--- /dev/null
+From db91586b1e8f36122a9e5b8fbced11741488dd22 Mon Sep 17 00:00:00 2001
+From: Damien Le Moal <dlemoal@kernel.org>
+Date: Fri, 18 Apr 2025 15:40:14 +0900
+Subject: ata: libata-scsi: Fix ata_mselect_control_ata_feature() return type
+
+From: Damien Le Moal <dlemoal@kernel.org>
+
+commit db91586b1e8f36122a9e5b8fbced11741488dd22 upstream.
+
+The function ata_mselect_control_ata_feature() has a return type defined
+as unsigned int but this function may return negative error codes, which
+are correctly propagated up the call chain as integers.
+
+Fix ata_mselect_control_ata_feature() to have the correct int return
+type.
+
+While at it, also fix a typo in this function description comment.
+
+Fixes: df60f9c64576 ("scsi: ata: libata: Add ATA feature control sub-page translation")
+Cc: stable@vger.kernel.org
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Niklas Cassel <cassel@kernel.org>
+Reviewed-by: Igor Pylypiv <ipylypiv@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libata-scsi.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -3734,12 +3734,11 @@ static int ata_mselect_control_spg0(stru
+ }
+
+ /*
+- * Translate MODE SELECT control mode page, sub-pages f2h (ATA feature mode
++ * Translate MODE SELECT control mode page, sub-page f2h (ATA feature mode
+ * page) into a SET FEATURES command.
+ */
+-static unsigned int ata_mselect_control_ata_feature(struct ata_queued_cmd *qc,
+- const u8 *buf, int len,
+- u16 *fp)
++static int ata_mselect_control_ata_feature(struct ata_queued_cmd *qc,
++ const u8 *buf, int len, u16 *fp)
+ {
+ struct ata_device *dev = qc->dev;
+ struct ata_taskfile *tf = &qc->tf;
--- /dev/null
+From 88474ad734fb2000805c63e01cc53ea930adf2c7 Mon Sep 17 00:00:00 2001
+From: Damien Le Moal <dlemoal@kernel.org>
+Date: Sun, 13 Apr 2025 14:45:30 +0900
+Subject: ata: libata-scsi: Fix ata_msense_control_ata_feature()
+
+From: Damien Le Moal <dlemoal@kernel.org>
+
+commit 88474ad734fb2000805c63e01cc53ea930adf2c7 upstream.
+
+For the ATA features subpage of the control mode page, the T10 SAT-6
+specifications state that:
+
+For a MODE SENSE command, the SATL shall return the CDL_CTRL field value
+that was last set by an application client.
+
+However, the function ata_msense_control_ata_feature() always sets the
+CDL_CTRL field to the 0x02 value to indicate support for the CDL T2A and
+T2B pages. This is thus incorrect and the value 0x02 must be reported
+only after the user enables the CDL feature, which is indicated with the
+ATA_DFLAG_CDL_ENABLED device flag. When this flag is not set, the
+CDL_CTRL field of the ATA feature subpage of the control mode page must
+report a value of 0x00.
+
+Fix ata_msense_control_ata_feature() to report the correct values for
+the CDL_CTRL field, according to the enable/disable state of the device
+CDL feature.
+
+Fixes: df60f9c64576 ("scsi: ata: libata: Add ATA feature control sub-page translation")
+Cc: stable@vger.kernel.org
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Niklas Cassel <cassel@kernel.org>
+Reviewed-by: Igor Pylypiv <ipylypiv@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libata-scsi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -2325,8 +2325,8 @@ static unsigned int ata_msense_control_a
+ */
+ put_unaligned_be16(ATA_FEATURE_SUB_MPAGE_LEN - 4, &buf[2]);
+
+- if (dev->flags & ATA_DFLAG_CDL)
+- buf[4] = 0x02; /* Support T2A and T2B pages */
++ if (dev->flags & ATA_DFLAG_CDL_ENABLED)
++ buf[4] = 0x02; /* T2A and T2B pages enabled */
+ else
+ buf[4] = 0;
+
--- /dev/null
+From 17e897a456752ec9c2d7afb3d9baf268b442451b Mon Sep 17 00:00:00 2001
+From: Damien Le Moal <dlemoal@kernel.org>
+Date: Mon, 14 Apr 2025 10:25:05 +0900
+Subject: ata: libata-scsi: Improve CDL control
+
+From: Damien Le Moal <dlemoal@kernel.org>
+
+commit 17e897a456752ec9c2d7afb3d9baf268b442451b upstream.
+
+With ATA devices supporting the CDL feature, using CDL requires that the
+feature be enabled with a SET FEATURES command. This command is issued
+as the translated command for the MODE SELECT command issued by
+scsi_cdl_enable() when the user enables CDL through the device
+cdl_enable sysfs attribute.
+
+Currently, ata_mselect_control_ata_feature() always translates a MODE
+SELECT command for the ATA features subpage of the control mode page to
+a SET FEATURES command to enable or disable CDL based on the cdl_ctrl
+field. However, there is no need to issue the SET FEATURES command if:
+1) The MODE SELECT command requests disabling CDL and CDL is already
+ disabled.
+2) The MODE SELECT command requests enabling CDL and CDL is already
+ enabled.
+
+Fix ata_mselect_control_ata_feature() to issue the SET FEATURES command
+only when necessary. Since enabling CDL also implies a reset of the CDL
+statistics log page, avoiding useless CDL enable operations also avoids
+clearing the CDL statistics log.
+
+Also add debug messages to clearly signal when CDL is being enabled or
+disabled using a SET FEATURES command.
+
+Fixes: df60f9c64576 ("scsi: ata: libata: Add ATA feature control sub-page translation")
+Cc: stable@vger.kernel.org
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Niklas Cassel <cassel@kernel.org>
+Reviewed-by: Igor Pylypiv <ipylypiv@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libata-scsi.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -3757,17 +3757,27 @@ static unsigned int ata_mselect_control_
+ /* Check cdl_ctrl */
+ switch (buf[0] & 0x03) {
+ case 0:
+- /* Disable CDL */
++ /* Disable CDL if it is enabled */
++ if (!(dev->flags & ATA_DFLAG_CDL_ENABLED))
++ return 0;
++ ata_dev_dbg(dev, "Disabling CDL\n");
+ cdl_action = 0;
+ dev->flags &= ~ATA_DFLAG_CDL_ENABLED;
+ break;
+ case 0x02:
+- /* Enable CDL T2A/T2B: NCQ priority must be disabled */
++ /*
++ * Enable CDL if not already enabled. Since this is mutually
++ * exclusive with NCQ priority, allow this only if NCQ priority
++ * is disabled.
++ */
++ if (dev->flags & ATA_DFLAG_CDL_ENABLED)
++ return 0;
+ if (dev->flags & ATA_DFLAG_NCQ_PRIO_ENABLED) {
+ ata_dev_err(dev,
+ "NCQ priority must be disabled to enable CDL\n");
+ return -EINVAL;
+ }
++ ata_dev_dbg(dev, "Enabling CDL\n");
+ cdl_action = 1;
+ dev->flags |= ATA_DFLAG_CDL_ENABLED;
+ break;
--- /dev/null
+From 8006aff15516a170640239c5a8e6696c0ba18d8e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marek=20Beh=C3=BAn?= <kabel@kernel.org>
+Date: Tue, 22 Apr 2025 11:57:18 +0200
+Subject: crypto: atmel-sha204a - Set hwrng quality to lowest possible
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek BehĂșn <kabel@kernel.org>
+
+commit 8006aff15516a170640239c5a8e6696c0ba18d8e upstream.
+
+According to the review by Bill Cox [1], the Atmel SHA204A random number
+generator produces random numbers with very low entropy.
+
+Set the lowest possible entropy for this chip just to be safe.
+
+[1] https://www.metzdowd.com/pipermail/cryptography/2014-December/023858.html
+
+Fixes: da001fb651b00e1d ("crypto: atmel-i2c - add support for SHA204A random number generator")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Marek BehĂșn <kabel@kernel.org>
+Acked-by: Ard Biesheuvel <ardb@kernel.org>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/atmel-sha204a.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/crypto/atmel-sha204a.c
++++ b/drivers/crypto/atmel-sha204a.c
+@@ -163,6 +163,12 @@ static int atmel_sha204a_probe(struct i2
+ i2c_priv->hwrng.name = dev_name(&client->dev);
+ i2c_priv->hwrng.read = atmel_sha204a_rng_read;
+
++ /*
++ * According to review by Bill Cox [1], this HWRNG has very low entropy.
++ * [1] https://www.metzdowd.com/pipermail/cryptography/2014-December/023858.html
++ */
++ i2c_priv->hwrng.quality = 1;
++
+ ret = devm_hwrng_register(&client->dev, &i2c_priv->hwrng);
+ if (ret)
+ dev_warn(&client->dev, "failed to register RNG (%d)\n", ret);
--- /dev/null
+From 078d3ee7c162cd66d76171579c02d7890bd77daf Mon Sep 17 00:00:00 2001
+From: Smita Koralahalli <Smita.KoralahalliChannabasappa@amd.com>
+Date: Mon, 7 Apr 2025 19:27:34 +0000
+Subject: cxl/core/regs.c: Skip Memory Space Enable check for RCD and RCH Ports
+
+From: Smita Koralahalli <Smita.KoralahalliChannabasappa@amd.com>
+
+commit 078d3ee7c162cd66d76171579c02d7890bd77daf upstream.
+
+According to CXL r3.2 section 8.2.1.2, the PCI_COMMAND register fields,
+including Memory Space Enable bit, have no effect on the behavior of an
+RCD Upstream Port. Retaining this check may incorrectly cause
+cxl_pci_probe() to fail on a valid RCD upstream Port.
+
+While the specification is explicit only for RCD Upstream Ports, this
+check is solely for accessing the RCRB, which is always mapped through
+memory space. Therefore, its safe to remove the check entirely. In
+practice, firmware reliably enables the Memory Space Enable bit for
+RCH Downstream Ports and no failures have been observed.
+
+Removing the check simplifies the code and avoids unnecessary
+special-casing, while relying on BIOS/firmware to configure devices
+correctly. Moreover, any failures due to inaccessible RCRB regions
+will still be caught either in __rcrb_to_component() or while
+parsing the component register block.
