--- /dev/null
+From 059d818ee2a7c19609b6f61cbaa47f935568a3c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Mar 2025 15:30:39 +0100
+Subject: ACPI: processor: idle: Return an error if both P_LVL{2,3} idle states
+ are invalid
+
+From: Giovanni Gherdovich <ggherdovich@suse.cz>
+
+[ Upstream commit 9e9b893404d43894d69a18dd2fc8fcf1c36abb7e ]
+
+Prior to commit 496121c02127 ("ACPI: processor: idle: Allow probing on
+platforms with one ACPI C-state"), the acpi_idle driver wouldn't load on
+systems without a valid C-State at least as deep as C2.
+
+The behavior was desirable for guests on hypervisors such as VMWare
+ESXi, which by default don't have the _CST ACPI method, and set the C2
+and C3 latencies to 101 and 1001 microseconds respectively via the FADT,
+to signify they're unsupported.
+
+Since the above change though, these virtualized deployments end up
+loading acpi_idle, and thus entering the default C1 C-State set by
+acpi_processor_get_power_info_default(); this is undesirable for a
+system that's communicating to the OS it doesn't want C-States (missing
+_CST, and invalid C2/C3 in FADT).
+
+Make acpi_processor_get_power_info_fadt() return -ENODEV in that case,
+so that acpi_processor_get_cstate_info() exits early and doesn't set
+pr->flags.power = 1.
+
+Fixes: 496121c02127 ("ACPI: processor: idle: Allow probing on platforms with one ACPI C-state")
+Signed-off-by: Giovanni Gherdovich <ggherdovich@suse.cz>
+Reviewed-by: Zhang Rui <rui.zhang@intel.com>
+Link: https://patch.msgid.link/20250328143040.9348-1-ggherdovich@suse.cz
+[ rjw: Changelog edits ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/processor_idle.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/acpi/processor_idle.c b/drivers/acpi/processor_idle.c
+index 18f4334a96919..3386d01c1f157 100644
+--- a/drivers/acpi/processor_idle.c
++++ b/drivers/acpi/processor_idle.c
+@@ -268,6 +268,10 @@ static int acpi_processor_get_power_info_fadt(struct acpi_processor *pr)
+ ACPI_CX_DESC_LEN, "ACPI P_LVL3 IOPORT 0x%x",
+ pr->power.states[ACPI_STATE_C3].address);
+
++ if (!pr->power.states[ACPI_STATE_C2].address &&
++ !pr->power.states[ACPI_STATE_C3].address)
++ return -ENODEV;
++
+ return 0;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From a6d672b1fc4c80ead56f2c9110e4765150912f5d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Feb 2025 08:14:44 +0000
+Subject: affs: don't write overlarge OFS data block size fields
+
+From: Simon Tatham <anakin@pobox.com>
+
+[ Upstream commit 011ea742a25a77bac3d995f457886a67d178c6f0 ]
+
+If a data sector on an OFS floppy contains a value > 0x1e8 (the
+largest amount of data that fits in the sector after its header), then
+an Amiga reading the file can return corrupt data, by taking the
+overlarge size at its word and reading past the end of the buffer it
+read the disk sector into!
+
+The cause: when affs_write_end_ofs() writes data to an OFS filesystem,
+the new size field for a data block was computed by adding the amount
+of data currently being written (into the block) to the existing value
+of the size field. This is correct if you're extending the file at the
+end, but if you seek backwards in the file and overwrite _existing_
+data, it can lead to the size field being larger than the maximum
+legal value.
+
+This commit changes the calculation so that it sets the size field to
+the max of its previous size and the position within the block that we
+just wrote up to.
+
+Signed-off-by: Simon Tatham <anakin@pobox.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/affs/file.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/affs/file.c b/fs/affs/file.c
+index a7c9538214878..52d11931025cf 100644
+--- a/fs/affs/file.c
++++ b/fs/affs/file.c
+@@ -724,7 +724,8 @@ static int affs_write_end_ofs(struct file *file, struct address_space *mapping,
+ tmp = min(bsize - boff, to - from);
+ BUG_ON(boff + tmp > bsize || tmp > bsize);
+ memcpy(AFFS_DATA(bh) + boff, data + from, tmp);
+- be32_add_cpu(&AFFS_DATA_HEAD(bh)->size, tmp);
++ AFFS_DATA_HEAD(bh)->size = cpu_to_be32(
++ max(boff + tmp, be32_to_cpu(AFFS_DATA_HEAD(bh)->size)));
+ affs_fix_checksum(sb, bh);
+ mark_buffer_dirty_inode(bh, inode);
+ written += tmp;
+--
+2.39.5
+
--- /dev/null
+From 1b6a11833139386a384be1955b49c5fae3fb5e55 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Feb 2025 08:14:43 +0000
+Subject: affs: generate OFS sequence numbers starting at 1
+
+From: Simon Tatham <anakin@pobox.com>
+
+[ Upstream commit e4cf8ec4de4e13f156c1d61977d282d90c221085 ]
+
+If I write a file to an OFS floppy image, and try to read it back on
+an emulated Amiga running Workbench 1.3, the Amiga reports a disk
+error trying to read the file. (That is, it's unable to read it _at
+all_, even to copy it to the NIL: device. It isn't a matter of getting
+the wrong data and being unable to parse the file format.)
+
+This is because the 'sequence number' field in the OFS data block
+header is supposed to be based at 1, but affs writes it based at 0.
+All three locations changed by this patch were setting the sequence
+number to a variable 'bidx' which was previously obtained by dividing
+a file position by bsize, so bidx will naturally use 0 for the first
+block. Therefore all three should add 1 to that value before writing
+it into the sequence number field.
+
+With this change, the Amiga successfully reads the file.
+
+For data block reference: https://wiki.osdev.org/FFS_(Amiga)
+
+Signed-off-by: Simon Tatham <anakin@pobox.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/affs/file.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/affs/file.c b/fs/affs/file.c
+index 8daeed31e1af9..a7c9538214878 100644
+--- a/fs/affs/file.c
++++ b/fs/affs/file.c
+@@ -595,7 +595,7 @@ affs_extent_file_ofs(struct inode *inode, u32 newsize)
+ BUG_ON(tmp > bsize);
+ AFFS_DATA_HEAD(bh)->ptype = cpu_to_be32(T_DATA);
+ AFFS_DATA_HEAD(bh)->key = cpu_to_be32(inode->i_ino);
+- AFFS_DATA_HEAD(bh)->sequence = cpu_to_be32(bidx);
++ AFFS_DATA_HEAD(bh)->sequence = cpu_to_be32(bidx + 1);
+ AFFS_DATA_HEAD(bh)->size = cpu_to_be32(tmp);
+ affs_fix_checksum(sb, bh);
+ bh->b_state &= ~(1UL << BH_New);
+@@ -746,7 +746,7 @@ static int affs_write_end_ofs(struct file *file, struct address_space *mapping,
+ if (buffer_new(bh)) {
+ AFFS_DATA_HEAD(bh)->ptype = cpu_to_be32(T_DATA);
+ AFFS_DATA_HEAD(bh)->key = cpu_to_be32(inode->i_ino);
+- AFFS_DATA_HEAD(bh)->sequence = cpu_to_be32(bidx);
++ AFFS_DATA_HEAD(bh)->sequence = cpu_to_be32(bidx + 1);
+ AFFS_DATA_HEAD(bh)->size = cpu_to_be32(bsize);
+ AFFS_DATA_HEAD(bh)->next = 0;
+ bh->b_state &= ~(1UL << BH_New);
+@@ -780,7 +780,7 @@ static int affs_write_end_ofs(struct file *file, struct address_space *mapping,
+ if (buffer_new(bh)) {
+ AFFS_DATA_HEAD(bh)->ptype = cpu_to_be32(T_DATA);
+ AFFS_DATA_HEAD(bh)->key = cpu_to_be32(inode->i_ino);
+- AFFS_DATA_HEAD(bh)->sequence = cpu_to_be32(bidx);
++ AFFS_DATA_HEAD(bh)->sequence = cpu_to_be32(bidx + 1);
+ AFFS_DATA_HEAD(bh)->size = cpu_to_be32(tmp);
+ AFFS_DATA_HEAD(bh)->next = 0;
+ bh->b_state &= ~(1UL << BH_New);
+--
+2.39.5
+
--- /dev/null
+From b741f0fa769564806f81ae8cfb980dd35da3a05e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Feb 2025 17:12:55 +0100
+Subject: ALSA: hda: Fix speakers on ASUS EXPERTBOOK P5405CSA 1.0
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Daniel Bárta <daniel.barta@trustlab.cz>
+
+[ Upstream commit f479ecc5ef15ed8d774968c1a8726a49420f11a0 ]
+
+After some digging around I have found that this laptop has Cirrus's smart
+aplifiers connected to SPI bus (spi1-CSC3551:00-cs35l41-hda).
+
+To get them correctly detected and working I had to modify patch_realtek.c
+with ASUS EXPERTBOOK P5405CSA 1.0 SystemID (0x1043, 0x1f63) and add
+corresponding hda_quirk (ALC245_FIXUP_CS35L41_SPI_2).
+
+Signed-off-by: Daniel Bárta <daniel.barta@trustlab.cz>
+Link: https://patch.msgid.link/20250227161256.18061-2-daniel.barta@trustlab.cz
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 2df163625ccff..55fc63472ddc2 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10065,6 +10065,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x1043, 0x1f11, "ASUS Zephyrus G14", ALC289_FIXUP_ASUS_GA401),
+ SND_PCI_QUIRK(0x1043, 0x1f12, "ASUS UM5302", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x1043, 0x1f62, "ASUS UX7602ZM", ALC245_FIXUP_CS35L41_SPI_2),
++ SND_PCI_QUIRK(0x1043, 0x1f63, "ASUS P5405CSA", ALC245_FIXUP_CS35L41_SPI_2),
+ SND_PCI_QUIRK(0x1043, 0x1f92, "ASUS ROG Flow X16", ALC289_FIXUP_ASUS_GA401),
+ SND_PCI_QUIRK(0x1043, 0x1fb3, "ASUS ROG Flow Z13 GZ302EA", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x1043, 0x3030, "ASUS ZN270IE", ALC256_FIXUP_ASUS_AIO_GPIO2),
+--
+2.39.5
+
--- /dev/null
+From f63999dff98fb41008c1335c9c5dbd9ca8cb04a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 8 Mar 2025 03:03:19 +0530
+Subject: ALSA: hda/realtek: Add mute LED quirk for HP Pavilion x360 14-dy1xxx
+
+From: Navon John Lukose <navonjohnlukose@gmail.com>
+
+[ Upstream commit b11a74ac4f545626d0dc95a8ca8c41df90532bf3 ]
+
+Add a fixup to enable the mute LED on HP Pavilion x360 Convertible
+14-dy1xxx with ALC295 codec. The appropriate coefficient index and bits
+were identified through a brute-force method, as detailed in
+https://bbs.archlinux.org/viewtopic.php?pid=2079504#p2079504.
+
+Signed-off-by: Navon John Lukose <navonjohnlukose@gmail.com>
+Link: https://patch.msgid.link/20250307213319.35507-1-navonjohnlukose@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 66238f7e35bd3..93e8990c23bc9 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -4782,6 +4782,21 @@ static void alc236_fixup_hp_coef_micmute_led(struct hda_codec *codec,
+ }
+ }
+
++static void alc295_fixup_hp_mute_led_coefbit11(struct hda_codec *codec,
++ const struct hda_fixup *fix, int action)
++{
++ struct alc_spec *spec = codec->spec;
++
++ if (action == HDA_FIXUP_ACT_PRE_PROBE) {
++ spec->mute_led_polarity = 0;
++ spec->mute_led_coef.idx = 0xb;
++ spec->mute_led_coef.mask = 3 << 3;
++ spec->mute_led_coef.on = 1 << 3;
++ spec->mute_led_coef.off = 1 << 4;
++ snd_hda_gen_add_mute_led_cdev(codec, coef_mute_led_set);
++ }
++}
++
+ static void alc285_fixup_hp_mute_led(struct hda_codec *codec,
+ const struct hda_fixup *fix, int action)
+ {
+@@ -7258,6 +7273,7 @@ enum {
+ ALC290_FIXUP_MONO_SPEAKERS_HSJACK,
+ ALC290_FIXUP_SUBWOOFER,
+ ALC290_FIXUP_SUBWOOFER_HSJACK,
++ ALC295_FIXUP_HP_MUTE_LED_COEFBIT11,
+ ALC269_FIXUP_THINKPAD_ACPI,
+ ALC269_FIXUP_DMIC_THINKPAD_ACPI,
+ ALC269VB_FIXUP_INFINIX_ZERO_BOOK_13,
+@@ -8953,6 +8969,10 @@ static const struct hda_fixup alc269_fixups[] = {
+ .chained = true,
+ .chain_id = ALC283_FIXUP_INT_MIC,
+ },
++ [ALC295_FIXUP_HP_MUTE_LED_COEFBIT11] = {
++ .type = HDA_FIXUP_FUNC,
++ .v.func = alc295_fixup_hp_mute_led_coefbit11,
++ },
+ [ALC298_FIXUP_SAMSUNG_AMP] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc298_fixup_samsung_amp,
+@@ -9822,6 +9842,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x103c, 0x84e7, "HP Pavilion 15", ALC269_FIXUP_HP_MUTE_LED_MIC3),
+ SND_PCI_QUIRK(0x103c, 0x8519, "HP Spectre x360 15-df0xxx", ALC285_FIXUP_HP_SPECTRE_X360),
+ SND_PCI_QUIRK(0x103c, 0x8537, "HP ProBook 440 G6", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
++ SND_PCI_QUIRK(0x103c, 0x85c6, "HP Pavilion x360 Convertible 14-dy1xxx", ALC295_FIXUP_HP_MUTE_LED_COEFBIT11),
+ SND_PCI_QUIRK(0x103c, 0x85de, "HP Envy x360 13-ar0xxx", ALC285_FIXUP_HP_ENVY_X360),
+ SND_PCI_QUIRK(0x103c, 0x860f, "HP ZBook 15 G6", ALC285_FIXUP_HP_GPIO_AMP_INIT),
+ SND_PCI_QUIRK(0x103c, 0x861f, "HP Elite Dragonfly G1", ALC285_FIXUP_HP_GPIO_AMP_INIT),
+--
+2.39.5
+
--- /dev/null
+From 6aded7266da069d7da89d9c365068e4371b6286e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Mar 2025 17:06:47 +0000
+Subject: ALSA: hda/realtek: Add support for ASUS ROG Strix G614 Laptops using
+ CS35L41 HDA
+
+From: Stefan Binding <sbinding@opensource.cirrus.com>
+
+[ Upstream commit 9120b2b4ad0dad2f6bbb6bcacd0456f806fda62d ]
+
+Add support for ASUS G614PH/PM/PP and G614FH/FM/FP.
+
+Laptops use 2 CS35L41 Amps with HDA, using Internal boost, with I2C
+
+Signed-off-by: Stefan Binding <sbinding@opensource.cirrus.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: https://patch.msgid.link/20250305170714.755794-4-sbinding@opensource.cirrus.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 55fc63472ddc2..841338c82e807 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -9996,7 +9996,9 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x103c, 0x8e1a, "HP ZBook Firefly 14 G12A", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x1043, 0x103e, "ASUS X540SA", ALC256_FIXUP_ASUS_MIC),
+ SND_PCI_QUIRK(0x1043, 0x103f, "ASUS TX300", ALC282_FIXUP_ASUS_TX300),
++ SND_PCI_QUIRK(0x1043, 0x1054, "ASUS G614FH/FM/FP", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x1043, 0x106d, "Asus K53BE", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
++ SND_PCI_QUIRK(0x1043, 0x1074, "ASUS G614PH/PM/PP", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x1043, 0x10a1, "ASUS UX391UA", ALC294_FIXUP_ASUS_SPK),
+ SND_PCI_QUIRK(0x1043, 0x10c0, "ASUS X540SA", ALC256_FIXUP_ASUS_MIC),
+ SND_PCI_QUIRK(0x1043, 0x10d0, "ASUS X540LA/X540LJ", ALC255_FIXUP_ASUS_MIC_NO_PRESENCE),
+--
+2.39.5
+
--- /dev/null
+From e27aa4a16846bebb3287335f147ed1121465ffaf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Mar 2025 17:06:51 +0000
+Subject: ALSA: hda/realtek: Add support for ASUS Zenbook UM3406KA Laptops
+ using CS35L41 HDA
+
+From: Stefan Binding <sbinding@opensource.cirrus.com>
+
+[ Upstream commit 8463d2adbe1901247937fcdfe4b525130f6db10b ]
+
+Laptop uses 2 CS35L41 Amps with HDA, using External boost with I2C
+
+Signed-off-by: Stefan Binding <sbinding@opensource.cirrus.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: https://patch.msgid.link/20250305170714.755794-8-sbinding@opensource.cirrus.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 841338c82e807..66238f7e35bd3 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10004,6 +10004,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x1043, 0x10d0, "ASUS X540LA/X540LJ", ALC255_FIXUP_ASUS_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1043, 0x10d3, "ASUS K6500ZC", ALC294_FIXUP_ASUS_SPK),
+ SND_PCI_QUIRK(0x1043, 0x115d, "Asus 1015E", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
++ SND_PCI_QUIRK(0x1043, 0x1194, "ASUS UM3406KA", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x1043, 0x11c0, "ASUS X556UR", ALC255_FIXUP_ASUS_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1043, 0x125e, "ASUS Q524UQK", ALC255_FIXUP_ASUS_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1043, 0x1271, "ASUS X430UN", ALC256_FIXUP_ASUS_MIC_NO_PRESENCE),
+--
+2.39.5
+
--- /dev/null
+From 990c1928654d5159417b199d29728b41558421bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 15 Mar 2025 15:30:19 +0100
+Subject: ALSA: hda/realtek: Always honor no_shutup_pins
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 5a0c72c1da3cbc0cd4940a95d1be2830104c6edf ]
+
+The workaround for Dell machines to skip the pin-shutup for mic pins
+introduced alc_headset_mic_no_shutup() that is replaced from the
+generic snd_hda_shutup_pins() for certain codecs. The problem is that
+the call is done unconditionally even if spec->no_shutup_pins is set.
+This seems causing problems on other platforms like Lenovo.
+
+This patch corrects the behavior and the driver honors always
+spec->no_shutup_pins flag and skips alc_headset_mic_no_shutup() if
+it's set.
+
+Fixes: dad3197da7a3 ("ALSA: hda/realtek - Fixup headphone noise via runtime suspend")
+Reported-and-tested-by: Oleg Gorobets <oleg.goro@gmail.com>
+Link: https://patch.msgid.link/20250315143020.27184-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index a562e574fe403..86a4e8c7d3f91 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -582,6 +582,9 @@ static void alc_shutup_pins(struct hda_codec *codec)
+ {
+ struct alc_spec *spec = codec->spec;
+
++ if (spec->no_shutup_pins)
++ return;
++
+ switch (codec->core.vendor_id) {
+ case 0x10ec0236:
+ case 0x10ec0256:
+@@ -597,8 +600,7 @@ static void alc_shutup_pins(struct hda_codec *codec)
+ alc_headset_mic_no_shutup(codec);
+ break;
+ default:
+- if (!spec->no_shutup_pins)
+- snd_hda_shutup_pins(codec);
++ snd_hda_shutup_pins(codec);
+ break;
+ }
+ }
+--
+2.39.5
+
--- /dev/null
+From e87d4bc9673fdb150abcd445defd9e948674b288 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Feb 2025 18:51:07 +0100
+Subject: ALSA: hda/realtek: Fix Asus Z13 2025 audio
+
+From: Antheas Kapenekakis <lkml@antheas.dev>
+
+[ Upstream commit 12784ca33b62fd327631749e6a0cd2a10110a56c ]
+
+Use the basic quirk for this type of amplifier. Sound works in speakers,
+headphones, and microphone. Whereas none worked before.
+
+Tested-by: Kyle Gospodnetich <me@kylegospodneti.ch>
+Signed-off-by: Antheas Kapenekakis <lkml@antheas.dev>
+Link: https://patch.msgid.link/20250227175107.33432-3-lkml@antheas.dev
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
+index 86a4e8c7d3f91..2df163625ccff 100644
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10066,6 +10066,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+ SND_PCI_QUIRK(0x1043, 0x1f12, "ASUS UM5302", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x1043, 0x1f62, "ASUS UX7602ZM", ALC245_FIXUP_CS35L41_SPI_2),
+ SND_PCI_QUIRK(0x1043, 0x1f92, "ASUS ROG Flow X16", ALC289_FIXUP_ASUS_GA401),
++ SND_PCI_QUIRK(0x1043, 0x1fb3, "ASUS ROG Flow Z13 GZ302EA", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x1043, 0x3030, "ASUS ZN270IE", ALC256_FIXUP_ASUS_AIO_GPIO2),
+ SND_PCI_QUIRK(0x1043, 0x3a20, "ASUS G614JZR", ALC245_FIXUP_CS35L41_SPI_2),
+ SND_PCI_QUIRK(0x1043, 0x3a30, "ASUS G814JVR/JIR", ALC245_FIXUP_CS35L41_SPI_2),
+--
+2.39.5
+
--- /dev/null
+From bedd161ab90f8a48cd72ccd43dd1028ef48c4689 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Feb 2025 17:54:01 +0530
+Subject: arch/powerpc: drop GENERIC_PTDUMP from mpc885_ads_defconfig
+
+From: Anshuman Khandual <anshuman.khandual@arm.com>
+
+[ Upstream commit 2c5e6ac2db64ace51f66a9f3b3b3ab9553d748e8 ]
+
+GENERIC_PTDUMP gets selected on powerpc explicitly and hence can be
+dropped off from mpc885_ads_defconfig. Replace with CONFIG_PTDUMP_DEBUGFS
+instead.
+
+Link: https://lkml.kernel.org/r/20250226122404.1927473-3-anshuman.khandual@arm.com
+Fixes: e084728393a5 ("powerpc/ptdump: Convert powerpc to GENERIC_PTDUMP")
+Signed-off-by: Anshuman Khandual <anshuman.khandual@arm.com>
+Suggested-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Cc: Madhavan Srinivasan <maddy@linux.ibm.com>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Nicholas Piggin <npiggin@gmail.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Heiko Carstens <hca@linux.ibm.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Jonathan Corbet <corbet@lwn.net>
+Cc: Marc Zyngier <maz@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Palmer Dabbelt <palmer@dabbelt.com>
+Cc: Paul Walmsley <paul.walmsley@sifive.com>
+Cc: Steven Price <steven.price@arm.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Vasily Gorbik <gor@linux.ibm.com>
+Cc: Will Deacon <will@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/configs/mpc885_ads_defconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/configs/mpc885_ads_defconfig b/arch/powerpc/configs/mpc885_ads_defconfig
+index 56b876e418e91..6b998cb572553 100644
+--- a/arch/powerpc/configs/mpc885_ads_defconfig
++++ b/arch/powerpc/configs/mpc885_ads_defconfig
+@@ -78,4 +78,4 @@ CONFIG_DEBUG_VM_PGTABLE=y
+ CONFIG_DETECT_HUNG_TASK=y
+ CONFIG_BDI_SWITCH=y
+ CONFIG_PPC_EARLY_DEBUG=y
+-CONFIG_GENERIC_PTDUMP=y
++CONFIG_PTDUMP_DEBUGFS=y
+--
+2.39.5
+
--- /dev/null
+From 1c22ff2f3a749e0eef05e6e0f4e3707e10c6cda5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Apr 2025 21:50:36 +0800
+Subject: arcnet: Add NULL check in com20020pci_probe()
+
+From: Henry Martin <bsdhenrymartin@gmail.com>
+
+[ Upstream commit fda8c491db2a90ff3e6fbbae58e495b4ddddeca3 ]
+
+devm_kasprintf() returns NULL when memory allocation fails. Currently,
+com20020pci_probe() does not check for this case, which results in a
+NULL pointer dereference.
+
+Add NULL check after devm_kasprintf() to prevent this issue and ensure
+no resources are left allocated.
+
+Fixes: 6b17a597fc2f ("arcnet: restoring support for multiple Sohard Arcnet cards")
+Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
+Link: https://patch.msgid.link/20250402135036.44697-1-bsdhenrymartin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/arcnet/com20020-pci.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/arcnet/com20020-pci.c b/drivers/net/arcnet/com20020-pci.c
+index 7b5c8bb02f119..e7db6a4e4dc9d 100644
+--- a/drivers/net/arcnet/com20020-pci.c
++++ b/drivers/net/arcnet/com20020-pci.c
+@@ -250,18 +250,33 @@ static int com20020pci_probe(struct pci_dev *pdev,
+ card->tx_led.default_trigger = devm_kasprintf(&pdev->dev,
+ GFP_KERNEL, "arc%d-%d-tx",
+ dev->dev_id, i);
++ if (!card->tx_led.default_trigger) {
++ ret = -ENOMEM;
++ goto err_free_arcdev;
++ }
+ card->tx_led.name = devm_kasprintf(&pdev->dev, GFP_KERNEL,
+ "pci:green:tx:%d-%d",
+ dev->dev_id, i);
+-
++ if (!card->tx_led.name) {
++ ret = -ENOMEM;
++ goto err_free_arcdev;
++ }
+ card->tx_led.dev = &dev->dev;
+ card->recon_led.brightness_set = led_recon_set;
+ card->recon_led.default_trigger = devm_kasprintf(&pdev->dev,
+ GFP_KERNEL, "arc%d-%d-recon",
+ dev->dev_id, i);
++ if (!card->recon_led.default_trigger) {
++ ret = -ENOMEM;
++ goto err_free_arcdev;
++ }
+ card->recon_led.name = devm_kasprintf(&pdev->dev, GFP_KERNEL,
+ "pci:red:recon:%d-%d",
+ dev->dev_id, i);
++ if (!card->recon_led.name) {
++ ret = -ENOMEM;
++ goto err_free_arcdev;
++ }
+ card->recon_led.dev = &dev->dev;
+
+ ret = devm_led_classdev_register(&pdev->dev, &card->tx_led);
+--
+2.39.5
+
--- /dev/null
+From d9d6ff8b3080447efc30641dcf3a3cccb41e1b73 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Mar 2025 16:56:37 +0500
+Subject: ASoC: cs35l41: check the return value from spi_setup()
+
+From: Vitaliy Shevtsov <v.shevtsov@mt-integration.ru>
+
+[ Upstream commit ad5a0970f86d82e39ebd06d45a1f7aa48a1316f8 ]
+
+Currently the return value from spi_setup() is not checked for a failure.
+It is unlikely it will ever fail in this particular case but it is still
+better to add this check for the sake of completeness and correctness. This
+is cheap since it is performed once when the device is being probed.
+
+Handle spi_setup() return value.
+
+Found by Linux Verification Center (linuxtesting.org) with Svace.
+
+Fixes: 872fc0b6bde8 ("ASoC: cs35l41: Set the max SPI speed for the whole device")
+Signed-off-by: Vitaliy Shevtsov <v.shevtsov@mt-integration.ru>
+Link: https://patch.msgid.link/20250304115643.2748-1-v.shevtsov@mt-integration.ru
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/cs35l41-spi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/cs35l41-spi.c b/sound/soc/codecs/cs35l41-spi.c
+index 5c8bb24909eb4..bd73944758c6d 100644
+--- a/sound/soc/codecs/cs35l41-spi.c
++++ b/sound/soc/codecs/cs35l41-spi.c
+@@ -39,7 +39,9 @@ static int cs35l41_spi_probe(struct spi_device *spi)
+ return -ENOMEM;
+
+ spi->max_speed_hz = CS35L41_SPI_MAX_FREQ;
+- spi_setup(spi);
++ ret = spi_setup(spi);
++ if (ret < 0)
++ return ret;
+
+ spi_set_drvdata(spi, cs35l41);
+ cs35l41->regmap = devm_regmap_init_spi(spi, regmap_config);
+--
+2.39.5
+
--- /dev/null
+From b439d9969611c96e80a50d01316801f6c3f5e72c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Apr 2025 22:25:10 +0800
+Subject: ASoC: imx-card: Add NULL check in imx_card_probe()
+
+From: Henry Martin <bsdhenrymartin@gmail.com>
+
+[ Upstream commit 93d34608fd162f725172e780b1c60cc93a920719 ]
+
+devm_kasprintf() returns NULL when memory allocation fails. Currently,
+imx_card_probe() does not check for this case, which results in a NULL
+pointer dereference.
+
+Add NULL check after devm_kasprintf() to prevent this issue.
+
+Fixes: aa736700f42f ("ASoC: imx-card: Add imx-card machine driver")
+Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Link: https://patch.msgid.link/20250401142510.29900-1-bsdhenrymartin@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/fsl/imx-card.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/sound/soc/fsl/imx-card.c b/sound/soc/fsl/imx-card.c
+index 9c1631c444229..c6d55b21f9496 100644
+--- a/sound/soc/fsl/imx-card.c
++++ b/sound/soc/fsl/imx-card.c
+@@ -759,6 +759,8 @@ static int imx_card_probe(struct platform_device *pdev)
+ data->dapm_routes[i].sink =
+ devm_kasprintf(&pdev->dev, GFP_KERNEL, "%d %s",
+ i + 1, "Playback");
++ if (!data->dapm_routes[i].sink)
++ return -ENOMEM;
+ data->dapm_routes[i].source = "CPU-Playback";
+ }
+ }
+@@ -776,6 +778,8 @@ static int imx_card_probe(struct platform_device *pdev)
+ data->dapm_routes[i].source =
+ devm_kasprintf(&pdev->dev, GFP_KERNEL, "%d %s",
+ i + 1, "Capture");
++ if (!data->dapm_routes[i].source)
++ return -ENOMEM;
+ data->dapm_routes[i].sink = "CPU-Capture";
+ }
+ }
+--
+2.39.5
+
--- /dev/null
+From 2491ca03428a5906360d97aef56d739645c706a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Mar 2025 17:05:24 +0530
+Subject: ASoC: ti: j721e-evm: Fix clock configuration for ti,j7200-cpb-audio
+ compatible
+
+From: Jayesh Choudhary <j-choudhary@ti.com>
+
+[ Upstream commit 45ff65e30deb919604e68faed156ad96ce7474d9 ]
+
+For 'ti,j7200-cpb-audio' compatible, there is support for only one PLL for
+48k. For 11025, 22050, 44100 and 88200 sampling rates, due to absence of
+J721E_CLK_PARENT_44100, we get EINVAL while running any audio application.
+Add support for these rates by using the 48k parent clock and adjusting
+the clock for these rates later in j721e_configure_refclk.
+
+Fixes: 6748d0559059 ("ASoC: ti: Add custom machine driver for j721e EVM (CPB and IVI)")
+Signed-off-by: Jayesh Choudhary <j-choudhary@ti.com>
+Link: https://patch.msgid.link/20250318113524.57100-1-j-choudhary@ti.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/ti/j721e-evm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/soc/ti/j721e-evm.c b/sound/soc/ti/j721e-evm.c
+index 6a969874c9270..5e0bdbd34a837 100644
+--- a/sound/soc/ti/j721e-evm.c
++++ b/sound/soc/ti/j721e-evm.c
+@@ -182,6 +182,8 @@ static int j721e_configure_refclk(struct j721e_priv *priv,
+ clk_id = J721E_CLK_PARENT_48000;
+ else if (!(rate % 11025) && priv->pll_rates[J721E_CLK_PARENT_44100])
+ clk_id = J721E_CLK_PARENT_44100;
++ else if (!(rate % 11025) && priv->pll_rates[J721E_CLK_PARENT_48000])
++ clk_id = J721E_CLK_PARENT_48000;
+ else
+ return ret;
+
+--
+2.39.5
+
--- /dev/null
+From 433dd412abe674803e07ce5e8c54749a7e8f25db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Feb 2025 12:22:59 +0800
+Subject: bpf: Use preempt_count() directly in bpf_send_signal_common()
+
+From: Hou Tao <houtao1@huawei.com>
+
+[ Upstream commit b4a8b5bba712a711d8ca1f7d04646db63f9c88f5 ]
+
+bpf_send_signal_common() uses preemptible() to check whether or not the
+current context is preemptible. If it is preemptible, it will use
+irq_work to send the signal asynchronously instead of trying to hold a
+spin-lock, because spin-lock is sleepable under PREEMPT_RT.
+
+However, preemptible() depends on CONFIG_PREEMPT_COUNT. When
+CONFIG_PREEMPT_COUNT is turned off (e.g., CONFIG_PREEMPT_VOLUNTARY=y),
+!preemptible() will be evaluated as 1 and bpf_send_signal_common() will
+use irq_work unconditionally.
+
+Fix it by unfolding "!preemptible()" and using "preempt_count() != 0 ||
+irqs_disabled()" instead.
+
+Fixes: 87c544108b61 ("bpf: Send signals asynchronously if !preemptible")
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Link: https://lore.kernel.org/r/20250220042259.1583319-1-houtao@huaweicloud.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/bpf_trace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
+index af48f66466e81..6b5bb0e380b55 100644
+--- a/kernel/trace/bpf_trace.c
++++ b/kernel/trace/bpf_trace.c
+@@ -857,7 +857,7 @@ static int bpf_send_signal_common(u32 sig, enum pid_type type)
+ if (unlikely(is_global_init(current)))
+ return -EPERM;
+
+- if (!preemptible()) {
++ if (preempt_count() != 0 || irqs_disabled()) {
+ /* Do an early check on signal validity. Otherwise,
+ * the error is lost in deferred irq_work.
+ */
+--
+2.39.5
+
--- /dev/null
+From 8d42e5a912a940f34a19ffcd5f6a49a170872ee4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Mar 2025 15:33:53 +0100
+Subject: can: statistics: use atomic access in hot path
+
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+
+[ Upstream commit 80b5f90158d1364cbd80ad82852a757fc0692bf2 ]
+
+In can_send() and can_receive() CAN messages and CAN filter matches are
+counted to be visible in the CAN procfs files.
+
+KCSAN detected a data race within can_send() when two CAN frames have
+been generated by a timer event writing to the same CAN netdevice at the
+same time. Use atomic operations to access the statistics in the hot path
+to fix the KCSAN complaint.
+
+Reported-by: syzbot+78ce4489b812515d5e4d@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/67cd717d.050a0220.e1a89.0006.GAE@google.com
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Reviewed-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+Link: https://patch.msgid.link/20250310143353.3242-1-socketcan@hartkopp.net
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/can/af_can.c | 12 ++++++------
+ net/can/af_can.h | 12 ++++++------
+ net/can/proc.c | 46 +++++++++++++++++++++++++++-------------------
+ 3 files changed, 39 insertions(+), 31 deletions(-)
+
+diff --git a/net/can/af_can.c b/net/can/af_can.c
+index 7d8543e877b44..bbd8e959137d9 100644
+--- a/net/can/af_can.c
++++ b/net/can/af_can.c
+@@ -287,8 +287,8 @@ int can_send(struct sk_buff *skb, int loop)
+ netif_rx(newskb);
+
+ /* update statistics */
+- pkg_stats->tx_frames++;
+- pkg_stats->tx_frames_delta++;
++ atomic_long_inc(&pkg_stats->tx_frames);
++ atomic_long_inc(&pkg_stats->tx_frames_delta);
+
+ return 0;
+
+@@ -648,8 +648,8 @@ static void can_receive(struct sk_buff *skb, struct net_device *dev)
+ int matches;
+
+ /* update statistics */
+- pkg_stats->rx_frames++;
+- pkg_stats->rx_frames_delta++;
++ atomic_long_inc(&pkg_stats->rx_frames);
++ atomic_long_inc(&pkg_stats->rx_frames_delta);
+
+ /* create non-zero unique skb identifier together with *skb */
+ while (!(can_skb_prv(skb)->skbcnt))
+@@ -670,8 +670,8 @@ static void can_receive(struct sk_buff *skb, struct net_device *dev)
+ consume_skb(skb);
+
+ if (matches > 0) {
+- pkg_stats->matches++;
+- pkg_stats->matches_delta++;
++ atomic_long_inc(&pkg_stats->matches);
++ atomic_long_inc(&pkg_stats->matches_delta);
+ }
+ }
+
+diff --git a/net/can/af_can.h b/net/can/af_can.h
+index 7c2d9161e2245..22f3352c77fec 100644
+--- a/net/can/af_can.h
++++ b/net/can/af_can.h
+@@ -66,9 +66,9 @@ struct receiver {
+ struct can_pkg_stats {
+ unsigned long jiffies_init;
+
+- unsigned long rx_frames;
+- unsigned long tx_frames;
+- unsigned long matches;
++ atomic_long_t rx_frames;
++ atomic_long_t tx_frames;
++ atomic_long_t matches;
+
+ unsigned long total_rx_rate;
+ unsigned long total_tx_rate;
+@@ -82,9 +82,9 @@ struct can_pkg_stats {
+ unsigned long max_tx_rate;
+ unsigned long max_rx_match_ratio;
+
+- unsigned long rx_frames_delta;
+- unsigned long tx_frames_delta;
+- unsigned long matches_delta;
++ atomic_long_t rx_frames_delta;
++ atomic_long_t tx_frames_delta;
++ atomic_long_t matches_delta;
+ };
+
+ /* persistent statistics */
+diff --git a/net/can/proc.c b/net/can/proc.c
+index bbce97825f13f..25fdf060e30d0 100644
+--- a/net/can/proc.c
++++ b/net/can/proc.c
+@@ -118,6 +118,13 @@ void can_stat_update(struct timer_list *t)
+ struct can_pkg_stats *pkg_stats = net->can.pkg_stats;
+ unsigned long j = jiffies; /* snapshot */
+
++ long rx_frames = atomic_long_read(&pkg_stats->rx_frames);
++ long tx_frames = atomic_long_read(&pkg_stats->tx_frames);
++ long matches = atomic_long_read(&pkg_stats->matches);
++ long rx_frames_delta = atomic_long_read(&pkg_stats->rx_frames_delta);
++ long tx_frames_delta = atomic_long_read(&pkg_stats->tx_frames_delta);
++ long matches_delta = atomic_long_read(&pkg_stats->matches_delta);
++
+ /* restart counting in timer context on user request */
+ if (user_reset)
+ can_init_stats(net);
+@@ -127,35 +134,33 @@ void can_stat_update(struct timer_list *t)
+ can_init_stats(net);
+
+ /* prevent overflow in calc_rate() */
+- if (pkg_stats->rx_frames > (ULONG_MAX / HZ))
++ if (rx_frames > (LONG_MAX / HZ))
+ can_init_stats(net);
+
+ /* prevent overflow in calc_rate() */
+- if (pkg_stats->tx_frames > (ULONG_MAX / HZ))
++ if (tx_frames > (LONG_MAX / HZ))
+ can_init_stats(net);
+
+ /* matches overflow - very improbable */
+- if (pkg_stats->matches > (ULONG_MAX / 100))
++ if (matches > (LONG_MAX / 100))
+ can_init_stats(net);
+
+ /* calc total values */
+- if (pkg_stats->rx_frames)
+- pkg_stats->total_rx_match_ratio = (pkg_stats->matches * 100) /
+- pkg_stats->rx_frames;
++ if (rx_frames)
++ pkg_stats->total_rx_match_ratio = (matches * 100) / rx_frames;
+
+ pkg_stats->total_tx_rate = calc_rate(pkg_stats->jiffies_init, j,
+- pkg_stats->tx_frames);
++ tx_frames);
+ pkg_stats->total_rx_rate = calc_rate(pkg_stats->jiffies_init, j,
+- pkg_stats->rx_frames);
++ rx_frames);
+
+ /* calc current values */
+- if (pkg_stats->rx_frames_delta)
++ if (rx_frames_delta)
+ pkg_stats->current_rx_match_ratio =
+- (pkg_stats->matches_delta * 100) /
+- pkg_stats->rx_frames_delta;
++ (matches_delta * 100) / rx_frames_delta;
+
+- pkg_stats->current_tx_rate = calc_rate(0, HZ, pkg_stats->tx_frames_delta);
+- pkg_stats->current_rx_rate = calc_rate(0, HZ, pkg_stats->rx_frames_delta);
++ pkg_stats->current_tx_rate = calc_rate(0, HZ, tx_frames_delta);
++ pkg_stats->current_rx_rate = calc_rate(0, HZ, rx_frames_delta);
+
+ /* check / update maximum values */
+ if (pkg_stats->max_tx_rate < pkg_stats->current_tx_rate)
+@@ -168,9 +173,9 @@ void can_stat_update(struct timer_list *t)
+ pkg_stats->max_rx_match_ratio = pkg_stats->current_rx_match_ratio;
+
+ /* clear values for 'current rate' calculation */
+- pkg_stats->tx_frames_delta = 0;
+- pkg_stats->rx_frames_delta = 0;
+- pkg_stats->matches_delta = 0;
++ atomic_long_set(&pkg_stats->tx_frames_delta, 0);
++ atomic_long_set(&pkg_stats->rx_frames_delta, 0);
++ atomic_long_set(&pkg_stats->matches_delta, 0);
+
+ /* restart timer (one second) */
+ mod_timer(&net->can.stattimer, round_jiffies(jiffies + HZ));
+@@ -214,9 +219,12 @@ static int can_stats_proc_show(struct seq_file *m, void *v)
+ struct can_rcv_lists_stats *rcv_lists_stats = net->can.rcv_lists_stats;
+
+ seq_putc(m, '\n');
+- seq_printf(m, " %8ld transmitted frames (TXF)\n", pkg_stats->tx_frames);
+- seq_printf(m, " %8ld received frames (RXF)\n", pkg_stats->rx_frames);
+- seq_printf(m, " %8ld matched frames (RXMF)\n", pkg_stats->matches);
++ seq_printf(m, " %8ld transmitted frames (TXF)\n",
++ atomic_long_read(&pkg_stats->tx_frames));
++ seq_printf(m, " %8ld received frames (RXF)\n",
++ atomic_long_read(&pkg_stats->rx_frames));
++ seq_printf(m, " %8ld matched frames (RXMF)\n",
++ atomic_long_read(&pkg_stats->matches));
+
+ seq_putc(m, '\n');
+
+--
+2.39.5
+
--- /dev/null
+From 1194906bb2bf0e92ba801b08499a2962bd322bc9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Dec 2024 11:03:23 +0100
+Subject: clk: amlogic: g12a: fix mmc A peripheral clock
+
+From: Jerome Brunet <jbrunet@baylibre.com>
+
+[ Upstream commit 0079e77c08de692cb20b38e408365c830a44b1ef ]
+
+The bit index of the peripheral clock for mmc A is wrong
+This was probably not a problem for mmc A as the peripheral is likely left
+enabled by the bootloader.
+
+No issues has been reported so far but it could be a problem, most likely
+some form of conflict between the ethernet and mmc A clock, breaking
+ethernet on init.
+
+Use the value provided by the documentation for mmc A before this
+becomes an actual problem.
+
+Fixes: 085a4ea93d54 ("clk: meson: g12a: add peripheral clock controller")
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://lore.kernel.org/r/20241213-amlogic-clk-g12a-mmca-fix-v1-1-5af421f58b64@baylibre.com
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/meson/g12a.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/meson/g12a.c b/drivers/clk/meson/g12a.c
+index a623596c1e490..d13a60fefc1b8 100644
+--- a/drivers/clk/meson/g12a.c
++++ b/drivers/clk/meson/g12a.c
+@@ -4199,7 +4199,7 @@ static MESON_GATE(g12a_spicc_1, HHI_GCLK_MPEG0, 14);
+ static MESON_GATE(g12a_hiu_reg, HHI_GCLK_MPEG0, 19);
+ static MESON_GATE(g12a_mipi_dsi_phy, HHI_GCLK_MPEG0, 20);
+ static MESON_GATE(g12a_assist_misc, HHI_GCLK_MPEG0, 23);
+-static MESON_GATE(g12a_emmc_a, HHI_GCLK_MPEG0, 4);
++static MESON_GATE(g12a_emmc_a, HHI_GCLK_MPEG0, 24);
+ static MESON_GATE(g12a_emmc_b, HHI_GCLK_MPEG0, 25);
+ static MESON_GATE(g12a_emmc_c, HHI_GCLK_MPEG0, 26);
+ static MESON_GATE(g12a_audio_codec, HHI_GCLK_MPEG0, 28);
+--
+2.39.5
+
--- /dev/null
+From 7483aaa7025547bb6a3fb24ab5992bfa8339fdb8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Dec 2024 15:30:17 +0100
+Subject: clk: amlogic: g12b: fix cluster A parent data
+
+From: Jerome Brunet <jbrunet@baylibre.com>
+
+[ Upstream commit 8995f8f108c3ac5ad52b12a6cfbbc7b3b32e9a58 ]
+
+Several clocks used by both g12a and g12b use the g12a cpu A clock hw
+pointer as clock parent. This is incorrect on g12b since the parents of
+cluster A cpu clock are different. Also the hw clock provided as parent to
+these children is not even registered clock on g12b.
+
+Fix the problem by reverting to the global namespace and let CCF pick
+the appropriate, as it is already done for other clocks, such as
+cpu_clk_trace_div.
+
+Fixes: 25e682a02d91 ("clk: meson: g12a: migrate to the new parent description method")
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://lore.kernel.org/r/20241213-amlogic-clk-g12a-cpua-parent-fix-v1-1-d8c0f41865fe@baylibre.com
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/meson/g12a.c | 36 ++++++++++++++++++++++++------------
+ 1 file changed, 24 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/clk/meson/g12a.c b/drivers/clk/meson/g12a.c
+index 310accf94830b..a623596c1e490 100644
+--- a/drivers/clk/meson/g12a.c
++++ b/drivers/clk/meson/g12a.c
+@@ -1136,8 +1136,18 @@ static struct clk_regmap g12a_cpu_clk_div16_en = {
+ .hw.init = &(struct clk_init_data) {
+ .name = "cpu_clk_div16_en",
+ .ops = &clk_regmap_gate_ro_ops,
+- .parent_hws = (const struct clk_hw *[]) {
+- &g12a_cpu_clk.hw
++ .parent_data = &(const struct clk_parent_data) {
++ /*
++ * Note:
++ * G12A and G12B have different cpu clocks (with
++ * different struct clk_hw). We fallback to the global
++ * naming string mechanism so this clock picks
++ * up the appropriate one. Same goes for the other
++ * clock using cpu cluster A clock output and present
++ * on both G12 variant.
++ */
++ .name = "cpu_clk",
++ .index = -1,
+ },
+ .num_parents = 1,
+ /*
+@@ -1202,7 +1212,10 @@ static struct clk_regmap g12a_cpu_clk_apb_div = {
+ .hw.init = &(struct clk_init_data){
+ .name = "cpu_clk_apb_div",
+ .ops = &clk_regmap_divider_ro_ops,
+- .parent_hws = (const struct clk_hw *[]) { &g12a_cpu_clk.hw },
++ .parent_data = &(const struct clk_parent_data) {
++ .name = "cpu_clk",
++ .index = -1,
++ },
+ .num_parents = 1,
+ },
+ };
+@@ -1236,7 +1249,10 @@ static struct clk_regmap g12a_cpu_clk_atb_div = {
+ .hw.init = &(struct clk_init_data){
+ .name = "cpu_clk_atb_div",
+ .ops = &clk_regmap_divider_ro_ops,
+- .parent_hws = (const struct clk_hw *[]) { &g12a_cpu_clk.hw },
++ .parent_data = &(const struct clk_parent_data) {
++ .name = "cpu_clk",
++ .index = -1,
++ },
+ .num_parents = 1,
+ },
+ };
+@@ -1270,7 +1286,10 @@ static struct clk_regmap g12a_cpu_clk_axi_div = {
+ .hw.init = &(struct clk_init_data){
+ .name = "cpu_clk_axi_div",
+ .ops = &clk_regmap_divider_ro_ops,
+- .parent_hws = (const struct clk_hw *[]) { &g12a_cpu_clk.hw },
++ .parent_data = &(const struct clk_parent_data) {
++ .name = "cpu_clk",
++ .index = -1,
++ },
+ .num_parents = 1,
+ },
+ };
+@@ -1305,13 +1324,6 @@ static struct clk_regmap g12a_cpu_clk_trace_div = {
+ .name = "cpu_clk_trace_div",
+ .ops = &clk_regmap_divider_ro_ops,
+ .parent_data = &(const struct clk_parent_data) {
+- /*
+- * Note:
+- * G12A and G12B have different cpu_clks (with
+- * different struct clk_hw). We fallback to the global
+- * naming string mechanism so cpu_clk_trace_div picks
+- * up the appropriate one.
+- */
+ .name = "cpu_clk",
+ .index = -1,
+ },
+--
+2.39.5
+
--- /dev/null
+From 7dffa8c85ef8554d382fa3eb991ce1e265e3b627 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Dec 2024 11:25:36 +0100
+Subject: clk: amlogic: gxbb: drop incorrect flag on 32k clock
+
+From: Jerome Brunet <jbrunet@baylibre.com>
+
+[ Upstream commit f38f7fe4830c5cb4eac138249225f119e7939965 ]
+
+gxbb_32k_clk_div sets CLK_DIVIDER_ROUND_CLOSEST in the init_data flag which
+is incorrect. This is field is not where the divider flags belong.
+
+Thankfully, CLK_DIVIDER_ROUND_CLOSEST maps to bit 4 which is an unused
+clock flag, so there is no unintended consequence to this error.
+
+Effectively, the clock has been used without CLK_DIVIDER_ROUND_CLOSEST
+so far, so just drop it.
+
+Fixes: 14c735c8e308 ("clk: meson-gxbb: Add EE 32K Clock for CEC")
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://lore.kernel.org/r/20241220-amlogic-clk-gxbb-32k-fixes-v1-1-baca56ecf2db@baylibre.com
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/meson/gxbb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/meson/gxbb.c b/drivers/clk/meson/gxbb.c
+index 608e0e8ca49a8..48c47503ea752 100644
+--- a/drivers/clk/meson/gxbb.c
++++ b/drivers/clk/meson/gxbb.c
+@@ -1310,7 +1310,7 @@ static struct clk_regmap gxbb_32k_clk_div = {
+ &gxbb_32k_clk_sel.hw
+ },
+ .num_parents = 1,
+- .flags = CLK_SET_RATE_PARENT | CLK_DIVIDER_ROUND_CLOSEST,
++ .flags = CLK_SET_RATE_PARENT,
+ },
+ };
+
+--
+2.39.5
+
--- /dev/null
+From 9b979ed7ebe594e0017eef305aa98864599973c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Dec 2024 11:25:37 +0100
+Subject: clk: amlogic: gxbb: drop non existing 32k clock parent
+
+From: Jerome Brunet <jbrunet@baylibre.com>
+
+[ Upstream commit 7915d7d5407c026fa9343befb4d3343f7a345f97 ]
+
+The 32k clock reference a parent 'cts_slow_oscin' with a fixme note saying
+that this clock should be provided by AO controller.
+
+The HW probably has this clock but it does not exist at the moment in
+any controller implementation. Furthermore, referencing clock by the global
+name should be avoided whenever possible.
+
+There is no reason to keep this hack around, at least for now.
+
+Fixes: 14c735c8e308 ("clk: meson-gxbb: Add EE 32K Clock for CEC")
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://lore.kernel.org/r/20241220-amlogic-clk-gxbb-32k-fixes-v1-2-baca56ecf2db@baylibre.com
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/meson/gxbb.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/clk/meson/gxbb.c b/drivers/clk/meson/gxbb.c
+index 48c47503ea752..35bc13e73c0dd 100644
+--- a/drivers/clk/meson/gxbb.c
++++ b/drivers/clk/meson/gxbb.c
+@@ -1270,14 +1270,13 @@ static struct clk_regmap gxbb_cts_i958 = {
+ },
+ };
+
++/*
++ * This table skips a clock named 'cts_slow_oscin' in the documentation
++ * This clock does not exist yet in this controller or the AO one
++ */
++static u32 gxbb_32k_clk_parents_val_table[] = { 0, 2, 3 };
+ static const struct clk_parent_data gxbb_32k_clk_parent_data[] = {
+ { .fw_name = "xtal", },
+- /*
+- * FIXME: This clock is provided by the ao clock controller but the
+- * clock is not yet part of the binding of this controller, so string
+- * name must be use to set this parent.
+- */
+- { .name = "cts_slow_oscin", .index = -1 },
+ { .hw = &gxbb_fclk_div3.hw },
+ { .hw = &gxbb_fclk_div5.hw },
+ };
+@@ -1287,6 +1286,7 @@ static struct clk_regmap gxbb_32k_clk_sel = {
+ .offset = HHI_32K_CLK_CNTL,
+ .mask = 0x3,
+ .shift = 16,
++ .table = gxbb_32k_clk_parents_val_table,
+ },
+ .hw.init = &(struct clk_init_data){
+ .name = "32k_clk_sel",
+--
+2.39.5
+
--- /dev/null
+From 14dc50ffebb7aaf200c36fbea7ffe8d8e03e214c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 15 Mar 2025 16:26:18 +0100
+Subject: clk: qcom: gcc-msm8953: fix stuck venus0_core0 clock
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Vladimir Lypak <vladimir.lypak@gmail.com>
+
+[ Upstream commit cdc59600bccf2cb4c483645438a97d4ec55f326b ]
+
+This clock can't be enable with VENUS_CORE0 GDSC turned off. But that
+GDSC is under HW control so it can be turned off at any moment.
+Instead of checking the dependent clock we can just vote for it to
+enable later when GDSC gets turned on.
+
+Fixes: 9bb6cfc3c77e6 ("clk: qcom: Add Global Clock Controller driver for MSM8953")
+Signed-off-by: Vladimir Lypak <vladimir.lypak@gmail.com>
+Signed-off-by: Barnabás Czémán <barnabas.czeman@mainlining.org>
+Link: https://lore.kernel.org/r/20250315-clock-fix-v1-2-2efdc4920dda@mainlining.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/gcc-msm8953.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/qcom/gcc-msm8953.c b/drivers/clk/qcom/gcc-msm8953.c
+index 8aafa6591e845..3b32830f7466a 100644
+--- a/drivers/clk/qcom/gcc-msm8953.c
++++ b/drivers/clk/qcom/gcc-msm8953.c
+@@ -3771,7 +3771,7 @@ static struct clk_branch gcc_venus0_axi_clk = {
+
+ static struct clk_branch gcc_venus0_core0_vcodec0_clk = {
+ .halt_reg = 0x4c02c,
+- .halt_check = BRANCH_HALT,
++ .halt_check = BRANCH_HALT_SKIP,
+ .clkr = {
+ .enable_reg = 0x4c02c,
+ .enable_mask = BIT(0),
+--
+2.39.5
+
--- /dev/null
+From bc1ac77b384ee8d3ea6b1792a47077c0783de28e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 15 Mar 2025 16:26:17 +0100
+Subject: clk: qcom: mmcc-sdm660: fix stuck video_subcore0 clock
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Barnabás Czémán <barnabas.czeman@mainlining.org>
+
+[ Upstream commit 000cbe3896c56bf5c625e286ff096533a6b27657 ]
+
+This clock can't be enable with VENUS_CORE0 GDSC turned off. But that
+GDSC is under HW control so it can be turned off at any moment.
+Instead of checking the dependent clock we can just vote for it to
+enable later when GDSC gets turned on.
+
+Fixes: 5db3ae8b33de6 ("clk: qcom: Add SDM660 Multimedia Clock Controller (MMCC) driver")
+Signed-off-by: Barnabás Czémán <barnabas.czeman@mainlining.org>
+Link: https://lore.kernel.org/r/20250315-clock-fix-v1-1-2efdc4920dda@mainlining.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/qcom/mmcc-sdm660.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/qcom/mmcc-sdm660.c b/drivers/clk/qcom/mmcc-sdm660.c
+index bc19a23e13f8a..4d187d6aba734 100644
+--- a/drivers/clk/qcom/mmcc-sdm660.c
++++ b/drivers/clk/qcom/mmcc-sdm660.c
+@@ -2544,7 +2544,7 @@ static struct clk_branch video_core_clk = {
+
+ static struct clk_branch video_subcore0_clk = {
+ .halt_reg = 0x1048,
+- .halt_check = BRANCH_HALT,
++ .halt_check = BRANCH_HALT_SKIP,
+ .clkr = {
+ .enable_reg = 0x1048,
+ .enable_mask = BIT(0),
+--
+2.39.5
+
--- /dev/null
+From 002ceea2371be90460a026c2ed15b2c86634a2b6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Jan 2025 01:26:22 +0000
+Subject: clk: rockchip: rk3328: fix wrong clk_ref_usb3otg parent
+
+From: Peter Geis <pgwipeout@gmail.com>
+
+[ Upstream commit a9e60f1ffe1ca57d6af6a2573e2f950e76efbf5b ]
+
+Correct the clk_ref_usb3otg parent to fix clock control for the usb3
+controller on rk3328. Verified against the rk3328 trm, the rk3228h trm,
+and the rk3328 usb3 phy clock map.
+
+Fixes: fe3511ad8a1c ("clk: rockchip: add clock controller for rk3328")
+Signed-off-by: Peter Geis <pgwipeout@gmail.com>
+Reviewed-by: Dragan Simic <dsimic@manjaro.org>
+Link: https://lore.kernel.org/r/20250115012628.1035928-2-pgwipeout@gmail.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/rockchip/clk-rk3328.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/rockchip/clk-rk3328.c b/drivers/clk/rockchip/clk-rk3328.c
+index 267ab54937d3d..a3587c500de28 100644
+--- a/drivers/clk/rockchip/clk-rk3328.c
++++ b/drivers/clk/rockchip/clk-rk3328.c
+@@ -201,7 +201,7 @@ PNAME(mux_aclk_peri_pre_p) = { "cpll_peri",
+ "gpll_peri",
+ "hdmiphy_peri" };
+ PNAME(mux_ref_usb3otg_src_p) = { "xin24m",
+- "clk_usb3otg_ref" };
++ "clk_ref_usb3otg_src" };
+ PNAME(mux_xin24m_32k_p) = { "xin24m",
+ "clk_rtc32k" };
+ PNAME(mux_mac2io_src_p) = { "clk_mac2io_src",
+--
+2.39.5
+
--- /dev/null
+From 0912bd166b0e16a8abc6d32f8cca99cc2adc1a36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Feb 2025 10:32:52 -0800
+Subject: clk: samsung: Fix UBSAN panic in samsung_clk_init()
+
+From: Will McVicker <willmcvicker@google.com>
+
+[ Upstream commit d19d7345a7bcdb083b65568a11b11adffe0687af ]
+
+With UBSAN_ARRAY_BOUNDS=y, I'm hitting the below panic due to
+dereferencing `ctx->clk_data.hws` before setting
+`ctx->clk_data.num = nr_clks`. Move that up to fix the crash.
+
+ UBSAN: array index out of bounds: 00000000f2005512 [#1] PREEMPT SMP
+ <snip>
+ Call trace:
+ samsung_clk_init+0x110/0x124 (P)
+ samsung_clk_init+0x48/0x124 (L)
+ samsung_cmu_register_one+0x3c/0xa0
+ exynos_arm64_register_cmu+0x54/0x64
+ __gs101_cmu_top_of_clk_init_declare+0x28/0x60
+ ...
+
+Fixes: e620a1e061c4 ("drivers/clk: convert VL struct to struct_size")
+Signed-off-by: Will McVicker <willmcvicker@google.com>
+Link: https://lore.kernel.org/r/20250212183253.509771-1-willmcvicker@google.com
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/samsung/clk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/samsung/clk.c b/drivers/clk/samsung/clk.c
+index bca4731b14ea5..a95047319fcb6 100644
+--- a/drivers/clk/samsung/clk.c
++++ b/drivers/clk/samsung/clk.c
+@@ -64,11 +64,11 @@ struct samsung_clk_provider *__init samsung_clk_init(struct device_node *np,
+ if (!ctx)
+ panic("could not allocate clock provider context.\n");
+
++ ctx->clk_data.num = nr_clks;
+ for (i = 0; i < nr_clks; ++i)
+ ctx->clk_data.hws[i] = ERR_PTR(-ENOENT);
+
+ ctx->reg_base = base;
+- ctx->clk_data.num = nr_clks;
+ spin_lock_init(&ctx->lock);
+
+ return ctx;
+--
+2.39.5
+
--- /dev/null
+From 48c472973637a8b7069e7a0ea9fa0f6ae3447b83 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 Mar 2025 21:26:45 -0700
+Subject: context_tracking: Always inline ct_{nmi,irq}_{enter,exit}()
+
+From: Josh Poimboeuf <jpoimboe@kernel.org>
+
+[ Upstream commit 9ac50f7311dc8b39e355582f14c1e82da47a8196 ]
+
+Thanks to CONFIG_DEBUG_SECTION_MISMATCH, empty functions can be
+generated out of line. These can be called from noinstr code, so make
+sure they're always inlined.
+
+Fixes the following warnings:
+
+ vmlinux.o: warning: objtool: irqentry_nmi_enter+0xa2: call to ct_nmi_enter() leaves .noinstr.text section
+ vmlinux.o: warning: objtool: irqentry_nmi_exit+0x16: call to ct_nmi_exit() leaves .noinstr.text section
+ vmlinux.o: warning: objtool: irqentry_exit+0x78: call to ct_irq_exit() leaves .noinstr.text section
+
+Fixes: 6f0e6c1598b1 ("context_tracking: Take IRQ eqs entrypoints over RCU")
+Reported-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Frederic Weisbecker <frederic@kernel.org>
+Cc: Paul E. McKenney <paulmck@kernel.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Link: https://lore.kernel.org/r/8509bce3f536bcd4ae7af3a2cf6930d48c5e631a.1743481539.git.jpoimboe@kernel.org
+Closes: https://lore.kernel.org/d1eca076-fdde-484a-b33e-70e0d167c36d@infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/context_tracking_irq.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/include/linux/context_tracking_irq.h b/include/linux/context_tracking_irq.h
+index c50b5670c4a52..197916ee91a4b 100644
+--- a/include/linux/context_tracking_irq.h
++++ b/include/linux/context_tracking_irq.h
+@@ -10,12 +10,12 @@ void ct_irq_exit_irqson(void);
+ void ct_nmi_enter(void);
+ void ct_nmi_exit(void);
+ #else
+-static inline void ct_irq_enter(void) { }
+-static inline void ct_irq_exit(void) { }
++static __always_inline void ct_irq_enter(void) { }
++static __always_inline void ct_irq_exit(void) { }
+ static inline void ct_irq_enter_irqson(void) { }
+ static inline void ct_irq_exit_irqson(void) { }
+-static inline void ct_nmi_enter(void) { }
+-static inline void ct_nmi_exit(void) { }
++static __always_inline void ct_nmi_enter(void) { }
++static __always_inline void ct_nmi_exit(void) { }
+ #endif
+
+ #endif
+--
+2.39.5
+
--- /dev/null
+From fbb60a2b48bce1ae02f2dfdc46d8fa49d99cdc3b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Jan 2025 21:53:48 +0000
+Subject: coresight: catu: Fix number of pages while using 64k pages
+
+From: Ilkka Koskinen <ilkka@os.amperecomputing.com>
+
+[ Upstream commit 0e14e062f5ff98aa15264dfa87c5f5e924028561 ]
+
+Trying to record a trace on kernel with 64k pages resulted in -ENOMEM.
+This happens due to a bug in calculating the number of table pages, which
+returns zero. Fix the issue by rounding up.
+
+$ perf record --kcore -e cs_etm/@tmc_etr55,cycacc,branch_broadcast/k --per-thread taskset --cpu-list 1 dd if=/dev/zero of=/dev/null
+failed to mmap with 12 (Cannot allocate memory)
+
+Fixes: 8ed536b1e283 ("coresight: catu: Add support for scatter gather tables")
+Signed-off-by: Ilkka Koskinen <ilkka@os.amperecomputing.com>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Link: https://lore.kernel.org/r/20250109215348.5483-1-ilkka@os.amperecomputing.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwtracing/coresight/coresight-catu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hwtracing/coresight/coresight-catu.c b/drivers/hwtracing/coresight/coresight-catu.c
+index bc90a03f478fd..6ef7afa25631f 100644
+--- a/drivers/hwtracing/coresight/coresight-catu.c
++++ b/drivers/hwtracing/coresight/coresight-catu.c
+@@ -267,7 +267,7 @@ catu_init_sg_table(struct device *catu_dev, int node,
+ * Each table can address upto 1MB and we can have
+ * CATU_PAGES_PER_SYSPAGE tables in a system page.
+ */
+- nr_tpages = DIV_ROUND_UP(size, SZ_1M) / CATU_PAGES_PER_SYSPAGE;
++ nr_tpages = DIV_ROUND_UP(size, CATU_PAGES_PER_SYSPAGE * SZ_1M);
+ catu_table = tmc_alloc_sg_table(catu_dev, node, nr_tpages,
+ size >> PAGE_SHIFT, pages);
+ if (IS_ERR(catu_table))
+--
+2.39.5
+
--- /dev/null
+From aa57fd192e64363d47e9a8d654035809d3e3f722 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Jan 2025 17:04:20 +0800
+Subject: coresight-etm4x: add isb() before reading the TRCSTATR
+
+From: Yuanfang Zhang <quic_yuanfang@quicinc.com>
+
+[ Upstream commit 4ff6039ffb79a4a8a44b63810a8a2f2b43264856 ]
+
+As recommended by section 4.3.7 ("Synchronization when using system
+instructions to progrom the trace unit") of ARM IHI 0064H.b, the
+self-hosted trace analyzer must perform a Context synchronization
+event between writing to the TRCPRGCTLR and reading the TRCSTATR.
