--- /dev/null
+From e2ef628c266c5d21c29b4d6f5e1887eef3869a46 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 May 2025 09:31:04 +0200
+Subject: ALSA: sh: SND_AICA should depend on SH_DMA_API
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 66e48ef6ef506c89ec1b3851c6f9f5f80b5835ff ]
+
+If CONFIG_SH_DMA_API=n:
+
+ WARNING: unmet direct dependencies detected for G2_DMA
+ Depends on [n]: SH_DREAMCAST [=y] && SH_DMA_API [=n]
+ Selected by [y]:
+ - SND_AICA [=y] && SOUND [=y] && SND [=y] && SND_SUPERH [=y] && SH_DREAMCAST [=y]
+
+SND_AICA selects G2_DMA. As the latter depends on SH_DMA_API, the
+former should depend on SH_DMA_API, too.
+
+Fixes: f477a538c14d07f8 ("sh: dma: fix kconfig dependency for G2_DMA")
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202505131320.PzgTtl9H-lkp@intel.com/
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://patch.msgid.link/b90625f8a9078d0d304bafe862cbe3a3fab40082.1747121335.git.geert+renesas@glider.be
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/sh/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/sh/Kconfig b/sound/sh/Kconfig
+index b75fbb3236a7b..f5fa09d740b4c 100644
+--- a/sound/sh/Kconfig
++++ b/sound/sh/Kconfig
+@@ -14,7 +14,7 @@ if SND_SUPERH
+
+ config SND_AICA
+ tristate "Dreamcast Yamaha AICA sound"
+- depends on SH_DREAMCAST
++ depends on SH_DREAMCAST && SH_DMA_API
+ select SND_PCM
+ select G2_DMA
+ help
+--
+2.39.5
+
--- /dev/null
+From f21b39d6ab9b90b8480fab7d819b78eb08a9fd25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Oct 2022 00:14:20 -0700
+Subject: binfmt: Fix whitespace issues
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 8f6e3f9e5a0f58e458a348b7e36af11d0e9702af ]
+
+Fix the annoying whitespace issues that have been following these files
+around for years.
+
+Cc: linux-fsdevel@vger.kernel.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Acked-by: Christian Brauner (Microsoft) <brauner@kernel.org>
+Link: https://lore.kernel.org/r/20221018071350.never.230-kees@kernel.org
+Stable-dep-of: 11854fe263eb ("binfmt_elf: Move brk for static PIE even if ASLR disabled")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/binfmt_elf.c | 14 +++++++-------
+ fs/binfmt_elf_fdpic.c | 2 +-
+ fs/exec.c | 2 +-
+ include/uapi/linux/elf.h | 2 +-
+ 4 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+index 89e7e4826efce..d1cf3d25da4b6 100644
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -248,7 +248,7 @@ create_elf_tables(struct linux_binprm *bprm, const struct elfhdr *exec,
+ } while (0)
+
+ #ifdef ARCH_DLINFO
+- /*
++ /*
+ * ARCH_DLINFO must come first so PPC can do its special alignment of
+ * AUXV.
+ * update AT_VECTOR_SIZE_ARCH if the number of NEW_AUX_ENT() in
+@@ -1021,7 +1021,7 @@ static int load_elf_binary(struct linux_binprm *bprm)
+ executable_stack);
+ if (retval < 0)
+ goto out_free_dentry;
+-
++
+ elf_bss = 0;
+ elf_brk = 0;
+
+@@ -1044,7 +1044,7 @@ static int load_elf_binary(struct linux_binprm *bprm)
+
+ if (unlikely (elf_brk > elf_bss)) {
+ unsigned long nbyte;
+-
++
+ /* There was a PT_LOAD segment with p_memsz > p_filesz
+ before this one. Map anonymous pages, if needed,
+ and clear the area. */
+@@ -1522,7 +1522,7 @@ static void fill_elf_note_phdr(struct elf_phdr *phdr, int sz, loff_t offset)
+ phdr->p_align = 0;
+ }
+
+-static void fill_note(struct memelfnote *note, const char *name, int type,
++static void fill_note(struct memelfnote *note, const char *name, int type,
+ unsigned int sz, void *data)
+ {
+ note->name = name;
+@@ -2005,8 +2005,8 @@ static int elf_dump_thread_status(long signr, struct elf_thread_status *t)
+ t->num_notes = 0;
+
+ fill_prstatus(&t->prstatus.common, p, signr);
+- elf_core_copy_task_regs(p, &t->prstatus.pr_reg);
+-
++ elf_core_copy_task_regs(p, &t->prstatus.pr_reg);
++
+ fill_note(&t->notes[0], "CORE", NT_PRSTATUS, sizeof(t->prstatus),
+ &(t->prstatus));
+ t->num_notes++;
+@@ -2296,7 +2296,7 @@ static int elf_core_dump(struct coredump_params *cprm)
+ if (!elf_core_write_extra_phdrs(cprm, offset))
+ goto end_coredump;
+
+- /* write out the notes section */
++ /* write out the notes section */
+ if (!write_note_info(&info, cprm))
+ goto end_coredump;
+
+diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c
+index c71a409273150..b2d3b6e43bb56 100644
+--- a/fs/binfmt_elf_fdpic.c
++++ b/fs/binfmt_elf_fdpic.c
+@@ -1603,7 +1603,7 @@ static int elf_fdpic_core_dump(struct coredump_params *cprm)
+ if (!elf_core_write_extra_phdrs(cprm, offset))
+ goto end_coredump;
+
+- /* write out the notes section */
++ /* write out the notes section */
+ if (!writenote(thread_list->notes, cprm))
+ goto end_coredump;
+ if (!writenote(&psinfo_note, cprm))
+diff --git a/fs/exec.c b/fs/exec.c
+index 2039414cc6621..b65af8f9a4f9b 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -169,7 +169,7 @@ SYSCALL_DEFINE1(uselib, const char __user *, library)
+ exit:
+ fput(file);
+ out:
+- return error;
++ return error;
+ }
+ #endif /* #ifdef CONFIG_USELIB */
+
+diff --git a/include/uapi/linux/elf.h b/include/uapi/linux/elf.h
+index c7b056af9ef0a..3e5f07be26fc8 100644
+--- a/include/uapi/linux/elf.h
++++ b/include/uapi/linux/elf.h
+@@ -91,7 +91,7 @@ typedef __s64 Elf64_Sxword;
+ #define DT_INIT 12
+ #define DT_FINI 13
+ #define DT_SONAME 14
+-#define DT_RPATH 15
++#define DT_RPATH 15
+ #define DT_SYMBOLIC 16
+ #define DT_REL 17
+ #define DT_RELSZ 18
+--
+2.39.5
+
--- /dev/null
+From 924e00e1d16bcd73f2c3140763c91d08284593d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 May 2024 10:31:47 -0700
+Subject: binfmt_elf: Calculate total_size earlier
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit 2d4cf7b190bbfadd4986bf5c34da17c1a88adf8e ]
+
+In preparation to support PT_LOAD with large p_align values on
+non-PT_INTERP ET_DYN executables (i.e. "static pie"), we'll need to use
+the total_size details earlier. Move this separately now to make the
+next patch more readable. As total_size and load_bias are currently
+calculated separately, this has no behavioral impact.
+
+Link: https://lore.kernel.org/r/20240508173149.677910-2-keescook@chromium.org
+Signed-off-by: Kees Cook <kees@kernel.org>
+Stable-dep-of: 11854fe263eb ("binfmt_elf: Move brk for static PIE even if ASLR disabled")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/binfmt_elf.c | 52 +++++++++++++++++++++++++------------------------
+ 1 file changed, 27 insertions(+), 25 deletions(-)
+
+diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+index ff796910265da..26abe256e91fb 100644
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -1093,7 +1093,34 @@ static int load_elf_binary(struct linux_binprm *bprm)
+ * Header for ET_DYN binaries to calculate the
+ * randomization (load_bias) for all the LOAD
+ * Program Headers.
++ */
++
++ /*
++ * Calculate the entire size of the ELF mapping
++ * (total_size), used for the initial mapping,
++ * due to load_addr_set which is set to true later
++ * once the initial mapping is performed.
++ *
++ * Note that this is only sensible when the LOAD
++ * segments are contiguous (or overlapping). If
++ * used for LOADs that are far apart, this would
++ * cause the holes between LOADs to be mapped,
++ * running the risk of having the mapping fail,
++ * as it would be larger than the ELF file itself.
+ *
++ * As a result, only ET_DYN does this, since
++ * some ET_EXEC (e.g. ia64) may have large virtual
++ * memory holes between LOADs.
++ *
++ */
++ total_size = total_mapping_size(elf_phdata,
++ elf_ex->e_phnum);
++ if (!total_size) {
++ retval = -EINVAL;
++ goto out_free_dentry;
++ }
++
++ /*
+ * There are effectively two types of ET_DYN
+ * binaries: programs (i.e. PIE: ET_DYN with INTERP)
+ * and loaders (ET_DYN without INTERP, since they
+@@ -1134,31 +1161,6 @@ static int load_elf_binary(struct linux_binprm *bprm)
+ * is then page aligned.
+ */
+ load_bias = ELF_PAGESTART(load_bias - vaddr);
+-
+- /*
+- * Calculate the entire size of the ELF mapping
+- * (total_size), used for the initial mapping,
+- * due to load_addr_set which is set to true later
+- * once the initial mapping is performed.
+- *
+- * Note that this is only sensible when the LOAD
+- * segments are contiguous (or overlapping). If
+- * used for LOADs that are far apart, this would
+- * cause the holes between LOADs to be mapped,
+- * running the risk of having the mapping fail,
+- * as it would be larger than the ELF file itself.
+- *
+- * As a result, only ET_DYN does this, since
+- * some ET_EXEC (e.g. ia64) may have large virtual
+- * memory holes between LOADs.
+- *
+- */
+- total_size = total_mapping_size(elf_phdata,
+- elf_ex->e_phnum);
+- if (!total_size) {
+- retval = -EINVAL;
+- goto out_free_dentry;
+- }
+ }
+
+ error = elf_load(bprm->file, load_bias + vaddr, elf_ppnt,
+--
+2.39.5
+
--- /dev/null
+From bd677cad52559f6eaffce48d827bb2eb4c9f0e19 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Sep 2023 20:24:30 -0700
+Subject: binfmt_elf: elf_bss no longer used by load_elf_binary()
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 8ed2ef21ff564cf4a25c098ace510ee6513c9836 ]
+
+With the BSS handled generically via the new filesz/memsz mismatch
+handling logic in elf_load(), elf_bss no longer needs to be tracked.
+Drop the variable.
+
+Cc: Eric Biederman <ebiederm@xmission.com>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: Christian Brauner <brauner@kernel.org>
+Cc: linux-fsdevel@vger.kernel.org
+Cc: linux-mm@kvack.org
+Suggested-by: Eric Biederman <ebiederm@xmission.com>
+Tested-by: Pedro Falcato <pedro.falcato@gmail.com>
+Signed-off-by: Sebastian Ott <sebott@redhat.com>
+Link: https://lore.kernel.org/r/20230929032435.2391507-2-keescook@chromium.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Stable-dep-of: 11854fe263eb ("binfmt_elf: Move brk for static PIE even if ASLR disabled")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/binfmt_elf.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+index ea2968d343bb6..2672b9dca1af0 100644
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -855,7 +855,7 @@ static int load_elf_binary(struct linux_binprm *bprm)
+ unsigned long error;
+ struct elf_phdr *elf_ppnt, *elf_phdata, *interp_elf_phdata = NULL;
+ struct elf_phdr *elf_property_phdata = NULL;
+- unsigned long elf_bss, elf_brk;
++ unsigned long elf_brk;
+ int retval, i;
+ unsigned long elf_entry;
+ unsigned long e_entry;
+@@ -1047,7 +1047,6 @@ static int load_elf_binary(struct linux_binprm *bprm)
+ if (retval < 0)
+ goto out_free_dentry;
+
+- elf_bss = 0;
+ elf_brk = 0;
+
+ start_code = ~0UL;
+@@ -1210,8 +1209,6 @@ static int load_elf_binary(struct linux_binprm *bprm)
+
+ k = elf_ppnt->p_vaddr + elf_ppnt->p_filesz;
+
+- if (k > elf_bss)
+- elf_bss = k;
+ if ((elf_ppnt->p_flags & PF_X) && end_code < k)
+ end_code = k;
+ if (end_data < k)
+@@ -1223,7 +1220,6 @@ static int load_elf_binary(struct linux_binprm *bprm)
+
+ e_entry = elf_ex->e_entry + load_bias;
+ phdr_addr += load_bias;
+- elf_bss += load_bias;
+ elf_brk += load_bias;
+ start_code += load_bias;
+ end_code += load_bias;
+--
+2.39.5
+
--- /dev/null
+From 30221e93aec855721e7b394605728289e7a07950 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 May 2024 10:31:48 -0700
+Subject: binfmt_elf: Honor PT_LOAD alignment for static PIE
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit 3545deff0ec7a37de7ed9632e262598582b140e9 ]
+
+The p_align values in PT_LOAD were ignored for static PIE executables
+(i.e. ET_DYN without PT_INTERP). This is because there is no way to
+request a non-fixed mmap region with a specific alignment. ET_DYN with
+PT_INTERP uses a separate base address (ELF_ET_DYN_BASE) and binfmt_elf
+performs the ASLR itself, which means it can also apply alignment. For
+the mmap region, the address selection happens deep within the vm_mmap()
+implementation (when the requested address is 0).
+
+The earlier attempt to implement this:
+
+ commit 9630f0d60fec ("fs/binfmt_elf: use PT_LOAD p_align values for static PIE")
+ commit 925346c129da ("fs/binfmt_elf: fix PT_LOAD p_align values for loaders")
+
+did not take into account the different base address origins, and were
+eventually reverted:
+
+ aeb7923733d1 ("revert "fs/binfmt_elf: use PT_LOAD p_align values for static PIE"")
+
+In order to get the correct alignment from an mmap base, binfmt_elf must
+perform a 0-address load first, then tear down the mapping and perform
+alignment on the resulting address. Since this is slightly more overhead,
+only do this when it is needed (i.e. the alignment is not the default
+ELF alignment). This does, however, have the benefit of being able to
+use MAP_FIXED_NOREPLACE, to avoid potential collisions.
+
+With this fixed, enable the static PIE self tests again.
+
+Reported-by: H.J. Lu <hjl.tools@gmail.com>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=215275
+Link: https://lore.kernel.org/r/20240508173149.677910-3-keescook@chromium.org
+Signed-off-by: Kees Cook <kees@kernel.org>
+Stable-dep-of: 11854fe263eb ("binfmt_elf: Move brk for static PIE even if ASLR disabled")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/binfmt_elf.c | 42 +++++++++++++++++++++++----
+ tools/testing/selftests/exec/Makefile | 2 +-
+ 2 files changed, 38 insertions(+), 6 deletions(-)
+
+diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+index 26abe256e91fb..fd3d800f69c1c 100644
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -1120,10 +1120,13 @@ static int load_elf_binary(struct linux_binprm *bprm)
+ goto out_free_dentry;
+ }
+
++ /* Calculate any requested alignment. */
++ alignment = maximum_alignment(elf_phdata, elf_ex->e_phnum);
++
+ /*
+ * There are effectively two types of ET_DYN
+- * binaries: programs (i.e. PIE: ET_DYN with INTERP)
+- * and loaders (ET_DYN without INTERP, since they
++ * binaries: programs (i.e. PIE: ET_DYN with PT_INTERP)
++ * and loaders (ET_DYN without PT_INTERP, since they
+ * _are_ the ELF interpreter). The loaders must
+ * be loaded away from programs since the program
+ * may otherwise collide with the loader (especially
+@@ -1143,15 +1146,44 @@ static int load_elf_binary(struct linux_binprm *bprm)
+ * without MAP_FIXED nor MAP_FIXED_NOREPLACE).
+ */
+ if (interpreter) {
++ /* On ET_DYN with PT_INTERP, we do the ASLR. */
+ load_bias = ELF_ET_DYN_BASE;
+ if (current->flags & PF_RANDOMIZE)
+ load_bias += arch_mmap_rnd();
+- alignment = maximum_alignment(elf_phdata, elf_ex->e_phnum);
++ /* Adjust alignment as requested. */
+ if (alignment)
+ load_bias &= ~(alignment - 1);
+ elf_flags |= MAP_FIXED_NOREPLACE;
+- } else
+- load_bias = 0;
++ } else {
++ /*
++ * For ET_DYN without PT_INTERP, we rely on
++ * the architectures's (potentially ASLR) mmap
++ * base address (via a load_bias of 0).
++ *
++ * When a large alignment is requested, we
++ * must do the allocation at address "0" right
++ * now to discover where things will load so
++ * that we can adjust the resulting alignment.
++ * In this case (load_bias != 0), we can use
++ * MAP_FIXED_NOREPLACE to make sure the mapping
++ * doesn't collide with anything.
++ */
++ if (alignment > ELF_MIN_ALIGN) {
++ load_bias = elf_load(bprm->file, 0, elf_ppnt,
++ elf_prot, elf_flags, total_size);
++ if (BAD_ADDR(load_bias)) {
++ retval = IS_ERR_VALUE(load_bias) ?
++ PTR_ERR((void*)load_bias) : -EINVAL;
++ goto out_free_dentry;
++ }
++ vm_munmap(load_bias, total_size);
++ /* Adjust alignment as requested. */
++ if (alignment)
++ load_bias &= ~(alignment - 1);
++ elf_flags |= MAP_FIXED_NOREPLACE;
++ } else
++ load_bias = 0;
++ }
+
+ /*
+ * Since load_bias is used for all subsequent loading
+diff --git a/tools/testing/selftests/exec/Makefile b/tools/testing/selftests/exec/Makefile
+index b54986078d7ea..a705493c04bb7 100644
+--- a/tools/testing/selftests/exec/Makefile
++++ b/tools/testing/selftests/exec/Makefile
+@@ -6,7 +6,7 @@ CFLAGS += -D_GNU_SOURCE
+ ALIGNS := 0x1000 0x200000 0x1000000
+ ALIGN_PIES := $(patsubst %,load_address.%,$(ALIGNS))
+ ALIGN_STATIC_PIES := $(patsubst %,load_address.static.%,$(ALIGNS))
+-ALIGNMENT_TESTS := $(ALIGN_PIES)
++ALIGNMENT_TESTS := $(ALIGN_PIES) $(ALIGN_STATIC_PIES)
+
+ TEST_PROGS := binfmt_script.py
+ TEST_GEN_PROGS := execveat non-regular $(ALIGNMENT_TESTS)
+--
+2.39.5
+
--- /dev/null
+From 731c39b3e501836103b2866f105d437290fe2d72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Feb 2024 22:25:44 -0800
+Subject: binfmt_elf: Leave a gap between .bss and brk
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 2a5eb9995528441447d33838727f6ec1caf08139 ]
+
+Currently the brk starts its randomization immediately after .bss,
+which means there is a chance that when the random offset is 0, linear
+overflows from .bss can reach into the brk area. Leave at least a single
+page gap between .bss and brk (when it has not already been explicitly
+relocated into the mmap range).