+
+The following failure was observed in dmesg when the check was present:
+ cxl_pci 0000:7f:00.0: No component registers (-6)
+
+Fixes: d5b1a27143cb ("cxl/acpi: Extract component registers of restricted hosts from RCRB")
+Signed-off-by: Smita Koralahalli <Smita.KoralahalliChannabasappa@amd.com>
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Ira Weiny <ira.weiny@intel.com>
+Reviewed-by: Terry Bowman <terry.bowman@amd.com>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Reviewed-by: Robert Richter <rrichter@amd.com>
+Link: https://patch.msgid.link/20250407192734.70631-1-Smita.KoralahalliChannabasappa@amd.com
+Signed-off-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cxl/core/regs.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/drivers/cxl/core/regs.c
++++ b/drivers/cxl/core/regs.c
+@@ -513,7 +513,6 @@ resource_size_t __rcrb_to_component(stru
+ resource_size_t rcrb = ri->base;
+ void __iomem *addr;
+ u32 bar0, bar1;
+- u16 cmd;
+ u32 id;
+
+ if (which == CXL_RCRB_UPSTREAM)
+@@ -535,7 +534,6 @@ resource_size_t __rcrb_to_component(stru
+ }
+
+ id = readl(addr + PCI_VENDOR_ID);
+- cmd = readw(addr + PCI_COMMAND);
+ bar0 = readl(addr + PCI_BASE_ADDRESS_0);
+ bar1 = readl(addr + PCI_BASE_ADDRESS_1);
+ iounmap(addr);
+@@ -550,8 +548,6 @@ resource_size_t __rcrb_to_component(stru
+ dev_err(dev, "Failed to access Downstream Port RCRB\n");
+ return CXL_RESOURCE_NONE;
+ }
+- if (!(cmd & PCI_COMMAND_MEMORY))
+- return CXL_RESOURCE_NONE;
+ /* The RCRB is a Memory Window, and the MEM_TYPE_1M bit is obsolete */
+ if (bar0 & (PCI_BASE_ADDRESS_MEM_TYPE_1M | PCI_BASE_ADDRESS_SPACE_IO))
+ return CXL_RESOURCE_NONE;
--- /dev/null
+From 7eb287beeb60be1e4437be2b4e4e9f0da89aab97 Mon Sep 17 00:00:00 2001
+From: Roman Li <Roman.Li@amd.com>
+Date: Tue, 1 Apr 2025 17:05:10 -0400
+Subject: drm/amd/display: Fix gpu reset in multidisplay config
+
+From: Roman Li <Roman.Li@amd.com>
+
+commit 7eb287beeb60be1e4437be2b4e4e9f0da89aab97 upstream.
+
+[Why]
+The indexing of stream_status in dm_gpureset_commit_state() is incorrect.
+That leads to asserts in multi-display configuration after gpu reset.
+
+[How]
+Adjust the indexing logic to align stream_status with surface_updates.
+
+Fixes: cdaae8371aa9 ("drm/amd/display: Handle GPU reset for DC block")
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3808
+Reviewed-by: Aurabindo Pillai <aurabindo.pillai@amd.com>
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Roman Li <Roman.Li@amd.com>
+Signed-off-by: Zaeem Mohamed <zaeem.mohamed@amd.com>
+Tested-by: Mark Broadworth <mark.broadworth@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit d91bc901398741d317d9b55c59ca949d4bc7394b)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -3216,16 +3216,16 @@ static void dm_gpureset_commit_state(str
+ for (k = 0; k < dc_state->stream_count; k++) {
+ bundle->stream_update.stream = dc_state->streams[k];
+
+- for (m = 0; m < dc_state->stream_status->plane_count; m++) {
++ for (m = 0; m < dc_state->stream_status[k].plane_count; m++) {
+ bundle->surface_updates[m].surface =
+- dc_state->stream_status->plane_states[m];
++ dc_state->stream_status[k].plane_states[m];
+ bundle->surface_updates[m].surface->force_full_update =
+ true;
+ }
+
+ update_planes_and_stream_adapter(dm->dc,
+ UPDATE_TYPE_FULL,
+- dc_state->stream_status->plane_count,
++ dc_state->stream_status[k].plane_count,
+ dc_state->streams[k],
+ &bundle->stream_update,
+ bundle->surface_updates);
--- /dev/null
+From 67fe574651c73fe5cc176e35f28f2ec1ba498d14 Mon Sep 17 00:00:00 2001
+From: Roman Li <Roman.Li@amd.com>
+Date: Wed, 26 Mar 2025 10:33:51 -0400
+Subject: drm/amd/display: Force full update in gpu reset
+
+From: Roman Li <Roman.Li@amd.com>
+
+commit 67fe574651c73fe5cc176e35f28f2ec1ba498d14 upstream.
+
+[Why]
+While system undergoing gpu reset always do full update
+to sync the dc state before and after reset.
+
+[How]
+Return true in should_reset_plane() if gpu reset detected
+
+Reviewed-by: Aurabindo Pillai <aurabindo.pillai@amd.com>
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Roman Li <Roman.Li@amd.com>
+Signed-off-by: Zaeem Mohamed <zaeem.mohamed@amd.com>
+Tested-by: Mark Broadworth <mark.broadworth@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 2ba8619b9a378ad218ad6c2e2ccaee8f531e08de)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -10775,6 +10775,9 @@ static bool should_reset_plane(struct dr
+ state->allow_modeset)
+ return true;
+
++ if (amdgpu_in_reset(adev) && state->allow_modeset)
++ return true;
++
+ /* Exit early if we know that we're adding or removing the plane. */
+ if (old_plane_state->crtc != new_plane_state->crtc)
+ return true;
--- /dev/null
+From 095c8e61f4c71cd4630ee11a82e82cc341b38464 Mon Sep 17 00:00:00 2001
+From: Hugo Villeneuve <hvilleneuve@dimonoff.com>
+Date: Thu, 17 Apr 2025 15:55:06 -0400
+Subject: drm: panel: jd9365da: fix reset signal polarity in unprepare
+
+From: Hugo Villeneuve <hvilleneuve@dimonoff.com>
+
+commit 095c8e61f4c71cd4630ee11a82e82cc341b38464 upstream.
+
+commit a8972d5a49b4 ("drm: panel: jd9365da-h3: fix reset signal polarity")
+fixed reset signal polarity in jadard_dsi_probe() and jadard_prepare().
+
+It was not done in jadard_unprepare() because of an incorrect assumption
+about reset line handling in power off mode. After looking into the
+datasheet, it now appears that before disabling regulators, the reset line
+is deasserted first, and if reset_before_power_off_vcioo is true, then the
+reset line is asserted.
+
+Fix reset polarity by inverting gpiod_set_value() second argument in
+in jadard_unprepare().
+
+Fixes: 6b818c533dd8 ("drm: panel: Add Jadard JD9365DA-H3 DSI panel")
+Fixes: 2b976ad760dc ("drm/panel: jd9365da: Support for kd101ne3-40ti MIPI-DSI panel")
+Fixes: a8972d5a49b4 ("drm: panel: jd9365da-h3: fix reset signal polarity")
+Cc: stable@vger.kernel.org
+Signed-off-by: Hugo Villeneuve <hvilleneuve@dimonoff.com>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://lore.kernel.org/r/20250417195507.778731-1-hugo@hugovil.com
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://lore.kernel.org/r/20250417195507.778731-1-hugo@hugovil.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/panel/panel-jadard-jd9365da-h3.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/panel/panel-jadard-jd9365da-h3.c
++++ b/drivers/gpu/drm/panel/panel-jadard-jd9365da-h3.c
+@@ -129,11 +129,11 @@ static int jadard_unprepare(struct drm_p
+ {
+ struct jadard *jadard = panel_to_jadard(panel);
+
+- gpiod_set_value(jadard->reset, 1);
++ gpiod_set_value(jadard->reset, 0);
+ msleep(120);
+
+ if (jadard->desc->reset_before_power_off_vcioo) {
+- gpiod_set_value(jadard->reset, 0);
++ gpiod_set_value(jadard->reset, 1);
+
+ usleep_range(1000, 2000);
+ }
--- /dev/null
+From edd43f4d6f50ec3de55a0c9e9df6348d1da51965 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Thu, 24 Apr 2025 10:28:14 -0600
+Subject: io_uring: fix 'sync' handling of io_fallback_tw()
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit edd43f4d6f50ec3de55a0c9e9df6348d1da51965 upstream.
+
+A previous commit added a 'sync' parameter to io_fallback_tw(), which if
+true, means the caller wants to wait on the fallback thread handling it.
+But the logic is somewhat messed up, ensure that ctxs are swapped and
+flushed appropriately.
+
+Cc: stable@vger.kernel.org
+Fixes: dfbe5561ae93 ("io_uring: flush offloaded and delayed task_work on exit")
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/io_uring.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/io_uring/io_uring.c
++++ b/io_uring/io_uring.c
+@@ -1103,21 +1103,22 @@ static __cold void io_fallback_tw(struct
+ while (node) {
+ req = container_of(node, struct io_kiocb, io_task_work.node);
+ node = node->next;
+- if (sync && last_ctx != req->ctx) {
++ if (last_ctx != req->ctx) {
+ if (last_ctx) {
+- flush_delayed_work(&last_ctx->fallback_work);
++ if (sync)
++ flush_delayed_work(&last_ctx->fallback_work);
+ percpu_ref_put(&last_ctx->refs);
+ }
+ last_ctx = req->ctx;
+ percpu_ref_get(&last_ctx->refs);
+ }
+- if (llist_add(&req->io_task_work.node,
+- &req->ctx->fallback_llist))
+- schedule_delayed_work(&req->ctx->fallback_work, 1);
++ if (llist_add(&req->io_task_work.node, &last_ctx->fallback_llist))
++ schedule_delayed_work(&last_ctx->fallback_work, 1);
+ }
+
+ if (last_ctx) {
+- flush_delayed_work(&last_ctx->fallback_work);
++ if (sync)
++ flush_delayed_work(&last_ctx->fallback_work);
+ percpu_ref_put(&last_ctx->refs);
+ }
+ }
--- /dev/null
+From 3318dc299b072a0511d6dfd8367f3304fb6d9827 Mon Sep 17 00:00:00 2001
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+Date: Tue, 22 Apr 2025 17:16:16 +0100
+Subject: irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode()
+
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+
+commit 3318dc299b072a0511d6dfd8367f3304fb6d9827 upstream.
