--- /dev/null
+From b4885bd5935bb26f0a414ad55679a372e53f9b9b Mon Sep 17 00:00:00 2001
+From: Alexandra Diupina <adiupina@astralinux.ru>
+Date: Wed, 19 Mar 2025 17:28:58 +0300
+Subject: cifs: avoid NULL pointer dereference in dbg call
+
+From: Alexandra Diupina <adiupina@astralinux.ru>
+
+commit b4885bd5935bb26f0a414ad55679a372e53f9b9b upstream.
+
+cifs_server_dbg() implies server to be non-NULL so
+move call under condition to avoid NULL pointer dereference.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: e79b0332ae06 ("cifs: ignore cached share root handle closing errors")
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexandra Diupina <adiupina@astralinux.ru>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/smb2misc.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/fs/smb/client/smb2misc.c
++++ b/fs/smb/client/smb2misc.c
+@@ -816,11 +816,12 @@ smb2_handle_cancelled_close(struct cifs_
+ WARN_ONCE(tcon->tc_count < 0, "tcon refcount is negative");
+ spin_unlock(&cifs_tcp_ses_lock);
+
+- if (tcon->ses)
++ if (tcon->ses) {
+ server = tcon->ses->server;
+-
+- cifs_server_dbg(FYI, "tid=0x%x: tcon is closing, skipping async close retry of fid %llu %llu\n",
+- tcon->tid, persistent_fid, volatile_fid);
++ cifs_server_dbg(FYI,
++ "tid=0x%x: tcon is closing, skipping async close retry of fid %llu %llu\n",
++ tcon->tid, persistent_fid, volatile_fid);
++ }
+
+ return 0;
+ }
--- /dev/null
+From 6f8a394aa952257575910d57cf0a63627fa949a2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pali=20Roh=C3=A1r?= <pali@kernel.org>
+Date: Sat, 5 Apr 2025 19:51:07 +0200
+Subject: cifs: Ensure that all non-client-specific reparse points are processed by the server
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+commit 6f8a394aa952257575910d57cf0a63627fa949a2 upstream.
+
+Fix regression in mounts to e.g. onedrive shares.
+
+Generally, reparse points are processed by the SMB server during the
+SMB OPEN request, but there are few reparse points which do not have
+OPEN-like meaning for the SMB server and has to be processed by the SMB
+client. Those are symlinks and special files (fifo, socket, block, char).
+
+For Linux SMB client, it is required to process also name surrogate reparse
+points as they represent another entity on the SMB server system. Linux
+client will mark them as separate mount points. Examples of name surrogate
+reparse points are NTFS junction points (e.g. created by the "mklink" tool
+on Windows servers).
+
+So after processing the name surrogate reparse points, clear the
+-EOPNOTSUPP error code returned from the parse_reparse_point() to let SMB
+server to process reparse points.
+
+And remove printing misleading error message "unhandled reparse tag:" as
+reparse points are handled by SMB server and hence unhandled fact is normal
+operation.
+
+Fixes: cad3fc0a4c8c ("cifs: Throw -EOPNOTSUPP error on unsupported reparse point type from parse_reparse_point()")
+Fixes: b587fd128660 ("cifs: Treat unhandled directory name surrogate reparse points as mount directory nodes")
+Cc: stable@vger.kernel.org
+Reported-by: Junwen Sun <sunjw8888@gmail.com>
+Tested-by: Junwen Sun <sunjw8888@gmail.com>
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/inode.c | 10 ++++++++++
+ fs/smb/client/reparse.c | 4 ----
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+--- a/fs/smb/client/inode.c
++++ b/fs/smb/client/inode.c
+@@ -1145,6 +1145,16 @@ static int reparse_info_to_fattr(struct
+ cifs_create_junction_fattr(fattr, sb);
+ goto out;
+ }
++ /*
++ * If the reparse point is unsupported by the Linux SMB
++ * client then let it process by the SMB server. So mask
++ * the -EOPNOTSUPP error code. This will allow Linux SMB
++ * client to send SMB OPEN request to server. If server
++ * does not support this reparse point too then server
++ * will return error during open the path.
++ */
++ if (rc == -EOPNOTSUPP)
++ rc = 0;
+ }
+ break;
+ }
+--- a/fs/smb/client/reparse.c
++++ b/fs/smb/client/reparse.c
+@@ -633,8 +633,6 @@ int parse_reparse_point(struct reparse_d
+ const char *full_path,
+ bool unicode, struct cifs_open_info_data *data)
+ {
+- struct cifs_tcon *tcon = cifs_sb_master_tcon(cifs_sb);
+-
+ data->reparse.buf = buf;
+
+ /* See MS-FSCC 2.1.2 */
+@@ -658,8 +656,6 @@ int parse_reparse_point(struct reparse_d
+ }
+ return 0;
+ default:
+- cifs_tcon_dbg(VFS | ONCE, "unhandled reparse tag: 0x%08x\n",
+- le32_to_cpu(buf->ReparseTag));
+ return -EOPNOTSUPP;
+ }
+ }
--- /dev/null
+From 2510859475d7f46ed7940db0853f3342bf1b65ee Mon Sep 17 00:00:00 2001
+From: Roman Smirnov <r.smirnov@omp.ru>
+Date: Mon, 31 Mar 2025 11:22:49 +0300
+Subject: cifs: fix integer overflow in match_server()
+
+From: Roman Smirnov <r.smirnov@omp.ru>
+
+commit 2510859475d7f46ed7940db0853f3342bf1b65ee upstream.
+
+The echo_interval is not limited in any way during mounting,
+which makes it possible to write a large number to it. This can
+cause an overflow when multiplying ctx->echo_interval by HZ in
+match_server().
+
+Add constraints for echo_interval to smb3_fs_context_parse_param().
+
+Found by Linux Verification Center (linuxtesting.org) with Svace.
+
+Fixes: adfeb3e00e8e1 ("cifs: Make echo interval tunable")
+Cc: stable@vger.kernel.org
+Signed-off-by: Roman Smirnov <r.smirnov@omp.ru>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/fs_context.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/smb/client/fs_context.c
++++ b/fs/smb/client/fs_context.c
+@@ -1299,6 +1299,11 @@ static int smb3_fs_context_parse_param(s
+ ctx->closetimeo = HZ * result.uint_32;
+ break;
+ case Opt_echo_interval:
++ if (result.uint_32 < SMB_ECHO_INTERVAL_MIN ||
++ result.uint_32 > SMB_ECHO_INTERVAL_MAX) {
++ cifs_errorf(fc, "echo interval is out of bounds\n");
++ goto cifs_parse_mount_err;
++ }
+ ctx->echo_interval = result.uint_32;
+ break;
+ case Opt_snapshot:
--- /dev/null
+From 5eac348182d2b5ed1066459abedb7bc6b5466f81 Mon Sep 17 00:00:00 2001
+From: Ajit Pandey <quic_ajipan@quicinc.com>
+Date: Tue, 28 Jan 2025 17:08:35 +0530
+Subject: clk: qcom: clk-branch: Fix invert halt status bit check for votable clocks
+
+From: Ajit Pandey <quic_ajipan@quicinc.com>
+
+commit 5eac348182d2b5ed1066459abedb7bc6b5466f81 upstream.
