--- /dev/null
+From fd5625fc86922f36bedee5846fefd647b7e72751 Mon Sep 17 00:00:00 2001
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+Date: Wed, 15 Jan 2025 21:28:17 +0300
+Subject: ntb: use 64-bit arithmetic for the MSI doorbell mask
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+commit fd5625fc86922f36bedee5846fefd647b7e72751 upstream.
+
+msi_db_mask is of type 'u64', still the standard 'int' arithmetic is
+performed to compute its value.
+
+While most of the ntb_hw drivers actually don't utilize the higher 32
+bits of the doorbell mask now, this may be the case for Switchtec - see
+switchtec_ntb_init_db().
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE static
+analysis tool.
+
+Fixes: 2b0569b3b7e6 ("NTB: Add MSI interrupt support to ntb_transport")
+Cc: stable@vger.kernel.org
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Jon Mason <jdmason@kudzu.us>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ntb/ntb_transport.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/ntb/ntb_transport.c
++++ b/drivers/ntb/ntb_transport.c
+@@ -1351,7 +1351,7 @@ static int ntb_transport_probe(struct nt
+ qp_count = ilog2(qp_bitmap);
+ if (nt->use_msi) {
+ qp_count -= 1;
+- nt->msi_db_mask = 1 << qp_count;
++ nt->msi_db_mask = BIT_ULL(qp_count);
+ ntb_db_clear_mask(ndev, nt->msi_db_mask);
+ }
+
--- /dev/null
+From 962a2805e47b933876ba0e4c488d9e89ced2dd29 Mon Sep 17 00:00:00 2001
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+Date: Sun, 9 Feb 2025 20:58:59 +0800
+Subject: of/irq: Fix device node refcount leakage in API irq_of_parse_and_map()
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+commit 962a2805e47b933876ba0e4c488d9e89ced2dd29 upstream.
+
+In irq_of_parse_and_map(), refcount of device node @oirq.np was got
+by successful of_irq_parse_one() invocation, but it does not put the
+refcount before return, so causes @oirq.np refcount leakage.
+
+Fix by putting @oirq.np refcount before return.
+
+Fixes: e3873444990d ("of/irq: Move irq_of_parse_and_map() to common code")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Link: https://lore.kernel.org/r/20250209-of_irq_fix-v2-6-93e3a2659aa7@quicinc.com
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/of/irq.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/of/irq.c
++++ b/drivers/of/irq.c
+@@ -39,11 +39,15 @@
+ unsigned int irq_of_parse_and_map(struct device_node *dev, int index)
+ {
+ struct of_phandle_args oirq;
++ unsigned int ret;
+
+ if (of_irq_parse_one(dev, index, &oirq))
+ return 0;
+
+- return irq_create_of_mapping(&oirq);
++ ret = irq_create_of_mapping(&oirq);
++ of_node_put(oirq.np);
++
++ return ret;
+ }
+ EXPORT_SYMBOL_GPL(irq_of_parse_and_map);
+
--- /dev/null
+From 0cb58d6c7b558a69957fabe159bfb184196e1e8d Mon Sep 17 00:00:00 2001
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+Date: Sun, 9 Feb 2025 20:58:55 +0800
+Subject: of/irq: Fix device node refcount leakage in API of_irq_parse_one()
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+commit 0cb58d6c7b558a69957fabe159bfb184196e1e8d upstream.
+
+of_irq_parse_one(@int_gen_dev, i, ...) will leak refcount of @i_th_phandle
+
+int_gen_dev {
+ ...
+ interrupts-extended = ..., <&i_th_phandle ...>, ...;
+ ...
+};
+
+Refcount of @i_th_phandle is increased by of_parse_phandle_with_args()
+but is not decreased by API of_irq_parse_one() before return, so causes
+refcount leakage.
+
+Rework the refcounting to use __free() cleanup and simplify the code to
+have a single call to of_irq_parse_raw().