+
+With ACPI in place, gicv2m_get_fwnode() is registered with the pci
+subsystem as pci_msi_get_fwnode_cb(), which may get invoked at runtime
+during a PCI host bridge probe. But, the call back is wrongly marked as
+__init, causing it to be freed, while being registered with the PCI
+subsystem and could trigger:
+
+ Unable to handle kernel paging request at virtual address ffff8000816c0400
+ gicv2m_get_fwnode+0x0/0x58 (P)
+ pci_set_bus_msi_domain+0x74/0x88
+ pci_register_host_bridge+0x194/0x548
+
+This is easily reproducible on a Juno board with ACPI boot.
+
+Retain the function for later use.
+
+Fixes: 0644b3daca28 ("irqchip/gic-v2m: acpi: Introducing GICv2m ACPI support")
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Reviewed-by: Marc Zyngier <maz@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/irq-gic-v2m.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/irqchip/irq-gic-v2m.c
++++ b/drivers/irqchip/irq-gic-v2m.c
+@@ -423,7 +423,7 @@ static int __init gicv2m_of_init(struct
+ #ifdef CONFIG_ACPI
+ static int acpi_num_msi;
+
+-static __init struct fwnode_handle *gicv2m_get_fwnode(struct device *dev)
++static struct fwnode_handle *gicv2m_get_fwnode(struct device *dev)
+ {
+ struct v2m_data *data;
+
--- /dev/null
+From 7537deda36521fa8fff9133b39c46e31893606f2 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Fri, 4 Apr 2025 12:38:16 -0700
+Subject: KVM: SVM: Allocate IR data using atomic allocation
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit 7537deda36521fa8fff9133b39c46e31893606f2 upstream.
+
+Allocate SVM's interrupt remapping metadata using GFP_ATOMIC as
+svm_ir_list_add() is called with IRQs are disabled and irqfs.lock held
+when kvm_irq_routing_update() reacts to GSI routing changes.
+
+Fixes: 411b44ba80ab ("svm: Implements update_pi_irte hook to setup posted interrupt")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-ID: <20250404193923.1413163-2-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/svm/avic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/svm/avic.c
++++ b/arch/x86/kvm/svm/avic.c
+@@ -820,7 +820,7 @@ static int svm_ir_list_add(struct vcpu_s
+ * Allocating new amd_iommu_pi_data, which will get
+ * add to the per-vcpu ir_list.
+ */
+- ir = kzalloc(sizeof(struct amd_svm_iommu_ir), GFP_KERNEL_ACCOUNT);
++ ir = kzalloc(sizeof(struct amd_svm_iommu_ir), GFP_ATOMIC | __GFP_ACCOUNT);
+ if (!ir) {
+ ret = -ENOMEM;
+ goto out;
--- /dev/null
+From 2ef174b13344b3b4554d3d28e6f9e2a2c1d3138f Mon Sep 17 00:00:00 2001
+From: Tiezhu Yang <yangtiezhu@loongson.cn>
+Date: Thu, 24 Apr 2025 20:15:41 +0800
+Subject: LoongArch: Handle fp, lsx, lasx and lbt assembly symbols
+
+From: Tiezhu Yang <yangtiezhu@loongson.cn>
+
+commit 2ef174b13344b3b4554d3d28e6f9e2a2c1d3138f upstream.
+
+Like the other relevant symbols, export some fp, lsx, lasx and lbt
+assembly symbols and put the function declarations in header files
+rather than source files.
+
+While at it, use "asmlinkage" for the other existing C prototypes
+of assembly functions and also do not use the "extern" keyword with
+function declarations according to the document coding-style.rst.
+
+Cc: stable@vger.kernel.org # 6.6+
+Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/include/asm/fpu.h | 37 ++++++++++++++++++++++---------------
+ arch/loongarch/include/asm/lbt.h | 10 +++++++---
+ arch/loongarch/kernel/fpu.S | 6 ++++++
+ arch/loongarch/kernel/lbt.S | 4 ++++
+ arch/loongarch/kernel/signal.c | 21 ---------------------
+ 5 files changed, 39 insertions(+), 39 deletions(-)
+
+--- a/arch/loongarch/include/asm/fpu.h
++++ b/arch/loongarch/include/asm/fpu.h
+@@ -22,22 +22,29 @@
+ struct sigcontext;
+
+ #define kernel_fpu_available() cpu_has_fpu
+-extern void kernel_fpu_begin(void);
+-extern void kernel_fpu_end(void);
+
+-extern void _init_fpu(unsigned int);
+-extern void _save_fp(struct loongarch_fpu *);
+-extern void _restore_fp(struct loongarch_fpu *);
+-
+-extern void _save_lsx(struct loongarch_fpu *fpu);
+-extern void _restore_lsx(struct loongarch_fpu *fpu);
+-extern void _init_lsx_upper(void);
+-extern void _restore_lsx_upper(struct loongarch_fpu *fpu);
+-
+-extern void _save_lasx(struct loongarch_fpu *fpu);
+-extern void _restore_lasx(struct loongarch_fpu *fpu);
+-extern void _init_lasx_upper(void);
+-extern void _restore_lasx_upper(struct loongarch_fpu *fpu);
++void kernel_fpu_begin(void);
++void kernel_fpu_end(void);
++
++asmlinkage void _init_fpu(unsigned int);
++asmlinkage void _save_fp(struct loongarch_fpu *);
++asmlinkage void _restore_fp(struct loongarch_fpu *);
++asmlinkage int _save_fp_context(void __user *fpregs, void __user *fcc, void __user *csr);
++asmlinkage int _restore_fp_context(void __user *fpregs, void __user *fcc, void __user *csr);
++
++asmlinkage void _save_lsx(struct loongarch_fpu *fpu);
++asmlinkage void _restore_lsx(struct loongarch_fpu *fpu);
++asmlinkage void _init_lsx_upper(void);
++asmlinkage void _restore_lsx_upper(struct loongarch_fpu *fpu);
++asmlinkage int _save_lsx_context(void __user *fpregs, void __user *fcc, void __user *fcsr);
++asmlinkage int _restore_lsx_context(void __user *fpregs, void __user *fcc, void __user *fcsr);
++
++asmlinkage void _save_lasx(struct loongarch_fpu *fpu);
++asmlinkage void _restore_lasx(struct loongarch_fpu *fpu);
++asmlinkage void _init_lasx_upper(void);
++asmlinkage void _restore_lasx_upper(struct loongarch_fpu *fpu);
++asmlinkage int _save_lasx_context(void __user *fpregs, void __user *fcc, void __user *fcsr);
++asmlinkage int _restore_lasx_context(void __user *fpregs, void __user *fcc, void __user *fcsr);
+
+ static inline void enable_lsx(void);
+ static inline void disable_lsx(void);
+--- a/arch/loongarch/include/asm/lbt.h
++++ b/arch/loongarch/include/asm/lbt.h
+@@ -12,9 +12,13 @@
+ #include <asm/loongarch.h>
+ #include <asm/processor.h>
+
+-extern void _init_lbt(void);
+-extern void _save_lbt(struct loongarch_lbt *);
+-extern void _restore_lbt(struct loongarch_lbt *);
++asmlinkage void _init_lbt(void);
++asmlinkage void _save_lbt(struct loongarch_lbt *);
++asmlinkage void _restore_lbt(struct loongarch_lbt *);
++asmlinkage int _save_lbt_context(void __user *regs, void __user *eflags);
++asmlinkage int _restore_lbt_context(void __user *regs, void __user *eflags);
++asmlinkage int _save_ftop_context(void __user *ftop);
++asmlinkage int _restore_ftop_context(void __user *ftop);
+
+ static inline int is_lbt_enabled(void)
+ {
+--- a/arch/loongarch/kernel/fpu.S
++++ b/arch/loongarch/kernel/fpu.S
+@@ -458,6 +458,7 @@ SYM_FUNC_START(_save_fp_context)
+ li.w a0, 0 # success
+ jr ra
+ SYM_FUNC_END(_save_fp_context)
++EXPORT_SYMBOL_GPL(_save_fp_context)
+
+ /*
+ * a0: fpregs
+@@ -471,6 +472,7 @@ SYM_FUNC_START(_restore_fp_context)
+ li.w a0, 0 # success
+ jr ra
+ SYM_FUNC_END(_restore_fp_context)
++EXPORT_SYMBOL_GPL(_restore_fp_context)
+
+ /*
+ * a0: fpregs
+@@ -484,6 +486,7 @@ SYM_FUNC_START(_save_lsx_context)
+ li.w a0, 0 # success
+ jr ra
+ SYM_FUNC_END(_save_lsx_context)
++EXPORT_SYMBOL_GPL(_save_lsx_context)
+
+ /*
+ * a0: fpregs
+@@ -497,6 +500,7 @@ SYM_FUNC_START(_restore_lsx_context)
+ li.w a0, 0 # success
+ jr ra
+ SYM_FUNC_END(_restore_lsx_context)
++EXPORT_SYMBOL_GPL(_restore_lsx_context)
+
+ /*
+ * a0: fpregs
+@@ -510,6 +514,7 @@ SYM_FUNC_START(_save_lasx_context)
+ li.w a0, 0 # success
+ jr ra
+ SYM_FUNC_END(_save_lasx_context)
++EXPORT_SYMBOL_GPL(_save_lasx_context)
+
+ /*
+ * a0: fpregs
+@@ -523,6 +528,7 @@ SYM_FUNC_START(_restore_lasx_context)
+ li.w a0, 0 # success
+ jr ra
+ SYM_FUNC_END(_restore_lasx_context)
++EXPORT_SYMBOL_GPL(_restore_lasx_context)
+
+ .L_fpu_fault:
+ li.w a0, -EFAULT # failure
+--- a/arch/loongarch/kernel/lbt.S
++++ b/arch/loongarch/kernel/lbt.S
+@@ -90,6 +90,7 @@ SYM_FUNC_START(_save_lbt_context)
+ li.w a0, 0 # success
+ jr ra
+ SYM_FUNC_END(_save_lbt_context)
++EXPORT_SYMBOL_GPL(_save_lbt_context)
+
+ /*
+ * a0: scr
+@@ -110,6 +111,7 @@ SYM_FUNC_START(_restore_lbt_context)
+ li.w a0, 0 # success
+ jr ra
+ SYM_FUNC_END(_restore_lbt_context)
++EXPORT_SYMBOL_GPL(_restore_lbt_context)
+
+ /*
+ * a0: ftop
+@@ -120,6 +122,7 @@ SYM_FUNC_START(_save_ftop_context)
+ li.w a0, 0 # success
+ jr ra
+ SYM_FUNC_END(_save_ftop_context)
++EXPORT_SYMBOL_GPL(_save_ftop_context)
+
+ /*
+ * a0: ftop
+@@ -150,6 +153,7 @@ SYM_FUNC_START(_restore_ftop_context)
+ li.w a0, 0 # success
+ jr ra
+ SYM_FUNC_END(_restore_ftop_context)
++EXPORT_SYMBOL_GPL(_restore_ftop_context)
+
+ .L_lbt_fault:
+ li.w a0, -EFAULT # failure
+--- a/arch/loongarch/kernel/signal.c
++++ b/arch/loongarch/kernel/signal.c
+@@ -51,27 +51,6 @@
+ #define lock_lbt_owner() ({ preempt_disable(); pagefault_disable(); })
+ #define unlock_lbt_owner() ({ pagefault_enable(); preempt_enable(); })
+
+-/* Assembly functions to move context to/from the FPU */
+-extern asmlinkage int
+-_save_fp_context(void __user *fpregs, void __user *fcc, void __user *csr);
+-extern asmlinkage int
+-_restore_fp_context(void __user *fpregs, void __user *fcc, void __user *csr);
+-extern asmlinkage int
+-_save_lsx_context(void __user *fpregs, void __user *fcc, void __user *fcsr);
+-extern asmlinkage int
+-_restore_lsx_context(void __user *fpregs, void __user *fcc, void __user *fcsr);
+-extern asmlinkage int
+-_save_lasx_context(void __user *fpregs, void __user *fcc, void __user *fcsr);
+-extern asmlinkage int
+-_restore_lasx_context(void __user *fpregs, void __user *fcc, void __user *fcsr);
+-
+-#ifdef CONFIG_CPU_HAS_LBT
+-extern asmlinkage int _save_lbt_context(void __user *regs, void __user *eflags);
+-extern asmlinkage int _restore_lbt_context(void __user *regs, void __user *eflags);
+-extern asmlinkage int _save_ftop_context(void __user *ftop);
+-extern asmlinkage int _restore_ftop_context(void __user *ftop);
+-#endif
+-
+ struct rt_sigframe {
+ struct siginfo rs_info;
+ struct ucontext rs_uctx;
--- /dev/null
+From 5add0dbbebd60628b55e5eb8426612dedab7311a Mon Sep 17 00:00:00 2001
+From: Bibo Mao <maobibo@loongson.cn>
+Date: Thu, 24 Apr 2025 20:15:52 +0800
+Subject: LoongArch: KVM: Fix PMU pass-through issue if VM exits to host finally
+
+From: Bibo Mao <maobibo@loongson.cn>
+
+commit 5add0dbbebd60628b55e5eb8426612dedab7311a upstream.
