFIG_LOCKDEP
++#if defined(CONFIG_LOCKDEP) && !defined(CONFIG_PREEMPT_RT)
+ local_irq_enable();
+ #endif
+ enable_irq(irq);
+@@ -457,7 +457,7 @@ static inline void enable_irq_lockdep(unsigned int irq)
+
+ static inline void enable_irq_lockdep_irqrestore(unsigned int irq, unsigned long *flags)
+ {
+-#ifdef CONFIG_LOCKDEP
++#if defined(CONFIG_LOCKDEP) && !defined(CONFIG_PREEMPT_RT)
+ local_irq_restore(*flags);
+ #endif
+ enable_irq(irq);
+--
+2.39.5
+
--- /dev/null
+From 686c4bad2861ceb1ee37e83d2f93719c2d8fc1b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Mar 2025 15:26:52 -0800
+Subject: locking/semaphore: Use wake_q to wake up processes outside lock
+ critical section
+
+From: Waiman Long <longman@redhat.com>
+
+[ Upstream commit 85b2b9c16d053364e2004883140538e73b333cdb ]
+
+A circular lock dependency splat has been seen involving down_trylock():
+
+ ======================================================
+ WARNING: possible circular locking dependency detected
+ 6.12.0-41.el10.s390x+debug
+ ------------------------------------------------------
+ dd/32479 is trying to acquire lock:
+ 0015a20accd0d4f8 ((console_sem).lock){-.-.}-{2:2}, at: down_trylock+0x26/0x90
+
+ but task is already holding lock:
+ 000000017e461698 (&zone->lock){-.-.}-{2:2}, at: rmqueue_bulk+0xac/0x8f0
+
+ the existing dependency chain (in reverse order) is:
+ -> #4 (&zone->lock){-.-.}-{2:2}:
+ -> #3 (hrtimer_bases.lock){-.-.}-{2:2}:
+ -> #2 (&rq->__lock){-.-.}-{2:2}:
+ -> #1 (&p->pi_lock){-.-.}-{2:2}:
+ -> #0 ((console_sem).lock){-.-.}-{2:2}:
+
+The console_sem -> pi_lock dependency is due to calling try_to_wake_up()
+while holding the console_sem raw_spinlock. This dependency can be broken
+by using wake_q to do the wakeup instead of calling try_to_wake_up()
+under the console_sem lock. This will also make the semaphore's
+raw_spinlock become a terminal lock without taking any further locks
+underneath it.
+
+The hrtimer_bases.lock is a raw_spinlock while zone->lock is a
+spinlock. The hrtimer_bases.lock -> zone->lock dependency happens via
+the debug_objects_fill_pool() helper function in the debugobjects code.
+
+ -> #4 (&zone->lock){-.-.}-{2:2}:
+ __lock_acquire+0xe86/0x1cc0
+ lock_acquire.part.0+0x258/0x630
+ lock_acquire+0xb8/0xe0
+ _raw_spin_lock_irqsave+0xb4/0x120
+ rmqueue_bulk+0xac/0x8f0
+ __rmqueue_pcplist+0x580/0x830
+ rmqueue_pcplist+0xfc/0x470
+ rmqueue.isra.0+0xdec/0x11b0
+ get_page_from_freelist+0x2ee/0xeb0
+ __alloc_pages_noprof+0x2c2/0x520
+ alloc_pages_mpol_noprof+0x1fc/0x4d0
+ alloc_pages_noprof+0x8c/0xe0
+ allocate_slab+0x320/0x460
+ ___slab_alloc+0xa58/0x12b0
+ __slab_alloc.isra.0+0x42/0x60
+ kmem_cache_alloc_noprof+0x304/0x350
+ fill_pool+0xf6/0x450
+ debug_object_activate+0xfe/0x360
+ enqueue_hrtimer+0x34/0x190
+ __run_hrtimer+0x3c8/0x4c0
+ __hrtimer_run_queues+0x1b2/0x260
+ hrtimer_interrupt+0x316/0x760
+ do_IRQ+0x9a/0xe0
+ do_irq_async+0xf6/0x160
+
+Normally a raw_spinlock to spinlock dependency is not legitimate
+and will be warned if CONFIG_PROVE_RAW_LOCK_NESTING is enabled,
+but debug_objects_fill_pool() is an exception as it explicitly
+allows this dependency for non-PREEMPT_RT kernel without causing
+PROVE_RAW_LOCK_NESTING lockdep splat. As a result, this dependency is
+legitimate and not a bug.
+
+Anyway, semaphore is the only locking primitive left that is still
+using try_to_wake_up() to do wakeup inside critical section, all the
+other locking primitives had been migrated to use wake_q to do wakeup
+outside of the critical section. It is also possible that there are
+other circular locking dependencies involving printk/console_sem or
+other existing/new semaphores lurking somewhere which may show up in
+the future. Let just do the migration now to wake_q to avoid headache
+like this.
+
+Reported-by: yzbot+ed801a886dfdbfe7136d@syzkaller.appspotmail.com
+Signed-off-by: Waiman Long <longman@redhat.com>
+Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Link: https://lore.kernel.org/r/20250307232717.1759087-3-boqun.feng@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/locking/semaphore.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/locking/semaphore.c b/kernel/locking/semaphore.c
+index 9aa855a96c4ae..aadde65402913 100644
+--- a/kernel/locking/semaphore.c
++++ b/kernel/locking/semaphore.c
+@@ -29,6 +29,7 @@
+ #include <linux/export.h>
+ #include <linux/sched.h>
+ #include <linux/sched/debug.h>
++#include <linux/sched/wake_q.h>
+ #include <linux/semaphore.h>
+ #include <linux/spinlock.h>
+ #include <linux/ftrace.h>
+@@ -37,7 +38,7 @@ static noinline void __down(struct semaphore *sem);
+ static noinline int __down_interruptible(struct semaphore *sem);
+ static noinline int __down_killable(struct semaphore *sem);
+ static noinline int __down_timeout(struct semaphore *sem, long timeout);
+-static noinline void __up(struct semaphore *sem);
++static noinline void __up(struct semaphore *sem, struct wake_q_head *wake_q);
+
+ /**
+ * down - acquire the semaphore
+@@ -178,13 +179,16 @@ EXPORT_SYMBOL(down_timeout);
+ void up(struct semaphore *sem)
+ {
+ unsigned long flags;
++ DEFINE_WAKE_Q(wake_q);
+
+ raw_spin_lock_irqsave(&sem->lock, flags);
+ if (likely(list_empty(&sem->wait_list)))
+ sem->count++;
+ else
+- __up(sem);
++ __up(sem, &wake_q);
+ raw_spin_unlock_irqrestore(&sem->lock, flags);
++ if (!wake_q_empty(&wake_q))
++ wake_up_q(&wake_q);
+ }
+ EXPORT_SYMBOL(up);
+
+@@ -252,11 +256,12 @@ static noinline int __sched __down_timeout(struct semaphore *sem, long timeout)
+ return __down_common(sem, TASK_UNINTERRUPTIBLE, timeout);
+ }
+
+-static noinline void __sched __up(struct semaphore *sem)
++static noinline void __sched __up(struct semaphore *sem,
++ struct wake_q_head *wake_q)
+ {
+ struct semaphore_waiter *waiter = list_first_entry(&sem->wait_list,
+ struct semaphore_waiter, list);
+ list_del(&waiter->list);
+ waiter->up = true;
+- wake_up_process(waiter->task);
++ wake_q_add(wake_q, waiter->task);
+ }
+--
+2.39.5
+
--- /dev/null
+From 23a43caadf82db794c1667a64904aac30378b575 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Feb 2025 17:44:23 +0100
+Subject: mdacon: rework dependency list
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 5bbcc7645f4b244ffb5ac6563fbe9d3d42194447 ]
+
+mdacon has roughly the same dependencies as vgacon but expresses them
+as a negative list instead of a positive list, with the only practical
+difference being PowerPC/CHRP, which uses vga16fb instead of vgacon.
+
+The CONFIG_MDA_CONSOLE description advises to only turn it on when vgacon
+is also used because MDA/Hercules-only systems should be using vgacon
+instead, so just change the list to enforce that directly for simplicity.
+
+The probing was broken from 2002 to 2008, this improves on the fix
+that was added then: If vgacon is a loadable module, then mdacon
+cannot be built-in now, and the list of systems that support vgacon
+is carried over.
+
+Fixes: 0b9cf3aa6b1e ("mdacon messing up default vc's - set default to vc13-16 again")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/console/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/video/console/Kconfig b/drivers/video/console/Kconfig
+index 47c4939577725..67aeb4e6494b6 100644
+--- a/drivers/video/console/Kconfig
++++ b/drivers/video/console/Kconfig
+@@ -23,7 +23,7 @@ config VGA_CONSOLE
+ Say Y.
+
+ config MDA_CONSOLE
+- depends on !M68K && !PARISC && ISA
++ depends on VGA_CONSOLE && ISA
+ tristate "MDA text console (dual-headed)"
+ help
+ Say Y here if you have an old MDA or monochrome Hercules graphics
+--
+2.39.5
+
--- /dev/null
+From b5975c78c990b5fe983db858882c7c7308683029 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Jan 2025 09:12:06 -0800
+Subject: mfd: sm501: Switch to BIT() to mitigate integer overflows
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+[ Upstream commit 2d8cb9ffe18c2f1e5bd07a19cbce85b26c1d0cf0 ]
+
+If offset end up being high enough, right hand expression in functions
+like sm501_gpio_set() shifted left for that number of bits, may
+not fit in int type.
+
+Just in case, fix that by using BIT() both as an option safe from
+overflow issues and to make this step look similar to other gpio
+drivers.
+
+Found by Linux Verification Center (linuxtesting.org) with static
+analysis tool SVACE.
+
+Fixes: f61be273d369 ("sm501: add gpiolib support")
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Link: https://lore.kernel.org/r/20250115171206.20308-1-n.zhandarovich@fintech.ru
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/sm501.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/mfd/sm501.c b/drivers/mfd/sm501.c
+index 37ad72d8cde2a..8c67fdc2af7f1 100644
+--- a/drivers/mfd/sm501.c
++++ b/drivers/mfd/sm501.c
+@@ -920,7 +920,7 @@ static void sm501_gpio_set(struct gpio_chip *chip, unsigned offset, int value)
+ {
+ struct sm501_gpio_chip *smchip = gpiochip_get_data(chip);
+ struct sm501_gpio *smgpio = smchip->ourgpio;
+- unsigned long bit = 1 << offset;
++ unsigned long bit = BIT(offset);
+ void __iomem *regs = smchip->regbase;
+ unsigned long save;
+ unsigned long val;
+@@ -946,7 +946,7 @@ static int sm501_gpio_input(struct gpio_chip *chip, unsigned offset)
+ struct sm501_gpio_chip *smchip = gpiochip_get_data(chip);
+ struct sm501_gpio *smgpio = smchip->ourgpio;
+ void __iomem *regs = smchip->regbase;
+- unsigned long bit = 1 << offset;
++ unsigned long bit = BIT(offset);
+ unsigned long save;
+ unsigned long ddr;
+
+@@ -971,7 +971,7 @@ static int sm501_gpio_output(struct gpio_chip *chip,
+ {
+ struct sm501_gpio_chip *smchip = gpiochip_get_data(chip);
+ struct sm501_gpio *smgpio = smchip->ourgpio;
+- unsigned long bit = 1 << offset;
++ unsigned long bit = BIT(offset);
+ void __iomem *regs = smchip->regbase;
+ unsigned long save;
+ unsigned long val;
+--
+2.39.5
+
--- /dev/null
+From 8689d9f0d996770a1d2127d49f5d2bf82e511d8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Apr 2025 15:56:37 +0200
+Subject: net: dsa: mv88e6xxx: propperly shutdown PPU re-enable timer on
+ destroy
+
+From: David Oberhollenzer <david.oberhollenzer@sigma-star.at>
+
+[ Upstream commit a58d882841a0750da3c482cd3d82432b1c7edb77 ]
+
+The mv88e6xxx has an internal PPU that polls PHY state. If we want to
+access the internal PHYs, we need to disable the PPU first. Because
+that is a slow operation, a 10ms timer is used to re-enable it,
+canceled with every access, so bulk operations effectively only
+disable it once and re-enable it some 10ms after the last access.
+
+If a PHY is accessed and then the mv88e6xxx module is removed before
+the 10ms are up, the PPU re-enable ends up accessing a dangling pointer.
+
+This especially affects probing during bootup. The MDIO bus and PHY
+registration may succeed, but registration with the DSA framework
+may fail later on (e.g. because the CPU port depends on another,
+very slow device that isn't done probing yet, returning -EPROBE_DEFER).
+In this case, probe() fails, but the MDIO subsystem may already have
+accessed the MIDO bus or PHYs, arming the timer.
+
+This is fixed as follows:
+ - If probe fails after mv88e6xxx_phy_init(), make sure we also call
+ mv88e6xxx_phy_destroy() before returning
+ - In mv88e6xxx_remove(), make sure we do the teardown in the correct
+ order, calling mv88e6xxx_phy_destroy() after unregistering the
+ switch device.
+ - In mv88e6xxx_phy_destroy(), destroy both the timer and the work item
+ that the timer might schedule, synchronously waiting in case one of
+ the callbacks already fired and destroying the timer first, before
+ waiting for the work item.
+ - Access to the PPU is guarded by a mutex, the worker acquires it
+ with a mutex_trylock(), not proceeding with the expensive shutdown
+ if that fails. We grab the mutex in mv88e6xxx_phy_destroy() to make
+ sure the slow PPU shutdown is already done or won't even enter, when
+ we wait for the work item.
+
+Fixes: 2e5f032095ff ("dsa: add support for the Marvell 88E6131 switch chip")
+Signed-off-by: David Oberhollenzer <david.oberhollenzer@sigma-star.at>
+Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
+Link: https://patch.msgid.link/20250401135705.92760-1-david.oberhollenzer@sigma-star.at
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mv88e6xxx/chip.c | 11 +++++++----
+ drivers/net/dsa/mv88e6xxx/phy.c | 3 +++
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c
+index c7f93329ae753..4cc60135589d1 100644
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -5578,13 +5578,13 @@ static int mv88e6xxx_probe(struct mdio_device *mdiodev)
+ err = mv88e6xxx_switch_reset(chip);
+ mv88e6xxx_reg_unlock(chip);
+ if (err)
+- goto out;
++ goto out_phy;
+
+ if (np) {
+ chip->irq = of_irq_get(np, 0);
+ if (chip->irq == -EPROBE_DEFER) {
+ err = chip->irq;
+- goto out;
++ goto out_phy;
+ }
+ }
+
+@@ -5603,7 +5603,7 @@ static int mv88e6xxx_probe(struct mdio_device *mdiodev)
+ mv88e6xxx_reg_unlock(chip);
+
+ if (err)
+- goto out;
++ goto out_phy;
+
+ if (chip->info->g2_irqs > 0) {
+ err = mv88e6xxx_g2_irq_setup(chip);
+@@ -5643,6 +5643,8 @@ static int mv88e6xxx_probe(struct mdio_device *mdiodev)
+ mv88e6xxx_g1_irq_free(chip);
+ else
+ mv88e6xxx_irq_poll_free(chip);
++out_phy:
++ mv88e6xxx_phy_destroy(chip);
+ out:
+ if (pdata)
+ dev_put(pdata->netdev);
+@@ -5660,7 +5662,6 @@ static void mv88e6xxx_remove(struct mdio_device *mdiodev)
+ mv88e6xxx_ptp_free(chip);
+ }
+
+- mv88e6xxx_phy_destroy(chip);
+ mv88e6xxx_unregister_switch(chip);
+ mv88e6xxx_mdios_unregister(chip);
+
+@@ -5674,6 +5675,8 @@ static void mv88e6xxx_remove(struct mdio_device *mdiodev)
+ mv88e6xxx_g1_irq_free(chip);
+ else
+ mv88e6xxx_irq_poll_free(chip);
++
++ mv88e6xxx_phy_destroy(chip);
+ }
+
+ static const struct of_device_id mv88e6xxx_of_match[] = {
+diff --git a/drivers/net/dsa/mv88e6xxx/phy.c b/drivers/net/dsa/mv88e6xxx/phy.c
+index 252b5b3a3efef..d2104bd346ea2 100644
+--- a/drivers/net/dsa/mv88e6xxx/phy.c
++++ b/drivers/net/dsa/mv88e6xxx/phy.c
+@@ -197,7 +197,10 @@ static void mv88e6xxx_phy_ppu_state_init(struct mv88e6xxx_chip *chip)
+
+ static void mv88e6xxx_phy_ppu_state_destroy(struct mv88e6xxx_chip *chip)
+ {
++ mutex_lock(&chip->ppu_mutex);
+ del_timer_sync(&chip->ppu_timer);
++ cancel_work_sync(&chip->ppu_work);
++ mutex_unlock(&chip->ppu_mutex);
+ }
+
+ int mv88e6185_phy_ppu_read(struct mv88e6xxx_chip *chip, struct mii_bus *bus,
+--
+2.39.5
+
--- /dev/null
+From bdfa3af60592442fdd15b2b9de5d72adc4f6f257 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Apr 2025 00:56:32 +0800
+Subject: net: fix geneve_opt length integer overflow
+
+From: Lin Ma <linma@zju.edu.cn>
+
+[ Upstream commit b27055a08ad4b415dcf15b63034f9cb236f7fb40 ]
+
+struct geneve_opt uses 5 bit length for each single option, which
+means every vary size option should be smaller than 128 bytes.
+
+However, all current related Netlink policies cannot promise this
+length condition and the attacker can exploit a exact 128-byte size
+option to *fake* a zero length option and confuse the parsing logic,
+further achieve heap out-of-bounds read.
+
+One example crash log is like below:
+
+[ 3.905425] ==================================================================
+[ 3.905925] BUG: KASAN: slab-out-of-bounds in nla_put+0xa9/0xe0
+[ 3.906255] Read of size 124 at addr ffff888005f291cc by task poc/177
+[ 3.906646]
+[ 3.906775] CPU: 0 PID: 177 Comm: poc-oob-read Not tainted 6.1.132 #1
+[ 3.907131] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+[ 3.907784] Call Trace:
+[ 3.907925] <TASK>
+[ 3.908048] dump_stack_lvl+0x44/0x5c
+[ 3.908258] print_report+0x184/0x4be
+[ 3.909151] kasan_report+0xc5/0x100
+[ 3.909539] kasan_check_range+0xf3/0x1a0
+[ 3.909794] memcpy+0x1f/0x60
+[ 3.909968] nla_put+0xa9/0xe0
+[ 3.910147] tunnel_key_dump+0x945/0xba0
+[ 3.911536] tcf_action_dump_1+0x1c1/0x340
+[ 3.912436] tcf_action_dump+0x101/0x180
+[ 3.912689] tcf_exts_dump+0x164/0x1e0
+[ 3.912905] fw_dump+0x18b/0x2d0
+[ 3.913483] tcf_fill_node+0x2ee/0x460
+[ 3.914778] tfilter_notify+0xf4/0x180
+[ 3.915208] tc_new_tfilter+0xd51/0x10d0
+[ 3.918615] rtnetlink_rcv_msg+0x4a2/0x560
+[ 3.919118] netlink_rcv_skb+0xcd/0x200
+[ 3.919787] netlink_unicast+0x395/0x530
+[ 3.921032] netlink_sendmsg+0x3d0/0x6d0
+[ 3.921987] __sock_sendmsg+0x99/0xa0
+[ 3.922220] __sys_sendto+0x1b7/0x240
+[ 3.922682] __x64_sys_sendto+0x72/0x90
+[ 3.922906] do_syscall_64+0x5e/0x90
+[ 3.923814] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+[ 3.924122] RIP: 0033:0x7e83eab84407
+[ 3.924331] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf
+[ 3.925330] RSP: 002b:00007ffff505e370 EFLAGS: 00000202 ORIG_RAX: 000000000000002c
+[ 3.925752] RAX: ffffffffffffffda RBX: 00007e83eaafa740 RCX: 00007e83eab84407
+[ 3.926173] RDX: 00000000000001a8 RSI: 00007ffff505e3c0 RDI: 0000000000000003
+[ 3.926587] RBP: 00007ffff505f460 R08: 00007e83eace1000 R09: 000000000000000c
+[ 3.926977] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffff505f3c0
+[ 3.927367] R13: 00007ffff505f5c8 R14: 00007e83ead1b000 R15: 00005d4fbbe6dcb8
+
+Fix these issues by enforing correct length condition in related
+policies.