+
+Reported-by: <y0un9n132@gmail.com>
+Closes: https://lore.kernel.org/linux-hardening/CA+2EKTVLvc8hDZc+2Yhwmus=dzOUG5E4gV7ayCbu0MPJTZzWkw@mail.gmail.com/
+Link: https://lore.kernel.org/r/20240217062545.1631668-2-keescook@chromium.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Stable-dep-of: 11854fe263eb ("binfmt_elf: Move brk for static PIE even if ASLR disabled")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/binfmt_elf.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+index 2672b9dca1af0..ff796910265da 100644
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -1294,6 +1294,9 @@ static int load_elf_binary(struct linux_binprm *bprm)
+ if (IS_ENABLED(CONFIG_ARCH_HAS_ELF_RANDOMIZE) &&
+ elf_ex->e_type == ET_DYN && !interpreter) {
+ mm->brk = mm->start_brk = ELF_ET_DYN_BASE;
++ } else {
++ /* Otherwise leave a gap between .bss and brk. */
++ mm->brk = mm->start_brk = mm->brk + PAGE_SIZE;
+ }
+
+ mm->brk = mm->start_brk = arch_randomize_brk(mm);
+--
+2.39.5
+
--- /dev/null
+From c2e4a40d2494b57044dd82b182b6cd32b4010aca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Apr 2025 15:45:06 -0700
+Subject: binfmt_elf: Move brk for static PIE even if ASLR disabled
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit 11854fe263eb1b9a8efa33b0c087add7719ea9b4 ]
+
+In commit bbdc6076d2e5 ("binfmt_elf: move brk out of mmap when doing
+direct loader exec"), the brk was moved out of the mmap region when
+loading static PIE binaries (ET_DYN without INTERP). The common case
+for these binaries was testing new ELF loaders, so the brk needed to
+be away from mmap to avoid colliding with stack, future mmaps (of the
+loader-loaded binary), etc. But this was only done when ASLR was enabled,
+in an attempt to minimize changes to memory layouts.
+
+After adding support to respect alignment requirements for static PIE
+binaries in commit 3545deff0ec7 ("binfmt_elf: Honor PT_LOAD alignment
+for static PIE"), it became possible to have a large gap after the
+final PT_LOAD segment and the top of the mmap region. This means that
+future mmap allocations might go after the last PT_LOAD segment (where
+brk might be if ASLR was disabled) instead of before them (where they
+traditionally ended up).
+
+On arm64, running with ASLR disabled, Ubuntu 22.04's "ldconfig" binary,
+a static PIE, has alignment requirements that leaves a gap large enough
+after the last PT_LOAD segment to fit the vdso and vvar, but still leave
+enough space for the brk (which immediately follows the last PT_LOAD
+segment) to be allocated by the binary.
+
+fffff7f20000-fffff7fde000 r-xp 00000000 fe:02 8110426 /sbin/ldconfig.real
+fffff7fee000-fffff7ff5000 rw-p 000be000 fe:02 8110426 /sbin/ldconfig.real
+fffff7ff5000-fffff7ffa000 rw-p 00000000 00:00 0
+***[brk will go here at fffff7ffa000]***
+fffff7ffc000-fffff7ffe000 r--p 00000000 00:00 0 [vvar]
+fffff7ffe000-fffff8000000 r-xp 00000000 00:00 0 [vdso]
+fffffffdf000-1000000000000 rw-p 00000000 00:00 0 [stack]
+
+After commit 0b3bc3354eb9 ("arm64: vdso: Switch to generic storage
+implementation"), the arm64 vvar grew slightly, and suddenly the brk
+collided with the allocation.
+
+fffff7f20000-fffff7fde000 r-xp 00000000 fe:02 8110426 /sbin/ldconfig.real
+fffff7fee000-fffff7ff5000 rw-p 000be000 fe:02 8110426 /sbin/ldconfig.real
+fffff7ff5000-fffff7ffa000 rw-p 00000000 00:00 0
+***[oops, no room any more, vvar is at fffff7ffa000!]***
+fffff7ffa000-fffff7ffe000 r--p 00000000 00:00 0 [vvar]
+fffff7ffe000-fffff8000000 r-xp 00000000 00:00 0 [vdso]
+fffffffdf000-1000000000000 rw-p 00000000 00:00 0 [stack]
+
+The solution is to unconditionally move the brk out of the mmap region
+for static PIE binaries. Whether ASLR is enabled or not does not change if
+there may be future mmap allocation collisions with a growing brk region.
+
+Update memory layout comments (with kernel-doc headings), consolidate
+the setting of mm->brk to later (it isn't needed early), move static PIE
+brk out of mmap unconditionally, and make sure brk(2) knows to base brk
+position off of mm->start_brk not mm->end_data no matter what the cause of
+moving it is (via current->brk_randomized).
+
+For the CONFIG_COMPAT_BRK case, though, leave the logic unchanged, as we
+can never safely move the brk. These systems, however, are not using
+specially aligned static PIE binaries.
+
+Reported-by: Ryan Roberts <ryan.roberts@arm.com>
+Closes: https://lore.kernel.org/lkml/f93db308-4a0e-4806-9faf-98f890f5a5e6@arm.com/
+Fixes: bbdc6076d2e5 ("binfmt_elf: move brk out of mmap when doing direct loader exec")
+Link: https://lore.kernel.org/r/20250425224502.work.520-kees@kernel.org
+Reviewed-by: Ryan Roberts <ryan.roberts@arm.com>
+Tested-by: Ryan Roberts <ryan.roberts@arm.com>
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/binfmt_elf.c | 71 ++++++++++++++++++++++++++++++++-----------------
+ 1 file changed, 47 insertions(+), 24 deletions(-)
+
+diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+index fd3d800f69c1c..762704eed9ce9 100644
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -856,6 +856,7 @@ static int load_elf_binary(struct linux_binprm *bprm)
+ struct elf_phdr *elf_ppnt, *elf_phdata, *interp_elf_phdata = NULL;
+ struct elf_phdr *elf_property_phdata = NULL;
+ unsigned long elf_brk;
++ bool brk_moved = false;
+ int retval, i;
+ unsigned long elf_entry;
+ unsigned long e_entry;
+@@ -1123,15 +1124,19 @@ static int load_elf_binary(struct linux_binprm *bprm)
+ /* Calculate any requested alignment. */
+ alignment = maximum_alignment(elf_phdata, elf_ex->e_phnum);
+
+- /*
+- * There are effectively two types of ET_DYN
+- * binaries: programs (i.e. PIE: ET_DYN with PT_INTERP)
+- * and loaders (ET_DYN without PT_INTERP, since they
+- * _are_ the ELF interpreter). The loaders must
+- * be loaded away from programs since the program
+- * may otherwise collide with the loader (especially
+- * for ET_EXEC which does not have a randomized
+- * position). For example to handle invocations of
++ /**
++ * DOC: PIE handling
++ *
++ * There are effectively two types of ET_DYN ELF
++ * binaries: programs (i.e. PIE: ET_DYN with
++ * PT_INTERP) and loaders (i.e. static PIE: ET_DYN
++ * without PT_INTERP, usually the ELF interpreter
++ * itself). Loaders must be loaded away from programs
++ * since the program may otherwise collide with the
++ * loader (especially for ET_EXEC which does not have
++ * a randomized position).
++ *
++ * For example, to handle invocations of
+ * "./ld.so someprog" to test out a new version of
+ * the loader, the subsequent program that the
+ * loader loads must avoid the loader itself, so
+@@ -1144,6 +1149,9 @@ static int load_elf_binary(struct linux_binprm *bprm)
+ * ELF_ET_DYN_BASE and loaders are loaded into the
+ * independently randomized mmap region (0 load_bias
+ * without MAP_FIXED nor MAP_FIXED_NOREPLACE).
++ *
++ * See below for "brk" handling details, which is
++ * also affected by program vs loader and ASLR.
+ */
+ if (interpreter) {
+ /* On ET_DYN with PT_INTERP, we do the ASLR. */
+@@ -1260,8 +1268,6 @@ static int load_elf_binary(struct linux_binprm *bprm)
+ start_data += load_bias;
+ end_data += load_bias;
+
+- current->mm->start_brk = current->mm->brk = ELF_PAGEALIGN(elf_brk);
+-
+ if (interpreter) {
+ elf_entry = load_elf_interp(interp_elf_ex,
+ interpreter,
+@@ -1317,27 +1323,44 @@ static int load_elf_binary(struct linux_binprm *bprm)
+ mm->end_data = end_data;
+ mm->start_stack = bprm->p;
+
+- if ((current->flags & PF_RANDOMIZE) && (snapshot_randomize_va_space > 1)) {
++ /**
++ * DOC: "brk" handling
++ *
++ * For architectures with ELF randomization, when executing a
++ * loader directly (i.e. static PIE: ET_DYN without PT_INTERP),
++ * move the brk area out of the mmap region and into the unused
++ * ELF_ET_DYN_BASE region. Since "brk" grows up it may collide
++ * early with the stack growing down or other regions being put
++ * into the mmap region by the kernel (e.g. vdso).
++ *
++ * In the CONFIG_COMPAT_BRK case, though, everything is turned
++ * off because we're not allowed to move the brk at all.
++ */
++ if (!IS_ENABLED(CONFIG_COMPAT_BRK) &&
++ IS_ENABLED(CONFIG_ARCH_HAS_ELF_RANDOMIZE) &&
++ elf_ex->e_type == ET_DYN && !interpreter) {
++ elf_brk = ELF_ET_DYN_BASE;
++ /* This counts as moving the brk, so let brk(2) know. */
++ brk_moved = true;
++ }
++ mm->start_brk = mm->brk = ELF_PAGEALIGN(elf_brk);
++
++ if ((current->flags & PF_RANDOMIZE) && snapshot_randomize_va_space > 1) {
+ /*
+- * For architectures with ELF randomization, when executing
+- * a loader directly (i.e. no interpreter listed in ELF
+- * headers), move the brk area out of the mmap region
+- * (since it grows up, and may collide early with the stack
+- * growing down), and into the unused ELF_ET_DYN_BASE region.
++ * If we didn't move the brk to ELF_ET_DYN_BASE (above),
++ * leave a gap between .bss and brk.
+ */
+- if (IS_ENABLED(CONFIG_ARCH_HAS_ELF_RANDOMIZE) &&
+- elf_ex->e_type == ET_DYN && !interpreter) {
+- mm->brk = mm->start_brk = ELF_ET_DYN_BASE;
+- } else {
+- /* Otherwise leave a gap between .bss and brk. */
++ if (!brk_moved)
+ mm->brk = mm->start_brk = mm->brk + PAGE_SIZE;
+- }
+
+ mm->brk = mm->start_brk = arch_randomize_brk(mm);
++ brk_moved = true;
++ }
++
+ #ifdef compat_brk_randomized
++ if (brk_moved)
+ current->brk_randomized = 1;
+ #endif
+- }
+
+ if (current->personality & MMAP_PAGE_ZERO) {
+ /* Why this, you ask??? Well SVr4 maps page 0 as read-only,
+--
+2.39.5
+
--- /dev/null
+From 4a2d3f95f6153e4126bdc1d31d3ffb30203410da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Sep 2023 20:24:29 -0700
+Subject: binfmt_elf: Support segments with 0 filesz and misaligned starts
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Eric W. Biederman <ebiederm@xmission.com>
+
+[ Upstream commit 585a018627b4d7ed37387211f667916840b5c5ea ]
+
+Implement a helper elf_load() that wraps elf_map() and performs all
+of the necessary work to ensure that when "memsz > filesz" the bytes
+described by "memsz > filesz" are zeroed.
+
+An outstanding issue is if the first segment has filesz 0, and has a
+randomized location. But that is the same as today.
+
+In this change I replaced an open coded padzero() that did not clear
+all of the way to the end of the page, with padzero() that does.
+
+I also stopped checking the return of padzero() as there is at least
+one known case where testing for failure is the wrong thing to do.
+It looks like binfmt_elf_fdpic may have the proper set of tests
+for when error handling can be safely completed.
+
+I found a couple of commits in the old history
+https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git,
+that look very interesting in understanding this code.
+
+commit 39b56d902bf3 ("[PATCH] binfmt_elf: clearing bss may fail")
+commit c6e2227e4a3e ("[SPARC64]: Missing user access return value checks in fs/binfmt_elf.c and fs/compat.c")
+commit 5bf3be033f50 ("v2.4.10.1 -> v2.4.10.2")
+
+Looking at commit 39b56d902bf3 ("[PATCH] binfmt_elf: clearing bss may fail"):
+> commit 39b56d902bf35241e7cba6cc30b828ed937175ad
+> Author: Pavel Machek <pavel@ucw.cz>
+> Date: Wed Feb 9 22:40:30 2005 -0800
+>
+> [PATCH] binfmt_elf: clearing bss may fail
+>
+> So we discover that Borland's Kylix application builder emits weird elf
+> files which describe a non-writeable bss segment.
+>
+> So remove the clear_user() check at the place where we zero out the bss. I
+> don't _think_ there are any security implications here (plus we've never
+> checked that clear_user() return value, so whoops if it is a problem).
+>
+> Signed-off-by: Pavel Machek <pavel@suse.cz>
+> Signed-off-by: Andrew Morton <akpm@osdl.org>
+> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+
+It seems pretty clear that binfmt_elf_fdpic with skipping clear_user() for
+non-writable segments and otherwise calling clear_user(), aka padzero(),
+and checking it's return code is the right thing to do.
+
+I just skipped the error checking as that avoids breaking things.
+
+And notably, it looks like Borland's Kylix died in 2005 so it might be
+safe to just consider read-only segments with memsz > filesz an error.
+
+Reported-by: Sebastian Ott <sebott@redhat.com>
+Reported-by: Thomas Weißschuh <linux@weissschuh.net>
+Closes: https://lkml.kernel.org/r/20230914-bss-alloc-v1-1-78de67d2c6dd@weissschuh.net
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Link: https://lore.kernel.org/r/87sf71f123.fsf@email.froward.int.ebiederm.org
+Tested-by: Pedro Falcato <pedro.falcato@gmail.com>
+Signed-off-by: Sebastian Ott <sebott@redhat.com>
+Link: https://lore.kernel.org/r/20230929032435.2391507-1-keescook@chromium.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Stable-dep-of: 11854fe263eb ("binfmt_elf: Move brk for static PIE even if ASLR disabled")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/binfmt_elf.c | 111 +++++++++++++++++++++---------------------------
+ 1 file changed, 48 insertions(+), 63 deletions(-)
+
+diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+index d1cf3d25da4b6..ea2968d343bb6 100644
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -109,25 +109,6 @@ static struct linux_binfmt elf_format = {
+
+ #define BAD_ADDR(x) (unlikely((unsigned long)(x) >= TASK_SIZE))
+
+-static int set_brk(unsigned long start, unsigned long end, int prot)
+-{
+- start = ELF_PAGEALIGN(start);
+- end = ELF_PAGEALIGN(end);
+- if (end > start) {
+- /*
+- * Map the last of the bss segment.
+- * If the header is requesting these pages to be
+- * executable, honour that (ppc32 needs this).
+- */
+- int error = vm_brk_flags(start, end - start,
+- prot & PROT_EXEC ? VM_EXEC : 0);
+- if (error)
+- return error;
+- }
+- current->mm->start_brk = current->mm->brk = end;
+- return 0;
+-}
+-
+ /* We need to explicitly zero any fractional pages
+ after the data section (i.e. bss). This would
+ contain the junk from the file that should not
+@@ -401,6 +382,51 @@ static unsigned long elf_map(struct file *filep, unsigned long addr,
+ return(map_addr);
+ }
+
++static unsigned long elf_load(struct file *filep, unsigned long addr,
++ const struct elf_phdr *eppnt, int prot, int type,
++ unsigned long total_size)
++{
++ unsigned long zero_start, zero_end;
++ unsigned long map_addr;
++
++ if (eppnt->p_filesz) {
++ map_addr = elf_map(filep, addr, eppnt, prot, type, total_size);
++ if (BAD_ADDR(map_addr))
++ return map_addr;
++ if (eppnt->p_memsz > eppnt->p_filesz) {
++ zero_start = map_addr + ELF_PAGEOFFSET(eppnt->p_vaddr) +
++ eppnt->p_filesz;
++ zero_end = map_addr + ELF_PAGEOFFSET(eppnt->p_vaddr) +
++ eppnt->p_memsz;
++
++ /* Zero the end of the last mapped page */
++ padzero(zero_start);
++ }
++ } else {
++ map_addr = zero_start = ELF_PAGESTART(addr);
++ zero_end = zero_start + ELF_PAGEOFFSET(eppnt->p_vaddr) +
++ eppnt->p_memsz;
++ }
++ if (eppnt->p_memsz > eppnt->p_filesz) {
++ /*
++ * Map the last of the segment.
++ * If the header is requesting these pages to be
++ * executable, honour that (ppc32 needs this).