+Additionally, add an ISB between the each read of TRCSTATR on
+coresight_timeout() when using system instructions to program the
+trace unit.
+
+Fixes: 1ab3bb9df5e3 ("coresight: etm4x: Add necessary synchronization for sysreg access")
+Signed-off-by: Yuanfang Zhang <quic_yuanfang@quicinc.com>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Link: https://lore.kernel.org/r/20250116-etm_sync-v4-1-39f2b05e9514@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwtracing/coresight/coresight-core.c | 20 ++++++--
+ .../coresight/coresight-etm4x-core.c | 48 +++++++++++++++++--
+ include/linux/coresight.h | 4 ++
+ 3 files changed, 62 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/hwtracing/coresight/coresight-core.c b/drivers/hwtracing/coresight/coresight-core.c
+index bcb08fadccf21..4477b1ab73577 100644
+--- a/drivers/hwtracing/coresight/coresight-core.c
++++ b/drivers/hwtracing/coresight/coresight-core.c
+@@ -1478,18 +1478,20 @@ static void coresight_remove_conns(struct coresight_device *csdev)
+ }
+
+ /**
+- * coresight_timeout - loop until a bit has changed to a specific register
+- * state.
++ * coresight_timeout_action - loop until a bit has changed to a specific register
++ * state, with a callback after every trial.
+ * @csa: coresight device access for the device
+ * @offset: Offset of the register from the base of the device.
+ * @position: the position of the bit of interest.
+ * @value: the value the bit should have.
++ * @cb: Call back after each trial.
+ *
+ * Return: 0 as soon as the bit has taken the desired state or -EAGAIN if
+ * TIMEOUT_US has elapsed, which ever happens first.
+ */
+-int coresight_timeout(struct csdev_access *csa, u32 offset,
+- int position, int value)
++int coresight_timeout_action(struct csdev_access *csa, u32 offset,
++ int position, int value,
++ coresight_timeout_cb_t cb)
+ {
+ int i;
+ u32 val;
+@@ -1505,7 +1507,8 @@ int coresight_timeout(struct csdev_access *csa, u32 offset,
+ if (!(val & BIT(position)))
+ return 0;
+ }
+-
++ if (cb)
++ cb(csa, offset, position, value);
+ /*
+ * Delay is arbitrary - the specification doesn't say how long
+ * we are expected to wait. Extra check required to make sure
+@@ -1517,6 +1520,13 @@ int coresight_timeout(struct csdev_access *csa, u32 offset,
+
+ return -EAGAIN;
+ }
++EXPORT_SYMBOL_GPL(coresight_timeout_action);
++
++int coresight_timeout(struct csdev_access *csa, u32 offset,
++ int position, int value)
++{
++ return coresight_timeout_action(csa, offset, position, value, NULL);
++}
+ EXPORT_SYMBOL_GPL(coresight_timeout);
+
+ u32 coresight_relaxed_read32(struct coresight_device *csdev, u32 offset)
+diff --git a/drivers/hwtracing/coresight/coresight-etm4x-core.c b/drivers/hwtracing/coresight/coresight-etm4x-core.c
+index 354267edcb45f..1ad689db74da1 100644
+--- a/drivers/hwtracing/coresight/coresight-etm4x-core.c
++++ b/drivers/hwtracing/coresight/coresight-etm4x-core.c
+@@ -369,6 +369,29 @@ static void etm4_check_arch_features(struct etmv4_drvdata *drvdata,
+ }
+ #endif /* CONFIG_ETM4X_IMPDEF_FEATURE */
+
++static void etm4x_sys_ins_barrier(struct csdev_access *csa, u32 offset, int pos, int val)
++{
++ if (!csa->io_mem)
++ isb();
++}
++
++/*
++ * etm4x_wait_status: Poll for TRCSTATR.<pos> == <val>. While using system
++ * instruction to access the trace unit, each access must be separated by a
++ * synchronization barrier. See ARM IHI0064H.b section "4.3.7 Synchronization of
++ * register updates", for system instructions section, in "Notes":
++ *
++ * "In particular, whenever disabling or enabling the trace unit, a poll of
++ * TRCSTATR needs explicit synchronization between each read of TRCSTATR"
++ */
++static int etm4x_wait_status(struct csdev_access *csa, int pos, int val)
++{
++ if (!csa->io_mem)
++ return coresight_timeout_action(csa, TRCSTATR, pos, val,
++ etm4x_sys_ins_barrier);
++ return coresight_timeout(csa, TRCSTATR, pos, val);
++}
++
+ static int etm4_enable_hw(struct etmv4_drvdata *drvdata)
+ {
+ int i, rc;
+@@ -400,7 +423,7 @@ static int etm4_enable_hw(struct etmv4_drvdata *drvdata)
+ isb();
+
+ /* wait for TRCSTATR.IDLE to go up */
+- if (coresight_timeout(csa, TRCSTATR, TRCSTATR_IDLE_BIT, 1))
++ if (etm4x_wait_status(csa, TRCSTATR_IDLE_BIT, 1))
+ dev_err(etm_dev,
+ "timeout while waiting for Idle Trace Status\n");
+ if (drvdata->nr_pe)
+@@ -493,7 +516,7 @@ static int etm4_enable_hw(struct etmv4_drvdata *drvdata)
+ isb();
+
+ /* wait for TRCSTATR.IDLE to go back down to '0' */
+- if (coresight_timeout(csa, TRCSTATR, TRCSTATR_IDLE_BIT, 0))
++ if (etm4x_wait_status(csa, TRCSTATR_IDLE_BIT, 0))
+ dev_err(etm_dev,
+ "timeout while waiting for Idle Trace Status\n");
+
+@@ -845,10 +868,25 @@ static void etm4_disable_hw(void *info)
+ tsb_csync();
+ etm4x_relaxed_write32(csa, control, TRCPRGCTLR);
+
++ /*
++ * As recommended by section 4.3.7 ("Synchronization when using system
++ * instructions to progrom the trace unit") of ARM IHI 0064H.b, the
++ * self-hosted trace analyzer must perform a Context synchronization
++ * event between writing to the TRCPRGCTLR and reading the TRCSTATR.
++ */
++ if (!csa->io_mem)
++ isb();
++
+ /* wait for TRCSTATR.PMSTABLE to go to '1' */
+- if (coresight_timeout(csa, TRCSTATR, TRCSTATR_PMSTABLE_BIT, 1))
++ if (etm4x_wait_status(csa, TRCSTATR_PMSTABLE_BIT, 1))
+ dev_err(etm_dev,
+ "timeout while waiting for PM stable Trace Status\n");
++ /*
++ * As recommended by section 4.3.7 (Synchronization of register updates)
++ * of ARM IHI 0064H.b.
++ */
++ isb();
++
+ /* read the status of the single shot comparators */
+ for (i = 0; i < drvdata->nr_ss_cmp; i++) {
+ config->ss_status[i] =
+@@ -1593,7 +1631,7 @@ static int __etm4_cpu_save(struct etmv4_drvdata *drvdata)
+ etm4_os_lock(drvdata);
+
+ /* wait for TRCSTATR.PMSTABLE to go up */
+- if (coresight_timeout(csa, TRCSTATR, TRCSTATR_PMSTABLE_BIT, 1)) {
++ if (etm4x_wait_status(csa, TRCSTATR_PMSTABLE_BIT, 1)) {
+ dev_err(etm_dev,
+ "timeout while waiting for PM Stable Status\n");
+ etm4_os_unlock(drvdata);
+@@ -1684,7 +1722,7 @@ static int __etm4_cpu_save(struct etmv4_drvdata *drvdata)
+ state->trcpdcr = etm4x_read32(csa, TRCPDCR);
+
+ /* wait for TRCSTATR.IDLE to go up */
+- if (coresight_timeout(csa, TRCSTATR, TRCSTATR_IDLE_BIT, 1)) {
++ if (etm4x_wait_status(csa, TRCSTATR_PMSTABLE_BIT, 1)) {
+ dev_err(etm_dev,
+ "timeout while waiting for Idle Trace Status\n");
+ etm4_os_unlock(drvdata);
+diff --git a/include/linux/coresight.h b/include/linux/coresight.h
+index 1554021231f9c..56b40efb51a64 100644
+--- a/include/linux/coresight.h
++++ b/include/linux/coresight.h
+@@ -502,6 +502,10 @@ extern int coresight_enable(struct coresight_device *csdev);
+ extern void coresight_disable(struct coresight_device *csdev);
+ extern int coresight_timeout(struct csdev_access *csa, u32 offset,
+ int position, int value);
++typedef void (*coresight_timeout_cb_t) (struct csdev_access *, u32, int, int);
++extern int coresight_timeout_action(struct csdev_access *csa, u32 offset,
++ int position, int value,
++ coresight_timeout_cb_t cb);
+
+ extern int coresight_claim_device(struct coresight_device *csdev);
+ extern int coresight_claim_device_unlocked(struct coresight_device *csdev);
+--
+2.39.5
+
--- /dev/null
+From 61fe2c7748790ffc54aeb4ae7036b99021963d8b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Feb 2025 11:55:10 +0800
+Subject: cpufreq: governor: Fix negative 'idle_time' handling in dbs_update()
+
+From: Jie Zhan <zhanjie9@hisilicon.com>
+
+[ Upstream commit 3698dd6b139dc37b35a9ad83d9330c1f99666c02 ]
+
+We observed an issue that the CPU frequency can't raise up with a 100% CPU
+load when NOHZ is off and the 'conservative' governor is selected.
+
+'idle_time' can be negative if it's obtained from get_cpu_idle_time_jiffy()
+when NOHZ is off. This was found and explained in commit 9485e4ca0b48
+("cpufreq: governor: Fix handling of special cases in dbs_update()").
+
+However, commit 7592019634f8 ("cpufreq: governors: Fix long idle detection
+logic in load calculation") introduced a comparison between 'idle_time' and
+'samling_rate' to detect a long idle interval. While 'idle_time' is
+converted to int before comparison, it's actually promoted to unsigned
+again when compared with an unsigned 'sampling_rate'. Hence, this leads to
+wrong idle interval detection when it's in fact 100% busy and sets
+policy_dbs->idle_periods to a very large value. 'conservative' adjusts the
+frequency to minimum because of the large 'idle_periods', such that the
+frequency can't raise up. 'Ondemand' doesn't use policy_dbs->idle_periods
+so it fortunately avoids the issue.
+
+Correct negative 'idle_time' to 0 before any use of it in dbs_update().
+
+Fixes: 7592019634f8 ("cpufreq: governors: Fix long idle detection logic in load calculation")
+Signed-off-by: Jie Zhan <zhanjie9@hisilicon.com>
+Reviewed-by: Chen Yu <yu.c.chen@intel.com>
+Link: https://patch.msgid.link/20250213035510.2402076-1-zhanjie9@hisilicon.com
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/cpufreq_governor.c | 45 +++++++++++++++---------------
+ 1 file changed, 23 insertions(+), 22 deletions(-)
+
+diff --git a/drivers/cpufreq/cpufreq_governor.c b/drivers/cpufreq/cpufreq_governor.c
+index 85da677c43d6b..c8bca3e77bcea 100644
+--- a/drivers/cpufreq/cpufreq_governor.c
++++ b/drivers/cpufreq/cpufreq_governor.c
+@@ -145,7 +145,23 @@ unsigned int dbs_update(struct cpufreq_policy *policy)
+ time_elapsed = update_time - j_cdbs->prev_update_time;
+ j_cdbs->prev_update_time = update_time;
+
+- idle_time = cur_idle_time - j_cdbs->prev_cpu_idle;
++ /*
++ * cur_idle_time could be smaller than j_cdbs->prev_cpu_idle if
++ * it's obtained from get_cpu_idle_time_jiffy() when NOHZ is
++ * off, where idle_time is calculated by the difference between
++ * time elapsed in jiffies and "busy time" obtained from CPU
++ * statistics. If a CPU is 100% busy, the time elapsed and busy
++ * time should grow with the same amount in two consecutive
++ * samples, but in practice there could be a tiny difference,
++ * making the accumulated idle time decrease sometimes. Hence,
++ * in this case, idle_time should be regarded as 0 in order to
++ * make the further process correct.
++ */
++ if (cur_idle_time > j_cdbs->prev_cpu_idle)
++ idle_time = cur_idle_time - j_cdbs->prev_cpu_idle;
++ else
++ idle_time = 0;
++
+ j_cdbs->prev_cpu_idle = cur_idle_time;
+
+ if (ignore_nice) {
+@@ -162,7 +178,7 @@ unsigned int dbs_update(struct cpufreq_policy *policy)
+ * calls, so the previous load value can be used then.
+ */
+ load = j_cdbs->prev_load;
+- } else if (unlikely((int)idle_time > 2 * sampling_rate &&
++ } else if (unlikely(idle_time > 2 * sampling_rate &&
+ j_cdbs->prev_load)) {
+ /*
+ * If the CPU had gone completely idle and a task has
+@@ -189,30 +205,15 @@ unsigned int dbs_update(struct cpufreq_policy *policy)
+ load = j_cdbs->prev_load;
+ j_cdbs->prev_load = 0;
+ } else {
+- if (time_elapsed >= idle_time) {
++ if (time_elapsed > idle_time)
+ load = 100 * (time_elapsed - idle_time) / time_elapsed;
+- } else {
+- /*
+- * That can happen if idle_time is returned by
+- * get_cpu_idle_time_jiffy(). In that case
+- * idle_time is roughly equal to the difference
+- * between time_elapsed and "busy time" obtained
+- * from CPU statistics. Then, the "busy time"
+- * can end up being greater than time_elapsed
+- * (for example, if jiffies_64 and the CPU
+- * statistics are updated by different CPUs),
+- * so idle_time may in fact be negative. That
+- * means, though, that the CPU was busy all
+- * the time (on the rough average) during the
+- * last sampling interval and 100 can be
+- * returned as the load.
+- */
+- load = (int)idle_time < 0 ? 100 : 0;
+- }
++ else
++ load = 0;
++
+ j_cdbs->prev_load = load;
+ }
+
+- if (unlikely((int)idle_time > 2 * sampling_rate)) {
++ if (unlikely(idle_time > 2 * sampling_rate)) {
+ unsigned int periods = idle_time / sampling_rate;
+
+ if (periods < idle_periods)
+--
+2.39.5
+
--- /dev/null
+From 90fad7a0fe4dca02bcfa73fa65ac481ef7c5afe1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 Jan 2025 08:49:49 +0000
+Subject: cpufreq: scpi: compare kHz instead of Hz
+
+From: zuoqian <zuoqian113@gmail.com>
+
+[ Upstream commit 4742da9774a416908ef8e3916164192c15c0e2d1 ]
+
+The CPU rate from clk_get_rate() may not be divisible by 1000
+(e.g., 133333333). But the rate calculated from frequency(kHz) is
+always divisible by 1000 (e.g., 133333000).
+Comparing the rate causes a warning during CPU scaling:
+"cpufreq: __target_index: Failed to change cpu frequency: -5".
+When we choose to compare kHz here, the issue does not occur.
+
+Fixes: 343a8d17fa8d ("cpufreq: scpi: remove arm_big_little dependency")
+Signed-off-by: zuoqian <zuoqian113@gmail.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/scpi-cpufreq.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/cpufreq/scpi-cpufreq.c b/drivers/cpufreq/scpi-cpufreq.c
+index ac719aca49b75..433deec4b61f8 100644
+--- a/drivers/cpufreq/scpi-cpufreq.c
++++ b/drivers/cpufreq/scpi-cpufreq.c
+@@ -39,8 +39,9 @@ static unsigned int scpi_cpufreq_get_rate(unsigned int cpu)
+ static int
+ scpi_cpufreq_set_target(struct cpufreq_policy *policy, unsigned int index)
+ {
+- u64 rate = policy->freq_table[index].frequency * 1000;
++ unsigned long freq_khz = policy->freq_table[index].frequency;
+ struct scpi_data *priv = policy->driver_data;
++ unsigned long rate = freq_khz * 1000;
+ int ret;
+
+ ret = clk_set_rate(priv->clk, rate);
+@@ -48,7 +49,7 @@ scpi_cpufreq_set_target(struct cpufreq_policy *policy, unsigned int index)
+ if (ret)
+ return ret;
+
+- if (clk_get_rate(priv->clk) != rate)
++ if (clk_get_rate(priv->clk) / 1000 != freq_khz)
+ return -EIO;
+
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From 13432397c747b866488fd7b65b5afc7c9fbe6810 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Feb 2025 11:56:26 +0800
+Subject: crypto: hisilicon/sec2 - fix for aead auth key length
+
+From: Wenkai Lin <linwenkai6@hisilicon.com>
+
+[ Upstream commit 1b284ffc30b02808a0de698667cbcf5ce5f9144e ]
+
+According to the HMAC RFC, the authentication key
+can be 0 bytes, and the hardware can handle this
+scenario. Therefore, remove the incorrect validation
+for this case.
+
+Fixes: 2f072d75d1ab ("crypto: hisilicon - Add aead support on SEC2")
+Signed-off-by: Wenkai Lin <linwenkai6@hisilicon.com>
+Signed-off-by: Chenghai Huang <huangchenghai2@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/hisilicon/sec2/sec_crypto.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/crypto/hisilicon/sec2/sec_crypto.c b/drivers/crypto/hisilicon/sec2/sec_crypto.c
+index 3de8715aad39d..292ab0ff2b07c 100644
+--- a/drivers/crypto/hisilicon/sec2/sec_crypto.c
++++ b/drivers/crypto/hisilicon/sec2/sec_crypto.c
+@@ -1094,11 +1094,6 @@ static int sec_aead_auth_set_key(struct sec_auth_ctx *ctx,
+ struct crypto_shash *hash_tfm = ctx->hash_tfm;
+ int blocksize, digestsize, ret;
+
+- if (!keys->authkeylen) {
+- pr_err("hisi_sec2: aead auth key error!\n");
+- return -EINVAL;
+- }
+-
+ blocksize = crypto_shash_blocksize(hash_tfm);
+ digestsize = crypto_shash_digestsize(hash_tfm);
+ if (keys->authkeylen > blocksize) {
+@@ -1110,7 +1105,8 @@ static int sec_aead_auth_set_key(struct sec_auth_ctx *ctx,
+ }
+ ctx->a_key_len = digestsize;
+ } else {
+- memcpy(ctx->a_key, keys->authkey, keys->authkeylen);
++ if (keys->authkeylen)
++ memcpy(ctx->a_key, keys->authkey, keys->authkeylen);
+ ctx->a_key_len = keys->authkeylen;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 3138617d1dbdaaf9e276108ace44c3c3ebf0ffea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Feb 2025 11:56:27 +0800
+Subject: crypto: hisilicon/sec2 - fix for aead authsize alignment
+
+From: Wenkai Lin <linwenkai6@hisilicon.com>
+
+[ Upstream commit a49cc71e219040d771a8c1254879984f98192811 ]
+
+The hardware only supports authentication sizes
+that are 4-byte aligned. Therefore, the driver
+switches to software computation in this case.
+
+Fixes: 2f072d75d1ab ("crypto: hisilicon - Add aead support on SEC2")
+Signed-off-by: Wenkai Lin <linwenkai6@hisilicon.com>
+Signed-off-by: Chenghai Huang <huangchenghai2@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/hisilicon/sec2/sec_crypto.c | 22 +++++++++-------------
+ 1 file changed, 9 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/crypto/hisilicon/sec2/sec_crypto.c b/drivers/crypto/hisilicon/sec2/sec_crypto.c
+index 55b95968ecb70..3de8715aad39d 100644
+--- a/drivers/crypto/hisilicon/sec2/sec_crypto.c
++++ b/drivers/crypto/hisilicon/sec2/sec_crypto.c
+@@ -57,7 +57,6 @@
+ #define SEC_TYPE_MASK 0x0F
+ #define SEC_DONE_MASK 0x0001
+ #define SEC_ICV_MASK 0x000E
+-#define SEC_SQE_LEN_RATE_MASK 0x3
+
+ #define SEC_TOTAL_IV_SZ(depth) (SEC_IV_SIZE * (depth))
+ #define SEC_SGL_SGE_NR 128
+@@ -80,16 +79,16 @@
+ #define SEC_TOTAL_PBUF_SZ(depth) (PAGE_SIZE * SEC_PBUF_PAGE_NUM(depth) + \
+ SEC_PBUF_LEFT_SZ(depth))
+
+-#define SEC_SQE_LEN_RATE 4
+ #define SEC_SQE_CFLAG 2
+ #define SEC_SQE_AEAD_FLAG 3
+ #define SEC_SQE_DONE 0x1
+ #define SEC_ICV_ERR 0x2
+-#define MIN_MAC_LEN 4
+ #define MAC_LEN_MASK 0x1U
+ #define MAX_INPUT_DATA_LEN 0xFFFE00
+ #define BITS_MASK 0xFF
++#define WORD_MASK 0x3
+ #define BYTE_BITS 0x8
++#define BYTES_TO_WORDS(bcount) ((bcount) >> 2)
+ #define SEC_XTS_NAME_SZ 0x3
+ #define IV_CM_CAL_NUM 2
+ #define IV_CL_MASK 0x7
+@@ -1180,7 +1179,7 @@ static int sec_aead_setkey(struct crypto_aead *tfm, const u8 *key,
+ goto bad_key;
+ }
+
+- if (ctx->a_ctx.a_key_len & SEC_SQE_LEN_RATE_MASK) {
++ if (ctx->a_ctx.a_key_len & WORD_MASK) {
+ ret = -EINVAL;
+ dev_err(dev, "AUTH key length error!\n");
+ goto bad_key;
+@@ -1589,11 +1588,10 @@ static void sec_auth_bd_fill_ex(struct sec_auth_ctx *ctx, int dir,
+
+ sec_sqe->type2.a_key_addr = cpu_to_le64(ctx->a_key_dma);
+
+- sec_sqe->type2.mac_key_alg = cpu_to_le32(authsize / SEC_SQE_LEN_RATE);
++ sec_sqe->type2.mac_key_alg = cpu_to_le32(BYTES_TO_WORDS(authsize));
+
+ sec_sqe->type2.mac_key_alg |=
+- cpu_to_le32((u32)((ctx->a_key_len) /
+- SEC_SQE_LEN_RATE) << SEC_AKEY_OFFSET);
++ cpu_to_le32((u32)BYTES_TO_WORDS(ctx->a_key_len) << SEC_AKEY_OFFSET);
+
+ sec_sqe->type2.mac_key_alg |=
+ cpu_to_le32((u32)(ctx->a_alg) << SEC_AEAD_ALG_OFFSET);
+@@ -1645,12 +1643,10 @@ static void sec_auth_bd_fill_ex_v3(struct sec_auth_ctx *ctx, int dir,
+ sqe3->a_key_addr = cpu_to_le64(ctx->a_key_dma);
+
+ sqe3->auth_mac_key |=
+- cpu_to_le32((u32)(authsize /
+- SEC_SQE_LEN_RATE) << SEC_MAC_OFFSET_V3);
++ cpu_to_le32(BYTES_TO_WORDS(authsize) << SEC_MAC_OFFSET_V3);
+
+ sqe3->auth_mac_key |=
+- cpu_to_le32((u32)(ctx->a_key_len /
+- SEC_SQE_LEN_RATE) << SEC_AKEY_OFFSET_V3);
++ cpu_to_le32((u32)BYTES_TO_WORDS(ctx->a_key_len) << SEC_AKEY_OFFSET_V3);
+
+ sqe3->auth_mac_key |=
+ cpu_to_le32((u32)(ctx->a_alg) << SEC_AUTH_ALG_OFFSET_V3);
+@@ -2268,8 +2264,8 @@ static int sec_aead_spec_check(struct sec_ctx *ctx, struct sec_req *sreq)
+ struct device *dev = ctx->dev;
+ int ret;
+
+- /* Hardware does not handle cases where authsize is less than 4 bytes */
+- if (unlikely(sz < MIN_MAC_LEN)) {
++ /* Hardware does not handle cases where authsize is not 4 bytes aligned */
++ if (c_mode == SEC_CMODE_CBC && (sz & WORD_MASK)) {
+ sreq->aead_req.fallback = true;
+ return -EINVAL;
+ }
+--
+2.39.5
+
--- /dev/null
+From 8f8b7b998e96637ca8f95e490adc3bc15b356c4d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 15 Mar 2025 16:50:42 +0800
+Subject: crypto: nx - Fix uninitialised hv_nxc on error
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 9b00eb923f3e60ca76cbc8b31123716f3a87ac6a ]
+
+The compiler correctly warns that hv_nxc may be used uninitialised
+as that will occur when NX-GZIP is unavailable.
+
+Fix it by rearranging the code and delay setting caps_feat until
+the final query succeeds.
+
+Fixes: b4ba22114c78 ("crypto/nx: Get NX capabilities for GZIP coprocessor type")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/nx/nx-common-pseries.c | 37 ++++++++++++---------------
+ 1 file changed, 17 insertions(+), 20 deletions(-)
+
+diff --git a/drivers/crypto/nx/nx-common-pseries.c b/drivers/crypto/nx/nx-common-pseries.c
+index 3ea334b7f820c..1b0308ce7ce76 100644
+--- a/drivers/crypto/nx/nx-common-pseries.c
++++ b/drivers/crypto/nx/nx-common-pseries.c
+@@ -1142,6 +1142,7 @@ static void __init nxcop_get_capabilities(void)
+ {
+ struct hv_vas_all_caps *hv_caps;
+ struct hv_nx_cop_caps *hv_nxc;
++ u64 feat;
+ int rc;
+
+ hv_caps = kmalloc(sizeof(*hv_caps), GFP_KERNEL);
+@@ -1152,27 +1153,26 @@ static void __init nxcop_get_capabilities(void)
+ */
+ rc = h_query_vas_capabilities(H_QUERY_NX_CAPABILITIES, 0,
+ (u64)virt_to_phys(hv_caps));
++ if (!rc)
++ feat = be64_to_cpu(hv_caps->feat_type);
++ kfree(hv_caps);
+ if (rc)
+- goto out;
++ return;
++ if (!(feat & VAS_NX_GZIP_FEAT_BIT))
++ return;
+
+- caps_feat = be64_to_cpu(hv_caps->feat_type);
+ /*
+ * NX-GZIP feature available
+ */
+- if (caps_feat & VAS_NX_GZIP_FEAT_BIT) {
+- hv_nxc = kmalloc(sizeof(*hv_nxc), GFP_KERNEL);
+- if (!hv_nxc)
+- goto out;
+- /*
+- * Get capabilities for NX-GZIP feature
+- */
+- rc = h_query_vas_capabilities(H_QUERY_NX_CAPABILITIES,
+- VAS_NX_GZIP_FEAT,
+- (u64)virt_to_phys(hv_nxc));
+- } else {
+- pr_err("NX-GZIP feature is not available\n");
+- rc = -EINVAL;
+- }
++ hv_nxc = kmalloc(sizeof(*hv_nxc), GFP_KERNEL);
++ if (!hv_nxc)
++ return;
++ /*
++ * Get capabilities for NX-GZIP feature
++ */
++ rc = h_query_vas_capabilities(H_QUERY_NX_CAPABILITIES,
++ VAS_NX_GZIP_FEAT,
++ (u64)virt_to_phys(hv_nxc));
+
+ if (!rc) {
+ nx_cop_caps.descriptor = be64_to_cpu(hv_nxc->descriptor);
+@@ -1182,13 +1182,10 @@ static void __init nxcop_get_capabilities(void)
+ be64_to_cpu(hv_nxc->min_compress_len);
+ nx_cop_caps.min_decompress_len =
+ be64_to_cpu(hv_nxc->min_decompress_len);
+- } else {
+- caps_feat = 0;
++ caps_feat = feat;
+ }
+
+ kfree(hv_nxc);
+-out:
+- kfree(hv_caps);
+ }
+
+ static const struct vio_device_id nx842_vio_driver_ids[] = {
+--
+2.39.5
+
--- /dev/null
+From 7837f03233472ef396a6a0a72290cf68eadfdf35 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Feb 2025 10:06:38 -0300
+Subject: drm/amd/display: avoid NPD when ASIC does not support DMUB
+
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+
+[ Upstream commit 42d9d7bed270247f134190ba0cb05bbd072f58c2 ]
+
+ctx->dmub_srv will de NULL if the ASIC does not support DMUB, which is
+tested in dm_dmub_sw_init.
+
+However, it will be dereferenced in dmub_hw_lock_mgr_cmd if
+should_use_dmub_lock returns true.
+
+This has been the case since dmub support has been added for PSR1.
+
+Fix this by checking for dmub_srv in should_use_dmub_lock.
+
+[ 37.440832] BUG: kernel NULL pointer dereference, address: 0000000000000058
+[ 37.447808] #PF: supervisor read access in kernel mode
+[ 37.452959] #PF: error_code(0x0000) - not-present page
+[ 37.458112] PGD 0 P4D 0
+[ 37.460662] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
+[ 37.465553] CPU: 2 UID: 1000 PID: 1745 Comm: DrmThread Not tainted 6.14.0-rc1-00003-gd62e938120f0 #23 99720e1cb1e0fc4773b8513150932a07de3c6e88
+[ 37.478324] Hardware name: Google Morphius/Morphius, BIOS Google_Morphius.13434.858.0 10/26/2023
+[ 37.487103] RIP: 0010:dmub_hw_lock_mgr_cmd+0x77/0xb0
+[ 37.492074] Code: 44 24 0e 00 00 00 00 48 c7 04 24 45 00 00 0c 40 88 74 24 0d 0f b6 02 88 44 24 0c 8b 01 89 44 24 08 85 f6 75 05 c6 44 24 0e 01 <48> 8b 7f 58 48 89 e6 ba 01 00 00 00 e8 08 3c 2a 00 65 48 8b 04 5
+[ 37.510822] RSP: 0018:ffff969442853300 EFLAGS: 00010202
+[ 37.516052] RAX: 0000000000000000 RBX: ffff92db03000000 RCX: ffff969442853358
+[ 37.523185] RDX: ffff969442853368 RSI: 0000000000000001 RDI: 0000000000000000
+[ 37.530322] RBP: 0000000000000001 R08: 00000000000004a7 R09: 00000000000004a5
+[ 37.537453] R10: 0000000000000476 R11: 0000000000000062 R12: ffff92db0ade8000
+[ 37.544589] R13: ffff92da01180ae0 R14: ffff92da011802a8 R15: ffff92db03000000
+[ 37.551725] FS: 0000784a9cdfc6c0(0000) GS:ffff92db2af00000(0000) knlGS:0000000000000000
+[ 37.559814] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 37.565562] CR2: 0000000000000058 CR3: 0000000112b1c000 CR4: 00000000003506f0
+[ 37.572697] Call Trace:
+[ 37.575152] <TASK>
+[ 37.577258] ? __die_body+0x66/0xb0
+[ 37.580756] ? page_fault_oops+0x3e7/0x4a0
+[ 37.584861] ? exc_page_fault+0x3e/0xe0
+[ 37.588706] ? exc_page_fault+0x5c/0xe0
+[ 37.592550] ? asm_exc_page_fault+0x22/0x30
+[ 37.596742] ? dmub_hw_lock_mgr_cmd+0x77/0xb0
+[ 37.601107] dcn10_cursor_lock+0x1e1/0x240
+[ 37.605211] program_cursor_attributes+0x81/0x190
+[ 37.609923] commit_planes_for_stream+0x998/0x1ef0
+[ 37.614722] update_planes_and_stream_v2+0x41e/0x5c0
+[ 37.619703] dc_update_planes_and_stream+0x78/0x140
+[ 37.624588] amdgpu_dm_atomic_commit_tail+0x4362/0x49f0
+[ 37.629832] ? srso_return_thunk+0x5/0x5f
+[ 37.633847] ? mark_held_locks+0x6d/0xd0
+[ 37.637774] ? _raw_spin_unlock_irq+0x24/0x50
+[ 37.642135] ? srso_return_thunk+0x5/0x5f
+[ 37.646148] ? lockdep_hardirqs_on+0x95/0x150
+[ 37.650510] ? srso_return_thunk+0x5/0x5f
+[ 37.654522] ? _raw_spin_unlock_irq+0x2f/0x50
+[ 37.658883] ? srso_return_thunk+0x5/0x5f
+[ 37.662897] ? wait_for_common+0x186/0x1c0
+[ 37.666998] ? srso_return_thunk+0x5/0x5f
+[ 37.671009] ? drm_crtc_next_vblank_start+0xc3/0x170
+[ 37.675983] commit_tail+0xf5/0x1c0
+[ 37.679478] drm_atomic_helper_commit+0x2a2/0x2b0
+[ 37.684186] drm_atomic_commit+0xd6/0x100
+[ 37.688199] ? __cfi___drm_printfn_info+0x10/0x10
+[ 37.692911] drm_atomic_helper_update_plane+0xe5/0x130
+[ 37.698054] drm_mode_cursor_common+0x501/0x670
+[ 37.702600] ? __cfi_drm_mode_cursor_ioctl+0x10/0x10
+[ 37.707572] drm_mode_cursor_ioctl+0x48/0x70
+[ 37.711851] drm_ioctl_kernel+0xf2/0x150
+[ 37.715781] drm_ioctl+0x363/0x590
+[ 37.719189] ? __cfi_drm_mode_cursor_ioctl+0x10/0x10
+[ 37.724165] amdgpu_drm_ioctl+0x41/0x80
+[ 37.728013] __se_sys_ioctl+0x7f/0xd0
+[ 37.731685] do_syscall_64+0x87/0x100
+[ 37.735355] ? vma_end_read+0x12/0xe0
+[ 37.739024] ? srso_return_thunk+0x5/0x5f
+[ 37.743041] ? find_held_lock+0x47/0xf0
+[ 37.746884] ? vma_end_read+0x12/0xe0
+[ 37.750552] ? srso_return_thunk+0x5/0x5f
+[ 37.754565] ? lock_release+0x1c4/0x2e0
+[ 37.758406] ? vma_end_read+0x12/0xe0
+[ 37.762079] ? exc_page_fault+0x84/0xe0
+[ 37.765921] ? srso_return_thunk+0x5/0x5f
+[ 37.769938] ? lockdep_hardirqs_on+0x95/0x150
+[ 37.774303] ? srso_return_thunk+0x5/0x5f
+[ 37.778317] ? exc_page_fault+0x84/0xe0
+[ 37.782163] entry_SYSCALL_64_after_hwframe+0x55/0x5d
+[ 37.787218] RIP: 0033:0x784aa5ec3059
+[ 37.790803] Code: 04 25 28 00 00 00 48 89 45 c8 31 c0 48 8d 45 10 c7 45 b0 10 00 00 00 48 89 45 b8 48 8d 45 d0 48 89 45 c0 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 77 1d 48 8b 45 c8 64 48 2b 04 25 28 00 0
+[ 37.809553] RSP: 002b:0000784a9cdf90e0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+[ 37.817121] RAX: ffffffffffffffda RBX: 0000784a9cdf917c RCX: 0000784aa5ec3059
+[ 37.824256] RDX: 0000784a9cdf917c RSI: 00000000c01c64a3 RDI: 0000000000000020
+[ 37.831391] RBP: 0000784a9cdf9130 R08: 0000000000000100 R09: 0000000000ff0000
+[ 37.838525] R10: 0000000000000000 R11: 0000000000000246 R12: 0000025c01606ed0
+[ 37.845657] R13: 0000025c00030200 R14: 00000000c01c64a3 R15: 0000000000000020
+[ 37.852799] </TASK>
+[ 37.854992] Modules linked in:
+[ 37.864546] gsmi: Log Shutdown Reason 0x03
+[ 37.868656] CR2: 0000000000000058
+[ 37.871979] ---[ end trace 0000000000000000 ]---
+[ 37.880976] RIP: 0010:dmub_hw_lock_mgr_cmd+0x77/0xb0
+[ 37.885954] Code: 44 24 0e 00 00 00 00 48 c7 04 24 45 00 00 0c 40 88 74 24 0d 0f b6 02 88 44 24 0c 8b 01 89 44 24 08 85 f6 75 05 c6 44 24 0e 01 <48> 8b 7f 58 48 89 e6 ba 01 00 00 00 e8 08 3c 2a 00 65 48 8b 04 5
+[ 37.904703] RSP: 0018:ffff969442853300 EFLAGS: 00010202
+[ 37.909933] RAX: 0000000000000000 RBX: ffff92db03000000 RCX: ffff969442853358
+[ 37.917068] RDX: ffff969442853368 RSI: 0000000000000001 RDI: 0000000000000000
+[ 37.924201] RBP: 0000000000000001 R08: 00000000000004a7 R09: 00000000000004a5
+[ 37.931336] R10: 0000000000000476 R11: 0000000000000062 R12: ffff92db0ade8000
+[ 37.938469] R13: ffff92da01180ae0 R14: ffff92da011802a8 R15: ffff92db03000000
+[ 37.945602] FS: 0000784a9cdfc6c0(0000) GS:ffff92db2af00000(0000) knlGS:0000000000000000
+[ 37.953689] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 37.959435] CR2: 0000000000000058 CR3: 0000000112b1c000 CR4: 00000000003506f0
+[ 37.966570] Kernel panic - not syncing: Fatal exception
+[ 37.971901] Kernel Offset: 0x30200000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
+[ 37.982840] gsmi: Log Shutdown Reason 0x02
+
+Fixes: b5c764d6ed55 ("drm/amd/display: Use HW lock mgr for PSR1")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Cc: Sun peng Li <sunpeng.li@amd.com>
+Cc: Tom Chung <chiahsuan.chung@amd.com>
+Cc: Daniel Wheeler <daniel.wheeler@amd.com>
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Reviewed-by: Rodrigo Siqueira <siqueira@igalia.com>
+Reviewed-by: Leo Li <sunpeng.li@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c b/drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c
+index 13995b6fb865b..b4f9553f7c8b2 100644
+--- a/drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c
++++ b/drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c
+@@ -65,6 +65,10 @@ void dmub_hw_lock_mgr_inbox0_cmd(struct dc_dmub_srv *dmub_srv,
+
+ bool should_use_dmub_lock(struct dc_link *link)
+ {
++ /* ASIC doesn't support DMUB */
++ if (!link->ctx->dmub_srv)
++ return false;
++
+ if (link->psr_settings.psr_version == DC_PSR_VERSION_SU_1)
+ return true;
+
+--
+2.39.5
+
--- /dev/null
+From b7211230776b23046a092fa30de4c1079040b0e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Feb 2025 01:28:51 +0500
+Subject: drm/amd/display: fix type mismatch in
+ CalculateDynamicMetadataParameters()
+
+From: Vitaliy Shevtsov <v.shevtsov@mt-integration.ru>
+
+[ Upstream commit c3c584c18c90a024a54716229809ba36424f9660 ]
+
+There is a type mismatch between what CalculateDynamicMetadataParameters()
+takes and what is passed to it. Currently this function accepts several
+args as signed long but it's called with unsigned integers and integer. On
+some systems where long is 32 bits and one of these unsigned int params is
+greater than INT_MAX it may cause passing input params as negative values.
+
+Fix this by changing these argument types from long to unsigned int and to
+int respectively. Also this will align the function's definition with
+similar functions in other dcn* drivers.
+
+Found by Linux Verification Center (linuxtesting.org) with Svace.
+
+Fixes: 6725a88f88a7 ("drm/amd/display: Add DCN3 DML")
+Signed-off-by: Vitaliy Shevtsov <v.shevtsov@mt-integration.ru>
+Reviewed-by: Alex Hung <alex.hung@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../amd/display/dc/dml/dcn30/display_mode_vba_30.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c b/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c
+index 861f32b3248e7..69521368ddb61 100644
+--- a/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c
++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_mode_vba_30.c
+@@ -283,10 +283,10 @@ static void CalculateDynamicMetadataParameters(
+ double DISPCLK,
+ double DCFClkDeepSleep,
+ double PixelClock,
+- long HTotal,
+- long VBlank,
+- long DynamicMetadataTransmittedBytes,
+- long DynamicMetadataLinesBeforeActiveRequired,
++ unsigned int HTotal,
++ unsigned int VBlank,
++ unsigned int DynamicMetadataTransmittedBytes,
++ int DynamicMetadataLinesBeforeActiveRequired,
+ int InterlaceEnable,
+ bool ProgressiveToInterlaceUnitInOPP,
+ double *Tsetup,
+@@ -3280,8 +3280,8 @@ static double CalculateWriteBackDelay(
+
+
+ static void CalculateDynamicMetadataParameters(int MaxInterDCNTileRepeaters, double DPPCLK, double DISPCLK,
+- double DCFClkDeepSleep, double PixelClock, long HTotal, long VBlank, long DynamicMetadataTransmittedBytes,
+- long DynamicMetadataLinesBeforeActiveRequired, int InterlaceEnable, bool ProgressiveToInterlaceUnitInOPP,
++ double DCFClkDeepSleep, double PixelClock, unsigned int HTotal, unsigned int VBlank, unsigned int DynamicMetadataTransmittedBytes,
++ int DynamicMetadataLinesBeforeActiveRequired, int InterlaceEnable, bool ProgressiveToInterlaceUnitInOPP,
+ double *Tsetup, double *Tdmbf, double *Tdmec, double *Tdmsks)
+ {
+ double TotalRepeaterDelayTime = 0;
+--
+2.39.5
+
--- /dev/null
+From 2db748768325af516a66ff0ff6c8d0aab118af3c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Mar 2025 12:51:24 -0600
+Subject: drm/amd: Keep display off while going into S4
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit 4afacc9948e1f8fdbca401d259ae65ad93d298c0 ]
+
+When userspace invokes S4 the flow is:
+
+1) amdgpu_pmops_prepare()
+2) amdgpu_pmops_freeze()
+3) Create hibernation image
+4) amdgpu_pmops_thaw()
+5) Write out image to disk
+6) Turn off system
+
+Then on resume amdgpu_pmops_restore() is called.
+
+This flow has a problem that because amdgpu_pmops_thaw() is called
+it will call amdgpu_device_resume() which will resume all of the GPU.
+
+This includes turning the display hardware back on and discovering
+connectors again.
+
+This is an unexpected experience for the display to turn back on.
+Adjust the flow so that during the S4 sequence display hardware is
+not turned back on.
+
+Reported-by: Xaver Hugl <xaver.hugl@gmail.com>
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/2038
+Cc: Muhammad Usama Anjum <usama.anjum@collabora.com>
+Tested-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Acked-by: Harry Wentland <harry.wentland@amd.com>
+Link: https://lore.kernel.org/r/20250306185124.44780-1-mario.limonciello@amd.com
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 68bfdc8dc0a1a7fdd9ab61e69907ae71a6fd3d91)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 11 +++++++++--
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 5 +++++
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+index 238c15c0c7e1e..48076cf8ba803 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+@@ -2466,7 +2466,6 @@ static int amdgpu_pmops_freeze(struct device *dev)
+
+ adev->in_s4 = true;
+ r = amdgpu_device_suspend(drm_dev, true);
+- adev->in_s4 = false;
+ if (r)
+ return r;
+
+@@ -2478,8 +2477,13 @@ static int amdgpu_pmops_freeze(struct device *dev)
+ static int amdgpu_pmops_thaw(struct device *dev)
+ {
+ struct drm_device *drm_dev = dev_get_drvdata(dev);
++ struct amdgpu_device *adev = drm_to_adev(drm_dev);
++ int r;
+
+- return amdgpu_device_resume(drm_dev, true);
++ r = amdgpu_device_resume(drm_dev, true);
++ adev->in_s4 = false;
++
++ return r;
+ }
+
+ static int amdgpu_pmops_poweroff(struct device *dev)
+@@ -2492,6 +2496,9 @@ static int amdgpu_pmops_poweroff(struct device *dev)
+ static int amdgpu_pmops_restore(struct device *dev)
+ {
+ struct drm_device *drm_dev = dev_get_drvdata(dev);
++ struct amdgpu_device *adev = drm_to_adev(drm_dev);
++
++ adev->in_s4 = false;
+
+ return amdgpu_device_resume(drm_dev, true);
+ }
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+index 9b3f5f76d52d9..5a837e3df7f38 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -2897,6 +2897,11 @@ static int dm_resume(void *handle)
+
+ return 0;
+ }
++
++ /* leave display off for S4 sequence */
++ if (adev->in_s4)
++ return 0;
++
+ /* Recreate dc_state - DC invalidates it when setting power state to S3. */
+ dc_release_state(dm_state->context);
+ dm_state->context = dc_create_state(dm->dc);
+--
+2.39.5
+
--- /dev/null
+From 0b025aab63e002c21ea98425ec2b1c1d2f523861 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Jan 2025 15:01:51 +0800
+Subject: drm/bridge: it6505: fix HDCP V match check is not performed correctly
+
+From: Hermes Wu <Hermes.wu@ite.com.tw>
+
+[ Upstream commit a5072fc77fb9e38fa9fd883642c83c3720049159 ]
+
+Fix a typo where V compare incorrectly compares av[] with av[] itself,
+which can result in HDCP failure.
+
+The loop of V compare is expected to iterate for 5 times
+which compare V array form av[0][] to av[4][].
+It should check loop counter reach the last statement "i == 5"
+before return true
+
+Fixes: 0989c02c7a5c ("drm/bridge: it6505: fix HDCP CTS compare V matching")
+Signed-off-by: Hermes Wu <Hermes.wu@ite.com.tw>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Robert Foss <rfoss@kernel.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20250121-fix-hdcp-v-comp-v4-1-185f45c728dc@ite.com.tw
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/ite-it6505.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/bridge/ite-it6505.c b/drivers/gpu/drm/bridge/ite-it6505.c
+index 7c3bd539655b8..cc2bf9c143733 100644
+--- a/drivers/gpu/drm/bridge/ite-it6505.c
++++ b/drivers/gpu/drm/bridge/ite-it6505.c
+@@ -2030,12 +2030,13 @@ static bool it6505_hdcp_part2_ksvlist_check(struct it6505 *it6505)
+ continue;
+ }
+
+- for (i = 0; i < 5; i++) {
++ for (i = 0; i < 5; i++)
+ if (bv[i][3] != av[i][0] || bv[i][2] != av[i][1] ||
+- av[i][1] != av[i][2] || bv[i][0] != av[i][3])
++ bv[i][1] != av[i][2] || bv[i][0] != av[i][3])
+ break;
+
+- DRM_DEV_DEBUG_DRIVER(dev, "V' all match!! %d, %d", retry, i);
++ if (i == 5) {
++ DRM_DEV_DEBUG_DRIVER(dev, "V' all match!! %d", retry);
+ return true;
+ }
+ }
+--
+2.39.5
+
--- /dev/null
+From 8a16fbd4738d9c9cc856ddf0ef9f7551691387e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2024 15:18:46 +0100
+Subject: drm/bridge: ti-sn65dsi86: Fix multiple instances
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+[ Upstream commit 574f5ee2c85a00a579549d50e9fc9c6c072ee4c4 ]
+
+Each bridge instance creates up to four auxiliary devices with different
+names. However, their IDs are always zero, causing duplicate filename
+errors when a system has multiple bridges:
+
+ sysfs: cannot create duplicate filename '/bus/auxiliary/devices/ti_sn65dsi86.gpio.0'
+
+Fix this by using a unique instance ID per bridge instance. The
+instance ID is derived from the I2C adapter number and the bridge's I2C
+address, to support multiple instances on the same bus.
+
+Fixes: bf73537f411b ("drm/bridge: ti-sn65dsi86: Break GPIO and MIPI-to-eDP bridge into sub-drivers")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/7a68a0e3f927e26edca6040067fb653eb06efb79.1733840089.git.geert+renesas@glider.be
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/ti-sn65dsi86.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/bridge/ti-sn65dsi86.c b/drivers/gpu/drm/bridge/ti-sn65dsi86.c
+index ff4d0564122a3..3c8e33f416e70 100644
+--- a/drivers/gpu/drm/bridge/ti-sn65dsi86.c
++++ b/drivers/gpu/drm/bridge/ti-sn65dsi86.c
+@@ -480,6 +480,7 @@ static int ti_sn65dsi86_add_aux_device(struct ti_sn65dsi86 *pdata,
+ const char *name)
+ {
+ struct device *dev = pdata->dev;
++ const struct i2c_client *client = to_i2c_client(dev);
+ struct auxiliary_device *aux;
+ int ret;
+
+@@ -488,6 +489,7 @@ static int ti_sn65dsi86_add_aux_device(struct ti_sn65dsi86 *pdata,
+ return -ENOMEM;
+
+ aux->name = name;
++ aux->id = (client->adapter->nr << 10) | client->addr;
+ aux->dev.parent = dev;
+ aux->dev.release = ti_sn65dsi86_aux_device_release;
+ device_set_of_node_from_dev(&aux->dev, dev);
+--
+2.39.5
+
--- /dev/null
+From 34811bda6ff4c8b78ad3b9b8ca90fd79da7fb206 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Jan 2025 17:10:59 +0800
+Subject: drm/dp_mst: Fix drm RAD print
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wayne Lin <Wayne.Lin@amd.com>
+
+[ Upstream commit 6bbce873a9c97cb12f5455c497be279ac58e707f ]
+
+[Why]
+The RAD of sideband message printed today is incorrect.
+For RAD stored within MST branch
+- If MST branch LCT is 1, it's RAD array is untouched and remained as 0.
+- If MST branch LCT is larger than 1, use nibble to store the up facing
+ port number in cascaded sequence as illustrated below:
+
+ u8 RAD[0] = (LCT_2_UFP << 4) | LCT_3_UFP
+ RAD[1] = (LCT_4_UFP << 4) | LCT_5_UFP
+ ...
+
+In drm_dp_mst_rad_to_str(), it wrongly to use BIT_MASK(4) to fetch the port
+number of one nibble.
+
+[How]
+Adjust the code by:
+- RAD array items are valuable only for LCT >= 1.
+- Use 0xF as the mask to replace BIT_MASK(4)
+
+V2:
+- Document how RAD is constructed (Imre)
+
+V3:
+- Adjust the comment for rad[] so kdoc formats it properly (Lyude)
+
+Fixes: 2f015ec6eab6 ("drm/dp_mst: Add sideband down request tracing + selftests")
+Cc: Imre Deak <imre.deak@intel.com>
+Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Cc: Harry Wentland <hwentlan@amd.com>
+Cc: Lyude Paul <lyude@redhat.com>
+Reviewed-by: Lyude Paul <lyude@redhat.com>
+Signed-off-by: Wayne Lin <Wayne.Lin@amd.com>
+Signed-off-by: Lyude Paul <lyude@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20250113091100.3314533-2-Wayne.Lin@amd.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/display/drm_dp_mst_topology.c | 8 ++++----
+ include/drm/display/drm_dp_mst_helper.h | 7 +++++++
+ 2 files changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/display/drm_dp_mst_topology.c b/drivers/gpu/drm/display/drm_dp_mst_topology.c
+index 6f41c752844b0..a4d84a2c8b4ec 100644
+--- a/drivers/gpu/drm/display/drm_dp_mst_topology.c
++++ b/drivers/gpu/drm/display/drm_dp_mst_topology.c
+@@ -178,13 +178,13 @@ static int
+ drm_dp_mst_rad_to_str(const u8 rad[8], u8 lct, char *out, size_t len)
+ {
+ int i;
+- u8 unpacked_rad[16];
++ u8 unpacked_rad[16] = {};
+
+- for (i = 0; i < lct; i++) {
++ for (i = 1; i < lct; i++) {
+ if (i % 2)
+- unpacked_rad[i] = rad[i / 2] >> 4;
++ unpacked_rad[i] = rad[(i - 1) / 2] >> 4;
+ else
+- unpacked_rad[i] = rad[i / 2] & BIT_MASK(4);
++ unpacked_rad[i] = rad[(i - 1) / 2] & 0xF;
+ }
+
+ /* TODO: Eventually add something to printk so we can format the rad
+diff --git a/include/drm/display/drm_dp_mst_helper.h b/include/drm/display/drm_dp_mst_helper.h
+index 68074b13837b5..642995704b69c 100644
+--- a/include/drm/display/drm_dp_mst_helper.h
++++ b/include/drm/display/drm_dp_mst_helper.h
+@@ -220,6 +220,13 @@ struct drm_dp_mst_branch {
+ */
+ struct list_head destroy_next;
+
++ /**
++ * @rad: Relative Address of the MST branch.
++ * For &drm_dp_mst_topology_mgr.mst_primary, it's rad[8] are all 0,
++ * unset and unused. For MST branches connected after mst_primary,
++ * in each element of rad[] the nibbles are ordered by the most
++ * signifcant 4 bits first and the least significant 4 bits second.
++ */
+ u8 rad[8];
+ u8 lct;
+ int num_ports;
+--
+2.39.5
+
--- /dev/null
+From 0be2c54145b6f99668e5d871d34872a8b62d1ec5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Jan 2025 12:35:57 +0300
+Subject: drm/mediatek: dsi: fix error codes in mtk_dsi_host_transfer()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit dcb166ee43c3d594e7b73a24f6e8cf5663eeff2c ]
+
+There is a type bug because the return statement:
+
+ return ret < 0 ? ret : recv_cnt;
+
+The issue is that ret is an int, recv_cnt is a u32 and the function
+returns ssize_t, which is a signed long. The way that the type promotion
+works is that the negative error codes are first cast to u32 and then
+to signed long. The error codes end up being positive instead of
+negative and the callers treat them as success.
+
+Fixes: 81cc7e51c4f1 ("drm/mediatek: Allow commands to be sent during video mode")
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/r/202412210801.iADw0oIH-lkp@intel.com/
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Reviewed-by: CK Hu <ck.hu@mediatek.com>
+Link: https://patchwork.kernel.org/project/dri-devel/patch/b754a408-4f39-4e37-b52d-7706c132e27f@stanley.mountain/
+Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mediatek/mtk_dsi.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/mediatek/mtk_dsi.c b/drivers/gpu/drm/mediatek/mtk_dsi.c
+index d871b1dba083d..0acfda47f002f 100644
+--- a/drivers/gpu/drm/mediatek/mtk_dsi.c
++++ b/drivers/gpu/drm/mediatek/mtk_dsi.c
+@@ -1015,12 +1015,12 @@ static ssize_t mtk_dsi_host_transfer(struct mipi_dsi_host *host,
+ const struct mipi_dsi_msg *msg)
+ {
+ struct mtk_dsi *dsi = host_to_dsi(host);
+- u32 recv_cnt, i;
++ ssize_t recv_cnt;
+ u8 read_data[16];
+ void *src_addr;
+ u8 irq_flag = CMD_DONE_INT_FLAG;
+ u32 dsi_mode;
+- int ret;
++ int ret, i;
+
+ dsi_mode = readl(dsi->regs + DSI_MODE_CTRL);
+ if (dsi_mode & MODE) {
+@@ -1069,7 +1069,7 @@ static ssize_t mtk_dsi_host_transfer(struct mipi_dsi_host *host,
+ if (recv_cnt)
+ memcpy(msg->rx_buf, src_addr, recv_cnt);
+
+- DRM_INFO("dsi get %d byte data from the panel address(0x%x)\n",
++ DRM_INFO("dsi get %zd byte data from the panel address(0x%x)\n",
+ recv_cnt, *((u8 *)(msg->tx_buf)));
+
+ restore_dsi_mode:
+--
+2.39.5
+
--- /dev/null
+From e6af84486845336c367407c0f77930716d975bbb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Feb 2025 16:48:12 +0100
+Subject: drm/mediatek: mtk_hdmi: Fix typo for aud_sampe_size member
+
+From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+
+[ Upstream commit 72fcb88e7bbc053ed4fc74cebb0315b98a0f20c3 ]
+
+Rename member aud_sampe_size of struct hdmi_audio_param to
+aud_sample_size to fix a typo and enhance readability.
+
+This commit brings no functional changes.
+
+Fixes: 8f83f26891e1 ("drm/mediatek: Add HDMI support")
+Reviewed-by: CK Hu <ck.hu@mediatek.com>
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://patchwork.kernel.org/project/linux-mediatek/patch/20250217154836.108895-20-angelogioacchino.delregno@collabora.com/
+Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mediatek/mtk_hdmi.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/mediatek/mtk_hdmi.c b/drivers/gpu/drm/mediatek/mtk_hdmi.c
+index 465f6fe93e998..058b4c042e499 100644
+--- a/drivers/gpu/drm/mediatek/mtk_hdmi.c
++++ b/drivers/gpu/drm/mediatek/mtk_hdmi.c
+@@ -137,7 +137,7 @@ enum hdmi_aud_channel_swap_type {
+
+ struct hdmi_audio_param {
+ enum hdmi_audio_coding_type aud_codec;
+- enum hdmi_audio_sample_size aud_sampe_size;
++ enum hdmi_audio_sample_size aud_sample_size;
+ enum hdmi_aud_input_type aud_input_type;
+ enum hdmi_aud_i2s_fmt aud_i2s_fmt;
+ enum hdmi_aud_mclk aud_mclk;
+@@ -1075,7 +1075,7 @@ static int mtk_hdmi_output_init(struct mtk_hdmi *hdmi)
+
+ hdmi->csp = HDMI_COLORSPACE_RGB;
+ aud_param->aud_codec = HDMI_AUDIO_CODING_TYPE_PCM;
+- aud_param->aud_sampe_size = HDMI_AUDIO_SAMPLE_SIZE_16;
++ aud_param->aud_sample_size = HDMI_AUDIO_SAMPLE_SIZE_16;
+ aud_param->aud_input_type = HDMI_AUD_INPUT_I2S;
+ aud_param->aud_i2s_fmt = HDMI_I2S_MODE_I2S_24BIT;
+ aud_param->aud_mclk = HDMI_AUD_MCLK_128FS;
+@@ -1576,14 +1576,14 @@ static int mtk_hdmi_audio_hw_params(struct device *dev, void *data,
+ switch (daifmt->fmt) {
+ case HDMI_I2S:
+ hdmi_params.aud_codec = HDMI_AUDIO_CODING_TYPE_PCM;
+- hdmi_params.aud_sampe_size = HDMI_AUDIO_SAMPLE_SIZE_16;
++ hdmi_params.aud_sample_size = HDMI_AUDIO_SAMPLE_SIZE_16;
+ hdmi_params.aud_input_type = HDMI_AUD_INPUT_I2S;
+ hdmi_params.aud_i2s_fmt = HDMI_I2S_MODE_I2S_24BIT;
+ hdmi_params.aud_mclk = HDMI_AUD_MCLK_128FS;
+ break;
+ case HDMI_SPDIF:
+ hdmi_params.aud_codec = HDMI_AUDIO_CODING_TYPE_PCM;
+- hdmi_params.aud_sampe_size = HDMI_AUDIO_SAMPLE_SIZE_16;
++ hdmi_params.aud_sample_size = HDMI_AUDIO_SAMPLE_SIZE_16;
+ hdmi_params.aud_input_type = HDMI_AUD_INPUT_SPDIF;
+ break;
+ default:
+--
+2.39.5
+
--- /dev/null
+From 09285a1324bcfa881658bea70f190ee20f867364 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Feb 2025 16:48:10 +0100
+Subject: drm/mediatek: mtk_hdmi: Unregister audio platform device on failure
+
+From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+
+[ Upstream commit 0be123cafc06eed0fd1227166a66e786434b0c50 ]
+
+The probe function of this driver may fail after registering the
+audio platform device: in that case, the state is not getting
+cleaned up, leaving this device registered.
+
+Adding up to the mix, should the probe function of this driver
+return a probe deferral for N times, we're registering up to N
+audio platform devices and, again, never freeing them up.
+
+To fix this, add a pointer to the audio platform device in the
+mtk_hdmi structure, and add a devm action to unregister it upon
+driver removal or probe failure.
+
+Fixes: 8f83f26891e1 ("drm/mediatek: Add HDMI support")
+Reviewed-by: CK Hu <ck.hu@mediatek.com>
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://patchwork.kernel.org/project/linux-mediatek/patch/20250217154836.108895-18-angelogioacchino.delregno@collabora.com/
+Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mediatek/mtk_hdmi.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/mediatek/mtk_hdmi.c b/drivers/gpu/drm/mediatek/mtk_hdmi.c
+index 6e8f99554f548..465f6fe93e998 100644
+--- a/drivers/gpu/drm/mediatek/mtk_hdmi.c
++++ b/drivers/gpu/drm/mediatek/mtk_hdmi.c
+@@ -173,6 +173,7 @@ struct mtk_hdmi {
+ unsigned int sys_offset;
+ void __iomem *regs;
+ enum hdmi_colorspace csp;
++ struct platform_device *audio_pdev;
+ struct hdmi_audio_param aud_param;
+ bool audio_enable;
+ bool powered;
+@@ -1666,6 +1667,11 @@ static const struct hdmi_codec_ops mtk_hdmi_audio_codec_ops = {
+ .no_capture_mute = 1,
+ };
+
++static void mtk_hdmi_unregister_audio_driver(void *data)
++{
++ platform_device_unregister(data);
++}
++
+ static int mtk_hdmi_register_audio_driver(struct device *dev)
+ {
+ struct mtk_hdmi *hdmi = dev_get_drvdata(dev);
+@@ -1675,13 +1681,20 @@ static int mtk_hdmi_register_audio_driver(struct device *dev)
+ .i2s = 1,
+ .data = hdmi,
+ };
+- struct platform_device *pdev;
++ int ret;
+
+- pdev = platform_device_register_data(dev, HDMI_CODEC_DRV_NAME,
+- PLATFORM_DEVID_AUTO, &codec_data,
+- sizeof(codec_data));
+- if (IS_ERR(pdev))
+- return PTR_ERR(pdev);
++ hdmi->audio_pdev = platform_device_register_data(dev,
++ HDMI_CODEC_DRV_NAME,
++ PLATFORM_DEVID_AUTO,
++ &codec_data,
++ sizeof(codec_data));
++ if (IS_ERR(hdmi->audio_pdev))
++ return PTR_ERR(hdmi->audio_pdev);
++
++ ret = devm_add_action_or_reset(dev, mtk_hdmi_unregister_audio_driver,
++ hdmi->audio_pdev);
++ if (ret)
++ return ret;
+
+ DRM_INFO("%s driver bound to HDMI\n", HDMI_CODEC_DRV_NAME);
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From 28d95615810a52ede9bed562f3569cbe69e0dc3d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Feb 2025 12:17:42 +0100
+Subject: drm/msm/dsi: Set PHY usescase (and mode) before registering DSI host
+
+From: Marijn Suijten <marijn.suijten@somainline.org>
+
+[ Upstream commit 660c396c98c061f9696bebacc178b74072e80054 ]
+
+Ordering issues here cause an uninitialized (default STANDALONE)
+usecase to be programmed (which appears to be a MUX) in some cases
+when msm_dsi_host_register() is called, leading to the slave PLL in
+bonded-DSI mode to source from a clock parent (dsi1vco) that is off.
+
+This should seemingly not be a problem as the actual dispcc clocks from
+DSI1 that are muxed in the clock tree of DSI0 are way further down, this
+bit still seems to have an effect on them somehow and causes the right
+side of the panel controlled by DSI1 to not function.
+
+In an ideal world this code is refactored to no longer have such
+error-prone calls "across subsystems", and instead model the "PLL src"
+register field as a regular mux so that changing the clock parents
+programmatically or in DTS via `assigned-clock-parents` has the
+desired effect.
+But for the avid reader, the clocks that we *are* muxing into DSI0's
+tree are way further down, so if this bit turns out to be a simple mux
+between dsiXvco and out_div, that shouldn't have any effect as this
+whole tree is off anyway.
+
+Fixes: 57bf43389337 ("drm/msm/dsi: Pass down use case to PHY")
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Marijn Suijten <marijn.suijten@somainline.org>
+Patchwork: https://patchwork.freedesktop.org/patch/637650/
+Link: https://lore.kernel.org/r/20250217-drm-msm-initial-dualpipe-dsc-fixes-v3-2-913100d6103f@somainline.org
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dsi/dsi_manager.c | 32 ++++++++++++++++++---------
+ 1 file changed, 21 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/dsi/dsi_manager.c b/drivers/gpu/drm/msm/dsi/dsi_manager.c
+index 3a14173972832..f9e6cbd9e2d20 100644
+--- a/drivers/gpu/drm/msm/dsi/dsi_manager.c
++++ b/drivers/gpu/drm/msm/dsi/dsi_manager.c
+@@ -100,17 +100,35 @@ static int dsi_mgr_setup_components(int id)
+ int ret;
+
+ if (!IS_BONDED_DSI()) {
++ /*
++ * Set the usecase before calling msm_dsi_host_register(), which would
++ * already program the PLL source mux based on a default usecase.
++ */
++ msm_dsi_phy_set_usecase(msm_dsi->phy, MSM_DSI_PHY_STANDALONE);
++ msm_dsi_host_set_phy_mode(msm_dsi->host, msm_dsi->phy);
++
+ ret = msm_dsi_host_register(msm_dsi->host);
+ if (ret)
+ return ret;
+-
+- msm_dsi_phy_set_usecase(msm_dsi->phy, MSM_DSI_PHY_STANDALONE);
+- msm_dsi_host_set_phy_mode(msm_dsi->host, msm_dsi->phy);
+ } else if (other_dsi) {
+ struct msm_dsi *master_link_dsi = IS_MASTER_DSI_LINK(id) ?