+
+Fixes: 925d844696d9 ("netfilter: nft_tunnel: add support for geneve opts")
+Fixes: 4ece47787077 ("lwtunnel: add options setting and dumping for geneve")
+Fixes: 0ed5269f9e41 ("net/sched: add tunnel option support to act_tunnel_key")
+Fixes: 0a6e77784f49 ("net/sched: allow flower to match tunnel options")
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Reviewed-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
+Link: https://patch.msgid.link/20250402165632.6958-1-linma@zju.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/ip_tunnel_core.c | 2 +-
+ net/netfilter/nft_tunnel.c | 2 +-
+ net/sched/act_tunnel_key.c | 2 +-
+ net/sched/cls_flower.c | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c
+index dad9d7db5bf6c..01d362b5b8826 100644
+--- a/net/ipv4/ip_tunnel_core.c
++++ b/net/ipv4/ip_tunnel_core.c
+@@ -459,7 +459,7 @@ static const struct nla_policy
+ geneve_opt_policy[LWTUNNEL_IP_OPT_GENEVE_MAX + 1] = {
+ [LWTUNNEL_IP_OPT_GENEVE_CLASS] = { .type = NLA_U16 },
+ [LWTUNNEL_IP_OPT_GENEVE_TYPE] = { .type = NLA_U8 },
+- [LWTUNNEL_IP_OPT_GENEVE_DATA] = { .type = NLA_BINARY, .len = 128 },
++ [LWTUNNEL_IP_OPT_GENEVE_DATA] = { .type = NLA_BINARY, .len = 127 },
+ };
+
+ static const struct nla_policy
+diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
+index 1b05b70497283..cfe6cf1be4217 100644
+--- a/net/netfilter/nft_tunnel.c
++++ b/net/netfilter/nft_tunnel.c
+@@ -305,7 +305,7 @@ static int nft_tunnel_obj_erspan_init(const struct nlattr *attr,
+ static const struct nla_policy nft_tunnel_opts_geneve_policy[NFTA_TUNNEL_KEY_GENEVE_MAX + 1] = {
+ [NFTA_TUNNEL_KEY_GENEVE_CLASS] = { .type = NLA_U16 },
+ [NFTA_TUNNEL_KEY_GENEVE_TYPE] = { .type = NLA_U8 },
+- [NFTA_TUNNEL_KEY_GENEVE_DATA] = { .type = NLA_BINARY, .len = 128 },
++ [NFTA_TUNNEL_KEY_GENEVE_DATA] = { .type = NLA_BINARY, .len = 127 },
+ };
+
+ static int nft_tunnel_obj_geneve_init(const struct nlattr *attr,
+diff --git a/net/sched/act_tunnel_key.c b/net/sched/act_tunnel_key.c
+index 85c0d0d5b9da5..0d90349636f0e 100644
+--- a/net/sched/act_tunnel_key.c
++++ b/net/sched/act_tunnel_key.c
+@@ -67,7 +67,7 @@ geneve_opt_policy[TCA_TUNNEL_KEY_ENC_OPT_GENEVE_MAX + 1] = {
+ [TCA_TUNNEL_KEY_ENC_OPT_GENEVE_CLASS] = { .type = NLA_U16 },
+ [TCA_TUNNEL_KEY_ENC_OPT_GENEVE_TYPE] = { .type = NLA_U8 },
+ [TCA_TUNNEL_KEY_ENC_OPT_GENEVE_DATA] = { .type = NLA_BINARY,
+- .len = 128 },
++ .len = 127 },
+ };
+
+ static const struct nla_policy
+diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c
+index 98f333aa0aac9..9f6f8430d0378 100644
+--- a/net/sched/cls_flower.c
++++ b/net/sched/cls_flower.c
+@@ -717,7 +717,7 @@ geneve_opt_policy[TCA_FLOWER_KEY_ENC_OPT_GENEVE_MAX + 1] = {
+ [TCA_FLOWER_KEY_ENC_OPT_GENEVE_CLASS] = { .type = NLA_U16 },
+ [TCA_FLOWER_KEY_ENC_OPT_GENEVE_TYPE] = { .type = NLA_U8 },
+ [TCA_FLOWER_KEY_ENC_OPT_GENEVE_DATA] = { .type = NLA_BINARY,
+- .len = 128 },
++ .len = 127 },
+ };
+
+ static const struct nla_policy
+--
+2.39.5
+
--- /dev/null
+From e40072e23e5229edf411dcd8a2e15f2923f10032 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 29 Mar 2025 15:25:35 -0700
+Subject: net_sched: skbprio: Remove overly strict queue assertions
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit ce8fe975fd99b49c29c42e50f2441ba53112b2e8 ]
+
+In the current implementation, skbprio enqueue/dequeue contains an assertion
+that fails under certain conditions when SKBPRIO is used as a child qdisc under
+TBF with specific parameters. The failure occurs because TBF sometimes peeks at
+packets in the child qdisc without actually dequeuing them when tokens are
+unavailable.
+
+This peek operation creates a discrepancy between the parent and child qdisc
+queue length counters. When TBF later receives a high-priority packet,
+SKBPRIO's queue length may show a different value than what's reflected in its
+internal priority queue tracking, triggering the assertion.
+
+The fix removes this overly strict assertions in SKBPRIO, they are not
+necessary at all.
+
+Reported-by: syzbot+a3422a19b05ea96bee18@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=a3422a19b05ea96bee18
+Fixes: aea5f654e6b7 ("net/sched: add skbprio scheduler")
+Cc: Nishanth Devarajan <ndev2021@gmail.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Acked-by: Paolo Abeni <pabeni@redhat.com>
+Link: https://patch.msgid.link/20250329222536.696204-2-xiyou.wangcong@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_skbprio.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/net/sched/sch_skbprio.c b/net/sched/sch_skbprio.c
+index df72fb83d9c7d..c9e422e466159 100644
+--- a/net/sched/sch_skbprio.c
++++ b/net/sched/sch_skbprio.c
+@@ -121,8 +121,6 @@ static int skbprio_enqueue(struct sk_buff *skb, struct Qdisc *sch,
+ /* Check to update highest and lowest priorities. */
+ if (skb_queue_empty(lp_qdisc)) {
+ if (q->lowest_prio == q->highest_prio) {
+- /* The incoming packet is the only packet in queue. */
+- BUG_ON(sch->q.qlen != 1);
+ q->lowest_prio = prio;
+ q->highest_prio = prio;
+ } else {
+@@ -154,7 +152,6 @@ static struct sk_buff *skbprio_dequeue(struct Qdisc *sch)
+ /* Update highest priority field. */
+ if (skb_queue_empty(hpq)) {
+ if (q->lowest_prio == q->highest_prio) {
+- BUG_ON(sch->q.qlen);
+ q->highest_prio = 0;
+ q->lowest_prio = SKBPRIO_MAX_PRIORITY - 1;
+ } else {
+--
+2.39.5
+
--- /dev/null
+From 0db16463da6b9eb7648845733824f028d5814f57 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Apr 2025 01:00:26 +0800
+Subject: netfilter: nft_tunnel: fix geneve_opt type confusion addition
+
+From: Lin Ma <linma@zju.edu.cn>
+
+[ Upstream commit 1b755d8eb1ace3870789d48fbd94f386ad6e30be ]
+
+When handling multiple NFTA_TUNNEL_KEY_OPTS_GENEVE attributes, the
+parsing logic should place every geneve_opt structure one by one
+compactly. Hence, when deciding the next geneve_opt position, the
+pointer addition should be in units of char *.
+
+However, the current implementation erroneously does type conversion
+before the addition, which will lead to heap out-of-bounds write.
+
+[ 6.989857] ==================================================================
+[ 6.990293] BUG: KASAN: slab-out-of-bounds in nft_tunnel_obj_init+0x977/0xa70
+[ 6.990725] Write of size 124 at addr ffff888005f18974 by task poc/178
+[ 6.991162]
+[ 6.991259] CPU: 0 PID: 178 Comm: poc-oob-write Not tainted 6.1.132 #1
+[ 6.991655] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+[ 6.992281] Call Trace:
+[ 6.992423] <TASK>
+[ 6.992586] dump_stack_lvl+0x44/0x5c
+[ 6.992801] print_report+0x184/0x4be
+[ 6.993790] kasan_report+0xc5/0x100
+[ 6.994252] kasan_check_range+0xf3/0x1a0
+[ 6.994486] memcpy+0x38/0x60
+[ 6.994692] nft_tunnel_obj_init+0x977/0xa70
+[ 6.995677] nft_obj_init+0x10c/0x1b0
+[ 6.995891] nf_tables_newobj+0x585/0x950
+[ 6.996922] nfnetlink_rcv_batch+0xdf9/0x1020
+[ 6.998997] nfnetlink_rcv+0x1df/0x220
+[ 6.999537] netlink_unicast+0x395/0x530
+[ 7.000771] netlink_sendmsg+0x3d0/0x6d0
+[ 7.001462] __sock_sendmsg+0x99/0xa0
+[ 7.001707] ____sys_sendmsg+0x409/0x450
+[ 7.002391] ___sys_sendmsg+0xfd/0x170
+[ 7.003145] __sys_sendmsg+0xea/0x170
+[ 7.004359] do_syscall_64+0x5e/0x90
+[ 7.005817] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+[ 7.006127] RIP: 0033:0x7ec756d4e407
+[ 7.006339] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf
+[ 7.007364] RSP: 002b:00007ffed5d46760 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
+[ 7.007827] RAX: ffffffffffffffda RBX: 00007ec756cc4740 RCX: 00007ec756d4e407
+[ 7.008223] RDX: 0000000000000000 RSI: 00007ffed5d467f0 RDI: 0000000000000003
+[ 7.008620] RBP: 00007ffed5d468a0 R08: 0000000000000000 R09: 0000000000000000
+[ 7.009039] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
+[ 7.009429] R13: 00007ffed5d478b0 R14: 00007ec756ee5000 R15: 00005cbd4e655cb8
+
+Fix this bug with correct pointer addition and conversion in parse
+and dump code.
+
+Fixes: 925d844696d9 ("netfilter: nft_tunnel: add support for geneve opts")
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_tunnel.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
+index c8822fa8196d9..1b05b70497283 100644
+--- a/net/netfilter/nft_tunnel.c
++++ b/net/netfilter/nft_tunnel.c
+@@ -311,7 +311,7 @@ static const struct nla_policy nft_tunnel_opts_geneve_policy[NFTA_TUNNEL_KEY_GEN
+ static int nft_tunnel_obj_geneve_init(const struct nlattr *attr,
+ struct nft_tunnel_opts *opts)
+ {
+- struct geneve_opt *opt = (struct geneve_opt *)opts->u.data + opts->len;
++ struct geneve_opt *opt = (struct geneve_opt *)(opts->u.data + opts->len);
+ struct nlattr *tb[NFTA_TUNNEL_KEY_GENEVE_MAX + 1];
+ int err, data_len;
+
+@@ -592,7 +592,7 @@ static int nft_tunnel_opts_dump(struct sk_buff *skb,
+ if (!inner)
+ goto failure;
+ while (opts->len > offset) {
+- opt = (struct geneve_opt *)opts->u.data + offset;
++ opt = (struct geneve_opt *)(opts->u.data + offset);
+ if (nla_put_be16(skb, NFTA_TUNNEL_KEY_GENEVE_CLASS,
+ opt->opt_class) ||
+ nla_put_u8(skb, NFTA_TUNNEL_KEY_GENEVE_TYPE,
+--
+2.39.5
+
--- /dev/null
+From 80d77bd13ef93d3c423d0b456e6a584c9d8ffcf5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Apr 2025 20:40:18 +0800
+Subject: netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4
+ sockets
+
+From: Debin Zhu <mowenroot@163.com>
+
+[ Upstream commit 078aabd567de3d63d37d7673f714e309d369e6e2 ]
+
+When calling netlbl_conn_setattr(), addr->sa_family is used
+to determine the function behavior. If sk is an IPv4 socket,
+but the connect function is called with an IPv6 address,
+the function calipso_sock_setattr() is triggered.
+Inside this function, the following code is executed:
+
+sk_fullsock(__sk) ? inet_sk(__sk)->pinet6 : NULL;
+
+Since sk is an IPv4 socket, pinet6 is NULL, leading to a
+null pointer dereference.
+
+This patch fixes the issue by checking if inet6_sk(sk)
+returns a NULL pointer before accessing pinet6.
+
+Signed-off-by: Debin Zhu <mowenroot@163.com>
+Signed-off-by: Bitao Ouyang <1985755126@qq.com>
+Acked-by: Paul Moore <paul@paul-moore.com>
+Fixes: ceba1832b1b2 ("calipso: Set the calipso socket label to match the secattr.")
+Link: https://patch.msgid.link/20250401124018.4763-1-mowenroot@163.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/calipso.c | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c
+index 0ea66e9db2495..e17e756bb1ad9 100644
+--- a/net/ipv6/calipso.c
++++ b/net/ipv6/calipso.c
+@@ -1075,8 +1075,13 @@ static int calipso_sock_getattr(struct sock *sk,
+ struct ipv6_opt_hdr *hop;
+ int opt_len, len, ret_val = -ENOMSG, offset;
+ unsigned char *opt;
+- struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk));
++ struct ipv6_pinfo *pinfo = inet6_sk(sk);
++ struct ipv6_txoptions *txopts;
++
++ if (!pinfo)
++ return -EAFNOSUPPORT;
+
++ txopts = txopt_get(pinfo);
+ if (!txopts || !txopts->hopopt)
+ goto done;
+
+@@ -1128,8 +1133,13 @@ static int calipso_sock_setattr(struct sock *sk,
+ {
+ int ret_val;
+ struct ipv6_opt_hdr *old, *new;
+- struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk));
++ struct ipv6_pinfo *pinfo = inet6_sk(sk);
++ struct ipv6_txoptions *txopts;
++
++ if (!pinfo)
++ return -EAFNOSUPPORT;
+
++ txopts = txopt_get(pinfo);
+ old = NULL;
+ if (txopts)
+ old = txopts->hopopt;
+@@ -1156,8 +1166,13 @@ static int calipso_sock_setattr(struct sock *sk,
+ static void calipso_sock_delattr(struct sock *sk)
+ {
+ struct ipv6_opt_hdr *new_hop;
+- struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk));
++ struct ipv6_pinfo *pinfo = inet6_sk(sk);
++ struct ipv6_txoptions *txopts;
++
++ if (!pinfo)
++ return;
+
++ txopts = txopt_get(pinfo);
+ if (!txopts || !txopts->hopopt)
+ goto done;
+
+--
+2.39.5
+
--- /dev/null
+From 0b379ebfd028fa38f9c78727ed7e4df10e16ee28 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Feb 2025 16:50:30 -0500
+Subject: NFSv4: Don't trigger uneccessary scans for return-on-close
+ delegations
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit 47acca884f714f41d95dc654f802845544554784 ]
+
+The amount of looping through the list of delegations is occasionally
+leading to soft lockups. Avoid at least some loops by not requiring the
+NFSv4 state manager to scan for delegations that are marked for
+return-on-close. Instead, either mark them for immediate return (if
+possible) or else leave it up to nfs4_inode_return_delegation_on_close()
+to return them once the file is closed by the application.
+
+Fixes: b757144fd77c ("NFSv4: Be less aggressive about returning delegations for open files")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/delegation.c | 33 ++++++++++++++++++---------------
+ 1 file changed, 18 insertions(+), 15 deletions(-)
+
+diff --git a/fs/nfs/delegation.c b/fs/nfs/delegation.c
+index 02d9af026ad15..dbed8d44d8053 100644
+--- a/fs/nfs/delegation.c
++++ b/fs/nfs/delegation.c
+@@ -552,17 +552,6 @@ static bool nfs_delegation_need_return(struct nfs_delegation *delegation)
+
+ if (test_and_clear_bit(NFS_DELEGATION_RETURN, &delegation->flags))
+ ret = true;
+- else if (test_bit(NFS_DELEGATION_RETURN_IF_CLOSED, &delegation->flags)) {
+- struct inode *inode;
+-
+- spin_lock(&delegation->lock);
+- inode = delegation->inode;
+- if (inode && list_empty(&NFS_I(inode)->open_files))
+- ret = true;
+- spin_unlock(&delegation->lock);
+- }
+- if (ret)
+- clear_bit(NFS_DELEGATION_RETURN_IF_CLOSED, &delegation->flags);
+ if (test_bit(NFS_DELEGATION_RETURNING, &delegation->flags) ||
+ test_bit(NFS_DELEGATION_RETURN_DELAYED, &delegation->flags) ||
+ test_bit(NFS_DELEGATION_REVOKED, &delegation->flags))
+@@ -800,11 +789,25 @@ int nfs4_inode_make_writeable(struct inode *inode)
+ return nfs4_inode_return_delegation(inode);
+ }
+
+-static void nfs_mark_return_if_closed_delegation(struct nfs_server *server,
+- struct nfs_delegation *delegation)
++static void
++nfs_mark_return_if_closed_delegation(struct nfs_server *server,
++ struct nfs_delegation *delegation)
+ {
+- set_bit(NFS_DELEGATION_RETURN_IF_CLOSED, &delegation->flags);
+- set_bit(NFS4CLNT_DELEGRETURN, &server->nfs_client->cl_state);
++ struct inode *inode;
++
++ if (test_bit(NFS_DELEGATION_RETURN, &delegation->flags) ||
++ test_bit(NFS_DELEGATION_RETURN_IF_CLOSED, &delegation->flags))
++ return;
++ spin_lock(&delegation->lock);
++ inode = delegation->inode;
++ if (!inode)
++ goto out;
++ if (list_empty(&NFS_I(inode)->open_files))
++ nfs_mark_return_delegation(server, delegation);
++ else
++ set_bit(NFS_DELEGATION_RETURN_IF_CLOSED, &delegation->flags);
++out:
++ spin_unlock(&delegation->lock);
+ }
+
+ static bool nfs_server_mark_return_all_delegations(struct nfs_server *server)
+--
+2.39.5
+
--- /dev/null
+From 327066be50e4cf3eed9fae27f9a867d56cc9770f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Jun 2024 11:15:19 +0300
+Subject: ntb: intel: Fix using link status DB's
+
+From: Nikita Shubin <n.shubin@yadro.com>
+
+[ Upstream commit 8144e9c8f30fb23bb736a5d24d5c9d46965563c4 ]
+
+Make sure we are not using DB's which were remapped for link status.