+
+Also add comments about refcount of node @out_irq->np got by the API.
+
+Fixes: 79d9701559a9 ("of/irq: create interrupts-extended property")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Link: https://lore.kernel.org/r/20250209-of_irq_fix-v2-2-93e3a2659aa7@quicinc.com
+[robh: Use __free() to do puts]
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/of/irq.c | 59 +++++++++++++++++++++++++------------------------------
+ 1 file changed, 27 insertions(+), 32 deletions(-)
+
+--- a/drivers/of/irq.c
++++ b/drivers/of/irq.c
+@@ -16,6 +16,7 @@
+
+ #define pr_fmt(fmt) "OF: " fmt
+
++#include <linux/cleanup.h>
+ #include <linux/device.h>
+ #include <linux/errno.h>
+ #include <linux/list.h>
+@@ -339,10 +340,12 @@ EXPORT_SYMBOL_GPL(of_irq_parse_raw);
+ * This function resolves an interrupt for a node by walking the interrupt tree,
+ * finding which interrupt controller node it is attached to, and returning the
+ * interrupt specifier that can be used to retrieve a Linux IRQ number.
++ *
++ * Note: refcount of node @out_irq->np is increased by 1 on success.
+ */
+ int of_irq_parse_one(struct device_node *device, int index, struct of_phandle_args *out_irq)
+ {
+- struct device_node *p;
++ struct device_node __free(device_node) *p = NULL;
+ const __be32 *addr;
+ u32 intsize;
+ int i, res, addr_len;
+@@ -367,41 +370,33 @@ int of_irq_parse_one(struct device_node
+ /* Try the new-style interrupts-extended first */
+ res = of_parse_phandle_with_args(device, "interrupts-extended",
+ "#interrupt-cells", index, out_irq);
+- if (!res)
+- return of_irq_parse_raw(addr_buf, out_irq);
+-
+- /* Look for the interrupt parent. */
+- p = of_irq_find_parent(device);
+- if (p == NULL)
+- return -EINVAL;
+-
+- /* Get size of interrupt specifier */
+- if (of_property_read_u32(p, "#interrupt-cells", &intsize)) {
+- res = -EINVAL;
+- goto out;
+- }
+-
+- pr_debug(" parent=%pOF, intsize=%d\n", p, intsize);
++ if (!res) {
++ p = out_irq->np;
++ } else {
++ /* Look for the interrupt parent. */
++ p = of_irq_find_parent(device);
++ /* Get size of interrupt specifier */
++ if (!p || of_property_read_u32(p, "#interrupt-cells", &intsize))
++ return -EINVAL;
++
++ pr_debug(" parent=%pOF, intsize=%d\n", p, intsize);
++
++ /* Copy intspec into irq structure */
++ out_irq->np = p;
++ out_irq->args_count = intsize;
++ for (i = 0; i < intsize; i++) {
++ res = of_property_read_u32_index(device, "interrupts",
++ (index * intsize) + i,
++ out_irq->args + i);
++ if (res)
++ return res;
++ }
+
+- /* Copy intspec into irq structure */
+- out_irq->np = p;
+- out_irq->args_count = intsize;
+- for (i = 0; i < intsize; i++) {
+- res = of_property_read_u32_index(device, "interrupts",
+- (index * intsize) + i,
+- out_irq->args + i);
+- if (res)
+- goto out;
++ pr_debug(" intspec=%d\n", *out_irq->args);
+ }
+
+- pr_debug(" intspec=%d\n", *out_irq->args);
+-
+-
+ /* Check if there are any interrupt-map translations to process */
+- res = of_irq_parse_raw(addr_buf, out_irq);
+- out:
+- of_node_put(p);
+- return res;
++ return of_irq_parse_raw(addr_buf, out_irq);
+ }
+ EXPORT_SYMBOL_GPL(of_irq_parse_one);
+
--- /dev/null
+From ff93e7213d6cc8d9a7b0bc64f70ed26094e168f3 Mon Sep 17 00:00:00 2001
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+Date: Sun, 9 Feb 2025 20:58:57 +0800
+Subject: of/irq: Fix device node refcount leakage in API of_irq_parse_raw()
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+commit ff93e7213d6cc8d9a7b0bc64f70ed26094e168f3 upstream.
