--- /dev/null
+From 2321cbe7d8ee41455eeaee64cc7445b762c4a64f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 11 May 2025 15:45:27 +0200
+Subject: ALSA: seq: Fix delivery of UMP events to group ports
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit ff7b190aef6cccdb6f14d20c5753081fe6420e0b ]
+
+When an event with UMP message is sent to a UMP client, the EP port
+receives always no matter where the event is sent to, as it's a
+catch-all port. OTOH, if an event is sent to EP port, and if the
+event has a certain UMP Group, it should have been delivered to the
+associated UMP Group port, too, but this was ignored, so far.
+
+This patch addresses the behavior. Now a UMP event sent to the
+Endpoint port will be delivered to the subscribers of the UMP group
+port the event is associated with.
+
+The patch also does a bit of refactoring to simplify the code about
+__deliver_to_subscribers().
+
+Fixes: 177ccf811df4 ("ALSA: seq: Support MIDI 2.0 UMP Endpoint port")
+Link: https://patch.msgid.link/20250511134528.6314-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/seq/seq_clientmgr.c | 52 ++++++++++++++++++++------------
+ sound/core/seq/seq_ump_convert.c | 18 +++++++++++
+ sound/core/seq/seq_ump_convert.h | 1 +
+ 3 files changed, 52 insertions(+), 19 deletions(-)
+
+diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
+index 706f53e39b53c..0ae01b85bb18c 100644
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -732,15 +732,21 @@ static int snd_seq_deliver_single_event(struct snd_seq_client *client,
+ */
+ static int __deliver_to_subscribers(struct snd_seq_client *client,
+ struct snd_seq_event *event,
+- struct snd_seq_client_port *src_port,
+- int atomic, int hop)
++ int port, int atomic, int hop)
+ {
++ struct snd_seq_client_port *src_port;
+ struct snd_seq_subscribers *subs;
+ int err, result = 0, num_ev = 0;
+ union __snd_seq_event event_saved;
+ size_t saved_size;
+ struct snd_seq_port_subs_info *grp;
+
++ if (port < 0)
++ return 0;
++ src_port = snd_seq_port_use_ptr(client, port);
++ if (!src_port)
++ return 0;
++
+ /* save original event record */
+ saved_size = snd_seq_event_packet_size(event);
+ memcpy(&event_saved, event, saved_size);
+@@ -775,6 +781,7 @@ static int __deliver_to_subscribers(struct snd_seq_client *client,
+ read_unlock(&grp->list_lock);
+ else
+ up_read(&grp->list_mutex);
++ snd_seq_port_unlock(src_port);
+ memcpy(event, &event_saved, saved_size);
+ return (result < 0) ? result : num_ev;
+ }
+@@ -783,25 +790,32 @@ static int deliver_to_subscribers(struct snd_seq_client *client,
+ struct snd_seq_event *event,
+ int atomic, int hop)
+ {
+- struct snd_seq_client_port *src_port;
+- int ret = 0, ret2;
+-
+- src_port = snd_seq_port_use_ptr(client, event->source.port);
+- if (src_port) {
+- ret = __deliver_to_subscribers(client, event, src_port, atomic, hop);
+- snd_seq_port_unlock(src_port);
+- }
+-
+- if (client->ump_endpoint_port < 0 ||
+- event->source.port == client->ump_endpoint_port)
+- return ret;
++ int ret;
++#if IS_ENABLED(CONFIG_SND_SEQ_UMP)
++ int ret2;
++#endif
+
+- src_port = snd_seq_port_use_ptr(client, client->ump_endpoint_port);
+- if (!src_port)
++ ret = __deliver_to_subscribers(client, event,
++ event->source.port, atomic, hop);
++#if IS_ENABLED(CONFIG_SND_SEQ_UMP)
++ if (!snd_seq_client_is_ump(client) || client->ump_endpoint_port < 0)
+ return ret;
+- ret2 = __deliver_to_subscribers(client, event, src_port, atomic, hop);
+- snd_seq_port_unlock(src_port);
+- return ret2 < 0 ? ret2 : ret;
++ /* If it's an event from EP port (and with a UMP group),
++ * deliver to subscribers of the corresponding UMP group port, too.
++ * Or, if it's from non-EP port, deliver to subscribers of EP port, too.
++ */
++ if (event->source.port == client->ump_endpoint_port)
++ ret2 = __deliver_to_subscribers(client, event,
++ snd_seq_ump_group_port(event),
++ atomic, hop);
++ else
++ ret2 = __deliver_to_subscribers(client, event,
++ client->ump_endpoint_port,
++ atomic, hop);
++ if (ret2 < 0)
++ return ret2;
++#endif
++ return ret;
+ }
+
+ /* deliver an event to the destination port(s).
+diff --git a/sound/core/seq/seq_ump_convert.c b/sound/core/seq/seq_ump_convert.c
+index ff7e558b4d51d..db2f169cae11e 100644
+--- a/sound/core/seq/seq_ump_convert.c
++++ b/sound/core/seq/seq_ump_convert.c
+@@ -1285,3 +1285,21 @@ int snd_seq_deliver_to_ump(struct snd_seq_client *source,
+ else
+ return cvt_to_ump_midi1(dest, dest_port, event, atomic, hop);
+ }
++
++/* return the UMP group-port number of the event;
++ * return -1 if groupless or non-UMP event
++ */
++int snd_seq_ump_group_port(const struct snd_seq_event *event)
++{
++ const struct snd_seq_ump_event *ump_ev =
++ (const struct snd_seq_ump_event *)event;
++ unsigned char type;
++
++ if (!snd_seq_ev_is_ump(event))
++ return -1;
++ type = ump_message_type(ump_ev->ump[0]);
++ if (ump_is_groupless_msg(type))
++ return -1;
++ /* group-port number starts from 1 */
++ return ump_message_group(ump_ev->ump[0]) + 1;
++}
+diff --git a/sound/core/seq/seq_ump_convert.h b/sound/core/seq/seq_ump_convert.h
+index 6c146d8032804..4abf0a7637d70 100644
+--- a/sound/core/seq/seq_ump_convert.h
++++ b/sound/core/seq/seq_ump_convert.h
+@@ -18,5 +18,6 @@ int snd_seq_deliver_to_ump(struct snd_seq_client *source,
+ struct snd_seq_client_port *dest_port,
+ struct snd_seq_event *event,
+ int atomic, int hop);
++int snd_seq_ump_group_port(const struct snd_seq_event *event);
+
+ #endif /* __SEQ_UMP_CONVERT_H */
+--
+2.39.5
+
--- /dev/null
+From edc2ceebd69eced6399c31797adc31c57afbc32a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 May 2025 09:31:04 +0200
+Subject: ALSA: sh: SND_AICA should depend on SH_DMA_API
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 66e48ef6ef506c89ec1b3851c6f9f5f80b5835ff ]
+
+If CONFIG_SH_DMA_API=n:
+
+ WARNING: unmet direct dependencies detected for G2_DMA
+ Depends on [n]: SH_DREAMCAST [=y] && SH_DMA_API [=n]
+ Selected by [y]:
+ - SND_AICA [=y] && SOUND [=y] && SND [=y] && SND_SUPERH [=y] && SH_DREAMCAST [=y]
+
+SND_AICA selects G2_DMA. As the latter depends on SH_DMA_API, the
+former should depend on SH_DMA_API, too.
+
+Fixes: f477a538c14d07f8 ("sh: dma: fix kconfig dependency for G2_DMA")
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202505131320.PzgTtl9H-lkp@intel.com/
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://patch.msgid.link/b90625f8a9078d0d304bafe862cbe3a3fab40082.1747121335.git.geert+renesas@glider.be
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/sh/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/sh/Kconfig b/sound/sh/Kconfig
+index b75fbb3236a7b..f5fa09d740b4c 100644
+--- a/sound/sh/Kconfig
++++ b/sound/sh/Kconfig
+@@ -14,7 +14,7 @@ if SND_SUPERH
+
+ config SND_AICA
+ tristate "Dreamcast Yamaha AICA sound"
+- depends on SH_DREAMCAST
++ depends on SH_DREAMCAST && SH_DMA_API
+ select SND_PCM
+ select G2_DMA
+ help
+--
+2.39.5
+
--- /dev/null
+From ceb2b2573a84a31560df346569bc42e499b66e04 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 11 May 2025 16:11:45 +0200
+Subject: ALSA: ump: Fix a typo of snd_ump_stream_msg_device_info
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit dd33993a9721ab1dae38bd37c9f665987d554239 ]
+
+s/devince/device/
+
+It's used only internally, so no any behavior changes.
+
+Fixes: 37e0e14128e0 ("ALSA: ump: Support UMP Endpoint and Function Block parsing")
+Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Link: https://patch.msgid.link/20250511141147.10246-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_midi2.c | 2 +-
+ include/sound/ump_msg.h | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/usb/gadget/function/f_midi2.c b/drivers/usb/gadget/function/f_midi2.c
+index 12e866fb311d6..0a800ba53816a 100644
+--- a/drivers/usb/gadget/function/f_midi2.c
++++ b/drivers/usb/gadget/function/f_midi2.c
+@@ -475,7 +475,7 @@ static void reply_ump_stream_ep_info(struct f_midi2_ep *ep)
+ /* reply a UMP EP device info */
+ static void reply_ump_stream_ep_device(struct f_midi2_ep *ep)
+ {
+- struct snd_ump_stream_msg_devince_info rep = {
++ struct snd_ump_stream_msg_device_info rep = {
+ .type = UMP_MSG_TYPE_STREAM,
+ .status = UMP_STREAM_MSG_STATUS_DEVICE_INFO,
+ .manufacture_id = ep->info.manufacturer,
+diff --git a/include/sound/ump_msg.h b/include/sound/ump_msg.h
+index 72f60ddfea753..9556b4755a1ed 100644
+--- a/include/sound/ump_msg.h
++++ b/include/sound/ump_msg.h
+@@ -604,7 +604,7 @@ struct snd_ump_stream_msg_ep_info {
+ } __packed;
+
+ /* UMP Stream Message: Device Info Notification (128bit) */
+-struct snd_ump_stream_msg_devince_info {
++struct snd_ump_stream_msg_device_info {
+ #ifdef __BIG_ENDIAN_BITFIELD
+ /* 0 */
+ u32 type:4;
+@@ -754,7 +754,7 @@ struct snd_ump_stream_msg_fb_name {
+ union snd_ump_stream_msg {
+ struct snd_ump_stream_msg_ep_discovery ep_discovery;
+ struct snd_ump_stream_msg_ep_info ep_info;
+- struct snd_ump_stream_msg_devince_info device_info;
++ struct snd_ump_stream_msg_device_info device_info;
+ struct snd_ump_stream_msg_stream_cfg stream_cfg;
+ struct snd_ump_stream_msg_fb_discovery fb_discovery;
+ struct snd_ump_stream_msg_fb_info fb_info;
+--
+2.39.5
+
--- /dev/null
+From ba18bde15f258f3806c588f6a3be2102d09f8dc1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 May 2025 11:28:27 +0530
+Subject: arm64: dts: imx8mp-var-som: Fix LDO5 shutdown causing SD card timeout
+
+From: Himanshu Bhavani <himanshu.bhavani@siliconsignals.io>
+
+[ Upstream commit c6888983134e2ccc2db8ffd2720b0d4826d952e4 ]
+
+Fix SD card timeout issue caused by LDO5 regulator getting disabled
+after boot.
+
+The kernel log shows LDO5 being disabled, which leads to a timeout
+on USDHC2:
+[ 33.760561] LDO5: disabling
+[ 81.119861] mmc1: Timeout waiting for hardware interrupt.
+
+To prevent this, set regulator-boot-on and regulator-always-on for
+LDO5. Also add the vqmmc regulator to properly support 1.8V/3.3V
+signaling for USDHC2 using a GPIO-controlled regulator.
+
+Fixes: 6c2a1f4f71258 ("arm64: dts: imx8mp-var-som-symphony: Add Variscite Symphony board and VAR-SOM-MX8MP SoM")
+Signed-off-by: Himanshu Bhavani <himanshu.bhavani@siliconsignals.io>
+Acked-by: Tarang Raval <tarang.raval@siliconsignals.io>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/freescale/imx8mp-var-som.dtsi | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/freescale/imx8mp-var-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mp-var-som.dtsi
+index b2ac2583a5929..b59da91fdd041 100644
+--- a/arch/arm64/boot/dts/freescale/imx8mp-var-som.dtsi
++++ b/arch/arm64/boot/dts/freescale/imx8mp-var-som.dtsi
+@@ -35,7 +35,6 @@
+ <0x1 0x00000000 0 0xc0000000>;
+ };
+
+-
+ reg_usdhc2_vmmc: regulator-usdhc2-vmmc {
+ compatible = "regulator-fixed";
+ regulator-name = "VSD_3V3";
+@@ -46,6 +45,16 @@
+ startup-delay-us = <100>;
+ off-on-delay-us = <12000>;
+ };
++
++ reg_usdhc2_vqmmc: regulator-usdhc2-vqmmc {
++ compatible = "regulator-gpio";
++ regulator-name = "VSD_VSEL";
++ regulator-min-microvolt = <1800000>;
++ regulator-max-microvolt = <3300000>;
++ gpios = <&gpio2 12 GPIO_ACTIVE_HIGH>;
++ states = <3300000 0x0 1800000 0x1>;
++ vin-supply = <&ldo5>;
++ };
+ };
+
+ &A53_0 {
+@@ -205,6 +214,7 @@
+ pinctrl-2 = <&pinctrl_usdhc2_200mhz>, <&pinctrl_usdhc2_gpio>;
+ cd-gpios = <&gpio1 14 GPIO_ACTIVE_LOW>;
+ vmmc-supply = <®_usdhc2_vmmc>;
++ vqmmc-supply = <®_usdhc2_vqmmc>;
+ bus-width = <4>;
+ status = "okay";
+ };
+--
+2.39.5
+
--- /dev/null
+From f7cc177bb60f06c4562d74b3016c5ef30cb90430 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Apr 2025 09:17:53 +0100
+Subject: arm64: dts: rockchip: Assign RT5616 MCLK rate on
+ rk3588-friendlyelec-cm3588
+
+From: Tom Vincent <linux@tlvince.com>
+
+[ Upstream commit 5e6a4ee9799b202fefa8c6264647971f892f0264 ]
+
+The Realtek RT5616 audio codec on the FriendlyElec CM3588 module fails
+to probe correctly due to the missing clock properties. This results
+in distorted analogue audio output.
+
+Assign MCLK to 12.288 MHz, which allows the codec to advertise most of
+the standard sample rates per other RK3588 devices.
+
+Fixes: e23819cf273c ("arm64: dts: rockchip: Add FriendlyElec CM3588 NAS board")
+Signed-off-by: Tom Vincent <linux@tlvince.com>
+Link: https://lore.kernel.org/r/20250417081753.644950-1-linux@tlvince.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3588-friendlyelec-cm3588.dtsi | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3588-friendlyelec-cm3588.dtsi b/arch/arm64/boot/dts/rockchip/rk3588-friendlyelec-cm3588.dtsi
+index e3a9598b99fca..cacffc851584f 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3588-friendlyelec-cm3588.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3588-friendlyelec-cm3588.dtsi
+@@ -222,6 +222,10 @@
+ compatible = "realtek,rt5616";
+ reg = <0x1b>;
+ #sound-dai-cells = <0>;
++ assigned-clocks = <&cru I2S0_8CH_MCLKOUT>;
++ assigned-clock-rates = <12288000>;
++ clocks = <&cru I2S0_8CH_MCLKOUT>;
++ clock-names = "mclk";
+ };
+ };
+
+--
+2.39.5
+
--- /dev/null
+From d99263cb42da01417aa1c7e65568567ee659d947 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Apr 2025 18:51:55 +0200
+Subject: arm64: dts: rockchip: fix Sige5 RTC interrupt pin
+
+From: Nicolas Frattaroli <nicolas.frattaroli@collabora.com>
+
+[ Upstream commit 4bf593be2e462623c4c34c7e3b604eb3f8f9de45 ]
+
+Someone made a typo when they added the RTC to the Sige5 DTS, which
+resulted in it using interrupts from GPIO0 B0 instead of GPIO0 A0. The
+pinctrl entry for it wasn't typoed though, curiously enough.
+
+The Sige5 v1.1 schematic was used to verify that GPIO0 A0 is the correct
+pin for the RTC wakeup interrupt, so let's change it to that.
+
+Fixes: 40f742b07ab2 ("arm64: dts: rockchip: Add rk3576-armsom-sige5 board")
+Signed-off-by: Nicolas Frattaroli <nicolas.frattaroli@collabora.com>
+Link: https://lore.kernel.org/r/20250429-sige5-rtc-oopsie-v1-1-8686767d0f1f@collabora.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3576-armsom-sige5.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3576-armsom-sige5.dts b/arch/arm64/boot/dts/rockchip/rk3576-armsom-sige5.dts
+index a9b9db31d2a3e..bab66b688e011 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3576-armsom-sige5.dts
++++ b/arch/arm64/boot/dts/rockchip/rk3576-armsom-sige5.dts
+@@ -578,7 +578,7 @@
+ reg = <0x51>;
+ clock-output-names = "hym8563";
+ interrupt-parent = <&gpio0>;
+- interrupts = <RK_PB0 IRQ_TYPE_LEVEL_LOW>;
++ interrupts = <RK_PA0 IRQ_TYPE_LEVEL_LOW>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&hym8563_int>;
+ wakeup-source;
+--
+2.39.5
+
--- /dev/null
+From 915da6d5feaad91a4d2bb344fb9a0131e3076b35 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Apr 2025 15:45:06 -0700
+Subject: binfmt_elf: Move brk for static PIE even if ASLR disabled
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit 11854fe263eb1b9a8efa33b0c087add7719ea9b4 ]
+
+In commit bbdc6076d2e5 ("binfmt_elf: move brk out of mmap when doing
+direct loader exec"), the brk was moved out of the mmap region when
+loading static PIE binaries (ET_DYN without INTERP). The common case
+for these binaries was testing new ELF loaders, so the brk needed to
+be away from mmap to avoid colliding with stack, future mmaps (of the
+loader-loaded binary), etc. But this was only done when ASLR was enabled,
+in an attempt to minimize changes to memory layouts.
+
+After adding support to respect alignment requirements for static PIE
+binaries in commit 3545deff0ec7 ("binfmt_elf: Honor PT_LOAD alignment
+for static PIE"), it became possible to have a large gap after the
+final PT_LOAD segment and the top of the mmap region. This means that
+future mmap allocations might go after the last PT_LOAD segment (where
+brk might be if ASLR was disabled) instead of before them (where they
+traditionally ended up).
+
+On arm64, running with ASLR disabled, Ubuntu 22.04's "ldconfig" binary,
+a static PIE, has alignment requirements that leaves a gap large enough
+after the last PT_LOAD segment to fit the vdso and vvar, but still leave
+enough space for the brk (which immediately follows the last PT_LOAD
+segment) to be allocated by the binary.
+
+fffff7f20000-fffff7fde000 r-xp 00000000 fe:02 8110426 /sbin/ldconfig.real
+fffff7fee000-fffff7ff5000 rw-p 000be000 fe:02 8110426 /sbin/ldconfig.real
+fffff7ff5000-fffff7ffa000 rw-p 00000000 00:00 0
+***[brk will go here at fffff7ffa000]***
+fffff7ffc000-fffff7ffe000 r--p 00000000 00:00 0 [vvar]
+fffff7ffe000-fffff8000000 r-xp 00000000 00:00 0 [vdso]
+fffffffdf000-1000000000000 rw-p 00000000 00:00 0 [stack]
+
+After commit 0b3bc3354eb9 ("arm64: vdso: Switch to generic storage
+implementation"), the arm64 vvar grew slightly, and suddenly the brk
+collided with the allocation.
+
+fffff7f20000-fffff7fde000 r-xp 00000000 fe:02 8110426 /sbin/ldconfig.real
+fffff7fee000-fffff7ff5000 rw-p 000be000 fe:02 8110426 /sbin/ldconfig.real
+fffff7ff5000-fffff7ffa000 rw-p 00000000 00:00 0
+***[oops, no room any more, vvar is at fffff7ffa000!]***
+fffff7ffa000-fffff7ffe000 r--p 00000000 00:00 0 [vvar]
+fffff7ffe000-fffff8000000 r-xp 00000000 00:00 0 [vdso]
+fffffffdf000-1000000000000 rw-p 00000000 00:00 0 [stack]
+
+The solution is to unconditionally move the brk out of the mmap region
+for static PIE binaries. Whether ASLR is enabled or not does not change if
+there may be future mmap allocation collisions with a growing brk region.
+
+Update memory layout comments (with kernel-doc headings), consolidate
+the setting of mm->brk to later (it isn't needed early), move static PIE
+brk out of mmap unconditionally, and make sure brk(2) knows to base brk
+position off of mm->start_brk not mm->end_data no matter what the cause of
+moving it is (via current->brk_randomized).
+
+For the CONFIG_COMPAT_BRK case, though, leave the logic unchanged, as we
+can never safely move the brk. These systems, however, are not using
+specially aligned static PIE binaries.
+
+Reported-by: Ryan Roberts <ryan.roberts@arm.com>
+Closes: https://lore.kernel.org/lkml/f93db308-4a0e-4806-9faf-98f890f5a5e6@arm.com/
+Fixes: bbdc6076d2e5 ("binfmt_elf: move brk out of mmap when doing direct loader exec")
+Link: https://lore.kernel.org/r/20250425224502.work.520-kees@kernel.org
+Reviewed-by: Ryan Roberts <ryan.roberts@arm.com>
+Tested-by: Ryan Roberts <ryan.roberts@arm.com>
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/binfmt_elf.c | 71 ++++++++++++++++++++++++++++++++-----------------
+ 1 file changed, 47 insertions(+), 24 deletions(-)
+
+diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+index 8054f44d39cf7..855ef79561062 100644
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -831,6 +831,7 @@ static int load_elf_binary(struct linux_binprm *bprm)
+ struct elf_phdr *elf_ppnt, *elf_phdata, *interp_elf_phdata = NULL;
+ struct elf_phdr *elf_property_phdata = NULL;
+ unsigned long elf_brk;
++ bool brk_moved = false;
+ int retval, i;
+ unsigned long elf_entry;
+ unsigned long e_entry;
+@@ -1098,15 +1099,19 @@ static int load_elf_binary(struct linux_binprm *bprm)
+ /* Calculate any requested alignment. */
+ alignment = maximum_alignment(elf_phdata, elf_ex->e_phnum);
+
+- /*
+- * There are effectively two types of ET_DYN
+- * binaries: programs (i.e. PIE: ET_DYN with PT_INTERP)
+- * and loaders (ET_DYN without PT_INTERP, since they
+- * _are_ the ELF interpreter). The loaders must
+- * be loaded away from programs since the program
+- * may otherwise collide with the loader (especially
+- * for ET_EXEC which does not have a randomized
+- * position). For example to handle invocations of
++ /**
++ * DOC: PIE handling
++ *
++ * There are effectively two types of ET_DYN ELF
++ * binaries: programs (i.e. PIE: ET_DYN with
++ * PT_INTERP) and loaders (i.e. static PIE: ET_DYN
++ * without PT_INTERP, usually the ELF interpreter
++ * itself). Loaders must be loaded away from programs
++ * since the program may otherwise collide with the
++ * loader (especially for ET_EXEC which does not have
++ * a randomized position).
++ *
++ * For example, to handle invocations of
+ * "./ld.so someprog" to test out a new version of
+ * the loader, the subsequent program that the
+ * loader loads must avoid the loader itself, so
+@@ -1119,6 +1124,9 @@ static int load_elf_binary(struct linux_binprm *bprm)
+ * ELF_ET_DYN_BASE and loaders are loaded into the
+ * independently randomized mmap region (0 load_bias
+ * without MAP_FIXED nor MAP_FIXED_NOREPLACE).
++ *
++ * See below for "brk" handling details, which is
++ * also affected by program vs loader and ASLR.
+ */
+ if (interpreter) {
+ /* On ET_DYN with PT_INTERP, we do the ASLR. */
+@@ -1235,8 +1243,6 @@ static int load_elf_binary(struct linux_binprm *bprm)
+ start_data += load_bias;
+ end_data += load_bias;
+
+- current->mm->start_brk = current->mm->brk = ELF_PAGEALIGN(elf_brk);
+-
+ if (interpreter) {
+ elf_entry = load_elf_interp(interp_elf_ex,
+ interpreter,
+@@ -1292,27 +1298,44 @@ static int load_elf_binary(struct linux_binprm *bprm)
+ mm->end_data = end_data;
+ mm->start_stack = bprm->p;
+
+- if ((current->flags & PF_RANDOMIZE) && (snapshot_randomize_va_space > 1)) {
++ /**
++ * DOC: "brk" handling
++ *
++ * For architectures with ELF randomization, when executing a
++ * loader directly (i.e. static PIE: ET_DYN without PT_INTERP),
++ * move the brk area out of the mmap region and into the unused
++ * ELF_ET_DYN_BASE region. Since "brk" grows up it may collide
++ * early with the stack growing down or other regions being put
++ * into the mmap region by the kernel (e.g. vdso).
++ *
++ * In the CONFIG_COMPAT_BRK case, though, everything is turned
++ * off because we're not allowed to move the brk at all.
++ */
++ if (!IS_ENABLED(CONFIG_COMPAT_BRK) &&
++ IS_ENABLED(CONFIG_ARCH_HAS_ELF_RANDOMIZE) &&
++ elf_ex->e_type == ET_DYN && !interpreter) {
++ elf_brk = ELF_ET_DYN_BASE;
++ /* This counts as moving the brk, so let brk(2) know. */
++ brk_moved = true;
++ }
++ mm->start_brk = mm->brk = ELF_PAGEALIGN(elf_brk);
++
++ if ((current->flags & PF_RANDOMIZE) && snapshot_randomize_va_space > 1) {
+ /*
+- * For architectures with ELF randomization, when executing
+- * a loader directly (i.e. no interpreter listed in ELF
+- * headers), move the brk area out of the mmap region
+- * (since it grows up, and may collide early with the stack
+- * growing down), and into the unused ELF_ET_DYN_BASE region.
++ * If we didn't move the brk to ELF_ET_DYN_BASE (above),
++ * leave a gap between .bss and brk.
+ */
+- if (IS_ENABLED(CONFIG_ARCH_HAS_ELF_RANDOMIZE) &&
+- elf_ex->e_type == ET_DYN && !interpreter) {
+- mm->brk = mm->start_brk = ELF_ET_DYN_BASE;
+- } else {
+- /* Otherwise leave a gap between .bss and brk. */
++ if (!brk_moved)
+ mm->brk = mm->start_brk = mm->brk + PAGE_SIZE;
+- }
+
+ mm->brk = mm->start_brk = arch_randomize_brk(mm);
++ brk_moved = true;
++ }
++
+ #ifdef compat_brk_randomized
++ if (brk_moved)
+ current->brk_randomized = 1;
+ #endif
+- }
+
+ if (current->personality & MMAP_PAGE_ZERO) {
+ /* Why this, you ask??? Well SVr4 maps page 0 as read-only,
+--
+2.39.5
+
--- /dev/null
+From d4ded60727be035ebe8053a4b6df2559222be103 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Apr 2025 15:05:59 -0400
+Subject: Bluetooth: MGMT: Fix MGMT_OP_ADD_DEVICE invalid device flags
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 1e2e3044c1bc64a64aa0eaf7c17f7832c26c9775 ]
+
+Device flags could be updated in the meantime while MGMT_OP_ADD_DEVICE
+is pending on hci_update_passive_scan_sync so instead of setting the
+current_flags as cmd->user_data just do a lookup using
+hci_conn_params_lookup and use the latest stored flags.
+
+Fixes: a182d9c84f9c ("Bluetooth: MGMT: Fix Add Device to responding before completing")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/mgmt.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
+index 621c555f639be..181b1e070b82e 100644
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -7540,11 +7540,16 @@ static void add_device_complete(struct hci_dev *hdev, void *data, int err)
+ struct mgmt_cp_add_device *cp = cmd->param;
+
+ if (!err) {
++ struct hci_conn_params *params;
++
++ params = hci_conn_params_lookup(hdev, &cp->addr.bdaddr,
++ le_addr_type(cp->addr.type));
++
+ device_added(cmd->sk, hdev, &cp->addr.bdaddr, cp->addr.type,
+ cp->action);
+ device_flags_changed(NULL, hdev, &cp->addr.bdaddr,
+ cp->addr.type, hdev->conn_flags,
+- PTR_UINT(cmd->user_data));
++ params ? params->flags : 0);
+ }
+
+ mgmt_cmd_complete(cmd->sk, hdev->id, MGMT_OP_ADD_DEVICE,
+@@ -7647,8 +7652,6 @@ static int add_device(struct sock *sk, struct hci_dev *hdev,
+ goto unlock;
+ }
+
+- cmd->user_data = UINT_PTR(current_flags);
+-
+ err = hci_cmd_sync_queue(hdev, add_device_sync, cmd,
+ add_device_complete);
+ if (err < 0) {
+--
+2.39.5
+
--- /dev/null
+From 2e27a674da553607a0b9e4015e74230dab41a7fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 May 2025 15:24:13 -0400
+Subject: cgroup/cpuset: Extend kthread_is_per_cpu() check to all
+ PF_NO_SETAFFINITY tasks
+
+From: Waiman Long <longman@redhat.com>
+
+[ Upstream commit 39b5ef791d109dd54c7c2e6e87933edfcc0ad1ac ]
+
+Commit ec5fbdfb99d1 ("cgroup/cpuset: Enable update_tasks_cpumask()
+on top_cpuset") enabled us to pull CPUs dedicated to child partitions
+from tasks in top_cpuset by ignoring per cpu kthreads. However, there
+can be other kthreads that are not per cpu but have PF_NO_SETAFFINITY
+flag set to indicate that we shouldn't mess with their CPU affinity.
