--- /dev/null
+From eed0e3d305530066b4fc5370107cff8ef1a0d229 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@kernel.org>
+Date: Sat, 9 Aug 2025 10:19:39 -0700
+Subject: KEYS: trusted_tpm1: Compare HMAC values in constant time
+
+From: Eric Biggers <ebiggers@kernel.org>
+
+commit eed0e3d305530066b4fc5370107cff8ef1a0d229 upstream.
+
+To prevent timing attacks, HMAC value comparison needs to be constant
+time. Replace the memcmp() with the correct function, crypto_memneq().
+
+[For the Fixes commit I used the commit that introduced the memcmp().
+It predates the introduction of crypto_memneq(), but it was still a bug
+at the time even though a helper function didn't exist yet.]
+
+Fixes: d00a1c72f7f4 ("keys: add new trusted key-type")
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers <ebiggers@kernel.org>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/keys/trusted-keys/trusted_tpm1.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/security/keys/trusted-keys/trusted_tpm1.c
++++ b/security/keys/trusted-keys/trusted_tpm1.c
+@@ -7,6 +7,7 @@
+ */
+
+ #include <crypto/hash_info.h>
++#include <crypto/utils.h>
+ #include <linux/init.h>
+ #include <linux/slab.h>
+ #include <linux/parser.h>
+@@ -241,7 +242,7 @@ int TSS_checkhmac1(unsigned char *buffer
+ if (ret < 0)
+ goto out;
+
+- if (memcmp(testhmac, authdata, SHA1_DIGEST_SIZE))
++ if (crypto_memneq(testhmac, authdata, SHA1_DIGEST_SIZE))
+ ret = -EINVAL;
+ out:
+ kfree_sensitive(sdesc);
+@@ -334,7 +335,7 @@ static int TSS_checkhmac2(unsigned char
+ TPM_NONCE_SIZE, ononce, 1, continueflag1, 0, 0);
+ if (ret < 0)
+ goto out;
+- if (memcmp(testhmac1, authdata1, SHA1_DIGEST_SIZE)) {
++ if (crypto_memneq(testhmac1, authdata1, SHA1_DIGEST_SIZE)) {
+ ret = -EINVAL;
+ goto out;
+ }
+@@ -343,7 +344,7 @@ static int TSS_checkhmac2(unsigned char
+ TPM_NONCE_SIZE, ononce, 1, continueflag2, 0, 0);
+ if (ret < 0)
+ goto out;
+- if (memcmp(testhmac2, authdata2, SHA1_DIGEST_SIZE))
++ if (crypto_memneq(testhmac2, authdata2, SHA1_DIGEST_SIZE))
+ ret = -EINVAL;
+ out:
+ kfree_sensitive(sdesc);
--- /dev/null
+From f322a97aeb2a05b6b1ee17629145eb02e1a4c6a0 Mon Sep 17 00:00:00 2001
+From: Pratyush Yadav <pratyush@kernel.org>
+Date: Thu, 18 Sep 2025 19:06:15 +0200
+Subject: kho: only fill kimage if KHO is finalized
+
+From: Pratyush Yadav <pratyush@kernel.org>
+
+commit f322a97aeb2a05b6b1ee17629145eb02e1a4c6a0 upstream.
+
+kho_fill_kimage() only checks for KHO being enabled before filling in the
+FDT to the image. KHO being enabled does not mean that the kernel has
+data to hand over. That happens when KHO is finalized.
+
+When a kexec is done with KHO enabled but not finalized, the FDT page is
+allocated but not initialized. FDT initialization happens after finalize.
+This means the KHO segment is filled in but the FDT contains garbage
+data.
+
+This leads to the below error messages in the next kernel:
+
+ [ 0.000000] KHO: setup: handover FDT (0x10116b000) is invalid: -9
+ [ 0.000000] KHO: disabling KHO revival: -22
+
+There is no problem in practice, and the next kernel boots and works fine.
+But this still leads to misleading error messages and garbage being
+handed over.
+
+Only fill in KHO segment when KHO is finalized. When KHO is not enabled,
+the debugfs interface is not created and there is no way to finalize it
+anyway. So the check for kho_enable is not needed, and kho_out.finalize
+alone is enough.
+
+Link: https://lkml.kernel.org/r/20250918170617.91413-1-pratyush@kernel.org
+Fixes: 3bdecc3c93f9 ("kexec: add KHO support to kexec file loads")
+Signed-off-by: Pratyush Yadav <pratyush@kernel.org>
+Reviewed-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
+Cc: Alexander Graf <graf@amazon.com>
+Cc: Baoquan He <bhe@redhat.com>
+Cc: Changyuan Lyu <changyuanl@google.com>
+Cc: Jason Gunthorpe <jgg@nvidia.com>
+Cc: Pasha Tatashin <pasha.tatashin@soleen.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/kexec_handover.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/kexec_handover.c
++++ b/kernel/kexec_handover.c
+@@ -1233,7 +1233,7 @@ int kho_fill_kimage(struct kimage *image
+ int err = 0;
+ struct kexec_buf scratch;
+
+- if (!kho_enable)
++ if (!kho_out.finalized)
+ return 0;
+
+ image->kho.fdt = page_to_phys(kho_out.ser.fdt);
--- /dev/null
+From 1260cbcffa608219fc9188a6cbe9c45a300ef8b5 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 24 Sep 2025 10:02:07 +0200
+Subject: lib/genalloc: fix device leak in of_gen_pool_get()
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 1260cbcffa608219fc9188a6cbe9c45a300ef8b5 upstream.
+
+Make sure to drop the reference taken when looking up the genpool platform
+device in of_gen_pool_get() before returning the pool.
+
+Note that holding a reference to a device does typically not prevent its
+devres managed resources from being released so there is no point in
+keeping the reference.
+
+Link: https://lkml.kernel.org/r/20250924080207.18006-1-johan@kernel.org
+Fixes: 9375db07adea ("genalloc: add devres support, allow to find a managed pool by device")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Cc: Philipp Zabel <p.zabel@pengutronix.de>
+Cc: Vladimir Zapolskiy <vz@mleia.com>
+Cc: <stable@vger.kernel.org> [3.10+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/genalloc.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/lib/genalloc.c
++++ b/lib/genalloc.c
+@@ -899,8 +899,11 @@ struct gen_pool *of_gen_pool_get(struct
+ if (!name)
+ name = of_node_full_name(np_pool);
+ }
+- if (pdev)
++ if (pdev) {
+ pool = gen_pool_get(&pdev->dev, name);
++ put_device(&pdev->dev);
++ }
++
+ of_node_put(np_pool);
+
+ return pool;
--- /dev/null
+From 98b7bf54338b797e3a11e8178ce0e806060d8fa3 Mon Sep 17 00:00:00 2001
+From: Li Chen <me@linux.beauty>
+Date: Tue, 30 Sep 2025 08:35:59 +0800
+Subject: loop: fix backing file reference leak on validation error
+
+From: Li Chen <me@linux.beauty>
+
+commit 98b7bf54338b797e3a11e8178ce0e806060d8fa3 upstream.
+
+loop_change_fd() and loop_configure() call loop_check_backing_file()
+to validate the new backing file. If validation fails, the reference
+acquired by fget() was not dropped, leaking a file reference.
+
+Fix this by calling fput(file) before returning the error.
+
+Cc: stable@vger.kernel.org
+Cc: Markus Elfring <Markus.Elfring@web.de>
+CC: Yang Erkun <yangerkun@huawei.com>
+Cc: Ming Lei <ming.lei@redhat.com>
+Cc: Yu Kuai <yukuai1@huaweicloud.com>
+Fixes: f5c84eff634b ("loop: Add sanity check for read/write_iter")
+Signed-off-by: Li Chen <chenl311@chinatelecom.cn>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: Yang Erkun <yangerkun@huawei.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/loop.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -551,8 +551,10 @@ static int loop_change_fd(struct loop_de
+ return -EBADF;
+
+ error = loop_check_backing_file(file);
+- if (error)
++ if (error) {
++ fput(file);
+ return error;
++ }
+
+ /* suppress uevents while reconfiguring the device */
+ dev_set_uevent_suppress(disk_to_dev(lo->lo_disk), 1);
+@@ -993,8 +995,10 @@ static int loop_configure(struct loop_de
+ return -EBADF;
+
+ error = loop_check_backing_file(file);
+- if (error)
++ if (error) {
++ fput(file);
+ return error;
++ }
+
+ is_loop = is_loop_device(file);
+
--- /dev/null
+From 22f166218f7313e8fe2d19213b5f4b3265f8c39e Mon Sep 17 00:00:00 2001
+From: Yu Kuai <yukuai3@huawei.com>
+Date: Wed, 10 Sep 2025 14:30:44 +0800
+Subject: md: fix mssing blktrace bio split events
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+commit 22f166218f7313e8fe2d19213b5f4b3265f8c39e upstream.
+
+If bio is split by internal handling like chunksize or badblocks, the
+corresponding trace_block_split() is missing, resulting in blktrace
+inability to catch BIO split events and making it harder to analyze the
+BIO sequence.
+
+Cc: stable@vger.kernel.org
+Fixes: 4b1faf931650 ("block: Kill bio_pair_split()")
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/md-linear.c | 1 +
+ drivers/md/raid0.c | 4 ++++
+ drivers/md/raid1.c | 4 ++++
+ drivers/md/raid10.c | 8 ++++++++
+ drivers/md/raid5.c | 2 ++
+ 5 files changed, 19 insertions(+)
+
+--- a/drivers/md/md-linear.c
++++ b/drivers/md/md-linear.c
+@@ -267,6 +267,7 @@ static bool linear_make_request(struct m
+ }
+
+ bio_chain(split, bio);
++ trace_block_split(split, bio->bi_iter.bi_sector);
+ submit_bio_noacct(bio);
+ bio = split;
+ }
+--- a/drivers/md/raid0.c
++++ b/drivers/md/raid0.c
+@@ -473,7 +473,9 @@ static void raid0_handle_discard(struct
+ bio_endio(bio);
+ return;
+ }
++
+ bio_chain(split, bio);
++ trace_block_split(split, bio->bi_iter.bi_sector);
+ submit_bio_noacct(bio);
+ bio = split;
+ end = zone->zone_end;
+@@ -621,7 +623,9 @@ static bool raid0_make_request(struct md
+ bio_endio(bio);
+ return true;
+ }
++
+ bio_chain(split, bio);
++ trace_block_split(split, bio->bi_iter.bi_sector);
+ raid0_map_submit_bio(mddev, bio);
+ bio = split;
+ }
+--- a/drivers/md/raid1.c
++++ b/drivers/md/raid1.c
+@@ -1383,7 +1383,9 @@ static void raid1_read_request(struct md
+ error = PTR_ERR(split);
+ goto err_handle;
+ }
++
+ bio_chain(split, bio);
++ trace_block_split(split, bio->bi_iter.bi_sector);
+ submit_bio_noacct(bio);
+ bio = split;
+ r1_bio->master_bio = bio;
+@@ -1591,7 +1593,9 @@ static void raid1_write_request(struct m
+ error = PTR_ERR(split);
+ goto err_handle;
+ }
++
+ bio_chain(split, bio);
++ trace_block_split(split, bio->bi_iter.bi_sector);
+ submit_bio_noacct(bio);
+ bio = split;
+ r1_bio->master_bio = bio;
+--- a/drivers/md/raid10.c
++++ b/drivers/md/raid10.c
+@@ -1209,7 +1209,9 @@ static void raid10_read_request(struct m
+ error = PTR_ERR(split);
+ goto err_handle;
+ }
++
+ bio_chain(split, bio);
++ trace_block_split(split, bio->bi_iter.bi_sector);
+ allow_barrier(conf);
+ submit_bio_noacct(bio);
+ wait_barrier(conf, false);
+@@ -1495,7 +1497,9 @@ static void raid10_write_request(struct
+ error = PTR_ERR(split);
+ goto err_handle;
+ }
++
+ bio_chain(split, bio);
++ trace_block_split(split, bio->bi_iter.bi_sector);
+ allow_barrier(conf);
+ submit_bio_noacct(bio);
+ wait_barrier(conf, false);
+@@ -1679,7 +1683,9 @@ static int raid10_handle_discard(struct
+ bio_endio(bio);
+ return 0;
+ }
++
+ bio_chain(split, bio);
++ trace_block_split(split, bio->bi_iter.bi_sector);
+ allow_barrier(conf);
+ /* Resend the fist split part */
+ submit_bio_noacct(split);
+@@ -1694,7 +1700,9 @@ static int raid10_handle_discard(struct
+ bio_endio(bio);
+ return 0;
+ }
++
+ bio_chain(split, bio);
++ trace_block_split(split, bio->bi_iter.bi_sector);
+ allow_barrier(conf);
+ /* Resend the second split part */
+ submit_bio_noacct(bio);
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -5475,8 +5475,10 @@ static struct bio *chunk_aligned_read(st
+
+ if (sectors < bio_sectors(raid_bio)) {
+ struct r5conf *conf = mddev->private;
++
+ split = bio_split(raid_bio, sectors, GFP_NOIO, &conf->bio_split);
+ bio_chain(split, raid_bio);
++ trace_block_split(split, raid_bio->bi_iter.bi_sector);
+ submit_bio_noacct(raid_bio);
+ raid_bio = split;
+ }
--- /dev/null
+From 6744085079e785dae5f7a2239456135407c58b25 Mon Sep 17 00:00:00 2001
+From: Zhen Ni <zhen.ni@easystack.cn>
+Date: Wed, 6 Aug 2025 10:55:38 +0800
+Subject: memory: samsung: exynos-srom: Fix of_iomap leak in exynos_srom_probe
+
+From: Zhen Ni <zhen.ni@easystack.cn>
+
+commit 6744085079e785dae5f7a2239456135407c58b25 upstream.
+
+The of_platform_populate() call at the end of the function has a
+possible failure path, causing a resource leak.
+
+Replace of_iomap() with devm_platform_ioremap_resource() to ensure
+automatic cleanup of srom->reg_base.
+
+This issue was detected by smatch static analysis:
+drivers/memory/samsung/exynos-srom.c:155 exynos_srom_probe()warn:
+'srom->reg_base' from of_iomap() not released on lines: 155.
+
+Fixes: 8ac2266d8831 ("memory: samsung: exynos-srom: Add support for bank configuration")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zhen Ni <zhen.ni@easystack.cn>
+Link: https://lore.kernel.org/r/20250806025538.306593-1-zhen.ni@easystack.cn
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/memory/samsung/exynos-srom.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/drivers/memory/samsung/exynos-srom.c
++++ b/drivers/memory/samsung/exynos-srom.c
+@@ -121,20 +121,18 @@ static int exynos_srom_probe(struct plat
+ return -ENOMEM;
+
+ srom->dev = dev;
+- srom->reg_base = of_iomap(np, 0);
+- if (!srom->reg_base) {
++ srom->reg_base = devm_platform_ioremap_resource(pdev, 0);
++ if (IS_ERR(srom->reg_base)) {
+ dev_err(&pdev->dev, "iomap of exynos srom controller failed\n");
+- return -ENOMEM;
++ return PTR_ERR(srom->reg_base);
+ }
+
+ platform_set_drvdata(pdev, srom);
+
+ srom->reg_offset = exynos_srom_alloc_reg_dump(exynos_srom_offsets,
+ ARRAY_SIZE(exynos_srom_offsets));
+- if (!srom->reg_offset) {
+- iounmap(srom->reg_base);
++ if (!srom->reg_offset)
+ return -ENOMEM;
+- }
+
+ for_each_child_of_node(np, child) {
+ if (exynos_srom_configure_bank(srom, child)) {
--- /dev/null
+From d140f3ba76ac98faad7f9b37ef5a3dcbd57f59e2 Mon Sep 17 00:00:00 2001
+From: Patrice Chotard <patrice.chotard@foss.st.com>
+Date: Thu, 7 Aug 2025 09:34:09 +0200
+Subject: memory: stm32_omm: Fix req2ack update test
+
+From: Patrice Chotard <patrice.chotard@foss.st.com>
+
+commit d140f3ba76ac98faad7f9b37ef5a3dcbd57f59e2 upstream.
+
+If "st,omm-req2ack-ns" property is found and its value is not 0,
+the current test doesn't allow to compute and set req2ack value,
+Fix this test.
+
+Fixes: 8181d061dcff ("memory: Add STM32 Octo Memory Manager driver")
+Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com>
+Link: https://lore.kernel.org/r/20250807-upstream_omm_fix_req2ack_test_condition-v2-1-d7df4af2b48b@foss.st.com
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/memory/stm32_omm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/memory/stm32_omm.c b/drivers/memory/stm32_omm.c
+index bee2ecc8c2b9..5d06623f3f68 100644
+--- a/drivers/memory/stm32_omm.c
++++ b/drivers/memory/stm32_omm.c
+@@ -238,7 +238,7 @@ static int stm32_omm_configure(struct device *dev)
+ if (mux & CR_MUXEN) {
+ ret = of_property_read_u32(dev->of_node, "st,omm-req2ack-ns",
+ &req2ack);
+- if (!ret && !req2ack) {
++ if (!ret && req2ack) {
+ req2ack = DIV_ROUND_UP(req2ack, NSEC_PER_SEC / clk_rate_max) - 1;
+
+ if (req2ack > 256)
+--
+2.51.0
+
--- /dev/null
+From fec40f44afdabcbc4a7748e4278f30737b54bb1a Mon Sep 17 00:00:00 2001
+From: Rex Chen <rex.chen_1@nxp.com>
+Date: Mon, 28 Jul 2025 17:22:29 +0900
+Subject: mmc: core: SPI mode remove cmd7
+
+From: Rex Chen <rex.chen_1@nxp.com>
+
+commit fec40f44afdabcbc4a7748e4278f30737b54bb1a upstream.
+
+SPI mode doesn't support cmd7, so remove it in mmc_sdio_alive() and
+confirm if sdio is active by checking CCCR register value is available
+or not.
+
+Signed-off-by: Rex Chen <rex.chen_1@nxp.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250728082230.1037917-2-rex.chen_1@nxp.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/sdio.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/core/sdio.c
++++ b/drivers/mmc/core/sdio.c
+@@ -945,7 +945,11 @@ static void mmc_sdio_remove(struct mmc_h
+ */
+ static int mmc_sdio_alive(struct mmc_host *host)
+ {
+- return mmc_select_card(host->card);
++ if (!mmc_host_is_spi(host))
++ return mmc_select_card(host->card);
++ else
++ return mmc_io_rw_direct(host->card, 0, 0, SDIO_CCCR_CCCR, 0,
++ NULL);
+ }
+
+ /*
--- /dev/null
+From fef12d9f5bcf7e2b19a7cf1295c6abd5642dd241 Mon Sep 17 00:00:00 2001
+From: Rex Chen <rex.chen_1@nxp.com>
+Date: Mon, 28 Jul 2025 17:22:30 +0900
+Subject: mmc: mmc_spi: multiple block read remove read crc ack
+
+From: Rex Chen <rex.chen_1@nxp.com>
+
+commit fef12d9f5bcf7e2b19a7cf1295c6abd5642dd241 upstream.
+
+For multiple block read, the current implementation, transfer packet
+includes cmd53 + cmd53 response + block nums*(1byte token +
+block length bytes payload + 2bytes CRC + 1byte transfer), the last
+1byte transfer of every block is not needed, so remove it.
+
+Why doesn't multiple block read need CRC ack?
+For read operation, host side get the payload and CRC value, then
+will only check the CRC value to confirm if the data is correct or
+not, but not send CRC ack to card. If the data is correct, save it,
+or discard it and retransmit if data is error, so the last 1byte
+transfer of every block make no sense.
+
+What's the side effect of this 1byte transfer?
+As the SPI is full duplex, if add this redundant 1byte transfer, SDIO
+card side take it as the token of next block, then all the next sub
+blocks sequence distort.
+
+Signed-off-by: Rex Chen <rex.chen_1@nxp.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250728082230.1037917-3-rex.chen_1@nxp.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/mmc_spi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/mmc_spi.c
++++ b/drivers/mmc/host/mmc_spi.c
+@@ -563,7 +563,7 @@ mmc_spi_setup_data_message(struct mmc_sp
+ * the next token (next data block, or STOP_TRAN). We can try to
+ * minimize I/O ops by using a single read to collect end-of-busy.
+ */
+- if (multiple || write) {
++ if (write) {
+ t = &host->early_status;
+ memset(t, 0, sizeof(*t));
+ t->len = write ? sizeof(scratch->status) : 1;
--- /dev/null
+From 1001cc1171248ebb21d371fbe086b5d3f11b410b Mon Sep 17 00:00:00 2001
+From: Maarten Zanders <maarten@zanders.be>
+Date: Mon, 22 Sep 2025 17:39:38 +0200
+Subject: mtd: nand: raw: gpmi: fix clocks when CONFIG_PM=N
+
+From: Maarten Zanders <maarten@zanders.be>
+
+commit 1001cc1171248ebb21d371fbe086b5d3f11b410b upstream.
+
+Commit f04ced6d545e ("mtd: nand: raw: gpmi: improve power management
+handling") moved all clock handling into PM callbacks. With CONFIG_PM
+disabled, those callbacks are missing, leaving the driver unusable.
+
+Add clock init/teardown for !CONFIG_PM builds to restore basic operation.
+Keeping the driver working without requiring CONFIG_PM is preferred over
+adding a Kconfig dependency.
+
+Fixes: f04ced6d545e ("mtd: nand: raw: gpmi: improve power management handling")
+Signed-off-by: Maarten Zanders <maarten@zanders.be>
+Cc: stable@vger.kernel.org
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c
++++ b/drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c
+@@ -145,6 +145,9 @@ err_clk:
+ return ret;
+ }
+
++#define gpmi_enable_clk(x) __gpmi_enable_clk(x, true)
++#define gpmi_disable_clk(x) __gpmi_enable_clk(x, false)
++
+ static int gpmi_init(struct gpmi_nand_data *this)
+ {
+ struct resources *r = &this->resources;
+@@ -2765,6 +2768,11 @@ static int gpmi_nand_probe(struct platfo
+ pm_runtime_enable(&pdev->dev);
+ pm_runtime_set_autosuspend_delay(&pdev->dev, 500);
+ pm_runtime_use_autosuspend(&pdev->dev);
++#ifndef CONFIG_PM
++ ret = gpmi_enable_clk(this);
++ if (ret)
++ goto exit_acquire_resources;
++#endif
+
+ ret = gpmi_init(this);
+ if (ret)
+@@ -2800,6 +2808,9 @@ static void gpmi_nand_remove(struct plat
+ release_resources(this);
+ pm_runtime_dont_use_autosuspend(&pdev->dev);
+ pm_runtime_disable(&pdev->dev);
++#ifndef CONFIG_PM
++ gpmi_disable_clk(this);
++#endif
+ }
+
+ static int gpmi_pm_suspend(struct device *dev)
+@@ -2846,9 +2857,6 @@ static int gpmi_pm_resume(struct device
+ return 0;
+ }
+
+-#define gpmi_enable_clk(x) __gpmi_enable_clk(x, true)
+-#define gpmi_disable_clk(x) __gpmi_enable_clk(x, false)
+-
+ static int gpmi_runtime_suspend(struct device *dev)
+ {
+ struct gpmi_nand_data *this = dev_get_drvdata(dev);
--- /dev/null
+From b8df622cf7f6808c85764e681847150ed6d85f3d Mon Sep 17 00:00:00 2001
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Tue, 16 Sep 2025 18:07:37 +0200
+Subject: mtd: rawnand: fsmc: Default to autodetect buswidth
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+commit b8df622cf7f6808c85764e681847150ed6d85f3d upstream.
