--- /dev/null
+From 1834e864b53093eaed20538810146ff0736be0a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Mar 2025 13:57:16 +0200
+Subject: net: dsa: sja1105: fix kasan out-of-bounds warning in
+ sja1105_table_delete_entry()
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 5f2b28b79d2d1946ee36ad8b3dc0066f73c90481 ]
+
+There are actually 2 problems:
+- deleting the last element doesn't require the memmove of elements
+ [i + 1, end) over it. Actually, element i+1 is out of bounds.
+- The memmove itself should move size - i - 1 elements, because the last
+ element is out of bounds.
+
+The out-of-bounds element still remains out of bounds after being
+accessed, so the problem is only that we touch it, not that it becomes
+in active use. But I suppose it can lead to issues if the out-of-bounds
+element is part of an unmapped page.
+
+Fixes: 6666cebc5e30 ("net: dsa: sja1105: Add support for VLAN operations")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250318115716.2124395-4-vladimir.oltean@nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/sja1105/sja1105_static_config.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/dsa/sja1105/sja1105_static_config.c b/drivers/net/dsa/sja1105/sja1105_static_config.c
+index 139b7b4fbd0d5..a348705174fa5 100644
+--- a/drivers/net/dsa/sja1105/sja1105_static_config.c
++++ b/drivers/net/dsa/sja1105/sja1105_static_config.c
+@@ -1439,8 +1439,10 @@ int sja1105_table_delete_entry(struct sja1105_table *table, int i)
+ if (i > table->entry_count)
+ return -ERANGE;
+
+- memmove(entries + i * entry_size, entries + (i + 1) * entry_size,
+- (table->entry_count - i) * entry_size);
++ if (i + 1 < table->entry_count) {
++ memmove(entries + i * entry_size, entries + (i + 1) * entry_size,
++ (table->entry_count - i - 1) * entry_size);
++ }
+
+ table->entry_count--;
+
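Review bot: The range check kept as context above the new guard, `if (i > table->entry_count)`, still accepts `i == table->entry_count`, which is one past the last valid index. With the new `if (i + 1 < table->entry_count)` guard, that call skips the memmove but still reaches `table->entry_count--`, so it silently drops the last entry, and on an empty table it decrements a zero count. Consider tightening it to `if (i < 0 || i >= table->entry_count) return -ERANGE;`. The start of sja1105_table_delete_entry() is outside the hunk, so the type of `entry_count` should be confirmed first. The same applies to the second copy of this patch at `@@ -1921,8 +1921,10 @@`.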
+--
+2.53.0
+
s390-debug-reject-zero-length-input-before-trimming-.patch
selftests-lib.mk-also-install-config-and-settings.patch
revert-x86-vdso-fix-output-operand-size-of-rdpid.patch
+net-dsa-sja1105-fix-kasan-out-of-bounds-warning-in-s.patch
--- /dev/null
+From eeb417a5f448b68e4744682ab647e2db8a736188 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 May 2026 17:14:27 +0800
+Subject: KVM: x86: Acquire SRCU in KVM_GET_MP_STATE to protect guest memory
+ accesses
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit ef01cac401f18647d62720cf773d7bb0541827da upstream.
+
+Acquire a lock on kvm->srcu when userspace is getting MP state to handle a
+rather extreme edge case where "accepting" APIC events, i.e. processing
+pending INIT or SIPI, can trigger accesses to guest memory. If the vCPU
+is in L2 with INIT *and* a TRIPLE_FAULT request pending, then getting MP
+state will trigger a nested VM-Exit by way of ->check_nested_events(), and
+emulating the nested VM-Exit can access guest memory.
+
+The splat was originally hit by syzkaller on a Google-internal kernel, and
+reproduced on an upstream kernel by hacking the triple_fault_event_test
+selftest to stuff a pending INIT, store an MSR on VM-Exit (to generate a
+memory access on VMX), and do vcpu_mp_state_get() to trigger the scenario.
+
+ =============================
+ WARNING: suspicious RCU usage
+ 6.14.0-rc3-b112d356288b-vmx/pi_lockdep_false_pos-lock #3 Not tainted
+ -----------------------------
+ include/linux/kvm_host.h:1058 suspicious rcu_dereference_check() usage!
+
+ other info that might help us debug this:
+
+ rcu_scheduler_active = 2, debug_locks = 1
+ 1 lock held by triple_fault_ev/1256:
+ #0: ffff88810df5a330 (&vcpu->mutex){+.+.}-{4:4}, at: kvm_vcpu_ioctl+0x8b/0x9a0 [kvm]
+
+ stack backtrace:
+ CPU: 11 UID: 1000 PID: 1256 Comm: triple_fault_ev Not tainted 6.14.0-rc3-b112d356288b-vmx #3
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x7f/0x90
+ lockdep_rcu_suspicious+0x144/0x190
+ kvm_vcpu_gfn_to_memslot+0x156/0x180 [kvm]
+ kvm_vcpu_read_guest+0x3e/0x90 [kvm]
+ read_and_check_msr_entry+0x2e/0x180 [kvm_intel]
+ __nested_vmx_vmexit+0x550/0xde0 [kvm_intel]
+ kvm_check_nested_events+0x1b/0x30 [kvm]
+ kvm_apic_accept_events+0x33/0x100 [kvm]
+ kvm_arch_vcpu_ioctl_get_mpstate+0x30/0x1d0 [kvm]
+ kvm_vcpu_ioctl+0x33e/0x9a0 [kvm]
+ __x64_sys_ioctl+0x8b/0xb0
+ do_syscall_64+0x6c/0x170
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+ </TASK>
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-ID: <20250401150504.829812-1-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+[ Based on kernel 5.15 available functions, using srcu_read_lock/srcu_read_unlock instead of
+kvm_vcpu_srcu_read_lock/kvm_vcpu_srcu_read_unlock ]
+Signed-off-by: Rajani Kantha <681739313@139.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/x86.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index a22cd6c0eb0d4..bbfc8ccf4fcd9 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -10617,6 +10617,8 @@ int kvm_arch_vcpu_ioctl_get_mpstate(struct kvm_vcpu *vcpu,
+ if (kvm_mpx_supported())
+ kvm_load_guest_fpu(vcpu);
+
++ vcpu->srcu_idx = srcu_read_lock(&vcpu->kvm->srcu);
++
+ r = kvm_apic_accept_events(vcpu);
+ if (r < 0)
+ goto out;
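Review bot: Nothing at the new `srcu_read_lock()` call says why an ioctl that only reports MP state needs kvm->srcu, so a comment such as `/* kvm_apic_accept_events() may emulate a nested VM-Exit, which can read guest memory */` would keep the lock from being dropped as unnecessary later. The index is also stored in `vcpu->srcu_idx` rather than a local. That is presumably safe because vcpu->mutex is held, as the lockdep report in the commit message shows, but a local `int idx` would avoid sharing the field with other users, which is worth confirming against the rest of this tree. The matching `srcu_read_unlock()` is in the next hunk at the `out:` label, and the only `goto out` visible here comes after the lock is taken; the start of the function is outside the hunk.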
+@@ -10630,6 +10632,8 @@ int kvm_arch_vcpu_ioctl_get_mpstate(struct kvm_vcpu *vcpu,
+ mp_state->mp_state = vcpu->arch.mp_state;
+
+ out:
++ srcu_read_unlock(&vcpu->kvm->srcu, vcpu->srcu_idx);
++
+ if (kvm_mpx_supported())
+ kvm_put_guest_fpu(vcpu);
+ vcpu_put(vcpu);
+--
+2.53.0
+
--- /dev/null
+From 80e54a7e0738675e793e695aff4c8c87adbf2c87 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 May 2026 11:18:40 +0800
+Subject: net: dsa: sja1105: fix kasan out-of-bounds warning in
+ sja1105_table_delete_entry()
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 5f2b28b79d2d1946ee36ad8b3dc0066f73c90481 ]
+
+There are actually 2 problems:
+- deleting the last element doesn't require the memmove of elements
+ [i + 1, end) over it. Actually, element i+1 is out of bounds.
+- The memmove itself should move size - i - 1 elements, because the last
+ element is out of bounds.
+
+The out-of-bounds element still remains out of bounds after being
+accessed, so the problem is only that we touch it, not that it becomes
+in active use. But I suppose it can lead to issues if the out-of-bounds
+element is part of an unmapped page.
+
+Fixes: 6666cebc5e30 ("net: dsa: sja1105: Add support for VLAN operations")
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250318115716.2124395-4-vladimir.oltean@nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Rajani Kantha <681739313@139.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/sja1105/sja1105_static_config.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/dsa/sja1105/sja1105_static_config.c b/drivers/net/dsa/sja1105/sja1105_static_config.c
+index baba204ad62f6..2ac91fe2a79bc 100644
+--- a/drivers/net/dsa/sja1105/sja1105_static_config.c
++++ b/drivers/net/dsa/sja1105/sja1105_static_config.c
+@@ -1921,8 +1921,10 @@ int sja1105_table_delete_entry(struct sja1105_table *table, int i)
+ if (i > table->entry_count)
+ return -ERANGE;
+
+- memmove(entries + i * entry_size, entries + (i + 1) * entry_size,
+- (table->entry_count - i) * entry_size);
++ if (i + 1 < table->entry_count) {
++ memmove(entries + i * entry_size, entries + (i + 1) * entry_size,
++ (table->entry_count - i - 1) * entry_size);
++ }
+
+ table->entry_count--;
+
+--
+2.53.0
+
io_uring-prevent-opcode-speculation.patch
s390-debug-reject-zero-length-input-before-trimming-.patch
revert-x86-vdso-fix-output-operand-size-of-rdpid.patch
+net-dsa-sja1105-fix-kasan-out-of-bounds-warning-in-s.patch
+wifi-mac80211-check-tdls-flag-in-ieee80211_tdls_oper.patch
+kvm-x86-acquire-srcu-in-kvm_get_mp_state-to-protect-.patch
--- /dev/null
+From cb6b65960bc1236949c73f9d152343ce627ba612 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 May 2026 14:03:36 +0800
+Subject: wifi: mac80211: check tdls flag in ieee80211_tdls_oper
+
+From: Deepanshu Kartikey <kartikey406@gmail.com>
+
+[ Upstream commit 7d73872d949c488a1d7c308031d6a9d89b5e0a8b ]
+
+When NL80211_TDLS_ENABLE_LINK is called, the code only checks if the
+station exists but not whether it is actually a TDLS station. This
+allows the operation to proceed for non-TDLS stations, causing
+unintended side effects like modifying channel context and HT
+protection before failing.
+
+Add a check for sta->sta.tdls early in the ENABLE_LINK case, before
+any side effects occur, to ensure the operation is only allowed for
+actual TDLS peers.
+
+Reported-by: syzbot+56b6a844a4ea74487b7b@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=56b6a844a4ea74487b7b
+Tested-by: syzbot+56b6a844a4ea74487b7b@syzkaller.appspotmail.com
+Suggested-by: Johannes Berg <johannes@sipsolutions.net>
+Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
+Link: https://patch.msgid.link/20260313092417.520807-1-kartikey406@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Li hongliang <1468888505@139.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/tdls.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mac80211/tdls.c b/net/mac80211/tdls.c
+index c2d7479c119af..d25dfeb347f24 100644
+--- a/net/mac80211/tdls.c
++++ b/net/mac80211/tdls.c
+@@ -1380,7 +1380,7 @@ int ieee80211_tdls_oper(struct wiphy *wiphy, struct net_device *dev,
+
+ mutex_lock(&local->sta_mtx);
+ sta = sta_info_get(sdata, peer);
+- if (!sta) {
++ if (!sta || !sta->sta.tdls) {
+ mutex_unlock(&local->sta_mtx);
+ ret = -ENOLINK;
+ break;
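Review bot: The widened condition `if (!sta || !sta->sta.tdls)` carries an ordering requirement that the code does not state: the TDLS check has to stay ahead of the channel-context and HT-protection updates described in the commit message. A one-line comment above it, e.g. `/* reject non-TDLS stations before any state is touched */`, would make that explicit. Both failures return `-ENOLINK`, so callers cannot tell a missing station from a non-TDLS one, which may be intended. The enclosing switch case continues outside the hunk, and the same applies to the other copy of this patch at `@@ -1382,7 +1382,7 @@`.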
+--
+2.53.0
+
net-rds-reset-op_nents-when-zerocopy-page-pin-fails.patch
io_uring-prevent-opcode-speculation.patch
s390-debug-reject-zero-length-input-before-trimming-.patch
+wifi-mac80211-check-tdls-flag-in-ieee80211_tdls_oper.patch
--- /dev/null
+From c9cadc7f98fa5ef27d2684efa3ce9e4e72da49fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 May 2026 13:48:54 +0800
+Subject: wifi: mac80211: check tdls flag in ieee80211_tdls_oper
+
+From: Deepanshu Kartikey <kartikey406@gmail.com>
+
+[ Upstream commit 7d73872d949c488a1d7c308031d6a9d89b5e0a8b ]
+
+When NL80211_TDLS_ENABLE_LINK is called, the code only checks if the
+station exists but not whether it is actually a TDLS station. This
+allows the operation to proceed for non-TDLS stations, causing
+unintended side effects like modifying channel context and HT
+protection before failing.
+
+Add a check for sta->sta.tdls early in the ENABLE_LINK case, before
+any side effects occur, to ensure the operation is only allowed for
+actual TDLS peers.
+
+Reported-by: syzbot+56b6a844a4ea74487b7b@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=56b6a844a4ea74487b7b
+Tested-by: syzbot+56b6a844a4ea74487b7b@syzkaller.appspotmail.com
+Suggested-by: Johannes Berg <johannes@sipsolutions.net>
+Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
+Link: https://patch.msgid.link/20260313092417.520807-1-kartikey406@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Li hongliang <1468888505@139.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/tdls.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mac80211/tdls.c b/net/mac80211/tdls.c
+index 1f07b598a6a17..57bd4fc8d2375 100644
+--- a/net/mac80211/tdls.c
++++ b/net/mac80211/tdls.c
+@@ -1382,7 +1382,7 @@ int ieee80211_tdls_oper(struct wiphy *wiphy, struct net_device *dev,
+
+ mutex_lock(&local->sta_mtx);
+ sta = sta_info_get(sdata, peer);
+- if (!sta) {
++ if (!sta || !sta->sta.tdls) {
+ mutex_unlock(&local->sta_mtx);
+ ret = -ENOLINK;
+ break;
+--
+2.53.0
+
--- /dev/null
+From 1cf6917bdd1d2678c63ceae22e40b5903121fa79 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Mar 2026 23:30:00 -0700
+Subject: bridge: mrp: reject zero test interval to avoid OOM panic
+
+From: Xiang Mei <xmei5@asu.edu>
+
+[ Upstream commit fa6e24963342de4370e3a3c9af41e38277b74cf3 ]
+
+br_mrp_start_test() and br_mrp_start_in_test() accept the user-supplied
+interval value from netlink without validation. When interval is 0,
+usecs_to_jiffies(0) yields 0, causing the delayed work
+(br_mrp_test_work_expired / br_mrp_in_test_work_expired) to reschedule
+itself with zero delay. This creates a tight loop on system_percpu_wq
+that allocates and transmits MRP test frames at maximum rate, exhausting
+all system memory and causing a kernel panic via OOM deadlock.
+
+The same zero-interval issue applies to br_mrp_start_in_test_parse()
+for interconnect test frames.
+
+Use NLA_POLICY_MIN(NLA_U32, 1) in the nla_policy tables for both
+IFLA_BRIDGE_MRP_START_TEST_INTERVAL and
+IFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL, so zero is rejected at the
+netlink attribute parsing layer before the value ever reaches the
+workqueue scheduling code. This is consistent with how other bridge
+subsystems (br_fdb, br_mst) enforce range constraints on netlink
+attributes.
+
+Fixes: 20f6a05ef635 ("bridge: mrp: Rework the MRP netlink interface")
+Fixes: 7ab1748e4ce6 ("bridge: mrp: Extend MRP netlink interface for configuring MRP interconnect")
+Reported-by: Weiming Shi <bestswngs@gmail.com>
+Signed-off-by: Xiang Mei <xmei5@asu.edu>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20260328063000.1845376-1-xmei5@asu.edu
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_mrp_netlink.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/bridge/br_mrp_netlink.c b/net/bridge/br_mrp_netlink.c
+index ce6f63c77cc0a..86f0e75d6e345 100644
+--- a/net/bridge/br_mrp_netlink.c
++++ b/net/bridge/br_mrp_netlink.c
+@@ -196,7 +196,7 @@ static const struct nla_policy
+ br_mrp_start_test_policy[IFLA_BRIDGE_MRP_START_TEST_MAX + 1] = {
+ [IFLA_BRIDGE_MRP_START_TEST_UNSPEC] = { .type = NLA_REJECT },
+ [IFLA_BRIDGE_MRP_START_TEST_RING_ID] = { .type = NLA_U32 },
+- [IFLA_BRIDGE_MRP_START_TEST_INTERVAL] = { .type = NLA_U32 },
++ [IFLA_BRIDGE_MRP_START_TEST_INTERVAL] = NLA_POLICY_MIN(NLA_U32, 1),
+ [IFLA_BRIDGE_MRP_START_TEST_MAX_MISS] = { .type = NLA_U32 },
+ [IFLA_BRIDGE_MRP_START_TEST_PERIOD] = { .type = NLA_U32 },
+ [IFLA_BRIDGE_MRP_START_TEST_MONITOR] = { .type = NLA_U32 },
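Review bot: `NLA_POLICY_MIN(NLA_U32, 1)` on `IFLA_BRIDGE_MRP_START_TEST_INTERVAL` rejects only zero, so an interval of 1 is still accepted. If usecs_to_jiffies() rounds that up to a single jiffy, the test work re-arms on every tick, which is bounded but may still be much faster than the protocol needs. Whether a higher floor is appropriate depends on code outside this hunk and is worth checking. The entry would also benefit from a short comment such as `/* 0 would re-arm the test work with no delay */`, since the reason for the minimum is otherwise only in the commit message. The same applies to `IFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL` in the next hunk and to the second copy of this patch.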
+@@ -316,7 +316,7 @@ static const struct nla_policy
+ br_mrp_start_in_test_policy[IFLA_BRIDGE_MRP_START_IN_TEST_MAX + 1] = {
+ [IFLA_BRIDGE_MRP_START_IN_TEST_UNSPEC] = { .type = NLA_REJECT },
+ [IFLA_BRIDGE_MRP_START_IN_TEST_IN_ID] = { .type = NLA_U32 },
+- [IFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL] = { .type = NLA_U32 },
++ [IFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL] = NLA_POLICY_MIN(NLA_U32, 1),
+ [IFLA_BRIDGE_MRP_START_IN_TEST_MAX_MISS] = { .type = NLA_U32 },
+ [IFLA_BRIDGE_MRP_START_IN_TEST_PERIOD] = { .type = NLA_U32 },
+ };
+--
+2.53.0
+
revert-perf-tool_pmu-fix-aggregation-on-duration_tim.patch
revert-perf-python-add-parse_events-function.patch
revert-perf-tool_pmu-factor-tool-events-into-their-o.patch
+bridge-mrp-reject-zero-test-interval-to-avoid-oom-pa.patch
+spi-spi-dw-dma-fix-print-error-log-when-wait-finish-.patch
--- /dev/null
+From a4fd8a4cee6e9673f6f408b806b6635f68590a61 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Mar 2026 01:20:17 +0300
+Subject: spi: spi-dw-dma: fix print error log when wait finish transaction
+
+From: Vladimir Yakovlev <vovchkir@gmail.com>
+
+[ Upstream commit 3b46d61890632c8f8b117147b6923bff4b42ccb7 ]
+
+If an error occurs, the device may not have a current message. In this
+case, the system will crash.
+
+In this case, it's better to use dev from the struct ctlr (struct spi_controller*).
+
+Signed-off-by: Vladimir Yakovlev <vovchkir@gmail.com>
+Link: https://patch.msgid.link/20260302222017.992228-2-vovchkir@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-dw-dma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-dw-dma.c b/drivers/spi/spi-dw-dma.c
+index f4c209e5f52ba..4104e1bc2d5bd 100644
+--- a/drivers/spi/spi-dw-dma.c
++++ b/drivers/spi/spi-dw-dma.c
+@@ -271,7 +271,7 @@ static int dw_spi_dma_wait(struct dw_spi *dws, unsigned int len, u32 speed)
+ msecs_to_jiffies(ms));
+
+ if (ms == 0) {
+- dev_err(&dws->host->cur_msg->spi->dev,
++ dev_err(&dws->host->dev,
+ "DMA transaction timed out\n");
+ return -ETIMEDOUT;
+ }
+--
+2.53.0
+
--- /dev/null
+From 46344eb8ef1bc2f1314123b7ec47e04b484c5a75 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Mar 2026 23:30:00 -0700
+Subject: bridge: mrp: reject zero test interval to avoid OOM panic
+
+From: Xiang Mei <xmei5@asu.edu>
+
+[ Upstream commit fa6e24963342de4370e3a3c9af41e38277b74cf3 ]
+
+br_mrp_start_test() and br_mrp_start_in_test() accept the user-supplied
+interval value from netlink without validation. When interval is 0,
+usecs_to_jiffies(0) yields 0, causing the delayed work
+(br_mrp_test_work_expired / br_mrp_in_test_work_expired) to reschedule
+itself with zero delay. This creates a tight loop on system_percpu_wq
+that allocates and transmits MRP test frames at maximum rate, exhausting
+all system memory and causing a kernel panic via OOM deadlock.
+
+The same zero-interval issue applies to br_mrp_start_in_test_parse()
+for interconnect test frames.
+
+Use NLA_POLICY_MIN(NLA_U32, 1) in the nla_policy tables for both
+IFLA_BRIDGE_MRP_START_TEST_INTERVAL and
+IFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL, so zero is rejected at the
+netlink attribute parsing layer before the value ever reaches the
+workqueue scheduling code. This is consistent with how other bridge
+subsystems (br_fdb, br_mst) enforce range constraints on netlink
+attributes.
+
+Fixes: 20f6a05ef635 ("bridge: mrp: Rework the MRP netlink interface")
+Fixes: 7ab1748e4ce6 ("bridge: mrp: Extend MRP netlink interface for configuring MRP interconnect")
+Reported-by: Weiming Shi <bestswngs@gmail.com>
+Signed-off-by: Xiang Mei <xmei5@asu.edu>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20260328063000.1845376-1-xmei5@asu.edu
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_mrp_netlink.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/bridge/br_mrp_netlink.c b/net/bridge/br_mrp_netlink.c
+index ce6f63c77cc0a..86f0e75d6e345 100644
+--- a/net/bridge/br_mrp_netlink.c
++++ b/net/bridge/br_mrp_netlink.c
+@@ -196,7 +196,7 @@ static const struct nla_policy
+ br_mrp_start_test_policy[IFLA_BRIDGE_MRP_START_TEST_MAX + 1] = {
+ [IFLA_BRIDGE_MRP_START_TEST_UNSPEC] = { .type = NLA_REJECT },
+ [IFLA_BRIDGE_MRP_START_TEST_RING_ID] = { .type = NLA_U32 },
+- [IFLA_BRIDGE_MRP_START_TEST_INTERVAL] = { .type = NLA_U32 },
++ [IFLA_BRIDGE_MRP_START_TEST_INTERVAL] = NLA_POLICY_MIN(NLA_U32, 1),
+ [IFLA_BRIDGE_MRP_START_TEST_MAX_MISS] = { .type = NLA_U32 },
+ [IFLA_BRIDGE_MRP_START_TEST_PERIOD] = { .type = NLA_U32 },
+ [IFLA_BRIDGE_MRP_START_TEST_MONITOR] = { .type = NLA_U32 },
+@@ -316,7 +316,7 @@ static const struct nla_policy
+ br_mrp_start_in_test_policy[IFLA_BRIDGE_MRP_START_IN_TEST_MAX + 1] = {
+ [IFLA_BRIDGE_MRP_START_IN_TEST_UNSPEC] = { .type = NLA_REJECT },
+ [IFLA_BRIDGE_MRP_START_IN_TEST_IN_ID] = { .type = NLA_U32 },
+- [IFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL] = { .type = NLA_U32 },
++ [IFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL] = NLA_POLICY_MIN(NLA_U32, 1),
+ [IFLA_BRIDGE_MRP_START_IN_TEST_MAX_MISS] = { .type = NLA_U32 },
+ [IFLA_BRIDGE_MRP_START_IN_TEST_PERIOD] = { .type = NLA_U32 },
+ };
+--
+2.53.0
+
--- /dev/null
+From f9a9b1d1d6c4aa248e092aec50813a5c8cd1f592 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Feb 2026 16:16:17 -0800
+Subject: cxl/mbox: validate payload size before accessing contents in
+ cxl_payload_from_user_allowed()
+
+From: Davidlohr Bueso <dave@stgolabs.net>
+
+[ Upstream commit 60b5d1f68338aff2c5af0113f04aefa7169c50c2 ]
+
+cxl_payload_from_user_allowed() casts and dereferences the input
+payload without first verifying its size. When a raw mailbox command
+is sent with an undersized payload (ie: 1 byte for CXL_MBOX_OP_CLEAR_LOG,
+which expects a 16-byte UUID), uuid_equal() reads past the allocated buffer,
+triggering a KASAN splat:
+
+BUG: KASAN: slab-out-of-bounds in memcmp+0x176/0x1d0 lib/string.c:683
+Read of size 8 at addr ffff88810130f5c0 by task syz.1.62/2258
+
+CPU: 2 UID: 0 PID: 2258 Comm: syz.1.62 Not tainted 6.19.0-dirty #3 PREEMPT(voluntary)
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0xab/0xe0 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0xce/0x650 mm/kasan/report.c:482
+ kasan_report+0xce/0x100 mm/kasan/report.c:595
+ memcmp+0x176/0x1d0 lib/string.c:683
+ uuid_equal include/linux/uuid.h:73 [inline]
+ cxl_payload_from_user_allowed drivers/cxl/core/mbox.c:345 [inline]
+ cxl_mbox_cmd_ctor drivers/cxl/core/mbox.c:368 [inline]
+ cxl_validate_cmd_from_user drivers/cxl/core/mbox.c:522 [inline]
+ cxl_send_cmd+0x9c0/0xb50 drivers/cxl/core/mbox.c:643
+ __cxl_memdev_ioctl drivers/cxl/core/memdev.c:698 [inline]
+ cxl_memdev_ioctl+0x14f/0x190 drivers/cxl/core/memdev.c:713
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:597 [inline]
+ __se_sys_ioctl fs/ioctl.c:583 [inline]
+ __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xa8/0x330 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7fdaf331ba79
+Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fdaf1d77038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 00007fdaf3585fa0 RCX: 00007fdaf331ba79
+RDX: 00002000000001c0 RSI: 00000000c030ce02 RDI: 0000000000000003
+RBP: 00007fdaf33749df R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007fdaf3586038 R14: 00007fdaf3585fa0 R15: 00007ffced2af768
+ </TASK>
+
+Add 'in_size' parameter to cxl_payload_from_user_allowed() and validate
+the payload is large enough.
+
+Fixes: 6179045ccc0c ("cxl/mbox: Block immediate mode in SET_PARTITION_INFO command")
+Fixes: 206f9fa9d555 ("cxl/mbox: Add Clear Log mailbox command")
+Signed-off-by: Davidlohr Bueso <dave@stgolabs.net>
+Reviewed-by: Alison Schofield <alison.schofield@intel.com>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Link: https://patch.msgid.link/20260220001618.963490-2-dave@stgolabs.net
+Signed-off-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cxl/core/mbox.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/cxl/core/mbox.c b/drivers/cxl/core/mbox.c
+index fa6dd0c94656f..e7a6452bf5445 100644
+--- a/drivers/cxl/core/mbox.c
++++ b/drivers/cxl/core/mbox.c
+@@ -311,6 +311,7 @@ static bool cxl_mem_raw_command_allowed(u16 opcode)
+ * cxl_payload_from_user_allowed() - Check contents of in_payload.
+ * @opcode: The mailbox command opcode.
+ * @payload_in: Pointer to the input payload passed in from user space.
++ * @in_size: Size of @payload_in in bytes.
+ *
+ * Return:
+ * * true - payload_in passes check for @opcode.
+@@ -325,12 +326,15 @@ static bool cxl_mem_raw_command_allowed(u16 opcode)
+ *
+ * The specific checks are determined by the opcode.
+ */
+-static bool cxl_payload_from_user_allowed(u16 opcode, void *payload_in)
++static bool cxl_payload_from_user_allowed(u16 opcode, void *payload_in,
++ size_t in_size)
+ {
+ switch (opcode) {
+ case CXL_MBOX_OP_SET_PARTITION_INFO: {
+ struct cxl_mbox_set_partition_info *pi = payload_in;
+
++ if (in_size < sizeof(*pi))
++ return false;
+ if (pi->flags & CXL_SET_PARTITION_IMMEDIATE_FLAG)
+ return false;
+ break;
+@@ -338,6 +342,8 @@ static bool cxl_payload_from_user_allowed(u16 opcode, void *payload_in)
+ case CXL_MBOX_OP_CLEAR_LOG: {
+ const uuid_t *uuid = (uuid_t *)payload_in;
+
++ if (in_size < sizeof(uuid_t))
++ return false;
+ /*
+ * Restrict the ‘Clear log’ action to only apply to
+ * Vendor debug logs.
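Review bot: The two new size checks are written differently: the SET_PARTITION_INFO case uses `sizeof(*pi)` while this one uses `sizeof(uuid_t)`. Using `if (in_size < sizeof(*uuid))` here would keep the bound tied to the pointer that is dereferenced below, so the check cannot drift if the payload type changes. The rest of the CLEAR_LOG case, including the uuid_equal() call that the check protects, is outside the hunk.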
+@@ -365,7 +371,8 @@ static int cxl_mbox_cmd_ctor(struct cxl_mbox_cmd *mbox_cmd,
+ if (IS_ERR(mbox_cmd->payload_in))
+ return PTR_ERR(mbox_cmd->payload_in);
+
+- if (!cxl_payload_from_user_allowed(opcode, mbox_cmd->payload_in)) {
++ if (!cxl_payload_from_user_allowed(opcode, mbox_cmd->payload_in,
++ in_size)) {
+ dev_dbg(cxl_mbox->host, "%s: input payload not allowed\n",
+ cxl_mem_opcode_to_name(opcode));
+ kvfree(mbox_cmd->payload_in);
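Review bot: The validator now receives `in_size`, but the condition surrounding this call site is outside the hunk. If the copy-in and this call are reached only when `in_size` is non-zero, a zero-length payload never goes through `cxl_payload_from_user_allowed()`. It is worth confirming that an empty payload for these opcodes is rejected elsewhere, or calling the validator unconditionally so that the `in_size < sizeof(...)` checks also cover zero. cxl_mbox_cmd_ctor() starts and ends outside the hunk.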
+--
+2.53.0
+
--- /dev/null
+From 4d97f44585dc6ff65f2e729f113dc126a90818eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Mar 2026 16:45:40 +0100
+Subject: sched/deadline: Fix missing ENQUEUE_REPLENISH during PI de-boosting
+
+From: Juri Lelli <juri.lelli@redhat.com>
+
+[ Upstream commit d658686a1331db3bb108ca079d76deb3208ed949 ]
+
+Running stress-ng --schedpolicy 0 on an RT kernel on a big machine
+might lead to the following WARNINGs (edited).
+
+ sched: DL de-boosted task PID 22725: REPLENISH flag missing
+
+ WARNING: CPU: 93 PID: 0 at kernel/sched/deadline.c:239 dequeue_task_dl+0x15c/0x1f8
+ ... (running_bw underflow)
+ Call trace:
+ dequeue_task_dl+0x15c/0x1f8 (P)
+ dequeue_task+0x80/0x168
+ deactivate_task+0x24/0x50
+ push_dl_task+0x264/0x2e0
+ dl_task_timer+0x1b0/0x228
+ __hrtimer_run_queues+0x188/0x378
+ hrtimer_interrupt+0xfc/0x260
+ ...
+
+The problem is that when a SCHED_DEADLINE task (lock holder) is
+changed to a lower priority class via sched_setscheduler(), it may
+fail to properly inherit the parameters of potential DEADLINE donors
+if it didn't already inherit them in the past (shorter deadline than
+donor's at that time). This might lead to bandwidth accounting
+corruption, as enqueue_task_dl() won't recognize the lock holder as
+boosted.
+
+The scenario occurs when:
+1. A DEADLINE task (donor) blocks on a PI mutex held by another
+ DEADLINE task (holder), but the holder doesn't inherit parameters
+ (e.g., it already has a shorter deadline)
+2. sched_setscheduler() changes the holder from DEADLINE to a lower
+ class while still holding the mutex
+3. The holder should now inherit DEADLINE parameters from the donor
+ and be enqueued with ENQUEUE_REPLENISH, but this doesn't happen
+
+Fix the issue by introducing __setscheduler_dl_pi(), which detects when
+a DEADLINE (proper or boosted) task gets setscheduled to a lower
+priority class. In that case, the function makes the task inherit DEADLINE
+parameters of the donor (pi_se) and sets ENQUEUE_REPLENISH flag to
+ensure proper bandwidth accounting during the next enqueue operation.
+
+Fixes: 2279f540ea7d ("sched/deadline: Fix priority inheritance with multiple scheduling classes")
+Reported-by: Bruno Goncalves <bgoncalv@redhat.com>
+Signed-off-by: Juri Lelli <juri.lelli@redhat.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://patch.msgid.link/20260302-upstream-fix-deadline-piboost-b4-v3-1-6ba32184a9e0@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/syscalls.c | 30 ++++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+diff --git a/kernel/sched/syscalls.c b/kernel/sched/syscalls.c
+index d2bcedc10152f..77b663a5dfb2b 100644
+--- a/kernel/sched/syscalls.c
++++ b/kernel/sched/syscalls.c
+@@ -322,6 +322,35 @@ static bool check_same_owner(struct task_struct *p)
+ uid_eq(cred->euid, pcred->uid));
+ }
+
++#ifdef CONFIG_RT_MUTEXES
++static inline void __setscheduler_dl_pi(int newprio, int policy,
++ struct task_struct *p,
++ struct sched_change_ctx *scope)
++{
++ /*
++ * In case a DEADLINE task (either proper or boosted) gets
++ * setscheduled to a lower priority class, check if it neeeds to
++ * inherit parameters from a potential pi_task. In that case make
++ * sure replenishment happens with the next enqueue.
++ */
++
++ if (dl_prio(newprio) && !dl_policy(policy)) {
++ struct task_struct *pi_task = rt_mutex_get_top_task(p);
++
++ if (pi_task) {
++ p->dl.pi_se = pi_task->dl.pi_se;
++ scope->flags |= ENQUEUE_REPLENISH;
++ }
++ }
++}
++#else /* !CONFIG_RT_MUTEXES */
++static inline void __setscheduler_dl_pi(int newprio, int policy,
++ struct task_struct *p,
++ struct sched_change_ctx *scope)
++{
++}
++#endif /* !CONFIG_RT_MUTEXES */
++
+ #ifdef CONFIG_UCLAMP_TASK
+
+ static int uclamp_validate(struct task_struct *p,
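Review bot: `__setscheduler_dl_pi()` copies `pi_task->dl.pi_se` without checking that the top waiter is itself a DEADLINE task; it relies on `dl_prio(newprio) && !dl_policy(policy)` implying that the priority came from a DEADLINE donor. That invariant is established where `newprio` is computed, outside this hunk, so it should be stated in the comment, for example `/* newprio is DL while policy is not: the DL priority can only come from the top pi waiter */`. The block comment also has a typo (`neeeds`) and would read better as a header comment above the function than as the first thing in its body.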
+@@ -693,6 +722,7 @@ int __sched_setscheduler(struct task_struct *p,
+ __setscheduler_params(p, attr);
+ p->sched_class = next_class;
+ p->prio = newprio;
++ __setscheduler_dl_pi(newprio, policy, p, scope);
+ }
+ __setscheduler_uclamp(p, attr);
+ check_class_changing(rq, p, prev_class);
+--
+2.53.0
+
--- /dev/null
+From 2671015f90f26ed10a4fb3a32279a09e72b84eac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Oct 2024 13:43:43 +0100
+Subject: sched: Employ sched_change guards
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit e9139f765ac7048cadc9981e962acdf8b08eabf3 ]
+
+As proposed a long while ago -- and half done by scx -- wrap the
+scheduler's 'change' pattern in a guard helper.
+
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Reviewed-by: Juri Lelli <juri.lelli@redhat.com>
+Acked-by: Tejun Heo <tj@kernel.org>
+Acked-by: Vincent Guittot <vincent.guittot@linaro.org>
+Stable-dep-of: d658686a1331 ("sched/deadline: Fix missing ENQUEUE_REPLENISH during PI de-boosting")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/cleanup.h | 5 ++
+ kernel/sched/core.c | 159 +++++++++++++++-------------------------
+ kernel/sched/ext.c | 39 +++++-----
+ kernel/sched/sched.h | 33 ++++++---
+ kernel/sched/syscalls.c | 65 ++++++----------
+ 5 files changed, 131 insertions(+), 170 deletions(-)
+
+diff --git a/include/linux/cleanup.h b/include/linux/cleanup.h
+index 19c7e475d3a4d..a1194e44b5276 100644
+--- a/include/linux/cleanup.h
++++ b/include/linux/cleanup.h
+@@ -341,6 +341,11 @@ _label: \
+ #define __DEFINE_CLASS_IS_CONDITIONAL(_name, _is_cond) \
+ static __maybe_unused const bool class_##_name##_is_conditional = _is_cond
+
++#define DEFINE_CLASS_IS_UNCONDITIONAL(_name) \
++ __DEFINE_CLASS_IS_CONDITIONAL(_name, false); \
++ static inline void * class_##_name##_lock_ptr(class_##_name##_t *_T) \
++ { return (void *)1; }
++
+ #define __GUARD_IS_ERR(_ptr) \
+ ({ \
+ unsigned long _rc = (__force unsigned long)(_ptr); \
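Review bot: `DEFINE_CLASS_IS_UNCONDITIONAL()` has no comment, and its `class_##_name##_lock_ptr()` helper returns the bare constant `(void *)1` while ignoring `_T`. A short comment above the macro, e.g. `/* lock_ptr() returns a non-NULL dummy: an unconditional class always counts as acquired */`, would tell readers the value is a sentinel and must never be dereferenced. How the guard macros consume lock_ptr() is outside the hunk, so the wording should be checked against them.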
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index 0d93f60fed20a..46fc94f2338e8 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -7332,7 +7332,7 @@ void rt_mutex_post_schedule(void)
+ */
+ void rt_mutex_setprio(struct task_struct *p, struct task_struct *pi_task)
+ {
+- int prio, oldprio, queued, running, queue_flag =
++ int prio, oldprio, queue_flag =
+ DEQUEUE_SAVE | DEQUEUE_MOVE | DEQUEUE_NOCLOCK;
+ const struct sched_class *prev_class, *next_class;
+ struct rq_flags rf;
+@@ -7397,52 +7397,42 @@ void rt_mutex_setprio(struct task_struct *p, struct task_struct *pi_task)
+ if (prev_class != next_class && p->se.sched_delayed)
+ dequeue_task(rq, p, DEQUEUE_SLEEP | DEQUEUE_DELAYED | DEQUEUE_NOCLOCK);
+
+- queued = task_on_rq_queued(p);
+- running = task_current_donor(rq, p);
+- if (queued)
+- dequeue_task(rq, p, queue_flag);
+- if (running)
+- put_prev_task(rq, p);
+-
+- /*
+- * Boosting condition are:
+- * 1. -rt task is running and holds mutex A
+- * --> -dl task blocks on mutex A
+- *
+- * 2. -dl task is running and holds mutex A
+- * --> -dl task blocks on mutex A and could preempt the
+- * running task
+- */
+- if (dl_prio(prio)) {
+- if (!dl_prio(p->normal_prio) ||
+- (pi_task && dl_prio(pi_task->prio) &&
+- dl_entity_preempt(&pi_task->dl, &p->dl))) {
+- p->dl.pi_se = pi_task->dl.pi_se;
+- queue_flag |= ENQUEUE_REPLENISH;
++ scoped_guard (sched_change, p, queue_flag) {
++ /*
++ * Boosting condition are:
++ * 1. -rt task is running and holds mutex A
++ * --> -dl task blocks on mutex A
++ *
++ * 2. -dl task is running and holds mutex A
++ * --> -dl task blocks on mutex A and could preempt the
++ * running task
++ */
++ if (dl_prio(prio)) {
++ if (!dl_prio(p->normal_prio) ||
++ (pi_task && dl_prio(pi_task->prio) &&
++ dl_entity_preempt(&pi_task->dl, &p->dl))) {
++ p->dl.pi_se = pi_task->dl.pi_se;
++ scope->flags |= ENQUEUE_REPLENISH;
++ } else {
++ p->dl.pi_se = &p->dl;
++ }
++ } else if (rt_prio(prio)) {
++ if (dl_prio(oldprio))
++ p->dl.pi_se = &p->dl;
++ if (oldprio < prio)
++ scope->flags |= ENQUEUE_HEAD;
+ } else {
+- p->dl.pi_se = &p->dl;
++ if (dl_prio(oldprio))
++ p->dl.pi_se = &p->dl;
++ if (rt_prio(oldprio))
++ p->rt.timeout = 0;
+ }
+- } else if (rt_prio(prio)) {
+- if (dl_prio(oldprio))
+- p->dl.pi_se = &p->dl;
+- if (oldprio < prio)
+- queue_flag |= ENQUEUE_HEAD;
+- } else {
+- if (dl_prio(oldprio))
+- p->dl.pi_se = &p->dl;
+- if (rt_prio(oldprio))
+- p->rt.timeout = 0;
+- }
+
+- p->sched_class = next_class;
+- p->prio = prio;
++ p->sched_class = next_class;
++ p->prio = prio;
+
+- check_class_changing(rq, p, prev_class);
+-
+- if (queued)
+- enqueue_task(rq, p, queue_flag);
+- if (running)
+- set_next_task(rq, p);
++ check_class_changing(rq, p, prev_class);
++ }
+
+ check_class_changed(rq, p, prev_class, oldprio);
+ out_unlock:
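Review bot: In the `dl_prio(prio)` branch the first arm of the condition, `!dl_prio(p->normal_prio)`, reaches `p->dl.pi_se = pi_task->dl.pi_se` without the `pi_task &&` test that guards the second arm. The lines are moved unchanged into the guard, and presumably a deadline `prio` with a non-deadline `normal_prio` can only come from a boosting `pi_task`, but where `prio` is computed is outside this hunk. Since the block is being re-indented anyway, a comment such as `/* !dl_prio(normal_prio) here implies prio was inherited, so pi_task != NULL */` would record the invariant next to the dereference.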
+@@ -8090,26 +8080,9 @@ int migrate_task_to(struct task_struct *p, int target_cpu)
+ */
+ void sched_setnuma(struct task_struct *p, int nid)
+ {
+- bool queued, running;
+- struct rq_flags rf;
+- struct rq *rq;
+-
+- rq = task_rq_lock(p, &rf);
+- queued = task_on_rq_queued(p);
+- running = task_current_donor(rq, p);
+-
+- if (queued)
+- dequeue_task(rq, p, DEQUEUE_SAVE);
+- if (running)
+- put_prev_task(rq, p);
+-
+- p->numa_preferred_nid = nid;
+-
+- if (queued)
+- enqueue_task(rq, p, ENQUEUE_RESTORE | ENQUEUE_NOCLOCK);
+- if (running)
+- set_next_task(rq, p);
+- task_rq_unlock(rq, p, &rf);
++ guard(task_rq_lock)(p);
++ scoped_guard (sched_change, p, DEQUEUE_SAVE)
++ p->numa_preferred_nid = nid;
+ }
+ #endif /* CONFIG_NUMA_BALANCING */
+
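Review bot: The guard hands one flag word to both halves: `sched_change_begin()` passes it to `dequeue_task()` and `sched_change_end()` passes the same word plus `ENQUEUE_NOCLOCK` to `enqueue_task()`, so the explicit `ENQUEUE_RESTORE` the old code used here is now supplied by `DEQUEUE_SAVE`. That only holds if the two constants have the same value; their definitions are not in this diff. The same substitution happens in set_user_nice() in kernel/sched/syscalls.c. I would pin the assumption at the helper with `BUILD_BUG_ON(DEQUEUE_SAVE != ENQUEUE_RESTORE);`, or at least state it in the 'sched_change' comment in kernel/sched/sched.h.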
+@@ -9215,8 +9188,9 @@ static void sched_change_group(struct task_struct *tsk)
+ */
+ void sched_move_task(struct task_struct *tsk, bool for_autogroup)
+ {
+- int queued, running, queue_flags =
++ unsigned int queue_flags =
+ DEQUEUE_SAVE | DEQUEUE_MOVE | DEQUEUE_NOCLOCK;
++ bool resched = false;
+ struct rq *rq;
+
+ CLASS(task_rq_lock, rq_guard)(tsk);
+@@ -9224,29 +9198,16 @@ void sched_move_task(struct task_struct *tsk, bool for_autogroup)
+
+ update_rq_clock(rq);
+
+- running = task_current_donor(rq, tsk);
+- queued = task_on_rq_queued(tsk);
+-
+- if (queued)
+- dequeue_task(rq, tsk, queue_flags);
+- if (running)
+- put_prev_task(rq, tsk);
+-
+- sched_change_group(tsk);
+- if (!for_autogroup)
+- scx_cgroup_move_task(tsk);
++ scoped_guard (sched_change, tsk, queue_flags) {
++ sched_change_group(tsk);
++ if (!for_autogroup)
++ scx_cgroup_move_task(tsk);
++ if (scope->running)
++ resched = true;
++ }
+
+- if (queued)
+- enqueue_task(rq, tsk, queue_flags);
+- if (running) {
+- set_next_task(rq, tsk);
+- /*
+- * After changing group, the running task may have joined a
+- * throttled one but it's still the running task. Trigger a
+- * resched to make sure that task can still run.
+- */
++ if (resched)
+ resched_curr(rq);
+- }
+ }
+
+ static struct cgroup_subsys_state *
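Review bot: The comment explaining why the running task needs a reschedule after the group change is deleted together with the old enqueue block, and the new `if (resched) resched_curr(rq);` carries no explanation. The reason given in the removed text (the task may have joined a throttled group while still being the running task) is not obvious from the code. I would keep it on the new line, e.g. `/* The running task may have joined a throttled group; resched so it can still run. */` above `if (resched)`.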
+@@ -10902,37 +10863,39 @@ void sched_mm_cid_fork(struct task_struct *t)
+ }
+ #endif /* CONFIG_SCHED_MM_CID */
+
+-#ifdef CONFIG_SCHED_CLASS_EXT
+-void sched_deq_and_put_task(struct task_struct *p, int queue_flags,
+- struct sched_enq_and_set_ctx *ctx)
++static DEFINE_PER_CPU(struct sched_change_ctx, sched_change_ctx);
++
++struct sched_change_ctx *sched_change_begin(struct task_struct *p, unsigned int flags)
+ {
++ struct sched_change_ctx *ctx = this_cpu_ptr(&sched_change_ctx);
+ struct rq *rq = task_rq(p);
+
+ lockdep_assert_rq_held(rq);
+
+- *ctx = (struct sched_enq_and_set_ctx){
++ *ctx = (struct sched_change_ctx){
+ .p = p,
+- .queue_flags = queue_flags,
++ .flags = flags,
+ .queued = task_on_rq_queued(p),
+- .running = task_current(rq, p),
++ .running = task_current_donor(rq, p),
+ };
+
+- update_rq_clock(rq);
+ if (ctx->queued)
+- dequeue_task(rq, p, queue_flags | DEQUEUE_NOCLOCK);
++ dequeue_task(rq, p, flags);
+ if (ctx->running)
+ put_prev_task(rq, p);
++
++ return ctx;
+ }
+
+-void sched_enq_and_set_task(struct sched_enq_and_set_ctx *ctx)
++void sched_change_end(struct sched_change_ctx *ctx)
+ {
+- struct rq *rq = task_rq(ctx->p);
++ struct task_struct *p = ctx->p;
++ struct rq *rq = task_rq(p);
+
+ lockdep_assert_rq_held(rq);
+
+ if (ctx->queued)
+- enqueue_task(rq, ctx->p, ctx->queue_flags | ENQUEUE_NOCLOCK);
++ enqueue_task(rq, p, ctx->flags | ENQUEUE_NOCLOCK);
+ if (ctx->running)
+- set_next_task(rq, ctx->p);
++ set_next_task(rq, p);
+ }
+-#endif /* CONFIG_SCHED_CLASS_EXT */
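Review bot: `sched_change_begin()` stores its state in a single per-CPU `sched_change_ctx`, so a second begin on the same CPU before the matching `sched_change_end()` would overwrite `.queued`, `.running` and `.flags` of the outer change, and nothing here detects that. Several converted call sites run callbacks such as `check_class_changing()` inside the guard; whether any of them can reach another sched_change is not visible in this diff. A comment on the per-CPU variable stating that changes must not nest would make the constraint explicit. A cheap debug check is also possible: `WARN_ON_ONCE(ctx->p);` before the assignment in begin and `ctx->p = NULL;` at the end of `sched_change_end()`.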
+diff --git a/kernel/sched/ext.c b/kernel/sched/ext.c
+index 35c0b31924d37..3029e5b8f9a57 100644
+--- a/kernel/sched/ext.c
++++ b/kernel/sched/ext.c
+@@ -3866,11 +3866,10 @@ static void scx_bypass(bool bypass)
+ */
+ list_for_each_entry_safe_reverse(p, n, &rq->scx.runnable_list,
+ scx.runnable_node) {
+- struct sched_enq_and_set_ctx ctx;
+-
+ /* cycling deq/enq is enough, see the function comment */
+- sched_deq_and_put_task(p, DEQUEUE_SAVE | DEQUEUE_MOVE, &ctx);
+- sched_enq_and_set_task(&ctx);
++ scoped_guard (sched_change, p, DEQUEUE_SAVE | DEQUEUE_MOVE) {
++ /* nothing */ ;
++ }
+ }
+
+ /* resched to restore ticks and idle state */
+@@ -4021,17 +4020,16 @@ static void scx_disable_workfn(struct kthread_work *work)
+ while ((p = scx_task_iter_next_locked(&sti))) {
+ const struct sched_class *old_class = p->sched_class;
+ const struct sched_class *new_class = scx_setscheduler_class(p);
+- struct sched_enq_and_set_ctx ctx;
+
+- if (old_class != new_class && p->se.sched_delayed)
+- dequeue_task(task_rq(p), p, DEQUEUE_SLEEP | DEQUEUE_DELAYED);
++ update_rq_clock(task_rq(p));
+
+- sched_deq_and_put_task(p, DEQUEUE_SAVE | DEQUEUE_MOVE, &ctx);
+-
+- p->sched_class = new_class;
+- check_class_changing(task_rq(p), p, old_class);
++ if (old_class != new_class && p->se.sched_delayed)
++ dequeue_task(task_rq(p), p, DEQUEUE_SLEEP | DEQUEUE_DELAYED | DEQUEUE_NOCLOCK);
+
+- sched_enq_and_set_task(&ctx);
++ scoped_guard (sched_change, p, DEQUEUE_SAVE | DEQUEUE_MOVE | DEQUEUE_NOCLOCK) {
++ p->sched_class = new_class;
++ check_class_changing(task_rq(p), p, old_class);
++ }
+
+ check_class_changed(task_rq(p), p, old_class, p->prio);
+ scx_exit_task(p);
+@@ -4845,21 +4843,20 @@ static void scx_enable_workfn(struct kthread_work *work)
+ while ((p = scx_task_iter_next_locked(&sti))) {
+ const struct sched_class *old_class = p->sched_class;
+ const struct sched_class *new_class = scx_setscheduler_class(p);
+- struct sched_enq_and_set_ctx ctx;
+
+ if (!tryget_task_struct(p))
+ continue;
+
+- if (old_class != new_class && p->se.sched_delayed)
+- dequeue_task(task_rq(p), p, DEQUEUE_SLEEP | DEQUEUE_DELAYED);
+-
+- sched_deq_and_put_task(p, DEQUEUE_SAVE | DEQUEUE_MOVE, &ctx);
++ update_rq_clock(task_rq(p));
+
+- p->scx.slice = SCX_SLICE_DFL;
+- p->sched_class = new_class;
+- check_class_changing(task_rq(p), p, old_class);
++ if (old_class != new_class && p->se.sched_delayed)
++ dequeue_task(task_rq(p), p, DEQUEUE_SLEEP | DEQUEUE_DELAYED | DEQUEUE_NOCLOCK);
+
+- sched_enq_and_set_task(&ctx);
++ scoped_guard (sched_change, p, DEQUEUE_SAVE | DEQUEUE_MOVE | DEQUEUE_NOCLOCK) {
++ p->scx.slice = SCX_SLICE_DFL;
++ p->sched_class = new_class;
++ check_class_changing(task_rq(p), p, old_class);
++ }
+
+ check_class_changed(task_rq(p), p, old_class, p->prio);
+ put_task_struct(p);
+diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h
+index f750dea7b7876..668841022dbf2 100644
+--- a/kernel/sched/sched.h
++++ b/kernel/sched/sched.h
+@@ -3891,23 +3891,38 @@ extern void check_class_changed(struct rq *rq, struct task_struct *p,
+ extern struct balance_callback *splice_balance_callbacks(struct rq *rq);
+ extern void balance_callbacks(struct rq *rq, struct balance_callback *head);
+
+-#ifdef CONFIG_SCHED_CLASS_EXT
+ /*
+- * Used by SCX in the enable/disable paths to move tasks between sched_classes
+- * and establish invariants.
++ * The 'sched_change' pattern is the safe, easy and slow way of changing a
++ * task's scheduling properties. It dequeues a task, such that the scheduler
++ * is fully unaware of it; at which point its properties can be modified;
++ * after which it is enqueued again.
++ *
++ * Typically this must be called while holding task_rq_lock, since most/all
++ * properties are serialized under those locks. There is currently one
++ * exception to this rule in sched/ext which only holds rq->lock.
++ */
++
++/*
++ * This structure is a temporary, used to preserve/convey the queueing state
++ * of the task between sched_change_begin() and sched_change_end(). Ensuring
++ * the task's queueing state is idempotent across the operation.
+ */
+-struct sched_enq_and_set_ctx {
++struct sched_change_ctx {
+ struct task_struct *p;
+- int queue_flags;
++ int flags;
+ bool queued;
+ bool running;
+ };
+
+-void sched_deq_and_put_task(struct task_struct *p, int queue_flags,
+- struct sched_enq_and_set_ctx *ctx);
+-void sched_enq_and_set_task(struct sched_enq_and_set_ctx *ctx);
++struct sched_change_ctx *sched_change_begin(struct task_struct *p, unsigned int flags);
++void sched_change_end(struct sched_change_ctx *ctx);
+
+-#endif /* CONFIG_SCHED_CLASS_EXT */
++DEFINE_CLASS(sched_change, struct sched_change_ctx *,
++ sched_change_end(_T),
++ sched_change_begin(p, flags),
++ struct task_struct *p, unsigned int flags)
++
++DEFINE_CLASS_IS_UNCONDITIONAL(sched_change)
+
+ #include "ext.h"
+
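Review bot: `struct sched_change_ctx` declares `int flags` while `sched_change_begin()` takes `unsigned int flags`, and callers OR bits into the field through `scope->flags`. The callers are mixed as well: sched_move_task() switches its local to `unsigned int queue_flags`, while rt_mutex_setprio() keeps `int ... queue_flag`. Making the field `unsigned int flags;` would keep the bitmask one type from the caller through to `enqueue_task()`.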
+diff --git a/kernel/sched/syscalls.c b/kernel/sched/syscalls.c
+index 6805a63d47af7..d2bcedc10152f 100644
+--- a/kernel/sched/syscalls.c
++++ b/kernel/sched/syscalls.c
+@@ -64,7 +64,6 @@ static int effective_prio(struct task_struct *p)
+
+ void set_user_nice(struct task_struct *p, long nice)
+ {
+- bool queued, running;
+ struct rq *rq;
+ int old_prio;
+
+@@ -90,22 +89,12 @@ void set_user_nice(struct task_struct *p, long nice)
+ return;
+ }
+
+- queued = task_on_rq_queued(p);
+- running = task_current_donor(rq, p);
+- if (queued)
+- dequeue_task(rq, p, DEQUEUE_SAVE | DEQUEUE_NOCLOCK);
+- if (running)
+- put_prev_task(rq, p);
+-
+- p->static_prio = NICE_TO_PRIO(nice);
+- set_load_weight(p, true);
+- old_prio = p->prio;
+- p->prio = effective_prio(p);
+-
+- if (queued)
+- enqueue_task(rq, p, ENQUEUE_RESTORE | ENQUEUE_NOCLOCK);
+- if (running)
+- set_next_task(rq, p);
++ scoped_guard (sched_change, p, DEQUEUE_SAVE | DEQUEUE_NOCLOCK) {
++ p->static_prio = NICE_TO_PRIO(nice);
++ set_load_weight(p, true);
++ old_prio = p->prio;
++ p->prio = effective_prio(p);
++ }
+
+ /*
+ * If the task increased its priority or is running and
+@@ -515,7 +504,7 @@ int __sched_setscheduler(struct task_struct *p,
+ bool user, bool pi)
+ {
+ int oldpolicy = -1, policy = attr->sched_policy;
+- int retval, oldprio, newprio, queued, running;
++ int retval, oldprio, newprio;
+ const struct sched_class *prev_class, *next_class;
+ struct balance_callback *head;
+ struct rq_flags rf;
+@@ -698,33 +687,25 @@ int __sched_setscheduler(struct task_struct *p,
+ if (prev_class != next_class && p->se.sched_delayed)
+ dequeue_task(rq, p, DEQUEUE_SLEEP | DEQUEUE_DELAYED | DEQUEUE_NOCLOCK);
+
+- queued = task_on_rq_queued(p);
+- running = task_current_donor(rq, p);
+- if (queued)
+- dequeue_task(rq, p, queue_flags);
+- if (running)
+- put_prev_task(rq, p);
+-
+- if (!(attr->sched_flags & SCHED_FLAG_KEEP_PARAMS)) {
+- __setscheduler_params(p, attr);
+- p->sched_class = next_class;
+- p->prio = newprio;
+- }
+- __setscheduler_uclamp(p, attr);
+- check_class_changing(rq, p, prev_class);
++ scoped_guard (sched_change, p, queue_flags) {
+
+- if (queued) {
+- /*
+- * We enqueue to tail when the priority of a task is
+- * increased (user space view).
+- */
+- if (oldprio < p->prio)
+- queue_flags |= ENQUEUE_HEAD;
++ if (!(attr->sched_flags & SCHED_FLAG_KEEP_PARAMS)) {
++ __setscheduler_params(p, attr);
++ p->sched_class = next_class;
++ p->prio = newprio;
++ }
++ __setscheduler_uclamp(p, attr);
++ check_class_changing(rq, p, prev_class);
+
+- enqueue_task(rq, p, queue_flags);
++ if (scope->queued) {
++ /*
++ * We enqueue to tail when the priority of a task is
++ * increased (user space view).
++ */
++ if (oldprio < p->prio)
++ scope->flags |= ENQUEUE_HEAD;
++ }
+ }
+- if (running)
+- set_next_task(rq, p);
+
+ check_class_changed(rq, p, prev_class, oldprio);
+
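Review bot: The `if (scope->queued)` wrapper around the `ENQUEUE_HEAD` update is redundant now, because `sched_change_end()` reads `ctx->flags` only under `if (ctx->queued)`; rt_mutex_setprio() in kernel/sched/core.c sets the same flag unconditionally. The block could shrink to the existing comment plus `if (oldprio < p->prio) scope->flags |= ENQUEUE_HEAD;`, and the blank line straight after `scoped_guard (sched_change, p, queue_flags) {` can be dropped. The function body starts and ends outside this hunk.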
+--
+2.53.0
+
iommu-amd-fix-illegal-cap-mmio-access-in-iommu-debug.patch
iommu-amd-remove-latent-out-of-bounds-access-in-iomm.patch
fuse-fix-uninit-value-in-fuse_dentry_revalidate.patch
+cxl-mbox-validate-payload-size-before-accessing-cont.patch
+sched-employ-sched_change-guards.patch
+sched-deadline-fix-missing-enqueue_replenish-during-.patch
+bridge-mrp-reject-zero-test-interval-to-avoid-oom-pa.patch
+spi-spi-dw-dma-fix-print-error-log-when-wait-finish-.patch
--- /dev/null
+From 6a23c01f04705cad26c3406e3a3e528f7d9e95a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Mar 2026 01:20:17 +0300
+Subject: spi: spi-dw-dma: fix print error log when wait finish transaction
+
+From: Vladimir Yakovlev <vovchkir@gmail.com>
+
+[ Upstream commit 3b46d61890632c8f8b117147b6923bff4b42ccb7 ]
+
+If an error occurs, the device may not have a current message. In this
+case, the system will crash.
+
+In this case, it's better to use dev from the struct ctlr (struct spi_controller*).
+
+Signed-off-by: Vladimir Yakovlev <vovchkir@gmail.com>
+Link: https://patch.msgid.link/20260302222017.992228-2-vovchkir@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-dw-dma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-dw-dma.c b/drivers/spi/spi-dw-dma.c
+index b5bed02b7e500..31063f9270924 100644
+--- a/drivers/spi/spi-dw-dma.c
++++ b/drivers/spi/spi-dw-dma.c
+@@ -271,7 +271,7 @@ static int dw_spi_dma_wait(struct dw_spi *dws, unsigned int len, u32 speed)
+ msecs_to_jiffies(ms));
+
+ if (ms == 0) {
+- dev_err(&dws->host->cur_msg->spi->dev,
++ dev_err(&dws->host->dev,
+ "DMA transaction timed out\n");
+ return -ETIMEDOUT;
+ }
+--
+2.53.0
+
driver-core-generalize-driver_override-in-struct-dev.patch
driver-core-platform-use-generic-driver_override-inf.patch
s390-debug-reject-zero-length-input-before-trimming-.patch
+wifi-mac80211-check-tdls-flag-in-ieee80211_tdls_oper.patch
--- /dev/null
+From 78c2afb430701a0b3638e4a316ecf262417d7225 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 May 2026 13:48:35 +0800
+Subject: wifi: mac80211: check tdls flag in ieee80211_tdls_oper
+
+From: Deepanshu Kartikey <kartikey406@gmail.com>
+
+[ Upstream commit 7d73872d949c488a1d7c308031d6a9d89b5e0a8b ]
+
+When NL80211_TDLS_ENABLE_LINK is called, the code only checks if the
+station exists but not whether it is actually a TDLS station. This
+allows the operation to proceed for non-TDLS stations, causing
+unintended side effects like modifying channel context and HT
+protection before failing.
+
+Add a check for sta->sta.tdls early in the ENABLE_LINK case, before
+any side effects occur, to ensure the operation is only allowed for
+actual TDLS peers.
+
+Reported-by: syzbot+56b6a844a4ea74487b7b@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=56b6a844a4ea74487b7b
+Tested-by: syzbot+56b6a844a4ea74487b7b@syzkaller.appspotmail.com
+Suggested-by: Johannes Berg <johannes@sipsolutions.net>
+Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
+Link: https://patch.msgid.link/20260313092417.520807-1-kartikey406@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Li hongliang <1468888505@139.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/tdls.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mac80211/tdls.c b/net/mac80211/tdls.c
+index 0fd353fec9fc6..c3622f779d120 100644
+--- a/net/mac80211/tdls.c
++++ b/net/mac80211/tdls.c
+@@ -1481,7 +1481,7 @@ int ieee80211_tdls_oper(struct wiphy *wiphy, struct net_device *dev,
+
+ mutex_lock(&local->sta_mtx);
+ sta = sta_info_get(sdata, peer);
+- if (!sta) {
++ if (!sta || !sta->sta.tdls) {
+ mutex_unlock(&local->sta_mtx);
+ ret = -ENOLINK;
+ break;
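Review bot: The widened test `if (!sta || !sta->sta.tdls)` has no comment, so the reason a non-TDLS station is rejected at this point lives only in the commit message. A line such as `/* only TDLS peers; reject before any channel context or HT protection change */` above the `if` would keep that ordering requirement visible to later edits. Both cases return `-ENOLINK`, which makes a missing station and a non-TDLS station indistinguishable to the caller; that may be intended. The enclosing switch case continues outside the hunk.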
+--
+2.53.0
+