+
+In function kvm_pre_enter_guest(), it prepares to enter guest and check
+whether there are pending signals or events. And it will not enter guest
+if there are, PMU pass-through preparation for guest should be cancelled
+and host should own PMU hardware.
+
+Cc: stable@vger.kernel.org
+Fixes: f4e40ea9f78f ("LoongArch: KVM: Add PMU support for guest")
+Signed-off-by: Bibo Mao <maobibo@loongson.cn>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/kvm/vcpu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/loongarch/kvm/vcpu.c b/arch/loongarch/kvm/vcpu.c
+index 2d3c2a2d1d1c..5af32ec62cb1 100644
+--- a/arch/loongarch/kvm/vcpu.c
++++ b/arch/loongarch/kvm/vcpu.c
+@@ -294,6 +294,7 @@ static int kvm_pre_enter_guest(struct kvm_vcpu *vcpu)
+ vcpu->arch.aux_inuse &= ~KVM_LARCH_SWCSR_LATEST;
+
+ if (kvm_request_pending(vcpu) || xfer_to_guest_mode_work_pending()) {
++ kvm_lose_pmu(vcpu);
+ /* make sure the vcpu mode has been written */
+ smp_store_mb(vcpu->mode, OUTSIDE_GUEST_MODE);
+ local_irq_enable();
+--
+2.49.0
+
--- /dev/null
+From 9ea86232a5520d9d21832d06031ea80f055a6ff8 Mon Sep 17 00:00:00 2001
+From: Bibo Mao <maobibo@loongson.cn>
+Date: Thu, 24 Apr 2025 20:15:52 +0800
+Subject: LoongArch: KVM: Fully clear some CSRs when VM reboot
+
+From: Bibo Mao <maobibo@loongson.cn>
+
+commit 9ea86232a5520d9d21832d06031ea80f055a6ff8 upstream.
+
+Some registers such as LOONGARCH_CSR_ESTAT and LOONGARCH_CSR_GINTC are
+partly cleared with function _kvm_setcsr(). This comes from the hardware
+specification, some bits are read only in VM mode, and however they can
+be written in host mode. So they are partly cleared in VM mode, and can
+be fully cleared in host mode.
+
+These read only bits show pending interrupt or exception status. When VM
+reset, the read-only bits should be cleared, otherwise vCPU will receive
+unknown interrupts in boot stage.
+
+Here registers LOONGARCH_CSR_ESTAT/LOONGARCH_CSR_GINTC are fully cleared
+in ioctl KVM_REG_LOONGARCH_VCPU_RESET vCPU reset path.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Bibo Mao <maobibo@loongson.cn>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/kvm/vcpu.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/arch/loongarch/kvm/vcpu.c
++++ b/arch/loongarch/kvm/vcpu.c
+@@ -874,6 +874,13 @@ static int kvm_set_one_reg(struct kvm_vc
+ vcpu->arch.st.guest_addr = 0;
+ memset(&vcpu->arch.irq_pending, 0, sizeof(vcpu->arch.irq_pending));
+ memset(&vcpu->arch.irq_clear, 0, sizeof(vcpu->arch.irq_clear));
++
++ /*
++ * When vCPU reset, clear the ESTAT and GINTC registers
++ * Other CSR registers are cleared with function _kvm_setcsr().
++ */
++ kvm_write_sw_gcsr(vcpu->arch.csr, LOONGARCH_CSR_GINTC, 0);
++ kvm_write_sw_gcsr(vcpu->arch.csr, LOONGARCH_CSR_ESTAT, 0);
+ break;
+ default:
+ ret = -EINVAL;
--- /dev/null
+From c37325cbd91abe3bfab280b3b09947155abe8e07 Mon Sep 17 00:00:00 2001
+From: Petr Tesarik <ptesarik@suse.com>
+Date: Thu, 24 Apr 2025 20:15:41 +0800
+Subject: LoongArch: Remove a bogus reference to ZONE_DMA
+
+From: Petr Tesarik <ptesarik@suse.com>
+
+commit c37325cbd91abe3bfab280b3b09947155abe8e07 upstream.
+
+Remove dead code. LoongArch does not have a DMA memory zone (24bit DMA).
+The architecture does not even define MAX_DMA_PFN.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
+Signed-off-by: Petr Tesarik <ptesarik@suse.com>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/mm/init.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/arch/loongarch/mm/init.c
++++ b/arch/loongarch/mm/init.c
+@@ -65,9 +65,6 @@ void __init paging_init(void)
+ {
+ unsigned long max_zone_pfns[MAX_NR_ZONES];
+
+-#ifdef CONFIG_ZONE_DMA
+- max_zone_pfns[ZONE_DMA] = MAX_DMA_PFN;
+-#endif
+ #ifdef CONFIG_ZONE_DMA32
+ max_zone_pfns[ZONE_DMA32] = MAX_DMA32_PFN;
+ #endif
--- /dev/null
+From bd51834d1cf65a2c801295d230c220aeebf87a73 Mon Sep 17 00:00:00 2001
+From: Ming Wang <wangming01@loongson.cn>
+Date: Thu, 24 Apr 2025 20:15:47 +0800
+Subject: LoongArch: Return NULL from huge_pte_offset() for invalid PMD
+
+From: Ming Wang <wangming01@loongson.cn>
+
+commit bd51834d1cf65a2c801295d230c220aeebf87a73 upstream.
+
+LoongArch's huge_pte_offset() currently returns a pointer to a PMD slot
+even if the underlying entry points to invalid_pte_table (indicating no
+mapping). Callers like smaps_hugetlb_range() fetch this invalid entry
+value (the address of invalid_pte_table) via this pointer.
+
+The generic is_swap_pte() check then incorrectly identifies this address
+as a swap entry on LoongArch, because it satisfies the "!pte_present()
+&& !pte_none()" conditions. This misinterpretation, combined with a
+coincidental match by is_migration_entry() on the address bits, leads to
+kernel crashes in pfn_swap_entry_to_page().
+
+Fix this at the architecture level by modifying huge_pte_offset() to
+check the PMD entry's content using pmd_none() before returning. If the
+entry is invalid (i.e., it points to invalid_pte_table), return NULL
+instead of the pointer to the slot.
+
+Cc: stable@vger.kernel.org
+Acked-by: Peter Xu <peterx@redhat.com>
+Co-developed-by: Hongchen Zhang <zhanghongchen@loongson.cn>
+Signed-off-by: Hongchen Zhang <zhanghongchen@loongson.cn>
+Signed-off-by: Ming Wang <wangming01@loongson.cn>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/mm/hugetlbpage.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/loongarch/mm/hugetlbpage.c
++++ b/arch/loongarch/mm/hugetlbpage.c
+@@ -47,7 +47,7 @@ pte_t *huge_pte_offset(struct mm_struct
+ pmd = pmd_offset(pud, addr);
+ }
+ }
+- return (pte_t *) pmd;
++ return pmd_none(pmdp_get(pmd)) ? NULL : (pte_t *) pmd;
+ }
+
+ uint64_t pmd_to_entrylo(unsigned long pmd_val)
--- /dev/null
+From 7c7f1bfdb2249f854a736d9b79778c7e5a29a150 Mon Sep 17 00:00:00 2001
+From: Haoxiang Li <haoxiang_li2024@163.com>
+Date: Mon, 10 Mar 2025 09:46:57 +0100
+Subject: mcb: fix a double free bug in chameleon_parse_gdd()
+
+From: Haoxiang Li <haoxiang_li2024@163.com>
+
+commit 7c7f1bfdb2249f854a736d9b79778c7e5a29a150 upstream.
+
+In chameleon_parse_gdd(), if mcb_device_register() fails, 'mdev'
+would be released in mcb_device_register() via put_device().
+Thus, goto 'err' label and free 'mdev' again causes a double free.
+Just return if mcb_device_register() fails.