+
+if the node @out_irq->np got by of_irq_parse_raw() is a combo node which
+consists of both controller and nexus, namely, of_irq_parse_raw() returns
+due to condition (@ipar == @newpar), then the node's refcount was increased
+twice, hence causes refcount leakage.
+
+Fix by putting @out_irq->np refcount before returning due to the condition.
+Also add comments about refcount of node @out_irq->np got by the API.
+
+Fixes: 041284181226 ("of/irq: Allow matching of an interrupt-map local to an interrupt controller")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Link: https://lore.kernel.org/r/20250209-of_irq_fix-v2-4-93e3a2659aa7@quicinc.com
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/of/irq.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/of/irq.c
++++ b/drivers/of/irq.c
+@@ -166,6 +166,8 @@ const __be32 *of_irq_parse_imap_parent(c
+ * the specifier for each map, and then returns the translated map.
+ *
+ * Return: 0 on success and a negative number on error
++ *
++ * Note: refcount of node @out_irq->np is increased by 1 on success.
+ */
+ int of_irq_parse_raw(const __be32 *addr, struct of_phandle_args *out_irq)
+ {
+@@ -311,6 +313,12 @@ int of_irq_parse_raw(const __be32 *addr,
+ addrsize = (imap - match_array) - intsize;
+
+ if (ipar == newpar) {
++ /*
++ * We got @ipar's refcount, but the refcount was
++ * gotten again by of_irq_parse_imap_parent() via its
++ * alias @newpar.
++ */
++ of_node_put(ipar);
+ pr_debug("%pOF interrupt-map entry to self\n", ipar);
+ return 0;
+ }
--- /dev/null
+From bbf71f44aaf241d853759a71de7e7ebcdb89be3d Mon Sep 17 00:00:00 2001
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+Date: Sun, 9 Feb 2025 20:58:58 +0800
+Subject: of/irq: Fix device node refcount leakages in of_irq_count()
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+commit bbf71f44aaf241d853759a71de7e7ebcdb89be3d upstream.
+
+of_irq_count() invokes of_irq_parse_one() to count IRQs, and successful
+invocation of the later will get device node @irq.np refcount, but the
+former does not put the refcount before next iteration invocation, hence
+causes device node refcount leakages.
+
+Fix by putting @irq.np refcount before the next iteration invocation.
+
+Fixes: 3da5278727a8 ("of/irq: Rework of_irq_count()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Link: https://lore.kernel.org/r/20250209-of_irq_fix-v2-5-93e3a2659aa7@quicinc.com
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/of/irq.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/of/irq.c
++++ b/drivers/of/irq.c
+@@ -509,8 +509,10 @@ int of_irq_count(struct device_node *dev
+ struct of_phandle_args irq;
+ int nr = 0;
+
+- while (of_irq_parse_one(dev, nr, &irq) == 0)
++ while (of_irq_parse_one(dev, nr, &irq) == 0) {
++ of_node_put(irq.np);
+ nr++;
++ }
+
+ return nr;
+ }
--- /dev/null
+From 708124d9e6e7ac5ebf927830760679136b23fdf0 Mon Sep 17 00:00:00 2001
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+Date: Sun, 9 Feb 2025 20:59:00 +0800
+Subject: of/irq: Fix device node refcount leakages in of_irq_init()
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+commit 708124d9e6e7ac5ebf927830760679136b23fdf0 upstream.
