6.16-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 12 Aug 2025 16:24:27 +0000 (18:24 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 12 Aug 2025 16:24:27 +0000 (18:24 +0200)
added patches:
alsa-hda-realtek-fix-mute-led-for-hp-victus-16-d1xxx-mb-8a26.patch
alsa-hda-realtek-fix-mute-led-for-hp-victus-16-r1xxx.patch
alsa-hda-realtek-fix-mute-led-for-hp-victus-16-s0xxx.patch
alsa-intel_hdmi-fix-off-by-one-error-in-__hdmi_lpe_audio_probe.patch
alsa-scarlett2-add-retry-on-eproto-from-scarlett2_usb_tx.patch
hid-apple-avoid-setting-up-battery-timer-for-devices-without-battery.patch
hid-apple-validate-feature-report-field-count-to-prevent-null-pointer-dereference.patch
hid-core-harden-s32ton-against-conversion-to-0-bits.patch
hid-magicmouse-avoid-setting-up-battery-timer-when-not-needed.patch
kvm-arm64-check-for-sysregs_on_cpu-before-accessing-the-cpu-state.patch
kvm-arm64-filter-out-hcr_el2-bits-when-running-in-hypervisor-context.patch
kvm-vmx-allow-guest-to-set-debugctl.rtm_debug-if-rtm-is-supported.patch
kvm-x86-convert-vcpu_run-s-immediate-exit-param-into-a-generic-bitmap.patch
kvm-x86-drop-kvm_x86_ops.set_dr6-in-favor-of-a-new-kvm_run-flag.patch
media-ti-j721e-csi2rx-fix-list_del-corruption.patch
mips-mm-tlb-r4k-uniquify-tlb-entries-on-init.patch
mm-hmm-move-pmd_to_hmm_pfn_flags-to-the-respective-ifdeffery.patch
mm-shmem-fix-the-shmem-large-folio-allocation-for-the-i915-driver.patch
mm-swap-correctly-use-maxpages-in-swapon-syscall-to-avoid-potential-deadloop.patch
mm-swap-fix-potential-buffer-overflow-in-setup_clusters.patch
mm-swap-move-nr_swap_pages-counter-decrement-from-folio_alloc_swap-to-swap_range_alloc.patch
perf-arm-ni-set-initial-irq-affinity.patch
platform-x86-intel-pmt-fix-a-crashlog-null-pointer-access.patch
s390-mm-remove-possible-false-positive-warning-in-pte_free_defer.patch
usb-gadget-f_hid-fix-memory-leak-in-hidg_bind-error-path.patch
usb-gadget-fix-use-after-free-in-composite_dev_cleanup.patch
usb-gadget-uvc-initialize-frame-based-format-color-matching-descriptor.patch
x86-fpu-delay-instruction-pointer-fixup-until-after-warning.patch
x86-sev-evict-cache-lines-during-snp-memory-validation.patch
zloop-fix-kasan-use-after-free-of-tag-set.patch

31 files changed:
queue-6.16/alsa-hda-realtek-fix-mute-led-for-hp-victus-16-d1xxx-mb-8a26.patch [new file with mode: 0644]
queue-6.16/alsa-hda-realtek-fix-mute-led-for-hp-victus-16-r1xxx.patch [new file with mode: 0644]
queue-6.16/alsa-hda-realtek-fix-mute-led-for-hp-victus-16-s0xxx.patch [new file with mode: 0644]
queue-6.16/alsa-intel_hdmi-fix-off-by-one-error-in-__hdmi_lpe_audio_probe.patch [new file with mode: 0644]
queue-6.16/alsa-scarlett2-add-retry-on-eproto-from-scarlett2_usb_tx.patch [new file with mode: 0644]
queue-6.16/hid-apple-avoid-setting-up-battery-timer-for-devices-without-battery.patch [new file with mode: 0644]
queue-6.16/hid-apple-validate-feature-report-field-count-to-prevent-null-pointer-dereference.patch [new file with mode: 0644]
queue-6.16/hid-core-harden-s32ton-against-conversion-to-0-bits.patch [new file with mode: 0644]
queue-6.16/hid-magicmouse-avoid-setting-up-battery-timer-when-not-needed.patch [new file with mode: 0644]
queue-6.16/kvm-arm64-check-for-sysregs_on_cpu-before-accessing-the-cpu-state.patch [new file with mode: 0644]
queue-6.16/kvm-arm64-filter-out-hcr_el2-bits-when-running-in-hypervisor-context.patch [new file with mode: 0644]
queue-6.16/kvm-vmx-allow-guest-to-set-debugctl.rtm_debug-if-rtm-is-supported.patch [new file with mode: 0644]
queue-6.16/kvm-x86-convert-vcpu_run-s-immediate-exit-param-into-a-generic-bitmap.patch [new file with mode: 0644]
queue-6.16/kvm-x86-drop-kvm_x86_ops.set_dr6-in-favor-of-a-new-kvm_run-flag.patch [new file with mode: 0644]
queue-6.16/media-ti-j721e-csi2rx-fix-list_del-corruption.patch [new file with mode: 0644]
queue-6.16/mips-mm-tlb-r4k-uniquify-tlb-entries-on-init.patch [new file with mode: 0644]
queue-6.16/mm-hmm-move-pmd_to_hmm_pfn_flags-to-the-respective-ifdeffery.patch [new file with mode: 0644]
queue-6.16/mm-shmem-fix-the-shmem-large-folio-allocation-for-the-i915-driver.patch [new file with mode: 0644]
queue-6.16/mm-swap-correctly-use-maxpages-in-swapon-syscall-to-avoid-potential-deadloop.patch [new file with mode: 0644]
queue-6.16/mm-swap-fix-potential-buffer-overflow-in-setup_clusters.patch [new file with mode: 0644]
queue-6.16/mm-swap-move-nr_swap_pages-counter-decrement-from-folio_alloc_swap-to-swap_range_alloc.patch [new file with mode: 0644]
queue-6.16/perf-arm-ni-set-initial-irq-affinity.patch [new file with mode: 0644]
queue-6.16/platform-x86-intel-pmt-fix-a-crashlog-null-pointer-access.patch [new file with mode: 0644]
queue-6.16/s390-mm-remove-possible-false-positive-warning-in-pte_free_defer.patch [new file with mode: 0644]
queue-6.16/series
queue-6.16/usb-gadget-f_hid-fix-memory-leak-in-hidg_bind-error-path.patch [new file with mode: 0644]
queue-6.16/usb-gadget-fix-use-after-free-in-composite_dev_cleanup.patch [new file with mode: 0644]
queue-6.16/usb-gadget-uvc-initialize-frame-based-format-color-matching-descriptor.patch [new file with mode: 0644]
queue-6.16/x86-fpu-delay-instruction-pointer-fixup-until-after-warning.patch [new file with mode: 0644]
queue-6.16/x86-sev-evict-cache-lines-during-snp-memory-validation.patch [new file with mode: 0644]
queue-6.16/zloop-fix-kasan-use-after-free-of-tag-set.patch [new file with mode: 0644]

diff --git a/queue-6.16/alsa-hda-realtek-fix-mute-led-for-hp-victus-16-d1xxx-mb-8a26.patch b/queue-6.16/alsa-hda-realtek-fix-mute-led-for-hp-victus-16-d1xxx-mb-8a26.patch
new file mode 100644 (file)
index 0000000..f54d517
--- /dev/null
@@ -0,0 +1,34 @@
+From a9dec0963187d05725369156a5e0e14cd3487bfb Mon Sep 17 00:00:00 2001
+From: Edip Hazuri <edip@medip.dev>
+Date: Tue, 29 Jul 2025 21:18:50 +0300
+Subject: ALSA: hda/realtek - Fix mute LED for HP Victus 16-d1xxx (MB 8A26)
+
+From: Edip Hazuri <edip@medip.dev>
+
+commit a9dec0963187d05725369156a5e0e14cd3487bfb upstream.
+
+My friend have Victus 16-d1xxx with board ID 8A26, the existing quirk
+for Victus 16-d1xxx wasn't working because of different board ID
+
+Tested on Victus 16-d1015nt Laptop. The LED behaviour works
+as intended.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Edip Hazuri <edip@medip.dev>
+Link: https://patch.msgid.link/20250729181848.24432-4-edip@medip.dev
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10764,6 +10764,7 @@ static const struct hda_quirk alc269_fix
+       SND_PCI_QUIRK(0x103c, 0x8a0f, "HP Pavilion 14-ec1xxx", ALC287_FIXUP_HP_GPIO_LED),
+       SND_PCI_QUIRK(0x103c, 0x8a20, "HP Laptop 15s-fq5xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2),
+       SND_PCI_QUIRK(0x103c, 0x8a25, "HP Victus 16-d1xxx (MB 8A25)", ALC245_FIXUP_HP_MUTE_LED_COEFBIT),
++      SND_PCI_QUIRK(0x103c, 0x8a26, "HP Victus 16-d1xxx (MB 8A26)", ALC245_FIXUP_HP_MUTE_LED_COEFBIT),
+       SND_PCI_QUIRK(0x103c, 0x8a28, "HP Envy 13", ALC287_FIXUP_CS35L41_I2C_2),
+       SND_PCI_QUIRK(0x103c, 0x8a29, "HP Envy 15", ALC287_FIXUP_CS35L41_I2C_2),
+       SND_PCI_QUIRK(0x103c, 0x8a2a, "HP Envy 15", ALC287_FIXUP_CS35L41_I2C_2),
diff --git a/queue-6.16/alsa-hda-realtek-fix-mute-led-for-hp-victus-16-r1xxx.patch b/queue-6.16/alsa-hda-realtek-fix-mute-led-for-hp-victus-16-r1xxx.patch
new file mode 100644 (file)
index 0000000..21bf3b7
--- /dev/null
@@ -0,0 +1,34 @@
+From bd7814a4c0fd883894bdf9fe5eda24c9df826e4c Mon Sep 17 00:00:00 2001
+From: Edip Hazuri <edip@medip.dev>
+Date: Fri, 25 Jul 2025 18:14:37 +0300
+Subject: ALSA: hda/realtek - Fix mute LED for HP Victus 16-r1xxx
+
+From: Edip Hazuri <edip@medip.dev>
+
+commit bd7814a4c0fd883894bdf9fe5eda24c9df826e4c upstream.
+
+The mute led on this laptop is using ALC245 but requires a quirk to work
+This patch enables the existing quirk for the device.
+
+Tested on Victus 16-r1xxx Laptop. The LED behaviour works
+as intended.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Edip Hazuri <edip@medip.dev>
+Link: https://patch.msgid.link/20250725151436.51543-2-edip@medip.dev
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10874,6 +10874,7 @@ static const struct hda_quirk alc269_fix
+       SND_PCI_QUIRK(0x103c, 0x8c91, "HP EliteBook 660", ALC236_FIXUP_HP_GPIO_LED),
+       SND_PCI_QUIRK(0x103c, 0x8c96, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
+       SND_PCI_QUIRK(0x103c, 0x8c97, "HP ZBook", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
++      SND_PCI_QUIRK(0x103c, 0x8c99, "HP Victus 16-r1xxx (MB 8C99)", ALC245_FIXUP_HP_MUTE_LED_COEFBIT),
+       SND_PCI_QUIRK(0x103c, 0x8c9c, "HP Victus 16-s1xxx (MB 8C9C)", ALC245_FIXUP_HP_MUTE_LED_COEFBIT),
+       SND_PCI_QUIRK(0x103c, 0x8ca1, "HP ZBook Power", ALC236_FIXUP_HP_GPIO_LED),
+       SND_PCI_QUIRK(0x103c, 0x8ca2, "HP ZBook Power", ALC236_FIXUP_HP_GPIO_LED),
diff --git a/queue-6.16/alsa-hda-realtek-fix-mute-led-for-hp-victus-16-s0xxx.patch b/queue-6.16/alsa-hda-realtek-fix-mute-led-for-hp-victus-16-s0xxx.patch
new file mode 100644 (file)
index 0000000..ef52d72
--- /dev/null
@@ -0,0 +1,34 @@
+From 956048a3cd9d2575032e2c7ca62803677357ae18 Mon Sep 17 00:00:00 2001
+From: Edip Hazuri <edip@medip.dev>
+Date: Tue, 29 Jul 2025 21:18:48 +0300
+Subject: ALSA: hda/realtek - Fix mute LED for HP Victus 16-s0xxx
+
+From: Edip Hazuri <edip@medip.dev>
+
+commit 956048a3cd9d2575032e2c7ca62803677357ae18 upstream.
+
+The mute led on this laptop is using ALC245 but requires a quirk to work
+This patch enables the existing quirk for the device.
+
+Tested on Victus 16-S0063NT Laptop. The LED behaviour works
+as intended.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Edip Hazuri <edip@medip.dev>
+Link: https://patch.msgid.link/20250729181848.24432-2-edip@medip.dev
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10822,6 +10822,7 @@ static const struct hda_quirk alc269_fix
+       SND_PCI_QUIRK(0x103c, 0x8bbe, "HP Victus 16-r0xxx (MB 8BBE)", ALC245_FIXUP_HP_MUTE_LED_COEFBIT),
+       SND_PCI_QUIRK(0x103c, 0x8bc8, "HP Victus 15-fa1xxx", ALC245_FIXUP_HP_MUTE_LED_COEFBIT),
+       SND_PCI_QUIRK(0x103c, 0x8bcd, "HP Omen 16-xd0xxx", ALC245_FIXUP_HP_MUTE_LED_V1_COEFBIT),
++      SND_PCI_QUIRK(0x103c, 0x8bd4, "HP Victus 16-s0xxx (MB 8BD4)", ALC245_FIXUP_HP_MUTE_LED_COEFBIT),
+       SND_PCI_QUIRK(0x103c, 0x8bdd, "HP Envy 17", ALC287_FIXUP_CS35L41_I2C_2),
+       SND_PCI_QUIRK(0x103c, 0x8bde, "HP Envy 17", ALC287_FIXUP_CS35L41_I2C_2),
+       SND_PCI_QUIRK(0x103c, 0x8bdf, "HP Envy 15", ALC287_FIXUP_CS35L41_I2C_2),
diff --git a/queue-6.16/alsa-intel_hdmi-fix-off-by-one-error-in-__hdmi_lpe_audio_probe.patch b/queue-6.16/alsa-intel_hdmi-fix-off-by-one-error-in-__hdmi_lpe_audio_probe.patch
new file mode 100644 (file)
index 0000000..3ac47f8
--- /dev/null
@@ -0,0 +1,38 @@
+From 8cbe564974248ee980562be02f2b1912769562c7 Mon Sep 17 00:00:00 2001
+From: Thorsten Blum <thorsten.blum@linux.dev>
+Date: Wed, 6 Aug 2025 01:41:53 +0200
+Subject: ALSA: intel_hdmi: Fix off-by-one error in __hdmi_lpe_audio_probe()
+
+From: Thorsten Blum <thorsten.blum@linux.dev>
+
+commit 8cbe564974248ee980562be02f2b1912769562c7 upstream.
+
+In __hdmi_lpe_audio_probe(), strscpy() is incorrectly called with the
+length of the source string (excluding the NUL terminator) rather than
+the size of the destination buffer. This results in one character less
+being copied from 'card->shortname' to 'pcm->name'.
+
+Use the destination buffer size instead to ensure the card name is
+copied correctly.
+
+Cc: stable@vger.kernel.org
+Fixes: 75b1a8f9d62e ("ALSA: Convert strlcpy to strscpy when return value is unused")
+Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
+Link: https://patch.msgid.link/20250805234156.60294-1-thorsten.blum@linux.dev
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/x86/intel_hdmi_audio.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/x86/intel_hdmi_audio.c
++++ b/sound/x86/intel_hdmi_audio.c
+@@ -1768,7 +1768,7 @@ static int __hdmi_lpe_audio_probe(struct
+               /* setup private data which can be retrieved when required */
+               pcm->private_data = ctx;
+               pcm->info_flags = 0;
+-              strscpy(pcm->name, card->shortname, strlen(card->shortname));
++              strscpy(pcm->name, card->shortname, sizeof(pcm->name));
+               /* setup the ops for playback */
+               snd_pcm_set_ops(pcm, SNDRV_PCM_STREAM_PLAYBACK, &had_pcm_ops);
diff --git a/queue-6.16/alsa-scarlett2-add-retry-on-eproto-from-scarlett2_usb_tx.patch b/queue-6.16/alsa-scarlett2-add-retry-on-eproto-from-scarlett2_usb_tx.patch
new file mode 100644 (file)
index 0000000..db64e1d
--- /dev/null
@@ -0,0 +1,59 @@
+From 8a15ca0ca51399b652b1bbb23b590b220cf03d62 Mon Sep 17 00:00:00 2001
+From: "Geoffrey D. Bennett" <g@b4.vu>
+Date: Mon, 28 Jul 2025 19:00:35 +0930
+Subject: ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx()
+
+From: Geoffrey D. Bennett <g@b4.vu>
+
+commit 8a15ca0ca51399b652b1bbb23b590b220cf03d62 upstream.
+
+During communication with Focusrite Scarlett Gen 2/3/4 USB audio
+interfaces, -EPROTO is sometimes returned from scarlett2_usb_tx(),
+snd_usb_ctl_msg() which can cause initialisation and control
+operations to fail intermittently.
+
+This patch adds up to 5 retries in scarlett2_usb(), with a delay
+starting at 5ms and doubling each time. This follows the same approach
+as the fix for usb_set_interface() in endpoint.c (commit f406005e162b
+("ALSA: usb-audio: Add retry on -EPROTO from usb_set_interface()")),
+which resolved similar -EPROTO issues during device initialisation,
+and is the same approach as in fcp.c:fcp_usb().
+
+Fixes: 9e4d5c1be21f ("ALSA: usb-audio: Scarlett Gen 2 mixer interface")
+Closes: https://github.com/geoffreybennett/linux-fcp/issues/41
+Cc: stable@vger.kernel.org
+Signed-off-by: Geoffrey D. Bennett <g@b4.vu>
+Link: https://patch.msgid.link/aIdDO6ld50WQwNim@m.b4.vu
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/mixer_scarlett2.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/sound/usb/mixer_scarlett2.c
++++ b/sound/usb/mixer_scarlett2.c
+@@ -2351,6 +2351,8 @@ static int scarlett2_usb(
+       struct scarlett2_usb_packet *req, *resp = NULL;
+       size_t req_buf_size = struct_size(req, data, req_size);
+       size_t resp_buf_size = struct_size(resp, data, resp_size);
++      int retries = 0;
++      const int max_retries = 5;
+       int err;
+       req = kmalloc(req_buf_size, GFP_KERNEL);
+@@ -2374,10 +2376,15 @@ static int scarlett2_usb(
+       if (req_size)
+               memcpy(req->data, req_data, req_size);
++retry:
+       err = scarlett2_usb_tx(dev, private->bInterfaceNumber,
+                              req, req_buf_size);
+       if (err != req_buf_size) {
++              if (err == -EPROTO && ++retries <= max_retries) {
++                      msleep(5 * (1 << (retries - 1)));
++                      goto retry;
++              }
+               usb_audio_err(
+                       mixer->chip,
+                       "%s USB request result cmd %x was %d\n",
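Review bot: The retry wraps only the scarlett2_usb_tx() call; the receive side of scarlett2_usb() lies below this hunk, and if the device answers -EPROTO there as well (the description reports it only from the tx path) the request still fails after a single attempt. It is worth confirming against the fcp.c:fcp_usb() precedent named in the description whether its retry covers both directions. The 5-attempt / 5 ms doubling constants are duplicated from endpoint.c and fcp.c; a comment such as `/* same -EPROTO retry policy as endpoint.c and fcp.c */` above `const int max_retries = 5;` would record where they come from. scarlett2_usb() starts and ends outside the hunk.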
diff --git a/queue-6.16/hid-apple-avoid-setting-up-battery-timer-for-devices-without-battery.patch b/queue-6.16/hid-apple-avoid-setting-up-battery-timer-for-devices-without-battery.patch
new file mode 100644 (file)
index 0000000..af61bbd
--- /dev/null
@@ -0,0 +1,66 @@
+From c061046fe9ce3ff31fb9a807144a2630ad349c17 Mon Sep 17 00:00:00 2001
+From: Aditya Garg <gargaditya08@live.com>
+Date: Mon, 30 Jun 2025 12:37:13 +0000
+Subject: HID: apple: avoid setting up battery timer for devices without battery
+
+From: Aditya Garg <gargaditya08@live.com>
+
+commit c061046fe9ce3ff31fb9a807144a2630ad349c17 upstream.
+
+Currently, the battery timer is set up for all devices using hid-apple,
+irrespective of whether they actually have a battery or not.
+
+APPLE_RDESC_BATTERY is a quirk that indicates the device has a battery
+and needs the battery timer. This patch checks for this quirk before
+setting up the timer, ensuring that only devices with a battery will
+have the timer set up.
+
+Fixes: 6e143293e17a ("HID: apple: Report Magic Keyboard battery over USB")
+Cc: stable@vger.kernel.org
+Signed-off-by: Aditya Garg <gargaditya08@live.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-apple.c |   17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+--- a/drivers/hid/hid-apple.c
++++ b/drivers/hid/hid-apple.c
+@@ -934,10 +934,12 @@ static int apple_probe(struct hid_device
+               return ret;
+       }
+-      timer_setup(&asc->battery_timer, apple_battery_timer_tick, 0);
+-      mod_timer(&asc->battery_timer,
+-                jiffies + msecs_to_jiffies(APPLE_BATTERY_TIMEOUT_MS));
+-      apple_fetch_battery(hdev);
++      if (quirks & APPLE_RDESC_BATTERY) {
++              timer_setup(&asc->battery_timer, apple_battery_timer_tick, 0);
++              mod_timer(&asc->battery_timer,
++                        jiffies + msecs_to_jiffies(APPLE_BATTERY_TIMEOUT_MS));
++              apple_fetch_battery(hdev);
++      }
+       if (quirks & APPLE_BACKLIGHT_CTL)
+               apple_backlight_init(hdev);
+@@ -951,7 +953,9 @@ static int apple_probe(struct hid_device
+       return 0;
+ out_err:
+-      timer_delete_sync(&asc->battery_timer);
++      if (quirks & APPLE_RDESC_BATTERY)
++              timer_delete_sync(&asc->battery_timer);
++
+       hid_hw_stop(hdev);
+       return ret;
+ }
+@@ -960,7 +964,8 @@ static void apple_remove(struct hid_devi
+ {
+       struct apple_sc *asc = hid_get_drvdata(hdev);
+-      timer_delete_sync(&asc->battery_timer);
++      if (asc->quirks & APPLE_RDESC_BATTERY)
++              timer_delete_sync(&asc->battery_timer);
+       hid_hw_stop(hdev);
+ }
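Review bot: The `quirks & APPLE_RDESC_BATTERY` test now appears three times (the setup block, out_err and apple_remove), and apple_remove reads `asc->quirks` while apple_probe uses the local `quirks`; the guards stay consistent only as long as those two always hold the same value, which this hunk does not show. A one-line `static inline bool apple_has_battery_timer(const struct apple_sc *asc)` used in all three places would keep the probe error path and remove from drifting apart. A short comment on the setup block, e.g. `/* the timer is only initialised for APPLE_RDESC_BATTERY devices; every timer_delete_sync() must use the same guard */`, would also make the pairing explicit for the next edit. apple_probe starts outside the hunk.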
diff --git a/queue-6.16/hid-apple-validate-feature-report-field-count-to-prevent-null-pointer-dereference.patch b/queue-6.16/hid-apple-validate-feature-report-field-count-to-prevent-null-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..89cfe4c
--- /dev/null
@@ -0,0 +1,102 @@
+From 1bb3363da862e0464ec050eea2fb5472a36ad86b Mon Sep 17 00:00:00 2001
+From: Qasim Ijaz <qasdev00@gmail.com>
+Date: Mon, 14 Jul 2025 00:30:08 +0100
+Subject: HID: apple: validate feature-report field count to prevent NULL pointer dereference
+
+From: Qasim Ijaz <qasdev00@gmail.com>
+
+commit 1bb3363da862e0464ec050eea2fb5472a36ad86b upstream.
+
+A malicious HID device with quirk APPLE_MAGIC_BACKLIGHT can trigger a NULL
+pointer dereference whilst the power feature-report is toggled and sent to
+the device in apple_magic_backlight_report_set(). The power feature-report
+is expected to have two data fields, but if the descriptor declares one
+field then accessing field[1] and dereferencing it in
+apple_magic_backlight_report_set() becomes invalid
+since field[1] will be NULL.
+
+An example of a minimal descriptor which can cause the crash is something
+like the following where the report with ID 3 (power report) only
+references a single 1-byte field. When hid core parses the descriptor it
+will encounter the final feature tag, allocate a hid_report (all members
+of field[] will be zeroed out), create field structure and populate it,
+increasing the maxfield to 1. The subsequent field[1] access and
+dereference causes the crash.
+
+  Usage Page (Vendor Defined 0xFF00)
+  Usage (0x0F)
+  Collection (Application)
+    Report ID (1)
+    Usage (0x01)
+    Logical Minimum (0)
+    Logical Maximum (255)
+    Report Size (8)
+    Report Count (1)
+    Feature (Data,Var,Abs)
+
+    Usage (0x02)
+    Logical Maximum (32767)
+    Report Size (16)
+    Report Count (1)
+    Feature (Data,Var,Abs)
+
+    Report ID (3)
+    Usage (0x03)
+    Logical Minimum (0)
+    Logical Maximum (1)
+    Report Size (8)
+    Report Count (1)
+    Feature (Data,Var,Abs)
+  End Collection
+
+Here we see the KASAN splat when the kernel dereferences the
+NULL pointer and crashes:
+
+  [   15.164723] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN NOPTI
+  [   15.165691] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
+  [   15.165691] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0 #31 PREEMPT(voluntary)
+  [   15.165691] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
+  [   15.165691] RIP: 0010:apple_magic_backlight_report_set+0xbf/0x210
+  [   15.165691] Call Trace:
+  [   15.165691]  <TASK>
+  [   15.165691]  apple_probe+0x571/0xa20
+  [   15.165691]  hid_device_probe+0x2e2/0x6f0
+  [   15.165691]  really_probe+0x1ca/0x5c0
+  [   15.165691]  __driver_probe_device+0x24f/0x310
+  [   15.165691]  driver_probe_device+0x4a/0xd0
+  [   15.165691]  __device_attach_driver+0x169/0x220
+  [   15.165691]  bus_for_each_drv+0x118/0x1b0
+  [   15.165691]  __device_attach+0x1d5/0x380
+  [   15.165691]  device_initial_probe+0x12/0x20
+  [   15.165691]  bus_probe_device+0x13d/0x180
+  [   15.165691]  device_add+0xd87/0x1510
+  [...]
+
+To fix this issue we should validate the number of fields that the
+backlight and power reports have and if they do not have the required
+number of fields then bail.
+
+Fixes: 394ba612f941 ("HID: apple: Add support for magic keyboard backlight on T2 Macs")
+Cc: stable@vger.kernel.org
+Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
+Reviewed-by: Orlando Chamberlain <orlandoch.dev@gmail.com>
+Tested-by: Aditya Garg <gargaditya08@live.com>
+Link: https://patch.msgid.link/20250713233008.15131-1-qasdev00@gmail.com
+Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-apple.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/hid-apple.c
++++ b/drivers/hid/hid-apple.c
+@@ -890,7 +890,8 @@ static int apple_magic_backlight_init(st
+       backlight->brightness = report_enum->report_id_hash[APPLE_MAGIC_REPORT_ID_BRIGHTNESS];
+       backlight->power = report_enum->report_id_hash[APPLE_MAGIC_REPORT_ID_POWER];
+-      if (!backlight->brightness || !backlight->power)
++      if (!backlight->brightness || backlight->brightness->maxfield < 2 ||
++          !backlight->power || backlight->power->maxfield < 2)
+               return -ENODEV;
+       backlight->cdev.name = ":white:" LED_FUNCTION_KBD_BACKLIGHT;
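Review bot: The `< 2` in the new condition encodes the fact that apple_magic_backlight_report_set() indexes field[1] of both reports, but nothing at the check says so; a comment above the `if` such as `/* report_set() writes field[0] and field[1] of both reports */` would tie the bound to its consumer. If the set path also depends on a minimum report_count or value[] width within those fields, a maxfield check alone does not cover it — worth confirming, since the descriptor is supplied by the device. The enclosing apple_magic_backlight_init() starts and ends outside the hunk.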
diff --git a/queue-6.16/hid-core-harden-s32ton-against-conversion-to-0-bits.patch b/queue-6.16/hid-core-harden-s32ton-against-conversion-to-0-bits.patch
new file mode 100644 (file)
index 0000000..eb45498
--- /dev/null
@@ -0,0 +1,49 @@
+From a6b87bfc2ab5bccb7ad953693c85d9062aef3fdd Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Wed, 23 Jul 2025 10:37:04 -0400
+Subject: HID: core: Harden s32ton() against conversion to 0 bits
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit a6b87bfc2ab5bccb7ad953693c85d9062aef3fdd upstream.
+
+Testing by the syzbot fuzzer showed that the HID core gets a
+shift-out-of-bounds exception when it tries to convert a 32-bit
+quantity to a 0-bit quantity.  Ideally this should never occur, but
+there are buggy devices and some might have a report field with size
+set to zero; we shouldn't reject the report or the device just because
+of that.
+
+Instead, harden the s32ton() routine so that it returns a reasonable
+result instead of crashing when it is called with the number of bits
+set to 0 -- the same as what snto32() does.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: syzbot+b63d677d63bcac06cf90@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-usb/68753a08.050a0220.33d347.0008.GAE@google.com/
+Tested-by: syzbot+b63d677d63bcac06cf90@syzkaller.appspotmail.com
+Fixes: dde5845a529f ("[PATCH] Generic HID layer - code split")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/613a66cd-4309-4bce-a4f7-2905f9bce0c9@rowland.harvard.edu
+Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-core.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -66,8 +66,12 @@ static s32 snto32(__u32 value, unsigned
+ static u32 s32ton(__s32 value, unsigned int n)
+ {
+-      s32 a = value >> (n - 1);
++      s32 a;
++      if (!value || !n)
++              return 0;
++
++      a = value >> (n - 1);
+       if (a && a != -1)
+               return value < 0 ? 1 << (n - 1) : (1 << (n - 1)) - 1;
+       return value & ((1 << n) - 1);
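Review bot: The new guard covers only n == 0; for n == 32 `value >> (n - 1)` is fine but `1 << n` shifts by the full width of int, and already at n == 31 `1 << n` lands in the sign bit of a signed int, so unless callers bound the field size to at most 30 bits a report can still reach a shift-out-of-bounds here. If report_size is already clamped by the descriptor parser, a comment such as `/* n is 1..31 here: report_size is bounded by the parser */` would record that assumption; otherwise clamping n, or doing the mask arithmetic in u32 (`(1U << n) - 1`), is a small change. s32ton() is fully inside the hunk; snto32() named in the hunk header is not.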
diff --git a/queue-6.16/hid-magicmouse-avoid-setting-up-battery-timer-when-not-needed.patch b/queue-6.16/hid-magicmouse-avoid-setting-up-battery-timer-when-not-needed.patch
new file mode 100644 (file)
index 0000000..a05ef21
--- /dev/null
@@ -0,0 +1,130 @@
+From 9bdc30e35cbc1aa78ccf01040354209f1e11ca22 Mon Sep 17 00:00:00 2001
+From: Aditya Garg <gargaditya08@live.com>
+Date: Mon, 30 Jun 2025 12:37:13 +0000
+Subject: HID: magicmouse: avoid setting up battery timer when not needed
+
+From: Aditya Garg <gargaditya08@live.com>
+
+commit 9bdc30e35cbc1aa78ccf01040354209f1e11ca22 upstream.
+
+Currently, the battery timer is set up for all devices using
+hid-magicmouse, irrespective of whether they actually need it or not.
+
+The current implementation requires the battery timer for Magic Mouse 2
+and Magic Trackpad 2 when connected via USB only. Add checks to ensure
+that the battery timer is only set up when they are connected via USB.
+
+Fixes: 0b91b4e4dae6 ("HID: magicmouse: Report battery level over USB")
+Cc: stable@vger.kernel.org
+Signed-off-by: Aditya Garg <gargaditya08@live.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-magicmouse.c |   62 +++++++++++++++++++++++++++----------------
+ 1 file changed, 39 insertions(+), 23 deletions(-)
+
+--- a/drivers/hid/hid-magicmouse.c
++++ b/drivers/hid/hid-magicmouse.c
+@@ -791,17 +791,31 @@ static void magicmouse_enable_mt_work(st
+               hid_err(msc->hdev, "unable to request touch data (%d)\n", ret);
+ }
++static bool is_usb_magicmouse2(__u32 vendor, __u32 product)
++{
++      if (vendor != USB_VENDOR_ID_APPLE)
++              return false;
++      return product == USB_DEVICE_ID_APPLE_MAGICMOUSE2 ||
++             product == USB_DEVICE_ID_APPLE_MAGICMOUSE2_USBC;
++}
++
++static bool is_usb_magictrackpad2(__u32 vendor, __u32 product)
++{
++      if (vendor != USB_VENDOR_ID_APPLE)
++              return false;
++      return product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2 ||
++             product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2_USBC;
++}
++
+ static int magicmouse_fetch_battery(struct hid_device *hdev)
+ {
+ #ifdef CONFIG_HID_BATTERY_STRENGTH
+       struct hid_report_enum *report_enum;
+       struct hid_report *report;
+-      if (!hdev->battery || hdev->vendor != USB_VENDOR_ID_APPLE ||
+-          (hdev->product != USB_DEVICE_ID_APPLE_MAGICMOUSE2 &&
+-           hdev->product != USB_DEVICE_ID_APPLE_MAGICMOUSE2_USBC &&
+-           hdev->product != USB_DEVICE_ID_APPLE_MAGICTRACKPAD2 &&
+-           hdev->product != USB_DEVICE_ID_APPLE_MAGICTRACKPAD2_USBC))
++      if (!hdev->battery ||
++          (!is_usb_magicmouse2(hdev->vendor, hdev->product) &&
++           !is_usb_magictrackpad2(hdev->vendor, hdev->product)))
+               return -1;
+       report_enum = &hdev->report_enum[hdev->battery_report_type];
+@@ -863,17 +877,17 @@ static int magicmouse_probe(struct hid_d
+               return ret;
+       }
+-      timer_setup(&msc->battery_timer, magicmouse_battery_timer_tick, 0);
+-      mod_timer(&msc->battery_timer,
+-                jiffies + msecs_to_jiffies(USB_BATTERY_TIMEOUT_MS));
+-      magicmouse_fetch_battery(hdev);
+-
+-      if (id->vendor == USB_VENDOR_ID_APPLE &&
+-          (id->product == USB_DEVICE_ID_APPLE_MAGICMOUSE2 ||
+-           id->product == USB_DEVICE_ID_APPLE_MAGICMOUSE2_USBC ||
+-           ((id->product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2 ||
+-             id->product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2_USBC) &&
+-            hdev->type != HID_TYPE_USBMOUSE)))
++      if (is_usb_magicmouse2(id->vendor, id->product) ||
++          is_usb_magictrackpad2(id->vendor, id->product)) {
++              timer_setup(&msc->battery_timer, magicmouse_battery_timer_tick, 0);
++              mod_timer(&msc->battery_timer,
++                        jiffies + msecs_to_jiffies(USB_BATTERY_TIMEOUT_MS));
++              magicmouse_fetch_battery(hdev);
++      }
++
++      if (is_usb_magicmouse2(id->vendor, id->product) ||
++          (is_usb_magictrackpad2(id->vendor, id->product) &&
++           hdev->type != HID_TYPE_USBMOUSE))
+               return 0;
+       if (!msc->input) {
+@@ -936,7 +950,10 @@ static int magicmouse_probe(struct hid_d
+       return 0;
+ err_stop_hw:
+-      timer_delete_sync(&msc->battery_timer);
++      if (is_usb_magicmouse2(id->vendor, id->product) ||
++          is_usb_magictrackpad2(id->vendor, id->product))
++              timer_delete_sync(&msc->battery_timer);
++
+       hid_hw_stop(hdev);
+       return ret;
+ }
+@@ -947,7 +964,9 @@ static void magicmouse_remove(struct hid
+       if (msc) {
+               cancel_delayed_work_sync(&msc->work);
+-              timer_delete_sync(&msc->battery_timer);
++              if (is_usb_magicmouse2(hdev->vendor, hdev->product) ||
++                  is_usb_magictrackpad2(hdev->vendor, hdev->product))
++                      timer_delete_sync(&msc->battery_timer);
+       }
+       hid_hw_stop(hdev);
+@@ -964,11 +983,8 @@ static const __u8 *magicmouse_report_fix
+        *   0x05, 0x01,       // Usage Page (Generic Desktop)        0
+        *   0x09, 0x02,       // Usage (Mouse)                       2
+        */
+-      if (hdev->vendor == USB_VENDOR_ID_APPLE &&
+-          (hdev->product == USB_DEVICE_ID_APPLE_MAGICMOUSE2 ||
+-           hdev->product == USB_DEVICE_ID_APPLE_MAGICMOUSE2_USBC ||
+-           hdev->product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2 ||
+-           hdev->product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2_USBC) &&
++      if ((is_usb_magicmouse2(hdev->vendor, hdev->product) ||
++           is_usb_magictrackpad2(hdev->vendor, hdev->product)) &&
+           *rsize == 83 && rdesc[46] == 0x84 && rdesc[58] == 0x85) {
+               hid_info(hdev,
+                        "fixing up magicmouse battery report descriptor\n");
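Review bot: is_usb_magicmouse2() and is_usb_magictrackpad2() decide "USB" purely from vendor/product; that only works because the Bluetooth variants of these devices appear to be registered under a different vendor id, which the helper names do not make obvious. A comment on the first helper such as `/* USB_VENDOR_ID_APPLE is the USB VID; the Bluetooth variants use a different vendor id, so a match implies USB — confirm against hid-ids.h */` would document it. The OR of the two helpers is repeated in probe, err_stop_hw and magicmouse_remove; a single `magicmouse_needs_battery_timer(vendor, product)` helper would stop the three guards drifting apart. magicmouse_probe and magicmouse_report_fixup extend outside the hunks.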
diff --git a/queue-6.16/kvm-arm64-check-for-sysregs_on_cpu-before-accessing-the-cpu-state.patch b/queue-6.16/kvm-arm64-check-for-sysregs_on_cpu-before-accessing-the-cpu-state.patch
new file mode 100644 (file)
index 0000000..26c853a
--- /dev/null
@@ -0,0 +1,77 @@
+From c6e35dff58d348c1a9489e9b3b62b3721e62631d Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <maz@kernel.org>
+Date: Sun, 20 Jul 2025 11:22:29 +0100
+Subject: KVM: arm64: Check for SYSREGS_ON_CPU before accessing the CPU state
+
+From: Marc Zyngier <maz@kernel.org>
+
+commit c6e35dff58d348c1a9489e9b3b62b3721e62631d upstream.
+
+Mark Brown reports that since we commit to making exceptions
+visible without the vcpu being loaded, the external abort selftest
+fails.
+
+Upon investigation, it turns out that the code that makes registers
+affected by an exception visible to the guest is completely broken
+on VHE, as we don't check whether the system registers are loaded
+on the CPU at this point. We managed to get away with this so far,
+but that's obviously as bad as it gets,
+
+Add the required checksm and document the absolute need to check
+for the SYSREGS_ON_CPU flag before calling into any of the
+__vcpu_write_sys_reg_to_cpu()__vcpu_read_sys_reg_from_cpu() helpers.
+
+Reported-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/18535df8-e647-4643-af9a-bb780af03a70@sirena.org.uk
+Link: https://lore.kernel.org/r/20250720102229.179114-1-maz@kernel.org
+Signed-off-by: Oliver Upton <oliver.upton@linux.dev>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/kvm_host.h |    4 ++++
+ arch/arm64/kvm/hyp/exception.c    |    6 ++++--
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/include/asm/kvm_host.h
++++ b/arch/arm64/include/asm/kvm_host.h
+@@ -1149,6 +1149,8 @@ static inline bool __vcpu_read_sys_reg_f
+        * System registers listed in the switch are not saved on every
+        * exit from the guest but are only saved on vcpu_put.
+        *
++       * SYSREGS_ON_CPU *MUST* be checked before using this helper.
++       *
+        * Note that MPIDR_EL1 for the guest is set by KVM via VMPIDR_EL2 but
+        * should never be listed below, because the guest cannot modify its
+        * own MPIDR_EL1 and MPIDR_EL1 is accessed for VCPU A from VCPU B's
+@@ -1200,6 +1202,8 @@ static inline bool __vcpu_write_sys_reg_
+        * System registers listed in the switch are not restored on every
+        * entry to the guest but are only restored on vcpu_load.
+        *
++       * SYSREGS_ON_CPU *MUST* be checked before using this helper.
++       *
+        * Note that MPIDR_EL1 for the guest is set by KVM via VMPIDR_EL2 but
+        * should never be listed below, because the MPIDR should only be set
+        * once, before running the VCPU, and never changed later.
+--- a/arch/arm64/kvm/hyp/exception.c
++++ b/arch/arm64/kvm/hyp/exception.c
+@@ -26,7 +26,8 @@ static inline u64 __vcpu_read_sys_reg(co
+       if (unlikely(vcpu_has_nv(vcpu)))
+               return vcpu_read_sys_reg(vcpu, reg);
+-      else if (__vcpu_read_sys_reg_from_cpu(reg, &val))
++      else if (vcpu_get_flag(vcpu, SYSREGS_ON_CPU) &&
++               __vcpu_read_sys_reg_from_cpu(reg, &val))
+               return val;
+       return __vcpu_sys_reg(vcpu, reg);
+@@ -36,7 +37,8 @@ static inline void __vcpu_write_sys_reg(
+ {
+       if (unlikely(vcpu_has_nv(vcpu)))
+               vcpu_write_sys_reg(vcpu, val, reg);
+-      else if (!__vcpu_write_sys_reg_to_cpu(val, reg))
++      else if (!vcpu_get_flag(vcpu, SYSREGS_ON_CPU) ||
++               !__vcpu_write_sys_reg_to_cpu(val, reg))
+               __vcpu_assign_sys_reg(vcpu, reg, val);
+ }
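Review bot: The new SYSREGS_ON_CPU checks in `__vcpu_read_sys_reg` and `__vcpu_write_sys_reg` are enforced by the header comment alone, because `__vcpu_read_sys_reg_from_cpu(reg, &val)` and `__vcpu_write_sys_reg_to_cpu(val, reg)` take no vcpu and so cannot test the flag themselves. Any other callers of those two helpers are outside this hunk and are not covered by this change, so the kvm_host.h comment should say why the check is the caller's job, e.g. `* SYSREGS_ON_CPU *MUST* be checked before using this helper: it has no vcpu` / `* to test the flag itself and accesses the live CPU registers unconditionally.` The identical flag-plus-helper condition now appears in both exception.c functions; folding it into one small static helper would keep the two from drifting apart, but that is a matter of taste.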
diff --git a/queue-6.16/kvm-arm64-filter-out-hcr_el2-bits-when-running-in-hypervisor-context.patch b/queue-6.16/kvm-arm64-filter-out-hcr_el2-bits-when-running-in-hypervisor-context.patch
new file mode 100644 (file)
index 0000000..445d3b5
--- /dev/null
@@ -0,0 +1,69 @@
+From 303084ad12767db64c84ba8fcd0450aec38c8534 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <maz@kernel.org>
+Date: Mon, 21 Jul 2025 11:19:50 +0100
+Subject: KVM: arm64: Filter out HCR_EL2 bits when running in hypervisor context
+
+From: Marc Zyngier <maz@kernel.org>
+
+commit 303084ad12767db64c84ba8fcd0450aec38c8534 upstream.
+
+Most HCR_EL2 bits are not supposed to affect EL2 at all, but only
+the guest. However, we gladly merge these bits with the host's
+HCR_EL2 configuration, irrespective of entering L1 or L2.
+
+This leads to some funky behaviour, such as L1 trying to inject
+a virtual SError for L2, and getting a taste of its own medecine.
+Not quite what the architecture anticipated.
+
+In the end, the only bits that matter are those we have defined as
+invariants, either because we've made them RESx (E2H, HCD...), or
+that we actively refuse to merge because the mess with KVM's own
+logic.
+
+Use the sanitisation infrastructure to get the RES1 bits, and let
+things rip in a safer way.
+
+Fixes: 04ab519bb86df ("KVM: arm64: nv: Configure HCR_EL2 for FEAT_NV2")
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250721101955.535159-3-maz@kernel.org
+Signed-off-by: Oliver Upton <oliver.upton@linux.dev>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kvm/hyp/vhe/switch.c |   14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/kvm/hyp/vhe/switch.c
++++ b/arch/arm64/kvm/hyp/vhe/switch.c
+@@ -48,8 +48,7 @@ DEFINE_PER_CPU(unsigned long, kvm_hyp_ve
+ static u64 __compute_hcr(struct kvm_vcpu *vcpu)
+ {
+-      u64 guest_hcr = __vcpu_sys_reg(vcpu, HCR_EL2);
+-      u64 hcr = vcpu->arch.hcr_el2;
++      u64 guest_hcr, hcr = vcpu->arch.hcr_el2;
+       if (!vcpu_has_nv(vcpu))
+               return hcr;
+@@ -68,10 +67,21 @@ static u64 __compute_hcr(struct kvm_vcpu
+               if (!vcpu_el2_e2h_is_set(vcpu))
+                       hcr |= HCR_NV1;
++              /*
++               * Nothing in HCR_EL2 should impact running in hypervisor
++               * context, apart from bits we have defined as RESx (E2H,
++               * HCD and co), or that cannot be set directly (the EXCLUDE
++               * bits). Given that we OR the guest's view with the host's,
++               * we can use the 0 value as the starting point, and only
++               * use the config-driven RES1 bits.
++               */
++              guest_hcr = kvm_vcpu_apply_reg_masks(vcpu, HCR_EL2, 0);
++
+               write_sysreg_s(vcpu->arch.ctxt.vncr_array, SYS_VNCR_EL2);
+       } else {
+               host_data_clear_flag(VCPU_IN_HYP_CONTEXT);
++              guest_hcr = __vcpu_sys_reg(vcpu, HCR_EL2);
+               if (guest_hcr & HCR_NV) {
+                       u64 va = __fix_to_virt(vncr_fixmap(smp_processor_id()));
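Review bot: `guest_hcr` is now declared without an initializer at the top of `__compute_hcr` and is only assigned on the two branches visible here (the hypervisor-context path via `kvm_vcpu_apply_reg_masks(vcpu, HCR_EL2, 0)` and the `else` path via `__vcpu_sys_reg(vcpu, HCR_EL2)`); the lines between the two hunks and the tail of the function, where the value is presumably merged into `hcr`, are outside this hunk, so I cannot confirm that no other path reaches that use. Initialising it, `u64 guest_hcr = 0, hcr = vcpu->arch.hcr_el2;`, costs nothing, turns a missed path into a no-op rather than an uninitialised read, and quiets -Wmaybe-uninitialized on compilers that cannot see through the branches. `__compute_hcr` ends outside the hunk.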
diff --git a/queue-6.16/kvm-vmx-allow-guest-to-set-debugctl.rtm_debug-if-rtm-is-supported.patch b/queue-6.16/kvm-vmx-allow-guest-to-set-debugctl.rtm_debug-if-rtm-is-supported.patch
new file mode 100644 (file)
index 0000000..1d28240
--- /dev/null
@@ -0,0 +1,55 @@
+From 17ec2f965344ee3fd6620bef7ef68792f4ac3af0 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Tue, 10 Jun 2025 16:20:06 -0700
+Subject: KVM: VMX: Allow guest to set DEBUGCTL.RTM_DEBUG if RTM is supported
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit 17ec2f965344ee3fd6620bef7ef68792f4ac3af0 upstream.
+
+Let the guest set DEBUGCTL.RTM_DEBUG if RTM is supported according to the
+guest CPUID model, as debug support is supposed to be available if RTM is
+supported, and there are no known downsides to letting the guest debug RTM
+aborts.
+
+Note, there are no known bug reports related to RTM_DEBUG, the primary
+motivation is to reduce the probability of breaking existing guests when a
+future change adds a missing consistency check on vmcs12.GUEST_DEBUGCTL
+(KVM currently lets L2 run with whatever hardware supports; whoops).
+
+Note #2, KVM already emulates DR6.RTM, and doesn't restrict access to
+DR7.RTM.
+
+Fixes: 83c529151ab0 ("KVM: x86: expose Intel cpu new features (HLE, RTM) to guest")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250610232010.162191-5-seanjc@google.com
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/msr-index.h |    1 +
+ arch/x86/kvm/vmx/vmx.c           |    4 ++++
+ 2 files changed, 5 insertions(+)
+
+--- a/arch/x86/include/asm/msr-index.h
++++ b/arch/x86/include/asm/msr-index.h
+@@ -419,6 +419,7 @@
+ #define DEBUGCTLMSR_FREEZE_PERFMON_ON_PMI     (1UL << 12)
+ #define DEBUGCTLMSR_FREEZE_IN_SMM_BIT 14
+ #define DEBUGCTLMSR_FREEZE_IN_SMM     (1UL << DEBUGCTLMSR_FREEZE_IN_SMM_BIT)
++#define DEBUGCTLMSR_RTM_DEBUG         BIT(15)
+ #define MSR_PEBS_FRONTEND             0x000003f7
+--- a/arch/x86/kvm/vmx/vmx.c
++++ b/arch/x86/kvm/vmx/vmx.c
+@@ -2186,6 +2186,10 @@ static u64 vmx_get_supported_debugctl(st
+           (host_initiated || intel_pmu_lbr_is_enabled(vcpu)))
+               debugctl |= DEBUGCTLMSR_LBR | DEBUGCTLMSR_FREEZE_LBRS_ON_PMI;
++      if (boot_cpu_has(X86_FEATURE_RTM) &&
++          (host_initiated || guest_cpu_cap_has(vcpu, X86_FEATURE_RTM)))
++              debugctl |= DEBUGCTLMSR_RTM_DEBUG;
++
+       return debugctl;
+ }
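Review bot: The new `DEBUGCTLMSR_RTM_DEBUG` definition is spelled `BIT(15)` while the adjacent DEBUGCTLMSR_* definitions in the same hunk use `(1UL << n)`; unless BIT() is already the convention elsewhere in msr-index.h (not visible here), `#define DEBUGCTLMSR_RTM_DEBUG (1UL << 15)` would match its neighbours and avoid depending on linux/bits.h being pulled in by this header. The vmx.c check mirrors the LBR condition directly above it, so the only thing I would add there is a one-line comment stating the intent, e.g. `/* Debug support for RTM aborts is expected whenever RTM is supported. */`. `vmx_get_supported_debugctl` starts outside the hunk.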
diff --git a/queue-6.16/kvm-x86-convert-vcpu_run-s-immediate-exit-param-into-a-generic-bitmap.patch b/queue-6.16/kvm-x86-convert-vcpu_run-s-immediate-exit-param-into-a-generic-bitmap.patch
new file mode 100644 (file)
index 0000000..8f75ac0
--- /dev/null
@@ -0,0 +1,206 @@
+From 2478b1b220c49d25cb1c3f061ec4f9b351d9a131 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Tue, 10 Jun 2025 16:20:04 -0700
+Subject: KVM: x86: Convert vcpu_run()'s immediate exit param into a generic bitmap
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit 2478b1b220c49d25cb1c3f061ec4f9b351d9a131 upstream.
+
+Convert kvm_x86_ops.vcpu_run()'s "force_immediate_exit" boolean parameter
+into an a generic bitmap so that similar "take action" information can be
+passed to vendor code without creating a pile of boolean parameters.
+
+This will allow dropping kvm_x86_ops.set_dr6() in favor of a new flag, and
+will also allow for adding similar functionality for re-loading debugctl
+in the active VMCS.
+
+Opportunistically massage the TDX WARN and comment to prepare for adding
+more run_flags, all of which are expected to be mutually exclusive with
+TDX, i.e. should be WARNed on.
+
+No functional change intended.
+
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250610232010.162191-3-seanjc@google.com
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/kvm_host.h |    6 +++++-
+ arch/x86/kvm/svm/svm.c          |    4 ++--
+ arch/x86/kvm/vmx/main.c         |    6 +++---
+ arch/x86/kvm/vmx/tdx.c          |   18 +++++++++---------
+ arch/x86/kvm/vmx/vmx.c          |    3 ++-
+ arch/x86/kvm/vmx/x86_ops.h      |    4 ++--
+ arch/x86/kvm/x86.c              |   11 ++++++++---
+ 7 files changed, 31 insertions(+), 21 deletions(-)
+
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -1680,6 +1680,10 @@ static inline u16 kvm_lapic_irq_dest_mod
+       return dest_mode_logical ? APIC_DEST_LOGICAL : APIC_DEST_PHYSICAL;
+ }
++enum kvm_x86_run_flags {
++      KVM_RUN_FORCE_IMMEDIATE_EXIT    = BIT(0),
++};
++
+ struct kvm_x86_ops {
+       const char *name;
+@@ -1761,7 +1765,7 @@ struct kvm_x86_ops {
+       int (*vcpu_pre_run)(struct kvm_vcpu *vcpu);
+       enum exit_fastpath_completion (*vcpu_run)(struct kvm_vcpu *vcpu,
+-                                                bool force_immediate_exit);
++                                                u64 run_flags);
+       int (*handle_exit)(struct kvm_vcpu *vcpu,
+               enum exit_fastpath_completion exit_fastpath);
+       int (*skip_emulated_instruction)(struct kvm_vcpu *vcpu);
+--- a/arch/x86/kvm/svm/svm.c
++++ b/arch/x86/kvm/svm/svm.c
+@@ -4389,9 +4389,9 @@ static noinstr void svm_vcpu_enter_exit(
+       guest_state_exit_irqoff();
+ }
+-static __no_kcsan fastpath_t svm_vcpu_run(struct kvm_vcpu *vcpu,
+-                                        bool force_immediate_exit)
++static __no_kcsan fastpath_t svm_vcpu_run(struct kvm_vcpu *vcpu, u64 run_flags)
+ {
++      bool force_immediate_exit = run_flags & KVM_RUN_FORCE_IMMEDIATE_EXIT;
+       struct vcpu_svm *svm = to_svm(vcpu);
+       bool spec_ctrl_intercepted = msr_write_intercepted(vcpu, MSR_IA32_SPEC_CTRL);
+--- a/arch/x86/kvm/vmx/main.c
++++ b/arch/x86/kvm/vmx/main.c
+@@ -175,12 +175,12 @@ static int vt_vcpu_pre_run(struct kvm_vc
+       return vmx_vcpu_pre_run(vcpu);
+ }
+-static fastpath_t vt_vcpu_run(struct kvm_vcpu *vcpu, bool force_immediate_exit)
++static fastpath_t vt_vcpu_run(struct kvm_vcpu *vcpu, u64 run_flags)
+ {
+       if (is_td_vcpu(vcpu))
+-              return tdx_vcpu_run(vcpu, force_immediate_exit);
++              return tdx_vcpu_run(vcpu, run_flags);
+-      return vmx_vcpu_run(vcpu, force_immediate_exit);
++      return vmx_vcpu_run(vcpu, run_flags);
+ }
+ static int vt_handle_exit(struct kvm_vcpu *vcpu,
+--- a/arch/x86/kvm/vmx/tdx.c
++++ b/arch/x86/kvm/vmx/tdx.c
+@@ -1025,20 +1025,20 @@ static void tdx_load_host_xsave_state(st
+                               DEBUGCTLMSR_FREEZE_PERFMON_ON_PMI | \
+                               DEBUGCTLMSR_FREEZE_IN_SMM)
+-fastpath_t tdx_vcpu_run(struct kvm_vcpu *vcpu, bool force_immediate_exit)
++fastpath_t tdx_vcpu_run(struct kvm_vcpu *vcpu, u64 run_flags)
+ {
+       struct vcpu_tdx *tdx = to_tdx(vcpu);
+       struct vcpu_vt *vt = to_vt(vcpu);
+       /*
+-       * force_immediate_exit requires vCPU entering for events injection with
+-       * an immediately exit followed. But The TDX module doesn't guarantee
+-       * entry, it's already possible for KVM to _think_ it completely entry
+-       * to the guest without actually having done so.
+-       * Since KVM never needs to force an immediate exit for TDX, and can't
+-       * do direct injection, just warn on force_immediate_exit.
++       * WARN if KVM wants to force an immediate exit, as the TDX module does
++       * not guarantee entry into the guest, i.e. it's possible for KVM to
++       * _think_ it completed entry to the guest and forced an immediate exit
++       * without actually having done so.  Luckily, KVM never needs to force
++       * an immediate exit for TDX (KVM can't do direct event injection, so
++       * just WARN and continue on.
+        */
+-      WARN_ON_ONCE(force_immediate_exit);
++      WARN_ON_ONCE(run_flags);
+       /*
+        * Wait until retry of SEPT-zap-related SEAMCALL completes before
+@@ -1048,7 +1048,7 @@ fastpath_t tdx_vcpu_run(struct kvm_vcpu
+       if (unlikely(READ_ONCE(to_kvm_tdx(vcpu->kvm)->wait_for_sept_zap)))
+               return EXIT_FASTPATH_EXIT_HANDLED;
+-      trace_kvm_entry(vcpu, force_immediate_exit);
++      trace_kvm_entry(vcpu, run_flags & KVM_RUN_FORCE_IMMEDIATE_EXIT);
+       if (pi_test_on(&vt->pi_desc)) {
+               apic->send_IPI_self(POSTED_INTR_VECTOR);
+--- a/arch/x86/kvm/vmx/vmx.c
++++ b/arch/x86/kvm/vmx/vmx.c
+@@ -7323,8 +7323,9 @@ out:
+       guest_state_exit_irqoff();
+ }
+-fastpath_t vmx_vcpu_run(struct kvm_vcpu *vcpu, bool force_immediate_exit)
++fastpath_t vmx_vcpu_run(struct kvm_vcpu *vcpu, u64 run_flags)
+ {
++      bool force_immediate_exit = run_flags & KVM_RUN_FORCE_IMMEDIATE_EXIT;
+       struct vcpu_vmx *vmx = to_vmx(vcpu);
+       unsigned long cr3, cr4;
+--- a/arch/x86/kvm/vmx/x86_ops.h
++++ b/arch/x86/kvm/vmx/x86_ops.h
+@@ -21,7 +21,7 @@ void vmx_vm_destroy(struct kvm *kvm);
+ int vmx_vcpu_precreate(struct kvm *kvm);
+ int vmx_vcpu_create(struct kvm_vcpu *vcpu);
+ int vmx_vcpu_pre_run(struct kvm_vcpu *vcpu);
+-fastpath_t vmx_vcpu_run(struct kvm_vcpu *vcpu, bool force_immediate_exit);
++fastpath_t vmx_vcpu_run(struct kvm_vcpu *vcpu, u64 run_flags);
+ void vmx_vcpu_free(struct kvm_vcpu *vcpu);
+ void vmx_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event);
+ void vmx_vcpu_load(struct kvm_vcpu *vcpu, int cpu);
+@@ -133,7 +133,7 @@ void tdx_vcpu_reset(struct kvm_vcpu *vcp
+ void tdx_vcpu_free(struct kvm_vcpu *vcpu);
+ void tdx_vcpu_load(struct kvm_vcpu *vcpu, int cpu);
+ int tdx_vcpu_pre_run(struct kvm_vcpu *vcpu);
+-fastpath_t tdx_vcpu_run(struct kvm_vcpu *vcpu, bool force_immediate_exit);
++fastpath_t tdx_vcpu_run(struct kvm_vcpu *vcpu, u64 run_flags);
+ void tdx_prepare_switch_to_guest(struct kvm_vcpu *vcpu);
+ void tdx_vcpu_put(struct kvm_vcpu *vcpu);
+ bool tdx_protected_apic_has_interrupt(struct kvm_vcpu *vcpu);
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -10785,6 +10785,7 @@ static int vcpu_enter_guest(struct kvm_v
+               dm_request_for_irq_injection(vcpu) &&
+               kvm_cpu_accept_dm_intr(vcpu);
+       fastpath_t exit_fastpath;
++      u64 run_flags;
+       bool req_immediate_exit = false;
+@@ -11029,8 +11030,11 @@ static int vcpu_enter_guest(struct kvm_v
+               goto cancel_injection;
+       }
+-      if (req_immediate_exit)
++      run_flags = 0;
++      if (req_immediate_exit) {
++              run_flags |= KVM_RUN_FORCE_IMMEDIATE_EXIT;
+               kvm_make_request(KVM_REQ_EVENT, vcpu);
++      }
+       fpregs_assert_state_consistent();
+       if (test_thread_flag(TIF_NEED_FPU_LOAD))
+@@ -11067,8 +11071,7 @@ static int vcpu_enter_guest(struct kvm_v
+               WARN_ON_ONCE((kvm_vcpu_apicv_activated(vcpu) != kvm_vcpu_apicv_active(vcpu)) &&
+                            (kvm_get_apic_mode(vcpu) != LAPIC_MODE_DISABLED));
+-              exit_fastpath = kvm_x86_call(vcpu_run)(vcpu,
+-                                                     req_immediate_exit);
++              exit_fastpath = kvm_x86_call(vcpu_run)(vcpu, run_flags);
+               if (likely(exit_fastpath != EXIT_FASTPATH_REENTER_GUEST))
+                       break;
+@@ -11080,6 +11083,8 @@ static int vcpu_enter_guest(struct kvm_v
+                       break;
+               }
++              run_flags = 0;
++
+               /* Note, VM-Exits that go down the "slow" path are accounted below. */
+               ++vcpu->stat.exits;
+       }
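Review bot: The rewritten comment in `tdx_vcpu_run` has an unbalanced parenthesis: `an immediate exit for TDX (KVM can't do direct event injection, so` opens a bracket that is never closed. Suggest `* an immediate exit for TDX (KVM can't do direct event injection), so` followed by `* just WARN and continue on.`. The `bool force_immediate_exit = run_flags & KVM_RUN_FORCE_IMMEDIATE_EXIT;` lines in svm.c and vmx.c rely on u64-to-bool conversion, which is well defined in C, so nothing is needed there; the same holds for the masked value passed to `trace_kvm_entry()` in tdx.c, assuming its second parameter is bool. The `run_flags = 0;` reset after a REENTER_GUEST fastpath in x86.c clears every flag, which is correct for this flag and worth keeping in mind when more flags are added.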
diff --git a/queue-6.16/kvm-x86-drop-kvm_x86_ops.set_dr6-in-favor-of-a-new-kvm_run-flag.patch b/queue-6.16/kvm-x86-drop-kvm_x86_ops.set_dr6-in-favor-of-a-new-kvm_run-flag.patch
new file mode 100644 (file)
index 0000000..64bd7a5
--- /dev/null
@@ -0,0 +1,148 @@
+From 80c64c7afea1da6a93ebe88d3d29d8a60377ef80 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Tue, 10 Jun 2025 16:20:05 -0700
+Subject: KVM: x86: Drop kvm_x86_ops.set_dr6() in favor of a new KVM_RUN flag
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit 80c64c7afea1da6a93ebe88d3d29d8a60377ef80 upstream.
+
+Instruct vendor code to load the guest's DR6 into hardware via a new
+KVM_RUN flag, and remove kvm_x86_ops.set_dr6(), whose sole purpose was to
+load vcpu->arch.dr6 into hardware when DR6 can be read/written directly
+by the guest.
+
+Note, TDX already WARNs on any run_flag being set, i.e. will yell if KVM
+thinks DR6 needs to be reloaded.  TDX vCPUs force KVM_DEBUGREG_AUTO_SWITCH
+and never clear the flag, i.e. should never observe KVM_RUN_LOAD_GUEST_DR6.
+
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250610232010.162191-4-seanjc@google.com
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/kvm-x86-ops.h |    1 -
+ arch/x86/include/asm/kvm_host.h    |    2 +-
+ arch/x86/kvm/svm/svm.c             |   12 +++++++-----
+ arch/x86/kvm/vmx/main.c            |    9 ---------
+ arch/x86/kvm/vmx/vmx.c             |    9 +++------
+ arch/x86/kvm/x86.c                 |    2 +-
+ 6 files changed, 12 insertions(+), 23 deletions(-)
+
+--- a/arch/x86/include/asm/kvm-x86-ops.h
++++ b/arch/x86/include/asm/kvm-x86-ops.h
+@@ -49,7 +49,6 @@ KVM_X86_OP(set_idt)
+ KVM_X86_OP(get_gdt)
+ KVM_X86_OP(set_gdt)
+ KVM_X86_OP(sync_dirty_debug_regs)
+-KVM_X86_OP(set_dr6)
+ KVM_X86_OP(set_dr7)
+ KVM_X86_OP(cache_reg)
+ KVM_X86_OP(get_rflags)
+--- a/arch/x86/include/asm/kvm_host.h
++++ b/arch/x86/include/asm/kvm_host.h
+@@ -1682,6 +1682,7 @@ static inline u16 kvm_lapic_irq_dest_mod
+ enum kvm_x86_run_flags {
+       KVM_RUN_FORCE_IMMEDIATE_EXIT    = BIT(0),
++      KVM_RUN_LOAD_GUEST_DR6          = BIT(1),
+ };
+ struct kvm_x86_ops {
+@@ -1734,7 +1735,6 @@ struct kvm_x86_ops {
+       void (*get_gdt)(struct kvm_vcpu *vcpu, struct desc_ptr *dt);
+       void (*set_gdt)(struct kvm_vcpu *vcpu, struct desc_ptr *dt);
+       void (*sync_dirty_debug_regs)(struct kvm_vcpu *vcpu);
+-      void (*set_dr6)(struct kvm_vcpu *vcpu, unsigned long value);
+       void (*set_dr7)(struct kvm_vcpu *vcpu, unsigned long value);
+       void (*cache_reg)(struct kvm_vcpu *vcpu, enum kvm_reg reg);
+       unsigned long (*get_rflags)(struct kvm_vcpu *vcpu);
+--- a/arch/x86/kvm/svm/svm.c
++++ b/arch/x86/kvm/svm/svm.c
+@@ -4438,10 +4438,13 @@ static __no_kcsan fastpath_t svm_vcpu_ru
+       svm_hv_update_vp_id(svm->vmcb, vcpu);
+       /*
+-       * Run with all-zero DR6 unless needed, so that we can get the exact cause
+-       * of a #DB.
+-       */
+-      if (likely(!(vcpu->arch.switch_db_regs & KVM_DEBUGREG_WONT_EXIT)))
++       * Run with all-zero DR6 unless the guest can write DR6 freely, so that
++       * KVM can get the exact cause of a #DB.  Note, loading guest DR6 from
++       * KVM's snapshot is only necessary when DR accesses won't exit.
++       */
++      if (unlikely(run_flags & KVM_RUN_LOAD_GUEST_DR6))
++              svm_set_dr6(vcpu, vcpu->arch.dr6);
++      else if (likely(!(vcpu->arch.switch_db_regs & KVM_DEBUGREG_WONT_EXIT)))
+               svm_set_dr6(vcpu, DR6_ACTIVE_LOW);
+       clgi();
+@@ -5252,7 +5255,6 @@ static struct kvm_x86_ops svm_x86_ops __
+       .set_idt = svm_set_idt,
+       .get_gdt = svm_get_gdt,
+       .set_gdt = svm_set_gdt,
+-      .set_dr6 = svm_set_dr6,
+       .set_dr7 = svm_set_dr7,
+       .sync_dirty_debug_regs = svm_sync_dirty_debug_regs,
+       .cache_reg = svm_cache_reg,
+--- a/arch/x86/kvm/vmx/main.c
++++ b/arch/x86/kvm/vmx/main.c
+@@ -489,14 +489,6 @@ static void vt_set_gdt(struct kvm_vcpu *
+       vmx_set_gdt(vcpu, dt);
+ }
+-static void vt_set_dr6(struct kvm_vcpu *vcpu, unsigned long val)
+-{
+-      if (is_td_vcpu(vcpu))
+-              return;
+-
+-      vmx_set_dr6(vcpu, val);
+-}
+-
+ static void vt_set_dr7(struct kvm_vcpu *vcpu, unsigned long val)
+ {
+       if (is_td_vcpu(vcpu))
+@@ -943,7 +935,6 @@ struct kvm_x86_ops vt_x86_ops __initdata
+       .set_idt = vt_op(set_idt),
+       .get_gdt = vt_op(get_gdt),
+       .set_gdt = vt_op(set_gdt),
+-      .set_dr6 = vt_op(set_dr6),
+       .set_dr7 = vt_op(set_dr7),
+       .sync_dirty_debug_regs = vt_op(sync_dirty_debug_regs),
+       .cache_reg = vt_op(cache_reg),
+--- a/arch/x86/kvm/vmx/vmx.c
++++ b/arch/x86/kvm/vmx/vmx.c
+@@ -5606,12 +5606,6 @@ void vmx_sync_dirty_debug_regs(struct kv
+       set_debugreg(DR6_RESERVED, 6);
+ }
+-void vmx_set_dr6(struct kvm_vcpu *vcpu, unsigned long val)
+-{
+-      lockdep_assert_irqs_disabled();
+-      set_debugreg(vcpu->arch.dr6, 6);
+-}
+-
+ void vmx_set_dr7(struct kvm_vcpu *vcpu, unsigned long val)
+ {
+       vmcs_writel(GUEST_DR7, val);
+@@ -7370,6 +7364,9 @@ fastpath_t vmx_vcpu_run(struct kvm_vcpu
+               vmcs_writel(GUEST_RIP, vcpu->arch.regs[VCPU_REGS_RIP]);
+       vcpu->arch.regs_dirty = 0;
++      if (run_flags & KVM_RUN_LOAD_GUEST_DR6)
++              set_debugreg(vcpu->arch.dr6, 6);
++
+       /*
+        * Refresh vmcs.HOST_CR3 if necessary.  This must be done immediately
+        * prior to VM-Enter, as the kernel may load a new ASID (PCID) any time
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -11052,7 +11052,7 @@ static int vcpu_enter_guest(struct kvm_v
+               set_debugreg(vcpu->arch.eff_db[3], 3);
+               /* When KVM_DEBUGREG_WONT_EXIT, dr6 is accessible in guest. */
+               if (unlikely(vcpu->arch.switch_db_regs & KVM_DEBUGREG_WONT_EXIT))
+-                      kvm_x86_call(set_dr6)(vcpu, vcpu->arch.dr6);
++                      run_flags |= KVM_RUN_LOAD_GUEST_DR6;
+       } else if (unlikely(hw_breakpoint_active())) {
+               set_debugreg(DR7_FIXED_1, 7);
+       }
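Review bot: Removing `vmx_set_dr6()` also drops its `lockdep_assert_irqs_disabled()`, and the replacement `set_debugreg(vcpu->arch.dr6, 6)` in `vmx_vcpu_run` carries no equivalent assertion. If vmx_vcpu_run is always entered with interrupts disabled (its caller in x86.c is outside this hunk, so I cannot confirm), the assertion is redundant and a short comment saying so would suffice; otherwise keeping `lockdep_assert_irqs_disabled();` next to the new write preserves the old check. The svm.c side is fine: `svm_set_dr6(vcpu, vcpu->arch.dr6)` is tried before the `DR6_ACTIVE_LOW` default, so the WONT_EXIT case no longer depends on the removed op. `vmx_vcpu_run` starts and ends outside the hunk.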
diff --git a/queue-6.16/media-ti-j721e-csi2rx-fix-list_del-corruption.patch b/queue-6.16/media-ti-j721e-csi2rx-fix-list_del-corruption.patch
new file mode 100644 (file)
index 0000000..f7a9b10
--- /dev/null
@@ -0,0 +1,96 @@
+From ae42c6fe531425ef2f47e82f96851427d24bbf6b Mon Sep 17 00:00:00 2001
+From: Julien Massot <julien.massot@collabora.com>
+Date: Mon, 30 Jun 2025 12:46:43 +0200
+Subject: media: ti: j721e-csi2rx: fix list_del corruption
+
+From: Julien Massot <julien.massot@collabora.com>
+
+commit ae42c6fe531425ef2f47e82f96851427d24bbf6b upstream.
+
+If ti_csi2rx_start_dma() fails in ti_csi2rx_dma_callback(), the buffer is
+marked done with VB2_BUF_STATE_ERROR but is not removed from the DMA queue.
+This causes the same buffer to be retried in the next iteration, resulting
+in a double list_del() and eventual list corruption.
+
+Fix this by removing the buffer from the queue before calling
+vb2_buffer_done() on error.
+
+This resolves a crash due to list_del corruption:
+[   37.811243] j721e-csi2rx 30102000.ticsi2rx: Failed to queue the next buffer for DMA
+[   37.832187]  slab kmalloc-2k start ffff00000255b000 pointer offset 1064 size 2048
+[   37.839761] list_del corruption. next->prev should be ffff00000255bc28, but was ffff00000255d428. (next=ffff00000255b428)
+[   37.850799] ------------[ cut here ]------------
+[   37.855424] kernel BUG at lib/list_debug.c:65!
+[   37.859876] Internal error: Oops - BUG: 00000000f2000800 [#1]  SMP
+[   37.866061] Modules linked in: i2c_dev usb_f_rndis u_ether libcomposite dwc3 udc_core usb_common aes_ce_blk aes_ce_cipher ghash_ce gf128mul sha1_ce cpufreq_dt dwc3_am62 phy_gmii_sel sa2ul
+[   37.882830] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.16.0-rc3+ #28 VOLUNTARY
+[   37.890851] Hardware name: Bosch STLA-GSRV2-B0 (DT)
+[   37.895737] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[   37.902703] pc : __list_del_entry_valid_or_report+0xdc/0x114
+[   37.908390] lr : __list_del_entry_valid_or_report+0xdc/0x114
+[   37.914059] sp : ffff800080003db0
+[   37.917375] x29: ffff800080003db0 x28: 0000000000000007 x27: ffff800080e50000
+[   37.924521] x26: 0000000000000000 x25: ffff0000016abb50 x24: dead000000000122
+[   37.931666] x23: ffff0000016abb78 x22: ffff0000016ab080 x21: ffff800080003de0
+[   37.938810] x20: ffff00000255bc00 x19: ffff00000255b800 x18: 000000000000000a
+[   37.945956] x17: 20747562202c3832 x16: 6362353532303030 x15: 0720072007200720
+[   37.953101] x14: 0720072007200720 x13: 0720072007200720 x12: 00000000ffffffea
+[   37.960248] x11: ffff800080003b18 x10: 00000000ffffefff x9 : ffff800080f5b568
+[   37.967396] x8 : ffff800080f5b5c0 x7 : 0000000000017fe8 x6 : c0000000ffffefff
+[   37.974542] x5 : ffff00000fea6688 x4 : 0000000000000000 x3 : 0000000000000000
+[   37.981686] x2 : 0000000000000000 x1 : ffff800080ef2b40 x0 : 000000000000006d
+[   37.988832] Call trace:
+[   37.991281]  __list_del_entry_valid_or_report+0xdc/0x114 (P)
+[   37.996959]  ti_csi2rx_dma_callback+0x84/0x1c4
+[   38.001419]  udma_vchan_complete+0x1e0/0x344
+[   38.005705]  tasklet_action_common+0x118/0x310
+[   38.010163]  tasklet_action+0x30/0x3c
+[   38.013832]  handle_softirqs+0x10c/0x2e0
+[   38.017761]  __do_softirq+0x14/0x20
+[   38.021256]  ____do_softirq+0x10/0x20
+[   38.024931]  call_on_irq_stack+0x24/0x60
+[   38.028873]  do_softirq_own_stack+0x1c/0x40
+[   38.033064]  __irq_exit_rcu+0x130/0x15c
+[   38.036909]  irq_exit_rcu+0x10/0x20
+[   38.040403]  el1_interrupt+0x38/0x60
+[   38.043987]  el1h_64_irq_handler+0x18/0x24
+[   38.048091]  el1h_64_irq+0x6c/0x70
+[   38.051501]  default_idle_call+0x34/0xe0 (P)
+[   38.055783]  do_idle+0x1f8/0x250
+[   38.059021]  cpu_startup_entry+0x34/0x3c
+[   38.062951]  rest_init+0xb4/0xc0
+[   38.066186]  console_on_rootfs+0x0/0x6c
+[   38.070031]  __primary_switched+0x88/0x90
+[   38.074059] Code: b00037e0 91378000 f9400462 97e9bf49 (d4210000)
+[   38.080168] ---[ end trace 0000000000000000 ]---
+[   38.084795] Kernel panic - not syncing: Oops - BUG: Fatal exception in interrupt
+[   38.092197] SMP: stopping secondary CPUs
+[   38.096139] Kernel Offset: disabled
+[   38.099631] CPU features: 0x0000,00002000,02000801,0400420b
+[   38.105202] Memory Limit: none
+[   38.108260] ---[ end Kernel panic - not syncing: Oops - BUG: Fatal exception in interrupt ]---
+
+Fixes: b4a3d877dc92 ("media: ti: Add CSI2RX support for J721E")
+Cc: stable@vger.kernel.org
+Suggested-by: Sjoerd Simons <sjoerd@collabora.com>
+Signed-off-by: Sjoerd Simons <sjoerd@collabora.com>
+Signed-off-by: Julien Massot <julien.massot@collabora.com>
+Reviewed-by: Jai Luthra <jai.luthra@linux.dev>
+Tested-by: Dirk Behme <dirk.behme@de.bosch.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/ti/j721e-csi2rx/j721e-csi2rx.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/media/platform/ti/j721e-csi2rx/j721e-csi2rx.c
++++ b/drivers/media/platform/ti/j721e-csi2rx/j721e-csi2rx.c
+@@ -619,6 +619,7 @@ static void ti_csi2rx_dma_callback(void
+               if (ti_csi2rx_start_dma(csi, buf)) {
+                       dev_err(csi->dev, "Failed to queue the next buffer for DMA\n");
++                      list_del(&buf->list);
+                       vb2_buffer_done(&buf->vb.vb2_buf, VB2_BUF_STATE_ERROR);
+               } else {
+                       list_move_tail(&buf->list, &dma->submitted);
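Review bot: The added `list_del(&buf->list)` fixes the double removal but leaves no hint of why the buffer must leave the queue before `vb2_buffer_done()`; a comment such as `/* Drop the buffer from the queue so the next callback does not retry (and list_del()) it again. */` would keep a future reader from "simplifying" it away. `ti_csi2rx_dma_callback` starts and ends outside this hunk, so I cannot see which lock protects the list at this point; the `list_move_tail` on the else branch suggests the same lock covers both paths, in which case the new list_del needs nothing further.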
diff --git a/queue-6.16/mips-mm-tlb-r4k-uniquify-tlb-entries-on-init.patch b/queue-6.16/mips-mm-tlb-r4k-uniquify-tlb-entries-on-init.patch
new file mode 100644 (file)
index 0000000..1e2546c
--- /dev/null
@@ -0,0 +1,98 @@
+From 35ad7e181541aa5757f9f316768d3e64403ec843 Mon Sep 17 00:00:00 2001
+From: Jiaxun Yang <jiaxun.yang@flygoat.com>
+Date: Sat, 7 Jun 2025 13:43:56 +0100
+Subject: MIPS: mm: tlb-r4k: Uniquify TLB entries on init
+
+From: Jiaxun Yang <jiaxun.yang@flygoat.com>
+
+commit 35ad7e181541aa5757f9f316768d3e64403ec843 upstream.
+
+Hardware or bootloader will initialize TLB entries to any value, which
+may collide with kernel's UNIQUE_ENTRYHI value. On MIPS microAptiv/M5150
+family of cores this will trigger machine check exception and cause boot
+failure. On M5150 simulation this could happen 7 times out of 1000 boots.
+
+Replace local_flush_tlb_all() with r4k_tlb_uniquify() which probes each
+TLB ENTRIHI unique value for collisions before it's written, and in case
+of collision try a different ASID.
+
+Cc: stable@kernel.org
+Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/mm/tlb-r4k.c |   56 ++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 55 insertions(+), 1 deletion(-)
+
+--- a/arch/mips/mm/tlb-r4k.c
++++ b/arch/mips/mm/tlb-r4k.c
+@@ -508,6 +508,60 @@ static int __init set_ntlb(char *str)
+ __setup("ntlb=", set_ntlb);
++/* Initialise all TLB entries with unique values */
++static void r4k_tlb_uniquify(void)
++{
++      int entry = num_wired_entries();
++
++      htw_stop();
++      write_c0_entrylo0(0);
++      write_c0_entrylo1(0);
++
++      while (entry < current_cpu_data.tlbsize) {
++              unsigned long asid_mask = cpu_asid_mask(&current_cpu_data);
++              unsigned long asid = 0;
++              int idx;
++
++              /* Skip wired MMID to make ginvt_mmid work */
++              if (cpu_has_mmid)
++                      asid = MMID_KERNEL_WIRED + 1;
++
++              /* Check for match before using UNIQUE_ENTRYHI */
++              do {
++                      if (cpu_has_mmid) {
++                              write_c0_memorymapid(asid);
++                              write_c0_entryhi(UNIQUE_ENTRYHI(entry));
++                      } else {
++                              write_c0_entryhi(UNIQUE_ENTRYHI(entry) | asid);
++                      }
++                      mtc0_tlbw_hazard();
++                      tlb_probe();
++                      tlb_probe_hazard();
++                      idx = read_c0_index();
++                      /* No match or match is on current entry */
++                      if (idx < 0 || idx == entry)
++                              break;
++                      /*
++                       * If we hit a match, we need to try again with
++                       * a different ASID.
++                       */
++                      asid++;
++              } while (asid < asid_mask);
++
++              if (idx >= 0 && idx != entry)
++                      panic("Unable to uniquify TLB entry %d", idx);
++
++              write_c0_index(entry);
++              mtc0_tlbw_hazard();
++              tlb_write_indexed();
++              entry++;
++      }
++
++      tlbw_use_hazard();
++      htw_start();
++      flush_micro_tlb();
++}
++
+ /*
+  * Configure TLB (for init or after a CPU has been powered off).
+  */
+@@ -547,7 +601,7 @@ static void r4k_tlb_configure(void)
+       temp_tlb_entry = current_cpu_data.tlbsize - 1;
+       /* From this point on the ARC firmware is dead.  */
+-      local_flush_tlb_all();
++      r4k_tlb_uniquify();
+       /* Did I tell you that ARC SUCKS?  */
+ }
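Review bot: In the new `r4k_tlb_uniquify()` the retry loop stops at `asid < asid_mask`, so the highest ASID value (`asid_mask` itself) is never tried before the `panic()`; if that value is reserved on purpose a comment should say so, otherwise `} while (asid <= asid_mask);` gives the probe one more candidate. The panic message reports `idx`, the entry that collided, rather than `entry`, the one being initialised; printing both, `panic("Unable to uniquify TLB entry %d (matches entry %d)", entry, idx);`, makes a boot failure easier to diagnose. `asid_mask` is loop-invariant and could be computed once above the `while`. `idx` is always assigned because the do/while body runs at least once, so there is no uninitialised read there.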
diff --git a/queue-6.16/mm-hmm-move-pmd_to_hmm_pfn_flags-to-the-respective-ifdeffery.patch b/queue-6.16/mm-hmm-move-pmd_to_hmm_pfn_flags-to-the-respective-ifdeffery.patch
new file mode 100644 (file)
index 0000000..80e8469
--- /dev/null
@@ -0,0 +1,56 @@
+From 188cb385bbf04d486df3e52f28c47b3961f5f0c0 Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Thu, 10 Jul 2025 11:23:53 +0300
+Subject: mm/hmm: move pmd_to_hmm_pfn_flags() to the respective #ifdeffery
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+commit 188cb385bbf04d486df3e52f28c47b3961f5f0c0 upstream.
+
+When pmd_to_hmm_pfn_flags() is unused, it prevents kernel builds with
+clang, `make W=1` and CONFIG_TRANSPARENT_HUGEPAGE=n:
+
+  mm/hmm.c:186:29: warning: unused function 'pmd_to_hmm_pfn_flags' [-Wunused-function]
+
+Fix this by moving the function into the existing #ifdef CONFIG_TRANSPARENT_HUGEPAGE
+block that already encloses its only user.
+
+See also:
+
+  6863f5643dd7 ("kbuild: allow Clang to find unused static inline functions for W=1 build")
+
+Link: https://lkml.kernel.org/r/20250710082403.664093-1-andriy.shevchenko@linux.intel.com
+Fixes: 992de9a8b751 ("mm/hmm: allow to mirror vma of a file on a DAX backed filesystem")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Reviewed-by: Alistair Popple <apopple@nvidia.com>
+Cc: Andriy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Bill Wendling <morbo@google.com>
+Cc: Jerome Glisse <jglisse@redhat.com>
+Cc: Justin Stitt <justinstitt@google.com>
+Cc: Nathan Chancellor <nathan@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/hmm.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/hmm.c
++++ b/mm/hmm.c
+@@ -183,6 +183,7 @@ static inline unsigned long hmm_pfn_flag
+       return order << HMM_PFN_ORDER_SHIFT;
+ }
++#ifdef CONFIG_TRANSPARENT_HUGEPAGE
+ static inline unsigned long pmd_to_hmm_pfn_flags(struct hmm_range *range,
+                                                pmd_t pmd)
+ {
+@@ -193,7 +194,6 @@ static inline unsigned long pmd_to_hmm_p
+              hmm_pfn_flags_order(PMD_SHIFT - PAGE_SHIFT);
+ }
+-#ifdef CONFIG_TRANSPARENT_HUGEPAGE
+ static int hmm_vma_handle_pmd(struct mm_walk *walk, unsigned long addr,
+                             unsigned long end, unsigned long hmm_pfns[],
+                             pmd_t pmd)
diff --git a/queue-6.16/mm-shmem-fix-the-shmem-large-folio-allocation-for-the-i915-driver.patch b/queue-6.16/mm-shmem-fix-the-shmem-large-folio-allocation-for-the-i915-driver.patch
new file mode 100644 (file)
index 0000000..6fa99dc
--- /dev/null
@@ -0,0 +1,66 @@
+From 8d58d65621118fdca3ed6a0b3d658ba7e0e5153c Mon Sep 17 00:00:00 2001
+From: Baolin Wang <baolin.wang@linux.alibaba.com>
+Date: Thu, 31 Jul 2025 09:53:43 +0800
+Subject: mm: shmem: fix the shmem large folio allocation for the i915 driver
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Baolin Wang <baolin.wang@linux.alibaba.com>
+
+commit 8d58d65621118fdca3ed6a0b3d658ba7e0e5153c upstream.
+
+After commit acd7ccb284b8 ("mm: shmem: add large folio support for
+tmpfs"), we extend the 'huge=' option to allow any sized large folios for
+tmpfs, which means tmpfs will allow getting a highest order hint based on
+the size of write() and fallocate() paths, and then will try each
+allowable large order.
+
+However, when the i915 driver allocates shmem memory, it doesn't provide
+hint information about the size of the large folio to be allocated,
+resulting in the inability to allocate PMD-sized shmem, which in turn
+affects GPU performance.
+
+Patryk added:
+
+: In my tests, the performance drop ranges from a few percent up to 13%
+: in Unigine Superposition under heavy memory usage on the CPU Core Ultra
+: 155H with the Xe 128 EU GPU.  Other users have reported performance
+: impact up to 30% on certain workloads.  Please find more in the
+: regressions reports:
+: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/14645
+: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/13845
+:
+: I believe the change should be backported to all active kernel branches
+: after version 6.12.
+
+To fix this issue, we can use the inode's size as a write size hint in
+shmem_read_folio_gfp() to help allocate PMD-sized large folios.
+
+Link: https://lkml.kernel.org/r/f7e64e99a3a87a8144cc6b2f1dddf7a89c12ce44.1753926601.git.baolin.wang@linux.alibaba.com
+Fixes: acd7ccb284b8 ("mm: shmem: add large folio support for tmpfs")
+Signed-off-by: Baolin Wang <baolin.wang@linux.alibaba.com>
+Reported-by: Patryk Kowalczyk <patryk@kowalczyk.ws>
+Reported-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Tested-by: Patryk Kowalczyk <patryk@kowalczyk.ws>
+Suggested-by: Hugh Dickins <hughd@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/shmem.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -5928,8 +5928,8 @@ struct folio *shmem_read_folio_gfp(struc
+       struct folio *folio;
+       int error;
+-      error = shmem_get_folio_gfp(inode, index, 0, &folio, SGP_CACHE,
+-                                  gfp, NULL, NULL);
++      error = shmem_get_folio_gfp(inode, index, i_size_read(inode),
++                                  &folio, SGP_CACHE, gfp, NULL, NULL);
+       if (error)
+               return ERR_PTR(error);
diff --git a/queue-6.16/mm-swap-correctly-use-maxpages-in-swapon-syscall-to-avoid-potential-deadloop.patch b/queue-6.16/mm-swap-correctly-use-maxpages-in-swapon-syscall-to-avoid-potential-deadloop.patch
new file mode 100644 (file)
index 0000000..5026efa
--- /dev/null
@@ -0,0 +1,176 @@
+From 255116c5b0fa2145ede28c2f7b248df5e73834d1 Mon Sep 17 00:00:00 2001
+From: Kemeng Shi <shikemeng@huaweicloud.com>
+Date: Thu, 22 May 2025 20:25:52 +0800
+Subject: mm: swap: correctly use maxpages in swapon syscall to avoid potential deadloop
+
+From: Kemeng Shi <shikemeng@huaweicloud.com>
+
+commit 255116c5b0fa2145ede28c2f7b248df5e73834d1 upstream.
+
+We use maxpages from read_swap_header() to initialize swap_info_struct,
+however the maxpages might be reduced in setup_swap_extents() and the
+si->max is assigned with the reduced maxpages from the
+setup_swap_extents().
+
+Obviously, this could lead to memory waste as we allocated memory based on
+larger maxpages, besides, this could lead to a potential deadloop as
+following:
+
+1) When calling setup_clusters() with larger maxpages, unavailable
+   pages within range [si->max, larger maxpages) are not accounted with
+   inc_cluster_info_page().  As a result, these pages are assumed
+   available but can not be allocated.  The cluster contains these pages
+   can be moved to frag_clusters list after it's all available pages were
+   allocated.
+
+2) When the cluster mentioned in 1) is the only cluster in
+   frag_clusters list, cluster_alloc_swap_entry() assume order 0
+   allocation will never failed and will enter a deadloop by keep trying
+   to allocate page from the only cluster in frag_clusters which contains
+   no actually available page.
+
+Call setup_swap_extents() to get the final maxpages before
+swap_info_struct initialization to fix the issue.
+
+After this change, span will include badblocks and will become large
+value which I think is correct value:
+In summary, there are two kinds of swapfile_activate operations.
+
+1. Filesystem style: Treat all blocks logical continuity and find
+   usable physical extents in logical range.  In this way, si->pages will
+   be actual usable physical blocks and span will be "1 + highest_block -
+   lowest_block".
+
+2. Block device style: Treat all blocks physically continue and only
+   one single extent is added.  In this way, si->pages will be si->max and
+   span will be "si->pages - 1".  Actually, si->pages and si->max is only
+   used in block device style and span value is set with si->pages.  As a
+   result, span value in block device style will become a larger value as
+   you mentioned.
+
+I think larger value is correct based on:
+
+1. Span value in filesystem style is "1 + highest_block -
+   lowest_block", which is the range covering all possible physical blocks
+   including the badblocks.
+
+2. For block device style, si->pages is the actual usable block number
+   and is already in pr_info.  The original span value before this patch
+   is also refer to usable block number which is redundant in pr_info.
+
+[shikemeng@huaweicloud.com: ensure si->pages == si->max - 1 after setup_swap_extents()]
+  Link: https://lkml.kernel.org/r/20250522122554.12209-3-shikemeng@huaweicloud.com
+  Link: https://lkml.kernel.org/r/20250718065139.61989-1-shikemeng@huaweicloud.com
+Link: https://lkml.kernel.org/r/20250522122554.12209-3-shikemeng@huaweicloud.com
+Fixes: 661383c6111a ("mm: swap: relaim the cached parts that got scanned")
+Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com>
+Reviewed-by: Baoquan He <bhe@redhat.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Kairui Song <kasong@tencent.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/swapfile.c |   53 ++++++++++++++++++++++++++---------------------------
+ 1 file changed, 26 insertions(+), 27 deletions(-)
+
+--- a/mm/swapfile.c
++++ b/mm/swapfile.c
+@@ -3141,43 +3141,30 @@ static unsigned long read_swap_header(st
+       return maxpages;
+ }
+-static int setup_swap_map_and_extents(struct swap_info_struct *si,
+-                                      union swap_header *swap_header,
+-                                      unsigned char *swap_map,
+-                                      unsigned long maxpages,
+-                                      sector_t *span)
++static int setup_swap_map(struct swap_info_struct *si,
++                        union swap_header *swap_header,
++                        unsigned char *swap_map,
++                        unsigned long maxpages)
+ {
+-      unsigned int nr_good_pages;
+       unsigned long i;
+-      int nr_extents;
+-
+-      nr_good_pages = maxpages - 1;   /* omit header page */
++      swap_map[0] = SWAP_MAP_BAD; /* omit header page */
+       for (i = 0; i < swap_header->info.nr_badpages; i++) {
+               unsigned int page_nr = swap_header->info.badpages[i];
+               if (page_nr == 0 || page_nr > swap_header->info.last_page)
+                       return -EINVAL;
+               if (page_nr < maxpages) {
+                       swap_map[page_nr] = SWAP_MAP_BAD;
+-                      nr_good_pages--;
++                      si->pages--;
+               }
+       }
+-      if (nr_good_pages) {
+-              swap_map[0] = SWAP_MAP_BAD;
+-              si->max = maxpages;
+-              si->pages = nr_good_pages;
+-              nr_extents = setup_swap_extents(si, span);
+-              if (nr_extents < 0)
+-                      return nr_extents;
+-              nr_good_pages = si->pages;
+-      }
+-      if (!nr_good_pages) {
++      if (!si->pages) {
+               pr_warn("Empty swap-file\n");
+               return -EINVAL;
+       }
+-      return nr_extents;
++      return 0;
+ }
+ #define SWAP_CLUSTER_INFO_COLS                                                \
+@@ -3217,7 +3204,7 @@ static struct swap_cluster_info *setup_c
+        * Mark unusable pages as unavailable. The clusters aren't
+        * marked free yet, so no list operations are involved yet.
+        *
+-       * See setup_swap_map_and_extents(): header page, bad pages,
++       * See setup_swap_map(): header page, bad pages,
+        * and the EOF part of the last cluster.
+        */
+       inc_cluster_info_page(si, cluster_info, 0);
+@@ -3363,6 +3350,21 @@ SYSCALL_DEFINE2(swapon, const char __use
+               goto bad_swap_unlock_inode;
+       }
++      si->max = maxpages;
++      si->pages = maxpages - 1;
++      nr_extents = setup_swap_extents(si, &span);
++      if (nr_extents < 0) {
++              error = nr_extents;
++              goto bad_swap_unlock_inode;
++      }
++      if (si->pages != si->max - 1) {
++              pr_err("swap:%u != (max:%u - 1)\n", si->pages, si->max);
++              error = -EINVAL;
++              goto bad_swap_unlock_inode;
++      }
++
++      maxpages = si->max;
++
+       /* OK, set up the swap map and apply the bad block list */
+       swap_map = vzalloc(maxpages);
+       if (!swap_map) {
+@@ -3374,12 +3376,9 @@ SYSCALL_DEFINE2(swapon, const char __use
+       if (error)
+               goto bad_swap_unlock_inode;
+-      nr_extents = setup_swap_map_and_extents(si, swap_header, swap_map,
+-                                              maxpages, &span);
+-      if (unlikely(nr_extents < 0)) {
+-              error = nr_extents;
++      error = setup_swap_map(si, swap_header, swap_map, maxpages);
++      if (error)
+               goto bad_swap_unlock_inode;
+-      }
+       /*
+        * Use kvmalloc_array instead of bitmap_zalloc as the allocation order might
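Review bot: setup_swap_map() still decrements the good-page count once per badpages[] entry (`si->pages--` under `if (page_nr < maxpages)`), so a header that lists the same page number twice marks swap_map[page_nr] bad once but subtracts it twice; on a small swapfile that can carry si->pages (unsigned, per the `%u` in the new pr_err) through zero, and the `if (!si->pages)` empty-device check no longer fires. This is inherited from the removed `nr_good_pages--` rather than introduced here, but since the function is being rewritten it is the moment to make the count follow the map, which vzalloc() has just zeroed: `if (page_nr < maxpages && swap_map[page_nr] != SWAP_MAP_BAD) {` in place of the current condition, keeping the assignment and decrement inside. swapon() is CAP_SYS_ADMIN-only, so this is robustness against a corrupt header rather than a privilege boundary. The swapon() body continues outside the hunk.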
diff --git a/queue-6.16/mm-swap-fix-potential-buffer-overflow-in-setup_clusters.patch b/queue-6.16/mm-swap-fix-potential-buffer-overflow-in-setup_clusters.patch
new file mode 100644 (file)
index 0000000..af83038
--- /dev/null
@@ -0,0 +1,48 @@
+From 152c1339dc13ad46f1b136e8693de15980750835 Mon Sep 17 00:00:00 2001
+From: Kemeng Shi <shikemeng@huaweicloud.com>
+Date: Thu, 22 May 2025 20:25:53 +0800
+Subject: mm: swap: fix potential buffer overflow in setup_clusters()
+
+From: Kemeng Shi <shikemeng@huaweicloud.com>
+
+commit 152c1339dc13ad46f1b136e8693de15980750835 upstream.
+
+In setup_swap_map(), we only ensure badpages are in range (0, last_page].
+As maxpages might be < last_page, setup_clusters() will encounter a buffer
+overflow when a badpage is >= maxpages.
+
+Only call inc_cluster_info_page() for badpage which is < maxpages to fix
+the issue.
+
+Link: https://lkml.kernel.org/r/20250522122554.12209-4-shikemeng@huaweicloud.com
+Fixes: b843786b0bd0 ("mm: swapfile: fix SSD detection with swapfile on btrfs")
+Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com>
+Reviewed-by: Baoquan He <bhe@redhat.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Kairui Song <kasong@tencent.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/swapfile.c |   10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/mm/swapfile.c
++++ b/mm/swapfile.c
+@@ -3208,9 +3208,13 @@ static struct swap_cluster_info *setup_c
+        * and the EOF part of the last cluster.
+        */
+       inc_cluster_info_page(si, cluster_info, 0);
+-      for (i = 0; i < swap_header->info.nr_badpages; i++)
+-              inc_cluster_info_page(si, cluster_info,
+-                                    swap_header->info.badpages[i]);
++      for (i = 0; i < swap_header->info.nr_badpages; i++) {
++              unsigned int page_nr = swap_header->info.badpages[i];
++
++              if (page_nr >= maxpages)
++                      continue;
++              inc_cluster_info_page(si, cluster_info, page_nr);
++      }
+       for (i = maxpages; i < round_up(maxpages, SWAPFILE_CLUSTER); i++)
+               inc_cluster_info_page(si, cluster_info, i);
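Review bot: the new `if (page_nr >= maxpages) continue;` is the only check in this loop, so rejection of page_nr == 0 and page_nr > last_page happens solely in setup_swap_map(), and this code silently depends on that function having run first; a one-line comment would make the ordering explicit, e.g. `/* 0 and > last_page were rejected by setup_swap_map(); entries past a (possibly shrunk) maxpages are ignored */`. As in setup_swap_map(), a page listed twice in badpages[] reaches inc_cluster_info_page() twice, which presumably over-counts that cluster; whether that matters depends on how the count is consumed, which is not visible here. setup_clusters() starts and ends outside the hunk.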
diff --git a/queue-6.16/mm-swap-move-nr_swap_pages-counter-decrement-from-folio_alloc_swap-to-swap_range_alloc.patch b/queue-6.16/mm-swap-move-nr_swap_pages-counter-decrement-from-folio_alloc_swap-to-swap_range_alloc.patch
new file mode 100644 (file)
index 0000000..0fab606
--- /dev/null
@@ -0,0 +1,58 @@
+From 4f78252da887ee7e9d1875dd6e07d9baa936c04f Mon Sep 17 00:00:00 2001
+From: Kemeng Shi <shikemeng@huaweicloud.com>
+Date: Thu, 22 May 2025 20:25:51 +0800
+Subject: mm: swap: move nr_swap_pages counter decrement from folio_alloc_swap() to swap_range_alloc()
+
+From: Kemeng Shi <shikemeng@huaweicloud.com>
+
+commit 4f78252da887ee7e9d1875dd6e07d9baa936c04f upstream.
+
+Patch series "Some randome fixes and cleanups to swapfile".
+
+Patch 0-3 are some random fixes.  Patch 4 is a cleanup.  More details can
+be found in respective patches.
+
+
+This patch (of 4):
+
+When folio_alloc_swap() encounters a failure in either
+mem_cgroup_try_charge_swap() or add_to_swap_cache(), nr_swap_pages counter
+is not decremented for allocated entry.  However, the following
+put_swap_folio() will increase nr_swap_pages counter unpairly and lead to
+an imbalance.
+
+Move nr_swap_pages decrement from folio_alloc_swap() to swap_range_alloc()
+to pair the nr_swap_pages counting.
+
+Link: https://lkml.kernel.org/r/20250522122554.12209-1-shikemeng@huaweicloud.com
+Link: https://lkml.kernel.org/r/20250522122554.12209-2-shikemeng@huaweicloud.com
+Fixes: 0ff67f990bd4 ("mm, swap: remove swap slot cache")
+Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com>
+Reviewed-by: Kairui Song <kasong@tencent.com>
+Reviewed-by: Baoquan He <bhe@redhat.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/swapfile.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/swapfile.c
++++ b/mm/swapfile.c
+@@ -1115,6 +1115,7 @@ static void swap_range_alloc(struct swap
+               if (vm_swap_full())
+                       schedule_work(&si->reclaim_work);
+       }
++      atomic_long_sub(nr_entries, &nr_swap_pages);
+ }
+ static void swap_range_free(struct swap_info_struct *si, unsigned long offset,
+@@ -1313,7 +1314,6 @@ int folio_alloc_swap(struct folio *folio
+       if (add_to_swap_cache(folio, entry, gfp | __GFP_NOMEMALLOC, NULL))
+               goto out_free;
+-      atomic_long_sub(size, &nr_swap_pages);
+       return 0;
+ out_free:
diff --git a/queue-6.16/perf-arm-ni-set-initial-irq-affinity.patch b/queue-6.16/perf-arm-ni-set-initial-irq-affinity.patch
new file mode 100644 (file)
index 0000000..661d8aa
--- /dev/null
@@ -0,0 +1,34 @@
+From c872d7c837382517c51a76dfdcf550332cfab231 Mon Sep 17 00:00:00 2001
+From: Robin Murphy <robin.murphy@arm.com>
+Date: Tue, 13 May 2025 16:38:58 +0100
+Subject: perf/arm-ni: Set initial IRQ affinity
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+commit c872d7c837382517c51a76dfdcf550332cfab231 upstream.
+
+While we do request our IRQs with the right flags to stop their affinity
+changing unexpectedly, we forgot to actually set it to start with. Oops.
+
+Cc: stable@vger.kernel.org
+Fixes: 4d5a7680f2b4 ("perf: Add driver for Arm NI-700 interconnect PMU")
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Tested-by: Shouping Wang <allen.wang@hj-micro.com>
+Link: https://lore.kernel.org/r/614ced9149ee8324e58930862bd82cbf46228d27.1747149165.git.robin.murphy@arm.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/perf/arm-ni.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/perf/arm-ni.c
++++ b/drivers/perf/arm-ni.c
+@@ -544,6 +544,8 @@ static int arm_ni_init_cd(struct arm_ni
+               return err;
+       cd->cpu = cpumask_local_spread(0, dev_to_node(ni->dev));
++      irq_set_affinity(cd->irq, cpumask_of(cd->cpu));
++
+       cd->pmu = (struct pmu) {
+               .module = THIS_MODULE,
+               .parent = ni->dev,
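Review bot: the added `irq_set_affinity(cd->irq, cpumask_of(cd->cpu));` discards the int it returns, while the code just above checks `err` from the request (`return err;`); if the call fails the IRQ stays on whatever CPU the core chose and the fix is silently a no-op. Since the driver presumably re-homes the IRQ on CPU hotplug anyway, a warning rather than a hard failure seems proportionate: `if (irq_set_affinity(cd->irq, cpumask_of(cd->cpu))) dev_warn(ni->dev, "failed to set initial IRQ affinity\n");`. arm_ni_init_cd() starts and ends outside the hunk.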
diff --git a/queue-6.16/platform-x86-intel-pmt-fix-a-crashlog-null-pointer-access.patch b/queue-6.16/platform-x86-intel-pmt-fix-a-crashlog-null-pointer-access.patch
new file mode 100644 (file)
index 0000000..5ec2cf5
--- /dev/null
@@ -0,0 +1,79 @@
+From 54d5cd4719c5e87f33d271c9ac2e393147d934f8 Mon Sep 17 00:00:00 2001
+From: "Michael J. Ruhl" <michael.j.ruhl@intel.com>
+Date: Sun, 13 Jul 2025 13:29:31 -0400
+Subject: platform/x86/intel/pmt: fix a crashlog NULL pointer access
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michael J. Ruhl <michael.j.ruhl@intel.com>
+
+commit 54d5cd4719c5e87f33d271c9ac2e393147d934f8 upstream.
+
+Usage of the intel_pmt_read() for binary sysfs, requires a pcidev. The
+current use of the endpoint value is only valid for telemetry endpoint
+usage.
+
+Without the ep, the crashlog usage causes the following NULL pointer
+exception:
+
+BUG: kernel NULL pointer dereference, address: 0000000000000000
+Oops: Oops: 0000 [#1] SMP NOPTI
+RIP: 0010:intel_pmt_read+0x3b/0x70 [pmt_class]
+Code:
+Call Trace:
+ <TASK>
+ ? sysfs_kf_bin_read+0xc0/0xe0
+ kernfs_fop_read_iter+0xac/0x1a0
+ vfs_read+0x26d/0x350
+ ksys_read+0x6b/0xe0
+ __x64_sys_read+0x1d/0x30
+ x64_sys_call+0x1bc8/0x1d70
+ do_syscall_64+0x6d/0x110
+
+Augment struct intel_pmt_entry with a pointer to the pcidev to avoid
+the NULL pointer exception.
+
+Fixes: 045a513040cc ("platform/x86/intel/pmt: Use PMT callbacks")
+Cc: stable@vger.kernel.org
+Reviewed-by: David E. Box <david.e.box@linux.intel.com>
+Reviewed-by: Tejas Upadhyay <tejas.upadhyay@intel.com>
+Signed-off-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
+Link: https://lore.kernel.org/r/20250713172943.7335-2-michael.j.ruhl@intel.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/intel/pmt/class.c |    3 ++-
+ drivers/platform/x86/intel/pmt/class.h |    1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/platform/x86/intel/pmt/class.c
++++ b/drivers/platform/x86/intel/pmt/class.c
+@@ -97,7 +97,7 @@ intel_pmt_read(struct file *filp, struct
+       if (count > entry->size - off)
+               count = entry->size - off;
+-      count = pmt_telem_read_mmio(entry->ep->pcidev, entry->cb, entry->header.guid, buf,
++      count = pmt_telem_read_mmio(entry->pcidev, entry->cb, entry->header.guid, buf,
+                                   entry->base, off, count);
+       return count;
+@@ -252,6 +252,7 @@ static int intel_pmt_populate_entry(stru
+               return -EINVAL;
+       }
++      entry->pcidev = pci_dev;
+       entry->guid = header->guid;
+       entry->size = header->size;
+       entry->cb = ivdev->priv_data;
+--- a/drivers/platform/x86/intel/pmt/class.h
++++ b/drivers/platform/x86/intel/pmt/class.h
+@@ -39,6 +39,7 @@ struct intel_pmt_header {
+ struct intel_pmt_entry {
+       struct telem_endpoint   *ep;
++      struct pci_dev          *pcidev;
+       struct intel_pmt_header header;
+       struct bin_attribute    pmt_bin_attr;
+       struct kobject          *kobj;
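Review bot: struct intel_pmt_entry now carries both `ep` and `pcidev` with no comment on when each is valid, and only the commit message says `ep` exists for telemetry endpoints while crashlog entries have none; a reader of class.h has no way to know intel_pmt_read() must use `pcidev`. Suggest annotating the two fields, e.g. `struct telem_endpoint *ep; /* telemetry endpoints only; presumably NULL for crashlog */` and `struct pci_dev *pcidev; /* set for every entry; the sysfs read path uses this */`. It is also worth confirming that every caller of intel_pmt_populate_entry() supplies a non-NULL pci_dev, since the read path now dereferences it unconditionally; the function's start is outside the hunk, so that cannot be checked here.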
diff --git a/queue-6.16/s390-mm-remove-possible-false-positive-warning-in-pte_free_defer.patch b/queue-6.16/s390-mm-remove-possible-false-positive-warning-in-pte_free_defer.patch
new file mode 100644 (file)
index 0000000..d5527ff
--- /dev/null
@@ -0,0 +1,56 @@
+From 5647f61ad9171e8f025558ed6dc5702c56a33ba3 Mon Sep 17 00:00:00 2001
+From: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
+Date: Wed, 9 Jul 2025 20:34:30 +0200
+Subject: s390/mm: Remove possible false-positive warning in pte_free_defer()
+
+From: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
+
+commit 5647f61ad9171e8f025558ed6dc5702c56a33ba3 upstream.
+
+Commit 8211dad627981 ("s390: add pte_free_defer() for pgtables sharing
+page") added a warning to pte_free_defer(), on our request. It was meant
+to warn if this would ever be reached for KVM guest mappings, because
+the page table would be freed w/o a gmap_unlink(). THP mappings are not
+allowed for KVM guests on s390, so this should never happen.
+
+However, it is possible that the warning is triggered in a valid case as
+false-positive.
+
+s390_enable_sie() takes the mmap_lock, marks all VMAs as VM_NOHUGEPAGE and
+splits possibly existing THP guest mappings. mm->context.has_pgste is set
+to 1 before that, to prevent races with the mm_has_pgste() check in
+MADV_HUGEPAGE.
+
+khugepaged drops the mmap_lock for file mappings and might run in parallel,
+before a vma is marked VM_NOHUGEPAGE, but after mm->context.has_pgste was
+set to 1. If it finds file mappings to collapse, it will eventually call
+pte_free_defer(). This will trigger the warning, but it is a valid case
+because gmap is not yet set up, and the THP mappings will be split again.
+
+Therefore, remove the warning and the comment.
+
+Fixes: 8211dad627981 ("s390: add pte_free_defer() for pgtables sharing page")
+Cc: <stable@vger.kernel.org> # 6.6+
+Reviewed-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
+Signed-off-by: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/mm/pgalloc.c |    5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/arch/s390/mm/pgalloc.c
++++ b/arch/s390/mm/pgalloc.c
+@@ -173,11 +173,6 @@ void pte_free_defer(struct mm_struct *mm
+       struct ptdesc *ptdesc = virt_to_ptdesc(pgtable);
+       call_rcu(&ptdesc->pt_rcu_head, pte_free_now);
+-      /*
+-       * THPs are not allowed for KVM guests. Warn if pgste ever reaches here.
+-       * Turn to the generic pte_free_defer() version once gmap is removed.
+-       */
+-      WARN_ON_ONCE(mm_has_pgste(mm));
+ }
+ #endif /* CONFIG_TRANSPARENT_HUGEPAGE */
index ba25b1f9975f4ffef8775117a92dc33bbe2f051e..2e87c18359db050705678e1350a01e32c31e10d2 100644 (file)
@@ -593,3 +593,33 @@ usb-serial-option-add-foxconn-t99w709.patch
 bluetooth-btusb-add-usb-id-3625-010b-for-tp-link-archer-tx10ub-nano.patch
 net-usbnet-avoid-potential-rcu-stall-on-link_change-event.patch
 net-usbnet-fix-the-wrong-netif_carrier_on-call.patch
+x86-sev-evict-cache-lines-during-snp-memory-validation.patch
+alsa-intel_hdmi-fix-off-by-one-error-in-__hdmi_lpe_audio_probe.patch
+alsa-scarlett2-add-retry-on-eproto-from-scarlett2_usb_tx.patch
+alsa-hda-realtek-fix-mute-led-for-hp-victus-16-r1xxx.patch
+alsa-hda-realtek-fix-mute-led-for-hp-victus-16-s0xxx.patch
+alsa-hda-realtek-fix-mute-led-for-hp-victus-16-d1xxx-mb-8a26.patch
+platform-x86-intel-pmt-fix-a-crashlog-null-pointer-access.patch
+x86-fpu-delay-instruction-pointer-fixup-until-after-warning.patch
+kvm-x86-convert-vcpu_run-s-immediate-exit-param-into-a-generic-bitmap.patch
+kvm-x86-drop-kvm_x86_ops.set_dr6-in-favor-of-a-new-kvm_run-flag.patch
+kvm-vmx-allow-guest-to-set-debugctl.rtm_debug-if-rtm-is-supported.patch
+kvm-arm64-check-for-sysregs_on_cpu-before-accessing-the-cpu-state.patch
+kvm-arm64-filter-out-hcr_el2-bits-when-running-in-hypervisor-context.patch
+zloop-fix-kasan-use-after-free-of-tag-set.patch
+s390-mm-remove-possible-false-positive-warning-in-pte_free_defer.patch
+mips-mm-tlb-r4k-uniquify-tlb-entries-on-init.patch
+mm-hmm-move-pmd_to_hmm_pfn_flags-to-the-respective-ifdeffery.patch
+mm-swap-correctly-use-maxpages-in-swapon-syscall-to-avoid-potential-deadloop.patch
+mm-swap-fix-potential-buffer-overflow-in-setup_clusters.patch
+mm-swap-move-nr_swap_pages-counter-decrement-from-folio_alloc_swap-to-swap_range_alloc.patch
+mm-shmem-fix-the-shmem-large-folio-allocation-for-the-i915-driver.patch
+usb-gadget-uvc-initialize-frame-based-format-color-matching-descriptor.patch
+perf-arm-ni-set-initial-irq-affinity.patch
+media-ti-j721e-csi2rx-fix-list_del-corruption.patch
+hid-apple-validate-feature-report-field-count-to-prevent-null-pointer-dereference.patch
+usb-gadget-f_hid-fix-memory-leak-in-hidg_bind-error-path.patch
+hid-core-harden-s32ton-against-conversion-to-0-bits.patch
+hid-magicmouse-avoid-setting-up-battery-timer-when-not-needed.patch
+hid-apple-avoid-setting-up-battery-timer-for-devices-without-battery.patch
+usb-gadget-fix-use-after-free-in-composite_dev_cleanup.patch
diff --git a/queue-6.16/usb-gadget-f_hid-fix-memory-leak-in-hidg_bind-error-path.patch b/queue-6.16/usb-gadget-f_hid-fix-memory-leak-in-hidg_bind-error-path.patch
new file mode 100644 (file)
index 0000000..0e30862
--- /dev/null
@@ -0,0 +1,56 @@
+From 62783c30d78aecf9810dae46fd4d11420ad38b74 Mon Sep 17 00:00:00 2001
+From: Yuhao Jiang <danisjiang@gmail.com>
+Date: Mon, 23 Jun 2025 17:48:44 +0800
+Subject: USB: gadget: f_hid: Fix memory leak in hidg_bind error path
+
+From: Yuhao Jiang <danisjiang@gmail.com>
+
+commit 62783c30d78aecf9810dae46fd4d11420ad38b74 upstream.
+
+In hidg_bind(), if alloc_workqueue() fails after usb_assign_descriptors()
+has successfully allocated the USB descriptors, the current error handling
+does not call usb_free_all_descriptors() to free the allocated descriptors,
+resulting in a memory leak.
+
+Restructure the error handling by adding proper cleanup labels:
+- fail_free_all: cleans up workqueue and descriptors
+- fail_free_descs: cleans up descriptors only
+- fail: original cleanup for earlier failures
+
+This ensures that allocated resources are properly freed in reverse order
+of their allocation, preventing the memory leak when alloc_workqueue() fails.
+
+Fixes: a139c98f760ef ("USB: gadget: f_hid: Add GET_REPORT via userspace IOCTL")
+Cc: stable@vger.kernel.org
+Signed-off-by: Yuhao Jiang <danisjiang@gmail.com>
+Link: https://lore.kernel.org/r/20250623094844.244977-1-danisjiang@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_hid.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_hid.c
++++ b/drivers/usb/gadget/function/f_hid.c
+@@ -1278,18 +1278,19 @@ static int hidg_bind(struct usb_configur
+       if (!hidg->workqueue) {
+               status = -ENOMEM;
+-              goto fail;
++              goto fail_free_descs;
+       }
+       /* create char device */
+       cdev_init(&hidg->cdev, &f_hidg_fops);
+       status = cdev_device_add(&hidg->cdev, &hidg->dev);
+       if (status)
+-              goto fail_free_descs;
++              goto fail_free_all;
+       return 0;
+-fail_free_descs:
++fail_free_all:
+       destroy_workqueue(hidg->workqueue);
++fail_free_descs:
+       usb_free_all_descriptors(f);
+ fail:
+       ERROR(f->config->cdev, "hidg_bind FAILED\n");
diff --git a/queue-6.16/usb-gadget-fix-use-after-free-in-composite_dev_cleanup.patch b/queue-6.16/usb-gadget-fix-use-after-free-in-composite_dev_cleanup.patch
new file mode 100644 (file)
index 0000000..ff7159d
--- /dev/null
@@ -0,0 +1,51 @@
+From 151c0aa896c47a4459e07fee7d4843f44c1bb18e Mon Sep 17 00:00:00 2001
+From: Tao Xue <xuetao09@huawei.com>
+Date: Mon, 21 Jul 2025 17:39:08 +0800
+Subject: usb: gadget : fix use-after-free in composite_dev_cleanup()
+
+From: Tao Xue <xuetao09@huawei.com>
+
+commit 151c0aa896c47a4459e07fee7d4843f44c1bb18e upstream.
+
+1. In func configfs_composite_bind() -> composite_os_desc_req_prepare():
+if kmalloc fails, the pointer cdev->os_desc_req will be freed but not
+set to NULL. Then it will return a failure to the upper-level function.
+2. In func configfs_composite_bind() -> composite_dev_cleanup():
+it checks whether cdev->os_desc_req is NULL. If it is not NULL, it
+will attempt to use it. This will lead to a use-after-free issue.
+
+BUG: KASAN: use-after-free in composite_dev_cleanup+0xf4/0x2c0
+Read of size 8 at addr 0000004827837a00 by task init/1
+
+CPU: 10 PID: 1 Comm: init Tainted: G           O      5.10.97-oh #1
+ kasan_report+0x188/0x1cc
+ __asan_load8+0xb4/0xbc
+ composite_dev_cleanup+0xf4/0x2c0
+ configfs_composite_bind+0x210/0x7ac
+ udc_bind_to_driver+0xb4/0x1ec
+ usb_gadget_probe_driver+0xec/0x21c
+ gadget_dev_desc_UDC_store+0x264/0x27c
+
+Fixes: 37a3a533429e ("usb: gadget: OS Feature Descriptors support")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Tao Xue <xuetao09@huawei.com>
+Link: https://lore.kernel.org/r/20250721093908.14967-1-xuetao09@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/composite.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -2489,6 +2489,11 @@ int composite_os_desc_req_prepare(struct
+       if (!cdev->os_desc_req->buf) {
+               ret = -ENOMEM;
+               usb_ep_free_request(ep0, cdev->os_desc_req);
++              /*
++               * Set os_desc_req to NULL so that composite_dev_cleanup()
++               * will not try to free it again.
++               */
++              cdev->os_desc_req = NULL;
+               goto end;
+       }
+       cdev->os_desc_req->context = cdev;
diff --git a/queue-6.16/usb-gadget-uvc-initialize-frame-based-format-color-matching-descriptor.patch b/queue-6.16/usb-gadget-uvc-initialize-frame-based-format-color-matching-descriptor.patch
new file mode 100644 (file)
index 0000000..fc3885c
--- /dev/null
@@ -0,0 +1,109 @@
+From 323a80a1a5ace319a722909c006d5bdb2a35d273 Mon Sep 17 00:00:00 2001
+From: Akash Kumar <quic_akakum@quicinc.com>
+Date: Fri, 18 Jul 2025 14:21:38 +0530
+Subject: usb: gadget: uvc: Initialize frame-based format color matching descriptor
+
+From: Akash Kumar <quic_akakum@quicinc.com>
+
+commit 323a80a1a5ace319a722909c006d5bdb2a35d273 upstream.
+
+Fix NULL pointer crash in uvcg_framebased_make due to uninitialized color
+matching descriptor for frame-based format which was added in
+commit f5e7bdd34aca ("usb: gadget: uvc: Allow creating new color matching
+descriptors") that added handling for uncompressed and mjpeg format.
+
+Crash is seen when userspace configuration (via configfs) does not
+explicitly define the color matching descriptor. If color_matching is not
+found, config_group_find_item() returns NULL. The code then jumps to
+out_put_cm, where it calls config_item_put(color_matching);. If
+color_matching is NULL, this will dereference a null pointer, leading to a
+crash.
+
+[    2.746440] Unable to handle kernel NULL pointer dereference at virtual address 000000000000008c
+[    2.756273] Mem abort info:
+[    2.760080]   ESR = 0x0000000096000005
+[    2.764872]   EC = 0x25: DABT (current EL), IL = 32 bits
+[    2.771068]   SET = 0, FnV = 0
+[    2.771069]   EA = 0, S1PTW = 0
+[    2.771070]   FSC = 0x05: level 1 translation fault
+[    2.771071] Data abort info:
+[    2.771072]   ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
+[    2.771073]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
+[    2.771074]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
+[    2.771075] user pgtable: 4k pages, 39-bit VAs, pgdp=00000000a3e59000
+[    2.771077] [000000000000008c] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
+[    2.771081] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
+[    2.771084] Dumping ftrace buffer:
+[    2.771085]    (ftrace buffer empty)
+[    2.771138] CPU: 7 PID: 486 Comm: ln Tainted: G        W   E      6.6.58-android15
+[    2.771139] Hardware name: Qualcomm Technologies, Inc. SunP QRD HDK (DT)
+[    2.771140] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
+[    2.771141] pc : __uvcg_fill_strm+0x198/0x2cc
+[    2.771145] lr : __uvcg_iter_strm_cls+0xc8/0x17c
+[    2.771146] sp : ffffffc08140bbb0
+[    2.771146] x29: ffffffc08140bbb0 x28: ffffff803bc81380 x27: ffffff8023bbd250
+[    2.771147] x26: ffffff8023bbd250 x25: ffffff803c361348 x24: ffffff803d8e6768
+[    2.771148] x23: 0000000000000004 x22: 0000000000000003 x21: ffffffc08140bc48
+[    2.771149] x20: 0000000000000000 x19: ffffffc08140bc48 x18: ffffffe9f8cf4a00
+[    2.771150] x17: 000000001bf64ec3 x16: 000000001bf64ec3 x15: ffffff8023bbd250
+[    2.771151] x14: 000000000000000f x13: 004c4b40000f4240 x12: 000a2c2a00051615
+[    2.771152] x11: 000000000000004f x10: ffffffe9f76b40ec x9 : ffffffe9f7e389d0
+[    2.771153] x8 : ffffff803d0d31ce x7 : 000f4240000a2c2a x6 : 0005161500028b0a
+[    2.771154] x5 : ffffff803d0d31ce x4 : 0000000000000003 x3 : 0000000000000000
+[    2.771155] x2 : ffffffc08140bc50 x1 : ffffffc08140bc48 x0 : 0000000000000000
+[    2.771156] Call trace:
+[    2.771157]  __uvcg_fill_strm+0x198/0x2cc
+[    2.771157]  __uvcg_iter_strm_cls+0xc8/0x17c
+[    2.771158]  uvcg_streaming_class_allow_link+0x240/0x290
+[    2.771159]  configfs_symlink+0x1f8/0x630
+[    2.771161]  vfs_symlink+0x114/0x1a0
+[    2.771163]  do_symlinkat+0x94/0x28c
+[    2.771164]  __arm64_sys_symlinkat+0x54/0x70
+[    2.771164]  invoke_syscall+0x58/0x114
+[    2.771166]  el0_svc_common+0x80/0xe0
+[    2.771168]  do_el0_svc+0x1c/0x28
+[    2.771169]  el0_svc+0x3c/0x70
+[    2.771172]  el0t_64_sync_handler+0x68/0xbc
+[    2.771173]  el0t_64_sync+0x1a8/0x1ac
+
+Initialize color matching descriptor for frame-based format to prevent
+NULL pointer crash by mirroring the handling done for uncompressed and
+mjpeg formats.
+
+Fixes: 7b5a58952fc3 ("usb: gadget: uvc: configfs: Add frame-based frame format support")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Akash Kumar <quic_akakum@quicinc.com>
+Link: https://lore.kernel.org/r/20250718085138.1118788-1-quic_akakum@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/uvc_configfs.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/usb/gadget/function/uvc_configfs.c
++++ b/drivers/usb/gadget/function/uvc_configfs.c
+@@ -2916,8 +2916,15 @@ static struct config_group *uvcg_frameba
+               'H',  '2',  '6',  '4', 0x00, 0x00, 0x10, 0x00,
+               0x80, 0x00, 0x00, 0xaa, 0x00, 0x38, 0x9b, 0x71
+       };
++      struct uvcg_color_matching *color_match;
++      struct config_item *streaming;
+       struct uvcg_framebased *h;
++      streaming = group->cg_item.ci_parent;
++      color_match = uvcg_format_get_default_color_match(streaming);
++      if (!color_match)
++              return ERR_PTR(-EINVAL);
++
+       h = kzalloc(sizeof(*h), GFP_KERNEL);
+       if (!h)
+               return ERR_PTR(-ENOMEM);
+@@ -2936,6 +2943,9 @@ static struct config_group *uvcg_frameba
+       INIT_LIST_HEAD(&h->fmt.frames);
+       h->fmt.type = UVCG_FRAMEBASED;
++
++      h->fmt.color_matching = color_match;
++      color_match->refcnt++;
+       config_group_init_type_name(&h->fmt.group, name,
+                                   &uvcg_framebased_type);
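Review bot: The reference taken at `color_match->refcnt++` has no visible counterpart in this patch; the frame-based format's drop/release path lies outside the hunk, so it should be confirmed that it decrements the default color-matching item's refcnt the way the uncompressed and mjpeg formats presumably do, otherwise each frame-based format that is created and removed leaves the default item's count inflated. Separately, the commit message attributes the crash to `config_item_put(color_matching)` being called on NULL in `out_put_cm`, but the trace shows a data abort at offset 0x8c of a NULL pointer inside `__uvcg_fill_strm`, reached from `uvcg_streaming_class_allow_link` via symlinkat(), which matches `fmt.color_matching` being NULL when the streaming class descriptors are assembled rather than a NULL put; describing that path would make the message easier to trust. uvcg_framebased_make() starts before and ends after these hunks.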
diff --git a/queue-6.16/x86-fpu-delay-instruction-pointer-fixup-until-after-warning.patch b/queue-6.16/x86-fpu-delay-instruction-pointer-fixup-until-after-warning.patch
new file mode 100644 (file)
index 0000000..cb62a7b
--- /dev/null
@@ -0,0 +1,57 @@
+From 1cec9ac2d071cfd2da562241aab0ef701355762a Mon Sep 17 00:00:00 2001
+From: Dave Hansen <dave.hansen@linux.intel.com>
+Date: Tue, 24 Jun 2025 14:01:48 -0700
+Subject: x86/fpu: Delay instruction pointer fixup until after warning
+
+From: Dave Hansen <dave.hansen@linux.intel.com>
+
+commit 1cec9ac2d071cfd2da562241aab0ef701355762a upstream.
+
+Right now, if XRSTOR fails, a console message like this is printed:
+
+       Bad FPU state detected at restore_fpregs_from_fpstate+0x9a/0x170, reinitializing FPU registers.
+
+However, the text location (...+0x9a in this case) is the instruction
+*AFTER* the XRSTOR. The highlighted instruction in the "Code:" dump
+also points one instruction late.
+
+The reason is that the "fixup" moves RIP up to pass the bad XRSTOR and
+keep on running after returning from the #GP handler. But it does this
+fixup before warning.
+
+The resulting warning output is nonsensical because it looks like the
+non-FPU-related instruction is #GP'ing.
+
+Do not fix up RIP until after printing the warning. Do this by using
+the more generic and standard ex_handler_default().
+
+Fixes: d5c8028b4788 ("x86/fpu: Reinitialize FPU registers if restoring FPU state fails")
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Reviewed-by: Chao Gao <chao.gao@intel.com>
+Acked-by: Alison Schofield <alison.schofield@intel.com>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc:stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20250624210148.97126F9E%40davehans-spike.ostc.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/mm/extable.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/mm/extable.c
++++ b/arch/x86/mm/extable.c
+@@ -122,13 +122,12 @@ static bool ex_handler_sgx(const struct
+ static bool ex_handler_fprestore(const struct exception_table_entry *fixup,
+                                struct pt_regs *regs)
+ {
+-      regs->ip = ex_fixup_addr(fixup);
+-
+       WARN_ONCE(1, "Bad FPU state detected at %pB, reinitializing FPU registers.",
+                 (void *)instruction_pointer(regs));
+       fpu_reset_from_exception_fixup();
+-      return true;
++
++      return ex_handler_default(fixup, regs);
+ }
+ /*
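Review bot: The ordering this change restores, warn first and only then advance regs->ip, is exactly the invariant the original code broke, yet ex_handler_fprestore() still carries no comment stating it, so a later cleanup could swap the two statements back without anyone noticing. A one-line comment above the WARN_ONCE would pin it: `/* Warn before ex_handler_default() moves regs->ip past the faulting XRSTOR, so %pB names the XRSTOR itself. */`. Since WARN_ONCE fires only for the first failure, that first report is the only chance to get the address right, which is worth saying in the commit message as well.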
diff --git a/queue-6.16/x86-sev-evict-cache-lines-during-snp-memory-validation.patch b/queue-6.16/x86-sev-evict-cache-lines-during-snp-memory-validation.patch
new file mode 100644 (file)
index 0000000..34f5fcb
--- /dev/null
@@ -0,0 +1,164 @@
+From 222ae1ca139e0ffac8d11cc57b429b1bff4d60f0 Mon Sep 17 00:00:00 2001
+From: Tom Lendacky <thomas.lendacky@amd.com>
+Date: Wed, 30 Jul 2025 09:12:37 -0500
+Subject: x86/sev: Evict cache lines during SNP memory validation
+
+From: Tom Lendacky <thomas.lendacky@amd.com>
+
+Commit 7b306dfa326f70114312b320d083b21fa9481e1e upstream.
+
+An SNP cache coherency vulnerability requires a cache line eviction
+mitigation when validating memory after a page state change to private.
+The specific mitigation is to touch the first and last byte of each 4K
+page that is being validated. There is no need to perform the mitigation
+when performing a page state change to shared and rescinding validation.
+
+CPUID bit Fn8000001F_EBX[31] defines the COHERENCY_SFW_NO CPUID bit that,
+when set, indicates that the software mitigation for this vulnerability is
+not needed.
+
+Implement the mitigation and invoke it when validating memory (making it
+private) and the COHERENCY_SFW_NO bit is not set, indicating the SNP guest
+is vulnerable.
+
+Co-developed-by: Michael Roth <michael.roth@amd.com>
+Signed-off-by: Michael Roth <michael.roth@amd.com>
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Acked-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/boot/cpuflags.c           |   13 +++++++++++++
+ arch/x86/boot/startup/sev-shared.c |    7 +++++++
+ arch/x86/coco/sev/core.c           |   21 +++++++++++++++++++++
+ arch/x86/include/asm/cpufeatures.h |    1 +
+ arch/x86/include/asm/sev.h         |   19 +++++++++++++++++++
+ arch/x86/kernel/cpu/scattered.c    |    1 +
+ 6 files changed, 62 insertions(+)
+
+--- a/arch/x86/boot/cpuflags.c
++++ b/arch/x86/boot/cpuflags.c
+@@ -106,5 +106,18 @@ void get_cpuflags(void)
+                       cpuid(0x80000001, &ignored, &ignored, &cpu.flags[6],
+                             &cpu.flags[1]);
+               }
++
++              if (max_amd_level >= 0x8000001f) {
++                      u32 ebx;
++
++                      /*
++                       * The X86_FEATURE_COHERENCY_SFW_NO feature bit is in
++                       * the virtualization flags entry (word 8) and set by
++                       * scattered.c, so the bit needs to be explicitly set.
++                       */
++                      cpuid(0x8000001f, &ignored, &ebx, &ignored, &ignored);
++                      if (ebx & BIT(31))
++                              set_bit(X86_FEATURE_COHERENCY_SFW_NO, cpu.flags);
++              }
+       }
+ }
+--- a/arch/x86/boot/startup/sev-shared.c
++++ b/arch/x86/boot/startup/sev-shared.c
+@@ -810,6 +810,13 @@ static void __head pvalidate_4k_page(uns
+               if (ret)
+                       sev_es_terminate(SEV_TERM_SET_LINUX, GHCB_TERM_PVALIDATE);
+       }
++
++      /*
++       * If validating memory (making it private) and affected by the
++       * cache-coherency vulnerability, perform the cache eviction mitigation.
++       */
++      if (validate && !has_cpuflag(X86_FEATURE_COHERENCY_SFW_NO))
++              sev_evict_cache((void *)vaddr, 1);
+ }
+ /*
+--- a/arch/x86/coco/sev/core.c
++++ b/arch/x86/coco/sev/core.c
+@@ -358,10 +358,31 @@ static void svsm_pval_pages(struct snp_p
+ static void pvalidate_pages(struct snp_psc_desc *desc)
+ {
++      struct psc_entry *e;
++      unsigned int i;
++
+       if (snp_vmpl)
+               svsm_pval_pages(desc);
+       else
+               pval_pages(desc);
++
++      /*
++       * If not affected by the cache-coherency vulnerability there is no need
++       * to perform the cache eviction mitigation.
++       */
++      if (cpu_feature_enabled(X86_FEATURE_COHERENCY_SFW_NO))
++              return;
++
++      for (i = 0; i <= desc->hdr.end_entry; i++) {
++              e = &desc->entries[i];
++
++              /*
++               * If validating memory (making it private) perform the cache
++               * eviction mitigation.
++               */
++              if (e->operation == SNP_PAGE_STATE_PRIVATE)
++                      sev_evict_cache(pfn_to_kaddr(e->gfn), e->pagesize ? 512 : 1);
++      }
+ }
+ static int vmgexit_psc(struct ghcb *ghcb, struct snp_psc_desc *desc)
+--- a/arch/x86/include/asm/cpufeatures.h
++++ b/arch/x86/include/asm/cpufeatures.h
+@@ -218,6 +218,7 @@
+ #define X86_FEATURE_FLEXPRIORITY      ( 8*32+ 1) /* "flexpriority" Intel FlexPriority */
+ #define X86_FEATURE_EPT                       ( 8*32+ 2) /* "ept" Intel Extended Page Table */
+ #define X86_FEATURE_VPID              ( 8*32+ 3) /* "vpid" Intel Virtual Processor ID */
++#define X86_FEATURE_COHERENCY_SFW_NO  ( 8*32+ 4) /* SNP cache coherency software work around not needed */
+ #define X86_FEATURE_VMMCALL           ( 8*32+15) /* "vmmcall" Prefer VMMCALL to VMCALL */
+ #define X86_FEATURE_XENPV             ( 8*32+16) /* Xen paravirtual guest */
+--- a/arch/x86/include/asm/sev.h
++++ b/arch/x86/include/asm/sev.h
+@@ -621,6 +621,24 @@ int rmp_make_shared(u64 pfn, enum pg_lev
+ void snp_leak_pages(u64 pfn, unsigned int npages);
+ void kdump_sev_callback(void);
+ void snp_fixup_e820_tables(void);
++
++static inline void sev_evict_cache(void *va, int npages)
++{
++      volatile u8 val __always_unused;
++      u8 *bytes = va;
++      int page_idx;
++
++      /*
++       * For SEV guests, a read from the first/last cache-lines of a 4K page
++       * using the guest key is sufficient to cause a flush of all cache-lines
++       * associated with that 4K page without incurring all the overhead of a
++       * full CLFLUSH sequence.
++       */
++      for (page_idx = 0; page_idx < npages; page_idx++) {
++              val = bytes[page_idx * PAGE_SIZE];
++              val = bytes[page_idx * PAGE_SIZE + PAGE_SIZE - 1];
++      }
++}
+ #else
+ static inline bool snp_probe_rmptable_info(void) { return false; }
+ static inline int snp_rmptable_init(void) { return -ENOSYS; }
+@@ -636,6 +654,7 @@ static inline int rmp_make_shared(u64 pf
+ static inline void snp_leak_pages(u64 pfn, unsigned int npages) {}
+ static inline void kdump_sev_callback(void) { }
+ static inline void snp_fixup_e820_tables(void) {}
++static inline void sev_evict_cache(void *va, int npages) {}
+ #endif
+ #endif
+--- a/arch/x86/kernel/cpu/scattered.c
++++ b/arch/x86/kernel/cpu/scattered.c
+@@ -48,6 +48,7 @@ static const struct cpuid_bit cpuid_bits
+       { X86_FEATURE_PROC_FEEDBACK,            CPUID_EDX, 11, 0x80000007, 0 },
+       { X86_FEATURE_AMD_FAST_CPPC,            CPUID_EDX, 15, 0x80000007, 0 },
+       { X86_FEATURE_MBA,                      CPUID_EBX,  6, 0x80000008, 0 },
++      { X86_FEATURE_COHERENCY_SFW_NO,         CPUID_EBX, 31, 0x8000001f, 0 },
+       { X86_FEATURE_SMBA,                     CPUID_EBX,  2, 0x80000020, 0 },
+       { X86_FEATURE_BMEC,                     CPUID_EBX,  3, 0x80000020, 0 },
+       { X86_FEATURE_TSA_SQ_NO,                CPUID_ECX,  1, 0x80000021, 0 },
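Review bot: `sev_evict_cache()` is added to the stretch of sev.h that declares the host-side RMP helpers (`rmp_make_shared`, `snp_leak_pages`, `kdump_sev_callback`, `snp_fixup_e820_tables`) and gets an empty stub in the matching `#else` branch next to `snp_probe_rmptable_info()`; the `#ifdef` itself is outside the hunk, but if it is the host-only CONFIG_KVM_AMD_SEV guard those helpers normally sit under, a guest kernel built without that option compiles `pvalidate_4k_page()` and `pvalidate_pages()` against the no-op stub and silently skips the cache-eviction mitigation on vulnerable hardware. The helper depends only on PAGE_SIZE, so it can live outside that `#ifdef` (or under the guest-side memory-encryption guard that covers its callers) with no stub at all. The comment in the helper should also note why a plain read is enough here, namely that the page has just been validated as private and is therefore accessed with the guest key, which is the precondition the commit message gives for skipping the shared path.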
diff --git a/queue-6.16/zloop-fix-kasan-use-after-free-of-tag-set.patch b/queue-6.16/zloop-fix-kasan-use-after-free-of-tag-set.patch
new file mode 100644 (file)
index 0000000..8fa7680
--- /dev/null
@@ -0,0 +1,65 @@
+From 765761851d89c772f482494d452e266795460278 Mon Sep 17 00:00:00 2001
+From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Date: Thu, 31 Jul 2025 20:07:45 +0900
+Subject: zloop: fix KASAN use-after-free of tag set
+
+From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+
+commit 765761851d89c772f482494d452e266795460278 upstream.
+
+When a zoned loop device, or zloop device, is removed, KASAN enabled
+kernel reports "BUG KASAN use-after-free" in blk_mq_free_tag_set(). The
+BUG happens because zloop_ctl_remove() calls put_disk(), which invokes
+zloop_free_disk(). The zloop_free_disk() frees the memory allocated for
+the zlo pointer. However, after the memory is freed, zloop_ctl_remove()
+calls blk_mq_free_tag_set(&zlo->tag_set), which accesses the freed zlo.
+Hence the KASAN use-after-free.
+
+ zloop_ctl_remove()
+  put_disk(zlo->disk)
+   put_device()
+    kobject_put()
+     ...
+      zloop_free_disk()
+        kvfree(zlo)
+  blk_mq_free_tag_set(&zlo->tag_set)
+
+To avoid the BUG, move the call to blk_mq_free_tag_set(&zlo->tag_set)
+from zloop_ctl_remove() into zloop_free_disk(). This ensures that
+the tag_set is freed before the call to kvfree(zlo).
+
+Fixes: eb0570c7df23 ("block: new zoned loop block device driver")
+CC: stable@vger.kernel.org
+Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20250731110745.165751-1-shinichiro.kawasaki@wdc.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/zloop.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/block/zloop.c b/drivers/block/zloop.c
+index 553b1a713ab9..a423228e201b 100644
+--- a/drivers/block/zloop.c
++++ b/drivers/block/zloop.c
+@@ -700,6 +700,8 @@ static void zloop_free_disk(struct gendisk *disk)
+       struct zloop_device *zlo = disk->private_data;
+       unsigned int i;
++      blk_mq_free_tag_set(&zlo->tag_set);
++
+       for (i = 0; i < zlo->nr_zones; i++) {
+               struct zloop_zone *zone = &zlo->zones[i];
+@@ -1080,7 +1082,6 @@ static int zloop_ctl_remove(struct zloop_options *opts)
+       del_gendisk(zlo->disk);
+       put_disk(zlo->disk);
+-      blk_mq_free_tag_set(&zlo->tag_set);
+       pr_info("Removed device %d\n", opts->id);
+-- 
+2.50.1
+
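Review bot: Moving `blk_mq_free_tag_set()` into `zloop_free_disk()` makes the gendisk release callback the owner of the tag set, so any path that still calls `put_disk()` and then `blk_mq_free_tag_set()` itself now frees it twice; `zloop_ctl_add()`'s error ladder is outside this hunk and is the usual place for that sequence (put_disk on add_disk failure followed by a tag-set free label), so it should be checked and reduced to a bare `put_disk()` once the disk has been allocated. A short comment at the new call would also record the ordering constraint: `/* tag_set is embedded in *zlo: release it before zlo is freed below */`. zloop_free_disk()'s body continues past the hunk.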