+
+Fixes: f6e51c354b60 ("ntb: intel: split out the gen3 code")
+Signed-off-by: Nikita Shubin <n.shubin@yadro.com>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Jon Mason <jdmason@kudzu.us>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ntb/hw/intel/ntb_hw_gen3.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/ntb/hw/intel/ntb_hw_gen3.c b/drivers/ntb/hw/intel/ntb_hw_gen3.c
+index ffcfc3e02c353..a5aa96a31f4a6 100644
+--- a/drivers/ntb/hw/intel/ntb_hw_gen3.c
++++ b/drivers/ntb/hw/intel/ntb_hw_gen3.c
+@@ -215,6 +215,9 @@ static int gen3_init_ntb(struct intel_ntb_dev *ndev)
+ }
+
+ ndev->db_valid_mask = BIT_ULL(ndev->db_count) - 1;
++ /* Make sure we are not using DB's used for link status */
++ if (ndev->hwerr_flags & NTB_HWERR_MSIX_VECTOR32_BAD)
++ ndev->db_valid_mask &= ~ndev->db_link_mask;
+
+ ndev->reg->db_iowrite(ndev->db_valid_mask,
+ ndev->self_mmio +
+--
+2.39.5
+
--- /dev/null
+From 9efeca62b6fb87a062884c4219a53ab765a8fd65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Aug 2023 16:33:05 +0800
+Subject: ntb_hw_switchtec: Fix shift-out-of-bounds in
+ switchtec_ntb_mw_set_trans
+
+From: Yajun Deng <yajun.deng@linux.dev>
+
+[ Upstream commit de203da734fae00e75be50220ba5391e7beecdf9 ]
+
+There is a kernel API ntb_mw_clear_trans() would pass 0 to both addr and
+size. This would make xlate_pos negative.
+
+[ 23.734156] switchtec switchtec0: MW 0: part 0 addr 0x0000000000000000 size 0x0000000000000000
+[ 23.734158] ================================================================================
+[ 23.734172] UBSAN: shift-out-of-bounds in drivers/ntb/hw/mscc/ntb_hw_switchtec.c:293:7
+[ 23.734418] shift exponent -1 is negative
+
+Ensuring xlate_pos is a positive or zero before BIT.
+
+Fixes: 1e2fd202f859 ("ntb_hw_switchtec: Check for alignment of the buffer in mw_set_trans()")
+Signed-off-by: Yajun Deng <yajun.deng@linux.dev>
+Reviewed-by: Logan Gunthorpe <logang@deltatee.com>
+Signed-off-by: Jon Mason <jdmason@kudzu.us>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ntb/hw/mscc/ntb_hw_switchtec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/ntb/hw/mscc/ntb_hw_switchtec.c b/drivers/ntb/hw/mscc/ntb_hw_switchtec.c
+index ad09946100b56..c5c1963c699d9 100644
+--- a/drivers/ntb/hw/mscc/ntb_hw_switchtec.c
++++ b/drivers/ntb/hw/mscc/ntb_hw_switchtec.c
+@@ -288,7 +288,7 @@ static int switchtec_ntb_mw_set_trans(struct ntb_dev *ntb, int pidx, int widx,
+ if (size != 0 && xlate_pos < 12)
+ return -EINVAL;
+
+- if (!IS_ALIGNED(addr, BIT_ULL(xlate_pos))) {
++ if (xlate_pos >= 0 && !IS_ALIGNED(addr, BIT_ULL(xlate_pos))) {
+ /*
+ * In certain circumstances we can get a buffer that is
+ * not aligned to its size. (Most of the time
+--
+2.39.5
+
--- /dev/null
+From b7422c7e94f14dc9f2eab64bbf05325cb64c8a16 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Feb 2025 01:04:43 +0800
+Subject: nvme-pci: clean up CMBMSC when registering CMB fails
+
+From: Icenowy Zheng <uwu@icenowy.me>
+
+[ Upstream commit 6a3572e10f740acd48e2713ef37e92186a3ce5e8 ]
+
+CMB decoding should get disabled when the CMB block isn't successfully
+registered to P2P DMA subsystem.
+
+Clean up the CMBMSC register in this error handling codepath to disable
+CMB decoding (and CMBLOC/CMBSZ registers).
+
+Signed-off-by: Icenowy Zheng <uwu@icenowy.me>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index ae04bdce560a1..7993acdfd3185 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -1888,6 +1888,7 @@ static void nvme_map_cmb(struct nvme_dev *dev)
+ if (pci_p2pdma_add_resource(pdev, bar, size, offset)) {
+ dev_warn(dev->ctrl.device,
+ "failed to register the CMB\n");
++ hi_lo_writeq(0, dev->bar + NVME_REG_CMBMSC);
+ return;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 173a27b5d565d422e6067ff852ce6ffd9a04a56d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Feb 2025 01:04:44 +0800
+Subject: nvme-pci: skip CMB blocks incompatible with PCI P2P DMA
+
+From: Icenowy Zheng <uwu@icenowy.me>
+
+[ Upstream commit 56cf7ef0d490b28fad8f8629fc135c5ab7c9f54e ]
+
+The PCI P2PDMA code will register the CMB block to the memory
+hot-plugging subsystem, which have an alignment requirement. Memory
+blocks that do not satisfy this alignment requirement (usually 2MB) will
+lead to a WARNING from memory hotplugging.
+
+Verify the CMB block's address and size against the alignment and only
+try to send CMB blocks compatible with it to prevent this warning.
+
+Tested on Intel DC D4502 SSD, which has a 512K CMB block that is too
+small for memory hotplugging (thus PCI P2PDMA).
+
+Signed-off-by: Icenowy Zheng <uwu@icenowy.me>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index 7993acdfd3185..a56baaafe79df 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -1867,6 +1867,18 @@ static void nvme_map_cmb(struct nvme_dev *dev)
+ if (offset > bar_size)
+ return;
+
++ /*
++ * Controllers may support a CMB size larger than their BAR, for
++ * example, due to being behind a bridge. Reduce the CMB to the
++ * reported size of the BAR
++ */
++ size = min(size, bar_size - offset);
++
++ if (!IS_ALIGNED(size, memremap_compat_align()) ||
++ !IS_ALIGNED(pci_resource_start(pdev, bar),
++ memremap_compat_align()))
++ return;
++
+ /*
+ * Tell the controller about the host side address mapping the CMB,
+ * and enable CMB decoding for the NVMe 1.4+ scheme:
+@@ -1877,14 +1889,6 @@ static void nvme_map_cmb(struct nvme_dev *dev)
+ dev->bar + NVME_REG_CMBMSC);
+ }
+
+- /*
+- * Controllers may support a CMB size larger than their BAR,
+- * for example, due to being behind a bridge. Reduce the CMB to
+- * the reported size of the BAR
+- */
+- if (size > bar_size - offset)
+- size = bar_size - offset;
+-
+ if (pci_p2pdma_add_resource(pdev, bar, size, offset)) {
+ dev_warn(dev->ctrl.device,
+ "failed to register the CMB\n");
+--
+2.39.5
+
--- /dev/null
+From 4da8420ced1c071747a0a8c203b30dbbee6df825 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Feb 2025 13:18:30 +0200
+Subject: nvme-tcp: fix possible UAF in nvme_tcp_poll
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+[ Upstream commit 8c1624b63a7d24142a2bbc3a5ee7e95f004ea36e ]
+
+nvme_tcp_poll() may race with the send path error handler because
+it may complete the request while it is actively being polled for
+completion, resulting in a UAF panic [1]:
+
+We should make sure to stop polling when we see an error when
+trying to read from the socket. Hence make sure to propagate the
+error so that the block layer breaks the polling cycle.
+
+[1]:
+--
+[35665.692310] nvme nvme2: failed to send request -13
+[35665.702265] nvme nvme2: unsupported pdu type (3)
+[35665.702272] BUG: kernel NULL pointer dereference, address: 0000000000000000
+[35665.702542] nvme nvme2: queue 1 receive failed: -22
+[35665.703209] #PF: supervisor write access in kernel mode
+[35665.703213] #PF: error_code(0x0002) - not-present page
+[35665.703214] PGD 8000003801cce067 P4D 8000003801cce067 PUD 37e6f79067 PMD 0
+[35665.703220] Oops: 0002 [#1] SMP PTI
+[35665.703658] nvme nvme2: starting error recovery
+[35665.705809] Hardware name: Inspur aaabbb/YZMB-00882-104, BIOS 4.1.26 09/22/2022
+[35665.705812] Workqueue: kblockd blk_mq_requeue_work
+[35665.709172] RIP: 0010:_raw_spin_lock+0xc/0x30
+[35665.715788] Call Trace:
+[35665.716201] <TASK>
+[35665.716613] ? show_trace_log_lvl+0x1c1/0x2d9
+[35665.717049] ? show_trace_log_lvl+0x1c1/0x2d9
+[35665.717457] ? blk_mq_request_bypass_insert+0x2c/0xb0
+[35665.717950] ? __die_body.cold+0x8/0xd
+[35665.718361] ? page_fault_oops+0xac/0x140
+[35665.718749] ? blk_mq_start_request+0x30/0xf0
+[35665.719144] ? nvme_tcp_queue_rq+0xc7/0x170 [nvme_tcp]
+[35665.719547] ? exc_page_fault+0x62/0x130
+[35665.719938] ? asm_exc_page_fault+0x22/0x30
+[35665.720333] ? _raw_spin_lock+0xc/0x30
+[35665.720723] blk_mq_request_bypass_insert+0x2c/0xb0
+[35665.721101] blk_mq_requeue_work+0xa5/0x180
+[35665.721451] process_one_work+0x1e8/0x390
+[35665.721809] worker_thread+0x53/0x3d0
+[35665.722159] ? process_one_work+0x390/0x390
+[35665.722501] kthread+0x124/0x150
+[35665.722849] ? set_kthread_struct+0x50/0x50
+[35665.723182] ret_from_fork+0x1f/0x30
+
+Reported-by: Zhang Guanghui <zhang.guanghui@cestc.cn>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/tcp.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c
+index ea4d3170acae5..93835c019b8e3 100644
+--- a/drivers/nvme/host/tcp.c
++++ b/drivers/nvme/host/tcp.c
+@@ -2462,6 +2462,7 @@ static int nvme_tcp_poll(struct blk_mq_hw_ctx *hctx)
+ {
+ struct nvme_tcp_queue *queue = hctx->driver_data;
+ struct sock *sk = queue->sock->sk;
++ int ret;
+
+ if (!test_bit(NVME_TCP_Q_LIVE, &queue->flags))
+ return 0;
+@@ -2469,9 +2470,9 @@ static int nvme_tcp_poll(struct blk_mq_hw_ctx *hctx)
+ set_bit(NVME_TCP_Q_POLLING, &queue->flags);
+ if (sk_can_busy_loop(sk) && skb_queue_empty_lockless(&sk->sk_receive_queue))
+ sk_busy_loop(sk, true);
+- nvme_tcp_try_recv(queue);
++ ret = nvme_tcp_try_recv(queue);
+ clear_bit(NVME_TCP_Q_POLLING, &queue->flags);
+- return queue->nr_cqe;
++ return ret < 0 ? ret : queue->nr_cqe;
+ }
+
+ static const struct blk_mq_ops nvme_tcp_mq_ops = {
+--
+2.39.5
+
--- /dev/null
+From 92eb7e01371dce0e443c6a57e03437f3d44af9de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Mar 2025 14:56:06 -0700
+Subject: objtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds()
+
+From: Josh Poimboeuf <jpoimboe@kernel.org>
+
+[ Upstream commit e63d465f59011dede0a0f1d21718b59a64c3ff5c ]
+
+If dib8000_set_dds()'s call to dib8000_read32() returns zero, the result
+is a divide-by-zero. Prevent that from happening.
+
+Fixes the following warning with an UBSAN kernel:
+
+ drivers/media/dvb-frontends/dib8000.o: warning: objtool: dib8000_tune() falls through to next function dib8096p_cfg_DibRx()
+
+Fixes: 173a64cb3fcf ("[media] dib8000: enhancement")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Link: https://lore.kernel.org/r/bd1d504d930ae3f073b1e071bcf62cae7708773c.1742852847.git.jpoimboe@kernel.org
+Closes: https://lore.kernel.org/r/202503210602.fvH5DO1i-lkp@intel.com/
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-frontends/dib8000.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/dvb-frontends/dib8000.c b/drivers/media/dvb-frontends/dib8000.c
+index 02cb48223dc67..a28cbbd9e475c 100644
+--- a/drivers/media/dvb-frontends/dib8000.c
++++ b/drivers/media/dvb-frontends/dib8000.c
+@@ -2701,8 +2701,11 @@ static void dib8000_set_dds(struct dib8000_state *state, s32 offset_khz)
+ u8 ratio;
+
+ if (state->revision == 0x8090) {
++ u32 internal = dib8000_read32(state, 23) / 1000;
++
+ ratio = 4;
+- unit_khz_dds_val = (1<<26) / (dib8000_read32(state, 23) / 1000);
++
++ unit_khz_dds_val = (1<<26) / (internal ?: 1);
+ if (offset_khz < 0)
+ dds = (1 << 26) - (abs_offset_khz * unit_khz_dds_val);
+ else
+--
+2.39.5
+
--- /dev/null
+From 6b1d59e1e0331a5cc08c8baca3abcb0e8fa73b83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Feb 2025 11:49:08 +0300
+Subject: ocfs2: validate l_tree_depth to avoid out-of-bounds access
+
+From: Vasiliy Kovalev <kovalev@altlinux.org>
+
+[ Upstream commit a406aff8c05115119127c962cbbbbd202e1973ef ]
+
+The l_tree_depth field is 16-bit (__le16), but the actual maximum depth is
+limited to OCFS2_MAX_PATH_DEPTH.
+
+Add a check to prevent out-of-bounds access if l_tree_depth has an invalid
+value, which may occur when reading from a corrupted mounted disk [1].
+
+Link: https://lkml.kernel.org/r/20250214084908.736528-1-kovalev@altlinux.org
+Fixes: ccd979bdbce9 ("[PATCH] OCFS2: The Second Oracle Cluster Filesystem")
+Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
+Reported-by: syzbot+66c146268dc88f4341fd@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=66c146268dc88f4341fd [1]
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: Kurt Hackel <kurt.hackel@oracle.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Vasiliy Kovalev <kovalev@altlinux.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/alloc.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c
+index a9a6276ff29bd..94c7acfebe183 100644
+--- a/fs/ocfs2/alloc.c
++++ b/fs/ocfs2/alloc.c
+@@ -1798,6 +1798,14 @@ static int __ocfs2_find_path(struct ocfs2_caching_info *ci,
+
+ el = root_el;
+ while (el->l_tree_depth) {
++ if (unlikely(le16_to_cpu(el->l_tree_depth) >= OCFS2_MAX_PATH_DEPTH)) {
++ ocfs2_error(ocfs2_metadata_cache_get_super(ci),
++ "Owner %llu has invalid tree depth %u in extent list\n",
++ (unsigned long long)ocfs2_metadata_cache_owner(ci),
++ le16_to_cpu(el->l_tree_depth));
++ ret = -EROFS;
++ goto out;
++ }
+ if (le16_to_cpu(el->l_next_free_rec) == 0) {
+ ocfs2_error(ocfs2_metadata_cache_get_super(ci),
+ "Owner %llu has empty extent list at depth %u\n",
+--
+2.39.5
+
--- /dev/null
+From 169186ef157e8d96fa3b8c6e357e11b146a77892 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Mar 2025 14:44:41 +0530
+Subject: octeontx2-af: Fix mbox INTR handler when num VFs > 64
+
+From: Geetha sowjanya <gakula@marvell.com>
+
+[ Upstream commit 0fdba88a211508984eb5df62008c29688692b134 ]
+
+When number of RVU VFs > 64, the vfs value passed to "rvu_queue_work"
+function is incorrect. Due to which mbox workqueue entries for
+VFs 0 to 63 never gets added to workqueue.
+
+Fixes: 9bdc47a6e328 ("octeontx2-af: Mbox communication support btw AF and it's VFs")
+Signed-off-by: Geetha sowjanya <gakula@marvell.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250327091441.1284-1-gakula@marvell.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/af/rvu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c
+index 78309821ce298..f8e86f2535635 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c
++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c
+@@ -2056,7 +2056,7 @@ static irqreturn_t rvu_mbox_intr_handler(int irq, void *rvu_irq)
+ rvupf_write64(rvu, RVU_PF_VFPF_MBOX_INTX(1), intr);
+
+ rvu_queue_work(&rvu->afvf_wq_info, 64, vfs, intr);
+- vfs -= 64;
++ vfs = 64;
+ }
+
+ intr = rvupf_read64(rvu, RVU_PF_VFPF_MBOX_INTX(0));
+--
+2.39.5
+
--- /dev/null
+From f1ae84c36abb756f81f6106e459c516d194a7ce0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 22 Dec 2024 19:39:08 -0800
+Subject: PCI/ASPM: Fix link state exit during switch upstream function removal
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Daniel Stodden <daniel.stodden@gmail.com>
+
+[ Upstream commit cbf937dcadfd571a434f8074d057b32cd14fbea5 ]
+
+Before 456d8aa37d0f ("PCI/ASPM: Disable ASPM on MFD function removal to
+avoid use-after-free"), we would free the ASPM link only after the last
+function on the bus pertaining to the given link was removed.
+
+That was too late. If function 0 is removed before sibling function,
+link->downstream would point to free'd memory after.
+
+After above change, we freed the ASPM parent link state upon any function
+removal on the bus pertaining to a given link.
+
+That is too early. If the link is to a PCIe switch with MFD on the upstream
+port, then removing functions other than 0 first would free a link which
+still remains parent_link to the remaining downstream ports.
+
+The resulting GPFs are especially frequent during hot-unplug, because
+pciehp removes devices on the link bus in reverse order.
+
+On that switch, function 0 is the virtual P2P bridge to the internal bus.
+Free exactly when function 0 is removed -- before the parent link is
+obsolete, but after all subordinate links are gone.
+
+Link: https://lore.kernel.org/r/e12898835f25234561c9d7de4435590d957b85d9.1734924854.git.dns@arista.com
+Fixes: 456d8aa37d0f ("PCI/ASPM: Disable ASPM on MFD function removal to avoid use-after-free")
+Signed-off-by: Daniel Stodden <dns@arista.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+[kwilczynski: commit log]
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pcie/aspm.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c
+index 8ab8abd79e896..94b0b32340a8a 100644
+--- a/drivers/pci/pcie/aspm.c
++++ b/drivers/pci/pcie/aspm.c
+@@ -1014,16 +1014,16 @@ void pcie_aspm_exit_link_state(struct pci_dev *pdev)
+ parent_link = link->parent;
+
+ /*
+- * link->downstream is a pointer to the pci_dev of function 0. If
+- * we remove that function, the pci_dev is about to be deallocated,
+- * so we can't use link->downstream again. Free the link state to
+- * avoid this.
++ * Free the parent link state, no later than function 0 (i.e.
++ * link->downstream) being removed.
+ *
+- * If we're removing a non-0 function, it's possible we could
+- * retain the link state, but PCIe r6.0, sec 7.5.3.7, recommends
+- * programming the same ASPM Control value for all functions of
+- * multi-function devices, so disable ASPM for all of them.
++ * Do not free the link state any earlier. If function 0 is a
++ * switch upstream port, this link state is parent_link to all
++ * subordinate ones.
+ */
++ if (pdev != link->downstream)
++ goto out;
++
+ pcie_config_aspm_link(link, 0);
+ list_del(&link->sibling);
+ free_link_state(link);
+@@ -1034,6 +1034,7 @@ void pcie_aspm_exit_link_state(struct pci_dev *pdev)
+ pcie_config_aspm_path(parent_link);
+ }
+
++ out:
+ mutex_unlock(&aspm_lock);
+ up_read(&pci_bus_sem);
+ }
+--
+2.39.5
+
--- /dev/null
+From 792a709334861b0689531c5c824b10fd75cf04e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Feb 2025 12:39:30 -0500
+Subject: PCI: brcmstb: Use internal register to change link capability
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jim Quinlan <james.quinlan@broadcom.com>
+
+[ Upstream commit 0c97321e11e0e9e18546f828492758f6aaecec59 ]
+
+The driver has been mistakenly writing to a read-only (RO)
+configuration space register (PCI_EXP_LNKCAP) to change the
+PCIe link capability.