+
+of_irq_init() will leak interrupt controller device node refcounts
+in two places as explained below:
+
+1) Leak refcounts of both @desc->dev and @desc->interrupt_parent when
+ suffers @desc->irq_init_cb() failure.
+2) Leak refcount of @desc->interrupt_parent when cleans up list
+ @intc_desc_list in the end.
+
+Refcounts of both @desc->dev and @desc->interrupt_parent were got in
+the first loop, but of_irq_init() does not put them before kfree(@desc)
+in places mentioned above, so causes refcount leakages.
+
+Fix by putting refcounts involved before kfree(@desc).
+
+Fixes: 8363ccb917c6 ("of/irq: add missing of_node_put")
+Fixes: c71a54b08201 ("of/irq: introduce of_irq_init")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Link: https://lore.kernel.org/r/20250209-of_irq_fix-v2-7-93e3a2659aa7@quicinc.com
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/of/irq.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/of/irq.c
++++ b/drivers/of/irq.c
+@@ -633,6 +633,8 @@ void __init of_irq_init(const struct of_
+ __func__, desc->dev, desc->dev,
+ desc->interrupt_parent);
+ of_node_clear_flag(desc->dev, OF_POPULATED);
++ of_node_put(desc->interrupt_parent);
++ of_node_put(desc->dev);
+ kfree(desc);
+ continue;
+ }
+@@ -663,6 +665,7 @@ void __init of_irq_init(const struct of_
+ err:
+ list_for_each_entry_safe(desc, temp_desc, &intc_desc_list, list) {
+ list_del(&desc->list);
++ of_node_put(desc->interrupt_parent);
+ of_node_put(desc->dev);
+ kfree(desc);
+ }
--- /dev/null
+From 2df181e1aea4628a8fd257f866026625d0519627 Mon Sep 17 00:00:00 2001
+From: Stanimir Varbanov <svarbanov@suse.de>
+Date: Thu, 23 Jan 2025 00:29:55 +0200
+Subject: PCI: brcmstb: Fix missing of_node_put() in brcm_pcie_probe()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Stanimir Varbanov <svarbanov@suse.de>
+
+commit 2df181e1aea4628a8fd257f866026625d0519627 upstream.
+
+A call to of_parse_phandle() is incrementing the refcount, and as such,
+the of_node_put() must be called when the reference is no longer needed.
+
+Thus, refactor the existing code and add a missing of_node_put() call
+following the check to ensure that "msi_np" matches "pcie->np" and after
+MSI initialization, but only if the MSI support is enabled system-wide.
+
+Cc: stable@vger.kernel.org # v5.10+
+Fixes: 40ca1bf580ef ("PCI: brcmstb: Add MSI support")
+Signed-off-by: Stanimir Varbanov <svarbanov@suse.de>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Link: https://lore.kernel.org/r/20250122222955.1752778-1-svarbanov@suse.de
+[kwilczynski: commit log]
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/controller/pcie-brcmstb.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/drivers/pci/controller/pcie-brcmstb.c
++++ b/drivers/pci/controller/pcie-brcmstb.c
+@@ -1501,7 +1501,7 @@ static struct pci_ops brcm7425_pcie_ops
+
+ static int brcm_pcie_probe(struct platform_device *pdev)
+ {
+- struct device_node *np = pdev->dev.of_node, *msi_np;
++ struct device_node *np = pdev->dev.of_node;
+ struct pci_host_bridge *bridge;
+ const struct pcie_cfg_data *data;
+ struct brcm_pcie *pcie;
+@@ -1576,9 +1576,14 @@ static int brcm_pcie_probe(struct platfo
+ goto fail;
+ }
+
+- msi_np = of_parse_phandle(pcie->np, "msi-parent", 0);
+- if (pci_msi_enabled() && msi_np == pcie->np) {
+- ret = brcm_pcie_enable_msi(pcie);
++ if (pci_msi_enabled()) {
++ struct device_node *msi_np = of_parse_phandle(pcie->np, "msi-parent", 0);
++
++ if (msi_np == pcie->np)
++ ret = brcm_pcie_enable_msi(pcie);
++
++ of_node_put(msi_np);
++
+ if (ret) {
+ dev_err(pcie->dev, "probe of internal MSI failed");
+ goto fail;
--- /dev/null
+From 1f2768b6a3ee77a295106e3a5d68458064923ede Mon Sep 17 00:00:00 2001
+From: Ma Ke <make24@iscas.ac.cn>
+Date: Sun, 2 Feb 2025 14:23:57 +0800
+Subject: PCI: Fix reference leak in pci_alloc_child_bus()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ma Ke <make24@iscas.ac.cn>
+
+commit 1f2768b6a3ee77a295106e3a5d68458064923ede upstream.