+
+If you don't specify buswidth 2 (16 bits) in the device
+tree, FSMC doesn't even probe anymore:
+
+fsmc-nand 10100000.flash: FSMC device partno 090,
+ manufacturer 80, revision 00, config 00
+nand: device found, Manufacturer ID: 0x20, Chip ID: 0xb1
+nand: ST Micro 10100000.flash
+nand: bus width 8 instead of 16 bits
+nand: No NAND device found
+fsmc-nand 10100000.flash: probe with driver fsmc-nand failed
+ with error -22
+
+With this patch to use autodetection unless buswidth is
+specified, the device is properly detected again:
+
+fsmc-nand 10100000.flash: FSMC device partno 090,
+ manufacturer 80, revision 00, config 00
+nand: device found, Manufacturer ID: 0x20, Chip ID: 0xb1
+nand: ST Micro NAND 128MiB 1,8V 16-bit
+nand: 128 MiB, SLC, erase size: 128 KiB, page size: 2048, OOB size: 64
+fsmc-nand 10100000.flash: Using 1-bit HW ECC scheme
+Scanning device for bad blocks
+
+I don't know where or how this happened, I think some change
+in the nand core.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/raw/fsmc_nand.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/mtd/nand/raw/fsmc_nand.c
++++ b/drivers/mtd/nand/raw/fsmc_nand.c
+@@ -876,10 +876,14 @@ static int fsmc_nand_probe_config_dt(str
+ if (!of_property_read_u32(np, "bank-width", &val)) {
+ if (val == 2) {
+ nand->options |= NAND_BUSWIDTH_16;
+- } else if (val != 1) {
++ } else if (val == 1) {
++ nand->options |= NAND_BUSWIDTH_AUTO;
++ } else {
+ dev_err(&pdev->dev, "invalid bank-width %u\n", val);
+ return -EINVAL;
+ }
++ } else {
++ nand->options |= NAND_BUSWIDTH_AUTO;
+ }
+
+ if (of_property_read_bool(np, "nand-skip-bbtscan"))
--- /dev/null
+From eeaed48980a7aeb0d3d8b438185d4b5a66154ff9 Mon Sep 17 00:00:00 2001
+From: Georg Gottleuber <ggo@tuxedocomputers.com>
+Date: Tue, 1 Jul 2025 22:55:49 +0200
+Subject: nvme-pci: Add TUXEDO IBS Gen8 to Samsung sleep quirk
+
+From: Georg Gottleuber <ggo@tuxedocomputers.com>
+
+commit eeaed48980a7aeb0d3d8b438185d4b5a66154ff9 upstream.
+
+On the TUXEDO InfinityBook S Gen8, a Samsung 990 Evo NVMe leads to
+a high power consumption in s2idle sleep (3.5 watts).
+
+This patch applies 'Force No Simple Suspend' quirk to achieve a sleep with
+a lower power consumption, typically around 1 watts.
+
+Signed-off-by: Georg Gottleuber <ggo@tuxedocomputers.com>
+Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/pci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -3324,10 +3324,12 @@ static unsigned long check_vendor_combin
+ * Exclude Samsung 990 Evo from NVME_QUIRK_SIMPLE_SUSPEND
+ * because of high power consumption (> 2 Watt) in s2idle
+ * sleep. Only some boards with Intel CPU are affected.
++ * (Note for testing: Samsung 990 Evo Plus has same PCI ID)
+ */
+ if (dmi_match(DMI_BOARD_NAME, "DN50Z-140HC-YD") ||
+ dmi_match(DMI_BOARD_NAME, "GMxPXxx") ||
+ dmi_match(DMI_BOARD_NAME, "GXxMRXx") ||
++ dmi_match(DMI_BOARD_NAME, "NS5X_NS7XAU") ||
+ dmi_match(DMI_BOARD_NAME, "PH4PG31") ||
+ dmi_match(DMI_BOARD_NAME, "PH4PRX1_PH6PRX1") ||
+ dmi_match(DMI_BOARD_NAME, "PH6PG01_PH6PG71"))
--- /dev/null
+From a8de554774ae48efbe48ace79f8badae2daa2bf1 Mon Sep 17 00:00:00 2001
+From: Ma Ke <make24@iscas.ac.cn>
+Date: Tue, 30 Sep 2025 16:16:18 +0800
+Subject: of: unittest: Fix device reference count leak in of_unittest_pci_node_verify
+
+From: Ma Ke <make24@iscas.ac.cn>
+
+commit a8de554774ae48efbe48ace79f8badae2daa2bf1 upstream.
+
+In of_unittest_pci_node_verify(), when the add parameter is false,
+device_find_any_child() obtains a reference to a child device. This
+function implicitly calls get_device() to increment the device's
+reference count before returning the pointer. However, the caller
+fails to properly release this reference by calling put_device(),
+leading to a device reference count leak. Add put_device() in the else
+branch immediately after child_dev is no longer needed.
+
+As the comment of device_find_any_child states: "NOTE: you will need
+to drop the reference with put_device() after use".
+
+Found by code review.
+
+Cc: stable@vger.kernel.org
+Fixes: 26409dd04589 ("of: unittest: Add pci_dt_testdrv pci driver")
+Signed-off-by: Ma Ke <make24@iscas.ac.cn>
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/of/unittest.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/of/unittest.c
++++ b/drivers/of/unittest.c
+@@ -4300,6 +4300,7 @@ static int of_unittest_pci_node_verify(s
+ unittest(!np, "Child device tree node is not removed\n");
+ child_dev = device_find_any_child(&pdev->dev);
+ unittest(!child_dev, "Child device is not removed\n");
++ put_device(child_dev);
+ }
+
+ failed:
--- /dev/null
+From 042a60680de43175eb4df0977ff04a4eba9da082 Mon Sep 17 00:00:00 2001
+From: Askar Safin <safinaskar@zohomail.com>
+Date: Mon, 25 Aug 2025 18:12:33 +0000
+Subject: openat2: don't trigger automounts with RESOLVE_NO_XDEV
+
+From: Askar Safin <safinaskar@zohomail.com>
+
+commit 042a60680de43175eb4df0977ff04a4eba9da082 upstream.
+
+openat2 had a bug: if we pass RESOLVE_NO_XDEV, then openat2
+doesn't traverse through automounts, but may still trigger them.
+(See the link for full bug report with reproducer.)
+
+This commit fixes this bug.
+
+Link: https://lore.kernel.org/linux-fsdevel/20250817075252.4137628-1-safinaskar@zohomail.com/
+Fixes: fddb5d430ad9fa91b49b1 ("open: introduce openat2(2) syscall")
+Reviewed-by: Aleksa Sarai <cyphar@cyphar.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Askar Safin <safinaskar@zohomail.com>
+Link: https://lore.kernel.org/20250825181233.2464822-5-safinaskar@zohomail.com
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/namei.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -1449,6 +1449,10 @@ static int follow_automount(struct path
+ dentry->d_inode)
+ return -EISDIR;
+
++ /* No need to trigger automounts if mountpoint crossing is disabled. */
++ if (lookup_flags & LOOKUP_NO_XDEV)
++ return -EXDEV;
++
+ if (count && (*count)++ >= MAXSYMLINKS)
+ return -ELOOP;
+
+@@ -1472,6 +1476,10 @@ static int __traverse_mounts(struct path
+ /* Allow the filesystem to manage the transit without i_rwsem
+ * being held. */
+ if (flags & DCACHE_MANAGE_TRANSIT) {
++ if (lookup_flags & LOOKUP_NO_XDEV) {
++ ret = -EXDEV;
++ break;
++ }
+ ret = path->dentry->d_op->d_manage(path, false);
+ flags = smp_load_acquire(&path->dentry->d_flags);
+ if (ret < 0)
--- /dev/null
+From 501302d5cee0d8e8ec2c4a5919c37e0df9abc99b Mon Sep 17 00:00:00 2001
+From: Xiao Liang <shaw.leon@gmail.com>
+Date: Sun, 17 Aug 2025 00:30:15 +0800
+Subject: padata: Reset next CPU when reorder sequence wraps around
+
+From: Xiao Liang <shaw.leon@gmail.com>
+
+commit 501302d5cee0d8e8ec2c4a5919c37e0df9abc99b upstream.
+
+When seq_nr wraps around, the next reorder job with seq 0 is hashed to
+the first CPU in padata_do_serial(). Correspondingly, need reset pd->cpu
+to the first one when pd->processed wraps around. Otherwise, if the
+number of used CPUs is not a power of 2, padata_find_next() will be
+checking a wrong list, hence deadlock.
+
+Fixes: 6fc4dbcf0276 ("padata: Replace delayed timer with immediate workqueue in padata_reorder")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Xiao Liang <shaw.leon@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/padata.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/kernel/padata.c
++++ b/kernel/padata.c
+@@ -291,8 +291,12 @@ static void padata_reorder(struct padata
+ struct padata_serial_queue *squeue;
+ int cb_cpu;
+
+- cpu = cpumask_next_wrap(cpu, pd->cpumask.pcpu);
+ processed++;
++ /* When sequence wraps around, reset to the first CPU. */
++ if (unlikely(processed == 0))
++ cpu = cpumask_first(pd->cpumask.pcpu);
++ else
++ cpu = cpumask_next_wrap(cpu, pd->cpumask.pcpu);
+
+ cb_cpu = padata->cb_cpu;
+ squeue = per_cpu_ptr(pd->squeue, cb_cpu);
--- /dev/null
+From 8ec5a066f88f89bd52094ba18792b34c49dcd55a Mon Sep 17 00:00:00 2001
+From: Sam James <sam@gentoo.org>
+Date: Wed, 1 Oct 2025 23:58:40 +0100
+Subject: parisc: don't reference obsolete termio struct for TC* constants
+
+From: Sam James <sam@gentoo.org>
+
+commit 8ec5a066f88f89bd52094ba18792b34c49dcd55a upstream.
+
+Similar in nature to ab107276607af90b13a5994997e19b7b9731e251. glibc-2.42
+drops the legacy termio struct, but the ioctls.h header still defines some
+TC* constants in terms of termio (via sizeof). Hardcode the values instead.
+
+This fixes building Python for example, which falls over like:
+ ./Modules/termios.c:1119:16: error: invalid application of 'sizeof' to incomplete type 'struct termio'
+
+Link: https://bugs.gentoo.org/961769
+Link: https://bugs.gentoo.org/962600
+Co-authored-by: Stian Halseth <stian@itx.no>
+Cc: stable@vger.kernel.org
+Signed-off-by: Sam James <sam@gentoo.org>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/include/uapi/asm/ioctls.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/parisc/include/uapi/asm/ioctls.h
++++ b/arch/parisc/include/uapi/asm/ioctls.h
+@@ -10,10 +10,10 @@
+ #define TCSETS _IOW('T', 17, struct termios) /* TCSETATTR */
+ #define TCSETSW _IOW('T', 18, struct termios) /* TCSETATTRD */
+ #define TCSETSF _IOW('T', 19, struct termios) /* TCSETATTRF */
+-#define TCGETA _IOR('T', 1, struct termio)
+-#define TCSETA _IOW('T', 2, struct termio)
+-#define TCSETAW _IOW('T', 3, struct termio)
+-#define TCSETAF _IOW('T', 4, struct termio)
++#define TCGETA 0x40125401
++#define TCSETA 0x80125402
++#define TCSETAW 0x80125403
++#define TCSETAF 0x80125404
+ #define TCSBRK _IO('T', 5)
+ #define TCXONC _IO('T', 6)
+ #define TCFLSH _IO('T', 7)
--- /dev/null
+From 16794e524d310780163fdd49d0bf7fac30f8dbc8 Mon Sep 17 00:00:00 2001
+From: John David Anglin <dave.anglin@bell.net>
+Date: Tue, 5 Aug 2025 11:35:30 -0400
+Subject: parisc: Remove spurious if statement from raw_copy_from_user()
+
+From: John David Anglin <dave.anglin@bell.net>
+
+commit 16794e524d310780163fdd49d0bf7fac30f8dbc8 upstream.
+
+Accidently introduced in commit 91428ca9320e.
+
+Signed-off-by: John David Anglin <dave.anglin@bell.net>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Fixes: 91428ca9320e ("parisc: Check region is readable by user in raw_copy_from_user()")
+Cc: stable@vger.kernel.org # v5.12+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/lib/memcpy.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/arch/parisc/lib/memcpy.c
++++ b/arch/parisc/lib/memcpy.c
+@@ -41,7 +41,6 @@ unsigned long raw_copy_from_user(void *d
+ mtsp(get_kernel_space(), SR_TEMP2);
+
+ /* Check region is user accessible */
+- if (start)
+ while (start < end) {
+ if (!prober_user(SR_TEMP1, start)) {
+ newlen = (start - (unsigned long) src);
--- /dev/null
+From bbf7d0468d0da71d76cc6ec9bc8a224325d07b6b Mon Sep 17 00:00:00 2001
+From: Niklas Schnelle <schnelle@linux.ibm.com>
+Date: Thu, 7 Aug 2025 15:55:38 +0200
+Subject: PCI/AER: Fix missing uevent on recovery when a reset is requested
+
+From: Niklas Schnelle <schnelle@linux.ibm.com>
+
+commit bbf7d0468d0da71d76cc6ec9bc8a224325d07b6b upstream.
+
+Since commit 7b42d97e99d3 ("PCI/ERR: Always report current recovery
+status for udev") AER uses the result of error_detected() as parameter
+to pci_uevent_ers(). As pci_uevent_ers() however does not handle
+PCI_ERS_RESULT_NEED_RESET this results in a missing uevent for the
+beginning of recovery if drivers request a reset. Fix this by treating
+PCI_ERS_RESULT_NEED_RESET as beginning recovery.
+
+Fixes: 7b42d97e99d3 ("PCI/ERR: Always report current recovery status for udev")
+Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Lukas Wunner <lukas@wunner.de>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250807-add_err_uevents-v5-1-adf85b0620b0@linux.ibm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/pci-driver.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/pci/pci-driver.c
++++ b/drivers/pci/pci-driver.c
+@@ -1596,6 +1596,7 @@ void pci_uevent_ers(struct pci_dev *pdev
+ switch (err_type) {
+ case PCI_ERS_RESULT_NONE:
+ case PCI_ERS_RESULT_CAN_RECOVER:
++ case PCI_ERS_RESULT_NEED_RESET:
+ envp[idx++] = "ERROR_EVENT=BEGIN_RECOVERY";
+ envp[idx++] = "DEVICE_ONLINE=0";
+ break;
--- /dev/null
+From 6633875250b38b18b8638cf01e695de031c71f02 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Wed, 27 Aug 2025 15:41:09 +0200
+Subject: PCI/AER: Support errors introduced by PCIe r6.0
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit 6633875250b38b18b8638cf01e695de031c71f02 upstream.
+
+PCIe r6.0 defined five additional errors in the Uncorrectable Error
+Status, Mask and Severity Registers (PCIe r7.0 sec 7.8.4.2ff).
+
+lspci has been supporting them since commit 144b0911cc0b ("ls-ecaps:
+extend decode support for more fields for AER CE and UE status"):
+
+ https://git.kernel.org/pub/scm/utils/pciutils/pciutils.git/commit/?id=144b0911cc0b
+
+Amend the AER driver to recognize them as well, instead of logging them as
+"Unknown Error Bit".
+
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/21f1875b18d4078c99353378f37dcd6b994f6d4e.1756301211.git.lukas@wunner.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/pcie/aer.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/pci/pcie/aer.c
++++ b/drivers/pci/pcie/aer.c
+@@ -43,7 +43,7 @@
+ #define AER_ERROR_SOURCES_MAX 128
+
+ #define AER_MAX_TYPEOF_COR_ERRS 16 /* as per PCI_ERR_COR_STATUS */
+-#define AER_MAX_TYPEOF_UNCOR_ERRS 27 /* as per PCI_ERR_UNCOR_STATUS*/
++#define AER_MAX_TYPEOF_UNCOR_ERRS 32 /* as per PCI_ERR_UNCOR_STATUS*/
+
+ struct aer_err_source {
+ u32 status; /* PCI_ERR_ROOT_STATUS */
+@@ -525,11 +525,11 @@ static const char *aer_uncorrectable_err
+ "AtomicOpBlocked", /* Bit Position 24 */
+ "TLPBlockedErr", /* Bit Position 25 */
+ "PoisonTLPBlocked", /* Bit Position 26 */
+- NULL, /* Bit Position 27 */
+- NULL, /* Bit Position 28 */
+- NULL, /* Bit Position 29 */
+- NULL, /* Bit Position 30 */
+- NULL, /* Bit Position 31 */
++ "DMWrReqBlocked", /* Bit Position 27 */
++ "IDECheck", /* Bit Position 28 */
++ "MisIDETLP", /* Bit Position 29 */
++ "PCRC_CHECK", /* Bit Position 30 */
++ "TLPXlatBlocked", /* Bit Position 31 */
+ };
+
+ static const char *aer_agent_string[] = {
--- /dev/null
+From 6e460c3d611009a1d1c2c1f61c96578284a14fba Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= <ilpo.jarvinen@linux.intel.com>
+Date: Mon, 30 Jun 2025 17:26:39 +0300
+Subject: PCI: Ensure relaxed tail alignment does not increase min_align
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+
+commit 6e460c3d611009a1d1c2c1f61c96578284a14fba upstream.
+
+When using relaxed tail alignment for the bridge window, pbus_size_mem()
+also tries to minimize min_align, which can under certain scenarios end up
+increasing min_align from that found by calculate_mem_align().
+
+Ensure min_align is not increased by the relaxed tail alignment.
+
+Eventually, it would be better to add calculate_relaxed_head_align()
+similar to calculate_mem_align() which finds out what alignment can be used
+for the head without introducing any gaps into the bridge window to give
+flexibility on head address too. But that looks relatively complex so it
+requires much more testing than fixing the immediate problem causing a
+regression.
+
+Fixes: 67f9085596ee ("PCI: Allow relaxed bridge window tail sizing for optional resources")
+Reported-by: Rio Liu <rio@r26.me>
+Closes: https://lore.kernel.org/all/o2bL8MtD_40-lf8GlslTw-AZpUPzm8nmfCnJKvS8RQ3NOzOW1uq1dVCEfRpUjJ2i7G2WjfQhk2IWZ7oGp-7G-jXN4qOdtnyOcjRR0PZWK5I=@r26.me/
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Tested-by: Rio Liu <rio@r26.me>
+Cc: stable@vger.kernel.org # v6.15+
+Link: https://patch.msgid.link/20250822123359.16305-2-ilpo.jarvinen@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/setup-bus.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/pci/setup-bus.c b/drivers/pci/setup-bus.c
+index 7853ac6999e2..527f0479e983 100644
+--- a/drivers/pci/setup-bus.c
++++ b/drivers/pci/setup-bus.c
+@@ -1169,6 +1169,7 @@ static int pbus_size_mem(struct pci_bus *bus, unsigned long mask,
+ resource_size_t children_add_size = 0;
+ resource_size_t children_add_align = 0;
+ resource_size_t add_align = 0;
++ resource_size_t relaxed_align;
+
+ if (!b_res)
+ return -ENOSPC;
+@@ -1246,8 +1247,9 @@ static int pbus_size_mem(struct pci_bus *bus, unsigned long mask,
+ if (bus->self && size0 &&
+ !pbus_upstream_space_available(bus, mask | IORESOURCE_PREFETCH, type,
+ size0, min_align)) {
+- min_align = 1ULL << (max_order + __ffs(SZ_1M));
+- min_align = max(min_align, win_align);
++ relaxed_align = 1ULL << (max_order + __ffs(SZ_1M));
++ relaxed_align = max(relaxed_align, win_align);
++ min_align = min(min_align, relaxed_align);
+ size0 = calculate_memsize(size, min_size, 0, 0, resource_size(b_res), win_align);
+ pci_info(bus->self, "bridge window %pR to %pR requires relaxed alignment rules\n",
+ b_res, &bus->busn_res);
+@@ -1261,8 +1263,9 @@ static int pbus_size_mem(struct pci_bus *bus, unsigned long mask,
+ if (bus->self && size1 &&
+ !pbus_upstream_space_available(bus, mask | IORESOURCE_PREFETCH, type,
+ size1, add_align)) {
+- min_align = 1ULL << (max_order + __ffs(SZ_1M));
+- min_align = max(min_align, win_align);
++ relaxed_align = 1ULL << (max_order + __ffs(SZ_1M));
++ relaxed_align = max(relaxed_align, win_align);
++ min_align = min(min_align, relaxed_align);
+ size1 = calculate_memsize(size, min_size, add_size, children_add_size,
+ resource_size(b_res), win_align);
+ pci_info(bus->self,
+--
+2.51.0
+
--- /dev/null
+From 1cbc5e25fb70e942a7a735a1f3d6dd391afc9b29 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Wed, 13 Aug 2025 07:11:02 +0200
+Subject: PCI/ERR: Fix uevent on failure to recover
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit 1cbc5e25fb70e942a7a735a1f3d6dd391afc9b29 upstream.
+
+Upon failure to recover from a PCIe error through AER, DPC or EDR, a
+uevent is sent to inform user space about disconnection of the bridge
+whose subordinate devices failed to recover.
+
+However the bridge itself is not disconnected. Instead, a uevent should
+be sent for each of the subordinate devices.
+
+Only if the "bridge" happens to be a Root Complex Event Collector or
+Integrated Endpoint does it make sense to send a uevent for it (because
+there are no subordinate devices).
+
+Right now if there is a mix of subordinate devices with and without
+pci_error_handlers, a BEGIN_RECOVERY event is sent for those with
+pci_error_handlers but no FAILED_RECOVERY event is ever sent for them
+afterwards. Fix it.
+
+Fixes: 856e1eb9bdd4 ("PCI/AER: Add uevents in AER and EEH error/resume")
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org # v4.16+
+Link: https://patch.msgid.link/68fc527a380821b5d861dd554d2ce42cb739591c.1755008151.git.lukas@wunner.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/pcie/err.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/pci/pcie/err.c
++++ b/drivers/pci/pcie/err.c
+@@ -108,6 +108,12 @@ static int report_normal_detected(struct
+ return report_error_detected(dev, pci_channel_io_normal, data);
+ }
+
++static int report_perm_failure_detected(struct pci_dev *dev, void *data)
++{
++ pci_uevent_ers(dev, PCI_ERS_RESULT_DISCONNECT);
++ return 0;
++}
++
+ static int report_mmio_enabled(struct pci_dev *dev, void *data)
+ {
+ struct pci_driver *pdrv;
+@@ -269,7 +275,7 @@ pci_ers_result_t pcie_do_recovery(struct
+ failed:
+ pci_walk_bridge(bridge, pci_pm_runtime_put, NULL);
+
+- pci_uevent_ers(bridge, PCI_ERS_RESULT_DISCONNECT);
++ pci_walk_bridge(bridge, report_perm_failure_detected, NULL);
+
+ pci_info(bridge, "device recovery failed\n");
+
--- /dev/null
+From 31af09b3eaf3603870ce9fd5a7b6c8693129c4cf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= <ilpo.jarvinen@linux.intel.com>
+Date: Mon, 30 Jun 2025 17:26:41 +0300
+Subject: PCI: Fix failure detection during resource resize
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+
+commit 31af09b3eaf3603870ce9fd5a7b6c8693129c4cf upstream.