+
+Although harmless in this case, the proper write destination
+is an internal register that is reflected by PCI_EXP_LNKCAP.
+
+Thus, fix the brcm_pcie_set_gen() function to correctly update
+the link capability.
+
+Fixes: c0452137034b ("PCI: brcmstb: Add Broadcom STB PCIe host controller driver")
+Signed-off-by: Jim Quinlan <james.quinlan@broadcom.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Link: https://lore.kernel.org/r/20250214173944.47506-3-james.quinlan@broadcom.com
+[kwilczynski: commit log]
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pcie-brcmstb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pci/controller/pcie-brcmstb.c b/drivers/pci/controller/pcie-brcmstb.c
+index 9c3d2982248d3..be6af5585dd6b 100644
+--- a/drivers/pci/controller/pcie-brcmstb.c
++++ b/drivers/pci/controller/pcie-brcmstb.c
+@@ -402,10 +402,10 @@ static int brcm_pcie_set_ssc(struct brcm_pcie *pcie)
+ static void brcm_pcie_set_gen(struct brcm_pcie *pcie, int gen)
+ {
+ u16 lnkctl2 = readw(pcie->base + BRCM_PCIE_CAP_REGS + PCI_EXP_LNKCTL2);
+- u32 lnkcap = readl(pcie->base + BRCM_PCIE_CAP_REGS + PCI_EXP_LNKCAP);
++ u32 lnkcap = readl(pcie->base + PCIE_RC_CFG_PRIV1_LINK_CAPABILITY);
+
+ lnkcap = (lnkcap & ~PCI_EXP_LNKCAP_SLS) | gen;
+- writel(lnkcap, pcie->base + BRCM_PCIE_CAP_REGS + PCI_EXP_LNKCAP);
++ writel(lnkcap, pcie->base + PCIE_RC_CFG_PRIV1_LINK_CAPABILITY);
+
+ lnkctl2 = (lnkctl2 & ~0xf) | gen;
+ writew(lnkctl2, pcie->base + BRCM_PCIE_CAP_REGS + PCI_EXP_LNKCTL2);
+--
+2.39.5
+
--- /dev/null
+From 5849df3055b94caed379f2dfaf592e1717e6d62a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 15 Feb 2025 00:57:24 +0800
+Subject: PCI: cadence-ep: Fix the driver to send MSG TLP for INTx without data
+ payload
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hans Zhang <18255117159@163.com>
+
+[ Upstream commit 3ac47fbf4f6e8c3a7c3855fac68cc3246f90f850 ]
+
+Per the Cadence's "PCIe Controller IP for AX14" user guide, Version
+1.04, Section 9.1.7.1, "AXI Subordinate to PCIe Address Translation
+Registers", Table 9.4, the bit 16 of the AXI Subordinate Address
+(axi_s_awaddr) when set corresponds to MSG with data, and when not set,
+to MSG without data.
+
+However, the driver is currently doing the opposite and due to this,
+the INTx is never received on the host.
+
+So, fix the driver to reflect the documentation and also make INTx work.
+
+Fixes: 37dddf14f1ae ("PCI: cadence: Add EndPoint Controller driver for Cadence PCIe controller")
+Signed-off-by: Hans Zhang <18255117159@163.com>
+Signed-off-by: Hans Zhang <hans.zhang@cixtech.com>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Link: https://lore.kernel.org/r/20250214165724.184599-1-18255117159@163.com
+[kwilczynski: commit log]
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/cadence/pcie-cadence-ep.c | 3 +--
+ drivers/pci/controller/cadence/pcie-cadence.h | 2 +-
+ 2 files changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/pci/controller/cadence/pcie-cadence-ep.c b/drivers/pci/controller/cadence/pcie-cadence-ep.c
+index 4c5e6349d78ce..403ff93bc8509 100644
+--- a/drivers/pci/controller/cadence/pcie-cadence-ep.c
++++ b/drivers/pci/controller/cadence/pcie-cadence-ep.c
+@@ -311,8 +311,7 @@ static void cdns_pcie_ep_assert_intx(struct cdns_pcie_ep *ep, u8 fn,
+ spin_unlock_irqrestore(&ep->lock, flags);
+
+ offset = CDNS_PCIE_NORMAL_MSG_ROUTING(MSG_ROUTING_LOCAL) |
+- CDNS_PCIE_NORMAL_MSG_CODE(msg_code) |
+- CDNS_PCIE_MSG_NO_DATA;
++ CDNS_PCIE_NORMAL_MSG_CODE(msg_code);
+ writel(0, ep->irq_cpu_addr + offset);
+ }
+
+diff --git a/drivers/pci/controller/cadence/pcie-cadence.h b/drivers/pci/controller/cadence/pcie-cadence.h
+index e0b59730bffb7..3139ea9f02c89 100644
+--- a/drivers/pci/controller/cadence/pcie-cadence.h
++++ b/drivers/pci/controller/cadence/pcie-cadence.h
+@@ -224,7 +224,7 @@ struct cdns_pcie_rp_ib_bar {
+ #define CDNS_PCIE_NORMAL_MSG_CODE_MASK GENMASK(15, 8)
+ #define CDNS_PCIE_NORMAL_MSG_CODE(code) \
+ (((code) << 8) & CDNS_PCIE_NORMAL_MSG_CODE_MASK)
+-#define CDNS_PCIE_MSG_NO_DATA BIT(16)
++#define CDNS_PCIE_MSG_DATA BIT(16)
+
+ struct cdns_pcie;
+
+--
+2.39.5
+
--- /dev/null
+From 4144b83f11f0305d901df2f189dd28e1872cf2ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Mar 2025 18:21:14 +0200
+Subject: PCI: pciehp: Don't enable HPIE when resuming in poll mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+
+[ Upstream commit 527664f738afb6f2c58022cd35e63801e5dc7aec ]
+
+PCIe hotplug can operate in poll mode without interrupt handlers using a
+polling kthread only. eb34da60edee ("PCI: pciehp: Disable hotplug
+interrupt during suspend") failed to consider that and enables HPIE
+(Hot-Plug Interrupt Enable) unconditionally when resuming the Port.
+
+Only set HPIE if non-poll mode is in use. This makes
+pcie_enable_interrupt() match how pcie_enable_notification() already
+handles HPIE.
+
+Link: https://lore.kernel.org/r/20250321162114.3939-1-ilpo.jarvinen@linux.intel.com
+Fixes: eb34da60edee ("PCI: pciehp: Disable hotplug interrupt during suspend")
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/hotplug/pciehp_hpc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pci/hotplug/pciehp_hpc.c b/drivers/pci/hotplug/pciehp_hpc.c
+index 75c6c72ec32ac..d1e524078793c 100644
+--- a/drivers/pci/hotplug/pciehp_hpc.c
++++ b/drivers/pci/hotplug/pciehp_hpc.c
+@@ -840,7 +840,9 @@ void pcie_enable_interrupt(struct controller *ctrl)
+ {
+ u16 mask;
+
+- mask = PCI_EXP_SLTCTL_HPIE | PCI_EXP_SLTCTL_DLLSCE;
++ mask = PCI_EXP_SLTCTL_DLLSCE;
++ if (!pciehp_poll_mode)
++ mask |= PCI_EXP_SLTCTL_HPIE;
+ pcie_write_cmd(ctrl, mask, mask);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From ca39b41cfecbc1ccb06f7634c693d5b5c9de9e3d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Mar 2025 10:36:30 +0800
+Subject: PCI/portdrv: Only disable pciehp interrupts early when needed
+
+From: Feng Tang <feng.tang@linux.alibaba.com>
+
+[ Upstream commit 9d7db4db19827380e225914618c0c1bf435ed2f5 ]
+
+Firmware developers reported that Linux issues two PCIe hotplug commands in
+very short intervals on an ARM server, which doesn't comply with the PCIe
+spec. According to PCIe r6.1, sec 6.7.3.2, if the Command Completed event
+is supported, software must wait for a command to complete or wait at
+least 1 second before sending a new command.
+
+In the failure case, the first PCIe hotplug command is from
+get_port_device_capability(), which sends a command to disable PCIe hotplug
+interrupts without waiting for its completion, and the second command comes
+from pcie_enable_notification() of pciehp driver, which enables hotplug
+interrupts again.
+
+Fix this by only disabling the hotplug interrupts when the pciehp driver is
+not enabled.
+
+Link: https://lore.kernel.org/r/20250303023630.78397-1-feng.tang@linux.alibaba.com
+Fixes: 2bd50dd800b5 ("PCI: PCIe: Disable PCIe port services during port initialization")
+Suggested-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Feng Tang <feng.tang@linux.alibaba.com>
+[bhelgaas: commit log]
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Lukas Wunner <lukas@wunner.de>
+Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pcie/portdrv_core.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/pci/pcie/portdrv_core.c b/drivers/pci/pcie/portdrv_core.c
+index 3779b264dbec3..e3d998173433f 100644
+--- a/drivers/pci/pcie/portdrv_core.c
++++ b/drivers/pci/pcie/portdrv_core.c
+@@ -214,10 +214,12 @@ static int get_port_device_capability(struct pci_dev *dev)
+
+ /*
+ * Disable hot-plug interrupts in case they have been enabled
+- * by the BIOS and the hot-plug service driver is not loaded.
++ * by the BIOS and the hot-plug service driver won't be loaded
++ * to handle them.
+ */
+- pcie_capability_clear_word(dev, PCI_EXP_SLTCTL,
+- PCI_EXP_SLTCTL_CCIE | PCI_EXP_SLTCTL_HPIE);
++ if (!IS_ENABLED(CONFIG_HOTPLUG_PCI_PCIE))
++ pcie_capability_clear_word(dev, PCI_EXP_SLTCTL,
++ PCI_EXP_SLTCTL_CCIE | PCI_EXP_SLTCTL_HPIE);
+ }
+
+ #ifdef CONFIG_PCIEAER
+--
+2.39.5
+
--- /dev/null
+From c731fee5dc9a2f681aab8e053bcc86814b91c878 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Mar 2025 11:46:34 +0300
+Subject: PCI: Remove stray put_device() in pci_register_host_bridge()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 6e8d06e5096c80cbf41313b4a204f43071ca42be ]
+
+This put_device() was accidentally left over from when we changed the code
+from using device_register() to calling device_add(). Delete it.
+
+Link: https://lore.kernel.org/r/55b24870-89fb-4c91-b85d-744e35db53c2@stanley.mountain
+Fixes: 9885440b16b8 ("PCI: Fix pci_host_bridge struct device release/free handling")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/probe.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
+index 02a75f3b59208..84edae9ba2e66 100644
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -918,10 +918,9 @@ static int pci_register_host_bridge(struct pci_host_bridge *bridge)
+ goto free;
+
+ err = device_add(&bridge->dev);
+- if (err) {
+- put_device(&bridge->dev);
++ if (err)
+ goto free;
+- }
++
+ bus->bridge = get_device(&bridge->dev);
+ device_enable_async_suspend(bus->bridge);
+ pci_set_bus_of_node(bus);
+--
+2.39.5
+
--- /dev/null
+From 7fed7e38d24cece28ab3d12054639a38cb159c74 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Feb 2025 21:20:22 +0530
+Subject: PCI: xilinx-cpm: Fix IRQ domain leak in error path of probe
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thippeswamy Havalige <thippeswamy.havalige@amd.com>
+
+[ Upstream commit 57b0302240741e73fe51f88404b3866e0d2933ad ]
+
+The IRQ domain allocated for the PCIe controller is not freed if
+resource_list_first_type() returns NULL, leading to a resource leak.
+
+This fix ensures properly cleaning up the allocated IRQ domain in
+the error path.
+
+Fixes: 49e427e6bdd1 ("Merge branch 'pci/host-probe-refactor'")
+Signed-off-by: Thippeswamy Havalige <thippeswamy.havalige@amd.com>
+[kwilczynski: added missing Fixes: tag, refactored to use one of the goto labels]
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Link: https://lore.kernel.org/r/20250224155025.782179-2-thippeswamy.havalige@amd.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pcie-xilinx-cpm.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/pci/controller/pcie-xilinx-cpm.c b/drivers/pci/controller/pcie-xilinx-cpm.c
+index 67937facd90cd..1b8366fa9f783 100644
+--- a/drivers/pci/controller/pcie-xilinx-cpm.c
++++ b/drivers/pci/controller/pcie-xilinx-cpm.c
+@@ -556,13 +556,15 @@ static int xilinx_cpm_pcie_probe(struct platform_device *pdev)
+ return err;
+
+ bus = resource_list_first_type(&bridge->windows, IORESOURCE_BUS);
+- if (!bus)
+- return -ENODEV;
++ if (!bus) {
++ err = -ENODEV;
++ goto err_free_irq_domains;
++ }
+
+ err = xilinx_cpm_pcie_parse_dt(port, bus->res);
+ if (err) {
+ dev_err(dev, "Parsing DT failed\n");
+- goto err_parse_dt;
++ goto err_free_irq_domains;
+ }
+
+ xilinx_cpm_pcie_init_port(port);
+@@ -586,7 +588,7 @@ static int xilinx_cpm_pcie_probe(struct platform_device *pdev)
+ xilinx_cpm_free_interrupts(port);
+ err_setup_irq:
+ pci_ecam_free(port->cfg);
+-err_parse_dt:
++err_free_irq_domains:
+ xilinx_cpm_free_irq_domains(port);
+ return err;
+ }
+--
+2.39.5
+
--- /dev/null
+From 23789a902858cd46140556a23f233ca40dfc772f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Mar 2025 17:31:41 -0300
+Subject: perf python: Check if there is space to copy all the event
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit 89aaeaf84231157288035b366cb6300c1c6cac64 ]
+
+The pyrf_event__new() method copies the event obtained from the perf
+ring buffer to a structure that will then be turned into a python object
+for further consumption, so it copies perf_event.header.size bytes to
+its 'event' member:
+
+ $ pahole -C pyrf_event /tmp/build/perf-tools-next/python/perf.cpython-312-x86_64-linux-gnu.so
+ struct pyrf_event {
+ PyObject ob_base; /* 0 16 */
+ struct evsel * evsel; /* 16 8 */
+ struct perf_sample sample; /* 24 312 */
+
+ /* XXX last struct has 7 bytes of padding, 2 holes */
+
+ /* --- cacheline 5 boundary (320 bytes) was 16 bytes ago --- */
+ union perf_event event; /* 336 4168 */
+
+ /* size: 4504, cachelines: 71, members: 4 */
+ /* member types with holes: 1, total: 2 */
+ /* paddings: 1, sum paddings: 7 */
+ /* last cacheline: 24 bytes */
+ };
+
+ $
+
+It was doing so without checking if the event just obtained has more
+than that space, fix it.
+
+This isn't a proper, final solution, as we need to support larger
+events, but for the time being we at least bounds check and document it.
+
+Fixes: 877108e42b1b9ba6 ("perf tools: Initial python binding")
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Reviewed-by: Ian Rogers <irogers@google.com>
+Link: https://lore.kernel.org/r/20250312203141.285263-7-acme@kernel.org
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/python.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/tools/perf/util/python.c b/tools/perf/util/python.c
+index b65cca0656396..240f9a0a7297b 100644
+--- a/tools/perf/util/python.c
++++ b/tools/perf/util/python.c
+@@ -558,6 +558,11 @@ static PyObject *pyrf_event__new(union perf_event *event)
+ event->header.type == PERF_RECORD_SWITCH_CPU_WIDE))
+ return NULL;
+
++ // FIXME this better be dynamic or we need to parse everything
++ // before calling perf_mmap__consume(), including tracepoint fields.
++ if (sizeof(pevent->event) < event->header.size)
++ return NULL;
++
+ ptype = pyrf_event__type[event->header.type];
+ pevent = PyObject_New(struct pyrf_event, ptype);
+ if (pevent != NULL)
+--
+2.39.5
+
--- /dev/null
+From 76b7f565739bede4740452e88e56dce1436c2c14 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Mar 2025 17:31:39 -0300
+Subject: perf python: Decrement the refcount of just created event on failure
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit 3de5a2bf5b4847f7a59a184568f969f8fe05d57f ]
+
+To avoid a leak if we have the python object but then something happens
+and we need to return the operation, decrement the offset of the newly
+created object.
+
+Fixes: 377f698db12150a1 ("perf python: Add struct evsel into struct pyrf_event")
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Reviewed-by: Ian Rogers <irogers@google.com>
+Link: https://lore.kernel.org/r/20250312203141.285263-5-acme@kernel.org
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/python.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/python.c b/tools/perf/util/python.c
+index 51679d8d40b1b..ab3a444b4b868 100644
+--- a/tools/perf/util/python.c
++++ b/tools/perf/util/python.c
+@@ -1057,6 +1057,7 @@ static PyObject *pyrf_evlist__read_on_cpu(struct pyrf_evlist *pevlist,
+
+ evsel = perf_evlist__event2evsel(evlist, event);
+ if (!evsel) {
++ Py_DECREF(pyevent);
+ Py_INCREF(Py_None);
+ return Py_None;
+ }
+@@ -1068,9 +1069,12 @@ static PyObject *pyrf_evlist__read_on_cpu(struct pyrf_evlist *pevlist,
+ /* Consume the even only after we parsed it out. */
+ perf_mmap__consume(&md->core);
+
+- if (err)
++ if (err) {
++ Py_DECREF(pyevent);
+ return PyErr_Format(PyExc_OSError,
+ "perf: can't parse sample, err=%d", err);
++ }
++
+ return pyevent;
+ }
+ end:
+--
+2.39.5
+
--- /dev/null
+From 4efd5a9a553260c0a546f402e25cfff541ec3c19 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Mar 2025 17:31:40 -0300
+Subject: perf python: Don't keep a raw_data pointer to consumed ring buffer
+ space
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit f3fed3ae34d606819d87a63d970cc3092a5be7ab ]
+
+When processing tracepoints the perf python binding was parsing the
+event before calling perf_mmap__consume(&md->core) in
+pyrf_evlist__read_on_cpu().
+
+But part of this event parsing was to set the perf_sample->raw_data
+pointer to the payload of the event, which then could be overwritten by
+other event before tracepoint fields were asked for via event.prev_comm
+in a python program, for instance.
+
+This also happened with other fields, but strings were were problems
+were surfacing, as there is UTF-8 validation for the potentially garbled
+data.
+
+This ended up showing up as (with some added debugging messages):
+
+ ( field 'prev_comm' ret=0x7f7c31f65110, raw_size=68 ) ( field 'prev_pid' ret=0x7f7c23b1bed0, raw_size=68 ) ( field 'prev_prio' ret=0x7f7c239c0030, raw_size=68 ) ( field 'prev_state' ret=0x7f7c239c0250, raw_size=68 ) time 14771421785867 prev_comm= prev_pid=1919907691 prev_prio=796026219 prev_state=0x303a32313175 ==>
+ ( XXX '��' len=16, raw_size=68) ( field 'next_comm' ret=(nil), raw_size=68 ) Traceback (most recent call last):
+ File "/home/acme/git/perf-tools-next/tools/perf/python/tracepoint.py", line 51, in <module>
+ main()
+ File "/home/acme/git/perf-tools-next/tools/perf/python/tracepoint.py", line 46, in main
+ event.next_comm,
+ ^^^^^^^^^^^^^^^
+ AttributeError: 'perf.sample_event' object has no attribute 'next_comm'
+
+When event.next_comm was asked for, the PyUnicode_FromString() python
+API would fail and that tracepoint field wouldn't be available, stopping
+the tools/perf/python/tracepoint.py test tool.