+
+Fixes: 3764e82e5150 ("drivers: Introduce MEN Chameleon Bus")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
+Signed-off-by: Johannes Thumshirn <jth@kernel.org>
+Link: https://lore.kernel.org/r/6201d09e2975ae5789879f79a6de4c38de9edd4a.1741596225.git.jth@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mcb/mcb-parse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mcb/mcb-parse.c
++++ b/drivers/mcb/mcb-parse.c
+@@ -96,7 +96,7 @@ static int chameleon_parse_gdd(struct mc
+
+ ret = mcb_device_register(bus, mdev);
+ if (ret < 0)
+- goto err;
++ return ret;
+
+ return 0;
+
--- /dev/null
+From 86ce5c0a1dec02e21b4c864b2bc0cc5880a2c13c Mon Sep 17 00:00:00 2001
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+Date: Tue, 8 Apr 2025 16:00:05 +0300
+Subject: mei: me: add panther lake H DID
+
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+
+commit 86ce5c0a1dec02e21b4c864b2bc0cc5880a2c13c upstream.
+
+Add Panther Lake H device id.
+
+Cc: stable <stable@kernel.org>
+Co-developed-by: Tomas Winkler <tomasw@gmail.com>
+Signed-off-by: Tomas Winkler <tomasw@gmail.com>
+Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
+Link: https://lore.kernel.org/r/20250408130005.1358140-1-alexander.usyskin@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/mei/hw-me-regs.h | 1 +
+ drivers/misc/mei/pci-me.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/misc/mei/hw-me-regs.h
++++ b/drivers/misc/mei/hw-me-regs.h
+@@ -117,6 +117,7 @@
+
+ #define MEI_DEV_ID_LNL_M 0xA870 /* Lunar Lake Point M */
+
++#define MEI_DEV_ID_PTL_H 0xE370 /* Panther Lake H */
+ #define MEI_DEV_ID_PTL_P 0xE470 /* Panther Lake P */
+
+ /*
+--- a/drivers/misc/mei/pci-me.c
++++ b/drivers/misc/mei/pci-me.c
+@@ -124,6 +124,7 @@ static const struct pci_device_id mei_me
+
+ {MEI_PCI_DEVICE(MEI_DEV_ID_LNL_M, MEI_ME_PCH15_CFG)},
+
++ {MEI_PCI_DEVICE(MEI_DEV_ID_PTL_H, MEI_ME_PCH15_CFG)},
+ {MEI_PCI_DEVICE(MEI_DEV_ID_PTL_P, MEI_ME_PCH15_CFG)},
+
+ /* required last entry */
--- /dev/null
+From 00f1cc14da0f06d2897b8c528df7c7dcf1b8da50 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Tue, 18 Mar 2025 15:12:02 +0100
+Subject: mei: vsc: Fix fortify-panic caused by invalid counted_by() use
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 00f1cc14da0f06d2897b8c528df7c7dcf1b8da50 upstream.
+
+gcc 15 honors the __counted_by(len) attribute on vsc_tp_packet.buf[]
+and the vsc-tp.c code is using this in a wrong way. len does not contain
+the available size in the buffer, it contains the actual packet length
+*without* the crc. So as soon as vsc_tp_xfer() tries to add the crc to
+buf[] the fortify-panic handler gets triggered:
+
+[ 80.842193] memcpy: detected buffer overflow: 4 byte write of buffer size 0
+[ 80.842243] WARNING: CPU: 4 PID: 272 at lib/string_helpers.c:1032 __fortify_report+0x45/0x50
+...
+[ 80.843175] __fortify_panic+0x9/0xb
+[ 80.843186] vsc_tp_xfer.cold+0x67/0x67 [mei_vsc_hw]
+[ 80.843210] ? seqcount_lockdep_reader_access.constprop.0+0x82/0x90
+[ 80.843229] ? lockdep_hardirqs_on+0x7c/0x110
+[ 80.843250] mei_vsc_hw_start+0x98/0x120 [mei_vsc]
+[ 80.843270] mei_reset+0x11d/0x420 [mei]
+
+The easiest fix would be to just drop the counted-by but with the exception
+of the ack buffer in vsc_tp_xfer_helper() which only contains enough room
+for the packet-header, all other uses of vsc_tp_packet always use a buffer
+of VSC_TP_MAX_XFER_SIZE bytes for the packet.
+
+Instead of just dropping the counted-by, split the vsc_tp_packet struct
+definition into a header and a full-packet definition and use a fixed
+size buf[] in the packet definition, this way fortify-source buffer
+overrun checking still works when enabled.
+
+Fixes: 566f5ca97680 ("mei: Add transport driver for IVSC device")
+Cc: stable@kernel.org
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Alexander Usyskin <alexander.usyskin@intel.com>
+Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Link: https://lore.kernel.org/r/20250318141203.94342-2-hdegoede@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/mei/vsc-tp.c | 26 +++++++++++++++-----------
+ 1 file changed, 15 insertions(+), 11 deletions(-)
+
+--- a/drivers/misc/mei/vsc-tp.c
++++ b/drivers/misc/mei/vsc-tp.c
+@@ -36,20 +36,24 @@
+ #define VSC_TP_XFER_TIMEOUT_BYTES 700
+ #define VSC_TP_PACKET_PADDING_SIZE 1
+ #define VSC_TP_PACKET_SIZE(pkt) \
+- (sizeof(struct vsc_tp_packet) + le16_to_cpu((pkt)->len) + VSC_TP_CRC_SIZE)
++ (sizeof(struct vsc_tp_packet_hdr) + le16_to_cpu((pkt)->hdr.len) + VSC_TP_CRC_SIZE)
+ #define VSC_TP_MAX_PACKET_SIZE \
+- (sizeof(struct vsc_tp_packet) + VSC_TP_MAX_MSG_SIZE + VSC_TP_CRC_SIZE)
++ (sizeof(struct vsc_tp_packet_hdr) + VSC_TP_MAX_MSG_SIZE + VSC_TP_CRC_SIZE)
+ #define VSC_TP_MAX_XFER_SIZE \
+ (VSC_TP_MAX_PACKET_SIZE + VSC_TP_XFER_TIMEOUT_BYTES)
+ #define VSC_TP_NEXT_XFER_LEN(len, offset) \
+- (len + sizeof(struct vsc_tp_packet) + VSC_TP_CRC_SIZE - offset + VSC_TP_PACKET_PADDING_SIZE)
++ (len + sizeof(struct vsc_tp_packet_hdr) + VSC_TP_CRC_SIZE - offset + VSC_TP_PACKET_PADDING_SIZE)
+
+-struct vsc_tp_packet {
++struct vsc_tp_packet_hdr {
+ __u8 sync;
+ __u8 cmd;
+ __le16 len;
+ __le32 seq;
+- __u8 buf[] __counted_by(len);
++};
++
++struct vsc_tp_packet {
++ struct vsc_tp_packet_hdr hdr;
++ __u8 buf[VSC_TP_MAX_XFER_SIZE - sizeof(struct vsc_tp_packet_hdr)];
+ };
+
+ struct vsc_tp {
+@@ -158,12 +162,12 @@ static int vsc_tp_dev_xfer(struct vsc_tp
+ static int vsc_tp_xfer_helper(struct vsc_tp *tp, struct vsc_tp_packet *pkt,
+ void *ibuf, u16 ilen)
+ {
+- int ret, offset = 0, cpy_len, src_len, dst_len = sizeof(struct vsc_tp_packet);
++ int ret, offset = 0, cpy_len, src_len, dst_len = sizeof(struct vsc_tp_packet_hdr);
+ int next_xfer_len = VSC_TP_PACKET_SIZE(pkt) + VSC_TP_XFER_TIMEOUT_BYTES;
+ u8 *src, *crc_src, *rx_buf = tp->rx_buf;
+ int count_down = VSC_TP_MAX_XFER_COUNT;
+ u32 recv_crc = 0, crc = ~0;
+- struct vsc_tp_packet ack;
++ struct vsc_tp_packet_hdr ack;
+ u8 *dst = (u8 *)&ack;
+ bool synced = false;
+
+@@ -280,10 +284,10 @@ int vsc_tp_xfer(struct vsc_tp *tp, u8 cm
+
+ guard(mutex)(&tp->mutex);
+
+- pkt->sync = VSC_TP_PACKET_SYNC;
+- pkt->cmd = cmd;
+- pkt->len = cpu_to_le16(olen);
+- pkt->seq = cpu_to_le32(++tp->seq);
++ pkt->hdr.sync = VSC_TP_PACKET_SYNC;
++ pkt->hdr.cmd = cmd;
++ pkt->hdr.len = cpu_to_le16(olen);
++ pkt->hdr.seq = cpu_to_le32(++tp->seq);
+ memcpy(pkt->buf, obuf, olen);
+
+ crc = ~crc32(~0, (u8 *)pkt, sizeof(pkt) + olen);
--- /dev/null
+From 30a41ed32d3088cd0d682a13d7f30b23baed7e93 Mon Sep 17 00:00:00 2001
+From: Fiona Klute <fiona.klute@gmx.de>
+Date: Wed, 16 Apr 2025 12:24:13 +0200
+Subject: net: phy: microchip: force IRQ polling mode for lan88xx
+
+From: Fiona Klute <fiona.klute@gmx.de>
+
+commit 30a41ed32d3088cd0d682a13d7f30b23baed7e93 upstream.
+
+With lan88xx based devices the lan78xx driver can get stuck in an
+interrupt loop while bringing the device up, flooding the kernel log
+with messages like the following:
+
+lan78xx 2-3:1.0 enp1s0u3: kevent 4 may have been dropped
+
+Removing interrupt support from the lan88xx PHY driver forces the
+driver to use polling instead, which avoids the problem.
+
+The issue has been observed with Raspberry Pi devices at least since
+4.14 (see [1], bug report for their downstream kernel), as well as
+with Nvidia devices [2] in 2020, where disabling interrupts was the
+vendor-suggested workaround (together with the claim that phylib
+changes in 4.9 made the interrupt handling in lan78xx incompatible).
+
+Iperf reports well over 900Mbits/sec per direction with client in
+--dualtest mode, so there does not seem to be a significant impact on
+throughput (lan88xx device connected via switch to the peer).