+ msm_dsi : other_dsi;
+ struct msm_dsi *slave_link_dsi = IS_MASTER_DSI_LINK(id) ?
+ other_dsi : msm_dsi;
++
++ /*
++ * PLL0 is to drive both DSI link clocks in bonded DSI mode.
++ *
++ * Set the usecase before calling msm_dsi_host_register(), which would
++ * already program the PLL source mux based on a default usecase.
++ */
++ msm_dsi_phy_set_usecase(clk_master_dsi->phy,
++ MSM_DSI_PHY_MASTER);
++ msm_dsi_phy_set_usecase(clk_slave_dsi->phy,
++ MSM_DSI_PHY_SLAVE);
++ msm_dsi_host_set_phy_mode(msm_dsi->host, msm_dsi->phy);
++ msm_dsi_host_set_phy_mode(other_dsi->host, other_dsi->phy);
++
+ /* Register slave host first, so that slave DSI device
+ * has a chance to probe, and do not block the master
+ * DSI device's probe.
+@@ -124,14 +142,6 @@ static int dsi_mgr_setup_components(int id)
+ ret = msm_dsi_host_register(master_link_dsi->host);
+ if (ret)
+ return ret;
+-
+- /* PLL0 is to drive both 2 DSI link clocks in bonded DSI mode. */
+- msm_dsi_phy_set_usecase(clk_master_dsi->phy,
+- MSM_DSI_PHY_MASTER);
+- msm_dsi_phy_set_usecase(clk_slave_dsi->phy,
+- MSM_DSI_PHY_SLAVE);
+- msm_dsi_host_set_phy_mode(msm_dsi->host, msm_dsi->phy);
+- msm_dsi_host_set_phy_mode(other_dsi->host, other_dsi->phy);
+ }
+
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From 9f76aa6079a3b42c8d50d386ce9bd3aac3348253 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Feb 2025 09:49:12 +0100
+Subject: drm/vkms: Fix use after free and double free on init error
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: José Expósito <jose.exposito89@gmail.com>
+
+[ Upstream commit ed15511a773df86205bda66c37193569575ae828 ]
+
+If the driver initialization fails, the vkms_exit() function might
+access an uninitialized or freed default_config pointer and it might
+double free it.
+
+Fix both possible errors by initializing default_config only when the
+driver initialization succeeded.
+
+Reported-by: Louis Chauvet <louis.chauvet@bootlin.com>
+Closes: https://lore.kernel.org/all/Z5uDHcCmAwiTsGte@louis-chauvet-laptop/
+Fixes: 2df7af93fdad ("drm/vkms: Add vkms_config type")
+Signed-off-by: José Expósito <jose.exposito89@gmail.com>
+Reviewed-by: Thomas Zimmermann <tzimmremann@suse.de>
+Reviewed-by: Louis Chauvet <louis.chauvet@bootlin.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20250212084912.3196-1-jose.exposito89@gmail.com
+Signed-off-by: Louis Chauvet <louis.chauvet@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/vkms/vkms_drv.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/vkms/vkms_drv.c b/drivers/gpu/drm/vkms/vkms_drv.c
+index f716c5796f5fc..09025ff3b1961 100644
+--- a/drivers/gpu/drm/vkms/vkms_drv.c
++++ b/drivers/gpu/drm/vkms/vkms_drv.c
+@@ -226,17 +226,19 @@ static int __init vkms_init(void)
+ if (!config)
+ return -ENOMEM;
+
+- default_config = config;
+-
+ config->cursor = enable_cursor;
+ config->writeback = enable_writeback;
+ config->overlay = enable_overlay;
+
+ ret = vkms_create(config);
+- if (ret)
++ if (ret) {
+ kfree(config);
++ return ret;
++ }
+
+- return ret;
++ default_config = config;
++
++ return 0;
+ }
+
+ static void vkms_destroy(struct vkms_config *config)
+@@ -260,9 +262,10 @@ static void vkms_destroy(struct vkms_config *config)
+
+ static void __exit vkms_exit(void)
+ {
+- if (default_config->dev)
+- vkms_destroy(default_config);
++ if (!default_config)
++ return;
+
++ vkms_destroy(default_config);
+ kfree(default_config);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 62cc45c4f9a97ae60d242be6dcdd2dbe1a255671 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Jan 2025 11:03:39 +0200
+Subject: drm: xlnx: zynqmp: Fix max dma segment size
+
+From: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+
+[ Upstream commit 28b529a98525123acd37372a04d21e87ec2edcf7 ]
+
+Fix "mapping sg segment longer than device claims to support" warning by
+setting the max segment size.
+
+Fixes: d76271d22694 ("drm: xlnx: DRM/KMS driver for Xilinx ZynqMP DisplayPort Subsystem")
+Reviewed-by: Sean Anderson <sean.anderson@linux.dev>
+Tested-by: Sean Anderson <sean.anderson@linux.dev>
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20250115-xilinx-formats-v2-10-160327ca652a@ideasonboard.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xlnx/zynqmp_dpsub.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/xlnx/zynqmp_dpsub.c b/drivers/gpu/drm/xlnx/zynqmp_dpsub.c
+index fcaa958d841c9..f34d4ec1d92f3 100644
+--- a/drivers/gpu/drm/xlnx/zynqmp_dpsub.c
++++ b/drivers/gpu/drm/xlnx/zynqmp_dpsub.c
+@@ -205,6 +205,8 @@ static int zynqmp_dpsub_probe(struct platform_device *pdev)
+ if (ret)
+ return ret;
+
++ dma_set_max_seg_size(&pdev->dev, DMA_BIT_MASK(32));
++
+ /* Try the reserved memory. Proceed if there's none. */
+ of_reserved_mem_device_init(&pdev->dev);
+
+--
+2.39.5
+
--- /dev/null
+From bda5d23b6e27396a333ba5efde1f12a12bfaffdc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Mar 2025 09:14:02 +0800
+Subject: EDAC/ie31200: Fix the DIMM size mask for several SoCs
+
+From: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+
+[ Upstream commit 3427befbbca6b19fe0e37f91d66ce5221de70bf1 ]
+
+The DIMM size mask for {Sky, Kaby, Coffee} Lake is not bits{7:0},
+but bits{5:0}. Fix it.
+
+Fixes: 953dee9bbd24 ("EDAC, ie31200_edac: Add Skylake support")
+Signed-off-by: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Tested-by: Gary Wang <gary.c.wang@intel.com>
+Link: https://lore.kernel.org/r/20250310011411.31685-3-qiuxu.zhuo@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/ie31200_edac.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/edac/ie31200_edac.c b/drivers/edac/ie31200_edac.c
+index 98d74c604d726..92714dd88b3f6 100644
+--- a/drivers/edac/ie31200_edac.c
++++ b/drivers/edac/ie31200_edac.c
+@@ -162,6 +162,7 @@
+ #define IE31200_MAD_DIMM_0_OFFSET 0x5004
+ #define IE31200_MAD_DIMM_0_OFFSET_SKL 0x500C
+ #define IE31200_MAD_DIMM_SIZE GENMASK_ULL(7, 0)
++#define IE31200_MAD_DIMM_SIZE_SKL GENMASK_ULL(5, 0)
+ #define IE31200_MAD_DIMM_A_RANK BIT(17)
+ #define IE31200_MAD_DIMM_A_RANK_SHIFT 17
+ #define IE31200_MAD_DIMM_A_RANK_SKL BIT(10)
+@@ -375,7 +376,7 @@ static void __iomem *ie31200_map_mchbar(struct pci_dev *pdev)
+ static void __skl_populate_dimm_info(struct dimm_data *dd, u32 addr_decode,
+ int chan)
+ {
+- dd->size = (addr_decode >> (chan << 4)) & IE31200_MAD_DIMM_SIZE;
++ dd->size = (addr_decode >> (chan << 4)) & IE31200_MAD_DIMM_SIZE_SKL;
+ dd->dual_rank = (addr_decode & (IE31200_MAD_DIMM_A_RANK_SKL << (chan << 4))) ? 1 : 0;
+ dd->x16_width = ((addr_decode & (IE31200_MAD_DIMM_A_WIDTH_SKL << (chan << 4))) >>
+ (IE31200_MAD_DIMM_A_WIDTH_SKL_SHIFT + (chan << 4)));
+--
+2.39.5
+
--- /dev/null
+From a4f88ba722ec60e44e6d22d477607094316af2f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Mar 2025 09:14:03 +0800
+Subject: EDAC/ie31200: Fix the error path order of ie31200_init()
+
+From: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+
+[ Upstream commit 231e341036d9988447e3b3345cf741a98139199e ]
+
+The error path order of ie31200_init() is incorrect, fix it.
+
+Fixes: 709ed1bcef12 ("EDAC/ie31200: Fallback if host bridge device is already initialized")
+Signed-off-by: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Tested-by: Gary Wang <gary.c.wang@intel.com>
+Link: https://lore.kernel.org/r/20250310011411.31685-4-qiuxu.zhuo@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/ie31200_edac.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/edac/ie31200_edac.c b/drivers/edac/ie31200_edac.c
+index 92714dd88b3f6..56be8ef40f376 100644
+--- a/drivers/edac/ie31200_edac.c
++++ b/drivers/edac/ie31200_edac.c
+@@ -617,7 +617,7 @@ static int __init ie31200_init(void)
+
+ pci_rc = pci_register_driver(&ie31200_driver);
+ if (pci_rc < 0)
+- goto fail0;
++ return pci_rc;
+
+ if (!mci_pdev) {
+ ie31200_registered = 0;
+@@ -628,11 +628,13 @@ static int __init ie31200_init(void)
+ if (mci_pdev)
+ break;
+ }
++
+ if (!mci_pdev) {
+ edac_dbg(0, "ie31200 pci_get_device fail\n");
+ pci_rc = -ENODEV;
+- goto fail1;
++ goto fail0;
+ }
++
+ pci_rc = ie31200_init_one(mci_pdev, &ie31200_pci_tbl[i]);
+ if (pci_rc < 0) {
+ edac_dbg(0, "ie31200 init fail\n");
+@@ -640,12 +642,12 @@ static int __init ie31200_init(void)
+ goto fail1;
+ }
+ }
+- return 0;
+
++ return 0;
+ fail1:
+- pci_unregister_driver(&ie31200_driver);
+-fail0:
+ pci_dev_put(mci_pdev);
++fail0:
++ pci_unregister_driver(&ie31200_driver);
+
+ return pci_rc;
+ }
+--
+2.39.5
+
--- /dev/null
+From 82a2afe73597919491fce666c0275be275f055a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Mar 2025 09:14:01 +0800
+Subject: EDAC/ie31200: Fix the size of EDAC_MC_LAYER_CHIP_SELECT layer
+
+From: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+
+[ Upstream commit d59d844e319d97682c8de29b88d2d60922a683b3 ]
+
+The EDAC_MC_LAYER_CHIP_SELECT layer pertains to the rank, not the DIMM.
+Fix its size to reflect the number of ranks instead of the number of DIMMs.
+Also delete the unused macros IE31200_{DIMMS,RANKS}.
+
+Fixes: 7ee40b897d18 ("ie31200_edac: Introduce the driver")
+Signed-off-by: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Tested-by: Gary Wang <gary.c.wang@intel.com>
+Link: https://lore.kernel.org/r/20250310011411.31685-2-qiuxu.zhuo@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/edac/ie31200_edac.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/edac/ie31200_edac.c b/drivers/edac/ie31200_edac.c
+index 9ef13570f2e54..98d74c604d726 100644
+--- a/drivers/edac/ie31200_edac.c
++++ b/drivers/edac/ie31200_edac.c
+@@ -91,8 +91,6 @@
+ (((did) & PCI_DEVICE_ID_INTEL_IE31200_HB_CFL_MASK) == \
+ PCI_DEVICE_ID_INTEL_IE31200_HB_CFL_MASK))
+
+-#define IE31200_DIMMS 4
+-#define IE31200_RANKS 8
+ #define IE31200_RANKS_PER_CHANNEL 4
+ #define IE31200_DIMMS_PER_CHANNEL 2
+ #define IE31200_CHANNELS 2
+@@ -426,7 +424,7 @@ static int ie31200_probe1(struct pci_dev *pdev, int dev_idx)
+
+ nr_channels = how_many_channels(pdev);
+ layers[0].type = EDAC_MC_LAYER_CHIP_SELECT;
+- layers[0].size = IE31200_DIMMS;
++ layers[0].size = IE31200_RANKS_PER_CHANNEL;
+ layers[0].is_virt_csrow = true;
+ layers[1].type = EDAC_MC_LAYER_CHANNEL;
+ layers[1].size = nr_channels;
+--
+2.39.5
+
--- /dev/null
+From fa5b93bcc0c1ff6e809db8f3cdcdce8bf0b07b95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Mar 2025 10:53:10 +0800
+Subject: exfat: fix the infinite loop in exfat_find_last_cluster()
+
+From: Yuezhang Mo <Yuezhang.Mo@sony.com>
+
+[ Upstream commit b0522303f67255926b946aa66885a0104d1b2980 ]
+
+In exfat_find_last_cluster(), the cluster chain is traversed until
+the EOF cluster. If the cluster chain includes a loop due to file
+system corruption, the EOF cluster cannot be traversed, resulting
+in an infinite loop.
+
+If the number of clusters indicated by the file size is inconsistent
+with the cluster chain length, exfat_find_last_cluster() will return
+an error, so if this inconsistency is found, the traversal can be
+aborted without traversing to the EOF cluster.
+
+Reported-by: syzbot+f7d147e6db52b1e09dba@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=f7d147e6db52b1e09dba
+Tested-by: syzbot+f7d147e6db52b1e09dba@syzkaller.appspotmail.com
+Fixes: 31023864e67a ("exfat: add fat entry operations")
+Signed-off-by: Yuezhang Mo <Yuezhang.Mo@sony.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/exfat/fatent.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/exfat/fatent.c b/fs/exfat/fatent.c
+index 220ab671a8156..9fa4cffabfb67 100644
+--- a/fs/exfat/fatent.c
++++ b/fs/exfat/fatent.c
+@@ -265,7 +265,7 @@ int exfat_find_last_cluster(struct super_block *sb, struct exfat_chain *p_chain,
+ clu = next;
+ if (exfat_ent_get(sb, clu, &next))
+ return -EIO;
+- } while (next != EXFAT_EOF_CLUSTER);
++ } while (next != EXFAT_EOF_CLUSTER && count <= p_chain->size);
+
+ if (p_chain->size != count) {
+ exfat_fs_error(sb,
+--
+2.39.5
+
--- /dev/null
+From be17448a395b3115bd313deeea113cba963323f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Apr 2023 21:35:36 +0200
+Subject: fbdev: au1100fb: Move a variable assignment behind a null pointer
+ check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Markus Elfring <elfring@users.sourceforge.net>
+
+[ Upstream commit 2df2c0caaecfd869b49e14f2b8df822397c5dd7f ]
+
+The address of a data structure member was determined before
+a corresponding null pointer check in the implementation of
+the function “au1100fb_setmode”.
+
+This issue was detected by using the Coccinelle software.
+
+Fixes: 3b495f2bb749 ("Au1100 FB driver uplift for 2.6.")
+Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
+Acked-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/au1100fb.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/video/fbdev/au1100fb.c b/drivers/video/fbdev/au1100fb.c
+index 519313b8bb004..ab7f311d1b56a 100644
+--- a/drivers/video/fbdev/au1100fb.c
++++ b/drivers/video/fbdev/au1100fb.c
+@@ -137,13 +137,15 @@ static int au1100fb_fb_blank(int blank_mode, struct fb_info *fbi)
+ */
+ int au1100fb_setmode(struct au1100fb_device *fbdev)
+ {
+- struct fb_info *info = &fbdev->info;
++ struct fb_info *info;
+ u32 words;
+ int index;
+
+ if (!fbdev)
+ return -EINVAL;
+
++ info = &fbdev->info;
++
+ /* Update var-dependent FB info */
+ if (panel_is_active(fbdev->panel) || panel_is_color(fbdev->panel)) {
+ if (info->var.bits_per_pixel <= 8) {
+--
+2.39.5
+
--- /dev/null
+From 2a30f9d642b0bf0605af0df307fdb6022ec6c2d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Mar 2025 01:30:11 +0000
+Subject: fbdev: sm501fb: Add some geometry checks.
+
+From: Danila Chernetsov <listdansp@mail.ru>
+
+[ Upstream commit aee50bd88ea5fde1ff4cc021385598f81a65830c ]
+
+Added checks for xoffset, yoffset settings.
+Incorrect settings of these parameters can lead to errors
+in sm501fb_pan_ functions.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 5fc404e47bdf ("[PATCH] fb: SM501 framebuffer driver")
+Signed-off-by: Danila Chernetsov <listdansp@mail.ru>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/sm501fb.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/video/fbdev/sm501fb.c b/drivers/video/fbdev/sm501fb.c
+index f743bfbde2a6c..bbbc9de06a81b 100644
+--- a/drivers/video/fbdev/sm501fb.c
++++ b/drivers/video/fbdev/sm501fb.c
+@@ -326,6 +326,13 @@ static int sm501fb_check_var(struct fb_var_screeninfo *var,
+ if (var->xres_virtual > 4096 || var->yres_virtual > 2048)
+ return -EINVAL;
+
++ /* geometry sanity checks */
++ if (var->xres + var->xoffset > var->xres_virtual)
++ return -EINVAL;
++
++ if (var->yres + var->yoffset > var->yres_virtual)
++ return -EINVAL;
++
+ /* can cope with 8,16 or 32bpp */
+
+ if (var->bits_per_pixel <= 8)
+--
+2.39.5
+
--- /dev/null
+From 3103dc75d48fdddf8cd4bee5fa4a717d38254e67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 16 Feb 2025 23:52:00 +0300
+Subject: fs/ntfs3: Fix a couple integer overflows on 32bit systems
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 5ad414f4df2294b28836b5b7b69787659d6aa708 ]
+
+On 32bit systems the "off + sizeof(struct NTFS_DE)" addition can
+have an integer wrapping issue. Fix it by using size_add().
+
+Fixes: 82cae269cfa9 ("fs/ntfs3: Add initialization of super block")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ntfs3/index.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ntfs3/index.c b/fs/ntfs3/index.c
+index 2dfe74a3de755..139bdaececd72 100644
+--- a/fs/ntfs3/index.c
++++ b/fs/ntfs3/index.c
+@@ -617,7 +617,7 @@ static bool index_hdr_check(const struct INDEX_HDR *hdr, u32 bytes)
+ u32 off = le32_to_cpu(hdr->de_off);
+
+ if (!IS_ALIGNED(off, 8) || tot > bytes || end > tot ||
+- off + sizeof(struct NTFS_DE) > end) {
++ size_add(off, sizeof(struct NTFS_DE)) > end) {
+ /* incorrect index buffer. */
+ return false;
+ }
+@@ -736,7 +736,7 @@ static struct NTFS_DE *hdr_find_e(const struct ntfs_index *indx,
+ if (end > total)
+ return NULL;
+
+- if (off + sizeof(struct NTFS_DE) > end)
++ if (size_add(off, sizeof(struct NTFS_DE)) > end)
+ return NULL;
+
+ e = Add2Ptr(hdr, off);
+--
+2.39.5
+
--- /dev/null
+From ede54f0e30b13d501f08085d1d382215aec2aaec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Mar 2025 14:02:22 -0700
+Subject: fs/procfs: fix the comment above proc_pid_wchan()
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit 6287fbad1cd91f0c25cdc3a580499060828a8f30 ]
+
+proc_pid_wchan() used to report kernel addresses to user space but that is
+no longer the case today. Bring the comment above proc_pid_wchan() in
+sync with the implementation.
+
+Link: https://lkml.kernel.org/r/20250319210222.1518771-1-bvanassche@acm.org
+Fixes: b2f73922d119 ("fs/proc, core/debug: Don't expose absolute kernel addresses via wchan")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Cc: Kees Cook <kees@kernel.org>
+Cc: Eric W. Biederman <ebiederm@xmission.com>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/proc/base.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/proc/base.c b/fs/proc/base.c
+index 82e4a8805bae6..fb169bdfd9a8e 100644
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -415,7 +415,7 @@ static const struct file_operations proc_pid_cmdline_ops = {
+ #ifdef CONFIG_KALLSYMS
+ /*
+ * Provides a wchan file via kallsyms in a proper one-value-per-file format.
+- * Returns the resolved symbol. If that fails, simply return the address.
++ * Returns the resolved symbol to user space.
+ */
+ static int proc_pid_wchan(struct seq_file *m, struct pid_namespace *ns,
+ struct pid *pid, struct task_struct *task)
+--
+2.39.5
+
--- /dev/null
+From fdb256ef2399e9436fba41cd007cada9702cdca1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Feb 2025 14:30:56 +1100
+Subject: fuse: fix dax truncate/punch_hole fault path
+
+From: Alistair Popple <apopple@nvidia.com>
+
+[ Upstream commit 7851bf649d423edd7286b292739f2eefded3d35c ]
+
+Patch series "fs/dax: Fix ZONE_DEVICE page reference counts", v9.
+
+Device and FS DAX pages have always maintained their own page reference
+counts without following the normal rules for page reference counting. In
+particular pages are considered free when the refcount hits one rather
+than zero and refcounts are not added when mapping the page.
+
+Tracking this requires special PTE bits (PTE_DEVMAP) and a secondary
+mechanism for allowing GUP to hold references on the page (see
+get_dev_pagemap). However there doesn't seem to be any reason why FS DAX
+pages need their own reference counting scheme.
+
+By treating the refcounts on these pages the same way as normal pages we
+can remove a lot of special checks. In particular pXd_trans_huge()
+becomes the same as pXd_leaf(), although I haven't made that change here.
+It also frees up a valuable SW define PTE bit on architectures that have
+devmap PTE bits defined.
+
+It also almost certainly allows further clean-up of the devmap managed
+functions, but I have left that as a future improvment. It also enables
+support for compound ZONE_DEVICE pages which is one of my primary
+motivators for doing this work.
+
+This patch (of 20):
+
+FS DAX requires file systems to call into the DAX layout prior to
+unlinking inodes to ensure there is no ongoing DMA or other remote access
+to the direct mapped page. The fuse file system implements
+fuse_dax_break_layouts() to do this which includes a comment indicating
+that passing dmap_end == 0 leads to unmapping of the whole file.
+
+However this is not true - passing dmap_end == 0 will not unmap anything
+before dmap_start, and further more dax_layout_busy_page_range() will not
+scan any of the range to see if there maybe ongoing DMA access to the
+range. Fix this by passing -1 for dmap_end to fuse_dax_break_layouts()
+which will invalidate the entire file range to
+dax_layout_busy_page_range().
+
+Link: https://lkml.kernel.org/r/cover.8068ad144a7eea4a813670301f4d2a86a8e68ec4.1740713401.git-series.apopple@nvidia.com
+Link: https://lkml.kernel.org/r/f09a34b6c40032022e4ddee6fadb7cc676f08867.1740713401.git-series.apopple@nvidia.com
+Fixes: 6ae330cad6ef ("virtiofs: serialize truncate/punch_hole and dax fault path")
+Signed-off-by: Alistair Popple <apopple@nvidia.com>
+Co-developed-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Reviewed-by: Balbir Singh <balbirs@nvidia.com>
+Tested-by: Alison Schofield <alison.schofield@intel.com>
+Cc: Vivek Goyal <vgoyal@redhat.com>
+Cc: Alexander Gordeev <agordeev@linux.ibm.com>
+Cc: Asahi Lina <lina@asahilina.net>
+Cc: Bjorn Helgaas <bhelgaas@google.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Christian Borntraeger <borntraeger@linux.ibm.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Chunyan Zhang <zhang.lyra@gmail.com>
+Cc: "Darrick J. Wong" <djwong@kernel.org>
+Cc: Dave Chinner <david@fromorbit.com>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Dave Jiang <dave.jiang@intel.com>
+Cc: David Hildenbrand <david@redhat.com>
+Cc: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
+Cc: Heiko Carstens <hca@linux.ibm.com>
+Cc: Huacai Chen <chenhuacai@kernel.org>
+Cc: Ira Weiny <ira.weiny@intel.com>
+Cc: Jan Kara <jack@suse.cz>
+Cc: Jason Gunthorpe <jgg@nvidia.com>
+Cc: Jason Gunthorpe <jgg@ziepe.ca>
+Cc: John Hubbard <jhubbard@nvidia.com>
+Cc: linmiaohe <linmiaohe@huawei.com>
+Cc: Logan Gunthorpe <logang@deltatee.com>
+Cc: Matthew Wilcow (Oracle) <willy@infradead.org>
+Cc: Michael "Camp Drill Sergeant" Ellerman <mpe@ellerman.id.au>
+Cc: Nicholas Piggin <npiggin@gmail.com>
+Cc: Peter Xu <peterx@redhat.com>
+Cc: Sven Schnelle <svens@linux.ibm.com>
+Cc: Ted Ts'o <tytso@mit.edu>
+Cc: Vasily Gorbik <gor@linux.ibm.com>
+Cc: Vishal Verma <vishal.l.verma@intel.com>
+Cc: WANG Xuerui <kernel@xen0n.name>
+Cc: Will Deacon <will@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/fuse/dax.c | 1 -
+ fs/fuse/dir.c | 2 +-
+ fs/fuse/file.c | 4 ++--
+ 3 files changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/fs/fuse/dax.c b/fs/fuse/dax.c
+index 6e71904c396f1..dc28c28654d93 100644
+--- a/fs/fuse/dax.c
++++ b/fs/fuse/dax.c
+@@ -681,7 +681,6 @@ static int __fuse_dax_break_layouts(struct inode *inode, bool *retry,
+ 0, 0, fuse_wait_dax_page(inode));
+ }
+
+-/* dmap_end == 0 leads to unmapping of whole file */
+ int fuse_dax_break_layouts(struct inode *inode, u64 dmap_start,
+ u64 dmap_end)
+ {
+diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
+index de31cb8eb7201..c431abbf48e66 100644
+--- a/fs/fuse/dir.c
++++ b/fs/fuse/dir.c
+@@ -1712,7 +1712,7 @@ int fuse_do_setattr(struct dentry *dentry, struct iattr *attr,
+ if (FUSE_IS_DAX(inode) && is_truncate) {
+ filemap_invalidate_lock(mapping);
+ fault_blocked = true;
+- err = fuse_dax_break_layouts(inode, 0, 0);
++ err = fuse_dax_break_layouts(inode, 0, -1);
+ if (err) {
+ filemap_invalidate_unlock(mapping);
+ return err;
+diff --git a/fs/fuse/file.c b/fs/fuse/file.c
+index 0df1311afb87d..723dd9b94e567 100644
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -240,7 +240,7 @@ int fuse_open_common(struct inode *inode, struct file *file, bool isdir)
+
+ if (dax_truncate) {
+ filemap_invalidate_lock(inode->i_mapping);
+- err = fuse_dax_break_layouts(inode, 0, 0);
++ err = fuse_dax_break_layouts(inode, 0, -1);
+ if (err)
+ goto out_inode_unlock;
+ }
+@@ -3020,7 +3020,7 @@ static long fuse_file_fallocate(struct file *file, int mode, loff_t offset,
+ inode_lock(inode);
+ if (block_faults) {
+ filemap_invalidate_lock(inode->i_mapping);
+- err = fuse_dax_break_layouts(inode, 0, 0);
++ err = fuse_dax_break_layouts(inode, 0, -1);
+ if (err)
+ goto out;
+ }
+--
+2.39.5
+
--- /dev/null
+From 7795798ee0914e034a6d790a45463a0a44290764 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Feb 2025 19:04:18 +0800
+Subject: HID: i2c-hid: improve i2c_hid_get_report error message
+
+From: Wentao Guan <guanwentao@uniontech.com>
+
+[ Upstream commit 723aa55c08c9d1e0734e39a815fd41272eac8269 ]
+
+We have two places to print "failed to set a report to ...",
+use "get a report from" instead of "set a report to", it makes
+people who knows less about the module to know where the error
+happened.
+
+Before:
+i2c_hid_acpi i2c-FTSC1000:00: failed to set a report to device: -11
+
+After:
+i2c_hid_acpi i2c-FTSC1000:00: failed to get a report from device: -11
+
+Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/i2c-hid/i2c-hid-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hid/i2c-hid/i2c-hid-core.c b/drivers/hid/i2c-hid/i2c-hid-core.c
+index 0b05bb1e4410e..8a7ac016b1abe 100644
+--- a/drivers/hid/i2c-hid/i2c-hid-core.c
++++ b/drivers/hid/i2c-hid/i2c-hid-core.c
+@@ -261,7 +261,7 @@ static int i2c_hid_get_report(struct i2c_hid *ihid,
+ ihid->rawbuf, recv_len + sizeof(__le16));
+ if (error) {
+ dev_err(&ihid->client->dev,
+- "failed to set a report to device: %d\n", error);
++ "failed to get a report from device: %d\n", error);
+ return error;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 386ebeba0453fd1dfa119dcaaa6483abb468637a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Mar 2025 09:08:22 +0100
+Subject: HID: remove superfluous (and wrong) Makefile entry for
+ CONFIG_INTEL_ISH_FIRMWARE_DOWNLOADER
+
+From: Jiri Kosina <jkosina@suse.com>
+
+[ Upstream commit fe0fb58325e519008e2606a5aa2cff7ad23e212d ]
+
+The line
+
+ obj-$(INTEL_ISH_FIRMWARE_DOWNLOADER) += intel-ish-hid/
+
+in top-level HID Makefile is both superfluous (as CONFIG_INTEL_ISH_FIRMWARE_DOWNLOADER
+depends on CONFIG_INTEL_ISH_HID, which contains intel-ish-hid/ already) and wrong (as it's
+missing the CONFIG_ prefix).
+
+Just remove it.
+
+Fixes: 91b228107da3e ("HID: intel-ish-hid: ISH firmware loader client driver")
+Reported-by: Jiri Slaby <jirislaby@kernel.org>
+Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/Makefile | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/hid/Makefile b/drivers/hid/Makefile
+index e8014c1a2f8b6..86195e9c59c4b 100644
+--- a/drivers/hid/Makefile
++++ b/drivers/hid/Makefile
+@@ -159,7 +159,6 @@ obj-$(CONFIG_USB_KBD) += usbhid/
+ obj-$(CONFIG_I2C_HID_CORE) += i2c-hid/
+
+ obj-$(CONFIG_INTEL_ISH_HID) += intel-ish-hid/
+-obj-$(INTEL_ISH_FIRMWARE_DOWNLOADER) += intel-ish-hid/
+
+ obj-$(CONFIG_AMD_SFH_HID) += amd-sfh-hid/
+
+--
+2.39.5
+
--- /dev/null
+From ed8a1413457cc516f5ee206c10ddf2377d4a74db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Mar 2025 05:08:32 +0200
+Subject: hwmon: (nct6775-core) Fix out of bounds access for NCT679{8,9}
+
+From: Tasos Sahanidis <tasos@tasossah.com>
+
+[ Upstream commit 815f80ad20b63830949a77c816e35395d5d55144 ]
+
+pwm_num is set to 7 for these chips, but NCT6776_REG_PWM_MODE and
+NCT6776_PWM_MODE_MASK only contain 6 values.
+
+Fix this by adding another 0 to the end of each array.
+
+Signed-off-by: Tasos Sahanidis <tasos@tasossah.com>
+Link: https://lore.kernel.org/r/20250312030832.106475-1-tasos@tasossah.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/nct6775-core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwmon/nct6775-core.c b/drivers/hwmon/nct6775-core.c
+index 9de3ad2713f1d..ec3ff4e9a9abd 100644
+--- a/drivers/hwmon/nct6775-core.c
++++ b/drivers/hwmon/nct6775-core.c
+@@ -276,8 +276,8 @@ static const s8 NCT6776_BEEP_BITS[] = {
+ static const u16 NCT6776_REG_TOLERANCE_H[] = {
+ 0x10c, 0x20c, 0x30c, 0x80c, 0x90c, 0xa0c, 0xb0c };
+
+-static const u8 NCT6776_REG_PWM_MODE[] = { 0x04, 0, 0, 0, 0, 0 };
+-static const u8 NCT6776_PWM_MODE_MASK[] = { 0x01, 0, 0, 0, 0, 0 };
++static const u8 NCT6776_REG_PWM_MODE[] = { 0x04, 0, 0, 0, 0, 0, 0 };
++static const u8 NCT6776_PWM_MODE_MASK[] = { 0x01, 0, 0, 0, 0, 0, 0 };
+
+ static const u16 NCT6776_REG_FAN_MIN[] = {
+ 0x63a, 0x63c, 0x63e, 0x640, 0x642, 0x64a, 0x64c };
+--
+2.39.5
+
--- /dev/null
+From c0df44f1c6927c6c77ceebc04a004d046c25cb60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Mar 2025 13:36:04 +0800
+Subject: i3c: master: svc: Fix missing the IBI rules
+
+From: Stanley Chu <yschu@nuvoton.com>
+
+[ Upstream commit 9cecad134d84d14dc72a0eea7a107691c3e5a837 ]
+
+The code does not add IBI rules for devices with controller capability.
+However, the secondary controller has the controller capability and works
+at target mode when the device is probed. Therefore, add IBI rules for
+such devices.
+
+Fixes: dd3c52846d59 ("i3c: master: svc: Add Silvaco I3C master driver")
+Signed-off-by: Stanley Chu <yschu@nuvoton.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Link: https://lore.kernel.org/r/20250318053606.3087121-2-yschu@nuvoton.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i3c/master/svc-i3c-master.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/i3c/master/svc-i3c-master.c b/drivers/i3c/master/svc-i3c-master.c
+index 9039ebef8648a..157ff26d40be9 100644
+--- a/drivers/i3c/master/svc-i3c-master.c
++++ b/drivers/i3c/master/svc-i3c-master.c
+@@ -943,7 +943,7 @@ static int svc_i3c_update_ibirules(struct svc_i3c_master *master)
+
+ /* Create the IBIRULES register for both cases */
+ i3c_bus_for_each_i3cdev(&master->base.bus, dev) {
+- if (I3C_BCR_DEVICE_ROLE(dev->info.bcr) == I3C_BCR_I3C_MASTER)
++ if (!(dev->info.bcr & I3C_BCR_IBI_REQ_CAP))
+ continue;
+
+ if (dev->info.bcr & I3C_BCR_IBI_PAYLOAD) {
+--
+2.39.5
+
--- /dev/null
+From cc8b3585788f949a3d11fb4ca14476d4ae4d94e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Mar 2025 16:20:17 +0200
+Subject: IB/mad: Check available slots before posting receive WRs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maher Sanalla <msanalla@nvidia.com>
+
+[ Upstream commit 37826f0a8c2f6b6add5179003b8597e32a445362 ]
+
+The ib_post_receive_mads() function handles posting receive work
+requests (WRs) to MAD QPs and is called in two cases:
+1) When a MAD port is opened.
+2) When a receive WQE is consumed upon receiving a new MAD.
+
+Whereas, if MADs arrive during the port open phase, a race condition
+might cause an extra WR to be posted, exceeding the QP’s capacity.
+This leads to failures such as:
+infiniband mlx5_0: ib_post_recv failed: -12
+infiniband mlx5_0: Couldn't post receive WRs
+infiniband mlx5_0: Couldn't start port
+infiniband mlx5_0: Couldn't open port 1
+
+Fix this by checking the current receive count before posting a new WR.
+If the QP’s receive queue is full, do not post additional WRs.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Maher Sanalla <msanalla@nvidia.com>
+Link: https://patch.msgid.link/c4984ba3c3a98a5711a558bccefcad789587ecf1.1741875592.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/mad.c | 38 ++++++++++++++++++-----------------
+ 1 file changed, 20 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/infiniband/core/mad.c b/drivers/infiniband/core/mad.c
+index 58befbaaf0ad5..242434c09e8d8 100644
+--- a/drivers/infiniband/core/mad.c
++++ b/drivers/infiniband/core/mad.c
+@@ -2671,11 +2671,11 @@ static int ib_mad_post_receive_mads(struct ib_mad_qp_info *qp_info,
+ struct ib_mad_private *mad)
+ {
+ unsigned long flags;
+- int post, ret;
+ struct ib_mad_private *mad_priv;
+ struct ib_sge sg_list;
+ struct ib_recv_wr recv_wr;
+ struct ib_mad_queue *recv_queue = &qp_info->recv_queue;
++ int ret = 0;
+
+ /* Initialize common scatter list fields */
+ sg_list.lkey = qp_info->port_priv->pd->local_dma_lkey;
+@@ -2685,7 +2685,7 @@ static int ib_mad_post_receive_mads(struct ib_mad_qp_info *qp_info,
+ recv_wr.sg_list = &sg_list;
+ recv_wr.num_sge = 1;
+
+- do {
++ while (true) {
+ /* Allocate and map receive buffer */
+ if (mad) {
+ mad_priv = mad;
+@@ -2693,10 +2693,8 @@ static int ib_mad_post_receive_mads(struct ib_mad_qp_info *qp_info,
+ } else {
+ mad_priv = alloc_mad_private(port_mad_size(qp_info->port_priv),
+ GFP_ATOMIC);
+- if (!mad_priv) {
+- ret = -ENOMEM;
+- break;
+- }
++ if (!mad_priv)
++ return -ENOMEM;
+ }
+ sg_list.length = mad_priv_dma_size(mad_priv);
+ sg_list.addr = ib_dma_map_single(qp_info->port_priv->device,
+@@ -2705,37 +2703,41 @@ static int ib_mad_post_receive_mads(struct ib_mad_qp_info *qp_info,
+ DMA_FROM_DEVICE);
+ if (unlikely(ib_dma_mapping_error(qp_info->port_priv->device,
+ sg_list.addr))) {
+- kfree(mad_priv);
+ ret = -ENOMEM;
+- break;
++ goto free_mad_priv;
+ }
+ mad_priv->header.mapping = sg_list.addr;
+ mad_priv->header.mad_list.mad_queue = recv_queue;
+ mad_priv->header.mad_list.cqe.done = ib_mad_recv_done;
+ recv_wr.wr_cqe = &mad_priv->header.mad_list.cqe;
+-
+- /* Post receive WR */
+ spin_lock_irqsave(&recv_queue->lock, flags);
+- post = (++recv_queue->count < recv_queue->max_active);
+- list_add_tail(&mad_priv->header.mad_list.list, &recv_queue->list);
++ if (recv_queue->count >= recv_queue->max_active) {
++ /* Fully populated the receive queue */
++ spin_unlock_irqrestore(&recv_queue->lock, flags);
++ break;
++ }
++ recv_queue->count++;
++ list_add_tail(&mad_priv->header.mad_list.list,
++ &recv_queue->list);
+ spin_unlock_irqrestore(&recv_queue->lock, flags);
++
+ ret = ib_post_recv(qp_info->qp, &recv_wr, NULL);
+ if (ret) {
+ spin_lock_irqsave(&recv_queue->lock, flags);
+ list_del(&mad_priv->header.mad_list.list);
+ recv_queue->count--;
+ spin_unlock_irqrestore(&recv_queue->lock, flags);
+- ib_dma_unmap_single(qp_info->port_priv->device,
+- mad_priv->header.mapping,
+- mad_priv_dma_size(mad_priv),
+- DMA_FROM_DEVICE);
+- kfree(mad_priv);
+ dev_err(&qp_info->port_priv->device->dev,
+ "ib_post_recv failed: %d\n", ret);
+ break;
+ }
+- } while (post);
++ }
+
++ ib_dma_unmap_single(qp_info->port_priv->device,
++ mad_priv->header.mapping,
++ mad_priv_dma_size(mad_priv), DMA_FROM_DEVICE);
++free_mad_priv:
++ kfree(mad_priv);
+ return ret;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 364b7280446a0da44544fe6223b90087df4fc992 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Feb 2025 14:01:28 +0000
+Subject: iio: accel: mma8452: Ensure error return on failure to matching
+ oversampling ratio
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit df330c808182a8beab5d0f84a6cbc9cff76c61fc ]
+
+If a match was not found, then the write_raw() callback would return
+the odr index, not an error. Return -EINVAL if this occurs.
+To avoid similar issues in future, introduce j, a new indexing variable
+rather than using ret for this purpose.
+
+Fixes: 79de2ee469aa ("iio: accel: mma8452: claim direct mode during write raw")
+Reviewed-by: David Lechner <dlechner@baylibre.com>
+Link: https://patch.msgid.link/20250217140135.896574-2-jic23@kernel.org
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/accel/mma8452.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/iio/accel/mma8452.c b/drivers/iio/accel/mma8452.c
+index 3ba28c2ff68a3..ad7b7770d5262 100644
+--- a/drivers/iio/accel/mma8452.c
++++ b/drivers/iio/accel/mma8452.c
+@@ -711,7 +711,7 @@ static int mma8452_write_raw(struct iio_dev *indio_dev,
+ int val, int val2, long mask)
+ {
+ struct mma8452_data *data = iio_priv(indio_dev);
+- int i, ret;
++ int i, j, ret;
+
+ ret = iio_device_claim_direct_mode(indio_dev);
+ if (ret)
+@@ -771,14 +771,18 @@ static int mma8452_write_raw(struct iio_dev *indio_dev,
+ break;
+
+ case IIO_CHAN_INFO_OVERSAMPLING_RATIO:
+- ret = mma8452_get_odr_index(data);
++ j = mma8452_get_odr_index(data);
+
+ for (i = 0; i < ARRAY_SIZE(mma8452_os_ratio); i++) {
+- if (mma8452_os_ratio[i][ret] == val) {
++ if (mma8452_os_ratio[i][j] == val) {
+ ret = mma8452_set_power_mode(data, i);
+ break;
+ }
+ }
++ if (i == ARRAY_SIZE(mma8452_os_ratio)) {
++ ret = -EINVAL;
++ break;
++ }
+ break;
+ default:
+ ret = -EINVAL;
+--
+2.39.5
+
--- /dev/null
+From 93a84de39bf91fe58bb2de3694ff76a149d15c07 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Feb 2025 14:01:33 +0000
+Subject: iio: accel: msa311: Fix failure to release runtime pm if direct mode
+ claim fails.
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+[ Upstream commit 60a0cf2ebab92011055ab7db6553c0fc3c546938 ]
+
+Reorder the claiming of direct mode and runtime pm calls to simplify
+handling a little. For correct error handling, after the reorder
+iio_device_release_direct_mode() must be claimed in an error occurs
+in pm_runtime_resume_and_get()
+
+Fixes: 1ca2cfbc0c33 ("iio: add MEMSensing MSA311 3-axis accelerometer driver")
+Reviewed-by: David Lechner <dlechner@baylibre.com>
+Link: https://patch.msgid.link/20250217140135.896574-7-jic23@kernel.org
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/accel/msa311.c | 26 +++++++++++++++-----------
+ 1 file changed, 15 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/iio/accel/msa311.c b/drivers/iio/accel/msa311.c
+index 2fded37591717..9b5c36f2322f1 100644
+--- a/drivers/iio/accel/msa311.c
++++ b/drivers/iio/accel/msa311.c
+@@ -595,23 +595,25 @@ static int msa311_read_raw_data(struct iio_dev *indio_dev,
+ __le16 axis;
+ int err;
+
+- err = pm_runtime_resume_and_get(dev);
++ err = iio_device_claim_direct_mode(indio_dev);
+ if (err)
+ return err;
+
+- err = iio_device_claim_direct_mode(indio_dev);
+- if (err)
++ err = pm_runtime_resume_and_get(dev);
++ if (err) {
++ iio_device_release_direct_mode(indio_dev);
+ return err;
++ }
+
+ mutex_lock(&msa311->lock);
+ err = msa311_get_axis(msa311, chan, &axis);
+ mutex_unlock(&msa311->lock);
+
+- iio_device_release_direct_mode(indio_dev);
+-
+ pm_runtime_mark_last_busy(dev);
+ pm_runtime_put_autosuspend(dev);
+
++ iio_device_release_direct_mode(indio_dev);
++
+ if (err) {
+ dev_err(dev, "can't get axis %s (%pe)\n",
+ chan->datasheet_name, ERR_PTR(err));
+@@ -757,10 +759,6 @@ static int msa311_write_samp_freq(struct iio_dev *indio_dev, int val, int val2)
+ unsigned int odr;
+ int err;
+
+- err = pm_runtime_resume_and_get(dev);
+- if (err)
+- return err;
+-
+ /*
+ * Sampling frequency changing is prohibited when buffer mode is
+ * enabled, because sometimes MSA311 chip returns outliers during
+@@ -770,6 +768,12 @@ static int msa311_write_samp_freq(struct iio_dev *indio_dev, int val, int val2)
+ if (err)
+ return err;
+
++ err = pm_runtime_resume_and_get(dev);
++ if (err) {
++ iio_device_release_direct_mode(indio_dev);
++ return err;
++ }
++
+ err = -EINVAL;
+ for (odr = 0; odr < ARRAY_SIZE(msa311_odr_table); odr++)
+ if (val == msa311_odr_table[odr].integral &&
+@@ -780,11 +784,11 @@ static int msa311_write_samp_freq(struct iio_dev *indio_dev, int val, int val2)
+ break;
+ }
+
+- iio_device_release_direct_mode(indio_dev);
+-
+ pm_runtime_mark_last_busy(dev);
+ pm_runtime_put_autosuspend(dev);
+
++ iio_device_release_direct_mode(indio_dev);
++
+ if (err)
+ dev_err(dev, "can't update frequency (%pe)\n", ERR_PTR(err));
+
+--
+2.39.5
+
--- /dev/null
+From 783d9441a542e3b0d4b2c39c67724cac23369517 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Mar 2025 12:47:01 +0100
+Subject: iio: adc: ad7124: Fix comparison of channel configs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
+
+[ Upstream commit 05a5d874f7327b75e9bc4359618017e047cc129c ]
+
+Checking the binary representation of two structs (of the same type)
+for equality doesn't have the same semantic as comparing all members for
+equality. The former might find a difference where the latter doesn't in
+the presence of padding or when ambiguous types like float or bool are
+involved. (Floats typically have different representations for single
+values, like -0.0 vs +0.0, or 0.5 * 2² vs 0.25 * 2³. The type bool has
+at least 8 bits and the raw values 1 and 2 (probably) both evaluate to
+true, but memcmp finds a difference.)
+
+When searching for a channel that already has the configuration we need,
+the comparison by member is the one that is needed.
+
+Convert the comparison accordingly to compare the members one after
+another. Also add a static_assert guard to (somewhat) ensure that when
+struct ad7124_channel_config::config_props is expanded, the comparison
+is adapted, too.
+
+This issue is somewhat theoretic, but using memcmp() on a struct is a
+bad pattern that is worth fixing.
+
+Fixes: 7b8d045e497a ("iio: adc: ad7124: allow more than 8 channels")
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
+Link: https://patch.msgid.link/20250303114659.1672695-13-u.kleine-koenig@baylibre.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/adc/ad7124.c | 35 +++++++++++++++++++++++++++++++----
+ 1 file changed, 31 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/iio/adc/ad7124.c b/drivers/iio/adc/ad7124.c
+index 5d4abe81d2a2b..307a607bf56c7 100644
+--- a/drivers/iio/adc/ad7124.c
++++ b/drivers/iio/adc/ad7124.c
+@@ -146,7 +146,11 @@ struct ad7124_chip_info {
+ struct ad7124_channel_config {
+ bool live;
+ unsigned int cfg_slot;
+- /* Following fields are used to compare equality. */
++ /*
++ * Following fields are used to compare for equality. If you
++ * make adaptations in it, you most likely also have to adapt
++ * ad7124_find_similar_live_cfg(), too.
++ */
+ struct_group(config_props,
+ enum ad7124_ref_sel refsel;
+ bool bipolar;
+@@ -333,15 +337,38 @@ static struct ad7124_channel_config *ad7124_find_similar_live_cfg(struct ad7124_
+ struct ad7124_channel_config *cfg)
+ {
+ struct ad7124_channel_config *cfg_aux;
+- ptrdiff_t cmp_size;
+ int i;
+
+- cmp_size = sizeof_field(struct ad7124_channel_config, config_props);
++ /*
++ * This is just to make sure that the comparison is adapted after
++ * struct ad7124_channel_config was changed.
++ */
++ static_assert(sizeof_field(struct ad7124_channel_config, config_props) ==
++ sizeof(struct {
++ enum ad7124_ref_sel refsel;
++ bool bipolar;
++ bool buf_positive;
++ bool buf_negative;
++ unsigned int vref_mv;
++ unsigned int pga_bits;
++ unsigned int odr;
++ unsigned int odr_sel_bits;
++ unsigned int filter_type;
++ }));
++
+ for (i = 0; i < st->num_channels; i++) {
+ cfg_aux = &st->channels[i].cfg;
+
+ if (cfg_aux->live &&
+- !memcmp(&cfg->config_props, &cfg_aux->config_props, cmp_size))
++ cfg->refsel == cfg_aux->refsel &&
++ cfg->bipolar == cfg_aux->bipolar &&
++ cfg->buf_positive == cfg_aux->buf_positive &&
++ cfg->buf_negative == cfg_aux->buf_negative &&
++ cfg->vref_mv == cfg_aux->vref_mv &&
++ cfg->pga_bits == cfg_aux->pga_bits &&
++ cfg->odr == cfg_aux->odr &&
++ cfg->odr_sel_bits == cfg_aux->odr_sel_bits &&
++ cfg->filter_type == cfg_aux->filter_type)
+ return cfg_aux;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From d913ce89d0f5ac3644905010e65efbbee35b2a2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Apr 2025 14:42:24 +0300
+Subject: ipv6: Do not consider link down nexthops in path selection
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit 8b8e0dd357165e0258d9f9cdab5366720ed2f619 ]
+
+Nexthops whose link is down are not supposed to be considered during
+path selection when the "ignore_routes_with_linkdown" sysctl is set.
+This is done by assigning them a negative region boundary.
+
+However, when comparing the computed hash (unsigned) with the region
+boundary (signed), the negative region boundary is treated as unsigned,
+resulting in incorrect nexthop selection.
+
+Fix by treating the computed hash as signed. Note that the computed hash
+is always in range of [0, 2^31 - 1].
+
+Fixes: 3d709f69a3e7 ("ipv6: Use hash-threshold instead of modulo-N")
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://patch.msgid.link/20250402114224.293392-3-idosch@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/route.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index 2cfef1c971093..d6de164720a05 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -446,6 +446,7 @@ void fib6_select_path(const struct net *net, struct fib6_result *res,
+ {
+ struct fib6_info *first, *match = res->f6i;
+ struct fib6_info *sibling;
++ int hash;
+
+ if (!match->nh && (!match->fib6_nsiblings || have_oif_match))
+ goto out;
+@@ -472,7 +473,8 @@ void fib6_select_path(const struct net *net, struct fib6_result *res,
+ if (!first)
+ goto out;
+
+- if (fl6->mp_hash <= atomic_read(&first->fib6_nh->fib_nh_upper_bound) &&
++ hash = fl6->mp_hash;
++ if (hash <= atomic_read(&first->fib6_nh->fib_nh_upper_bound) &&
+ rt6_score_route(first->fib6_nh, first->fib6_flags, oif,
+ strict) >= 0) {
+ match = first;
+@@ -485,7 +487,7 @@ void fib6_select_path(const struct net *net, struct fib6_result *res,
+ int nh_upper_bound;
+
+ nh_upper_bound = atomic_read(&nh->fib_nh_upper_bound);
+- if (fl6->mp_hash > nh_upper_bound)
++ if (hash > nh_upper_bound)
+ continue;
+ if (rt6_score_route(nh, sibling->fib6_flags, oif, strict) < 0)
+ break;
+--
+2.39.5
+
--- /dev/null
+From 4edb9dcd4469d176a79519932c5ef83ea27b42f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Apr 2025 14:17:51 +0200
+Subject: ipv6: fix omitted netlink attributes when using
+ RTEXT_FILTER_SKIP_STATS
+
+From: Fernando Fernandez Mancera <ffmancera@riseup.net>
+
+[ Upstream commit 7ac6ea4a3e0898db76aecccd68fb2c403eb7d24e ]
+
+Using RTEXT_FILTER_SKIP_STATS is incorrectly skipping non-stats IPv6
+netlink attributes on link dump. This causes issues on userspace tools,
+e.g iproute2 is not rendering address generation mode as it should due
+to missing netlink attribute.
+
+Move the filling of IFLA_INET6_STATS and IFLA_INET6_ICMP6STATS to a
+helper function guarded by a flag check to avoid hitting the same
+situation in the future.
+
+Fixes: d5566fd72ec1 ("rtnetlink: RTEXT_FILTER_SKIP_STATS support to avoid dumping inet/inet6 stats")
+Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250402121751.3108-1-ffmancera@riseup.net
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/addrconf.c | 37 +++++++++++++++++++++++++------------
+ 1 file changed, 25 insertions(+), 12 deletions(-)
+
+diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
+index f52527c86e71c..0811cc8956a3a 100644
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -5718,6 +5718,27 @@ static void snmp6_fill_stats(u64 *stats, struct inet6_dev *idev, int attrtype,
+ }
+ }
+
++static int inet6_fill_ifla6_stats_attrs(struct sk_buff *skb,
++ struct inet6_dev *idev)
++{
++ struct nlattr *nla;
++
++ nla = nla_reserve(skb, IFLA_INET6_STATS, IPSTATS_MIB_MAX * sizeof(u64));
++ if (!nla)
++ goto nla_put_failure;
++ snmp6_fill_stats(nla_data(nla), idev, IFLA_INET6_STATS, nla_len(nla));
++
++ nla = nla_reserve(skb, IFLA_INET6_ICMP6STATS, ICMP6_MIB_MAX * sizeof(u64));
++ if (!nla)
++ goto nla_put_failure;
++ snmp6_fill_stats(nla_data(nla), idev, IFLA_INET6_ICMP6STATS, nla_len(nla));
++
++ return 0;
++
++nla_put_failure:
++ return -EMSGSIZE;
++}
++
+ static int inet6_fill_ifla6_attrs(struct sk_buff *skb, struct inet6_dev *idev,
+ u32 ext_filter_mask)
+ {
+@@ -5739,18 +5760,10 @@ static int inet6_fill_ifla6_attrs(struct sk_buff *skb, struct inet6_dev *idev,
+
+ /* XXX - MC not implemented */
+
+- if (ext_filter_mask & RTEXT_FILTER_SKIP_STATS)
+- return 0;
+-
+- nla = nla_reserve(skb, IFLA_INET6_STATS, IPSTATS_MIB_MAX * sizeof(u64));
+- if (!nla)
+- goto nla_put_failure;
+- snmp6_fill_stats(nla_data(nla), idev, IFLA_INET6_STATS, nla_len(nla));
+-
+- nla = nla_reserve(skb, IFLA_INET6_ICMP6STATS, ICMP6_MIB_MAX * sizeof(u64));
+- if (!nla)
+- goto nla_put_failure;
+- snmp6_fill_stats(nla_data(nla), idev, IFLA_INET6_ICMP6STATS, nla_len(nla));
++ if (!(ext_filter_mask & RTEXT_FILTER_SKIP_STATS)) {
++ if (inet6_fill_ifla6_stats_attrs(skb, idev) < 0)
++ goto nla_put_failure;
++ }
+
+ nla = nla_reserve(skb, IFLA_INET6_TOKEN, sizeof(struct in6_addr));
+ if (!nla)
+--
+2.39.5
+
--- /dev/null
+From c0e806e6b3f8d21a2f0db841528117f1faa6ea4e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Apr 2025 14:42:23 +0300
+Subject: ipv6: Start path selection from the first nexthop
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit 4d0ab3a6885e3e9040310a8d8f54503366083626 ]
+
+Cited commit transitioned IPv6 path selection to use hash-threshold
+instead of modulo-N. With hash-threshold, each nexthop is assigned a
+region boundary in the multipath hash function's output space and a
+nexthop is chosen if the calculated hash is smaller than the nexthop's
+region boundary.
+
+Hash-threshold does not work correctly if path selection does not start
+with the first nexthop. For example, if fib6_select_path() is always
+passed the last nexthop in the group, then it will always be chosen
+because its region boundary covers the entire hash function's output
+space.
+
+Fix this by starting the selection process from the first nexthop and do
+not consider nexthops for which rt6_score_route() provided a negative
+score.
+
+Fixes: 3d709f69a3e7 ("ipv6: Use hash-threshold instead of modulo-N")
+Reported-by: Stanislav Fomichev <stfomichev@gmail.com>
+Closes: https://lore.kernel.org/netdev/Z9RIyKZDNoka53EO@mini-arch/
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20250402114224.293392-2-idosch@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/route.c | 38 +++++++++++++++++++++++++++++++++++---
+ 1 file changed, 35 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index 5cf6e824c0dff..2cfef1c971093 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -416,11 +416,35 @@ static bool rt6_check_expired(const struct rt6_info *rt)
+ return false;
+ }
+
++static struct fib6_info *
++rt6_multipath_first_sibling_rcu(const struct fib6_info *rt)
++{
++ struct fib6_info *iter;
++ struct fib6_node *fn;
++
++ fn = rcu_dereference(rt->fib6_node);
++ if (!fn)
++ goto out;
++ iter = rcu_dereference(fn->leaf);
++ if (!iter)
++ goto out;
++
++ while (iter) {
++ if (iter->fib6_metric == rt->fib6_metric &&
++ rt6_qualify_for_ecmp(iter))
++ return iter;
++ iter = rcu_dereference(iter->fib6_next);
++ }
++
++out:
++ return NULL;
++}
++
+ void fib6_select_path(const struct net *net, struct fib6_result *res,
+ struct flowi6 *fl6, int oif, bool have_oif_match,
+ const struct sk_buff *skb, int strict)
+ {
+- struct fib6_info *match = res->f6i;
++ struct fib6_info *first, *match = res->f6i;
+ struct fib6_info *sibling;
+
+ if (!match->nh && (!match->fib6_nsiblings || have_oif_match))
+@@ -444,10 +468,18 @@ void fib6_select_path(const struct net *net, struct fib6_result *res,
+ return;
+ }
+
+- if (fl6->mp_hash <= atomic_read(&match->fib6_nh->fib_nh_upper_bound))
++ first = rt6_multipath_first_sibling_rcu(match);
++ if (!first)
+ goto out;
+
+- list_for_each_entry_rcu(sibling, &match->fib6_siblings,
++ if (fl6->mp_hash <= atomic_read(&first->fib6_nh->fib_nh_upper_bound) &&
++ rt6_score_route(first->fib6_nh, first->fib6_flags, oif,
++ strict) >= 0) {
++ match = first;
++ goto out;
++ }
++
++ list_for_each_entry_rcu(sibling, &first->fib6_siblings,
+ fib6_siblings) {
+ const struct fib6_nh *nh = sibling->fib6_nh;
+ int nh_upper_bound;
+--
+2.39.5
+
--- /dev/null
+From 318813c5bb6a9bcc7b178bd9b9abb1e1fd081fa8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Feb 2025 19:59:00 +0000
+Subject: isofs: fix KMSAN uninit-value bug in do_isofs_readdir()
+
+From: Qasim Ijaz <qasdev00@gmail.com>
+
+[ Upstream commit 81a82e8f33880793029cd6f8a766fb13b737e6a7 ]
+
+In do_isofs_readdir() when assigning the variable
+"struct iso_directory_record *de" the b_data field of the buffer_head
+is accessed and an offset is added to it, the size of b_data is 2048
+and the offset size is 2047, meaning
+"de = (struct iso_directory_record *) (bh->b_data + offset);"
+yields the final byte of the 2048 sized b_data block.
+
+The first byte of the directory record (de_len) is then read and
+found to be 31, meaning the directory record size is 31 bytes long.
+The directory record is defined by the structure:
+
+ struct iso_directory_record {
+ __u8 length; // 1 byte
+ __u8 ext_attr_length; // 1 byte
+ __u8 extent[8]; // 8 bytes
+ __u8 size[8]; // 8 bytes
+ __u8 date[7]; // 7 bytes
+ __u8 flags; // 1 byte
+ __u8 file_unit_size; // 1 byte
+ __u8 interleave; // 1 byte
+ __u8 volume_sequence_number[4]; // 4 bytes
+ __u8 name_len; // 1 byte
+ char name[]; // variable size
+ } __attribute__((packed));
+
+The fixed portion of this structure occupies 33 bytes. Therefore, a
+valid directory record must be at least 33 bytes long
+(even without considering the variable-length name field).
+Since de_len is only 31, it is insufficient to contain
+the complete fixed header.
+
+The code later hits the following sanity check that
+compares de_len against the sum of de->name_len and
+sizeof(struct iso_directory_record):
+
+ if (de_len < de->name_len[0] + sizeof(struct iso_directory_record)) {
+ ...
+ }
+
+Since the fixed portion of the structure is
+33 bytes (up to and including name_len member),
+a valid record should have de_len of at least 33 bytes;
+here, however, de_len is too short, and the field de->name_len
+(located at offset 32) is accessed even though it lies beyond
+the available 31 bytes.
+
+This access on the corrupted isofs data triggers a KASAN uninitialized
+memory warning. The fix would be to first verify that de_len is at least
+sizeof(struct iso_directory_record) before accessing any
+fields like de->name_len.
+
+Reported-by: syzbot <syzbot+812641c6c3d7586a1613@syzkaller.appspotmail.com>
+Tested-by: syzbot <syzbot+812641c6c3d7586a1613@syzkaller.appspotmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=812641c6c3d7586a1613
+Fixes: 2deb1acc653c ("isofs: fix access to unallocated memory when reading corrupted filesystem")
+Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Link: https://patch.msgid.link/20250211195900.42406-1-qasdev00@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/isofs/dir.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/isofs/dir.c b/fs/isofs/dir.c
+index eb2f8273e6f15..09df40b612fbf 100644
+--- a/fs/isofs/dir.c
++++ b/fs/isofs/dir.c
+@@ -147,7 +147,8 @@ static int do_isofs_readdir(struct inode *inode, struct file *file,
+ de = tmpde;
+ }
+ /* Basic sanity check, whether name doesn't exceed dir entry */
+- if (de_len < de->name_len[0] +
++ if (de_len < sizeof(struct iso_directory_record) ||
++ de_len < de->name_len[0] +
+ sizeof(struct iso_directory_record)) {
+ printk(KERN_NOTICE "iso9660: Corrupted directory entry"
+ " in block %lu of inode %lu\n", block,
+--
+2.39.5
+
--- /dev/null
+From 72fb640e9caff13794f3fad01900e36d630f7c6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 31 Jan 2025 17:08:24 +0530
+Subject: kexec: initialize ELF lowest address to ULONG_MAX
+
+From: Sourabh Jain <sourabhjain@linux.ibm.com>
+
+[ Upstream commit 9986fb5164c8b21f6439cfd45ba36d8cc80c9710 ]
+
+Patch series "powerpc/crash: use generic crashkernel reservation", v3.
+
+Commit 0ab97169aa05 ("crash_core: add generic function to do reservation")
+added a generic function to reserve crashkernel memory. So let's use the
+same function on powerpc and remove the architecture-specific code that
+essentially does the same thing.
+
+The generic crashkernel reservation also provides a way to split the
+crashkernel reservation into high and low memory reservations, which can
+be enabled for powerpc in the future.
+
+Additionally move powerpc to use generic APIs to locate memory hole for
+kexec segments while loading kdump kernel.
+
+This patch (of 7):
+
+kexec_elf_load() loads an ELF executable and sets the address of the
+lowest PT_LOAD section to the address held by the lowest_load_addr
+function argument.
+
+To determine the lowest PT_LOAD address, a local variable lowest_addr
+(type unsigned long) is initialized to UINT_MAX. After loading each
+PT_LOAD, its address is compared to lowest_addr. If a loaded PT_LOAD
+address is lower, lowest_addr is updated. However, setting lowest_addr to
+UINT_MAX won't work when the kernel image is loaded above 4G, as the
+returned lowest PT_LOAD address would be invalid. This is resolved by
+initializing lowest_addr to ULONG_MAX instead.
+
+This issue was discovered while implementing crashkernel high/low
+reservation on the PowerPC architecture.
+
+Link: https://lkml.kernel.org/r/20250131113830.925179-1-sourabhjain@linux.ibm.com
+Link: https://lkml.kernel.org/r/20250131113830.925179-2-sourabhjain@linux.ibm.com
+Fixes: a0458284f062 ("powerpc: Add support code for kexec_file_load()")
+Signed-off-by: Sourabh Jain <sourabhjain@linux.ibm.com>
+Acked-by: Hari Bathini <hbathini@linux.ibm.com>
+Acked-by: Baoquan He <bhe@redhat.com>
+Cc: Madhavan Srinivasan <maddy@linux.ibm.com>
+Cc: Mahesh Salgaonkar <mahesh@linux.ibm.com>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/kexec_elf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/kexec_elf.c b/kernel/kexec_elf.c
+index d3689632e8b90..3a5c25b2adc94 100644
+--- a/kernel/kexec_elf.c
++++ b/kernel/kexec_elf.c
+@@ -390,7 +390,7 @@ int kexec_elf_load(struct kimage *image, struct elfhdr *ehdr,
+ struct kexec_buf *kbuf,
+ unsigned long *lowest_load_addr)
+ {
+- unsigned long lowest_addr = UINT_MAX;
++ unsigned long lowest_addr = ULONG_MAX;
+ int ret;
+ size_t i;
+
+--
+2.39.5
+
--- /dev/null
+From e78ad8481558456b9f74839f8a2026ad8d8fe627 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Mar 2025 20:19:20 +0900
+Subject: ksmbd: fix multichannel connection failure
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+[ Upstream commit c1883049aa9b2b7dffd3a68c5fc67fa92c174bd9 ]
+
+ksmbd check that the session of second channel is in the session list of
+first connection. If it is in session list, multichannel connection
+should not be allowed.