+
+BRANCH_HALT_ENABLE and BRANCH_HALT_ENABLE_VOTED flags are used to check
+halt status of branch clocks, which have an inverted logic for the halt
+bit in CBCR register. However, the current logic in the _check_halt()
+method only compares the BRANCH_HALT_ENABLE flags, ignoring the votable
+branch clocks.
+
+Update the logic to correctly handle the invert logic for votable clocks
+using the BRANCH_HALT_ENABLE_VOTED flags.
+
+Fixes: 9092d1083a62 ("clk: qcom: branch: Extend the invert logic for branch2 clocks")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ajit Pandey <quic_ajipan@quicinc.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20250128-push_fix-v1-1-fafec6747881@quicinc.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/qcom/clk-branch.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/clk/qcom/clk-branch.c
++++ b/drivers/clk/qcom/clk-branch.c
+@@ -27,7 +27,7 @@ static bool clk_branch_in_hwcg_mode(cons
+
+ static bool clk_branch_check_halt(const struct clk_branch *br, bool enabling)
+ {
+- bool invert = (br->halt_check == BRANCH_HALT_ENABLE);
++ bool invert = (br->halt_check & BRANCH_HALT_ENABLE);
+ u32 val;
+
+ regmap_read(br->clkr.regmap, br->halt_reg, &val);
+@@ -43,7 +43,7 @@ static bool clk_branch2_check_halt(const
+ {
+ u32 val;
+ u32 mask;
+- bool invert = (br->halt_check == BRANCH_HALT_ENABLE);
++ bool invert = (br->halt_check & BRANCH_HALT_ENABLE);
+
+ mask = CBCR_NOC_FSM_STATUS;
+ mask |= CBCR_CLK_OFF;
--- /dev/null
+From 65a733464553ea192797b889d1533a1a37216f32 Mon Sep 17 00:00:00 2001
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Date: Fri, 17 Jan 2025 13:54:08 +0000
+Subject: clk: qcom: gdsc: Capture pm_genpd_add_subdomain result code
+
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+
+commit 65a733464553ea192797b889d1533a1a37216f32 upstream.
+
+Adding a new clause to this if/else I noticed the existing usage of
+pm_genpd_add_subdomain() wasn't capturing and returning the result code.
+
+pm_genpd_add_subdomain() returns an int and can fail. Capture that result
+code and throw it up the call stack if something goes wrong.
+
+Fixes: 1b771839de05 ("clk: qcom: gdsc: enable optional power domain support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Link: https://lore.kernel.org/r/20250117-b4-linux-next-24-11-18-clock-multiple-power-domains-v10-2-13f2bb656dad@linaro.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/qcom/gdsc.c | 40 +++++++++++++++++++++++++++-------------
+ 1 file changed, 27 insertions(+), 13 deletions(-)
+
+--- a/drivers/clk/qcom/gdsc.c
++++ b/drivers/clk/qcom/gdsc.c
+@@ -465,6 +465,23 @@ err_disable_supply:
+ return ret;
+ }
+
++static void gdsc_pm_subdomain_remove(struct gdsc_desc *desc, size_t num)
++{
++ struct device *dev = desc->dev;
++ struct gdsc **scs = desc->scs;
++ int i;
++
++ /* Remove subdomains */
++ for (i = num - 1; i >= 0; i--) {
++ if (!scs[i])
++ continue;
++ if (scs[i]->parent)
++ pm_genpd_remove_subdomain(scs[i]->parent, &scs[i]->pd);
++ else if (!IS_ERR_OR_NULL(dev->pm_domain))
++ pm_genpd_remove_subdomain(pd_to_genpd(dev->pm_domain), &scs[i]->pd);
++ }
++}
++
+ int gdsc_register(struct gdsc_desc *desc,
+ struct reset_controller_dev *rcdev, struct regmap *regmap)
+ {
+@@ -509,30 +526,27 @@ int gdsc_register(struct gdsc_desc *desc
+ if (!scs[i])
+ continue;
+ if (scs[i]->parent)
+- pm_genpd_add_subdomain(scs[i]->parent, &scs[i]->pd);
++ ret = pm_genpd_add_subdomain(scs[i]->parent, &scs[i]->pd);
+ else if (!IS_ERR_OR_NULL(dev->pm_domain))
+- pm_genpd_add_subdomain(pd_to_genpd(dev->pm_domain), &scs[i]->pd);
++ ret = pm_genpd_add_subdomain(pd_to_genpd(dev->pm_domain), &scs[i]->pd);
++ if (ret)
++ goto err_pm_subdomain_remove;
+ }
+
+ return of_genpd_add_provider_onecell(dev->of_node, data);
++
++err_pm_subdomain_remove:
++ gdsc_pm_subdomain_remove(desc, i);
++
++ return ret;
+ }
+
+ void gdsc_unregister(struct gdsc_desc *desc)
+ {
+- int i;
+ struct device *dev = desc->dev;
+- struct gdsc **scs = desc->scs;
+ size_t num = desc->num;
+
+- /* Remove subdomains */
+- for (i = num - 1; i >= 0; i--) {
+- if (!scs[i])
+- continue;
+- if (scs[i]->parent)
+- pm_genpd_remove_subdomain(scs[i]->parent, &scs[i]->pd);
+- else if (!IS_ERR_OR_NULL(dev->pm_domain))
+- pm_genpd_remove_subdomain(pd_to_genpd(dev->pm_domain), &scs[i]->pd);
+- }
++ gdsc_pm_subdomain_remove(desc, num);
+ of_genpd_del_provider(dev->of_node);
+ }
+
--- /dev/null
+From 0e6dfde439df0bb977cddd3cf7fff150a084a9bf Mon Sep 17 00:00:00 2001
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Date: Fri, 17 Jan 2025 13:54:07 +0000
+Subject: clk: qcom: gdsc: Release pm subdomains in reverse add order
+
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+
+commit 0e6dfde439df0bb977cddd3cf7fff150a084a9bf upstream.
+
+gdsc_unregister() should release subdomains in the reverse order to the
+order in which those subdomains were added.
+
+I've made this patch a standalone patch because it facilitates a subsequent
+fix to stable.
+
+Fixes: 1b771839de05 ("clk: qcom: gdsc: enable optional power domain support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Link: https://lore.kernel.org/r/20250117-b4-linux-next-24-11-18-clock-multiple-power-domains-v10-1-13f2bb656dad@linaro.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/qcom/gdsc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/qcom/gdsc.c
++++ b/drivers/clk/qcom/gdsc.c
+@@ -525,7 +525,7 @@ void gdsc_unregister(struct gdsc_desc *d
+ size_t num = desc->num;
+
+ /* Remove subdomains */
+- for (i = 0; i < num; i++) {
++ for (i = num - 1; i >= 0; i--) {
+ if (!scs[i])
+ continue;
+ if (scs[i]->parent)
--- /dev/null
+From 25708f73ff171bb4171950c9f4be5aa8504b8459 Mon Sep 17 00:00:00 2001
+From: Taniya Das <quic_tdas@quicinc.com>
+Date: Fri, 14 Feb 2025 09:56:59 +0530
+Subject: clk: qcom: gdsc: Set retain_ff before moving to HW CTRL
+
+From: Taniya Das <quic_tdas@quicinc.com>
+
+commit 25708f73ff171bb4171950c9f4be5aa8504b8459 upstream.