+
+Since 96336ec70264 ("PCI: Perform reset_resource() and build fail list in
+sync") the failed list is always built and returned to let the caller
+decide what to do with the failures. The caller may want to retry resource
+fitting and assignment and before that can happen, the resources should be
+restored to their original state (a reset effectively clears the struct
+resource), which requires returning them to the failed list so the original
+state remains stored in the associated struct pci_dev_resource.
+
+Resource resizing is different from the ordinary resource fitting and
+assignment in that it only considers part of the resources. This means
+failures for other resource types are not relevant at all and should be
+ignored. As resize doesn't unassign such unrelated resources, those
+resources ending up in the failed list implies assignment of that
+resource must have failed before resize too. The check in
+pci_reassign_bridge_resources() to decide if the whole assignment is
+successful, however, is based on list emptiness which will cause false
+negatives when the failed list has resources with an unrelated type.
+
+If the failed list is not empty, call pci_required_resource_failed() and
+extend it to be able to filter on specific resource types too (if
+provided).
+
+Calling pci_required_resource_failed() at this point is slightly
+problematic because the resource itself is reset when the failed list
+is constructed in __assign_resources_sorted(). As a result,
+pci_resource_is_optional() does not have access to the original
+resource flags. This could be worked around by restoring and
+re-resetting the resource around the call to pci_resource_is_optional(),
+however, it shouldn't cause issue as resource resizing is meant for
+64-bit prefetchable resources according to Christian König (see the
+Link which unfortunately doesn't point directly to Christian's reply
+because lore didn't store that email at all).
+
+Fixes: 96336ec70264 ("PCI: Perform reset_resource() and build fail list in sync")
+Link: https://lore.kernel.org/all/c5d1b5d8-8669-5572-75a7-0b480f581ac1@linux.intel.com/
+Reported-by: D Scott Phillips <scott@os.amperecomputing.com>
+Closes: https://lore.kernel.org/all/86plf0lgit.fsf@scott-ph-mail.amperecomputing.com/
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Tested-by: D Scott Phillips <scott@os.amperecomputing.com>
+Reviewed-by: D Scott Phillips <scott@os.amperecomputing.com>
+Cc: Christian König <christian.koenig@amd.com>
+Cc: stable@vger.kernel.org # v6.15+
+Link: https://patch.msgid.link/20250822123359.16305-4-ilpo.jarvinen@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/setup-bus.c | 26 ++++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+--- a/drivers/pci/setup-bus.c
++++ b/drivers/pci/setup-bus.c
+@@ -28,6 +28,10 @@
+ #include <linux/acpi.h>
+ #include "pci.h"
+
++#define PCI_RES_TYPE_MASK \
++ (IORESOURCE_IO | IORESOURCE_MEM | IORESOURCE_PREFETCH |\
++ IORESOURCE_MEM_64)
++
+ unsigned int pci_flags;
+ EXPORT_SYMBOL_GPL(pci_flags);
+
+@@ -384,13 +388,19 @@ static bool pci_need_to_release(unsigned
+ }
+
+ /* Return: @true if assignment of a required resource failed. */
+-static bool pci_required_resource_failed(struct list_head *fail_head)
++static bool pci_required_resource_failed(struct list_head *fail_head,
++ unsigned long type)
+ {
+ struct pci_dev_resource *fail_res;
+
++ type &= PCI_RES_TYPE_MASK;
++
+ list_for_each_entry(fail_res, fail_head, list) {
+ int idx = pci_resource_num(fail_res->dev, fail_res->res);
+
++ if (type && (fail_res->flags & PCI_RES_TYPE_MASK) != type)
++ continue;
++
+ if (!pci_resource_is_optional(fail_res->dev, idx))
+ return true;
+ }
+@@ -504,7 +514,7 @@ assign:
+ }
+
+ /* Without realloc_head and only optional fails, nothing more to do. */
+- if (!pci_required_resource_failed(&local_fail_head) &&
++ if (!pci_required_resource_failed(&local_fail_head, 0) &&
+ list_empty(realloc_head)) {
+ list_for_each_entry(save_res, &save_head, list) {
+ struct resource *res = save_res->res;
+@@ -1707,10 +1717,6 @@ static void __pci_bridge_assign_resource
+ }
+ }
+
+-#define PCI_RES_TYPE_MASK \
+- (IORESOURCE_IO | IORESOURCE_MEM | IORESOURCE_PREFETCH |\
+- IORESOURCE_MEM_64)
+-
+ static void pci_bridge_release_resources(struct pci_bus *bus,
+ unsigned long type)
+ {
+@@ -2449,8 +2455,12 @@ int pci_reassign_bridge_resources(struct
+ free_list(&added);
+
+ if (!list_empty(&failed)) {
+- ret = -ENOSPC;
+- goto cleanup;
++ if (pci_required_resource_failed(&failed, type)) {
++ ret = -ENOSPC;
++ goto cleanup;
++ }
++ /* Only resources with unrelated types failed (again) */
++ free_list(&failed);
+ }
+
+ list_for_each_entry(dev_res, &saved, list) {
--- /dev/null
+From 05703271c3cdcc0f2a8cf6ebdc45892b8ca83520 Mon Sep 17 00:00:00 2001
+From: Niklas Schnelle <schnelle@linux.ibm.com>
+Date: Tue, 26 Aug 2025 10:52:08 +0200
+Subject: PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV
+
+From: Niklas Schnelle <schnelle@linux.ibm.com>
+
+commit 05703271c3cdcc0f2a8cf6ebdc45892b8ca83520 upstream.
+
+Before disabling SR-IOV via config space accesses to the parent PF,
+sriov_disable() first removes the PCI devices representing the VFs.
+
+Since commit 9d16947b7583 ("PCI: Add global pci_lock_rescan_remove()")
+such removal operations are serialized against concurrent remove and
+rescan using the pci_rescan_remove_lock. No such locking was ever added
+in sriov_disable() however. In particular when commit 18f9e9d150fc
+("PCI/IOV: Factor out sriov_add_vfs()") factored out the PCI device
+removal into sriov_del_vfs() there was still no locking around the
+pci_iov_remove_virtfn() calls.
+
+On s390 the lack of serialization in sriov_disable() may cause double
+remove and list corruption with the below (amended) trace being observed:
+
+ PSW: 0704c00180000000 0000000c914e4b38 (klist_put+56)
+ GPRS: 000003800313fb48 0000000000000000 0000000100000001 0000000000000001
+ 00000000f9b520a8 0000000000000000 0000000000002fbd 00000000f4cc9480
+ 0000000000000001 0000000000000000 0000000000000000 0000000180692828
+ 00000000818e8000 000003800313fe2c 000003800313fb20 000003800313fad8
+ #0 [3800313fb20] device_del at c9158ad5c
+ #1 [3800313fb88] pci_remove_bus_device at c915105ba
+ #2 [3800313fbd0] pci_iov_remove_virtfn at c9152f198
+ #3 [3800313fc28] zpci_iov_remove_virtfn at c90fb67c0
+ #4 [3800313fc60] zpci_bus_remove_device at c90fb6104
+ #5 [3800313fca0] __zpci_event_availability at c90fb3dca
+ #6 [3800313fd08] chsc_process_sei_nt0 at c918fe4a2
+ #7 [3800313fd60] crw_collect_info at c91905822
+ #8 [3800313fe10] kthread at c90feb390
+ #9 [3800313fe68] __ret_from_fork at c90f6aa64
+ #10 [3800313fe98] ret_from_fork at c9194f3f2.
+
+This is because in addition to sriov_disable() removing the VFs, the
+platform also generates hot-unplug events for the VFs. This being the
+reverse operation to the hotplug events generated by sriov_enable() and
+handled via pdev->no_vf_scan. And while the event processing takes
+pci_rescan_remove_lock and checks whether the struct pci_dev still exists,
+the lack of synchronization makes this checking racy.
+
+Other races may also be possible of course though given that this lack of
+locking persisted so long observable races seem very rare. Even on s390 the
+list corruption was only observed with certain devices since the platform
+events are only triggered by config accesses after the removal, so as long
+as the removal finished synchronously they would not race. Either way the
+locking is missing so fix this by adding it to the sriov_del_vfs() helper.
+
+Just like PCI rescan-remove, locking is also missing in sriov_add_vfs()
+including for the error case where pci_stop_and_remove_bus_device() is
+called without the PCI rescan-remove lock being held. Even in the non-error
+case, adding new PCI devices and buses should be serialized via the PCI
+rescan-remove lock. Add the necessary locking.
+
+Fixes: 18f9e9d150fc ("PCI/IOV: Factor out sriov_add_vfs()")
+Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
+Reviewed-by: Farhan Ali <alifm@linux.ibm.com>
+Reviewed-by: Julian Ruess <julianr@linux.ibm.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250826-pci_fix_sriov_disable-v1-1-2d0bc938f2a3@linux.ibm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/iov.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/pci/iov.c
++++ b/drivers/pci/iov.c
+@@ -629,15 +629,18 @@ static int sriov_add_vfs(struct pci_dev
+ if (dev->no_vf_scan)
+ return 0;
+
++ pci_lock_rescan_remove();
+ for (i = 0; i < num_vfs; i++) {
+ rc = pci_iov_add_virtfn(dev, i);
+ if (rc)
+ goto failed;
+ }
++ pci_unlock_rescan_remove();
+ return 0;
+ failed:
+ while (i--)
+ pci_iov_remove_virtfn(dev, i);
++ pci_unlock_rescan_remove();
+
+ return rc;
+ }
+@@ -762,8 +765,10 @@ static void sriov_del_vfs(struct pci_dev
+ struct pci_sriov *iov = dev->sriov;
+ int i;
+
++ pci_lock_rescan_remove();
+ for (i = 0; i < iov->num_VFs; i++)
+ pci_iov_remove_virtfn(dev, i);
++ pci_unlock_rescan_remove();
+ }
+
+ static void sriov_disable(struct pci_dev *dev)
--- /dev/null
+From 9a7f144e18dc5f037d85a0f0d99524a574331098 Mon Sep 17 00:00:00 2001
+From: Siddharth Vadapalli <s-vadapalli@ti.com>
+Date: Mon, 1 Sep 2025 17:33:55 +0530
+Subject: PCI: j721e: Fix module autoloading
+
+From: Siddharth Vadapalli <s-vadapalli@ti.com>
+
+commit 9a7f144e18dc5f037d85a0f0d99524a574331098 upstream.
+
+Commit a2790bf81f0f ("PCI: j721e: Add support to build as a loadable
+module") added support to build the driver as a loadable module. However,
+it did not add MODULE_DEVICE_TABLE() which is required for autoloading the
+driver based on device table when it is built as a loadable module.
+
+Fix it by adding MODULE_DEVICE_TABLE.
+
+Fixes: a2790bf81f0f ("PCI: j721e: Add support to build as a loadable module")
+Signed-off-by: Siddharth Vadapalli <s-vadapalli@ti.com>
+[mani: reworded description]
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250901120359.3410774-1-s-vadapalli@ti.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/controller/cadence/pci-j721e.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pci/controller/cadence/pci-j721e.c b/drivers/pci/controller/cadence/pci-j721e.c
+index 6c93f39d0288..cfca13a4c840 100644
+--- a/drivers/pci/controller/cadence/pci-j721e.c
++++ b/drivers/pci/controller/cadence/pci-j721e.c
+@@ -440,6 +440,7 @@ static const struct of_device_id of_j721e_pcie_match[] = {
+ },
+ {},
+ };
++MODULE_DEVICE_TABLE(of, of_j721e_pcie_match);
+
+ static int j721e_pcie_probe(struct platform_device *pdev)
+ {
+--
+2.51.0
+
--- /dev/null
+From f842d3313ba179d4005096357289c7ad09cec575 Mon Sep 17 00:00:00 2001
+From: Siddharth Vadapalli <s-vadapalli@ti.com>
+Date: Mon, 8 Sep 2025 17:38:27 +0530
+Subject: PCI: j721e: Fix programming sequence of "strap" settings
+
+From: Siddharth Vadapalli <s-vadapalli@ti.com>
+
+commit f842d3313ba179d4005096357289c7ad09cec575 upstream.
+
+The Cadence PCIe Controller integrated in the TI K3 SoCs supports both
+Root-Complex and Endpoint modes of operation. The Glue Layer allows
+"strapping" the Mode of operation of the Controller, the Link Speed
+and the Link Width. This is enabled by programming the "PCIEn_CTRL"
+register (n corresponds to the PCIe instance) within the CTRL_MMR
+memory-mapped register space. The "reset-values" of the registers are
+also different depending on the mode of operation.
+
+Since the PCIe Controller latches onto the "reset-values" immediately
+after being powered on, if the Glue Layer configuration is not done while
+the PCIe Controller is off, it will result in the PCIe Controller latching
+onto the wrong "reset-values". In practice, this will show up as a wrong
+representation of the PCIe Controller's capability structures in the PCIe
+Configuration Space. Some such capabilities which are supported by the PCIe
+Controller in the Root-Complex mode but are incorrectly latched onto as
+being unsupported are:
+- Link Bandwidth Notification
+- Alternate Routing ID (ARI) Forwarding Support
+- Next capability offset within Advanced Error Reporting (AER) capability
+
+Fix this by powering off the PCIe Controller before programming the "strap"
+settings and powering it on after that. The runtime PM APIs namely
+pm_runtime_put_sync() and pm_runtime_get_sync() will decrement and
+increment the usage counter respectively, causing GENPD to power off and
+power on the PCIe Controller.
+
+Fixes: f3e25911a430 ("PCI: j721e: Add TI J721E PCIe driver")
+Signed-off-by: Siddharth Vadapalli <s-vadapalli@ti.com>
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250908120828.1471776-1-s-vadapalli@ti.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/controller/cadence/pci-j721e.c | 25 +++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+--- a/drivers/pci/controller/cadence/pci-j721e.c
++++ b/drivers/pci/controller/cadence/pci-j721e.c
+@@ -284,6 +284,25 @@ static int j721e_pcie_ctrl_init(struct j
+ if (!ret)
+ offset = args.args[0];
+
++ /*
++ * The PCIe Controller's registers have different "reset-values"
++ * depending on the "strap" settings programmed into the PCIEn_CTRL
++ * register within the CTRL_MMR memory-mapped register space.
++ * The registers latch onto a "reset-value" based on the "strap"
++ * settings sampled after the PCIe Controller is powered on.
++ * To ensure that the "reset-values" are sampled accurately, power
++ * off the PCIe Controller before programming the "strap" settings
++ * and power it on after that. The runtime PM APIs namely
++ * pm_runtime_put_sync() and pm_runtime_get_sync() will decrement and
++ * increment the usage counter respectively, causing GENPD to power off
++ * and power on the PCIe Controller.
++ */
++ ret = pm_runtime_put_sync(dev);
++ if (ret < 0) {
++ dev_err(dev, "Failed to power off PCIe Controller\n");
++ return ret;
++ }
++
+ ret = j721e_pcie_set_mode(pcie, syscon, offset);
+ if (ret < 0) {
+ dev_err(dev, "Failed to set pci mode\n");
+@@ -302,6 +321,12 @@ static int j721e_pcie_ctrl_init(struct j
+ return ret;
+ }
+
++ ret = pm_runtime_get_sync(dev);
++ if (ret < 0) {
++ dev_err(dev, "Failed to power on PCIe Controller\n");
++ return ret;
++ }
++
+ /* Enable ACSPCIE refclk output if the optional property exists */
+ syscon = syscon_regmap_lookup_by_phandle_optional(node,
+ "ti,syscon-acspcie-proxy-ctrl");
--- /dev/null
+From e51d05f523e43ce5d2bad957943a2b14f68078cd Mon Sep 17 00:00:00 2001
+From: Siddharth Vadapalli <s-vadapalli@ti.com>
+Date: Fri, 12 Sep 2025 15:37:58 +0530
+Subject: PCI: keystone: Use devm_request_irq() to free "ks-pcie-error-irq" on exit
+
+From: Siddharth Vadapalli <s-vadapalli@ti.com>
+
+commit e51d05f523e43ce5d2bad957943a2b14f68078cd upstream.
+
+Commit under Fixes introduced the IRQ handler for "ks-pcie-error-irq".
+The interrupt is acquired using "request_irq()" but is never freed if
+the driver exits due to an error. Although the section in the driver that
+invokes "request_irq()" has moved around over time, the issue hasn't been
+addressed until now.
+
+Fix this by using "devm_request_irq()" which automatically frees the
+interrupt if the driver exits.
+
+Fixes: 025dd3daeda7 ("PCI: keystone: Add error IRQ handler")
+Reported-by: Jiri Slaby <jirislaby@kernel.org>
+Closes: https://lore.kernel.org/r/3d3a4b52-e343-42f3-9d69-94c259812143@kernel.org
+Signed-off-by: Siddharth Vadapalli <s-vadapalli@ti.com>
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250912100802.3136121-2-s-vadapalli@ti.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/controller/dwc/pci-keystone.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/pci/controller/dwc/pci-keystone.c
++++ b/drivers/pci/controller/dwc/pci-keystone.c
+@@ -1201,8 +1201,8 @@ static int ks_pcie_probe(struct platform
+ if (irq < 0)
+ return irq;
+
+- ret = request_irq(irq, ks_pcie_err_irq_handler, IRQF_SHARED,
+- "ks-pcie-error-irq", ks_pcie);
++ ret = devm_request_irq(dev, irq, ks_pcie_err_irq_handler, IRQF_SHARED,
++ "ks-pcie-error-irq", ks_pcie);
+ if (ret < 0) {
+ dev_err(dev, "failed to request error IRQ %d\n",
+ irq);
--- /dev/null
+From e24bbbe0780262a21fc8619fe99078a5b8d64b18 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Mon, 21 Jul 2025 17:36:08 +0200
+Subject: PCI/pwrctrl: Fix device and OF node leak at bus scan
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit e24bbbe0780262a21fc8619fe99078a5b8d64b18 upstream.
+
+Make sure to drop the references to the pwrctrl OF node and device taken by
+of_pci_find_child_device() and of_find_device_by_node() respectively when
+scanning the bus.
+
+Fixes: 957f40d039a9 ("PCI/pwrctrl: Move creation of pwrctrl devices to pci_scan_device()")
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Manivannan Sadhasivam <mani@kernel.org>
+Cc: stable@vger.kernel.org # v6.15
+Link: https://patch.msgid.link/20250721153609.8611-3-johan+linaro@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/probe.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
+index f41128f91ca7..a56dfa1c9b6f 100644
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -2516,9 +2516,15 @@ static struct platform_device *pci_pwrctrl_create_device(struct pci_bus *bus, in
+ struct device_node *np;
+
+ np = of_pci_find_child_device(dev_of_node(&bus->dev), devfn);
+- if (!np || of_find_device_by_node(np))
++ if (!np)
+ return NULL;
+
++ pdev = of_find_device_by_node(np);
++ if (pdev) {
++ put_device(&pdev->dev);
++ goto err_put_of_node;
++ }
++
+ /*
+ * First check whether the pwrctrl device really needs to be created or
+ * not. This is decided based on at least one of the power supplies
+@@ -2526,17 +2532,24 @@ static struct platform_device *pci_pwrctrl_create_device(struct pci_bus *bus, in
+ */
+ if (!of_pci_supply_present(np)) {
+ pr_debug("PCI/pwrctrl: Skipping OF node: %s\n", np->name);
+- return NULL;
++ goto err_put_of_node;
+ }
+
+ /* Now create the pwrctrl device */
+ pdev = of_platform_device_create(np, NULL, &host->dev);
+ if (!pdev) {
+ pr_err("PCI/pwrctrl: Failed to create pwrctrl device for node: %s\n", np->name);
+- return NULL;
++ goto err_put_of_node;
+ }
+
++ of_node_put(np);
++
+ return pdev;
++
++err_put_of_node:
++ of_node_put(np);
++
++ return NULL;
+ }
+ #else
+ static struct platform_device *pci_pwrctrl_create_device(struct pci_bus *bus, int devfn)
+--
+2.51.0
+
--- /dev/null
+From dc32e9346b26ba33e84ec3034a1e53a9733700f9 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Mon, 21 Jul 2025 17:36:09 +0200
+Subject: PCI/pwrctrl: Fix device leak at device stop
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit dc32e9346b26ba33e84ec3034a1e53a9733700f9 upstream.
+
+Make sure to drop the reference to the pwrctrl device taken by
+of_find_device_by_node() when stopping a PCI device.
+
+Fixes: 681725afb6b9 ("PCI/pwrctl: Remove pwrctl device without iterating over all children of pwrctl parent")
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Manivannan Sadhasivam <mani@kernel.org>
+Cc: stable@vger.kernel.org # v6.13
+Link: https://patch.msgid.link/20250721153609.8611-4-johan+linaro@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/remove.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/pci/remove.c b/drivers/pci/remove.c
+index 445afdfa6498..16f21edbc29d 100644
+--- a/drivers/pci/remove.c
++++ b/drivers/pci/remove.c
+@@ -31,6 +31,8 @@ static void pci_pwrctrl_unregister(struct device *dev)
+ return;
+
+ of_device_unregister(pdev);
++ put_device(&pdev->dev);
++
+ of_node_clear_flag(np, OF_POPULATED);
+ }
+
+--
+2.51.0
+
--- /dev/null
+From 39f9be6aba3ae4d6fdd4b8554f1184d054d7a713 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Mon, 21 Jul 2025 17:36:07 +0200
+Subject: PCI/pwrctrl: Fix device leak at registration
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit 39f9be6aba3ae4d6fdd4b8554f1184d054d7a713 upstream.
+
+Make sure to drop the reference to the pwrctrl device taken by
+of_find_device_by_node() when registering a PCI device.
+
+Fixes: b458ff7e8176 ("PCI/pwrctl: Ensure that pwrctl drivers are probed before PCI client drivers")
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Manivannan Sadhasivam <mani@kernel.org>
+Cc: stable@vger.kernel.org # v6.13
+Link: https://patch.msgid.link/20250721153609.8611-2-johan+linaro@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/bus.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/drivers/pci/bus.c
++++ b/drivers/pci/bus.c
+@@ -361,11 +361,15 @@ void pci_bus_add_device(struct pci_dev *
+ * before PCI client drivers.