+
+Fixes: b95629435b84 ("ksmbd: fix racy issue from session lookup and expire")
+Reported-by: Sean Heelan <seanheelan@gmail.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/server/mgmt/user_session.c | 16 ++++++++++++++++
+ fs/smb/server/mgmt/user_session.h | 2 ++
+ fs/smb/server/smb2pdu.c | 12 ++++--------
+ 3 files changed, 22 insertions(+), 8 deletions(-)
+
+diff --git a/fs/smb/server/mgmt/user_session.c b/fs/smb/server/mgmt/user_session.c
+index b1c2219ec0b42..3bcfe739ba136 100644
+--- a/fs/smb/server/mgmt/user_session.c
++++ b/fs/smb/server/mgmt/user_session.c
+@@ -255,6 +255,22 @@ void ksmbd_sessions_deregister(struct ksmbd_conn *conn)
+ up_write(&sessions_table_lock);
+ }
+
++bool is_ksmbd_session_in_connection(struct ksmbd_conn *conn,
++ unsigned long long id)
++{
++ struct ksmbd_session *sess;
++
++ down_read(&conn->session_lock);
++ sess = xa_load(&conn->sessions, id);
++ if (sess) {
++ up_read(&conn->session_lock);
++ return true;
++ }
++ up_read(&conn->session_lock);
++
++ return false;
++}
++
+ struct ksmbd_session *ksmbd_session_lookup(struct ksmbd_conn *conn,
+ unsigned long long id)
+ {
+diff --git a/fs/smb/server/mgmt/user_session.h b/fs/smb/server/mgmt/user_session.h
+index ce91b1d698e71..f4da293c4dbb2 100644
+--- a/fs/smb/server/mgmt/user_session.h
++++ b/fs/smb/server/mgmt/user_session.h
+@@ -87,6 +87,8 @@ void ksmbd_session_destroy(struct ksmbd_session *sess);
+ struct ksmbd_session *ksmbd_session_lookup_slowpath(unsigned long long id);
+ struct ksmbd_session *ksmbd_session_lookup(struct ksmbd_conn *conn,
+ unsigned long long id);
++bool is_ksmbd_session_in_connection(struct ksmbd_conn *conn,
++ unsigned long long id);
+ int ksmbd_session_register(struct ksmbd_conn *conn,
+ struct ksmbd_session *sess);
+ void ksmbd_sessions_deregister(struct ksmbd_conn *conn);
+diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
+index 646c4047d3b94..12bf3712ba2d3 100644
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -1723,44 +1723,38 @@ int smb2_sess_setup(struct ksmbd_work *work)
+
+ if (conn->dialect != sess->dialect) {
+ rc = -EINVAL;
+- ksmbd_user_session_put(sess);
+ goto out_err;
+ }
+
+ if (!(req->hdr.Flags & SMB2_FLAGS_SIGNED)) {
+ rc = -EINVAL;
+- ksmbd_user_session_put(sess);
+ goto out_err;
+ }
+
+ if (strncmp(conn->ClientGUID, sess->ClientGUID,
+ SMB2_CLIENT_GUID_SIZE)) {
+ rc = -ENOENT;
+- ksmbd_user_session_put(sess);
+ goto out_err;
+ }
+
+ if (sess->state == SMB2_SESSION_IN_PROGRESS) {
+ rc = -EACCES;
+- ksmbd_user_session_put(sess);
+ goto out_err;
+ }
+
+ if (sess->state == SMB2_SESSION_EXPIRED) {
+ rc = -EFAULT;
+- ksmbd_user_session_put(sess);
+ goto out_err;
+ }
+- ksmbd_user_session_put(sess);
+
+ if (ksmbd_conn_need_reconnect(conn)) {
+ rc = -EFAULT;
++ ksmbd_user_session_put(sess);
+ sess = NULL;
+ goto out_err;
+ }
+
+- sess = ksmbd_session_lookup(conn, sess_id);
+- if (!sess) {
++ if (is_ksmbd_session_in_connection(conn, sess_id)) {
+ rc = -EACCES;
+ goto out_err;
+ }
+@@ -1926,6 +1920,8 @@ int smb2_sess_setup(struct ksmbd_work *work)
+
+ sess->last_active = jiffies;
+ sess->state = SMB2_SESSION_EXPIRED;
++ ksmbd_user_session_put(sess);
++ work->sess = NULL;
+ if (try_delay) {
+ ksmbd_conn_set_need_reconnect(conn);
+ ssleep(5);
+--
+2.39.5
+
--- /dev/null
+From 0be04e0deee05fd7a7615650b21f797ae48810bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Mar 2025 20:12:34 +0800
+Subject: ksmbd: use aead_request_free to match aead_request_alloc
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit 6171063e9d046ffa46f51579b2ca4a43caef581a ]
+
+Use aead_request_free() instead of kfree() to properly free memory
+allocated by aead_request_alloc(). This ensures sensitive crypto data
+is zeroed before being freed.
+
+Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/smb/server/auth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/smb/server/auth.c b/fs/smb/server/auth.c
+index 8e24a6665abdb..c34b30642bfdd 100644
+--- a/fs/smb/server/auth.c
++++ b/fs/smb/server/auth.c
+@@ -1211,7 +1211,7 @@ int ksmbd_crypt_message(struct ksmbd_work *work, struct kvec *iov,
+ free_sg:
+ kfree(sg);
+ free_req:
+- kfree(req);
++ aead_request_free(req);
+ free_ctx:
+ ksmbd_release_crypto_ctx(ctx);
+ return rc;
+--
+2.39.5
+
--- /dev/null
+From 08c6ac833a5ecb7391dc5e57c0110cedd6d4c5d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Jan 2025 19:42:04 +0530
+Subject: lib: 842: Improve error handling in sw842_compress()
+
+From: Tanya Agarwal <tanyaagarwal25699@gmail.com>
+
+[ Upstream commit af324dc0e2b558678aec42260cce38be16cc77ca ]
+
+The static code analysis tool "Coverity Scan" pointed the following
+implementation details out for further development considerations:
+CID 1309755: Unused value
+In sw842_compress: A value assigned to a variable is never used. (CWE-563)
+returned_value: Assigning value from add_repeat_template(p, repeat_count)
+to ret here, but that stored value is overwritten before it can be used.
+
+Conclusion:
+Add error handling for the return value from an add_repeat_template()
+call.
+
+Fixes: 2da572c959dd ("lib: add software 842 compression/decompression")
+Signed-off-by: Tanya Agarwal <tanyaagarwal25699@gmail.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/842/842_compress.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/842/842_compress.c b/lib/842/842_compress.c
+index c02baa4168e16..055356508d97c 100644
+--- a/lib/842/842_compress.c
++++ b/lib/842/842_compress.c
+@@ -532,6 +532,8 @@ int sw842_compress(const u8 *in, unsigned int ilen,
+ }
+ if (repeat_count) {
+ ret = add_repeat_template(p, repeat_count);
++ if (ret)
++ return ret;
+ repeat_count = 0;
+ if (next == last) /* reached max repeat bits */
+ goto repeat;
+--
+2.39.5
+
--- /dev/null
+From 6cee3deba434aca05cfd5908161de24ef6c108cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Feb 2025 16:28:21 -0800
+Subject: libbpf: Fix hypothetical STT_SECTION extern NULL deref case
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit e0525cd72b5979d8089fe524a071ea93fd011dc9 ]
+
+Fix theoretical NULL dereference in linker when resolving *extern*
+STT_SECTION symbol against not-yet-existing ELF section. Not sure if
+it's possible in practice for valid ELF object files (this would require
+embedded assembly manipulations, at which point BTF will be missing),
+but fix the s/dst_sym/dst_sec/ typo guarding this condition anyways.
+
+Fixes: faf6ed321cf6 ("libbpf: Add BPF static linker APIs")
+Fixes: a46349227cd8 ("libbpf: Add linker extern resolution support for functions and global variables")
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/r/20250220002821.834400-1-andrii@kernel.org
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/linker.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/lib/bpf/linker.c b/tools/lib/bpf/linker.c
+index 5a99bf6af445b..752ef88c9fd97 100644
+--- a/tools/lib/bpf/linker.c
++++ b/tools/lib/bpf/linker.c
+@@ -1962,7 +1962,7 @@ static int linker_append_elf_sym(struct bpf_linker *linker, struct src_obj *obj,
+
+ obj->sym_map[src_sym_idx] = dst_sym_idx;
+
+- if (sym_type == STT_SECTION && dst_sym) {
++ if (sym_type == STT_SECTION && dst_sec) {
+ dst_sec->sec_sym_idx = dst_sym_idx;
+ dst_sym->st_value = 0;
+ }
+--
+2.39.5
+
--- /dev/null
+From 2f7e26ab4a3238525db5fc991147f18fdc1bbf9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Feb 2025 11:36:18 +0100
+Subject: lockdep: Don't disable interrupts on RT in
+ disable_irq_nosync_lockdep.*()
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit 87886b32d669abc11c7be95ef44099215e4f5788 ]
+
+disable_irq_nosync_lockdep() disables interrupts with lockdep enabled to
+avoid false positive reports by lockdep that a certain lock has not been
+acquired with disabled interrupts. The user of this macros expects that
+a lock can be acquried without disabling interrupts because the IRQ line
+triggering the interrupt is disabled.
+
+This triggers a warning on PREEMPT_RT because after
+disable_irq_nosync_lockdep.*() the following spinlock_t now is acquired
+with disabled interrupts.
+
+On PREEMPT_RT there is no difference between spin_lock() and
+spin_lock_irq() so avoiding disabling interrupts in this case works for
+the two remaining callers as of today.
+
+Don't disable interrupts on PREEMPT_RT in disable_irq_nosync_lockdep.*().
+
+Closes: https://lore.kernel.org/760e34f9-6034-40e0-82a5-ee9becd24438@roeck-us.net
+Fixes: e8106b941ceab ("[PATCH] lockdep: core, add enable/disable_irq_irqsave/irqrestore() APIs")
+Reported-by: Guenter Roeck <linux@roeck-us.net>
+Suggested-by: "Steven Rostedt (Google)" <rostedt@goodmis.org>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Tested-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20250212103619.2560503-2-bigeasy@linutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/interrupt.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/include/linux/interrupt.h b/include/linux/interrupt.h
+index 4a1dc88ddbff9..2610a7d156da8 100644
+--- a/include/linux/interrupt.h
++++ b/include/linux/interrupt.h
+@@ -441,7 +441,7 @@ irq_calc_affinity_vectors(unsigned int minvec, unsigned int maxvec,
+ static inline void disable_irq_nosync_lockdep(unsigned int irq)
+ {
+ disable_irq_nosync(irq);
+-#ifdef CONFIG_LOCKDEP
++#if defined(CONFIG_LOCKDEP) && !defined(CONFIG_PREEMPT_RT)
+ local_irq_disable();
+ #endif
+ }
+@@ -449,7 +449,7 @@ static inline void disable_irq_nosync_lockdep(unsigned int irq)
+ static inline void disable_irq_nosync_lockdep_irqsave(unsigned int irq, unsigned long *flags)
+ {
+ disable_irq_nosync(irq);
+-#ifdef CONFIG_LOCKDEP
++#if defined(CONFIG_LOCKDEP) && !defined(CONFIG_PREEMPT_RT)
+ local_irq_save(*flags);
+ #endif
+ }
+@@ -464,7 +464,7 @@ static inline void disable_irq_lockdep(unsigned int irq)
+
+ static inline void enable_irq_lockdep(unsigned int irq)
+ {
+-#ifdef CONFIG_LOCKDEP
++#if defined(CONFIG_LOCKDEP) && !defined(CONFIG_PREEMPT_RT)
+ local_irq_enable();
+ #endif
+ enable_irq(irq);
+@@ -472,7 +472,7 @@ static inline void enable_irq_lockdep(unsigned int irq)
+
+ static inline void enable_irq_lockdep_irqrestore(unsigned int irq, unsigned long *flags)
+ {
+-#ifdef CONFIG_LOCKDEP
++#if defined(CONFIG_LOCKDEP) && !defined(CONFIG_PREEMPT_RT)
+ local_irq_restore(*flags);
+ #endif
+ enable_irq(irq);
+--
+2.39.5
+
--- /dev/null
+From 9fb29714b5ecf3f046dd204ae414471daa5ee443 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Nov 2024 14:39:10 +0100
+Subject: lockdep/mm: Fix might_fault() lockdep check of current->mm->mmap_lock
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit a1b65f3f7c6f7f0a08a7dba8be458c6415236487 ]
+
+Turns out that this commit, about 10 years ago:
+
+ 9ec23531fd48 ("sched/preempt, mm/fault: Trigger might_sleep() in might_fault() with disabled pagefaults")
+
+... accidentally (and unnessecarily) put the lockdep part of
+__might_fault() under CONFIG_DEBUG_ATOMIC_SLEEP=y.
+
+This is potentially notable because large distributions such as
+Ubuntu are running with !CONFIG_DEBUG_ATOMIC_SLEEP.
+
+Restore the debug check.
+
+[ mingo: Update changelog. ]
+
+Fixes: 9ec23531fd48 ("sched/preempt, mm/fault: Trigger might_sleep() in might_fault() with disabled pagefaults")
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Link: https://lore.kernel.org/r/20241104135517.536628371@infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/memory.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/mm/memory.c b/mm/memory.c
+index fd874df17b365..2e776ea38348a 100644
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -5848,10 +5848,8 @@ void __might_fault(const char *file, int line)
+ if (pagefault_disabled())
+ return;
+ __might_sleep(file, line);
+-#if defined(CONFIG_DEBUG_ATOMIC_SLEEP)
+ if (current->mm)
+ might_lock_read(¤t->mm->mmap_lock);
+-#endif
+ }
+ EXPORT_SYMBOL(__might_fault);
+ #endif
+--
+2.39.5
+
--- /dev/null
+From 4db785546ae0e8aeb42b2714f8a7df4c649598c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Mar 2025 15:26:52 -0800
+Subject: locking/semaphore: Use wake_q to wake up processes outside lock
+ critical section
+
+From: Waiman Long <longman@redhat.com>
+
+[ Upstream commit 85b2b9c16d053364e2004883140538e73b333cdb ]
+
+A circular lock dependency splat has been seen involving down_trylock():
+
+ ======================================================
+ WARNING: possible circular locking dependency detected
+ 6.12.0-41.el10.s390x+debug
+ ------------------------------------------------------
+ dd/32479 is trying to acquire lock:
+ 0015a20accd0d4f8 ((console_sem).lock){-.-.}-{2:2}, at: down_trylock+0x26/0x90
+
+ but task is already holding lock:
+ 000000017e461698 (&zone->lock){-.-.}-{2:2}, at: rmqueue_bulk+0xac/0x8f0
+
+ the existing dependency chain (in reverse order) is:
+ -> #4 (&zone->lock){-.-.}-{2:2}:
+ -> #3 (hrtimer_bases.lock){-.-.}-{2:2}:
+ -> #2 (&rq->__lock){-.-.}-{2:2}:
+ -> #1 (&p->pi_lock){-.-.}-{2:2}:
+ -> #0 ((console_sem).lock){-.-.}-{2:2}:
+
+The console_sem -> pi_lock dependency is due to calling try_to_wake_up()
+while holding the console_sem raw_spinlock. This dependency can be broken
+by using wake_q to do the wakeup instead of calling try_to_wake_up()
+under the console_sem lock. This will also make the semaphore's
+raw_spinlock become a terminal lock without taking any further locks
+underneath it.
+
+The hrtimer_bases.lock is a raw_spinlock while zone->lock is a
+spinlock. The hrtimer_bases.lock -> zone->lock dependency happens via
+the debug_objects_fill_pool() helper function in the debugobjects code.
+
+ -> #4 (&zone->lock){-.-.}-{2:2}:
+ __lock_acquire+0xe86/0x1cc0
+ lock_acquire.part.0+0x258/0x630
+ lock_acquire+0xb8/0xe0
+ _raw_spin_lock_irqsave+0xb4/0x120
+ rmqueue_bulk+0xac/0x8f0
+ __rmqueue_pcplist+0x580/0x830
+ rmqueue_pcplist+0xfc/0x470
+ rmqueue.isra.0+0xdec/0x11b0
+ get_page_from_freelist+0x2ee/0xeb0
+ __alloc_pages_noprof+0x2c2/0x520
+ alloc_pages_mpol_noprof+0x1fc/0x4d0
+ alloc_pages_noprof+0x8c/0xe0
+ allocate_slab+0x320/0x460
+ ___slab_alloc+0xa58/0x12b0
+ __slab_alloc.isra.0+0x42/0x60
+ kmem_cache_alloc_noprof+0x304/0x350
+ fill_pool+0xf6/0x450
+ debug_object_activate+0xfe/0x360
+ enqueue_hrtimer+0x34/0x190
+ __run_hrtimer+0x3c8/0x4c0
+ __hrtimer_run_queues+0x1b2/0x260
+ hrtimer_interrupt+0x316/0x760
+ do_IRQ+0x9a/0xe0
+ do_irq_async+0xf6/0x160
+
+Normally a raw_spinlock to spinlock dependency is not legitimate
+and will be warned if CONFIG_PROVE_RAW_LOCK_NESTING is enabled,
+but debug_objects_fill_pool() is an exception as it explicitly
+allows this dependency for non-PREEMPT_RT kernel without causing
+PROVE_RAW_LOCK_NESTING lockdep splat. As a result, this dependency is
+legitimate and not a bug.
+
+Anyway, semaphore is the only locking primitive left that is still
+using try_to_wake_up() to do wakeup inside critical section, all the
+other locking primitives had been migrated to use wake_q to do wakeup
+outside of the critical section. It is also possible that there are
+other circular locking dependencies involving printk/console_sem or
+other existing/new semaphores lurking somewhere which may show up in
+the future. Let just do the migration now to wake_q to avoid headache
+like this.
+
+Reported-by: yzbot+ed801a886dfdbfe7136d@syzkaller.appspotmail.com
+Signed-off-by: Waiman Long <longman@redhat.com>
+Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Link: https://lore.kernel.org/r/20250307232717.1759087-3-boqun.feng@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/locking/semaphore.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/locking/semaphore.c b/kernel/locking/semaphore.c
+index 34bfae72f2952..de9117c0e671e 100644
+--- a/kernel/locking/semaphore.c
++++ b/kernel/locking/semaphore.c
+@@ -29,6 +29,7 @@
+ #include <linux/export.h>
+ #include <linux/sched.h>
+ #include <linux/sched/debug.h>
++#include <linux/sched/wake_q.h>
+ #include <linux/semaphore.h>
+ #include <linux/spinlock.h>
+ #include <linux/ftrace.h>
+@@ -38,7 +39,7 @@ static noinline void __down(struct semaphore *sem);
+ static noinline int __down_interruptible(struct semaphore *sem);
+ static noinline int __down_killable(struct semaphore *sem);
+ static noinline int __down_timeout(struct semaphore *sem, long timeout);
+-static noinline void __up(struct semaphore *sem);
++static noinline void __up(struct semaphore *sem, struct wake_q_head *wake_q);
+
+ /**
+ * down - acquire the semaphore
+@@ -183,13 +184,16 @@ EXPORT_SYMBOL(down_timeout);
+ void __sched up(struct semaphore *sem)
+ {
+ unsigned long flags;
++ DEFINE_WAKE_Q(wake_q);
+
+ raw_spin_lock_irqsave(&sem->lock, flags);
+ if (likely(list_empty(&sem->wait_list)))
+ sem->count++;
+ else
+- __up(sem);
++ __up(sem, &wake_q);
+ raw_spin_unlock_irqrestore(&sem->lock, flags);
++ if (!wake_q_empty(&wake_q))
++ wake_up_q(&wake_q);
+ }
+ EXPORT_SYMBOL(up);
+
+@@ -269,11 +273,12 @@ static noinline int __sched __down_timeout(struct semaphore *sem, long timeout)
+ return __down_common(sem, TASK_UNINTERRUPTIBLE, timeout);
+ }
+
+-static noinline void __sched __up(struct semaphore *sem)
++static noinline void __sched __up(struct semaphore *sem,
++ struct wake_q_head *wake_q)
+ {
+ struct semaphore_waiter *waiter = list_first_entry(&sem->wait_list,
+ struct semaphore_waiter, list);
+ list_del(&waiter->list);
+ waiter->up = true;
+- wake_up_process(waiter->task);
++ wake_q_add(wake_q, waiter->task);
+ }
+--
+2.39.5
+
--- /dev/null
+From 0de14121a9450e9e4e42f4f40c9ad595bc1acac6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 30 Mar 2025 16:31:09 +0800
+Subject: LoongArch: Fix help text of CMDLINE_EXTEND in Kconfig
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: 谢致邦 (XIE Zhibang) <Yeking@Red54.com>
+
+[ Upstream commit be216cbc1ddf99a51915414ce147311c0dfd50a2 ]
+
+It is the built-in command line appended to the bootloader command line,
+not the bootloader command line appended to the built-in command line.
+
+Fixes: fa96b57c1490 ("LoongArch: Add build infrastructure")
+Signed-off-by: 谢致邦 (XIE Zhibang) <Yeking@Red54.com>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/loongarch/Kconfig | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/loongarch/Kconfig b/arch/loongarch/Kconfig
+index f4ba3638b76a8..0166d357069d9 100644
+--- a/arch/loongarch/Kconfig
++++ b/arch/loongarch/Kconfig
+@@ -310,8 +310,8 @@ config CMDLINE_BOOTLOADER
+ config CMDLINE_EXTEND
+ bool "Use built-in to extend bootloader kernel arguments"
+ help
+- The command-line arguments provided during boot will be
+- appended to the built-in command line. This is useful in
++ The built-in command line will be appended to the command-
++ line arguments provided during boot. This is useful in
+ cases where the provided arguments are insufficient and
+ you don't want to or cannot modify them.
+
+--
+2.39.5
+
--- /dev/null
+From 1869d08fcd56df2ebce48cd98c8fae7a1bbb20a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Feb 2025 17:44:23 +0100
+Subject: mdacon: rework dependency list
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 5bbcc7645f4b244ffb5ac6563fbe9d3d42194447 ]
+
+mdacon has roughly the same dependencies as vgacon but expresses them
+as a negative list instead of a positive list, with the only practical
+difference being PowerPC/CHRP, which uses vga16fb instead of vgacon.
+
+The CONFIG_MDA_CONSOLE description advises to only turn it on when vgacon
+is also used because MDA/Hercules-only systems should be using vgacon
+instead, so just change the list to enforce that directly for simplicity.
+
+The probing was broken from 2002 to 2008, this improves on the fix
+that was added then: If vgacon is a loadable module, then mdacon
+cannot be built-in now, and the list of systems that support vgacon
+is carried over.
+
+Fixes: 0b9cf3aa6b1e ("mdacon messing up default vc's - set default to vc13-16 again")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/console/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/video/console/Kconfig b/drivers/video/console/Kconfig
+index 22cea5082ac46..5c4df3aaab1ed 100644
+--- a/drivers/video/console/Kconfig
++++ b/drivers/video/console/Kconfig
+@@ -24,7 +24,7 @@ config VGA_CONSOLE
+ Say Y.
+
+ config MDA_CONSOLE
+- depends on !M68K && !PARISC && ISA
++ depends on VGA_CONSOLE && ISA
+ tristate "MDA text console (dual-headed)"
+ help
+ Say Y here if you have an old MDA or monochrome Hercules graphics
+--
+2.39.5
+
--- /dev/null
+From 43149839e4df0990aa9865b3ada68d9fa2249745 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Dec 2024 11:06:21 +0900
+Subject: media: platform: allgro-dvt: unregister v4l2_device on the error path
+
+From: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+
+[ Upstream commit c2b96a6818159fba8a3bcc38262da9e77f9b3ec7 ]
+
+In allegro_probe(), the v4l2 device is not unregistered in the error
+path, which results in a memory leak. Fix it by calling
+v4l2_device_unregister() before returning error.
+
+Fixes: d74d4e2359ec ("media: allegro: move driver out of staging")
+Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+Reviewed-by: Michael Tretter <m.tretter@pengutronix.de>
+Signed-off-by: Sebastian Fricke <sebastian.fricke@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/allegro-dvt/allegro-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/platform/allegro-dvt/allegro-core.c b/drivers/media/platform/allegro-dvt/allegro-core.c
+index 3cb4618d23375..1a556e381eac8 100644
+--- a/drivers/media/platform/allegro-dvt/allegro-core.c
++++ b/drivers/media/platform/allegro-dvt/allegro-core.c
+@@ -3915,6 +3915,7 @@ static int allegro_probe(struct platform_device *pdev)
+ if (ret < 0) {
+ v4l2_err(&dev->v4l2_dev,
+ "failed to request firmware: %d\n", ret);
++ v4l2_device_unregister(&dev->v4l2_dev);
+ return ret;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 5f0afb9b4fcb9a9aa99528cd08a4afa3a4b4b979 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Jan 2025 09:10:52 +0100
+Subject: media: verisilicon: HEVC: Initialize start_bit field
+
+From: Benjamin Gaignard <benjamin.gaignard@collabora.com>
+
+[ Upstream commit 7fcb42b3835e90ef18d68555934cf72adaf58402 ]
+
+The HEVC driver needs to set the start_bit field explicitly to avoid
+causing corrupted frames when the VP9 decoder is used in parallel. The
+reason for this problem is that the VP9 and the HEVC decoder share this
+register.
+
+Fixes: cb5dd5a0fa51 ("media: hantro: Introduce G2/HEVC decoder")
+Signed-off-by: Benjamin Gaignard <benjamin.gaignard@collabora.com>
+Tested-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Sebastian Fricke <sebastian.fricke@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/verisilicon/hantro_g2_hevc_dec.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/media/platform/verisilicon/hantro_g2_hevc_dec.c b/drivers/media/platform/verisilicon/hantro_g2_hevc_dec.c
+index a9d4ac84a8d8d..d1971af5f7fa6 100644
+--- a/drivers/media/platform/verisilicon/hantro_g2_hevc_dec.c
++++ b/drivers/media/platform/verisilicon/hantro_g2_hevc_dec.c
+@@ -517,6 +517,7 @@ static void set_buffers(struct hantro_ctx *ctx)
+ hantro_reg_write(vpu, &g2_stream_len, src_len);
+ hantro_reg_write(vpu, &g2_strm_buffer_len, src_buf_len);
+ hantro_reg_write(vpu, &g2_strm_start_offset, 0);
++ hantro_reg_write(vpu, &g2_start_bit, 0);
+ hantro_reg_write(vpu, &g2_write_mvs_e, 1);
+
+ hantro_write_addr(vpu, G2_TILE_SIZES_ADDR, ctx->hevc_dec.tile_sizes.dma);
+--
+2.39.5
+
--- /dev/null
+From 0a4ca7c2ddf2f0711a38706f0dfd3944e4933c2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Mar 2025 15:15:14 +0100
+Subject: memory: omap-gpmc: drop no compatible check
+
+From: Roger Quadros <rogerq@kernel.org>
+
+[ Upstream commit edcccc6892f65eff5fd3027a13976131dc7fd733 ]
+
+We are no longer depending on legacy device trees so
+drop the no compatible check for NAND and OneNAND
+nodes.
+
+Suggested-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Roger Quadros <rogerq@kernel.org>
+Reviewed-by: Rob Herring (Arm) <robh@kernel.org>
+Link: https://lore.kernel.org/r/20250114-omap-gpmc-drop-no-compatible-check-v1-1-262c8d549732@kernel.org
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/memory/omap-gpmc.c | 20 --------------------
+ 1 file changed, 20 deletions(-)
+
+diff --git a/drivers/memory/omap-gpmc.c b/drivers/memory/omap-gpmc.c
+index 2351f2708da23..f30b1c0093d3f 100644
+--- a/drivers/memory/omap-gpmc.c
++++ b/drivers/memory/omap-gpmc.c
+@@ -2154,26 +2154,6 @@ static int gpmc_probe_generic_child(struct platform_device *pdev,
+ goto err;
+ }
+
+- if (of_node_name_eq(child, "nand")) {
+- /* Warn about older DT blobs with no compatible property */
+- if (!of_property_read_bool(child, "compatible")) {
+- dev_warn(&pdev->dev,
+- "Incompatible NAND node: missing compatible");
+- ret = -EINVAL;
+- goto err;
+- }
+- }
+-
+- if (of_node_name_eq(child, "onenand")) {
+- /* Warn about older DT blobs with no compatible property */
+- if (!of_property_read_bool(child, "compatible")) {
+- dev_warn(&pdev->dev,
+- "Incompatible OneNAND node: missing compatible");
+- ret = -EINVAL;
+- goto err;
+- }
+- }
+-
+ if (of_match_node(omap_nand_ids, child)) {
+ /* NAND specific setup */
+ val = 8;
+--
+2.39.5
+
--- /dev/null
+From 8d06b38255bb6f08c4ce3506f1e45ec59ec06c6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Jan 2025 09:12:06 -0800
+Subject: mfd: sm501: Switch to BIT() to mitigate integer overflows
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+[ Upstream commit 2d8cb9ffe18c2f1e5bd07a19cbce85b26c1d0cf0 ]
+
+If offset end up being high enough, right hand expression in functions
+like sm501_gpio_set() shifted left for that number of bits, may
+not fit in int type.
+
+Just in case, fix that by using BIT() both as an option safe from
+overflow issues and to make this step look similar to other gpio
+drivers.
+
+Found by Linux Verification Center (linuxtesting.org) with static
+analysis tool SVACE.
+
+Fixes: f61be273d369 ("sm501: add gpiolib support")
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Link: https://lore.kernel.org/r/20250115171206.20308-1-n.zhandarovich@fintech.ru
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/sm501.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/mfd/sm501.c b/drivers/mfd/sm501.c
+index 3ac4508a6742a..78dcbf8e2c15d 100644
+--- a/drivers/mfd/sm501.c
++++ b/drivers/mfd/sm501.c
+@@ -920,7 +920,7 @@ static void sm501_gpio_set(struct gpio_chip *chip, unsigned offset, int value)
+ {
+ struct sm501_gpio_chip *smchip = gpiochip_get_data(chip);
+ struct sm501_gpio *smgpio = smchip->ourgpio;
+- unsigned long bit = 1 << offset;
++ unsigned long bit = BIT(offset);
+ void __iomem *regs = smchip->regbase;
+ unsigned long save;
+ unsigned long val;
+@@ -946,7 +946,7 @@ static int sm501_gpio_input(struct gpio_chip *chip, unsigned offset)
+ struct sm501_gpio_chip *smchip = gpiochip_get_data(chip);
+ struct sm501_gpio *smgpio = smchip->ourgpio;
+ void __iomem *regs = smchip->regbase;
+- unsigned long bit = 1 << offset;
++ unsigned long bit = BIT(offset);
+ unsigned long save;
+ unsigned long ddr;
+
+@@ -971,7 +971,7 @@ static int sm501_gpio_output(struct gpio_chip *chip,
+ {
+ struct sm501_gpio_chip *smchip = gpiochip_get_data(chip);
+ struct sm501_gpio *smgpio = smchip->ourgpio;
+- unsigned long bit = 1 << offset;
++ unsigned long bit = BIT(offset);
+ void __iomem *regs = smchip->regbase;
+ unsigned long save;
+ unsigned long val;
+--
+2.39.5
+
--- /dev/null
+From 7b2e87a3685bec4336c930c7cd899a1d51648b39 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Apr 2025 15:56:37 +0200
+Subject: net: dsa: mv88e6xxx: propperly shutdown PPU re-enable timer on
+ destroy
+
+From: David Oberhollenzer <david.oberhollenzer@sigma-star.at>
+
+[ Upstream commit a58d882841a0750da3c482cd3d82432b1c7edb77 ]
+
+The mv88e6xxx has an internal PPU that polls PHY state. If we want to
+access the internal PHYs, we need to disable the PPU first. Because
+that is a slow operation, a 10ms timer is used to re-enable it,
+canceled with every access, so bulk operations effectively only
+disable it once and re-enable it some 10ms after the last access.
+
+If a PHY is accessed and then the mv88e6xxx module is removed before
+the 10ms are up, the PPU re-enable ends up accessing a dangling pointer.
+
+This especially affects probing during bootup. The MDIO bus and PHY
+registration may succeed, but registration with the DSA framework
+may fail later on (e.g. because the CPU port depends on another,
+very slow device that isn't done probing yet, returning -EPROBE_DEFER).
+In this case, probe() fails, but the MDIO subsystem may already have
+accessed the MIDO bus or PHYs, arming the timer.
+
+This is fixed as follows:
+ - If probe fails after mv88e6xxx_phy_init(), make sure we also call
+ mv88e6xxx_phy_destroy() before returning
+ - In mv88e6xxx_remove(), make sure we do the teardown in the correct
+ order, calling mv88e6xxx_phy_destroy() after unregistering the
+ switch device.
+ - In mv88e6xxx_phy_destroy(), destroy both the timer and the work item
+ that the timer might schedule, synchronously waiting in case one of
+ the callbacks already fired and destroying the timer first, before
+ waiting for the work item.
+ - Access to the PPU is guarded by a mutex, the worker acquires it
+ with a mutex_trylock(), not proceeding with the expensive shutdown
+ if that fails. We grab the mutex in mv88e6xxx_phy_destroy() to make
+ sure the slow PPU shutdown is already done or won't even enter, when
+ we wait for the work item.
+
+Fixes: 2e5f032095ff ("dsa: add support for the Marvell 88E6131 switch chip")
+Signed-off-by: David Oberhollenzer <david.oberhollenzer@sigma-star.at>
+Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
+Link: https://patch.msgid.link/20250401135705.92760-1-david.oberhollenzer@sigma-star.at
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mv88e6xxx/chip.c | 11 +++++++----
+ drivers/net/dsa/mv88e6xxx/phy.c | 3 +++
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c
+index af0565c3a364c..b485176e53cd1 100644
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -7199,13 +7199,13 @@ static int mv88e6xxx_probe(struct mdio_device *mdiodev)
+ err = mv88e6xxx_switch_reset(chip);
+ mv88e6xxx_reg_unlock(chip);
+ if (err)
+- goto out;
++ goto out_phy;
+
+ if (np) {
+ chip->irq = of_irq_get(np, 0);
+ if (chip->irq == -EPROBE_DEFER) {
+ err = chip->irq;
+- goto out;
++ goto out_phy;
+ }
+ }
+
+@@ -7224,7 +7224,7 @@ static int mv88e6xxx_probe(struct mdio_device *mdiodev)
+ mv88e6xxx_reg_unlock(chip);
+
+ if (err)
+- goto out;
++ goto out_phy;
+
+ if (chip->info->g2_irqs > 0) {
+ err = mv88e6xxx_g2_irq_setup(chip);
+@@ -7264,6 +7264,8 @@ static int mv88e6xxx_probe(struct mdio_device *mdiodev)
+ mv88e6xxx_g1_irq_free(chip);
+ else
+ mv88e6xxx_irq_poll_free(chip);
++out_phy:
++ mv88e6xxx_phy_destroy(chip);
+ out:
+ if (pdata)
+ dev_put(pdata->netdev);
+@@ -7286,7 +7288,6 @@ static void mv88e6xxx_remove(struct mdio_device *mdiodev)
+ mv88e6xxx_ptp_free(chip);
+ }
+
+- mv88e6xxx_phy_destroy(chip);
+ mv88e6xxx_unregister_switch(chip);
+ mv88e6xxx_mdios_unregister(chip);
+
+@@ -7300,6 +7301,8 @@ static void mv88e6xxx_remove(struct mdio_device *mdiodev)
+ mv88e6xxx_g1_irq_free(chip);
+ else
+ mv88e6xxx_irq_poll_free(chip);
++
++ mv88e6xxx_phy_destroy(chip);
+ }
+
+ static void mv88e6xxx_shutdown(struct mdio_device *mdiodev)
+diff --git a/drivers/net/dsa/mv88e6xxx/phy.c b/drivers/net/dsa/mv88e6xxx/phy.c
+index 252b5b3a3efef..d2104bd346ea2 100644
+--- a/drivers/net/dsa/mv88e6xxx/phy.c
++++ b/drivers/net/dsa/mv88e6xxx/phy.c
+@@ -197,7 +197,10 @@ static void mv88e6xxx_phy_ppu_state_init(struct mv88e6xxx_chip *chip)
+
+ static void mv88e6xxx_phy_ppu_state_destroy(struct mv88e6xxx_chip *chip)
+ {
++ mutex_lock(&chip->ppu_mutex);
+ del_timer_sync(&chip->ppu_timer);
++ cancel_work_sync(&chip->ppu_work);
++ mutex_unlock(&chip->ppu_mutex);
+ }
+
+ int mv88e6185_phy_ppu_read(struct mv88e6xxx_chip *chip, struct mii_bus *bus,
+--
+2.39.5
+
--- /dev/null
+From c7884dc3a5710ab618dcc6790363cf2581ad097f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Apr 2025 00:56:32 +0800
+Subject: net: fix geneve_opt length integer overflow
+
+From: Lin Ma <linma@zju.edu.cn>
+
+[ Upstream commit b27055a08ad4b415dcf15b63034f9cb236f7fb40 ]
+
+struct geneve_opt uses 5 bit length for each single option, which
+means every vary size option should be smaller than 128 bytes.
+
+However, all current related Netlink policies cannot promise this
+length condition and the attacker can exploit a exact 128-byte size
+option to *fake* a zero length option and confuse the parsing logic,
+further achieve heap out-of-bounds read.
+
+One example crash log is like below:
+
+[ 3.905425] ==================================================================
+[ 3.905925] BUG: KASAN: slab-out-of-bounds in nla_put+0xa9/0xe0
+[ 3.906255] Read of size 124 at addr ffff888005f291cc by task poc/177
+[ 3.906646]
+[ 3.906775] CPU: 0 PID: 177 Comm: poc-oob-read Not tainted 6.1.132 #1
+[ 3.907131] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+[ 3.907784] Call Trace:
+[ 3.907925] <TASK>
+[ 3.908048] dump_stack_lvl+0x44/0x5c
+[ 3.908258] print_report+0x184/0x4be
+[ 3.909151] kasan_report+0xc5/0x100
+[ 3.909539] kasan_check_range+0xf3/0x1a0
+[ 3.909794] memcpy+0x1f/0x60
+[ 3.909968] nla_put+0xa9/0xe0
+[ 3.910147] tunnel_key_dump+0x945/0xba0
+[ 3.911536] tcf_action_dump_1+0x1c1/0x340
+[ 3.912436] tcf_action_dump+0x101/0x180
+[ 3.912689] tcf_exts_dump+0x164/0x1e0
+[ 3.912905] fw_dump+0x18b/0x2d0
+[ 3.913483] tcf_fill_node+0x2ee/0x460
+[ 3.914778] tfilter_notify+0xf4/0x180
+[ 3.915208] tc_new_tfilter+0xd51/0x10d0
+[ 3.918615] rtnetlink_rcv_msg+0x4a2/0x560
+[ 3.919118] netlink_rcv_skb+0xcd/0x200
+[ 3.919787] netlink_unicast+0x395/0x530
+[ 3.921032] netlink_sendmsg+0x3d0/0x6d0
+[ 3.921987] __sock_sendmsg+0x99/0xa0
+[ 3.922220] __sys_sendto+0x1b7/0x240
+[ 3.922682] __x64_sys_sendto+0x72/0x90
+[ 3.922906] do_syscall_64+0x5e/0x90
+[ 3.923814] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+[ 3.924122] RIP: 0033:0x7e83eab84407
+[ 3.924331] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf
+[ 3.925330] RSP: 002b:00007ffff505e370 EFLAGS: 00000202 ORIG_RAX: 000000000000002c
+[ 3.925752] RAX: ffffffffffffffda RBX: 00007e83eaafa740 RCX: 00007e83eab84407
+[ 3.926173] RDX: 00000000000001a8 RSI: 00007ffff505e3c0 RDI: 0000000000000003
+[ 3.926587] RBP: 00007ffff505f460 R08: 00007e83eace1000 R09: 000000000000000c
+[ 3.926977] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffff505f3c0
+[ 3.927367] R13: 00007ffff505f5c8 R14: 00007e83ead1b000 R15: 00005d4fbbe6dcb8
+
+Fix these issues by enforing correct length condition in related
+policies.
+
+Fixes: 925d844696d9 ("netfilter: nft_tunnel: add support for geneve opts")
+Fixes: 4ece47787077 ("lwtunnel: add options setting and dumping for geneve")
+Fixes: 0ed5269f9e41 ("net/sched: add tunnel option support to act_tunnel_key")
+Fixes: 0a6e77784f49 ("net/sched: allow flower to match tunnel options")
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Reviewed-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
+Link: https://patch.msgid.link/20250402165632.6958-1-linma@zju.edu.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/ip_tunnel_core.c | 2 +-
+ net/netfilter/nft_tunnel.c | 2 +-
+ net/sched/act_tunnel_key.c | 2 +-
+ net/sched/cls_flower.c | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c
+index fda08e2c72899..deb08cab44640 100644
+--- a/net/ipv4/ip_tunnel_core.c
++++ b/net/ipv4/ip_tunnel_core.c
+@@ -450,7 +450,7 @@ static const struct nla_policy
+ geneve_opt_policy[LWTUNNEL_IP_OPT_GENEVE_MAX + 1] = {
+ [LWTUNNEL_IP_OPT_GENEVE_CLASS] = { .type = NLA_U16 },
+ [LWTUNNEL_IP_OPT_GENEVE_TYPE] = { .type = NLA_U8 },
+- [LWTUNNEL_IP_OPT_GENEVE_DATA] = { .type = NLA_BINARY, .len = 128 },
++ [LWTUNNEL_IP_OPT_GENEVE_DATA] = { .type = NLA_BINARY, .len = 127 },
+ };
+
+ static const struct nla_policy
+diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
+index 01ce65dd2078e..d026982a00fc4 100644
+--- a/net/netfilter/nft_tunnel.c
++++ b/net/netfilter/nft_tunnel.c
+@@ -333,7 +333,7 @@ static int nft_tunnel_obj_erspan_init(const struct nlattr *attr,
+ static const struct nla_policy nft_tunnel_opts_geneve_policy[NFTA_TUNNEL_KEY_GENEVE_MAX + 1] = {
+ [NFTA_TUNNEL_KEY_GENEVE_CLASS] = { .type = NLA_U16 },
+ [NFTA_TUNNEL_KEY_GENEVE_TYPE] = { .type = NLA_U8 },
+- [NFTA_TUNNEL_KEY_GENEVE_DATA] = { .type = NLA_BINARY, .len = 128 },
++ [NFTA_TUNNEL_KEY_GENEVE_DATA] = { .type = NLA_BINARY, .len = 127 },
+ };
+
+ static int nft_tunnel_obj_geneve_init(const struct nlattr *attr,
+diff --git a/net/sched/act_tunnel_key.c b/net/sched/act_tunnel_key.c
+index 2691a3d8e4511..55a9dff1cc1e6 100644
+--- a/net/sched/act_tunnel_key.c
++++ b/net/sched/act_tunnel_key.c
+@@ -66,7 +66,7 @@ geneve_opt_policy[TCA_TUNNEL_KEY_ENC_OPT_GENEVE_MAX + 1] = {
+ [TCA_TUNNEL_KEY_ENC_OPT_GENEVE_CLASS] = { .type = NLA_U16 },
+ [TCA_TUNNEL_KEY_ENC_OPT_GENEVE_TYPE] = { .type = NLA_U8 },
+ [TCA_TUNNEL_KEY_ENC_OPT_GENEVE_DATA] = { .type = NLA_BINARY,
+- .len = 128 },
++ .len = 127 },
+ };
+
+ static const struct nla_policy
+diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c
+index b4a7952c5d7da..a40a9e84c75f4 100644
+--- a/net/sched/cls_flower.c
++++ b/net/sched/cls_flower.c
+@@ -732,7 +732,7 @@ geneve_opt_policy[TCA_FLOWER_KEY_ENC_OPT_GENEVE_MAX + 1] = {
+ [TCA_FLOWER_KEY_ENC_OPT_GENEVE_CLASS] = { .type = NLA_U16 },
+ [TCA_FLOWER_KEY_ENC_OPT_GENEVE_TYPE] = { .type = NLA_U8 },
+ [TCA_FLOWER_KEY_ENC_OPT_GENEVE_DATA] = { .type = NLA_BINARY,
+- .len = 128 },
++ .len = 127 },
+ };
+
+ static const struct nla_policy
+--
+2.39.5
+
--- /dev/null
+From 910206bfb645054c0baabe6928efd3d923fb7c1a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 23 Mar 2025 14:28:26 +0200
+Subject: net/mlx5e: SHAMPO, Make reserved size independent of page size
+
+From: Lama Kayal <lkayal@nvidia.com>
+
+[ Upstream commit fab05835688526f9de123d1e98e4d1f838da4e22 ]
+
+When hw-gro is enabled, the maximum number of header entries that are
+needed per wqe (hd_per_wqe) is calculated based on the size of the
+reservations among other parameters.
+
+Miscalculation of the size of reservations leads to incorrect
+calculation of hd_per_wqe as 0, particularly in the case of large page
+size like in aarch64, this prevents the SHAMPO header from being
+correctly initialized in the device, ultimately causing the following
+cqe err that indicates a violation of PD.
+
+ mlx5_core 0000:00:08.0 eth2: ERR CQE on RQ: 0x1180
+ mlx5_core 0000:00:08.0 eth2: Error cqe on cqn 0x510, ci 0x0, qn 0x1180, opcode 0xe, syndrome 0x4, vendor syndrome 0x32
+ 00000000: 00 00 00 00 04 4a 00 00 00 00 00 00 20 00 93 32
+ 00000010: 55 00 00 00 fb cc 00 00 00 00 00 00 07 18 00 00
+ 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4a
+ 00000030: 00 00 00 9a 93 00 32 04 00 00 00 00 00 00 da e1
+
+Use the correct formula for calculating the size of reservations,
+precisely it shouldn't be dependent on page size, instead use the
+correct multiply of MLX5E_SHAMPO_WQ_BASE_RESRV_SIZE.
+
+Fixes: e5ca8fb08ab2 ("net/mlx5e: Add control path for SHAMPO feature")
+Signed-off-by: Lama Kayal <lkayal@nvidia.com>
+Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/1742732906-166564-1-git-send-email-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en/params.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/params.c b/drivers/net/ethernet/mellanox/mlx5/core/en/params.c
+index be7302aa6f864..33cc53f221e0b 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/params.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/params.c
+@@ -390,7 +390,7 @@ u8 mlx5e_shampo_get_log_pkt_per_rsrv(struct mlx5_core_dev *mdev,
+ struct mlx5e_params *params)
+ {
+ u32 resrv_size = BIT(mlx5e_shampo_get_log_rsrv_size(mdev, params)) *
+- PAGE_SIZE;
++ MLX5E_SHAMPO_WQ_BASE_RESRV_SIZE;
+
+ return order_base_2(DIV_ROUND_UP(resrv_size, params->sw_mtu));
+ }
+@@ -818,7 +818,8 @@ static u32 mlx5e_shampo_get_log_cq_size(struct mlx5_core_dev *mdev,
+ struct mlx5e_params *params,
+ struct mlx5e_xsk_param *xsk)
+ {
+- int rsrv_size = BIT(mlx5e_shampo_get_log_rsrv_size(mdev, params)) * PAGE_SIZE;
++ int rsrv_size = BIT(mlx5e_shampo_get_log_rsrv_size(mdev, params)) *
++ MLX5E_SHAMPO_WQ_BASE_RESRV_SIZE;
+ u16 num_strides = BIT(mlx5e_mpwqe_get_log_num_strides(mdev, params, xsk));
+ int pkt_per_rsrv = BIT(mlx5e_shampo_get_log_pkt_per_rsrv(mdev, params));
+ u8 log_stride_sz = mlx5e_mpwqe_get_log_stride_size(mdev, params, xsk);
+@@ -1027,7 +1028,8 @@ u32 mlx5e_shampo_hd_per_wqe(struct mlx5_core_dev *mdev,
+ struct mlx5e_params *params,
+ struct mlx5e_rq_param *rq_param)
+ {
+- int resv_size = BIT(mlx5e_shampo_get_log_rsrv_size(mdev, params)) * PAGE_SIZE;
++ int resv_size = BIT(mlx5e_shampo_get_log_rsrv_size(mdev, params)) *
++ MLX5E_SHAMPO_WQ_BASE_RESRV_SIZE;
+ u16 num_strides = BIT(mlx5e_mpwqe_get_log_num_strides(mdev, params, NULL));
+ int pkt_per_resv = BIT(mlx5e_shampo_get_log_pkt_per_rsrv(mdev, params));
+ u8 log_stride_sz = mlx5e_mpwqe_get_log_stride_size(mdev, params, NULL);
+--
+2.39.5
+
--- /dev/null
+From 13d5a00e9a00530142748dac497eb473f6ffcc6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Apr 2025 08:58:04 +0200
+Subject: net: mvpp2: Prevent parser TCAM memory corruption
+
+From: Tobias Waldekranz <tobias@waldekranz.com>
+
+[ Upstream commit 96844075226b49af25a69a1d084b648ec2d9b08d ]
+
+Protect the parser TCAM/SRAM memory, and the cached (shadow) SRAM
+information, from concurrent modifications.
+
+Both the TCAM and SRAM tables are indirectly accessed by configuring
+an index register that selects the row to read or write to. This means
+that operations must be atomic in order to, e.g., avoid spreading
+writes across multiple rows. Since the shadow SRAM array is used to
+find free rows in the hardware table, it must also be protected in
+order to avoid TOCTOU errors where multiple cores allocate the same
+row.
+
+This issue was detected in a situation where `mvpp2_set_rx_mode()` ran
+concurrently on two CPUs. In this particular case the
+MVPP2_PE_MAC_UC_PROMISCUOUS entry was corrupted, causing the
+classifier unit to drop all incoming unicast - indicated by the
+`rx_classifier_drops` counter.