+
+Enable the retain_ff_enable bit of GDSCR only if the GDSC is already ON.
+Once the GDSCR moves to HW control, SW no longer can determine the state
+of the GDSCR and setting the retain_ff bit could destroy all the register
+contents we intended to save.
+Therefore, move the retain_ff configuration before switching the GDSC to
+HW trigger mode.
+
+Cc: stable@vger.kernel.org
+Fixes: 173722995cdb ("clk: qcom: gdsc: Add support to enable retention of GSDCR")
+Signed-off-by: Taniya Das <quic_tdas@quicinc.com>
+Reviewed-by: Imran Shaik <quic_imrashai@quicinc.com>
+Tested-by: Imran Shaik <quic_imrashai@quicinc.com> # on QCS8300
+Link: https://lore.kernel.org/r/20250214-gdsc_fixes-v1-1-73e56d68a80f@quicinc.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/qcom/gdsc.c | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+--- a/drivers/clk/qcom/gdsc.c
++++ b/drivers/clk/qcom/gdsc.c
+@@ -292,6 +292,9 @@ static int gdsc_enable(struct generic_pm
+ */
+ udelay(1);
+
++ if (sc->flags & RETAIN_FF_ENABLE)
++ gdsc_retain_ff_on(sc);
++
+ /* Turn on HW trigger mode if supported */
+ if (sc->flags & HW_CTRL) {
+ ret = gdsc_hwctrl(sc, true);
+@@ -308,9 +311,6 @@ static int gdsc_enable(struct generic_pm
+ udelay(1);
+ }
+
+- if (sc->flags & RETAIN_FF_ENABLE)
+- gdsc_retain_ff_on(sc);
+-
+ return 0;
+ }
+
+@@ -420,13 +420,6 @@ static int gdsc_init(struct gdsc *sc)
+ goto err_disable_supply;
+ }
+
+- /* Turn on HW trigger mode if supported */
+- if (sc->flags & HW_CTRL) {
+- ret = gdsc_hwctrl(sc, true);
+- if (ret < 0)
+- goto err_disable_supply;
+- }
+-
+ /*
+ * Make sure the retain bit is set if the GDSC is already on,
+ * otherwise we end up turning off the GDSC and destroying all
+@@ -434,6 +427,14 @@ static int gdsc_init(struct gdsc *sc)
+ */
+ if (sc->flags & RETAIN_FF_ENABLE)
+ gdsc_retain_ff_on(sc);
++
++ /* Turn on HW trigger mode if supported */
++ if (sc->flags & HW_CTRL) {
++ ret = gdsc_hwctrl(sc, true);
++ if (ret < 0)
++ goto err_disable_supply;
++ }
++
+ } else if (sc->flags & ALWAYS_ON) {
+ /* If ALWAYS_ON GDSCs are not ON, turn them ON */
+ gdsc_enable(&sc->pd);
--- /dev/null
+From 07bb097b92b987db518e72525b515d77904e966e Mon Sep 17 00:00:00 2001
+From: Tom Lendacky <thomas.lendacky@amd.com>
+Date: Fri, 17 Jan 2025 17:05:47 -0600
+Subject: crypto: ccp - Fix check for the primary ASP device
+
+From: Tom Lendacky <thomas.lendacky@amd.com>
+
+commit 07bb097b92b987db518e72525b515d77904e966e upstream.
+
+Currently, the ASP primary device check does not have support for PCI
+domains, and, as a result, when the system is configured with PCI domains
+(PCI segments) the wrong device can be selected as primary. This results
+in commands submitted to the device timing out and failing. The device
+check also relies on specific device and function assignments that may
+not hold in the future.
+
+Fix the primary ASP device check to include support for PCI domains and
+to perform proper checking of the Bus/Device/Function positions.
+
+Fixes: 2a6170dfe755 ("crypto: ccp: Add Platform Security Processor (PSP) device support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/ccp/sp-pci.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/drivers/crypto/ccp/sp-pci.c
++++ b/drivers/crypto/ccp/sp-pci.c
+@@ -243,14 +243,17 @@ static bool sp_pci_is_master(struct sp_d
+ pdev_new = to_pci_dev(dev_new);
+ pdev_cur = to_pci_dev(dev_cur);
+
+- if (pdev_new->bus->number < pdev_cur->bus->number)
+- return true;
++ if (pci_domain_nr(pdev_new->bus) != pci_domain_nr(pdev_cur->bus))
++ return pci_domain_nr(pdev_new->bus) < pci_domain_nr(pdev_cur->bus);
+
+- if (PCI_SLOT(pdev_new->devfn) < PCI_SLOT(pdev_cur->devfn))
+- return true;
++ if (pdev_new->bus->number != pdev_cur->bus->number)
++ return pdev_new->bus->number < pdev_cur->bus->number;
+
+- if (PCI_FUNC(pdev_new->devfn) < PCI_FUNC(pdev_cur->devfn))
+- return true;
++ if (PCI_SLOT(pdev_new->devfn) != PCI_SLOT(pdev_cur->devfn))
++ return PCI_SLOT(pdev_new->devfn) < PCI_SLOT(pdev_cur->devfn);
++
++ if (PCI_FUNC(pdev_new->devfn) != PCI_FUNC(pdev_cur->devfn))
++ return PCI_FUNC(pdev_new->devfn) < PCI_FUNC(pdev_cur->devfn);
+
+ return false;
+ }
--- /dev/null
+From 9c565428788fb9b49066f94ab7b10efc686a0a4c Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Fri, 28 Mar 2025 16:19:07 +0100
+Subject: dm-ebs: fix prefetch-vs-suspend race
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 9c565428788fb9b49066f94ab7b10efc686a0a4c upstream.