+For other kthreads, their affinity will be changed to skip CPUs dedicated
+to child partitions whether it is an isolating or a scheduling one.
+
+As all the per cpu kthreads have PF_NO_SETAFFINITY set, the
+PF_NO_SETAFFINITY tasks are essentially a superset of per cpu kthreads.
+Fix this issue by dropping the kthread_is_per_cpu() check and checking
+the PF_NO_SETAFFINITY flag instead.
+
+Fixes: ec5fbdfb99d1 ("cgroup/cpuset: Enable update_tasks_cpumask() on top_cpuset")
+Signed-off-by: Waiman Long <longman@redhat.com>
+Acked-by: Frederic Weisbecker <frederic@kernel.org>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/cgroup/cpuset.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c
+index 1287274ae1ce9..6fbffdca0c741 100644
+--- a/kernel/cgroup/cpuset.c
++++ b/kernel/cgroup/cpuset.c
+@@ -1116,9 +1116,11 @@ void cpuset_update_tasks_cpumask(struct cpuset *cs, struct cpumask *new_cpus)
+
+ if (top_cs) {
+ /*
+- * Percpu kthreads in top_cpuset are ignored
++ * PF_NO_SETAFFINITY tasks are ignored.
++ * All per cpu kthreads should have PF_NO_SETAFFINITY
++ * flag set, see kthread_set_per_cpu().
+ */
+- if (kthread_is_per_cpu(task))
++ if (task->flags & PF_NO_SETAFFINITY)
+ continue;
+ cpumask_andnot(new_cpus, possible_mask, subpartitions_cpus);
+ } else {
+--
+2.39.5
+
--- /dev/null
+From 6dbc13b13313ced7c1a621103d51a6c7254d7fff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Apr 2025 08:18:44 -0500
+Subject: drivers/platform/x86/amd: pmf: Check for invalid sideloaded Smart PC
+ Policies
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit 690d722e02819ef978f90cd7553973eba1007e6c ]
+
+If a policy is passed into amd_pmf_get_pb_data() that causes the engine
+to fail to start there is a memory leak. Free the memory in this failure
+path.
+
+Fixes: 10817f28e5337 ("platform/x86/amd/pmf: Add capability to sideload of policy binary")
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Link: https://lore.kernel.org/r/20250423132002.3984997-2-superm1@kernel.org
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/amd/pmf/tee-if.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/amd/pmf/tee-if.c b/drivers/platform/x86/amd/pmf/tee-if.c
+index 14b99d8b63d2f..e008ac079fade 100644
+--- a/drivers/platform/x86/amd/pmf/tee-if.c
++++ b/drivers/platform/x86/amd/pmf/tee-if.c
+@@ -364,9 +364,14 @@ static ssize_t amd_pmf_get_pb_data(struct file *filp, const char __user *buf,
+ amd_pmf_hex_dump_pb(dev);
+ ret = amd_pmf_start_policy_engine(dev);
+ if (ret < 0)
+- return ret;
++ goto cleanup;
+
+ return length;
++
++cleanup:
++ kfree(dev->policy_buf);
++ dev->policy_buf = NULL;
++ return ret;
+ }
+
+ static const struct file_operations pb_fops = {
+--
+2.39.5
+
--- /dev/null
+From a5ee3308ee51d78181633ff96098a513ca26df6e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Apr 2025 08:18:45 -0500
+Subject: drivers/platform/x86/amd: pmf: Check for invalid Smart PC Policies
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit 8e81b9cd6e95188d12c9cc25d40b61dd5ea05ace ]
+
+commit 376a8c2a14439 ("platform/x86/amd/pmf: Update PMF Driver for
+Compatibility with new PMF-TA") added support for platforms that support
+an updated TA, however it also exposed a number of platforms that although
+they have support for the updated TA don't actually populate a policy
+binary.
+
+Add an explicit check that the policy binary isn't empty before
+initializing the TA.
+
+Reported-by: Christian Heusel <christian@heusel.eu>
+Closes: https://lore.kernel.org/platform-driver-x86/ae644428-5bf2-4b30-81ba-0b259ed3449b@heusel.eu/
+Fixes: 376a8c2a14439 ("platform/x86/amd/pmf: Update PMF Driver for Compatibility with new PMF-TA")
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Tested-by: Christian Heusel <christian@heusel.eu>
+Link: https://lore.kernel.org/r/20250423132002.3984997-3-superm1@kernel.org
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/amd/pmf/tee-if.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/drivers/platform/x86/amd/pmf/tee-if.c b/drivers/platform/x86/amd/pmf/tee-if.c
+index e008ac079fade..d3bd12ad036ae 100644
+--- a/drivers/platform/x86/amd/pmf/tee-if.c
++++ b/drivers/platform/x86/amd/pmf/tee-if.c
+@@ -334,6 +334,11 @@ static int amd_pmf_start_policy_engine(struct amd_pmf_dev *dev)
+ return 0;
+ }
+
++static inline bool amd_pmf_pb_valid(struct amd_pmf_dev *dev)
++{
++ return memchr_inv(dev->policy_buf, 0xff, dev->policy_sz);
++}
++
+ #ifdef CONFIG_AMD_PMF_DEBUG
+ static void amd_pmf_hex_dump_pb(struct amd_pmf_dev *dev)
+ {
+@@ -361,6 +366,11 @@ static ssize_t amd_pmf_get_pb_data(struct file *filp, const char __user *buf,
+ dev->policy_buf = new_policy_buf;
+ dev->policy_sz = length;
+
++ if (!amd_pmf_pb_valid(dev)) {
++ ret = -EINVAL;
++ goto cleanup;
++ }
++
+ amd_pmf_hex_dump_pb(dev);
+ ret = amd_pmf_start_policy_engine(dev);
+ if (ret < 0)
+@@ -533,6 +543,12 @@ int amd_pmf_init_smart_pc(struct amd_pmf_dev *dev)
+
+ memcpy_fromio(dev->policy_buf, dev->policy_base, dev->policy_sz);
+
++ if (!amd_pmf_pb_valid(dev)) {
++ dev_info(dev->dev, "No Smart PC policy present\n");
++ ret = -EINVAL;
++ goto err_free_policy;
++ }
++
+ amd_pmf_hex_dump_pb(dev);
+
+ dev->prev_data = kzalloc(sizeof(*dev->prev_data), GFP_KERNEL);
+--
+2.39.5
+
--- /dev/null
+From b285d23e013cf15c6845e161baf89e32e70c7d37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Apr 2025 11:11:47 -0300
+Subject: drm/amd/display: Fix null check of pipe_ctx->plane_state for
+ update_dchubp_dpp
+
+From: Melissa Wen <mwen@igalia.com>
+
+[ Upstream commit a3b7e65b6be59e686e163fa1ceb0922f996897c2 ]
+
+Similar to commit 6a057072ddd1 ("drm/amd/display: Fix null check for
+pipe_ctx->plane_state in dcn20_program_pipe") that addresses a null
+pointer dereference on dcn20_update_dchubp_dpp. This is the same
+function hooked for update_dchubp_dpp in dcn401, with the same issue.
+Fix possible null pointer deference on dcn401_program_pipe too.
+
+Fixes: 63ab80d9ac0a ("drm/amd/display: DML2.1 Post-Si Cleanup")
+Signed-off-by: Melissa Wen <mwen@igalia.com>
+Reviewed-by: Alex Hung <alex.hung@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit d8d47f739752227957d8efc0cb894761bfe1d879)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c b/drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c
+index 89af3e4afbc25..0d39d193dacfa 100644
+--- a/drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c
++++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c
+@@ -2027,9 +2027,9 @@ static void dcn401_program_pipe(
+ dc->res_pool->hubbub, pipe_ctx->plane_res.hubp->inst, pipe_ctx->hubp_regs.det_size);
+ }
+
+- if (pipe_ctx->update_flags.raw ||
+- (pipe_ctx->plane_state && pipe_ctx->plane_state->update_flags.raw) ||
+- pipe_ctx->stream->update_flags.raw)
++ if (pipe_ctx->plane_state && (pipe_ctx->update_flags.raw ||
++ pipe_ctx->plane_state->update_flags.raw ||
++ pipe_ctx->stream->update_flags.raw))
+ dc->hwss.update_dchubp_dpp(dc, pipe_ctx, context);
+
+ if (pipe_ctx->plane_state && (pipe_ctx->update_flags.bits.enable ||
+--
+2.39.5
+
--- /dev/null
+From 9d55834c2373051a9943677344fb6ffbcea01afa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 May 2025 02:43:38 +0800
+Subject: drm/meson: Use 1000ULL when operating with mode->clock
+
+From: I Hsin Cheng <richard120310@gmail.com>
+
+[ Upstream commit eb0851e14432f3b87c77b704c835ac376deda03a ]
+
+Coverity scan reported the usage of "mode->clock * 1000" may lead to
+integer overflow. Use "1000ULL" instead of "1000"
+when utilizing it to avoid potential integer overflow issue.
+
+Link: https://scan5.scan.coverity.com/#/project-view/10074/10063?selectedIssue=1646759
+Signed-off-by: I Hsin Cheng <richard120310@gmail.com>
+Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Fixes: 1017560164b6 ("drm/meson: use unsigned long long / Hz for frequency types")
+Link: https://lore.kernel.org/r/20250505184338.678540-1-richard120310@gmail.com
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/meson/meson_encoder_hdmi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/meson/meson_encoder_hdmi.c b/drivers/gpu/drm/meson/meson_encoder_hdmi.c
+index ce8cea5d3a56b..c61e6026adfae 100644
+--- a/drivers/gpu/drm/meson/meson_encoder_hdmi.c
++++ b/drivers/gpu/drm/meson/meson_encoder_hdmi.c
+@@ -75,7 +75,7 @@ static void meson_encoder_hdmi_set_vclk(struct meson_encoder_hdmi *encoder_hdmi,
+ unsigned long long venc_freq;
+ unsigned long long hdmi_freq;
+
+- vclk_freq = mode->clock * 1000;
++ vclk_freq = mode->clock * 1000ULL;
+
+ /* For 420, pixel clock is half unlike venc clock */
+ if (encoder_hdmi->output_bus_fmt == MEDIA_BUS_FMT_UYYVYY8_0_5X24)
+@@ -123,7 +123,7 @@ static enum drm_mode_status meson_encoder_hdmi_mode_valid(struct drm_bridge *bri
+ struct meson_encoder_hdmi *encoder_hdmi = bridge_to_meson_encoder_hdmi(bridge);
+ struct meson_drm *priv = encoder_hdmi->priv;
+ bool is_hdmi2_sink = display_info->hdmi.scdc.supported;
+- unsigned long long clock = mode->clock * 1000;
++ unsigned long long clock = mode->clock * 1000ULL;
+ unsigned long long phy_freq;
+ unsigned long long vclk_freq;
+ unsigned long long venc_freq;
+--
+2.39.5
+
--- /dev/null
+From 1e76cf5a5585543addc148aa15c91df759324c5b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 May 2025 09:12:01 -0700
+Subject: drm/xe: Save CTX_TIMESTAMP mmio value instead of LRC value
+
+From: Umesh Nerlige Ramappa <umesh.nerlige.ramappa@intel.com>
+
+[ Upstream commit 66c8f7b435bddb7d8577ac8a57e175a6cb147227 ]
+
+For determining actual job execution time, save the current value of the
+CTX_TIMESTAMP register rather than the value saved in LRC since the
+current register value is the closest to the start time of the job.
+
+v2: Define MI_STORE_REGISTER_MEM to fix compile error
+v3: Place MI_STORE_REGISTER_MEM sorted by MI_INSTR (Lucas)
+
+Fixes: 65921374c48f ("drm/xe: Emit ctx timestamp copy in ring ops")
+Signed-off-by: Umesh Nerlige Ramappa <umesh.nerlige.ramappa@intel.com>
+Reviewed-by: Matthew Brost <matthew.brost@intel.com>
+Reviewed-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Link: https://lore.kernel.org/r/20250509161159.2173069-6-umesh.nerlige.ramappa@intel.com
+(cherry picked from commit 38b14233e5deff51db8faec287b4acd227152246)
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xe/instructions/xe_mi_commands.h | 4 ++++
+ drivers/gpu/drm/xe/xe_lrc.c | 2 +-
+ drivers/gpu/drm/xe/xe_ring_ops.c | 7 ++-----
+ 3 files changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/xe/instructions/xe_mi_commands.h b/drivers/gpu/drm/xe/instructions/xe_mi_commands.h
+index 10ec2920d31b3..d4033278be9fc 100644
+--- a/drivers/gpu/drm/xe/instructions/xe_mi_commands.h
++++ b/drivers/gpu/drm/xe/instructions/xe_mi_commands.h
+@@ -47,6 +47,10 @@
+ #define MI_LRI_FORCE_POSTED REG_BIT(12)
+ #define MI_LRI_LEN(x) (((x) & 0xff) + 1)
+
++#define MI_STORE_REGISTER_MEM (__MI_INSTR(0x24) | XE_INSTR_NUM_DW(4))
++#define MI_SRM_USE_GGTT REG_BIT(22)
++#define MI_SRM_ADD_CS_OFFSET REG_BIT(19)
++
+ #define MI_FLUSH_DW __MI_INSTR(0x26)
+ #define MI_FLUSH_DW_STORE_INDEX REG_BIT(21)
+ #define MI_INVALIDATE_TLB REG_BIT(18)
+diff --git a/drivers/gpu/drm/xe/xe_lrc.c b/drivers/gpu/drm/xe/xe_lrc.c
+index bbb9ffbf63672..2a953c4f7d5dd 100644
+--- a/drivers/gpu/drm/xe/xe_lrc.c
++++ b/drivers/gpu/drm/xe/xe_lrc.c
+@@ -684,7 +684,7 @@ static inline u32 __xe_lrc_start_seqno_offset(struct xe_lrc *lrc)
+
+ static u32 __xe_lrc_ctx_job_timestamp_offset(struct xe_lrc *lrc)
+ {
+- /* The start seqno is stored in the driver-defined portion of PPHWSP */
++ /* This is stored in the driver-defined portion of PPHWSP */
+ return xe_lrc_pphwsp_offset(lrc) + LRC_CTX_JOB_TIMESTAMP_OFFSET;
+ }
+
+diff --git a/drivers/gpu/drm/xe/xe_ring_ops.c b/drivers/gpu/drm/xe/xe_ring_ops.c
+index 8d1fb33d923f4..3493177947680 100644
+--- a/drivers/gpu/drm/xe/xe_ring_ops.c
++++ b/drivers/gpu/drm/xe/xe_ring_ops.c
+@@ -234,13 +234,10 @@ static u32 get_ppgtt_flag(struct xe_sched_job *job)
+
+ static int emit_copy_timestamp(struct xe_lrc *lrc, u32 *dw, int i)
+ {
+- dw[i++] = MI_COPY_MEM_MEM | MI_COPY_MEM_MEM_SRC_GGTT |
+- MI_COPY_MEM_MEM_DST_GGTT;
++ dw[i++] = MI_STORE_REGISTER_MEM | MI_SRM_USE_GGTT | MI_SRM_ADD_CS_OFFSET;
++ dw[i++] = RING_CTX_TIMESTAMP(0).addr;
+ dw[i++] = xe_lrc_ctx_job_timestamp_ggtt_addr(lrc);
+ dw[i++] = 0;
+- dw[i++] = xe_lrc_ctx_timestamp_ggtt_addr(lrc);
+- dw[i++] = 0;
+- dw[i++] = MI_NOOP;
+
+ return i;
+ }
+--
+2.39.5
+
--- /dev/null
+From 0c0284f3d059aa33ce28127534518ec63a3e359f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Apr 2025 11:28:20 -0400
+Subject: fs/xattr.c: fix simple_xattr_list to always include security.* xattrs
+
+From: Stephen Smalley <stephen.smalley.work@gmail.com>
+
+[ Upstream commit 8b0ba61df5a1c44e2b3cf683831a4fc5e24ea99d ]
+
+The vfs has long had a fallback to obtain the security.* xattrs from the
+LSM when the filesystem does not implement its own listxattr, but
+shmem/tmpfs and kernfs later gained their own xattr handlers to support
+other xattrs. Unfortunately, as a side effect, tmpfs and kernfs-based
+filesystems like sysfs no longer return the synthetic security.* xattr
+names via listxattr unless they are explicitly set by userspace or
+initially set upon inode creation after policy load. coreutils has
+recently switched from unconditionally invoking getxattr for security.*
+for ls -Z via libselinux to only doing so if listxattr returns the xattr
+name, breaking ls -Z of such inodes.
+
+Before:
+$ getfattr -m.* /run/initramfs
+<no output>
+$ getfattr -m.* /sys/kernel/fscaps
+<no output>
+$ setfattr -n user.foo /run/initramfs
+$ getfattr -m.* /run/initramfs
+user.foo
+
+After:
+$ getfattr -m.* /run/initramfs
+security.selinux
+$ getfattr -m.* /sys/kernel/fscaps
+security.selinux
+$ setfattr -n user.foo /run/initramfs
+$ getfattr -m.* /run/initramfs
+security.selinux
+user.foo
+
+Link: https://lore.kernel.org/selinux/CAFqZXNtF8wDyQajPCdGn=iOawX4y77ph0EcfcqcUUj+T87FKyA@mail.gmail.com/
+Link: https://lore.kernel.org/selinux/20250423175728.3185-2-stephen.smalley.work@gmail.com/
+Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+Link: https://lore.kernel.org/20250424152822.2719-1-stephen.smalley.work@gmail.com
+Fixes: b09e0fa4b4ea66266058ee ("tmpfs: implement generic xattr support")
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xattr.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/fs/xattr.c b/fs/xattr.c
+index fabb2a04501ee..8ec5b0204bfdc 100644
+--- a/fs/xattr.c
++++ b/fs/xattr.c
+@@ -1428,6 +1428,15 @@ static bool xattr_is_trusted(const char *name)
+ return !strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN);
+ }
+
++static bool xattr_is_maclabel(const char *name)
++{
++ const char *suffix = name + XATTR_SECURITY_PREFIX_LEN;
++
++ return !strncmp(name, XATTR_SECURITY_PREFIX,
++ XATTR_SECURITY_PREFIX_LEN) &&
++ security_ismaclabel(suffix);
++}
++
+ /**
+ * simple_xattr_list - list all xattr objects
+ * @inode: inode from which to get the xattrs
+@@ -1460,6 +1469,17 @@ ssize_t simple_xattr_list(struct inode *inode, struct simple_xattrs *xattrs,
+ if (err)
+ return err;
+
++ err = security_inode_listsecurity(inode, buffer, remaining_size);
++ if (err < 0)
++ return err;
++
++ if (buffer) {
++ if (remaining_size < err)
++ return -ERANGE;
++ buffer += err;
++ }
++ remaining_size -= err;
++
+ read_lock(&xattrs->lock);
+ for (rbp = rb_first(&xattrs->rb_root); rbp; rbp = rb_next(rbp)) {
+ xattr = rb_entry(rbp, struct simple_xattr, rb_node);
+@@ -1468,6 +1488,10 @@ ssize_t simple_xattr_list(struct inode *inode, struct simple_xattrs *xattrs,
+ if (!trusted && xattr_is_trusted(xattr->name))
+ continue;
+
++ /* skip MAC labels; these are provided by LSM above */
++ if (xattr_is_maclabel(xattr->name))
++ continue;
++
+ err = xattr_list_one(&buffer, &remaining_size, xattr->name);
+ if (err)
+ break;
+--
+2.39.5
+
--- /dev/null
+From 9e83d334b37bc65a10ac6795c428112829b82dc6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Mar 2025 23:11:46 +0000
+Subject: HID: thrustmaster: fix memory leak in thrustmaster_interrupts()
+
+From: Qasim Ijaz <qasdev00@gmail.com>
+
+[ Upstream commit 09d546303b370113323bfff456c4e8cff8756005 ]
+
+In thrustmaster_interrupts(), the allocated send_buf is not
+freed if the usb_check_int_endpoints() check fails, leading
+to a memory leak.
+
+Fix this by ensuring send_buf is freed before returning in
+the error path.
+
+Fixes: 50420d7c79c3 ("HID: hid-thrustmaster: Fix warning in thrustmaster_probe by adding endpoint check")
+Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-thrustmaster.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hid/hid-thrustmaster.c b/drivers/hid/hid-thrustmaster.c
+index 3b81468a1df29..0bf70664c35ee 100644
+--- a/drivers/hid/hid-thrustmaster.c
++++ b/drivers/hid/hid-thrustmaster.c
+@@ -174,6 +174,7 @@ static void thrustmaster_interrupts(struct hid_device *hdev)
+ u8 ep_addr[2] = {b_ep, 0};
+
+ if (!usb_check_int_endpoints(usbif, ep_addr)) {
++ kfree(send_buf);
+ hid_err(hdev, "Unexpected non-int endpoint\n");
+ return;
+ }
+--
+2.39.5
+
--- /dev/null
+From fb9bf3dd5270a683079602e0559b2972d18a1440 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Apr 2025 17:48:53 +0800
+Subject: HID: uclogic: Add NULL check in uclogic_input_configured()
+
+From: Henry Martin <bsdhenrymartin@gmail.com>
+
+[ Upstream commit bd07f751208ba190f9b0db5e5b7f35d5bb4a8a1e ]
+
+devm_kasprintf() returns NULL when memory allocation fails. Currently,
+uclogic_input_configured() does not check for this case, which results
+in a NULL pointer dereference.
+
+Add NULL check after devm_kasprintf() to prevent this issue.
+
+Fixes: dd613a4e45f8 ("HID: uclogic: Correct devm device reference for hidinput input_dev name")
+Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-uclogic-core.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/hid/hid-uclogic-core.c b/drivers/hid/hid-uclogic-core.c
+index d8008933c052f..321c43fb06ae0 100644
+--- a/drivers/hid/hid-uclogic-core.c
++++ b/drivers/hid/hid-uclogic-core.c
+@@ -142,11 +142,12 @@ static int uclogic_input_configured(struct hid_device *hdev,
+ suffix = "System Control";
+ break;
+ }
+- }
+-
+- if (suffix)
++ } else {
+ hi->input->name = devm_kasprintf(&hdev->dev, GFP_KERNEL,
+ "%s %s", hdev->name, suffix);
++ if (!hi->input->name)
++ return -ENOMEM;
++ }
+
+ return 0;
+ }
+--
+2.39.5
+
--- /dev/null
+From 7f348c93ba25dda111263f490a223aa72b35ad11 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Mar 2025 17:52:09 -0500
+Subject: iio: adc: ad7606: check for NULL before calling sw_mode_config()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: David Lechner <dlechner@baylibre.com>
+
+[ Upstream commit 5257d80e22bf27009d6742e4c174f42cfe54e425 ]
+
+Check that the sw_mode_config function pointer is not NULL before
+calling it. Not all buses define this callback, which resulted in a NULL
+pointer dereference.
+
+Fixes: e571c1902116 ("iio: adc: ad7606: move scale_setup as function pointer on chip-info")
+Reviewed-by: Nuno Sá <nuno.sa@analog.com>
+Signed-off-by: David Lechner <dlechner@baylibre.com>
+Link: https://patch.msgid.link/20250318-iio-adc-ad7606-improvements-v2-1-4b605427774c@baylibre.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/ad7606.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/iio/adc/ad7606.c b/drivers/iio/adc/ad7606.c
+index 7985570ed1521..0339e27f92c32 100644
+--- a/drivers/iio/adc/ad7606.c
++++ b/drivers/iio/adc/ad7606.c
+@@ -1228,9 +1228,11 @@ static int ad7616_sw_mode_setup(struct iio_dev *indio_dev)
+ st->write_scale = ad7616_write_scale_sw;
+ st->write_os = &ad7616_write_os_sw;
+
+- ret = st->bops->sw_mode_config(indio_dev);
+- if (ret)
+- return ret;
++ if (st->bops->sw_mode_config) {
++ ret = st->bops->sw_mode_config(indio_dev);
++ if (ret)
++ return ret;
++ }
+
+ /* Activate Burst mode and SEQEN MODE */
+ return ad7606_write_mask(st, AD7616_CONFIGURATION_REGISTER,
+@@ -1261,6 +1263,9 @@ static int ad7606b_sw_mode_setup(struct iio_dev *indio_dev)
+ st->write_scale = ad7606_write_scale_sw;
+ st->write_os = &ad7606_write_os_sw;
+
++ if (!st->bops->sw_mode_config)
++ return 0;
++
+ return st->bops->sw_mode_config(indio_dev);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 87de2f6b911efd64142b52ebe109c7e1abac7a38 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Feb 2025 17:10:53 +0100
+Subject: iio: adc: ad7606: move software functions into common file
+
+From: Guillaume Stols <gstols@baylibre.com>
+
+[ Upstream commit d2477887f6677de0675e600f1590378a5fb52909 ]
+
+Since the register are always the same, whatever bus is used, moving the
+software functions into the main file avoids the code to be duplicated
+in both SPI and parallel version of the driver.
+
+Signed-off-by: Guillaume Stols <gstols@baylibre.com>
+Co-developed-by: Angelo Dureghello <adureghello@baylibre.com>
+Signed-off-by: Angelo Dureghello <adureghello@baylibre.com>
+Link: https://patch.msgid.link/20250210-wip-bl-ad7606_add_backend_sw_mode-v4-3-160df18b1da7@baylibre.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Stable-dep-of: 5257d80e22bf ("iio: adc: ad7606: check for NULL before calling sw_mode_config()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/ad7606.c | 133 +++++++++++++++++++++++++++++++---
+ drivers/iio/adc/ad7606.h | 37 +++++++++-
+ drivers/iio/adc/ad7606_spi.c | 137 +----------------------------------
+ 3 files changed, 158 insertions(+), 149 deletions(-)
+
+diff --git a/drivers/iio/adc/ad7606.c b/drivers/iio/adc/ad7606.c
+index 376c808df11c7..7985570ed1521 100644
+--- a/drivers/iio/adc/ad7606.c
++++ b/drivers/iio/adc/ad7606.c
+@@ -85,6 +85,10 @@ static const unsigned int ad7606_oversampling_avail[7] = {
+ 1, 2, 4, 8, 16, 32, 64,
+ };
+
++static const unsigned int ad7606b_oversampling_avail[9] = {
++ 1, 2, 4, 8, 16, 32, 64, 128, 256,
++};
++
+ static const unsigned int ad7616_oversampling_avail[8] = {
+ 1, 2, 4, 8, 16, 32, 64, 128,
+ };
+@@ -187,6 +191,8 @@ static int ad7608_chan_scale_setup(struct iio_dev *indio_dev,
+ struct iio_chan_spec *chan, int ch);
+ static int ad7609_chan_scale_setup(struct iio_dev *indio_dev,
+ struct iio_chan_spec *chan, int ch);
++static int ad7616_sw_mode_setup(struct iio_dev *indio_dev);
++static int ad7606b_sw_mode_setup(struct iio_dev *indio_dev);
+
+ const struct ad7606_chip_info ad7605_4_info = {
+ .channels = ad7605_channels,
+@@ -239,6 +245,7 @@ const struct ad7606_chip_info ad7606b_info = {
+ .oversampling_avail = ad7606_oversampling_avail,
+ .oversampling_num = ARRAY_SIZE(ad7606_oversampling_avail),
+ .scale_setup_cb = ad7606_16bit_chan_scale_setup,
++ .sw_setup_cb = ad7606b_sw_mode_setup,
+ };
+ EXPORT_SYMBOL_NS_GPL(ad7606b_info, "IIO_AD7606");
+
+@@ -250,6 +257,7 @@ const struct ad7606_chip_info ad7606c_16_info = {
+ .oversampling_avail = ad7606_oversampling_avail,
+ .oversampling_num = ARRAY_SIZE(ad7606_oversampling_avail),
+ .scale_setup_cb = ad7606c_16bit_chan_scale_setup,
++ .sw_setup_cb = ad7606b_sw_mode_setup,
+ };
+ EXPORT_SYMBOL_NS_GPL(ad7606c_16_info, "IIO_AD7606");
+
+@@ -294,6 +302,7 @@ const struct ad7606_chip_info ad7606c_18_info = {
+ .oversampling_avail = ad7606_oversampling_avail,
+ .oversampling_num = ARRAY_SIZE(ad7606_oversampling_avail),
+ .scale_setup_cb = ad7606c_18bit_chan_scale_setup,
++ .sw_setup_cb = ad7606b_sw_mode_setup,
+ };
+ EXPORT_SYMBOL_NS_GPL(ad7606c_18_info, "IIO_AD7606");
+
+@@ -307,6 +316,7 @@ const struct ad7606_chip_info ad7616_info = {
+ .oversampling_num = ARRAY_SIZE(ad7616_oversampling_avail),
+ .os_req_reset = true,
+ .scale_setup_cb = ad7606_16bit_chan_scale_setup,
++ .sw_setup_cb = ad7616_sw_mode_setup,
+ };
+ EXPORT_SYMBOL_NS_GPL(ad7616_info, "IIO_AD7606");
+
+@@ -1138,16 +1148,118 @@ static const struct iio_trigger_ops ad7606_trigger_ops = {
+ .validate_device = iio_trigger_validate_own_device,
+ };
+
+-static int ad7606_sw_mode_setup(struct iio_dev *indio_dev)
++static int ad7606_write_mask(struct ad7606_state *st, unsigned int addr,
++ unsigned long mask, unsigned int val)
++{
++ int readval;
++
++ readval = st->bops->reg_read(st, addr);
++ if (readval < 0)
++ return readval;
++
++ readval &= ~mask;
++ readval |= val;
++
++ return st->bops->reg_write(st, addr, readval);
++}
++
++static int ad7616_write_scale_sw(struct iio_dev *indio_dev, int ch, int val)
+ {
+ struct ad7606_state *st = iio_priv(indio_dev);
++ unsigned int ch_addr, mode, ch_index;
+
+- st->sw_mode_en = st->bops->sw_mode_config &&
+- device_property_present(st->dev, "adi,sw-mode");
+- if (!st->sw_mode_en)
+- return 0;
++ /*
++ * Ad7616 has 16 channels divided in group A and group B.