+
+But, since we already do a copy of the whole event in pyrf_event__new,
+just use it and while at it remove what was done in in e8968e654191390a
+("perf python: Fix pyrf_evlist__read_on_cpu event consuming") because we
+don't really need to wait for parsing the sample before declaring the
+event as consumed.
+
+This copy is questionable as is now, as it limits the maximum event +
+sample_type and tracepoint payload to sizeof(union perf_event), this all
+has been "working" because 'struct perf_event_mmap2', the largest entry
+in 'union perf_event' is:
+
+ $ pahole -C perf_event ~/bin/perf | grep mmap2
+ struct perf_record_mmap2 mmap2; /* 0 4168 */
+ $
+
+Fixes: bae57e3825a3dded ("perf python: Add support to resolve tracepoint fields")
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Reviewed-by: Ian Rogers <irogers@google.com>
+Link: https://lore.kernel.org/r/20250312203141.285263-6-acme@kernel.org
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/python.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/tools/perf/util/python.c b/tools/perf/util/python.c
+index ab3a444b4b868..b65cca0656396 100644
+--- a/tools/perf/util/python.c
++++ b/tools/perf/util/python.c
+@@ -1064,11 +1064,9 @@ static PyObject *pyrf_evlist__read_on_cpu(struct pyrf_evlist *pevlist,
+
+ pevent->evsel = evsel;
+
+- err = evsel__parse_sample(evsel, event, &pevent->sample);
+-
+- /* Consume the even only after we parsed it out. */
+ perf_mmap__consume(&md->core);
+
++ err = evsel__parse_sample(evsel, &pevent->event, &pevent->sample);
+ if (err) {
+ Py_DECREF(pyevent);
+ return PyErr_Format(PyExc_OSError,
+--
+2.39.5
+
--- /dev/null
+From 2aa4a79ddd5ad54eec66a6b3284ec06e4627acca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Mar 2025 17:31:36 -0300
+Subject: perf python: Fixup description of sample.id event member
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit 1376c195e8ad327bb9f2d32e0acc5ac39e7cb30a ]
+
+Some old cut'n'paste error, its "ip", so the description should be
+"event ip", not "event type".
+
+Fixes: 877108e42b1b9ba6 ("perf tools: Initial python binding")
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Reviewed-by: Ian Rogers <irogers@google.com>
+Link: https://lore.kernel.org/r/20250312203141.285263-2-acme@kernel.org
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/python.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/python.c b/tools/perf/util/python.c
+index ae8edde7c50ef..51679d8d40b1b 100644
+--- a/tools/perf/util/python.c
++++ b/tools/perf/util/python.c
+@@ -131,7 +131,7 @@ struct pyrf_event {
+ };
+
+ #define sample_members \
+- sample_member_def(sample_ip, ip, T_ULONGLONG, "event type"), \
++ sample_member_def(sample_ip, ip, T_ULONGLONG, "event ip"), \
+ sample_member_def(sample_pid, pid, T_INT, "event pid"), \
+ sample_member_def(sample_tid, tid, T_INT, "event tid"), \
+ sample_member_def(sample_time, time, T_ULONGLONG, "event timestamp"), \
+--
+2.39.5
+
--- /dev/null
+From 0ee24cd1818bc71c273809926be04d878a6d8e85 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Mar 2025 11:00:36 +0800
+Subject: perf/ring_buffer: Allow the EPOLLRDNORM flag for poll
+
+From: Tao Chen <chen.dylane@linux.dev>
+
+[ Upstream commit c96fff391c095c11dc87dab35be72dee7d217cde ]
+
+The poll man page says POLLRDNORM is equivalent to POLLIN. For poll(),
+it seems that if user sets pollfd with POLLRDNORM in userspace, perf_poll
+will not return until timeout even if perf_output_wakeup called,
+whereas POLLIN returns.
+
+Fixes: 76369139ceb9 ("perf: Split up buffer handling from core code")
+Signed-off-by: Tao Chen <chen.dylane@linux.dev>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Link: https://lore.kernel.org/r/20250314030036.2543180-1-chen.dylane@linux.dev
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/events/ring_buffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/events/ring_buffer.c b/kernel/events/ring_buffer.c
+index ffca72b8c4c6d..74802ec5ab148 100644
+--- a/kernel/events/ring_buffer.c
++++ b/kernel/events/ring_buffer.c
+@@ -19,7 +19,7 @@
+
+ static void perf_output_wakeup(struct perf_output_handle *handle)
+ {
+- atomic_set(&handle->rb->poll, EPOLLIN);
++ atomic_set(&handle->rb->poll, EPOLLIN | EPOLLRDNORM);
+
+ handle->event->pending_wakeup = 1;
+ irq_work_queue(&handle->event->pending);
+--
+2.39.5
+
--- /dev/null
+From da31b517dccd277d6b47012657d98b95b20cde34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Mar 2025 16:45:32 -0300
+Subject: perf units: Fix insufficient array space
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit cf67629f7f637fb988228abdb3aae46d0c1748fe ]
+
+No need to specify the array size, let the compiler figure that out.
+
+This addresses this compiler warning that was noticed while build
+testing on fedora rawhide:
+
+ 31 15.81 fedora:rawhide : FAIL gcc version 15.0.1 20250225 (Red Hat 15.0.1-0) (GCC)
+ util/units.c: In function 'unit_number__scnprintf':
+ util/units.c:67:24: error: initializer-string for array of 'char' is too long [-Werror=unterminated-string-initialization]
+ 67 | char unit[4] = "BKMG";
+ | ^~~~~~
+ cc1: all warnings being treated as errors
+
+Fixes: 9808143ba2e54818 ("perf tools: Add unit_number__scnprintf function")
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Link: https://lore.kernel.org/r/20250310194534.265487-3-acme@kernel.org
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/units.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/units.c b/tools/perf/util/units.c
+index a46762aec4c9f..24c83b8b8c980 100644
+--- a/tools/perf/util/units.c
++++ b/tools/perf/util/units.c
+@@ -57,7 +57,7 @@ unsigned long convert_unit(unsigned long value, char *unit)
+
+ int unit_number__scnprintf(char *buf, size_t size, u64 n)
+ {
+- char unit[4] = "BKMG";
++ char unit[] = "BKMG";
+ int i = 0;
+
+ while (((n / 1024) > 1) && (i < 3)) {
+--
+2.39.5
+
--- /dev/null
+From 70e481429b9fa48cfdefb19c96ce533a68031389 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Mar 2025 16:37:53 +0000
+Subject: pinctrl: renesas: rza2: Fix missing of_node_put() call
+
+From: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
+
+[ Upstream commit abcdeb4e299a11ecb5a3ea0cce00e68e8f540375 ]
+
+of_parse_phandle_with_fixed_args() requires its caller to
+call into of_node_put() on the node pointer from the output
+structure, but such a call is currently missing.
+
+Call into of_node_put() to rectify that.
+
+Fixes: b59d0e782706 ("pinctrl: Add RZ/A2 pin and gpio controller")
+Signed-off-by: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
+Reviewed-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/20250305163753.34913-5-fabrizio.castro.jz@renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/renesas/pinctrl-rza2.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/pinctrl/renesas/pinctrl-rza2.c b/drivers/pinctrl/renesas/pinctrl-rza2.c
+index ddd8ee6b604ef..1fd3191d9f8d9 100644
+--- a/drivers/pinctrl/renesas/pinctrl-rza2.c
++++ b/drivers/pinctrl/renesas/pinctrl-rza2.c
+@@ -253,6 +253,8 @@ static int rza2_gpio_register(struct rza2_pinctrl_priv *priv)
+ return ret;
+ }
+
++ of_node_put(of_args.np);
++
+ if ((of_args.args[0] != 0) ||
+ (of_args.args[1] != 0) ||
+ (of_args.args[2] != priv->npins)) {
+--
+2.39.5
+
--- /dev/null
+From e402bbcb3fd37df9fba6ceed2f220c73ee806b22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Mar 2025 10:35:42 +0530
+Subject: pinctrl: tegra: Set SFIO mode to Mux Register
+
+From: Prathamesh Shete <pshete@nvidia.com>
+
+[ Upstream commit 17013f0acb322e5052ff9b9d0fab0ab5a4bfd828 ]
+
+Tegra devices have an 'sfsel' bit field that determines whether a pin
+operates in SFIO (Special Function I/O) or GPIO mode. Currently,
+tegra_pinctrl_gpio_disable_free() sets this bit when releasing a GPIO.
+
+However, tegra_pinctrl_set_mux() can be called independently in certain
+code paths where gpio_disable_free() is not invoked. In such cases, failing
+to set the SFIO mode could lead to incorrect pin configurations, resulting
+in functional issues for peripherals relying on SFIO.
+
+This patch ensures that whenever set_mux() is called, the SFIO mode is
+correctly set in the Mux Register if the 'sfsel' bit is present. This
+prevents situations where the pin remains in GPIO mode despite being
+configured for SFIO use.
+
+Fixes: 971dac7123c7 ("pinctrl: add a driver for NVIDIA Tegra")
+Signed-off-by: Prathamesh Shete <pshete@nvidia.com>
+Link: https://lore.kernel.org/20250306050542.16335-1-pshete@nvidia.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/tegra/pinctrl-tegra.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/pinctrl/tegra/pinctrl-tegra.c b/drivers/pinctrl/tegra/pinctrl-tegra.c
+index 195cfe557511b..90de78e4175c9 100644
+--- a/drivers/pinctrl/tegra/pinctrl-tegra.c
++++ b/drivers/pinctrl/tegra/pinctrl-tegra.c
+@@ -270,6 +270,9 @@ static int tegra_pinctrl_set_mux(struct pinctrl_dev *pctldev,
+ val = pmx_readl(pmx, g->mux_bank, g->mux_reg);
+ val &= ~(0x3 << g->mux_bit);
+ val |= i << g->mux_bit;
++ /* Set the SFIO/GPIO selection to SFIO when under pinmux control*/
++ if (pmx->soc->sfsel_in_mux)
++ val |= (1 << g->sfsel_bit);
+ pmx_writel(pmx, val, g->mux_bank, g->mux_reg);
+
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From b12fe220a8c2207b6cf83217967bc58ed70bc6f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Feb 2025 17:39:31 +0200
+Subject: platform/x86: intel-hid: fix volume buttons on Microsoft Surface Go 4
+ tablet
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dmitry Panchenko <dmitry@d-systems.ee>
+
+[ Upstream commit 2738d06fb4f01145b24c542fb06de538ffc56430 ]
+
+Volume buttons on Microsoft Surface Go 4 tablet didn't send any events.
+Add Surface Go 4 DMI match to button_array_table to fix this.
+
+Signed-off-by: Dmitry Panchenko <dmitry@d-systems.ee>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20250220154016.3620917-1-dmitry@d-systems.ee
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/intel-hid.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/platform/x86/intel-hid.c b/drivers/platform/x86/intel-hid.c
+index 0b0602fc43601..9bc2652b15e71 100644
+--- a/drivers/platform/x86/intel-hid.c
++++ b/drivers/platform/x86/intel-hid.c
+@@ -100,6 +100,13 @@ static const struct dmi_system_id button_array_table[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "Surface Go 3"),
+ },
+ },
++ {
++ .ident = "Microsoft Surface Go 4",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Microsoft Corporation"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Surface Go 4"),
++ },
++ },
+ { }
+ };
+
+--
+2.39.5
+
--- /dev/null
+From b846b29c1b29fb79197e7d1b9a465f7762725c3d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Feb 2025 11:53:50 +0100
+Subject: PM: sleep: Adjust check before setting power.must_resume
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit eeb87d17aceab7803a5a5bcb6cf2817b745157cf ]
+
+The check before setting power.must_resume in device_suspend_noirq()
+does not take power.child_count into account, but it should do that, so
+use pm_runtime_need_not_resume() in it for this purpose and adjust the
+comment next to it accordingly.
+
+Fixes: 107d47b2b95e ("PM: sleep: core: Simplify the SMART_SUSPEND flag handling")
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
+Link: https://patch.msgid.link/3353728.44csPzL39Z@rjwysocki.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/power/main.c | 13 ++++++-------
+ drivers/base/power/runtime.c | 2 +-
+ include/linux/pm_runtime.h | 2 ++
+ 3 files changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c
+index fbc57c4fcdd01..34f1969dab73b 100644
+--- a/drivers/base/power/main.c
++++ b/drivers/base/power/main.c
+@@ -1242,14 +1242,13 @@ static int __device_suspend_noirq(struct device *dev, pm_message_t state, bool a
+ dev->power.is_noirq_suspended = true;
+
+ /*
+- * Skipping the resume of devices that were in use right before the
+- * system suspend (as indicated by their PM-runtime usage counters)
+- * would be suboptimal. Also resume them if doing that is not allowed
+- * to be skipped.
++ * Devices must be resumed unless they are explicitly allowed to be left
++ * in suspend, but even in that case skipping the resume of devices that
++ * were in use right before the system suspend (as indicated by their
++ * runtime PM usage counters and child counters) would be suboptimal.
+ */
+- if (atomic_read(&dev->power.usage_count) > 1 ||
+- !(dev_pm_test_driver_flags(dev, DPM_FLAG_MAY_SKIP_RESUME) &&
+- dev->power.may_skip_resume))
++ if (!(dev_pm_test_driver_flags(dev, DPM_FLAG_MAY_SKIP_RESUME) &&
++ dev->power.may_skip_resume) || !pm_runtime_need_not_resume(dev))
+ dev->power.must_resume = true;
+
+ if (dev->power.must_resume)
+diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c
+index f5c9e6629f0c7..4950864d3ea50 100644
+--- a/drivers/base/power/runtime.c
++++ b/drivers/base/power/runtime.c
+@@ -1811,7 +1811,7 @@ void pm_runtime_drop_link(struct device_link *link)
+ pm_request_idle(link->supplier);
+ }
+
+-static bool pm_runtime_need_not_resume(struct device *dev)
++bool pm_runtime_need_not_resume(struct device *dev)
+ {
+ return atomic_read(&dev->power.usage_count) <= 1 &&
+ (atomic_read(&dev->power.child_count) == 0 ||
+diff --git a/include/linux/pm_runtime.h b/include/linux/pm_runtime.h
+index ca856e5829145..96e3256738e48 100644
+--- a/include/linux/pm_runtime.h
++++ b/include/linux/pm_runtime.h
+@@ -32,6 +32,7 @@ static inline bool queue_pm_work(struct work_struct *work)
+
+ extern int pm_generic_runtime_suspend(struct device *dev);
+ extern int pm_generic_runtime_resume(struct device *dev);
++extern bool pm_runtime_need_not_resume(struct device *dev);
+ extern int pm_runtime_force_suspend(struct device *dev);
+ extern int pm_runtime_force_resume(struct device *dev);
+
+@@ -220,6 +221,7 @@ static inline bool queue_pm_work(struct work_struct *work) { return false; }
+
+ static inline int pm_generic_runtime_suspend(struct device *dev) { return 0; }
+ static inline int pm_generic_runtime_resume(struct device *dev) { return 0; }
++static inline bool pm_runtime_need_not_resume(struct device *dev) {return true; }
+ static inline int pm_runtime_force_suspend(struct device *dev) { return 0; }
+ static inline int pm_runtime_force_resume(struct device *dev) { return 0; }
+
+--
+2.39.5
+
--- /dev/null
+From 32dddda0a6703babb43a4186126aec64a20d4688 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Mar 2025 17:00:00 +0100
+Subject: PM: sleep: Fix handling devices with direct_complete set on errors
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 03f1444016b71feffa1dfb8a51f15ba592f94b13 ]
+
+When dpm_suspend() fails, some devices with power.direct_complete set
+may not have been handled by device_suspend() yet, so runtime PM has
+not been disabled for them yet even though power.direct_complete is set.
+
+Since device_resume() expects that runtime PM has been disabled for all
+devices with power.direct_complete set, it will attempt to reenable
+runtime PM for the devices that have not been processed by device_suspend()
+which does not make sense. Had those devices had runtime PM disabled
+before device_suspend() had run, device_resume() would have inadvertently
+enable runtime PM for them, but this is not expected to happen because
+it would require ->prepare() callbacks to return positive values for
+devices with runtime PM disabled, which would be invalid.
+
+In practice, this issue is most likely benign because pm_runtime_enable()
+will not allow the "disable depth" counter to underflow, but it causes a
+warning message to be printed for each affected device.
+
+To allow device_resume() to distinguish the "direct complete" devices
+that have been processed by device_suspend() from those which have not
+been handled by it, make device_suspend() set power.is_suspended for
+"direct complete" devices.
+
+Next, move the power.is_suspended check in device_resume() before the
+power.direct_complete check in it to make it skip the "direct complete"
+devices that have not been handled by device_suspend().
+
+This change is based on a preliminary patch from Saravana Kannan.
+
+Fixes: aae4518b3124 ("PM / sleep: Mechanism to avoid resuming runtime-suspended devices unnecessarily")
+Link: https://lore.kernel.org/linux-pm/20241114220921.2529905-2-saravanak@google.com/
+Reported-by: Saravana Kannan <saravanak@google.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Saravana Kannan <saravanak@google.com>
+Link: https://patch.msgid.link/12627587.O9o76ZdvQC@rjwysocki.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/power/main.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c
+index 34f1969dab73b..00a0bdcbb4aa8 100644
+--- a/drivers/base/power/main.c
++++ b/drivers/base/power/main.c
+@@ -900,6 +900,9 @@ static void __device_resume(struct device *dev, pm_message_t state, bool async)
+ if (dev->power.syscore)
+ goto Complete;
+
++ if (!dev->power.is_suspended)
++ goto Complete;
++
+ if (dev->power.direct_complete) {
+ /* Match the pm_runtime_disable() in __device_suspend(). */
+ pm_runtime_enable(dev);
+@@ -918,9 +921,6 @@ static void __device_resume(struct device *dev, pm_message_t state, bool async)
+ */
+ dev->power.is_prepared = false;
+
+- if (!dev->power.is_suspended)
+- goto Unlock;
+-
+ if (dev->pm_domain) {
+ info = "power domain ";
+ callback = pm_op(&dev->pm_domain->ops, state);
+@@ -960,7 +960,6 @@ static void __device_resume(struct device *dev, pm_message_t state, bool async)
+ error = dpm_run_callback(callback, dev, state, info);
+ dev->power.is_suspended = false;
+
+- Unlock:
+ device_unlock(dev);
+ dpm_watchdog_clear(&wd);
+
+@@ -1645,6 +1644,7 @@ static int __device_suspend(struct device *dev, pm_message_t state, bool async)
+ pm_runtime_disable(dev);
+ if (pm_runtime_status_suspended(dev)) {
+ pm_dev_dbg(dev, state, "direct-complete ");
++ dev->power.is_suspended = true;
+ goto Complete;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From b6b68a30e4b34645155084350dd280f761f0abd0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 16 Mar 2025 21:11:49 +0100
+Subject: power: supply: max77693: Fix wrong conversion of charge input
+ threshold value
+
+From: Artur Weber <aweber.kernel@gmail.com>
+
+[ Upstream commit 30cc7b0d0e9341d419eb7da15fb5c22406dbe499 ]
+
+The charge input threshold voltage register on the MAX77693 PMIC accepts
+four values: 0x0 for 4.3v, 0x1 for 4.7v, 0x2 for 4.8v and 0x3 for 4.9v.