+
+[1] https://github.com/raspberrypi/linux/issues/2447
+[2] https://forums.developer.nvidia.com/t/jetson-xavier-and-lan7800-problem/142134/11
+
+Link: https://lore.kernel.org/0901d90d-3f20-4a10-b680-9c978e04ddda@lunn.ch
+Fixes: 792aec47d59d ("add microchip LAN88xx phy driver")
+Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
+Cc: kernel-list@raspberrypi.com
+Cc: stable@vger.kernel.org
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/20250416102413.30654-1-fiona.klute@gmx.de
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/microchip.c | 46 ++------------------------------------------
+ 1 file changed, 3 insertions(+), 43 deletions(-)
+
+--- a/drivers/net/phy/microchip.c
++++ b/drivers/net/phy/microchip.c
+@@ -37,47 +37,6 @@ static int lan88xx_write_page(struct phy
+ return __phy_write(phydev, LAN88XX_EXT_PAGE_ACCESS, page);
+ }
+
+-static int lan88xx_phy_config_intr(struct phy_device *phydev)
+-{
+- int rc;
+-
+- if (phydev->interrupts == PHY_INTERRUPT_ENABLED) {
+- /* unmask all source and clear them before enable */
+- rc = phy_write(phydev, LAN88XX_INT_MASK, 0x7FFF);
+- rc = phy_read(phydev, LAN88XX_INT_STS);
+- rc = phy_write(phydev, LAN88XX_INT_MASK,
+- LAN88XX_INT_MASK_MDINTPIN_EN_ |
+- LAN88XX_INT_MASK_LINK_CHANGE_);
+- } else {
+- rc = phy_write(phydev, LAN88XX_INT_MASK, 0);
+- if (rc)
+- return rc;
+-
+- /* Ack interrupts after they have been disabled */
+- rc = phy_read(phydev, LAN88XX_INT_STS);
+- }
+-
+- return rc < 0 ? rc : 0;
+-}
+-
+-static irqreturn_t lan88xx_handle_interrupt(struct phy_device *phydev)
+-{
+- int irq_status;
+-
+- irq_status = phy_read(phydev, LAN88XX_INT_STS);
+- if (irq_status < 0) {
+- phy_error(phydev);
+- return IRQ_NONE;
+- }
+-
+- if (!(irq_status & LAN88XX_INT_STS_LINK_CHANGE_))
+- return IRQ_NONE;
+-
+- phy_trigger_machine(phydev);
+-
+- return IRQ_HANDLED;
+-}
+-
+ static int lan88xx_suspend(struct phy_device *phydev)
+ {
+ struct lan88xx_priv *priv = phydev->priv;
+@@ -528,8 +487,9 @@ static struct phy_driver microchip_phy_d
+ .config_aneg = lan88xx_config_aneg,
+ .link_change_notify = lan88xx_link_change_notify,
+
+- .config_intr = lan88xx_phy_config_intr,
+- .handle_interrupt = lan88xx_handle_interrupt,
++ /* Interrupt handling is broken, do not define related
++ * functions to force polling.
++ */
+
+ .suspend = lan88xx_suspend,
+ .resume = genphy_resume,
--- /dev/null
+From 9e8d1013b0c38910cbc9e60de74dbe883878469d Mon Sep 17 00:00:00 2001
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+Date: Wed, 16 Apr 2025 18:01:25 +0200
+Subject: net: selftests: initialize TCP header and skb payload with zero
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+commit 9e8d1013b0c38910cbc9e60de74dbe883878469d upstream.
+
+Zero-initialize TCP header via memset() to avoid garbage values that
+may affect checksum or behavior during test transmission.
+
+Also zero-fill allocated payload and padding regions using memset()
+after skb_put(), ensuring deterministic content for all outgoing
+test packets.
+
+Fixes: 3e1e58d64c3d ("net: add generic selftest support")
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Cc: stable@vger.kernel.org
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250416160125.2914724-1-o.rempel@pengutronix.de
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/selftests.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+--- a/net/core/selftests.c
++++ b/net/core/selftests.c
+@@ -100,10 +100,10 @@ static struct sk_buff *net_test_get_skb(
+ ehdr->h_proto = htons(ETH_P_IP);
+
+ if (attr->tcp) {
++ memset(thdr, 0, sizeof(*thdr));
+ thdr->source = htons(attr->sport);
+ thdr->dest = htons(attr->dport);
+ thdr->doff = sizeof(struct tcphdr) / 4;
+- thdr->check = 0;
+ } else {
+ uhdr->source = htons(attr->sport);
+ uhdr->dest = htons(attr->dport);
+@@ -144,10 +144,18 @@ static struct sk_buff *net_test_get_skb(
+ attr->id = net_test_next_id;
+ shdr->id = net_test_next_id++;
+
+- if (attr->size)
+- skb_put(skb, attr->size);
+- if (attr->max_size && attr->max_size > skb->len)
+- skb_put(skb, attr->max_size - skb->len);
++ if (attr->size) {
++ void *payload = skb_put(skb, attr->size);
++
++ memset(payload, 0, attr->size);
++ }
++
++ if (attr->max_size && attr->max_size > skb->len) {
++ size_t pad_len = attr->max_size - skb->len;
++ void *pad = skb_put(skb, pad_len);
++
++ memset(pad, 0, pad_len);
++ }
+
+ skb->csum = 0;
+ skb->ip_summed = CHECKSUM_PARTIAL;
--- /dev/null
+From 53bd97801632c940767f4c8407c2cbdeb56b40e7 Mon Sep 17 00:00:00 2001
+From: Christian Schrefl <chrisi.schrefl@gmail.com>
+Date: Sun, 13 Apr 2025 21:26:56 +0200
+Subject: rust: firmware: Use `ffi::c_char` type in `FwFunc`
+
+From: Christian Schrefl <chrisi.schrefl@gmail.com>
+
+commit 53bd97801632c940767f4c8407c2cbdeb56b40e7 upstream.
+
+The `FwFunc` struct contains an function with a char pointer argument,
+for which a `*const u8` pointer was used. This is not really the
+"proper" type for this, so use a `*const kernel::ffi::c_char` pointer
+instead.
+
+This has no real functionality changes, since now `kernel::ffi::c_char`
+(which bindgen uses for `char`) is now a type alias to `u8` anyways,
+but before commit 1bae8729e50a ("rust: map `long` to `isize` and `char`
+to `u8`") the concrete type of `kernel::ffi::c_char` depended on the
+architecture (However all supported architectures at the time mapped to
+`i8`).
+
+This caused problems on the v6.13 tag when building for 32 bit arm (with
+my patches), since back then `*const i8` was used in the function
+argument and the function that bindgen generated used
+`*const core::ffi::c_char` which Rust mapped to `*const u8` on 32 bit
+arm. The stable v6.13.y branch does not have this issue since commit
+1bae8729e50a ("rust: map `long` to `isize` and `char` to `u8`") was
+backported.
+
+This caused the following build error:
+```
+error[E0308]: mismatched types
+ --> rust/kernel/firmware.rs:20:4
+ |
+20 | Self(bindings::request_firmware)
+ | ---- ^^^^^^^^^^^^^^^^^^^^^^^^^^ expected fn pointer, found fn item
+ | |
+ | arguments to this function are incorrect
+ |
+ = note: expected fn pointer `unsafe extern "C" fn(_, *const i8, _) -> _`
+ found fn item `unsafe extern "C" fn(_, *const u8, _) -> _ {request_firmware}`
+note: tuple struct defined here
+ --> rust/kernel/firmware.rs:14:8
+ |
+14 | struct FwFunc(
+ | ^^^^^^
+
+error[E0308]: mismatched types
+ --> rust/kernel/firmware.rs:24:14
+ |
+24 | Self(bindings::firmware_request_nowarn)
+ | ---- ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ expected fn pointer, found fn item
+ | |
+ | arguments to this function are incorrect
+ |
+ = note: expected fn pointer `unsafe extern "C" fn(_, *const i8, _) -> _`
+ found fn item `unsafe extern "C" fn(_, *const u8, _) -> _ {firmware_request_nowarn}`
+note: tuple struct defined here
+ --> rust/kernel/firmware.rs:14:8
+ |
+14 | struct FwFunc(
+ | ^^^^^^
+
+error[E0308]: mismatched types
+ --> rust/kernel/firmware.rs:64:45
+ |
+64 | let ret = unsafe { func.0(pfw as _, name.as_char_ptr(), dev.as_raw()) };
+ | ------ ^^^^^^^^^^^^^^^^^^ expected `*const i8`, found `*const u8`
+ | |
+ | arguments to this function are incorrect
+ |
+ = note: expected raw pointer `*const i8`
+ found raw pointer `*const u8`
+
+error: aborting due to 3 previous errors
+```
+
+Fixes: de6582833db0 ("rust: add firmware abstractions")
+Cc: stable@vger.kernel.org
+Reviewed-by: Benno Lossin <benno.lossin@proton.me>
+Signed-off-by: Christian Schrefl <chrisi.schrefl@gmail.com>
+Acked-by: Miguel Ojeda <ojeda@kernel.org>
+Link: https://lore.kernel.org/r/20250413-rust_arm_fix_fw_abstaction-v3-1-8dd7c0bbcd47@gmail.com
+[ Add firmware prefix to commit subject. - Danilo ]
+Signed-off-by: Danilo Krummrich <dakr@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ rust/kernel/firmware.rs | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/rust/kernel/firmware.rs b/rust/kernel/firmware.rs
+index f04b058b09b2..2494c96e105f 100644
+--- a/rust/kernel/firmware.rs
++++ b/rust/kernel/firmware.rs
+@@ -4,7 +4,7 @@
+ //!
+ //! C header: [`include/linux/firmware.h`](srctree/include/linux/firmware.h)
+
+-use crate::{bindings, device::Device, error::Error, error::Result, str::CStr};
++use crate::{bindings, device::Device, error::Error, error::Result, ffi, str::CStr};
+ use core::ptr::NonNull;
+
+ /// # Invariants
+@@ -12,7 +12,11 @@
+ /// One of the following: `bindings::request_firmware`, `bindings::firmware_request_nowarn`,
+ /// `bindings::firmware_request_platform`, `bindings::request_firmware_direct`.
+ struct FwFunc(
+- unsafe extern "C" fn(*mut *const bindings::firmware, *const u8, *mut bindings::device) -> i32,
++ unsafe extern "C" fn(
++ *mut *const bindings::firmware,
++ *const ffi::c_char,
++ *mut bindings::device,
++ ) -> i32,
+ );
+
+ impl FwFunc {
+--
+2.49.0
+
--- /dev/null
+From 47068309b5777313b6ac84a77d8d10dc7312260a Mon Sep 17 00:00:00 2001
+From: Breno Leitao <leitao@debian.org>
+Date: Tue, 8 Apr 2025 09:50:42 -0700
+Subject: sched_ext: Use kvzalloc for large exit_dump allocation
+
+From: Breno Leitao <leitao@debian.org>
+
+commit 47068309b5777313b6ac84a77d8d10dc7312260a upstream.