+ */
+ pdev = of_find_device_by_node(dn);
+- if (pdev && of_pci_supply_present(dn)) {
+- if (!device_link_add(&dev->dev, &pdev->dev,
+- DL_FLAG_AUTOREMOVE_CONSUMER))
+- pci_err(dev, "failed to add device link to power control device %s\n",
+- pdev->name);
++ if (pdev) {
++ if (of_pci_supply_present(dn)) {
++ if (!device_link_add(&dev->dev, &pdev->dev,
++ DL_FLAG_AUTOREMOVE_CONSUMER)) {
++ pci_err(dev, "failed to add device link to power control device %s\n",
++ pdev->name);
++ }
++ }
++ put_device(&pdev->dev);
+ }
+
+ if (!dn || of_device_is_available(dn))
--- /dev/null
+From d96ac5bdc52b271b4f8ac0670a203913666b8758 Mon Sep 17 00:00:00 2001
+From: Marek Vasut <marek.vasut+renesas@mailbox.org>
+Date: Wed, 6 Aug 2025 21:25:18 +0200
+Subject: PCI: rcar-gen4: Fix PHY initialization
+
+From: Marek Vasut <marek.vasut+renesas@mailbox.org>
+
+commit d96ac5bdc52b271b4f8ac0670a203913666b8758 upstream.
+
+R-Car V4H Reference Manual R19UH0186EJ0130 Rev.1.30 Apr. 21, 2025 page 4581
+Figure 104.3b Initial Setting of PCIEC(example), middle of the figure
+indicates that fourth write into register 0x148 [2:0] is 0x3 or
+GENMASK(1, 0). The current code writes GENMASK(11, 0) which is a typo. Fix
+the typo.
+
+Fixes: faf5a975ee3b ("PCI: rcar-gen4: Add support for R-Car V4H")
+Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250806192548.133140-1-marek.vasut+renesas@mailbox.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/controller/dwc/pcie-rcar-gen4.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pci/controller/dwc/pcie-rcar-gen4.c
++++ b/drivers/pci/controller/dwc/pcie-rcar-gen4.c
+@@ -723,7 +723,7 @@ static int rcar_gen4_pcie_ltssm_control(
+ rcar_gen4_pcie_phy_reg_update_bits(rcar, 0x148, GENMASK(23, 22), BIT(22));
+ rcar_gen4_pcie_phy_reg_update_bits(rcar, 0x148, GENMASK(18, 16), GENMASK(17, 16));
+ rcar_gen4_pcie_phy_reg_update_bits(rcar, 0x148, GENMASK(7, 6), BIT(6));
+- rcar_gen4_pcie_phy_reg_update_bits(rcar, 0x148, GENMASK(2, 0), GENMASK(11, 0));
++ rcar_gen4_pcie_phy_reg_update_bits(rcar, 0x148, GENMASK(2, 0), GENMASK(1, 0));
+ rcar_gen4_pcie_phy_reg_update_bits(rcar, 0x1d4, GENMASK(16, 15), GENMASK(16, 15));
+ rcar_gen4_pcie_phy_reg_update_bits(rcar, 0x514, BIT(26), BIT(26));
+ rcar_gen4_pcie_phy_reg_update_bits(rcar, 0x0f8, BIT(16), 0);
--- /dev/null
+From 5ed35b4d490d8735021cce9b715b62a418310864 Mon Sep 17 00:00:00 2001
+From: Marek Vasut <marek.vasut+renesas@mailbox.org>
+Date: Tue, 9 Sep 2025 18:26:25 +0200
+Subject: PCI: rcar-host: Convert struct rcar_msi mask_lock into raw spinlock
+
+From: Marek Vasut <marek.vasut+renesas@mailbox.org>
+
+commit 5ed35b4d490d8735021cce9b715b62a418310864 upstream.
+
+The rcar_msi_irq_unmask() function may be called from a PCI driver
+request_threaded_irq() function. This triggers kernel/irq/manage.c
+__setup_irq() which locks raw spinlock &desc->lock descriptor lock
+and with that descriptor lock held, calls rcar_msi_irq_unmask().
+
+Since the &desc->lock descriptor lock is a raw spinlock, and the rcar_msi
+.mask_lock is not a raw spinlock, this setup triggers 'BUG: Invalid wait
+context' with CONFIG_PROVE_RAW_LOCK_NESTING=y.
+
+Use scoped_guard() to simplify the locking.
+
+Fixes: 83ed8d4fa656 ("PCI: rcar: Convert to MSI domains")
+Reported-by: Duy Nguyen <duy.nguyen.rh@renesas.com>
+Reported-by: Thuan Nguyen <thuan.nguyen-hong@banvien.com.vn>
+Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Acked-by: Marc Zyngier <maz@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250909162707.13927-2-marek.vasut+renesas@mailbox.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/controller/pcie-rcar-host.c | 27 +++++++++++++--------------
+ 1 file changed, 13 insertions(+), 14 deletions(-)
+
+--- a/drivers/pci/controller/pcie-rcar-host.c
++++ b/drivers/pci/controller/pcie-rcar-host.c
+@@ -12,6 +12,7 @@
+ */
+
+ #include <linux/bitops.h>
++#include <linux/cleanup.h>
+ #include <linux/clk.h>
+ #include <linux/clk-provider.h>
+ #include <linux/delay.h>
+@@ -38,7 +39,7 @@ struct rcar_msi {
+ DECLARE_BITMAP(used, INT_PCI_MSI_NR);
+ struct irq_domain *domain;
+ struct mutex map_lock;
+- spinlock_t mask_lock;
++ raw_spinlock_t mask_lock;
+ int irq1;
+ int irq2;
+ };
+@@ -602,28 +603,26 @@ static void rcar_msi_irq_mask(struct irq
+ {
+ struct rcar_msi *msi = irq_data_get_irq_chip_data(d);
+ struct rcar_pcie *pcie = &msi_to_host(msi)->pcie;
+- unsigned long flags;
+ u32 value;
+
+- spin_lock_irqsave(&msi->mask_lock, flags);
+- value = rcar_pci_read_reg(pcie, PCIEMSIIER);
+- value &= ~BIT(d->hwirq);
+- rcar_pci_write_reg(pcie, value, PCIEMSIIER);
+- spin_unlock_irqrestore(&msi->mask_lock, flags);
++ scoped_guard(raw_spinlock_irqsave, &msi->mask_lock) {
++ value = rcar_pci_read_reg(pcie, PCIEMSIIER);
++ value &= ~BIT(d->hwirq);
++ rcar_pci_write_reg(pcie, value, PCIEMSIIER);
++ }
+ }
+
+ static void rcar_msi_irq_unmask(struct irq_data *d)
+ {
+ struct rcar_msi *msi = irq_data_get_irq_chip_data(d);
+ struct rcar_pcie *pcie = &msi_to_host(msi)->pcie;
+- unsigned long flags;
+ u32 value;
+
+- spin_lock_irqsave(&msi->mask_lock, flags);
+- value = rcar_pci_read_reg(pcie, PCIEMSIIER);
+- value |= BIT(d->hwirq);
+- rcar_pci_write_reg(pcie, value, PCIEMSIIER);
+- spin_unlock_irqrestore(&msi->mask_lock, flags);
++ scoped_guard(raw_spinlock_irqsave, &msi->mask_lock) {
++ value = rcar_pci_read_reg(pcie, PCIEMSIIER);
++ value |= BIT(d->hwirq);
++ rcar_pci_write_reg(pcie, value, PCIEMSIIER);
++ }
+ }
+
+ static void rcar_compose_msi_msg(struct irq_data *data, struct msi_msg *msg)
+@@ -736,7 +735,7 @@ static int rcar_pcie_enable_msi(struct r
+ int err;
+
+ mutex_init(&msi->map_lock);
+- spin_lock_init(&msi->mask_lock);
++ raw_spin_lock_init(&msi->mask_lock);
+
+ err = of_address_to_resource(dev->of_node, 0, &res);
+ if (err)
--- /dev/null
+From 0a8f173d9dad13930d5888505dc4c4fd6a1d4262 Mon Sep 17 00:00:00 2001
+From: Marek Vasut <marek.vasut+renesas@mailbox.org>
+Date: Tue, 9 Sep 2025 18:26:24 +0200
+Subject: PCI: rcar-host: Drop PMSR spinlock
+
+From: Marek Vasut <marek.vasut+renesas@mailbox.org>
+
+commit 0a8f173d9dad13930d5888505dc4c4fd6a1d4262 upstream.
+
+The pmsr_lock spinlock used to be necessary to synchronize access to the
+PMSR register, because that access could have been triggered from either
+config space access in rcar_pcie_config_access() or an exception handler
+rcar_pcie_aarch32_abort_handler().
+
+The rcar_pcie_aarch32_abort_handler() case is no longer applicable since
+commit 6e36203bc14c ("PCI: rcar: Use PCI_SET_ERROR_RESPONSE after read
+which triggered an exception"), which performs more accurate, controlled
+invocation of the exception, and a fixup.
+
+This leaves rcar_pcie_config_access() as the only call site from which
+rcar_pcie_wakeup() is called. The rcar_pcie_config_access() can only be
+called from the controller struct pci_ops .read and .write callbacks,
+and those are serialized in drivers/pci/access.c using raw spinlock
+'pci_lock' . It should be noted that CONFIG_PCI_LOCKLESS_CONFIG is never
+set on this platform.
+
+Since the 'pci_lock' is a raw spinlock , and the 'pmsr_lock' is not a
+raw spinlock, this constellation triggers 'BUG: Invalid wait context'
+with CONFIG_PROVE_RAW_LOCK_NESTING=y .
+
+Remove the pmsr_lock to fix the locking.
+
+Fixes: a115b1bd3af0 ("PCI: rcar: Add L1 link state fix into data abort hook")
+Reported-by: Duy Nguyen <duy.nguyen.rh@renesas.com>
+Reported-by: Thuan Nguyen <thuan.nguyen-hong@banvien.com.vn>
+Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250909162707.13927-1-marek.vasut+renesas@mailbox.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/controller/pcie-rcar-host.c | 13 ++-----------
+ 1 file changed, 2 insertions(+), 11 deletions(-)
+
+--- a/drivers/pci/controller/pcie-rcar-host.c
++++ b/drivers/pci/controller/pcie-rcar-host.c
+@@ -52,20 +52,13 @@ struct rcar_pcie_host {
+ int (*phy_init_fn)(struct rcar_pcie_host *host);
+ };
+
+-static DEFINE_SPINLOCK(pmsr_lock);
+-
+ static int rcar_pcie_wakeup(struct device *pcie_dev, void __iomem *pcie_base)
+ {
+- unsigned long flags;
+ u32 pmsr, val;
+ int ret = 0;
+
+- spin_lock_irqsave(&pmsr_lock, flags);
+-
+- if (!pcie_base || pm_runtime_suspended(pcie_dev)) {
+- ret = -EINVAL;
+- goto unlock_exit;
+- }
++ if (!pcie_base || pm_runtime_suspended(pcie_dev))
++ return -EINVAL;
+
+ pmsr = readl(pcie_base + PMSR);
+
+@@ -87,8 +80,6 @@ static int rcar_pcie_wakeup(struct devic
+ writel(L1FAEG | PMEL1RX, pcie_base + PMSR);
+ }
+
+-unlock_exit:
+- spin_unlock_irqrestore(&pmsr_lock, flags);
+ return ret;
+ }
+
--- /dev/null
+From 48991e4935078b05f80616c75d1ee2ea3ae18e58 Mon Sep 17 00:00:00 2001
+From: Brian Norris <briannorris@google.com>
+Date: Wed, 24 Sep 2025 09:57:11 -0700
+Subject: PCI/sysfs: Ensure devices are powered for config reads
+
+From: Brian Norris <briannorris@google.com>
+
+commit 48991e4935078b05f80616c75d1ee2ea3ae18e58 upstream.
+
+The "max_link_width", "current_link_speed", "current_link_width",
+"secondary_bus_number", and "subordinate_bus_number" sysfs files all access
+config registers, but they don't check the runtime PM state. If the device
+is in D3cold or a parent bridge is suspended, we may see -EINVAL, bogus
+values, or worse, depending on implementation details.
+
+Wrap these access in pci_config_pm_runtime_{get,put}() like most of the
+rest of the similar sysfs attributes.
+
+Notably, "max_link_speed" does not access config registers; it returns a
+cached value since d2bd39c0456b ("PCI: Store all PCIe Supported Link
+Speeds").
+
+Fixes: 56c1af4606f0 ("PCI: Add sysfs max_link_speed/width, current_link_speed/width, etc")
+Signed-off-by: Brian Norris <briannorris@google.com>
+Signed-off-by: Brian Norris <briannorris@chromium.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250924095711.v2.1.Ibb5b6ca1e2c059e04ec53140cd98a44f2684c668@changeid
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/pci-sysfs.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+--- a/drivers/pci/pci-sysfs.c
++++ b/drivers/pci/pci-sysfs.c
+@@ -201,8 +201,14 @@ static ssize_t max_link_width_show(struc
+ struct device_attribute *attr, char *buf)
+ {
+ struct pci_dev *pdev = to_pci_dev(dev);
++ ssize_t ret;
+
+- return sysfs_emit(buf, "%u\n", pcie_get_width_cap(pdev));
++ /* We read PCI_EXP_LNKCAP, so we need the device to be accessible. */
++ pci_config_pm_runtime_get(pdev);
++ ret = sysfs_emit(buf, "%u\n", pcie_get_width_cap(pdev));
++ pci_config_pm_runtime_put(pdev);
++
++ return ret;
+ }
+ static DEVICE_ATTR_RO(max_link_width);
+
+@@ -214,7 +220,10 @@ static ssize_t current_link_speed_show(s
+ int err;
+ enum pci_bus_speed speed;
+
++ pci_config_pm_runtime_get(pci_dev);
+ err = pcie_capability_read_word(pci_dev, PCI_EXP_LNKSTA, &linkstat);
++ pci_config_pm_runtime_put(pci_dev);
++
+ if (err)
+ return -EINVAL;
+
+@@ -231,7 +240,10 @@ static ssize_t current_link_width_show(s
+ u16 linkstat;
+ int err;
+
++ pci_config_pm_runtime_get(pci_dev);
+ err = pcie_capability_read_word(pci_dev, PCI_EXP_LNKSTA, &linkstat);
++ pci_config_pm_runtime_put(pci_dev);
++
+ if (err)
+ return -EINVAL;
+
+@@ -247,7 +259,10 @@ static ssize_t secondary_bus_number_show
+ u8 sec_bus;
+ int err;
+
++ pci_config_pm_runtime_get(pci_dev);
+ err = pci_read_config_byte(pci_dev, PCI_SECONDARY_BUS, &sec_bus);
++ pci_config_pm_runtime_put(pci_dev);
++
+ if (err)
+ return -EINVAL;
+
+@@ -263,7 +278,10 @@ static ssize_t subordinate_bus_number_sh
+ u8 sub_bus;
+ int err;
+
++ pci_config_pm_runtime_get(pci_dev);
+ err = pci_read_config_byte(pci_dev, PCI_SUBORDINATE_BUS, &sub_bus);
++ pci_config_pm_runtime_put(pci_dev);
++
+ if (err)
+ return -EINVAL;
+
--- /dev/null
+From 26fda92d3b56bf44a02bcb4001c5a5548e0ae8ee Mon Sep 17 00:00:00 2001
+From: Marek Vasut <marek.vasut+renesas@mailbox.org>
+Date: Mon, 22 Sep 2025 17:07:48 +0200
+Subject: PCI: tegra: Convert struct tegra_msi mask_lock into raw spinlock
+
+From: Marek Vasut <marek.vasut+renesas@mailbox.org>
+
+commit 26fda92d3b56bf44a02bcb4001c5a5548e0ae8ee upstream.
+
+The tegra_msi_irq_unmask() function may be called from a PCI driver
+request_threaded_irq() function. This triggers kernel/irq/manage.c
+__setup_irq() which locks raw spinlock &desc->lock descriptor lock
+and with that descriptor lock held, calls tegra_msi_irq_unmask().
+
+Since the &desc->lock descriptor lock is a raw spinlock, and the tegra_msi
+.mask_lock is not a raw spinlock, this setup triggers 'BUG: Invalid wait
+context' with CONFIG_PROVE_RAW_LOCK_NESTING=y.
+
+Use scoped_guard() to simplify the locking.
+
+Fixes: 2c99e55f7955 ("PCI: tegra: Convert to MSI domains")
+Reported-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Closes: https://patchwork.kernel.org/project/linux-pci/patch/20250909162707.13927-2-marek.vasut+renesas@mailbox.org/#26574451
+Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250922150811.88450-1-marek.vasut+renesas@mailbox.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/controller/pci-tegra.c | 27 +++++++++++++--------------
+ 1 file changed, 13 insertions(+), 14 deletions(-)
+
+--- a/drivers/pci/controller/pci-tegra.c
++++ b/drivers/pci/controller/pci-tegra.c
+@@ -14,6 +14,7 @@
+ */
+
+ #include <linux/clk.h>
++#include <linux/cleanup.h>
+ #include <linux/debugfs.h>
+ #include <linux/delay.h>
+ #include <linux/export.h>
+@@ -270,7 +271,7 @@ struct tegra_msi {
+ DECLARE_BITMAP(used, INT_PCI_MSI_NR);
+ struct irq_domain *domain;
+ struct mutex map_lock;
+- spinlock_t mask_lock;
++ raw_spinlock_t mask_lock;
+ void *virt;
+ dma_addr_t phys;
+ int irq;
+@@ -1581,14 +1582,13 @@ static void tegra_msi_irq_mask(struct ir
+ struct tegra_msi *msi = irq_data_get_irq_chip_data(d);
+ struct tegra_pcie *pcie = msi_to_pcie(msi);
+ unsigned int index = d->hwirq / 32;
+- unsigned long flags;
+ u32 value;
+
+- spin_lock_irqsave(&msi->mask_lock, flags);
+- value = afi_readl(pcie, AFI_MSI_EN_VEC(index));
+- value &= ~BIT(d->hwirq % 32);
+- afi_writel(pcie, value, AFI_MSI_EN_VEC(index));
+- spin_unlock_irqrestore(&msi->mask_lock, flags);
++ scoped_guard(raw_spinlock_irqsave, &msi->mask_lock) {
++ value = afi_readl(pcie, AFI_MSI_EN_VEC(index));
++ value &= ~BIT(d->hwirq % 32);
++ afi_writel(pcie, value, AFI_MSI_EN_VEC(index));
++ }
+ }
+
+ static void tegra_msi_irq_unmask(struct irq_data *d)
+@@ -1596,14 +1596,13 @@ static void tegra_msi_irq_unmask(struct
+ struct tegra_msi *msi = irq_data_get_irq_chip_data(d);
+ struct tegra_pcie *pcie = msi_to_pcie(msi);
+ unsigned int index = d->hwirq / 32;
+- unsigned long flags;
+ u32 value;
+
+- spin_lock_irqsave(&msi->mask_lock, flags);
+- value = afi_readl(pcie, AFI_MSI_EN_VEC(index));
+- value |= BIT(d->hwirq % 32);
+- afi_writel(pcie, value, AFI_MSI_EN_VEC(index));
+- spin_unlock_irqrestore(&msi->mask_lock, flags);
++ scoped_guard(raw_spinlock_irqsave, &msi->mask_lock) {
++ value = afi_readl(pcie, AFI_MSI_EN_VEC(index));
++ value |= BIT(d->hwirq % 32);
++ afi_writel(pcie, value, AFI_MSI_EN_VEC(index));
++ }
+ }
+
+ static void tegra_compose_msi_msg(struct irq_data *data, struct msi_msg *msg)
+@@ -1711,7 +1710,7 @@ static int tegra_pcie_msi_setup(struct t
+ int err;
+
+ mutex_init(&msi->map_lock);
+- spin_lock_init(&msi->mask_lock);
++ raw_spin_lock_init(&msi->mask_lock);
+
+ if (IS_ENABLED(CONFIG_PCI_MSI)) {
+ err = tegra_allocate_domains(msi);
--- /dev/null
+From b640d42a6ac9ba01abe65ec34f7c73aaf6758ab8 Mon Sep 17 00:00:00 2001
+From: Niklas Cassel <cassel@kernel.org>
+Date: Mon, 22 Sep 2025 16:08:24 +0200
+Subject: PCI: tegra194: Fix broken tegra_pcie_ep_raise_msi_irq()
+
+From: Niklas Cassel <cassel@kernel.org>
+
+commit b640d42a6ac9ba01abe65ec34f7c73aaf6758ab8 upstream.
+
+The pci_epc_raise_irq() supplies a MSI or MSI-X interrupt number in range
+(1-N), as per the pci_epc_raise_irq() kdoc, where N is 32 for MSI.
+
+But tegra_pcie_ep_raise_msi_irq() incorrectly uses the interrupt number as
+the MSI vector. This causes wrong MSI vector to be triggered, leading to
+the failure of PCI endpoint Kselftest MSI_TEST test case.
+
+To fix this issue, convert the interrupt number to MSI vector.
+
+Fixes: c57247f940e8 ("PCI: tegra: Add support for PCIe endpoint mode in Tegra194")
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250922140822.519796-6-cassel@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/controller/dwc/pcie-tegra194.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/pci/controller/dwc/pcie-tegra194.c
++++ b/drivers/pci/controller/dwc/pcie-tegra194.c
+@@ -1955,10 +1955,10 @@ static int tegra_pcie_ep_raise_intx_irq(
+
+ static int tegra_pcie_ep_raise_msi_irq(struct tegra_pcie_dw *pcie, u16 irq)
+ {
+- if (unlikely(irq > 31))
++ if (unlikely(irq > 32))
+ return -EINVAL;
+
+- appl_writel(pcie, BIT(irq), APPL_MSI_CTRL_1);
++ appl_writel(pcie, BIT(irq - 1), APPL_MSI_CTRL_1);
+
+ return 0;
+ }
--- /dev/null
+From f8c9ad46b00453a8c075453f3745f8d263f44834 Mon Sep 17 00:00:00 2001
+From: Vidya Sagar <vidyas@nvidia.com>
+Date: Mon, 22 Sep 2025 16:08:26 +0200
+Subject: PCI: tegra194: Handle errors in BPMP response
+
+From: Vidya Sagar <vidyas@nvidia.com>
+
+commit f8c9ad46b00453a8c075453f3745f8d263f44834 upstream.
+
+The return value from tegra_bpmp_transfer() indicates the success or
+failure of the IPC transaction with BPMP. If the transaction succeeded, we
+also need to check the actual command's result code.
+
+If we don't have error handling for tegra_bpmp_transfer(), we will set the
+pcie->ep_state to EP_STATE_ENABLED even when the tegra_bpmp_transfer()
+command fails. Thus, the pcie->ep_state will get out of sync with reality,
+and any further PERST# assert + deassert will be a no-op and will not
+trigger the hardware initialization sequence.
+
+This is because pex_ep_event_pex_rst_deassert() checks the current
+pcie->ep_state, and does nothing if the current state is already
+EP_STATE_ENABLED.
+
+Thus, it is important to have error handling for tegra_bpmp_transfer(),
+such that the pcie->ep_state can not get out of sync with reality, so that
+we will try to initialize the hardware not only during the first PERST#
+assert + deassert, but also during any succeeding PERST# assert + deassert.
+
+One example where this fix is needed is when using a rock5b as host.