++ */
++ int error;
++
++ zero_start = ELF_PAGEALIGN(zero_start);
++ zero_end = ELF_PAGEALIGN(zero_end);
++
++ error = vm_brk_flags(zero_start, zero_end - zero_start,
++ prot & PROT_EXEC ? VM_EXEC : 0);
++ if (error)
++ map_addr = error;
++ }
++ return map_addr;
++}
++
++
+ static unsigned long total_mapping_size(const struct elf_phdr *phdr, int nr)
+ {
+ elf_addr_t min_addr = -1;
+@@ -830,7 +856,6 @@ static int load_elf_binary(struct linux_binprm *bprm)
+ struct elf_phdr *elf_ppnt, *elf_phdata, *interp_elf_phdata = NULL;
+ struct elf_phdr *elf_property_phdata = NULL;
+ unsigned long elf_bss, elf_brk;
+- int bss_prot = 0;
+ int retval, i;
+ unsigned long elf_entry;
+ unsigned long e_entry;
+@@ -1042,33 +1067,6 @@ static int load_elf_binary(struct linux_binprm *bprm)
+ if (elf_ppnt->p_type != PT_LOAD)
+ continue;
+
+- if (unlikely (elf_brk > elf_bss)) {
+- unsigned long nbyte;
+-
+- /* There was a PT_LOAD segment with p_memsz > p_filesz
+- before this one. Map anonymous pages, if needed,
+- and clear the area. */
+- retval = set_brk(elf_bss + load_bias,
+- elf_brk + load_bias,
+- bss_prot);
+- if (retval)
+- goto out_free_dentry;
+- nbyte = ELF_PAGEOFFSET(elf_bss);
+- if (nbyte) {
+- nbyte = ELF_MIN_ALIGN - nbyte;
+- if (nbyte > elf_brk - elf_bss)
+- nbyte = elf_brk - elf_bss;
+- if (clear_user((void __user *)elf_bss +
+- load_bias, nbyte)) {
+- /*
+- * This bss-zeroing can fail if the ELF
+- * file specifies odd protections. So
+- * we don't check the return value
+- */
+- }
+- }
+- }
+-
+ elf_prot = make_prot(elf_ppnt->p_flags, &arch_state,
+ !!interpreter, false);
+
+@@ -1164,7 +1162,7 @@ static int load_elf_binary(struct linux_binprm *bprm)
+ }
+ }
+
+- error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
++ error = elf_load(bprm->file, load_bias + vaddr, elf_ppnt,
+ elf_prot, elf_flags, total_size);
+ if (BAD_ADDR(error)) {
+ retval = IS_ERR((void *)error) ?
+@@ -1219,10 +1217,8 @@ static int load_elf_binary(struct linux_binprm *bprm)
+ if (end_data < k)
+ end_data = k;
+ k = elf_ppnt->p_vaddr + elf_ppnt->p_memsz;
+- if (k > elf_brk) {
+- bss_prot = elf_prot;
++ if (k > elf_brk)
+ elf_brk = k;
+- }
+ }
+
+ e_entry = elf_ex->e_entry + load_bias;
+@@ -1234,18 +1230,7 @@ static int load_elf_binary(struct linux_binprm *bprm)
+ start_data += load_bias;
+ end_data += load_bias;
+
+- /* Calling set_brk effectively mmaps the pages that we need
+- * for the bss and break sections. We must do this before
+- * mapping in the interpreter, to make sure it doesn't wind
+- * up getting placed where the bss needs to go.
+- */
+- retval = set_brk(elf_bss, elf_brk, bss_prot);
+- if (retval)
+- goto out_free_dentry;
+- if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
+- retval = -EFAULT; /* Nobody gets to see this, but.. */
+- goto out_free_dentry;
+- }
++ current->mm->start_brk = current->mm->brk = ELF_PAGEALIGN(elf_brk);
+
+ if (interpreter) {
+ elf_entry = load_elf_interp(interp_elf_ex,
+--
+2.39.5
+
--- /dev/null
+From d5d364a05073f22d9252a8ad86162d1dcf7a4ff0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Apr 2025 15:31:16 +0200
+Subject: clocksource/i8253: Use raw_spinlock_irqsave() in
+ clockevent_i8253_disable()
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit 94cff94634e506a4a44684bee1875d2dbf782722 ]
+
+On x86 during boot, clockevent_i8253_disable() can be invoked via
+x86_late_time_init -> hpet_time_init() -> pit_timer_init() which happens
+with enabled interrupts.
+
+If some of the old i8253 hardware is actually used then lockdep will notice
+that i8253_lock is used in hard interrupt context. This causes lockdep to
+complain because it observed the lock being acquired with interrupts
+enabled and in hard interrupt context.
+
+Make clockevent_i8253_disable() acquire the lock with
+raw_spinlock_irqsave() to cure this.
+
+[ tglx: Massage change log and use guard() ]
+
+Fixes: c8c4076723dac ("x86/timer: Skip PIT initialization on modern chipsets")
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20250404133116.p-XRWJXf@linutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clocksource/i8253.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/clocksource/i8253.c b/drivers/clocksource/i8253.c
+index 39f7c2d736d16..b603c25f3dfaa 100644
+--- a/drivers/clocksource/i8253.c
++++ b/drivers/clocksource/i8253.c
+@@ -103,7 +103,7 @@ int __init clocksource_i8253_init(void)
+ #ifdef CONFIG_CLKEVT_I8253
+ void clockevent_i8253_disable(void)
+ {
+- raw_spin_lock(&i8253_lock);
++ guard(raw_spinlock_irqsave)(&i8253_lock);
+
+ /*
+ * Writing the MODE register should stop the counter, according to
+@@ -132,8 +132,6 @@ void clockevent_i8253_disable(void)
+ outb_p(0, PIT_CH0);
+
+ outb_p(0x30, PIT_MODE);
+-
+- raw_spin_unlock(&i8253_lock);
+ }
+
+ static int pit_shutdown(struct clock_event_device *evt)
+--
+2.39.5
+
--- /dev/null
+From 73a5b69a42c68d8e7767fbbfc5c678fbf835673d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Nov 2024 21:26:56 -0600
+Subject: drm/amd: Add Suspend/Hibernate notification callback support
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit 2965e6355dcdf157b5fafa25a2715f00064da8bf ]
+
+As part of the suspend sequence VRAM needs to be evicted on dGPUs.
+In order to make suspend/resume more reliable we moved this into
+the pmops prepare() callback so that the suspend sequence would fail
+but the system could remain operational under high memory usage suspend.
+
+Another class of issues exist though where due to memory fragementation
+there isn't a large enough contiguous space and swap isn't accessible.
+
+Add support for a suspend/hibernate notification callback that could
+evict VRAM before tasks are frozen. This should allow paging out to swap
+if necessary.
+
+Link: https://github.com/ROCm/ROCK-Kernel-Driver/issues/174
+Link: https://gitlab.freedesktop.org/drm/amd/-/issues/3476
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/2362
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3781
+Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
+Link: https://lore.kernel.org/r/20241128032656.2090059-2-superm1@kernel.org
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Stable-dep-of: d0ce1aaa8531 ("Revert "drm/amd: Stop evicting resources on APUs in suspend"")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu.h | 1 +
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 46 +++++++++++++++++++++-
+ drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 1 -
+ 3 files changed, 46 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu.h b/drivers/gpu/drm/amd/amdgpu/amdgpu.h
+index 705703bab2fdd..019a83c7170d4 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu.h
+@@ -781,6 +781,7 @@ struct amdgpu_device {
+ bool need_swiotlb;
+ bool accel_working;
+ struct notifier_block acpi_nb;
++ struct notifier_block pm_nb;
+ struct amdgpu_i2c_chan *i2c_bus[AMDGPU_MAX_I2C_BUS];
+ struct debugfs_blob_wrapper debugfs_vbios_blob;
+ struct debugfs_blob_wrapper debugfs_discovery_blob;
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+index aac0e49f77c7f..32c571e9288ae 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -140,6 +140,8 @@ const char *amdgpu_asic_name[] = {
+ };
+
+ static inline void amdgpu_device_stop_pending_resets(struct amdgpu_device *adev);
++static int amdgpu_device_pm_notifier(struct notifier_block *nb, unsigned long mode,
++ void *data);
+
+ /**
+ * DOC: pcie_replay_count
+@@ -3992,6 +3994,11 @@ int amdgpu_device_init(struct amdgpu_device *adev,
+
+ amdgpu_device_check_iommu_direct_map(adev);
+
++ adev->pm_nb.notifier_call = amdgpu_device_pm_notifier;
++ r = register_pm_notifier(&adev->pm_nb);
++ if (r)
++ goto failed;
++
+ return 0;
+
+ release_ras_con:
+@@ -4053,6 +4060,8 @@ void amdgpu_device_fini_hw(struct amdgpu_device *adev)
+ flush_delayed_work(&adev->delayed_init_work);
+ adev->shutdown = true;
+
++ unregister_pm_notifier(&adev->pm_nb);
++
+ /* make sure IB test finished before entering exclusive mode
+ * to avoid preemption on IB test
+ * */
+@@ -4183,6 +4192,41 @@ static int amdgpu_device_evict_resources(struct amdgpu_device *adev)
+ /*
+ * Suspend & resume.
+ */
++/**
++ * amdgpu_device_pm_notifier - Notification block for Suspend/Hibernate events
++ * @nb: notifier block
++ * @mode: suspend mode
++ * @data: data
++ *
++ * This function is called when the system is about to suspend or hibernate.
++ * It is used to evict resources from the device before the system goes to
++ * sleep while there is still access to swap.
++ */
++static int amdgpu_device_pm_notifier(struct notifier_block *nb, unsigned long mode,
++ void *data)
++{
++ struct amdgpu_device *adev = container_of(nb, struct amdgpu_device, pm_nb);
++ int r;
++
++ switch (mode) {
++ case PM_HIBERNATION_PREPARE:
++ adev->in_s4 = true;
++ fallthrough;
++ case PM_SUSPEND_PREPARE:
++ r = amdgpu_device_evict_resources(adev);
++ /*
++ * This is considered non-fatal at this time because
++ * amdgpu_device_prepare() will also fatally evict resources.
++ * See https://gitlab.freedesktop.org/drm/amd/-/issues/3781
++ */
++ if (r)
++ drm_warn(adev_to_drm(adev), "Failed to evict resources, freeze active processes if problems occur: %d\n", r);
++ break;
++ }
++
++ return NOTIFY_DONE;
++}
++
+ /**
+ * amdgpu_device_prepare - prepare for device suspend
+ *
+@@ -4222,7 +4266,7 @@ int amdgpu_device_prepare(struct drm_device *dev)
+ return 0;
+
+ unprepare:
+- adev->in_s0ix = adev->in_s3 = false;
++ adev->in_s0ix = adev->in_s3 = adev->in_s4 = false;
+
+ return r;
+ }
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+index 0a85a59519cac..06958608c9849 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+@@ -2468,7 +2468,6 @@ static int amdgpu_pmops_freeze(struct device *dev)
+ struct amdgpu_device *adev = drm_to_adev(drm_dev);
+ int r;
+
+- adev->in_s4 = true;
+ r = amdgpu_device_suspend(drm_dev, true);
+ if (r)
+ return r;
+--
+2.39.5
+
--- /dev/null
+From 12ab9da2db8125c559eb2fb9a8dd53f114d9419f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Feb 2024 23:52:55 -0600
+Subject: drm/amd: Stop evicting resources on APUs in suspend
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit 226db36032c61d8717dfdd052adac351b22d3e83 ]
+
+commit 5095d5418193 ("drm/amd: Evict resources during PM ops prepare()
+callback") intentionally moved the eviction of resources to earlier in
+the suspend process, but this introduced a subtle change that it occurs
+before adev->in_s0ix or adev->in_s3 are set. This meant that APUs
+actually started to evict resources at suspend time as well.
+
+Explicitly set s0ix or s3 in the prepare() stage, and unset them if the
+prepare() stage failed.
+
+v2: squash in warning fix from Stephen Rothwell
+
+Reported-by: Jürg Billeter <j@bitron.ch>
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3132#note_2271038
+Fixes: 5095d5418193 ("drm/amd: Evict resources during PM ops prepare() callback")
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Stable-dep-of: d0ce1aaa8531 ("Revert "drm/amd: Stop evicting resources on APUs in suspend"")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu.h | 2 ++
+ drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 15 +++++++++++++++
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 11 +++++++++--
+ 3 files changed, 26 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu.h b/drivers/gpu/drm/amd/amdgpu/amdgpu.h
+index dd22d2559720c..705703bab2fdd 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu.h
+@@ -1408,9 +1408,11 @@ static inline int amdgpu_acpi_smart_shift_update(struct drm_device *dev,
+ #if defined(CONFIG_ACPI) && defined(CONFIG_SUSPEND)
+ bool amdgpu_acpi_is_s3_active(struct amdgpu_device *adev);
+ bool amdgpu_acpi_is_s0ix_active(struct amdgpu_device *adev);
++void amdgpu_choose_low_power_state(struct amdgpu_device *adev);
+ #else
+ static inline bool amdgpu_acpi_is_s0ix_active(struct amdgpu_device *adev) { return false; }
+ static inline bool amdgpu_acpi_is_s3_active(struct amdgpu_device *adev) { return false; }
++static inline void amdgpu_choose_low_power_state(struct amdgpu_device *adev) { }
+ #endif
+
+ #if defined(CONFIG_DRM_AMD_DC)
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c
+index 5fa7f6d8aa309..70d761f79770d 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c
+@@ -1118,4 +1118,19 @@ bool amdgpu_acpi_is_s0ix_active(struct amdgpu_device *adev)
+ #endif /* CONFIG_AMD_PMC */
+ }
+
++/**
++ * amdgpu_choose_low_power_state
++ *
++ * @adev: amdgpu_device_pointer
++ *
++ * Choose the target low power state for the GPU
++ */
++void amdgpu_choose_low_power_state(struct amdgpu_device *adev)
++{
++ if (amdgpu_acpi_is_s0ix_active(adev))
++ adev->in_s0ix = true;
++ else if (amdgpu_acpi_is_s3_active(adev))
++ adev->in_s3 = true;
++}
++
+ #endif /* CONFIG_SUSPEND */
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+index fcd0c61499f89..52f4ef4e8b4b0 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -4195,13 +4195,15 @@ int amdgpu_device_prepare(struct drm_device *dev)
+ struct amdgpu_device *adev = drm_to_adev(dev);
+ int i, r;
+
++ amdgpu_choose_low_power_state(adev);
++
+ if (dev->switch_power_state == DRM_SWITCH_POWER_OFF)
+ return 0;
+
+ /* Evict the majority of BOs before starting suspend sequence */
+ r = amdgpu_device_evict_resources(adev);
+ if (r)
+- return r;
++ goto unprepare;
+
+ flush_delayed_work(&adev->gfx.gfx_off_delay_work);
+
+@@ -4212,10 +4214,15 @@ int amdgpu_device_prepare(struct drm_device *dev)
+ continue;
+ r = adev->ip_blocks[i].version->funcs->prepare_suspend((void *)adev);
+ if (r)
+- return r;
++ goto unprepare;
+ }
+
+ return 0;
++
++unprepare:
++ adev->in_s0ix = adev->in_s3 = false;
++
++ return r;
+ }
+
+ /**
+--
+2.39.5
+
--- /dev/null
+From c9669c17b92e3546b8551d6c5f9f55b21a73ed81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Feb 2024 17:16:49 +0800
+Subject: drm/amdgpu: Fix the runtime resume failure issue
+
+From: Ma Jun <Jun.Ma2@amd.com>
+
+[ Upstream commit bbfaf2aea7164db59739728d62d9cc91d64ff856 ]
+
+Don't set power state flag when system enter runtime suspend,
+or it may cause runtime resume failure issue.
+
+Fixes: 3a9626c816db ("drm/amd: Stop evicting resources on APUs in suspend")
+Signed-off-by: Ma Jun <Jun.Ma2@amd.com>
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Stable-dep-of: d0ce1aaa8531 ("Revert "drm/amd: Stop evicting resources on APUs in suspend"")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c
+index 70d761f79770d..46916680f044b 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c
+@@ -1127,6 +1127,9 @@ bool amdgpu_acpi_is_s0ix_active(struct amdgpu_device *adev)
+ */
+ void amdgpu_choose_low_power_state(struct amdgpu_device *adev)
+ {
++ if (adev->in_runpm)
++ return;
++
+ if (amdgpu_acpi_is_s0ix_active(adev))
+ adev->in_s0ix = true;
+ else if (amdgpu_acpi_is_s3_active(adev))
+--
+2.39.5
+
--- /dev/null
+From e0615f932a0a0dd2f4f7d0a5a77740b4caacfa6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Feb 2024 16:04:35 -0500
+Subject: drm/amdgpu: trigger flr_work if reading pf2vf data failed
+
+From: Zhigang Luo <Zhigang.Luo@amd.com>
+
+[ Upstream commit ab66c832847fcdffc97d4591ba5547e3990d9d33 ]
+
+if reading pf2vf data failed 30 times continuously, it means something is
+wrong. Need to trigger flr_work to recover the issue.
+
+also use dev_err to print the error message to get which device has
+issue and add warning message if waiting IDH_FLR_NOTIFICATION_CMPL
+timeout.