+
+Replace kzalloc with kvzalloc for the exit_dump buffer allocation, which
+can require large contiguous memory depending on the implementation.
+This change prevents allocation failures by allowing the system to fall
+back to vmalloc when contiguous memory allocation fails.
+
+Since this buffer is only used for debugging purposes, physical memory
+contiguity is not required, making vmalloc a suitable alternative.
+
+Cc: stable@vger.kernel.org
+Fixes: 07814a9439a3b0 ("sched_ext: Print debug dump after an error exit")
+Suggested-by: Rik van Riel <riel@surriel.com>
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Acked-by: Andrea Righi <arighi@nvidia.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/ext.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/sched/ext.c
++++ b/kernel/sched/ext.c
+@@ -4530,7 +4530,7 @@ unlock:
+
+ static void free_exit_info(struct scx_exit_info *ei)
+ {
+- kfree(ei->dump);
++ kvfree(ei->dump);
+ kfree(ei->msg);
+ kfree(ei->bt);
+ kfree(ei);
+@@ -4546,7 +4546,7 @@ static struct scx_exit_info *alloc_exit_
+
+ ei->bt = kcalloc(SCX_EXIT_BT_LEN, sizeof(ei->bt[0]), GFP_KERNEL);
+ ei->msg = kzalloc(SCX_EXIT_MSG_LEN, GFP_KERNEL);
+- ei->dump = kzalloc(exit_dump_len, GFP_KERNEL);
++ ei->dump = kvzalloc(exit_dump_len, GFP_KERNEL);
+
+ if (!ei->bt || !ei->msg || !ei->dump) {
+ free_exit_info(ei);
--- /dev/null
+From 14a3cc755825ef7b34c986aa2786ea815023e9c5 Mon Sep 17 00:00:00 2001
+From: Damien Le Moal <dlemoal@kernel.org>
+Date: Sun, 13 Apr 2025 11:24:47 +0900
+Subject: scsi: Improve CDL control
+
+From: Damien Le Moal <dlemoal@kernel.org>
+
+commit 14a3cc755825ef7b34c986aa2786ea815023e9c5 upstream.
+
+With ATA devices supporting the CDL feature, using CDL requires that the
+feature be enabled with a SET FEATURES command. This command is issued
+as the translated command for the MODE SELECT command issued by
+scsi_cdl_enable() when the user enables CDL through the device
+cdl_enable sysfs attribute.
+
+However, the implementation of scsi_cdl_enable() always issues a MODE
+SELECT command for ATA devices when the enable argument is true, even if
+CDL is already enabled on the device. While this does not cause any
+issue with using CDL descriptors with read/write commands (the CDL
+feature will be enabled on the drive), issuing the MODE SELECT command
+even when the device CDL feature is already enabled will cause a reset
+of the ATA device CDL statistics log page (as defined in ACS, any CDL
+enable action must reset the device statistics).
+
+Avoid this needless actions (and the implied statistics log page reset)
+by modifying scsi_cdl_enable() to issue the MODE SELECT command to
+enable CDL if and only if CDL is not reported as already enabled on the
+device.
+
+And while at it, simplify the initialization of the is_ata boolean
+variable and move the declaration of the scsi mode data and sense header
+variables to within the scope of ATA device handling.
+
+Fixes: 1b22cfb14142 ("scsi: core: Allow enabling and disabling command duration limits")
+Cc: stable@vger.kernel.org
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Niklas Cassel <cassel@kernel.org>
+Reviewed-by: Igor Pylypiv <ipylypiv@google.com>
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/scsi.c | 36 ++++++++++++++++++++++++------------
+ 1 file changed, 24 insertions(+), 12 deletions(-)
+
+--- a/drivers/scsi/scsi.c
++++ b/drivers/scsi/scsi.c
+@@ -695,26 +695,23 @@ void scsi_cdl_check(struct scsi_device *
+ */
+ int scsi_cdl_enable(struct scsi_device *sdev, bool enable)
+ {
+- struct scsi_mode_data data;
+- struct scsi_sense_hdr sshdr;
+- struct scsi_vpd *vpd;
+- bool is_ata = false;
+ char buf[64];
++ bool is_ata;
+ int ret;
+
+ if (!sdev->cdl_supported)
+ return -EOPNOTSUPP;
+
+ rcu_read_lock();
+- vpd = rcu_dereference(sdev->vpd_pg89);
+- if (vpd)
+- is_ata = true;
++ is_ata = rcu_dereference(sdev->vpd_pg89);
+ rcu_read_unlock();
+
+ /*
+ * For ATA devices, CDL needs to be enabled with a SET FEATURES command.
+ */
+ if (is_ata) {
++ struct scsi_mode_data data;
++ struct scsi_sense_hdr sshdr;
+ char *buf_data;
+ int len;
+
+@@ -723,16 +720,30 @@ int scsi_cdl_enable(struct scsi_device *
+ if (ret)
+ return -EINVAL;
+
+- /* Enable CDL using the ATA feature page */
++ /* Enable or disable CDL using the ATA feature page */
+ len = min_t(size_t, sizeof(buf),
+ data.length - data.header_length -
+ data.block_descriptor_length);
+ buf_data = buf + data.header_length +
+ data.block_descriptor_length;
+- if (enable)
+- buf_data[4] = 0x02;
+- else
+- buf_data[4] = 0;
++
++ /*
++ * If we want to enable CDL and CDL is already enabled on the
++ * device, do nothing. This avoids needlessly resetting the CDL
++ * statistics on the device as that is implied by the CDL enable
++ * action. Similar to this, there is no need to do anything if
++ * we want to disable CDL and CDL is already disabled.
++ */
++ if (enable) {
++ if ((buf_data[4] & 0x03) == 0x02)
++ goto out;
++ buf_data[4] &= ~0x03;
++ buf_data[4] |= 0x02;
++ } else {
++ if ((buf_data[4] & 0x03) == 0x00)
++ goto out;
++ buf_data[4] &= ~0x03;
++ }
+
+ ret = scsi_mode_select(sdev, 1, 0, buf_data, len, 5 * HZ, 3,
+ &data, &sshdr);
+@@ -744,6 +755,7 @@ int scsi_cdl_enable(struct scsi_device *
+ }
+ }
+
++out:
+ sdev->cdl_enable = enable;
+
+ return 0;
--- /dev/null
+From cdd445258db9919e9dde497a6d5c3477ea7faf4d Mon Sep 17 00:00:00 2001
+From: Ranjan Kumar <ranjan.kumar@broadcom.com>
+Date: Fri, 11 Apr 2025 16:44:18 +0530
+Subject: scsi: mpi3mr: Fix pending I/O counter
+
+From: Ranjan Kumar <ranjan.kumar@broadcom.com>
+
+commit cdd445258db9919e9dde497a6d5c3477ea7faf4d upstream.
+
+Commit 199510e33dea ("scsi: mpi3mr: Update consumer index of reply
+queues after every 100 replies") introduced a regression with the
+per-reply queue pending I/O counter which was erroneously decremented,
+leading to the counter going negative.
+
+Drop the incorrect atomic decrement for the pending I/O counter.
+
+Fixes: 199510e33dea ("scsi: mpi3mr: Update consumer index of reply queues after every 100 replies")
+Cc: stable@vger.kernel.org
+Co-developed-by: Sathya Prakash <sathya.prakash@broadcom.com>
+Signed-off-by: Sathya Prakash <sathya.prakash@broadcom.com>
+Signed-off-by: Ranjan Kumar <ranjan.kumar@broadcom.com>
+Link: https://lore.kernel.org/r/20250411111419.135485-2-ranjan.kumar@broadcom.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/mpi3mr/mpi3mr_fw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/mpi3mr/mpi3mr_fw.c
++++ b/drivers/scsi/mpi3mr/mpi3mr_fw.c
+@@ -563,7 +563,7 @@ int mpi3mr_process_op_reply_q(struct mpi
+ WRITE_ONCE(op_req_q->ci, le16_to_cpu(reply_desc->request_queue_ci));
+ mpi3mr_process_op_reply_desc(mrioc, reply_desc, &reply_dma,
+ reply_qidx);
+- atomic_dec(&op_reply_q->pend_ios);
++
+ if (reply_dma)
+ mpi3mr_repost_reply_buf(mrioc, reply_dma);
+ num_op_reply++;
loongarch-make-do_xyz-exception-handlers-more-robust.patch
kvm-svm-disable-avic-on-snp-enabled-system-without-hvinusewrallowed-feature.patch
netfilter-fib-avoid-lookup-if-socket-is-available.patch
+virtio_console-fix-missing-byte-order-handling-for-cols-and-rows.patch
+sched_ext-use-kvzalloc-for-large-exit_dump-allocation.patch
+crypto-atmel-sha204a-set-hwrng-quality-to-lowest-possible.patch
+xen-netfront-handle-null-returned-by-xdp_convert_buff_to_frame.patch
+net-selftests-initialize-tcp-header-and-skb-payload-with-zero.patch
+net-phy-microchip-force-irq-polling-mode-for-lan88xx.patch
+scsi-mpi3mr-fix-pending-i-o-counter.patch
+rust-firmware-use-ffi-c_char-type-in-fwfunc.patch
+drm-panel-jd9365da-fix-reset-signal-polarity-in-unprepare.patch
+drm-amd-display-fix-gpu-reset-in-multidisplay-config.patch
+drm-amd-display-force-full-update-in-gpu-reset.patch
+x86-insn-fix-ctest-instruction-decoding.patch
+irqchip-gic-v2m-prevent-use-after-free-of-gicv2m_get_fwnode.patch
+loongarch-handle-fp-lsx-lasx-and-lbt-assembly-symbols.patch
+loongarch-return-null-from-huge_pte_offset-for-invalid-pmd.patch
+loongarch-remove-a-bogus-reference-to-zone_dma.patch
+loongarch-kvm-fully-clear-some-csrs-when-vm-reboot.patch
+loongarch-kvm-fix-pmu-pass-through-issue-if-vm-exits-to-host-finally.patch
+io_uring-fix-sync-handling-of-io_fallback_tw.patch
+kvm-svm-allocate-ir-data-using-atomic-allocation.patch
+cxl-core-regs.c-skip-memory-space-enable-check-for-rcd-and-rch-ports.patch
+mcb-fix-a-double-free-bug-in-chameleon_parse_gdd.patch
+ata-libata-scsi-improve-cdl-control.patch
+ata-libata-scsi-fix-ata_mselect_control_ata_feature-return-type.patch
+ata-libata-scsi-fix-ata_msense_control_ata_feature.patch
+usb-storage-quirk-for-adata-portable-hdd-ch94.patch
+scsi-improve-cdl-control.patch
+mei-me-add-panther-lake-h-did.patch
+mei-vsc-fix-fortify-panic-caused-by-invalid-counted_by-use.patch
--- /dev/null
+From 9ab75eee1a056f896b87d139044dd103adc532b9 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 3 Apr 2025 19:59:45 +0200
+Subject: USB: storage: quirk for ADATA Portable HDD CH94
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit 9ab75eee1a056f896b87d139044dd103adc532b9 upstream.