+
+Fixes: 3f518509dedc ("ethernet: Add new driver for Marvell Armada 375 network unit")
+Signed-off-by: Tobias Waldekranz <tobias@waldekranz.com>
+Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Tested-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
+Link: https://patch.msgid.link/20250401065855.3113635-1-tobias@waldekranz.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/mvpp2/mvpp2.h | 3 +
+ .../net/ethernet/marvell/mvpp2/mvpp2_main.c | 3 +-
+ .../net/ethernet/marvell/mvpp2/mvpp2_prs.c | 201 ++++++++++++------
+ 3 files changed, 140 insertions(+), 67 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2.h b/drivers/net/ethernet/marvell/mvpp2/mvpp2.h
+index 522d65acfc47e..50dc2fcb8f7b1 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2.h
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2.h
+@@ -1108,6 +1108,9 @@ struct mvpp2 {
+
+ /* Spinlocks for CM3 shared memory configuration */
+ spinlock_t mss_spinlock;
++
++ /* Spinlock for shared PRS parser memory and shadow table */
++ spinlock_t prs_spinlock;
+ };
+
+ struct mvpp2_pcpu_stats {
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+index bbcdab562513f..ec69bb90f5740 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c
+@@ -7583,8 +7583,9 @@ static int mvpp2_probe(struct platform_device *pdev)
+ if (mvpp2_read(priv, MVPP2_VER_ID_REG) == MVPP2_VER_PP23)
+ priv->hw_version = MVPP23;
+
+- /* Init mss lock */
++ /* Init locks for shared packet processor resources */
+ spin_lock_init(&priv->mss_spinlock);
++ spin_lock_init(&priv->prs_spinlock);
+
+ /* Initialize network controller */
+ err = mvpp2_init(pdev, priv);
+diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c
+index 9af22f497a40f..93e978bdf303c 100644
+--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c
++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c
+@@ -23,6 +23,8 @@ static int mvpp2_prs_hw_write(struct mvpp2 *priv, struct mvpp2_prs_entry *pe)
+ {
+ int i;
+
++ lockdep_assert_held(&priv->prs_spinlock);
++
+ if (pe->index > MVPP2_PRS_TCAM_SRAM_SIZE - 1)
+ return -EINVAL;
+
+@@ -43,11 +45,13 @@ static int mvpp2_prs_hw_write(struct mvpp2 *priv, struct mvpp2_prs_entry *pe)
+ }
+
+ /* Initialize tcam entry from hw */
+-int mvpp2_prs_init_from_hw(struct mvpp2 *priv, struct mvpp2_prs_entry *pe,
+- int tid)
++static int __mvpp2_prs_init_from_hw(struct mvpp2 *priv,
++ struct mvpp2_prs_entry *pe, int tid)
+ {
+ int i;
+
++ lockdep_assert_held(&priv->prs_spinlock);
++
+ if (tid > MVPP2_PRS_TCAM_SRAM_SIZE - 1)
+ return -EINVAL;
+
+@@ -73,6 +77,18 @@ int mvpp2_prs_init_from_hw(struct mvpp2 *priv, struct mvpp2_prs_entry *pe,
+ return 0;
+ }
+
++int mvpp2_prs_init_from_hw(struct mvpp2 *priv, struct mvpp2_prs_entry *pe,
++ int tid)
++{
++ int err;
++
++ spin_lock_bh(&priv->prs_spinlock);
++ err = __mvpp2_prs_init_from_hw(priv, pe, tid);
++ spin_unlock_bh(&priv->prs_spinlock);
++
++ return err;
++}
++
+ /* Invalidate tcam hw entry */
+ static void mvpp2_prs_hw_inv(struct mvpp2 *priv, int index)
+ {
+@@ -374,7 +390,7 @@ static int mvpp2_prs_flow_find(struct mvpp2 *priv, int flow)
+ priv->prs_shadow[tid].lu != MVPP2_PRS_LU_FLOWS)
+ continue;
+
+- mvpp2_prs_init_from_hw(priv, &pe, tid);
++ __mvpp2_prs_init_from_hw(priv, &pe, tid);
+ bits = mvpp2_prs_sram_ai_get(&pe);
+
+ /* Sram store classification lookup ID in AI bits [5:0] */
+@@ -441,7 +457,7 @@ static void mvpp2_prs_mac_drop_all_set(struct mvpp2 *priv, int port, bool add)
+
+ if (priv->prs_shadow[MVPP2_PE_DROP_ALL].valid) {
+ /* Entry exist - update port only */
+- mvpp2_prs_init_from_hw(priv, &pe, MVPP2_PE_DROP_ALL);
++ __mvpp2_prs_init_from_hw(priv, &pe, MVPP2_PE_DROP_ALL);
+ } else {
+ /* Entry doesn't exist - create new */
+ memset(&pe, 0, sizeof(pe));
+@@ -469,14 +485,17 @@ static void mvpp2_prs_mac_drop_all_set(struct mvpp2 *priv, int port, bool add)
+ }
+
+ /* Set port to unicast or multicast promiscuous mode */
+-void mvpp2_prs_mac_promisc_set(struct mvpp2 *priv, int port,
+- enum mvpp2_prs_l2_cast l2_cast, bool add)
++static void __mvpp2_prs_mac_promisc_set(struct mvpp2 *priv, int port,
++ enum mvpp2_prs_l2_cast l2_cast,
++ bool add)
+ {
+ struct mvpp2_prs_entry pe;
+ unsigned char cast_match;
+ unsigned int ri;
+ int tid;
+
++ lockdep_assert_held(&priv->prs_spinlock);
++
+ if (l2_cast == MVPP2_PRS_L2_UNI_CAST) {
+ cast_match = MVPP2_PRS_UCAST_VAL;
+ tid = MVPP2_PE_MAC_UC_PROMISCUOUS;
+@@ -489,7 +508,7 @@ void mvpp2_prs_mac_promisc_set(struct mvpp2 *priv, int port,
+
+ /* promiscuous mode - Accept unknown unicast or multicast packets */
+ if (priv->prs_shadow[tid].valid) {
+- mvpp2_prs_init_from_hw(priv, &pe, tid);
++ __mvpp2_prs_init_from_hw(priv, &pe, tid);
+ } else {
+ memset(&pe, 0, sizeof(pe));
+ mvpp2_prs_tcam_lu_set(&pe, MVPP2_PRS_LU_MAC);
+@@ -522,6 +541,14 @@ void mvpp2_prs_mac_promisc_set(struct mvpp2 *priv, int port,
+ mvpp2_prs_hw_write(priv, &pe);
+ }
+
++void mvpp2_prs_mac_promisc_set(struct mvpp2 *priv, int port,
++ enum mvpp2_prs_l2_cast l2_cast, bool add)
++{
++ spin_lock_bh(&priv->prs_spinlock);
++ __mvpp2_prs_mac_promisc_set(priv, port, l2_cast, add);
++ spin_unlock_bh(&priv->prs_spinlock);
++}
++
+ /* Set entry for dsa packets */
+ static void mvpp2_prs_dsa_tag_set(struct mvpp2 *priv, int port, bool add,
+ bool tagged, bool extend)
+@@ -539,7 +566,7 @@ static void mvpp2_prs_dsa_tag_set(struct mvpp2 *priv, int port, bool add,
+
+ if (priv->prs_shadow[tid].valid) {
+ /* Entry exist - update port only */
+- mvpp2_prs_init_from_hw(priv, &pe, tid);
++ __mvpp2_prs_init_from_hw(priv, &pe, tid);
+ } else {
+ /* Entry doesn't exist - create new */
+ memset(&pe, 0, sizeof(pe));
+@@ -610,7 +637,7 @@ static void mvpp2_prs_dsa_tag_ethertype_set(struct mvpp2 *priv, int port,
+
+ if (priv->prs_shadow[tid].valid) {
+ /* Entry exist - update port only */
+- mvpp2_prs_init_from_hw(priv, &pe, tid);
++ __mvpp2_prs_init_from_hw(priv, &pe, tid);
+ } else {
+ /* Entry doesn't exist - create new */
+ memset(&pe, 0, sizeof(pe));
+@@ -673,7 +700,7 @@ static int mvpp2_prs_vlan_find(struct mvpp2 *priv, unsigned short tpid, int ai)
+ priv->prs_shadow[tid].lu != MVPP2_PRS_LU_VLAN)
+ continue;
+
+- mvpp2_prs_init_from_hw(priv, &pe, tid);
++ __mvpp2_prs_init_from_hw(priv, &pe, tid);
+ match = mvpp2_prs_tcam_data_cmp(&pe, 0, tpid);
+ if (!match)
+ continue;
+@@ -726,7 +753,7 @@ static int mvpp2_prs_vlan_add(struct mvpp2 *priv, unsigned short tpid, int ai,
+ priv->prs_shadow[tid_aux].lu != MVPP2_PRS_LU_VLAN)
+ continue;
+
+- mvpp2_prs_init_from_hw(priv, &pe, tid_aux);
++ __mvpp2_prs_init_from_hw(priv, &pe, tid_aux);
+ ri_bits = mvpp2_prs_sram_ri_get(&pe);
+ if ((ri_bits & MVPP2_PRS_RI_VLAN_MASK) ==
+ MVPP2_PRS_RI_VLAN_DOUBLE)
+@@ -760,7 +787,7 @@ static int mvpp2_prs_vlan_add(struct mvpp2 *priv, unsigned short tpid, int ai,
+
+ mvpp2_prs_shadow_set(priv, pe.index, MVPP2_PRS_LU_VLAN);
+ } else {
+- mvpp2_prs_init_from_hw(priv, &pe, tid);
++ __mvpp2_prs_init_from_hw(priv, &pe, tid);
+ }
+ /* Update ports' mask */
+ mvpp2_prs_tcam_port_map_set(&pe, port_map);
+@@ -800,7 +827,7 @@ static int mvpp2_prs_double_vlan_find(struct mvpp2 *priv, unsigned short tpid1,
+ priv->prs_shadow[tid].lu != MVPP2_PRS_LU_VLAN)
+ continue;
+
+- mvpp2_prs_init_from_hw(priv, &pe, tid);
++ __mvpp2_prs_init_from_hw(priv, &pe, tid);
+
+ match = mvpp2_prs_tcam_data_cmp(&pe, 0, tpid1) &&
+ mvpp2_prs_tcam_data_cmp(&pe, 4, tpid2);
+@@ -849,7 +876,7 @@ static int mvpp2_prs_double_vlan_add(struct mvpp2 *priv, unsigned short tpid1,
+ priv->prs_shadow[tid_aux].lu != MVPP2_PRS_LU_VLAN)
+ continue;
+
+- mvpp2_prs_init_from_hw(priv, &pe, tid_aux);
++ __mvpp2_prs_init_from_hw(priv, &pe, tid_aux);
+ ri_bits = mvpp2_prs_sram_ri_get(&pe);
+ ri_bits &= MVPP2_PRS_RI_VLAN_MASK;
+ if (ri_bits == MVPP2_PRS_RI_VLAN_SINGLE ||
+@@ -880,7 +907,7 @@ static int mvpp2_prs_double_vlan_add(struct mvpp2 *priv, unsigned short tpid1,
+
+ mvpp2_prs_shadow_set(priv, pe.index, MVPP2_PRS_LU_VLAN);
+ } else {
+- mvpp2_prs_init_from_hw(priv, &pe, tid);
++ __mvpp2_prs_init_from_hw(priv, &pe, tid);
+ }
+
+ /* Update ports' mask */
+@@ -1213,8 +1240,8 @@ static void mvpp2_prs_mac_init(struct mvpp2 *priv)
+ /* Create dummy entries for drop all and promiscuous modes */
+ mvpp2_prs_drop_fc(priv);
+ mvpp2_prs_mac_drop_all_set(priv, 0, false);
+- mvpp2_prs_mac_promisc_set(priv, 0, MVPP2_PRS_L2_UNI_CAST, false);
+- mvpp2_prs_mac_promisc_set(priv, 0, MVPP2_PRS_L2_MULTI_CAST, false);
++ __mvpp2_prs_mac_promisc_set(priv, 0, MVPP2_PRS_L2_UNI_CAST, false);
++ __mvpp2_prs_mac_promisc_set(priv, 0, MVPP2_PRS_L2_MULTI_CAST, false);
+ }
+
+ /* Set default entries for various types of dsa packets */
+@@ -1533,12 +1560,6 @@ static int mvpp2_prs_vlan_init(struct platform_device *pdev, struct mvpp2 *priv)
+ struct mvpp2_prs_entry pe;
+ int err;
+
+- priv->prs_double_vlans = devm_kcalloc(&pdev->dev, sizeof(bool),
+- MVPP2_PRS_DBL_VLANS_MAX,
+- GFP_KERNEL);
+- if (!priv->prs_double_vlans)
+- return -ENOMEM;
+-
+ /* Double VLAN: 0x88A8, 0x8100 */
+ err = mvpp2_prs_double_vlan_add(priv, ETH_P_8021AD, ETH_P_8021Q,
+ MVPP2_PRS_PORT_MASK);
+@@ -1941,7 +1962,7 @@ static int mvpp2_prs_vid_range_find(struct mvpp2_port *port, u16 vid, u16 mask)
+ port->priv->prs_shadow[tid].lu != MVPP2_PRS_LU_VID)
+ continue;
+
+- mvpp2_prs_init_from_hw(port->priv, &pe, tid);
++ __mvpp2_prs_init_from_hw(port->priv, &pe, tid);
+
+ mvpp2_prs_tcam_data_byte_get(&pe, 2, &byte[0], &enable[0]);
+ mvpp2_prs_tcam_data_byte_get(&pe, 3, &byte[1], &enable[1]);
+@@ -1970,6 +1991,8 @@ int mvpp2_prs_vid_entry_add(struct mvpp2_port *port, u16 vid)
+
+ memset(&pe, 0, sizeof(pe));
+
++ spin_lock_bh(&priv->prs_spinlock);
++
+ /* Scan TCAM and see if entry with this <vid,port> already exist */
+ tid = mvpp2_prs_vid_range_find(port, vid, mask);
+
+@@ -1988,8 +2011,10 @@ int mvpp2_prs_vid_entry_add(struct mvpp2_port *port, u16 vid)
+ MVPP2_PRS_VLAN_FILT_MAX_ENTRY);
+
+ /* There isn't room for a new VID filter */
+- if (tid < 0)
++ if (tid < 0) {
++ spin_unlock_bh(&priv->prs_spinlock);
+ return tid;
++ }
+
+ mvpp2_prs_tcam_lu_set(&pe, MVPP2_PRS_LU_VID);
+ pe.index = tid;
+@@ -1997,7 +2022,7 @@ int mvpp2_prs_vid_entry_add(struct mvpp2_port *port, u16 vid)
+ /* Mask all ports */
+ mvpp2_prs_tcam_port_map_set(&pe, 0);
+ } else {
+- mvpp2_prs_init_from_hw(priv, &pe, tid);
++ __mvpp2_prs_init_from_hw(priv, &pe, tid);
+ }
+
+ /* Enable the current port */
+@@ -2019,6 +2044,7 @@ int mvpp2_prs_vid_entry_add(struct mvpp2_port *port, u16 vid)
+ mvpp2_prs_shadow_set(priv, pe.index, MVPP2_PRS_LU_VID);
+ mvpp2_prs_hw_write(priv, &pe);
+
++ spin_unlock_bh(&priv->prs_spinlock);
+ return 0;
+ }
+
+@@ -2028,15 +2054,16 @@ void mvpp2_prs_vid_entry_remove(struct mvpp2_port *port, u16 vid)
+ struct mvpp2 *priv = port->priv;
+ int tid;
+
+- /* Scan TCAM and see if entry with this <vid,port> already exist */
+- tid = mvpp2_prs_vid_range_find(port, vid, 0xfff);
++ spin_lock_bh(&priv->prs_spinlock);
+
+- /* No such entry */
+- if (tid < 0)
+- return;
++ /* Invalidate TCAM entry with this <vid,port>, if it exists */
++ tid = mvpp2_prs_vid_range_find(port, vid, 0xfff);
++ if (tid >= 0) {
++ mvpp2_prs_hw_inv(priv, tid);
++ priv->prs_shadow[tid].valid = false;
++ }
+
+- mvpp2_prs_hw_inv(priv, tid);
+- priv->prs_shadow[tid].valid = false;
++ spin_unlock_bh(&priv->prs_spinlock);
+ }
+
+ /* Remove all existing VID filters on this port */
+@@ -2045,6 +2072,8 @@ void mvpp2_prs_vid_remove_all(struct mvpp2_port *port)
+ struct mvpp2 *priv = port->priv;
+ int tid;
+
++ spin_lock_bh(&priv->prs_spinlock);
++
+ for (tid = MVPP2_PRS_VID_PORT_FIRST(port->id);
+ tid <= MVPP2_PRS_VID_PORT_LAST(port->id); tid++) {
+ if (priv->prs_shadow[tid].valid) {
+@@ -2052,6 +2081,8 @@ void mvpp2_prs_vid_remove_all(struct mvpp2_port *port)
+ priv->prs_shadow[tid].valid = false;
+ }
+ }
++
++ spin_unlock_bh(&priv->prs_spinlock);
+ }
+
+ /* Remove VID filering entry for this port */
+@@ -2060,10 +2091,14 @@ void mvpp2_prs_vid_disable_filtering(struct mvpp2_port *port)
+ unsigned int tid = MVPP2_PRS_VID_PORT_DFLT(port->id);
+ struct mvpp2 *priv = port->priv;
+
++ spin_lock_bh(&priv->prs_spinlock);
++
+ /* Invalidate the guard entry */
+ mvpp2_prs_hw_inv(priv, tid);
+
+ priv->prs_shadow[tid].valid = false;
++
++ spin_unlock_bh(&priv->prs_spinlock);
+ }
+
+ /* Add guard entry that drops packets when no VID is matched on this port */
+@@ -2079,6 +2114,8 @@ void mvpp2_prs_vid_enable_filtering(struct mvpp2_port *port)
+
+ memset(&pe, 0, sizeof(pe));
+
++ spin_lock_bh(&priv->prs_spinlock);
++
+ pe.index = tid;
+
+ reg_val = mvpp2_read(priv, MVPP2_MH_REG(port->id));
+@@ -2111,6 +2148,8 @@ void mvpp2_prs_vid_enable_filtering(struct mvpp2_port *port)
+ /* Update shadow table */
+ mvpp2_prs_shadow_set(priv, pe.index, MVPP2_PRS_LU_VID);
+ mvpp2_prs_hw_write(priv, &pe);
++
++ spin_unlock_bh(&priv->prs_spinlock);
+ }
+
+ /* Parser default initialization */
+@@ -2118,6 +2157,20 @@ int mvpp2_prs_default_init(struct platform_device *pdev, struct mvpp2 *priv)
+ {
+ int err, index, i;
+
++ priv->prs_shadow = devm_kcalloc(&pdev->dev, MVPP2_PRS_TCAM_SRAM_SIZE,
++ sizeof(*priv->prs_shadow),
++ GFP_KERNEL);
++ if (!priv->prs_shadow)
++ return -ENOMEM;
++
++ priv->prs_double_vlans = devm_kcalloc(&pdev->dev, sizeof(bool),
++ MVPP2_PRS_DBL_VLANS_MAX,
++ GFP_KERNEL);
++ if (!priv->prs_double_vlans)
++ return -ENOMEM;
++
++ spin_lock_bh(&priv->prs_spinlock);
++
+ /* Enable tcam table */
+ mvpp2_write(priv, MVPP2_PRS_TCAM_CTRL_REG, MVPP2_PRS_TCAM_EN_MASK);
+
+@@ -2136,12 +2189,6 @@ int mvpp2_prs_default_init(struct platform_device *pdev, struct mvpp2 *priv)
+ for (index = 0; index < MVPP2_PRS_TCAM_SRAM_SIZE; index++)
+ mvpp2_prs_hw_inv(priv, index);
+
+- priv->prs_shadow = devm_kcalloc(&pdev->dev, MVPP2_PRS_TCAM_SRAM_SIZE,
+- sizeof(*priv->prs_shadow),
+- GFP_KERNEL);
+- if (!priv->prs_shadow)
+- return -ENOMEM;
+-
+ /* Always start from lookup = 0 */
+ for (index = 0; index < MVPP2_MAX_PORTS; index++)
+ mvpp2_prs_hw_port_init(priv, index, MVPP2_PRS_LU_MH,
+@@ -2158,26 +2205,13 @@ int mvpp2_prs_default_init(struct platform_device *pdev, struct mvpp2 *priv)
+ mvpp2_prs_vid_init(priv);
+
+ err = mvpp2_prs_etype_init(priv);
+- if (err)
+- return err;
+-
+- err = mvpp2_prs_vlan_init(pdev, priv);
+- if (err)
+- return err;
+-
+- err = mvpp2_prs_pppoe_init(priv);
+- if (err)
+- return err;
+-
+- err = mvpp2_prs_ip6_init(priv);
+- if (err)
+- return err;
+-
+- err = mvpp2_prs_ip4_init(priv);
+- if (err)
+- return err;
++ err = err ? : mvpp2_prs_vlan_init(pdev, priv);
++ err = err ? : mvpp2_prs_pppoe_init(priv);
++ err = err ? : mvpp2_prs_ip6_init(priv);
++ err = err ? : mvpp2_prs_ip4_init(priv);
+
+- return 0;
++ spin_unlock_bh(&priv->prs_spinlock);
++ return err;
+ }
+
+ /* Compare MAC DA with tcam entry data */
+@@ -2217,7 +2251,7 @@ mvpp2_prs_mac_da_range_find(struct mvpp2 *priv, int pmap, const u8 *da,
+ (priv->prs_shadow[tid].udf != udf_type))
+ continue;
+
+- mvpp2_prs_init_from_hw(priv, &pe, tid);
++ __mvpp2_prs_init_from_hw(priv, &pe, tid);
+ entry_pmap = mvpp2_prs_tcam_port_map_get(&pe);
+
+ if (mvpp2_prs_mac_range_equals(&pe, da, mask) &&
+@@ -2229,7 +2263,8 @@ mvpp2_prs_mac_da_range_find(struct mvpp2 *priv, int pmap, const u8 *da,
+ }
+
+ /* Update parser's mac da entry */
+-int mvpp2_prs_mac_da_accept(struct mvpp2_port *port, const u8 *da, bool add)
++static int __mvpp2_prs_mac_da_accept(struct mvpp2_port *port,
++ const u8 *da, bool add)
+ {
+ unsigned char mask[ETH_ALEN] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
+ struct mvpp2 *priv = port->priv;
+@@ -2261,7 +2296,7 @@ int mvpp2_prs_mac_da_accept(struct mvpp2_port *port, const u8 *da, bool add)
+ /* Mask all ports */
+ mvpp2_prs_tcam_port_map_set(&pe, 0);
+ } else {
+- mvpp2_prs_init_from_hw(priv, &pe, tid);
++ __mvpp2_prs_init_from_hw(priv, &pe, tid);
+ }
+
+ mvpp2_prs_tcam_lu_set(&pe, MVPP2_PRS_LU_MAC);
+@@ -2317,6 +2352,17 @@ int mvpp2_prs_mac_da_accept(struct mvpp2_port *port, const u8 *da, bool add)
+ return 0;
+ }
+
++int mvpp2_prs_mac_da_accept(struct mvpp2_port *port, const u8 *da, bool add)
++{
++ int err;
++
++ spin_lock_bh(&port->priv->prs_spinlock);
++ err = __mvpp2_prs_mac_da_accept(port, da, add);
++ spin_unlock_bh(&port->priv->prs_spinlock);
++
++ return err;
++}
++
+ int mvpp2_prs_update_mac_da(struct net_device *dev, const u8 *da)
+ {
+ struct mvpp2_port *port = netdev_priv(dev);
+@@ -2345,6 +2391,8 @@ void mvpp2_prs_mac_del_all(struct mvpp2_port *port)
+ unsigned long pmap;
+ int index, tid;
+
++ spin_lock_bh(&priv->prs_spinlock);
++
+ for (tid = MVPP2_PE_MAC_RANGE_START;
+ tid <= MVPP2_PE_MAC_RANGE_END; tid++) {
+ unsigned char da[ETH_ALEN], da_mask[ETH_ALEN];
+@@ -2354,7 +2402,7 @@ void mvpp2_prs_mac_del_all(struct mvpp2_port *port)
+ (priv->prs_shadow[tid].udf != MVPP2_PRS_UDF_MAC_DEF))
+ continue;
+
+- mvpp2_prs_init_from_hw(priv, &pe, tid);
++ __mvpp2_prs_init_from_hw(priv, &pe, tid);
+
+ pmap = mvpp2_prs_tcam_port_map_get(&pe);
+
+@@ -2375,14 +2423,17 @@ void mvpp2_prs_mac_del_all(struct mvpp2_port *port)
+ continue;
+
+ /* Remove entry from TCAM */
+- mvpp2_prs_mac_da_accept(port, da, false);
++ __mvpp2_prs_mac_da_accept(port, da, false);
+ }
++
++ spin_unlock_bh(&priv->prs_spinlock);
+ }
+
+ int mvpp2_prs_tag_mode_set(struct mvpp2 *priv, int port, int type)
+ {
+ switch (type) {
+ case MVPP2_TAG_TYPE_EDSA:
++ spin_lock_bh(&priv->prs_spinlock);
+ /* Add port to EDSA entries */
+ mvpp2_prs_dsa_tag_set(priv, port, true,
+ MVPP2_PRS_TAGGED, MVPP2_PRS_EDSA);
+@@ -2393,9 +2444,11 @@ int mvpp2_prs_tag_mode_set(struct mvpp2 *priv, int port, int type)
+ MVPP2_PRS_TAGGED, MVPP2_PRS_DSA);
+ mvpp2_prs_dsa_tag_set(priv, port, false,
+ MVPP2_PRS_UNTAGGED, MVPP2_PRS_DSA);
++ spin_unlock_bh(&priv->prs_spinlock);
+ break;
+
+ case MVPP2_TAG_TYPE_DSA:
++ spin_lock_bh(&priv->prs_spinlock);
+ /* Add port to DSA entries */
+ mvpp2_prs_dsa_tag_set(priv, port, true,
+ MVPP2_PRS_TAGGED, MVPP2_PRS_DSA);
+@@ -2406,10 +2459,12 @@ int mvpp2_prs_tag_mode_set(struct mvpp2 *priv, int port, int type)
+ MVPP2_PRS_TAGGED, MVPP2_PRS_EDSA);
+ mvpp2_prs_dsa_tag_set(priv, port, false,
+ MVPP2_PRS_UNTAGGED, MVPP2_PRS_EDSA);
++ spin_unlock_bh(&priv->prs_spinlock);
+ break;
+
+ case MVPP2_TAG_TYPE_MH:
+ case MVPP2_TAG_TYPE_NONE:
++ spin_lock_bh(&priv->prs_spinlock);
+ /* Remove port form EDSA and DSA entries */
+ mvpp2_prs_dsa_tag_set(priv, port, false,
+ MVPP2_PRS_TAGGED, MVPP2_PRS_DSA);
+@@ -2419,6 +2474,7 @@ int mvpp2_prs_tag_mode_set(struct mvpp2 *priv, int port, int type)
+ MVPP2_PRS_TAGGED, MVPP2_PRS_EDSA);
+ mvpp2_prs_dsa_tag_set(priv, port, false,
+ MVPP2_PRS_UNTAGGED, MVPP2_PRS_EDSA);
++ spin_unlock_bh(&priv->prs_spinlock);
+ break;
+
+ default:
+@@ -2437,11 +2493,15 @@ int mvpp2_prs_add_flow(struct mvpp2 *priv, int flow, u32 ri, u32 ri_mask)
+
+ memset(&pe, 0, sizeof(pe));
+
++ spin_lock_bh(&priv->prs_spinlock);
++
+ tid = mvpp2_prs_tcam_first_free(priv,
+ MVPP2_PE_LAST_FREE_TID,
+ MVPP2_PE_FIRST_FREE_TID);
+- if (tid < 0)
++ if (tid < 0) {
++ spin_unlock_bh(&priv->prs_spinlock);
+ return tid;
++ }
+
+ pe.index = tid;
+
+@@ -2461,6 +2521,7 @@ int mvpp2_prs_add_flow(struct mvpp2 *priv, int flow, u32 ri, u32 ri_mask)
+ mvpp2_prs_tcam_port_map_set(&pe, MVPP2_PRS_PORT_MASK);
+ mvpp2_prs_hw_write(priv, &pe);
+
++ spin_unlock_bh(&priv->prs_spinlock);
+ return 0;
+ }
+
+@@ -2472,6 +2533,8 @@ int mvpp2_prs_def_flow(struct mvpp2_port *port)
+
+ memset(&pe, 0, sizeof(pe));
+
++ spin_lock_bh(&port->priv->prs_spinlock);
++
+ tid = mvpp2_prs_flow_find(port->priv, port->id);
+
+ /* Such entry not exist */
+@@ -2480,8 +2543,10 @@ int mvpp2_prs_def_flow(struct mvpp2_port *port)
+ tid = mvpp2_prs_tcam_first_free(port->priv,
+ MVPP2_PE_LAST_FREE_TID,
+ MVPP2_PE_FIRST_FREE_TID);
+- if (tid < 0)
++ if (tid < 0) {
++ spin_unlock_bh(&port->priv->prs_spinlock);
+ return tid;
++ }
+
+ pe.index = tid;
+
+@@ -2492,13 +2557,14 @@ int mvpp2_prs_def_flow(struct mvpp2_port *port)
+ /* Update shadow table */
+ mvpp2_prs_shadow_set(port->priv, pe.index, MVPP2_PRS_LU_FLOWS);
+ } else {
+- mvpp2_prs_init_from_hw(port->priv, &pe, tid);
++ __mvpp2_prs_init_from_hw(port->priv, &pe, tid);
+ }
+
+ mvpp2_prs_tcam_lu_set(&pe, MVPP2_PRS_LU_FLOWS);
+ mvpp2_prs_tcam_port_map_set(&pe, (1 << port->id));
+ mvpp2_prs_hw_write(port->priv, &pe);
+
++ spin_unlock_bh(&port->priv->prs_spinlock);
+ return 0;
+ }
+
+@@ -2509,11 +2575,14 @@ int mvpp2_prs_hits(struct mvpp2 *priv, int index)
+ if (index > MVPP2_PRS_TCAM_SRAM_SIZE)
+ return -EINVAL;
+
++ spin_lock_bh(&priv->prs_spinlock);
++
+ mvpp2_write(priv, MVPP2_PRS_TCAM_HIT_IDX_REG, index);
+
+ val = mvpp2_read(priv, MVPP2_PRS_TCAM_HIT_CNT_REG);
+
+ val &= MVPP2_PRS_TCAM_HIT_CNT_MASK;
+
++ spin_unlock_bh(&priv->prs_spinlock);
+ return val;
+ }
+--
+2.39.5
+
--- /dev/null
+From 596fa1bd59e645446679b64df73ace91594fedf5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 29 Mar 2025 15:25:35 -0700
+Subject: net_sched: skbprio: Remove overly strict queue assertions
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+[ Upstream commit ce8fe975fd99b49c29c42e50f2441ba53112b2e8 ]
+
+In the current implementation, skbprio enqueue/dequeue contains an assertion
+that fails under certain conditions when SKBPRIO is used as a child qdisc under
+TBF with specific parameters. The failure occurs because TBF sometimes peeks at
+packets in the child qdisc without actually dequeuing them when tokens are
+unavailable.
+
+This peek operation creates a discrepancy between the parent and child qdisc
+queue length counters. When TBF later receives a high-priority packet,
+SKBPRIO's queue length may show a different value than what's reflected in its
+internal priority queue tracking, triggering the assertion.
+
+The fix removes this overly strict assertions in SKBPRIO, they are not
+necessary at all.
+
+Reported-by: syzbot+a3422a19b05ea96bee18@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=a3422a19b05ea96bee18
+Fixes: aea5f654e6b7 ("net/sched: add skbprio scheduler")
+Cc: Nishanth Devarajan <ndev2021@gmail.com>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Acked-by: Paolo Abeni <pabeni@redhat.com>
+Link: https://patch.msgid.link/20250329222536.696204-2-xiyou.wangcong@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_skbprio.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/net/sched/sch_skbprio.c b/net/sched/sch_skbprio.c
+index 5df2dacb7b1ab..05aa363a7fee9 100644
+--- a/net/sched/sch_skbprio.c
++++ b/net/sched/sch_skbprio.c
+@@ -121,8 +121,6 @@ static int skbprio_enqueue(struct sk_buff *skb, struct Qdisc *sch,
+ /* Check to update highest and lowest priorities. */
+ if (skb_queue_empty(lp_qdisc)) {
+ if (q->lowest_prio == q->highest_prio) {
+- /* The incoming packet is the only packet in queue. */
+- BUG_ON(sch->q.qlen != 1);
+ q->lowest_prio = prio;
+ q->highest_prio = prio;
+ } else {
+@@ -154,7 +152,6 @@ static struct sk_buff *skbprio_dequeue(struct Qdisc *sch)
+ /* Update highest priority field. */
+ if (skb_queue_empty(hpq)) {
+ if (q->lowest_prio == q->highest_prio) {
+- BUG_ON(sch->q.qlen);
+ q->highest_prio = 0;
+ q->lowest_prio = SKBPRIO_MAX_PRIORITY - 1;
+ } else {
+--
+2.39.5
+
--- /dev/null
+From edecf7f498adef27e728b18677abee77bd5bfd2e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Mar 2025 23:24:20 +0100
+Subject: netfilter: nft_set_hash: GC reaps elements with conncount for dynamic
+ sets only
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit 9d74da1177c800eb3d51c13f9821b7b0683845a5 ]
+
+conncount has its own GC handler which determines when to reap stale
+elements, this is convenient for dynamic sets. However, this also reaps
+non-dynamic sets with static configurations coming from control plane.
+Always run connlimit gc handler but honor feedback to reap element if
+this set is dynamic.
+
+Fixes: 290180e2448c ("netfilter: nf_tables: add connlimit support")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_set_hash.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c
+index 5c4209b49bda7..a592cca7a61f9 100644
+--- a/net/netfilter/nft_set_hash.c
++++ b/net/netfilter/nft_set_hash.c
+@@ -310,7 +310,8 @@ static bool nft_rhash_expr_needs_gc_run(const struct nft_set *set,
+
+ nft_setelem_expr_foreach(expr, elem_expr, size) {
+ if (expr->ops->gc &&
+- expr->ops->gc(read_pnet(&set->net), expr))
++ expr->ops->gc(read_pnet(&set->net), expr) &&
++ set->flags & NFT_SET_EVAL)
+ return true;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 33428a0b61e7449fd3dc16f8ce5cc5dc4d796fc3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Apr 2025 01:00:26 +0800
+Subject: netfilter: nft_tunnel: fix geneve_opt type confusion addition
+
+From: Lin Ma <linma@zju.edu.cn>
+
+[ Upstream commit 1b755d8eb1ace3870789d48fbd94f386ad6e30be ]
+
+When handling multiple NFTA_TUNNEL_KEY_OPTS_GENEVE attributes, the
+parsing logic should place every geneve_opt structure one by one
+compactly. Hence, when deciding the next geneve_opt position, the
+pointer addition should be in units of char *.
+
+However, the current implementation erroneously does type conversion
+before the addition, which will lead to heap out-of-bounds write.
+
+[ 6.989857] ==================================================================
+[ 6.990293] BUG: KASAN: slab-out-of-bounds in nft_tunnel_obj_init+0x977/0xa70
+[ 6.990725] Write of size 124 at addr ffff888005f18974 by task poc/178
+[ 6.991162]
+[ 6.991259] CPU: 0 PID: 178 Comm: poc-oob-write Not tainted 6.1.132 #1
+[ 6.991655] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+[ 6.992281] Call Trace:
+[ 6.992423] <TASK>
+[ 6.992586] dump_stack_lvl+0x44/0x5c
+[ 6.992801] print_report+0x184/0x4be
+[ 6.993790] kasan_report+0xc5/0x100
+[ 6.994252] kasan_check_range+0xf3/0x1a0
+[ 6.994486] memcpy+0x38/0x60
+[ 6.994692] nft_tunnel_obj_init+0x977/0xa70
+[ 6.995677] nft_obj_init+0x10c/0x1b0
+[ 6.995891] nf_tables_newobj+0x585/0x950
+[ 6.996922] nfnetlink_rcv_batch+0xdf9/0x1020
+[ 6.998997] nfnetlink_rcv+0x1df/0x220
+[ 6.999537] netlink_unicast+0x395/0x530
+[ 7.000771] netlink_sendmsg+0x3d0/0x6d0
+[ 7.001462] __sock_sendmsg+0x99/0xa0
+[ 7.001707] ____sys_sendmsg+0x409/0x450
+[ 7.002391] ___sys_sendmsg+0xfd/0x170
+[ 7.003145] __sys_sendmsg+0xea/0x170
+[ 7.004359] do_syscall_64+0x5e/0x90
+[ 7.005817] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+[ 7.006127] RIP: 0033:0x7ec756d4e407
+[ 7.006339] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf
+[ 7.007364] RSP: 002b:00007ffed5d46760 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
+[ 7.007827] RAX: ffffffffffffffda RBX: 00007ec756cc4740 RCX: 00007ec756d4e407
+[ 7.008223] RDX: 0000000000000000 RSI: 00007ffed5d467f0 RDI: 0000000000000003
+[ 7.008620] RBP: 00007ffed5d468a0 R08: 0000000000000000 R09: 0000000000000000
+[ 7.009039] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
+[ 7.009429] R13: 00007ffed5d478b0 R14: 00007ec756ee5000 R15: 00005cbd4e655cb8
+
+Fix this bug with correct pointer addition and conversion in parse
+and dump code.
+
+Fixes: 925d844696d9 ("netfilter: nft_tunnel: add support for geneve opts")
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nft_tunnel.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
+index efb505445eac1..01ce65dd2078e 100644
+--- a/net/netfilter/nft_tunnel.c
++++ b/net/netfilter/nft_tunnel.c
+@@ -339,7 +339,7 @@ static const struct nla_policy nft_tunnel_opts_geneve_policy[NFTA_TUNNEL_KEY_GEN
+ static int nft_tunnel_obj_geneve_init(const struct nlattr *attr,
+ struct nft_tunnel_opts *opts)
+ {
+- struct geneve_opt *opt = (struct geneve_opt *)opts->u.data + opts->len;
++ struct geneve_opt *opt = (struct geneve_opt *)(opts->u.data + opts->len);
+ struct nlattr *tb[NFTA_TUNNEL_KEY_GENEVE_MAX + 1];
+ int err, data_len;
+
+@@ -621,7 +621,7 @@ static int nft_tunnel_opts_dump(struct sk_buff *skb,
+ if (!inner)
+ goto failure;
+ while (opts->len > offset) {
+- opt = (struct geneve_opt *)opts->u.data + offset;
++ opt = (struct geneve_opt *)(opts->u.data + offset);
+ if (nla_put_be16(skb, NFTA_TUNNEL_KEY_GENEVE_CLASS,
+ opt->opt_class) ||
+ nla_put_u8(skb, NFTA_TUNNEL_KEY_GENEVE_TYPE,
+--
+2.39.5
+
--- /dev/null
+From c5548915817a6f8e9b914bcfea7360c038be86d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Apr 2025 20:40:18 +0800
+Subject: netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4
+ sockets
+
+From: Debin Zhu <mowenroot@163.com>
+
+[ Upstream commit 078aabd567de3d63d37d7673f714e309d369e6e2 ]
+
+When calling netlbl_conn_setattr(), addr->sa_family is used
+to determine the function behavior. If sk is an IPv4 socket,
+but the connect function is called with an IPv6 address,
+the function calipso_sock_setattr() is triggered.
+Inside this function, the following code is executed:
+
+sk_fullsock(__sk) ? inet_sk(__sk)->pinet6 : NULL;
+
+Since sk is an IPv4 socket, pinet6 is NULL, leading to a
+null pointer dereference.
+
+This patch fixes the issue by checking if inet6_sk(sk)
+returns a NULL pointer before accessing pinet6.
+
+Signed-off-by: Debin Zhu <mowenroot@163.com>
+Signed-off-by: Bitao Ouyang <1985755126@qq.com>
+Acked-by: Paul Moore <paul@paul-moore.com>
+Fixes: ceba1832b1b2 ("calipso: Set the calipso socket label to match the secattr.")
+Link: https://patch.msgid.link/20250401124018.4763-1-mowenroot@163.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/calipso.c | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c
+index 1578ed9e97d89..c07e3da08d2a8 100644
+--- a/net/ipv6/calipso.c
++++ b/net/ipv6/calipso.c
+@@ -1075,8 +1075,13 @@ static int calipso_sock_getattr(struct sock *sk,
+ struct ipv6_opt_hdr *hop;
+ int opt_len, len, ret_val = -ENOMSG, offset;
+ unsigned char *opt;
+- struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk));
++ struct ipv6_pinfo *pinfo = inet6_sk(sk);
++ struct ipv6_txoptions *txopts;
++
++ if (!pinfo)
++ return -EAFNOSUPPORT;
+
++ txopts = txopt_get(pinfo);
+ if (!txopts || !txopts->hopopt)
+ goto done;
+
+@@ -1128,8 +1133,13 @@ static int calipso_sock_setattr(struct sock *sk,
+ {
+ int ret_val;
+ struct ipv6_opt_hdr *old, *new;
+- struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk));
++ struct ipv6_pinfo *pinfo = inet6_sk(sk);
++ struct ipv6_txoptions *txopts;
++
++ if (!pinfo)
++ return -EAFNOSUPPORT;
+
++ txopts = txopt_get(pinfo);
+ old = NULL;
+ if (txopts)
+ old = txopts->hopopt;
+@@ -1156,8 +1166,13 @@ static int calipso_sock_setattr(struct sock *sk,
+ static void calipso_sock_delattr(struct sock *sk)
+ {
+ struct ipv6_opt_hdr *new_hop;
+- struct ipv6_txoptions *txopts = txopt_get(inet6_sk(sk));
++ struct ipv6_pinfo *pinfo = inet6_sk(sk);
++ struct ipv6_txoptions *txopts;
++
++ if (!pinfo)
++ return;
+
++ txopts = txopt_get(pinfo);
+ if (!txopts || !txopts->hopopt)
+ goto done;
+
+--
+2.39.5
+
--- /dev/null
+From 133b6810b8017bad640e1de7c647f67d6da2e784 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Feb 2025 16:50:30 -0500
+Subject: NFSv4: Don't trigger uneccessary scans for return-on-close
+ delegations
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit 47acca884f714f41d95dc654f802845544554784 ]
+
+The amount of looping through the list of delegations is occasionally
+leading to soft lockups. Avoid at least some loops by not requiring the
+NFSv4 state manager to scan for delegations that are marked for
+return-on-close. Instead, either mark them for immediate return (if
+possible) or else leave it up to nfs4_inode_return_delegation_on_close()
+to return them once the file is closed by the application.
+
+Fixes: b757144fd77c ("NFSv4: Be less aggressive about returning delegations for open files")
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/delegation.c | 33 ++++++++++++++++++---------------
+ 1 file changed, 18 insertions(+), 15 deletions(-)
+
+diff --git a/fs/nfs/delegation.c b/fs/nfs/delegation.c
+index 39c697e100b1b..6363bbc37f425 100644
+--- a/fs/nfs/delegation.c
++++ b/fs/nfs/delegation.c
+@@ -570,17 +570,6 @@ static bool nfs_delegation_need_return(struct nfs_delegation *delegation)
+
+ if (test_and_clear_bit(NFS_DELEGATION_RETURN, &delegation->flags))
+ ret = true;
+- else if (test_bit(NFS_DELEGATION_RETURN_IF_CLOSED, &delegation->flags)) {
+- struct inode *inode;
+-
+- spin_lock(&delegation->lock);
+- inode = delegation->inode;
+- if (inode && list_empty(&NFS_I(inode)->open_files))
+- ret = true;
+- spin_unlock(&delegation->lock);
+- }
+- if (ret)
+- clear_bit(NFS_DELEGATION_RETURN_IF_CLOSED, &delegation->flags);
+ if (test_bit(NFS_DELEGATION_RETURNING, &delegation->flags) ||
+ test_bit(NFS_DELEGATION_RETURN_DELAYED, &delegation->flags) ||
+ test_bit(NFS_DELEGATION_REVOKED, &delegation->flags))
+@@ -821,11 +810,25 @@ int nfs4_inode_make_writeable(struct inode *inode)
+ return nfs4_inode_return_delegation(inode);
+ }
+
+-static void nfs_mark_return_if_closed_delegation(struct nfs_server *server,
+- struct nfs_delegation *delegation)
++static void
++nfs_mark_return_if_closed_delegation(struct nfs_server *server,
++ struct nfs_delegation *delegation)
+ {
+- set_bit(NFS_DELEGATION_RETURN_IF_CLOSED, &delegation->flags);
+- set_bit(NFS4CLNT_DELEGRETURN, &server->nfs_client->cl_state);
++ struct inode *inode;
++
++ if (test_bit(NFS_DELEGATION_RETURN, &delegation->flags) ||
++ test_bit(NFS_DELEGATION_RETURN_IF_CLOSED, &delegation->flags))
++ return;
++ spin_lock(&delegation->lock);
++ inode = delegation->inode;
++ if (!inode)
++ goto out;
++ if (list_empty(&NFS_I(inode)->open_files))
++ nfs_mark_return_delegation(server, delegation);
++ else
++ set_bit(NFS_DELEGATION_RETURN_IF_CLOSED, &delegation->flags);
++out:
++ spin_unlock(&delegation->lock);
+ }
+
+ static bool nfs_server_mark_return_all_delegations(struct nfs_server *server)
+--
+2.39.5
+
--- /dev/null
+From a0c6388badc6b3f2ee2138338f3a83b72a2336dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Jun 2024 11:15:19 +0300
+Subject: ntb: intel: Fix using link status DB's
+
+From: Nikita Shubin <n.shubin@yadro.com>
+
+[ Upstream commit 8144e9c8f30fb23bb736a5d24d5c9d46965563c4 ]
+
+Make sure we are not using DB's which were remapped for link status.
+
+Fixes: f6e51c354b60 ("ntb: intel: split out the gen3 code")
+Signed-off-by: Nikita Shubin <n.shubin@yadro.com>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Jon Mason <jdmason@kudzu.us>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ntb/hw/intel/ntb_hw_gen3.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/ntb/hw/intel/ntb_hw_gen3.c b/drivers/ntb/hw/intel/ntb_hw_gen3.c
+index ffcfc3e02c353..a5aa96a31f4a6 100644
+--- a/drivers/ntb/hw/intel/ntb_hw_gen3.c
++++ b/drivers/ntb/hw/intel/ntb_hw_gen3.c
+@@ -215,6 +215,9 @@ static int gen3_init_ntb(struct intel_ntb_dev *ndev)
+ }
+
+ ndev->db_valid_mask = BIT_ULL(ndev->db_count) - 1;
++ /* Make sure we are not using DB's used for link status */
++ if (ndev->hwerr_flags & NTB_HWERR_MSIX_VECTOR32_BAD)
++ ndev->db_valid_mask &= ~ndev->db_link_mask;
+
+ ndev->reg->db_iowrite(ndev->db_valid_mask,
+ ndev->self_mmio +
+--
+2.39.5
+
--- /dev/null
+From 5577aa90fd68690d1ebb86271a1fed964e21f425 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Aug 2023 16:33:05 +0800
+Subject: ntb_hw_switchtec: Fix shift-out-of-bounds in
+ switchtec_ntb_mw_set_trans
+
+From: Yajun Deng <yajun.deng@linux.dev>
+
+[ Upstream commit de203da734fae00e75be50220ba5391e7beecdf9 ]
+
+There is a kernel API ntb_mw_clear_trans() would pass 0 to both addr and
+size. This would make xlate_pos negative.
+
+[ 23.734156] switchtec switchtec0: MW 0: part 0 addr 0x0000000000000000 size 0x0000000000000000
+[ 23.734158] ================================================================================
+[ 23.734172] UBSAN: shift-out-of-bounds in drivers/ntb/hw/mscc/ntb_hw_switchtec.c:293:7
+[ 23.734418] shift exponent -1 is negative
+
+Ensuring xlate_pos is a positive or zero before BIT.
+
+Fixes: 1e2fd202f859 ("ntb_hw_switchtec: Check for alignment of the buffer in mw_set_trans()")
+Signed-off-by: Yajun Deng <yajun.deng@linux.dev>
+Reviewed-by: Logan Gunthorpe <logang@deltatee.com>
+Signed-off-by: Jon Mason <jdmason@kudzu.us>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ntb/hw/mscc/ntb_hw_switchtec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/ntb/hw/mscc/ntb_hw_switchtec.c b/drivers/ntb/hw/mscc/ntb_hw_switchtec.c
+index 7ce65a00db56b..1bdec59100019 100644
+--- a/drivers/ntb/hw/mscc/ntb_hw_switchtec.c
++++ b/drivers/ntb/hw/mscc/ntb_hw_switchtec.c
+@@ -288,7 +288,7 @@ static int switchtec_ntb_mw_set_trans(struct ntb_dev *ntb, int pidx, int widx,
+ if (size != 0 && xlate_pos < 12)
+ return -EINVAL;
+
+- if (!IS_ALIGNED(addr, BIT_ULL(xlate_pos))) {
++ if (xlate_pos >= 0 && !IS_ALIGNED(addr, BIT_ULL(xlate_pos))) {
+ /*
+ * In certain circumstances we can get a buffer that is
+ * not aligned to its size. (Most of the time
+--
+2.39.5
+
--- /dev/null
+From 73f711a46c7d222129ecea2f85e3d850fb64c398 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Feb 2025 01:04:43 +0800
+Subject: nvme-pci: clean up CMBMSC when registering CMB fails
+
+From: Icenowy Zheng <uwu@icenowy.me>
+
+[ Upstream commit 6a3572e10f740acd48e2713ef37e92186a3ce5e8 ]
+
+CMB decoding should get disabled when the CMB block isn't successfully
+registered to P2P DMA subsystem.
+
+Clean up the CMBMSC register in this error handling codepath to disable
+CMB decoding (and CMBLOC/CMBSZ registers).
+
+Signed-off-by: Icenowy Zheng <uwu@icenowy.me>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index afcb9668dad98..bfca71f958a06 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -1949,6 +1949,7 @@ static void nvme_map_cmb(struct nvme_dev *dev)
+ if (pci_p2pdma_add_resource(pdev, bar, size, offset)) {
+ dev_warn(dev->ctrl.device,
+ "failed to register the CMB\n");
++ hi_lo_writeq(0, dev->bar + NVME_REG_CMBMSC);
+ return;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From dde0acf729f0958cbc123df304e92488a3f25202 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Feb 2025 01:04:44 +0800
+Subject: nvme-pci: skip CMB blocks incompatible with PCI P2P DMA
+
+From: Icenowy Zheng <uwu@icenowy.me>
+
+[ Upstream commit 56cf7ef0d490b28fad8f8629fc135c5ab7c9f54e ]
+
+The PCI P2PDMA code will register the CMB block to the memory
+hot-plugging subsystem, which have an alignment requirement. Memory
+blocks that do not satisfy this alignment requirement (usually 2MB) will
+lead to a WARNING from memory hotplugging.
+
+Verify the CMB block's address and size against the alignment and only
+try to send CMB blocks compatible with it to prevent this warning.
+
+Tested on Intel DC D4502 SSD, which has a 512K CMB block that is too
+small for memory hotplugging (thus PCI P2PDMA).
+
+Signed-off-by: Icenowy Zheng <uwu@icenowy.me>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index bfca71f958a06..da858463b2557 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -1928,6 +1928,18 @@ static void nvme_map_cmb(struct nvme_dev *dev)
+ if (offset > bar_size)
+ return;
+
++ /*
++ * Controllers may support a CMB size larger than their BAR, for
++ * example, due to being behind a bridge. Reduce the CMB to the
++ * reported size of the BAR
++ */
++ size = min(size, bar_size - offset);
++
++ if (!IS_ALIGNED(size, memremap_compat_align()) ||
++ !IS_ALIGNED(pci_resource_start(pdev, bar),
++ memremap_compat_align()))
++ return;
++
+ /*
+ * Tell the controller about the host side address mapping the CMB,
+ * and enable CMB decoding for the NVMe 1.4+ scheme:
+@@ -1938,14 +1950,6 @@ static void nvme_map_cmb(struct nvme_dev *dev)
+ dev->bar + NVME_REG_CMBMSC);
+ }
+
+- /*
+- * Controllers may support a CMB size larger than their BAR,
+- * for example, due to being behind a bridge. Reduce the CMB to
+- * the reported size of the BAR
+- */
+- if (size > bar_size - offset)
+- size = bar_size - offset;
+-
+ if (pci_p2pdma_add_resource(pdev, bar, size, offset)) {
+ dev_warn(dev->ctrl.device,
+ "failed to register the CMB\n");
+--
+2.39.5
+
--- /dev/null
+From 89d6c9bb722126a52cdd65d61ca4bb2b51218b6d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 Mar 2025 18:28:59 +0200
+Subject: nvme-pci: skip nvme_write_sq_db on empty rqlist
+
+From: Maurizio Lombardi <mlombard@redhat.com>
+
+[ Upstream commit 288ff0d10beb069355036355d5f7612579dc869c ]
+
+nvme_submit_cmds() should check the rqlist before calling
+nvme_write_sq_db(); if the list is empty, it must return immediately.
+
+Fixes: beadf0088501 ("nvme-pci: reverse request order in nvme_queue_rqs")
+Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index da858463b2557..c62ff639a39bd 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -954,6 +954,9 @@ static void nvme_submit_cmds(struct nvme_queue *nvmeq, struct request **rqlist)
+ {
+ struct request *req;
+
++ if (rq_list_empty(rqlist))
++ return;
++
+ spin_lock(&nvmeq->sq_lock);
+ while ((req = rq_list_pop(rqlist))) {
+ struct nvme_iod *iod = blk_mq_rq_to_pdu(req);
+--
+2.39.5
+
--- /dev/null
+From 0859c58178a73360b7ea13dd69c7c2002523e71d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Feb 2025 13:18:30 +0200
+Subject: nvme-tcp: fix possible UAF in nvme_tcp_poll
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+[ Upstream commit 8c1624b63a7d24142a2bbc3a5ee7e95f004ea36e ]
+
+nvme_tcp_poll() may race with the send path error handler because
+it may complete the request while it is actively being polled for
+completion, resulting in a UAF panic [1]:
+
+We should make sure to stop polling when we see an error when
+trying to read from the socket. Hence make sure to propagate the
+error so that the block layer breaks the polling cycle.
+
+[1]:
+--
+[35665.692310] nvme nvme2: failed to send request -13
+[35665.702265] nvme nvme2: unsupported pdu type (3)
+[35665.702272] BUG: kernel NULL pointer dereference, address: 0000000000000000
+[35665.702542] nvme nvme2: queue 1 receive failed: -22
+[35665.703209] #PF: supervisor write access in kernel mode
+[35665.703213] #PF: error_code(0x0002) - not-present page
+[35665.703214] PGD 8000003801cce067 P4D 8000003801cce067 PUD 37e6f79067 PMD 0
+[35665.703220] Oops: 0002 [#1] SMP PTI
+[35665.703658] nvme nvme2: starting error recovery
+[35665.705809] Hardware name: Inspur aaabbb/YZMB-00882-104, BIOS 4.1.26 09/22/2022
+[35665.705812] Workqueue: kblockd blk_mq_requeue_work
+[35665.709172] RIP: 0010:_raw_spin_lock+0xc/0x30
+[35665.715788] Call Trace:
+[35665.716201] <TASK>
+[35665.716613] ? show_trace_log_lvl+0x1c1/0x2d9
+[35665.717049] ? show_trace_log_lvl+0x1c1/0x2d9
+[35665.717457] ? blk_mq_request_bypass_insert+0x2c/0xb0
+[35665.717950] ? __die_body.cold+0x8/0xd
+[35665.718361] ? page_fault_oops+0xac/0x140
+[35665.718749] ? blk_mq_start_request+0x30/0xf0
+[35665.719144] ? nvme_tcp_queue_rq+0xc7/0x170 [nvme_tcp]
+[35665.719547] ? exc_page_fault+0x62/0x130
+[35665.719938] ? asm_exc_page_fault+0x22/0x30
+[35665.720333] ? _raw_spin_lock+0xc/0x30
+[35665.720723] blk_mq_request_bypass_insert+0x2c/0xb0
+[35665.721101] blk_mq_requeue_work+0xa5/0x180
+[35665.721451] process_one_work+0x1e8/0x390
+[35665.721809] worker_thread+0x53/0x3d0
+[35665.722159] ? process_one_work+0x390/0x390
+[35665.722501] kthread+0x124/0x150
+[35665.722849] ? set_kthread_struct+0x50/0x50
+[35665.723182] ret_from_fork+0x1f/0x30
+
+Reported-by: Zhang Guanghui <zhang.guanghui@cestc.cn>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/tcp.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c
+index da9d510d3d4f1..6dd19322c7f8e 100644
+--- a/drivers/nvme/host/tcp.c
++++ b/drivers/nvme/host/tcp.c
+@@ -2518,6 +2518,7 @@ static int nvme_tcp_poll(struct blk_mq_hw_ctx *hctx, struct io_comp_batch *iob)
+ {
+ struct nvme_tcp_queue *queue = hctx->driver_data;
+ struct sock *sk = queue->sock->sk;
++ int ret;
+
+ if (!test_bit(NVME_TCP_Q_LIVE, &queue->flags))
+ return 0;
+@@ -2525,9 +2526,9 @@ static int nvme_tcp_poll(struct blk_mq_hw_ctx *hctx, struct io_comp_batch *iob)
+ set_bit(NVME_TCP_Q_POLLING, &queue->flags);
+ if (sk_can_busy_loop(sk) && skb_queue_empty_lockless(&sk->sk_receive_queue))
+ sk_busy_loop(sk, true);
+- nvme_tcp_try_recv(queue);
++ ret = nvme_tcp_try_recv(queue);
+ clear_bit(NVME_TCP_Q_POLLING, &queue->flags);
+- return queue->nr_cqe;
++ return ret < 0 ? ret : queue->nr_cqe;
+ }
+
+ static int nvme_tcp_get_address(struct nvme_ctrl *ctrl, char *buf, int size)
+--
+2.39.5
+
--- /dev/null
+From 75cf581ebd9b42cd49867fd06db572e747f02630 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Mar 2025 14:56:06 -0700
+Subject: objtool, media: dib8000: Prevent divide-by-zero in dib8000_set_dds()
+
+From: Josh Poimboeuf <jpoimboe@kernel.org>
+
+[ Upstream commit e63d465f59011dede0a0f1d21718b59a64c3ff5c ]
+
+If dib8000_set_dds()'s call to dib8000_read32() returns zero, the result
+is a divide-by-zero. Prevent that from happening.
+
+Fixes the following warning with an UBSAN kernel:
+
+ drivers/media/dvb-frontends/dib8000.o: warning: objtool: dib8000_tune() falls through to next function dib8096p_cfg_DibRx()
+
+Fixes: 173a64cb3fcf ("[media] dib8000: enhancement")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Link: https://lore.kernel.org/r/bd1d504d930ae3f073b1e071bcf62cae7708773c.1742852847.git.jpoimboe@kernel.org
+Closes: https://lore.kernel.org/r/202503210602.fvH5DO1i-lkp@intel.com/
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-frontends/dib8000.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/dvb-frontends/dib8000.c b/drivers/media/dvb-frontends/dib8000.c
+index 301d8eca7a6f9..f2fae575e84c8 100644
+--- a/drivers/media/dvb-frontends/dib8000.c
++++ b/drivers/media/dvb-frontends/dib8000.c
+@@ -2701,8 +2701,11 @@ static void dib8000_set_dds(struct dib8000_state *state, s32 offset_khz)
+ u8 ratio;
+
+ if (state->revision == 0x8090) {
++ u32 internal = dib8000_read32(state, 23) / 1000;
++
+ ratio = 4;
+- unit_khz_dds_val = (1<<26) / (dib8000_read32(state, 23) / 1000);
++
++ unit_khz_dds_val = (1<<26) / (internal ?: 1);
+ if (offset_khz < 0)
+ dds = (1 << 26) - (abs_offset_khz * unit_khz_dds_val);
+ else
+--
+2.39.5
+
--- /dev/null
+From a0662593e5d45971ee90516bacbdf25fde3cf125 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Feb 2025 11:49:08 +0300
+Subject: ocfs2: validate l_tree_depth to avoid out-of-bounds access
+
+From: Vasiliy Kovalev <kovalev@altlinux.org>
+
+[ Upstream commit a406aff8c05115119127c962cbbbbd202e1973ef ]
+
+The l_tree_depth field is 16-bit (__le16), but the actual maximum depth is
+limited to OCFS2_MAX_PATH_DEPTH.
+
+Add a check to prevent out-of-bounds access if l_tree_depth has an invalid
+value, which may occur when reading from a corrupted mounted disk [1].
+
+Link: https://lkml.kernel.org/r/20250214084908.736528-1-kovalev@altlinux.org
+Fixes: ccd979bdbce9 ("[PATCH] OCFS2: The Second Oracle Cluster Filesystem")
+Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
+Reported-by: syzbot+66c146268dc88f4341fd@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=66c146268dc88f4341fd [1]
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: Kurt Hackel <kurt.hackel@oracle.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Vasiliy Kovalev <kovalev@altlinux.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/alloc.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c
+index 51c93929a1461..7f11ffacc9150 100644
+--- a/fs/ocfs2/alloc.c
++++ b/fs/ocfs2/alloc.c
+@@ -1796,6 +1796,14 @@ static int __ocfs2_find_path(struct ocfs2_caching_info *ci,
+
+ el = root_el;
+ while (el->l_tree_depth) {
++ if (unlikely(le16_to_cpu(el->l_tree_depth) >= OCFS2_MAX_PATH_DEPTH)) {
++ ocfs2_error(ocfs2_metadata_cache_get_super(ci),
++ "Owner %llu has invalid tree depth %u in extent list\n",
++ (unsigned long long)ocfs2_metadata_cache_owner(ci),
++ le16_to_cpu(el->l_tree_depth));
++ ret = -EROFS;
++ goto out;
++ }
+ if (le16_to_cpu(el->l_next_free_rec) == 0) {
+ ocfs2_error(ocfs2_metadata_cache_get_super(ci),
+ "Owner %llu has empty extent list at depth %u\n",
+--
+2.39.5
+
--- /dev/null
+From 8d2a4973d6efe1967a6a43c1a017378336309f9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Mar 2025 14:44:41 +0530
+Subject: octeontx2-af: Fix mbox INTR handler when num VFs > 64
+
+From: Geetha sowjanya <gakula@marvell.com>
+
+[ Upstream commit 0fdba88a211508984eb5df62008c29688692b134 ]
+
+When number of RVU VFs > 64, the vfs value passed to "rvu_queue_work"
+function is incorrect. Due to which mbox workqueue entries for
+VFs 0 to 63 never gets added to workqueue.
+
+Fixes: 9bdc47a6e328 ("octeontx2-af: Mbox communication support btw AF and it's VFs")
+Signed-off-by: Geetha sowjanya <gakula@marvell.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250327091441.1284-1-gakula@marvell.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/af/rvu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c
+index c7829265eade9..d9c68f8166aff 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c
++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c
+@@ -2562,7 +2562,7 @@ static irqreturn_t rvu_mbox_intr_handler(int irq, void *rvu_irq)
+ rvupf_write64(rvu, RVU_PF_VFPF_MBOX_INTX(1), intr);
+
+ rvu_queue_work(&rvu->afvf_wq_info, 64, vfs, intr);
+- vfs -= 64;
++ vfs = 64;
+ }
+
+ intr = rvupf_read64(rvu, RVU_PF_VFPF_MBOX_INTX(0));
+--
+2.39.5
+
--- /dev/null
+From 524b4363c0d891c11dc00d0d0918a71546788d46 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Mar 2025 15:10:54 +0530
+Subject: octeontx2-af: Free NIX_AF_INT_VEC_GEN irq
+
+From: Geetha sowjanya <gakula@marvell.com>
+
+[ Upstream commit 323d6db6dc7decb06f2545efb9496259ddacd4f4 ]
+
+Due to the incorrect initial vector number in
+rvu_nix_unregister_interrupts(), NIX_AF_INT_VEC_GEN is not
+geeting free. Fix the vector number to include NIX_AF_INT_VEC_GEN
+irq.
+
+Fixes: 5ed66306eab6 ("octeontx2-af: Add devlink health reporters for NIX")
+Signed-off-by: Geetha sowjanya <gakula@marvell.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250327094054.2312-1-gakula@marvell.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
+index b9a4efb955333..32fa8f2c5f4ee 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_devlink.c
+@@ -217,7 +217,7 @@ static void rvu_nix_unregister_interrupts(struct rvu *rvu)
+ rvu->irq_allocated[offs + NIX_AF_INT_VEC_RVU] = false;
+ }
+
+- for (i = NIX_AF_INT_VEC_AF_ERR; i < NIX_AF_INT_VEC_CNT; i++)
++ for (i = NIX_AF_INT_VEC_GEN; i < NIX_AF_INT_VEC_CNT; i++)
+ if (rvu->irq_allocated[offs + i]) {
+ free_irq(pci_irq_vector(rvu->pdev, offs + i), rvu_dl);
+ rvu->irq_allocated[offs + i] = false;
+--
+2.39.5
+
--- /dev/null
+From 9840a7f8f7b1f7d7bbcf471891347002ddade014 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Feb 2025 21:58:06 +0800
+Subject: of: property: Increase NR_FWNODE_REFERENCE_ARGS
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+[ Upstream commit eb50844d728f11e87491f7c7af15a4a737f1159d ]
+
+Currently, the following two macros have different values:
+
+// The maximal argument count for firmware node reference
+ #define NR_FWNODE_REFERENCE_ARGS 8
+// The maximal argument count for DT node reference
+ #define MAX_PHANDLE_ARGS 16
+
+It may cause firmware node reference's argument count out of range if
+directly assign DT node reference's argument count to firmware's.
+
+drivers/of/property.c:of_fwnode_get_reference_args() is doing the direct
+assignment, so may cause firmware's argument count @args->nargs got out
+of range, namely, in [9, 16].
+
+Fix by increasing NR_FWNODE_REFERENCE_ARGS to 16 to meet DT requirement.
+Will align both macros later to avoid such inconsistency.
+
+Fixes: 3e3119d3088f ("device property: Introduce fwnode_property_get_reference_args")
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Link: https://lore.kernel.org/r/20250225-fix_arg_count-v4-1-13cdc519eb31@quicinc.com
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/fwnode.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/fwnode.h b/include/linux/fwnode.h
+index 525cc031596b6..7efb4493e51c0 100644
+--- a/include/linux/fwnode.h
++++ b/include/linux/fwnode.h
+@@ -83,7 +83,7 @@ struct fwnode_endpoint {
+ #define SWNODE_GRAPH_PORT_NAME_FMT "port@%u"
+ #define SWNODE_GRAPH_ENDPOINT_NAME_FMT "endpoint@%u"
+
+-#define NR_FWNODE_REFERENCE_ARGS 8
++#define NR_FWNODE_REFERENCE_ARGS 16
+
+ /**
+ * struct fwnode_reference_args - Fwnode reference with additional arguments
+--
+2.39.5
+
--- /dev/null
+From 0cdcc981cbbca471eecc63d5a66fd460bc0ff873 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 22 Dec 2024 19:39:08 -0800
+Subject: PCI/ASPM: Fix link state exit during switch upstream function removal
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Daniel Stodden <daniel.stodden@gmail.com>
+
+[ Upstream commit cbf937dcadfd571a434f8074d057b32cd14fbea5 ]
+
+Before 456d8aa37d0f ("PCI/ASPM: Disable ASPM on MFD function removal to
+avoid use-after-free"), we would free the ASPM link only after the last
+function on the bus pertaining to the given link was removed.
+
+That was too late. If function 0 is removed before sibling function,
+link->downstream would point to free'd memory after.
+
+After above change, we freed the ASPM parent link state upon any function
+removal on the bus pertaining to a given link.
+
+That is too early. If the link is to a PCIe switch with MFD on the upstream
+port, then removing functions other than 0 first would free a link which
+still remains parent_link to the remaining downstream ports.
+
+The resulting GPFs are especially frequent during hot-unplug, because
+pciehp removes devices on the link bus in reverse order.
+
+On that switch, function 0 is the virtual P2P bridge to the internal bus.
+Free exactly when function 0 is removed -- before the parent link is
+obsolete, but after all subordinate links are gone.
+
+Link: https://lore.kernel.org/r/e12898835f25234561c9d7de4435590d957b85d9.1734924854.git.dns@arista.com
+Fixes: 456d8aa37d0f ("PCI/ASPM: Disable ASPM on MFD function removal to avoid use-after-free")
+Signed-off-by: Daniel Stodden <dns@arista.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+[kwilczynski: commit log]
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pcie/aspm.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c
+index cf4acea6610d5..20ec2a4aae65f 100644
+--- a/drivers/pci/pcie/aspm.c
++++ b/drivers/pci/pcie/aspm.c
+@@ -1031,16 +1031,16 @@ void pcie_aspm_exit_link_state(struct pci_dev *pdev)
+ parent_link = link->parent;
+
+ /*
+- * link->downstream is a pointer to the pci_dev of function 0. If
+- * we remove that function, the pci_dev is about to be deallocated,
+- * so we can't use link->downstream again. Free the link state to
+- * avoid this.
++ * Free the parent link state, no later than function 0 (i.e.
++ * link->downstream) being removed.
+ *
+- * If we're removing a non-0 function, it's possible we could
+- * retain the link state, but PCIe r6.0, sec 7.5.3.7, recommends
+- * programming the same ASPM Control value for all functions of
+- * multi-function devices, so disable ASPM for all of them.
++ * Do not free the link state any earlier. If function 0 is a
++ * switch upstream port, this link state is parent_link to all
++ * subordinate ones.
+ */
++ if (pdev != link->downstream)
++ goto out;
++
+ pcie_config_aspm_link(link, 0);
+ list_del(&link->sibling);
+ free_link_state(link);
+@@ -1051,6 +1051,7 @@ void pcie_aspm_exit_link_state(struct pci_dev *pdev)
+ pcie_config_aspm_path(parent_link);
+ }
+
++ out:
+ mutex_unlock(&aspm_lock);
+ up_read(&pci_bus_sem);
+ }
+--
+2.39.5
+
--- /dev/null
+From 15a5a7997d2ea417a9222ecb99107cbfe5022e24 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Feb 2025 14:56:00 -0600
+Subject: PCI: Avoid reset when disabled via sysfs
+
+From: Nishanth Aravamudan <naravamudan@nvidia.com>
+
+[ Upstream commit 479380efe1625e251008d24b2810283db60d6fcd ]
+
+After d88f521da3ef ("PCI: Allow userspace to query and set device reset
+mechanism"), userspace can disable reset of specific PCI devices by writing
+an empty string to the sysfs reset_method file.
+
+However, pci_slot_resettable() does not check pci_reset_supported(), which
+means that pci_reset_function() will still reset the device even if
+userspace has disabled all the reset methods.
+
+I was able to reproduce this issue with a vfio device passed to a qemu
+guest, where I had disabled PCI reset via sysfs.
+
+Add an explicit check of pci_reset_supported() in both
+pci_slot_resettable() and pci_bus_resettable() to ensure both the reset
+status and reset execution are bypassed if an administrator disables it for
+a device.
+
+Link: https://lore.kernel.org/r/20250207205600.1846178-1-naravamudan@nvidia.com
+Fixes: d88f521da3ef ("PCI: Allow userspace to query and set device reset mechanism")
+Signed-off-by: Nishanth Aravamudan <naravamudan@nvidia.com>
+[bhelgaas: commit log]
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: Alex Williamson <alex.williamson@redhat.com>
+Cc: Raphael Norwitz <raphael.norwitz@nutanix.com>
+Cc: Amey Narkhede <ameynarkhede03@gmail.com>
+Cc: Jason Gunthorpe <jgg@nvidia.com>
+Cc: Yishai Hadas <yishaih@nvidia.com>
+Cc: Shameer Kolothum <shameerali.kolothum.thodi@huawei.com>
+Cc: Kevin Tian <kevin.tian@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pci.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
+index 8a35a9887302d..f411cef0186e1 100644
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -5578,6 +5578,8 @@ static bool pci_bus_resetable(struct pci_bus *bus)
+ return false;
+
+ list_for_each_entry(dev, &bus->devices, bus_list) {
++ if (!pci_reset_supported(dev))
++ return false;
+ if (dev->dev_flags & PCI_DEV_FLAGS_NO_BUS_RESET ||
+ (dev->subordinate && !pci_bus_resetable(dev->subordinate)))
+ return false;
+@@ -5654,6 +5656,8 @@ static bool pci_slot_resetable(struct pci_slot *slot)
+ list_for_each_entry(dev, &slot->bus->devices, bus_list) {
+ if (!dev->slot || dev->slot != slot)
+ continue;
++ if (!pci_reset_supported(dev))
++ return false;
+ if (dev->dev_flags & PCI_DEV_FLAGS_NO_BUS_RESET ||
+ (dev->subordinate && !pci_bus_resetable(dev->subordinate)))
+ return false;
+--
+2.39.5
+
--- /dev/null
+From 6dd11fd68629c540910b8bc7f24522be1ca72845 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Feb 2025 12:39:32 -0500
+Subject: PCI: brcmstb: Fix error path after a call to regulator_bulk_get()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jim Quinlan <james.quinlan@broadcom.com>
+
+[ Upstream commit 3651ad5249c51cf7eee078e12612557040a6bdb4 ]
+
+If the regulator_bulk_get() returns an error and no regulators
+are created, we need to set their number to zero.
+
+If we don't do this and the PCIe link up fails, a call to the
+regulator_bulk_free() will result in a kernel panic.
+
+While at it, print the error value, as we cannot return an error
+upwards as the kernel will WARN() on an error from add_bus().
+
+Fixes: 9e6be018b263 ("PCI: brcmstb: Enable child bus device regulators from DT")
+Signed-off-by: Jim Quinlan <james.quinlan@broadcom.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://lore.kernel.org/r/20250214173944.47506-5-james.quinlan@broadcom.com
+[kwilczynski: commit log, use comma in the message to match style with
+other similar messages]
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pcie-brcmstb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pci/controller/pcie-brcmstb.c b/drivers/pci/controller/pcie-brcmstb.c
+index feb825326d596..016ea0e79c3ad 100644
+--- a/drivers/pci/controller/pcie-brcmstb.c
++++ b/drivers/pci/controller/pcie-brcmstb.c
+@@ -1117,7 +1117,8 @@ static int brcm_pcie_add_bus(struct pci_bus *bus)
+
+ ret = regulator_bulk_get(dev, sr->num_supplies, sr->supplies);
+ if (ret) {
+- dev_info(dev, "No regulators for downstream device\n");
++ dev_info(dev, "Did not get regulators, err=%d\n", ret);
++ pcie->sr = NULL;
+ goto no_regulators;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 3bbdd5b05fddb9903c6df347f2bf685662c7bfad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Feb 2025 12:39:33 -0500
+Subject: PCI: brcmstb: Fix potential premature regulator disabling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jim Quinlan <james.quinlan@broadcom.com>
+
+[ Upstream commit b7de1b60ecab2f7b6f05d8116e93228a0bbb8563 ]
+
+The platform supports enabling and disabling regulators only on
+ports below the Root Complex.
+
+Thus, we need to verify this both when adding and removing the bus,
+otherwise regulators may be disabled prematurely when a bus further
+down the topology is removed.
+
+Fixes: 9e6be018b263 ("PCI: brcmstb: Enable child bus device regulators from DT")
+Signed-off-by: Jim Quinlan <james.quinlan@broadcom.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Link: https://lore.kernel.org/r/20250214173944.47506-6-james.quinlan@broadcom.com
+[kwilczynski: commit log]
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pcie-brcmstb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pci/controller/pcie-brcmstb.c b/drivers/pci/controller/pcie-brcmstb.c
+index 016ea0e79c3ad..3056e9b7223ec 100644
+--- a/drivers/pci/controller/pcie-brcmstb.c
++++ b/drivers/pci/controller/pcie-brcmstb.c
+@@ -1141,7 +1141,7 @@ static void brcm_pcie_remove_bus(struct pci_bus *bus)
+ struct subdev_regulators *sr = pcie->sr;
+ struct device *dev = &bus->dev;
+
+- if (!sr)
++ if (!sr || !bus->parent || !pci_is_root_bus(bus->parent))
+ return;
+
+ if (regulator_bulk_disable(sr->num_supplies, sr->supplies))
+--
+2.39.5
+
--- /dev/null
+From f188ae9941ef37079164c0a6ed5538c521b652a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Feb 2025 12:39:30 -0500
+Subject: PCI: brcmstb: Use internal register to change link capability
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jim Quinlan <james.quinlan@broadcom.com>
+
+[ Upstream commit 0c97321e11e0e9e18546f828492758f6aaecec59 ]
+
+The driver has been mistakenly writing to a read-only (RO)
+configuration space register (PCI_EXP_LNKCAP) to change the
+PCIe link capability.
+
+Although harmless in this case, the proper write destination
+is an internal register that is reflected by PCI_EXP_LNKCAP.
+
+Thus, fix the brcm_pcie_set_gen() function to correctly update
+the link capability.
+
+Fixes: c0452137034b ("PCI: brcmstb: Add Broadcom STB PCIe host controller driver")
+Signed-off-by: Jim Quinlan <james.quinlan@broadcom.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Link: https://lore.kernel.org/r/20250214173944.47506-3-james.quinlan@broadcom.com
+[kwilczynski: commit log]
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pcie-brcmstb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pci/controller/pcie-brcmstb.c b/drivers/pci/controller/pcie-brcmstb.c
+index 521acd632f1ac..feb825326d596 100644
+--- a/drivers/pci/controller/pcie-brcmstb.c
++++ b/drivers/pci/controller/pcie-brcmstb.c
+@@ -383,10 +383,10 @@ static int brcm_pcie_set_ssc(struct brcm_pcie *pcie)
+ static void brcm_pcie_set_gen(struct brcm_pcie *pcie, int gen)
+ {
+ u16 lnkctl2 = readw(pcie->base + BRCM_PCIE_CAP_REGS + PCI_EXP_LNKCTL2);
+- u32 lnkcap = readl(pcie->base + BRCM_PCIE_CAP_REGS + PCI_EXP_LNKCAP);
++ u32 lnkcap = readl(pcie->base + PCIE_RC_CFG_PRIV1_LINK_CAPABILITY);
+
+ lnkcap = (lnkcap & ~PCI_EXP_LNKCAP_SLS) | gen;
+- writel(lnkcap, pcie->base + BRCM_PCIE_CAP_REGS + PCI_EXP_LNKCAP);
++ writel(lnkcap, pcie->base + PCIE_RC_CFG_PRIV1_LINK_CAPABILITY);
+
+ lnkctl2 = (lnkctl2 & ~0xf) | gen;
+ writew(lnkctl2, pcie->base + BRCM_PCIE_CAP_REGS + PCI_EXP_LNKCTL2);
+--
+2.39.5
+
--- /dev/null
+From 060a9f66293b719463c8a93f8a05be5a7283d84a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 15 Feb 2025 00:57:24 +0800
+Subject: PCI: cadence-ep: Fix the driver to send MSG TLP for INTx without data
+ payload
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hans Zhang <18255117159@163.com>
+
+[ Upstream commit 3ac47fbf4f6e8c3a7c3855fac68cc3246f90f850 ]
+
+Per the Cadence's "PCIe Controller IP for AX14" user guide, Version
+1.04, Section 9.1.7.1, "AXI Subordinate to PCIe Address Translation
+Registers", Table 9.4, the bit 16 of the AXI Subordinate Address
+(axi_s_awaddr) when set corresponds to MSG with data, and when not set,
+to MSG without data.