+
+Signed-off-by: Zhigang Luo <Zhigang.Luo@amd.com>
+Acked-by: Hawking Zhang <Hawking.Zhang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Stable-dep-of: d0ce1aaa8531 ("Revert "drm/amd: Stop evicting resources on APUs in suspend"")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 15 +++++++----
+ drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c | 29 ++++++++++++++++++----
+ drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h | 3 +++
+ drivers/gpu/drm/amd/amdgpu/mxgpu_ai.c | 2 ++
+ drivers/gpu/drm/amd/amdgpu/mxgpu_nv.c | 2 ++
+ 5 files changed, 41 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+index 52f4ef4e8b4b0..aac0e49f77c7f 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -139,6 +139,8 @@ const char *amdgpu_asic_name[] = {
+ "LAST",
+ };
+
++static inline void amdgpu_device_stop_pending_resets(struct amdgpu_device *adev);
++
+ /**
+ * DOC: pcie_replay_count
+ *
+@@ -4638,6 +4640,8 @@ static int amdgpu_device_reset_sriov(struct amdgpu_device *adev,
+ retry:
+ amdgpu_amdkfd_pre_reset(adev);
+
++ amdgpu_device_stop_pending_resets(adev);
++
+ if (from_hypervisor)
+ r = amdgpu_virt_request_full_gpu(adev, true);
+ else
+@@ -5509,11 +5513,12 @@ int amdgpu_device_gpu_recover(struct amdgpu_device *adev,
+ tmp_adev->asic_reset_res = r;
+ }
+
+- /*
+- * Drop all pending non scheduler resets. Scheduler resets
+- * were already dropped during drm_sched_stop
+- */
+- amdgpu_device_stop_pending_resets(tmp_adev);
++ if (!amdgpu_sriov_vf(tmp_adev))
++ /*
++ * Drop all pending non scheduler resets. Scheduler resets
++ * were already dropped during drm_sched_stop
++ */
++ amdgpu_device_stop_pending_resets(tmp_adev);
+ }
+
+ tmp_vram_lost_counter = atomic_read(&((adev)->vram_lost_counter));
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c
+index d7b76a3d2d558..6174bef0ecb88 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c
+@@ -32,6 +32,7 @@
+
+ #include "amdgpu.h"
+ #include "amdgpu_ras.h"
++#include "amdgpu_reset.h"
+ #include "vi.h"
+ #include "soc15.h"
+ #include "nv.h"
+@@ -456,7 +457,7 @@ static int amdgpu_virt_read_pf2vf_data(struct amdgpu_device *adev)
+ return -EINVAL;
+
+ if (pf2vf_info->size > 1024) {
+- DRM_ERROR("invalid pf2vf message size\n");
++ dev_err(adev->dev, "invalid pf2vf message size: 0x%x\n", pf2vf_info->size);
+ return -EINVAL;
+ }
+
+@@ -467,7 +468,9 @@ static int amdgpu_virt_read_pf2vf_data(struct amdgpu_device *adev)
+ adev->virt.fw_reserve.p_pf2vf, pf2vf_info->size,
+ adev->virt.fw_reserve.checksum_key, checksum);
+ if (checksum != checkval) {
+- DRM_ERROR("invalid pf2vf message\n");
++ dev_err(adev->dev,
++ "invalid pf2vf message: header checksum=0x%x calculated checksum=0x%x\n",
++ checksum, checkval);
+ return -EINVAL;
+ }
+
+@@ -481,7 +484,9 @@ static int amdgpu_virt_read_pf2vf_data(struct amdgpu_device *adev)
+ adev->virt.fw_reserve.p_pf2vf, pf2vf_info->size,
+ 0, checksum);
+ if (checksum != checkval) {
+- DRM_ERROR("invalid pf2vf message\n");
++ dev_err(adev->dev,
++ "invalid pf2vf message: header checksum=0x%x calculated checksum=0x%x\n",
++ checksum, checkval);
+ return -EINVAL;
+ }
+
+@@ -517,7 +522,7 @@ static int amdgpu_virt_read_pf2vf_data(struct amdgpu_device *adev)
+ ((struct amd_sriov_msg_pf2vf_info *)pf2vf_info)->uuid;
+ break;
+ default:
+- DRM_ERROR("invalid pf2vf version\n");
++ dev_err(adev->dev, "invalid pf2vf version: 0x%x\n", pf2vf_info->version);
+ return -EINVAL;
+ }
+
+@@ -617,8 +622,21 @@ static void amdgpu_virt_update_vf2pf_work_item(struct work_struct *work)
+ int ret;
+
+ ret = amdgpu_virt_read_pf2vf_data(adev);
+- if (ret)
++ if (ret) {
++ adev->virt.vf2pf_update_retry_cnt++;
++ if ((adev->virt.vf2pf_update_retry_cnt >= AMDGPU_VF2PF_UPDATE_MAX_RETRY_LIMIT) &&
++ amdgpu_sriov_runtime(adev) && !amdgpu_in_reset(adev)) {
++ if (amdgpu_reset_domain_schedule(adev->reset_domain,
++ &adev->virt.flr_work))
++ return;
++ else
++ dev_err(adev->dev, "Failed to queue work! at %s", __func__);
++ }
++
+ goto out;
++ }
++
++ adev->virt.vf2pf_update_retry_cnt = 0;
+ amdgpu_virt_write_vf2pf_data(adev);
+
+ out:
+@@ -639,6 +657,7 @@ void amdgpu_virt_init_data_exchange(struct amdgpu_device *adev)
+ adev->virt.fw_reserve.p_pf2vf = NULL;
+ adev->virt.fw_reserve.p_vf2pf = NULL;
+ adev->virt.vf2pf_update_interval_ms = 0;
++ adev->virt.vf2pf_update_retry_cnt = 0;
+
+ if (adev->mman.fw_vram_usage_va != NULL) {
+ /* go through this logic in ip_init and reset to init workqueue*/
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h
+index dc6aaa4d67be7..fc2859726f0a6 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h
+@@ -51,6 +51,8 @@
+ /* tonga/fiji use this offset */
+ #define mmBIF_IOV_FUNC_IDENTIFIER 0x1503
+
++#define AMDGPU_VF2PF_UPDATE_MAX_RETRY_LIMIT 30
++
+ enum amdgpu_sriov_vf_mode {
+ SRIOV_VF_MODE_BARE_METAL = 0,
+ SRIOV_VF_MODE_ONE_VF,
+@@ -250,6 +252,7 @@ struct amdgpu_virt {
+ /* vf2pf message */
+ struct delayed_work vf2pf_work;
+ uint32_t vf2pf_update_interval_ms;
++ int vf2pf_update_retry_cnt;
+
+ /* multimedia bandwidth config */
+ bool is_mm_bw_enabled;
+diff --git a/drivers/gpu/drm/amd/amdgpu/mxgpu_ai.c b/drivers/gpu/drm/amd/amdgpu/mxgpu_ai.c
+index 12906ba74462f..d39c6baae007a 100644
+--- a/drivers/gpu/drm/amd/amdgpu/mxgpu_ai.c
++++ b/drivers/gpu/drm/amd/amdgpu/mxgpu_ai.c
+@@ -276,6 +276,8 @@ static void xgpu_ai_mailbox_flr_work(struct work_struct *work)
+ timeout -= 10;
+ } while (timeout > 1);
+
++ dev_warn(adev->dev, "waiting IDH_FLR_NOTIFICATION_CMPL timeout\n");
++
+ flr_done:
+ atomic_set(&adev->reset_domain->in_gpu_reset, 0);
+ up_write(&adev->reset_domain->sem);
+diff --git a/drivers/gpu/drm/amd/amdgpu/mxgpu_nv.c b/drivers/gpu/drm/amd/amdgpu/mxgpu_nv.c
+index e07757eea7adf..a311a2425ec01 100644
+--- a/drivers/gpu/drm/amd/amdgpu/mxgpu_nv.c
++++ b/drivers/gpu/drm/amd/amdgpu/mxgpu_nv.c
+@@ -300,6 +300,8 @@ static void xgpu_nv_mailbox_flr_work(struct work_struct *work)
+ timeout -= 10;
+ } while (timeout > 1);
+
++ dev_warn(adev->dev, "waiting IDH_FLR_NOTIFICATION_CMPL timeout\n");
++
+ flr_done:
+ atomic_set(&adev->reset_domain->in_gpu_reset, 0);
+ up_write(&adev->reset_domain->sem);
+--
+2.39.5
+
--- /dev/null
+From 87e34953f1a0e8177dd9ce09ef0911ea15ed13ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Mar 2025 23:11:46 +0000
+Subject: HID: thrustmaster: fix memory leak in thrustmaster_interrupts()
+
+From: Qasim Ijaz <qasdev00@gmail.com>
+
+[ Upstream commit 09d546303b370113323bfff456c4e8cff8756005 ]
+
+In thrustmaster_interrupts(), the allocated send_buf is not
+freed if the usb_check_int_endpoints() check fails, leading
+to a memory leak.
+
+Fix this by ensuring send_buf is freed before returning in
+the error path.
+
+Fixes: 50420d7c79c3 ("HID: hid-thrustmaster: Fix warning in thrustmaster_probe by adding endpoint check")
+Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-thrustmaster.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hid/hid-thrustmaster.c b/drivers/hid/hid-thrustmaster.c
+index 3b81468a1df29..0bf70664c35ee 100644
+--- a/drivers/hid/hid-thrustmaster.c
++++ b/drivers/hid/hid-thrustmaster.c
+@@ -174,6 +174,7 @@ static void thrustmaster_interrupts(struct hid_device *hdev)
+ u8 ep_addr[2] = {b_ep, 0};
+
+ if (!usb_check_int_endpoints(usbif, ep_addr)) {
++ kfree(send_buf);
+ hid_err(hdev, "Unexpected non-int endpoint\n");
+ return;
+ }
+--
+2.39.5
+
--- /dev/null
+From 2b9a65e17650515aa02b2209beb87191c2ece377 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Apr 2025 17:48:53 +0800
+Subject: HID: uclogic: Add NULL check in uclogic_input_configured()
+
+From: Henry Martin <bsdhenrymartin@gmail.com>
+
+[ Upstream commit bd07f751208ba190f9b0db5e5b7f35d5bb4a8a1e ]
+
+devm_kasprintf() returns NULL when memory allocation fails. Currently,
+uclogic_input_configured() does not check for this case, which results
+in a NULL pointer dereference.
+
+Add NULL check after devm_kasprintf() to prevent this issue.
+
+Fixes: dd613a4e45f8 ("HID: uclogic: Correct devm device reference for hidinput input_dev name")
+Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-uclogic-core.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/hid/hid-uclogic-core.c b/drivers/hid/hid-uclogic-core.c
+index 39114d5c55a0e..5b35f9f321d41 100644
+--- a/drivers/hid/hid-uclogic-core.c
++++ b/drivers/hid/hid-uclogic-core.c
+@@ -142,11 +142,12 @@ static int uclogic_input_configured(struct hid_device *hdev,
+ suffix = "System Control";
+ break;
+ }
+- }
+-
+- if (suffix)
++ } else {
+ hi->input->name = devm_kasprintf(&hdev->dev, GFP_KERNEL,
+ "%s %s", hdev->name, suffix);
++ if (!hi->input->name)
++ return -ENOMEM;
++ }
+
+ return 0;
+ }
+--
+2.39.5
+
--- /dev/null
+From 1d7e168e74e778e607328804afb9b8a0137f962e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Apr 2025 11:34:24 +0100
+Subject: iio: adc: ad7266: Fix potential timestamp alignment issue.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit 52d349884738c346961e153f195f4c7fe186fcf4 ]
+
+On architectures where an s64 is only 32-bit aligned insufficient padding
+would be left between the earlier elements and the timestamp. Use
+aligned_s64 to enforce the correct placement and ensure the storage is
+large enough.
+
+Fixes: 54e018da3141 ("iio:ad7266: Mark transfer buffer as __be16") # aligned_s64 is much newer.
+Reported-by: David Lechner <dlechner@baylibre.com>
+Reviewed-by: Nuno Sá <nuno.sa@analog.com>
+Reviewed-by: David Lechner <dlechner@baylibre.com>
+Link: https://patch.msgid.link/20250413103443.2420727-2-jic23@kernel.org
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/ad7266.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iio/adc/ad7266.c b/drivers/iio/adc/ad7266.c
+index 98648c679a55c..2ace3aafe4978 100644
+--- a/drivers/iio/adc/ad7266.c
++++ b/drivers/iio/adc/ad7266.c
+@@ -44,7 +44,7 @@ struct ad7266_state {
+ */
+ struct {
+ __be16 sample[2];
+- s64 timestamp;
++ aligned_s64 timestamp;
+ } data __aligned(IIO_DMA_MINALIGN);
+ };
+
+--
+2.39.5
+
--- /dev/null
+From 9403665acc2c679041de84365f3941f552a9d8a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Apr 2025 11:34:25 +0100
+Subject: iio: adc: ad7768-1: Fix insufficient alignment of timestamp.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit ffbc26bc91c1f1eb3dcf5d8776e74cbae21ee13a ]
+
+On architectures where an s64 is not 64-bit aligned, this may result
+insufficient alignment of the timestamp and the structure being too small.
+Use aligned_s64 to force the alignment.
+
+Fixes: a1caeebab07e ("iio: adc: ad7768-1: Fix too small buffer passed to iio_push_to_buffers_with_timestamp()") # aligned_s64 newer
+Reported-by: David Lechner <dlechner@baylibre.com>
+Reviewed-by: Nuno Sá <nuno.sa@analog.com>
+Reviewed-by: David Lechner <dlechner@baylibre.com>
+Link: https://patch.msgid.link/20250413103443.2420727-3-jic23@kernel.org
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/ad7768-1.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iio/adc/ad7768-1.c b/drivers/iio/adc/ad7768-1.c
+index 74b0c85944bd6..967f06cd3f94e 100644
+--- a/drivers/iio/adc/ad7768-1.c
++++ b/drivers/iio/adc/ad7768-1.c
+@@ -169,7 +169,7 @@ struct ad7768_state {
+ union {
+ struct {
+ __be32 chan;
+- s64 timestamp;
++ aligned_s64 timestamp;
+ } scan;
+ __be32 d32;
+ u8 d8[2];
+--
+2.39.5
+
--- /dev/null
+From 41c58a736224c6cd6e5ce593ff630c4b2c83a608 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Apr 2025 11:52:37 -0500
+Subject: iio: chemical: sps30: use aligned_s64 for timestamp
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: David Lechner <dlechner@baylibre.com>
+
+[ Upstream commit bb49d940344bcb8e2b19e69d7ac86f567887ea9a ]
+
+Follow the pattern of other drivers and use aligned_s64 for the
+timestamp. This will ensure that the timestamp is correctly aligned on
+all architectures.
+
+Fixes: a5bf6fdd19c3 ("iio:chemical:sps30: Fix timestamp alignment")
+Signed-off-by: David Lechner <dlechner@baylibre.com>
+Reviewed-by: Nuno Sá <nuno.sa@analog.com>
+Link: https://patch.msgid.link/20250417-iio-more-timestamp-alignment-v1-5-eafac1e22318@baylibre.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/chemical/sps30.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iio/chemical/sps30.c b/drivers/iio/chemical/sps30.c
+index 814ce0aad1ccc..4085a36cd1db7 100644
+--- a/drivers/iio/chemical/sps30.c
++++ b/drivers/iio/chemical/sps30.c
+@@ -108,7 +108,7 @@ static irqreturn_t sps30_trigger_handler(int irq, void *p)
+ int ret;
+ struct {
+ s32 data[4]; /* PM1, PM2P5, PM4, PM10 */
+- s64 ts;
++ aligned_s64 ts;
+ } scan;
+
+ mutex_lock(&state->lock);
+--
+2.39.5
+
--- /dev/null
+From 5946d82ee5680a0890ecda20bde3f04dff1a2f65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 May 2025 14:19:35 +0200
+Subject: net: cadence: macb: Fix a possible deadlock in macb_halt_tx.
+
+From: Mathieu Othacehe <othacehe@gnu.org>
+
+[ Upstream commit c92d6089d8ad7d4d815ebcedee3f3907b539ff1f ]
+
+There is a situation where after THALT is set high, TGO stays high as
+well. Because jiffies are never updated, as we are in a context with
+interrupts disabled, we never exit that loop and have a deadlock.
+
+That deadlock was noticed on a sama5d4 device that stayed locked for days.
+
+Use retries instead of jiffies so that the timeout really works and we do
+not have a deadlock anymore.
+
+Fixes: e86cd53afc590 ("net/macb: better manage tx errors")
+Signed-off-by: Mathieu Othacehe <othacehe@gnu.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250509121935.16282-1-othacehe@gnu.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 19 ++++++-------------
+ 1 file changed, 6 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
+index fc3342944dbcc..d2f4709dee0de 100644
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -962,22 +962,15 @@ static void macb_update_stats(struct macb *bp)
+
+ static int macb_halt_tx(struct macb *bp)
+ {
+- unsigned long halt_time, timeout;
+- u32 status;
++ u32 status;
+
+ macb_writel(bp, NCR, macb_readl(bp, NCR) | MACB_BIT(THALT));
+
+- timeout = jiffies + usecs_to_jiffies(MACB_HALT_TIMEOUT);
+- do {
+- halt_time = jiffies;
+- status = macb_readl(bp, TSR);
+- if (!(status & MACB_BIT(TGO)))
+- return 0;
+-
+- udelay(250);
+- } while (time_before(halt_time, timeout));
+-
+- return -ETIMEDOUT;
++ /* Poll TSR until TGO is cleared or timeout. */
++ return read_poll_timeout_atomic(macb_readl, status,
++ !(status & MACB_BIT(TGO)),
++ 250, MACB_HALT_TIMEOUT, false,
++ bp, TSR);
+ }
+
+ static void macb_tx_unmap(struct macb *bp, struct macb_tx_skb *tx_skb, int budget)
+--
+2.39.5
+
--- /dev/null
+From d50e65937ffe42d3dd9519877f79c4bc4b3751e3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 May 2025 14:38:16 +0300
+Subject: net: dsa: sja1105: discard incoming frames in BR_STATE_LISTENING
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 498625a8ab2c8e1c9ab5105744310e8d6952cc01 ]
+
+It has been reported that when under a bridge with stp_state=1, the logs
+get spammed with this message:
+
+[ 251.734607] fsl_dpaa2_eth dpni.5 eth0: Couldn't decode source port
+
+Further debugging shows the following info associated with packets:
+source_port=-1, switch_id=-1, vid=-1, vbid=1
+
+In other words, they are data plane packets which are supposed to be
+decoded by dsa_tag_8021q_find_port_by_vbid(), but the latter (correctly)
+refuses to do so, because no switch port is currently in
+BR_STATE_LEARNING or BR_STATE_FORWARDING - so the packet is effectively
+unexpected.
+
+The error goes away after the port progresses to BR_STATE_LEARNING in 15
+seconds (the default forward_time of the bridge), because then,
+dsa_tag_8021q_find_port_by_vbid() can correctly associate the data plane
+packets with a plausible bridge port in a plausible STP state.
+
+Re-reading IEEE 802.1D-1990, I see the following:
+
+"4.4.2 Learning: (...) The Forwarding Process shall discard received
+frames."
+
+IEEE 802.1D-2004 further clarifies:
+
+"DISABLED, BLOCKING, LISTENING, and BROKEN all correspond to the
+DISCARDING port state. While those dot1dStpPortStates serve to
+distinguish reasons for discarding frames, the operation of the
+Forwarding and Learning processes is the same for all of them. (...)
+LISTENING represents a port that the spanning tree algorithm has
+selected to be part of the active topology (computing a Root Port or
+Designated Port role) but is temporarily discarding frames to guard
+against loops or incorrect learning."
+
+Well, this is not what the driver does - instead it sets
+mac[port].ingress = true.
+
+To get rid of the log spam, prevent unexpected data plane packets to
+be received by software by discarding them on ingress in the LISTENING
+state.
+
+In terms of blame attribution: the prints only date back to commit
+d7f9787a763f ("net: dsa: tag_8021q: add support for imprecise RX based
+on the VBID"). However, the settings would permit a LISTENING port to
+forward to a FORWARDING port, and the standard suggests that's not OK.