+
+There's a possible race condition in dm-ebs - dm bufio prefetch may be in
+progress while the device is suspended. Fix this by calling
+dm_bufio_client_reset in the postsuspend hook.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-ebs-target.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/md/dm-ebs-target.c
++++ b/drivers/md/dm-ebs-target.c
+@@ -390,6 +390,12 @@ static int ebs_map(struct dm_target *ti,
+ return DM_MAPIO_REMAPPED;
+ }
+
++static void ebs_postsuspend(struct dm_target *ti)
++{
++ struct ebs_c *ec = ti->private;
++ dm_bufio_client_reset(ec->bufio);
++}
++
+ static void ebs_status(struct dm_target *ti, status_type_t type,
+ unsigned int status_flags, char *result, unsigned int maxlen)
+ {
+@@ -447,6 +453,7 @@ static struct target_type ebs_target = {
+ .ctr = ebs_ctr,
+ .dtr = ebs_dtr,
+ .map = ebs_map,
++ .postsuspend = ebs_postsuspend,
+ .status = ebs_status,
+ .io_hints = ebs_io_hints,
+ .prepare_ioctl = ebs_prepare_ioctl,
--- /dev/null
+From 00204ae3d6712ee053353920e3ce2b00c35ef75b Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Mon, 10 Feb 2025 16:14:22 +0100
+Subject: dm-integrity: set ti->error on memory allocation failure
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 00204ae3d6712ee053353920e3ce2b00c35ef75b upstream.
+
+The dm-integrity target didn't set the error string when memory
+allocation failed. This patch fixes it.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-integrity.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/md/dm-integrity.c
++++ b/drivers/md/dm-integrity.c
+@@ -4594,16 +4594,19 @@ try_smaller_buffer:
+
+ ic->recalc_bitmap = dm_integrity_alloc_page_list(n_bitmap_pages);
+ if (!ic->recalc_bitmap) {
++ ti->error = "Could not allocate memory for bitmap";
+ r = -ENOMEM;
+ goto bad;
+ }
+ ic->may_write_bitmap = dm_integrity_alloc_page_list(n_bitmap_pages);
+ if (!ic->may_write_bitmap) {
++ ti->error = "Could not allocate memory for bitmap";
+ r = -ENOMEM;
+ goto bad;
+ }
+ ic->bbs = kvmalloc_array(ic->n_bitmap_blocks, sizeof(struct bitmap_block_status), GFP_KERNEL);
+ if (!ic->bbs) {
++ ti->error = "Could not allocate memory for bitmap";
+ r = -ENOMEM;
+ goto bad;
+ }
--- /dev/null
+From 2de510fccbca3d1906b55f4be5f1de83fa2424ef Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Fri, 28 Mar 2025 16:17:45 +0100
+Subject: dm-verity: fix prefetch-vs-suspend race
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 2de510fccbca3d1906b55f4be5f1de83fa2424ef upstream.
+
+There's a possible race condition in dm-verity - the prefetch work item
+may race with suspend and it is possible that prefetch continues to run
+while the device is suspended. Fix this by calling flush_workqueue and
+dm_bufio_client_reset in the postsuspend hook.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-verity-target.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/md/dm-verity-target.c
++++ b/drivers/md/dm-verity-target.c
+@@ -836,6 +836,13 @@ static int verity_map(struct dm_target *
+ return DM_MAPIO_SUBMITTED;
+ }
+
++static void verity_postsuspend(struct dm_target *ti)
++{
++ struct dm_verity *v = ti->private;
++ flush_workqueue(v->verify_wq);
++ dm_bufio_client_reset(v->bufio);
++}
++
+ /*
+ * Status: V (valid) or C (corruption found)
+ */
+@@ -1557,6 +1564,7 @@ static struct target_type verity_target
+ .ctr = verity_ctr,
+ .dtr = verity_dtr,
+ .map = verity_map,
++ .postsuspend = verity_postsuspend,
+ .status = verity_status,
+ .prepare_ioctl = verity_prepare_ioctl,
+ .iterate_devices = verity_iterate_devices,
--- /dev/null
+From d72deaf05ac18e421d7e52a6be8966fd6ee185f4 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Date: Wed, 26 Feb 2025 12:29:13 +0100
+Subject: dt-bindings: coresight: qcom,coresight-tpda: Fix too many 'reg'
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+commit d72deaf05ac18e421d7e52a6be8966fd6ee185f4 upstream.
+
+Binding listed variable number of IO addresses without defining them,
+however example DTS code, all in-tree DTS and Linux kernel driver
+mention only one address space, so drop the second to make binding
+precise and correctly describe the hardware.
+
+Fixes: a8fbe1442c2b ("dt-bindings: arm: Adds CoreSight TPDA hardware definitions")
+Cc: stable@vger.kernel.org
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Link: https://lore.kernel.org/r/20250226112914.94361-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/arm/qcom,coresight-tpda.yaml | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/Documentation/devicetree/bindings/arm/qcom,coresight-tpda.yaml
++++ b/Documentation/devicetree/bindings/arm/qcom,coresight-tpda.yaml
+@@ -55,8 +55,7 @@ properties:
+ - const: arm,primecell
+
+ reg:
+- minItems: 1
+- maxItems: 2
++ maxItems: 1
+
+ clocks:
+ maxItems: 1
--- /dev/null
+From 1e4e454223f770748775f211455513c79cb3121e Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Date: Wed, 26 Feb 2025 12:29:14 +0100
+Subject: dt-bindings: coresight: qcom,coresight-tpdm: Fix too many 'reg'
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+commit 1e4e454223f770748775f211455513c79cb3121e upstream.
+
+Binding listed variable number of IO addresses without defining them,
+however example DTS code, all in-tree DTS and Linux kernel driver
+mention only one address space, so drop the second to make binding
+precise and correctly describe the hardware.
+
+Fixes: 6c781a35133d ("dt-bindings: arm: Add CoreSight TPDM hardware")
+Cc: stable@vger.kernel.org
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Link: https://lore.kernel.org/r/20250226112914.94361-2-krzysztof.kozlowski@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/arm/qcom,coresight-tpdm.yaml | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/Documentation/devicetree/bindings/arm/qcom,coresight-tpdm.yaml
++++ b/Documentation/devicetree/bindings/arm/qcom,coresight-tpdm.yaml
+@@ -41,8 +41,7 @@ properties:
+ - const: arm,primecell
+
+ reg:
+- minItems: 1
+- maxItems: 2
++ maxItems: 1
+
+ clocks:
+ maxItems: 1
--- /dev/null
+From 42ea22e754ba4f2b86f8760ca27f6f71da2d982c Mon Sep 17 00:00:00 2001
+From: zhoumin <teczm@foxmail.com>
+Date: Tue, 1 Apr 2025 01:00:34 +0800
+Subject: ftrace: Add cond_resched() to ftrace_graph_set_hash()
+
+From: zhoumin <teczm@foxmail.com>
+
+commit 42ea22e754ba4f2b86f8760ca27f6f71da2d982c upstream.
+
+When the kernel contains a large number of functions that can be traced,
+the loop in ftrace_graph_set_hash() may take a lot of time to execute.
+This may trigger the softlockup watchdog.
+
+Add cond_resched() within the loop to allow the kernel to remain
+responsive even when processing a large number of functions.
+
+This matches the cond_resched() that is used in other locations of the
+code that iterates over all functions that can be traced.