++ * The range of channels from A are stored in registers with address 4
++ * while channels from B are stored in register with address 6.
++ * The last bit from channels determines if it is from group A or B
++ * because the order of channels in iio is 0A, 0B, 1A, 1B...
++ */
++ ch_index = ch >> 1;
++
++ ch_addr = AD7616_RANGE_CH_ADDR(ch_index);
++
++ if ((ch & 0x1) == 0) /* channel A */
++ ch_addr += AD7616_RANGE_CH_A_ADDR_OFF;
++ else /* channel B */
++ ch_addr += AD7616_RANGE_CH_B_ADDR_OFF;
++
++ /* 0b01 for 2.5v, 0b10 for 5v and 0b11 for 10v */
++ mode = AD7616_RANGE_CH_MODE(ch_index, ((val + 1) & 0b11));
+
+- indio_dev->info = &ad7606_info_sw_mode;
++ return ad7606_write_mask(st, ch_addr, AD7616_RANGE_CH_MSK(ch_index),
++ mode);
++}
++
++static int ad7616_write_os_sw(struct iio_dev *indio_dev, int val)
++{
++ struct ad7606_state *st = iio_priv(indio_dev);
++
++ return ad7606_write_mask(st, AD7616_CONFIGURATION_REGISTER,
++ AD7616_OS_MASK, val << 2);
++}
++
++static int ad7606_write_scale_sw(struct iio_dev *indio_dev, int ch, int val)
++{
++ struct ad7606_state *st = iio_priv(indio_dev);
++
++ return ad7606_write_mask(st, AD7606_RANGE_CH_ADDR(ch),
++ AD7606_RANGE_CH_MSK(ch),
++ AD7606_RANGE_CH_MODE(ch, val));
++}
++
++static int ad7606_write_os_sw(struct iio_dev *indio_dev, int val)
++{
++ struct ad7606_state *st = iio_priv(indio_dev);
++
++ return st->bops->reg_write(st, AD7606_OS_MODE, val);
++}
++
++static int ad7616_sw_mode_setup(struct iio_dev *indio_dev)
++{
++ struct ad7606_state *st = iio_priv(indio_dev);
++ int ret;
++
++ /*
++ * Scale can be configured individually for each channel
++ * in software mode.
++ */
++
++ st->write_scale = ad7616_write_scale_sw;
++ st->write_os = &ad7616_write_os_sw;
++
++ ret = st->bops->sw_mode_config(indio_dev);
++ if (ret)
++ return ret;
++
++ /* Activate Burst mode and SEQEN MODE */
++ return ad7606_write_mask(st, AD7616_CONFIGURATION_REGISTER,
++ AD7616_BURST_MODE | AD7616_SEQEN_MODE,
++ AD7616_BURST_MODE | AD7616_SEQEN_MODE);
++}
++
++static int ad7606b_sw_mode_setup(struct iio_dev *indio_dev)
++{
++ struct ad7606_state *st = iio_priv(indio_dev);
++ DECLARE_BITMAP(os, 3);
++
++ bitmap_fill(os, 3);
++ /*
++ * Software mode is enabled when all three oversampling
++ * pins are set to high. If oversampling gpios are defined
++ * in the device tree, then they need to be set to high,
++ * otherwise, they must be hardwired to VDD
++ */
++ if (st->gpio_os) {
++ gpiod_set_array_value(st->gpio_os->ndescs, st->gpio_os->desc,
++ st->gpio_os->info, os);
++ }
++ /* OS of 128 and 256 are available only in software mode */
++ st->oversampling_avail = ad7606b_oversampling_avail;
++ st->num_os_ratios = ARRAY_SIZE(ad7606b_oversampling_avail);
++
++ st->write_scale = ad7606_write_scale_sw;
++ st->write_os = &ad7606_write_os_sw;
+
+ return st->bops->sw_mode_config(indio_dev);
+ }
+@@ -1326,9 +1438,12 @@ int ad7606_probe(struct device *dev, int irq, void __iomem *base_address,
+ st->write_scale = ad7606_write_scale_hw;
+ st->write_os = ad7606_write_os_hw;
+
+- ret = ad7606_sw_mode_setup(indio_dev);
+- if (ret)
+- return ret;
++ st->sw_mode_en = st->chip_info->sw_setup_cb &&
++ device_property_present(st->dev, "adi,sw-mode");
++ if (st->sw_mode_en) {
++ indio_dev->info = &ad7606_info_sw_mode;
++ st->chip_info->sw_setup_cb(indio_dev);
++ }
+
+ ret = ad7606_chan_scales_setup(indio_dev);
+ if (ret)
+diff --git a/drivers/iio/adc/ad7606.h b/drivers/iio/adc/ad7606.h
+index 8778ffe515b30..7a044b499cfe1 100644
+--- a/drivers/iio/adc/ad7606.h
++++ b/drivers/iio/adc/ad7606.h
+@@ -10,6 +10,36 @@
+
+ #define AD760X_MAX_CHANNELS 16
+
++#define AD7616_CONFIGURATION_REGISTER 0x02
++#define AD7616_OS_MASK GENMASK(4, 2)
++#define AD7616_BURST_MODE BIT(6)
++#define AD7616_SEQEN_MODE BIT(5)
++#define AD7616_RANGE_CH_A_ADDR_OFF 0x04
++#define AD7616_RANGE_CH_B_ADDR_OFF 0x06
++/*
++ * Range of channels from a group are stored in 2 registers.
++ * 0, 1, 2, 3 in a register followed by 4, 5, 6, 7 in second register.
++ * For channels from second group(8-15) the order is the same, only with
++ * an offset of 2 for register address.
++ */
++#define AD7616_RANGE_CH_ADDR(ch) ((ch) >> 2)
++/* The range of the channel is stored in 2 bits */
++#define AD7616_RANGE_CH_MSK(ch) (0b11 << (((ch) & 0b11) * 2))
++#define AD7616_RANGE_CH_MODE(ch, mode) ((mode) << ((((ch) & 0b11)) * 2))
++
++#define AD7606_CONFIGURATION_REGISTER 0x02
++#define AD7606_SINGLE_DOUT 0x00
++
++/*
++ * Range for AD7606B channels are stored in registers starting with address 0x3.
++ * Each register stores range for 2 channels(4 bits per channel).
++ */
++#define AD7606_RANGE_CH_MSK(ch) (GENMASK(3, 0) << (4 * ((ch) & 0x1)))
++#define AD7606_RANGE_CH_MODE(ch, mode) \
++ ((GENMASK(3, 0) & (mode)) << (4 * ((ch) & 0x1)))
++#define AD7606_RANGE_CH_ADDR(ch) (0x03 + ((ch) >> 1))
++#define AD7606_OS_MODE 0x08
++
+ #define AD760X_CHANNEL(num, mask_sep, mask_type, mask_all, bits) { \
+ .type = IIO_VOLTAGE, \
+ .indexed = 1, \
+@@ -71,6 +101,7 @@ struct ad7606_state;
+
+ typedef int (*ad7606_scale_setup_cb_t)(struct iio_dev *indio_dev,
+ struct iio_chan_spec *chan, int ch);
++typedef int (*ad7606_sw_setup_cb_t)(struct iio_dev *indio_dev);
+
+ /**
+ * struct ad7606_chip_info - chip specific information
+@@ -80,6 +111,7 @@ typedef int (*ad7606_scale_setup_cb_t)(struct iio_dev *indio_dev,
+ * @num_channels: number of channels
+ * @num_adc_channels the number of channels the ADC actually inputs.
+ * @scale_setup_cb: callback to setup the scales for each channel
++ * @sw_setup_cb: callback to setup the software mode if available.
+ * @oversampling_avail pointer to the array which stores the available
+ * oversampling ratios.
+ * @oversampling_num number of elements stored in oversampling_avail array
+@@ -94,6 +126,7 @@ struct ad7606_chip_info {
+ unsigned int num_adc_channels;
+ unsigned int num_channels;
+ ad7606_scale_setup_cb_t scale_setup_cb;
++ ad7606_sw_setup_cb_t sw_setup_cb;
+ const unsigned int *oversampling_avail;
+ unsigned int oversampling_num;
+ bool os_req_reset;
+@@ -206,10 +239,6 @@ struct ad7606_bus_ops {
+ int (*reg_write)(struct ad7606_state *st,
+ unsigned int addr,
+ unsigned int val);
+- int (*write_mask)(struct ad7606_state *st,
+- unsigned int addr,
+- unsigned long mask,
+- unsigned int val);
+ int (*update_scan_mode)(struct iio_dev *indio_dev, const unsigned long *scan_mask);
+ u16 (*rd_wr_cmd)(int addr, char isWriteOp);
+ };
+diff --git a/drivers/iio/adc/ad7606_spi.c b/drivers/iio/adc/ad7606_spi.c
+index c8bc9e772dfc2..179115e909888 100644
+--- a/drivers/iio/adc/ad7606_spi.c
++++ b/drivers/iio/adc/ad7606_spi.c
+@@ -15,36 +15,6 @@
+
+ #define MAX_SPI_FREQ_HZ 23500000 /* VDRIVE above 4.75 V */
+
+-#define AD7616_CONFIGURATION_REGISTER 0x02
+-#define AD7616_OS_MASK GENMASK(4, 2)
+-#define AD7616_BURST_MODE BIT(6)
+-#define AD7616_SEQEN_MODE BIT(5)
+-#define AD7616_RANGE_CH_A_ADDR_OFF 0x04
+-#define AD7616_RANGE_CH_B_ADDR_OFF 0x06
+-/*
+- * Range of channels from a group are stored in 2 registers.
+- * 0, 1, 2, 3 in a register followed by 4, 5, 6, 7 in second register.
+- * For channels from second group(8-15) the order is the same, only with
+- * an offset of 2 for register address.
+- */
+-#define AD7616_RANGE_CH_ADDR(ch) ((ch) >> 2)
+-/* The range of the channel is stored in 2 bits */
+-#define AD7616_RANGE_CH_MSK(ch) (0b11 << (((ch) & 0b11) * 2))
+-#define AD7616_RANGE_CH_MODE(ch, mode) ((mode) << ((((ch) & 0b11)) * 2))
+-
+-#define AD7606_CONFIGURATION_REGISTER 0x02
+-#define AD7606_SINGLE_DOUT 0x00
+-
+-/*
+- * Range for AD7606B channels are stored in registers starting with address 0x3.
+- * Each register stores range for 2 channels(4 bits per channel).
+- */
+-#define AD7606_RANGE_CH_MSK(ch) (GENMASK(3, 0) << (4 * ((ch) & 0x1)))
+-#define AD7606_RANGE_CH_MODE(ch, mode) \
+- ((GENMASK(3, 0) & mode) << (4 * ((ch) & 0x1)))
+-#define AD7606_RANGE_CH_ADDR(ch) (0x03 + ((ch) >> 1))
+-#define AD7606_OS_MODE 0x08
+-
+ static const struct iio_chan_spec ad7616_sw_channels[] = {
+ IIO_CHAN_SOFT_TIMESTAMP(16),
+ AD7616_CHANNEL(0),
+@@ -89,10 +59,6 @@ static const struct iio_chan_spec ad7606c_18_sw_channels[] = {
+ AD7606_SW_CHANNEL(7, 18),
+ };
+
+-static const unsigned int ad7606B_oversampling_avail[9] = {
+- 1, 2, 4, 8, 16, 32, 64, 128, 256
+-};
+-
+ static u16 ad7616_spi_rd_wr_cmd(int addr, char isWriteOp)
+ {
+ /*
+@@ -194,118 +160,20 @@ static int ad7606_spi_reg_write(struct ad7606_state *st,
+ return spi_write(spi, &st->d16[0], sizeof(st->d16[0]));
+ }
+
+-static int ad7606_spi_write_mask(struct ad7606_state *st,
+- unsigned int addr,
+- unsigned long mask,
+- unsigned int val)
+-{
+- int readval;
+-
+- readval = st->bops->reg_read(st, addr);
+- if (readval < 0)
+- return readval;
+-
+- readval &= ~mask;
+- readval |= val;
+-
+- return st->bops->reg_write(st, addr, readval);
+-}
+-
+-static int ad7616_write_scale_sw(struct iio_dev *indio_dev, int ch, int val)
+-{
+- struct ad7606_state *st = iio_priv(indio_dev);
+- unsigned int ch_addr, mode, ch_index;
+-
+-
+- /*
+- * Ad7616 has 16 channels divided in group A and group B.
+- * The range of channels from A are stored in registers with address 4
+- * while channels from B are stored in register with address 6.
+- * The last bit from channels determines if it is from group A or B
+- * because the order of channels in iio is 0A, 0B, 1A, 1B...
+- */
+- ch_index = ch >> 1;
+-
+- ch_addr = AD7616_RANGE_CH_ADDR(ch_index);
+-
+- if ((ch & 0x1) == 0) /* channel A */
+- ch_addr += AD7616_RANGE_CH_A_ADDR_OFF;
+- else /* channel B */
+- ch_addr += AD7616_RANGE_CH_B_ADDR_OFF;
+-
+- /* 0b01 for 2.5v, 0b10 for 5v and 0b11 for 10v */
+- mode = AD7616_RANGE_CH_MODE(ch_index, ((val + 1) & 0b11));
+- return st->bops->write_mask(st, ch_addr, AD7616_RANGE_CH_MSK(ch_index),
+- mode);
+-}
+-
+-static int ad7616_write_os_sw(struct iio_dev *indio_dev, int val)
+-{
+- struct ad7606_state *st = iio_priv(indio_dev);
+-
+- return st->bops->write_mask(st, AD7616_CONFIGURATION_REGISTER,
+- AD7616_OS_MASK, val << 2);
+-}
+-
+-static int ad7606_write_scale_sw(struct iio_dev *indio_dev, int ch, int val)
+-{
+- struct ad7606_state *st = iio_priv(indio_dev);
+-
+- return ad7606_spi_write_mask(st,
+- AD7606_RANGE_CH_ADDR(ch),
+- AD7606_RANGE_CH_MSK(ch),
+- AD7606_RANGE_CH_MODE(ch, val));
+-}
+-
+-static int ad7606_write_os_sw(struct iio_dev *indio_dev, int val)
+-{
+- struct ad7606_state *st = iio_priv(indio_dev);
+-
+- return ad7606_spi_reg_write(st, AD7606_OS_MODE, val);
+-}
+-
+ static int ad7616_sw_mode_config(struct iio_dev *indio_dev)
+ {
+- struct ad7606_state *st = iio_priv(indio_dev);
+-
+ /*
+ * Scale can be configured individually for each channel
+ * in software mode.
+ */
+ indio_dev->channels = ad7616_sw_channels;
+
+- st->write_scale = ad7616_write_scale_sw;
+- st->write_os = &ad7616_write_os_sw;
+-
+- /* Activate Burst mode and SEQEN MODE */
+- return st->bops->write_mask(st,
+- AD7616_CONFIGURATION_REGISTER,
+- AD7616_BURST_MODE | AD7616_SEQEN_MODE,
+- AD7616_BURST_MODE | AD7616_SEQEN_MODE);
++ return 0;
+ }
+
+ static int ad7606B_sw_mode_config(struct iio_dev *indio_dev)
+ {
+ struct ad7606_state *st = iio_priv(indio_dev);
+- DECLARE_BITMAP(os, 3);
+-
+- bitmap_fill(os, 3);
+- /*
+- * Software mode is enabled when all three oversampling
+- * pins are set to high. If oversampling gpios are defined
+- * in the device tree, then they need to be set to high,
+- * otherwise, they must be hardwired to VDD
+- */
+- if (st->gpio_os) {
+- gpiod_set_array_value(st->gpio_os->ndescs,
+- st->gpio_os->desc, st->gpio_os->info, os);
+- }
+- /* OS of 128 and 256 are available only in software mode */
+- st->oversampling_avail = ad7606B_oversampling_avail;
+- st->num_os_ratios = ARRAY_SIZE(ad7606B_oversampling_avail);
+-
+- st->write_scale = ad7606_write_scale_sw;
+- st->write_os = &ad7606_write_os_sw;
+
+ /* Configure device spi to output on a single channel */
+ st->bops->reg_write(st,
+@@ -350,7 +218,6 @@ static const struct ad7606_bus_ops ad7616_spi_bops = {
+ .read_block = ad7606_spi_read_block,
+ .reg_read = ad7606_spi_reg_read,
+ .reg_write = ad7606_spi_reg_write,
+- .write_mask = ad7606_spi_write_mask,
+ .rd_wr_cmd = ad7616_spi_rd_wr_cmd,
+ .sw_mode_config = ad7616_sw_mode_config,
+ };
+@@ -359,7 +226,6 @@ static const struct ad7606_bus_ops ad7606b_spi_bops = {
+ .read_block = ad7606_spi_read_block,
+ .reg_read = ad7606_spi_reg_read,
+ .reg_write = ad7606_spi_reg_write,
+- .write_mask = ad7606_spi_write_mask,
+ .rd_wr_cmd = ad7606B_spi_rd_wr_cmd,
+ .sw_mode_config = ad7606B_sw_mode_config,
+ };
+@@ -368,7 +234,6 @@ static const struct ad7606_bus_ops ad7606c_18_spi_bops = {
+ .read_block = ad7606_spi_read_block18to32,
+ .reg_read = ad7606_spi_reg_read,
+ .reg_write = ad7606_spi_reg_write,
+- .write_mask = ad7606_spi_write_mask,
+ .rd_wr_cmd = ad7606B_spi_rd_wr_cmd,
+ .sw_mode_config = ad7606c_18_sw_mode_config,
+ };
+--
+2.39.5
+
--- /dev/null
+From 9108346a7d53c0f071352ed75484ef6826083dcd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Feb 2025 17:10:52 +0100
+Subject: iio: adc: ad7606: move the software mode configuration
+
+From: Guillaume Stols <gstols@baylibre.com>
+
+[ Upstream commit f2a62931b39478c98f977caf299df5bc072f38e0 ]
+
+This is a preparation for the intoduction of the sofware functions in
+the iio backend version of the driver.
+The software mode configuration must be executed once the channels are
+configured, and the number of channels is known. This is not the case
+before iio-backend's configuration is called, and iio backend version of
+the driver does not have a timestamp channel.
+Also the sw_mode_config callback is configured during the iio-backend
+configuration.
+For clarity purpose, I moved the entire block instead of just the
+concerned function calls.
+
+Signed-off-by: Guillaume Stols <gstols@baylibre.com>
+Link: https://patch.msgid.link/20250210-wip-bl-ad7606_add_backend_sw_mode-v4-2-160df18b1da7@baylibre.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Stable-dep-of: 5257d80e22bf ("iio: adc: ad7606: check for NULL before calling sw_mode_config()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/ad7606.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/iio/adc/ad7606.c b/drivers/iio/adc/ad7606.c
+index d39354afd5394..376c808df11c7 100644
+--- a/drivers/iio/adc/ad7606.c
++++ b/drivers/iio/adc/ad7606.c
+@@ -1246,17 +1246,6 @@ int ad7606_probe(struct device *dev, int irq, void __iomem *base_address,
+ return -ERESTARTSYS;
+ }
+
+- st->write_scale = ad7606_write_scale_hw;
+- st->write_os = ad7606_write_os_hw;
+-
+- ret = ad7606_sw_mode_setup(indio_dev);
+- if (ret)
+- return ret;
+-
+- ret = ad7606_chan_scales_setup(indio_dev);
+- if (ret)
+- return ret;
+-
+ /* If convst pin is not defined, setup PWM. */
+ if (!st->gpio_convst) {
+ st->cnvst_pwm = devm_pwm_get(dev, NULL);
+@@ -1334,6 +1323,17 @@ int ad7606_probe(struct device *dev, int irq, void __iomem *base_address,
+ return ret;
+ }
+
++ st->write_scale = ad7606_write_scale_hw;
++ st->write_os = ad7606_write_os_hw;
++
++ ret = ad7606_sw_mode_setup(indio_dev);
++ if (ret)
++ return ret;
++
++ ret = ad7606_chan_scales_setup(indio_dev);
++ if (ret)
++ return ret;
++
+ return devm_iio_device_register(dev, indio_dev);
+ }
+ EXPORT_SYMBOL_NS_GPL(ad7606_probe, "IIO_AD7606");
+--
+2.39.5
+
--- /dev/null
+From 1c5b6d142a199167c800ffe8854443d5b292db53 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 May 2025 15:02:23 -0600
+Subject: io_uring/fdinfo: grab ctx->uring_lock around io_uring_show_fdinfo()
+
+From: Jens Axboe <axboe@kernel.dk>
+
+[ Upstream commit d871198ee431d90f5308d53998c1ba1d5db5619a ]
+
+Not everything requires locking in there, which is why the 'has_lock'
+variable exists. But enough does that it's a bit unwieldy to manage.
+Wrap the whole thing in a ->uring_lock trylock, and just return
+with no output if we fail to grab it. The existing trylock() will
+already have greatly diminished utility/output for the failure case.
+
+This fixes an issue with reading the SQE fields, if the ring is being
+actively resized at the same time.
+
+Reported-by: Jann Horn <jannh@google.com>
+Fixes: 79cfe9e59c2a ("io_uring/register: add IORING_REGISTER_RESIZE_RINGS")
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ io_uring/fdinfo.c | 48 ++++++++++++++++++++++++-----------------------
+ 1 file changed, 25 insertions(+), 23 deletions(-)
+
+diff --git a/io_uring/fdinfo.c b/io_uring/fdinfo.c
+index f60d0a9d505e2..336aec7ea8c29 100644
+--- a/io_uring/fdinfo.c
++++ b/io_uring/fdinfo.c
+@@ -86,13 +86,8 @@ static inline void napi_show_fdinfo(struct io_ring_ctx *ctx,
+ }
+ #endif
+
+-/*
+- * Caller holds a reference to the file already, we don't need to do
+- * anything else to get an extra reference.
+- */
+-__cold void io_uring_show_fdinfo(struct seq_file *m, struct file *file)
++static void __io_uring_show_fdinfo(struct io_ring_ctx *ctx, struct seq_file *m)
+ {
+- struct io_ring_ctx *ctx = file->private_data;
+ struct io_overflow_cqe *ocqe;
+ struct io_rings *r = ctx->rings;
+ struct rusage sq_usage;
+@@ -106,7 +101,6 @@ __cold void io_uring_show_fdinfo(struct seq_file *m, struct file *file)
+ unsigned int sq_entries, cq_entries;
+ int sq_pid = -1, sq_cpu = -1;
+ u64 sq_total_time = 0, sq_work_time = 0;
+- bool has_lock;
+ unsigned int i;
+
+ if (ctx->flags & IORING_SETUP_CQE32)
+@@ -176,15 +170,7 @@ __cold void io_uring_show_fdinfo(struct seq_file *m, struct file *file)
+ seq_printf(m, "\n");
+ }
+
+- /*
+- * Avoid ABBA deadlock between the seq lock and the io_uring mutex,
+- * since fdinfo case grabs it in the opposite direction of normal use
+- * cases. If we fail to get the lock, we just don't iterate any
+- * structures that could be going away outside the io_uring mutex.
+- */
+- has_lock = mutex_trylock(&ctx->uring_lock);
+-
+- if (has_lock && (ctx->flags & IORING_SETUP_SQPOLL)) {
++ if (ctx->flags & IORING_SETUP_SQPOLL) {
+ struct io_sq_data *sq = ctx->sq_data;
+
+ /*
+@@ -206,7 +192,7 @@ __cold void io_uring_show_fdinfo(struct seq_file *m, struct file *file)
+ seq_printf(m, "SqTotalTime:\t%llu\n", sq_total_time);
+ seq_printf(m, "SqWorkTime:\t%llu\n", sq_work_time);
+ seq_printf(m, "UserFiles:\t%u\n", ctx->file_table.data.nr);
+- for (i = 0; has_lock && i < ctx->file_table.data.nr; i++) {
++ for (i = 0; i < ctx->file_table.data.nr; i++) {
+ struct file *f = NULL;
+
+ if (ctx->file_table.data.nodes[i])
+@@ -218,7 +204,7 @@ __cold void io_uring_show_fdinfo(struct seq_file *m, struct file *file)
+ }
+ }
+ seq_printf(m, "UserBufs:\t%u\n", ctx->buf_table.nr);
+- for (i = 0; has_lock && i < ctx->buf_table.nr; i++) {
++ for (i = 0; i < ctx->buf_table.nr; i++) {
+ struct io_mapped_ubuf *buf = NULL;
+
+ if (ctx->buf_table.nodes[i])
+@@ -228,7 +214,7 @@ __cold void io_uring_show_fdinfo(struct seq_file *m, struct file *file)
+ else
+ seq_printf(m, "%5u: <none>\n", i);
+ }
+- if (has_lock && !xa_empty(&ctx->personalities)) {
++ if (!xa_empty(&ctx->personalities)) {
+ unsigned long index;
+ const struct cred *cred;
+
+@@ -238,7 +224,7 @@ __cold void io_uring_show_fdinfo(struct seq_file *m, struct file *file)
+ }
+
+ seq_puts(m, "PollList:\n");
+- for (i = 0; has_lock && i < (1U << ctx->cancel_table.hash_bits); i++) {
++ for (i = 0; i < (1U << ctx->cancel_table.hash_bits); i++) {
+ struct io_hash_bucket *hb = &ctx->cancel_table.hbs[i];
+ struct io_kiocb *req;
+
+@@ -247,9 +233,6 @@ __cold void io_uring_show_fdinfo(struct seq_file *m, struct file *file)
+ task_work_pending(req->tctx->task));
+ }
+
+- if (has_lock)
+- mutex_unlock(&ctx->uring_lock);
+-
+ seq_puts(m, "CqOverflowList:\n");
+ spin_lock(&ctx->completion_lock);
+ list_for_each_entry(ocqe, &ctx->cq_overflow_list, list) {
+@@ -262,4 +245,23 @@ __cold void io_uring_show_fdinfo(struct seq_file *m, struct file *file)
+ spin_unlock(&ctx->completion_lock);
+ napi_show_fdinfo(ctx, m);
+ }
++
++/*
++ * Caller holds a reference to the file already, we don't need to do
++ * anything else to get an extra reference.
++ */
++__cold void io_uring_show_fdinfo(struct seq_file *m, struct file *file)
++{
++ struct io_ring_ctx *ctx = file->private_data;
++
++ /*
++ * Avoid ABBA deadlock between the seq lock and the io_uring mutex,
++ * since fdinfo case grabs it in the opposite direction of normal use
++ * cases.
++ */
++ if (mutex_trylock(&ctx->uring_lock)) {
++ __io_uring_show_fdinfo(ctx, m);
++ mutex_unlock(&ctx->uring_lock);
++ }
++}
+ #endif
+--
+2.39.5
+
--- /dev/null
+From 06d116a800a15a514e794d1122921e7145039600 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 May 2025 14:48:05 +0200
+Subject: mlxsw: spectrum_router: Fix use-after-free when deleting GRE net
+ devices
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit 92ec4855034b2c4d13f117558dc73d20581fa9ff ]
+
+The driver only offloads neighbors that are constructed on top of net
+devices registered by it or their uppers (which are all Ethernet). The
+device supports GRE encapsulation and decapsulation of forwarded
+traffic, but the driver will not offload dummy neighbors constructed on
+top of GRE net devices as they are not uppers of its net devices:
+
+ # ip link add name gre1 up type gre tos inherit local 192.0.2.1 remote 198.51.100.1
+ # ip neigh add 0.0.0.0 lladdr 0.0.0.0 nud noarp dev gre1
+ $ ip neigh show dev gre1 nud noarp
+ 0.0.0.0 lladdr 0.0.0.0 NOARP
+
+(Note that the neighbor is not marked with 'offload')
+
+When the driver is reloaded and the existing configuration is replayed,
+the driver does not perform the same check regarding existing neighbors
+and offloads the previously added one:
+
+ # devlink dev reload pci/0000:01:00.0
+ $ ip neigh show dev gre1 nud noarp
+ 0.0.0.0 lladdr 0.0.0.0 offload NOARP
+
+If the neighbor is later deleted, the driver will ignore the
+notification (given the GRE net device is not its upper) and will
+therefore keep referencing freed memory, resulting in a use-after-free
+[1] when the net device is deleted:
+
+ # ip neigh del 0.0.0.0 lladdr 0.0.0.0 dev gre1
+ # ip link del dev gre1
+
+Fix by skipping neighbor replay if the net device for which the replay
+is performed is not our upper.
+
+[1]
+BUG: KASAN: slab-use-after-free in mlxsw_sp_neigh_entry_update+0x1ea/0x200
+Read of size 8 at addr ffff888155b0e420 by task ip/2282
+[...]