+
+Fixes: 640f763f98c2 ("net: dsa: sja1105: Add support for Spanning Tree Protocol")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Link: https://patch.msgid.link/20250509113816.2221992-1-vladimir.oltean@nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/sja1105/sja1105_main.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c
+index f1f1368e8146f..d51d982c4bc01 100644
+--- a/drivers/net/dsa/sja1105/sja1105_main.c
++++ b/drivers/net/dsa/sja1105/sja1105_main.c
+@@ -2083,6 +2083,7 @@ static void sja1105_bridge_stp_state_set(struct dsa_switch *ds, int port,
+ switch (state) {
+ case BR_STATE_DISABLED:
+ case BR_STATE_BLOCKING:
++ case BR_STATE_LISTENING:
+ /* From UM10944 description of DRPDTAG (why put this there?):
+ * "Management traffic flows to the port regardless of the state
+ * of the INGRESS flag". So BPDUs are still be allowed to pass.
+@@ -2092,11 +2093,6 @@ static void sja1105_bridge_stp_state_set(struct dsa_switch *ds, int port,
+ mac[port].egress = false;
+ mac[port].dyn_learn = false;
+ break;
+- case BR_STATE_LISTENING:
+- mac[port].ingress = true;
+- mac[port].egress = false;
+- mac[port].dyn_learn = false;
+- break;
+ case BR_STATE_LEARNING:
+ mac[port].ingress = true;
+ mac[port].egress = false;
+--
+2.39.5
+
--- /dev/null
+From 09fa366889e70216b949376a59545227fcbf8677 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 May 2025 14:16:00 +0930
+Subject: net: mctp: Ensure keys maintain only one ref to corresponding dev
+
+From: Andrew Jeffery <andrew@codeconstruct.com.au>
+
+[ Upstream commit e4f349bd6e58051df698b82f94721f18a02a293d ]
+
+mctp_flow_prepare_output() is called in mctp_route_output(), which
+places outbound packets onto a given interface. The packet may represent
+a message fragment, in which case we provoke an unbalanced reference
+count to the underlying device. This causes trouble if we ever attempt
+to remove the interface:
+
+ [ 48.702195] usb 1-1: USB disconnect, device number 2
+ [ 58.883056] unregister_netdevice: waiting for mctpusb0 to become free. Usage count = 2
+ [ 69.022548] unregister_netdevice: waiting for mctpusb0 to become free. Usage count = 2
+ [ 79.172568] unregister_netdevice: waiting for mctpusb0 to become free. Usage count = 2
+ ...
+
+Predicate the invocation of mctp_dev_set_key() in
+mctp_flow_prepare_output() on not already having associated the device
+with the key. It's not yet realistic to uphold the property that the key
+maintains only one device reference earlier in the transmission sequence
+as the route (and therefore the device) may not be known at the time the
+key is associated with the socket.
+
+Fixes: 67737c457281 ("mctp: Pass flow data & flow release events to drivers")
+Acked-by: Jeremy Kerr <jk@codeconstruct.com.au>
+Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
+Link: https://patch.msgid.link/20250508-mctp-dev-refcount-v1-1-d4f965c67bb5@codeconstruct.com.au
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mctp/route.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/mctp/route.c b/net/mctp/route.c
+index e72cdd4ce588f..62952ad5cb636 100644
+--- a/net/mctp/route.c
++++ b/net/mctp/route.c
+@@ -274,8 +274,10 @@ static void mctp_flow_prepare_output(struct sk_buff *skb, struct mctp_dev *dev)
+
+ key = flow->key;
+
+- if (WARN_ON(key->dev && key->dev != dev))
++ if (key->dev) {
++ WARN_ON(key->dev != dev);
+ return;
++ }
+
+ mctp_dev_set_key(dev, key);
+ }
+--
+2.39.5
+
--- /dev/null
+From 4a1be77eaad40623f82907d829becbce8b0d9dde Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 11 May 2025 13:15:52 +0300
+Subject: net/mlx5e: Disable MACsec offload for uplink representor profile
+
+From: Carolina Jubran <cjubran@nvidia.com>
+
+[ Upstream commit 588431474eb7572e57a927fa8558c9ba2f8af143 ]
+
+MACsec offload is not supported in switchdev mode for uplink
+representors. When switching to the uplink representor profile, the
+MACsec offload feature must be cleared from the netdevice's features.
+
+If left enabled, attempts to add offloads result in a null pointer
+dereference, as the uplink representor does not support MACsec offload
+even though the feature bit remains set.
+
+Clear NETIF_F_HW_MACSEC in mlx5e_fix_uplink_rep_features().
+
+Kernel log:
+
+Oops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN
+KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f]
+CPU: 29 UID: 0 PID: 4714 Comm: ip Not tainted 6.14.0-rc4_for_upstream_debug_2025_03_02_17_35 #1
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+RIP: 0010:__mutex_lock+0x128/0x1dd0
+Code: d0 7c 08 84 d2 0f 85 ad 15 00 00 8b 35 91 5c fe 03 85 f6 75 29 49 8d 7e 60 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 a6 15 00 00 4d 3b 76 60 0f 85 fd 0b 00 00 65 ff
+RSP: 0018:ffff888147a4f160 EFLAGS: 00010206
+RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000001
+RDX: 000000000000000f RSI: 0000000000000000 RDI: 0000000000000078
+RBP: ffff888147a4f2e0 R08: ffffffffa05d2c19 R09: 0000000000000000
+R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
+R13: dffffc0000000000 R14: 0000000000000018 R15: ffff888152de0000
+FS: 00007f855e27d800(0000) GS:ffff88881ee80000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00000000004e5768 CR3: 000000013ae7c005 CR4: 0000000000372eb0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ ? die_addr+0x3d/0xa0
+ ? exc_general_protection+0x144/0x220
+ ? asm_exc_general_protection+0x22/0x30
+ ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]
+ ? __mutex_lock+0x128/0x1dd0
+ ? lockdep_set_lock_cmp_fn+0x190/0x190
+ ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]
+ ? mutex_lock_io_nested+0x1ae0/0x1ae0
+ ? lock_acquire+0x1c2/0x530
+ ? macsec_upd_offload+0x145/0x380
+ ? lockdep_hardirqs_on_prepare+0x400/0x400
+ ? kasan_save_stack+0x30/0x40
+ ? kasan_save_stack+0x20/0x40
+ ? kasan_save_track+0x10/0x30
+ ? __kasan_kmalloc+0x77/0x90
+ ? __kmalloc_noprof+0x249/0x6b0
+ ? genl_family_rcv_msg_attrs_parse.constprop.0+0xb5/0x240
+ ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]
+ mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]
+ ? mlx5e_macsec_add_rxsa+0x11a0/0x11a0 [mlx5_core]
+ macsec_update_offload+0x26c/0x820
+ ? macsec_set_mac_address+0x4b0/0x4b0
+ ? lockdep_hardirqs_on_prepare+0x284/0x400
+ ? _raw_spin_unlock_irqrestore+0x47/0x50
+ macsec_upd_offload+0x2c8/0x380
+ ? macsec_update_offload+0x820/0x820
+ ? __nla_parse+0x22/0x30
+ ? genl_family_rcv_msg_attrs_parse.constprop.0+0x15e/0x240
+ genl_family_rcv_msg_doit+0x1cc/0x2a0
+ ? genl_family_rcv_msg_attrs_parse.constprop.0+0x240/0x240
+ ? cap_capable+0xd4/0x330
+ genl_rcv_msg+0x3ea/0x670
+ ? genl_family_rcv_msg_dumpit+0x2a0/0x2a0
+ ? lockdep_set_lock_cmp_fn+0x190/0x190
+ ? macsec_update_offload+0x820/0x820
+ netlink_rcv_skb+0x12b/0x390
+ ? genl_family_rcv_msg_dumpit+0x2a0/0x2a0
+ ? netlink_ack+0xd80/0xd80
+ ? rwsem_down_read_slowpath+0xf90/0xf90
+ ? netlink_deliver_tap+0xcd/0xac0
+ ? netlink_deliver_tap+0x155/0xac0
+ ? _copy_from_iter+0x1bb/0x12c0
+ genl_rcv+0x24/0x40
+ netlink_unicast+0x440/0x700
+ ? netlink_attachskb+0x760/0x760
+ ? lock_acquire+0x1c2/0x530
+ ? __might_fault+0xbb/0x170
+ netlink_sendmsg+0x749/0xc10
+ ? netlink_unicast+0x700/0x700
+ ? __might_fault+0xbb/0x170
+ ? netlink_unicast+0x700/0x700
+ __sock_sendmsg+0xc5/0x190
+ ____sys_sendmsg+0x53f/0x760
+ ? import_iovec+0x7/0x10
+ ? kernel_sendmsg+0x30/0x30
+ ? __copy_msghdr+0x3c0/0x3c0
+ ? filter_irq_stacks+0x90/0x90
+ ? stack_depot_save_flags+0x28/0xa30
+ ___sys_sendmsg+0xeb/0x170
+ ? kasan_save_stack+0x30/0x40
+ ? copy_msghdr_from_user+0x110/0x110
+ ? do_syscall_64+0x6d/0x140
+ ? lock_acquire+0x1c2/0x530
+ ? __virt_addr_valid+0x116/0x3b0
+ ? __virt_addr_valid+0x1da/0x3b0
+ ? lock_downgrade+0x680/0x680
+ ? __delete_object+0x21/0x50
+ __sys_sendmsg+0xf7/0x180
+ ? __sys_sendmsg_sock+0x20/0x20
+ ? kmem_cache_free+0x14c/0x4e0
+ ? __x64_sys_close+0x78/0xd0
+ do_syscall_64+0x6d/0x140
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+RIP: 0033:0x7f855e113367
+Code: 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
+RSP: 002b:00007ffd15e90c88 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f855e113367
+RDX: 0000000000000000 RSI: 00007ffd15e90cf0 RDI: 0000000000000004
+RBP: 00007ffd15e90dbc R08: 0000000000000028 R09: 000000000045d100
+R10: 00007f855e011dd8 R11: 0000000000000246 R12: 0000000000000019
+R13: 0000000067c6b785 R14: 00000000004a1e80 R15: 0000000000000000
+ </TASK>
+Modules linked in: 8021q garp mrp sch_ingress openvswitch nsh mlx5_ib mlx5_fwctl mlx5_dpll mlx5_core rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay zram zsmalloc fuse [last unloaded: mlx5_core]
+---[ end trace 0000000000000000 ]---
+
+Fixes: 8ff0ac5be144 ("net/mlx5: Add MACsec offload Tx command support")
+Signed-off-by: Carolina Jubran <cjubran@nvidia.com>
+Reviewed-by: Shahar Shitrit <shshitrit@nvidia.com>
+Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/1746958552-561295-1-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index f520949b2024c..887d446354006 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -4023,6 +4023,10 @@ static netdev_features_t mlx5e_fix_uplink_rep_features(struct net_device *netdev
+ if (netdev->features & NETIF_F_HW_VLAN_CTAG_FILTER)
+ netdev_warn(netdev, "Disabling HW_VLAN CTAG FILTERING, not supported in switchdev mode\n");
+
++ features &= ~NETIF_F_HW_MACSEC;
++ if (netdev->features & NETIF_F_HW_MACSEC)
++ netdev_warn(netdev, "Disabling HW MACsec offload, not supported in switchdev mode\n");
++
+ return features;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From e2dd25940030c57d9de6238d6e80dcae453693dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 May 2025 21:20:13 +0800
+Subject: net/tls: fix kernel panic when alloc_page failed
+
+From: Pengtao He <hept.hept.hept@gmail.com>
+
+[ Upstream commit 491deb9b8c4ad12fe51d554a69b8165b9ef9429f ]
+
+We cannot set frag_list to NULL pointer when alloc_page failed.
+It will be used in tls_strp_check_queue_ok when the next time
+tls_strp_read_sock is called.
+
+This is because we don't reset full_len in tls_strp_flush_anchor_copy()
+so the recv path will try to continue handling the partial record
+on the next call but we dettached the rcvq from the frag list.
+Alternative fix would be to reset full_len.
+
+Unable to handle kernel NULL pointer dereference
+at virtual address 0000000000000028
+ Call trace:
+ tls_strp_check_rcv+0x128/0x27c
+ tls_strp_data_ready+0x34/0x44
+ tls_data_ready+0x3c/0x1f0
+ tcp_data_ready+0x9c/0xe4
+ tcp_data_queue+0xf6c/0x12d0
+ tcp_rcv_established+0x52c/0x798
+
+Fixes: 84c61fe1a75b ("tls: rx: do not use the standard strparser")
+Signed-off-by: Pengtao He <hept.hept.hept@gmail.com>
+Link: https://patch.msgid.link/20250514132013.17274-1-hept.hept.hept@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tls/tls_strp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/tls/tls_strp.c b/net/tls/tls_strp.c
+index f37f4a0fcd3c2..44d7f1aef9f12 100644
+--- a/net/tls/tls_strp.c
++++ b/net/tls/tls_strp.c
+@@ -396,7 +396,6 @@ static int tls_strp_read_copy(struct tls_strparser *strp, bool qshort)
+ return 0;
+
+ shinfo = skb_shinfo(strp->anchor);
+- shinfo->frag_list = NULL;
+
+ /* If we don't know the length go max plus page for cipher overhead */
+ need_spc = strp->stm.full_len ?: TLS_MAX_PAYLOAD_SIZE + PAGE_SIZE;
+@@ -412,6 +411,8 @@ static int tls_strp_read_copy(struct tls_strparser *strp, bool qshort)
+ page, 0, 0);
+ }
+
++ shinfo->frag_list = NULL;
++
+ strp->copy_mode = 1;
+ strp->stm.offset = 0;
+
+--
+2.39.5
+
--- /dev/null
+From a5583969dce663e5a059b68e2ac3fbba600f9624 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 May 2025 21:35:58 -0700
+Subject: net_sched: Flush gso_skb list too during ->change()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 2d3cbfd6d54a2c39ce3244f33f85c595844bd7b8 ]
+
+Previously, when reducing a qdisc's limit via the ->change() operation, only
+the main skb queue was trimmed, potentially leaving packets in the gso_skb
+list. This could result in NULL pointer dereference when we only check
+sch->limit against sch->q.qlen.
+
+This patch introduces a new helper, qdisc_dequeue_internal(), which ensures
+both the gso_skb list and the main queue are properly flushed when trimming
+excess packets. All relevant qdiscs (codel, fq, fq_codel, fq_pie, hhf, pie)
+are updated to use this helper in their ->change() routines.