+Due to an oversight, the driver calculated the values for 4.7v and above
+starting from 0x0, rather than from 0x1 ([(4700000 - 4700000) / 100000]
+gives 0).
+
+Add 1 to the calculation to ensure that 4.7v is converted to a register
+value of 0x1 and that the other two voltages are converted correctly as
+well.
+
+Fixes: 87c2d9067893 ("power: max77693: Add charger driver for Maxim 77693")
+Signed-off-by: Artur Weber <aweber.kernel@gmail.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20250316-max77693-charger-input-threshold-fix-v1-1-2b037d0ac722@gmail.com
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/max77693_charger.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/power/supply/max77693_charger.c b/drivers/power/supply/max77693_charger.c
+index a2c5c9858639f..ef3482fa4023e 100644
+--- a/drivers/power/supply/max77693_charger.c
++++ b/drivers/power/supply/max77693_charger.c
+@@ -556,7 +556,7 @@ static int max77693_set_charge_input_threshold_volt(struct max77693_charger *chg
+ case 4700000:
+ case 4800000:
+ case 4900000:
+- data = (uvolt - 4700000) / 100000;
++ data = ((uvolt - 4700000) / 100000) + 1;
+ break;
+ default:
+ dev_err(chg->dev, "Wrong value for charge input voltage regulation threshold\n");
+--
+2.39.5
+
--- /dev/null
+From 65ab6b5e7d8bea3ccdd96249ba4bcf406994f160 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Mar 2025 16:29:53 +0200
+Subject: RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow
+
+From: Patrisious Haddad <phaddad@nvidia.com>
+
+[ Upstream commit 5ed3b0cb3f827072e93b4c5b6e2b8106fd7cccbd ]
+
+When cur_qp isn't NULL, in order to avoid fetching the QP from
+the radix tree again we check if the next cqe QP is identical to
+the one we already have.
+
+The bug however is that we are checking if the QP is identical by
+checking the QP number inside the CQE against the QP number inside the
+mlx5_ib_qp, but that's wrong since the QP number from the CQE is from
+FW so it should be matched against mlx5_core_qp which is our FW QP
+number.
+
+Otherwise we could use the wrong QP when handling a CQE which could
+cause the kernel trace below.
+
+This issue is mainly noticeable over QPs 0 & 1, since for now they are
+the only QPs in our driver whereas the QP number inside mlx5_ib_qp
+doesn't match the QP number inside mlx5_core_qp.
+
+BUG: kernel NULL pointer dereference, address: 0000000000000012
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: Oops: 0000 [#1] SMP
+ CPU: 0 UID: 0 PID: 7927 Comm: kworker/u62:1 Not tainted 6.14.0-rc3+ #189
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
+ Workqueue: ib-comp-unb-wq ib_cq_poll_work [ib_core]
+ RIP: 0010:mlx5_ib_poll_cq+0x4c7/0xd90 [mlx5_ib]
+ Code: 03 00 00 8d 58 ff 21 cb 66 39 d3 74 39 48 c7 c7 3c 89 6e a0 0f b7 db e8 b7 d2 b3 e0 49 8b 86 60 03 00 00 48 c7 c7 4a 89 6e a0 <0f> b7 5c 98 02 e8 9f d2 b3 e0 41 0f b7 86 78 03 00 00 83 e8 01 21
+ RSP: 0018:ffff88810511bd60 EFLAGS: 00010046
+ RAX: 0000000000000010 RBX: 0000000000000000 RCX: 0000000000000000
+ RDX: 0000000000000000 RSI: ffff88885fa1b3c0 RDI: ffffffffa06e894a
+ RBP: 00000000000000b0 R08: 0000000000000000 R09: ffff88810511bc10
+ R10: 0000000000000001 R11: 0000000000000001 R12: ffff88810d593000
+ R13: ffff88810e579108 R14: ffff888105146000 R15: 00000000000000b0
+ FS: 0000000000000000(0000) GS:ffff88885fa00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000012 CR3: 00000001077e6001 CR4: 0000000000370eb0
+ Call Trace:
+ <TASK>
+ ? __die+0x20/0x60
+ ? page_fault_oops+0x150/0x3e0
+ ? exc_page_fault+0x74/0x130
+ ? asm_exc_page_fault+0x22/0x30
+ ? mlx5_ib_poll_cq+0x4c7/0xd90 [mlx5_ib]
+ __ib_process_cq+0x5a/0x150 [ib_core]
+ ib_cq_poll_work+0x31/0x90 [ib_core]
+ process_one_work+0x169/0x320
+ worker_thread+0x288/0x3a0
+ ? work_busy+0xb0/0xb0
+ kthread+0xd7/0x1f0
+ ? kthreads_online_cpu+0x130/0x130
+ ? kthreads_online_cpu+0x130/0x130
+ ret_from_fork+0x2d/0x50
+ ? kthreads_online_cpu+0x130/0x130
+ ret_from_fork_asm+0x11/0x20
+ </TASK>
+
+Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
+Signed-off-by: Patrisious Haddad <phaddad@nvidia.com>
+Reviewed-by: Edward Srouji <edwards@nvidia.com>
+Link: https://patch.msgid.link/4ada09d41f1e36db62c44a9b25c209ea5f054316.1741875692.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/cq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/cq.c b/drivers/infiniband/hw/mlx5/cq.c
+index 74644b6ea0ff1..e6d3ac4e10dc0 100644
+--- a/drivers/infiniband/hw/mlx5/cq.c
++++ b/drivers/infiniband/hw/mlx5/cq.c
+@@ -481,7 +481,7 @@ static int mlx5_poll_one(struct mlx5_ib_cq *cq,
+ }
+
+ qpn = ntohl(cqe64->sop_drop_qpn) & 0xffffff;
+- if (!*cur_qp || (qpn != (*cur_qp)->ibqp.qp_num)) {
++ if (!*cur_qp || (qpn != (*cur_qp)->trans_qp.base.mqp.qpn)) {
+ /* We do not have to take the QP table lock here,
+ * because CQs will be locked while QPs are removed
+ * from the table.
+--
+2.39.5
+
--- /dev/null
+From e79a45647dcc1087a6080ba91019c269823013b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Jan 2025 22:54:00 +0100
+Subject: remoteproc: qcom_q6v5_pas: Make single-PD handling more robust
+
+From: Luca Weiss <luca@lucaweiss.eu>
+
+[ Upstream commit e917b73234b02aa4966325e7380d2559bf127ba9 ]
+
+Only go into the if condition for single-PD handling when there's
+actually just one power domain specified there. Otherwise it'll be an
+issue in the dts and we should fail in the regular code path.
+
+This also mirrors the latest changes in the qcom_q6v5_mss driver.
+
+Suggested-by: Stephan Gerhold <stephan.gerhold@linaro.org>
+Fixes: 17ee2fb4e856 ("remoteproc: qcom: pas: Vote for active/proxy power domains")
+Signed-off-by: Luca Weiss <luca@lucaweiss.eu>
+Reviewed-by: Stephan Gerhold <stephan.gerhold@linaro.org>
+Link: https://lore.kernel.org/r/20250128-pas-singlepd-v1-2-85d9ae4b0093@lucaweiss.eu
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/remoteproc/qcom_q6v5_pas.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/remoteproc/qcom_q6v5_pas.c b/drivers/remoteproc/qcom_q6v5_pas.c
+index 1a0d6eb9425bb..653d204338285 100644
+--- a/drivers/remoteproc/qcom_q6v5_pas.c
++++ b/drivers/remoteproc/qcom_q6v5_pas.c
+@@ -309,16 +309,16 @@ static int adsp_pds_attach(struct device *dev, struct device **devs,
+ if (!pd_names)
+ return 0;
+
++ while (pd_names[num_pds])
++ num_pds++;
++
+ /* Handle single power domain */
+- if (dev->pm_domain) {
++ if (num_pds == 1 && dev->pm_domain) {
+ devs[0] = dev;
+ pm_runtime_enable(dev);
+ return 1;
+ }
+
+- while (pd_names[num_pds])
+- num_pds++;
+-
+ for (i = 0; i < num_pds; i++) {
+ devs[i] = dev_pm_domain_attach_by_name(dev, pd_names[i]);
+ if (IS_ERR_OR_NULL(devs[i])) {
+@@ -343,7 +343,7 @@ static void adsp_pds_detach(struct qcom_adsp *adsp, struct device **pds,
+ int i;
+
+ /* Handle single power domain */
+- if (dev->pm_domain && pd_count) {
++ if (pd_count == 1 && dev->pm_domain) {
+ pm_runtime_disable(dev);
+ return;
+ }
+--
+2.39.5
+
--- /dev/null
+From eca81447cdd59e7d08956118dc4b7436604530ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 23 Feb 2025 15:01:06 +0800
+Subject: ring-buffer: Fix bytes_dropped calculation issue
+
+From: Feng Yang <yangfeng@kylinos.cn>
+
+[ Upstream commit c73f0b69648501978e8b3e8fa7eef7f4197d0481 ]
+
+The calculation of bytes-dropped and bytes_dropped_nested is reversed.
+Although it does not affect the final calculation of total_dropped,
+it should still be modified.
+
+Link: https://lore.kernel.org/20250223070106.6781-1-yangfeng59949@163.com
+Fixes: 6c43e554a2a5 ("ring-buffer: Add ring buffer startup selftest")
+Signed-off-by: Feng Yang <yangfeng@kylinos.cn>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/ring_buffer.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
+index 9a2c8727b033d..225dbe4a56413 100644
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -5768,9 +5768,9 @@ static __init int rb_write_something(struct rb_test_data *data, bool nested)
+ /* Ignore dropped events before test starts. */
+ if (started) {
+ if (nested)
+- data->bytes_dropped += len;
+- else
+ data->bytes_dropped_nested += len;
++ else
++ data->bytes_dropped += len;
+ }
+ return len;
+ }
+--
+2.39.5
+
--- /dev/null
+From d0876797826e07e7ade78c3a0dc2550d22431266 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Mar 2025 11:02:26 +0200
+Subject: rtnetlink: Allocate vfinfo size for VF GUIDs when supported
+
+From: Mark Zhang <markzhang@nvidia.com>
+
+[ Upstream commit 23f00807619d15063d676218f36c5dfeda1eb420 ]
+
+Commit 30aad41721e0 ("net/core: Add support for getting VF GUIDs")
+added support for getting VF port and node GUIDs in netlink ifinfo
+messages, but their size was not taken into consideration in the
+function that allocates the netlink message, causing the following
+warning when a netlink message is filled with many VF port and node
+GUIDs:
+ # echo 64 > /sys/bus/pci/devices/0000\:08\:00.0/sriov_numvfs
+ # ip link show dev ib0
+ RTNETLINK answers: Message too long
+ Cannot send link get request: Message too long
+
+Kernel warning:
+
+ ------------[ cut here ]------------
+ WARNING: CPU: 2 PID: 1930 at net/core/rtnetlink.c:4151 rtnl_getlink+0x586/0x5a0
+ Modules linked in: xt_conntrack xt_MASQUERADE nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter overlay mlx5_ib macsec mlx5_core tls rpcrdma rdma_ucm ib_uverbs ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm iw_cm ib_ipoib fuse ib_cm ib_core
+ CPU: 2 UID: 0 PID: 1930 Comm: ip Not tainted 6.14.0-rc2+ #1
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
+ RIP: 0010:rtnl_getlink+0x586/0x5a0
+ Code: cb 82 e8 3d af 0a 00 4d 85 ff 0f 84 08 ff ff ff 4c 89 ff 41 be ea ff ff ff e8 66 63 5b ff 49 c7 07 80 4f cb 82 e9 36 fc ff ff <0f> 0b e9 16 fe ff ff e8 de a0 56 00 66 66 2e 0f 1f 84 00 00 00 00
+ RSP: 0018:ffff888113557348 EFLAGS: 00010246
+ RAX: 00000000ffffffa6 RBX: ffff88817e87aa34 RCX: dffffc0000000000
+ RDX: 0000000000000003 RSI: 0000000000000000 RDI: ffff88817e87afb8
+ RBP: 0000000000000009 R08: ffffffff821f44aa R09: 0000000000000000
+ R10: ffff8881260f79a8 R11: ffff88817e87af00 R12: ffff88817e87aa00
+ R13: ffffffff8563d300 R14: 00000000ffffffa6 R15: 00000000ffffffff
+ FS: 00007f63a5dbf280(0000) GS:ffff88881ee00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007f63a5ba4493 CR3: 00000001700fe002 CR4: 0000000000772eb0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ PKRU: 55555554
+ Call Trace:
+ <TASK>
+ ? __warn+0xa5/0x230
+ ? rtnl_getlink+0x586/0x5a0
+ ? report_bug+0x22d/0x240
+ ? handle_bug+0x53/0xa0
+ ? exc_invalid_op+0x14/0x50
+ ? asm_exc_invalid_op+0x16/0x20
+ ? skb_trim+0x6a/0x80
+ ? rtnl_getlink+0x586/0x5a0
+ ? __pfx_rtnl_getlink+0x10/0x10
+ ? rtnetlink_rcv_msg+0x1e5/0x860
+ ? __pfx___mutex_lock+0x10/0x10
+ ? rcu_is_watching+0x34/0x60
+ ? __pfx_lock_acquire+0x10/0x10
+ ? stack_trace_save+0x90/0xd0
+ ? filter_irq_stacks+0x1d/0x70
+ ? kasan_save_stack+0x30/0x40
+ ? kasan_save_stack+0x20/0x40
+ ? kasan_save_track+0x10/0x30
+ rtnetlink_rcv_msg+0x21c/0x860
+ ? entry_SYSCALL_64_after_hwframe+0x76/0x7e
+ ? __pfx_rtnetlink_rcv_msg+0x10/0x10
+ ? arch_stack_walk+0x9e/0xf0
+ ? rcu_is_watching+0x34/0x60
+ ? lock_acquire+0xd5/0x410
+ ? rcu_is_watching+0x34/0x60
+ netlink_rcv_skb+0xe0/0x210
+ ? __pfx_rtnetlink_rcv_msg+0x10/0x10
+ ? __pfx_netlink_rcv_skb+0x10/0x10
+ ? rcu_is_watching+0x34/0x60
+ ? __pfx___netlink_lookup+0x10/0x10
+ ? lock_release+0x62/0x200
+ ? netlink_deliver_tap+0xfd/0x290
+ ? rcu_is_watching+0x34/0x60
+ ? lock_release+0x62/0x200
+ ? netlink_deliver_tap+0x95/0x290
+ netlink_unicast+0x31f/0x480
+ ? __pfx_netlink_unicast+0x10/0x10
+ ? rcu_is_watching+0x34/0x60
+ ? lock_acquire+0xd5/0x410
+ netlink_sendmsg+0x369/0x660
+ ? lock_release+0x62/0x200
+ ? __pfx_netlink_sendmsg+0x10/0x10
+ ? import_ubuf+0xb9/0xf0
+ ? __import_iovec+0x254/0x2b0
+ ? lock_release+0x62/0x200
+ ? __pfx_netlink_sendmsg+0x10/0x10
+ ____sys_sendmsg+0x559/0x5a0
+ ? __pfx_____sys_sendmsg+0x10/0x10
+ ? __pfx_copy_msghdr_from_user+0x10/0x10
+ ? rcu_is_watching+0x34/0x60
+ ? do_read_fault+0x213/0x4a0
+ ? rcu_is_watching+0x34/0x60
+ ___sys_sendmsg+0xe4/0x150
+ ? __pfx____sys_sendmsg+0x10/0x10
+ ? do_fault+0x2cc/0x6f0
+ ? handle_pte_fault+0x2e3/0x3d0
+ ? __pfx_handle_pte_fault+0x10/0x10
+ ? preempt_count_sub+0x14/0xc0
+ ? __down_read_trylock+0x150/0x270
+ ? __handle_mm_fault+0x404/0x8e0
+ ? __pfx___handle_mm_fault+0x10/0x10
+ ? lock_release+0x62/0x200
+ ? __rcu_read_unlock+0x65/0x90
+ ? rcu_is_watching+0x34/0x60
+ __sys_sendmsg+0xd5/0x150
+ ? __pfx___sys_sendmsg+0x10/0x10
+ ? __up_read+0x192/0x480
+ ? lock_release+0x62/0x200
+ ? __rcu_read_unlock+0x65/0x90
+ ? rcu_is_watching+0x34/0x60
+ do_syscall_64+0x6d/0x140
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+ RIP: 0033:0x7f63a5b13367
+ Code: 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
+ RSP: 002b:00007fff8c726bc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+ RAX: ffffffffffffffda RBX: 0000000067b687c2 RCX: 00007f63a5b13367
+ RDX: 0000000000000000 RSI: 00007fff8c726c30 RDI: 0000000000000004
+ RBP: 00007fff8c726cb8 R08: 0000000000000000 R09: 0000000000000034
+ R10: 00007fff8c726c7c R11: 0000000000000246 R12: 0000000000000001
+ R13: 0000000000000000 R14: 00007fff8c726cd0 R15: 00007fff8c726cd0
+ </TASK>
+ irq event stamp: 0
+ hardirqs last enabled at (0): [<0000000000000000>] 0x0
+ hardirqs last disabled at (0): [<ffffffff813f9e58>] copy_process+0xd08/0x2830
+ softirqs last enabled at (0): [<ffffffff813f9e58>] copy_process+0xd08/0x2830
+ softirqs last disabled at (0): [<0000000000000000>] 0x0
+ ---[ end trace 0000000000000000 ]---
+
+Thus, when calculating ifinfo message size, take VF GUIDs sizes into
+account when supported.
+
+Fixes: 30aad41721e0 ("net/core: Add support for getting VF GUIDs")
+Signed-off-by: Mark Zhang <markzhang@nvidia.com>
+Reviewed-by: Maher Sanalla <msanalla@nvidia.com>
+Signed-off-by: Mark Bloch <mbloch@nvidia.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Link: https://patch.msgid.link/20250325090226.749730-1-mbloch@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/rtnetlink.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index 2806b9ed63879..bc86034e17eab 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -950,6 +950,9 @@ static inline int rtnl_vfinfo_size(const struct net_device *dev,
+ /* IFLA_VF_STATS_TX_DROPPED */
+ nla_total_size_64bit(sizeof(__u64)));
+ }
++ if (dev->netdev_ops->ndo_get_vf_guid)
++ size += num_vfs * 2 *
++ nla_total_size(sizeof(struct ifla_vf_guid));
+ return size;
+ } else
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From 37e33bbff08d099d541152ff00a0b3a37339df2b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Mar 2025 10:59:53 +0530
+Subject: sched/deadline: Use online cpus for validating runtime
+
+From: Shrikanth Hegde <sshegde@linux.ibm.com>
+
+[ Upstream commit 14672f059d83f591afb2ee1fff56858efe055e5a ]
+
+The ftrace selftest reported a failure because writing -1 to
+sched_rt_runtime_us returns -EBUSY. This happens when the possible
+CPUs are different from active CPUs.
+
+Active CPUs are part of one root domain, while remaining CPUs are part
+of def_root_domain. Since active cpumask is being used, this results in
+cpus=0 when a non active CPUs is used in the loop.
+
+Fix it by looping over the online CPUs instead for validating the
+bandwidth calculations.
+
+Signed-off-by: Shrikanth Hegde <sshegde@linux.ibm.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Reviewed-by: Juri Lelli <juri.lelli@redhat.com>
+Link: https://lore.kernel.org/r/20250306052954.452005-2-sshegde@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/deadline.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c
+index d91295d3059f7..6548bd90c5c3a 100644
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -2577,7 +2577,7 @@ int sched_dl_global_validate(void)
+ * cycling on root_domains... Discussion on different/better
+ * solutions is welcome!