+
+If device_register(&child->dev) fails, call put_device() to explicitly
+release child->dev, per the comment at device_register().
+
+Found by code review.
+
+Link: https://lore.kernel.org/r/20250202062357.872971-1-make24@iscas.ac.cn
+Fixes: 4f535093cf8f ("PCI: Put pci_dev in device tree as early as possible")
+Signed-off-by: Ma Ke <make24@iscas.ac.cn>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/probe.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -1145,7 +1145,10 @@ static struct pci_bus *pci_alloc_child_b
+ add_dev:
+ pci_set_bus_msi_domain(child);
+ ret = device_register(&child->dev);
+- WARN_ON(ret < 0);
++ if (WARN_ON(ret < 0)) {
++ put_device(&child->dev);
++ return NULL;
++ }
+
+ pcibios_add_bus(child);
+
--- /dev/null
+From aecb63e88c5e5fb9afb782a1577264c76f179af9 Mon Sep 17 00:00:00 2001
+From: Stefan Eichenberger <stefan.eichenberger@toradex.com>
+Date: Wed, 5 Mar 2025 15:43:16 +0100
+Subject: phy: freescale: imx8m-pcie: assert phy reset and perst in power off
+
+From: Stefan Eichenberger <stefan.eichenberger@toradex.com>
+
+commit aecb63e88c5e5fb9afb782a1577264c76f179af9 upstream.
+
+Ensure the PHY reset and perst is asserted during power-off to
+guarantee it is in a reset state upon repeated power-on calls. This
+resolves an issue where the PHY may not properly initialize during
+subsequent power-on cycles. Power-on will deassert the reset at the
+appropriate time after tuning the PHY parameters.
+
+During suspend/resume cycles, we observed that the PHY PLL failed to
+lock during resume when the CPU temperature increased from 65C to 75C.
+The observed errors were:
+ phy phy-32f00000.pcie-phy.3: phy poweron failed --> -110
+ imx6q-pcie 33800000.pcie: waiting for PHY ready timeout!
+ imx6q-pcie 33800000.pcie: PM: dpm_run_callback(): genpd_resume_noirq+0x0/0x80 returns -110
+ imx6q-pcie 33800000.pcie: PM: failed to resume noirq: error -110
+
+This resulted in a complete CPU freeze, which is resolved by ensuring
+the PHY is in reset during power-on, thus preventing PHY PLL failures.