+During the initial PERST# assert + deassert (triggered by the bootloader on
+the rock5b) pex_ep_event_pex_rst_deassert() will get called, but for some
+unknown reason, the tegra_bpmp_transfer() call to initialize the PHY fails.
+Once Linux has been loaded on the rock5b, the PCIe driver will once again
+assert + deassert PERST#. However, without tegra_bpmp_transfer() error
+handling, this second PERST# assert + deassert will not trigger the
+hardware initialization sequence.
+
+With tegra_bpmp_transfer() error handling, the second PERST# assert +
+deassert will once again trigger the hardware to be initialized and this
+time the tegra_bpmp_transfer() succeeds.
+
+Fixes: c57247f940e8 ("PCI: tegra: Add support for PCIe endpoint mode in Tegra194")
+Signed-off-by: Vidya Sagar <vidyas@nvidia.com>
+[cassel: improve commit log]
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
+Acked-by: Thierry Reding <treding@nvidia.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250922140822.519796-8-cassel@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/controller/dwc/pcie-tegra194.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+--- a/drivers/pci/controller/dwc/pcie-tegra194.c
++++ b/drivers/pci/controller/dwc/pcie-tegra194.c
+@@ -1214,6 +1214,7 @@ static int tegra_pcie_bpmp_set_ctrl_stat
+ struct mrq_uphy_response resp;
+ struct tegra_bpmp_message msg;
+ struct mrq_uphy_request req;
++ int err;
+
+ /*
+ * Controller-5 doesn't need to have its state set by BPMP-FW in
+@@ -1236,7 +1237,13 @@ static int tegra_pcie_bpmp_set_ctrl_stat
+ msg.rx.data = &resp;
+ msg.rx.size = sizeof(resp);
+
+- return tegra_bpmp_transfer(pcie->bpmp, &msg);
++ err = tegra_bpmp_transfer(pcie->bpmp, &msg);
++ if (err)
++ return err;
++ if (msg.rx.ret)
++ return -EINVAL;
++
++ return 0;
+ }
+
+ static int tegra_pcie_bpmp_set_pll_state(struct tegra_pcie_dw *pcie,
+@@ -1245,6 +1252,7 @@ static int tegra_pcie_bpmp_set_pll_state
+ struct mrq_uphy_response resp;
+ struct tegra_bpmp_message msg;
+ struct mrq_uphy_request req;
++ int err;
+
+ memset(&req, 0, sizeof(req));
+ memset(&resp, 0, sizeof(resp));
+@@ -1264,7 +1272,13 @@ static int tegra_pcie_bpmp_set_pll_state
+ msg.rx.data = &resp;
+ msg.rx.size = sizeof(resp);
+
+- return tegra_bpmp_transfer(pcie->bpmp, &msg);
++ err = tegra_bpmp_transfer(pcie->bpmp, &msg);
++ if (err)
++ return err;
++ if (msg.rx.ret)
++ return -EINVAL;
++
++ return 0;
+ }
+
+ static void tegra_pcie_downstream_dev_to_D0(struct tegra_pcie_dw *pcie)
--- /dev/null
+From 42f9c66a6d0cc45758dab77233c5460e1cf003df Mon Sep 17 00:00:00 2001
+From: Niklas Cassel <cassel@kernel.org>
+Date: Mon, 22 Sep 2025 16:08:25 +0200
+Subject: PCI: tegra194: Reset BARs when running in PCIe endpoint mode
+
+From: Niklas Cassel <cassel@kernel.org>
+
+commit 42f9c66a6d0cc45758dab77233c5460e1cf003df upstream.
+
+Tegra already defines all BARs except BAR0 as BAR_RESERVED. This is
+sufficient for pci-epf-test to not allocate backing memory and to not call
+set_bar() for those BARs. However, marking a BAR as BAR_RESERVED does not
+mean that the BAR gets disabled.
+
+The host side driver, pci_endpoint_test, simply does an ioremap for all
+enabled BARs and will run tests against all enabled BARs, so it will run
+tests against the BARs marked as BAR_RESERVED.
+
+After running the BAR tests (which will write to all enabled BARs), the
+inbound address translation is broken. This is because the tegra controller
+exposes the ATU Port Logic Structure in BAR4, so when BAR4 is written, the
+inbound address translation settings get overwritten.
+
+To avoid this, implement the dw_pcie_ep_ops .init() callback and start off
+by disabling all BARs (pci-epf-test will later enable/configure BARs that
+are not defined as BAR_RESERVED).
+
+This matches the behavior of other PCIe endpoint drivers: dra7xx, imx6,
+layerscape-ep, artpec6, dw-rockchip, qcom-ep, rcar-gen4, and uniphier-ep.
+
+With this, the PCI endpoint kselftest test case CONSECUTIVE_BAR_TEST (which
+was specifically made to detect address translation issues) passes.
+
+Fixes: c57247f940e8 ("PCI: tegra: Add support for PCIe endpoint mode in Tegra194")
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250922140822.519796-7-cassel@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/controller/dwc/pcie-tegra194.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/pci/controller/dwc/pcie-tegra194.c
++++ b/drivers/pci/controller/dwc/pcie-tegra194.c
+@@ -1955,6 +1955,15 @@ static irqreturn_t tegra_pcie_ep_pex_rst
+ return IRQ_HANDLED;
+ }
+
++static void tegra_pcie_ep_init(struct dw_pcie_ep *ep)
++{
++ struct dw_pcie *pci = to_dw_pcie_from_ep(ep);
++ enum pci_barno bar;
++
++ for (bar = 0; bar < PCI_STD_NUM_BARS; bar++)
++ dw_pcie_ep_reset_bar(pci, bar);
++};
++
+ static int tegra_pcie_ep_raise_intx_irq(struct tegra_pcie_dw *pcie, u16 irq)
+ {
+ /* Tegra194 supports only INTA */
+@@ -2031,6 +2040,7 @@ tegra_pcie_ep_get_features(struct dw_pci
+ }
+
+ static const struct dw_pcie_ep_ops pcie_ep_ops = {
++ .init = tegra_pcie_ep_init,
+ .raise_irq = tegra_pcie_ep_raise_irq,
+ .get_features = tegra_pcie_ep_get_features,
+ };
--- /dev/null
+From 98a4f5b7359205ced1b6a626df3963bf7c5e5052 Mon Sep 17 00:00:00 2001
+From: Jani Nurminen <jani.nurminen@windriver.com>
+Date: Fri, 12 Sep 2025 11:09:48 +0200
+Subject: PCI: xilinx-nwl: Fix ECAM programming
+
+From: Jani Nurminen <jani.nurminen@windriver.com>
+
+commit 98a4f5b7359205ced1b6a626df3963bf7c5e5052 upstream.
+
+When PCIe has been set up by the bootloader, the ecam_size field in the
+E_ECAM_CONTROL register already contains a value.
+
+The driver previously programmed it to 0xc (for 16 busses; 16 MB), but
+bumped to 0x10 (for 256 busses; 256 MB) by the commit 2fccd11518f1 ("PCI:
+xilinx-nwl: Modify ECAM size to enable support for 256 buses").
+
+Regardless of what the bootloader has programmed, the driver ORs in a
+new maximal value without doing a proper RMW sequence. This can lead to
+problems.
+
+For example, if the bootloader programs in 0xc and the driver uses 0x10,
+the ORed result is 0x1c, which is beyond the ecam_max_size limit of 0x10
+(from E_ECAM_CAPABILITIES).
+
+Avoid the problems by doing a proper RMW.
+
+Fixes: 2fccd11518f1 ("PCI: xilinx-nwl: Modify ECAM size to enable support for 256 buses")
+Signed-off-by: Jani Nurminen <jani.nurminen@windriver.com>
+[mani: added stable tag]
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/e83a2af2-af0b-4670-bcf5-ad408571c2b0@windriver.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/controller/pcie-xilinx-nwl.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/pci/controller/pcie-xilinx-nwl.c
++++ b/drivers/pci/controller/pcie-xilinx-nwl.c
+@@ -718,9 +718,10 @@ static int nwl_pcie_bridge_init(struct n
+ nwl_bridge_writel(pcie, nwl_bridge_readl(pcie, E_ECAM_CONTROL) |
+ E_ECAM_CR_ENABLE, E_ECAM_CONTROL);
+
+- nwl_bridge_writel(pcie, nwl_bridge_readl(pcie, E_ECAM_CONTROL) |
+- (NWL_ECAM_MAX_SIZE << E_ECAM_SIZE_SHIFT),
+- E_ECAM_CONTROL);
++ ecam_val = nwl_bridge_readl(pcie, E_ECAM_CONTROL);
++ ecam_val &= ~E_ECAM_SIZE_LOC;
++ ecam_val |= NWL_ECAM_MAX_SIZE << E_ECAM_SIZE_SHIFT;
++ nwl_bridge_writel(pcie, ecam_val, E_ECAM_CONTROL);
+
+ nwl_bridge_writel(pcie, lower_32_bits(pcie->phys_ecam_base),
+ E_ECAM_BASE_LO);
--- /dev/null
+From 358253fa8179ab4217ac283b56adde0174186f87 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Date: Sat, 30 Aug 2025 13:16:58 +0200
+Subject: pinctrl: samsung: Drop unused S3C24xx driver data
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+commit 358253fa8179ab4217ac283b56adde0174186f87 upstream.
+
+Drop unused declarations after S3C24xx SoC family removal in the commit
+61b7f8920b17 ("ARM: s3c: remove all s3c24xx support").
+
+Fixes: 1ea35b355722 ("ARM: s3c: remove s3c24xx specific hacks")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250830111657.126190-3-krzysztof.kozlowski@linaro.org
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/samsung/pinctrl-samsung.h | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/drivers/pinctrl/samsung/pinctrl-samsung.h
++++ b/drivers/pinctrl/samsung/pinctrl-samsung.h
+@@ -402,10 +402,6 @@ extern const struct samsung_pinctrl_of_m
+ extern const struct samsung_pinctrl_of_match_data fsd_of_data;
+ extern const struct samsung_pinctrl_of_match_data gs101_of_data;
+ extern const struct samsung_pinctrl_of_match_data s3c64xx_of_data;
+-extern const struct samsung_pinctrl_of_match_data s3c2412_of_data;
+-extern const struct samsung_pinctrl_of_match_data s3c2416_of_data;
+-extern const struct samsung_pinctrl_of_match_data s3c2440_of_data;
+-extern const struct samsung_pinctrl_of_match_data s3c2450_of_data;
+ extern const struct samsung_pinctrl_of_match_data s5pv210_of_data;
+
+ #endif /* __PINCTRL_SAMSUNG_H */
--- /dev/null
+From 1ebe8f7e782523e62cd1fa8237f7afba5d1dae83 Mon Sep 17 00:00:00 2001
+From: Christian Loehle <christian.loehle@arm.com>
+Date: Sun, 31 Aug 2025 22:43:57 +0100
+Subject: PM: EM: Fix late boot with holes in CPU topology
+
+From: Christian Loehle <christian.loehle@arm.com>
+
+commit 1ebe8f7e782523e62cd1fa8237f7afba5d1dae83 upstream.
+
+Commit e3f1164fc9ee ("PM: EM: Support late CPUs booting and capacity
+adjustment") added a mechanism to handle CPUs that come up late by
+retrying when any of the `cpufreq_cpu_get()` call fails.
+
+However, if there are holes in the CPU topology (offline CPUs, e.g.
+nosmt), the first missing CPU causes the loop to break, preventing
+subsequent online CPUs from being updated.
+
+Instead of aborting on the first missing CPU policy, loop through all
+and retry if any were missing.
+
+Fixes: e3f1164fc9ee ("PM: EM: Support late CPUs booting and capacity adjustment")
+Suggested-by: Kenneth Crudup <kenneth.crudup@gmail.com>
+Reported-by: Kenneth Crudup <kenneth.crudup@gmail.com>
+Link: https://lore.kernel.org/linux-pm/40212796-734c-4140-8a85-854f72b8144d@panix.com/
+Cc: 6.9+ <stable@vger.kernel.org> # 6.9+
+Signed-off-by: Christian Loehle <christian.loehle@arm.com>
+Link: https://patch.msgid.link/20250831214357.2020076-1-christian.loehle@arm.com
+[ rjw: Drop the new pr_debug() message which is not very useful ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/power/energy_model.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/kernel/power/energy_model.c
++++ b/kernel/power/energy_model.c
+@@ -799,7 +799,7 @@ void em_adjust_cpu_capacity(unsigned int
+ static void em_check_capacity_update(void)
+ {
+ cpumask_var_t cpu_done_mask;
+- int cpu;
++ int cpu, failed_cpus = 0;
+
+ if (!zalloc_cpumask_var(&cpu_done_mask, GFP_KERNEL)) {
+ pr_warn("no free memory\n");
+@@ -817,10 +817,8 @@ static void em_check_capacity_update(voi
+
+ policy = cpufreq_cpu_get(cpu);
+ if (!policy) {
+- pr_debug("Accessing cpu%d policy failed\n", cpu);
+- schedule_delayed_work(&em_update_work,
+- msecs_to_jiffies(1000));
+- break;
++ failed_cpus++;
++ continue;
+ }
+ cpufreq_cpu_put(policy);
+
+@@ -835,6 +833,9 @@ static void em_check_capacity_update(voi
+ em_adjust_new_capacity(cpu, dev, pd);
+ }
+
++ if (failed_cpus)
++ schedule_delayed_work(&em_update_work, msecs_to_jiffies(1000));
++
+ free_cpumask_var(cpu_done_mask);
+ }
+
--- /dev/null
+From 469d80a3712c66a00b5bb888e62e809db8887ba7 Mon Sep 17 00:00:00 2001
+From: "Mario Limonciello (AMD)" <superm1@kernel.org>
+Date: Thu, 25 Sep 2025 13:51:06 -0500
+Subject: PM: hibernate: Fix hybrid-sleep
+
+From: Mario Limonciello (AMD) <superm1@kernel.org>
+
+commit 469d80a3712c66a00b5bb888e62e809db8887ba7 upstream.
+
+Hybrid sleep will hibernate the system followed by running through
+the suspend routine. Since both the hibernate and the suspend routine
+will call pm_restrict_gfp_mask(), pm_restore_gfp_mask() must be called
+before starting the suspend sequence.
+
+Add an explicit call to pm_restore_gfp_mask() to power_down() before
+the suspend sequence starts. Add an extra call for pm_restrict_gfp_mask()
+when exiting suspend so that the pm_restore_gfp_mask() call in hibernate()
+is balanced.
+
+Reported-by: Ionut Nechita <ionut_n2001@yahoo.com>
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4573
+Tested-by: Ionut Nechita <ionut_n2001@yahoo.com>
+Fixes: 12ffc3b1513eb ("PM: Restrict swap use to later in the suspend sequence")
+Tested-by: Kenneth Crudup <kenny@panix.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Mario Limonciello (AMD) <superm1@kernel.org>
+Link: https://patch.msgid.link/20250925185108.2968494-2-superm1@kernel.org
+[ rjw: Add comment explainig the new pm_restrict_gfp_mask() call purpose ]
+Cc: 6.16+ <stable@vger.kernel.org> # 6.16+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/power/hibernate.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/kernel/power/hibernate.c
++++ b/kernel/power/hibernate.c
+@@ -695,12 +695,16 @@ static void power_down(void)
+
+ #ifdef CONFIG_SUSPEND
+ if (hibernation_mode == HIBERNATION_SUSPEND) {
++ pm_restore_gfp_mask();
+ error = suspend_devices_and_enter(mem_sleep_current);
+ if (error) {
+ hibernation_mode = hibernation_ops ?
+ HIBERNATION_PLATFORM :
+ HIBERNATION_SHUTDOWN;
+ } else {
++ /* Match pm_restore_gfp_mask() call in hibernate() */
++ pm_restrict_gfp_mask();
++
+ /* Restore swap signature. */
+ error = swsusp_unmark();
+ if (error)
--- /dev/null
+From 6f4c6f9ed4ce65303f6bb153e2afc71bc33c8ded Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Fri, 26 Sep 2025 18:40:25 +0200
+Subject: PM: hibernate: Restrict GFP mask in power_down()
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit 6f4c6f9ed4ce65303f6bb153e2afc71bc33c8ded upstream.
+
+Commit 12ffc3b1513e ("PM: Restrict swap use to later in the
+suspend sequence") caused hibernation_platform_enter() to call
+pm_restore_gfp_mask() via dpm_resume_end(), so when power_down()
+returns after aborting hibernation_platform_enter(), it needs
+to match the pm_restore_gfp_mask() call in hibernate() that will
+occur subsequently.
+
+Address this by adding a pm_restrict_gfp_mask() call to the relevant
+error path in power_down().
+
+Fixes: 12ffc3b1513e ("PM: Restrict swap use to later in the suspend sequence")
+Cc: 6.16+ <stable@vger.kernel.org> # 6.16+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/power/hibernate.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/power/hibernate.c
++++ b/kernel/power/hibernate.c
+@@ -722,6 +722,8 @@ static void power_down(void)
+ case HIBERNATION_PLATFORM:
+ error = hibernation_platform_enter();
+ if (error == -EAGAIN || error == -EBUSY) {
++ /* Match pm_restore_gfp_mask() in hibernate(). */
++ pm_restrict_gfp_mask();
+ swsusp_unmark();
+ events_check_enabled = false;
+ pr_info("Wakeup event detected during hibernation, rolling back.\n");
--- /dev/null
+From ee6cd8f3e28ee5a929c3b67c01a350f550f9b73a Mon Sep 17 00:00:00 2001
+From: Dzmitry Sankouski <dsankouski@gmail.com>
+Date: Thu, 18 Sep 2025 20:06:45 +0300
+Subject: power: supply: max77976_charger: fix constant current reporting
+
+From: Dzmitry Sankouski <dsankouski@gmail.com>
+
+commit ee6cd8f3e28ee5a929c3b67c01a350f550f9b73a upstream.
+
+CHARGE_CONTROL_LIMIT is a wrong property to report charge current limit,
+because `CHARGE_*` attributes represents capacity, not current. The
+correct attribute to report and set charge current limit is
+CONSTANT_CHARGE_CURRENT.
+
+Rename CHARGE_CONTROL_LIMIT to CONSTANT_CHARGE_CURRENT.
+
+Cc: stable@vger.kernel.org
+Fixes: 715ecbc10d6a ("power: supply: max77976: add Maxim MAX77976 charger driver")
+Signed-off-by: Dzmitry Sankouski <dsankouski@gmail.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/power/supply/max77976_charger.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/power/supply/max77976_charger.c
++++ b/drivers/power/supply/max77976_charger.c
+@@ -292,10 +292,10 @@ static int max77976_get_property(struct
+ case POWER_SUPPLY_PROP_ONLINE:
+ err = max77976_get_online(chg, &val->intval);
+ break;
+- case POWER_SUPPLY_PROP_CHARGE_CONTROL_LIMIT_MAX:
++ case POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT_MAX:
+ val->intval = MAX77976_CHG_CC_MAX;
+ break;
+- case POWER_SUPPLY_PROP_CHARGE_CONTROL_LIMIT:
++ case POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT:
+ err = max77976_get_integer(chg, CHG_CC,
+ MAX77976_CHG_CC_MIN,
+ MAX77976_CHG_CC_MAX,
+@@ -330,7 +330,7 @@ static int max77976_set_property(struct
+ int err = 0;
+
+ switch (psp) {
+- case POWER_SUPPLY_PROP_CHARGE_CONTROL_LIMIT:
++ case POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT:
+ err = max77976_set_integer(chg, CHG_CC,
+ MAX77976_CHG_CC_MIN,
+ MAX77976_CHG_CC_MAX,
+@@ -355,7 +355,7 @@ static int max77976_property_is_writeabl
+ enum power_supply_property psp)
+ {
+ switch (psp) {
+- case POWER_SUPPLY_PROP_CHARGE_CONTROL_LIMIT:
++ case POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT:
+ case POWER_SUPPLY_PROP_INPUT_CURRENT_LIMIT:
+ return true;
+ default:
+@@ -368,8 +368,8 @@ static enum power_supply_property max779
+ POWER_SUPPLY_PROP_CHARGE_TYPE,
+ POWER_SUPPLY_PROP_HEALTH,
+ POWER_SUPPLY_PROP_ONLINE,
+- POWER_SUPPLY_PROP_CHARGE_CONTROL_LIMIT,
+- POWER_SUPPLY_PROP_CHARGE_CONTROL_LIMIT_MAX,
++ POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT,
++ POWER_SUPPLY_PROP_CONSTANT_CHARGE_CURRENT_MAX,
+ POWER_SUPPLY_PROP_INPUT_CURRENT_LIMIT,
+ POWER_SUPPLY_PROP_MODEL_NAME,
+ POWER_SUPPLY_PROP_MANUFACTURER,
--- /dev/null
+From a39087905af9ffecaa237a918a2c03a04e479934 Mon Sep 17 00:00:00 2001
+From: Nam Cao <namcao@linutronix.de>
+Date: Mon, 4 Aug 2025 12:07:28 +0200
+Subject: powerpc/powernv/pci: Fix underflow and leak issue
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nam Cao <namcao@linutronix.de>
+
+commit a39087905af9ffecaa237a918a2c03a04e479934 upstream.
+
+pnv_irq_domain_alloc() allocates interrupts at parent's interrupt
+domain. If it fails in the progress, all allocated interrupts are
+freed.
+
+The number of successfully allocated interrupts so far is stored
+"i". However, "i - 1" interrupts are freed. This is broken:
+
+ - One interrupt is not be freed
+
+ - If "i" is zero, "i - 1" wraps around
+
+Correct the number of freed interrupts to "i".
+
+Fixes: 0fcfe2247e75 ("powerpc/powernv/pci: Add MSI domains")
+Signed-off-by: Nam Cao <namcao@linutronix.de>
+Cc: stable@vger.kernel.org
+Reviewed-by: Cédric Le Goater <clg@redhat.com>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/70f8debe8688e0b467367db769b71c20146a836d.1754300646.git.namcao@linutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/platforms/powernv/pci-ioda.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/platforms/powernv/pci-ioda.c
++++ b/arch/powerpc/platforms/powernv/pci-ioda.c
+@@ -1854,7 +1854,7 @@ static int pnv_irq_domain_alloc(struct i
+ return 0;
+
+ out:
+- irq_domain_free_irqs_parent(domain, virq, i - 1);
++ irq_domain_free_irqs_parent(domain, virq, i);
+ msi_bitmap_free_hwirqs(&phb->msi_bmp, hwirq, nr_irqs);
+ return ret;
+ }
--- /dev/null
+From 3443ff3be6e59b80d74036bb39f5b6409eb23cc9 Mon Sep 17 00:00:00 2001
+From: Nam Cao <namcao@linutronix.de>
+Date: Mon, 4 Aug 2025 12:07:27 +0200
+Subject: powerpc/pseries/msi: Fix potential underflow and leak issue
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nam Cao <namcao@linutronix.de>
+
+commit 3443ff3be6e59b80d74036bb39f5b6409eb23cc9 upstream.
+
+pseries_irq_domain_alloc() allocates interrupts at parent's interrupt
+domain. If it fails in the progress, all allocated interrupts are
+freed.
