--- /dev/null
+From b4885bd5935bb26f0a414ad55679a372e53f9b9b Mon Sep 17 00:00:00 2001
+From: Alexandra Diupina <adiupina@astralinux.ru>
+Date: Wed, 19 Mar 2025 17:28:58 +0300
+Subject: cifs: avoid NULL pointer dereference in dbg call
+
+From: Alexandra Diupina <adiupina@astralinux.ru>
+
+commit b4885bd5935bb26f0a414ad55679a372e53f9b9b upstream.
+
+cifs_server_dbg() implies server to be non-NULL so
+move call under condition to avoid NULL pointer dereference.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: e79b0332ae06 ("cifs: ignore cached share root handle closing errors")
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexandra Diupina <adiupina@astralinux.ru>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/smb2misc.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/fs/smb/client/smb2misc.c
++++ b/fs/smb/client/smb2misc.c
+@@ -816,11 +816,12 @@ smb2_handle_cancelled_close(struct cifs_
+ WARN_ONCE(tcon->tc_count < 0, "tcon refcount is negative");
+ spin_unlock(&cifs_tcp_ses_lock);
+
+- if (tcon->ses)
++ if (tcon->ses) {
+ server = tcon->ses->server;
+-
+- cifs_server_dbg(FYI, "tid=0x%x: tcon is closing, skipping async close retry of fid %llu %llu\n",
+- tcon->tid, persistent_fid, volatile_fid);
++ cifs_server_dbg(FYI,
++ "tid=0x%x: tcon is closing, skipping async close retry of fid %llu %llu\n",
++ tcon->tid, persistent_fid, volatile_fid);
++ }
+
+ return 0;
+ }
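Review bot: The new guard in smb2_handle_cancelled_close() tests `tcon->ses`, while the pointer that cifs_server_dbg() relies on, per the commit message, is `server`. If `tcon->ses->server` can itself be NULL on this path (not visible in the hunk), the dereference is still reachable, so an `if (server)` around the debug call inside the block would guard the pointer actually used. The message is also dropped entirely when there is no session, which makes this skipped-close path invisible in debug logs; an `else` arm using `cifs_dbg(FYI, ...)` with the same tid and fids would keep it. The function body starts above the hunk, so the initial value of `server` is not shown.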
--- /dev/null
+From 6f8a394aa952257575910d57cf0a63627fa949a2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pali=20Roh=C3=A1r?= <pali@kernel.org>
+Date: Sat, 5 Apr 2025 19:51:07 +0200
+Subject: cifs: Ensure that all non-client-specific reparse points are processed by the server
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+commit 6f8a394aa952257575910d57cf0a63627fa949a2 upstream.
+
+Fix regression in mounts to e.g. onedrive shares.
+
+Generally, reparse points are processed by the SMB server during the
+SMB OPEN request, but there are few reparse points which do not have
+OPEN-like meaning for the SMB server and has to be processed by the SMB
+client. Those are symlinks and special files (fifo, socket, block, char).
+
+For Linux SMB client, it is required to process also name surrogate reparse
+points as they represent another entity on the SMB server system. Linux
+client will mark them as separate mount points. Examples of name surrogate
+reparse points are NTFS junction points (e.g. created by the "mklink" tool
+on Windows servers).
+
+So after processing the name surrogate reparse points, clear the
+-EOPNOTSUPP error code returned from the parse_reparse_point() to let SMB
+server to process reparse points.
+
+And remove printing misleading error message "unhandled reparse tag:" as
+reparse points are handled by SMB server and hence unhandled fact is normal
+operation.
+
+Fixes: cad3fc0a4c8c ("cifs: Throw -EOPNOTSUPP error on unsupported reparse point type from parse_reparse_point()")
+Fixes: b587fd128660 ("cifs: Treat unhandled directory name surrogate reparse points as mount directory nodes")
+Cc: stable@vger.kernel.org
+Reported-by: Junwen Sun <sunjw8888@gmail.com>
+Tested-by: Junwen Sun <sunjw8888@gmail.com>
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/inode.c | 10 ++++++++++
+ fs/smb/client/reparse.c | 4 ----
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+--- a/fs/smb/client/inode.c
++++ b/fs/smb/client/inode.c
+@@ -1228,6 +1228,16 @@ static int reparse_info_to_fattr(struct
+ cifs_create_junction_fattr(fattr, sb);
+ goto out;
+ }
++ /*
++ * If the reparse point is unsupported by the Linux SMB
++ * client then let it process by the SMB server. So mask
++ * the -EOPNOTSUPP error code. This will allow Linux SMB
++ * client to send SMB OPEN request to server. If server
++ * does not support this reparse point too then server
++ * will return error during open the path.
++ */
++ if (rc == -EOPNOTSUPP)
++ rc = 0;
+ }
+ break;
+ }
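Review bot: The added `if (rc == -EOPNOTSUPP) rc = 0;` clears the error for every reparse tag the client does not parse, and the same commit deletes the only message that named the tag, so an unexpected tag returned by a server now leaves no trace on the client. A debug-level line before the reset, for example `cifs_dbg(FYI, "reparse tag 0x%08x left to server\n", ...)`, would keep that visible without the misleading VFS-level error. The comment should also say which call produced `rc`, since the hunk does not show it, and masking -EOPNOTSUPP from any other source would hide a real failure. The enclosing reparse_info_to_fattr() starts and ends outside the hunk.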
+--- a/fs/smb/client/reparse.c
++++ b/fs/smb/client/reparse.c
+@@ -698,8 +698,6 @@ int parse_reparse_point(struct reparse_d
+ const char *full_path,
+ bool unicode, struct cifs_open_info_data *data)
+ {
+- struct cifs_tcon *tcon = cifs_sb_master_tcon(cifs_sb);
+-
+ data->reparse.buf = buf;
+
+ /* See MS-FSCC 2.1.2 */
+@@ -726,8 +724,6 @@ int parse_reparse_point(struct reparse_d
+ }
+ return 0;
+ default:
+- cifs_tcon_dbg(VFS | ONCE, "unhandled reparse tag: 0x%08x\n",
+- le32_to_cpu(buf->ReparseTag));
+ return -EOPNOTSUPP;
+ }
+ }
--- /dev/null
+From 2510859475d7f46ed7940db0853f3342bf1b65ee Mon Sep 17 00:00:00 2001
+From: Roman Smirnov <r.smirnov@omp.ru>
+Date: Mon, 31 Mar 2025 11:22:49 +0300
+Subject: cifs: fix integer overflow in match_server()
+
+From: Roman Smirnov <r.smirnov@omp.ru>
+
+commit 2510859475d7f46ed7940db0853f3342bf1b65ee upstream.
+
+The echo_interval is not limited in any way during mounting,
+which makes it possible to write a large number to it. This can
+cause an overflow when multiplying ctx->echo_interval by HZ in
+match_server().
+
+Add constraints for echo_interval to smb3_fs_context_parse_param().
+
+Found by Linux Verification Center (linuxtesting.org) with Svace.
+
+Fixes: adfeb3e00e8e1 ("cifs: Make echo interval tunable")
+Cc: stable@vger.kernel.org
+Signed-off-by: Roman Smirnov <r.smirnov@omp.ru>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/fs_context.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/smb/client/fs_context.c
++++ b/fs/smb/client/fs_context.c
+@@ -1317,6 +1317,11 @@ static int smb3_fs_context_parse_param(s
+ ctx->closetimeo = HZ * result.uint_32;
+ break;
+ case Opt_echo_interval:
++ if (result.uint_32 < SMB_ECHO_INTERVAL_MIN ||
++ result.uint_32 > SMB_ECHO_INTERVAL_MAX) {
++ cifs_errorf(fc, "echo interval is out of bounds\n");
++ goto cifs_parse_mount_err;
++ }
+ ctx->echo_interval = result.uint_32;
+ break;
+ case Opt_snapshot:
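Review bot: The rejection message in the new Opt_echo_interval check gives neither the accepted range nor the value that was passed, so a failed mount gives the administrator nothing to act on; `cifs_errorf(fc, "echo interval %u out of range [%u, %u]\n", result.uint_32, SMB_ECHO_INTERVAL_MIN, SMB_ECHO_INTERVAL_MAX);` would. A one-line comment that the bound exists because the value is later multiplied by HZ would tie the check to the overflow it prevents. The context line `ctx->closetimeo = HZ * result.uint_32;` just above does the same kind of multiplication; its own bound, if any, is above the hunk and worth confirming.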
--- /dev/null
+From 1821e90be08e7d4a54cd167dd818d80d06e064e9 Mon Sep 17 00:00:00 2001
+From: Aman <aman1@microsoft.com>
+Date: Thu, 6 Mar 2025 17:46:43 +0000
+Subject: CIFS: Propagate min offload along with other parameters from primary to secondary channels.
+
+From: Aman <aman1@microsoft.com>
+
+commit 1821e90be08e7d4a54cd167dd818d80d06e064e9 upstream.
+
+In a multichannel setup, it was observed that a few fields were not being
+copied over to the secondary channels, which impacted performance in cases
+where these options were relevant but not properly synchronized. To address
+this, this patch introduces copying the following parameters from the
+primary channel to the secondary channels:
+
+- min_offload
+- compression.requested
+- dfs_conn
+- ignore_signature
+- leaf_fullpath
+- noblockcnt
+- retrans
+- sign
+
+By copying these parameters, we ensure consistency across channels and
+prevent performance degradation due to missing or outdated settings.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Aman <aman1@microsoft.com>
+Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/connect.c | 1 +
+ fs/smb/client/sess.c | 7 +++++++
+ 2 files changed, 8 insertions(+)
+
+--- a/fs/smb/client/connect.c
++++ b/fs/smb/client/connect.c
+@@ -1722,6 +1722,7 @@ cifs_get_tcp_session(struct smb3_fs_cont
+ /* Grab netns reference for this server. */
+ cifs_set_net_ns(tcp_ses, get_net(current->nsproxy->net_ns));
+
++ tcp_ses->sign = ctx->sign;
+ tcp_ses->conn_id = atomic_inc_return(&tcpSesNextId);
+ tcp_ses->noblockcnt = ctx->rootfs;
+ tcp_ses->noblocksnd = ctx->noblocksnd || ctx->rootfs;
+--- a/fs/smb/client/sess.c
++++ b/fs/smb/client/sess.c
+@@ -522,6 +522,13 @@ cifs_ses_add_channel(struct cifs_ses *se
+ ctx->sockopt_tcp_nodelay = ses->server->tcp_nodelay;
+ ctx->echo_interval = ses->server->echo_interval / HZ;
+ ctx->max_credits = ses->server->max_credits;
++ ctx->min_offload = ses->server->min_offload;
++ ctx->compress = ses->server->compression.requested;
++ ctx->dfs_conn = ses->server->dfs_conn;
++ ctx->ignore_signature = ses->server->ignore_signature;
++ ctx->leaf_fullpath = ses->server->leaf_fullpath;
++ ctx->rootfs = ses->server->noblockcnt;
++ ctx->retrans = ses->server->retrans;
+
+ /*
+ * This will be used for encoding/decoding user/domain/pw
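Review bot: `ctx->leaf_fullpath = ses->server->leaf_fullpath;` copies the pointer rather than the string, so the temporary context and the primary server now refer to the same buffer. Whether that is safe depends on how `ctx` is torn down later in cifs_ses_add_channel(), which is outside the hunk: if the cleanup frees `ctx->leaf_fullpath`, the primary channel is left with a dangling pointer. Either duplicate the string or add a comment such as `/* borrowed from the primary server; must not be freed via ctx */`. `ctx->ignore_signature` is inherited here as well, so a secondary channel takes on the primary's relaxed signature checking without any mention in the code; a short comment saying this is intended would help.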
--- /dev/null
+From 5eac348182d2b5ed1066459abedb7bc6b5466f81 Mon Sep 17 00:00:00 2001
+From: Ajit Pandey <quic_ajipan@quicinc.com>
+Date: Tue, 28 Jan 2025 17:08:35 +0530
+Subject: clk: qcom: clk-branch: Fix invert halt status bit check for votable clocks
+
+From: Ajit Pandey <quic_ajipan@quicinc.com>
+
+commit 5eac348182d2b5ed1066459abedb7bc6b5466f81 upstream.
+
+BRANCH_HALT_ENABLE and BRANCH_HALT_ENABLE_VOTED flags are used to check
+halt status of branch clocks, which have an inverted logic for the halt
+bit in CBCR register. However, the current logic in the _check_halt()
+method only compares the BRANCH_HALT_ENABLE flags, ignoring the votable
+branch clocks.
+
+Update the logic to correctly handle the invert logic for votable clocks
+using the BRANCH_HALT_ENABLE_VOTED flags.
+
+Fixes: 9092d1083a62 ("clk: qcom: branch: Extend the invert logic for branch2 clocks")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ajit Pandey <quic_ajipan@quicinc.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20250128-push_fix-v1-1-fafec6747881@quicinc.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/qcom/clk-branch.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/clk/qcom/clk-branch.c
++++ b/drivers/clk/qcom/clk-branch.c
+@@ -28,7 +28,7 @@ static bool clk_branch_in_hwcg_mode(cons
+
+ static bool clk_branch_check_halt(const struct clk_branch *br, bool enabling)
+ {
+- bool invert = (br->halt_check == BRANCH_HALT_ENABLE);
++ bool invert = (br->halt_check & BRANCH_HALT_ENABLE);
+ u32 val;
+
+ regmap_read(br->clkr.regmap, br->halt_reg, &val);
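Review bot: `br->halt_check & BRANCH_HALT_ENABLE` in clk_branch_check_halt(), and the identical line in clk_branch2_check_halt() in the next hunk, treats `halt_check` as a bit mask, so the result is true for any value that shares a bit with BRANCH_HALT_ENABLE, not only BRANCH_HALT_ENABLE and BRANCH_HALT_ENABLE_VOTED. The flag definitions are not on this page; if halt_check also takes plain enumerated values, one of them could now invert unintentionally. Naming both cases keeps the intent explicit, `bool invert = br->halt_check == BRANCH_HALT_ENABLE || br->halt_check == BRANCH_HALT_ENABLE_VOTED;`, or else add a comment stating which bit the mask relies on.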
+@@ -44,7 +44,7 @@ static bool clk_branch2_check_halt(const
+ {
+ u32 val;
+ u32 mask;
+- bool invert = (br->halt_check == BRANCH_HALT_ENABLE);
++ bool invert = (br->halt_check & BRANCH_HALT_ENABLE);
+
+ mask = CBCR_NOC_FSM_STATUS;
+ mask |= CBCR_CLK_OFF;
--- /dev/null
+From 65a733464553ea192797b889d1533a1a37216f32 Mon Sep 17 00:00:00 2001
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Date: Fri, 17 Jan 2025 13:54:08 +0000
+Subject: clk: qcom: gdsc: Capture pm_genpd_add_subdomain result code
+
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+
+commit 65a733464553ea192797b889d1533a1a37216f32 upstream.
+
+Adding a new clause to this if/else I noticed the existing usage of
+pm_genpd_add_subdomain() wasn't capturing and returning the result code.
+
+pm_genpd_add_subdomain() returns an int and can fail. Capture that result
+code and throw it up the call stack if something goes wrong.
+
+Fixes: 1b771839de05 ("clk: qcom: gdsc: enable optional power domain support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Link: https://lore.kernel.org/r/20250117-b4-linux-next-24-11-18-clock-multiple-power-domains-v10-2-13f2bb656dad@linaro.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/qcom/gdsc.c | 40 +++++++++++++++++++++++++++-------------
+ 1 file changed, 27 insertions(+), 13 deletions(-)
+
+--- a/drivers/clk/qcom/gdsc.c
++++ b/drivers/clk/qcom/gdsc.c
+@@ -506,6 +506,23 @@ err_disable_supply:
+ return ret;
+ }
+
++static void gdsc_pm_subdomain_remove(struct gdsc_desc *desc, size_t num)
++{
++ struct device *dev = desc->dev;
++ struct gdsc **scs = desc->scs;
++ int i;
++
++ /* Remove subdomains */
++ for (i = num - 1; i >= 0; i--) {
++ if (!scs[i])
++ continue;
++ if (scs[i]->parent)
++ pm_genpd_remove_subdomain(scs[i]->parent, &scs[i]->pd);
++ else if (!IS_ERR_OR_NULL(dev->pm_domain))
++ pm_genpd_remove_subdomain(pd_to_genpd(dev->pm_domain), &scs[i]->pd);
++ }
++}
++
+ int gdsc_register(struct gdsc_desc *desc,
+ struct reset_controller_dev *rcdev, struct regmap *regmap)
+ {
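Review bot: The countdown loop in gdsc_pm_subdomain_remove() assigns `num - 1`, a size_t expression, to `int i` and relies on `i >= 0` to stop, so it is only correct while `i` stays signed and `num` fits in an int; for `num == 0` it works only because the wrapped value converts to -1. The same loop is introduced in gdsc_unregister() by the "Release pm subdomains in reverse add order" patch further down, where the declaration of `i` is outside the hunk. A form that does not depend on the conversion is `for (size_t i = num; i-- > 0; )`; failing that, a comment that `i` must remain signed would protect the loop from a later type cleanup.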
+@@ -555,30 +572,27 @@ int gdsc_register(struct gdsc_desc *desc
+ if (!scs[i])
+ continue;
+ if (scs[i]->parent)
+- pm_genpd_add_subdomain(scs[i]->parent, &scs[i]->pd);
++ ret = pm_genpd_add_subdomain(scs[i]->parent, &scs[i]->pd);
+ else if (!IS_ERR_OR_NULL(dev->pm_domain))
+- pm_genpd_add_subdomain(pd_to_genpd(dev->pm_domain), &scs[i]->pd);
++ ret = pm_genpd_add_subdomain(pd_to_genpd(dev->pm_domain), &scs[i]->pd);
++ if (ret)
++ goto err_pm_subdomain_remove;
+ }
+
+ return of_genpd_add_provider_onecell(dev->of_node, data);
++
++err_pm_subdomain_remove:
++ gdsc_pm_subdomain_remove(desc, i);
++
++ return ret;
+ }
+
+ void gdsc_unregister(struct gdsc_desc *desc)
+ {
+- int i;
+ struct device *dev = desc->dev;
+- struct gdsc **scs = desc->scs;
+ size_t num = desc->num;
+
+- /* Remove subdomains */
+- for (i = num - 1; i >= 0; i--) {
+- if (!scs[i])
+- continue;
+- if (scs[i]->parent)
+- pm_genpd_remove_subdomain(scs[i]->parent, &scs[i]->pd);
+- else if (!IS_ERR_OR_NULL(dev->pm_domain))
+- pm_genpd_remove_subdomain(pd_to_genpd(dev->pm_domain), &scs[i]->pd);
+- }
++ gdsc_pm_subdomain_remove(desc, num);
+ of_genpd_del_provider(dev->of_node);
+ }
+
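Review bot: `if (ret)` in the subdomain loop of gdsc_register() is evaluated even when neither branch assigned `ret`, that is when scs[i] has no parent and dev->pm_domain is NULL or an error pointer, so it tests whatever value `ret` held before this iteration. The earlier part of the function is outside the hunk and `ret` may well be zero there, but the check would be safer with `ret = 0;` at the top of each iteration or attached directly to the two calls. The error path undoes only the subdomain links added so far; whether earlier setup in this function also needs unwinding cannot be judged from the hunk.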
--- /dev/null
+From 0e6dfde439df0bb977cddd3cf7fff150a084a9bf Mon Sep 17 00:00:00 2001
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Date: Fri, 17 Jan 2025 13:54:07 +0000
+Subject: clk: qcom: gdsc: Release pm subdomains in reverse add order
+
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+
+commit 0e6dfde439df0bb977cddd3cf7fff150a084a9bf upstream.
+
+gdsc_unregister() should release subdomains in the reverse order to the
+order in which those subdomains were added.
+
+I've made this patch a standalone patch because it facilitates a subsequent
+fix to stable.
+
+Fixes: 1b771839de05 ("clk: qcom: gdsc: enable optional power domain support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Link: https://lore.kernel.org/r/20250117-b4-linux-next-24-11-18-clock-multiple-power-domains-v10-1-13f2bb656dad@linaro.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/qcom/gdsc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/qcom/gdsc.c
++++ b/drivers/clk/qcom/gdsc.c
+@@ -571,7 +571,7 @@ void gdsc_unregister(struct gdsc_desc *d
+ size_t num = desc->num;
+
+ /* Remove subdomains */
+- for (i = 0; i < num; i++) {
++ for (i = num - 1; i >= 0; i--) {
+ if (!scs[i])
+ continue;
+ if (scs[i]->parent)
--- /dev/null
+From 25708f73ff171bb4171950c9f4be5aa8504b8459 Mon Sep 17 00:00:00 2001
+From: Taniya Das <quic_tdas@quicinc.com>
+Date: Fri, 14 Feb 2025 09:56:59 +0530
+Subject: clk: qcom: gdsc: Set retain_ff before moving to HW CTRL
+
+From: Taniya Das <quic_tdas@quicinc.com>
+
+commit 25708f73ff171bb4171950c9f4be5aa8504b8459 upstream.
+
+Enable the retain_ff_enable bit of GDSCR only if the GDSC is already ON.
+Once the GDSCR moves to HW control, SW no longer can determine the state
+of the GDSCR and setting the retain_ff bit could destroy all the register
+contents we intended to save.
+Therefore, move the retain_ff configuration before switching the GDSC to
+HW trigger mode.
+
+Cc: stable@vger.kernel.org
+Fixes: 173722995cdb ("clk: qcom: gdsc: Add support to enable retention of GSDCR")
+Signed-off-by: Taniya Das <quic_tdas@quicinc.com>
+Reviewed-by: Imran Shaik <quic_imrashai@quicinc.com>
+Tested-by: Imran Shaik <quic_imrashai@quicinc.com> # on QCS8300
+Link: https://lore.kernel.org/r/20250214-gdsc_fixes-v1-1-73e56d68a80f@quicinc.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/qcom/gdsc.c | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+--- a/drivers/clk/qcom/gdsc.c
++++ b/drivers/clk/qcom/gdsc.c
+@@ -292,6 +292,9 @@ static int gdsc_enable(struct generic_pm
+ */
+ udelay(1);
+
++ if (sc->flags & RETAIN_FF_ENABLE)
++ gdsc_retain_ff_on(sc);
++
+ /* Turn on HW trigger mode if supported */
+ if (sc->flags & HW_CTRL) {
+ ret = gdsc_hwctrl(sc, true);
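Review bot: The ordering constraint in gdsc_enable() is not recorded at the call site: gdsc_init() carries a comment about the retain bit, but the block moved here has none, so a later cleanup could move `gdsc_retain_ff_on(sc)` back below the HW_CTRL switch. A comment above it such as `/* Must precede HW trigger mode: once HW controls the GDSC, SW cannot tell whether it is on */` would keep the reasoning from the commit message with the code. The same applies to the HW_CTRL block moved in gdsc_init() in the last hunk of this patch. gdsc_enable() begins and ends outside the hunk.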
+@@ -308,9 +311,6 @@ static int gdsc_enable(struct generic_pm
+ udelay(1);
+ }
+
+- if (sc->flags & RETAIN_FF_ENABLE)
+- gdsc_retain_ff_on(sc);
+-
+ return 0;
+ }
+
+@@ -457,13 +457,6 @@ static int gdsc_init(struct gdsc *sc)
+ goto err_disable_supply;
+ }
+
+- /* Turn on HW trigger mode if supported */
+- if (sc->flags & HW_CTRL) {
+- ret = gdsc_hwctrl(sc, true);
+- if (ret < 0)
+- goto err_disable_supply;
+- }
+-
+ /*
+ * Make sure the retain bit is set if the GDSC is already on,
+ * otherwise we end up turning off the GDSC and destroying all
+@@ -471,6 +464,14 @@ static int gdsc_init(struct gdsc *sc)
+ */
+ if (sc->flags & RETAIN_FF_ENABLE)
+ gdsc_retain_ff_on(sc);
++
++ /* Turn on HW trigger mode if supported */
++ if (sc->flags & HW_CTRL) {
++ ret = gdsc_hwctrl(sc, true);
++ if (ret < 0)
++ goto err_disable_supply;
++ }
++
+ } else if (sc->flags & ALWAYS_ON) {
+ /* If ALWAYS_ON GDSCs are not ON, turn them ON */
+ gdsc_enable(&sc->pd);
--- /dev/null
+From 7f22a298d926664b51fcfe2f8ea5feb7f8b79952 Mon Sep 17 00:00:00 2001
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Date: Mon, 27 Jan 2025 17:31:59 +0000
+Subject: clk: renesas: r9a07g043: Fix HP clock source for RZ/Five
+
+From: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+
+commit 7f22a298d926664b51fcfe2f8ea5feb7f8b79952 upstream.
+
+According to the Rev.1.20 hardware manual for the RZ/Five SoC, the clock
+source for HP is derived from PLL6 divided by 2. Correct the
+implementation by configuring HP as a fixed clock source instead of a
+MUX.
+
+The `CPG_PL6_ETH_SSEL' register, which is available on the RZ/G2UL SoC,
+is not present on the RZ/Five SoC, necessitating this change.
+
+Fixes: 95d48d270305ad2c ("clk: renesas: r9a07g043: Add support for RZ/Five SoC")
+Cc: stable@vger.kernel.org
+Reported-by: Hien Huynh <hien.huynh.px@renesas.com>
+Signed-off-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/20250127173159.34572-1-prabhakar.mahadev-lad.rj@bp.renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clk/renesas/r9a07g043-cpg.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/clk/renesas/r9a07g043-cpg.c
++++ b/drivers/clk/renesas/r9a07g043-cpg.c
+@@ -89,7 +89,9 @@ static const struct clk_div_table dtable
+
+ /* Mux clock tables */
+ static const char * const sel_pll3_3[] = { ".pll3_533", ".pll3_400" };
++#ifdef CONFIG_ARM64
+ static const char * const sel_pll6_2[] = { ".pll6_250", ".pll5_250" };
++#endif
+ static const char * const sel_sdhi[] = { ".clk_533", ".clk_400", ".clk_266" };
+
+ static const u32 mtable_sdhi[] = { 1, 2, 3 };
+@@ -137,7 +139,12 @@ static const struct cpg_core_clk r9a07g0
+ DEF_DIV("P2", R9A07G043_CLK_P2, CLK_PLL3_DIV2_4_2, DIVPL3A, dtable_1_32),
+ DEF_FIXED("M0", R9A07G043_CLK_M0, CLK_PLL3_DIV2_4, 1, 1),
+ DEF_FIXED("ZT", R9A07G043_CLK_ZT, CLK_PLL3_DIV2_4_2, 1, 1),
++#ifdef CONFIG_ARM64
+ DEF_MUX("HP", R9A07G043_CLK_HP, SEL_PLL6_2, sel_pll6_2),
++#endif
++#ifdef CONFIG_RISCV
++ DEF_FIXED("HP", R9A07G043_CLK_HP, CLK_PLL6_250, 1, 1),
++#endif
+ DEF_FIXED("SPI0", R9A07G043_CLK_SPI0, CLK_DIV_PLL3_C, 1, 2),
+ DEF_FIXED("SPI1", R9A07G043_CLK_SPI1, CLK_DIV_PLL3_C, 1, 4),
+ DEF_SD_MUX("SD0", R9A07G043_CLK_SD0, SEL_SDHI0, SEL_SDHI0_STS, sel_sdhi,
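Review bot: The HP entry is now emitted only under `#ifdef CONFIG_ARM64` or `#ifdef CONFIG_RISCV`, so a build with neither symbol set (a compile-test configuration, if the driver allows one) gets a core clock table with no HP clock at all and no diagnostic. Using `#else` for the second arm, or an `#error` in a final `#else`, would make the two cases exhaustive. A short comment on the DEF_FIXED line that RZ/Five has no CPG_PL6_ETH_SSEL register would also save the next reader a trip to the commit log.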
--- /dev/null
+From 07bb097b92b987db518e72525b515d77904e966e Mon Sep 17 00:00:00 2001
+From: Tom Lendacky <thomas.lendacky@amd.com>
+Date: Fri, 17 Jan 2025 17:05:47 -0600
+Subject: crypto: ccp - Fix check for the primary ASP device
+
+From: Tom Lendacky <thomas.lendacky@amd.com>
+
+commit 07bb097b92b987db518e72525b515d77904e966e upstream.
+
+Currently, the ASP primary device check does not have support for PCI
+domains, and, as a result, when the system is configured with PCI domains
+(PCI segments) the wrong device can be selected as primary. This results
+in commands submitted to the device timing out and failing. The device
+check also relies on specific device and function assignments that may
+not hold in the future.
+
+Fix the primary ASP device check to include support for PCI domains and
+to perform proper checking of the Bus/Device/Function positions.
+
+Fixes: 2a6170dfe755 ("crypto: ccp: Add Platform Security Processor (PSP) device support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/ccp/sp-pci.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/drivers/crypto/ccp/sp-pci.c
++++ b/drivers/crypto/ccp/sp-pci.c
+@@ -189,14 +189,17 @@ static bool sp_pci_is_master(struct sp_d
+ pdev_new = to_pci_dev(dev_new);
+ pdev_cur = to_pci_dev(dev_cur);
+
+- if (pdev_new->bus->number < pdev_cur->bus->number)
+- return true;
++ if (pci_domain_nr(pdev_new->bus) != pci_domain_nr(pdev_cur->bus))
++ return pci_domain_nr(pdev_new->bus) < pci_domain_nr(pdev_cur->bus);
+
+- if (PCI_SLOT(pdev_new->devfn) < PCI_SLOT(pdev_cur->devfn))
+- return true;
++ if (pdev_new->bus->number != pdev_cur->bus->number)
++ return pdev_new->bus->number < pdev_cur->bus->number;
+
+- if (PCI_FUNC(pdev_new->devfn) < PCI_FUNC(pdev_cur->devfn))
+- return true;
++ if (PCI_SLOT(pdev_new->devfn) != PCI_SLOT(pdev_cur->devfn))
++ return PCI_SLOT(pdev_new->devfn) < PCI_SLOT(pdev_cur->devfn);
++
++ if (PCI_FUNC(pdev_new->devfn) != PCI_FUNC(pdev_cur->devfn))
++ return PCI_FUNC(pdev_new->devfn) < PCI_FUNC(pdev_cur->devfn);
+
+ return false;
+ }
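Review bot: The comparison in sp_pci_is_master() is now a lexicographic order on domain, bus, slot and function, but nothing in the code says so, and each field is read through its accessor twice per device. A comment such as `/* Lowest domain:bus:slot.func is the primary; compare the most significant field first */` would document the rule the commit message gives. Reading the four values into locals for each device would also shorten the conditions and make a future fifth field harder to get wrong. The function starts above the hunk.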
--- /dev/null
+From b949f55644a6d1645c0a71f78afabf12aec7c33b Mon Sep 17 00:00:00 2001
+From: Dionna Glaze <dionnaglaze@google.com>
+Date: Sat, 8 Mar 2025 12:10:28 +1100
+Subject: crypto: ccp - Fix uAPI definitions of PSP errors
+
+From: Dionna Glaze <dionnaglaze@google.com>
+
+commit b949f55644a6d1645c0a71f78afabf12aec7c33b upstream.
+
+Additions to the error enum after explicit 0x27 setting for
+SEV_RET_INVALID_KEY leads to incorrect value assignments.
+
+Use explicit values to match the manufacturer specifications more
+clearly.
+
+Fixes: 3a45dc2b419e ("crypto: ccp: Define the SEV-SNP commands")
+CC: stable@vger.kernel.org
+Signed-off-by: Dionna Glaze <dionnaglaze@google.com>
+Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Alexey Kardashevskiy <aik@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/uapi/linux/psp-sev.h | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+--- a/include/uapi/linux/psp-sev.h
++++ b/include/uapi/linux/psp-sev.h
+@@ -73,13 +73,20 @@ typedef enum {
+ SEV_RET_INVALID_PARAM,
+ SEV_RET_RESOURCE_LIMIT,
+ SEV_RET_SECURE_DATA_INVALID,
+- SEV_RET_INVALID_KEY = 0x27,
+- SEV_RET_INVALID_PAGE_SIZE,
+- SEV_RET_INVALID_PAGE_STATE,
+- SEV_RET_INVALID_MDATA_ENTRY,
+- SEV_RET_INVALID_PAGE_OWNER,
+- SEV_RET_INVALID_PAGE_AEAD_OFLOW,
+- SEV_RET_RMP_INIT_REQUIRED,
++ SEV_RET_INVALID_PAGE_SIZE = 0x0019,
++ SEV_RET_INVALID_PAGE_STATE = 0x001A,
++ SEV_RET_INVALID_MDATA_ENTRY = 0x001B,
++ SEV_RET_INVALID_PAGE_OWNER = 0x001C,
++ SEV_RET_AEAD_OFLOW = 0x001D,
++ SEV_RET_EXIT_RING_BUFFER = 0x001F,
++ SEV_RET_RMP_INIT_REQUIRED = 0x0020,
++ SEV_RET_BAD_SVN = 0x0021,
++ SEV_RET_BAD_VERSION = 0x0022,
++ SEV_RET_SHUTDOWN_REQUIRED = 0x0023,
++ SEV_RET_UPDATE_FAILED = 0x0024,
++ SEV_RET_RESTORE_REQUIRED = 0x0025,
++ SEV_RET_RMP_INITIALIZATION_FAILED = 0x0026,
++ SEV_RET_INVALID_KEY = 0x0027,
+ SEV_RET_MAX,
+ } sev_ret_code;
+
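Review bot: This hunk renames `SEV_RET_INVALID_PAGE_AEAD_OFLOW` to `SEV_RET_AEAD_OFLOW` in a uAPI header, so userspace source that used the old name stops compiling; keeping the old spelling as an alias directly after the new name, `SEV_RET_INVALID_PAGE_AEAD_OFLOW = SEV_RET_AEAD_OFLOW,`, would avoid that. `SEV_RET_MAX` changes too: it used to follow `SEV_RET_RMP_INIT_REQUIRED` and evaluate to 0x2E, and now follows `SEV_RET_INVALID_KEY = 0x0027` and evaluates to 0x28, which matters to anything that sizes a table or range-checks a firmware return code against it. The list skips 0x001E; a comment saying whether that value is reserved would show the gap is deliberate.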
--- /dev/null
+From a3672304abf2a847ac0c54c84842c64c5bfba279 Mon Sep 17 00:00:00 2001
+From: Alexander Aring <aahringo@redhat.com>
+Date: Fri, 28 Feb 2025 17:48:51 -0500
+Subject: dlm: fix error if active rsb is not hashed
+
+From: Alexander Aring <aahringo@redhat.com>
+
+commit a3672304abf2a847ac0c54c84842c64c5bfba279 upstream.
+
+If an active rsb is not hashed anymore and this could occur because we
+releases and acquired locks we need to signal the followed code that
+the lookup failed. Since the lookup was successful, but it isn't part of
+the rsb hash anymore we need to signal it by setting error to -EBADR as
+dlm_search_rsb_tree() does it.
+
+Cc: stable@vger.kernel.org
+Fixes: 5be323b0c64d ("dlm: move dlm_search_rsb_tree() out of lock")
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/dlm/lock.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/dlm/lock.c
++++ b/fs/dlm/lock.c
+@@ -741,6 +741,7 @@ static int find_rsb_dir(struct dlm_ls *l
+ read_lock_bh(&ls->ls_rsbtbl_lock);
+ if (!rsb_flag(r, RSB_HASHED)) {
+ read_unlock_bh(&ls->ls_rsbtbl_lock);
++ error = -EBADR;
+ goto do_new;
+ }
+
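Review bot: The `error = -EBADR;` added before `goto do_new` has no comment, and the same assignment is added on the inactive-rsb path by the following patch; both depend on the code at `do_new`, which is outside these hunks, reading `error` to decide that the lookup failed. A comment at each site such as `/* rsb left the hash while the lock was dropped; treat as not found */` would state why a successful lookup is turned into an error.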
--- /dev/null
+From 94e6e889a786dd16542fc8f2a45405fa13e3bbb5 Mon Sep 17 00:00:00 2001
+From: Alexander Aring <aahringo@redhat.com>
+Date: Fri, 28 Feb 2025 17:48:50 -0500
+Subject: dlm: fix error if inactive rsb is not hashed
+
+From: Alexander Aring <aahringo@redhat.com>
+
+commit 94e6e889a786dd16542fc8f2a45405fa13e3bbb5 upstream.
+
+If an inactive rsb is not hashed anymore and this could occur because we
+releases and acquired locks we need to signal the followed code that the
+lookup failed. Since the lookup was successful, but it isn't part of the
+rsb hash anymore we need to signal it by setting error to -EBADR as
+dlm_search_rsb_tree() does it.
+
+Cc: stable@vger.kernel.org
+Fixes: 01fdeca1cc2d ("dlm: use rcu to avoid an extra rsb struct lookup")
+Signed-off-by: Alexander Aring <aahringo@redhat.com>
+Signed-off-by: David Teigland <teigland@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/dlm/lock.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/dlm/lock.c
++++ b/fs/dlm/lock.c
+@@ -784,6 +784,7 @@ static int find_rsb_dir(struct dlm_ls *l
+ }
+ } else {
+ write_unlock_bh(&ls->ls_rsbtbl_lock);
++ error = -EBADR;
+ goto do_new;
+ }
+
--- /dev/null
+From 9c565428788fb9b49066f94ab7b10efc686a0a4c Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Fri, 28 Mar 2025 16:19:07 +0100
+Subject: dm-ebs: fix prefetch-vs-suspend race
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 9c565428788fb9b49066f94ab7b10efc686a0a4c upstream.
+
+There's a possible race condition in dm-ebs - dm bufio prefetch may be in
+progress while the device is suspended. Fix this by calling
+dm_bufio_client_reset in the postsuspend hook.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-ebs-target.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/md/dm-ebs-target.c
++++ b/drivers/md/dm-ebs-target.c
+@@ -390,6 +390,12 @@ static int ebs_map(struct dm_target *ti,
+ return DM_MAPIO_REMAPPED;
+ }
+
++static void ebs_postsuspend(struct dm_target *ti)
++{
++ struct ebs_c *ec = ti->private;
++ dm_bufio_client_reset(ec->bufio);
++}
++
+ static void ebs_status(struct dm_target *ti, status_type_t type,
+ unsigned int status_flags, char *result, unsigned int maxlen)
+ {
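Review bot: ebs_postsuspend() has no comment explaining why the bufio client is reset, and the declaration runs straight into the call without the usual blank line. The commit message gives the reason, a prefetch may still be in progress while the device is suspended, and a line such as `/* Prefetch may still be in flight at suspend; reset the bufio client so none outlives it */` above the call would keep it with the code. What dm_bufio_client_reset() does with buffers that are dirty or under I/O is not visible here, so the wording should be checked against that function.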
+@@ -447,6 +453,7 @@ static struct target_type ebs_target = {
+ .ctr = ebs_ctr,
+ .dtr = ebs_dtr,
+ .map = ebs_map,
++ .postsuspend = ebs_postsuspend,
+ .status = ebs_status,
+ .io_hints = ebs_io_hints,
+ .prepare_ioctl = ebs_prepare_ioctl,
--- /dev/null
+From 8bde1033f9cfc1c08628255cc434c6cf39c9d9ba Mon Sep 17 00:00:00 2001
+From: Jo Van Bulck <jo.vanbulck@kuleuven.be>
+Date: Fri, 28 Mar 2025 16:04:47 +0100
+Subject: dm-integrity: fix non-constant-time tag verification
+
+From: Jo Van Bulck <jo.vanbulck@kuleuven.be>
+
+commit 8bde1033f9cfc1c08628255cc434c6cf39c9d9ba upstream.
+
+When using dm-integrity in standalone mode with a keyed hmac algorithm,
+integrity tags are calculated and verified internally.
+
+Using plain memcmp to compare the stored and computed tags may leak the
+position of the first byte mismatch through side-channel analysis,
+allowing to brute-force expected tags in linear time (e.g., by counting
+single-stepping interrupts in confidential virtual machine environments).
+
+Co-developed-by: Luca Wilke <work@luca-wilke.com>
+Signed-off-by: Luca Wilke <work@luca-wilke.com>
+Signed-off-by: Jo Van Bulck <jo.vanbulck@cs.kuleuven.be>
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-integrity.c | 45 ++++++++++++++++++++++-----------------------
+ 1 file changed, 22 insertions(+), 23 deletions(-)
+
+--- a/drivers/md/dm-integrity.c
++++ b/drivers/md/dm-integrity.c
+@@ -21,6 +21,7 @@
+ #include <linux/reboot.h>
+ #include <crypto/hash.h>
+ #include <crypto/skcipher.h>
++#include <crypto/utils.h>
+ #include <linux/async_tx.h>
+ #include <linux/dm-bufio.h>
+
+@@ -516,7 +517,7 @@ static int sb_mac(struct dm_integrity_c
+ dm_integrity_io_error(ic, "crypto_shash_digest", r);
+ return r;
+ }
+- if (memcmp(mac, actual_mac, mac_size)) {
++ if (crypto_memneq(mac, actual_mac, mac_size)) {
+ dm_integrity_io_error(ic, "superblock mac", -EILSEQ);
+ dm_audit_log_target(DM_MSG_PREFIX, "mac-superblock", ic->ti, 0);
+ return -EILSEQ;
+@@ -859,7 +860,7 @@ static void rw_section_mac(struct dm_int
+ if (likely(wr))
+ memcpy(&js->mac, result + (j * JOURNAL_MAC_PER_SECTOR), JOURNAL_MAC_PER_SECTOR);
+ else {
+- if (memcmp(&js->mac, result + (j * JOURNAL_MAC_PER_SECTOR), JOURNAL_MAC_PER_SECTOR)) {
++ if (crypto_memneq(&js->mac, result + (j * JOURNAL_MAC_PER_SECTOR), JOURNAL_MAC_PER_SECTOR)) {
+ dm_integrity_io_error(ic, "journal mac", -EILSEQ);
+ dm_audit_log_target(DM_MSG_PREFIX, "mac-journal", ic->ti, 0);
+ }
+@@ -1401,10 +1402,9 @@ static bool find_newer_committed_node(st
+ static int dm_integrity_rw_tag(struct dm_integrity_c *ic, unsigned char *tag, sector_t *metadata_block,
+ unsigned int *metadata_offset, unsigned int total_size, int op)
+ {
+-#define MAY_BE_FILLER 1
+-#define MAY_BE_HASH 2
+ unsigned int hash_offset = 0;
+- unsigned int may_be = MAY_BE_HASH | (ic->discard ? MAY_BE_FILLER : 0);
++ unsigned char mismatch_hash = 0;
++ unsigned char mismatch_filler = !ic->discard;
+
+ do {
+ unsigned char *data, *dp;
+@@ -1425,7 +1425,7 @@ static int dm_integrity_rw_tag(struct dm
+ if (op == TAG_READ) {
+ memcpy(tag, dp, to_copy);
+ } else if (op == TAG_WRITE) {
+- if (memcmp(dp, tag, to_copy)) {
++ if (crypto_memneq(dp, tag, to_copy)) {
+ memcpy(dp, tag, to_copy);
+ dm_bufio_mark_partial_buffer_dirty(b, *metadata_offset, *metadata_offset + to_copy);
+ }
+@@ -1433,29 +1433,30 @@ static int dm_integrity_rw_tag(struct dm
+ /* e.g.: op == TAG_CMP */
+
+ if (likely(is_power_of_2(ic->tag_size))) {
+- if (unlikely(memcmp(dp, tag, to_copy)))
+- if (unlikely(!ic->discard) ||
+- unlikely(memchr_inv(dp, DISCARD_FILLER, to_copy) != NULL)) {
+- goto thorough_test;
+- }
++ if (unlikely(crypto_memneq(dp, tag, to_copy)))
++ goto thorough_test;
+ } else {
+ unsigned int i, ts;
+ thorough_test:
+ ts = total_size;
+
+ for (i = 0; i < to_copy; i++, ts--) {
+- if (unlikely(dp[i] != tag[i]))
+- may_be &= ~MAY_BE_HASH;
+- if (likely(dp[i] != DISCARD_FILLER))
+- may_be &= ~MAY_BE_FILLER;
++ /*
++ * Warning: the control flow must not be
++ * dependent on match/mismatch of
++ * individual bytes.
++ */
++ mismatch_hash |= dp[i] ^ tag[i];
++ mismatch_filler |= dp[i] ^ DISCARD_FILLER;
+ hash_offset++;
+ if (unlikely(hash_offset == ic->tag_size)) {
+- if (unlikely(!may_be)) {
++ if (unlikely(mismatch_hash) && unlikely(mismatch_filler)) {
+ dm_bufio_release(b);
+ return ts;
+ }
+ hash_offset = 0;
+- may_be = MAY_BE_HASH | (ic->discard ? MAY_BE_FILLER : 0);
++ mismatch_hash = 0;
++ mismatch_filler = !ic->discard;
+ }
+ }
+ }
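Review bot: The loop under `thorough_test:` accumulates `mismatch_hash` and `mismatch_filler` with plain `|=`, and nothing in the hunk prevents a compiler from turning that accumulation back into a data-dependent early exit, which is exactly what the added warning comment forbids. The kernel's own `crypto_memneq()` guards its accumulator with `OPTIMIZER_HIDE_VAR()` for this reason; adding `OPTIMIZER_HIDE_VAR(mismatch_hash);` and `OPTIMIZER_HIDE_VAR(mismatch_filler);` after the two `|=` lines would make the constant-time intent robust, although the hunk does not show whether current compilers perform such a transformation here. The warning comment would also be more useful if it said why: a per-byte timing difference during tag verification tells an observer how much of a candidate tag matched. The function starts and ends outside this hunk.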
+@@ -1476,8 +1477,6 @@ thorough_test:
+ } while (unlikely(total_size));
+
+ return 0;
+-#undef MAY_BE_FILLER
+-#undef MAY_BE_HASH
+ }
+
+ struct flush_request {
+@@ -2076,7 +2075,7 @@ retry_kmap:
+ char checksums_onstack[MAX_T(size_t, HASH_MAX_DIGESTSIZE, MAX_TAG_SIZE)];
+
+ integrity_sector_checksum(ic, logical_sector, mem + bv.bv_offset, checksums_onstack);
+- if (unlikely(memcmp(checksums_onstack, journal_entry_tag(ic, je), ic->tag_size))) {
++ if (unlikely(crypto_memneq(checksums_onstack, journal_entry_tag(ic, je), ic->tag_size))) {
+ DMERR_LIMIT("Checksum failed when reading from journal, at sector 0x%llx",
+ logical_sector);
+ dm_audit_log_bio(DM_MSG_PREFIX, "journal-checksum",
+@@ -2595,7 +2594,7 @@ static void dm_integrity_inline_recheck(
+ bio_put(outgoing_bio);
+
+ integrity_sector_checksum(ic, dio->bio_details.bi_iter.bi_sector, outgoing_data, digest);
+- if (unlikely(memcmp(digest, dio->integrity_payload, min(crypto_shash_digestsize(ic->internal_hash), ic->tag_size)))) {
++ if (unlikely(crypto_memneq(digest, dio->integrity_payload, min(crypto_shash_digestsize(ic->internal_hash), ic->tag_size)))) {
+ DMERR_LIMIT("%pg: Checksum failed at sector 0x%llx",
+ ic->dev->bdev, dio->bio_details.bi_iter.bi_sector);
+ atomic64_inc(&ic->number_of_mismatches);
+@@ -2634,7 +2633,7 @@ static int dm_integrity_end_io(struct dm
+ char *mem = bvec_kmap_local(&bv);
+ //memset(mem, 0xff, ic->sectors_per_block << SECTOR_SHIFT);
+ integrity_sector_checksum(ic, dio->bio_details.bi_iter.bi_sector, mem, digest);
+- if (unlikely(memcmp(digest, dio->integrity_payload + pos,
++ if (unlikely(crypto_memneq(digest, dio->integrity_payload + pos,
+ min(crypto_shash_digestsize(ic->internal_hash), ic->tag_size)))) {
+ kunmap_local(mem);
+ dm_integrity_free_payload(dio);
+@@ -2911,7 +2910,7 @@ static void do_journal_write(struct dm_i
+
+ integrity_sector_checksum(ic, sec + ((l - j) << ic->sb->log2_sectors_per_block),
+ (char *)access_journal_data(ic, i, l), test_tag);
+- if (unlikely(memcmp(test_tag, journal_entry_tag(ic, je2), ic->tag_size))) {
++ if (unlikely(crypto_memneq(test_tag, journal_entry_tag(ic, je2), ic->tag_size))) {
+ dm_integrity_io_error(ic, "tag mismatch when replaying journal", -EILSEQ);
+ dm_audit_log_target(DM_MSG_PREFIX, "integrity-replay-journal", ic->ti, 0);
+ }
--- /dev/null
+From 00204ae3d6712ee053353920e3ce2b00c35ef75b Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Mon, 10 Feb 2025 16:14:22 +0100
+Subject: dm-integrity: set ti->error on memory allocation failure
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 00204ae3d6712ee053353920e3ce2b00c35ef75b upstream.
+
+The dm-integrity target didn't set the error string when memory
+allocation failed. This patch fixes it.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-integrity.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/md/dm-integrity.c
++++ b/drivers/md/dm-integrity.c
+@@ -5081,16 +5081,19 @@ try_smaller_buffer:
+
+ ic->recalc_bitmap = dm_integrity_alloc_page_list(n_bitmap_pages);
+ if (!ic->recalc_bitmap) {
++ ti->error = "Could not allocate memory for bitmap";
+ r = -ENOMEM;
+ goto bad;
+ }
+ ic->may_write_bitmap = dm_integrity_alloc_page_list(n_bitmap_pages);
+ if (!ic->may_write_bitmap) {
++ ti->error = "Could not allocate memory for bitmap";
+ r = -ENOMEM;
+ goto bad;
+ }
+ ic->bbs = kvmalloc_array(ic->n_bitmap_blocks, sizeof(struct bitmap_block_status), GFP_KERNEL);
+ if (!ic->bbs) {
++ ti->error = "Could not allocate memory for bitmap";
+ r = -ENOMEM;
+ goto bad;
+ }
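Review bot: All three added assignments set the same string, `"Could not allocate memory for bitmap"`, so the table-load error cannot tell which of `recalc_bitmap`, `may_write_bitmap` or `bbs` failed. Distinct messages cost nothing, for example `ti->error = "Could not allocate memory for recalc bitmap";`, `"... for may_write bitmap";` and `"... for bitmap block status";`. The enclosing constructor starts and ends outside this hunk.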
--- /dev/null
+From 2de510fccbca3d1906b55f4be5f1de83fa2424ef Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Fri, 28 Mar 2025 16:17:45 +0100
+Subject: dm-verity: fix prefetch-vs-suspend race
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 2de510fccbca3d1906b55f4be5f1de83fa2424ef upstream.
+
+There's a possible race condition in dm-verity - the prefetch work item
+may race with suspend and it is possible that prefetch continues to run
+while the device is suspended. Fix this by calling flush_workqueue and
+dm_bufio_client_reset in the postsuspend hook.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-verity-target.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/md/dm-verity-target.c
++++ b/drivers/md/dm-verity-target.c
+@@ -796,6 +796,13 @@ static int verity_map(struct dm_target *
+ return DM_MAPIO_SUBMITTED;
+ }
+
++static void verity_postsuspend(struct dm_target *ti)
++{
++ struct dm_verity *v = ti->private;
++ flush_workqueue(v->verify_wq);
++ dm_bufio_client_reset(v->bufio);
++}
++
+ /*
+ * Status: V (valid) or C (corruption found)
+ */
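Review bot: `verity_postsuspend()` has no comment saying why both calls are needed or why they run in this order, and it lacks the blank line that kernel style expects after the declaration of `v`. A short comment above `flush_workqueue(v->verify_wq);` such as `/* wait for queued prefetch work, then reset the bufio client so no prefetch I/O runs while suspended */` would record the race that only the commit message describes at present. Both `v->verify_wq` and `v->bufio` are dereferenced unconditionally; that presumably holds because postsuspend only runs on a fully constructed target, but the hunk does not show it.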
+@@ -1766,6 +1773,7 @@ static struct target_type verity_target
+ .ctr = verity_ctr,
+ .dtr = verity_dtr,
+ .map = verity_map,
++ .postsuspend = verity_postsuspend,
+ .status = verity_status,
+ .prepare_ioctl = verity_prepare_ioctl,
+ .iterate_devices = verity_iterate_devices,
--- /dev/null
+From d72deaf05ac18e421d7e52a6be8966fd6ee185f4 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Date: Wed, 26 Feb 2025 12:29:13 +0100
+Subject: dt-bindings: coresight: qcom,coresight-tpda: Fix too many 'reg'
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+commit d72deaf05ac18e421d7e52a6be8966fd6ee185f4 upstream.
+
+Binding listed variable number of IO addresses without defining them,
+however example DTS code, all in-tree DTS and Linux kernel driver
+mention only one address space, so drop the second to make binding
+precise and correctly describe the hardware.
+
+Fixes: a8fbe1442c2b ("dt-bindings: arm: Adds CoreSight TPDA hardware definitions")
+Cc: stable@vger.kernel.org
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Link: https://lore.kernel.org/r/20250226112914.94361-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/arm/qcom,coresight-tpda.yaml | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/Documentation/devicetree/bindings/arm/qcom,coresight-tpda.yaml
++++ b/Documentation/devicetree/bindings/arm/qcom,coresight-tpda.yaml
+@@ -55,8 +55,7 @@ properties:
+ - const: arm,primecell
+
+ reg:
+- minItems: 1
+- maxItems: 2
++ maxItems: 1
+
+ clocks:
+ maxItems: 1
--- /dev/null
+From 1e4e454223f770748775f211455513c79cb3121e Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Date: Wed, 26 Feb 2025 12:29:14 +0100
+Subject: dt-bindings: coresight: qcom,coresight-tpdm: Fix too many 'reg'
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+commit 1e4e454223f770748775f211455513c79cb3121e upstream.
+
+Binding listed variable number of IO addresses without defining them,
+however example DTS code, all in-tree DTS and Linux kernel driver
+mention only one address space, so drop the second to make binding
+precise and correctly describe the hardware.
+
+Fixes: 6c781a35133d ("dt-bindings: arm: Add CoreSight TPDM hardware")
+Cc: stable@vger.kernel.org
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Link: https://lore.kernel.org/r/20250226112914.94361-2-krzysztof.kozlowski@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/arm/qcom,coresight-tpdm.yaml | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/Documentation/devicetree/bindings/arm/qcom,coresight-tpdm.yaml
++++ b/Documentation/devicetree/bindings/arm/qcom,coresight-tpdm.yaml
+@@ -41,8 +41,7 @@ properties:
+ - const: arm,primecell
+
+ reg:
+- minItems: 1
+- maxItems: 2
++ maxItems: 1
+
+ qcom,dsb-element-bits:
+ description:
--- /dev/null
+From 42ea22e754ba4f2b86f8760ca27f6f71da2d982c Mon Sep 17 00:00:00 2001
+From: zhoumin <teczm@foxmail.com>
+Date: Tue, 1 Apr 2025 01:00:34 +0800
+Subject: ftrace: Add cond_resched() to ftrace_graph_set_hash()
+
+From: zhoumin <teczm@foxmail.com>
+
+commit 42ea22e754ba4f2b86f8760ca27f6f71da2d982c upstream.
+
+When the kernel contains a large number of functions that can be traced,
+the loop in ftrace_graph_set_hash() may take a lot of time to execute.
+This may trigger the softlockup watchdog.
+
+Add cond_resched() within the loop to allow the kernel to remain
+responsive even when processing a large number of functions.
+
+This matches the cond_resched() that is used in other locations of the
+code that iterates over all functions that can be traced.
+
+Cc: stable@vger.kernel.org
+Fixes: b9b0c831bed26 ("ftrace: Convert graph filter to use hash tables")
+Link: https://lore.kernel.org/tencent_3E06CE338692017B5809534B9C5C03DA7705@qq.com
+Signed-off-by: zhoumin <teczm@foxmail.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/ftrace.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -6858,6 +6858,7 @@ ftrace_graph_set_hash(struct ftrace_hash
+ }
+ }
+ }
++ cond_resched();
+ } while_for_each_ftrace_rec();
+
+ return fail ? -EINVAL : 0;
--- /dev/null
+From 04a80a34c22f4db245f553d8696d1318d1c00ece Mon Sep 17 00:00:00 2001
+From: Andy Chiu <andybnac@gmail.com>
+Date: Wed, 9 Apr 2025 00:02:57 +0800
+Subject: ftrace: Properly merge notrace hashes
+
+From: Andy Chiu <andybnac@gmail.com>
+
+commit 04a80a34c22f4db245f553d8696d1318d1c00ece upstream.
+
+The global notrace hash should be jointly decided by the intersection of
+each subops's notrace hash, but not the filter hash.
+
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/20250408160258.48563-1-andybnac@gmail.com
+Fixes: 5fccc7552ccb ("ftrace: Add subops logic to allow one ops to manage many")
+Signed-off-by: Andy Chiu <andybnac@gmail.com>
+[ fixed removing of freeing of filter_hash ]
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/ftrace.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -3542,16 +3542,16 @@ int ftrace_startup_subops(struct ftrace_
+ ftrace_hash_empty(subops->func_hash->notrace_hash)) {
+ notrace_hash = EMPTY_HASH;
+ } else {
+- size_bits = max(ops->func_hash->filter_hash->size_bits,
+- subops->func_hash->filter_hash->size_bits);
++ size_bits = max(ops->func_hash->notrace_hash->size_bits,
++ subops->func_hash->notrace_hash->size_bits);
+ notrace_hash = alloc_ftrace_hash(size_bits);
+ if (!notrace_hash) {
+ free_ftrace_hash(filter_hash);
+ return -ENOMEM;
+ }
+
+- ret = intersect_hash(¬race_hash, ops->func_hash->filter_hash,
+- subops->func_hash->filter_hash);
++ ret = intersect_hash(¬race_hash, ops->func_hash->notrace_hash,
++ subops->func_hash->notrace_hash);
+ if (ret < 0) {
+ free_ftrace_hash(filter_hash);
+ free_ftrace_hash(notrace_hash);
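Review bot: The `else` branch has no comment stating the rule the fix restores, namely that the merged notrace hash is the intersection of the two notrace hashes and must not be derived from the filter hashes. Adding `/* notrace: a function stays excluded only if both ops and subops exclude it */` above the `size_bits = max(...)` line would make a repeat of the copy-paste mistake easier to spot. The `->size_bits` dereferences depend on both notrace hashes being non-NULL, which the condition before the `else` appears to ensure, but its first half lies above the hunk. The `¬race_hash` argument on the two `intersect_hash()` lines looks like an entity-decoding artifact of `&notrace_hash` on this page rather than what the commit contains.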
--- /dev/null
+From 8323f3a69de6f6e96bf22f32dd8e2920766050c2 Mon Sep 17 00:00:00 2001
+From: Guixin Liu <kanie@linux.alibaba.com>
+Date: Thu, 27 Mar 2025 11:23:49 +0800
+Subject: gpio: tegra186: fix resource handling in ACPI probe path
+
+From: Guixin Liu <kanie@linux.alibaba.com>
+
+commit 8323f3a69de6f6e96bf22f32dd8e2920766050c2 upstream.
+
+When the Tegra186 GPIO controller is probed through ACPI matching,
+the driver emits two error messages during probing:
+ "tegra186-gpio NVDA0508:00: invalid resource (null)"
+ "tegra186-gpio NVDA0508:00: invalid resource (null)"
+
+Fix this by getting resource first and then do the ioremap.
+
+Fixes: 2606e7c9f5fc ("gpio: tegra186: Add ACPI support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Guixin Liu <kanie@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20250327032349.78809-1-kanie@linux.alibaba.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-tegra186.c | 27 ++++++++++++++-------------
+ 1 file changed, 14 insertions(+), 13 deletions(-)
+
+--- a/drivers/gpio/gpio-tegra186.c
++++ b/drivers/gpio/gpio-tegra186.c
+@@ -823,6 +823,7 @@ static int tegra186_gpio_probe(struct pl
+ struct gpio_irq_chip *irq;
+ struct tegra_gpio *gpio;
+ struct device_node *np;
++ struct resource *res;
+ char **names;
+ int err;
+
+@@ -842,19 +843,19 @@ static int tegra186_gpio_probe(struct pl
+ gpio->num_banks++;
+
+ /* get register apertures */
+- gpio->secure = devm_platform_ioremap_resource_byname(pdev, "security");
+- if (IS_ERR(gpio->secure)) {
+- gpio->secure = devm_platform_ioremap_resource(pdev, 0);
+- if (IS_ERR(gpio->secure))
+- return PTR_ERR(gpio->secure);
+- }
+-
+- gpio->base = devm_platform_ioremap_resource_byname(pdev, "gpio");
+- if (IS_ERR(gpio->base)) {
+- gpio->base = devm_platform_ioremap_resource(pdev, 1);
+- if (IS_ERR(gpio->base))
+- return PTR_ERR(gpio->base);
+- }
++ res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "security");
++ if (!res)
++ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
++ gpio->secure = devm_ioremap_resource(&pdev->dev, res);
++ if (IS_ERR(gpio->secure))
++ return PTR_ERR(gpio->secure);
++
++ res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "gpio");
++ if (!res)
++ res = platform_get_resource(pdev, IORESOURCE_MEM, 1);
++ gpio->base = devm_ioremap_resource(&pdev->dev, res);
++ if (IS_ERR(gpio->base))
++ return PTR_ERR(gpio->base);
+
+ err = platform_irq_count(pdev);
+ if (err < 0)
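Review bot: When neither the by-name lookup nor the index lookup finds a resource, `res` is NULL on entry to `devm_ioremap_resource()`, and the new code relies on that helper rejecting NULL with an error pointer instead of checking `res` itself. That is the documented behaviour of the helper, but a comment would make the reliance explicit and explain the fallback, for example `/* named apertures are absent with ACPI: fall back to index; a NULL res is rejected by devm_ioremap_resource() */`. The two stanzas for "security" and "gpio" differ only in name, index and destination, so a small static helper taking those three values would remove the duplication. tegra186_gpio_probe() starts and ends outside this hunk.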
--- /dev/null
+From c5672e310ad971d408752fce7596ed27adc6008f Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Date: Sun, 6 Apr 2025 22:22:45 +0200
+Subject: gpio: zynq: Fix wakeup source leaks on device unbind
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+commit c5672e310ad971d408752fce7596ed27adc6008f upstream.
+
+Device can be unbound, so driver must also release memory for the wakeup
+source.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20250406202245.53854-2-krzysztof.kozlowski@linaro.org
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-zynq.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpio/gpio-zynq.c
++++ b/drivers/gpio/gpio-zynq.c
+@@ -1011,6 +1011,7 @@ static void zynq_gpio_remove(struct plat
+ ret = pm_runtime_get_sync(&pdev->dev);
+ if (ret < 0)
+ dev_warn(&pdev->dev, "pm_runtime_get_sync() Failed\n");
++ device_init_wakeup(&pdev->dev, 0);
+ gpiochip_remove(&gpio->chip);
+ device_set_wakeup_capable(&pdev->dev, 0);
+ pm_runtime_disable(&pdev->dev);
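Review bot: The added `device_init_wakeup(&pdev->dev, 0);` makes the existing `device_set_wakeup_capable(&pdev->dev, 0);` two lines later redundant, since `device_init_wakeup()` with a false argument already disables wakeup and clears the capable flag. Dropping the later call, or saying in a comment why both are kept, would avoid the impression that they do different things. The second parameter is a `bool`, so `device_init_wakeup(&pdev->dev, false);` reads better than `0`. zynq_gpio_remove() starts and ends outside this hunk.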
--- /dev/null
+From 15970e1b23f5c25db88c613fddf9131de086f28e Mon Sep 17 00:00:00 2001
+From: Joshua Washington <joshwash@google.com>
+Date: Wed, 2 Apr 2025 00:10:37 +0000
+Subject: gve: handle overflow when reporting TX consumed descriptors
+
+From: Joshua Washington <joshwash@google.com>
+
+commit 15970e1b23f5c25db88c613fddf9131de086f28e upstream.
+
+When the tx tail is less than the head (in cases of wraparound), the TX
+consumed descriptor statistic in DQ will be reported as
+UINT32_MAX - head + tail, which is incorrect. Mask the difference of
+head and tail according to the ring size when reporting the statistic.
+
+Cc: stable@vger.kernel.org
+Fixes: 2c9198356d56 ("gve: Add consumed counts to ethtool stats")
+Signed-off-by: Joshua Washington <joshwash@google.com>
+Signed-off-by: Harshitha Ramamurthy <hramamurthy@google.com>
+Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250402001037.2717315-1-hramamurthy@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/google/gve/gve_ethtool.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/google/gve/gve_ethtool.c
++++ b/drivers/net/ethernet/google/gve/gve_ethtool.c
+@@ -392,7 +392,9 @@ gve_get_ethtool_stats(struct net_device
+ */
+ data[i++] = 0;
+ data[i++] = 0;
+- data[i++] = tx->dqo_tx.tail - tx->dqo_tx.head;
++ data[i++] =
++ (tx->dqo_tx.tail - tx->dqo_tx.head) &
++ tx->mask;
+ }
+ do {
+ start =
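Review bot: The masked subtraction only yields the number of consumed descriptors if the ring size is a power of two and `tx->mask` is that size minus one, and neither assumption is stated at this site. A comment on the new expression would cover it, for example `/* tail may have wrapped below head; mask the difference to the ring size */`. The three-line split of the assignment is also harder to read than `data[i++] = (tx->dqo_tx.tail - tx->dqo_tx.head) & tx->mask;`, which should still fit the line-length limit at this nesting depth, though the original indentation is not visible here. gve_get_ethtool_stats() starts and ends outside this hunk.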
--- /dev/null
+From 459a35111b0a890172a78d51c01b204e13a34a18 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Fri, 14 Mar 2025 19:46:23 -0700
+Subject: KVM: Allow building irqbypass.ko as as module when kvm.ko is a module
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit 459a35111b0a890172a78d51c01b204e13a34a18 upstream.
+
+Convert HAVE_KVM_IRQ_BYPASS into a tristate so that selecting
+IRQ_BYPASS_MANAGER follows KVM={m,y}, i.e. doesn't force irqbypass.ko to
+be built-in.
+
+Note, PPC allows building KVM as a module, but selects HAVE_KVM_IRQ_BYPASS
+from a boolean Kconfig, i.e. KVM PPC unnecessarily forces irqbypass.ko to
+be built-in. But that flaw is a longstanding PPC specific issue.
+
+Fixes: 61df71ee992d ("kvm: move "select IRQ_BYPASS_MANAGER" to common code")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-ID: <20250315024623.2363994-1-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/kvm_host.h | 2 +-
+ virt/kvm/Kconfig | 2 +-
+ virt/kvm/eventfd.c | 10 +++++-----
+ 3 files changed, 7 insertions(+), 7 deletions(-)
+
+--- a/include/linux/kvm_host.h
++++ b/include/linux/kvm_host.h
+@@ -2373,7 +2373,7 @@ static inline bool kvm_is_visible_memslo
+ struct kvm_vcpu *kvm_get_running_vcpu(void);
+ struct kvm_vcpu * __percpu *kvm_get_running_vcpus(void);
+
+-#ifdef CONFIG_HAVE_KVM_IRQ_BYPASS
++#if IS_ENABLED(CONFIG_HAVE_KVM_IRQ_BYPASS)
+ bool kvm_arch_has_irq_bypass(void);
+ int kvm_arch_irq_bypass_add_producer(struct irq_bypass_consumer *,
+ struct irq_bypass_producer *);
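Review bot: Once `HAVE_KVM_IRQ_BYPASS` is a tristate, any `#ifdef CONFIG_HAVE_KVM_IRQ_BYPASS` left unconverted evaluates false when the option is `m`, because only `CONFIG_HAVE_KVM_IRQ_BYPASS_MODULE` is defined in that case. This patch converts the guard here and the five guards in virt/kvm/eventfd.c, but whether architecture code or other headers still test the symbol with `#ifdef` cannot be seen from these hunks and is worth a tree-wide grep before merging. A stale guard would compile silently and drop the bypass registration, so the failure would show up as lost functionality, not as a build error. A short comment next to the Kconfig entry, saying that C code must test the symbol with `IS_ENABLED()`, would help future users.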
+--- a/virt/kvm/Kconfig
++++ b/virt/kvm/Kconfig
+@@ -75,7 +75,7 @@ config KVM_COMPAT
+ depends on KVM && COMPAT && !(S390 || ARM64 || RISCV)
+
+ config HAVE_KVM_IRQ_BYPASS
+- bool
++ tristate
+ select IRQ_BYPASS_MANAGER
+
+ config HAVE_KVM_VCPU_ASYNC_IOCTL
+--- a/virt/kvm/eventfd.c
++++ b/virt/kvm/eventfd.c
+@@ -149,7 +149,7 @@ irqfd_shutdown(struct work_struct *work)
+ /*
+ * It is now safe to release the object's resources
+ */
+-#ifdef CONFIG_HAVE_KVM_IRQ_BYPASS
++#if IS_ENABLED(CONFIG_HAVE_KVM_IRQ_BYPASS)
+ irq_bypass_unregister_consumer(&irqfd->consumer);
+ #endif
+ eventfd_ctx_put(irqfd->eventfd);
+@@ -274,7 +274,7 @@ static void irqfd_update(struct kvm *kvm
+ write_seqcount_end(&irqfd->irq_entry_sc);
+ }
+
+-#ifdef CONFIG_HAVE_KVM_IRQ_BYPASS
++#if IS_ENABLED(CONFIG_HAVE_KVM_IRQ_BYPASS)
+ void __attribute__((weak)) kvm_arch_irq_bypass_stop(
+ struct irq_bypass_consumer *cons)
+ {
+@@ -424,7 +424,7 @@ kvm_irqfd_assign(struct kvm *kvm, struct
+ if (events & EPOLLIN)
+ schedule_work(&irqfd->inject);
+
+-#ifdef CONFIG_HAVE_KVM_IRQ_BYPASS
++#if IS_ENABLED(CONFIG_HAVE_KVM_IRQ_BYPASS)
+ if (kvm_arch_has_irq_bypass()) {
+ irqfd->consumer.token = (void *)irqfd->eventfd;
+ irqfd->consumer.add_producer = kvm_arch_irq_bypass_add_producer;
+@@ -609,14 +609,14 @@ void kvm_irq_routing_update(struct kvm *
+ spin_lock_irq(&kvm->irqfds.lock);
+
+ list_for_each_entry(irqfd, &kvm->irqfds.items, list) {
+-#ifdef CONFIG_HAVE_KVM_IRQ_BYPASS
++#if IS_ENABLED(CONFIG_HAVE_KVM_IRQ_BYPASS)
+ /* Under irqfds.lock, so can read irq_entry safely */
+ struct kvm_kernel_irq_routing_entry old = irqfd->irq_entry;
+ #endif
+
+ irqfd_update(kvm, irqfd);
+
+-#ifdef CONFIG_HAVE_KVM_IRQ_BYPASS
++#if IS_ENABLED(CONFIG_HAVE_KVM_IRQ_BYPASS)
+ if (irqfd->producer &&
+ kvm_arch_irqfd_route_changed(&old, &irqfd->irq_entry)) {
+ int ret = kvm_arch_update_irqfd_routing(
--- /dev/null
+From b4392813bbc3b05fc01a33c64d8b8c6c62c32cfa Mon Sep 17 00:00:00 2001
+From: Amit Machhiwal <amachhiw@linux.ibm.com>
+Date: Thu, 20 Feb 2025 12:30:02 +0530
+Subject: KVM: PPC: Enable CAP_SPAPR_TCE_VFIO on pSeries KVM guests
+
+From: Amit Machhiwal <amachhiw@linux.ibm.com>
+
+commit b4392813bbc3b05fc01a33c64d8b8c6c62c32cfa upstream.
+
+Currently on book3s-hv, the capability KVM_CAP_SPAPR_TCE_VFIO is only
+available for KVM Guests running on PowerNV and not for the KVM guests
+running on pSeries hypervisors. This prevents a pSeries L2 guest from
+leveraging the in-kernel acceleration for H_PUT_TCE_INDIRECT and
+H_STUFF_TCE hcalls that results in slow startup times for large memory
+guests.
+
+Support for VFIO on pSeries was restored in commit f431a8cde7f1
+("powerpc/iommu: Reimplement the iommu_table_group_ops for pSeries"),
+making it possible to re-enable this capability on pSeries hosts.
+
+This change enables KVM_CAP_SPAPR_TCE_VFIO for nested PAPR guests on
+pSeries, while maintaining the existing behavior on PowerNV. Booting an
+L2 guest with 128GB of memory shows an average 11% improvement in
+startup time.
+
+Fixes: f431a8cde7f1 ("powerpc/iommu: Reimplement the iommu_table_group_ops for pSeries")
+Cc: stable@vger.kernel.org
+Reviewed-by: Vaibhav Jain <vaibhav@linux.ibm.com>
+Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
+Signed-off-by: Amit Machhiwal <amachhiw@linux.ibm.com>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/20250220070002.1478849-1-amachhiw@linux.ibm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kvm/powerpc.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/arch/powerpc/kvm/powerpc.c
++++ b/arch/powerpc/kvm/powerpc.c
+@@ -550,12 +550,9 @@ int kvm_vm_ioctl_check_extension(struct
+
+ #ifdef CONFIG_PPC_BOOK3S_64
+ case KVM_CAP_SPAPR_TCE:
++ fallthrough;
+ case KVM_CAP_SPAPR_TCE_64:
+- r = 1;
+- break;
+ case KVM_CAP_SPAPR_TCE_VFIO:
+- r = !!cpu_has_feature(CPU_FTR_HVMODE);
+- break;
+ case KVM_CAP_PPC_RTAS:
+ case KVM_CAP_PPC_FIXUP_HCALL:
+ case KVM_CAP_PPC_ENABLE_HCALL:
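Review bot: The added `fallthrough;` between `case KVM_CAP_SPAPR_TCE:` and `case KVM_CAP_SPAPR_TCE_64:` is unnecessary, because consecutive case labels with no statements between them need no annotation, and it is inconsistent with the following labels, which are stacked without one. Dropping that line leaves a plain list of labels. After this change `KVM_CAP_SPAPR_TCE_VFIO` takes whatever value the shared group assigns to `r`; that assignment lies below the hunk, so the reported result cannot be confirmed from the visible lines. A comment noting that the capability is no longer gated on `CPU_FTR_HVMODE` would help readers comparing against older trees.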
--- /dev/null
+From ef01cac401f18647d62720cf773d7bb0541827da Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Tue, 1 Apr 2025 08:05:04 -0700
+Subject: KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory accesses
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit ef01cac401f18647d62720cf773d7bb0541827da upstream.
+
+Acquire a lock on kvm->srcu when userspace is getting MP state to handle a
+rather extreme edge case where "accepting" APIC events, i.e. processing
+pending INIT or SIPI, can trigger accesses to guest memory. If the vCPU
+is in L2 with INIT *and* a TRIPLE_FAULT request pending, then getting MP
+state will trigger a nested VM-Exit by way of ->check_nested_events(), and
+emulating the nested VM-Exit can access guest memory.
+
+The splat was originally hit by syzkaller on a Google-internal kernel, and
+reproduced on an upstream kernel by hacking the triple_fault_event_test
+selftest to stuff a pending INIT, store an MSR on VM-Exit (to generate a
+memory access on VMX), and do vcpu_mp_state_get() to trigger the scenario.
+
+ =============================
+ WARNING: suspicious RCU usage
+ 6.14.0-rc3-b112d356288b-vmx/pi_lockdep_false_pos-lock #3 Not tainted
+ -----------------------------
+ include/linux/kvm_host.h:1058 suspicious rcu_dereference_check() usage!
+
+ other info that might help us debug this:
+
+ rcu_scheduler_active = 2, debug_locks = 1
+ 1 lock held by triple_fault_ev/1256:
+ #0: ffff88810df5a330 (&vcpu->mutex){+.+.}-{4:4}, at: kvm_vcpu_ioctl+0x8b/0x9a0 [kvm]
+
+ stack backtrace:
+ CPU: 11 UID: 1000 PID: 1256 Comm: triple_fault_ev Not tainted 6.14.0-rc3-b112d356288b-vmx #3
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x7f/0x90
+ lockdep_rcu_suspicious+0x144/0x190
+ kvm_vcpu_gfn_to_memslot+0x156/0x180 [kvm]
+ kvm_vcpu_read_guest+0x3e/0x90 [kvm]
+ read_and_check_msr_entry+0x2e/0x180 [kvm_intel]
+ __nested_vmx_vmexit+0x550/0xde0 [kvm_intel]
+ kvm_check_nested_events+0x1b/0x30 [kvm]
+ kvm_apic_accept_events+0x33/0x100 [kvm]
+ kvm_arch_vcpu_ioctl_get_mpstate+0x30/0x1d0 [kvm]
+ kvm_vcpu_ioctl+0x33e/0x9a0 [kvm]
+ __x64_sys_ioctl+0x8b/0xb0
+ do_syscall_64+0x6c/0x170
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+ </TASK>
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-ID: <20250401150504.829812-1-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/x86.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -11765,6 +11765,8 @@ int kvm_arch_vcpu_ioctl_get_mpstate(stru
+ if (kvm_mpx_supported())
+ kvm_load_guest_fpu(vcpu);
+
++ kvm_vcpu_srcu_read_lock(vcpu);
++
+ r = kvm_apic_accept_events(vcpu);
+ if (r < 0)
+ goto out;
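Review bot: The new `kvm_vcpu_srcu_read_lock(vcpu);` has no comment explaining why an ioctl that only reports MP state needs SRCU protection, and the reason is far from obvious at the call site. Something like `/* kvm_apic_accept_events() can emulate a nested VM-Exit, which may access guest memory */` directly above the lock would carry the commit message's explanation into the code. The matching `kvm_vcpu_srcu_read_unlock(vcpu);` in the next hunk sits under `out:`, so the `goto out` path shown here is balanced; whether any other exit from the function bypasses that label cannot be seen from these hunks.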
+@@ -11778,6 +11780,8 @@ int kvm_arch_vcpu_ioctl_get_mpstate(stru
+ mp_state->mp_state = vcpu->arch.mp_state;
+
+ out:
++ kvm_vcpu_srcu_read_unlock(vcpu);
++
+ if (kvm_mpx_supported())
+ kvm_put_guest_fpu(vcpu);
+ vcpu_put(vcpu);
--- /dev/null
+From bc52ae0a708cb6fa3926d11c88e3c55e1171b4a1 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Fri, 14 Mar 2025 19:41:02 -0700
+Subject: KVM: x86: Explicitly zero-initialize on-stack CPUID unions
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit bc52ae0a708cb6fa3926d11c88e3c55e1171b4a1 upstream.
+
+Explicitly zero/empty-initialize the unions used for PMU related CPUID
+entries, instead of manually zeroing all fields (hopefully), or in the
+case of 0x80000022, relying on the compiler to clobber the uninitialized
+bitfields.
+
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Reviewed-by: Jim Mattson <jmattson@google.com>
+Message-ID: <20250315024102.2361628-1-seanjc@google.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/cpuid.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/arch/x86/kvm/cpuid.c
++++ b/arch/x86/kvm/cpuid.c
+@@ -1053,8 +1053,8 @@ static inline int __do_cpuid_func(struct
+ }
+ break;
+ case 0xa: { /* Architectural Performance Monitoring */
+- union cpuid10_eax eax;
+- union cpuid10_edx edx;
++ union cpuid10_eax eax = { };
++ union cpuid10_edx edx = { };
+
+ if (!enable_pmu || !static_cpu_has(X86_FEATURE_ARCH_PERFMON)) {
+ entry->eax = entry->ebx = entry->ecx = entry->edx = 0;
+@@ -1070,8 +1070,6 @@ static inline int __do_cpuid_func(struct
+
+ if (kvm_pmu_cap.version)
+ edx.split.anythread_deprecated = 1;
+- edx.split.reserved1 = 0;
+- edx.split.reserved2 = 0;
+
+ entry->eax = eax.full;
+ entry->ebx = kvm_pmu_cap.events_mask;
+@@ -1389,7 +1387,7 @@ static inline int __do_cpuid_func(struct
+ break;
+ /* AMD Extended Performance Monitoring and Debug */
+ case 0x80000022: {
+- union cpuid_0x80000022_ebx ebx;
++ union cpuid_0x80000022_ebx ebx = { };
+
+ entry->ecx = entry->edx = 0;
+ if (!enable_pmu || !kvm_cpu_cap_has(X86_FEATURE_PERFMON_V2)) {
--- /dev/null
+From ded40f32b55f7f2f4ed9627dd3c37a1fe89ed8c6 Mon Sep 17 00:00:00 2001
+From: Tudor Ambarus <tudor.ambarus@linaro.org>
+Date: Fri, 17 Jan 2025 14:18:52 +0000
+Subject: scsi: ufs: qcom: fix dev reference leaked through of_qcom_ice_get
+
+From: Tudor Ambarus <tudor.ambarus@linaro.org>
+
+commit ded40f32b55f7f2f4ed9627dd3c37a1fe89ed8c6 upstream.
+
+The driver leaks the device reference taken with
+of_find_device_by_node(). Fix the leak by using devm_of_qcom_ice_get().
+
+Fixes: 56541c7c4468 ("scsi: ufs: ufs-qcom: Switch to the new ICE API")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Abel Vesa <abel.vesa@linaro.org>
+Acked-by: Martin K. Petersen <martin.petersen@oracle.com> # SCSI
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Link: https://lore.kernel.org/r/20250117-qcom-ice-fix-dev-leak-v2-3-1ffa5b6884cb@linaro.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ufs/host/ufs-qcom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/ufs/host/ufs-qcom.c
++++ b/drivers/ufs/host/ufs-qcom.c
+@@ -118,7 +118,7 @@ static int ufs_qcom_ice_init(struct ufs_
+ struct device *dev = hba->dev;
+ struct qcom_ice *ice;
+
+- ice = of_qcom_ice_get(dev);
++ ice = devm_of_qcom_ice_get(dev);
+ if (ice == ERR_PTR(-EOPNOTSUPP)) {
+ dev_warn(dev, "Disabling inline encryption support\n");
+ ice = NULL;
mm-hugetlb-move-hugetlb_sysctl_init-to-the-__init-section.patch
mm-hwpoison-introduce-folio_contain_hwpoisoned_page-helper.patch
sctp-detect-and-prevent-references-to-a-freed-transport-in-sendmsg.patch
+x86-xen-fix-balloon-target-initialization-for-pvh-dom0.patch
+tracing-fprobe-events-fix-possible-uaf-on-modules.patch
+tracing-do-not-add-length-to-print-format-in-synthetic-events.patch
+thermal-drivers-rockchip-add-missing-rk3328-mapping-entry.patch
+cifs-propagate-min-offload-along-with-other-parameters-from-primary-to-secondary-channels.patch
+cifs-avoid-null-pointer-dereference-in-dbg-call.patch
+cifs-fix-integer-overflow-in-match_server.patch
+cifs-ensure-that-all-non-client-specific-reparse-points-are-processed-by-the-server.patch
+clk-renesas-r9a07g043-fix-hp-clock-source-for-rz-five.patch
+clk-qcom-clk-branch-fix-invert-halt-status-bit-check-for-votable-clocks.patch
+clk-qcom-gdsc-release-pm-subdomains-in-reverse-add-order.patch
+clk-qcom-gdsc-capture-pm_genpd_add_subdomain-result-code.patch
+clk-qcom-gdsc-set-retain_ff-before-moving-to-hw-ctrl.patch
+crypto-ccp-fix-check-for-the-primary-asp-device.patch
+crypto-ccp-fix-uapi-definitions-of-psp-errors.patch
+dlm-fix-error-if-inactive-rsb-is-not-hashed.patch
+dlm-fix-error-if-active-rsb-is-not-hashed.patch
+dm-ebs-fix-prefetch-vs-suspend-race.patch
+dm-integrity-set-ti-error-on-memory-allocation-failure.patch
+dm-integrity-fix-non-constant-time-tag-verification.patch
+dm-verity-fix-prefetch-vs-suspend-race.patch
+dt-bindings-coresight-qcom-coresight-tpda-fix-too-many-reg.patch
+dt-bindings-coresight-qcom-coresight-tpdm-fix-too-many-reg.patch
+ftrace-add-cond_resched-to-ftrace_graph_set_hash.patch
+ftrace-properly-merge-notrace-hashes.patch
+gpio-tegra186-fix-resource-handling-in-acpi-probe-path.patch
+gpio-zynq-fix-wakeup-source-leaks-on-device-unbind.patch
+gve-handle-overflow-when-reporting-tx-consumed-descriptors.patch
+kvm-allow-building-irqbypass.ko-as-as-module-when-kvm.ko-is-a-module.patch
+kvm-ppc-enable-cap_spapr_tce_vfio-on-pseries-kvm-guests.patch
+kvm-x86-explicitly-zero-initialize-on-stack-cpuid-unions.patch
+kvm-x86-acquire-srcu-in-kvm_get_mp_state-to-protect-guest-memory-accesses.patch
+scsi-ufs-qcom-fix-dev-reference-leaked-through-of_qcom_ice_get.patch
--- /dev/null
+From ee022e5cae052e0c67ca7c5fec0f2e7bc897c70e Mon Sep 17 00:00:00 2001
+From: Trevor Woerner <twoerner@gmail.com>
+Date: Fri, 7 Feb 2025 12:50:47 -0500
+Subject: thermal/drivers/rockchip: Add missing rk3328 mapping entry
+
+From: Trevor Woerner <twoerner@gmail.com>
+
+commit ee022e5cae052e0c67ca7c5fec0f2e7bc897c70e upstream.
+
+The mapping table for the rk3328 is missing the entry for -25C which is
+found in the TRM section 9.5.2 "Temperature-to-code mapping".
+
+NOTE: the kernel uses the tsadc_q_sel=1'b1 mode which is defined as:
+ 4096-<code in table>. Whereas the table in the TRM gives the code
+ "3774" for -25C, the kernel uses 4096-3774=322.
+
+[Dragan Simic] : "After going through the RK3308 and RK3328 TRMs, as
+ well as through the downstream kernel code, it seems we may have
+ some troubles at our hands. Let me explain, please.
+
+ To sum it up, part 1 of the RK3308 TRM v1.1 says on page 538 that
+ the equation for the output when tsadc_q_sel equals 1 is (4096 -
+ tsadc_q), while part 1 of the RK3328 TRM v1.2 says that the output
+ equation is (1024 - tsadc_q) in that case.
+
+ The downstream kernel code, however, treats the RK3308 and RK3328
+ tables and their values as being the same. It even mentions 1024 as
+ the "offset" value in a comment block for the rk_tsadcv3_control()
+ function, just like the upstream code does, which is obviously wrong
+ "offset" value when correlated with the table on page 544 of part 1
+ of the RK3308 TRM v1.1.
+
+ With all this in mind, it's obvious that more work is needed to make
+ it clear where's the actual mistake (it could be that the TRM is
+ wrong), which I'll volunteer for as part of the SoC binning project.
+ In the meantime, this patch looks fine as-is to me, by offering
+ what's a clear improvement to the current state of the upstream
+ code"
+
+Link: https://opensource.rock-chips.com/images/9/97/Rockchip_RK3328TRM_V1.1-Part1-20170321.pdf
+Cc: stable@vger.kernel.org
+Fixes: eda519d5f73e ("thermal: rockchip: Support the RK3328 SOC in thermal driver")
+Signed-off-by: Trevor Woerner <twoerner@gmail.com>
+Reviewed-by: Dragan Simic <dsimic@manjaro.org>
+Link: https://lore.kernel.org/r/20250207175048.35959-1-twoerner@gmail.com
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thermal/rockchip_thermal.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/thermal/rockchip_thermal.c
++++ b/drivers/thermal/rockchip_thermal.c
+@@ -386,6 +386,7 @@ static const struct tsadc_table rk3328_c
+ {296, -40000},
+ {304, -35000},
+ {313, -30000},
++ {322, -25000},
+ {331, -20000},
+ {340, -15000},
+ {349, -10000},
--- /dev/null
+From e1a453a57bc76be678bd746f84e3d73f378a9511 Mon Sep 17 00:00:00 2001
+From: Steven Rostedt <rostedt@goodmis.org>
+Date: Mon, 7 Apr 2025 15:41:39 -0400
+Subject: tracing: Do not add length to print format in synthetic events
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+commit e1a453a57bc76be678bd746f84e3d73f378a9511 upstream.
+
+The following causes a vsnprintf fault:
+
+ # echo 's:wake_lat char[] wakee; u64 delta;' >> /sys/kernel/tracing/dynamic_events
+ # echo 'hist:keys=pid:ts=common_timestamp.usecs if !(common_flags & 0x18)' > /sys/kernel/tracing/events/sched/sched_waking/trigger
+ # echo 'hist:keys=next_pid:delta=common_timestamp.usecs-$ts:onmatch(sched.sched_waking).trace(wake_lat,next_comm,$delta)' > /sys/kernel/tracing/events/sched/sched_switch/trigger
+
+Because the synthetic event's "wakee" field is created as a dynamic string
+(even though the string copied is not). The print format to print the
+dynamic string changed from "%*s" to "%s" because another location
+(__set_synth_event_print_fmt()) exported this to user space, and user
+space did not need that. But it is still used in print_synth_event(), and
+the output looks like:
+
+ <idle>-0 [001] d..5. 193.428167: wake_lat: wakee=(efault)sshd-sessiondelta=155
+ sshd-session-879 [001] d..5. 193.811080: wake_lat: wakee=(efault)kworker/u34:5delta=58
+ <idle>-0 [002] d..5. 193.811198: wake_lat: wakee=(efault)bashdelta=91
+ bash-880 [002] d..5. 193.811371: wake_lat: wakee=(efault)kworker/u35:2delta=21
+ <idle>-0 [001] d..5. 193.811516: wake_lat: wakee=(efault)sshd-sessiondelta=129
+ sshd-session-879 [001] d..5. 193.967576: wake_lat: wakee=(efault)kworker/u34:5delta=50
+
+The length isn't needed as the string is always nul terminated. Just print
+the string and not add the length (which was hard coded to the max string
+length anyway).
+
+Cc: stable@vger.kernel.org
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: Tom Zanussi <zanussi@kernel.org>
+Cc: Douglas Raillard <douglas.raillard@arm.com>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Link: https://lore.kernel.org/20250407154139.69955768@gandalf.local.home
+Fixes: 4d38328eb442d ("tracing: Fix synth event printk format for str fields");
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_events_synth.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/kernel/trace/trace_events_synth.c
++++ b/kernel/trace/trace_events_synth.c
+@@ -377,7 +377,6 @@ static enum print_line_t print_synth_eve
+ union trace_synth_field *data = &entry->fields[n_u64];
+
+ trace_seq_printf(s, print_fmt, se->fields[i]->name,
+- STR_VAR_LEN_MAX,
+ (char *)entry + data->as_dynamic.offset,
+ i == se->n_fields - 1 ? "" : " ");
+ n_u64++;
--- /dev/null
+From dd941507a9486252d6fcf11814387666792020f3 Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
+Date: Mon, 31 Mar 2025 23:05:07 +0900
+Subject: tracing: fprobe events: Fix possible UAF on modules
+
+From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+
+commit dd941507a9486252d6fcf11814387666792020f3 upstream.
+
+Commit ac91052f0ae5 ("tracing: tprobe-events: Fix leakage of module
+refcount") moved try_module_get() from __find_tracepoint_module_cb()
+to find_tracepoint() caller, but that introduced a possible UAF
+because the module can be unloaded before try_module_get(). In this
+case, the module object should be freed too. Thus, try_module_get()
+does not only fail but may access to the freed object.
+
+To avoid that, try_module_get() in __find_tracepoint_module_cb()
+again.
+
+Link: https://lore.kernel.org/all/174342990779.781946.9138388479067729366.stgit@devnote2/
+
+Fixes: ac91052f0ae5 ("tracing: tprobe-events: Fix leakage of module refcount")
+Cc: stable@vger.kernel.org
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_fprobe.c | 26 +++++++++++++++++---------
+ 1 file changed, 17 insertions(+), 9 deletions(-)
+
+--- a/kernel/trace/trace_fprobe.c
++++ b/kernel/trace/trace_fprobe.c
+@@ -888,9 +888,15 @@ static void __find_tracepoint_module_cb(
+ struct __find_tracepoint_cb_data *data = priv;
+
+ if (!data->tpoint && !strcmp(data->tp_name, tp->name)) {
+- data->tpoint = tp;
+- if (!data->mod)
++ /* If module is not specified, try getting module refcount. */
++ if (!data->mod && mod) {
++ /* If failed to get refcount, ignore this tracepoint. */
++ if (!try_module_get(mod))
++ return;
++
+ data->mod = mod;
++ }
++ data->tpoint = tp;
+ }
+ }
+
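Review bot: After this change `data->mod` carries two meanings inside `__find_tracepoint_module_cb()`, and the only comment in the callback covers one of them. When it is NULL on entry, the callback pins `mod` with `try_module_get()` and stores it. When the caller pre-set it, no reference is taken and the value is left as is. The ownership rule is documented at the two wrappers in later hunks, but a reader of the callback has to reconstruct it. I would add a comment above the function, for example `/* Takes a reference on @mod only when data->mod was NULL on entry; a caller-supplied data->mod is not pinned here. */`. The function's signature and opening brace lie outside this hunk, and the paths that must call `module_put()` on the returned module are not visible here, so they are worth checking against this rule.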
+@@ -902,7 +908,11 @@ static void __find_tracepoint_cb(struct
+ data->tpoint = tp;
+ }
+
+-/* Find a tracepoint from kernel and module. */
++/*
++ * Find a tracepoint from kernel and module. If the tracepoint is on the module,
++ * the module's refcount is incremented and returned as *@tp_mod. Thus, if it is
++ * not NULL, caller must call module_put(*tp_mod) after used the tracepoint.
++ */
+ static struct tracepoint *find_tracepoint(const char *tp_name,
+ struct module **tp_mod)
+ {
+@@ -931,7 +941,10 @@ static void reenable_trace_fprobe(struct
+ }
+ }
+
+-/* Find a tracepoint from specified module. */
++/*
++ * Find a tracepoint from specified module. In this case, this does not get the
++ * module's refcount. The caller must ensure the module is not freed.
++ */
+ static struct tracepoint *find_tracepoint_in_module(struct module *mod,
+ const char *tp_name)
+ {
+@@ -1167,11 +1180,6 @@ static int __trace_fprobe_create(int arg
+ if (is_tracepoint) {
+ ctx.flags |= TPARG_FL_TPOINT;
+ tpoint = find_tracepoint(symbol, &tp_mod);
+- /* lock module until register this tprobe. */
+- if (tp_mod && !try_module_get(tp_mod)) {
+- tpoint = NULL;
+- tp_mod = NULL;
+- }
+ if (tpoint) {
+ ctx.funcname = kallsyms_lookup(
+ (unsigned long)tpoint->probestub,
--- /dev/null
+From 87af633689ce16ddb166c80f32b120e50b1295de Mon Sep 17 00:00:00 2001
+From: Roger Pau Monne <roger.pau@citrix.com>
+Date: Mon, 7 Apr 2025 10:28:37 +0200
+Subject: x86/xen: fix balloon target initialization for PVH dom0
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Roger Pau Monne <roger.pau@citrix.com>
+
+commit 87af633689ce16ddb166c80f32b120e50b1295de upstream.
+
+PVH dom0 re-uses logic from PV dom0, in which RAM ranges not assigned to
+dom0 are re-used as scratch memory to map foreign and grant pages. Such
+logic relies on reporting those unpopulated ranges as RAM to Linux, and
+mark them as reserved. This way Linux creates the underlying page
+structures required for metadata management.
+
+Such approach works fine on PV because the initial balloon target is
+calculated using specific Xen data, that doesn't take into account the
+memory type changes described above. However on HVM and PVH the initial
+balloon target is calculated using get_num_physpages(), and that function
+does take into account the unpopulated RAM regions used as scratch space
+for remote domain mappings.
+
+This leads to PVH dom0 having an incorrect initial balloon target, which
+causes malfunction (excessive memory freeing) of the balloon driver if the
+dom0 memory target is later adjusted from the toolstack.
+
+Fix this by using xen_released_pages to account for any pages that are part
+of the memory map, but are already unpopulated when the balloon driver is
+initialized. This accounts for any regions used for scratch remote
+mappings. Note on x86 xen_released_pages definition is moved to
+enlighten.c so it's uniformly available for all Xen-enabled builds.
+
+Take the opportunity to unify PV with PVH/HVM guests regarding the usage of
+get_num_physpages(), as that avoids having to add different logic for PV vs
+PVH in both balloon_add_regions() and arch_xen_unpopulated_init().
+
+Much like a6aa4eb994ee, the code in this changeset should have been part of
+38620fc4e893.
+
+Fixes: a6aa4eb994ee ('xen/x86: add extra pages to unpopulated-alloc if available')
+Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Message-ID: <20250407082838.65495-1-roger.pau@citrix.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/xen/enlighten.c | 10 ++++++++++
+ arch/x86/xen/setup.c | 3 ---
+ drivers/xen/balloon.c | 34 ++++++++++++++++++++++++----------
+ 3 files changed, 34 insertions(+), 13 deletions(-)
+
+--- a/arch/x86/xen/enlighten.c
++++ b/arch/x86/xen/enlighten.c
+@@ -70,6 +70,9 @@ EXPORT_SYMBOL(xen_start_flags);
+ */
+ struct shared_info *HYPERVISOR_shared_info = &xen_dummy_shared_info;
+
++/* Number of pages released from the initial allocation. */
++unsigned long xen_released_pages;
++
+ static __ref void xen_get_vendor(void)
+ {
+ init_cpu_devs();
+@@ -466,6 +469,13 @@ int __init arch_xen_unpopulated_init(str
+ xen_free_unpopulated_pages(1, &pg);
+ }
+
++ /*
++ * Account for the region being in the physmap but unpopulated.
++ * The value in xen_released_pages is used by the balloon
++ * driver to know how much of the physmap is unpopulated and
++ * set an accurate initial memory target.
++ */
++ xen_released_pages += xen_extra_mem[i].n_pfns;
+ /* Zero so region is not also added to the balloon driver. */
+ xen_extra_mem[i].n_pfns = 0;
+ }
+--- a/arch/x86/xen/setup.c
++++ b/arch/x86/xen/setup.c
+@@ -37,9 +37,6 @@
+
+ #define GB(x) ((uint64_t)(x) * 1024 * 1024 * 1024)
+
+-/* Number of pages released from the initial allocation. */
+-unsigned long xen_released_pages;
+-
+ /* Memory map would allow PCI passthrough. */
+ bool xen_pv_pci_possible;
+
+--- a/drivers/xen/balloon.c
++++ b/drivers/xen/balloon.c
+@@ -675,7 +675,7 @@ void xen_free_ballooned_pages(unsigned i
+ }
+ EXPORT_SYMBOL(xen_free_ballooned_pages);
+
+-static void __init balloon_add_regions(void)
++static int __init balloon_add_regions(void)
+ {
+ unsigned long start_pfn, pages;
+ unsigned long pfn, extra_pfn_end;
+@@ -698,26 +698,38 @@ static void __init balloon_add_regions(v
+ for (pfn = start_pfn; pfn < extra_pfn_end; pfn++)
+ balloon_append(pfn_to_page(pfn));
+
+- balloon_stats.total_pages += extra_pfn_end - start_pfn;
++ /*
++ * Extra regions are accounted for in the physmap, but need
++ * decreasing from current_pages to balloon down the initial
++ * allocation, because they are already accounted for in
++ * total_pages.
++ */
++ if (extra_pfn_end - start_pfn >= balloon_stats.current_pages) {
++ WARN(1, "Extra pages underflow current target");
++ return -ERANGE;
++ }
++ balloon_stats.current_pages -= extra_pfn_end - start_pfn;
+ }
++
++ return 0;
+ }
+
+ static int __init balloon_init(void)
+ {
+ struct task_struct *task;
++ int rc;
+
+ if (!xen_domain())
+ return -ENODEV;
+
+ pr_info("Initialising balloon driver\n");
+
+-#ifdef CONFIG_XEN_PV
+- balloon_stats.current_pages = xen_pv_domain()
+- ? min(xen_start_info->nr_pages - xen_released_pages, max_pfn)
+- : get_num_physpages();
+-#else
+- balloon_stats.current_pages = get_num_physpages();
+-#endif
++ if (xen_released_pages >= get_num_physpages()) {
++ WARN(1, "Released pages underflow current target");
++ return -ERANGE;
++ }
++
++ balloon_stats.current_pages = get_num_physpages() - xen_released_pages;
+ balloon_stats.target_pages = balloon_stats.current_pages;
+ balloon_stats.balloon_low = 0;
+ balloon_stats.balloon_high = 0;
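Review bot: In `balloon_add_regions()` the new range check runs after the `balloon_append()` loop, so the -ERANGE path returns with the region's pages already appended and `current_pages` not reduced for them. Presumably that leaves the accounting half-applied for a driver whose init then fails. Moving the test `extra_pfn_end - start_pfn >= balloon_stats.current_pages` above the `for (pfn = start_pfn; ...)` loop would make the error path leave the region untouched. Both `WARN(1, ...)` strings in this hunk also lack the trailing `\n` that kernel log messages normally carry. The start of `balloon_add_regions()` and the rest of `balloon_init()` are outside this hunk.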
+@@ -734,7 +746,9 @@ static int __init balloon_init(void)
+ register_sysctl_init("xen/balloon", balloon_table);
+ #endif
+
+- balloon_add_regions();
++ rc = balloon_add_regions();
++ if (rc)
++ return rc;
+
+ task = kthread_run(balloon_thread, NULL, "xen-balloon");
+ if (IS_ERR(task)) {
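Review bot: The new `return rc` exits `balloon_init()` after the context line `register_sysctl_init("xen/balloon", balloon_table)` has already run when its `#ifdef` is enabled. A failed init therefore leaves that table registered, along with whatever the lines between the two hunks set up, which are not visible here. Calling `balloon_add_regions()` before those registrations would avoid the question. If the early return is meant to skip unwinding, say so at the site, for example `/* Registrations above are intentionally left in place on failure. */`. The body of `balloon_init()` continues past the end of this hunk.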