+
+However, the driver is currently doing the opposite and due to this,
+the INTx is never received on the host.
+
+So, fix the driver to reflect the documentation and also make INTx work.
+
+Fixes: 37dddf14f1ae ("PCI: cadence: Add EndPoint Controller driver for Cadence PCIe controller")
+Signed-off-by: Hans Zhang <18255117159@163.com>
+Signed-off-by: Hans Zhang <hans.zhang@cixtech.com>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Link: https://lore.kernel.org/r/20250214165724.184599-1-18255117159@163.com
+[kwilczynski: commit log]
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/cadence/pcie-cadence-ep.c | 3 +--
+ drivers/pci/controller/cadence/pcie-cadence.h | 2 +-
+ 2 files changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/pci/controller/cadence/pcie-cadence-ep.c b/drivers/pci/controller/cadence/pcie-cadence-ep.c
+index b8b655d4047ec..a87dab9abba26 100644
+--- a/drivers/pci/controller/cadence/pcie-cadence-ep.c
++++ b/drivers/pci/controller/cadence/pcie-cadence-ep.c
+@@ -354,8 +354,7 @@ static void cdns_pcie_ep_assert_intx(struct cdns_pcie_ep *ep, u8 fn, u8 intx,
+ spin_unlock_irqrestore(&ep->lock, flags);
+
+ offset = CDNS_PCIE_NORMAL_MSG_ROUTING(MSG_ROUTING_LOCAL) |
+- CDNS_PCIE_NORMAL_MSG_CODE(msg_code) |
+- CDNS_PCIE_MSG_NO_DATA;
++ CDNS_PCIE_NORMAL_MSG_CODE(msg_code);
+ writel(0, ep->irq_cpu_addr + offset);
+ }
+
+diff --git a/drivers/pci/controller/cadence/pcie-cadence.h b/drivers/pci/controller/cadence/pcie-cadence.h
+index 190786e47df93..2891e8c16a592 100644
+--- a/drivers/pci/controller/cadence/pcie-cadence.h
++++ b/drivers/pci/controller/cadence/pcie-cadence.h
+@@ -240,7 +240,7 @@ struct cdns_pcie_rp_ib_bar {
+ #define CDNS_PCIE_NORMAL_MSG_CODE_MASK GENMASK(15, 8)
+ #define CDNS_PCIE_NORMAL_MSG_CODE(code) \
+ (((code) << 8) & CDNS_PCIE_NORMAL_MSG_CODE_MASK)
+-#define CDNS_PCIE_MSG_NO_DATA BIT(16)
++#define CDNS_PCIE_MSG_DATA BIT(16)
+
+ struct cdns_pcie;
+
+--
+2.39.5
+
--- /dev/null
+From 954036aaa2c22a229a000b1f84816b674e19827e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Mar 2025 18:21:14 +0200
+Subject: PCI: pciehp: Don't enable HPIE when resuming in poll mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+
+[ Upstream commit 527664f738afb6f2c58022cd35e63801e5dc7aec ]
+
+PCIe hotplug can operate in poll mode without interrupt handlers using a
+polling kthread only. eb34da60edee ("PCI: pciehp: Disable hotplug
+interrupt during suspend") failed to consider that and enables HPIE
+(Hot-Plug Interrupt Enable) unconditionally when resuming the Port.
+
+Only set HPIE if non-poll mode is in use. This makes
+pcie_enable_interrupt() match how pcie_enable_notification() already
+handles HPIE.
+
+Link: https://lore.kernel.org/r/20250321162114.3939-1-ilpo.jarvinen@linux.intel.com
+Fixes: eb34da60edee ("PCI: pciehp: Disable hotplug interrupt during suspend")
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/hotplug/pciehp_hpc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pci/hotplug/pciehp_hpc.c b/drivers/pci/hotplug/pciehp_hpc.c
+index 358f077284cbe..1ee5f7a9c7419 100644
+--- a/drivers/pci/hotplug/pciehp_hpc.c
++++ b/drivers/pci/hotplug/pciehp_hpc.c
+@@ -840,7 +840,9 @@ void pcie_enable_interrupt(struct controller *ctrl)
+ {
+ u16 mask;
+
+- mask = PCI_EXP_SLTCTL_HPIE | PCI_EXP_SLTCTL_DLLSCE;
++ mask = PCI_EXP_SLTCTL_DLLSCE;
++ if (!pciehp_poll_mode)
++ mask |= PCI_EXP_SLTCTL_HPIE;
+ pcie_write_cmd(ctrl, mask, mask);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 667e9872c3f0470cd4bf5ce59e1dfaa4aedf1ca4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Mar 2025 10:36:30 +0800
+Subject: PCI/portdrv: Only disable pciehp interrupts early when needed
+
+From: Feng Tang <feng.tang@linux.alibaba.com>
+
+[ Upstream commit 9d7db4db19827380e225914618c0c1bf435ed2f5 ]
+
+Firmware developers reported that Linux issues two PCIe hotplug commands in
+very short intervals on an ARM server, which doesn't comply with the PCIe
+spec. According to PCIe r6.1, sec 6.7.3.2, if the Command Completed event
+is supported, software must wait for a command to complete or wait at
+least 1 second before sending a new command.
+
+In the failure case, the first PCIe hotplug command is from
+get_port_device_capability(), which sends a command to disable PCIe hotplug
+interrupts without waiting for its completion, and the second command comes
+from pcie_enable_notification() of pciehp driver, which enables hotplug
+interrupts again.
+
+Fix this by only disabling the hotplug interrupts when the pciehp driver is
+not enabled.
+
+Link: https://lore.kernel.org/r/20250303023630.78397-1-feng.tang@linux.alibaba.com
+Fixes: 2bd50dd800b5 ("PCI: PCIe: Disable PCIe port services during port initialization")
+Suggested-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Feng Tang <feng.tang@linux.alibaba.com>
+[bhelgaas: commit log]
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Lukas Wunner <lukas@wunner.de>
+Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pcie/portdrv_core.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/pci/pcie/portdrv_core.c b/drivers/pci/pcie/portdrv_core.c
+index 1ac7fec47d6fb..332315183cd45 100644
+--- a/drivers/pci/pcie/portdrv_core.c
++++ b/drivers/pci/pcie/portdrv_core.c
+@@ -214,10 +214,12 @@ static int get_port_device_capability(struct pci_dev *dev)
+
+ /*
+ * Disable hot-plug interrupts in case they have been enabled
+- * by the BIOS and the hot-plug service driver is not loaded.
++ * by the BIOS and the hot-plug service driver won't be loaded
++ * to handle them.
+ */
+- pcie_capability_clear_word(dev, PCI_EXP_SLTCTL,
+- PCI_EXP_SLTCTL_CCIE | PCI_EXP_SLTCTL_HPIE);
++ if (!IS_ENABLED(CONFIG_HOTPLUG_PCI_PCIE))
++ pcie_capability_clear_word(dev, PCI_EXP_SLTCTL,
++ PCI_EXP_SLTCTL_CCIE | PCI_EXP_SLTCTL_HPIE);
+ }
+
+ #ifdef CONFIG_PCIEAER
+--
+2.39.5
+
--- /dev/null
+From 6ec27b3266ac5156876a20c22781b76652c3cfe2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Mar 2025 11:46:34 +0300
+Subject: PCI: Remove stray put_device() in pci_register_host_bridge()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 6e8d06e5096c80cbf41313b4a204f43071ca42be ]
+
+This put_device() was accidentally left over from when we changed the code
+from using device_register() to calling device_add(). Delete it.
+
+Link: https://lore.kernel.org/r/55b24870-89fb-4c91-b85d-744e35db53c2@stanley.mountain
+Fixes: 9885440b16b8 ("PCI: Fix pci_host_bridge struct device release/free handling")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/probe.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
+index 5c1ab9ee65eb3..bd35327648778 100644
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -926,10 +926,9 @@ static int pci_register_host_bridge(struct pci_host_bridge *bridge)
+ /* Temporarily move resources off the list */
+ list_splice_init(&bridge->windows, &resources);
+ err = device_add(&bridge->dev);
+- if (err) {
+- put_device(&bridge->dev);
++ if (err)
+ goto free;
+- }
++
+ bus->bridge = get_device(&bridge->dev);
+ device_enable_async_suspend(bus->bridge);
+ pci_set_bus_of_node(bus);
+--
+2.39.5
+
--- /dev/null
+From c07721c817b500b08a44adc8bb3d99aef2af3f9f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Dec 2024 10:24:57 +0800
+Subject: PCI: Use downstream bridges for distributing resources
+
+From: Kai-Heng Feng <kaihengf@nvidia.com>
+
+[ Upstream commit 1a596ad00ffe9b37fc60a93cbdd4daead3bf95f3 ]
+
+7180c1d08639 ("PCI: Distribute available resources for root buses, too")
+breaks BAR assignment on some devices:
+
+ pci 0006:03:00.0: BAR 0 [mem 0x6300c0000000-0x6300c1ffffff 64bit pref]: assigned
+ pci 0006:03:00.1: BAR 0 [mem 0x6300c2000000-0x6300c3ffffff 64bit pref]: assigned
+ pci 0006:03:00.2: BAR 0 [mem size 0x00800000 64bit pref]: can't assign; no space
+ pci 0006:03:00.0: VF BAR 0 [mem size 0x02000000 64bit pref]: can't assign; no space
+ pci 0006:03:00.1: VF BAR 0 [mem size 0x02000000 64bit pref]: can't assign; no space
+
+The apertures of domain 0006 before 7180c1d08639:
+
+ 6300c0000000-63ffffffffff : PCI Bus 0006:00
+ 6300c0000000-6300c9ffffff : PCI Bus 0006:01
+ 6300c0000000-6300c9ffffff : PCI Bus 0006:02 # 160MB
+ 6300c0000000-6300c8ffffff : PCI Bus 0006:03 # 144MB
+ 6300c0000000-6300c1ffffff : 0006:03:00.0 # 32MB
+ 6300c2000000-6300c3ffffff : 0006:03:00.1 # 32MB
+ 6300c4000000-6300c47fffff : 0006:03:00.2 # 8MB
+ 6300c4800000-6300c67fffff : 0006:03:00.0 # 32MB
+ 6300c6800000-6300c87fffff : 0006:03:00.1 # 32MB
+ 6300c9000000-6300c9bfffff : PCI Bus 0006:04 # 12MB
+ 6300c9000000-6300c9bfffff : PCI Bus 0006:05 # 12MB
+ 6300c9000000-6300c91fffff : PCI Bus 0006:06 # 2MB
+ 6300c9200000-6300c93fffff : PCI Bus 0006:07 # 2MB
+ 6300c9400000-6300c95fffff : PCI Bus 0006:08 # 2MB
+ 6300c9600000-6300c97fffff : PCI Bus 0006:09 # 2MB
+
+After 7180c1d08639:
+
+ 6300c0000000-63ffffffffff : PCI Bus 0006:00
+ 6300c0000000-6300c9ffffff : PCI Bus 0006:01
+ 6300c0000000-6300c9ffffff : PCI Bus 0006:02 # 160MB
+ 6300c0000000-6300c43fffff : PCI Bus 0006:03 # 68MB
+ 6300c0000000-6300c1ffffff : 0006:03:00.0 # 32MB
+ 6300c2000000-6300c3ffffff : 0006:03:00.1 # 32MB
+ --- no space --- : 0006:03:00.2 # 8MB
+ --- no space --- : 0006:03:00.0 # 32MB
+ --- no space --- : 0006:03:00.1 # 32MB
+ 6300c4400000-6300c4dfffff : PCI Bus 0006:04 # 10MB
+ 6300c4400000-6300c4dfffff : PCI Bus 0006:05 # 10MB
+ 6300c4400000-6300c45fffff : PCI Bus 0006:06 # 2MB
+ 6300c4600000-6300c47fffff : PCI Bus 0006:07 # 2MB
+ 6300c4800000-6300c49fffff : PCI Bus 0006:08 # 2MB
+ 6300c4a00000-6300c4bfffff : PCI Bus 0006:09 # 2MB
+
+We can see that the window to 0006:03 gets shrunken too much and 0006:04
+eats away the window for 0006:03:00.2.
+
+The offending commit distributes the upstream bridge's resources multiple
+times to every downstream bridge, hence makes the aperture smaller than
+desired because calculation of io_per_b, mmio_per_b and mmio_pref_per_b
+becomes incorrect.
+
+Instead, distribute downstream bridges' own resources to resolve the issue.
+
+Link: https://lore.kernel.org/r/20241204022457.51322-1-kaihengf@nvidia.com
+Fixes: 7180c1d08639 ("PCI: Distribute available resources for root buses, too")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=219540
+Signed-off-by: Kai-Heng Feng <kaihengf@nvidia.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Tested-by: Chia-Lin Kao (AceLan) <acelan.kao@canonical.com>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Cc: Carol Soto <csoto@nvidia.com>
+Cc: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Cc: Chris Chiu <chris.chiu@canonical.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/setup-bus.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/pci/setup-bus.c b/drivers/pci/setup-bus.c
+index b8cb990044fb2..8c1ad20a21ec5 100644
+--- a/drivers/pci/setup-bus.c
++++ b/drivers/pci/setup-bus.c
+@@ -2027,8 +2027,7 @@ pci_root_bus_distribute_available_resources(struct pci_bus *bus,
+ * in case of root bus.
+ */
+ if (bridge && pci_bridge_resources_not_assigned(dev))
+- pci_bridge_distribute_available_resources(bridge,
+- add_list);
++ pci_bridge_distribute_available_resources(dev, add_list);
+ else
+ pci_root_bus_distribute_available_resources(b, add_list);
+ }
+--
+2.39.5
+
--- /dev/null
+From ce1db1adf333563e4ed7ce2abdbddd713350ed10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Feb 2025 21:20:22 +0530
+Subject: PCI: xilinx-cpm: Fix IRQ domain leak in error path of probe
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thippeswamy Havalige <thippeswamy.havalige@amd.com>
+
+[ Upstream commit 57b0302240741e73fe51f88404b3866e0d2933ad ]
+
+The IRQ domain allocated for the PCIe controller is not freed if
+resource_list_first_type() returns NULL, leading to a resource leak.
+
+This fix ensures properly cleaning up the allocated IRQ domain in
+the error path.
+
+Fixes: 49e427e6bdd1 ("Merge branch 'pci/host-probe-refactor'")
+Signed-off-by: Thippeswamy Havalige <thippeswamy.havalige@amd.com>
+[kwilczynski: added missing Fixes: tag, refactored to use one of the goto labels]
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Link: https://lore.kernel.org/r/20250224155025.782179-2-thippeswamy.havalige@amd.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pcie-xilinx-cpm.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/pci/controller/pcie-xilinx-cpm.c b/drivers/pci/controller/pcie-xilinx-cpm.c
+index e4ab48041eb6d..53cf701bb228a 100644
+--- a/drivers/pci/controller/pcie-xilinx-cpm.c
++++ b/drivers/pci/controller/pcie-xilinx-cpm.c
+@@ -595,15 +595,17 @@ static int xilinx_cpm_pcie_probe(struct platform_device *pdev)
+ return err;
+
+ bus = resource_list_first_type(&bridge->windows, IORESOURCE_BUS);
+- if (!bus)
+- return -ENODEV;
++ if (!bus) {
++ err = -ENODEV;
++ goto err_free_irq_domains;
++ }
+
+ port->variant = of_device_get_match_data(dev);
+
+ err = xilinx_cpm_pcie_parse_dt(port, bus->res);
+ if (err) {
+ dev_err(dev, "Parsing DT failed\n");
+- goto err_parse_dt;
++ goto err_free_irq_domains;
+ }
+
+ xilinx_cpm_pcie_init_port(port);
+@@ -627,7 +629,7 @@ static int xilinx_cpm_pcie_probe(struct platform_device *pdev)
+ xilinx_cpm_free_interrupts(port);
+ err_setup_irq:
+ pci_ecam_free(port->cfg);
+-err_parse_dt:
++err_free_irq_domains:
+ xilinx_cpm_free_irq_domains(port);
+ return err;
+ }
+--
+2.39.5
+
--- /dev/null
+From abc726a22db2309a11d0990e1446bf4b326e314a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Feb 2025 14:22:59 -0800
+Subject: perf evlist: Add success path to evlist__create_syswide_maps
+
+From: Ian Rogers <irogers@google.com>
+
+[ Upstream commit fe0ce8a9d85a48642880c9b78944cb0d23e779c5 ]
+
+Over various refactorings evlist__create_syswide_maps has been made to
+only ever return with -ENOMEM. Fix this so that when
+perf_evlist__set_maps is successfully called, 0 is returned.
+
+Reviewed-by: Howard Chu <howardchu95@gmail.com>
+Signed-off-by: Ian Rogers <irogers@google.com>
+Reviewed-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Link: https://lore.kernel.org/r/20250228222308.626803-3-irogers@google.com
+Fixes: 8c0498b6891d7ca5 ("perf evlist: Fix create_syswide_maps() not propagating maps")
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/evlist.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/tools/perf/util/evlist.c b/tools/perf/util/evlist.c
+index dca6843ea3225..41bbe6f85b0d3 100644
+--- a/tools/perf/util/evlist.c
++++ b/tools/perf/util/evlist.c
+@@ -1342,19 +1342,18 @@ static int evlist__create_syswide_maps(struct evlist *evlist)
+ */
+ cpus = perf_cpu_map__new(NULL);
+ if (!cpus)
+- goto out;
++ return -ENOMEM;
+
+ threads = perf_thread_map__new_dummy();
+- if (!threads)
+- goto out_put;
++ if (!threads) {
++ perf_cpu_map__put(cpus);
++ return -ENOMEM;
++ }
+
+ perf_evlist__set_maps(&evlist->core, cpus, threads);
+-
+ perf_thread_map__put(threads);
+-out_put:
+ perf_cpu_map__put(cpus);
+-out:
+- return -ENOMEM;
++ return 0;
+ }
+
+ int evlist__open(struct evlist *evlist)
+--
+2.39.5
+
--- /dev/null
+From 5cda9855a60d42bec091b4905eb0ea1fb4909978 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Mar 2025 17:31:41 -0300
+Subject: perf python: Check if there is space to copy all the event
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit 89aaeaf84231157288035b366cb6300c1c6cac64 ]
+
+The pyrf_event__new() method copies the event obtained from the perf
+ring buffer to a structure that will then be turned into a python object
+for further consumption, so it copies perf_event.header.size bytes to
+its 'event' member:
+
+ $ pahole -C pyrf_event /tmp/build/perf-tools-next/python/perf.cpython-312-x86_64-linux-gnu.so
+ struct pyrf_event {
+ PyObject ob_base; /* 0 16 */
+ struct evsel * evsel; /* 16 8 */
+ struct perf_sample sample; /* 24 312 */
+
+ /* XXX last struct has 7 bytes of padding, 2 holes */
+
+ /* --- cacheline 5 boundary (320 bytes) was 16 bytes ago --- */
+ union perf_event event; /* 336 4168 */
+
+ /* size: 4504, cachelines: 71, members: 4 */
+ /* member types with holes: 1, total: 2 */
+ /* paddings: 1, sum paddings: 7 */
+ /* last cacheline: 24 bytes */
+ };
+
+ $
+
+It was doing so without checking if the event just obtained has more
+than that space, fix it.
+
+This isn't a proper, final solution, as we need to support larger
+events, but for the time being we at least bounds check and document it.
+
+Fixes: 877108e42b1b9ba6 ("perf tools: Initial python binding")
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Reviewed-by: Ian Rogers <irogers@google.com>
+Link: https://lore.kernel.org/r/20250312203141.285263-7-acme@kernel.org
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/python.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/tools/perf/util/python.c b/tools/perf/util/python.c
+index efc8f88db5cff..e25c3fcaecccc 100644
+--- a/tools/perf/util/python.c
++++ b/tools/perf/util/python.c
+@@ -610,6 +610,11 @@ static PyObject *pyrf_event__new(union perf_event *event)
+ event->header.type == PERF_RECORD_SWITCH_CPU_WIDE))
+ return NULL;
+
++ // FIXME this better be dynamic or we need to parse everything
++ // before calling perf_mmap__consume(), including tracepoint fields.
++ if (sizeof(pevent->event) < event->header.size)
++ return NULL;
++
+ ptype = pyrf_event__type[event->header.type];
+ pevent = PyObject_New(struct pyrf_event, ptype);
+ if (pevent != NULL)
+--
+2.39.5
+
--- /dev/null
+From 2f03cdb19761e6c77f79312c62ddea40dbd410b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Mar 2025 17:31:39 -0300
+Subject: perf python: Decrement the refcount of just created event on failure
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit 3de5a2bf5b4847f7a59a184568f969f8fe05d57f ]
+
+To avoid a leak if we have the python object but then something happens
+and we need to return the operation, decrement the offset of the newly
+created object.
+
+Fixes: 377f698db12150a1 ("perf python: Add struct evsel into struct pyrf_event")
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Reviewed-by: Ian Rogers <irogers@google.com>
+Link: https://lore.kernel.org/r/20250312203141.285263-5-acme@kernel.org
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/python.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/python.c b/tools/perf/util/python.c
+index 9ae5ffea91b48..894a9966599fd 100644
+--- a/tools/perf/util/python.c
++++ b/tools/perf/util/python.c
+@@ -1109,6 +1109,7 @@ static PyObject *pyrf_evlist__read_on_cpu(struct pyrf_evlist *pevlist,
+
+ evsel = evlist__event2evsel(evlist, event);
+ if (!evsel) {
++ Py_DECREF(pyevent);
+ Py_INCREF(Py_None);
+ return Py_None;
+ }
+@@ -1120,9 +1121,12 @@ static PyObject *pyrf_evlist__read_on_cpu(struct pyrf_evlist *pevlist,
+ /* Consume the even only after we parsed it out. */
+ perf_mmap__consume(&md->core);
+
+- if (err)
++ if (err) {
++ Py_DECREF(pyevent);
+ return PyErr_Format(PyExc_OSError,
+ "perf: can't parse sample, err=%d", err);
++ }
++
+ return pyevent;
+ }
+ end:
+--
+2.39.5
+
--- /dev/null
+From 8c926b249823faa6da8e74ac7ea9214ae0ec4b75 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Mar 2025 17:31:40 -0300
+Subject: perf python: Don't keep a raw_data pointer to consumed ring buffer
+ space
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit f3fed3ae34d606819d87a63d970cc3092a5be7ab ]
+
+When processing tracepoints the perf python binding was parsing the
+event before calling perf_mmap__consume(&md->core) in
+pyrf_evlist__read_on_cpu().
+
+But part of this event parsing was to set the perf_sample->raw_data
+pointer to the payload of the event, which then could be overwritten by
+other event before tracepoint fields were asked for via event.prev_comm
+in a python program, for instance.
+
+This also happened with other fields, but strings were were problems
+were surfacing, as there is UTF-8 validation for the potentially garbled
+data.
+
+This ended up showing up as (with some added debugging messages):
+
+ ( field 'prev_comm' ret=0x7f7c31f65110, raw_size=68 ) ( field 'prev_pid' ret=0x7f7c23b1bed0, raw_size=68 ) ( field 'prev_prio' ret=0x7f7c239c0030, raw_size=68 ) ( field 'prev_state' ret=0x7f7c239c0250, raw_size=68 ) time 14771421785867 prev_comm= prev_pid=1919907691 prev_prio=796026219 prev_state=0x303a32313175 ==>
+ ( XXX '��' len=16, raw_size=68) ( field 'next_comm' ret=(nil), raw_size=68 ) Traceback (most recent call last):
+ File "/home/acme/git/perf-tools-next/tools/perf/python/tracepoint.py", line 51, in <module>
+ main()
+ File "/home/acme/git/perf-tools-next/tools/perf/python/tracepoint.py", line 46, in main
+ event.next_comm,
+ ^^^^^^^^^^^^^^^
+ AttributeError: 'perf.sample_event' object has no attribute 'next_comm'
+
+When event.next_comm was asked for, the PyUnicode_FromString() python
+API would fail and that tracepoint field wouldn't be available, stopping
+the tools/perf/python/tracepoint.py test tool.
+
+But, since we already do a copy of the whole event in pyrf_event__new,
+just use it and while at it remove what was done in in e8968e654191390a
+("perf python: Fix pyrf_evlist__read_on_cpu event consuming") because we
+don't really need to wait for parsing the sample before declaring the
+event as consumed.
+
+This copy is questionable as is now, as it limits the maximum event +
+sample_type and tracepoint payload to sizeof(union perf_event), this all
+has been "working" because 'struct perf_event_mmap2', the largest entry
+in 'union perf_event' is:
+
+ $ pahole -C perf_event ~/bin/perf | grep mmap2
+ struct perf_record_mmap2 mmap2; /* 0 4168 */
+ $
+
+Fixes: bae57e3825a3dded ("perf python: Add support to resolve tracepoint fields")
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Reviewed-by: Ian Rogers <irogers@google.com>
+Link: https://lore.kernel.org/r/20250312203141.285263-6-acme@kernel.org
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/python.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/tools/perf/util/python.c b/tools/perf/util/python.c
+index 894a9966599fd..efc8f88db5cff 100644
+--- a/tools/perf/util/python.c
++++ b/tools/perf/util/python.c
+@@ -1116,11 +1116,9 @@ static PyObject *pyrf_evlist__read_on_cpu(struct pyrf_evlist *pevlist,
+
+ pevent->evsel = evsel;
+
+- err = evsel__parse_sample(evsel, event, &pevent->sample);
+-
+- /* Consume the even only after we parsed it out. */
+ perf_mmap__consume(&md->core);
+
++ err = evsel__parse_sample(evsel, &pevent->event, &pevent->sample);
+ if (err) {
+ Py_DECREF(pyevent);
+ return PyErr_Format(PyExc_OSError,
+--
+2.39.5
+
--- /dev/null
+From d6f6967492b3b0040d057792c30bff821e9bd789 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Mar 2025 17:31:36 -0300
+Subject: perf python: Fixup description of sample.id event member
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit 1376c195e8ad327bb9f2d32e0acc5ac39e7cb30a ]
+
+Some old cut'n'paste error, its "ip", so the description should be
+"event ip", not "event type".
+
+Fixes: 877108e42b1b9ba6 ("perf tools: Initial python binding")
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Reviewed-by: Ian Rogers <irogers@google.com>
+Link: https://lore.kernel.org/r/20250312203141.285263-2-acme@kernel.org
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/python.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/python.c b/tools/perf/util/python.c
+index 5be5fa2391de2..9ae5ffea91b48 100644
+--- a/tools/perf/util/python.c
++++ b/tools/perf/util/python.c
+@@ -181,7 +181,7 @@ struct pyrf_event {
+ };
+
+ #define sample_members \
+- sample_member_def(sample_ip, ip, T_ULONGLONG, "event type"), \
++ sample_member_def(sample_ip, ip, T_ULONGLONG, "event ip"), \
+ sample_member_def(sample_pid, pid, T_INT, "event pid"), \
+ sample_member_def(sample_tid, tid, T_INT, "event tid"), \
+ sample_member_def(sample_time, time, T_ULONGLONG, "event timestamp"), \
+--
+2.39.5
+
--- /dev/null
+From 3dbcbf53fe1182e535d8e328af0da943bf072c4a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Mar 2025 11:00:36 +0800
+Subject: perf/ring_buffer: Allow the EPOLLRDNORM flag for poll
+
+From: Tao Chen <chen.dylane@linux.dev>
+
+[ Upstream commit c96fff391c095c11dc87dab35be72dee7d217cde ]
+
+The poll man page says POLLRDNORM is equivalent to POLLIN. For poll(),
+it seems that if user sets pollfd with POLLRDNORM in userspace, perf_poll
+will not return until timeout even if perf_output_wakeup called,
+whereas POLLIN returns.
+
+Fixes: 76369139ceb9 ("perf: Split up buffer handling from core code")
+Signed-off-by: Tao Chen <chen.dylane@linux.dev>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Link: https://lore.kernel.org/r/20250314030036.2543180-1-chen.dylane@linux.dev
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/events/ring_buffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/events/ring_buffer.c b/kernel/events/ring_buffer.c
+index 98588e96b5919..3e1655374c2ed 100644
+--- a/kernel/events/ring_buffer.c
++++ b/kernel/events/ring_buffer.c
+@@ -19,7 +19,7 @@
+
+ static void perf_output_wakeup(struct perf_output_handle *handle)
+ {
+- atomic_set(&handle->rb->poll, EPOLLIN);
++ atomic_set(&handle->rb->poll, EPOLLIN | EPOLLRDNORM);
+
+ handle->event->pending_wakeup = 1;
+ irq_work_queue(&handle->event->pending_irq);
+--
+2.39.5
+
--- /dev/null
+From 3f764d24abda308794f1ec45b92a3f03de89b974 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 23 Mar 2025 09:53:45 +0100
+Subject: perf tools: annotate asm_pure_loop.S
+
+From: Marcus Meissner <meissner@suse.de>
+
+[ Upstream commit 9a352a90e88a041f4b26d359493e12a7f5ae1a6a ]
+
+Annotate so it is built with non-executable stack.
+
+Fixes: 8b97519711c3 ("perf test: Add asm pureloop test tool")
+Signed-off-by: Marcus Meissner <meissner@suse.de>
+Reviewed-by: Leo Yan <leo.yan@arm.com>
+Link: https://lore.kernel.org/r/20250323085410.23751-1-meissner@suse.de
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/tests/shell/coresight/asm_pure_loop/asm_pure_loop.S | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/perf/tests/shell/coresight/asm_pure_loop/asm_pure_loop.S b/tools/perf/tests/shell/coresight/asm_pure_loop/asm_pure_loop.S
+index 75cf084a927d3..5777600467723 100644
+--- a/tools/perf/tests/shell/coresight/asm_pure_loop/asm_pure_loop.S
++++ b/tools/perf/tests/shell/coresight/asm_pure_loop/asm_pure_loop.S
+@@ -26,3 +26,5 @@ skip:
+ mov x0, #0
+ mov x8, #93 // __NR_exit syscall
+ svc #0
++
++.section .note.GNU-stack, "", @progbits
+--
+2.39.5
+
--- /dev/null
+From c1921c6d8bed69fc2ac866f2e21eb5f5f2501b82 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Mar 2025 16:45:32 -0300
+Subject: perf units: Fix insufficient array space
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit cf67629f7f637fb988228abdb3aae46d0c1748fe ]
+
+No need to specify the array size, let the compiler figure that out.
+
+This addresses this compiler warning that was noticed while build
+testing on fedora rawhide:
+
+ 31 15.81 fedora:rawhide : FAIL gcc version 15.0.1 20250225 (Red Hat 15.0.1-0) (GCC)
+ util/units.c: In function 'unit_number__scnprintf':
+ util/units.c:67:24: error: initializer-string for array of 'char' is too long [-Werror=unterminated-string-initialization]
+ 67 | char unit[4] = "BKMG";
+ | ^~~~~~
+ cc1: all warnings being treated as errors
+
+Fixes: 9808143ba2e54818 ("perf tools: Add unit_number__scnprintf function")
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Link: https://lore.kernel.org/r/20250310194534.265487-3-acme@kernel.org
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/units.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/units.c b/tools/perf/util/units.c
+index 32c39cfe209b3..4c6a86e1cb54b 100644
+--- a/tools/perf/util/units.c
++++ b/tools/perf/util/units.c
+@@ -64,7 +64,7 @@ unsigned long convert_unit(unsigned long value, char *unit)
+
+ int unit_number__scnprintf(char *buf, size_t size, u64 n)
+ {
+- char unit[4] = "BKMG";
++ char unit[] = "BKMG";
+ int i = 0;
+
+ while (((n / 1024) > 1) && (i < 3)) {
+--
+2.39.5
+
--- /dev/null
+From a2ac2506dbcd5b8edbd7cfa4fb8a63f4dd3fdfff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Mar 2025 16:37:53 +0000
+Subject: pinctrl: renesas: rza2: Fix missing of_node_put() call
+
+From: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
+
+[ Upstream commit abcdeb4e299a11ecb5a3ea0cce00e68e8f540375 ]
+
+of_parse_phandle_with_fixed_args() requires its caller to
+call into of_node_put() on the node pointer from the output
+structure, but such a call is currently missing.
+
+Call into of_node_put() to rectify that.
+
+Fixes: b59d0e782706 ("pinctrl: Add RZ/A2 pin and gpio controller")
+Signed-off-by: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
+Reviewed-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/20250305163753.34913-5-fabrizio.castro.jz@renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/renesas/pinctrl-rza2.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/pinctrl/renesas/pinctrl-rza2.c b/drivers/pinctrl/renesas/pinctrl-rza2.c
+index 12126e30dc20f..2d6072e9f5a87 100644
+--- a/drivers/pinctrl/renesas/pinctrl-rza2.c
++++ b/drivers/pinctrl/renesas/pinctrl-rza2.c
+@@ -252,6 +252,8 @@ static int rza2_gpio_register(struct rza2_pinctrl_priv *priv)
+ return ret;
+ }
+
++ of_node_put(of_args.np);
++
+ if ((of_args.args[0] != 0) ||
+ (of_args.args[1] != 0) ||
+ (of_args.args[2] != priv->npins)) {
+--
+2.39.5
+
--- /dev/null
+From a4272ec6da9fc64ef177165e88b3a2ae1998cb27 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Mar 2025 16:37:51 +0000
+Subject: pinctrl: renesas: rzg2l: Fix missing of_node_put() call
+
+From: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
+
+[ Upstream commit a5779e625e2b377f16a6675c432aaf299ce5028c ]
+
+of_parse_phandle_with_fixed_args() requires its caller to
+call into of_node_put() on the node pointer from the output
+structure, but such a call is currently missing.
+
+Call into of_node_put() to rectify that.
+
+Fixes: c4c4637eb57f ("pinctrl: renesas: Add RZ/G2L pin and gpio controller driver")
+Signed-off-by: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
+Reviewed-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/20250305163753.34913-3-fabrizio.castro.jz@renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/renesas/pinctrl-rzg2l.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/pinctrl/renesas/pinctrl-rzg2l.c b/drivers/pinctrl/renesas/pinctrl-rzg2l.c
+index 159812fe1c97c..1304ab0bcac1e 100644
+--- a/drivers/pinctrl/renesas/pinctrl-rzg2l.c
++++ b/drivers/pinctrl/renesas/pinctrl-rzg2l.c
+@@ -1365,6 +1365,8 @@ static int rzg2l_gpio_register(struct rzg2l_pinctrl *pctrl)
+ return ret;
+ }
+
++ of_node_put(of_args.np);
++
+ if (of_args.args[0] != 0 || of_args.args[1] != 0 ||
+ of_args.args[2] != pctrl->data->n_port_pins) {
+ dev_err(pctrl->dev, "gpio-ranges does not match selected SOC\n");
+--
+2.39.5
+
--- /dev/null
+From 0a20ef92a9bace69c7c45c45d9fc9b9365d2c485 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Mar 2025 16:37:52 +0000
+Subject: pinctrl: renesas: rzv2m: Fix missing of_node_put() call
+
+From: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
+
+[ Upstream commit 5a550b00704d3a2cd9d766a9427b0f8166da37df ]
+
+of_parse_phandle_with_fixed_args() requires its caller to
+call into of_node_put() on the node pointer from the output
+structure, but such a call is currently missing.
+
+Call into of_node_put() to rectify that.
+
+Fixes: 92a9b8252576 ("pinctrl: renesas: Add RZ/V2M pin and gpio controller driver")
+Signed-off-by: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
+Reviewed-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Link: https://lore.kernel.org/20250305163753.34913-4-fabrizio.castro.jz@renesas.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/renesas/pinctrl-rzv2m.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/pinctrl/renesas/pinctrl-rzv2m.c b/drivers/pinctrl/renesas/pinctrl-rzv2m.c
+index 2858800288bb7..dc4299c03b990 100644
+--- a/drivers/pinctrl/renesas/pinctrl-rzv2m.c
++++ b/drivers/pinctrl/renesas/pinctrl-rzv2m.c
+@@ -943,6 +943,8 @@ static int rzv2m_gpio_register(struct rzv2m_pinctrl *pctrl)
+ return ret;
+ }
+
++ of_node_put(of_args.np);
++
+ if (of_args.args[0] != 0 || of_args.args[1] != 0 ||
+ of_args.args[2] != pctrl->data->n_port_pins) {
+ dev_err(pctrl->dev, "gpio-ranges does not match selected SOC\n");
+--
+2.39.5
+
--- /dev/null
+From 61039f72ef3175cce138b50ce7386612f5da0f4e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Mar 2025 10:35:42 +0530
+Subject: pinctrl: tegra: Set SFIO mode to Mux Register
+
+From: Prathamesh Shete <pshete@nvidia.com>
+
+[ Upstream commit 17013f0acb322e5052ff9b9d0fab0ab5a4bfd828 ]
+
+Tegra devices have an 'sfsel' bit field that determines whether a pin
+operates in SFIO (Special Function I/O) or GPIO mode. Currently,
+tegra_pinctrl_gpio_disable_free() sets this bit when releasing a GPIO.
+
+However, tegra_pinctrl_set_mux() can be called independently in certain
+code paths where gpio_disable_free() is not invoked. In such cases, failing
+to set the SFIO mode could lead to incorrect pin configurations, resulting
+in functional issues for peripherals relying on SFIO.
+
+This patch ensures that whenever set_mux() is called, the SFIO mode is
+correctly set in the Mux Register if the 'sfsel' bit is present. This
+prevents situations where the pin remains in GPIO mode despite being
+configured for SFIO use.
+
+Fixes: 971dac7123c7 ("pinctrl: add a driver for NVIDIA Tegra")
+Signed-off-by: Prathamesh Shete <pshete@nvidia.com>
+Link: https://lore.kernel.org/20250306050542.16335-1-pshete@nvidia.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/tegra/pinctrl-tegra.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/pinctrl/tegra/pinctrl-tegra.c b/drivers/pinctrl/tegra/pinctrl-tegra.c
+index 50bd26a30ac0a..30341c43da59a 100644
+--- a/drivers/pinctrl/tegra/pinctrl-tegra.c
++++ b/drivers/pinctrl/tegra/pinctrl-tegra.c
+@@ -270,6 +270,9 @@ static int tegra_pinctrl_set_mux(struct pinctrl_dev *pctldev,
+ val = pmx_readl(pmx, g->mux_bank, g->mux_reg);
+ val &= ~(0x3 << g->mux_bit);
+ val |= i << g->mux_bit;
++ /* Set the SFIO/GPIO selection to SFIO when under pinmux control*/
++ if (pmx->soc->sfsel_in_mux)
++ val |= (1 << g->sfsel_bit);
+ pmx_writel(pmx, val, g->mux_bank, g->mux_reg);
+
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From 76b14cc610d7bb4223f0b4e7e5bc5b39196b29cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Feb 2025 17:39:31 +0200
+Subject: platform/x86: intel-hid: fix volume buttons on Microsoft Surface Go 4
+ tablet
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dmitry Panchenko <dmitry@d-systems.ee>
+
+[ Upstream commit 2738d06fb4f01145b24c542fb06de538ffc56430 ]
+
+Volume buttons on Microsoft Surface Go 4 tablet didn't send any events.
+Add Surface Go 4 DMI match to button_array_table to fix this.
+
+Signed-off-by: Dmitry Panchenko <dmitry@d-systems.ee>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20250220154016.3620917-1-dmitry@d-systems.ee
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/intel/hid.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/platform/x86/intel/hid.c b/drivers/platform/x86/intel/hid.c
+index b96ef0eb82aff..c13837401c26a 100644
+--- a/drivers/platform/x86/intel/hid.c
++++ b/drivers/platform/x86/intel/hid.c
+@@ -109,6 +109,13 @@ static const struct dmi_system_id button_array_table[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "Surface Go 3"),
+ },
+ },
++ {
++ .ident = "Microsoft Surface Go 4",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Microsoft Corporation"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Surface Go 4"),
++ },
++ },
+ { }
+ };
+
+--
+2.39.5
+
--- /dev/null
+From bd42dcbaae94188fec3f65ca79a43818218eae72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Feb 2025 11:53:50 +0100
+Subject: PM: sleep: Adjust check before setting power.must_resume
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit eeb87d17aceab7803a5a5bcb6cf2817b745157cf ]
+
+The check before setting power.must_resume in device_suspend_noirq()
+does not take power.child_count into account, but it should do that, so
+use pm_runtime_need_not_resume() in it for this purpose and adjust the
+comment next to it accordingly.
+
+Fixes: 107d47b2b95e ("PM: sleep: core: Simplify the SMART_SUSPEND flag handling")
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
+Link: https://patch.msgid.link/3353728.44csPzL39Z@rjwysocki.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/power/main.c | 13 ++++++-------
+ drivers/base/power/runtime.c | 2 +-
+ include/linux/pm_runtime.h | 2 ++
+ 3 files changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c
+index 9c5a5f4dba5a6..49728cb628c19 100644
+--- a/drivers/base/power/main.c
++++ b/drivers/base/power/main.c
+@@ -1236,14 +1236,13 @@ static int __device_suspend_noirq(struct device *dev, pm_message_t state, bool a
+ dev->power.is_noirq_suspended = true;
+
+ /*
+- * Skipping the resume of devices that were in use right before the
+- * system suspend (as indicated by their PM-runtime usage counters)
+- * would be suboptimal. Also resume them if doing that is not allowed
+- * to be skipped.
++ * Devices must be resumed unless they are explicitly allowed to be left
++ * in suspend, but even in that case skipping the resume of devices that
++ * were in use right before the system suspend (as indicated by their
++ * runtime PM usage counters and child counters) would be suboptimal.
+ */
+- if (atomic_read(&dev->power.usage_count) > 1 ||
+- !(dev_pm_test_driver_flags(dev, DPM_FLAG_MAY_SKIP_RESUME) &&
+- dev->power.may_skip_resume))
++ if (!(dev_pm_test_driver_flags(dev, DPM_FLAG_MAY_SKIP_RESUME) &&
++ dev->power.may_skip_resume) || !pm_runtime_need_not_resume(dev))
+ dev->power.must_resume = true;
+
+ if (dev->power.must_resume)
+diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c
+index 14088b5adb556..bb68cba4d85a9 100644
+--- a/drivers/base/power/runtime.c
++++ b/drivers/base/power/runtime.c
+@@ -1840,7 +1840,7 @@ void pm_runtime_drop_link(struct device_link *link)
+ pm_request_idle(link->supplier);
+ }
+
+-static bool pm_runtime_need_not_resume(struct device *dev)
++bool pm_runtime_need_not_resume(struct device *dev)
+ {
+ return atomic_read(&dev->power.usage_count) <= 1 &&
+ (atomic_read(&dev->power.child_count) == 0 ||
+diff --git a/include/linux/pm_runtime.h b/include/linux/pm_runtime.h
+index 9a8151a2bdea6..b79a1a20d0d9c 100644
+--- a/include/linux/pm_runtime.h
++++ b/include/linux/pm_runtime.h
+@@ -66,6 +66,7 @@ static inline bool queue_pm_work(struct work_struct *work)
+
+ extern int pm_generic_runtime_suspend(struct device *dev);
+ extern int pm_generic_runtime_resume(struct device *dev);
++extern bool pm_runtime_need_not_resume(struct device *dev);
+ extern int pm_runtime_force_suspend(struct device *dev);
+ extern int pm_runtime_force_resume(struct device *dev);
+
+@@ -254,6 +255,7 @@ static inline bool queue_pm_work(struct work_struct *work) { return false; }
+
+ static inline int pm_generic_runtime_suspend(struct device *dev) { return 0; }
+ static inline int pm_generic_runtime_resume(struct device *dev) { return 0; }
++static inline bool pm_runtime_need_not_resume(struct device *dev) {return true; }
+ static inline int pm_runtime_force_suspend(struct device *dev) { return 0; }
+ static inline int pm_runtime_force_resume(struct device *dev) { return 0; }
+
+--
+2.39.5
+
--- /dev/null
+From 6b2b3ff38c8c4c870caccfb9f7ec3d4677d16fdd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Mar 2025 17:00:00 +0100
+Subject: PM: sleep: Fix handling devices with direct_complete set on errors
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 03f1444016b71feffa1dfb8a51f15ba592f94b13 ]
+
+When dpm_suspend() fails, some devices with power.direct_complete set
+may not have been handled by device_suspend() yet, so runtime PM has
+not been disabled for them yet even though power.direct_complete is set.
+
+Since device_resume() expects that runtime PM has been disabled for all
+devices with power.direct_complete set, it will attempt to reenable
+runtime PM for the devices that have not been processed by device_suspend()
+which does not make sense. Had those devices had runtime PM disabled
+before device_suspend() had run, device_resume() would have inadvertently
+enable runtime PM for them, but this is not expected to happen because
+it would require ->prepare() callbacks to return positive values for
+devices with runtime PM disabled, which would be invalid.
+
+In practice, this issue is most likely benign because pm_runtime_enable()
+will not allow the "disable depth" counter to underflow, but it causes a
+warning message to be printed for each affected device.
+
+To allow device_resume() to distinguish the "direct complete" devices
+that have been processed by device_suspend() from those which have not
+been handled by it, make device_suspend() set power.is_suspended for
+"direct complete" devices.
+
+Next, move the power.is_suspended check in device_resume() before the
+power.direct_complete check in it to make it skip the "direct complete"
+devices that have not been handled by device_suspend().
+
+This change is based on a preliminary patch from Saravana Kannan.
+
+Fixes: aae4518b3124 ("PM / sleep: Mechanism to avoid resuming runtime-suspended devices unnecessarily")
+Link: https://lore.kernel.org/linux-pm/20241114220921.2529905-2-saravanak@google.com/
+Reported-by: Saravana Kannan <saravanak@google.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Saravana Kannan <saravanak@google.com>
+Link: https://patch.msgid.link/12627587.O9o76ZdvQC@rjwysocki.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/power/main.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c
+index 49728cb628c19..343d3c966e7a7 100644
+--- a/drivers/base/power/main.c
++++ b/drivers/base/power/main.c
+@@ -894,6 +894,9 @@ static void __device_resume(struct device *dev, pm_message_t state, bool async)
+ if (dev->power.syscore)
+ goto Complete;
+
++ if (!dev->power.is_suspended)
++ goto Complete;
++
+ if (dev->power.direct_complete) {
+ /* Match the pm_runtime_disable() in __device_suspend(). */
+ pm_runtime_enable(dev);
+@@ -912,9 +915,6 @@ static void __device_resume(struct device *dev, pm_message_t state, bool async)
+ */
+ dev->power.is_prepared = false;
+
+- if (!dev->power.is_suspended)
+- goto Unlock;
+-
+ if (dev->pm_domain) {
+ info = "power domain ";
+ callback = pm_op(&dev->pm_domain->ops, state);
+@@ -954,7 +954,6 @@ static void __device_resume(struct device *dev, pm_message_t state, bool async)
+ error = dpm_run_callback(callback, dev, state, info);
+ dev->power.is_suspended = false;
+
+- Unlock:
+ device_unlock(dev);
+ dpm_watchdog_clear(&wd);
+
+@@ -1638,6 +1637,7 @@ static int __device_suspend(struct device *dev, pm_message_t state, bool async)
+ pm_runtime_disable(dev);
+ if (pm_runtime_status_suspended(dev)) {
+ pm_dev_dbg(dev, state, "direct-complete ");
++ dev->power.is_suspended = true;
+ goto Complete;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From e5a1ed67446c185c5f567622e6231a21e7b4867e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 16 Mar 2025 21:11:49 +0100
+Subject: power: supply: max77693: Fix wrong conversion of charge input
+ threshold value
+
+From: Artur Weber <aweber.kernel@gmail.com>
+
+[ Upstream commit 30cc7b0d0e9341d419eb7da15fb5c22406dbe499 ]
+
+The charge input threshold voltage register on the MAX77693 PMIC accepts
+four values: 0x0 for 4.3v, 0x1 for 4.7v, 0x2 for 4.8v and 0x3 for 4.9v.
+Due to an oversight, the driver calculated the values for 4.7v and above
+starting from 0x0, rather than from 0x1 ([(4700000 - 4700000) / 100000]
+gives 0).
+
+Add 1 to the calculation to ensure that 4.7v is converted to a register
+value of 0x1 and that the other two voltages are converted correctly as
+well.
+
+Fixes: 87c2d9067893 ("power: max77693: Add charger driver for Maxim 77693")
+Signed-off-by: Artur Weber <aweber.kernel@gmail.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20250316-max77693-charger-input-threshold-fix-v1-1-2b037d0ac722@gmail.com
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/max77693_charger.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/power/supply/max77693_charger.c b/drivers/power/supply/max77693_charger.c
+index a2c5c9858639f..ef3482fa4023e 100644
+--- a/drivers/power/supply/max77693_charger.c
++++ b/drivers/power/supply/max77693_charger.c
+@@ -556,7 +556,7 @@ static int max77693_set_charge_input_threshold_volt(struct max77693_charger *chg
+ case 4700000:
+ case 4800000:
+ case 4900000:
+- data = (uvolt - 4700000) / 100000;
++ data = ((uvolt - 4700000) / 100000) + 1;
+ break;
+ default:
+ dev_err(chg->dev, "Wrong value for charge input voltage regulation threshold\n");
+--
+2.39.5
+
--- /dev/null
+From e2ddf84d1b074b93c292e537f9ab54d7a96a9c53 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 Mar 2025 21:26:46 -0700
+Subject: rcu-tasks: Always inline rcu_irq_work_resched()
+
+From: Josh Poimboeuf <jpoimboe@kernel.org>
+
+[ Upstream commit 6309a5c43b0dc629851f25b2e5ef8beff61d08e5 ]
+
+Thanks to CONFIG_DEBUG_SECTION_MISMATCH, empty functions can be
+generated out of line. rcu_irq_work_resched() can be called from
+noinstr code, so make sure it's always inlined.
+
+Fixes: 564506495ca9 ("rcu/context-tracking: Move deferred nocb resched to context tracking")
+Reported-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Frederic Weisbecker <frederic@kernel.org>
+Cc: Paul E. McKenney <paulmck@kernel.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Link: https://lore.kernel.org/r/e84f15f013c07e4c410d972e75620c53b62c1b3e.1743481539.git.jpoimboe@kernel.org
+Closes: https://lore.kernel.org/d1eca076-fdde-484a-b33e-70e0d167c36d@infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/rcupdate.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/rcupdate.h b/include/linux/rcupdate.h
+index 6858cae98da9e..d001a69fcb7d4 100644
+--- a/include/linux/rcupdate.h
++++ b/include/linux/rcupdate.h
+@@ -133,7 +133,7 @@ static inline void rcu_sysrq_end(void) { }
+ #if defined(CONFIG_NO_HZ_FULL) && (!defined(CONFIG_GENERIC_ENTRY) || !defined(CONFIG_KVM_XFER_TO_GUEST_WORK))
+ void rcu_irq_work_resched(void);
+ #else
+-static inline void rcu_irq_work_resched(void) { }
++static __always_inline void rcu_irq_work_resched(void) { }
+ #endif
+
+ #ifdef CONFIG_RCU_NOCB_CPU
+--
+2.39.5
+
--- /dev/null
+From c5364dbfdc6d76316bf58abbc2e5438feec1ca19 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Feb 2025 16:54:20 +0000
+Subject: RDMA/core: Don't expose hw_counters outside of init net namespace
+
+From: Roman Gushchin <roman.gushchin@linux.dev>
+
+[ Upstream commit a1ecb30f90856b0be4168ad51b8875148e285c1f ]
+
+Commit 467f432a521a ("RDMA/core: Split port and device counter sysfs
+attributes") accidentally almost exposed hw counters to non-init net
+namespaces. It didn't expose them fully, as an attempt to read any of
+those counters leads to a crash like this one:
+
+[42021.807566] BUG: kernel NULL pointer dereference, address: 0000000000000028
+[42021.814463] #PF: supervisor read access in kernel mode
+[42021.819549] #PF: error_code(0x0000) - not-present page
+[42021.824636] PGD 0 P4D 0
+[42021.827145] Oops: 0000 [#1] SMP PTI
+[42021.830598] CPU: 82 PID: 2843922 Comm: switchto-defaul Kdump: loaded Tainted: G S W I XXX
+[42021.841697] Hardware name: XXX
+[42021.849619] RIP: 0010:hw_stat_device_show+0x1e/0x40 [ib_core]
+[42021.855362] Code: 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 49 89 d0 4c 8b 5e 20 48 8b 8f b8 04 00 00 48 81 c7 f0 fa ff ff <48> 8b 41 28 48 29 ce 48 83 c6 d0 48 c1 ee 04 69 d6 ab aa aa aa 48
+[42021.873931] RSP: 0018:ffff97fe90f03da0 EFLAGS: 00010287
+[42021.879108] RAX: ffff9406988a8c60 RBX: ffff940e1072d438 RCX: 0000000000000000
+[42021.886169] RDX: ffff94085f1aa000 RSI: ffff93c6cbbdbcb0 RDI: ffff940c7517aef0
+[42021.893230] RBP: ffff97fe90f03e70 R08: ffff94085f1aa000 R09: 0000000000000000
+[42021.900294] R10: ffff94085f1aa000 R11: ffffffffc0775680 R12: ffffffff87ca2530
+[42021.907355] R13: ffff940651602840 R14: ffff93c6cbbdbcb0 R15: ffff94085f1aa000
+[42021.914418] FS: 00007fda1a3b9700(0000) GS:ffff94453fb80000(0000) knlGS:0000000000000000
+[42021.922423] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[42021.928130] CR2: 0000000000000028 CR3: 00000042dcfb8003 CR4: 00000000003726f0
+[42021.935194] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[42021.942257] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[42021.949324] Call Trace:
+[42021.951756] <TASK>
+[42021.953842] [<ffffffff86c58674>] ? show_regs+0x64/0x70
+[42021.959030] [<ffffffff86c58468>] ? __die+0x78/0xc0
+[42021.963874] [<ffffffff86c9ef75>] ? page_fault_oops+0x2b5/0x3b0
+[42021.969749] [<ffffffff87674b92>] ? exc_page_fault+0x1a2/0x3c0
+[42021.975549] [<ffffffff87801326>] ? asm_exc_page_fault+0x26/0x30
+[42021.981517] [<ffffffffc0775680>] ? __pfx_show_hw_stats+0x10/0x10 [ib_core]
+[42021.988482] [<ffffffffc077564e>] ? hw_stat_device_show+0x1e/0x40 [ib_core]
+[42021.995438] [<ffffffff86ac7f8e>] dev_attr_show+0x1e/0x50
+[42022.000803] [<ffffffff86a3eeb1>] sysfs_kf_seq_show+0x81/0xe0
+[42022.006508] [<ffffffff86a11134>] seq_read_iter+0xf4/0x410
+[42022.011954] [<ffffffff869f4b2e>] vfs_read+0x16e/0x2f0
+[42022.017058] [<ffffffff869f50ee>] ksys_read+0x6e/0xe0
+[42022.022073] [<ffffffff8766f1ca>] do_syscall_64+0x6a/0xa0
+[42022.027441] [<ffffffff8780013b>] entry_SYSCALL_64_after_hwframe+0x78/0xe2
+
+The problem can be reproduced using the following steps:
+ ip netns add foo
+ ip netns exec foo bash
+ cat /sys/class/infiniband/mlx4_0/hw_counters/*
+
+The panic occurs because of casting the device pointer into an
+ib_device pointer using container_of() in hw_stat_device_show() is
+wrong and leads to a memory corruption.
+
+However the real problem is that hw counters should never been exposed
+outside of the non-init net namespace.
+
+Fix this by saving the index of the corresponding attribute group
+(it might be 1 or 2 depending on the presence of driver-specific
+attributes) and zeroing the pointer to hw_counters group for compat
+devices during the initialization.
+
+With this fix applied hw_counters are not available in a non-init
+net namespace:
+ find /sys/class/infiniband/mlx4_0/ -name hw_counters
+ /sys/class/infiniband/mlx4_0/ports/1/hw_counters
+ /sys/class/infiniband/mlx4_0/ports/2/hw_counters
+ /sys/class/infiniband/mlx4_0/hw_counters
+
+ ip netns add foo
+ ip netns exec foo bash
+ find /sys/class/infiniband/mlx4_0/ -name hw_counters
+
+Fixes: 467f432a521a ("RDMA/core: Split port and device counter sysfs attributes")
+Signed-off-by: Roman Gushchin <roman.gushchin@linux.dev>
+Cc: Jason Gunthorpe <jgg@ziepe.ca>
+Cc: Leon Romanovsky <leon@kernel.org>
+Cc: Maher Sanalla <msanalla@nvidia.com>
+Cc: linux-rdma@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Link: https://patch.msgid.link/20250227165420.3430301-1-roman.gushchin@linux.dev
+Reviewed-by: Parav Pandit <parav@nvidia.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/device.c | 9 +++++++++
+ drivers/infiniband/core/sysfs.c | 1 +
+ include/rdma/ib_verbs.h | 1 +
+ 3 files changed, 11 insertions(+)
+
+diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c
+index 291ded20934c8..a5ba2cb3031f2 100644
+--- a/drivers/infiniband/core/device.c
++++ b/drivers/infiniband/core/device.c
+@@ -543,6 +543,8 @@ static struct class ib_class = {
+ static void rdma_init_coredev(struct ib_core_device *coredev,
+ struct ib_device *dev, struct net *net)
+ {
++ bool is_full_dev = &dev->coredev == coredev;
++
+ /* This BUILD_BUG_ON is intended to catch layout change
+ * of union of ib_core_device and device.
+ * dev must be the first element as ib_core and providers
+@@ -554,6 +556,13 @@ static void rdma_init_coredev(struct ib_core_device *coredev,
+
+ coredev->dev.class = &ib_class;
+ coredev->dev.groups = dev->groups;
++
++ /*
++ * Don't expose hw counters outside of the init namespace.
++ */
++ if (!is_full_dev && dev->hw_stats_attr_index)
++ coredev->dev.groups[dev->hw_stats_attr_index] = NULL;
++
+ device_initialize(&coredev->dev);
+ coredev->owner = dev;
+ INIT_LIST_HEAD(&coredev->port_list);
+diff --git a/drivers/infiniband/core/sysfs.c b/drivers/infiniband/core/sysfs.c
+index ec5efdc166601..a9c33a6220ea8 100644
+--- a/drivers/infiniband/core/sysfs.c
++++ b/drivers/infiniband/core/sysfs.c
+@@ -984,6 +984,7 @@ int ib_setup_device_attrs(struct ib_device *ibdev)
+ for (i = 0; i != ARRAY_SIZE(ibdev->groups); i++)
+ if (!ibdev->groups[i]) {
+ ibdev->groups[i] = &data->group;
++ ibdev->hw_stats_attr_index = i;
+ return 0;
+ }
+ WARN(true, "struct ib_device->groups is too small");
+diff --git a/include/rdma/ib_verbs.h b/include/rdma/ib_verbs.h
+index 5582509003264..41eb2a7c9695d 100644
+--- a/include/rdma/ib_verbs.h
++++ b/include/rdma/ib_verbs.h
+@@ -2725,6 +2725,7 @@ struct ib_device {
+ * It is a NULL terminated array.
+ */
+ const struct attribute_group *groups[4];
++ u8 hw_stats_attr_index;
+
+ u64 uverbs_cmd_mask;
+
+--
+2.39.5
+
--- /dev/null
+From 84771e55ee25c22f528977a14e3606e7e23ee260 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Mar 2025 20:04:40 +0800
+Subject: RDMA/erdma: Prevent use-after-free in erdma_accept_newconn()
+
+From: Cheng Xu <chengyou@linux.alibaba.com>
+
+[ Upstream commit 83437689249e6a17b25e27712fbee292e42e7855 ]
+
+After the erdma_cep_put(new_cep) being called, new_cep will be freed,
+and the following dereference will cause a UAF problem. Fix this issue.
+
+Fixes: 920d93eac8b9 ("RDMA/erdma: Add connection management (CM) support")
+Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
+Signed-off-by: Cheng Xu <chengyou@linux.alibaba.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/erdma/erdma_cm.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/erdma/erdma_cm.c b/drivers/infiniband/hw/erdma/erdma_cm.c
+index 74f6348f240ac..1156ae62c4683 100644
+--- a/drivers/infiniband/hw/erdma/erdma_cm.c
++++ b/drivers/infiniband/hw/erdma/erdma_cm.c
+@@ -704,7 +704,6 @@ static void erdma_accept_newconn(struct erdma_cep *cep)
+ erdma_cancel_mpatimer(new_cep);
+
+ erdma_cep_put(new_cep);
+- new_cep->sock = NULL;
+ }
+
+ if (new_s) {
+--
+2.39.5
+
--- /dev/null
+From 292cd2283a2067b1cae8e8e3292708770a3f001c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Mar 2025 16:29:54 +0200
+Subject: RDMA/mlx5: Fix calculation of total invalidated pages
+
+From: Chiara Meiohas <cmeiohas@nvidia.com>
+
+[ Upstream commit 79195147644653ebffadece31a42181e4c48c07d ]
+
+When invalidating an address range in mlx5, there is an optimization to
+do UMR operations in chunks.
+Previously, the invalidation counter was incorrectly updated for the
+same indexes within a chunk. Now, the invalidation counter is updated
+only when a chunk is complete and mlx5r_umr_update_xlt() is called.
+This ensures that the counter accurately represents the number of pages
+invalidated using UMR.
+
+Fixes: a3de94e3d61e ("IB/mlx5: Introduce ODP diagnostic counters")
+Signed-off-by: Chiara Meiohas <cmeiohas@nvidia.com>
+Reviewed-by: Michael Guralnik <michaelgur@nvidia.com>
+Link: https://patch.msgid.link/560deb2433318e5947282b070c915f3c81fef77f.1741875692.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/odp.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/odp.c b/drivers/infiniband/hw/mlx5/odp.c
+index 87fbee8061003..89682fe0747ff 100644
+--- a/drivers/infiniband/hw/mlx5/odp.c
++++ b/drivers/infiniband/hw/mlx5/odp.c
+@@ -275,9 +275,6 @@ static bool mlx5_ib_invalidate_range(struct mmu_interval_notifier *mni,
+ blk_start_idx = idx;
+ in_block = 1;
+ }
+-
+- /* Count page invalidations */
+- invalidations += idx - blk_start_idx + 1;
+ } else {
+ u64 umr_offset = idx & umr_block_mask;
+
+@@ -287,14 +284,19 @@ static bool mlx5_ib_invalidate_range(struct mmu_interval_notifier *mni,
+ MLX5_IB_UPD_XLT_ZAP |
+ MLX5_IB_UPD_XLT_ATOMIC);
+ in_block = 0;
++ /* Count page invalidations */
++ invalidations += idx - blk_start_idx + 1;
+ }
+ }
+ }
+- if (in_block)
++ if (in_block) {
+ mlx5r_umr_update_xlt(mr, blk_start_idx,
+ idx - blk_start_idx + 1, 0,
+ MLX5_IB_UPD_XLT_ZAP |
+ MLX5_IB_UPD_XLT_ATOMIC);
++ /* Count page invalidations */
++ invalidations += idx - blk_start_idx + 1;
++ }
+
+ mlx5_update_odp_stats(mr, invalidations, invalidations);
+
+--
+2.39.5
+
--- /dev/null
+From e3b489d3855b891a002543d9df73e4282e2ad7e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Mar 2025 16:29:53 +0200
+Subject: RDMA/mlx5: Fix mlx5_poll_one() cur_qp update flow
+
+From: Patrisious Haddad <phaddad@nvidia.com>
+
+[ Upstream commit 5ed3b0cb3f827072e93b4c5b6e2b8106fd7cccbd ]
+
+When cur_qp isn't NULL, in order to avoid fetching the QP from
+the radix tree again we check if the next cqe QP is identical to
+the one we already have.
+
+The bug however is that we are checking if the QP is identical by
+checking the QP number inside the CQE against the QP number inside the
+mlx5_ib_qp, but that's wrong since the QP number from the CQE is from
+FW so it should be matched against mlx5_core_qp which is our FW QP
+number.
+
+Otherwise we could use the wrong QP when handling a CQE which could
+cause the kernel trace below.
+
+This issue is mainly noticeable over QPs 0 & 1, since for now they are
+the only QPs in our driver whereas the QP number inside mlx5_ib_qp
+doesn't match the QP number inside mlx5_core_qp.