+
+The number of successfully allocated interrupts so far is stored
+"i". However, "i - 1" interrupts are freed. This is broken:
+
+ - One interrupt is not be freed
+
+ - If "i" is zero, "i - 1" wraps around
+
+Correct the number of freed interrupts to 'i'.
+
+Fixes: a5f3d2c17b07 ("powerpc/pseries/pci: Add MSI domains")
+Signed-off-by: Nam Cao <namcao@linutronix.de>
+Cc: stable@vger.kernel.org
+Reviewed-by: Cédric Le Goater <clg@redhat.com>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/a980067f2b256bf716b4cd713bc1095966eed8cd.1754300646.git.namcao@linutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/platforms/pseries/msi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/platforms/pseries/msi.c
++++ b/arch/powerpc/platforms/pseries/msi.c
+@@ -593,7 +593,7 @@ static int pseries_irq_domain_alloc(stru
+
+ out:
+ /* TODO: handle RTAS cleanup in ->msi_finish() ? */
+- irq_domain_free_irqs_parent(domain, virq, i - 1);
++ irq_domain_free_irqs_parent(domain, virq, i);
+ return ret;
+ }
+
--- /dev/null
+From 3a4b9d027e4061766f618292df91760ea64a1fcc Mon Sep 17 00:00:00 2001
+From: Jisheng Zhang <jszhang@kernel.org>
+Date: Tue, 19 Aug 2025 19:42:24 +0800
+Subject: pwm: berlin: Fix wrong register in suspend/resume
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jisheng Zhang <jszhang@kernel.org>
+
+commit 3a4b9d027e4061766f618292df91760ea64a1fcc upstream.
+
+The 'enable' register should be BERLIN_PWM_EN rather than
+BERLIN_PWM_ENABLE, otherwise, the driver accesses wrong address, there
+will be cpu exception then kernel panic during suspend/resume.
+
+Fixes: bbf0722c1c66 ("pwm: berlin: Add suspend/resume support")
+Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
+Link: https://lore.kernel.org/r/20250819114224.31825-1-jszhang@kernel.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pwm/pwm-berlin.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/pwm/pwm-berlin.c
++++ b/drivers/pwm/pwm-berlin.c
+@@ -234,7 +234,7 @@ static int berlin_pwm_suspend(struct dev
+ for (i = 0; i < chip->npwm; i++) {
+ struct berlin_pwm_channel *channel = &bpc->channel[i];
+
+- channel->enable = berlin_pwm_readl(bpc, i, BERLIN_PWM_ENABLE);
++ channel->enable = berlin_pwm_readl(bpc, i, BERLIN_PWM_EN);
+ channel->ctrl = berlin_pwm_readl(bpc, i, BERLIN_PWM_CONTROL);
+ channel->duty = berlin_pwm_readl(bpc, i, BERLIN_PWM_DUTY);
+ channel->tcnt = berlin_pwm_readl(bpc, i, BERLIN_PWM_TCNT);
+@@ -262,7 +262,7 @@ static int berlin_pwm_resume(struct devi
+ berlin_pwm_writel(bpc, i, channel->ctrl, BERLIN_PWM_CONTROL);
+ berlin_pwm_writel(bpc, i, channel->duty, BERLIN_PWM_DUTY);
+ berlin_pwm_writel(bpc, i, channel->tcnt, BERLIN_PWM_TCNT);
+- berlin_pwm_writel(bpc, i, channel->enable, BERLIN_PWM_ENABLE);
++ berlin_pwm_writel(bpc, i, channel->enable, BERLIN_PWM_EN);
+ }
+
+ return 0;
--- /dev/null
+From afe872274edc7da46719a2029bfa4eab142b15f6 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.i.king@gmail.com>
+Date: Tue, 2 Sep 2025 14:03:48 +0100
+Subject: pwm: Fix incorrect variable used in error message
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Colin Ian King <colin.i.king@gmail.com>
+
+commit afe872274edc7da46719a2029bfa4eab142b15f6 upstream.
+
+The dev_err message is reporting the incorrect return value ret_tohw,
+it should be reporting the value in ret_fromhw. Fix this by using
+ret_fromhw instead of ret_tohw.
+
+Fixes: 6c5126c6406d ("pwm: Provide new consumer API functions for waveforms")
+Signed-off-by: Colin Ian King <colin.i.king@gmail.com>
+Link: https://lore.kernel.org/r/20250902130348.2630053-1-colin.i.king@gmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pwm/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pwm/core.c
++++ b/drivers/pwm/core.c
+@@ -276,7 +276,7 @@ int pwm_round_waveform_might_sleep(struc
+
+ if (IS_ENABLED(CONFIG_PWM_DEBUG) && ret_fromhw > 0)
+ dev_err(&chip->dev, "Unexpected return value from __pwm_round_waveform_fromhw: requested %llu/%llu [+%llu], return value %d\n",
+- wf_req.duty_length_ns, wf_req.period_length_ns, wf_req.duty_offset_ns, ret_tohw);
++ wf_req.duty_length_ns, wf_req.period_length_ns, wf_req.duty_offset_ns, ret_fromhw);
+
+ if (IS_ENABLED(CONFIG_PWM_DEBUG) &&
+ (ret_tohw == 0) != pwm_check_rounding(&wf_req, wf))
--- /dev/null
+From 5d09ee1bec870263f4ace439402ea840503b503b Mon Sep 17 00:00:00 2001
+From: Corey Minyard <corey@minyard.net>
+Date: Wed, 20 Aug 2025 11:03:13 -0500
+Subject: Revert "ipmi: fix msg stack when IPMI is disconnected"
+
+From: Corey Minyard <corey@minyard.net>
+
+commit 5d09ee1bec870263f4ace439402ea840503b503b upstream.
+
+This reverts commit c608966f3f9c2dca596967501d00753282b395fc.
+
+This patch has a subtle bug that can cause the IPMI driver to go into an
+infinite loop if the BMC misbehaves in a certain way. Apparently
+certain BMCs do misbehave this way because several reports have come in
+recently about this.
+
+Signed-off-by: Corey Minyard <corey@minyard.net>
+Tested-by: Eric Hagberg <ehagberg@janestreet.com>
+Cc: <stable@vger.kernel.org> # 6.2
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/ipmi/ipmi_kcs_sm.c | 16 +++++-----------
+ 1 file changed, 5 insertions(+), 11 deletions(-)
+
+--- a/drivers/char/ipmi/ipmi_kcs_sm.c
++++ b/drivers/char/ipmi/ipmi_kcs_sm.c
+@@ -122,10 +122,10 @@ struct si_sm_data {
+ unsigned long error0_timeout;
+ };
+
+-static unsigned int init_kcs_data_with_state(struct si_sm_data *kcs,
+- struct si_sm_io *io, enum kcs_states state)
++static unsigned int init_kcs_data(struct si_sm_data *kcs,
++ struct si_sm_io *io)
+ {
+- kcs->state = state;
++ kcs->state = KCS_IDLE;
+ kcs->io = io;
+ kcs->write_pos = 0;
+ kcs->write_count = 0;
+@@ -140,12 +140,6 @@ static unsigned int init_kcs_data_with_s
+ return 2;
+ }
+
+-static unsigned int init_kcs_data(struct si_sm_data *kcs,
+- struct si_sm_io *io)
+-{
+- return init_kcs_data_with_state(kcs, io, KCS_IDLE);
+-}
+-
+ static inline unsigned char read_status(struct si_sm_data *kcs)
+ {
+ return kcs->io->inputb(kcs->io, 1);
+@@ -276,7 +270,7 @@ static int start_kcs_transaction(struct
+ if (size > MAX_KCS_WRITE_SIZE)
+ return IPMI_REQ_LEN_EXCEEDED_ERR;
+
+- if (kcs->state != KCS_IDLE) {
++ if ((kcs->state != KCS_IDLE) && (kcs->state != KCS_HOSED)) {
+ dev_warn(kcs->io->dev, "KCS in invalid state %d\n", kcs->state);
+ return IPMI_NOT_IN_MY_STATE_ERR;
+ }
+@@ -501,7 +495,7 @@ static enum si_sm_result kcs_event(struc
+ }
+
+ if (kcs->state == KCS_HOSED) {
+- init_kcs_data_with_state(kcs, kcs->io, KCS_ERROR0);
++ init_kcs_data(kcs, kcs->io);
+ return SI_SM_HOSED;
+ }
+
--- /dev/null
+From 668208b161a0b679427e7d0f34c0a65fd7d23979 Mon Sep 17 00:00:00 2001
+From: Alexandre Ghiti <alexghiti@rivosinc.com>
+Date: Thu, 14 Aug 2025 12:06:14 +0000
+Subject: riscv: use an atomic xchg in pudp_huge_get_and_clear()
+
+From: Alexandre Ghiti <alexghiti@rivosinc.com>
+
+commit 668208b161a0b679427e7d0f34c0a65fd7d23979 upstream.
+
+Make sure we return the right pud value and not a value that could have
+been overwritten in between by a different core.
+
+Link: https://lkml.kernel.org/r/20250814-dev-alex-thp_pud_xchg-v1-1-b4704dfae206@rivosinc.com
+Fixes: c3cc2a4a3a23 ("riscv: Add support for PUD THP")
+Signed-off-by: Alexandre Ghiti <alexghiti@rivosinc.com>
+Cc: Andrew Donnellan <ajd@linux.ibm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/include/asm/pgtable.h | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/arch/riscv/include/asm/pgtable.h
++++ b/arch/riscv/include/asm/pgtable.h
+@@ -959,6 +959,17 @@ static inline pud_t pudp_huge_get_and_cl
+ return pud;
+ }
+
++#define __HAVE_ARCH_PUDP_HUGE_GET_AND_CLEAR
++static inline pud_t pudp_huge_get_and_clear(struct mm_struct *mm,
++ unsigned long address, pud_t *pudp)
++{
++ pud_t pud = __pud(atomic_long_xchg((atomic_long_t *)pudp, 0));
++
++ page_table_check_pud_clear(mm, pud);
++
++ return pud;
++}
++
+ static inline int pud_young(pud_t pud)
+ {
+ return pte_young(pud_pte(pud));
--- /dev/null
+From a001cd248ab244633c5fabe4f7c707e13fc1d1cc Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Tue, 19 Aug 2025 15:29:44 -0700
+Subject: rseq/selftests: Use weak symbol reference, not definition, to link with glibc
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit a001cd248ab244633c5fabe4f7c707e13fc1d1cc upstream.
+
+Add "extern" to the glibc-defined weak rseq symbols to convert the rseq
+selftest's usage from weak symbol definitions to weak symbol _references_.
+Effectively re-defining the glibc symbols wreaks havoc when building with
+-fno-common, e.g. generates segfaults when running multi-threaded programs,
+as dynamically linked applications end up with multiple versions of the
+symbols.
+
+Building with -fcommon, which until recently has the been the default for
+GCC and clang, papers over the bug by allowing the linker to resolve the
+weak/tentative definition to glibc's "real" definition.
+
+Note, the symbol itself (or rather its address), not the value of the
+symbol, is set to 0/NULL for unresolved weak symbol references, as the
+symbol doesn't exist and thus can't have a value. Check for a NULL rseq
+size pointer to handle the scenario where the test is statically linked
+against a libc that doesn't support rseq in any capacity.
+
+Fixes: 3bcbc20942db ("selftests/rseq: Play nice with binaries statically linked against glibc 2.35+")
+Reported-by: Thomas Gleixner <tglx@linutronix.de>
+Suggested-by: Florian Weimer <fweimer@redhat.com>
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: stable@vger.kernel.org
+Closes: https://lore.kernel.org/all/87frdoybk4.ffs@tglx
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/rseq/rseq.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/tools/testing/selftests/rseq/rseq.c
++++ b/tools/testing/selftests/rseq/rseq.c
+@@ -40,9 +40,9 @@
+ * Define weak versions to play nice with binaries that are statically linked
+ * against a libc that doesn't support registering its own rseq.
+ */
+-__weak ptrdiff_t __rseq_offset;
+-__weak unsigned int __rseq_size;
+-__weak unsigned int __rseq_flags;
++extern __weak ptrdiff_t __rseq_offset;
++extern __weak unsigned int __rseq_size;
++extern __weak unsigned int __rseq_flags;
+
+ static const ptrdiff_t *libc_rseq_offset_p = &__rseq_offset;
+ static const unsigned int *libc_rseq_size_p = &__rseq_size;
+@@ -209,7 +209,7 @@ void rseq_init(void)
+ * libc not having registered a restartable sequence. Try to find the
+ * symbols if that's the case.
+ */
+- if (!*libc_rseq_size_p) {
++ if (!libc_rseq_size_p || !*libc_rseq_size_p) {
+ libc_rseq_offset_p = dlsym(RTLD_NEXT, "__rseq_offset");
+ libc_rseq_size_p = dlsym(RTLD_NEXT, "__rseq_size");
+ libc_rseq_flags_p = dlsym(RTLD_NEXT, "__rseq_flags");
--- /dev/null
+From 9db26d5855d0374d4652487bfb5aacf40821c469 Mon Sep 17 00:00:00 2001
+From: Esben Haabendal <esben@geanix.com>
+Date: Fri, 16 May 2025 09:23:39 +0200
+Subject: rtc: interface: Ensure alarm irq is enabled when UIE is enabled
+
+From: Esben Haabendal <esben@geanix.com>
+
+commit 9db26d5855d0374d4652487bfb5aacf40821c469 upstream.
+
+When setting a normal alarm, user-space is responsible for using
+RTC_AIE_ON/RTC_AIE_OFF to control if alarm irq should be enabled.
+
+But when RTC_UIE_ON is used, interrupts must be enabled so that the
+requested irq events are generated.
+When RTC_UIE_OFF is used, alarm irq is disabled if there are no other
+alarms queued, so this commit brings symmetry to that.
+
+Signed-off-by: Esben Haabendal <esben@geanix.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250516-rtc-uie-irq-fixes-v2-5-3de8e530a39e@geanix.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/interface.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/rtc/interface.c
++++ b/drivers/rtc/interface.c
+@@ -594,6 +594,10 @@ int rtc_update_irq_enable(struct rtc_dev
+ rtc->uie_rtctimer.node.expires = ktime_add(now, onesec);
+ rtc->uie_rtctimer.period = ktime_set(1, 0);
+ err = rtc_timer_enqueue(rtc, &rtc->uie_rtctimer);
++ if (!err && rtc->ops && rtc->ops->alarm_irq_enable)
++ err = rtc->ops->alarm_irq_enable(rtc->dev.parent, 1);
++ if (err)
++ goto out;
+ } else {
+ rtc_timer_remove(rtc, &rtc->uie_rtctimer);
+ }
--- /dev/null
+From 795cda8338eab036013314dbc0b04aae728880ab Mon Sep 17 00:00:00 2001
+From: Esben Haabendal <esben@geanix.com>
+Date: Fri, 16 May 2025 09:23:35 +0200
+Subject: rtc: interface: Fix long-standing race when setting alarm
+
+From: Esben Haabendal <esben@geanix.com>
+
+commit 795cda8338eab036013314dbc0b04aae728880ab upstream.
+
+As described in the old comment dating back to
+commit 6610e0893b8b ("RTC: Rework RTC code to use timerqueue for events")
+from 2010, we have been living with a race window when setting alarm
+with an expiry in the near future (i.e. next second).
+With 1 second resolution, it can happen that the second ticks after the
+check for the timer having expired, but before the alarm is actually set.
+When this happen, no alarm IRQ is generated, at least not with some RTC
+chips (isl12022 is an example of this).
+
+With UIE RTC timer being implemented on top of alarm irq, being re-armed
+every second, UIE will occasionally fail to work, as an alarm irq lost
+due to this race will stop the re-arming loop.
+
+For now, I have limited the additional expiry check to only be done for
+alarms set to next seconds. I expect it should be good enough, although I
+don't know if we can now for sure that systems with loads could end up
+causing the same problems for alarms set 2 seconds or even longer in the
+future.
+
+I haven't been able to reproduce the problem with this check in place.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Esben Haabendal <esben@geanix.com>
+Link: https://lore.kernel.org/r/20250516-rtc-uie-irq-fixes-v2-1-3de8e530a39e@geanix.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/interface.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+--- a/drivers/rtc/interface.c
++++ b/drivers/rtc/interface.c
+@@ -443,6 +443,29 @@ static int __rtc_set_alarm(struct rtc_de
+ else
+ err = rtc->ops->set_alarm(rtc->dev.parent, alarm);
+
++ /*
++ * Check for potential race described above. If the waiting for next
++ * second, and the second just ticked since the check above, either
++ *
++ * 1) It ticked after the alarm was set, and an alarm irq should be
++ * generated.
++ *
++ * 2) It ticked before the alarm was set, and alarm irq most likely will
++ * not be generated.
++ *
++ * While we cannot easily check for which of these two scenarios we
++ * are in, we can return -ETIME to signal that the timer has already
++ * expired, which is true in both cases.
++ */
++ if ((scheduled - now) <= 1) {
++ err = __rtc_read_time(rtc, &tm);
++ if (err)
++ return err;
++ now = rtc_tm_to_time64(&tm);
++ if (scheduled <= now)
++ return -ETIME;
++ }
++
+ trace_rtc_set_alarm(rtc_tm_to_time64(&alarm->time), err);
+ return err;
+ }
--- /dev/null
+From 8fd5485fb4f3d9da3977fd783fcb8e5452463420 Mon Sep 17 00:00:00 2001
+From: Harshit Agarwal <harshit@nutanix.com>
+Date: Tue, 8 Apr 2025 04:50:21 +0000
+Subject: sched/deadline: Fix race in push_dl_task()
+
+From: Harshit Agarwal <harshit@nutanix.com>
+
+commit 8fd5485fb4f3d9da3977fd783fcb8e5452463420 upstream.
+
+When a CPU chooses to call push_dl_task and picks a task to push to
+another CPU's runqueue then it will call find_lock_later_rq method
+which would take a double lock on both CPUs' runqueues. If one of the
+locks aren't readily available, it may lead to dropping the current
+runqueue lock and reacquiring both the locks at once. During this window
+it is possible that the task is already migrated and is running on some
+other CPU. These cases are already handled. However, if the task is
+migrated and has already been executed and another CPU is now trying to
+wake it up (ttwu) such that it is queued again on the runqeue
+(on_rq is 1) and also if the task was run by the same CPU, then the
+current checks will pass even though the task was migrated out and is no
+longer in the pushable tasks list.
+Please go through the original rt change for more details on the issue.
+
+To fix this, after the lock is obtained inside the find_lock_later_rq,
+it ensures that the task is still at the head of pushable tasks list.
+Also removed some checks that are no longer needed with the addition of
+this new check.
+However, the new check of pushable tasks list only applies when
+find_lock_later_rq is called by push_dl_task. For the other caller i.e.
+dl_task_offline_migration, existing checks are used.
+
+Signed-off-by: Harshit Agarwal <harshit@nutanix.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Juri Lelli <juri.lelli@redhat.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250408045021.3283624-1-harshit@nutanix.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/deadline.c | 73 ++++++++++++++++++++++++++++++++----------------
+ 1 file changed, 49 insertions(+), 24 deletions(-)
+
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -2551,6 +2551,25 @@ static int find_later_rq(struct task_str
+ return -1;
+ }
+
++static struct task_struct *pick_next_pushable_dl_task(struct rq *rq)
++{
++ struct task_struct *p;
++
++ if (!has_pushable_dl_tasks(rq))
++ return NULL;
++
++ p = __node_2_pdl(rb_first_cached(&rq->dl.pushable_dl_tasks_root));
++
++ WARN_ON_ONCE(rq->cpu != task_cpu(p));
++ WARN_ON_ONCE(task_current(rq, p));
++ WARN_ON_ONCE(p->nr_cpus_allowed <= 1);
++
++ WARN_ON_ONCE(!task_on_rq_queued(p));
++ WARN_ON_ONCE(!dl_task(p));
++
++ return p;
++}
++
+ /* Locks the rq it finds */
+ static struct rq *find_lock_later_rq(struct task_struct *task, struct rq *rq)
+ {
+@@ -2578,12 +2597,37 @@ static struct rq *find_lock_later_rq(str
+
+ /* Retry if something changed. */
+ if (double_lock_balance(rq, later_rq)) {
+- if (unlikely(task_rq(task) != rq ||
++ /*
++ * double_lock_balance had to release rq->lock, in the
++ * meantime, task may no longer be fit to be migrated.
++ * Check the following to ensure that the task is
++ * still suitable for migration:
++ * 1. It is possible the task was scheduled,
++ * migrate_disabled was set and then got preempted,
++ * so we must check the task migration disable
++ * flag.
++ * 2. The CPU picked is in the task's affinity.
++ * 3. For throttled task (dl_task_offline_migration),
++ * check the following:
++ * - the task is not on the rq anymore (it was
++ * migrated)
++ * - the task is not on CPU anymore
++ * - the task is still a dl task
++ * - the task is not queued on the rq anymore
++ * 4. For the non-throttled task (push_dl_task), the
++ * check to ensure that this task is still at the
++ * head of the pushable tasks list is enough.
++ */
++ if (unlikely(is_migration_disabled(task) ||
+ !cpumask_test_cpu(later_rq->cpu, &task->cpus_mask) ||
+- task_on_cpu(rq, task) ||
+- !dl_task(task) ||
+- is_migration_disabled(task) ||
+- !task_on_rq_queued(task))) {
++ (task->dl.dl_throttled &&
++ (task_rq(task) != rq ||
++ task_on_cpu(rq, task) ||
++ !dl_task(task) ||
++ !task_on_rq_queued(task))) ||
++ (!task->dl.dl_throttled &&
++ task != pick_next_pushable_dl_task(rq)))) {
++
+ double_unlock_balance(rq, later_rq);
+ later_rq = NULL;
+ break;
+@@ -2606,25 +2650,6 @@ static struct rq *find_lock_later_rq(str
+ return later_rq;
+ }
+
+-static struct task_struct *pick_next_pushable_dl_task(struct rq *rq)
+-{
+- struct task_struct *p;
+-
+- if (!has_pushable_dl_tasks(rq))
+- return NULL;
+-
+- p = __node_2_pdl(rb_first_cached(&rq->dl.pushable_dl_tasks_root));
+-
+- WARN_ON_ONCE(rq->cpu != task_cpu(p));
+- WARN_ON_ONCE(task_current(rq, p));
+- WARN_ON_ONCE(p->nr_cpus_allowed <= 1);
+-
+- WARN_ON_ONCE(!task_on_rq_queued(p));
+- WARN_ON_ONCE(!dl_task(p));
+-
+- return p;
+-}
+-
+ /*
+ * See if the non running -deadline tasks on this rq
+ * can be sent to some other CPU where they can preempt
--- /dev/null
+From b81296591c567b12d3873b05a37b975707959b94 Mon Sep 17 00:00:00 2001
+From: Thorsten Blum <thorsten.blum@linux.dev>
+Date: Fri, 19 Sep 2025 11:26:37 +0200
+Subject: scsi: hpsa: Fix potential memory leak in hpsa_big_passthru_ioctl()
+
+From: Thorsten Blum <thorsten.blum@linux.dev>
+
+commit b81296591c567b12d3873b05a37b975707959b94 upstream.