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x6f/0xa0
+ print_address_description.constprop.0+0x6f/0x350
+ print_report+0x108/0x205
+ kasan_report+0xdf/0x110
+ mlxsw_sp_neigh_entry_update+0x1ea/0x200
+ mlxsw_sp_router_rif_gone_sync+0x2a8/0x440
+ mlxsw_sp_rif_destroy+0x1e9/0x750
+ mlxsw_sp_netdevice_ipip_ol_event+0x3c9/0xdc0
+ mlxsw_sp_router_netdevice_event+0x3ac/0x15e0
+ notifier_call_chain+0xca/0x150
+ call_netdevice_notifiers_info+0x7f/0x100
+ unregister_netdevice_many_notify+0xc8c/0x1d90
+ rtnl_dellink+0x34e/0xa50
+ rtnetlink_rcv_msg+0x6fb/0xb70
+ netlink_rcv_skb+0x131/0x360
+ netlink_unicast+0x426/0x710
+ netlink_sendmsg+0x75a/0xc20
+ __sock_sendmsg+0xc1/0x150
+ ____sys_sendmsg+0x5aa/0x7b0
+ ___sys_sendmsg+0xfc/0x180
+ __sys_sendmsg+0x121/0x1b0
+ do_syscall_64+0xbb/0x1d0
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+Fixes: 8fdb09a7674c ("mlxsw: spectrum_router: Replay neighbours when RIF is made")
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Petr Machata <petrm@nvidia.com>
+Signed-off-by: Petr Machata <petrm@nvidia.com>
+Link: https://patch.msgid.link/c53c02c904fde32dad484657be3b1477884e9ad6.1747225701.git.petrm@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
+index 7d6d859cef3f9..511cd92e0e3e7 100644
+--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
+@@ -3014,6 +3014,9 @@ static int mlxsw_sp_neigh_rif_made_sync(struct mlxsw_sp *mlxsw_sp,
+ .rif = rif,
+ };
+
++ if (!mlxsw_sp_dev_lower_is_port(mlxsw_sp_rif_dev(rif)))
++ return 0;
++
+ neigh_for_each(&arp_tbl, mlxsw_sp_neigh_rif_made_sync_each, &rms);
+ if (rms.err)
+ goto err_arp;
+--
+2.39.5
+
--- /dev/null
+From 5be1ed2aef1f735c5efdf86aa476a4c0f83bde89 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 May 2025 14:19:35 +0200
+Subject: net: cadence: macb: Fix a possible deadlock in macb_halt_tx.
+
+From: Mathieu Othacehe <othacehe@gnu.org>
+
+[ Upstream commit c92d6089d8ad7d4d815ebcedee3f3907b539ff1f ]
+
+There is a situation where after THALT is set high, TGO stays high as
+well. Because jiffies are never updated, as we are in a context with
+interrupts disabled, we never exit that loop and have a deadlock.
+
+That deadlock was noticed on a sama5d4 device that stayed locked for days.
+
+Use retries instead of jiffies so that the timeout really works and we do
+not have a deadlock anymore.
+
+Fixes: e86cd53afc590 ("net/macb: better manage tx errors")
+Signed-off-by: Mathieu Othacehe <othacehe@gnu.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250509121935.16282-1-othacehe@gnu.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cadence/macb_main.c | 19 ++++++-------------
+ 1 file changed, 6 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
+index c1f57d96e63fc..e3cc26472c2f1 100644
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -1002,22 +1002,15 @@ static void macb_update_stats(struct macb *bp)
+
+ static int macb_halt_tx(struct macb *bp)
+ {
+- unsigned long halt_time, timeout;
+- u32 status;
++ u32 status;
+
+ macb_writel(bp, NCR, macb_readl(bp, NCR) | MACB_BIT(THALT));
+
+- timeout = jiffies + usecs_to_jiffies(MACB_HALT_TIMEOUT);
+- do {
+- halt_time = jiffies;
+- status = macb_readl(bp, TSR);
+- if (!(status & MACB_BIT(TGO)))
+- return 0;
+-
+- udelay(250);
+- } while (time_before(halt_time, timeout));
+-
+- return -ETIMEDOUT;
++ /* Poll TSR until TGO is cleared or timeout. */
++ return read_poll_timeout_atomic(macb_readl, status,
++ !(status & MACB_BIT(TGO)),
++ 250, MACB_HALT_TIMEOUT, false,
++ bp, TSR);
+ }
+
+ static void macb_tx_unmap(struct macb *bp, struct macb_tx_skb *tx_skb, int budget)
+--
+2.39.5
+
--- /dev/null
+From 3f2da42f6659efaba8f07c8f77e3170fbd956beb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 May 2025 11:14:24 +0200
+Subject: net: dsa: b53: prevent standalone from trying to forward to other
+ ports
+
+From: Jonas Gorski <jonas.gorski@gmail.com>
+
+[ Upstream commit 4227ea91e2657f7965e34313448e9d0a2b67712e ]
+
+When bridged ports and standalone ports share a VLAN, e.g. via VLAN
+uppers, or untagged traffic with a vlan unaware bridge, the ASIC will
+still try to forward traffic to known FDB entries on standalone ports.
+But since the port VLAN masks prevent forwarding to bridged ports, this
+traffic will be dropped.
+
+This e.g. can be observed in the bridge_vlan_unaware ping tests, where
+this breaks pinging with learning on.
+
+Work around this by enabling the simplified EAP mode on switches
+supporting it for standalone ports, which causes the ASIC to redirect
+traffic of unknown source MAC addresses to the CPU port.
+
+Since standalone ports do not learn, there are no known source MAC
+addresses, so effectively this redirects all incoming traffic to the CPU
+port.
+
+Fixes: ff39c2d68679 ("net: dsa: b53: Add bridge support")
+Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
+Link: https://patch.msgid.link/20250508091424.26870-1-jonas.gorski@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/b53/b53_common.c | 33 ++++++++++++++++++++++++++++++++
+ drivers/net/dsa/b53/b53_regs.h | 14 ++++++++++++++
+ 2 files changed, 47 insertions(+)
+
+diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
+index e3b5b450ee932..10484d19eaac5 100644
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -326,6 +326,26 @@ static void b53_get_vlan_entry(struct b53_device *dev, u16 vid,
+ }
+ }
+
++static void b53_set_eap_mode(struct b53_device *dev, int port, int mode)
++{
++ u64 eap_conf;
++
++ if (is5325(dev) || is5365(dev) || dev->chip_id == BCM5389_DEVICE_ID)
++ return;
++
++ b53_read64(dev, B53_EAP_PAGE, B53_PORT_EAP_CONF(port), &eap_conf);
++
++ if (is63xx(dev)) {
++ eap_conf &= ~EAP_MODE_MASK_63XX;
++ eap_conf |= (u64)mode << EAP_MODE_SHIFT_63XX;
++ } else {
++ eap_conf &= ~EAP_MODE_MASK;
++ eap_conf |= (u64)mode << EAP_MODE_SHIFT;
++ }
++
++ b53_write64(dev, B53_EAP_PAGE, B53_PORT_EAP_CONF(port), eap_conf);
++}
++
+ static void b53_set_forwarding(struct b53_device *dev, int enable)
+ {
+ u8 mgmt;
+@@ -586,6 +606,13 @@ int b53_setup_port(struct dsa_switch *ds, int port)
+ b53_port_set_mcast_flood(dev, port, true);
+ b53_port_set_learning(dev, port, false);
+
++ /* Force all traffic to go to the CPU port to prevent the ASIC from
++ * trying to forward to bridged ports on matching FDB entries, then
++ * dropping frames because it isn't allowed to forward there.
++ */
++ if (dsa_is_user_port(ds, port))
++ b53_set_eap_mode(dev, port, EAP_MODE_SIMPLIFIED);
++
+ return 0;
+ }
+ EXPORT_SYMBOL(b53_setup_port);
+@@ -2042,6 +2069,9 @@ int b53_br_join(struct dsa_switch *ds, int port, struct dsa_bridge bridge,
+ pvlan |= BIT(i);
+ }
+
++ /* Disable redirection of unknown SA to the CPU port */
++ b53_set_eap_mode(dev, port, EAP_MODE_BASIC);
++
+ /* Configure the local port VLAN control membership to include
+ * remote ports and update the local port bitmask
+ */
+@@ -2077,6 +2107,9 @@ void b53_br_leave(struct dsa_switch *ds, int port, struct dsa_bridge bridge)
+ pvlan &= ~BIT(i);
+ }
+
++ /* Enable redirection of unknown SA to the CPU port */
++ b53_set_eap_mode(dev, port, EAP_MODE_SIMPLIFIED);
++
+ b53_write16(dev, B53_PVLAN_PAGE, B53_PVLAN_PORT_MASK(port), pvlan);
+ dev->ports[port].vlan_ctl_mask = pvlan;
+
+diff --git a/drivers/net/dsa/b53/b53_regs.h b/drivers/net/dsa/b53/b53_regs.h
+index bfbcb66bef662..5f7a0e5c5709d 100644
+--- a/drivers/net/dsa/b53/b53_regs.h
++++ b/drivers/net/dsa/b53/b53_regs.h
+@@ -50,6 +50,9 @@
+ /* Jumbo Frame Registers */
+ #define B53_JUMBO_PAGE 0x40
+
++/* EAP Registers */
++#define B53_EAP_PAGE 0x42
++
+ /* EEE Control Registers Page */
+ #define B53_EEE_PAGE 0x92
+
+@@ -480,6 +483,17 @@
+ #define JMS_MIN_SIZE 1518
+ #define JMS_MAX_SIZE 9724
+
++/*************************************************************************
++ * EAP Page Registers
++ *************************************************************************/
++#define B53_PORT_EAP_CONF(i) (0x20 + 8 * (i))
++#define EAP_MODE_SHIFT 51
++#define EAP_MODE_SHIFT_63XX 50
++#define EAP_MODE_MASK (0x3ull << EAP_MODE_SHIFT)
++#define EAP_MODE_MASK_63XX (0x3ull << EAP_MODE_SHIFT_63XX)
++#define EAP_MODE_BASIC 0
++#define EAP_MODE_SIMPLIFIED 3
++
+ /*************************************************************************
+ * EEE Configuration Page Registers
+ *************************************************************************/
+--
+2.39.5
+
--- /dev/null
+From f85653e0af7a5d0308b919dab4423215ef494a2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 May 2025 14:38:16 +0300
+Subject: net: dsa: sja1105: discard incoming frames in BR_STATE_LISTENING
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 498625a8ab2c8e1c9ab5105744310e8d6952cc01 ]
+
+It has been reported that when under a bridge with stp_state=1, the logs
+get spammed with this message:
+
+[ 251.734607] fsl_dpaa2_eth dpni.5 eth0: Couldn't decode source port
+
+Further debugging shows the following info associated with packets:
+source_port=-1, switch_id=-1, vid=-1, vbid=1
+
+In other words, they are data plane packets which are supposed to be
+decoded by dsa_tag_8021q_find_port_by_vbid(), but the latter (correctly)
+refuses to do so, because no switch port is currently in
+BR_STATE_LEARNING or BR_STATE_FORWARDING - so the packet is effectively
+unexpected.
+
+The error goes away after the port progresses to BR_STATE_LEARNING in 15
+seconds (the default forward_time of the bridge), because then,
+dsa_tag_8021q_find_port_by_vbid() can correctly associate the data plane
+packets with a plausible bridge port in a plausible STP state.
+
+Re-reading IEEE 802.1D-1990, I see the following:
+
+"4.4.2 Learning: (...) The Forwarding Process shall discard received
+frames."
+
+IEEE 802.1D-2004 further clarifies:
+
+"DISABLED, BLOCKING, LISTENING, and BROKEN all correspond to the
+DISCARDING port state. While those dot1dStpPortStates serve to
+distinguish reasons for discarding frames, the operation of the
+Forwarding and Learning processes is the same for all of them. (...)
+LISTENING represents a port that the spanning tree algorithm has
+selected to be part of the active topology (computing a Root Port or
+Designated Port role) but is temporarily discarding frames to guard
+against loops or incorrect learning."
+
+Well, this is not what the driver does - instead it sets
+mac[port].ingress = true.
+
+To get rid of the log spam, prevent unexpected data plane packets to
+be received by software by discarding them on ingress in the LISTENING
+state.
+
+In terms of blame attribution: the prints only date back to commit
+d7f9787a763f ("net: dsa: tag_8021q: add support for imprecise RX based
+on the VBID"). However, the settings would permit a LISTENING port to
+forward to a FORWARDING port, and the standard suggests that's not OK.
+
+Fixes: 640f763f98c2 ("net: dsa: sja1105: Add support for Spanning Tree Protocol")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Link: https://patch.msgid.link/20250509113816.2221992-1-vladimir.oltean@nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/sja1105/sja1105_main.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c
+index f8454f3b6f9c5..f674c400f05b2 100644
+--- a/drivers/net/dsa/sja1105/sja1105_main.c
++++ b/drivers/net/dsa/sja1105/sja1105_main.c
+@@ -2081,6 +2081,7 @@ static void sja1105_bridge_stp_state_set(struct dsa_switch *ds, int port,
+ switch (state) {
+ case BR_STATE_DISABLED:
+ case BR_STATE_BLOCKING:
++ case BR_STATE_LISTENING:
+ /* From UM10944 description of DRPDTAG (why put this there?):
+ * "Management traffic flows to the port regardless of the state
+ * of the INGRESS flag". So BPDUs are still be allowed to pass.
+@@ -2090,11 +2091,6 @@ static void sja1105_bridge_stp_state_set(struct dsa_switch *ds, int port,
+ mac[port].egress = false;
+ mac[port].dyn_learn = false;
+ break;
+- case BR_STATE_LISTENING:
+- mac[port].ingress = true;
+- mac[port].egress = false;
+- mac[port].dyn_learn = false;
+- break;
+ case BR_STATE_LEARNING:
+ mac[port].ingress = true;
+ mac[port].egress = false;
+--
+2.39.5
+
--- /dev/null
+From 89ba0eedee3abc70b43522df361c8fbd91f01d74 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 May 2025 05:27:30 +0100
+Subject: net: ethernet: mtk_eth_soc: fix typo for declaration MT7988 ESW
+ capability
+
+From: Bo-Cun Chen <bc-bocun.chen@mediatek.com>
+
+[ Upstream commit 1bdea6fad6fb985ff13828373c48e337c4e939f9 ]
+
+Since MTK_ESW_BIT is a bit number rather than a bitmap, it causes
+MTK_HAS_CAPS to produce incorrect results. This leads to the ETH
+driver not declaring MAC capabilities correctly for the MT7988 ESW.
+
+Fixes: 445eb6448ed3 ("net: ethernet: mtk_eth_soc: add basic support for MT7988 SoC")
+Signed-off-by: Bo-Cun Chen <bc-bocun.chen@mediatek.com>
+Signed-off-by: Daniel Golle <daniel@makrotopia.org>
+Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+Link: https://patch.msgid.link/b8b37f409d1280fad9c4d32521e6207f63cd3213.1747110258.git.daniel@makrotopia.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mediatek/mtk_eth_soc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+index 341def2bf1d35..22a8b909dd80b 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+@@ -4683,7 +4683,7 @@ static int mtk_add_mac(struct mtk_eth *eth, struct device_node *np)
+ }
+
+ if (mtk_is_netsys_v3_or_greater(mac->hw) &&
+- MTK_HAS_CAPS(mac->hw->soc->caps, MTK_ESW_BIT) &&
++ MTK_HAS_CAPS(mac->hw->soc->caps, MTK_ESW) &&
+ id == MTK_GMAC1_ID) {
+ mac->phylink_config.mac_capabilities = MAC_ASYM_PAUSE |
+ MAC_SYM_PAUSE |
+--
+2.39.5
+
--- /dev/null
+From 1775f1270f5469b5661ae360949f3118bb2e5cfa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 May 2025 13:18:32 +0800
+Subject: net: mctp: Don't access ifa_index when missing
+
+From: Matt Johnston <matt@codeconstruct.com.au>
+
+[ Upstream commit f11cf946c0a92c560a890d68e4775723353599e1 ]
+
+In mctp_dump_addrinfo, ifa_index can be used to filter interfaces, but
+only when the struct ifaddrmsg is provided. Otherwise it will be
+comparing to uninitialised memory - reproducible in the syzkaller case from
+dhcpd, or busybox "ip addr show".
+
+The kernel MCTP implementation has always filtered by ifa_index, so
+existing userspace programs expecting to dump MCTP addresses must
+already be passing a valid ifa_index value (either 0 or a real index).
+
+BUG: KMSAN: uninit-value in mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128
+ mctp_dump_addrinfo+0x208/0xac0 net/mctp/device.c:128
+ rtnl_dump_all+0x3ec/0x5b0 net/core/rtnetlink.c:4380
+ rtnl_dumpit+0xd5/0x2f0 net/core/rtnetlink.c:6824
+ netlink_dump+0x97b/0x1690 net/netlink/af_netlink.c:2309
+
+Fixes: 583be982d934 ("mctp: Add device handling and netlink interface")
+Reported-by: syzbot+e76d52dadc089b9d197f@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/68135815.050a0220.3a872c.000e.GAE@google.com/
+Reported-by: syzbot+1065a199625a388fce60@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/681357d6.050a0220.14dd7d.000d.GAE@google.com/
+Signed-off-by: Matt Johnston <matt@codeconstruct.com.au>
+Link: https://patch.msgid.link/20250508-mctp-addr-dump-v2-1-c8a53fd2dd66@codeconstruct.com.au
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mctp/device.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/net/mctp/device.c b/net/mctp/device.c
+index 8e0724c56723d..7c0dcf3df3196 100644
+--- a/net/mctp/device.c
++++ b/net/mctp/device.c
+@@ -117,11 +117,18 @@ static int mctp_dump_addrinfo(struct sk_buff *skb, struct netlink_callback *cb)
+ struct net_device *dev;
+ struct ifaddrmsg *hdr;
+ struct mctp_dev *mdev;
+- int ifindex, rc;
+-
+- hdr = nlmsg_data(cb->nlh);
+- // filter by ifindex if requested
+- ifindex = hdr->ifa_index;
++ int ifindex = 0, rc;
++
++ /* Filter by ifindex if a header is provided */
++ if (cb->nlh->nlmsg_len >= nlmsg_msg_size(sizeof(*hdr))) {
++ hdr = nlmsg_data(cb->nlh);
++ ifindex = hdr->ifa_index;
++ } else {
++ if (cb->strict_check) {
++ NL_SET_ERR_MSG(cb->extack, "mctp: Invalid header for addr dump request");
++ return -EINVAL;
++ }
++ }
+
+ rcu_read_lock();
+ for_each_netdev_dump(net, dev, mcb->ifindex) {
+--
+2.39.5
+
--- /dev/null
+From d4643ffa764ff5efd5987ab135df30a8f51d7799 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 May 2025 14:16:00 +0930
+Subject: net: mctp: Ensure keys maintain only one ref to corresponding dev
+
+From: Andrew Jeffery <andrew@codeconstruct.com.au>
+
+[ Upstream commit e4f349bd6e58051df698b82f94721f18a02a293d ]
+
+mctp_flow_prepare_output() is called in mctp_route_output(), which
+places outbound packets onto a given interface. The packet may represent
+a message fragment, in which case we provoke an unbalanced reference
+count to the underlying device. This causes trouble if we ever attempt
+to remove the interface:
+
+ [ 48.702195] usb 1-1: USB disconnect, device number 2
+ [ 58.883056] unregister_netdevice: waiting for mctpusb0 to become free. Usage count = 2
+ [ 69.022548] unregister_netdevice: waiting for mctpusb0 to become free. Usage count = 2
+ [ 79.172568] unregister_netdevice: waiting for mctpusb0 to become free. Usage count = 2
+ ...
+
+Predicate the invocation of mctp_dev_set_key() in
+mctp_flow_prepare_output() on not already having associated the device
+with the key. It's not yet realistic to uphold the property that the key
+maintains only one device reference earlier in the transmission sequence
+as the route (and therefore the device) may not be known at the time the
+key is associated with the socket.
+
+Fixes: 67737c457281 ("mctp: Pass flow data & flow release events to drivers")
+Acked-by: Jeremy Kerr <jk@codeconstruct.com.au>
+Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
+Link: https://patch.msgid.link/20250508-mctp-dev-refcount-v1-1-d4f965c67bb5@codeconstruct.com.au
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mctp/route.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/mctp/route.c b/net/mctp/route.c
+index 4c460160914f0..d9c8e5a5f9ce9 100644
+--- a/net/mctp/route.c
++++ b/net/mctp/route.c
+@@ -313,8 +313,10 @@ static void mctp_flow_prepare_output(struct sk_buff *skb, struct mctp_dev *dev)
+
+ key = flow->key;
+
+- if (WARN_ON(key->dev && key->dev != dev))
++ if (key->dev) {
++ WARN_ON(key->dev != dev);
+ return;
++ }
+
+ mctp_dev_set_key(dev, key);
+ }
+--
+2.39.5
+
--- /dev/null
+From 556b743b2ac302cd866a5a17730355db82047306 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 11 May 2025 13:15:52 +0300
+Subject: net/mlx5e: Disable MACsec offload for uplink representor profile
+
+From: Carolina Jubran <cjubran@nvidia.com>
+
+[ Upstream commit 588431474eb7572e57a927fa8558c9ba2f8af143 ]
+
+MACsec offload is not supported in switchdev mode for uplink
+representors. When switching to the uplink representor profile, the
+MACsec offload feature must be cleared from the netdevice's features.
+
+If left enabled, attempts to add offloads result in a null pointer
+dereference, as the uplink representor does not support MACsec offload
+even though the feature bit remains set.
+
+Clear NETIF_F_HW_MACSEC in mlx5e_fix_uplink_rep_features().
+
+Kernel log:
+
+Oops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN
+KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f]
+CPU: 29 UID: 0 PID: 4714 Comm: ip Not tainted 6.14.0-rc4_for_upstream_debug_2025_03_02_17_35 #1
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+RIP: 0010:__mutex_lock+0x128/0x1dd0
+Code: d0 7c 08 84 d2 0f 85 ad 15 00 00 8b 35 91 5c fe 03 85 f6 75 29 49 8d 7e 60 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 a6 15 00 00 4d 3b 76 60 0f 85 fd 0b 00 00 65 ff
+RSP: 0018:ffff888147a4f160 EFLAGS: 00010206
+RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000001
+RDX: 000000000000000f RSI: 0000000000000000 RDI: 0000000000000078
+RBP: ffff888147a4f2e0 R08: ffffffffa05d2c19 R09: 0000000000000000
+R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
+R13: dffffc0000000000 R14: 0000000000000018 R15: ffff888152de0000
+FS: 00007f855e27d800(0000) GS:ffff88881ee80000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00000000004e5768 CR3: 000000013ae7c005 CR4: 0000000000372eb0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ ? die_addr+0x3d/0xa0
+ ? exc_general_protection+0x144/0x220
+ ? asm_exc_general_protection+0x22/0x30
+ ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]
+ ? __mutex_lock+0x128/0x1dd0
+ ? lockdep_set_lock_cmp_fn+0x190/0x190
+ ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]
+ ? mutex_lock_io_nested+0x1ae0/0x1ae0
+ ? lock_acquire+0x1c2/0x530
+ ? macsec_upd_offload+0x145/0x380
+ ? lockdep_hardirqs_on_prepare+0x400/0x400
+ ? kasan_save_stack+0x30/0x40
+ ? kasan_save_stack+0x20/0x40
+ ? kasan_save_track+0x10/0x30
+ ? __kasan_kmalloc+0x77/0x90
+ ? __kmalloc_noprof+0x249/0x6b0
+ ? genl_family_rcv_msg_attrs_parse.constprop.0+0xb5/0x240
+ ? mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]
+ mlx5e_macsec_add_secy+0xf9/0x700 [mlx5_core]
+ ? mlx5e_macsec_add_rxsa+0x11a0/0x11a0 [mlx5_core]
+ macsec_update_offload+0x26c/0x820
+ ? macsec_set_mac_address+0x4b0/0x4b0
+ ? lockdep_hardirqs_on_prepare+0x284/0x400
+ ? _raw_spin_unlock_irqrestore+0x47/0x50
+ macsec_upd_offload+0x2c8/0x380
+ ? macsec_update_offload+0x820/0x820
+ ? __nla_parse+0x22/0x30
+ ? genl_family_rcv_msg_attrs_parse.constprop.0+0x15e/0x240
+ genl_family_rcv_msg_doit+0x1cc/0x2a0
+ ? genl_family_rcv_msg_attrs_parse.constprop.0+0x240/0x240
+ ? cap_capable+0xd4/0x330
+ genl_rcv_msg+0x3ea/0x670
+ ? genl_family_rcv_msg_dumpit+0x2a0/0x2a0
+ ? lockdep_set_lock_cmp_fn+0x190/0x190
+ ? macsec_update_offload+0x820/0x820
+ netlink_rcv_skb+0x12b/0x390
+ ? genl_family_rcv_msg_dumpit+0x2a0/0x2a0
+ ? netlink_ack+0xd80/0xd80
+ ? rwsem_down_read_slowpath+0xf90/0xf90
+ ? netlink_deliver_tap+0xcd/0xac0
+ ? netlink_deliver_tap+0x155/0xac0
+ ? _copy_from_iter+0x1bb/0x12c0
+ genl_rcv+0x24/0x40
+ netlink_unicast+0x440/0x700
+ ? netlink_attachskb+0x760/0x760
+ ? lock_acquire+0x1c2/0x530
+ ? __might_fault+0xbb/0x170
+ netlink_sendmsg+0x749/0xc10
+ ? netlink_unicast+0x700/0x700
+ ? __might_fault+0xbb/0x170
+ ? netlink_unicast+0x700/0x700
+ __sock_sendmsg+0xc5/0x190
+ ____sys_sendmsg+0x53f/0x760
+ ? import_iovec+0x7/0x10
+ ? kernel_sendmsg+0x30/0x30
+ ? __copy_msghdr+0x3c0/0x3c0
+ ? filter_irq_stacks+0x90/0x90
+ ? stack_depot_save_flags+0x28/0xa30
+ ___sys_sendmsg+0xeb/0x170
+ ? kasan_save_stack+0x30/0x40
+ ? copy_msghdr_from_user+0x110/0x110
+ ? do_syscall_64+0x6d/0x140
+ ? lock_acquire+0x1c2/0x530
+ ? __virt_addr_valid+0x116/0x3b0
+ ? __virt_addr_valid+0x1da/0x3b0
+ ? lock_downgrade+0x680/0x680
+ ? __delete_object+0x21/0x50
+ __sys_sendmsg+0xf7/0x180
+ ? __sys_sendmsg_sock+0x20/0x20
+ ? kmem_cache_free+0x14c/0x4e0
+ ? __x64_sys_close+0x78/0xd0
+ do_syscall_64+0x6d/0x140
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+RIP: 0033:0x7f855e113367
+Code: 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
+RSP: 002b:00007ffd15e90c88 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f855e113367
+RDX: 0000000000000000 RSI: 00007ffd15e90cf0 RDI: 0000000000000004
+RBP: 00007ffd15e90dbc R08: 0000000000000028 R09: 000000000045d100
+R10: 00007f855e011dd8 R11: 0000000000000246 R12: 0000000000000019
+R13: 0000000067c6b785 R14: 00000000004a1e80 R15: 0000000000000000
+ </TASK>
+Modules linked in: 8021q garp mrp sch_ingress openvswitch nsh mlx5_ib mlx5_fwctl mlx5_dpll mlx5_core rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5 auth_rpcgss oid_registry overlay zram zsmalloc fuse [last unloaded: mlx5_core]
+---[ end trace 0000000000000000 ]---
+
+Fixes: 8ff0ac5be144 ("net/mlx5: Add MACsec offload Tx command support")
+Signed-off-by: Carolina Jubran <cjubran@nvidia.com>
+Reviewed-by: Shahar Shitrit <shshitrit@nvidia.com>
+Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/1746958552-561295-1-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index 8fcaee381b0e0..01f6a60308cb7 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -4373,6 +4373,10 @@ static netdev_features_t mlx5e_fix_uplink_rep_features(struct net_device *netdev
+ if (netdev->features & NETIF_F_HW_VLAN_CTAG_FILTER)
+ netdev_warn(netdev, "Disabling HW_VLAN CTAG FILTERING, not supported in switchdev mode\n");
+
++ features &= ~NETIF_F_HW_MACSEC;
++ if (netdev->features & NETIF_F_HW_MACSEC)
++ netdev_warn(netdev, "Disabling HW MACsec offload, not supported in switchdev mode\n");
++
+ return features;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 763faf8ee113383dae581d71201d6852d0555e3f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 May 2025 21:20:13 +0800
+Subject: net/tls: fix kernel panic when alloc_page failed
+
+From: Pengtao He <hept.hept.hept@gmail.com>
+
+[ Upstream commit 491deb9b8c4ad12fe51d554a69b8165b9ef9429f ]
+
+We cannot set frag_list to NULL pointer when alloc_page failed.
+It will be used in tls_strp_check_queue_ok when the next time
+tls_strp_read_sock is called.
+
+This is because we don't reset full_len in tls_strp_flush_anchor_copy()
+so the recv path will try to continue handling the partial record
+on the next call but we dettached the rcvq from the frag list.
+Alternative fix would be to reset full_len.