+
+Cc: stable@vger.kernel.org
+Fixes: b9b0c831bed26 ("ftrace: Convert graph filter to use hash tables")
+Link: https://lore.kernel.org/tencent_3E06CE338692017B5809534B9C5C03DA7705@qq.com
+Signed-off-by: zhoumin <teczm@foxmail.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/ftrace.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -6325,6 +6325,7 @@ ftrace_graph_set_hash(struct ftrace_hash
+ }
+ }
+ }
++ cond_resched();
+ } while_for_each_ftrace_rec();
+ out:
+ mutex_unlock(&ftrace_lock);
--- /dev/null
+From 8323f3a69de6f6e96bf22f32dd8e2920766050c2 Mon Sep 17 00:00:00 2001
+From: Guixin Liu <kanie@linux.alibaba.com>
+Date: Thu, 27 Mar 2025 11:23:49 +0800
+Subject: gpio: tegra186: fix resource handling in ACPI probe path
+
+From: Guixin Liu <kanie@linux.alibaba.com>
+
+commit 8323f3a69de6f6e96bf22f32dd8e2920766050c2 upstream.
+
+When the Tegra186 GPIO controller is probed through ACPI matching,
+the driver emits two error messages during probing:
+ "tegra186-gpio NVDA0508:00: invalid resource (null)"
+ "tegra186-gpio NVDA0508:00: invalid resource (null)"
+
+Fix this by getting resource first and then do the ioremap.
+
+Fixes: 2606e7c9f5fc ("gpio: tegra186: Add ACPI support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Guixin Liu <kanie@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20250327032349.78809-1-kanie@linux.alibaba.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-tegra186.c | 27 ++++++++++++++-------------
+ 1 file changed, 14 insertions(+), 13 deletions(-)
+
+--- a/drivers/gpio/gpio-tegra186.c
++++ b/drivers/gpio/gpio-tegra186.c
+@@ -822,6 +822,7 @@ static int tegra186_gpio_probe(struct pl
+ struct gpio_irq_chip *irq;
+ struct tegra_gpio *gpio;
+ struct device_node *np;
++ struct resource *res;
+ char **names;
+ int err;
+
+@@ -841,19 +842,19 @@ static int tegra186_gpio_probe(struct pl
+ gpio->num_banks++;
+
+ /* get register apertures */
+- gpio->secure = devm_platform_ioremap_resource_byname(pdev, "security");
+- if (IS_ERR(gpio->secure)) {
+- gpio->secure = devm_platform_ioremap_resource(pdev, 0);
+- if (IS_ERR(gpio->secure))
+- return PTR_ERR(gpio->secure);
+- }
+-
+- gpio->base = devm_platform_ioremap_resource_byname(pdev, "gpio");
+- if (IS_ERR(gpio->base)) {
+- gpio->base = devm_platform_ioremap_resource(pdev, 1);
+- if (IS_ERR(gpio->base))
+- return PTR_ERR(gpio->base);
+- }
++ res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "security");
++ if (!res)
++ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
++ gpio->secure = devm_ioremap_resource(&pdev->dev, res);
++ if (IS_ERR(gpio->secure))
++ return PTR_ERR(gpio->secure);
++
++ res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "gpio");
++ if (!res)
++ res = platform_get_resource(pdev, IORESOURCE_MEM, 1);
++ gpio->base = devm_ioremap_resource(&pdev->dev, res);
++ if (IS_ERR(gpio->base))
++ return PTR_ERR(gpio->base);
+
+ err = platform_irq_count(pdev);
+ if (err < 0)
--- /dev/null
+From c5672e310ad971d408752fce7596ed27adc6008f Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Date: Sun, 6 Apr 2025 22:22:45 +0200
+Subject: gpio: zynq: Fix wakeup source leaks on device unbind
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+commit c5672e310ad971d408752fce7596ed27adc6008f upstream.
+
+Device can be unbound, so driver must also release memory for the wakeup
+source.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20250406202245.53854-2-krzysztof.kozlowski@linaro.org
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-zynq.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpio/gpio-zynq.c
++++ b/drivers/gpio/gpio-zynq.c
+@@ -1018,6 +1018,7 @@ static int zynq_gpio_remove(struct platf
+ ret = pm_runtime_get_sync(&pdev->dev);
+ if (ret < 0)
+ dev_warn(&pdev->dev, "pm_runtime_get_sync() Failed\n");
++ device_init_wakeup(&pdev->dev, 0);
+ gpiochip_remove(&gpio->chip);
+ clk_disable_unprepare(gpio->clk);
+ device_set_wakeup_capable(&pdev->dev, 0);
--- /dev/null
+From 15970e1b23f5c25db88c613fddf9131de086f28e Mon Sep 17 00:00:00 2001
+From: Joshua Washington <joshwash@google.com>
+Date: Wed, 2 Apr 2025 00:10:37 +0000
+Subject: gve: handle overflow when reporting TX consumed descriptors
+
+From: Joshua Washington <joshwash@google.com>
+
+commit 15970e1b23f5c25db88c613fddf9131de086f28e upstream.
+
+When the tx tail is less than the head (in cases of wraparound), the TX
+consumed descriptor statistic in DQ will be reported as
+UINT32_MAX - head + tail, which is incorrect. Mask the difference of
+head and tail according to the ring size when reporting the statistic.
+
+Cc: stable@vger.kernel.org
+Fixes: 2c9198356d56 ("gve: Add consumed counts to ethtool stats")
+Signed-off-by: Joshua Washington <joshwash@google.com>
+Signed-off-by: Harshitha Ramamurthy <hramamurthy@google.com>
+Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250402001037.2717315-1-hramamurthy@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/google/gve/gve_ethtool.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/google/gve/gve_ethtool.c
++++ b/drivers/net/ethernet/google/gve/gve_ethtool.c
+@@ -356,7 +356,9 @@ gve_get_ethtool_stats(struct net_device
+ */
+ data[i++] = 0;
+ data[i++] = 0;
+- data[i++] = tx->dqo_tx.tail - tx->dqo_tx.head;
++ data[i++] =
++ (tx->dqo_tx.tail - tx->dqo_tx.head) &
++ tx->mask;
+ }
+ do {
+ start =
--- /dev/null
+From ef01cac401f18647d62720cf773d7bb0541827da Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Tue, 1 Apr 2025 08:05:04 -0700
+Subject: KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit ef01cac401f18647d62720cf773d7bb0541827da upstream.
+
+Acquire a lock on kvm->srcu when userspace is getting MP state to handle a
+rather extreme edge case where "accepting" APIC events, i.e. processing
+pending INIT or SIPI, can trigger accesses to guest memory. If the vCPU
+is in L2 with INIT *and* a TRIPLE_FAULT request pending, then getting MP
+state will trigger a nested VM-Exit by way of ->check_nested_events(), and
+emuating the nested VM-Exit can access guest memory.
+
+The splat was originally hit by syzkaller on a Google-internal kernel, and
+reproduced on an upstream kernel by hacking the triple_fault_event_test
+selftest to stuff a pending INIT, store an MSR on VM-Exit (to generate a
+memory access on VMX), and do vcpu_mp_state_get() to trigger the scenario.
+
+ =============================
+ WARNING: suspicious RCU usage
+ 6.14.0-rc3-b112d356288b-vmx/pi_lockdep_false_pos-lock #3 Not tainted
+ -----------------------------
+ include/linux/kvm_host.h:1058 suspicious rcu_dereference_check() usage!