+
+Cc: stable@vger.kernel.org
+Fixes: 1aa97b002258 ("phy: freescale: pcie: Initialize the imx8 pcie standalone phy driver")
+Signed-off-by: Stefan Eichenberger <stefan.eichenberger@toradex.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Link: https://lore.kernel.org/r/20250305144355.20364-3-eichest@gmail.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/phy/freescale/phy-fsl-imx8m-pcie.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/phy/freescale/phy-fsl-imx8m-pcie.c
++++ b/drivers/phy/freescale/phy-fsl-imx8m-pcie.c
+@@ -162,6 +162,16 @@ static int imx8_pcie_phy_power_on(struct
+ return ret;
+ }
+
++static int imx8_pcie_phy_power_off(struct phy *phy)
++{
++ struct imx8_pcie_phy *imx8_phy = phy_get_drvdata(phy);
++
++ reset_control_assert(imx8_phy->reset);
++ reset_control_assert(imx8_phy->perst);
++
++ return 0;
++}
++
+ static int imx8_pcie_phy_init(struct phy *phy)
+ {
+ struct imx8_pcie_phy *imx8_phy = phy_get_drvdata(phy);
+@@ -182,6 +192,7 @@ static const struct phy_ops imx8_pcie_ph
+ .init = imx8_pcie_phy_init,
+ .exit = imx8_pcie_phy_exit,
+ .power_on = imx8_pcie_phy_power_on,
++ .power_off = imx8_pcie_phy_power_off,
+ .owner = THIS_MODULE,
+ };
+
--- /dev/null
+From e225128c3f8be879e7d4eb71a25949e188b420ae Mon Sep 17 00:00:00 2001
+From: Stephan Gerhold <stephan.gerhold@linaro.org>
+Date: Wed, 12 Mar 2025 14:19:27 +0100
+Subject: pinctrl: qcom: Clear latched interrupt status when changing IRQ type
+
+From: Stephan Gerhold <stephan.gerhold@linaro.org>
+
+commit e225128c3f8be879e7d4eb71a25949e188b420ae upstream.
+
+When submitting the TLMM test driver, Bjorn reported that some of the test
+cases are failing for GPIOs that not are backed by PDC (i.e. "non-wakeup"
+GPIOs that are handled directly in pinctrl-msm). Basically, lingering
+latched interrupt state is still being delivered at IRQ request time, e.g.:
+
+ ok 1 tlmm_test_silent_rising
+ tlmm_test_silent_falling: ASSERTION FAILED at drivers/pinctrl/qcom/tlmm-test.c:178
+ Expected atomic_read(&priv->intr_count) == 0, but
+ atomic_read(&priv->intr_count) == 1 (0x1)
+ not ok 2 tlmm_test_silent_falling
+ tlmm_test_silent_low: ASSERTION FAILED at drivers/pinctrl/qcom/tlmm-test.c:178
+ Expected atomic_read(&priv->intr_count) == 0, but
+ atomic_read(&priv->intr_count) == 1 (0x1)
+ not ok 3 tlmm_test_silent_low
+ ok 4 tlmm_test_silent_high
+
+Whether to report interrupts that came in while the IRQ was unclaimed
+doesn't seem to be well-defined in the Linux IRQ API. However, looking
+closer at these specific cases, we're actually reporting events that do not
+match the interrupt type requested by the driver:
+
+ 1. After "ok 1 tlmm_test_silent_rising", the GPIO is in low state and
+ configured for IRQF_TRIGGER_RISING.
+
+ 2. (a) In preparation for "tlmm_test_silent_falling", the GPIO is switched
+ to high state. The rising interrupt gets latched.
+ (b) The GPIO is re-configured for IRQF_TRIGGER_FALLING, but the latched
+ interrupt isn't cleared.
+ (c) The IRQ handler is called for the latched interrupt, but there
+ wasn't any falling edge.
+
+ 3. (a) For "tlmm_test_silent_low", the GPIO remains in high state.
+ (b) The GPIO is re-configured for IRQF_TRIGGER_LOW. This seems to
+ result in a phantom interrupt that gets latched.
+ (c) The IRQ handler is called for the latched interrupt, but the GPIO
+ isn't in low state.
+
+ 4. (a) For "tlmm_test_silent_high", the GPIO is switched to low state.
+ (b) This doesn't result in a latched interrupt, because RAW_STATUS_EN
+ was cleared when masking the level-triggered interrupt.
+
+Fix this by clearing the interrupt state whenever making any changes to the
+interrupt configuration. This includes previously disabled interrupts, but
+also any changes to interrupt polarity or detection type.