+
+Fixes: 76e3cc126bb2 ("codel: Controlled Delay AQM")
+Fixes: 4b549a2ef4be ("fq_codel: Fair Queue Codel AQM")
+Fixes: afe4fd062416 ("pkt_sched: fq: Fair Queue packet scheduler")
+Fixes: ec97ecf1ebe4 ("net: sched: add Flow Queue PIE packet scheduler")
+Fixes: 10239edf86f1 ("net-qdisc-hhf: Heavy-Hitter Filter (HHF) qdisc")
+Fixes: d4b36210c2e6 ("net: pkt_sched: PIE AQM scheme")
+Reported-by: Will <willsroot@protonmail.com>
+Reported-by: Savy <savy@syst3mfailure.io>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sch_generic.h | 15 +++++++++++++++
+ net/sched/sch_codel.c | 2 +-
+ net/sched/sch_fq.c | 2 +-
+ net/sched/sch_fq_codel.c | 2 +-
+ net/sched/sch_fq_pie.c | 2 +-
+ net/sched/sch_hhf.c | 2 +-
+ net/sched/sch_pie.c | 2 +-
+ 7 files changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h
+index 80f657bf2e047..b34e9e93a1463 100644
+--- a/include/net/sch_generic.h
++++ b/include/net/sch_generic.h
+@@ -997,6 +997,21 @@ static inline struct sk_buff *__qdisc_dequeue_head(struct qdisc_skb_head *qh)
+ return skb;
+ }
+
++static inline struct sk_buff *qdisc_dequeue_internal(struct Qdisc *sch, bool direct)
++{
++ struct sk_buff *skb;
++
++ skb = __skb_dequeue(&sch->gso_skb);
++ if (skb) {
++ sch->q.qlen--;
++ return skb;
++ }
++ if (direct)
++ return __qdisc_dequeue_head(&sch->q);
++ else
++ return sch->dequeue(sch);
++}
++
+ static inline struct sk_buff *qdisc_dequeue_head(struct Qdisc *sch)
+ {
+ struct sk_buff *skb = __qdisc_dequeue_head(&sch->q);
+diff --git a/net/sched/sch_codel.c b/net/sched/sch_codel.c
+index 5f2e068157456..63c02040b426a 100644
+--- a/net/sched/sch_codel.c
++++ b/net/sched/sch_codel.c
+@@ -168,7 +168,7 @@ static int codel_change(struct Qdisc *sch, struct nlattr *opt,
+
+ qlen = sch->q.qlen;
+ while (sch->q.qlen > sch->limit) {
+- struct sk_buff *skb = __qdisc_dequeue_head(&sch->q);
++ struct sk_buff *skb = qdisc_dequeue_internal(sch, true);
+
+ dropped += qdisc_pkt_len(skb);
+ qdisc_qstats_backlog_dec(sch, skb);
+diff --git a/net/sched/sch_fq.c b/net/sched/sch_fq.c
+index f59a2cb2c803d..91f5ef6be0f23 100644
+--- a/net/sched/sch_fq.c
++++ b/net/sched/sch_fq.c
+@@ -901,7 +901,7 @@ static int fq_change(struct Qdisc *sch, struct nlattr *opt,
+ sch_tree_lock(sch);
+ }
+ while (sch->q.qlen > sch->limit) {
+- struct sk_buff *skb = fq_dequeue(sch);
++ struct sk_buff *skb = qdisc_dequeue_internal(sch, false);
+
+ if (!skb)
+ break;
+diff --git a/net/sched/sch_fq_codel.c b/net/sched/sch_fq_codel.c
+index 9330923a624c0..47b5a056165cb 100644
+--- a/net/sched/sch_fq_codel.c
++++ b/net/sched/sch_fq_codel.c
+@@ -431,7 +431,7 @@ static int fq_codel_change(struct Qdisc *sch, struct nlattr *opt,
+
+ while (sch->q.qlen > sch->limit ||
+ q->memory_usage > q->memory_limit) {
+- struct sk_buff *skb = fq_codel_dequeue(sch);
++ struct sk_buff *skb = qdisc_dequeue_internal(sch, false);
+
+ q->cstats.drop_len += qdisc_pkt_len(skb);
+ rtnl_kfree_skbs(skb, skb);
+diff --git a/net/sched/sch_fq_pie.c b/net/sched/sch_fq_pie.c
+index 68e6acd0f130d..607c580d75e4b 100644
+--- a/net/sched/sch_fq_pie.c
++++ b/net/sched/sch_fq_pie.c
+@@ -357,7 +357,7 @@ static int fq_pie_change(struct Qdisc *sch, struct nlattr *opt,
+
+ /* Drop excess packets if new limit is lower */
+ while (sch->q.qlen > sch->limit) {
+- struct sk_buff *skb = fq_pie_qdisc_dequeue(sch);
++ struct sk_buff *skb = qdisc_dequeue_internal(sch, false);
+
+ len_dropped += qdisc_pkt_len(skb);
+ num_dropped += 1;
+diff --git a/net/sched/sch_hhf.c b/net/sched/sch_hhf.c
+index d26cd436cbe31..83fc44f20e31c 100644
+--- a/net/sched/sch_hhf.c
++++ b/net/sched/sch_hhf.c
+@@ -560,7 +560,7 @@ static int hhf_change(struct Qdisc *sch, struct nlattr *opt,
+ qlen = sch->q.qlen;
+ prev_backlog = sch->qstats.backlog;
+ while (sch->q.qlen > sch->limit) {
+- struct sk_buff *skb = hhf_dequeue(sch);
++ struct sk_buff *skb = qdisc_dequeue_internal(sch, false);
+
+ rtnl_kfree_skbs(skb, skb);
+ }
+diff --git a/net/sched/sch_pie.c b/net/sched/sch_pie.c
+index b60b31ef71cc5..e1bb151a97195 100644
+--- a/net/sched/sch_pie.c
++++ b/net/sched/sch_pie.c
+@@ -190,7 +190,7 @@ static int pie_change(struct Qdisc *sch, struct nlattr *opt,
+ /* Drop excess packets if new limit is lower */
+ qlen = sch->q.qlen;
+ while (sch->q.qlen > sch->limit) {
+- struct sk_buff *skb = __qdisc_dequeue_head(&sch->q);
++ struct sk_buff *skb = qdisc_dequeue_internal(sch, true);
+
+ dropped += qdisc_pkt_len(skb);
+ qdisc_qstats_backlog_dec(sch, skb);
+--
+2.39.5
+
--- /dev/null
+From 816949b45ea78e239b5bc56122fbb71b4c893855 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Apr 2025 15:25:08 +0800
+Subject: nfs: handle failure of nfs_get_lock_context in unlock path
+
+From: Li Lingfeng <lilingfeng3@huawei.com>
+
+[ Upstream commit c457dc1ec770a22636b473ce5d35614adfe97636 ]
+
+When memory is insufficient, the allocation of nfs_lock_context in
+nfs_get_lock_context() fails and returns -ENOMEM. If we mistakenly treat
+an nfs4_unlockdata structure (whose l_ctx member has been set to -ENOMEM)
+as valid and proceed to execute rpc_run_task(), this will trigger a NULL
+pointer dereference in nfs4_locku_prepare. For example:
+
+BUG: kernel NULL pointer dereference, address: 000000000000000c
+PGD 0 P4D 0
+Oops: Oops: 0000 [#1] SMP PTI
+CPU: 15 UID: 0 PID: 12 Comm: kworker/u64:0 Not tainted 6.15.0-rc2-dirty #60
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40
+Workqueue: rpciod rpc_async_schedule
+RIP: 0010:nfs4_locku_prepare+0x35/0xc2
+Code: 89 f2 48 89 fd 48 c7 c7 68 69 ef b5 53 48 8b 8e 90 00 00 00 48 89 f3
+RSP: 0018:ffffbbafc006bdb8 EFLAGS: 00010246
+RAX: 000000000000004b RBX: ffff9b964fc1fa00 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: fffffffffffffff4 RDI: ffff9ba53fddbf40
+RBP: ffff9ba539934000 R08: 0000000000000000 R09: ffffbbafc006bc38
+R10: ffffffffb6b689c8 R11: 0000000000000003 R12: ffff9ba539934030
+R13: 0000000000000001 R14: 0000000004248060 R15: ffffffffb56d1c30
+FS: 0000000000000000(0000) GS:ffff9ba5881f0000(0000) knlGS:00000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 000000000000000c CR3: 000000093f244000 CR4: 00000000000006f0
+Call Trace:
+ <TASK>
+ __rpc_execute+0xbc/0x480
+ rpc_async_schedule+0x2f/0x40
+ process_one_work+0x232/0x5d0
+ worker_thread+0x1da/0x3d0
+ ? __pfx_worker_thread+0x10/0x10
+ kthread+0x10d/0x240
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork+0x34/0x50
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork_asm+0x1a/0x30
+ </TASK>
+Modules linked in:
+CR2: 000000000000000c
+---[ end trace 0000000000000000 ]---
+
+Free the allocated nfs4_unlockdata when nfs_get_lock_context() fails and
+return NULL to terminate subsequent rpc_run_task, preventing NULL pointer
+dereference.
+
+Fixes: f30cb757f680 ("NFS: Always wait for I/O completion before unlock")
+Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Link: https://lore.kernel.org/r/20250417072508.3850532-1-lilingfeng3@huawei.com
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs4proc.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index 5b06b8d4e0147..acef50824d1a2 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -6886,10 +6886,18 @@ static struct nfs4_unlockdata *nfs4_alloc_unlockdata(struct file_lock *fl,
+ struct nfs4_unlockdata *p;
+ struct nfs4_state *state = lsp->ls_state;
+ struct inode *inode = state->inode;
++ struct nfs_lock_context *l_ctx;
+
+ p = kzalloc(sizeof(*p), GFP_KERNEL);
+ if (p == NULL)
+ return NULL;
++ l_ctx = nfs_get_lock_context(ctx);
++ if (!IS_ERR(l_ctx)) {
++ p->l_ctx = l_ctx;
++ } else {
++ kfree(p);
++ return NULL;
++ }
+ p->arg.fh = NFS_FH(inode);
+ p->arg.fl = &p->fl;
+ p->arg.seqid = seqid;
+@@ -6897,7 +6905,6 @@ static struct nfs4_unlockdata *nfs4_alloc_unlockdata(struct file_lock *fl,
+ p->lsp = lsp;
+ /* Ensure we don't close file until we're done freeing locks! */
+ p->ctx = get_nfs_open_context(ctx);
+- p->l_ctx = nfs_get_lock_context(ctx);
+ locks_init_lock(&p->fl);
+ locks_copy_lock(&p->fl, fl);
+ p->server = NFS_SERVER(inode);
+--
+2.39.5
+
--- /dev/null
+From 9adfd00d616618eb1953363f8d74a7c1d1f9e7ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 May 2025 10:50:13 -0400
+Subject: NFSv4/pnfs: Reset the layout state after a layoutreturn
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit 6d6d7f91cc8c111d40416ac9240a3bb9396c5235 ]
+
+If there are still layout segments in the layout plh_return_lsegs list
+after a layout return, we should be resetting the state to ensure they
+eventually get returned as well.
+
+Fixes: 68f744797edd ("pNFS: Do not free layout segments that are marked for return")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/pnfs.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
+index f682869320198..fe0ddbce3bcb2 100644
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -732,6 +732,14 @@ pnfs_mark_matching_lsegs_invalid(struct pnfs_layout_hdr *lo,
+ return remaining;
+ }
+
++static void pnfs_reset_return_info(struct pnfs_layout_hdr *lo)
++{
++ struct pnfs_layout_segment *lseg;
++
++ list_for_each_entry(lseg, &lo->plh_return_segs, pls_list)
++ pnfs_set_plh_return_info(lo, lseg->pls_range.iomode, 0);
++}
++
+ static void
+ pnfs_free_returned_lsegs(struct pnfs_layout_hdr *lo,
+ struct list_head *free_me,
+@@ -1180,6 +1188,7 @@ void pnfs_layoutreturn_free_lsegs(struct pnfs_layout_hdr *lo,
+ pnfs_mark_matching_lsegs_invalid(lo, &freeme, range, seq);
+ pnfs_free_returned_lsegs(lo, &freeme, range, seq);
+ pnfs_set_layout_stateid(lo, stateid, NULL, true);
++ pnfs_reset_return_info(lo);
+ } else
+ pnfs_mark_layout_stateid_invalid(lo, &freeme);
+ out_unlock:
+--
+2.39.5
+
--- /dev/null
+From 6c3e0b4252149ecd523fbc9886efbe8143bf7ccf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 May 2025 16:57:06 +0200
+Subject: nvme-pci: acquire cq_poll_lock in nvme_poll_irqdisable
+
+From: Keith Busch <kbusch@kernel.org>
+
+[ Upstream commit 3d8932133dcecbd9bef1559533c1089601006f45 ]
+
+We need to lock this queue for that condition because the timeout work
+executes per-namespace and can poll the poll CQ.
+
+Reported-by: Hannes Reinecke <hare@kernel.org>
+Closes: https://lore.kernel.org/all/20240902130728.1999-1-hare@kernel.org/
+Fixes: a0fa9647a54e ("NVMe: add blk polling support")
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Daniel Wagner <wagi@kernel.org>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index 553e6bb461b39..49a3cb8f1f105 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -1154,7 +1154,9 @@ static void nvme_poll_irqdisable(struct nvme_queue *nvmeq)
+ WARN_ON_ONCE(test_bit(NVMEQ_POLLED, &nvmeq->flags));
+
+ disable_irq(pci_irq_vector(pdev, nvmeq->cq_vector));
++ spin_lock(&nvmeq->cq_poll_lock);
+ nvme_poll_cq(nvmeq, NULL);
++ spin_unlock(&nvmeq->cq_poll_lock);
+ enable_irq(pci_irq_vector(pdev, nvmeq->cq_vector));
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 67f0196532054259b6c8984b8543b79a4a78612b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 May 2025 20:35:40 -0700
+Subject: nvme-pci: make nvme_pci_npages_prp() __always_inline
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit 40696426b8c8c4f13cf6ac52f0470eed144be4b2 ]
+
+The only reason nvme_pci_npages_prp() could be used as a compile-time
+known result in BUILD_BUG_ON() is because the compiler was always choosing
+to inline the function. Under special circumstances (sanitizer coverage
+functions disabled for __init functions on ARCH=um), the compiler decided
+to stop inlining it:
+
+ drivers/nvme/host/pci.c: In function 'nvme_init':
+ include/linux/compiler_types.h:557:45: error: call to '__compiletime_assert_678' declared with attribute error: BUILD_BUG_ON failed: nvme_pci_npages_prp() > NVME_MAX_NR_ALLOCATIONS
+ 557 | _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)
+ | ^
+ include/linux/compiler_types.h:538:25: note: in definition of macro '__compiletime_assert'
+ 538 | prefix ## suffix(); \
+ | ^~~~~~
+ include/linux/compiler_types.h:557:9: note: in expansion of macro '_compiletime_assert'
+ 557 | _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)
+ | ^~~~~~~~~~~~~~~~~~~
+ include/linux/build_bug.h:39:37: note: in expansion of macro 'compiletime_assert'
+ 39 | #define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg)
+ | ^~~~~~~~~~~~~~~~~~
+ include/linux/build_bug.h:50:9: note: in expansion of macro 'BUILD_BUG_ON_MSG'
+ 50 | BUILD_BUG_ON_MSG(condition, "BUILD_BUG_ON failed: " #condition)
+ | ^~~~~~~~~~~~~~~~
+ drivers/nvme/host/pci.c:3804:9: note: in expansion of macro 'BUILD_BUG_ON'
+ 3804 | BUILD_BUG_ON(nvme_pci_npages_prp() > NVME_MAX_NR_ALLOCATIONS);
+ | ^~~~~~~~~~~~
+
+Force it to be __always_inline to make sure it is always available for
+use with BUILD_BUG_ON().
+
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202505061846.12FMyRjj-lkp@intel.com/
+Fixes: c372cdd1efdf ("nvme-pci: iod npages fits in s8")
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index da858463b2557..553e6bb461b39 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -376,7 +376,7 @@ static bool nvme_dbbuf_update_and_check_event(u16 value, __le32 *dbbuf_db,
+ * as it only leads to a small amount of wasted memory for the lifetime of
+ * the I/O.
+ */
+-static int nvme_pci_npages_prp(void)
++static __always_inline int nvme_pci_npages_prp(void)
+ {
+ unsigned max_bytes = (NVME_MAX_KB_SZ * 1024) + NVME_CTRL_PAGE_SIZE;
+ unsigned nprps = DIV_ROUND_UP(max_bytes, NVME_CTRL_PAGE_SIZE);
+--
+2.39.5
+
--- /dev/null
+From ad73672fe0af796f52a02662fa053dee86aeff11 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 May 2025 18:12:36 +0530
+Subject: octeontx2-pf: macsec: Fix incorrect max transmit size in TX secy
+
+From: Subbaraya Sundeep <sbhatta@marvell.com>
+
+[ Upstream commit 865ab2461375e3a5a2526f91f9a9f17b8931bc9e ]
+
+MASCEC hardware block has a field called maximum transmit size for
+TX secy. Max packet size going out of MCS block has be programmed
+taking into account full packet size which has L2 header,SecTag
+and ICV. MACSEC offload driver is configuring max transmit size as
+macsec interface MTU which is incorrect. Say with 1500 MTU of real
+device, macsec interface created on top of real device will have MTU of
+1468(1500 - (SecTag + ICV)). This is causing packets from macsec
+interface of size greater than or equal to 1468 are not getting
+transmitted out because driver programmed max transmit size as 1468
+instead of 1514(1500 + ETH_HDR_LEN).
+
+Fixes: c54ffc73601c ("octeontx2-pf: mcs: Introduce MACSEC hardware offloading")
+Signed-off-by: Subbaraya Sundeep <sbhatta@marvell.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/1747053756-4529-1-git-send-email-sbhatta@marvell.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c
+index a487a98eac88c..6da8d8f2a8701 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c
+@@ -428,7 +428,8 @@ static int cn10k_mcs_write_tx_secy(struct otx2_nic *pfvf,
+ if (sw_tx_sc->encrypt)
+ sectag_tci |= (MCS_TCI_E | MCS_TCI_C);
+
+- policy = FIELD_PREP(MCS_TX_SECY_PLCY_MTU, secy->netdev->mtu);
++ policy = FIELD_PREP(MCS_TX_SECY_PLCY_MTU,
++ pfvf->netdev->mtu + OTX2_ETH_HLEN);
+ /* Write SecTag excluding AN bits(1..0) */
+ policy |= FIELD_PREP(MCS_TX_SECY_PLCY_ST_TCI, sectag_tci >> 2);
+ policy |= FIELD_PREP(MCS_TX_SECY_PLCY_ST_OFFSET, tag_offset);
+--
+2.39.5
+
--- /dev/null
+From 00b45749282028f75498a73ec3c5576f1e760b6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 May 2025 15:17:02 +0200
+Subject: platform/x86: asus-wmi: Fix wlan_ctrl_by_user detection
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit bfcfe6d335a967f8ea0c1980960e6f0205b5de6e ]
+
+The wlan_ctrl_by_user detection was introduced by commit a50bd128f28c
+("asus-wmi: record wlan status while controlled by userapp").
+
+Quoting from that commit's commit message:
+
+"""
+When you call WMIMethod(DSTS, 0x00010011) to get WLAN status, it may return
+
+(1) 0x00050001 (On)
+(2) 0x00050000 (Off)
+(3) 0x00030001 (On)
+(4) 0x00030000 (Off)
+(5) 0x00000002 (Unknown)
+
+(1), (2) means that the model has hardware GPIO for WLAN, you can call
+WMIMethod(DEVS, 0x00010011, 1 or 0) to turn WLAN on/off.
+(3), (4) means that the model doesn’t have hardware GPIO, you need to use
+API or driver library to turn WLAN on/off, and call
+WMIMethod(DEVS, 0x00010012, 1 or 0) to set WLAN LED status.
+After you set WLAN LED status, you can see the WLAN status is changed with
+WMIMethod(DSTS, 0x00010011). Because the status is recorded lastly
+(ex: Windows), you can use it for synchronization.
+(5) means that the model doesn’t have WLAN device.
+
+WLAN is the ONLY special case with upper rule.
+"""
+
+The wlan_ctrl_by_user flag should be set on 0x0003000? ((3), (4) above)
+return values, but the flag mistakenly also gets set on laptops with
+0x0005000? ((1), (2)) return values. This is causing rfkill problems on
+laptops where 0x0005000? is returned.
+
+Fix the check to only set the wlan_ctrl_by_user flag for 0x0003000?
+return values.
+
+Fixes: a50bd128f28c ("asus-wmi: record wlan status while controlled by userapp")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=219786
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Armin Wolf <W_Armin@gmx.de>
+Link: https://lore.kernel.org/r/20250501131702.103360-2-hdegoede@redhat.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/asus-wmi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
+index 296150eaef929..33eacb4fc4c45 100644
+--- a/drivers/platform/x86/asus-wmi.c
++++ b/drivers/platform/x86/asus-wmi.c
+@@ -3804,7 +3804,8 @@ static int asus_wmi_add(struct platform_device *pdev)
+ goto fail_leds;
+
+ asus_wmi_get_devstate(asus, ASUS_WMI_DEVID_WLAN, &result);
+- if (result & (ASUS_WMI_DSTS_PRESENCE_BIT | ASUS_WMI_DSTS_USER_BIT))
++ if ((result & (ASUS_WMI_DSTS_PRESENCE_BIT | ASUS_WMI_DSTS_USER_BIT)) ==
++ (ASUS_WMI_DSTS_PRESENCE_BIT | ASUS_WMI_DSTS_USER_BIT))
+ asus->driver->wlan_ctrl_by_user = 1;
+
+ if (!(asus->driver->wlan_ctrl_by_user && ashs_present())) {
+--
+2.39.5
+
--- /dev/null
+From aca63d9225b4ec94908f205f4d2501ca8c239699 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 May 2025 10:18:27 +0530
+Subject: qlcnic: fix memory leak in qlcnic_sriov_channel_cfg_cmd()
+
+From: Abdun Nihaal <abdun.nihaal@gmail.com>
+
+[ Upstream commit 9d8a99c5a7c7f4f7eca2c168a4ec254409670035 ]
+
+In one of the error paths in qlcnic_sriov_channel_cfg_cmd(), the memory
+allocated in qlcnic_sriov_alloc_bc_mbx_args() for mailbox arguments is
+not freed. Fix that by jumping to the error path that frees them, by
+calling qlcnic_free_mbx_args(). This was found using static analysis.