+
+ other info that might help us debug this:
+
+ rcu_scheduler_active = 2, debug_locks = 1
+ 1 lock held by triple_fault_ev/1256:
+ #0: ffff88810df5a330 (&vcpu->mutex){+.+.}-{4:4}, at: kvm_vcpu_ioctl+0x8b/0x9a0 [kvm]
+
+ stack backtrace:
+ CPU: 11 UID: 1000 PID: 1256 Comm: triple_fault_ev Not tainted 6.14.0-rc3-b112d356288b-vmx #3
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x7f/0x90
+ lockdep_rcu_suspicious+0x144/0x190
+ kvm_vcpu_gfn_to_memslot+0x156/0x180 [kvm]
+ kvm_vcpu_read_guest+0x3e/0x90 [kvm]
+ read_and_check_msr_entry+0x2e/0x180 [kvm_intel]
+ __nested_vmx_vmexit+0x550/0xde0 [kvm_intel]
+ kvm_check_nested_events+0x1b/0x30 [kvm]
+ kvm_apic_accept_events+0x33/0x100 [kvm]
+ kvm_arch_vcpu_ioctl_get_mpstate+0x30/0x1d0 [kvm]
+ kvm_vcpu_ioctl+0x33e/0x9a0 [kvm]
+ __x64_sys_ioctl+0x8b/0xb0
+ do_syscall_64+0x6c/0x170
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+ </TASK>
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-ID: <20250401150504.829812-1-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/x86.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -11396,6 +11396,8 @@ int kvm_arch_vcpu_ioctl_get_mpstate(stru
+ if (kvm_mpx_supported())
+ kvm_load_guest_fpu(vcpu);
+
++ kvm_vcpu_srcu_read_lock(vcpu);
++
+ r = kvm_apic_accept_events(vcpu);
+ if (r < 0)
+ goto out;
+@@ -11409,6 +11411,8 @@ int kvm_arch_vcpu_ioctl_get_mpstate(stru
+ mp_state->mp_state = vcpu->arch.mp_state;
+
+ out:
++ kvm_vcpu_srcu_read_unlock(vcpu);
++
+ if (kvm_mpx_supported())
+ kvm_put_guest_fpu(vcpu);
+ vcpu_put(vcpu);
--- /dev/null
+From bc52ae0a708cb6fa3926d11c88e3c55e1171b4a1 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Fri, 14 Mar 2025 19:41:02 -0700
+Subject: KVM: x86: Explicitly zero-initialize on-stack CPUID unions
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit bc52ae0a708cb6fa3926d11c88e3c55e1171b4a1 upstream.
+
+Explicitly zero/empty-initialize the unions used for PMU related CPUID
+entries, instead of manually zeroing all fields (hopefully), or in the
+case of 0x80000022, relying on the compiler to clobber the uninitialized
+bitfields.
+
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Message-ID: <20250315024102.2361628-1-seanjc@google.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/cpuid.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/arch/x86/kvm/cpuid.c
++++ b/arch/x86/kvm/cpuid.c
+@@ -1011,8 +1011,8 @@ static inline int __do_cpuid_func(struct
+ }
+ break;
+ case 0xa: { /* Architectural Performance Monitoring */
+- union cpuid10_eax eax;
+- union cpuid10_edx edx;
++ union cpuid10_eax eax = { };
++ union cpuid10_edx edx = { };
+
+ if (!enable_pmu || !static_cpu_has(X86_FEATURE_ARCH_PERFMON)) {
+ entry->eax = entry->ebx = entry->ecx = entry->edx = 0;
+@@ -1028,8 +1028,6 @@ static inline int __do_cpuid_func(struct
+
+ if (kvm_pmu_cap.version)
+ edx.split.anythread_deprecated = 1;
+- edx.split.reserved1 = 0;
+- edx.split.reserved2 = 0;
+
+ entry->eax = eax.full;
+ entry->ebx = kvm_pmu_cap.events_mask;
+@@ -1303,7 +1301,7 @@ static inline int __do_cpuid_func(struct
+ break;
+ /* AMD Extended Performance Monitoring and Debug */
+ case 0x80000022: {
+- union cpuid_0x80000022_ebx ebx;
++ union cpuid_0x80000022_ebx ebx = { };
+
+ entry->ecx = entry->edx = 0;
+ if (!enable_pmu || !kvm_cpu_cap_has(X86_FEATURE_PERFMON_V2)) {
--- /dev/null
+From ded40f32b55f7f2f4ed9627dd3c37a1fe89ed8c6 Mon Sep 17 00:00:00 2001
+From: Tudor Ambarus <tudor.ambarus@linaro.org>
+Date: Fri, 17 Jan 2025 14:18:52 +0000
+Subject: scsi: ufs: qcom: fix dev reference leaked through of_qcom_ice_get
+
+From: Tudor Ambarus <tudor.ambarus@linaro.org>
+
+commit ded40f32b55f7f2f4ed9627dd3c37a1fe89ed8c6 upstream.
+
+The driver leaks the device reference taken with
+of_find_device_by_node(). Fix the leak by using devm_of_qcom_ice_get().
