--- /dev/null
+From d84afaf6a9b3fdacdf95429d7945133256305373 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Mar 2025 20:20:15 +0900
+Subject: 9p/net: fix improper handling of bogus negative read/write replies
+
+From: Dominique Martinet <asmadeus@codewreck.org>
+
+[ Upstream commit d0259a856afca31d699b706ed5e2adf11086c73b ]
+
+In p9_client_write() and p9_client_read_once(), if the server
+incorrectly replies with success but a negative write/read count then we
+would consider written (negative) <= rsize (positive) because both
+variables were signed.
+
+Make variables unsigned to avoid this problem.
+
+The reproducer linked below now fails with the following error instead
+of a null pointer deref:
+9pnet: bogus RWRITE count (4294967295 > 3)
+
+Reported-by: Robert Morris <rtm@mit.edu>
+Closes: https://lore.kernel.org/16271.1734448631@26-5-164.dynamic.csail.mit.edu
+Message-ID: <20250319-9p_unsigned_rw-v3-1-71327f1503d0@codewreck.org>
+Reviewed-by: Christian Schoenebeck <linux_oss@crudebyte.com>
+Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/9p/client.c | 30 ++++++++++++++++--------------
+ 1 file changed, 16 insertions(+), 14 deletions(-)
+
+diff --git a/net/9p/client.c b/net/9p/client.c
+index d841d82e908fe..cf73fe306219a 100644
+--- a/net/9p/client.c
++++ b/net/9p/client.c
+@@ -1547,7 +1547,8 @@ p9_client_read_once(struct p9_fid *fid, u64 offset, struct iov_iter *to,
+ struct p9_client *clnt = fid->clnt;
+ struct p9_req_t *req;
+ int count = iov_iter_count(to);
+- int rsize, received, non_zc = 0;
++ u32 rsize, received;
++ bool non_zc = false;
+ char *dataptr;
+
+ *err = 0;
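Review bot: `count` in p9_client_read_once() is still declared `int count = iov_iter_count(to);` while `rsize` and `received` become `u32`, so any later comparison between `count` and `rsize` (outside this hunk) is now a mixed signed/unsigned comparison on a narrowed value. The same commit changes p9_client_write() to `size_t count = iov_iter_count(from);`. Using `size_t count = iov_iter_count(to);` here would keep both functions consistent and remove the implicit conversion. The function body begins before and continues after this hunk.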
+@@ -1570,7 +1571,7 @@ p9_client_read_once(struct p9_fid *fid, u64 offset, struct iov_iter *to,
+ 0, 11, "dqd", fid->fid,
+ offset, rsize);
+ } else {
+- non_zc = 1;
++ non_zc = true;
+ req = p9_client_rpc(clnt, P9_TREAD, "dqd", fid->fid, offset,
+ rsize);
+ }
+@@ -1591,11 +1592,11 @@ p9_client_read_once(struct p9_fid *fid, u64 offset, struct iov_iter *to,
+ return 0;
+ }
+ if (rsize < received) {
+- pr_err("bogus RREAD count (%d > %d)\n", received, rsize);
++ pr_err("bogus RREAD count (%u > %u)\n", received, rsize);
+ received = rsize;
+ }
+
+- p9_debug(P9_DEBUG_9P, "<<< RREAD count %d\n", received);
++ p9_debug(P9_DEBUG_9P, "<<< RREAD count %u\n", received);
+
+ if (non_zc) {
+ int n = copy_to_iter(dataptr, received, to);
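Review bot: The `bogus RREAD count` diagnostic is printed with plain `pr_err()` on a value taken from the server's reply, so a misbehaving or hostile server can produce one kernel log line per request. `pr_err_ratelimited("bogus RREAD count (%u > %u)\n", received, rsize);` keeps the signal for operators without letting the peer flood the log. The same applies to the `bogus RWRITE count` and `bogus RREADDIR count` messages in the later hunks of this patch. The enclosing function continues outside the hunk.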
+@@ -1622,9 +1623,9 @@ p9_client_write(struct p9_fid *fid, u64 offset, struct iov_iter *from, int *err)
+ *err = 0;
+
+ while (iov_iter_count(from)) {
+- int count = iov_iter_count(from);
+- int rsize = fid->iounit;
+- int written;
++ size_t count = iov_iter_count(from);
++ u32 rsize = fid->iounit;
++ u32 written;
+
+ if (!rsize || rsize > clnt->msize - P9_IOHDRSZ)
+ rsize = clnt->msize - P9_IOHDRSZ;
+@@ -1632,7 +1633,7 @@ p9_client_write(struct p9_fid *fid, u64 offset, struct iov_iter *from, int *err)
+ if (count < rsize)
+ rsize = count;
+
+- p9_debug(P9_DEBUG_9P, ">>> TWRITE fid %d offset %llu count %d (/%d)\n",
++ p9_debug(P9_DEBUG_9P, ">>> TWRITE fid %d offset %llu count %u (/%zu)\n",
+ fid->fid, offset, rsize, count);
+
+ /* Don't bother zerocopy for small IO (< 1024) */
+@@ -1658,11 +1659,11 @@ p9_client_write(struct p9_fid *fid, u64 offset, struct iov_iter *from, int *err)
+ break;
+ }
+ if (rsize < written) {
+- pr_err("bogus RWRITE count (%d > %d)\n", written, rsize);
++ pr_err("bogus RWRITE count (%u > %u)\n", written, rsize);
+ written = rsize;
+ }
+
+- p9_debug(P9_DEBUG_9P, "<<< RWRITE count %d\n", written);
++ p9_debug(P9_DEBUG_9P, "<<< RWRITE count %u\n", written);
+
+ p9_req_put(clnt, req);
+ iov_iter_revert(from, count - written - iov_iter_count(from));
+@@ -2049,7 +2050,8 @@ EXPORT_SYMBOL_GPL(p9_client_xattrcreate);
+
+ int p9_client_readdir(struct p9_fid *fid, char *data, u32 count, u64 offset)
+ {
+- int err, rsize, non_zc = 0;
++ int err, non_zc = 0;
++ u32 rsize;
+ struct p9_client *clnt;
+ struct p9_req_t *req;
+ char *dataptr;
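Review bot: `non_zc` stays an `int` flag in p9_client_readdir() (`int err, non_zc = 0;`) although this same commit converts it to `bool` in p9_client_read_once(). Declaring it as `bool non_zc = false;` and assigning `true` where it is set (outside this hunk) would keep the two readers written the same way. This is a style point only; behaviour is unchanged.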
+@@ -2058,7 +2060,7 @@ int p9_client_readdir(struct p9_fid *fid, char *data, u32 count, u64 offset)
+
+ iov_iter_kvec(&to, ITER_DEST, &kv, 1, count);
+
+- p9_debug(P9_DEBUG_9P, ">>> TREADDIR fid %d offset %llu count %d\n",
++ p9_debug(P9_DEBUG_9P, ">>> TREADDIR fid %d offset %llu count %u\n",
+ fid->fid, offset, count);
+
+ clnt = fid->clnt;
+@@ -2093,11 +2095,11 @@ int p9_client_readdir(struct p9_fid *fid, char *data, u32 count, u64 offset)
+ goto free_and_error;
+ }
+ if (rsize < count) {
+- pr_err("bogus RREADDIR count (%d > %d)\n", count, rsize);
++ pr_err("bogus RREADDIR count (%u > %u)\n", count, rsize);
+ count = rsize;
+ }
+
+- p9_debug(P9_DEBUG_9P, "<<< RREADDIR count %d\n", count);
++ p9_debug(P9_DEBUG_9P, "<<< RREADDIR count %u\n", count);
+
+ if (non_zc)
+ memmove(data, dataptr, count);
+--
+2.39.5
+
--- /dev/null
+From aeba99f8cce1300c0e84121b111cf4add700fdff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Apr 2025 08:38:51 -0500
+Subject: ACPI: EC: Set ec_no_wakeup for Lenovo Go S
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit b988685388effd648150aab272533f833a2a70f0 ]
+
+When AC adapter is unplugged or plugged in EC wakes from HW sleep but
+APU doesn't enter back into HW sleep.
+
+The reason this happens is that, when the APU exits HW sleep, the power
+rails controlled by the EC will power up the TCON. The TCON has a GPIO
+that will be toggled at this time. The GPIO is not marked as a wakeup
+source, but the GPIO controller still has an unserviced interrupt.
+Unserviced interrupts will block entering HW sleep again. Clearing the
+GPIO doesn't help as the TCON continues to assert it until it's been
+initialized by i2c-hid.
+
+Fixing this would require TCON F/W changes and it's already broken in
+the wild on production hardware.
+
+To avoid triggering this issue add a quirk to avoid letting EC wake
+up system at all. The power button still works properly on this system.
+
+Reported-by: Antheas Kapenekakis <lkml@antheas.dev>
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3929
+Link: https://github.com/bazzite-org/patchwork/commit/95b93b2852718ee1e808c72e6b1836da4a95fc63
+Co-developed-by: Antheas Kapenekakis <lkml@antheas.dev>
+Signed-off-by: Antheas Kapenekakis <lkml@antheas.dev>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Link: https://patch.msgid.link/20250401133858.1892077-1-superm1@kernel.org
+[ rjw: Changelog edits ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/ec.c | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c
+index 115994dfefec1..77d6af6115893 100644
+--- a/drivers/acpi/ec.c
++++ b/drivers/acpi/ec.c
+@@ -2301,6 +2301,34 @@ static const struct dmi_system_id acpi_ec_no_wakeup[] = {
+ DMI_MATCH(DMI_PRODUCT_FAMILY, "103C_5336AN HP ZHAN 66 Pro"),
+ },
+ },
++ /*
++ * Lenovo Legion Go S; touchscreen blocks HW sleep when woken up from EC
++ * https://gitlab.freedesktop.org/drm/amd/-/issues/3929
++ */
++ {
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "83L3"),
++ }
++ },
++ {
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "83N6"),
++ }
++ },
++ {
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "83Q2"),
++ }
++ },
++ {
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "83Q3"),
++ }
++ },
+ { },
+ };
+
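Review bot: The four new entries identify the machine only by a four-character `DMI_PRODUCT_NAME` passed to `DMI_MATCH`, which is a substring comparison. Any LENOVO board whose product name merely contains `83L3`, `83N6`, `83Q2` or `83Q3` would therefore also have EC wakeup disabled. If the firmware reports exactly these strings, `DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "83L3")` would confine the quirk to the intended models; if suffixed variants are meant to match, a comment saying so would record the intent. The block comment sits only above the first entry, so a short `/* Lenovo Legion Go S */` on each of the other three would keep them attributable if the table is reordered.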
+--
+2.39.5
+
--- /dev/null
+From 11afc5acf7d120ef2ee729f6253a638205e7645c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Apr 2025 17:15:42 -0700
+Subject: ACPI PPTT: Fix coding mistakes in a couple of sizeof() calls
+
+From: Jean-Marc Eurin <jmeurin@google.com>
+
+[ Upstream commit 7ab4f0e37a0f4207e742a8de69be03984db6ebf0 ]
+
+The end of table checks should be done with the structure size,
+but 2 of the 3 similar calls use the pointer size.
+
+Signed-off-by: Jean-Marc Eurin <jmeurin@google.com>
+Link: https://patch.msgid.link/20250402001542.2600671-1-jmeurin@google.com
+[ rjw: Subject edits ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/pptt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/acpi/pptt.c b/drivers/acpi/pptt.c
+index a35dd0e41c270..f73ce6e13065d 100644
+--- a/drivers/acpi/pptt.c
++++ b/drivers/acpi/pptt.c
+@@ -229,7 +229,7 @@ static int acpi_pptt_leaf_node(struct acpi_table_header *table_hdr,
+ node_entry = ACPI_PTR_DIFF(node, table_hdr);
+ entry = ACPI_ADD_PTR(struct acpi_subtable_header, table_hdr,
+ sizeof(struct acpi_table_pptt));
+- proc_sz = sizeof(struct acpi_pptt_processor *);
++ proc_sz = sizeof(struct acpi_pptt_processor);
+
+ while ((unsigned long)entry + proc_sz < table_end) {
+ cpu_node = (struct acpi_pptt_processor *)entry;
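Review bot: With `proc_sz` now the full structure size, the condition `(unsigned long)entry + proc_sz < table_end` rejects a processor node that ends exactly at `table_end`. A final node that carries nothing after the fixed structure would then be skipped by the walk. `<=` is the bound that admits every node that still fits: `while ((unsigned long)entry + proc_sz <= table_end) {`. The identical condition in acpi_find_processor_node() in the next hunk has the same edge case. Both loop bodies continue outside the hunks, so whether `entry->length` is validated before the pointer is advanced cannot be confirmed from here.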
+@@ -270,7 +270,7 @@ static struct acpi_pptt_processor *acpi_find_processor_node(struct acpi_table_he
+ table_end = (unsigned long)table_hdr + table_hdr->length;
+ entry = ACPI_ADD_PTR(struct acpi_subtable_header, table_hdr,
+ sizeof(struct acpi_table_pptt));
+- proc_sz = sizeof(struct acpi_pptt_processor *);
++ proc_sz = sizeof(struct acpi_pptt_processor);
+
+ /* find the processor structure associated with this cpuid */
+ while ((unsigned long)entry + proc_sz < table_end) {
+--
+2.39.5
+
--- /dev/null
+From 59dd7a4994414bae23c3740e49b697b9375924ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Mar 2025 12:12:37 +0900
+Subject: bpf: bpftool: Setting error code in do_loader()
+
+From: Sewon Nam <swnam0729@gmail.com>
+
+[ Upstream commit 02a4694107b4c830d4bd6d194e98b3ac0bc86f29 ]
+
+We are missing setting error code in do_loader() when
+bpf_object__open_file() fails. This means the command's exit status code
+will be successful, even though the operation failed. So make sure to
+return the correct error code. To maintain consistency with other
+locations where bpf_object__open_file() is called, return -1.
+
+ [0] Closes: https://github.com/libbpf/bpftool/issues/156
+
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Sewon Nam <swnam0729@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Tested-by: Quentin Monnet <qmo@kernel.org>
+Reviewed-by: Quentin Monnet <qmo@kernel.org>
+Link: https://lore.kernel.org/bpf/d3b5b4b4-19bb-4619-b4dd-86c958c4a367@stanley.mountain/t/#u
+Link: https://lore.kernel.org/bpf/20250311031238.14865-1-swnam0729@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bpf/bpftool/prog.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/bpf/bpftool/prog.c b/tools/bpf/bpftool/prog.c
+index 90ae2ea61324c..174e076e56af2 100644
+--- a/tools/bpf/bpftool/prog.c
++++ b/tools/bpf/bpftool/prog.c
+@@ -1924,6 +1924,7 @@ static int do_loader(int argc, char **argv)
+
+ obj = bpf_object__open_file(file, &open_opts);
+ if (!obj) {
++ err = -1;
+ p_err("failed to open object file");
+ goto err_close_obj;
+ }
+--
+2.39.5
+
--- /dev/null
+From 603ac8d8bdb4f5d0107056af6e627af82c3647d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Feb 2025 14:16:37 -0800
+Subject: bpf: Fix deadlock between rcu_tasks_trace and event_mutex.
+
+From: Alexei Starovoitov <ast@kernel.org>
+
+[ Upstream commit 4580f4e0ebdf8dc8d506ae926b88510395a0c1d1 ]
+
+Fix the following deadlock:
+CPU A
+_free_event()
+ perf_kprobe_destroy()
+ mutex_lock(&event_mutex)
+ perf_trace_event_unreg()
+ synchronize_rcu_tasks_trace()
+
+There are several paths where _free_event() grabs event_mutex
+and calls sync_rcu_tasks_trace. Above is one such case.
+
+CPU B
+bpf_prog_test_run_syscall()
+ rcu_read_lock_trace()
+ bpf_prog_run_pin_on_cpu()
+ bpf_prog_load()
+ bpf_tracing_func_proto()
+ trace_set_clr_event()
+ mutex_lock(&event_mutex)
+
+Delegate trace_set_clr_event() to workqueue to avoid
+such lock dependency.
+
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20250224221637.4780-1-alexei.starovoitov@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/bpf_trace.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
+index 545393601be8c..97f660a8ddc73 100644
+--- a/kernel/trace/bpf_trace.c
++++ b/kernel/trace/bpf_trace.c
+@@ -400,7 +400,7 @@ static const struct bpf_func_proto bpf_trace_printk_proto = {
+ .arg2_type = ARG_CONST_SIZE,
+ };
+
+-static void __set_printk_clr_event(void)
++static void __set_printk_clr_event(struct work_struct *work)
+ {
+ /*
+ * This program might be calling bpf_trace_printk,
+@@ -413,10 +413,11 @@ static void __set_printk_clr_event(void)
+ if (trace_set_clr_event("bpf_trace", "bpf_trace_printk", 1))
+ pr_warn_ratelimited("could not enable bpf_trace_printk events");
+ }
++static DECLARE_WORK(set_printk_work, __set_printk_clr_event);
+
+ const struct bpf_func_proto *bpf_get_trace_printk_proto(void)
+ {
+- __set_printk_clr_event();
++ schedule_work(&set_printk_work);
+ return &bpf_trace_printk_proto;
+ }
+
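Review bot: Enabling the `bpf_trace_printk` event is now deferred, so `bpf_get_trace_printk_proto()` can return before `trace_set_clr_event()` has run. Output from a program that prints right after load may then be missing until the work item executes (inferred; the load path is outside the hunk). A comment above `DECLARE_WORK` recording why the call is deferred, e.g. `/* deferred: event_mutex must not be taken under rcu_read_lock_trace() */`, would keep a later cleanup from inlining it again. The `work` parameter of `__set_printk_clr_event()` is unused, and a blank line between the function's closing brace and `static DECLARE_WORK(...)` would match the surrounding layout. bpf_get_trace_vprintk_proto() in the next hunk uses the same `schedule_work()` call.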
+@@ -459,7 +460,7 @@ static const struct bpf_func_proto bpf_trace_vprintk_proto = {
+
+ const struct bpf_func_proto *bpf_get_trace_vprintk_proto(void)
+ {
+- __set_printk_clr_event();
++ schedule_work(&set_printk_work);
+ return &bpf_trace_vprintk_proto;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 146baeaf12ad297fe0ef599967cd4a50e3e0e88e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Mar 2025 11:27:59 -0700
+Subject: bpf: Only fails the busy counter check in bpf_cgrp_storage_get if it
+ creates storage
+
+From: Martin KaFai Lau <martin.lau@kernel.org>
+
+[ Upstream commit f4edc66e48a694b3e6d164cc71f059de542dfaec ]
+
+The current cgrp storage has a percpu counter, bpf_cgrp_storage_busy,
+to detect potential deadlock at a spin_lock that the local storage
+acquires during new storage creation.
+
+There are false positives. It turns out to be too noisy in
+production. For example, a bpf prog may be doing a
+bpf_cgrp_storage_get on map_a. An IRQ comes in and triggers
+another bpf_cgrp_storage_get on a different map_b. It will then
+trigger the false positive deadlock check in the percpu counter.
+On top of that, both are doing lookup only and no need to create
+new storage, so practically it does not need to acquire
+the spin_lock.
+
+The bpf_task_storage_get already has a strategy to minimize this
+false positive by only failing if the bpf_task_storage_get needs
+to create a new storage and the percpu counter is busy. Creating
+a new storage is the only time it must acquire the spin_lock.
+
+This patch borrows the same idea. Unlike task storage that
+has a separate variant for tracing (_recur) and non-tracing, this
+patch stays with one bpf_cgrp_storage_get helper to keep it simple
+for now in light of the upcoming res_spin_lock.
+
+The variable could potentially use a better name noTbusy instead
+of nobusy. This patch follows the same naming in
+bpf_task_storage_get for now.
+
+I have tested it by temporarily adding noinline to
+the cgroup_storage_lookup(), traced it by fentry, and the fentry
+program succeeded in calling bpf_cgrp_storage_get().
+
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Link: https://lore.kernel.org/r/20250318182759.3676094-1-martin.lau@linux.dev
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/bpf_cgrp_storage.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/kernel/bpf/bpf_cgrp_storage.c b/kernel/bpf/bpf_cgrp_storage.c
+index ee1c7b77096e7..fbbf3b6b9f835 100644
+--- a/kernel/bpf/bpf_cgrp_storage.c
++++ b/kernel/bpf/bpf_cgrp_storage.c
+@@ -162,6 +162,7 @@ BPF_CALL_5(bpf_cgrp_storage_get, struct bpf_map *, map, struct cgroup *, cgroup,
+ void *, value, u64, flags, gfp_t, gfp_flags)
+ {
+ struct bpf_local_storage_data *sdata;
++ bool nobusy;
+
+ WARN_ON_ONCE(!bpf_rcu_lock_held());
+ if (flags & ~(BPF_LOCAL_STORAGE_GET_F_CREATE))
+@@ -170,21 +171,21 @@ BPF_CALL_5(bpf_cgrp_storage_get, struct bpf_map *, map, struct cgroup *, cgroup,
+ if (!cgroup)
+ return (unsigned long)NULL;
+
+- if (!bpf_cgrp_storage_trylock())
+- return (unsigned long)NULL;
++ nobusy = bpf_cgrp_storage_trylock();
+
+- sdata = cgroup_storage_lookup(cgroup, map, true);
++ sdata = cgroup_storage_lookup(cgroup, map, nobusy);
+ if (sdata)
+ goto unlock;
+
+ /* only allocate new storage, when the cgroup is refcounted */
+ if (!percpu_ref_is_dying(&cgroup->self.refcnt) &&
+- (flags & BPF_LOCAL_STORAGE_GET_F_CREATE))
++ (flags & BPF_LOCAL_STORAGE_GET_F_CREATE) && nobusy)
+ sdata = bpf_local_storage_update(cgroup, (struct bpf_local_storage_map *)map,
+ value, BPF_NOEXIST, gfp_flags);
+
+ unlock:
+- bpf_cgrp_storage_unlock();
++ if (nobusy)
++ bpf_cgrp_storage_unlock();
+ return IS_ERR_OR_NULL(sdata) ? (unsigned long)NULL : (unsigned long)sdata->data;
+ }
+
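Review bot: `nobusy` now drives three decisions in bpf_cgrp_storage_get(): the third argument of `cgroup_storage_lookup()`, whether `bpf_local_storage_update()` is attempted, and whether `bpf_cgrp_storage_unlock()` runs. Nothing in the code states what a false value means. A comment at the assignment, e.g. `/* false: the per-cpu busy counter is already held on this CPU; lookup only, never create */`, would make the invariant explicit for the next reader. With `BPF_LOCAL_STORAGE_GET_F_CREATE` set and the counter busy, the helper still returns NULL exactly as it does for an allocation failure, which is worth saying in the helper's documentation. The meaning of the third lookup argument is defined outside this hunk.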
+--
+2.39.5
+
--- /dev/null
+From ca0cedf12efe65ad5b8cd9f7268e22fc643ceff0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Mar 2025 19:44:46 +0800
+Subject: bpf: Reject attaching fexit/fmod_ret to __noreturn functions
+
+From: Yafang Shao <laoar.shao@gmail.com>
+
+[ Upstream commit cfe816d469dce9c0864062cf65dd7b3c42adc6f8 ]
+
+If we attach fexit/fmod_ret to __noreturn functions, it will cause an
+issue that the bpf trampoline image will be left over even if the bpf
+link has been destroyed. Take attaching do_exit() with fexit for example.
+The fexit works as follows,
+
+ bpf_trampoline
+ + __bpf_tramp_enter
+ + percpu_ref_get(&tr->pcref);
+
+ + call do_exit()
+
+ + __bpf_tramp_exit
+ + percpu_ref_put(&tr->pcref);
+
+Since do_exit() never returns, the refcnt of the trampoline image is
+never decremented, preventing it from being freed. That can be verified
+with as follows,
+
+ $ bpftool link show <<<< nothing output
+ $ grep "bpf_trampoline_[0-9]" /proc/kallsyms
+ ffffffffc04cb000 t bpf_trampoline_6442526459 [bpf] <<<< leftover
+
+In this patch, all functions annotated with __noreturn are rejected, except
+for the following cases:
+- Functions that result in a system reboot, such as panic,
+ machine_real_restart and rust_begin_unwind
+- Functions that are never executed by tasks, such as rest_init and
+ cpu_startup_entry
+- Functions implemented in assembly, such as rewind_stack_and_make_dead and
+ xen_cpu_bringup_again, lack an associated BTF ID.
+
+With this change, attaching fexit probes to functions like do_exit() will
+be rejected.
+
+$ ./fexit
+libbpf: prog 'fexit': BPF program load failed: -EINVAL
+libbpf: prog 'fexit': -- BEGIN PROG LOAD LOG --
+Attaching fexit/fmod_ret to __noreturn functions is rejected.
+
+Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
+Link: https://lore.kernel.org/r/20250318114447.75484-2-laoar.shao@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 32 ++++++++++++++++++++++++++++++++
+ 1 file changed, 32 insertions(+)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index d6a4102312fad..e443506b0a65a 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -20106,6 +20106,33 @@ BTF_ID(func, __rcu_read_unlock)
+ #endif
+ BTF_SET_END(btf_id_deny)
+
++/* fexit and fmod_ret can't be used to attach to __noreturn functions.
++ * Currently, we must manually list all __noreturn functions here. Once a more
++ * robust solution is implemented, this workaround can be removed.
++ */
++BTF_SET_START(noreturn_deny)
++#ifdef CONFIG_IA32_EMULATION
++BTF_ID(func, __ia32_sys_exit)
++BTF_ID(func, __ia32_sys_exit_group)
++#endif
++#ifdef CONFIG_KUNIT
++BTF_ID(func, __kunit_abort)
++BTF_ID(func, kunit_try_catch_throw)
++#endif
++#ifdef CONFIG_MODULES
++BTF_ID(func, __module_put_and_kthread_exit)
++#endif
++#ifdef CONFIG_X86_64
++BTF_ID(func, __x64_sys_exit)
++BTF_ID(func, __x64_sys_exit_group)
++#endif
++BTF_ID(func, do_exit)
++BTF_ID(func, do_group_exit)
++BTF_ID(func, kthread_complete_and_exit)
++BTF_ID(func, kthread_exit)
++BTF_ID(func, make_task_dead)
++BTF_SET_END(noreturn_deny)
++
+ static bool can_be_sleepable(struct bpf_prog *prog)
+ {
+ if (prog->type == BPF_PROG_TYPE_TRACING) {
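Review bot: The `noreturn_deny` set fails open: a `__noreturn` function that is missing from the list, or added to the kernel later, stays attachable and would leak the trampoline image as the commit message describes. The existing comment says the list is manual but not how to keep it complete. One more line would help, such as `* When adding a __noreturn function that tasks can execute, add it here as well.`, and the exclusions named in the commit message (reboot paths, never-executed-by-tasks functions, assembly functions without a BTF ID) belong in the comment too, so the omissions read as deliberate.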
+@@ -20194,6 +20221,11 @@ static int check_attach_btf_id(struct bpf_verifier_env *env)
+ } else if (prog->type == BPF_PROG_TYPE_TRACING &&
+ btf_id_set_contains(&btf_id_deny, btf_id)) {
+ return -EINVAL;
++ } else if ((prog->expected_attach_type == BPF_TRACE_FEXIT ||
++ prog->expected_attach_type == BPF_MODIFY_RETURN) &&
++ btf_id_set_contains(&noreturn_deny, btf_id)) {
++ verbose(env, "Attaching fexit/fmod_ret to __noreturn functions is rejected.\n");
++ return -EINVAL;
+ }
+
+ key = bpf_trampoline_compute_key(tgt_prog, prog->aux->attach_btf, btf_id);
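Review bot: The new branch tests only `prog->expected_attach_type`, whereas the branch directly above it also requires `prog->type == BPF_PROG_TYPE_TRACING`. If other program types can reach this point (the early returns are outside the hunk), the condition relies on attach-type values never coinciding across types. Prefixing it with `prog->type == BPF_PROG_TYPE_TRACING &&` would make it agree with its neighbour. The `verbose()` text also does not name the function that was rejected, which makes the load log harder to act on when a program has several attach targets.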
+--
+2.39.5
+
--- /dev/null
+From fd0121fe7ea0b1aa74cc96216f7b65d425a92d61 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 6 Oct 2024 19:20:13 +0200
+Subject: cifs: Fix encoding of SMB1 Session Setup Kerberos Request in
+ non-UNICODE mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit 16cb6b0509b65ac89187e9402e0b7a9ddf1765ef ]
+
+Like in UNICODE mode, SMB1 Session Setup Kerberos Request contains oslm and
+domain strings.
+
+Extract common code into ascii_oslm_strings() and ascii_domain_string()
+functions (similar to unicode variants) and use these functions in
+non-UNICODE code path in sess_auth_kerberos().
+
+Decision if non-UNICODE or UNICODE mode is used is based on the
+SMBFLG2_UNICODE flag in Flags2 packed field, and not based on the
+capabilities of server. Fix this check too.
+
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/sess.c | 60 +++++++++++++++++++++++++++++---------------
+ 1 file changed, 40 insertions(+), 20 deletions(-)
+
+diff --git a/fs/smb/client/sess.c b/fs/smb/client/sess.c
+index c2a98b2736645..f04922eb45d4c 100644
+--- a/fs/smb/client/sess.c
++++ b/fs/smb/client/sess.c
+@@ -732,6 +732,22 @@ unicode_oslm_strings(char **pbcc_area, const struct nls_table *nls_cp)
+ *pbcc_area = bcc_ptr;
+ }
+
++static void
++ascii_oslm_strings(char **pbcc_area, const struct nls_table *nls_cp)
++{
++ char *bcc_ptr = *pbcc_area;
++
++ strcpy(bcc_ptr, "Linux version ");
++ bcc_ptr += strlen("Linux version ");
++ strcpy(bcc_ptr, init_utsname()->release);
++ bcc_ptr += strlen(init_utsname()->release) + 1;
++
++ strcpy(bcc_ptr, CIFS_NETWORK_OPSYS);
++ bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + 1;
++
++ *pbcc_area = bcc_ptr;
++}
++
+ static void unicode_domain_string(char **pbcc_area, struct cifs_ses *ses,
+ const struct nls_table *nls_cp)
+ {
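Review bot: `ascii_oslm_strings()` writes with unbounded `strcpy()` and takes no remaining-length argument, and it is now reachable from two callers (ascii_ssetup_strings() and sess_auth_kerberos()) instead of one. The copied strings are kernel-provided, so the practical risk looks low, but the buffer-size assumption is documented nowhere; the only hint is the `/* BB check for overflow here */` comment left behind in the caller. A header comment on the helper stating the maximum number of bytes it can append and that the caller must have reserved them would make the contract checkable. The `nls_cp` parameter is unused both here and in `ascii_domain_string()` in the next hunk; if it exists only to mirror the unicode variants, say so in the same comment.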
+@@ -756,6 +772,25 @@ static void unicode_domain_string(char **pbcc_area, struct cifs_ses *ses,
+ *pbcc_area = bcc_ptr;
+ }
+
++static void ascii_domain_string(char **pbcc_area, struct cifs_ses *ses,
++ const struct nls_table *nls_cp)
++{
++ char *bcc_ptr = *pbcc_area;
++ int len;
++
++ /* copy domain */
++ if (ses->domainName != NULL) {
++ len = strscpy(bcc_ptr, ses->domainName, CIFS_MAX_DOMAINNAME_LEN);
++ if (WARN_ON_ONCE(len < 0))
++ len = CIFS_MAX_DOMAINNAME_LEN - 1;
++ bcc_ptr += len;
++ } /* else we send a null domain name so server will default to its own domain */
++ *bcc_ptr = 0;
++ bcc_ptr++;
++
++ *pbcc_area = bcc_ptr;
++}
++
+ static void unicode_ssetup_strings(char **pbcc_area, struct cifs_ses *ses,
+ const struct nls_table *nls_cp)
+ {
+@@ -801,25 +836,10 @@ static void ascii_ssetup_strings(char **pbcc_area, struct cifs_ses *ses,
+ *bcc_ptr = 0;
+ bcc_ptr++; /* account for null termination */
+
+- /* copy domain */
+- if (ses->domainName != NULL) {
+- len = strscpy(bcc_ptr, ses->domainName, CIFS_MAX_DOMAINNAME_LEN);
+- if (WARN_ON_ONCE(len < 0))
+- len = CIFS_MAX_DOMAINNAME_LEN - 1;
+- bcc_ptr += len;
+- } /* else we send a null domain name so server will default to its own domain */
+- *bcc_ptr = 0;
+- bcc_ptr++;
+-
+ /* BB check for overflow here */
+
+- strcpy(bcc_ptr, "Linux version ");
+- bcc_ptr += strlen("Linux version ");
+- strcpy(bcc_ptr, init_utsname()->release);
+- bcc_ptr += strlen(init_utsname()->release) + 1;
+-
+- strcpy(bcc_ptr, CIFS_NETWORK_OPSYS);
+- bcc_ptr += strlen(CIFS_NETWORK_OPSYS) + 1;
++ ascii_domain_string(&bcc_ptr, ses, nls_cp);
++ ascii_oslm_strings(&bcc_ptr, nls_cp);
+
+ *pbcc_area = bcc_ptr;
+ }
+@@ -1622,7 +1642,7 @@ sess_auth_kerberos(struct sess_data *sess_data)
+ sess_data->iov[1].iov_len = msg->secblob_len;
+ pSMB->req.SecurityBlobLength = cpu_to_le16(sess_data->iov[1].iov_len);
+
+- if (ses->capabilities & CAP_UNICODE) {
++ if (pSMB->req.hdr.Flags2 & SMBFLG2_UNICODE) {
+ /* unicode strings must be word aligned */
+ if (!IS_ALIGNED(sess_data->iov[0].iov_len + sess_data->iov[1].iov_len, 2)) {
+ *bcc_ptr = 0;
+@@ -1631,8 +1651,8 @@ sess_auth_kerberos(struct sess_data *sess_data)
+ unicode_oslm_strings(&bcc_ptr, sess_data->nls_cp);
+ unicode_domain_string(&bcc_ptr, ses, sess_data->nls_cp);
+ } else {
+- /* BB: is this right? */
+- ascii_ssetup_strings(&bcc_ptr, ses, sess_data->nls_cp);
++ ascii_oslm_strings(&bcc_ptr, sess_data->nls_cp);
++ ascii_domain_string(&bcc_ptr, ses, sess_data->nls_cp);
+ }
+
+ sess_data->iov[2].iov_len = (long) bcc_ptr -
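Review bot: The non-UNICODE Kerberos path now emits the oslm strings before the domain string, while ascii_ssetup_strings() (earlier hunk) emits the domain first and the oslm strings second. The commit message implies the Kerberos order mirrors the UNICODE branch just above, but the code does not say so, and the removed `/* BB: is this right? */` leaves no trace of the reasoning. A one-line comment in the `else` branch, e.g. `/* same field order as the UNICODE case: oslm strings, then domain */`, would keep the two orders from being "unified" by mistake. sess_auth_kerberos() begins and ends outside this hunk.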
+--
+2.39.5
+
--- /dev/null
+From 3cd0e3700a0ef54d1c40cd26124e4137201b648b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Dec 2024 17:12:09 +0100
+Subject: cifs: Fix querying of WSL CHR and BLK reparse points over SMB1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit ef86ab131d9127dfbfa8f06e12441d05fdfb090b ]
+
+When reparse point in SMB1 query_path_info() callback was detected then
+query also for EA $LXDEV. In this EA are stored device major and minor
+numbers used by WSL CHR and BLK reparse points. Without major and minor
+numbers, stat() syscall does not work for char and block devices.
+
+Similar code is already in SMB2+ query_path_info() callback function.
+
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/client/smb1ops.c | 36 ++++++++++++++++++++++++++++++++++++
+ 1 file changed, 36 insertions(+)
+
+diff --git a/fs/smb/client/smb1ops.c b/fs/smb/client/smb1ops.c
+index bc1bac36c1b29..caa1d852ece49 100644
+--- a/fs/smb/client/smb1ops.c
++++ b/fs/smb/client/smb1ops.c
+@@ -597,6 +597,42 @@ static int cifs_query_path_info(const unsigned int xid,
+ CIFSSMBClose(xid, tcon, fid.netfid);
+ }
+
++#ifdef CONFIG_CIFS_XATTR
++ /*
++ * For WSL CHR and BLK reparse points it is required to fetch
++ * EA $LXDEV which contains major and minor device numbers.
++ */
++ if (!rc && data->reparse_point) {
++ struct smb2_file_full_ea_info *ea;
++
++ ea = (struct smb2_file_full_ea_info *)data->wsl.eas;
++ rc = CIFSSMBQAllEAs(xid, tcon, full_path, SMB2_WSL_XATTR_DEV,
++ &ea->ea_data[SMB2_WSL_XATTR_NAME_LEN + 1],
++ SMB2_WSL_XATTR_DEV_SIZE, cifs_sb);
++ if (rc == SMB2_WSL_XATTR_DEV_SIZE) {
++ ea->next_entry_offset = cpu_to_le32(0);
++ ea->flags = 0;
++ ea->ea_name_length = SMB2_WSL_XATTR_NAME_LEN;
++ ea->ea_value_length = cpu_to_le16(SMB2_WSL_XATTR_DEV_SIZE);
++ memcpy(&ea->ea_data[0], SMB2_WSL_XATTR_DEV, SMB2_WSL_XATTR_NAME_LEN + 1);
++ data->wsl.eas_len = sizeof(*ea) + SMB2_WSL_XATTR_NAME_LEN + 1 +
++ SMB2_WSL_XATTR_DEV_SIZE;
++ rc = 0;
++ } else if (rc >= 0) {
++ /* It is an error if EA $LXDEV has wrong size. */
++ rc = -EINVAL;
++ } else {
++ /*
++ * In all other cases ignore error if fetching
++ * of EA $LXDEV failed. It is needed only for
++ * WSL CHR and BLK reparse points and wsl_to_fattr()
++ * handle the case when EA is missing.
++ */
++ rc = 0;
++ }
++ }
++#endif
++
+ return rc;
+ }
+
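Review bot: The EA value is written at `&ea->ea_data[SMB2_WSL_XATTR_NAME_LEN + 1]` inside `data->wsl.eas` and `eas_len` is then set to `sizeof(*ea) + SMB2_WSL_XATTR_NAME_LEN + 1 + SMB2_WSL_XATTR_DEV_SIZE`, but nothing visible checks that the `eas` buffer is at least that large. Its declaration is outside the hunk, so this may already hold; a compile-time size assertion next to the cast would make it certain. The final `else` also maps every negative return from `CIFSSMBQAllEAs()` to success, not just the EA being absent, so allocation or transport failures are silently treated as "no $LXDEV". Clearing only the "not found / not supported" codes and propagating the rest would keep real errors visible. Note that `rc` briefly holds a positive length rather than an error code; a separate local for the EA size would read more clearly.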
+--
+2.39.5
+
--- /dev/null
+From 4e7449deba07b35e1636ccdff248424b4b286d17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 22 Feb 2025 23:37:33 +0100
+Subject: clk: check for disabled clock-provider in
+ of_clk_get_hw_from_clkspec()
+
+From: Heiko Stuebner <heiko@sntech.de>
+
+[ Upstream commit b20150d499b3ee5c2d632fbc5ac94f98dd33accf ]
+
+of_clk_get_hw_from_clkspec() checks all available clock-providers by
+comparing their of nodes to the one from the clkspec. If no matching
+clock provider is found, the function returns -EPROBE_DEFER to cause a
+re-check at a later date. If a matching clock provider is found, an
+authoritative answer can be retrieved from it whether the clock exists
+or not.
+
+This does not take into account that the clock-provider may never
+appear, because it's node is disabled. This can happen when a clock is
+optional, provided by a separate block which never gets enabled.
+
+One example of this happening is the rk3588's VOP, which has optional
+additional display clocks coming from PLLs inside the hdmiphy blocks.
+These can be used for better rates, but the system will also work
+without them.
+
+The problem around that is described in the followups to[1]. As we
+already know the of node of the presumed clock provider, add a check via
+of_device_is_available() whether this is a "valid" device node. This
+prevents eternal defer loops.
+
+Link: https://lore.kernel.org/dri-devel/20250215-vop2-hdmi1-disp-modes-v1-3-81962a7151d6@collabora.com/ [1]
+Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Tested-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://lore.kernel.org/r/20250222223733.2990179-1-heiko@sntech.de
+[sboyd@kernel.org: Reword commit text a bit]
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/clk.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/clk/clk.c b/drivers/clk/clk.c
+index 5bbd036f5295f..8474099e2cac1 100644
+--- a/drivers/clk/clk.c
++++ b/drivers/clk/clk.c
+@@ -5216,6 +5216,10 @@ of_clk_get_hw_from_clkspec(struct of_phandle_args *clkspec)
+ if (!clkspec)
+ return ERR_PTR(-EINVAL);
+
++ /* Check if node in clkspec is in disabled/fail state */
++ if (!of_device_is_available(clkspec->np))
++ return ERR_PTR(-ENOENT);
++
+ mutex_lock(&of_clk_mutex);
+ list_for_each_entry(provider, &of_clk_providers, link) {
+ if (provider->node == clkspec->np) {
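Review bot: The added comment says what is checked but not why the result is `-ENOENT` rather than the `-EPROBE_DEFER` the function otherwise uses for a provider that has not registered. Something like `/* A disabled provider never registers; return -ENOENT so consumers stop deferring */` would record the intent at the point of the decision. It is also worth confirming how `of_device_is_available()` treats a NULL `clkspec->np`: if it reports "not available", such a clkspec now gets `-ENOENT` here instead of falling through to the provider loop. The function continues outside this hunk.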
+--
+2.39.5
+
--- /dev/null
+From 60a8ac4ce16a00ce40db2e242da88e3a98e1ffe4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Feb 2025 03:41:52 +0530
+Subject: crypto: ccp - Add support for PCI device 0x1134
+
+From: Devaraj Rangasamy <Devaraj.Rangasamy@amd.com>
+
+[ Upstream commit 6cb345939b8cc4be79909875276aa9dc87d16757 ]
+
+PCI device 0x1134 shares same register features as PCI device 0x17E0.
+Hence reuse same data for the new PCI device ID 0x1134.
+
+Signed-off-by: Devaraj Rangasamy <Devaraj.Rangasamy@amd.com>
+Acked-by: Tom Lendacky <thomas.lendacky@amd.com>
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/ccp/sp-pci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/crypto/ccp/sp-pci.c b/drivers/crypto/ccp/sp-pci.c
+index 0caa57dafc525..b1e60542351a6 100644
+--- a/drivers/crypto/ccp/sp-pci.c
++++ b/drivers/crypto/ccp/sp-pci.c
+@@ -577,6 +577,7 @@ static const struct pci_device_id sp_pci_table[] = {
+ { PCI_VDEVICE(AMD, 0x14CA), (kernel_ulong_t)&dev_vdata[5] },
+ { PCI_VDEVICE(AMD, 0x15C7), (kernel_ulong_t)&dev_vdata[6] },
+ { PCI_VDEVICE(AMD, 0x1649), (kernel_ulong_t)&dev_vdata[6] },
++ { PCI_VDEVICE(AMD, 0x1134), (kernel_ulong_t)&dev_vdata[7] },
+ { PCI_VDEVICE(AMD, 0x17E0), (kernel_ulong_t)&dev_vdata[7] },
+ { PCI_VDEVICE(AMD, 0x156E), (kernel_ulong_t)&dev_vdata[8] },
+ /* Last entry must be zero */
+--
+2.39.5
+
--- /dev/null
+From 0ac21b189ad1073044aa65caa8955c8a3ac2f66a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Feb 2025 14:10:07 +0800
+Subject: crypto: null - Use spin lock instead of mutex
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit dcc47a028c24e793ce6d6efebfef1a1e92f80297 ]
+
+As the null algorithm may be freed in softirq context through
+af_alg, use spin locks instead of mutexes to protect the default
+null algorithm.
+
+Reported-by: syzbot+b3e02953598f447d4d2a@syzkaller.appspotmail.com
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/crypto_null.c | 39 ++++++++++++++++++++++++++-------------
+ 1 file changed, 26 insertions(+), 13 deletions(-)
+
+diff --git a/crypto/crypto_null.c b/crypto/crypto_null.c
+index 5b84b0f7cc178..3378670286535 100644
+--- a/crypto/crypto_null.c
++++ b/crypto/crypto_null.c
+@@ -17,10 +17,10 @@
+ #include <crypto/internal/skcipher.h>
+ #include <linux/init.h>
+ #include <linux/module.h>
+-#include <linux/mm.h>
++#include <linux/spinlock.h>
+ #include <linux/string.h>
+
+-static DEFINE_MUTEX(crypto_default_null_skcipher_lock);
++static DEFINE_SPINLOCK(crypto_default_null_skcipher_lock);
+ static struct crypto_sync_skcipher *crypto_default_null_skcipher;
+ static int crypto_default_null_skcipher_refcnt;
+
+@@ -152,23 +152,32 @@ MODULE_ALIAS_CRYPTO("cipher_null");
+
+ struct crypto_sync_skcipher *crypto_get_default_null_skcipher(void)
+ {
++ struct crypto_sync_skcipher *ntfm = NULL;
+ struct crypto_sync_skcipher *tfm;
+
+- mutex_lock(&crypto_default_null_skcipher_lock);
++ spin_lock_bh(&crypto_default_null_skcipher_lock);
+ tfm = crypto_default_null_skcipher;
+
+ if (!tfm) {
+- tfm = crypto_alloc_sync_skcipher("ecb(cipher_null)", 0, 0);
+- if (IS_ERR(tfm))
+- goto unlock;
+-
+- crypto_default_null_skcipher = tfm;
++ spin_unlock_bh(&crypto_default_null_skcipher_lock);
++
++ ntfm = crypto_alloc_sync_skcipher("ecb(cipher_null)", 0, 0);
++ if (IS_ERR(ntfm))
++ return ntfm;
++
++ spin_lock_bh(&crypto_default_null_skcipher_lock);
++ tfm = crypto_default_null_skcipher;
++ if (!tfm) {
++ tfm = ntfm;
++ ntfm = NULL;
++ crypto_default_null_skcipher = tfm;
++ }
+ }
+
+ crypto_default_null_skcipher_refcnt++;
++ spin_unlock_bh(&crypto_default_null_skcipher_lock);
+
+-unlock:
+- mutex_unlock(&crypto_default_null_skcipher_lock);
++ crypto_free_sync_skcipher(ntfm);
+
+ return tfm;
+ }
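Review bot: The unlock, allocate, relock sequence in crypto_get_default_null_skcipher() carries no comment saying why the lock is dropped or why `crypto_default_null_skcipher` is read a second time, and that is the part a later cleanup is most likely to break. A short comment before the allocation would do, for example `/* The allocation may sleep, so drop the spinlock and re-check the default after retaking it; a losing racer frees its own ntfm below. */`. Both this function and crypto_put_default_null_skcipher() in the next hunk now call `crypto_free_sync_skcipher()` with a pointer that is NULL on the common path, so the change depends on that free being NULL-tolerant. That is not visible in this patch and is worth confirming for the tree being patched.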
+@@ -176,12 +185,16 @@ EXPORT_SYMBOL_GPL(crypto_get_default_null_skcipher);
+
+ void crypto_put_default_null_skcipher(void)
+ {
+- mutex_lock(&crypto_default_null_skcipher_lock);
++ struct crypto_sync_skcipher *tfm = NULL;
++
++ spin_lock_bh(&crypto_default_null_skcipher_lock);
+ if (!--crypto_default_null_skcipher_refcnt) {
+- crypto_free_sync_skcipher(crypto_default_null_skcipher);
++ tfm = crypto_default_null_skcipher;
+ crypto_default_null_skcipher = NULL;
+ }
+- mutex_unlock(&crypto_default_null_skcipher_lock);
++ spin_unlock_bh(&crypto_default_null_skcipher_lock);
++
++ crypto_free_sync_skcipher(tfm);
+ }
+ EXPORT_SYMBOL_GPL(crypto_put_default_null_skcipher);
+
+--
+2.39.5
+
--- /dev/null
+From c784dd03fc295f5c8fb999fc64e5d227eb052ab8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Mar 2025 15:00:06 -0800
+Subject: dmaengine: dmatest: Fix dmatest waiting less when interrupted
+
+From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+
+[ Upstream commit e87ca16e99118ab4e130a41bdf12abbf6a87656c ]
+
+Change the "wait for operation finish" logic to take interrupts into
+account.
+
+When using dmatest with idxd DMA engine, it's possible that during
+longer tests, the interrupt notifying the finish of an operation
+happens during wait_event_freezable_timeout(), which causes dmatest to
+cleanup all the resources, some of which might still be in use.
+
+This fix ensures that the wait logic correctly handles interrupts,
+preventing premature cleanup of resources.
+
+Reported-by: kernel test robot <oliver.sang@intel.com>
+Closes: https://lore.kernel.org/oe-lkp/202502171134.8c403348-lkp@intel.com
+Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Link: https://lore.kernel.org/r/20250305230007.590178-1-vinicius.gomes@intel.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/dmatest.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/dma/dmatest.c b/drivers/dma/dmatest.c
+index ffe621695e472..78b8a97b23637 100644
+--- a/drivers/dma/dmatest.c
++++ b/drivers/dma/dmatest.c
+@@ -827,9 +827,9 @@ static int dmatest_func(void *data)
+ } else {
+ dma_async_issue_pending(chan);
+
+- wait_event_freezable_timeout(thread->done_wait,
+- done->done,
+- msecs_to_jiffies(params->timeout));
++ wait_event_timeout(thread->done_wait,
++ done->done,
++ msecs_to_jiffies(params->timeout));
+
+ status = dma_async_is_tx_complete(chan, cookie, NULL,
+ NULL);
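Review bot: The switch to `wait_event_timeout()` at the wait in dmatest_func() is not explained in the code, and the freezable variant looks like the natural choice for a test thread, so it is likely to be changed back. A comment above the call would keep the reason next to it, for example `/* Not freezable: an early wake-up here leads to cleanup of resources that may still be in use. */`. The return value of the wait is still discarded, so the code after the hunk has to decide from `done->done` and the transfer status whether the operation finished. dmatest_func() starts and ends outside this hunk, so that part is not visible here.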
+--
+2.39.5
+
--- /dev/null
+From 57ada02f907da36dec163db7836bbc4a5108511e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Mar 2025 11:54:52 +0530
+Subject: ext4: make block validity check resistent to sb bh corruption
+
+From: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+
+[ Upstream commit ccad447a3d331a239477c281533bacb585b54a98 ]
+
+Block validity checks need to be skipped in case they are called
+for journal blocks since they are part of system's protected
+zone.
+
+Currently, this is done by checking inode->ino against
+sbi->s_es->s_journal_inum, which is a direct read from the ext4 sb
+buffer head. If someone modifies this underneath us then the
+s_journal_inum field might get corrupted. To prevent against this,
+change the check to directly compare the inode with journal->j_inode.
+
+**Slight change in behavior**: During journal init path,
+check_block_validity etc might be called for journal inode when
+sbi->s_journal is not set yet. In this case we now proceed with
+ext4_inode_block_valid() instead of returning early. Since systems zones
+have not been set yet, it is okay to proceed so we can perform basic
+checks on the blocks.
+
+Suggested-by: Baokun Li <libaokun1@huawei.com>
+Reviewed-by: Baokun Li <libaokun1@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
+Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+Link: https://patch.msgid.link/0c06bc9ebfcd6ccfed84a36e79147bf45ff5adc1.1743142920.git.ojaswin@linux.ibm.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/block_validity.c | 5 ++---
+ fs/ext4/inode.c | 7 ++++---
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/fs/ext4/block_validity.c b/fs/ext4/block_validity.c
+index 6fe3c941b5651..4d6ba140276b5 100644
+--- a/fs/ext4/block_validity.c
++++ b/fs/ext4/block_validity.c
+@@ -351,10 +351,9 @@ int ext4_check_blockref(const char *function, unsigned int line,
+ {
+ __le32 *bref = p;
+ unsigned int blk;
++ journal_t *journal = EXT4_SB(inode->i_sb)->s_journal;
+
+- if (ext4_has_feature_journal(inode->i_sb) &&
+- (inode->i_ino ==
+- le32_to_cpu(EXT4_SB(inode->i_sb)->s_es->s_journal_inum)))
++ if (journal && inode == journal->j_inode)
+ return 0;
+
+ while (bref < p+max) {
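Review bot: The new journal check `if (journal && inode == journal->j_inode)` is repeated verbatim in ext4_check_blockref() here and in __check_block_validity() in the fs/ext4/inode.c hunk, and neither copy says why the in-memory journal is used. A one-line comment at each site would record it, for example `/* Compare with the in-memory journal inode; s_journal_inum is read from the sb buffer, which can be modified underneath us. */`. The commit message also notes that block validation now runs for the journal inode while `s_journal` is still unset. That is worth stating at the check too, since a reader will otherwise take the NULL test for a plain guard. Both functions extend beyond their hunks.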
+diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
+index ddfeaf19bff1b..f2b60fb0b937b 100644
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -378,10 +378,11 @@ static int __check_block_validity(struct inode *inode, const char *func,
+ unsigned int line,
+ struct ext4_map_blocks *map)
+ {
+- if (ext4_has_feature_journal(inode->i_sb) &&
+- (inode->i_ino ==
+- le32_to_cpu(EXT4_SB(inode->i_sb)->s_es->s_journal_inum)))
++ journal_t *journal = EXT4_SB(inode->i_sb)->s_journal;
++
++ if (journal && inode == journal->j_inode)
+ return 0;
++
+ if (!ext4_inode_block_valid(inode, map->m_pblk, map->m_len)) {
+ ext4_error_inode(inode, func, line, map->m_pblk,
+ "lblock %lu mapped to illegal pblock %llu "
+--
+2.39.5
+
--- /dev/null
+From eb9e122dd104f6bccc9799d5f91c1d0690bded3b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2024 20:16:38 +0800
+Subject: fs/ntfs3: Fix WARNING in ntfs_extend_initialized_size
+
+From: Edward Adam Davis <eadavis@qq.com>
+
+[ Upstream commit ff355926445897cc9fdea3b00611e514232c213c ]
+
+Syzbot reported a WARNING in ntfs_extend_initialized_size.
+The data type of in->i_valid and to is u64 in ntfs_file_mmap().
+If their values are greater than LLONG_MAX, overflow will occur because
+the data types of the parameters valid and new_valid corresponding to
+the function ntfs_extend_initialized_size() are loff_t.
+
+Before calling ntfs_extend_initialized_size() in the ntfs_file_mmap(),
+the "ni->i_valid < to" has been determined, so the same WARN_ON determination
+is not required in ntfs_extend_initialized_size().
+Just execute the ntfs_extend_initialized_size() in ntfs_extend() to make
+a WARN_ON check.
+
+Reported-and-tested-by: syzbot+e37dd1dfc814b10caa55@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=e37dd1dfc814b10caa55
+Signed-off-by: Edward Adam Davis <eadavis@qq.com>
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ntfs3/file.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/ntfs3/file.c b/fs/ntfs3/file.c
+index 2ecd0303f9421..4aea458216117 100644
+--- a/fs/ntfs3/file.c
++++ b/fs/ntfs3/file.c
+@@ -335,6 +335,7 @@ static int ntfs_extend(struct inode *inode, loff_t pos, size_t count,
+ }
+
+ if (extend_init && !is_compressed(ni)) {
++ WARN_ON(ni->i_valid >= pos);
+ err = ntfs_extend_initialized_size(file, ni, ni->i_valid, pos);
+ if (err)
+ goto out;
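Review bot: The added `WARN_ON(ni->i_valid >= pos)` only reports the condition; ntfs_extend_initialized_size() is still called with the same arguments on the next line. If the condition can be reached from file-system state rather than only from a driver bug, bailing out would be safer, for example `if (WARN_ON(ni->i_valid >= pos)) { err = -EINVAL; goto out; }`, though whether `-EINVAL` is the right code depends on callers not shown here. The commit message says the check inside ntfs_extend_initialized_size() is no longer required, but the diffstat shows one insertion and no deletion, so it is not visible from this patch whether that callee check is gone in this tree. ntfs_extend() starts and ends outside the hunk.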
+--
+2.39.5
+
--- /dev/null
+From fad224141953a8c3d30b532e39c5cc32f5bdeb6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Apr 2025 15:20:01 +0300
+Subject: gpiolib: of: Move Atmel HSMCI quirk up out of the regulator comment
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit b8c7a1ac884cc267d1031f8de07f1a689a69fbab ]
+
+The regulator comment in of_gpio_set_polarity_by_property()
+made on top of a couple of the cases, while Atmel HSMCI quirk
+is not related to that. Make it clear by moving Atmel HSMCI
+quirk up out of the scope of the regulator comment.
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20250402122058.1517393-3-andriy.shevchenko@linux.intel.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpiolib-of.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpio/gpiolib-of.c b/drivers/gpio/gpiolib-of.c
+index cec9e8f29bbdf..a0a2a0f75bba4 100644
+--- a/drivers/gpio/gpiolib-of.c
++++ b/drivers/gpio/gpiolib-of.c
+@@ -247,6 +247,9 @@ static void of_gpio_set_polarity_by_property(const struct device_node *np,
+ { "fsl,imx8qm-fec", "phy-reset-gpios", "phy-reset-active-high" },
+ { "fsl,s32v234-fec", "phy-reset-gpios", "phy-reset-active-high" },
+ #endif
++#if IS_ENABLED(CONFIG_MMC_ATMELMCI)
++ { "atmel,hsmci", "cd-gpios", "cd-inverted" },
++#endif
+ #if IS_ENABLED(CONFIG_PCI_IMX6)
+ { "fsl,imx6q-pcie", "reset-gpio", "reset-gpio-active-high" },
+ { "fsl,imx6sx-pcie", "reset-gpio", "reset-gpio-active-high" },
+@@ -272,9 +275,6 @@ static void of_gpio_set_polarity_by_property(const struct device_node *np,
+ #if IS_ENABLED(CONFIG_REGULATOR_GPIO)
+ { "regulator-gpio", "enable-gpio", "enable-active-high" },
+ { "regulator-gpio", "enable-gpios", "enable-active-high" },
+-#endif
+-#if IS_ENABLED(CONFIG_MMC_ATMELMCI)
+- { "atmel,hsmci", "cd-gpios", "cd-inverted" },
+ #endif
+ };
+ unsigned int i;
+--
+2.39.5
+
--- /dev/null
+From 87d50819a8cc48eba0cfe2ecd16bfa24134ac72f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Apr 2025 08:11:58 -0700
+Subject: hardening: Disable GCC randstruct for COMPILE_TEST
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit f5c68a4e84f9feca3be578199ec648b676db2030 ]
+
+There is a GCC crash bug in the randstruct for latest GCC versions that
+is being tickled by landlock[1]. Temporarily disable GCC randstruct for
+COMPILE_TEST builds to unbreak CI systems for the coming -rc2. This can
+be restored once the bug is fixed.
+
+Suggested-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/all/20250407-kbuild-disable-gcc-plugins-v1-1-5d46ae583f5e@kernel.org/ [1]
+Acked-by: Mark Brown <broonie@kernel.org>
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20250409151154.work.872-kees@kernel.org
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/Kconfig.hardening | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
+index 2cff851ebfd7e..f1ba84812ab22 100644
+--- a/security/Kconfig.hardening
++++ b/security/Kconfig.hardening
+@@ -310,7 +310,7 @@ config CC_HAS_RANDSTRUCT
+
+ choice
+ prompt "Randomize layout of sensitive kernel structures"
+- default RANDSTRUCT_FULL if COMPILE_TEST && (GCC_PLUGINS || CC_HAS_RANDSTRUCT)
++ default RANDSTRUCT_FULL if COMPILE_TEST && CC_HAS_RANDSTRUCT
+ default RANDSTRUCT_NONE
+ help
+ If you enable this, the layouts of structures that are entirely
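Review bot: The changed `default RANDSTRUCT_FULL` line drops `GCC_PLUGINS` as a temporary workaround, but nothing in Kconfig.hardening records that, so the condition to restore is only findable through git history. A comment above the line would keep it visible, for example `# GCC_PLUGINS left out of this default until the GCC randstruct crash is fixed`. The scope is limited to the COMPILE_TEST default: the following `default RANDSTRUCT_NONE` line is unchanged, and as far as this hunk shows the option can still be chosen by hand. The choice block continues outside the hunk.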
+--
+2.39.5
+
--- /dev/null
+From f7c3ab002516d95516d77a6b5093a97679419255 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Apr 2025 12:29:30 +0100
+Subject: io_uring: always do atomic put from iowq
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+[ Upstream commit 390513642ee6763c7ada07f0a1470474986e6c1c ]
+
+io_uring always switches requests to atomic refcounting for iowq
+execution before there is any parallilism by setting REQ_F_REFCOUNT,
+and the flag is not cleared until the request completes. That should be
+fine as long as the compiler doesn't make up a non existing value for
+the flags, however KCSAN still complains when the request owner changes
+oter flag bits:
+
+BUG: KCSAN: data-race in io_req_task_cancel / io_wq_free_work
+...
+read to 0xffff888117207448 of 8 bytes by task 3871 on cpu 0:
+ req_ref_put_and_test io_uring/refs.h:22 [inline]
+
+Skip REQ_F_REFCOUNT checks for iowq, we know it's set.
+
+Reported-by: syzbot+903a2ad71fb3f1e47cf5@syzkaller.appspotmail.com
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://lore.kernel.org/r/d880bc27fb8c3209b54641be4ff6ac02b0e5789a.1743679736.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ io_uring/io_uring.c | 2 +-
+ io_uring/refs.h | 7 +++++++
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
+index 9883fd16cde44..3ce93418e0151 100644
+--- a/io_uring/io_uring.c
++++ b/io_uring/io_uring.c
+@@ -1917,7 +1917,7 @@ struct io_wq_work *io_wq_free_work(struct io_wq_work *work)
+ struct io_kiocb *req = container_of(work, struct io_kiocb, work);
+ struct io_kiocb *nxt = NULL;
+
+- if (req_ref_put_and_test(req)) {
++ if (req_ref_put_and_test_atomic(req)) {
+ if (req->flags & IO_REQ_LINK_FLAGS)
+ nxt = io_req_find_next(req);
+ io_free_req(req);
+diff --git a/io_uring/refs.h b/io_uring/refs.h
+index 1336de3f2a30a..21a379b0f22d6 100644
+--- a/io_uring/refs.h
++++ b/io_uring/refs.h
+@@ -17,6 +17,13 @@ static inline bool req_ref_inc_not_zero(struct io_kiocb *req)
+ return atomic_inc_not_zero(&req->refs);
+ }
+
++static inline bool req_ref_put_and_test_atomic(struct io_kiocb *req)
++{
++ WARN_ON_ONCE(!(data_race(req->flags) & REQ_F_REFCOUNT));
++ WARN_ON_ONCE(req_ref_zero_or_close_to_overflow(req));
++ return atomic_dec_and_test(&req->refs);
++}
++
+ static inline bool req_ref_put_and_test(struct io_kiocb *req)
+ {
+ if (likely(!(req->flags & REQ_F_REFCOUNT)))
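Review bot: The `data_race()` annotation in the new req_ref_put_and_test_atomic() has no comment, and an unexplained data_race() reads as a silenced report rather than a reasoned one. A comment above the helper would carry the argument from the commit message, for example `/* io-wq only: REQ_F_REFCOUNT is set before the request is handed over and is not cleared until completion, so the racy flags read is just a sanity check. */`. The first `WARN_ON_ONCE` also does not stop the `atomic_dec_and_test()` when the flag is missing, so a caller outside io-wq would still decrement `req->refs`; stating the io-wq restriction in the comment is the cheap guard against that. req_ref_put_and_test() below the new helper continues outside the hunk.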
+--
+2.39.5
+
--- /dev/null
+From 179173c46642f545531cbc58dd56c5678bea3d69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Apr 2025 15:12:36 +0800
+Subject: iomap: skip unnecessary ifs_block_is_uptodate check
+
+From: Gou Hao <gouhao@uniontech.com>
+
+[ Upstream commit 8e3c15ee0d292c413c66fe10201d1b035a0bea72 ]
+
+In iomap_adjust_read_range, i is either the first !uptodate block, or it
+is past last for the second loop looking for trailing uptodate blocks.
+Assuming there's no overflow (there's no combination of huge folios and
+tiny blksize) then yeah, there is no point in retesting that the same
+block pointed to by i is uptodate since we hold the folio lock so nobody
+else could have set it uptodate.
+
+Signed-off-by: Gou Hao <gouhao@uniontech.com>
+Link: https://lore.kernel.org/20250410071236.16017-1-gouhao@uniontech.com
+Reviewed-by: "Darrick J. Wong" <djwong@kernel.org>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Suggested-by: Christoph Hellwig <hch@infradead.org>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/iomap/buffered-io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/iomap/buffered-io.c b/fs/iomap/buffered-io.c
+index e7e6701806ad2..7ffdf0d037fae 100644
+--- a/fs/iomap/buffered-io.c
++++ b/fs/iomap/buffered-io.c
+@@ -224,7 +224,7 @@ static void iomap_adjust_read_range(struct inode *inode, struct folio *folio,
+ }
+
+ /* truncate len if we find any trailing uptodate block(s) */
+- for ( ; i <= last; i++) {
++ while (++i <= last) {
+ if (ifs_block_is_uptodate(ifs, i)) {
+ plen -= (last - i + 1) * block_size;
+ last = i - 1;
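Review bot: The rewritten loop `while (++i <= last)` skips the block `i` points at on entry, which is only right because the preceding loop leaves `i` on the first block that is not uptodate, or past `last`. That invariant is established outside this hunk and the comment above the loop does not mention it. Extending the comment would make the pre-increment safe to read, for example `/* i is the first !uptodate block (or past last) and the folio is locked, so start at the next block */`. The commit message's own caveat about overflow is not checked anywhere in the visible lines. iomap_adjust_read_range() starts and ends outside the hunk.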
+--
+2.39.5
+
--- /dev/null
+From 0de903f8525825a321d06cb007335c3b012fcd6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Feb 2025 14:13:57 +0100
+Subject: KVM: s390: Don't use %pK through debug printing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
+
+[ Upstream commit 0c7fbae5bc782429c97d68dc40fb126748d7e352 ]
+
+Restricted pointers ("%pK") are only meant to be used when directly
+printing to a file from task context.
+Otherwise it can unintentionally expose security sensitive,
+raw pointer values.
+
+Use regular pointer formatting instead.
+
+Link: https://lore.kernel.org/lkml/20250113171731-dc10e3c1-da64-4af0-b767-7c7070468023@linutronix.de/
+Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
+Reviewed-by: Michael Mueller <mimu@linux.ibm.com>
+Tested-by: Michael Mueller <mimu@linux.ibm.com>
+Link: https://lore.kernel.org/r/20250217-restricted-pointers-s390-v1-2-0e4ace75d8aa@linutronix.de
+Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
+Message-ID: <20250217-restricted-pointers-s390-v1-2-0e4ace75d8aa@linutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kvm/intercept.c | 2 +-
+ arch/s390/kvm/interrupt.c | 8 ++++----
+ arch/s390/kvm/kvm-s390.c | 10 +++++-----
+ 3 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/arch/s390/kvm/intercept.c b/arch/s390/kvm/intercept.c
+index b16352083ff98..f0be263b334ce 100644
+--- a/arch/s390/kvm/intercept.c
++++ b/arch/s390/kvm/intercept.c
+@@ -94,7 +94,7 @@ static int handle_validity(struct kvm_vcpu *vcpu)
+
+ vcpu->stat.exit_validity++;
+ trace_kvm_s390_intercept_validity(vcpu, viwhy);
+- KVM_EVENT(3, "validity intercept 0x%x for pid %u (kvm 0x%pK)", viwhy,
++ KVM_EVENT(3, "validity intercept 0x%x for pid %u (kvm 0x%p)", viwhy,
+ current->pid, vcpu->kvm);
+
+ /* do not warn on invalid runtime instrumentation mode */
+diff --git a/arch/s390/kvm/interrupt.c b/arch/s390/kvm/interrupt.c
+index efaebba5ee19c..fe4841104ed92 100644
+--- a/arch/s390/kvm/interrupt.c
++++ b/arch/s390/kvm/interrupt.c
+@@ -3161,7 +3161,7 @@ void kvm_s390_gisa_clear(struct kvm *kvm)
+ if (!gi->origin)
+ return;
+ gisa_clear_ipm(gi->origin);
+- VM_EVENT(kvm, 3, "gisa 0x%pK cleared", gi->origin);
++ VM_EVENT(kvm, 3, "gisa 0x%p cleared", gi->origin);
+ }
+
+ void kvm_s390_gisa_init(struct kvm *kvm)
+@@ -3178,7 +3178,7 @@ void kvm_s390_gisa_init(struct kvm *kvm)
+ gi->timer.function = gisa_vcpu_kicker;
+ memset(gi->origin, 0, sizeof(struct kvm_s390_gisa));
+ gi->origin->next_alert = (u32)virt_to_phys(gi->origin);
+- VM_EVENT(kvm, 3, "gisa 0x%pK initialized", gi->origin);
++ VM_EVENT(kvm, 3, "gisa 0x%p initialized", gi->origin);
+ }
+
+ void kvm_s390_gisa_enable(struct kvm *kvm)
+@@ -3219,7 +3219,7 @@ void kvm_s390_gisa_destroy(struct kvm *kvm)
+ process_gib_alert_list();
+ hrtimer_cancel(&gi->timer);
+ gi->origin = NULL;
+- VM_EVENT(kvm, 3, "gisa 0x%pK destroyed", gisa);
++ VM_EVENT(kvm, 3, "gisa 0x%p destroyed", gisa);
+ }
+
+ void kvm_s390_gisa_disable(struct kvm *kvm)
+@@ -3468,7 +3468,7 @@ int __init kvm_s390_gib_init(u8 nisc)
+ }
+ }
+
+- KVM_EVENT(3, "gib 0x%pK (nisc=%d) initialized", gib, gib->nisc);
++ KVM_EVENT(3, "gib 0x%p (nisc=%d) initialized", gib, gib->nisc);
+ goto out;
+
+ out_unreg_gal:
+diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
+index 348d030d2660c..890d850f51f07 100644
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -990,7 +990,7 @@ static int kvm_s390_set_mem_control(struct kvm *kvm, struct kvm_device_attr *att
+ }
+ mutex_unlock(&kvm->lock);
+ VM_EVENT(kvm, 3, "SET: max guest address: %lu", new_limit);
+- VM_EVENT(kvm, 3, "New guest asce: 0x%pK",
++ VM_EVENT(kvm, 3, "New guest asce: 0x%p",
+ (void *) kvm->arch.gmap->asce);
+ break;
+ }
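Review bot: In the `"New guest asce: 0x%p"` event the argument is `kvm->arch.gmap->asce` cast to `void *`, so it is formatted as a pointer although the cast suggests it is an integer value rather than a kernel pointer. With plain `%p` the printed value is hashed by default, which leaves this debug line with little diagnostic content. It would be clearer to decide explicitly: drop the line if the value is not needed, or, if recording it in the debug log is judged acceptable, print it with an integer format and say so in a comment. The other `%pK` to `%p` replacements in this patch pass real pointers and do not raise this question. kvm_s390_set_mem_control() starts and ends outside the hunk.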
+@@ -3418,7 +3418,7 @@ int kvm_arch_init_vm(struct kvm *kvm, unsigned long type)
+ kvm_s390_gisa_init(kvm);
+ INIT_LIST_HEAD(&kvm->arch.pv.need_cleanup);
+ kvm->arch.pv.set_aside = NULL;
+- KVM_EVENT(3, "vm 0x%pK created by pid %u", kvm, current->pid);
++ KVM_EVENT(3, "vm 0x%p created by pid %u", kvm, current->pid);
+
+ return 0;
+ out_err:
+@@ -3481,7 +3481,7 @@ void kvm_arch_destroy_vm(struct kvm *kvm)
+ kvm_s390_destroy_adapters(kvm);
+ kvm_s390_clear_float_irqs(kvm);
+ kvm_s390_vsie_destroy(kvm);
+- KVM_EVENT(3, "vm 0x%pK destroyed", kvm);
++ KVM_EVENT(3, "vm 0x%p destroyed", kvm);
+ }
+
+ /* Section: vcpu related */
+@@ -3602,7 +3602,7 @@ static int sca_switch_to_extended(struct kvm *kvm)
+
+ free_page((unsigned long)old_sca);
+
+- VM_EVENT(kvm, 2, "Switched to ESCA (0x%pK -> 0x%pK)",
++ VM_EVENT(kvm, 2, "Switched to ESCA (0x%p -> 0x%p)",
+ old_sca, kvm->arch.sca);
+ return 0;
+ }
+@@ -3974,7 +3974,7 @@ int kvm_arch_vcpu_create(struct kvm_vcpu *vcpu)
+ goto out_free_sie_block;
+ }
+
+- VM_EVENT(vcpu->kvm, 3, "create cpu %d at 0x%pK, sie block at 0x%pK",
++ VM_EVENT(vcpu->kvm, 3, "create cpu %d at 0x%p, sie block at 0x%p",
+ vcpu->vcpu_id, vcpu, vcpu->arch.sie_block);
+ trace_kvm_s390_create_vcpu(vcpu->vcpu_id, vcpu, vcpu->arch.sie_block);
+
+--
+2.39.5
+
--- /dev/null
+From c68dccfe011969155b19efbe6d9964cde23dc61d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Feb 2025 14:13:56 +0100
+Subject: KVM: s390: Don't use %pK through tracepoints
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
+
+[ Upstream commit 6c9567e0850be2f0f94ab64fa6512413fd1a1eb1 ]
+
+Restricted pointers ("%pK") are not meant to be used through TP_format().
+It can unintentionally expose security sensitive, raw pointer values.
+
+Use regular pointer formatting instead.
+
+Link: https://lore.kernel.org/lkml/20250113171731-dc10e3c1-da64-4af0-b767-7c7070468023@linutronix.de/
+Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
+Reviewed-by: Michael Mueller <mimu@linux.ibm.com>
+Link: https://lore.kernel.org/r/20250217-restricted-pointers-s390-v1-1-0e4ace75d8aa@linutronix.de
+Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
+Message-ID: <20250217-restricted-pointers-s390-v1-1-0e4ace75d8aa@linutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kvm/trace-s390.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/s390/kvm/trace-s390.h b/arch/s390/kvm/trace-s390.h
+index 6f0209d45164f..9c5f546a2e1a3 100644
+--- a/arch/s390/kvm/trace-s390.h
++++ b/arch/s390/kvm/trace-s390.h
+@@ -56,7 +56,7 @@ TRACE_EVENT(kvm_s390_create_vcpu,
+ __entry->sie_block = sie_block;
+ ),
+
+- TP_printk("create cpu %d at 0x%pK, sie block at 0x%pK",
++ TP_printk("create cpu %d at 0x%p, sie block at 0x%p",
+ __entry->id, __entry->vcpu, __entry->sie_block)
+ );
+
+@@ -255,7 +255,7 @@ TRACE_EVENT(kvm_s390_enable_css,
+ __entry->kvm = kvm;
+ ),
+
+- TP_printk("enabling channel I/O support (kvm @ %pK)\n",
++ TP_printk("enabling channel I/O support (kvm @ %p)\n",
+ __entry->kvm)
+ );
+
+--
+2.39.5
+
--- /dev/null
+From 531992ed367e748f6cd64df110bae60a477a75f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Apr 2025 11:01:59 +0800
+Subject: loop: aio inherit the ioprio of original request
+
+From: Yunlong Xing <yunlong.xing@unisoc.com>
+
+[ Upstream commit 1fdb8188c3d505452b40cdb365b1bb32be533a8e ]
+
+Set cmd->iocb.ki_ioprio to the ioprio of loop device's request.
+The purpose is to inherit the original request ioprio in the aio
+flow.
+
+Signed-off-by: Yunlong Xing <yunlong.xing@unisoc.com>
+Signed-off-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20250414030159.501180-1-yunlong.xing@unisoc.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/loop.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/block/loop.c b/drivers/block/loop.c
+index 8a6c1146df00f..455e2a2b149f4 100644
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -441,7 +441,7 @@ static int lo_rw_aio(struct loop_device *lo, struct loop_cmd *cmd,
+ cmd->iocb.ki_filp = file;
+ cmd->iocb.ki_complete = lo_rw_aio_complete;
+ cmd->iocb.ki_flags = IOCB_DIRECT;
+- cmd->iocb.ki_ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_NONE, 0);
++ cmd->iocb.ki_ioprio = req_get_ioprio(rq);
+
+ if (rw == ITER_SOURCE)
+ ret = call_write_iter(file, &cmd->iocb, &iter);
+--
+2.39.5
+
--- /dev/null
+From add14a0c947310ec897d45495fabf2acdda13c32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Mar 2025 15:28:48 +0000
+Subject: mailbox: pcc: Always clear the platform ack interrupt first
+
+From: Sudeep Holla <sudeep.holla@arm.com>
+
+[ Upstream commit cf1338c0e02880cd235a4590eeb15e2039c873bc ]
+
+The PCC mailbox interrupt handler (pcc_mbox_irq()) currently checks
+for command completion flags and any error status before clearing the
+interrupt.
+
+The below sequence highlights an issue in the handling of PCC mailbox
+interrupts, specifically when dealing with doorbell notifications and
+acknowledgment between the OSPM and the platform where type3 and type4
+channels are sharing the interrupt.
+
+-------------------------------------------------------------------------
+| T | Platform Firmware | OSPM/Linux PCC driver |
+|---|---------------------------------|---------------------------------|
+| 1 | | Build message in shmem |
+| 2 | | Ring Type3 chan doorbell |
+| 3 | Receives the doorbell interrupt | |
+| 4 | Process the message from OSPM | |
+| 5 | Build response for the message | |
+| 6 | Ring Platform ACK interrupt on | |
+| | Type3 chan to OSPM | Received the interrupt |
+| 7 | Build Notification in Type4 Chan| |
+| 8 | | Start processing interrupt in |
+| | | pcc_mbox_irq() handler |
+| 9 | | Enter PCC handler for Type4 chan|
+|10 | | Check command complete cleared |
+|11 | | Read the notification |
+|12 | | Clear Platform ACK interrupt |
+| | No effect from the previous step yet as the Platform ACK |
+| | interrupt has not yet been triggered for this channel |
+|13 | Ring Platform ACK interrupt on | |
+| | Type4 chan to OSPM | |
+|14 | | Enter PCC handler for Type3 chan|
+|15 | | Command complete is set. |
+|16 | | Read the response. |
+|17 | | Clear Platform ACK interrupt |
+|18 | | Leave PCC handler for Type3 |
+|19 | | Leave pcc_mbox_irq() handler |
+|20 | | Re-enter pcc_mbox_irq() handler |
+|21 | | Enter PCC handler for Type4 chan|
+|22 | | Leave PCC handler for Type4 chan|
+|23 | | Enter PCC handler for Type3 chan|
+|24 | | Leave PCC handler for Type3 chan|
+|25 | | Leave pcc_mbox_irq() handler |
+-------------------------------------------------------------------------
+
+The key issue occurs when OSPM tries to acknowledge platform ack
+interrupt for a notification which is ready to be read and processed
+but the interrupt itself is not yet triggered by the platform.
+
+This ineffective acknowledgment leads to an issue later in time where
+the interrupt remains pending as we exit the interrupt handler without
+clearing the platform ack interrupt as there is no pending response or
+notification. The interrupt acknowledgment order is incorrect.
+
+To resolve this issue, the platform acknowledgment interrupt should
+always be cleared before processing the interrupt for any notifications
+or response.
+
+Reported-by: Robbie King <robbiek@xsightlabs.com>
+Reviewed-by: Huisong Li <lihuisong@huawei.com>
+Tested-by: Huisong Li <lihuisong@huawei.com>
+Tested-by: Adam Young <admiyo@os.amperecomputing.com>
+Tested-by: Robbie King <robbiek@xsightlabs.com>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mailbox/pcc.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/mailbox/pcc.c b/drivers/mailbox/pcc.c
+index 8fd4d0f79b090..f8215a8f656a4 100644
+--- a/drivers/mailbox/pcc.c
++++ b/drivers/mailbox/pcc.c
+@@ -313,6 +313,10 @@ static irqreturn_t pcc_mbox_irq(int irq, void *p)
+ int ret;
+
+ pchan = chan->con_priv;
++
++ if (pcc_chan_reg_read_modify_write(&pchan->plat_irq_ack))
++ return IRQ_NONE;
++
+ if (pchan->type == ACPI_PCCT_TYPE_EXT_PCC_MASTER_SUBSPACE &&
+ !pchan->chan_in_use)
+ return IRQ_NONE;
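Review bot: The moved `pcc_chan_reg_read_modify_write(&pchan->plat_irq_ack)` call now runs before the `chan_in_use` and completion checks, and that ordering is the whole fix, yet no comment at the new position says so. Something like `/* Always clear the platform ack interrupt first, so it is cleared even when no response or notification turns out to be pending. */` would stop it from being moved back. One consequence deserves a sentence too: on a shared interrupt the ack register is now written on every invocation, including those that then return `IRQ_NONE` at the `chan_in_use` test. pcc_mbox_irq() starts and ends outside the hunk.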
+@@ -330,9 +334,6 @@ static irqreturn_t pcc_mbox_irq(int irq, void *p)
+ return IRQ_NONE;
+ }
+
+- if (pcc_chan_reg_read_modify_write(&pchan->plat_irq_ack))
+- return IRQ_NONE;
+-
+ /*
+ * Clear this flag after updating interrupt ack register and just
+ * before mbox_chan_received_data() which might call pcc_send_data()
+--
+2.39.5
+
--- /dev/null
+From 8ee99a6760364d1318ab21f06ca3be387a115734 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Mar 2025 15:28:47 +0000
+Subject: mailbox: pcc: Fix the possible race in updation of chan_in_use flag
+
+From: Huisong Li <lihuisong@huawei.com>
+
+[ Upstream commit 9779d45c749340ab461d595c1a4a664cb28f3007 ]
+
+The function mbox_chan_received_data() calls the Rx callback of the
+mailbox client driver. The callback might set chan_in_use flag from
+pcc_send_data(). This flag's status determines whether the PCC channel
+is in use.
+
+However, there is a potential race condition where chan_in_use is
+updated incorrectly due to concurrency between the interrupt handler
+(pcc_mbox_irq()) and the command sender(pcc_send_data()).
+
+The 'chan_in_use' flag of a channel is set to true after sending a
+command. And the flag of the new command may be cleared erroneous by
+the interrupt handler afer mbox_chan_received_data() returns,
+
+As a result, the interrupt being level triggered can't be cleared in
+pcc_mbox_irq() and it will be disabled after the number of handled times
+exceeds the specified value. The error log is as follows:
+
+ | kunpeng_hccs HISI04B2:00: PCC command executed timeout!
+ | kunpeng_hccs HISI04B2:00: get port link status info failed, ret = -110
+ | irq 13: nobody cared (try booting with the "irqpoll" option)
+ | Call trace:
+ | dump_backtrace+0x0/0x210
+ | show_stack+0x1c/0x2c
+ | dump_stack+0xec/0x130
+ | __report_bad_irq+0x50/0x190
+ | note_interrupt+0x1e4/0x260
+ | handle_irq_event+0x144/0x17c
+ | handle_fasteoi_irq+0xd0/0x240
+ | __handle_domain_irq+0x80/0xf0
+ | gic_handle_irq+0x74/0x2d0
+ | el1_irq+0xbc/0x140
+ | mnt_clone_write+0x0/0x70
+ | file_update_time+0xcc/0x160
+ | fault_dirty_shared_page+0xe8/0x150
+ | do_shared_fault+0x80/0x1d0
+ | do_fault+0x118/0x1a4
+ | handle_pte_fault+0x154/0x230
+ | __handle_mm_fault+0x1ac/0x390
+ | handle_mm_fault+0xf0/0x250
+ | do_page_fault+0x184/0x454
+ | do_translation_fault+0xac/0xd4
+ | do_mem_abort+0x44/0xb4
+ | el0_da+0x40/0x74
+ | el0_sync_handler+0x60/0xb4
+ | el0_sync+0x168/0x180
+ | handlers:
+ | pcc_mbox_irq
+ | Disabling IRQ #13
+
+To solve this issue, pcc_mbox_irq() must clear 'chan_in_use' flag before
+the call to mbox_chan_received_data().
+
+Tested-by: Adam Young <admiyo@os.amperecomputing.com>
+Tested-by: Robbie King <robbiek@xsightlabs.com>
+Signed-off-by: Huisong Li <lihuisong@huawei.com>
+(sudeep.holla: Minor updates to the subject, commit message and comment)
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mailbox/pcc.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mailbox/pcc.c b/drivers/mailbox/pcc.c
+index 82102a4c5d688..8fd4d0f79b090 100644
+--- a/drivers/mailbox/pcc.c
++++ b/drivers/mailbox/pcc.c
+@@ -333,10 +333,16 @@ static irqreturn_t pcc_mbox_irq(int irq, void *p)
+ if (pcc_chan_reg_read_modify_write(&pchan->plat_irq_ack))
+ return IRQ_NONE;
+
++ /*
++ * Clear this flag after updating interrupt ack register and just
++ * before mbox_chan_received_data() which might call pcc_send_data()
++ * where the flag is set again to start new transfer. This is
++ * required to avoid any possible race in updatation of this flag.
++ */
++ pchan->chan_in_use = false;
+ mbox_chan_received_data(chan, NULL);
+
+ check_and_ack(pchan, chan);
+- pchan->chan_in_use = false;
+
+ return IRQ_HANDLED;
+ }
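Review bot: `pchan->chan_in_use = false;` is a plain store in the interrupt handler to a flag that, per the comment added above it, pcc_send_data() sets again from another context, and nothing in this hunk annotates or orders that access. If no lock covers both sides (not visible here), marking the lockless access would make the intended ordering explicit: `WRITE_ONCE(pchan->chan_in_use, false);`, with a matching `READ_ONCE()` where the handler tests the flag. The new comment also says "updatation" where "update" is meant. pcc_mbox_irq() starts outside the hunk.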
+--
+2.39.5
+
--- /dev/null
+From dd518d46314c2f57625a0a0fb993a97a5fe2706c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Apr 2025 17:38:08 +0300
+Subject: md/raid1: Add check for missing source disk in process_checks()
+
+From: Meir Elisha <meir.elisha@volumez.com>
+
+[ Upstream commit b7c178d9e57c8fd4238ff77263b877f6f16182ba ]
+
+During recovery/check operations, the process_checks function loops
+through available disks to find a 'primary' source with successfully
+read data.
+
+If no suitable source disk is found after checking all possibilities,
+the 'primary' index will reach conf->raid_disks * 2. Add an explicit
+check for this condition after the loop. If no source disk was found,
+print an error message and return early to prevent further processing
+without a valid primary source.
+
+Link: https://lore.kernel.org/linux-raid/20250408143808.1026534-1-meir.elisha@volumez.com
+Signed-off-by: Meir Elisha <meir.elisha@volumez.com>
+Suggested-and-reviewed-by: Yu Kuai <yukuai3@huawei.com>
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/raid1.c | 26 ++++++++++++++++----------
+ 1 file changed, 16 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
+index 65309da1dca34..8b25287c89ed6 100644
+--- a/drivers/md/raid1.c
++++ b/drivers/md/raid1.c
+@@ -2061,14 +2061,9 @@ static int fix_sync_read_error(struct r1bio *r1_bio)
+ if (!rdev_set_badblocks(rdev, sect, s, 0))
+ abort = 1;
+ }
+- if (abort) {
+- conf->recovery_disabled =
+- mddev->recovery_disabled;
+- set_bit(MD_RECOVERY_INTR, &mddev->recovery);
+- md_done_sync(mddev, r1_bio->sectors, 0);
+- put_buf(r1_bio);
++ if (abort)
+ return 0;
+- }
++
+ /* Try next page */
+ sectors -= s;
+ sect += s;
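Review bot: After this change `fix_sync_read_error()` returns 0 on abort without calling `md_done_sync()` or `put_buf()`, so the r1_bio is released only if the caller does it, and nothing at the function states that. A caller that misses this leaves the buffer and the sync accounting unfinished, so I would document the contract at the definition, e.g. `/* Returns 0 on failure; the caller must end the sync and put_buf(r1_bio). */`. The head of the function is outside this hunk, so other callers could not be checked from here.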
+@@ -2207,10 +2202,21 @@ static void sync_request_write(struct mddev *mddev, struct r1bio *r1_bio)
+ int disks = conf->raid_disks * 2;
+ struct bio *wbio;
+
+- if (!test_bit(R1BIO_Uptodate, &r1_bio->state))
+- /* ouch - failed to read all of that. */
+- if (!fix_sync_read_error(r1_bio))
++ if (!test_bit(R1BIO_Uptodate, &r1_bio->state)) {
++ /*
++ * ouch - failed to read all of that.
++ * No need to fix read error for check/repair
++ * because all member disks are read.
++ */
++ if (test_bit(MD_RECOVERY_REQUESTED, &mddev->recovery) ||
++ !fix_sync_read_error(r1_bio)) {
++ conf->recovery_disabled = mddev->recovery_disabled;
++ set_bit(MD_RECOVERY_INTR, &mddev->recovery);
++ md_done_sync(mddev, r1_bio->sectors, 0);
++ put_buf(r1_bio);
+ return;
++ }
++ }
+
+ if (test_bit(MD_RECOVERY_REQUESTED, &mddev->recovery))
+ process_checks(r1_bio);
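Review bot: The commit description speaks of a missing 'primary' source in process_checks(), but neither hunk touches that function; the new code instead skips fix_sync_read_error() and aborts the sync whenever MD_RECOVERY_REQUESTED is set and the r1_bio is not up to date. The in-code comment explains the skip but not the abort, which also sets `conf->recovery_disabled`. A line such as `/* check/repair whose read failed: abort the sync rather than call process_checks() */` would tie the code to the stated intent. sync_request_write() continues past the hunk.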
+--
+2.39.5
+
--- /dev/null
+From 45a6d36d048be7b4d304b41ea0510ed923e33903 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Jan 2025 12:01:56 +0100
+Subject: MIPS: cm: Detect CM quirks from device tree
+
+From: Gregory CLEMENT <gregory.clement@bootlin.com>
+
+[ Upstream commit e27fbe16af5cfc40639de4ced67d1a866a1953e9 ]
+
+Some information that should be retrieved at runtime for the Coherence
+Manager can be either absent or wrong. This patch allows checking if
+some of this information is available from the device tree and updates
+the internal variable accordingly.
+
+For now, only the compatible string associated with the broken HCI is
+being retrieved.
+
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/include/asm/mips-cm.h | 22 ++++++++++++++++++++++
+ arch/mips/kernel/mips-cm.c | 14 ++++++++++++++
+ 2 files changed, 36 insertions(+)
+
+diff --git a/arch/mips/include/asm/mips-cm.h b/arch/mips/include/asm/mips-cm.h
+index 696b40beb774f..0f31324998c0a 100644
+--- a/arch/mips/include/asm/mips-cm.h
++++ b/arch/mips/include/asm/mips-cm.h
+@@ -47,6 +47,16 @@ extern phys_addr_t __mips_cm_phys_base(void);
+ */
+ extern int mips_cm_is64;
+
++/*
++ * mips_cm_is_l2_hci_broken - determine if HCI is broken
++ *
++ * Some CM reports show that Hardware Cache Initialization is
++ * complete, but in reality it's not the case. They also incorrectly
++ * indicate that Hardware Cache Initialization is supported. This
++ * flags allows warning about this broken feature.
++ */
++extern bool mips_cm_is_l2_hci_broken;
++
+ /**
+ * mips_cm_error_report - Report CM cache errors
+ */
+@@ -85,6 +95,18 @@ static inline bool mips_cm_present(void)
+ #endif
+ }
+
++/**
++ * mips_cm_update_property - update property from the device tree
++ *
++ * Retrieve the properties from the device tree if a CM node exist and
++ * update the internal variable based on this.
++ */
++#ifdef CONFIG_MIPS_CM
++extern void mips_cm_update_property(void);
++#else
++static void mips_cm_update_property(void) {}
++#endif
++
+ /**
+ * mips_cm_has_l2sync - determine whether an L2-only sync region is present
+ *
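Review bot: The `!CONFIG_MIPS_CM` stub `static void mips_cm_update_property(void) {}` is defined in a header without `inline`, so every file that includes mips-cm.h without calling it gets its own unused static function and an unused-function warning. It should read `static inline void mips_cm_update_property(void) {}`, in line with the `static inline bool mips_cm_present(void)` named in this hunk's header. The kernel-doc text above it also says "if a CM node exist" where "exists" is meant.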
+diff --git a/arch/mips/kernel/mips-cm.c b/arch/mips/kernel/mips-cm.c
+index 3f00788b08718..4f75160f08949 100644
+--- a/arch/mips/kernel/mips-cm.c
++++ b/arch/mips/kernel/mips-cm.c
+@@ -5,6 +5,7 @@
+ */
+
+ #include <linux/errno.h>
++#include <linux/of.h>
+ #include <linux/percpu.h>
+ #include <linux/spinlock.h>
+
+@@ -14,6 +15,7 @@
+ void __iomem *mips_gcr_base;
+ void __iomem *mips_cm_l2sync_base;
+ int mips_cm_is64;
++bool mips_cm_is_l2_hci_broken;
+
+ static char *cm2_tr[8] = {
+ "mem", "gcr", "gic", "mmio",
+@@ -243,6 +245,18 @@ static void mips_cm_probe_l2sync(void)
+ mips_cm_l2sync_base = ioremap(addr, MIPS_CM_L2SYNC_SIZE);
+ }
+
++void mips_cm_update_property(void)
++{
++ struct device_node *cm_node;
++
++ cm_node = of_find_compatible_node(of_root, NULL, "mobileye,eyeq6-cm");
++ if (!cm_node)
++ return;
++ pr_info("HCI (Hardware Cache Init for the L2 cache) in GCR_L2_RAM_CONFIG from the CM3 is broken");
++ mips_cm_is_l2_hci_broken = true;
++ of_node_put(cm_node);
++}
++
+ int mips_cm_probe(void)
+ {
+ phys_addr_t addr;
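Review bot: `of_find_compatible_node(of_root, NULL, ...)` passes `of_root` as the `from` argument, and as far as I know that helper drops a reference on the node it is given as the starting point, so each call here would release a reference on the root node that this function never took. Passing NULL searches the whole tree without that side effect: `cm_node = of_find_compatible_node(NULL, NULL, "mobileye,eyeq6-cm");`. The `pr_info()` string also lacks a trailing `\n`, so the message may be joined with the next log line.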
+--
+2.39.5
+
--- /dev/null
+From 2bf5684038739b4d5673d3b512945417c2c9c20c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Feb 2025 09:57:25 +0100
+Subject: ntb: reduce stack usage in idt_scan_mws
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit aff12700b8dd7422bfe2277696e192af4df9de8f ]
+
+idt_scan_mws() puts a large fixed-size array on the stack and copies
+it into a smaller dynamically allocated array at the end. On 32-bit
+targets, the fixed size can easily exceed the warning limit for
+possible stack overflow:
+
+drivers/ntb/hw/idt/ntb_hw_idt.c:1041:27: error: stack frame size (1032) exceeds limit (1024) in 'idt_scan_mws' [-Werror,-Wframe-larger-than]
+
+Change it to instead just always use dynamic allocation for the
+array from the start. It's too big for the stack, but not actually
+all that much for a permanent allocation.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/all/202205111109.PiKTruEj-lkp@intel.com/
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Jon Mason <jdmason@kudzu.us>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ntb/hw/idt/ntb_hw_idt.c | 18 +++++++-----------
+ 1 file changed, 7 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/ntb/hw/idt/ntb_hw_idt.c b/drivers/ntb/hw/idt/ntb_hw_idt.c
+index 48823b53ede3e..22aaa60d2d384 100644
+--- a/drivers/ntb/hw/idt/ntb_hw_idt.c
++++ b/drivers/ntb/hw/idt/ntb_hw_idt.c
+@@ -1041,7 +1041,7 @@ static inline char *idt_get_mw_name(enum idt_mw_type mw_type)
+ static struct idt_mw_cfg *idt_scan_mws(struct idt_ntb_dev *ndev, int port,
+ unsigned char *mw_cnt)
+ {
+- struct idt_mw_cfg mws[IDT_MAX_NR_MWS], *ret_mws;
++ struct idt_mw_cfg *mws;
+ const struct idt_ntb_bar *bars;
+ enum idt_mw_type mw_type;
+ unsigned char widx, bidx, en_cnt;
+@@ -1049,6 +1049,11 @@ static struct idt_mw_cfg *idt_scan_mws(struct idt_ntb_dev *ndev, int port,
+ int aprt_size;
+ u32 data;
+
++ mws = devm_kcalloc(&ndev->ntb.pdev->dev, IDT_MAX_NR_MWS,
++ sizeof(*mws), GFP_KERNEL);
++ if (!mws)
++ return ERR_PTR(-ENOMEM);
++
+ /* Retrieve the array of the BARs registers */
+ bars = portdata_tbl[port].bars;
+
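Review bot: `mws` is now a device-managed allocation of `IDT_MAX_NR_MWS` entries made before the scan, so any error return between this point and `return mws` (that part of idt_scan_mws() is outside the hunks) leaves the array attached to the device until it is released, where the old code allocated only after the scan had succeeded. If idt_scan_mws() runs once per peer port or can be retried, those arrays add up. Freeing on the error paths with `devm_kfree(&ndev->ntb.pdev->dev, mws);` would keep the earlier behaviour. The returned array is also no longer sized to `*mw_cnt`, so a comment on the return value saying that only the first `*mw_cnt` entries are valid would help callers.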
+@@ -1103,16 +1108,7 @@ static struct idt_mw_cfg *idt_scan_mws(struct idt_ntb_dev *ndev, int port,
+ }
+ }
+
+- /* Allocate memory for memory window descriptors */
+- ret_mws = devm_kcalloc(&ndev->ntb.pdev->dev, *mw_cnt, sizeof(*ret_mws),
+- GFP_KERNEL);
+- if (!ret_mws)
+- return ERR_PTR(-ENOMEM);
+-
+- /* Copy the info of detected memory windows */
+- memcpy(ret_mws, mws, (*mw_cnt)*sizeof(*ret_mws));
+-
+- return ret_mws;
++ return mws;
+ }
+
+ /*
+--
+2.39.5
+
--- /dev/null
+From 592f0fbe5256a25d2524b12466f32250c4ed2133 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Mar 2025 20:02:16 +0530
+Subject: ntb_hw_amd: Add NTB PCI ID for new gen CPU
+
+From: Basavaraj Natikar <Basavaraj.Natikar@amd.com>
+
+[ Upstream commit bf8a7ce7e4c7267a6f5f2b2023cfc459b330b25e ]
+
+Add NTB support for new generation of processor.
+
+Signed-off-by: Basavaraj Natikar <Basavaraj.Natikar@amd.com>
+Signed-off-by: Jon Mason <jdmason@kudzu.us>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ntb/hw/amd/ntb_hw_amd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/ntb/hw/amd/ntb_hw_amd.c b/drivers/ntb/hw/amd/ntb_hw_amd.c
+index d687e8c2cc78d..63ceed89b62ef 100644
+--- a/drivers/ntb/hw/amd/ntb_hw_amd.c
++++ b/drivers/ntb/hw/amd/ntb_hw_amd.c
+@@ -1318,6 +1318,7 @@ static const struct pci_device_id amd_ntb_pci_tbl[] = {
+ { PCI_VDEVICE(AMD, 0x148b), (kernel_ulong_t)&dev_data[1] },
+ { PCI_VDEVICE(AMD, 0x14c0), (kernel_ulong_t)&dev_data[1] },
+ { PCI_VDEVICE(AMD, 0x14c3), (kernel_ulong_t)&dev_data[1] },
++ { PCI_VDEVICE(AMD, 0x155a), (kernel_ulong_t)&dev_data[1] },
+ { PCI_VDEVICE(HYGON, 0x145b), (kernel_ulong_t)&dev_data[0] },
+ { 0, }
+ };
+--
+2.39.5
+
--- /dev/null
+From 362d77f12601fbf1472db7b3f747d366d546ae5f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Apr 2025 14:06:43 -0600
+Subject: nvme: multipath: fix return value of nvme_available_path
+
+From: Uday Shankar <ushankar@purestorage.com>
+
+[ Upstream commit e3105f54a51554fb1bbf19dcaf93c4411d2d6c8a ]
+
+The function returns bool so we should return false, not NULL. No
+functional changes are expected.
+
+Signed-off-by: Uday Shankar <ushankar@purestorage.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/multipath.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c
+index 32283301199f0..119afdfe4b91e 100644
+--- a/drivers/nvme/host/multipath.c
++++ b/drivers/nvme/host/multipath.c
+@@ -426,7 +426,7 @@ static bool nvme_available_path(struct nvme_ns_head *head)
+ struct nvme_ns *ns;
+
+ if (!test_bit(NVME_NSHEAD_DISK_LIVE, &head->flags))
+- return NULL;
++ return false;
+
+ list_for_each_entry_srcu(ns, &head->list, siblings,
+ srcu_read_lock_held(&head->srcu)) {
+--
+2.39.5
+
--- /dev/null
+From 0a1d7955a0845141f6880ab427746359f38c27f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Apr 2025 09:19:30 +0200
+Subject: nvme: re-read ANA log page after ns scan completes
+
+From: Hannes Reinecke <hare@kernel.org>
+
+[ Upstream commit 62baf70c327444338c34703c71aa8cc8e4189bd6 ]
+
+When scanning for new namespaces we might have missed an ANA AEN.
+
+The NVMe base spec (NVMe Base Specification v2.1, Figure 151 'Asynchonous
+Event Information - Notice': Asymmetric Namespace Access Change) states:
+
+ A controller shall not send this even if an Attached Namespace
+ Attribute Changed asynchronous event [...] is sent for the same event.
+
+so we need to re-read the ANA log page after we rescanned the namespace
+list to update the ANA states of the new namespaces.
+
+Signed-off-by: Hannes Reinecke <hare@kernel.org>
+Reviewed-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index e36c6fcab1eed..8827614ab8c63 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -3976,6 +3976,11 @@ static void nvme_scan_work(struct work_struct *work)
+ /* Requeue if we have missed AENs */
+ if (test_bit(NVME_AER_NOTICE_NS_CHANGED, &ctrl->events))
+ nvme_queue_scan(ctrl);
++#ifdef CONFIG_NVME_MULTIPATH
++ else
++ /* Re-read the ANA log page to not miss updates */
++ queue_work(nvme_wq, &ctrl->ana_work);
++#endif
+ }
+
+ /*
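Review bot: The new `else` branch queues `ctrl->ana_work` for every controller once CONFIG_NVME_MULTIPATH is set, with no check that this controller uses ANA at all. Whether the ANA work handler tolerates a controller without an ANA log buffer is not visible in this hunk; if it does not, a guard such as `else if (ctrl->ana_log_buf)` would confine the re-read to controllers that have one. As a matter of style, an unbraced `else` that exists only inside `#ifdef` is easy to break in a later edit; braces around both arms would make it safer.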
+--
+2.39.5
+
--- /dev/null
+From d6ba664f91c287bfe6bc836f705d37ea07a5197b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Apr 2025 09:19:29 +0200
+Subject: nvme: requeue namespace scan on missed AENs
+
+From: Hannes Reinecke <hare@kernel.org>
+
+[ Upstream commit 9546ad1a9bda7362492114f5866b95b0ac4a100e ]
+
+Scanning for namespaces can take some time, so if the target is
+reconfigured while the scan is running we may miss a Attached Namespace
+Attribute Changed AEN.
+
+Check if the NVME_AER_NOTICE_NS_CHANGED bit is set once the scan has
+finished, and requeue scanning to pick up any missed change.
+
+Signed-off-by: Hannes Reinecke <hare@kernel.org>
+Reviewed-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index f00665ad0c11a..e36c6fcab1eed 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -3972,6 +3972,10 @@ static void nvme_scan_work(struct work_struct *work)
+ nvme_scan_ns_sequential(ctrl);
+ }
+ mutex_unlock(&ctrl->scan_lock);
++
++ /* Requeue if we have missed AENs */
++ if (test_bit(NVME_AER_NOTICE_NS_CHANGED, &ctrl->events))
++ nvme_queue_scan(ctrl);
+ }
+
+ /*
+--
+2.39.5
+
--- /dev/null
+From 26431fe0c5bc177d38ac1cf4c8e306889e3dc0d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Apr 2025 17:29:10 +0200
+Subject: nvmet-fc: put ref when assoc->del_work is already scheduled
+
+From: Daniel Wagner <wagi@kernel.org>
+
+[ Upstream commit 70289ae5cac4d3a39575405aaf63330486cea030 ]
+
+Do not leak the tgtport reference when the work is already scheduled.
+
+Signed-off-by: Daniel Wagner <wagi@kernel.org>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/fc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/target/fc.c b/drivers/nvme/target/fc.c
+index 68ff9540e2d13..570c58d2b5a58 100644
+--- a/drivers/nvme/target/fc.c
++++ b/drivers/nvme/target/fc.c
+@@ -1091,7 +1091,8 @@ static void
+ nvmet_fc_schedule_delete_assoc(struct nvmet_fc_tgt_assoc *assoc)
+ {
+ nvmet_fc_tgtport_get(assoc->tgtport);
+- queue_work(nvmet_wq, &assoc->del_work);
++ if (!queue_work(nvmet_wq, &assoc->del_work))
++ nvmet_fc_tgtport_put(assoc->tgtport);
+ }
+
+ static struct nvmet_fc_tgt_assoc *
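Review bot: The return value of `nvmet_fc_tgtport_get()` is ignored here, although the companion patch on this page shows the call can fail (`if (!nvmet_fc_tgtport_get(tgtport))` followed by `return ERR_PTR(-EINVAL);` in the lines it removes from nvmet_fc_alloc_hostport()). If the get fails, the work is still queued without a reference, and when `queue_work()` returns false the new `nvmet_fc_tgtport_put()` drops a reference that was never taken. Checking it first closes both cases: `if (!nvmet_fc_tgtport_get(assoc->tgtport)) return;`. The same unchecked get is added in the second hunk of the nvmet_fc_alloc_hostport() patch, where it rests only on the new "Caller holds a reference on tgtport" comment.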
+--
+2.39.5
+
--- /dev/null
+From 429627945b04335e19dd4a6a4e4fc53b2cc5190b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Apr 2025 17:29:09 +0200
+Subject: nvmet-fc: take tgtport reference only once
+
+From: Daniel Wagner <wagi@kernel.org>
+
+[ Upstream commit b0b26ad0e1943de25ce82a7e5af3574f31b1cf99 ]
+
+The reference counting code can be simplified. Instead taking a tgtport
+refrerence at the beginning of nvmet_fc_alloc_hostport and put it back
+if not a new hostport object is allocated, only take it when a new
+hostport object is allocated.
+
+Signed-off-by: Daniel Wagner <wagi@kernel.org>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/fc.c | 22 +++++++---------------
+ 1 file changed, 7 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/nvme/target/fc.c b/drivers/nvme/target/fc.c
+index d40d5a4ea932e..68ff9540e2d13 100644
+--- a/drivers/nvme/target/fc.c
++++ b/drivers/nvme/target/fc.c
+@@ -1030,33 +1030,24 @@ nvmet_fc_alloc_hostport(struct nvmet_fc_tgtport *tgtport, void *hosthandle)
+ struct nvmet_fc_hostport *newhost, *match = NULL;
+ unsigned long flags;
+
++ /*
++ * Caller holds a reference on tgtport.
++ */
++
+ /* if LLDD not implemented, leave as NULL */
+ if (!hosthandle)
+ return NULL;
+
+- /*
+- * take reference for what will be the newly allocated hostport if
+- * we end up using a new allocation
+- */
+- if (!nvmet_fc_tgtport_get(tgtport))
+- return ERR_PTR(-EINVAL);
+-
+ spin_lock_irqsave(&tgtport->lock, flags);
+ match = nvmet_fc_match_hostport(tgtport, hosthandle);
+ spin_unlock_irqrestore(&tgtport->lock, flags);
+
+- if (match) {
+- /* no new allocation - release reference */
+- nvmet_fc_tgtport_put(tgtport);
++ if (match)
+ return match;
+- }
+
+ newhost = kzalloc(sizeof(*newhost), GFP_KERNEL);
+- if (!newhost) {
+- /* no new allocation - release reference */
+- nvmet_fc_tgtport_put(tgtport);
++ if (!newhost)
+ return ERR_PTR(-ENOMEM);
+- }
+
+ spin_lock_irqsave(&tgtport->lock, flags);
+ match = nvmet_fc_match_hostport(tgtport, hosthandle);
+@@ -1065,6 +1056,7 @@ nvmet_fc_alloc_hostport(struct nvmet_fc_tgtport *tgtport, void *hosthandle)
+ kfree(newhost);
+ newhost = match;
+ } else {
++ nvmet_fc_tgtport_get(tgtport);
+ newhost->tgtport = tgtport;
+ newhost->hosthandle = hosthandle;
+ INIT_LIST_HEAD(&newhost->host_list);
+--
+2.39.5
+
--- /dev/null
+From 6583f3c924ef854484a2263d3930621a40ae70d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Mar 2025 14:56:09 -0700
+Subject: objtool, ASoC: codecs: wcd934x: Remove potential undefined behavior
+ in wcd934x_slim_irq_handler()
+
+From: Josh Poimboeuf <jpoimboe@kernel.org>
+
+[ Upstream commit 060aed9c0093b341480770457093449771cf1496 ]
+
+If 'port_id' is negative, the shift counts in wcd934x_slim_irq_handler()
+also become negative, resulting in undefined behavior due to shift out
+of bounds.
+
+If I'm reading the code correctly, that appears to be not possible, but
+with KCOV enabled, Clang's range analysis isn't always able to determine
+that and generates undefined behavior.
+
+As a result the code generation isn't optimal, and undefined behavior
+should be avoided regardless. Improve code generation and remove the
+undefined behavior by converting the signed variables to unsigned.
+
+Fixes the following warning with UBSAN:
+
+ sound/soc/codecs/snd-soc-wcd934x.o: warning: objtool: .text.wcd934x_slim_irq_handler: unexpected end of section
+
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Acked-by: Mark Brown <broonie@kernel.org>
+Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Cc: Liam Girdwood <lgirdwood@gmail.com>
+Cc: Jaroslav Kysela <perex@perex.cz>
+Cc: Takashi Iwai <tiwai@suse.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Link: https://lore.kernel.org/r/7e863839ec7301bf9c0f429a03873d44e484c31c.1742852847.git.jpoimboe@kernel.org
+Closes: https://lore.kernel.org/oe-kbuild-all/202503180044.oH9gyPeg-lkp@intel.com/
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/wcd934x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/wcd934x.c b/sound/soc/codecs/wcd934x.c
+index 1b6e376f3833c..fe222c4b74c00 100644
+--- a/sound/soc/codecs/wcd934x.c
++++ b/sound/soc/codecs/wcd934x.c
+@@ -2281,7 +2281,7 @@ static irqreturn_t wcd934x_slim_irq_handler(int irq, void *data)
+ {
+ struct wcd934x_codec *wcd = data;
+ unsigned long status = 0;
+- int i, j, port_id;
++ unsigned int i, j, port_id;
+ unsigned int val, int_val = 0;
+ irqreturn_t ret = IRQ_NONE;
+ bool tx;
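Review bot: Making `port_id` unsigned removes the negative shift count, but a shift is equally undefined when the count is at least the width of the shifted type, and nothing in this hunk bounds `port_id` from above. The computation of `port_id` and the shifts themselves are outside the hunk, so the bound may already be guaranteed; if it is not, a range check before the shift is the actual guard. A short comment at the declaration, `/* unsigned: used as shift counts */`, would also keep someone from changing the type back.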
+--
+2.39.5
+
--- /dev/null
+From a1b759b56f6eca391265309d21fdf4a944fb0e50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Mar 2025 14:56:12 -0700
+Subject: objtool, lkdtm: Obfuscate the do_nothing() pointer
+
+From: Josh Poimboeuf <jpoimboe@kernel.org>
+
+[ Upstream commit 05026ea01e95ffdeb0e5ac8fb7fb1b551e3a8726 ]
+
+If execute_location()'s memcpy of do_nothing() gets inlined and unrolled
+by the compiler, it copies one word at a time:
+
+ mov 0x0(%rip),%rax R_X86_64_PC32 .text+0x1374
+ mov %rax,0x38(%rbx)
+ mov 0x0(%rip),%rax R_X86_64_PC32 .text+0x136c
+ mov %rax,0x30(%rbx)
+ ...
+
+Those .text references point to the middle of the function, causing
+objtool to complain about their lack of ENDBR.
+
+Prevent that by resolving the function pointer at runtime rather than
+build time. This fixes the following warning:
+
+ drivers/misc/lkdtm/lkdtm.o: warning: objtool: execute_location+0x23: relocation to !ENDBR: .text+0x1378
+
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Reviewed-by: Kees Cook <kees@kernel.org>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Link: https://lore.kernel.org/r/30b9abffbddeb43c4f6320b1270fa9b4d74c54ed.1742852847.git.jpoimboe@kernel.org
+Closes: https://lore.kernel.org/oe-kbuild-all/202503191453.uFfxQy5R-lkp@intel.com/
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/lkdtm/perms.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/misc/lkdtm/perms.c b/drivers/misc/lkdtm/perms.c
+index 5b861dbff27e9..6c24426104ba6 100644
+--- a/drivers/misc/lkdtm/perms.c
++++ b/drivers/misc/lkdtm/perms.c
+@@ -28,6 +28,13 @@ static const unsigned long rodata = 0xAA55AA55;
+ /* This is marked __ro_after_init, so it should ultimately be .rodata. */
+ static unsigned long ro_after_init __ro_after_init = 0x55AA5500;
+
++/*
++ * This is a pointer to do_nothing() which is initialized at runtime rather
++ * than build time to avoid objtool IBT validation warnings caused by an
++ * inlined unrolled memcpy() in execute_location().
++ */
++static void __ro_after_init *do_nothing_ptr;
++
+ /*
+ * This just returns to the caller. It is designed to be copied into
+ * non-executable memory regions.
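Review bot: `static void __ro_after_init *do_nothing_ptr;` puts the section attribute between the base type and the `*`, unlike the declaration just above it in this hunk, `static unsigned long ro_after_init __ro_after_init = 0x55AA5500;`. Writing it as `static void *do_nothing_ptr __ro_after_init;` follows that convention and leaves no doubt that the attribute belongs to the variable. The pointer is set only in lkdtm_perms_init(), so execute_location() depends on that having run first; the new comment could say so.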
+@@ -65,13 +72,12 @@ static noinline __nocfi void execute_location(void *dst, bool write)
+ {
+ void (*func)(void);
+ func_desc_t fdesc;
+- void *do_nothing_text = dereference_function_descriptor(do_nothing);
+
+- pr_info("attempting ok execution at %px\n", do_nothing_text);
++ pr_info("attempting ok execution at %px\n", do_nothing_ptr);
+ do_nothing();
+
+ if (write == CODE_WRITE) {
+- memcpy(dst, do_nothing_text, EXEC_SIZE);
++ memcpy(dst, do_nothing_ptr, EXEC_SIZE);
+ flush_icache_range((unsigned long)dst,
+ (unsigned long)dst + EXEC_SIZE);
+ }
+@@ -267,6 +273,8 @@ static void lkdtm_ACCESS_NULL(void)
+
+ void __init lkdtm_perms_init(void)
+ {
++ do_nothing_ptr = dereference_function_descriptor(do_nothing);
++
+ /* Make sure we can write to __ro_after_init values during __init */
+ ro_after_init |= 0xAA;
+ }
+--
+2.39.5
+
--- /dev/null
+From bc7083ab31dc82f82f3020f5a7911346a4263664 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Mar 2025 14:56:07 -0700
+Subject: objtool, panic: Disable SMAP in __stack_chk_fail()
+
+From: Josh Poimboeuf <jpoimboe@kernel.org>
+
+[ Upstream commit 72c774aa9d1e16bfd247096935e7dae194d84929 ]
+
+__stack_chk_fail() can be called from uaccess-enabled code. Make sure
+uaccess gets disabled before calling panic().
+
+Fixes the following warning:
+
+ kernel/trace/trace_branch.o: error: objtool: ftrace_likely_update+0x1ea: call to __stack_chk_fail() with UACCESS enabled
+
+Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Link: https://lore.kernel.org/r/a3e97e0119e1b04c725a8aa05f7bc83d98e657eb.1742852847.git.jpoimboe@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/panic.c | 6 ++++++
+ tools/objtool/check.c | 5 ++++-
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/panic.c b/kernel/panic.c
+index ef9f9a4e928de..d7973e9754748 100644
+--- a/kernel/panic.c
++++ b/kernel/panic.c
+@@ -763,9 +763,15 @@ device_initcall(register_warn_debugfs);
+ */
+ __visible noinstr void __stack_chk_fail(void)
+ {
++ unsigned long flags;
++
+ instrumentation_begin();
++ flags = user_access_save();
++
+ panic("stack-protector: Kernel stack is corrupted in: %pB",
+ __builtin_return_address(0));
++
++ user_access_restore(flags);
+ instrumentation_end();
+ }
+ EXPORT_SYMBOL(__stack_chk_fail);
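Review bot: `user_access_restore(flags);` after `panic()` is never reached, since panic() does not return, and the hunk has no comment saying why uaccess is saved at all. A reader cannot tell from the code that the point is to enter panic() with user access disabled when the stack check fires inside a uaccess region. I would add above the save: `/* May be called with uaccess enabled; disable it before panic(). The restore is not reached. */`. The objtool hunk of this patch adds `__stack_chk_fail` to `uaccess_safe_builtin`, so objtool no longer flags such calls and this function becomes the one place where that state is handled.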
+diff --git a/tools/objtool/check.c b/tools/objtool/check.c
+index ddf3da6eccd0d..eb6d7025ee49c 100644
+--- a/tools/objtool/check.c
++++ b/tools/objtool/check.c
+@@ -1225,12 +1225,15 @@ static const char *uaccess_safe_builtin[] = {
+ "__ubsan_handle_load_invalid_value",
+ /* STACKLEAK */
+ "stackleak_track_stack",
++ /* TRACE_BRANCH_PROFILING */
++ "ftrace_likely_update",
++ /* STACKPROTECTOR */
++ "__stack_chk_fail",
+ /* misc */
+ "csum_partial_copy_generic",
+ "copy_mc_fragile",
+ "copy_mc_fragile_handle_tail",
+ "copy_mc_enhanced_fast_string",
+- "ftrace_likely_update", /* CONFIG_TRACE_BRANCH_PROFILING */
+ "rep_stos_alternative",
+ "rep_movs_alternative",
+ "__copy_user_nocache",
+--
+2.39.5
+
--- /dev/null
+From 599446370751089c6ce8ffc7905fd4ebd1bb11cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Mar 2025 14:56:10 -0700
+Subject: objtool, regulator: rk808: Remove potential undefined behavior in
+ rk806_set_mode_dcdc()
+
+From: Josh Poimboeuf <jpoimboe@kernel.org>
+
+[ Upstream commit 29c578c848402a34e8c8e115bf66cb6008b77062 ]
+
+If 'ctr_bit' is negative, the shift counts become negative, causing a
+shift of bounds and undefined behavior.
+
+Presumably that's not possible in normal operation, but the code
+generation isn't optimal. And undefined behavior should be avoided
+regardless.
+
+Improve code generation and remove the undefined behavior by converting
+the signed variables to unsigned.
+
+Fixes the following warning with an UBSAN kernel:
+
+ vmlinux.o: warning: objtool: rk806_set_mode_dcdc() falls through to next function rk806_get_mode_dcdc()
+ vmlinux.o: warning: objtool: .text.rk806_set_mode_dcdc: unexpected end of section
+
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Acked-by: Mark Brown <broonie@kernel.org>
+Cc: Liam Girdwood <lgirdwood@gmail.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Link: https://lore.kernel.org/r/2023abcddf3f524ba478d64339996f25dc4097d2.1742852847.git.jpoimboe@kernel.org
+Closes: https://lore.kernel.org/oe-kbuild-all/202503182350.52KeHGD4-lkp@intel.com/
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/rk808-regulator.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/regulator/rk808-regulator.c b/drivers/regulator/rk808-regulator.c
+index 374d80dc6d17a..bec22a001a5dd 100644
+--- a/drivers/regulator/rk808-regulator.c
++++ b/drivers/regulator/rk808-regulator.c
+@@ -267,8 +267,8 @@ static const unsigned int rk817_buck1_4_ramp_table[] = {
+
+ static int rk806_set_mode_dcdc(struct regulator_dev *rdev, unsigned int mode)
+ {
+- int rid = rdev_get_id(rdev);
+- int ctr_bit, reg;
++ unsigned int rid = rdev_get_id(rdev);
++ unsigned int ctr_bit, reg;
+
+ reg = RK806_POWER_FPWM_EN0 + rid / 8;
+ ctr_bit = rid % 8;
+--
+2.39.5
+
--- /dev/null
+From 38cfbdf39de169ac554c4ef88707f682b538798c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Mar 2025 14:55:57 -0700
+Subject: objtool: Silence more KCOV warnings
+
+From: Josh Poimboeuf <jpoimboe@kernel.org>
+
+[ Upstream commit 6b023c7842048c4bbeede802f3cf36b96c7a8b25 ]
+
+In the past there were issues with KCOV triggering unreachable
+instruction warnings, which is why unreachable warnings are now disabled
+with CONFIG_KCOV.
+
+Now some new KCOV warnings are showing up with GCC 14:
+
+ vmlinux.o: warning: objtool: cpuset_write_resmask() falls through to next function cpuset_update_active_cpus.cold()
+ drivers/usb/core/driver.o: error: objtool: usb_deregister() falls through to next function usb_match_device()
+ sound/soc/codecs/snd-soc-wcd934x.o: warning: objtool: .text.wcd934x_slim_irq_handler: unexpected end of section
+
+All are caused by GCC KCOV not finishing an optimization, leaving behind
+a never-taken conditional branch to a basic block which falls through to
+the next function (or end of section).
+
+At a high level this is similar to the unreachable warnings mentioned
+above, in that KCOV isn't fully removing dead code. Treat it the same
+way by adding these to the list of warnings to ignore with CONFIG_KCOV.
+
+Reported-by: Ingo Molnar <mingo@kernel.org>
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Link: https://lore.kernel.org/r/66a61a0b65d74e072d3dc02384e395edb2adc3c5.1742852846.git.jpoimboe@kernel.org
+Closes: https://lore.kernel.org/Z9iTsI09AEBlxlHC@gmail.com
+Closes: https://lore.kernel.org/oe-kbuild-all/202503180044.oH9gyPeg-lkp@intel.com/
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/objtool/check.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/tools/objtool/check.c b/tools/objtool/check.c
+index 8ba5bcfd5cd57..ddf3da6eccd0d 100644
+--- a/tools/objtool/check.c
++++ b/tools/objtool/check.c
+@@ -3569,6 +3569,9 @@ static int validate_branch(struct objtool_file *file, struct symbol *func,
+ !strncmp(func->name, "__pfx_", 6))
+ return 0;
+
++ if (file->ignore_unreachables)
++ return 0;
++
+ WARN("%s() falls through to next function %s()",
+ func->name, insn_func(insn)->name);
+ return 1;
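Review bot: The added `file->ignore_unreachables` check here, and the matching one before the "unexpected end of section" warning in the second hunk, reuse a flag whose name only mentions unreachable code, and neither site says why. A fall-through into the next function can also come from a genuine code-generation problem, so a comment at each check should record that the suppression is deliberate, e.g. `/* KCOV can leave a never-taken branch to a dead block; ignore it like unreachable code */`. Where the flag is set is outside the hunk, so it is worth confirming that it is only enabled for the configurations the commit message names. validate_branch() starts and ends outside both hunks.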
+@@ -3788,6 +3791,9 @@ static int validate_branch(struct objtool_file *file, struct symbol *func,
+ if (!next_insn) {
+ if (state.cfi.cfa.base == CFI_UNDEFINED)
+ return 0;
++ if (file->ignore_unreachables)
++ return 0;
++
+ WARN("%s: unexpected end of section", sec->name);
+ return 1;
+ }
+--
+2.39.5
+
--- /dev/null
+From 8a8c4b939408b3a0541d91432e5611d1e3514815 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Apr 2025 00:02:15 -0700
+Subject: objtool: Stop UNRET validation on UD2
+
+From: Josh Poimboeuf <jpoimboe@kernel.org>
+
+[ Upstream commit 9f9cc012c2cbac4833746a0182e06a8eec940d19 ]
+
+In preparation for simplifying INSN_SYSCALL, make validate_unret()
+terminate control flow on UD2 just like validate_branch() already does.
+
+Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Link: https://lore.kernel.org/r/ce841269e7e28c8b7f32064464a9821034d724ff.1744095216.git.jpoimboe@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/objtool/check.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tools/objtool/check.c b/tools/objtool/check.c
+index eb6d7025ee49c..6d35fe0e4695c 100644
+--- a/tools/objtool/check.c
++++ b/tools/objtool/check.c
+@@ -3949,6 +3949,9 @@ static int validate_unret(struct objtool_file *file, struct instruction *insn)
+ break;
+ }
+
++ if (insn->dead_end)
++ return 0;
++
+ if (!next) {
+ WARN_INSN(insn, "teh end!");
+ return -1;
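Review bot: The new early return tests `insn->dead_end`, which is a broader condition than the UD2 case named in the subject, and it has no comment. Any instruction marked as a dead end will now end validation of that path silently, which is presumably intended but should be stated, e.g. `/* control flow ends here (e.g. UD2), same as validate_branch() */`. validate_unret() starts and ends outside the hunk, so how `dead_end` is assigned cannot be checked from here.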
+--
+2.39.5
+
--- /dev/null
+From bfe4ea74c500a00fea22c5633114b0812a457d8c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 9 Feb 2025 01:43:04 +0800
+Subject: parisc: PDT: Fix missing prototype warning
+
+From: Yu-Chun Lin <eleanor15x@gmail.com>
+
+[ Upstream commit b899981750dcb958ceffa4462d903963ee494aa2 ]
+
+As reported by the kernel test robot, the following error occurs:
+
+arch/parisc/kernel/pdt.c:65:6: warning: no previous prototype for 'arch_report_meminfo' [-Wmissing-prototypes]
+ 65 | void arch_report_meminfo(struct seq_file *m)
+ | ^~~~~~~~~~~~~~~~~~~
+
+arch_report_meminfo() is declared in include/linux/proc_fs.h and only
+defined when CONFIG_PROC_FS is enabled. Wrap its definition in #ifdef
+CONFIG_PROC_FS to fix the -Wmissing-prototypes warning.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202502082315.IPaHaTyM-lkp@intel.com/
+Signed-off-by: Yu-Chun Lin <eleanor15x@gmail.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/parisc/kernel/pdt.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/parisc/kernel/pdt.c b/arch/parisc/kernel/pdt.c
+index 0f9b3b5914cf6..b70b67adb855f 100644
+--- a/arch/parisc/kernel/pdt.c
++++ b/arch/parisc/kernel/pdt.c
+@@ -63,6 +63,7 @@ static unsigned long pdt_entry[MAX_PDT_ENTRIES] __page_aligned_bss;
+ #define PDT_ADDR_PERM_ERR (pdt_type != PDT_PDC ? 2UL : 0UL)
+ #define PDT_ADDR_SINGLE_ERR 1UL
+
++#ifdef CONFIG_PROC_FS
+ /* report PDT entries via /proc/meminfo */
+ void arch_report_meminfo(struct seq_file *m)
+ {
+@@ -74,6 +75,7 @@ void arch_report_meminfo(struct seq_file *m)
+ seq_printf(m, "PDT_cur_entries: %7lu\n",
+ pdt_status.pdt_entries);
+ }
++#endif
+
+ static int get_info_pat_new(void)
+ {
+--
+2.39.5
+
--- /dev/null
+From 1eb22628e59654656d857f8bb84e2c29dbfb3ea3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 5 Apr 2025 16:30:36 -0400
+Subject: perf/core: Fix WARN_ON(!ctx) in __free_event() for partial init
+
+From: Gabriel Shahrouzi <gshahrouzi@gmail.com>
+
+[ Upstream commit 0ba3a4ab76fd3367b9cb680cad70182c896c795c ]
+
+Move the get_ctx(child_ctx) call and the child_event->ctx assignment to
+occur immediately after the child event is allocated. Ensure that
+child_event->ctx is non-NULL before any subsequent error path within
+inherit_event calls free_event(), satisfying the assumptions of the
+cleanup code.
+
+Details:
+
+There's no clear Fixes tag, because this bug is a side-effect of
+multiple interacting commits over time (up to 15 years old), not
+a single regression.
+
+The code initially incremented refcount then assigned context
+immediately after the child_event was created. Later, an early
+validity check for child_event was added before the
+refcount/assignment. Even later, a WARN_ON_ONCE() cleanup check was
+added, assuming event->ctx is valid if the pmu_ctx is valid.
+The problem is that the WARN_ON_ONCE() could trigger after the initial
+check passed but before child_event->ctx was assigned, violating its
+precondition. The solution is to assign child_event->ctx right after
+its initial validation. This ensures the context exists for any
+subsequent checks or cleanup routines, resolving the WARN_ON_ONCE().
+
+To resolve it, defer the refcount update and child_event->ctx assignment
+directly after child_event->pmu_ctx is set but before checking if the
+parent event is orphaned. The cleanup routine depends on
+event->pmu_ctx being non-NULL before it verifies event->ctx is
+non-NULL. This also maintains the author's original intent of passing
+in child_ctx to find_get_pmu_context before its refcount/assignment.
+
+[ mingo: Expanded the changelog from another email by Gabriel Shahrouzi. ]
+
+Reported-by: syzbot+ff3aa851d46ab82953a3@syzkaller.appspotmail.com
+Signed-off-by: Gabriel Shahrouzi <gshahrouzi@gmail.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Ravi Bangoria <ravi.bangoria@amd.com>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Link: https://lore.kernel.org/r/20250405203036.582721-1-gshahrouzi@gmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=ff3aa851d46ab82953a3
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/events/core.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index b710976fb01b1..987807b1040ae 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -13419,6 +13419,9 @@ inherit_event(struct perf_event *parent_event,
+ if (IS_ERR(child_event))
+ return child_event;
+
++ get_ctx(child_ctx);
++ child_event->ctx = child_ctx;
++
+ pmu_ctx = find_get_pmu_context(child_event->pmu, child_ctx, child_event);
+ if (IS_ERR(pmu_ctx)) {
+ free_event(child_event);
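Review bot: The reference taken by the added `get_ctx(child_ctx)` is now held across the `IS_ERR(pmu_ctx)` exit visible here and across the later exit that returns NULL, so both rely on `free_event()` dropping it through `child_event->ctx`. That cleanup code is outside the hunk; confirm it puts the context, otherwise every failed inherit leaks a context reference. A comment next to the new lines would record the dependency: `/* free_event() releases this reference on the error paths below */`. inherit_event() starts and ends outside the hunk.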
+@@ -13441,8 +13444,6 @@ inherit_event(struct perf_event *parent_event,
+ return NULL;
+ }
+
+- get_ctx(child_ctx);
+-
+ /*
+ * Make the child state follow the state of the parent event,
+ * not its attr.disabled bit. We hold the parent's mutex,
+@@ -13463,7 +13464,6 @@ inherit_event(struct perf_event *parent_event,
+ local64_set(&hwc->period_left, sample_period);
+ }
+
+- child_event->ctx = child_ctx;
+ child_event->overflow_handler = parent_event->overflow_handler;
+ child_event->overflow_handler_context
+ = parent_event->overflow_handler_context;
+--
+2.39.5
+
--- /dev/null
+From 0efcee4f2e59aff786c7dad34776b78fc0cd0fbb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Feb 2025 17:25:52 -0600
+Subject: pinctrl: renesas: rza2: Fix potential NULL pointer dereference
+
+From: Chenyuan Yang <chenyuan0y@gmail.com>
+
+[ Upstream commit f752ee5b5b86b5f88a5687c9eb0ef9b39859b908 ]
+
+`chip.label` in rza2_gpio_register() could be NULL.
+Add the missing check.
+
+Signed-off-by: Chenyuan Yang <chenyuan0y@gmail.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Matthias Brugger <matthias.bgg@gmail.com>
+Link: https://lore.kernel.org/20250210232552.1545887-1-chenyuan0y@gmail.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/renesas/pinctrl-rza2.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/pinctrl/renesas/pinctrl-rza2.c b/drivers/pinctrl/renesas/pinctrl-rza2.c
+index c5d733216508e..df660b7e1300c 100644
+--- a/drivers/pinctrl/renesas/pinctrl-rza2.c
++++ b/drivers/pinctrl/renesas/pinctrl-rza2.c
+@@ -243,6 +243,9 @@ static int rza2_gpio_register(struct rza2_pinctrl_priv *priv)
+ int ret;
+
+ chip.label = devm_kasprintf(priv->dev, GFP_KERNEL, "%pOFn", np);
++ if (!chip.label)
++ return -ENOMEM;
++
+ chip.parent = priv->dev;
+ chip.ngpio = priv->npins;
+
+--
+2.39.5
+
--- /dev/null
+From 505add336f338567c3ac52d3acf086ad9ab8ac31 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 May 2024 17:50:34 -0600
+Subject: qibfs: fix _another_ leak
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit bdb43af4fdb39f844ede401bdb1258f67a580a27 ]
+
+failure to allocate inode => leaked dentry...
+
+this one had been there since the initial merge; to be fair,
+if we are that far OOM, the odds of failing at that particular
+allocation are low...
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/qib/qib_fs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/infiniband/hw/qib/qib_fs.c b/drivers/infiniband/hw/qib/qib_fs.c
+index 11155e0fb8395..35d777976c295 100644
+--- a/drivers/infiniband/hw/qib/qib_fs.c
++++ b/drivers/infiniband/hw/qib/qib_fs.c
+@@ -55,6 +55,7 @@ static int qibfs_mknod(struct inode *dir, struct dentry *dentry,
+ struct inode *inode = new_inode(dir->i_sb);
+
+ if (!inode) {
++ dput(dentry);
+ error = -EPERM;
+ goto bail;
+ }
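Review bot: With the added `dput(dentry)`, qibfs_mknod() drops the caller's dentry reference on this failure path, an ownership rule that cannot be read from the signature. A line above the call, `/* on failure the dentry reference is dropped here; callers must not dput() it again */`, would guard against a later double put. The callers are outside the hunk, so confirm that none of them releases the dentry after an error return. Separately, the path still reports `-EPERM` for an allocation failure; `-ENOMEM` would describe it better if no caller depends on the value.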
+--
+2.39.5
+
--- /dev/null
+From aaf2ead9e6929015ac05f1c716c481f4325bc088 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Apr 2025 14:09:48 +0200
+Subject: riscv: Provide all alternative macros all the time
+
+From: Andrew Jones <ajones@ventanamicro.com>
+
+[ Upstream commit fb53a9aa5f5b8bf302f3260a7f1f5a24345ce62a ]
+
+We need to provide all six forms of the alternative macros
+(ALTERNATIVE, ALTERNATIVE_2, _ALTERNATIVE_CFG, _ALTERNATIVE_CFG_2,
+__ALTERNATIVE_CFG, __ALTERNATIVE_CFG_2) for all four cases derived
+from the two ifdefs (RISCV_ALTERNATIVE, __ASSEMBLY__) in order to
+ensure all configs can compile. Define this missing ones and ensure
+all are defined to consume all parameters passed.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202504130710.3IKz6Ibs-lkp@intel.com/
+Signed-off-by: Andrew Jones <ajones@ventanamicro.com>
+Tested-by: Alexandre Ghiti <alexghiti@rivosinc.com>
+Reviewed-by: Alexandre Ghiti <alexghiti@rivosinc.com>
+Link: https://lore.kernel.org/r/20250414120947.135173-2-ajones@ventanamicro.com
+Signed-off-by: Alexandre Ghiti <alexghiti@rivosinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/include/asm/alternative-macros.h | 19 +++++++------------
+ 1 file changed, 7 insertions(+), 12 deletions(-)
+
+diff --git a/arch/riscv/include/asm/alternative-macros.h b/arch/riscv/include/asm/alternative-macros.h
+index 721ec275ce57e..231d777d936c2 100644
+--- a/arch/riscv/include/asm/alternative-macros.h
++++ b/arch/riscv/include/asm/alternative-macros.h
+@@ -115,24 +115,19 @@
+ \old_c
+ .endm
+
+-#define _ALTERNATIVE_CFG(old_c, ...) \
+- ALTERNATIVE_CFG old_c
+-
+-#define _ALTERNATIVE_CFG_2(old_c, ...) \
+- ALTERNATIVE_CFG old_c
++#define __ALTERNATIVE_CFG(old_c, ...) ALTERNATIVE_CFG old_c
++#define __ALTERNATIVE_CFG_2(old_c, ...) ALTERNATIVE_CFG old_c
+
+ #else /* !__ASSEMBLY__ */
+
+-#define __ALTERNATIVE_CFG(old_c) \
+- old_c "\n"
++#define __ALTERNATIVE_CFG(old_c, ...) old_c "\n"
++#define __ALTERNATIVE_CFG_2(old_c, ...) old_c "\n"
+
+-#define _ALTERNATIVE_CFG(old_c, ...) \
+- __ALTERNATIVE_CFG(old_c)
++#endif /* __ASSEMBLY__ */
+
+-#define _ALTERNATIVE_CFG_2(old_c, ...) \
+- __ALTERNATIVE_CFG(old_c)
++#define _ALTERNATIVE_CFG(old_c, ...) __ALTERNATIVE_CFG(old_c)
++#define _ALTERNATIVE_CFG_2(old_c, ...) __ALTERNATIVE_CFG_2(old_c)
+
+-#endif /* __ASSEMBLY__ */
+ #endif /* CONFIG_RISCV_ALTERNATIVE */
+
+ /*
+--
+2.39.5
+
--- /dev/null
+From ff705b3dd6c94acba679729bf5c0890cff24f4f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Jan 2025 10:34:49 +0100
+Subject: rtc: pcf85063: do a SW reset if POR failed
+
+From: Lukas Stockmann <lukas.stockmann@siemens.com>
+
+[ Upstream commit 2b7cbd98495f6ee4cd6422fe77828a19e9edf87f ]
+
+Power-on Reset has a documented issue in PCF85063, refer to its datasheet,
+section "Software reset":
+
+"There is a low probability that some devices will have corruption of the
+registers after the automatic power-on reset if the device is powered up
+with a residual VDD level. It is required that the VDD starts at zero volts
+at power up or upon power cycling to ensure that there is no corruption of
+the registers. If this is not possible, a reset must be initiated after
+power-up (i.e. when power is stable) with the software reset command"
+
+Trigger SW reset if there is an indication that POR has failed.
+
+Link: https://www.nxp.com/docs/en/data-sheet/PCF85063A.pdf
+Signed-off-by: Lukas Stockmann <lukas.stockmann@siemens.com>
+Signed-off-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
+Link: https://lore.kernel.org/r/20250120093451.30778-1-alexander.sverdlin@siemens.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-pcf85063.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/rtc/rtc-pcf85063.c b/drivers/rtc/rtc-pcf85063.c
+index 905986c616559..73848f764559b 100644
+--- a/drivers/rtc/rtc-pcf85063.c
++++ b/drivers/rtc/rtc-pcf85063.c
+@@ -35,6 +35,7 @@
+ #define PCF85063_REG_CTRL1_CAP_SEL BIT(0)
+ #define PCF85063_REG_CTRL1_STOP BIT(5)
+ #define PCF85063_REG_CTRL1_EXT_TEST BIT(7)
++#define PCF85063_REG_CTRL1_SWR 0x58
+
+ #define PCF85063_REG_CTRL2 0x01
+ #define PCF85063_CTRL2_AF BIT(6)
+@@ -589,7 +590,7 @@ static int pcf85063_probe(struct i2c_client *client)
+
+ i2c_set_clientdata(client, pcf85063);
+
+- err = regmap_read(pcf85063->regmap, PCF85063_REG_CTRL1, &tmp);
++ err = regmap_read(pcf85063->regmap, PCF85063_REG_SC, &tmp);
+ if (err) {
+ dev_err(&client->dev, "RTC chip is not present\n");
+ return err;
+@@ -599,6 +600,22 @@ static int pcf85063_probe(struct i2c_client *client)
+ if (IS_ERR(pcf85063->rtc))
+ return PTR_ERR(pcf85063->rtc);
+
++ /*
++ * If a Power loss is detected, SW reset the device.
++ * From PCF85063A datasheet:
++ * There is a low probability that some devices will have corruption
++ * of the registers after the automatic power-on reset...
++ */
++ if (tmp & PCF85063_REG_SC_OS) {
++ dev_warn(&client->dev,
++ "POR issue detected, sending a SW reset\n");
++ err = regmap_write(pcf85063->regmap, PCF85063_REG_CTRL1,
++ PCF85063_REG_CTRL1_SWR);
++ if (err < 0)
++ dev_warn(&client->dev,
++ "SW reset failed, trying to continue\n");
++ }
++
+ err = pcf85063_load_capacitance(pcf85063, client->dev.of_node,
+ config->force_cap_7000 ? 7000 : 0);
+ if (err < 0)
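Review bot: `PCF85063_REG_CTRL1_SWR` is defined as the raw value 0x58 among the `BIT()` masks for the same register and is written with `regmap_write()`, so it replaces the whole of CTRL1 rather than setting one bit. A comment on the define would stop it being used as a mask later, e.g. `/* complete CTRL1 value that triggers a software reset, not a bit mask */`. The trigger is the `PCF85063_REG_SC_OS` flag read at probe; if that flag is also set after an ordinary oscillator stop or loss of backup power, the reset and the "POR issue detected" warning fire in those cases too, which the message wording does not convey. The new error test uses `err < 0`, while the `regmap_read()` check earlier in probe uses `if (err)`. pcf85063_probe() starts and ends outside the hunk.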
+--
+2.39.5
+
--- /dev/null
+From efbb631f241106fe8731ea3af5d994258bf86d38 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Feb 2025 10:52:16 +0800
+Subject: s390/sclp: Add check for get_zeroed_page()
+
+From: Haoxiang Li <haoxiang_li2024@163.com>
+
+[ Upstream commit 3db42c75a921854a99db0a2775814fef97415bac ]
+
+Add check for the return value of get_zeroed_page() in
+sclp_console_init() to prevent null pointer dereference.
+Furthermore, to solve the memory leak caused by the loop
+allocation, add a free helper to do the free job.
+
+Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
+Acked-by: Heiko Carstens <hca@linux.ibm.com>
+Link: https://lore.kernel.org/r/20250218025216.2421548-1-haoxiang_li2024@163.com
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/char/sclp_con.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/drivers/s390/char/sclp_con.c b/drivers/s390/char/sclp_con.c
+index e5d947c763ea5..6a030ba38bf36 100644
+--- a/drivers/s390/char/sclp_con.c
++++ b/drivers/s390/char/sclp_con.c
+@@ -263,6 +263,19 @@ static struct console sclp_console =
+ .index = 0 /* ttyS0 */
+ };
+
++/*
++ * Release allocated pages.
++ */
++static void __init __sclp_console_free_pages(void)
++{
++ struct list_head *page, *p;
++
++ list_for_each_safe(page, p, &sclp_con_pages) {
++ list_del(page);
++ free_page((unsigned long)page);
++ }
++}
++
+ /*
+ * called by console_init() in drivers/char/tty_io.c at boot-time.
+ */
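Review bot: `free_page((unsigned long)page)` in __sclp_console_free_pages() is only correct because each list node occupies the first bytes of its own page. That follows from `list_add_tail(page, &sclp_con_pages)` on the `get_zeroed_page()` result in the second hunk, but it is not stated at the helper. The helper's comment could say so: `/* Release allocated pages; each list entry sits at the start of its page. */`. The s390/tty patch later on this page adds an equivalent __sclp_tty_free_pages() for `sclp_tty_pages`; a single helper taking the list head as a parameter would avoid the duplicate, if the two files have a suitable shared location.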
+@@ -282,6 +295,10 @@ sclp_console_init(void)
+ /* Allocate pages for output buffering */
+ for (i = 0; i < sclp_console_pages; i++) {
+ page = (void *) get_zeroed_page(GFP_KERNEL | GFP_DMA);
++ if (!page) {
++ __sclp_console_free_pages();
++ return -ENOMEM;
++ }
+ list_add_tail(page, &sclp_con_pages);
+ }
+ sclp_conbuf = NULL;
+--
+2.39.5
+
--- /dev/null
+From c6f26e2d71690716b079cb40b1fb547a2918727c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Feb 2025 11:41:04 +0800
+Subject: s390/tty: Fix a potential memory leak bug
+
+From: Haoxiang Li <haoxiang_li2024@163.com>
+
+[ Upstream commit ad9bb8f049717d64c5e62b2a44954be9f681c65b ]
+
+The check for get_zeroed_page() leads to a direct return
+and overlooked the memory leak caused by loop allocation.
+Add a free helper to free spaces allocated by get_zeroed_page().
+
+Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
+Acked-by: Heiko Carstens <hca@linux.ibm.com>
+Link: https://lore.kernel.org/r/20250218034104.2436469-1-haoxiang_li2024@163.com
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/char/sclp_tty.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/s390/char/sclp_tty.c b/drivers/s390/char/sclp_tty.c
+index 892c18d2f87e9..d3edacb6ee148 100644
+--- a/drivers/s390/char/sclp_tty.c
++++ b/drivers/s390/char/sclp_tty.c
+@@ -490,6 +490,17 @@ static const struct tty_operations sclp_ops = {
+ .flush_buffer = sclp_tty_flush_buffer,
+ };
+
++/* Release allocated pages. */
++static void __init __sclp_tty_free_pages(void)
++{
++ struct list_head *page, *p;
++
++ list_for_each_safe(page, p, &sclp_tty_pages) {
++ list_del(page);
++ free_page((unsigned long)page);
++ }
++}
++
+ static int __init
+ sclp_tty_init(void)
+ {
+@@ -516,6 +527,7 @@ sclp_tty_init(void)
+ for (i = 0; i < MAX_KMEM_PAGES; i++) {
+ page = (void *) get_zeroed_page(GFP_KERNEL | GFP_DMA);
+ if (page == NULL) {
++ __sclp_tty_free_pages();
+ tty_driver_kref_put(driver);
+ return -ENOMEM;
+ }
+--
+2.39.5
+
--- /dev/null
+From 5cd54bdac4daa2f2bcfc4ea2c7af01d2515c43b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 30 Mar 2025 15:49:55 +0200
+Subject: sched/isolation: Make CONFIG_CPU_ISOLATION depend on CONFIG_SMP
+
+From: Oleg Nesterov <oleg@redhat.com>
+
+[ Upstream commit 975776841e689dd8ba36df9fa72ac3eca3c2957a ]
+
+kernel/sched/isolation.c obviously makes no sense without CONFIG_SMP, but
+the Kconfig entry we have right now:
+
+ config CPU_ISOLATION
+ bool "CPU isolation"
+ depends on SMP || COMPILE_TEST
+
+allows the creation of pointless .config's which cause
+build failures.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Link: https://lore.kernel.org/r/20250330134955.GA7910@redhat.com
+
+Closes: https://lore.kernel.org/oe-kbuild-all/202503260646.lrUqD3j5-lkp@intel.com/
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ init/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/init/Kconfig b/init/Kconfig
+index 1105cb53f391a..8b630143c720f 100644
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -689,7 +689,7 @@ endmenu # "CPU/Task time and stats accounting"
+
+ config CPU_ISOLATION
+ bool "CPU isolation"
+- depends on SMP || COMPILE_TEST
++ depends on SMP
+ default y
+ help
+ Make sure that CPUs running critical tasks are not disturbed by
+--
+2.39.5
+
--- /dev/null
+From 5e426894e0b8361f00a5073a8dfce3723ed88814 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Mar 2025 17:51:35 +0800
+Subject: scsi: hisi_sas: Fix I/O errors caused by hardware port ID changes
+
+From: Xingui Yang <yangxingui@huawei.com>
+
+[ Upstream commit daff37f00c7506ca322ccfce95d342022f06ec58 ]
+
+The hw port ID of phy may change when inserting disks in batches, causing
+the port ID in hisi_sas_port and itct to be inconsistent with the hardware,
+resulting in I/O errors. The solution is to set the device state to gone to
+intercept I/O sent to the device, and then execute linkreset to discard and
+find the disk to re-update its information.
+
+Signed-off-by: Xingui Yang <yangxingui@huawei.com>
+Link: https://lore.kernel.org/r/20250312095135.3048379-3-yangxingui@huawei.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/hisi_sas/hisi_sas_main.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c
+index f78c5f8a49ffa..7e64661d215bd 100644
+--- a/drivers/scsi/hisi_sas/hisi_sas_main.c
++++ b/drivers/scsi/hisi_sas/hisi_sas_main.c
+@@ -911,8 +911,28 @@ static void hisi_sas_phyup_work_common(struct work_struct *work,
+ container_of(work, typeof(*phy), works[event]);
+ struct hisi_hba *hisi_hba = phy->hisi_hba;
+ struct asd_sas_phy *sas_phy = &phy->sas_phy;
++ struct asd_sas_port *sas_port = sas_phy->port;
++ struct hisi_sas_port *port = phy->port;
++ struct device *dev = hisi_hba->dev;
++ struct domain_device *port_dev;
+ int phy_no = sas_phy->id;
+
++ if (!test_bit(HISI_SAS_RESETTING_BIT, &hisi_hba->flags) &&
++ sas_port && port && (port->id != phy->port_id)) {
++ dev_info(dev, "phy%d's hw port id changed from %d to %llu\n",
++ phy_no, port->id, phy->port_id);
++ port_dev = sas_port->port_dev;
++ if (port_dev && !dev_is_expander(port_dev->dev_type)) {
++ /*
++ * Set the device state to gone to block
++ * sending IO to the device.
++ */
++ set_bit(SAS_DEV_GONE, &port_dev->state);
++ hisi_sas_notify_phy_event(phy, HISI_PHYE_LINK_RESET);
++ return;
++ }
++ }
++
+ phy->wait_phyup_cnt = 0;
+ if (phy->identify.target_port_protocols == SAS_PROTOCOL_SSP)
+ hisi_hba->hw->sl_notify_ssp(hisi_hba, phy_no);
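Review bot: The added test `port->id != phy->port_id` compares two fields that the `dev_info()` just below prints as `%d` and `%llu`, so they appear to differ in signedness and width. If `port->id` can hold a negative "unassigned" value, it is converted before the comparison and will always look like a port change. The declarations are outside the hunk, so this needs checking; an explicit form such as `port->id >= 0 && (u64)port->id != phy->port_id` would make the intent visible. The block also reads `sas_phy->port` and `sas_port->port_dev` from a work handler with no lock visible in the hunk, so a short comment on what keeps them stable would help. hisi_sas_phyup_work_common() starts and ends outside the hunk.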
+--
+2.39.5
+
--- /dev/null
+From c244d0c9357d9e0f89d403819502b7629c550efd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Mar 2025 23:03:05 +0000
+Subject: scsi: pm80xx: Set phy_attached to zero when device is gone
+
+From: Igor Pylypiv <ipylypiv@google.com>
+
+[ Upstream commit f7b705c238d1483f0a766e2b20010f176e5c0fb7 ]
+
+When a fatal error occurs, a phy down event may not be received to set
+phy->phy_attached to zero.
+
+Signed-off-by: Igor Pylypiv <ipylypiv@google.com>
+Signed-off-by: Salomon Dushimirimana <salomondush@google.com>
+Link: https://lore.kernel.org/r/20250319230305.3172920-1-salomondush@google.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/pm8001/pm8001_sas.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/pm8001/pm8001_sas.c b/drivers/scsi/pm8001/pm8001_sas.c
+index ee2da8e49d4cf..a9d6dac413346 100644
+--- a/drivers/scsi/pm8001/pm8001_sas.c
++++ b/drivers/scsi/pm8001/pm8001_sas.c
+@@ -719,6 +719,7 @@ static void pm8001_dev_gone_notify(struct domain_device *dev)
+ spin_lock_irqsave(&pm8001_ha->lock, flags);
+ }
+ PM8001_CHIP_DISP->dereg_dev_req(pm8001_ha, device_id);
++ pm8001_ha->phy[pm8001_dev->attached_phy].phy_attached = 0;
+ pm8001_free_dev(pm8001_dev);
+ } else {
+ pm8001_dbg(pm8001_ha, DISC, "Found dev has gone.\n");
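Review bot: The added store indexes `pm8001_ha->phy[]` with `pm8001_dev->attached_phy` without a range check. If that field can hold a phy number that does not refer to a local phy, for example for a device reached through an expander, the write lands outside the array; the assignment of `attached_phy` is outside the hunk, so this needs confirming. Guarding the store keeps the fix safe in that case: `if (pm8001_dev->attached_phy < ARRAY_SIZE(pm8001_ha->phy))` before the assignment, assuming `phy` is a fixed-size array member. pm8001_dev_gone_notify() starts and ends outside the hunk.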
+--
+2.39.5
+
--- /dev/null
+From 799c5bc82e5ec65582a55f8933f15c00cdc794b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Mar 2025 15:30:18 +0000
+Subject: scsi: ufs: exynos: Ensure pre_link() executes before
+ exynos_ufs_phy_init()
+
+From: Peter Griffin <peter.griffin@linaro.org>
+
+[ Upstream commit 3d101165e72316775947d71321d97194f03dfef3 ]
+
+Ensure clocks are enabled before configuring unipro. Additionally move
+the pre_link() hook before the exynos_ufs_phy_init() calls. This means
+the register write sequence more closely resembles the ordering of the
+downstream driver.
+
+Signed-off-by: Peter Griffin <peter.griffin@linaro.org>
+Link: https://lore.kernel.org/r/20250319-exynos-ufs-stability-fixes-v2-1-96722cc2ba1b@linaro.org
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ufs/host/ufs-exynos.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/ufs/host/ufs-exynos.c b/drivers/ufs/host/ufs-exynos.c
+index d138b66d5e350..f61126189876e 100644
+--- a/drivers/ufs/host/ufs-exynos.c
++++ b/drivers/ufs/host/ufs-exynos.c
+@@ -990,9 +990,14 @@ static int exynos_ufs_pre_link(struct ufs_hba *hba)
+ exynos_ufs_config_intr(ufs, DFES_DEF_L4_ERRS, UNIPRO_L4);
+ exynos_ufs_set_unipro_pclk_div(ufs);
+
++ exynos_ufs_setup_clocks(hba, true, PRE_CHANGE);
++
+ /* unipro */
+ exynos_ufs_config_unipro(ufs);
+
++ if (ufs->drv_data->pre_link)
++ ufs->drv_data->pre_link(ufs);
++
+ /* m-phy */
+ exynos_ufs_phy_init(ufs);
+ if (!(ufs->opts & EXYNOS_UFS_OPT_SKIP_CONFIG_PHY_ATTR)) {
+@@ -1000,11 +1005,6 @@ static int exynos_ufs_pre_link(struct ufs_hba *hba)
+ exynos_ufs_config_phy_cap_attr(ufs);
+ }
+
+- exynos_ufs_setup_clocks(hba, true, PRE_CHANGE);
+-
+- if (ufs->drv_data->pre_link)
+- ufs->drv_data->pre_link(ufs);
+-
+ return 0;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From db3fc35dcf7a76b248f20defabe3c0e386cd5e63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Mar 2025 16:09:40 +0800
+Subject: selftests/mincore: Allow read-ahead pages to reach the end of the
+ file
+
+From: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+
+[ Upstream commit 197c1eaa7ba633a482ed7588eea6fd4aa57e08d4 ]
+
+When running the mincore_selftest on a system with an XFS file system, it
+failed the "check_file_mmap" test case due to the read-ahead pages reaching
+the end of the file. The failure log is as below:
+
+ RUN global.check_file_mmap ...
+ mincore_selftest.c:264:check_file_mmap:Expected i (1024) < vec_size (1024)
+ mincore_selftest.c:265:check_file_mmap:Read-ahead pages reached the end of the file
+ check_file_mmap: Test failed
+ FAIL global.check_file_mmap
+
+This is because the read-ahead window size of the XFS file system on this
+machine is 4 MB, which is larger than the size from the #PF address to the
+end of the file. As a result, all the pages for this file are populated.
+
+ blockdev --getra /dev/nvme0n1p5
+ 8192
+ blockdev --getbsz /dev/nvme0n1p5
+ 512
+
+This issue can be fixed by extending the current FILE_SIZE 4MB to a larger
+number, but it will still fail if the read-ahead window size of the file
+system is larger enough. Additionally, in the real world, read-ahead pages
+reaching the end of the file can happen and is an expected behavior.
+Therefore, allowing read-ahead pages to reach the end of the file is a
+better choice for the "check_file_mmap" test case.
+
+Link: https://lore.kernel.org/r/20250311080940.21413-1-qiuxu.zhuo@intel.com
+Reported-by: Yi Lai <yi1.lai@intel.com>
+Signed-off-by: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/mincore/mincore_selftest.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/tools/testing/selftests/mincore/mincore_selftest.c b/tools/testing/selftests/mincore/mincore_selftest.c
+index e949a43a61450..efabfcbe0b498 100644
+--- a/tools/testing/selftests/mincore/mincore_selftest.c
++++ b/tools/testing/selftests/mincore/mincore_selftest.c
+@@ -261,9 +261,6 @@ TEST(check_file_mmap)
+ TH_LOG("No read-ahead pages found in memory");
+ }
+
+- EXPECT_LT(i, vec_size) {
+- TH_LOG("Read-ahead pages reached the end of the file");
+- }
+ /*
+ * End of the readahead window. The rest of the pages shouldn't
+ * be in memory.
+--
+2.39.5
+
--- /dev/null
+From c800994254c76ed34aa31d33892f7d30adfb492c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Apr 2025 08:18:49 +0800
+Subject: selftests: ublk: fix test_stripe_04
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit 72070e57b0a518ec8e562a2b68fdfc796ef5c040 ]
+
+Commit 57ed58c13256 ("selftests: ublk: enable zero copy for stripe target")
+added test entry of test_stripe_04, but forgot to add the test script.
+
+So fix the test by adding the script file.
+
+Reported-by: Uday Shankar <ushankar@purestorage.com>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: Uday Shankar <ushankar@purestorage.com>
+Link: https://lore.kernel.org/r/20250404001849.1443064-1-ming.lei@redhat.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../testing/selftests/ublk/test_stripe_04.sh | 24 +++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+ create mode 100755 tools/testing/selftests/ublk/test_stripe_04.sh
+
+diff --git a/tools/testing/selftests/ublk/test_stripe_04.sh b/tools/testing/selftests/ublk/test_stripe_04.sh
+new file mode 100755
+index 0000000000000..1f2b642381d17
+--- /dev/null
++++ b/tools/testing/selftests/ublk/test_stripe_04.sh
+@@ -0,0 +1,24 @@
++#!/bin/bash
++# SPDX-License-Identifier: GPL-2.0
++
++. "$(cd "$(dirname "$0")" && pwd)"/test_common.sh
++
++TID="stripe_04"
++ERR_CODE=0
++
++_prep_test "stripe" "mkfs & mount & umount on zero copy"
++
++backfile_0=$(_create_backfile 256M)
++backfile_1=$(_create_backfile 256M)
++dev_id=$(_add_ublk_dev -t stripe -z -q 2 "$backfile_0" "$backfile_1")
++_check_add_dev $TID $? "$backfile_0" "$backfile_1"
++
++_mkfs_mount_test /dev/ublkb"${dev_id}"
++ERR_CODE=$?
++
++_cleanup_test "stripe"
++
++_remove_backfile "$backfile_0"
++_remove_backfile "$backfile_1"
++
++_show_result $TID $ERR_CODE
+--
+2.39.5
+
usb-wdm-close-race-between-wdm_open-and-wdm_wwan_port_stop.patch
usb-wdm-wdm_wwan_port_tx_complete-mutex-in-atomic-context.patch
usb-wdm-add-annotation.patch
+pinctrl-renesas-rza2-fix-potential-null-pointer-dere.patch
+mips-cm-detect-cm-quirks-from-device-tree.patch
+crypto-ccp-add-support-for-pci-device-0x1134.patch
+crypto-null-use-spin-lock-instead-of-mutex.patch
+bpf-fix-deadlock-between-rcu_tasks_trace-and-event_m.patch
+clk-check-for-disabled-clock-provider-in-of_clk_get_.patch
+parisc-pdt-fix-missing-prototype-warning.patch
+s390-sclp-add-check-for-get_zeroed_page.patch
+s390-tty-fix-a-potential-memory-leak-bug.patch
+bpf-bpftool-setting-error-code-in-do_loader.patch
+bpf-only-fails-the-busy-counter-check-in-bpf_cgrp_st.patch
+bpf-reject-attaching-fexit-fmod_ret-to-__noreturn-fu.patch
+x86-kconfig-make-config_pci_cnb20le_quirk-depend-on-.patch
+mailbox-pcc-fix-the-possible-race-in-updation-of-cha.patch
+mailbox-pcc-always-clear-the-platform-ack-interrupt-.patch
+usb-host-max3421-hcd-add-missing-spi_device_id-table.patch
+fs-ntfs3-fix-warning-in-ntfs_extend_initialized_size.patch
+usb-dwc3-gadget-refactor-loop-to-avoid-null-endpoint.patch
+usb-dwc3-gadget-avoid-using-reserved-endpoints-on-in.patch
+sound-virtio-fix-cancel_sync-warnings-on-uninitializ.patch
+dmaengine-dmatest-fix-dmatest-waiting-less-when-inte.patch
+usb-xhci-avoid-stop-endpoint-retry-loop-if-the-endpo.patch
+usb-gadget-aspeed-add-null-pointer-check-in-ast_vhub.patch
+usb-host-xhci-plat-mvebu-use-quirks-instead-of-init_.patch
+thunderbolt-scan-retimers-after-device-router-has-be.patch
+objtool-silence-more-kcov-warnings.patch
+objtool-panic-disable-smap-in-__stack_chk_fail.patch
+objtool-asoc-codecs-wcd934x-remove-potential-undefin.patch
+objtool-regulator-rk808-remove-potential-undefined-b.patch
+objtool-lkdtm-obfuscate-the-do_nothing-pointer.patch
+qibfs-fix-_another_-leak.patch
+ntb-reduce-stack-usage-in-idt_scan_mws.patch
+ntb_hw_amd-add-ntb-pci-id-for-new-gen-cpu.patch
+9p-net-fix-improper-handling-of-bogus-negative-read-.patch
+rtc-pcf85063-do-a-sw-reset-if-por-failed.patch
+io_uring-always-do-atomic-put-from-iowq.patch
+sched-isolation-make-config_cpu_isolation-depend-on-.patch
+kvm-s390-don-t-use-pk-through-tracepoints.patch
+kvm-s390-don-t-use-pk-through-debug-printing.patch
+udmabuf-fix-a-buf-size-overflow-issue-during-udmabuf.patch
+selftests-ublk-fix-test_stripe_04.patch
+perf-core-fix-warn_on-ctx-in-__free_event-for-partia.patch
+xen-change-xen-acpi-processor-dom0-dependency.patch
+nvme-requeue-namespace-scan-on-missed-aens.patch
+acpi-ec-set-ec_no_wakeup-for-lenovo-go-s.patch
+acpi-pptt-fix-coding-mistakes-in-a-couple-of-sizeof-.patch
+nvme-re-read-ana-log-page-after-ns-scan-completes.patch
+nvme-multipath-fix-return-value-of-nvme_available_pa.patch
+objtool-stop-unret-validation-on-ud2.patch
+gpiolib-of-move-atmel-hsmci-quirk-up-out-of-the-regu.patch
+selftests-mincore-allow-read-ahead-pages-to-reach-th.patch
+x86-bugs-use-sbpb-in-write_ibpb-if-applicable.patch
+x86-bugs-don-t-fill-rsb-on-vmexit-with-eibrs-retpoli.patch
+x86-bugs-don-t-fill-rsb-on-context-switch-with-eibrs.patch
+nvmet-fc-take-tgtport-reference-only-once.patch
+nvmet-fc-put-ref-when-assoc-del_work-is-already-sche.patch
+cifs-fix-encoding-of-smb1-session-setup-kerberos-req.patch
+timekeeping-add-a-lockdep-override-in-tick_freeze.patch
+cifs-fix-querying-of-wsl-chr-and-blk-reparse-points-.patch
+ext4-make-block-validity-check-resistent-to-sb-bh-co.patch
+scsi-hisi_sas-fix-i-o-errors-caused-by-hardware-port.patch
+scsi-ufs-exynos-ensure-pre_link-executes-before-exyn.patch
+scsi-pm80xx-set-phy_attached-to-zero-when-device-is-.patch
+x86-i8253-call-clockevent_i8253_disable-with-interru.patch
+iomap-skip-unnecessary-ifs_block_is_uptodate-check.patch
+riscv-provide-all-alternative-macros-all-the-time.patch
+loop-aio-inherit-the-ioprio-of-original-request.patch
+spi-tegra210-quad-use-warn_on_once-instead-of-warn_o.patch
+spi-tegra210-quad-add-rate-limiting-and-simplify-tim.patch
+hardening-disable-gcc-randstruct-for-compile_test.patch
+ubsan-fix-panic-from-test_ubsan_out_of_bounds.patch
+x86-cpu-add-cpu-model-number-for-bartlett-lake-cpus-.patch
+md-raid1-add-check-for-missing-source-disk-in-proces.patch
+spi-spi-imx-add-check-for-spi_imx_setupxfer.patch
--- /dev/null
+From 50f1a39e20fcd9e63795cf27e0ecf3e32a4b9181 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Jan 2025 11:40:59 -0800
+Subject: sound/virtio: Fix cancel_sync warnings on uninitialized work_structs
+
+From: John Stultz <jstultz@google.com>
+
+[ Upstream commit 3c7df2e27346eb40a0e86230db1ccab195c97cfe ]
+
+Betty reported hitting the following warning:
+
+[ 8.709131][ T221] WARNING: CPU: 2 PID: 221 at kernel/workqueue.c:4182
+...
+[ 8.713282][ T221] Call trace:
+[ 8.713365][ T221] __flush_work+0x8d0/0x914
+[ 8.713468][ T221] __cancel_work_sync+0xac/0xfc
+[ 8.713570][ T221] cancel_work_sync+0x24/0x34
+[ 8.713667][ T221] virtsnd_remove+0xa8/0xf8 [virtio_snd ab15f34d0dd772f6d11327e08a81d46dc9c36276]
+[ 8.713868][ T221] virtsnd_probe+0x48c/0x664 [virtio_snd ab15f34d0dd772f6d11327e08a81d46dc9c36276]
+[ 8.714035][ T221] virtio_dev_probe+0x28c/0x390
+[ 8.714139][ T221] really_probe+0x1bc/0x4c8
+...
+
+It seems we're hitting the error path in virtsnd_probe(), which
+triggers a virtsnd_remove() which iterates over the substreams
+calling cancel_work_sync() on the elapsed_period work_struct.
+
+Looking at the code, from earlier in:
+virtsnd_probe()->virtsnd_build_devs()->virtsnd_pcm_parse_cfg()
+
+We set snd->nsubstreams, allocate the snd->substreams, and if
+we then hit an error on the info allocation or something in
+virtsnd_ctl_query_info() fails, we will exit without having
+initialized the elapsed_period work_struct.
+
+When that error path unwinds we then call virtsnd_remove()
+which as long as the substreams array is allocated, will iterate
+through calling cancel_work_sync() on the uninitialized work
+struct hitting this warning.
+
+Takashi Iwai suggested this fix, which initializes the substreams
+structure right after allocation, so that if we hit the error
+paths we avoid trying to cleanup uninitialized data.
+
+Note: I have not yet managed to reproduce the issue myself, so
+this patch has had limited testing.
+
+Feedback or thoughts would be appreciated!
+
+Cc: Anton Yakovlev <anton.yakovlev@opensynergy.com>
+Cc: "Michael S. Tsirkin" <mst@redhat.com>
+Cc: Jaroslav Kysela <perex@perex.cz>
+Cc: Takashi Iwai <tiwai@suse.com>
+Cc: virtualization@lists.linux.dev
+Cc: linux-sound@vger.kernel.org
+Cc: kernel-team@android.com
+Reported-by: Betty Zhou <bettyzhou@google.com>
+Suggested-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: John Stultz <jstultz@google.com>
+Message-Id: <20250116194114.3375616-1-jstultz@google.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/virtio/virtio_pcm.c | 21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/sound/virtio/virtio_pcm.c b/sound/virtio/virtio_pcm.c
+index c10d91fff2fb0..1ddec1f4f05d5 100644
+--- a/sound/virtio/virtio_pcm.c
++++ b/sound/virtio/virtio_pcm.c
+@@ -337,6 +337,21 @@ int virtsnd_pcm_parse_cfg(struct virtio_snd *snd)
+ if (!snd->substreams)
+ return -ENOMEM;
+
++ /*
++ * Initialize critical substream fields early in case we hit an
++ * error path and end up trying to clean up uninitialized structures
++ * elsewhere.
++ */
++ for (i = 0; i < snd->nsubstreams; ++i) {
++ struct virtio_pcm_substream *vss = &snd->substreams[i];
++
++ vss->snd = snd;
++ vss->sid = i;
++ INIT_WORK(&vss->elapsed_period, virtsnd_pcm_period_elapsed);
++ init_waitqueue_head(&vss->msg_empty);
++ spin_lock_init(&vss->lock);
++ }
++
+ info = kcalloc(snd->nsubstreams, sizeof(*info), GFP_KERNEL);
+ if (!info)
+ return -ENOMEM;
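Review bot: The new comment above the init loop in virtsnd_pcm_parse_cfg() says the structures are cleaned up "elsewhere" without naming the consumer that makes early initialisation necessary. Per the commit description that consumer is virtsnd_remove(), which calls cancel_work_sync() on each substream's elapsed_period once snd->substreams is allocated. Naming it tells a maintainer which fields added later must also be set up before the first failure return. Suggested wording: `virtsnd_remove() calls cancel_work_sync() on elapsed_period for every allocated substream, so initialise it before any failure return below.` The function starts and continues outside this hunk.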
+@@ -350,12 +365,6 @@ int virtsnd_pcm_parse_cfg(struct virtio_snd *snd)
+ struct virtio_pcm_substream *vss = &snd->substreams[i];
+ struct virtio_pcm *vpcm;
+
+- vss->snd = snd;
+- vss->sid = i;
+- INIT_WORK(&vss->elapsed_period, virtsnd_pcm_period_elapsed);
+- init_waitqueue_head(&vss->msg_empty);
+- spin_lock_init(&vss->lock);
+-
+ rc = virtsnd_pcm_build_hw(vss, &info[i]);
+ if (rc)
+ goto on_exit;
+--
+2.39.5
+
--- /dev/null
+From dd08fe0ba2687dc4ec53eee0a6e6686e6c5d50bc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Apr 2025 10:16:05 +0900
+Subject: spi: spi-imx: Add check for spi_imx_setupxfer()
+
+From: Tamura Dai <kirinode0@gmail.com>
+
+[ Upstream commit 951a04ab3a2db4029debfa48d380ef834b93207e ]
+
+Add check for the return value of spi_imx_setupxfer().
+spi_imx->rx and spi_imx->tx function pointer can be NULL when
+spi_imx_setupxfer() return error, and make NULL pointer dereference.
+
+ Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
+ Call trace:
+ 0x0
+ spi_imx_pio_transfer+0x50/0xd8
+ spi_imx_transfer_one+0x18c/0x858
+ spi_transfer_one_message+0x43c/0x790
+ __spi_pump_transfer_message+0x238/0x5d4
+ __spi_sync+0x2b0/0x454
+ spi_write_then_read+0x11c/0x200
+
+Signed-off-by: Tamura Dai <kirinode0@gmail.com>
+Reviewed-by: Carlos Song <carlos.song@nxp.com>
+Link: https://patch.msgid.link/20250417011700.14436-1-kirinode0@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-imx.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c
+index daa32bde61556..da4442954375b 100644
+--- a/drivers/spi/spi-imx.c
++++ b/drivers/spi/spi-imx.c
+@@ -1614,10 +1614,13 @@ static int spi_imx_transfer_one(struct spi_controller *controller,
+ struct spi_device *spi,
+ struct spi_transfer *transfer)
+ {
++ int ret;
+ struct spi_imx_data *spi_imx = spi_controller_get_devdata(spi->controller);
+ unsigned long hz_per_byte, byte_limit;
+
+- spi_imx_setupxfer(spi, transfer);
++ ret = spi_imx_setupxfer(spi, transfer);
++ if (ret < 0)
++ return ret;
+ transfer->effective_speed_hz = spi_imx->spi_bus_clk;
+
+ /* flush rxfifo before transfer */
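Review bot: The new `if (ret < 0) return ret;` in spi_imx_transfer_one() has no comment saying why the result must not be ignored, and the reason is not obvious from this function. The commit description states that spi_imx->rx and spi_imx->tx can be NULL after a failed spi_imx_setupxfer(), and the call trace shows the PIO path calling through them. A comment such as `/* rx/tx callbacks may be unset on failure; do not start the transfer */` would keep the check from being dropped in a later cleanup. The function continues outside the hunk.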
+--
+2.39.5
+
--- /dev/null
+From 86bda15ffcb1f1262355841cb648819d1e2c8e23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Apr 2025 06:47:50 -0700
+Subject: spi: tegra210-quad: add rate limiting and simplify timeout error
+ message
+
+From: Breno Leitao <leitao@debian.org>
+
+[ Upstream commit 21f4314e66ed8d40b2ee24185d1a06a07a512eb1 ]
+
+On malfunctioning hardware, timeout error messages can appear thousands
+of times, creating unnecessary system pressure and log bloat. This patch
+makes two improvements:
+
+1. Replace dev_err() with dev_err_ratelimited() to prevent log flooding
+ when hardware errors persist
+2. Remove the redundant timeout value parameter from the error message,
+ as 'ret' is always zero in this error path
+
+These changes reduce logging overhead while maintaining necessary error
+reporting for debugging purposes.
+
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Link: https://patch.msgid.link/20250401-tegra-v2-2-126c293ec047@debian.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-tegra210-quad.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spi-tegra210-quad.c b/drivers/spi/spi-tegra210-quad.c
+index 2abb54f9a9ba4..e3c236025a7b3 100644
+--- a/drivers/spi/spi-tegra210-quad.c
++++ b/drivers/spi/spi-tegra210-quad.c
+@@ -1118,8 +1118,8 @@ static int tegra_qspi_combined_seq_xfer(struct tegra_qspi *tqspi,
+ QSPI_DMA_TIMEOUT);
+
+ if (WARN_ON_ONCE(ret == 0)) {
+- dev_err(tqspi->dev, "QSPI Transfer failed with timeout: %d\n",
+- ret);
++ dev_err_ratelimited(tqspi->dev,
++ "QSPI Transfer failed with timeout\n");
+ if (tqspi->is_curr_dma_xfer &&
+ (tqspi->cur_direction & DATA_DIR_TX))
+ dmaengine_terminate_all
+--
+2.39.5
+
--- /dev/null
+From 8507176c87408b99521a85df871fb0641acf2a44 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Apr 2025 06:47:49 -0700
+Subject: spi: tegra210-quad: use WARN_ON_ONCE instead of WARN_ON for timeouts
+
+From: Breno Leitao <leitao@debian.org>
+
+[ Upstream commit 41c721fc093938745d116c3a21326a0ee03bb491 ]
+
+Some machines with tegra_qspi_combined_seq_xfer hardware issues generate
+excessive kernel warnings, severely polluting the logs:
+
+ dmesg | grep -i "WARNING:.*tegra_qspi_transfer_one_message" | wc -l
+ 94451
+
+This patch replaces WARN_ON with WARN_ON_ONCE for timeout conditions to
+reduce log spam. The subsequent error message still prints on each
+occurrence, providing sufficient information about the failure, while
+the stack trace is only needed once for debugging purposes.
+
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Link: https://patch.msgid.link/20250401-tegra-v2-1-126c293ec047@debian.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-tegra210-quad.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-tegra210-quad.c b/drivers/spi/spi-tegra210-quad.c
+index d1afa4140e8a2..2abb54f9a9ba4 100644
+--- a/drivers/spi/spi-tegra210-quad.c
++++ b/drivers/spi/spi-tegra210-quad.c
+@@ -1117,7 +1117,7 @@ static int tegra_qspi_combined_seq_xfer(struct tegra_qspi *tqspi,
+ (&tqspi->xfer_completion,
+ QSPI_DMA_TIMEOUT);
+
+- if (WARN_ON(ret == 0)) {
++ if (WARN_ON_ONCE(ret == 0)) {
+ dev_err(tqspi->dev, "QSPI Transfer failed with timeout: %d\n",
+ ret);
+ if (tqspi->is_curr_dma_xfer &&
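Review bot: `WARN_ON_ONCE(ret == 0)` still reports a transfer timeout as if it were a kernel bug, although the commit description attributes it to hardware issues on some machines. On a system configured to panic on warnings, the first such timeout takes the machine down, and the single stack trace adds little because the `dev_err()` on the next line already reports the failure. Consider a plain `if (ret == 0) {` that keeps only the device error message. The same condition appears unchanged as context in the rate-limiting patch for this file in the same series. tegra_qspi_combined_seq_xfer() starts and ends outside the hunk.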
+--
+2.39.5
+
--- /dev/null
+From e3e89e69af26e33e845fb44d862ac0fe772a3a4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Mar 2025 10:53:21 +0200
+Subject: thunderbolt: Scan retimers after device router has been enumerated
+
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+
+[ Upstream commit 75749d2c1d8cef439f8b69fa1f4f36d0fc3193e6 ]
+
+Thomas reported connection issues on AMD system with Pluggable UD-4VPD
+dock. After some experiments it looks like the device has some sort of
+internal timeout that triggers reconnect. This is completely against the
+USB4 spec, as there is no requirement for the host to enumerate the
+device right away or even at all.
+
+In Linux case the delay is caused by scanning of retimers on the link so
+we can work this around by doing the scanning after the device router
+has been enumerated.
+
+Reported-by: Thomas Lynema <lyz27@yahoo.com>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219748
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thunderbolt/tb.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/thunderbolt/tb.c b/drivers/thunderbolt/tb.c
+index 7c3310a2b28a4..b92a8a5b2e8c9 100644
+--- a/drivers/thunderbolt/tb.c
++++ b/drivers/thunderbolt/tb.c
+@@ -1370,11 +1370,15 @@ static void tb_scan_port(struct tb_port *port)
+ goto out_rpm_put;
+ }
+
+- tb_retimer_scan(port, true);
+-
+ sw = tb_switch_alloc(port->sw->tb, &port->sw->dev,
+ tb_downstream_route(port));
+ if (IS_ERR(sw)) {
++ /*
++ * Make the downstream retimers available even if there
++ * is no router connected.
++ */
++ tb_retimer_scan(port, true);
++
+ /*
+ * If there is an error accessing the connected switch
+ * it may be connected to another domain. Also we allow
+@@ -1424,6 +1428,14 @@ static void tb_scan_port(struct tb_port *port)
+ upstream_port = tb_upstream_port(sw);
+ tb_configure_link(port, upstream_port, sw);
+
++ /*
++ * Scan for downstream retimers. We only scan them after the
++ * router has been enumerated to avoid issues with certain
++ * Pluggable devices that expect the host to enumerate them
++ * within certain timeout.
++ */
++ tb_retimer_scan(port, true);
++
+ /*
+ * CL0s and CL1 are enabled and supported together.
+ * Silently ignore CLx enabling in case CLx is not supported.
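Review bot: After this change tb_retimer_scan() runs only on the IS_ERR(sw) branch (first hunk) and after tb_configure_link() (this hunk), where before it ran unconditionally. Any failure exit between tb_switch_alloc() succeeding and the link being configured would therefore leave the retimers unscanned. The code between the two hunks is not shown, so this is a question rather than a finding. If that stretch has early exits, each should either call `tb_retimer_scan(port, true);` or carry a comment saying the omission is intended. tb_scan_port() starts and continues outside both hunks.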
+--
+2.39.5
+
--- /dev/null
+From 09749e8634b88211cbe982f07aece2b9417301d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Apr 2025 15:34:29 +0200
+Subject: timekeeping: Add a lockdep override in tick_freeze()
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit 92e250c624ea37fde64bfd624fd2556f0d846f18 ]
+
+tick_freeze() acquires a raw spinlock (tick_freeze_lock). Later in the
+callchain (timekeeping_suspend() -> mc146818_avoid_UIP()) the RTC driver
+acquires a spinlock which becomes a sleeping lock on PREEMPT_RT. Lockdep
+complains about this lock nesting.
+
+Add a lockdep override for this special case and a comment explaining
+why it is okay.
+
+Reported-by: Borislav Petkov <bp@alien8.de>
+Reported-by: Chris Bainbridge <chris.bainbridge@gmail.com>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lore.kernel.org/all/20250404133429.pnAzf-eF@linutronix.de
+Closes: https://lore.kernel.org/all/20250330113202.GAZ-krsjAnurOlTcp-@fat_crate.local/
+Closes: https://lore.kernel.org/all/CAP-bSRZ0CWyZZsMtx046YV8L28LhY0fson2g4EqcwRAVN1Jk+Q@mail.gmail.com/
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/time/tick-common.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/kernel/time/tick-common.c b/kernel/time/tick-common.c
+index 7f2b17fc8ce40..ecdb8c2b2cab2 100644
+--- a/kernel/time/tick-common.c
++++ b/kernel/time/tick-common.c
+@@ -495,6 +495,7 @@ void tick_resume(void)
+
+ #ifdef CONFIG_SUSPEND
+ static DEFINE_RAW_SPINLOCK(tick_freeze_lock);
++static DEFINE_WAIT_OVERRIDE_MAP(tick_freeze_map, LD_WAIT_SLEEP);
+ static unsigned int tick_freeze_depth;
+
+ /**
+@@ -514,9 +515,22 @@ void tick_freeze(void)
+ if (tick_freeze_depth == num_online_cpus()) {
+ trace_suspend_resume(TPS("timekeeping_freeze"),
+ smp_processor_id(), true);
++ /*
++ * All other CPUs have their interrupts disabled and are
++ * suspended to idle. Other tasks have been frozen so there
++ * is no scheduling happening. This means that there is no
++ * concurrency in the system at this point. Therefore it is
++ * okay to acquire a sleeping lock on PREEMPT_RT, such as a
++ * spinlock, because the lock cannot be held by other CPUs
++ * or threads and acquiring it cannot block.
++ *
++ * Inform lockdep about the situation.
++ */
++ lock_map_acquire_try(&tick_freeze_map);
+ system_state = SYSTEM_SUSPEND;
+ sched_clock_suspend();
+ timekeeping_suspend();
++ lock_map_release(&tick_freeze_map);
+ } else {
+ tick_suspend_local();
+ }
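Review bot: The comment added in tick_freeze() justifies the override in general terms but does not name the lock that triggered it, so a later reader cannot tell when the override has become unnecessary. The commit description gives the chain, timekeeping_suspend() -> mc146818_avoid_UIP() taking the RTC spinlock; a line such as `* Known case: the RTC spinlock taken via mc146818_avoid_UIP().` would record that. The override map spans all of sched_clock_suspend() and timekeeping_suspend(), and the resume pair in the tick_unfreeze() hunk. Lockdep will presumably stop reporting this kind of nesting for any lock taken there, so the comment should also say that the no-concurrency argument must hold for new callees. Both functions extend outside their hunks.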
+@@ -538,8 +552,16 @@ void tick_unfreeze(void)
+ raw_spin_lock(&tick_freeze_lock);
+
+ if (tick_freeze_depth == num_online_cpus()) {
++ /*
++ * Similar to tick_freeze(). On resumption the first CPU may
++ * acquire uncontended sleeping locks while other CPUs block on
++ * tick_freeze_lock.
++ */
++ lock_map_acquire_try(&tick_freeze_map);
+ timekeeping_resume();
+ sched_clock_resume();
++ lock_map_release(&tick_freeze_map);
++
+ system_state = SYSTEM_RUNNING;
+ trace_suspend_resume(TPS("timekeeping_freeze"),
+ smp_processor_id(), false);
+--
+2.39.5
+
--- /dev/null
+From 127139d44b3cf7df201c93da692bef4955ebd312 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Apr 2025 20:33:54 +0000
+Subject: ubsan: Fix panic from test_ubsan_out_of_bounds
+
+From: Mostafa Saleh <smostafa@google.com>
+
+[ Upstream commit 9b044614be12d78d3a93767708b8d02fb7dfa9b0 ]
+
+Running lib_ubsan.ko on arm64 (without CONFIG_UBSAN_TRAP) panics the
+kernel:
+
+[ 31.616546] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: test_ubsan_out_of_bounds+0x158/0x158 [test_ubsan]
+[ 31.646817] CPU: 3 UID: 0 PID: 179 Comm: insmod Not tainted 6.15.0-rc2 #1 PREEMPT
+[ 31.648153] Hardware name: linux,dummy-virt (DT)
+[ 31.648970] Call trace:
+[ 31.649345] show_stack+0x18/0x24 (C)
+[ 31.650960] dump_stack_lvl+0x40/0x84
+[ 31.651559] dump_stack+0x18/0x24
+[ 31.652264] panic+0x138/0x3b4
+[ 31.652812] __ktime_get_real_seconds+0x0/0x10
+[ 31.653540] test_ubsan_load_invalid_value+0x0/0xa8 [test_ubsan]
+[ 31.654388] init_module+0x24/0xff4 [test_ubsan]
+[ 31.655077] do_one_initcall+0xd4/0x280
+[ 31.655680] do_init_module+0x58/0x2b4
+
+That happens because the test corrupts other data in the stack:
+400: d5384108 mrs x8, sp_el0
+404: f9426d08 ldr x8, [x8, #1240]
+408: f85f83a9 ldur x9, [x29, #-8]
+40c: eb09011f cmp x8, x9
+410: 54000301 b.ne 470 <test_ubsan_out_of_bounds+0x154> // b.any
+
+As there is no guarantee the compiler will order the local variables
+as declared in the module:
+ volatile char above[4] = { }; /* Protect surrounding memory. */
+ volatile int arr[4];
+ volatile char below[4] = { }; /* Protect surrounding memory. */
+
+There is another problem where the out-of-bound index is 5 which is larger
+than the extra surrounding memory for protection.
+
+So, use a struct to enforce the ordering, and fix the index to be 4.
+Also, remove some of the volatiles and rely on OPTIMIZER_HIDE_VAR()
+
+Signed-off-by: Mostafa Saleh <smostafa@google.com>
+Link: https://lore.kernel.org/r/20250415203354.4109415-1-smostafa@google.com
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/test_ubsan.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/lib/test_ubsan.c b/lib/test_ubsan.c
+index 2062be1f2e80f..f90f2b9842ec4 100644
+--- a/lib/test_ubsan.c
++++ b/lib/test_ubsan.c
+@@ -35,18 +35,22 @@ static void test_ubsan_shift_out_of_bounds(void)
+
+ static void test_ubsan_out_of_bounds(void)
+ {
+- volatile int i = 4, j = 5, k = -1;
+- volatile char above[4] = { }; /* Protect surrounding memory. */
+- volatile int arr[4];
+- volatile char below[4] = { }; /* Protect surrounding memory. */
++ int i = 4, j = 4, k = -1;
++ volatile struct {
++ char above[4]; /* Protect surrounding memory. */
++ int arr[4];
++ char below[4]; /* Protect surrounding memory. */
++ } data;
+
+- above[0] = below[0];
++ OPTIMIZER_HIDE_VAR(i);
++ OPTIMIZER_HIDE_VAR(j);
++ OPTIMIZER_HIDE_VAR(k);
+
+ UBSAN_TEST(CONFIG_UBSAN_BOUNDS, "above");
+- arr[j] = i;
++ data.arr[j] = i;
+
+ UBSAN_TEST(CONFIG_UBSAN_BOUNDS, "below");
+- arr[k] = i;
++ data.arr[k] = i;
+ }
+
+ enum ubsan_test_enum {
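Review bot: The guard members in the new struct are named opposite to the accesses they absorb: `data.arr[k]` with k = -1 (the "below" test) lands in `above`, and `data.arr[j]` with j = 4 (the "above" test) lands in `below`. The `Protect surrounding memory.` comments do not say this. The layout only works while each guard is at least as large as one `int` and the indices stay one element outside the array; the commit description identifies the earlier index of 5 as overshooting the guard. Suggest `char above[4]; /* absorbs the arr[-1] write */` and `char below[4]; /* absorbs the arr[4] write */`, plus a one-line comment that j and k must stay within one element of the array bounds.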
+--
+2.39.5
+
--- /dev/null
+From f902a2091ea87094ae788291cb4a56e2c3a815f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Mar 2025 11:41:26 -0500
+Subject: udmabuf: fix a buf size overflow issue during udmabuf creation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Xiaogang Chen <xiaogang.chen@amd.com>
+
+[ Upstream commit 021ba7f1babd029e714d13a6bf2571b08af96d0f ]
+
+by casting size_limit_mb to u64 when calculate pglimit.
+
+Signed-off-by: Xiaogang Chen<Xiaogang.Chen@amd.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20250321164126.329638-1-xiaogang.chen@amd.com
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma-buf/udmabuf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c
+index d1fcdd1f9aaed..373282beeb606 100644
+--- a/drivers/dma-buf/udmabuf.c
++++ b/drivers/dma-buf/udmabuf.c
+@@ -214,7 +214,7 @@ static long udmabuf_create(struct miscdevice *device,
+ if (!ubuf)
+ return -ENOMEM;
+
+- pglimit = (size_limit_mb * 1024 * 1024) >> PAGE_SHIFT;
++ pglimit = ((u64)size_limit_mb * 1024 * 1024) >> PAGE_SHIFT;
+ for (i = 0; i < head->count; i++) {
+ if (!IS_ALIGNED(list[i].offset, PAGE_SIZE))
+ goto err;
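Review bot: The `(u64)` cast on the pglimit line in udmabuf_create() fixes the 32-bit multiply, but the result is stored in `pglimit`, whose declaration is outside this hunk. If that variable is narrower than 64 bits on some builds (for example an `unsigned long` on a 32-bit kernel), a large size_limit_mb would still be truncated on assignment. The signedness of size_limit_mb is also worth confirming: if it is a signed value that can be set negative, the cast turns it into a very large limit, which would effectively switch the size check off. A range check on size_limit_mb before the shift, or declaring `pglimit` as `u64`, would close both cases. The function starts and continues outside the hunk.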
+--
+2.39.5
+
--- /dev/null
+From c945cbcef1557c5b5a31a44dff79a583aa5b5927 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Feb 2025 21:28:04 +0200
+Subject: usb: dwc3: gadget: Avoid using reserved endpoints on Intel Merrifield
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 461f24bff86808ee5fbfe74751a825f8a7ab24e0 ]
+
+Intel Merrifield SoC uses these endpoints for tracing and they cannot
+be re-allocated if being used because the side band flow control signals
+are hard wired to certain endpoints:
+
+• 1 High BW Bulk IN (IN#1) (RTIT)
+• 1 1KB BW Bulk IN (IN#8) + 1 1KB BW Bulk OUT (Run Control) (OUT#8)
+
+In device mode, since RTIT (EP#1) and EXI/RunControl (EP#8) uses
+External Buffer Control (EBC) mode, these endpoints are to be mapped to
+EBC mode (to be done by EXI target driver). Additionally TRB for RTIT
+and EXI are maintained in STM (System Trace Module) unit and the EXI
+target driver will as well configure the TRB location for EP #1 IN
+and EP#8 (IN and OUT). Since STM/PTI and EXI hardware blocks manage
+these endpoints and interface to OTG3 controller through EBC interface,
+there is no need to enable any events (such as XferComplete etc)
+for these end points.
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Tested-by: Ferry Toth <fntoth@gmail.com>
+Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Link: https://lore.kernel.org/r/20250212193116.2487289-5-andriy.shevchenko@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/dwc3-pci.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/usb/dwc3/dwc3-pci.c b/drivers/usb/dwc3/dwc3-pci.c
+index 052852f801467..54a4ee2b90b7f 100644
+--- a/drivers/usb/dwc3/dwc3-pci.c
++++ b/drivers/usb/dwc3/dwc3-pci.c
+@@ -148,11 +148,21 @@ static const struct property_entry dwc3_pci_intel_byt_properties[] = {
+ {}
+ };
+
++/*
++ * Intel Merrifield SoC uses these endpoints for tracing and they cannot
++ * be re-allocated if being used because the side band flow control signals
++ * are hard wired to certain endpoints:
++ * - 1 High BW Bulk IN (IN#1) (RTIT)
++ * - 1 1KB BW Bulk IN (IN#8) + 1 1KB BW Bulk OUT (Run Control) (OUT#8)
++ */
++static const u8 dwc3_pci_mrfld_reserved_endpoints[] = { 3, 16, 17 };
++
+ static const struct property_entry dwc3_pci_mrfld_properties[] = {
+ PROPERTY_ENTRY_STRING("dr_mode", "otg"),
+ PROPERTY_ENTRY_STRING("linux,extcon-name", "mrfld_bcove_pwrsrc"),
+ PROPERTY_ENTRY_BOOL("snps,dis_u3_susphy_quirk"),
+ PROPERTY_ENTRY_BOOL("snps,dis_u2_susphy_quirk"),
++ PROPERTY_ENTRY_U8_ARRAY("snps,reserved-endpoints", dwc3_pci_mrfld_reserved_endpoints),
+ PROPERTY_ENTRY_BOOL("snps,usb2-gadget-lpm-disable"),
+ PROPERTY_ENTRY_BOOL("linux,sysdev_is_parent"),
+ {}
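Review bot: The values in `dwc3_pci_mrfld_reserved_endpoints[] = { 3, 16, 17 }` do not match the endpoint numbers in the comment above them (IN#1, IN#8, OUT#8), and nothing says how one maps to the other. They look like physical endpoint indices (OUT at 2 * n, IN at 2 * n + 1, giving 3, 17 and 16). That should be confirmed against the code that consumes "snps,reserved-endpoints", which is not in this hunk. A line in the comment such as `Values are physical endpoint numbers: 2 * n for OUT#n, 2 * n + 1 for IN#n.` would let a reader verify the list without leaving the file.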
+--
+2.39.5
+
--- /dev/null
+From cc3d36f203921f1ccd29bbe90da83ec0b7373fee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Feb 2025 21:28:02 +0200
+Subject: usb: dwc3: gadget: Refactor loop to avoid NULL endpoints
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit eafba0205426091354f050381c32ad1567c35844 ]
+
+Prepare the gadget driver to handle the reserved endpoints that will be
+not allocated at the initialisation time.
+
+While at it, add a warning where the NULL endpoint should never happen.
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Tested-by: Ferry Toth <fntoth@gmail.com>
+Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Link: https://lore.kernel.org/r/20250212193116.2487289-3-andriy.shevchenko@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/gadget.c | 22 ++++++++++++++++++----
+ 1 file changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
+index 8b22924205811..f51d743bb3ecc 100644
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -548,6 +548,7 @@ static int dwc3_gadget_set_xfer_resource(struct dwc3_ep *dep)
+ int dwc3_gadget_start_config(struct dwc3 *dwc, unsigned int resource_index)
+ {
+ struct dwc3_gadget_ep_cmd_params params;
++ struct dwc3_ep *dep;
+ u32 cmd;
+ int i;
+ int ret;
+@@ -564,8 +565,13 @@ int dwc3_gadget_start_config(struct dwc3 *dwc, unsigned int resource_index)
+ return ret;
+
+ /* Reset resource allocation flags */
+- for (i = resource_index; i < dwc->num_eps && dwc->eps[i]; i++)
+- dwc->eps[i]->flags &= ~DWC3_EP_RESOURCE_ALLOCATED;
++ for (i = resource_index; i < dwc->num_eps; i++) {
++ dep = dwc->eps[i];
++ if (!dep)
++ continue;
++
++ dep->flags &= ~DWC3_EP_RESOURCE_ALLOCATED;
++ }
+
+ return 0;
+ }
+@@ -752,9 +758,11 @@ void dwc3_gadget_clear_tx_fifos(struct dwc3 *dwc)
+
+ dwc->last_fifo_depth = fifo_depth;
+ /* Clear existing TXFIFO for all IN eps except ep0 */
+- for (num = 3; num < min_t(int, dwc->num_eps, DWC3_ENDPOINTS_NUM);
+- num += 2) {
++ for (num = 3; num < min_t(int, dwc->num_eps, DWC3_ENDPOINTS_NUM); num += 2) {
+ dep = dwc->eps[num];
++ if (!dep)
++ continue;
++
+ /* Don't change TXFRAMNUM on usb31 version */
+ size = DWC3_IP_IS(DWC3) ? 0 :
+ dwc3_readl(dwc->regs, DWC3_GTXFIFOSIZ(num >> 1)) &
+@@ -3670,6 +3678,8 @@ static bool dwc3_gadget_endpoint_trbs_complete(struct dwc3_ep *dep,
+
+ for (i = 0; i < DWC3_ENDPOINTS_NUM; i++) {
+ dep = dwc->eps[i];
++ if (!dep)
++ continue;
+
+ if (!(dep->flags & DWC3_EP_ENABLED))
+ continue;
+@@ -3858,6 +3868,10 @@ static void dwc3_endpoint_interrupt(struct dwc3 *dwc,
+ u8 epnum = event->endpoint_number;
+
+ dep = dwc->eps[epnum];
++ if (!dep) {
++ dev_warn(dwc->dev, "spurious event, endpoint %u is not allocated\n", epnum);
++ return;
++ }
+
+ if (!(dep->flags & DWC3_EP_ENABLED)) {
+ if ((epnum > 1) && !(dep->flags & DWC3_EP_TRANSFER_STARTED))
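Review bot: The `dev_warn()` added in dwc3_endpoint_interrupt() is not rate limited, and it sits on the event-handling path. A controller that keeps raising events for an unallocated endpoint would emit one log line per event. `dev_warn_ratelimited(dwc->dev, "spurious event, endpoint %u is not allocated\n", epnum);` keeps the diagnostic without letting it flood the log. The function starts and continues outside the hunk.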
+--
+2.39.5
+
--- /dev/null
+From 33def6fdd818f13fd32a1da1745ef8cd030585d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Mar 2025 20:27:05 -0500
+Subject: usb: gadget: aspeed: Add NULL pointer check in ast_vhub_init_dev()
+
+From: Chenyuan Yang <chenyuan0y@gmail.com>
+
+[ Upstream commit 8c75f3e6a433d92084ad4e78b029ae680865420f ]
+
+The variable d->name, returned by devm_kasprintf(), could be NULL.
+A pointer check is added to prevent potential NULL pointer dereference.
+This is similar to the fix in commit 3027e7b15b02
+("ice: Fix some null pointer dereference issues in ice_ptp.c").
+
+This issue is found by our static analysis tool
+
+Signed-off-by: Chenyuan Yang <chenyuan0y@gmail.com>
+Link: https://lore.kernel.org/r/20250311012705.1233829-1-chenyuan0y@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/aspeed-vhub/dev.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/usb/gadget/udc/aspeed-vhub/dev.c b/drivers/usb/gadget/udc/aspeed-vhub/dev.c
+index 573109ca5b799..a09f72772e6e9 100644
+--- a/drivers/usb/gadget/udc/aspeed-vhub/dev.c
++++ b/drivers/usb/gadget/udc/aspeed-vhub/dev.c
+@@ -548,6 +548,9 @@ int ast_vhub_init_dev(struct ast_vhub *vhub, unsigned int idx)
+ d->vhub = vhub;
+ d->index = idx;
+ d->name = devm_kasprintf(parent, GFP_KERNEL, "port%d", idx+1);
++ if (!d->name)
++ return -ENOMEM;
++
+ d->regs = vhub->regs + 0x100 + 0x10 * idx;
+
+ ast_vhub_init_ep0(vhub, &d->ep0, d);
+--
+2.39.5
+
--- /dev/null
+From 39bb444a67ef85e9fa29801fc8b7018b3aa83856 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Jan 2025 20:51:13 +0100
+Subject: usb: host: max3421-hcd: Add missing spi_device_id table
+
+From: Alexander Stein <alexander.stein@mailbox.org>
+
+[ Upstream commit 41d5e3806cf589f658f92c75195095df0b66f66a ]
+
+"maxim,max3421" DT compatible is missing its SPI device ID entry, not
+allowing module autoloading and leading to the following message:
+ "SPI driver max3421-hcd has no spi_device_id for maxim,max3421"
+
+Fix this by adding the spi_device_id table.
+
+Signed-off-by: Alexander Stein <alexander.stein@mailbox.org>
+Link: https://lore.kernel.org/r/20250128195114.56321-1-alexander.stein@mailbox.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/max3421-hcd.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/usb/host/max3421-hcd.c b/drivers/usb/host/max3421-hcd.c
+index a219260ad3e6c..cc1f579f02de1 100644
+--- a/drivers/usb/host/max3421-hcd.c
++++ b/drivers/usb/host/max3421-hcd.c
+@@ -1946,6 +1946,12 @@ max3421_remove(struct spi_device *spi)
+ usb_put_hcd(hcd);
+ }
+
++static const struct spi_device_id max3421_spi_ids[] = {
++ { "max3421" },
++ { },
++};
++MODULE_DEVICE_TABLE(spi, max3421_spi_ids);
++
+ static const struct of_device_id max3421_of_match_table[] = {
+ { .compatible = "maxim,max3421", },
+ {},
+@@ -1955,6 +1961,7 @@ MODULE_DEVICE_TABLE(of, max3421_of_match_table);
+ static struct spi_driver max3421_driver = {
+ .probe = max3421_probe,
+ .remove = max3421_remove,
++ .id_table = max3421_spi_ids,
+ .driver = {
+ .name = "max3421-hcd",
+ .of_match_table = max3421_of_match_table,
+--
+2.39.5
+
--- /dev/null
+From 30ed22fd1d89af532e23c48f463ffcf3bf097939 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Feb 2025 18:36:46 +0100
+Subject: usb: host: xhci-plat: mvebu: use ->quirks instead of ->init_quirk()
+ func
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Théo Lebrun <theo.lebrun@bootlin.com>
+
+[ Upstream commit 64eb182d5f7a5ec30227bce4f6922ff663432f44 ]
+
+Compatible "marvell,armada3700-xhci" match data uses the
+struct xhci_plat_priv::init_quirk() function pointer to add
+XHCI_RESET_ON_RESUME as quirk on XHCI.
+
+Instead, use the struct xhci_plat_priv::quirks field.
+
+Signed-off-by: Théo Lebrun <theo.lebrun@bootlin.com>
+Link: https://lore.kernel.org/r/20250205-s2r-cdns-v7-1-13658a271c3c@bootlin.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci-mvebu.c | 10 ----------
+ drivers/usb/host/xhci-mvebu.h | 6 ------
+ drivers/usb/host/xhci-plat.c | 2 +-
+ 3 files changed, 1 insertion(+), 17 deletions(-)
+
+diff --git a/drivers/usb/host/xhci-mvebu.c b/drivers/usb/host/xhci-mvebu.c
+index 87f1597a0e5ab..257e4d79971fd 100644
+--- a/drivers/usb/host/xhci-mvebu.c
++++ b/drivers/usb/host/xhci-mvebu.c
+@@ -73,13 +73,3 @@ int xhci_mvebu_mbus_init_quirk(struct usb_hcd *hcd)
+
+ return 0;
+ }
+-
+-int xhci_mvebu_a3700_init_quirk(struct usb_hcd *hcd)
+-{
+- struct xhci_hcd *xhci = hcd_to_xhci(hcd);
+-
+- /* Without reset on resume, the HC won't work at all */
+- xhci->quirks |= XHCI_RESET_ON_RESUME;
+-
+- return 0;
+-}
+diff --git a/drivers/usb/host/xhci-mvebu.h b/drivers/usb/host/xhci-mvebu.h
+index 3be021793cc8b..9d26e22c48422 100644
+--- a/drivers/usb/host/xhci-mvebu.h
++++ b/drivers/usb/host/xhci-mvebu.h
+@@ -12,16 +12,10 @@ struct usb_hcd;
+
+ #if IS_ENABLED(CONFIG_USB_XHCI_MVEBU)
+ int xhci_mvebu_mbus_init_quirk(struct usb_hcd *hcd);
+-int xhci_mvebu_a3700_init_quirk(struct usb_hcd *hcd);
+ #else
+ static inline int xhci_mvebu_mbus_init_quirk(struct usb_hcd *hcd)
+ {
+ return 0;
+ }
+-
+-static inline int xhci_mvebu_a3700_init_quirk(struct usb_hcd *hcd)
+-{
+- return 0;
+-}
+ #endif
+ #endif /* __LINUX_XHCI_MVEBU_H */
+diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c
+index d68e9abcdc69a..8832e0cedadaf 100644
+--- a/drivers/usb/host/xhci-plat.c
++++ b/drivers/usb/host/xhci-plat.c
+@@ -106,7 +106,7 @@ static const struct xhci_plat_priv xhci_plat_marvell_armada = {
+ };
+
+ static const struct xhci_plat_priv xhci_plat_marvell_armada3700 = {
+- .init_quirk = xhci_mvebu_a3700_init_quirk,
++ .quirks = XHCI_RESET_ON_RESUME,
+ };
+
+ static const struct xhci_plat_priv xhci_plat_brcm = {
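Review bot: The reason for the quirk is lost in this hunk, because the comment that explained it lived in the deleted `xhci_mvebu_a3700_init_quirk()` and the new `.quirks = XHCI_RESET_ON_RESUME,` initializer carries none. I would keep the rationale next to the initializer in `xhci_plat_marvell_armada3700`, for example `/* Without reset on resume, the HC won't work at all */` on the line above `.quirks`. Nothing else in the struct changes.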
+--
+2.39.5
+
--- /dev/null
+From d04496bd939eb760363e962560db151019348d48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Mar 2025 17:45:51 +0200
+Subject: usb: xhci: Avoid Stop Endpoint retry loop if the endpoint seems
+ Running
+
+From: Michal Pecio <michal.pecio@gmail.com>
+
+[ Upstream commit 28a76fcc4c85dd39633fb96edb643c91820133e3 ]
+
+Nothing prevents a broken HC from claiming that an endpoint is Running
+and repeatedly rejecting Stop Endpoint with Context State Error.
+
+Avoid infinite retries and give back cancelled TDs.
+
+No such cases known so far, but HCs have bugs.
+
+Signed-off-by: Michal Pecio <michal.pecio@gmail.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20250311154551.4035726-4-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci-ring.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
+index e66bb87c42179..cb94439629451 100644
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -1214,16 +1214,19 @@ static void xhci_handle_cmd_stop_ep(struct xhci_hcd *xhci, int slot_id,
+ * Stopped state, but it will soon change to Running.
+ *
+ * Assume this bug on unexpected Stop Endpoint failures.
+- * Keep retrying until the EP starts and stops again, on
+- * chips where this is known to help. Wait for 100ms.
++ * Keep retrying until the EP starts and stops again.
+ */
+- if (time_is_before_jiffies(ep->stop_time + msecs_to_jiffies(100)))
+- break;
+ fallthrough;
+ case EP_STATE_RUNNING:
+ /* Race, HW handled stop ep cmd before ep was running */
+ xhci_dbg(xhci, "Stop ep completion ctx error, ctx_state %d\n",
+ GET_EP_CTX_STATE(ep_ctx));
++ /*
++ * Don't retry forever if we guessed wrong or a defective HC never starts
++ * the EP or says 'Running' but fails the command. We must give back TDs.
++ */
++ if (time_is_before_jiffies(ep->stop_time + msecs_to_jiffies(100)))
++ break;
+
+ command = xhci_alloc_command(xhci, false, GFP_ATOMIC);
+ if (!command) {
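Review bot: The relocated `time_is_before_jiffies(ep->stop_time + msecs_to_jiffies(100))` check only bounds the retries if `ep->stop_time` is written once, when the original Stop Endpoint is queued, and is not refreshed when the retry command allocated just below is queued. That write is not visible in this hunk, so it is worth confirming. The new comment could state the assumption, e.g. `stop_time is set when the first Stop Endpoint is queued, never on a retry`. With the old "Wait for 100ms" text removed, the literal `100` is also unexplained; a named constant would document the budget. `xhci_handle_cmd_stop_ep()` starts and continues outside the hunk.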
+--
+2.39.5
+
--- /dev/null
+From 4b06af944a1554dc656a8b9c0fd08d3ed1a2a24b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Apr 2025 14:47:34 -0700
+Subject: x86/bugs: Don't fill RSB on context switch with eIBRS
+
+From: Josh Poimboeuf <jpoimboe@kernel.org>
+
+[ Upstream commit 27ce8299bc1ec6df8306073785ff82b30b3cc5ee ]
+
+User->user Spectre v2 attacks (including RSB) across context switches
+are already mitigated by IBPB in cond_mitigation(), if enabled globally
+or if either the prev or the next task has opted in to protection. RSB
+filling without IBPB serves no purpose for protecting user space, as
+indirect branches are still vulnerable.
+
+User->kernel RSB attacks are mitigated by eIBRS. In which case the RSB
+filling on context switch isn't needed, so remove it.
+
+Suggested-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Reviewed-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Reviewed-by: Amit Shah <amit.shah@amd.com>
+Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>
+Link: https://lore.kernel.org/r/98cdefe42180358efebf78e3b80752850c7a3e1b.1744148254.git.jpoimboe@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/bugs.c | 24 ++++++++++++------------
+ arch/x86/mm/tlb.c | 6 +++---
+ 2 files changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
+index a8fce2ab0f250..78545f7e9cc6c 100644
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -1574,7 +1574,7 @@ static void __init spec_ctrl_disable_kernel_rrsba(void)
+ rrsba_disabled = true;
+ }
+
+-static void __init spectre_v2_determine_rsb_fill_type_at_vmexit(enum spectre_v2_mitigation mode)
++static void __init spectre_v2_select_rsb_mitigation(enum spectre_v2_mitigation mode)
+ {
+ /*
+ * Similar to context switches, there are two types of RSB attacks
+@@ -1598,7 +1598,7 @@ static void __init spectre_v2_determine_rsb_fill_type_at_vmexit(enum spectre_v2_
+ */
+ switch (mode) {
+ case SPECTRE_V2_NONE:
+- return;
++ break;
+
+ case SPECTRE_V2_EIBRS:
+ case SPECTRE_V2_EIBRS_LFENCE:
+@@ -1607,18 +1607,21 @@ static void __init spectre_v2_determine_rsb_fill_type_at_vmexit(enum spectre_v2_
+ pr_info("Spectre v2 / PBRSB-eIBRS: Retire a single CALL on VMEXIT\n");
+ setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT_LITE);
+ }
+- return;
++ break;
+
+ case SPECTRE_V2_RETPOLINE:
+ case SPECTRE_V2_LFENCE:
+ case SPECTRE_V2_IBRS:
+- pr_info("Spectre v2 / SpectreRSB : Filling RSB on VMEXIT\n");
++ pr_info("Spectre v2 / SpectreRSB: Filling RSB on context switch and VMEXIT\n");
++ setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW);
+ setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT);
+- return;
+- }
++ break;
+
+- pr_warn_once("Unknown Spectre v2 mode, disabling RSB mitigation at VM exit");
+- dump_stack();
++ default:
++ pr_warn_once("Unknown Spectre v2 mode, disabling RSB mitigation\n");
++ dump_stack();
++ break;
++ }
+ }
+
+ /*
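Review bot: The eIBRS branch that ends at the first `break;` in this hunk now leaves `X86_FEATURE_RSB_CTXSW` unset without a comment or log line explaining why, so the reasoning exists only in the commit description. I would add a comment above that branch such as `/* eIBRS covers user->kernel RSB; user->user relies on IBPB in cond_mitigation() */`, so a later reader does not re-add the fill or assume it is still active. The function's leading comment, visible in the first hunk of this file, still opens with "Similar to context switches". That wording reads as stale now that the renamed `spectre_v2_select_rsb_mitigation()` also selects the context-switch mitigation.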
+@@ -1844,10 +1847,7 @@ static void __init spectre_v2_select_mitigation(void)
+ *
+ * FIXME: Is this pointless for retbleed-affected AMD?
+ */
+- setup_force_cpu_cap(X86_FEATURE_RSB_CTXSW);
+- pr_info("Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch\n");
+-
+- spectre_v2_determine_rsb_fill_type_at_vmexit(mode);
++ spectre_v2_select_rsb_mitigation(mode);
+
+ /*
+ * Retpoline protects the kernel, but doesn't protect firmware. IBRS
+diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
+index df1794a5e38a5..4872bb082b193 100644
+--- a/arch/x86/mm/tlb.c
++++ b/arch/x86/mm/tlb.c
+@@ -392,9 +392,9 @@ static void cond_mitigation(struct task_struct *next)
+ prev_mm = this_cpu_read(cpu_tlbstate.last_user_mm_spec);
+
+ /*
+- * Avoid user/user BTB poisoning by flushing the branch predictor
+- * when switching between processes. This stops one process from
+- * doing Spectre-v2 attacks on another.
++ * Avoid user->user BTB/RSB poisoning by flushing them when switching
++ * between processes. This stops one process from doing Spectre-v2
++ * attacks on another.
+ *
+ * Both, the conditional and the always IBPB mode use the mm
+ * pointer to avoid the IBPB when switching between tasks of the
+--
+2.39.5
+
--- /dev/null
+From ccb6bf7ee1586bef7907495df096b4c1989784b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Apr 2025 14:47:33 -0700
+Subject: x86/bugs: Don't fill RSB on VMEXIT with eIBRS+retpoline
+
+From: Josh Poimboeuf <jpoimboe@kernel.org>
+
+[ Upstream commit 18bae0dfec15b24ec14ca17dc18603372f5f254f ]
+
+eIBRS protects against guest->host RSB underflow/poisoning attacks.
+Adding retpoline to the mix doesn't change that. Retpoline has a
+balanced CALL/RET anyway.
+
+So the current full RSB filling on VMEXIT with eIBRS+retpoline is
+overkill. Disable it or do the VMEXIT_LITE mitigation if needed.
+
+Suggested-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Reviewed-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
+Reviewed-by: Amit Shah <amit.shah@amd.com>
+Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Vitaly Kuznetsov <vkuznets@redhat.com>
+Cc: Sean Christopherson <seanjc@google.com>
+Cc: David Woodhouse <dwmw2@infradead.org>
+Link: https://lore.kernel.org/r/84a1226e5c9e2698eae1b5ade861f1b8bf3677dc.1744148254.git.jpoimboe@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/bugs.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
+index 7df458a6553eb..a8fce2ab0f250 100644
+--- a/arch/x86/kernel/cpu/bugs.c
++++ b/arch/x86/kernel/cpu/bugs.c
+@@ -1600,20 +1600,20 @@ static void __init spectre_v2_determine_rsb_fill_type_at_vmexit(enum spectre_v2_
+ case SPECTRE_V2_NONE:
+ return;
+
+- case SPECTRE_V2_EIBRS_LFENCE:
+ case SPECTRE_V2_EIBRS:
++ case SPECTRE_V2_EIBRS_LFENCE:
++ case SPECTRE_V2_EIBRS_RETPOLINE:
+ if (boot_cpu_has_bug(X86_BUG_EIBRS_PBRSB)) {
+- setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT_LITE);
+ pr_info("Spectre v2 / PBRSB-eIBRS: Retire a single CALL on VMEXIT\n");
++ setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT_LITE);
+ }
+ return;
+
+- case SPECTRE_V2_EIBRS_RETPOLINE:
+ case SPECTRE_V2_RETPOLINE:
+ case SPECTRE_V2_LFENCE:
+ case SPECTRE_V2_IBRS:
+- setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT);
+ pr_info("Spectre v2 / SpectreRSB : Filling RSB on VMEXIT\n");
++ setup_force_cpu_cap(X86_FEATURE_RSB_VMEXIT);
+ return;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 6a5266370553a7232a9146b08cc22ec55e66d229 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Apr 2025 14:47:31 -0700
+Subject: x86/bugs: Use SBPB in write_ibpb() if applicable
+
+From: Josh Poimboeuf <jpoimboe@kernel.org>
+
+[ Upstream commit fc9fd3f98423367c79e0bd85a9515df26dc1b3cc ]
+
+write_ibpb() does IBPB, which (among other things) flushes branch type
+predictions on AMD. If the CPU has SRSO_NO, or if the SRSO mitigation
+has been disabled, branch type flushing isn't needed, in which case the
+lighter-weight SBPB can be used.
+
+The 'x86_pred_cmd' variable already keeps track of whether IBPB or SBPB
+should be used. Use that instead of hardcoding IBPB.
+
+Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Link: https://lore.kernel.org/r/17c5dcd14b29199b75199d67ff7758de9d9a4928.1744148254.git.jpoimboe@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/entry/entry.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/entry/entry.S b/arch/x86/entry/entry.S
+index 2143358d0c4c7..78fd2442b49dc 100644
+--- a/arch/x86/entry/entry.S
++++ b/arch/x86/entry/entry.S
+@@ -16,7 +16,7 @@
+
+ SYM_FUNC_START(entry_ibpb)
+ movl $MSR_IA32_PRED_CMD, %ecx
+- movl $PRED_CMD_IBPB, %eax
++ movl _ASM_RIP(x86_pred_cmd), %eax
+ xorl %edx, %edx
+ wrmsr
+
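Review bot: `entry_ibpb` now writes whatever `x86_pred_cmd` holds, so its name no longer says which barrier it issues, and the changed line has no comment saying so. A short comment on the load would help, e.g. `/* IBPB or SBPB, as selected in x86_pred_cmd */`. The `movl` reads 32 bits and the definition of `x86_pred_cmd` is not part of this hunk, so it is worth confirming that its width and initial value give a valid PRED_CMD value on the first call. The routine continues outside the hunk.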
+--
+2.39.5
+
--- /dev/null
+From a07fe67628c568077e5b8eba8659ab96fe670c2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Apr 2025 11:28:39 +0800
+Subject: x86/cpu: Add CPU model number for Bartlett Lake CPUs with Raptor Cove
+ cores
+
+From: Pi Xiange <xiange.pi@intel.com>
+
+[ Upstream commit d466304c4322ad391797437cd84cca7ce1660de0 ]
+
+Bartlett Lake has a P-core only product with Raptor Cove.
+
+[ mingo: Switch around the define as pointed out by Christian Ludloff:
+ Ratpr Cove is the core, Bartlett Lake is the product.
+
+Signed-off-by: Pi Xiange <xiange.pi@intel.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Christian Ludloff <ludloff@gmail.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Tony Luck <tony.luck@intel.com>
+Cc: Andrew Cooper <andrew.cooper3@citrix.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: John Ogness <john.ogness@linutronix.de>
+Cc: "Ahmed S. Darwish" <darwi@linutronix.de>
+Cc: x86-cpuid@lists.linux.dev
+Link: https://lore.kernel.org/r/20250414032839.5368-1-xiange.pi@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/intel-family.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/x86/include/asm/intel-family.h b/arch/x86/include/asm/intel-family.h
+index f81a851c46dca..652c0137e909f 100644
+--- a/arch/x86/include/asm/intel-family.h
++++ b/arch/x86/include/asm/intel-family.h
+@@ -159,6 +159,8 @@
+ #define INTEL_FAM6_GRANITERAPIDS_D 0xAE
+ #define INTEL_GRANITERAPIDS_D IFM(6, 0xAE)
+
++#define INTEL_BARTLETTLAKE IFM(6, 0xD7) /* Raptor Cove */
++
+ /* "Hybrid" Processors (P-Core/E-Core) */
+
+ #define INTEL_FAM6_LAKEFIELD 0x8A /* Sunny Cove / Tremont */
+--
+2.39.5
+
--- /dev/null
+From 0a988e34b2e38d67713b007d4963954e3fe73bc1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Apr 2025 11:23:03 +0200
+Subject: x86/i8253: Call clockevent_i8253_disable() with interrupts disabled
+
+From: Fernando Fernandez Mancera <ffmancera@riseup.net>
+
+[ Upstream commit 3940f5349b476197fb079c5aa19c9a988de64efb ]
+
+There's a lockdep false positive warning related to i8253_lock:
+
+ WARNING: HARDIRQ-safe -> HARDIRQ-unsafe lock order detected
+ ...
+ systemd-sleep/3324 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire:
+ ffffffffb2c23398 (i8253_lock){+.+.}-{2:2}, at: pcspkr_event+0x3f/0xe0 [pcspkr]
+
+ ...
+ ... which became HARDIRQ-irq-unsafe at:
+ ...
+ lock_acquire+0xd0/0x2f0
+ _raw_spin_lock+0x30/0x40
+ clockevent_i8253_disable+0x1c/0x60
+ pit_timer_init+0x25/0x50
+ hpet_time_init+0x46/0x50
+ x86_late_time_init+0x1b/0x40
+ start_kernel+0x962/0xa00
+ x86_64_start_reservations+0x24/0x30
+ x86_64_start_kernel+0xed/0xf0
+ common_startup_64+0x13e/0x141
+ ...
+
+Lockdep complains due pit_timer_init() using the lock in an IRQ-unsafe
+fashion, but it's a false positive, because there is no deadlock
+possible at that point due to init ordering: at the point where
+pit_timer_init() is called there is no other possible usage of
+i8253_lock because the system is still in the very early boot stage
+with no interrupts.
+
+But in any case, pit_timer_init() should disable interrupts before
+calling clockevent_i8253_disable() out of general principle, and to
+keep lockdep working even in this scenario.
+
+Use scoped_guard() for that, as suggested by Thomas Gleixner.
+
+[ mingo: Cleaned up the changelog. ]
+
+Suggested-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lore.kernel.org/r/Z-uwd4Bnn7FcCShX@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/i8253.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/i8253.c b/arch/x86/kernel/i8253.c
+index 80e262bb627fe..cb9852ad60989 100644
+--- a/arch/x86/kernel/i8253.c
++++ b/arch/x86/kernel/i8253.c
+@@ -46,7 +46,8 @@ bool __init pit_timer_init(void)
+ * VMMs otherwise steal CPU time just to pointlessly waggle
+ * the (masked) IRQ.
+ */
+- clockevent_i8253_disable();
++ scoped_guard(irq)
++ clockevent_i8253_disable();
+ return false;
+ }
+ clockevent_i8253_init(true);
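Review bot: As I read the guard definition, `scoped_guard(irq)` re-enables interrupts unconditionally when the scope ends, so this is only correct while `pit_timer_init()` is always entered with interrupts enabled. The lockdep trace in the description suggests that holds today, but nothing in the hunk enforces it. Using `scoped_guard(irqsave)` in front of `clockevent_i8253_disable();` would restore the caller's interrupt state and stay correct if the call site ever moves earlier in boot. `pit_timer_init()` begins and ends outside the hunk.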
+--
+2.39.5
+
--- /dev/null
+From 842e4c8add0b3d9d4fc18dd3ce6c8db5e388afd9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Mar 2025 21:48:48 +0100
+Subject: x86/Kconfig: Make CONFIG_PCI_CNB20LE_QUIRK depend on X86_32
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mateusz Jończyk <mat.jonczyk@o2.pl>
+
+[ Upstream commit d9f87802676bb23b9425aea8ad95c76ad9b50c6e ]
+
+I was unable to find a good description of the ServerWorks CNB20LE
+chipset. However, it was probably exclusively used with the Pentium III
+processor (this CPU model was used in all references to it that I
+found where the CPU model was provided: dmesgs in [1] and [2];
+[3] page 2; [4]-[7]).
+
+As is widely known, the Pentium III processor did not support the 64-bit
+mode, support for which was introduced by Intel a couple of years later.
+So it is safe to assume that no systems with the CNB20LE chipset have
+amd64 and the CONFIG_PCI_CNB20LE_QUIRK may now depend on X86_32.
+
+Additionally, I have determined that most computers with the CNB20LE
+chipset did have ACPI support and this driver was inactive on them.
+I have submitted a patch to remove this driver, but it was met with
+resistance [8].
+
+[1] Jim Studt, Re: Problem with ServerWorks CNB20LE and lost interrupts
+ Linux Kernel Mailing List, https://lkml.org/lkml/2002/1/11/111
+
+[2] RedHat Bug 665109 - e100 problems on old Compaq Proliant DL320
+ https://bugzilla.redhat.com/show_bug.cgi?id=665109
+
+[3] R. Hughes-Jones, S. Dallison, G. Fairey, Performance Measurements on
+ Gigabit Ethernet NICs and Server Quality Motherboards,
+ http://datatag.web.cern.ch/papers/pfldnet2003-rhj.doc
+
+[4] "Hardware for Linux",
+ Probe #d6b5151873 of Intel STL2-bd A28808-302 Desktop Computer (STL2)
+ https://linux-hardware.org/?probe=d6b5151873
+
+[5] "Hardware for Linux", Probe #0b5d843f10 of Compaq ProLiant DL380
+ https://linux-hardware.org/?probe=0b5d843f10
+
+[6] Ubuntu Forums, Dell Poweredge 2400 - Adaptec SCSI Bus AIC-7880
+ https://ubuntuforums.org/showthread.php?t=1689552
+
+[7] Ira W. Snyder, "BISECTED: 2.6.35 (and -git) fail to boot: APIC problems"
+ https://lkml.org/lkml/2010/8/13/220
+
+[8] Bjorn Helgaas, "Re: [PATCH] x86/pci: drop ServerWorks / Broadcom
+ CNB20LE PCI host bridge driver"
+ https://lore.kernel.org/lkml/20220318165535.GA840063@bhelgaas/T/
+
+Signed-off-by: Mateusz Jończyk <mat.jonczyk@o2.pl>
+Signed-off-by: David Heideberg <david@ixit.cz>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Link: https://lore.kernel.org/r/20250321-x86_x2apic-v3-6-b0cbaa6fa338@ixit.cz
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/Kconfig | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index d874ea22512b5..9b60b144f38ac 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -2827,13 +2827,21 @@ config MMCONF_FAM10H
+ depends on X86_64 && PCI_MMCONFIG && ACPI
+
+ config PCI_CNB20LE_QUIRK
+- bool "Read CNB20LE Host Bridge Windows" if EXPERT
+- depends on PCI
++ bool "Read PCI host bridge windows from the CNB20LE chipset" if EXPERT
++ depends on X86_32 && PCI
+ help
+ Read the PCI windows out of the CNB20LE host bridge. This allows
+ PCI hotplug to work on systems with the CNB20LE chipset which do
+ not have ACPI.
+
++ The ServerWorks (later Broadcom) CNB20LE was a chipset designed
++ most probably only for Pentium III.
++
++ To find out if you have such a chipset, search for a PCI device with
++ 1166:0009 PCI IDs, for example by executing
++ lspci -nn | grep '1166:0009'
++ The code is inactive if there is none.
++
+ There's no public spec for this chipset, and this functionality
+ is known to be incomplete.
+
+--
+2.39.5
+
--- /dev/null
+From 37dab8cdeeef250e7867533bc1071c59e6bd4d55 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 Mar 2025 13:29:12 -0400
+Subject: xen: Change xen-acpi-processor dom0 dependency
+
+From: Jason Andryuk <jason.andryuk@amd.com>
+
+[ Upstream commit 0f2946bb172632e122d4033e0b03f85230a29510 ]
+
+xen-acpi-processor functions under a PVH dom0 with only a
+xen_initial_domain() runtime check. Change the Kconfig dependency from
+PV dom0 to generic dom0 to reflect that.
+
+Suggested-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Jason Andryuk <jason.andryuk@amd.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Tested-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Message-ID: <20250331172913.51240-1-jason.andryuk@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/xen/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/xen/Kconfig b/drivers/xen/Kconfig
+index d43153fec18ea..af5c214b22069 100644
+--- a/drivers/xen/Kconfig
++++ b/drivers/xen/Kconfig
+@@ -278,7 +278,7 @@ config XEN_PRIVCMD_IRQFD
+
+ config XEN_ACPI_PROCESSOR
+ tristate "Xen ACPI processor"
+- depends on XEN && XEN_PV_DOM0 && X86 && ACPI_PROCESSOR && CPU_FREQ
++ depends on XEN && XEN_DOM0 && X86 && ACPI_PROCESSOR && CPU_FREQ
+ default m
+ help
+ This ACPI processor uploads Power Management information to the Xen
+--
+2.39.5
+