+
+Unable to handle kernel NULL pointer dereference
+at virtual address 0000000000000028
+ Call trace:
+ tls_strp_check_rcv+0x128/0x27c
+ tls_strp_data_ready+0x34/0x44
+ tls_data_ready+0x3c/0x1f0
+ tcp_data_ready+0x9c/0xe4
+ tcp_data_queue+0xf6c/0x12d0
+ tcp_rcv_established+0x52c/0x798
+
+Fixes: 84c61fe1a75b ("tls: rx: do not use the standard strparser")
+Signed-off-by: Pengtao He <hept.hept.hept@gmail.com>
+Link: https://patch.msgid.link/20250514132013.17274-1-hept.hept.hept@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tls/tls_strp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/tls/tls_strp.c b/net/tls/tls_strp.c
+index 77e33e1e340e3..65b0da6fdf6a7 100644
+--- a/net/tls/tls_strp.c
++++ b/net/tls/tls_strp.c
+@@ -396,7 +396,6 @@ static int tls_strp_read_copy(struct tls_strparser *strp, bool qshort)
+ return 0;
+
+ shinfo = skb_shinfo(strp->anchor);
+- shinfo->frag_list = NULL;
+
+ /* If we don't know the length go max plus page for cipher overhead */
+ need_spc = strp->stm.full_len ?: TLS_MAX_PAYLOAD_SIZE + PAGE_SIZE;
+@@ -412,6 +411,8 @@ static int tls_strp_read_copy(struct tls_strparser *strp, bool qshort)
+ page, 0, 0);
+ }
+
++ shinfo->frag_list = NULL;
++
+ strp->copy_mode = 1;
+ strp->stm.offset = 0;
+
+--
+2.39.5
+
--- /dev/null
+From 536f8b517251651c6267821a6c8e9dc6bb736821 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 May 2025 21:35:58 -0700
+Subject: net_sched: Flush gso_skb list too during ->change()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit 2d3cbfd6d54a2c39ce3244f33f85c595844bd7b8 ]
+
+Previously, when reducing a qdisc's limit via the ->change() operation, only
+the main skb queue was trimmed, potentially leaving packets in the gso_skb
+list. This could result in NULL pointer dereference when we only check
+sch->limit against sch->q.qlen.
+
+This patch introduces a new helper, qdisc_dequeue_internal(), which ensures
+both the gso_skb list and the main queue are properly flushed when trimming
+excess packets. All relevant qdiscs (codel, fq, fq_codel, fq_pie, hhf, pie)
+are updated to use this helper in their ->change() routines.
+
+Fixes: 76e3cc126bb2 ("codel: Controlled Delay AQM")
+Fixes: 4b549a2ef4be ("fq_codel: Fair Queue Codel AQM")
+Fixes: afe4fd062416 ("pkt_sched: fq: Fair Queue packet scheduler")
+Fixes: ec97ecf1ebe4 ("net: sched: add Flow Queue PIE packet scheduler")
+Fixes: 10239edf86f1 ("net-qdisc-hhf: Heavy-Hitter Filter (HHF) qdisc")
+Fixes: d4b36210c2e6 ("net: pkt_sched: PIE AQM scheme")
+Reported-by: Will <willsroot@protonmail.com>
+Reported-by: Savy <savy@syst3mfailure.io>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sch_generic.h | 15 +++++++++++++++
+ net/sched/sch_codel.c | 2 +-
+ net/sched/sch_fq.c | 2 +-
+ net/sched/sch_fq_codel.c | 2 +-
+ net/sched/sch_fq_pie.c | 2 +-
+ net/sched/sch_hhf.c | 2 +-
+ net/sched/sch_pie.c | 2 +-
+ 7 files changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h
+index d48c657191cd0..1c05fed05f2bc 100644
+--- a/include/net/sch_generic.h
++++ b/include/net/sch_generic.h
+@@ -1031,6 +1031,21 @@ static inline struct sk_buff *__qdisc_dequeue_head(struct qdisc_skb_head *qh)
+ return skb;
+ }
+
++static inline struct sk_buff *qdisc_dequeue_internal(struct Qdisc *sch, bool direct)
++{
++ struct sk_buff *skb;
++
++ skb = __skb_dequeue(&sch->gso_skb);
++ if (skb) {
++ sch->q.qlen--;
++ return skb;
++ }
++ if (direct)
++ return __qdisc_dequeue_head(&sch->q);
++ else
++ return sch->dequeue(sch);
++}
++
+ static inline struct sk_buff *qdisc_dequeue_head(struct Qdisc *sch)
+ {
+ struct sk_buff *skb = __qdisc_dequeue_head(&sch->q);
+diff --git a/net/sched/sch_codel.c b/net/sched/sch_codel.c
+index 12dd71139da39..c93761040c6e7 100644
+--- a/net/sched/sch_codel.c
++++ b/net/sched/sch_codel.c
+@@ -144,7 +144,7 @@ static int codel_change(struct Qdisc *sch, struct nlattr *opt,
+
+ qlen = sch->q.qlen;
+ while (sch->q.qlen > sch->limit) {
+- struct sk_buff *skb = __qdisc_dequeue_head(&sch->q);
++ struct sk_buff *skb = qdisc_dequeue_internal(sch, true);
+
+ dropped += qdisc_pkt_len(skb);
+ qdisc_qstats_backlog_dec(sch, skb);
+diff --git a/net/sched/sch_fq.c b/net/sched/sch_fq.c
+index 2ca5332cfcc5c..902ff54706072 100644
+--- a/net/sched/sch_fq.c
++++ b/net/sched/sch_fq.c
+@@ -1136,7 +1136,7 @@ static int fq_change(struct Qdisc *sch, struct nlattr *opt,
+ sch_tree_lock(sch);
+ }
+ while (sch->q.qlen > sch->limit) {
+- struct sk_buff *skb = fq_dequeue(sch);
++ struct sk_buff *skb = qdisc_dequeue_internal(sch, false);
+
+ if (!skb)
+ break;
+diff --git a/net/sched/sch_fq_codel.c b/net/sched/sch_fq_codel.c
+index 6c9029f71e88d..2a0f3a513bfaa 100644
+--- a/net/sched/sch_fq_codel.c
++++ b/net/sched/sch_fq_codel.c
+@@ -441,7 +441,7 @@ static int fq_codel_change(struct Qdisc *sch, struct nlattr *opt,
+
+ while (sch->q.qlen > sch->limit ||
+ q->memory_usage > q->memory_limit) {
+- struct sk_buff *skb = fq_codel_dequeue(sch);
++ struct sk_buff *skb = qdisc_dequeue_internal(sch, false);
+
+ q->cstats.drop_len += qdisc_pkt_len(skb);
+ rtnl_kfree_skbs(skb, skb);
+diff --git a/net/sched/sch_fq_pie.c b/net/sched/sch_fq_pie.c
+index 93c36afbf5762..67f437c170582 100644
+--- a/net/sched/sch_fq_pie.c
++++ b/net/sched/sch_fq_pie.c
+@@ -366,7 +366,7 @@ static int fq_pie_change(struct Qdisc *sch, struct nlattr *opt,
+
+ /* Drop excess packets if new limit is lower */
+ while (sch->q.qlen > sch->limit) {
+- struct sk_buff *skb = fq_pie_qdisc_dequeue(sch);
++ struct sk_buff *skb = qdisc_dequeue_internal(sch, false);
+
+ len_dropped += qdisc_pkt_len(skb);
+ num_dropped += 1;
+diff --git a/net/sched/sch_hhf.c b/net/sched/sch_hhf.c
+index 44d9efe1a96a8..5aa434b467073 100644
+--- a/net/sched/sch_hhf.c
++++ b/net/sched/sch_hhf.c
+@@ -564,7 +564,7 @@ static int hhf_change(struct Qdisc *sch, struct nlattr *opt,
+ qlen = sch->q.qlen;
+ prev_backlog = sch->qstats.backlog;
+ while (sch->q.qlen > sch->limit) {
+- struct sk_buff *skb = hhf_dequeue(sch);
++ struct sk_buff *skb = qdisc_dequeue_internal(sch, false);
+
+ rtnl_kfree_skbs(skb, skb);
+ }
+diff --git a/net/sched/sch_pie.c b/net/sched/sch_pie.c
+index bb1fa9aa530b2..97f71b6dbf5b5 100644
+--- a/net/sched/sch_pie.c
++++ b/net/sched/sch_pie.c
+@@ -195,7 +195,7 @@ static int pie_change(struct Qdisc *sch, struct nlattr *opt,
+ /* Drop excess packets if new limit is lower */
+ qlen = sch->q.qlen;
+ while (sch->q.qlen > sch->limit) {
+- struct sk_buff *skb = __qdisc_dequeue_head(&sch->q);
++ struct sk_buff *skb = qdisc_dequeue_internal(sch, true);
+
+ dropped += qdisc_pkt_len(skb);
+ qdisc_qstats_backlog_dec(sch, skb);
+--
+2.39.5
+
--- /dev/null
+From 16f2166ce1a5f15f613f1a243d614011e9d65360 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 May 2025 15:16:38 -0700
+Subject: netlink: specs: tc: all actions are indexed arrays
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit f3dd5fb2fa494dcbdb10f8d27f2deac8ef61a2fc ]
+
+Some TC filters have actions listed as indexed arrays of nests
+and some as just nests. They are all indexed arrays, the handling
+is common across filters.
+
+Fixes: 2267672a6190 ("doc/netlink/specs: Update the tc spec")
+Link: https://patch.msgid.link/20250513221638.842532-1-kuba@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/netlink/specs/tc.yaml | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/Documentation/netlink/specs/tc.yaml b/Documentation/netlink/specs/tc.yaml
+index 5e1ff04f51f26..953aa837958b3 100644
+--- a/Documentation/netlink/specs/tc.yaml
++++ b/Documentation/netlink/specs/tc.yaml
+@@ -2017,7 +2017,8 @@ attribute-sets:
+ attributes:
+ -
+ name: act
+- type: nest
++ type: indexed-array
++ sub-type: nest
+ nested-attributes: tc-act-attrs
+ -
+ name: police
+@@ -2250,7 +2251,8 @@ attribute-sets:
+ attributes:
+ -
+ name: act
+- type: nest
++ type: indexed-array
++ sub-type: nest
+ nested-attributes: tc-act-attrs
+ -
+ name: police
+--
+2.39.5
+
--- /dev/null
+From c71dd36045692cee2b131f6e4591c765230d27a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 May 2025 15:13:16 -0700
+Subject: netlink: specs: tc: fix a couple of attribute names
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit a9fb87b8b86918e34ef6bf3316311f41bc1a5b1f ]
+
+Fix up spelling of two attribute names. These are clearly typoes
+and will prevent C codegen from working. Let's treat this as
+a fix to get the correction into users' hands ASAP, and prevent
+anyone depending on the wrong names.
+
+Fixes: a1bcfde83669 ("doc/netlink/specs: Add a spec for tc")
+Link: https://patch.msgid.link/20250513221316.841700-1-kuba@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/netlink/specs/tc.yaml | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Documentation/netlink/specs/tc.yaml b/Documentation/netlink/specs/tc.yaml
+index aacccea5dfe42..5e1ff04f51f26 100644
+--- a/Documentation/netlink/specs/tc.yaml
++++ b/Documentation/netlink/specs/tc.yaml
+@@ -2745,7 +2745,7 @@ attribute-sets:
+ type: u16
+ byte-order: big-endian
+ -
+- name: key-l2-tpv3-sid
++ name: key-l2tpv3-sid
+ type: u32
+ byte-order: big-endian
+ -
+@@ -3504,7 +3504,7 @@ attribute-sets:
+ name: rate64
+ type: u64
+ -
+- name: prate4
++ name: prate64
+ type: u64
+ -
+ name: burst
+--
+2.39.5
+
--- /dev/null
+From 9ee2d4123eacb1d9fa720590b247a70a09634f76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Apr 2025 15:25:08 +0800
+Subject: nfs: handle failure of nfs_get_lock_context in unlock path
+
+From: Li Lingfeng <lilingfeng3@huawei.com>
+
+[ Upstream commit c457dc1ec770a22636b473ce5d35614adfe97636 ]
+
+When memory is insufficient, the allocation of nfs_lock_context in
+nfs_get_lock_context() fails and returns -ENOMEM. If we mistakenly treat
+an nfs4_unlockdata structure (whose l_ctx member has been set to -ENOMEM)
+as valid and proceed to execute rpc_run_task(), this will trigger a NULL
+pointer dereference in nfs4_locku_prepare. For example:
+
+BUG: kernel NULL pointer dereference, address: 000000000000000c
+PGD 0 P4D 0
+Oops: Oops: 0000 [#1] SMP PTI
+CPU: 15 UID: 0 PID: 12 Comm: kworker/u64:0 Not tainted 6.15.0-rc2-dirty #60
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40
+Workqueue: rpciod rpc_async_schedule
+RIP: 0010:nfs4_locku_prepare+0x35/0xc2
+Code: 89 f2 48 89 fd 48 c7 c7 68 69 ef b5 53 48 8b 8e 90 00 00 00 48 89 f3
+RSP: 0018:ffffbbafc006bdb8 EFLAGS: 00010246
+RAX: 000000000000004b RBX: ffff9b964fc1fa00 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: fffffffffffffff4 RDI: ffff9ba53fddbf40
+RBP: ffff9ba539934000 R08: 0000000000000000 R09: ffffbbafc006bc38
+R10: ffffffffb6b689c8 R11: 0000000000000003 R12: ffff9ba539934030
+R13: 0000000000000001 R14: 0000000004248060 R15: ffffffffb56d1c30
+FS: 0000000000000000(0000) GS:ffff9ba5881f0000(0000) knlGS:00000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 000000000000000c CR3: 000000093f244000 CR4: 00000000000006f0
+Call Trace:
+ <TASK>
+ __rpc_execute+0xbc/0x480
+ rpc_async_schedule+0x2f/0x40
+ process_one_work+0x232/0x5d0
+ worker_thread+0x1da/0x3d0
+ ? __pfx_worker_thread+0x10/0x10
+ kthread+0x10d/0x240
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork+0x34/0x50
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork_asm+0x1a/0x30
+ </TASK>
+Modules linked in:
+CR2: 000000000000000c
+---[ end trace 0000000000000000 ]---
+
+Free the allocated nfs4_unlockdata when nfs_get_lock_context() fails and
+return NULL to terminate subsequent rpc_run_task, preventing NULL pointer
+dereference.
+
+Fixes: f30cb757f680 ("NFS: Always wait for I/O completion before unlock")
+Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Link: https://lore.kernel.org/r/20250417072508.3850532-1-lilingfeng3@huawei.com
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs4proc.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index 6e95db6c17e92..810cfd9b7e533 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -7049,10 +7049,18 @@ static struct nfs4_unlockdata *nfs4_alloc_unlockdata(struct file_lock *fl,
+ struct nfs4_unlockdata *p;
+ struct nfs4_state *state = lsp->ls_state;
+ struct inode *inode = state->inode;
++ struct nfs_lock_context *l_ctx;
+
+ p = kzalloc(sizeof(*p), GFP_KERNEL);
+ if (p == NULL)
+ return NULL;
++ l_ctx = nfs_get_lock_context(ctx);
++ if (!IS_ERR(l_ctx)) {
++ p->l_ctx = l_ctx;
++ } else {
++ kfree(p);
++ return NULL;
++ }
+ p->arg.fh = NFS_FH(inode);
+ p->arg.fl = &p->fl;
+ p->arg.seqid = seqid;
+@@ -7060,7 +7068,6 @@ static struct nfs4_unlockdata *nfs4_alloc_unlockdata(struct file_lock *fl,
+ p->lsp = lsp;
+ /* Ensure we don't close file until we're done freeing locks! */
+ p->ctx = get_nfs_open_context(ctx);
+- p->l_ctx = nfs_get_lock_context(ctx);
+ locks_init_lock(&p->fl);
+ locks_copy_lock(&p->fl, fl);
+ p->server = NFS_SERVER(inode);
+--
+2.39.5
+
--- /dev/null
+From 8793f8e6654c1bbf60450896b86cb6ec21701f8a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Apr 2025 14:43:34 -0400
+Subject: NFS/localio: Fix a race in nfs_local_open_fh()
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit fa7ab64f1e2fdc8f2603aab8e0dd20de89cb10d9 ]
+
+Once the clp->cl_uuid.lock has been dropped, another CPU could come in
+and free the struct nfsd_file that was just added. To prevent that from
+happening, take the RCU read lock before dropping the spin lock.
+
+Fixes: 86e00412254a ("nfs: cache all open LOCALIO nfsd_file(s) in client")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Reviewed-by: Mike Snitzer <snitzer@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/localio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/nfs/localio.c b/fs/nfs/localio.c
+index 5c21caeae075c..4ec952f9f47dd 100644
+--- a/fs/nfs/localio.c
++++ b/fs/nfs/localio.c
+@@ -278,6 +278,7 @@ nfs_local_open_fh(struct nfs_client *clp, const struct cred *cred,
+ new = __nfs_local_open_fh(clp, cred, fh, nfl, mode);
+ if (IS_ERR(new))
+ return NULL;
++ rcu_read_lock();
+ /* try to swap in the pointer */
+ spin_lock(&clp->cl_uuid.lock);
+ nf = rcu_dereference_protected(*pnf, 1);
+@@ -287,7 +288,6 @@ nfs_local_open_fh(struct nfs_client *clp, const struct cred *cred,
+ rcu_assign_pointer(*pnf, nf);
+ }
+ spin_unlock(&clp->cl_uuid.lock);
+- rcu_read_lock();
+ }
+ nf = nfs_local_file_get(nf);
+ rcu_read_unlock();
+--
+2.39.5
+
--- /dev/null
+From 9224d4e5ec203f81acd92f71addc586e6653bdf1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 May 2025 10:50:13 -0400
+Subject: NFSv4/pnfs: Reset the layout state after a layoutreturn
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit 6d6d7f91cc8c111d40416ac9240a3bb9396c5235 ]
+
+If there are still layout segments in the layout plh_return_lsegs list
+after a layout return, we should be resetting the state to ensure they
+eventually get returned as well.
+
+Fixes: 68f744797edd ("pNFS: Do not free layout segments that are marked for return")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/pnfs.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
+index 5f582713bf05e..683e09be25adf 100644
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -745,6 +745,14 @@ pnfs_mark_matching_lsegs_invalid(struct pnfs_layout_hdr *lo,
+ return remaining;
+ }
+
++static void pnfs_reset_return_info(struct pnfs_layout_hdr *lo)
++{
++ struct pnfs_layout_segment *lseg;
++
++ list_for_each_entry(lseg, &lo->plh_return_segs, pls_list)
++ pnfs_set_plh_return_info(lo, lseg->pls_range.iomode, 0);
++}
++
+ static void
+ pnfs_free_returned_lsegs(struct pnfs_layout_hdr *lo,
+ struct list_head *free_me,
+@@ -1292,6 +1300,7 @@ void pnfs_layoutreturn_free_lsegs(struct pnfs_layout_hdr *lo,
+ pnfs_mark_matching_lsegs_invalid(lo, &freeme, range, seq);
+ pnfs_free_returned_lsegs(lo, &freeme, range, seq);
+ pnfs_set_layout_stateid(lo, stateid, NULL, true);
++ pnfs_reset_return_info(lo);
+ } else
+ pnfs_mark_layout_stateid_invalid(lo, &freeme);
+ out_unlock:
+--
+2.39.5
+
--- /dev/null
+From 35b1fbca965da70431b90c8e7a5819f7b54c03d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 May 2025 16:57:06 +0200
+Subject: nvme-pci: acquire cq_poll_lock in nvme_poll_irqdisable
+
+From: Keith Busch <kbusch@kernel.org>
+
+[ Upstream commit 3d8932133dcecbd9bef1559533c1089601006f45 ]
+
+We need to lock this queue for that condition because the timeout work
+executes per-namespace and can poll the poll CQ.
+
+Reported-by: Hannes Reinecke <hare@kernel.org>
+Closes: https://lore.kernel.org/all/20240902130728.1999-1-hare@kernel.org/
+Fixes: a0fa9647a54e ("NVMe: add blk polling support")
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Daniel Wagner <wagi@kernel.org>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index 7fdf7f24d46e6..00bd21b5c641e 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -1205,7 +1205,9 @@ static void nvme_poll_irqdisable(struct nvme_queue *nvmeq)
+ WARN_ON_ONCE(test_bit(NVMEQ_POLLED, &nvmeq->flags));
+
+ disable_irq(pci_irq_vector(pdev, nvmeq->cq_vector));
++ spin_lock(&nvmeq->cq_poll_lock);
+ nvme_poll_cq(nvmeq, NULL);
++ spin_unlock(&nvmeq->cq_poll_lock);
+ enable_irq(pci_irq_vector(pdev, nvmeq->cq_vector));
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 0618e64a70c9c632e25101bebccc158fba2dcfdd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 May 2025 20:35:40 -0700
+Subject: nvme-pci: make nvme_pci_npages_prp() __always_inline
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit 40696426b8c8c4f13cf6ac52f0470eed144be4b2 ]
+
+The only reason nvme_pci_npages_prp() could be used as a compile-time
+known result in BUILD_BUG_ON() is because the compiler was always choosing
+to inline the function. Under special circumstances (sanitizer coverage
+functions disabled for __init functions on ARCH=um), the compiler decided
+to stop inlining it:
+
+ drivers/nvme/host/pci.c: In function 'nvme_init':
+ include/linux/compiler_types.h:557:45: error: call to '__compiletime_assert_678' declared with attribute error: BUILD_BUG_ON failed: nvme_pci_npages_prp() > NVME_MAX_NR_ALLOCATIONS
+ 557 | _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)
+ | ^
+ include/linux/compiler_types.h:538:25: note: in definition of macro '__compiletime_assert'
+ 538 | prefix ## suffix(); \
+ | ^~~~~~
+ include/linux/compiler_types.h:557:9: note: in expansion of macro '_compiletime_assert'
+ 557 | _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)
+ | ^~~~~~~~~~~~~~~~~~~
+ include/linux/build_bug.h:39:37: note: in expansion of macro 'compiletime_assert'
+ 39 | #define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg)
+ | ^~~~~~~~~~~~~~~~~~
+ include/linux/build_bug.h:50:9: note: in expansion of macro 'BUILD_BUG_ON_MSG'
+ 50 | BUILD_BUG_ON_MSG(condition, "BUILD_BUG_ON failed: " #condition)
+ | ^~~~~~~~~~~~~~~~
+ drivers/nvme/host/pci.c:3804:9: note: in expansion of macro 'BUILD_BUG_ON'
+ 3804 | BUILD_BUG_ON(nvme_pci_npages_prp() > NVME_MAX_NR_ALLOCATIONS);
+ | ^~~~~~~~~~~~
+
+Force it to be __always_inline to make sure it is always available for
+use with BUILD_BUG_ON().
+
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202505061846.12FMyRjj-lkp@intel.com/
+Fixes: c372cdd1efdf ("nvme-pci: iod npages fits in s8")
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index d49b69565d04c..7fdf7f24d46e6 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -390,7 +390,7 @@ static bool nvme_dbbuf_update_and_check_event(u16 value, __le32 *dbbuf_db,
+ * as it only leads to a small amount of wasted memory for the lifetime of
+ * the I/O.
+ */
+-static int nvme_pci_npages_prp(void)
++static __always_inline int nvme_pci_npages_prp(void)
+ {
+ unsigned max_bytes = (NVME_MAX_KB_SZ * 1024) + NVME_CTRL_PAGE_SIZE;
+ unsigned nprps = DIV_ROUND_UP(max_bytes, NVME_CTRL_PAGE_SIZE);
+--
+2.39.5
+
--- /dev/null
+From 36948be2e6b59d3f7f73c88061b1e49dcf5a70d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 May 2025 12:45:54 +0530
+Subject: octeontx2-af: Fix CGX Receive counters
+
+From: Hariprasad Kelam <hkelam@marvell.com>
+
+[ Upstream commit bf449f35e77fd44017abf991fac1f9ab7705bbe0 ]
+
+Each CGX block supports 4 logical MACs (LMACS). Receive
+counters CGX_CMR_RX_STAT0-8 are per LMAC and CGX_CMR_RX_STAT9-12
+are per CGX.
+
+Due a bug in previous patch, stale Per CGX counters values observed.
+
+Fixes: 66208910e57a ("octeontx2-af: Support to retrieve CGX LMAC stats")
+Signed-off-by: Hariprasad Kelam <hkelam@marvell.com>
+Link: https://patch.msgid.link/20250513071554.728922-1-hkelam@marvell.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/af/cgx.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/af/cgx.c b/drivers/net/ethernet/marvell/octeontx2/af/cgx.c
+index 8216f843a7cd5..e43c4608d3ba3 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/af/cgx.c
++++ b/drivers/net/ethernet/marvell/octeontx2/af/cgx.c
+@@ -707,6 +707,11 @@ int cgx_get_rx_stats(void *cgxd, int lmac_id, int idx, u64 *rx_stat)
+
+ if (!is_lmac_valid(cgx, lmac_id))
+ return -ENODEV;
++
++ /* pass lmac as 0 for CGX_CMR_RX_STAT9-12 */
++ if (idx >= CGX_RX_STAT_GLOBAL_INDEX)
++ lmac_id = 0;
++
+ *rx_stat = cgx_read(cgx, lmac_id, CGXX_CMRX_RX_STAT0 + (idx * 8));
+ return 0;
+ }
+--
+2.39.5
+
--- /dev/null
+From 9fca469762ca8ff10affc6b5645d05b6ef3aa4e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 May 2025 18:22:37 +0530
+Subject: octeontx2-pf: Do not reallocate all ntuple filters
+
+From: Subbaraya Sundeep <sbhatta@marvell.com>
+
+[ Upstream commit dcb479fde00be9a151c047d0a7c0626b64eb0019 ]
+
+If ntuple filters count is modified followed by
+unicast filters count using devlink then the ntuple count
+set by user is ignored and all the ntuple filters are
+being reallocated. Fix this by storing the ntuple count
+set by user. Without this patch, say if user tries
+to modify ntuple count as 8 followed by ucast filter count as 4
+using devlink commands then ntuple count is being reverted to
+default value 16 i.e, not retaining user set value 8.
+
+Fixes: 39c469188b6d ("octeontx2-pf: Add ucast filter count configurability via devlink.")
+Signed-off-by: Subbaraya Sundeep <sbhatta@marvell.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/1747054357-5850-1-git-send-email-sbhatta@marvell.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h | 1 +
+ drivers/net/ethernet/marvell/octeontx2/nic/otx2_devlink.c | 1 +
+ drivers/net/ethernet/marvell/octeontx2/nic/otx2_flows.c | 3 ++-
+ 3 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h
+index 65814e3dc93f5..7cc12f10e8a15 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_common.h
+@@ -349,6 +349,7 @@ struct otx2_flow_config {
+ struct list_head flow_list_tc;
+ u8 ucast_flt_cnt;
+ bool ntuple;
++ u16 ntuple_cnt;
+ };
+
+ struct dev_hw_ops {
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_devlink.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_devlink.c
+index 33ec9a7f7c033..e13ae5484c19c 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_devlink.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_devlink.c
+@@ -41,6 +41,7 @@ static int otx2_dl_mcam_count_set(struct devlink *devlink, u32 id,
+ if (!pfvf->flow_cfg)
+ return 0;
+
++ pfvf->flow_cfg->ntuple_cnt = ctx->val.vu16;
+ otx2_alloc_mcam_entries(pfvf, ctx->val.vu16);
+
+ return 0;
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_flows.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_flows.c
+index 47bfd1fb37d4b..64c6d9162ef64 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_flows.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_flows.c
+@@ -247,7 +247,7 @@ int otx2_mcam_entry_init(struct otx2_nic *pfvf)
+ mutex_unlock(&pfvf->mbox.lock);
+
+ /* Allocate entries for Ntuple filters */
+- count = otx2_alloc_mcam_entries(pfvf, OTX2_DEFAULT_FLOWCOUNT);
++ count = otx2_alloc_mcam_entries(pfvf, flow_cfg->ntuple_cnt);
+ if (count <= 0) {
+ otx2_clear_ntuple_flow_info(pfvf, flow_cfg);
+ return 0;
+@@ -307,6 +307,7 @@ int otx2_mcam_flow_init(struct otx2_nic *pf)
+ INIT_LIST_HEAD(&pf->flow_cfg->flow_list_tc);
+
+ pf->flow_cfg->ucast_flt_cnt = OTX2_DEFAULT_UNICAST_FLOWS;
++ pf->flow_cfg->ntuple_cnt = OTX2_DEFAULT_FLOWCOUNT;
+
+ /* Allocate bare minimum number of MCAM entries needed for
+ * unicast and ntuple filters.
+--
+2.39.5
+
--- /dev/null
+From 1e4e56cf8c910cb548000b1b325daebeaec70a45 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 May 2025 11:59:01 +0530
+Subject: octeontx2-pf: Fix ethtool support for SDP representors
+
+From: Hariprasad Kelam <hkelam@marvell.com>
+
+[ Upstream commit 314007549d89adebdd1e214a743d7e26edbd075e ]
+
+The hardware supports multiple MAC types, including RPM, SDP, and LBK.
+However, features such as link settings and pause frames are only available
+on RPM MAC, and not supported on SDP or LBK.
+
+This patch updates the ethtool operations logic accordingly to reflect
+this behavior.