+
+Version 1.60 specifically needs this quirk.
+Version 2.00 is known good.
+
+Cc: stable <stable@kernel.org>
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Link: https://lore.kernel.org/r/20250403180004.343133-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/storage/unusual_uas.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/usb/storage/unusual_uas.h
++++ b/drivers/usb/storage/unusual_uas.h
+@@ -83,6 +83,13 @@ UNUSUAL_DEV(0x0bc2, 0x331a, 0x0000, 0x99
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+ US_FL_NO_REPORT_LUNS),
+
++/* Reported-by: Oliver Neukum <oneukum@suse.com> */
++UNUSUAL_DEV(0x125f, 0xa94a, 0x0160, 0x0160,
++ "ADATA",
++ "Portable HDD CH94",
++ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
++ US_FL_NO_ATA_1X),
++
+ /* Reported-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> */
+ UNUSUAL_DEV(0x13fd, 0x3940, 0x0000, 0x9999,
+ "Initio Corporation",
--- /dev/null
+From fbd3039a64b01b769040677c4fc68badeca8e3b2 Mon Sep 17 00:00:00 2001
+From: Halil Pasic <pasic@linux.ibm.com>
+Date: Sat, 22 Mar 2025 01:29:54 +0100
+Subject: virtio_console: fix missing byte order handling for cols and rows
+
+From: Halil Pasic <pasic@linux.ibm.com>
+
+commit fbd3039a64b01b769040677c4fc68badeca8e3b2 upstream.
+
+As per virtio spec the fields cols and rows are specified as little
+endian. Although there is no legacy interface requirement that would
+state that cols and rows need to be handled as native endian when legacy
+interface is used, unlike for the fields of the adjacent struct
+virtio_console_control, I decided to err on the side of caution based
+on some non-conclusive virtio spec repo archaeology and opt for using
+virtio16_to_cpu() much like for virtio_console_control.event. Strictly
+by the letter of the spec virtio_le_to_cpu() would have been sufficient.
+But when the legacy interface is not used, it boils down to the same.
+
+And when using the legacy interface, the device formatting these as
+little endian when the guest is big endian would surprise me more than
+it using guest native byte order (which would make it compatible with
+the current implementation). Nevertheless somebody trying to implement
+the spec following it to the letter could end up forcing little endian
+byte order when the legacy interface is in use. So IMHO this ultimately
+needs a judgement call by the maintainers.
+
+Fixes: 8345adbf96fc1 ("virtio: console: Accept console size along with resize control message")
+Signed-off-by: Halil Pasic <pasic@linux.ibm.com>
+Cc: stable@vger.kernel.org # v2.6.35+
+Message-Id: <20250322002954.3129282-1-pasic@linux.ibm.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/virtio_console.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/char/virtio_console.c
++++ b/drivers/char/virtio_console.c
+@@ -1579,8 +1579,8 @@ static void handle_control_message(struc
+ break;
+ case VIRTIO_CONSOLE_RESIZE: {
+ struct {
+- __u16 rows;
+- __u16 cols;
++ __virtio16 rows;
++ __virtio16 cols;
+ } size;
+
+ if (!is_console_port(port))
+@@ -1588,7 +1588,8 @@ static void handle_control_message(struc
+
+ memcpy(&size, buf->buf + buf->offset + sizeof(*cpkt),
+ sizeof(size));
+- set_console_size(port, size.rows, size.cols);
++ set_console_size(port, virtio16_to_cpu(vdev, size.rows),
++ virtio16_to_cpu(vdev, size.cols));
+
+ port->cons.hvc->irq_requested = 1;
+ resize_console(port);
--- /dev/null
+From 85fd85bc025a525354acb2241beb3c5387c551ec Mon Sep 17 00:00:00 2001
+From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+Date: Wed, 23 Apr 2025 09:58:15 +0300
+Subject: x86/insn: Fix CTEST instruction decoding
+
+From: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+
+commit 85fd85bc025a525354acb2241beb3c5387c551ec upstream.
+
+insn_decoder_test found a problem with decoding APX CTEST instructions:
+
+ Found an x86 instruction decoder bug, please report this.
+ ffffffff810021df 62 54 94 05 85 ff ctestneq
+ objdump says 6 bytes, but insn_get_length() says 5
+
+It happens because x86-opcode-map.txt doesn't specify arguments for the
+instruction and the decoder doesn't expect to see ModRM byte.
+
+Fixes: 690ca3a3067f ("x86/insn: Add support for APX EVEX instructions to the opcode map")
+Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: stable@vger.kernel.org # v6.10+
+Link: https://lore.kernel.org/r/20250423065815.2003231-1-kirill.shutemov@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/lib/x86-opcode-map.txt | 4 ++--
+ tools/arch/x86/lib/x86-opcode-map.txt | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/lib/x86-opcode-map.txt
++++ b/arch/x86/lib/x86-opcode-map.txt
+@@ -996,8 +996,8 @@ AVXcode: 4
+ 83: Grp1 Ev,Ib (1A),(es)
+ # CTESTSCC instructions are: CTESTB, CTESTBE, CTESTF, CTESTL, CTESTLE, CTESTNB, CTESTNBE, CTESTNL,
+ # CTESTNLE, CTESTNO, CTESTNS, CTESTNZ, CTESTO, CTESTS, CTESTT, CTESTZ
+-84: CTESTSCC (ev)
+-85: CTESTSCC (es) | CTESTSCC (66),(es)
++84: CTESTSCC Eb,Gb (ev)
++85: CTESTSCC Ev,Gv (es) | CTESTSCC Ev,Gv (66),(es)
+ 88: POPCNT Gv,Ev (es) | POPCNT Gv,Ev (66),(es)
+ 8f: POP2 Bq,Rq (000),(11B),(ev)
+ a5: SHLD Ev,Gv,CL (es) | SHLD Ev,Gv,CL (66),(es)
+--- a/tools/arch/x86/lib/x86-opcode-map.txt
++++ b/tools/arch/x86/lib/x86-opcode-map.txt
+@@ -996,8 +996,8 @@ AVXcode: 4
+ 83: Grp1 Ev,Ib (1A),(es)
+ # CTESTSCC instructions are: CTESTB, CTESTBE, CTESTF, CTESTL, CTESTLE, CTESTNB, CTESTNBE, CTESTNL,
+ # CTESTNLE, CTESTNO, CTESTNS, CTESTNZ, CTESTO, CTESTS, CTESTT, CTESTZ
+-84: CTESTSCC (ev)
+-85: CTESTSCC (es) | CTESTSCC (66),(es)
++84: CTESTSCC Eb,Gb (ev)
++85: CTESTSCC Ev,Gv (es) | CTESTSCC Ev,Gv (66),(es)
+ 88: POPCNT Gv,Ev (es) | POPCNT Gv,Ev (66),(es)
+ 8f: POP2 Bq,Rq (000),(11B),(ev)
+ a5: SHLD Ev,Gv,CL (es) | SHLD Ev,Gv,CL (66),(es)
--- /dev/null
+From cc3628dcd851ddd8d418bf0c897024b4621ddc92 Mon Sep 17 00:00:00 2001
+From: Alexey Nepomnyashih <sdl@nppct.ru>
+Date: Thu, 17 Apr 2025 12:21:17 +0000
+Subject: xen-netfront: handle NULL returned by xdp_convert_buff_to_frame()
+
+From: Alexey Nepomnyashih <sdl@nppct.ru>
+
+commit cc3628dcd851ddd8d418bf0c897024b4621ddc92 upstream.
+
+The function xdp_convert_buff_to_frame() may return NULL if it fails
+to correctly convert the XDP buffer into an XDP frame due to memory
+constraints, internal errors, or invalid data. Failing to check for NULL
+may lead to a NULL pointer dereference if the result is used later in
+processing, potentially causing crashes, data corruption, or undefined
+behavior.
+
+On XDP redirect failure, the associated page must be released explicitly
+if it was previously retained via get_page(). Failing to do so may result
+in a memory leak, as the pages reference count is not decremented.
+
+Cc: stable@vger.kernel.org # v5.9+
+Fixes: 6c5aa6fc4def ("xen networking: add basic XDP support for xen-netfront")
+Signed-off-by: Alexey Nepomnyashih <sdl@nppct.ru>
+Link: https://patch.msgid.link/20250417122118.1009824-1-sdl@nppct.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/xen-netfront.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -985,20 +985,27 @@ static u32 xennet_run_xdp(struct netfron
+ act = bpf_prog_run_xdp(prog, xdp);
+ switch (act) {
+ case XDP_TX:
+- get_page(pdata);
+ xdpf = xdp_convert_buff_to_frame(xdp);
++ if (unlikely(!xdpf)) {
++ trace_xdp_exception(queue->info->netdev, prog, act);
++ break;
++ }
++ get_page(pdata);
+ err = xennet_xdp_xmit(queue->info->netdev, 1, &xdpf, 0);
+- if (unlikely(!err))
++ if (unlikely(err <= 0)) {
++ if (err < 0)
++ trace_xdp_exception(queue->info->netdev, prog, act);
+ xdp_return_frame_rx_napi(xdpf);
+- else if (unlikely(err < 0))
+- trace_xdp_exception(queue->info->netdev, prog, act);
++ }
+ break;
+ case XDP_REDIRECT:
+ get_page(pdata);
+ err = xdp_do_redirect(queue->info->netdev, xdp, prog);
+ *need_xdp_flush = true;
+- if (unlikely(err))
++ if (unlikely(err)) {
+ trace_xdp_exception(queue->info->netdev, prog, act);
++ xdp_return_buff(xdp);
++ }
+ break;
+ case XDP_PASS:
+ case XDP_DROP:
projects / thirdparty / kernel / stable-queue.git / commitdiff