+
+Fixes: f197a7aa6288 ("qlcnic: VF-PF communication channel implementation")
+Signed-off-by: Abdun Nihaal <abdun.nihaal@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250512044829.36400-1-abdun.nihaal@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c
+index 28d24d59efb84..d57b976b90409 100644
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c
+@@ -1484,8 +1484,11 @@ static int qlcnic_sriov_channel_cfg_cmd(struct qlcnic_adapter *adapter, u8 cmd_o
+ }
+
+ cmd_op = (cmd.rsp.arg[0] & 0xff);
+- if (cmd.rsp.arg[0] >> 25 == 2)
+- return 2;
++ if (cmd.rsp.arg[0] >> 25 == 2) {
++ ret = 2;
++ goto out;
++ }
++
+ if (cmd_op == QLCNIC_BC_CMD_CHANNEL_INIT)
+ set_bit(QLC_BC_VF_STATE, &vf->state);
+ else
+--
+2.39.5
+
--- /dev/null
+From 97338c1278a606b61d8ede4733949472e2fa0d69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Apr 2025 09:57:14 +0200
+Subject: RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug
+
+From: Zhu Yanjun <yanjun.zhu@linux.dev>
+
+[ Upstream commit f81b33582f9339d2dc17c69b92040d3650bb4bae ]
+
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x7d/0xa0 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0xcf/0x610 mm/kasan/report.c:489
+ kasan_report+0xb5/0xe0 mm/kasan/report.c:602
+ rxe_queue_cleanup+0xd0/0xe0 drivers/infiniband/sw/rxe/rxe_queue.c:195
+ rxe_cq_cleanup+0x3f/0x50 drivers/infiniband/sw/rxe/rxe_cq.c:132
+ __rxe_cleanup+0x168/0x300 drivers/infiniband/sw/rxe/rxe_pool.c:232
+ rxe_create_cq+0x22e/0x3a0 drivers/infiniband/sw/rxe/rxe_verbs.c:1109
+ create_cq+0x658/0xb90 drivers/infiniband/core/uverbs_cmd.c:1052
+ ib_uverbs_create_cq+0xc7/0x120 drivers/infiniband/core/uverbs_cmd.c:1095
+ ib_uverbs_write+0x969/0xc90 drivers/infiniband/core/uverbs_main.c:679
+ vfs_write fs/read_write.c:677 [inline]
+ vfs_write+0x26a/0xcc0 fs/read_write.c:659
+ ksys_write+0x1b8/0x200 fs/read_write.c:731
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xaa/0x1b0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+In the function rxe_create_cq, when rxe_cq_from_init fails, the function
+rxe_cleanup will be called to handle the allocated resources. In fact,
+some memory resources have already been freed in the function
+rxe_cq_from_init. Thus, this problem will occur.
+
+The solution is to let rxe_cleanup do all the work.
+
+Fixes: 8700e3e7c485 ("Soft RoCE driver")
+Link: https://paste.ubuntu.com/p/tJgC42wDf6/
+Tested-by: liuyi <liuy22@mails.tsinghua.edu.cn>
+Signed-off-by: Zhu Yanjun <yanjun.zhu@linux.dev>
+Link: https://patch.msgid.link/20250412075714.3257358-1-yanjun.zhu@linux.dev
+Reviewed-by: Daisuke Matsuda <matsuda-daisuke@fujitsu.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/rxe/rxe_cq.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_cq.c b/drivers/infiniband/sw/rxe/rxe_cq.c
+index b1a0ab3cd4bd1..43dfc6fd8a3ed 100644
+--- a/drivers/infiniband/sw/rxe/rxe_cq.c
++++ b/drivers/infiniband/sw/rxe/rxe_cq.c
+@@ -71,11 +71,8 @@ int rxe_cq_from_init(struct rxe_dev *rxe, struct rxe_cq *cq, int cqe,
+
+ err = do_mmap_info(rxe, uresp ? &uresp->mi : NULL, udata,
+ cq->queue->buf, cq->queue->buf_size, &cq->queue->ip);
+- if (err) {
+- vfree(cq->queue->buf);
+- kfree(cq->queue);
++ if (err)
+ return err;
+- }
+
+ cq->is_user = uresp;
+
+--
+2.39.5
+
--- /dev/null
+From 4568e85c992bf6b3a500fd63ecfc6d31fbed7d69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 May 2025 09:49:43 +0300
+Subject: regulator: max20086: fix invalid memory access
+
+From: Cosmin Tanislav <demonsingur@gmail.com>
+
+[ Upstream commit 6b0cd72757c69bc2d45da42b41023e288d02e772 ]
+
+max20086_parse_regulators_dt() calls of_regulator_match() using an
+array of struct of_regulator_match allocated on the stack for the
+matches argument.
+
+of_regulator_match() calls devm_of_regulator_put_matches(), which calls
+devres_alloc() to allocate a struct devm_of_regulator_matches which will
+be de-allocated using devm_of_regulator_put_matches().
+
+struct devm_of_regulator_matches is populated with the stack allocated
+matches array.
+
+If the device fails to probe, devm_of_regulator_put_matches() will be
+called and will try to call of_node_put() on that stack pointer,
+generating the following dmesg entries:
+
+max20086 6-0028: Failed to read DEVICE_ID reg: -121
+kobject: '\xc0$\xa5\x03' (000000002cebcb7a): is not initialized, yet
+kobject_put() is being called.
+
+Followed by a stack trace matching the call flow described above.
+
+Switch to allocating the matches array using devm_kcalloc() to
+avoid accessing the stack pointer long after it's out of scope.
+
+This also has the advantage of allowing multiple max20086 to probe
+without overriding the data stored inside the global of_regulator_match.
+
+Fixes: bfff546aae50 ("regulator: Add MAX20086-MAX20089 driver")
+Signed-off-by: Cosmin Tanislav <demonsingur@gmail.com>
+Link: https://patch.msgid.link/20250508064947.2567255-1-demonsingur@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/max20086-regulator.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/regulator/max20086-regulator.c b/drivers/regulator/max20086-regulator.c
+index b8bf76c170fea..332fb58f90952 100644
+--- a/drivers/regulator/max20086-regulator.c
++++ b/drivers/regulator/max20086-regulator.c
+@@ -133,7 +133,7 @@ static int max20086_regulators_register(struct max20086 *chip)
+
+ static int max20086_parse_regulators_dt(struct max20086 *chip, bool *boot_on)
+ {
+- struct of_regulator_match matches[MAX20086_MAX_REGULATORS] = { };
++ struct of_regulator_match *matches;
+ struct device_node *node;
+ unsigned int i;
+ int ret;
+@@ -144,6 +144,11 @@ static int max20086_parse_regulators_dt(struct max20086 *chip, bool *boot_on)
+ return -ENODEV;
+ }
+
++ matches = devm_kcalloc(chip->dev, chip->info->num_outputs,
++ sizeof(*matches), GFP_KERNEL);
++ if (!matches)
++ return -ENOMEM;
++
+ for (i = 0; i < chip->info->num_outputs; ++i)
+ matches[i].name = max20086_output_names[i];
+
+--
+2.39.5
+
--- /dev/null
+From ad5388eb14a8e71c24776057f977021ad464a407 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 May 2025 13:00:16 -0400
+Subject: Revert "drm/amd: Stop evicting resources on APUs in suspend"
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+[ Upstream commit d0ce1aaa8531a4a4707711cab5721374751c51b0 ]
+
+This reverts commit 3a9626c816db901def438dc2513622e281186d39.
+
+This breaks S4 because we end up setting the s3/s0ix flags
+even when we are entering s4 since prepare is used by both
+flows. The causes both the S3/s0ix and s4 flags to be set
+which breaks several checks in the driver which assume they
+are mutually exclusive.
+
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3634
+Cc: Mario Limonciello <mario.limonciello@amd.com>
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit ce8f7d95899c2869b47ea6ce0b3e5bf304b2fff4)
+Cc: stable@vger.kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu.h | 2 --
+ drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 18 ------------------
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 11 ++---------
+ 3 files changed, 2 insertions(+), 29 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu.h b/drivers/gpu/drm/amd/amdgpu/amdgpu.h
+index 019a83c7170d4..af86402c70a9f 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu.h
+@@ -1409,11 +1409,9 @@ static inline int amdgpu_acpi_smart_shift_update(struct drm_device *dev,
+ #if defined(CONFIG_ACPI) && defined(CONFIG_SUSPEND)
+ bool amdgpu_acpi_is_s3_active(struct amdgpu_device *adev);
+ bool amdgpu_acpi_is_s0ix_active(struct amdgpu_device *adev);
+-void amdgpu_choose_low_power_state(struct amdgpu_device *adev);
+ #else
+ static inline bool amdgpu_acpi_is_s0ix_active(struct amdgpu_device *adev) { return false; }
+ static inline bool amdgpu_acpi_is_s3_active(struct amdgpu_device *adev) { return false; }
+-static inline void amdgpu_choose_low_power_state(struct amdgpu_device *adev) { }
+ #endif
+
+ #if defined(CONFIG_DRM_AMD_DC)
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c
+index 46916680f044b..5fa7f6d8aa309 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c
+@@ -1118,22 +1118,4 @@ bool amdgpu_acpi_is_s0ix_active(struct amdgpu_device *adev)
+ #endif /* CONFIG_AMD_PMC */
+ }
+
+-/**
+- * amdgpu_choose_low_power_state
+- *
+- * @adev: amdgpu_device_pointer
+- *
+- * Choose the target low power state for the GPU
+- */
+-void amdgpu_choose_low_power_state(struct amdgpu_device *adev)
+-{
+- if (adev->in_runpm)
+- return;
+-
+- if (amdgpu_acpi_is_s0ix_active(adev))
+- adev->in_s0ix = true;
+- else if (amdgpu_acpi_is_s3_active(adev))
+- adev->in_s3 = true;
+-}
+-
+ #endif /* CONFIG_SUSPEND */
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+index 32c571e9288ae..57a7f72f366f7 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -4241,15 +4241,13 @@ int amdgpu_device_prepare(struct drm_device *dev)
+ struct amdgpu_device *adev = drm_to_adev(dev);
+ int i, r;
+
+- amdgpu_choose_low_power_state(adev);
+-
+ if (dev->switch_power_state == DRM_SWITCH_POWER_OFF)
+ return 0;
+
+ /* Evict the majority of BOs before starting suspend sequence */
+ r = amdgpu_device_evict_resources(adev);
+ if (r)
+- goto unprepare;
++ return r;
+
+ flush_delayed_work(&adev->gfx.gfx_off_delay_work);
+
+@@ -4260,15 +4258,10 @@ int amdgpu_device_prepare(struct drm_device *dev)
+ continue;
+ r = adev->ip_blocks[i].version->funcs->prepare_suspend((void *)adev);
+ if (r)
+- goto unprepare;
++ return r;
+ }
+
+ return 0;
+-
+-unprepare:
+- adev->in_s0ix = adev->in_s3 = adev->in_s4 = false;
+-
+- return r;
+ }
+
+ /**
+--
+2.39.5
+
--- /dev/null
+From c6d64fc55845d84fa380500959f48b5feb1cbdd9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 May 2024 10:31:46 -0700
+Subject: selftests/exec: Build both static and non-static load_address tests
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit b57a2907c9d96c56494ef25f8ec821cd0b355dd6 ]
+
+After commit 4d1cd3b2c5c1 ("tools/testing/selftests/exec: fix link
+error"), the load address alignment tests tried to build statically.
+This was silently ignored in some cases. However, after attempting to
+further fix the build by switching to "-static-pie", the test started
+failing. This appears to be due to non-PT_INTERP ET_DYN execs ("static
+PIE") not doing alignment correctly, which remains unfixed[1]. See commit
+aeb7923733d1 ("revert "fs/binfmt_elf: use PT_LOAD p_align values for
+static PIE"") for more details.
+
+Provide rules to build both static and non-static PIE binaries, improve
+debug reporting, and perform several test steps instead of a single
+all-or-nothing test. However, do not actually enable static-pie tests;
+alignment specification is only supported for ET_DYN with PT_INTERP
+("regular PIE").
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=215275 [1]
+Link: https://lore.kernel.org/r/20240508173149.677910-1-keescook@chromium.org
+Signed-off-by: Kees Cook <kees@kernel.org>
+Stable-dep-of: 11854fe263eb ("binfmt_elf: Move brk for static PIE even if ASLR disabled")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/exec/Makefile | 19 +++---
+ tools/testing/selftests/exec/load_address.c | 67 +++++++++++++++++----
+ 2 files changed, 66 insertions(+), 20 deletions(-)
+
+diff --git a/tools/testing/selftests/exec/Makefile b/tools/testing/selftests/exec/Makefile
+index a0b8688b08369..b54986078d7ea 100644
+--- a/tools/testing/selftests/exec/Makefile
++++ b/tools/testing/selftests/exec/Makefile
+@@ -3,8 +3,13 @@ CFLAGS = -Wall
+ CFLAGS += -Wno-nonnull
+ CFLAGS += -D_GNU_SOURCE
+
++ALIGNS := 0x1000 0x200000 0x1000000
++ALIGN_PIES := $(patsubst %,load_address.%,$(ALIGNS))
++ALIGN_STATIC_PIES := $(patsubst %,load_address.static.%,$(ALIGNS))
++ALIGNMENT_TESTS := $(ALIGN_PIES)
++
+ TEST_PROGS := binfmt_script.py
+-TEST_GEN_PROGS := execveat load_address_4096 load_address_2097152 load_address_16777216 non-regular
++TEST_GEN_PROGS := execveat non-regular $(ALIGNMENT_TESTS)
+ TEST_GEN_FILES := execveat.symlink execveat.denatured script subdir
+ # Makefile is a run-time dependency, since it's accessed by the execveat test
+ TEST_FILES := Makefile
+@@ -28,9 +33,9 @@ $(OUTPUT)/execveat.symlink: $(OUTPUT)/execveat
+ $(OUTPUT)/execveat.denatured: $(OUTPUT)/execveat
+ cp $< $@
+ chmod -x $@
+-$(OUTPUT)/load_address_4096: load_address.c
+- $(CC) $(CFLAGS) $(LDFLAGS) -Wl,-z,max-page-size=0x1000 -pie -static $< -o $@
+-$(OUTPUT)/load_address_2097152: load_address.c
+- $(CC) $(CFLAGS) $(LDFLAGS) -Wl,-z,max-page-size=0x200000 -pie -static $< -o $@
+-$(OUTPUT)/load_address_16777216: load_address.c
+- $(CC) $(CFLAGS) $(LDFLAGS) -Wl,-z,max-page-size=0x1000000 -pie -static $< -o $@
++$(OUTPUT)/load_address.0x%: load_address.c
++ $(CC) $(CFLAGS) $(LDFLAGS) -Wl,-z,max-page-size=$(lastword $(subst ., ,$@)) \
++ -fPIE -pie $< -o $@
++$(OUTPUT)/load_address.static.0x%: load_address.c
++ $(CC) $(CFLAGS) $(LDFLAGS) -Wl,-z,max-page-size=$(lastword $(subst ., ,$@)) \
++ -fPIE -static-pie $< -o $@
+diff --git a/tools/testing/selftests/exec/load_address.c b/tools/testing/selftests/exec/load_address.c
+index 17e3207d34ae7..8257fddba8c8d 100644
+--- a/tools/testing/selftests/exec/load_address.c
++++ b/tools/testing/selftests/exec/load_address.c
+@@ -5,11 +5,13 @@
+ #include <link.h>
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <stdbool.h>
+ #include "../kselftest.h"
+
+ struct Statistics {
+ unsigned long long load_address;
+ unsigned long long alignment;
++ bool interp;
+ };
+
+ int ExtractStatistics(struct dl_phdr_info *info, size_t size, void *data)
+@@ -26,11 +28,20 @@ int ExtractStatistics(struct dl_phdr_info *info, size_t size, void *data)
+ stats->alignment = 0;
+
+ for (i = 0; i < info->dlpi_phnum; i++) {
++ unsigned long long align;
++
++ if (info->dlpi_phdr[i].p_type == PT_INTERP) {
++ stats->interp = true;
++ continue;
++ }
++
+ if (info->dlpi_phdr[i].p_type != PT_LOAD)
+ continue;
+
+- if (info->dlpi_phdr[i].p_align > stats->alignment)
+- stats->alignment = info->dlpi_phdr[i].p_align;
++ align = info->dlpi_phdr[i].p_align;
++
++ if (align > stats->alignment)
++ stats->alignment = align;
+ }
+
+ return 1; // Terminate dl_iterate_phdr.