+
+BUG: kernel NULL pointer dereference, address: 0000000000000012
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: Oops: 0000 [#1] SMP
+ CPU: 0 UID: 0 PID: 7927 Comm: kworker/u62:1 Not tainted 6.14.0-rc3+ #189
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
+ Workqueue: ib-comp-unb-wq ib_cq_poll_work [ib_core]
+ RIP: 0010:mlx5_ib_poll_cq+0x4c7/0xd90 [mlx5_ib]
+ Code: 03 00 00 8d 58 ff 21 cb 66 39 d3 74 39 48 c7 c7 3c 89 6e a0 0f b7 db e8 b7 d2 b3 e0 49 8b 86 60 03 00 00 48 c7 c7 4a 89 6e a0 <0f> b7 5c 98 02 e8 9f d2 b3 e0 41 0f b7 86 78 03 00 00 83 e8 01 21
+ RSP: 0018:ffff88810511bd60 EFLAGS: 00010046
+ RAX: 0000000000000010 RBX: 0000000000000000 RCX: 0000000000000000
+ RDX: 0000000000000000 RSI: ffff88885fa1b3c0 RDI: ffffffffa06e894a
+ RBP: 00000000000000b0 R08: 0000000000000000 R09: ffff88810511bc10
+ R10: 0000000000000001 R11: 0000000000000001 R12: ffff88810d593000
+ R13: ffff88810e579108 R14: ffff888105146000 R15: 00000000000000b0
+ FS: 0000000000000000(0000) GS:ffff88885fa00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000012 CR3: 00000001077e6001 CR4: 0000000000370eb0
+ Call Trace:
+ <TASK>
+ ? __die+0x20/0x60
+ ? page_fault_oops+0x150/0x3e0
+ ? exc_page_fault+0x74/0x130
+ ? asm_exc_page_fault+0x22/0x30
+ ? mlx5_ib_poll_cq+0x4c7/0xd90 [mlx5_ib]
+ __ib_process_cq+0x5a/0x150 [ib_core]
+ ib_cq_poll_work+0x31/0x90 [ib_core]
+ process_one_work+0x169/0x320
+ worker_thread+0x288/0x3a0
+ ? work_busy+0xb0/0xb0
+ kthread+0xd7/0x1f0
+ ? kthreads_online_cpu+0x130/0x130
+ ? kthreads_online_cpu+0x130/0x130
+ ret_from_fork+0x2d/0x50
+ ? kthreads_online_cpu+0x130/0x130
+ ret_from_fork_asm+0x11/0x20
+ </TASK>
+
+Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
+Signed-off-by: Patrisious Haddad <phaddad@nvidia.com>
+Reviewed-by: Edward Srouji <edwards@nvidia.com>
+Link: https://patch.msgid.link/4ada09d41f1e36db62c44a9b25c209ea5f054316.1741875692.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx5/cq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mlx5/cq.c b/drivers/infiniband/hw/mlx5/cq.c
+index be189e0525de6..a34bbe27bb76a 100644
+--- a/drivers/infiniband/hw/mlx5/cq.c
++++ b/drivers/infiniband/hw/mlx5/cq.c
+@@ -484,7 +484,7 @@ static int mlx5_poll_one(struct mlx5_ib_cq *cq,
+ }
+
+ qpn = ntohl(cqe64->sop_drop_qpn) & 0xffffff;
+- if (!*cur_qp || (qpn != (*cur_qp)->ibqp.qp_num)) {
++ if (!*cur_qp || (qpn != (*cur_qp)->trans_qp.base.mqp.qpn)) {
+ /* We do not have to take the QP table lock here,
+ * because CQs will be locked while QPs are removed
+ * from the table.
+--
+2.39.5
+
--- /dev/null
+From 0470a631cb48bfe7e5a8f040ce622f4389eac643 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Mar 2025 18:01:05 +0800
+Subject: remoteproc: core: Clear table_sz when rproc_shutdown
+
+From: Peng Fan <peng.fan@nxp.com>
+
+[ Upstream commit efdde3d73ab25cef4ff2d06783b0aad8b093c0e4 ]
+
+There is case as below could trigger kernel dump:
+Use U-Boot to start remote processor(rproc) with resource table
+published to a fixed address by rproc. After Kernel boots up,
+stop the rproc, load a new firmware which doesn't have resource table
+,and start rproc.
+
+When starting rproc with a firmware not have resource table,
+`memcpy(loaded_table, rproc->cached_table, rproc->table_sz)` will
+trigger dump, because rproc->cache_table is set to NULL during the last
+stop operation, but rproc->table_sz is still valid.
+
+This issue is found on i.MX8MP and i.MX9.
+
+Dump as below:
+Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
+Mem abort info:
+ ESR = 0x0000000096000004
+ EC = 0x25: DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ FSC = 0x04: level 0 translation fault
+Data abort info:
+ ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
+ CM = 0, WnR = 0, TnD = 0, TagAccess = 0
+ GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
+user pgtable: 4k pages, 48-bit VAs, pgdp=000000010af63000
+[0000000000000000] pgd=0000000000000000, p4d=0000000000000000
+Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
+Modules linked in:
+CPU: 2 UID: 0 PID: 1060 Comm: sh Not tainted 6.14.0-rc7-next-20250317-dirty #38
+Hardware name: NXP i.MX8MPlus EVK board (DT)
+pstate: a0000005 (NzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : __pi_memcpy_generic+0x110/0x22c
+lr : rproc_start+0x88/0x1e0
+Call trace:
+ __pi_memcpy_generic+0x110/0x22c (P)
+ rproc_boot+0x198/0x57c
+ state_store+0x40/0x104
+ dev_attr_store+0x18/0x2c
+ sysfs_kf_write+0x7c/0x94
+ kernfs_fop_write_iter+0x120/0x1cc
+ vfs_write+0x240/0x378
+ ksys_write+0x70/0x108
+ __arm64_sys_write+0x1c/0x28
+ invoke_syscall+0x48/0x10c
+ el0_svc_common.constprop.0+0xc0/0xe0
+ do_el0_svc+0x1c/0x28
+ el0_svc+0x30/0xcc
+ el0t_64_sync_handler+0x10c/0x138
+ el0t_64_sync+0x198/0x19c
+
+Clear rproc->table_sz to address the issue.
+
+Fixes: 9dc9507f1880 ("remoteproc: Properly deal with the resource table when detaching")
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Link: https://lore.kernel.org/r/20250319100106.3622619-1-peng.fan@oss.nxp.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/remoteproc/remoteproc_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/remoteproc/remoteproc_core.c b/drivers/remoteproc/remoteproc_core.c
+index 341787909bd2a..beae269e80b3c 100644
+--- a/drivers/remoteproc/remoteproc_core.c
++++ b/drivers/remoteproc/remoteproc_core.c
+@@ -2023,6 +2023,7 @@ int rproc_shutdown(struct rproc *rproc)
+ kfree(rproc->cached_table);
+ rproc->cached_table = NULL;
+ rproc->table_ptr = NULL;
++ rproc->table_sz = 0;
+ out:
+ mutex_unlock(&rproc->lock);
+ return ret;
+--
+2.39.5
+
--- /dev/null
+From 1e46fc085a065ab40455c81f3b7221e91762ded8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Feb 2025 23:05:18 +0100
+Subject: remoteproc: qcom_q6v5_mss: Handle platforms with one power domain
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Luca Weiss <luca@lucaweiss.eu>
+
+[ Upstream commit 4641840341f37dc8231e0840ec1514b4061b4322 ]
+
+For example MSM8974 has mx voltage rail exposed as regulator and only cx
+voltage rail is exposed as power domain. This power domain (cx) is
+attached internally in power domain and cannot be attached in this driver.
+
+Fixes: 8750cf392394 ("remoteproc: qcom_q6v5_mss: Allow replacing regulators with power domains")
+Co-developed-by: Matti Lehtimäki <matti.lehtimaki@gmail.com>
+Signed-off-by: Matti Lehtimäki <matti.lehtimaki@gmail.com>
+Reviewed-by: Stephan Gerhold <stephan.gerhold@linaro.org>
+Signed-off-by: Luca Weiss <luca@lucaweiss.eu>
+Link: https://lore.kernel.org/r/20250217-msm8226-modem-v5-4-2bc74b80e0ae@lucaweiss.eu
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/remoteproc/qcom_q6v5_mss.c | 21 +++++++++++++++++----
+ 1 file changed, 17 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/remoteproc/qcom_q6v5_mss.c b/drivers/remoteproc/qcom_q6v5_mss.c
+index e4ef8e6ed8aaa..5c9acc55b08ad 100644
+--- a/drivers/remoteproc/qcom_q6v5_mss.c
++++ b/drivers/remoteproc/qcom_q6v5_mss.c
+@@ -1786,6 +1786,13 @@ static int q6v5_pds_attach(struct device *dev, struct device **devs,
+ while (pd_names[num_pds])
+ num_pds++;
+
++ /* Handle single power domain */
++ if (num_pds == 1 && dev->pm_domain) {
++ devs[0] = dev;
++ pm_runtime_enable(dev);
++ return 1;
++ }
++
+ for (i = 0; i < num_pds; i++) {
+ devs[i] = dev_pm_domain_attach_by_name(dev, pd_names[i]);
+ if (IS_ERR_OR_NULL(devs[i])) {
+@@ -1806,8 +1813,15 @@ static int q6v5_pds_attach(struct device *dev, struct device **devs,
+ static void q6v5_pds_detach(struct q6v5 *qproc, struct device **pds,
+ size_t pd_count)
+ {
++ struct device *dev = qproc->dev;
+ int i;
+
++ /* Handle single power domain */
++ if (pd_count == 1 && dev->pm_domain) {
++ pm_runtime_disable(dev);
++ return;
++ }
++
+ for (i = 0; i < pd_count; i++)
+ dev_pm_domain_detach(pds[i], false);
+ }
+@@ -2313,13 +2327,13 @@ static const struct rproc_hexagon_res msm8974_mss = {
+ .supply = "pll",
+ .uA = 100000,
+ },
+- {}
+- },
+- .fallback_proxy_supply = (struct qcom_mss_reg_res[]) {
+ {
+ .supply = "mx",
+ .uV = 1050000,
+ },
++ {}
++ },
++ .fallback_proxy_supply = (struct qcom_mss_reg_res[]) {
+ {
+ .supply = "cx",
+ .uA = 100000,
+@@ -2345,7 +2359,6 @@ static const struct rproc_hexagon_res msm8974_mss = {
+ NULL
+ },
+ .proxy_pd_names = (char*[]){
+- "mx",
+ "cx",
+ NULL
+ },
+--
+2.39.5
+
--- /dev/null
+From 0adeae5073e173e284be94b31f5ace5174fb203a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Jan 2025 22:54:00 +0100
+Subject: remoteproc: qcom_q6v5_pas: Make single-PD handling more robust
+
+From: Luca Weiss <luca@lucaweiss.eu>
+
+[ Upstream commit e917b73234b02aa4966325e7380d2559bf127ba9 ]
+
+Only go into the if condition for single-PD handling when there's
+actually just one power domain specified there. Otherwise it'll be an
+issue in the dts and we should fail in the regular code path.
+
+This also mirrors the latest changes in the qcom_q6v5_mss driver.
+
+Suggested-by: Stephan Gerhold <stephan.gerhold@linaro.org>
+Fixes: 17ee2fb4e856 ("remoteproc: qcom: pas: Vote for active/proxy power domains")
+Signed-off-by: Luca Weiss <luca@lucaweiss.eu>
+Reviewed-by: Stephan Gerhold <stephan.gerhold@linaro.org>
+Link: https://lore.kernel.org/r/20250128-pas-singlepd-v1-2-85d9ae4b0093@lucaweiss.eu
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/remoteproc/qcom_q6v5_pas.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/remoteproc/qcom_q6v5_pas.c b/drivers/remoteproc/qcom_q6v5_pas.c
+index 631c90afb5bc5..679e89db85a05 100644
+--- a/drivers/remoteproc/qcom_q6v5_pas.c
++++ b/drivers/remoteproc/qcom_q6v5_pas.c
+@@ -389,16 +389,16 @@ static int adsp_pds_attach(struct device *dev, struct device **devs,
+ if (!pd_names)
+ return 0;
+
++ while (pd_names[num_pds])
++ num_pds++;
++
+ /* Handle single power domain */
+- if (dev->pm_domain) {
++ if (num_pds == 1 && dev->pm_domain) {
+ devs[0] = dev;
+ pm_runtime_enable(dev);
+ return 1;
+ }
+
+- while (pd_names[num_pds])
+- num_pds++;
+-
+ for (i = 0; i < num_pds; i++) {
+ devs[i] = dev_pm_domain_attach_by_name(dev, pd_names[i]);
+ if (IS_ERR_OR_NULL(devs[i])) {
+@@ -423,7 +423,7 @@ static void adsp_pds_detach(struct qcom_adsp *adsp, struct device **pds,
+ int i;
+
+ /* Handle single power domain */
+- if (dev->pm_domain && pd_count) {
++ if (pd_count == 1 && dev->pm_domain) {
+ pm_runtime_disable(dev);
+ return;
+ }
+--
+2.39.5
+
--- /dev/null
+From 3af77e4829ecf98806b696e3d524a0a7cc9cbcdf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 23 Feb 2025 15:01:06 +0800
+Subject: ring-buffer: Fix bytes_dropped calculation issue
+
+From: Feng Yang <yangfeng@kylinos.cn>
+
+[ Upstream commit c73f0b69648501978e8b3e8fa7eef7f4197d0481 ]
+
+The calculation of bytes-dropped and bytes_dropped_nested is reversed.
+Although it does not affect the final calculation of total_dropped,
+it should still be modified.
+
+Link: https://lore.kernel.org/20250223070106.6781-1-yangfeng59949@163.com
+Fixes: 6c43e554a2a5 ("ring-buffer: Add ring buffer startup selftest")
+Signed-off-by: Feng Yang <yangfeng@kylinos.cn>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/ring_buffer.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
+index 0093fc56ab3ac..21b7d044797e3 100644
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -5994,9 +5994,9 @@ static __init int rb_write_something(struct rb_test_data *data, bool nested)
+ /* Ignore dropped events before test starts. */
+ if (started) {
+ if (nested)
+- data->bytes_dropped += len;
+- else
+ data->bytes_dropped_nested += len;
++ else
++ data->bytes_dropped += len;
+ }
+ return len;
+ }
+--
+2.39.5
+
--- /dev/null
+From a061f5cf6e622c4d413910f62563626fea3d22cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Feb 2025 13:28:36 -0600
+Subject: riscv: ftrace: Add parentheses in macro definitions of make_call_t0
+ and make_call_ra
+
+From: Juhan Jin <juhan.jin@foxmail.com>
+
+[ Upstream commit 5f1a58ed91a040d4625d854f9bb3dd4995919202 ]
+
+This patch adds parentheses to parameters caller and callee of macros
+make_call_t0 and make_call_ra. Every existing invocation of these two
+macros uses a single variable for each argument, so the absence of the
+parentheses seems okay. However, future invocations might use more
+complex expressions as arguments. For example, a future invocation might
+look like this: make_call_t0(a - b, c, call). Without parentheses in the
+macro definition, the macro invocation expands to:
+
+...
+unsigned int offset = (unsigned long) c - (unsigned long) a - b;
+...
+
+which is clearly wrong.
+
+The use of parentheses ensures arguments are correctly evaluated and
+potentially saves future users of make_call_t0 and make_call_ra debugging
+trouble.
+
+Fixes: 6724a76cff85 ("riscv: ftrace: Reduce the detour code size to half")
+Signed-off-by: Juhan Jin <juhan.jin@foxmail.com>
+Reviewed-by: Alexandre Ghiti <alexghiti@rivosinc.com>
+Link: https://lore.kernel.org/r/tencent_AE90AA59903A628E87E9F80E563DA5BA5508@qq.com
+Signed-off-by: Alexandre Ghiti <alexghiti@rivosinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/include/asm/ftrace.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/riscv/include/asm/ftrace.h b/arch/riscv/include/asm/ftrace.h
+index dcf1bc9de5841..3d97c951a3847 100644
+--- a/arch/riscv/include/asm/ftrace.h
++++ b/arch/riscv/include/asm/ftrace.h
+@@ -82,7 +82,7 @@ struct dyn_arch_ftrace {
+ #define make_call_t0(caller, callee, call) \
+ do { \
+ unsigned int offset = \
+- (unsigned long) callee - (unsigned long) caller; \
++ (unsigned long) (callee) - (unsigned long) (caller); \
+ call[0] = to_auipc_t0(offset); \
+ call[1] = to_jalr_t0(offset); \
+ } while (0)
+@@ -98,7 +98,7 @@ do { \
+ #define make_call_ra(caller, callee, call) \
+ do { \
+ unsigned int offset = \
+- (unsigned long) callee - (unsigned long) caller; \
++ (unsigned long) (callee) - (unsigned long) (caller); \
+ call[0] = to_auipc_ra(offset); \
+ call[1] = to_jalr_ra(offset); \
+ } while (0)
+--
+2.39.5
+
--- /dev/null
+From a9a0de47d8263a566782935225828d3fe89ecfa0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Mar 2025 10:58:41 +0100
+Subject: rndis_host: Flag RNDIS modems as WWAN devices
+
+From: Lubomir Rintel <lkundrak@v3.sk>
+
+[ Upstream commit 67d1a8956d2d62fe6b4c13ebabb57806098511d8 ]
+
+Set FLAG_WWAN instead of FLAG_ETHERNET for RNDIS interfaces on Mobile
+Broadband Modems, as opposed to regular Ethernet adapters.
+
+Otherwise NetworkManager gets confused, misjudges the device type,
+and wouldn't know it should connect a modem to get the device to work.
+What would be the result depends on ModemManager version -- older
+ModemManager would end up disconnecting a device after an unsuccessful
+probe attempt (if it connected without needing to unlock a SIM), while
+a newer one might spawn a separate PPP connection over a tty interface
+instead, resulting in a general confusion and no end of chaos.
+
+The only way to get this work reliably is to fix the device type
+and have good enough version ModemManager (or equivalent).
+
+Fixes: 63ba395cd7a5 ("rndis_host: support Novatel Verizon USB730L")
+Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
+Link: https://patch.msgid.link/20250325095842.1567999-1-lkundrak@v3.sk
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/rndis_host.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/usb/rndis_host.c b/drivers/net/usb/rndis_host.c
+index 7b3739b29c8f7..bb0bf14158727 100644
+--- a/drivers/net/usb/rndis_host.c
++++ b/drivers/net/usb/rndis_host.c
+@@ -630,6 +630,16 @@ static const struct driver_info zte_rndis_info = {
+ .tx_fixup = rndis_tx_fixup,
+ };
+
++static const struct driver_info wwan_rndis_info = {
++ .description = "Mobile Broadband RNDIS device",
++ .flags = FLAG_WWAN | FLAG_POINTTOPOINT | FLAG_FRAMING_RN | FLAG_NO_SETINT,
++ .bind = rndis_bind,
++ .unbind = rndis_unbind,
++ .status = rndis_status,
++ .rx_fixup = rndis_rx_fixup,
++ .tx_fixup = rndis_tx_fixup,
++};
++
+ /*-------------------------------------------------------------------------*/
+
+ static const struct usb_device_id products [] = {
+@@ -666,9 +676,11 @@ static const struct usb_device_id products [] = {
+ USB_INTERFACE_INFO(USB_CLASS_WIRELESS_CONTROLLER, 1, 3),
+ .driver_info = (unsigned long) &rndis_info,
+ }, {
+- /* Novatel Verizon USB730L */
++ /* Mobile Broadband Modem, seen in Novatel Verizon USB730L and
++ * Telit FN990A (RNDIS)
++ */
+ USB_INTERFACE_INFO(USB_CLASS_MISC, 4, 1),
+- .driver_info = (unsigned long) &rndis_info,
++ .driver_info = (unsigned long)&wwan_rndis_info,
+ },
+ { }, // END
+ };
+--
+2.39.5
+
--- /dev/null
+From 8d6269b57b05591ddd1f34300a1b7a20c54fd288 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Mar 2025 11:02:26 +0200
+Subject: rtnetlink: Allocate vfinfo size for VF GUIDs when supported
+
+From: Mark Zhang <markzhang@nvidia.com>
+
+[ Upstream commit 23f00807619d15063d676218f36c5dfeda1eb420 ]
+
+Commit 30aad41721e0 ("net/core: Add support for getting VF GUIDs")
+added support for getting VF port and node GUIDs in netlink ifinfo
+messages, but their size was not taken into consideration in the
+function that allocates the netlink message, causing the following
+warning when a netlink message is filled with many VF port and node
+GUIDs:
+ # echo 64 > /sys/bus/pci/devices/0000\:08\:00.0/sriov_numvfs
+ # ip link show dev ib0
+ RTNETLINK answers: Message too long
+ Cannot send link get request: Message too long
+
+Kernel warning:
+
+ ------------[ cut here ]------------
+ WARNING: CPU: 2 PID: 1930 at net/core/rtnetlink.c:4151 rtnl_getlink+0x586/0x5a0
+ Modules linked in: xt_conntrack xt_MASQUERADE nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter overlay mlx5_ib macsec mlx5_core tls rpcrdma rdma_ucm ib_uverbs ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm iw_cm ib_ipoib fuse ib_cm ib_core
+ CPU: 2 UID: 0 PID: 1930 Comm: ip Not tainted 6.14.0-rc2+ #1
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
+ RIP: 0010:rtnl_getlink+0x586/0x5a0
+ Code: cb 82 e8 3d af 0a 00 4d 85 ff 0f 84 08 ff ff ff 4c 89 ff 41 be ea ff ff ff e8 66 63 5b ff 49 c7 07 80 4f cb 82 e9 36 fc ff ff <0f> 0b e9 16 fe ff ff e8 de a0 56 00 66 66 2e 0f 1f 84 00 00 00 00
+ RSP: 0018:ffff888113557348 EFLAGS: 00010246
+ RAX: 00000000ffffffa6 RBX: ffff88817e87aa34 RCX: dffffc0000000000
+ RDX: 0000000000000003 RSI: 0000000000000000 RDI: ffff88817e87afb8
+ RBP: 0000000000000009 R08: ffffffff821f44aa R09: 0000000000000000
+ R10: ffff8881260f79a8 R11: ffff88817e87af00 R12: ffff88817e87aa00
+ R13: ffffffff8563d300 R14: 00000000ffffffa6 R15: 00000000ffffffff
+ FS: 00007f63a5dbf280(0000) GS:ffff88881ee00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007f63a5ba4493 CR3: 00000001700fe002 CR4: 0000000000772eb0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ PKRU: 55555554
+ Call Trace:
+ <TASK>
+ ? __warn+0xa5/0x230
+ ? rtnl_getlink+0x586/0x5a0
+ ? report_bug+0x22d/0x240
+ ? handle_bug+0x53/0xa0
+ ? exc_invalid_op+0x14/0x50
+ ? asm_exc_invalid_op+0x16/0x20
+ ? skb_trim+0x6a/0x80
+ ? rtnl_getlink+0x586/0x5a0
+ ? __pfx_rtnl_getlink+0x10/0x10
+ ? rtnetlink_rcv_msg+0x1e5/0x860
+ ? __pfx___mutex_lock+0x10/0x10
+ ? rcu_is_watching+0x34/0x60
+ ? __pfx_lock_acquire+0x10/0x10
+ ? stack_trace_save+0x90/0xd0
+ ? filter_irq_stacks+0x1d/0x70
+ ? kasan_save_stack+0x30/0x40
+ ? kasan_save_stack+0x20/0x40
+ ? kasan_save_track+0x10/0x30
+ rtnetlink_rcv_msg+0x21c/0x860
+ ? entry_SYSCALL_64_after_hwframe+0x76/0x7e
+ ? __pfx_rtnetlink_rcv_msg+0x10/0x10
+ ? arch_stack_walk+0x9e/0xf0
+ ? rcu_is_watching+0x34/0x60
+ ? lock_acquire+0xd5/0x410
+ ? rcu_is_watching+0x34/0x60
+ netlink_rcv_skb+0xe0/0x210
+ ? __pfx_rtnetlink_rcv_msg+0x10/0x10
+ ? __pfx_netlink_rcv_skb+0x10/0x10
+ ? rcu_is_watching+0x34/0x60
+ ? __pfx___netlink_lookup+0x10/0x10
+ ? lock_release+0x62/0x200
+ ? netlink_deliver_tap+0xfd/0x290
+ ? rcu_is_watching+0x34/0x60
+ ? lock_release+0x62/0x200
+ ? netlink_deliver_tap+0x95/0x290
+ netlink_unicast+0x31f/0x480
+ ? __pfx_netlink_unicast+0x10/0x10
+ ? rcu_is_watching+0x34/0x60
+ ? lock_acquire+0xd5/0x410
+ netlink_sendmsg+0x369/0x660
+ ? lock_release+0x62/0x200
+ ? __pfx_netlink_sendmsg+0x10/0x10
+ ? import_ubuf+0xb9/0xf0
+ ? __import_iovec+0x254/0x2b0
+ ? lock_release+0x62/0x200
+ ? __pfx_netlink_sendmsg+0x10/0x10
+ ____sys_sendmsg+0x559/0x5a0
+ ? __pfx_____sys_sendmsg+0x10/0x10
+ ? __pfx_copy_msghdr_from_user+0x10/0x10
+ ? rcu_is_watching+0x34/0x60
+ ? do_read_fault+0x213/0x4a0
+ ? rcu_is_watching+0x34/0x60
+ ___sys_sendmsg+0xe4/0x150
+ ? __pfx____sys_sendmsg+0x10/0x10
+ ? do_fault+0x2cc/0x6f0
+ ? handle_pte_fault+0x2e3/0x3d0
+ ? __pfx_handle_pte_fault+0x10/0x10
+ ? preempt_count_sub+0x14/0xc0
+ ? __down_read_trylock+0x150/0x270
+ ? __handle_mm_fault+0x404/0x8e0
+ ? __pfx___handle_mm_fault+0x10/0x10
+ ? lock_release+0x62/0x200
+ ? __rcu_read_unlock+0x65/0x90
+ ? rcu_is_watching+0x34/0x60
+ __sys_sendmsg+0xd5/0x150
+ ? __pfx___sys_sendmsg+0x10/0x10
+ ? __up_read+0x192/0x480
+ ? lock_release+0x62/0x200
+ ? __rcu_read_unlock+0x65/0x90
+ ? rcu_is_watching+0x34/0x60
+ do_syscall_64+0x6d/0x140
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+ RIP: 0033:0x7f63a5b13367
+ Code: 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
+ RSP: 002b:00007fff8c726bc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+ RAX: ffffffffffffffda RBX: 0000000067b687c2 RCX: 00007f63a5b13367
+ RDX: 0000000000000000 RSI: 00007fff8c726c30 RDI: 0000000000000004
+ RBP: 00007fff8c726cb8 R08: 0000000000000000 R09: 0000000000000034
+ R10: 00007fff8c726c7c R11: 0000000000000246 R12: 0000000000000001
+ R13: 0000000000000000 R14: 00007fff8c726cd0 R15: 00007fff8c726cd0
+ </TASK>
+ irq event stamp: 0
+ hardirqs last enabled at (0): [<0000000000000000>] 0x0
+ hardirqs last disabled at (0): [<ffffffff813f9e58>] copy_process+0xd08/0x2830
+ softirqs last enabled at (0): [<ffffffff813f9e58>] copy_process+0xd08/0x2830
+ softirqs last disabled at (0): [<0000000000000000>] 0x0
+ ---[ end trace 0000000000000000 ]---
+
+Thus, when calculating ifinfo message size, take VF GUIDs sizes into
+account when supported.
+
+Fixes: 30aad41721e0 ("net/core: Add support for getting VF GUIDs")
+Signed-off-by: Mark Zhang <markzhang@nvidia.com>
+Reviewed-by: Maher Sanalla <msanalla@nvidia.com>
+Signed-off-by: Mark Bloch <mbloch@nvidia.com>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Link: https://patch.msgid.link/20250325090226.749730-1-mbloch@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/rtnetlink.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
+index 45c54fb9ad03f..6bc2f78a5ebbf 100644
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -1007,6 +1007,9 @@ static inline int rtnl_vfinfo_size(const struct net_device *dev,
+ /* IFLA_VF_STATS_TX_DROPPED */
+ nla_total_size_64bit(sizeof(__u64)));
+ }
++ if (dev->netdev_ops->ndo_get_vf_guid)
++ size += num_vfs * 2 *
++ nla_total_size(sizeof(struct ifla_vf_guid));
+ return size;
+ } else
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From dff59df5a4b23a8a75be49f4ba3160a0d1ed6880 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Mar 2025 08:45:12 +0000
+Subject: rust: fix signature of rust_fmt_argument
+
+From: Alice Ryhl <aliceryhl@google.com>
+
+[ Upstream commit 901b3290bd4dc35e613d13abd03c129e754dd3dd ]
+
+Without this change, the rest of this series will emit the following
+error message:
+
+error[E0308]: `if` and `else` have incompatible types
+ --> <linux>/rust/kernel/print.rs:22:22
+ |
+21 | #[export]
+ | --------- expected because of this
+22 | unsafe extern "C" fn rust_fmt_argument(
+ | ^^^^^^^^^^^^^^^^^ expected `u8`, found `i8`
+ |
+ = note: expected fn item `unsafe extern "C" fn(*mut u8, *mut u8, *mut c_void) -> *mut u8 {bindings::rust_fmt_argument}`
+ found fn item `unsafe extern "C" fn(*mut i8, *mut i8, *const c_void) -> *mut i8 {print::rust_fmt_argument}`
+
+The error may be different depending on the architecture.
+
+To fix this, change the void pointer argument to use a const pointer,
+and change the imports to use crate::ffi instead of core::ffi for
+integer types.
+
+Fixes: 787983da7718 ("vsprintf: add new `%pA` format specifier")
+Reviewed-by: Tamir Duberstein <tamird@gmail.com>
+Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Alice Ryhl <aliceryhl@google.com>
+Acked-by: Petr Mladek <pmladek@suse.com>
+Link: https://lore.kernel.org/r/20250303-export-macro-v3-1-41fbad85a27f@google.com
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/vsprintf.c | 2 +-
+ rust/kernel/print.rs | 7 +++----
+ 2 files changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/lib/vsprintf.c b/lib/vsprintf.c
+index fa1c197018551..408a92c5a4f79 100644
+--- a/lib/vsprintf.c
++++ b/lib/vsprintf.c
+@@ -2257,7 +2257,7 @@ int __init no_hash_pointers_enable(char *str)
+ early_param("no_hash_pointers", no_hash_pointers_enable);
+
+ /* Used for Rust formatting ('%pA'). */
+-char *rust_fmt_argument(char *buf, char *end, void *ptr);
++char *rust_fmt_argument(char *buf, char *end, const void *ptr);
+
+ /*
+ * Show a '%p' thing. A kernel extension is that the '%p' is followed
+diff --git a/rust/kernel/print.rs b/rust/kernel/print.rs
+index b6d1c12136de1..e21be6996932e 100644
+--- a/rust/kernel/print.rs
++++ b/rust/kernel/print.rs
+@@ -6,12 +6,11 @@
+ //!
+ //! Reference: <https://www.kernel.org/doc/html/latest/core-api/printk-basics.html>
+
+-use core::{
++use crate::{
+ ffi::{c_char, c_void},
+- fmt,
++ str::RawFormatter,
+ };
+-
+-use crate::str::RawFormatter;
++use core::fmt;
+
+ #[cfg(CONFIG_PRINTK)]
+ use crate::bindings;
+--
+2.39.5
+
--- /dev/null
+From 2385a708553978e6a40e42b7f05e72bb81d4a425 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Mar 2025 10:59:53 +0530
+Subject: sched/deadline: Use online cpus for validating runtime
+
+From: Shrikanth Hegde <sshegde@linux.ibm.com>
+
+[ Upstream commit 14672f059d83f591afb2ee1fff56858efe055e5a ]
+
+The ftrace selftest reported a failure because writing -1 to
+sched_rt_runtime_us returns -EBUSY. This happens when the possible
+CPUs are different from active CPUs.
+
+Active CPUs are part of one root domain, while remaining CPUs are part
+of def_root_domain. Since active cpumask is being used, this results in
+cpus=0 when a non active CPUs is used in the loop.
+
+Fix it by looping over the online CPUs instead for validating the
+bandwidth calculations.
+
+Signed-off-by: Shrikanth Hegde <sshegde@linux.ibm.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Reviewed-by: Juri Lelli <juri.lelli@redhat.com>
+Link: https://lore.kernel.org/r/20250306052954.452005-2-sshegde@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/deadline.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c
+index 389290e950bea..7f378fa0b6ed3 100644
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -2762,7 +2762,7 @@ int sched_dl_global_validate(void)
+ * value smaller than the currently allocated bandwidth in
+ * any of the root_domains.
+ */
+- for_each_possible_cpu(cpu) {
++ for_each_online_cpu(cpu) {
+ rcu_read_lock_sched();
+
+ if (dl_bw_visited(cpu, gen))
+--
+2.39.5
+
--- /dev/null
+From e36415efb471e4d4d5aa76b59587e09e2a129d4e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 31 Mar 2025 21:26:44 -0700
+Subject: sched/smt: Always inline sched_smt_active()
+
+From: Josh Poimboeuf <jpoimboe@kernel.org>
+
+[ Upstream commit 09f37f2d7b21ff35b8b533f9ab8cfad2fe8f72f6 ]
+
+sched_smt_active() can be called from noinstr code, so it should always
+be inlined. The CONFIG_SCHED_SMT version already has __always_inline.
+Do the same for its !CONFIG_SCHED_SMT counterpart.
+
+Fixes the following warning:
+
+ vmlinux.o: error: objtool: intel_idle_ibrs+0x13: call to sched_smt_active() leaves .noinstr.text section
+
+Fixes: 321a874a7ef8 ("sched/smt: Expose sched_smt_present static key")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Link: https://lore.kernel.org/r/1d03907b0a247cf7fb5c1d518de378864f603060.1743481539.git.jpoimboe@kernel.org
+Closes: https://lore.kernel.org/r/202503311434.lyw2Tveh-lkp@intel.com/
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/sched/smt.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/sched/smt.h b/include/linux/sched/smt.h
+index 59d3736c454cf..737b50f40137b 100644
+--- a/include/linux/sched/smt.h
++++ b/include/linux/sched/smt.h
+@@ -12,7 +12,7 @@ static __always_inline bool sched_smt_active(void)
+ return static_branch_likely(&sched_smt_present);
+ }
+ #else
+-static inline bool sched_smt_active(void) { return false; }
++static __always_inline bool sched_smt_active(void) { return false; }
+ #endif
+
+ void arch_smt_update(void);
+--
+2.39.5
+
--- /dev/null
+From 11d54762113470408c97de27ff425804226d27f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Mar 2025 13:28:52 +0100
+Subject: selftests/bpf: Fix string read in strncmp benchmark
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Viktor Malik <vmalik@redhat.com>
+
+[ Upstream commit de07b182899227d5fd1ca7a1a7d495ecd453d49c ]
+
+The strncmp benchmark uses the bpf_strncmp helper and a hand-written
+loop to compare two strings. The values of the strings are filled from
+userspace. One of the strings is non-const (in .bss) while the other is
+const (in .rodata) since that is the requirement of bpf_strncmp.
+
+The problem is that in the hand-written loop, Clang optimizes the reads
+from the const string to always return 0 which breaks the benchmark.
+
+Use barrier_var to prevent the optimization.
+
+The effect can be seen on the strncmp-no-helper variant.
+
+Before this change:
+
+ # ./bench strncmp-no-helper
+ Setting up benchmark 'strncmp-no-helper'...
+ Benchmark 'strncmp-no-helper' started.
+ Iter 0 (112.309us): hits 0.000M/s ( 0.000M/prod), drops 0.000M/s, total operations 0.000M/s
+ Iter 1 (-23.238us): hits 0.000M/s ( 0.000M/prod), drops 0.000M/s, total operations 0.000M/s
+ Iter 2 ( 58.994us): hits 0.000M/s ( 0.000M/prod), drops 0.000M/s, total operations 0.000M/s
+ Iter 3 (-30.466us): hits 0.000M/s ( 0.000M/prod), drops 0.000M/s, total operations 0.000M/s
+ Iter 4 ( 29.996us): hits 0.000M/s ( 0.000M/prod), drops 0.000M/s, total operations 0.000M/s
+ Iter 5 ( 16.949us): hits 0.000M/s ( 0.000M/prod), drops 0.000M/s, total operations 0.000M/s
+ Iter 6 (-60.035us): hits 0.000M/s ( 0.000M/prod), drops 0.000M/s, total operations 0.000M/s
+ Summary: hits 0.000 ± 0.000M/s ( 0.000M/prod), drops 0.000 ± 0.000M/s, total operations 0.000 ± 0.000M/s
+
+After this change:
+
+ # ./bench strncmp-no-helper
+ Setting up benchmark 'strncmp-no-helper'...
+ Benchmark 'strncmp-no-helper' started.
+ Iter 0 ( 77.711us): hits 5.534M/s ( 5.534M/prod), drops 0.000M/s, total operations 5.534M/s
+ Iter 1 ( 11.215us): hits 6.006M/s ( 6.006M/prod), drops 0.000M/s, total operations 6.006M/s
+ Iter 2 (-14.253us): hits 5.931M/s ( 5.931M/prod), drops 0.000M/s, total operations 5.931M/s
+ Iter 3 ( 59.087us): hits 6.005M/s ( 6.005M/prod), drops 0.000M/s, total operations 6.005M/s
+ Iter 4 (-21.379us): hits 6.010M/s ( 6.010M/prod), drops 0.000M/s, total operations 6.010M/s
+ Iter 5 (-20.310us): hits 5.861M/s ( 5.861M/prod), drops 0.000M/s, total operations 5.861M/s
+ Iter 6 ( 53.937us): hits 6.004M/s ( 6.004M/prod), drops 0.000M/s, total operations 6.004M/s
+ Summary: hits 5.969 ± 0.061M/s ( 5.969M/prod), drops 0.000 ± 0.000M/s, total operations 5.969 ± 0.061M/s
+
+Fixes: 9c42652f8be3 ("selftests/bpf: Add benchmark for bpf_strncmp() helper")
+Suggested-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Viktor Malik <vmalik@redhat.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Hou Tao <houtao1@huawei.com>
+Link: https://lore.kernel.org/bpf/20250313122852.1365202-1-vmalik@redhat.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/progs/strncmp_bench.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/bpf/progs/strncmp_bench.c b/tools/testing/selftests/bpf/progs/strncmp_bench.c
+index 18373a7df76e6..f47bf88f8d2a7 100644
+--- a/tools/testing/selftests/bpf/progs/strncmp_bench.c
++++ b/tools/testing/selftests/bpf/progs/strncmp_bench.c
+@@ -35,7 +35,10 @@ static __always_inline int local_strncmp(const char *s1, unsigned int sz,
+ SEC("tp/syscalls/sys_enter_getpgid")
+ int strncmp_no_helper(void *ctx)
+ {
+- if (local_strncmp(str, cmp_str_len + 1, target) < 0)
++ const char *target_str = target;
++
++ barrier_var(target_str);
++ if (local_strncmp(str, cmp_str_len + 1, target_str) < 0)
+ __sync_add_and_fetch(&hits, 1);
+ return 0;
+ }
+--
+2.39.5
+
--- /dev/null
+From 5e9b0e5f4a4509d60dff159c1769ba350976ee6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 31 Jan 2025 12:35:22 +0530
+Subject: selftests/bpf: Select NUMA_NO_NODE to create map
+
+From: Saket Kumar Bhaskar <skb99@linux.ibm.com>
+
+[ Upstream commit 4107a1aeb20ed4cdad6a0d49de92ea0f933c71b7 ]
+
+On powerpc, a CPU does not necessarily originate from NUMA node 0.
+This contrasts with architectures like x86, where CPU 0 is not
+hot-pluggable, making NUMA node 0 a consistently valid node.
+This discrepancy can lead to failures when creating a map on NUMA
+node 0, which is initialized by default, if no CPUs are allocated
+from NUMA node 0.
+
+This patch fixes the issue by setting NUMA_NO_NODE (-1) for map
+creation for this selftest.
+
+Fixes: 96eabe7a40aa ("bpf: Allow selecting numa node during map creation")
+Signed-off-by: Saket Kumar Bhaskar <skb99@linux.ibm.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Yonghong Song <yonghong.song@linux.dev>
+Link: https://lore.kernel.org/bpf/cf1f61468b47425ecf3728689bc9636ddd1d910e.1738302337.git.skb99@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/bloom_filter_map.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/bloom_filter_map.c b/tools/testing/selftests/bpf/prog_tests/bloom_filter_map.c
+index f79815b7e951b..fff16cdc93f20 100644
+--- a/tools/testing/selftests/bpf/prog_tests/bloom_filter_map.c
++++ b/tools/testing/selftests/bpf/prog_tests/bloom_filter_map.c
+@@ -6,6 +6,10 @@
+ #include <test_progs.h>
+ #include "bloom_filter_map.skel.h"
+
++#ifndef NUMA_NO_NODE
++#define NUMA_NO_NODE (-1)
++#endif
++
+ static void test_fail_cases(void)
+ {
+ LIBBPF_OPTS(bpf_map_create_opts, opts);
+@@ -69,6 +73,7 @@ static void test_success_cases(void)
+
+ /* Create a map */
+ opts.map_flags = BPF_F_ZERO_SEED | BPF_F_NUMA_NODE;
++ opts.numa_node = NUMA_NO_NODE;
+ fd = bpf_map_create(BPF_MAP_TYPE_BLOOM_FILTER, NULL, 0, sizeof(value), 100, &opts);
+ if (!ASSERT_GE(fd, 0, "bpf_map_create bloom filter success case"))
+ return;
+--
+2.39.5
+
--- /dev/null
+From 932786184bdc45dd9e5151467259334e91711e43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Mar 2025 10:56:43 +0100
+Subject: selinux: Chain up tool resolving errors in install_policy.sh
+
+From: Tim Schumacher <tim.schumacher1@huawei.com>
+
+[ Upstream commit 6ae0042f4d3f331e841495eb0a3d51598e593ec2 ]
+
+Subshell evaluations are not exempt from errexit, so if a command is
+not available, `which` will fail and exit the script as a whole.
+This causes the helpful error messages to not be printed if they are
+tacked on using a `$?` comparison.
+
+Resolve the issue by using chains of logical operators, which are not
+subject to the effects of errexit.
+
+Fixes: e37c1877ba5b1 ("scripts/selinux: modernize mdp")
+Signed-off-by: Tim Schumacher <tim.schumacher1@huawei.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/selinux/install_policy.sh | 15 ++++++---------
+ 1 file changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/scripts/selinux/install_policy.sh b/scripts/selinux/install_policy.sh
+index 24086793b0d8d..db40237e60ce7 100755
+--- a/scripts/selinux/install_policy.sh
++++ b/scripts/selinux/install_policy.sh
+@@ -6,27 +6,24 @@ if [ `id -u` -ne 0 ]; then
+ exit 1
+ fi
+
+-SF=`which setfiles`
+-if [ $? -eq 1 ]; then
++SF=`which setfiles` || {
+ echo "Could not find setfiles"
+ echo "Do you have policycoreutils installed?"
+ exit 1
+-fi
++}
+
+-CP=`which checkpolicy`
+-if [ $? -eq 1 ]; then
++CP=`which checkpolicy` || {
+ echo "Could not find checkpolicy"
+ echo "Do you have checkpolicy installed?"
+ exit 1
+-fi
++}
+ VERS=`$CP -V | awk '{print $1}'`
+
+-ENABLED=`which selinuxenabled`
+-if [ $? -eq 1 ]; then
++ENABLED=`which selinuxenabled` || {
+ echo "Could not find selinuxenabled"
+ echo "Do you have libselinux-utils installed?"
+ exit 1
+-fi
++}
+
+ if selinuxenabled; then
+ echo "SELinux is already enabled"
+--
+2.39.5
+
--- /dev/null
+watch_queue-fix-pipe-accounting-mismatch.patch
+x86-mm-pat-cpa-test-fix-length-for-cpa_array-test.patch
+cpufreq-scpi-compare-khz-instead-of-hz.patch
+smack-dont-compile-ipv6-code-unless-ipv6-is-configur.patch
+cpufreq-governor-fix-negative-idle_time-handling-in-.patch
+x86-fpu-fix-guest-fpu-state-buffer-allocation-size.patch
+x86-fpu-avoid-copying-dynamic-fp-state-from-init_tas.patch
+x86-platform-only-allow-config_eisa-for-32-bit.patch
+x86-sev-add-missing-rip_rel_ref-invocations-during-s.patch
+lockdep-mm-fix-might_fault-lockdep-check-of-current-.patch
+pm-sleep-adjust-check-before-setting-power.must_resu.patch
+selinux-chain-up-tool-resolving-errors-in-install_po.patch
+edac-ie31200-fix-the-size-of-edac_mc_layer_chip_sele.patch
+edac-ie31200-fix-the-dimm-size-mask-for-several-socs.patch
+edac-ie31200-fix-the-error-path-order-of-ie31200_ini.patch
+thermal-int340x-add-null-check-for-adev.patch
+pm-sleep-fix-handling-devices-with-direct_complete-s.patch
+lockdep-don-t-disable-interrupts-on-rt-in-disable_ir.patch
+perf-ring_buffer-allow-the-epollrdnorm-flag-for-poll.patch
+x86-fpu-xstate-fix-inconsistencies-in-guest-fpu-xfea.patch
+media-verisilicon-hevc-initialize-start_bit-field.patch
+media-platform-allgro-dvt-unregister-v4l2_device-on-.patch
+asoc-cs35l41-check-the-return-value-from-spi_setup.patch
+hid-remove-superfluous-and-wrong-makefile-entry-for-.patch
+alsa-hda-realtek-always-honor-no_shutup_pins.patch
+asoc-ti-j721e-evm-fix-clock-configuration-for-ti-j72.patch
+drm-bridge-ti-sn65dsi86-fix-multiple-instances.patch
+drm-dp_mst-fix-drm-rad-print.patch
+drm-bridge-it6505-fix-hdcp-v-match-check-is-not-perf.patch
+drm-xlnx-zynqmp-fix-max-dma-segment-size.patch
+drm-vkms-fix-use-after-free-and-double-free-on-init-.patch
+pci-use-downstream-bridges-for-distributing-resource.patch
+drm-mediatek-mtk_hdmi-unregister-audio-platform-devi.patch
+drm-mediatek-mtk_hdmi-fix-typo-for-aud_sampe_size-me.patch
+pci-aspm-fix-link-state-exit-during-switch-upstream-.patch
+drm-msm-dsi-set-phy-usescase-and-mode-before-registe.patch
+pci-cadence-ep-fix-the-driver-to-send-msg-tlp-for-in.patch
+pci-brcmstb-use-internal-register-to-change-link-cap.patch
+pci-brcmstb-fix-error-path-after-a-call-to-regulator.patch
+pci-brcmstb-fix-potential-premature-regulator-disabl.patch
+pci-portdrv-only-disable-pciehp-interrupts-early-whe.patch
+pci-avoid-reset-when-disabled-via-sysfs.patch
+drm-amd-display-fix-type-mismatch-in-calculatedynami.patch
+pci-remove-stray-put_device-in-pci_register_host_bri.patch
+pci-xilinx-cpm-fix-irq-domain-leak-in-error-path-of-.patch
+drm-mediatek-dsi-fix-error-codes-in-mtk_dsi_host_tra.patch
+drm-amd-display-avoid-npd-when-asic-does-not-support.patch
+pci-pciehp-don-t-enable-hpie-when-resuming-in-poll-m.patch
+fbdev-au1100fb-move-a-variable-assignment-behind-a-n.patch
+mdacon-rework-dependency-list.patch
+fbdev-sm501fb-add-some-geometry-checks.patch
+clk-amlogic-gxbb-drop-incorrect-flag-on-32k-clock.patch
+crypto-hisilicon-sec2-fix-for-aead-authsize-alignmen.patch
+remoteproc-core-clear-table_sz-when-rproc_shutdown.patch
+of-property-increase-nr_fwnode_reference_args.patch
+remoteproc-qcom_q6v5_pas-make-single-pd-handling-mor.patch
+libbpf-fix-hypothetical-stt_section-extern-null-dere.patch
+selftests-bpf-fix-string-read-in-strncmp-benchmark.patch
+clk-samsung-fix-ubsan-panic-in-samsung_clk_init.patch
+clk-qcom-gcc-msm8953-fix-stuck-venus0_core0-clock.patch
+bpf-use-preempt_count-directly-in-bpf_send_signal_co.patch
+lib-842-improve-error-handling-in-sw842_compress.patch
+pinctrl-renesas-rza2-fix-missing-of_node_put-call.patch
+pinctrl-renesas-rzg2l-fix-missing-of_node_put-call.patch
+clk-rockchip-rk3328-fix-wrong-clk_ref_usb3otg-parent.patch
+rdma-core-don-t-expose-hw_counters-outside-of-init-n.patch
+rdma-mlx5-fix-calculation-of-total-invalidated-pages.patch
+rdma-erdma-prevent-use-after-free-in-erdma_accept_ne.patch
+remoteproc-qcom_q6v5_mss-handle-platforms-with-one-p.patch
+ib-mad-check-available-slots-before-posting-receive-.patch
+pinctrl-tegra-set-sfio-mode-to-mux-register.patch
+clk-amlogic-g12b-fix-cluster-a-parent-data.patch
+clk-amlogic-gxbb-drop-non-existing-32k-clock-parent.patch
+selftests-bpf-select-numa_no_node-to-create-map.patch
+rust-fix-signature-of-rust_fmt_argument.patch
+clk-amlogic-g12a-fix-mmc-a-peripheral-clock.patch
+x86-entry-fix-orc-unwinder-for-push_regs-with-save_r.patch
+power-supply-max77693-fix-wrong-conversion-of-charge.patch
+crypto-nx-fix-uninitialised-hv_nxc-on-error.patch
+rdma-mlx5-fix-mlx5_poll_one-cur_qp-update-flow.patch
+pinctrl-renesas-rzv2m-fix-missing-of_node_put-call.patch
+mfd-sm501-switch-to-bit-to-mitigate-integer-overflow.patch
+x86-dumpstack-fix-inaccurate-unwinding-from-exceptio.patch
+crypto-hisilicon-sec2-fix-for-aead-auth-key-length.patch
+clk-qcom-mmcc-sdm660-fix-stuck-video_subcore0-clock.patch
+isofs-fix-kmsan-uninit-value-bug-in-do_isofs_readdir.patch
+soundwire-slave-fix-an-of-node-reference-leak-in-sou.patch
+coresight-catu-fix-number-of-pages-while-using-64k-p.patch
+coresight-etm4x-add-isb-before-reading-the-trcstatr.patch
+iio-accel-mma8452-ensure-error-return-on-failure-to-.patch
+iio-accel-msa311-fix-failure-to-release-runtime-pm-i.patch
+usb-xhci-correct-debug-message-page-size-calculation.patch
+fs-ntfs3-fix-a-couple-integer-overflows-on-32bit-sys.patch
+iio-adc-ad7124-fix-comparison-of-channel-configs.patch
+perf-evlist-add-success-path-to-evlist__create_syswi.patch
+perf-units-fix-insufficient-array-space.patch
+kexec-initialize-elf-lowest-address-to-ulong_max.patch
+ocfs2-validate-l_tree_depth-to-avoid-out-of-bounds-a.patch
+arch-powerpc-drop-generic_ptdump-from-mpc885_ads_def.patch
+nfsv4-don-t-trigger-uneccessary-scans-for-return-on-.patch
+fuse-fix-dax-truncate-punch_hole-fault-path.patch
+um-remove-copy_from_kernel_nofault_allowed.patch
+i3c-master-svc-fix-missing-the-ibi-rules.patch
+perf-python-fixup-description-of-sample.id-event-mem.patch
+perf-python-decrement-the-refcount-of-just-created-e.patch
+perf-python-don-t-keep-a-raw_data-pointer-to-consume.patch
+perf-python-check-if-there-is-space-to-copy-all-the-.patch
+staging-rtl8723bs-select-config_crypto_lib_aes.patch
+fs-procfs-fix-the-comment-above-proc_pid_wchan.patch
+perf-tools-annotate-asm_pure_loop.s.patch
+objtool-media-dib8000-prevent-divide-by-zero-in-dib8.patch
+exfat-fix-the-infinite-loop-in-exfat_find_last_clust.patch
+rtnetlink-allocate-vfinfo-size-for-vf-guids-when-sup.patch
+rndis_host-flag-rndis-modems-as-wwan-devices.patch
+ksmbd-use-aead_request_free-to-match-aead_request_al.patch
+ksmbd-fix-multichannel-connection-failure.patch
+net-mlx5e-shampo-make-reserved-size-independent-of-p.patch
+ring-buffer-fix-bytes_dropped-calculation-issue.patch
+loongarch-fix-help-text-of-cmdline_extend-in-kconfig.patch
+acpi-processor-idle-return-an-error-if-both-p_lvl-2-.patch
+octeontx2-af-fix-mbox-intr-handler-when-num-vfs-64.patch
+octeontx2-af-free-nix_af_int_vec_gen-irq.patch
+sched-smt-always-inline-sched_smt_active.patch
+context_tracking-always-inline-ct_-nmi-irq-_-enter-e.patch
+rcu-tasks-always-inline-rcu_irq_work_resched.patch
+wifi-iwlwifi-fw-allocate-chained-sg-tables-for-dump.patch
+wifi-iwlwifi-mvm-use-the-right-version-of-the-rate-a.patch
+nvme-tcp-fix-possible-uaf-in-nvme_tcp_poll.patch
+nvme-pci-clean-up-cmbmsc-when-registering-cmb-fails.patch
+nvme-pci-skip-cmb-blocks-incompatible-with-pci-p2p-d.patch
+wifi-brcmfmac-keep-power-during-suspend-if-board-req.patch
+affs-generate-ofs-sequence-numbers-starting-at-1.patch
+affs-don-t-write-overlarge-ofs-data-block-size-field.patch
+alsa-hda-realtek-fix-asus-z13-2025-audio.patch
+alsa-hda-fix-speakers-on-asus-expertbook-p5405csa-1..patch
+platform-x86-intel-hid-fix-volume-buttons-on-microso.patch
+hid-i2c-hid-improve-i2c_hid_get_report-error-message.patch
+alsa-hda-realtek-add-support-for-asus-rog-strix-g614.patch
+alsa-hda-realtek-add-support-for-asus-zenbook-um3406.patch
+sched-deadline-use-online-cpus-for-validating-runtim.patch
+locking-semaphore-use-wake_q-to-wake-up-processes-ou.patch
+x86-sgx-warn-explicitly-if-x86_feature_sgx_lc-is-not.patch
+drm-amd-keep-display-off-while-going-into-s4.patch
+alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch
+can-statistics-use-atomic-access-in-hot-path.patch
+memory-omap-gpmc-drop-no-compatible-check.patch
+hwmon-nct6775-core-fix-out-of-bounds-access-for-nct6.patch
+spufs-fix-a-leak-on-spufs_new_file-failure.patch
+spufs-fix-gang-directory-lifetimes.patch
+spufs-fix-a-leak-in-spufs_create_context.patch
+riscv-ftrace-add-parentheses-in-macro-definitions-of.patch
+ntb_hw_switchtec-fix-shift-out-of-bounds-in-switchte.patch
+ntb-intel-fix-using-link-status-db-s.patch
+nvme-pci-skip-nvme_write_sq_db-on-empty-rqlist.patch
+asoc-imx-card-add-null-check-in-imx_card_probe.patch
+netfilter-nft_set_hash-gc-reaps-elements-with-connco.patch
+netlabel-fix-null-pointer-exception-caused-by-calips.patch
+net_sched-skbprio-remove-overly-strict-queue-asserti.patch
+net-mvpp2-prevent-parser-tcam-memory-corruption.patch
+udp-fix-memory-accounting-leak.patch
+vsock-avoid-timeout-during-connect-if-the-socket-is-.patch
+tunnels-accept-packet_host-in-skb_tunnel_check_pmtu.patch
+netfilter-nft_tunnel-fix-geneve_opt-type-confusion-a.patch
+ipv6-fix-omitted-netlink-attributes-when-using-rtext.patch
+net-dsa-mv88e6xxx-propperly-shutdown-ppu-re-enable-t.patch
+net-fix-geneve_opt-length-integer-overflow.patch
+ipv6-start-path-selection-from-the-first-nexthop.patch
+ipv6-do-not-consider-link-down-nexthops-in-path-sele.patch
+arcnet-add-null-check-in-com20020pci_probe.patch
--- /dev/null
+From d2dd3791a78b0b0798b5fd0639f1209675d47731 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Jan 2025 19:36:42 +0300
+Subject: smack: dont compile ipv6 code unless ipv6 is configured
+
+From: Konstantin Andreev <andreev@swemel.ru>
+
+[ Upstream commit bfcf4004bcbce2cb674b4e8dbd31ce0891766bac ]
+
+I want to be sure that ipv6-specific code
+is not compiled in kernel binaries
+if ipv6 is not configured.
+
+[1] was getting rid of "unused variable" warning, but,
+with that, it also mandated compilation of a handful ipv6-
+specific functions in ipv4-only kernel configurations:
+
+smk_ipv6_localhost, smack_ipv6host_label, smk_ipv6_check.
+
+Their compiled bodies are likely to be removed by compiler
+from the resulting binary, but, to be on the safe side,
+I remove them from the compiler view.
+
+[1]
+Fixes: 00720f0e7f28 ("smack: avoid unused 'sip' variable warning")
+
+Signed-off-by: Konstantin Andreev <andreev@swemel.ru>
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/smack/smack.h | 6 ++++++
+ security/smack/smack_lsm.c | 10 +++++++++-
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/security/smack/smack.h b/security/smack/smack.h
+index aa15ff56ed6e7..eb22090f3bb85 100644
+--- a/security/smack/smack.h
++++ b/security/smack/smack.h
+@@ -152,6 +152,7 @@ struct smk_net4addr {
+ struct smack_known *smk_label; /* label */
+ };
+
++#if IS_ENABLED(CONFIG_IPV6)
+ /*
+ * An entry in the table identifying IPv6 hosts.
+ */
+@@ -162,7 +163,9 @@ struct smk_net6addr {
+ int smk_masks; /* mask size */
+ struct smack_known *smk_label; /* label */
+ };
++#endif /* CONFIG_IPV6 */
+
++#ifdef SMACK_IPV6_PORT_LABELING
+ /*
+ * An entry in the table identifying ports.
+ */
+@@ -175,6 +178,7 @@ struct smk_port_label {
+ short smk_sock_type; /* Socket type */
+ short smk_can_reuse;
+ };
++#endif /* SMACK_IPV6_PORT_LABELING */
+
+ struct smack_known_list_elem {
+ struct list_head list;
+@@ -314,7 +318,9 @@ extern struct smack_known smack_known_web;
+ extern struct mutex smack_known_lock;
+ extern struct list_head smack_known_list;
+ extern struct list_head smk_net4addr_list;
++#if IS_ENABLED(CONFIG_IPV6)
+ extern struct list_head smk_net6addr_list;
++#endif /* CONFIG_IPV6 */
+
+ extern struct mutex smack_onlycap_lock;
+ extern struct list_head smack_onlycap_list;
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index 25995df15e82d..285103ffc75c6 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -2405,6 +2405,7 @@ static struct smack_known *smack_ipv4host_label(struct sockaddr_in *sip)
+ return NULL;
+ }
+
++#if IS_ENABLED(CONFIG_IPV6)
+ /*
+ * smk_ipv6_localhost - Check for local ipv6 host address
+ * @sip: the address
+@@ -2472,6 +2473,7 @@ static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip)
+
+ return NULL;
+ }
++#endif /* CONFIG_IPV6 */
+
+ /**
+ * smack_netlbl_add - Set the secattr on a socket
+@@ -2575,6 +2577,7 @@ static int smk_ipv4_check(struct sock *sk, struct sockaddr_in *sap)
+ return rc;
+ }
+
++#if IS_ENABLED(CONFIG_IPV6)
+ /**
+ * smk_ipv6_check - check Smack access
+ * @subject: subject Smack label
+@@ -2607,6 +2610,7 @@ static int smk_ipv6_check(struct smack_known *subject,
+ rc = smk_bu_note("IPv6 check", subject, object, MAY_WRITE, rc);
+ return rc;
+ }
++#endif /* CONFIG_IPV6 */
+
+ #ifdef SMACK_IPV6_PORT_LABELING
+ /**
+@@ -2939,7 +2943,9 @@ static int smack_socket_connect(struct socket *sock, struct sockaddr *sap,
+ return 0;
+ if (addrlen < offsetofend(struct sockaddr, sa_family))
+ return 0;
+- if (IS_ENABLED(CONFIG_IPV6) && sap->sa_family == AF_INET6) {
++
++#if IS_ENABLED(CONFIG_IPV6)
++ if (sap->sa_family == AF_INET6) {
+ struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap;
+ struct smack_known *rsp = NULL;
+
+@@ -2959,6 +2965,8 @@ static int smack_socket_connect(struct socket *sock, struct sockaddr *sap,
+
+ return rc;
+ }
++#endif /* CONFIG_IPV6 */
++
+ if (sap->sa_family != AF_INET || addrlen < sizeof(struct sockaddr_in))
+ return 0;
+ rc = smk_ipv4_check(sock->sk, (struct sockaddr_in *)sap);
+--
+2.39.5
+
--- /dev/null
+From c6d16f66e578df7d0588de457772ff8037cb7ce3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Dec 2024 12:48:44 +0900
+Subject: soundwire: slave: fix an OF node reference leak in soundwire slave
+ device
+
+From: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+
+[ Upstream commit aac2f8363f773ae1f65aab140e06e2084ac6b787 ]
+
+When initializing a soundwire slave device, an OF node is stored to the
+device with refcount incremented. However, the refcount is not
+decremented in .release(), thus call of_node_put() in
+sdw_slave_release().
+
+Fixes: a2e484585ad3 ("soundwire: core: add device tree support for slave devices")
+Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20241205034844.2784964-1-joe@pf.is.s.u-tokyo.ac.jp
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soundwire/slave.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/soundwire/slave.c b/drivers/soundwire/slave.c
+index c1c1a2ac293af..28b0d7b6d780c 100644
+--- a/drivers/soundwire/slave.c
++++ b/drivers/soundwire/slave.c
+@@ -12,6 +12,7 @@ static void sdw_slave_release(struct device *dev)
+ {
+ struct sdw_slave *slave = dev_to_sdw_dev(dev);
+
++ of_node_put(slave->dev.of_node);
+ mutex_destroy(&slave->sdw_dev_lock);
+ kfree(slave);
+ }
+--
+2.39.5
+
--- /dev/null
+From bc950d9bd34cfc10acaaa529a41261b486e4c5dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Mar 2025 19:38:28 -0400
+Subject: spufs: fix a leak in spufs_create_context()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit 0f5cce3fc55b08ee4da3372baccf4bcd36a98396 ]
+
+Leak fixes back in 2008 missed one case - if we are trying to set affinity
+and spufs_mkdir() fails, we need to drop the reference to neighbor.
+
+Fixes: 58119068cb27 "[POWERPC] spufs: Fix memory leak on SPU affinity"
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/cell/spufs/inode.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/platforms/cell/spufs/inode.c b/arch/powerpc/platforms/cell/spufs/inode.c
+index 79d45fa599002..d11951586e1f8 100644
+--- a/arch/powerpc/platforms/cell/spufs/inode.c
++++ b/arch/powerpc/platforms/cell/spufs/inode.c
+@@ -459,8 +459,11 @@ spufs_create_context(struct inode *inode, struct dentry *dentry,
+ }
+
+ ret = spufs_mkdir(inode, dentry, flags, mode & 0777);
+- if (ret)
++ if (ret) {
++ if (neighbor)
++ put_spu_context(neighbor);
+ goto out_aff_unlock;
++ }
+
+ if (affinity) {
+ spufs_set_affinity(flags, SPUFS_I(d_inode(dentry))->i_ctx,
+--
+2.39.5
+
--- /dev/null
+From 1f30c14f59670483887d5015f8ccdf4777ce755d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 8 Mar 2025 19:26:31 -0500
+Subject: spufs: fix a leak on spufs_new_file() failure
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit d1ca8698ca1332625d83ea0d753747be66f9906d ]
+
+It's called from spufs_fill_dir(), and caller of that will do
+spufs_rmdir() in case of failure. That does remove everything
+we'd managed to create, but... the problem dentry is still
+negative. IOW, it needs to be explicitly dropped.
+
+Fixes: 3f51dd91c807 "[PATCH] spufs: fix spufs_fill_dir error path"
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/cell/spufs/inode.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/platforms/cell/spufs/inode.c b/arch/powerpc/platforms/cell/spufs/inode.c
+index dbcfe361831a6..ac10339ea4172 100644
+--- a/arch/powerpc/platforms/cell/spufs/inode.c
++++ b/arch/powerpc/platforms/cell/spufs/inode.c
+@@ -191,8 +191,10 @@ static int spufs_fill_dir(struct dentry *dir,
+ return -ENOMEM;
+ ret = spufs_new_file(dir->d_sb, dentry, files->ops,
+ files->mode & mode, files->size, ctx);
+- if (ret)
++ if (ret) {
++ dput(dentry);
+ return ret;
++ }
+ files++;
+ }
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From cb9333513cc4b110b8e00744f912e62035b4c173 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Mar 2025 19:18:39 -0400
+Subject: spufs: fix gang directory lifetimes
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit c134deabf4784e155d360744d4a6a835b9de4dd4 ]
+
+prior to "[POWERPC] spufs: Fix gang destroy leaks" we used to have
+a problem with gang lifetimes - creation of a gang returns opened
+gang directory, which normally gets removed when that gets closed,
+but if somebody has created a context belonging to that gang and
+kept it alive until the gang got closed, removal failed and we
+ended up with a leak.
+
+Unfortunately, it had been fixed the wrong way. Dentry of gang
+directory was no longer pinned, and rmdir on close was gone.
+One problem was that failure of open kept calling simple_rmdir()
+as cleanup, which meant an unbalanced dput(). Another bug was
+in the success case - gang creation incremented link count on
+root directory, but that was no longer undone when gang got
+destroyed.