+
+With this change, all 16 test cases are now passing for the non-wakeup
+GPIOs in the TLMM.
+
+Cc: stable@vger.kernel.org
+Fixes: cf9d052aa600 ("pinctrl: qcom: Don't clear pending interrupts when enabling")
+Reported-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+Closes: https://lore.kernel.org/r/20250227-tlmm-test-v1-1-d18877b4a5db@oss.qualcomm.com/
+Signed-off-by: Stephan Gerhold <stephan.gerhold@linaro.org>
+Tested-by: Bjorn Andersson <andersson@kernel.org>
+Reviewed-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/20250312-pinctrl-msm-type-latch-v1-1-ce87c561d3d7@linaro.org
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/qcom/pinctrl-msm.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/pinctrl/qcom/pinctrl-msm.c
++++ b/drivers/pinctrl/qcom/pinctrl-msm.c
+@@ -1040,8 +1040,7 @@ static int msm_gpio_irq_set_type(struct
+ const struct msm_pingroup *g;
+ u32 intr_target_mask = GENMASK(2, 0);
+ unsigned long flags;
+- bool was_enabled;
+- u32 val;
++ u32 val, oldval;
+
+ if (msm_gpio_needs_dual_edge_parent_workaround(d, type)) {
+ set_bit(d->hwirq, pctrl->dual_edge_irqs);
+@@ -1103,8 +1102,7 @@ static int msm_gpio_irq_set_type(struct
+ * internal circuitry of TLMM, toggling the RAW_STATUS
+ * could cause the INTR_STATUS to be set for EDGE interrupts.
+ */
+- val = msm_readl_intr_cfg(pctrl, g);
+- was_enabled = val & BIT(g->intr_raw_status_bit);
++ val = oldval = msm_readl_intr_cfg(pctrl, g);
+ val |= BIT(g->intr_raw_status_bit);
+ if (g->intr_detection_width == 2) {
+ val &= ~(3 << g->intr_detection_bit);
+@@ -1157,9 +1155,11 @@ static int msm_gpio_irq_set_type(struct
+ /*
+ * The first time we set RAW_STATUS_EN it could trigger an interrupt.
+ * Clear the interrupt. This is safe because we have
+- * IRQCHIP_SET_TYPE_MASKED.
++ * IRQCHIP_SET_TYPE_MASKED. When changing the interrupt type, we could
++ * also still have a non-matching interrupt latched, so clear whenever
++ * making changes to the interrupt configuration.
+ */
+- if (!was_enabled)
++ if (val != oldval)
+ msm_ack_intr_status(pctrl, g);
+
+ if (test_bit(d->hwirq, pctrl->dual_edge_irqs))
--- /dev/null
+From c183165f87a486d5879f782c05a23c179c3794ab Mon Sep 17 00:00:00 2001
+From: Geliang Tang <tanggeliang@kylinos.cn>
+Date: Fri, 28 Mar 2025 15:27:18 +0100
+Subject: selftests: mptcp: close fd_in before returning in main_loop
+
+From: Geliang Tang <tanggeliang@kylinos.cn>
+
+commit c183165f87a486d5879f782c05a23c179c3794ab upstream.
+
+The file descriptor 'fd_in' is opened when cfg_input is configured, but
+not closed in main_loop(), this patch fixes it.