+
+Fixes: 56541c7c4468 ("scsi: ufs: ufs-qcom: Switch to the new ICE API")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Abel Vesa <abel.vesa@linaro.org>
+Acked-by: Martin K. Petersen <martin.petersen@oracle.com> # SCSI
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Link: https://lore.kernel.org/r/20250117-qcom-ice-fix-dev-leak-v2-3-1ffa5b6884cb@linaro.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ufs/host/ufs-qcom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/ufs/host/ufs-qcom.c
++++ b/drivers/ufs/host/ufs-qcom.c
+@@ -121,7 +121,7 @@ static int ufs_qcom_ice_init(struct ufs_
+ struct device *dev = hba->dev;
+ struct qcom_ice *ice;
+
+- ice = of_qcom_ice_get(dev);
++ ice = devm_of_qcom_ice_get(dev);
+ if (ice == ERR_PTR(-EOPNOTSUPP)) {
+ dev_warn(dev, "Disabling inline encryption support\n");
+ ice = NULL;
mm-hwpoison-do-not-send-sigbus-to-processes-with-recovered-clean-pages.patch
mm-hugetlb-move-hugetlb_sysctl_init-to-the-__init-section.patch
sctp-detect-and-prevent-references-to-a-freed-transport-in-sendmsg.patch
+x86-xen-fix-balloon-target-initialization-for-pvh-dom0.patch
+tracing-do-not-add-length-to-print-format-in-synthetic-events.patch
+thermal-drivers-rockchip-add-missing-rk3328-mapping-entry.patch
+cifs-avoid-null-pointer-dereference-in-dbg-call.patch
+cifs-fix-integer-overflow-in-match_server.patch
+cifs-ensure-that-all-non-client-specific-reparse-points-are-processed-by-the-server.patch
+clk-qcom-clk-branch-fix-invert-halt-status-bit-check-for-votable-clocks.patch
+clk-qcom-gdsc-release-pm-subdomains-in-reverse-add-order.patch
+clk-qcom-gdsc-capture-pm_genpd_add_subdomain-result-code.patch
+clk-qcom-gdsc-set-retain_ff-before-moving-to-hw-ctrl.patch
+crypto-ccp-fix-check-for-the-primary-asp-device.patch
+dm-ebs-fix-prefetch-vs-suspend-race.patch
+dm-integrity-set-ti-error-on-memory-allocation-failure.patch
+dm-verity-fix-prefetch-vs-suspend-race.patch
+dt-bindings-coresight-qcom-coresight-tpda-fix-too-many-reg.patch
+dt-bindings-coresight-qcom-coresight-tpdm-fix-too-many-reg.patch
+ftrace-add-cond_resched-to-ftrace_graph_set_hash.patch
+gpio-tegra186-fix-resource-handling-in-acpi-probe-path.patch
+gpio-zynq-fix-wakeup-source-leaks-on-device-unbind.patch
+gve-handle-overflow-when-reporting-tx-consumed-descriptors.patch
+kvm-x86-explicitly-zero-initialize-on-stack-cpuid-unions.patch
+kvm-x86-acquire-srcu-in-kvm_get_mp_state-to-protect-guest-memory-accesses.patch
+scsi-ufs-qcom-fix-dev-reference-leaked-through-of_qcom_ice_get.patch
--- /dev/null
+From ee022e5cae052e0c67ca7c5fec0f2e7bc897c70e Mon Sep 17 00:00:00 2001
+From: Trevor Woerner <twoerner@gmail.com>
+Date: Fri, 7 Feb 2025 12:50:47 -0500
+Subject: thermal/drivers/rockchip: Add missing rk3328 mapping entry
+
+From: Trevor Woerner <twoerner@gmail.com>
+
+commit ee022e5cae052e0c67ca7c5fec0f2e7bc897c70e upstream.
+
+The mapping table for the rk3328 is missing the entry for -25C which is
+found in the TRM section 9.5.2 "Temperature-to-code mapping".
+
+NOTE: the kernel uses the tsadc_q_sel=1'b1 mode which is defined as:
+ 4096-<code in table>. Whereas the table in the TRM gives the code
+ "3774" for -25C, the kernel uses 4096-3774=322.
+
+[Dragan Simic] : "After going through the RK3308 and RK3328 TRMs, as
+ well as through the downstream kernel code, it seems we may have
+ some troubles at our hands. Let me explain, please.
+
+ To sum it up, part 1 of the RK3308 TRM v1.1 says on page 538 that
+ the equation for the output when tsadc_q_sel equals 1 is (4096 -
+ tsadc_q), while part 1 of the RK3328 TRM v1.2 says that the output
+ equation is (1024 - tsadc_q) in that case.
+
+ The downstream kernel code, however, treats the RK3308 and RK3328
+ tables and their values as being the same. It even mentions 1024 as
+ the "offset" value in a comment block for the rk_tsadcv3_control()
+ function, just like the upstream code does, which is obviously wrong
+ "offset" value when correlated with the table on page 544 of part 1
+ of the RK3308 TRM v1.1.
+
+ With all this in mind, it's obvious that more work is needed to make
+ it clear where's the actual mistake (it could be that the TRM is
+ wrong), which I'll volunteer for as part of the SoC binning project.
+ In the meantime, this patch looks fine as-is to me, by offering
+ what's a clear improvement to the current state of the upstream
+ code"
+
+Link: https://opensource.rock-chips.com/images/9/97/Rockchip_RK3328TRM_V1.1-Part1-20170321.pdf
+Cc: stable@vger.kernel.org
+Fixes: eda519d5f73e ("thermal: rockchip: Support the RK3328 SOC in thermal driver")
+Signed-off-by: Trevor Woerner <twoerner@gmail.com>
+Reviewed-by: Dragan Simic <dsimic@manjaro.org>
+Link: https://lore.kernel.org/r/20250207175048.35959-1-twoerner@gmail.com
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thermal/rockchip_thermal.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/thermal/rockchip_thermal.c
++++ b/drivers/thermal/rockchip_thermal.c
+@@ -386,6 +386,7 @@ static const struct tsadc_table rk3328_c
+ {296, -40000},
+ {304, -35000},
+ {313, -30000},
++ {322, -25000},
+ {331, -20000},
+ {340, -15000},
+ {349, -10000},
--- /dev/null
+From e1a453a57bc76be678bd746f84e3d73f378a9511 Mon Sep 17 00:00:00 2001
+From: Steven Rostedt <rostedt@goodmis.org>
+Date: Mon, 7 Apr 2025 15:41:39 -0400
+Subject: tracing: Do not add length to print format in synthetic events
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+commit e1a453a57bc76be678bd746f84e3d73f378a9511 upstream.
+
+The following causes a vsnprintf fault:
+
+ # echo 's:wake_lat char[] wakee; u64 delta;' >> /sys/kernel/tracing/dynamic_events
+ # echo 'hist:keys=pid:ts=common_timestamp.usecs if !(common_flags & 0x18)' > /sys/kernel/tracing/events/sched/sched_waking/trigger
+ # echo 'hist:keys=next_pid:delta=common_timestamp.usecs-$ts:onmatch(sched.sched_waking).trace(wake_lat,next_comm,$delta)' > /sys/kernel/tracing/events/sched/sched_switch/trigger
+
+Because the synthetic event's "wakee" field is created as a dynamic string
+(even though the string copied is not). The print format to print the
+dynamic string changed from "%*s" to "%s" because another location
+(__set_synth_event_print_fmt()) exported this to user space, and user
+space did not need that. But it is still used in print_synth_event(), and
+the output looks like:
+
+ <idle>-0 [001] d..5. 193.428167: wake_lat: wakee=(efault)sshd-sessiondelta=155
+ sshd-session-879 [001] d..5. 193.811080: wake_lat: wakee=(efault)kworker/u34:5delta=58
+ <idle>-0 [002] d..5. 193.811198: wake_lat: wakee=(efault)bashdelta=91
+ bash-880 [002] d..5. 193.811371: wake_lat: wakee=(efault)kworker/u35:2delta=21
+ <idle>-0 [001] d..5. 193.811516: wake_lat: wakee=(efault)sshd-sessiondelta=129
+ sshd-session-879 [001] d..5. 193.967576: wake_lat: wakee=(efault)kworker/u34:5delta=50
+
+The length isn't needed as the string is always nul terminated. Just print
+the string and not add the length (which was hard coded to the max string
+length anyway).