+
+Fixes: 2f7f33a09516 ("octeontx2-pf: Add representors for sdp MAC")
+Signed-off-by: Hariprasad Kelam <hkelam@marvell.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
+index 2d53dc77ef1ef..b3f616a7f2e96 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
+@@ -315,7 +315,7 @@ static void otx2_get_pauseparam(struct net_device *netdev,
+ struct otx2_nic *pfvf = netdev_priv(netdev);
+ struct cgx_pause_frm_cfg *req, *rsp;
+
+- if (is_otx2_lbkvf(pfvf->pdev))
++ if (is_otx2_lbkvf(pfvf->pdev) || is_otx2_sdp_rep(pfvf->pdev))
+ return;
+
+ mutex_lock(&pfvf->mbox.lock);
+@@ -347,7 +347,7 @@ static int otx2_set_pauseparam(struct net_device *netdev,
+ if (pause->autoneg)
+ return -EOPNOTSUPP;
+
+- if (is_otx2_lbkvf(pfvf->pdev))
++ if (is_otx2_lbkvf(pfvf->pdev) || is_otx2_sdp_rep(pfvf->pdev))
+ return -EOPNOTSUPP;
+
+ if (pause->rx_pause)
+@@ -937,8 +937,8 @@ static u32 otx2_get_link(struct net_device *netdev)
+ {
+ struct otx2_nic *pfvf = netdev_priv(netdev);
+
+- /* LBK link is internal and always UP */
+- if (is_otx2_lbkvf(pfvf->pdev))
++ /* LBK and SDP links are internal and always UP */
++ if (is_otx2_lbkvf(pfvf->pdev) || is_otx2_sdp_rep(pfvf->pdev))
+ return 1;
+ return pfvf->linfo.link_up;
+ }
+@@ -1409,7 +1409,7 @@ static int otx2vf_get_link_ksettings(struct net_device *netdev,
+ {
+ struct otx2_nic *pfvf = netdev_priv(netdev);
+
+- if (is_otx2_lbkvf(pfvf->pdev)) {
++ if (is_otx2_lbkvf(pfvf->pdev) || is_otx2_sdp_rep(pfvf->pdev)) {
+ cmd->base.duplex = DUPLEX_FULL;
+ cmd->base.speed = SPEED_100000;
+ } else {
+--
+2.39.5
+
--- /dev/null
+From a51400f349566a413b3871c6c9938afb0bc7e0f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 May 2025 18:12:36 +0530
+Subject: octeontx2-pf: macsec: Fix incorrect max transmit size in TX secy
+
+From: Subbaraya Sundeep <sbhatta@marvell.com>
+
+[ Upstream commit 865ab2461375e3a5a2526f91f9a9f17b8931bc9e ]
+
+MASCEC hardware block has a field called maximum transmit size for
+TX secy. Max packet size going out of MCS block has be programmed
+taking into account full packet size which has L2 header,SecTag
+and ICV. MACSEC offload driver is configuring max transmit size as
+macsec interface MTU which is incorrect. Say with 1500 MTU of real
+device, macsec interface created on top of real device will have MTU of
+1468(1500 - (SecTag + ICV)). This is causing packets from macsec
+interface of size greater than or equal to 1468 are not getting
+transmitted out because driver programmed max transmit size as 1468
+instead of 1514(1500 + ETH_HDR_LEN).
+
+Fixes: c54ffc73601c ("octeontx2-pf: mcs: Introduce MACSEC hardware offloading")
+Signed-off-by: Subbaraya Sundeep <sbhatta@marvell.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/1747053756-4529-1-git-send-email-sbhatta@marvell.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c
+index f3b9daffaec3c..4c7e0f345cb5b 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c
++++ b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c
+@@ -531,7 +531,8 @@ static int cn10k_mcs_write_tx_secy(struct otx2_nic *pfvf,
+ if (sw_tx_sc->encrypt)
+ sectag_tci |= (MCS_TCI_E | MCS_TCI_C);
+
+- policy = FIELD_PREP(MCS_TX_SECY_PLCY_MTU, secy->netdev->mtu);
++ policy = FIELD_PREP(MCS_TX_SECY_PLCY_MTU,
++ pfvf->netdev->mtu + OTX2_ETH_HLEN);
+ /* Write SecTag excluding AN bits(1..0) */
+ policy |= FIELD_PREP(MCS_TX_SECY_PLCY_ST_TCI, sectag_tci >> 2);
+ policy |= FIELD_PREP(MCS_TX_SECY_PLCY_ST_OFFSET, tag_offset);
+--
+2.39.5
+
--- /dev/null
+From e2b17eb2ecc8741a9c63126edb1d28bf9fc519dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Apr 2025 10:23:57 +0000
+Subject: platform/x86/amd/hsmp: Make amd_hsmp and hsmp_acpi as mutually
+ exclusive drivers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Suma Hegde <suma.hegde@amd.com>
+
+[ Upstream commit 0581d384f344ed0a963dd27cbff3c7af80c189e7 ]
+
+amd_hsmp and hsmp_acpi are intended to be mutually exclusive drivers and
+amd_hsmp is for legacy platforms. To achieve this, it is essential to
+check for the presence of the ACPI device in plat.c. If the hsmp ACPI
+device entry is found, allow the hsmp_acpi driver to manage the hsmp
+and return an error from plat.c.
+
+Additionally, rename the driver from amd_hsmp to hsmp_acpi to prevent
+"Driver 'amd_hsmp' is already registered, aborting..." error in case
+both drivers are loaded simultaneously.
+
+Also, support both platform device based and ACPI based probing for
+family 0x1A models 0x00 to 0x0F, implement only ACPI based probing
+for family 0x1A, models 0x10 to 0x1F. Return false from
+legacy_hsmp_support() for this platform.
+This aligns with the condition check in is_f1a_m0h().
+
+Link: https://lore.kernel.org/platform-driver-x86/aALZxvHWmphNL1wa@gourry-fedora-PF4VCD3F/
+Fixes: 7d3135d16356 ("platform/x86/amd/hsmp: Create separate ACPI, plat and common drivers")
+Reviewed-by: Naveen Krishna Chatradhi <naveenkrishna.chatradhi@amd.com>
+Co-developed-by: Gregory Price <gourry@gourry.net>
+Signed-off-by: Gregory Price <gourry@gourry.net>
+Signed-off-by: Suma Hegde <suma.hegde@amd.com>
+Link: https://lore.kernel.org/r/20250425102357.266790-1-suma.hegde@amd.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/amd/hsmp/acpi.c | 3 +--
+ drivers/platform/x86/amd/hsmp/hsmp.h | 1 +
+ drivers/platform/x86/amd/hsmp/plat.c | 6 +++++-
+ 3 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/platform/x86/amd/hsmp/acpi.c b/drivers/platform/x86/amd/hsmp/acpi.c
+index c1eccb3c80c5c..eaae044e4f824 100644
+--- a/drivers/platform/x86/amd/hsmp/acpi.c
++++ b/drivers/platform/x86/amd/hsmp/acpi.c
+@@ -27,9 +27,8 @@
+
+ #include "hsmp.h"
+
+-#define DRIVER_NAME "amd_hsmp"
++#define DRIVER_NAME "hsmp_acpi"
+ #define DRIVER_VERSION "2.3"
+-#define ACPI_HSMP_DEVICE_HID "AMDI0097"
+
+ /* These are the strings specified in ACPI table */
+ #define MSG_IDOFF_STR "MsgIdOffset"
+diff --git a/drivers/platform/x86/amd/hsmp/hsmp.h b/drivers/platform/x86/amd/hsmp/hsmp.h
+index af8b21f821d66..d58d4f0c20d55 100644
+--- a/drivers/platform/x86/amd/hsmp/hsmp.h
++++ b/drivers/platform/x86/amd/hsmp/hsmp.h
+@@ -23,6 +23,7 @@
+
+ #define HSMP_CDEV_NAME "hsmp_cdev"
+ #define HSMP_DEVNODE_NAME "hsmp"
++#define ACPI_HSMP_DEVICE_HID "AMDI0097"
+
+ struct hsmp_mbaddr_info {
+ u32 base_addr;
+diff --git a/drivers/platform/x86/amd/hsmp/plat.c b/drivers/platform/x86/amd/hsmp/plat.c
+index b9782a078dbd2..81931e808bbc8 100644
+--- a/drivers/platform/x86/amd/hsmp/plat.c
++++ b/drivers/platform/x86/amd/hsmp/plat.c
+@@ -11,6 +11,7 @@
+
+ #include <asm/amd_hsmp.h>
+
++#include <linux/acpi.h>
+ #include <linux/build_bug.h>
+ #include <linux/device.h>
+ #include <linux/module.h>
+@@ -266,7 +267,7 @@ static bool legacy_hsmp_support(void)
+ }
+ case 0x1A:
+ switch (boot_cpu_data.x86_model) {
+- case 0x00 ... 0x1F:
++ case 0x00 ... 0x0F:
+ return true;
+ default:
+ return false;
+@@ -288,6 +289,9 @@ static int __init hsmp_plt_init(void)
+ return ret;
+ }
+
++ if (acpi_dev_present(ACPI_HSMP_DEVICE_HID, NULL, -1))
++ return -ENODEV;
++
+ hsmp_pdev = get_hsmp_pdev();
+ if (!hsmp_pdev)
+ return -ENOMEM;
+--
+2.39.5
+
--- /dev/null
+From 308c9b2c7ef772e2905676310ddbfd77777ca914 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 May 2025 18:01:03 +0800
+Subject: platform/x86/amd/pmc: Declare quirk_spurious_8042 for MECHREVO Wujie
+ 14XA (GX4HRXL)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Runhua He <hua@aosc.io>
+
+[ Upstream commit 0887817e4953885fbd6a5c1bec2fdd339261eb19 ]
+
+MECHREVO Wujie 14XA (GX4HRXL) wakes up immediately after s2idle entry.
+This happens regardless of whether the laptop is plugged into AC power,
+or whether any peripheral is plugged into the laptop.
+
+Similar to commit a55bdad5dfd1 ("platform/x86/amd/pmc: Disable keyboard
+wakeup on AMD Framework 13"), the MECHREVO Wujie 14XA wakes up almost
+instantly after s2idle suspend entry (IRQ1 is the keyboard):
+
+2025-04-18 17:23:57,588 DEBUG: PM: Triggering wakeup from IRQ 9
+2025-04-18 17:23:57,588 DEBUG: PM: Triggering wakeup from IRQ 1
+
+Add this model to the spurious_8042 quirk to workaround this.
+
+This patch does not affect the wake-up function of the built-in keyboard.
+Because the firmware of this machine adds an insurance for keyboard
+wake-up events, as it always triggers an additional IRQ 9 to wake up the
+system.
+
+Suggested-by: Mingcong Bai <jeffbai@aosc.io>
+Suggested-by: Xinhui Yang <cyan@cyano.uk>
+Suggested-by: Rong Zhang <i@rong.moe>
+Fixes: a55bdad5dfd1 ("platform/x86/amd/pmc: Disable keyboard wakeup on AMD Framework 13")
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4166
+Cc: Mario Limonciello <mario.limonciello@amd.com>
+Link: https://zhuanldan.zhihu.com/p/730538041
+Tested-by: Yemu Lu <prcups@krgm.moe>
+Signed-off-by: Runhua He <hua@aosc.io>
+Link: https://lore.kernel.org/r/20250507100103.995395-1-hua@aosc.io
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/amd/pmc/pmc-quirks.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/platform/x86/amd/pmc/pmc-quirks.c b/drivers/platform/x86/amd/pmc/pmc-quirks.c
+index b4f49720c87f6..2e3f6fc67c568 100644
+--- a/drivers/platform/x86/amd/pmc/pmc-quirks.c
++++ b/drivers/platform/x86/amd/pmc/pmc-quirks.c
+@@ -217,6 +217,13 @@ static const struct dmi_system_id fwbug_list[] = {
+ DMI_MATCH(DMI_BIOS_VERSION, "03.05"),
+ }
+ },
++ {
++ .ident = "MECHREVO Wujie 14X (GX4HRXL)",
++ .driver_data = &quirk_spurious_8042,
++ .matches = {
++ DMI_MATCH(DMI_BOARD_NAME, "WUJIE14-GX4HRXL"),
++ }
++ },
+ {}
+ };
+
+--
+2.39.5
+
--- /dev/null
+From c891901370e5ff22af4ad751c85e1b3f51bc4034 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 May 2025 15:17:02 +0200
+Subject: platform/x86: asus-wmi: Fix wlan_ctrl_by_user detection
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit bfcfe6d335a967f8ea0c1980960e6f0205b5de6e ]
+
+The wlan_ctrl_by_user detection was introduced by commit a50bd128f28c
+("asus-wmi: record wlan status while controlled by userapp").
+
+Quoting from that commit's commit message:
+
+"""
+When you call WMIMethod(DSTS, 0x00010011) to get WLAN status, it may return
+
+(1) 0x00050001 (On)
+(2) 0x00050000 (Off)
+(3) 0x00030001 (On)
+(4) 0x00030000 (Off)
+(5) 0x00000002 (Unknown)
+
+(1), (2) means that the model has hardware GPIO for WLAN, you can call
+WMIMethod(DEVS, 0x00010011, 1 or 0) to turn WLAN on/off.
+(3), (4) means that the model doesn’t have hardware GPIO, you need to use
+API or driver library to turn WLAN on/off, and call
+WMIMethod(DEVS, 0x00010012, 1 or 0) to set WLAN LED status.
+After you set WLAN LED status, you can see the WLAN status is changed with
+WMIMethod(DSTS, 0x00010011). Because the status is recorded lastly
+(ex: Windows), you can use it for synchronization.
+(5) means that the model doesn’t have WLAN device.
+
+WLAN is the ONLY special case with upper rule.
+"""
+
+The wlan_ctrl_by_user flag should be set on 0x0003000? ((3), (4) above)
+return values, but the flag mistakenly also gets set on laptops with
+0x0005000? ((1), (2)) return values. This is causing rfkill problems on
+laptops where 0x0005000? is returned.
+
+Fix the check to only set the wlan_ctrl_by_user flag for 0x0003000?
+return values.
+
+Fixes: a50bd128f28c ("asus-wmi: record wlan status while controlled by userapp")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=219786
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Armin Wolf <W_Armin@gmx.de>
+Link: https://lore.kernel.org/r/20250501131702.103360-2-hdegoede@redhat.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/asus-wmi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
+index 38ef778e8c19b..f66d152e265da 100644
+--- a/drivers/platform/x86/asus-wmi.c
++++ b/drivers/platform/x86/asus-wmi.c
+@@ -4777,7 +4777,8 @@ static int asus_wmi_add(struct platform_device *pdev)
+ goto fail_leds;
+
+ asus_wmi_get_devstate(asus, ASUS_WMI_DEVID_WLAN, &result);
+- if (result & (ASUS_WMI_DSTS_PRESENCE_BIT | ASUS_WMI_DSTS_USER_BIT))
++ if ((result & (ASUS_WMI_DSTS_PRESENCE_BIT | ASUS_WMI_DSTS_USER_BIT)) ==
++ (ASUS_WMI_DSTS_PRESENCE_BIT | ASUS_WMI_DSTS_USER_BIT))
+ asus->driver->wlan_ctrl_by_user = 1;
+
+ if (!(asus->driver->wlan_ctrl_by_user && ashs_present())) {
+--
+2.39.5
+
--- /dev/null
+From 552c93c93ebdc94a087bb1883303396ed4e450e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 May 2025 10:18:27 +0530
+Subject: qlcnic: fix memory leak in qlcnic_sriov_channel_cfg_cmd()
+
+From: Abdun Nihaal <abdun.nihaal@gmail.com>
+
+[ Upstream commit 9d8a99c5a7c7f4f7eca2c168a4ec254409670035 ]
+
+In one of the error paths in qlcnic_sriov_channel_cfg_cmd(), the memory
+allocated in qlcnic_sriov_alloc_bc_mbx_args() for mailbox arguments is
+not freed. Fix that by jumping to the error path that frees them, by
+calling qlcnic_free_mbx_args(). This was found using static analysis.
+
+Fixes: f197a7aa6288 ("qlcnic: VF-PF communication channel implementation")
+Signed-off-by: Abdun Nihaal <abdun.nihaal@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250512044829.36400-1-abdun.nihaal@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c
+index 28d24d59efb84..d57b976b90409 100644
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c
+@@ -1484,8 +1484,11 @@ static int qlcnic_sriov_channel_cfg_cmd(struct qlcnic_adapter *adapter, u8 cmd_o
+ }
+
+ cmd_op = (cmd.rsp.arg[0] & 0xff);
+- if (cmd.rsp.arg[0] >> 25 == 2)
+- return 2;
++ if (cmd.rsp.arg[0] >> 25 == 2) {
++ ret = 2;
++ goto out;
++ }
++
+ if (cmd_op == QLCNIC_BC_CMD_CHANNEL_INIT)
+ set_bit(QLC_BC_VF_STATE, &vf->state);
+ else
+--
+2.39.5
+
--- /dev/null
+From 0efe8e7c9944bca5e7656a57a2214507e584772d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 May 2025 17:10:08 +0200
+Subject: RDMA/core: Fix "KASAN: slab-use-after-free Read in
+ ib_register_device" problem
+
+From: Zhu Yanjun <yanjun.zhu@linux.dev>
+
+[ Upstream commit d0706bfd3ee40923c001c6827b786a309e2a8713 ]
+
+Call Trace:
+
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:408 [inline]
+ print_report+0xc3/0x670 mm/kasan/report.c:521
+ kasan_report+0xe0/0x110 mm/kasan/report.c:634
+ strlen+0x93/0xa0 lib/string.c:420
+ __fortify_strlen include/linux/fortify-string.h:268 [inline]
+ get_kobj_path_length lib/kobject.c:118 [inline]
+ kobject_get_path+0x3f/0x2a0 lib/kobject.c:158
+ kobject_uevent_env+0x289/0x1870 lib/kobject_uevent.c:545
+ ib_register_device drivers/infiniband/core/device.c:1472 [inline]
+ ib_register_device+0x8cf/0xe00 drivers/infiniband/core/device.c:1393
+ rxe_register_device+0x275/0x320 drivers/infiniband/sw/rxe/rxe_verbs.c:1552
+ rxe_net_add+0x8e/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:550
+ rxe_newlink+0x70/0x190 drivers/infiniband/sw/rxe/rxe.c:225
+ nldev_newlink+0x3a3/0x680 drivers/infiniband/core/nldev.c:1796
+ rdma_nl_rcv_msg+0x387/0x6e0 drivers/infiniband/core/netlink.c:195
+ rdma_nl_rcv_skb.constprop.0.isra.0+0x2e5/0x450
+ netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
+ netlink_unicast+0x53a/0x7f0 net/netlink/af_netlink.c:1339
+ netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1883
+ sock_sendmsg_nosec net/socket.c:712 [inline]
+ __sock_sendmsg net/socket.c:727 [inline]
+ ____sys_sendmsg+0xa95/0xc70 net/socket.c:2566
+ ___sys_sendmsg+0x134/0x1d0 net/socket.c:2620
+ __sys_sendmsg+0x16d/0x220 net/socket.c:2652
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+This problem is similar to the problem that the
+commit 1d6a9e7449e2 ("RDMA/core: Fix use-after-free when rename device name")
+fixes.
+
+The root cause is: the function ib_device_rename() renames the name with
+lock. But in the function kobject_uevent(), this name is accessed without
+lock protection at the same time.
+
+The solution is to add the lock protection when this name is accessed in
+the function kobject_uevent().
+
+Fixes: 779e0bf47632 ("RDMA/core: Do not indicate device ready when device enablement fails")
+Link: https://patch.msgid.link/r/20250506151008.75701-1-yanjun.zhu@linux.dev
+Reported-by: syzbot+e2ce9e275ecc70a30b72@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=e2ce9e275ecc70a30b72
+Signed-off-by: Zhu Yanjun <yanjun.zhu@linux.dev>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/device.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c
+index ee75b99f84bcc..baf12e3e2a7ea 100644
+--- a/drivers/infiniband/core/device.c
++++ b/drivers/infiniband/core/device.c
+@@ -1352,6 +1352,9 @@ static void ib_device_notify_register(struct ib_device *device)
+
+ down_read(&devices_rwsem);
+
++ /* Mark for userspace that device is ready */
++ kobject_uevent(&device->dev.kobj, KOBJ_ADD);
++
+ ret = rdma_nl_notify_event(device, 0, RDMA_REGISTER_EVENT);
+ if (ret)
+ goto out;
+@@ -1468,10 +1471,9 @@ int ib_register_device(struct ib_device *device, const char *name,
+ return ret;
+ }
+ dev_set_uevent_suppress(&device->dev, false);
+- /* Mark for userspace that device is ready */
+- kobject_uevent(&device->dev.kobj, KOBJ_ADD);
+
+ ib_device_notify_register(device);
++
+ ib_device_put(device);
+
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From 89ef8170e64d89938bbb05eac0a224bdbdd17267 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Apr 2025 09:57:14 +0200
+Subject: RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug
+
+From: Zhu Yanjun <yanjun.zhu@linux.dev>
+
+[ Upstream commit f81b33582f9339d2dc17c69b92040d3650bb4bae ]
+
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x7d/0xa0 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0xcf/0x610 mm/kasan/report.c:489
+ kasan_report+0xb5/0xe0 mm/kasan/report.c:602
+ rxe_queue_cleanup+0xd0/0xe0 drivers/infiniband/sw/rxe/rxe_queue.c:195
+ rxe_cq_cleanup+0x3f/0x50 drivers/infiniband/sw/rxe/rxe_cq.c:132
+ __rxe_cleanup+0x168/0x300 drivers/infiniband/sw/rxe/rxe_pool.c:232
+ rxe_create_cq+0x22e/0x3a0 drivers/infiniband/sw/rxe/rxe_verbs.c:1109
+ create_cq+0x658/0xb90 drivers/infiniband/core/uverbs_cmd.c:1052
+ ib_uverbs_create_cq+0xc7/0x120 drivers/infiniband/core/uverbs_cmd.c:1095
+ ib_uverbs_write+0x969/0xc90 drivers/infiniband/core/uverbs_main.c:679
+ vfs_write fs/read_write.c:677 [inline]
+ vfs_write+0x26a/0xcc0 fs/read_write.c:659
+ ksys_write+0x1b8/0x200 fs/read_write.c:731
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xaa/0x1b0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+In the function rxe_create_cq, when rxe_cq_from_init fails, the function
+rxe_cleanup will be called to handle the allocated resources. In fact,
+some memory resources have already been freed in the function
+rxe_cq_from_init. Thus, this problem will occur.
+
+The solution is to let rxe_cleanup do all the work.
+
+Fixes: 8700e3e7c485 ("Soft RoCE driver")
+Link: https://paste.ubuntu.com/p/tJgC42wDf6/
+Tested-by: liuyi <liuy22@mails.tsinghua.edu.cn>
+Signed-off-by: Zhu Yanjun <yanjun.zhu@linux.dev>
+Link: https://patch.msgid.link/20250412075714.3257358-1-yanjun.zhu@linux.dev
+Reviewed-by: Daisuke Matsuda <matsuda-daisuke@fujitsu.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/sw/rxe/rxe_cq.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_cq.c b/drivers/infiniband/sw/rxe/rxe_cq.c
+index fec87c9030abd..fffd144d509eb 100644
+--- a/drivers/infiniband/sw/rxe/rxe_cq.c
++++ b/drivers/infiniband/sw/rxe/rxe_cq.c
+@@ -56,11 +56,8 @@ int rxe_cq_from_init(struct rxe_dev *rxe, struct rxe_cq *cq, int cqe,
+
+ err = do_mmap_info(rxe, uresp ? &uresp->mi : NULL, udata,
+ cq->queue->buf, cq->queue->buf_size, &cq->queue->ip);
+- if (err) {
+- vfree(cq->queue->buf);
+- kfree(cq->queue);
++ if (err)
+ return err;
+- }
+
+ cq->is_user = uresp;
+
+--
+2.39.5
+
--- /dev/null
+From 6ce589fcd5e91fda79ad8ee1a999e96e3f171846 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 May 2025 09:49:43 +0300
+Subject: regulator: max20086: fix invalid memory access
+
+From: Cosmin Tanislav <demonsingur@gmail.com>
+
+[ Upstream commit 6b0cd72757c69bc2d45da42b41023e288d02e772 ]
+
+max20086_parse_regulators_dt() calls of_regulator_match() using an
+array of struct of_regulator_match allocated on the stack for the
+matches argument.
+
+of_regulator_match() calls devm_of_regulator_put_matches(), which calls
+devres_alloc() to allocate a struct devm_of_regulator_matches which will
+be de-allocated using devm_of_regulator_put_matches().
+
+struct devm_of_regulator_matches is populated with the stack allocated
+matches array.
+
+If the device fails to probe, devm_of_regulator_put_matches() will be
+called and will try to call of_node_put() on that stack pointer,
+generating the following dmesg entries:
+
+max20086 6-0028: Failed to read DEVICE_ID reg: -121
+kobject: '\xc0$\xa5\x03' (000000002cebcb7a): is not initialized, yet
+kobject_put() is being called.
+
+Followed by a stack trace matching the call flow described above.
+
+Switch to allocating the matches array using devm_kcalloc() to
+avoid accessing the stack pointer long after it's out of scope.
+
+This also has the advantage of allowing multiple max20086 to probe
+without overriding the data stored inside the global of_regulator_match.
+
+Fixes: bfff546aae50 ("regulator: Add MAX20086-MAX20089 driver")
+Signed-off-by: Cosmin Tanislav <demonsingur@gmail.com>
+Link: https://patch.msgid.link/20250508064947.2567255-1-demonsingur@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/max20086-regulator.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/regulator/max20086-regulator.c b/drivers/regulator/max20086-regulator.c
+index 59eb23d467ec0..198d45f8e8849 100644
+--- a/drivers/regulator/max20086-regulator.c
++++ b/drivers/regulator/max20086-regulator.c
+@@ -132,7 +132,7 @@ static int max20086_regulators_register(struct max20086 *chip)
+
+ static int max20086_parse_regulators_dt(struct max20086 *chip, bool *boot_on)
+ {
+- struct of_regulator_match matches[MAX20086_MAX_REGULATORS] = { };
++ struct of_regulator_match *matches;
+ struct device_node *node;
+ unsigned int i;
+ int ret;
+@@ -143,6 +143,11 @@ static int max20086_parse_regulators_dt(struct max20086 *chip, bool *boot_on)
+ return -ENODEV;
+ }
+
++ matches = devm_kcalloc(chip->dev, chip->info->num_outputs,
++ sizeof(*matches), GFP_KERNEL);
++ if (!matches)
++ return -ENOMEM;
++
+ for (i = 0; i < chip->info->num_outputs; ++i)
+ matches[i].name = max20086_output_names[i];
+
+--
+2.39.5
+
--- /dev/null
+From 97ddf3d3d7b762e91f2e7087639733485afb5031 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Apr 2025 17:24:36 +0800
+Subject: riscv: dts: sophgo: fix DMA data-width configuration for CV18xx
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ze Huang <huangze@whut.edu.cn>
+
+[ Upstream commit 3e6244429ba38f8dee3336b8b805948276b281ab ]
+
+The "snps,data-width" property[1] defines the AXI data width of the DMA
+controller as:
+
+ width = 8 × (2^n) bits
+
+(0 = 8 bits, 1 = 16 bits, 2 = 32 bits, ..., 6 = 512 bits)
+where "n" is the value of "snps,data-width".
+
+For the CV18xx DMA controller, the correct AXI data width is 32 bits,
+corresponding to "snps,data-width = 2".
+
+Test results on Milkv Duo S can be found here [2].
+
+Link: https://github.com/torvalds/linux/blob/master/Documentation/devicetree/bindings/dma/snps%2Cdw-axi-dmac.yaml#L74 [1]
+Link: https://gist.github.com/Sutter099/4fa99bb2d89e5af975983124704b3861 [2]
+
+Fixes: 514951a81a5e ("riscv: dts: sophgo: cv18xx: add DMA controller")
+Co-developed-by: Yu Yuan <yu.yuan@sjtu.edu.cn>
+Signed-off-by: Yu Yuan <yu.yuan@sjtu.edu.cn>
+Signed-off-by: Ze Huang <huangze@whut.edu.cn>
+Link: https://lore.kernel.org/r/20250428-duo-dma-config-v1-1-eb6ad836ca42@whut.edu.cn
+Signed-off-by: Inochi Amaoto <inochiama@gmail.com>
+Signed-off-by: Chen Wang <unicorn_wang@outlook.com>
+Signed-off-by: Chen Wang <wangchen20@iscas.ac.cn>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/boot/dts/sophgo/cv18xx.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/riscv/boot/dts/sophgo/cv18xx.dtsi b/arch/riscv/boot/dts/sophgo/cv18xx.dtsi
+index c18822ec849f3..58cd546392e05 100644
+--- a/arch/riscv/boot/dts/sophgo/cv18xx.dtsi
++++ b/arch/riscv/boot/dts/sophgo/cv18xx.dtsi
+@@ -341,7 +341,7 @@
+ 1024 1024 1024 1024>;
+ snps,priority = <0 1 2 3 4 5 6 7>;
+ snps,dma-masters = <2>;
+- snps,data-width = <4>;
++ snps,data-width = <2>;
+ status = "disabled";
+ };
+
+--
+2.39.5
+
--- /dev/null
+From e0dd90f92931fd4040aee0bf75b348a402464821 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Apr 2025 10:26:33 +0200
+Subject: sched_ext: Fix missing rq lock in scx_bpf_cpuperf_set()
+
+From: Andrea Righi <arighi@nvidia.com>
+
+[ Upstream commit a11d6784d7316a6c77ca9f14fb1a698ebbb3c1fb ]
+
+scx_bpf_cpuperf_set() can be used to set a performance target level on
+any CPU. However, it doesn't correctly acquire the corresponding rq
+lock, which may lead to unsafe behavior and trigger the following
+warning, due to the lockdep_assert_rq_held() check:
+
+[ 51.713737] WARNING: CPU: 3 PID: 3899 at kernel/sched/sched.h:1512 scx_bpf_cpuperf_set+0x1a0/0x1e0
+...