+ */
+- for_each_possible_cpu(cpu) {
++ for_each_online_cpu(cpu) {
+ rcu_read_lock_sched();
+ dl_b = dl_bw_of(cpu);
+ cpus = dl_bw_cpus(cpu);
+--
+2.39.5
+
--- /dev/null
+From 70257d8b6027c96a12bc39642e0f0755df0c35c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 Mar 2025 21:26:44 -0700
+Subject: sched/smt: Always inline sched_smt_active()
+
+From: Josh Poimboeuf <jpoimboe@kernel.org>
+
+[ Upstream commit 09f37f2d7b21ff35b8b533f9ab8cfad2fe8f72f6 ]
+
+sched_smt_active() can be called from noinstr code, so it should always
+be inlined. The CONFIG_SCHED_SMT version already has __always_inline.
+Do the same for its !CONFIG_SCHED_SMT counterpart.
+
+Fixes the following warning:
+
+ vmlinux.o: error: objtool: intel_idle_ibrs+0x13: call to sched_smt_active() leaves .noinstr.text section
+
+Fixes: 321a874a7ef8 ("sched/smt: Expose sched_smt_present static key")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Link: https://lore.kernel.org/r/1d03907b0a247cf7fb5c1d518de378864f603060.1743481539.git.jpoimboe@kernel.org
+Closes: https://lore.kernel.org/r/202503311434.lyw2Tveh-lkp@intel.com/
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/sched/smt.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/sched/smt.h b/include/linux/sched/smt.h
+index 59d3736c454cf..737b50f40137b 100644
+--- a/include/linux/sched/smt.h
++++ b/include/linux/sched/smt.h
+@@ -12,7 +12,7 @@ static __always_inline bool sched_smt_active(void)
+ return static_branch_likely(&sched_smt_present);
+ }
+ #else
+-static inline bool sched_smt_active(void) { return false; }
++static __always_inline bool sched_smt_active(void) { return false; }
+ #endif
+
+ void arch_smt_update(void);
+--
+2.39.5
+
--- /dev/null
+From a11fa59b452759a5272a3213e5fd35a90d4ebc67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Mar 2025 10:56:43 +0100
+Subject: selinux: Chain up tool resolving errors in install_policy.sh
+
+From: Tim Schumacher <tim.schumacher1@huawei.com>
+
+[ Upstream commit 6ae0042f4d3f331e841495eb0a3d51598e593ec2 ]
+
+Subshell evaluations are not exempt from errexit, so if a command is
+not available, `which` will fail and exit the script as a whole.
+This causes the helpful error messages to not be printed if they are
+tacked on using a `$?` comparison.
+
+Resolve the issue by using chains of logical operators, which are not
+subject to the effects of errexit.
+
+Fixes: e37c1877ba5b1 ("scripts/selinux: modernize mdp")
+Signed-off-by: Tim Schumacher <tim.schumacher1@huawei.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/selinux/install_policy.sh | 15 ++++++---------
+ 1 file changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/scripts/selinux/install_policy.sh b/scripts/selinux/install_policy.sh
+index 20af56ce245c5..c68f0e045fb00 100755
+--- a/scripts/selinux/install_policy.sh
++++ b/scripts/selinux/install_policy.sh
+@@ -6,27 +6,24 @@ if [ `id -u` -ne 0 ]; then
+ exit 1
+ fi
+
+-SF=`which setfiles`
+-if [ $? -eq 1 ]; then
++SF=`which setfiles` || {
+ echo "Could not find setfiles"
+ echo "Do you have policycoreutils installed?"
+ exit 1
+-fi
++}
+
+-CP=`which checkpolicy`
+-if [ $? -eq 1 ]; then
++CP=`which checkpolicy` || {
+ echo "Could not find checkpolicy"
+ echo "Do you have checkpolicy installed?"
+ exit 1
+-fi
++}
+ VERS=`$CP -V | awk '{print $1}'`
+
+-ENABLED=`which selinuxenabled`
+-if [ $? -eq 1 ]; then
++ENABLED=`which selinuxenabled` || {
+ echo "Could not find selinuxenabled"
+ echo "Do you have libselinux-utils installed?"
+ exit 1
+-fi
++}
+
+ if selinuxenabled; then
+ echo "SELinux is already enabled"
+--
+2.39.5
+
serial-8250_dma-terminate-correct-dma-in-tx_dma_flush.patch
media-i2c-et8ek8-don-t-strip-remove-function-when-driver-is-builtin.patch
i2c-dev-check-return-value-when-calling-dev_set_name.patch
+watch_queue-fix-pipe-accounting-mismatch.patch
+x86-mm-pat-cpa-test-fix-length-for-cpa_array-test.patch
+cpufreq-scpi-compare-khz-instead-of-hz.patch
+cpufreq-governor-fix-negative-idle_time-handling-in-.patch
+x86-fpu-avoid-copying-dynamic-fp-state-from-init_tas.patch
+x86-platform-only-allow-config_eisa-for-32-bit.patch
+pm-sleep-adjust-check-before-setting-power.must_resu.patch
+selinux-chain-up-tool-resolving-errors-in-install_po.patch
+edac-ie31200-fix-the-size-of-edac_mc_layer_chip_sele.patch
+edac-ie31200-fix-the-dimm-size-mask-for-several-socs.patch
+edac-ie31200-fix-the-error-path-order-of-ie31200_ini.patch
+thermal-int340x-add-null-check-for-adev.patch
+pm-sleep-fix-handling-devices-with-direct_complete-s.patch
+lockdep-don-t-disable-interrupts-on-rt-in-disable_ir.patch
+perf-ring_buffer-allow-the-epollrdnorm-flag-for-poll.patch
+alsa-hda-realtek-always-honor-no_shutup_pins.patch
+asoc-ti-j721e-evm-fix-clock-configuration-for-ti-j72.patch
+drm-dp_mst-fix-drm-rad-print.patch
+drm-xlnx-zynqmp-fix-max-dma-segment-size.patch
+drm-mediatek-mtk_hdmi-unregister-audio-platform-devi.patch
+drm-mediatek-mtk_hdmi-fix-typo-for-aud_sampe_size-me.patch
+pci-aspm-fix-link-state-exit-during-switch-upstream-.patch
+pci-cadence-ep-fix-the-driver-to-send-msg-tlp-for-in.patch
+pci-brcmstb-use-internal-register-to-change-link-cap.patch
+pci-portdrv-only-disable-pciehp-interrupts-early-whe.patch
+drm-amd-display-fix-type-mismatch-in-calculatedynami.patch
+pci-remove-stray-put_device-in-pci_register_host_bri.patch
+pci-xilinx-cpm-fix-irq-domain-leak-in-error-path-of-.patch
+drm-mediatek-dsi-fix-error-codes-in-mtk_dsi_host_tra.patch
+pci-pciehp-don-t-enable-hpie-when-resuming-in-poll-m.patch
+fbdev-au1100fb-move-a-variable-assignment-behind-a-n.patch
+mdacon-rework-dependency-list.patch
+fbdev-sm501fb-add-some-geometry-checks.patch
+clk-amlogic-gxbb-drop-incorrect-flag-on-32k-clock.patch
+remoteproc-qcom_q6v5_pas-make-single-pd-handling-mor.patch
+clk-samsung-fix-ubsan-panic-in-samsung_clk_init.patch
+bpf-use-preempt_count-directly-in-bpf_send_signal_co.patch
+lib-842-improve-error-handling-in-sw842_compress.patch
+pinctrl-renesas-rza2-fix-missing-of_node_put-call.patch
+clk-rockchip-rk3328-fix-wrong-clk_ref_usb3otg-parent.patch
+ib-mad-check-available-slots-before-posting-receive-.patch
+pinctrl-tegra-set-sfio-mode-to-mux-register.patch
+clk-amlogic-g12b-fix-cluster-a-parent-data.patch
+clk-amlogic-gxbb-drop-non-existing-32k-clock-parent.patch
+clk-amlogic-g12a-fix-mmc-a-peripheral-clock.patch
+x86-entry-fix-orc-unwinder-for-push_regs-with-save_r.patch
+power-supply-max77693-fix-wrong-conversion-of-charge.patch
+rdma-mlx5-fix-mlx5_poll_one-cur_qp-update-flow.patch
+mfd-sm501-switch-to-bit-to-mitigate-integer-overflow.patch
+x86-dumpstack-fix-inaccurate-unwinding-from-exceptio.patch
+crypto-hisilicon-sec2-fix-for-aead-auth-key-length.patch
+isofs-fix-kmsan-uninit-value-bug-in-do_isofs_readdir.patch
+coresight-catu-fix-number-of-pages-while-using-64k-p.patch
+iio-accel-mma8452-ensure-error-return-on-failure-to-.patch
+perf-units-fix-insufficient-array-space.patch
+kexec-initialize-elf-lowest-address-to-ulong_max.patch
+ocfs2-validate-l_tree_depth-to-avoid-out-of-bounds-a.patch
+nfsv4-don-t-trigger-uneccessary-scans-for-return-on-.patch
+perf-python-fixup-description-of-sample.id-event-mem.patch
+perf-python-decrement-the-refcount-of-just-created-e.patch
+perf-python-don-t-keep-a-raw_data-pointer-to-consume.patch
+perf-python-check-if-there-is-space-to-copy-all-the-.patch
+fs-procfs-fix-the-comment-above-proc_pid_wchan.patch
+objtool-media-dib8000-prevent-divide-by-zero-in-dib8.patch
+exfat-fix-the-infinite-loop-in-exfat_find_last_clust.patch
+rtnetlink-allocate-vfinfo-size-for-vf-guids-when-sup.patch
+ring-buffer-fix-bytes_dropped-calculation-issue.patch
+acpi-processor-idle-return-an-error-if-both-p_lvl-2-.patch
+octeontx2-af-fix-mbox-intr-handler-when-num-vfs-64.patch
+sched-smt-always-inline-sched_smt_active.patch
+wifi-iwlwifi-fw-allocate-chained-sg-tables-for-dump.patch
+nvme-tcp-fix-possible-uaf-in-nvme_tcp_poll.patch
+nvme-pci-clean-up-cmbmsc-when-registering-cmb-fails.patch
+nvme-pci-skip-cmb-blocks-incompatible-with-pci-p2p-d.patch
+affs-generate-ofs-sequence-numbers-starting-at-1.patch
+affs-don-t-write-overlarge-ofs-data-block-size-field.patch
+platform-x86-intel-hid-fix-volume-buttons-on-microso.patch
+sched-deadline-use-online-cpus-for-validating-runtim.patch
+locking-semaphore-use-wake_q-to-wake-up-processes-ou.patch
+alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch
+can-statistics-use-atomic-access-in-hot-path.patch
+hwmon-nct6775-core-fix-out-of-bounds-access-for-nct6.patch
+spufs-fix-a-leak-on-spufs_new_file-failure.patch
+spufs-fix-a-leak-in-spufs_create_context.patch
+ntb_hw_switchtec-fix-shift-out-of-bounds-in-switchte.patch
+ntb-intel-fix-using-link-status-db-s.patch
+netlabel-fix-null-pointer-exception-caused-by-calips.patch
+net_sched-skbprio-remove-overly-strict-queue-asserti.patch
+vsock-avoid-timeout-during-connect-if-the-socket-is-.patch
+tunnels-accept-packet_host-in-skb_tunnel_check_pmtu.patch
+netfilter-nft_tunnel-fix-geneve_opt-type-confusion-a.patch
+ipv6-fix-omitted-netlink-attributes-when-using-rtext.patch
+net-dsa-mv88e6xxx-propperly-shutdown-ppu-re-enable-t.patch
+net-fix-geneve_opt-length-integer-overflow.patch
+arcnet-add-null-check-in-com20020pci_probe.patch
--- /dev/null
+From 8a4e036f6994dd5bd733b9a99d951455eb7a1285 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Mar 2025 19:38:28 -0400
+Subject: spufs: fix a leak in spufs_create_context()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit 0f5cce3fc55b08ee4da3372baccf4bcd36a98396 ]
+
+Leak fixes back in 2008 missed one case - if we are trying to set affinity
+and spufs_mkdir() fails, we need to drop the reference to neighbor.
+
+Fixes: 58119068cb27 "[POWERPC] spufs: Fix memory leak on SPU affinity"
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/cell/spufs/inode.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/platforms/cell/spufs/inode.c b/arch/powerpc/platforms/cell/spufs/inode.c
+index 0159bd9231ef8..373814bbc43d7 100644
+--- a/arch/powerpc/platforms/cell/spufs/inode.c
++++ b/arch/powerpc/platforms/cell/spufs/inode.c
+@@ -438,8 +438,11 @@ spufs_create_context(struct inode *inode, struct dentry *dentry,
+ }
+
+ ret = spufs_mkdir(inode, dentry, flags, mode & 0777);
+- if (ret)
++ if (ret) {
++ if (neighbor)
++ put_spu_context(neighbor);
+ goto out_aff_unlock;
++ }
+
+ if (affinity) {
+ spufs_set_affinity(flags, SPUFS_I(d_inode(dentry))->i_ctx,
+--
+2.39.5
+
--- /dev/null
+From 9c916e6358c4f35462a53c0f5ab65d51810162b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 8 Mar 2025 19:26:31 -0500
+Subject: spufs: fix a leak on spufs_new_file() failure
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit d1ca8698ca1332625d83ea0d753747be66f9906d ]
+
+It's called from spufs_fill_dir(), and caller of that will do
+spufs_rmdir() in case of failure. That does remove everything
+we'd managed to create, but... the problem dentry is still
+negative. IOW, it needs to be explicitly dropped.
+
+Fixes: 3f51dd91c807 "[PATCH] spufs: fix spufs_fill_dir error path"
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/cell/spufs/inode.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/platforms/cell/spufs/inode.c b/arch/powerpc/platforms/cell/spufs/inode.c
+index 908e9b8e79fe6..0159bd9231ef8 100644
+--- a/arch/powerpc/platforms/cell/spufs/inode.c
++++ b/arch/powerpc/platforms/cell/spufs/inode.c
+@@ -189,8 +189,10 @@ static int spufs_fill_dir(struct dentry *dir,
+ return -ENOMEM;
+ ret = spufs_new_file(dir->d_sb, dentry, files->ops,
+ files->mode & mode, files->size, ctx);
+- if (ret)
++ if (ret) {
++ dput(dentry);
+ return ret;
++ }
+ files++;
+ }
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From f3a5dc9859395c3da089c5a35478ddf3977b6a64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Mar 2025 23:36:11 -0500
+Subject: thermal: int340x: Add NULL check for adev
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chenyuan Yang <chenyuan0y@gmail.com>
+
+[ Upstream commit 2542a3f70e563a9e70e7ded314286535a3321bdb ]
+
+Not all devices have an ACPI companion fwnode, so adev might be NULL.
+This is similar to the commit cd2fd6eab480
+("platform/x86: int3472: Check for adev == NULL").
+
+Add a check for adev not being set and return -ENODEV in that case to
+avoid a possible NULL pointer deref in int3402_thermal_probe().
+
+Note, under the same directory, int3400_thermal_probe() has such a
+check.
+
+Fixes: 77e337c6e23e ("Thermal: introduce INT3402 thermal driver")
+Signed-off-by: Chenyuan Yang <chenyuan0y@gmail.com>
+Acked-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
+Link: https://patch.msgid.link/20250313043611.1212116-1-chenyuan0y@gmail.com
+[ rjw: Subject edit, added Fixes: ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/intel/int340x_thermal/int3402_thermal.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/thermal/intel/int340x_thermal/int3402_thermal.c b/drivers/thermal/intel/int340x_thermal/int3402_thermal.c
+index 43fa351e2b9ec..b7fdf25bfd237 100644
+--- a/drivers/thermal/intel/int340x_thermal/int3402_thermal.c
++++ b/drivers/thermal/intel/int340x_thermal/int3402_thermal.c
+@@ -45,6 +45,9 @@ static int int3402_thermal_probe(struct platform_device *pdev)
+ struct int3402_thermal_data *d;
+ int ret;
+
++ if (!adev)
++ return -ENODEV;
++
+ if (!acpi_has_method(adev->handle, "_TMP"))
+ return -ENODEV;
+
+--
+2.39.5
+
--- /dev/null
+From d04771a314053e06f00ca4a7a0e18d5f5bf8efba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 29 Mar 2025 01:33:44 +0100
+Subject: tunnels: Accept PACKET_HOST in skb_tunnel_check_pmtu().
+
+From: Guillaume Nault <gnault@redhat.com>
+
+[ Upstream commit 8930424777e43257f5bf6f0f0f53defd0d30415c ]
+
+Because skb_tunnel_check_pmtu() doesn't handle PACKET_HOST packets,
+commit 30a92c9e3d6b ("openvswitch: Set the skbuff pkt_type for proper
+pmtud support.") forced skb->pkt_type to PACKET_OUTGOING for
+openvswitch packets that are sent using the OVS_ACTION_ATTR_OUTPUT
+action. This allowed such packets to invoke the
+iptunnel_pmtud_check_icmp() or iptunnel_pmtud_check_icmpv6() helpers
+and thus trigger PMTU update on the input device.
+
+However, this also broke other parts of PMTU discovery. Since these
+packets don't have the PACKET_HOST type anymore, they won't trigger the
+sending of ICMP Fragmentation Needed or Packet Too Big messages to
+remote hosts when oversized (see the skb_in->pkt_type condition in
+__icmp_send() for example).
+
+These two skb->pkt_type checks are therefore incompatible as one
+requires skb->pkt_type to be PACKET_HOST, while the other requires it
+to be anything but PACKET_HOST.
+
+It makes sense to not trigger ICMP messages for non-PACKET_HOST packets
+as these messages should be generated only for incoming l2-unicast
+packets. However there doesn't seem to be any reason for
+skb_tunnel_check_pmtu() to ignore PACKET_HOST packets.
+
+Allow both cases to work by allowing skb_tunnel_check_pmtu() to work on
+PACKET_HOST packets and not overriding skb->pkt_type in openvswitch
+anymore.
+
+Fixes: 30a92c9e3d6b ("openvswitch: Set the skbuff pkt_type for proper pmtud support.")
+Fixes: 4cb47a8644cc ("tunnels: PMTU discovery support for directly bridged IP packets")
+Signed-off-by: Guillaume Nault <gnault@redhat.com>
+Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
+Reviewed-by: Aaron Conole <aconole@redhat.com>
+Tested-by: Aaron Conole <aconole@redhat.com>
+Link: https://patch.msgid.link/eac941652b86fddf8909df9b3bf0d97bc9444793.1743208264.git.gnault@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/ip_tunnel_core.c | 2 +-
+ net/openvswitch/actions.c | 6 ------
+ 2 files changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c
+index ba1388ba6c6e5..dad9d7db5bf6c 100644
+--- a/net/ipv4/ip_tunnel_core.c
++++ b/net/ipv4/ip_tunnel_core.c
+@@ -415,7 +415,7 @@ int skb_tunnel_check_pmtu(struct sk_buff *skb, struct dst_entry *encap_dst,
+
+ skb_dst_update_pmtu_no_confirm(skb, mtu);
+
+- if (!reply || skb->pkt_type == PACKET_HOST)
++ if (!reply)
+ return 0;
+
+ if (skb->protocol == htons(ETH_P_IP))
+diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c
+index 4095456f413df..80fee9d118eec 100644
+--- a/net/openvswitch/actions.c
++++ b/net/openvswitch/actions.c
+@@ -923,12 +923,6 @@ static void do_output(struct datapath *dp, struct sk_buff *skb, int out_port,
+ pskb_trim(skb, ovs_mac_header_len(key));
+ }
+
+- /* Need to set the pkt_type to involve the routing layer. The
+- * packet movement through the OVS datapath doesn't generally
+- * use routing, but this is needed for tunnel cases.