+@@ -38,27 +49,57 @@ int ExtractStatistics(struct dl_phdr_info *info, size_t size, void *data)
+
+ int main(int argc, char **argv)
+ {
+- struct Statistics extracted;
+- unsigned long long misalign;
++ struct Statistics extracted = { };
++ unsigned long long misalign, pow2;
++ bool interp_needed;
++ char buf[1024];
++ FILE *maps;
+ int ret;
+
+ ksft_print_header();
+- ksft_set_plan(1);
++ ksft_set_plan(4);
++
++ /* Dump maps file for debugging reference. */
++ maps = fopen("/proc/self/maps", "r");
++ if (!maps)
++ ksft_exit_fail_msg("FAILED: /proc/self/maps: %s\n", strerror(errno));
++ while (fgets(buf, sizeof(buf), maps)) {
++ ksft_print_msg("%s", buf);
++ }
++ fclose(maps);
+
++ /* Walk the program headers. */
+ ret = dl_iterate_phdr(ExtractStatistics, &extracted);
+ if (ret != 1)
+ ksft_exit_fail_msg("FAILED: dl_iterate_phdr\n");
+
+- if (extracted.alignment == 0)
+- ksft_exit_fail_msg("FAILED: No alignment found\n");
+- else if (extracted.alignment & (extracted.alignment - 1))
+- ksft_exit_fail_msg("FAILED: Alignment is not a power of 2\n");
++ /* Report our findings. */
++ ksft_print_msg("load_address=%#llx alignment=%#llx\n",
++ extracted.load_address, extracted.alignment);
++
++ /* If we're named with ".static." we expect no INTERP. */
++ interp_needed = strstr(argv[0], ".static.") == NULL;
++
++ /* Were we built as expected? */
++ ksft_test_result(interp_needed == extracted.interp,
++ "%s INTERP program header %s\n",
++ interp_needed ? "Wanted" : "Unwanted",
++ extracted.interp ? "seen" : "missing");
++
++ /* Did we find an alignment? */
++ ksft_test_result(extracted.alignment != 0,
++ "Alignment%s found\n", extracted.alignment ? "" : " NOT");
++
++ /* Is the alignment sane? */
++ pow2 = extracted.alignment & (extracted.alignment - 1);
++ ksft_test_result(pow2 == 0,
++ "Alignment is%s a power of 2: %#llx\n",
++ pow2 == 0 ? "" : " NOT", extracted.alignment);
+
++ /* Is the load address aligned? */
+ misalign = extracted.load_address & (extracted.alignment - 1);
+- if (misalign)
+- ksft_exit_fail_msg("FAILED: alignment = %llu, load_address = %llu\n",
+- extracted.alignment, extracted.load_address);
++ ksft_test_result(misalign == 0, "Load Address is %saligned (%#llx)\n",
++ misalign ? "MIS" : "", misalign);
+
+- ksft_test_result_pass("Completed\n");
+ ksft_finished();
+ }
+--
+2.39.5
+
--- /dev/null
+From 17b2acf4bc6a14386d20e004318d0f6b292a2e13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Mar 2024 20:59:24 +0500
+Subject: selftests/exec: load_address: conform test to TAP format output
+
+From: Muhammad Usama Anjum <usama.anjum@collabora.com>
+
+[ Upstream commit c4095067736b7ed50316a2bc7c9577941e87ad45 ]
+
+Conform the layout, informational and status messages to TAP. No
+functional change is intended other than the layout of output messages.
+
+Signed-off-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
+Link: https://lore.kernel.org/r/20240304155928.1818928-2-usama.anjum@collabora.com
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Stable-dep-of: 11854fe263eb ("binfmt_elf: Move brk for static PIE even if ASLR disabled")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/exec/load_address.c | 34 +++++++++------------
+ 1 file changed, 15 insertions(+), 19 deletions(-)
+
+diff --git a/tools/testing/selftests/exec/load_address.c b/tools/testing/selftests/exec/load_address.c
+index d487c2f6a6150..17e3207d34ae7 100644
+--- a/tools/testing/selftests/exec/load_address.c
++++ b/tools/testing/selftests/exec/load_address.c
+@@ -5,6 +5,7 @@
+ #include <link.h>
+ #include <stdio.h>
+ #include <stdlib.h>
++#include "../kselftest.h"
+
+ struct Statistics {
+ unsigned long long load_address;
+@@ -41,28 +42,23 @@ int main(int argc, char **argv)
+ unsigned long long misalign;
+ int ret;
+
++ ksft_print_header();
++ ksft_set_plan(1);
++
+ ret = dl_iterate_phdr(ExtractStatistics, &extracted);
+- if (ret != 1) {
+- fprintf(stderr, "FAILED\n");
+- return 1;
+- }
++ if (ret != 1)
++ ksft_exit_fail_msg("FAILED: dl_iterate_phdr\n");
+
+- if (extracted.alignment == 0) {
+- fprintf(stderr, "No alignment found\n");
+- return 1;
+- } else if (extracted.alignment & (extracted.alignment - 1)) {
+- fprintf(stderr, "Alignment is not a power of 2\n");
+- return 1;
+- }
++ if (extracted.alignment == 0)
++ ksft_exit_fail_msg("FAILED: No alignment found\n");
++ else if (extracted.alignment & (extracted.alignment - 1))
++ ksft_exit_fail_msg("FAILED: Alignment is not a power of 2\n");
+
+ misalign = extracted.load_address & (extracted.alignment - 1);
+- if (misalign) {
+- printf("alignment = %llu, load_address = %llu\n",
+- extracted.alignment, extracted.load_address);
+- fprintf(stderr, "FAILED\n");
+- return 1;
+- }
++ if (misalign)
++ ksft_exit_fail_msg("FAILED: alignment = %llu, load_address = %llu\n",
++ extracted.alignment, extracted.load_address);
+
+- fprintf(stderr, "PASS\n");
+- return 0;
++ ksft_test_result_pass("Completed\n");
++ ksft_finished();
+ }
+--
+2.39.5
+
--- /dev/null
+binfmt-fix-whitespace-issues.patch
+binfmt_elf-support-segments-with-0-filesz-and-misali.patch
+binfmt_elf-elf_bss-no-longer-used-by-load_elf_binary.patch
+selftests-exec-load_address-conform-test-to-tap-form.patch
+binfmt_elf-leave-a-gap-between-.bss-and-brk.patch
+selftests-exec-build-both-static-and-non-static-load.patch
+binfmt_elf-calculate-total_size-earlier.patch
+binfmt_elf-honor-pt_load-alignment-for-static-pie.patch
+binfmt_elf-move-brk-for-static-pie-even-if-aslr-disa.patch
+platform-x86-asus-wmi-fix-wlan_ctrl_by_user-detectio.patch
+tracing-probes-fix-a-possible-race-in-trace_probe_lo.patch
+tpm-tis-double-the-timeout-b-to-4s.patch
+iio-adc-ad7266-fix-potential-timestamp-alignment-iss.patch
+drm-amd-stop-evicting-resources-on-apus-in-suspend.patch
+drm-amdgpu-fix-the-runtime-resume-failure-issue.patch
+drm-amdgpu-trigger-flr_work-if-reading-pf2vf-data-fa.patch
+drm-amd-add-suspend-hibernate-notification-callback-.patch
+revert-drm-amd-stop-evicting-resources-on-apus-in-su.patch
+iio-adc-ad7768-1-fix-insufficient-alignment-of-times.patch
+iio-chemical-sps30-use-aligned_s64-for-timestamp.patch
+clocksource-i8253-use-raw_spinlock_irqsave-in-clocke.patch
+rdma-rxe-fix-slab-use-after-free-read-in-rxe_queue_c.patch
+hid-thrustmaster-fix-memory-leak-in-thrustmaster_int.patch
+hid-uclogic-add-null-check-in-uclogic_input_configur.patch
+nfs-handle-failure-of-nfs_get_lock_context-in-unlock.patch
+spi-loopback-test-do-not-split-1024-byte-hexdumps.patch
+net_sched-flush-gso_skb-list-too-during-change.patch
+net-mctp-ensure-keys-maintain-only-one-ref-to-corres.patch
+net-cadence-macb-fix-a-possible-deadlock-in-macb_hal.patch
+net-dsa-sja1105-discard-incoming-frames-in-br_state_.patch
+nvme-pci-make-nvme_pci_npages_prp-__always_inline.patch
+nvme-pci-acquire-cq_poll_lock-in-nvme_poll_irqdisabl.patch
+alsa-sh-snd_aica-should-depend-on-sh_dma_api.patch
+net-mlx5e-disable-macsec-offload-for-uplink-represen.patch
+qlcnic-fix-memory-leak-in-qlcnic_sriov_channel_cfg_c.patch
+regulator-max20086-fix-invalid-memory-access.patch
+octeontx2-pf-macsec-fix-incorrect-max-transmit-size-.patch
+net-tls-fix-kernel-panic-when-alloc_page-failed.patch
+nfsv4-pnfs-reset-the-layout-state-after-a-layoutretu.patch
--- /dev/null
+From 57041fbe149d64e96a162b0f561409589f444498 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 May 2025 13:10:35 +0200
+Subject: spi: loopback-test: Do not split 1024-byte hexdumps
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit a73fa3690a1f3014d6677e368dce4e70767a6ba2 ]
+
+spi_test_print_hex_dump() prints buffers holding less than 1024 bytes in
+full. Larger buffers are truncated: only the first 512 and the last 512
+bytes are printed, separated by a truncation message. The latter is
+confusing in case the buffer holds exactly 1024 bytes, as all data is
+printed anyway.
+
+Fix this by printing buffers holding up to and including 1024 bytes in
+full.
+
+Fixes: 84e0c4e5e2c4ef42 ("spi: add loopback test driver to allow for spi_master regression tests")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://patch.msgid.link/37ee1bc90c6554c9347040adabf04188c8f704aa.1746184171.git.geert+renesas@glider.be
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-loopback-test.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-loopback-test.c b/drivers/spi/spi-loopback-test.c
+index dd7de8fa37d04..ab29ae463f677 100644
+--- a/drivers/spi/spi-loopback-test.c
++++ b/drivers/spi/spi-loopback-test.c
+@@ -410,7 +410,7 @@ MODULE_LICENSE("GPL");
+ static void spi_test_print_hex_dump(char *pre, const void *ptr, size_t len)
+ {
+ /* limit the hex_dump */
+- if (len < 1024) {
++ if (len <= 1024) {
+ print_hex_dump(KERN_INFO, pre,
+ DUMP_PREFIX_OFFSET, 16, 1,
+ ptr, len, 0);
+--
+2.39.5
+
--- /dev/null
+From c58ce9336cc357d0c54c5ebb31c2661175a21cd6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Apr 2025 10:23:14 +0200
+Subject: tpm: tis: Double the timeout B to 4s
+
+From: Michal Suchanek <msuchanek@suse.de>
+
+[ Upstream commit 2f661f71fda1fc0c42b7746ca5b7da529eb6b5be ]
+
+With some Infineon chips the timeouts in tpm_tis_send_data (both B and
+C) can reach up to about 2250 ms.
+
+Timeout C is retried since
+commit de9e33df7762 ("tpm, tpm_tis: Workaround failed command reception on Infineon devices")
+
+Timeout B still needs to be extended.
+
+The problem is most commonly encountered with context related operation
+such as load context/save context. These are issued directly by the
+kernel, and there is no retry logic for them.
+
+When a filesystem is set up to use the TPM for unlocking the boot fails,
+and restarting the userspace service is ineffective. This is likely
+because ignoring a load context/save context result puts the real TPM
+state and the TPM state expected by the kernel out of sync.
+
+Chips known to be affected:
+tpm_tis IFX1522:00: 2.0 TPM (device-id 0x1D, rev-id 54)
+Description: SLB9672
+Firmware Revision: 15.22
+
+tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1B, rev-id 22)
+Firmware Revision: 7.83
+
+tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1A, rev-id 16)
+Firmware Revision: 5.63
+
+Link: https://lore.kernel.org/linux-integrity/Z5pI07m0Muapyu9w@kitsune.suse.cz/
+Signed-off-by: Michal Suchanek <msuchanek@suse.de>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/tpm/tpm_tis_core.h | 2 +-
+ include/linux/tpm.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/char/tpm/tpm_tis_core.h b/drivers/char/tpm/tpm_tis_core.h
+index be72681ab8ea2..5f29eebef52b8 100644
+--- a/drivers/char/tpm/tpm_tis_core.h
++++ b/drivers/char/tpm/tpm_tis_core.h
+@@ -53,7 +53,7 @@ enum tis_int_flags {
+ enum tis_defaults {
+ TIS_MEM_LEN = 0x5000,
+ TIS_SHORT_TIMEOUT = 750, /* ms */
+- TIS_LONG_TIMEOUT = 2000, /* 2 sec */
++ TIS_LONG_TIMEOUT = 4000, /* 4 secs */
+ TIS_TIMEOUT_MIN_ATML = 14700, /* usecs */
+ TIS_TIMEOUT_MAX_ATML = 15000, /* usecs */
+ };
+diff --git a/include/linux/tpm.h b/include/linux/tpm.h
+index dd0784a6e07d9..4a4112bb1d1b8 100644
+--- a/include/linux/tpm.h
++++ b/include/linux/tpm.h
+@@ -181,7 +181,7 @@ enum tpm2_const {
+
+ enum tpm2_timeouts {
+ TPM2_TIMEOUT_A = 750,
+- TPM2_TIMEOUT_B = 2000,
++ TPM2_TIMEOUT_B = 4000,
+ TPM2_TIMEOUT_C = 200,
+ TPM2_TIMEOUT_D = 30,
+ TPM2_DURATION_SHORT = 20,
+--
+2.39.5
+
--- /dev/null
+From a3402404629658e3cbdf88f469c562455d484f66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 May 2025 12:44:41 +0900
+Subject: tracing: probes: Fix a possible race in trace_probe_log APIs
+
+From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+
+[ Upstream commit fd837de3c9cb1a162c69bc1fb1f438467fe7f2f5 ]
+
+Since the shared trace_probe_log variable can be accessed and
+modified via probe event create operation of kprobe_events,
+uprobe_events, and dynamic_events, it should be protected.
+In the dynamic_events, all operations are serialized by
+`dyn_event_ops_mutex`. But kprobe_events and uprobe_events
+interfaces are not serialized.
+
+To solve this issue, introduces dyn_event_create(), which runs
+create() operation under the mutex, for kprobe_events and
+uprobe_events. This also uses lockdep to check the mutex is
+held when using trace_probe_log* APIs.
+
+Link: https://lore.kernel.org/all/174684868120.551552.3068655787654268804.stgit@devnote2/
+
+Reported-by: Paul Cacheux <paulcacheux@gmail.com>
+Closes: https://lore.kernel.org/all/20250510074456.805a16872b591e2971a4d221@kernel.org/
+Fixes: ab105a4fb894 ("tracing: Use tracing error_log with probe events")
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace_dynevent.c | 16 +++++++++++++++-
+ kernel/trace/trace_dynevent.h | 1 +
+ kernel/trace/trace_kprobe.c | 2 +-
+ kernel/trace/trace_probe.c | 9 +++++++++
+ kernel/trace/trace_uprobe.c | 2 +-
+ 5 files changed, 27 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/trace/trace_dynevent.c b/kernel/trace/trace_dynevent.c
+index 4376887e0d8aa..c9b0533407ede 100644
+--- a/kernel/trace/trace_dynevent.c
++++ b/kernel/trace/trace_dynevent.c
+@@ -16,7 +16,7 @@
+ #include "trace_output.h" /* for trace_event_sem */
+ #include "trace_dynevent.h"
+
+-static DEFINE_MUTEX(dyn_event_ops_mutex);
++DEFINE_MUTEX(dyn_event_ops_mutex);
+ static LIST_HEAD(dyn_event_ops_list);
+
+ bool trace_event_dyn_try_get_ref(struct trace_event_call *dyn_call)
+@@ -125,6 +125,20 @@ int dyn_event_release(const char *raw_command, struct dyn_event_operations *type
+ return ret;
+ }
+
++/*
++ * Locked version of event creation. The event creation must be protected by
++ * dyn_event_ops_mutex because of protecting trace_probe_log.
++ */
++int dyn_event_create(const char *raw_command, struct dyn_event_operations *type)
++{
++ int ret;
++
++ mutex_lock(&dyn_event_ops_mutex);
++ ret = type->create(raw_command);
++ mutex_unlock(&dyn_event_ops_mutex);
++ return ret;
++}
++
+ static int create_dyn_event(const char *raw_command)
+ {
+ struct dyn_event_operations *ops;
+diff --git a/kernel/trace/trace_dynevent.h b/kernel/trace/trace_dynevent.h
+index 936477a111d3e..beee3f8d75444 100644
+--- a/kernel/trace/trace_dynevent.h
++++ b/kernel/trace/trace_dynevent.h
+@@ -100,6 +100,7 @@ void *dyn_event_seq_next(struct seq_file *m, void *v, loff_t *pos);
+ void dyn_event_seq_stop(struct seq_file *m, void *v);
+ int dyn_events_release_all(struct dyn_event_operations *type);
+ int dyn_event_release(const char *raw_command, struct dyn_event_operations *type);
++int dyn_event_create(const char *raw_command, struct dyn_event_operations *type);
+
+ /*
+ * for_each_dyn_event - iterate over the dyn_event list
+diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c
+index 72655d81b37d3..cc155c4117684 100644
+--- a/kernel/trace/trace_kprobe.c
++++ b/kernel/trace/trace_kprobe.c
+@@ -975,7 +975,7 @@ static int create_or_delete_trace_kprobe(const char *raw_command)
+ if (raw_command[0] == '-')
+ return dyn_event_release(raw_command, &trace_kprobe_ops);
+
+- ret = trace_kprobe_create(raw_command);
++ ret = dyn_event_create(raw_command, &trace_kprobe_ops);
+ return ret == -ECANCELED ? -EINVAL : ret;
+ }
+
+diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c
+index ba48b5e270e1f..3888a59c9dfe9 100644
+--- a/kernel/trace/trace_probe.c
++++ b/kernel/trace/trace_probe.c
+@@ -143,9 +143,12 @@ static const struct fetch_type *find_fetch_type(const char *type)
+ }
+
+ static struct trace_probe_log trace_probe_log;
++extern struct mutex dyn_event_ops_mutex;
+
+ void trace_probe_log_init(const char *subsystem, int argc, const char **argv)
+ {
++ lockdep_assert_held(&dyn_event_ops_mutex);
++
+ trace_probe_log.subsystem = subsystem;
+ trace_probe_log.argc = argc;
+ trace_probe_log.argv = argv;
+@@ -154,11 +157,15 @@ void trace_probe_log_init(const char *subsystem, int argc, const char **argv)
+
+ void trace_probe_log_clear(void)
+ {
++ lockdep_assert_held(&dyn_event_ops_mutex);
++
+ memset(&trace_probe_log, 0, sizeof(trace_probe_log));
+ }
+
+ void trace_probe_log_set_index(int index)
+ {
++ lockdep_assert_held(&dyn_event_ops_mutex);
++
+ trace_probe_log.index = index;
+ }
+
+@@ -167,6 +174,8 @@ void __trace_probe_log_err(int offset, int err_type)
+ char *command, *p;
+ int i, len = 0, pos = 0;
+
++ lockdep_assert_held(&dyn_event_ops_mutex);
++
+ if (!trace_probe_log.argv)
+ return;
+
+diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c
+index a6a3ff2a441ed..53ef3cb65098d 100644
+--- a/kernel/trace/trace_uprobe.c
++++ b/kernel/trace/trace_uprobe.c
+@@ -732,7 +732,7 @@ static int create_or_delete_trace_uprobe(const char *raw_command)
+ if (raw_command[0] == '-')
+ return dyn_event_release(raw_command, &trace_uprobe_ops);
+
+- ret = trace_uprobe_create(raw_command);
++ ret = dyn_event_create(raw_command, &trace_uprobe_ops);
+ return ret == -ECANCELED ? -EINVAL : ret;
+ }
+
+--
+2.39.5
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