+[ 51.713836] Call trace:
+[ 51.713837] scx_bpf_cpuperf_set+0x1a0/0x1e0 (P)
+[ 51.713839] bpf_prog_62d35beb9301601f_bpfland_init+0x168/0x440
+[ 51.713841] bpf__sched_ext_ops_init+0x54/0x8c
+[ 51.713843] scx_ops_enable.constprop.0+0x2c0/0x10f0
+[ 51.713845] bpf_scx_reg+0x18/0x30
+[ 51.713847] bpf_struct_ops_link_create+0x154/0x1b0
+[ 51.713849] __sys_bpf+0x1934/0x22a0
+
+Fix by properly acquiring the rq lock when possible or raising an error
+if we try to operate on a CPU that is not the one currently locked.
+
+Fixes: d86adb4fc0655 ("sched_ext: Add cpuperf support")
+Signed-off-by: Andrea Righi <arighi@nvidia.com>
+Acked-by: Changwoo Min <changwoo@igalia.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/ext.c | 27 +++++++++++++++++++++++----
+ 1 file changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/sched/ext.c b/kernel/sched/ext.c
+index 77cdff0d9f348..0067f540a3f0f 100644
+--- a/kernel/sched/ext.c
++++ b/kernel/sched/ext.c
+@@ -7459,13 +7459,32 @@ __bpf_kfunc void scx_bpf_cpuperf_set(s32 cpu, u32 perf)
+ }
+
+ if (ops_cpu_valid(cpu, NULL)) {
+- struct rq *rq = cpu_rq(cpu);
++ struct rq *rq = cpu_rq(cpu), *locked_rq = scx_locked_rq();
++ struct rq_flags rf;
++
++ /*
++ * When called with an rq lock held, restrict the operation
++ * to the corresponding CPU to prevent ABBA deadlocks.
++ */
++ if (locked_rq && rq != locked_rq) {
++ scx_ops_error("Invalid target CPU %d", cpu);
++ return;
++ }
++
++ /*
++ * If no rq lock is held, allow to operate on any CPU by
++ * acquiring the corresponding rq lock.
++ */
++ if (!locked_rq) {
++ rq_lock_irqsave(rq, &rf);
++ update_rq_clock(rq);
++ }
+
+ rq->scx.cpuperf_target = perf;
++ cpufreq_update_util(rq, 0);
+
+- rcu_read_lock_sched_notrace();
+- cpufreq_update_util(cpu_rq(cpu), 0);
+- rcu_read_unlock_sched_notrace();
++ if (!locked_rq)
++ rq_unlock_irqrestore(rq, &rf);
+ }
+ }
+
+--
+2.39.5
+
--- /dev/null
+sched_ext-fix-missing-rq-lock-in-scx_bpf_cpuperf_set.patch
+arm64-dts-rockchip-assign-rt5616-mclk-rate-on-rk3588.patch
+fs-xattr.c-fix-simple_xattr_list-to-always-include-s.patch
+drivers-platform-x86-amd-pmf-check-for-invalid-sidel.patch
+drivers-platform-x86-amd-pmf-check-for-invalid-smart.patch
+x86-amd_node-platform-x86-amd-hsmp-have-hsmp-use-smn.patch
+platform-x86-amd-hsmp-make-amd_hsmp-and-hsmp_acpi-as.patch
+arm64-dts-rockchip-fix-sige5-rtc-interrupt-pin.patch
+riscv-dts-sophgo-fix-dma-data-width-configuration-fo.patch
+binfmt_elf-move-brk-for-static-pie-even-if-aslr-disa.patch
+platform-x86-amd-pmc-declare-quirk_spurious_8042-for.patch
+platform-x86-asus-wmi-fix-wlan_ctrl_by_user-detectio.patch
+arm64-dts-imx8mp-var-som-fix-ldo5-shutdown-causing-s.patch
+cgroup-cpuset-extend-kthread_is_per_cpu-check-to-all.patch
+tracing-fprobe-fix-rcu-warning-message-in-list-trave.patch
+tracing-probes-fix-a-possible-race-in-trace_probe_lo.patch
+tpm-tis-double-the-timeout-b-to-4s.patch
+iio-adc-ad7606-move-the-software-mode-configuration.patch
+iio-adc-ad7606-move-software-functions-into-common-f.patch
+iio-adc-ad7606-check-for-null-before-calling-sw_mode.patch
+rdma-rxe-fix-slab-use-after-free-read-in-rxe_queue_c.patch
+hid-thrustmaster-fix-memory-leak-in-thrustmaster_int.patch
+hid-uclogic-add-null-check-in-uclogic_input_configur.patch
+nfs-handle-failure-of-nfs_get_lock_context-in-unlock.patch
+nfs-localio-fix-a-race-in-nfs_local_open_fh.patch
+spi-loopback-test-do-not-split-1024-byte-hexdumps.patch
+rdma-core-fix-kasan-slab-use-after-free-read-in-ib_r.patch
+bluetooth-mgmt-fix-mgmt_op_add_device-invalid-device.patch
+net_sched-flush-gso_skb-list-too-during-change.patch
+drm-meson-use-1000ull-when-operating-with-mode-clock.patch
+tools-net-ynl-ethtool-fix-crash-when-hardware-clock-.patch
+net-mctp-don-t-access-ifa_index-when-missing.patch
+tests-ncdevmem-fix-double-free-of-queue-array.patch
+net-mctp-ensure-keys-maintain-only-one-ref-to-corres.patch
+alsa-seq-fix-delivery-of-ump-events-to-group-ports.patch
+alsa-ump-fix-a-typo-of-snd_ump_stream_msg_device_inf.patch
+net-cadence-macb-fix-a-possible-deadlock-in-macb_hal.patch
+net-dsa-sja1105-discard-incoming-frames-in-br_state_.patch
+nvme-pci-make-nvme_pci_npages_prp-__always_inline.patch
+nvme-pci-acquire-cq_poll_lock-in-nvme_poll_irqdisabl.patch
+alsa-sh-snd_aica-should-depend-on-sh_dma_api.patch
+net-dsa-b53-prevent-standalone-from-trying-to-forwar.patch
+drm-amd-display-fix-null-check-of-pipe_ctx-plane_sta.patch
+vsock-test-fix-occasional-failure-in-siocoutq-tests.patch
+net-mlx5e-disable-macsec-offload-for-uplink-represen.patch
+qlcnic-fix-memory-leak-in-qlcnic_sriov_channel_cfg_c.patch
+regulator-max20086-fix-invalid-memory-access.patch
+octeontx2-pf-fix-ethtool-support-for-sdp-representor.patch
+io_uring-fdinfo-grab-ctx-uring_lock-around-io_uring_.patch
+drm-xe-save-ctx_timestamp-mmio-value-instead-of-lrc-.patch
+netlink-specs-tc-fix-a-couple-of-attribute-names.patch
+netlink-specs-tc-all-actions-are-indexed-arrays.patch
+octeontx2-pf-macsec-fix-incorrect-max-transmit-size-.patch
+net-ethernet-mtk_eth_soc-fix-typo-for-declaration-mt.patch
+octeontx2-af-fix-cgx-receive-counters.patch
+octeontx2-pf-do-not-reallocate-all-ntuple-filters.patch
+wifi-mac80211-set-n_channels-after-allocating-struct.patch
+mlxsw-spectrum_router-fix-use-after-free-when-deleti.patch
+net-tls-fix-kernel-panic-when-alloc_page-failed.patch
+tsnep-fix-timestamping-with-a-stacked-dsa-driver.patch
+ublk-fix-dead-loop-when-canceling-io-command.patch
+nfsv4-pnfs-reset-the-layout-state-after-a-layoutretu.patch
--- /dev/null
+From ae313542922cebb20c64e23095c6e8e509847562 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 May 2025 13:10:35 +0200
+Subject: spi: loopback-test: Do not split 1024-byte hexdumps
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit a73fa3690a1f3014d6677e368dce4e70767a6ba2 ]
+
+spi_test_print_hex_dump() prints buffers holding less than 1024 bytes in
+full. Larger buffers are truncated: only the first 512 and the last 512
+bytes are printed, separated by a truncation message. The latter is
+confusing in case the buffer holds exactly 1024 bytes, as all data is
+printed anyway.
+
+Fix this by printing buffers holding up to and including 1024 bytes in
+full.
+
+Fixes: 84e0c4e5e2c4ef42 ("spi: add loopback test driver to allow for spi_master regression tests")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://patch.msgid.link/37ee1bc90c6554c9347040adabf04188c8f704aa.1746184171.git.geert+renesas@glider.be
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-loopback-test.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-loopback-test.c b/drivers/spi/spi-loopback-test.c
+index 31a878d9458d9..7740f94847a88 100644
+--- a/drivers/spi/spi-loopback-test.c
++++ b/drivers/spi/spi-loopback-test.c
+@@ -420,7 +420,7 @@ MODULE_LICENSE("GPL");
+ static void spi_test_print_hex_dump(char *pre, const void *ptr, size_t len)
+ {
+ /* limit the hex_dump */
+- if (len < 1024) {
++ if (len <= 1024) {
+ print_hex_dump(KERN_INFO, pre,
+ DUMP_PREFIX_OFFSET, 16, 1,
+ ptr, len, 0);
+--
+2.39.5
+
--- /dev/null
+From 0702022a070c6430a36d20a12a5b0590da3af2bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 May 2025 11:44:34 +0300
+Subject: tests/ncdevmem: Fix double-free of queue array
+
+From: Cosmin Ratiu <cratiu@nvidia.com>
+
+[ Upstream commit 97c4e094a4b2edbb4fffeda718f8e806f825a18f ]
+
+netdev_bind_rx takes ownership of the queue array passed as parameter
+and frees it, so a queue array buffer cannot be reused across multiple
+netdev_bind_rx calls.
+
+This commit fixes that by always passing in a newly created queue array
+to all netdev_bind_rx calls in ncdevmem.
+
+Fixes: 85585b4bc8d8 ("selftests: add ncdevmem, netcat for devmem TCP")
+Signed-off-by: Cosmin Ratiu <cratiu@nvidia.com>
+Acked-by: Stanislav Fomichev <sdf@fomichev.me>
+Reviewed-by: Joe Damato <jdamato@fastly.com>
+Reviewed-by: Mina Almasry <almasrymina@google.com>
+Link: https://patch.msgid.link/20250508084434.1933069-1-cratiu@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../selftests/drivers/net/hw/ncdevmem.c | 55 ++++++++-----------
+ 1 file changed, 22 insertions(+), 33 deletions(-)
+
+diff --git a/tools/testing/selftests/drivers/net/hw/ncdevmem.c b/tools/testing/selftests/drivers/net/hw/ncdevmem.c
+index 19a6969643f46..2d8ffe98700ea 100644
+--- a/tools/testing/selftests/drivers/net/hw/ncdevmem.c
++++ b/tools/testing/selftests/drivers/net/hw/ncdevmem.c
+@@ -432,6 +432,22 @@ static int parse_address(const char *str, int port, struct sockaddr_in6 *sin6)
+ return 0;
+ }
+
++static struct netdev_queue_id *create_queues(void)
++{
++ struct netdev_queue_id *queues;
++ size_t i = 0;
++
++ queues = calloc(num_queues, sizeof(*queues));
++ for (i = 0; i < num_queues; i++) {
++ queues[i]._present.type = 1;
++ queues[i]._present.id = 1;
++ queues[i].type = NETDEV_QUEUE_TYPE_RX;
++ queues[i].id = start_queue + i;
++ }
++
++ return queues;
++}
++
+ int do_server(struct memory_buffer *mem)
+ {
+ char ctrl_data[sizeof(int) * 20000];
+@@ -449,7 +465,6 @@ int do_server(struct memory_buffer *mem)
+ char buffer[256];
+ int socket_fd;
+ int client_fd;
+- size_t i = 0;
+ int ret;
+
+ ret = parse_address(server_ip, atoi(port), &server_sin);
+@@ -472,16 +487,7 @@ int do_server(struct memory_buffer *mem)
+
+ sleep(1);
+
+- queues = malloc(sizeof(*queues) * num_queues);
+-
+- for (i = 0; i < num_queues; i++) {
+- queues[i]._present.type = 1;
+- queues[i]._present.id = 1;
+- queues[i].type = NETDEV_QUEUE_TYPE_RX;
+- queues[i].id = start_queue + i;
+- }
+-
+- if (bind_rx_queue(ifindex, mem->fd, queues, num_queues, &ys))
++ if (bind_rx_queue(ifindex, mem->fd, create_queues(), num_queues, &ys))
+ error(1, 0, "Failed to bind\n");
+
+ tmp_mem = malloc(mem->size);
+@@ -546,7 +552,6 @@ int do_server(struct memory_buffer *mem)
+ goto cleanup;
+ }
+
+- i++;
+ for (cm = CMSG_FIRSTHDR(&msg); cm; cm = CMSG_NXTHDR(&msg, cm)) {
+ if (cm->cmsg_level != SOL_SOCKET ||
+ (cm->cmsg_type != SCM_DEVMEM_DMABUF &&
+@@ -631,10 +636,8 @@ int do_server(struct memory_buffer *mem)
+
+ void run_devmem_tests(void)
+ {
+- struct netdev_queue_id *queues;
+ struct memory_buffer *mem;
+ struct ynl_sock *ys;
+- size_t i = 0;
+
+ mem = provider->alloc(getpagesize() * NUM_PAGES);
+
+@@ -642,38 +645,24 @@ void run_devmem_tests(void)
+ if (configure_rss())
+ error(1, 0, "rss error\n");
+
+- queues = calloc(num_queues, sizeof(*queues));
+-
+ if (configure_headersplit(1))
+ error(1, 0, "Failed to configure header split\n");
+
+- if (!bind_rx_queue(ifindex, mem->fd, queues, num_queues, &ys))
++ if (!bind_rx_queue(ifindex, mem->fd,
++ calloc(num_queues, sizeof(struct netdev_queue_id)),
++ num_queues, &ys))
+ error(1, 0, "Binding empty queues array should have failed\n");
+
+- for (i = 0; i < num_queues; i++) {
+- queues[i]._present.type = 1;
+- queues[i]._present.id = 1;
+- queues[i].type = NETDEV_QUEUE_TYPE_RX;
+- queues[i].id = start_queue + i;
+- }
+-
+ if (configure_headersplit(0))
+ error(1, 0, "Failed to configure header split\n");
+
+- if (!bind_rx_queue(ifindex, mem->fd, queues, num_queues, &ys))
++ if (!bind_rx_queue(ifindex, mem->fd, create_queues(), num_queues, &ys))
+ error(1, 0, "Configure dmabuf with header split off should have failed\n");
+
+ if (configure_headersplit(1))
+ error(1, 0, "Failed to configure header split\n");
+
+- for (i = 0; i < num_queues; i++) {
+- queues[i]._present.type = 1;
+- queues[i]._present.id = 1;
+- queues[i].type = NETDEV_QUEUE_TYPE_RX;
+- queues[i].id = start_queue + i;
+- }
+-
+- if (bind_rx_queue(ifindex, mem->fd, queues, num_queues, &ys))
++ if (bind_rx_queue(ifindex, mem->fd, create_queues(), num_queues, &ys))
+ error(1, 0, "Failed to bind\n");
+
+ /* Deactivating a bound queue should not be legal */
+--
+2.39.5
+
--- /dev/null
+From c8d08f2f200d7faa080477b31738d527bf004272 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 May 2025 03:54:14 +0000
+Subject: tools/net/ynl: ethtool: fix crash when Hardware Clock info is missing
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 45375814eb3f4245956c0c85092a4eee4441d167 ]
+
+Fix a crash in the ethtool YNL implementation when Hardware Clock information
+is not present in the response. This ensures graceful handling of devices or
+drivers that do not provide this optional field. e.g.
+
+ Traceback (most recent call last):
+ File "/net/tools/net/ynl/pyynl/./ethtool.py", line 438, in <module>
+ main()
+ ~~~~^^
+ File "/net/tools/net/ynl/pyynl/./ethtool.py", line 341, in main
+ print(f'PTP Hardware Clock: {tsinfo["phc-index"]}')
+ ~~~~~~^^^^^^^^^^^^^
+ KeyError: 'phc-index'
+
+Fixes: f3d07b02b2b8 ("tools: ynl: ethtool testing tool")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Acked-by: Stanislav Fomichev <sdf@fomichev.me>
+Link: https://patch.msgid.link/20250508035414.82974-1-liuhangbin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/net/ynl/pyynl/ethtool.py | 22 +++++++++++++++-------
+ 1 file changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/tools/net/ynl/pyynl/ethtool.py b/tools/net/ynl/pyynl/ethtool.py
+index af7fddd7b085b..cab6b576c8762 100755
+--- a/tools/net/ynl/pyynl/ethtool.py
++++ b/tools/net/ynl/pyynl/ethtool.py
+@@ -338,16 +338,24 @@ def main():
+ print('Capabilities:')
+ [print(f'\t{v}') for v in bits_to_dict(tsinfo['timestamping'])]
+
+- print(f'PTP Hardware Clock: {tsinfo["phc-index"]}')
++ print(f'PTP Hardware Clock: {tsinfo.get("phc-index", "none")}')
+
+- print('Hardware Transmit Timestamp Modes:')
+- [print(f'\t{v}') for v in bits_to_dict(tsinfo['tx-types'])]
++ if 'tx-types' in tsinfo:
++ print('Hardware Transmit Timestamp Modes:')
++ [print(f'\t{v}') for v in bits_to_dict(tsinfo['tx-types'])]
++ else:
++ print('Hardware Transmit Timestamp Modes: none')
++
++ if 'rx-filters' in tsinfo:
++ print('Hardware Receive Filter Modes:')
++ [print(f'\t{v}') for v in bits_to_dict(tsinfo['rx-filters'])]
++ else:
++ print('Hardware Receive Filter Modes: none')
+
+- print('Hardware Receive Filter Modes:')
+- [print(f'\t{v}') for v in bits_to_dict(tsinfo['rx-filters'])]
++ if 'stats' in tsinfo and tsinfo['stats']:
++ print('Statistics:')
++ [print(f'\t{k}: {v}') for k, v in tsinfo['stats'].items()]
+
+- print('Statistics:')
+- [print(f'\t{k}: {v}') for k, v in tsinfo['stats'].items()]
+ return
+
+ print(f'Settings for {args.device}:')
+--
+2.39.5
+
--- /dev/null
+From dd471d57f83dfa2aaa322b14408d25addcadb0a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Apr 2025 10:23:14 +0200
+Subject: tpm: tis: Double the timeout B to 4s
+
+From: Michal Suchanek <msuchanek@suse.de>
+
+[ Upstream commit 2f661f71fda1fc0c42b7746ca5b7da529eb6b5be ]
+
+With some Infineon chips the timeouts in tpm_tis_send_data (both B and
+C) can reach up to about 2250 ms.
+
+Timeout C is retried since
+commit de9e33df7762 ("tpm, tpm_tis: Workaround failed command reception on Infineon devices")
+
+Timeout B still needs to be extended.
+
+The problem is most commonly encountered with context related operation
+such as load context/save context. These are issued directly by the
+kernel, and there is no retry logic for them.
+
+When a filesystem is set up to use the TPM for unlocking the boot fails,
+and restarting the userspace service is ineffective. This is likely
+because ignoring a load context/save context result puts the real TPM
+state and the TPM state expected by the kernel out of sync.
+
+Chips known to be affected:
+tpm_tis IFX1522:00: 2.0 TPM (device-id 0x1D, rev-id 54)
+Description: SLB9672
+Firmware Revision: 15.22
+
+tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1B, rev-id 22)
+Firmware Revision: 7.83
+
+tpm_tis MSFT0101:00: 2.0 TPM (device-id 0x1A, rev-id 16)
+Firmware Revision: 5.63
+
+Link: https://lore.kernel.org/linux-integrity/Z5pI07m0Muapyu9w@kitsune.suse.cz/
+Signed-off-by: Michal Suchanek <msuchanek@suse.de>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/tpm/tpm_tis_core.h | 2 +-
+ include/linux/tpm.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/char/tpm/tpm_tis_core.h b/drivers/char/tpm/tpm_tis_core.h
+index 970d02c337c7f..6c3aa480396b6 100644
+--- a/drivers/char/tpm/tpm_tis_core.h
++++ b/drivers/char/tpm/tpm_tis_core.h
+@@ -54,7 +54,7 @@ enum tis_int_flags {
+ enum tis_defaults {
+ TIS_MEM_LEN = 0x5000,
+ TIS_SHORT_TIMEOUT = 750, /* ms */
+- TIS_LONG_TIMEOUT = 2000, /* 2 sec */
++ TIS_LONG_TIMEOUT = 4000, /* 4 secs */
+ TIS_TIMEOUT_MIN_ATML = 14700, /* usecs */
+ TIS_TIMEOUT_MAX_ATML = 15000, /* usecs */
+ };
+diff --git a/include/linux/tpm.h b/include/linux/tpm.h
+index 6c3125300c009..3db0b6a87d454 100644
+--- a/include/linux/tpm.h
++++ b/include/linux/tpm.h
+@@ -224,7 +224,7 @@ enum tpm2_const {
+
+ enum tpm2_timeouts {
+ TPM2_TIMEOUT_A = 750,
+- TPM2_TIMEOUT_B = 2000,
++ TPM2_TIMEOUT_B = 4000,
+ TPM2_TIMEOUT_C = 200,
+ TPM2_TIMEOUT_D = 30,
+ TPM2_DURATION_SHORT = 20,
+--
+2.39.5
+
--- /dev/null
+From 359a5d9a51c06e0b365b0c1d9d858e55f8e43577 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Apr 2025 05:22:21 -0700
+Subject: tracing: fprobe: Fix RCU warning message in list traversal
+
+From: Breno Leitao <leitao@debian.org>
+
+[ Upstream commit 9dda18a32b4a6693fccd3f7c0738af646147b1cf ]
+
+When CONFIG_PROVE_RCU_LIST is enabled, fprobe triggers the following
+warning:
+
+ WARNING: suspicious RCU usage
+ kernel/trace/fprobe.c:457 RCU-list traversed in non-reader section!!
+
+ other info that might help us debug this:
+ #1: ffffffff863c4e08 (fprobe_mutex){+.+.}-{4:4}, at: fprobe_module_callback+0x7b/0x8c0
+
+ Call Trace:
+ fprobe_module_callback
+ notifier_call_chain
+ blocking_notifier_call_chain
+
+This warning occurs because fprobe_remove_node_in_module() traverses an
+RCU list using RCU primitives without holding an RCU read lock. However,
+the function is only called from fprobe_module_callback(), which holds
+the fprobe_mutex lock that provides sufficient protection for safely
+traversing the list.
+
+Fix the warning by specifying the locking design to the
+CONFIG_PROVE_RCU_LIST mechanism. Add the lockdep_is_held() argument to
+hlist_for_each_entry_rcu() to inform the RCU checker that fprobe_mutex
+provides the required protection.
+
+Link: https://lore.kernel.org/all/20250410-fprobe-v1-1-068ef5f41436@debian.org/
+
+Fixes: a3dc2983ca7b90 ("tracing: fprobe: Cleanup fprobe hash when module unloading")
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Tested-by: Antonio Quartulli <antonio@mandelbit.com>
+Tested-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/fprobe.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/trace/fprobe.c b/kernel/trace/fprobe.c
+index 95c6e3473a76b..ba7ff14f5339b 100644
+--- a/kernel/trace/fprobe.c
++++ b/kernel/trace/fprobe.c
+@@ -454,7 +454,8 @@ static void fprobe_remove_node_in_module(struct module *mod, struct hlist_head *
+ struct fprobe_hlist_node *node;
+ int ret = 0;
+
+- hlist_for_each_entry_rcu(node, head, hlist) {
++ hlist_for_each_entry_rcu(node, head, hlist,
++ lockdep_is_held(&fprobe_mutex)) {
+ if (!within_module(node->addr, mod))
+ continue;
+ if (delete_fprobe_node(node))
+--
+2.39.5
+
--- /dev/null
+From 215fe92818c96bd903c734c5c48bc014d7f99d8c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 May 2025 12:44:41 +0900
+Subject: tracing: probes: Fix a possible race in trace_probe_log APIs
+
+From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+
+[ Upstream commit fd837de3c9cb1a162c69bc1fb1f438467fe7f2f5 ]
+
+Since the shared trace_probe_log variable can be accessed and
+modified via probe event create operation of kprobe_events,
+uprobe_events, and dynamic_events, it should be protected.
+In the dynamic_events, all operations are serialized by
+`dyn_event_ops_mutex`. But kprobe_events and uprobe_events
+interfaces are not serialized.
+
+To solve this issue, introduces dyn_event_create(), which runs
+create() operation under the mutex, for kprobe_events and
+uprobe_events. This also uses lockdep to check the mutex is
+held when using trace_probe_log* APIs.
+
+Link: https://lore.kernel.org/all/174684868120.551552.3068655787654268804.stgit@devnote2/
+
+Reported-by: Paul Cacheux <paulcacheux@gmail.com>
+Closes: https://lore.kernel.org/all/20250510074456.805a16872b591e2971a4d221@kernel.org/
+Fixes: ab105a4fb894 ("tracing: Use tracing error_log with probe events")
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace_dynevent.c | 16 +++++++++++++++-
+ kernel/trace/trace_dynevent.h | 1 +
+ kernel/trace/trace_kprobe.c | 2 +-
+ kernel/trace/trace_probe.c | 9 +++++++++
+ kernel/trace/trace_uprobe.c | 2 +-
+ 5 files changed, 27 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/trace/trace_dynevent.c b/kernel/trace/trace_dynevent.c
+index a322e4f249a50..5d64a18cacacc 100644
+--- a/kernel/trace/trace_dynevent.c
++++ b/kernel/trace/trace_dynevent.c
+@@ -16,7 +16,7 @@
+ #include "trace_output.h" /* for trace_event_sem */
+ #include "trace_dynevent.h"
+
+-static DEFINE_MUTEX(dyn_event_ops_mutex);
++DEFINE_MUTEX(dyn_event_ops_mutex);
+ static LIST_HEAD(dyn_event_ops_list);
+
+ bool trace_event_dyn_try_get_ref(struct trace_event_call *dyn_call)
+@@ -116,6 +116,20 @@ int dyn_event_release(const char *raw_command, struct dyn_event_operations *type
+ return ret;
+ }
+
++/*
++ * Locked version of event creation. The event creation must be protected by
++ * dyn_event_ops_mutex because of protecting trace_probe_log.
++ */
++int dyn_event_create(const char *raw_command, struct dyn_event_operations *type)
++{
++ int ret;
++
++ mutex_lock(&dyn_event_ops_mutex);
++ ret = type->create(raw_command);
++ mutex_unlock(&dyn_event_ops_mutex);
++ return ret;
++}
++
+ static int create_dyn_event(const char *raw_command)
+ {
+ struct dyn_event_operations *ops;
+diff --git a/kernel/trace/trace_dynevent.h b/kernel/trace/trace_dynevent.h
+index 936477a111d3e..beee3f8d75444 100644
+--- a/kernel/trace/trace_dynevent.h
++++ b/kernel/trace/trace_dynevent.h
+@@ -100,6 +100,7 @@ void *dyn_event_seq_next(struct seq_file *m, void *v, loff_t *pos);
+ void dyn_event_seq_stop(struct seq_file *m, void *v);
+ int dyn_events_release_all(struct dyn_event_operations *type);
+ int dyn_event_release(const char *raw_command, struct dyn_event_operations *type);
++int dyn_event_create(const char *raw_command, struct dyn_event_operations *type);
+
+ /*
+ * for_each_dyn_event - iterate over the dyn_event list
+diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c
+index 8287b175667f3..a5d46f109fcce 100644
+--- a/kernel/trace/trace_kprobe.c
++++ b/kernel/trace/trace_kprobe.c
+@@ -1092,7 +1092,7 @@ static int create_or_delete_trace_kprobe(const char *raw_command)
+ if (raw_command[0] == '-')
+ return dyn_event_release(raw_command, &trace_kprobe_ops);
+
+- ret = trace_kprobe_create(raw_command);
++ ret = dyn_event_create(raw_command, &trace_kprobe_ops);
+ return ret == -ECANCELED ? -EINVAL : ret;
+ }
+
+diff --git a/kernel/trace/trace_probe.c b/kernel/trace/trace_probe.c
+index 2eeecb6c95eea..424751cdf31f9 100644
+--- a/kernel/trace/trace_probe.c
++++ b/kernel/trace/trace_probe.c
+@@ -154,9 +154,12 @@ static const struct fetch_type *find_fetch_type(const char *type, unsigned long
+ }
+
+ static struct trace_probe_log trace_probe_log;
++extern struct mutex dyn_event_ops_mutex;
+
+ void trace_probe_log_init(const char *subsystem, int argc, const char **argv)
+ {
++ lockdep_assert_held(&dyn_event_ops_mutex);
++
+ trace_probe_log.subsystem = subsystem;
+ trace_probe_log.argc = argc;
+ trace_probe_log.argv = argv;
+@@ -165,11 +168,15 @@ void trace_probe_log_init(const char *subsystem, int argc, const char **argv)
+
+ void trace_probe_log_clear(void)
+ {
++ lockdep_assert_held(&dyn_event_ops_mutex);
++
+ memset(&trace_probe_log, 0, sizeof(trace_probe_log));
+ }
+
+ void trace_probe_log_set_index(int index)
+ {
++ lockdep_assert_held(&dyn_event_ops_mutex);
++
+ trace_probe_log.index = index;
+ }
+
+@@ -178,6 +185,8 @@ void __trace_probe_log_err(int offset, int err_type)
+ char *command, *p;
+ int i, len = 0, pos = 0;
+
++ lockdep_assert_held(&dyn_event_ops_mutex);
++
+ if (!trace_probe_log.argv)
+ return;
+
+diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c
+index 3386439ec9f67..35cf76c75dd76 100644
+--- a/kernel/trace/trace_uprobe.c
++++ b/kernel/trace/trace_uprobe.c
+@@ -741,7 +741,7 @@ static int create_or_delete_trace_uprobe(const char *raw_command)
+ if (raw_command[0] == '-')
+ return dyn_event_release(raw_command, &trace_uprobe_ops);
+
+- ret = trace_uprobe_create(raw_command);
++ ret = dyn_event_create(raw_command, &trace_uprobe_ops);
+ return ret == -ECANCELED ? -EINVAL : ret;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From a77f5f12bb7783accb4fe3a066619209e3dd33ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 May 2025 21:56:57 +0200
+Subject: tsnep: fix timestamping with a stacked DSA driver
+
+From: Gerhard Engleder <gerhard@engleder-embedded.com>
+
+[ Upstream commit b3ca9eef6646576ad506a96d941d87a69f66732a ]
+
+This driver is susceptible to a form of the bug explained in commit
+c26a2c2ddc01 ("gianfar: Fix TX timestamping with a stacked DSA driver")
+and in Documentation/networking/timestamping.rst section "Other caveats
+for MAC drivers", specifically it timestamps any skb which has
+SKBTX_HW_TSTAMP, and does not consider if timestamping has been enabled
+in adapter->hwtstamp_config.tx_type.
