7.0-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 15 Jun 2026 04:18:11 +0000 (06:18 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 15 Jun 2026 04:18:11 +0000 (06:18 +0200)
added patches:
accel-ivpu-add-bounds-check-for-firmware-runtime-memory.patch
accel-ivpu-add-bounds-checks-for-firmware-log-indices.patch
accel-ivpu-add-buffer-overflow-check-in-ms-get_info_ioctl.patch
accel-ivpu-fix-signed-integer-truncation-in-ipc-receive.patch
arm-do-not-select-have_rust-when-kasan-is-enabled.patch
bluetooth-hci_sync-reject-oversized-broadcast-announcement-prepend.patch
bluetooth-l2cap-reject-br-edr-signaling-packets-over-mtusig.patch
cfi-include-uaccess.h-for-get_kernel_nofault.patch
cgroup-cpuset-use-effective_xcpus-in-partcmd_update-add-del-mask-calculation.patch
drm-i915-gem-fix-phys-bo-pread-pwrite-with-offset.patch
firmware-stratix10-rsu-fix-null-deref-on-rsu_send_msg-timeout-in-probe.patch
firmware-stratix10-svc-don-t-fail-probe-when-async-ops-unsupported.patch
firmware-stratix10-svc-return-eopnotsupp-when-atf-async-unsupported.patch
hv_netvsc-use-kmap_local_page-in-netvsc_copy_to_send_buf.patch
kvm-arm64-correctly-identify-executable-ptes-at-stage-2.patch
kvm-arm64-nv-fix-handling-of-xn-when-feat_xnx.patch
kvm-arm64-restore-por_el0-access-to-host-el0.patch
kvm-don-t-warn-if-memory-is-dirtied-without-a-vcpu-when-the-vm-is-dying.patch
kvm-sev-decouple-the-need-to-sync-the-ghcb-sa-from-the-need-to-free-the-sa.patch
mm-memory-failure-fix-hugetlb_lock-aa-deadlock-in-get_huge_page_for_hwpoison.patch
mmc-litex_mmc-use-div_round_up-for-more-accurate-clock-calculation.patch
mshv-add-a-missing-padding-field.patch
namespace-restrict-open_tree_namespace-fsmount_namespace-to-directories.patch
netfilter-nft_meta_bridge-fix-stale-stack-leak-via-iifhwaddr-register.patch
netfilter-nft_tunnel-fix-use-after-free-on-object-destroy.patch
pinctrl-mcp23s08-initialize-mcp-dev-and-mcp-addr-before-regmap-init.patch
revert-drm-xe-nvls-define-guc-firmware-for-nvl-s.patch
revert-drm-xe-skip-exec-queue-schedule-toggle-if-queue-is-idle-during-suspend.patch
rust-arm64-set-uwtable-llvm-module-flag-for-config_unwind_tables.patch
rust-kasan-kbuild-fix-rustc-option-when-cross-compiling.patch
rust-x86-support-rust-1.98.0-target-spec.patch
soc-qcom-ice-fix-race-between-qcom_ice_probe-and-of_qcom_ice_get.patch
tee-shm-fix-shm-leak-in-register_shm_helper.patch
tracing-fix-cfi-violation-in-probestub-being-called-by-tprobes.patch
tracing-probes-point-the-error-offset-correctly-for-eprobe-argument-error.patch

36 files changed:
queue-7.0/accel-ivpu-add-bounds-check-for-firmware-runtime-memory.patch [new file with mode: 0644]
queue-7.0/accel-ivpu-add-bounds-checks-for-firmware-log-indices.patch [new file with mode: 0644]
queue-7.0/accel-ivpu-add-buffer-overflow-check-in-ms-get_info_ioctl.patch [new file with mode: 0644]
queue-7.0/accel-ivpu-fix-signed-integer-truncation-in-ipc-receive.patch [new file with mode: 0644]
queue-7.0/arm-do-not-select-have_rust-when-kasan-is-enabled.patch [new file with mode: 0644]
queue-7.0/bluetooth-hci_sync-reject-oversized-broadcast-announcement-prepend.patch [new file with mode: 0644]
queue-7.0/bluetooth-l2cap-reject-br-edr-signaling-packets-over-mtusig.patch [new file with mode: 0644]
queue-7.0/cfi-include-uaccess.h-for-get_kernel_nofault.patch [new file with mode: 0644]
queue-7.0/cgroup-cpuset-use-effective_xcpus-in-partcmd_update-add-del-mask-calculation.patch [new file with mode: 0644]
queue-7.0/drm-i915-gem-fix-phys-bo-pread-pwrite-with-offset.patch [new file with mode: 0644]
queue-7.0/firmware-stratix10-rsu-fix-null-deref-on-rsu_send_msg-timeout-in-probe.patch [new file with mode: 0644]
queue-7.0/firmware-stratix10-svc-don-t-fail-probe-when-async-ops-unsupported.patch [new file with mode: 0644]
queue-7.0/firmware-stratix10-svc-return-eopnotsupp-when-atf-async-unsupported.patch [new file with mode: 0644]
queue-7.0/hv_netvsc-use-kmap_local_page-in-netvsc_copy_to_send_buf.patch [new file with mode: 0644]
queue-7.0/kvm-arm64-correctly-identify-executable-ptes-at-stage-2.patch [new file with mode: 0644]
queue-7.0/kvm-arm64-nv-fix-handling-of-xn-when-feat_xnx.patch [new file with mode: 0644]
queue-7.0/kvm-arm64-restore-por_el0-access-to-host-el0.patch [new file with mode: 0644]
queue-7.0/kvm-don-t-warn-if-memory-is-dirtied-without-a-vcpu-when-the-vm-is-dying.patch [new file with mode: 0644]
queue-7.0/kvm-sev-decouple-the-need-to-sync-the-ghcb-sa-from-the-need-to-free-the-sa.patch [new file with mode: 0644]
queue-7.0/mm-memory-failure-fix-hugetlb_lock-aa-deadlock-in-get_huge_page_for_hwpoison.patch [new file with mode: 0644]
queue-7.0/mmc-litex_mmc-use-div_round_up-for-more-accurate-clock-calculation.patch [new file with mode: 0644]
queue-7.0/mshv-add-a-missing-padding-field.patch [new file with mode: 0644]
queue-7.0/namespace-restrict-open_tree_namespace-fsmount_namespace-to-directories.patch [new file with mode: 0644]
queue-7.0/netfilter-nft_meta_bridge-fix-stale-stack-leak-via-iifhwaddr-register.patch [new file with mode: 0644]
queue-7.0/netfilter-nft_tunnel-fix-use-after-free-on-object-destroy.patch [new file with mode: 0644]
queue-7.0/pinctrl-mcp23s08-initialize-mcp-dev-and-mcp-addr-before-regmap-init.patch [new file with mode: 0644]
queue-7.0/revert-drm-xe-nvls-define-guc-firmware-for-nvl-s.patch [new file with mode: 0644]
queue-7.0/revert-drm-xe-skip-exec-queue-schedule-toggle-if-queue-is-idle-during-suspend.patch [new file with mode: 0644]
queue-7.0/rust-arm64-set-uwtable-llvm-module-flag-for-config_unwind_tables.patch [new file with mode: 0644]
queue-7.0/rust-kasan-kbuild-fix-rustc-option-when-cross-compiling.patch [new file with mode: 0644]
queue-7.0/rust-x86-support-rust-1.98.0-target-spec.patch [new file with mode: 0644]
queue-7.0/series
queue-7.0/soc-qcom-ice-fix-race-between-qcom_ice_probe-and-of_qcom_ice_get.patch [new file with mode: 0644]
queue-7.0/tee-shm-fix-shm-leak-in-register_shm_helper.patch [new file with mode: 0644]
queue-7.0/tracing-fix-cfi-violation-in-probestub-being-called-by-tprobes.patch [new file with mode: 0644]
queue-7.0/tracing-probes-point-the-error-offset-correctly-for-eprobe-argument-error.patch [new file with mode: 0644]

diff --git a/queue-7.0/accel-ivpu-add-bounds-check-for-firmware-runtime-memory.patch b/queue-7.0/accel-ivpu-add-bounds-check-for-firmware-runtime-memory.patch
new file mode 100644 (file)
index 0000000..4c23429
--- /dev/null
@@ -0,0 +1,54 @@
+From 1d0b597facdd3c0239c88e8797c1014e1ea0ef15 Mon Sep 17 00:00:00 2001
+From: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
+Date: Fri, 29 May 2026 14:08:53 +0200
+Subject: accel/ivpu: Add bounds check for firmware runtime memory
+
+From: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
+
+commit 1d0b597facdd3c0239c88e8797c1014e1ea0ef15 upstream.
+
+Validate that the firmware runtime memory specified in the image
+header is properly aligned and sized to hold the firmware image.
+This prevents errors during memory allocation and image transfer.
+
+Fixes: 2007e210b6a1 ("accel/ivpu: Split FW runtime and global memory buffers")
+Cc: stable@vger.kernel.org # v7.0+
+Signed-off-by: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
+Reviewed-by: Karol Wachowski <karol.wachowski@linux.intel.com>
+Signed-off-by: Karol Wachowski <karol.wachowski@linux.intel.com>
+Link: https://patch.msgid.link/20260529120853.135876-1-andrzej.kacprowski@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/accel/ivpu/ivpu_fw.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/drivers/accel/ivpu/ivpu_fw.c b/drivers/accel/ivpu/ivpu_fw.c
+index 107f8ad31050..33c50779c06b 100644
+--- a/drivers/accel/ivpu/ivpu_fw.c
++++ b/drivers/accel/ivpu/ivpu_fw.c
+@@ -259,6 +259,22 @@ static int ivpu_fw_parse(struct ivpu_device *vdev)
+               return -EINVAL;
+       }
++      if (!PAGE_ALIGNED(runtime_addr)) {
++              ivpu_err(vdev, "Runtime address 0x%llx not page aligned\n", runtime_addr);
++              return -EINVAL;
++      }
++
++      if (!PAGE_ALIGNED(runtime_size)) {
++              ivpu_err(vdev, "Runtime size %llu not page aligned\n", runtime_size);
++              return -EINVAL;
++      }
++
++      if (runtime_size < image_size) {
++              ivpu_err(vdev, "Runtime size too small: %llu, image size: %llu\n",
++                       runtime_size, image_size);
++              return -EINVAL;
++      }
++
+       if (!ivpu_is_within_range(image_load_addr, image_size, &vdev->hw->ranges.runtime)) {
+               ivpu_err(vdev, "Invalid firmware load address: 0x%llx and size %llu\n",
+                        image_load_addr, image_size);
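Review bot: The new `runtime_size < image_size` test in ivpu_fw_parse() compares the two sizes only, so it does not by itself place the image inside the header's runtime region when `image_load_addr` lies above `runtime_addr`. The `ivpu_is_within_range()` call that follows checks `image_load_addr`/`image_size` against `vdev->hw->ranges.runtime`, not against `runtime_addr`/`runtime_size`. If nothing earlier in the function (outside this hunk) ties the two together, a guard after the size test such as `if (image_load_addr < runtime_addr || image_load_addr - runtime_addr > runtime_size - image_size) return -EINVAL;` would close that gap without an addition that can wrap. A comment above the three checks, `/* runtime_addr, runtime_size and image_size come from the firmware image header and are not trusted */`, would also record why they are validated here.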
+-- 
+2.54.0
+
diff --git a/queue-7.0/accel-ivpu-add-bounds-checks-for-firmware-log-indices.patch b/queue-7.0/accel-ivpu-add-bounds-checks-for-firmware-log-indices.patch
new file mode 100644 (file)
index 0000000..1c17aab
--- /dev/null
@@ -0,0 +1,42 @@
+From dd1311bcf0e62f0c515115f46a3813370f4a4bb1 Mon Sep 17 00:00:00 2001
+From: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
+Date: Fri, 29 May 2026 13:58:42 +0200
+Subject: accel/ivpu: Add bounds checks for firmware log indices
+
+From: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
+
+commit dd1311bcf0e62f0c515115f46a3813370f4a4bb1 upstream.
+
+Add validation that read and write indices in the firmware log buffer
+are within valid bounds (< data_size) before using them. If
+out-of-bounds indices are encountered (from firmware), clamp them to
+safe values instead of proceeding with invalid offsets.
+
+This prevents potential out-of-bounds buffer access when firmware
+supplies invalid log indices.
+
+Fixes: 1fc1251149a7 ("accel/ivpu: Refactor functions in ivpu_fw_log.c")
+Cc: stable@vger.kernel.org # v6.18+
+Signed-off-by: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
+Reviewed-by: Karol Wachowski <karol.wachowski@linux.intel.com>
+Signed-off-by: Karol Wachowski <karol.wachowski@linux.intel.com>
+Link: https://patch.msgid.link/20260529115842.135378-1-andrzej.kacprowski@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/accel/ivpu/ivpu_fw_log.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/accel/ivpu/ivpu_fw_log.c
++++ b/drivers/accel/ivpu/ivpu_fw_log.c
+@@ -98,6 +98,11 @@ static void fw_log_print_buffer(struct v
+       u32 log_start = only_new_msgs ? READ_ONCE(log->read_index) : 0;
+       u32 log_end = READ_ONCE(log->write_index);
++      if (log_start >= data_size)
++              log_start = 0;
++      if (log_end > data_size)
++              log_end = data_size;
++
+       if (log->wrap_count == log->read_wrap_count) {
+               if (log_end <= log_start) {
+                       drm_printf(p, "==== %s \"%s\" log empty ====\n", prefix, log->name);
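Review bot: The clamp of `log_start` and `log_end` in fw_log_print_buffer() is silent, so a firmware log header with out-of-range indices yields a normal-looking dump and nothing tells the reader that the indices were rewritten. A comment such as `/* read_index/write_index are written by firmware; clamp so the prints below stay inside data_size */` would document the trust boundary, and one extra line through the existing `drm_printf(p, ...)` printer when either clamp fires would make the corruption visible in the dump itself. `data_size` is computed outside this hunk, and the clamp is only as good as that value, so it is worth confirming that it is validated against the buffer rather than taken unchecked from the same firmware-written header. The function body continues past the hunk.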
diff --git a/queue-7.0/accel-ivpu-add-buffer-overflow-check-in-ms-get_info_ioctl.patch b/queue-7.0/accel-ivpu-add-buffer-overflow-check-in-ms-get_info_ioctl.patch
new file mode 100644 (file)
index 0000000..d2f211b
--- /dev/null
@@ -0,0 +1,42 @@
+From fb176425837693f50c5c9fc8db6fbb04af22bd0a Mon Sep 17 00:00:00 2001
+From: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
+Date: Fri, 29 May 2026 14:08:41 +0200
+Subject: accel/ivpu: Add buffer overflow check in MS get_info_ioctl
+
+From: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
+
+commit fb176425837693f50c5c9fc8db6fbb04af22bd0a upstream.
+
+Add validation that the info size returned from the metric stream info
+query is not exceeded when checked against the allocated buffer size.
+If the firmware returns a size larger than the buffer, reject the
+operation with -EOVERFLOW instead of proceeding with an incorrect
+buffer copy.
+
+Fixes: cdfad4db7756 ("accel/ivpu: Add NPU profiling support")
+Cc: stable@vger.kernel.org # v6.18+
+Signed-off-by: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
+Reviewed-by: Karol Wachowski <karol.wachowski@linux.intel.com>
+Signed-off-by: Karol Wachowski <karol.wachowski@linux.intel.com>
+Link: https://patch.msgid.link/20260529120841.135852-1-andrzej.kacprowski@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/accel/ivpu/ivpu_ms.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/accel/ivpu/ivpu_ms.c
++++ b/drivers/accel/ivpu/ivpu_ms.c
+@@ -291,6 +291,13 @@ int ivpu_ms_get_info_ioctl(struct drm_de
+       if (ret)
+               goto unlock;
++      if (info_size > ivpu_bo_size(bo)) {
++              ivpu_warn_ratelimited(vdev, "MS info overflow: %#llx > %#zx\n",
++                                    info_size, ivpu_bo_size(bo));
++              ret = -EOVERFLOW;
++              goto unlock;
++      }
++
+       if (args->buffer_size < info_size) {
+               ret = -ENOSPC;
+               goto unlock;
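Review bot: `info_size` is compared with `ivpu_bo_size(bo)` only after the metric-stream query has returned, so the new test in ivpu_ms_get_info_ioctl() protects the later copy out of `bo` (outside this hunk) and nothing more; a comment saying so, e.g. `/* info_size is reported by firmware; never copy more than the BO holds */`, would keep the check from being reordered or merged with the `args->buffer_size` test below it. The `%#llx`/`%#zx` specifiers depend on the declared types of `info_size` and of `ivpu_bo_size()`'s return, both declared outside the hunk, and should be checked against them.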
diff --git a/queue-7.0/accel-ivpu-fix-signed-integer-truncation-in-ipc-receive.patch b/queue-7.0/accel-ivpu-fix-signed-integer-truncation-in-ipc-receive.patch
new file mode 100644 (file)
index 0000000..0a9cc55
--- /dev/null
@@ -0,0 +1,39 @@
+From d9faef564438d1e4579c692c046603e7ada7bdf4 Mon Sep 17 00:00:00 2001
+From: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
+Date: Mon, 1 Jun 2026 18:16:43 +0200
+Subject: accel/ivpu: Fix signed integer truncation in IPC receive
+
+From: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
+
+commit d9faef564438d1e4579c692c046603e7ada7bdf4 upstream.
+
+Fix potential buffer overflow where firmware-supplied data_size is cast
+to signed int before being used in min_t(). Large unsigned values
+(>= 0x80000000) become negative, causing unsigned wraparound and
+oversized memcpy operations that can overflow the stack buffer.
+
+Change min_t(int, ...) to min() as both values are unsigned and can be
+handled by min() without explicit cast.
+
+Fixes: 3b434a3445ff ("accel/ivpu: Use threaded IRQ to handle JOB done messages")
+Cc: stable@vger.kernel.org # v6.12+
+Signed-off-by: Andrzej Kacprowski <andrzej.kacprowski@linux.intel.com>
+Reviewed-by: Karol Wachowski <karol.wachowski@linux.intel.com>
+Signed-off-by: Karol Wachowski <karol.wachowski@linux.intel.com>
+Link: https://patch.msgid.link/20260601161643.229342-1-andrzej.kacprowski@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/accel/ivpu/ivpu_ipc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/accel/ivpu/ivpu_ipc.c
++++ b/drivers/accel/ivpu/ivpu_ipc.c
+@@ -276,7 +276,7 @@ int ivpu_ipc_receive(struct ivpu_device
+       if (ipc_buf)
+               memcpy(ipc_buf, rx_msg->ipc_hdr, sizeof(*ipc_buf));
+       if (rx_msg->jsm_msg) {
+-              u32 size = min_t(int, rx_msg->ipc_hdr->data_size, sizeof(*jsm_msg));
++              u32 size = min(rx_msg->ipc_hdr->data_size, sizeof(*jsm_msg));
+               if (rx_msg->jsm_msg->result != VPU_JSM_STATUS_SUCCESS) {
+                       ivpu_err(vdev, "IPC resp result error: %d\n", rx_msg->jsm_msg->result);
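Review bot: Nothing at the `min()` call in ivpu_ipc_receive() records why the comparison has to stay unsigned, so a later cleanup could reintroduce a signed `min_t()`; a comment such as `/* data_size is firmware-supplied: compare unsigned so oversized values clamp to sizeof(*jsm_msg) */` would pin the intent. A `data_size` larger than `sizeof(*jsm_msg)` is now truncated without any trace, and if that indicates misbehaving firmware a ratelimited warning through `ivpu_warn_ratelimited(vdev, ...)` before the copy would help triage. The function continues outside the hunk.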
diff --git a/queue-7.0/arm-do-not-select-have_rust-when-kasan-is-enabled.patch b/queue-7.0/arm-do-not-select-have_rust-when-kasan-is-enabled.patch
new file mode 100644 (file)
index 0000000..57c6c84
--- /dev/null
@@ -0,0 +1,44 @@
+From 84a0f7caafc679f763d3868635837e22bb89651a Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Mon, 11 May 2026 17:02:44 +0900
+Subject: ARM: Do not select HAVE_RUST when KASAN is enabled
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit 84a0f7caafc679f763d3868635837e22bb89651a upstream.
+
+When KASAN is enabled, such as with allmodconfig, the build fails when
+building the Rust code with:
+
+  error: kernel-address sanitizer is not supported for this target
+
+  error: aborting due to 1 previous error
+
+  make[4]: *** [rust/Makefile:654: rust/core.o] Error 1
+
+The arm-unknown-linux-gnueabi target does not support KASAN, so avoid
+saying Rust is supported when it is enabled.
+
+Cc: stable@vger.kernel.org
+Fixes: ccb8ce526807 ("ARM: 9441/1: rust: Enable Rust support for ARMv7")
+Link: https://github.com/Rust-for-Linux/linux/issues/1234
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Christian Schrefl <chrisi.schrefl@gmail.com>
+Link: https://patch.msgid.link/20260511-arm-avoid-rust-with-kasan-v1-1-24d55f4a900b@kernel.org
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/Kconfig |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/Kconfig
++++ b/arch/arm/Kconfig
+@@ -135,7 +135,7 @@ config ARM
+       select MMU_GATHER_RCU_TABLE_FREE if SMP && ARM_LPAE
+       select HAVE_REGS_AND_STACK_ACCESS_API
+       select HAVE_RSEQ
+-      select HAVE_RUST if CPU_LITTLE_ENDIAN && CPU_32v7
++      select HAVE_RUST if CPU_LITTLE_ENDIAN && CPU_32v7 && !KASAN
+       select HAVE_STACKPROTECTOR
+       select HAVE_SYSCALL_TRACEPOINTS
+       select HAVE_UID16
diff --git a/queue-7.0/bluetooth-hci_sync-reject-oversized-broadcast-announcement-prepend.patch b/queue-7.0/bluetooth-hci_sync-reject-oversized-broadcast-announcement-prepend.patch
new file mode 100644 (file)
index 0000000..5087061
--- /dev/null
@@ -0,0 +1,47 @@
+From 5c65b96b549ea2dcfde497436bf9e048deb87758 Mon Sep 17 00:00:00 2001
+From: Yuqi Xu <xuyq21@lenovo.com>
+Date: Fri, 29 May 2026 16:54:23 +0800
+Subject: Bluetooth: hci_sync: reject oversized Broadcast Announcement prepend
+
+From: Yuqi Xu <xuyq21@lenovo.com>
+
+commit 5c65b96b549ea2dcfde497436bf9e048deb87758 upstream.
+
+Existing advertising instances can already hold the maximum extended
+advertising payload. When hci_adv_bcast_annoucement() prepends the
+Broadcast Announcement service data to that payload, the combined data
+may no longer fit in the temporary buffer used to rebuild the
+advertising data.
+
+Reject that case before copying the existing payload and report the
+failure through the device log. This keeps the existing advertising
+data intact and avoids overrunning the temporary buffer.
+
+Fixes: 5725bc608252 ("Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Assisted-by: Codex:GPT-5.4
+Signed-off-by: Yuqi Xu <xuyq21@lenovo.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/hci_sync.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -1725,6 +1725,11 @@ static int hci_adv_bcast_annoucement(str
+       /* Generate Broadcast ID */
+       get_random_bytes(bid, sizeof(bid));
+       len = eir_append_service_data(ad, 0, 0x1852, bid, sizeof(bid));
++      if (adv->adv_data_len > sizeof(ad) - len) {
++              bt_dev_err(hdev, "No room for Broadcast Announcement");
++              return -EINVAL;
++      }
++
+       memcpy(ad + len, adv->adv_data, adv->adv_data_len);
+       hci_set_adv_instance_data(hdev, adv->instance, len + adv->adv_data_len,
+                                 ad, 0, NULL);
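Review bot: The guard `adv->adv_data_len > sizeof(ad) - len` in hci_adv_bcast_annoucement() is correct only while `ad` is an array rather than a pointer and `len` never exceeds `sizeof(ad)`. Both facts come from the declaration and from `eir_append_service_data()`, which are outside this hunk, so the subtraction could wrap if either changes. A one-line comment above the test, `/* ad is a fixed-size local array; len is the service-data prefix already written into it */`, would make that dependency explicit. Including both lengths in the `bt_dev_err()` message would also let the log show how far over the limit the rejected payload was.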
diff --git a/queue-7.0/bluetooth-l2cap-reject-br-edr-signaling-packets-over-mtusig.patch b/queue-7.0/bluetooth-l2cap-reject-br-edr-signaling-packets-over-mtusig.patch
new file mode 100644 (file)
index 0000000..0de1e1e
--- /dev/null
@@ -0,0 +1,128 @@
+From dd214733544427587a95f66dbf3adff072568990 Mon Sep 17 00:00:00 2001
+From: Michael Bommarito <michael.bommarito@gmail.com>
+Date: Thu, 21 May 2026 10:45:17 -0400
+Subject: Bluetooth: L2CAP: reject BR/EDR signaling packets over MTUsig
+
+From: Michael Bommarito <michael.bommarito@gmail.com>
+
+commit dd214733544427587a95f66dbf3adff072568990 upstream.
+
+net/bluetooth/l2cap_core.c:l2cap_sig_channel() accepts BR/EDR
+signaling packets up to the channel MTU and dispatches each command
+without enforcing the signaling MTU (MTUsig). A Bluetooth BR/EDR peer
+within radio range can send a fixed-channel CID 0x0001 packet that is
+larger than MTUsig and contains many L2CAP_ECHO_REQ commands before
+pairing. In a real-radio stock-kernel run, one 681-byte signaling
+packet containing 168 zero-length ECHO_REQ commands made the target
+transmit 168 ECHO_RSP frames over about 220 ms.
+
+Impact: a Bluetooth BR/EDR peer within radio range, before pairing, can
+force 168 ECHO_RSP frames from one 681-byte fixed-channel signaling
+packet containing packed ECHO_REQ commands.
+
+Define Linux's BR/EDR signaling MTU as the spec minimum of 48 bytes and
+reject any larger signaling packet with one L2CAP_COMMAND_REJECT_RSP
+carrying L2CAP_REJ_MTU_EXCEEDED before any command is dispatched.
+
+The Bluetooth Core spec wording for MTUExceeded says the reject
+identifier shall match the first request command in the packet, and
+that packets containing only responses shall be silently discarded.
+Linux intentionally deviates from that prescription: silently
+discarding desynchronizes the peer because the remote stack never
+learns its responses were dropped, and locating the first request
+command requires walking command headers past MTUsig, i.e. processing
+bytes from a packet we have already decided is too large to process.
+We therefore always emit one reject and use the identifier from the
+first command header, a single fixed-offset byte read.
+
+The unrestricted BR/EDR signaling parser and ECHO_REQ response path both
+trace to the initial git import; no later introducing commit is
+available for a Fixes tag.
+
+Cc: stable@vger.kernel.org
+Suggested-by: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
+Link: https://lore.kernel.org/r/20260518002800.1361430-1-michael.bommarito@gmail.com
+Link: https://lore.kernel.org/r/20260520135034.1060859-1-michael.bommarito@gmail.com
+Link: https://lore.kernel.org/r/20260521000555.3712030-1-michael.bommarito@gmail.com
+Assisted-by: Claude:claude-opus-4-7
+Assisted-by: Codex:gpt-5-5-xhigh
+Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/bluetooth/l2cap.h |    1 
+ net/bluetooth/l2cap_core.c    |   46 ++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 47 insertions(+)
+
+--- a/include/net/bluetooth/l2cap.h
++++ b/include/net/bluetooth/l2cap.h
+@@ -33,6 +33,7 @@
+ /* L2CAP defaults */
+ #define L2CAP_DEFAULT_MTU             672
+ #define L2CAP_DEFAULT_MIN_MTU         48
++#define L2CAP_SIG_MTU                 48      /* BR/EDR signaling MTU */
+ #define L2CAP_DEFAULT_FLUSH_TO                0xFFFF
+ #define L2CAP_EFS_DEFAULT_FLUSH_TO    0xFFFFFFFF
+ #define L2CAP_DEFAULT_TX_WINDOW               63
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -5651,6 +5651,15 @@ static inline void l2cap_sig_send_rej(st
+       l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
+ }
++static inline void l2cap_sig_send_mtu_rej(struct l2cap_conn *conn, u8 ident)
++{
++      struct l2cap_cmd_rej_mtu rej;
++
++      rej.reason = cpu_to_le16(L2CAP_REJ_MTU_EXCEEDED);
++      rej.max_mtu = cpu_to_le16(L2CAP_SIG_MTU);
++      l2cap_send_cmd(conn, ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
++}
++
+ static inline void l2cap_sig_channel(struct l2cap_conn *conn,
+                                    struct sk_buff *skb)
+ {
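Review bot: `rej` in l2cap_sig_send_mtu_rej() is declared without an initializer and then sent with `sizeof(rej)`, which is safe only while `struct l2cap_cmd_rej_mtu` (defined outside this diff) has exactly the two assigned fields and no padding. A designated initializer, `struct l2cap_cmd_rej_mtu rej = { .reason = cpu_to_le16(L2CAP_REJ_MTU_EXCEEDED), .max_mtu = cpu_to_le16(L2CAP_SIG_MTU) };`, keeps any future field zeroed instead of carrying stack bytes to the peer.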
+@@ -5663,6 +5672,43 @@ static inline void l2cap_sig_channel(str
+       if (hcon->type != ACL_LINK)
+               goto drop;
++      /*
++       * Bluetooth Core v5.4, Vol 3, Part A, Section 4: the BR/EDR
++       * signaling channel has a fixed signaling MTU (MTUsig) whose
++       * minimum and default is 48 octets.  Section 4.1 says that on
++       * an MTUExceeded command reject the identifier "shall match
++       * the first request command in the L2CAP packet" and that
++       * packets containing only response commands "shall be
++       * silently discarded".
++       *
++       * Linux intentionally deviates from that prescription:
++       *
++       *   1. Silently discarding desynchronizes the peer.  The
++       *      remote stack never learns its responses were dropped,
++       *      so any state machine waiting on a paired response
++       *      stalls until its own timer fires.
++       *
++       *   2. Locating "the first request command" requires walking
++       *      command headers past MTUsig, i.e. processing bytes
++       *      from a packet we have already decided is too large to
++       *      process.
++       *
++       * Reject every over-MTUsig signaling packet with one
++       * L2CAP_REJ_MTU_EXCEEDED command reject.  The reject's
++       * reason field is what tells the peer that the whole packet
++       * was discarded; the identifier value is informational, so
++       * we use the identifier from the first command header, a
++       * single fixed-offset byte read.
++       */
++      if (skb->len > L2CAP_SIG_MTU) {
++              u8 ident = skb->data[1];
++
++              BT_DBG("signaling packet exceeds MTU: %u > %u",
++                     skb->len, L2CAP_SIG_MTU);
++              l2cap_sig_send_mtu_rej(conn, ident);
++              goto drop;
++      }
++
+       while (skb->len >= L2CAP_CMD_HDR_SIZE) {
+               u16 len;
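Review bot: The only trace of an over-MTUsig signaling packet is `BT_DBG`, which is normally silent, so repeated oversized packets from an unpaired peer leave nothing in the log for an operator to notice. A ratelimited message such as `bt_dev_warn_ratelimited(hcon->hdev, "signaling packet exceeds MTUsig: %u > %u", skb->len, L2CAP_SIG_MTU);` would make them observable without flooding. The read `u8 ident = skb->data[1];` is in bounds because `skb->len > L2CAP_SIG_MTU`, provided the skb is linear at this point, and the long comment could say so in one clause. l2cap_sig_channel() continues outside the hunk.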
diff --git a/queue-7.0/cfi-include-uaccess.h-for-get_kernel_nofault.patch b/queue-7.0/cfi-include-uaccess.h-for-get_kernel_nofault.patch
new file mode 100644 (file)
index 0000000..c47d85c
--- /dev/null
@@ -0,0 +1,52 @@
+From 979c294509f9248fe1e7c358d582fb37dd5ca12d Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Thu, 4 Jun 2026 17:33:21 -0700
+Subject: cfi: Include uaccess.h for get_kernel_nofault()
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit 979c294509f9248fe1e7c358d582fb37dd5ca12d upstream.
+
+After commit 0652a3daa787 ("tracing: Fix CFI violation in probestub
+being called by tprobes"), there are many build errors when building
+ARCH=arm multi_v7_defconfig + CONFIG_CFI=y like:
+
+  In file included from drivers/base/devres.c:17:
+  In file included from drivers/base/trace.h:16:
+  In file included from include/linux/tracepoint.h:23:
+  include/linux/cfi.h:44:6: error: call to undeclared function 'get_kernel_nofault'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
+     44 |         if (get_kernel_nofault(hash, func - cfi_get_offset()))
+        |             ^
+  1 error generated.
+
+get_kernel_nofault() is called in the generic version of
+cfi_get_func_hash() but nothing ensures uaccess.h is always included for
+a proper expansion and prototype.  Include uaccess.h in cfi.h to clear
+up the errors.
+
+Cc: stable@vger.kernel.org
+Fixes: 0652a3daa787 ("tracing: Fix CFI violation in probestub being called by tprobes")
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/cfi.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/linux/cfi.h b/include/linux/cfi.h
+index 1fd22ea6eba4..0f220d29225c 100644
+--- a/include/linux/cfi.h
++++ b/include/linux/cfi.h
+@@ -9,6 +9,7 @@
+ #include <linux/bug.h>
+ #include <linux/module.h>
++#include <linux/uaccess.h>
+ #include <asm/cfi.h>
+ #ifdef CONFIG_CFI
+-- 
+2.54.0
+
diff --git a/queue-7.0/cgroup-cpuset-use-effective_xcpus-in-partcmd_update-add-del-mask-calculation.patch b/queue-7.0/cgroup-cpuset-use-effective_xcpus-in-partcmd_update-add-del-mask-calculation.patch
new file mode 100644 (file)
index 0000000..c6c08e8
--- /dev/null
@@ -0,0 +1,120 @@
+From 0a68853de27b522bca2b9934127277185374a24f Mon Sep 17 00:00:00 2001
+From: Sun Shaojie <sunshaojie@kylinos.cn>
+Date: Wed, 27 May 2026 14:43:28 +0800
+Subject: cgroup/cpuset: Use effective_xcpus in partcmd_update add/del mask calculation
+
+From: Sun Shaojie <sunshaojie@kylinos.cn>
+
+commit 0a68853de27b522bca2b9934127277185374a24f upstream.
+
+When sibling CPU exclusion occurs, a partition's user_xcpus may contain
+CPUs that were never actually granted to it. These CPUs are present in
+user_xcpus(cs) but not in cs->effective_xcpus.
+
+The partcmd_update path in update_parent_effective_cpumask() uses
+user_xcpus(cs) (via the local variable xcpus) to compute the addmask
+(CPUs to return to parent) and delmask (CPUs to request from parent).
+This is incorrect:
+
+ 1) When newmask removes a CPU that was previously excluded by a
+    sibling, addmask incorrectly includes that CPU and tries to return
+    it to the parent even though the partition never actually owned it,
+    causing CPU overlap with sibling partitions and triggering warnings
+    in generate_sched_domains().
+
+ 2) When newmask adds a previously excluded CPU that is now available,
+    delmask fails to request it from the parent because user_xcpus(cs)
+    already includes it.
+
+Fix this by using cs->effective_xcpus instead of user_xcpus(cs) in all
+partcmd_update paths that calculate addmask or delmask, including the
+PERR_NOCPUS error handling paths.
+
+Reproducers:
+
+  Example 1 - Removing a sibling-excluded CPU incorrectly returns it:
+
+    # cd /sys/fs/cgroup
+    # echo "0-1" > a1/cpuset.cpus
+    # echo "root" > a1/cpuset.cpus.partition
+    # echo "0-2" > b1/cpuset.cpus
+    # echo "root" > b1/cpuset.cpus.partition
+    # echo "2" > b1/cpuset.cpus
+    # cat cpuset.cpus.effective
+    # Actual: 0-1,3    Expected: 3
+
+  Example 2 - Expanding to a previously excluded CPU fails to request it:
+
+    # cd /sys/fs/cgroup
+    # echo "0-1" > a1/cpuset.cpus
+    # echo "root" > a1/cpuset.cpus.partition
+    # echo "0-2" > b1/cpuset.cpus
+    # echo "root" > b1/cpuset.cpus.partition
+    # echo "member" > a1/cpuset.cpus.partition
+    # echo "1-2" > b1/cpuset.cpus
+    # cat cpuset.cpus.effective
+    # Actual: 0-1,3    Expected: 0,3
+
+Fixes: 2a3602030d80 ("cgroup/cpuset: Don't invalidate sibling partitions on cpuset.cpus conflict")
+Cc: stable@vger.kernel.org # v7.0+
+Suggested-by: Zhang Guopeng <zhangguopeng@kylinos.cn>
+Signed-off-by: Sun Shaojie <sunshaojie@kylinos.cn>
+Reviewed-by: Waiman Long <longman@redhat.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/cgroup/cpuset.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c
+index 5c33ab20cc20..c9e14fda3d6f 100644
+--- a/kernel/cgroup/cpuset.c
++++ b/kernel/cgroup/cpuset.c
+@@ -1811,9 +1811,9 @@ static int update_parent_effective_cpumask(struct cpuset *cs, int cmd,
+                * Compute add/delete mask to/from effective_cpus
+                *
+                * For valid partition:
+-               *   addmask = exclusive_cpus & ~newmask
++               *   addmask = effective_xcpus & ~newmask
+                *                            & parent->effective_xcpus
+-               *   delmask = newmask & ~exclusive_cpus
++               *   delmask = newmask & ~effective_xcpus
+                *                     & parent->effective_xcpus
+                *
+                * For invalid partition:
+@@ -1825,11 +1825,11 @@ static int update_parent_effective_cpumask(struct cpuset *cs, int cmd,
+                       deleting = cpumask_and(tmp->delmask,
+                                       newmask, parent->effective_xcpus);
+               } else {
+-                      cpumask_andnot(tmp->addmask, xcpus, newmask);
++                      cpumask_andnot(tmp->addmask, cs->effective_xcpus, newmask);
+                       adding = cpumask_and(tmp->addmask, tmp->addmask,
+                                            parent->effective_xcpus);
+-                      cpumask_andnot(tmp->delmask, newmask, xcpus);
++                      cpumask_andnot(tmp->delmask, newmask, cs->effective_xcpus);
+                       deleting = cpumask_and(tmp->delmask, tmp->delmask,
+                                              parent->effective_xcpus);
+               }
+@@ -1868,7 +1868,7 @@ static int update_parent_effective_cpumask(struct cpuset *cs, int cmd,
+                       part_error = PERR_NOCPUS;
+                       deleting = false;
+                       adding = cpumask_and(tmp->addmask,
+-                                           xcpus, parent->effective_xcpus);
++                                           cs->effective_xcpus, parent->effective_xcpus);
+               }
+       } else {
+               /*
+@@ -1890,7 +1890,8 @@ static int update_parent_effective_cpumask(struct cpuset *cs, int cmd,
+                       part_error = PERR_NOCPUS;
+                       if (is_partition_valid(cs))
+                               adding = cpumask_and(tmp->addmask,
+-                                              xcpus, parent->effective_xcpus);
++                                                   cs->effective_xcpus,
++                                                   parent->effective_xcpus);
+               } else if (is_partition_invalid(cs) && !cpumask_empty(xcpus) &&
+                          cpumask_subset(xcpus, parent->effective_xcpus)) {
+                       struct cgroup_subsys_state *css;
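Review bot: After this change update_parent_effective_cpumask() mixes `cs->effective_xcpus` for the valid-partition add/del masks with the local `xcpus`, which still appears in the `is_partition_invalid(cs)` branch at the end of this hunk, and nothing at the use sites says which one is intended where. A short comment on that branch, `/* invalid partition: test the requested user_xcpus, not effective_xcpus */`, would stop a later cleanup from "finishing" the conversion. The comment rewritten in the first hunk spells the new operand as bare `effective_xcpus` next to `parent->effective_xcpus`; writing it as `cs->effective_xcpus` there removes the ambiguity. The function body extends well beyond the visible hunks.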
+-- 
+2.54.0
+
diff --git a/queue-7.0/drm-i915-gem-fix-phys-bo-pread-pwrite-with-offset.patch b/queue-7.0/drm-i915-gem-fix-phys-bo-pread-pwrite-with-offset.patch
new file mode 100644 (file)
index 0000000..6383de2
--- /dev/null
@@ -0,0 +1,89 @@
+From d21ad938398bca695a511307de38a65889e3b354 Mon Sep 17 00:00:00 2001
+From: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Date: Wed, 10 Jun 2026 09:03:14 +0300
+Subject: drm/i915/gem: Fix phys BO pread/pwrite with offset
+
+From: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+
+commit d21ad938398bca695a511307de38a65889e3b354 upstream.
+
+sg_page() returns struct page pointer not (void *) so the scaling
+of pread/pwrite is wrong for phys BO and wrong parts of BO would be
+accessed if non-zero offset is used.
+
+Last impacted platform with overlay or cursor planes using phys
+mapping was Gen3/945G/Lakeport.
+
+Reported-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Fixes: c6790dc22312 ("drm/i915: Wean off drm_pci_alloc/drm_pci_free")
+Cc: <stable@vger.kernel.org> # v4.5+
+Cc: Tvrtko Ursulin <tursulin@ursulin.net>
+Cc: Simona Vetter <simona@ffwll.ch>
+Cc: Jani Nikula <jani.nikula@linux.intel.com>
+Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
+Link: https://patch.msgid.link/20260610060314.26111-1-joonas.lahtinen@linux.intel.com
+(cherry picked from commit 3e49a2f85070b2fb672c1e0fdba281a4ea3aebe6)
+Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/gem/i915_gem_phys.c |   19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/i915/gem/i915_gem_phys.c
++++ b/drivers/gpu/drm/i915/gem/i915_gem_phys.c
+@@ -18,6 +18,17 @@
+ #include "i915_gem_tiling.h"
+ #include "i915_scatterlist.h"
++/* Abuse scatterlist to store pointer instead of struct page. */
++static inline void __set_phys_vaddr(struct scatterlist *sg, void *vaddr)
++{
++      sg_assign_page(sg, (struct page *)vaddr);
++}
++
++static inline void *__get_phys_vaddr(struct scatterlist *sg)
++{
++      return (void *)sg_page(sg);
++}
++
+ static int i915_gem_object_get_pages_phys(struct drm_i915_gem_object *obj)
+ {
+       struct address_space *mapping = obj->base.filp->f_mapping;
+@@ -58,7 +69,7 @@ static int i915_gem_object_get_pages_phy
+       sg->offset = 0;
+       sg->length = obj->base.size;
+-      sg_assign_page(sg, (struct page *)vaddr);
++      __set_phys_vaddr(sg, vaddr);
+       sg_dma_address(sg) = dma;
+       sg_dma_len(sg) = obj->base.size;
+@@ -99,7 +110,7 @@ i915_gem_object_put_pages_phys(struct dr
+                              struct sg_table *pages)
+ {
+       dma_addr_t dma = sg_dma_address(pages->sgl);
+-      void *vaddr = sg_page(pages->sgl);
++      void *vaddr = __get_phys_vaddr(pages->sgl);
+       __i915_gem_object_release_shmem(obj, pages, false);
+@@ -139,7 +150,7 @@ i915_gem_object_put_pages_phys(struct dr
+ int i915_gem_object_pwrite_phys(struct drm_i915_gem_object *obj,
+                               const struct drm_i915_gem_pwrite *args)
+ {
+-      void *vaddr = sg_page(obj->mm.pages->sgl) + args->offset;
++      void *vaddr = __get_phys_vaddr(obj->mm.pages->sgl) + args->offset;
+       char __user *user_data = u64_to_user_ptr(args->data_ptr);
+       struct drm_i915_private *i915 = to_i915(obj->base.dev);
+       int err;
+@@ -170,7 +181,7 @@ int i915_gem_object_pwrite_phys(struct d
+ int i915_gem_object_pread_phys(struct drm_i915_gem_object *obj,
+                              const struct drm_i915_gem_pread *args)
+ {
+-      void *vaddr = sg_page(obj->mm.pages->sgl) + args->offset;
++      void *vaddr = __get_phys_vaddr(obj->mm.pages->sgl) + args->offset;
+       char __user *user_data = u64_to_user_ptr(args->data_ptr);
+       int err;
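Review bot: The comment above `__set_phys_vaddr()`/`__get_phys_vaddr()` says the scatterlist is abused but not why callers must go through the helpers, which is the substance of the fix. `sg_page()` returns `struct page *`, so `sg_page(sgl) + args->offset` advanced in units of `sizeof(struct page)` instead of bytes. I would extend the comment to something like `/* The sg "page" is really a kernel vaddr; read it only via __get_phys_vaddr() so offset arithmetic is done in bytes, never on struct page *. */`. `args->offset` arrives through the pread/pwrite arguments and no range check against `obj->base.size` is visible in these hunks, so confirm it happens before these functions are reached. Both `i915_gem_object_pwrite_phys()` and `i915_gem_object_pread_phys()` continue outside the hunks.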
diff --git a/queue-7.0/firmware-stratix10-rsu-fix-null-deref-on-rsu_send_msg-timeout-in-probe.patch b/queue-7.0/firmware-stratix10-rsu-fix-null-deref-on-rsu_send_msg-timeout-in-probe.patch
new file mode 100644 (file)
index 0000000..e9632a8
--- /dev/null
@@ -0,0 +1,158 @@
+From bfd2eb9bba548a8f63c3339bb1fb9a2031a42d86 Mon Sep 17 00:00:00 2001
+From: Dinh Nguyen <dinguyen@kernel.org>
+Date: Wed, 20 May 2026 21:54:57 -0500
+Subject: firmware: stratix10-rsu: Fix NULL deref on rsu_send_msg() timeout in probe
+
+From: Dinh Nguyen <dinguyen@kernel.org>
+
+commit bfd2eb9bba548a8f63c3339bb1fb9a2031a42d86 upstream.
+
+rsu_send_msg() can return -ETIMEDOUT when
+wait_for_completion_interruptible_timeout() fires while the SMC call is still
+pending. In stratix10_rsu_probe(), the error paths for COMMAND_RSU_DCMF_VERSION,
+COMMAND_RSU_DCMF_STATUS, COMMAND_RSU_MAX_RETRY and COMMAND_RSU_GET_SPT_TABLE
+call stratix10_svc_free_channel() - which sets chan->scl to NULL - but then
+fall through and queue the next request on the same channel. The next svc
+kthread that runs will dereference pdata->chan->scl in its receive callback
+path, triggering a NULL pointer dereference identical to the one fixed by
+commit c45f7263100c ("firmware: stratix10-rsu: Fix NULL pointer dereference
+when RSU is disabled") for the COMMAND_RSU_STATUS path.
+
+Apply the same cleanup pattern to the remaining failure paths: remove the
+async client, free the channel, and return early so no further messages are
+queued on a channel whose scl has been cleared.
+
+While at it, clean up stratix10_rsu_probe() in two ways without changing
+behavior:
+
+- Drop redundant zero-initialization of fields already cleared by
+  devm_kzalloc(): client.receive_cb, status.* and spt0/1_address
+  (INVALID_SPT_ADDRESS is 0x0).
+
+- Replace five identical 3-line error-cleanup blocks
+  (stratix10_svc_remove_async_client() + stratix10_svc_free_channel() +
+  return ret) with goto labels (remove_async_client, free_channel),
+  matching the standard kernel resource-unwinding pattern and making it
+  easier to extend the probe sequence without forgetting matching
+  cleanup.
+
+Also move init_completion() next to mutex_init() so sync-primitive
+initialization is grouped before anything that could trigger a
+callback.
+
+Fixes: 15847537b623 ("firmware: stratix10-rsu: Migrate RSU driver to use stratix10 asynchronous framework.")
+Cc: stable@kernel.org
+Assisted-by: Claude:claude-4.7-opus-high Cursor
+Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+v2: Add a minor clean-up of the function stratix10_rsu_probe() to have a
+    centralize exit for all the rsu_send_async_msg() and rsu_send_msg().
+---
+ drivers/firmware/stratix10-rsu.c |   45 +++++++++++++++++----------------------
+ 1 file changed, 20 insertions(+), 25 deletions(-)
+
+--- a/drivers/firmware/stratix10-rsu.c
++++ b/drivers/firmware/stratix10-rsu.c
+@@ -723,15 +723,9 @@ static int stratix10_rsu_probe(struct pl
+               return -ENOMEM;
+       priv->client.dev = dev;
+-      priv->client.receive_cb = NULL;
+       priv->client.priv = priv;
+-      priv->status.current_image = 0;
+-      priv->status.fail_image = 0;
+-      priv->status.error_location = 0;
+-      priv->status.error_details = 0;
+-      priv->status.version = 0;
+-      priv->status.state = 0;
+       priv->retry_counter = INVALID_RETRY_COUNTER;
++      priv->max_retry = INVALID_RETRY_COUNTER;
+       priv->dcmf_version.dcmf0 = INVALID_DCMF_VERSION;
+       priv->dcmf_version.dcmf1 = INVALID_DCMF_VERSION;
+       priv->dcmf_version.dcmf2 = INVALID_DCMF_VERSION;
+@@ -740,11 +734,11 @@ static int stratix10_rsu_probe(struct pl
+       priv->dcmf_status.dcmf1 = INVALID_DCMF_STATUS;
+       priv->dcmf_status.dcmf2 = INVALID_DCMF_STATUS;
+       priv->dcmf_status.dcmf3 = INVALID_DCMF_STATUS;
+-      priv->max_retry = INVALID_RETRY_COUNTER;
+-      priv->spt0_address = INVALID_SPT_ADDRESS;
+-      priv->spt1_address = INVALID_SPT_ADDRESS;
++      /* spt0/1_address and status fields default to 0 from kzalloc */
+       mutex_init(&priv->lock);
++      init_completion(&priv->completion);
++
+       priv->chan = stratix10_svc_request_channel_byname(&priv->client,
+                                                         SVC_CLIENT_RSU);
+       if (IS_ERR(priv->chan)) {
+@@ -756,11 +750,9 @@ static int stratix10_rsu_probe(struct pl
+       ret = stratix10_svc_add_async_client(priv->chan, false);
+       if (ret) {
+               dev_err(dev, "failed to add async client\n");
+-              stratix10_svc_free_channel(priv->chan);
+-              return ret;
++              goto free_channel;
+       }
+-      init_completion(&priv->completion);
+       platform_set_drvdata(pdev, priv);
+       /* get the initial state from firmware */
+@@ -768,41 +760,44 @@ static int stratix10_rsu_probe(struct pl
+                                rsu_async_status_callback);
+       if (ret) {
+               dev_err(dev, "Error, getting RSU status %i\n", ret);
+-              stratix10_svc_remove_async_client(priv->chan);
+-              stratix10_svc_free_channel(priv->chan);
+-              return ret;
++              goto remove_async_client;
+       }
+       /* get DCMF version from firmware */
+-      ret = rsu_send_msg(priv, COMMAND_RSU_DCMF_VERSION,
+-                         0, rsu_dcmf_version_callback);
++      ret = rsu_send_msg(priv, COMMAND_RSU_DCMF_VERSION, 0,
++                         rsu_dcmf_version_callback);
+       if (ret) {
+               dev_err(dev, "Error, getting DCMF version %i\n", ret);
+-              stratix10_svc_free_channel(priv->chan);
++              goto remove_async_client;
+       }
+-      ret = rsu_send_msg(priv, COMMAND_RSU_DCMF_STATUS,
+-                         0, rsu_dcmf_status_callback);
++      ret = rsu_send_msg(priv, COMMAND_RSU_DCMF_STATUS, 0,
++                         rsu_dcmf_status_callback);
+       if (ret) {
+               dev_err(dev, "Error, getting DCMF status %i\n", ret);
+-              stratix10_svc_free_channel(priv->chan);
++              goto remove_async_client;
+       }
+       ret = rsu_send_msg(priv, COMMAND_RSU_MAX_RETRY, 0,
+                          rsu_max_retry_callback);
+       if (ret) {
+               dev_err(dev, "Error, getting RSU max retry %i\n", ret);
+-              stratix10_svc_free_channel(priv->chan);
++              goto remove_async_client;
+       }
+-
+       ret = rsu_send_async_msg(dev, priv, COMMAND_RSU_GET_SPT_TABLE, 0,
+                                rsu_async_get_spt_table_callback);
+       if (ret) {
+               dev_err(dev, "Error, getting SPT table %i\n", ret);
+-              stratix10_svc_free_channel(priv->chan);
++              goto remove_async_client;
+       }
++      return 0;
++
++remove_async_client:
++      stratix10_svc_remove_async_client(priv->chan);
++free_channel:
++      stratix10_svc_free_channel(priv->chan);
+       return ret;
+ }
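Review bot: The new comment `/* spt0/1_address and status fields default to 0 from kzalloc */` in `stratix10_rsu_probe()` makes the initial SPT state depend on `INVALID_SPT_ADDRESS` staying 0x0, and nothing enforces that once the explicit assignments are removed. A compile-time check next to the comment, e.g. `static_assert(INVALID_SPT_ADDRESS == 0);`, would keep the sentinel and the allocation default tied together. Separately, the description says `rsu_send_msg()` can return -ETIMEDOUT while the SMC call is still pending. Whether a late callback can still reach `priv` after the `remove_async_client`/`free_channel` unwind is not visible in this hunk and is worth confirming.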
diff --git a/queue-7.0/firmware-stratix10-svc-don-t-fail-probe-when-async-ops-unsupported.patch b/queue-7.0/firmware-stratix10-svc-don-t-fail-probe-when-async-ops-unsupported.patch
new file mode 100644 (file)
index 0000000..7b93eaa
--- /dev/null
@@ -0,0 +1,58 @@
+From 371aa062219a0af108fb8992f0759d1bac1e8c91 Mon Sep 17 00:00:00 2001
+From: Muhammad Amirul Asyraf Mohamad Jamian
+ <muhammad.amirul.asyraf.mohamad.jamian@altera.com>
+Date: Thu, 16 Apr 2026 00:22:07 -0700
+Subject: firmware: stratix10-svc: Don't fail probe when async ops unsupported
+
+From: Muhammad Amirul Asyraf Mohamad Jamian <muhammad.amirul.asyraf.mohamad.jamian@altera.com>
+
+commit 371aa062219a0af108fb8992f0759d1bac1e8c91 upstream.
+
+When the ATF version is too old to support SIP SVC v3 asynchronous
+operations (e.g. ATF 2.5), stratix10_svc_async_init() returns
+-EOPNOTSUPP. The probe function currently treats any non-zero return
+as fatal and aborts, logging:
+
+  stratix10-svc firmware:svc: Intel Service Layer Driver: ATF version \
+    is not compatible for async operation
+  stratix10-svc firmware:svc: probe with driver stratix10-svc failed \
+    with error -95
+
+This prevents the SVC driver from loading entirely, causing all
+dependent client drivers (hwmon, RSU, FCS) to also fail to probe even
+though they can operate correctly via the synchronous V1 SMC path.
+
+Fix this by treating -EOPNOTSUPP from stratix10_svc_async_init() as a
+non-fatal degraded condition. The driver loads in sync-only mode and
+logs:
+
+  stratix10-svc firmware:svc: Intel Service Layer Driver Initialized \
+    (sync-only mode)
+
+Fixes: bcb9f4f07061 ("firmware: stratix10-svc: Add support for async communication")
+Cc: stable@vger.kernel.org
+Signed-off-by: Muhammad Amirul Asyraf Mohamad Jamian <muhammad.amirul.asyraf.mohamad.jamian@altera.com>
+Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/stratix10-svc.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/firmware/stratix10-svc.c
++++ b/drivers/firmware/stratix10-svc.c
+@@ -1952,10 +1952,14 @@ static int stratix10_svc_drv_probe(struc
+       init_completion(&controller->complete_status);
+       ret = stratix10_svc_async_init(controller);
+-      if (ret) {
++      if (ret == -EOPNOTSUPP) {
++              dev_info(dev, "Intel Service Layer Driver Initialized (sync-only mode)\n");
++      } else if (ret) {
+               dev_dbg(dev, "Intel Service Layer Driver: Error on stratix10_svc_async_init %d\n",
+                       ret);
+               goto err_destroy_pool;
++      } else {
++              dev_info(dev, "Intel Service Layer Driver Initialized\n");
+       }
+       fifo_size = sizeof(struct stratix10_svc_data) * SVC_NUM_DATA_IN_FIFO;
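Review bot: The `ret == -EOPNOTSUPP` branch in `stratix10_svc_drv_probe()` continues with the async controller never initialised and with `ret` still negative, and it logs "Initialized (sync-only mode)" before the rest of probe, starting at the `fifo_size` computation, has run. The remainder of the function is outside the hunk, so it should be checked that every later failure path reassigns `ret` before jumping to an `err_*` label. It should also be checked that the error and remove paths tolerate an async controller that was never set up. A comment on the branch would make the degraded path explicit: `/* Old ATF: async unavailable, keep probing in sync-only mode. */`.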
diff --git a/queue-7.0/firmware-stratix10-svc-return-eopnotsupp-when-atf-async-unsupported.patch b/queue-7.0/firmware-stratix10-svc-return-eopnotsupp-when-atf-async-unsupported.patch
new file mode 100644 (file)
index 0000000..2144597
--- /dev/null
@@ -0,0 +1,104 @@
+From 3e529f57931417120fab700afeef6e49553250d5 Mon Sep 17 00:00:00 2001
+From: Muhammad Amirul Asyraf Mohamad Jamian
+ <muhammad.amirul.asyraf.mohamad.jamian@altera.com>
+Date: Thu, 16 Apr 2026 00:22:06 -0700
+Subject: firmware: stratix10-svc: Return -EOPNOTSUPP when ATF async unsupported
+
+From: Muhammad Amirul Asyraf Mohamad Jamian <muhammad.amirul.asyraf.mohamad.jamian@altera.com>
+
+commit 3e529f57931417120fab700afeef6e49553250d5 upstream.
+
+Add a 'supported' flag to struct stratix10_async_ctrl to indicate
+whether the secure firmware supports SIP SVC v3 asynchronous
+communication. When the ATF version check in stratix10_svc_async_init()
+fails, set supported=false and return -EOPNOTSUPP instead of -EINVAL.
+
+This allows callers to distinguish between "async not supported by this
+ATF version" (-EOPNOTSUPP) and "programming error / bad argument"
+(-EINVAL), and take appropriate action (e.g. fall back to synchronous
+V1 SMC path) rather than treating both as fatal.
+
+Also update stratix10_svc_add_async_client() to return -EOPNOTSUPP
+immediately when async is not supported, rather than -EINVAL from the
+!actrl->initialized check, so client drivers receive a consistent and
+meaningful error code.
+
+This patch is a prerequisite for the following fix and must be applied
+together with it to correctly restore functionality on old ATF versions.
+
+Fixes: bcb9f4f07061 ("firmware: stratix10-svc: Add support for async communication")
+Cc: stable@vger.kernel.org
+Suggested-by: Anders Hedlund <anders.hedlund@windriver.com>
+Signed-off-by: Mahesh Rao <mahesh.rao@altera.com>
+Signed-off-by: Muhammad Amirul Asyraf Mohamad Jamian <muhammad.amirul.asyraf.mohamad.jamian@altera.com>
+Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/stratix10-svc.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/firmware/stratix10-svc.c b/drivers/firmware/stratix10-svc.c
+index e9e35d67ef96..8a4f18602f36 100644
+--- a/drivers/firmware/stratix10-svc.c
++++ b/drivers/firmware/stratix10-svc.c
+@@ -212,6 +212,7 @@ struct stratix10_async_chan {
+ /**
+  * struct stratix10_async_ctrl - Control structure for Stratix10
+  *                               asynchronous operations
++ * @supported: Flag indicating whether the system supports async operations
+  * @initialized: Flag indicating whether the control structure has
+  *               been initialized
+  * @invoke_fn: Function pointer for invoking Stratix10 service calls
+@@ -228,6 +229,7 @@ struct stratix10_async_chan {
+  */
+ struct stratix10_async_ctrl {
++      bool supported;
+       bool initialized;
+       void (*invoke_fn)(struct stratix10_async_ctrl *actrl,
+                         const struct arm_smccc_1_2_regs *args,
+@@ -1103,6 +1105,7 @@ EXPORT_SYMBOL_GPL(stratix10_svc_request_channel_byname);
+  * Return: 0 on success, or a negative error code on failure:
+  *         -EINVAL if the channel is NULL or the async controller is
+  *         not initialized.
++ *         -EOPNOTSUPP if async operations are not supported.
+  *         -EALREADY if the async channel is already allocated.
+  *         -ENOMEM if memory allocation fails.
+  *         Other negative values if ID allocation fails.
+@@ -1121,6 +1124,9 @@ int stratix10_svc_add_async_client(struct stratix10_svc_chan *chan,
+       ctrl = chan->ctrl;
+       actrl = &ctrl->actrl;
++      if (!actrl->supported)
++              return -EOPNOTSUPP;
++
+       if (!actrl->initialized) {
+               dev_err(ctrl->dev, "Async controller not initialized\n");
+               return -EINVAL;
+@@ -1562,6 +1568,7 @@ static inline void stratix10_smc_1_2(struct stratix10_async_ctrl *actrl,
+  *         initialized, -ENOMEM if memory allocation fails,
+  *         -EADDRINUSE if the client ID is already reserved, or other
+  *         negative error codes on failure.
++ *         -EOPNOTSUPP if system doesn't support async operations.
+  */
+ static int stratix10_svc_async_init(struct stratix10_svc_controller *controller)
+ {
+@@ -1585,10 +1592,12 @@ static int stratix10_svc_async_init(struct stratix10_svc_controller *controller)
+           !(res.a1 > ASYNC_ATF_MINIMUM_MAJOR_VERSION ||
+             (res.a1 == ASYNC_ATF_MINIMUM_MAJOR_VERSION &&
+              res.a2 >= ASYNC_ATF_MINIMUM_MINOR_VERSION))) {
+-              dev_err(dev,
+-                      "Intel Service Layer Driver: ATF version is not compatible for async operation\n");
+-              return -EINVAL;
++              dev_info(dev,
++                       "Intel Service Layer Driver: ATF version is not compatible for async operation\n");
++              actrl->supported = false;
++              return -EOPNOTSUPP;
+       }
++      actrl->supported = true;
+       actrl->invoke_fn = stratix10_smc_1_2;
+-- 
+2.54.0
+
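Review bot: In `stratix10_svc_add_async_client()` the new `if (!actrl->supported) return -EOPNOTSUPP;` runs before the `!actrl->initialized` test. A controller on which `stratix10_svc_async_init()` never reached the version check (where `supported` is presumably still zero) therefore reports "unsupported" silently, instead of -EINVAL with the "Async controller not initialized" message. If callers fall back to the synchronous path on -EOPNOTSUPP, that case deserves to be documented on the field, e.g. `@supported: set by stratix10_svc_async_init() after the ATF version check; false until then`. The kernel-doc line added for `stratix10_svc_async_init()` also lands after "or other negative error codes on failure"; listing -EOPNOTSUPP with the other named codes would read better.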
diff --git a/queue-7.0/hv_netvsc-use-kmap_local_page-in-netvsc_copy_to_send_buf.patch b/queue-7.0/hv_netvsc-use-kmap_local_page-in-netvsc_copy_to_send_buf.patch
new file mode 100644 (file)
index 0000000..3c531c1
--- /dev/null
@@ -0,0 +1,87 @@
+From 004e9ecfe6c5384f9e0b2f6f6389d42ec22789af Mon Sep 17 00:00:00 2001
+From: Anton Leontev <leontyevantony@gmail.com>
+Date: Thu, 4 Jun 2026 19:59:38 +0300
+Subject: hv_netvsc: use kmap_local_page in netvsc_copy_to_send_buf
+
+From: Anton Leontev <leontyevantony@gmail.com>
+
+commit 004e9ecfe6c5384f9e0b2f6f6389d42ec22789af upstream.
+
+netvsc_copy_to_send_buf() copies page buffer entries into the VMBus
+send buffer using phys_to_virt() on the entry PFN. Entries for the
+RNDIS header and the skb linear data come from kmalloc'd memory and
+are always in the kernel direct map, but entries for skb fragments
+reference page cache or user pages, which on 32-bit x86 with
+CONFIG_HIGHMEM=y can live above the LOWMEM boundary. For such a page
+phys_to_virt() returns an address outside the direct map and the
+subsequent memcpy() faults on the transmit softirq path, which is
+fatal.
+
+Map the pages with kmap_local_page() instead, handling two properties
+of the page buffer entries:
+
+ - pb[i].pfn is a Hyper-V PFN at HV_HYP_PAGE_SIZE (4K) granularity,
+   not a native PFN. Reconstruct the physical address first and derive
+   the native page from it, so the mapping stays correct where
+   PAGE_SIZE > HV_HYP_PAGE_SIZE (e.g. arm64 with 64K pages).
+
+ - Since commit 41a6328b2c55 ("hv_netvsc: Preserve contiguous PFN
+   grouping in the page buffer array"), an entry describes a full
+   physically contiguous fragment and pb[i].len can exceed PAGE_SIZE,
+   while kmap_local_page() maps a single page. Copy page by page,
+   splitting at native page boundaries.
+
+The copy path only handles packets smaller than the send section size
+(6144 bytes by default); larger packets take the cp_partial path where
+only the RNDIS header is copied. So entries here are bounded by the
+section size and a copy is split at most once on 4K-page systems. On
+!CONFIG_HIGHMEM configs kmap_local_page() folds to page_address() and
+no mapping work is added.
+
+Fixes: c25aaf814a63 ("hyperv: Enable sendbuf mechanism on the send path")
+Cc: stable@vger.kernel.org
+Signed-off-by: Anton Leontev <leontyevantony@gmail.com>
+Link: https://patch.msgid.link/20260604165938.32033-1-leontyevantony@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/hyperv/netvsc.c |   19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/hyperv/netvsc.c
++++ b/drivers/net/hyperv/netvsc.c
+@@ -12,6 +12,7 @@
+ #include <linux/sched.h>
+ #include <linux/wait.h>
+ #include <linux/mm.h>
++#include <linux/highmem.h>
+ #include <linux/delay.h>
+ #include <linux/io.h>
+ #include <linux/slab.h>
+@@ -965,12 +966,22 @@ static void netvsc_copy_to_send_buf(stru
+       }
+       for (i = 0; i < page_count; i++) {
+-              char *src = phys_to_virt(pb[i].pfn << HV_HYP_PAGE_SHIFT);
+-              u32 offset = pb[i].offset;
++              phys_addr_t paddr = (pb[i].pfn << HV_HYP_PAGE_SHIFT) +
++                                  pb[i].offset;
+               u32 len = pb[i].len;
+-              memcpy(dest, (src + offset), len);
+-              dest += len;
++              while (len) {
++                      struct page *page = phys_to_page(paddr);
++                      u32 off = offset_in_page(paddr);
++                      u32 chunk = min_t(u32, len, PAGE_SIZE - off);
++                      char *src = kmap_local_page(page);
++
++                      memcpy(dest, src + off, chunk);
++                      kunmap_local(src);
++                      dest += chunk;
++                      paddr += chunk;
++                      len -= chunk;
++              }
+       }
+       if (padding)
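Review bot: The inner `while (len)` loop in `netvsc_copy_to_send_buf()` has no comment, and the two facts that make it correct appear only in the commit message. `pb[i].pfn` is in `HV_HYP_PAGE_SIZE` units, and `pb[i].len` may cross a native page boundary while `kmap_local_page()` maps a single page. I would add above the loop `/* pfn is a 4K Hyper-V PFN and len may span native pages; map and copy one native page at a time. */`. The loop also advances `dest` by the full `pb[i].len` with no bound in view. The description says entries are limited by the send section size, and since the function starts outside the hunk, that guarantee should be confirmed at the caller.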
diff --git a/queue-7.0/kvm-arm64-correctly-identify-executable-ptes-at-stage-2.patch b/queue-7.0/kvm-arm64-correctly-identify-executable-ptes-at-stage-2.patch
new file mode 100644 (file)
index 0000000..83e6c7a
--- /dev/null
@@ -0,0 +1,42 @@
+From 17f073f78fc43280891ecde8f8ec3f84f98bb37c Mon Sep 17 00:00:00 2001
+From: Oliver Upton <oupton@kernel.org>
+Date: Tue, 2 Jun 2026 09:59:01 -0700
+Subject: KVM: arm64: Correctly identify executable PTEs at stage-2
+
+From: Oliver Upton <oupton@kernel.org>
+
+commit 17f073f78fc43280891ecde8f8ec3f84f98bb37c upstream.
+
+KVM invalidates the I-cache before installing an executable PTE on
+implementations without DIC. Unfortunately, support for FEAT_XNX
+broke this check as KVM_PTE_LEAF_ATTR_HI_S2_XN was expanded to a
+bitfield.
+
+Fix it by reusing kvm_pgtable_stage2_pte_prot() and testing the abstract
+permission bits instead.
+
+Fixes: 2608563b466b ("KVM: arm64: Add support for FEAT_XNX stage-2 permissions")
+Reported-by: Sashiko (gemini/gemini-3.1-pro-preview)
+Signed-off-by: Oliver Upton <oupton@kernel.org>
+Reviewed-by: Wei-Lin Chang <weilin.chang@arm.com>
+Link: https://patch.msgid.link/20260602165901.52800-3-oupton@kernel.org
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kvm/hyp/pgtable.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/kvm/hyp/pgtable.c
++++ b/arch/arm64/kvm/hyp/pgtable.c
+@@ -923,7 +923,9 @@ static bool stage2_pte_cacheable(struct
+ static bool stage2_pte_executable(kvm_pte_t pte)
+ {
+-      return kvm_pte_valid(pte) && !(pte & KVM_PTE_LEAF_ATTR_HI_S2_XN);
++      enum kvm_pgtable_prot prot = kvm_pgtable_stage2_pte_prot(pte);
++
++      return prot & (KVM_PGTABLE_PROT_UX | KVM_PGTABLE_PROT_PX);
+ }
+ static u64 stage2_map_walker_phys_addr(const struct kvm_pgtable_visit_ctx *ctx,
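Review bot: `stage2_pte_executable()` no longer tests `kvm_pte_valid(pte)` itself, so its result for an invalid PTE now depends entirely on what `kvm_pgtable_stage2_pte_prot()` returns for one, which this hunk does not show. If the helper already reports no execute permission for invalid entries, a one-line comment such as `/* kvm_pgtable_stage2_pte_prot() yields no X bits for an invalid PTE */` records that dependency. Otherwise keep the guard: `return kvm_pte_valid(pte) && (prot & (KVM_PGTABLE_PROT_UX | KVM_PGTABLE_PROT_PX));`. The function gates I-cache invalidation before an executable mapping is installed, so a wrong answer in either direction matters.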
diff --git a/queue-7.0/kvm-arm64-nv-fix-handling-of-xn-when-feat_xnx.patch b/queue-7.0/kvm-arm64-nv-fix-handling-of-xn-when-feat_xnx.patch
new file mode 100644 (file)
index 0000000..561360d
--- /dev/null
@@ -0,0 +1,46 @@
+From 49b32ddb87a3a109afecea89e55d70f73956b8bc Mon Sep 17 00:00:00 2001
+From: Oliver Upton <oupton@kernel.org>
+Date: Tue, 2 Jun 2026 09:59:00 -0700
+Subject: KVM: arm64: nv: Fix handling of XN[0] when !FEAT_XNX
+
+From: Oliver Upton <oupton@kernel.org>
+
+commit 49b32ddb87a3a109afecea89e55d70f73956b8bc upstream.
+
+XN has already been extracted from its bitfield position so using
+FIELD_PREP() on the mask that clears XN[0] is completely broken, having
+the effect of unconditionally granting execute permissions...
+
+Fix the obvious mistake by manipulating the right bit.
+
+Cc: stable@vger.kernel.org
+Fixes: d93febe2ed2e ("KVM: arm64: nv: Forward FEAT_XNX permissions to the shadow stage-2")
+Reviewed-by: Wei-Lin Chang <weilin.chang@arm.com>
+Signed-off-by: Oliver Upton <oupton@kernel.org>
+Link: https://patch.msgid.link/20260602165901.52800-2-oupton@kernel.org
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/kvm_nested.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/include/asm/kvm_nested.h
++++ b/arch/arm64/include/asm/kvm_nested.h
+@@ -131,7 +131,7 @@ static inline bool kvm_s2_trans_exec_el0
+       u8 xn = FIELD_GET(KVM_PTE_LEAF_ATTR_HI_S2_XN, trans->desc);
+       if (!kvm_has_xnx(kvm))
+-              xn &= FIELD_PREP(KVM_PTE_LEAF_ATTR_HI_S2_XN, 0b10);
++              xn &= 0b10;
+       switch (xn) {
+       case 0b00:
+@@ -147,7 +147,7 @@ static inline bool kvm_s2_trans_exec_el1
+       u8 xn = FIELD_GET(KVM_PTE_LEAF_ATTR_HI_S2_XN, trans->desc);
+       if (!kvm_has_xnx(kvm))
+-              xn &= FIELD_PREP(KVM_PTE_LEAF_ATTR_HI_S2_XN, 0b10);
++              xn &= 0b10;
+       switch (xn) {
+       case 0b00:
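Review bot: `xn &= 0b10;` in `kvm_s2_trans_exec_el0()` and the identical line in `kvm_s2_trans_exec_el1()` are bare literals applied to an already-extracted field, which is the same confusion the previous `FIELD_PREP()` form fell into. A short comment on each, e.g. `/* xn is already shifted down; without FEAT_XNX only XN[1] is defined, so drop XN[0] */`, would stop the mask from being "corrected" back. The description says the old code had the effect of unconditionally granting execute permission, so a regression test for an XN mapping without FEAT_XNX would be a useful guard. Both functions continue outside the hunks.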
diff --git a/queue-7.0/kvm-arm64-restore-por_el0-access-to-host-el0.patch b/queue-7.0/kvm-arm64-restore-por_el0-access-to-host-el0.patch
new file mode 100644 (file)
index 0000000..12e0b60
--- /dev/null
@@ -0,0 +1,35 @@
+From cbaffe843a942c0d3102e0f9bce0e72b029b2594 Mon Sep 17 00:00:00 2001
+From: Joey Gouly <joey.gouly@arm.com>
+Date: Thu, 4 Jun 2026 11:54:34 +0100
+Subject: KVM: arm64: Restore POR_EL0 access to host EL0
+
+From: Joey Gouly <joey.gouly@arm.com>
+
+commit cbaffe843a942c0d3102e0f9bce0e72b029b2594 upstream.
+
+CPTR_EL2.E0POE was being cleared in __deactivate_cptr_traps_vhe(), which meant
+that any accesses to POR_EL0 from host EL0 would trap and be reported to
+userspace as an Illegal instruction. This would happen after running any VM,
+regardless if it used POE or not.
+
+Signed-off-by: Joey Gouly <joey.gouly@arm.com>
+Link: https://sashiko.dev/#/patchset/20260602155430.2088142-1-maz@kernel.org?part=1
+Link: https://patch.msgid.link/20260604105434.2297268-1-joey.gouly@arm.com
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Cc: stable@vger,kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kvm/hyp/include/hyp/switch.h |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm64/kvm/hyp/include/hyp/switch.h
++++ b/arch/arm64/kvm/hyp/include/hyp/switch.h
+@@ -181,6 +181,8 @@ static inline void __deactivate_cptr_tra
+               val |= CPACR_EL1_ZEN;
+       if (cpus_have_final_cap(ARM64_SME))
+               val |= CPACR_EL1_SMEN;
++      if (cpus_have_final_cap(ARM64_HAS_S1POE))
++              val |= CPACR_EL1_E0POE;
+       write_sysreg(val, cpacr_el1);
+ }
diff --git a/queue-7.0/kvm-don-t-warn-if-memory-is-dirtied-without-a-vcpu-when-the-vm-is-dying.patch b/queue-7.0/kvm-don-t-warn-if-memory-is-dirtied-without-a-vcpu-when-the-vm-is-dying.patch
new file mode 100644 (file)
index 0000000..3006f68
--- /dev/null
@@ -0,0 +1,63 @@
+From 8618004d3e897c0f1b71d9a9ab860461289bb89a Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Fri, 29 May 2026 20:35:39 +0200
+Subject: KVM: Don't WARN if memory is dirtied without a vCPU when the VM is dying
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit 8618004d3e897c0f1b71d9a9ab860461289bb89a upstream.
+
+When marking a page dirty, complain about not having a running/loaded vCPU
+if and only if the VM is still alive, i.e. its refcount is non-zero.  This
+will allow fixing a memory leak for x86 SEV-ES guests without hitting what
+is effectively a false positive on the WARN.
+
+For some SEV-ES VM-Exits, KVM keeps a writable mapping of a guest page
+across an exit to userspace, and typically unmaps the page on the next
+KVM_RUN.  But if userspace never calls KVM_RUN after such an exit, then KVM
+needs to unmap the page when the vCPU is destroyed, which in turn triggers
+the WARN about not having a running vCPU.
+
+Alternatively, SEV-ES could temporarily load the vCPU to suppress the WARN,
+as is done in nested_vmx_free_vcpu() (but for completely unrelated reasons;
+suppressing WARN from nested_put_vmcs12_pages() is pure happenstance).  But
+loading a vCPU during destruction is gross (ideally nVMX code would be
+cleaned up), risks complicating the SEV-ES code (KVM would need to ensure
+the temporarily load()+put() only runs when the vCPU isn't already loaded),
+and is ultimately pointless.
+
+The motivation for the WARN is to guard against KVM dirtying guest memory
+without pushing the corresponding GFN to the active vCPU's dirty ring, e.g.
+to ensure userspace doesn't miss a dirty page.  But for the VM's refcount
+to reach zero, there can't be _any_ userspace mappings to the dirty ring,
+as mapping the dirty ring requires doing mmap() on the vCPU FD.  I.e. if
+userspace had a valid mapping for the dirty ring, then the vCPU file and
+thus the owning VM would still be alive.  And so since userspace can't
+possibly reach the dirty ring, whether or not KVM technically "misses" a
+push to the dirty ring is irrelevant.
+
+Reported-by: Michael Roth <michael.roth@amd.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Michael Roth <michael.roth@amd.com>
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-ID: <20260501202250.2115252-15-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Message-ID: <20260529183549.1104619-15-pbonzini@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ virt/kvm/kvm_main.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -3527,7 +3527,8 @@ void mark_page_dirty_in_slot(struct kvm
+       if (WARN_ON_ONCE(vcpu && vcpu->kvm != kvm))
+               return;
+-      WARN_ON_ONCE(!vcpu && !kvm_arch_allow_write_without_running_vcpu(kvm));
++      WARN_ON_ONCE(!vcpu && refcount_read(&kvm->users_count) &&
++                   !kvm_arch_allow_write_without_running_vcpu(kvm));
+ #endif
+       if (memslot && kvm_slot_dirty_track_enabled(memslot)) {
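Review bot: The added `refcount_read(&kvm->users_count)` term in `mark_page_dirty_in_slot()` silences the WARN for a dying VM, but the reason that is safe is given only in the commit message. A comment above the `WARN_ON_ONCE()` would keep the argument with the code: `/* users_count == 0 means no vCPU fd is left, hence no userspace mapping of a dirty ring, so a missed push cannot be observed. */`. The function begins and ends outside the hunk.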
diff --git a/queue-7.0/kvm-sev-decouple-the-need-to-sync-the-ghcb-sa-from-the-need-to-free-the-sa.patch b/queue-7.0/kvm-sev-decouple-the-need-to-sync-the-ghcb-sa-from-the-need-to-free-the-sa.patch
new file mode 100644 (file)
index 0000000..1e8b632
--- /dev/null
@@ -0,0 +1,79 @@
+From f041dc80de4abbdd0909d871bf64f3f87d2350ff Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Fri, 29 May 2026 20:35:41 +0200
+Subject: KVM: SEV: Decouple the need to sync the GHCB SA from the need to free the SA
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit f041dc80de4abbdd0909d871bf64f3f87d2350ff upstream.
+
+Decouple synchronizing the GHCB SA from freeing/unpinning the SA, so that
+the free/unpin path can be reused when freeing a vCPU.
+
+Opportunistically add a WARN to harden KVM against stomping over (and thus
+leaking) an already-allocated scratch area.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
+Reviewed-by: Michael Roth <michael.roth@amd.com>
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-ID: <20260501202250.2115252-17-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Message-ID: <20260529183549.1104619-17-pbonzini@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/svm/sev.c |   27 ++++++++++++++-------------
+ 1 file changed, 14 insertions(+), 13 deletions(-)
+
+--- a/arch/x86/kvm/svm/sev.c
++++ b/arch/x86/kvm/svm/sev.c
+@@ -3547,20 +3547,17 @@ void sev_es_unmap_ghcb(struct vcpu_svm *
+       if (!svm->sev_es.ghcb)
+               return;
+-      if (svm->sev_es.ghcb_sa_free) {
+-              /*
+-               * The scratch area lives outside the GHCB, so there is a
+-               * buffer that, depending on the operation performed, may
+-               * need to be synced, then freed.
+-               */
+-              if (svm->sev_es.ghcb_sa_sync) {
+-                      kvm_write_guest(svm->vcpu.kvm,
+-                                      svm->sev_es.sw_scratch,
+-                                      svm->sev_es.ghcb_sa,
+-                                      svm->sev_es.ghcb_sa_len);
+-                      svm->sev_es.ghcb_sa_sync = false;
+-              }
++      /*
++       * If the scratch area lives outside the GHCB, there's a buffer that,
++       * depending on the operation performed, may need to be synced.
++       */
++      if (svm->sev_es.ghcb_sa_sync) {
++              kvm_write_guest(svm->vcpu.kvm, svm->sev_es.sw_scratch,
++                              svm->sev_es.ghcb_sa, svm->sev_es.ghcb_sa_len);
++              svm->sev_es.ghcb_sa_sync = false;
++      }
++      if (svm->sev_es.ghcb_sa_free) {
+               kvfree(svm->sev_es.ghcb_sa);
+               svm->sev_es.ghcb_sa = NULL;
+               svm->sev_es.ghcb_sa_free = false;
+@@ -3640,6 +3637,8 @@ static int setup_vmgexit_scratch(struct
+               goto e_scratch;
+       }
++      WARN_ON_ONCE(svm->sev_es.ghcb_sa_sync || svm->sev_es.ghcb_sa_free);
++
+       if ((scratch_gpa_beg & PAGE_MASK) == control->ghcb_gpa) {
+               /* Scratch area begins within GHCB */
+               ghcb_scratch_beg = control->ghcb_gpa +
+@@ -3661,6 +3660,8 @@ static int setup_vmgexit_scratch(struct
+               scratch_va = (void *)svm->sev_es.ghcb;
+               scratch_va += (scratch_gpa_beg - control->ghcb_gpa);
++              svm->sev_es.ghcb_sa_sync = false;
++              svm->sev_es.ghcb_sa_free = false;
+               svm->sev_es.ghcb_sa_len = ghcb_scratch_end - scratch_gpa_beg;
+       } else {
+               /* GHCB v2 requires the scratch area to be within the GHCB. */
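Review bot: The `WARN_ON_ONCE(svm->sev_es.ghcb_sa_sync || svm->sev_es.ghcb_sa_free)` added to setup_vmgexit_scratch() reports a stale scratch area but does not recover from it. The in-GHCB branch below then sets `ghcb_sa_free = false` unconditionally, so a buffer still marked for freeing would lose its only free marker after the one-time warning. At minimum the invariant should be written down above the WARN, e.g. `/* Scratch state must already have been released by sev_es_unmap_ghcb(); a set flag here means an unsynced or leaked buffer. */`. Both sev_es_unmap_ghcb() and setup_vmgexit_scratch() extend outside the hunks shown, so whether the stale state is reachable cannot be confirmed from here.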
diff --git a/queue-7.0/mm-memory-failure-fix-hugetlb_lock-aa-deadlock-in-get_huge_page_for_hwpoison.patch b/queue-7.0/mm-memory-failure-fix-hugetlb_lock-aa-deadlock-in-get_huge_page_for_hwpoison.patch
new file mode 100644 (file)
index 0000000..ec4d5e0
--- /dev/null
@@ -0,0 +1,195 @@
+From 3c2d42b8ee345b17a4ba56b0f6492d1ff4c1178e Mon Sep 17 00:00:00 2001
+From: Wupeng Ma <mawupeng1@huawei.com>
+Date: Fri, 22 May 2026 09:03:05 +0800
+Subject: mm/memory-failure: fix hugetlb_lock AA deadlock in get_huge_page_for_hwpoison
+
+From: Wupeng Ma <mawupeng1@huawei.com>
+
+commit 3c2d42b8ee345b17a4ba56b0f6492d1ff4c1178e upstream.
+
+Two concurrent madvise(MADV_HWPOISON) calls on the same hugetlb page can
+trigger a recursive spinlock self-deadlock (AA deadlock) on hugetlb_lock
+when racing with a concurrent unmap:
+
+  thread#0                              thread#1
+  --------                              --------
+  madvise(folio, MADV_HWPOISON)
+    -> poisons the folio successfully
+  madvise(folio, MADV_HWPOISON)         unmap(folio)
+    try_memory_failure_hugetlb
+      get_huge_page_for_hwpoison
+        spin_lock_irq(&hugetlb_lock)    <- held
+        __get_huge_page_for_hwpoison
+          hugetlb_update_hwpoison()
+            -> MF_HUGETLB_FOLIO_PRE_POISONED
+          goto out:
+            folio_put()
+              refcount: 1 -> 0
+              free_huge_folio()
+                spin_lock_irqsave(&hugetlb_lock)
+                  -> AA DEADLOCK!
+
+The out: path in __get_huge_page_for_hwpoison() calls folio_put() to drop
+the GUP reference while the hugetlb_lock is still held by the hugetlb.c
+wrapper get_huge_page_for_hwpoison().  If concurrent unmap has released
+the page table mapping reference, folio_put() drops the folio refcount to
+zero, triggering free_huge_folio() which attempts to re-acquire the
+non-recursive hugetlb_lock.
+
+Fix this by moving hugetlb_lock acquisition from the hugetlb.c wrapper
+into get_huge_page_for_hwpoison().  Place spin_unlock_irq() before the
+folio_put() at the out: label so the folio is always released outside the
+lock.
+
+[akpm@linux-foundation.org: fix race, rename label per Miaohe]
+  Link: https://sashiko.dev/#/patchset/20260522010305.4099834-1-mawupeng1@huawei.com
+  Link: https://lore.kernel.org/f39f405e-4b4b-8f79-70fe-a2b5b62114eb@huawei.com
+Link: https://lore.kernel.org/20260522010305.4099834-1-mawupeng1@huawei.com
+Fixes: 405ce051236c ("mm/hwpoison: fix race between hugetlb free/demotion and memory_failure_hugetlb()")
+Signed-off-by: Wupeng Ma <mawupeng1@huawei.com>
+Acked-by: Oscar Salvador (SUSE) <osalvador@kernel.org>
+Acked-by: Muchun Song <muchun.song@linux.dev>
+Reviewed-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Acked-by: Miaohe Lin <linmiaohe@huawei.com>
+Cc: David Hildenbrand <david@kernel.org>
+Cc: Liam Howlett <liam.howlett@oracle.com>
+Cc: Lorenzo Stoakes <ljs@kernel.org>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Mike Rapoport <rppt@kernel.org>
+Cc: Naoya Horiguchi <nao.horiguchi@gmail.com>
+Cc: Suren Baghdasaryan <surenb@google.com>
+Cc: Vlastimil Babka <vbabka@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/hugetlb.h |    8 --------
+ include/linux/mm.h      |    8 --------
+ mm/hugetlb.c            |   11 -----------
+ mm/memory-failure.c     |   19 ++++++++++---------
+ 4 files changed, 10 insertions(+), 36 deletions(-)
+
+--- a/include/linux/hugetlb.h
++++ b/include/linux/hugetlb.h
+@@ -153,8 +153,6 @@ long hugetlb_unreserve_pages(struct inod
+                                               long freed);
+ bool folio_isolate_hugetlb(struct folio *folio, struct list_head *list);
+ int get_hwpoison_hugetlb_folio(struct folio *folio, bool *hugetlb, bool unpoison);
+-int get_huge_page_for_hwpoison(unsigned long pfn, int flags,
+-                              bool *migratable_cleared);
+ void folio_putback_hugetlb(struct folio *folio);
+ void move_hugetlb_state(struct folio *old_folio, struct folio *new_folio, int reason);
+ void hugetlb_fix_reserve_counts(struct inode *inode);
+@@ -420,12 +418,6 @@ static inline int get_hwpoison_hugetlb_f
+ {
+       return 0;
+ }
+-
+-static inline int get_huge_page_for_hwpoison(unsigned long pfn, int flags,
+-                                      bool *migratable_cleared)
+-{
+-      return 0;
+-}
+ static inline void folio_putback_hugetlb(struct folio *folio)
+ {
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -4601,8 +4601,6 @@ extern int soft_offline_page(unsigned lo
+  */
+ extern const struct attribute_group memory_failure_attr_group;
+ extern void memory_failure_queue(unsigned long pfn, int flags);
+-extern int __get_huge_page_for_hwpoison(unsigned long pfn, int flags,
+-                                      bool *migratable_cleared);
+ void num_poisoned_pages_inc(unsigned long pfn);
+ void num_poisoned_pages_sub(unsigned long pfn, long i);
+ #else
+@@ -4610,12 +4608,6 @@ static inline void memory_failure_queue(
+ {
+ }
+-static inline int __get_huge_page_for_hwpoison(unsigned long pfn, int flags,
+-                                      bool *migratable_cleared)
+-{
+-      return 0;
+-}
+-
+ static inline void num_poisoned_pages_inc(unsigned long pfn)
+ {
+ }
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -7160,17 +7160,6 @@ int get_hwpoison_hugetlb_folio(struct fo
+       return ret;
+ }
+-int get_huge_page_for_hwpoison(unsigned long pfn, int flags,
+-                              bool *migratable_cleared)
+-{
+-      int ret;
+-
+-      spin_lock_irq(&hugetlb_lock);
+-      ret = __get_huge_page_for_hwpoison(pfn, flags, migratable_cleared);
+-      spin_unlock_irq(&hugetlb_lock);
+-      return ret;
+-}
+-
+ /**
+  * folio_putback_hugetlb - unisolate a hugetlb folio
+  * @folio: the isolated hugetlb folio
+--- a/mm/memory-failure.c
++++ b/mm/memory-failure.c
+@@ -1966,20 +1966,19 @@ void folio_clear_hugetlb_hwpoison(struct
+       folio_free_raw_hwp(folio, true);
+ }
+-/*
+- * Called from hugetlb code with hugetlb_lock held.
+- */
+-int __get_huge_page_for_hwpoison(unsigned long pfn, int flags,
++static int get_huge_page_for_hwpoison(unsigned long pfn, int flags,
+                                bool *migratable_cleared)
+ {
+       struct page *page = pfn_to_page(pfn);
+-      struct folio *folio = page_folio(page);
++      struct folio *folio;
+       bool count_increased = false;
+       int ret, rc;
++      spin_lock_irq(&hugetlb_lock);
++      folio = page_folio(page);
+       if (!folio_test_hugetlb(folio)) {
+               ret = MF_HUGETLB_NON_HUGEPAGE;
+-              goto out;
++              goto out_unlock;
+       } else if (flags & MF_COUNT_INCREASED) {
+               ret = MF_HUGETLB_IN_USED;
+               count_increased = true;
+@@ -1995,13 +1994,13 @@ int __get_huge_page_for_hwpoison(unsigne
+       } else {
+               ret = MF_HUGETLB_RETRY;
+               if (!(flags & MF_NO_RETRY))
+-                      goto out;
++                      goto out_unlock;
+       }
+       rc = hugetlb_update_hwpoison(folio, page);
+       if (rc >= MF_HUGETLB_FOLIO_PRE_POISONED) {
+               ret = rc;
+-              goto out;
++              goto out_unlock;
+       }
+       /*
+@@ -2013,8 +2012,10 @@ int __get_huge_page_for_hwpoison(unsigne
+               *migratable_cleared = true;
+       }
++      spin_unlock_irq(&hugetlb_lock);
+       return ret;
+-out:
++out_unlock:
++      spin_unlock_irq(&hugetlb_lock);
+       if (count_increased)
+               folio_put(folio);
+       return ret;
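Review bot: The removed comment `Called from hugetlb code with hugetlb_lock held` is not replaced, so get_huge_page_for_hwpoison() in mm/memory-failure.c has no statement of its locking contract, although that contract is the whole fix. I would add above the function: `/* Takes hugetlb_lock itself; callers must not hold it. The folio reference is dropped only after unlocking, because folio_put() can reach free_huge_folio(), which takes the same lock. */`. Part of the function body lies between the hunks and is not visible, so any exit path there should be checked against the same rule.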
diff --git a/queue-7.0/mmc-litex_mmc-use-div_round_up-for-more-accurate-clock-calculation.patch b/queue-7.0/mmc-litex_mmc-use-div_round_up-for-more-accurate-clock-calculation.patch
new file mode 100644 (file)
index 0000000..a4ee529
--- /dev/null
@@ -0,0 +1,49 @@
+From b837e38c255dd9f8b53511d52e87f1fda32b3dfe Mon Sep 17 00:00:00 2001
+From: Inochi Amaoto <inochiama@gmail.com>
+Date: Thu, 21 May 2026 15:21:20 +0800
+Subject: mmc: litex_mmc: Use DIV_ROUND_UP for more accurate clock calculation
+
+From: Inochi Amaoto <inochiama@gmail.com>
+
+commit b837e38c255dd9f8b53511d52e87f1fda32b3dfe upstream.
+
+The previous clock uses roundup_pow_of_two() to calculate the core
+clock frequency. It does not meet the actual hardware meaning.
+The actual frequency is calculated by "ref_clk / ((div >> 1) << 1)".
+
+Fix the clock divider calculation.
+
+Fixes: 92e099104729 ("mmc: Add driver for LiteX's LiteSDCard interface")
+Signed-off-by: Inochi Amaoto <inochiama@gmail.com>
+Reviewed-by: Gabriel Somlo <gsomlo@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulfh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/litex_mmc.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/mmc/host/litex_mmc.c
++++ b/drivers/mmc/host/litex_mmc.c
+@@ -16,6 +16,7 @@
+ #include <linux/interrupt.h>
+ #include <linux/iopoll.h>
+ #include <linux/litex.h>
++#include <linux/math.h>
+ #include <linux/mod_devicetable.h>
+ #include <linux/module.h>
+ #include <linux/platform_device.h>
+@@ -436,11 +437,10 @@ static void litex_mmc_setclk(struct lite
+       struct device *dev = mmc_dev(host->mmc);
+       u32 div;
+-      div = freq ? host->ref_clk / freq : 256U;
+-      div = roundup_pow_of_two(div);
++      div = freq ? DIV_ROUND_UP(host->ref_clk, freq) : 256U;
+       div = clamp(div, 2U, 256U);
+       dev_dbg(dev, "sd_clk_freq=%d: set to %d via div=%d\n",
+-              freq, host->ref_clk / div, div);
++              freq, host->ref_clk / ((div + 1) & ~1U), div);
+       litex_write16(host->sdphy + LITEX_PHY_CLOCKERDIV, div);
+       host->sd_clk = freq;
+ }
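Review bot: The divider written to `LITEX_PHY_CLOCKERDIV` and the frequency printed by `dev_dbg()` in litex_mmc_setclk() use different roundings. The register gets `div` as computed, the message divides by `(div + 1) & ~1U`, and the commit text gives the hardware formula as `ref_clk / ((div >> 1) << 1)`. If the hardware rounds an odd divider down to even, an odd `div` gives a clock above the requested `freq`, and the debug line would under-report it (constructed case: `ref_clk / freq` just over 2 gives `div = 3`, effective divider 2). Assuming that formula is correct, rounding before the write, e.g. `div = clamp((div + 1) & ~1U, 2U, 256U);`, and printing `host->ref_clk / div` keeps the card at or below the requested rate and makes the log match the register. The start of the function is outside the hunk.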
diff --git a/queue-7.0/mshv-add-a-missing-padding-field.patch b/queue-7.0/mshv-add-a-missing-padding-field.patch
new file mode 100644 (file)
index 0000000..eca0755
--- /dev/null
@@ -0,0 +1,35 @@
+From 48fcc895403cc97aa6c776cb65e6aa11290c0b44 Mon Sep 17 00:00:00 2001
+From: Wei Liu <wei.liu@kernel.org>
+Date: Thu, 23 Apr 2026 17:26:26 +0000
+Subject: mshv: add a missing padding field
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wei Liu <wei.liu@kernel.org>
+
+commit 48fcc895403cc97aa6c776cb65e6aa11290c0b44 upstream.
+
+That was missed when importing the header.
+
+Reported-by: Doru Blânzeanu <dblanzeanu@linux.microsoft.com>
+Reported-by: Magnus Kulke <magnuskulke@linux.microsoft.com>
+Fixes: e68bda71a2384 ("hyperv: Add new Hyper-V headers in include/hyperv")
+Cc: stable@kernel.org
+Reviewed-by: Easwar Hariharan <easwar.hariharan@linux.microsoft.com>
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/hyperv/hvhdk.h |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/hyperv/hvhdk.h
++++ b/include/hyperv/hvhdk.h
+@@ -79,6 +79,7 @@ struct hv_vp_register_page {
+               u64 registers[18];
+       };
++      u8 reserved[8];
+       /* Volatile XMM registers (HV_X64_REGISTER_CLASS_XMM) */
+       union {
+               struct {
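Review bot: The new `u8 reserved[8];` in struct hv_vp_register_page has no comment, and nothing checks at build time that the members after it sit at the offsets the hypervisor expects. The commit text says the field was missed when the header was imported, so the same slip can recur. A short comment such as `/* Reserved; keeps the XMM register block at its ABI offset */` and a `static_assert(offsetof(struct hv_vp_register_page, <first XMM member>) == <offset from the Hyper-V definition>)` next to the struct would catch it. The struct begins and ends outside the hunk, so the member name and offset must be taken from the full header.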
diff --git a/queue-7.0/namespace-restrict-open_tree_namespace-fsmount_namespace-to-directories.patch b/queue-7.0/namespace-restrict-open_tree_namespace-fsmount_namespace-to-directories.patch
new file mode 100644 (file)
index 0000000..e0dbd3d
--- /dev/null
@@ -0,0 +1,49 @@
+From 805d5a2b792819171be100c50c9ddafa0f8c2231 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Fri, 5 Jun 2026 22:27:33 +0200
+Subject: namespace: restrict OPEN_TREE_NAMESPACE/FSMOUNT_NAMESPACE to directories
+
+From: Jann Horn <jannh@google.com>
+
+commit 805d5a2b792819171be100c50c9ddafa0f8c2231 upstream.
+
+open_tree(..., OPEN_TREE_NAMESPACE) and
+fsmount(..., FSMOUNT_NAMESPACE, ...) currently work on non-directories,
+like regular files. That's bad for two reasons:
+
+ - It ends up mounting a regular file over the inherited namespace root,
+   which is a directory; mounting a non-directory over a directory is
+   normally explicitly forbidden, see for example do_move_mount()
+
+ - It causes setns() on the new namespace to set the cwd to a regular
+   file, which the rest of VFS does not expect
+
+Fix it by restricting create_new_namespace() (which is used by both of
+these flags) to directories.
+
+Leave the behavior for OPEN_TREE_CLONE as-is, that seems unproblematic.
+
+Fixes: 9b8a0ba68246 ("mount: add OPEN_TREE_NAMESPACE")
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Christian Brauner <brauner@kernel.org>
+Cc: Jan Kara <jack@suse.cz>
+Cc: stable@kernel.org
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/namespace.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -3098,6 +3098,9 @@ static struct mnt_namespace *create_new_
+       unsigned int copy_flags = 0;
+       bool locked = false;
++      if (unlikely(!d_can_lookup(path->dentry)))
++              return ERR_PTR(-ENOTDIR);
++
+       if (user_ns != ns->user_ns)
+               copy_flags |= CL_SLAVE;
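Review bot: The new `d_can_lookup()` check at the top of create_new_namespace() has no comment, and the reason for rejecting non-directories is not obvious from the code alone. I would add above the `if`: `/* The new root is mounted over the inherited (directory) namespace root and becomes the cwd on setns(), so it must be a directory. */`. The rest of the function is outside the hunk.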
diff --git a/queue-7.0/netfilter-nft_meta_bridge-fix-stale-stack-leak-via-iifhwaddr-register.patch b/queue-7.0/netfilter-nft_meta_bridge-fix-stale-stack-leak-via-iifhwaddr-register.patch
new file mode 100644 (file)
index 0000000..1d92b02
--- /dev/null
@@ -0,0 +1,40 @@
+From c7d573551f9286100a055ef696cde6af54549677 Mon Sep 17 00:00:00 2001
+From: Davide Ornaghi <d.ornaghi97@gmail.com>
+Date: Wed, 10 Jun 2026 12:39:13 +0200
+Subject: netfilter: nft_meta_bridge: fix stale stack leak via IIFHWADDR register
+
+From: Davide Ornaghi <d.ornaghi97@gmail.com>
+
+commit c7d573551f9286100a055ef696cde6af54549677 upstream.
+
+NFT_META_BRI_IIFHWADDR declares its destination register with
+len = ETH_ALEN (6 bytes), which the register-init tracking rounds up to
+two 32-bit registers (8 bytes). nft_meta_bridge_get_eval() then does
+memcpy(dest, br_dev->dev_addr, ETH_ALEN), writing only 6 bytes and
+leaving the upper 2 bytes of the second register as uninitialised
+nft_do_chain() stack. A downstream load of that register span leaks
+those stale bytes to userspace.
+
+Zero the second register before the memcpy so the full declared span is
+written.
+
+Fixes: cbd2257dc96e ("netfilter: nft_meta_bridge: introduce NFT_META_BRI_IIFHWADDR support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Davide Ornaghi <d.ornaghi97@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/netfilter/nft_meta_bridge.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/bridge/netfilter/nft_meta_bridge.c
++++ b/net/bridge/netfilter/nft_meta_bridge.c
+@@ -64,6 +64,8 @@ static void nft_meta_bridge_get_eval(con
+               if (!br_dev)
+                       goto err;
++              /* ETH_ALEN (6) is shorter than the destination register span (8) */
++              dest[1] = 0;
+               memcpy(dest, br_dev->dev_addr, ETH_ALEN);
+               return;
+       default:
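Review bot: `dest[1] = 0;` ties the fix to a literal register index, so it depends on `dest` being a pointer to 32-bit registers and on the span being exactly two of them. The declaration of `dest` is outside the hunk. Zeroing by size states the intent directly, e.g. `memset(dest, 0, round_up(ETH_ALEN, sizeof(u32)));` before the `memcpy()`. Other cases of this switch that copy fewer bytes than their declared register length are not visible here and are worth checking for the same stale-stack exposure.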
diff --git a/queue-7.0/netfilter-nft_tunnel-fix-use-after-free-on-object-destroy.patch b/queue-7.0/netfilter-nft_tunnel-fix-use-after-free-on-object-destroy.patch
new file mode 100644 (file)
index 0000000..fd21a77
--- /dev/null
@@ -0,0 +1,43 @@
+From c32b26aaa2f9216520a38b3f4bfeec846eb3eb8a Mon Sep 17 00:00:00 2001
+From: Tristan Madani <tristan@talencesecurity.com>
+Date: Wed, 27 May 2026 13:57:50 +0000
+Subject: netfilter: nft_tunnel: fix use-after-free on object destroy
+
+From: Tristan Madani <tristan@talencesecurity.com>
+
+commit c32b26aaa2f9216520a38b3f4bfeec846eb3eb8a upstream.
+
+nft_tunnel_obj_destroy() calls metadata_dst_free() which directly
+kfree()s the metadata_dst, ignoring the dst_entry refcount. Packets
+that took a reference via dst_hold() in nft_tunnel_obj_eval() and
+are still queued (e.g. in a netem qdisc) are left with a dangling
+pointer. When these packets are eventually dequeued, dst_release()
+operates on freed memory.
+
+Replace metadata_dst_free() with dst_release() so the metadata_dst
+is freed only after all references are dropped. The dst subsystem
+already handles metadata_dst cleanup in dst_destroy() when
+DST_METADATA is set.
+
+Fixes: af308b94a2a4 ("netfilter: nf_tables: add tunnel support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
+Reviewed-by: Fernando Fernandez Mancera <fmancera@suse.de>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_tunnel.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/nft_tunnel.c
++++ b/net/netfilter/nft_tunnel.c
+@@ -702,7 +702,7 @@ static void nft_tunnel_obj_destroy(const
+ {
+       struct nft_tunnel_obj *priv = nft_obj_data(obj);
+-      metadata_dst_free(priv->md);
++      dst_release(&priv->md->dst);
+ }
+ static struct nft_object_type nft_tunnel_obj_type;
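Review bot: The one-line body of nft_tunnel_obj_destroy() now relies on reference counting that the code does not explain, so a later cleanup could switch it back to metadata_dst_free(). I would add above the call: `/* Queued packets may still hold a reference taken in nft_tunnel_obj_eval(); drop ours and let the last dst_release() free the metadata_dst. */`.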
diff --git a/queue-7.0/pinctrl-mcp23s08-initialize-mcp-dev-and-mcp-addr-before-regmap-init.patch b/queue-7.0/pinctrl-mcp23s08-initialize-mcp-dev-and-mcp-addr-before-regmap-init.patch
new file mode 100644 (file)
index 0000000..cf30c16
--- /dev/null
@@ -0,0 +1,52 @@
+From 8473c3a197b57ff01396f7a2ec6ddf65383820d4 Mon Sep 17 00:00:00 2001
+From: Judith Mendez <jm@ti.com>
+Date: Wed, 13 May 2026 18:11:53 -0500
+Subject: pinctrl: mcp23s08: Initialize mcp->dev and mcp->addr before regmap init
+
+From: Judith Mendez <jm@ti.com>
+
+commit 8473c3a197b57ff01396f7a2ec6ddf65383820d4 upstream.
+
+Regmap initialization triggers regcache_maple_populate() which attempts
+SPI read to populate cache. SPI read requires mcp->dev and mcp->addr to
+be set, without them, NULL pointer dereference occurs during probe.
+
+Move initialization before mcp23s08_spi_regmap_init() call.
+
+Cc: stable@vger.kernel.org
+Fixes: f9f4fda15e72 ("pinctrl: mcp23s08: init reg_defaults from HW at probe and switch cache type")
+Signed-off-by: Judith Mendez <jm@ti.com>
+Signed-off-by: Linus Walleij <linusw@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/pinctrl-mcp23s08_spi.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/pinctrl-mcp23s08_spi.c
++++ b/drivers/pinctrl/pinctrl-mcp23s08_spi.c
+@@ -10,6 +10,7 @@
+ #include "pinctrl-mcp23s08.h"
+ #define MCP_MAX_DEV_PER_CS    8
++#define MCP23S08_SPI_BASE     0x40
+ /*
+  * A given spi_device can represent up to eight mcp23sxx chips
+@@ -173,6 +174,8 @@ static int mcp23s08_probe(struct spi_dev
+       for_each_set_bit(addr, &spi_present_mask, MCP_MAX_DEV_PER_CS) {
+               data->mcp[addr] = &data->chip[--chips];
+               data->mcp[addr]->irq = spi->irq;
++              data->mcp[addr]->dev = dev;
++              data->mcp[addr]->addr = MCP23S08_SPI_BASE | (addr << 1);
+               ret = mcp23s08_spi_regmap_init(data->mcp[addr], dev, addr, info);
+               if (ret)
+@@ -184,7 +187,7 @@ static int mcp23s08_probe(struct spi_dev
+               if (!data->mcp[addr]->pinctrl_desc.name)
+                       return -ENOMEM;
+-              ret = mcp23s08_probe_one(data->mcp[addr], dev, 0x40 | (addr << 1),
++              ret = mcp23s08_probe_one(data->mcp[addr], dev, MCP23S08_SPI_BASE | (addr << 1),
+                                        info->type, -1);
+               if (ret < 0)
+                       return ret;
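Review bot: The chip address is now computed twice in mcp23s08_probe(), once for `data->mcp[addr]->addr` and again as the third argument of mcp23s08_probe_one(), so the two expressions can drift apart. Passing the stored value, `mcp23s08_probe_one(data->mcp[addr], dev, data->mcp[addr]->addr, info->type, -1)`, keeps a single source of truth. A comment on the two new assignments, e.g. `/* regmap init reads the chip over SPI, which needs dev and addr */`, would also keep them from being moved back below mcp23s08_spi_regmap_init(). The loop body continues outside the hunks.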
diff --git a/queue-7.0/revert-drm-xe-nvls-define-guc-firmware-for-nvl-s.patch b/queue-7.0/revert-drm-xe-nvls-define-guc-firmware-for-nvl-s.patch
new file mode 100644 (file)
index 0000000..73b517f
--- /dev/null
@@ -0,0 +1,42 @@
+From 42445de1765547f56f48d107c0b8f3482c98458e Mon Sep 17 00:00:00 2001
+From: Daniele Ceraolo Spurio <daniele.ceraolospurio@intel.com>
+Date: Fri, 29 May 2026 12:36:02 -0700
+Subject: Revert "drm/xe/nvls: Define GuC firmware for NVL-S"
+
+From: Daniele Ceraolo Spurio <daniele.ceraolospurio@intel.com>
+
+commit 42445de1765547f56f48d107c0b8f3482c98458e upstream.
+
+This reverts commit 4e88de313ff4d1c67b644b1f39f9fb4089711b71.
+
+The early GuC FW definition meant for our CI branch was accidentally
+merged to the drm-xe-next branch instead. This GuC FW will never be
+released to linux-firmware, so we do not want the definition to be
+available in the mainline Linux codebase.
+
+Fixes: 4e88de313ff4 ("drm/xe/nvls: Define GuC firmware for NVL-S")
+Signed-off-by: Daniele Ceraolo Spurio <daniele.ceraolospurio@intel.com>
+Cc: Julia Filipchuk <julia.filipchuk@intel.com>
+Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Cc: Matt Roper <matthew.d.roper@intel.com>
+Cc: stable@vger.kernel.org # v7.0+
+Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Link: https://patch.msgid.link/20260529193558.185436-11-daniele.ceraolospurio@intel.com
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+(cherry picked from commit 65b8e0ac86e48cfc9128c04dfc53ea3395d030dd)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/xe/xe_uc_fw.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/gpu/drm/xe/xe_uc_fw.c
++++ b/drivers/gpu/drm/xe/xe_uc_fw.c
+@@ -115,7 +115,6 @@ struct fw_blobs_by_type {
+ #define XE_GT_TYPE_ANY XE_GT_TYPE_UNINITIALIZED
+ #define XE_GUC_FIRMWARE_DEFS(fw_def, mmp_ver, major_ver)                                      \
+-      fw_def(NOVALAKE_S,      GT_TYPE_ANY,    mmp_ver(xe,     guc,    nvl,    70, 55, 4))     \
+       fw_def(PANTHERLAKE,     GT_TYPE_ANY,    major_ver(xe,   guc,    ptl,    70, 54, 0))     \
+       fw_def(BATTLEMAGE,      GT_TYPE_ANY,    major_ver(xe,   guc,    bmg,    70, 54, 0))     \
+       fw_def(LUNARLAKE,       GT_TYPE_ANY,    major_ver(xe,   guc,    lnl,    70, 53, 0))     \
diff --git a/queue-7.0/revert-drm-xe-skip-exec-queue-schedule-toggle-if-queue-is-idle-during-suspend.patch b/queue-7.0/revert-drm-xe-skip-exec-queue-schedule-toggle-if-queue-is-idle-during-suspend.patch
new file mode 100644 (file)
index 0000000..d45ffcd
--- /dev/null
@@ -0,0 +1,199 @@
+From fa7c84726dc217ce0c183926ef9411636c7a2213 Mon Sep 17 00:00:00 2001
+From: Tangudu Tilak Tirumalesh <tilak.tirumalesh.tangudu@intel.com>
+Date: Wed, 3 Jun 2026 12:22:15 +0530
+Subject: Revert "drm/xe: Skip exec queue schedule toggle if queue is idle during suspend"
+
+From: Tangudu Tilak Tirumalesh <tilak.tirumalesh.tangudu@intel.com>
+
+commit fa7c84726dc217ce0c183926ef9411636c7a2213 upstream.
+
+This reverts commit 8533051ce92015e9cc6f75e0d52119b9d91610b6.
+
+The idle-skip optimization bypasses GuC suspend, so the GPU may not
+perform the context switch that flushes TLB entries for invalidated
+userptr VMAs. In LR/preempt-fence VM mode, this can lead to missed TLB
+invalidation and page faults during userptr invalidation tests.
+
+Restore unconditional schedule toggling on suspend so the context-switch
+TLB flush is always performed.
+
+This optimization will be reintroduced with a fix that does not skip
+suspend in LR/preempt-fence VM mode.
+
+Fixes: 8533051ce920 ("drm/xe: Skip exec queue schedule toggle if queue is idle during suspend")
+Cc: stable@vger.kernel.org # v7.0+
+Suggested-by: Thomas Hellstrom <thomas.hellstrom@linux.intel.com>
+Signed-off-by: Tangudu Tilak Tirumalesh <tilak.tirumalesh.tangudu@intel.com>
+Reviewed-by: Thomas Hellstrom <thomas.hellstrom@linux.intel.com>
+Signed-off-by: Daniele Ceraolo Spurio <daniele.ceraolospurio@intel.com>
+Link: https://patch.msgid.link/20260603065217.3131066-2-tilak.tirumalesh.tangudu@intel.com
+(cherry picked from commit 6a1e7934d9a6cf46aecae00a99c2603d1295e170)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/xe/xe_exec_queue.h      |   17 ---------
+ drivers/gpu/drm/xe/xe_guc_submit.c      |   55 +-------------------------------
+ drivers/gpu/drm/xe/xe_hw_engine_group.c |   10 +----
+ 3 files changed, 5 insertions(+), 77 deletions(-)
+
+--- a/drivers/gpu/drm/xe/xe_exec_queue.h
++++ b/drivers/gpu/drm/xe/xe_exec_queue.h
+@@ -161,21 +161,4 @@ int xe_exec_queue_contexts_hwsp_rebase(s
+ struct xe_lrc *xe_exec_queue_lrc(struct xe_exec_queue *q);
+-/**
+- * xe_exec_queue_idle_skip_suspend() - Can exec queue skip suspend
+- * @q: The exec_queue
+- *
+- * If an exec queue is not parallel and is idle, the suspend steps can be
+- * skipped in the submission backend immediatley signaling the suspend fence.
+- * Parallel queues cannot skip this step due to limitations in the submission
+- * backend.
+- *
+- * Return: True if exec queue is idle and can skip suspend steps, False
+- * otherwise
+- */
+-static inline bool xe_exec_queue_idle_skip_suspend(struct xe_exec_queue *q)
+-{
+-      return !xe_exec_queue_is_parallel(q) && xe_exec_queue_is_idle(q);
+-}
+-
+ #endif
+--- a/drivers/gpu/drm/xe/xe_guc_submit.c
++++ b/drivers/gpu/drm/xe/xe_guc_submit.c
+@@ -72,7 +72,6 @@ exec_queue_to_guc(struct xe_exec_queue *
+ #define EXEC_QUEUE_STATE_WEDGED                       (1 << 8)
+ #define EXEC_QUEUE_STATE_BANNED                       (1 << 9)
+ #define EXEC_QUEUE_STATE_PENDING_RESUME               (1 << 10)
+-#define EXEC_QUEUE_STATE_IDLE_SKIP_SUSPEND    (1 << 11)
+ static bool exec_queue_registered(struct xe_exec_queue *q)
+ {
+@@ -224,21 +223,6 @@ static void clear_exec_queue_pending_res
+       atomic_and(~EXEC_QUEUE_STATE_PENDING_RESUME, &q->guc->state);
+ }
+-static bool exec_queue_idle_skip_suspend(struct xe_exec_queue *q)
+-{
+-      return atomic_read(&q->guc->state) & EXEC_QUEUE_STATE_IDLE_SKIP_SUSPEND;
+-}
+-
+-static void set_exec_queue_idle_skip_suspend(struct xe_exec_queue *q)
+-{
+-      atomic_or(EXEC_QUEUE_STATE_IDLE_SKIP_SUSPEND, &q->guc->state);
+-}
+-
+-static void clear_exec_queue_idle_skip_suspend(struct xe_exec_queue *q)
+-{
+-      atomic_and(~EXEC_QUEUE_STATE_IDLE_SKIP_SUSPEND, &q->guc->state);
+-}
+-
+ static bool exec_queue_killed_or_banned_or_wedged(struct xe_exec_queue *q)
+ {
+       return (atomic_read(&q->guc->state) &
+@@ -1110,7 +1094,7 @@ static void submit_exec_queue(struct xe_
+       if (!job->restore_replay || job->last_replay) {
+               if (xe_exec_queue_is_parallel(q))
+                       wq_item_append(q);
+-              else if (!exec_queue_idle_skip_suspend(q))
++              else
+                       xe_lrc_set_ring_tail(lrc, lrc->ring.tail);
+               job->last_replay = false;
+       }
+@@ -1781,10 +1765,9 @@ static void __guc_exec_queue_process_msg
+ {
+       struct xe_exec_queue *q = msg->private_data;
+       struct xe_guc *guc = exec_queue_to_guc(q);
+-      bool idle_skip_suspend = xe_exec_queue_idle_skip_suspend(q);
+-      if (!idle_skip_suspend && guc_exec_queue_allowed_to_change_state(q) &&
+-          !exec_queue_suspended(q) && exec_queue_enabled(q)) {
++      if (guc_exec_queue_allowed_to_change_state(q) && !exec_queue_suspended(q) &&
++          exec_queue_enabled(q)) {
+               wait_event(guc->ct.wq, vf_recovery(guc) ||
+                          ((q->guc->resume_time != RESUME_PENDING ||
+                          xe_guc_read_stopped(guc)) && !exec_queue_pending_disable(q)));
+@@ -1803,33 +1786,11 @@ static void __guc_exec_queue_process_msg
+                       disable_scheduling(q, false);
+               }
+       } else if (q->guc->suspend_pending) {
+-              if (idle_skip_suspend)
+-                      set_exec_queue_idle_skip_suspend(q);
+               set_exec_queue_suspended(q);
+               suspend_fence_signal(q);
+       }
+ }
+-static void sched_context(struct xe_exec_queue *q)
+-{
+-      struct xe_guc *guc = exec_queue_to_guc(q);
+-      struct xe_lrc *lrc = q->lrc[0];
+-      u32 action[] = {
+-              XE_GUC_ACTION_SCHED_CONTEXT,
+-              q->guc->id,
+-      };
+-
+-      xe_gt_assert(guc_to_gt(guc), !xe_exec_queue_is_parallel(q));
+-      xe_gt_assert(guc_to_gt(guc), !exec_queue_destroyed(q));
+-      xe_gt_assert(guc_to_gt(guc), exec_queue_registered(q));
+-      xe_gt_assert(guc_to_gt(guc), !exec_queue_pending_disable(q));
+-
+-      trace_xe_exec_queue_submit(q);
+-
+-      xe_lrc_set_ring_tail(lrc, lrc->ring.tail);
+-      xe_guc_ct_send(&guc->ct, action, ARRAY_SIZE(action), 0, 0);
+-}
+-
+ static void __guc_exec_queue_process_msg_resume(struct xe_sched_msg *msg)
+ {
+       struct xe_exec_queue *q = msg->private_data;
+@@ -1837,22 +1798,12 @@ static void __guc_exec_queue_process_msg
+       if (guc_exec_queue_allowed_to_change_state(q)) {
+               clear_exec_queue_suspended(q);
+               if (!exec_queue_enabled(q)) {
+-                      if (exec_queue_idle_skip_suspend(q)) {
+-                              struct xe_lrc *lrc = q->lrc[0];
+-
+-                              clear_exec_queue_idle_skip_suspend(q);
+-                              xe_lrc_set_ring_tail(lrc, lrc->ring.tail);
+-                      }
+                       q->guc->resume_time = RESUME_PENDING;
+                       set_exec_queue_pending_resume(q);
+                       enable_scheduling(q);
+-              } else if (exec_queue_idle_skip_suspend(q)) {
+-                      clear_exec_queue_idle_skip_suspend(q);
+-                      sched_context(q);
+               }
+       } else {
+               clear_exec_queue_suspended(q);
+-              clear_exec_queue_idle_skip_suspend(q);
+       }
+ }
+--- a/drivers/gpu/drm/xe/xe_hw_engine_group.c
++++ b/drivers/gpu/drm/xe/xe_hw_engine_group.c
+@@ -207,21 +207,15 @@ static int xe_hw_engine_group_suspend_fa
+       lockdep_assert_held_write(&group->mode_sem);
+       list_for_each_entry(q, &group->exec_queue_list, hw_engine_group_link) {
+-              bool idle_skip_suspend;
+               if (!xe_vm_in_fault_mode(q->vm))
+                       continue;
+-              idle_skip_suspend = xe_exec_queue_idle_skip_suspend(q);
+-              if (!idle_skip_suspend && has_deps)
++              if (has_deps)
+                       return -EAGAIN;
+               xe_gt_stats_incr(q->gt, XE_GT_STATS_ID_HW_ENGINE_GROUP_SUSPEND_LR_QUEUE_COUNT, 1);
+-              if (idle_skip_suspend)
+-                      xe_gt_stats_incr(q->gt,
+-                                       XE_GT_STATS_ID_HW_ENGINE_GROUP_SKIP_LR_QUEUE_COUNT, 1);
+-
+-              need_resume |= !idle_skip_suspend;
++              need_resume = true;
+               q->ops->suspend(q);
+               gt = q->gt;
+       }
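Review bot: Nothing in the restored code records why the suspend steps must not be skipped for an idle queue, and the commit text says the optimization will return, so it could come back in the same form. A comment in __guc_exec_queue_process_msg_suspend(), for example `/* Always toggle scheduling on suspend: the resulting context switch flushes TLB entries for invalidated userptr VMAs (LR/preempt-fence VMs). */`, would carry that reasoning into the source. The functions touched start and end outside the hunks shown.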
diff --git a/queue-7.0/rust-arm64-set-uwtable-llvm-module-flag-for-config_unwind_tables.patch b/queue-7.0/rust-arm64-set-uwtable-llvm-module-flag-for-config_unwind_tables.patch
new file mode 100644 (file)
index 0000000..08c89af
--- /dev/null
@@ -0,0 +1,67 @@
+From ac35b5580ace12e5d0a0b5e61e36d2c4e1ffa29c Mon Sep 17 00:00:00 2001
+From: Alice Ryhl <aliceryhl@google.com>
+Date: Wed, 27 May 2026 18:18:07 +0000
+Subject: rust: arm64: set uwtable llvm module flag for CONFIG_UNWIND_TABLES
+
+From: Alice Ryhl <aliceryhl@google.com>
+
+commit ac35b5580ace12e5d0a0b5e61e36d2c4e1ffa29c upstream.
+
+Due to a rustc bug [1] the -Cforce-unwind-tables=y flag only emits the
+uwtable annotation for functions, but not for the module. This means
+that compiler-generated functions such as 'asan.module_ctor' do not
+receive the uwtable annotation.
+
+When CONFIG_UNWIND_PATCH_PAC_INTO_SCS is enabled, this leads to boot
+failures because the dwarf information emitted for the kasan
+constructors is wrong, which causes the SCS boot patching code to
+patch the constructor in an illegal manner. Specifically, the paciasp
+instruction is patched, but the autiasp instruction is not. This
+mismatch leads to a crash when the constructor is called during boot.
+
+       ==================================================================
+       BUG: KASAN: global-out-of-bounds in do_basic_setup+0x4c/0x90
+       Read of size 8 at addr ffffffe3cc7eb488 by task swapper/0/1
+
+Specifically the faulting instruction is the (*fn)() to invoke the
+constructor in do_ctors() of the init/main.c file.
+
+Once the fix lands in rustc, this flag can be made conditional on the
+rustc version. Note that passing the flag on a rustc with the fix
+present has no effect.
+
+[ The fix [1] has landed for Rust 1.98.0 (expected release on
+  2026-08-20).
+
+  Thus add a version check as discussed.
+
+    - Miguel ]
+
+Fixes: d077242d68a3 ("rust: support for shadow call stack sanitizer")
+Cc: stable@kernel.org
+Link: https://github.com/rust-lang/rust/pull/156973 [1]
+Reported-by: Bo Ye <bo.ye@mediatek.com>
+Debugged-by: Isaac Manjarres <isaacmanjarres@google.com>
+Debugged-by: Sami Tolvanen <samitolvanen@google.com>
+Tested-by: Isaac Manjarres <isaacmanjarres@google.com>
+Signed-off-by: Alice Ryhl <aliceryhl@google.com>
+Link: https://patch.msgid.link/20260527-uwtable-module-flag-v1-1-caa41342be4b@google.com
+[ Adjusted link and comment. - Miguel ]
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/Makefile |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/arm64/Makefile
++++ b/arch/arm64/Makefile
+@@ -63,6 +63,9 @@ else
+ KBUILD_CFLAGS += -fasynchronous-unwind-tables
+ KBUILD_AFLAGS += -fasynchronous-unwind-tables
+ KBUILD_RUSTFLAGS += -Cforce-unwind-tables=y -Zuse-sync-unwind=n
++# Work around rustc bug on compilers without
++# https://github.com/rust-lang/rust/pull/156973.
++KBUILD_RUSTFLAGS += $(if $(call rustc-min-version,109800),,-Zllvm_module_flag=uwtable:u32:2:max)
+ endif
+ ifeq ($(CONFIG_STACKPROTECTOR_PER_TASK),y)
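Review bot: The comment added above the new `KBUILD_RUSTFLAGS` line in arch/arm64/Makefile names the rustc pull request but not the failure the flag prevents, so a later cleanup could drop it without knowing it protects boot with CONFIG_UNWIND_PATCH_PAC_INTO_SCS. I would extend it along the lines of `# Without the module-level uwtable flag, compiler-generated functions (e.g. asan.module_ctor) do not get the uwtable annotation and the PAC-to-SCS boot patching patches them incorrectly.` The `109800` literal would also read better with a short `# Rust 1.98.0` annotation. The `else` branch these lines sit in starts outside the hunk.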
diff --git a/queue-7.0/rust-kasan-kbuild-fix-rustc-option-when-cross-compiling.patch b/queue-7.0/rust-kasan-kbuild-fix-rustc-option-when-cross-compiling.patch
new file mode 100644 (file)
index 0000000..829fa98
--- /dev/null
@@ -0,0 +1,121 @@
+From 4a44b17406cb5a93f90af3df9392b3a45eb336fb Mon Sep 17 00:00:00 2001
+From: Alice Ryhl <aliceryhl@google.com>
+Date: Thu, 7 May 2026 11:14:42 +0000
+Subject: rust: kasan/kbuild: fix rustc-option when cross-compiling
+
+From: Alice Ryhl <aliceryhl@google.com>
+
+commit 4a44b17406cb5a93f90af3df9392b3a45eb336fb upstream.
+
+The Makefile version of rustc-option currently checks whether the option
+exists for the host target instead of the target actually being compiled
+for. It was done this way in commit 46e24a545cdb ("rust: kasan/kbuild:
+fix missing flags on first build") to avoid a circular dependency on
+target.json. However, because of this, rustc-option currently does not
+function when cross-compiling from x86_64 to aarch64 if
+CONFIG_SHADOW_CALL_STACK is enabled. This is because KBUILD_RUSTFLAGS
+contains -Zfixed-x18 under this configuration. Since that flag does not
+exist on the host target, rustc-option runs into a compilation failure
+every time, leading to all flags being rejected as unsupported.
+
+To fix this, update rustc-option to pass a --target parameter so that
+the host target is not used. For targets using target.json, use a
+built-in target that is as close as possible to the target created with
+target.json to avoid the circular dependency on target.json.
+
+One scenario where this causes a boot failure:
+* Cross-compiled from x86_64 to aarch64.
+* With CONFIG_SHADOW_CALL_STACK=y
+* With CONFIG_KASAN_SW_TAGS=y
+* With CONFIG_KASAN_INLINE=n
+Then the resulting kernel image will fail to boot when it first calls
+into Rust code with a crash along the lines of "Unable to handle kernel
+paging request at virtual address 0ffffffc08541796". This is because the
+call threshold is not specified, so rustc will inline kasan operations,
+but the kasan shadow offset is not specified, which leads to the inlined
+kasan instructions being incorrect.
+
+Note that the -Zsanitizer=kernel-hwaddress parameter itself does not
+lead to a rustc-option failure despite being aarch64-specific because
+RUSTFLAGS_KASAN has not yet been added to KBUILD_RUSTFLAGS when
+rustc-option is evaluated by the kasan Makefile.
+
+Cc: stable@vger.kernel.org
+Fixes: 46e24a545cdb ("rust: kasan/kbuild: fix missing flags on first build")
+Signed-off-by: Alice Ryhl <aliceryhl@google.com>
+Link: https://patch.msgid.link/20260507-rustc-option-cross-v2-1-2f650a49c2b5@google.com
+[ Edited slightly:
+    - Reset variable to avoid using the environment.
+    - Use a simply expanded variable flavor for simplicity.
+    - Export variable so that behavior in sub-`make`s is consistent.
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+  This matches other variables. - Miguel ]
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+---
+ Makefile                  |    3 ++-
+ arch/x86/Makefile         |    4 ++++
+ arch/x86/Makefile.um      |    8 ++++++++
+ scripts/Makefile.compiler |    2 +-
+ 4 files changed, 15 insertions(+), 2 deletions(-)
+
+--- a/Makefile
++++ b/Makefile
+@@ -606,6 +606,7 @@ KBUILD_RUSTFLAGS := $(rust_common_flags)
+                   -Crelocation-model=static \
+                   -Zfunction-sections=n \
+                   -Wclippy::float_arithmetic
++KBUILD_RUSTFLAGS_OPTION_CHKS :=
+ KBUILD_AFLAGS_KERNEL :=
+ KBUILD_CFLAGS_KERNEL :=
+@@ -642,7 +643,7 @@ export KBUILD_USERCFLAGS KBUILD_USERLDFL
+ export KBUILD_CPPFLAGS NOSTDINC_FLAGS LINUXINCLUDE OBJCOPYFLAGS KBUILD_LDFLAGS
+ export KBUILD_CFLAGS CFLAGS_KERNEL CFLAGS_MODULE
+-export KBUILD_RUSTFLAGS RUSTFLAGS_KERNEL RUSTFLAGS_MODULE
++export KBUILD_RUSTFLAGS RUSTFLAGS_KERNEL RUSTFLAGS_MODULE KBUILD_RUSTFLAGS_OPTION_CHKS
+ export KBUILD_AFLAGS AFLAGS_KERNEL AFLAGS_MODULE
+ export KBUILD_AFLAGS_MODULE KBUILD_CFLAGS_MODULE KBUILD_RUSTFLAGS_MODULE KBUILD_LDFLAGS_MODULE
+ export KBUILD_AFLAGS_KERNEL KBUILD_CFLAGS_KERNEL KBUILD_RUSTFLAGS_KERNEL
+--- a/arch/x86/Makefile
++++ b/arch/x86/Makefile
+@@ -81,6 +81,10 @@ KBUILD_CFLAGS += -mno-sse -mno-mmx -mno-
+ KBUILD_RUSTFLAGS += --target=$(objtree)/scripts/target.json
+ KBUILD_RUSTFLAGS += -Ctarget-feature=-sse,-sse2,-sse3,-ssse3,-sse4.1,-sse4.2,-avx,-avx2
++# The target.json file is not available when invoking rustc-option, so use the
++# built-in target when checking whether flags are supported instead.
++KBUILD_RUSTFLAGS_OPTION_CHKS += --target=x86_64-unknown-none
++
+ #
+ # CFLAGS for compiling floating point code inside the kernel.
+ #
+--- a/arch/x86/Makefile.um
++++ b/arch/x86/Makefile.um
+@@ -14,6 +14,14 @@ endif
+ KBUILD_RUSTFLAGS += --target=$(objtree)/scripts/target.json
++# The target.json file is not available when invoking rustc-option, so use the
++# built-in target when checking whether flags are supported instead.
++ifeq ($(CONFIG_X86_32),y)
++KBUILD_RUSTFLAGS_OPTION_CHKS += --target=i686-unknown-linux-gnu
++else
++KBUILD_RUSTFLAGS_OPTION_CHKS += --target=x86_64-unknown-linux-gnu
++endif
++
+ ifeq ($(CONFIG_X86_32),y)
+ START := 0x8048000
+--- a/scripts/Makefile.compiler
++++ b/scripts/Makefile.compiler
+@@ -80,7 +80,7 @@ ld-option = $(call try-run, $(LD) $(KBUI
+ # TODO: remove RUSTC_BOOTSTRAP=1 when we raise the minimum GNU Make version to 4.4
+ __rustc-option = $(call try-run,\
+       echo '$(pound)![allow(missing_docs)]$(pound)![feature(no_core)]$(pound)![no_core]' | RUSTC_BOOTSTRAP=1\
+-      $(1) --sysroot=/dev/null $(filter-out --sysroot=/dev/null --target=%,$(2)) $(3)\
++      $(1) --sysroot=/dev/null $(KBUILD_RUSTFLAGS_OPTION_CHKS) $(filter-out --sysroot=/dev/null --target=%target.json,$(2)) $(3)\
+       --crate-type=rlib --out-dir=$(TMPOUT) --emit=obj=- - >/dev/null,$(3),$(4))
+ # rustc-option
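Review bot: In this patch's changelog the `Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>` line sits inside Miguel's bracketed `[ Edited slightly: ... ]` note, between the last bullet and `This matches other variables. - Miguel ]`. That splits the note in two and places the stable sign-off ahead of the maintainer's. It should follow `Signed-off-by: Miguel Ojeda <ojeda@kernel.org>` as the last trailer, so the sign-off chain reads in order and trailer-parsing tools see a clean block. Separately, in the arch/x86/Makefile.um hunk the new `ifeq ($(CONFIG_X86_32),y)` block is immediately followed by an existing block with the same condition; the hunk does not show enough of that block to tell whether the two could be merged.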
diff --git a/queue-7.0/rust-x86-support-rust-1.98.0-target-spec.patch b/queue-7.0/rust-x86-support-rust-1.98.0-target-spec.patch
new file mode 100644 (file)
index 0000000..0c3e394
--- /dev/null
@@ -0,0 +1,59 @@
+From 905b06d32a52afe32fcf5f30cf298c9ea6359f11 Mon Sep 17 00:00:00 2001
+From: Miguel Ojeda <ojeda@kernel.org>
+Date: Sat, 30 May 2026 13:49:25 +0200
+Subject: rust: x86: support Rust >= 1.98.0 target spec
+
+From: Miguel Ojeda <ojeda@kernel.org>
+
+commit 905b06d32a52afe32fcf5f30cf298c9ea6359f11 upstream.
+
+Starting with Rust 1.98.0 (expected 2026-08-20), the target spec will not
+support `x86-softfloat` anymore [1]. Instead, `softfloat` should be used,
+which is an alias. Otherwise, one gets:
+
+    error: error loading target specification: rustc-abi: invalid rustc abi: 'x86-softfloat'. allowed values: 'x86-sse2', 'softfloat' at line 3 column 32
+      |
+      = help: run `rustc --print target-list` for a list of built-in targets
+
+Thus conditionally use one or the other depending on the version.
+
+The alias has existed since Rust 1.95.0 (released 2026-04-16) [2], but
+use the newer version instead to avoid changing how the build works for
+existing compilers, at least until more testing takes place.
+
+Cc: Ralf Jung <post@ralfj.de>
+Cc: stable@vger.kernel.org # Needed in 6.12.y and later (Rust is pinned in older LTSs).
+Link: https://github.com/rust-lang/rust/pull/157151 [1]
+Link: https://github.com/rust-lang/rust/pull/151154 [2]
+Reviewed-by: Alice Ryhl <aliceryhl@google.com>
+Link: https://patch.msgid.link/20260530114925.260754-1-ojeda@kernel.org
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/generate_rust_target.rs |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/scripts/generate_rust_target.rs
++++ b/scripts/generate_rust_target.rs
+@@ -196,7 +196,9 @@ fn main() {
+         }
+     } else if cfg.has("X86_64") {
+         ts.push("arch", "x86_64");
+-        if cfg.rustc_version_atleast(1, 86, 0) {
++        if cfg.rustc_version_atleast(1, 98, 0) {
++            ts.push("rustc-abi", "softfloat");
++        } else if cfg.rustc_version_atleast(1, 86, 0) {
+             ts.push("rustc-abi", "x86-softfloat");
+         }
+         ts.push(
+@@ -236,7 +238,9 @@ fn main() {
+             panic!("32-bit x86 only works under UML");
+         }
+         ts.push("arch", "x86");
+-        if cfg.rustc_version_atleast(1, 86, 0) {
++        if cfg.rustc_version_atleast(1, 98, 0) {
++            ts.push("rustc-abi", "softfloat");
++        } else if cfg.rustc_version_atleast(1, 86, 0) {
+             ts.push("rustc-abi", "x86-softfloat");
+         }
+         ts.push(
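Review bot: The new `cfg.rustc_version_atleast(1, 98, 0)` branch is added twice, once in the X86_64 arm and once in the 32-bit x86 arm of main(), and neither carries a comment explaining the threshold. The reasoning exists only in the changelog, so I would put it above the first occurrence: `// Rust >= 1.98.0 rejects "x86-softfloat"; the "softfloat" alias exists since 1.95.0 but is used only where required.` Since the two three-way conditionals are identical, a small helper returning the ABI string would keep them from drifting apart at the next rustc change. main() starts and ends outside both hunks.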
index 4032117909874f1f5a86f8dc6ef4dcfcbff4ac55..2fce9f86d7a2d9738cad12b9d273d454e00b30ca 100644 (file)
@@ -165,3 +165,38 @@ drm-amd-display-use-plane-color_mgmt_changed-to-trac.patch
 drm-xe-fix-refcount-leak-in-xe_range_fence_insert.patch
 drm-xe-fix-job-timeout-recovery-for-unstarted-jobs-a.patch
 accel-amdxdna-fix-mm_struct-reference-leak-in-aie2_p.patch
+namespace-restrict-open_tree_namespace-fsmount_namespace-to-directories.patch
+netfilter-nft_tunnel-fix-use-after-free-on-object-destroy.patch
+netfilter-nft_meta_bridge-fix-stale-stack-leak-via-iifhwaddr-register.patch
+tee-shm-fix-shm-leak-in-register_shm_helper.patch
+bluetooth-hci_sync-reject-oversized-broadcast-announcement-prepend.patch
+bluetooth-l2cap-reject-br-edr-signaling-packets-over-mtusig.patch
+soc-qcom-ice-fix-race-between-qcom_ice_probe-and-of_qcom_ice_get.patch
+mm-memory-failure-fix-hugetlb_lock-aa-deadlock-in-get_huge_page_for_hwpoison.patch
+revert-drm-xe-nvls-define-guc-firmware-for-nvl-s.patch
+accel-ivpu-add-bounds-check-for-firmware-runtime-memory.patch
+accel-ivpu-add-bounds-checks-for-firmware-log-indices.patch
+firmware-stratix10-svc-don-t-fail-probe-when-async-ops-unsupported.patch
+firmware-stratix10-svc-return-eopnotsupp-when-atf-async-unsupported.patch
+firmware-stratix10-rsu-fix-null-deref-on-rsu_send_msg-timeout-in-probe.patch
+accel-ivpu-add-buffer-overflow-check-in-ms-get_info_ioctl.patch
+accel-ivpu-fix-signed-integer-truncation-in-ipc-receive.patch
+tracing-fix-cfi-violation-in-probestub-being-called-by-tprobes.patch
+tracing-probes-point-the-error-offset-correctly-for-eprobe-argument-error.patch
+cgroup-cpuset-use-effective_xcpus-in-partcmd_update-add-del-mask-calculation.patch
+revert-drm-xe-skip-exec-queue-schedule-toggle-if-queue-is-idle-during-suspend.patch
+rust-x86-support-rust-1.98.0-target-spec.patch
+arm-do-not-select-have_rust-when-kasan-is-enabled.patch
+rust-arm64-set-uwtable-llvm-module-flag-for-config_unwind_tables.patch
+rust-kasan-kbuild-fix-rustc-option-when-cross-compiling.patch
+mmc-litex_mmc-use-div_round_up-for-more-accurate-clock-calculation.patch
+cfi-include-uaccess.h-for-get_kernel_nofault.patch
+mshv-add-a-missing-padding-field.patch
+kvm-don-t-warn-if-memory-is-dirtied-without-a-vcpu-when-the-vm-is-dying.patch
+kvm-sev-decouple-the-need-to-sync-the-ghcb-sa-from-the-need-to-free-the-sa.patch
+kvm-arm64-nv-fix-handling-of-xn-when-feat_xnx.patch
+kvm-arm64-correctly-identify-executable-ptes-at-stage-2.patch
+kvm-arm64-restore-por_el0-access-to-host-el0.patch
+drm-i915-gem-fix-phys-bo-pread-pwrite-with-offset.patch
+hv_netvsc-use-kmap_local_page-in-netvsc_copy_to_send_buf.patch
+pinctrl-mcp23s08-initialize-mcp-dev-and-mcp-addr-before-regmap-init.patch
diff --git a/queue-7.0/soc-qcom-ice-fix-race-between-qcom_ice_probe-and-of_qcom_ice_get.patch b/queue-7.0/soc-qcom-ice-fix-race-between-qcom_ice_probe-and-of_qcom_ice_get.patch
new file mode 100644 (file)
index 0000000..0ad422a
--- /dev/null
@@ -0,0 +1,150 @@
+From d922113ef91e6e7e8065e9070f349365341ba32e Mon Sep 17 00:00:00 2001
+From: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
+Date: Mon, 18 May 2026 19:22:17 +0530
+Subject: soc: qcom: ice: Fix race between qcom_ice_probe() and of_qcom_ice_get()
+
+From: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
+
+commit d922113ef91e6e7e8065e9070f349365341ba32e upstream.
+
+The current platform driver design causes probe ordering races with
+consumers (UFS, eMMC) due to ICE's dependency on SCM firmware calls. If ICE
+probe fails (missing ICE SCM or DT registers), devm_of_qcom_ice_get() loops
+with -EPROBE_DEFER, leaving consumers non-functional even when ICE should
+be gracefully disabled. devm_of_qcom_ice_get() doesn't know if the ICE
+driver probe has failed due to above reasons or it is waiting for the SCM
+driver.
+
+Moreover, there is no devlink dependency between ICE and consumer drivers
+as 'qcom,ice' is not considered as a DT 'supplier'. So the consumer drivers
+have no idea of when the ICE driver is going to probe.
+
+To address these issues, store the error pointer in a global xarray with
+ice node phandle as a key during probe in addition to the valid ice pointer
+and synchronize both qcom_ice_probe() and of_qcom_ice_get() using a mutex.
+
+If the xarray entry is NULL, then it implies that the driver is not
+probed yet, so return -EPROBE_DEFER. If it has any error pointer, return
+that error pointer directly. Otherwise, add the devlink as usual and return
+the valid pointer to the consumer.
+
+Xarray is used instead of platform drvdata, since driver core frees the
+drvdata during probe failure. So it cannot be used to pass the error
+pointer to the consumers.
+
+Note that this change only fixes the standalone ICE DT node bindings and
+not the ones with 'ice' range embedded in the consumer nodes, where there
+is no issue.
+
+Fixes: 2afbf43a4aec ("soc: qcom: Make the Qualcomm UFS/SDCC ICE a dedicated driver")
+Reported-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
+Tested-by: Sumit Garg <sumit.garg@oss.qualcomm.com> # OP-TEE as TZ
+Acked-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
+Cc: stable@vger.kernel.org # 6.4
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20260518-qcom-ice-fix-v7-1-2a595382185b@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/qcom/ice.c |   38 +++++++++++++++++++++++++++++++-------
+ 1 file changed, 31 insertions(+), 7 deletions(-)
+
+--- a/drivers/soc/qcom/ice.c
++++ b/drivers/soc/qcom/ice.c
+@@ -16,6 +16,7 @@
+ #include <linux/of.h>
+ #include <linux/of_platform.h>
+ #include <linux/platform_device.h>
++#include <linux/xarray.h>
+ #include <linux/firmware/qcom/qcom_scm.h>
+@@ -114,6 +115,9 @@ struct qcom_ice {
+       u8 hwkm_version;
+ };
++static DEFINE_XARRAY(ice_handles);
++static DEFINE_MUTEX(ice_mutex);
++
+ static bool qcom_ice_check_supported(struct qcom_ice *ice)
+ {
+       u32 regval = qcom_ice_readl(ice, QCOM_ICE_REG_VERSION);
+@@ -644,6 +648,8 @@ static struct qcom_ice *of_qcom_ice_get(
+               return qcom_ice_create(&pdev->dev, base);
+       }
++      guard(mutex)(&ice_mutex);
++
+       /*
+        * If the consumer node does not provider an 'ice' reg range
+        * (legacy DT binding), then it must at least provide a phandle
+@@ -660,12 +666,13 @@ static struct qcom_ice *of_qcom_ice_get(
+               return ERR_PTR(-ENODEV);
+       }
+-      ice = platform_get_drvdata(pdev);
+-      if (!ice) {
+-              dev_err(dev, "Cannot get ice instance from %s\n",
+-                      dev_name(&pdev->dev));
++      ice = xa_load(&ice_handles, pdev->dev.of_node->phandle);
++      if (IS_ERR_OR_NULL(ice)) {
+               platform_device_put(pdev);
+-              return ERR_PTR(-EPROBE_DEFER);
++              if (!ice)
++                      return ERR_PTR(-EPROBE_DEFER);
++              else
++                      return ice;
+       }
+       link = device_link_add(dev, &pdev->dev, DL_FLAG_AUTOREMOVE_SUPPLIER);
+@@ -729,24 +736,40 @@ EXPORT_SYMBOL_GPL(devm_of_qcom_ice_get);
+ static int qcom_ice_probe(struct platform_device *pdev)
+ {
++      unsigned long phandle = pdev->dev.of_node->phandle;
+       struct qcom_ice *engine;
+       void __iomem *base;
++      guard(mutex)(&ice_mutex);
++
+       base = devm_platform_ioremap_resource(pdev, 0);
+       if (IS_ERR(base)) {
+               dev_warn(&pdev->dev, "ICE registers not found\n");
++              /* Store the error pointer for devm_of_qcom_ice_get() */
++              xa_store(&ice_handles, phandle, (__force void *)base, GFP_KERNEL);
+               return PTR_ERR(base);
+       }
+       engine = qcom_ice_create(&pdev->dev, base);
+-      if (IS_ERR(engine))
++      if (IS_ERR(engine)) {
++              /* Store the error pointer for devm_of_qcom_ice_get() */
++              xa_store(&ice_handles, phandle, engine, GFP_KERNEL);
+               return PTR_ERR(engine);
++      }
+-      platform_set_drvdata(pdev, engine);
++      xa_store(&ice_handles, phandle, engine, GFP_KERNEL);
+       return 0;
+ }
++static void qcom_ice_remove(struct platform_device *pdev)
++{
++      unsigned long phandle = pdev->dev.of_node->phandle;
++
++      guard(mutex)(&ice_mutex);
++      xa_store(&ice_handles, phandle, NULL, GFP_KERNEL);
++}
++
+ static const struct of_device_id qcom_ice_of_match_table[] = {
+       { .compatible = "qcom,inline-crypto-engine" },
+       { },
+@@ -755,6 +778,7 @@ MODULE_DEVICE_TABLE(of, qcom_ice_of_matc
+ static struct platform_driver qcom_ice_driver = {
+       .probe  = qcom_ice_probe,
++      .remove = qcom_ice_remove,
+       .driver = {
+               .name = "qcom-ice",
+               .of_match_table = qcom_ice_of_match_table,
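Review bot: qcom_ice_probe() stores the `base` and `engine` error pointers directly with `xa_store(&ice_handles, phandle, ..., GFP_KERNEL)`. To my knowledge the XArray documentation says IS_ERR() pointers are not supported as entries, because some of them collide with value or internal entries, so depending on the errno the later `xa_load()` in of_qcom_ice_get() may not hand back what was stored. Encoding the errno as a value entry would avoid that, e.g. `xa_store(&ice_handles, phandle, xa_mk_value(-PTR_ERR(engine)), GFP_KERNEL);`, with `if (xa_is_value(ice)) return ERR_PTR(-(long)xa_to_value(ice));` in the existing failure branch after `platform_device_put(pdev)`. The return value of every `xa_store()` is also ignored: if storing a valid engine fails for lack of memory, probe still returns 0 and consumers would keep getting -EPROBE_DEFER. Both functions extend outside the hunks shown.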
diff --git a/queue-7.0/tee-shm-fix-shm-leak-in-register_shm_helper.patch b/queue-7.0/tee-shm-fix-shm-leak-in-register_shm_helper.patch
new file mode 100644 (file)
index 0000000..ee1a911
--- /dev/null
@@ -0,0 +1,40 @@
+From 26682f5efc276e3ad96d102019472bfbf03833b2 Mon Sep 17 00:00:00 2001
+From: Georgiy Osokin <g.osokin@auroraos.dev>
+Date: Wed, 8 Apr 2026 18:52:03 +0300
+Subject: tee: shm: fix shm leak in register_shm_helper()
+
+From: Georgiy Osokin <g.osokin@auroraos.dev>
+
+commit 26682f5efc276e3ad96d102019472bfbf03833b2 upstream.
+
+register_shm_helper() allocates shm before calling
+iov_iter_npages(). If iov_iter_npages() returns 0, the function
+jumps to err_ctx_put and leaks shm.
+
+This can be triggered by TEE_IOC_SHM_REGISTER with
+struct tee_ioctl_shm_register_data where length is 0.
+
+Jump to err_free_shm instead.
+
+Fixes: 7bdee4157591 ("tee: Use iov_iter to better support shared buffer registration")
+Cc: stable@vger.kernel.org
+Cc: lvc-project@linuxtesting.org
+Signed-off-by: Georgiy Osokin <g.osokin@auroraos.dev>
+Reviewed-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
+Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tee/tee_shm.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tee/tee_shm.c
++++ b/drivers/tee/tee_shm.c
+@@ -435,7 +435,7 @@ register_shm_helper(struct tee_context *
+       num_pages = iov_iter_npages(iter, INT_MAX);
+       if (!num_pages) {
+               ret = ERR_PTR(-ENOMEM);
+-              goto err_ctx_put;
++              goto err_free_shm;
+       }
+       shm->pages = kzalloc_objs(*shm->pages, num_pages);
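Review bot: The zero-page case in register_shm_helper() still returns `ERR_PTR(-ENOMEM)`, although the changelog says it is reached from TEE_IOC_SHM_REGISTER with a length of 0, which is a bad argument rather than an allocation failure. Changing the errno may be visible to user space, so at minimum I would add a comment on the branch: `/* A zero-length registration ends up here; shm is already allocated, so unwind through err_free_shm. */`. The function's labels and the shm allocation are outside this hunk, so the unwind order cannot be checked from here.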
diff --git a/queue-7.0/tracing-fix-cfi-violation-in-probestub-being-called-by-tprobes.patch b/queue-7.0/tracing-fix-cfi-violation-in-probestub-being-called-by-tprobes.patch
new file mode 100644 (file)
index 0000000..b5b8026
--- /dev/null
@@ -0,0 +1,58 @@
+From 0652a3daa78723f955b1ebeb621665ce72bec53e Mon Sep 17 00:00:00 2001
+From: Eva Kurchatova <eva.kurchatova@virtuozzo.com>
+Date: Wed, 3 Jun 2026 18:31:42 +0300
+Subject: tracing: Fix CFI violation in probestub being called by tprobes
+
+From: Eva Kurchatova <eva.kurchatova@virtuozzo.com>
+
+commit 0652a3daa78723f955b1ebeb621665ce72bec53e upstream.
+
+The probestub is a function to allow tprobes to hook to a tracepoint to
+gain access to its parameters. The function itself is only referenced by
+the tracepoint structure which lives in the __tracepoint section. objtool
+explicitly ignores that section and when processing functions in the
+kernel, if it detects one that has no references it will seal it to have
+its ENDBR stripped on boot up.
+
+This means when a tprobe is attached to the sched_wakeup tracepoint, when it
+is triggered it will call __probestub_sched_wakeup and due to the missing
+ENDBR on a CFI-enabled machine it will take a #CP exception.
+
+Fix this by adding CFI_NOSEAL annotation to probestub declaration.
+
+Cc: stable@vger.kernel.org
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Link: https://patch.msgid.link/20260603153147.573589-1-eva.kurchatova@virtuozzo.com
+Fixes: d5173f753750 ("objtool: Exclude __tracepoints data from ENDBR checks")
+Signed-off-by: Eva Kurchatova <eva.kurchatova@virtuozzo.com>
+[ Updated change log ]
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/tracepoint.h |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/include/linux/tracepoint.h
++++ b/include/linux/tracepoint.h
+@@ -20,6 +20,7 @@
+ #include <linux/rcupdate_trace.h>
+ #include <linux/tracepoint-defs.h>
+ #include <linux/static_call.h>
++#include <linux/cfi.h>
+ struct module;
+ struct tracepoint;
+@@ -380,6 +381,13 @@ static inline struct tracepoint *tracepo
+       void __probestub_##_name(void *__data, proto)                   \
+       {                                                               \
+       }                                                               \
++      /*                                                              \
++       * Annotate the probestub 'CFI_NOSEAL' to stop objtool from     \
++       * requesting the kernel remove the ENDBR, because the only     \
++       * references to the function are in the __tracepoint section,  \
++       * that objtool doesn't scan.                                   \
++       */                                                             \
++      CFI_NOSEAL(__probestub_##_name);                                \
+       DEFINE_STATIC_CALL(tp_func_##_name, __traceiter_##_name);       \
+       DEFINE_RUST_DO_TRACE(_name, TP_PROTO(proto), TP_ARGS(args))
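Review bot: The added comment explains why objtool would seal the stub, but not what `CFI_NOSEAL(__probestub_##_name)` costs. Every probestub keeps its ENDBR and so remains a valid indirect-branch target on IBT systems. The stub body shown in the hunk is empty, so this looks harmless, and I would say so in the comment, for example with an extra line `* The stub is empty, so keeping its ENDBR exposes no useful target.` It is also worth confirming that `<linux/cfi.h>` gives CFI_NOSEAL an empty fallback for configurations without IBT, since tracepoint.h is included very widely; that definition is not visible here. The macro this hunk edits starts outside the hunk.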
diff --git a/queue-7.0/tracing-probes-point-the-error-offset-correctly-for-eprobe-argument-error.patch b/queue-7.0/tracing-probes-point-the-error-offset-correctly-for-eprobe-argument-error.patch
new file mode 100644 (file)
index 0000000..305b63b
--- /dev/null
@@ -0,0 +1,51 @@
+From 85e0f27dd1396307913ffc5745b0c05137e9beac Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
+Date: Mon, 25 May 2026 11:21:14 +0900
+Subject: tracing/probes: Point the error offset correctly for eprobe argument error
+
+From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+
+commit 85e0f27dd1396307913ffc5745b0c05137e9beac upstream.
+
+Fix to point the error offset correctly for eprobe argument error.
+In the cleanup commit 1b8b0cd754cd ("tracing/probes: Move event parameter
+fetching code to common parser"), due to incorrect backward compatibility
+aimed at conforming to the test specifications, the error location was set
+to 0 when a non-existent formal parameter was specified for Eprobe.
+However, this should be corrected in both the test and the implementation
+to point correct error position.
+
+Link: https://lore.kernel.org/all/177967567399.209006.1451571244515632097.stgit@devnote2/
+
+Fixes: 1b8b0cd754cd ("tracing/probes: Move event parameter fetching code to common parser")
+Cc: stable@vger.kernel.org
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Reviewed-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_probe.c                                              |    2 --
+ tools/testing/selftests/ftrace/test.d/dynevent/eprobes_syntax_errors.tc |    2 +-
+ 2 files changed, 1 insertion(+), 3 deletions(-)
+
+--- a/kernel/trace/trace_probe.c
++++ b/kernel/trace/trace_probe.c
+@@ -962,8 +962,6 @@ static int parse_probe_vars(char *orig_a
+                       code->op = FETCH_OP_COMM;
+                       return 0;
+               }
+-              /* backward compatibility */
+-              ctx->offset = 0;
+               goto inval;
+       }
+--- a/tools/testing/selftests/ftrace/test.d/dynevent/eprobes_syntax_errors.tc
++++ b/tools/testing/selftests/ftrace/test.d/dynevent/eprobes_syntax_errors.tc
+@@ -20,7 +20,7 @@ check_error 'e:foo/^12345678901234567890
+ check_error 'e:foo/^bar.1 syscalls/sys_enter_openat'  # BAD_EVENT_NAME
+ check_error 'e:foo/bar syscalls/sys_enter_openat arg=^dfd'    # BAD_FETCH_ARG
+-check_error 'e:foo/bar syscalls/sys_enter_openat ^arg=$foo'   # BAD_ATTACH_ARG
++check_error 'e:foo/bar syscalls/sys_enter_openat arg=^$foo'   # BAD_ATTACH_ARG
+ if grep -q '<attached-group>\.<attached-event>.*\[if <filter>\]' README; then
+   check_error 'e:foo/bar syscalls/sys_enter_openat if ^'      # NO_EP_FILTER