+
+Fix consists of
+ * reverting the commit in question
+ * adding a counter to gang, protected by ->i_rwsem
+of gang directory inode.
+ * having it set to 1 at creation time, dropped
+in both spufs_dir_close() and spufs_gang_close() and bumped
+in spufs_create_context(), provided that it's not 0.
+ * using simple_recursive_removal() to take the gang
+directory out when counter reaches zero.
+
+Fixes: 877907d37da9 "[POWERPC] spufs: Fix gang destroy leaks"
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/platforms/cell/spufs/gang.c | 1 +
+ arch/powerpc/platforms/cell/spufs/inode.c | 54 +++++++++++++++++++----
+ arch/powerpc/platforms/cell/spufs/spufs.h | 2 +
+ 3 files changed, 49 insertions(+), 8 deletions(-)
+
+diff --git a/arch/powerpc/platforms/cell/spufs/gang.c b/arch/powerpc/platforms/cell/spufs/gang.c
+index 827d338deaf4c..2c2999de6bfa2 100644
+--- a/arch/powerpc/platforms/cell/spufs/gang.c
++++ b/arch/powerpc/platforms/cell/spufs/gang.c
+@@ -25,6 +25,7 @@ struct spu_gang *alloc_spu_gang(void)
+ mutex_init(&gang->aff_mutex);
+ INIT_LIST_HEAD(&gang->list);
+ INIT_LIST_HEAD(&gang->aff_list_head);
++ gang->alive = 1;
+
+ out:
+ return gang;
+diff --git a/arch/powerpc/platforms/cell/spufs/inode.c b/arch/powerpc/platforms/cell/spufs/inode.c
+index ac10339ea4172..79d45fa599002 100644
+--- a/arch/powerpc/platforms/cell/spufs/inode.c
++++ b/arch/powerpc/platforms/cell/spufs/inode.c
+@@ -200,6 +200,23 @@ static int spufs_fill_dir(struct dentry *dir,
+ return 0;
+ }
+
++static void unuse_gang(struct dentry *dir)
++{
++ struct inode *inode = dir->d_inode;
++ struct spu_gang *gang = SPUFS_I(inode)->i_gang;
++
++ if (gang) {
++ bool dead;
++
++ inode_lock(inode); // exclusion with spufs_create_context()
++ dead = !--gang->alive;
++ inode_unlock(inode);
++
++ if (dead)
++ simple_recursive_removal(dir, NULL);
++ }
++}
++
+ static int spufs_dir_close(struct inode *inode, struct file *file)
+ {
+ struct inode *parent;
+@@ -214,6 +231,7 @@ static int spufs_dir_close(struct inode *inode, struct file *file)
+ inode_unlock(parent);
+ WARN_ON(ret);
+
++ unuse_gang(dir->d_parent);
+ return dcache_dir_close(inode, file);
+ }
+
+@@ -406,7 +424,7 @@ spufs_create_context(struct inode *inode, struct dentry *dentry,
+ {
+ int ret;
+ int affinity;
+- struct spu_gang *gang;
++ struct spu_gang *gang = SPUFS_I(inode)->i_gang;
+ struct spu_context *neighbor;
+ struct path path = {.mnt = mnt, .dentry = dentry};
+
+@@ -421,11 +439,15 @@ spufs_create_context(struct inode *inode, struct dentry *dentry,
+ if ((flags & SPU_CREATE_ISOLATE) && !isolated_loader)
+ return -ENODEV;
+
+- gang = NULL;
++ if (gang) {
++ if (!gang->alive)
++ return -ENOENT;
++ gang->alive++;
++ }
++
+ neighbor = NULL;
+ affinity = flags & (SPU_CREATE_AFFINITY_MEM | SPU_CREATE_AFFINITY_SPU);
+ if (affinity) {
+- gang = SPUFS_I(inode)->i_gang;
+ if (!gang)
+ return -EINVAL;
+ mutex_lock(&gang->aff_mutex);
+@@ -454,6 +476,8 @@ spufs_create_context(struct inode *inode, struct dentry *dentry,
+ out_aff_unlock:
+ if (affinity)
+ mutex_unlock(&gang->aff_mutex);
++ if (ret && gang)
++ gang->alive--; // can't reach 0
+ return ret;
+ }
+
+@@ -483,6 +507,7 @@ spufs_mkgang(struct inode *dir, struct dentry *dentry, umode_t mode)
+ inode->i_fop = &simple_dir_operations;
+
+ d_instantiate(dentry, inode);
++ dget(dentry);
+ inc_nlink(dir);
+ inc_nlink(d_inode(dentry));
+ return ret;
+@@ -493,6 +518,21 @@ spufs_mkgang(struct inode *dir, struct dentry *dentry, umode_t mode)
+ return ret;
+ }
+
++static int spufs_gang_close(struct inode *inode, struct file *file)
++{
++ unuse_gang(file->f_path.dentry);
++ return dcache_dir_close(inode, file);
++}
++
++static const struct file_operations spufs_gang_fops = {
++ .open = dcache_dir_open,
++ .release = spufs_gang_close,
++ .llseek = dcache_dir_lseek,
++ .read = generic_read_dir,
++ .iterate_shared = dcache_readdir,
++ .fsync = noop_fsync,
++};
++
+ static int spufs_gang_open(const struct path *path)
+ {
+ int ret;
+@@ -512,7 +552,7 @@ static int spufs_gang_open(const struct path *path)
+ return PTR_ERR(filp);
+ }
+
+- filp->f_op = &simple_dir_operations;
++ filp->f_op = &spufs_gang_fops;
+ fd_install(ret, filp);
+ return ret;
+ }
+@@ -527,10 +567,8 @@ static int spufs_create_gang(struct inode *inode,
+ ret = spufs_mkgang(inode, dentry, mode & 0777);
+ if (!ret) {
+ ret = spufs_gang_open(&path);
+- if (ret < 0) {
+- int err = simple_rmdir(inode, dentry);
+- WARN_ON(err);
+- }
++ if (ret < 0)
++ unuse_gang(dentry);
+ }
+ return ret;
+ }
+diff --git a/arch/powerpc/platforms/cell/spufs/spufs.h b/arch/powerpc/platforms/cell/spufs/spufs.h
+index 84958487f696a..d33787c57c39a 100644
+--- a/arch/powerpc/platforms/cell/spufs/spufs.h
++++ b/arch/powerpc/platforms/cell/spufs/spufs.h
+@@ -151,6 +151,8 @@ struct spu_gang {
+ int aff_flags;
+ struct spu *aff_ref_spu;
+ atomic_t aff_sched_count;
++
++ int alive;
+ };
+
+ /* Flag bits for spu_gang aff_flags */
+--
+2.39.5
+
--- /dev/null
+From 0cda172c54ea867c0eb9ec1e94c18e5b3dd5da4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 22 Feb 2025 19:36:17 +0000
+Subject: staging: rtl8723bs: select CONFIG_CRYPTO_LIB_AES
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: 谢致邦 (XIE Zhibang) <Yeking@Red54.com>
+
+[ Upstream commit b2a9a6a26b7e954297e51822e396572026480bad ]
+
+This fixes the following issue:
+ERROR: modpost: "aes_expandkey" [drivers/staging/rtl8723bs/r8723bs.ko]
+undefined!
+ERROR: modpost: "aes_encrypt" [drivers/staging/rtl8723bs/r8723bs.ko]
+undefined!
+
+Fixes: 7d40753d8820 ("staging: rtl8723bs: use in-kernel aes encryption in OMAC1 routines")
+Fixes: 3d3a170f6d80 ("staging: rtl8723bs: use in-kernel aes encryption")
+Signed-off-by: 谢致邦 (XIE Zhibang) <Yeking@Red54.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/tencent_0BDDF3A721708D16A2E7C3DAFF0FEC79A105@qq.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/rtl8723bs/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/staging/rtl8723bs/Kconfig b/drivers/staging/rtl8723bs/Kconfig
+index f23e29b679fb5..14afcbbd61045 100644
+--- a/drivers/staging/rtl8723bs/Kconfig
++++ b/drivers/staging/rtl8723bs/Kconfig
+@@ -5,6 +5,7 @@ config RTL8723BS
+ depends on m
+ select CFG80211_WEXT
+ select CRYPTO
++ select CRYPTO_LIB_AES
+ select CRYPTO_LIB_ARC4
+ help
+ This option enables support for RTL8723BS SDIO drivers, such as
+--
+2.39.5
+
--- /dev/null
+From 6f0de208027fb8c618a6353d73b018a5ffff75d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Mar 2025 23:36:11 -0500
+Subject: thermal: int340x: Add NULL check for adev
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chenyuan Yang <chenyuan0y@gmail.com>
+
+[ Upstream commit 2542a3f70e563a9e70e7ded314286535a3321bdb ]
+
+Not all devices have an ACPI companion fwnode, so adev might be NULL.
+This is similar to the commit cd2fd6eab480
+("platform/x86: int3472: Check for adev == NULL").
+
+Add a check for adev not being set and return -ENODEV in that case to
+avoid a possible NULL pointer deref in int3402_thermal_probe().
+
+Note, under the same directory, int3400_thermal_probe() has such a
+check.
+
+Fixes: 77e337c6e23e ("Thermal: introduce INT3402 thermal driver")
+Signed-off-by: Chenyuan Yang <chenyuan0y@gmail.com>
+Acked-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
+Link: https://patch.msgid.link/20250313043611.1212116-1-chenyuan0y@gmail.com
+[ rjw: Subject edit, added Fixes: ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/intel/int340x_thermal/int3402_thermal.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/thermal/intel/int340x_thermal/int3402_thermal.c b/drivers/thermal/intel/int340x_thermal/int3402_thermal.c
+index 43fa351e2b9ec..b7fdf25bfd237 100644
+--- a/drivers/thermal/intel/int340x_thermal/int3402_thermal.c
++++ b/drivers/thermal/intel/int340x_thermal/int3402_thermal.c
+@@ -45,6 +45,9 @@ static int int3402_thermal_probe(struct platform_device *pdev)
+ struct int3402_thermal_data *d;
+ int ret;
+
++ if (!adev)
++ return -ENODEV;
++
+ if (!acpi_has_method(adev->handle, "_TMP"))
+ return -ENODEV;
+
+--
+2.39.5
+
--- /dev/null
+From 120753febaaad70b1550fe616752db4c7226461d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 29 Mar 2025 01:33:44 +0100
+Subject: tunnels: Accept PACKET_HOST in skb_tunnel_check_pmtu().
+
+From: Guillaume Nault <gnault@redhat.com>
+
+[ Upstream commit 8930424777e43257f5bf6f0f0f53defd0d30415c ]
+
+Because skb_tunnel_check_pmtu() doesn't handle PACKET_HOST packets,
+commit 30a92c9e3d6b ("openvswitch: Set the skbuff pkt_type for proper
+pmtud support.") forced skb->pkt_type to PACKET_OUTGOING for
+openvswitch packets that are sent using the OVS_ACTION_ATTR_OUTPUT
+action. This allowed such packets to invoke the
+iptunnel_pmtud_check_icmp() or iptunnel_pmtud_check_icmpv6() helpers
+and thus trigger PMTU update on the input device.
+
+However, this also broke other parts of PMTU discovery. Since these
+packets don't have the PACKET_HOST type anymore, they won't trigger the
+sending of ICMP Fragmentation Needed or Packet Too Big messages to
+remote hosts when oversized (see the skb_in->pkt_type condition in
+__icmp_send() for example).
+
+These two skb->pkt_type checks are therefore incompatible as one
+requires skb->pkt_type to be PACKET_HOST, while the other requires it
+to be anything but PACKET_HOST.
+
+It makes sense to not trigger ICMP messages for non-PACKET_HOST packets
+as these messages should be generated only for incoming l2-unicast
+packets. However there doesn't seem to be any reason for
+skb_tunnel_check_pmtu() to ignore PACKET_HOST packets.
+
+Allow both cases to work by allowing skb_tunnel_check_pmtu() to work on
+PACKET_HOST packets and not overriding skb->pkt_type in openvswitch
+anymore.
+
+Fixes: 30a92c9e3d6b ("openvswitch: Set the skbuff pkt_type for proper pmtud support.")
+Fixes: 4cb47a8644cc ("tunnels: PMTU discovery support for directly bridged IP packets")
+Signed-off-by: Guillaume Nault <gnault@redhat.com>
+Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
+Reviewed-by: Aaron Conole <aconole@redhat.com>
+Tested-by: Aaron Conole <aconole@redhat.com>
+Link: https://patch.msgid.link/eac941652b86fddf8909df9b3bf0d97bc9444793.1743208264.git.gnault@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/ip_tunnel_core.c | 2 +-
+ net/openvswitch/actions.c | 6 ------
+ 2 files changed, 1 insertion(+), 7 deletions(-)
+
+diff --git a/net/ipv4/ip_tunnel_core.c b/net/ipv4/ip_tunnel_core.c
+index 80ccd6661aa32..fda08e2c72899 100644
+--- a/net/ipv4/ip_tunnel_core.c
++++ b/net/ipv4/ip_tunnel_core.c
+@@ -415,7 +415,7 @@ int skb_tunnel_check_pmtu(struct sk_buff *skb, struct dst_entry *encap_dst,
+
+ skb_dst_update_pmtu_no_confirm(skb, mtu);
+
+- if (!reply || skb->pkt_type == PACKET_HOST)
++ if (!reply)
+ return 0;
+
+ if (skb->protocol == htons(ETH_P_IP))
+diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c
+index 18d360aaf09bc..c517b24b30931 100644
+--- a/net/openvswitch/actions.c
++++ b/net/openvswitch/actions.c
+@@ -926,12 +926,6 @@ static void do_output(struct datapath *dp, struct sk_buff *skb, int out_port,
+ pskb_trim(skb, ovs_mac_header_len(key));
+ }
+
+- /* Need to set the pkt_type to involve the routing layer. The
+- * packet movement through the OVS datapath doesn't generally
+- * use routing, but this is needed for tunnel cases.
+- */
+- skb->pkt_type = PACKET_OUTGOING;
+-
+ if (likely(!mru ||
+ (skb->len <= mru + vport->dev->hard_header_len))) {
+ ovs_vport_send(vport, skb, ovs_key_mac_proto(key));
+--
+2.39.5
+
--- /dev/null
+From a4f4eaf38916548a37600ebf409ce65664b86d9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Apr 2025 11:44:43 -0700
+Subject: udp: Fix memory accounting leak.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit df207de9d9e7a4d92f8567e2c539d9c8c12fd99d ]
+
+Matt Dowling reported a weird UDP memory usage issue.
+
+Under normal operation, the UDP memory usage reported in /proc/net/sockstat
+remains close to zero. However, it occasionally spiked to 524,288 pages
+and never dropped. Moreover, the value doubled when the application was
+terminated. Finally, it caused intermittent packet drops.
+
+We can reproduce the issue with the script below [0]:
+
+ 1. /proc/net/sockstat reports 0 pages
+
+ # cat /proc/net/sockstat | grep UDP:
+ UDP: inuse 1 mem 0
+
+ 2. Run the script till the report reaches 524,288
+
+ # python3 test.py & sleep 5
+ # cat /proc/net/sockstat | grep UDP:
+ UDP: inuse 3 mem 524288 <-- (INT_MAX + 1) >> PAGE_SHIFT
+
+ 3. Kill the socket and confirm the number never drops
+
+ # pkill python3 && sleep 5
+ # cat /proc/net/sockstat | grep UDP:
+ UDP: inuse 1 mem 524288
+
+ 4. (necessary since v6.0) Trigger proto_memory_pcpu_drain()
+
+ # python3 test.py & sleep 1 && pkill python3
+
+ 5. The number doubles
+
+ # cat /proc/net/sockstat | grep UDP:
+ UDP: inuse 1 mem 1048577
+
+The application set INT_MAX to SO_RCVBUF, which triggered an integer
+overflow in udp_rmem_release().
+
+When a socket is close()d, udp_destruct_common() purges its receive
+queue and sums up skb->truesize in the queue. This total is calculated
+and stored in a local unsigned integer variable.
+
+The total size is then passed to udp_rmem_release() to adjust memory
+accounting. However, because the function takes a signed integer
+argument, the total size can wrap around, causing an overflow.
+
+Then, the released amount is calculated as follows:
+
+ 1) Add size to sk->sk_forward_alloc.
+ 2) Round down sk->sk_forward_alloc to the nearest lower multiple of
+ PAGE_SIZE and assign it to amount.
+ 3) Subtract amount from sk->sk_forward_alloc.
+ 4) Pass amount >> PAGE_SHIFT to __sk_mem_reduce_allocated().
+
+When the issue occurred, the total in udp_destruct_common() was 2147484480
+(INT_MAX + 833), which was cast to -2147482816 in udp_rmem_release().
+
+At 1) sk->sk_forward_alloc is changed from 3264 to -2147479552, and
+2) sets -2147479552 to amount. 3) reverts the wraparound, so we don't
+see a warning in inet_sock_destruct(). However, udp_memory_allocated
+ends up doubling at 4).
+
+Since commit 3cd3399dd7a8 ("net: implement per-cpu reserves for
+memory_allocated"), memory usage no longer doubles immediately after
+a socket is close()d because __sk_mem_reduce_allocated() caches the
+amount in udp_memory_per_cpu_fw_alloc. However, the next time a UDP
+socket receives a packet, the subtraction takes effect, causing UDP
+memory usage to double.
+
+This issue makes further memory allocation fail once the socket's
+sk->sk_rmem_alloc exceeds net.ipv4.udp_rmem_min, resulting in packet
+drops.
+
+To prevent this issue, let's use unsigned int for the calculation and
+call sk_forward_alloc_add() only once for the small delta.
+
+Note that first_packet_length() also potentially has the same problem.
+
+[0]:
+from socket import *
+
+SO_RCVBUFFORCE = 33
+INT_MAX = (2 ** 31) - 1
+
+s = socket(AF_INET, SOCK_DGRAM)
+s.bind(('', 0))
+s.setsockopt(SOL_SOCKET, SO_RCVBUFFORCE, INT_MAX)
+
+c = socket(AF_INET, SOCK_DGRAM)
+c.connect(s.getsockname())
+
+data = b'a' * 100
+
+while True:
+ c.send(data)
+
+Fixes: f970bd9e3a06 ("udp: implement memory accounting helpers")
+Reported-by: Matt Dowling <madowlin@amazon.com>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://patch.msgid.link/20250401184501.67377-3-kuniyu@amazon.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/udp.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
+index 88da11922d677..da96252dd8a16 100644
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -1437,12 +1437,12 @@ static bool udp_skb_has_head_state(struct sk_buff *skb)
+ }
+
+ /* fully reclaim rmem/fwd memory allocated for skb */
+-static void udp_rmem_release(struct sock *sk, int size, int partial,
+- bool rx_queue_lock_held)
++static void udp_rmem_release(struct sock *sk, unsigned int size,
++ int partial, bool rx_queue_lock_held)
+ {
+ struct udp_sock *up = udp_sk(sk);
+ struct sk_buff_head *sk_queue;
+- int amt;
++ unsigned int amt;
+
+ if (likely(partial)) {
+ up->forward_deficit += size;
+@@ -1462,10 +1462,8 @@ static void udp_rmem_release(struct sock *sk, int size, int partial,
+ if (!rx_queue_lock_held)
+ spin_lock(&sk_queue->lock);
+
+-
+- sk_forward_alloc_add(sk, size);
+- amt = (sk->sk_forward_alloc - partial) & ~(PAGE_SIZE - 1);
+- sk_forward_alloc_add(sk, -amt);
++ amt = (size + sk->sk_forward_alloc - partial) & ~(PAGE_SIZE - 1);
++ sk_forward_alloc_add(sk, size - amt);
+
+ if (amt)
+ __sk_mem_reduce_allocated(sk, amt >> PAGE_SHIFT);
+@@ -1650,7 +1648,7 @@ EXPORT_SYMBOL_GPL(skb_consume_udp);
+
+ static struct sk_buff *__first_packet_length(struct sock *sk,
+ struct sk_buff_head *rcvq,
+- int *total)
++ unsigned int *total)
+ {
+ struct sk_buff *skb;
+
+@@ -1683,8 +1681,8 @@ static int first_packet_length(struct sock *sk)
+ {
+ struct sk_buff_head *rcvq = &udp_sk(sk)->reader_queue;
+ struct sk_buff_head *sk_queue = &sk->sk_receive_queue;
++ unsigned int total = 0;
+ struct sk_buff *skb;
+- int total = 0;
+ int res;
+
+ spin_lock_bh(&rcvq->lock);
+--
+2.39.5
+
--- /dev/null
+From 579ac17bc02b8a1074f79da60e0bef702cb66c1b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Feb 2025 17:09:26 +0100
+Subject: um: remove copy_from_kernel_nofault_allowed
+
+From: Benjamin Berg <benjamin.berg@intel.com>
+
+[ Upstream commit 84a6fc378471fbeaf48f8604566a5a33a3d63c18 ]
+
+There is no need to override the default version of this function
+anymore as UML now has proper _nofault memory access functions.
+
+Doing this also fixes the fact that the implementation was incorrect as
+using mincore() will incorrectly flag pages as inaccessible if they were
+swapped out by the host.
+
+Fixes: f75b1b1bedfb ("um: Implement probe_kernel_read()")
+Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
+Link: https://patch.msgid.link/20250210160926.420133-3-benjamin@sipsolutions.net
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/um/include/shared/os.h | 1 -
+ arch/um/kernel/Makefile | 2 +-
+ arch/um/kernel/maccess.c | 19 --------------
+ arch/um/os-Linux/process.c | 51 -------------------------------------
+ 4 files changed, 1 insertion(+), 72 deletions(-)
+ delete mode 100644 arch/um/kernel/maccess.c
+
+diff --git a/arch/um/include/shared/os.h b/arch/um/include/shared/os.h
+index 0df646c6651ea..3b382da2996f0 100644
+--- a/arch/um/include/shared/os.h
++++ b/arch/um/include/shared/os.h
+@@ -211,7 +211,6 @@ extern int os_protect_memory(void *addr, unsigned long len,
+ extern int os_unmap_memory(void *addr, int len);
+ extern int os_drop_memory(void *addr, int length);
+ extern int can_drop_memory(void);
+-extern int os_mincore(void *addr, unsigned long len);
+
+ /* execvp.c */
+ extern int execvp_noalloc(char *buf, const char *file, char *const argv[]);
+diff --git a/arch/um/kernel/Makefile b/arch/um/kernel/Makefile
+index 1c2d4b29a3d46..6407fc911007b 100644
+--- a/arch/um/kernel/Makefile
++++ b/arch/um/kernel/Makefile
+@@ -17,7 +17,7 @@ extra-y := vmlinux.lds
+ obj-y = config.o exec.o exitcode.o irq.o ksyms.o mem.o \
+ physmem.o process.o ptrace.o reboot.o sigio.o \
+ signal.o sysrq.o time.o tlb.o trap.o \
+- um_arch.o umid.o maccess.o kmsg_dump.o capflags.o skas/
++ um_arch.o umid.o kmsg_dump.o capflags.o skas/
+ obj-y += load_file.o
+
+ obj-$(CONFIG_BLK_DEV_INITRD) += initrd.o
+diff --git a/arch/um/kernel/maccess.c b/arch/um/kernel/maccess.c
+deleted file mode 100644
+index 8ccd56813f684..0000000000000
+--- a/arch/um/kernel/maccess.c
++++ /dev/null
+@@ -1,19 +0,0 @@
+-// SPDX-License-Identifier: GPL-2.0-only
+-/*
+- * Copyright (C) 2013 Richard Weinberger <richrd@nod.at>
+- */
+-
+-#include <linux/uaccess.h>
+-#include <linux/kernel.h>
+-#include <os.h>
+-
+-bool copy_from_kernel_nofault_allowed(const void *src, size_t size)
+-{
+- void *psrc = (void *)rounddown((unsigned long)src, PAGE_SIZE);
+-
+- if ((unsigned long)src < PAGE_SIZE || size <= 0)
+- return false;
+- if (os_mincore(psrc, size + src - psrc) <= 0)
+- return false;
+- return true;
+-}
+diff --git a/arch/um/os-Linux/process.c b/arch/um/os-Linux/process.c
+index e52dd37ddadcc..2686120ab2325 100644
+--- a/arch/um/os-Linux/process.c
++++ b/arch/um/os-Linux/process.c
+@@ -223,57 +223,6 @@ int __init can_drop_memory(void)
+ return ok;
+ }
+
+-static int os_page_mincore(void *addr)
+-{
+- char vec[2];
+- int ret;
+-
+- ret = mincore(addr, UM_KERN_PAGE_SIZE, vec);
+- if (ret < 0) {
+- if (errno == ENOMEM || errno == EINVAL)
+- return 0;
+- else
+- return -errno;
+- }
+-
+- return vec[0] & 1;
+-}
+-
+-int os_mincore(void *addr, unsigned long len)
+-{
+- char *vec;
+- int ret, i;
+-
+- if (len <= UM_KERN_PAGE_SIZE)
+- return os_page_mincore(addr);
+-
+- vec = calloc(1, (len + UM_KERN_PAGE_SIZE - 1) / UM_KERN_PAGE_SIZE);
+- if (!vec)
+- return -ENOMEM;
+-
+- ret = mincore(addr, UM_KERN_PAGE_SIZE, vec);
+- if (ret < 0) {
+- if (errno == ENOMEM || errno == EINVAL)
+- ret = 0;
+- else
+- ret = -errno;
+-
+- goto out;
+- }
+-
+- for (i = 0; i < ((len + UM_KERN_PAGE_SIZE - 1) / UM_KERN_PAGE_SIZE); i++) {
+- if (!(vec[i] & 1)) {
+- ret = 0;
+- goto out;
+- }
+- }
+-
+- ret = 1;
+-out:
+- free(vec);
+- return ret;
+-}
+-
+ void init_new_thread_signals(void)
+ {
+ set_handler(SIGSEGV);
+--
+2.39.5
+
--- /dev/null
+From 3ff65fd11128a31d7f9a9e5f2751fc61c49442d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Mar 2025 16:49:47 +0200
+Subject: usb: xhci: correct debug message page size calculation
+
+From: Niklas Neronin <niklas.neronin@linux.intel.com>
+
+[ Upstream commit 55741c723318905e6d5161bf1e12749020b161e3 ]
+
+The ffs() function returns the index of the first set bit, starting from 1.
+If no bits are set, it returns zero. This behavior causes an off-by-one
+page size in the debug message, as the page size calculation [1]
+is zero-based, while ffs() is one-based.
+
+Fix this by subtracting one from the result of ffs(). Note that since
+variable 'val' is unsigned, subtracting one from zero will result in the
+maximum unsigned integer value. Consequently, the condition 'if (val < 16)'
+will still function correctly.
+
+[1], Page size: (2^(n+12)), where 'n' is the set page size bit.
+
+Fixes: 81720ec5320c ("usb: host: xhci: use ffs() in xhci_mem_init()")
+Signed-off-by: Niklas Neronin <niklas.neronin@linux.intel.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20250306144954.3507700-9-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci-mem.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
+index 27c924ddb68e6..09e7eabdb73f4 100644
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -2342,10 +2342,10 @@ int xhci_mem_init(struct xhci_hcd *xhci, gfp_t flags)
+ page_size = readl(&xhci->op_regs->page_size);
+ xhci_dbg_trace(xhci, trace_xhci_dbg_init,
+ "Supported page size register = 0x%x", page_size);
+- i = ffs(page_size);
+- if (i < 16)
++ val = ffs(page_size) - 1;
++ if (val < 16)
+ xhci_dbg_trace(xhci, trace_xhci_dbg_init,
+- "Supported page size of %iK", (1 << (i+12)) / 1024);
++ "Supported page size of %iK", (1 << (val + 12)) / 1024);
+ else
+ xhci_warn(xhci, "WARN: no supported page size\n");
+ /* Use 4K pages, since that's common and the minimum the HC supports */
+--
+2.39.5
+
--- /dev/null
+From a01a07ce88435a81fd5cd3a0772ba6dc7e4152e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Mar 2025 15:15:28 +0100
+Subject: vsock: avoid timeout during connect() if the socket is closing
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+[ Upstream commit fccd2b711d9628c7ce0111d5e4938652101ee30a ]
+
+When a peer attempts to establish a connection, vsock_connect() contains
+a loop that waits for the state to be TCP_ESTABLISHED. However, the
+other peer can be fast enough to accept the connection and close it
+immediately, thus moving the state to TCP_CLOSING.
+
+When this happens, the peer in the vsock_connect() is properly woken up,
+but since the state is not TCP_ESTABLISHED, it goes back to sleep
+until the timeout expires, returning -ETIMEDOUT.
+
+If the socket state is TCP_CLOSING, waiting for the timeout is pointless.
+vsock_connect() can return immediately without errors or delay since the
+connection actually happened. The socket will be in a closing state,
+but this is not an issue, and subsequent calls will fail as expected.
+
+We discovered this issue while developing a test that accepts and
+immediately closes connections to stress the transport switch between
+two connect() calls, where the first one was interrupted by a signal
+(see Closes link).
+
+Reported-by: Luigi Leonardi <leonardi@redhat.com>
+Closes: https://lore.kernel.org/virtualization/bq6hxrolno2vmtqwcvb5bljfpb7mvwb3kohrvaed6auz5vxrfv@ijmd2f3grobn/
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Acked-by: Paolo Abeni <pabeni@redhat.com>
+Tested-by: Luigi Leonardi <leonardi@redhat.com>
+Reviewed-by: Luigi Leonardi <leonardi@redhat.com>
+Link: https://patch.msgid.link/20250328141528.420719-1-sgarzare@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/af_vsock.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
+index e78c9209e0b45..a2271da346d34 100644
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1437,7 +1437,11 @@ static int vsock_connect(struct socket *sock, struct sockaddr *addr,
+ timeout = vsk->connect_timeout;
+ prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
+
+- while (sk->sk_state != TCP_ESTABLISHED && sk->sk_err == 0) {
++ /* If the socket is already closing or it is in an error state, there
++ * is no point in waiting.
++ */
++ while (sk->sk_state != TCP_ESTABLISHED &&
++ sk->sk_state != TCP_CLOSING && sk->sk_err == 0) {
+ if (flags & O_NONBLOCK) {
+ /* If we're not going to block, we schedule a timeout
+ * function to generate a timeout on the connection
+--
+2.39.5
+
--- /dev/null
+From 5b127ef1f447c0767ac4c2411011c623736e6560 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Feb 2025 11:41:08 -0600
+Subject: watch_queue: fix pipe accounting mismatch
+
+From: Eric Sandeen <sandeen@redhat.com>
+
+[ Upstream commit f13abc1e8e1a3b7455511c4e122750127f6bc9b0 ]
+
+Currently, watch_queue_set_size() modifies the pipe buffers charged to
+user->pipe_bufs without updating the pipe->nr_accounted on the pipe
+itself, due to the if (!pipe_has_watch_queue()) test in
+pipe_resize_ring(). This means that when the pipe is ultimately freed,
+we decrement user->pipe_bufs by something other than what than we had
+charged to it, potentially leading to an underflow. This in turn can
+cause subsequent too_many_pipe_buffers_soft() tests to fail with -EPERM.
+
+To remedy this, explicitly account for the pipe usage in
+watch_queue_set_size() to match the number set via account_pipe_buffers()
+
+(It's unclear why watch_queue_set_size() does not update nr_accounted;
+it may be due to intentional overprovisioning in watch_queue_set_size()?)
+
+Fixes: e95aada4cb93d ("pipe: wakeup wr_wait after setting max_usage")
+Signed-off-by: Eric Sandeen <sandeen@redhat.com>
+Link: https://lore.kernel.org/r/206682a8-0604-49e5-8224-fdbe0c12b460@redhat.com
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/watch_queue.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/kernel/watch_queue.c b/kernel/watch_queue.c
+index 442bb92212f2a..a72ea1c2f59fe 100644
+--- a/kernel/watch_queue.c
++++ b/kernel/watch_queue.c
+@@ -270,6 +270,15 @@ long watch_queue_set_size(struct pipe_inode_info *pipe, unsigned int nr_notes)
+ if (ret < 0)
+ goto error;
+
++ /*
++ * pipe_resize_ring() does not update nr_accounted for watch_queue
++ * pipes, because the above vastly overprovisions. Set nr_accounted on
++ * and max_usage this pipe to the number that was actually charged to
++ * the user above via account_pipe_buffers.
++ */
++ pipe->max_usage = nr_pages;
++ pipe->nr_accounted = nr_pages;
++
+ ret = -ENOMEM;
+ pages = kcalloc(sizeof(struct page *), nr_pages, GFP_KERNEL);
+ if (!pages)
+--
+2.39.5
+
--- /dev/null
+From 99fcfb81f693e8cb3d55c7fffce2f9c3c6257330 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Feb 2025 19:59:35 +0100
+Subject: wifi: brcmfmac: keep power during suspend if board requires it
+
+From: Matthias Proske <email@matthias-proske.de>
+
+[ Upstream commit 8c3170628a9ce24a59647bd24f897e666af919b8 ]
+
+After commit 92cadedd9d5f ("brcmfmac: Avoid keeping power to SDIO card
+unless WOWL is used"), the wifi adapter by default is turned off on
+suspend and then re-probed on resume.
+
+This conflicts with some embedded boards that require to remain powered.
+They will fail on resume with:
+
+brcmfmac: brcmf_sdio_bus_rxctl: resumed on timeout
+ieee80211 phy1: brcmf_bus_started: failed: -110
+ieee80211 phy1: brcmf_attach: dongle is not responding: err=-110
+brcmfmac: brcmf_sdio_firmware_callback: brcmf_attach failed
+
+This commit checks for the Device Tree property 'cap-power-off-cards'.
+If this property is not set, it means that we do not have the capability
+to power off and should therefore remain powered.
+
+Signed-off-by: Matthias Proske <email@matthias-proske.de>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Link: https://patch.msgid.link/20250212185941.146958-2-email@matthias-proske.de
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../broadcom/brcm80211/brcmfmac/bcmsdh.c | 20 ++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
+index 9217e9f6e9076..7cd8ec6f515a4 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
+@@ -1151,6 +1151,7 @@ static int brcmf_ops_sdio_suspend(struct device *dev)
+ struct brcmf_bus *bus_if;
+ struct brcmf_sdio_dev *sdiodev;
+ mmc_pm_flag_t sdio_flags;
++ bool cap_power_off;
+ int ret = 0;
+
+ func = container_of(dev, struct sdio_func, dev);
+@@ -1158,19 +1159,23 @@ static int brcmf_ops_sdio_suspend(struct device *dev)
+ if (func->num != 1)
+ return 0;
+
++ cap_power_off = !!(func->card->host->caps & MMC_CAP_POWER_OFF_CARD);
+
+ bus_if = dev_get_drvdata(dev);
+ sdiodev = bus_if->bus_priv.sdio;
+
+- if (sdiodev->wowl_enabled) {
++ if (sdiodev->wowl_enabled || !cap_power_off) {
+ brcmf_sdiod_freezer_on(sdiodev);
+ brcmf_sdio_wd_timer(sdiodev->bus, 0);
+
+ sdio_flags = MMC_PM_KEEP_POWER;
+- if (sdiodev->settings->bus.sdio.oob_irq_supported)
+- enable_irq_wake(sdiodev->settings->bus.sdio.oob_irq_nr);
+- else
+- sdio_flags |= MMC_PM_WAKE_SDIO_IRQ;
++
++ if (sdiodev->wowl_enabled) {
++ if (sdiodev->settings->bus.sdio.oob_irq_supported)
++ enable_irq_wake(sdiodev->settings->bus.sdio.oob_irq_nr);
++ else
++ sdio_flags |= MMC_PM_WAKE_SDIO_IRQ;
++ }
+
+ if (sdio_set_host_pm_flags(sdiodev->func1, sdio_flags))
+ brcmf_err("Failed to set pm_flags %x\n", sdio_flags);
+@@ -1192,18 +1197,19 @@ static int brcmf_ops_sdio_resume(struct device *dev)
+ struct brcmf_sdio_dev *sdiodev = bus_if->bus_priv.sdio;
+ struct sdio_func *func = container_of(dev, struct sdio_func, dev);
+ int ret = 0;
++ bool cap_power_off = !!(func->card->host->caps & MMC_CAP_POWER_OFF_CARD);
+
+ brcmf_dbg(SDIO, "Enter: F%d\n", func->num);
+ if (func->num != 2)
+ return 0;
+
+- if (!sdiodev->wowl_enabled) {
++ if (!sdiodev->wowl_enabled && cap_power_off) {
+ /* bus was powered off and device removed, probe again */
+ ret = brcmf_sdiod_probe(sdiodev);
+ if (ret)
+ brcmf_err("Failed to probe device on resume\n");
+ } else {
+- if (sdiodev->settings->bus.sdio.oob_irq_supported)
++ if (sdiodev->wowl_enabled && sdiodev->settings->bus.sdio.oob_irq_supported)
+ disable_irq_wake(sdiodev->settings->bus.sdio.oob_irq_nr);
+
+ brcmf_sdiod_freezer_off(sdiodev);
+--
+2.39.5
+
--- /dev/null
+From f067c0c654bcc339468077c9a68033b864b99a90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 9 Feb 2025 14:34:45 +0200
+Subject: wifi: iwlwifi: fw: allocate chained SG tables for dump
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 7774e3920029398ad49dc848b23840593f14d515 ]
+
+The firmware dumps can be pretty big, and since we use single
+pages for each SG table entry, even the table itself may end
+up being an order-5 allocation. Build chained tables so that
+we need not allocate a higher-order table here.
+
+This could be improved and cleaned up, e.g. by using the SG
+pool code or simply kvmalloc(), but all of that would require
+also updating the devcoredump first since that frees it all,
+so we need to be more careful. SG pool might also run against
+the CONFIG_ARCH_NO_SG_CHAIN limitation, which is irrelevant
+here.
+
+Also use _devcd_free_sgtable() for the error paths now, much
+simpler especially since it's in two places now.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20250209143303.697c7a465ac9.Iea982df46b5c075bfb77ade36f187d99a70c63db@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/fw/dbg.c | 86 ++++++++++++++-------
+ 1 file changed, 58 insertions(+), 28 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
+index 7fadaec777cea..4c5dbd8248e7b 100644
+--- a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
++++ b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c
+@@ -559,41 +559,71 @@ static void iwl_dump_prph(struct iwl_fw_runtime *fwrt,
+ }
+
+ /*
+- * alloc_sgtable - allocates scallerlist table in the given size,
+- * fills it with pages and returns it
++ * alloc_sgtable - allocates (chained) scatterlist in the given size,
++ * fills it with pages and returns it
+ * @size: the size (in bytes) of the table
+-*/
+-static struct scatterlist *alloc_sgtable(int size)
++ */
++static struct scatterlist *alloc_sgtable(ssize_t size)
+ {
+- int alloc_size, nents, i;
+- struct page *new_page;
+- struct scatterlist *iter;
+- struct scatterlist *table;
++ struct scatterlist *result = NULL, *prev;
++ int nents, i, n_prev;
+
+ nents = DIV_ROUND_UP(size, PAGE_SIZE);
+- table = kcalloc(nents, sizeof(*table), GFP_KERNEL);
+- if (!table)
+- return NULL;
+- sg_init_table(table, nents);
+- iter = table;
+- for_each_sg(table, iter, sg_nents(table), i) {
+- new_page = alloc_page(GFP_KERNEL);
+- if (!new_page) {
+- /* release all previous allocated pages in the table */
+- iter = table;
+- for_each_sg(table, iter, sg_nents(table), i) {
+- new_page = sg_page(iter);
+- if (new_page)
+- __free_page(new_page);
+- }
+- kfree(table);
++
++#define N_ENTRIES_PER_PAGE (PAGE_SIZE / sizeof(*result))
++ /*
++ * We need an additional entry for table chaining,
++ * this ensures the loop can finish i.e. we can
++ * fit at least two entries per page (obviously,
++ * many more really fit.)
++ */
++ BUILD_BUG_ON(N_ENTRIES_PER_PAGE < 2);
++
++ while (nents > 0) {
++ struct scatterlist *new, *iter;
++ int n_fill, n_alloc;
++
++ if (nents <= N_ENTRIES_PER_PAGE) {
++ /* last needed table */
++ n_fill = nents;
++ n_alloc = nents;
++ nents = 0;
++ } else {
++ /* fill a page with entries */
++ n_alloc = N_ENTRIES_PER_PAGE;
++ /* reserve one for chaining */
++ n_fill = n_alloc - 1;
++ nents -= n_fill;
++ }
++
++ new = kcalloc(n_alloc, sizeof(*new), GFP_KERNEL);
++ if (!new) {
++ if (result)
++ _devcd_free_sgtable(result);
+ return NULL;
+ }
+- alloc_size = min_t(int, size, PAGE_SIZE);
+- size -= PAGE_SIZE;
+- sg_set_page(iter, new_page, alloc_size, 0);
++ sg_init_table(new, n_alloc);
++
++ if (!result)
++ result = new;
++ else
++ sg_chain(prev, n_prev, new);
++ prev = new;
++ n_prev = n_alloc;
++
++ for_each_sg(new, iter, n_fill, i) {
++ struct page *new_page = alloc_page(GFP_KERNEL);
++
++ if (!new_page) {
++ _devcd_free_sgtable(result);
++ return NULL;
++ }
++
++ sg_set_page(iter, new_page, PAGE_SIZE, 0);
++ }
+ }
+- return table;
++
++ return result;
+ }
+
+ static void iwl_fw_get_prph_len(struct iwl_fw_runtime *fwrt,
+--
+2.39.5
+
--- /dev/null
+From ced474b1da2f2c5f57983882f12818be4dfe957b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 9 Feb 2025 14:34:50 +0200
+Subject: wifi: iwlwifi: mvm: use the right version of the rate API
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+[ Upstream commit a03e2082e678ea10d0d8bdf3ed933eb05a8ddbb0 ]
+
+The firmware uses the newer version of the API in recent devices. For
+older devices, we translate the rate to the new format.
+Don't parse the rate with old parsing macros.
+
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Reviewed-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20250209143303.13d70cdcbb4e.Ic92193bce4013b70a823cfef250ee79c16cf7c17@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
+index 105f283b777d2..fce8950007bbb 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
+@@ -1272,7 +1272,7 @@ iwl_mvm_decode_he_phy_ru_alloc(struct iwl_mvm_rx_phy_data *phy_data,
+ */
+ u8 ru = le32_get_bits(phy_data->d1, IWL_RX_PHY_DATA1_HE_RU_ALLOC_MASK);
+ u32 rate_n_flags = phy_data->rate_n_flags;
+- u32 he_type = rate_n_flags & RATE_MCS_HE_TYPE_MSK_V1;
++ u32 he_type = rate_n_flags & RATE_MCS_HE_TYPE_MSK;
+ u8 offs = 0;
+
+ rx_status->bw = RATE_INFO_BW_HE_RU;
+@@ -1327,13 +1327,13 @@ iwl_mvm_decode_he_phy_ru_alloc(struct iwl_mvm_rx_phy_data *phy_data,
+
+ if (he_mu)
+ he_mu->flags2 |=
+- le16_encode_bits(FIELD_GET(RATE_MCS_CHAN_WIDTH_MSK_V1,
++ le16_encode_bits(FIELD_GET(RATE_MCS_CHAN_WIDTH_MSK,
+ rate_n_flags),
+ IEEE80211_RADIOTAP_HE_MU_FLAGS2_BW_FROM_SIG_A_BW);
+- else if (he_type == RATE_MCS_HE_TYPE_TRIG_V1)
++ else if (he_type == RATE_MCS_HE_TYPE_TRIG)
+ he->data6 |=
+ cpu_to_le16(IEEE80211_RADIOTAP_HE_DATA6_TB_PPDU_BW_KNOWN) |
+- le16_encode_bits(FIELD_GET(RATE_MCS_CHAN_WIDTH_MSK_V1,
++ le16_encode_bits(FIELD_GET(RATE_MCS_CHAN_WIDTH_MSK,
+ rate_n_flags),
+ IEEE80211_RADIOTAP_HE_DATA6_TB_PPDU_BW);
+ }
+--
+2.39.5
+
--- /dev/null
+From 479b966c9a5590a63494aa23395a2c3327f88443 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Mar 2025 03:01:23 +0100
+Subject: x86/dumpstack: Fix inaccurate unwinding from exception stacks due to
+ misplaced assignment
+
+From: Jann Horn <jannh@google.com>
+
+[ Upstream commit 2c118f50d7fd4d9aefc4533a26f83338b2906b7a ]
+
+Commit:
+
+ 2e4be0d011f2 ("x86/show_trace_log_lvl: Ensure stack pointer is aligned, again")
+
+was intended to ensure alignment of the stack pointer; but it also moved
+the initialization of the "stack" variable down into the loop header.
+
+This was likely intended as a no-op cleanup, since the commit
+message does not mention it; however, this caused a behavioral change
+because the value of "regs" is different between the two places.
+
+Originally, get_stack_pointer() used the regs provided by the caller; after
+that commit, get_stack_pointer() instead uses the regs at the top of the
+stack frame the unwinder is looking at. Often, there are no such regs at
+all, and "regs" is NULL, causing get_stack_pointer() to fall back to the
+task's current stack pointer, which is not what we want here, but probably
+happens to mostly work. Other times, the original regs will point to
+another regs frame - in that case, the linear guess unwind logic in
+show_trace_log_lvl() will start unwinding too far up the stack, causing the
+first frame found by the proper unwinder to never be visited, resulting in
+a stack trace consisting purely of guess lines.
+
+Fix it by moving the "stack = " assignment back where it belongs.
+
+Fixes: 2e4be0d011f2 ("x86/show_trace_log_lvl: Ensure stack pointer is aligned, again")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Link: https://lore.kernel.org/r/20250325-2025-03-unwind-fixes-v1-2-acd774364768@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/dumpstack.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/kernel/dumpstack.c b/arch/x86/kernel/dumpstack.c
+index f18ca44c904b7..52dc5839d1e8e 100644
+--- a/arch/x86/kernel/dumpstack.c
++++ b/arch/x86/kernel/dumpstack.c
+@@ -195,6 +195,7 @@ static void show_trace_log_lvl(struct task_struct *task, struct pt_regs *regs,
+ printk("%sCall Trace:\n", log_lvl);
+
+ unwind_start(&state, task, regs, stack);
++ stack = stack ?: get_stack_pointer(task, regs);
+ regs = unwind_get_entry_regs(&state, &partial);
+
+ /*
+@@ -213,9 +214,7 @@ static void show_trace_log_lvl(struct task_struct *task, struct pt_regs *regs,
+ * - hardirq stack
+ * - entry stack
+ */
+- for (stack = stack ?: get_stack_pointer(task, regs);
+- stack;
+- stack = stack_info.next_sp) {
++ for (; stack; stack = stack_info.next_sp) {
+ const char *stack_name;
+
+ stack = PTR_ALIGN(stack, sizeof(long));
+--
+2.39.5
+
--- /dev/null
+From 3a447a17457542ae28406f25315571781abc9445 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Mar 2025 03:01:22 +0100
+Subject: x86/entry: Fix ORC unwinder for PUSH_REGS with save_ret=1
+
+From: Jann Horn <jannh@google.com>
+
+[ Upstream commit 57e2428f8df8263275344566e02c277648a4b7f1 ]
+
+PUSH_REGS with save_ret=1 is used by interrupt entry helper functions that
+initially start with a UNWIND_HINT_FUNC ORC state.
+
+However, save_ret=1 means that we clobber the helper function's return
+address (and then later restore the return address further down on the
+stack); after that point, the only thing on the stack we can unwind through
+is the IRET frame, so use UNWIND_HINT_IRET_REGS until we have a full
+pt_regs frame.
+
+( An alternate approach would be to move the pt_regs->di overwrite down
+ such that it is the final step of pt_regs setup; but I don't want to
+ rearrange entry code just to make unwinding a tiny bit more elegant. )
+
+Fixes: 9e809d15d6b6 ("x86/entry: Reduce the code footprint of the 'idtentry' macro")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Juergen Gross <jgross@suse.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Link: https://lore.kernel.org/r/20250325-2025-03-unwind-fixes-v1-1-acd774364768@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/entry/calling.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/x86/entry/calling.h b/arch/x86/entry/calling.h
+index f6907627172ba..01e9593e2bd95 100644
+--- a/arch/x86/entry/calling.h
++++ b/arch/x86/entry/calling.h
+@@ -70,6 +70,8 @@ For 32-bit we have the following conventions - kernel is built with
+ pushq %rsi /* pt_regs->si */
+ movq 8(%rsp), %rsi /* temporarily store the return address in %rsi */
+ movq %rdi, 8(%rsp) /* pt_regs->di (overwriting original return address) */
++ /* We just clobbered the return address - use the IRET frame for unwinding: */
++ UNWIND_HINT_IRET_REGS offset=3*8
+ .else
+ pushq %rdi /* pt_regs->di */
+ pushq %rsi /* pt_regs->si */
+--
+2.39.5
+
--- /dev/null
+From 6dc847b5e64b2a3393c34583c1e6126fa6d68871 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Feb 2025 14:31:36 +0100
+Subject: x86/fpu: Avoid copying dynamic FP state from init_task in
+ arch_dup_task_struct()
+
+From: Benjamin Berg <benjamin.berg@intel.com>
+
+[ Upstream commit 5d3b81d4d8520efe888536b6906dc10fd1a228a8 ]
+
+The init_task instance of struct task_struct is statically allocated and
+may not contain the full FP state for userspace. As such, limit the copy
+to the valid area of both init_task and 'dst' and ensure all memory is
+initialized.
+
+Note that the FP state is only needed for userspace, and as such it is
+entirely reasonable for init_task to not contain parts of it.
+
+Fixes: 5aaeb5c01c5b ("x86/fpu, sched: Introduce CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT and use it on x86")
+Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Link: https://lore.kernel.org/r/20250226133136.816901-1-benjamin@sipsolutions.net
+----
+
+v2:
+- Fix code if arch_task_struct_size < sizeof(init_task) by using
+ memcpy_and_pad.
+
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/process.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
+index acc83738bf5b4..24c237c571980 100644
+--- a/arch/x86/kernel/process.c
++++ b/arch/x86/kernel/process.c
+@@ -87,7 +87,12 @@ EXPORT_PER_CPU_SYMBOL_GPL(__tss_limit_invalid);
+ */
+ int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src)
+ {
+- memcpy(dst, src, arch_task_struct_size);
++ /* init_task is not dynamically sized (incomplete FPU state) */
++ if (unlikely(src == &init_task))
++ memcpy_and_pad(dst, arch_task_struct_size, src, sizeof(init_task), 0);
++ else
++ memcpy(dst, src, arch_task_struct_size);
++
+ #ifdef CONFIG_VM86
+ dst->thread.vm86 = NULL;
+ #endif
+--
+2.39.5
+
--- /dev/null
+From eaa959b1aea1545c313988cdd6ad87df95737a54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Feb 2025 14:10:45 +0000
+Subject: x86/fpu: Fix guest FPU state buffer allocation size
+
+From: Stanislav Spassov <stanspas@amazon.de>
+
+[ Upstream commit 1937e18cc3cf27e2b3ef70e8c161437051ab7608 ]
+
+Ongoing work on an optimization to batch-preallocate vCPU state buffers
+for KVM revealed a mismatch between the allocation sizes used in
+fpu_alloc_guest_fpstate() and fpstate_realloc(). While the former
+allocates a buffer sized to fit the default set of XSAVE features
+in UABI form (as per fpu_user_cfg), the latter uses its ksize argument
+derived (for the requested set of features) in the same way as the sizes
+found in fpu_kernel_cfg, i.e. using the compacted in-kernel
+representation.
+
+The correct size to use for guest FPU state should indeed be the
+kernel one as seen in fpstate_realloc(). The original issue likely
+went unnoticed through a combination of UABI size typically being
+larger than or equal to kernel size, and/or both amounting to the
+same number of allocated 4K pages.
+
+Fixes: 69f6ed1d14c6 ("x86/fpu: Provide infrastructure for KVM FPU cleanup")
+Signed-off-by: Stanislav Spassov <stanspas@amazon.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Link: https://lore.kernel.org/r/20250218141045.85201-1-stanspas@amazon.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/fpu/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/fpu/core.c b/arch/x86/kernel/fpu/core.c
+index f1446f532b17b..cbaa3afdd223f 100644
+--- a/arch/x86/kernel/fpu/core.c
++++ b/arch/x86/kernel/fpu/core.c
+@@ -220,7 +220,7 @@ bool fpu_alloc_guest_fpstate(struct fpu_guest *gfpu)
+ struct fpstate *fpstate;
+ unsigned int size;
+
+- size = fpu_user_cfg.default_size + ALIGN(offsetof(struct fpstate, regs), 64);
++ size = fpu_kernel_cfg.default_size + ALIGN(offsetof(struct fpstate, regs), 64);
+ fpstate = vzalloc(size);
+ if (!fpstate)
+ return false;
+--
+2.39.5
+
--- /dev/null
+From e5f273b67866a2d3c10fe751f52c00848d1cf40d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Mar 2025 22:06:11 +0800
+Subject: x86/fpu/xstate: Fix inconsistencies in guest FPU xfeatures
+
+From: Chao Gao <chao.gao@intel.com>
+
+[ Upstream commit dda366083e5ff307a4a728757db874bbfe7550be ]
+
+Guest FPUs manage vCPU FPU states. They are allocated via
+fpu_alloc_guest_fpstate() and are resized in fpstate_realloc() when XFD
+features are enabled.
+
+Since the introduction of guest FPUs, there have been inconsistencies in
+the kernel buffer size and xfeatures:
+
+ 1. fpu_alloc_guest_fpstate() uses fpu_user_cfg since its introduction. See:
+
+ 69f6ed1d14c6 ("x86/fpu: Provide infrastructure for KVM FPU cleanup")
+ 36487e6228c4 ("x86/fpu: Prepare guest FPU for dynamically enabled FPU features")
+
+ 2. __fpstate_reset() references fpu_kernel_cfg to set storage attributes.
+
+ 3. fpu->guest_perm uses fpu_kernel_cfg, affecting fpstate_realloc().
+
+A recent commit in the tip:x86/fpu tree partially addressed the inconsistency
+between (1) and (3) by using fpu_kernel_cfg for size calculation in (1),
+but left fpu_guest->xfeatures and fpu_guest->perm still referencing
+fpu_user_cfg:
+
+ https://lore.kernel.org/all/20250218141045.85201-1-stanspas@amazon.de/
+
+ 1937e18cc3cf ("x86/fpu: Fix guest FPU state buffer allocation size")
+
+The inconsistencies within fpu_alloc_guest_fpstate() and across the
+mentioned functions cause confusion.
+
+Fix them by using fpu_kernel_cfg consistently in fpu_alloc_guest_fpstate(),
+except for fields related to the UABI buffer. Referencing fpu_kernel_cfg
+won't impact functionalities, as:
+
+ 1. fpu_guest->perm is overwritten shortly in fpu_init_guest_permissions()
+ with fpstate->guest_perm, which already uses fpu_kernel_cfg.
+
+ 2. fpu_guest->xfeatures is solely used to check if XFD features are enabled.
+ Including supervisor xfeatures doesn't affect the check.
+
+Fixes: 36487e6228c4 ("x86/fpu: Prepare guest FPU for dynamically enabled FPU features")
+Suggested-by: Chang S. Bae <chang.seok.bae@intel.com>
+Signed-off-by: Chao Gao <chao.gao@intel.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Juergen Gross <jgross@suse.com>
+Cc: Stefano Stabellini <sstabellini@kernel.org>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Vitaly Kuznetsov <vkuznets@redhat.com>
+Cc: Sean Christopherson <seanjc@google.com>
+Cc: David Woodhouse <dwmw2@infradead.org>
+Link: https://lore.kernel.org/r/20250317140613.1761633-1-chao.gao@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/fpu/core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/fpu/core.c b/arch/x86/kernel/fpu/core.c
+index cbaa3afdd223f..80ba0f81a44a6 100644
+--- a/arch/x86/kernel/fpu/core.c
++++ b/arch/x86/kernel/fpu/core.c
+@@ -232,8 +232,8 @@ bool fpu_alloc_guest_fpstate(struct fpu_guest *gfpu)
+ fpstate->is_guest = true;
+
+ gfpu->fpstate = fpstate;
+- gfpu->xfeatures = fpu_user_cfg.default_features;
+- gfpu->perm = fpu_user_cfg.default_features;
++ gfpu->xfeatures = fpu_kernel_cfg.default_features;
++ gfpu->perm = fpu_kernel_cfg.default_features;
+
+ /*
+ * KVM sets the FP+SSE bits in the XSAVE header when copying FPU state
+--
+2.39.5
+
--- /dev/null
+From 9c5cd3a9c7a6e8382ff7b48e0d9d6e65829879e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 26 Jan 2025 09:47:25 +0200
+Subject: x86/mm/pat: cpa-test: fix length for CPA_ARRAY test
+
+From: Mike Rapoport (Microsoft) <rppt@kernel.org>
+
+[ Upstream commit 33ea120582a638b2f2e380a50686c2b1d7cce795 ]
+
+The CPA_ARRAY test always uses len[1] as numpages argument to
+change_page_attr_set() although the addresses array is different each
+iteration of the test loop.
+
+Replace len[1] with len[i] to have numpages matching the addresses array.
+
+Fixes: ecc729f1f471 ("x86/mm/cpa: Add ARRAY and PAGES_ARRAY selftests")
+Signed-off-by: "Mike Rapoport (Microsoft)" <rppt@kernel.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20250126074733.1384926-2-rppt@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/mm/pat/cpa-test.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/mm/pat/cpa-test.c b/arch/x86/mm/pat/cpa-test.c
+index 423b21e80929a..55ce39b6b1b09 100644
+--- a/arch/x86/mm/pat/cpa-test.c
++++ b/arch/x86/mm/pat/cpa-test.c
+@@ -183,7 +183,7 @@ static int pageattr_test(void)
+ break;
+
+ case 1:
+- err = change_page_attr_set(addrs, len[1], PAGE_CPA_TEST, 1);
++ err = change_page_attr_set(addrs, len[i], PAGE_CPA_TEST, 1);
+ break;
+
+ case 2:
+--
+2.39.5
+
--- /dev/null
+From 705251b22ce476ec215f6985ec693b1ef0f6e8ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Feb 2025 22:37:14 +0100
+Subject: x86/platform: Only allow CONFIG_EISA for 32-bit
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 976ba8da2f3c2f1e997f4f620da83ae65c0e3728 ]
+
+The CONFIG_EISA menu was cleaned up in 2018, but this inadvertently
+brought the option back on 64-bit machines: ISA remains guarded by
+a CONFIG_X86_32 check, but EISA no longer depends on ISA.
+
+The last Intel machines ith EISA support used a 82375EB PCI/EISA bridge
+from 1993 that could be paired with the 440FX chipset on early Pentium-II
+CPUs, long before the first x86-64 products.
+
+Fixes: 6630a8e50105 ("eisa: consolidate EISA Kconfig entry in drivers/eisa")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Link: https://lore.kernel.org/r/20250226213714.4040853-11-arnd@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index ca8dd7e5585f0..48ab6e8f2d1d4 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -208,7 +208,7 @@ config X86
+ select HAVE_SAMPLE_FTRACE_DIRECT_MULTI if X86_64
+ select HAVE_EBPF_JIT
+ select HAVE_EFFICIENT_UNALIGNED_ACCESS
+- select HAVE_EISA
++ select HAVE_EISA if X86_32
+ select HAVE_EXIT_THREAD
+ select HAVE_FAST_GUP
+ select HAVE_FENTRY if X86_64 || DYNAMIC_FTRACE
+--
+2.39.5
+
--- /dev/null
+From d55277a6ec557e87d105f37aced2b580ac6536cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Nov 2024 20:23:22 +0000
+Subject: x86/sev: Add missing RIP_REL_REF() invocations during sme_enable()
+
+From: Kevin Loughlin <kevinloughlin@google.com>
+
+[ Upstream commit 72dafb567760320f2de7447cd6e979bf9d4e5d17 ]
+
+The following commit:
+
+ 1c811d403afd ("x86/sev: Fix position dependent variable references in startup code")
+
+introduced RIP_REL_REF() to force RIP-relative accesses to global variables,
+as needed to prevent crashes during early SEV/SME startup code.
+
+For completeness, RIP_REL_REF() should be used with additional variables during
+sme_enable():
+
+ https://lore.kernel.org/all/CAMj1kXHnA0fJu6zh634=fbJswp59kSRAbhW+ubDGj1+NYwZJ-Q@mail.gmail.com/
+
+Access these vars with RIP_REL_REF() to prevent problem reoccurence.
+
+Fixes: 1c811d403afd ("x86/sev: Fix position dependent variable references in startup code")
+Signed-off-by: Kevin Loughlin <kevinloughlin@google.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
+Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Link: https://lore.kernel.org/r/20241122202322.977678-1-kevinloughlin@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/mm/mem_encrypt_identity.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/mm/mem_encrypt_identity.c b/arch/x86/mm/mem_encrypt_identity.c
+index f176098848749..839d8a4a1cd08 100644
+--- a/arch/x86/mm/mem_encrypt_identity.c
++++ b/arch/x86/mm/mem_encrypt_identity.c
+@@ -588,7 +588,7 @@ void __head sme_enable(struct boot_params *bp)
+
+ out:
+ RIP_REL_REF(sme_me_mask) = me_mask;
+- physical_mask &= ~me_mask;
+- cc_vendor = CC_VENDOR_AMD;
++ RIP_REL_REF(physical_mask) &= ~me_mask;
++ RIP_REL_REF(cc_vendor) = CC_VENDOR_AMD;
+ cc_set_mask(me_mask);
+ }
+--
+2.39.5
+
--- /dev/null
+From 060dbb71ad31a92a607469376ebddcf2ce6dacf6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 9 Mar 2025 18:22:16 +0100
+Subject: x86/sgx: Warn explicitly if X86_FEATURE_SGX_LC is not enabled
+
+From: Vladis Dronov <vdronov@redhat.com>
+
+[ Upstream commit 65be5c95d08eedda570a6c888a12384c77fe7614 ]
+
+The kernel requires X86_FEATURE_SGX_LC to be able to create SGX enclaves,
+not just X86_FEATURE_SGX.
+
+There is quite a number of hardware which has X86_FEATURE_SGX but not
+X86_FEATURE_SGX_LC. A kernel running on such hardware does not create
+the /dev/sgx_enclave file and does so silently.
+
+Explicitly warn if X86_FEATURE_SGX_LC is not enabled to properly notify
+users that the kernel disabled the SGX driver.
+
+The X86_FEATURE_SGX_LC, a.k.a. SGX Launch Control, is a CPU feature
+that enables LE (Launch Enclave) hash MSRs to be writable (with
+additional opt-in required in the 'feature control' MSR) when running
+enclaves, i.e. using a custom root key rather than the Intel proprietary
+key for enclave signing.
+
+I've hit this issue myself and have spent some time researching where
+my /dev/sgx_enclave file went on SGX-enabled hardware.
+
+Related links:
+
+ https://github.com/intel/linux-sgx/issues/837
+ https://patchwork.kernel.org/project/platform-driver-x86/patch/20180827185507.17087-3-jarkko.sakkinen@linux.intel.com/
+
+[ mingo: Made the error message a bit more verbose, and added other cases
+ where the kernel fails to create the /dev/sgx_enclave device node. ]
+
+Signed-off-by: Vladis Dronov <vdronov@redhat.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Acked-by: Kai Huang <kai.huang@intel.com>
+Cc: Jarkko Sakkinen <jarkko@kernel.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Sean Christopherson <sean.j.christopherson@intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20250309172215.21777-2-vdronov@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/sgx/driver.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/sgx/driver.c b/arch/x86/kernel/cpu/sgx/driver.c
+index aa9b8b8688676..afccb69cd9a2c 100644
+--- a/arch/x86/kernel/cpu/sgx/driver.c
++++ b/arch/x86/kernel/cpu/sgx/driver.c
+@@ -150,13 +150,15 @@ int __init sgx_drv_init(void)
+ u64 xfrm_mask;
+ int ret;
+
+- if (!cpu_feature_enabled(X86_FEATURE_SGX_LC))
++ if (!cpu_feature_enabled(X86_FEATURE_SGX_LC)) {
++ pr_info("SGX disabled: SGX launch control CPU feature is not available, /dev/sgx_enclave disabled.\n");
+ return -ENODEV;
++ }
+
+ cpuid_count(SGX_CPUID, 0, &eax, &ebx, &ecx, &edx);
+
+ if (!(eax & 1)) {
+- pr_err("SGX disabled: SGX1 instruction support not available.\n");
++ pr_info("SGX disabled: SGX1 instruction support not available, /dev/sgx_enclave disabled.\n");
+ return -ENODEV;
+ }
+
+@@ -173,8 +175,10 @@ int __init sgx_drv_init(void)
+ }
+
+ ret = misc_register(&sgx_dev_enclave);
+- if (ret)
++ if (ret) {
++ pr_info("SGX disabled: Unable to register the /dev/sgx_enclave driver (%d).\n", ret);
+ return ret;
++ }
+
+ return 0;
+ }
+--
+2.39.5
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