+
+Replace kmalloc() followed by copy_from_user() with memdup_user() to fix
+a memory leak that occurs when copy_from_user(buff[sg_used],,) fails and
+the 'cleanup1:' path does not free the memory for 'buff[sg_used]'. Using
+memdup_user() avoids this by freeing the memory internally.
+
+Since memdup_user() already allocates memory, use kzalloc() in the else
+branch instead of manually zeroing 'buff[sg_used]' using memset(0).
+
+Cc: stable@vger.kernel.org
+Fixes: edd163687ea5 ("[SCSI] hpsa: add driver for HP Smart Array controllers.")
+Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
+Acked-by: Don Brace <don.brace@microchip.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/hpsa.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+--- a/drivers/scsi/hpsa.c
++++ b/drivers/scsi/hpsa.c
+@@ -6522,18 +6522,21 @@ static int hpsa_big_passthru_ioctl(struc
+ while (left) {
+ sz = (left > ioc->malloc_size) ? ioc->malloc_size : left;
+ buff_size[sg_used] = sz;
+- buff[sg_used] = kmalloc(sz, GFP_KERNEL);
+- if (buff[sg_used] == NULL) {
+- status = -ENOMEM;
+- goto cleanup1;
+- }
++
+ if (ioc->Request.Type.Direction & XFER_WRITE) {
+- if (copy_from_user(buff[sg_used], data_ptr, sz)) {
+- status = -EFAULT;
++ buff[sg_used] = memdup_user(data_ptr, sz);
++ if (IS_ERR(buff[sg_used])) {
++ status = PTR_ERR(buff[sg_used]);
++ goto cleanup1;
++ }
++ } else {
++ buff[sg_used] = kzalloc(sz, GFP_KERNEL);
++ if (!buff[sg_used]) {
++ status = -ENOMEM;
+ goto cleanup1;
+ }
+- } else
+- memset(buff[sg_used], 0, sz);
++ }
++
+ left -= sz;
+ data_ptr += sz;
+ sg_used++;
--- /dev/null
+From b5f717b31b5e478398740db8aee2ecbc4dd72bf3 Mon Sep 17 00:00:00 2001
+From: Abinash Singh <abinashsinghlalotra@gmail.com>
+Date: Tue, 26 Aug 2025 00:09:38 +0530
+Subject: scsi: sd: Fix build warning in sd_revalidate_disk()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Abinash Singh <abinashsinghlalotra@gmail.com>
+
+commit b5f717b31b5e478398740db8aee2ecbc4dd72bf3 upstream.
+
+A build warning was triggered due to excessive stack usage in
+sd_revalidate_disk():
+
+drivers/scsi/sd.c: In function ‘sd_revalidate_disk.isra’:
+drivers/scsi/sd.c:3824:1: warning: the frame size of 1160 bytes is larger than 1024 bytes [-Wframe-larger-than=]
+
+This is caused by a large local struct queue_limits (~400B) allocated on
+the stack. Replacing it with a heap allocation using kmalloc()
+significantly reduces frame usage. Kernel stack is limited (~8 KB), and
+allocating large structs on the stack is discouraged. As the function
+already performs heap allocations (e.g. for buffer), this change fits
+well.
+
+Fixes: 804e498e0496 ("sd: convert to the atomic queue limits API")
+Cc: stable@vger.kernel.org
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Abinash Singh <abinashsinghlalotra@gmail.com>
+Link: https://lore.kernel.org/r/20250825183940.13211-2-abinashsinghlalotra@gmail.com
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/sd.c | 50 ++++++++++++++++++++++++++++----------------------
+ 1 file changed, 28 insertions(+), 22 deletions(-)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -3696,10 +3696,10 @@ static int sd_revalidate_disk(struct gen
+ struct scsi_disk *sdkp = scsi_disk(disk);
+ struct scsi_device *sdp = sdkp->device;
+ sector_t old_capacity = sdkp->capacity;
+- struct queue_limits lim;
+- unsigned char *buffer;
++ struct queue_limits *lim = NULL;
++ unsigned char *buffer = NULL;
+ unsigned int dev_max;
+- int err;
++ int err = 0;
+
+ SCSI_LOG_HLQUEUE(3, sd_printk(KERN_INFO, sdkp,
+ "sd_revalidate_disk\n"));
+@@ -3711,6 +3711,10 @@ static int sd_revalidate_disk(struct gen
+ if (!scsi_device_online(sdp))
+ goto out;
+
++ lim = kmalloc(sizeof(*lim), GFP_KERNEL);
++ if (!lim)
++ goto out;
++
+ buffer = kmalloc(SD_BUF_SIZE, GFP_KERNEL);
+ if (!buffer) {
+ sd_printk(KERN_WARNING, sdkp, "sd_revalidate_disk: Memory "
+@@ -3720,14 +3724,14 @@ static int sd_revalidate_disk(struct gen
+
+ sd_spinup_disk(sdkp);
+
+- lim = queue_limits_start_update(sdkp->disk->queue);
++ *lim = queue_limits_start_update(sdkp->disk->queue);
+
+ /*
+ * Without media there is no reason to ask; moreover, some devices
+ * react badly if we do.
+ */
+ if (sdkp->media_present) {
+- sd_read_capacity(sdkp, &lim, buffer);
++ sd_read_capacity(sdkp, lim, buffer);
+ /*
+ * Some USB/UAS devices return generic values for mode pages
+ * until the media has been accessed. Trigger a READ operation
+@@ -3741,17 +3745,17 @@ static int sd_revalidate_disk(struct gen
+ * cause this to be updated correctly and any device which
+ * doesn't support it should be treated as rotational.
+ */
+- lim.features |= (BLK_FEAT_ROTATIONAL | BLK_FEAT_ADD_RANDOM);
++ lim->features |= (BLK_FEAT_ROTATIONAL | BLK_FEAT_ADD_RANDOM);
+
+ if (scsi_device_supports_vpd(sdp)) {
+ sd_read_block_provisioning(sdkp);
+- sd_read_block_limits(sdkp, &lim);
++ sd_read_block_limits(sdkp, lim);
+ sd_read_block_limits_ext(sdkp);
+- sd_read_block_characteristics(sdkp, &lim);
+- sd_zbc_read_zones(sdkp, &lim, buffer);
++ sd_read_block_characteristics(sdkp, lim);
++ sd_zbc_read_zones(sdkp, lim, buffer);
+ }
+
+- sd_config_discard(sdkp, &lim, sd_discard_mode(sdkp));
++ sd_config_discard(sdkp, lim, sd_discard_mode(sdkp));
+
+ sd_print_capacity(sdkp, old_capacity);
+
+@@ -3761,47 +3765,46 @@ static int sd_revalidate_disk(struct gen
+ sd_read_app_tag_own(sdkp, buffer);
+ sd_read_write_same(sdkp, buffer);
+ sd_read_security(sdkp, buffer);
+- sd_config_protection(sdkp, &lim);
++ sd_config_protection(sdkp, lim);
+ }
+
+ /*
+ * We now have all cache related info, determine how we deal
+ * with flush requests.
+ */
+- sd_set_flush_flag(sdkp, &lim);
++ sd_set_flush_flag(sdkp, lim);
+
+ /* Initial block count limit based on CDB TRANSFER LENGTH field size. */
+ dev_max = sdp->use_16_for_rw ? SD_MAX_XFER_BLOCKS : SD_DEF_XFER_BLOCKS;
+
+ /* Some devices report a maximum block count for READ/WRITE requests. */
+ dev_max = min_not_zero(dev_max, sdkp->max_xfer_blocks);
+- lim.max_dev_sectors = logical_to_sectors(sdp, dev_max);
++ lim->max_dev_sectors = logical_to_sectors(sdp, dev_max);
+
+ if (sd_validate_min_xfer_size(sdkp))
+- lim.io_min = logical_to_bytes(sdp, sdkp->min_xfer_blocks);
++ lim->io_min = logical_to_bytes(sdp, sdkp->min_xfer_blocks);
+ else
+- lim.io_min = 0;
++ lim->io_min = 0;
+
+ /*
+ * Limit default to SCSI host optimal sector limit if set. There may be
+ * an impact on performance for when the size of a request exceeds this
+ * host limit.
+ */
+- lim.io_opt = sdp->host->opt_sectors << SECTOR_SHIFT;
++ lim->io_opt = sdp->host->opt_sectors << SECTOR_SHIFT;
+ if (sd_validate_opt_xfer_size(sdkp, dev_max)) {
+- lim.io_opt = min_not_zero(lim.io_opt,
++ lim->io_opt = min_not_zero(lim->io_opt,
+ logical_to_bytes(sdp, sdkp->opt_xfer_blocks));
+ }
+
+ sdkp->first_scan = 0;
+
+ set_capacity_and_notify(disk, logical_to_sectors(sdp, sdkp->capacity));
+- sd_config_write_same(sdkp, &lim);
+- kfree(buffer);
++ sd_config_write_same(sdkp, lim);
+
+- err = queue_limits_commit_update_frozen(sdkp->disk->queue, &lim);
++ err = queue_limits_commit_update_frozen(sdkp->disk->queue, lim);
+ if (err)
+- return err;
++ goto out;
+
+ /*
+ * Query concurrent positioning ranges after
+@@ -3820,7 +3823,10 @@ static int sd_revalidate_disk(struct gen
+ set_capacity_and_notify(disk, 0);
+
+ out:
+- return 0;
++ kfree(buffer);
++ kfree(lim);
++
++ return err;
+ }
+
+ /**
--- /dev/null
+From dd91c79e4f58fbe2898dac84858033700e0e99fb Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@kernel.org>
+Date: Mon, 18 Aug 2025 13:54:23 -0700
+Subject: sctp: Fix MAC comparison to be constant-time
+
+From: Eric Biggers <ebiggers@kernel.org>
+
+commit dd91c79e4f58fbe2898dac84858033700e0e99fb upstream.
+
+To prevent timing attacks, MACs need to be compared in constant time.
+Use the appropriate helper function for this.
+
+Fixes: bbd0d59809f9 ("[SCTP]: Implement the receive and verification of AUTH chunk")
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers <ebiggers@kernel.org>
+Link: https://patch.msgid.link/20250818205426.30222-3-ebiggers@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/sm_make_chunk.c | 3 ++-
+ net/sctp/sm_statefuns.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/sctp/sm_make_chunk.c
++++ b/net/sctp/sm_make_chunk.c
+@@ -31,6 +31,7 @@
+ #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
+ #include <crypto/hash.h>
++#include <crypto/utils.h>
+ #include <linux/types.h>
+ #include <linux/kernel.h>
+ #include <linux/ip.h>
+@@ -1788,7 +1789,7 @@ struct sctp_association *sctp_unpack_coo
+ }
+ }
+
+- if (memcmp(digest, cookie->signature, SCTP_SIGNATURE_SIZE)) {
++ if (crypto_memneq(digest, cookie->signature, SCTP_SIGNATURE_SIZE)) {
+ *error = -SCTP_IERROR_BAD_SIG;
+ goto fail;
+ }
+--- a/net/sctp/sm_statefuns.c
++++ b/net/sctp/sm_statefuns.c
+@@ -30,6 +30,7 @@
+
+ #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
++#include <crypto/utils.h>
+ #include <linux/types.h>
+ #include <linux/kernel.h>
+ #include <linux/ip.h>
+@@ -4417,7 +4418,7 @@ static enum sctp_ierror sctp_sf_authenti
+ sh_key, GFP_ATOMIC);
+
+ /* Discard the packet if the digests do not match */
+- if (memcmp(save_digest, digest, sig_len)) {
++ if (crypto_memneq(save_digest, digest, sig_len)) {
+ kfree(save_digest);
+ return SCTP_IERROR_BAD_SIG;
+ }
ipmi-rework-user-message-limit-handling.patch
ipmi-msghandler-change-seq_lock-to-a-mutex.patch
kernel-sys.c-fix-the-racy-usage-of-task_lock-tsk-group_leader-in-sys_prlimit64-paths.patch
+keys-trusted_tpm1-compare-hmac-values-in-constant-time.patch
+kho-only-fill-kimage-if-kho-is-finalized.patch
+lib-genalloc-fix-device-leak-in-of_gen_pool_get.patch
+loop-fix-backing-file-reference-leak-on-validation-error.patch
+md-fix-mssing-blktrace-bio-split-events.patch
+of-unittest-fix-device-reference-count-leak-in-of_unittest_pci_node_verify.patch
+openat2-don-t-trigger-automounts-with-resolve_no_xdev.patch
+padata-reset-next-cpu-when-reorder-sequence-wraps-around.patch
+parisc-don-t-reference-obsolete-termio-struct-for-tc-constants.patch
+parisc-remove-spurious-if-statement-from-raw_copy_from_user.patch
+nvme-pci-add-tuxedo-ibs-gen8-to-samsung-sleep-quirk.patch
+pinctrl-samsung-drop-unused-s3c24xx-driver-data.patch
+pm-em-fix-late-boot-with-holes-in-cpu-topology.patch
+pm-hibernate-fix-hybrid-sleep.patch
+pm-hibernate-restrict-gfp-mask-in-power_down.patch
+power-supply-max77976_charger-fix-constant-current-reporting.patch
+powerpc-powernv-pci-fix-underflow-and-leak-issue.patch
+powerpc-pseries-msi-fix-potential-underflow-and-leak-issue.patch
+pwm-berlin-fix-wrong-register-in-suspend-resume.patch
+pwm-fix-incorrect-variable-used-in-error-message.patch
+revert-ipmi-fix-msg-stack-when-ipmi-is-disconnected.patch
+riscv-use-an-atomic-xchg-in-pudp_huge_get_and_clear.patch
+sched-deadline-fix-race-in-push_dl_task.patch
+scsi-hpsa-fix-potential-memory-leak-in-hpsa_big_passthru_ioctl.patch
+scsi-sd-fix-build-warning-in-sd_revalidate_disk.patch
+sctp-fix-mac-comparison-to-be-constant-time.patch
+smb-client-fix-bug-with-newly-created-file-in-cached-dir.patch
+sparc64-fix-hugetlb-for-sun4u.patch
+sparc-fix-error-handling-in-scan_one_device.patch
+xtensa-simdisk-add-input-size-check-in-proc_write_simdisk.patch
+xsk-harden-userspace-supplied-xdp_desc-validation.patch
+mtd-rawnand-fsmc-default-to-autodetect-buswidth.patch
+mtd-nand-raw-gpmi-fix-clocks-when-config_pm-n.patch
+mmc-core-spi-mode-remove-cmd7.patch
+mmc-mmc_spi-multiple-block-read-remove-read-crc-ack.patch
+memory-samsung-exynos-srom-fix-of_iomap-leak-in-exynos_srom_probe.patch
+memory-stm32_omm-fix-req2ack-update-test.patch
+rtc-interface-ensure-alarm-irq-is-enabled-when-uie-is-enabled.patch
+rtc-interface-fix-long-standing-race-when-setting-alarm.patch
+rseq-selftests-use-weak-symbol-reference-not-definition-to-link-with-glibc.patch
+pci-xilinx-nwl-fix-ecam-programming.patch
+pci-tegra-convert-struct-tegra_msi-mask_lock-into-raw-spinlock.patch
+pci-sysfs-ensure-devices-are-powered-for-config-reads.patch
+pci-iov-add-pci-rescan-remove-locking-when-enabling-disabling-sr-iov.patch
+pci-err-fix-uevent-on-failure-to-recover.patch
+pci-aer-fix-missing-uevent-on-recovery-when-a-reset-is-requested.patch
+pci-aer-support-errors-introduced-by-pcie-r6.0.patch
+pci-ensure-relaxed-tail-alignment-does-not-increase-min_align.patch
+pci-fix-failure-detection-during-resource-resize.patch
+pci-j721e-fix-module-autoloading.patch
+pci-j721e-fix-programming-sequence-of-strap-settings.patch
+pci-keystone-use-devm_request_irq-to-free-ks-pcie-error-irq-on-exit.patch
+pci-rcar-gen4-fix-phy-initialization.patch
+pci-rcar-host-drop-pmsr-spinlock.patch
+pci-rcar-host-convert-struct-rcar_msi-mask_lock-into-raw-spinlock.patch
+pci-tegra194-fix-broken-tegra_pcie_ep_raise_msi_irq.patch
+pci-tegra194-handle-errors-in-bpmp-response.patch
+pci-tegra194-reset-bars-when-running-in-pcie-endpoint-mode.patch
+pci-pwrctrl-fix-device-leak-at-registration.patch
+pci-pwrctrl-fix-device-and-of-node-leak-at-bus-scan.patch
+pci-pwrctrl-fix-device-leak-at-device-stop.patch
+spi-cadence-quadspi-flush-posted-register-writes-before-indac-access.patch
+spi-cadence-quadspi-flush-posted-register-writes-before-dac-access.patch
+spi-cadence-quadspi-fix-cqspi_setup_flash.patch
+xfs-use-deferred-intent-items-for-reaping-crosslinked-blocks.patch
+x86-fred-remove-endbr64-from-fred-entry-points.patch
+x86-umip-check-that-the-instruction-opcode-is-at-least-two-bytes.patch
+x86-umip-fix-decoding-of-register-forms-of-0f-01-sgdt-and-sidt-aliases.patch
--- /dev/null
+From aa12118dbcfe659697567c9daa0eac2c71e3fd37 Mon Sep 17 00:00:00 2001
+From: Bharath SM <bharathsm@microsoft.com>
+Date: Fri, 26 Sep 2025 10:13:50 -0500
+Subject: smb client: fix bug with newly created file in cached dir
+
+From: Bharath SM <bharathsm@microsoft.com>
+
+commit aa12118dbcfe659697567c9daa0eac2c71e3fd37 upstream.
+
+Test generic/637 spotted a problem with create of a new file in a
+cached directory (by the same client) could cause cases where the
+new file does not show up properly in ls on that client until the
+lease times out.
+
+Fixes: 037e1bae588e ("smb: client: use ParentLeaseKey in cifs_do_create")
+Cc: stable@vger.kernel.org
+Signed-off-by: Bharath SM <bharathsm@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/dir.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/smb/client/dir.c b/fs/smb/client/dir.c
+index bc145436eba4..a233a5fe377b 100644
+--- a/fs/smb/client/dir.c
++++ b/fs/smb/client/dir.c
+@@ -329,6 +329,7 @@ static int cifs_do_create(struct inode *inode, struct dentry *direntry, unsigned
+ parent_cfid->fid.lease_key,
+ SMB2_LEASE_KEY_SIZE);
+ parent_cfid->dirents.is_valid = false;
++ parent_cfid->dirents.is_failed = true;
+ }
+ break;
+ }
+--
+2.51.0
+
--- /dev/null
+From 302c04110f0ce70d25add2496b521132548cd408 Mon Sep 17 00:00:00 2001
+From: Ma Ke <make24@iscas.ac.cn>
+Date: Sat, 20 Sep 2025 20:53:12 +0800
+Subject: sparc: fix error handling in scan_one_device()
+
+From: Ma Ke <make24@iscas.ac.cn>
+
+commit 302c04110f0ce70d25add2496b521132548cd408 upstream.
+
+Once of_device_register() failed, we should call put_device() to
+decrement reference count for cleanup. Or it could cause memory leak.
+So fix this by calling put_device(), then the name can be freed in
+kobject_cleanup().
+
+Calling path: of_device_register() -> of_device_add() -> device_add().
+As comment of device_add() says, 'if device_add() succeeds, you should
+call device_del() when you want to get rid of it. If device_add() has
+not succeeded, use only put_device() to drop the reference count'.
+
+Found by code review.
+
+Cc: stable@vger.kernel.org
+Fixes: cf44bbc26cf1 ("[SPARC]: Beginnings of generic of_device framework.")
+Signed-off-by: Ma Ke <make24@iscas.ac.cn>
+Reviewed-by: Andreas Larsson <andreas@gaisler.com>
+Signed-off-by: Andreas Larsson <andreas@gaisler.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/sparc/kernel/of_device_32.c | 1 +
+ arch/sparc/kernel/of_device_64.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/arch/sparc/kernel/of_device_32.c
++++ b/arch/sparc/kernel/of_device_32.c
+@@ -387,6 +387,7 @@ static struct platform_device * __init s
+
+ if (of_device_register(op)) {
+ printk("%pOF: Could not register of device.\n", dp);
++ put_device(&op->dev);
+ kfree(op);
+ op = NULL;
+ }
+--- a/arch/sparc/kernel/of_device_64.c
++++ b/arch/sparc/kernel/of_device_64.c
+@@ -677,6 +677,7 @@ static struct platform_device * __init s
+
+ if (of_device_register(op)) {
+ printk("%pOF: Could not register of device.\n", dp);
++ put_device(&op->dev);
+ kfree(op);
+ op = NULL;
+ }
--- /dev/null
+From 6fd44a481b3c6111e4801cec964627791d0f3ec5 Mon Sep 17 00:00:00 2001
+From: Anthony Yznaga <anthony.yznaga@oracle.com>
+Date: Tue, 15 Jul 2025 18:24:46 -0700
+Subject: sparc64: fix hugetlb for sun4u
+
+From: Anthony Yznaga <anthony.yznaga@oracle.com>
+
+commit 6fd44a481b3c6111e4801cec964627791d0f3ec5 upstream.
+
+An attempt to exercise sparc hugetlb code in a sun4u-based guest
+running under qemu results in the guest hanging due to being stuck
+in a trap loop. This is due to invalid hugetlb TTEs being installed
+that do not have the expected _PAGE_PMD_HUGE and page size bits set.
+Although the breakage has gone apparently unnoticed for several years,
+fix it now so there is the option to exercise sparc hugetlb code under
+qemu. This can be useful because sun4v support in qemu does not support
+linux guests currently and sun4v-based hardware resources may not be
+readily available.
+
+Fix tested with a 6.15.2 and 6.16-rc6 kernels by running libhugetlbfs
+tests on a qemu guest running Debian 13.
+
+Fixes: c7d9f77d33a7 ("sparc64: Multi-page size support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Anthony Yznaga <anthony.yznaga@oracle.com>
+Tested-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Reviewed-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Reviewed-by: Andreas Larsson <andreas@gaisler.com>
+Link: https://lore.kernel.org/r/20250716012446.10357-1-anthony.yznaga@oracle.com
+Signed-off-by: Andreas Larsson <andreas@gaisler.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/sparc/mm/hugetlbpage.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+--- a/arch/sparc/mm/hugetlbpage.c
++++ b/arch/sparc/mm/hugetlbpage.c
+@@ -22,6 +22,26 @@
+
+ static pte_t sun4u_hugepage_shift_to_tte(pte_t entry, unsigned int shift)
+ {
++ unsigned long hugepage_size = _PAGE_SZ4MB_4U;
++
++ pte_val(entry) = pte_val(entry) & ~_PAGE_SZALL_4U;
++
++ switch (shift) {
++ case HPAGE_256MB_SHIFT:
++ hugepage_size = _PAGE_SZ256MB_4U;
++ pte_val(entry) |= _PAGE_PMD_HUGE;
++ break;
++ case HPAGE_SHIFT:
++ pte_val(entry) |= _PAGE_PMD_HUGE;
++ break;
++ case HPAGE_64K_SHIFT:
++ hugepage_size = _PAGE_SZ64K_4U;
++ break;
++ default:
++ WARN_ONCE(1, "unsupported hugepage shift=%u\n", shift);
++ }
++
++ pte_val(entry) = pte_val(entry) | hugepage_size;
+ return entry;
+ }
+
--- /dev/null
+From 858d4d9e0a9d6b64160ef3c824f428c9742172c4 Mon Sep 17 00:00:00 2001
+From: Santhosh Kumar K <s-k6@ti.com>
+Date: Sat, 6 Sep 2025 00:29:57 +0530
+Subject: spi: cadence-quadspi: Fix cqspi_setup_flash()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Santhosh Kumar K <s-k6@ti.com>
+
+commit 858d4d9e0a9d6b64160ef3c824f428c9742172c4 upstream.