+
+Evaluate the proper TX timestamping condition only once on the TX
+path (in tsnep_xmit_frame_ring()) and store the result in an additional
+TX entry flag. Evaluate the new TX entry flag in the TX confirmation path
+(in tsnep_tx_poll()).
+
+This way SKBTX_IN_PROGRESS is set by the driver as required, but never
+evaluated. SKBTX_IN_PROGRESS shall not be evaluated as it can be set
+by a stacked DSA driver and evaluating it would lead to unwanted
+timestamps.
+
+Fixes: 403f69bbdbad ("tsnep: Add TSN endpoint Ethernet MAC driver")
+Suggested-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Signed-off-by: Gerhard Engleder <gerhard@engleder-embedded.com>
+Reviewed-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Link: https://patch.msgid.link/20250514195657.25874-1-gerhard@engleder-embedded.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/engleder/tsnep_main.c | 30 ++++++++++++++--------
+ 1 file changed, 19 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/ethernet/engleder/tsnep_main.c b/drivers/net/ethernet/engleder/tsnep_main.c
+index 0d030cb0b21c7..63aeb400051c4 100644
+--- a/drivers/net/ethernet/engleder/tsnep_main.c
++++ b/drivers/net/ethernet/engleder/tsnep_main.c
+@@ -67,6 +67,8 @@
+ #define TSNEP_TX_TYPE_XDP_NDO_MAP_PAGE (TSNEP_TX_TYPE_XDP_NDO | TSNEP_TX_TYPE_MAP_PAGE)
+ #define TSNEP_TX_TYPE_XDP (TSNEP_TX_TYPE_XDP_TX | TSNEP_TX_TYPE_XDP_NDO)
+ #define TSNEP_TX_TYPE_XSK BIT(12)
++#define TSNEP_TX_TYPE_TSTAMP BIT(13)
++#define TSNEP_TX_TYPE_SKB_TSTAMP (TSNEP_TX_TYPE_SKB | TSNEP_TX_TYPE_TSTAMP)
+
+ #define TSNEP_XDP_TX BIT(0)
+ #define TSNEP_XDP_REDIRECT BIT(1)
+@@ -387,8 +389,7 @@ static void tsnep_tx_activate(struct tsnep_tx *tx, int index, int length,
+ if (entry->skb) {
+ entry->properties = length & TSNEP_DESC_LENGTH_MASK;
+ entry->properties |= TSNEP_DESC_INTERRUPT_FLAG;
+- if ((entry->type & TSNEP_TX_TYPE_SKB) &&
+- (skb_shinfo(entry->skb)->tx_flags & SKBTX_IN_PROGRESS))
++ if ((entry->type & TSNEP_TX_TYPE_SKB_TSTAMP) == TSNEP_TX_TYPE_SKB_TSTAMP)
+ entry->properties |= TSNEP_DESC_EXTENDED_WRITEBACK_FLAG;
+
+ /* toggle user flag to prevent false acknowledge
+@@ -480,7 +481,8 @@ static int tsnep_tx_map_frag(skb_frag_t *frag, struct tsnep_tx_entry *entry,
+ return mapped;
+ }
+
+-static int tsnep_tx_map(struct sk_buff *skb, struct tsnep_tx *tx, int count)
++static int tsnep_tx_map(struct sk_buff *skb, struct tsnep_tx *tx, int count,
++ bool do_tstamp)
+ {
+ struct device *dmadev = tx->adapter->dmadev;
+ struct tsnep_tx_entry *entry;
+@@ -506,6 +508,9 @@ static int tsnep_tx_map(struct sk_buff *skb, struct tsnep_tx *tx, int count)
+ entry->type = TSNEP_TX_TYPE_SKB_INLINE;
+ mapped = 0;
+ }
++
++ if (do_tstamp)
++ entry->type |= TSNEP_TX_TYPE_TSTAMP;
+ } else {
+ skb_frag_t *frag = &skb_shinfo(skb)->frags[i - 1];
+
+@@ -559,11 +564,12 @@ static int tsnep_tx_unmap(struct tsnep_tx *tx, int index, int count)
+ static netdev_tx_t tsnep_xmit_frame_ring(struct sk_buff *skb,
+ struct tsnep_tx *tx)
+ {
+- int count = 1;
+ struct tsnep_tx_entry *entry;
++ bool do_tstamp = false;
++ int count = 1;
+ int length;
+- int i;
+ int retval;
++ int i;
+
+ if (skb_shinfo(skb)->nr_frags > 0)
+ count += skb_shinfo(skb)->nr_frags;
+@@ -580,7 +586,13 @@ static netdev_tx_t tsnep_xmit_frame_ring(struct sk_buff *skb,
+ entry = &tx->entry[tx->write];
+ entry->skb = skb;
+
+- retval = tsnep_tx_map(skb, tx, count);
++ if (unlikely(skb_shinfo(skb)->tx_flags & SKBTX_HW_TSTAMP) &&
++ tx->adapter->hwtstamp_config.tx_type == HWTSTAMP_TX_ON) {
++ skb_shinfo(skb)->tx_flags |= SKBTX_IN_PROGRESS;
++ do_tstamp = true;
++ }
++
++ retval = tsnep_tx_map(skb, tx, count, do_tstamp);
+ if (retval < 0) {
+ tsnep_tx_unmap(tx, tx->write, count);
+ dev_kfree_skb_any(entry->skb);
+@@ -592,9 +604,6 @@ static netdev_tx_t tsnep_xmit_frame_ring(struct sk_buff *skb,
+ }
+ length = retval;
+
+- if (skb_shinfo(skb)->tx_flags & SKBTX_HW_TSTAMP)
+- skb_shinfo(skb)->tx_flags |= SKBTX_IN_PROGRESS;
+-
+ for (i = 0; i < count; i++)
+ tsnep_tx_activate(tx, (tx->write + i) & TSNEP_RING_MASK, length,
+ i == count - 1);
+@@ -845,8 +854,7 @@ static bool tsnep_tx_poll(struct tsnep_tx *tx, int napi_budget)
+
+ length = tsnep_tx_unmap(tx, tx->read, count);
+
+- if ((entry->type & TSNEP_TX_TYPE_SKB) &&
+- (skb_shinfo(entry->skb)->tx_flags & SKBTX_IN_PROGRESS) &&
++ if (((entry->type & TSNEP_TX_TYPE_SKB_TSTAMP) == TSNEP_TX_TYPE_SKB_TSTAMP) &&
+ (__le32_to_cpu(entry->desc_wb->properties) &
+ TSNEP_DESC_EXTENDED_WRITEBACK_FLAG)) {
+ struct skb_shared_hwtstamps hwtstamps;
+--
+2.39.5
+
--- /dev/null
+From b1cebc70152d3b6e948830af4e8f36633cbf544e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 May 2025 00:26:01 +0800
+Subject: ublk: fix dead loop when canceling io command
+
+From: Ming Lei <ming.lei@redhat.com>
+
+[ Upstream commit dd24f87f65c957f30e605e44961d2fd53a44c780 ]
+
+Commit:
+
+f40139fde527 ("ublk: fix race between io_uring_cmd_complete_in_task and
+ ublk_cancel_cmd")
+
+adds a request state check in ublk_cancel_cmd(), and if the request is
+started, skips canceling this uring_cmd.
+
+However, the current uring_cmd may be in ACTIVE state, without block
+request coming to the uring command. Meantime, if the cached request in
+tag_set.tags[tag] has been delivered to ublk server and reycycled, then
+this uring_cmd can't be canceled.
+
+ublk requests are aborted in ublk char device release handler, which
+depends on canceling all ACTIVE uring_cmd. So it causes a dead loop.
+
+Fix this issue by not taking a stale request into account when canceling
+uring_cmd in ublk_cancel_cmd().
+
+Reported-by: Shinichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Closes: https://lore.kernel.org/linux-block/mruqwpf4tqenkbtgezv5oxwq7ngyq24jzeyqy4ixzvivatbbxv@4oh2wzz4e6qn/
+Fixes: f40139fde527 ("ublk: fix race between io_uring_cmd_complete_in_task and ublk_cancel_cmd")
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Link: https://lore.kernel.org/r/20250515162601.77346-1-ming.lei@redhat.com
+[axboe: rewording of commit message]
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/ublk_drv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
+index 348c4feb7a2df..7bbfc20f116a4 100644
+--- a/drivers/block/ublk_drv.c
++++ b/drivers/block/ublk_drv.c
+@@ -1677,7 +1677,7 @@ static void ublk_cancel_cmd(struct ublk_queue *ubq, unsigned tag,
+ * that ublk_dispatch_req() is always called
+ */
+ req = blk_mq_tag_to_rq(ub->tag_set.tags[ubq->q_id], tag);
+- if (req && blk_mq_request_started(req))
++ if (req && blk_mq_request_started(req) && req->tag == tag)
+ return;
+
+ spin_lock(&ubq->cancel_lock);
+--
+2.39.5
+
--- /dev/null
+From 31886d07fb1eed384bae344600f6f56398dde3a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 May 2025 10:14:56 -0500
+Subject: vsock/test: Fix occasional failure in SIOCOUTQ tests
+
+From: Konstantin Shkolnyy <kshk@linux.ibm.com>
+
+[ Upstream commit 7fd7ad6f36af36f30a06d165eff3780cb139fa79 ]
+
+These tests:
+ "SOCK_STREAM ioctl(SIOCOUTQ) 0 unsent bytes"
+ "SOCK_SEQPACKET ioctl(SIOCOUTQ) 0 unsent bytes"
+output: "Unexpected 'SIOCOUTQ' value, expected 0, got 64 (CLIENT)".
+
+They test that the SIOCOUTQ ioctl reports 0 unsent bytes after the data
+have been received by the other side. However, sometimes there is a delay
+in updating this "unsent bytes" counter, and the test fails even though
+the counter properly goes to 0 several milliseconds later.
+
+The delay occurs in the kernel because the used buffer notification
+callback virtio_vsock_tx_done(), called upon receipt of the data by the
+other side, doesn't update the counter itself. It delegates that to
+a kernel thread (via vsock->tx_work). Sometimes that thread is delayed
+more than the test expects.
+
+Change the test to poll SIOCOUTQ until it returns 0 or a timeout occurs.
+
+Signed-off-by: Konstantin Shkolnyy <kshk@linux.ibm.com>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Fixes: 18ee44ce97c1 ("test/vsock: add ioctl unsent bytes test")
+Link: https://patch.msgid.link/20250507151456.2577061-1-kshk@linux.ibm.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/vsock/vsock_test.c | 28 ++++++++++++++++------------
+ 1 file changed, 16 insertions(+), 12 deletions(-)
+
+diff --git a/tools/testing/vsock/vsock_test.c b/tools/testing/vsock/vsock_test.c
+index d0f6d253ac72d..613551132a966 100644
+--- a/tools/testing/vsock/vsock_test.c
++++ b/tools/testing/vsock/vsock_test.c
+@@ -1264,21 +1264,25 @@ static void test_unsent_bytes_client(const struct test_opts *opts, int type)
+ send_buf(fd, buf, sizeof(buf), 0, sizeof(buf));
+ control_expectln("RECEIVED");
+
+- ret = ioctl(fd, SIOCOUTQ, &sock_bytes_unsent);
+- if (ret < 0) {
+- if (errno == EOPNOTSUPP) {
+- fprintf(stderr, "Test skipped, SIOCOUTQ not supported.\n");
+- } else {
++ /* SIOCOUTQ isn't guaranteed to instantly track sent data. Even though
++ * the "RECEIVED" message means that the other side has received the
++ * data, there can be a delay in our kernel before updating the "unsent
++ * bytes" counter. Repeat SIOCOUTQ until it returns 0.
++ */
++ timeout_begin(TIMEOUT);
++ do {
++ ret = ioctl(fd, SIOCOUTQ, &sock_bytes_unsent);
++ if (ret < 0) {
++ if (errno == EOPNOTSUPP) {
++ fprintf(stderr, "Test skipped, SIOCOUTQ not supported.\n");
++ break;
++ }
+ perror("ioctl");
+ exit(EXIT_FAILURE);
+ }
+- } else if (ret == 0 && sock_bytes_unsent != 0) {
+- fprintf(stderr,
+- "Unexpected 'SIOCOUTQ' value, expected 0, got %i\n",
+- sock_bytes_unsent);
+- exit(EXIT_FAILURE);
+- }
+-
++ timeout_check("SIOCOUTQ");
++ } while (sock_bytes_unsent != 0);
++ timeout_end();
+ close(fd);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 1304d2c7a203a2197887840be7013cee1bbd4d9f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 May 2025 11:46:45 -0700
+Subject: wifi: mac80211: Set n_channels after allocating struct
+ cfg80211_scan_request
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit 82bbe02b2500ef0a62053fe2eb84773fe31c5a0a ]
+
+Make sure that n_channels is set after allocating the
+struct cfg80211_registered_device::int_scan_req member. Seen with
+syzkaller:
+
+UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:1208:5
+index 0 is out of range for type 'struct ieee80211_channel *[] __counted_by(n_channels)' (aka 'struct ieee80211_channel *[]')
+
+This was missed in the initial conversions because I failed to locate
+the allocation likely due to the "sizeof(void *)" not matching the
+"channels" array type.
+
+Reported-by: syzbot+4bcdddd48bb6f0be0da1@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/lkml/680fd171.050a0220.2b69d1.045e.GAE@google.com/
+Fixes: e3eac9f32ec0 ("wifi: cfg80211: Annotate struct cfg80211_scan_request with __counted_by")
+Signed-off-by: Kees Cook <kees@kernel.org>
+Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Link: https://patch.msgid.link/20250509184641.work.542-kees@kernel.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/main.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/mac80211/main.c b/net/mac80211/main.c
+index 53e5aee468856..2b6249d75a5d4 100644
+--- a/net/mac80211/main.c
++++ b/net/mac80211/main.c
+@@ -1354,10 +1354,12 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
+ hw->wiphy->software_iftypes |= BIT(NL80211_IFTYPE_MONITOR);
+
+
+- local->int_scan_req = kzalloc(sizeof(*local->int_scan_req) +
+- sizeof(void *) * channels, GFP_KERNEL);
++ local->int_scan_req = kzalloc(struct_size(local->int_scan_req,
++ channels, channels),
++ GFP_KERNEL);
+ if (!local->int_scan_req)
+ return -ENOMEM;
++ local->int_scan_req->n_channels = channels;
+
+ eth_broadcast_addr(local->int_scan_req->bssid);
+
+--
+2.39.5
+
--- /dev/null
+From 96445d6d69316af8e556ad8901d44190d93166d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Jan 2025 19:48:55 +0000
+Subject: x86/amd_node, platform/x86/amd/hsmp: Have HSMP use SMN through
+ AMD_NODE
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yazen Ghannam <yazen.ghannam@amd.com>
+
+[ Upstream commit 735049b801cf3d597752017385cfc8768ce44303 ]
+
+The HSMP interface is just an SMN interface with different offsets.
+
+Define an HSMP wrapper in the SMN code and have the HSMP platform driver
+use that rather than a local solution.
+
+Also, remove the "root" member from AMD_NB, since there are no more
+users of it.
+
+Signed-off-by: Yazen Ghannam <yazen.ghannam@amd.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Carlos Bilbao <carlos.bilbao@kernel.org>
+Acked-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Link: https://lore.kernel.org/r/20250130-wip-x86-amd-nb-cleanup-v4-1-b5cc997e471b@amd.com
+Stable-dep-of: 0581d384f344 ("platform/x86/amd/hsmp: Make amd_hsmp and hsmp_acpi as mutually exclusive drivers")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/amd_nb.h | 1 -
+ arch/x86/include/asm/amd_node.h | 13 ++++++++++
+ arch/x86/kernel/amd_nb.c | 1 -
+ arch/x86/kernel/amd_node.c | 9 +++++++
+ drivers/platform/x86/amd/hsmp/Kconfig | 2 +-
+ drivers/platform/x86/amd/hsmp/acpi.c | 7 +++---
+ drivers/platform/x86/amd/hsmp/hsmp.c | 1 -
+ drivers/platform/x86/amd/hsmp/hsmp.h | 3 ---
+ drivers/platform/x86/amd/hsmp/plat.c | 36 +++++++++------------------
+ 9 files changed, 39 insertions(+), 34 deletions(-)
+
+diff --git a/arch/x86/include/asm/amd_nb.h b/arch/x86/include/asm/amd_nb.h
+index 4c4efb93045ed..adfa0854cf2da 100644
+--- a/arch/x86/include/asm/amd_nb.h
++++ b/arch/x86/include/asm/amd_nb.h
+@@ -27,7 +27,6 @@ struct amd_l3_cache {
+ };
+
+ struct amd_northbridge {
+- struct pci_dev *root;
+ struct pci_dev *misc;
+ struct pci_dev *link;
+ struct amd_l3_cache l3_cache;
+diff --git a/arch/x86/include/asm/amd_node.h b/arch/x86/include/asm/amd_node.h
+index 113ad3e8ee40a..002c3afbd30f9 100644
+--- a/arch/x86/include/asm/amd_node.h
++++ b/arch/x86/include/asm/amd_node.h
+@@ -30,7 +30,20 @@ static inline u16 amd_num_nodes(void)
+ return topology_amd_nodes_per_pkg() * topology_max_packages();
+ }
+
++#ifdef CONFIG_AMD_NODE
+ int __must_check amd_smn_read(u16 node, u32 address, u32 *value);
+ int __must_check amd_smn_write(u16 node, u32 address, u32 value);
+
++/* Should only be used by the HSMP driver. */
++int __must_check amd_smn_hsmp_rdwr(u16 node, u32 address, u32 *value, bool write);
++#else
++static inline int __must_check amd_smn_read(u16 node, u32 address, u32 *value) { return -ENODEV; }
++static inline int __must_check amd_smn_write(u16 node, u32 address, u32 value) { return -ENODEV; }
++
++static inline int __must_check amd_smn_hsmp_rdwr(u16 node, u32 address, u32 *value, bool write)
++{
++ return -ENODEV;
++}
++#endif /* CONFIG_AMD_NODE */
++
+ #endif /*_ASM_X86_AMD_NODE_H_*/
+diff --git a/arch/x86/kernel/amd_nb.c b/arch/x86/kernel/amd_nb.c
+index 67e773744edb2..6d12a9b694327 100644
+--- a/arch/x86/kernel/amd_nb.c
++++ b/arch/x86/kernel/amd_nb.c
+@@ -73,7 +73,6 @@ static int amd_cache_northbridges(void)
+ amd_northbridges.nb = nb;
+
+ for (i = 0; i < amd_northbridges.num; i++) {
+- node_to_amd_nb(i)->root = amd_node_get_root(i);
+ node_to_amd_nb(i)->misc = amd_node_get_func(i, 3);
+
+ /*
+diff --git a/arch/x86/kernel/amd_node.c b/arch/x86/kernel/amd_node.c
+index d2ec7fd555c51..65045f223c10a 100644
+--- a/arch/x86/kernel/amd_node.c
++++ b/arch/x86/kernel/amd_node.c
+@@ -97,6 +97,9 @@ static DEFINE_MUTEX(smn_mutex);
+ #define SMN_INDEX_OFFSET 0x60
+ #define SMN_DATA_OFFSET 0x64
+
++#define HSMP_INDEX_OFFSET 0xc4
++#define HSMP_DATA_OFFSET 0xc8
++
+ /*
+ * SMN accesses may fail in ways that are difficult to detect here in the called
+ * functions amd_smn_read() and amd_smn_write(). Therefore, callers must do
+@@ -179,6 +182,12 @@ int __must_check amd_smn_write(u16 node, u32 address, u32 value)
+ }
+ EXPORT_SYMBOL_GPL(amd_smn_write);
+
++int __must_check amd_smn_hsmp_rdwr(u16 node, u32 address, u32 *value, bool write)
++{
++ return __amd_smn_rw(HSMP_INDEX_OFFSET, HSMP_DATA_OFFSET, node, address, value, write);
++}
++EXPORT_SYMBOL_GPL(amd_smn_hsmp_rdwr);
++
+ static int amd_cache_roots(void)
+ {
+ u16 node, num_nodes = amd_num_nodes();
+diff --git a/drivers/platform/x86/amd/hsmp/Kconfig b/drivers/platform/x86/amd/hsmp/Kconfig
+index 7d10d4462a453..d6f7a62d55b5e 100644
+--- a/drivers/platform/x86/amd/hsmp/Kconfig
++++ b/drivers/platform/x86/amd/hsmp/Kconfig
+@@ -7,7 +7,7 @@ config AMD_HSMP
+ tristate
+
+ menu "AMD HSMP Driver"
+- depends on AMD_NB || COMPILE_TEST
++ depends on AMD_NODE || COMPILE_TEST
+
+ config AMD_HSMP_ACPI
+ tristate "AMD HSMP ACPI device driver"
+diff --git a/drivers/platform/x86/amd/hsmp/acpi.c b/drivers/platform/x86/amd/hsmp/acpi.c
+index 444b43be35a25..c1eccb3c80c5c 100644
+--- a/drivers/platform/x86/amd/hsmp/acpi.c
++++ b/drivers/platform/x86/amd/hsmp/acpi.c
+@@ -10,7 +10,6 @@
+ #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
+ #include <asm/amd_hsmp.h>
+-#include <asm/amd_nb.h>
+
+ #include <linux/acpi.h>
+ #include <linux/device.h>
+@@ -24,6 +23,8 @@
+
+ #include <uapi/asm-generic/errno-base.h>
+
++#include <asm/amd_node.h>
++
+ #include "hsmp.h"
+
+ #define DRIVER_NAME "amd_hsmp"
+@@ -321,8 +322,8 @@ static int hsmp_acpi_probe(struct platform_device *pdev)
+ return -ENOMEM;
+
+ if (!hsmp_pdev->is_probed) {
+- hsmp_pdev->num_sockets = amd_nb_num();
+- if (hsmp_pdev->num_sockets == 0 || hsmp_pdev->num_sockets > MAX_AMD_SOCKETS)
++ hsmp_pdev->num_sockets = amd_num_nodes();
++ if (hsmp_pdev->num_sockets == 0 || hsmp_pdev->num_sockets > MAX_AMD_NUM_NODES)
+ return -ENODEV;
+
+ hsmp_pdev->sock = devm_kcalloc(&pdev->dev, hsmp_pdev->num_sockets,
+diff --git a/drivers/platform/x86/amd/hsmp/hsmp.c b/drivers/platform/x86/amd/hsmp/hsmp.c
+index 03164e30b3a50..a3ac09a90de45 100644
+--- a/drivers/platform/x86/amd/hsmp/hsmp.c
++++ b/drivers/platform/x86/amd/hsmp/hsmp.c
+@@ -8,7 +8,6 @@
+ */
+
+ #include <asm/amd_hsmp.h>
+-#include <asm/amd_nb.h>
+
+ #include <linux/acpi.h>
+ #include <linux/delay.h>
+diff --git a/drivers/platform/x86/amd/hsmp/hsmp.h b/drivers/platform/x86/amd/hsmp/hsmp.h
+index e852f0a947e4f..af8b21f821d66 100644
+--- a/drivers/platform/x86/amd/hsmp/hsmp.h
++++ b/drivers/platform/x86/amd/hsmp/hsmp.h
+@@ -21,8 +21,6 @@
+
+ #define HSMP_ATTR_GRP_NAME_SIZE 10
+
+-#define MAX_AMD_SOCKETS 8
+-
+ #define HSMP_CDEV_NAME "hsmp_cdev"
+ #define HSMP_DEVNODE_NAME "hsmp"
+
+@@ -41,7 +39,6 @@ struct hsmp_socket {
+ void __iomem *virt_base_addr;
+ struct semaphore hsmp_sem;
+ char name[HSMP_ATTR_GRP_NAME_SIZE];
+- struct pci_dev *root;
+ struct device *dev;
+ u16 sock_ind;
+ int (*amd_hsmp_rdwr)(struct hsmp_socket *sock, u32 off, u32 *val, bool rw);
+diff --git a/drivers/platform/x86/amd/hsmp/plat.c b/drivers/platform/x86/amd/hsmp/plat.c
+index 02ca85762b686..b9782a078dbd2 100644
+--- a/drivers/platform/x86/amd/hsmp/plat.c
++++ b/drivers/platform/x86/amd/hsmp/plat.c
+@@ -10,14 +10,16 @@
+ #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
+ #include <asm/amd_hsmp.h>
+-#include <asm/amd_nb.h>
+
++#include <linux/build_bug.h>
+ #include <linux/device.h>
+ #include <linux/module.h>
+ #include <linux/pci.h>
+ #include <linux/platform_device.h>
+ #include <linux/sysfs.h>
+
++#include <asm/amd_node.h>
++
+ #include "hsmp.h"
+
+ #define DRIVER_NAME "amd_hsmp"
+@@ -34,28 +36,12 @@
+ #define SMN_HSMP_MSG_RESP 0x0010980
+ #define SMN_HSMP_MSG_DATA 0x00109E0
+
+-#define HSMP_INDEX_REG 0xc4
+-#define HSMP_DATA_REG 0xc8
+-
+ static struct hsmp_plat_device *hsmp_pdev;
+
+ static int amd_hsmp_pci_rdwr(struct hsmp_socket *sock, u32 offset,
+ u32 *value, bool write)
+ {
+- int ret;
+-
+- if (!sock->root)
+- return -ENODEV;
+-
+- ret = pci_write_config_dword(sock->root, HSMP_INDEX_REG,
+- sock->mbinfo.base_addr + offset);
+- if (ret)
+- return ret;
+-
+- ret = (write ? pci_write_config_dword(sock->root, HSMP_DATA_REG, *value)
+- : pci_read_config_dword(sock->root, HSMP_DATA_REG, value));
+-
+- return ret;
++ return amd_smn_hsmp_rdwr(sock->sock_ind, sock->mbinfo.base_addr + offset, value, write);
+ }
+
+ static ssize_t hsmp_metric_tbl_plat_read(struct file *filp, struct kobject *kobj,
+@@ -95,7 +81,12 @@ static umode_t hsmp_is_sock_attr_visible(struct kobject *kobj,
+ * Static array of 8 + 1(for NULL) elements is created below
+ * to create sysfs groups for sockets.
+ * is_bin_visible function is used to show / hide the necessary groups.
++ *
++ * Validate the maximum number against MAX_AMD_NUM_NODES. If this changes,
++ * then the attributes and groups below must be adjusted.
+ */
++static_assert(MAX_AMD_NUM_NODES == 8);
++
+ #define HSMP_BIN_ATTR(index, _list) \
+ static const struct bin_attribute attr##index = { \
+ .attr = { .name = HSMP_METRICS_TABLE_NAME, .mode = 0444}, \
+@@ -159,10 +150,7 @@ static int init_platform_device(struct device *dev)
+ int ret, i;
+
+ for (i = 0; i < hsmp_pdev->num_sockets; i++) {
+- if (!node_to_amd_nb(i))
+- return -ENODEV;
+ sock = &hsmp_pdev->sock[i];
+- sock->root = node_to_amd_nb(i)->root;
+ sock->sock_ind = i;
+ sock->dev = dev;
+ sock->mbinfo.base_addr = SMN_HSMP_BASE;
+@@ -305,11 +293,11 @@ static int __init hsmp_plt_init(void)
+ return -ENOMEM;
+
+ /*
+- * amd_nb_num() returns number of SMN/DF interfaces present in the system
++ * amd_num_nodes() returns number of SMN/DF interfaces present in the system
+ * if we have N SMN/DF interfaces that ideally means N sockets
+ */
+- hsmp_pdev->num_sockets = amd_nb_num();
+- if (hsmp_pdev->num_sockets == 0 || hsmp_pdev->num_sockets > MAX_AMD_SOCKETS)
++ hsmp_pdev->num_sockets = amd_num_nodes();
++ if (hsmp_pdev->num_sockets == 0 || hsmp_pdev->num_sockets > MAX_AMD_NUM_NODES)
+ return ret;
+
+ ret = platform_driver_register(&amd_hsmp_driver);
+--
+2.39.5
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