+
+Cc: stable@vger.kernel.org
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: Tom Zanussi <zanussi@kernel.org>
+Cc: Douglas Raillard <douglas.raillard@arm.com>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Link: https://lore.kernel.org/20250407154139.69955768@gandalf.local.home
+Fixes: 4d38328eb442d ("tracing: Fix synth event printk format for str fields");
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_events_synth.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/kernel/trace/trace_events_synth.c
++++ b/kernel/trace/trace_events_synth.c
+@@ -377,7 +377,6 @@ static enum print_line_t print_synth_eve
+ union trace_synth_field *data = &entry->fields[n_u64];
+
+ trace_seq_printf(s, print_fmt, se->fields[i]->name,
+- STR_VAR_LEN_MAX,
+ (char *)entry + data->as_dynamic.offset,
+ i == se->n_fields - 1 ? "" : " ");
+ n_u64++;
--- /dev/null
+From 87af633689ce16ddb166c80f32b120e50b1295de Mon Sep 17 00:00:00 2001
+From: Roger Pau Monne <roger.pau@citrix.com>
+Date: Mon, 7 Apr 2025 10:28:37 +0200
+Subject: x86/xen: fix balloon target initialization for PVH dom0
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Roger Pau Monne <roger.pau@citrix.com>
+
+commit 87af633689ce16ddb166c80f32b120e50b1295de upstream.
+
+PVH dom0 re-uses logic from PV dom0, in which RAM ranges not assigned to
+dom0 are re-used as scratch memory to map foreign and grant pages. Such
+logic relies on reporting those unpopulated ranges as RAM to Linux, and
+mark them as reserved. This way Linux creates the underlying page
+structures required for metadata management.
+
+Such approach works fine on PV because the initial balloon target is
+calculated using specific Xen data, that doesn't take into account the
+memory type changes described above. However on HVM and PVH the initial
+balloon target is calculated using get_num_physpages(), and that function
+does take into account the unpopulated RAM regions used as scratch space
+for remote domain mappings.
+
+This leads to PVH dom0 having an incorrect initial balloon target, which
+causes malfunction (excessive memory freeing) of the balloon driver if the
+dom0 memory target is later adjusted from the toolstack.
+
+Fix this by using xen_released_pages to account for any pages that are part
+of the memory map, but are already unpopulated when the balloon driver is
+initialized. This accounts for any regions used for scratch remote
+mappings. Note on x86 xen_released_pages definition is moved to
+enlighten.c so it's uniformly available for all Xen-enabled builds.
+
+Take the opportunity to unify PV with PVH/HVM guests regarding the usage of
+get_num_physpages(), as that avoids having to add different logic for PV vs
+PVH in both balloon_add_regions() and arch_xen_unpopulated_init().
+
+Much like a6aa4eb994ee, the code in this changeset should have been part of
+38620fc4e893.
+
+Fixes: a6aa4eb994ee ('xen/x86: add extra pages to unpopulated-alloc if available')
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Message-ID: <20250407082838.65495-1-roger.pau@citrix.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/xen/enlighten.c | 10 ++++++++++
+ arch/x86/xen/setup.c | 3 ---
+ drivers/xen/balloon.c | 34 ++++++++++++++++++++++++----------
+ 3 files changed, 34 insertions(+), 13 deletions(-)
+
+--- a/arch/x86/xen/enlighten.c
++++ b/arch/x86/xen/enlighten.c
+@@ -75,6 +75,9 @@ EXPORT_SYMBOL(xen_start_flags);
+ */
+ struct shared_info *HYPERVISOR_shared_info = &xen_dummy_shared_info;
+
++/* Number of pages released from the initial allocation. */
++unsigned long xen_released_pages;
++
+ static __ref void xen_get_vendor(void)
+ {
+ init_cpu_devs();
+@@ -471,6 +474,13 @@ int __init arch_xen_unpopulated_init(str
+ xen_free_unpopulated_pages(1, &pg);
+ }
+
++ /*
++ * Account for the region being in the physmap but unpopulated.
++ * The value in xen_released_pages is used by the balloon
++ * driver to know how much of the physmap is unpopulated and
++ * set an accurate initial memory target.
++ */
++ xen_released_pages += xen_extra_mem[i].n_pfns;
+ /* Zero so region is not also added to the balloon driver. */
+ xen_extra_mem[i].n_pfns = 0;
+ }
+--- a/arch/x86/xen/setup.c
++++ b/arch/x86/xen/setup.c
+@@ -38,9 +38,6 @@
+
+ #define GB(x) ((uint64_t)(x) * 1024 * 1024 * 1024)
+
+-/* Number of pages released from the initial allocation. */
+-unsigned long xen_released_pages;
+-
+ /* Memory map would allow PCI passthrough. */
+ bool xen_pv_pci_possible;
+
+--- a/drivers/xen/balloon.c
++++ b/drivers/xen/balloon.c
+@@ -671,7 +671,7 @@ void xen_free_ballooned_pages(unsigned i
+ }
+ EXPORT_SYMBOL(xen_free_ballooned_pages);
+
+-static void __init balloon_add_regions(void)
++static int __init balloon_add_regions(void)
+ {
+ unsigned long start_pfn, pages;
+ unsigned long pfn, extra_pfn_end;
+@@ -694,26 +694,38 @@ static void __init balloon_add_regions(v
+ for (pfn = start_pfn; pfn < extra_pfn_end; pfn++)
+ balloon_append(pfn_to_page(pfn));
+
+- balloon_stats.total_pages += extra_pfn_end - start_pfn;
++ /*
++ * Extra regions are accounted for in the physmap, but need
++ * decreasing from current_pages to balloon down the initial
++ * allocation, because they are already accounted for in
++ * total_pages.
++ */
++ if (extra_pfn_end - start_pfn >= balloon_stats.current_pages) {
++ WARN(1, "Extra pages underflow current target");
++ return -ERANGE;
++ }
++ balloon_stats.current_pages -= extra_pfn_end - start_pfn;
+ }
++
++ return 0;
+ }
+
+ static int __init balloon_init(void)
+ {
+ struct task_struct *task;
++ int rc;
+
+ if (!xen_domain())
+ return -ENODEV;
+
+ pr_info("Initialising balloon driver\n");
+
+-#ifdef CONFIG_XEN_PV
+- balloon_stats.current_pages = xen_pv_domain()
+- ? min(xen_start_info->nr_pages - xen_released_pages, max_pfn)
+- : get_num_physpages();
+-#else
+- balloon_stats.current_pages = get_num_physpages();
+-#endif
++ if (xen_released_pages >= get_num_physpages()) {
++ WARN(1, "Released pages underflow current target");
++ return -ERANGE;
++ }
++
++ balloon_stats.current_pages = get_num_physpages() - xen_released_pages;
+ balloon_stats.target_pages = balloon_stats.current_pages;
+ balloon_stats.balloon_low = 0;
+ balloon_stats.balloon_high = 0;
+@@ -730,7 +742,9 @@ static int __init balloon_init(void)
+ register_sysctl_init("xen/balloon", balloon_table);
+ #endif
+
+- balloon_add_regions();
++ rc = balloon_add_regions();
++ if (rc)
++ return rc;
+
+ task = kthread_run(balloon_thread, NULL, "xen-balloon");
+ if (IS_ERR(task)) {
projects / thirdparty / kernel / stable-queue.git / commitdiff