+
+The 'max_cs' stores the largest chip select number. It should only
+be updated when the current 'cs' is greater than existing 'max_cs'. So,
+fix the condition accordingly.
+
+Also, return failure if there are no flash device declared.
+
+Fixes: 0f3841a5e115 ("spi: cadence-qspi: report correct number of chip-select")
+CC: stable@vger.kernel.org
+Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
+Reviewed-by: Théo Lebrun <theo.lebrun@bootlin.com>
+Signed-off-by: Santhosh Kumar K <s-k6@ti.com>
+Message-ID: <20250905185958.3575037-4-s-k6@ti.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-cadence-quadspi.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/spi/spi-cadence-quadspi.c
++++ b/drivers/spi/spi-cadence-quadspi.c
+@@ -1727,12 +1727,10 @@ static const struct spi_controller_mem_c
+
+ static int cqspi_setup_flash(struct cqspi_st *cqspi)
+ {
+- unsigned int max_cs = cqspi->num_chipselect - 1;
+ struct platform_device *pdev = cqspi->pdev;
+ struct device *dev = &pdev->dev;
+ struct cqspi_flash_pdata *f_pdata;
+- unsigned int cs;
+- int ret;
++ int ret, cs, max_cs = -1;
+
+ /* Get flash device data */
+ for_each_available_child_of_node_scoped(dev->of_node, np) {
+@@ -1745,10 +1743,10 @@ static int cqspi_setup_flash(struct cqsp
+ if (cs >= cqspi->num_chipselect) {
+ dev_err(dev, "Chip select %d out of range.\n", cs);
+ return -EINVAL;
+- } else if (cs < max_cs) {
+- max_cs = cs;
+ }
+
++ max_cs = max_t(int, cs, max_cs);
++
+ f_pdata = &cqspi->f_pdata[cs];
+ f_pdata->cqspi = cqspi;
+ f_pdata->cs = cs;
+@@ -1758,6 +1756,11 @@ static int cqspi_setup_flash(struct cqsp
+ return ret;
+ }
+
++ if (max_cs < 0) {
++ dev_err(dev, "No flash device declared\n");
++ return -ENODEV;
++ }
++
+ cqspi->num_chipselect = max_cs + 1;
+ return 0;
+ }
--- /dev/null
+From 1ad55767e77a853c98752ed1e33b68049a243bd7 Mon Sep 17 00:00:00 2001
+From: Pratyush Yadav <pratyush@kernel.org>
+Date: Sat, 6 Sep 2025 00:29:56 +0530
+Subject: spi: cadence-quadspi: Flush posted register writes before DAC access
+
+From: Pratyush Yadav <pratyush@kernel.org>
+
+commit 1ad55767e77a853c98752ed1e33b68049a243bd7 upstream.
+
+cqspi_read_setup() and cqspi_write_setup() program the address width as
+the last step in the setup. This is likely to be immediately followed by
+a DAC region read/write. On TI K3 SoCs the DAC region is on a different
+endpoint from the register region. This means that the order of the two
+operations is not guaranteed, and they might be reordered at the
+interconnect level. It is possible that the DAC read/write goes through
+before the address width update goes through. In this situation if the
+previous command used a different address width the OSPI command is sent
+with the wrong number of address bytes, resulting in an invalid command
+and undefined behavior.
+
+Read back the size register to make sure the write gets flushed before
+accessing the DAC region.
+
+Fixes: 140623410536 ("mtd: spi-nor: Add driver for Cadence Quad SPI Flash Controller")
+CC: stable@vger.kernel.org
+Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
+Signed-off-by: Pratyush Yadav <pratyush@kernel.org>
+Signed-off-by: Santhosh Kumar K <s-k6@ti.com>
+Message-ID: <20250905185958.3575037-3-s-k6@ti.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-cadence-quadspi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/spi/spi-cadence-quadspi.c
++++ b/drivers/spi/spi-cadence-quadspi.c
+@@ -720,6 +720,7 @@ static int cqspi_read_setup(struct cqspi
+ reg &= ~CQSPI_REG_SIZE_ADDRESS_MASK;
+ reg |= (op->addr.nbytes - 1);
+ writel(reg, reg_base + CQSPI_REG_SIZE);
++ readl(reg_base + CQSPI_REG_SIZE); /* Flush posted write. */
+ return 0;
+ }
+
+@@ -1064,6 +1065,7 @@ static int cqspi_write_setup(struct cqsp
+ reg &= ~CQSPI_REG_SIZE_ADDRESS_MASK;
+ reg |= (op->addr.nbytes - 1);
+ writel(reg, reg_base + CQSPI_REG_SIZE);
++ readl(reg_base + CQSPI_REG_SIZE); /* Flush posted write. */
+ return 0;
+ }
+
--- /dev/null
+From 29e0b471ccbd674d20d4bbddea1a51e7105212c5 Mon Sep 17 00:00:00 2001
+From: Pratyush Yadav <pratyush@kernel.org>
+Date: Sat, 6 Sep 2025 00:29:55 +0530
+Subject: spi: cadence-quadspi: Flush posted register writes before INDAC access
+
+From: Pratyush Yadav <pratyush@kernel.org>
+
+commit 29e0b471ccbd674d20d4bbddea1a51e7105212c5 upstream.
+
+cqspi_indirect_read_execute() and cqspi_indirect_write_execute() first
+set the enable bit on APB region and then start reading/writing to the
+AHB region. On TI K3 SoCs these regions lie on different endpoints. This
+means that the order of the two operations is not guaranteed, and they
+might be reordered at the interconnect level.
+
+It is possible for the AHB write to be executed before the APB write to
+enable the indirect controller, causing the transaction to be invalid
+and the write erroring out. Read back the APB region write before
+accessing the AHB region to make sure the write got flushed and the race
+condition is eliminated.
+
+Fixes: 140623410536 ("mtd: spi-nor: Add driver for Cadence Quad SPI Flash Controller")
+CC: stable@vger.kernel.org
+Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
+Signed-off-by: Pratyush Yadav <pratyush@kernel.org>
+Signed-off-by: Santhosh Kumar K <s-k6@ti.com>
+Message-ID: <20250905185958.3575037-2-s-k6@ti.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-cadence-quadspi.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/spi/spi-cadence-quadspi.c
++++ b/drivers/spi/spi-cadence-quadspi.c
+@@ -765,6 +765,7 @@ static int cqspi_indirect_read_execute(s
+ reinit_completion(&cqspi->transfer_complete);
+ writel(CQSPI_REG_INDIRECTRD_START_MASK,
+ reg_base + CQSPI_REG_INDIRECTRD);
++ readl(reg_base + CQSPI_REG_INDIRECTRD); /* Flush posted write. */
+
+ while (remaining > 0) {
+ if (use_irq &&
+@@ -1091,6 +1092,8 @@ static int cqspi_indirect_write_execute(
+ reinit_completion(&cqspi->transfer_complete);
+ writel(CQSPI_REG_INDIRECTWR_START_MASK,
+ reg_base + CQSPI_REG_INDIRECTWR);
++ readl(reg_base + CQSPI_REG_INDIRECTWR); /* Flush posted write. */
++
+ /*
+ * As per 66AK2G02 TRM SPRUHY8F section 11.15.5.3 Indirect Access
+ * Controller programming sequence, couple of cycles of
--- /dev/null
+From 3da01ffe1aeaa0d427ab5235ba735226670a80d9 Mon Sep 17 00:00:00 2001
+From: "Xin Li (Intel)" <xin@zytor.com>
+Date: Tue, 15 Jul 2025 23:33:20 -0700
+Subject: x86/fred: Remove ENDBR64 from FRED entry points
+
+From: Xin Li (Intel) <xin@zytor.com>
+
+commit 3da01ffe1aeaa0d427ab5235ba735226670a80d9 upstream.
+
+The FRED specification has been changed in v9.0 to state that there
+is no need for FRED event handlers to begin with ENDBR64, because
+in the presence of supervisor indirect branch tracking, FRED event
+delivery does not enter the WAIT_FOR_ENDBRANCH state.
+
+As a result, remove ENDBR64 from FRED entry points.
+
+Then add ANNOTATE_NOENDBR to indicate that FRED entry points will
+never be used for indirect calls to suppress an objtool warning.
+
+This change implies that any indirect CALL/JMP to FRED entry points
+causes #CP in the presence of supervisor indirect branch tracking.
+
+Credit goes to Jennifer Miller <jmill@asu.edu> and other contributors
+from Arizona State University whose research shows that placing ENDBR
+at entry points has negative value thus led to this change.
+
+Note: This is obviously an incompatible change to the FRED
+architecture. But, it's OK because there no FRED systems out in the
+wild today. All production hardware and late pre-production hardware
+will follow the FRED v9 spec and be compatible with this approach.
+
+[ dhansen: add note to changelog about incompatibility ]
+
+Fixes: 14619d912b65 ("x86/fred: FRED entry/exit and dispatch code")
+Signed-off-by: Xin Li (Intel) <xin@zytor.com>
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Reviewed-by: H. Peter Anvin (Intel) <hpa@zytor.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Link: https://lore.kernel.org/linux-hardening/Z60NwR4w%2F28Z7XUa@ubun/
+Cc:stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20250716063320.1337818-1-xin%40zytor.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/entry/entry_64_fred.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/entry/entry_64_fred.S
++++ b/arch/x86/entry/entry_64_fred.S
+@@ -16,7 +16,7 @@
+
+ .macro FRED_ENTER
+ UNWIND_HINT_END_OF_STACK
+- ENDBR
++ ANNOTATE_NOENDBR
+ PUSH_AND_CLEAR_REGS
+ movq %rsp, %rdi /* %rdi -> pt_regs */
+ .endm
--- /dev/null
+From 32278c677947ae2f042c9535674a7fff9a245dd3 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Fri, 8 Aug 2025 10:23:56 -0700
+Subject: x86/umip: Check that the instruction opcode is at least two bytes
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit 32278c677947ae2f042c9535674a7fff9a245dd3 upstream.
+
+When checking for a potential UMIP violation on #GP, verify the decoder found
+at least two opcode bytes to avoid false positives when the kernel encounters
+an unknown instruction that starts with 0f. Because the array of opcode.bytes
+is zero-initialized by insn_init(), peeking at bytes[1] will misinterpret
+garbage as a potential SLDT or STR instruction, and can incorrectly trigger
+emulation.
+
+E.g. if a VPALIGNR instruction
+
+ 62 83 c5 05 0f 08 ff vpalignr xmm17{k5},xmm23,XMMWORD PTR [r8],0xff
+
+hits a #GP, the kernel emulates it as STR and squashes the #GP (and corrupts
+the userspace code stream).
+
+Arguably the check should look for exactly two bytes, but no three byte
+opcodes use '0f 00 xx' or '0f 01 xx' as an escape, i.e. it should be
+impossible to get a false positive if the first two opcode bytes match '0f 00'
+or '0f 01'. Go with a more conservative check with respect to the existing
+code to minimize the chances of breaking userspace, e.g. due to decoder
+weirdness.
+
+Analyzed by Nick Bray <ncbray@google.com>.
+
+Fixes: 1e5db223696a ("x86/umip: Add emulation code for UMIP instructions")
+Reported-by: Dan Snyder <dansnyder@google.com>
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/umip.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/umip.c
++++ b/arch/x86/kernel/umip.c
+@@ -156,8 +156,8 @@ static int identify_insn(struct insn *in
+ if (!insn->modrm.nbytes)
+ return -EINVAL;
+
+- /* All the instructions of interest start with 0x0f. */
+- if (insn->opcode.bytes[0] != 0xf)
++ /* The instructions of interest have 2-byte opcodes: 0F 00 or 0F 01. */
++ if (insn->opcode.nbytes < 2 || insn->opcode.bytes[0] != 0xf)
+ return -EINVAL;
+
+ if (insn->opcode.bytes[1] == 0x1) {
--- /dev/null
+From 27b1fd62012dfe9d3eb8ecde344d7aa673695ecf Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Fri, 8 Aug 2025 10:23:57 -0700
+Subject: x86/umip: Fix decoding of register forms of 0F 01 (SGDT and SIDT aliases)
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit 27b1fd62012dfe9d3eb8ecde344d7aa673695ecf upstream.
+
+Filter out the register forms of 0F 01 when determining whether or not to
+emulate in response to a potential UMIP violation #GP, as SGDT and SIDT only
+accept memory operands. The register variants of 0F 01 are used to encode
+instructions for things like VMX and SGX, i.e. not checking the Mod field
+would cause the kernel to incorrectly emulate on #GP, e.g. due to a CPL
+violation on VMLAUNCH.
+
+Fixes: 1e5db223696a ("x86/umip: Add emulation code for UMIP instructions")
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/umip.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/arch/x86/kernel/umip.c
++++ b/arch/x86/kernel/umip.c
+@@ -163,8 +163,19 @@ static int identify_insn(struct insn *in
+ if (insn->opcode.bytes[1] == 0x1) {
+ switch (X86_MODRM_REG(insn->modrm.value)) {
+ case 0:
++ /* The reg form of 0F 01 /0 encodes VMX instructions. */
++ if (X86_MODRM_MOD(insn->modrm.value) == 3)
++ return -EINVAL;
++
+ return UMIP_INST_SGDT;
+ case 1:
++ /*
++ * The reg form of 0F 01 /1 encodes MONITOR/MWAIT,
++ * STAC/CLAC, and ENCLS.
++ */
++ if (X86_MODRM_MOD(insn->modrm.value) == 3)
++ return -EINVAL;
++
+ return UMIP_INST_SIDT;
+ case 4:
+ return UMIP_INST_SMSW;
--- /dev/null
+From cd32a0c0dcdf634f2e0e71f41c272e19dece6264 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <djwong@kernel.org>
+Date: Tue, 8 Apr 2025 16:14:32 -0700
+Subject: xfs: use deferred intent items for reaping crosslinked blocks
+
+From: Darrick J. Wong <djwong@kernel.org>
+
+commit cd32a0c0dcdf634f2e0e71f41c272e19dece6264 upstream.
+
+When we're removing rmap records for crosslinked blocks, use deferred
+intent items so that we can try to free/unmap as many of the old data
+structure's blocks as we can in the same transaction as the commit.
+
+Cc: <stable@vger.kernel.org> # v6.6
+Fixes: 1c7ce115e52106 ("xfs: reap large AG metadata extents when possible")
+Signed-off-by: "Darrick J. Wong" <djwong@kernel.org>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xfs/scrub/reap.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/fs/xfs/scrub/reap.c
++++ b/fs/xfs/scrub/reap.c
+@@ -416,8 +416,6 @@ xreap_agextent_iter(
+ trace_xreap_dispose_unmap_extent(pag_group(sc->sa.pag), agbno,
+ *aglenp);
+
+- rs->force_roll = true;
+-
+ if (rs->oinfo == &XFS_RMAP_OINFO_COW) {
+ /*
+ * If we're unmapping CoW staging extents, remove the
+@@ -426,11 +424,14 @@ xreap_agextent_iter(
+ */
+ xfs_refcount_free_cow_extent(sc->tp, false, fsbno,
+ *aglenp);
++ rs->force_roll = true;
+ return 0;
+ }
+
+- return xfs_rmap_free(sc->tp, sc->sa.agf_bp, sc->sa.pag, agbno,
+- *aglenp, rs->oinfo);
++ xfs_rmap_free_extent(sc->tp, false, fsbno, *aglenp,
++ rs->oinfo->oi_owner);
++ rs->deferred++;
++ return 0;
+ }
+
+ trace_xreap_dispose_free_extent(pag_group(sc->sa.pag), agbno, *aglenp);
--- /dev/null
+From 07ca98f906a403637fc5e513a872a50ef1247f3b Mon Sep 17 00:00:00 2001
+From: Alexander Lobakin <aleksander.lobakin@intel.com>
+Date: Wed, 8 Oct 2025 18:56:59 +0200
+Subject: xsk: Harden userspace-supplied xdp_desc validation
+
+From: Alexander Lobakin <aleksander.lobakin@intel.com>
+
+commit 07ca98f906a403637fc5e513a872a50ef1247f3b upstream.
+
+Turned out certain clearly invalid values passed in xdp_desc from
+userspace can pass xp_{,un}aligned_validate_desc() and then lead
+to UBs or just invalid frames to be queued for xmit.
+
+desc->len close to ``U32_MAX`` with a non-zero pool->tx_metadata_len
+can cause positive integer overflow and wraparound, the same way low
+enough desc->addr with a non-zero pool->tx_metadata_len can cause
+negative integer overflow. Both scenarios can then pass the
+validation successfully.
+This doesn't happen with valid XSk applications, but can be used
+to perform attacks.
+
+Always promote desc->len to ``u64`` first to exclude positive
+overflows of it. Use explicit check_{add,sub}_overflow() when
+validating desc->addr (which is ``u64`` already).
+
+bloat-o-meter reports a little growth of the code size:
+
+add/remove: 0/0 grow/shrink: 2/1 up/down: 60/-16 (44)
+Function old new delta
+xskq_cons_peek_desc 299 330 +31
+xsk_tx_peek_release_desc_batch 973 1002 +29
+xsk_generic_xmit 3148 3132 -16
+
+but hopefully this doesn't hurt the performance much.
+
+Fixes: 341ac980eab9 ("xsk: Support tx_metadata_len")
+Cc: stable@vger.kernel.org # 6.8+
+Signed-off-by: Alexander Lobakin <aleksander.lobakin@intel.com>
+Reviewed-by: Jason Xing <kerneljasonxing@gmail.com>
+Reviewed-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Link: https://lore.kernel.org/r/20251008165659.4141318-1-aleksander.lobakin@intel.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/xdp/xsk_queue.h | 45 +++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 35 insertions(+), 10 deletions(-)
+
+--- a/net/xdp/xsk_queue.h
++++ b/net/xdp/xsk_queue.h
+@@ -143,14 +143,24 @@ static inline bool xp_unused_options_set
+ static inline bool xp_aligned_validate_desc(struct xsk_buff_pool *pool,
+ struct xdp_desc *desc)
+ {
+- u64 addr = desc->addr - pool->tx_metadata_len;
+- u64 len = desc->len + pool->tx_metadata_len;
+- u64 offset = addr & (pool->chunk_size - 1);
++ u64 len = desc->len;
++ u64 addr, offset;
+
+- if (!desc->len)
++ if (!len)
+ return false;
+
+- if (offset + len > pool->chunk_size)
++ /* Can overflow if desc->addr < pool->tx_metadata_len */
++ if (check_sub_overflow(desc->addr, pool->tx_metadata_len, &addr))
++ return false;
++
++ offset = addr & (pool->chunk_size - 1);
++
++ /*
++ * Can't overflow: @offset is guaranteed to be < ``U32_MAX``
++ * (pool->chunk_size is ``u32``), @len is guaranteed
++ * to be <= ``U32_MAX``.
++ */
++ if (offset + len + pool->tx_metadata_len > pool->chunk_size)
+ return false;
+
+ if (addr >= pool->addrs_cnt)
+@@ -158,27 +168,42 @@ static inline bool xp_aligned_validate_d
+
+ if (xp_unused_options_set(desc->options))
+ return false;
++
+ return true;
+ }
+
+ static inline bool xp_unaligned_validate_desc(struct xsk_buff_pool *pool,
+ struct xdp_desc *desc)
+ {
+- u64 addr = xp_unaligned_add_offset_to_addr(desc->addr) - pool->tx_metadata_len;
+- u64 len = desc->len + pool->tx_metadata_len;
++ u64 len = desc->len;
++ u64 addr, end;
+
+- if (!desc->len)
++ if (!len)
+ return false;
+
++ /* Can't overflow: @len is guaranteed to be <= ``U32_MAX`` */
++ len += pool->tx_metadata_len;
+ if (len > pool->chunk_size)
+ return false;
+
+- if (addr >= pool->addrs_cnt || addr + len > pool->addrs_cnt ||
+- xp_desc_crosses_non_contig_pg(pool, addr, len))
++ /* Can overflow if desc->addr is close to 0 */
++ if (check_sub_overflow(xp_unaligned_add_offset_to_addr(desc->addr),
++ pool->tx_metadata_len, &addr))
++ return false;
++
++ if (addr >= pool->addrs_cnt)
++ return false;
++
++ /* Can overflow if pool->addrs_cnt is high enough */
++ if (check_add_overflow(addr, len, &end) || end > pool->addrs_cnt)
++ return false;
++
++ if (xp_desc_crosses_non_contig_pg(pool, addr, len))
+ return false;
+
+ if (xp_unused_options_set(desc->options))
+ return false;
++
+ return true;
+ }
+
--- /dev/null
+From 5d5f08fd0cd970184376bee07d59f635c8403f63 Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin <linmq006@gmail.com>
+Date: Fri, 29 Aug 2025 16:30:15 +0800
+Subject: xtensa: simdisk: add input size check in proc_write_simdisk
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+commit 5d5f08fd0cd970184376bee07d59f635c8403f63 upstream.
+
+A malicious user could pass an arbitrarily bad value
+to memdup_user_nul(), potentially causing kernel crash.
+
+This follows the same pattern as commit ee76746387f6
+("netdevsim: prevent bad user input in nsim_dev_health_break_write()")
+
+Fixes: b6c7e873daf7 ("xtensa: ISS: add host file-based simulated disk")
+Fixes: 16e5c1fc3604 ("convert a bunch of open-coded instances of memdup_user_nul()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Message-Id: <20250829083015.1992751-1-linmq006@gmail.com>
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/xtensa/platforms/iss/simdisk.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/xtensa/platforms/iss/simdisk.c
++++ b/arch/xtensa/platforms/iss/simdisk.c
+@@ -231,10 +231,14 @@ static ssize_t proc_read_simdisk(struct
+ static ssize_t proc_write_simdisk(struct file *file, const char __user *buf,
+ size_t count, loff_t *ppos)
+ {
+- char *tmp = memdup_user_nul(buf, count);
++ char *tmp;
+ struct simdisk *dev = pde_data(file_inode(file));
+ int err;
+
++ if (count == 0 || count > PAGE_SIZE)
++ return -EINVAL;
++
++ tmp = memdup_user_nul(buf, count);
+ if (IS_ERR(tmp))
+ return PTR_ERR(tmp);
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