+- */
+- skb->pkt_type = PACKET_OUTGOING;
+-
+ if (likely(!mru ||
+ (skb->len <= mru + vport->dev->hard_header_len))) {
+ ovs_vport_send(vport, skb, ovs_key_mac_proto(key));
+--
+2.39.5
+
--- /dev/null
+From 0ee104eb45ed09dad5de58079313516be3272888 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Mar 2025 15:15:28 +0100
+Subject: vsock: avoid timeout during connect() if the socket is closing
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+[ Upstream commit fccd2b711d9628c7ce0111d5e4938652101ee30a ]
+
+When a peer attempts to establish a connection, vsock_connect() contains
+a loop that waits for the state to be TCP_ESTABLISHED. However, the
+other peer can be fast enough to accept the connection and close it
+immediately, thus moving the state to TCP_CLOSING.
+
+When this happens, the peer in the vsock_connect() is properly woken up,
+but since the state is not TCP_ESTABLISHED, it goes back to sleep
+until the timeout expires, returning -ETIMEDOUT.
+
+If the socket state is TCP_CLOSING, waiting for the timeout is pointless.
+vsock_connect() can return immediately without errors or delay since the
+connection actually happened. The socket will be in a closing state,
+but this is not an issue, and subsequent calls will fail as expected.
+
+We discovered this issue while developing a test that accepts and
+immediately closes connections to stress the transport switch between
+two connect() calls, where the first one was interrupted by a signal
+(see Closes link).
+
+Reported-by: Luigi Leonardi <leonardi@redhat.com>
+Closes: https://lore.kernel.org/virtualization/bq6hxrolno2vmtqwcvb5bljfpb7mvwb3kohrvaed6auz5vxrfv@ijmd2f3grobn/
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Acked-by: Paolo Abeni <pabeni@redhat.com>
+Tested-by: Luigi Leonardi <leonardi@redhat.com>
+Reviewed-by: Luigi Leonardi <leonardi@redhat.com>
+Link: https://patch.msgid.link/20250328141528.420719-1-sgarzare@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/af_vsock.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
+index d7395601a0e30..fc0306ba2d43e 100644
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1382,7 +1382,11 @@ static int vsock_stream_connect(struct socket *sock, struct sockaddr *addr,
+ timeout = vsk->connect_timeout;
+ prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
+
+- while (sk->sk_state != TCP_ESTABLISHED && sk->sk_err == 0) {
++ /* If the socket is already closing or it is in an error state, there
++ * is no point in waiting.
++ */
++ while (sk->sk_state != TCP_ESTABLISHED &&
++ sk->sk_state != TCP_CLOSING && sk->sk_err == 0) {
+ if (flags & O_NONBLOCK) {
+ /* If we're not going to block, we schedule a timeout
+ * function to generate a timeout on the connection
+--
+2.39.5
+
--- /dev/null
+From 14a432f7734a2d16e9d0acbe01f40833b56b6930 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Feb 2025 11:41:08 -0600
+Subject: watch_queue: fix pipe accounting mismatch
+
+From: Eric Sandeen <sandeen@redhat.com>
+
+[ Upstream commit f13abc1e8e1a3b7455511c4e122750127f6bc9b0 ]
+
+Currently, watch_queue_set_size() modifies the pipe buffers charged to
+user->pipe_bufs without updating the pipe->nr_accounted on the pipe
+itself, due to the if (!pipe_has_watch_queue()) test in
+pipe_resize_ring(). This means that when the pipe is ultimately freed,
+we decrement user->pipe_bufs by something other than what than we had
+charged to it, potentially leading to an underflow. This in turn can
+cause subsequent too_many_pipe_buffers_soft() tests to fail with -EPERM.
+
+To remedy this, explicitly account for the pipe usage in
+watch_queue_set_size() to match the number set via account_pipe_buffers()
+
+(It's unclear why watch_queue_set_size() does not update nr_accounted;
+it may be due to intentional overprovisioning in watch_queue_set_size()?)
+
+Fixes: e95aada4cb93d ("pipe: wakeup wr_wait after setting max_usage")
+Signed-off-by: Eric Sandeen <sandeen@redhat.com>
+Link: https://lore.kernel.org/r/206682a8-0604-49e5-8224-fdbe0c12b460@redhat.com
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/watch_queue.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/kernel/watch_queue.c b/kernel/watch_queue.c
+index 73717917d8164..37da8647b4ecb 100644
+--- a/kernel/watch_queue.c
++++ b/kernel/watch_queue.c
+@@ -274,6 +274,15 @@ long watch_queue_set_size(struct pipe_inode_info *pipe, unsigned int nr_notes)
+ if (ret < 0)
+ goto error;
+
++ /*
++ * pipe_resize_ring() does not update nr_accounted for watch_queue
++ * pipes, because the above vastly overprovisions. Set nr_accounted on
++ * and max_usage this pipe to the number that was actually charged to
++ * the user above via account_pipe_buffers.
++ */
++ pipe->max_usage = nr_pages;
++ pipe->nr_accounted = nr_pages;
++
+ ret = -ENOMEM;
+ pages = kcalloc(sizeof(struct page *), nr_pages, GFP_KERNEL);
+ if (!pages)
+--
+2.39.5
+
--- /dev/null
+From 279efb0328f93f9dc3b36b3b9896a59d27ef140e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 9 Feb 2025 14:34:45 +0200
+Subject: wifi: iwlwifi: fw: allocate chained SG tables for dump
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 7774e3920029398ad49dc848b23840593f14d515 ]
+
+The firmware dumps can be pretty big, and since we use single
+pages for each SG table entry, even the table itself may end
+up being an order-5 allocation. Build chained tables so that
+we need not allocate a higher-order table here.
+
+This could be improved and cleaned up, e.g. by using the SG
+pool code or simply kvmalloc(), but all of that would require
+also updating the devcoredump first since that frees it all,
+so we need to be more careful. SG pool might also run against
+the CONFIG_ARCH_NO_SG_CHAIN limitation, which is irrelevant
+here.
+
+Also use _devcd_free_sgtable() for the error paths now, much
+simpler especially since it's in two places now.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20250209143303.697c7a465ac9.Iea982df46b5c075bfb77ade36f187d99a70c63db@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/fw/dbg.c | 86 ++++++++++++++-------
+ 1 file changed, 58 insertions(+), 28 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
+index 79d08e5d9a81c..558caf78a56da 100644
+--- a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
++++ b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
+@@ -619,41 +619,71 @@ static void iwl_dump_prph(struct iwl_fw_runtime *fwrt,
+ }
+
+ /*
+- * alloc_sgtable - allocates scallerlist table in the given size,
+- * fills it with pages and returns it
++ * alloc_sgtable - allocates (chained) scatterlist in the given size,
++ * fills it with pages and returns it
+ * @size: the size (in bytes) of the table
+-*/
+-static struct scatterlist *alloc_sgtable(int size)
++ */
++static struct scatterlist *alloc_sgtable(ssize_t size)
+ {
+- int alloc_size, nents, i;
+- struct page *new_page;
+- struct scatterlist *iter;
+- struct scatterlist *table;
++ struct scatterlist *result = NULL, *prev;
++ int nents, i, n_prev;
+
+ nents = DIV_ROUND_UP(size, PAGE_SIZE);
+- table = kcalloc(nents, sizeof(*table), GFP_KERNEL);
+- if (!table)
+- return NULL;
+- sg_init_table(table, nents);
+- iter = table;
+- for_each_sg(table, iter, sg_nents(table), i) {
+- new_page = alloc_page(GFP_KERNEL);
+- if (!new_page) {
+- /* release all previous allocated pages in the table */
+- iter = table;
+- for_each_sg(table, iter, sg_nents(table), i) {
+- new_page = sg_page(iter);
+- if (new_page)
+- __free_page(new_page);
+- }
+- kfree(table);
++
++#define N_ENTRIES_PER_PAGE (PAGE_SIZE / sizeof(*result))
++ /*
++ * We need an additional entry for table chaining,
++ * this ensures the loop can finish i.e. we can
++ * fit at least two entries per page (obviously,
++ * many more really fit.)
++ */
++ BUILD_BUG_ON(N_ENTRIES_PER_PAGE < 2);
++
++ while (nents > 0) {
++ struct scatterlist *new, *iter;
++ int n_fill, n_alloc;
++
++ if (nents <= N_ENTRIES_PER_PAGE) {
++ /* last needed table */
++ n_fill = nents;
++ n_alloc = nents;
++ nents = 0;
++ } else {
++ /* fill a page with entries */
++ n_alloc = N_ENTRIES_PER_PAGE;
++ /* reserve one for chaining */
++ n_fill = n_alloc - 1;
++ nents -= n_fill;
++ }
++
++ new = kcalloc(n_alloc, sizeof(*new), GFP_KERNEL);
++ if (!new) {
++ if (result)
++ _devcd_free_sgtable(result);
+ return NULL;
+ }
+- alloc_size = min_t(int, size, PAGE_SIZE);
+- size -= PAGE_SIZE;
+- sg_set_page(iter, new_page, alloc_size, 0);
++ sg_init_table(new, n_alloc);
++
++ if (!result)
++ result = new;
++ else
++ sg_chain(prev, n_prev, new);
++ prev = new;
++ n_prev = n_alloc;
++
++ for_each_sg(new, iter, n_fill, i) {
++ struct page *new_page = alloc_page(GFP_KERNEL);
++
++ if (!new_page) {
++ _devcd_free_sgtable(result);
++ return NULL;
++ }
++
++ sg_set_page(iter, new_page, PAGE_SIZE, 0);
++ }
+ }
+- return table;
++
++ return result;
+ }
+
+ static void iwl_fw_get_prph_len(struct iwl_fw_runtime *fwrt,
+--
+2.39.5
+
--- /dev/null
+From 5ba99de02d9164c5aa95f8cfd28a73941312e322 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Mar 2025 03:01:23 +0100
+Subject: x86/dumpstack: Fix inaccurate unwinding from exception stacks due to
+ misplaced assignment
+
+From: Jann Horn <jannh@google.com>
+
+[ Upstream commit 2c118f50d7fd4d9aefc4533a26f83338b2906b7a ]
+
+Commit:
+
+ 2e4be0d011f2 ("x86/show_trace_log_lvl: Ensure stack pointer is aligned, again")
+
+was intended to ensure alignment of the stack pointer; but it also moved
+the initialization of the "stack" variable down into the loop header.
+
+This was likely intended as a no-op cleanup, since the commit
+message does not mention it; however, this caused a behavioral change
+because the value of "regs" is different between the two places.
+
+Originally, get_stack_pointer() used the regs provided by the caller; after
+that commit, get_stack_pointer() instead uses the regs at the top of the
+stack frame the unwinder is looking at. Often, there are no such regs at
+all, and "regs" is NULL, causing get_stack_pointer() to fall back to the
+task's current stack pointer, which is not what we want here, but probably
+happens to mostly work. Other times, the original regs will point to
+another regs frame - in that case, the linear guess unwind logic in
+show_trace_log_lvl() will start unwinding too far up the stack, causing the
+first frame found by the proper unwinder to never be visited, resulting in
+a stack trace consisting purely of guess lines.
+
+Fix it by moving the "stack = " assignment back where it belongs.
+
+Fixes: 2e4be0d011f2 ("x86/show_trace_log_lvl: Ensure stack pointer is aligned, again")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Link: https://lore.kernel.org/r/20250325-2025-03-unwind-fixes-v1-2-acd774364768@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/dumpstack.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/kernel/dumpstack.c b/arch/x86/kernel/dumpstack.c
+index b9736aac20eef..cf92191de2b2a 100644
+--- a/arch/x86/kernel/dumpstack.c
++++ b/arch/x86/kernel/dumpstack.c
+@@ -195,6 +195,7 @@ void show_trace_log_lvl(struct task_struct *task, struct pt_regs *regs,
+ printk("%sCall Trace:\n", log_lvl);
+
+ unwind_start(&state, task, regs, stack);
++ stack = stack ?: get_stack_pointer(task, regs);
+ regs = unwind_get_entry_regs(&state, &partial);
+
+ /*
+@@ -213,9 +214,7 @@ void show_trace_log_lvl(struct task_struct *task, struct pt_regs *regs,
+ * - hardirq stack
+ * - entry stack
+ */
+- for (stack = stack ?: get_stack_pointer(task, regs);
+- stack;
+- stack = stack_info.next_sp) {
++ for (; stack; stack = stack_info.next_sp) {
+ const char *stack_name;
+
+ stack = PTR_ALIGN(stack, sizeof(long));
+--
+2.39.5
+
--- /dev/null
+From b29adec45c41e56d7f35b92029d8e69a0cf4ee95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Mar 2025 03:01:22 +0100
+Subject: x86/entry: Fix ORC unwinder for PUSH_REGS with save_ret=1
+
+From: Jann Horn <jannh@google.com>
+
+[ Upstream commit 57e2428f8df8263275344566e02c277648a4b7f1 ]
+
+PUSH_REGS with save_ret=1 is used by interrupt entry helper functions that
+initially start with a UNWIND_HINT_FUNC ORC state.
+
+However, save_ret=1 means that we clobber the helper function's return
+address (and then later restore the return address further down on the
+stack); after that point, the only thing on the stack we can unwind through
+is the IRET frame, so use UNWIND_HINT_IRET_REGS until we have a full
+pt_regs frame.
+
+( An alternate approach would be to move the pt_regs->di overwrite down
+ such that it is the final step of pt_regs setup; but I don't want to
+ rearrange entry code just to make unwinding a tiny bit more elegant. )
+
+Fixes: 9e809d15d6b6 ("x86/entry: Reduce the code footprint of the 'idtentry' macro")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Juergen Gross <jgross@suse.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Link: https://lore.kernel.org/r/20250325-2025-03-unwind-fixes-v1-1-acd774364768@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/entry/calling.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/x86/entry/calling.h b/arch/x86/entry/calling.h
+index a4b357e5bbfe9..b6715c835f9fd 100644
+--- a/arch/x86/entry/calling.h
++++ b/arch/x86/entry/calling.h
+@@ -104,6 +104,8 @@ For 32-bit we have the following conventions - kernel is built with
+ pushq %rsi /* pt_regs->si */
+ movq 8(%rsp), %rsi /* temporarily store the return address in %rsi */
+ movq %rdi, 8(%rsp) /* pt_regs->di (overwriting original return address) */
++ /* We just clobbered the return address - use the IRET frame for unwinding: */
++ UNWIND_HINT_IRET_REGS offset=3*8
+ .else
+ pushq %rdi /* pt_regs->di */
+ pushq %rsi /* pt_regs->si */
+--
+2.39.5
+
--- /dev/null
+From 4a83aa39222e4194f3091324667816f5a72aaa49 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Feb 2025 14:31:36 +0100
+Subject: x86/fpu: Avoid copying dynamic FP state from init_task in
+ arch_dup_task_struct()
+
+From: Benjamin Berg <benjamin.berg@intel.com>
+
+[ Upstream commit 5d3b81d4d8520efe888536b6906dc10fd1a228a8 ]
+
+The init_task instance of struct task_struct is statically allocated and
+may not contain the full FP state for userspace. As such, limit the copy
+to the valid area of both init_task and 'dst' and ensure all memory is
+initialized.
+
+Note that the FP state is only needed for userspace, and as such it is
+entirely reasonable for init_task to not contain parts of it.
+
+Fixes: 5aaeb5c01c5b ("x86/fpu, sched: Introduce CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT and use it on x86")
+Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Link: https://lore.kernel.org/r/20250226133136.816901-1-benjamin@sipsolutions.net
+----
+
+v2:
+- Fix code if arch_task_struct_size < sizeof(init_task) by using
+ memcpy_and_pad.
+
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/process.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
+index 4f731981d3267..38c517a786f4b 100644
+--- a/arch/x86/kernel/process.c
++++ b/arch/x86/kernel/process.c
+@@ -88,7 +88,12 @@ EXPORT_PER_CPU_SYMBOL_GPL(__tss_limit_invalid);
+ */
+ int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src)
+ {
+- memcpy(dst, src, arch_task_struct_size);
++ /* init_task is not dynamically sized (incomplete FPU state) */
++ if (unlikely(src == &init_task))
++ memcpy_and_pad(dst, arch_task_struct_size, src, sizeof(init_task), 0);
++ else
++ memcpy(dst, src, arch_task_struct_size);
++
+ #ifdef CONFIG_VM86
+ dst->thread.vm86 = NULL;
+ #endif
+--
+2.39.5
+
--- /dev/null
+From c6bf560bc2b2834b8bd543d72ef42167280f0705 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 26 Jan 2025 09:47:25 +0200
+Subject: x86/mm/pat: cpa-test: fix length for CPA_ARRAY test
+
+From: Mike Rapoport (Microsoft) <rppt@kernel.org>
+
+[ Upstream commit 33ea120582a638b2f2e380a50686c2b1d7cce795 ]
+
+The CPA_ARRAY test always uses len[1] as numpages argument to
+change_page_attr_set() although the addresses array is different each
+iteration of the test loop.
+
+Replace len[1] with len[i] to have numpages matching the addresses array.
+
+Fixes: ecc729f1f471 ("x86/mm/cpa: Add ARRAY and PAGES_ARRAY selftests")
+Signed-off-by: "Mike Rapoport (Microsoft)" <rppt@kernel.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20250126074733.1384926-2-rppt@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/mm/pat/cpa-test.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/mm/pat/cpa-test.c b/arch/x86/mm/pat/cpa-test.c
+index 0612a73638a81..7641cff719bd0 100644
+--- a/arch/x86/mm/pat/cpa-test.c
++++ b/arch/x86/mm/pat/cpa-test.c
+@@ -183,7 +183,7 @@ static int pageattr_test(void)
+ break;
+
+ case 1:
+- err = change_page_attr_set(addrs, len[1], PAGE_CPA_TEST, 1);
++ err = change_page_attr_set(addrs, len[i], PAGE_CPA_TEST, 1);
+ break;
+
+ case 2:
+--
+2.39.5
+
--- /dev/null
+From be748528d1e6afb8b4318d9dd03b58cd7c1ded91 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Feb 2025 22:37:14 +0100
+Subject: x86/platform: Only allow CONFIG_EISA for 32-bit
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 976ba8da2f3c2f1e997f4f620da83ae65c0e3728 ]
+
+The CONFIG_EISA menu was cleaned up in 2018, but this inadvertently
+brought the option back on 64-bit machines: ISA remains guarded by
+a CONFIG_X86_32 check, but EISA no longer depends on ISA.
+
+The last Intel machines ith EISA support used a 82375EB PCI/EISA bridge
+from 1993 that could be paired with the 440FX chipset on early Pentium-II
+CPUs, long before the first x86-64 products.
+
+Fixes: 6630a8e50105 ("eisa: consolidate EISA Kconfig entry in drivers/eisa")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Link: https://lore.kernel.org/r/20250226213714.4040853-11-arnd@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index 00ae2e2adcadb..93a1f9937a9bb 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -174,7 +174,7 @@ config X86
+ select HAVE_DYNAMIC_FTRACE_WITH_DIRECT_CALLS
+ select HAVE_EBPF_JIT
+ select HAVE_EFFICIENT_UNALIGNED_ACCESS
+- select HAVE_EISA
++ select HAVE_EISA if X86_32
+ select HAVE_EXIT_THREAD
+ select HAVE_FAST_GUP
+ select HAVE_FENTRY if X86_64 || DYNAMIC_FTRACE
+--
+2.39.5
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