+
+Fixes: 05be5e273c84 ("selftests: mptcp: add disconnect tests")
+Cc: stable@vger.kernel.org
+Co-developed-by: Cong Liu <liucong2@kylinos.cn>
+Signed-off-by: Cong Liu <liucong2@kylinos.cn>
+Signed-off-by: Geliang Tang <tanggeliang@kylinos.cn>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20250328-net-mptcp-misc-fixes-6-15-v1-3-34161a482a7f@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/mptcp_connect.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_connect.c
++++ b/tools/testing/selftests/net/mptcp/mptcp_connect.c
+@@ -1299,7 +1299,7 @@ again:
+
+ ret = copyfd_io(fd_in, fd, 1, 0, &winfo);
+ if (ret)
+- return ret;
++ goto out;
+
+ if (cfg_truncate > 0) {
+ shutdown(fd, SHUT_WR);
+@@ -1320,7 +1320,10 @@ again:
+ close(fd);
+ }
+
+- return 0;
++out:
++ if (cfg_input)
++ close(fd_in);
++ return ret;
+ }
+
+ int parse_proto(const char *proto)
--- /dev/null
+From 7335d4ac812917c16e04958775826d12d481c92d Mon Sep 17 00:00:00 2001
+From: Cong Liu <liucong2@kylinos.cn>
+Date: Fri, 28 Mar 2025 15:27:17 +0100
+Subject: selftests: mptcp: fix incorrect fd checks in main_loop
+
+From: Cong Liu <liucong2@kylinos.cn>
+
+commit 7335d4ac812917c16e04958775826d12d481c92d upstream.
+
+Fix a bug where the code was checking the wrong file descriptors
+when opening the input files. The code was checking 'fd' instead
+of 'fd_in', which could lead to incorrect error handling.
+
+Fixes: 05be5e273c84 ("selftests: mptcp: add disconnect tests")
+Cc: stable@vger.kernel.org
+Fixes: ca7ae8916043 ("selftests: mptcp: mptfo Initiator/Listener")
+Co-developed-by: Geliang Tang <geliang@kernel.org>
+Signed-off-by: Geliang Tang <geliang@kernel.org>
+Signed-off-by: Cong Liu <liucong2@kylinos.cn>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20250328-net-mptcp-misc-fixes-6-15-v1-2-34161a482a7f@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/mptcp_connect.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_connect.c
++++ b/tools/testing/selftests/net/mptcp/mptcp_connect.c
+@@ -1270,7 +1270,7 @@ int main_loop(void)
+
+ if (cfg_input && cfg_sockopt_types.mptfo) {
+ fd_in = open(cfg_input, O_RDONLY);
+- if (fd < 0)
++ if (fd_in < 0)
+ xerror("can't open %s:%d", cfg_input, errno);
+ }
+
+@@ -1293,7 +1293,7 @@ again:
+
+ if (cfg_input && !cfg_sockopt_types.mptfo) {
+ fd_in = open(cfg_input, O_RDONLY);
+- if (fd < 0)
++ if (fd_in < 0)
+ xerror("can't open %s:%d", cfg_input, errno);
+ }
+
kvm-x86-explicitly-zero-initialize-on-stack-cpuid-unions.patch
kvm-x86-acquire-srcu-in-kvm_get_mp_state-to-protect-guest-memory-accesses.patch
scsi-ufs-qcom-fix-dev-reference-leaked-through-of_qcom_ice_get.patch
+ntb-use-64-bit-arithmetic-for-the-msi-doorbell-mask.patch
+of-irq-fix-device-node-refcount-leakage-in-api-of_irq_parse_one.patch
+of-irq-fix-device-node-refcount-leakage-in-api-of_irq_parse_raw.patch
+of-irq-fix-device-node-refcount-leakages-in-of_irq_count.patch
+of-irq-fix-device-node-refcount-leakage-in-api-irq_of_parse_and_map.patch
+of-irq-fix-device-node-refcount-leakages-in-of_irq_init.patch
+pci-brcmstb-fix-missing-of_node_put-in-brcm_pcie_probe.patch
+pci-fix-reference-leak-in-pci_alloc_child_bus.patch
+phy-freescale-imx8m-pcie-assert-phy-reset-and-perst-in-power-off.patch
+pinctrl-qcom-clear-latched-interrupt-status-when-changing-irq-type.patch
+selftests-mptcp-close-fd_in-before-returning-in-main_loop.patch
+selftests-mptcp-fix-incorrect-fd-checks-in-main_loop.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
